From patchwork Wed Apr 20 08:49:13 2022
X-Patchwork-Submitter: Alexey Abramov
X-Patchwork-Id: 38700
Subject: [bug#55034] [PATCH 1/1] gnu: openssh: Trust /gnu/store directory
From: Alexey Abramov
To: 55034@debbugs.gnu.org
Date: Wed, 20 Apr 2022 10:49:13 +0200
Message-Id: <20220420084913.4113-1-levenson@mmer.org>
References: <20220420084724.3514-1-levenson@mmer.org>
In-Reply-To: <20220420084724.3514-1-levenson@mmer.org>
X-Mailer: git-send-email 2.34.0
X-GNU-PR-Message: followup 55034
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
Reply-to: Alexey Abramov X-ACL-Warn: , Alexey Abramov via Guix-patches X-Patchwork-Original-From: Alexey Abramov via Guix-patches via From: Alexey Abramov X-getmail-retrieved-from-mailbox: Patches * gnu/local.mk (dist_patch_DATA): Add the patch * gnu/packages/patches/openssh-trust-gnu-store-directory.patch: Patch it * gnu/packages/ssh.scm (openssh[source]): Use it. --- gnu/local.mk | 1 + .../openssh-trust-gnu-store-directory.patch | 35 +++++++++++++++++++ gnu/packages/ssh.scm | 3 +- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssh-trust-gnu-store-directory.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0e721236d9..449a990846 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1569,6 +1569,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjdk-15-xcursor-no-dynamic.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openssh-hurd.patch \ + %D%/packages/patches/openssh-trust-gnu-store-directory.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/openrgb-unbundle-hueplusplus.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-trust-gnu-store-directory.patch b/gnu/packages/patches/openssh-trust-gnu-store-directory.patch new file mode 100644 index 0000000000..b50dc8fd6a --- /dev/null +++ b/gnu/packages/patches/openssh-trust-gnu-store-directory.patch 
@@ -0,0 +1,35 @@ +From a840e4b10961fb2b1b6b0f93e5b2b367887ed691 Mon Sep 17 00:00:00 2001 +From: Alexey Abramov +Date: Sun, 21 Nov 2021 12:21:28 +0100 +Subject: [PATCH] Trust /gnu/store directory + +--- + misc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/misc.c b/misc.c +index 0134d69..01f1660 100644 +--- a/misc.c ++++ b/misc.c +@@ -2146,6 +2146,7 @@ int + safe_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) + { ++ static const char gnu_store[] = "/gnu/store"; + char buf[PATH_MAX], homedir[PATH_MAX]; + char *cp; + int comparehome = 0; +@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + } + strlcpy(buf, cp, sizeof(buf)); + ++ /* If are past the Guix /gnu/store then we can stop */ ++ if (strcmp(gnu_store, buf) == 0) ++ break; ++ + if (stat(buf, &st) == -1 || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || + (st.st_mode & 022) != 0) { +-- +2.33.1 + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 8a61b6e97a..8dd7f1727a 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -189,7 +189,8 @@ (define-public openssh (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch")) + (patches (search-patches "openssh-hurd.patch" + "openssh-trust-gnu-store-directory.patch")) (sha256 (base32 "1ry5prcax0134v6srkgznpl9ch5snkgq7yvjqvd8c5mbnxa7cjgx"))))
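Review bot: the ChangeLog lines above the gnu/local.mk hunk do not use the usual Guix wording for a new patch file; "openssh-trust-gnu-store-directory.patch: Patch it" should be "openssh-trust-gnu-store-directory.patch: New file." and the local.mk entry is normally "(dist_patch_DATA): Add it." More importantly, neither the commit message nor the embedded patch header ("Subject: [PATCH] Trust /gnu/store directory", with an empty body) says which of safe_path()'s checks fails for the store on a Guix system (the ownership test or the `(st.st_mode & 022) != 0` mode test that the new `break` skips). Please state the failing check and the user-visible symptom, so a later reviewer can judge whether exempting the directory is still needed when OpenSSH is updated.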
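Review bot: in the first misc.c hunk the store path is hardcoded as `static const char gnu_store[] = "/gnu/store";`, while Guix lets the store directory be configured (`%store-directory`). A build with a non-default store prefix would simply never match and keep the full checks, which fails closed, but it also silently loses the fix. Consider having the package definition substitute the configured store directory into this string at build time, or at least note in the patch header that only the default /gnu/store is covered.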
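Review bot: in the second misc.c hunk the new `if (strcmp(gnu_store, buf) == 0) break;` sits before the `stat(buf, &st)` ownership-and-mode check that follows it, so once the upward walk reaches /gnu/store that directory, and everything above it, is left completely uninspected. If the intent is only to tolerate the store's mode bits, a narrower exemption would still stat() the directory and require `platform_sys_dir_uid(st.st_uid)` (or `st.st_uid == uid`) before breaking, skipping only the `022` mode test; that keeps a root-ownership guarantee on the path prefix that is being trusted. Minor: the comment reads "If are past the Guix /gnu/store", which is missing "we" ("If we are past ...").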