GNU bug report logs - #48986
[PATCH] gnu: opendoas: Fix restricted path "safepath".


Package: guix-patches;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Sat, 12 Jun 2021 21:25:03 UTC

Severity: normal

Tags: patch

Done: Brice Waegeneire <brice <at> waegenei.re>


Report forwarded to guix-patches <at> gnu.org:
bug#48986; Package guix-patches. (Sat, 12 Jun 2021 21:25:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Brice Waegeneire <brice <at> waegenei.re>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 12 Jun 2021 21:25:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: opendoas: Fix restricted path "safepath".
Date: Sat, 12 Jun 2021 23:24:42 +0200
OpenDoas looks for binaries in safepath when a rule specifies a relative
command, such as “permit keepenv :wheel cmd guix”.

* gnu/packages/admin.scm (opendoas)[phases]: Rename 'fix-install' phase
to 'pre-configure', run it before 'configure' and add a substitution for
safepath.
---
 gnu/packages/admin.scm | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 12eb659039..80d12fc2a3 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -41,6 +41,7 @@
 ;;; Copyright © 2021 Hyunseok Kim <lasnesne <at> lagunposprasihopre.org>
 ;;; Copyright © 2021 David Larsson <david.larsson <at> selfhosted.xyz>
 ;;; Copyright © 2021 WinterHound <winterhound <at> yandex.com>
+;;; Copyright © 2021 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -1699,18 +1700,25 @@ commands and their arguments.")
     (arguments
      `(#:phases
        (modify-phases %standard-phases
+         (add-before 'configure 'pre-configure
+           (lambda* (#:key outputs #:allow-other-keys)
+             (substitute* "GNUmakefile"
+               (("^\tchown.*$") ""))
+             (substitute* "doas.c"
+               (("safepath =" match)
+                (string-append match " \""
+                               "/run/setuid-programs:"
+                               "/run/current-system/profile/bin:"
+                               "/run/current-system/profile/sbin:"
+                               "\" ")))
+             #t))
          (replace 'configure
            ;; The configure script doesn't accept most of the default flags.
            (lambda* (#:key configure-flags #:allow-other-keys)
              ;; The configure script can be told which compiler to use only
              ;; through environment variables.
              (setenv "CC" ,(cc-for-target))
-             (apply invoke "./configure" configure-flags)))
-         (add-before 'install 'fix-makefile
-           (lambda* (#:key outputs #:allow-other-keys)
-             (substitute* "GNUmakefile"
-               (("^\tchown.*$") ""))
-             #t)))
+             (apply invoke "./configure" configure-flags))))
        #:configure-flags
        (list (string-append "--prefix=" (assoc-ref %outputs "out"))
              "--with-timestamp")
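Review bot: the ChangeLog entry in the commit message says the 'fix-install' phase is renamed, but the phase this hunk removes is 'fix-makefile' (`-         (add-before 'install 'fix-makefile`); please make the message match the code. The doas.c substitution also needs a comment in place: it inserts a quoted literal right after `safepath =` and ends it with `"\" "`, so it presumably relies on C adjacent string literal concatenation with the upstream default literal that follows, giving the Guix directories (`/run/setuid-programs` first, then the system profile `bin` and `sbin`) precedence over upstream's entries while keeping them; that silently breaks if the upstream line is not shaped that way, and the unanchored pattern `("safepath =" match)` will rewrite every occurrence of that text in the file, so a sentence explaining the intent and the assumption belongs right above `(substitute* "doas.c"`. Minor: 'pre-configure' no longer says what the phase does; something like 'fix-makefile-and-safepath' would be more descriptive.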
-- 
2.31.1
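The lookup the commit message describes, as an added example that is not part of the patch or of OpenDoas: a Python model of the doas.c substitution and of a safepath search, using a constructed upstream `safepath =` line and a constructed set of installed binaries (the real default path string in doas.c may differ).

```python
import re
from typing import Optional

# Constructed stand-in for the upstream doas.c line the Guix phase rewrites
# (not the real file; upstream's default path string may differ).
UPSTREAM_LINE = 'safepath = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";'

# The literal the patch inserts, with the same trailing ':' as in admin.scm.
GUIX_PREFIX = ("/run/setuid-programs:"
               "/run/current-system/profile/bin:"
               "/run/current-system/profile/sbin:")


def apply_guix_substitution(line: str) -> str:
    """Mirror (substitute* "doas.c" (("safepath =" match) ...)): put a quoted
    literal right after 'safepath =' and leave the upstream literal after it,
    so the C compiler concatenates the two adjacent string literals."""
    return re.sub(r"safepath =",
                  lambda m: m.group(0) + ' "' + GUIX_PREFIX + '" ',
                  line, count=1)


def effective_safepath(line: str) -> list:
    """Join the adjacent C string literals on the right-hand side the way the
    compiler would, then split on ':' to get the directory search order."""
    rhs = line.split("=", 1)[1]
    literals = re.findall(r'"((?:[^"\\]|\\.)*)"', rhs)
    return "".join(literals).split(":")


def resolve(cmd: str, safepath: list, existing: set) -> Optional[str]:
    """Toy model of a safepath lookup for a relative command: the first
    directory in safepath that holds cmd wins.  `existing` is a constructed
    set of absolute file paths standing in for the filesystem."""
    for directory in safepath:
        candidate = f"{directory}/{cmd}"
        if candidate in existing:
            return candidate
    return None


if __name__ == "__main__":
    installed = {"/run/current-system/profile/bin/guix", "/usr/bin/env"}
    before = effective_safepath(UPSTREAM_LINE)
    after = effective_safepath(apply_guix_substitution(UPSTREAM_LINE))
    # Without the patch a rule like "cmd guix" cannot find the Guix binary.
    print("before:", resolve("guix", before, installed))
    print("after: ", resolve("guix", after, installed))
```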





Information forwarded to guix-patches <at> gnu.org:
bug#48986; Package guix-patches. (Wed, 16 Jun 2021 20:54:01 GMT) Full text and rfc822 format available.

Message #8 received at 48986 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: 48986 <at> debbugs.gnu.org
Subject: Re: bug#48986: [PATCH] gnu: opendoas: Fix restricted path "safepath".
Date: Wed, 16 Jun 2021 22:53:28 +0200
Hi Brice,

Brice Waegeneire <brice <at> waegenei.re> wrote:

> OpenDoas looks for binaries in safepath when a rule specifies a relative
> command, such as “permit keepenv :wheel cmd guix”.
>
> * gnu/packages/admin.scm (opendoas)[phases]: Rename 'fix-install' phase
> to 'pre-configure', run it before 'configure' and add a substitution for
> safepath.

You could maybe move the comment above to admin.scm, right above
(substitute* "doas.c" …).

Otherwise LGTM, thanks!

Ludo’.




Reply sent to Brice Waegeneire <brice <at> waegenei.re>:
You have taken responsibility. (Sat, 19 Jun 2021 21:49:01 GMT) Full text and rfc822 format available.

Notification sent to Brice Waegeneire <brice <at> waegenei.re>:
bug acknowledged by developer. (Sat, 19 Jun 2021 21:49:02 GMT) Full text and rfc822 format available.

Message #13 received at 48986-done <at> debbugs.gnu.org (full text, mbox):

From: Brice Waegeneire <brice <at> waegenei.re>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 48986-done <at> debbugs.gnu.org
Subject: Re: bug#48986: [PATCH] gnu: opendoas: Fix restricted path "safepath".
Date: Sat, 19 Jun 2021 23:48:39 +0200
Ludo’,

Thank you for the review.

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi Brice,
>
> Brice Waegeneire <brice <at> waegenei.re> wrote:
>
>> OpenDoas looks for binaries in safepath when a rule specifies a relative
>> command, such as “permit keepenv :wheel cmd guix”.
>>
>> * gnu/packages/admin.scm (opendoas)[phases]: Rename 'fix-install' phase
>> to 'pre-configure', run it before 'configure' and add a substitution for
>> safepath.
>
> You could maybe move the comment above to admin.scm, right above
> (substitute* "doas.c" …).

Done.

> Otherwise LGTM, thanks!

Pushed as eb939109b9c06a09e1534a403745bd362b653d95.

Cheers,
- Brice




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 18 Jul 2021 11:24:09 GMT) Full text and rfc822 format available.
