sudo 1.8.3_2 security =477

Allow others to run commands as root
Maintained by: wxs@FreeBSD.org
Port Added: unknown
License: not specified in port

---

---

This is the CU version of sudo.

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity.  The basic philosophy is to
give as few privileges as possible but still allow people to get their
work done.

MAILING LISTS:

Please send bugs, problems, comments, etc to sudo-bugs@courtesan.com
There is a mailing list that receives announcements whenever a new
version of sudo is released.  You can subscribe to it by sending a
message to "majordomo@courtesan.com" that includes the line
"subscribe sudo-announce".  There is also a list for people working
on sudo.  The command to add yourself is "subscribe sudo-workers".

WWW: http://www.courtesan.com/sudo/

CVSWeb : Sources : Main Web Site : Distfiles Availability : PortsMon

---

NOTE: FreshPorts displays only required dependencies information. Optional dependencies are not covered.
Required Libraries: devel/gettext

Required by:
for Run

security/sudosh2 security/sudosh3 sysutils/dtc

---

To install the port: cd /usr/ports/security/sudo/ && make install clean
To add the package: pkg_add -r sudo

---

Configuration Options

===> The following configuration options are available for sudo-1.8.3_2:
     LDAP=off (default) "With LDAP support"
     INSULTS=off (default) "With all insults"
     DISABLE_ROOT_SUDO=off (default) "Disable root sudo"
     DISABLE_AUTH=off (default) "Disable authentication"
     NOARGS_SHELL=off (default) "Enable no arguments shell"
     AUDIT=on (default) "Enable BSM audit support"
===> Use 'make config' to modify these settings

---

Master Sites:

http://www.sudo.ws/sudo/dist/

http://ftp.arcane-networks.fr/pub/mirrors/sudo/

http://sudo.p8ra.de/sudo/dist/

http://sudo.cybermirror.org/

http://sudo-ftp.basemirror.de/

http://core.ring.gr.jp/archives/misc/sudo/

http://www.ring.gr.jp/archives/misc/sudo/

http://ftp.twaren.net/Unix/Security/Sudo/

ftp://ftp.sudo.ws/pub/sudo/

ftp://plier.ucar.edu/pub/sudo/

ftp://obsd.isc.org/pub/sudo/

ftp://ftp.uwsg.indiana.edu/pub/security/sudo/

ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/

ftp://sunsite.ualberta.ca/pub/Mirror/sudo/

ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/

ftp://zoot.tele.dk/pub/sudo/

ftp://ftp.in2p3.fr/pub/sudo/

ftp://ftp.arcane-networks.fr/pub/mirrors/sudo/

ftp://ftp.usbm.de/pub/sudo/

ftp://ftp.cs.tu-berlin.de/pub/misc/sudo/

ftp://ftp.informatik.uni-hamburg.de/pub/os/unix/utils/sudo/

ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/

ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/

ftp://core.ring.gr.jp/pub/misc/sudo/

ftp://ftp.ring.gr.jp/pub/misc/sudo/

ftp://sunsite.icm.edu.pl/packages/sudo/

ftp://mirror.cdmon.com/pub/sudo/

ftp://ftp.twaren.net/Unix/Security/Sudo/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

If you used LDAP and NOPORTDOCS then the documentation directory would be
left behind on install. The upstream Makefile would create the directory
and put sudoers2ldif there, but pkg-plist would not register it properly.

This fix moves sudoers2ldif to 'bin' since it isn't really documentation.
It's installation is still controlled by the LDAP knob though.

Spotted by:     scheidell@

Update to 1.8.3p2

Security:       7c920bb7-4b5f-11e1-9f47-00e0815b8da8

Switch to using MASTER_SITE_SUDO.

- Remove WITH_FBSD10_FIX, is no longer needed

- Use DISTNAME instead of DISTFILES and remove WRKSRC.

Submitted by:   sunpoet@

Fix version number going backwards.

Noticed by:     erwin@

- Update to 1.8.3p1

Fix build on FreeBSD 10

Approved by:    portmgr (miwi)

- Update to 1.8.3.

- Add LDFLAGS to CONFIGURE_ENV and MAKE_ENV (as it was done with LDFLAGS)
- Fix all ports that add {CPP,LD}FLAGS to *_ENV to modify flags instead

PR:             157936
Submitted by:   myself
Exp-runs by:    pav
Approved by:    pav

- Switch to using bsd.port.options.mk.

- Update to 1.8.2
- Now depend on gettext
- While here, use DISTVERSION.

- Remove dead MASTER_SITES.

Noticed by:     The Distilator

Update to 1.8.1p2

Add an AUDIT option, which is off by default for now. I will turn it on
with the next significant bump.

Submitted by:   Mike Kelly (private mail)

Update to 1.8.1p1.
No longer need to worry about etc/sudoers.d problem, as it is no longer
a fatal error.

Fix a typo in pkg-install. Should use -m and not -M for install(1).

Noticed by:     sunpoet@

The install process checks the validity of sudoers before installing
etc/sudoers.d. If you have an sudoers with the includedir directive the
install will fail. Fix this by creating the directory in a pre-install
target.

This should fix "The Great sudo Debacle of 2011" once and for all.

Tested by:      dougb@

Revert the removal of sudoers.d. It is a POLA violation. While here remove
the UPDATING entry as it no longer applies.

We don't install a sudoers.d, remove that from the default sudoers file.

PR:             ports/156305
Submitted by:   Helmut Schneider <jumper99@gmx.de>
                Anatoly Borodin <anatoly.borodin@gmail.com>

Update to 1.8.1. There are a lot of behind-the-scenes changes in this port,
including a plugin system now.

While here, do some whitespace fixes.

Update to 1.7.4p6.

"This release fixes a bug in the I/O logging support that could cause visual
artifacts in full-screen programs such as text editors.  This bug was listed as
fixed in sudo 1.7.4p5 but the fix was merged incorrectly."

Feature safe:   yes

Update to 1.7.4p5.

Special thanks to rea@ for commiting the appropriate VuXML for me. :)

PR:             ports/153939
Submitted by:   rea@
Security:       908f4cf2-1e8b-11e0-a587-001b77d09812
Feature safe:   yes

Work around annoying, but harmless, bug with install(1) using "-b~" by changing
it to use "-b ~".
While here also strip libsudo_noexec.so.

Submitted by:   John Hein (private mail)

Add a bunch of new mirrors and remove dead ones. The mirror list now matches
http://www.sudo.ws/sudo/download_mirrors.html.

Noticed by:     The Distilator

Add two missing files when LDAP knob is on. No need to bump PORTREVISION as it
defaults to off.

Remove SHELL_SETS_HOME knob since as far as I can tell it doesn't do anything
anymore. The configure script still supports it but the behavior is now
controlled by a setting in the configuration file "Defaults env_keep += HOME".

Fix packaging.

PR:             ports/150371
Submitted by:   Sunpoet Po-Chuan Hsieh <sunpoet@sunpoet.net>, dim@

Update to 1.7.4p4 to address a couple of minor bugs and Runas group
vulnerability.
While I'm here also cleanup files/patch-Makefile.in.

Security:       67b514c3-ba8f-11df-8f6e-000c29a67389

Fix package installation by correcting usage of %B and installing a file
to make sure the empty directory is created.

PR:             ports/149912
Submitted by:   Alexey V.Degtyarev <alexey@renatasystems.org>

Strip the binaries by default. No need to bump PORTREVISION for such a
minor change.

PR:             ports/149135
Submitted by:   Anonymous <swell.k@gmail.com>

Update to 1.7.4p3
Install etc/pam.d/sudo and etc/pam.d/sudo.default

Fix problems when upgrading using packages:
 - Always install sudoers.sample.
 - There is no need for pkg-install anymore.
 - Bump PORTREVISION.

Update to 1.7.4p2.

Remove unsupported argument to configure.

PR:             ports/148378
Submitted by:   Jeremy Chadwick <freebsd@jdc.parodius.com>
Feature safe:   yes

Update to 1.7.3

Feature safe:   yes

Update to 1.7.2p7.

Security:       d42e5b66-6ea0-11df-9c8d-00e0815b8da8

- Update to 1.7.2p6 (security fix).

Security:       1a9f678d-48ca-11df-85f8-000c29a67389

- Update to 1.7.2p5. Security fix (1.7.2p4) and general bug fixes beyond that.

Security:       018a84d0-2548-11df-b4a3-00e0815b8da8
Feature safe:   yes

- Fix options screen to have a shorter description.

Noticed by:     garga@

- Update to 1.7.2.2
- Mark jobs safe
- Cleanup whitespace in OPTIONS
- [1] Add ability to specify syslog facility at build time (defaults to local2,
  no functional change)
- [2] Add ability to specify ldap configuration file (defaults to
  ${PREFIX}/etc/ldap.conf, no functional change)

PR:             [2]: ports/127822
Submitted by:   [1]: skreuzer@ (private mail)
                [2]: Sergey Skvortsov <skv@freebsd.org>

- Take maintainer. Thanks Tom for all your hard work on this.

Approved by:    tmclaugh

Add OPTIONS for WITH_DISABLE_ROOT_SUDO, WITH_DISABLE_AUTH, and
WITH_NOARGS_SHELL

Submitted by:   Scott Fultz

Security update for sudo to 1.6.9p20 for CVE 2009-0034

Changes:
- Only use the cached supplementory group vector when matching groups
  for the invoking user. (security)
- When setting the umask, use the union of the user's umask and the
  default value set in sudoers so that we never lower the user's umask
  when running a command.
- Sudo now operates in the C locale again when doing a match against
  sudoers.

PR:             131446
Submitted by:   Eygene Ryabinkin
Security:       vid:13d6d997-f455-11dd-8516-001b77d09812

- Add FTP_PASSIVE_MODE to example env_keep line for pkg utilities and fetch.

Suggested by:   koitsu

Update CONFIGURE_ARGS for how we pass CONFIGURE_TARGET to configure script.
Specifically, newer autoconf (> 2.13) has different semantic of the
configure target. In short, one should use --build=CONFIGURE_TARGET
instead of CONFIGURE_TARGET directly. Otherwise, you will get a warning
and the old semantic may be removed in later autoconf releases.

To workaround this issue, many ports hack the CONFIGURE_TARGET variable
so that it contains the ``--build='' prefix.

To solve this issue, under the fact that some ports still have
configure script generated by the old autoconf, we use runtime detection
in the do-configure target so that the proper argument can be used.

Changes to Mk/*:
 - Add runtime detection magic in bsd.port.mk

- Update to 1.6.9p17
* the -i flag implies resetting the environment as it did prior to
  1.6.9.  The -i and -E flags are now mutually-exclusive.

- Fix pkg-plist, libtool archive is no longer installed.

Prompted by:    pavmail

- Update to 1.6.9p15
* The HOME environment variable is once again preserved by default, as per
  the documentation.

- Finally remember to fix the $FreeBSD$ line in pam file.

- Update to 1.6.9p14

* Check sudoers even if user is found in LDAP so Defaults can take
  effect.
* Fix crash when pam_lastlog is (incorrectly) usesd in session section
  of PAM file.

Update to 1.6.9p12

Changes:
- The ALL command in sudoers now implies SETENV permissions.
- The command search is now performed using the target user's auxiliary
  group vector too.
- Various LDAP code improvements.
- Added passprompt_override flag to sudoers to cause sudo's prompt to be
  used in all cases.  Also set when the -p flag is used.
- New %p prompt escape that expands to the user whose password is being
  prompted, as specified by the rootpw, targetpw and runaspw sudoers
  flags.

- Make fetchable again.  Add my MASTER_SITE_LOCAL to the mix and replace
  a number of outdated sites.

Notified by:    Ferenc Gartner
Approved by:    portmgr (linimon, erwin)

Update to 1.6.9p6
- Sudo now only prints the password prompt if the process is in the
  foreground.

Update to 1.6.9p5:
- Fixed a bug in the IP address matching introduced by the IPV6 merge.
- Fixed sudoedit when used on a non-existent file.
- Groups and netgroups are now valid in an LDAP sudoRunas statement.

Install schema.OpenLDAP into DOCSDIR.

Prompted by:    flz

Update to 1.6.9p4
- IPv6 support added.
- Added notes to default sudoers for handling environmental variables
  related to our pkg_* tools and portupgrade.

- Work around broken configure script and explicitly set location of
  sudo_noexec.so to unbreak NOEXEC option. [1]
- Build using --with-secure-path if SUDO_SECURE_PATH is set when
  building the port.  SUDO_SECURE_PATH should be set to a PATH string.
  [2]
- Don't bother deleting sudo_noexec.la.  Deleting the file after it's
  installed is ugly and since it's not harmful it's not worth patching
  the install.
- Set CONFIGURE_TARGET.

PR:             115442 [1], 115381 [2]
Submitted by:   vd [1], Janos Mohacsi [2]

Fix session stack in default pam file.

Update to 1.6.9p3
- Fixes bug related to supplemental group matching

Update to 1.6.9p2
- Environment handling fix.

Fix PORTVERSION

Noticed by:     ume

- Update to 1.6.9p1
  * Worked around a bug in some PAM implementations that caused a crash
    when no tty was present.
  * Fixed a crash on some platforms in the error logging function.
- Change default pam session stack to pam_permit like su does [1]
- Grab maintainership

Sugested by:    des [1]

- Fix segfault when there is no TTY when executing. [1]
- Temporarilly disable session entry in default pam file because
  pam_lastlog causes users to appear as though they have logged out in
  system logs. [2]

Reported by:    yarodin@gmail.com [1], Paul Fraser <pfraser@gmail.com> [2]
Submitted by:   Todd Miller [1]

Update to 1.6.9

Application changes:
- PAM, since present, is used by default.
- Environment variable handling has changed significantly.
- Sudo checks the user's supplemental group vector so nsswitch order is
  no longer important for group based rules.
(See UPGRADE and CHANGING under share/doc/sudo/ for more.)

Port changes:
- PAM file is no longer clobered on reinstall.
- OPIE option has been removed due to PAM being used by default.
- Selected documentation is now installed.

- Add an option to enable insults

Submitted by:   Dan Casey <dcasey@debtresolve.com>

Install a PAM policy, rather than just suggesting that the admin do so.

Reset mharo due to maintainer-timeouts and no response to PRs.

Hat:            portmgr

fix option text

Reported by: Nick Fishman <kwlogical@bellsouth.net>

- Add LDAP support (off by default)
- OPTIONS'fy
- Remove obsoleted USE_REINPLACE

PR:             ports/95598
Submitted by:   Dmitriy Kirhlarov <dkirhlarov@localhost.oilspace.com>
Approved by:    maintainer timeout (2 weeks)

SHA256ify

Approved by: krion@

- Remove etc/sudoers on deinstall if user haven't modified it

PR:             ports/69288 (based on)
Approved by:    maintainer timeout (mharo; year and a half)

Upgrade to 1.6.8.12

PR:             88865
Submitted by:   Phil Oleson <oz@nixil.net>

Security update to latest release: 1.6.8p9.

<Security Alert>
Summary:
A race condition in Sudo's command pathname handling prior
to Sudo version 1.6.8p9 that could allow a user with Sudo
privileges to run arbitrary commands.
Sudo versions affected:
Sudo versions 1.3.1 up to and including 1.6.8p8.
</Security Alert>

More information about this incident available at:
http://www.sudo.ws/sudo/alerts/path_race.html

Upgrade to 1.6.8p8

update to 1.6.8p7

Upgrade to 1.6.8p6

Update to 1.6.8p5

Update to latest release of sudo

Update to sudo-1.6.3p8, which *really* includes the CDPATH fix, and
another one that does not directly affect FreeBSD (our _PATH_VARTMP
was fine before, too).

Approved by:    mharo (maintainer)

strip out CDPATH

Submitted by:   Peter Pentchev <roam@ringlet.net>

Update to 1.6.8p2

 o Bash exported functions and the CDPATH variable are now stripped from
   the environment passed to the program to be executed.

Update to 1.6.8p1

Submitted by:   many people
Approved by:    portsmgr (marcus)

Update to 1.6.8

Undo yesterdays change after sysutils/porttools suddenly failed.

Kris (bento (noh! pointyhat)) reported it

PR:             ports/58387

[PATCH] security/sudo: Utilize EXAMPLESDIR

        Utilize EXAMPLESDIR to improves layout; i.e.,

          configuration file        -> ${PREFIX}/etc
          sample configuration file -> ${PREFIX}/share/examples/${PORTNAME}

        This change helps if many configuration files and sample ones exist.

PR:             ports/58387
Submitted by:   Hideyuki KURASHINA <rushani@FreeBSD.org>

Add SIZE

Add more MASTER_SITES and remove dead one

Add another MASTER_SITE

Submitted by:   "Michael Sharp" <ms@probsd.org>

Add WITH_SHELL_SETS_HOME knob to security/sudo

PR:             47087
Submitted by:       Stefan Farfeleder <stefan@fafoe.dyndns.org>

upgrade from 1.6.7.4 to 1.6.7.5

PR:             52237
Submitted by:   Sergey A. Osokin <osa@FreeBSD.org.ru>

update from 1.6.6 to 1.6.7p4

PR:             51084
Submitted by:   Sergey A. Osokin  <osa@freebsd.org.ru>

Clear moonlight beckons.
Requiem mors pacem pkg-comment,
And be calm ports tree.

E Nomini Patri, E Fili, E Spiritu Sancti.

Add a patch from the Sudo CVS repository for proper handling of
the PAM transition from echoed to non-echoed input.

PR:             46026
Approved by:    mharo (maintainer)

don't depend on perl

Submitted by:   David Yeske <dyeske@yahoo.com>

remove insults and allow root to use sudo

update to 1.6.6

revert change from this morning

Patch sudo 1.6.5.2 with GlobalInterSec's sudo patch.

update to 1.6.5p2    

update the distfile name    

12 vulnerabilities affecting 31 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities