Index: head/security/sudo/Makefile
===================================================================
--- head/security/sudo/Makefile (revision 468827)
+++ head/security/sudo/Makefile (revision 468828)
@@ -1,117 +1,116 @@
 # Created by: erich@rrnet.com
 # $FreeBSD$
 PORTNAME= sudo
-PORTVERSION= 1.8.22
-PORTREVISION= 5
+PORTVERSION= 1.8.23
 CATEGORIES= security
 MASTER_SITES= SUDO
 MAINTAINER= garga@FreeBSD.org
 COMMENT= Allow others to run commands as root
 LICENSE= sudo
 LICENSE_NAME= Sudo license
 LICENSE_FILE= ${WRKSRC}/doc/LICENSE
 LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept
 USES= cpe libtool
 CPE_VENDOR= todd_miller
 USE_LDCONFIG= yes
 GNU_CONFIGURE= yes
 LDFLAGS+= -lgcc
 CONFIGURE_ARGS= --sysconfdir=${PREFIX}/etc \
 --with-ignore-dot \
 --with-tty-tickets \
 --with-env-editor \
 --with-logincap \
 --with-long-otp-prompt
 OPTIONS_DEFINE= LDAP INSULTS DISABLE_ROOT_SUDO DISABLE_AUTH NOARGS_SHELL \
 AUDIT OPIE PAM NLS SSSD DOCS EXAMPLES
 OPTIONS_RADIO= KERBEROS
 OPTIONS_DEFAULT= AUDIT PAM
 OPTIONS_SUB= yes
 INSULTS_DESC= Enable insults on failures
 DISABLE_ROOT_SUDO_DESC= Do not allow root to run sudo
 DISABLE_AUTH_DESC= Do not require authentication by default
 NOARGS_SHELL_DESC= Run a shell if no arguments are given
 AUDIT_DESC= Enable BSM audit support
 KERBEROS_DESC= Enable Kerberos 5 authentication (no PAM support)
 OPIE_DESC= Enable one-time passwords (no PAM support)
 SSSD_DESC= Enable SSSD backend support.
 PAM_PREVENTS= OPIE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
 PAM_PREVENTS_MSG= PAM cannot be combined with any other authentication plugin
 LOGFAC?= authpriv
 CONFIGURE_ARGS+= --with-logfac=${LOGFAC}
 # This is intentionally not an option.
 # SUDO_SECURE_PATH is a PATH string that will override the user's PATH.
 # ex: make SUDO_SECURE_PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin"
 .if defined(SUDO_SECURE_PATH)
 CONFIGURE_ARGS+= --with-secure-path="${SUDO_SECURE_PATH}"
 .endif
 NLS_USES= gettext
 NLS_CONFIGURE_ENABLE= nls
 NLS_LDFLAGS= -L${LOCALBASE}/lib -lintl
 NLS_CFLAGS= -I${LOCALBASE}/include
 INSULTS_CONFIGURE_ON= --with-insults
 INSULTS_CONFIGURE_ON+= --with-all-insults
 LDAP_USE= OPENLDAP=yes
 LDAP_CONFIGURE_ON= --with-ldap=${PREFIX}
 SUDO_LDAP_CONF?= ldap.conf
 LDAP_CONFIGURE_ON+= --with-ldap-conf-file=${PREFIX}/etc/${SUDO_LDAP_CONF}
 DISABLE_ROOT_SUDO_CONFIGURE_ON= --disable-root-sudo
 DISABLE_AUTH_CONFIGURE_ON= --disable-authentication
 NOARGS_SHELL_CONFIGURE_ENABLE= noargs-shell
 AUDIT_CONFIGURE_WITH= bsm-audit
 PAM_CONFIGURE_ON= --with-pam
 OPIE_CONFIGURE_ON= --with-opie
 SSSD_CONFIGURE_ON= --with-sssd
 SSSD_RUN_DEPENDS= sssd:security/sssd
 OPTIONS_RADIO_KERBEROS= GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
 GSSAPI_BASE_USES= gssapi
 GSSAPI_BASE_CONFIGURE_ON= --with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_HEIMDAL_USES= gssapi:heimdal
 GSSAPI_HEIMDAL_CONFIGURE_ON= --with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 GSSAPI_MIT_USES= gssapi:mit
 GSSAPI_MIT_CONFIGURE_ON= --with-kerb5=${GSSAPIBASEDIR} ${GSSAPI_CONFIGURE_ARGS}
 # This is intentionally not an option.
 # SUDO_KERB5_INSTANCE is an optional instance string that will be appended to kerberos
 # principals when to perform authentication. Common choices are "admin" and "sudo".
 .if defined(SUDO_KERB5_INSTANCE)
 CONFIGURE_ARGS+= --enable-kerb5-instance="${SUDO_KERB5_INSTANCE}"
 .endif
 .include
 .if ${ARCH} == "arm"
 CONFIGURE_ARGS+= --disable-pie
 .endif
 post-patch:
 @${REINPLACE_CMD} -E '/install-(binaries|noexec):/,/^$$/ \
 s/\$$\(INSTALL\)/& ${STRIP}/;s/-b\~/-b ~/' \
 ${WRKSRC}/src/Makefile.in
 @${REINPLACE_CMD} -e 's,$$(srcdir)/sudoers2ldif $$(DESTDIR)$$(docdir),$$(srcdir)/sudoers2ldif $$(DESTDIR)$$(bindir),' \
 ${WRKSRC}/plugins/sudoers/Makefile.in
 post-install:
 ${INSTALL_DATA} ${FILESDIR}/pam.conf ${STAGEDIR}${PREFIX}/etc/pam.d/sudo.default
 ${RM} ${STAGEDIR}${PREFIX}/etc/sudoers
 ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/sudoreplay
 ${STRIP_CMD} ${STAGEDIR}${PREFIX}/sbin/visudo
 .for f in group_file.so libsudo_util.so sudoers.so system_group.so
 ${STRIP_CMD} ${STAGEDIR}${PREFIX}/libexec/sudo/${f}
 .endfor
 .include
Index: head/security/sudo/distinfo
===================================================================
--- head/security/sudo/distinfo (revision 468827)
+++ head/security/sudo/distinfo (revision 468828)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1516196577
-SHA256 (sudo-1.8.22.tar.gz) = 7256cb27c20883b14360eddbd17f98922073d104b214cf65aeacf1d9c9b9fd02
-SIZE (sudo-1.8.22.tar.gz) = 3029051
+TIMESTAMP = 1525265231
+SHA256 (sudo-1.8.23.tar.gz) = d863d29b6fc87bc784a3223350e2b28a2ff2c4738f0fb8f1c92bb38c3017e679
+SIZE (sudo-1.8.23.tar.gz) = 3150674
Index: head/security/sudo/files/patch-plugins_sudoers_match.c
===================================================================
--- head/security/sudo/files/patch-plugins_sudoers_match.c (revision 468827)
+++ head/security/sudo/files/patch-plugins_sudoers_match.c (nonexistent)
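Review bot: post-install still hand-strips only sudoreplay, visudo and the four plugin .so files, yet pkg-plist in this same commit gains bin/cvtsudoers, which the ${STRIP} hook that post-patch splices into src/Makefile.in's install-binaries presumably does not reach (the new tool appears to be installed from plugins/sudoers, alongside sudoreplay and visudo), so it will most likely land unstripped and trip stage-qa. Add `${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/cvtsudoers` next to the existing sudoreplay line. The second REINPLACE_CMD in post-patch relocates sudoers2ldif from docdir to bindir with no explanation; a one-liner above it such as `# upstream installs sudoers2ldif under docdir; move it to bindir so the LDAP option ships it as a real tool` would spare the next maintainer a trip through plugins/sudoers/Makefile.in.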
@@ -1,208 +0,0 @@ ---- plugins/sudoers/match.c Mon Jan 15 10:31:56 2018 -0700 -+++ plugins/sudoers/match.c Tue Apr 24 09:49:28 2018 -0600 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 1998-2005, 2007-2017 -+ * Copyright (c) 1996, 1998-2005, 2007-2018 - * Todd C. Miller - * - * Permission to use, copy, modify, and distribute this software for any -@@ -447,31 +447,20 @@ do_stat(int fd, const char *path, struct - } - - /* -- * On systems with fexecve(2), set the close-on-exec flag on the file -- * descriptor only if the file is not a script. Because scripts need -- * to be executed by an interpreter the fd must remain open for the -- * interpreter to use. -+ * Check whether the fd refers to a shell script with a "#!" shebang. - */ --static void --set_cloexec(int fd) -+static bool -+is_script(int fd) - { -- bool is_script = false; --#ifdef HAVE_FEXECVE -+ bool ret = false; - char magic[2]; - -- /* Check for #! cookie and set is_script. */ - if (read(fd, magic, 2) == 2) { - if (magic[0] == '#' && magic[1] == '!') -- is_script = true; -+ ret = true; - } - (void) lseek(fd, (off_t)0, SEEK_SET); --#endif /* HAVE_FEXECVE */ -- /* -- * Shell scripts go through namei twice and so we can't set the close -- * on exec flag on the fd for fexecve(2). -- */ -- if (!is_script) -- (void)fcntl(fd, F_SETFD, FD_CLOEXEC); -+ return ret; - } - - /* -@@ -500,16 +489,57 @@ open_cmnd(const char *path, const struct - if (fd == -1) - debug_return_bool(false); - -- set_cloexec(fd); -+ (void)fcntl(fd, F_SETFD, FD_CLOEXEC); - *fdp = fd; - debug_return_bool(true); - } - -+static void -+set_cmnd_fd(int fd) -+{ -+ debug_decl(set_cmnd_fd, SUDOERS_DEBUG_MATCH) -+ -+ if (cmnd_fd != -1) -+ close(cmnd_fd); -+ -+ if (fd != -1) { -+ if (def_fdexec == never) { -+ /* Never use fexedcve() */ -+ close(fd); -+ fd = -1; -+ } else if (is_script(fd)) { -+ char fdpath[PATH_MAX]; -+ struct stat sb; -+ int flags; -+ -+ /* We can only use fexecve() on a script if /dev/fd/N exists. 
*/ -+ snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd); -+ if (stat(fdpath, &sb) != 0) { -+ /* Missing /dev/fd file, can't use fexecve(). */ -+ close(fd); -+ fd = -1; -+ } else { -+ /* -+ * Shell scripts go through namei twice so we can't have the -+ * close on exec flag set on the fd for fexecve(2). -+ */ -+ flags = fcntl(fd, F_GETFD) & ~FD_CLOEXEC; -+ (void)fcntl(fd, F_SETFD, flags); -+ } -+ } -+ } -+ -+ cmnd_fd = fd; -+ -+ debug_return; -+} -+ - static bool - command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args, - const struct sudo_digest *digest) - { - struct stat sb; /* XXX - unused */ -+ int fd = -1; - debug_decl(command_matches_fnmatch, SUDOERS_DEBUG_MATCH) - - /* -@@ -522,30 +552,22 @@ command_matches_fnmatch(const char *sudo - if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) - debug_return_bool(false); - if (command_args_match(sudoers_cmnd, sudoers_args)) { -- if (cmnd_fd != -1) { -- close(cmnd_fd); -- cmnd_fd = -1; -- } - /* Open the file for fdexec or for digest matching. */ -- if (!open_cmnd(user_cmnd, digest, &cmnd_fd)) -+ if (!open_cmnd(user_cmnd, digest, &fd)) - goto bad; -- if (!do_stat(cmnd_fd, user_cmnd, &sb)) -+ if (!do_stat(fd, user_cmnd, &sb)) - goto bad; - /* Check digest of user_cmnd since sudoers_cmnd is a pattern. */ -- if (digest != NULL) { -- if (!digest_matches(cmnd_fd, user_cmnd, digest)) -- goto bad; -- if (def_fdexec == never) { -- close(cmnd_fd); -- cmnd_fd = -1; -- } -- } -+ if (digest != NULL && !digest_matches(fd, user_cmnd, digest)) -+ goto bad; -+ set_cmnd_fd(fd); -+ - /* No need to set safe_cmnd since user_cmnd matches sudoers_cmnd */ - debug_return_bool(true); - bad: -- if (cmnd_fd != -1) { -- close(cmnd_fd); -- cmnd_fd = -1; -+ if (fd != -1) { -+ close(fd); -+ fd = -1; - } - debug_return_bool(false); - } -@@ -673,16 +695,7 @@ done: - if (cp != NULL) { - if (command_args_match(sudoers_cmnd, sudoers_args)) { - /* safe_cmnd was set above. 
*/ -- if (cmnd_fd != -1) { -- close(cmnd_fd); -- cmnd_fd = -1; -- } -- if (fd != -1) { -- if (def_fdexec == never) -- close(fd); -- else -- cmnd_fd = fd; -- } -+ set_cmnd_fd(fd); - debug_return_bool(true); - } - } -@@ -728,6 +741,7 @@ digest_matches(int fd, const char *file, - debug_decl(digest_matches, SUDOERS_DEBUG_MATCH) - - file_digest = sudo_filedigest(fd, file, sd->digest_type, &digest_len); -+ lseek(fd, SEEK_SET, (off_t)0); - if (file_digest == NULL) { - /* Warning (if any) printed by sudo_filedigest() */ - goto done; -@@ -826,16 +840,7 @@ command_matches_normal(const char *sudoe - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - goto bad; - } -- if (cmnd_fd != -1) { -- close(cmnd_fd); -- cmnd_fd = -1; -- } -- if (fd != -1) { -- if (def_fdexec == never) -- close(fd); -- else -- cmnd_fd = fd; -- } -+ set_cmnd_fd(fd); - debug_return_bool(true); - bad: - if (fd != -1) -@@ -921,16 +926,7 @@ command_matches_dir(const char *sudoers_ - closedir(dirp); - - if (dent != NULL) { -- if (cmnd_fd != -1) { -- close(cmnd_fd); -- cmnd_fd = -1; -- } -- if (fd != -1) { -- if (def_fdexec == never) -- close(fd); -- else -- cmnd_fd = fd; -- } -+ set_cmnd_fd(fd); - debug_return_bool(true); - } - if (fd != -1) Property changes on: head/security/sudo/files/patch-plugins_sudoers_match.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/sudo/pkg-plist =================================================================== --- head/security/sudo/pkg-plist (revision 468827) +++ head/security/sudo/pkg-plist (revision 468828) 
@@ -1,103 +1,106 @@
+bin/cvtsudoers
 bin/sudo
 bin/sudoedit
 bin/sudoreplay
 @sample etc/sudoers.dist etc/sudoers
 @sample etc/pam.d/sudo.default etc/pam.d/sudo
 include/sudo_plugin.h
 libexec/sudo/group_file.so
 libexec/sudo/libsudo_util.so
 libexec/sudo/libsudo_util.so.0
 libexec/sudo/libsudo_util.so.0.0.0
 libexec/sudo/sudo_noexec.so
 libexec/sudo/sudoers.so
 libexec/sudo/system_group.so
+man/man1/cvtsudoers.1.gz
 man/man5/sudo.conf.5.gz
 man/man5/sudoers.5.gz
 man/man5/sudoers_timestamp.5.gz
 %%LDAP%%man/man5/sudoers.ldap.5.gz
 man/man8/sudo.8.gz
 man/man8/sudo_plugin.8.gz
 man/man8/sudoedit.8.gz
 man/man8/sudoreplay.8.gz
 man/man8/visudo.8.gz
 sbin/visudo
 %%LDAP%%bin/sudoers2ldif
 %%PORTDOCS%%%%DOCSDIR%%/CONTRIBUTORS
 %%PORTDOCS%%%%DOCSDIR%%/ChangeLog
 %%PORTDOCS%%%%DOCSDIR%%/HISTORY
 %%PORTDOCS%%%%DOCSDIR%%/LICENSE
 %%PORTDOCS%%%%DOCSDIR%%/NEWS
 %%PORTDOCS%%%%DOCSDIR%%/README
 %%PORTDOCS%%%%DOCSDIR%%/TROUBLESHOOTING
 %%PORTDOCS%%%%DOCSDIR%%/UPGRADE
 %%LDAP%%%%PORTDOCS%%%%DOCSDIR%%/README.LDAP
 %%LDAP%%%%PORTDOCS%%%%DOCSDIR%%/schema.OpenLDAP
 %%LDAP%%%%PORTDOCS%%%%DOCSDIR%%/schema.iPlanet
 %%LDAP%%%%PORTDOCS%%%%DOCSDIR%%/schema.ActiveDirectory
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/pam.conf
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/sudo.conf
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/sudoers
 %%PORTEXAMPLES%%%%EXAMPLESDIR%%/syslog.conf
 %%NLS%%share/locale/ca/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/ca/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/cs/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/cs/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/da/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/da/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/de/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/de/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/el/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/eo/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/eo/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/es/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/eu/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/eu/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/fi/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/fi/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/fr/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/fr/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/fur/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/fur/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/gl/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/hr/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/hr/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/hu/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/hu/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/it/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/it/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/ja/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/ja/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/ko/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/ko/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/lt/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/nb/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/nb/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/nl/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/nl/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/nn/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/pl/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/pl/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/pt_BR/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/pt_BR/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/ru/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/ru/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/sk/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/sk/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/sl/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/sl/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/sr/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/sr/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/sv/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/sv/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/tr/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/uk/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/uk/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/vi/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/vi/LC_MESSAGES/sudoers.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/sudo.mo
 %%NLS%%share/locale/zh_CN/LC_MESSAGES/sudoers.mo
+%%NLS%%share/locale/zh_TW/LC_MESSAGES/sudo.mo
 @dir etc/sudoers.d
 @dir /var/db/sudo/lectured
 @dir /var/db/sudo
 @dir /var/run/sudo