summary refs log tree commit diff
diff options
context:
space:
mode:
authorJosé Romildo Malaquias <malaquias@gmail.com>2020-05-14 08:37:55 -0300
committerJosé Romildo Malaquias <malaquias@gmail.com>2020-05-24 00:22:53 -0300
commitfa8bd535fc659c7d2ce5d271c5002c83659ebc0a (patch)
tree205c1d191e955e8b3ddcbbcceeb5771fdfd390c9
parenteec1f2ac5372c9b9148368a7ee4a5c3b2b358ff7 (diff)
downloadnixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar.gz
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar.bz2
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar.lz
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar.xz
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.tar.zst
nixpkgs-fa8bd535fc659c7d2ce5d271c5002c83659ebc0a.zip
enlightenment.enlightenment: fix setuid wrappers
Diffstat
-rw-r--r--nixos/modules/services/x11/desktop-managers/enlightenment.nix7


-rw-r--r--pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch114


-rw-r--r--pkgs/desktops/enlightenment/enlightenment.nix18


-rw-r--r--pkgs/desktops/enlightenment/enlightenment.suid-exes.patch25


4 files changed, 124 insertions, 40 deletions
diff --git a/nixos/modules/services/x11/desktop-managers/enlightenment.nix b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
index ed8381f7d8d..3a7ab64510b 100644
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@@ -63,7 +63,12 @@ in
       fi
     '';
 
-    security.wrappers = (import "${e.enlightenment}/e-wrappers.nix").security.wrappers;
+    # Wrappers for programs installed by enlightenment that should be setuid
+    security.wrappers = {
+      enlightenment_ckpasswd.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_ckpasswd";
+      enlightenment_sys.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_sys";
+      enlightenment_system.source = "${pkgs.enlightenment.enlightenment}/lib/enlightenment/utils/enlightenment_system";
+    };
 
     environment.etc."X11/xkb".source = xcfg.xkbDir;
 
diff --git a/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch b/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch
new file mode 100644
index 00000000000..55a3501ef8b
--- /dev/null
+++ b/pkgs/desktops/enlightenment/0001-wrapped-setuid-executables.patch
@@ -0,0 +1,114 @@
+From a1e54ae0097a3b6a0dabf4639fe8bc594c4f602d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Romildo=20Malaquias?= <malaquias@gmail.com>
+Date: Thu, 14 May 2020 16:36:34 -0300
+Subject: [PATCH] wrapped setuid executables
+
+Installing programs with root ownership and setuid/setgid permissions
+in /nix/store is not allowed. They should be wrapped in the
+enlightenment service module, and the wrapped ones should be used
+instead.
+---
+ meson/meson_inst.sh           | 4 ++--
+ src/bin/e_auth.c              | 6 ++----
+ src/bin/e_fm/e_fm_main_eeze.c | 6 +++---
+ src/bin/e_start_main.c        | 2 +-
+ src/bin/e_system.c            | 2 +-
+ 5 files changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/meson/meson_inst.sh b/meson/meson_inst.sh
+index 321143e40..cd2399306 100755
+--- a/meson/meson_inst.sh
++++ b/meson/meson_inst.sh
+@@ -1,6 +1,6 @@
+ #!/bin/sh
+ 
+ for x in "$@" ; do
+-	chown root "$DESTDIR/$x"
+-	chmod a=rx,u+xs "$DESTDIR/$x"
++	echo TODO: chown root "$DESTDIR/$x"
++	echo TODO: chmod a=rx,u+xs "$DESTDIR/$x"
+ done
+diff --git a/src/bin/e_auth.c b/src/bin/e_auth.c
+index 8b0aa6641..63c68c4bc 100644
+--- a/src/bin/e_auth.c
++++ b/src/bin/e_auth.c
+@@ -12,8 +12,7 @@ e_auth_begin(char *passwd)
+    if (pwlen == 0) goto out;
+ 
+    snprintf(buf, sizeof(buf),
+-            "%s/enlightenment/utils/enlightenment_ckpasswd pw",
+-            e_prefix_lib_get());
++            "/run/wrappers/bin/enlightenment_ckpasswd pw");
+    exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
+    if (!exe) goto out;
+    if (ecore_exe_send(exe, passwd, pwlen) != EINA_TRUE) goto out;
+@@ -47,8 +46,7 @@ e_auth_polkit_begin(char *passwd, const char *cookie, unsigned int uid)
+    if (pwlen == 0) goto out;
+ 
+    snprintf(buf, sizeof(buf),
+-            "%s/enlightenment/utils/enlightenment_ckpasswd pk",
+-            e_prefix_lib_get());
++            "/run/wrappers/bin/enlightenment_ckpasswd pk");
+    exe = ecore_exe_pipe_run(buf, ECORE_EXE_PIPE_WRITE, NULL);
+    if (!exe) goto out;
+    snprintf(buf, sizeof(buf), "%s %u %s", cookie, uid, passwd);
+diff --git a/src/bin/e_fm/e_fm_main_eeze.c b/src/bin/e_fm/e_fm_main_eeze.c
+index 9b10b3117..0f0aa5b53 100644
+--- a/src/bin/e_fm/e_fm_main_eeze.c
++++ b/src/bin/e_fm/e_fm_main_eeze.c
+@@ -318,7 +318,7 @@ _e_fm_main_eeze_volume_eject(E_Volume *v)
+      {
+         char buf[PATH_MAX];
+ 
+-        snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++        snprintf(buf, sizeof(buf), "/run/wrappers/bin/enlightenment_sys");
+         eeze_disk_mount_wrapper_set(v->disk, buf);
+      }
+    v->guard = ecore_timer_loop_add(E_FM_EJECT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_eject_timeout, v);
+@@ -512,7 +512,7 @@ _e_fm_main_eeze_volume_unmount(E_Volume *v)
+      {
+         char buf[PATH_MAX];
+ 
+-        snprintf(buf, sizeof(buf), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++        snprintf(buf, sizeof(buf), "/run/wrappers/bin/enlightenment_sys");
+         eeze_disk_mount_wrapper_set(v->disk, buf);
+      }
+    v->guard = ecore_timer_loop_add(E_FM_UNMOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_unmount_timeout, v);
+@@ -548,7 +548,7 @@ _e_fm_main_eeze_volume_mount(E_Volume *v)
+      {
+         char buf2[PATH_MAX];
+ 
+-        snprintf(buf2, sizeof(buf2), "%s/enlightenment/utils/enlightenment_sys", eina_prefix_lib_get(pfx));
++        snprintf(buf2, sizeof(buf2), "/run/wrappers/bin/enlightenment_sys");
+         eeze_disk_mount_wrapper_set(v->disk, buf2);
+      }
+    v->guard = ecore_timer_loop_add(E_FM_MOUNT_TIMEOUT, (Ecore_Task_Cb)_e_fm_main_eeze_vol_mount_timeout, v);
+diff --git a/src/bin/e_start_main.c b/src/bin/e_start_main.c
+index 8534a7a8e..f0f0061a4 100644
+--- a/src/bin/e_start_main.c
++++ b/src/bin/e_start_main.c
+@@ -709,7 +709,7 @@ main(int argc, char **argv)
+             "E_ALERT_FONT_DIR=%s/data/fonts", eina_prefix_data_get(pfx));
+    putenv(buf2);
+    snprintf(buf3, sizeof(buf3),
+-            "E_ALERT_SYSTEM_BIN=%s/enlightenment/utils/enlightenment_system", eina_prefix_lib_get(pfx));
++            "E_ALERT_SYSTEM_BIN=/run/wrappers/bin/enlightenment_system");
+    putenv(buf3);
+ 
+    if ((valgrind_mode || valgrind_tool) &&
+diff --git a/src/bin/e_system.c b/src/bin/e_system.c
+index 1e7aabb64..5084933a1 100644
+--- a/src/bin/e_system.c
++++ b/src/bin/e_system.c
+@@ -132,7 +132,7 @@ _system_spawn(void)
+    else _respawn_count = 0;
+    if (_respawn_count > 5) return;
+    snprintf(buf, sizeof(buf),
+-            "%s/enlightenment/utils/enlightenment_system", e_prefix_lib_get());
++            "/run/wrappers/bin/enlightenment_system");
+    _system_exe = ecore_exe_pipe_run
+      (buf, ECORE_EXE_NOT_LEADER | ECORE_EXE_TERM_WITH_PARENT |
+       ECORE_EXE_PIPE_READ | ECORE_EXE_PIPE_WRITE, NULL);
+-- 
+2.26.2
+
diff --git a/pkgs/desktops/enlightenment/enlightenment.nix b/pkgs/desktops/enlightenment/enlightenment.nix
index 7eb9c66b312..833a3ba29ac 100644
--- a/pkgs/desktops/enlightenment/enlightenment.nix
+++ b/pkgs/desktops/enlightenment/enlightenment.nix
@@ -48,20 +48,10 @@ stdenv.mkDerivation rec {
   ;
 
   patches = [
-    # Some programs installed by enlightenment (to set the cpu frequency,
-    # for instance) need root ownership and setuid/setgid permissions, which
-    # are not allowed for files in /nix/store. Instead of allowing the
-    # installer to try to do this, the file $out/e-wrappers.nix is created,
-    # containing the needed configuration for wrapping those programs. It
-    # can be used in the enlightenment module. The idea is:
-    #
-    #  1) rename the original binary adding the extension .orig
-    #  2) wrap the renamed binary at /run/wrappers/bin/
-    #  3) create a new symbolic link using the original binary name (in the
-    #     original directory where enlightenment wants it) pointing to the
-    #     wrapper
-
-    ./enlightenment.suid-exes.patch
+    # Executables cannot be made setuid in nix store. They should be
+    # wrapped in the enlightenment service module, and the wrapped
+    # executables should be used instead.
+    ./0001-wrapped-setuid-executables.patch
   ];
 
   postPatch = ''
diff --git a/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch b/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch
deleted file mode 100644
index f53f6ffa7ca..00000000000
--- a/pkgs/desktops/enlightenment/enlightenment.suid-exes.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- enlightenment-0.22.0.orig/meson/meson_inst.sh	2017-09-25 10:55:43.000000000 -0300
-+++ enlightenment-0.22.0/meson/meson_inst.sh	2017-11-15 08:31:03.336844920 -0200
-@@ -1,6 +1,19 @@
--#!/bin/sh
-+#!/bin/sh -x
-+
-+w="$out"/e-wrappers.nix
-+
-+echo "# Wrappers for programs installed by enlightenment that should be setuid" > $w
-+echo "" >> $w
-+echo "{" >> $w
-+echo "  security.wrappers = {" >> $w
- 
- for x in "$@" ; do
--	chown root "$DESTDIR/$x"
--	chmod a=rx,u+xs "$DESTDIR/$x"
-+	f="$DESTDIR$x";
-+	b=$(basename "$f".orig)
-+	mv -v "$f" "$f".orig
-+	ln -sv /run/wrappers/bin/"$b" "$f"
-+	echo "    \"$b\".source = \"$f.orig\";" >> $w
- done
-+
-+echo "  };" >> $w
-+echo "}" >> $w

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-17 18:19:23 +0000