Date:      Sun, 4 Aug 2019 15:43:27 +0000 (UTC)
From:      Kai Knoblich <kai@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r508097 - in head/security/doas: . files
Message-ID:  <201908041543.x74FhRXW063540@repo.freebsd.org>

Author: kai
Date: Sun Aug  4 15:43:27 2019
New Revision: 508097
URL: https://svnweb.freebsd.org/changeset/ports/508097

Log:
  security/doas: Update to 6.1
  
  * Update the pkg-message to give users that install/upgrade the port some
    info about the changed behavior regarding the environment variables. [1]
  
  * Make the configuration of target user's sanitized $PATH that is set at
    compile time more flexible by enabling users to configure it via
    _GLOBAL_PATH. [2]
  
  * Also pet portlint/portclippy by placing USES to the top of the USES block
    and remove the superfluous occurrence of GH_PROJECT while I'm here.
  
  Changelog:
  
  * Most environment variables are no longer copied to the target user's
    environment. This avoids corrupting files through use of $HOME, for
    example.
  
    When environment variables are required, keepenv can be set in the
    doas.conf file.
  
  * The target user's sanitized $PATH can be set at compile time to avoid
    passing malicious executables to the target user's path.
  
  https://github.com/slicer69/doas/releases/tag/6.1
  
  PR:		239629
  Submitted by:	jsmith@resonatingmedia.com (maintainer)
  Approved by:	jsmith@resonatingmedia.com (maintainer) [1] [2]
  MFH:		2019Q3

Modified:
  head/security/doas/Makefile
  head/security/doas/distinfo
  head/security/doas/files/pkg-message.in

Modified: head/security/doas/Makefile
==============================================================================
--- head/security/doas/Makefile	Sun Aug  4 15:34:54 2019	(r508096)
+++ head/security/doas/Makefile	Sun Aug  4 15:43:27 2019	(r508097)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	doas
-PORTVERSION=	6.0p3
+PORTVERSION=	6.1
 CATEGORIES=	security
 
 MAINTAINER=	jsmith@resonatingmedia.com
@@ -12,11 +12,11 @@ LICENSE_COMB=	multi
 LICENSE_FILE_BSD2CLAUSE=	${WRKSRC}/LICENSE
 LICENSE_FILE_ISCL=		${WRKSRC}/LICENSE
 
+USES=	gmake
 USE_GITHUB=	yes
 GH_ACCOUNT=	slicer69
-GH_PROJECT=	doas
 
-USES=	gmake
+MAKE_ENV+=	TARGETPATH=-DGLOBAL_PATH='\"${_GLOBAL_PATH}\"'
 
 BINMODE=	4755
 
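Review bot: The added MAKE_ENV line places ${_GLOBAL_PATH} inside '\"...\"' with no escaping of the value itself, so a setting that contains a single quote, a double quote or whitespace would alter the TARGETPATH define handed to the build of a binary that is installed with BINMODE=4755. Since the variable is meant to be user-configurable, consider rejecting such values before the build, or documenting that only colon-separated directory names without quotes or whitespace are accepted. Moving this line next to the _GLOBAL_PATH definition further down would also let the use and the default be read together.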
@@ -24,6 +24,15 @@ SUB_FILES=	pkg-message
 PLIST_FILES=	bin/doas \
 		man/man5/doas.conf.5.gz \
 		man/man1/doas.1.gz
+
+# These are upstream's default paths that are set for the GLOBAL_PATH variable
+# in doas.h since the 6.1 release. Those paths are then used for target user's
+# PATH variable instead of those of the original user.
+#
+# See also:
+#  * https://github.com/slicer69/doas/blob/6.1/doas.h#L36
+#  * https://github.com/slicer69/doas/releases/tag/6.1
+_GLOBAL_PATH?=	${LOCALBASE}/sbin:${LOCALBASE}/bin:/usr/sbin:/usr/bin:/sbin:/bin
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin
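Review bot: The `_GLOBAL_PATH?=` default at the end of the added block is the knob the commit log offers to users, yet the leading underscore reads as a private variable and the comment above it only describes upstream's defaults, not what an override may contain. Because the value becomes the target user's PATH, the comment should state that every entry has to be an absolute directory that only root can write to; an empty or relative entry (for example a trailing ':' or '.') would bring back the lookup risk the 6.1 change is meant to remove. A public name without the underscore would also make the knob easier to discover.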

Modified: head/security/doas/distinfo
==============================================================================
--- head/security/doas/distinfo	Sun Aug  4 15:34:54 2019	(r508096)
+++ head/security/doas/distinfo	Sun Aug  4 15:43:27 2019	(r508097)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1552317435
-SHA256 (slicer69-doas-6.0p3_GH0.tar.gz) = abf7911df661fd82acc3ff71724b73cf0f2102f8a5379153a1c031b285ed8c97
-SIZE (slicer69-doas-6.0p3_GH0.tar.gz) = 18470
+TIMESTAMP = 1564865652
+SHA256 (slicer69-doas-6.1_GH0.tar.gz) = f6ae5243a711774cd46d5087c544e7feead7e138c6053c030c47489a722033f2
+SIZE (slicer69-doas-6.1_GH0.tar.gz) = 19965

Modified: head/security/doas/files/pkg-message.in
==============================================================================
--- head/security/doas/files/pkg-message.in	Sun Aug  4 15:34:54 2019	(r508096)
+++ head/security/doas/files/pkg-message.in	Sun Aug  4 15:43:27 2019	(r508097)
@@ -5,9 +5,27 @@ To use doas,
 
 %%PREFIX%%/etc/doas.conf
 
-must be created.
+must be created. Refer to doas.conf(5) for further details.
 
-Refer to doas.conf(5).
+Note: In order to be able to run most desktop (GUI) applications, the user
+needs to have the keepenv keyword specified. If keepenv is not specified then
+key elements, like the user's $HOME variable, will be reset and cause the GUI
+application to crash.
+
+Users who only need to run command line applications can usually get away
+without keepenv.
+
+When in doubt, try to avoid using keepenv as it is less secure to have
+environment variables passed to privileged users.
+EOD
+}
+{ type: upgrade
+  maximum_version: "6.1"
+  message: <<EOD
+With the 6.1 release the transfer of most environment variables (e.g. USER,
+HOME and PATH) from the original user to the target user has changed.
+
+Please refer to doas.conf(5) for further details.
 EOD
 }
 ]
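Review bot: The new upgrade message says the handling of USER, HOME and PATH "has changed" without saying how, and the keepenv explanation sits only in the install text above it. Consider stating in the upgrade block that most variables are no longer copied to the target user, that keepenv in doas.conf brings them back, and that PATH is now replaced by a value fixed at build time, so upgrading users can judge whether their existing doas.conf rules and scripts still behave as expected.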
