diff --git a/0001-fix-compile-error-undefined-reference-to-sys_sigabbr.patch b/0001-fix-compile-error-undefined-reference-to-sys_sigabbr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fedf3e334eef41c68a0a0faff18a455718329595
--- /dev/null
+++ b/0001-fix-compile-error-undefined-reference-to-sys_sigabbr.patch
@@ -0,0 +1,387 @@ +From 2c066e021947d7a876cf4fd22cfdc8aa783401ec Mon Sep 17 00:00:00 2001 +From: wanglujun +Date: Mon, 7 Aug 2023 08:57:02 +0800 +Subject: [PATCH] fix compile error: undefined reference to sys_sigabbrev + +--- + lib/util/src/sig2str.rs | 163 ++++++++++++++++++++++++++++++++++++---- + lib/util/src/str2sig.rs | 147 +++++++++++++++++++++++++++++++++++- + 2 files changed, 291 insertions(+), 19 deletions(-) + +diff --git a/lib/util/src/sig2str.rs b/lib/util/src/sig2str.rs +index 05838c8..be45208 100644 +--- a/lib/util/src/sig2str.rs ++++ b/lib/util/src/sig2str.rs +@@ -49,19 +49,10 @@ macro_rules! NSIG { + }; + } + +-/* sys_sigabbrev is not declared by glibc */ +-// # define sudo_sys_signame sys_sigabbrev +-#[macro_export] +-macro_rules! sudo_sys_signame { +- () => { +- sys_sigabbrev +- }; +-} +- + pub type size_t = libc::c_ulong; +-pub const _SC_RTSIG_MAX: libc::c_int = 31; ++pub const _SC_RTSIG_MAX: libc::c_uint = 31; + pub type __int32_t = libc::c_int; +-pub const _ISlower: libc::c_int = 512; ++pub const _ISlower: libc::c_uint = 512; + + extern "C" { + fn __errno_location() -> *mut libc::c_int; +@@ -75,7 +66,6 @@ extern "C" { + _: ... 
+ ) -> libc::c_int; + fn sudo_strlcpy(dst: *mut libc::c_char, src: *const libc::c_char, siz: size_t) -> size_t; +- static sys_sigabbrev: [*const libc::c_char; 65]; + fn __ctype_toupper_loc() -> *mut *const __int32_t; + fn __ctype_b_loc() -> *mut *const libc::c_ushort; + } +@@ -97,9 +87,150 @@ pub unsafe extern "C" fn sudo_sig2str( + signo: libc::c_int, + signame: *mut libc::c_char, + ) -> libc::c_int { ++ static mut sudo_sys_signame: [*mut libc::c_char; 65] = ++ [0 as *const libc::c_char as *mut libc::c_char; 65]; ++ let mut i: libc::c_int = 0; ++ sudo_sys_signame[0 as libc::c_int as usize] = ++ b"Signal 0\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ if (sudo_sys_signame[1 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[1 as libc::c_int as usize] = ++ b"HUP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[2 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[2 as libc::c_int as usize] = ++ b"INT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[3 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[3 as libc::c_int as usize] = ++ b"QUIT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[4 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[4 as libc::c_int as usize] = ++ b"ILL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[5 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[5 as libc::c_int as usize] = ++ b"TRAP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[6 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[6 as libc::c_int as usize] = ++ b"ABRT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[6 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[6 as libc::c_int as usize] = ++ b"IOT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if 
(sudo_sys_signame[8 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[8 as libc::c_int as usize] = ++ b"FPE\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[9 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[9 as libc::c_int as usize] = ++ b"KILL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[7 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[7 as libc::c_int as usize] = ++ b"BUS\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[11 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[11 as libc::c_int as usize] = ++ b"SEGV\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[31 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[31 as libc::c_int as usize] = ++ b"SYS\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[13 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[13 as libc::c_int as usize] = ++ b"PIPE\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[14 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[14 as libc::c_int as usize] = ++ b"ALRM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[15 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[15 as libc::c_int as usize] = ++ b"TERM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[16 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[16 as libc::c_int as usize] = ++ b"STKFLT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[29 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[29 as libc::c_int as usize] = ++ b"IO\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[24 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[24 as libc::c_int 
as usize] = ++ b"XCPU\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[25 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[25 as libc::c_int as usize] = ++ b"XFSZ\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[26 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[26 as libc::c_int as usize] = ++ b"VTALRM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[27 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[27 as libc::c_int as usize] = ++ b"PROF\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[28 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[28 as libc::c_int as usize] = ++ b"WINCH\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[10 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[10 as libc::c_int as usize] = ++ b"USR1\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[12 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[12 as libc::c_int as usize] = ++ b"USR2\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[30 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[30 as libc::c_int as usize] = ++ b"PWR\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[29 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[29 as libc::c_int as usize] = ++ b"POLL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[19 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[19 as libc::c_int as usize] = ++ b"STOP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[20 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[20 as libc::c_int as usize] = ++ b"TSTP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } 
++ if (sudo_sys_signame[18 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[18 as libc::c_int as usize] = ++ b"CONT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[17 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[17 as libc::c_int as usize] = ++ b"CHLD\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[17 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[17 as libc::c_int as usize] = ++ b"CLD\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[21 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[21 as libc::c_int as usize] = ++ b"TTIN\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[22 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[22 as libc::c_int as usize] = ++ b"TTOU\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[23 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[23 as libc::c_int as usize] = ++ b"URG\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } + /* Realtime signal support. */ + if signo >= SIGRTMIN!() && signo <= SIGRTMAX!() { +- let mut rtmax: libc::c_long = sysconf(_SC_RTSIG_MAX); ++ let rtmax: libc::c_long = sysconf(_SC_RTSIG_MAX as libc::c_int); + if rtmax > 0 { + if signo == SIGRTMIN!() { + sudo_strlcpy( +@@ -134,12 +265,12 @@ pub unsafe extern "C" fn sudo_sig2str( + return 0; + } + +- if signo > 0 && signo < NSIG!() && !sudo_sys_signame!()[signo as usize].is_null() { +- sudo_strlcpy(signame, sudo_sys_signame!()[signo as usize], SIG2STR_MAX!()); ++ if signo > 0 && signo < NSIG!() && !(sudo_sys_signame[signo as usize]).is_null() { ++ sudo_strlcpy(signame, sudo_sys_signame[signo as usize], SIG2STR_MAX!()); + + /* Make sure we always return an upper case signame. 
*/ + if *(*__ctype_b_loc()).offset(*signame.offset(0 as isize) as isize) as libc::c_int +- & _ISlower ++ & _ISlower as libc::c_int as libc::c_ushort as libc::c_int + != 0 + { + let mut i: libc::c_int = 0; +diff --git a/lib/util/src/str2sig.rs b/lib/util/src/str2sig.rs +index d47bda3..00989e8 100644 +--- a/lib/util/src/str2sig.rs ++++ b/lib/util/src/str2sig.rs +@@ -33,7 +33,6 @@ extern "C" { + fn strcmp(_: *const libc::c_char, _: *const libc::c_char) -> libc::c_int; + fn sysconf(__name: libc::c_int) -> libc::c_long; + fn strcasecmp(_: *const libc::c_char, _: *const libc::c_char) -> libc::c_int; +- static sys_sigabbrev: [*const libc::c_char; 65]; + fn __errno_location() -> *mut libc::c_int; + } + +@@ -105,6 +104,148 @@ pub unsafe extern "C" fn sudo_str2sig( + let mut errstr: *const libc::c_char = 0 as *const libc::c_char; + let mut signo: libc::c_int = 0; + ++ static mut sudo_sys_signame: [*mut libc::c_char; 65] = ++ [0 as *const libc::c_char as *mut libc::c_char; 65]; ++ let mut i: libc::c_int = 0; ++ sudo_sys_signame[0 as libc::c_int as usize] = ++ b"Signal 0\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ if (sudo_sys_signame[1 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[1 as libc::c_int as usize] = ++ b"HUP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[2 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[2 as libc::c_int as usize] = ++ b"INT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[3 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[3 as libc::c_int as usize] = ++ b"QUIT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[4 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[4 as libc::c_int as usize] = ++ b"ILL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[5 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[5 as libc::c_int as 
usize] = ++ b"TRAP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[6 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[6 as libc::c_int as usize] = ++ b"ABRT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[6 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[6 as libc::c_int as usize] = ++ b"IOT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[8 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[8 as libc::c_int as usize] = ++ b"FPE\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[9 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[9 as libc::c_int as usize] = ++ b"KILL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[7 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[7 as libc::c_int as usize] = ++ b"BUS\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[11 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[11 as libc::c_int as usize] = ++ b"SEGV\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[31 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[31 as libc::c_int as usize] = ++ b"SYS\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[13 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[13 as libc::c_int as usize] = ++ b"PIPE\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[14 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[14 as libc::c_int as usize] = ++ b"ALRM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[15 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[15 as libc::c_int as usize] = ++ b"TERM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if 
(sudo_sys_signame[16 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[16 as libc::c_int as usize] = ++ b"STKFLT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[29 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[29 as libc::c_int as usize] = ++ b"IO\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[24 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[24 as libc::c_int as usize] = ++ b"XCPU\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[25 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[25 as libc::c_int as usize] = ++ b"XFSZ\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[26 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[26 as libc::c_int as usize] = ++ b"VTALRM\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[27 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[27 as libc::c_int as usize] = ++ b"PROF\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[28 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[28 as libc::c_int as usize] = ++ b"WINCH\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[10 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[10 as libc::c_int as usize] = ++ b"USR1\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[12 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[12 as libc::c_int as usize] = ++ b"USR2\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[30 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[30 as libc::c_int as usize] = ++ b"PWR\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[29 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[29 as 
libc::c_int as usize] = ++ b"POLL\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[19 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[19 as libc::c_int as usize] = ++ b"STOP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[20 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[20 as libc::c_int as usize] = ++ b"TSTP\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[18 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[18 as libc::c_int as usize] = ++ b"CONT\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[17 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[17 as libc::c_int as usize] = ++ b"CHLD\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[17 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[17 as libc::c_int as usize] = ++ b"CLD\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[21 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[21 as libc::c_int as usize] = ++ b"TTIN\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[22 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[22 as libc::c_int as usize] = ++ b"TTOU\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ if (sudo_sys_signame[23 as libc::c_int as usize]).is_null() { ++ sudo_sys_signame[23 as libc::c_int as usize] = ++ b"URG\0" as *const u8 as *const libc::c_char as *mut libc::c_char; ++ } ++ + if (*(*__ctype_b_loc()).offset(*signame.offset(0 as isize) as libc::c_uchar as isize) + as libc::c_int + & _ISdigit as libc::c_ushort as libc::c_int) +@@ -187,8 +328,8 @@ pub unsafe extern "C" fn sudo_str2sig( + + signo = 1; + while signo < NSIG as libc::c_int { +- if !(sys_sigabbrev[signo as usize]).is_null() { +- if strcasecmp(signame, sys_sigabbrev[signo as 
usize]) == 0 { ++ if !(sudo_sys_signame[signo as usize]).is_null() { ++ if strcasecmp(signame, sudo_sys_signame[signo as usize]) == 0 { + *result = signo; + return 0; + } +-- +2.31.1 + diff --git a/utsudo-0.0.1.tar.gz b/utsudo-0.0.1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..ff51db246a65d445cb513f0783ff5559dee92e5f Binary files /dev/null and b/utsudo-0.0.1.tar.gz differ diff --git a/utsudo-ldap.conf b/utsudo-ldap.conf new file mode 100644 index 0000000000000000000000000000000000000000..d8f8e4de09da233b50b429d81d7df567efec91da --- /dev/null +++ b/utsudo-ldap.conf 
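Review bot: The `static mut sudo_sys_signame` table added inside `sudo_sig2str` (and duplicated inside `sudo_str2sig` in the second file) is rewritten on every call — slot 0 unconditionally, the others whenever null — with no synchronisation, and both functions are `pub unsafe extern "C"` entry points, so concurrent callers race on a process-wide global; every entry is a compile-time constant, so the table should be one immutable `static` shared by both files, which also removes the unused `let mut i` and the unreachable second checks on slots 6, 17 and 29 (`IOT`, `CLD` and `POLL` can never be stored because the preceding assignment already filled the slot — if that aliasing is deliberate it deserves a comment). The literals are also cast to `*mut libc::c_char` although they live in read-only memory and every consumer (`sudo_strlcpy`, `strcasecmp`) takes `*const`; keeping them `*const` ensures nothing can ever write through them. Both function bodies continue outside the hunk.
```rust
/// Signal abbreviations indexed by signal number, NUL-terminated so the
/// pointer can be handed straight to the C string helpers. Built once at
/// compile time and never mutated, so no `static mut` and no per-call fill-in.
static SUDO_SYS_SIGNAME: [Option<&[u8]>; 65] = {
    let mut t: [Option<&[u8]>; 65] = [None; 65];
    t[1] = Some(b"HUP\0");
    t[2] = Some(b"INT\0");
    // … one entry per signal, same indices and strings as the hunk …
    t
};

// … unchanged: realtime-signal handling …
if signo > 0 && signo < NSIG!() {
    if let Some(name) = SUDO_SYS_SIGNAME[signo as usize] {
        sudo_strlcpy(signame, name.as_ptr() as *const libc::c_char, SIG2STR_MAX!());
        // … unchanged: upper-casing of the copied name …
    }
}
```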
@@ -0,0 +1,86 @@
+## BINDDN DN
+## The BINDDN parameter specifies the identity, in the form of a Dis‐
+## tinguished Name (DN), to use when performing LDAP operations. If
+## not specified, LDAP operations are performed with an anonymous
+## identity. By default, most LDAP servers will allow anonymous
+## access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+## The BINDPW parameter specifies the password to use when performing
+## LDAP operations. This is typically used in conjunction with the
+## BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+## If the SSL parameter is set to start_tls, the LDAP server connec‐
+## tion is initiated normally and TLS encryption is begun before the
+## bind credentials are sent. This has the advantage of not requiring
+## a dedicated port for encrypted communications. This parameter is
+## only supported by LDAP servers that honor the start_tls extension,
+## such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+## The path to a certificate authority bundle which contains the cer‐
+## tificates for all the Certificate Authorities the client knows to
+## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
+## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
+## use the same certificate database for CA and client certificates
+## (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+## cated to be verified. If the server's TLS certificate cannot be
+## verified (usually because it is signed by an unknown certificate
+## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
+## is disabled, no check is made. Note that disabling the check cre‐
+## ates an opportunity for man-in-the-middle attacks since the
+## server's identity will not be authenticated. If possible, the CA's
+## certificate should be installed locally so it can be verified.
+## This option is not supported by the Tivoli Directory Server LDAP
+## libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+## Specifies a whitespace-delimited list of one or more
+## URIs describing the LDAP server(s) to connect to.
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+## The base DN to use when performing sudo LDAP queries.
+## Multiple SUDOERS_BASE lines may be specified, in which
+## case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+## The BIND_TIMELIMIT parameter specifies the amount of
+## time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+## The TIMELIMIT parameter specifies the amount of time
+## to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+## This sets the debug level for sudo LDAP queries. Debugging
+## information is printed to the standard error. A value of 1
+## results in a moderate amount of debugging information.
+## A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
diff --git a/utsudo.conf b/utsudo.conf
new file mode 100644
index 0000000000000000000000000000000000000000..3047842c4c56c404ee7d711f3a5bd08e4ea2c964
--- /dev/null
+++ b/utsudo.conf
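Review bot: `#tls_checkpeer yes` is shipped commented out, so whether the LDAP server's certificate is verified is left to the LDAP library's own default rather than to this file, even though the paragraph above it explains that an unverified peer lets a man-in-the-middle impersonate the server that will be handed `bindpw` and asked for sudo policy; since the template also offers `ssl start_tls` and `uri`, ship `tls_checkpeer yes` uncommented, or at least add a line stating which behaviour applies when the option is absent. The same paragraph has a typo, "cause the LDAP server's TLS certificated to be verified" should read "certificate".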
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
diff --git a/utsudo.spec b/utsudo.spec
new file mode 100644
index 0000000000000000000000000000000000000000..5ab864fb7b87ecce8a08a1f27c02ff7932527c6c
--- /dev/null
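Review bot: `Set disable_coredump false` on the last line turns the binary's own core-dump protection off and relies on the kernel's `/proc/sys/fs/suid_dumpable` setting mentioned in the comment, but the comment does not say that this is a precondition: on a host where that sysctl is raised for debugging, a crashing setuid `utsudo` would write its memory (password prompt state, policy data) to disk. A one-line note makes the dependency explicit, e.g. `# Safe only while fs.suid_dumpable is 0; set back to true on hosts that enable setuid core dumps.` Two comment lines also look damaged: "own passpass program" should be "askpass", and "systems that support C or its equivalent" reads as a truncated sentence. The plugin comment says paths are relative to `${prefix}/libexec`, while the spec in this commit installs the plugins under `%{_libexecdir}/utsudo/`; worth verifying that the configured plugin directory matches, since otherwise `Plugin sudoers_policy sudoers.so` will not resolve.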
+++ b/utsudo.spec 
@@ -0,0 +1,203 @@
+ExcludeArch: i686
+
+Summary: The tudo respect sudo
+Name: utsudo
+Version: 0.0.1
+Release: 0%{?dist}.01
+License: ISC
+Group: Applications/System
+URL: https://www.sudo.ws/
+
+Source0: %{name}-%{version}.tar.gz
+Source1: utsudoers
+Source2: utsudo-ldap.conf
+Source3: utsudo.conf
+
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
+Requires(post): /bin/chmod
+
+BuildRequires: /usr/sbin/sendmail
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: gettext
+BuildRequires: groff
+BuildRequires: libtool
+BuildRequires: audit-libs-devel
+BuildRequires: libcap-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libselinux-devel
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: zlib-devel
+BuildRequires: cargo
+BuildRequires: rust
+BuildRequires: patchelf
+
+Patch0001: 0001-fix-compile-error-undefined-reference-to-sys_sigabbr.patch
+
+%description
+Sudo (superuser do) allows a system administrator to give certain
+users (or groups of users) the ability to run some (or all) commands
+as root while logging all commands and arguments. Sudo operates on a
+per-command basis. It is not a replacement for the shell. Features
+include: the ability to restrict what commands a user may run on a
+per-host basis, copious logging of each command (providing a clear
+audit trail of who did what), a configurable timeout of the sudo
+command, and the ability to use the same configuration file (sudoers)
+on many different machines.
+
+%prep
+%setup -q
+
+%patch0001 -p1
+
+%build
+# Remove bundled copy of zlib
+rm -rf zlib/
+autoreconf -I m4 -fv --install
+
+%ifarch s390 s390x sparc64
+F_PIE=-fPIE
+%else
+F_PIE=-fpie
+%endif
+
+export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+
+%configure \
+ --prefix=%{_prefix} \
+ --sbindir=%{_sbindir} \
+ --libdir=%{_libdir} \
+ --docdir=%{_pkgdocdir} \
+ --disable-root-mailer \
+ --with-logging=syslog \
+ --with-logfac=authpriv \
+ --with-pam \
+ --with-pam-login \
+ --with-editor=/bin/vi \
+ --with-env-editor \
+ --with-ignore-dot \
+ --with-tty-tickets \
+ --with-ldap \
+ --with-ldap-conf-file="%{_sysconfdir}/utsudo-ldap.conf" \
+ --with-selinux \
+ --with-passprompt="[utsudo] password for %p: " \
+ --with-linux-audit \
+ --with-sssd
+make
+
+%check
+## make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+
+# Update README.LDAP (#736653)
+sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/utsudo-ldap.conf|g' README.LDAP
+
+make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
+install -p -d -m 750 $RPM_BUILD_ROOT/etc/utsudoers.d
+install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/utsudoers
+install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/utsudo.conf
+install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/utsudo-ldap.conf
+
+# Add sudo to protected packages
+install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
+touch utsudo.conf
+echo utsudo > utsudo.conf
+install -p -c -m 0644 utsudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
+rm -f utsudo.conf
+rm -f $RPM_BUILD_ROOT%{_bindir}/cvtsudoers
+rm -f $RPM_BUILD_ROOT%{_bindir}/sudoreplay
+rm -f $RPM_BUILD_ROOT%{_sbindir}/visudo
+rm -f $RPM_BUILD_ROOT/etc/sudoers
+
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/utsudo/*.so # for stripping, reset in %%files
+
+# Don't package LICENSE as a doc
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
+
+# Remove examples; Examples can be found in man pages too.
+rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
+
+# Remove all .la files
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Remove sudoers.dist
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist
+
+# Remove sudo_plugin.h -add by uos
+rm -f $RPM_BUILD_ROOT%{_includedir}/sudo_plugin.h
+
+%find_lang utsudo
+%find_lang utsudoers
+
+cat utsudo.lang utsudoers.lang > utsudo_all.lang
+rm utsudo.lang utsudoers.lang
+
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+mkdir -p $RPM_BUILD_ROOT/usr/share/doc/utsudo
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+#%%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session include system-auth
+EOF
+
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
+#%%PAM-1.0
+auth include sudo
+account include sudo
+password include sudo
+session optional pam_keyinit.so force revoke
+session include sudo
+EOF
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f utsudo_all.lang
+%defattr(-,root,root)
+%attr(0440,root,root) %config(noreplace) /etc/utsudoers
+%attr(0640,root,root) %config(noreplace) /etc/utsudo.conf
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/utsudo-ldap.conf
+%attr(0750,root,root) %dir /etc/utsudoers.d/
+%config(noreplace) /etc/pam.d/sudo
+%config(noreplace) /etc/pam.d/sudo-i
+%attr(0644,root,root) %{_tmpfilesdir}/utsudo.conf
+%attr(0644,root,root) /etc/dnf/protected.d/utsudo.conf
+%dir /var/db/sudo
+%dir /var/db/sudo/lectured
+%attr(4111,root,root) %{_bindir}/utsudo
+%{_bindir}/utsudoedit
+%dir %{_libexecdir}/utsudo
+%attr(0755,root,root) %{_libexecdir}/utsudo/sesh
+%attr(0644,root,root) %{_libexecdir}/utsudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/utsudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/utsudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/utsudo/system_group.so
+%{_libexecdir}/utsudo/libutsudo_util.so
+%{_libexecdir}/utsudo/libutsudo_util.so.?
+%attr(0644,root,root) %{_libexecdir}/utsudo/libutsudo_util.so.?.?.?
+%dir %{_pkgdocdir}/
+%{!?_licensedir:%global license %%doc}
+%license doc/LICENSE
+
+# Make sure permissions are ok even if we're updating
+%post
+/bin/chmod 0440 /etc/utsudoers || :
+
+%changelog
+* Mon Aug 07 2023 Lujun - 0.0.1-0.01
+- Add Patch: 0001-fix-compile-error-undefined-reference-to-sys_sigabbr.patch
+
+* Tue May 10 2022 Lujun - 0.0.1
+- init.
diff --git a/utsudoers b/utsudoers
new file mode 100644
index 0000000000000000000000000000000000000000..93e02ba0e9ac86ab7bd51f3fd54780bc557b663a
--- /dev/null
+++ b/utsudoers
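Review bot: The PAM stacks are written to the stock names `/etc/pam.d/sudo` and `/etc/pam.d/sudo-i` and listed in `%files`, while every other installed path is renamed to `utsudo*`; installing this package next to the distribution's `sudo` package will therefore fail on a file conflict (or silently replace the other package's PAM policy on upgrade), so either declare `Conflicts: sudo` or ship the stacks under a `utsudo` service name and point the binary at it. `%install` deletes `visudo`, yet the shipped `utsudoers` tells administrators the file "must be edited with the 'visudo' command" and no syntax checker for the 0440 policy file is packaged, so a typo there locks out every sudo user. `%check` is commented out, so the build runs none of the upstream test suite. `Source0` is a tarball committed to the repository as a binary blob with no checksum, signature or download location (`URL:` points at sudo.ws, which is not where this archive comes from), which leaves the origin of the compiled code unverifiable.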
@@ -0,0 +1,120 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults always_query_group_plugin
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults env_keep += "HOME"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
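Review bot: The final `#includedir /etc/sudoers.d` pulls policy fragments from the stock sudo package's drop-in directory, while the spec in this same commit creates and packages `/etc/utsudoers.d` (0750, root-owned) as this package's own drop-in directory; as written, utsudo would enforce whatever another package or administrator placed under `/etc/sudoers.d`, and the packaged directory would never be read. Change the line to `#includedir /etc/utsudoers.d` and update the comment above it to match. The header also instructs that the file "must be edited with the 'visudo' command", but the spec removes `visudo` from the package, so either keep the tool or tell administrators what to validate with instead; "when the the env_reset option" has a doubled word.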