From c5f9cf7b15d12420d4ded0320abcf000b24561d6 Mon Sep 17 00:00:00 2001 
From: tron Date: Thu, 5 Feb 2009 17:00:25 +0000 Subject: Pullup ticket #2688 - requested by taca sudo: security update Revisions pulled up: - security/sudo/Makefile 1.114 - security/sudo/PLIST 1.3 - security/sudo/distinfo 1.57 - security/sudo/options.mk 1.16 - security/sudo/patches/patch-aa 1.20 - security/sudo/patches/patch-af 1.21 - security/sudo/patches/patch-ag 1.13 - security/sudo/patches/patch-ai delete --- Module Name: pkgsrc Committed By: taca Date: Thu Feb 5 13:48:12 UTC 2009 Modified Files: pkgsrc/security/sudo: Makefile PLIST distinfo options.mk pkgsrc/security/sudo/patches: patch-aa patch-af patch-ag Removed Files: pkgsrc/security/sudo/patches: patch-ai Log Message: Update security/sudo package to 1.7.0. * pkgsrc change: relax restriction to kerberos package. What's new in Sudo 1.7.0? * Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications. * Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files. * Sudo's -l (list) flag has been enhanced: o applicable Defaults options are now listed o a command argument can be specified for testing whether a user may run a specific command. o a new -U flag can be used in conjunction with "sudo -l" to allow root (or a user with "sudo ALL") list another user's privileges. * A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification. * A uid may now be used anywhere a username is valid. * The "secure_path" run-time Defaults option has been restored. * Password and group data is now cached for fast lookups. * The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line. 
* Visudo will now warn about aliases that are defined but not used. * The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run. * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: sudoers: ldap files to check LDAP, then /etc/sudoers. The default is "files", even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. * Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run. * If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass. * A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. * A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run. * A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required. * If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified. * Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must press ^C or ^D at the prompt. 
* visudo will now check the sudoers file owner and mode in -c (check) mode when the -s (strict) flag is specified.
---
 security/sudo/Makefile | 7 ++++---
 security/sudo/PLIST | 3 ++-
 security/sudo/distinfo | 15 +++++++--------
 security/sudo/options.mk | 5 ++---
 security/sudo/patches/patch-aa | 25 +++++++++++++------------
 security/sudo/patches/patch-af | 21 +++++++++++++++------
 security/sudo/patches/patch-ag | 32 ++++++++++++++++++++++++--------
 security/sudo/patches/patch-ai | 16 ----------------
 8 files changed, 67 insertions(+), 57 deletions(-)
 delete mode 100644 security/sudo/patches/patch-ai

diff --git a/security/sudo/Makefile b/security/sudo/Makefile
index 22ba17e8ebe..89c55442034 100644
--- a/security/sudo/Makefile
+++ b/security/sudo/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.113 2008/06/30 15:53:41 taca Exp $
+# $NetBSD: Makefile,v 1.113.10.1 2009/02/05 17:00:25 tron Exp $
 #
 
-DISTNAME= sudo-1.6.9p17
+DISTNAME= sudo-1.7.0
 CATEGORIES= security
 MASTER_SITES= http://www.courtesan.com/sudo/dist/ \
 ftp://ftp.courtesan.com/pub/sudo/ \
@@ -24,6 +24,7 @@ OWN_DIRS+= ${VARBASE}/run
 GNU_CONFIGURE= yes
 BUILD_DEFS+= VARBASE
 PKG_DESTDIR_SUPPORT= destdir
+PLIST_VARS+= ldap
 
 .include "../../mk/bsd.prefs.mk"
 
@@ -31,7 +32,7 @@ PKG_DESTDIR_SUPPORT= destdir
 CONFIGURE_ENV+= NROFFPROG=${CAT:Q}
 CONFIGURE_ENV+= mansectsu=8
 CONFIGURE_ENV+= mansectform=5
-CONFIGURE_ARGS+= --disable-root-mailer
+CONFIGURE_ARGS+= --disable-root-mailer --with-ignore-dot
 CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
 CONFIGURE_ARGS+= --with-timedir=${VARBASE:Q}/run/sudo
 CONFIGURE_ARGS+= --with-logpath=${VARBASE:Q}/log/sudo.log
diff --git a/security/sudo/PLIST b/security/sudo/PLIST
index 04c859afe82..186f1d1e02d 100644
--- a/security/sudo/PLIST
+++ b/security/sudo/PLIST
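Review bot: `--with-ignore-dot` is appended to CONFIGURE_ARGS next to `--disable-root-mailer` without a comment, and neither the pkgsrc log nor the upstream notes above explain it. The flag only sets the compiled-in default of the `ignore_dot` sudoers flag, so a one-line comment keeps the intent visible to the next updater, e.g. `# Default ignore_dot on: never search "." in the user's PATH for the command`. The log message also says 1.7.0 restores the `secure_path` Defaults option; no `--with-secure-path` appears in this hunk, which may well be intentional, but a line next to these options saying so would help if the rest of CONFIGURE_ARGS (outside the hunk) does not set it.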
@@ -1,8 +1,9 @@
-@comment $NetBSD: PLIST,v 1.2 2008/03/29 14:16:58 taca Exp $
+@comment $NetBSD: PLIST,v 1.2.12.1 2009/02/05 17:00:25 tron Exp $
 bin/sudo
 bin/sudoedit
 libexec/sudo_noexec.so
 man/man5/sudoers.5
+${PLIST.ldap}man/man5/sudoers.ldap.5
 man/man8/sudo.8
 man/man8/sudoedit.8
 man/man8/visudo.8
diff --git a/security/sudo/distinfo b/security/sudo/distinfo
index 79eea48d855..28c3d6af93d 100644
--- a/security/sudo/distinfo
+++ b/security/sudo/distinfo
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.56 2008/06/30 15:53:41 taca Exp $
+$NetBSD: distinfo,v 1.56.10.1 2009/02/05 17:00:25 tron Exp $
 
-SHA1 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 576a584eee413e12294cbd2ca6f445e51a1cb103
-RMD160 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 4d1a4bb3558ddeaa4c8c095067a5696afb6ea50a
-Size (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 593534 bytes
-SHA1 (patch-aa) = 4e1bfcf3f8ea831e682d2c0a34df4746ee95899e
-SHA1 (patch-af) = cd9eac03f4d78a5b9d2702bc7e1952a26ea8ca92
-SHA1 (patch-ag) = a2eb0b1b0aef7325e14cbd5fed8d517b5b4eba2d
-SHA1 (patch-ai) = d28c1288955a443a726928723400b4d32d546b71
+SHA1 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 77bb230148b305e8608a3e552f1747507a84a55c
+RMD160 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 62c1dbe97a4b46ea2352023ecb8b30dc4afedf58
+Size (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 744311 bytes
+SHA1 (patch-aa) = b5a7c0b6fc0355b78f3d661afc62d20f4dcc1318
+SHA1 (patch-af) = 41b41124744b36feb7f65d5b706874c06e096744
+SHA1 (patch-ag) = 0ae45801e8146bab8bb998fdc48b1fd05b56f96b
diff --git a/security/sudo/options.mk b/security/sudo/options.mk
index 2a3223bd894..70db5ee5ea0 100644
--- a/security/sudo/options.mk
+++ b/security/sudo/options.mk
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.15 2008/03/11 15:52:51 taca Exp $
+# $NetBSD: options.mk,v 1.15.12.1 2009/02/05 17:00:25 tron Exp $
 #
 
 PKG_OPTIONS_VAR= PKG_OPTIONS.sudo
@@ -21,8 +21,6 @@ CONFIGURE_ARGS+= --without-pam .endif .if !empty(PKG_OPTIONS:Mkerberos) -KRB5_ACCEPTED= heimdal -IS_BUILTIN.heimdal= no . include "../../mk/krb5.buildlink3.mk" CONFIGURE_ARGS+= --without-kerb4 CONFIGURE_ARGS+= --with-kerb5 @@ -35,6 +33,7 @@ CONFIGURE_ARGS+= --without-kerb5 DL_AUTO_VARS= yes CONFIGURE_ARGS+= --with-ldap=${BUILDLINK_PREFIX.openldap-client} CONFIGURE_ARGS+= --with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf +PLIST.ldap= yes .endif .if !empty(PKG_OPTIONS:Mskey) diff --git a/security/sudo/patches/patch-aa b/security/sudo/patches/patch-aa index 80705df3382..3227b55ed42 100644 --- a/security/sudo/patches/patch-aa +++ b/security/sudo/patches/patch-aa @@ -1,8 +1,8 @@ -$NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $ +$NetBSD: patch-aa,v 1.19.12.1 2009/02/05 17:00:25 tron Exp $ ---- Makefile.in.orig 2008-03-24 04:43:51.000000000 +0900 +--- Makefile.in.orig 2008-12-04 05:40:58.000000000 +0900 +++ Makefile.in -@@ -188,7 +188,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c +@@ -197,7 +197,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c sudo_noexec.la: sudo_noexec.lo @@ -10,10 +10,10 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $ + $(LIBTOOL) --mode=link $(CC) -module $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) # Uncomment the following if you want "make distclean" to clean the parser - @DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h -@@ -304,35 +304,35 @@ sudoers.man:: sudoers.man.in - - sudoers.cat: sudoers.man + @DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h +@@ -399,36 +399,36 @@ sudoers.ldap.cat: sudoers.ldap.man + ChangeLog: + cvs2cl --follow-only trunk -install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man +install: install-dirs install-binaries @INSTALL_NOEXEC@ install-man 
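Review bot: Dropping `KRB5_ACCEPTED= heimdal` and `IS_BUILTIN.heimdal= no` lets mk/krb5.buildlink3.mk pick any Kerberos implementation, but nothing in the `.if !empty(PKG_OPTIONS:Mkerberos)` block records why the pin is now safe to lift. The deleted patch-ai, which removed the `#ifdef HAVE_HEIMDAL` variant of `krb5_get_init_creds_opt_free()`, suggests the old restriction existed for exactly that API difference. A one-line comment would preserve the reasoning, e.g. `# sudo 1.7.0 copes with both the MIT and the Heimdal krb5_get_init_creds_opt_free() signatures, so no implementation pin is needed`. Whether 1.7.0's auth/kerb5.c really handles both is inferred from the removal of patch-ai and should be confirmed before the comment is committed.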
@@ -27,13 +27,13 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $ install-binaries: $(PROGS) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo -+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir) ++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir)/sudo rm -f $(DESTDIR)$(sudodir)/sudoedit ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo -@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh -+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s visudo $(DESTDIR)$(visudodir) -+@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir) ++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0111 -s visudo $(DESTDIR)$(visudodir)/visudo ++@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir)/sesh install-noexec: sudo_noexec.la - test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir) @@ -42,9 +42,8 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $ install-sudoers: test -f $(DESTDIR)$(sudoersdir)/sudoers || \ - $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \ -- $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers + $(INSTALL) -o $(sudoers_uid) -g $(sudoers_gid) -m $(sudoers_mode) \ -+ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir) + $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers install-man: - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) 
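Review bot: In the rewritten install-binaries recipe visudo is installed with `-m 0111` while sesh on the next line keeps `-m 0511` and sudo uses `4511`; the previous pkgsrc revision used 0511 for all three and the upstream lines being replaced use 0111 for both visudo and sesh, so the mismatch looks accidental rather than a deliberate choice for one binary. Unless there is a reason for visudo alone to be execute-only, make the two lines agree, e.g. `+	$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s visudo $(DESTDIR)$(visudodir)/visudo`, or take both back to upstream's 0111 and say so in the patch header. The header of patch-aa (first hunk of this file) carries no rationale at all, so that is also where the reason for diverging from upstream's modes belongs.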
@@ -53,8 +52,10 @@ $NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $ ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) +- @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) + $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) + $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) ++ @LDAP@$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) @MAN_POSTINSTALL@ check: diff --git a/security/sudo/patches/patch-af b/security/sudo/patches/patch-af index 13ff0e6e969..65141041a01 100644 --- a/security/sudo/patches/patch-af +++ b/security/sudo/patches/patch-af @@ -1,8 +1,8 @@ -$NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $ +$NetBSD: patch-af,v 1.20.12.1 2009/02/05 17:00:25 tron Exp $ ---- configure.in.orig 2008-02-20 03:27:32.000000000 +0900 +--- configure.in.orig 2008-12-10 06:13:01.000000000 +0900 +++ configure.in -@@ -142,7 +142,6 @@ else +@@ -153,7 +153,6 @@ else fi test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin' test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin' @@ -10,7 +10,7 @@ $NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $ dnl dnl Deprecated --with options (these all warn or generate an error) -@@ -265,6 +264,19 @@ AC_ARG_WITH(csops, [ --with-csops +@@ -277,6 +276,19 @@ AC_ARG_WITH(csops, [ --with-csops ;; esac]) 
@@ -30,12 +30,21 @@ $NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $ AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for authentication], [case $with_passwd in yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication) -@@ -1661,7 +1673,7 @@ fi +@@ -1716,7 +1728,7 @@ fi if test ${with_logincap-'no'} != "no"; then - AC_CHECK_HEADERS(login_cap.h, [LCMAN="" + AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN="" case "$OS" in - freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" + dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; esac ]) +@@ -2148,6 +2160,8 @@ if test ${with_kerb5-'no'} != "no" -a -z + AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"]) + ]) + AUTH_OBJS="$AUTH_OBJS kerb5.o" ++fi ++if test ${with_kerb5-'no'} != "no"; then + _LIBS="$LIBS" + LIBS="${LIBS} ${SUDO_LIBS}" + AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc) diff --git a/security/sudo/patches/patch-ag b/security/sudo/patches/patch-ag index 8b2c5abd65e..06f2f3febdc 100644 --- a/security/sudo/patches/patch-ag +++ b/security/sudo/patches/patch-ag @@ -1,8 +1,8 @@ -$NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $ +$NetBSD: patch-ag,v 1.12.12.1 2009/02/05 17:00:25 tron Exp $ ---- configure.orig 2008-02-20 03:27:07.000000000 +0900 +--- configure.orig 2008-12-10 06:04:36.000000000 +0900 +++ configure -@@ -1441,7 +1441,7 @@ Fine tuning of the installation director +@@ -1451,7 +1451,7 @@ Fine tuning of the installation director --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] 
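Review bot: The added `+fi` / `+if test ${with_kerb5-'no'} != "no"; then` pair splits the Kerberos 5 block so that `AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)` runs whenever --with-kerb5 is given, not only under the narrower condition of the enclosing `if test ${with_kerb5-'no'} != "no" -a -z …`, whose start and the rest of its condition lie outside the hunk; nothing in patch-af records why. pkgsrc patches carry their rationale as text after the $NetBSD line, so add one there, e.g. `Run the krb5_* function probes whenever Kerberos 5 is enabled, not only in the branch that located the library by hand, so that a krb5 found through the pkgsrc buildlink is probed too` — the last clause is my reading of the intent and should be confirmed. The hunk at `@@ -21080,11 +21098,12 @@` in patch-ag applies the same change to the generated configure and needs the same header note. Relaxing the Kerberos pin in options.mk and deleting patch-ai appear to rely on these probes selecting the right `krb5_get_init_creds_opt_free` signature, so that dependency is worth stating alongside.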
@@ -11,7 +11,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] -@@ -1511,6 +1511,7 @@ Optional Packages: +@@ -1523,6 +1523,7 @@ Optional Packages: --with-devel add development options --with-efence link with -lefence for malloc() debugging --with-csops add CSOps standard options @@ -19,7 +19,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $ --without-passwd don't use passwd/shadow file for authentication --with-skey=DIR enable S/Key support --with-opie=DIR enable OPIE support -@@ -2138,7 +2139,6 @@ else +@@ -2163,7 +2164,6 @@ else fi test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin' test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin' @@ -27,7 +27,7 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $ -@@ -2330,6 +2330,23 @@ fi +@@ -2356,6 +2356,23 @@ fi @@ -51,12 +51,28 @@ $NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $ # Check whether --with-passwd was given. if test "${with_passwd+set}" = set; then withval=$with_passwd; case $with_passwd in -@@ -13717,7 +13734,7 @@ if test `eval echo '${'$as_ac_Header'}'` +@@ -14091,7 +14108,7 @@ if test `eval echo '${'$as_ac_Header'}'` _ACEOF - LCMAN="" + LOGINCAP_USAGE='[-c class|-] '; LCMAN="" case "$OS" in - freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" + dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; esac +@@ -21080,11 +21098,12 @@ fi + + rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + AUTH_OBJS="$AUTH_OBJS kerb5.o" +- _LIBS="$LIBS" +- LIBS="${LIBS} ${SUDO_LIBS}" +- + ++fi + ++if test ${with_kerb5-'no'} != "no"; then ++_LIBS="$LIBS" ++LIBS="${LIBS} ${SUDO_LIBS}" + for ac_func in krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc + do + as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` 
diff --git a/security/sudo/patches/patch-ai b/security/sudo/patches/patch-ai
deleted file mode 100644
index 84e6770b5a3..00000000000
--- a/security/sudo/patches/patch-ai
+++ /dev/null
@@ -1,16 +0,0 @@
-$NetBSD: patch-ai,v 1.4 2008/03/11 15:52:51 taca Exp $
-
---- auth/kerb5.c.orig 2008-02-14 07:17:41.000000000 +0900
-+++ auth/kerb5.c
-@@ -220,11 +220,7 @@ kerb5_verify(pw, pass, auth)
- 
- done:
- if (opts) {
--#ifdef HAVE_HEIMDAL
-- krb5_get_init_creds_opt_free(opts);
--#else
- krb5_get_init_creds_opt_free(sudo_context, opts);
--#endif
- }
- if (creds)
- krb5_free_cred_contents(sudo_context, creds);
-- 
cgit v1.2.3