Date: Mon, 26 Aug 2024 13:19:40 GMT
Message-Id: <202408261319.47QDJeB9050413@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Joe Marcus Clarke Subject: git: 50fa622e205d - main - net/tac_plus4: Be explicit about the runtime user List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: marcus X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 50fa622e205ddf49a05f975e5d55b1486d4a5cb8 Auto-Submitted: auto-generated The branch main has been updated by marcus: URL: https://cgit.FreeBSD.org/ports/commit/?id=50fa622e205ddf49a05f975e5d55b1486d4a5cb8 commit 50fa622e205ddf49a05f975e5d55b1486d4a5cb8 Author: Joe Marcus Clarke AuthorDate: 2024-08-26 13:17:33 +0000 Commit: Joe Marcus Clarke CommitDate: 2024-08-26 13:17:33 +0000 net/tac_plus4: Be explicit about the runtime user It occurred to me that the tacacs user is set only at build time. So, if someone assigned a different uid to their runtime tacacs user, the daemon would, by default, run under uid 559. So, add a default "-U tacacs" to the flags. While here, fix a typo in the man page. --- net/tac_plus4/Makefile | 7 ++++--- net/tac_plus4/files/patch-choose_authen.c | 12 +++++------- net/tac_plus4/files/patch-tac__plus.8.in | 14 ++++++++++++++ net/tac_plus4/files/patch-users_guide.in | 7 ++++--- net/tac_plus4/files/tac_plus.in | 2 +- 5 files changed, 28 insertions(+), 14 deletions(-) diff --git a/net/tac_plus4/Makefile b/net/tac_plus4/Makefile index cbc35c024f21..cf74514cde9d 100644 --- a/net/tac_plus4/Makefile +++ b/net/tac_plus4/Makefile @@ -1,6 +1,6 @@ PORTNAME= tac_plus PORTVERSION= F4.0.4.28 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= net security MASTER_SITES= ftp://ftp.shrubbery.net/pub/${PORTNAME}/ DISTNAME= tacacs-${PORTVERSION} 
@@ -14,9 +14,10 @@ GNU_CONFIGURE_MANPREFIX= ${PREFIX}/share USES= bison cpe perl5 libtool USE_PERL5= build USE_RC_SUBR= tac_plus +SUB_LIST= TACACS_USER=${USERS} USE_LDCONFIG= yes -CONFIGURE_ARGS= --with-groupid=$$(/usr/bin/id -g tacacs 2>/dev/null || echo '559') \ - --with-userid=$$(/usr/bin/id -u tacacs 2>/dev/null || echo '559') +CONFIGURE_ARGS= --with-groupid=$$(/usr/bin/id -g ${GROUPS} 2>/dev/null || echo '559') \ + --with-userid=$$(/usr/bin/id -u ${USERS} 2>/dev/null || echo '559') CPE_VENDOR= cisco diff --git a/net/tac_plus4/files/patch-choose_authen.c b/net/tac_plus4/files/patch-choose_authen.c index ccfe7badd3ab..da3b778ac85e 100644 --- a/net/tac_plus4/files/patch-choose_authen.c +++ b/net/tac_plus4/files/patch-choose_authen.c @@ -1,6 +1,6 @@ --- choose_authen.c.orig 2012-04-16 21:42:55 UTC +++ choose_authen.c -@@ -130,12 +130,29 @@ choose_login(struct authen_data *data, s +@@ -130,10 +130,27 @@ choose_login(struct authen_data *data, struct authen_t #else /* SKEY */ report(LOG_ERR, "%s %s: user %s s/key support has not been compiled in", @@ -10,8 +10,8 @@ + name ? name : ""); return(CHOOSE_FAILED); #endif /* SKEY */ - } - ++ } ++ + if (cfg_passwd && STREQ(cfg_passwd, "opie")) { + if (debug & DEBUG_PASSWD_FLAG) + report(LOG_DEBUG, "%s %s: user %s requires opie", @@ -27,8 +27,6 @@ + name ? name : ""); + return(CHOOSE_FAILED); +#endif /* OPIE */ -+ } -+ + } + /* Does this user require aceclnt */ - cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE); - if (cfg_passwd && STREQ(cfg_passwd, "aceclnt")) { diff --git a/net/tac_plus4/files/patch-tac__plus.8.in b/net/tac_plus4/files/patch-tac__plus.8.in new file mode 100644 index 000000000000..585a4e8e9972 --- /dev/null +++ b/net/tac_plus4/files/patch-tac__plus.8.in 
@@ -0,0 +1,14 @@ +--- tac_plus.8.in.orig 2024-08-26 12:52:38 UTC ++++ tac_plus.8.in +@@ -206,8 +206,10 @@ in addition to logging to syslogd. Useful for debuggin + /dev/console + in addition to logging to syslogd. Useful for debugging. + .\" +-.TP \-U ++.TP ++.B \-U + Specify the username or UID to ++.B + .IR setuid(2). + If the daemon was compiled with a specific UID, this option overrides that + value. diff --git a/net/tac_plus4/files/patch-users_guide.in b/net/tac_plus4/files/patch-users_guide.in index 8c839cf8669d..6f4b5ae9fecd 100644 --- a/net/tac_plus4/files/patch-users_guide.in +++ b/net/tac_plus4/files/patch-users_guide.in @@ -1,17 +1,18 @@ --- users_guide.in.orig 2011-05-27 22:11:57 UTC +++ users_guide.in -@@ -164,7 +164,10 @@ for S/KEY in the Makefile. I got my S/K +@@ -164,8 +164,11 @@ suggest you try a web search for s/key source code. crimelab.com but now it appears the only source is ftp.bellcore.com. I suggest you try a web search for s/key source code. -Note: S/KEY is a trademark of Bell Communications Research (Bellcore). +To use OPIE, you must have built tac_plus with the -DWITH_OPIE flag. -+ + +Note: S/KEY and OPIE are a trademark of Bell Communications Research +(Bellcore). - ++ Should you need them, there are routines for accessing password files (getpwnam,setpwent,endpwent,setpwfile) in pw.c. + @@ -414,7 +417,16 @@ be authenticated via s/key, as follows: login = skey } diff --git a/net/tac_plus4/files/tac_plus.in b/net/tac_plus4/files/tac_plus.in index eb92cb03126c..d4c8743216f8 100644 --- a/net/tac_plus4/files/tac_plus.in +++ b/net/tac_plus4/files/tac_plus.in @@ -24,7 +24,7 @@ rcvar=tac_plus_enable command="%%PREFIX%%/sbin/tac_plus" pidfile="/var/run/${name}.pid" tac_plus_enable=${tac_plus_enable:-"NO"} -tac_plus_flags=${tac_plus_flags:-} +tac_plus_flags=${tac_plus_flags:-"-U %%TACACS_USER%%"} tac_plus_profiles=${tac_plus_profiles:-} tac_plus_configfile=${tac_plus_configfile:-"%%PREFIX%%/etc/tac_plus.conf"}
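Review bot: in the net/tac_plus4/Makefile hunk at `@@ -14,9 +14,10`, the CONFIGURE_ARGS lines still resolve the ids on the build host with `id -u ${USERS} 2>/dev/null || echo '559'`, so a package built on another machine keeps whatever that host returned, and the fallback to 559 is silent because stderr is discarded. Since the new `-U` default is now what makes the runtime user correct, a comment above CONFIGURE_ARGS stating that the compiled-in ids are only a fallback would help the next maintainer. `SUB_LIST= TACACS_USER=${USERS}` also relies on USERS holding exactly one name; its definition is not in this hunk, so that is worth confirming.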
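Review bot: the net/tac_plus4/files/patch-choose_authen.c changes (the inner hunk header going from `-130,12 +130,29` to `-130,10 +130,27`, and the closing `}` lines swapping between context and added lines) look like a patch regeneration unrelated to the runtime-user change, and the commit message does not mention it. Noting the regeneration in the message, or splitting it into its own commit, would make the functional change in the authentication path easier to audit.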
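Review bot: in net/tac_plus4/files/patch-tac__plus.8.in, the added bare `.B` line before `.IR setuid(2).` has no argument, so it applies to the next input line, which is itself a font macro; the intended rendering is unclear. If the goal is the usual manual-page cross reference, a single `.BR setuid (2).` line would replace both. Splitting `.TP \-U` into `.TP` followed by `.B \-U` matches the typo fix described in the commit message.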
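Review bot: in net/tac_plus4/files/tac_plus.in, `tac_plus_flags=${tac_plus_flags:-"-U %%TACACS_USER%%"}` only takes effect when tac_plus_flags is unset or empty, so any host that already sets tac_plus_flags in rc.conf gets no `-U` and the daemon still falls back to the compiled-in uid that the commit message describes. Consider carrying the user in a separate knob that is always appended to the command arguments (a hypothetical `tac_plus_runas`, for example), or at least document that custom flags must now include `-U` themselves.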