| 1 |
commit: 8607cad379185ee6b427dc78dcf7c5fcd90de541 |
| 2 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Feb 8 11:56:06 2018 +0000 |
| 4 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Feb 8 11:56:55 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8607cad3 |
| 7 |
|
| 8 |
sys-apps/man-db: Revump to drop seccomp again. It segfaults. |
| 9 |
|
| 10 |
Might re-add seccomp once 2.8.1 has been released. |
| 11 |
|
| 12 |
Package-Manager: Portage-2.3.24, Repoman-2.3.6 |
| 13 |
|
| 14 |
.../files/man-db-2.8.0-refactor_drop_privs.patch | 120 -------------------- |
| 15 |
.../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 --------------------- |
| 16 |
...n-db-2.8.0-r1.ebuild => man-db-2.8.0-r2.ebuild} | 7 +- |
| 17 |
3 files changed, 2 insertions(+), 251 deletions(-) |
| 18 |
|
| 19 |
diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch |
| 20 |
deleted file mode 100644 |
| 21 |
index 87db57afb9e..00000000000 |
| 22 |
--- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch |
| 23 |
+++ /dev/null |
| 24 |
@@ -1,120 +0,0 @@ |
| 25 |
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001 |
| 26 |
-From: Colin Watson <cjwatson@××××××.org> |
| 27 |
-Date: Wed, 7 Feb 2018 12:23:15 +0000 |
| 28 |
-Subject: Refactor do_system_drop_privs |
| 29 |
- |
| 30 |
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit. |
| 31 |
- |
| 32 |
-* lib/security.c (drop_privs): New function. |
| 33 |
-(do_system_drop_privs_child, do_system_drop_privs): Remove. |
| 34 |
-* lib/security.h (drop_privs): Add prototype. |
| 35 |
-(do_system_drop_privs): Remove prototype. |
| 36 |
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser |
| 37 |
-command. |
| 38 |
-(format_display): Call browser using pipeline_run rather than |
| 39 |
-do_system_drop_privs, since it now has a pre-exec hook to drop |
| 40 |
-privileges. |
| 41 |
---- |
| 42 |
- lib/security.c | 37 +++---------------------------------- |
| 43 |
- lib/security.h | 2 +- |
| 44 |
- src/man.c | 7 +++++-- |
| 45 |
- 3 files changed, 9 insertions(+), 37 deletions(-) |
| 46 |
- |
| 47 |
-diff --git a/lib/security.c b/lib/security.c |
| 48 |
-index 6e84de8..c9b365d 100644 |
| 49 |
---- a/lib/security.c |
| 50 |
-+++ b/lib/security.c |
| 51 |
-@@ -158,42 +158,11 @@ void regain_effective_privs (void) |
| 52 |
- #endif /* MAN_OWNER */ |
| 53 |
- } |
| 54 |
- |
| 55 |
--#ifdef MAN_OWNER |
| 56 |
--void do_system_drop_privs_child (void *data) |
| 57 |
-+/* Pipeline command pre-exec hook to permanently drop privileges. */ |
| 58 |
-+void drop_privs (void *data ATTRIBUTE_UNUSED) |
| 59 |
- { |
| 60 |
-- pipeline *p = data; |
| 61 |
-- |
| 62 |
-+#ifdef MAN_OWNER |
| 63 |
- if (idpriv_drop ()) |
| 64 |
- gripe_set_euid (); |
| 65 |
-- exit (pipeline_run (p)); |
| 66 |
--} |
| 67 |
--#endif /* MAN_OWNER */ |
| 68 |
-- |
| 69 |
--/* The safest way to execute a pipeline with no effective privileges is to |
| 70 |
-- * fork, permanently drop privileges in the child, run the pipeline from the |
| 71 |
-- * child, and wait for it to die. |
| 72 |
-- * |
| 73 |
-- * It is possible to use saved IDs to avoid the fork, since effective IDs |
| 74 |
-- * are copied to saved IDs on execve; we used to do this. However, forking |
| 75 |
-- * is not expensive enough to justify the extra code. |
| 76 |
-- * |
| 77 |
-- * Note that this frees the supplied pipeline. |
| 78 |
-- */ |
| 79 |
--int do_system_drop_privs (pipeline *p) |
| 80 |
--{ |
| 81 |
--#ifdef MAN_OWNER |
| 82 |
-- pipecmd *child_cmd; |
| 83 |
-- pipeline *child; |
| 84 |
-- int status; |
| 85 |
-- |
| 86 |
-- child_cmd = pipecmd_new_function ("unprivileged child", |
| 87 |
-- do_system_drop_privs_child, NULL, p); |
| 88 |
-- child = pipeline_new_commands (child_cmd, NULL); |
| 89 |
-- status = pipeline_run (child); |
| 90 |
-- |
| 91 |
-- pipeline_free (p); |
| 92 |
-- return status; |
| 93 |
--#else /* !MAN_OWNER */ |
| 94 |
-- return pipeline_run (p); |
| 95 |
- #endif /* MAN_OWNER */ |
| 96 |
- } |
| 97 |
-diff --git a/lib/security.h b/lib/security.h |
| 98 |
-index 7545502..851127d 100644 |
| 99 |
---- a/lib/security.h |
| 100 |
-+++ b/lib/security.h |
| 101 |
-@@ -27,7 +27,7 @@ |
| 102 |
- /* security.c */ |
| 103 |
- extern void drop_effective_privs (void); |
| 104 |
- extern void regain_effective_privs (void); |
| 105 |
--extern int do_system_drop_privs (struct pipeline *p); |
| 106 |
-+extern void drop_privs (void *data); |
| 107 |
- extern void init_security (void); |
| 108 |
- extern int running_setuid (void); |
| 109 |
- extern struct passwd *get_man_owner (void); |
| 110 |
-diff --git a/src/man.c b/src/man.c |
| 111 |
-index 959d6cc..ff7ebc7 100644 |
| 112 |
---- a/src/man.c |
| 113 |
-+++ b/src/man.c |
| 114 |
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file, |
| 115 |
- static pipeline *make_browser (const char *pattern, const char *file) |
| 116 |
- { |
| 117 |
- pipeline *p; |
| 118 |
-+ pipecmd *cmd; |
| 119 |
- char *browser = xmalloc (1); |
| 120 |
- int found_percent_s = 0; |
| 121 |
- char *percent; |
| 122 |
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file) |
| 123 |
- free (esc_file); |
| 124 |
- } |
| 125 |
- |
| 126 |
-- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL); |
| 127 |
-+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL); |
| 128 |
-+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL); |
| 129 |
-+ p = pipeline_new_commands (cmd, NULL); |
| 130 |
- pipeline_ignore_signals (p, 1); |
| 131 |
- free (browser); |
| 132 |
- |
| 133 |
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp, |
| 134 |
- pipeline *browser; |
| 135 |
- debug ("Trying browser: %s\n", candidate); |
| 136 |
- browser = make_browser (candidate, htmlfile); |
| 137 |
-- disp_status = do_system_drop_privs (browser); |
| 138 |
-+ disp_status = pipeline_run (browser); |
| 139 |
- if (!disp_status) |
| 140 |
- break; |
| 141 |
- } |
| 142 |
--- |
| 143 |
-cgit v1.0-41-gc330 |
| 144 |
- |
| 145 |
|
| 146 |
diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch |
| 147 |
deleted file mode 100644 |
| 148 |
index f513ee8cca6..00000000000 |
| 149 |
--- a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch |
| 150 |
+++ /dev/null |
| 151 |
@@ -1,126 +0,0 @@ |
| 152 |
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001 |
| 153 |
-From: Colin Watson <cjwatson@××××××.org> |
| 154 |
-Date: Wed, 7 Feb 2018 13:44:30 +0000 |
| 155 |
-Subject: [PATCH] Fix manconv under seccomp when man is setuid |
| 156 |
- |
| 157 |
-We must drop privileges before loading the sandbox. |
| 158 |
- |
| 159 |
-Reported by Lars Wendler. |
| 160 |
- |
| 161 |
-* src/manconv_client.c (manconv_pre_exec): New function. |
| 162 |
-(manconv_stdin): Move setuid hack to ... |
| 163 |
-(add_manconv): ... here, now implemented using a custom pre-exec hook. |
| 164 |
-We no longer have a fall-through if dropping privileges fails, since |
| 165 |
-that's now harder to do and wasn't really necessary in the first place. |
| 166 |
---- |
| 167 |
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++----------------------- |
| 168 |
- 1 file changed, 45 insertions(+), 35 deletions(-) |
| 169 |
- |
| 170 |
-diff --git a/src/manconv_client.c b/src/manconv_client.c |
| 171 |
-index d6e010b0..41ce4790 100644 |
| 172 |
---- a/src/manconv_client.c |
| 173 |
-+++ b/src/manconv_client.c |
| 174 |
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data) |
| 175 |
- struct manconv_codes *codes = data; |
| 176 |
- pipeline *p; |
| 177 |
- |
| 178 |
--#ifdef MAN_OWNER |
| 179 |
-- /* iconv_open may not work correctly in setuid processes; in GNU |
| 180 |
-- * libc, gconv modules may be linked against other gconv modules and |
| 181 |
-- * rely on RPATH $ORIGIN to load those modules from the correct |
| 182 |
-- * path, but $ORIGIN is disabled in setuid processes. It is |
| 183 |
-- * impossible to reset libc's idea of setuidness without creating a |
| 184 |
-- * whole new process image. Therefore, if the calling process is |
| 185 |
-- * setuid, we must drop privileges and execute manconv. |
| 186 |
-- * |
| 187 |
-- * If dropping privileges fails, fall through to the in-process |
| 188 |
-- * code, as in some situations it may actually manage to work. |
| 189 |
-- */ |
| 190 |
-- if (running_setuid () && !idpriv_drop ()) { |
| 191 |
-- char **from_code; |
| 192 |
-- char *sources = NULL; |
| 193 |
-- pipecmd *cmd; |
| 194 |
-- |
| 195 |
-- for (from_code = codes->from; *from_code; ++from_code) { |
| 196 |
-- sources = appendstr (sources, *from_code, NULL); |
| 197 |
-- if (*(from_code + 1)) |
| 198 |
-- sources = appendstr (sources, ":", NULL); |
| 199 |
-- } |
| 200 |
-- |
| 201 |
-- cmd = pipecmd_new_args (MANCONV, "-f", sources, |
| 202 |
-- "-t", codes->to, NULL); |
| 203 |
-- free (sources); |
| 204 |
-- |
| 205 |
-- if (quiet >= 2) |
| 206 |
-- pipecmd_arg (cmd, "-q"); |
| 207 |
-- |
| 208 |
-- pipecmd_exec (cmd); |
| 209 |
-- /* never returns */ |
| 210 |
-- } |
| 211 |
--#endif /* MAN_OWNER */ |
| 212 |
-- |
| 213 |
- p = decompress_fdopen (dup (STDIN_FILENO)); |
| 214 |
- pipeline_start (p); |
| 215 |
- manconv (p, codes->from, codes->to); |
| 216 |
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data) |
| 217 |
- pipeline_free (p); |
| 218 |
- } |
| 219 |
- |
| 220 |
-+#ifdef MAN_OWNER |
| 221 |
-+static void manconv_pre_exec (void *data) |
| 222 |
-+{ |
| 223 |
-+ /* We must drop privileges before loading the sandbox, since our |
| 224 |
-+ * seccomp filter doesn't allow setresuid and friends. |
| 225 |
-+ */ |
| 226 |
-+ drop_privs (NULL); |
| 227 |
-+ sandbox_load (data); |
| 228 |
-+} |
| 229 |
-+#endif /* MAN_OWNER */ |
| 230 |
-+ |
| 231 |
- static void free_manconv_codes (void *data) |
| 232 |
- { |
| 233 |
- struct manconv_codes *codes = data; |
| 234 |
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target) |
| 235 |
- name = appendstr (name, " -t ", codes->to, NULL); |
| 236 |
- if (quiet >= 2) |
| 237 |
- name = appendstr (name, " -q", NULL); |
| 238 |
-+ |
| 239 |
-+#ifdef MAN_OWNER |
| 240 |
-+ /* iconv_open may not work correctly in setuid processes; in GNU |
| 241 |
-+ * libc, gconv modules may be linked against other gconv modules and |
| 242 |
-+ * rely on RPATH $ORIGIN to load those modules from the correct |
| 243 |
-+ * path, but $ORIGIN is disabled in setuid processes. It is |
| 244 |
-+ * impossible to reset libc's idea of setuidness without creating a |
| 245 |
-+ * whole new process image. Therefore, if the calling process is |
| 246 |
-+ * setuid, we must drop privileges and execute manconv. |
| 247 |
-+ */ |
| 248 |
-+ if (running_setuid ()) { |
| 249 |
-+ char **from_code; |
| 250 |
-+ char *sources = NULL; |
| 251 |
-+ |
| 252 |
-+ cmd = pipecmd_new_args (MANCONV, "-f", NULL); |
| 253 |
-+ for (from_code = codes->from; *from_code; ++from_code) { |
| 254 |
-+ sources = appendstr (sources, *from_code, NULL); |
| 255 |
-+ if (*(from_code + 1)) |
| 256 |
-+ sources = appendstr (sources, ":", NULL); |
| 257 |
-+ } |
| 258 |
-+ pipecmd_arg (cmd, sources); |
| 259 |
-+ free (sources); |
| 260 |
-+ pipecmd_args (cmd, "-t", codes->to, NULL); |
| 261 |
-+ if (quiet >= 2) |
| 262 |
-+ pipecmd_arg (cmd, "-q"); |
| 263 |
-+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free, |
| 264 |
-+ sandbox); |
| 265 |
-+ free (name); |
| 266 |
-+ free_manconv_codes (codes); |
| 267 |
-+ pipeline_command (p, cmd); |
| 268 |
-+ return; |
| 269 |
-+ } |
| 270 |
-+#endif /* MAN_OWNER */ |
| 271 |
-+ |
| 272 |
- cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes, |
| 273 |
- codes); |
| 274 |
- free (name); |
| 275 |
--- |
| 276 |
-2.16.1 |
| 277 |
- |
| 278 |
|
| 279 |
diff --git a/sys-apps/man-db/man-db-2.8.0-r1.ebuild b/sys-apps/man-db/man-db-2.8.0-r2.ebuild |
| 280 |
similarity index 93% |
| 281 |
rename from sys-apps/man-db/man-db-2.8.0-r1.ebuild |
| 282 |
rename to sys-apps/man-db/man-db-2.8.0-r2.ebuild |
| 283 |
index 1ff3ca11d5c..cb7cf8d1c4e 100644 |
| 284 |
--- a/sys-apps/man-db/man-db-2.8.0-r1.ebuild |
| 285 |
+++ b/sys-apps/man-db/man-db-2.8.0-r2.ebuild |
| 286 |
@@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz" |
| 287 |
LICENSE="GPL-3" |
| 288 |
SLOT="0" |
| 289 |
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux" |
| 290 |
-IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib" |
| 291 |
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib" |
| 292 |
|
| 293 |
CDEPEND=" |
| 294 |
!sys-apps/man |
| 295 |
@@ -21,7 +21,6 @@ CDEPEND=" |
| 296 |
berkdb? ( sys-libs/db:= ) |
| 297 |
gdbm? ( sys-libs/gdbm:= ) |
| 298 |
!berkdb? ( !gdbm? ( sys-libs/gdbm:= ) ) |
| 299 |
- seccomp? ( sys-libs/libseccomp ) |
| 300 |
zlib? ( sys-libs/zlib ) |
| 301 |
" |
| 302 |
DEPEND=" |
| 303 |
@@ -40,8 +39,6 @@ RDEPEND=" |
| 304 |
PDEPEND="manpager? ( app-text/manpager )" |
| 305 |
|
| 306 |
PATCHES=( |
| 307 |
- "${FILESDIR}/${P}-refactor_drop_privs.patch" |
| 308 |
- "${FILESDIR}/${P}-seccomp_suid.patch" |
| 309 |
"${FILESDIR}/${P}-libseccomp_automagic.patch" |
| 310 |
) |
| 311 |
|
| 312 |
@@ -65,7 +62,7 @@ src_configure() { |
| 313 |
--with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x" |
| 314 |
$(use_enable nls) |
| 315 |
$(use_enable static-libs static) |
| 316 |
- $(use_with seccomp libseccomp) |
| 317 |
+ --without-libseccomp |
| 318 |
--with-db=$(usex gdbm gdbm $(usex berkdb db gdbm)) |
| 319 |
) |
| 320 |
econf "${myeconfargs[@]}" |
Archives