net/tac_plus4: Be explicit about the runtime user

It occurred to me that the tacacs user is set only at build time.  So,
if someone assigned a different uid to their runtime tacacs user, the
daemon would, by default, run under uid 559. So, add a default
"-U tacacs" to the flags.

While here, fix a typo in the man page.

net/tac_plus4/Makefile

@@ -1,6 +1,6 @@
 PORTNAME=	tac_plus
 PORTVERSION=	F4.0.4.28
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net security
 MASTER_SITES=	ftp://ftp.shrubbery.net/pub/${PORTNAME}/
 DISTNAME=	tacacs-${PORTVERSION}
@@ -14,9 +14,10 @@ GNU_CONFIGURE_MANPREFIX=	${PREFIX}/share
 USES=		bison cpe perl5 libtool
 USE_PERL5=	build
 USE_RC_SUBR=	tac_plus
+SUB_LIST=	TACACS_USER=${USERS}
 USE_LDCONFIG=	yes
-CONFIGURE_ARGS=	--with-groupid=$$(/usr/bin/id -g tacacs 2>/dev/null || echo '559') \
-		--with-userid=$$(/usr/bin/id -u tacacs 2>/dev/null || echo '559')
+CONFIGURE_ARGS=	--with-groupid=$$(/usr/bin/id -g ${GROUPS} 2>/dev/null || echo '559') \
+		--with-userid=$$(/usr/bin/id -u ${USERS} 2>/dev/null || echo '559')
 
 CPE_VENDOR=	cisco
 

net/tac_plus4/files/patch-choose_authen.c

@@ -1,6 +1,6 @@
 --- choose_authen.c.orig	2012-04-16 21:42:55 UTC
 +++ choose_authen.c
-@@ -130,12 +130,29 @@ choose_login(struct authen_data *data, s
+@@ -130,10 +130,27 @@ choose_login(struct authen_data *data, struct authen_t
  #else /* SKEY */
  	    report(LOG_ERR,
  		   "%s %s: user %s s/key support has not been compiled in",
@@ -10,8 +10,8 @@
 +		   name ? name : "<unknown>");
  	    return(CHOOSE_FAILED);
  #endif	/* SKEY */
- 	}
- 
++	}
++
 +	if (cfg_passwd && STREQ(cfg_passwd, "opie")) {
 +	    if (debug & DEBUG_PASSWD_FLAG)
 +		report(LOG_DEBUG, "%s %s: user %s requires opie",
@@ -27,8 +27,6 @@
 +			name ? name : "<unknown>");
 +		return(CHOOSE_FAILED);
 +#endif /* OPIE */
-+	}
-+
+ 	}
+ 
  	/* Does this user require aceclnt */
- 	cfg_passwd = cfg_get_login_secret(name, TAC_PLUS_RECURSE);
- 	if (cfg_passwd && STREQ(cfg_passwd, "aceclnt")) {

net/tac_plus4/files/patch-tac__plus.8.in

@@ -0,0 +1,14 @@
+--- tac_plus.8.in.orig	2024-08-26 12:52:38 UTC
++++ tac_plus.8.in
+@@ -206,8 +206,10 @@ in addition to logging to syslogd. Useful for debuggin
+ /dev/console 
+ in addition to logging to syslogd. Useful for debugging.
+ .\"
+-.TP \-U <setuid username>
++.TP
++.B \-U <setuid username>
+ Specify the username or UID to
++.B
+ .IR setuid(2).
+ If the daemon was compiled with a specific UID, this option overrides that
+ value.

net/tac_plus4/files/patch-users_guide.in

@@ -1,17 +1,18 @@
 --- users_guide.in.orig	2011-05-27 22:11:57 UTC
 +++ users_guide.in
-@@ -164,7 +164,10 @@ for S/KEY in the Makefile.  I got my S/K
+@@ -164,8 +164,11 @@ suggest you try a web search for s/key source code.
  crimelab.com but now it appears the only source is ftp.bellcore.com. I
  suggest you try a web search for s/key source code.
  
 -Note: S/KEY is a trademark of Bell Communications Research (Bellcore).
 +To use OPIE, you must have built tac_plus with the -DWITH_OPIE flag.
-+
+ 
 +Note: S/KEY and OPIE are a trademark of Bell Communications Research 
 +(Bellcore).
- 
++
  Should you need them, there are routines for accessing password files
  (getpwnam,setpwent,endpwent,setpwfile) in pw.c.
+ 
 @@ -414,7 +417,16 @@ be authenticated via s/key, as follows:
        login = skey
      }

net/tac_plus4/files/tac_plus.in

@@ -24,7 +24,7 @@ rcvar=tac_plus_enable
 command="%%PREFIX%%/sbin/tac_plus"
 pidfile="/var/run/${name}.pid"
 tac_plus_enable=${tac_plus_enable:-"NO"}
-tac_plus_flags=${tac_plus_flags:-}
+tac_plus_flags=${tac_plus_flags:-"-U %%TACACS_USER%%"}
 tac_plus_profiles=${tac_plus_profiles:-}
 tac_plus_configfile=${tac_plus_configfile:-"%%PREFIX%%/etc/tac_plus.conf"}