%set
if test -n "$flavor"; then
name="sudo-$flavor"
pp_kit_package="sudo_$flavor"
else
name="sudo"
pp_kit_package="sudo"
fi
summary="Provide limited super-user priveleges to specific users"
description="Sudo is a program designed to allow a sysadmin to give \
limited root privileges to users and log root activity. \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."
vendor="Todd C. Miller"
copyright="(c) 1993-1996,1998-2010 Todd C. Miller"
# Convert to 4 part version for AIX, including patch level
pp_aix_version=`echo $version|sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/' -e 's/[^0-9]*\([0-9]*\)$/.\1/'`
# Strip of patchlevel for kit which only supports x.y.z versions
pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/p[0-9]*$//'`"
pp_kit_name="TCM"
pp_sd_vendor_tag="TCM"
pp_solaris_name="TCM$"
%if [rpm,deb]
# Convert patch level into release and remove from version
pp_rpm_release="`echo $version|sed 's/^[0-9]*\.[0-9]*\.[0-9]*[^0-9]*//'`"
pp_rpm_release="`expr $pp_rpm_release + 1`"
pp_rpm_version="`echo $version|sed 's/p[0-9]*$//'`"
pp_rpm_license="BSD"
pp_rpm_url="http://www.sudo.ws/"
pp_rpm_group="Applications/System"
pp_rpm_packager="Todd.Miller@courtesan.com"
pp_deb_maintainer="$pp_rpm_packager"
pp_deb_release="$pp_rpm_release"
pp_deb_version="$pp_rpm_version"
%else
# For all but RPM and Debian we need to install sudoers with a different
# name and make a copy of it if there is no existing file.
mv $$sudoersdir/sudoers $$sudoersdir/sudoers.dist
%endif
%set [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
case "$pp_rpm_distro" in
centos*|rhel*)
pp_rpm_release="$pp_rpm_release.el$"
;;
sles*)
pp_rpm_release="$pp_rpm_release.sles$osrelease"
;;
esac
# Uncomment some Defaults in sudoers
# Note that the order must match that of sudoers.
case "$pp_rpm_distro" in
centos*|rhel*)
/bin/ed - $$/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/Desktop path settings/+1,s/^# //
w
q
EOF
;;
sles*)
/bin/ed - $$/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/ConsoleKit session/+1,s/^# //
/allow any user to run sudo if they know the password/+2,s/^# //
/allow any user to run sudo if they know the password/+3,s/^# //
w
q
EOF
;;
esac
# For RedHat the doc dir is expected to include version and release
case "$pp_rpm_distro" in
centos*|rhel*)
mv $/$ $/$-$-$
docdir=$-$-$
;;
esac
# Choose the correct PAM file by distro, must be tab indented for "<<-"
case "$pp_rpm_distro" in
centos*|rhel*)
mkdir -p $/etc/pam.d
if test $osrelease -lt 50; then
cat > $/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so
EOF
else
cat > $/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
EOF
cat > $/etc/pam.d/sudo-i <<-EOF
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
EOF
fi
;;
sles*)
mkdir -p $/etc/pam.d
if test $osrelease -lt 10; then
cat > $/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_unix2.so
session required pam_limits.so
EOF
else
cat > $/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
EOF
fi
;;
esac
%set [deb]
# Uncomment some Defaults and the %sudo rule in sudoers
# Note that the order must match that of sudoers and be tab-indented.
/bin/ed - $$/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/X11 resource/+1,s/^# //
/^# \%sudo/,s/^# //
w
q
EOF
mkdir -p $/etc/pam.d
cat > $/etc/pam.d/sudo <<-EOF
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
EOF
%set [aix]
summary="Configurable super-user privileges"
%files
$bindir/sudo 4111 root:
$bindir/sudoedit 4111 root:
$sbindir/visudo 0111
$bindir/sudoreplay 0111
$libexecdir/*
$sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
$timedir/ 0700 root:
$docdir/
$docdir/*
/etc/pam.d/* volatile,optional
%if [rpm,deb]
$sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%else
$sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%endif
%files [!aix]
$mandir/man*/*
%files [aix]
# Some versions use catpages, some use manpages.
$mandir/cat*/* optional
$mandir/man*/* optional
%post [!rpm,deb]
# Don't overwrite an existing sudoers file
sudoersdir=%{sudoersdir}
if test ! -r $sudoersdir/sudoers; then
cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers
fi
%post [deb]
# dpkg-deb does not maintain the mode on the sudoers file, and
# installs it 0640 when sudo requires 0440
chmod %{sudoers_mode} %{sudoersdir}/sudoers
# create symlink to ease transition to new path for ldap config
# if old config file exists and new one doesn't
if test X"%" = X"ldap" -a \
-r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
fi
# Debian uses a sudo group in its default sudoers file
perl -e '
exit 0 if getgrnam("sudo");
$gid = 27; # default debian sudo gid
setgrent();
while (getgrgid($gid)) { $gid++; }
if ($gid != 27) {
print "On Debian we normally use gid 27 for \"sudo\".\n";
$gname = getgrgid(27);
print "However, on your system gid 27 is group \"$gname\".\n\n";
print "Would you like me to stop configuring sudo so that you can change this? [n] ";
$ans = <STDIN>;
if ($ans =~ /^[yY]/) {
print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
exit 1;
}
}
print "Creating group \"sudo\" with gid = $gid\n";
system("groupadd -g $gid sudo");
exit 0;
'
%preun [deb]
# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
# it matches what we created in the postinstall script.
if test X"%" = X"ldap" -a \
X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
rm -f /etc/sudo-ldap.conf
fi