public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

monkeysphere: Patch OpenSSH to run the tests in the sandbox

Browse Source
This commit is contained in:
Michael Weiss 2018-12-20 16:41:00 +01:00
parent 1b84b9f725
commit ca0c253a80
2 changed files with 40 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
pkgs/tools/security/monkeysphere/default.nix
View File

@ -2,13 +2,23 @@
, perl, libassuan, libgcrypt , perl, libassuan, libgcrypt
, perlPackages, lockfileProgs, gnupg, coreutils , perlPackages, lockfileProgs, gnupg, coreutils
# For the tests: # For the tests:
, bash, openssh, which, socat, cpio, hexdump , bash, openssh, which, socat, cpio, hexdump, openssl
}: }:
stdenv.mkDerivation rec { let
# A patch is needed to run the tests inside the Nix sandbox:
# /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
# sshd: "User nixbld not allowed because shell /noshell does not exist"
opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
});
in stdenv.mkDerivation rec {
name = "monkeysphere-${version}"; name = "monkeysphere-${version}";
version = "0.42"; version = "0.42";
# The patched OpenSSH binary MUST NOT be used (except in the check phase):
disallowedRequisites = [ opensshUnsafe ];
src = fetchurl { src = fetchurl {
url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz"; url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1"; sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ makeWrapper ]; nativeBuildInputs = [ makeWrapper ];
buildInputs = [ perl libassuan libgcrypt ] buildInputs = [ perl libassuan libgcrypt ]
++ stdenv.lib.optional doCheck ++ stdenv.lib.optional doCheck
([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++ ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
(with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ])); (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
makeFlags = '' makeFlags = ''
@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
DESTDIR=$(out) DESTDIR=$(out)
''; '';
# The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run # The tests should be run (and succeed) when making changes to this package
# inside of the sandbox, because nixbld isn't allowed to login via SSH # but they aren't enabled by default because they "drain" entropy (GnuPG
# (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell", # still uses /dev/random).
# sshd: "User nixbld not allowed because shell /noshell does not exist").
doCheck = false; doCheck = false;
preCheck = '' preCheck = stdenv.lib.optionalString doCheck ''
patchShebangs tests/ patchShebangs tests/
patchShebangs src/ patchShebangs src/
sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic sed -i \
-e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
-e "s,/bin/true,${coreutils}/bin/true," \
-e "s,/bin/false,${coreutils}/bin/false," \
-e "s,openssl\ req,${openssl}/bin/openssl req," \
tests/basic
sed -i "s/<(hd/<(hexdump/" tests/keytrans sed -i "s/<(hd/<(hexdump/" tests/keytrans
''; '';

17
pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch Normal file
View File

@ -0,0 +1,17 @@
diff --git a/auth.c b/auth.c
index d2a8cd65..811a129f 100644
--- a/auth.c
+++ b/auth.c
@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
#endif
pw = getpwnam(user);
+ if (pw != NULL) {
+ // This is only for testing purposes,
+ // DO NOT USE THIS PATCH IN PRODUCTION!
+ char *shell = "/bin/sh";
+ pw->pw_shell = shell;
+ }
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_restoreauthdb();