Releases: slicer69/doas

Introducing macOS support

12 Oct 15:15
ebd62ce

Due to the dedicated work by Gordon Bergling, the doas command now builds and runs on macOS. This release contains no functionality changes, just the ability to build and run on macOS. Please see the README file for build instructions for all platforms.

Code reorganization, fix Linux crash, remove numeric UID matches

10 Sep 17:23

This release mostly reorganizes the code required to port doas to multiple platforms, moving the necessary functions into the compat sub-directory. Thanks to amalleo25 for all the work on this change.

6.2p1 also fixes a crash on Linux systems when a specified user on the command line did not match a valid entry in the doas.conf file.

In the past, doas would first try to find an exact username match when the "-u" flag was used and, if one could not be found, it would try to find a matching numeric UID. Now doas requires that an exact username be specified when "-u" is used. This avoids confusion (and, on Linux, fuzzy matches when a username begins with a number). This means "doas -u 0" can no longer be used to run a command as root, and "doas -u 1000" is not ambiguous if there is a user with the name "1000" on the system.

Linux group permissions, bug fix and optimizations

03 Sep 16:58

This release brings a few improvements to the doas code. Most of the adjustments affect Linux users, but there are improvements across the board.

  1. Group permissions of the original user are now dropped on Linux. This prevents the original user's group access from interfering with the target user's owned files. Group permissions were already dropped on FreeBSD (and, I believe, NetBSD), and this brings doas's Linux behaviour into line with the other systems.

  2. Added -Wall to compiler to make sure we catch all compiler warnings, tested with both Clang and GCC.

  3. Fixed a couple of compiler warnings, either by removing unneeded variables or by introducing sanity checks on function return values. This should make doas more secure across platforms and compilers.

  4. Added build-time optimizations. doas is now built with -O2 passed to the compiler. This can be overridden by modifying the OPT variable when it is passed to make/gmake, e.g. make OPT="".

doas ported to illumos

02 Sep 18:38

This release ports doas to the illumos platform, allowing doas to build and run on SmartOS and OpenIndiana. Some documentation and Makefile changes were also introduced to assist with doas building as part of the pkgsrc collection. No run-time changes or new features were introduced with this release.

Prevent passing environment variables we do not need

03 Aug 20:53

Removed the transfer of most environment variables, such as USER, HOME, and PATH from the original user to the target user. Passing these variables could cause files in the wrong path or home directory to be read (or written to), which resulted in potential security problems.

This has been changed so that only DISPLAY and TERM are passed to the new environment. This is fine for running command line programs. When GUI programs need to be run, "keepenv" can be added to the user's doas.conf entry. The keepenv option results in variables like HOME being copied to the target user, allowing GUI programs to run. See the doas.conf manual page for further details.

Many thanks to Sander Bos for reporting this issue and explaining how it can be exploited.

This release also adds the ability to pass a customized PATH to target users. The new PATH can be set at compile time in the Makefile. The default path is provided in the Makefile for reference and commented out.
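
The filtering described in this release, as an added example that is not code from the doas project: without keepenv only DISPLAY and TERM are copied from the caller, and with keepenv the caller's variables are carried over. TARGET_PATH, build_env, env_get and the sample values are hypothetical, and setting USER, HOME and PATH for the target account is this example's assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TARGET_PATH "/usr/local/bin:/usr/bin:/bin" /* hypothetical compile-time PATH */

/* True if entry ("NAME=value") sets the variable called name. */
static int is_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Value of name in a NULL-terminated environment array, or NULL. */
const char *env_get(char *const *env, const char *name)
{
    for (; *env != NULL; env++)
        if (is_var(*env, name))
            return *env + strlen(name) + 1;
    return NULL;
}

/* Heap copy of a + sep + b; NULL if allocation fails. */
static char *join(const char *a, const char *sep, const char *b)
{
    size_t len = strlen(a) + strlen(sep) + strlen(b) + 1;
    char *s = malloc(len);
    if (s != NULL)
        snprintf(s, len, "%s%s%s", a, sep, b);
    return s;
}

/* Target environment: without keepenv only DISPLAY and TERM come from the caller and
 * USER, HOME, PATH are set for the target (assumed here). NULL on allocation failure. */
char **build_env(char *const *caller, const char *user, const char *home, int keepenv)
{
    size_t n = 0, out = 0, i;
    while (caller[n] != NULL)
        n++;
    char **env = calloc(n + 4, sizeof(*env)); /* room for 3 added entries + NULL */
    if (env == NULL)
        return NULL;
    for (i = 0; i < n; i++)
        if ((keepenv || is_var(caller[i], "DISPLAY") || is_var(caller[i], "TERM")) &&
            (env[out++] = join(caller[i], "", "")) == NULL)
            return NULL;
    if (!keepenv && ((env[out++] = join("USER", "=", user)) == NULL ||
                     (env[out++] = join("HOME", "=", home)) == NULL ||
                     (env[out++] = join("PATH", "=", TARGET_PATH)) == NULL))
        return NULL;
    return env;
}
```

The returned array is what would be handed to execve() as envp; a NULL return should be treated as fatal so the command never runs with a partial environment.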

Added NetBSD support

24 Jun 22:26

This release introduces NetBSD support and has been tested on NetBSD 8.1. This seemed overdue since the port originated from work-in-progress patches that were trying to get doas running on NetBSD.

This port of doas has now been tested and confirmed to work on FreeBSD 11.x, NetBSD 8.1, and Debian 9.

Minor fix for Linux password prompt

10 Mar 22:50

This release fixes an error where the doas password prompt on Linux could echo the password. (Does not seem to be a problem on other platforms.)

Also fixed some compiler warnings on Linux and a compiler build error on FreeBSD.

Bug fix for -n flag

11 Oct 18:50

Updated doas.c with a patch from arthepsy. This fixes the -n flag so that, if a password prompt is required, doas will automatically fail.

Restrict searched path

06 Sep 00:59

This release restricts the PATH doas will search to find an executable specified by the "cmd" keyword in doas.conf. This prevents the user from placing an executable with an identical name in a custom path. For example, if we allow the user to run "foobar", they should only be allowed to run /usr/bin/foobar or /usr/local/bin/foobar, not /home/user/evil/foobar.

To accomplish this change we also import strlcpy and strlcat from OpenBSD, allowing doas to compile on Linux. This should also make the Linux port more secure as we no longer rely on less secure Linux string functions.
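
A restricted lookup of the kind this release describes, as an added example that is not the project's own code: a bare command name is resolved only against a fixed directory list and the caller's PATH is never read. SAFE_PATH and resolve_cmd are hypothetical names, and the handling of names containing '/' is this example's choice.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical trusted search list; the caller's PATH is never consulted. */
#define SAFE_PATH "/usr/local/bin:/usr/bin:/bin"

/* Resolve a "cmd" value from doas.conf to an absolute path.
 * - absolute path: used as written
 * - bare name: looked up only in the directories of safe_path
 * - anything else containing '/': rejected (this example's choice)
 * Returns 0 and fills out, or -1 if nothing acceptable was found. */
int resolve_cmd(const char *cmd, const char *safe_path, char *out, size_t outlen)
{
    struct stat st;
    const char *dir = safe_path;

    if (cmd[0] == '\0')
        return -1;
    if (cmd[0] == '/')
        return (size_t)snprintf(out, outlen, "%s", cmd) < outlen ? 0 : -1;
    if (strchr(cmd, '/') != NULL)
        return -1;
    while (*dir != '\0') {
        size_t len = strcspn(dir, ":");
        /* Skip empty and relative entries: both resolve against the current directory. */
        if (len > 0 && dir[0] == '/' &&
            (size_t)snprintf(out, outlen, "%.*s/%s", (int)len, dir, cmd) < outlen &&
            stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 0;
        dir += len + (dir[len] == ':');
    }
    return -1;
}

int main(int argc, char **argv)
{
    char path[4096];
    const char *cmd = argc > 1 ? argv[1] : "sh";

    if (resolve_cmd(cmd, SAFE_PATH, path, sizeof(path)) != 0) {
        fprintf(stderr, "%s: not found in trusted path\n", cmd);
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```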

Updating to match upstream, fix running on DragonFlyBSD

17 Feb 15:38

This release features three improvements of note.

  1. Our code has been patched to reflect changes to OpenBSD's doas (version 6.0). This should make it easier to keep up with future changes/improvements from OpenBSD.
  2. This doas port should now work on DragonFlyBSD.
  3. Documentation has been updated to mention the -- prefix for commands involving parameters, which is useful for Linux users. The documentation also includes a note mentioning that the persist keyword will not work on Linux or FreeBSD.