Index: head/security/sudo/Makefile
===================================================================
--- head/security/sudo/Makefile	(revision 468128)
+++ head/security/sudo/Makefile	(revision 468129)
@@ -1,117 +1,117 @@
 # Created by: erich@rrnet.com
 # $FreeBSD$
 
 PORTNAME=	sudo
 PORTVERSION=	1.8.22
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security
 MASTER_SITES=	SUDO
 
 MAINTAINER=	garga@FreeBSD.org
 COMMENT=	Allow others to run commands as root
 
 LICENSE=	sudo
 LICENSE_NAME=	Sudo license
 LICENSE_FILE=	${WRKSRC}/doc/LICENSE
 LICENSE_PERMS=	dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 
 USES=		cpe libtool
 CPE_VENDOR=	todd_miller
 USE_LDCONFIG=	yes
 GNU_CONFIGURE=	yes
 LDFLAGS+=	-lgcc
 
 CONFIGURE_ARGS=	--sysconfdir=${PREFIX}/etc \
 		--with-ignore-dot \
 		--with-tty-tickets \
 		--with-env-editor \
 		--with-logincap \
 		--with-long-otp-prompt
 
 OPTIONS_DEFINE=	LDAP INSULTS DISABLE_ROOT_SUDO DISABLE_AUTH NOARGS_SHELL \
 		AUDIT OPIE PAM NLS SSSD DOCS EXAMPLES
 OPTIONS_RADIO=	KERBEROS
 OPTIONS_DEFAULT=	AUDIT PAM
 OPTIONS_SUB=	yes
 
 INSULTS_DESC=	Enable insults on failures
 DISABLE_ROOT_SUDO_DESC=	Do not allow root to run sudo
 DISABLE_AUTH_DESC=	Do not require authentication by default
 NOARGS_SHELL_DESC=	Run a shell if no arguments are given
 AUDIT_DESC=	Enable BSM audit support
 KERBEROS_DESC=	Enable Kerberos 5 authentication (no PAM support)
 OPIE_DESC=	Enable one-time passwords (no PAM support)
 SSSD_DESC=	Enable SSSD backend support.
 
 PAM_PREVENTS=	OPIE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
 PAM_PREVENTS_MSG=	PAM cannot be combined with any other authentication plugin
 
 LOGFAC?=	authpriv
 CONFIGURE_ARGS+=	--with-logfac=${LOGFAC}
 
 # This is intentionally not an option.
 # SUDO_SECURE_PATH is a PATH string that will override the user's PATH.
 # ex: make SUDO_SECURE_PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"
 .if defined(SUDO_SECURE_PATH)
 CONFIGURE_ARGS+=	--with-secure-path="${SUDO_SECURE_PATH}"
 .endif
 
 NLS_USES=	gettext
 NLS_CONFIGURE_ENABLE=	nls
 NLS_LDFLAGS=	-L${LOCALBASE}/lib -lintl
 NLS_CFLAGS=	-I${LOCALBASE}/include
 
 INSULTS_CONFIGURE_ON=	--with-insults
 INSULTS_CONFIGURE_ON+=	--with-all-insults
 
 LDAP_USE=	OPENLDAP=yes
 LDAP_CONFIGURE_ON=	--with-ldap=${PREFIX}
 SUDO_LDAP_CONF?=	ldap.conf
 LDAP_CONFIGURE_ON+=	--with-ldap-conf-file=${PREFIX}/etc/${SUDO_LDAP_CONF}
 
 DISABLE_ROOT_SUDO_CONFIGURE_ON=	--disable-root-sudo
 DISABLE_AUTH_CONFIGURE_ON=	--disable-authentication
 NOARGS_SHELL_CONFIGURE_ENABLE=	noargs-shell
 AUDIT_CONFIGURE_WITH=	bsm-audit
 PAM_CONFIGURE_ON=	--with-pam
 OPIE_CONFIGURE_ON=	--with-opie
 SSSD_CONFIGURE_ON=	--with-sssd
 SSSD_RUN_DEPENDS=	sssd:security/sssd
 
 OPTIONS_RADIO_KERBEROS=	GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
 GSSAPI_BASE_USES=	gssapi
 GSSAPI_BASE_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_HEIMDAL_USES=	gssapi:heimdal
 GSSAPI_HEIMDAL_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_MIT_USES=	gssapi:mit
 GSSAPI_MIT_CONFIGURE_ON=	--with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 # This is intentionally not an option.
 # SUDO_KERB5_INSTANCE is an optional instance string that will be appended to kerberos
 # principals when to perform authentication. Common choices are "admin" and "sudo".
 .if defined(SUDO_KERB5_INSTANCE)
 CONFIGURE_ARGS+=	--enable-kerb5-instance="${SUDO_KERB5_INSTANCE}"
 .endif
 
 .include <bsd.port.options.mk>
 
 .if ${ARCH} == "arm"
 CONFIGURE_ARGS+=	--disable-pie
 .endif
 
 post-patch:
 	@${REINPLACE_CMD} -E '/install-(binaries|noexec):/,/^$$/ \
 		s/\$$\(INSTALL\)/& ${STRIP}/;s/-b\~/-b ~/' \
 		${WRKSRC}/src/Makefile.in
 	@${REINPLACE_CMD} -e 's,$$(srcdir)/sudoers2ldif $$(DESTDIR)$$(docdir),$$(srcdir)/sudoers2ldif $$(DESTDIR)$$(bindir),' \
 		${WRKSRC}/plugins/sudoers/Makefile.in
 
 post-install:
 	${INSTALL_DATA} ${FILESDIR}/pam.conf ${STAGEDIR}${PREFIX}/etc/pam.d/sudo.default
 	${RM} ${STAGEDIR}${PREFIX}/etc/sudoers
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/sudoreplay
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/visudo
 .for f in group_file.so libsudo_util.so sudoers.so system_group.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/sudo/${f}
 .endfor
 
 .include <bsd.port.mk>
Index: head/security/sudo/files/patch-fix-fexecve
===================================================================
--- head/security/sudo/files/patch-fix-fexecve	(nonexistent)
+++ head/security/sudo/files/patch-fix-fexecve	(revision 468129)
@@ -0,0 +1,92 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1524502491 21600
+# Node ID 30f7c5d64104cdbae5c0a63e57aeec1d188c0f5b
+# Parent  a786a841f30a60c5f18b4ec476f8a749135d48ec
+We can only use fexecve() on a script if /dev/fd/N exists.
+Some systems, such as FreeBSD, don't have /dev/fd mounted
+by default.  Bug #831
+
+diff -r a786a841f30a -r 30f7c5d64104 plugins/sudoers/match.c
+--- plugins/sudoers/match.c	Sun Apr 22 06:58:53 2018 -0600
++++ plugins/sudoers/match.c	Mon Apr 23 10:54:51 2018 -0600
+@@ -487,32 +487,22 @@
+     debug_return_bool(stat(path, sb) == 0);
+ }
+ 
++#ifdef HAVE_FEXECVE
+ /*
+- * On systems with fexecve(2), set the close-on-exec flag on the file
+- * descriptor only if the file is not a script.  Because scripts need
+- * to be executed by an interpreter the fd must remain open for the
+- * interpreter to use.
++ * Check whether the fd refers to a shell script with a "#!" shebang.
+  */
+-static void
+-set_cloexec(int fd)
++static bool
++is_script(int fd)
+ {
+-    bool is_script = false;
+-#ifdef HAVE_FEXECVE
++    bool ret = false;
+     char magic[2];
+ 
+-    /* Check for #! cookie and set is_script. */
+     if (read(fd, magic, 2) == 2) {
+ 	if (magic[0] == '#' && magic[1] == '!')
+-	    is_script = true;
++	    ret = true;
+     }
+     (void) lseek(fd, (off_t)0, SEEK_SET);
+-#endif /* HAVE_FEXECVE */
+-    /*
+-     * Shell scripts go through namei twice and so we can't set the close
+-     * on exec flag on the fd for fexecve(2).
+-     */
+-    if (!is_script)
+-	(void)fcntl(fd, F_SETFD, FD_CLOEXEC);
++    return ret;
+ }
+ 
+ /*
+@@ -541,10 +531,36 @@
+     if (fd == -1)
+ 	debug_return_bool(false);
+ 
+-    set_cloexec(fd);
++    if (is_script(fd)) {
++	char fdpath[PATH_MAX];
++	struct stat sb;
++
++	/* We can only use fexecve() on a script if /dev/fd/N exists. */
++	snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
++	if (stat(fdpath, &sb) != 0) {
++	    close(fd);
++	    debug_return_bool(false);
++	}
++
++	/*
++	 * Shell scripts go through namei twice so we can't set the
++	 * close on exec flag on the fd for fexecve(2).
++	 */
++    } else {
++	/* Not a script, close on exec is safe. */
++	(void)fcntl(fd, F_SETFD, FD_CLOEXEC);
++    }
++
+     *fdp = fd;
+     debug_return_bool(true);
+ }
++#else /* HAVE_FEXECVE */
++static bool
++open_cmnd(const char *path, const struct sudo_digest *digest, int *fdp)
++{
++    return true;
++}
++#endif /* HAVE_FEXECVE */
+ 
+ static bool
+ command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args,
+

Property changes on: head/security/sudo/files/patch-fix-fexecve
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property