From 0d92084f756032ae7f23ebed9873a2a5cd15d16f Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 06:40:48 -0500 Subject: [PATCH 01/24] at: Don't set fancy bits on install --- pkgs/tools/system/at/install.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/system/at/install.patch b/pkgs/tools/system/at/install.patch index 0297d680aa4..35be4af875a 100644 --- a/pkgs/tools/system/at/install.patch +++ b/pkgs/tools/system/at/install.patch @@ -20,7 +20,7 @@ + $(INSTALL) -m 755 -d $(IROOT)$(sbindir) + $(INSTALL) -m 755 -d $(IROOT)$(docdir) + $(INSTALL) -m 755 -d $(IROOT)$(atdocdir) -+ $(INSTALL) -m 6755 -s at $(IROOT)$(bindir) ++ $(INSTALL) -m 0755 -s at $(IROOT)$(bindir) $(LN_S) -f at $(IROOT)$(bindir)/atq $(LN_S) -f at $(IROOT)$(bindir)/atrm - $(INSTALL) -g root -o root -m 755 batch $(IROOT)$(bindir) From 3d5409ac970d624e5c75708e0176ca2e8b3b59b9 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 06:44:14 -0500 Subject: [PATCH 02/24] cron: don't set special permissions --- pkgs/tools/system/cron/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 910bee727bb..13e55405d70 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { hardeningEnable = [ "pie" ]; preBuild = '' - substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 + substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 --replace 4755 0755 makeFlags="DESTROOT=$out CC=cc" # We want to ignore the $glibc/include/paths.h definition of From 714cd37b2150407960305d789d759d5191750b51 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 06:48:04 -0500 Subject: [PATCH 03/24] logcheck: Don't set special permissions --- pkgs/tools/system/logcheck/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
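Review bot: The added `--replace 4755 0755` in cron's preBuild (like the `--replace 111 755` already on that line) is a literal substring replacement over the whole Makefile, and substituteInPlace of this vintage does not fail when a pattern no longer matches, so an upstream change to how the mode is spelled would silently drop the fix and the setuid request would come back at install time. The same unanchored pattern is used for logcheck (`2750 0750`), udevil (`4755 0755`), uucp (`4555 0555`), super (`04755 755`), xsokoban, rewritefs (`6755 0755`) and sudo (`04755 0755`). If the Makefile passes the mode as an install argument, anchoring on that text narrows the match, e.g. `--replace '-m 4755' '-m 0755'` (adjusted to the actual spelling, which is not visible here), and a guard in the same phase makes a no-match fail loudly: `if grep -q 4755 Makefile; then exit 1; fi`.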
diff --git a/pkgs/tools/system/logcheck/default.nix b/pkgs/tools/system/logcheck/default.nix index 40cee73dcd2..d551738b1f3 100644 --- a/pkgs/tools/system/logcheck/default.nix +++ b/pkgs/tools/system/logcheck/default.nix @@ -10,6 +10,10 @@ stdenv.mkDerivation rec { sha256 = "1x4skb5nmv2xj8cygj8pq1rd1ws4m2fsibw54yslgdyjri4r2yq7"; }; + prePatch = '' + substituteInPlace Makefile --replace 2750 0750 + ''; + preConfigure = '' substituteInPlace src/logtail --replace "/usr/bin/perl" "${perl}/bin/perl" substituteInPlace src/logtail2 --replace "/usr/bin/perl" "${perl}/bin/perl" From 4d57153659a2c3a47aa297a396f04a6c62d6efbb Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 06:51:16 -0500 Subject: [PATCH 04/24] logkeys: Don't chmod u+s --- pkgs/tools/security/logkeys/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/security/logkeys/default.nix b/pkgs/tools/security/logkeys/default.nix index b856308712f..2d58bcc9a23 100644 --- a/pkgs/tools/security/logkeys/default.nix +++ b/pkgs/tools/security/logkeys/default.nix @@ -15,6 +15,7 @@ stdenv.mkDerivation rec { postPatch = '' substituteInPlace src/Makefile.in --replace 'root' '$(id -u)' substituteInPlace configure --replace '/dev/input' '/tmp' + sed -i '/chmod u+s/d' src/Makefile.in ''; meta = with stdenv.lib; { From 98b2e4816f0f2d638268f896bd79c69c28a4fe77 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 06:54:39 -0500 Subject: [PATCH 05/24] udevil: minor cleanup, fix setuid/setgid problems --- pkgs/applications/misc/udevil/default.nix | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/pkgs/applications/misc/udevil/default.nix b/pkgs/applications/misc/udevil/default.nix index 8ce683ec908..83ebef7f10d 100644 --- a/pkgs/applications/misc/udevil/default.nix +++ b/pkgs/applications/misc/udevil/default.nix 
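Review bot: `sed -i '/chmod u+s/d' src/Makefile.in` deletes every line that mentions `chmod u+s`, which is only safe if the chmod sits alone on its recipe line; if it is joined to another command with `&&` or `;`, or is part of a backslash-continued line, the deletion also drops the neighbouring command or leaves a broken recipe. The same whole-line deletion is used for torque (`-e '/chmod u+s/d'`), rssh (`sed -i '/chmod u+s/d' Makefile.in`) and uucp (`sed -i '/chown $(OWNER)/d'`), and none of the affected Makefiles are visible here, so it is worth confirming each match is a standalone line. Where the rest of the line is just the operand, `sed -i 's/chmod u+s/true/' src/Makefile.in` neutralises the command without changing line structure.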
@@ -7,8 +7,8 @@ stdenv.mkDerivation { }; buildInputs = [ intltool glib pkgconfig udev ]; configurePhase = '' - substituteInPlace src/Makefile.am --replace "-o root -g root" "" substituteInPlace src/Makefile.in --replace "-o root -g root" "" + substituteInPlace src/Makefile.in --replace 4755 0755 ./configure \ --prefix=$out \ --with-mount-prog=${utillinux}/bin/mount \ @@ -17,10 +17,6 @@ stdenv.mkDerivation { --with-setfacl-prog=${acl.bin}/bin/setfacl \ --sysconfdir=$prefix/etc ''; - preConfigure = '' - cat src/Makefile.am - exit 2 - ''; patches = [ ./device-info-sys-stat.patch ]; meta = { description = "A command line Linux program which mounts and unmounts removable devices without a password, shows device info, and monitors device changes"; From b6caf109897f5860999d73680048640fd8525776 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:04:54 -0500 Subject: [PATCH 06/24] xconq: don't set special perms on install --- pkgs/games/xconq/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index e6e23752953..4bb39762939 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -26,6 +26,7 @@ stdenv.mkDerivation rec { # Fix Makefiles find . -name 'Makefile.in' -exec sed -re 's@^ ( *)(cd|[&][&])@ \1\2@' -i '{}' ';' find . -name 'Makefile.in' -exec sed -e '/chown/d; /chgrp/d' -i '{}' ';' + find . -name 'Makefile.in' -exec sed -e 's/04755/755/g' -i '{}' ';' sed -e '/^ * *[$][(]tcltkdir[)]\/[*][.][*]/d' -i tcltk/Makefile.in # Fix C files From 5d0a8792a745418b7f47b82c8ad32acee58a069d Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:11:02 -0500 Subject: [PATCH 07/24] uucp: Don't chown to 'uucp' user, don't set special perms --- pkgs/tools/misc/uucp/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index 4ef050b409e..39368da68be 100644 
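Review bot: `sed -e 's/04755/755/g'` in xconq rewrites the mode to a three-digit `755`, whereas the rest of the series settles on a four-digit `0755` (at, cron, udevil, xsokoban, rewritefs, sudo); super's `--replace 04755 755` does the same. Both spellings mean the same thing to `install -m` and `chmod`, so this is consistency only, but a uniform `0755` makes the intent (clearing the high bits rather than trimming a leading zero) obvious and easier to grep for later: `s/04755/0755/g`.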
--- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -10,6 +10,12 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" ]; + prePatch = '' + substituteInPlace Makefile.in \ + --replace 4555 0555 + sed -i '/chown $(OWNER)/d' Makefile.in + ''; + meta = { description = "Unix-unix cp over serial line, also includes cu program"; From 8098e4048bbce82e37603199c56334213e103b91 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:13:54 -0500 Subject: [PATCH 08/24] super: Don't set special perms, don't chown to root --- pkgs/tools/security/super/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/tools/security/super/default.nix b/pkgs/tools/security/super/default.nix index abfdf8eedca..01e5dd4b20b 100644 --- a/pkgs/tools/security/super/default.nix +++ b/pkgs/tools/security/super/default.nix @@ -9,6 +9,12 @@ stdenv.mkDerivation rec { sha256 = "0k476f83w7f45y9jpyxwr00ikv1vhjiq0c26fgjch9hnv18icvwy"; }; + prePatch = '' + substituteInPlace Makefile.in \ + --replace "-o root" "" \ + --replace 04755 755 + ''; + patches = [ (fetchpatch { url = http://anonscm.debian.org/cgit/users/robert/super.git/plain/debian/patches/14-Fix-unchecked-setuid-call.patch; sha256 = "08m9hw4kyfjv0kqns1cqha4v5hkgp4s4z0q1rgif1fnk14xh7wqh"; From 479d9f9cd321910d49f2803f200042dde1c1a8ab Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:18:20 -0500 Subject: [PATCH 09/24] xsokoban: Don't set special bits on install --- pkgs/games/xsokoban/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/games/xsokoban/default.nix b/pkgs/games/xsokoban/default.nix index 47d05b7e3f6..2ec47d5d8b2 100644 --- a/pkgs/games/xsokoban/default.nix +++ b/pkgs/games/xsokoban/default.nix @@ -15,6 +15,10 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" ]; + prePatch = '' + substituteInPlace Makefile.in --replace 4755 0755 + ''; + preConfigure = '' sed -e 's/getline/my_getline/' -i score.c 
From 7270b9b425af84a287ed25ae6b976e3dd48696f8 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:22:20 -0500 Subject: [PATCH 10/24] rewritefs: Don't attempt to set special bits --- pkgs/os-specific/linux/rewritefs/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/os-specific/linux/rewritefs/default.nix b/pkgs/os-specific/linux/rewritefs/default.nix index 362f3edbc92..ac796c1fe58 100644 --- a/pkgs/os-specific/linux/rewritefs/default.nix +++ b/pkgs/os-specific/linux/rewritefs/default.nix @@ -13,6 +13,10 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig fuse pcre ]; + prePatch = '' + substituteInPlace Makefile --replace 6755 0755 + ''; + preConfigure = "substituteInPlace Makefile --replace /usr/local $out"; meta = with stdenv.lib; { From b20b2af59fead38ef5d7839580de95106663cbbc Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:24:39 -0500 Subject: [PATCH 11/24] unnethack: override GAMEPERM to not include special bits --- pkgs/games/unnethack/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/unnethack/default.nix b/pkgs/games/unnethack/default.nix index ae32de2e771..ea0186323c0 100644 --- a/pkgs/games/unnethack/default.nix +++ b/pkgs/games/unnethack/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-gamesdir=/tmp/unnethack" ]; + makeFlags = [ "GAMEPERM=744" ]; + postInstall = '' cp -r /tmp/unnethack $out/share/unnethack/profile mv $out/bin/unnethack $out/bin/.wrapped_unnethack From bb1e0b51de9f40639fd4b4fca57421d72fb86df7 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:27:23 -0500 Subject: [PATCH 12/24] torque: Patch out attempts to set special bits --- pkgs/servers/computing/torque/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/servers/computing/torque/default.nix b/pkgs/servers/computing/torque/default.nix index 6d0037f74bd..d0b8567c748 100644 --- a/pkgs/servers/computing/torque/default.nix 
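Review bot: `makeFlags = [ "GAMEPERM=744" ];` clears the special bits but also drops the group and other execute bits, so the installed binary is rwxr--r-- at the end of the build, unlike every other commit in this series, which lands on 0755. Whether that matters in practice depends on whether store canonicalisation later restores the execute bits for group/other (it appears to key on the owner execute bit, but confirm); either way `GAMEPERM=755` states the intent directly and matches the rest of the series. The `mv $out/bin/unnethack $out/bin/.wrapped_unnethack` in the postInstall context suggests the binary is presumably wrapped afterwards, so the final mode seen by users is set outside this hunk.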
+++ b/pkgs/servers/computing/torque/default.nix @@ -29,8 +29,9 @@ stdenv.mkDerivation rec { for f in $(find ./ -name Makefile.in); do echo patching $f... - sed -i $f -e '/PBS_MKDIRS/d' + sed -i $f -e '/PBS_MKDIRS/d' -e '/chmod u+s/d' done + ''; postInstall = '' From 7eaa7adf4e7f3e32be85dcf3bd34ffd6b4cf23be Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:31:21 -0500 Subject: [PATCH 13/24] rssh: don't set special bits --- pkgs/shells/rssh/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/shells/rssh/default.nix b/pkgs/shells/rssh/default.nix index b84f5f26685..d3ce1ff1cc2 100644 --- a/pkgs/shells/rssh/default.nix +++ b/pkgs/shells/rssh/default.nix @@ -59,6 +59,12 @@ stdenv.mkDerivation rec { }) ]; + # Run this after to avoid conflict with patches above + postPatch = '' + sed -i '/chmod u+s/d' Makefile.in + ''; + + buildInputs = [ openssh rsync cvs ]; configureFlags = [ From 5e9edcfebefb09fd208c195856b073a4e5769248 Mon Sep 17 00:00:00 2001 From: Will Dietz Date: Fri, 16 Jun 2017 07:34:53 -0500 Subject: [PATCH 14/24] hiawatha: Don't ask cmake to install w/setuid perms --- pkgs/servers/http/hiawatha/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/servers/http/hiawatha/default.nix b/pkgs/servers/http/hiawatha/default.nix index 26566b2281c..c5dd9f7a577 100644 --- a/pkgs/servers/http/hiawatha/default.nix +++ b/pkgs/servers/http/hiawatha/default.nix @@ -21,6 +21,10 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libxslt zlib libxml2 ] ++ stdenv.lib.optional enableSSL openssl ; + prePatch = '' + substituteInPlace CMakeLists.txt --replace SETUID "" + ''; + cmakeFlags = [ ( if enableSSL then "-DENABLE_TLS=on" else "-DENABLE_TLS=off" ) ( if enableMonitor then "-DENABLE_MONITOR=on" else "-DENABLE_MONITOR=off" ) From 794a4a5ce58dea4f164c53db601ef1af3bc8b2e1 Mon Sep 17 00:00:00 2001 
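Review bot: Besides the `-e '/chmod u+s/d'` expression, the torque hunk also adds an `'';` line after `done`, which terminates the enclosing preConfigure string (its opening is outside the hunk) and is not a special-bits change; if that string was previously unterminated and ran on into the `postInstall = ''` line that follows, that is a separate correctness fix the commit message should mention. The hunk header counts 8 old and 9 new lines but fewer are visible in this rendering, so the tail of the hunk may have been lost here.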
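Review bot: The rssh hunk adds two blank lines after the new postPatch block where the surrounding file uses one, and the comment `# Run this after to avoid conflict with patches above` leaves "after" unanchored. `# postPatch runs after the patches above have applied, so deleting this line cannot make them fail to apply` says what the ordering buys, and one of the two blank lines can go.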
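Review bot: `substituteInPlace CMakeLists.txt --replace SETUID ""` blanks every occurrence of the token `SETUID` in the file, not just the one in an `install(... PERMISSIONS ...)` list; if CMakeLists.txt also uses it inside a longer identifier or option name (not visible here), that name is corrupted rather than a permission dropped. Quoting the permission with its surrounding whitespace, e.g. `--replace " SETUID " " "`, or a sed scoped to the `PERMISSIONS` line, limits the blast radius. As with the numeric-mode substitutions in the rest of the series, substituteInPlace of this vintage does not report a missing match, so a later upstream rename would silently leave the setuid request in place.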
From: Will Dietz Date: Fri, 16 Jun 2017 10:41:33 -0500 Subject: [PATCH 15/24] xsokoban: Fix OWNER username quoting, maybe fix travis? --- pkgs/games/xsokoban/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/games/xsokoban/default.nix b/pkgs/games/xsokoban/default.nix index 2ec47d5d8b2..814241244e3 100644 --- a/pkgs/games/xsokoban/default.nix +++ b/pkgs/games/xsokoban/default.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { cat >>config.h < Date: Fri, 16 Jun 2017 16:20:06 -0500 Subject: [PATCH 16/24] sudo: fix attempt to set special perms --- pkgs/tools/security/sudo/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index 785ba93f137..d6d979c9914 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -14,6 +14,10 @@ stdenv.mkDerivation rec { sha256 = "07fvh8qy0l1h93lccc625f48d8yp0pkp5rjjykq13pb07ar0x64y"; }; + prePatch = '' + substituteInPlace src/Makefile.in --replace 04755 0755 + ''; + configureFlags = [ "--with-env-editor" "--with-editor=/run/current-system/sw/bin/nano" From 67655caf3707e846c754d905340cf3ff69d06b15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:37:21 +0100 Subject: [PATCH 17/24] cron: document patch --- pkgs/tools/system/cron/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 13e55405d70..4a8babfd630 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -12,6 +12,7 @@ stdenv.mkDerivation { hardeningEnable = [ "pie" ]; preBuild = '' + # do not set sticky bit in /nix/store substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 --replace 4755 0755 makeFlags="DESTROOT=$out CC=cc" From ae147e329f49f2b5c140115c1be3e787727b3d62 Mon Sep 17 00:00:00 2001 
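Review bot: The comment `# do not set sticky bit in /nix/store` names the wrong bit: 4755 is the setuid bit (04000); the sticky bit is 01000 and is not what this substitution removes. The same wording is added for logcheck (2750 is setgid), sudo and super (04755, setuid), uucp (4555, setuid), rewritefs (6755, setuid and setgid) and xconq (04755); only udevil's `# do not set setuid bit in nix store` is accurate. Suggested text for cron: `# drop the setuid bit: special bits are not preserved in /nix/store`, with `setgid` for logcheck and `setuid/setgid bits` for rewritefs. The cron comment also sits above a line that additionally strips `-o root` and rewrites mode 111, which it does not describe.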
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:38:50 +0100 Subject: [PATCH 18/24] logcheck: add remark to patch --- pkgs/tools/system/logcheck/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/system/logcheck/default.nix b/pkgs/tools/system/logcheck/default.nix index d551738b1f3..f27a0cbcb99 100644 --- a/pkgs/tools/system/logcheck/default.nix +++ b/pkgs/tools/system/logcheck/default.nix @@ -11,6 +11,7 @@ stdenv.mkDerivation rec { }; prePatch = '' + # do not set sticky bit in nix store. substituteInPlace Makefile --replace 2750 0750 ''; From 9e2f08cdc265b0752f846228712ff891d0abed28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:42:55 +0100 Subject: [PATCH 19/24] sudo: add remark to patch --- pkgs/tools/security/sudo/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix index d6d979c9914..840d24f6e67 100644 --- a/pkgs/tools/security/sudo/default.nix +++ b/pkgs/tools/security/sudo/default.nix @@ -15,6 +15,7 @@ stdenv.mkDerivation rec { }; prePatch = '' + # do not set sticky bit in nix store substituteInPlace src/Makefile.in --replace 04755 0755 ''; From cca6eb62c001f2fb5a06993979e717d04e0dcd7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:43:50 +0100 Subject: [PATCH 20/24] super: add remark to patch --- pkgs/tools/security/super/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/security/super/default.nix b/pkgs/tools/security/super/default.nix index 01e5dd4b20b..866e1f41028 100644 --- a/pkgs/tools/security/super/default.nix +++ b/pkgs/tools/security/super/default.nix @@ -10,6 +10,7 @@ stdenv.mkDerivation rec { }; prePatch = '' + # do not set sticky bit in nix store substituteInPlace Makefile.in \ --replace "-o root" "" \ --replace 04755 755 From ca6bb9098ca3f8fb8fe74de5b113478571010c7a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:44:33 +0100 Subject: [PATCH 21/24] uucp: add remark to patch --- pkgs/tools/misc/uucp/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index 39368da68be..acb42a7a8d2 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -11,6 +11,7 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" ]; prePatch = '' + # do not set sticky bit in nix store substituteInPlace Makefile.in \ --replace 4555 0555 sed -i '/chown $(OWNER)/d' Makefile.in From 878381fd4d61433ba6c880983cd127e9641d38c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:45:35 +0100 Subject: [PATCH 22/24] rewritefs: add remark to patch --- pkgs/os-specific/linux/rewritefs/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/os-specific/linux/rewritefs/default.nix b/pkgs/os-specific/linux/rewritefs/default.nix index ac796c1fe58..8ec46d64600 100644 --- a/pkgs/os-specific/linux/rewritefs/default.nix +++ b/pkgs/os-specific/linux/rewritefs/default.nix @@ -14,6 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig fuse pcre ]; prePatch = '' + # do not set sticky bit in nix store substituteInPlace Makefile --replace 6755 0755 ''; From aa49177091e7fc94b57fefef2f8e46c1ef824d03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:46:48 +0100 Subject: [PATCH 23/24] xconq: add remark to patch --- pkgs/games/xconq/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index 4bb39762939..e8e27d7afb6 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix 
@@ -26,6 +26,7 @@ stdenv.mkDerivation rec { # Fix Makefiles find . -name 'Makefile.in' -exec sed -re 's@^ ( *)(cd|[&][&])@ \1\2@' -i '{}' ';' find . -name 'Makefile.in' -exec sed -e '/chown/d; /chgrp/d' -i '{}' ';' + # do not set sticky bit in nix store find . -name 'Makefile.in' -exec sed -e 's/04755/755/g' -i '{}' ';' sed -e '/^ * *[$][(]tcltkdir[)]\/[*][.][*]/d' -i tcltk/Makefile.in From 230c0d461a7941c770f358e2b0829fe344953027 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sat, 17 Jun 2017 10:47:42 +0100 Subject: [PATCH 24/24] udevil: add remark to patch --- pkgs/applications/misc/udevil/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/misc/udevil/default.nix b/pkgs/applications/misc/udevil/default.nix index 83ebef7f10d..9a4b795061b 100644 --- a/pkgs/applications/misc/udevil/default.nix +++ b/pkgs/applications/misc/udevil/default.nix @@ -8,6 +8,7 @@ stdenv.mkDerivation { buildInputs = [ intltool glib pkgconfig udev ]; configurePhase = '' substituteInPlace src/Makefile.in --replace "-o root -g root" "" + # do not set setuid bit in nix store substituteInPlace src/Makefile.in --replace 4755 0755 ./configure \ --prefix=$out \