Bug 239629

Summary: security/doas: Update to 6.1
Product: Ports & Packages
Reporter: Jesse Smith <jsmith>
Component: Individual Port(s)
Assignee: Kai Knoblich <kai>
Status: Closed FIXED
Severity: Affects Some People
CC: jsmith, kai
Priority: ---
Flags: kai: merge-quarterly+
Version: Latest
Hardware: Any
OS: Any
URL: https://github.com/slicer69/doas/releases/tag/6.1

Attachments:
  Port patch to upgrade port to 6.1 (flags: none)
  doas-6.1-revised.patch (flags: jsmith: maintainer-approval+)

Description Jesse Smith 2019-08-03 21:00:48 UTC
Created attachment 206256 [details]
Port patch to upgrade port to 6.1

The attached port updates security/doas to upstream version 6.1. This change introduces two important changes:

1. Most environment variables are no longer copied to the target user's environment. This avoids corrupting files through use of $HOME, for example. When environment variables are required, keepenv can be set in the doas.conf file.

2. The target user's sanitized $PATH can be set at compile time to avoid passing malicious executables to the target user's path.
Comment 1 Kai Knoblich freebsd_committer freebsd_triage 2019-08-04 10:41:32 UTC
Created attachment 206269 [details]
doas-6.1-revised.patch

Hi,

thank you for the patch. It compiles fine and I did some improvements, as the 6.1 release now uses a hardcoded variable that is then used for the PATH environment variable of the target user.

The revised patch is based upon your initial patch with the following modifications/improvements:

- Define a _GLOBAL_PATH variable that contains upstream's default value. That variable will be passed to MAKE_ENV as TARGETPATH. This avoids patching and users can easily change the value for their needs.

- Update the pkg-message for new users with an explanation taken from doas.conf(5) and also add a short note for users that are upgrading to the 6.1 release.

- Sort the port's Makefile variables to pet portlint/portclippy and remove the redundant use of GH_PROJECT - it's derived automatically from PORTNAME.

If you are fine with these changes, please set the "maintainer-approval" flag of the attachment to "+".
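The environment handling described in the report and the build-time PATH variable discussed above, modelled as an added example (not doas's own code, nor the port's): the caller's environment is reduced to a small allowlist plus whatever a keepenv rule names, the caller's PATH is never inherited, and the target PATH comes from a compile-time TARGETPATH macro. The safe-set contents, the default PATH value and the sample environment are all assumptions constructed for this example.

```c
#include <string.h>
/* Sanitized PATH for the target user, fixed at build time; a build can override
 * it with -DTARGETPATH="...". This default is an assumed value, not upstream's. */
#ifndef TARGETPATH
#define TARGETPATH "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
#endif
/* Variables always carried over (an assumed allowlist, not doas's exact list). */
static const char *const safeset[] = { "HOME", "LOGNAME", "SHELL", "TERM", "USER", NULL };

/* True if environment entry e has the form "NAME=..." */
static int name_matches(const char *e, const char *name) {
    size_t n = strlen(name);
    return strncmp(e, name, n) == 0 && e[n] == '=';
}
static int in_list(const char *e, const char *const *list) {
    for (; list && *list; list++) if (name_matches(e, *list)) return 1;
    return 0;
}
/* Keep only safe-set and keepenv variables, never inherit the caller's PATH,
 * then append the build-time PATH. Returns the entry count; out is NULL-ended. */
int build_target_env(const char *const *caller_env, const char *const *keepenv,
                     const char **out, int outmax) {
    int n = 0;
    for (; *caller_env && n < outmax - 2; caller_env++) {
        if (name_matches(*caller_env, "PATH")) continue;
        if (in_list(*caller_env, safeset) || in_list(*caller_env, keepenv))
            out[n++] = *caller_env;
    }
    out[n++] = "PATH=" TARGETPATH;
    out[n] = NULL;
    return n;
}

/* Constructed sample caller environment; a keepenv rule retains only EDITOR. */
static const char *const sample_caller[] = { "HOME=/home/alice", "USER=alice",
    "PATH=/tmp/untrusted:/usr/bin", "LD_PRELOAD=/tmp/untrusted/hook.so",
    "EDITOR=vi", "SHELL=/bin/sh", NULL };
static const char *const sample_keepenv[] = { "EDITOR", NULL };
static const char *sample_out[64];

/* Sanitize the sample; returns 5 entries: HOME, USER, EDITOR, SHELL and PATH. */
int sample_env_count(void) {
    return build_target_env(sample_caller, sample_keepenv, sample_out, 64);
}
/* Value of NAME in the sanitized sample, or NULL if it was dropped. */
const char *sample_env_get(const char *name) {
    sample_env_count();
    for (const char **e = sample_out; *e; e++)
        if (name_matches(*e, name)) return *e + strlen(name) + 1;
    return NULL;
}
```

Variables such as LD_PRELOAD and the caller's own PATH never reach the target user, while a keepenv entry must be named explicitly to survive.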
Comment 2 commit-hook freebsd_committer freebsd_triage 2019-08-04 15:44:18 UTC
A commit references this bug:

Author: kai
Date: Sun Aug  4 15:43:28 UTC 2019
New revision: 508097
URL: https://svnweb.freebsd.org/changeset/ports/508097

Log:
  security/doas: Update to 6.1

  * Update the pkg-message to give users that install/upgrade the port some
    info about the changed behavior regarding the environment variables. [1]

  * Make the configuration of target user's sanitized $PATH that is set at
    compile time more flexible by enabling users to configure it via
    _GLOBAL_PATH. [2]

  * Also pet portlint/portclippy by placing USES to the top of the USES block
    and remove the superfluous occurrence of GH_PROJECT while I'm here.

  Changelog:

  * Most environment variables are no longer copied to the target user's
    environment. This avoids corrupting files through use of $HOME, for
    example.

    When environment variables are required, keepenv can be set in the
    doas.conf file.

  * The target user's sanitized $PATH can be set at compile time to avoid
    passing malicious executables to the target user's path.

  https://github.com/slicer69/doas/releases/tag/6.1

  PR:		239629
  Submitted by:	jsmith@resonatingmedia.com (maintainer)
  Approved by:	jsmith@resonatingmedia.com (maintainer) [1] [2]
  MFH:		2019Q3

Changes:
  head/security/doas/Makefile
  head/security/doas/distinfo
  head/security/doas/files/pkg-message.in
Comment 3 Kai Knoblich freebsd_committer freebsd_triage 2019-08-04 15:45:33 UTC
Committed to the head branch, thank you for the quick approval!

Still waiting for the approval of the ports-secteam to commit it to the 2019Q3 branch.
Comment 4 commit-hook freebsd_committer freebsd_triage 2019-08-05 09:18:38 UTC
A commit references this bug:

Author: kai
Date: Mon Aug  5 09:17:46 UTC 2019
New revision: 508148
URL: https://svnweb.freebsd.org/changeset/ports/508148

Log:
  MFH: r506905 r508097

  security/doas: Convert pkg-message to UCL

  security/doas: Update to 6.1

  * Update the pkg-message to give users that install/upgrade the port some
    info about the changed behavior regarding the environment variables. [1]

  * Make the configuration of target user's sanitized $PATH that is set at
    compile time more flexible by enabling users to configure it via
    _GLOBAL_PATH. [2]

  * Also pet portlint/portclippy by placing USES to the top of the USES block
    and remove the superfluous occurrence of GH_PROJECT while I'm here.

  Changelog:

  * Most environment variables are no longer copied to the target user's
    environment. This avoids corrupting files through use of $HOME, for
    example.

    When environment variables are required, keepenv can be set in the
    doas.conf file.

  * The target user's sanitized $PATH can be set at compile time to avoid
    passing malicious executables to the target user's path.

  https://github.com/slicer69/doas/releases/tag/6.1

  PR:		239629
  Submitted by:	jsmith@resonatingmedia.com (maintainer)
  Approved by:	jsmith@resonatingmedia.com (maintainer) [1] [2]
  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/security/doas/Makefile
  branches/2019Q3/security/doas/distinfo
  branches/2019Q3/security/doas/files/pkg-message.in
Comment 5 Kai Knoblich freebsd_committer freebsd_triage 2019-08-05 09:22:25 UTC
Committed to the 2019Q3 branch, all done!
Comment 6 commit-hook freebsd_committer freebsd_triage 2019-08-09 21:14:16 UTC
A commit references this bug:

Author: kai
Date: Fri Aug  9 21:13:57 UTC 2019
New revision: 508483
URL: https://svnweb.freebsd.org/changeset/ports/508483

Log:
  security/vuxml: Document security/doas issues

  PR:		239629

Changes:
  head/security/vuxml/vuln.xml
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-08-15 21:23:37 UTC
A commit references this bug:

Author: kai
Date: Thu Aug 15 21:22:37 UTC 2019
New revision: 509055
URL: https://svnweb.freebsd.org/changeset/ports/509055

Log:
  security/vuxml: Update entry for security/doas

  * Add a reference to OpenBSD's tech mailing list that explains the issues
    with doas(1)'s environmental security in further detail.
  * Clarify the origins of the reporting sources and fix a grammar nit.

  PR:		239629
  Reported by:	Sander Bos

Changes:
  head/security/vuxml/vuln.xml