commit: bd7638e41c495c39e041519496b1fb2c5f700d7d Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> AuthorDate: Wed Sep 3 21:06:08 2025 +0000 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> CommitDate: Wed Sep 3 21:06:34 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd7638e4
app-admin/sudo-rs: Revbump, keyword Make package actually usable on a real system. Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> app-admin/sudo-rs/files/sudoers-rs | 139 ++++++++++++++++++++++++++++++ app-admin/sudo-rs/sudo-rs-0.2.8-r1.ebuild | 61 ------------- app-admin/sudo-rs/sudo-rs-0.2.8-r2.ebuild | 107 +++++++++++++++++++++++ 3 files changed, 246 insertions(+), 61 deletions(-)
diff --git a/app-admin/sudo-rs/files/sudoers-rs b/app-admin/sudo-rs/files/sudoers-rs
new file mode 100644
index 000000000000..e60cee42defb
--- /dev/null
+++ b/app-admin/sudo-rs/files/sudoers-rs
@@ -0,0 +1,139 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users. These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands. Often used to group related commands together.
+# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# /usr/bin/pkill, /usr/bin/top
+#
+# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+#
+# Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \
+# /usr/bin/truss, /usr/bin/bpftrace, \
+# /usr/bin/dtrace, /usr/bin/dtruss
+#
+# Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \
+# /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \
+# /usr/bin/pacman
+
+##
+## Defaults specification
+##
+## Preserve editor environment variables for visudo.
+## To preserve these for all commands, remove the "!visudo" qualifier.
+Defaults!/usr/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+##
+## Use a hard-coded PATH instead of the user's to find commands.
+## This also helps prevent poorly written scripts from running
+## arbitrary commands under sudo.
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/21/bin:/usr/lib/llvm/20/bin:/etc/eselect/wine/bin"
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file. Note that other programs use HOME to find
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods. Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to disable "use_pty" when running commands as root.
+## Commands run as non-root users will run in a pseudo-terminal,
+## not the user's own terminal, to prevent command injection.
+# Defaults>root !use_pty
+##
+## Uncomment to run commands in the background by default.
+## This can be used to prevent sudo from consuming user input while
+## a non-interactive command runs if "use_pty" or I/O logging are
+## enabled. Some commands may not run properly in the background.
+# Defaults exec_background
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
+## Sudo will create up to 2,176,782,336 I/O logs before recycling them.
+## Set maxseq to a smaller number if you don't have unlimited disk space.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+# Defaults maxseq = 1000
+##
+## Uncomment to disable intercept and log_subcmds for debuggers and
+## tracers. Otherwise, anything that uses ptrace(2) will be unable
+## to run under sudo if intercept_type is set to "trace".
+# Defaults!DEBUGGERS !intercept, !log_subcmds
+##
+## Uncomment to disable intercept and log_subcmds for package managers.
+## Some package scripts run a huge number of commands, which is made
+## slower by these options and also can clutter up the logs.
+# Defaults!PKGMAN !intercept, !log_subcmds
+##
+## Uncomment to disable PAM silent mode. Otherwise messages by PAM
+## modules such as pam_faillock will not be printed.
+# Defaults !pam_silent
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL:ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL:ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo ALL=(ALL:ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw # Ask for the password of the target user
+# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+@includedir /etc/sudoers.d
diff --git a/app-admin/sudo-rs/sudo-rs-0.2.8-r1.ebuild b/app-admin/sudo-rs/sudo-rs-0.2.8-r1.ebuild
deleted file mode 100644
index 0a3756d57814..000000000000
--- a/app-admin/sudo-rs/sudo-rs-0.2.8-r1.ebuild
+++ /dev/null
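Review bot: The `secure_path` default hard-codes what look like one machine's toolchain directories (`/usr/lib/llvm/21/bin`, `/usr/lib/llvm/20/bin`, `/etc/eselect/wine/bin`), so the list will drift from the LLVM slots actually installed, and every entry is a directory from which commands run as root are resolved. I would ship only the base system directories, e.g. `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin"`, or generate the value at build time, and add a comment that each listed directory must be writable by root only. The `Defaults!/usr/sbin/visudo` line also names a path and binary name that the ebuild in this commit does not appear to install (it sets modes on `/usr/bin/visudo` or `/usr/bin/visudo-rs`), so the editor variables may never be kept; the header's 'visudo' wording has the same naming problem when the `-rs` suffix is in use.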
@@ -1,61 +0,0 @@
-# Copyright 2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Autogenerated by pycargoebuild 0.15.0
-
-EAPI=8
-
-CRATES="
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
-"
-
-inherit cargo
-
-DESCRIPTION="A memory safe implementation of sudo and su."
-HOMEPAGE="https://github.com/trifectatechfoundation/sudo-rs"
-SRC_URI="
- https://github.com/trifectatechfoundation/${PN}/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
- ${CARGO_CRATE_URIS}
-"
-
-LICENSE="|| ( Apache-2.0 MIT )"
-# Dependent crate licenses
-LICENSE+=" || ( Apache-2.0 MIT )"
-SLOT="0"
-#KEYWORDS="~amd64"
-
-RDEPEND="
- !app-admin/sudo
- !sys-apps/util-linux[su]
- !sys-apps/shadow[su]
-"
-
-QA_FLAGS_IGNORED="usr/bin/.*"
-
-DOCS=(
- README.md
- SECURITY.md
- CHANGELOG.md
-)
-
-PATCHES=(
- # disable tests that require root access
- "${FILESDIR}/sudo-rs-0.2.8-tests.patch"
-)
-
-src_install() {
- cargo_src_install
-
- dodoc "${DOCS[@]}"
-
- local man dest
- for man in docs/man/*.?.man; do
- dest="${man##*/}"
- newman "${man}" "${dest%.man}"
- done
-}
diff --git a/app-admin/sudo-rs/sudo-rs-0.2.8-r2.ebuild b/app-admin/sudo-rs/sudo-rs-0.2.8-r2.ebuild
new file mode 100644
index 000000000000..b862fea732c8
--- /dev/null
+++ b/app-admin/sudo-rs/sudo-rs-0.2.8-r2.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# Autogenerated by pycargoebuild 0.15.0
+
+EAPI=8
+
+CRATES="
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+"
+
+inherit pam cargo
+
+DESCRIPTION="A memory safe implementation of sudo and su."
+HOMEPAGE="https://github.com/trifectatechfoundation/sudo-rs"
+SRC_URI="
+ https://github.com/trifectatechfoundation/${PN}/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
+ ${CARGO_CRATE_URIS}
+"
+
+LICENSE="|| ( Apache-2.0 MIT )"
+# Dependent crate licenses
+LICENSE+=" || ( Apache-2.0 MIT )"
+SLOT="0"
+KEYWORDS="~amd64"
+
+IUSE="pam su system-names"
+
+RDEPEND="
+ system-names? (
+ !app-admin/sudo
+ su? (
+ !sys-apps/util-linux[su]
+ !sys-apps/shadow[su]
+ )
+ )
+"
+
+QA_FLAGS_IGNORED="usr/bin/.*"
+
+DOCS=(
+ README.md
+ SECURITY.md
+ CHANGELOG.md
+)
+
+PATCHES=(
+ # disable tests that require root access
+ "${FILESDIR}/sudo-rs-0.2.8-tests.patch"
+)
+
+src_prepare() {
+ if ! use system-names; then
+ find "${S}" -name '*.rs' -or -name 'Cargo.toml' -print0 \
+ | xargs --null sed -r -e 's:"(sudo|visudo|su|su-l)":"\1-rs": ; s:"sudo-i":"sudo-rs-i":' -i || die
+ elif ! use su; then
+ find "${S}" -name '*.rs' -or -name 'Cargo.toml' -print0 \
+ | xargs --null sed -r -e 's:"(su|su-l)":"\1-rs":' -i || die
+ fi
+
+ default
+}
+
+src_install() {
+ cargo_src_install
+
+ local ext=$(usex system-names '' '-rs')
+ local -a binaries=(
+ {sudo,visudo}${ext}
+ )
+ if use system-names && use su; then
+ binaries+=( su )
+ else
+ binaries+=( su${ext} )
+ fi
+
+ dodoc "${DOCS[@]}"
+
+ local man dest
+ for man in docs/man/*.?.man; do
+ dest="${man##*/}"
+ dest="${dest%.man}"
+ dest="${dest/./${ext}.}"
+ newman "${man}" "${dest}"
+ done
+
+ fperms 4755 $(printf -- '/usr/bin/%s\n' "${binaries[@]}")
+
+ insinto /etc
+ doins "${FILESDIR}"/sudoers-rs
+
+ keepdir /etc/sudoers.d
+
+ if use pam; then
+ pamd_mimic system-auth sudo${ext} auth account session
+ pamd_mimic system-auth sudo${ext}-i auth account session
+
+ if use su; then
+ pamd_mimic system-auth su${ext}-l auth account session
+ fi
+ fi
+}
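Review bot: In `src_prepare`, both `find` invocations only ever print `Cargo.toml` files, because `-print0` binds to the second `-name` test and the `*.rs` branch of the `-or` has no action; the string renames therefore never reach the Rust sources. Group the tests: `find "${S}" \( -name '*.rs' -o -name 'Cargo.toml' \) -print0`. Once the sources are rewritten, `"su-l"` becomes `"su-l-rs"` while `src_install` installs the PAM service as `su${ext}-l` (i.e. `su-rs-l`), so the login-shell variant would presumably look up a PAM stack that does not exist; handle it like `sudo-i` with `s:"su-l":"su-rs-l":`. Separately, `fperms 4755` is applied to every entry of `binaries`, which includes `visudo${ext}`; unless sudo-rs's visudo is meant to be setuid, keep the bit to `sudo` and `su` so that the policy-file editor is not a setuid-root entry point for every local user.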
