ports/115381: [PATCH] security/sudo: [SUMMARIZE CHANGES]
Janos Mohacsi
janos.mohacsi at bsd.hu
Fri Aug 10 14:20:02 UTC 2007
>Number: 115381
>Category: ports
>Synopsis: [PATCH] security/sudo: [SUMMARIZE CHANGES]
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 10 14:20:00 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Janos Mohacsi
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
NIIF/HUNGARNET
>Environment:
System: FreeBSD scone.ki.iif.hu 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Jun 27 18:22:17 CEST 2007
>Description:
- Add possibility to specify additional path to default secure_path.
This is important since the environment resetting is rather different after
1.6.9 than earlier in sudo. This is documented also in OpenBSD:
http://www.undeadly.org/cgi?action=article&sid=20070726192925
- small cosmetic changes in the Makefile
Port maintainer (tmclaugh at FreeBSD.org) is cc'd.
Generated with FreeBSD Port Tools 0.77
>How-To-Repeat:
The possibility to set a safe PATH is important. Especially integrating
/usr/local/... since some tools are using
#!/bin/env python
construction and /usr/local/bin is not set as a default secure_path....
>Fix:
--- sudo-1.6.9.3_2.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/security/sudo.orig/Makefile /usr/ports/security/sudo/Makefile
--- /usr/ports/security/sudo.orig/Makefile 2007-08-06 09:40:47.000000000 +0200
+++ /usr/ports/security/sudo/Makefile 2007-08-10 16:00:35.000000000 +0200
@@ -7,7 +7,7 @@
PORTNAME= sudo
PORTVERSION= 1.6.9.3
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.sudo.ws/sudo/dist/ \
http://probsd.org/sudoftp/ \
@@ -37,7 +37,9 @@
OPTIONS= LDAP "With LDAP support" off \
INSULTS "With all insults" off \
- SHELL_SETS_HOME "Set HOME env to target user in shell mode" off
+ SHELL_SETS_HOME "Set HOME env to target user in shell mode" off \
+ LOCAL_BIN "use /usr/local/bin in the search PATH" off \
+ LOCAL_SBIN "use /usr/local/sbin in the search PATH" off \
.include <bsd.port.pre.mk>
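Review bot: The new last OPTIONS entry, the LOCAL_SBIN line, ends with a continuation backslash, so the assignment runs on into whatever line follows it; the previous final entry (SHELL_SETS_HOME) had none. Drop the trailing "\" from the LOCAL_SBIN line. The two descriptions should also start with a capital like the existing ones, and since the directories actually added are ${LOCALBASE}/bin and ${LOCALBASE}/sbin, the text should not hard-code /usr/local.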
@@ -59,6 +61,19 @@
CONFIGURE_ARGS+=--enable-shell-sets-home
.endif
+SUDO_SECURE_PATH_DEF="/bin:/usr/bin:/usr/sbin:/sbin"
+.if defined(WITH_LOCAL_BIN) && defined(WITH_LOCAL_SBIN)
+SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/bin:${LOCALBASE}/sbin"
+.elif defined(WITH_LOCAL_BIN)
+SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/bin"
+.elif defined(WITH_LOCAL_SBIN)
+SUDO_SECURE_PATH="${SUDO_SECURE_PATH_DEF}:${LOCALBASE}/sbin"
+.endif
+
+.if defined(WITH_LOCAL_BIN) || defined(WITH_LOCAL_SBIN)
+CONFIGURE_ARGS+=--with-secure-path="${SUDO_SECURE_PATH}"
+.endif
+
MAN5= sudoers.5
MAN8= sudo.8 visudo.8
MLINKS= sudo.8 sudoedit.8
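Review bot: The double quotes in the SUDO_SECURE_PATH_DEF and SUDO_SECURE_PATH assignments are literal in make, so the value is already wrapped in nested quotes by the time it reaches --with-secure-path="${SUDO_SECURE_PATH}", and the configure argument only comes out right because the shell pairs the adjacent quotes up. Assign both variables unquoted and quote once, in the CONFIGURE_ARGS line. The three-way .if/.elif can then be reduced to starting from the default and appending :${LOCALBASE}/bin and :${LOCALBASE}/sbin under two separate .if defined(...) blocks. Because these directories become part of the PATH used for commands run through sudo, the option text or a pkg-message should tell the administrator that ${LOCALBASE}/bin and ${LOCALBASE}/sbin must be writable by root only.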
@@ -69,7 +84,7 @@
${INSTALL_DATA} ${FILESDIR}/pam.conf ${PREFIX}/etc/pam.d/sudo.default
if [ ! -e ${PREFIX}/etc/pam.d/sudo ]; then \
- cp -p ${PREFIX}/etc/pam.d/sudo.default \
+ ${CP} -p ${PREFIX}/etc/pam.d/sudo.default \
${PREFIX}/etc/pam.d/sudo ;\
fi
--- sudo-1.6.9.3_2.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: