head 1.5; access; symbols pkgsrc-2013Q2:1.5.0.10 pkgsrc-2013Q2-base:1.5 pkgsrc-2012Q4:1.5.0.8 pkgsrc-2012Q4-base:1.5 pkgsrc-2011Q4:1.5.0.6 pkgsrc-2011Q4-base:1.5 pkgsrc-2011Q2:1.5.0.4 pkgsrc-2011Q2-base:1.5 pkgsrc-2009Q4:1.5.0.2 pkgsrc-2009Q4-base:1.5 pkgsrc-2008Q4:1.4.0.12 pkgsrc-2008Q4-base:1.4 pkgsrc-2008Q3:1.4.0.10 pkgsrc-2008Q3-base:1.4 cube-native-xorg:1.4.0.8 cube-native-xorg-base:1.4 pkgsrc-2008Q2:1.4.0.6 pkgsrc-2008Q2-base:1.4 cwrapper:1.4.0.4 pkgsrc-2008Q1:1.4.0.2 pkgsrc-2008Q1-base:1.4 pkgsrc-2007Q4:1.3.0.4 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.2 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.1.0.4 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.2; locks; strict; comment @# @; 1.5 date 2009.02.05.13.48.12; author taca; state dead; branches; next 1.4; 1.4 date 2008.03.11.15.52.51; author taca; state Exp; branches 1.4.12.1; next 1.3; 1.3 date 2007.07.23.16.38.37; author tls; state dead; branches; next 1.2; 1.2 date 2007.07.02.06.04.03; author tls; state Exp; branches; next 1.1; 1.1 date 2007.06.25.23.53.28; author tls; state Exp; branches 1.1.2.1; next ; 1.4.12.1 date 2009.02.05.17.00.25; author tron; state dead; branches; next ; 1.1.2.1 date 2007.06.25.23.53.28; author ghen; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2007.06.26.11.59.28; author ghen; state Exp; branches; next ; desc @@ 1.5 log @Update security/sudo package to 1.7.0. * pkgsrc change: relax restriction to kerberos package. What's new in Sudo 1.7.0? * Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications. * Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files. * Sudo's -l (list) flag has been enhanced: o applicable Defaults options are now listed o a command argument can be specified for testing whether a user may run a specific command. 
o a new -U flag can be used in conjunction with "sudo -l" to allow root (or a user with "sudo ALL") list another user's privileges. * A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification. * A uid may now be used anywhere a username is valid. * The "secure_path" run-time Defaults option has been restored. * Password and group data is now cached for fast lookups. * The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line. * Visudo will now warn about aliases that are defined but not used. * The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run. * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: sudoers: ldap files to check LDAP, then /etc/sudoers. The default is "files", even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. * Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run. * If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass. * A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. 
* A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run. * A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required. * If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified. * Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must press ^C or ^D at the prompt. * visudo will now check the sudoers file owner and mode in -c (check) mode when the -s (strict) flag is specified. @ text @$NetBSD: patch-ai,v 1.4 2008/03/11 15:52:51 taca Exp $ --- auth/kerb5.c.orig 2008-02-14 07:17:41.000000000 +0900 +++ auth/kerb5.c @@@@ -220,11 +220,7 @@@@ kerb5_verify(pw, pass, auth) done: if (opts) { -#ifdef HAVE_HEIMDAL - krb5_get_init_creds_opt_free(opts); -#else krb5_get_init_creds_opt_free(sudo_context, opts); -#endif } if (creds) krb5_free_cred_contents(sudo_context, creds); @ 1.4 log @Update sudo package to 1.6.9p14. pkgsrc changes: - Explict to depends security/heimdal package when kerberos option is specified. PR pkg/37999 should be fixed. Change: 646) Sudo will now set the nproc resource limit to unlimited on Linux systems to work around Linux's setuid() resource limit semantics. On PAM systems the resource limits will be reset by pam_limits.so before the command is executed. 647) SELinux support that can be used to implement role based access control (RBAC). A role and (optional) type may be specified in sudoers or on the command line. These are then used in the security context that the command is run as. 648) Fixed a Kerberos 5 compilation problem with MIT Kerberos. Sudo 1.6.9p13 released. 
649) Fixed an invalid assumption in the PAM conversation function introduced in version 1.6.9p9. The conversation function may be called for non-password reading purposes as well. 650) Fixed freeing an uninitialized pointer in -l mode, introduced in version 1.6.9p13. 651) Check /etc/sudoers after LDAP even if the user was found in LDAP. This allows Defaults options in /etc/sudoers to take effect. 652) Add missing checks for enforcing mode in SELinux RBAC mode. Sudo 1.6.9p14 released. @ text @d1 1 a1 1 $NetBSD$ @ 1.4.12.1 log @Pullup ticket #2688 - requested by taca sudo: security update Revisions pulled up: - security/sudo/Makefile 1.114 - security/sudo/PLIST 1.3 - security/sudo/distinfo 1.57 - security/sudo/options.mk 1.16 - security/sudo/patches/patch-aa 1.20 - security/sudo/patches/patch-af 1.21 - security/sudo/patches/patch-ag 1.13 - security/sudo/patches/patch-ai delete --- Module Name: pkgsrc Committed By: taca Date: Thu Feb 5 13:48:12 UTC 2009 Modified Files: pkgsrc/security/sudo: Makefile PLIST distinfo options.mk pkgsrc/security/sudo/patches: patch-aa patch-af patch-ag Removed Files: pkgsrc/security/sudo/patches: patch-ai Log Message: Update security/sudo package to 1.7.0. * pkgsrc change: relax restriction to kerberos package. What's new in Sudo 1.7.0? * Rewritten parser that converts sudoers into a set of data structures. This eliminates a number of ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command. It also adds support for per-command Defaults specifications. * Sudoers now supports a #include facility to allow the inclusion of other sudoers-format files. * Sudo's -l (list) flag has been enhanced: o applicable Defaults options are now listed o a command argument can be specified for testing whether a user may run a specific command. o a new -U flag can be used in conjunction with "sudo -l" to allow root (or a user with "sudo ALL") list another user's privileges. 
* A new -g flag has been added to allow the user to specify a primary group to run the command as. The sudoers syntax has been extended to include a group section in the Runas specification. * A uid may now be used anywhere a username is valid. * The "secure_path" run-time Defaults option has been restored. * Password and group data is now cached for fast lookups. * The file descriptor at which sudo starts closing all open files is now configurable via sudoers and, optionally, the command line. * Visudo will now warn about aliases that are defined but not used. * The -i and -s command line flags now take an optional command to be run via the shell. Previously, the argument was passed to the shell as a script to run. * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.: sudoers: ldap files to check LDAP, then /etc/sudoers. The default is "files", even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. * Support for /etc/environment on AIX and Linux. If sudo is run with the -i flag, the contents of /etc/environment are used to populate the new environment that is passed to the command being run. * If no terminal is available or if the new -A flag is specified, sudo will use a helper program to read the password if one is configured. Typically, this is a graphical password prompter such as ssh-askpass. * A new Defaults option, "mailfrom" that sets the value of the "From:" field in the warning/error mail. If unspecified, the login name of the invoking user is used. * A new Defaults option, "env_file" that refers to a file containing environment variables to be set in the command being run. 
* A new flag, -n, may be used to indicate that sudo should not prompt the user for a password and, instead, exit with an error if authentication is required. * If sudo needs to prompt for a password and it is unable to disable echo (and no askpass program is defined), it will refuse to run unless the "visiblepw" Defaults option has been specified. * Prior to version 1.7.0, hitting enter/return at the Password: prompt would exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password. To exit sudo, the user must press ^C or ^D at the prompt. * visudo will now check the sudoers file owner and mode in -c (check) mode when the -s (strict) flag is specified. @ text @d1 1 a1 1 $NetBSD: patch-ai,v 1.4 2008/03/11 15:52:51 taca Exp $ @ 1.3 log @Update sudo to 1.6.9. We don't take the new default of PAM and no other authentication; that can be enabled by adding pam to the package options if users desire. @ text @d1 1 a1 1 $NetBSD: patch-ai,v 1.2 2007/07/02 06:04:03 tls Exp $ d3 11 a13 23 --- auth/kerb5.c.orig 2005-03-29 23:38:36.000000000 -0500 +++ auth/kerb5.c 2007-07-02 01:44:01.000000000 -0400 @@@@ -57,7 +57,7 @@@@ #ifdef HAVE_HEIMDAL # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) # define krb5_free_data_contents(c, d) krb5_data_free(d) -# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */ +# define ENCTYPE_DES_CBC_MD5 0 /* 0 is wildcard */ #else # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data) #endif @@@@ -269,12 +269,11 @@@@ * and enctype is currently ignored anyhow.) */ if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0, - ENCTYPE_DES_CBC_MD5, &keyblock))) { + 0, &keyblock))) { /* Keytab or service key does not exist. 
*/ log_error(NO_EXIT, "%s: host service key not found: %s", auth_name, error_message(error)); - error = 0; goto cleanup; d15 2 a16 1 if (keyblock) @ 1.2 log @On some hosts, this package's configure script fails to detech Heimdal (in fact, it's not clear that there is a good way to do so). The resulting configuration works fine *except* if it encounters a host that has 3DES but no DES service keys in its keytab. Fix this by explicitly passing 0 ("default enctype") to Kerberos. @ text @d1 1 a1 1 $NetBSD: $ @ 1.1 log @Add file omitted from previous commit. @ text @d4 1 a4 1 +++ auth/kerb5.c 2007-06-25 04:51:20.000000000 -0400 d14 7 a20 1 @@@@ -274,7 +274,6 @@@@ @ 1.1.2.1 log @file patch-ai was added on branch pkgsrc-2007Q1 on 2007-06-26 11:59:28 +0000 @ text @d1 21 @ 1.1.2.2 log @Pullup ticket 2121, 2122 - requested by tls security fix for sudo - pkgsrc/security/sudo/Makefile 1.90 - pkgsrc/security/sudo/distinfo 1.35 - pkgsrc/security/sudo/patches/patch-ah 1.5 - pkgsrc/security/sudo/patches/patch-ai 1.1 Module Name: pkgsrc Committed By: tls Date: Mon Jun 25 09:53:42 UTC 2007 Modified Files: pkgsrc/security/sudo: Makefile distinfo pkgsrc/security/sudo/patches: patch-ah Log Message: Fix privilege-escalation vulnerability with PKG_OPTIONS.sudo=kerberos: cleanse environment of variables that alter behavior of Kerberos library so the user can't override the default keytab location, and do *not* ignore missing keytab errors. Prevents root compromise via spoofed KDC on systems with Kerberos libraries but no host key in keytab, no keytab, or keytab overidden via environment. Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES only. Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch of sudo (presently beta) but equivalent (though not as clean). --- Module Name: pkgsrc Committed By: tls Date: Mon Jun 25 23:53:28 UTC 2007 Added Files: pkgsrc/security/sudo/patches: patch-ai Log Message: Add file omitted from previous commit. 
@ text @a0 21 $NetBSD$ --- auth/kerb5.c.orig 2005-03-29 23:38:36.000000000 -0500 +++ auth/kerb5.c 2007-06-25 04:51:20.000000000 -0400 @@@@ -57,7 +57,7 @@@@ #ifdef HAVE_HEIMDAL # define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1) # define krb5_free_data_contents(c, d) krb5_data_free(d) -# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */ +# define ENCTYPE_DES_CBC_MD5 0 /* 0 is wildcard */ #else # define extract_name(c, p) (krb5_princ_component(c, p, 1)->data) #endif @@@@ -274,7 +274,6 @@@@ log_error(NO_EXIT, "%s: host service key not found: %s", auth_name, error_message(error)); - error = 0; goto cleanup; } if (keyblock) @
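Review bot: In the patch stored as the head text (auth/kerb5.c, hunk at -220,11, under the done: label of kerb5_verify), the one-argument call krb5_get_init_creds_opt_free(opts) is dropped together with its #ifdef HAVE_HEIMDAL guard, and nothing in the patch records which Heimdal release the remaining two-argument call requires. The removed branch shows that some Heimdal builds needed the one-argument form, so either keep the guard and select the form with a configure check on the function's signature, or add a comment naming the minimum Heimdal version that the package's heimdal dependency guarantees. As written, a build against a Heimdal with the older prototype no longer matches the call in the cleanup path of password verification.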
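Review bot: In the hunk at -57,7 of auth/kerb5.c, redefining ENCTYPE_DES_CBC_MD5 to 0 leaves a constant whose name says DES-CBC-MD5 while its value means "any enctype", and the redefinition only takes effect under #ifdef HAVE_HEIMDAL. The 1.2 log in this file notes that configure can fail to detect Heimdal, in which case this define is never reached and the DES-only lookup stays in place. Passing a literal 0 at the krb5_kt_read_service_key call site, as the -269,12 hunk in the later revision does, is the clearer fix; once that is in, this redefinition should be dropped rather than carried alongside it, unless another use of the macro remains.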
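Review bot: The deletion of "error = 0;" in the hunk at -274,7 is the security-relevant change, yet the hunk leaves nothing at the site explaining why the error must now propagate. The commit log ties it to a spoofed KDC being accepted when the keytab or host key is missing; a one-line comment above "goto cleanup;" stating that a missing host service key must fail verification would keep a later tidy-up from restoring the assignment. The log_error call still passes NO_EXIT, so the failure depends entirely on the value of error at cleanup, which is worth saying in that comment.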
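Review bot: In the hunk at -269,12, replacing ENCTYPE_DES_CBC_MD5 with a bare 0 leaves the krb5_kt_read_service_key call ending in "princ, 0, 0, &keyblock", two adjacent unlabeled zeros whose meanings (key version, then enctype) are easy to swap or misread. Annotate each argument inline, for example /* vno: any */ and /* enctype: any */, and update the context comment that says the enctype "is currently ignored anyhow", since the 1.2 log describes hosts with 3DES but no DES service keys where the value did matter. The retained comment "Keytab or service key does not exist." also reads as a benign condition now that the same hunk stops clearing error; reword it to say that verification fails in this case.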