Use tab indents to reduce the chance of problem with <<-

Fix the debian %set section, pp does not set pp_deb_distro Uncomment %sudo line in sudoers for debian Uncomment some env_keep lines for RHEL, SLES and debian to more closely match the vendor sudoers files. Add /etc/pam.d to %files Remove the /etc/sudo-ldap.conf symlink on debian for ldap flavor
2025-08-29 05:17:54 +00:00 · 2010-07-15 15:12:34 -04:00 · 2010-07-15 15:12:34 -04:00 · 8a837375d0
commit 8a837375d0
parent af0bac430a
1 changed files with 185 additions and 153 deletions
--- a/sudo.pp
+++ b/sudo.pp
@ -1,107 +1,138 @@
 %set
-  if test -n "$SUDO_FLAVOR"; then
+	if test -n "$SUDO_FLAVOR"; then
-    name="sudo-$SUDO_FLAVOR"
+		name="sudo-$SUDO_FLAVOR"
-  else
+	else
-    name="sudo"
+		name="sudo"
-  fi
+	fi
-  summary="Provide limited super-user priveleges to specific users"
+	summary="Provide limited super-user priveleges to specific users"
-  description="Sudo is a program designed to allow a sysadmin to give \
+	description="Sudo is a program designed to allow a sysadmin to give \
 limited root privileges to users and log root activity.  \
 The basic philosophy is to give as few privileges as possible but \
 still allow people to get their work done."
-  vendor="Todd C. Miller"
+	vendor="Todd C. Miller"
-  copyright="(c) 1993-1996,1998-2010 Todd C. Miller"
+	copyright="(c) 1993-1996,1998-2010 Todd C. Miller"
-  pp_rpm_release="1"
+	pp_rpm_release="1"
-  pp_rpm_license="BSD"
+	pp_rpm_license="BSD"
-  pp_rpm_url="http://www.sudo.ws/"
+	pp_rpm_url="http://www.sudo.ws/"
-  pp_rpm_group="Applications/System"
+	pp_rpm_group="Applications/System"
-  pp_rpm_packager="Todd.Miller@courtesan.com"
+	pp_rpm_packager="Todd.Miller@courtesan.com"
-  pp_deb_maintainer="Todd.Miller@courtesan.com"
+	pp_deb_maintainer="Todd.Miller@courtesan.com"
-  pp_sd_vendor_tag="TCM"
+	pp_sd_vendor_tag="TCM"
-  pp_solaris_name="TCMsudo"
+	pp_solaris_name="TCMsudo"
 %set [rpm]
-  # Add distro info to release
+	# Add distro info to release
-  case "$pp_rpm_distro" in
+	case "$pp_rpm_distro" in
-    centos*|rhel*)
+	centos*|rhel*)
-	d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'`
+		d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'`
-	if test -n "$d"; then
+		if test -n "$d"; then
-	    pp_rpm_release="$pp_rpm_release.el$d"
+		    pp_rpm_release="$pp_rpm_release.el$d"
-	fi
+		fi
-	;;
+		;;
-    sles*)
+	sles*)
-	d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'`
+		d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'`
-	if test -n "$d"; then
+		if test -n "$d"; then
-	    pp_rpm_release="$pp_rpm_release.sles$d"
+		    pp_rpm_release="$pp_rpm_release.sles$d"
-	fi
+		fi
-	;;
+		;;
-  esac
+	esac
-  # For RedHat the doc dir is expected to include version and release
+	# Uncomment some Defaults in sudoers.dist
-  case "$pp_rpm_distro" in
+	# Note that the order must match that of sudoers.
-    centos*|rhel*)
+	case "$pp_rpm_distro" in
-      mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-1
+	centos*|rhel*)
-      docdir=${docdir}-${version}-1
+		# Uncomment some Defaults in sudoers.dist, must be tab indented.
-      ;;
+		# Note that the order must match that of sudoers.
-  esac
+		/bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF'
 		/Locale settings/+1,s/^# //
 		/Desktop path settings/+1,s/^# //
 		w
 		q
 		EOF
 		;;
 	sles*)
 		# Uncomment some Defaults in sudoers.dist, must be tab indented.
 		# Note that the order must match that of sudoers.
 		/bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF'
 		/Locale settings/+1,s/^# //
 		/ConsoleKit session/+1,s/^# //
 		w
 		q
 		EOF
 		;;
 	esac
-  # Choose the correct PAM file by distro
+	# For RedHat the doc dir is expected to include version and release
-  case "$pp_rpm_distro" in
+	case "$pp_rpm_distro" in
-    centos[0-4].*|rhel[0-4].*)
+	centos*|rhel*)
-        mkdir -p ${pp_destdir}/etc/pam.d
+		mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-1
-	cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+		docdir=${docdir}-${version}-1
-	#%PAM-1.0
+		;;
-	auth       required	pam_stack.so service=system-auth
+	esac
-	account    required	pam_stack.so service=system-auth
+
-	password   required	pam_stack.so service=system-auth
+	# Choose the correct PAM file by distro, must be tab indented for "<<-"
-	session    required	pam_limits.so
+	case "$pp_rpm_distro" in
-	EOF
+	centos[0-4].*|rhel[0-4].*)
-	;;
+		mkdir -p ${pp_destdir}/etc/pam.d
-    centos*|rhel*)
+		cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
-        mkdir -p ${pp_destdir}/etc/pam.d
+		#%PAM-1.0
-	cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+		auth       required	pam_stack.so service=system-auth
-	#%PAM-1.0
+		account    required	pam_stack.so service=system-auth
-	auth       include	system-auth
+		password   required	pam_stack.so service=system-auth
-	account    include	system-auth
+		session    required	pam_limits.so
-	password   include	system-auth
+		EOF
-	session    optional	pam_keyinit.so revoke
+		;;
-	session    required	pam_limits.so
+	centos*|rhel*)
-	EOF
+		mkdir -p ${pp_destdir}/etc/pam.d
-	cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
+		cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
-	#%PAM-1.0
+		#%PAM-1.0
-	auth       include	sudo
+		auth       include	system-auth
-	account    include	sudo
+		account    include	system-auth
-	password   include	sudo
+		password   include	system-auth
-	session    optional	pam_keyinit.so force revoke
+		session    optional	pam_keyinit.so revoke
-	session    required	pam_limits.so
+		session    required	pam_limits.so
-	EOF
+		EOF
-	;;
+		cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
-    sles9.*)
+		#%PAM-1.0
-        mkdir -p ${pp_destdir}/etc/pam.d
+		auth       include	sudo
-	cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+		account    include	sudo
-	#%PAM-1.0
+		password   include	sudo
-	auth     required       pam_unix2.so
+		session    optional	pam_keyinit.so force revoke
-	session  required       pam_limits.so
+		session    required	pam_limits.so
-	EOF
+		EOF
-	;;
+		;;
-    sles*)
+	  sles9.*)
-        mkdir -p ${pp_destdir}/etc/pam.d
+		mkdir -p ${pp_destdir}/etc/pam.d
-	cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+		cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
-	#%PAM-1.0
+		#%PAM-1.0
-	auth     include	common-auth
+		auth     required       pam_unix2.so
-	account  include	common-account
+		session  required       pam_limits.so
-	password include	common-password
+		EOF
-	session  include	common-session
+		;;
-	# session  optional	pam_xauth.so
+	  sles*)
-	EOF
+		mkdir -p ${pp_destdir}/etc/pam.d
-	;;
+		cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
-  esac
+		#%PAM-1.0
 		auth     include	common-auth
 		account  include	common-account
 		password include	common-password
 		session  include	common-session
 		# session  optional	pam_xauth.so
 		EOF
 		;;
 	esac
 %set [deb]
-  # Choose the correct PAM file by distro
+	# Uncomment some Defaults and the %sudo rule in sudoers.dist
-  case "$pp_deb_distro" in
+	# Note that the order must match that of sudoers and be tab-indented.
-    deb*)
+	/bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF'
-        mkdir -p ${pp_destdir}/etc/pam.d
+	/Locale settings/+1,s/^# //
 	/X11 resource/+1,s/^# //
 	/^# \%sudo/,s/^# //
 	w
 	q
 	EOF
 	mkdir -p ${pp_destdir}/etc/pam.d
 	cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
 	#%PAM-1.0
@ -111,77 +142,78 @@ still allow people to get their work done."
 	session required pam_permit.so
 	session required pam_limits.so
 	EOF
 	;;
  esac
 %set [aix]
-  pp_aix_version=`echo $version | sed -e 's,\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\)q\([0-9][0-9]*\),\1.\2.\3.\4,'`
+	pp_aix_version=`echo $version | sed -e 's,\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\)q\([0-9][0-9]*\),\1.\2.\3.\4,'`
-  summary="Configurable super-user privileges"
+	summary="Configurable super-user privileges"
 %files
-  $bindir/sudo        4111 root:
+	$bindir/sudo        4111 root:
-  $bindir/sudoedit    4111 root:
+	$bindir/sudoedit    4111 root:
-  $sbindir/visudo     0111
+	$sbindir/visudo     0111
-  $bindir/sudoreplay  0111
+	$bindir/sudoreplay  0111
-  $libexecdir/*
+	$includedir/sudo_plugin.h
-  $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
+	$libexecdir/*
-  $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
+	$sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
-  $timedir/	      0700 root:
+	$sudoersdir/sudoers.d/	0750 $sudoers_uid:$sudoers_gid
-  $docdir/
+	$timedir/		0700 root:
-  $docdir/*
+	$docdir/
-  $includedir/sudo_plugin.h
+	$docdir/*
 	/etc/pam.d/*		volatile,optional
 %files [!aix]
-  $mandir/man*/*
+	$mandir/man*/*
 %files [aix]
-  # Some versions use catpages, some use manpages.
+	# Some versions use catpages, some use manpages.
-  $mandir/cat*/* optional
+	$mandir/cat*/* optional
-  $mandir/man*/* optional
+	$mandir/man*/* optional
 %files [rpm]
  /etc/pam.d/* volatile,optional
 %post
-  # Don't overwrite an existing sudoers file
+	# Don't overwrite an existing sudoers file
-  sysconfdir=%{sysconfdir}
+	sudoersdir=%{sudoersdir}
-  if test ! -r $sysconfdir/sudoers; then
+	if test ! -r $sudoersdir/sudoers; then
-    cp -p $sysconfdir/sudoers.dist $sysconfdir/sudoers
+		cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers
-  fi
+	fi
 %post [deb]
-  # dpkg-deb does not maintain the mode on the sudoers file, and
+	# dpkg-deb does not maintain the mode on the sudoers file, and
-  # installs it 0640 when sudo requires 0440
+	# installs it 0640 when sudo requires 0440
-  chmod %{sudoers_mode} %{sudoersdir}/sudoers
+	chmod %{sudoers_mode} %{sudoersdir}/sudoers
-  # create symlink to ease transition to new path for ldap config
+	# create symlink to ease transition to new path for ldap config
-  # if old config file exists and new one doesn't
+	# if old config file exists and new one doesn't
-  if test X"%{SUDO_FLAVOR}" = X"ldap"; then
+	if test X"%{SUDO_FLAVOR}" = X"ldap" -a \
-    if test -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
+	    -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
-      ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
+		ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
-    fi
+	fi
  fi
-  # Debian uses a sudo group in its default sudoers file
+	# Debian uses a sudo group in its default sudoers file
-  perl -e '
+	perl -e '
-    exit 0 if getgrnam("sudo");
+		exit 0 if getgrnam("sudo");
-    $gid = 27; # default debian sudo gid
+		$gid = 27; # default debian sudo gid
-    setgrent();
+		setgrent();
-    while (getgrgid($gid)) { $gid++; }
+		while (getgrgid($gid)) { $gid++; }
-    if ($gid != 27) {
+		if ($gid != 27) {
-      print "On Debian we normally use gid 27 for \"sudo\".\n";
+			print "On Debian we normally use gid 27 for \"sudo\".\n";
-      $gname = getgrgid(27);
+			$gname = getgrgid(27);
-      print "However, on your system gid 27 is group \"$gname\".\n\n";
+			print "However, on your system gid 27 is group \"$gname\".\n\n";
-      print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
+			print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
-      $ans = <STDIN>;
+			$ans = <STDIN>;
-      if ($ans =~ /^[yY]/) {
+			if ($ans =~ /^[yY]/) {
-	print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
+				print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
-	exit 1;
+				exit 1;
-      }
+			}
-    }
+		}
-    print "Creating group \"sudo\" with gid = $gid\n";
+		print "Creating group \"sudo\" with gid = $gid\n";
-    system("groupadd -g $gid sudo");
+		system("groupadd -g $gid sudo");
-    exit 0;
+		exit 0;
-  '
+	'
-# vim:ts=2:sw=2:et
+%preun [deb]
 	# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
 	# it matches what we created in the postinstall script.
 	if test X"%{SUDO_FLAVOR}" = X"ldap" -a \
 	    X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
 		rm -f /etc/sudo-ldap.conf
 	fi