Merge #26628: treewide: setuid/setgid fallout

2017-06-17 13:23:39 +02:00 · 2017-06-17 13:23:39 +02:00 · d88c0cf867
commit d88c0cf867
parent 0d4431cfe9 230c0d461a
15 changed files with 56 additions and 9 deletions
--- a/pkgs/applications/misc/udevil/default.nix
+++ b/pkgs/applications/misc/udevil/default.nix
@ -7,8 +7,9 @@ stdenv.mkDerivation {
  };
  buildInputs = [ intltool glib pkgconfig udev ];
  configurePhase = ''
-    substituteInPlace src/Makefile.am --replace "-o root -g root" ""
    substituteInPlace src/Makefile.in --replace "-o root -g root" ""
+    # do not set setuid bit in nix store
+    substituteInPlace src/Makefile.in --replace 4755 0755
    ./configure \
      --prefix=$out \
      --with-mount-prog=${utillinux}/bin/mount \
@ -17,10 +18,6 @@ stdenv.mkDerivation {
      --with-setfacl-prog=${acl.bin}/bin/setfacl \
      --sysconfdir=$prefix/etc
  '';
-  preConfigure = ''
-    cat src/Makefile.am
-    exit 2
-  '';
  patches = [ ./device-info-sys-stat.patch ];
  meta = {
    description = "A command line Linux program which mounts and unmounts removable devices without a password, shows device info, and monitors device changes";
--- a/pkgs/games/unnethack/default.nix
+++ b/pkgs/games/unnethack/default.nix
@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
                     "--with-gamesdir=/tmp/unnethack"
                   ];

+  makeFlags = [ "GAMEPERM=744" ];
+
  postInstall = ''
    cp -r /tmp/unnethack $out/share/unnethack/profile
    mv $out/bin/unnethack $out/bin/.wrapped_unnethack
--- a/pkgs/games/xconq/default.nix
+++ b/pkgs/games/xconq/default.nix
@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
    # Fix Makefiles
    find . -name 'Makefile.in' -exec sed -re 's@^        ( *)(cd|[&][&])@	\1\2@' -i '{}' ';'
    find . -name 'Makefile.in' -exec sed -e '/chown/d; /chgrp/d' -i '{}' ';'
+    # do not set sticky bit in nix store
+    find . -name 'Makefile.in' -exec sed -e 's/04755/755/g' -i '{}' ';'
    sed -e '/^			* *[$][(]tcltkdir[)]\/[*][.][*]/d' -i tcltk/Makefile.in

    # Fix C files
--- a/pkgs/games/xsokoban/default.nix
+++ b/pkgs/games/xsokoban/default.nix
@ -15,6 +15,10 @@ stdenv.mkDerivation rec {

  hardeningDisable = [ "format" ];

+  prePatch = ''
+    substituteInPlace Makefile.in --replace 4755 0755
+  '';
+
  preConfigure = ''
    sed -e 's/getline/my_getline/' -i score.c

@ -22,7 +26,7 @@ stdenv.mkDerivation rec {
    cat >>config.h <<EOF
    #define HERE "@nixos-packaged"
    #define WWW 0
-    #define OWNER "'$(whoami)'"
+    #define OWNER "$(whoami)"
    #define ROOTDIR "$out/lib/xsokoban"
    #define ANYLEVEL 1
    #define SCOREFILE ".xsokoban-score"
--- a/pkgs/os-specific/linux/rewritefs/default.nix
+++ b/pkgs/os-specific/linux/rewritefs/default.nix
@ -13,6 +13,11 @@ stdenv.mkDerivation rec {
 
  buildInputs = [ pkgconfig fuse pcre ];

+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace Makefile --replace 6755 0755
+  '';
+
  preConfigure = "substituteInPlace Makefile --replace /usr/local $out";

  meta = with stdenv.lib; {
--- a/pkgs/servers/computing/torque/default.nix
+++ b/pkgs/servers/computing/torque/default.nix
@ -29,8 +29,9 @@ stdenv.mkDerivation rec {

   for f in $(find ./ -name Makefile.in); do
     echo patching $f...
-     sed -i $f -e '/PBS_MKDIRS/d'
+     sed -i $f -e '/PBS_MKDIRS/d' -e '/chmod u+s/d'
   done
+
  '';

  postInstall = ''
--- a/pkgs/servers/http/hiawatha/default.nix
+++ b/pkgs/servers/http/hiawatha/default.nix
@ -21,6 +21,10 @@ stdenv.mkDerivation rec {

  buildInputs =  [ cmake libxslt zlib libxml2 ] ++ stdenv.lib.optional enableSSL openssl ;

+  prePatch = ''
+    substituteInPlace CMakeLists.txt --replace SETUID ""
+  '';
+
  cmakeFlags = [
    ( if enableSSL then "-DENABLE_TLS=on" else "-DENABLE_TLS=off" )
    ( if enableMonitor then "-DENABLE_MONITOR=on" else "-DENABLE_MONITOR=off" )
--- a/pkgs/shells/rssh/default.nix
+++ b/pkgs/shells/rssh/default.nix
@ -59,6 +59,12 @@ stdenv.mkDerivation rec {
    })
  ];

+  # Run this after to avoid conflict with patches above
+  postPatch = ''
+    sed -i '/chmod u+s/d' Makefile.in
+  '';
+
+
  buildInputs = [ openssh rsync cvs ];

  configureFlags = [
--- a/pkgs/tools/misc/uucp/default.nix
+++ b/pkgs/tools/misc/uucp/default.nix
@ -10,6 +10,13 @@ stdenv.mkDerivation rec {

  hardeningDisable = [ "format" ];

+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace Makefile.in \
+      --replace 4555 0555
+    sed -i '/chown $(OWNER)/d' Makefile.in
+  '';
+
  meta = {
    description = "Unix-unix cp over serial line, also includes cu program";

--- a/pkgs/tools/security/logkeys/default.nix
+++ b/pkgs/tools/security/logkeys/default.nix
@ -15,6 +15,7 @@ stdenv.mkDerivation rec {
  postPatch = ''
    substituteInPlace src/Makefile.in --replace 'root' '$(id -u)'
    substituteInPlace configure --replace '/dev/input' '/tmp'
+    sed -i '/chmod u+s/d' src/Makefile.in
 '';

  meta = with stdenv.lib; {
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@ -14,6 +14,11 @@ stdenv.mkDerivation rec {
    sha256 = "07fvh8qy0l1h93lccc625f48d8yp0pkp5rjjykq13pb07ar0x64y";
  };

+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace src/Makefile.in --replace 04755 0755
+  '';
+
  configureFlags = [
    "--with-env-editor"
    "--with-editor=/run/current-system/sw/bin/nano"
--- a/pkgs/tools/security/super/default.nix
+++ b/pkgs/tools/security/super/default.nix
@ -9,6 +9,13 @@ stdenv.mkDerivation rec {
    sha256 = "0k476f83w7f45y9jpyxwr00ikv1vhjiq0c26fgjch9hnv18icvwy";
  };

+  prePatch = ''
+    # do not set sticky bit in nix store
+    substituteInPlace Makefile.in \
+      --replace "-o root" "" \
+      --replace 04755 755
+  '';
+
  patches = [
   (fetchpatch { url = http://anonscm.debian.org/cgit/users/robert/super.git/plain/debian/patches/14-Fix-unchecked-setuid-call.patch;
                 sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh";
--- a/pkgs/tools/system/at/install.patch
+++ b/pkgs/tools/system/at/install.patch
@ -20,7 +20,7 @@
 +	$(INSTALL) -m 755 -d $(IROOT)$(sbindir)
 +	$(INSTALL) -m 755 -d $(IROOT)$(docdir)
 +	$(INSTALL) -m 755 -d $(IROOT)$(atdocdir)
-+	$(INSTALL) -m 6755 -s at $(IROOT)$(bindir)
+	$(INSTALL) -m 0755 -s at $(IROOT)$(bindir)
 	$(LN_S) -f at $(IROOT)$(bindir)/atq
 	$(LN_S) -f at $(IROOT)$(bindir)/atrm
 -	$(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir)
--- a/pkgs/tools/system/cron/default.nix
+++ b/pkgs/tools/system/cron/default.nix
@ -12,7 +12,8 @@ stdenv.mkDerivation {
  hardeningEnable = [ "pie" ];

  preBuild = ''
-    substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755
+    # do not set sticky bit in /nix/store 
+    substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 --replace 4755 0755
    makeFlags="DESTROOT=$out CC=cc"

    # We want to ignore the $glibc/include/paths.h definition of
--- a/pkgs/tools/system/logcheck/default.nix
+++ b/pkgs/tools/system/logcheck/default.nix
@ -10,6 +10,11 @@ stdenv.mkDerivation rec {
    sha256 = "1x4skb5nmv2xj8cygj8pq1rd1ws4m2fsibw54yslgdyjri4r2yq7";
  };

+  prePatch = ''
+    # do not set sticky bit in nix store.
+    substituteInPlace Makefile --replace 2750 0750
+  '';
+
  preConfigure = ''
    substituteInPlace src/logtail --replace "/usr/bin/perl" "${perl}/bin/perl"
    substituteInPlace src/logtail2 --replace "/usr/bin/perl" "${perl}/bin/perl"