authorDrew DeVault <sir@cmpwn.com>2021-01-28 12:39:59 -0500
committerKevin Daudt <kdaudt@alpinelinux.org>2021-01-28 18:54:15 +0000
commit304fda73a09c8b915358ef47629b877a38030887 (patch)
treea61cac9af16a50e03206674e033e1907eaa338d2
parente7d73bb63159f5ada24bd1d738b6892008ae411a (diff)
main/doas: security upgrade to 6.6.1
patch out PATH reset vulnerability
-rw-r--r--community/doas/APKBUILD28
-rw-r--r--community/doas/reset-path.patch42
2 files changed, 58 insertions, 12 deletions
diff --git a/community/doas/APKBUILD b/community/doas/APKBUILD
index 41344d16f4..619a5a00a9 100644
--- a/community/doas/APKBUILD
+++ b/community/doas/APKBUILD
@@ -1,40 +1,44 @@
# Maintainer: Drew DeVault <sir@cmpwn.com>
pkgname=doas
-pkgver=6.0
+pkgver=6.6.1
pkgrel=0
-pkgdesc="OpenBSD's temporary privledge escalation tool"
+pkgdesc="OpenBSD's temporary privilege escalation tool"
url="https://github.com/Duncaen/OpenDoas"
arch="all"
license="BSD"
makedepends="bison"
subpackages="$pkgname-doc"
source="
- $pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz
- doas.conf
+ $pkgname-$pkgver.tar.gz::https://github.com/Duncaen/OpenDoas/archive/v$pkgver.tar.gz
+ reset-path.patch
"
builddir="$srcdir/OpenDoas-$pkgver"
options="$options suid"
build() {
- cd "$builddir"
./configure \
--prefix=/usr \
- --enable-static \
- --without-pam
+ --without-pam \
+ --with-timestamp
make
}
check() {
- cd "$builddir"
# doas -v returns 1
./doas -v || test $? = 1
}
package() {
- cd "$builddir"
make install DESTDIR="$pkgdir"
- install -Dm440 "$srcdir"/doas.conf "$pkgdir"/etc/doas.conf
+ install -d "$pkgdir"/etc
+ cat > "$pkgdir"/etc/doas.conf <<-EOF
+ # see doas.conf(5) for configuration details
+
+ # Uncomment to allow group "wheel" to become root
+ # permit persist :wheel
+ EOF
+ chmod 440 "$pkgdir"/etc/doas.conf
}
-sha512sums="2bf5e00895a45d87785e7a494a1506844afd843ef5375e0b0e3795ebc24712bb941c6feeb87e426e41a240d40aca9b4c099f77220745bb7142a7a4b303441f60 doas-6.0.tar.gz
-5035ae91293953b292c430334e949e11e5b482c5c91c7f018ac8286a791568a3006499649f487547a262291c0968618522fbc14acb5e2faa2af52accf15bbc49 doas.conf"
+sha512sums="390e0e139a2641be22c4493c3ed755d9cb4091f4ab8d590123b7c8c4f2f116cea3b3500926ff191fb98d92192ca9e92118cbcbeb463a7833763e00c65603e678 doas-6.6.1.tar.gz
+cb3a0e3767ec22fbab6e0535ee8f31ec525a3debf6c9dfdecd78668a6a3ea3d4a3e6a8d4717fe0f5e07f0a3c9d099a6be8e880c0b8f00588482409465cda86f8 reset-path.patch"
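Review bot: The APKBUILD ships a security fix (the bundled reset-path.patch, and the title calls this a security upgrade) but carries no `# secfixes:` block, so Alpine's secdb tooling has no record that 6.6.1-r0 closes the PATH-reset issue; add above `pkgname=doas` a block of the form `# secfixes:` / `#   6.6.1-r0:` / `#     - <advisory id>`, filling in the identifier for upstream commit 3b1d856 once one exists rather than inventing one. The inline doas.conf heredoc in package() uses `<<-EOF`, which strips leading tabs only; if the body or the `EOF` terminator is indented with spaces (indentation is not recoverable from this rendering) the file is either shipped with the indentation or the heredoc never terminates, so this is worth confirming against the raw file. The new `--with-timestamp` flag enables the persist feature that the generated config comment advertises; upstream, as far as I recall, documents OpenDoas's timestamp mechanism as weaker than OpenBSD's, so a one-line caution next to `# permit persist :wheel` would help admins who uncomment it verbatim. Unrelated to the code itself, the title says main/doas while the diffstat places the package under community/doas.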
diff --git a/community/doas/reset-path.patch b/community/doas/reset-path.patch
new file mode 100644
index 0000000000..17596f30c2
--- /dev/null
+++ b/community/doas/reset-path.patch
@@ -0,0 +1,42 @@
+From 3b1d856055ae1e9e4a15884b539bd4fee6aff1d5 Mon Sep 17 00:00:00 2001
+From: Duncan Overbruck <mail@duncano.de>
+Date: Thu, 28 Jan 2021 17:58:34 +0100
+Subject: [PATCH] correctly reset path for rules without specific command
+
+This is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168
+where the behaviour was changed to not inherit the PATH variable
+by default.
+---
+ doas.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/doas.c b/doas.c
+index e253905..98e354c 100644
+--- a/doas.c
++++ b/doas.c
+@@ -379,12 +379,22 @@ main(int argc, char **argv)
+ rule->options & PERSIST);
+ #endif
+
++#ifdef HAVE_LOGIN_CAP_H
++ if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
++ LOGIN_SETPATH |
++ LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
++ LOGIN_SETUSER) != 0)
++ errx(1, "failed to set user context for target");
++#else
+ if (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)
+ err(1, "setresgid");
+ if (initgroups(targpw->pw_name, targpw->pw_gid) != 0)
+ err(1, "initgroups");
+ if (setresuid(target, target, target) != 0)
+ err(1, "setresuid");
++ if (setenv("PATH", safepath, 1) == -1)
++ err(1, "failed to set PATH '%s'", safepath);
++#endif
+
+ if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
+ cwd = "(failed)";
+--
+2.30.0
+
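Review bot: The `#else` branch resets PATH with `setenv("PATH", safepath, 1)` only in this process's own environment, which is what fixes the executable lookup for rules without a specific command; whether the environment actually handed to the target command (presumably built by prepenv() elsewhere in doas.c, outside this hunk) is also pinned to safepath is not visible here and should be checked so the two cannot disagree. `safepath` is not defined in the hunk and is presumably the existing constant in doas.c; the enclosing main() also starts and ends outside the hunk. On Alpine (musl, no login_cap.h) only the `#else` branch is compiled, so the new `setusercontext` path gets no coverage from this packaging, and its `errx(1, ...)` discards errno where the sibling calls use `err`. Alpine patches normally carry their provenance, so a leading line such as `Upstream: https://github.com/Duncaen/OpenDoas/commit/3b1d856055ae1e9e4a15884b539bd4fee6aff1d5` atop reset-path.patch would let the next version bump drop it with confidence.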