- Mark jobs safe
- Cleanup whitespace in OPTIONS
- [1] Add ability to specify syslog facility at build time (defaults to local2,
no functional change)
- [2] Add ability to specify ldap configuration file (defaults to
${PREFIX}/etc/ldap.conf, no functional change)
PR: [2]: ports/127822
Submitted by: [1]: skreuzer@ (private mail)
[2]: Sergey Skvortsov <skv@freebsd.org>
Changes:
- Only use the cached supplementary group vector when matching groups
for the invoking user. (security)
- When setting the umask, use the union of the user's umask and the
default value set in sudoers so that we never lower the user's umask
when running a command.
- Sudo now operates in the C locale again when doing a match against
sudoers.
PR: 131446
Submitted by: Eygene Ryabinkin
Security: vid:13d6d997-f455-11dd-8516-001b77d09812
Specifically, newer autoconf (> 2.13) has different semantics of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantics may be removed in later autoconf releases.
To work around this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.
To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.
Changes to Mk/*:
- Add runtime detection magic in bsd.port.mk
- Remove CONFIGURE_TARGET hack in various bsd.*.mk
- USE_GNOME=gnometarget is now a no-op
Changes to individual ports, other than removing the CONFIGURE_TARGET hack:
= pkg-plist changed (due to the ugly CONFIGURE_TARGET prefix in * executables)
- comms/gnuradio
- science/abinit
- science/elmer-fem
- science/elmer-matc
- science/elmer-meshgen2d
- science/elmerfront
- science/elmerpost
= use x86_64 as ARCH
- devel/g-wrap
= other changes
- print/magicfilter
GNU_CONFIGURE -> HAS_CONFIGURE since it's not generated by autoconf
Total # of ports modified: 1,027
Total # of ports affected: ~7,000 (set GNU_CONFIGURE to yes)
PR: 126524 (obsoletes 52917)
Submitted by: rafan
Tested on: two pointyhat 7-amd64 exp runs (by pav)
Approved by: portmgr (pav)
* The HOME environment variable is once again preserved by default, as per
the documentation.
- Finally remember to fix the $FreeBSD$ line in pam file.
* Check sudoers even if user is found in LDAP so Defaults can take
effect.
* Fix crash when pam_lastlog is (incorrectly) used in session section
of PAM file.
Changes:
- The ALL command in sudoers now implies SETENV permissions.
- The command search is now performed using the target user's auxiliary
group vector too.
- Various LDAP code improvements.
- Added passprompt_override flag to sudoers to cause sudo's prompt to be
used in all cases. Also set when the -p flag is used.
- New %p prompt escape that expands to the user whose password is being
prompted, as specified by the rootpw, targetpw and runaspw sudoers
flags.
- Fixed a bug in the IP address matching introduced by the IPV6 merge.
- Fixed sudoedit when used on a non-existent file.
- Groups and netgroups are now valid in an LDAP sudoRunas statement.
sudo_noexec.so to unbreak NOEXEC option. [1]
- Build using --with-secure-path if SUDO_SECURE_PATH is set when
building the port. SUDO_SECURE_PATH should be set to a PATH string.
[2]
- Don't bother deleting sudo_noexec.la. Deleting the file after it's
installed is ugly and since it's not harmful it's not worth patching
the install.
- Set CONFIGURE_TARGET.
PR: 115442 [1], 115381 [2]
Submitted by: vd [1], Janos Mohacsi [2]
* Worked around a bug in some PAM implementations that caused a crash
when no tty was present.
* Fixed a crash on some platforms in the error logging function.
- Change default pam session stack to pam_permit like su does [1]
- Grab maintainership
Suggested by: des [1]
- Temporarily disable session entry in default pam file because
pam_lastlog causes users to appear as though they have logged out in
system logs. [2]
Reported by: yarodin@gmail.com [1], Paul Fraser <pfraser@gmail.com> [2]
Submitted by: Todd Miller [1]
Application changes:
- PAM, since present, is used by default.
- Environment variable handling has changed significantly.
- Sudo checks the user's supplemental group vector so nsswitch order is
no longer important for group based rules.
(See UPGRADE and CHANGING under share/doc/sudo/ for more.)
Port changes:
- PAM file is no longer clobbered on reinstall.
- OPIE option has been removed due to PAM being used by default.
- Selected documentation is now installed.
<Security Alert>
Summary:
A race condition in Sudo's command pathname handling prior
to Sudo version 1.6.8p9 that could allow a user with Sudo
privileges to run arbitrary commands.
Sudo versions affected:
Sudo versions 1.3.1 up to and including 1.6.8p8.
</Security Alert>
More information about this incident available at:
http://www.sudo.ws/sudo/alerts/path_race.html