Date: Fri, 10 Aug 2007 16:18:47 +0200 (CEST)
From: Janos Mohacsi <janos.mohacsi@bsd.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: tmclaugh@FreeBSD.org
Subject: ports/115381: [PATCH] security/sudo: [SUMMARIZE CHANGES]
Message-ID: <200708101418.l7AEIlV7040237@scone.ki.iif.hu>
Resent-Message-ID: <200708101420.l7AEK10E014419@freefall.freebsd.org>
>Number: 115381
>Category: ports
>Synopsis: [PATCH] security/sudo: [SUMMARIZE CHANGES]
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 10 14:20:00 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Janos Mohacsi
>Release: FreeBSD 7.0-CURRENT i386
>Organization: NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Jun 27 18:22:17 CEST 2007
>Description:
- Add possibility to specify an additional path to the default secure_path. This is important since the environment resetting is rather different after 1.6.9 than earlier in sudo. This is documented also in OpenBSD: http://www.undeadly.org/cgi?action=article&sid=20070726192925
- small cosmetic changes in the Makefile

Port maintainer (tmclaugh@FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
The possibility to set a safe PATH is important. Especially integrating /usr/local/... since some tools are using #!/bin/env python construction and /usr/local/bin is not set as a default secure_path....
>Fix:
--- sudo-1.6.9.3_2.patch begins here --- diff -ruN --exclude=CVS /usr/ports/security/sudo.orig/Makefile /usr/ports/security/sudo/Makefile --- /usr/ports/security/sudo.orig/Makefile 2007-08-06 09:40:47.000000000 +0200 +++ /usr/ports/security/sudo/Makefile 2007-08-10 16:00:35.000000000 +0200 @@ -7,7 +7,7 @@ PORTNAME= sudo PORTVERSION= 1.6.9.3 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= http://www.sudo.ws/sudo/dist/ \ http://probsd.org/sudoftp/ \ 
@@ -37,7 +37,9 @@ OPTIONS= LDAP "With LDAP support" off \ INSULTS "With all insults" off \ - SHELL_SETS_HOME "Set HOME env to target user in shell mode" off + SHELL_SETS_HOME "Set HOME env to target user in shell mode" off \ + LOCAL_BIN "use /usr/local/bin in the search PATH" off \ + LOCAL_SBIN "use /usr/local/sbin in the search PATH" off \ .include <bsd.port.pre.mk> @@ -59,6 +61,19 @@ CONFIGURE_ARGS+=--enable-shell-sets-home .endif +SUDO_SECURE_PATH_DEF="/bin:/usr/bin:/usr/sbin:/sbin" +.if defined(WITH_LOCAL_BIN) && defined(WITH_LOCAL_SBIN) +SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/bin:${LOCALBASE}/sbin" +.elif defined(WITH_LOCAL_BIN) +SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/bin" +.elif defined(WITH_LOCAL_SBIN) +SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/sbin" +.endif + +.if defined(WITH_LOCAL_BIN) || defined(WITH_LOCAL_SBIN) +CONFIGURE_ARGS+=--with-secure-path="${SUDO_SECURE_PATH}" +.endif + MAN5= sudoers.5 MAN8= sudo.8 visudo.8 MLINKS= sudo.8 sudoedit.8 @@ -69,7 +84,7 @@ ${INSTALL_DATA} ${FILESDIR}/pam.conf ${PREFIX}/etc/pam.d/sudo.default if [ ! -e ${PREFIX}/etc/pam.d/sudo ]; then \ - cp -p ${PREFIX}/etc/pam.d/sudo.default \ + ${CP} -p ${PREFIX}/etc/pam.d/sudo.default \ ${PREFIX}/etc/pam.d/sudo ;\ fi --- sudo-1.6.9.3_2.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
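
Review bot: in the OPTIONS hunk (@@ -37,7 +37,9 @@) the new last entry, LOCAL_SBIN, ends in a continuation backslash, so the OPTIONS assignment now runs on into whatever line follows it, where the old last entry (SHELL_SETS_HOME) had none. Drop the trailing `\` from the LOCAL_SBIN line. The two descriptions also hardcode /usr/local/bin and /usr/local/sbin while the configure logic uses ${LOCALBASE}, so they misstate what is added when LOCALBASE points elsewhere; wording that names LOCALBASE and secure_path would match the code and tell the user which sudo setting the option changes.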
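
Review bot: in the secure_path hunk (@@ -59,6 +61,19 @@) the double quotes on the right-hand side of SUDO_SECURE_PATH_DEF and SUDO_SECURE_PATH are stored as part of the make variable values, so once CONFIGURE_ARGS wraps ${SUDO_SECURE_PATH} in its own pair the quotes are nested and the argument only comes out right because they happen to pair up in the shell. Assign the values unquoted and quote once, on the --with-secure-path= line. The .if/.elif chain can then become two independent appends, one per option, onto a variable that starts as the default list, which removes the repeated strings. Every directory listed here is searched for commands run through sudo, so the option text or a pkg-message should say that ${LOCALBASE}/bin and ${LOCALBASE}/sbin need to stay writable by root only; placing them after the system directories, as done here, is the right order.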
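
sudo resolves bare command names through every directory in secure_path, so the directories this PR adds need the same ownership and permission guarantees as the base-system ones. The shell function below is an added example, not part of the original message or the port; the OWNER_UID parameter and the sample value (LOCALBASE assumed to be /usr/local) are assumptions.

```shell
#!/bin/sh
# Added example: audit each directory named in a sudo secure_path value.
# Usage: audit_secure_path PATHLIST [OWNER_UID]
# Prints one "<problem> <dir>" line per finding; returns non-zero if any.
# OWNER_UID (hypothetical parameter) defaults to 0 so only root-owned
# directories pass; it is overridable so the check can be run unprivileged.
audit_secure_path() {
    pathlist=$1
    want_uid=${2:-0}
    findings=0

    # An empty entry (leading, trailing or doubled colon) means "current directory".
    case $pathlist in
        :*|*::*|*:) echo "empty-entry $pathlist"; findings=1 ;;
    esac

    # Split on ':' without glob expansion, then restore the shell's settings.
    old_ifs=$IFS; IFS=:; set -f
    set -- $pathlist
    set +f; IFS=$old_ifs

    for dir in "$@"; do
        case $dir in
            '') continue ;;                          # already reported above
            /*) ;;
            *)  echo "relative $dir"; findings=1; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing $dir"; findings=1; continue
        fi
        # "$dir/." makes ls describe the directory itself even if $dir is a symlink.
        meta=$(ls -ldn "$dir/.")
        mode=${meta%% *}
        uid=$(printf '%s\n' "$meta" | awk '{print $3}')
        [ "$uid" = "$want_uid" ] || { echo "owner-uid-$uid $dir"; findings=1; }
        case $mode in
            d????w*|d???????w*) echo "writable $dir"; findings=1 ;;  # group/other write bit
        esac
    done
    [ "$findings" -eq 0 ]
}

# secure_path as the patch builds it with both options on, assuming LOCALBASE=/usr/local.
audit_secure_path "/bin:/usr/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin" \
    || echo "secure_path needs attention"
```

A `missing` finding matters as much as a `writable` one: a listed directory that does not exist yet can be created later by whoever has write access to its parent.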