authorRaphaël Marichez <falco@gentoo.org>2008-04-15 11:38:17 +0200
committerRaphaël Marichez <falco@gentoo.org>2008-04-15 11:38:17 +0200
commitf797738dec2de8edda2b4b50b22264451f234e31 (patch)
tree74957c5b35315179cf6b4211506515f4b1dad8ac /app-admin/sudo/files
parentwrong dir (diff)
sudo: own patch for logging the SSH_CLIENT env variable
Signed-off-by: Raphaël Marichez <falco@gentoo.org>
Diffstat (limited to 'app-admin/sudo/files')
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p111
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p121
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p12-r13
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p91
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p9-r23
-rw-r--r--app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff43
-rw-r--r--app-admin/sudo/files/sudo6
-rw-r--r--app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff46
-rw-r--r--app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff10
-rw-r--r--app-admin/sudo/files/sudo-ldap_timelimit.diff76
-rw-r--r--app-admin/sudo/files/sudo-skeychallengeargs.diff15
-rw-r--r--app-admin/sudo/files/sudoers55
12 files changed, 260 insertions, 0 deletions
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p11 b/app-admin/sudo/files/digest-sudo-1.6.8_p11
new file mode 100644
index 0000000..a0e605f
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p11
@@ -0,0 +1 @@
+MD5 2b4dbbcec2865adbe12c5693097a6d2c sudo-1.6.8p11.tar.gz 585581
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12 b/app-admin/sudo/files/digest-sudo-1.6.8_p12
new file mode 100644
index 0000000..b0063e9
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12
@@ -0,0 +1 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1 b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
new file mode 100644
index 0000000..02e4692
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
@@ -0,0 +1,3 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
+RMD160 d7ff9f18ca0973615258c2e975300b94567451d5 sudo-1.6.8p12.tar.gz 585643
+SHA256 56f7d86032538a4a98d90af3742903a09ba16d6db82b593e4a47605f87fa581a sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9 b/app-admin/sudo/files/digest-sudo-1.6.8_p9
new file mode 100644
index 0000000..0629e17
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9
@@ -0,0 +1 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2 b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
new file mode 100644
index 0000000..89fdc9a
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
@@ -0,0 +1,3 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
+RMD160 c1c719504476ab9ac11e0421716d149120463e33 sudo-1.6.8p9.tar.gz 585509
+SHA256 68f5b3e4f5572d816cf4d23616432286da7ba96ac58c17fef23046f12c88f440 sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
new file mode 100644
index 0000000..be6da5c
--- /dev/null
+++ b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
@@ -0,0 +1,43 @@
+--- logging.b.c 2006-01-21 15:49:27.000000000 +0100
++++ logging.c 2006-01-21 18:47:05.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+
+ mail_auth(status, logline); /* send mail based on status */
+
+--- env.b.c 2005-02-06 16:37:01.000000000 +0100
++++ env.c 2006-01-21 18:42:41.000000000 +0100
+@@ -183,6 +183,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+--- sudo.b.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo.h 2006-01-21 18:51:34.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
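Review bot: The value stored by `user_ssh_client = *ep + 11;` in the env.c part of this patch comes straight from the invoking user's environment, so the new `SSH_CLIENT=%s` field added to the easprintf() call in logging.c is untrusted text appended verbatim to the log line, and nothing strips the `" ; "` separators the surrounding fields rely on or control characters before it reaches the syslog/mail path. It should be treated as informational only, never as an audit-grade source address, and that belongs next to the new struct member, e.g. `char *user_ssh_client; /* from caller's env, unverified: informational only */`, with escaping or rejection of separator/control characters added where the line is built. The `" ; SSH_CLIENT=%s"` suffix is also emitted for every entry even when the variable is absent, which changes the log format globally; making it conditional the way `user_args` is would keep existing parsers working. The same patch is added again as sudo-1.6.8_p12-ssh_client.diff below and the remarks apply there too.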
diff --git a/app-admin/sudo/files/sudo b/app-admin/sudo/files/sudo
new file mode 100644
index 0000000..8fc562d
--- /dev/null
+++ b/app-admin/sudo/files/sudo
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth required pam_stack.so service=system-auth
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth
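Review bot: All four lines use `pam_stack.so`, the old Red Hat stacking module that Linux-PAM dropped in the 0.99 series in favour of the `include` control; on a libpam without it these lines fail to load and, as far as I can tell, sudo's PAM stack then fails closed rather than open, but it is worth confirming which libpam version the ebuild targets. The equivalent current form is `auth include system-auth` and likewise `account include system-auth`, `password include system-auth`, `session include system-auth`.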
diff --git a/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
new file mode 100644
index 0000000..540ee74
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
@@ -0,0 +1,46 @@
+diff -uNr -r sudo-1.6.8p12-orig/env.c sudo-1.6.8p12/env.c
+--- sudo-1.6.8p12-orig/env.c 2007-03-04 18:32:36.000000000 +0100
++++ sudo-1.6.8p12/env.c 2007-03-04 18:32:06.000000000 +0100
+@@ -200,6 +200,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+diff -uNr -r sudo-1.6.8p12-orig/logging.c sudo-1.6.8p12/logging.c
+--- sudo-1.6.8p12-orig/logging.c 2004-05-17 22:08:46.000000000 +0200
++++ sudo-1.6.8p12/logging.c 2007-03-04 18:32:06.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+
+ mail_auth(status, logline); /* send mail based on status */
+
+diff -uNr -r sudo-1.6.8p12-orig/sudo.h sudo-1.6.8p12/sudo.h
+--- sudo-1.6.8p12-orig/sudo.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo-1.6.8p12/sudo.h 2007-03-04 18:32:06.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
diff --git a/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
new file mode 100644
index 0000000..bb2570e
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
@@ -0,0 +1,10 @@
+--- ldap.c.orig 2005-06-16 22:55:41.047152568 +0100
++++ ldap.c 2005-06-16 22:56:49.707714576 +0100
+@@ -539,6 +539,7 @@
+ else MATCH_S("ssl", ldap_conf.ssl)
+ else MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
+ else MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
++ else MATCH_S("tls_cacert", ldap_conf.tls_cacertfile)
+ else MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
+ else MATCH_S("tls_randfile", ldap_conf.tls_random_file)
+ else MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
diff --git a/app-admin/sudo/files/sudo-ldap_timelimit.diff b/app-admin/sudo/files/sudo-ldap_timelimit.diff
new file mode 100644
index 0000000..2c13ba4
--- /dev/null
+++ b/app-admin/sudo/files/sudo-ldap_timelimit.diff
@@ -0,0 +1,76 @@
+diff -urN sudo-1.6.8p8/ldap.c sudo-1.6.8p8-patched/ldap.c
+--- sudo-1.6.8p8/ldap.c 2004-12-01 03:28:46.000000000 +0000
++++ sudo-1.6.8p8-patched/ldap.c 2005-06-22 08:14:59.000000000 +0000
+@@ -82,6 +82,8 @@
+ char *bindpw;
+ char *base;
+ char *ssl;
++ int bind_timelimit;
++ int timelimit;
+ int tls_checkpeer;
+ char *tls_cacertfile;
+ char *tls_cacertdir;
+@@ -545,6 +547,8 @@
+ else MATCH_S("tls_cert", ldap_conf.tls_certfile)
+ else MATCH_S("tls_key", ldap_conf.tls_keyfile)
+ else MATCH_I("ldap_version", ldap_conf.version)
++ else MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
++ else MATCH_I("timelimit", ldap_conf.timelimit)
+ else MATCH_S("uri", ldap_conf.uri)
+ else MATCH_S("binddn", ldap_conf.binddn)
+ else MATCH_S("bindpw", ldap_conf.bindpw)
+@@ -566,6 +570,8 @@
+ if (!ldap_conf.version) ldap_conf.version=3;
+ if (!ldap_conf.port) ldap_conf.port=389;
+ if (!ldap_conf.host) ldap_conf.host=estrdup("localhost");
++ if (!ldap_conf.bind_timelimit) ldap_conf.bind_timelimit=30;
++ if (!ldap_conf.timelimit) ldap_conf.timelimit=30;
+
+
+ if (ldap_conf.debug>1) {
+@@ -589,6 +595,10 @@
+ ldap_conf.binddn : "(anonymous)");
+ printf("bindpw %s\n", ldap_conf.bindpw ?
+ ldap_conf.bindpw : "(anonymous)");
++ printf("bind_timelimit %d\n", ldap_conf.bind_timelimit ?
++ ldap_conf.bind_timelimit : 30);
++ printf("timelimit %d\n", ldap_conf.timelimit ?
++ ldap_conf.timelimit : 30);
+ #ifdef HAVE_LDAP_START_TLS_S
+ printf("ssl %s\n", ldap_conf.ssl ?
+ ldap_conf.ssl : "(no)");
+@@ -772,6 +782,34 @@
+ }
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+
++ /* setup timelimit options */
++
++SET_OPTI(LDAP_OPT_TIMELIMIT, "TIMELIMIT", timelimit);
++
++#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
++ int timeout;
++ timeout = ldap_conf.bind_timelimit * 1000;
++
++ SET_OPTI(LDAP_X_OPT_CONNECT_TIMEOUT, "X_OPT_CONNECT_TIMEOUT", timeout);
++#endif
++
++#ifdef LDAP_OPT_NETWORK_TIMEOUT
++ if (ldap_conf.debug>1) fprintf(stderr, "setting bind_timelimit to %d\n", \
++ ldap_conf.bind_timelimit);
++
++ struct timeval tv;
++
++ tv.tv_sec = ldap_conf.bind_timelimit;
++ tv.tv_usec = 0;
++
++ rc = ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
++
++ if (rc != LDAP_OPT_SUCCESS) {
++ fprintf(stderr, "bind_timelimit ldap_set_option failed: %s\n", ldap_err2string(rc));
++ return VALIDATE_ERROR;
++ }
++#endif
++
+ /* attempt connect */
+ #ifdef HAVE_LDAP_INITIALIZE
+ if (ldap_conf.uri) {
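Review bot: In the last inner hunk (`@@ -772,6 +782,34 @@`) the call `rc = ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);` sits before the `/* attempt connect */` block that creates the LDAP handle, so `ld` is either still NULL (OpenLDAP then stores a process-wide default, which works) or uninitialized; please confirm `ld` is initialised to NULL at the top of the enclosing function, whose start is outside this hunk. The `int timeout;` and `struct timeval tv;` declarations follow statements in the same block, which a C89 build rejects, so hoist them to the start of the enclosing scope (and indent `SET_OPTI(LDAP_OPT_TIMELIMIT, ...)`, which is at column 0). `if (!ldap_conf.bind_timelimit) ldap_conf.bind_timelimit=30;` and the `timelimit` twin in the defaults hunk make it impossible to configure `timelimit 0` (no limit) and, if `MATCH_I` just parses the integer, do not reject negative values; an explicit unset sentinel such as initialising both to -1 plus a range check would be clearer. The `? ... : 30` fallbacks in the new debug printf lines are redundant once those defaults have been applied.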
diff --git a/app-admin/sudo/files/sudo-skeychallengeargs.diff b/app-admin/sudo/files/sudo-skeychallengeargs.diff
new file mode 100644
index 0000000..3c90cfa
--- /dev/null
+++ b/app-admin/sudo/files/sudo-skeychallengeargs.diff
@@ -0,0 +1,15 @@
+--- sudo-1.6.7p5/auth/rfc1938.c 2003-04-16 01:39:15.000000000 +0100
++++ sudo-1.6.7p5/auth/rfc1938.c.new 2004-09-17 20:01:00.996902672 +0100
+@@ -64,11 +64,7 @@
+ #if defined(HAVE_SKEY)
+ # include <skey.h>
+ # define RFC1938 skey
+-# ifdef __NetBSD__
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+-# else
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c))
+-# endif
++# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+ # define rfc1938verify(a,b) skeyverify((a),(b))
+ #elif defined(HAVE_OPIE)
+ # include <opie.h>
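Review bot: Removing the `# ifdef __NetBSD__` … `# endif` branch hard-codes the four-argument `skeychallenge()` for every platform, so a build against an S/Key library that still exports the three-argument form (the case the removed `#else` covered) now fails to compile; unless the ebuild only ever targets a libskey with the four-argument prototype, gate this on a configure-time check of the prototype rather than on the platform. A one-line comment above the new define, e.g. `/* assumes the four-argument skeychallenge(a,b,c,d) libskey API */`, would record the assumption for the next maintainer.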
diff --git a/app-admin/sudo/files/sudoers b/app-admin/sudo/files/sudoers
new file mode 100644
index 0000000..4642d50
--- /dev/null
+++ b/app-admin/sudo/files/sudoers
@@ -0,0 +1,55 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults specification
+
+# Reset environment by default
+Defaults env_reset
+
+# Uncomment to allow users in group wheel to export variables
+# Defaults:%wheel !env_reset
+
+# Allow users in group users to export specific variables
+# Defaults:%users env_keep=TZ
+
+# Allow specific user to bypass env_delete for TERMCAP
+# Defaults:user env_delete-=TERMCAP
+
+# Set default EDITOR to vi, and do not allow visudo to use EDITOR/VISUAL.
+# Defaults editor=/usr/bin/vim, !env_editor
+
+# Runas alias specification
+
+# *** REMEMBER ***************************************************
+# * GIVING SUDO ACCESS TO USERS ALLOWS THEM TO RUN THE SPECIFIED *
+# * COMMANDS WITH ELEVATED PRIVILEGES. *
+# * *
+# * NEVER PERMIT UNTRUSTED USERS TO ACCESS SUDO. *
+# ****************************************************************
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Uncomment to allow people in group wheel to run all commands
+# %wheel ALL=(ALL) ALL
+
+# Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+# Users in group www are allowed to edit httpd.conf and ftpd.conf
+# using sudoedit, or sudo -e, without a password.
+# %www ALL=(ALL) NOPASSWD: sudoedit /etc/httpd.conf, /etc/ftpd.conf
+
+# Samples
+# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
+# %users localhost=/sbin/shutdown -h now