ansible-bootstrap fails: slapd fails to start
stx-config/puppet-manifest:
- set ldap module path to libexec - default is lib64 which is not where OE installs openldap
sudo:
- build --with-ldap and apply stx patches - needed for sudo.schema / slapd
openldap:
- install ldap / la modules
packagegroups:
- stx-python: pexpect, trove, colorama, debtcollector, mysql
- stx: e2fsprogs-resize2fs nss-pam-ldapd openldap-dev and libmysqld + deps
rabbitmq-server:
- run under uid 0 to bypass permission errors
conf/layer.conf:
- Add ldap user
- set preferred versions
- Set CONTROLLER_IP to localhost
classes/stx-postrun.bbclass:
- Add openldap fine tuning
- fix permissions for keystone to start
parent
3ac95c37ef
commit
1a30a897a9
@ -21,7 +21,7 @@ stx_postprocess_rootfs() {
|
||||
sed -i -e '/^l .*resolv.conf$/d' ${IMAGE_ROOTFS}/etc/default/volatiles/00_core
|
||||
sed -i -e '/^f .*resolv.conf none$/d' ${IMAGE_ROOTFS}/etc/default/volatiles/00_core
|
||||
|
||||
for srv in $(echo apache2 kubelet cinder-init glance-api glance-init glance-registry keystone-init \
|
||||
for srv in $(echo lighttpd kubelet cinder-init glance-api glance-init glance-registry \
|
||||
neutron-init nova-compute nova-consoleauth nova-console nova-init nova-network \
|
||||
nova-xvpvncproxy nova-spicehtml5proxy openvswitch \
|
||||
registry-token-server)
|
||||
@ -46,6 +46,24 @@ stx_postprocess_rootfs() {
|
||||
done
|
||||
cd $CPWD
|
||||
|
||||
# OpenLdap:
|
||||
# To avoid install conflicts, we need to post run a number of
|
||||
# commands. But openldap packages are getting renamed to libldap-.
|
||||
# Consequently pkg_postinstall_ontarget_openldap-config fails.
|
||||
# So this here is really a hack to get the build moving forward.
|
||||
# Lastly, we need to take a look at the right user and group
|
||||
# permission settings
|
||||
|
||||
cp ${IMAGE_ROOTFS}/usr/share/starlingx/slapd.service ${IMAGE_ROOTFS}/lib/systemd/system/slapd.service
|
||||
cp ${IMAGE_ROOTFS}/usr/share/starlingx/slapd.sysconfig ${IMAGE_ROOTFS}/etc/sysconfig/slapd
|
||||
|
||||
chmod 644 ${IMAGE_ROOTFS}//lib/systemd/system/slapd.service
|
||||
chmod 644 ${IMAGE_ROOTFS}/etc/openldap/*
|
||||
chmod 755 ${IMAGE_ROOTFS}/etc/openldap
|
||||
chmod 755 ${IMAGE_ROOTFS}/etc/openldap/slapd.d
|
||||
|
||||
|
||||
|
||||
# Issue 11 etcd:
|
||||
# Once the ansible-playbook runs it resets ETCD_DATA_DIR to
|
||||
# /opt/etcd/19.01/controller.etcd in /etc/etcd/etcd.conf
|
||||
@ -56,8 +74,14 @@ stx_postprocess_rootfs() {
|
||||
mkdir -p ${IMAGE_ROOTFS}/opt/etcd
|
||||
chown etcd:etcd ${IMAGE_ROOTFS}/opt/etcd
|
||||
|
||||
# keystone hacks
|
||||
# Fix python packages' permissions
|
||||
find ${IMAGE_ROOTFS}/${libdir}/python2.7/site-packages/ -name PKG-INFO -exec chmod 644 {} +
|
||||
chmod 644 ${IMAGE_ROOTFS}/${libdir}/python2.7/site-packages/docker_registry_core-2.0.3-py2.7.egg-info/namespace_packages.txt
|
||||
|
||||
# Puppet hacks
|
||||
sed -i -e 's:puppet apply : puppet apply --hiera_config=/etc/puppet/hiera.yaml :g' ${IMAGE_ROOTFS}/usr/bin/puppet-manifest-apply.sh
|
||||
|
||||
# Fake being redhat for dev purpose only. This must be removed
|
||||
cat > ${IMAGE_ROOTFS}/etc/redhat-release << \EOF
|
||||
CentOS Linux release 7.3.1611 (Core)
|
||||
|
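Review bot: `chmod 644 ${IMAGE_ROOTFS}/etc/openldap/*` leaves every file in /etc/openldap world-readable, and the puppet patch added in this same commit shows slapd.conf later carries `credentials=${admin_pw}` and a `rootpw` hash, so unless puppet tightens the mode afterwards any local account on the controller can read the LDAP admin secret. Restrict the config to the service account instead, e.g. `chmod 640 ${IMAGE_ROOTFS}/etc/openldap/slapd.conf` and, once the ldap user this commit adds exists in the rootfs passwd, `chown root:ldap` on it; the same glob also hits the slapd.d directory, which the following `chmod 755` then has to repair. The header comment already admits the user/group settings are unfinished — make it an actionable marker, `# TODO: owner root:ldap, mode 640 for slapd.conf; 644 on the glob exposes credentials`. The `//` in `${IMAGE_ROOTFS}//lib/systemd/system/slapd.service` is harmless but inconsistent with the cp line above it.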
@ -35,6 +35,9 @@ EXTRA_USERS_PARAMS_CONFIG = "\
|
||||
useradd -p '' ceph; \
|
||||
groupadd ceph; \
|
||||
usermod -a -G ceph ceph; \
|
||||
useradd -p '' ldap; \
|
||||
groupadd ldap; \
|
||||
usermod -a -G ldap ldap; \
|
||||
"
|
||||
|
||||
EXTRA_IMAGE_FEATURES += " empty-root-password"
|
||||
@ -102,16 +105,20 @@ PREFERRED_PROVIDER_virtual/kernel = "linux-yocto"
|
||||
|
||||
PREFERRED_VERSION_keyutils = "1.5.10"
|
||||
PREFERRED_VERSION_python-voluptuous = "0.8.9"
|
||||
PREFERRED_VERSION_python3-cherrypy = "git"
|
||||
PREFERRED_VERSION_python-cheroot = "git"
|
||||
PREFERRED_VERSION_python3-cheroot = "git"
|
||||
PREFERRED_VERSION_python3-cherrypy = "18.2.0"
|
||||
PREFERRED_VERSION_python-cheroot = "7.0.0"
|
||||
PREFERRED_VERSION_python3-cheroot = "7.0.0"
|
||||
PREFERRED_VERSION_python-cherrypy = "git"
|
||||
PREFERRED_VERSION_pythonkeystoneauth1 = "3.17.1"
|
||||
PREFERRED_VERSION_drbd-utils = "8.4.3rc1"
|
||||
PREFERRED_VERSION_python-pyyaml = "3.13"
|
||||
PREFERRED_VERSION_python-cmd2 = "0.6.8"
|
||||
PREFERRED_VERSION_python-expect = "4.6.0"
|
||||
PREFERRED_VERSION_python-pika = "0.10.0%"
|
||||
# From meta-cloud-services TBD
|
||||
# PREFERRED_VERSION_openldap = "2.4.39"
|
||||
|
||||
# Used by:
|
||||
# neutron-init
|
||||
# glance-init
|
||||
CONTROLLER_IP = "0.0.0.0"
|
||||
CONTROLLER_IP = "127.0.0.1"
|
||||
|
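Review bot: `useradd -p '' ldap` creates the new service account with an empty password field, which on an image that also enables `empty-root-password` likely means PAM accepts null passwords and the ldap account becomes loginable with no credential, and it gets a login shell by default. Create it locked and shell-less instead: `useradd -r -s /sbin/nologin ldap; \` (dropping `-p ''` leaves the shadow field locked). Because useradd normally creates a matching primary group, the following `groupadd ldap` / `usermod -a -G ldap ldap` can collapse to `groupadd -r ldap; useradd -r -g ldap -s /sbin/nologin ldap;` — worth confirming against the image's login.defs. The ceph entry above follows the same `-p ''` pattern and deserves the same treatment, though it is not changed here.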
@ -180,4 +180,9 @@ RDEPENDS_packagegroup-stx-python = " \
|
||||
python-configshell \
|
||||
python2-os-service-types \
|
||||
python-coverage \
|
||||
python-pexpect \
|
||||
python-trove \
|
||||
python-colorama \
|
||||
python-debtcollector \
|
||||
mysql-python \
|
||||
"
|
||||
|
@ -69,6 +69,7 @@ RDEPENDS_packagegroup-stx-openldap = " \
|
||||
openldap-bin \
|
||||
openldap-slapd \
|
||||
openldap-config \
|
||||
openldap-dev \
|
||||
"
|
||||
|
||||
RDEPENDS_packagegroup-stx-kube = "\
|
||||
@ -117,6 +118,9 @@ RDEPENDS_packagegroup-stx-misc = "\
|
||||
hiera \
|
||||
gssproxy \
|
||||
polkit \
|
||||
e2fsprogs-resize2fs \
|
||||
libmysqld libmysqlclient libmysqlclient-r libmysqlclient-dev libmysqlclient-r-dev \
|
||||
nss-pam-ldapd \
|
||||
"
|
||||
|
||||
RDEPENDS_packagegroup-stx-puppet = "\
|
||||
|
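Review bot: `openldap-dev` is added to a runtime packagegroup, which drags headers and .la files into the image; if the aim, per the commit message, is the slapd back-end modules under /usr/libexec/openldap, those belong in a runtime package (openldap-slapd or a dedicated modules package) rather than being shipped via the -dev package, and the same applies to `libmysqlclient-dev` / `libmysqlclient-r-dev` in stx-misc. Until that is done, a comment on the line saying why -dev is needed (`# slapd back-end modules are currently only packaged in -dev`) would at least make the workaround visible to whoever trims the image later.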
@ -0,0 +1,26 @@
|
||||
From 32efd8d303556b43005f26715bd8264886e17420 Mon Sep 17 00:00:00 2001
|
||||
From: "Sar Ashki, Babak" <Babak.SarAshki@windriver.com>
|
||||
Date: Wed, 11 Dec 2019 17:24:17 -0800
|
||||
Subject: [PATCH] puppet-manifests integ: set correct ldap module path
|
||||
|
||||
OE installs ldap modules under libexec.
|
||||
---
|
||||
puppet-manifests/src/modules/platform/manifests/ldap.pp | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/puppet-manifests/src/modules/platform/manifests/ldap.pp b/puppet-manifests/src/modules/platform/manifests/ldap.pp
|
||||
index b3d6ee71..7205e7d3 100644
|
||||
--- a/puppet-manifests/src/modules/platform/manifests/ldap.pp
|
||||
+++ b/puppet-manifests/src/modules/platform/manifests/ldap.pp
|
||||
@@ -53,7 +53,7 @@ class platform::ldap::server::local
|
||||
-e 's:serverID.*:serverID ${server_id}:' \\
|
||||
-e 's:credentials.*:credentials=${admin_pw}:' \\
|
||||
-e 's:^rootpw .*:rootpw ${admin_hashed_pw}:' \\
|
||||
- -e 's:modulepath .*:modulepath /usr/lib64/openldap:' \\
|
||||
+ -e 's:modulepath .*:modulepath /usr/libexec/openldap:' \\
|
||||
/etc/openldap/slapd.conf",
|
||||
onlyif => '/usr/bin/test -e /etc/openldap/slapd.conf'
|
||||
}
|
||||
--
|
||||
2.23.0
|
||||
|
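Review bot: the new patch carries no `Upstream-Status:` line in its header, which OE layers rely on to tell a local workaround from a change pending upstream; add `Upstream-Status: Inappropriate [OE-specific module path]` (or `Pending` if it will be submitted) below the description. The module path is hardcoded again in the replacement; presumably the manifest could take it from a class parameter so the OE and CentOS builds do not need divergent patches, though only the sed line is visible here. The same sed chain writes `credentials=${admin_pw}` into slapd.conf, so whatever permissions the rootfs postprocess assigns to /etc/openldap must keep that file unreadable to unprivileged users. The enclosing class platform::ldap::server::local starts outside the hunk.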
@ -11,7 +11,10 @@ LICENSE = "Apache-2.0"
|
||||
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
|
||||
|
||||
SRC_URI = "git://opendev.org/starlingx/config.git;protocol=${PROTOCOL};rev=${SRCREV};branch=${BRANCH}"
|
||||
SRC_URI = " \
|
||||
git://opendev.org/starlingx/config.git;protocol=${PROTOCOL};rev=${SRCREV};branch=${BRANCH} \
|
||||
file://0001-puppet-manifests-integ-set-correct-ldap-module-path.patch \
|
||||
"
|
||||
|
||||
DEPENDS = "\
|
||||
puppet \
|
||||
|
@ -4,7 +4,8 @@ After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=rabbitmq
|
||||
User=root
|
||||
Environment=HOME=/home/root
|
||||
WorkingDirectory=/var/lib/rabbitmq
|
||||
LogsDirectory=rabbitmq
|
||||
ExecStartPre=/usr/bin/rabbitmq-server-setup
|
||||
|
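Review bot: `User=root` turns the message broker into a root process to work around file-permission errors, so any compromise of RabbitMQ — which typically serves every OpenStack service over the network — becomes a root compromise; the fix belongs in the ownership of the broker's directories, not in the unit's identity. Keep `User=rabbitmq` and let systemd create the state directory with the right owner: `StateDirectory=rabbitmq` next to the existing `LogsDirectory=rabbitmq`, and `Environment=HOME=/var/lib/rabbitmq` instead of /home/root; a remaining permission problem in `/usr/bin/rabbitmq-server-setup` should be fixed there or by running only that step as root with `ExecStartPre=+/usr/bin/rabbitmq-server-setup`. If this has to stay as a stopgap, mark it, `# TODO: revert to User=rabbitmq once /var/lib/rabbitmq ownership is fixed`, so it does not ship unnoticed.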
27
recipes-extended/sudo/files/sudo-1.6.7p5-strip.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 8a045c3880e06f5fcf69a73c4029d6725e17f7bc Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Sykora <tosykora@redhat.com>
|
||||
Date: Fri, 19 Aug 2016 13:49:25 +0200
|
||||
Subject: [PATCH 01/10] We do not strip
|
||||
|
||||
rebased from:
|
||||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
---
|
||||
install-sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install-sh b/install-sh
|
||||
index 6944fba..49d383a 100755
|
||||
--- a/install-sh
|
||||
+++ b/install-sh
|
||||
@@ -147,7 +147,7 @@ while ${MORETODO} ; do
|
||||
fi
|
||||
;;
|
||||
X-s)
|
||||
- STRIPIT=true
|
||||
+ #STRIPIT=true
|
||||
;;
|
||||
X--)
|
||||
shift
|
||||
--
|
||||
2.7.4
|
||||
|
27
recipes-extended/sudo/files/sudo-1.7.2p1-envdebug.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Sykora <tosykora@redhat.com>
|
||||
Date: Fri, 19 Aug 2016 14:07:35 +0200
|
||||
Subject: [PATCH 02/10] Added "Enviroment debugging" message
|
||||
|
||||
rebased from:
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 9feddfd..39a2d86 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
|
||||
[AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
|
||||
[ case "$enableval" in
|
||||
yes) AC_MSG_RESULT(yes)
|
||||
- AC_DEFINE(ENV_DEBUG)
|
||||
+ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
|
||||
;;
|
||||
no) AC_MSG_RESULT(no)
|
||||
;;
|
||||
--
|
||||
2.7.4
|
||||
|
@ -0,0 +1,161 @@
|
||||
From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001
|
||||
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
|
||||
Date: Thu, 26 Jul 2018 12:31:29 -0600
|
||||
Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors
|
||||
from pam_acct_mgmt() if authentication is disabled for the user. Bug #843
|
||||
|
||||
---
|
||||
plugins/sudoers/auth/bsdauth.c | 2 +-
|
||||
plugins/sudoers/auth/pam.c | 10 +++++++++-
|
||||
plugins/sudoers/auth/sudo_auth.c | 4 ++--
|
||||
plugins/sudoers/auth/sudo_auth.h | 6 +++---
|
||||
plugins/sudoers/check.c | 4 +++-
|
||||
plugins/sudoers/sudoers.h | 2 +-
|
||||
6 files changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
|
||||
index 444cd337..390263d3 100644
|
||||
--- a/plugins/sudoers/auth/bsdauth.c
|
||||
+++ b/plugins/sudoers/auth/bsdauth.c
|
||||
@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
|
||||
}
|
||||
|
||||
int
|
||||
-bsdauth_approval(struct passwd *pw, sudo_auth *auth)
|
||||
+bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
||||
{
|
||||
struct bsdauth_state *state = auth->data;
|
||||
debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH)
|
||||
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
|
||||
index 347289da..a4749448 100644
|
||||
--- a/plugins/sudoers/auth/pam.c
|
||||
+++ b/plugins/sudoers/auth/pam.c
|
||||
@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
|
||||
}
|
||||
|
||||
int
|
||||
-sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
|
||||
+sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
||||
{
|
||||
const char *s;
|
||||
int *pam_status = (int *) auth->data;
|
||||
@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
|
||||
"is your account locked?"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
+ /* Ignore if user is exempt from password restrictions. */
|
||||
+ if (exempt)
|
||||
+ debug_return_int(AUTH_SUCCESS);
|
||||
+ /* New password required, try to change it. */
|
||||
log_warningx(0, N_("Account or password is "
|
||||
"expired, reset your password and try again"));
|
||||
*pam_status = pam_chauthtok(pamh,
|
||||
@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
|
||||
N_("unable to change expired password: %s"), s);
|
||||
debug_return_int(AUTH_FAILURE);
|
||||
case PAM_AUTHTOK_EXPIRED:
|
||||
+ /* Ignore if user is exempt from password restrictions. */
|
||||
+ if (exempt)
|
||||
+ debug_return_int(AUTH_SUCCESS);
|
||||
+ /* Password expired, cannot be updated by user. */
|
||||
log_warningx(0,
|
||||
N_("Password expired, contact your system administrator"));
|
||||
debug_return_int(AUTH_FATAL);
|
||||
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
|
||||
index 6ef9bd72..5d9382dc 100644
|
||||
--- a/plugins/sudoers/auth/sudo_auth.c
|
||||
+++ b/plugins/sudoers/auth/sudo_auth.c
|
||||
@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw)
|
||||
* Returns true on success, false on failure and -1 on error.
|
||||
*/
|
||||
int
|
||||
-sudo_auth_approval(struct passwd *pw, int validated)
|
||||
+sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
|
||||
{
|
||||
sudo_auth *auth;
|
||||
debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH)
|
||||
@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated)
|
||||
/* Call approval routines. */
|
||||
for (auth = auth_switch; auth->name; auth++) {
|
||||
if (auth->approval && !IS_DISABLED(auth)) {
|
||||
- int status = (auth->approval)(pw, auth);
|
||||
+ int status = (auth->approval)(pw, auth, exempt);
|
||||
if (status != AUTH_SUCCESS) {
|
||||
/* Assume error msg already printed. */
|
||||
log_auth_failure(validated, 0);
|
||||
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
|
||||
index ea5ed9cd..9ae69cd5 100644
|
||||
--- a/plugins/sudoers/auth/sudo_auth.h
|
||||
+++ b/plugins/sudoers/auth/sudo_auth.h
|
||||
@@ -31,7 +31,7 @@ typedef struct sudo_auth {
|
||||
int (*init)(struct passwd *pw, struct sudo_auth *auth);
|
||||
int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
|
||||
int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
|
||||
- int (*approval)(struct passwd *pw, struct sudo_auth *auth);
|
||||
+ int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
|
||||
int (*cleanup)(struct passwd *pw, struct sudo_auth *auth);
|
||||
int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
|
||||
int (*end_session)(struct passwd *pw, struct sudo_auth *auth);
|
||||
@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv;
|
||||
/* Prototypes for standalone methods */
|
||||
int bsdauth_init(struct passwd *pw, sudo_auth *auth);
|
||||
int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
|
||||
-int bsdauth_approval(struct passwd *pw, sudo_auth *auth);
|
||||
+int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
|
||||
int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
|
||||
@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
|
||||
-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth);
|
||||
+int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
|
||||
int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
|
||||
int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
|
||||
int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);
|
||||
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
|
||||
index ed49d63a..486a80d8 100644
|
||||
--- a/plugins/sudoers/check.c
|
||||
+++ b/plugins/sudoers/check.c
|
||||
@@ -175,6 +175,7 @@ check_user(int validated, int mode)
|
||||
{
|
||||
struct passwd *auth_pw;
|
||||
int ret = -1;
|
||||
+ bool exempt = false;
|
||||
debug_decl(check_user, SUDOERS_DEBUG_AUTH)
|
||||
|
||||
/*
|
||||
@@ -194,6 +195,7 @@ check_user(int validated, int mode)
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
|
||||
!def_authenticate ? "authentication disabled" :
|
||||
"user exempt from authentication");
|
||||
+ exempt = true;
|
||||
ret = true;
|
||||
goto done;
|
||||
}
|
||||
@@ -218,7 +220,7 @@ check_user(int validated, int mode)
|
||||
done:
|
||||
if (ret == true) {
|
||||
/* The approval function may disallow a user post-authentication. */
|
||||
- ret = sudo_auth_approval(auth_pw, validated);
|
||||
+ ret = sudo_auth_approval(auth_pw, validated, exempt);
|
||||
}
|
||||
sudo_auth_cleanup(auth_pw);
|
||||
sudo_pw_delref(auth_pw);
|
||||
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
|
||||
index 57db74c1..956cb084 100644
|
||||
--- a/plugins/sudoers/sudoers.h
|
||||
+++ b/plugins/sudoers/sudoers.h
|
||||
@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv
|
||||
int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
|
||||
int sudo_auth_end_session(struct passwd *pw);
|
||||
int sudo_auth_init(struct passwd *pw);
|
||||
-int sudo_auth_approval(struct passwd *pw, int validated);
|
||||
+int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
|
||||
int sudo_auth_cleanup(struct passwd *pw);
|
||||
|
||||
/* set_perms.c */
|
||||
--
|
||||
2.13.6
|
||||
|
@ -0,0 +1,70 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
|
||||
@@ -34,7 +34,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%them" }
|
||||
+ { "usergroup": "them" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -42,7 +42,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "%: non UNIX 0 c" }
|
||||
+ { "nonunixgroup": " non UNIX 0 c" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
@@ -50,7 +50,7 @@
|
||||
},
|
||||
{
|
||||
"Binding": [
|
||||
- { "username": "+net" }
|
||||
+ { "netgroup": "net" }
|
||||
],
|
||||
"Options": [
|
||||
{ "set_home": true }
|
||||
diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
|
||||
--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
|
||||
@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
|
||||
#
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
|
||||
+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
|
||||
|
||||
#
|
||||
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
|
||||
@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
||||
diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
|
||||
--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
|
||||
@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
|
||||
LEXTRACE("ERROR "); /* empty string */
|
||||
LEXRETURN(ERROR);
|
||||
}
|
||||
- if (prev_state == INITIAL) {
|
||||
+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
|
||||
switch (sudoerslval.string[0]) {
|
||||
case '%':
|
||||
if (sudoerslval.string[1] == '\0' ||
|
@ -0,0 +1,27 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
|
||||
--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
|
||||
@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
if (ldap_conf.search_filter)
|
||||
sz += strlen(ldap_conf.search_filter);
|
||||
|
||||
- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
|
||||
- sz += 29 + sudo_ldap_value_len(pw->pw_name);
|
||||
+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
|
||||
+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
|
||||
|
||||
/* Add space for primary and supplementary groups and gids */
|
||||
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
|
||||
@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
|
||||
CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
|
||||
CHECK_STRLCAT(buf, ")", sz);
|
||||
|
||||
+ /* Append user uid */
|
||||
+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
|
||||
+ (void) strlcat(buf, "(sudoUser=#", sz);
|
||||
+ (void) strlcat(buf, gidbuf, sz);
|
||||
+ (void) strlcat(buf, ")", sz);
|
||||
+
|
||||
/* Append primary group and gid */
|
||||
if (grp != NULL) {
|
||||
CHECK_STRLCAT(buf, "(sudoUser=%", sz);
|
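Review bot: the three `strlcat` calls appending `(sudoUser=#uid)` ignore truncation, while the neighbouring code uses `CHECK_STRLCAT` / `CHECK_LDAP_VCAT` so that an overflow of `buf` is detected instead of a silently cut-off filter being sent to the directory; use `CHECK_STRLCAT(buf, "(sudoUser=#", sz);`, `CHECK_STRLCAT(buf, gidbuf, sz);`, `CHECK_STRLCAT(buf, ")", sz);`. The size accounting at the top adds `12 + MAX_UID_T_LEN`, which matches the 12 literal bytes of `(sudoUser=#` and `)`, but reusing `gidbuf` for a uid deserves a comment, `/* gidbuf is sized for a gid; a uid fits the same buffer */`. sudo_ldap_build_pass1 begins and ends outside the hunk.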
@ -0,0 +1,89 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c
|
||||
--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing 2018-06-28 11:24:25.966475241 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c 2018-06-28 11:26:40.215025493 +0200
|
||||
@@ -321,6 +321,15 @@ main(int argc, char *argv[])
|
||||
sudo_fatalx("error: unhandled input %d", input_format);
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * cvtsudoers group filtering doesn't work if def_match_group_by_gid
|
||||
+ * is set to true by default (at compile-time). It cannot be set to false
|
||||
+ * because cvtsudoers doesn't apply the parsed Defaults.
|
||||
+ *
|
||||
+ * Related: sudo-1.8.23-legacy-group-processing.patch
|
||||
+ */
|
||||
+ def_match_group_by_gid = def_legacy_group_processing = false;
|
||||
+
|
||||
/* Apply filters. */
|
||||
filter_userspecs(conf);
|
||||
filter_defaults(conf);
|
||||
diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c
|
||||
--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/defaults.c 2018-06-28 11:24:25.966475241 +0200
|
||||
@@ -87,6 +87,7 @@ static struct early_default early_defaul
|
||||
{ I_FQDN },
|
||||
#endif
|
||||
{ I_MATCH_GROUP_BY_GID },
|
||||
+ { I_LEGACY_GROUP_PROCESSING },
|
||||
{ I_GROUP_PLUGIN },
|
||||
{ I_RUNAS_DEFAULT },
|
||||
{ I_SUDOERS_LOCALE },
|
||||
@@ -488,6 +489,8 @@ init_defaults(void)
|
||||
}
|
||||
|
||||
/* First initialize the flags. */
|
||||
+ def_legacy_group_processing = true;
|
||||
+ def_match_group_by_gid = true;
|
||||
#ifdef LONG_OTP_PROMPT
|
||||
def_long_otp_prompt = true;
|
||||
#endif
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-28 11:24:25.966475241 +0200
|
||||
@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Ignore case when matching group names"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "legacy_group_processing", T_FLAG,
|
||||
+ N_("Don't pre-resolve all group names"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-28 11:24:25.967475238 +0200
|
||||
@@ -226,6 +226,8 @@
|
||||
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
|
||||
#define I_CASE_INSENSITIVE_GROUP 113
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
+#define I_LEGACY_GROUP_PROCESSING 114
|
||||
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-28 11:24:25.967475238 +0200
|
||||
@@ -357,3 +357,6 @@ case_insensitive_user
|
||||
case_insensitive_group
|
||||
T_FLAG
|
||||
"Ignore case when matching group names"
|
||||
+legacy_group_processing
|
||||
+ T_FLAG
|
||||
+ "Don't pre-resolve all group names"
|
||||
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c
|
||||
--- sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-28 11:24:25.967475238 +0200
|
||||
@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c
|
||||
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
|
||||
ret = true;
|
||||
|
||||
+ if (!def_match_group_by_gid || !def_legacy_group_processing) {
|
||||
+ def_match_group_by_gid = false;
|
||||
+ def_legacy_group_processing = false;
|
||||
+ }
|
||||
cleanup:
|
||||
if (!restore_perms())
|
||||
ret = -1;
|
61
recipes-extended/sudo/files/sudo-1.8.23-nowaitopt.patch
Normal file
@ -0,0 +1,61 @@
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
|
||||
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
|
||||
N_("Don't pre-resolve all group names"),
|
||||
NULL,
|
||||
}, {
|
||||
+ "cmnd_no_wait", T_FLAG,
|
||||
+ N_("Don't fork and wait for the command to finish, just exec it"),
|
||||
+ NULL,
|
||||
+ }, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
};
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
|
||||
@@ -228,6 +228,8 @@
|
||||
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
|
||||
#define I_LEGACY_GROUP_PROCESSING 114
|
||||
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
|
||||
+#define I_CMND_NO_WAIT 115
|
||||
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
|
||||
--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
|
||||
@@ -360,3 +360,6 @@ case_insensitive_group
|
||||
legacy_group_processing
|
||||
T_FLAG
|
||||
"Don't pre-resolve all group names"
|
||||
+cmnd_no_wait
|
||||
+ T_FLAG
|
||||
+ "Don't fork and wait for the command to finish, just exec it"
|
||||
diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
|
||||
diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
|
||||
--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
|
||||
+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
|
||||
@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
|
||||
def_match_group_by_gid = false;
|
||||
def_legacy_group_processing = false;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
|
||||
+ * and I/O logging. This will cause sudo to execute the given command
|
||||
+ * directly instead of forking a separate process for it.
|
||||
+ */
|
||||
+ if (def_cmnd_no_wait) {
|
||||
+ def_pam_setcred = false;
|
||||
+ def_pam_session = false;
|
||||
+ def_use_pty = false;
|
||||
+ def_log_input = false;
|
||||
+ def_log_output = false;
|
||||
+ }
|
||||
+
|
||||
cleanup:
|
||||
if (!restore_perms())
|
||||
ret = -1;
|
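Review bot: the `diff -up ... policy.c.nowaitopt ... policy.c` line has no `---`/`+++` headers or hunk after it, so it is a dangling diff header; GNU patch will skip it but quilt or devtool may reject the file, and it suggests part of the original patch was dropped — delete the line or restore the missing hunk. Behaviourally, setting `cmnd_no_wait` silently turns off `log_input`/`log_output` and the PAM session, i.e. a sudoers Defaults flag that removes audit coverage for every command it applies to; the comment block should say so, e.g. `* Note: this also drops PAM session setup and I/O logging, so commands run this way leave no I/O audit trail.`, and the image's sudoers should not enable it without that trade-off being recorded. sudoers_policy_init continues outside the hunk.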
@ -0,0 +1,32 @@
|
||||
diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
|
||||
--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-05-23 13:38:08.347538854 +0200
|
||||
+++ sudo-1.8.23/doc/Makefile.in 2018-05-23 13:38:12.806523146 +0200
|
||||
@@ -345,10 +345,16 @@ install-doc: install-dirs
|
||||
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
|
||||
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
+ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
+ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
|
||||
else \
|
||||
rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
|
||||
+ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
+ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
+ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
|
||||
fi
|
||||
|
||||
install-plugin:
|
||||
@@ -363,8 +369,9 @@ uninstall:
|
||||
$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
|
||||
$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
|
||||
$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
|
||||
- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
|
||||
- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
|
||||
+ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
|
||||
+ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
|
||||
+ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
|
||||
|
||||
splint:
|
||||
|
90
recipes-extended/sudo/files/sudo-1.8.6p7-logsudouser.patch
Normal file
@ -0,0 +1,90 @@
|
||||
From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Sykora <tosykora@redhat.com>
|
||||
Date: Wed, 17 Aug 2016 10:12:11 +0200
|
||||
Subject: [PATCH] Sudo logs username root instead of realuser
|
||||
|
||||
RHEL7 sudo logs username root instead of realuser in /var/log/secure
|
||||
|
||||
Rebased from:
|
||||
Patch50: sudo-1.8.6p7-logsudouser.patch
|
||||
|
||||
Resolves:
|
||||
rhbz#1312486
|
||||
---
|
||||
plugins/sudoers/logging.c | 14 +++++++-------
|
||||
plugins/sudoers/sudoers.h | 1 +
|
||||
2 files changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
|
||||
index 45cae67..74b2220 100644
|
||||
--- a/plugins/sudoers/logging.c
|
||||
+++ b/plugins/sudoers/logging.c
|
||||
@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
|
||||
* Log the full line, breaking into multiple syslog(3) calls if necessary
|
||||
*/
|
||||
fmt = _("%8s : %s");
|
||||
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
|
||||
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
|
||||
for (p = msg; *p != '\0'; ) {
|
||||
len = strlen(p);
|
||||
if (len > maxlen) {
|
||||
@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
|
||||
save = *tmp;
|
||||
*tmp = '\0';
|
||||
|
||||
- mysyslog(pri, fmt, user_name, p);
|
||||
+ mysyslog(pri, fmt, sudo_user_name, p);
|
||||
|
||||
*tmp = save; /* restore saved character */
|
||||
|
||||
@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
|
||||
for (p = tmp; *p == ' '; p++)
|
||||
continue;
|
||||
} else {
|
||||
- mysyslog(pri, fmt, user_name, p);
|
||||
+ mysyslog(pri, fmt, sudo_user_name, p);
|
||||
p += len;
|
||||
}
|
||||
fmt = _("%8s : (command continued) %s");
|
||||
- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
|
||||
+ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
|
||||
}
|
||||
|
||||
sudoers_setlocale(oldlocale, NULL);
|
||||
@@ -179,10 +179,10 @@ do_logfile(const char *msg)
|
||||
timestr = "invalid date";
|
||||
if (def_log_host) {
|
||||
len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
|
||||
- timestr, user_name, user_srunhost, msg);
|
||||
+ timestr, sudo_user_name, user_srunhost, msg);
|
||||
} else {
|
||||
len = asprintf(&full_line, "%s : %s : %s",
|
||||
- timestr, user_name, msg);
|
||||
+ timestr, sudo_user_name, msg);
|
||||
}
|
||||
if (len == -1) {
|
||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
|
||||
|
||||
if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
|
||||
timestr = "invalid date";
|
||||
- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
|
||||
+ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
|
||||
va_start(ap, fmt);
|
||||
(void) vfprintf(mail, fmt, ap);
|
||||
va_end(ap);
|
||||
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
|
||||
index cfd5abb..c69a043 100644
|
||||
--- a/plugins/sudoers/sudoers.h
|
||||
+++ b/plugins/sudoers/sudoers.h
|
||||
@@ -180,6 +180,7 @@ struct sudo_user {
|
||||
/*
|
||||
* Shortcuts for sudo_user contents.
|
||||
*/
|
||||
+#define sudo_user_name (sudo_user.pw->pw_name)
|
||||
#define user_name (sudo_user.name)
|
||||
#define user_uid (sudo_user.uid)
|
||||
#define user_gid (sudo_user.gid)
|
||||
--
|
||||
2.7.4
|
||||
|
@ -2,17 +2,57 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
|
||||
|
||||
# This bbappend replaces stx sudo-config
|
||||
|
||||
SRC_URI += "file://sysadmin"
|
||||
DEPENDS += " \
|
||||
openldap \
|
||||
libgcrypt \
|
||||
"
|
||||
|
||||
SRC_URI += " \
|
||||
file://sysadmin \
|
||||
file://sudo-1.6.7p5-strip.patch \
|
||||
file://sudo-1.7.2p1-envdebug.patch \
|
||||
file://sudo-1.8.23-sudoldapconfman.patch \
|
||||
file://sudo-1.8.23-legacy-group-processing.patch \
|
||||
file://sudo-1.8.23-ldapsearchuidfix.patch \
|
||||
file://sudo-1.8.6p7-logsudouser.patch \
|
||||
file://sudo-1.8.23-nowaitopt.patch \
|
||||
file://sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch \
|
||||
file://sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch \
|
||||
"
|
||||
|
||||
EXTRA_OECONF += " \
|
||||
--with-pam-login \
|
||||
--with-editor=/bin/vi \
|
||||
--with-env-editor \
|
||||
--with-ignore-dot \
|
||||
--with-tty-tickets \
|
||||
--with-ldap \
|
||||
--with-ldap-conf-file="${sysconfdir}/sudo-ldap.conf" \
|
||||
--with-passprompt="[sudo] password for %Zp: " \
|
||||
--with-linux-audit \
|
||||
--with-sssd \
|
||||
"
|
||||
|
||||
|
||||
do_install_append () {
|
||||
install -m644 ${S}/../sysadmin ${D}/${sysconfdir}/sudoers.d/sysadmin
|
||||
install -m755 -d ${D}/${sysconfdir}/openldap/schema
|
||||
install -m644 ${S}/doc/schema.OpenLDAP ${D}/${sysconfdir}/openldap/schema/sudo.schema
|
||||
}
|
||||
|
||||
pkg_postinst_ontarget_sudo_append () {
|
||||
SYSADMIN_P="4SuW8cnXFyxsk"
|
||||
/usr/sbin/groupadd sys_protected
|
||||
/usr/sbin/useradd -m -g sys_protected -G root \
|
||||
-d /home/sysadmin -p $SYSADMIN_P \
|
||||
-s /bin/sh sysadmin 2> /dev/null || :
|
||||
|
||||
# We do this with extrausers_config.bbclass
|
||||
#SYSADMIN_P="4SuW8cnXFyxsk"
|
||||
#/usr/sbin/groupadd sys_protected
|
||||
#/usr/sbin/useradd -m -g sys_protected -G root \
|
||||
# -d /home/sysadmin -p $SYSADMIN_P \
|
||||
# -s /bin/sh sysadmin 2> /dev/null || :
|
||||
|
||||
/usr/bin/chage -d0 sysadmin
|
||||
}
|
||||
|
||||
# This means sudo package only owns files
|
||||
# to avoid install conflict with openldap on
|
||||
# /etc/openldap. Sure there is a better way.
|
||||
DIRFILES = "1"
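Review bot: The crypt(3) hash of the sysadmin default password is still published in the recipe through the commented-out `#SYSADMIN_P="4SuW8cnXFyxsk"` block, even though the live lines are gone and the new comment says the account is now created by extrausers_config.bbclass; a 13-character traditional-DES hash like this is trivial to crack offline, so the commented block should be deleted outright and the hash should not live in the tree in any form (supply it from a build-time variable and rotate it). The retained `/usr/bin/chage -d0 sysadmin` only forces a change at first interactive login and does nothing against someone who already knows the default, and the account's `-G root` supplementary group is presumably mirrored in the bbclass — that deserves a one-line justification here. Separately, `install -m644 ${S}/../sysadmin ${D}/${sysconfdir}/sudoers.d/sysadmin` should be `install -m 0440`, the mode sudo's own install and the sudoers(5) drop-in convention use; sudo is built with a sudoers mode of 0440 and, depending on version, warns about or rejects drop-ins that do not match, and there is no reason for the policy file to be world-readable.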
|
||||
|
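--- /dev/null
+++ b/recipes-support/openldap/files/stx-slapd.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+RuntimeDirectory=openldap
+StateDirectory=openldap-data
+# PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u root -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target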
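Review bot: `ExecStart=/usr/sbin/slapd -u root -h ${SLAPD_URLS} $SLAPD_OPTIONS` keeps the directory server at uid 0 for its entire lifetime, so any parsing bug reachable from an anonymous client on `ldap:///` is a root compromise; slapd's `-u`/`-g` options exist precisely so it can bind the privileged port and then drop privileges. Run it as the dedicated account, `ExecStart=/usr/sbin/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS`, and give that user ownership of `/etc/openldap/slapd.d` and the `openldap-data` state directory rather than working around permission errors with root. With `Type=forking` and `PIDFile` commented out, systemd has to guess the main process, which makes stop and restart tracking unreliable; presumably slapd.conf sets a `pidfile` under the `RuntimeDirectory`, in which case re-enable `PIDFile=/run/openldap/slapd.pid` (not `/var/run`). `After=syslog.target` is a no-op on current systemd and can go.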
@ -34,6 +34,7 @@ SRC_URI += " \
|
||||
file://0021-openldap-and-stx-source-and-config-files.patch \
|
||||
file://0022-ltb-project-openldap-ppolicy-check-password-1.1.patch \
|
||||
file://0001-stx-openldap-config-files.patch \
|
||||
file://stx-slapd.service \
|
||||
"
|
||||
|
||||
inherit pkgconfig
|
||||
@ -49,6 +50,9 @@ DEPENDS += " \
|
||||
|
||||
RDEPENDS_${PN}_append = " bash"
|
||||
|
||||
# Do not remove libtool la files slapd.conf uses ppolicy.la
|
||||
REMOVE_LIBTOOL_LA = "0"
|
||||
|
||||
|
||||
# Defaults:
|
||||
# --enable-bdb=no
|
||||
@ -130,9 +134,9 @@ do_install_append () {
|
||||
install -m 0755 libexec-generate-server-cert.sh ${D}/${libexecdir}/openldap/generate-server-cert.sh
|
||||
install -m 0755 libexec-update-ppolicy-schema.sh ${D}/${libexecdir}/openldap/update-ppolicy-schema.sh
|
||||
|
||||
install -m 0644 slapd.service ${D}/${systemd_system_unitdir}/stx-slapd.service
|
||||
install -m 0644 ${S}/../stx-slapd.service ${D}/${systemd_system_unitdir}/stx-slapd.service
|
||||
install -m 0755 -d ${D}/${sysconfdir}/sysconfig
|
||||
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd.sysconfig
|
||||
install -m 0644 slapd.sysconfig ${D}/${sysconfdir}/sysconfig/slapd
|
||||
install -m 0755 -d ${D}/${datadir}/openldap-servers
|
||||
install -m 0644 slapd.ldif ${D}/${datadir}/openldap-servers/slapd.ldif
|
||||
install -m 0750 -d ${D}/${sysconfdir}/openldap/slapd.d
|
||||
@ -143,12 +147,17 @@ do_install_append () {
|
||||
mkdir -p ${D}/${sysconfdir}/rc.d/init.d
|
||||
install -m 755 initscript ${D}/${sysconfdir}/rc.d/init.d/openldap
|
||||
install -d -m 740 ${D}/${sysconfdir}/openldap
|
||||
install -m 600 slapd.conf ${D}/${sysconfdir}/openldap/slapd.conf
|
||||
install -m 600 initial_config.ldif ${D}/${sysconfdir}/openldap/initial_config.ldif
|
||||
install -m 644 slapd.conf ${D}/${sysconfdir}/openldap/slapd.conf
|
||||
install -m 644 initial_config.ldif ${D}/${sysconfdir}/openldap/initial_config.ldif
|
||||
|
||||
install -d ${D}/${datadir}/starlingx
|
||||
install -m 644 slapd.service ${D}/${datadir}/starlingx/slapd.service
|
||||
install -m 644 ${S}/../stx-slapd.service ${D}/${datadir}/starlingx/slapd.service
|
||||
install -m 644 slapd.sysconfig ${D}/${datadir}/starlingx/slapd.sysconfig
|
||||
|
||||
#cd ${S}/
|
||||
#oe_runmake -e -C servers/slapd/overlays DESTDIR=${D} install
|
||||
sed -i -e 's:\(/sbin/runuser\):/usr\1:g' ${D}/usr/libexec/openldap/functions
|
||||
|
||||
}
|
||||
|
||||
FILES_openldap-config = " \
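Review bot: Changing `install -m 600 slapd.conf` and `install -m 600 initial_config.ldif` to `-m 644` makes the two files that normally hold the directory's rootpw/olcRootPW hash, TLS key paths and ACLs world-readable; today the parent is still `install -d -m 740 ${D}/${sysconfdir}/openldap`, so the looser mode buys nothing for a non-root reader, but the commented-out `chmod 755 /etc/openldap` in the following hunk shows the direction this is heading, and once the directory opens up every local account can read the admin credential hash. If a non-root slapd (or check-config.sh) needs to read these, keep them `-m 0640` and give the ldap group ownership at image-postprocess time instead of relaxing them for everyone. Also, unless the old `install -m 644 slapd.service ${D}/${datadir}/starlingx/slapd.service` line was actually removed (the `-143,12 +147,17` counts suggest it survived), it writes the same target that the new `${S}/../stx-slapd.service` line immediately overwrites and should be dropped.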
|
||||
@ -158,11 +167,14 @@ FILES_openldap-config = " \
|
||||
${datadir}/starlingx/slapd.sysconfig \
|
||||
"
|
||||
|
||||
pkg_postinst_ontarget_libldap-${PN}_append () {
|
||||
cp ${datadir}/starlingx/slapd.service ${systemd_system_unitdir}/slapd.service
|
||||
chmod 644 ${systemd_system_unitdir}/slapd.service
|
||||
cp ${datadir}/starlingx/slapd.sysconfig ${sysconfdir}/sysconfig/slapd
|
||||
}
|
||||
#pkg_postinst_ontarget_libldap-2.4_append () {
|
||||
# cp /usr/share/starlingx/slapd.service ${systemd_system_unitdir}/slapd.service
|
||||
# chmod 644 ${systemd_system_unitdir}/slapd.service
|
||||
# cp ${datadir}/starlingx/slapd.sysconfig ${sysconfdir}/sysconfig/slapd
|
||||
# systemctl daemon-reload
|
||||
# chmod 755 /etc/openldap
|
||||
# chmod 755 /etc/openldap/slapd.d
|
||||
#}
|
||||
|
||||
FILES_${PN}_append = " \
|
||||
${datadir}/openldap-servers/ \
|
||||
|