git: 2030729b0ff7 - main - security/sudo-rs: add new port, rust re-implementation of sudo

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Koichiro Iwao <meta_at_FreeBSD.org>
Date: Tue, 08 Apr 2025 00:21:19 UTC
The branch main has been updated by meta:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2030729b0ff7207ccd185bce1d1e2400d20fb4fe

commit 2030729b0ff7207ccd185bce1d1e2400d20fb4fe
Author:     Marc Schoolderman <marc@trifectatech.org>
AuthorDate: 2025-04-04 15:21:59 +0000
Commit:     Koichiro Iwao <meta@FreeBSD.org>
CommitDate: 2025-04-08 00:20:48 +0000

    security/sudo-rs: add new port, rust re-implementation of sudo
    
    Reviewed by:    meta, mikael
    PR:             285861
    WWW:            https://github.com/trifectatechfoundation/sudo-rs/
---
 security/sudo-rs/Makefile       | 78 +++++++++++++++++++++++++++++++++++++++++
 security/sudo-rs/distinfo       | 15 ++++++++
 security/sudo-rs/files/pam.conf | 16 +++++++++
 security/sudo-rs/files/sudoers  | 73 ++++++++++++++++++++++++++++++++++++++
 security/sudo-rs/pkg-descr      |  6 ++++
 security/sudo-rs/pkg-plist      | 10 ++++++
 6 files changed, 198 insertions(+)

diff --git a/security/sudo-rs/Makefile b/security/sudo-rs/Makefile
new file mode 100644
index 000000000000..0541804b25f7
--- /dev/null
+++ b/security/sudo-rs/Makefile
@@ -0,0 +1,78 @@
+PORTNAME=	sudo-rs
+PORTVERSION=	0.2.5
+DISTVERSIONPREFIX=	v
+CATEGORIES=	security
+
+MAINTAINER=	marc@trifectatech.org
+COMMENT=	Allow others to run commands as root
+WWW=		https://trifectatech.org/initiatives/privilege-boundary/
+
+LICENSE=	APACHE20 MIT
+LICENSE_COMB=	dual
+LICENSE_FILE_APACHE20=	${WRKSRC}/LICENSE-APACHE
+LICENSE_FILE_MIT=	${WRKSRC}/LICENSE-MIT
+
+BUILD_DEPENDS=	pandoc:${PORTSDIR}/textproc/hs-pandoc
+
+USES=		cargo
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	trifectatechfoundation
+GH_TAGNAME=	main
+
+CARGO_CRATES=	diff-0.1.13 \
+		glob-0.3.2 \
+		libc-0.2.170 \
+		log-0.4.26 \
+		pretty_assertions-1.4.1 \
+		yansi-1.0.1
+
+.if !defined(USER) || ${USER} == root
+CARGO_TEST=	no
+.endif
+
+PLIST_SUB+=	RS_SUFFIX=${RS_SUFFIX}
+
+PORTDOCS=	CHANGELOG.md CONTRIBUTING.md COPYRIGHT LICENSE-* README.md \
+		SECURITY.md
+
+OPTIONS_DEFINE=	COEXIST DOCS
+OPTIONS_SUB=	yes
+
+COEXIST_DESC=			Install using -rs prefix to coexist with security/sudo
+COEXIST_CONFLICTS_INSTALL_OFF=	sudo
+COEXIST_VARS=			RS_SUFFIX=-rs
+
+post-patch:
+	${REINPLACE_CMD} -E -e "s:(/usr/local)?/etc:${LOCALBASE}/etc:" ${WRKSRC}/src/sudo/mod.rs
+
+post-build:
+.for man in sudo.8 visudo.8 sudoers.5
+	@${MKDIR} ${WRKDIR}/docs/man
+	pandoc -s -t man ${WRKSRC}/docs/man/${man}.md -o ${WRKDIR}/docs/man/${man}
+.endfor
+
+post-install:
+	${MV} ${STAGEDIR}${PREFIX}/bin/visudo ${STAGEDIR}${PREFIX}/sbin/visudo${RS_SUFFIX}
+	${INSTALL_MAN} ${WRKDIR}/docs/man/sudo.8 ${STAGEDIR}${PREFIX}/share/man/man8/sudo${RS_SUFFIX}.8
+	${INSTALL_MAN} ${WRKDIR}/docs/man/visudo.8 ${STAGEDIR}${PREFIX}/share/man/man8/visudo${RS_SUFFIX}.8
+	${INSTALL_MAN} ${WRKDIR}/docs/man/sudoers.5 ${STAGEDIR}${PREFIX}/share/man/man5/sudoers${RS_SUFFIX}.5
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/sudoers.d
+	${MKDIR} ${STAGEDIR}${PREFIX}/etc/pam.d
+	${MKDIR} ${STAGEDIR}/var/run/sudo
+	${MKDIR} ${STAGEDIR}/var/db/sudo
+# we are not going to try to replace 'su', since that is part of FreeBSD itself
+	${RM} ${STAGEDIR}${PREFIX}/bin/su
+
+post-install-COEXIST-on:
+	${MV} ${STAGEDIR}${PREFIX}/bin/sudo ${STAGEDIR}${PREFIX}/bin/sudo${RS_SUFFIX}
+
+post-install-COEXIST-off:
+	${INSTALL_DATA} ${FILESDIR}/pam.conf ${STAGEDIR}${PREFIX}/etc/pam.d/sudo.default
+	${INSTALL_DATA} ${FILESDIR}/sudoers ${STAGEDIR}${PREFIX}/etc/sudoers.dist
+
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR}
+
+.include <bsd.port.mk>
diff --git a/security/sudo-rs/distinfo b/security/sudo-rs/distinfo
new file mode 100644
index 000000000000..5d7966a4ccbf
--- /dev/null
+++ b/security/sudo-rs/distinfo
@@ -0,0 +1,15 @@
+TIMESTAMP = 1743665625
+SHA256 (rust/crates/diff-0.1.13.crate) = 56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8
+SIZE (rust/crates/diff-0.1.13.crate) = 46216
+SHA256 (rust/crates/glob-0.3.2.crate) = a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2
+SIZE (rust/crates/glob-0.3.2.crate) = 22359
+SHA256 (rust/crates/libc-0.2.170.crate) = 875b3680cb2f8f71bdcf9a30f38d48282f5d3c95cbf9b3fa57269bb5d5c06828
+SIZE (rust/crates/libc-0.2.170.crate) = 760076
+SHA256 (rust/crates/log-0.4.26.crate) = 30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e
+SIZE (rust/crates/log-0.4.26.crate) = 47022
+SHA256 (rust/crates/pretty_assertions-1.4.1.crate) = 3ae130e2f271fbc2ac3a40fb1d07180839cdbbe443c7a27e1e3c13c5cac0116d
+SIZE (rust/crates/pretty_assertions-1.4.1.crate) = 78952
+SHA256 (rust/crates/yansi-1.0.1.crate) = cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049
+SIZE (rust/crates/yansi-1.0.1.crate) = 75497
+SHA256 (trifectatechfoundation-sudo-rs-v0.2.5-main_GH0.tar.gz) = 0eb28fe7aacd79505c2949a4318d079a39151d9646e057ff6f362e8f2706cfb5
+SIZE (trifectatechfoundation-sudo-rs-v0.2.5-main_GH0.tar.gz) = 707844
diff --git a/security/sudo-rs/files/pam.conf b/security/sudo-rs/files/pam.conf
new file mode 100644
index 000000000000..e70ff2093eea
--- /dev/null
+++ b/security/sudo-rs/files/pam.conf
@@ -0,0 +1,16 @@
+# PAM configuration for the "sudo" service
+#
+
+# auth
+auth		include		system
+
+# account
+account		include		system
+
+# session
+# XXX: pam_lastlog (used in system) causes users to appear as though
+# they are no longer logged in in system logs.
+session		required	pam_permit.so
+
+# password
+password	include		system
diff --git a/security/sudo-rs/files/sudoers b/security/sudo-rs/files/sudoers
new file mode 100644
index 000000000000..99ef7934c811
--- /dev/null
+++ b/security/sudo-rs/files/sudoers
@@ -0,0 +1,73 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+
+## Defaults specification
+##
+## Preserve editor environment variables for visudo.
+## To preserve these for all commands, remove the "!visudo" qualifier.
+Defaults!/usr/local/sbin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"
+##
+## Use a hard-coded PATH instead of the user's to find commands.
+## This also helps prevent poorly written scripts from running
+## arbitrary commands under sudo.
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment if needed to preserve environmental variables related to the
+## FreeBSD pkg utility and fetch.
+# Defaults     env_keep += "PKG_CACHEDIR PKG_DBDIR FTP_PASSIVE_MODE"
+##
+## Additionally uncomment if needed to preserve environmental variables
+## related to portupgrade
+# Defaults     env_keep += "PORTSDIR PORTS_INDEX PORTS_DBDIR PACKAGES PKGTOOLS_CONF"
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to disable "use_pty" when running commands as root.
+## Commands run as non-root users will run in a pseudo-terminal,
+## not the user's own terminal, to prevent command injection.
+# Defaults>root !use_pty
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL:ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL:ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL:ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /usr/local/etc/sudoers.d
+@includedir sudoers.d
diff --git a/security/sudo-rs/pkg-descr b/security/sudo-rs/pkg-descr
new file mode 100644
index 000000000000..e02b45a024ad
--- /dev/null
+++ b/security/sudo-rs/pkg-descr
@@ -0,0 +1,6 @@
+Sudo-rs is a memory safe re-implementation of the sudo utility.
+
+Sudo is a program designed to allow a sysadmin to give limited root
+privileges to users and log root activity.  The basic philosophy is to
+give as few privileges as possible but still allow people to get their
+work done.
diff --git a/security/sudo-rs/pkg-plist b/security/sudo-rs/pkg-plist
new file mode 100644
index 000000000000..e8bdee449e15
--- /dev/null
+++ b/security/sudo-rs/pkg-plist
@@ -0,0 +1,10 @@
+@(,,4755) bin/sudo%%RS_SUFFIX%%
+sbin/visudo%%RS_SUFFIX%%
+share/man/man5/sudoers%%RS_SUFFIX%%.5.gz
+share/man/man8/sudo%%RS_SUFFIX%%.8.gz
+share/man/man8/visudo%%RS_SUFFIX%%.8.gz
+%%NO_COEXIST%%@sample etc/pam.d/sudo.default etc/pam.d/sudo
+%%NO_COEXIST%%@sample etc/sudoers.dist etc/sudoers
+@dir etc/sudoers.d
+@dir /var/db/sudo
+@dir /var/run/sudo