From b13d8e33d1409d1e6ab3b3a0b9f239c55e6c0b5f Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 1 May 2018 14:29:57 -0400
Subject: [PATCH 1/6] app-admin/sudo: Import the latest ebuild from Gentoo
---
 .../coreos-overlay/app-admin/sudo/Manifest | 1 +
 .../app-admin/sudo/metadata.xml | 23 ++
 .../app-admin/sudo/sudo-1.8.23.ebuild | 224 ++++++++++++++++++
 3 files changed, 248 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
 create mode 100644 sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
new file mode 100644
index 0000000000..db973590ea
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/Manifest
@@ -0,0 +1 @@
+DIST sudo-1.8.23.tar.gz 3150674 BLAKE2B 11b1c7bfa372005cda8baf651c4662f6fd15e94ca77f7705b23ca6573424796d5c1f8e47e2874c4b54017141d01a632885ac60c92346d932537048373cad0ede SHA512 a9d61850a4857bfd075547a13efb13b054e4736e3ebe3c8a98a90a090b1d9b9688354ec9725fc99d1d256999b6f9c6ae6215ce9770fcdebd7f24731107b48342
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
new file mode 100644
index 0000000000..fd239654c5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/metadata.xml
@@ -0,0 +1,23 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + Sudo (superuser do) allows a system administrator to give certain + users (or groups of users) the ability to run some (or all) + commands as root or another user while logging the commands and + arguments. + + + Use SHA2 from dev-libs/libgcrypt instead of sudo's internal SHA2 + Let sudo print insults when the user types the wrong password + Use SHA2 from dev-libs/openssl instead of sudo's internal SHA2 + Allow sudo to send emails with sendmail + + + cpe:/a:todd_miller:sudo + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild new file mode 100644 index 0000000000..b67fefb0af --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild 
@@ -0,0 +1,224 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit eutils pam multilib libtool + +MY_P=${P/_/} +MY_P=${MY_P/beta/b} + +uri_prefix= +case ${P} in + *_beta*|*_rc*) uri_prefix=beta/ ;; +esac + +DESCRIPTION="Allows users or groups to run commands as other users" +HOMEPAGE="https://www.sudo.ws/" +SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz + ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz" + +# Basic license is ISC-style as-is, some files are released under +# 3-clause BSD license +LICENSE="ISC BSD" +SLOT="0" +if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris" +fi +IUSE="gcrypt ldap nls pam offensive openssl sasl selinux +sendmail skey" + +CDEPEND=" + gcrypt? ( dev-libs/libgcrypt:= ) + openssl? ( dev-libs/openssl:0= ) + pam? ( virtual/pam ) + sasl? ( dev-libs/cyrus-sasl ) + skey? ( >=sys-auth/skey-1.1.5-r1 ) + ldap? ( + >=net-nds/openldap-2.1.30-r1 + dev-libs/cyrus-sasl + ) + sys-libs/zlib +" +RDEPEND=" + ${CDEPEND} + selinux? ( sec-policy/selinux-sudo ) + ldap? ( dev-lang/perl ) + pam? ( sys-auth/pambase ) + >=app-misc/editor-wrapper-3 + virtual/editor + sendmail? ( virtual/mta ) +" +DEPEND=" + ${CDEPEND} + sys-devel/bison +" + +S="${WORKDIR}/${MY_P}" + +REQUIRED_USE=" + pam? ( !skey ) + skey? ( !pam ) + ?? ( gcrypt openssl ) +" + +MAKEOPTS+=" SAMPLES=" + +src_prepare() { + default + elibtoolize +} + +set_rootpath() { + # FIXME: secure_path is a compile time setting. using ROOTPATH + # is not perfect, env-update may invalidate this, but until it + # is available as a sudoers setting this will have to do. + einfo "Setting secure_path ..." + + # first extract the default ROOTPATH from build env + ROOTPATH=$(unset ROOTPATH; . 
"${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}") + if [[ -z ${ROOTPATH} ]] ; then + ewarn " Failed to find ROOTPATH, please report this" + fi + + # then remove duplicate path entries + cleanpath() { + local newpath thisp IFS=: + for thisp in $1 ; do + if [[ :${newpath}: != *:${thisp}:* ]] ; then + newpath+=:$thisp + else + einfo " Duplicate entry ${thisp} removed..." + fi + done + ROOTPATH=${newpath#:} + } + cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}} + + # finally, strip gcc paths #136027 + rmpath() { + local e newpath thisp IFS=: + for thisp in ${ROOTPATH} ; do + for e ; do [[ $thisp == $e ]] && continue 2 ; done + newpath+=:$thisp + done + ROOTPATH=${newpath#:} + } + rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*' + + einfo "... done" +} + +src_configure() { + local ROOTPATH + set_rootpath + + # audit: somebody got to explain me how I can test this before I + # enable it.. - Diego + # plugindir: autoconf code is crappy and does not delay evaluation + # until `make` time, so we have to use a full path here rather than + # basing off other values. 
+ myeconfargs=( + --enable-zlib=system + --with-editor="${EPREFIX}"/usr/libexec/editor + --with-env-editor + --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo + --with-rundir="${EPREFIX}"/var/run/sudo + --with-secure-path="${ROOTPATH}" + --with-vardir="${EPREFIX}"/var/db/sudo + --without-linux-audit + --without-opie + $(use_enable gcrypt) + $(use_enable nls) + $(use_enable openssl) + $(use_enable sasl) + $(use_with offensive insults) + $(use_with offensive all-insults) + $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) + $(use_with ldap) + $(use_with pam) + $(use_with skey) + $(use_with selinux) + $(use_with sendmail) + ) + econf "${myeconfargs[@]}" +} + +src_install() { + default + + if use ldap ; then + dodoc README.LDAP + + cat <<-EOF > "${T}"/ldap.conf.sudo + # See ldap.conf(5) and README.LDAP for details + # This file should only be readable by root + + # supported directives: host, port, ssl, ldap_version + # uri, binddn, bindpw, sudoers_base, sudoers_debug + # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key} + EOF + + insinto /etc + doins "${T}"/ldap.conf.sudo + fperms 0440 /etc/ldap.conf.sudo + + insinto /etc/openldap/schema + newins doc/schema.OpenLDAP sudo.schema + fi + + pamd_mimic system-auth sudo auth account session + + keepdir /var/db/sudo/lectured + fperms 0700 /var/db/sudo/lectured + fperms 0711 /var/db/sudo #652958 + + # Don't install into /var/run as that is a tmpfs most of the time + # (bug #504854) + rm -rf "${ED}"/var/run +} + +pkg_postinst() { + #652958 + local sudo_db="${EROOT}/var/db/sudo" + if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then + chmod 711 "${sudo_db}" || die + fi + + if use ldap ; then + ewarn + ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration." + ewarn + if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then + ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly" + ewarn "configured in /etc/nsswitch.conf." 
+ ewarn + ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:" + ewarn " sudoers: ldap files" + ewarn + fi + fi + if use prefix ; then + ewarn + ewarn "To use sudo, you need to change file ownership and permissions" + ewarn "with root privileges, as follows:" + ewarn + ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo" + ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so" + ewarn " # chown root:root ${EPREFIX}/etc/sudoers" + ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d" + ewarn " # chown root:root ${EPREFIX}/var/db/sudo" + ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo" + ewarn + fi + + elog "To use the -A (askpass) option, you need to install a compatible" + elog "password program from the following list. Starred packages will" + elog "automatically register for the use with sudo (but will not force" + elog "the -A option):" + elog "" + elog " [*] net-misc/ssh-askpass-fullscreen" + elog " net-misc/x11-ssh-askpass" + elog "" + elog "You can override the choice by setting the SUDO_ASKPASS environmnent" + elog "variable to the program you want to use." +} From 0d3e8f6618815759b14837fb66b44995ccd21997 Mon Sep 17 00:00:00 2001 
From: David Michael
Date: Tue, 1 May 2018 14:31:23 -0400
Subject: [PATCH 2/6] app-admin/sudo: Apply CoreOS changes
Stabilize, adjust LDAP support, and add SSSD sudoers support. This drops the Perl dependency for LDAP since it seems like it was only pulled in for an optional script that is no longer present. Also, the schema files are dropped from the installation since our OpenLDAP package has USE=minimal which skips the schema directory. (It still installs a default config file in /etc, but it contains only comments since there are a few others like that already.) Gentoo is leaving the SSSD option stalled in #525674 since 2014, so maybe this can be moved back to portage-stable if that is merged. Note that the proposed change there will depend on SSSD, so it will have to be disabled in the arm64 profile in that case, unless the SSSD packages are fixed by then.
---
 .../coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild
index b67fefb0af..7378518071 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-admin/sudo/sudo-1.8.23.ebuild
@@ -23,9 +23,9 @@ SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
 LICENSE="ISC BSD"
 SLOT="0"
 if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris"
+ KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris"
 fi
-IUSE="gcrypt ldap nls pam offensive openssl sasl selinux +sendmail skey"
+IUSE="gcrypt ldap nls pam offensive openssl sasl selinux +sendmail skey sssd"
 
 CDEPEND="
 gcrypt? ( dev-libs/libgcrypt:= )
@@ -42,7 +42,6 @@ CDEPEND="
 RDEPEND="
 ${CDEPEND}
 selinux? ( sec-policy/selinux-sudo )
- ldap? ( dev-lang/perl )
 pam? ( sys-auth/pambase )
 >=app-misc/editor-wrapper-3
 virtual/editor
@@ -139,6 +138,7 @@ src_configure() {
 $(use_with skey)
 $(use_with selinux)
 $(use_with sendmail)
+ $(use_with sssd)
 )
 econf "${myeconfargs[@]}"
 }
@@ -161,9 +161,6 @@ src_install() {
 insinto /etc
 doins "${T}"/ldap.conf.sudo
 fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
 fi
 
 pamd_mimic system-auth sudo auth account session
From 151c326d18394d167ca3c57a7e70e9a9fd46f99c Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 28 Nov 2017 19:03:47 -0500
Subject: [PATCH 3/6] profiles: Enable LDAP and SSSD support for sudoers on boards
---
 .../coreos-overlay/profiles/coreos/targets/generic/package.use | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
index 4852ebb51c..4eba98da50 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/package.use
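Review bot: The new `sssd` flag is wired into IUSE (first hunk) and into `$(use_with sssd)` (the src_configure hunk) without a matching `sssd? ( ... )` dependency and without a `<flag name="sssd">` entry in the metadata.xml added by the previous patch, so a user enabling it gets a sudoers backend whose library may be absent on the host, and repoman should complain about the undescribed flag. The commit message explains that the dependency is deferred until Gentoo #525674 settles and that the SSSD packages still need fixing on arm64, but none of that reaches the ebuild; I would record it next to IUSE as `# sssd: deliberately no RDEPEND on sys-auth/sssd yet (arm64 lacks it; see Gentoo #525674)` and add `<flag name="sssd">Enable sudoers lookups through SSSD</flag>` to metadata.xml. As far as I recall sudo loads its SSSD backend at runtime rather than linking against it, so a missing library only surfaces as an error on hosts whose nsswitch.conf lists sssd for sudoers — worth stating in the same comment so that failure mode is expected rather than mistaken for a bug.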
@@ -1,6 +1,7 @@
 # Copyright (c) 2009 The Chromium OS Authors. All rights reserved.
 # Distributed under the terms of the GNU General Public License v2
 
+app-admin/sudo ldap sssd
 app-editors/vim minimal
 dev-lang/python -berkdb gdbm
 dev-libs/dbus-glib tools
From 5a60821fb2c7ca5576e2b60c1ec18f1423a7f079 Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 1 May 2018 14:35:13 -0400
Subject: [PATCH 4/6] profiles: Drop old sudo version on arm64
---
 .../coreos-overlay/profiles/coreos/arm64/package.accept_keywords | 1 -
 1 file changed, 1 deletion(-)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index 195526e04b..a6563f6d3d 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -1,7 +1,6 @@
 # arm64 keywords
 # Keep these in alphabetical order.
 
-=app-admin/sudo-1.8.20_p2 ~arm64
 =app-arch/bzip2-1.0.6-r8 ~arm64
 =app-arch/libarchive-3.3.1 ~arm64
 =app-crypt/mit-krb5-1.14.2 ~arm64
From 1c23e17748641338c1a98415f74b2438666a1c8a Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 1 May 2018 15:08:19 -0400
Subject: [PATCH 5/6] profiles: Enable LDAP support on arm64
This was disabled upstream with only the message "untested". It looks like only SSSD/AD-related packages depend on OpenLDAP unconditionally, so this is really just for sudo on arm64 at the moment.
---
 .../third_party/coreos-overlay/profiles/coreos/arm64/use.mask | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
new file mode 100644
index 0000000000..ff5beb9b41
--- /dev/null
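Review bot: `app-admin/sudo ldap sssd` turns both directory-backed sudoers sources on for every board, and through the ebuild's CDEPEND the `ldap` flag also brings net-nds/openldap and dev-libs/cyrus-sasl plus a 0440 `/etc/ldap.conf.sudo` into each image; nothing in package.use records that this is intended rather than a leftover from testing. The ebuild's pkg_postinst text says LDAP is only consulted when /etc/nsswitch.conf carries a `sudoers:` line, so unless the boards ship such a line (not visible in this series) the flags add libraries and a config file without changing sudo's behaviour — please confirm which is intended and note it, e.g. `# sudo: ldap/sssd sudoers sources for directory-managed hosts; active only via nsswitch.conf`. The neighbouring entries carry no comments, so one line is enough if the file's style is to stay terse.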
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/use.mask
@@ -0,0 +1 @@
+-ldap
From ccdff44201f96a3dc58dfd2ca85a129c34c70d7b Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 1 May 2018 15:37:33 -0400
Subject: [PATCH 6/6] profiles: Don't install the LDIF conversion tool
---
 .../profiles/coreos/targets/generic/make.defaults | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
index ff205e130c..c12c33eb74 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
@@ -67,3 +67,7 @@ INSTALL_MASK="${INSTALL_MASK}
 /etc/ssl/misc/tsget
 "
 
+# Remove tools that don't need to be installed on every server.
+INSTALL_MASK="${INSTALL_MASK}
+ /usr/bin/cvtsudoers
+"
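Review bot: The new arm64 use.mask is the bare line `-ldap` with no comment, while the sibling package.accept_keywords in the previous patch opens with `# arm64 keywords` and a maintenance note; the reason for the unmask (upstream masked the flag as "untested", this overlay needs it for sudo on arm64) lives only in the commit message and will be lost to whoever edits the profile next. I'd add `# ldap is masked as "untested" in the upstream arm64 profile; unmask it so app-admin/sudo can build its LDAP sudoers backend.` above the entry. Whether a `-ldap` here actually overrides the parent profile's mask depends on the profile's parent chain, which this series does not show — confirm on an arm64 board (e.g. `emerge -pv app-admin/sudo` listing `ldap` as enabled) before relying on it.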
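Review bot: The new INSTALL_MASK entry removes only the `/usr/bin/cvtsudoers` binary; if I remember the 1.8.23 release correctly the package also installs a cvtsudoers manual page, which this entry leaves in the image, so either mask it as well or say in the comment that only the executable matters. The comment `# Remove tools that don't need to be installed on every server.` is generic while the block masks a single tool; naming it and the reason helps the next person decide whether a later sudo version needs the list extended: `# cvtsudoers converts sudoers files to LDIF; only needed on admin hosts, not on boards.` The append-to-`${INSTALL_MASK}` form matches the existing block directly above, which is the right style for this file.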