%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1} %define WITH_SELINUX 1 %endif Summary: Allows restricted root access for specified users. Name: sudo Version: 1.6.8p9 Release: 2 License: BSD Group: Applications/System Source: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz Patch1: sudo-1.6.8p8-selinux.patch URL: http://www.courtesan.com/sudo/ BuildRoot: %{_tmppath}/%{name}-root Requires: /etc/pam.d/system-auth, vim-minimal BuildRequires: pam-devel, groff %if %{WITH_SELINUX} BuildRequires: libselinux-devel %endif # 154511 – sudo does not use limits.conf Patch2: sudo-1.6.8p8-pam-sess.patch %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. %prep %setup -q %if %{WITH_SELINUX} #SELinux %patch1 -p1 -b .selinux %endif %patch2 -p1 -b .sess %build %ifarch s390 s390x F_PIE=-fPIE %else F_PIE=-fpie %endif export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie" %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ --with-editor=/bin/vi \ --with-env-editor \ --with-ignore-dot \ --with-tty-tickets make %install rm -rf $RPM_BUILD_ROOT mkdir $RPM_BUILD_ROOT make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo mkdir -p $RPM_BUILD_ROOT/etc/pam.d cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_limits.so EOF %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc BUGS CHANGES HISTORY LICENSE README RUNSON TODO TROUBLESHOOTING UPGRADE *.pod %attr(0440,root,root) %config(noreplace) /etc/sudoers %config(noreplace) /etc/pam.d/sudo %dir /var/run/sudo %attr(4111,root,root) %{_bindir}/sudo %attr(4111,root,root) %{_bindir}/sudoedit %attr(0755,root,root) %{_sbindir}/visudo %if %{WITH_SELINUX} %attr(0755,root,root) %{_sbindir}/sesh %endif %{_libexecdir}/sudo_noexec.* %{_mandir}/man5/sudoers.5* %{_mandir}/man8/sudo.8* %{_mandir}/man8/sudoedit.8* %{_mandir}/man8/visudo.8* # Make sure permissions are ok even if we're updating %post /bin/chmod 0440 /etc/sudoers || : %changelog * Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 - Add back in interfaces call, SELinux has been fixed to work around * Tue Jun 21 2005 Karel Zak 1.6.8p9-1 - new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) * Tue May 24 2005 Karel Zak 1.6.8p8-2 - fix #154511 – sudo does not use limits.conf * Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 - new version 1.6.8p8: new sudoedit and sudo_noexec * Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 - added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh * Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 - Remove full patch check from sesh * Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 - Fix selinux patch to switch to root user * Tue Jun 15 2004 Elliot Lee - rebuilt * Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 - Eliminate tty handling from selinux * Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 - fixed spec file: sesh in file section with selinux flag (#119682) * Thu Mar 30 2004 Colin Walters 1.6.7p5-24 - Enhance sesh.c to fork/exec children itself, to avoid having sudo reap all domains. - Only reinstall default signal handlers immediately before exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 - change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 - Add /bin/sesh to run selinux code. - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 - Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. * Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 - SELinux fixes to make transitions work properly * Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 - pied sudo * Fri Feb 13 2004 Elliot Lee - rebuilt * Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 - Eliminate interfaces call, since this requires big SELinux privs - and it seems to be useless. * Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 - visudo requires vim-minimal or setting EDITOR to something useful (#68605) * Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 - Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. * Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 - Fix usage message * Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 - Clean up sudo.te to not blow up if pam.te not present * Thu Dec 18 2003 Thomas Woerner - added missing BuildRequires for groff * Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 - remove left-over debugging code * Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 - Fix terminal handling that caused Sudo to exit on non selinux machines. * Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 - Remove sudo_var_run_t which is now pam_var_run_t * Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 - Fix terminal handling and policy * Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 - Fix policy * Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel - Turn on SELinux support * Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 - Add support for SELinux * Wed Jun 04 2003 Elliot Lee - rebuilt * Mon May 19 2003 Thomas Woerner 1.6.7p5-1 * Wed Jan 22 2003 Tim Powers - rebuilt * Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 - remove absolute path names from the PAM configuration, ensuring that the right modules get used for whichever arch we're built for - don't try to install the FAQ, which isn't there any more * Thu Jun 27 2002 Bill Nottingham 1.6.6-1 - update to 1.6.6 * Fri Jun 21 2002 Tim Powers - automated rebuild * Thu May 23 2002 Tim Powers - automated rebuild * Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 - Fix bug #63768 * Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 - 1.6.5p2 * Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 - 1.6.5p1 - Hope this "a new release per day" madness stops ;) * Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 - 1.6.5 * Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 - 1.6.4p1 * Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 - Update to 1.6.4 * Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 - Add build requirements (#49706) - s/Copyright/License/ - bzip2 source * Sat Jun 16 2001 Than Ngo - update to 1.6.3p7 - use %%{_tmppath} * Fri Feb 23 2001 Bernhard Rosenkraenzer - 1.6.3p6, fixes buffer overrun * Tue Oct 10 2000 Bernhard Rosenkraenzer - 1.6.3p5 * Wed Jul 12 2000 Prospector - automatic rebuild * Tue Jun 06 2000 Karsten Hopp - fixed owner of sudo and visudo * Thu Jun 1 2000 Nalin Dahyabhai - modify PAM setup to use system-auth - clean up buildrooting by using the makeinstall macro * Tue Apr 11 2000 Bernhard Rosenkraenzer - initial build in main distrib - update to 1.6.3 - deal with compressed man pages * Tue Dec 14 1999 Preston Brown - updated to 1.6.1 for Powertools 6.2 - config files are now noreplace. * Thu Jul 22 1999 Tim Powers - updated to 1.5.9p2 for Powertools 6.1 * Wed May 12 1999 Bill Nottingham - sudo is configured with pam. There's no pam.d file. Oops. * Mon Apr 26 1999 Preston Brown - upgraded to 1.59p1 for powertools 6.0 * Tue Oct 27 1998 Preston Brown - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Fri Oct 08 1998 Michael Maher - built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file. * Thu Jan 29 1998 Otto Hammersmith - updated to 1.5.4 * Tue Nov 18 1997 Otto Hammersmith - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright - Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD.