Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
    by narn.NetBSD.org (Postfix) with ESMTP id 85F9363C07F
    for ; Thu, 5 Feb 2009 17:00:28 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 0)
    id 3A96863B124; Thu, 5 Feb 2009 17:00:28 +0000 (UTC)
Received: from cvs.netbsd.org (unknown [IPv6:2001:4f8:4:7:2e0:81ff:fe25:eab4])
    by mail.netbsd.org (Postfix) with ESMTP id E444463B116
    for ; Thu, 5 Feb 2009 17:00:25 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500)
    id CEFDE175D0; Thu, 5 Feb 2009 17:00:25 +0000 (UTC)
From: Matthias Scheler
Subject: CVS commit: [pkgsrc-2008Q4] pkgsrc/security/sudo
To: pkgsrc-changes@NetBSD.org
Reply-To: tron@netbsd.org
Message-Id: <20090205170025.CEFDE175D0@cvs.netbsd.org>
Date: Thu, 5 Feb 2009 17:00:25 +0000 (UTC)
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes
Precedence: list

Module Name:    pkgsrc
Committed By:   tron
Date:           Thu Feb 5 17:00:25 UTC 2009

Modified Files:
    pkgsrc/security/sudo [pkgsrc-2008Q4]: Makefile PLIST distinfo options.mk
    pkgsrc/security/sudo/patches [pkgsrc-2008Q4]: patch-aa patch-af patch-ag
Removed Files:
    pkgsrc/security/sudo/patches [pkgsrc-2008Q4]: patch-ai

Log Message:
Pullup ticket #2688 - requested by taca
sudo: security update

Revisions pulled up:
- security/sudo/Makefile                1.114
- security/sudo/PLIST                   1.3
- security/sudo/distinfo                1.57
- security/sudo/options.mk              1.16
- security/sudo/patches/patch-aa        1.20
- security/sudo/patches/patch-af        1.21
- security/sudo/patches/patch-ag        1.13
- security/sudo/patches/patch-ai        delete
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Feb 5 13:48:12 UTC 2009

Modified Files:
    pkgsrc/security/sudo: Makefile PLIST distinfo options.mk
    pkgsrc/security/sudo/patches: patch-aa patch-af patch-ag
Removed Files:
    pkgsrc/security/sudo/patches: patch-ai

Log Message:
Update security/sudo package to 1.7.0.

* pkgsrc change: relax restriction to kerberos package.

What's new in Sudo 1.7.0?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as. The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell. Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support. SASL authentication may now be used in
   conjunction when connecting to an LDAP server. The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
   to specify the sudoers order. E.g.:
        sudoers: ldap files
   to check LDAP, then /etc/sudoers. The default is "files", even
   when LDAP support is compiled in. This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured. Typically, this is a graphical password prompter
   such as ssh-askpass.

 * A new Defaults option, "mailfrom" that sets the value of the
   "From:" field in the warning/error mail. If unspecified, the
   login name of the invoking user is used.

 * A new Defaults option, "env_file" that refers to a file containing
   environment variables to be set in the command being run.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * If sudo needs to prompt for a password and it is unable to disable
   echo (and no askpass program is defined), it will refuse to run
   unless the "visiblepw" Defaults option has been specified.

 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
   would exit sudo. In sudo 1.7.0 and beyond, this is treated as
   an empty password. To exit sudo, the user must press ^C or ^D
   at the prompt.

 * visudo will now check the sudoers file owner and mode in -c (check)
   mode when the -s (strict) flag is specified.

To generate a diff of this commit:
cvs rdiff -r1.113 -r1.113.10.1 pkgsrc/security/sudo/Makefile
cvs rdiff -r1.2 -r1.2.12.1 pkgsrc/security/sudo/PLIST
cvs rdiff -r1.56 -r1.56.10.1 pkgsrc/security/sudo/distinfo
cvs rdiff -r1.15 -r1.15.12.1 pkgsrc/security/sudo/options.mk
cvs rdiff -r1.19 -r1.19.12.1 pkgsrc/security/sudo/patches/patch-aa
cvs rdiff -r1.20 -r1.20.12.1 pkgsrc/security/sudo/patches/patch-af
cvs rdiff -r1.12 -r1.12.12.1 pkgsrc/security/sudo/patches/patch-ag
cvs rdiff -r1.4 -r0 pkgsrc/security/sudo/patches/patch-ai

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.