Created attachment 216961
security/acme.sh: Backport fix for running under sudo
* Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash
* While here, add missing files to pkg-plist
poudriere: OK -- testport on 12.1-RELEASE-p7 amd64
partial duplicate of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248425
(In reply to Dan Langille from comment #1)
Oops! My tree was at r543917 (2020-08-01 13:08:55 -0400). Shall I re-spin the patch?
(In reply to John W. O'Brien from comment #2)
No need to redo.
I want to understand this:
if [ -n "$SUDO_COMMAND" ]; then
#it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
_endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
If SUDO_COMMAND is not null
exit with the string:
"$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells
I think that tells the user: "you need to be doing it this way"
Am I following?
(In reply to Dan Langille from comment #3)
That sounds about right. At a high level, it recognizes any command ending with "/bin/su" and any command found in /etc/shells as a sane sudo environment, and anything else as sufficiently problematic to warrant scolding the user and requiring --force.
Without this patch, only /bin/su (exact) and /bin/bash (exact) are considered sane, which means doing something obvious like
sudo -i -u acme
acme.sh # ...
triggers the scolding on FreeBSD.
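The check quoted in comment #3 and explained in comment #4, re-implemented as a stand-alone shell script (an added example, not acme.sh's own code and not part of this patch). The shell list is a constructed stand-in for /etc/shells so it runs anywhere; `_endswith`, `is_sane_sudo` and `check_sudo_env` are names chosen here. The one deliberate difference from the original line is that the shells lookup uses `grep -Fx`, so `$SUDO_COMMAND` is compared literally instead of being interpreted as a regular expression.

```shell
#!/bin/sh
# Added example (not acme.sh's code): the sudo-sanity decision described in
# the bug discussion. acme.sh tests "$SUDO_COMMAND" against /etc/shells; this
# script uses a constructed list instead so it can run without that file.

# Constructed stand-in for /etc/shells on a FreeBSD host (assumption).
SANE_SHELLS='/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
/usr/local/bin/zsh'

# _endswith STRING SUFFIX: succeed if STRING ends with SUFFIX.
# Same role as the acme.sh helper of that name; this body is ours.
_endswith() {
  case "$1" in
    *"$2") return 0 ;;
    *)     return 1 ;;
  esac
}

# is_sane_sudo CMD: succeed when CMD is a sudo invocation worth accepting,
# i.e. it ends with /bin/su ("sudo su") or is exactly a shell in the list
# ("sudo -i" / "sudo -s" set SUDO_COMMAND to the target user's shell).
# -F: literal match, -x: whole line, so "/bin/s." or "/bin/shx" do not pass.
is_sane_sudo() {
  _endswith "$1" /bin/su && return 0
  printf '%s\n' "$SANE_SHELLS" | grep -Fqx -- "$1"
}

# check_sudo_env: the start-up decision. Succeeds when sudo is not in use
# or the sudo command is sane; fails when the user would be scolded and
# told to re-run with --force.
check_sudo_env() {
  if [ -n "${SUDO_COMMAND:-}" ]; then
    is_sane_sudo "$SUDO_COMMAND" || return 1
  fi
  return 0
}

# Demonstration over the cases raised in the discussion (constructed values).
for cmd in /usr/bin/su /bin/su /usr/local/bin/bash /bin/sh \
           '/usr/local/bin/acme.sh --issue' '/bin/s.'; do
  if SUDO_COMMAND="$cmd" check_sudo_env; then
    echo "accepted: $cmd"
  else
    echo "rejected: $cmd (would require --force)"
  fi
done
```

Before the patch only the exact strings /bin/su and /bin/bash were accepted, so the `/usr/bin/su` and `/usr/local/bin/bash` cases above are the ones that used to trigger the scolding on FreeBSD.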
A commit references this bug:
Date: Sun Aug 2 17:16:31 UTC 2020
New revision: 543980
Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash
Submitted by: John W. O'Brien <firstname.lastname@example.org>
Is this worth sending upstream? If so, I will, and let them decide what to do.
(In reply to Dan Langille from comment #6)
This was obtained from an upstream pull request.