Subject: Re: git: c403b7871cf0 - main - securty/sudo: Update to 1.9.8
From: Craig Leres
To: Cy Schubert, ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Date: Wed, 15 Sep 2021 15:51:58 -0700
Message-ID: <88bd0117-cc31-8aa6-a0e8-45af8e1e6a9f@freebsd.org>
In-Reply-To: <202109141650.18EGoo8I031474@gitrepo.freebsd.org>
List-Id: Commits to the main branch of the FreeBSD ports repository

On 9/14/21 9:50 AM, Cy Schubert wrote:
> The branch main has been updated by cy:
>
> URL: https://cgit.FreeBSD.org/ports/commit/?id=c403b7871cf09f123de4151bb77e8438f342075e
>
> commit c403b7871cf09f123de4151bb77e8438f342075e
> Author:     Cy Schubert
> AuthorDate: 2021-09-13 15:32:19 +0000
> Commit:     Cy Schubert
> CommitDate: 2021-09-14 16:50:22 +0000
>
>     securty/sudo: Update to 1.9.8
>
>     Major changes between sudo 1.9.8 and 1.9.7p2:

This version isn't really working for me. I have some nagios checks that
run from nrpe3 as nagios that need root access. I install files in
/usr/local/etc/sudoers.d, e.g.:

    User_Alias CHECK_SSLCERT_ADMINS = nagios, leres
    Cmnd_Alias CHECK_SSLCERT = /usr/local/libexec/check_sslcert
    CHECK_SSLCERT_ADMINS ALL = (root) NOPASSWD: CHECK_SSLCERT

When I run the same command that nrpe3 is running I can see the error:

    zinc 31 % /usr/local/bin/sudo -c root /usr/local/libexec/check_sslcert -l 21 /usr/local/etc/letsencrypt/live/mod.lbl.gov/cert.pem
    sudo: (null): option "use_loginclass" does not take a value
    sudo: error initializing audit plugin sudoers_audit

I tried rebuilding with AUDIT disabled but it doesn't change anything.

Some of my systems had an older/non-default sudo.conf that had some
plugins enabled:

    Plugin sudoers_policy sudoers.so
    Plugin sudoers_io sudoers.so
    Plugin sudoers_audit sudoers.so

but switching to the sudo.conf.defaults version (which has these
commented out) also doesn't help.

I'm so far unable to determine if my config is defective or if the new
sudo is borked.

Craig