Github messages for voidlinux
* [PR PATCH] hooks/post-install: add check setuid/setgid hook
@ 2021-09-18 12:10 paper42
From: paper42 @ 2021-09-18 12:10 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 372 bytes --]

There is a new pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 2039 bytes --]

From 3f8e8d1713e82f48a0df2a5f2790002c7c898984 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 1/2] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..3e864cb24c91
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in $(eval "echo \${$2}"); do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
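Review bot: `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1")` in dofind() word-splits the find output, so a filename containing whitespace is seen as fragments that can never equal an allowed entry and is reported as "not allowed" under a path that does not exist; read the results NUL-delimited instead, e.g. `while IFS= read -r -d '' setidfile; do ... done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)` (process substitution rather than a pipe, so that `error=y` is not lost in a subshell). The `eval "echo \${$2}"` in the inner loop is only safe because `$2` is always the literal `setuid` or `setgid` passed from hook(); bash's indirect expansion `${!2}` yields the same list without the subshell and eval.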

From 4fb142694cb1306685ca22da4874ba27571f42cc Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 14:10:00 +0200
Subject: [PATCH 2/2] opendoas: explicitly allow setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index e70c2509cbfe..c5f77c45169e 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -14,6 +14,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=c9070ae745d0f1bbe68ef0783a3958cd011b409959f65fd100e6b42b8ad6b162
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"
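Review bot: `setuid="/usr/bin/doas"` introduces a new template variable that the hook reads, but nothing in the series documents it; add a Manual.md entry stating that `setuid` and `setgid` are space-separated lists of absolute install paths (the hook compares `$PKGDESTDIR$allowed_file`, so entries are written as they appear in the installed system) and that any set-id file not listed makes the build fail, so template authors know how to satisfy the check.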

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
From: paper42 @ 2022-04-02 22:09 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 2039 bytes --]

From 5454e6404159f662c3ef289210b6d4f859fcaff9 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 1/2] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..3e864cb24c91
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in $(eval "echo \${$2}"); do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}

From 0a2b7cd99661b3ea9e9a243442cfc3cec4cccd12 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 14:10:00 +0200
Subject: [PATCH 2/2] opendoas: explicitly allow setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 685cd45da59b..8ce229503c2e 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -14,6 +14,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-03  3:59 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 312 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1086771429

Comment:
If we'll need an xlint for the setgid, would it make sense to have it require an explanatory comment (like for `make_check=no`)? If so, we should already start adding those.


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-03  4:00 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 316 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1086771429

Comment:
If we'll need an xlint for the set{u,g}id, would it make sense to have it require an explanatory comment (like for `make_check=no`)? If so, we should already start adding those.


* Re: [PR REVIEW] [WIP]: hooks/post-install: add check setuid/setgid hook
From: Duncaen @ 2022-04-03 15:57 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 257 bytes --]

New review comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#discussion_r841242393

Comment:
You can use `${!2}` here instead of subshell+eval:

```
$ bash -c 'set -- a b; b=bar; echo ${!2}'
bar
```


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-04  4:06 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1454 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1087087080

Comment:
Going through the list, there are some odd ones I'm not sure what to do with

- [ ] `Powermanga`, uses sgid `root:games`, except that we don't have a `games` user, it is not being created, and the package has no INSTALL script to chown it.
    See [Arch Wiki](https://wiki.archlinux.org/title/Users_and_groups#User_groups) and [Debian Wiki](https://wiki.debian.org/SystemGroups#Groups_with_an_associated_user).
- [ ] `containers`, has suid binaries `/usr/bin/{contain,pseudo}` as `root:root`, but the [README](https://github.com/arachsys/containers) mentions situations where suid should not be installed.

There are also some packages I barely comprehend in the first place and will not attempt to allow/fix

- [ ] `arcan`, a "Combined display server, multimedia framework and game engine". (Wouldn't a game engine preferably not run as root?)
- [ ] all instances of `chrome-sandbox`, since I do not know how those work

Packages I can tell need setuid/setgid are being marked as allowed and pushed to [`0x5c:suid`](https://github.com/0x5c/void-packages/tree/suid) as I go through the list.

I'll be making PRs to void-packages directly for packages that appear to not need suid/sgid, as was the case for vpsm: https://github.com/void-linux/void-packages/pull/36489. I'll list those here if there's more.


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-04  4:12 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1562 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1087087080

Comment:
Going through the list, there are some odd ones I'm not sure what to do with

- [ ] `Powermanga`, uses sgid `root:games`, except that we don't have a `games` user, it is not being created, and the package has no INSTALL script to chown it.
    See [Arch Wiki](https://wiki.archlinux.org/title/Users_and_groups#User_groups) and [Debian Wiki](https://wiki.debian.org/SystemGroups#Groups_with_an_associated_user).
- [ ] `containers`, has suid binaries `/usr/bin/{contain,pseudo}` as `root:root`, but the [README](https://github.com/arachsys/containers) mentions situations where suid should not be installed.

There are also some packages I barely comprehend in the first place and will not attempt to allow/fix

- [ ] `arcan`, a "Combined display server, multimedia framework and game engine". (Wouldn't a game engine preferably not run as root?)
- [ ] all instances of `chrome-sandbox`, since I do not know how those work
- [ ] all `mount.*` tools, hard to test and no idea how they work in relation to `mount` itself being suid

Packages I can tell need setuid/setgid are being marked as allowed and pushed to [`0x5c:suid`](https://github.com/0x5c/void-packages/tree/suid) as I go through the list.

I'll be making PRs to void-packages directly for packages that appear to not need suid/sgid, as was the case for vpsm: https://github.com/void-linux/void-packages/pull/36489. I'll list those here if there's more.


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-04  4:13 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 1563 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1087087080

Comment:
Going through the list, there are some odd ones I'm not sure what to do with

- [ ] `Powermanga`, uses sgid `root:games`, except that we don't have a `games` group, it is not being created, and the package has no INSTALL script to chown it.
    See [Arch Wiki](https://wiki.archlinux.org/title/Users_and_groups#User_groups) and [Debian Wiki](https://wiki.debian.org/SystemGroups#Groups_with_an_associated_user).
- [ ] `containers`, has suid binaries `/usr/bin/{contain,pseudo}` as `root:root`, but the [README](https://github.com/arachsys/containers) mentions situations where suid should not be installed.

There are also some packages I barely comprehend in the first place and will not attempt to allow/fix

- [ ] `arcan`, a "Combined display server, multimedia framework and game engine". (Wouldn't a game engine preferably not run as root?)
- [ ] all instances of `chrome-sandbox`, since I do not know how those work
- [ ] all `mount.*` tools, hard to test and no idea how they work in relation to `mount` itself being suid

Packages I can tell need setuid/setgid are being marked as allowed and pushed to [`0x5c:suid`](https://github.com/0x5c/void-packages/tree/suid) as I go through the list.

I'll be making PRs to void-packages directly for packages that appear to not need suid/sgid, as was the case for vpsm: https://github.com/void-linux/void-packages/pull/36489. I'll list those here if there's more.


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: paper42 @ 2022-04-06 17:45 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 427 bytes --]

New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1090553274

Comment:
> If we'll need an xlint for the set{u,g}id, would it make sense to have it require an explanatory comment (like for `make_check=no`)? If so, we should already start adding those.

I don't think we should require a comment. If something is not obvious, we can always add the comment.


* Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
From: paper42 @ 2022-04-06 17:54 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 2022 bytes --]

From 491c4aed5a70e5bef553971f9fa8c7568cf752ae Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 1/2] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..dae87c2b3d5c
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}

From 9b1d04d4b8b02862bc631a200121447bfe1c4fc5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 6 Apr 2022 19:52:46 +0200
Subject: [PATCH 2/2] opendoas: explicitly allow setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 685cd45da59b..8ce229503c2e 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -14,6 +14,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"


* Re: [PR REVIEW] [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-20  1:39 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 255 bytes --]

New review comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#discussion_r853656441

Comment:
I observe in other hooks printed text tends to be prefixed by 3 spaces. Should that be the case for that print?


* Re: [PR REVIEW] [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-20  2:07 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 255 bytes --]

New review comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#discussion_r853656441

Comment:
I observe in other hooks printed text tends to be prefixed by 3 spaces. Should that be the case for that print?


* Re: [PR REVIEW] [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-20 19:19 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

New review comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#discussion_r853656441

Comment:
I observe in other hooks that printed text tends to be prefixed by 3 spaces. Should that be the case for that print?


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-20 19:49 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 485 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1104395234

Comment:
In https://github.com/0x5c/void-packages/commit/9cd5290e4778a727a9b20351014d3462e2edf70c I allowed thttpd's `makeweb` command. However, it's not configurable (except at compile-time) and allows normal users to create a subdirectory of the main www dir. This seems somewhat dangerous and like something that should not be part of the main package.


* Re: [WIP]: hooks/post-install: add check setuid/setgid hook
From: 0x5c @ 2022-04-20 21:21 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 212 bytes --]

New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1104466930

Comment:
`mit-krb5-client` is now the first example of this working on subpackages


* Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
From: paper42 @ 2022-05-30 20:27 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 2022 bytes --]

From b3f8309cfecd78a60ea6746695242e8af05dd53b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 1/2] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..dae87c2b3d5c
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}

From 64492fa676e0b8d69bd2f005e165433f342eec31 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 6 Apr 2022 19:52:46 +0200
Subject: [PATCH 2/2] opendoas: explicitly allow setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 685cd45da59b..8ce229503c2e 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -14,6 +14,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"


* Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
From: paper42 @ 2023-02-25 11:23 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 46855 bytes --]

From c26a08ebbe98f57cc818ba6e8bf8731f2289b36c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..dae87c2b3d5c
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
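Review bot: `-type f` in dofind() limits the scan to regular files, so a directory installed with the setgid bit (a shared-writable directory in mode 2775, say) passes the hook unlisted even though it changes the group of every file created inside it; either state in a comment that directories are deliberately out of scope or run a second pass without `-type f` for `-perm -2000` and report those as well. Separately, if `msg_error` aborts the build as its name suggests, a package with both an unlisted setuid file and an unlisted setgid file only learns about the setuid ones on the first run, because `dofind 4000 setuid` errors out before `dofind 2000 setgid` is reached; collecting both results before calling `msg_error` would report everything at once.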

From 3c6258f0e87105ba15e200b19927d57b3ac9a8d0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:33 +0100
Subject: [PATCH 02/58] xlockmore: add $setuid

---
 srcpkgs/xlockmore/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template
index 2cee0181924d..c9b9b1b0764e 100644
--- a/srcpkgs/xlockmore/template
+++ b/srcpkgs/xlockmore/template
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README"
 distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz"
 checksum=0118b2d4b28303c335426cd6ca844b4776e4b71adb1d344f2ec087b57616c21a
 CFLAGS="-D_DEFAULT_SOURCE"
+setuid="/usr/bin/xlock"
 
 build_options="opengl"
 desc_option_opengl="Enable OpenGL modes"

From 57b5e78305bbf5a1ccc665916f9dde14d8d30660 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 03/58] ecryptfs-utils: add $setuid and $setgid

---
 srcpkgs/ecryptfs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c32..d8faed1cd554 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/"
 distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz"
 checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
 lib32disabled=yes
+setuid="/usr/bin/mount.ecryptfs_private"
+setgid="/usr/bin/mount.ecryptfs_private"
 
 CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7"
 

From 53ed390cccafc4cf926f570cdd2b086bf57ecc6c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:28 +0100
Subject: [PATCH 04/58] cifs-utils: add $setuid and $setgid

---
 srcpkgs/cifs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template
index 5576b371ca6a..331a0878b36d 100644
--- a/srcpkgs/cifs-utils/template
+++ b/srcpkgs/cifs-utils/template
@@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils"
 distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2"
 checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4
 python_version=3
+setuid="/usr/bin/mount.cifs"
+setgid="/usr/bin/mount.cifs"
 
 pre_configure() {
 	autoreconf -fi

From f0743b6e5ca5441391e25a20e2f46a65b2a46e9c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:19 +0100
Subject: [PATCH 05/58] mit-krb5: add $setuid

---
 srcpkgs/mit-krb5/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template
index a67bae19764a..f354b5cbea67 100644
--- a/srcpkgs/mit-krb5/template
+++ b/srcpkgs/mit-krb5/template
@@ -13,6 +13,7 @@ license="MIT"
 homepage="http://web.mit.edu/kerberos"
 distfiles="${homepage}/dist/krb5/${version%.*}/krb5-${version}.tar.gz"
 checksum=e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719
+setuid="/usr/bin/ksu"
 
 post_patch() {
 	vsed -e "/LDFLAGS=/d" -i src/build-tools/krb5-config.in

From 84534840e6df4ce1d3592611ee81341379e6009c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:49:56 +0100
Subject: [PATCH 06/58] udevil: add $setuid

---
 srcpkgs/udevil/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template
index b560bdf7589f..263d0a652102 100644
--- a/srcpkgs/udevil/template
+++ b/srcpkgs/udevil/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="http://ignorantguru.github.io/udevil/"
 distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz"
 checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c
+setuid="/usr/bin/udevil"
 
 post_patch() {
 	vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure

From 1ac66c0fe223997b16ef6a4f4a5034884b05c103 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:48 +0100
Subject: [PATCH 07/58] s-nail: add $setuid

---
 srcpkgs/s-nail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template
index 7a171cea0d27..f8483be17854 100644
--- a/srcpkgs/s-nail/template
+++ b/srcpkgs/s-nail/template
@@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC"
 homepage="https://git.sdaoden.eu/cgit/s-nail.git"
 distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz"
 checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c
+setuid="/usr/libexec/s-nail-dotlock"
 
 provides="mail-${version}_${revision}"
 

From 81ee23513cc7b844ee8458da3fb2a2117c4f2841 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:48:16 +0100
Subject: [PATCH 08/58] util-linux: add $setuid

---
 srcpkgs/util-linux/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 2530c51d17b9..6a9c0ccdcc0c 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -23,6 +23,12 @@ license="GPL-2.0-or-later"
 homepage="https://www.kernel.org/pub/linux/utils/util-linux/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz"
 checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f
+setuid="/usr/bin/chsh
+ /usr/bin/chfn
+ /usr/bin/su
+ /usr/bin/mount
+ /usr/bin/newgrp
+ /usr/bin/umount"
 
 # Create uuidd system account for uuidd.
 system_accounts="_uuidd"

From d6afa25459183d17c524d501bea02ca4d9c4134a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:05 +0100
Subject: [PATCH 09/58] opendoas: add $setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 5254f280b801..9e93eaaf26fc 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"

From 7e0d812ba20d70d0f762924663939970697c6b97 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:19 +0100
Subject: [PATCH 10/58] weston: add $setuid

---
 srcpkgs/weston/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template
index b517c10c98ca..465d5310a9b5 100644
--- a/srcpkgs/weston/template
+++ b/srcpkgs/weston/template
@@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz
 checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe
 system_groups="weston-launch"
 lib32disabled=yes
+setuid="/usr/bin/weston-launch"
 
 # Package build options
 build_options="elogind vaapi"

From 7edd5f589e2bcf5b38a3cb9b688b223df4bdee00 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:22:39 +0100
Subject: [PATCH 11/58] enlightenment: set $setuid

---
 srcpkgs/enlightenment/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template
index ec1a084618db..d6406be26df8 100644
--- a/srcpkgs/enlightenment/template
+++ b/srcpkgs/enlightenment/template
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2
 lib32disabled=yes
 build_options="wayland"
 build_options_default="wayland"
+setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd
+ /usr/lib/enlightenment/utils/enlightenment_sys
+ /usr/lib/enlightenment/utils/enlightenment_system"
 
 if [ "$CROSS_BUILD" -a "$build_option_wayland" ]; then
 	hostmakedepends+=" wayland-devel"

From 3d37f6501dda418bf964a4838f2a2c865852a3c8 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:48 +0100
Subject: [PATCH 12/58] nfs-utils: add $setuid

---
 srcpkgs/nfs-utils/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template
index 252a7355b683..363c72c9ab67 100644
--- a/srcpkgs/nfs-utils/template
+++ b/srcpkgs/nfs-utils/template
@@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz"
 checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011
 replaces="rpcgen>=0"
+setuid="/usr/bin/mount.nfs"
 
 hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto"
 makedepends="libblkid-devel libmount-devel libtirpc-devel

From 1efdc4b88293416d6f037b5e5311e8fcc337b26f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:31:52 +0100
Subject: [PATCH 13/58] libcgroup: add $setuid

---
 srcpkgs/libcgroup/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template
index 18dfd5c9f8e5..499d9e16cb1b 100644
--- a/srcpkgs/libcgroup/template
+++ b/srcpkgs/libcgroup/template
@@ -13,6 +13,7 @@ license="LGPL-2.1-only"
 homepage="https://github.com/libcgroup/libcgroup"
 distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz"
 checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd
+setuid="/usr/bin/cgexec"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl)	# Add musl-fts implementation

From d00546e311d50b57c0f0565a540bb8f16adf0ba0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:34 +0100
Subject: [PATCH 14/58] physlock: add $setuid

---
 srcpkgs/physlock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template
index 0f091d24444c..f7faecb98250 100644
--- a/srcpkgs/physlock/template
+++ b/srcpkgs/physlock/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later"
 homepage="https://github.com/muennich/physlock"
 distfiles="${homepage}/archive/v${version}.tar.gz"
 checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6
+setuid="/usr/bin/physlock"
 
 CFLAGS="-D_GNU_SOURCE"
 

From b4b21c8bbfa94da38d990f15b2a4910bcea3c344 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:35 +0100
Subject: [PATCH 15/58] fuse3: add $setuid

---
 srcpkgs/fuse3/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template
index 5fcf41be2e86..bd7bb00ee8ed 100644
--- a/srcpkgs/fuse3/template
+++ b/srcpkgs/fuse3/template
@@ -14,6 +14,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs
 distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.xz"
 checksum=6cd0759944c9aeb3d078b24a97b8a5cd5d49a0b8b7f15f85f32ac0c8a662fb6e
 conf_files="/etc/fuse.conf"
+setuid="/usr/bin/fusermount3"
 # Tests require root
 make_check=no
 

From f39d2ef2d8678e5987fd1bb7fb2b7164d7481bb7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:39 +0100
Subject: [PATCH 16/58] incron: add $setuid

---
 srcpkgs/incron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template
index 14222e496d94..fb6cd128ed4a 100644
--- a/srcpkgs/incron/template
+++ b/srcpkgs/incron/template
@@ -8,6 +8,7 @@ license="X11"
 homepage="https://github.com/ar-/incron"
 distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz"
 checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91
+setuid="/usr/bin/incrontab"
 
 make_dirs="/var/spool/incron 0755 root root
  /etc/incron.d 0755 root root"

From af1704542a6e3fedbbb1779d8255a95390522ce2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:32:36 +0100
Subject: [PATCH 17/58] libpam-policycache: add $setuid

---
 srcpkgs/libpam-policycache/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template
index 6777b0856dd6..921fccd61886 100644
--- a/srcpkgs/libpam-policycache/template
+++ b/srcpkgs/libpam-policycache/template
@@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache"
 distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz"
 checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6
 CFLAGS="-Wno-error=deprecated-declarations"
+setuid="/usr/bin/pam-escalate-helper"
 
 make_dirs="/etc/libpam-policycache.d 0755 root root
  /var/cache/libpam-policycache 0700 root root"

From 15b987b2fa3936853c2683f4b32a4445b1e8b6a0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:55 +0100
Subject: [PATCH 18/58] openssh: add $setuid

---
 srcpkgs/openssh/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index 3adadcdbac33..adb2604ef937 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -26,6 +26,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver
 checksum=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
 make_dirs="/var/chroot/ssh 0755 root root"
+setuid="/usr/libexec/ssh-keysign"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"

From 4251413cb47de6a83b795b5e38c1d08199efab5e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:17 +0100
Subject: [PATCH 19/58] slock: add $setuid

---
 srcpkgs/slock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template
index aa7890a49973..6612c55dcf01 100644
--- a/srcpkgs/slock/template
+++ b/srcpkgs/slock/template
@@ -10,6 +10,7 @@ license="MIT"
 homepage="http://tools.suckless.org/slock"
 distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz"
 checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d
+setuid="/usr/bin/slock"
 
 do_build() {
 	[ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h

From 95606cbccfd48f3d1208e7cde500a14159b257d7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:49:38 +0100
Subject: [PATCH 20/58] thttpd: add $setgid

---
 srcpkgs/thttpd/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template
index 13de3fbef35e..3d288f2ea1cf 100644
--- a/srcpkgs/thttpd/template
+++ b/srcpkgs/thttpd/template
@@ -9,6 +9,7 @@ license="BSD-2-Clause"
 homepage="http://www.acme.com/software/thttpd/"
 distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz"
 checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+setgid="/usr/bin/makeweb"
 
 pre_configure() {
 	vsed -i Makefile.in -e "s,-o bin -g bin,,g"

From a90b62ba208cc559b0e6809ba2ecc93d7ff9572a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:16 +0100
Subject: [PATCH 21/58] polkit: add $setuid

---
 srcpkgs/polkit/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template
index 84ab7453bb9b..aa7038f0e71c 100644
--- a/srcpkgs/polkit/template
+++ b/srcpkgs/polkit/template
@@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS"
 distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz"
 checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 system_accounts="polkitd"
+setuid="/usr/bin/pkexec
+ /usr/lib/polkit-1/polkit-agent-helper-1"
 #replaces="polkit-elogind>=0"
 #provides="polkit-elogind-${version}_${revision}"
 

From 70032bd83ff0591ded0601ce6e8ebea10cdbef82 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 22/58] fuse: add $setuid

---
 srcpkgs/fuse/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template
index b4fe1571f575..fa44380b9f8d 100644
--- a/srcpkgs/fuse/template
+++ b/srcpkgs/fuse/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://github.com/libfuse/libfuse"
 distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz"
 checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5
+setuid="/usr/bin/fusermount"
 
 pre_configure() {
 	autoreconf -fi

From 5b6195e4a0de9a6678620d175964239ef213282d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:34:35 +0100
Subject: [PATCH 23/58] mariadb: add $setuid

---
 srcpkgs/mariadb/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template
index 71409f89930c..c594e7ea10a3 100644
--- a/srcpkgs/mariadb/template
+++ b/srcpkgs/mariadb/template
@@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql
  /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root"
 CFLAGS="-UNDEBUG"
 CXXFLAGS="-UNDEBUG"
+setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool"
 
 post_patch() {
 	case "$XBPS_TARGET_MACHINE" in

From f4e9baee9ffaf1f65978dd1534e3014f2c166417 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:46 +0100
Subject: [PATCH 24/58] spice-gtk: add $setuid

---
 srcpkgs/spice-gtk/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template
index 3afa0268ee9f..dee6a7c8285c 100644
--- a/srcpkgs/spice-gtk/template
+++ b/srcpkgs/spice-gtk/template
@@ -22,6 +22,7 @@ homepage="https://spice-space.org"
 changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md"
 distfiles="https://spice-space.org/download/gtk/${pkgname}-${version}.tar.xz"
 checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f
+setuid="/usr/libexec/spice-client-glib-usb-acl-helper"
 
 CFLAGS="-Wno-error -Wno-error=unused-but-set-variable"
 

From 26ca573399430baaaba67ce1c310346cae84b423 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:49:24 +0100
Subject: [PATCH 25/58] uucp: add $setuid

---
 srcpkgs/uucp/template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template
index 2b2b6f758fae..3719a4820ea2 100644
--- a/srcpkgs/uucp/template
+++ b/srcpkgs/uucp/template
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 homepage="https://www.gnu.org/software/uucp/uucp.html"
 distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz"
 checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c
-patch_args="-Np1"
+setuid="/usr/bin/uuname
+ /usr/bin/uuxqt
+ /usr/bin/uucp
+ /usr/bin/cu
+ /usr/bin/uux
+ /usr/bin/uucico
+ /usr/bin/uustat"
 
 system_accounts="_uucp"
 _uucp_homedir="/var/spool/uucp"
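Review bot: the hunk removes `patch_args="-Np1"` while the subject line only announces adding `$setuid`; an unrelated template cleanup should either be called out in the commit message or split into its own commit so the history stays searchable. The seven-entry `setuid` list itself is fine as written.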

From 2475ef7eeffb56c6499adfc56f0882512772544d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:31 +0100
Subject: [PATCH 26/58] dar: add $setuid

---
 srcpkgs/dar/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template
index c289909e8122..979ec2f21d93 100644
--- a/srcpkgs/dar/template
+++ b/srcpkgs/dar/template
@@ -14,6 +14,7 @@ license="GPL-2.0-or-later"
 homepage="http://dar.linux.free.fr/"
 distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz"
 checksum=3fea9ff9e55fb9827e17a080de7d1a2605b82c2320c0dec969071efefdbfd097
+setuid="/usr/bin/dar"
 
 if [ "$CROSS_BUILD" ]; then
 	configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr

From c5816d4ac329df9869f6291d54e87fcb4e83a0bf Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:53:36 +0100
Subject: [PATCH 27/58] keybase: add $setuid

---
 srcpkgs/keybase/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index 8db0a57472f7..708f116059d5 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -16,6 +16,7 @@ license="BSD-3-Clause"
 homepage="https://keybase.io/"
 distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
 checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71
+setuid="/usr/bin/keybase-redirector"
 
 post_install() {
 	vlicense LICENSE

From 6a2522a88dc7d677eda896b96361094b449af370 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 28/58] dcron: add $setuid

---
 srcpkgs/dcron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template
index ab92850344ee..c0eabe30674e 100644
--- a/srcpkgs/dcron/template
+++ b/srcpkgs/dcron/template
@@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE
 distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz"
 checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f
 provides="cron-daemon-0_1"
+setuid="/usr/bin/dcrontab"
 
 alternatives="
  crond:crond:/etc/sv/dcron

From fc7754829ae176b66e0f327f9496fbd7dd36b915 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:56:15 +0100
Subject: [PATCH 29/58] kbdlight: add $setuid

---
 srcpkgs/kbdlight/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template
index 32bfec5560a5..4fb408d0dd3e 100644
--- a/srcpkgs/kbdlight/template
+++ b/srcpkgs/kbdlight/template
@@ -9,6 +9,7 @@ license="MIT"
 homepage="https://github.com/hobarrera/kbdlight"
 distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz"
 checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1
+setuid="/usr/bin/kbdlight"
 
 post_install() {
 	vlicense LICENCE

From 0d5ae92ca9d57c35920d44c9982c1c0ddcbe6f58 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 30/58] containers: add $setuid

---
 srcpkgs/containers/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template
index 7f7ebc7f8178..b8509ce477fc 100644
--- a/srcpkgs/containers/template
+++ b/srcpkgs/containers/template
@@ -9,6 +9,8 @@ license="MIT"
 homepage="https://github.com/arachsys/containers"
 distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz"
 checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02
+setuid="/usr/bin/contain
+ /usr/bin/pseudo"
 
 do_install() {
 	vbin inject inject-contain

From cb4b83f5b7537edfd6fe8bbe266aee5e1d408543 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 31/58] fcron: add $setuid and $setgid

---
 srcpkgs/fcron/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template
index d3f8567f8927..e8cce723e24a 100644
--- a/srcpkgs/fcron/template
+++ b/srcpkgs/fcron/template
@@ -32,6 +32,12 @@ homepage="http://fcron.free.fr"
 distfiles="$homepage/archives/$pkgname-$version.src.tar.gz"
 checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106
 
+setuid="/usr/bin/fcronsighup
+ /usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+setgid="/usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+
 alternatives="
  crond:crond:/etc/sv/fcron
  crond:crontab:/usr/bin/fcrontab

From 958814ae0b47ed592d93614ca3935fc191c283e1 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 32/58] glusterfs: add $setuid

---
 srcpkgs/glusterfs/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template
index 993fde9a321c..b293783cb34c 100644
--- a/srcpkgs/glusterfs/template
+++ b/srcpkgs/glusterfs/template
@@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only"
 homepage="https://www.gluster.org/"
 distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz"
 checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a
+setuid="/usr/bin/fusermount-glusterfs"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl) broken="not yet supported";;

From 51adb9b20a9be029d9d415ac7098c4541baf45d4 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:55:28 +0100
Subject: [PATCH 33/58] Powermanga: add $setuid

---
 srcpkgs/Powermanga/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template
index f3b9ef9faf3c..5c78aeb88302 100644
--- a/srcpkgs/Powermanga/template
+++ b/srcpkgs/Powermanga/template
@@ -11,6 +11,7 @@ license="GPL-3.0-or-later"
 homepage="http://linux.tlk.fr/games/Powermanga"
 distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz"
 checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249
+setgid="/usr/bin/powermanga"
 
 pre_configure() {
 	./bootstrap
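Review bot: the subject reads "Powermanga: add $setuid" but the hunk adds `setgid="/usr/bin/powermanga"`, so either the subject or the variable name is wrong. If the binary is installed setgid, reword the subject to `add $setgid`; if it is installed setuid, change the variable to `setuid`, otherwise the bit that is really set goes undeclared.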

From a12da74ac84ce1224cd47a5efc8f2cbcf8c6945b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 34/58] cronie: add $setuid

---
 srcpkgs/cronie/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template
index 3f8fbbcc4f30..c4315e9087c5 100644
--- a/srcpkgs/cronie/template
+++ b/srcpkgs/cronie/template
@@ -24,6 +24,7 @@ make_dirs="
 	/var/spool/anacron 0755 root root"
 conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny"
 provides="cron-daemon-0_1"
+setuid="/usr/bin/cronie-crontab"
 
 alternatives="
  crond:crond:/etc/sv/cronie

From b52bf23435262285acd98d3ee08a6d7cf94c00c7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:55:39 +0100
Subject: [PATCH 35/58] xscreensaver: add $setuid

---
 srcpkgs/xscreensaver/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template
index 581298ad5999..38de4a9f0642 100644
--- a/srcpkgs/xscreensaver/template
+++ b/srcpkgs/xscreensaver/template
@@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/"
 changelog="https://www.jwz.org/xscreensaver/changelog.html"
 distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz"
 checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7
+setuid="/usr/libexec/xscreensaver/xscreensaver-auth
+ /usr/libexec/xscreensaver/sonar"
 
 pre_configure() {
 	mkdir -p /usr/share/X11/app-defaults

From 2b9ea7097dce84de7e3edb168a23ec1349a438e2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:45 +0100
Subject: [PATCH 36/58] pmount: add $setuid

---
 srcpkgs/pmount/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template
index 8a826f4e0fe6..34b34d11d4af 100644
--- a/srcpkgs/pmount/template
+++ b/srcpkgs/pmount/template
@@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/"
 distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2"
 checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036
 conf_files="/etc/pmount.allow"
+setuid="/usr/bin/pmount
+ /usr/bin/pumount"
 
 post_patch() {
 	vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure

From 9d2e697d26908f4d6eb42a25957ea8ea6c7d466d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:49:19 +0100
Subject: [PATCH 37/58] sudo: add $setuid

---
 srcpkgs/sudo/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template
index f1278024f4ff..43d3088d0002 100644
--- a/srcpkgs/sudo/template
+++ b/srcpkgs/sudo/template
@@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz"
 checksum=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
 conf_files="/etc/pam.d/sudo /etc/sudoers"
 lib32disabled=yes
+setuid="/usr/bin/sudo"
 
 post_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 01e567e0b7913da3814dae50ee247404480b59b1 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:54 +0100
Subject: [PATCH 38/58] lxc: add $setuid

---
 srcpkgs/lxc/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 40f9cf15b522..2ec773597a59 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -17,6 +17,7 @@ license="LGPL-2.1-or-later"
 homepage="https://linuxcontainers.org"
 distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"
 checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222
+setuid="/usr/libexec/lxc/lxc-user-nic"
 
 conf_files="/etc/lxc/default.conf"
 make_dirs="

From ebc9d3009350a0a84f9f3d2c1076d9b09d82ce7b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 39/58] dma: add $setuid and $setgid

---
 srcpkgs/dma/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template
index 78c71595ec15..0e3a98865ec3 100644
--- a/srcpkgs/dma/template
+++ b/srcpkgs/dma/template
@@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma"
 distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz"
 checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946
 system_accounts="mail"
+setuid="/usr/lib/dma-mbox-create"
+setgid="/usr/bin/dma"
 
 provides="smtp-server-0_1 smtp-forwarder-0_1"
 replaces="smtp-server>=0 smtp-forwarder>=0"

From 724c982fca66e69d703b9e0536f898f9b89a2303 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:52 +0100
Subject: [PATCH 40/58] xorg-server: add $setuid

---
 srcpkgs/xorg-server/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template
index b4d24434a24f..b34cd8e256ff 100644
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1
  xserver-abi-video-25_1 xf86-video-modesetting-1_1"
 replaces="xf86-video-modesetting>=0 glamor-egl>=0"
 conf_files="/etc/X11/Xwrapper.config"
+setuid="/usr/libexec/Xorg.wrap"
 
 build_options="elogind"
 desc_option_elogind="Rootless Xorg support with elogind"

From 6f865b7090dede05af04b37fa5e8a43ce32fa1fe Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:31 +0100
Subject: [PATCH 41/58] opensmtpd: add $setuid and $setgid

---
 srcpkgs/opensmtpd/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template
index ab0b2e6a10ab..b608b9707471 100644
--- a/srcpkgs/opensmtpd/template
+++ b/srcpkgs/opensmtpd/template
@@ -26,6 +26,8 @@ checksum=51bf05312fe56764748faab9e63170bfbb7c7d84a37c4117b62b2681eb3a4d17
 provides="smtp-forwarder-0_1 smtp-server-0_1"
 replaces="smtp-forwarder>=0 smtp-server>=0"
 system_accounts="_smtpd _smtpq"
+setuid="/usr/libexec/opensmtpd/lockspool"
+setgid="/usr/bin/smtpctl"
 
 CFLAGS=-D_DEFAULT_SOURCE
 

From 030ae950fe7a823291b19ec7dae9d101c6793241 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:12:48 +0100
Subject: [PATCH 42/58] arcan: add $setuid

---
 srcpkgs/arcan/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template
index 7be9652eccf3..4b3e49602fe5 100644
--- a/srcpkgs/arcan/template
+++ b/srcpkgs/arcan/template
@@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz
  https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz"
 checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475
  3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da"
+setuid="/usr/bin/arcan"
 
 export CMAKE_GENERATOR="Unix Makefiles"
 

From c70f784aaaa1dce0acd10d98776fb4de566c9255 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:26 +0100
Subject: [PATCH 43/58] at: add $setuid and $setgid

---
 srcpkgs/at/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/at/template b/srcpkgs/at/template
index 41bc74404c48..652b1138759f 100644
--- a/srcpkgs/at/template
+++ b/srcpkgs/at/template
@@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html"
 distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz"
 checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8
 disable_parallel_build=yes
+setuid="/usr/bin/at"
+setgid="/usr/bin/at"
 
 conf_files="/etc/at.deny"
 system_accounts="at"

From c283b85906177d710683d483b85f9fe8c575a791 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:32 +0100
Subject: [PATCH 44/58] davfs2: add $setuid

---
 srcpkgs/davfs2/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template
index 1a2f8482e210..85b44de231a4 100644
--- a/srcpkgs/davfs2/template
+++ b/srcpkgs/davfs2/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="https://savannah.nongnu.org/projects/davfs2"
 distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0
+setuid="/usr/bin/mount.davfs"
 
 CFLAGS="-fcommon"
 

From c526957b4ab87498c0ef79b5dd6573bd32994472 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 45/58] hikari: add $setuid

---
 srcpkgs/hikari/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template
index 64811ea08b14..a5ce6f5783c7 100644
--- a/srcpkgs/hikari/template
+++ b/srcpkgs/hikari/template
@@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf"
 # bmake's -q flag seems to differ in behavior from gnu make which causes the
 # build style's handling of the check target not existing to fail.
 make_check=no
+setuid="/usr/bin/hikari-unlocker"
 
 pre_build() {
 	# The hikari Makefile appends to the CFLAGS and LDFLAGS variables;

From 3345671bc7fa8b7e11fb431eb4017b451fefd0fd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:48:49 +0100
Subject: [PATCH 46/58] squid: add $setuid

---
 srcpkgs/squid/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template
index 49b9eb9d7b91..9ae78bc3850a 100644
--- a/srcpkgs/squid/template
+++ b/srcpkgs/squid/template
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
 system_accounts="squid"
 # squid-conf-tests requires a squid user in the system
 make_check=no
+setuid="/usr/libexec/squid/pinger
+ /usr/libexec/squid/basic_pam_auth
+ /usr/libexec/squid/basic_ncsa_auth"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"

From 6f7f2650baf40711b717fe9722c17e0d214948c7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:19 +0100
Subject: [PATCH 47/58] libutempter: add $setgid

---
 srcpkgs/libutempter/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template
index 3a89e4126cfc..793a5e8163cd 100644
--- a/srcpkgs/libutempter/template
+++ b/srcpkgs/libutempter/template
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
 homepage="http://freecode.com/projects/libutempter"
 distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz"
 checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb
+setgid="/usr/lib/utempter/utempter"
 
 libutempter-devel_package() {
 	depends="${sourcepkg}>=${version}_${revision}"

From ba3a888e174b704ee77ab4f5fca0ba5a22147dd5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:46:44 +0100
Subject: [PATCH 48/58] shadow: add $setuid

---
 srcpkgs/shadow/template | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c59d92bfeb54..045005d6244e 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -18,6 +18,13 @@ homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
 checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+setuid="/usr/bin/sg
+ /usr/bin/expiry
+ /usr/bin/gpasswd
+ /usr/bin/newuidmap
+ /usr/bin/passwd
+ /usr/bin/chage
+ /usr/bin/newgidmap"
 
 pre_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From d72fc22228f59bce16249712afd61238d2ddcb4c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:09 +0100
Subject: [PATCH 49/58] qemu: add $setuid

---
 srcpkgs/qemu/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template
index 48ab199e5686..d41ed5395b20 100644
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu"
 nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64
  palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf
  opensbi-riscv64-generic-fw_dynamic.elf"
+setuid="/usr/libexec/qemu-bridge-helper"
 
 build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio"
 build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio"

From 649e47734ce1b5f29a10c8c76804b05ca9c44064 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:52 +0100
Subject: [PATCH 50/58] plocate: add $setgid

---
 srcpkgs/plocate/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template
index f288bcf8dd32..0017bbce0dd5 100644
--- a/srcpkgs/plocate/template
+++ b/srcpkgs/plocate/template
@@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/"
 changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD"
 distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz"
 checksum=939657050b70719b01ce04fc1c8b64270062a0d53da2c72eafbe036a1964e12c
+setgid="/usr/bin/plocate"
 
 system_accounts="_plocate"
 

From 85a04364fd08147f1853f628268de737b8365e76 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:22 +0100
Subject: [PATCH 51/58] 9mount: add $setuid

---
 srcpkgs/9mount/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template
index 5b1160ad2049..c17d16298857 100644
--- a/srcpkgs/9mount/template
+++ b/srcpkgs/9mount/template
@@ -10,6 +10,9 @@ license="ISC"
 homepage="http://sqweek.net/code/9mount/"
 distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz"
 checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17
+setuid="/usr/bin/9bind
+ /usr/bin/9mount
+ /usr/bin/9umount"
 
 pre_build() {
 	sed -i '/chown/d' Makefile

From 62ac3083fdcb6ffc7a151dcc416d3f4047f5c57d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:21 +0100
Subject: [PATCH 52/58] electron19: add $setuid

---
 srcpkgs/electron19/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template
index 068136be7623..06a3e6e0ef46 100644
--- a/srcpkgs/electron19/template
+++ b/srcpkgs/electron19/template
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro
 checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5
  f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464
  cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f"
+setuid="/usr/lib/electron19/chrome-sandbox"
 
 case "$XBPS_TARGET_MACHINE" in
 	ppc64*-musl) makedepends+=" libucontext-devel" ;;

From 2aa829474dbc1c240ffd913ed29051613cb9b83e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:38 +0100
Subject: [PATCH 53/58] firejail: add $setuid

---
 srcpkgs/firejail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template
index 0365d6044fec..e438bb88aa7a 100644
--- a/srcpkgs/firejail/template
+++ b/srcpkgs/firejail/template
@@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES"
 distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz"
 checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc
 conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default"
+setuid="/usr/bin/firejail"
 
 nocross=yes

From 27b6462b94b2cf182057c2613c9abe0f2803c6e0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:47 +0100
Subject: [PATCH 54/58] hiawatha: add $setuid

---
 srcpkgs/hiawatha/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template
index 04377f40b88b..7f2887cc68fb 100644
--- a/srcpkgs/hiawatha/template
+++ b/srcpkgs/hiawatha/template
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later"
 homepage="https://hiawatha-webserver.org"
-distfiles="${homepage}/files/${pkgname}-${version}.tar.gz"
+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"
 checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d
 conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt"
 make_dirs="/var/log/hiawatha 0755 root root"
+setuid="/usr/bin/cgi-wrapper"
 
 post_install() {
 	vsv hiawatha
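Review bot: the `distfiles` change in this hunk is unrelated to the commit subject "hiawatha: add $setuid" and is not mentioned in the commit message; either split it into its own commit or state it in the message. The new URL also hard-codes `hiawatha-10/hiawatha-${version}` in place of the previous `${homepage}`/`${pkgname}` form, so the next major version bump will have to touch this line again; if the series-specific directory is unavoidable, a short comment above `distfiles=` saying so would save the next maintainer a failed fetch.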

From 62e526846d19b653fc5b28022f93cfa5223eb858 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:10:26 +0100
Subject: [PATCH 55/58] kismet: add $setuid

---
 srcpkgs/kismet/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template
index 48a0fc5fa6f1..b789aecc5a3e 100644
--- a/srcpkgs/kismet/template
+++ b/srcpkgs/kismet/template
@@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/"
 distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz"
 checksum=2149cceac5526508653f4d02dcf7a694e3da3dc000a2372a1ee4bf9988279781
 system_groups="kismet"
+setuid="/usr/bin/kismet_cap_rz_killerbee"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"

From 6e895cc3f81f15f0cabd6991fa1733e2b92b4b16 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:32 +0100
Subject: [PATCH 56/58] schroot: add $setuid

---
 srcpkgs/schroot/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template
index 36f6ee83b9a9..5204bffd1938 100644
--- a/srcpkgs/schroot/template
+++ b/srcpkgs/schroot/template
@@ -56,6 +56,8 @@ checksum="
  7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1"
 nocross=yes
 skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz"
+setuid="/usr/bin/schroot
+ /usr/bin/dchroot"
 
 post_extract() {
 	bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction

From 445e7615eb8af8179622e5275cf75acc62a7e928 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:51 +0100
Subject: [PATCH 57/58] x2goserver: add $setgid

---
 srcpkgs/x2goserver/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template
index 0724ef53a2fa..83a7595d04fd 100644
--- a/srcpkgs/x2goserver/template
+++ b/srcpkgs/x2goserver/template
@@ -25,6 +25,7 @@ conf_files="
  /etc/x2go/x2goagent.*
  /etc/x2go/x2goserver.*
 "
+setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper"
 
 post_install() {
 	rm -rf "${DESTDIR}/etc/logcheck"

From dd42f6d27c0753de21219ded90c73beedae46ad3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:22:42 +0100
Subject: [PATCH 58/58] virtualbox-ose: add $setuid

---
 srcpkgs/virtualbox-ose/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template
index 4efc26f7da06..8ef1181930ce 100644
--- a/srcpkgs/virtualbox-ose/template
+++ b/srcpkgs/virtualbox-ose/template
@@ -30,6 +30,12 @@ fi
 
 depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus"
 system_groups="vboxusers"
+setuid="/usr/lib/virtualbox/VirtualBoxVM
+ /usr/lib/virtualbox/VBoxNetNAT
+ /usr/lib/virtualbox/VBoxHeadless
+ /usr/lib/virtualbox/VBoxNetDHCP
+ /usr/lib/virtualbox/VBoxNetAdpCtl"
+
 
 do_configure() {
 	cp ${FILESDIR}/LocalConfig.kmk .
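Review bot: the added `+` line after `/usr/lib/virtualbox/VBoxNetAdpCtl"` is an empty line that lands directly before the existing blank line, leaving two consecutive blank lines ahead of `do_configure()`. Drop the trailing empty `+` line so the hunk only adds the `setuid=` block.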


* Re: [PR PATCH] [Updated] [WIP]: hooks/post-install: add check setuid/setgid hook
  2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
                   ` (15 preceding siblings ...)
  2023-02-25 11:23 ` paper42
@ 2023-02-25 11:30 ` paper42
  2023-08-07  0:40 ` [PR PATCH] [Updated] " classabbyamp
                   ` (3 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: paper42 @ 2023-02-25 11:30 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 384 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

[WIP]: hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 47184 bytes --]

From c26a08ebbe98f57cc818ba6e8bf8731f2289b36c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 000000000000..dae87c2b3d5c
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
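Review bot: `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1")` word-splits the `find` output, so a set-id file under a path containing whitespace is split into fragments that match nothing in the allow list and are then reported as garbage names, or, worse, a fragment may accidentally equal an allowed entry. Since `${!2}` already commits the hook to bash, iterate over NUL-separated output without losing the `error=y` assignment to a pipeline subshell, e.g. `while IFS= read -r -d '' setidfile; do ... done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)`. Two smaller points: `error` and `matched` are not declared `local`, so they leak into the caller's environment between the `setuid` and `setgid` passes, and an entry listed in `$setuid`/`$setgid` that is no longer actually set-id in `$PKGDESTDIR` is silently accepted, so a stale allow list after an upstream change goes unnoticed; a `msg_warn` for allowed paths that were never matched would keep the lists honest.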

From 0ceea9b62aa43a9d0bdf352bf7f8baca01058f7a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 02/58] ecryptfs-utils: add $setuid and $setgid

---
 srcpkgs/ecryptfs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c32..d8faed1cd554 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/"
 distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz"
 checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
 lib32disabled=yes
+setuid="/usr/bin/mount.ecryptfs_private"
+setgid="/usr/bin/mount.ecryptfs_private"
 
 CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7"
 

From 67b3ee6446a5590b4401ea7233d5ebf487dc8e68 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:28 +0100
Subject: [PATCH 03/58] cifs-utils: add $setuid and $setgid

---
 srcpkgs/cifs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template
index 5576b371ca6a..331a0878b36d 100644
--- a/srcpkgs/cifs-utils/template
+++ b/srcpkgs/cifs-utils/template
@@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils"
 distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2"
 checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4
 python_version=3
+setuid="/usr/bin/mount.cifs"
+setgid="/usr/bin/mount.cifs"
 
 pre_configure() {
 	autoreconf -fi

From 408fcd18959169201d82f57c8db129b0dd091a92 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:48 +0100
Subject: [PATCH 04/58] s-nail: add $setuid

---
 srcpkgs/s-nail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template
index 7a171cea0d27..f8483be17854 100644
--- a/srcpkgs/s-nail/template
+++ b/srcpkgs/s-nail/template
@@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC"
 homepage="https://git.sdaoden.eu/cgit/s-nail.git"
 distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz"
 checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c
+setuid="/usr/libexec/s-nail-dotlock"
 
 provides="mail-${version}_${revision}"
 

From 8cc5b9e91f1268311961be019aa40f27a7c9a0f9 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:05 +0100
Subject: [PATCH 05/58] opendoas: add $setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 5254f280b801..9e93eaaf26fc 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"

From a9c7abc26ecb18b5d2a9afa75e06948e483f507a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:19 +0100
Subject: [PATCH 06/58] weston: add $setuid

---
 srcpkgs/weston/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template
index b517c10c98ca..465d5310a9b5 100644
--- a/srcpkgs/weston/template
+++ b/srcpkgs/weston/template
@@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz
 checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe
 system_groups="weston-launch"
 lib32disabled=yes
+setuid="/usr/bin/weston-launch"
 
 # Package build options
 build_options="elogind vaapi"

From 172cac70c2ffaa7d3bf67ecf7df7dc5ab46703e0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:22:39 +0100
Subject: [PATCH 07/58] enlightenment: set $setuid

---
 srcpkgs/enlightenment/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template
index ec1a084618db..d6406be26df8 100644
--- a/srcpkgs/enlightenment/template
+++ b/srcpkgs/enlightenment/template
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2
 lib32disabled=yes
 build_options="wayland"
 build_options_default="wayland"
+setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd
+ /usr/lib/enlightenment/utils/enlightenment_sys
+ /usr/lib/enlightenment/utils/enlightenment_system"
 
 if [ "$CROSS_BUILD" -a "$build_option_wayland" ]; then
 	hostmakedepends+=" wayland-devel"

From 15d264d24966f39df29e4bc0fa5c83e82bdbdfca Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:48 +0100
Subject: [PATCH 08/58] nfs-utils: add $setuid

---
 srcpkgs/nfs-utils/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template
index 252a7355b683..363c72c9ab67 100644
--- a/srcpkgs/nfs-utils/template
+++ b/srcpkgs/nfs-utils/template
@@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz"
 checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011
 replaces="rpcgen>=0"
+setuid="/usr/bin/mount.nfs"
 
 hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto"
 makedepends="libblkid-devel libmount-devel libtirpc-devel

From 048922a34f4d3c0c5916d9f2ca4af61ec45dd5c6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:31:52 +0100
Subject: [PATCH 09/58] libcgroup: add $setuid

---
 srcpkgs/libcgroup/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template
index 18dfd5c9f8e5..499d9e16cb1b 100644
--- a/srcpkgs/libcgroup/template
+++ b/srcpkgs/libcgroup/template
@@ -13,6 +13,7 @@ license="LGPL-2.1-only"
 homepage="https://github.com/libcgroup/libcgroup"
 distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz"
 checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd
+setuid="/usr/bin/cgexec"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl)	# Add musl-fts implementation

From 9068b5420468aad37fe7901ba4f12e1c92b8e57d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:34 +0100
Subject: [PATCH 10/58] physlock: add $setuid

---
 srcpkgs/physlock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template
index 0f091d24444c..f7faecb98250 100644
--- a/srcpkgs/physlock/template
+++ b/srcpkgs/physlock/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later"
 homepage="https://github.com/muennich/physlock"
 distfiles="${homepage}/archive/v${version}.tar.gz"
 checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6
+setuid="/usr/bin/physlock"
 
 CFLAGS="-D_GNU_SOURCE"
 

From fc59b7e5e08d87b5fa16c2cad932bef073686e43 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:35 +0100
Subject: [PATCH 11/58] fuse3: add $setuid

---
 srcpkgs/fuse3/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template
index 5fcf41be2e86..bd7bb00ee8ed 100644
--- a/srcpkgs/fuse3/template
+++ b/srcpkgs/fuse3/template
@@ -14,6 +14,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs
 distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.xz"
 checksum=6cd0759944c9aeb3d078b24a97b8a5cd5d49a0b8b7f15f85f32ac0c8a662fb6e
 conf_files="/etc/fuse.conf"
+setuid="/usr/bin/fusermount3"
 # Tests require root
 make_check=no
 

From a13510201c63aabafc3ebe18dd48122484a65ff5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:39 +0100
Subject: [PATCH 12/58] incron: add $setuid

---
 srcpkgs/incron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template
index 14222e496d94..fb6cd128ed4a 100644
--- a/srcpkgs/incron/template
+++ b/srcpkgs/incron/template
@@ -8,6 +8,7 @@ license="X11"
 homepage="https://github.com/ar-/incron"
 distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz"
 checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91
+setuid="/usr/bin/incrontab"
 
 make_dirs="/var/spool/incron 0755 root root
  /etc/incron.d 0755 root root"

From f5cb5962c815cf27f3d685682575c07a45add43d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:32:36 +0100
Subject: [PATCH 13/58] libpam-policycache: add $setuid

---
 srcpkgs/libpam-policycache/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template
index 6777b0856dd6..921fccd61886 100644
--- a/srcpkgs/libpam-policycache/template
+++ b/srcpkgs/libpam-policycache/template
@@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache"
 distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz"
 checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6
 CFLAGS="-Wno-error=deprecated-declarations"
+setuid="/usr/bin/pam-escalate-helper"
 
 make_dirs="/etc/libpam-policycache.d 0755 root root
  /var/cache/libpam-policycache 0700 root root"

From a7f8104e59eb135d25b19c0734d77b085c068134 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:55 +0100
Subject: [PATCH 14/58] openssh: add $setuid

---
 srcpkgs/openssh/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index 3adadcdbac33..adb2604ef937 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -26,6 +26,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver
 checksum=3f66dbf1655fb45f50e1c56da62ab01218c228807b21338d634ebcdf9d71cf46
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
 make_dirs="/var/chroot/ssh 0755 root root"
+setuid="/usr/libexec/ssh-keysign"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"

From 888bcaa250e33aeb0e74c5069bd9044ff3c20a1e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:17 +0100
Subject: [PATCH 15/58] slock: add $setuid

---
 srcpkgs/slock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template
index aa7890a49973..6612c55dcf01 100644
--- a/srcpkgs/slock/template
+++ b/srcpkgs/slock/template
@@ -10,6 +10,7 @@ license="MIT"
 homepage="http://tools.suckless.org/slock"
 distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz"
 checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d
+setuid="/usr/bin/slock"
 
 do_build() {
 	[ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h

From 4f58216ba7a7af8502b73bb38be2fca53736d6dd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:16 +0100
Subject: [PATCH 16/58] polkit: add $setuid

---
 srcpkgs/polkit/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template
index 84ab7453bb9b..aa7038f0e71c 100644
--- a/srcpkgs/polkit/template
+++ b/srcpkgs/polkit/template
@@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS"
 distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz"
 checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 system_accounts="polkitd"
+setuid="/usr/bin/pkexec
+ /usr/lib/polkit-1/polkit-agent-helper-1"
 #replaces="polkit-elogind>=0"
 #provides="polkit-elogind-${version}_${revision}"
 

From 7b70c0f66060841de07fbff7397168362b10d8c0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 17/58] fuse: add $setuid

---
 srcpkgs/fuse/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template
index b4fe1571f575..fa44380b9f8d 100644
--- a/srcpkgs/fuse/template
+++ b/srcpkgs/fuse/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://github.com/libfuse/libfuse"
 distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz"
 checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5
+setuid="/usr/bin/fusermount"
 
 pre_configure() {
 	autoreconf -fi

From 8b8f64102aab35468d3c3ae0d3ffa0ecd97dd9d3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:34:35 +0100
Subject: [PATCH 18/58] mariadb: add $setuid

---
 srcpkgs/mariadb/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template
index 71409f89930c..c594e7ea10a3 100644
--- a/srcpkgs/mariadb/template
+++ b/srcpkgs/mariadb/template
@@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql
  /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root"
 CFLAGS="-UNDEBUG"
 CXXFLAGS="-UNDEBUG"
+setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool"
 
 post_patch() {
 	case "$XBPS_TARGET_MACHINE" in

From c73a0de47fb6a920d4fc849fa77ac24ee221bbb3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:46 +0100
Subject: [PATCH 19/58] spice-gtk: add $setuid

---
 srcpkgs/spice-gtk/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template
index 3afa0268ee9f..dee6a7c8285c 100644
--- a/srcpkgs/spice-gtk/template
+++ b/srcpkgs/spice-gtk/template
@@ -22,6 +22,7 @@ homepage="https://spice-space.org"
 changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md"
 distfiles="https://spice-space.org/download/gtk/${pkgname}-${version}.tar.xz"
 checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f
+setuid="/usr/libexec/spice-client-glib-usb-acl-helper"
 
 CFLAGS="-Wno-error -Wno-error=unused-but-set-variable"
 

From eebac9f62fb9b3125a9571b784cae0be9e2d073f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:49:24 +0100
Subject: [PATCH 20/58] uucp: add $setuid

---
 srcpkgs/uucp/template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template
index 2b2b6f758fae..3719a4820ea2 100644
--- a/srcpkgs/uucp/template
+++ b/srcpkgs/uucp/template
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 homepage="https://www.gnu.org/software/uucp/uucp.html"
 distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz"
 checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c
-patch_args="-Np1"
+setuid="/usr/bin/uuname
+ /usr/bin/uuxqt
+ /usr/bin/uucp
+ /usr/bin/cu
+ /usr/bin/uux
+ /usr/bin/uucico
+ /usr/bin/uustat"
 
 system_accounts="_uucp"
 _uucp_homedir="/var/spool/uucp"
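Review bot: this hunk removes `patch_args="-Np1"` while the subject only says "uucp: add $setuid"; the deletion is not explained in the commit message. If it is meant as a cleanup because that value is now the default, say so in the message (or split it into its own commit) so that the template change is not mistaken for an accidental drop that would alter how the package's patches apply.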

From bdd1dd20d0be42f1cfcb54dbe724299b94171651 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:31 +0100
Subject: [PATCH 21/58] dar: add $setuid

---
 srcpkgs/dar/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template
index c289909e8122..979ec2f21d93 100644
--- a/srcpkgs/dar/template
+++ b/srcpkgs/dar/template
@@ -14,6 +14,7 @@ license="GPL-2.0-or-later"
 homepage="http://dar.linux.free.fr/"
 distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz"
 checksum=3fea9ff9e55fb9827e17a080de7d1a2605b82c2320c0dec969071efefdbfd097
+setuid="/usr/bin/dar"
 
 if [ "$CROSS_BUILD" ]; then
 	configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr

From 4b56dd67bd93216087d795a811dd27504702b7ab Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:53:36 +0100
Subject: [PATCH 22/58] keybase: add $setuid

---
 srcpkgs/keybase/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index 8db0a57472f7..708f116059d5 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -16,6 +16,7 @@ license="BSD-3-Clause"
 homepage="https://keybase.io/"
 distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
 checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71
+setuid="/usr/bin/keybase-redirector"
 
 post_install() {
 	vlicense LICENSE

From 11d5b382ec88dba7e10f89b47819b52931d4a413 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 23/58] dcron: add $setuid

---
 srcpkgs/dcron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template
index ab92850344ee..c0eabe30674e 100644
--- a/srcpkgs/dcron/template
+++ b/srcpkgs/dcron/template
@@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE
 distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz"
 checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f
 provides="cron-daemon-0_1"
+setuid="/usr/bin/dcrontab"
 
 alternatives="
  crond:crond:/etc/sv/dcron

From 7355c848584290f7b1eed2afe0a9902f3df4b79f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:56:15 +0100
Subject: [PATCH 24/58] kbdlight: add $setuid

---
 srcpkgs/kbdlight/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template
index 32bfec5560a5..4fb408d0dd3e 100644
--- a/srcpkgs/kbdlight/template
+++ b/srcpkgs/kbdlight/template
@@ -9,6 +9,7 @@ license="MIT"
 homepage="https://github.com/hobarrera/kbdlight"
 distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz"
 checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1
+setuid="/usr/bin/kbdlight"
 
 post_install() {
 	vlicense LICENCE

From ae038160ca5f1f0809c4f006dcacf04f1205652e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 25/58] containers: add $setuid

---
 srcpkgs/containers/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template
index 7f7ebc7f8178..b8509ce477fc 100644
--- a/srcpkgs/containers/template
+++ b/srcpkgs/containers/template
@@ -9,6 +9,8 @@ license="MIT"
 homepage="https://github.com/arachsys/containers"
 distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz"
 checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02
+setuid="/usr/bin/contain
+ /usr/bin/pseudo"
 
 do_install() {
 	vbin inject inject-contain

From cbd1032e690eda7210d53570bc623a1005e7342b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 26/58] fcron: add $setuid and $setgid

---
 srcpkgs/fcron/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template
index d3f8567f8927..e8cce723e24a 100644
--- a/srcpkgs/fcron/template
+++ b/srcpkgs/fcron/template
@@ -32,6 +32,12 @@ homepage="http://fcron.free.fr"
 distfiles="$homepage/archives/$pkgname-$version.src.tar.gz"
 checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106
 
+setuid="/usr/bin/fcronsighup
+ /usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+setgid="/usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+
 alternatives="
  crond:crond:/etc/sv/fcron
  crond:crontab:/usr/bin/fcrontab

From 0dc5eb5a2f33f8aa1ded67c40d25ba15f224fe24 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 27/58] glusterfs: add $setuid

---
 srcpkgs/glusterfs/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template
index 993fde9a321c..b293783cb34c 100644
--- a/srcpkgs/glusterfs/template
+++ b/srcpkgs/glusterfs/template
@@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only"
 homepage="https://www.gluster.org/"
 distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz"
 checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a
+setuid="/usr/bin/fusermount-glusterfs"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl) broken="not yet supported";;

From d6fe8a3f1809687c9d3efbe30dcd5aa47e84176b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:55:28 +0100
Subject: [PATCH 28/58] Powermanga: add $setuid

---
 srcpkgs/Powermanga/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template
index f3b9ef9faf3c..5c78aeb88302 100644
--- a/srcpkgs/Powermanga/template
+++ b/srcpkgs/Powermanga/template
@@ -11,6 +11,7 @@ license="GPL-3.0-or-later"
 homepage="http://linux.tlk.fr/games/Powermanga"
 distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz"
 checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249
+setgid="/usr/bin/powermanga"
 
 pre_configure() {
 	./bootstrap
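Review bot: the subject "Powermanga: add $setuid" does not match the hunk, which declares `+setgid="/usr/bin/powermanga"`; retitle the commit "Powermanga: add $setgid" so the subject names the bit actually being allowlisted, as the later libutempter and plocate commits in this series do.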

From 8eb134f1d56b96df326611f34efd9647a7dfb2cf Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 29/58] cronie: add $setuid

---
 srcpkgs/cronie/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template
index 3f8fbbcc4f30..c4315e9087c5 100644
--- a/srcpkgs/cronie/template
+++ b/srcpkgs/cronie/template
@@ -24,6 +24,7 @@ make_dirs="
 	/var/spool/anacron 0755 root root"
 conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny"
 provides="cron-daemon-0_1"
+setuid="/usr/bin/cronie-crontab"
 
 alternatives="
  crond:crond:/etc/sv/cronie

From 913e018e7456247e17b0e07591b1dce186e8fcfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:55:39 +0100
Subject: [PATCH 30/58] xscreensaver: add $setuid

---
 srcpkgs/xscreensaver/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template
index 581298ad5999..38de4a9f0642 100644
--- a/srcpkgs/xscreensaver/template
+++ b/srcpkgs/xscreensaver/template
@@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/"
 changelog="https://www.jwz.org/xscreensaver/changelog.html"
 distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz"
 checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7
+setuid="/usr/libexec/xscreensaver/xscreensaver-auth
+ /usr/libexec/xscreensaver/sonar"
 
 pre_configure() {
 	mkdir -p /usr/share/X11/app-defaults

From 3457df51660e3f895e90f7dddf43fa9de3f26b11 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:45 +0100
Subject: [PATCH 31/58] pmount: add $setuid

---
 srcpkgs/pmount/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template
index 8a826f4e0fe6..34b34d11d4af 100644
--- a/srcpkgs/pmount/template
+++ b/srcpkgs/pmount/template
@@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/"
 distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2"
 checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036
 conf_files="/etc/pmount.allow"
+setuid="/usr/bin/pmount
+ /usr/bin/pumount"
 
 post_patch() {
 	vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure

From 907718b2c5cf31bbe0a293ec8386fc0bad24359d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:54 +0100
Subject: [PATCH 32/58] lxc: add $setuid

---
 srcpkgs/lxc/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 40f9cf15b522..2ec773597a59 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -17,6 +17,7 @@ license="LGPL-2.1-or-later"
 homepage="https://linuxcontainers.org"
 distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"
 checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222
+setuid="/usr/libexec/lxc/lxc-user-nic"
 
 conf_files="/etc/lxc/default.conf"
 make_dirs="

From 27d418a7cd7e1a5a7c98eea59ccc019191ea2919 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 33/58] dma: add $setuid and $setgid

---
 srcpkgs/dma/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template
index 78c71595ec15..0e3a98865ec3 100644
--- a/srcpkgs/dma/template
+++ b/srcpkgs/dma/template
@@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma"
 distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz"
 checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946
 system_accounts="mail"
+setuid="/usr/lib/dma-mbox-create"
+setgid="/usr/bin/dma"
 
 provides="smtp-server-0_1 smtp-forwarder-0_1"
 replaces="smtp-server>=0 smtp-forwarder>=0"

From 1c7e1a48bd31ddab971cfcb16873c020552b4b04 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:52 +0100
Subject: [PATCH 34/58] xorg-server: add $setuid

---
 srcpkgs/xorg-server/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template
index b4d24434a24f..b34cd8e256ff 100644
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1
  xserver-abi-video-25_1 xf86-video-modesetting-1_1"
 replaces="xf86-video-modesetting>=0 glamor-egl>=0"
 conf_files="/etc/X11/Xwrapper.config"
+setuid="/usr/libexec/Xorg.wrap"
 
 build_options="elogind"
 desc_option_elogind="Rootless Xorg support with elogind"

From 5c9b4543581a2f294c06f21c8534356847aaea85 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:31 +0100
Subject: [PATCH 35/58] opensmtpd: add $setuid and $setgid

---
 srcpkgs/opensmtpd/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template
index ab0b2e6a10ab..b608b9707471 100644
--- a/srcpkgs/opensmtpd/template
+++ b/srcpkgs/opensmtpd/template
@@ -26,6 +26,8 @@ checksum=51bf05312fe56764748faab9e63170bfbb7c7d84a37c4117b62b2681eb3a4d17
 provides="smtp-forwarder-0_1 smtp-server-0_1"
 replaces="smtp-forwarder>=0 smtp-server>=0"
 system_accounts="_smtpd _smtpq"
+setuid="/usr/libexec/opensmtpd/lockspool"
+setgid="/usr/bin/smtpctl"
 
 CFLAGS=-D_DEFAULT_SOURCE
 

From 1d20ed721b722690b91b24eb4639b239325a87de Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:12:48 +0100
Subject: [PATCH 36/58] arcan: add $setuid

---
 srcpkgs/arcan/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template
index 7be9652eccf3..4b3e49602fe5 100644
--- a/srcpkgs/arcan/template
+++ b/srcpkgs/arcan/template
@@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz
  https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz"
 checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475
  3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da"
+setuid="/usr/bin/arcan"
 
 export CMAKE_GENERATOR="Unix Makefiles"
 

From 3e5f51ea29f2560569bb448c6a6121261f8f4e6a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:32 +0100
Subject: [PATCH 37/58] davfs2: add $setuid

---
 srcpkgs/davfs2/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template
index 1a2f8482e210..85b44de231a4 100644
--- a/srcpkgs/davfs2/template
+++ b/srcpkgs/davfs2/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="https://savannah.nongnu.org/projects/davfs2"
 distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0
+setuid="/usr/bin/mount.davfs"
 
 CFLAGS="-fcommon"
 

From 640ba156b68e40a2910a88919e1f0db63c2a7801 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 38/58] hikari: add $setuid

---
 srcpkgs/hikari/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template
index 64811ea08b14..a5ce6f5783c7 100644
--- a/srcpkgs/hikari/template
+++ b/srcpkgs/hikari/template
@@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf"
 # bmake's -q flag seems to differ in behavior from gnu make which causes the
 # build style's handling of the check target not existing to fail.
 make_check=no
+setuid="/usr/bin/hikari-unlocker"
 
 pre_build() {
 	# The hikari Makefile appends to the CFLAGS and LDFLAGS variables;

From 8360ba13fd0fad3a7a019c6d05806f841fd58765 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:48:49 +0100
Subject: [PATCH 39/58] squid: add $setuid

---
 srcpkgs/squid/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template
index 49b9eb9d7b91..9ae78bc3850a 100644
--- a/srcpkgs/squid/template
+++ b/srcpkgs/squid/template
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
 system_accounts="squid"
 # squid-conf-tests requires a squid user in the system
 make_check=no
+setuid="/usr/libexec/squid/pinger
+ /usr/libexec/squid/basic_pam_auth
+ /usr/libexec/squid/basic_ncsa_auth"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"

From 1124cb66992cc3abfd5c0ec53c1659cf62012a77 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:19 +0100
Subject: [PATCH 40/58] libutempter: add $setgid

---
 srcpkgs/libutempter/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template
index 3a89e4126cfc..793a5e8163cd 100644
--- a/srcpkgs/libutempter/template
+++ b/srcpkgs/libutempter/template
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
 homepage="http://freecode.com/projects/libutempter"
 distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz"
 checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb
+setgid="/usr/lib/utempter/utempter"
 
 libutempter-devel_package() {
 	depends="${sourcepkg}>=${version}_${revision}"

From 41a0fbdece00a08c09e5c9da722f15ea7266743b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:09 +0100
Subject: [PATCH 41/58] qemu: add $setuid

---
 srcpkgs/qemu/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template
index 48ab199e5686..d41ed5395b20 100644
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu"
 nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64
  palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf
  opensbi-riscv64-generic-fw_dynamic.elf"
+setuid="/usr/libexec/qemu-bridge-helper"
 
 build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio"
 build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio"

From 571ea7855be96edcc9111beae7caad6c0204ab3f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:52 +0100
Subject: [PATCH 42/58] plocate: add $setgid

---
 srcpkgs/plocate/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template
index f288bcf8dd32..0017bbce0dd5 100644
--- a/srcpkgs/plocate/template
+++ b/srcpkgs/plocate/template
@@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/"
 changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD"
 distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz"
 checksum=939657050b70719b01ce04fc1c8b64270062a0d53da2c72eafbe036a1964e12c
+setgid="/usr/bin/plocate"
 
 system_accounts="_plocate"
 

From 4b052b992f80bdae80938e8385f172c70788924f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:21 +0100
Subject: [PATCH 43/58] electron19: add $setuid

---
 srcpkgs/electron19/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template
index 068136be7623..06a3e6e0ef46 100644
--- a/srcpkgs/electron19/template
+++ b/srcpkgs/electron19/template
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro
 checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5
  f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464
  cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f"
+setuid="/usr/lib/electron19/chrome-sandbox"
 
 case "$XBPS_TARGET_MACHINE" in
 	ppc64*-musl) makedepends+=" libucontext-devel" ;;

From 43aa49083503c0b72a2c830b4e16c585eb25c785 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:38 +0100
Subject: [PATCH 44/58] firejail: add $setuid

---
 srcpkgs/firejail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template
index 0365d6044fec..e438bb88aa7a 100644
--- a/srcpkgs/firejail/template
+++ b/srcpkgs/firejail/template
@@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES"
 distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz"
 checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc
 conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default"
+setuid="/usr/bin/firejail"
 
 nocross=yes

From 9ff37c2acbf0edeac9950a17a480a16cb1948641 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:47 +0100
Subject: [PATCH 45/58] hiawatha: add $setuid

---
 srcpkgs/hiawatha/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template
index 04377f40b88b..7f2887cc68fb 100644
--- a/srcpkgs/hiawatha/template
+++ b/srcpkgs/hiawatha/template
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later"
 homepage="https://hiawatha-webserver.org"
-distfiles="${homepage}/files/${pkgname}-${version}.tar.gz"
+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"
 checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d
 conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt"
 make_dirs="/var/log/hiawatha 0755 root root"
+setuid="/usr/bin/cgi-wrapper"
 
 post_install() {
 	vsv hiawatha
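Review bot: the `-distfiles="${homepage}/files/${pkgname}-${version}.tar.gz"` / `+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"` change is a download-URL fix unrelated to the setuid allowlist and is not mentioned in the subject "hiawatha: add $setuid"; split it into its own commit, or at least state it in the commit message, so the history stays reviewable. The `checksum=` line is untouched, so the new URL is expected to serve the identical tarball; that is worth saying explicitly.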

From 50e2acfb55e0e6ba16e0b901c46766af0c78bda7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:10:26 +0100
Subject: [PATCH 46/58] kismet: add $setuid

---
 srcpkgs/kismet/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template
index 48a0fc5fa6f1..b789aecc5a3e 100644
--- a/srcpkgs/kismet/template
+++ b/srcpkgs/kismet/template
@@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/"
 distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz"
 checksum=2149cceac5526508653f4d02dcf7a694e3da3dc000a2372a1ee4bf9988279781
 system_groups="kismet"
+setuid="/usr/bin/kismet_cap_rz_killerbee"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	makedepends+=" libatomic-devel"

From 610306f2a020c41ce5431f0d899a07aeff22d8ef Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:32 +0100
Subject: [PATCH 47/58] schroot: add $setuid

---
 srcpkgs/schroot/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template
index 36f6ee83b9a9..5204bffd1938 100644
--- a/srcpkgs/schroot/template
+++ b/srcpkgs/schroot/template
@@ -56,6 +56,8 @@ checksum="
  7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1"
 nocross=yes
 skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz"
+setuid="/usr/bin/schroot
+ /usr/bin/dchroot"
 
 post_extract() {
 	bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction

From bb02e93246a97e6848910593e062b2591d59c90e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:51 +0100
Subject: [PATCH 48/58] x2goserver: add $setgid

---
 srcpkgs/x2goserver/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template
index 0724ef53a2fa..83a7595d04fd 100644
--- a/srcpkgs/x2goserver/template
+++ b/srcpkgs/x2goserver/template
@@ -25,6 +25,7 @@ conf_files="
  /etc/x2go/x2goagent.*
  /etc/x2go/x2goserver.*
 "
+setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper"
 
 post_install() {
 	rm -rf "${DESTDIR}/etc/logcheck"

From 5ab140e94a56ca645213d317f52e50c23600d01e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:22:42 +0100
Subject: [PATCH 49/58] virtualbox-ose: add $setuid

---
 srcpkgs/virtualbox-ose/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template
index 4efc26f7da06..8ef1181930ce 100644
--- a/srcpkgs/virtualbox-ose/template
+++ b/srcpkgs/virtualbox-ose/template
@@ -30,6 +30,12 @@ fi
 
 depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus"
 system_groups="vboxusers"
+setuid="/usr/lib/virtualbox/VirtualBoxVM
+ /usr/lib/virtualbox/VBoxNetNAT
+ /usr/lib/virtualbox/VBoxHeadless
+ /usr/lib/virtualbox/VBoxNetDHCP
+ /usr/lib/virtualbox/VBoxNetAdpCtl"
+
 
 do_configure() {
 	cp ${FILESDIR}/LocalConfig.kmk .
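Review bot: the added empty `+` line after `+ /usr/lib/virtualbox/VBoxNetAdpCtl"` sits directly above the existing blank line, leaving two consecutive blank lines before `do_configure()`; drop the extra `+` line so the template keeps its single-blank-line spacing like the other templates in this series.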

From 54db7f4c933f1bedc4c8ec9094b92bf94bce1ed3 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 22:50:24 -0400
Subject: [PATCH 50/58] at: explicitly allow setuid

---
 srcpkgs/at/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/at/template b/srcpkgs/at/template
index 41bc74404c48..652b1138759f 100644
--- a/srcpkgs/at/template
+++ b/srcpkgs/at/template
@@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html"
 distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz"
 checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8
 disable_parallel_build=yes
+setuid="/usr/bin/at"
+setgid="/usr/bin/at"
 
 conf_files="/etc/at.deny"
 system_accounts="at"

From 2d3c6a7884f4de4a276f577c4dec686b15cb1380 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 00:03:39 -0400
Subject: [PATCH 51/58] 9mount: explicitly allow setuid

---
 srcpkgs/9mount/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template
index 5b1160ad2049..04817c3c3c42 100644
--- a/srcpkgs/9mount/template
+++ b/srcpkgs/9mount/template
@@ -10,6 +10,7 @@ license="ISC"
 homepage="http://sqweek.net/code/9mount/"
 distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz"
 checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17
+setuid="/usr/bin/9mount /usr/bin/9umount /usr/bin/9bind"
 
 pre_build() {
 	sed -i '/chown/d' Makefile

From c78b9d21ae72d8b880369dece8547b386366810a Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sat, 2 Apr 2022 22:20:53 -0400
Subject: [PATCH 52/58] xlockmore: explicitly allow setuid

Setuid root appears required by xlock on systems that use shadow passwords,
according to the README.

Requires confirmation
---
 srcpkgs/xlockmore/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template
index 2cee0181924d..c9b9b1b0764e 100644
--- a/srcpkgs/xlockmore/template
+++ b/srcpkgs/xlockmore/template
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README"
 distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz"
 checksum=0118b2d4b28303c335426cd6ca844b4776e4b71adb1d344f2ec087b57616c21a
 CFLAGS="-D_DEFAULT_SOURCE"
+setuid="/usr/bin/xlock"
 
 build_options="opengl"
 desc_option_opengl="Enable OpenGL modes"

From d6f9faffcb4eac5ee22acaf75c90a87b8c6eb4c7 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 20:46:33 -0400
Subject: [PATCH 53/58] util-linux: explicitly allow setuid

---
 srcpkgs/util-linux/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 2530c51d17b9..3aed9934beb5 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -23,6 +23,8 @@ license="GPL-2.0-or-later"
 homepage="https://www.kernel.org/pub/linux/utils/util-linux/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz"
 checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f
+setuid="/usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/newgrp
+ /usr/bin/chsh /usr/bin/chfn"
 
 # Create uuidd system account for uuidd.
 system_accounts="_uuidd"

From 3beea24409efd71bafe2829858fa6fb6ce04f2d8 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:27:55 -0400
Subject: [PATCH 54/58] shadow: explicitly allow setuid

---
 srcpkgs/shadow/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c59d92bfeb54..279cacf843be 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -18,6 +18,8 @@ homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
 checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+setuid="/usr/bin/passwd /usr/bin/gpasswd /usr/bin/expiry /usr/bin/chage
+ /usr/bin/sg /usr/bin/newuidmap /usr/bin/newgidmap"
 
 pre_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 961212bb3b8535e1e0ceb63f94eb37908d2e8cb2 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:58:17 -0400
Subject: [PATCH 55/58] sudo: explicitly allow setuid

---
 srcpkgs/sudo/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template
index f1278024f4ff..43d3088d0002 100644
--- a/srcpkgs/sudo/template
+++ b/srcpkgs/sudo/template
@@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz"
 checksum=b9a0b1ae0f1ddd9be7f3eafe70be05ee81f572f6f536632c44cd4101bb2a8539
 conf_files="/etc/pam.d/sudo /etc/sudoers"
 lib32disabled=yes
+setuid="/usr/bin/sudo"
 
 post_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 528ed53e42c5b1e335cb54496bafd6c16191ce35 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 22:17:31 -0400
Subject: [PATCH 56/58] udevil: explicitly allow setuid

---
 srcpkgs/udevil/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template
index b560bdf7589f..263d0a652102 100644
--- a/srcpkgs/udevil/template
+++ b/srcpkgs/udevil/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="http://ignorantguru.github.io/udevil/"
 distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz"
 checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c
+setuid="/usr/bin/udevil"
 
 post_patch() {
 	vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure

From e08c73769d6e75b9d0e802e81f9c250edbd6445b Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 15:37:20 -0400
Subject: [PATCH 57/58] thttpd: explicitly allow setuid

The makeweb tool needs sgid. However, thttpd is configured at compile time, and
it's unclear if our config (the default) allows usage of `makeweb`. That tool
also doesn't look like a superb thing to unconditionally ship in the main
package since it can't be configured by the system admin. Perhaps it should be
split into a subpackage?
---
 srcpkgs/thttpd/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template
index 13de3fbef35e..3d288f2ea1cf 100644
--- a/srcpkgs/thttpd/template
+++ b/srcpkgs/thttpd/template
@@ -9,6 +9,7 @@ license="BSD-2-Clause"
 homepage="http://www.acme.com/software/thttpd/"
 distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz"
 checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+setgid="/usr/bin/makeweb"
 
 pre_configure() {
 	vsed -i Makefile.in -e "s,-o bin -g bin,,g"
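Review bot: the subject "thttpd: explicitly allow setuid" does not match the hunk, which declares `+setgid="/usr/bin/makeweb"` (the message body itself says makeweb needs sgid); retitle the commit "thttpd: explicitly allow setgid" so the subject reflects the bit being allowlisted.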

From 97bf7c974e97447266f35a7e600f2c8373b82982 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 17:22:01 -0400
Subject: [PATCH 58/58] mit-krb5: explicitly allow setuid

---
 srcpkgs/mit-krb5/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template
index a67bae19764a..8ba1a0ed56d5 100644
--- a/srcpkgs/mit-krb5/template
+++ b/srcpkgs/mit-krb5/template
@@ -42,6 +42,7 @@ post_install() {
 
 mit-krb5-client_package() {
 	short_desc+=" - client programs"
+	setuid="/usr/bin/ksu"
 	pkg_install() {
 		for f in uuclient ktutil kswitch gss-client kvno kinit kpasswd \
 			kdestroy sclient kadmin k5srvutil sim_client klist ksu; do


* Re: [PR PATCH] [Updated] hooks/post-install: add check setuid/setgid hook
  2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
                   ` (16 preceding siblings ...)
  2023-02-25 11:30 ` paper42
@ 2023-08-07  0:40 ` classabbyamp
  2023-09-20 13:29 ` 0x5c
                   ` (2 subsequent siblings)
  20 siblings, 0 replies; 22+ messages in thread
From: classabbyamp @ 2023-08-07  0:40 UTC (permalink / raw)
  To: ml

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

There is an updated pull request by classabbyamp against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 47328 bytes --]

From e7c4d7abe6558674998f92718a178a8fe4117b83 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 0000000000000..dae87c2b3d5c5
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
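Review bot: `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1")` word-splits find's output, so a set-id file whose path contains whitespace is broken into fragments that can never equal `"$PKGDESTDIR$allowed_file"`, and the hook then fails with a misleading "not allowed" message; iterate with `while IFS= read -r -d '' setidfile; do ... done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)` (process substitution rather than a pipe, so the `error=y` assignment survives the loop; hooks already rely on bash via `${!2}`). The check is also one-directional: an entry in `$setuid`/`$setgid` that no longer carries the bit (renamed binary, changed install rule) passes silently, so the allowlist can drift from what the package actually ships; a second loop over `${!2}` that reports listed paths for which `[ -u "$PKGDESTDIR$allowed_file" ]` (or `-g` for setgid) is false would catch that. Minor: `error` and `matched` are not declared `local` and leak into the hook's shell scope.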

From 07a03aa693ca14d9152b8558626bce01d652c59f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 02/58] ecryptfs-utils: add $setuid and $setgid

---
 srcpkgs/ecryptfs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c325..d8faed1cd5546 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/"
 distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz"
 checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
 lib32disabled=yes
+setuid="/usr/bin/mount.ecryptfs_private"
+setgid="/usr/bin/mount.ecryptfs_private"
 
 CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7"
 

From 01ea37a585e46ead9632b88bcc3bce783ff3b43c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:28 +0100
Subject: [PATCH 03/58] cifs-utils: add $setuid and $setgid

---
 srcpkgs/cifs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template
index 5576b371ca6af..331a0878b36d9 100644
--- a/srcpkgs/cifs-utils/template
+++ b/srcpkgs/cifs-utils/template
@@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils"
 distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2"
 checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4
 python_version=3
+setuid="/usr/bin/mount.cifs"
+setgid="/usr/bin/mount.cifs"
 
 pre_configure() {
 	autoreconf -fi

From c45d8096729390fd45678c0932d20e6218d05dfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:48 +0100
Subject: [PATCH 04/58] s-nail: add $setuid

---
 srcpkgs/s-nail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template
index 7a171cea0d274..f8483be178548 100644
--- a/srcpkgs/s-nail/template
+++ b/srcpkgs/s-nail/template
@@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC"
 homepage="https://git.sdaoden.eu/cgit/s-nail.git"
 distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz"
 checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c
+setuid="/usr/libexec/s-nail-dotlock"
 
 provides="mail-${version}_${revision}"
 

From e42d1140c2c0ed32740c22ecc52c9fe01d09409d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:05 +0100
Subject: [PATCH 05/58] opendoas: add $setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 5254f280b8015..9e93eaaf26fc4 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"

From c547737dddf45879d2873a01fa593dafbec162d3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:19 +0100
Subject: [PATCH 06/58] weston: add $setuid

---
 srcpkgs/weston/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template
index b517c10c98caf..465d5310a9b55 100644
--- a/srcpkgs/weston/template
+++ b/srcpkgs/weston/template
@@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz
 checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe
 system_groups="weston-launch"
 lib32disabled=yes
+setuid="/usr/bin/weston-launch"
 
 # Package build options
 build_options="elogind vaapi"

From 4d337f6eb066fb6d0432d28271349596969ed2c6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:22:39 +0100
Subject: [PATCH 07/58] enlightenment: set $setuid

---
 srcpkgs/enlightenment/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template
index fb148d8c66931..5400afeeb49fe 100644
--- a/srcpkgs/enlightenment/template
+++ b/srcpkgs/enlightenment/template
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2
 lib32disabled=yes
 build_options="wayland"
 build_options_default="wayland"
+setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd
+ /usr/lib/enlightenment/utils/enlightenment_sys
+ /usr/lib/enlightenment/utils/enlightenment_system"
 
 post_install() {
 	# Use our native tools to shutdown/suspend.

From e915a2e1fa9116e0cc5ffd554b949d68b4535aca Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:48 +0100
Subject: [PATCH 08/58] nfs-utils: add $setuid

---
 srcpkgs/nfs-utils/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template
index 252a7355b6836..363c72c9ab679 100644
--- a/srcpkgs/nfs-utils/template
+++ b/srcpkgs/nfs-utils/template
@@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz"
 checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011
 replaces="rpcgen>=0"
+setuid="/usr/bin/mount.nfs"
 
 hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto"
 makedepends="libblkid-devel libmount-devel libtirpc-devel

From 2a34c4fb64032e585ce55bdbb38052c0f7d8c42d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:31:52 +0100
Subject: [PATCH 09/58] libcgroup: add $setuid

---
 srcpkgs/libcgroup/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template
index 18dfd5c9f8e5f..499d9e16cb1b9 100644
--- a/srcpkgs/libcgroup/template
+++ b/srcpkgs/libcgroup/template
@@ -13,6 +13,7 @@ license="LGPL-2.1-only"
 homepage="https://github.com/libcgroup/libcgroup"
 distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz"
 checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd
+setuid="/usr/bin/cgexec"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl)	# Add musl-fts implementation

From f29cecb7e598f9de223e1f85a7976a6d315011df Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:34 +0100
Subject: [PATCH 10/58] physlock: add $setuid

---
 srcpkgs/physlock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template
index 0f091d24444ca..f7faecb982502 100644
--- a/srcpkgs/physlock/template
+++ b/srcpkgs/physlock/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later"
 homepage="https://github.com/muennich/physlock"
 distfiles="${homepage}/archive/v${version}.tar.gz"
 checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6
+setuid="/usr/bin/physlock"
 
 CFLAGS="-D_GNU_SOURCE"
 

From 2a39174bc49cefe3ab2d26938b1a26307ef3f89a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:35 +0100
Subject: [PATCH 11/58] fuse3: add $setuid

---
 srcpkgs/fuse3/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template
index 612f909c8e6f6..dbfc79aa8339e 100644
--- a/srcpkgs/fuse3/template
+++ b/srcpkgs/fuse3/template
@@ -15,6 +15,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs
 distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.gz"
 checksum=13ef77cda531a21c2131f9576042970e98035c0a5f019abf661506efd2d38a4e
 conf_files="/etc/fuse.conf"
+setuid="/usr/bin/fusermount3"
 # Tests require root
 make_check=no
 

From cd92365e6b5017679588301f1d0127c8f23ec519 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:39 +0100
Subject: [PATCH 12/58] incron: add $setuid

---
 srcpkgs/incron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template
index 14222e496d946..fb6cd128ed4aa 100644
--- a/srcpkgs/incron/template
+++ b/srcpkgs/incron/template
@@ -8,6 +8,7 @@ license="X11"
 homepage="https://github.com/ar-/incron"
 distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz"
 checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91
+setuid="/usr/bin/incrontab"
 
 make_dirs="/var/spool/incron 0755 root root
  /etc/incron.d 0755 root root"

From 08ce1abf4b11296f6a6b5923d2b01f20dbaecff5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:32:36 +0100
Subject: [PATCH 13/58] libpam-policycache: add $setuid

---
 srcpkgs/libpam-policycache/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template
index 6777b0856dd67..921fccd61886a 100644
--- a/srcpkgs/libpam-policycache/template
+++ b/srcpkgs/libpam-policycache/template
@@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache"
 distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz"
 checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6
 CFLAGS="-Wno-error=deprecated-declarations"
+setuid="/usr/bin/pam-escalate-helper"
 
 make_dirs="/etc/libpam-policycache.d 0755 root root
  /var/cache/libpam-policycache 0700 root root"

From 0b6ac9275cb089daf711de2b4f176a694d0b23fa Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:55 +0100
Subject: [PATCH 14/58] openssh: add $setuid

---
 srcpkgs/openssh/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index a5c920fb10b2e..d5d9d93f23091 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -28,6 +28,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver
 checksum=200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
 make_dirs="/var/chroot/ssh 0755 root root"
+setuid="/usr/libexec/ssh-keysign"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"

From e305c16a90c862648c609e460f348fa0020f72e6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:17 +0100
Subject: [PATCH 15/58] slock: add $setuid

---
 srcpkgs/slock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template
index aa7890a499735..6612c55dcf014 100644
--- a/srcpkgs/slock/template
+++ b/srcpkgs/slock/template
@@ -10,6 +10,7 @@ license="MIT"
 homepage="http://tools.suckless.org/slock"
 distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz"
 checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d
+setuid="/usr/bin/slock"
 
 do_build() {
 	[ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h

From c06e999ed28f3494eebf2062022f66a826355148 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:16 +0100
Subject: [PATCH 16/58] polkit: add $setuid

---
 srcpkgs/polkit/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template
index 84ab7453bb9b6..aa7038f0e71c3 100644
--- a/srcpkgs/polkit/template
+++ b/srcpkgs/polkit/template
@@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS"
 distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz"
 checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 system_accounts="polkitd"
+setuid="/usr/bin/pkexec
+ /usr/lib/polkit-1/polkit-agent-helper-1"
 #replaces="polkit-elogind>=0"
 #provides="polkit-elogind-${version}_${revision}"
 

From 93a3dfa641e227300afb0a7b7c5784664752128f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 17/58] fuse: add $setuid

---
 srcpkgs/fuse/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template
index b4fe1571f575b..fa44380b9f8dc 100644
--- a/srcpkgs/fuse/template
+++ b/srcpkgs/fuse/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://github.com/libfuse/libfuse"
 distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz"
 checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5
+setuid="/usr/bin/fusermount"
 
 pre_configure() {
 	autoreconf -fi

From 7494879fb9bd894fe10df71e69b2cfd45ad236a3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:34:35 +0100
Subject: [PATCH 18/58] mariadb: add $setuid

---
 srcpkgs/mariadb/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template
index f8987e06ed1c6..53ec5d24fad1d 100644
--- a/srcpkgs/mariadb/template
+++ b/srcpkgs/mariadb/template
@@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql
  /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root"
 CFLAGS="-UNDEBUG"
 CXXFLAGS="-UNDEBUG"
+setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool"
 
 post_patch() {
 	case "$XBPS_TARGET_MACHINE" in

From 29f41512c5e42d2bab27668cd1182e145f2aee90 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:46 +0100
Subject: [PATCH 19/58] spice-gtk: add $setuid

---
 srcpkgs/spice-gtk/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template
index 2d7bed6ddcdd2..06f31b2585a8e 100644
--- a/srcpkgs/spice-gtk/template
+++ b/srcpkgs/spice-gtk/template
@@ -22,6 +22,7 @@ homepage="https://spice-space.org"
 changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md"
 distfiles="https://spice-space.org/download/gtk/spice-gtk-${version}.tar.xz"
 checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f
+setuid="/usr/libexec/spice-client-glib-usb-acl-helper"
 
 CFLAGS="-Wno-error -Wno-error=unused-but-set-variable"
 

From 569fedd3b2258d8cdba941ec120b30080d214231 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:49:24 +0100
Subject: [PATCH 20/58] uucp: add $setuid

---
 srcpkgs/uucp/template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template
index 2b2b6f758fae7..3719a4820ea29 100644
--- a/srcpkgs/uucp/template
+++ b/srcpkgs/uucp/template
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 homepage="https://www.gnu.org/software/uucp/uucp.html"
 distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz"
 checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c
-patch_args="-Np1"
+setuid="/usr/bin/uuname
+ /usr/bin/uuxqt
+ /usr/bin/uucp
+ /usr/bin/cu
+ /usr/bin/uux
+ /usr/bin/uucico
+ /usr/bin/uustat"
 
 system_accounts="_uucp"
 _uucp_homedir="/var/spool/uucp"
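
Review bot: the hunk also drops `patch_args="-Np1"`, which has nothing to do with the subject "uucp: add $setuid", and the commit body is empty; either move that removal into its own commit or state in the message why it is safe (for example, if -Np1 is now the default and the line was a no-op). Separately, since the package runs under the `_uucp` account shown in `system_accounts`, it is worth saying in the message that these seven binaries are setuid to that user rather than to root: the `setuid` list records only paths, so the expected owner is not captured anywhere in the template and a later auditor cannot tell a setuid-root entry from a setuid-_uucp one.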

From bb412a43b6e5dd60c48a00489ec3877a2d828d28 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:31 +0100
Subject: [PATCH 21/58] dar: add $setuid

---
 srcpkgs/dar/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template
index 51aa02f6aed06..38b46e261a776 100644
--- a/srcpkgs/dar/template
+++ b/srcpkgs/dar/template
@@ -14,6 +14,7 @@ license="GPL-2.0-or-later"
 homepage="http://dar.linux.free.fr/"
 distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz"
 checksum=1c609f691f99e6a868c0a6fcf70d2f5d2adee5dc3c0cbf374e69983129677df5
+setuid="/usr/bin/dar"
 
 if [ "$CROSS_BUILD" ]; then
 	configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr
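
Review bot: a setuid bit on /usr/bin/dar needs a justification in the commit message, which is currently empty: dar is a general-purpose archiver that reads and writes whatever paths it is given on the command line, so a setuid-root copy would let any local user read or overwrite arbitrary files. If upstream's install really sets the bit and it is wanted here, say why; if the entry exists only because the check flagged the file as installed, consider clearing the bit in post_install instead of whitelisting it.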

From 770d51c647c7d88893431c8c6dc85ba5b41c4973 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:53:36 +0100
Subject: [PATCH 22/58] keybase: add $setuid

---
 srcpkgs/keybase/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index c2dce9dae4733..d41f644080250 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -16,6 +16,7 @@ license="BSD-3-Clause"
 homepage="https://keybase.io/"
 distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
 checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71
+setuid="/usr/bin/keybase-redirector"
 
 post_install() {
 	vlicense LICENSE

From 151dde4b7a6e0528766e7096b6238d9120e57027 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 23/58] dcron: add $setuid

---
 srcpkgs/dcron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template
index ab92850344eea..c0eabe30674e7 100644
--- a/srcpkgs/dcron/template
+++ b/srcpkgs/dcron/template
@@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE
 distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz"
 checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f
 provides="cron-daemon-0_1"
+setuid="/usr/bin/dcrontab"
 
 alternatives="
  crond:crond:/etc/sv/dcron

From dd2ee389d5845250dce84f8426b8eb2bd9bc635b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:56:15 +0100
Subject: [PATCH 24/58] kbdlight: add $setuid

---
 srcpkgs/kbdlight/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template
index 32bfec5560a56..4fb408d0dd3e2 100644
--- a/srcpkgs/kbdlight/template
+++ b/srcpkgs/kbdlight/template
@@ -9,6 +9,7 @@ license="MIT"
 homepage="https://github.com/hobarrera/kbdlight"
 distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz"
 checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1
+setuid="/usr/bin/kbdlight"
 
 post_install() {
 	vlicense LICENCE

From f6ab98464242b6c00c3f90f0bc39b1d6c0d4651b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 25/58] containers: add $setuid

---
 srcpkgs/containers/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template
index 7f7ebc7f81783..b8509ce477fca 100644
--- a/srcpkgs/containers/template
+++ b/srcpkgs/containers/template
@@ -9,6 +9,8 @@ license="MIT"
 homepage="https://github.com/arachsys/containers"
 distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz"
 checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02
+setuid="/usr/bin/contain
+ /usr/bin/pseudo"
 
 do_install() {
 	vbin inject inject-contain

From f747e41a61c1da2cc5c618d29fea0d7a86e8bdfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 26/58] fcron: add $setuid and $setgid

---
 srcpkgs/fcron/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template
index d3f8567f89274..e8cce723e24a1 100644
--- a/srcpkgs/fcron/template
+++ b/srcpkgs/fcron/template
@@ -32,6 +32,12 @@ homepage="http://fcron.free.fr"
 distfiles="$homepage/archives/$pkgname-$version.src.tar.gz"
 checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106
 
+setuid="/usr/bin/fcronsighup
+ /usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+setgid="/usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+
 alternatives="
  crond:crond:/etc/sv/fcron
  crond:crontab:/usr/bin/fcrontab

From a24b005c6e6b22bb839d00687dbbdd72de46b079 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 27/58] glusterfs: add $setuid

---
 srcpkgs/glusterfs/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template
index 4c53ae9b36347..e3beb986620b4 100644
--- a/srcpkgs/glusterfs/template
+++ b/srcpkgs/glusterfs/template
@@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only"
 homepage="https://www.gluster.org/"
 distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz"
 checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a
+setuid="/usr/bin/fusermount-glusterfs"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl) broken="not yet supported";;

From 9cb2e7bbc7b01ba427c2fa0ff7f69291f417deb4 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:55:28 +0100
Subject: [PATCH 28/58] Powermanga: add $setuid

---
 srcpkgs/Powermanga/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template
index f3b9ef9faf3c1..5c78aeb883025 100644
--- a/srcpkgs/Powermanga/template
+++ b/srcpkgs/Powermanga/template
@@ -11,6 +11,7 @@ license="GPL-3.0-or-later"
 homepage="http://linux.tlk.fr/games/Powermanga"
 distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz"
 checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249
+setgid="/usr/bin/powermanga"
 
 pre_configure() {
 	./bootstrap
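
Review bot: the subject line says "Powermanga: add $setuid" but the hunk sets `setgid=`, not `setuid=`; retitle the commit "Powermanga: add $setgid" so the history matches the change, since anyone later grepping the log for setuid additions would otherwise be misled about a binary that is only setgid.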

From 816140d37bef5b5b5fb2a8ec3e0bb99c405f526d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 29/58] cronie: add $setuid

---
 srcpkgs/cronie/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template
index 3f8fbbcc4f308..c4315e9087c57 100644
--- a/srcpkgs/cronie/template
+++ b/srcpkgs/cronie/template
@@ -24,6 +24,7 @@ make_dirs="
 	/var/spool/anacron 0755 root root"
 conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny"
 provides="cron-daemon-0_1"
+setuid="/usr/bin/cronie-crontab"
 
 alternatives="
  crond:crond:/etc/sv/cronie

From a90f87b0603e4e0614c0c4302ce381f8c7d0bb04 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:55:39 +0100
Subject: [PATCH 30/58] xscreensaver: add $setuid

---
 srcpkgs/xscreensaver/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template
index 581298ad5999f..38de4a9f0642a 100644
--- a/srcpkgs/xscreensaver/template
+++ b/srcpkgs/xscreensaver/template
@@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/"
 changelog="https://www.jwz.org/xscreensaver/changelog.html"
 distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz"
 checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7
+setuid="/usr/libexec/xscreensaver/xscreensaver-auth
+ /usr/libexec/xscreensaver/sonar"
 
 pre_configure() {
 	mkdir -p /usr/share/X11/app-defaults

From 342e39a1c7d09ce9db738afd0c91dace08ce9877 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:45 +0100
Subject: [PATCH 31/58] pmount: add $setuid

---
 srcpkgs/pmount/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template
index 8a826f4e0fe62..34b34d11d4af4 100644
--- a/srcpkgs/pmount/template
+++ b/srcpkgs/pmount/template
@@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/"
 distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2"
 checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036
 conf_files="/etc/pmount.allow"
+setuid="/usr/bin/pmount
+ /usr/bin/pumount"
 
 post_patch() {
 	vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure

From a5f0dab0d9c9c2df5d55ea975b797c9dd359abd1 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:54 +0100
Subject: [PATCH 32/58] lxc: add $setuid

---
 srcpkgs/lxc/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 40f9cf15b5224..2ec773597a591 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -17,6 +17,7 @@ license="LGPL-2.1-or-later"
 homepage="https://linuxcontainers.org"
 distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"
 checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222
+setuid="/usr/libexec/lxc/lxc-user-nic"
 
 conf_files="/etc/lxc/default.conf"
 make_dirs="

From a12f3ab9ec9161b9db0b7db9041aa95e280e9386 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 33/58] dma: add $setuid and $setgid

---
 srcpkgs/dma/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template
index 78c71595ec15f..0e3a98865ec36 100644
--- a/srcpkgs/dma/template
+++ b/srcpkgs/dma/template
@@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma"
 distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz"
 checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946
 system_accounts="mail"
+setuid="/usr/lib/dma-mbox-create"
+setgid="/usr/bin/dma"
 
 provides="smtp-server-0_1 smtp-forwarder-0_1"
 replaces="smtp-server>=0 smtp-forwarder>=0"

From b26a53bbde675b19cc7b702a4ee31fde128076ac Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:52 +0100
Subject: [PATCH 34/58] xorg-server: add $setuid

---
 srcpkgs/xorg-server/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template
index 3ae74c71b005e..b9e44a0126c4f 100644
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1
  xserver-abi-video-25_1 xf86-video-modesetting-1_1"
 replaces="xf86-video-modesetting>=0 glamor-egl>=0"
 conf_files="/etc/X11/Xwrapper.config"
+setuid="/usr/libexec/Xorg.wrap"
 
 build_options="elogind"
 desc_option_elogind="Rootless Xorg support with elogind"

From 3ae9d5035224d30e7ec9d63584278fdadeacf01e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:31 +0100
Subject: [PATCH 35/58] opensmtpd: add $setuid and $setgid

---
 srcpkgs/opensmtpd/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template
index 6d20f0159d6be..aaecc539ba9f6 100644
--- a/srcpkgs/opensmtpd/template
+++ b/srcpkgs/opensmtpd/template
@@ -26,6 +26,8 @@ checksum=1b46cd41a1c2738757cc3a0e4aea71f3c6db56def727f7261bcd362583345a07
 provides="smtp-forwarder-0_1 smtp-server-0_1"
 replaces="smtp-forwarder>=0 smtp-server>=0"
 system_accounts="_smtpd _smtpq"
+setuid="/usr/libexec/opensmtpd/lockspool"
+setgid="/usr/bin/smtpctl"
 
 CFLAGS=-D_DEFAULT_SOURCE
 

From 35a476dd0fef7053ae455bbe0038b3362f7c0e7e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:12:48 +0100
Subject: [PATCH 36/58] arcan: add $setuid

---
 srcpkgs/arcan/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template
index 853e16fcad391..057ce4852c7dc 100644
--- a/srcpkgs/arcan/template
+++ b/srcpkgs/arcan/template
@@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz
  https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz"
 checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475
  3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da"
+setuid="/usr/bin/arcan"
 
 export CMAKE_GENERATOR="Unix Makefiles"
 

From e24eae92a479d3bd7cf0718b31cf15f5b0943351 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:32 +0100
Subject: [PATCH 37/58] davfs2: add $setuid

---
 srcpkgs/davfs2/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template
index 1a2f8482e210b..85b44de231a4c 100644
--- a/srcpkgs/davfs2/template
+++ b/srcpkgs/davfs2/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="https://savannah.nongnu.org/projects/davfs2"
 distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0
+setuid="/usr/bin/mount.davfs"
 
 CFLAGS="-fcommon"
 

From 11ed08ea125fbe9877af2a4f1a703ec9ba54fa52 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 38/58] hikari: add $setuid

---
 srcpkgs/hikari/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template
index 64811ea08b143..a5ce6f5783c7d 100644
--- a/srcpkgs/hikari/template
+++ b/srcpkgs/hikari/template
@@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf"
 # bmake's -q flag seems to differ in behavior from gnu make which causes the
 # build style's handling of the check target not existing to fail.
 make_check=no
+setuid="/usr/bin/hikari-unlocker"
 
 pre_build() {
 	# The hikari Makefile appends to the CFLAGS and LDFLAGS variables;

From 821719012f7303105ba38e43f10e2ca441853502 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:48:49 +0100
Subject: [PATCH 39/58] squid: add $setuid

---
 srcpkgs/squid/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template
index ca758380e900d..5479416ee4008 100644
--- a/srcpkgs/squid/template
+++ b/srcpkgs/squid/template
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
 system_accounts="squid"
 # squid-conf-tests requires a squid user in the system
 make_check=no
+setuid="/usr/libexec/squid/pinger
+ /usr/libexec/squid/basic_pam_auth
+ /usr/libexec/squid/basic_ncsa_auth"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	LDFLAGS+=" -latomic"

From 6ecce3fbb529c30933a15b31da46b75c0344079b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:19 +0100
Subject: [PATCH 40/58] libutempter: add $setgid

---
 srcpkgs/libutempter/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template
index 3a89e4126cfc2..793a5e8163cd5 100644
--- a/srcpkgs/libutempter/template
+++ b/srcpkgs/libutempter/template
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
 homepage="http://freecode.com/projects/libutempter"
 distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz"
 checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb
+setgid="/usr/lib/utempter/utempter"
 
 libutempter-devel_package() {
 	depends="${sourcepkg}>=${version}_${revision}"

From 54cbdc148730ba22027da5962feaf6b276519b4a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:09 +0100
Subject: [PATCH 41/58] qemu: add $setuid

---
 srcpkgs/qemu/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template
index 48ab199e5686b..d41ed5395b20b 100644
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu"
 nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64
  palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf
  opensbi-riscv64-generic-fw_dynamic.elf"
+setuid="/usr/libexec/qemu-bridge-helper"
 
 build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio"
 build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio"

From 5d7190989d263ec6bff2da11f9772e0cf05d0d40 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:52 +0100
Subject: [PATCH 42/58] plocate: add $setgid

---
 srcpkgs/plocate/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template
index 32a64971a2699..bafb61bbab02a 100644
--- a/srcpkgs/plocate/template
+++ b/srcpkgs/plocate/template
@@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/"
 changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD"
 distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz"
 checksum=d95bc8ee8a9f79b9f69ce63df53fb85b202139f243bbb84c399555eda22e6165
+setgid="/usr/bin/plocate"
 
 system_accounts="_plocate"
 

From de0f3806b8ab342a2dc760828c8315defc0f9e41 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:21 +0100
Subject: [PATCH 43/58] electron19: add $setuid

---
 srcpkgs/electron19/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template
index 3093248588438..ffa1d020c2209 100644
--- a/srcpkgs/electron19/template
+++ b/srcpkgs/electron19/template
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro
 checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5
  f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464
  cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f"
+setuid="/usr/lib/electron19/chrome-sandbox"
 
 case "$XBPS_TARGET_MACHINE" in
 	ppc64*-musl) makedepends+=" libucontext-devel" ;;

From f088d537b97367276ab5e4bc8eac654c860da88a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:38 +0100
Subject: [PATCH 44/58] firejail: add $setuid

---
 srcpkgs/firejail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template
index 0365d6044fec7..e438bb88aa7a2 100644
--- a/srcpkgs/firejail/template
+++ b/srcpkgs/firejail/template
@@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES"
 distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz"
 checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc
 conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default"
+setuid="/usr/bin/firejail"
 
 nocross=yes

From bcb5f39c6db096e2ebda8495318c88f2c7ad8fcf Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:47 +0100
Subject: [PATCH 45/58] hiawatha: add $setuid

---
 srcpkgs/hiawatha/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template
index 9bb28f1d509d1..8c0305120b68b 100644
--- a/srcpkgs/hiawatha/template
+++ b/srcpkgs/hiawatha/template
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later"
 homepage="https://hiawatha-webserver.org"
-distfiles="https://hiawatha-webserver.org/files/${pkgname}-${version}.tar.gz"
+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"
 checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d
 conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt"
 make_dirs="/var/log/hiawatha 0755 root root"
+setuid="/usr/bin/cgi-wrapper"
 
 XBPS_DISTFILES_MIRROR+=" https://hiawatha-webserver.org/files/hiawatha-${version%%.*}/"
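Review bot: the `-distfiles=`/`+distfiles=` change in this hunk is unrelated to the subject "add $setuid" and is not mentioned in the commit message; either split it into its own commit or state in the message that the download URL moved. The new URL also hardcodes `hiawatha-10` while the `XBPS_DISTFILES_MIRROR` line below derives the directory from `${version%%.*}`; using the same expansion in distfiles keeps the two from drifting apart on the next major version.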
 

From e93043c43c5e7c27dda2b7006247b9b5221949b0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:10:26 +0100
Subject: [PATCH 46/58] kismet: add $setuid

---
 srcpkgs/kismet/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template
index 6993c23711560..ba5b8f5ee1dad 100644
--- a/srcpkgs/kismet/template
+++ b/srcpkgs/kismet/template
@@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/"
 distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz"
 checksum=f08548e26ca65fa1e567b1debbea1ca4d0e7206bddb96a4f639c90171873e8f7
 system_groups="kismet"
+setuid="/usr/bin/kismet_cap_rz_killerbee"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	export LIBS="-latomic"
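Review bot: only `/usr/bin/kismet_cap_rz_killerbee` is whitelisted, so if the build installs any other `kismet_cap_*` capture helper with the setuid bit the hook will flag the package; confirm from the install output that this is the only setuid helper, and add a short comment on why this one needs root while the rest of the capture tools are expected to get by with the `kismet` group defined by `system_groups` just above.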

From d3e82ad5c6d0105a627712a16e6ce868ce88f331 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:32 +0100
Subject: [PATCH 47/58] schroot: add $setuid

---
 srcpkgs/schroot/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template
index e6f6b9f171ad7..86d87b01248b9 100644
--- a/srcpkgs/schroot/template
+++ b/srcpkgs/schroot/template
@@ -56,6 +56,8 @@ checksum="
  7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1"
 nocross=yes
 skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz"
+setuid="/usr/bin/schroot
+ /usr/bin/dchroot"
 
 post_extract() {
 	bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction

From b264718a4208a332419d36b1a749bebe12880503 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:51 +0100
Subject: [PATCH 48/58] x2goserver: add $setgid

---
 srcpkgs/x2goserver/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template
index 0724ef53a2fa1..83a7595d04fdd 100644
--- a/srcpkgs/x2goserver/template
+++ b/srcpkgs/x2goserver/template
@@ -25,6 +25,7 @@ conf_files="
  /etc/x2go/x2goagent.*
  /etc/x2go/x2goserver.*
 "
+setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper"
 
 post_install() {
 	rm -rf "${DESTDIR}/etc/logcheck"
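Review bot: `setgid=` records only the path; the bit is only as safe as the file's group owner, which this hunk neither sets nor states. If nothing in the template or in upstream's install changes the group, the whitelisted wrapper is sgid to whatever group it was installed with (root in a typical build), which is exactly the "sgid `:root`" problem raised later in this thread for the `:games` case. Name the intended group in a comment and make sure post_install (which already exists just below) sets it, or verify that upstream's install does.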

From ade33ebf4e7de95014e8c128f502dbda86a2b6d5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:22:42 +0100
Subject: [PATCH 49/58] virtualbox-ose: add $setuid

---
 srcpkgs/virtualbox-ose/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template
index 08295489e32ef..fdc0c8c3d73b6 100644
--- a/srcpkgs/virtualbox-ose/template
+++ b/srcpkgs/virtualbox-ose/template
@@ -30,6 +30,12 @@ fi
 
 depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus"
 system_groups="vboxusers"
+setuid="/usr/lib/virtualbox/VirtualBoxVM
+ /usr/lib/virtualbox/VBoxNetNAT
+ /usr/lib/virtualbox/VBoxHeadless
+ /usr/lib/virtualbox/VBoxNetDHCP
+ /usr/lib/virtualbox/VBoxNetAdpCtl"
+
 
 do_configure() {
 	cp ${FILESDIR}/LocalConfig.kmk .
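Review bot: the hunk adds an empty `+` line after `/usr/lib/virtualbox/VBoxNetAdpCtl"` while the following context line is already blank, leaving two consecutive blank lines before do_configure(); drop the added blank so the template keeps its single-blank-line style.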

From 3621efb720231c57b3a84db7d968bb997e8e9f54 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 22:50:24 -0400
Subject: [PATCH 50/58] at: explicitly allow setuid

---
 srcpkgs/at/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/at/template b/srcpkgs/at/template
index 41bc74404c487..652b1138759f0 100644
--- a/srcpkgs/at/template
+++ b/srcpkgs/at/template
@@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html"
 distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz"
 checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8
 disable_parallel_build=yes
+setuid="/usr/bin/at"
+setgid="/usr/bin/at"
 
 conf_files="/etc/at.deny"
 system_accounts="at"

From 8e5ff9cc6107881797267cad1bf536f00ab9b899 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 00:03:39 -0400
Subject: [PATCH 51/58] 9mount: explicitly allow setuid

---
 srcpkgs/9mount/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template
index 5b1160ad20491..04817c3c3c426 100644
--- a/srcpkgs/9mount/template
+++ b/srcpkgs/9mount/template
@@ -10,6 +10,7 @@ license="ISC"
 homepage="http://sqweek.net/code/9mount/"
 distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz"
 checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17
+setuid="/usr/bin/9mount /usr/bin/9umount /usr/bin/9bind"
 
 pre_build() {
 	sed -i '/chown/d' Makefile

From aacd1419e353417ba21ce69248861ba4ba6c49e6 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sat, 2 Apr 2022 22:20:53 -0400
Subject: [PATCH 52/58] xlockmore: explicitly allow setuid

Setuid root appears required by xlock on systems that use shadow passwords,
according to the README.

Requires confirmation
---
 srcpkgs/xlockmore/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template
index ff0f0000a8694..40b7ae139062e 100644
--- a/srcpkgs/xlockmore/template
+++ b/srcpkgs/xlockmore/template
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README"
 distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz"
 checksum=d511975967ae7355072acdccf6b1bf414f8a16be50ccc8070f13e624623ec772
 CFLAGS="-D_DEFAULT_SOURCE"
+setuid="/usr/bin/xlock"
 
 build_options="opengl"
 desc_option_opengl="Enable OpenGL modes"
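Review bot: the commit message itself says "Requires confirmation", so this hunk should not be merged as is. xlock needs setuid root only when it verifies passwords by reading the shadow file directly; if this build authenticates through PAM (check the configure output for the PAM option), the bit is unnecessary and whitelisting `/usr/bin/xlock` would legitimize a setuid root screen locker for no gain. Either confirm the shadow path and drop the caveat from the message, or leave the entry out.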

From 06ed1d7cb42bbc2a91c48df3eafc22aa362adb73 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 20:46:33 -0400
Subject: [PATCH 53/58] util-linux: explicitly allow setuid

---
 srcpkgs/util-linux/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 99819d02068b3..0f6351e6bcffe 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -23,6 +23,8 @@ license="GPL-2.0-or-later"
 homepage="https://www.kernel.org/pub/linux/utils/util-linux/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz"
 checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f
+setuid="/usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/newgrp
+ /usr/bin/chsh /usr/bin/chfn"
 
 # Create uuidd system account for uuidd.
 system_accounts="_uuidd"

From 4e1175d0904fbf2af7453e98c8f94b958ca5a286 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:27:55 -0400
Subject: [PATCH 54/58] shadow: explicitly allow setuid

---
 srcpkgs/shadow/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c59d92bfeb54a..279cacf843be9 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -18,6 +18,8 @@ homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
 checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+setuid="/usr/bin/passwd /usr/bin/gpasswd /usr/bin/expiry /usr/bin/chage
+ /usr/bin/sg /usr/bin/newuidmap /usr/bin/newgidmap"
 
 pre_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 000c311077537ce2ddc6708e11a0aa2d63b0fa3b Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:58:17 -0400
Subject: [PATCH 55/58] sudo: explicitly allow setuid

---
 srcpkgs/sudo/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template
index 469276b04f544..d5edd3ddafb3f 100644
--- a/srcpkgs/sudo/template
+++ b/srcpkgs/sudo/template
@@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz"
 checksum=a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62
 conf_files="/etc/pam.d/sudo /etc/sudoers"
 lib32disabled=yes
+setuid="/usr/bin/sudo"
 
 post_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 9e5716dd55fa33dbf0d718620042045d116d54c5 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 22:17:31 -0400
Subject: [PATCH 56/58] udevil: explicitly allow setuid

---
 srcpkgs/udevil/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template
index b560bdf7589fe..263d0a652102a 100644
--- a/srcpkgs/udevil/template
+++ b/srcpkgs/udevil/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="http://ignorantguru.github.io/udevil/"
 distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz"
 checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c
+setuid="/usr/bin/udevil"
 
 post_patch() {
 	vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure

From 0f45e967659a4f1c20d0d307a1e70bf513c7c047 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 15:37:20 -0400
Subject: [PATCH 57/58] thttpd: explicitly allow setuid

The makeweb tool needs sgid. However, thttpd is configured at compile time, and
it's unclear if our config (the default) allows usage of `makeweb`. That tool
also doesn't look like a superb thing to unconditionally ship in the main
package since it can't be configured by the system admin. Perhaps it should be
split into a subpackage?
---
 srcpkgs/thttpd/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template
index 13de3fbef35ef..3d288f2ea1cf5 100644
--- a/srcpkgs/thttpd/template
+++ b/srcpkgs/thttpd/template
@@ -9,6 +9,7 @@ license="BSD-2-Clause"
 homepage="http://www.acme.com/software/thttpd/"
 distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz"
 checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+setgid="/usr/bin/makeweb"
 
 pre_configure() {
 	vsed -i Makefile.in -e "s,-o bin -g bin,,g"
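Review bot: the subject says "explicitly allow setuid" but the hunk adds `setgid=`; fix the subject. More importantly, the `vsed` in pre_configure below strips `-o bin -g bin` from the install rule, so nothing in the build chgrps makeweb any more and it will carry the sgid bit with whatever group it ends up with (root unless something else sets it). That is the same "sgid `:root`" situation described later in this thread, and the commit message already doubts makeweb should ship unconditionally; either set the intended group in post_install or leave makeweb out / split it as the message suggests.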

From f889f1e040825ae056f94a5a213d74c3ab1212d5 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 17:22:01 -0400
Subject: [PATCH 58/58] mit-krb5: explicitly allow setuid

---
 srcpkgs/mit-krb5/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template
index 683c7e8d32a03..45837ca5e01e6 100644
--- a/srcpkgs/mit-krb5/template
+++ b/srcpkgs/mit-krb5/template
@@ -50,6 +50,7 @@ post_install() {
 
 mit-krb5-client_package() {
 	short_desc+=" - client programs"
+	setuid="/usr/bin/ksu"
 	pkg_install() {
 		for f in uuclient ktutil kswitch gss-client kvno kinit kpasswd \
 			kdestroy sclient kadmin k5srvutil sim_client klist ksu; do

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: hooks/post-install: add check setuid/setgid hook
  2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
                   ` (17 preceding siblings ...)
  2023-08-07  0:40 ` [PR PATCH] [Updated] " classabbyamp
@ 2023-09-20 13:29 ` 0x5c
  2023-09-20 13:29 ` 0x5c
  2023-09-20 13:41 ` 0x5c
  20 siblings, 0 replies; 22+ messages in thread
From: 0x5c @ 2023-09-20 13:29 UTC (permalink / raw)
  To: ml


New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1727734996

Comment:
I don't think that 9cb2e7b is safe to have, considering that sgid is supposed to be for group `:games` which we don't have. This results in the game having sgid `:root`.

^ permalink raw reply	[flat|nested] 22+ messages in thread
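The comment above describes the failure mode a path-only allow-list cannot catch: a setgid bit on a file whose intended group does not exist on the target leaves the binary sgid root. As an added example, not the PR's hook and not code from void-packages, the following POSIX shell function audits a package destdir the same way but also requires each setgid entry to name the group the packager expects, in a hypothetical `path:group` form (a group name or numeric gid), and compares it against the file's actual group owner. Paths are assumed to contain no whitespace and `stat -c` is assumed to be GNU or busybox compatible.

```shell
#!/bin/sh
# Added example (not the PR's hook): audit DESTDIR for setuid/setgid files.
# A setuid file is accepted only if listed; a setgid file is accepted only if
# listed AND its group owner matches the group the entry names, so a binary
# that was meant to be sgid "games" but ended up sgid "root" is reported.
#
# usage: audit_setid_files DESTDIR "setuid paths" "setgid path:group entries"
# e.g.   audit_setid_files "$PKGDESTDIR" "/usr/bin/sudo" "/usr/bin/makeweb:www"
# Prints one line per file; returns 0 if everything matched, 1 otherwise.
audit_setid_files() {
	destdir=$1            # no trailing slash
	allowed_setuid=$2     # space separated absolute paths
	allowed_setgid=$3     # space separated "path:group" (hypothetical format)
	rc=0

	# -perm -4000: files that have the setuid bit, whatever the other bits are
	for f in $(find "$destdir" -type f -perm -4000); do
		rel=${f#"$destdir"}
		ok=
		for a in $allowed_setuid; do
			if [ "$a" = "$rel" ]; then ok=1; break; fi
		done
		if [ -n "$ok" ]; then
			echo "setuid ok: $rel"
		else
			echo "setuid NOT ALLOWED: $rel"
			rc=1
		fi
	done

	# -perm -2000: files that have the setgid bit
	for f in $(find "$destdir" -type f -perm -2000); do
		rel=${f#"$destdir"}
		actual_gname=$(stat -c %G "$f")   # group name (UNKNOWN if unmapped)
		actual_gid=$(stat -c %g "$f")     # numeric gid, always available
		want=
		for entry in $allowed_setgid; do
			path=${entry%%:*}
			group=${entry#*:}
			if [ "$path" = "$rel" ]; then want=$group; break; fi
		done
		if [ -z "$want" ]; then
			echo "setgid NOT ALLOWED: $rel (group $actual_gname)"
			rc=1
		elif [ "$actual_gname" != "$want" ] && [ "$actual_gid" != "$want" ]; then
			# the bit is set, but not for the group the packager intended
			echo "setgid WRONG GROUP: $rel is :$actual_gname, template expects :$want"
			rc=1
		else
			echo "setgid ok: $rel (:$want)"
		fi
	done
	return $rc
}
```

The group check is what turns "this path may be setgid" into "this path may be setgid for this group"; a missing group on the build host shows up as `WRONG GROUP` instead of silently passing as root.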

* Re: hooks/post-install: add check setuid/setgid hook
  2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
                   ` (18 preceding siblings ...)
  2023-09-20 13:29 ` 0x5c
@ 2023-09-20 13:29 ` 0x5c
  2023-09-20 13:41 ` 0x5c
  20 siblings, 0 replies; 22+ messages in thread
From: 0x5c @ 2023-09-20 13:29 UTC (permalink / raw)
  To: ml


New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1727734996

Comment:
I don't think that 9cb2e7b is safe to have, considering that sgid is supposed to be for group `:games` which we don't have. This results in the game having sgid `:root`.

^ permalink raw reply	[flat|nested] 22+ messages in thread

* Re: hooks/post-install: add check setuid/setgid hook
  2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
                   ` (19 preceding siblings ...)
  2023-09-20 13:29 ` 0x5c
@ 2023-09-20 13:41 ` 0x5c
  20 siblings, 0 replies; 22+ messages in thread
From: 0x5c @ 2023-09-20 13:41 UTC (permalink / raw)
  To: ml


New comment by 0x5c on void-packages repository

https://github.com/void-linux/void-packages/pull/33011#issuecomment-1727758661

Comment:
For electron's `chrome-sandbox`, this comment suggests that they should not be packaged anymore.
https://github.com/void-linux/void-packages/issues/32156#issuecomment-887705175

^ permalink raw reply	[flat|nested] 22+ messages in thread


Thread overview: 22+ messages
2021-09-18 12:10 [PR PATCH] hooks/post-install: add check setuid/setgid hook paper42
2022-04-02 22:09 ` [PR PATCH] [Updated] [WIP]: " paper42
2022-04-03  3:59 ` 0x5c
2022-04-03  4:00 ` 0x5c
2022-04-03 15:57 ` [PR REVIEW] " Duncaen
2022-04-04  4:06 ` 0x5c
2022-04-04  4:12 ` 0x5c
2022-04-04  4:13 ` 0x5c
2022-04-06 17:45 ` paper42
2022-04-06 17:54 ` [PR PATCH] [Updated] " paper42
2022-04-20  1:39 ` [PR REVIEW] " 0x5c
2022-04-20  2:07 ` 0x5c
2022-04-20 19:19 ` 0x5c
2022-04-20 19:49 ` 0x5c
2022-04-20 21:21 ` 0x5c
2022-05-30 20:27 ` [PR PATCH] [Updated] " paper42
2023-02-25 11:23 ` paper42
2023-02-25 11:30 ` paper42
2023-08-07  0:40 ` [PR PATCH] [Updated] " classabbyamp
2023-09-20 13:29 ` 0x5c
2023-09-20 13:29 ` 0x5c
2023-09-20 13:41 ` 0x5c
