summary refs log blame commit diff
path: root/pkgs/tools/security/sudo-rs/default.nix
blob: 3cda1cde8322ccc42f823674cb5b97b827df4e6f (plain) (tree) 
a6616e7d712 ^



fd8e069585e ^

a6616e7d712 ^

fdd277ba618 ^

7b5b3f51243 ^

a6616e7d712 ^





















fd8e069585e ^









a6616e7d712 ^







































7b5b3f51243 ^




fdd277ba618 ^

a6616e7d712 ^









1
2
3

4

5

6

7

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

29
30
31
32
33
34
35
36
37

38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

77
78
79
80

81

82
83
84
85
86
87
88
89
90



                 
            
                   
                   
            




















                                                                    








                                                                                                     






































                                                                 



                                         
 








                                                                 
{ lib
, bash
, fetchFromGitHub
, fetchpatch
, installShellFiles
, nix-update-script
, nixosTests
, pam
, pandoc
, rustPlatform
}:

rustPlatform.buildRustPackage rec {
  pname = "sudo-rs";
  version = "0.2.0";

  src = fetchFromGitHub {
    owner = "memorysafety";
    repo = "sudo-rs";
    rev = "v${version}";
    hash = "sha256-Kk5D3387hdl6eGWTSV003r+XajuDh6YgHuqYlj9NnaQ=";
  };
  cargoHash = "sha256-yeMK37tOgJcs9pW3IclpR5WMXx0gMDJ2wcmInxJYbQ8=";

  nativeBuildInputs = [ installShellFiles pandoc ];

  buildInputs = [ pam ];

  patches = [
    (fetchpatch {
      # @R-VdP's patch to work with NixOS' suid wrappers
      name = "Skip self_check when executed as root.patch";
      url = "https://github.com/R-VdP/sudo-rs/commit/a44541dcb36b94f938daaed66b3ff06cfc1c2b40.patch";
      hash = "sha256-PdmOqp/NDjFy8ve4jEOi58e0N9xUnaVKioQwdC5Jf1U=";
    })
  ];

  # Don't attempt to generate the docs in a (pan)Docker container
  postPatch = ''
    substituteInPlace util/generate-docs.sh \
      --replace "/usr/bin/env bash" ${lib.getExe bash} \
      --replace util/pandoc.sh pandoc
  '';

  postInstall = ''
    ./util/generate-docs.sh
    installManPage target/docs/man/*
  '';

  checkFlags = map (t: "--skip=${t}") [
    # Those tests make path assumptions
    "common::command::test::test_build_command_and_args"
    "common::context::tests::test_build_context"
    "common::resolve::test::canonicalization"
    "common::resolve::tests::test_resolve_path"
    "system::tests::kill_test"

    # Assumes $SHELL is an actual shell
    "su::context::tests::su_to_root"

    # Attempts to access /etc files from the build sandbox
    "system::audit::test::secure_open_is_predictable"

    # Assume there is a `daemon` user and group
    "system::interface::test::test_unix_group"
    "system::interface::test::test_unix_user"
    "system::tests::test_get_user_and_group_by_id"

    # This expects some PATH_TZINFO environment var
    "env::environment::tests::test_tzinfo"

    # Unsure why those are failing
    "env::tests::test_environment_variable_filtering"
    "su::context::tests::invalid_shell"
  ];

  passthru = {
    updateScript = nix-update-script { };
    tests = nixosTests.sudo-rs;
  };

  meta = with lib; {
    description = "A memory safe implementation of sudo and su.";
    homepage = "https://github.com/memorysafety/sudo-rs";
    changelog = "${meta.homepage}/blob/v${version}/CHANGELOG.md";
    license = with licenses; [ asl20 mit ];
    maintainers = with maintainers; [ nicoo ];
    platforms = platforms.linux;
  };
}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-28 20:24:55 +0000