Date: Tue, 14 Sep 2021 19:40:13 GMT
Message-Id: <202109141940.18EJeDKF054588@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 79b90357fc19 - 2021Q3 - security/sudo: Update to 1.9.8
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: ports
X-Git-Refname: refs/heads/2021Q3
X-Git-Reftype: branch
X-Git-Commit: 79b90357fc19f404d4196c08a70c039d5f2bef06
Auto-Submitted: auto-generated
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
X-List-Received-Date: Tue, 14 Sep 2021 19:40:14 -0000

The branch 2021Q3 has been updated by cy:

URL: https://cgit.FreeBSD.org/ports/commit/?id=79b90357fc19f404d4196c08a70c039d5f2bef06

commit 79b90357fc19f404d4196c08a70c039d5f2bef06
Author:     Cy Schubert
AuthorDate: 2021-09-13 15:32:19 +0000
Commit:     Cy Schubert
CommitDate: 2021-09-14 19:39:20 +0000

    security/sudo: Update to 1.9.8

    Major changes between sudo 1.9.8 and 1.9.7p2:

     * It is now possible to transparently intercept sub-commands
       executed by the original command run via sudo.  Intercept support
       is implemented using LD_PRELOAD (or the equivalent supported by
       the system) and so has some limitations.  The two main limitations
       are that only dynamic executables are supported and only the
       execl, execle, execlp, execv, execve, execvp, and execvpe library
       functions are currently intercepted.  Its main use case is to
       support restricting privileged shells run via sudo.

       To support this, there is a new "intercept" Defaults setting and
       an INTERCEPT command tag that can be used in sudoers.  For example:

           Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
           Defaults!SHELLS intercept

       would cause sudo to run the listed shells in intercept mode.  This
       can also be set on a per-rule basis.  For example:

           Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
           chuck ALL = INTERCEPT: SHELLS

       would only apply intercept mode to user "chuck" when running one
       of the listed shells.

       In intercept mode, sudo will not prompt for a password before
       running a sub-command and will not allow a set-user-ID or
       set-group-ID program to be run by default.  The new
       intercept_authenticate and intercept_allow_setid sudoers settings
       can be used to change this behavior.

     * The new "log_subcmds" sudoers setting can be used to log
       additional commands run in a privileged shell.  It uses the same
       mechanism as the intercept support described above and has the
       same limitations.

     * Support for logging sudo_logsrvd errors via syslog or to a file.
       Previously, most sudo_logsrvd errors were only visible in the
       debug log.

     * Better diagnostics when there is a TLS certificate validation
       error.

     * Using the "+=" or "-=" operators in a Defaults setting that takes
       a string, not a list, now produces a warning from sudo and a
       syntax error from inside visudo.

     * Fixed a bug where the "iolog_mode" setting in sudoers and
       sudo_logsrvd had no effect when creating I/O log parent
       directories if the I/O log file name ended with the string
       "XXXXXX".

     * Fixed a bug in the sudoers custom prompt code where the size
       parameter that was passed to the strlcpy() function was incorrect.
       No overflow was possible since the correct amount of memory was
       already pre-allocated.

     * The mksigname and mksiglist helper programs are now built with the
       host compiler, not the target compiler, when cross-compiling.
       Bug #989.

     * Fixed compilation error when the --enable-static-sudoers configure
       option was specified.  This was due to a typo introduced in sudo
       1.9.7.  GitHub PR #113.

    Submitted by: cy
    PR: 258479
    Approved by: garga (maintainer)

    (cherry picked from commit c403b7871cf09f123de4151bb77e8438f342075e)
--- security/sudo/Makefile | 2 +- security/sudo/distinfo | 6 +++--- security/sudo/pkg-plist | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/security/sudo/Makefile b/security/sudo/Makefile index 02cc14eadfe6..3c5596713765 100644 --- a/security/sudo/Makefile +++ b/security/sudo/Makefile @@ -1,7 +1,7 @@ # Created by: erich@rrnet.com PORTNAME= sudo -PORTVERSION= 1.9.7p2 +PORTVERSION= 1.9.8 CATEGORIES= security MASTER_SITES= SUDO diff --git a/security/sudo/distinfo b/security/sudo/distinfo index c9deff435f3f..eef4b7cc918b 100644 --- a/security/sudo/distinfo +++ b/security/sudo/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1627665930 -SHA256 (sudo-1.9.7p2.tar.gz) = 28b5ee725dbf89a7852f42f309ca877d2810a9531b4eecfe59f3a84b6b4afca8 -SIZE (sudo-1.9.7p2.tar.gz) = 4200036 +TIMESTAMP = 1631546736 +SHA256 (sudo-1.9.8.tar.gz) = f1735de999804ea1af068fba6a82cb6674ea64c789813b29266fd3b16cb294e6 +SIZE (sudo-1.9.8.tar.gz) = 4301188 diff --git a/security/sudo/pkg-plist b/security/sudo/pkg-plist index e06c5866f6b1..71a8b1c75710 100644 --- a/security/sudo/pkg-plist +++ b/security/sudo/pkg-plist @@ -14,6 +14,7 @@ libexec/sudo/libsudo_util.so.0 libexec/sudo/libsudo_util.so.0.0.0 %%PYTHON%%libexec/sudo/python_plugin.so libexec/sudo/sample_approval.so +libexec/sudo/sudo_intercept.so libexec/sudo/sudo_noexec.so libexec/sudo/sudoers.so libexec/sudo/system_group.so
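
Review bot: the security/sudo/distinfo hunk swaps in a new SHA256 and SIZE for sudo-1.9.8.tar.gz, and nothing in the commit message records that the digest was compared with the value upstream publishes for this release. For a port that installs a privilege-escalation tool, please state in the commit message how the new SHA256 line was verified (upstream's published checksum or signature), so the recorded value is more than the result of one local fetch.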
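
Review bot: the security/sudo/pkg-plist hunk starts installing libexec/sudo/sudo_intercept.so, but the three files changed include no user-facing note about the limits the commit message itself lists for it (dynamic executables only, and only the execl, execle, execlp, execv, execve, execvp and execvpe library functions). Consider adding a pkg-message or UPDATING entry that says so, so that administrators who enable "intercept" or "log_subcmds" after this update do not read them as complete confinement or complete logging of a privileged shell.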
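
The release notes quoted in the commit message say that intercept and log_subcmds depend on LD_PRELOAD and therefore cover only dynamic executables. As an added example (not part of this commit or of sudo), the Python below checks ELF images for a PT_INTERP program header: an image without one is never handed to the run-time loader, so a preload library cannot reach it. The function names and the two sample images are constructed for illustration.

```python
import struct
import sys

PT_INTERP = 3  # program header type that names the run-time loader

def has_interp(elf: bytes) -> bool:
    """True if the ELF image asks for a run-time loader (PT_INTERP present)."""
    if len(elf) < 0x34 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:                                      # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False

def uncovered(images: dict) -> list:
    """Paths whose image has no PT_INTERP: a preload library never reaches them."""
    return sorted(p for p, data in images.items() if not has_interp(data))

def sample_elf64(p_types) -> bytes:
    """Constructed image: ELF64 little-endian header plus empty program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # 16-byte e_ident
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                       64, 56, len(p_types), 0, 0, 0)       # phoff=64, phentsize=56
    return ident + rest + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    if sys.argv[1:]:                           # audit real files named on the command line
        images = {p: open(p, "rb").read() for p in sys.argv[1:]}
    else:                                      # constructed samples: dynamic vs. static
        images = {"/constructed/dynamic-sh": sample_elf64([3, 1, 2]),
                  "/constructed/static-sh": sample_elf64([1])}
    for path in uncovered(images):
        print(f"{path}: no PT_INTERP, outside intercept/log_subcmds coverage")
```

Run it with the paths from a Cmnd_Alias such as SHELLS as arguments; any path it prints is a command that a sudoers rule relying on intercept would not actually constrain.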