Bug 248434 - security/acme: Backport fix for running under sudo
Summary: security/acme: Backport fix for running under sudo
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://github.com/acmesh-official/ac...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-02 16:08 UTC by John W. O'Brien
Modified: 2020-08-02 17:25 UTC (History)
1 user (show)

See Also:
john: maintainer-feedback? (dvl)

Attachments
security/acme.sh: Backport fix for running under sudo (5.70 KB, patch)
2020-08-02 16:08 UTC, John W. O'Brien 		john: maintainer-approval? (dvl)
 Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John W. O'Brien 2020-08-02 16:08:38 UTC 
Created attachment 216961 [details]
security/acme.sh: Backport fix for running under sudo

Changelog
=========

*   Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash
*   While here, add missing files to pkg-plist


QA
==

portlint: OK
poudriere: OK -- testport on 12.1-RELEASE-p7 amd64
Comment 1 Dan Langille freebsd_committer freebsd_triage 2020-08-02 16:12:04 UTC 
partial duplicate of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248425
Comment 2 John W. O'Brien 2020-08-02 16:19:19 UTC 
(In reply to Dan Langille from comment #1)
Oops! My tree was at r543917 (2020-08-01 13:08:55 -0400). Shall I re-spin the patch?
Comment 3 Dan Langille freebsd_committer freebsd_triage 2020-08-02 16:28:27 UTC 
(In reply to John W. O'Brien from comment #2)
No need to redo.

I want to understand this:

    if [ -n "$SUDO_COMMAND" ]; then
      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
      _endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
      return $?
    fi


If SUDO_COMMAND is not null

exit with the string:

"$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells

I think that tells the user: "you need to be doing it this way"

Am I following?
Comment 4 John W. O'Brien 2020-08-02 16:46:47 UTC 
(In reply to Dan Langille from comment #3)

That sounds about right. At a high level, it recognizes any command ending with "/bin/su" and any command found in /etc/shells as a sane sudo environment, and anything else as sufficiently problematic to warrant scolding the user and requiring --force.

Without this patch, only /bin/su (exact) and /bin/bash (exact) are considered sane, which means doing something obvious like

    sudo -i -u acme
    acme.sh # ...

triggers the scolding on FreeBSD.
Comment 5 commit-hook freebsd_committer freebsd_triage 2020-08-02 17:16:52 UTC 
A commit references this bug:

Author: dvl
Date: Sun Aug  2 17:16:31 UTC 2020
New revision: 543980
URL: https://svnweb.freebsd.org/changeset/ports/543980

Log:
  Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash

  PR:		248434
  Submitted by:	John W. O'Brien <john@saltant.com>

Changes:
  head/security/acme.sh/Makefile
  head/security/acme.sh/files/patch-acme.sh
Comment 6 Dan Langille freebsd_committer freebsd_triage 2020-08-02 17:17:31 UTC 
Is this worth sending upstream? If so, I will, and let them decide what to do.
Comment 7 John W. O'Brien 2020-08-02 17:24:12 UTC 
(In reply to Dan Langille from comment #6)

This was obtained from an upstream pull request.

https://github.com/acmesh-official/acme.sh/pull/2574
Comment 8 Dan Langille freebsd_committer freebsd_triage 2020-08-02 17:25:47 UTC 
Thank you