gentoo auto-resync : 05:11:2022 - 03:17:06

6 files changed, 386 insertions, 0 deletions

diff --git a/app-admin/Manifest.gz b/app-admin/Manifest.gz
index 63f4cb8c6d01..a8e3f3bc7790 100644
--- a/app-admin/Manifest.gz
+++ b/app-admin/Manifest.gz
diff --git a/app-admin/helm/Manifest b/app-admin/helm/Manifest
index 42191db6c758..dcf494f48cb2 100644
--- a/app-admin/helm/Manifest
+++ b/app-admin/helm/Manifest
@@ -1,7 +1,10 @@
+DIST helm-3.10.1-deps.tar.xz 125283080 BLAKE2B 3a7354a910174a2b6e80da90da37c7e5884273cdec2657e101e444587f92fcdda243e3539c481a1339bc1c20314ded1126b7953064758756d590bd82fb9bca42 SHA512 99ad12cc7b7b873f3b1988e5f9d53c55b8d54a29081804e6d4f9b233aebaeb9d0454c7e5aff9ca4a370fda96f4fda8f40e5fade3af4075da15340e44ee8f3973
 DIST helm-3.8.1-deps.tar.xz 374838312 BLAKE2B 13700d77faef89828a98b0410f1539c4370848d3f741881dfff4fb6d08b50d152052b4c1fa7ce4fe19d1d08583530c89f9e8ca35ede178b08c05dbecbdf36fbb SHA512 5686ca6c3f9b114032dda78842c3e3d2012f97d5721455aedc204ffae8a6bdafcb5191beaaca0e89cb827a7846fe65658d4440c2982b36b008e8aa235be41736
 DIST helm-3.9.4-deps.tar.xz 126444776 BLAKE2B b506593f17afcc1c4e70b99eed44c2142c114503c92f01c19ae7bbf92867899a9058d80806bb16ff470e1c81bf2490183651d522a242487aa1c5ce29d7f63ad3 SHA512 ed07887c740d74b66d489eb5e0419a3e61cfc575684a8c02b507cb297bdbc12d80beb6a13b502349c3fc9806db16e0d2625d3f13747baf68d108cca22eb9c7c7
+DIST k8s-helm-3.10.1.tar.gz 701955 BLAKE2B 869e93ffdedbfd0dc405b287ca6fcd7dc3943f6d51b13c5482a48589235ada7e080aa8d0fcbd3b640e486c90e795bf563a5c6367f4f6116be6357a6cd1052113 SHA512 5d72ef0031b9988ad3d263ed349dd0e1770ccdbeb0e05e057f375a5b6c3bdf5d214f8d7bd004b8500846269e4acdde6f51206d8c422a4a4af7341baa6cdd348e
 DIST k8s-helm-3.8.1.tar.gz 715683 BLAKE2B 2b0fc2a844f848e2a696be54224c1ca6027bf461c0885b3e082b57a09117b6ebc2500b35f1e6ad03cdc7ad4d0f18b3b6c24a1e79782b1b0492effc6a80031a93 SHA512 c4c3c8272ac4d83fad7dcdd41f81e9123ee71b01b6ebf352c3f3836048d7d240e144a52fd78e156c1957020bb1e4a868059486a4a4c3d37e4be150203a1e6158
 DIST k8s-helm-3.9.4.tar.gz 704880 BLAKE2B c96e474ca882fe0b7ba5d9045f04a4e6af62f4d9d3c735f0ae89d03eac06c0c8118ba1b7ffcb7594ad23707c88c7e10d781de4701b8300e124ae767f8917dae1 SHA512 8a02d094744036bcbfeefdd369b2e5e725c0e08cc2891e07aaebf4656fc62030e91ea00b97c1f8ebe33f2e436927d380b24e416509c944468165d35c892bf846
+EBUILD helm-3.10.1.ebuild 978 BLAKE2B d3d36fbcd394736366b66850182274b2f0997547571fa45a58299d275175ed61aa90247a71ce5d6550adb5f21b620c6f68614189cee61483ca83824a1f9cfd3b SHA512 362cd589b088d817de4df455f315e72763381f449fa0d097c79a8d60fb2936ff2c2f956f2cab2e51a30fdf39d6e3037f77bec029fc4b9667ba7a5878805ca4df
 EBUILD helm-3.8.1.ebuild 970 BLAKE2B 75f992b41d1b1680f444d5a73e714fb404276f19ea6f0ec822f8526da7e6a02e27130fbe66c87a059f378794a18d792c3ba6b455f8cc52af58e6d1f5fe9a4b0b SHA512 9642bfa50f7d572ec38def3d3c9d743f2abef929c4bd30bd3c969223e89c1aedf14109ff3ef97a2f7f2ddcf5a906c79d53aed3ce8250149b6f35d017b5e8f17f
 EBUILD helm-3.9.4.ebuild 977 BLAKE2B d4ec967245e4ebeeb53416d381c6eebde244fd785d0201754ec0fd462353885cd601cb4410cec8e608773258adf93f01cf56d46d4e0e550e138b853c08e61cfd SHA512 479a7d0827015d7d23c1c959c78b377d4ddc2d0eb94d105a2a06efee42f19912cbe0e45c322ed3bdf9771defd980b2fea42d3c1ca641cac1ffb5eccac341553d
 MISC metadata.xml 323 BLAKE2B 5001082c76e55c24c27deced68a33a8fc8c9514b65116aa076ade0bacab00103a19e0807af8187b7bd8b761e64f20c4fab74b998e0f9ec473fb8d2bc9cbe4412 SHA512 a039551d398af15db8fb487b058ad569731376c51f8a23c245e4c14cd8924b960a2dcb286618c9365d21d219a271f1e0c6bcab712cf88920f4fc7fded832d800
diff --git a/app-admin/helm/helm-3.10.1.ebuild b/app-admin/helm/helm-3.10.1.ebuild
new file mode 100644
index 000000000000..9cc7aee7c8c7
--- /dev/null
+++ b/app-admin/helm/helm-3.10.1.ebuild
@@ -0,0 +1,41 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit bash-completion-r1 go-module
+GIT_COMMIT=9f88ccb6aee40b9a0535fcc7efea6055e1ef72c9
+GIT_SHA=9f88ccb6
+MY_PV=${PV/_rc/-rc.}
+
+DESCRIPTION="Kubernetes Package Manager"
+HOMEPAGE="https://github.com/helm/helm https://helm.sh"
+SRC_URI="https://github.com/helm/helm/archive/v${MY_PV}.tar.gz -> k8s-${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~riscv"
+
+RESTRICT=" test"
+
+src_compile() {
+	emake \
+		GOFLAGS="${GOFLAGS}" \
+		LDFLAGS="" \
+		GIT_COMMIT=${GIT_COMMIT} \
+		GIT_SHA=${GIT_SHA} \
+		GIT_TAG=v${MY_PV} \
+		GIT_DIRTY=clean \
+		build
+	bin/${PN} completion bash > ${PN}.bash || die
+	bin/${PN} completion zsh > ${PN}.zsh || die
+}
+
+src_install() {
+	newbashcomp ${PN}.bash ${PN}
+	insinto /usr/share/zsh/site-functions
+	newins ${PN}.zsh _${PN}
+
+	dobin bin/${PN}
+	dodoc README.md
+}
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 710081740af2..8458d0f18ce6 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,9 +1,11 @@
+AUX sudo-1.9.12-CVE-2022-43995.patch 2162 BLAKE2B c7de0e562aebe7dbb92e793cab7527a43ae6125fd48cffa776a5bb0da57d80d5dff1c7d26c23bc5f647b578c5fe5959913c23f7f9ec84f7a5f887bcb47aa8b2c SHA512 d3e3b74a98a42cd3c55cf0ed5da43dcd5158ec54e614bc41eb8e63b77fbb1a11991cf9d7f705f077b8c474331cd8762bfef717d4c32771eb44789123ffa87714
 AUX sudo-1.9.12-mips-build.patch 1148 BLAKE2B 6c31a0095b7d615b0f8001f2484e2df5aa975b025bb4747344e1b9d55a0544f3e89f02cd7ebfd5a4cdf1712e1887b97ff3443a98ec6884724f70f3505c7ef05d SHA512 da98b5a163f8e843a8aed7736b84c50985180910a3d78a5014c91e958d0d8571f374d8b98803733864b6cbf3c8a938f8655063f491b55411c03f2c34352f505f
 DIST sudo-1.9.11p3.tar.gz 4826520 BLAKE2B f8508f65b514abd9979a11628d8bc0e085b2625993281e7d1f8794a576e88970bda6939d2f2f50d9485f00276970aba3489b19c102eca5625e389c9610f338dd SHA512 ad5c3d623547d1e3016e1a721676fee6d6b7348e77b2c234041e0af40c7220e8934c8c27beef0d12fa6df11708d37de711dacfefc135d26de46abca7f91c55d1
 DIST sudo-1.9.11p3.tar.gz.sig 566 BLAKE2B 8caf03b051222f0446eaf333b48563aa18d52acbd9f7e2d880f0a97043df1ec8d25d87cfd7b1b9543ab8f52f5dacff4cf031fe3e6b94593d576d1d351eb05aa4 SHA512 ea728cddbab50746a2cbb8ce6cb55df3def1c5e806a1d91ec6f2d65c8d246079bdb5799b961ab0da1cc2c347a36d93cc00d32c10856141a467b25e1224876e50
 DIST sudo-1.9.12.tar.gz 4906320 BLAKE2B dfe7e45dab9848e7eec30b9c3e96683b2a90c02c8468507a338cda26d8b28206f511c63c2330e1a33e2b0b2d263211d7e2b222d5729dc0670eaafea09603e586 SHA512 34ee165baa2e37ba2530901d49bf0dad30159f27aeccd2519d4719bf93be8281edff71220a49ba2e41dacaa3c58031de1464df48d75a8caea7b9568a76f80b67
 DIST sudo-1.9.12.tar.gz.sig 566 BLAKE2B 98c80addcea18d320a54473e34111411dc3e67bdec45ae1c34e98c5a95a0e0377b08e7d42d9cbf92f68160f6e5dfb2990e6cd3c773ba20484b15aecfe3104433 SHA512 67c2c0234345ff17ed9bef2a974a37dd7e4ba791bda4e6f1cc90620d6541e4549e1e2a8525b4092bc615ae035cd2f97eb4165e2e671a3056ac10585709045ae2
 EBUILD sudo-1.9.11_p3-r1.ebuild 7412 BLAKE2B 1ddfa12c7fed0f71ba2ed700009aee4dfbdf08aaee350e61e67e0ede62904f0eac97233285b94c820dd3da75c4fc4aa09c31673db42b973f3ac18519ec8fd814 SHA512 13254ff59e0360c2979d6e31d3f9491560cd43a03b03628640426a9535ecde6568706db7037cb4b1e4e74fb555381cc2d42d24b2a4b2b97d7d142179e61df46e
+EBUILD sudo-1.9.12-r1.ebuild 7511 BLAKE2B 49bb251a2a59282c794cd0ef4d48aec76e4c3e2551632cb4b79a5b13239cabab9216e939393f05217da2492876b484801da2864fd36ab26599f73d085f3275c4 SHA512 8126f0bb3579842aa0b8de02a984dbf2ecaa7231e46f6777b5a453c5589d14463df1de7ccc66d373dbc976aa057b1bacc59f8db7a6cbc53ef29bdbf01d3280b1
 EBUILD sudo-1.9.12.ebuild 7470 BLAKE2B 167e7eb6aa3ab20ab4dbfa1e082afa5dd69c44bf43f42aa519e88952c56114b73347a65840365021612f8b4e87ef23d4c6ec4952fde8db38bc1cd4e5b10c5a48 SHA512 e653968c91d7219b60daf53dce5bd2fb16997635b35f07b22fe0974a18c7304b72ad526c5418a5603d315b2ec2667621dfcdc6dcbbf4245739109038a3da179a
 EBUILD sudo-9999.ebuild 7420 BLAKE2B b0b6e8f5e645b6a9b082693ebbfdb2f5ee6e5fc9564b0e74cd9fa03fe061f10c3816f3073bf2922cbfe6e9f8fae78f292fd0fdc1fec213ec6939e879e59259cb SHA512 f3f70b8015ee9a42261514c9206ddf8f91a1eb58a70fd67154884c972cbfec302135a0ae5a3bbfea99f28e953683bdf05deede217a91bf56dae78f385c1748df
 MISC metadata.xml 1107 BLAKE2B a18b1d280445ea98ba686021abf08ab47a5ac590795018c125008f2a8e44f7ea45e256e32a737781030960cb984bc16d8fd23175fd1e88b294e5036c86085367 SHA512 8cacbd9a1a23fc7734c5ad8b95c769b8506ec35490b5e3f69439bf71bd51d1eaf04fe699a82cbb3ac56182195fff570d75e3b20c33d86774480a2939122752a6
diff --git a/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch b/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch
new file mode 100644
index 000000000000..2601669eecfd
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch
@@ -0,0 +1,53 @@
+Bug: https://bugs.gentoo.org/879209
+Upstream: https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
+
+From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 28 Oct 2022 07:29:55 -0600
+Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
+ characters. Starting with sudo 1.8.0 the plaintext password buffer is
+ dynamically sized so it is not safe to assume that it is at least 9 bytes in
+ size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index b2046eca2..0416861e9 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+-    char sav, *epass;
++    char des_pass[9], *epass;
+     char *pw_epasswd = auth->data;
+     size_t pw_len;
+     int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ 
+     /*
+      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+      */
+-    sav = pass[8];
+     pw_len = strlen(pw_epasswd);
+-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+-	pass[8] = '\0';
++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++	strlcpy(des_pass, pass, sizeof(des_pass));
++	pass = des_pass;
++    }
+ 
+     /*
+      * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+      * only compare the first DESLEN characters in that case.
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+-    pass[8] = sav;
+     if (epass != NULL) {
+ 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ 	    matched = !strncmp(pw_epasswd, epass, DESLEN);
diff --git a/app-admin/sudo/sudo-1.9.12-r1.ebuild b/app-admin/sudo/sudo-1.9.12-r1.ebuild
new file mode 100644
index 000000000000..04850cee909d
--- /dev/null
+++ b/app-admin/sudo/sudo-1.9.12-r1.ebuild
@@ -0,0 +1,287 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit pam libtool tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+if [[ ${PV} == 9999 ]] ; then
+	inherit mercurial
+	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
+	inherit verify-sig
+
+	uri_prefix=
+	case ${P} in
+		*_beta*|*_rc*) uri_prefix=beta/ ;;
+	esac
+
+	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+		verify-sig? (
+			https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+			ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+		)"
+	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~sparc-solaris"
+	fi
+
+	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+	sys-libs/zlib:=
+	virtual/libcrypt:=
+	gcrypt? ( dev-libs/libgcrypt:= )
+	ldap? (
+		>=net-nds/openldap-2.1.30-r1:=
+		sasl? (
+			dev-libs/cyrus-sasl
+			net-nds/openldap:=[sasl]
+		)
+	)
+	pam? ( sys-libs/pam )
+	sasl? ( dev-libs/cyrus-sasl )
+	selinux? ( sys-libs/libselinux )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ssl? ( dev-libs/openssl:0= )
+	sssd? ( sys-auth/sssd[sudo] )
+"
+RDEPEND="
+	${DEPEND}
+	>=app-misc/editor-wrapper-3
+	virtual/editor
+	ldap? ( dev-lang/perl )
+	pam? ( sys-auth/pambase )
+	selinux? ( sec-policy/selinux-sudo )
+	sendmail? ( virtual/mta )
+"
+BDEPEND+="
+	sys-devel/bison
+	virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+REQUIRED_USE="
+	?? ( pam skey )
+	?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=(
+	"${FILESDIR}"/${P}-mips-build.patch
+	"${FILESDIR}"/${P}-CVE-2022-43995.patch
+)
+
+src_prepare() {
+	default
+
+	elibtoolize
+}
+
+set_secure_path() {
+	# First extract the default ROOTPATH from build env
+	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+	case "${SECURE_PATH}" in
+		*/usr/sbin*)
+			;;
+		*)
+			SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+			;;
+	esac
+
+	if [[ -z ${SECURE_PATH} ]] ; then
+		ewarn "	Failed to detect SECURE_PATH, please report this"
+	fi
+
+	# Then remove duplicate path entries
+	cleanpath() {
+		local newpath thisp IFS=:
+		for thisp in $1 ; do
+			if [[ :${newpath}: != *:${thisp}:* ]] ; then
+				newpath+=:${thisp}
+			else
+				einfo "   Duplicate entry ${thisp} removed..."
+			fi
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+	# Finally, strip gcc paths, bug #136027
+	rmpath() {
+		local e newpath thisp IFS=:
+		for thisp in ${SECURE_PATH} ; do
+			for e ; do
+				[[ ${thisp} == ${e} ]] && continue 2 ;
+			done
+			newpath+=:${thisp}
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+	local SECURE_PATH
+
+	set_secure_path
+
+	# bug #767712
+	tc-export PKG_CONFIG
+
+	# - audit: somebody got to explain me how I can test this before I
+	# enable it.. - Diego
+	# - plugindir: autoconf code is crappy and does not delay evaluation
+	# until `make` time, so we have to use a full path here rather than
+	# basing off other values.
+	local myeconfargs=(
+		# We set all of the relevant options by ourselves (patched
+		# into the toolchain) and setting these in the build system
+		# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+		# (it'll downgrade to =2). So, this has no functional effect on
+		# the hardening for users. It's safe.
+		--disable-hardening
+
+		# requires some python eclass
+		--disable-python
+		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+		--enable-zlib=system
+		--with-editor="${EPREFIX}"/usr/libexec/editor
+		--with-env-editor
+		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+		--with-rundir="${EPREFIX}"/run/sudo
+		--with-vardir="${EPREFIX}"/var/db/sudo
+		--without-linux-audit
+		--without-opie
+		$(use_enable gcrypt)
+		$(use_enable nls)
+		$(use_enable sasl)
+		$(use_enable ssl openssl)
+		$(use_with ldap)
+		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+		$(use_with offensive insults)
+		$(use_with offensive all-insults)
+		$(use_with pam)
+		$(use_with pam pam-login)
+		$(use_with secure-path secure-path "${SECURE_PATH}")
+		$(use_with selinux)
+		$(use_with sendmail)
+		$(use_with skey)
+		$(use_with sssd)
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	if use ldap ; then
+		dodoc README.LDAP.md
+
+		cat <<-EOF > "${T}"/ldap.conf.sudo
+		# See ldap.conf(5) and README.LDAP.md for details
+		# This file should only be readable by root
+
+		# supported directives: host, port, ssl, ldap_version
+		# uri, binddn, bindpw, sudoers_base, sudoers_debug
+		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+		EOF
+
+		if use sasl ; then
+			cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
+			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+			EOF
+		fi
+
+		insinto /etc
+		doins "${T}"/ldap.conf.sudo
+		fperms 0440 /etc/ldap.conf.sudo
+
+		insinto /etc/openldap/schema
+		newins docs/schema.OpenLDAP sudo.schema
+	fi
+
+	if use pam ; then
+		pamd_mimic system-auth sudo auth account session
+		pamd_mimic system-auth sudo-i auth account session
+	fi
+
+	keepdir /var/db/sudo/lectured
+	fperms 0700 /var/db/sudo/lectured
+	# bug #652958
+	fperms 0711 /var/db/sudo
+
+	# Don't install into /run as that is a tmpfs most of the time
+	# (bug #504854)
+	rm -rf "${ED}"/run || die
+
+	# bug #697812
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	tmpfiles_process sudo.conf
+
+	# bug #652958
+	local sudo_db="${EROOT}/var/db/sudo"
+	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+		chmod 711 "${sudo_db}" || die
+	fi
+
+	if use ldap ; then
+		ewarn
+		ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+		ewarn
+		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+			ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+			ewarn
+			ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+			ewarn "  sudoers: ldap files"
+			ewarn
+		fi
+	fi
+	if use prefix ; then
+		ewarn
+		ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+		ewarn "with root privileges, as follows:"
+		ewarn
+		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
+		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
+		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
+		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+		ewarn
+	fi
+
+	elog "To use the -A (askpass) option, you need to install a compatible"
+	elog "password program from the following list. Starred packages will"
+	elog "automatically register for the use with sudo (but will not force"
+	elog "the -A option):"
+	elog ""
+	elog " [*] net-misc/ssh-askpass-fullscreen"
+	elog "     net-misc/x11-ssh-askpass"
+	elog ""
+	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+	elog "variable to the program you want to use."
+}