author | Tavis Ormandy <taviso@gentoo.org> | 2005-06-29 14:36:06 +0000 |
---|---|---|
committer | Tavis Ormandy <taviso@gentoo.org> | 2005-06-29 14:36:06 +0000 |
commit | 3337777c302179ab57cdce67349788e3d5cb0030 (patch) | |
tree | 787691f5e8928ff19d79da268d57246294d86871 /app-admin/sudo | |
parent | Removed unused digest entries. (diff) | |
download | gentoo-2-3337777c302179ab57cdce67349788e3d5cb0030.tar.gz gentoo-2-3337777c302179ab57cdce67349788e3d5cb0030.tar.bz2 gentoo-2-3337777c302179ab57cdce67349788e3d5cb0030.zip |
use a secure copy of ldap.conf to prevent a local information leak.
(Portage version: 2.0.51.19)
Diffstat (limited to 'app-admin/sudo')
-rw-r--r-- | app-admin/sudo/ChangeLog | 9 | ||||
-rw-r--r-- | app-admin/sudo/Manifest | 34 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.7_p5-r4 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p8-r2 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p8-r3 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p9-r1 | 1 | ||||
-rw-r--r-- | app-admin/sudo/sudo-1.6.7_p5-r4.ebuild | 60 | ||||
-rw-r--r-- | app-admin/sudo/sudo-1.6.8_p8-r2.ebuild | 131 | ||||
-rw-r--r-- | app-admin/sudo/sudo-1.6.8_p9-r1.ebuild (renamed from app-admin/sudo/sudo-1.6.8_p8-r3.ebuild) | 46 |
9 files changed, 51 insertions, 233 deletions
diff --git a/app-admin/sudo/ChangeLog b/app-admin/sudo/ChangeLog index f9341c89dfc3..5bb9df11554f 100644 --- a/app-admin/sudo/ChangeLog +++ b/app-admin/sudo/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for app-admin/sudo # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.71 2005/06/23 03:35:01 tester Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.72 2005/06/29 14:36:06 taviso Exp $ + +*sudo-1.6.8_p9-r1 (29 Jun 2005) + + 29 Jun 2005; Tavis Ormandy <taviso@gentoo.org> -sudo-1.6.7_p5-r4.ebuild, + -sudo-1.6.8_p8-r2.ebuild, -sudo-1.6.8_p8-r3.ebuild, + +sudo-1.6.8_p9-r1.ebuild: + use a secure copy of ldap.conf to prevent local information leak. 23 Jun 2005; Olivier Crête <tester@gentoo.org> sudo-1.6.8_p9.ebuild: Stable on x86 diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest index 47f551c0abb0..40d9c534cfda 100644 --- a/app-admin/sudo/Manifest +++ b/app-admin/sudo/Manifest 
@@ -1,33 +1,19 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
 MD5 e3427ce9192c5cee97c6637199066f5e sudo-1.6.8_p9.ebuild 6040
-MD5 994fa3d27c4fddfd287e805b67f5434c sudo-1.6.7_p5-r4.ebuild 1497
-MD5 077de261b8646214d8ff13d44933ffda ChangeLog 9323
 MD5 1830dd653b9b5b92fa5cc86823e06d65 sudo-1.6.7_p5-r2.ebuild 1438
-MD5 eec74c7e7844116754be94ca7ed74d49 sudo-1.6.8_p8-r2.ebuild 4708
-MD5 682dc1426cfd3869d86ba74169674ff0 sudo-1.6.8_p8-r3.ebuild 5760
+MD5 c3925c17adb0e92e6148fd575073c2b4 sudo-1.6.8_p9-r1.ebuild 6135
+MD5 077de261b8646214d8ff13d44933ffda ChangeLog 9323
 MD5 02caf6e86d5e08fd89baccd299a0ee3c sudo-1.6.7_p5-r5.ebuild 1508
 MD5 8fc22f08ecb2e292e60ce7553c58d0c2 metadata.xml 222
-MD5 6c08a6d5527a45278ebc165df7f0031d files/sudo-1.6.8_p8 223
-MD5 0c8a06b3d3d86e988a826c8d9e86dbbf files/digest-sudo-1.6.8_p8-r2 64
-MD5 59acf8b0292a8e60b5277b5dc952cfc4 files/sudoers 1645
-MD5 0c8a06b3d3d86e988a826c8d9e86dbbf files/digest-sudo-1.6.8_p8-r3 64
-MD5 b1fc3dd8440dc02690820c01190106a3 files/sudo-strip-shellopts.diff 316
-MD5 4362800877ccb8e27de5437707d8a954 files/sudo-strip-bash-functions.diff 1335
-MD5 b906eb71f7564707384cfa9fc80c1b5f files/sudo-1.6.7_p5-strip-bash-functions.diff 1101
-MD5 ea5d9d51e647a2dbd410d952019ff19b files/digest-sudo-1.6.7_p5-r4 64
-MD5 0b50aabedf9bb326893b5f1c333e46b2 files/sudo-skeychallengeargs.diff 567
-MD5 375b1725c7c89570ce74eba2a96b767d files/digest-sudo-1.6.8_p9 64
 MD5 a5463236fbb98e4ee6b1a0faba8c9c52 files/sudo 135
 MD5 ea5d9d51e647a2dbd410d952019ff19b files/digest-sudo-1.6.7_p5-r2 64
 MD5 ea5d9d51e647a2dbd410d952019ff19b files/digest-sudo-1.6.7_p5-r5 64
+MD5 6c08a6d5527a45278ebc165df7f0031d files/sudo-1.6.8_p8 223
+MD5 375b1725c7c89570ce74eba2a96b767d files/digest-sudo-1.6.8_p9-r1 64
+MD5 0b50aabedf9bb326893b5f1c333e46b2 files/sudo-skeychallengeargs.diff 567
+MD5 59acf8b0292a8e60b5277b5dc952cfc4 files/sudoers 1645
+MD5 b906eb71f7564707384cfa9fc80c1b5f files/sudo-1.6.7_p5-strip-bash-functions.diff 1101
+MD5 b1fc3dd8440dc02690820c01190106a3 files/sudo-strip-shellopts.diff 316
 MD5 774b75e759fe13c7334c523b1db8ab2e files/sudo_include 67
 MD5 4a46750ff53c19dbfed39d894dd6ff4d files/sudo-1.6.8_p8-ldap-tls_cacert.diff 542
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.1 (GNU/Linux)
-
-iD8DBQFCui36mOfEJZHYOKcRAsrJAJ47BDq8d4A9GPxlwn2T7F0+3dQGXgCeNWL0
-ymxIVKrPW19sW27gKw9lWkU=
-=jhXU
------END PGP SIGNATURE-----
+MD5 4362800877ccb8e27de5437707d8a954 files/sudo-strip-bash-functions.diff 1335
+MD5 375b1725c7c89570ce74eba2a96b767d files/digest-sudo-1.6.8_p9 64
diff --git a/app-admin/sudo/files/digest-sudo-1.6.7_p5-r4 b/app-admin/sudo/files/digest-sudo-1.6.7_p5-r4
deleted file mode 100644
index 2875abeb053d..000000000000
--- a/app-admin/sudo/files/digest-sudo-1.6.7_p5-r4
+++ /dev/null
@@ -1 +0,0 @@
-MD5 55d503e5c35bf1ea83d38244e0242aaf sudo-1.6.7p5.tar.gz 349785
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p8-r2 b/app-admin/sudo/files/digest-sudo-1.6.8_p8-r2
deleted file mode 100644
index 943da7ce48cd..000000000000
--- a/app-admin/sudo/files/digest-sudo-1.6.8_p8-r2
+++ /dev/null
@@ -1 +0,0 @@
-MD5 7a60e95d0931dcf3caff7929e974d5cc sudo-1.6.8p8.tar.gz 585608
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p8-r3 b/app-admin/sudo/files/digest-sudo-1.6.8_p8-r3
deleted file mode 100644
index 943da7ce48cd..000000000000
--- a/app-admin/sudo/files/digest-sudo-1.6.8_p8-r3
+++ /dev/null
@@ -1 +0,0 @@
-MD5 7a60e95d0931dcf3caff7929e974d5cc sudo-1.6.8p8.tar.gz 585608
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9-r1 b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r1
new file mode 100644
index 000000000000..0629e17e9dd7
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r1
@@ -0,0 +1 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/sudo-1.6.7_p5-r4.ebuild b/app-admin/sudo/sudo-1.6.7_p5-r4.ebuild
deleted file mode 100644
index f0202909d97f..000000000000
--- a/app-admin/sudo/sudo-1.6.7_p5-r4.ebuild
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.7_p5-r4.ebuild,v 1.6 2005/06/15 06:55:11 corsair Exp $
-
-inherit eutils pam
-
-#
-# TODO: Fix support for krb4 and krb5
-#
-
-DESCRIPTION="Allows certain users/groups to run commands as root"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${P/_/}.tar.gz"
-
-LICENSE="Sudo"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm hppa ~ia64 ~mips ppc ppc64 ~s390 sparc x86"
-IUSE="pam skey"
-
-DEPEND="pam? ( >=sys-libs/pam-0.73-r1 ) skey? ( >=app-admin/skey-1.1.5-r1 )"
-
-S=${WORKDIR}/${P/_/}
-
-src_unpack() {
- unpack ${A}; cd ${S}
- use skey && epatch ${FILESDIR}/${PN}-skeychallengeargs.diff
- epatch ${FILESDIR}/${P}-strip-bash-functions.diff
- epatch ${FILESDIR}/${PN}-strip-shellopts.diff
-}
-
-src_compile() {
- econf \
- --with-all-insults \
- --disable-path-info \
- --with-env-editor \
- $(use_with pam) \
- $(use_with skey) \
- || die "econf failed"
- emake || die
-}
-
-src_install() {
- einstall || die
- dodoc BUGS CHANGES HISTORY PORTING README RUNSON TODO \
- TROUBLESHOOTING UPGRADE sample.*
-
- dopamd ${FILESDIR}/sudo
-
- insinto /etc
- doins ${FILESDIR}/sudoers
- fperms 0440 /etc/sudoers
-}
-
-pkg_postinst() {
- use skey && use pam && {
- ewarn "sudo will not use skey authentication when compiled with"
- ewarn "pam support. to allow users to authenticate with one time"
- ewarn "passwords, you should unset the pam USE flag for sudo."
- }
-}
diff --git a/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild b/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild
deleted file mode 100644
index 6d5f241ae2de..000000000000
--- a/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild
+++ /dev/null
@@ -1,131 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p8-r2.ebuild,v 1.16 2005/06/06 22:57:30 taviso Exp $
-
-inherit eutils pam
-
-# TODO: Fix support for krb4 and krb5
-
-DESCRIPTION="Allows certain users/groups to run commands as root"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${P/_/}.tar.gz"
-LICENSE="Sudo"
-SLOT="0"
-KEYWORDS="~x86"
-IUSE="pam skey offensive ldap"
-
-DEPEND="pam? ( >=sys-libs/pam-0.73-r1 ) skey? ( >=app-admin/skey-1.1.5-r1 )
- ldap? ( >=net-nds/openldap-2.1.30-r1 )"
-S=${WORKDIR}/${P/_/}
-
-src_unpack() {
- unpack ${A}; cd ${S}
-
- # compatability fix.
- use skey && epatch ${FILESDIR}/${PN}-skeychallengeargs.diff
-
- # additional variables to disallow, should user disable env_reset.
-
- # NOTE: this is not a supported mode of operation, these variables
- # are added to the blacklist as a convenience to administrators
- # who fail to heed the warnings of allowing untrusted users
- # to access sudo.
- #
- # there is *no possible way* to foresee all attack vectors in
- # all possible applications that could potentially be used via
- # sudo, these settings will just delay the inevitable.
- #
- # that said, I will accept suggestions for variables that can
- # be misused in _common_ interpreters or libraries, such as
- # perl, bash, python, ruby, etc., in the hope of dissuading
- # a casual attacker.
-
- # XXX: perl should be using suid_perl.
- # XXX: users can remove/add more via env_delete and env_check.
- # XXX: <?> = probably safe enough for most circumstances.
-
- einfo "Blacklisting common variables (env_delete)..."
- sudo_bad_var 'SHELLOPTS' # bash, change shoptions.
- sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
- sudo_bad_var 'PERL5LIB' # perl, change search path.
- sudo_bad_var 'PERLLIB' # perl, change search path.
-# sudo_bad_var 'PERL_HASH_SEED' # perl, change seed. <?>
-# sudo_bad_var 'PERL_HASH_SEED_DEBUG' # perl, disclose seed. <?>
-# sudo_bad_var 'PERL_SIGNALS' # perl, use deferred signals. <?>
- sudo_bad_var 'FPATH' # ksh, search path for functions.
- sudo_bad_var 'PS4' # sh, in case set -x is used. <?>
-# sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
-# sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
-# sudo_bad_var 'TMPPREFIX' # zsh, prefix for tmp files. <?>
- sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
- sudo_bad_var 'PERL5OPT' # perl, set options.
- sudo_bad_var 'PYTHONHOME' # python, module search path.
- sudo_bad_var 'PYTHONPATH' # python, search path.
- sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
- sudo_bad_var 'RUBYLIB' # ruby, lib load path.
- sudo_bad_var 'RUBYOPT' # ruby, cl options.
-# sudo_bad_var 'RUBYPATH' # ruby, script search path. <?>
- sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
- einfo "...done."
-}
-
-src_compile() {
- local line ROOTPATH
-
- # FIXME: secure_path is a compile time setting. using ROOTPATH
- # is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- ebegin "Setting secure_path..."
-
- # why not use grep? variable might be expanded from other variables
- # declared in that file. cannot just source the file, would override
- # any variables already set.
- eval `PS4= bash -x /etc/profile.env 2>&1 | \
- while read line; do
- case $line in
- ROOTPATH=*) echo $line; break;;
- *) continue;;
- esac
- done` || ewarn "failed to find secure_path, please report this"
- eend $?
-
- econf --with-secure-path="/bin:/sbin:/usr/bin:/usr/sbin:${ROOTPATH:-/usr/local/bin}" --with-env-editor \
- `use_with offensive insults` \
- `use_with offensive all-insults` \
- `use_with pam` \
- `use_with skey` \
- `use_with ldap` || die
-
- # disallow lazy bindings
- emake SUDO_LDFLAGS="-Wl,-z,now" || die
-}
-
-src_install() {
- einstall || die
- dodoc BUGS CHANGES HISTORY PORTING README RUNSON TODO \
- TROUBLESHOOTING UPGRADE sample.*
-
- use pam && newpamd ${FILESDIR}/sudo-${PV} sudo
-
- insinto /etc
- doins ${FILESDIR}/sudoers
-
- fperms 0440 /etc/sudoers
-}
-
-sudo_bad_var() {
- local target='env.c' marker='\*initial_badenv_table\[\]'
-
- # add $1 to initial_badenv_table[].
- ebegin " $1"
- sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' ${S}/${target}
- eend $?
-}
-
-pkg_postinst() {
- use skey && use pam && {
- ewarn "sudo will not use skey authentication when compiled with"
- ewarn "pam support. to allow users to authenticate with one time"
- ewarn "passwords, you should unset the pam USE flag for sudo."
- }
-}
diff --git a/app-admin/sudo/sudo-1.6.8_p8-r3.ebuild b/app-admin/sudo/sudo-1.6.8_p9-r1.ebuild
index 09a4eb660f30..3f3027102ded
--- a/app-admin/sudo/sudo-1.6.8_p8-r3.ebuild
+++ b/app-admin/sudo/sudo-1.6.8_p9-r1.ebuild
@@ -1,21 +1,24 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p8-r3.ebuild,v 1.13 2005/06/19 00:05:56 kloeri Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p9-r1.ebuild,v 1.1 2005/06/29 14:36:06 taviso Exp $ inherit eutils pam # TODO: Fix support for krb4 and krb5 -DESCRIPTION="Allows certain users/groups to run commands as root" +DESCRIPTION="Allows users or groups to run commands as other users" HOMEPAGE="http://www.sudo.ws/" SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${P/_/}.tar.gz" LICENSE="Sudo" SLOT="0" -KEYWORDS="~alpha ~amd64 ~ppc64 ~sparc ~x86" +KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86" IUSE="pam skey offensive ldap" -DEPEND="pam? ( virtual/pam ) skey? ( >=app-admin/skey-1.1.5-r1 ) - ldap? ( >=net-nds/openldap-2.1.30-r1 )" +DEPEND="pam? ( || ( virtual/pam sys-libs/pam ) ) + ldap? ( >=net-nds/openldap-2.1.30-r1 ) + skey? ( >=app-admin/skey-1.1.5-r1 ) + sys-devel/bison + virtual/mta" RDEPEND="${DEPEND} ldap? ( dev-lang/perl )" S=${WORKDIR}/${P/_/} @@ -27,7 +30,7 @@ src_unpack() { epatch ${FILESDIR}/${PN}-skeychallengeargs.diff # make tls_cacert synonymous with tls_cacertfile. - epatch ${FILESDIR}/${P}-ldap-tls_cacert.diff + epatch ${FILESDIR}/${PN}-1.6.8_p8-ldap-tls_cacert.diff # additional variables to disallow, should user disable env_reset. @@ -111,6 +114,7 @@ src_compile() { $(use_with offensive all-insults) \ $(use_with pam) \ $(use_with skey) \ + $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \ $(use_with ldap) || die # disallow lazy bindings 
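Review bot: The newly added `sys-devel/bison` in DEPEND leaks into the runtime dependency set, because the unchanged context line `RDEPEND="${DEPEND} ldap? ( dev-lang/perl )"` copies DEPEND wholesale; bison is only needed to build and should not be pulled onto every system that installs sudo. A minimal fix is to spell RDEPEND out instead of deriving it, e.g. `RDEPEND="pam? ( || ( virtual/pam sys-libs/pam ) ) ldap? ( >=net-nds/openldap-2.1.30-r1 dev-lang/perl ) skey? ( >=app-admin/skey-1.1.5-r1 ) virtual/mta"` and keep `sys-devel/bison` in DEPEND only. In the third hunk on this line, `$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)` expands to `--without-ldap_conf_file` when USE=-ldap, which configure should ignore, but a one-line comment such as `# keep LDAP credentials (bindpw) out of the world-readable /etc/ldap.conf` would record why the non-default path is used, since that is the whole point of this revision.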
@@ -122,16 +126,27 @@ src_install() { dodoc BUGS CHANGES HISTORY PORTING README RUNSON TODO \ TROUBLESHOOTING UPGRADE sample.* - use ldap && { + if use ldap; then dodoc README.LDAP dosbin sudoers2ldif - } - pamd_mimic_system sudo auth account password session + printf "# See ldap.conf(5) for details\n" > ${T}/ldap.conf.sudo + printf "# This file should only be readable by root\n\n" >> ${T}/ldap.conf.sudo + + insinto /etc + doins ${T}/ldap.conf.sudo + fperms 0440 /etc/ldap.conf.sudo + fi + + if has_version virtual/pam; then + pamd_mimic_system sudo auth account password session + else + newpamd ${FILESDIR}/sudo-1.6.8_p8 sudo + fi insinto /etc doins ${FILESDIR}/sudoers - fperms 0440 /etc/sudoers + fperms 0640 /etc/sudoers } # remove duplicate path entries from $1 @@ -159,9 +174,12 @@ sudo_bad_var() { pkg_postinst() { use skey && use pam && { - ewarn "sudo will not use skey authentication when compiled with" - ewarn "pam support." - ewarn "To allow users to authenticate with one time passwords," - ewarn "you should unset the pam USE flag for sudo." + ewarn "sudo will not use skey authentication when compiled with" + ewarn "pam support." + ewarn "To allow users to authenticate with one time passwords," + ewarn "you should unset the pam USE flag for sudo." + } + use ldap && { + ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration." } } |
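Review bot: The change from `fperms 0440 /etc/sudoers` to `fperms 0640 /etc/sudoers` in the src_install hunk is not explained by the commit message and looks unrelated to the ldap.conf fix; as far as I recall, sudo's configure defaults SUDOERS_MODE to 0440 and the 1.6 series checks the installed file's mode against it on every run, and the econf in the previous hunk passes no `--with-sudoers-mode`, so the installed mode would no longer match what the binary expects. Unless a matching `--with-sudoers-mode=0640` is intended, this line should stay `fperms 0440 /etc/sudoers`. The `/etc/ldap.conf.sudo` handling itself is consistent with the commit's intent: it is created under `${T}`, installed via `doins`, and then restricted with `fperms 0440`, so the credentials it will later hold are root-only; the two `printf` lines could be replaced by a single heredoc for readability, but that is purely cosmetic. The `if has_version virtual/pam` branch is evaluated at install time regardless of USE=pam, which mirrors the previous unconditional `pamd_mimic_system` call, so that behaviour is not new here.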