From 5454e6404159f662c3ef289210b6d4f859fcaff9 Mon Sep 17 00:00:00 2001
From: Michal Vasilek
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 1/2] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..3e864cb24c91
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+ error=
+ for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+ matched=
+ for allowed_file in $(eval "echo \${$2}"); do
+ if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+ matched=y
+ break
+ fi
+ done
+ if [ -n "$matched" ]; then
+ echo "$2 file: ${setidfile#$PKGDESTDIR}"
+ else
+ msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+ error=y
+ fi
+ done
+ if [ -n "$error" ]; then
+ msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+ fi
+}
+
+hook() {
+ dofind 4000 setuid
+ dofind 2000 setgid
+}

From 0a2b7cd99661b3ea9e9a243442cfc3cec4cccd12 Mon Sep 17 00:00:00 2001
From: Michal Vasilek
Date: Sat, 18 Sep 2021 14:10:00 +0200
Subject: [PATCH 2/2] opendoas: explicitly allow setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 685cd45da59b..8ce229503c2e 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -14,6 +14,7 @@
 license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 build_options="pam timestamp"
 build_options_default="pam timestamp"
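Review bot: The outer loop in dofind, `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do`, word-splits and glob-expands find's output, so a set-id file whose path contains whitespace is compared piecewise and can never match an allowlist entry (the build fails with a misleading "not allowed" message rather than passing), and glob characters in a path are expanded against the current directory; the inner loop over `$(eval "echo \${$2}")` splits the same way. Reading the paths line by line keeps each path intact: `while IFS= read -r setidfile; do` … `done < <(find "$PKGDESTDIR" -type f -perm -"$1")`; process substitution needs bash, which I believe is what sources xbps-src hooks — if that is not the case, the loop body still has to run in the current shell so that `error=y` is visible to the final check rather than lost in a pipeline subshell. Quoting the prefix in `${setidfile#"$PKGDESTDIR"}` stops it from being read as a pattern. Since this file introduces the `setuid` and `setgid` template variables, a short header comment stating that the hook fails the build for any regular file under $PKGDESTDIR with the setuid or setgid bit set that is not listed, as a path relative to the package root, in the corresponding variable would help template authors.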