Bug 248434

Summary: security/acme: Backport fix for running under sudo
Product: Ports & Packages Reporter: John W. O'Brien <john>
Component: Individual Port(s)Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: dvl
Priority: --- Flags: john: maintainer-feedback? (dvl)
Version: Latest   
Hardware: Any   
OS: Any   
URL: https://github.com/acmesh-official/acme.sh/pull/2574
Attachments:
Description Flags
security/acme.sh: Backport fix for running under sudo john: maintainer-approval? (dvl)

Description John W. O'Brien 2020-08-02 16:08:38 UTC 
Created attachment 216961 [details]
security/acme.sh: Backport fix for running under sudo

Changelog
=========

*   Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash
*   While here, add missing files to pkg-plist


QA
==

portlint: OK
poudriere: OK -- testport on 12.1-RELEASE-p7 amd64
Comment 1 Dan Langille freebsd_committer freebsd_triage 2020-08-02 16:12:04 UTC 
partial duplicate of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248425
Comment 2 John W. O'Brien 2020-08-02 16:19:19 UTC 
(In reply to Dan Langille from comment #1)
Oops! My tree was at r543917 (2020-08-01 13:08:55 -0400). Shall I re-spin the patch?
Comment 3 Dan Langille freebsd_committer freebsd_triage 2020-08-02 16:28:27 UTC 
(In reply to John W. O'Brien from comment #2)
No need to redo.

I want to understand this:

    if [ -n "$SUDO_COMMAND" ]; then
      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
      _endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
      return $?
    fi


If SUDO_COMMAND is not null

exit with the string:

"$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells

I think that tells the user: "you need to be doing it this way"

Am I following?
Comment 4 John W. O'Brien 2020-08-02 16:46:47 UTC 
(In reply to Dan Langille from comment #3)

That sounds about right. At a high level, it recognizes any command ending with "/bin/su" and any command found in /etc/shells as a sane sudo environment, and anything else as sufficiently problematic to warrant scolding the user and requiring --force.

Without this patch, only /bin/su (exact) and /bin/bash (exact) are considered sane, which means doing something obvious like

    sudo -i -u acme
    acme.sh # ...

triggers the scolding on FreeBSD.
Comment 5 commit-hook freebsd_committer freebsd_triage 2020-08-02 17:16:52 UTC 
A commit references this bug:

Author: dvl
Date: Sun Aug  2 17:16:31 UTC 2020
New revision: 543980
URL: https://svnweb.freebsd.org/changeset/ports/543980

Log:
  Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash

  PR:		248434
  Submitted by:	John W. O'Brien <john@saltant.com>

Changes:
  head/security/acme.sh/Makefile
  head/security/acme.sh/files/patch-acme.sh
Comment 6 Dan Langille freebsd_committer freebsd_triage 2020-08-02 17:17:31 UTC 
Is this worth sending upstream? If so, I will, and let them decide what to do.
Comment 7 John W. O'Brien 2020-08-02 17:24:12 UTC 
(In reply to Dan Langille from comment #6)

This was obtained from an upstream pull request.

https://github.com/acmesh-official/acme.sh/pull/2574
Comment 8 Dan Langille freebsd_committer freebsd_triage 2020-08-02 17:25:47 UTC 
Thank you