Bug 248434 - security/acme: Backport fix for running under sudo
Summary: security/acme: Backport fix for running under sudo
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
URL: https://github.com/acmesh-official/ac...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-02 16:08 UTC by John W. O'Brien
Modified: 2020-08-02 17:25 UTC (History)

See Also:
john: maintainer-feedback? (dvl)


Attachments
security/acme.sh: Backport fix for running under sudo (5.70 KB, patch)
2020-08-02 16:08 UTC, John W. O'Brien
john: maintainer-approval? (dvl)

Description John W. O'Brien 2020-08-02 16:08:38 UTC
Created attachment 216961
security/acme.sh: Backport fix for running under sudo

Changelog
=========

*   Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash
*   While here, add missing files to pkg-plist


QA
==

portlint: OK
poudriere: OK -- testport on 12.1-RELEASE-p7 amd64
Comment 1 Dan Langille freebsd_committer 2020-08-02 16:12:04 UTC
partial duplicate of https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248425
Comment 2 John W. O'Brien 2020-08-02 16:19:19 UTC
(In reply to Dan Langille from comment #1)
Oops! My tree was at r543917 (2020-08-01 13:08:55 -0400). Shall I re-spin the patch?
Comment 3 Dan Langille freebsd_committer 2020-08-02 16:28:27 UTC
(In reply to John W. O'Brien from comment #2)
No need to redo.

I want to understand this:

    if [ -n "$SUDO_COMMAND" ]; then
      #it's a normal user doing "sudo su", or `sudo -i` or `sudo -s`
      _endswith "$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells >/dev/null 2>&1
      return $?
    fi


If SUDO_COMMAND is not null

exit with the string:

"$SUDO_COMMAND" /bin/su || grep "^$SUDO_COMMAND\$" /etc/shells

I think that tells the user: "you need to be doing it this way"

Am I following?
Comment 4 John W. O'Brien 2020-08-02 16:46:47 UTC
(In reply to Dan Langille from comment #3)

That sounds about right. At a high level, it recognizes any command ending with "/bin/su" and any command found in /etc/shells as a sane sudo environment, and anything else as sufficiently problematic to warrant scolding the user and requiring --force.

Without this patch, only /bin/su (exact) and /bin/bash (exact) are considered sane, which means doing something obvious like

    sudo -i -u acme
    acme.sh # ...

triggers the scolding on FreeBSD.
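The rule described in this comment, re-implemented as an added shell example (this is not acme.sh's own code): a constructed /etc/shells sample, the "ends with /bin/su" test, and the whole-line lookup. It assumes a `SHELLS_FILE` path instead of the real /etc/shells, and it matches fixed strings (grep -xF) rather than the patch's `"^$SUDO_COMMAND\$"` regex, so a value containing regex metacharacters cannot widen the match.

```shell
#!/bin/sh
# Constructed sample of /etc/shells so the script runs offline;
# SHELLS_FILE is an assumed variable standing in for the real path.
SHELLS_FILE="${SHELLS_FILE:-$(mktemp)}"
cat > "$SHELLS_FILE" <<'EOF'
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
/usr/local/bin/zsh
EOF

# _endswith STRING SUFFIX: true if STRING ends with SUFFIX (pure sh, no regex).
_endswith() {
  case "$1" in
    *"$2") return 0 ;;
    *)     return 1 ;;
  esac
}

# sudo_is_sane CMD: returns 0 if CMD is an acceptable way to reach a shell
# under sudo (ends with /bin/su, or is an exact line of the shells file),
# 1 otherwise. -x forces a whole-line match, -F a literal (non-regex) one.
sudo_is_sane() {
  cmd="$1"
  [ -n "$cmd" ] || return 1
  _endswith "$cmd" /bin/su && return 0
  grep -qxF -- "$cmd" "$SHELLS_FILE"
}

# check_sudo_command CMD: mirrors the warning path, printing the verdict
# acme.sh would reach for a given SUDO_COMMAND value.
check_sudo_command() {
  if sudo_is_sane "$1"; then
    echo "ok: $1"
  else
    echo "warn: $1 (would require --force)"
  fi
}
```

Run it as `SUDO_COMMAND=/bin/sh sh script.sh` style checks by calling `check_sudo_command "$SUDO_COMMAND"`; with `sudo -i -u acme` on FreeBSD the value is the target user's login shell, which is what the /etc/shells lookup accepts.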
Comment 5 commit-hook freebsd_committer 2020-08-02 17:16:52 UTC
A commit references this bug:

Author: dvl
Date: Sun Aug  2 17:16:31 UTC 2020
New revision: 543980
URL: https://svnweb.freebsd.org/changeset/ports/543980

Log:
  Enable acme.sh to recognize sane sudo commands besides /bin/su and /bin/bash

  PR:		248434
  Submitted by:	John W. O'Brien <john@saltant.com>

Changes:
  head/security/acme.sh/Makefile
  head/security/acme.sh/files/patch-acme.sh
Comment 6 Dan Langille freebsd_committer 2020-08-02 17:17:31 UTC
Is this worth sending upstream? If so, I will, and let them decide what to do.
Comment 7 John W. O'Brien 2020-08-02 17:24:12 UTC
(In reply to Dan Langille from comment #6)

This was obtained from an upstream pull request.

https://github.com/acmesh-official/acme.sh/pull/2574
Comment 8 Dan Langille freebsd_committer 2020-08-02 17:25:47 UTC
Thank you