security/doas: Update to 6.1

* Update the pkg-message to give users that install/upgrade the port some info about the changed behavior regarding the environment variables. [1] * Make the configuration of target user's sanitized $PATH that is set at compile time more flexible by enabling users to configure it via _GLOBAL_PATH. [2] * Also pet portlint/portclippy by placing USES to the top of the USES block and remove the superfluous occurence of GH_PROJECT while I'm here. Changelog: * Most environment variables are no longer copied to the target user's environment. This avoids corrupting files through use of $HOME, for example. When environment variables are required, keepenv can be set in the doas.conf file. * The target user's sanitized $PATH can be set at compile time to avoid passing malicious executables to the target user's path. https://github.com/slicer69/doas/releases/tag/6.1 PR: 239629 Submitted by: jsmith@resonatingmedia.com (maintainer) Approved by: jsmith@resonatingmedia.com (maintainer) [1] [2] MFH: 2019Q3
svn path=/head/; revision=508097
2019-08-04 15:43:27 +00:00 · 2019-08-04 15:43:27 +00:00 · 2c4ec752b6 · 2021-03-31 03:12:20 +00:00
commit 2c4ec752b6
parent 264424aa5d
3 changed files with 35 additions and 8 deletions
--- a/security/doas/Makefile
+++ b/security/doas/Makefile
@ -1,7 +1,7 @@
 # $FreeBSD$

 PORTNAME=	doas
-PORTVERSION=	6.0p3
+PORTVERSION=	6.1
 CATEGORIES=	security

 MAINTAINER=	jsmith@resonatingmedia.com
@ -12,11 +12,11 @@ LICENSE_COMB=	multi
 LICENSE_FILE_BSD2CLAUSE=	${WRKSRC}/LICENSE
 LICENSE_FILE_ISCL=		${WRKSRC}/LICENSE

+USES=	gmake
 USE_GITHUB=	yes
 GH_ACCOUNT=	slicer69
-GH_PROJECT=	doas

-USES=	gmake
+MAKE_ENV+=	TARGETPATH=-DGLOBAL_PATH='\"${_GLOBAL_PATH}\"'

 BINMODE=	4755

@ -25,6 +25,15 @@ PLIST_FILES=	bin/doas \
 		man/man5/doas.conf.5.gz \
 		man/man1/doas.1.gz

+# These are upstream's default paths that are set for the GLOBAL_PATH variable
+# in doas.h since the 6.1 release. Those paths are then used for target user's
+# PATH variable instead of those of the original user.
+#
+# See also:
+#  * https://github.com/slicer69/doas/blob/6.1/doas.h#L36
+#  * https://github.com/slicer69/doas/releases/tag/6.1
+_GLOBAL_PATH?=	${LOCALBASE}/sbin:${LOCALBASE}/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/${PORTNAME} ${STAGEDIR}${PREFIX}/bin
 	${INSTALL_MAN} ${WRKSRC}/doas.1 ${STAGEDIR}${MAN1PREFIX}/man/man1
--- a/security/doas/distinfo
+++ b/security/doas/distinfo
@ -1,3 +1,3 @@
-TIMESTAMP = 1552317435
-SHA256 (slicer69-doas-6.0p3_GH0.tar.gz) = abf7911df661fd82acc3ff71724b73cf0f2102f8a5379153a1c031b285ed8c97
-SIZE (slicer69-doas-6.0p3_GH0.tar.gz) = 18470
+TIMESTAMP = 1564865652
+SHA256 (slicer69-doas-6.1_GH0.tar.gz) = f6ae5243a711774cd46d5087c544e7feead7e138c6053c030c47489a722033f2
+SIZE (slicer69-doas-6.1_GH0.tar.gz) = 19965
--- a/security/doas/files/pkg-message.in
+++ b/security/doas/files/pkg-message.in
@ -5,9 +5,27 @@ To use doas,

 %%PREFIX%%/etc/doas.conf

-must be created.
+must be created. Refer to doas.conf(5) for further details.

-Refer to doas.conf(5).
+Note: In order to be able to run most desktop (GUI) applications, the user
+needs to have the keepenv keyword specified. If keepenv is not specified then
+key elements, like the user's $HOME variable, will be reset and cause the GUI
+application to crash.
+
+Users who only need to run command line applications can usually get away
+without keepenv.
+
+When in doubt, try to avoid using keepenv as it is less secure to have
+environment variables passed to privileged users.
+EOD
+}
+{ type: upgrade
+  maximum_version: "6.1"
+  message: <<EOD
+With the 6.1 release the transfer of most environment variables (e.g. USER,
+HOME and PATH) from the original user to the target user has changed.
+
+Please refer to doas.conf(5) for further details.
 EOD
 }
 ]