summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authortaca <taca@pkgsrc.org>2009-02-05 13:48:12 +0000
committertaca <taca@pkgsrc.org>2009-02-05 13:48:12 +0000
commitff4641fd172031a44be086d1d06fe971b50ed8a2 (patch)
tree4a7994f253a5df2234fb4ac42e6525c729e220e1 /security
parent94064fb9faf7d0ba4410fde316a575a9a90e4df5 (diff)
downloadpkgsrc-ff4641fd172031a44be086d1d06fe971b50ed8a2.tar.gz
Update security/sudo package to 1.7.0.
* pkgsrc change: relax restriction to kerberos package. What's new in Sudo 1.7.0? * Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications. * Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files. * Sudo's -l (list) flag has been enhanced: o applicable Defaults options are now listed o a command argument can be specified for testing whether a user may run a specific command. o a new -U flag can be used in conjunction with "sudo -l" to allow root (or a user with "sudo ALL") list another user's privileges. * A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification. * A uid may now be used anywhere a username is valid. * The "secure_path" run-time Defaults option has been restored. * Password and group data is now cached for fast lookups. * The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line. * Visudo will now warn about aliases that are defined but not used. * The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run. * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: sudoers: ldap files to check LDAP, then /etc/sudoers. The default is "files", even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. * Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run. * If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass. * A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. * A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run. * A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required. * If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified. * Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must press ^C or ^D at the prompt. * visudo will now check the sudoers file owner and mode in -c (check) mode when the -s (strict) flag is specified.
Diffstat (limited to 'security')
-rw-r--r--security/sudo/Makefile7
-rw-r--r--security/sudo/PLIST3
-rw-r--r--security/sudo/distinfo15
-rw-r--r--security/sudo/options.mk5
-rw-r--r--security/sudo/patches/patch-aa25
-rw-r--r--security/sudo/patches/patch-af21
-rw-r--r--security/sudo/patches/patch-ag32
-rw-r--r--security/sudo/patches/patch-ai16
8 files changed, 67 insertions, 57 deletions
diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 22ba17e8ebe..ebf21be54af 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.113 2008/06/30 15:53:41 taca Exp $
+# $NetBSD: Makefile,v 1.114 2009/02/05 13:48:12 taca Exp $
#
-DISTNAME= sudo-1.6.9p17
+DISTNAME= sudo-1.7.0
CATEGORIES= security
MASTER_SITES= http://www.courtesan.com/sudo/dist/ \
ftp://ftp.courtesan.com/pub/sudo/ \
@@ -24,6 +24,7 @@ OWN_DIRS+= ${VARBASE}/run
GNU_CONFIGURE= yes
BUILD_DEFS+= VARBASE
PKG_DESTDIR_SUPPORT= destdir
+PLIST_VARS+= ldap
.include "../../mk/bsd.prefs.mk"
@@ -31,7 +32,7 @@ PKG_DESTDIR_SUPPORT= destdir
CONFIGURE_ENV+= NROFFPROG=${CAT:Q}
CONFIGURE_ENV+= mansectsu=8
CONFIGURE_ENV+= mansectform=5
-CONFIGURE_ARGS+= --disable-root-mailer
+CONFIGURE_ARGS+= --disable-root-mailer --with-ignore-dot
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+= --with-timedir=${VARBASE:Q}/run/sudo
CONFIGURE_ARGS+= --with-logpath=${VARBASE:Q}/log/sudo.log
diff --git a/security/sudo/PLIST b/security/sudo/PLIST
index 04c859afe82..2bbd1a3247a 100644
--- a/security/sudo/PLIST
+++ b/security/sudo/PLIST
@@ -1,8 +1,9 @@
-@comment $NetBSD: PLIST,v 1.2 2008/03/29 14:16:58 taca Exp $
+@comment $NetBSD: PLIST,v 1.3 2009/02/05 13:48:12 taca Exp $
bin/sudo
bin/sudoedit
libexec/sudo_noexec.so
man/man5/sudoers.5
+${PLIST.ldap}man/man5/sudoers.ldap.5
man/man8/sudo.8
man/man8/sudoedit.8
man/man8/visudo.8
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index 79eea48d855..179b31058da 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.56 2008/06/30 15:53:41 taca Exp $
+$NetBSD: distinfo,v 1.57 2009/02/05 13:48:12 taca Exp $
-SHA1 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 576a584eee413e12294cbd2ca6f445e51a1cb103
-RMD160 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 4d1a4bb3558ddeaa4c8c095067a5696afb6ea50a
-Size (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 593534 bytes
-SHA1 (patch-aa) = 4e1bfcf3f8ea831e682d2c0a34df4746ee95899e
-SHA1 (patch-af) = cd9eac03f4d78a5b9d2702bc7e1952a26ea8ca92
-SHA1 (patch-ag) = a2eb0b1b0aef7325e14cbd5fed8d517b5b4eba2d
-SHA1 (patch-ai) = d28c1288955a443a726928723400b4d32d546b71
+SHA1 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 77bb230148b305e8608a3e552f1747507a84a55c
+RMD160 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 62c1dbe97a4b46ea2352023ecb8b30dc4afedf58
+Size (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 744311 bytes
+SHA1 (patch-aa) = b5a7c0b6fc0355b78f3d661afc62d20f4dcc1318
+SHA1 (patch-af) = 41b41124744b36feb7f65d5b706874c06e096744
+SHA1 (patch-ag) = 0ae45801e8146bab8bb998fdc48b1fd05b56f96b
diff --git a/security/sudo/options.mk b/security/sudo/options.mk
index 2a3223bd894..252bce3ca23 100644
--- a/security/sudo/options.mk
+++ b/security/sudo/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.15 2008/03/11 15:52:51 taca Exp $
+# $NetBSD: options.mk,v 1.16 2009/02/05 13:48:12 taca Exp $
#
PKG_OPTIONS_VAR= PKG_OPTIONS.sudo
@@ -21,8 +21,6 @@ CONFIGURE_ARGS+= --without-pam
.endif
.if !empty(PKG_OPTIONS:Mkerberos)
-KRB5_ACCEPTED= heimdal
-IS_BUILTIN.heimdal= no
. include "../../mk/krb5.buildlink3.mk"
CONFIGURE_ARGS+= --without-kerb4
CONFIGURE_ARGS+= --with-kerb5
@@ -35,6 +33,7 @@ CONFIGURE_ARGS+= --without-kerb5
DL_AUTO_VARS= yes
CONFIGURE_ARGS+= --with-ldap=${BUILDLINK_PREFIX.openldap-client}
CONFIGURE_ARGS+= --with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf
+PLIST.ldap= yes
.endif
.if !empty(PKG_OPTIONS:Mskey)
diff --git a/security/sudo/patches/patch-aa b/security/sudo/patches/patch-aa
index 80705df3382..314191f6768 100644
--- a/security/sudo/patches/patch-aa
+++ b/security/sudo/patches/patch-aa
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
+$NetBSD: patch-aa,v 1.20 2009/02/05 13:48:12 taca Exp $
---- Makefile.in.orig 2008-03-24 04:43:51.000000000 +0900
+--- Makefile.in.orig 2008-12-04 05:40:58.000000000 +0900
+++ Makefile.in
-@@ -188,7 +188,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
+@@ -197,7 +197,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_noexec.la: sudo_noexec.lo
@@ -10,10 +10,10 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
+ $(LIBTOOL) --mode=link $(CC) -module $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
# Uncomment the following if you want "make distclean" to clean the parser
- @DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h
-@@ -304,35 +304,35 @@ sudoers.man:: sudoers.man.in
-
- sudoers.cat: sudoers.man
+ @DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h
+@@ -399,36 +399,36 @@ sudoers.ldap.cat: sudoers.ldap.man
+ ChangeLog:
+ cvs2cl --follow-only trunk
-install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man
+install: install-dirs install-binaries @INSTALL_NOEXEC@ install-man
@@ -27,13 +27,13 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
install-binaries: $(PROGS)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo
-+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir)
++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir)/sudo
rm -f $(DESTDIR)$(sudodir)/sudoedit
ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
-@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh
-+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s visudo $(DESTDIR)$(visudodir)
-+@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir)
++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
++@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir)/sesh
install-noexec: sudo_noexec.la
- test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir)
@@ -42,9 +42,8 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
install-sudoers:
test -f $(DESTDIR)$(sudoersdir)/sudoers || \
- $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \
-- $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers
+ $(INSTALL) -o $(sudoers_uid) -g $(sudoers_gid) -m $(sudoers_mode) \
-+ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)
+ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers
install-man:
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
@@ -53,8 +52,10 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
+- @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
++ @LDAP@$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@MAN_POSTINSTALL@
check:
diff --git a/security/sudo/patches/patch-af b/security/sudo/patches/patch-af
index 13ff0e6e969..ca9e8169052 100644
--- a/security/sudo/patches/patch-af
+++ b/security/sudo/patches/patch-af
@@ -1,8 +1,8 @@
-$NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $
+$NetBSD: patch-af,v 1.21 2009/02/05 13:48:12 taca Exp $
---- configure.in.orig 2008-02-20 03:27:32.000000000 +0900
+--- configure.in.orig 2008-12-10 06:13:01.000000000 +0900
+++ configure.in
-@@ -142,7 +142,6 @@ else
+@@ -153,7 +153,6 @@ else
fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
@@ -10,7 +10,7 @@ $NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $
dnl
dnl Deprecated --with options (these all warn or generate an error)
-@@ -265,6 +264,19 @@ AC_ARG_WITH(csops, [ --with-csops
+@@ -277,6 +276,19 @@ AC_ARG_WITH(csops, [ --with-csops
;;
esac])
@@ -30,12 +30,21 @@ $NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $
AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for authentication],
[case $with_passwd in
yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
-@@ -1661,7 +1673,7 @@ fi
+@@ -1716,7 +1728,7 @@ fi
if test ${with_logincap-'no'} != "no"; then
- AC_CHECK_HEADERS(login_cap.h, [LCMAN=""
+ AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
case "$OS" in
- freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
+ dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
esac
])
+@@ -2148,6 +2160,8 @@ if test ${with_kerb5-'no'} != "no" -a -z
+ AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])
+ ])
+ AUTH_OBJS="$AUTH_OBJS kerb5.o"
++fi
++if test ${with_kerb5-'no'} != "no"; then
+ _LIBS="$LIBS"
+ LIBS="${LIBS} ${SUDO_LIBS}"
+ AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
diff --git a/security/sudo/patches/patch-ag b/security/sudo/patches/patch-ag
index 8b2c5abd65e..e5895e8f988 100644
--- a/security/sudo/patches/patch-ag
+++ b/security/sudo/patches/patch-ag
@@ -1,8 +1,8 @@
-$NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
+$NetBSD: patch-ag,v 1.13 2009/02/05 13:48:12 taca Exp $
---- configure.orig 2008-02-20 03:27:07.000000000 +0900
+--- configure.orig 2008-12-10 06:04:36.000000000 +0900
+++ configure
-@@ -1441,7 +1441,7 @@ Fine tuning of the installation director
+@@ -1451,7 +1451,7 @@ Fine tuning of the installation director
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
@@ -11,7 +11,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1511,6 +1511,7 @@ Optional Packages:
+@@ -1523,6 +1523,7 @@ Optional Packages:
--with-devel add development options
--with-efence link with -lefence for malloc() debugging
--with-csops add CSOps standard options
@@ -19,7 +19,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
--without-passwd don't use passwd/shadow file for authentication
--with-skey=DIR enable S/Key support
--with-opie=DIR enable OPIE support
-@@ -2138,7 +2139,6 @@ else
+@@ -2163,7 +2164,6 @@ else
fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
@@ -27,7 +27,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
-@@ -2330,6 +2330,23 @@ fi
+@@ -2356,6 +2356,23 @@ fi
@@ -51,12 +51,28 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
# Check whether --with-passwd was given.
if test "${with_passwd+set}" = set; then
withval=$with_passwd; case $with_passwd in
-@@ -13717,7 +13734,7 @@ if test `eval echo '${'$as_ac_Header'}'`
+@@ -14091,7 +14108,7 @@ if test `eval echo '${'$as_ac_Header'}'`
_ACEOF
- LCMAN=""
+ LOGINCAP_USAGE='[-c class|-] '; LCMAN=""
case "$OS" in
- freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
+ dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
esac
+@@ -21080,11 +21098,12 @@ fi
+
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ AUTH_OBJS="$AUTH_OBJS kerb5.o"
+- _LIBS="$LIBS"
+- LIBS="${LIBS} ${SUDO_LIBS}"
+-
+
++fi
+
++if test ${with_kerb5-'no'} != "no"; then
++_LIBS="$LIBS"
++LIBS="${LIBS} ${SUDO_LIBS}"
+ for ac_func in krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc
+ do
+ as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
diff --git a/security/sudo/patches/patch-ai b/security/sudo/patches/patch-ai
deleted file mode 100644
index 84e6770b5a3..00000000000
--- a/security/sudo/patches/patch-ai
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-ai,v 1.4 2008/03/11 15:52:51 taca Exp $
-
---- auth/kerb5.c.orig 2008-02-14 07:17:41.000000000 +0900
-+++ auth/kerb5.c
-@@ -220,11 +220,7 @@ kerb5_verify(pw, pass, auth)
-
- done:
- if (opts) {
--#ifdef HAVE_HEIMDAL
-- krb5_get_init_creds_opt_free(opts);
--#else
- krb5_get_init_creds_opt_free(sudo_context, opts);
--#endif
- }
- if (creds)
- krb5_free_cred_contents(sudo_context, creds);