pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/sudo Update security/sudo package to 1.7.0.
details: https://anonhg.NetBSD.org/pkgsrc/rev/275224e316f4
branches: trunk
changeset: 553969:275224e316f4
user: taca <taca%pkgsrc.org@localhost>
date: Thu Feb 05 13:48:12 2009 +0000
description:
Update security/sudo package to 1.7.0.

* pkgsrc change: relax restriction to kerberos package.

What's new in Sudo 1.7.0?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") to list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as. The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell. Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support. SASL authentication may now be used in
   conjunction when connecting to an LDAP server. The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
   to specify the sudoers order. E.g.:
       sudoers: ldap files
   to check LDAP, then /etc/sudoers. The default is "files", even
   when LDAP support is compiled in. This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured. Typically, this is a graphical password prompter
   such as ssh-askpass.

 * A new Defaults option, "mailfrom", that sets the value of the
   "From:" field in the warning/error mail. If unspecified, the
   login name of the invoking user is used.

 * A new Defaults option, "env_file", that refers to a file containing
   environment variables to be set in the command being run.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * If sudo needs to prompt for a password and it is unable to disable
   echo (and no askpass program is defined), it will refuse to run
   unless the "visiblepw" Defaults option has been specified.

 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
   would exit sudo. In sudo 1.7.0 and beyond, this is treated as
   an empty password. To exit sudo, the user must press ^C or ^D
   at the prompt.

 * visudo will now check the sudoers file owner and mode in -c (check)
   mode when the -s (strict) flag is specified.

diffstat:
security/sudo/Makefile | 7 ++++---
security/sudo/PLIST | 3 ++-
security/sudo/distinfo | 15 +++++++--------
security/sudo/options.mk | 5 ++---
security/sudo/patches/patch-aa | 25 +++++++++++++------------
security/sudo/patches/patch-af | 21 +++++++++++++++------
security/sudo/patches/patch-ag | 32 ++++++++++++++++++++++++--------
security/sudo/patches/patch-ai | 16 ----------------
8 files changed, 67 insertions(+), 57 deletions(-)
diffs (300 lines):
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/Makefile
--- a/security/sudo/Makefile Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/Makefile Thu Feb 05 13:48:12 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.113 2008/06/30 15:53:41 taca Exp $
+# $NetBSD: Makefile,v 1.114 2009/02/05 13:48:12 taca Exp $
#
-DISTNAME= sudo-1.6.9p17
+DISTNAME= sudo-1.7.0
CATEGORIES= security
MASTER_SITES= http://www.courtesan.com/sudo/dist/ \
ftp://ftp.courtesan.com/pub/sudo/ \
@@ -24,6 +24,7 @@
GNU_CONFIGURE= yes
BUILD_DEFS+= VARBASE
PKG_DESTDIR_SUPPORT= destdir
+PLIST_VARS+= ldap
.include "../../mk/bsd.prefs.mk"
@@ -31,7 +32,7 @@
CONFIGURE_ENV+= NROFFPROG=${CAT:Q}
CONFIGURE_ENV+= mansectsu=8
CONFIGURE_ENV+= mansectform=5
-CONFIGURE_ARGS+= --disable-root-mailer
+CONFIGURE_ARGS+= --disable-root-mailer --with-ignore-dot
CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR:Q}
CONFIGURE_ARGS+= --with-timedir=${VARBASE:Q}/run/sudo
CONFIGURE_ARGS+= --with-logpath=${VARBASE:Q}/log/sudo.log
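Review bot: --with-ignore-dot is appended to the existing --disable-root-mailer line and is not mentioned in the commit message, which lists only the Kerberos relaxation as a pkgsrc change. The option changes run-time behaviour (sudo ignores "." in PATH when looking up the command), so it should get its own CONFIGURE_ARGS+= line and a line in the log so the change of default can be found later.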
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/PLIST
--- a/security/sudo/PLIST Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/PLIST Thu Feb 05 13:48:12 2009 +0000
@@ -1,8 +1,9 @@
-@comment $NetBSD: PLIST,v 1.2 2008/03/29 14:16:58 taca Exp $
+@comment $NetBSD: PLIST,v 1.3 2009/02/05 13:48:12 taca Exp $
bin/sudo
bin/sudoedit
libexec/sudo_noexec.so
man/man5/sudoers.5
+${PLIST.ldap}man/man5/sudoers.ldap.5
man/man8/sudo.8
man/man8/sudoedit.8
man/man8/visudo.8
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/distinfo
--- a/security/sudo/distinfo Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/distinfo Thu Feb 05 13:48:12 2009 +0000
@@ -1,9 +1,8 @@
-$NetBSD: distinfo,v 1.56 2008/06/30 15:53:41 taca Exp $
+$NetBSD: distinfo,v 1.57 2009/02/05 13:48:12 taca Exp $
-SHA1 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 576a584eee413e12294cbd2ca6f445e51a1cb103
-RMD160 (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 4d1a4bb3558ddeaa4c8c095067a5696afb6ea50a
-Size (sudo-1.6.9p17-200805130/sudo-1.6.9p17.tar.gz) = 593534 bytes
-SHA1 (patch-aa) = 4e1bfcf3f8ea831e682d2c0a34df4746ee95899e
-SHA1 (patch-af) = cd9eac03f4d78a5b9d2702bc7e1952a26ea8ca92
-SHA1 (patch-ag) = a2eb0b1b0aef7325e14cbd5fed8d517b5b4eba2d
-SHA1 (patch-ai) = d28c1288955a443a726928723400b4d32d546b71
+SHA1 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 77bb230148b305e8608a3e552f1747507a84a55c
+RMD160 (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 62c1dbe97a4b46ea2352023ecb8b30dc4afedf58
+Size (sudo-1.7.0-200805130/sudo-1.7.0.tar.gz) = 744311 bytes
+SHA1 (patch-aa) = b5a7c0b6fc0355b78f3d661afc62d20f4dcc1318
+SHA1 (patch-af) = 41b41124744b36feb7f65d5b706874c06e096744
+SHA1 (patch-ag) = 0ae45801e8146bab8bb998fdc48b1fd05b56f96b
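Review bot: The new distfile entries keep the subdirectory suffix of the old ones (sudo-1.7.0-200805130/), so the 200805130 stamp that accompanied 1.6.9p17 now labels a different release. If that stamp only existed to separate a re-rolled 1.6.9p17 tarball, dropping it for 1.7.0 would avoid a misleading path; otherwise a comment in the Makefile stating what it tracks would help.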
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/options.mk
--- a/security/sudo/options.mk Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/options.mk Thu Feb 05 13:48:12 2009 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.15 2008/03/11 15:52:51 taca Exp $
+# $NetBSD: options.mk,v 1.16 2009/02/05 13:48:12 taca Exp $
#
PKG_OPTIONS_VAR= PKG_OPTIONS.sudo
@@ -21,8 +21,6 @@
.endif
.if !empty(PKG_OPTIONS:Mkerberos)
-KRB5_ACCEPTED= heimdal
-IS_BUILTIN.heimdal= no
. include "../../mk/krb5.buildlink3.mk"
CONFIGURE_ARGS+= --without-kerb4
CONFIGURE_ARGS+= --with-kerb5
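Review bot: Removing KRB5_ACCEPTED= heimdal and IS_BUILTIN.heimdal= no opens the kerberos option to whatever krb5.buildlink3.mk selects, but nothing in the change says which implementations were actually built. Please confirm that the option builds and authenticates against each Kerberos implementation the package is now expected to accept, and record that in the log next to "relax restriction to kerberos package".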
@@ -35,6 +33,7 @@
DL_AUTO_VARS= yes
CONFIGURE_ARGS+= --with-ldap=${BUILDLINK_PREFIX.openldap-client}
CONFIGURE_ARGS+= --with-ldap-conf-file=${PKG_SYSCONFDIR}/ldap.conf
+PLIST.ldap= yes
.endif
.if !empty(PKG_OPTIONS:Mskey)
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/patches/patch-aa
--- a/security/sudo/patches/patch-aa Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/patches/patch-aa Thu Feb 05 13:48:12 2009 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-aa,v 1.19 2008/03/29 14:16:58 taca Exp $
+$NetBSD: patch-aa,v 1.20 2009/02/05 13:48:12 taca Exp $
---- Makefile.in.orig 2008-03-24 04:43:51.000000000 +0900
+--- Makefile.in.orig 2008-12-04 05:40:58.000000000 +0900
+++ Makefile.in
-@@ -188,7 +188,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
+@@ -197,7 +197,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_noexec.la: sudo_noexec.lo
@@ -10,10 +10,10 @@
+ $(LIBTOOL) --mode=link $(CC) -module $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
# Uncomment the following if you want "make distclean" to clean the parser
- @DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h
-@@ -304,35 +304,35 @@ sudoers.man:: sudoers.man.in
-
- sudoers.cat: sudoers.man
+ @DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h
+@@ -399,36 +399,36 @@ sudoers.ldap.cat: sudoers.ldap.man
+ ChangeLog:
+ cvs2cl --follow-only trunk
-install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man
+install: install-dirs install-binaries @INSTALL_NOEXEC@ install-man
@@ -27,13 +27,13 @@
install-binaries: $(PROGS)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo
-+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir)
++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 4511 -s sudo $(DESTDIR)$(sudodir)/sudo
rm -f $(DESTDIR)$(sudodir)/sudoedit
ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
-@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh
-+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s visudo $(DESTDIR)$(visudodir)
-+@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir)
++ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
++@SELINUX@ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0511 -s sesh $(DESTDIR)$(libexecdir)/sesh
install-noexec: sudo_noexec.la
- test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir)
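Review bot: In install-binaries the visudo line goes from -m 0511 in the previous revision of this patch to -m 0111, while sudo stays at -m 4511 and sesh at -m 0511 in the same hunk. If the patch is meant to keep the owner read bit on installed binaries, visudo should stay at "-m 0511 -s visudo"; if 0111 is intended, sesh is the odd one out. The three modes should be made consistent or the difference explained in the patch header.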
@@ -42,9 +42,8 @@
install-sudoers:
test -f $(DESTDIR)$(sudoersdir)/sudoers || \
- $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \
-- $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers
+ $(INSTALL) -o $(sudoers_uid) -g $(sudoers_gid) -m $(sudoers_mode) \
-+ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)
+ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers
install-man:
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
@@ -53,8 +52,10 @@
ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
+- @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
+ $(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
++ @LDAP@$(INSTALL) -o $(install_uid) -g $(install_gid) -m 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@MAN_POSTINSTALL@
check:
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/patches/patch-af
--- a/security/sudo/patches/patch-af Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/patches/patch-af Thu Feb 05 13:48:12 2009 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-af,v 1.20 2008/03/11 15:52:51 taca Exp $
+$NetBSD: patch-af,v 1.21 2009/02/05 13:48:12 taca Exp $
---- configure.in.orig 2008-02-20 03:27:32.000000000 +0900
+--- configure.in.orig 2008-12-10 06:13:01.000000000 +0900
+++ configure.in
-@@ -142,7 +142,6 @@ else
+@@ -153,7 +153,6 @@ else
fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
@@ -10,7 +10,7 @@
dnl
dnl Deprecated --with options (these all warn or generate an error)
-@@ -265,6 +264,19 @@ AC_ARG_WITH(csops, [ --with-csops
+@@ -277,6 +276,19 @@ AC_ARG_WITH(csops, [ --with-csops
;;
esac])
@@ -30,12 +30,21 @@
AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for authentication],
[case $with_passwd in
yes|no) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
-@@ -1661,7 +1673,7 @@ fi
+@@ -1716,7 +1728,7 @@ fi
if test ${with_logincap-'no'} != "no"; then
- AC_CHECK_HEADERS(login_cap.h, [LCMAN=""
+ AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
case "$OS" in
- freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
+ dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
esac
])
+@@ -2148,6 +2160,8 @@ if test ${with_kerb5-'no'} != "no" -a -z
+ AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])
+ ])
+ AUTH_OBJS="$AUTH_OBJS kerb5.o"
++fi
++if test ${with_kerb5-'no'} != "no"; then
+ _LIBS="$LIBS"
+ LIBS="${LIBS} ${SUDO_LIBS}"
+ AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
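Review bot: The added fi / if test ${with_kerb5-'no'} != "no"; then pair moves AC_CHECK_FUNCS out of the original "-a -z ..." conditional, but the hunk shows only where _LIBS is saved, not where LIBS is put back. Please confirm that whatever restores LIBS from _LIBS, and the fi that used to close the original block, still end up inside the new block, and add a sentence under the $NetBSD$ line saying why the function checks must run for every kerb5 build.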
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/patches/patch-ag
--- a/security/sudo/patches/patch-ag Thu Feb 05 13:46:36 2009 +0000
+++ b/security/sudo/patches/patch-ag Thu Feb 05 13:48:12 2009 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-ag,v 1.12 2008/03/11 15:52:51 taca Exp $
+$NetBSD: patch-ag,v 1.13 2009/02/05 13:48:12 taca Exp $
---- configure.orig 2008-02-20 03:27:07.000000000 +0900
+--- configure.orig 2008-12-10 06:04:36.000000000 +0900
+++ configure
-@@ -1441,7 +1441,7 @@ Fine tuning of the installation director
+@@ -1451,7 +1451,7 @@ Fine tuning of the installation director
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
@@ -11,7 +11,7 @@
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
-@@ -1511,6 +1511,7 @@ Optional Packages:
+@@ -1523,6 +1523,7 @@ Optional Packages:
--with-devel add development options
--with-efence link with -lefence for malloc() debugging
--with-csops add CSOps standard options
@@ -19,7 +19,7 @@
--without-passwd don't use passwd/shadow file for authentication
--with-skey=DIR enable S/Key support
--with-opie=DIR enable OPIE support
-@@ -2138,7 +2139,6 @@ else
+@@ -2163,7 +2164,6 @@ else
fi
test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
@@ -27,7 +27,7 @@
-@@ -2330,6 +2330,23 @@ fi
+@@ -2356,6 +2356,23 @@ fi
@@ -51,12 +51,28 @@
# Check whether --with-passwd was given.
if test "${with_passwd+set}" = set; then
withval=$with_passwd; case $with_passwd in
-@@ -13717,7 +13734,7 @@ if test `eval echo '${'$as_ac_Header'}'`
+@@ -14091,7 +14108,7 @@ if test `eval echo '${'$as_ac_Header'}'`
_ACEOF
- LCMAN=""
+ LOGINCAP_USAGE='[-c class|-] '; LCMAN=""
case "$OS" in
- freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
+ dragonfly*|freebsd*|netbsd*) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
esac
+@@ -21080,11 +21098,12 @@ fi
+
+ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ AUTH_OBJS="$AUTH_OBJS kerb5.o"
+- _LIBS="$LIBS"
+- LIBS="${LIBS} ${SUDO_LIBS}"
+-
+
++fi
+
++if test ${with_kerb5-'no'} != "no"; then
++_LIBS="$LIBS"
++LIBS="${LIBS} ${SUDO_LIBS}"
+ for ac_func in krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc
+ do
+ as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
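Review bot: This repeats by hand, in the generated configure, the fi / if split that patch-af makes in configure.in, and the re-added _LIBS and LIBS assignments lose the indentation the removed lines had. The two patches have to be kept in step on every update; a comment at the top of patch-ag saying it mirrors patch-af, or regenerating configure from the patched configure.in, would make that dependency explicit.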
diff -r a8c2b8d222a4 -r 275224e316f4 security/sudo/patches/patch-ai
--- a/security/sudo/patches/patch-ai Thu Feb 05 13:46:36 2009 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-$NetBSD: patch-ai,v 1.4 2008/03/11 15:52:51 taca Exp $
-
---- auth/kerb5.c.orig 2008-02-14 07:17:41.000000000 +0900
-+++ auth/kerb5.c
-@@ -220,11 +220,7 @@ kerb5_verify(pw, pass, auth)
-
- done:
- if (opts) {
--#ifdef HAVE_HEIMDAL
-- krb5_get_init_creds_opt_free(opts);
--#else
- krb5_get_init_creds_opt_free(sudo_context, opts);
--#endif
- }
- if (creds)
- krb5_free_cred_contents(sudo_context, creds);
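Review bot: patch-ai is deleted without a reason in the log. It removed the HAVE_HEIMDAL branch so that krb5_get_init_creds_opt_free(sudo_context, opts) was always called; the commit message should state whether 1.7.0 makes this unnecessary upstream or whether the patch simply no longer applies, since the choice of call now depends entirely on what configure detects.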