author | José Romildo Malaquias <malaquias@gmail.com> | 2020-05-14 08:37:55 -0300 |
---|---|---|
committer | José Romildo Malaquias <malaquias@gmail.com> | 2020-05-24 00:22:53 -0300 |
commit | fa8bd535fc659c7d2ce5d271c5002c83659ebc0a (patch) | |
tree | 205c1d191e955e8b3ddcbbcceeb5771fdfd390c9 | |
parent | eec1f2ac5372c9b9148368a7ee4a5c3b2b358ff7 (diff) | |
enlightenment.enlightenment: fix setuid wrappers
4 files changed, 124 insertions, 40 deletions
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index ed8381f7d8d..3a7ab64510b 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -63,7 +63,12 @@ in
 fi
 '';
- security.wrappers = (import "${e.enlightenment}/e-wrappers.nix").security.wrappers;
+ # Wrappers for programs installed by enlightenment that should be setuid
+ security.wrappers = {
+ enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
+ enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
+ enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
+ };
 environment.etc."X11/xkb".source = xcfg.xkbDir;
diff --git a/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch b/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch
new file mode 100644
index 00000000000..55a3501ef8b
--- /dev/null
+++ b/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch
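Review bot: The three `security.wrappers` entries set only `.source`, so whether each wrapper is actually setuid root is left to the wrappers module's defaults instead of being stated here; at the time of this change a wrapper with no `setuid`/`setgid`/`permissions`/`capabilities` key appears to be made setuid root implicitly, which is what these helpers need but is invisible to a reader of this file. I would spell the privilege out per entry, e.g. `enlightenment_sys = { source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys"; owner = "root"; group = "root"; setuid = true; };`, so that a later change to the module defaults cannot silently turn these into unprivileged wrappers and so that a reviewer can see at a glance that three setuid-root programs are being introduced. The removed `e-wrappers.nix` import derived this list from what the package's install step marked setuid; now the list lives both here and in the package patch and must be kept in sync by hand, which deserves a comment such as `# Must match the programs patched to /run/wrappers/bin in pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch`. Since `enlightenment_ckpasswd` receives the user's password on stdin, it is also worth checking whether the default `permissions` (which I believe grant o+x) are wanted or whether a tighter group-restricted mode is appropriate.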
@@ -0,0 +1,114 @@
+From a1e54ae0097a3b6a0dabf4639fe8bc594c4f602d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Romildo=20Malaquias?= <malaquias@gmail.com>
+Date: Thu, 14 May 2020 16:36:34 -0300
+Subject: [PATCH] wrapped setuid executables
+
+Installing programs with root ownership and setuid/setgid permissions
+in /nix/store is not allowed. They should be wrapped in the
+enlightenment service module, and the wrapped ones should be used
+instead.
+---
+ meson/meson_inst.sh | 4 ++--
+ src/bin/e_auth.c | 6 ++----
+ src/bin/e_fm/e_fm_main_eeze.c | 6 +++---
+ src/bin/e_start_main.c | 2 +-
+ src/bin/e_system.c | 2 +-
+ 5 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/meson/meson_inst.sh b/meson/meson_inst.sh
+index 321143e40..cd2399306 100755
+--- a/meson/meson_inst.sh
++++ b/meson/meson_inst.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+
+ for x in "$@" ; do
+- chown root "$DESTDIR/$x"
+- chmod a=rx,u+xs "$DESTDIR/$x"
++ echo TODO: chown root "$DESTDIR/$x"
++ echo TODO: chmod a=rx,u+xs "$DESTDIR/$x"
+ done
+diff --git a/src/bin/e_auth.c b/src/bin/e_auth.c
+index 8b0aa6641..63c68c4bc 100644
+--- a/src/bin/e_auth.c
++++ b/src/bin/e_auth.c
+@@ -12,8 +12,7 @@ e_auth_begin(char *passwd)
+ if (pwlen == 0) goto out;
+
+ snprintf(buf, sizeof(buf),
+- "%s/enlightenment/utils/enlightenment_ckpasswd pw",
+- e_prefix_lib_get());
++ "/run/wrappers/bin/enlightenment_ckpasswd pw");
+ exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
+ if (!exe) goto out;
+ if (ecore_exe_send(exe, passwd, pwlen) != EINA_TRUE) goto out;
+@@ -47,8 +46,7 @@ e_auth_polkit_begin(char *passwd, const char *cookie, unsigned int uid)
+ if (pwlen == 0) goto out;
+
+ snprintf(buf, sizeof(buf),
+- "%s/enlightenment/utils/enlightenment_ckpasswd pk",
+- e_prefix_lib_get());
++ "/run/wrappers/bin/enlightenment_ckpasswd pk");
+ exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
+ if (!exe) goto out;
+ snprintf(buf, sizeof(buf), "%s %u %s", cookie, uid, passwd);
+diff --git a/src/bin/e_fm/e_fm_main_eeze.c b/src/bin/e_fm/e_fm_main_eeze.c
+index 9b10b3117..0f0aa5b53 100644
+--- a/src/bin/e_fm/e_fm_main_eeze.c
++++ b/src/bin/e_fm/e_fm_main_eeze.c
+@@ -318,7 +318,7 @@ _e_fm_main_eeze_volume_eject(E_Volume *v)
+ {
+ char buf[PATH_MAX];
+
+- snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++ snprintf(buf, sizeof(buf), "/run/wrappers/bin/enlightenment_sys");
+ eeze_disk_mount_wrapper_set(v->disk, buf);
+ }
+ v->guard = ecore_timer_loop_add(E_FM_EJECT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_eject_timeout, v);
+@@ -512,7 +512,7 @@ _e_fm_main_eeze_volume_unmount(E_Volume *v)
+ {
+ char buf[PATH_MAX];
+
+- snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++ snprintf(buf, sizeof(buf), "/run/wrappers/bin/enlightenment_sys");
+ eeze_disk_mount_wrapper_set(v->disk, buf);
+ }
+ v->guard = ecore_timer_loop_add(E_FM_UNMOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_unmount_timeout, v);
+@@ -548,7 +548,7 @@ _e_fm_main_eeze_volume_mount(E_Volume *v)
+ {
+ char buf2[PATH_MAX];
+
+- snprintf(buf2, sizeof(buf2), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++ snprintf(buf2, sizeof(buf2), "/run/wrappers/bin/enlightenment_sys");
+ eeze_disk_mount_wrapper_set(v->disk, buf2);
+ }
+ v->guard = ecore_timer_loop_add(E_FM_MOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_mount_timeout, v);
+diff --git a/src/bin/e_start_main.c b/src/bin/e_start_main.c
+index 8534a7a8e..f0f0061a4 100644
+--- a/src/bin/e_start_main.c
++++ b/src/bin/e_start_main.c
+@@ -709,7 +709,7 @@ main(int argc, char **argv)
+ "E_ALERT_FONT_DIR=%s/data/fonts", eina_prefix_data_get(pfx));
+ putenv(buf2);
+ snprintf(buf3, sizeof(buf3),
+- "E_ALERT_SYSTEM_BIN=%s/enlightenment/utils/enlightenment_system", eina_prefix_lib_get(pfx));
++ "E_ALERT_SYSTEM_BIN=/run/wrappers/bin/enlightenment_system");
+ putenv(buf3);
+
+ if ((valgrind_mode || valgrind_tool) &&
+diff --git a/src/bin/e_system.c b/src/bin/e_system.c
+index 1e7aabb64..5084933a1 100644
+--- a/src/bin/e_system.c
++++ b/src/bin/e_system.c
+@@ -132,7 +132,7 @@ _system_spawn(void)
+ else _respawn_count = 0;
+ if (_respawn_count > 5) return;
+ snprintf(buf, sizeof(buf),
+- "%s/enlightenment/utils/enlightenment_system", e_prefix_lib_get());
++ "/run/wrappers/bin/enlightenment_system");
+ _system_exe = ecore_exe_pipe_run
+ (buf, ECORE_EXE_NOT_LEADER | ECORE_EXE_TERM_WITH_PARENT |
+ ECORE_EXE_PIPE_READ | ECORE_EXE_PIPE_WRITE, NULL);
+--
+2.26.2
+
diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix
index 7eb9c66b312..833a3ba29ac 100644
--- a/pkgs/desktops/enlightenment/enlightenment.nix
+++ b/pkgs/desktops/enlightenment/enlightenment.nix
@@ -48,20 +48,10 @@ stdenv.mkDerivation rec {
 ;
 patches = [
- # Some programs installed by enlightenment (to set the cpu frequency,
- # for instance) need root ownership and setuid/setgid permissions, which
- # are not allowed for files in /nix/store. Instead of allowing the
- # installer to try to do this, the file $out/e-wrappers.nix is created,
- # containing the needed configuration for wrapping those programs. It
- # can be used in the enlightenment module. The idea is:
- #
- # 1) rename the original binary adding the extension .orig
- # 2) wrap the renamed binary at /run/wrappers/bin/
- # 3) create a new symbolic link using the original binary name (in the
- # original directory where enlightenment wants it) pointing to the
- # wrapper
-
- ./enlightenment.suid-exes.patch
+ # Executables cannot be made setuid in nix store. They should be
+ # wrapped in the enlightenment service module, and the wrapped
+ # executables should be used instead.
+ ./0001-wrapped-setuid-executables.patch
 ];
 postPatch = ''
diff --git a/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch b/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch
deleted file mode 100644
index f53f6ffa7ca..00000000000
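Review bot: In the `meson/meson_inst.sh` part of the new patch the `chown`/`chmod` lines are replaced by `echo TODO: chown ...` / `echo TODO: chmod ...`, which prints an unfinished-work message on every build while the loop body does nothing; since skipping the setuid step is the deliberate design here, the script should say so instead, e.g. replace the loop with `# Ownership and setuid bits are applied by the NixOS security.wrappers module, not at install time.` followed by `exit 0`. The C side hard-codes `/run/wrappers/bin/...` at six call sites, and any remaining caller that still builds a helper path from `e_prefix_lib_get()`/`eina_prefix_lib_get()` would now exec the unprivileged store copy and fail only at runtime, so a grep for `utils/enlightenment_` across the source tree is worth doing before merging; from this hunk alone I cannot tell whether such callers exist. In `e_fm_main_eeze.c` the three `snprintf(buf, sizeof(buf), "/run/wrappers/bin/enlightenment_sys")` calls no longer have format arguments and could pass the literal straight to `eeze_disk_mount_wrapper_set`, though keeping the downstream patch minimal is a defensible reason to leave them.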
--- a/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch +++ /dev/null @@ -1,25 +0,0 @@ ---- enlightenment-0.22.0.orig/meson/meson_inst.sh 2017-09-25 10:55:43.000000000 -0300 -+++ enlightenment-0.22.0/meson/meson_inst.sh 2017-11-15 08:31:03.336844920 -0200 -@@ -1,6 +1,19 @@ --#!/bin/sh -+#!/bin/sh -x -+ -+w="$out"/e-wrappers.nix -+ -+echo "# Wrappers for programs installed by enlightenment that should be setuid" > $w -+echo "" >> $w -+echo "{" >> $w -+echo " security.wrappers = {" >> $w - - for x in "$@" ; do -- chown root "$DESTDIR/$x" -- chmod a=rx,u+xs "$DESTDIR/$x" -+ f="$DESTDIR$x"; -+ b=$(basename "$f".orig) -+ mv -v "$f" "$f".orig -+ ln -sv /run/wrappers/bin/"$b" "$f" -+ echo " \"$b\".source = \"$f.orig\";" >> $w - done -+ -+echo " };" >> $w -+echo "}" >> $w |