commit: 8607cad379185ee6b427dc78dcf7c5fcd90de541 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
AuthorDate: Thu Feb 8 11:56:06 2018 +0000 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
CommitDate: Thu Feb 8 11:56:55 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8607cad3 |
|
sys-apps/man-db: Revump to drop seccomp again. It segfaults. |
|
Might re-add seccomp once 2.8.1 has been released. |
|
Package-Manager: Portage-2.3.24, Repoman-2.3.6 |
|
.../files/man-db-2.8.0-refactor_drop_privs.patch | 120 -------------------- |
.../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 --------------------- |
...n-db-2.8.0-r1.ebuild => man-db-2.8.0-r2.ebuild} | 7 +- |
3 files changed, 2 insertions(+), 251 deletions(-) |
|
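--- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@××××××.org>
-Date: Wed, 7 Feb 2018 12:23:15 +0000
-Subject: Refactor do_system_drop_privs
-
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
-
-* lib/security.c (drop_privs): New function.
-(do_system_drop_privs_child, do_system_drop_privs): Remove.
-* lib/security.h (drop_privs): Add prototype.
-(do_system_drop_privs): Remove prototype.
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
-command.
-(format_display): Call browser using pipeline_run rather than
-do_system_drop_privs, since it now has a pre-exec hook to drop
-privileges.
----
- lib/security.c | 37 +++---------------------------------
- lib/security.h | 2 +-
- src/man.c | 7 +++++--
- 3 files changed, 9 insertions(+), 37 deletions(-)
-
-diff --git a/lib/security.c b/lib/security.c
-index 6e84de8..c9b365d 100644
---- a/lib/security.c
-+++ b/lib/security.c
-@@ -158,42 +158,11 @@ void regain_effective_privs (void)
- #endif /* MAN_OWNER */
- }
-
--#ifdef MAN_OWNER
--void do_system_drop_privs_child (void *data)
-+/* Pipeline command pre-exec hook to permanently drop privileges. */
-+void drop_privs (void *data ATTRIBUTE_UNUSED)
- {
-- pipeline *p = data;
--
-+#ifdef MAN_OWNER
- if (idpriv_drop ())
- gripe_set_euid ();
-- exit (pipeline_run (p));
--}
--#endif /* MAN_OWNER */
--
--/* The safest way to execute a pipeline with no effective privileges is to
-- * fork, permanently drop privileges in the child, run the pipeline from the
-- * child, and wait for it to die.
-- *
-- * It is possible to use saved IDs to avoid the fork, since effective IDs
-- * are copied to saved IDs on execve; we used to do this. However, forking
-- * is not expensive enough to justify the extra code.
-- *
-- * Note that this frees the supplied pipeline.
-- */
--int do_system_drop_privs (pipeline *p)
--{
--#ifdef MAN_OWNER
-- pipecmd *child_cmd;
-- pipeline *child;
-- int status;
--
-- child_cmd = pipecmd_new_function ("unprivileged child",
-- do_system_drop_privs_child, NULL, p);
-- child = pipeline_new_commands (child_cmd, NULL);
-- status = pipeline_run (child);
--
-- pipeline_free (p);
-- return status;
--#else /* !MAN_OWNER */
-- return pipeline_run (p);
- #endif /* MAN_OWNER */
- }
-diff --git a/lib/security.h b/lib/security.h
-index 7545502..851127d 100644
---- a/lib/security.h
-+++ b/lib/security.h
-@@ -27,7 +27,7 @@
- /* security.c */
- extern void drop_effective_privs (void);
- extern void regain_effective_privs (void);
--extern int do_system_drop_privs (struct pipeline *p);
-+extern void drop_privs (void *data);
- extern void init_security (void);
- extern int running_setuid (void);
- extern struct passwd *get_man_owner (void);
-diff --git a/src/man.c b/src/man.c
-index 959d6cc..ff7ebc7 100644
---- a/src/man.c
-+++ b/src/man.c
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
- static pipeline *make_browser (const char *pattern, const char *file)
- {
- pipeline *p;
-+ pipecmd *cmd;
- char *browser = xmalloc (1);
- int found_percent_s = 0;
- char *percent;
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
- free (esc_file);
- }
-
-- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
-+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
-+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
-+ p = pipeline_new_commands (cmd, NULL);
- pipeline_ignore_signals (p, 1);
- free (browser);
-
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
- pipeline *browser;
- debug ("Trying browser: %s\n", candidate);
- browser = make_browser (candidate, htmlfile);
-- disp_status = do_system_drop_privs (browser);
-+ disp_status = pipeline_run (browser);
- if (!disp_status)
- break;
- }
---
-cgit v1.0-41-gc330
-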
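--- a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@××××××.org>
-Date: Wed, 7 Feb 2018 13:44:30 +0000
-Subject: [PATCH] Fix manconv under seccomp when man is setuid
-
-We must drop privileges before loading the sandbox.
-
-Reported by Lars Wendler.
-
-* src/manconv_client.c (manconv_pre_exec): New function.
-(manconv_stdin): Move setuid hack to ...
-(add_manconv): ... here, now implemented using a custom pre-exec hook.
-We no longer have a fall-through if dropping privileges fails, since
-that's now harder to do and wasn't really necessary in the first place.
----
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
- 1 file changed, 45 insertions(+), 35 deletions(-)
-
-diff --git a/src/manconv_client.c b/src/manconv_client.c
-index d6e010b0..41ce4790 100644
---- a/src/manconv_client.c
-+++ b/src/manconv_client.c
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
- struct manconv_codes *codes = data;
- pipeline *p;
-
--#ifdef MAN_OWNER
-- /* iconv_open may not work correctly in setuid processes; in GNU
-- * libc, gconv modules may be linked against other gconv modules and
-- * rely on RPATH $ORIGIN to load those modules from the correct
-- * path, but $ORIGIN is disabled in setuid processes. It is
-- * impossible to reset libc's idea of setuidness without creating a
-- * whole new process image. Therefore, if the calling process is
-- * setuid, we must drop privileges and execute manconv.
-- *
-- * If dropping privileges fails, fall through to the in-process
-- * code, as in some situations it may actually manage to work.
-- */
-- if (running_setuid () && !idpriv_drop ()) {
-- char **from_code;
-- char *sources = NULL;
-- pipecmd *cmd;
--
-- for (from_code = codes->from; *from_code; ++from_code) {
-- sources = appendstr (sources, *from_code, NULL);
-- if (*(from_code + 1))
-- sources = appendstr (sources, ":", NULL);
-- }
--
-- cmd = pipecmd_new_args (MANCONV, "-f", sources,
-- "-t", codes->to, NULL);
-- free (sources);
--
-- if (quiet >= 2)
-- pipecmd_arg (cmd, "-q");
--
-- pipecmd_exec (cmd);
-- /* never returns */
-- }
--#endif /* MAN_OWNER */
--
- p = decompress_fdopen (dup (STDIN_FILENO));
- pipeline_start (p);
- manconv (p, codes->from, codes->to);
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
- pipeline_free (p);
- }
-
-+#ifdef MAN_OWNER
-+static void manconv_pre_exec (void *data)
-+{
-+ /* We must drop privileges before loading the sandbox, since our
-+ * seccomp filter doesn't allow setresuid and friends.
-+ */
-+ drop_privs (NULL);
-+ sandbox_load (data);
-+}
-+#endif /* MAN_OWNER */
-+
- static void free_manconv_codes (void *data)
- {
- struct manconv_codes *codes = data;
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
- name = appendstr (name, " -t ", codes->to, NULL);
- if (quiet >= 2)
- name = appendstr (name, " -q", NULL);
-+
-+#ifdef MAN_OWNER
-+ /* iconv_open may not work correctly in setuid processes; in GNU
-+ * libc, gconv modules may be linked against other gconv modules and
-+ * rely on RPATH $ORIGIN to load those modules from the correct
-+ * path, but $ORIGIN is disabled in setuid processes. It is
-+ * impossible to reset libc's idea of setuidness without creating a
-+ * whole new process image. Therefore, if the calling process is
-+ * setuid, we must drop privileges and execute manconv.
-+ */
-+ if (running_setuid ()) {
-+ char **from_code;
-+ char *sources = NULL;
-+
-+ cmd = pipecmd_new_args (MANCONV, "-f", NULL);
-+ for (from_code = codes->from; *from_code; ++from_code) {
-+ sources = appendstr (sources, *from_code, NULL);
-+ if (*(from_code + 1))
-+ sources = appendstr (sources, ":", NULL);
-+ }
-+ pipecmd_arg (cmd, sources);
-+ free (sources);
-+ pipecmd_args (cmd, "-t", codes->to, NULL);
-+ if (quiet >= 2)
-+ pipecmd_arg (cmd, "-q");
-+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
-+ sandbox);
-+ free (name);
-+ free_manconv_codes (codes);
-+ pipeline_command (p, cmd);
-+ return;
-+ }
-+#endif /* MAN_OWNER */
-+
- cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
- codes);
- free (name);
---
-2.16.1
-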
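--- a/sys-apps/man-db/man-db-2.8.0-r1.ebuild
+++ b/sys-apps/man-db/man-db-2.8.0-r2.ebuild
@@ -12,7 +12,7 @@ SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
 LICENSE="GPL-3"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
-IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib"
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
 
 CDEPEND="
 !sys-apps/man
@@ -21,7 +21,6 @@ CDEPEND="
 berkdb? ( sys-libs/db:= )
 gdbm? ( sys-libs/gdbm:= )
 !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
- seccomp? ( sys-libs/libseccomp )
 zlib? ( sys-libs/zlib )
 "
 DEPEND="
@@ -40,8 +39,6 @@ RDEPEND="
 PDEPEND="manpager? ( app-text/manpager )"
 
 PATCHES=(
- "${FILESDIR}/${P}-refactor_drop_privs.patch"
- "${FILESDIR}/${P}-seccomp_suid.patch"
 "${FILESDIR}/${P}-libseccomp_automagic.patch"
 )
 
@@ -65,7 +62,7 @@ src_configure() {
 --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
 $(use_enable nls)
 $(use_enable static-libs static)
- $(use_with seccomp libseccomp)
+ --without-libseccomp
 --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
 )
 econf "${myeconfargs[@]}"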
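Review bot: The hard-coded `--without-libseccomp` in src_configure carries no comment explaining why the sandbox is switched off, so the reason given in the commit message (segfaults, to be revisited once 2.8.1 is out) will not be visible to whoever edits the ebuild next. I would add a line directly above it such as `# seccomp sandbox disabled: 2.8.0 segfaults with it; re-evaluate for 2.8.1`. Dropping `seccomp` from IUSE also removes any way for users to opt back in, so this hardening is presumably absent on every install of this revision until the change is reverted, which is worth tracking in a bug referenced from that comment. `${P}-libseccomp_automagic.patch` stays in PATCHES, presumably because it supplies the configure switch used here; that should be confirmed. src_configure begins and ends outside the hunk.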