Github messages for voidlinux
From: classabbyamp <classabbyamp@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] hooks/post-install: add check setuid/setgid hook
Date: Mon, 07 Aug 2023 02:40:24 +0200
Message-ID: <20230807004024.ayS7-JSArcqUcufIiodTZMcWnMyN-yzAaiTw38Lre6s@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-33011@inbox.vuxu.org>

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

There is an updated pull request by classabbyamp against master on the void-packages repository

https://github.com/paper42/void-packages setuid-setgid-hook
https://github.com/void-linux/void-packages/pull/33011

hooks/post-install: add check setuid/setgid hook
Closes #32156

cc @ericonr

A patch file from https://github.com/void-linux/void-packages/pull/33011.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-setuid-setgid-hook-33011.patch --]
[-- Type: text/x-diff, Size: 47328 bytes --]

From e7c4d7abe6558674998f92718a178a8fe4117b83 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook

---
 .../post-install/15-check-setuid-setgid.sh    | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh

diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 0000000000000..dae87c2b3d5c5
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+	error=
+	for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+		matched=
+		for allowed_file in ${!2}; do
+			if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+				matched=y
+				break
+			fi
+		done
+		if [ -n "$matched" ]; then
+			echo "$2 file: ${setidfile#$PKGDESTDIR}"
+		else
+			msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+			error=y
+		fi
+	done
+	if [ -n "$error" ]; then
+		msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+	fi
+}
+
+hook() {
+	dofind 4000 setuid
+	dofind 2000 setgid
+}
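
Review bot: In dofind, `for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1")` word-splits and glob-expands the output of find, so a setuid or setgid file whose path contains whitespace is compared as fragments and reported under the wrong name. Reading the paths with `while IFS= read -r -d '' setidfile; do ... done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)` keeps each path intact and, unlike a pipe into the loop, still lets the loop body set `error` for the check that follows. Two smaller points: `error`, `matched`, `setidfile` and `allowed_file` should be declared `local` so they do not leak out of the function, and the check runs in one direction only, so an entry in `$setuid` or `$setgid` that matches no file in the package is never reported and stale allow-list entries can accumulate. This patch changes a single file, so the new `setuid` and `setgid` template variables are also undocumented at this point in the series.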

From 07a03aa693ca14d9152b8558626bce01d652c59f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 02/58] ecryptfs-utils: add $setuid and $setgid

---
 srcpkgs/ecryptfs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c325..d8faed1cd5546 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/"
 distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz"
 checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f
 lib32disabled=yes
+setuid="/usr/bin/mount.ecryptfs_private"
+setgid="/usr/bin/mount.ecryptfs_private"
 
 CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7"
 
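Review bot: `setuid` and `setgid` both name /usr/bin/mount.ecryptfs_private, which records that the binary ships with both bits set. Please confirm the setgid bit is actually needed and is not just a side effect of the install mode; if only setuid is required, clear the group bit in the template and drop the `setgid` line, so the allow-list states the minimum privilege the helper needs.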

From 01ea37a585e46ead9632b88bcc3bce783ff3b43c Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:28 +0100
Subject: [PATCH 03/58] cifs-utils: add $setuid and $setgid

---
 srcpkgs/cifs-utils/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template
index 5576b371ca6af..331a0878b36d9 100644
--- a/srcpkgs/cifs-utils/template
+++ b/srcpkgs/cifs-utils/template
@@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils"
 distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2"
 checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4
 python_version=3
+setuid="/usr/bin/mount.cifs"
+setgid="/usr/bin/mount.cifs"
 
 pre_configure() {
 	autoreconf -fi

From c45d8096729390fd45678c0932d20e6218d05dfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:48 +0100
Subject: [PATCH 04/58] s-nail: add $setuid

---
 srcpkgs/s-nail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template
index 7a171cea0d274..f8483be178548 100644
--- a/srcpkgs/s-nail/template
+++ b/srcpkgs/s-nail/template
@@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC"
 homepage="https://git.sdaoden.eu/cgit/s-nail.git"
 distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz"
 checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c
+setuid="/usr/libexec/s-nail-dotlock"
 
 provides="mail-${version}_${revision}"
 

From e42d1140c2c0ed32740c22ecc52c9fe01d09409d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:05 +0100
Subject: [PATCH 05/58] opendoas: add $setuid

---
 srcpkgs/opendoas/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template
index 5254f280b8015..9e93eaaf26fc4 100644
--- a/srcpkgs/opendoas/template
+++ b/srcpkgs/opendoas/template
@@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause"
 homepage="https://github.com/Duncaen/OpenDoas"
 distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz"
 checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67
+setuid="/usr/bin/doas"
 
 build_options="pam timestamp"
 build_options_default="pam timestamp"

From c547737dddf45879d2873a01fa593dafbec162d3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:19 +0100
Subject: [PATCH 06/58] weston: add $setuid

---
 srcpkgs/weston/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template
index b517c10c98caf..465d5310a9b55 100644
--- a/srcpkgs/weston/template
+++ b/srcpkgs/weston/template
@@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz
 checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe
 system_groups="weston-launch"
 lib32disabled=yes
+setuid="/usr/bin/weston-launch"
 
 # Package build options
 build_options="elogind vaapi"

From 4d337f6eb066fb6d0432d28271349596969ed2c6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:22:39 +0100
Subject: [PATCH 07/58] enlightenment: set $setuid

---
 srcpkgs/enlightenment/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template
index fb148d8c66931..5400afeeb49fe 100644
--- a/srcpkgs/enlightenment/template
+++ b/srcpkgs/enlightenment/template
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2
 lib32disabled=yes
 build_options="wayland"
 build_options_default="wayland"
+setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd
+ /usr/lib/enlightenment/utils/enlightenment_sys
+ /usr/lib/enlightenment/utils/enlightenment_system"
 
 post_install() {
 	# Use our native tools to shutdown/suspend.

From e915a2e1fa9116e0cc5ffd554b949d68b4535aca Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:35:48 +0100
Subject: [PATCH 08/58] nfs-utils: add $setuid

---
 srcpkgs/nfs-utils/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template
index 252a7355b6836..363c72c9ab679 100644
--- a/srcpkgs/nfs-utils/template
+++ b/srcpkgs/nfs-utils/template
@@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz"
 checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011
 replaces="rpcgen>=0"
+setuid="/usr/bin/mount.nfs"
 
 hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto"
 makedepends="libblkid-devel libmount-devel libtirpc-devel

From 2a34c4fb64032e585ce55bdbb38052c0f7d8c42d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:31:52 +0100
Subject: [PATCH 09/58] libcgroup: add $setuid

---
 srcpkgs/libcgroup/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template
index 18dfd5c9f8e5f..499d9e16cb1b9 100644
--- a/srcpkgs/libcgroup/template
+++ b/srcpkgs/libcgroup/template
@@ -13,6 +13,7 @@ license="LGPL-2.1-only"
 homepage="https://github.com/libcgroup/libcgroup"
 distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz"
 checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd
+setuid="/usr/bin/cgexec"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl)	# Add musl-fts implementation

From f29cecb7e598f9de223e1f85a7976a6d315011df Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:34 +0100
Subject: [PATCH 10/58] physlock: add $setuid

---
 srcpkgs/physlock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template
index 0f091d24444ca..f7faecb982502 100644
--- a/srcpkgs/physlock/template
+++ b/srcpkgs/physlock/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later"
 homepage="https://github.com/muennich/physlock"
 distfiles="${homepage}/archive/v${version}.tar.gz"
 checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6
+setuid="/usr/bin/physlock"
 
 CFLAGS="-D_GNU_SOURCE"
 

From 2a39174bc49cefe3ab2d26938b1a26307ef3f89a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:35 +0100
Subject: [PATCH 11/58] fuse3: add $setuid

---
 srcpkgs/fuse3/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template
index 612f909c8e6f6..dbfc79aa8339e 100644
--- a/srcpkgs/fuse3/template
+++ b/srcpkgs/fuse3/template
@@ -15,6 +15,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs
 distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.gz"
 checksum=13ef77cda531a21c2131f9576042970e98035c0a5f019abf661506efd2d38a4e
 conf_files="/etc/fuse.conf"
+setuid="/usr/bin/fusermount3"
 # Tests require root
 make_check=no
 

From cd92365e6b5017679588301f1d0127c8f23ec519 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:39 +0100
Subject: [PATCH 12/58] incron: add $setuid

---
 srcpkgs/incron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template
index 14222e496d946..fb6cd128ed4aa 100644
--- a/srcpkgs/incron/template
+++ b/srcpkgs/incron/template
@@ -8,6 +8,7 @@ license="X11"
 homepage="https://github.com/ar-/incron"
 distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz"
 checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91
+setuid="/usr/bin/incrontab"
 
 make_dirs="/var/spool/incron 0755 root root
  /etc/incron.d 0755 root root"

From 08ce1abf4b11296f6a6b5923d2b01f20dbaecff5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:32:36 +0100
Subject: [PATCH 13/58] libpam-policycache: add $setuid

---
 srcpkgs/libpam-policycache/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template
index 6777b0856dd67..921fccd61886a 100644
--- a/srcpkgs/libpam-policycache/template
+++ b/srcpkgs/libpam-policycache/template
@@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache"
 distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz"
 checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6
 CFLAGS="-Wno-error=deprecated-declarations"
+setuid="/usr/bin/pam-escalate-helper"
 
 make_dirs="/etc/libpam-policycache.d 0755 root root
  /var/cache/libpam-policycache 0700 root root"

From 0b6ac9275cb089daf711de2b4f176a694d0b23fa Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:55 +0100
Subject: [PATCH 14/58] openssh: add $setuid

---
 srcpkgs/openssh/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template
index a5c920fb10b2e..d5d9d93f23091 100644
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@@ -28,6 +28,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver
 checksum=200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
 make_dirs="/var/chroot/ssh 0755 root root"
+setuid="/usr/libexec/ssh-keysign"
 
 # Package build options
 build_options="fido2 gssapi ldns ssl"

From e305c16a90c862648c609e460f348fa0020f72e6 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:17 +0100
Subject: [PATCH 15/58] slock: add $setuid

---
 srcpkgs/slock/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template
index aa7890a499735..6612c55dcf014 100644
--- a/srcpkgs/slock/template
+++ b/srcpkgs/slock/template
@@ -10,6 +10,7 @@ license="MIT"
 homepage="http://tools.suckless.org/slock"
 distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz"
 checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d
+setuid="/usr/bin/slock"
 
 do_build() {
 	[ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h

From c06e999ed28f3494eebf2062022f66a826355148 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:16 +0100
Subject: [PATCH 16/58] polkit: add $setuid

---
 srcpkgs/polkit/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template
index 84ab7453bb9b6..aa7038f0e71c3 100644
--- a/srcpkgs/polkit/template
+++ b/srcpkgs/polkit/template
@@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS"
 distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz"
 checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
 system_accounts="polkitd"
+setuid="/usr/bin/pkexec
+ /usr/lib/polkit-1/polkit-agent-helper-1"
 #replaces="polkit-elogind>=0"
 #provides="polkit-elogind-${version}_${revision}"
 

From 93a3dfa641e227300afb0a7b7c5784664752128f Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 17/58] fuse: add $setuid

---
 srcpkgs/fuse/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template
index b4fe1571f575b..fa44380b9f8dc 100644
--- a/srcpkgs/fuse/template
+++ b/srcpkgs/fuse/template
@@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later"
 homepage="https://github.com/libfuse/libfuse"
 distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz"
 checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5
+setuid="/usr/bin/fusermount"
 
 pre_configure() {
 	autoreconf -fi

From 7494879fb9bd894fe10df71e69b2cfd45ad236a3 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:34:35 +0100
Subject: [PATCH 18/58] mariadb: add $setuid

---
 srcpkgs/mariadb/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template
index f8987e06ed1c6..53ec5d24fad1d 100644
--- a/srcpkgs/mariadb/template
+++ b/srcpkgs/mariadb/template
@@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql
  /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root"
 CFLAGS="-UNDEBUG"
 CXXFLAGS="-UNDEBUG"
+setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool"
 
 post_patch() {
 	case "$XBPS_TARGET_MACHINE" in

From 29f41512c5e42d2bab27668cd1182e145f2aee90 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:47:46 +0100
Subject: [PATCH 19/58] spice-gtk: add $setuid

---
 srcpkgs/spice-gtk/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template
index 2d7bed6ddcdd2..06f31b2585a8e 100644
--- a/srcpkgs/spice-gtk/template
+++ b/srcpkgs/spice-gtk/template
@@ -22,6 +22,7 @@ homepage="https://spice-space.org"
 changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md"
 distfiles="https://spice-space.org/download/gtk/spice-gtk-${version}.tar.xz"
 checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f
+setuid="/usr/libexec/spice-client-glib-usb-acl-helper"
 
 CFLAGS="-Wno-error -Wno-error=unused-but-set-variable"
 

From 569fedd3b2258d8cdba941ec120b30080d214231 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:49:24 +0100
Subject: [PATCH 20/58] uucp: add $setuid

---
 srcpkgs/uucp/template | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template
index 2b2b6f758fae7..3719a4820ea29 100644
--- a/srcpkgs/uucp/template
+++ b/srcpkgs/uucp/template
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 homepage="https://www.gnu.org/software/uucp/uucp.html"
 distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz"
 checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c
-patch_args="-Np1"
+setuid="/usr/bin/uuname
+ /usr/bin/uuxqt
+ /usr/bin/uucp
+ /usr/bin/cu
+ /usr/bin/uux
+ /usr/bin/uucico
+ /usr/bin/uustat"
 
 system_accounts="_uucp"
 _uucp_homedir="/var/spool/uucp"
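
Review bot: The first changed line removes `patch_args="-Np1"`, which the subject "add $setuid" does not mention. If dropping it is intentional, it belongs in its own commit or at least in this commit's message; otherwise restore the line so the package's patches are applied with the same arguments as before.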

From bb412a43b6e5dd60c48a00489ec3877a2d828d28 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:31 +0100
Subject: [PATCH 21/58] dar: add $setuid

---
 srcpkgs/dar/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template
index 51aa02f6aed06..38b46e261a776 100644
--- a/srcpkgs/dar/template
+++ b/srcpkgs/dar/template
@@ -14,6 +14,7 @@ license="GPL-2.0-or-later"
 homepage="http://dar.linux.free.fr/"
 distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz"
 checksum=1c609f691f99e6a868c0a6fcf70d2f5d2adee5dc3c0cbf374e69983129677df5
+setuid="/usr/bin/dar"
 
 if [ "$CROSS_BUILD" ]; then
 	configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr

From 770d51c647c7d88893431c8c6dc85ba5b41c4973 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:53:36 +0100
Subject: [PATCH 22/58] keybase: add $setuid

---
 srcpkgs/keybase/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template
index c2dce9dae4733..d41f644080250 100644
--- a/srcpkgs/keybase/template
+++ b/srcpkgs/keybase/template
@@ -16,6 +16,7 @@ license="BSD-3-Clause"
 homepage="https://keybase.io/"
 distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz"
 checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71
+setuid="/usr/bin/keybase-redirector"
 
 post_install() {
 	vlicense LICENSE

From 151dde4b7a6e0528766e7096b6238d9120e57027 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 23/58] dcron: add $setuid

---
 srcpkgs/dcron/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template
index ab92850344eea..c0eabe30674e7 100644
--- a/srcpkgs/dcron/template
+++ b/srcpkgs/dcron/template
@@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE
 distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz"
 checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f
 provides="cron-daemon-0_1"
+setuid="/usr/bin/dcrontab"
 
 alternatives="
  crond:crond:/etc/sv/dcron

From dd2ee389d5845250dce84f8426b8eb2bd9bc635b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 22:56:15 +0100
Subject: [PATCH 24/58] kbdlight: add $setuid

---
 srcpkgs/kbdlight/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template
index 32bfec5560a56..4fb408d0dd3e2 100644
--- a/srcpkgs/kbdlight/template
+++ b/srcpkgs/kbdlight/template
@@ -9,6 +9,7 @@ license="MIT"
 homepage="https://github.com/hobarrera/kbdlight"
 distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz"
 checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1
+setuid="/usr/bin/kbdlight"
 
 post_install() {
 	vlicense LICENCE

From f6ab98464242b6c00c3f90f0bc39b1d6c0d4651b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 25/58] containers: add $setuid

---
 srcpkgs/containers/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template
index 7f7ebc7f81783..b8509ce477fca 100644
--- a/srcpkgs/containers/template
+++ b/srcpkgs/containers/template
@@ -9,6 +9,8 @@ license="MIT"
 homepage="https://github.com/arachsys/containers"
 distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz"
 checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02
+setuid="/usr/bin/contain
+ /usr/bin/pseudo"
 
 do_install() {
 	vbin inject inject-contain

From f747e41a61c1da2cc5c618d29fea0d7a86e8bdfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:34 +0100
Subject: [PATCH 26/58] fcron: add $setuid and $setgid

---
 srcpkgs/fcron/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template
index d3f8567f89274..e8cce723e24a1 100644
--- a/srcpkgs/fcron/template
+++ b/srcpkgs/fcron/template
@@ -32,6 +32,12 @@ homepage="http://fcron.free.fr"
 distfiles="$homepage/archives/$pkgname-$version.src.tar.gz"
 checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106
 
+setuid="/usr/bin/fcronsighup
+ /usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+setgid="/usr/bin/fcrondyn
+ /usr/bin/fcrontab"
+
 alternatives="
  crond:crond:/etc/sv/fcron
  crond:crontab:/usr/bin/fcrontab

From a24b005c6e6b22bb839d00687dbbdd72de46b079 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 27/58] glusterfs: add $setuid

---
 srcpkgs/glusterfs/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template
index 4c53ae9b36347..e3beb986620b4 100644
--- a/srcpkgs/glusterfs/template
+++ b/srcpkgs/glusterfs/template
@@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only"
 homepage="https://www.gluster.org/"
 distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz"
 checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a
+setuid="/usr/bin/fusermount-glusterfs"
 
 case "$XBPS_TARGET_MACHINE" in
 	*-musl) broken="not yet supported";;

From 9cb2e7bbc7b01ba427c2fa0ff7f69291f417deb4 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:55:28 +0100
Subject: [PATCH 28/58] Powermanga: add $setuid

---
 srcpkgs/Powermanga/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template
index f3b9ef9faf3c1..5c78aeb883025 100644
--- a/srcpkgs/Powermanga/template
+++ b/srcpkgs/Powermanga/template
@@ -11,6 +11,7 @@ license="GPL-3.0-or-later"
 homepage="http://linux.tlk.fr/games/Powermanga"
 distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz"
 checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249
+setgid="/usr/bin/powermanga"
 
 pre_configure() {
 	./bootstrap

From 816140d37bef5b5b5fb2a8ec3e0bb99c405f526d Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:29 +0100
Subject: [PATCH 29/58] cronie: add $setuid

---
 srcpkgs/cronie/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template
index 3f8fbbcc4f308..c4315e9087c57 100644
--- a/srcpkgs/cronie/template
+++ b/srcpkgs/cronie/template
@@ -24,6 +24,7 @@ make_dirs="
 	/var/spool/anacron 0755 root root"
 conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny"
 provides="cron-daemon-0_1"
+setuid="/usr/bin/cronie-crontab"
 
 alternatives="
  crond:crond:/etc/sv/cronie

From a90f87b0603e4e0614c0c4302ce381f8c7d0bb04 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 00:55:39 +0100
Subject: [PATCH 30/58] xscreensaver: add $setuid

---
 srcpkgs/xscreensaver/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template
index 581298ad5999f..38de4a9f0642a 100644
--- a/srcpkgs/xscreensaver/template
+++ b/srcpkgs/xscreensaver/template
@@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/"
 changelog="https://www.jwz.org/xscreensaver/changelog.html"
 distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz"
 checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7
+setuid="/usr/libexec/xscreensaver/xscreensaver-auth
+ /usr/libexec/xscreensaver/sonar"
 
 pre_configure() {
 	mkdir -p /usr/share/X11/app-defaults

From 342e39a1c7d09ce9db738afd0c91dace08ce9877 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:40:45 +0100
Subject: [PATCH 31/58] pmount: add $setuid

---
 srcpkgs/pmount/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template
index 8a826f4e0fe62..34b34d11d4af4 100644
--- a/srcpkgs/pmount/template
+++ b/srcpkgs/pmount/template
@@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/"
 distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2"
 checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036
 conf_files="/etc/pmount.allow"
+setuid="/usr/bin/pmount
+ /usr/bin/pumount"
 
 post_patch() {
 	vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure

From a5f0dab0d9c9c2df5d55ea975b797c9dd359abd1 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:54 +0100
Subject: [PATCH 32/58] lxc: add $setuid

---
 srcpkgs/lxc/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template
index 40f9cf15b5224..2ec773597a591 100644
--- a/srcpkgs/lxc/template
+++ b/srcpkgs/lxc/template
@@ -17,6 +17,7 @@ license="LGPL-2.1-or-later"
 homepage="https://linuxcontainers.org"
 distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"
 checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222
+setuid="/usr/libexec/lxc/lxc-user-nic"
 
 conf_files="/etc/lxc/default.conf"
 make_dirs="

From a12f3ab9ec9161b9db0b7db9041aa95e280e9386 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 33/58] dma: add $setuid and $setgid

---
 srcpkgs/dma/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template
index 78c71595ec15f..0e3a98865ec36 100644
--- a/srcpkgs/dma/template
+++ b/srcpkgs/dma/template
@@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma"
 distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz"
 checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946
 system_accounts="mail"
+setuid="/usr/lib/dma-mbox-create"
+setgid="/usr/bin/dma"
 
 provides="smtp-server-0_1 smtp-forwarder-0_1"
 replaces="smtp-server>=0 smtp-forwarder>=0"

From b26a53bbde675b19cc7b702a4ee31fde128076ac Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:50:52 +0100
Subject: [PATCH 34/58] xorg-server: add $setuid

---
 srcpkgs/xorg-server/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template
index 3ae74c71b005e..b9e44a0126c4f 100644
--- a/srcpkgs/xorg-server/template
+++ b/srcpkgs/xorg-server/template
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1
  xserver-abi-video-25_1 xf86-video-modesetting-1_1"
 replaces="xf86-video-modesetting>=0 glamor-egl>=0"
 conf_files="/etc/X11/Xwrapper.config"
+setuid="/usr/libexec/Xorg.wrap"
 
 build_options="elogind"
 desc_option_elogind="Rootless Xorg support with elogind"

From 3ae9d5035224d30e7ec9d63584278fdadeacf01e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:36:31 +0100
Subject: [PATCH 35/58] opensmtpd: add $setuid and $setgid

---
 srcpkgs/opensmtpd/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template
index 6d20f0159d6be..aaecc539ba9f6 100644
--- a/srcpkgs/opensmtpd/template
+++ b/srcpkgs/opensmtpd/template
@@ -26,6 +26,8 @@ checksum=1b46cd41a1c2738757cc3a0e4aea71f3c6db56def727f7261bcd362583345a07
 provides="smtp-forwarder-0_1 smtp-server-0_1"
 replaces="smtp-forwarder>=0 smtp-server>=0"
 system_accounts="_smtpd _smtpq"
+setuid="/usr/libexec/opensmtpd/lockspool"
+setgid="/usr/bin/smtpctl"
 
 CFLAGS=-D_DEFAULT_SOURCE
 

From 35a476dd0fef7053ae455bbe0038b3362f7c0e7e Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 01:12:48 +0100
Subject: [PATCH 36/58] arcan: add $setuid

---
 srcpkgs/arcan/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template
index 853e16fcad391..057ce4852c7dc 100644
--- a/srcpkgs/arcan/template
+++ b/srcpkgs/arcan/template
@@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz
  https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz"
 checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475
  3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da"
+setuid="/usr/bin/arcan"
 
 export CMAKE_GENERATOR="Unix Makefiles"
 

From e24eae92a479d3bd7cf0718b31cf15f5b0943351 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:32 +0100
Subject: [PATCH 37/58] davfs2: add $setuid

---
 srcpkgs/davfs2/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template
index 1a2f8482e210b..85b44de231a4c 100644
--- a/srcpkgs/davfs2/template
+++ b/srcpkgs/davfs2/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="https://savannah.nongnu.org/projects/davfs2"
 distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz"
 checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0
+setuid="/usr/bin/mount.davfs"
 
 CFLAGS="-fcommon"
 

From 11ed08ea125fbe9877af2a4f1a703ec9ba54fa52 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Wed, 22 Feb 2023 00:57:36 +0100
Subject: [PATCH 38/58] hikari: add $setuid

---
 srcpkgs/hikari/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template
index 64811ea08b143..a5ce6f5783c7d 100644
--- a/srcpkgs/hikari/template
+++ b/srcpkgs/hikari/template
@@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf"
 # bmake's -q flag seems to differ in behavior from gnu make which causes the
 # build style's handling of the check target not existing to fail.
 make_check=no
+setuid="/usr/bin/hikari-unlocker"
 
 pre_build() {
 	# The hikari Makefile appends to the CFLAGS and LDFLAGS variables;

From 821719012f7303105ba38e43f10e2ca441853502 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:48:49 +0100
Subject: [PATCH 39/58] squid: add $setuid

---
 srcpkgs/squid/template | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template
index ca758380e900d..5479416ee4008 100644
--- a/srcpkgs/squid/template
+++ b/srcpkgs/squid/template
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
 system_accounts="squid"
 # squid-conf-tests requires a squid user in the system
 make_check=no
+setuid="/usr/libexec/squid/pinger
+ /usr/libexec/squid/basic_pam_auth
+ /usr/libexec/squid/basic_ncsa_auth"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	LDFLAGS+=" -latomic"
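
Review bot: The three helpers allowlisted on the added setuid= lines (pinger, basic_pam_auth, basic_ncsa_auth) carry no rationale in the template or in the commit message, so a later reader cannot tell which ones were audited and which were only recorded to make the hook pass. Add a short comment above setuid= saying why each helper needs the bit, and confirm that the two basic_*_auth helpers are meant to ship setuid at all, since once they are listed the hook will no longer flag them.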

From 6ecce3fbb529c30933a15b31da46b75c0344079b Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:33:19 +0100
Subject: [PATCH 40/58] libutempter: add $setgid

---
 srcpkgs/libutempter/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template
index 3a89e4126cfc2..793a5e8163cd5 100644
--- a/srcpkgs/libutempter/template
+++ b/srcpkgs/libutempter/template
@@ -9,6 +9,7 @@ license="LGPL-2.1-or-later"
 homepage="http://freecode.com/projects/libutempter"
 distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz"
 checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb
+setgid="/usr/lib/utempter/utempter"
 
 libutempter-devel_package() {
 	depends="${sourcepkg}>=${version}_${revision}"

From 54cbdc148730ba22027da5962feaf6b276519b4a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:44:09 +0100
Subject: [PATCH 41/58] qemu: add $setuid

---
 srcpkgs/qemu/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template
index 48ab199e5686b..d41ed5395b20b 100644
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu"
 nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64
  palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf
  opensbi-riscv64-generic-fw_dynamic.elf"
+setuid="/usr/libexec/qemu-bridge-helper"
 
 build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio"
 build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio"

From 5d7190989d263ec6bff2da11f9772e0cf05d0d40 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 24 Feb 2023 22:37:52 +0100
Subject: [PATCH 42/58] plocate: add $setgid

---
 srcpkgs/plocate/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template
index 32a64971a2699..bafb61bbab02a 100644
--- a/srcpkgs/plocate/template
+++ b/srcpkgs/plocate/template
@@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/"
 changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD"
 distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz"
 checksum=d95bc8ee8a9f79b9f69ce63df53fb85b202139f243bbb84c399555eda22e6165
+setgid="/usr/bin/plocate"
 
 system_accounts="_plocate"
 

From de0f3806b8ab342a2dc760828c8315defc0f9e41 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:21 +0100
Subject: [PATCH 43/58] electron19: add $setuid

---
 srcpkgs/electron19/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template
index 3093248588438..ffa1d020c2209 100644
--- a/srcpkgs/electron19/template
+++ b/srcpkgs/electron19/template
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro
 checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5
  f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464
  cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f"
+setuid="/usr/lib/electron19/chrome-sandbox"
 
 case "$XBPS_TARGET_MACHINE" in
 	ppc64*-musl) makedepends+=" libucontext-devel" ;;

From f088d537b97367276ab5e4bc8eac654c860da88a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:38 +0100
Subject: [PATCH 44/58] firejail: add $setuid

---
 srcpkgs/firejail/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template
index 0365d6044fec7..e438bb88aa7a2 100644
--- a/srcpkgs/firejail/template
+++ b/srcpkgs/firejail/template
@@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES"
 distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz"
 checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc
 conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default"
+setuid="/usr/bin/firejail"
 
 nocross=yes

From bcb5f39c6db096e2ebda8495318c88f2c7ad8fcf Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:01:47 +0100
Subject: [PATCH 45/58] hiawatha: add $setuid

---
 srcpkgs/hiawatha/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template
index 9bb28f1d509d1..8c0305120b68b 100644
--- a/srcpkgs/hiawatha/template
+++ b/srcpkgs/hiawatha/template
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix"
 maintainer="Enno Boland <gottox@voidlinux.org>"
 license="GPL-2.0-or-later"
 homepage="https://hiawatha-webserver.org"
-distfiles="https://hiawatha-webserver.org/files/${pkgname}-${version}.tar.gz"
+distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz"
 checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d
 conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt"
 make_dirs="/var/log/hiawatha 0755 root root"
+setuid="/usr/bin/cgi-wrapper"
 
 XBPS_DISTFILES_MIRROR+=" https://hiawatha-webserver.org/files/hiawatha-${version%%.*}/"
 
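Review bot: The distfiles change in this hunk is unrelated to the subject "add $setuid" and should be its own commit. It also hard-codes the directory as hiawatha-10 and replaces ${pkgname} with a literal, while the XBPS_DISTFILES_MIRROR context line two lines below already derives the same directory with hiawatha-${version%%.*}; using that expansion in distfiles would keep the URL valid across a major version bump.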

From e93043c43c5e7c27dda2b7006247b9b5221949b0 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:10:26 +0100
Subject: [PATCH 46/58] kismet: add $setuid

---
 srcpkgs/kismet/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template
index 6993c23711560..ba5b8f5ee1dad 100644
--- a/srcpkgs/kismet/template
+++ b/srcpkgs/kismet/template
@@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/"
 distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz"
 checksum=f08548e26ca65fa1e567b1debbea1ca4d0e7206bddb96a4f639c90171873e8f7
 system_groups="kismet"
+setuid="/usr/bin/kismet_cap_rz_killerbee"
 
 if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then
 	export LIBS="-latomic"

From d3e82ad5c6d0105a627712a16e6ce868ce88f331 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:32 +0100
Subject: [PATCH 47/58] schroot: add $setuid

---
 srcpkgs/schroot/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template
index e6f6b9f171ad7..86d87b01248b9 100644
--- a/srcpkgs/schroot/template
+++ b/srcpkgs/schroot/template
@@ -56,6 +56,8 @@ checksum="
  7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1"
 nocross=yes
 skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz"
+setuid="/usr/bin/schroot
+ /usr/bin/dchroot"
 
 post_extract() {
 	bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction

From b264718a4208a332419d36b1a749bebe12880503 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:17:51 +0100
Subject: [PATCH 48/58] x2goserver: add $setgid

---
 srcpkgs/x2goserver/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template
index 0724ef53a2fa1..83a7595d04fdd 100644
--- a/srcpkgs/x2goserver/template
+++ b/srcpkgs/x2goserver/template
@@ -25,6 +25,7 @@ conf_files="
  /etc/x2go/x2goagent.*
  /etc/x2go/x2goserver.*
 "
+setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper"
 
 post_install() {
 	rm -rf "${DESTDIR}/etc/logcheck"

From ade33ebf4e7de95014e8c128f502dbda86a2b6d5 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 25 Feb 2023 12:22:42 +0100
Subject: [PATCH 49/58] virtualbox-ose: add $setuid

---
 srcpkgs/virtualbox-ose/template | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template
index 08295489e32ef..fdc0c8c3d73b6 100644
--- a/srcpkgs/virtualbox-ose/template
+++ b/srcpkgs/virtualbox-ose/template
@@ -30,6 +30,12 @@ fi
 
 depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus"
 system_groups="vboxusers"
+setuid="/usr/lib/virtualbox/VirtualBoxVM
+ /usr/lib/virtualbox/VBoxNetNAT
+ /usr/lib/virtualbox/VBoxHeadless
+ /usr/lib/virtualbox/VBoxNetDHCP
+ /usr/lib/virtualbox/VBoxNetAdpCtl"
+
 
 do_configure() {
 	cp ${FILESDIR}/LocalConfig.kmk .
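
Review bot: The trailing bare "+" line after the closing quote of setuid= adds a second blank line before do_configure(), because the following context line is already blank. Drop the added empty line so the hunk is five insertions and the template keeps a single blank separator.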

From 3621efb720231c57b3a84db7d968bb997e8e9f54 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 22:50:24 -0400
Subject: [PATCH 50/58] at: explicitly allow setuid

---
 srcpkgs/at/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/at/template b/srcpkgs/at/template
index 41bc74404c487..652b1138759f0 100644
--- a/srcpkgs/at/template
+++ b/srcpkgs/at/template
@@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html"
 distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz"
 checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8
 disable_parallel_build=yes
+setuid="/usr/bin/at"
+setgid="/usr/bin/at"
 
 conf_files="/etc/at.deny"
 system_accounts="at"
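
Review bot: The subject says "explicitly allow setuid" but the hunk adds both setuid="/usr/bin/at" and setgid="/usr/bin/at". Reword the subject to mention setgid as well, so that a log search for packages that were granted setgid finds this commit.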

From 8e5ff9cc6107881797267cad1bf536f00ab9b899 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sun, 3 Apr 2022 00:03:39 -0400
Subject: [PATCH 51/58] 9mount: explicitly allow setuid

---
 srcpkgs/9mount/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template
index 5b1160ad20491..04817c3c3c426 100644
--- a/srcpkgs/9mount/template
+++ b/srcpkgs/9mount/template
@@ -10,6 +10,7 @@ license="ISC"
 homepage="http://sqweek.net/code/9mount/"
 distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz"
 checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17
+setuid="/usr/bin/9mount /usr/bin/9umount /usr/bin/9bind"
 
 pre_build() {
 	sed -i '/chown/d' Makefile

From aacd1419e353417ba21ce69248861ba4ba6c49e6 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Sat, 2 Apr 2022 22:20:53 -0400
Subject: [PATCH 52/58] xlockmore: explicitly allow setuid

Setuid root appears required by xlock on systems that use shadow passwords,
according to the README.

Requires confirmation
---
 srcpkgs/xlockmore/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template
index ff0f0000a8694..40b7ae139062e 100644
--- a/srcpkgs/xlockmore/template
+++ b/srcpkgs/xlockmore/template
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README"
 distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz"
 checksum=d511975967ae7355072acdccf6b1bf414f8a16be50ccc8070f13e624623ec772
 CFLAGS="-D_DEFAULT_SOURCE"
+setuid="/usr/bin/xlock"
 
 build_options="opengl"
 desc_option_opengl="Enable OpenGL modes"
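
Review bot: The commit message for the added setuid="/usr/bin/xlock" line ends with "Requires confirmation", so the allowlist entry is being recorded before the need for setuid root has been verified. Resolve that question before merging and put the outcome in a comment next to setuid=, since after this change the hook will accept the bit on xlock without further warning.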

From 06ed1d7cb42bbc2a91c48df3eafc22aa362adb73 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 20:46:33 -0400
Subject: [PATCH 53/58] util-linux: explicitly allow setuid

---
 srcpkgs/util-linux/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 99819d02068b3..0f6351e6bcffe 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -23,6 +23,8 @@ license="GPL-2.0-or-later"
 homepage="https://www.kernel.org/pub/linux/utils/util-linux/"
 distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz"
 checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f
+setuid="/usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/newgrp
+ /usr/bin/chsh /usr/bin/chfn"
 
 # Create uuidd system account for uuidd.
 system_accounts="_uuidd"
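
Review bot: The added setuid= value packs four paths on its first line and two on the second, while other templates in this series (squid, schroot, virtualbox-ose) put one path per line. One path per line would make a later addition or removal in this allowlist show up as a single-line diff, which is easier to review for a list that grants privilege.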

From 4e1175d0904fbf2af7453e98c8f94b958ca5a286 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:27:55 -0400
Subject: [PATCH 54/58] shadow: explicitly allow setuid

---
 srcpkgs/shadow/template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template
index c59d92bfeb54a..279cacf843be9 100644
--- a/srcpkgs/shadow/template
+++ b/srcpkgs/shadow/template
@@ -18,6 +18,8 @@ homepage="https://github.com/shadow-maint/shadow"
 distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz"
 checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62
 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs"
+setuid="/usr/bin/passwd /usr/bin/gpasswd /usr/bin/expiry /usr/bin/chage
+ /usr/bin/sg /usr/bin/newuidmap /usr/bin/newgidmap"
 
 pre_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 000c311077537ce2ddc6708e11a0aa2d63b0fa3b Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 21:58:17 -0400
Subject: [PATCH 55/58] sudo: explicitly allow setuid

---
 srcpkgs/sudo/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template
index 469276b04f544..d5edd3ddafb3f 100644
--- a/srcpkgs/sudo/template
+++ b/srcpkgs/sudo/template
@@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz"
 checksum=a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62
 conf_files="/etc/pam.d/sudo /etc/sudoers"
 lib32disabled=yes
+setuid="/usr/bin/sudo"
 
 post_configure() {
 	case "$XBPS_TARGET_MACHINE" in

From 9e5716dd55fa33dbf0d718620042045d116d54c5 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Tue, 19 Apr 2022 22:17:31 -0400
Subject: [PATCH 56/58] udevil: explicitly allow setuid

---
 srcpkgs/udevil/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template
index b560bdf7589fe..263d0a652102a 100644
--- a/srcpkgs/udevil/template
+++ b/srcpkgs/udevil/template
@@ -13,6 +13,7 @@ license="GPL-3.0-or-later"
 homepage="http://ignorantguru.github.io/udevil/"
 distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz"
 checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c
+setuid="/usr/bin/udevil"
 
 post_patch() {
 	vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure

From 0f45e967659a4f1c20d0d307a1e70bf513c7c047 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 15:37:20 -0400
Subject: [PATCH 57/58] thttpd: explicitly allow setuid

The makeweb tool needs sgid. However, thttpd is configured at compile time, and
it's unclear if our config (the default) allows usage of `makeweb`. That tool
also doesn't look like a superb thing to unconditionally ship in the main
package since it can't be configured by the system admin. Perhaps it should be
split into a subpackage?
---
 srcpkgs/thttpd/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template
index 13de3fbef35ef..3d288f2ea1cf5 100644
--- a/srcpkgs/thttpd/template
+++ b/srcpkgs/thttpd/template
@@ -9,6 +9,7 @@ license="BSD-2-Clause"
 homepage="http://www.acme.com/software/thttpd/"
 distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz"
 checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397
+setgid="/usr/bin/makeweb"
 
 pre_configure() {
 	vsed -i Makefile.in -e "s,-o bin -g bin,,g"
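
Review bot: The added line is setgid="/usr/bin/makeweb", but the subject reads "explicitly allow setuid"; the subject should say setgid. The commit message also leaves open whether makeweb is usable with the default config and whether it belongs in a subpackage, and allowlisting it here settles neither, so that question should be answered (or tracked in a template comment) before the entry is accepted.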

From f889f1e040825ae056f94a5a213d74c3ab1212d5 Mon Sep 17 00:00:00 2001
From: 0x5c <dev@0x5c.io>
Date: Wed, 20 Apr 2022 17:22:01 -0400
Subject: [PATCH 58/58] mit-krb5: explicitly allow setuid

---
 srcpkgs/mit-krb5/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template
index 683c7e8d32a03..45837ca5e01e6 100644
--- a/srcpkgs/mit-krb5/template
+++ b/srcpkgs/mit-krb5/template
@@ -50,6 +50,7 @@ post_install() {
 
 mit-krb5-client_package() {
 	short_desc+=" - client programs"
+	setuid="/usr/bin/ksu"
 	pkg_install() {
 		for f in uuclient ktutil kswitch gss-client kvno kinit kpasswd \
 			kdestroy sclient kadmin k5srvutil sim_client klist ksu; do
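
Review bot: Here setuid="/usr/bin/ksu" is set inside mit-krb5-client_package(), whereas every other template in this series sets the variable at the top level. That matches where ksu is installed (it is in the pkg_install list below), but it relies on the variable being read per subpackage; worth stating in the variable's documentation that a subpackage shipping a setuid or setgid file must declare it in its own _package() function.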

Thread overview: 22+ messages
2021-09-18 12:10 [PR PATCH] " paper42
2022-04-02 22:09 ` [PR PATCH] [Updated] [WIP]: " paper42
2022-04-03  3:59 ` 0x5c
2022-04-03  4:00 ` 0x5c
2022-04-03 15:57 ` [PR REVIEW] " Duncaen
2022-04-04  4:06 ` 0x5c
2022-04-04  4:12 ` 0x5c
2022-04-04  4:13 ` 0x5c
2022-04-06 17:45 ` paper42
2022-04-06 17:54 ` [PR PATCH] [Updated] " paper42
2022-04-20  1:39 ` [PR REVIEW] " 0x5c
2022-04-20  2:07 ` 0x5c
2022-04-20 19:19 ` 0x5c
2022-04-20 19:49 ` 0x5c
2022-04-20 21:21 ` 0x5c
2022-05-30 20:27 ` [PR PATCH] [Updated] " paper42
2023-02-25 11:23 ` paper42
2023-02-25 11:30 ` paper42
2023-08-07  0:40 ` classabbyamp [this message]
2023-09-20 13:29 ` 0x5c
2023-09-20 13:29 ` 0x5c
2023-09-20 13:41 ` 0x5c
