build

   1 #!/bin/bash
   2
   3 #  build -- build version of sudo with Apple-specific patches applied
   4 #  Copyright (C) 2013 Kyle J. McKay.  All rights reserved.
   5 #
   6 #  Permission to use, copy, modify, and distribute this software for any
   7 #  purpose with or without fee is hereby granted, provided that the above
   8 #  copyright notice and this permission notice appear in all copies.
   9 #
  10 #  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  11 #  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  12 #  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  13 #  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  14 #  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15 #  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16 #  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17
  18 # build version 1.0
  19
  20 myname="$0"
  21 while [ -L "$myname" ]; do
  22   oldname="$myname"
  23   myname="$(readlink "$myname")"
  24   case "$myname" in /*) :;; *)
  25     myname="$(dirname "$oldname")/$myname"
  26   esac
  27 done
  28 unset oldname
  29 mydir="$(cd "$(dirname "$myname")" && pwd -P)"
  30 myname="$(basename "$myname")"
  31
  32 case "$mydir" in
  33   *' '*)
  34     echo "error: build directory path contains a space: '$mydir'" >&2
  35     exit 1
  36     ;;
  37 esac
  38
  39 : "${osmaj:=$(sysctl -n kern.osrelease | cut -d. -f1)}"
  40 if [ $osmaj -lt 8 ]; then
  41   echo "error: build os must be at least 10.4" >&2
  42   exit 1
  43 fi
  44
  45 # exit on error
  46 trap 'echo "FAILED COMMAND ($?): ${BASH_COMMAND:-Run $0 using bash -v for details}"' ERR
  47 set -o errexit
  48
  49 cd "$mydir"
  50 umask 022
  51
  52 SUDO174p10='http://www.sudo.ws/sudo/dist/sudo-1.7.10p7.tar.gz'
  53 SUDO174p10_MD5=9faa5ceaf23cca0468d0f5d211bac6e4
  54 SUDO174p10_SHA1=b5beb1a470d1f03b3940aff612f5089244dd773a
  55
  56 SUDO_TGZ="$SUDO174p10"
  57 SUDO_MD5="$SUDO174p10_MD5"
  58 SUDO_SHA1="$SUDO174p10_SHA1"
  59
  60 # Match Apple's sudo man pages use of the man macros for maximum compatibility
  61 # Note that only 10.6.x embeds /etc/sudoers, all other OS X versions embed /private/etc/sudoers
  62 SUDO_CONFIGURE='--prefix=/usr --sysconfdir=/private/etc --with-timedir=/var/db/sudo --with-man'
  63 SUDO_CONFIGURE="$SUDO_CONFIGURE"' --with-noexec=no --with-bsm-audit --with-libraries=bsm --disable-static'
  64 # Since the OS X sudo installation does not include sudoreplay there's little point in allowing io logging
  65 SUDO_CONFIGURE="$SUDO_CONFIGURE"' --without-iologdir'
  66 if [ $osmaj -lt 11 ]; then
  67   # Prior to OS X 10.7 --disable-setreuid, --with-env-editor and --with-password-timeout=0 were used
  68   SUDO_CONFIGURE="$SUDO_CONFIGURE"' --disable-setreuid --with-env-editor --with-password-timeout=0'
  69   # Prior to OS X 10.7 the version of sudo used logged by default to the local2 facility so emulate that
  70   SUDO_CONFIGURE="$SUDO_CONFIGURE"' --with-logfac=local2' # otherwise current default is authpriv facility
  71 fi
  72 if [ $osmaj -lt 9 ]; then
  73   # The OS X 10.4 compiler does not support -fstack-protector in any form
  74   # and neither does the 10.4 linker support -pie
  75   SUDO_CONFIGURE="$SUDO_CONFIGURE"'  --disable-hardening --disable-pie'
  76   # Also add --disable-env-reset because although env reset by default
  77   # is not actually effective until the version of sudo shipped with OS X 10.6
  78   # it is activated by the OS X 10.5 /etc/sudoers file so env reset is
  79   # effectively active starting with OS X 10.5 and need only be disabled for 10.4
  80   SUDO_CONFIGURE="$SUDO_CONFIGURE"'  --disable-env-reset'
  81 fi
  82
  83 DOWNLOADS="$mydir/sources"
  84 BUILD="$mydir/sudo"
  85
  86 PATH="$(getconf PATH)"
  87 export PATH
  88
  89 unset CPATH
  90 unset LIBRARY_PATH
  91 unset DYLD_LIBRARY_PATH
  92 unset MANPATH
  93 export LDFLAGS="$LDFLAGS -Wl,-S,-x,-dead_strip"
  94 if [ $osmaj -ge 9 ]; then
  95   LDFLAGS="$LDFLAGS -Wl,-dead_strip_dylibs,-exported_symbols_list,/dev/null"
  96 else
  97   # The OS X 10.4 linker needs at least one symbol in the file to strip
  98   # and it also needs uninteresting warnings suppressed
  99   LDFLAGS="$LDFLAGS -Wl,-w,-exported_symbols_list,.symbols_list"
 100 fi
 101
 102 strip1=
 103 if ! (tar --strip-path=1 || : ) 2>&1 | grep -Eqi 'unrecognized option|not supported'; then
 104   strip1=--strip-path=1
 105 elif ! (tar --strip-components=1 || : ) 2>&1 | grep -Eqi 'unrecognized option|not supported'; then
 106   strip1=--strip-components=1
 107 fi
 108 if [ -z "$strip1" ]; then
 109   echo "error: Cannot figure out tar option to strip top level path" >&2
 110   exit 1
 111 fi
 112
 113 AGENT1='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
 114 AGENT2='curl/7.25.0 (unknown-unknown-unknown) libcurl/7.25.0'
 115 CURLOPT="--fail --location --connect-timeout 15 --speed-limit 10240"
 116 CURLOPT0="$CURLOPT -H 'User-Agent:'"
 117 CURLOPT1="$CURLOPT -H 'User-Agent: $AGENT1'"
 118 CURLOPT2="$CURLOPT -H 'User-Agent: $AGENT2'"
 119
 120 die()
 121 {
 122   echo "Fatal: $*" >&2
 123   exit 125;
 124 }
 125
 126 getmd5()
 127 {
 128   openssl dgst -md5 < "$1" 2>/dev/null | sed -e 's/^[^ ][^ ]* //'
 129 }
 130
 131 getsha1()
 132 {
 133   openssl dgst -sha1 < "$1" 2>/dev/null | sed -e 's/^[^ ][^ ]* //'
 134 }
 135
 136 # Usage: downloadfile URL MD5 SHA1
 137 # -> output is full path to downloaded file (will be in $DOWNLOADS)
 138 downloadfile()
 139 {
 140   local url file md5 sha1 bad
 141   url="$1"
 142   file="$(basename "$url")"
 143   md5="$2"
 144   sha1="$3"
 145   local checkmd5 checksha1
 146   if [ ! -d "$DOWNLOADS" ]; then
 147     mkdir "$DOWNLOADS"
 148   fi
 149   if [ -e "$DOWNLOADS/$file" ]; then
 150     checkmd5="$(getmd5 "$DOWNLOADS/$file")"
 151     checksha1="$(getsha1 "$DOWNLOADS/$file")"
 152     if [ "$md5" != "$checkmd5" -o "$sha1" != "$checksha1" ]; then
 153       echo "Wrong md5/sha1 checksum for $DOWNLOADS/$file -- removing" >&2
 154       chmod u+w "$DOWNLOADS/$file"
 155       rm "$DOWNLOADS/$file"
 156     fi
 157   fi
 158   if [ ! -e "$DOWNLOADS/$file" ]; then
 159     eval "curl $CURLOPT0 -o '$DOWNLOADS/$file' '$url'"
 160   fi
 161   if [ ! -e "$DOWNLOADS/$file" ]; then
 162     echo "Failed to download $url" >&2
 163     return 1
 164   fi
 165   checkmd5="$(getmd5 "$DOWNLOADS/$file")"
 166   checksha1="$(getsha1 "$DOWNLOADS/$file")"
 167   bad=
 168   if [ "$md5" != "$checkmd5" ]; then
 169     bad=1
 170     echo "Wrong md5 checksum $checkmd5 (expected $md5) for $DOWNLOADS/$file" >&2
 171   fi
 172   if [ "$sha1" != "$checksha1" ]; then
 173     bad=1
 174     echo "Wrong sha1 checksum $checksha1 (expected $sha1) for $DOWNLOADS/$file" >&2
 175   fi
 176   if [ -n "$bad" ]; then
 177     echo "Checksum verifcation failed for $url" >&2
 178     return 1
 179   fi
 180   echo "$DOWNLOADS/$file"
 181   return 0
 182 }
 183
 184 # return a suitable directory name for a tarball
 185 tgzdir()
 186 {
 187   local tb
 188   tb="$(basename "$1")"
 189   tb="${tb%.gz}"
 190   tb="${tb%.bz2}"
 191   tb="${tb%.tar}"
 192   tb="${tb%.tgz}"
 193   echo "$tb"
 194 }
 195
 196 echo "Fetching/verifying sudo sources tarball" >&2
 197 sudotgz="$(downloadfile "$SUDO_TGZ" "$SUDO_MD5" "$SUDO_SHA1")"
 198 sudodir="$(tgzdir "$sudotgz")"
 199
 200 if [ ! -e "$DOWNLOADS/$sudodir/.extracted" ]; then
 201   echo "Extracting sudo sources from tarball" >&2
 202   rm -rf "$DOWNLOADS/$sudodir" "$BUILD"
 203   mkdir "$DOWNLOADS/$sudodir"
 204   tar -xzf "$sudotgz" -C "$DOWNLOADS/$sudodir" "$strip1"
 205   touch "$DOWNLOADS/$sudodir/.extracted"
 206 fi
 207
 208 if [ ! -e "$DOWNLOADS/$sudodir/.patched" ]; then
 209   [ -e "$DOWNLOADS/$sudodir/.extracted" ] || die "bad extraction"
 210   echo "Patching sudo sources with Apple tweaks" >&2
 211   rm -rf "$BUILD"
 212   cd "$DOWNLOADS/$sudodir"
 213   for pf in "$mydir/patches/"00*.patch.txt; do
 214     echo "$(basename "$pf")" >&2
 215     patch -p1 < "$pf"
 216   done
 217   touch "$DOWNLOADS/$sudodir/.patched"
 218 fi
 219 cd "$mydir"
 220
 221 if [ ! -e "$BUILD/.configured" ]; then
 222   [ -e "$DOWNLOADS/$sudodir/.patched" ] || die "bad patching operation"
 223   echo "Configuring sudo build for OS X" >&2
 224   rm -rf "$BUILD"
 225   mkdir -p "$BUILD"
 226   cd "$BUILD"
 227   if [ $osmaj -lt 9 ]; then
 228     echo __mh_execute_header > .symbols_list
 229   fi
 230   "$DOWNLOADS/$sudodir/configure" $SUDO_CONFIGURE
 231   echo "Stripping CONFIGURE_ARGS to match Apple sudo installation" >&2
 232   perl -i -pe 's/"[^"]+"/""/ if /^#define CONFIGURE_ARGS/' sudo_usage.h
 233   echo "Enabling HAVE_TCSETPGRP which is not set properly with --without-iologdir" >&2
 234   perl -i -pe 's,^/[^/]+/,#define HAVE_TCSETPGRP 1, if /HAVE_TCSETPGRP/' config.h
 235   touch "$BUILD/.configured"
 236 fi
 237 cd "$mydir"
 238
 239 if [ ! -e "$BUILD/.built" ]; then
 240   [ -e "$BUILD/.configured" ] || die "bad configure operation"
 241   echo "Making sudo build for OS X" >&2
 242   make -w -C "$BUILD"
 243   [ -x "$BUILD/sudo" ] || die "build failed"
 244   touch "$BUILD/.built"
 245 fi
 246
 247 echo ""
 248 echo "The newly built sudo executable can be found in the directory:"
 249 echo "        $BUILD"
 250 echo ""
 251 echo "It can be installed with:"
 252 echo "        sudo make -C '$BUILD' install"
 253 echo ""
 254 echo "IMPORTANT: running the above install WILL REPLACE YOUR EXISTING sudo!!!"
 255 echo ""
 256 echo "Try the following to see what will be installed without installing:"
 257 echo "        make -C '$BUILD' -n install"
 258 echo ""
 259 echo "Note that the DESTDIR=/some/dir option can be used to perform a test"
 260 echo "install to a different location first like so:"
 261 echo "        sudo make -C '$BUILD' DESTDIR=/tmp/testsudo install"
 262 echo ""
 263 echo "Using a test installation first can help decide whether or not to go"
 264 echo "ahead with a normal installation."
 265 echo ""