pkgsrc-Changes archive


CVS commit: pkgsrc/security/opendoas



Module Name:    pkgsrc
Committed By:   vins
Date:           Sun Dec  7 12:21:56 UTC 2025

Modified Files:
        pkgsrc/security/opendoas: Makefile distinfo
        pkgsrc/security/opendoas/patches: patch-GNUmakefile
Added Files:
        pkgsrc/security/opendoas/patches: patch-configure patch-doas.c
            patch-doas.h

Log Message:
security/opendoas: some fixes


To generate a diff of this commit:
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/opendoas/Makefile
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/opendoas/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/opendoas/patches/patch-GNUmakefile
cvs rdiff -u -r0 -r1.1 pkgsrc/security/opendoas/patches/patch-configure \
    pkgsrc/security/opendoas/patches/patch-doas.h
cvs rdiff -u -r0 -r1.3 pkgsrc/security/opendoas/patches/patch-doas.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/opendoas/Makefile
diff -u pkgsrc/security/opendoas/Makefile:1.8 pkgsrc/security/opendoas/Makefile:1.9
--- pkgsrc/security/opendoas/Makefile:1.8       Sun Nov 30 16:57:34 2025
+++ pkgsrc/security/opendoas/Makefile   Sun Dec  7 12:21:56 2025
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.8 2025/11/30 16:57:34 vins Exp $
+# $NetBSD: Makefile,v 1.9 2025/12/07 12:21:56 vins Exp $
 
 DISTNAME=      opendoas-6.8.2
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=duncaen/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
@@ -29,7 +29,6 @@ EGDIR=        share/examples/${PKGBASE}
 
 .include "../../mk/bsd.prefs.mk"
 
-CONFIGURE_ENV+=                OS=${LOWER_OPSYS}
 CONFIGURE_ARGS+=       --prefix=${PREFIX}
 CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFDIR}
 CONFIGURE_ARGS+=       --mandir=${PREFIX}/${PKGMANDIR}

Index: pkgsrc/security/opendoas/distinfo
diff -u pkgsrc/security/opendoas/distinfo:1.6 pkgsrc/security/opendoas/distinfo:1.7
--- pkgsrc/security/opendoas/distinfo:1.6       Mon Jul  4 08:25:58 2022
+++ pkgsrc/security/opendoas/distinfo   Sun Dec  7 12:21:56 2025
@@ -1,6 +1,9 @@
-$NetBSD: distinfo,v 1.6 2022/07/04 08:25:58 pin Exp $
+$NetBSD: distinfo,v 1.7 2025/12/07 12:21:56 vins Exp $
 
 BLAKE2s (opendoas-6.8.2.tar.gz) = c1d3b95656013d11fcf629f06dfeda6e80e33907ed25c9488d4d30755423c71f
 SHA512 (opendoas-6.8.2.tar.gz) = 4a93ff477413c859ba2702e688fa4f83248fff85e61e12336838a1e9aa1a8d9963a9782e4bc5e58e8d04b86c2c8ceb6b235ae9d3b32b3e548a2514a43653137d
 Size (opendoas-6.8.2.tar.gz) = 32430 bytes
-SHA1 (patch-GNUmakefile) = d301c0334ce6ac7992d61681e1852a301557d300
+SHA1 (patch-GNUmakefile) = a4cbff5e9a20440db9a20a81f8b629df7230b1c2
+SHA1 (patch-configure) = 5e94ee35eb6a1392adf7e41b1524ab64cf4e6eb7
+SHA1 (patch-doas.c) = 9226e8a3a6e6766b5b884e493b8dccba0d8f31ff
+SHA1 (patch-doas.h) = 2c1088eac51aed8df485f509917d9c61416273d7

Index: pkgsrc/security/opendoas/patches/patch-GNUmakefile
diff -u pkgsrc/security/opendoas/patches/patch-GNUmakefile:1.1 pkgsrc/security/opendoas/patches/patch-GNUmakefile:1.2
--- pkgsrc/security/opendoas/patches/patch-GNUmakefile:1.1      Fri Jan  1 14:28:57 2021
+++ pkgsrc/security/opendoas/patches/patch-GNUmakefile  Sun Dec  7 12:21:56 2025
@@ -1,7 +1,7 @@
-$NetBSD: patch-GNUmakefile,v 1.1 2021/01/01 14:28:57 pin Exp $
+$NetBSD: patch-GNUmakefile,v 1.2 2025/12/07 12:21:56 vins Exp $
 
-- Allow build as an unpriviliged user.
-- Install configuration files in EGDIR.
+* Allow build as an unpriviliged user.
+* Install configuration files in EGDIR.
 
 --- GNUmakefile.orig   2020-11-14 15:44:04.000000000 +0000
 +++ GNUmakefile

Added files:

Index: pkgsrc/security/opendoas/patches/patch-configure
diff -u /dev/null pkgsrc/security/opendoas/patches/patch-configure:1.1
--- /dev/null   Sun Dec  7 12:21:56 2025
+++ pkgsrc/security/opendoas/patches/patch-configure    Sun Dec  7 12:21:56 2025
@@ -0,0 +1,43 @@
+$NetBSD: patch-configure,v 1.1 2025/12/07 12:21:56 vins Exp $
+
+* Correct value assignment to GID_MAX.
+* Fix compiler host detection, by renaming HOST variable.
+
+--- configure.orig     2022-01-26 16:01:11.000000000 +0000
++++ configure
+@@ -54,7 +54,7 @@ for x; do
+       --sysconfdir) SYSCONFDIR=$var ;;
+       --pamdir) PAMDIR=$var ;;
+       --build) BUILD=$var ;;
+-      --host) HOST=$var ;;
++      --host) HOSTCC=$var ;;
+       --target) TARGET=$var ;;
+       --enable-debug) DEBUG=yes ;;
+       --enable-static) BUILD_STATIC=yes ;;
+@@ -65,7 +65,7 @@ for x; do
+       --with-timestamp) WITHOUT_TIMESTAMP= ;;
+       --without-timestamp) WITHOUT_TIMESTAMP=yes ;;
+       --uid-max) UID_MAX=$var ;;
+-      --gid-max) UID_MAX=$var ;;
++      --gid-max) GID_MAX=$var ;;
+       --help|-h) usage ;;
+       *) die "Error: unknown option $opt" ;;
+       esac
+@@ -84,13 +84,13 @@ cat <<! >$CONFIG_H
+ if [ -z "$BUILD" ]; then
+       BUILD="$(uname -m)-unknown-$(uname -s | tr '[:upper:]' '[:lower:]')"
+ fi
+-if [ -z "$HOST" ]; then
++if [ -z "$HOSTCC" ]; then
+       [ -z "$TARGET" ] && TARGET=$BUILD
+-      HOST=$TARGET
++      HOSTCC=$TARGET
+ fi
+ if [ -z "$TARGET" ]; then
+-      [ -z "$HOST" ] && HOST=$BUILD
+-      TARGET=$HOST
++      [ -z "$HOSTCC" ] && HOSTCC=$BUILD
++      TARGET=$HOSTCC
+ fi
+ 
+ if [ -z "$OS" ]; then
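Review bot: The header line for the `HOST` to `HOSTCC` rename does not say what the old name collided with, so a reader cannot judge whether the rename is complete. Please state the cause there, e.g. `* Rename HOST to HOSTCC; HOST can already be set in the build environment and was then taken as the --host value.` (the cause is inferred here, confirm it before committing the wording). Any `$HOST` read elsewhere in configure, outside these three inner hunks, would still see the inherited value, so the rest of the script is worth checking. `HOSTCC` conventionally names a host C compiler while this variable holds a target triplet, so a name such as `HOST_TRIPLET` would read more clearly. Since the Makefile in this commit also drops `CONFIGURE_ENV+= OS=${LOWER_OPSYS}`, OS now depends on the `if [ -z "$OS" ]` block that begins on the last line of the hunk and continues outside it.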
Index: pkgsrc/security/opendoas/patches/patch-doas.h
diff -u /dev/null pkgsrc/security/opendoas/patches/patch-doas.h:1.1
--- /dev/null   Sun Dec  7 12:21:56 2025
+++ pkgsrc/security/opendoas/patches/patch-doas.h       Sun Dec  7 12:21:56 2025
@@ -0,0 +1,15 @@
+$NetBSD: patch-doas.h,v 1.1 2025/12/07 12:21:56 vins Exp $
+
+Change permit to be more bits away from deny.
+
+--- doas.h.orig        2025-12-07 12:02:39.178742668 +0000
++++ doas.h
+@@ -36,7 +36,7 @@ struct passwd;
+ char **prepenv(const struct rule *, const struct passwd *,
+     const struct passwd *);
+ 
+-#define PERMIT        1
++#define PERMIT        -1
+ #define DENY  2
+ 
+ #define NOPASS                0x1
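Review bot: The patch header gives only "more bits away from deny" and, unlike patch-doas.c, no upstream reference, so the reason for the odd-looking `#define PERMIT -1` is lost on the next maintainer. A short rationale in the header would help, e.g. `PERMIT (all bits set) and DENY (0x2) differ in 31 of 32 bits on a 32-bit int, so a few flipped bits in memory cannot turn a deny into a permit`, along with the upstream commit it comes from. Writing the value as `#define PERMIT (-1)` keeps the negative constant a single unit wherever the macro is expanded. The change also assumes the rule's `action` field is a signed int; struct rule is outside this hunk, so that should be confirmed.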

Index: pkgsrc/security/opendoas/patches/patch-doas.c
diff -u /dev/null pkgsrc/security/opendoas/patches/patch-doas.c:1.3
--- /dev/null   Sun Dec  7 12:21:56 2025
+++ pkgsrc/security/opendoas/patches/patch-doas.c       Sun Dec  7 12:21:56 2025
@@ -0,0 +1,49 @@
+$NetBSD: patch-doas.c,v 1.3 2025/12/07 12:21:56 vins Exp $
+
+Backport commit from OpenBSD/src, which attempts to make doas more
+resistant to rowhammer attacks.
+https://github.com/openbsd/src/commit/38599afa1d1d1f14a897b01350e8ce94486e1788
+
+--- doas.c.orig        2025-12-07 11:59:21.090136657 +0000
++++ doas.c
+@@ -148,6 +148,8 @@ permit(uid_t uid, gid_t *groups, int ngr
+                       *lastr = rules[i];
+       }
+       if (!*lastr)
++              return -1;
++      if ((*lastr)->action == PERMIT)
+               return 0;
+       return (*lastr)->action == PERMIT;
+ }
+@@ -184,6 +186,7 @@ checkconfig(const char *confpath, int ar
+     uid_t uid, gid_t *groups, int ngroups, uid_t target)
+ {
+       const struct rule *rule;
++      int rv;
+ 
+       if (setresuid(uid, uid, uid) != 0)
+               err(1, "setresuid");
+@@ -192,8 +195,9 @@ checkconfig(const char *confpath, int ar
+       if (!argc)
+               exit(0);
+ 
+-      if (permit(uid, groups, ngroups, &rule, target, argv[0],
+-          (const char **)argv + 1)) {
++      rv = permit(uid, groups, ngroups, &rule, target, argv[0],
++              (const char **)argv + 1);
++      if (rv == 0) {
+               printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
+               exit(0);
+       } else {
+@@ -347,8 +351,9 @@ main(int argc, char **argv)
+       }
+ 
+       cmd = argv[0];
+-      if (!permit(uid, groups, ngroups, &rule, target, cmd,
+-          (const char **)argv + 1)) {
++      rv = permit(uid, groups, ngroups, &rule, target, cmd,
++      (const char **)argv + 1);
++      if (rv != 0) {
+               syslog(LOG_AUTHPRIV | LOG_NOTICE,
+                   "command not permitted for %s: %s", mypw->pw_name, cmdline);
+               errc(1, EPERM, NULL);
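Review bot: In the first inner hunk, permit() keeps the old last line `return (*lastr)->action == PERMIT;` as context after the new `if ((*lastr)->action == PERMIT) return 0;`. That line is now reached only when the last matching rule is not PERMIT, and it then evaluates to 0, the value both callers read as success (`rv == 0` in checkconfig, `rv != 0` failing in main). As the hunk reads, a matching deny rule would be treated as permitted. The final statement should fail closed, `return -1;`, and the result should be checked against the upstream commit cited in the header. Any correction also needs the SHA1 for patch-doas.c in distinfo regenerated; permit() begins above the hunk, and `rv` in main is assumed to be declared outside the last hunk.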


