diff options
author | Kai Knoblich <kai@FreeBSD.org> | 2019-08-04 15:43:27 +0000 |
---|---|---|
committer | Kai Knoblich <kai@FreeBSD.org> | 2019-08-04 15:43:27 +0000 |
commit | 2c4ec752b6aab18fd834b47a950931e8238bea42 (patch) | |
tree | 56ca64ce85d28e8ad9985b3011e015e82dbc2d23 /security/doas | |
parent | 264424aa5d6d0bedf3f8020dabb22f01b95b9028 (diff) | |
download | ports-2c4ec752b6aab18fd834b47a950931e8238bea42.tar.gz ports-2c4ec752b6aab18fd834b47a950931e8238bea42.zip |
security/doas: Update to 6.1
* Update the pkg-message to give users that install/upgrade the port some
info about the changed behavior regarding the environment variables. [1]
* Make the configuration of target user's sanitized $PATH that is set at
compile time more flexible by enabling users to configure it via
_GLOBAL_PATH. [2]
* Also pet portlint/portclippy by placing USES to the top of the USES block
and remove the superfluous occurence of GH_PROJECT while I'm here.
Changelog:
* Most environment variables are no longer copied to the target user's
environment. This avoids corrupting files through use of $HOME, for
example.
When environment variables are required, keepenv can be set in the
doas.conf file.
* The target user's sanitized $PATH can be set at compile time to avoid
passing malicious executables to the target user's path.
https://github.com/slicer69/doas/releases/tag/6.1
PR: 239629
Submitted by: jsmith@resonatingmedia.com (maintainer)
Approved by: jsmith@resonatingmedia.com (maintainer) [1] [2]
MFH: 2019Q3
Notes
Notes:
svn path=/head/; revision=508097
Diffstat (limited to 'security/doas')
-rw-r--r-- | security/doas/Makefile | 15 | ||||
-rw-r--r-- | security/doas/distinfo | 6 | ||||
-rw-r--r-- | security/doas/files/pkg-message.in | 22 |
3 files changed, 35 insertions, 8 deletions
diff --git a/security/doas/Makefile b/security/doas/Makefile index b906add081ad..9b7d9306afb4 100644 --- a/security/doas/Makefile +++ b/security/doas/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= doas -PORTVERSION= 6.0p3 +PORTVERSION= 6.1 CATEGORIES= security MAINTAINER= jsmith@resonatingmedia.com @@ -12,11 +12,11 @@ LICENSE_COMB= multi LICENSE_FILE_BSD2CLAUSE= ${WRKSRC}/LICENSE LICENSE_FILE_ISCL= ${WRKSRC}/LICENSE +USES= gmake USE_GITHUB= yes GH_ACCOUNT= slicer69 -GH_PROJECT= doas -USES= gmake +MAKE_ENV+= TARGETPATH=-DGLOBAL_PATH='\"${_GLOBAL_PATH}\"' BINMODE= 4755 @@ -25,6 +25,15 @@ PLIST_FILES= bin/doas \ man/man5/doas.conf.5.gz \ man/man1/doas.1.gz +# These are upstream's default paths that are set for the GLOBAL_PATH variable +# in doas.h since the 6.1 release. Those paths are then used for target user's +# PATH variable instead of those of the original user. +# +# See also: +# * https://github.com/slicer69/doas/blob/6.1/doas.h#L36 +# * https://github.com/slicer69/doas/releases/tag/6.1 +_GLOBAL_PATH?= ${LOCALBASE}/sbin:${LOCALBASE}/bin:/usr/sbin:/usr/bin:/sbin:/bin + do-install: ${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin ${INSTALL_MAN} ${WRKSRC}/doas.1 ${STAGEDIR}${MAN1PREFIX}/man/man1 diff --git a/security/doas/distinfo b/security/doas/distinfo index 1e00fd7b167a..5fa1c0b0f1fc 100644 --- a/security/doas/distinfo +++ b/security/doas/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1552317435 -SHA256 (slicer69-doas-6.0p3_GH0.tar.gz) = abf7911df661fd82acc3ff71724b73cf0f2102f8a5379153a1c031b285ed8c97 -SIZE (slicer69-doas-6.0p3_GH0.tar.gz) = 18470 +TIMESTAMP = 1564865652 +SHA256 (slicer69-doas-6.1_GH0.tar.gz) = f6ae5243a711774cd46d5087c544e7feead7e138c6053c030c47489a722033f2 +SIZE (slicer69-doas-6.1_GH0.tar.gz) = 19965 diff --git a/security/doas/files/pkg-message.in b/security/doas/files/pkg-message.in index cb6c3f4e13c3..9febb5615a54 100644 --- a/security/doas/files/pkg-message.in +++ b/security/doas/files/pkg-message.in @@ -5,9 +5,27 @@ To use doas, %%PREFIX%%/etc/doas.conf -must be created. +must be created. Refer to doas.conf(5) for further details. -Refer to doas.conf(5). +Note: In order to be able to run most desktop (GUI) applications, the user +needs to have the keepenv keyword specified. If keepenv is not specified then +key elements, like the user's $HOME variable, will be reset and cause the GUI +application to crash. + +Users who only need to run command line applications can usually get away +without keepenv. + +When in doubt, try to avoid using keepenv as it is less secure to have +environment variables passed to privileged users. +EOD +} +{ type: upgrade + maximum_version: "6.1" + message: <<EOD +With the 6.1 release the transfer of most environment variables (e.g. USER, +HOME and PATH) from the original user to the target user has changed. + +Please refer to doas.conf(5) for further details. EOD } ] |