pkgsrc/security/sudo/options.mk

# $NetBSD: options.mk,v 1.17 2009/02/14 19:30:33 tonnerre Exp $
#

PKG_OPTIONS_VAR=	PKG_OPTIONS.sudo
PKG_SUPPORTED_OPTIONS=	ldap
PKG_OPTIONS_OPTIONAL_GROUPS= auth
PKG_OPTIONS_GROUP.auth=	kerberos pam skey

.if ${OPSYS} == "NetBSD" && exists(/usr/include/skey.h)
PKG_SUGGESTED_OPTIONS=	skey
.endif

.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mpam)
.  include "../../mk/pam.buildlink3.mk"
DL_AUTO_VARS=		yes
CONFIGURE_ARGS+=	--with-pam
.else
CONFIGURE_ARGS+=	--without-pam
.endif

.if !empty(PKG_OPTIONS:Mkerberos)
.  include "../../mk/krb5.buildlink3.mk"
CONFIGURE_ARGS+=	--without-kerb4
CONFIGURE_ARGS+=	--with-kerb5
.else
CONFIGURE_ARGS+=	--without-kerb5
.endif

.if !empty(PKG_OPTIONS:Mldap)
.  include "../../databases/openldap-client/buildlink3.mk"
.  include "../../security/cyrus-sasl/buildlink3.mk"
DL_AUTO_VARS=		yes
CONFIGURE_ARGS+=	--with-ldap=${BUILDLINK_PREFIX.openldap-client}
CONFIGURE_ARGS+=	--with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf
PLIST.ldap=		yes
.endif

.if !empty(PKG_OPTIONS:Mskey)
CONFIGURE_ARGS+=	--with-skey
.else
CONFIGURE_ARGS+=	--without-skey
.endif
The LDAP feature of sudo now also needs the SASL libraries to compile. 2009-02-14 20:30:33 +01:00			`# $NetBSD: options.mk,v 1.17 2009/02/14 19:30:33 tonnerre Exp $`
Update security/sudo to 1.6.8 and convert to use bsd.options.mk, which adds two new options, ldap and pam. Changes: * Sudo now supports storing sudoers info in LDAP (optionally using TLS). * There is a new -e option to edit files the with uid of the invoking user. This makes it possible to give users to ability to safely edit files without the possibility of editing other files or running commands as the target user. If sudo is run as "sudoedit" the -e flag is implied. * A new tag, NOEXEC, will prevent a dynamically-linked program being run by sudo from executing another program (think shell escapes). Because this uses LD_PRELOAD it has no effect on static binaries. * A uid specified in sudoers now matches the user specified by the -u flag even if the -u flag specified a name, not a uid. * Added a -i option to simulate an initial login similar to "su -". * If sudo is used to run as root shell, further sudo commands will be logged as run by the user specified by the SUDO_USER environment variable. In -e mode (sudoedit), SUDO_USER is used to determine what user to run the editor when the real uid is 0. * The sudoers file is now parsed as the runas user in all cases instead of root. This fixes some issues with running NFS-mounted commands. * If the target user == invoking user a password is no longer required. * Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via the -u option. * A negated user/uid in a runas list is now treated the same as a negated command and overrides a previously allowed entry. * PAM support now uses Use pam_acct_mgmt() to check for disabled accounts. * Added a check in visudo for runas_default being used before it was set. * Fixed several issues when closing all open descriptors. Sudo now uses closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists with a fallback of closing all possible descriptors. * Quoting globbing characters with a backslash now works as documented. * Fixed a problem on FreeBSD (and perhaps others) when the user is only listed in NIS (not master.passwd) and netgroups are used in the master.passwd file. * The username in a log entry is no longer truncated at 8 characters. * Added a "sudo_lecture" option that can point to a file containing a custom lecture. * The timeout for password reading is now done via alarm(), not select(). * /tmp/.odus is no longer used for timestamps by default. * Sudo now works on the nsr-tandem-nsk platform. * Fixed the --with-stow configure option. * TIS fwtk authentication now supports fwtk 2.0 and higher. * Added Stan Lee / Uncle Ben quote to the lecture from RedHat. * Added the --with-pc-insults configure to replace politically incorrect insults with other ones. 2004-08-23 23:15:17 +02:00			`#`

			`PKG_OPTIONS_VAR= PKG_OPTIONS.sudo`
PKG_OPTIONS_OPTIONAL_GROUPS/PKG_OPTIONS_NONEMPTY_SETS have their respective options added to PKG_SUPPORTED_OPTIONS automagically. Duplicate options removed. 2007-09-26 07:47:46 +02:00			`PKG_SUPPORTED_OPTIONS= ldap`
Update sudo package to 1.6.9p4. pkgsrc change: Make these options mutual exclusive: kerberos pam skey. (Really, combinations of kerberos and pam, pam and skey are conflicts.) CHANGES: 609) Worked around a bug ins some PAM implementations that caused a crash when no tty was present. 610) Fixed a crash on some platforms in the error logging function. 611) Documentation improvements. Sudo 1.6.9p1 released. 612) Fixed updating of the saved environment when the environ pointer gets changed out from underneath us. Sudo 1.6.9p2 released. 613) Fixed a bug related to supplemental group matching introduced in 1.6.9. Sudo 1.6.9p3 released. 614) Added IPv6 support from YOSHIFUJI Hideaki. 615) Fixed sudo_noexec installation path. 616) Fixed a K&R compilation error. Sudo 1.6.9p4 released. 2007-08-18 17:09:11 +02:00			`PKG_OPTIONS_OPTIONAL_GROUPS= auth`
			`PKG_OPTIONS_GROUP.auth= kerberos pam skey`
Packages have no business modifying PKG_DEFAULT_OPTIONS -- it's a user settable variable. Set PKG_SUGGESTED_OPTIONS instead. Also, make use of PKG_OPTIONS_LEGACY_VARS. Reviewed by wiz. 2005-05-31 12:01:36 +02:00
check for /usr/include/skey.h on NetBSD - in case dist with MKSKEY=no 2005-08-22 12:20:33 +02:00			`.if ${OPSYS} == "NetBSD" && exists(/usr/include/skey.h)`
Packages have no business modifying PKG_DEFAULT_OPTIONS -- it's a user settable variable. Set PKG_SUGGESTED_OPTIONS instead. Also, make use of PKG_OPTIONS_LEGACY_VARS. Reviewed by wiz. 2005-05-31 12:01:36 +02:00			`PKG_SUGGESTED_OPTIONS= skey`
Allow building sudo without S/Key support on NetBSD. Patch from PR pkg/28743 by Jukka Salmi with minor changes by me. 2004-12-22 05:36:32 +01:00			`.endif`

Update security/sudo to 1.6.8 and convert to use bsd.options.mk, which adds two new options, ldap and pam. Changes: * Sudo now supports storing sudoers info in LDAP (optionally using TLS). * There is a new -e option to edit files the with uid of the invoking user. This makes it possible to give users to ability to safely edit files without the possibility of editing other files or running commands as the target user. If sudo is run as "sudoedit" the -e flag is implied. * A new tag, NOEXEC, will prevent a dynamically-linked program being run by sudo from executing another program (think shell escapes). Because this uses LD_PRELOAD it has no effect on static binaries. * A uid specified in sudoers now matches the user specified by the -u flag even if the -u flag specified a name, not a uid. * Added a -i option to simulate an initial login similar to "su -". * If sudo is used to run as root shell, further sudo commands will be logged as run by the user specified by the SUDO_USER environment variable. In -e mode (sudoedit), SUDO_USER is used to determine what user to run the editor when the real uid is 0. * The sudoers file is now parsed as the runas user in all cases instead of root. This fixes some issues with running NFS-mounted commands. * If the target user == invoking user a password is no longer required. * Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via the -u option. * A negated user/uid in a runas list is now treated the same as a negated command and overrides a previously allowed entry. * PAM support now uses Use pam_acct_mgmt() to check for disabled accounts. * Added a check in visudo for runas_default being used before it was set. * Fixed several issues when closing all open descriptors. Sudo now uses closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists with a fallback of closing all possible descriptors. * Quoting globbing characters with a backslash now works as documented. * Fixed a problem on FreeBSD (and perhaps others) when the user is only listed in NIS (not master.passwd) and netgroups are used in the master.passwd file. * The username in a log entry is no longer truncated at 8 characters. * Added a "sudo_lecture" option that can point to a file containing a custom lecture. * The timeout for password reading is now done via alarm(), not select(). * /tmp/.odus is no longer used for timestamps by default. * Sudo now works on the nsr-tandem-nsk platform. * Fixed the --with-stow configure option. * TIS fwtk authentication now supports fwtk 2.0 and higher. * Added Stan Lee / Uncle Ben quote to the lecture from RedHat. * Added the --with-pc-insults configure to replace politically incorrect insults with other ones. 2004-08-23 23:15:17 +02:00			`.include "../../mk/bsd.options.mk"`

Update PKG_OPTIONS variable "PAM" to "pam". 2005-06-22 12:30:12 +02:00			`.if !empty(PKG_OPTIONS:Mpam)`
Create a pam.buildlink3.mk file that is used by PAM-using packages. It includes the correct buildlink3.mk file from either Linux-PAM (security/PAM) or OpenPAM (security/openpam) and eventually will support solaris-pam. pam.buildlink3.mk will: * set PAMBASE to the base directory of the PAM files; * set PAM_TYPE to the PAM implementation used. There are two variables that can be used to tweak the selection of the PAM implementation: PAM_DEFAULT is a user-settable variable whose value is the default PAM implementation to use. PAM_ACCEPTED is a package-settable list of PAM implementations that may be used by the package. Modify most packages that include PAM/buildlink3.mk to include pam.buildlink3.mk instead. 2005-01-14 06:15:39 +01:00			`. include "../../mk/pam.buildlink3.mk"`
Sort the options. 2004-12-22 04:59:10 +01:00			`DL_AUTO_VARS= yes`
			`CONFIGURE_ARGS+= --with-pam`
Update sudo to 1.6.9. We don't take the new default of PAM and no other authentication; that can be enabled by adding pam to the package options if users desire. 2007-07-23 18:38:36 +02:00			`.else`
			`CONFIGURE_ARGS+= --without-pam`
Sort the options. 2004-12-22 04:59:10 +01:00			`.endif`

Update security/sudo to 1.6.8 and convert to use bsd.options.mk, which adds two new options, ldap and pam. Changes: * Sudo now supports storing sudoers info in LDAP (optionally using TLS). * There is a new -e option to edit files the with uid of the invoking user. This makes it possible to give users to ability to safely edit files without the possibility of editing other files or running commands as the target user. If sudo is run as "sudoedit" the -e flag is implied. * A new tag, NOEXEC, will prevent a dynamically-linked program being run by sudo from executing another program (think shell escapes). Because this uses LD_PRELOAD it has no effect on static binaries. * A uid specified in sudoers now matches the user specified by the -u flag even if the -u flag specified a name, not a uid. * Added a -i option to simulate an initial login similar to "su -". * If sudo is used to run as root shell, further sudo commands will be logged as run by the user specified by the SUDO_USER environment variable. In -e mode (sudoedit), SUDO_USER is used to determine what user to run the editor when the real uid is 0. * The sudoers file is now parsed as the runas user in all cases instead of root. This fixes some issues with running NFS-mounted commands. * If the target user == invoking user a password is no longer required. * Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via the -u option. * A negated user/uid in a runas list is now treated the same as a negated command and overrides a previously allowed entry. * PAM support now uses Use pam_acct_mgmt() to check for disabled accounts. * Added a check in visudo for runas_default being used before it was set. * Fixed several issues when closing all open descriptors. Sudo now uses closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists with a fallback of closing all possible descriptors. * Quoting globbing characters with a backslash now works as documented. * Fixed a problem on FreeBSD (and perhaps others) when the user is only listed in NIS (not master.passwd) and netgroups are used in the master.passwd file. * The username in a log entry is no longer truncated at 8 characters. * Added a "sudo_lecture" option that can point to a file containing a custom lecture. * The timeout for password reading is now done via alarm(), not select(). * /tmp/.odus is no longer used for timestamps by default. * Sudo now works on the nsr-tandem-nsk platform. * Fixed the --with-stow configure option. * TIS fwtk authentication now supports fwtk 2.0 and higher. * Added Stan Lee / Uncle Ben quote to the lecture from RedHat. * Added the --with-pc-insults configure to replace politically incorrect insults with other ones. 2004-08-23 23:15:17 +02:00			`.if !empty(PKG_OPTIONS:Mkerberos)`
			`. include "../../mk/krb5.buildlink3.mk"`
			`CONFIGURE_ARGS+= --without-kerb4`
			`CONFIGURE_ARGS+= --with-kerb5`
			`.else`
			`CONFIGURE_ARGS+= --without-kerb5`
			`.endif`

			`.if !empty(PKG_OPTIONS:Mldap)`
The databases/openldap package has been split in -client and -server component packages. Convert LDAP-based applications to depend on openldap-client, and bump PKGREVISION for those that depend on it by default. 2006-05-31 20:22:23 +02:00			`. include "../../databases/openldap-client/buildlink3.mk"`
The LDAP feature of sudo now also needs the SASL libraries to compile. 2009-02-14 20:30:33 +01:00			`. include "../../security/cyrus-sasl/buildlink3.mk"`
Auto-add the options for dlopen() since we're only building a single application. 2004-11-26 19:26:01 +01:00			`DL_AUTO_VARS= yes`
The databases/openldap package has been split in -client and -server component packages. Convert LDAP-based applications to depend on openldap-client, and bump PKGREVISION for those that depend on it by default. 2006-05-31 20:22:23 +02:00			`CONFIGURE_ARGS+= --with-ldap=${BUILDLINK_PREFIX.openldap-client}`
Honor PKG_SYSCONFDIR by looking for the LDAP configuration file in ${PKG_SYSCONFDIR}/ldap.conf (by default, /usr/pkg/etc/ldap.conf) instead of hard-coding /etc/ldap.conf. Bump the PKGREVISION. 2004-11-20 00:18:01 +01:00			`CONFIGURE_ARGS+= --with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf`
Update security/sudo package to 1.7.0. * pkgsrc change: relax restriction to kerberos package. What's new in Sudo 1.7.0? * Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications. * Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files. * Sudo's -l (list) flag has been enhanced: o applicable Defaults options are now listed o a command argument can be specified for testing whether a user may run a specific command. o a new -U flag can be used in conjunction with "sudo -l" to allow root (or a user with "sudo ALL") list another user's privileges. * A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification. * A uid may now be used anywhere a username is valid. * The "secure_path" run-time Defaults option has been restored. * Password and group data is now cached for fast lookups. * The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line. * Visudo will now warn about aliases that are defined but not used. * The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run. * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: sudoers: ldap files to check LDAP, then /etc/sudoers. The default is "files", even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. * Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run. * If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass. * A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. * A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run. * A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required. * If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified. * Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must press ^C or ^D at the prompt. * visudo will now check the sudoers file owner and mode in -c (check) mode when the -s (strict) flag is specified. 2009-02-05 14:48:12 +01:00			`PLIST.ldap= yes`
Update security/sudo to 1.6.8 and convert to use bsd.options.mk, which adds two new options, ldap and pam. Changes: * Sudo now supports storing sudoers info in LDAP (optionally using TLS). * There is a new -e option to edit files the with uid of the invoking user. This makes it possible to give users to ability to safely edit files without the possibility of editing other files or running commands as the target user. If sudo is run as "sudoedit" the -e flag is implied. * A new tag, NOEXEC, will prevent a dynamically-linked program being run by sudo from executing another program (think shell escapes). Because this uses LD_PRELOAD it has no effect on static binaries. * A uid specified in sudoers now matches the user specified by the -u flag even if the -u flag specified a name, not a uid. * Added a -i option to simulate an initial login similar to "su -". * If sudo is used to run as root shell, further sudo commands will be logged as run by the user specified by the SUDO_USER environment variable. In -e mode (sudoedit), SUDO_USER is used to determine what user to run the editor when the real uid is 0. * The sudoers file is now parsed as the runas user in all cases instead of root. This fixes some issues with running NFS-mounted commands. * If the target user == invoking user a password is no longer required. * Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via the -u option. * A negated user/uid in a runas list is now treated the same as a negated command and overrides a previously allowed entry. * PAM support now uses Use pam_acct_mgmt() to check for disabled accounts. * Added a check in visudo for runas_default being used before it was set. * Fixed several issues when closing all open descriptors. Sudo now uses closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists with a fallback of closing all possible descriptors. * Quoting globbing characters with a backslash now works as documented. * Fixed a problem on FreeBSD (and perhaps others) when the user is only listed in NIS (not master.passwd) and netgroups are used in the master.passwd file. * The username in a log entry is no longer truncated at 8 characters. * Added a "sudo_lecture" option that can point to a file containing a custom lecture. * The timeout for password reading is now done via alarm(), not select(). * /tmp/.odus is no longer used for timestamps by default. * Sudo now works on the nsr-tandem-nsk platform. * Fixed the --with-stow configure option. * TIS fwtk authentication now supports fwtk 2.0 and higher. * Added Stan Lee / Uncle Ben quote to the lecture from RedHat. * Added the --with-pc-insults configure to replace politically incorrect insults with other ones. 2004-08-23 23:15:17 +02:00			`.endif`
Allow building sudo without S/Key support on NetBSD. Patch from PR pkg/28743 by Jukka Salmi with minor changes by me. 2004-12-22 05:36:32 +01:00
			`.if !empty(PKG_OPTIONS:Mskey)`
			`CONFIGURE_ARGS+= --with-skey`
			`.else`
			`CONFIGURE_ARGS+= --without-skey`
			`.endif`