Github messages for voidlinux
From: ericonr <ericonr@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] opendoas: set permissions during do_install.
Date: Sat, 16 Jan 2021 00:25:08 +0100
Message-ID: <20210115232508.TCuAcznTrr85MlUjVx1ZQiiB0Jq9-S7KuFWBKaHymbE@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-27958@inbox.vuxu.org>

[-- Attachment #1: Type: text/plain, Size: 1160 bytes --]

There is an updated pull request by ericonr against master on the void-packages repository

https://github.com/ericonr/void-packages doas
https://github.com/void-linux/void-packages/pull/27958

opendoas: set permissions during do_install.
- setting permissions in an INSTALL script makes the program unusable
between it being unpacked and the INSTALL script actually being run; for
users with other long running post-install steps, e.g. DKMS modules,
this can be a long time where an administrative tool can't be used.

- furthermore, any interruption of the post-install steps or a power
failure will have a much higher probability of leaving the user with a
non-suid executable than if it had been set at install time.

- making the binary permissions 4111 isn't necessary; the binary can be
retrieved in multiple manners, so this doesn't offer any protection (and
the binary would be "unprotected" anyway while INSTALL hasn't run yet).
opendoas's makefile can chmod the executable, so we just stop removing the
chmod line from its makefile.

@Duncaen 

A patch file from https://github.com/void-linux/void-packages/pull/27958.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-doas-27958.patch --]
[-- Type: text/x-diff, Size: 2775 bytes --]

From 25a8bd7b6b405c2cb89a67aeb3129892d4a70f28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89rico=20Rolim?= <erico.erc@gmail.com>
Date: Fri, 15 Jan 2021 19:44:36 -0300
Subject: [PATCH] opendoas: set permissions during do_install.

- setting permissions in an INSTALL script makes the program unusable
between it being unpacked and the INSTALL script actually being run; for
users with other long running post-install steps, e.g. DKMS modules,
this can be a long time where an administrative tool can't be used.

- furthermore, any interruption of the post-install steps or a power
failure will have a much higher probability of leaving the user with a
non-suid executable than if it had been set at install time.

- making the binary permissions 4111 isn't necessary; the binary can be
retrieved in multiple manners, so this doesn't offer any protection (and
the binary would be "unprotected" anyway while INSTALL hasn't run yet).
opendoas's makefile can chmod the executable, so we just stop removing the
chmod line from its makefile.

- also xlintify.
---
 srcpkgs/opendoas/INSTALL  | 8 --------
 srcpkgs/opendoas/template | 8 +++-----
 2 files changed, 3 insertions(+), 13 deletions(-)
 delete mode 100644 srcpkgs/opendoas/INSTALL

diff --git a/srcpkgs/opendoas/INSTALL b/srcpkgs/opendoas/INSTALL
deleted file mode 100644
index 352dcde82cd..00000000000
--- a/srcpkgs/opendoas/INSTALL
+++ /dev/null
@@ -1,8 +0,0 @@
-#
-# This script sets up correct perms for usr/bin/doas.
-#
-case "${ACTION}" in
-post)
-	chmod 4111 usr/bin/doas
-	;;
-esac
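Review bot: Deleting the `post)` branch removes the only place in the package that explicitly sets the setuid bit on usr/bin/doas, so from this revision on the bit is present only if the packaged file already carries it. The commit message says 4111 is not necessary but never states which mode replaces it; suggest recording the mode the built package actually ships, so a reviewer can confirm the binary is still setuid and see exactly which read and write bits changed relative to 4111.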
diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index f2084305d1e..fb68b70ddeb 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -1,7 +1,7 @@
 # Template file for 'opendoas'
 pkgname=opendoas
 version=6.8
-revision=1
+revision=2
 wrksrc="OpenDoas-$version"
 build_style=configure
 configure_args="--prefix=/usr $(vopt_with 'pam') $(vopt_with 'timestamp')"
@@ -10,7 +10,7 @@ hostmakedepends="bison"
 makedepends="$(vopt_if 'pam' 'pam-devel')"
 short_desc="Portable OpenBSD doas to execute commands as another user"
 maintainer="Duncaen <duncaen@voidlinux.org>"
-license="ISC, BSD-3-clause"
+license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=c53edc59a576cfe8ec8737230e7d0398842a5a8c925e25065463ab632a7eaba9
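Review bot: The casing fix on the `license=` line is a lint cleanup unrelated to the permission change, and it shares a commit with a change to how a setuid binary gets its mode. The commit message does mention it ("also xlintify"), but splitting it into its own commit would keep the security-relevant change isolated for later bisecting or reverting.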
@@ -19,12 +19,10 @@ build_options="pam timestamp"
 build_options_default="pam timestamp"
 desc_option_timestamp="enable persistent auth using timestamps"
 
-
 pre_configure() {
 	cp ${FILESDIR}/doas.pam pam.d__doas__linux
 	vsed -i GNUmakefile \
-		-e '/chown ${BINOWN}:${BINGRP}/d' \
-		-e '/chmod ${BINMODE}/d'
+		-e '/chown ${BINOWN}:${BINGRP}/d'
 }
 
 post_install() {
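Review bot: In pre_configure, dropping the `-e '/chmod ${BINMODE}/d'` expression makes the installed mode depend on whatever BINMODE the upstream GNUmakefile defines, and this template neither sets nor shows that value. Suggest pinning the expected mode in the template, or at least adding a comment naming it, so a change to the upstream default cannot silently alter the permissions of a setuid binary. Since the `chown ${BINOWN}:${BINGRP}` line is still stripped, it is also worth confirming that the file ends up owned by root in the built package, because the setuid bit is only meaningful with that ownership.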
