From e7c4d7abe6558674998f92718a178a8fe4117b83 Mon Sep 17 00:00:00 2001
From: Michal Vasilek
Date: Sat, 18 Sep 2021 13:42:00 +0200
Subject: [PATCH 01/58] hooks/post-install: add check setuid/setgid hook
---
.../post-install/15-check-setuid-setgid.sh | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 common/hooks/post-install/15-check-setuid-setgid.sh
diff --git a/common/hooks/post-install/15-check-setuid-setgid.sh b/common/hooks/post-install/15-check-setuid-setgid.sh
new file mode 100644
index 0000000000000..dae87c2b3d5c5
--- /dev/null
+++ b/common/hooks/post-install/15-check-setuid-setgid.sh
@@ -0,0 +1,26 @@
+dofind() {
+ error=
+ for setidfile in $(find "$PKGDESTDIR" -type f -perm -"$1"); do
+ matched=
+ for allowed_file in ${!2}; do
+ if [ "$PKGDESTDIR$allowed_file" = "$setidfile" ]; then
+ matched=y
+ break
+ fi
+ done
+ if [ -n "$matched" ]; then
+ echo "$2 file: ${setidfile#$PKGDESTDIR}"
+ else
+ msg_red "not allowed $2 file: ${setidfile#$PKGDESTDIR}\n"
+ error=y
+ fi
+ done
+ if [ -n "$error" ]; then
+ msg_error "$2 files not explicitly allowed, please list them in \$$2\n"
+ fi
+}
+
+hook() {
+ dofind 4000 setuid
+ dofind 2000 setgid
+}
From 07a03aa693ca14d9152b8558626bce01d652c59f Mon Sep 17 00:00:00 2001
From: Michal Vasilek
Date: Wed, 22 Feb 2023 00:57:33 +0100
Subject: [PATCH 02/58] ecryptfs-utils: add $setuid and $setgid
---
srcpkgs/ecryptfs-utils/template | 2 ++
1 file changed, 2 insertions(+)
diff --git a/srcpkgs/ecryptfs-utils/template b/srcpkgs/ecryptfs-utils/template
index 6bdc07b97c325..d8faed1cd5546 100644
--- a/srcpkgs/ecryptfs-utils/template
+++ b/srcpkgs/ecryptfs-utils/template
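Review bot: In `dofind` (15-check-setuid-setgid.sh), the `for setidfile in $(find …)` loop word-splits and glob-expands find's output, so for a path containing whitespace or glob characters the string compared with the allowlist is not the file's real path; a name ending in whitespace would, as far as I can tell, compare equal to the allowlisted entry without it. Reading NUL-delimited output keeps each path intact: replace the loop header with `while IFS= read -r -d '' setidfile; do` and its closing line with `done < <(find "$PKGDESTDIR" -type f -perm -"$1" -print0)`. Separately, `error`, `matched`, `setidfile` and `allowed_file` are assigned without `local`, so they persist in whatever shell sources the hook; a `local error matched setidfile allowed_file` at the top of `dofind` would keep the check self-contained. The check is also one-directional: an entry listed in `$setuid`/`$setgid` that no longer matches an installed file is never reported, so stale allowlist entries can accumulate unnoticed.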
@@ -17,6 +17,8 @@ homepage="http://ecryptfs.org/" distfiles="http://launchpad.net/ecryptfs/trunk/${version}/+download/${pkgname}_${version}.orig.tar.gz" checksum=112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f lib32disabled=yes +setuid="/usr/bin/mount.ecryptfs_private" +setgid="/usr/bin/mount.ecryptfs_private" CPPFLAGS="-D_FILE_OFFSET_BITS=64 -I${XBPS_CROSS_BASE}/usr/include/python2.7" From 01ea37a585e46ead9632b88bcc3bce783ff3b43c Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:28 +0100 Subject: [PATCH 03/58] cifs-utils: add $setuid and $setgid --- srcpkgs/cifs-utils/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/cifs-utils/template b/srcpkgs/cifs-utils/template index 5576b371ca6af..331a0878b36d9 100644 --- a/srcpkgs/cifs-utils/template +++ b/srcpkgs/cifs-utils/template @@ -14,6 +14,8 @@ homepage="https://wiki.samba.org/index.php/LinuxCIFS_utils" distfiles="https://ftp.samba.org/pub/linux-cifs/${pkgname}/${pkgname}-${version}.tar.bz2" checksum=a7b6940e93250c1676a6fa66b6ead91b78cd43a5fee99cc462459c8b9cf1e6f4 python_version=3 +setuid="/usr/bin/mount.cifs" +setgid="/usr/bin/mount.cifs" pre_configure() { autoreconf -fi From c45d8096729390fd45678c0932d20e6218d05dfd Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:44:48 +0100 Subject: [PATCH 04/58] s-nail: add $setuid --- srcpkgs/s-nail/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/s-nail/template b/srcpkgs/s-nail/template index 7a171cea0d274..f8483be178548 100644 --- a/srcpkgs/s-nail/template +++ b/srcpkgs/s-nail/template @@ -12,6 +12,7 @@ license="BSD-4-Clause, BSD-3-Clause, BSD-2-Clause, ISC" homepage="https://git.sdaoden.eu/cgit/s-nail.git" distfiles="https://www.sdaoden.eu/downloads/s-nail-${version}.tar.xz" checksum=2714d6b8fb2af3b363fc7c79b76d058753716345d1b6ebcd8870ecd0e4f7ef8c +setuid="/usr/libexec/s-nail-dotlock" provides="mail-${version}_${revision}" 
From e42d1140c2c0ed32740c22ecc52c9fe01d09409d Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:36:05 +0100 Subject: [PATCH 05/58] opendoas: add $setuid --- srcpkgs/opendoas/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/opendoas/template b/srcpkgs/opendoas/template index 5254f280b8015..9e93eaaf26fc4 100644 --- a/srcpkgs/opendoas/template +++ b/srcpkgs/opendoas/template @@ -13,6 +13,7 @@ license="ISC, BSD-3-Clause" homepage="https://github.com/Duncaen/OpenDoas" distfiles="https://github.com/Duncaen/OpenDoas/archive/v${version}.tar.gz" checksum=6da058a0e70b7543bc60624389b0b00b686189ec933828c522bf8b2600495a67 +setuid="/usr/bin/doas" build_options="pam timestamp" build_options_default="pam timestamp" From c547737dddf45879d2873a01fa593dafbec162d3 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:50:19 +0100 Subject: [PATCH 06/58] weston: add $setuid --- srcpkgs/weston/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/weston/template b/srcpkgs/weston/template index b517c10c98caf..465d5310a9b55 100644 --- a/srcpkgs/weston/template +++ b/srcpkgs/weston/template @@ -21,6 +21,7 @@ distfiles="https://wayland.freedesktop.org/releases/${pkgname}-${version}.tar.xz checksum=5cf5d6ce192e0eb15c1fc861a436bf21b5bb3b91dbdabbdebe83e1f83aa098fe system_groups="weston-launch" lib32disabled=yes +setuid="/usr/bin/weston-launch" # Package build options build_options="elogind vaapi" From 4d337f6eb066fb6d0432d28271349596969ed2c6 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 01:22:39 +0100 Subject: [PATCH 07/58] enlightenment: set $setuid --- srcpkgs/enlightenment/template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/srcpkgs/enlightenment/template b/srcpkgs/enlightenment/template index fb148d8c66931..5400afeeb49fe 100644 --- a/srcpkgs/enlightenment/template +++ b/srcpkgs/enlightenment/template 
@@ -20,6 +20,9 @@ checksum=56db5d206b821b9a8831d26e713e410ac70b2255a6f43fcdf7c01eefde23b7a2 lib32disabled=yes build_options="wayland" build_options_default="wayland" +setuid="/usr/lib/enlightenment/utils/enlightenment_ckpasswd + /usr/lib/enlightenment/utils/enlightenment_sys + /usr/lib/enlightenment/utils/enlightenment_system" post_install() { # Use our native tools to shutdown/suspend. From e915a2e1fa9116e0cc5ffd554b949d68b4535aca Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:35:48 +0100 Subject: [PATCH 08/58] nfs-utils: add $setuid --- srcpkgs/nfs-utils/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/nfs-utils/template b/srcpkgs/nfs-utils/template index 252a7355b6836..363c72c9ab679 100644 --- a/srcpkgs/nfs-utils/template +++ b/srcpkgs/nfs-utils/template @@ -15,6 +15,7 @@ homepage="https://www.linux-nfs.org/" distfiles="${KERNEL_SITE}/utils/${pkgname}/${version}/${pkgname}-${version}.tar.xz" checksum=5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011 replaces="rpcgen>=0" +setuid="/usr/bin/mount.nfs" hostmakedepends="pkg-config libtirpc-devel rpcsvc-proto" makedepends="libblkid-devel libmount-devel libtirpc-devel From 2a34c4fb64032e585ce55bdbb38052c0f7d8c42d Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:31:52 +0100 Subject: [PATCH 09/58] libcgroup: add $setuid --- srcpkgs/libcgroup/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/libcgroup/template b/srcpkgs/libcgroup/template index 18dfd5c9f8e5f..499d9e16cb1b9 100644 --- a/srcpkgs/libcgroup/template +++ b/srcpkgs/libcgroup/template @@ -13,6 +13,7 @@ license="LGPL-2.1-only" homepage="https://github.com/libcgroup/libcgroup" distfiles="https://github.com/libcgroup/libcgroup/releases/download/v${version%.*}/libcgroup-${version}.tar.gz" checksum=8d284d896fca1c981b55850e92acd3ad9648a69227c028dda7ae3402af878edd +setuid="/usr/bin/cgexec" case "$XBPS_TARGET_MACHINE" in *-musl) # Add musl-fts implementation 
From f29cecb7e598f9de223e1f85a7976a6d315011df Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:37:34 +0100 Subject: [PATCH 10/58] physlock: add $setuid --- srcpkgs/physlock/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/physlock/template b/srcpkgs/physlock/template index 0f091d24444ca..f7faecb982502 100644 --- a/srcpkgs/physlock/template +++ b/srcpkgs/physlock/template @@ -11,6 +11,7 @@ license="GPL-2.0-or-later" homepage="https://github.com/muennich/physlock" distfiles="${homepage}/archive/v${version}.tar.gz" checksum=9ae4716a1e916f141e47a01b439133ca382281ebdcbec1e53f85da6771774bd6 +setuid="/usr/bin/physlock" CFLAGS="-D_GNU_SOURCE" From 2a39174bc49cefe3ab2d26938b1a26307ef3f89a Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:35 +0100 Subject: [PATCH 11/58] fuse3: add $setuid --- srcpkgs/fuse3/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/fuse3/template b/srcpkgs/fuse3/template index 612f909c8e6f6..dbfc79aa8339e 100644 --- a/srcpkgs/fuse3/template +++ b/srcpkgs/fuse3/template @@ -15,6 +15,7 @@ changelog="https://raw.githubusercontent.com/libfuse/libfuse/master/ChangeLog.rs distfiles="https://github.com/libfuse/libfuse/releases/download/fuse-${version}/fuse-${version}.tar.gz" checksum=13ef77cda531a21c2131f9576042970e98035c0a5f019abf661506efd2d38a4e conf_files="/etc/fuse.conf" +setuid="/usr/bin/fusermount3" # Tests require root make_check=no From cd92365e6b5017679588301f1d0127c8f23ec519 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:39 +0100 Subject: [PATCH 12/58] incron: add $setuid --- srcpkgs/incron/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/incron/template b/srcpkgs/incron/template index 14222e496d946..fb6cd128ed4aa 100644 --- a/srcpkgs/incron/template +++ b/srcpkgs/incron/template 
@@ -8,6 +8,7 @@ license="X11" homepage="https://github.com/ar-/incron" distfiles="https://github.com/ar-/incron/archive/${version}.tar.gz" checksum=cce80bd723bafce59f35464f2f851d02707e32efa102e2b941ed0e42bdd38f91 +setuid="/usr/bin/incrontab" make_dirs="/var/spool/incron 0755 root root /etc/incron.d 0755 root root" From 08ce1abf4b11296f6a6b5923d2b01f20dbaecff5 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:32:36 +0100 Subject: [PATCH 13/58] libpam-policycache: add $setuid --- srcpkgs/libpam-policycache/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/libpam-policycache/template b/srcpkgs/libpam-policycache/template index 6777b0856dd67..921fccd61886a 100644 --- a/srcpkgs/libpam-policycache/template +++ b/srcpkgs/libpam-policycache/template @@ -12,6 +12,7 @@ homepage="https://github.com/google/libpam-policycache" distfiles="https://github.com/google/libpam-policycache/archive/v$version.tar.gz" checksum=d1a074493d3a4076094a79093ec02c8fdd886069b9624d8b6765f7a1e840fae6 CFLAGS="-Wno-error=deprecated-declarations" +setuid="/usr/bin/pam-escalate-helper" make_dirs="/etc/libpam-policycache.d 0755 root root /var/cache/libpam-policycache 0700 root root" From 0b6ac9275cb089daf711de2b4f176a694d0b23fa Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:36:55 +0100 Subject: [PATCH 14/58] openssh: add $setuid --- srcpkgs/openssh/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/openssh/template b/srcpkgs/openssh/template index a5c920fb10b2e..d5d9d93f23091 100644 --- a/srcpkgs/openssh/template +++ b/srcpkgs/openssh/template 
@@ -28,6 +28,7 @@ distfiles="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${ver checksum=200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd" make_dirs="/var/chroot/ssh 0755 root root" +setuid="/usr/libexec/ssh-keysign" # Package build options build_options="fido2 gssapi ldns ssl" From e305c16a90c862648c609e460f348fa0020f72e6 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:47:17 +0100 Subject: [PATCH 15/58] slock: add $setuid --- srcpkgs/slock/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/slock/template b/srcpkgs/slock/template index aa7890a499735..6612c55dcf014 100644 --- a/srcpkgs/slock/template +++ b/srcpkgs/slock/template @@ -10,6 +10,7 @@ license="MIT" homepage="http://tools.suckless.org/slock" distfiles="http://dl.suckless.org/tools/slock-${version}.tar.gz" checksum=aee1e3fbf6a277fb625a3838073b979b6483e7baca4ce82f56de1ff192db0e4d +setuid="/usr/bin/slock" do_build() { [ -e ${FILESDIR}/config.h ] && cp ${FILESDIR}/config.h config.h From c06e999ed28f3494eebf2062022f66a826355148 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:40:16 +0100 Subject: [PATCH 16/58] polkit: add $setuid --- srcpkgs/polkit/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/polkit/template b/srcpkgs/polkit/template index 84ab7453bb9b6..aa7038f0e71c3 100644 --- a/srcpkgs/polkit/template +++ b/srcpkgs/polkit/template @@ -21,6 +21,8 @@ changelog="https://gitlab.freedesktop.org/polkit/polkit/-/raw/master/NEWS" distfiles="${FREEDESKTOP_SITE}/${pkgname}/releases/${pkgname}-${version}.tar.gz" checksum=9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa system_accounts="polkitd" +setuid="/usr/bin/pkexec + /usr/lib/polkit-1/polkit-agent-helper-1" #replaces="polkit-elogind>=0" #provides="polkit-elogind-${version}_${revision}" 
From 93a3dfa641e227300afb0a7b7c5784664752128f Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:34 +0100 Subject: [PATCH 17/58] fuse: add $setuid --- srcpkgs/fuse/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/fuse/template b/srcpkgs/fuse/template index b4fe1571f575b..fa44380b9f8dc 100644 --- a/srcpkgs/fuse/template +++ b/srcpkgs/fuse/template @@ -11,6 +11,7 @@ license="GPL-2.0-or-later, LGPL-2.1-or-later" homepage="https://github.com/libfuse/libfuse" distfiles="${homepage}/releases/download/${pkgname}-${version}/${pkgname}-${version}.tar.gz" checksum=d0e69d5d608cc22ff4843791ad097f554dd32540ddc9bed7638cc6fea7c1b4b5 +setuid="/usr/bin/fusermount" pre_configure() { autoreconf -fi From 7494879fb9bd894fe10df71e69b2cfd45ad236a3 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:34:35 +0100 Subject: [PATCH 18/58] mariadb: add $setuid --- srcpkgs/mariadb/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/mariadb/template b/srcpkgs/mariadb/template index f8987e06ed1c6..53ec5d24fad1d 100644 --- a/srcpkgs/mariadb/template +++ b/srcpkgs/mariadb/template @@ -37,6 +37,7 @@ make_dirs="/var/lib/mysql 0700 mysql mysql /usr/lib/mysql/plugin/auth_pam_tool_dir 0700 mysql root" CFLAGS="-UNDEBUG" CXXFLAGS="-UNDEBUG" +setuid="/usr/lib/mysql/plugin/auth_pam_tool_dir/auth_pam_tool" post_patch() { case "$XBPS_TARGET_MACHINE" in From 29f41512c5e42d2bab27668cd1182e145f2aee90 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:47:46 +0100 Subject: [PATCH 19/58] spice-gtk: add $setuid --- srcpkgs/spice-gtk/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/spice-gtk/template b/srcpkgs/spice-gtk/template index 2d7bed6ddcdd2..06f31b2585a8e 100644 --- a/srcpkgs/spice-gtk/template +++ b/srcpkgs/spice-gtk/template 
@@ -22,6 +22,7 @@ homepage="https://spice-space.org" changelog="https://gitlab.freedesktop.org/spice/spice-gtk/-/raw/master/CHANGELOG.md" distfiles="https://spice-space.org/download/gtk/spice-gtk-${version}.tar.xz" checksum=d8f8b5cbea9184702eeb8cc276a67d72acdb6e36e7c73349fb8445e5bca0969f +setuid="/usr/libexec/spice-client-glib-usb-acl-helper" CFLAGS="-Wno-error -Wno-error=unused-but-set-variable" From 569fedd3b2258d8cdba941ec120b30080d214231 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 00:49:24 +0100 Subject: [PATCH 20/58] uucp: add $setuid --- srcpkgs/uucp/template | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/srcpkgs/uucp/template b/srcpkgs/uucp/template index 2b2b6f758fae7..3719a4820ea29 100644 --- a/srcpkgs/uucp/template +++ b/srcpkgs/uucp/template @@ -11,7 +11,13 @@ license="GPL-2.0-or-later" homepage="https://www.gnu.org/software/uucp/uucp.html" distfiles="${GNU_SITE}/$pkgname/$pkgname-$version.tar.gz" checksum=060c15bfba6cfd1171ad81f782789032113e199a5aded8f8e0c1c5bd1385b62c -patch_args="-Np1" +setuid="/usr/bin/uuname + /usr/bin/uuxqt + /usr/bin/uucp + /usr/bin/cu + /usr/bin/uux + /usr/bin/uucico + /usr/bin/uustat" system_accounts="_uucp" _uucp_homedir="/var/spool/uucp" From bb412a43b6e5dd60c48a00489ec3877a2d828d28 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:31 +0100 Subject: [PATCH 21/58] dar: add $setuid --- srcpkgs/dar/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/dar/template b/srcpkgs/dar/template index 51aa02f6aed06..38b46e261a776 100644 --- a/srcpkgs/dar/template +++ b/srcpkgs/dar/template @@ -14,6 +14,7 @@ license="GPL-2.0-or-later" homepage="http://dar.linux.free.fr/" distfiles="${SOURCEFORGE_SITE}/dar/dar-${version}.tar.gz" checksum=1c609f691f99e6a868c0a6fcf70d2f5d2adee5dc3c0cbf374e69983129677df5 +setuid="/usr/bin/dar" if [ "$CROSS_BUILD" ]; then configure_args+=" --with-gpgme-prefix=${XBPS_CROSS_BASE}/usr 
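Review bot: In the uucp hunk, the removal of `patch_args="-Np1"` rides along in a commit whose subject only mentions `$setuid`; if dropping it is intentional (the reason is not visible in this hunk), it should be stated in the commit message or split into its own commit so a patch-application change is not hidden inside an allowlist update. The new `setuid` list also allowlists seven binaries at once without saying which account they are expected to be setuid to; given `system_accounts="_uucp"` on the following line, a one-line comment above the list such as `# installed setuid _uucp (confirm), not root` would let a later reviewer tell an expected bit from a regression.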
From 770d51c647c7d88893431c8c6dc85ba5b41c4973 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 22:53:36 +0100 Subject: [PATCH 22/58] keybase: add $setuid --- srcpkgs/keybase/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/keybase/template b/srcpkgs/keybase/template index c2dce9dae4733..d41f644080250 100644 --- a/srcpkgs/keybase/template +++ b/srcpkgs/keybase/template @@ -16,6 +16,7 @@ license="BSD-3-Clause" homepage="https://keybase.io/" distfiles="https://github.com/keybase/client/releases/download/v$version/keybase-v$version.tar.xz" checksum=5e89792105ce29420e92ebeaf8055db5e7d67de5e181f83f69904356ddeb8c71 +setuid="/usr/bin/keybase-redirector" post_install() { vlicense LICENSE From 151dde4b7a6e0528766e7096b6238d9120e57027 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:33 +0100 Subject: [PATCH 23/58] dcron: add $setuid --- srcpkgs/dcron/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/dcron/template b/srcpkgs/dcron/template index ab92850344eea..c0eabe30674e7 100644 --- a/srcpkgs/dcron/template +++ b/srcpkgs/dcron/template @@ -11,6 +11,7 @@ changelog="https://raw.githubusercontent.com/dubiousjim/dcron/v${version}/CHANGE distfiles="https://github.com/dubiousjim/dcron/archive/v${version}.tar.gz" checksum=7c047194b9339b781971b000bf5512c11e856d20a14fe5323d5a1823f04c2a3f provides="cron-daemon-0_1" +setuid="/usr/bin/dcrontab" alternatives=" crond:crond:/etc/sv/dcron From dd2ee389d5845250dce84f8426b8eb2bd9bc635b Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 22:56:15 +0100 Subject: [PATCH 24/58] kbdlight: add $setuid --- srcpkgs/kbdlight/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/kbdlight/template b/srcpkgs/kbdlight/template index 32bfec5560a56..4fb408d0dd3e2 100644 --- a/srcpkgs/kbdlight/template +++ b/srcpkgs/kbdlight/template 
@@ -9,6 +9,7 @@ license="MIT" homepage="https://github.com/hobarrera/kbdlight" distfiles="https://github.com/hobarrera/${pkgname}/archive/v${version}.tar.gz" checksum=7d852d544f73e27245b7c21d820ede7c7c3e0992f37fb17cf257fd03e3926bb1 +setuid="/usr/bin/kbdlight" post_install() { vlicense LICENCE From f6ab98464242b6c00c3f90f0bc39b1d6c0d4651b Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:29 +0100 Subject: [PATCH 25/58] containers: add $setuid --- srcpkgs/containers/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/containers/template b/srcpkgs/containers/template index 7f7ebc7f81783..b8509ce477fca 100644 --- a/srcpkgs/containers/template +++ b/srcpkgs/containers/template @@ -9,6 +9,8 @@ license="MIT" homepage="https://github.com/arachsys/containers" distfiles="https://github.com/arachsys/containers/archive/containers-${version}.tar.gz" checksum=5f43ffaf9bcfc73032cafeb94fe9596dcfa0b26f0bd2730656c3daa4341d9c02 +setuid="/usr/bin/contain + /usr/bin/pseudo" do_install() { vbin inject inject-contain From f747e41a61c1da2cc5c618d29fea0d7a86e8bdfd Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:34 +0100 Subject: [PATCH 26/58] fcron: add $setuid and $setgid --- srcpkgs/fcron/template | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/srcpkgs/fcron/template b/srcpkgs/fcron/template index d3f8567f89274..e8cce723e24a1 100644 --- a/srcpkgs/fcron/template +++ b/srcpkgs/fcron/template @@ -32,6 +32,12 @@ homepage="http://fcron.free.fr" distfiles="$homepage/archives/$pkgname-$version.src.tar.gz" checksum=f359daa08a63ddfb7fe2f964bb3f5c52244c25aa36f9225a3cc54d36f4681106 +setuid="/usr/bin/fcronsighup + /usr/bin/fcrondyn + /usr/bin/fcrontab" +setgid="/usr/bin/fcrondyn + /usr/bin/fcrontab" + alternatives=" crond:crond:/etc/sv/fcron crond:crontab:/usr/bin/fcrontab From a24b005c6e6b22bb839d00687dbbdd72de46b079 Mon Sep 17 00:00:00 2001 
From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:36 +0100 Subject: [PATCH 27/58] glusterfs: add $setuid --- srcpkgs/glusterfs/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/glusterfs/template b/srcpkgs/glusterfs/template index 4c53ae9b36347..e3beb986620b4 100644 --- a/srcpkgs/glusterfs/template +++ b/srcpkgs/glusterfs/template @@ -18,6 +18,7 @@ license="GPL-2.0-or-later, LGPL-3.0-only" homepage="https://www.gluster.org/" distfiles="https://download.gluster.org/pub/gluster/glusterfs/${version%.*}/${version}/${pkgname}-${version}.tar.gz" checksum=07f360c9b43cb1101a857706494e310328e9d6a4e6b2f0697a3bc3f165c2652a +setuid="/usr/bin/fusermount-glusterfs" case "$XBPS_TARGET_MACHINE" in *-musl) broken="not yet supported";; From 9cb2e7bbc7b01ba427c2fa0ff7f69291f417deb4 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:55:28 +0100 Subject: [PATCH 28/58] Powermanga: add $setuid --- srcpkgs/Powermanga/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/Powermanga/template b/srcpkgs/Powermanga/template index f3b9ef9faf3c1..5c78aeb883025 100644 --- a/srcpkgs/Powermanga/template +++ b/srcpkgs/Powermanga/template @@ -11,6 +11,7 @@ license="GPL-3.0-or-later" homepage="http://linux.tlk.fr/games/Powermanga" distfiles="https://github.com/brunonymous/Powermanga/archive/${version}.tar.gz" checksum=010987a3cb27a1f9388a212f637977692284b5616952efa1efae09d2464e9249 +setgid="/usr/bin/powermanga" pre_configure() { ./bootstrap From 816140d37bef5b5b5fb2a8ec3e0bb99c405f526d Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:29 +0100 Subject: [PATCH 29/58] cronie: add $setuid --- srcpkgs/cronie/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/cronie/template b/srcpkgs/cronie/template index 3f8fbbcc4f308..c4315e9087c57 100644 --- a/srcpkgs/cronie/template +++ b/srcpkgs/cronie/template 
@@ -24,6 +24,7 @@ make_dirs=" /var/spool/anacron 0755 root root" conf_files="/etc/anacrontab /etc/pam.d/crond /etc/cron.deny" provides="cron-daemon-0_1" +setuid="/usr/bin/cronie-crontab" alternatives=" crond:crond:/etc/sv/cronie From a90f87b0603e4e0614c0c4302ce381f8c7d0bb04 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 00:55:39 +0100 Subject: [PATCH 30/58] xscreensaver: add $setuid --- srcpkgs/xscreensaver/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/xscreensaver/template b/srcpkgs/xscreensaver/template index 581298ad5999f..38de4a9f0642a 100644 --- a/srcpkgs/xscreensaver/template +++ b/srcpkgs/xscreensaver/template @@ -18,6 +18,8 @@ homepage="https://www.jwz.org/xscreensaver/" changelog="https://www.jwz.org/xscreensaver/changelog.html" distfiles="https://www.jwz.org/xscreensaver/xscreensaver-${version}.tar.gz" checksum=f534fab85a836de5b8be8e91fc21b80ca7d6a4ed9386ebe207d4be7a4e7499a7 +setuid="/usr/libexec/xscreensaver/xscreensaver-auth + /usr/libexec/xscreensaver/sonar" pre_configure() { mkdir -p /usr/share/X11/app-defaults From 342e39a1c7d09ce9db738afd0c91dace08ce9877 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:40:45 +0100 Subject: [PATCH 31/58] pmount: add $setuid --- srcpkgs/pmount/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/pmount/template b/srcpkgs/pmount/template index 8a826f4e0fe62..34b34d11d4af4 100644 --- a/srcpkgs/pmount/template +++ b/srcpkgs/pmount/template @@ -12,6 +12,8 @@ homepage="http://pmount.alioth.debian.org/" distfiles="${DEBIAN_SITE}/main/p/${pkgname}/${pkgname}_${version}.orig.tar.bz2" checksum=db38fc290b710e8e9e9d442da2fb627d41e13b3ee80326c15cc2595ba00ea036 conf_files="/etc/pmount.allow" +setuid="/usr/bin/pmount + /usr/bin/pumount" post_patch() { vsed -i -e 's/DATADIRNAME=lib/DATADIRNAME=share/' configure From a5f0dab0d9c9c2df5d55ea975b797c9dd359abd1 Mon Sep 17 00:00:00 2001 
From: Michal Vasilek Date: Fri, 24 Feb 2023 22:33:54 +0100 Subject: [PATCH 32/58] lxc: add $setuid --- srcpkgs/lxc/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/lxc/template b/srcpkgs/lxc/template index 40f9cf15b5224..2ec773597a591 100644 --- a/srcpkgs/lxc/template +++ b/srcpkgs/lxc/template @@ -17,6 +17,7 @@ license="LGPL-2.1-or-later" homepage="https://linuxcontainers.org" distfiles="https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz" checksum=d8195423bb1e206f8521d24b6cde4789f043960c7cf065990a9cf741dcfd4222 +setuid="/usr/libexec/lxc/lxc-user-nic" conf_files="/etc/lxc/default.conf" make_dirs=" From a12f3ab9ec9161b9db0b7db9041aa95e280e9386 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:33 +0100 Subject: [PATCH 33/58] dma: add $setuid and $setgid --- srcpkgs/dma/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/dma/template b/srcpkgs/dma/template index 78c71595ec15f..0e3a98865ec36 100644 --- a/srcpkgs/dma/template +++ b/srcpkgs/dma/template @@ -13,6 +13,8 @@ homepage="https://github.com/corecode/dma" distfiles="https://github.com/corecode/dma/archive/v${version}.tar.gz" checksum=9d4b903f2b750d888f51d668d08d2ea18404dedb0a52cffeb3c81376023c1946 system_accounts="mail" +setuid="/usr/lib/dma-mbox-create" +setgid="/usr/bin/dma" provides="smtp-server-0_1 smtp-forwarder-0_1" replaces="smtp-server>=0 smtp-forwarder>=0" From b26a53bbde675b19cc7b702a4ee31fde128076ac Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:50:52 +0100 Subject: [PATCH 34/58] xorg-server: add $setuid --- srcpkgs/xorg-server/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/xorg-server/template b/srcpkgs/xorg-server/template index 3ae74c71b005e..b9e44a0126c4f 100644 --- a/srcpkgs/xorg-server/template +++ b/srcpkgs/xorg-server/template 
@@ -30,6 +30,7 @@ provides="xserver-abi-extension-10_1 xserver-abi-input-24_1 xserver-abi-video-25_1 xf86-video-modesetting-1_1" replaces="xf86-video-modesetting>=0 glamor-egl>=0" conf_files="/etc/X11/Xwrapper.config" +setuid="/usr/libexec/Xorg.wrap" build_options="elogind" desc_option_elogind="Rootless Xorg support with elogind" From 3ae9d5035224d30e7ec9d63584278fdadeacf01e Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:36:31 +0100 Subject: [PATCH 35/58] opensmtpd: add $setuid and $setgid --- srcpkgs/opensmtpd/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/opensmtpd/template b/srcpkgs/opensmtpd/template index 6d20f0159d6be..aaecc539ba9f6 100644 --- a/srcpkgs/opensmtpd/template +++ b/srcpkgs/opensmtpd/template @@ -26,6 +26,8 @@ checksum=1b46cd41a1c2738757cc3a0e4aea71f3c6db56def727f7261bcd362583345a07 provides="smtp-forwarder-0_1 smtp-server-0_1" replaces="smtp-forwarder>=0 smtp-server>=0" system_accounts="_smtpd _smtpq" +setuid="/usr/libexec/opensmtpd/lockspool" +setgid="/usr/bin/smtpctl" CFLAGS=-D_DEFAULT_SOURCE From 35a476dd0fef7053ae455bbe0038b3362f7c0e7e Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 01:12:48 +0100 Subject: [PATCH 36/58] arcan: add $setuid --- srcpkgs/arcan/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/arcan/template b/srcpkgs/arcan/template index 853e16fcad391..057ce4852c7dc 100644 --- a/srcpkgs/arcan/template +++ b/srcpkgs/arcan/template @@ -29,6 +29,7 @@ distfiles="https://github.com/letoram/arcan/archive/${version}.tar.gz https://github.com/letoram/openal/archive/${_versionOpenal}.tar.gz>openal_arcan.${_versionOpenal}.tar.gz" checksum="7bf083412bc61555472877313c13116431a0a36fccbf142f97559db43b4a1475 3a50a87c05b67c466a868cc77f8dc7f9cfc9466aeeafcd823daca0d108c504da" +setuid="/usr/bin/arcan" export CMAKE_GENERATOR="Unix Makefiles" From e24eae92a479d3bd7cf0718b31cf15f5b0943351 Mon Sep 17 00:00:00 2001 
From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:32 +0100 Subject: [PATCH 37/58] davfs2: add $setuid --- srcpkgs/davfs2/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/davfs2/template b/srcpkgs/davfs2/template index 1a2f8482e210b..85b44de231a4c 100644 --- a/srcpkgs/davfs2/template +++ b/srcpkgs/davfs2/template @@ -13,6 +13,7 @@ license="GPL-3.0-or-later" homepage="https://savannah.nongnu.org/projects/davfs2" distfiles="${NONGNU_SITE}/${pkgname}/${pkgname}-${version}.tar.gz" checksum=ce3eb948ece582a51c934ccb0cc70e659839172717caff173f69a5e2af90c5c0 +setuid="/usr/bin/mount.davfs" CFLAGS="-fcommon" From 11ed08ea125fbe9877af2a4f1a703ec9ba54fa52 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Wed, 22 Feb 2023 00:57:36 +0100 Subject: [PATCH 38/58] hikari: add $setuid --- srcpkgs/hikari/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/hikari/template b/srcpkgs/hikari/template index 64811ea08b143..a5ce6f5783c7d 100644 --- a/srcpkgs/hikari/template +++ b/srcpkgs/hikari/template @@ -21,6 +21,7 @@ conf_files="/etc/pam.d/hikari-unlocker /etc/hikari/hikari.conf" # bmake's -q flag seems to differ in behavior from gnu make which causes the # build style's handling of the check target not existing to fail. make_check=no +setuid="/usr/bin/hikari-unlocker" pre_build() { # The hikari Makefile appends to the CFLAGS and LDFLAGS variables; From 821719012f7303105ba38e43f10e2ca441853502 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:48:49 +0100 Subject: [PATCH 39/58] squid: add $setuid --- srcpkgs/squid/template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/srcpkgs/squid/template b/srcpkgs/squid/template index ca758380e900d..5479416ee4008 100644 --- a/srcpkgs/squid/template +++ b/srcpkgs/squid/template 
@@ -58,6 +58,9 @@ checksum=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81 system_accounts="squid" # squid-conf-tests requires a squid user in the system make_check=no +setuid="/usr/libexec/squid/pinger + /usr/libexec/squid/basic_pam_auth + /usr/libexec/squid/basic_ncsa_auth" if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then LDFLAGS+=" -latomic" From 6ecce3fbb529c30933a15b31da46b75c0344079b Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:33:19 +0100 Subject: [PATCH 40/58] libutempter: add $setgid --- srcpkgs/libutempter/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/libutempter/template b/srcpkgs/libutempter/template index 3a89e4126cfc2..793a5e8163cd5 100644 --- a/srcpkgs/libutempter/template +++ b/srcpkgs/libutempter/template @@ -9,6 +9,7 @@ license="LGPL-2.1-or-later" homepage="http://freecode.com/projects/libutempter" distfiles="http://ftp.altlinux.org/pub/people/ldv/utempter/${pkgname}-${version}.tar.gz" checksum=967fef372f391de501843ad87570c6cf5dabd9651f00f1783090fbc12b2a34cb +setgid="/usr/lib/utempter/utempter" libutempter-devel_package() { depends="${sourcepkg}>=${version}_${revision}" From 54cbdc148730ba22027da5962feaf6b276519b4a Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:44:09 +0100 Subject: [PATCH 41/58] qemu: add $setuid --- srcpkgs/qemu/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/qemu/template b/srcpkgs/qemu/template index 48ab199e5686b..d41ed5395b20b 100644 --- a/srcpkgs/qemu/template +++ b/srcpkgs/qemu/template 
@@ -33,6 +33,7 @@ ignore_elf_dirs="/usr/share/qemu" nostrip_files="hppa-firmware.img openbios-ppc openbios-sparc32 openbios-sparc64 palcode-clipper s390-ccw.img s390-netboot.img u-boot.e500 opensbi-riscv32-generic-fw_dynamic.elf opensbi-riscv64-generic-fw_dynamic.elf" +setuid="/usr/libexec/qemu-bridge-helper" build_options="gtk3 opengl sdl2 spice virgl smartcard numa iscsi jack pulseaudio" build_options_default="opengl gtk3 virgl sdl2 numa iscsi jack pulseaudio" From 5d7190989d263ec6bff2da11f9772e0cf05d0d40 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Fri, 24 Feb 2023 22:37:52 +0100 Subject: [PATCH 42/58] plocate: add $setgid --- srcpkgs/plocate/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/plocate/template b/srcpkgs/plocate/template index 32a64971a2699..bafb61bbab02a 100644 --- a/srcpkgs/plocate/template +++ b/srcpkgs/plocate/template @@ -16,6 +16,7 @@ homepage="https://plocate.sesse.net/" changelog="https://git.sesse.net/?p=plocate;a=blob_plain;f=NEWS;hb=HEAD" distfiles="https://plocate.sesse.net/download/plocate-${version}.tar.gz" checksum=d95bc8ee8a9f79b9f69ce63df53fb85b202139f243bbb84c399555eda22e6165 +setgid="/usr/bin/plocate" system_accounts="_plocate" From de0f3806b8ab342a2dc760828c8315defc0f9e41 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:01:21 +0100 Subject: [PATCH 43/58] electron19: add $setuid --- srcpkgs/electron19/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/electron19/template b/srcpkgs/electron19/template index 3093248588438..ffa1d020c2209 100644 --- a/srcpkgs/electron19/template +++ b/srcpkgs/electron19/template 
@@ -34,6 +34,7 @@ distfiles="https://github.com/electron/electron/archive/v$version.tar.gz>electro checksum="d8ee01db95dfe24aa89a67424498b67102a4977ff9a3ccbfbc3f36801fdba7d5 f33363565a3c8868f5f67f0852ccf8d19ada209af8ddd4e27774e50206700464 cc2331a5c35d3dda0035d9cba71c3b8e234bc68e18ffd955b385c1e97062528f" +setuid="/usr/lib/electron19/chrome-sandbox" case "$XBPS_TARGET_MACHINE" in ppc64*-musl) makedepends+=" libucontext-devel" ;; From f088d537b97367276ab5e4bc8eac654c860da88a Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:01:38 +0100 Subject: [PATCH 44/58] firejail: add $setuid --- srcpkgs/firejail/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/firejail/template b/srcpkgs/firejail/template index 0365d6044fec7..e438bb88aa7a2 100644 --- a/srcpkgs/firejail/template +++ b/srcpkgs/firejail/template @@ -14,5 +14,6 @@ changelog="https://github.com/netblue30/firejail/raw/master/RELNOTES" distfiles="https://github.com/netblue30/firejail/archive/${version}.tar.gz" checksum=fa641abe2f673cef304cee6ef0a8ddb69db7919e0b69752f89762a341a87fabc conf_files="/etc/firejail/* /etc/apparmor.d/local/firejail-default" +setuid="/usr/bin/firejail" nocross=yes From bcb5f39c6db096e2ebda8495318c88f2c7ad8fcf Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:01:47 +0100 Subject: [PATCH 45/58] hiawatha: add $setuid --- srcpkgs/hiawatha/template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/srcpkgs/hiawatha/template b/srcpkgs/hiawatha/template index 9bb28f1d509d1..8c0305120b68b 100644 --- a/srcpkgs/hiawatha/template +++ b/srcpkgs/hiawatha/template 
@@ -12,10 +12,11 @@ short_desc="Advanced and secure webserver for Unix" maintainer="Enno Boland " license="GPL-2.0-or-later" homepage="https://hiawatha-webserver.org" -distfiles="https://hiawatha-webserver.org/files/${pkgname}-${version}.tar.gz" +distfiles="https://www.hiawatha-webserver.org/files/hiawatha-10/hiawatha-${version}.tar.gz" checksum=61bf41146c51244769984135529fcffd0f6cb92be18dc12d460effc42f19f50d conf_files="/etc/${pkgname}/*.conf /etc/${pkgname}/*.xslt" make_dirs="/var/log/hiawatha 0755 root root" +setuid="/usr/bin/cgi-wrapper" XBPS_DISTFILES_MIRROR+=" https://hiawatha-webserver.org/files/hiawatha-${version%%.*}/" From e93043c43c5e7c27dda2b7006247b9b5221949b0 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:10:26 +0100 Subject: [PATCH 46/58] kismet: add $setuid --- srcpkgs/kismet/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/kismet/template b/srcpkgs/kismet/template index 6993c23711560..ba5b8f5ee1dad 100644 --- a/srcpkgs/kismet/template +++ b/srcpkgs/kismet/template @@ -18,6 +18,7 @@ homepage="https://www.kismetwireless.net/" distfiles="http://www.kismetwireless.net/code/${pkgname}-${_realver}.tar.xz" checksum=f08548e26ca65fa1e567b1debbea1ca4d0e7206bddb96a4f639c90171873e8f7 system_groups="kismet" +setuid="/usr/bin/kismet_cap_rz_killerbee" if [ "$XBPS_TARGET_NO_ATOMIC8" ]; then export LIBS="-latomic" From d3e82ad5c6d0105a627712a16e6ce868ce88f331 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:17:32 +0100 Subject: [PATCH 47/58] schroot: add $setuid --- srcpkgs/schroot/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/schroot/template b/srcpkgs/schroot/template index e6f6b9f171ad7..86d87b01248b9 100644 --- a/srcpkgs/schroot/template +++ b/srcpkgs/schroot/template 
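Review bot: The `distfiles` change in the srcpkgs/hiawatha/template hunk is unrelated to the commit's stated purpose of adding `$setuid`, and it hard-codes the major version as `hiawatha-10`. That path will go stale on the next major release, while the `XBPS_DISTFILES_MIRROR` line in the same hunk already derives it with `${version%%.*}`. I would write `distfiles="https://www.hiawatha-webserver.org/files/hiawatha-${version%%.*}/hiawatha-${version}.tar.gz"` and move it to its own commit; the checksum is unchanged, so the pinned tarball still verifies. Separately, `/usr/bin/cgi-wrapper` is a setuid helper shipped with a web server, so a one-line comment above `setuid=` stating why it needs the bit would help later reviewers of the allowlist.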
@@ -56,6 +56,8 @@ checksum=" 7bd4e0c2709979362c86a86c10d2b23d290d26e1a2d301a602e829327f483ec1" nocross=yes skip_extraction="schroot_${version}-${_debian_version}.debian.tar.xz" +setuid="/usr/bin/schroot + /usr/bin/dchroot" post_extract() { bsdtar -xf $XBPS_SRCDISTDIR/schroot-${version}/$skip_extraction From b264718a4208a332419d36b1a749bebe12880503 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:17:51 +0100 Subject: [PATCH 48/58] x2goserver: add $setgid --- srcpkgs/x2goserver/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/x2goserver/template b/srcpkgs/x2goserver/template index 0724ef53a2fa1..83a7595d04fdd 100644 --- a/srcpkgs/x2goserver/template +++ b/srcpkgs/x2goserver/template @@ -25,6 +25,7 @@ conf_files=" /etc/x2go/x2goagent.* /etc/x2go/x2goserver.* " +setgid="/usr/lib/x2go/libx2go-server-db-sqlite3-wrapper" post_install() { rm -rf "${DESTDIR}/etc/logcheck" From ade33ebf4e7de95014e8c128f502dbda86a2b6d5 Mon Sep 17 00:00:00 2001 From: Michal Vasilek Date: Sat, 25 Feb 2023 12:22:42 +0100 Subject: [PATCH 49/58] virtualbox-ose: add $setuid --- srcpkgs/virtualbox-ose/template | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/srcpkgs/virtualbox-ose/template b/srcpkgs/virtualbox-ose/template index 08295489e32ef..fdc0c8c3d73b6 100644 --- a/srcpkgs/virtualbox-ose/template +++ b/srcpkgs/virtualbox-ose/template @@ -30,6 +30,12 @@ fi depends="virtualbox-ose-dkms-${version}_${revision} hicolor-icon-theme desktop-file-utils dbus" system_groups="vboxusers" +setuid="/usr/lib/virtualbox/VirtualBoxVM + /usr/lib/virtualbox/VBoxNetNAT + /usr/lib/virtualbox/VBoxHeadless + /usr/lib/virtualbox/VBoxNetDHCP + /usr/lib/virtualbox/VBoxNetAdpCtl" + do_configure() { cp ${FILESDIR}/LocalConfig.kmk . From 3621efb720231c57b3a84db7d968bb997e8e9f54 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Sun, 3 Apr 2022 22:50:24 -0400 Subject: [PATCH 50/58] at: explicitly allow setuid --- srcpkgs/at/template | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/srcpkgs/at/template b/srcpkgs/at/template index 41bc74404c487..652b1138759f0 100644 --- a/srcpkgs/at/template +++ b/srcpkgs/at/template @@ -16,6 +16,8 @@ homepage="https://packages.qa.debian.org/a/at.html" distfiles="${DEBIAN_SITE}/main/a/${pkgname}/${pkgname}_${version}.orig.tar.gz" checksum=bb066b389d7c9bb9d84a35738032b85c30cba7d949f758192adc72c9477fd3b8 disable_parallel_build=yes +setuid="/usr/bin/at" +setgid="/usr/bin/at" conf_files="/etc/at.deny" system_accounts="at" From 8e5ff9cc6107881797267cad1bf536f00ab9b899 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Sun, 3 Apr 2022 00:03:39 -0400 Subject: [PATCH 51/58] 9mount: explicitly allow setuid --- srcpkgs/9mount/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/9mount/template b/srcpkgs/9mount/template index 5b1160ad20491..04817c3c3c426 100644 --- a/srcpkgs/9mount/template +++ b/srcpkgs/9mount/template @@ -10,6 +10,7 @@ license="ISC" homepage="http://sqweek.net/code/9mount/" distfiles="http://sqweek.net/9p/$pkgname-$version.tar.gz" checksum=820d80b9b478d05ecb022ad658477b37cfc2414a8669c3af17d192a522064c17 +setuid="/usr/bin/9mount /usr/bin/9umount /usr/bin/9bind" pre_build() { sed -i '/chown/d' Makefile From aacd1419e353417ba21ce69248861ba4ba6c49e6 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Sat, 2 Apr 2022 22:20:53 -0400 Subject: [PATCH 52/58] xlockmore: explicitly allow setuid Setuid root appears required by xlock on systems that use shadow passwords, according to the README. Requires confirmation --- srcpkgs/xlockmore/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/xlockmore/template b/srcpkgs/xlockmore/template index ff0f0000a8694..40b7ae139062e 100644 --- a/srcpkgs/xlockmore/template +++ b/srcpkgs/xlockmore/template 
@@ -15,6 +15,7 @@ changelog="http://sillycycle.com/xlock/xlockmore.README" distfiles="http://sillycycle.com/xlock/xlockmore-${version}.tar.xz" checksum=d511975967ae7355072acdccf6b1bf414f8a16be50ccc8070f13e624623ec772 CFLAGS="-D_DEFAULT_SOURCE" +setuid="/usr/bin/xlock" build_options="opengl" desc_option_opengl="Enable OpenGL modes" From 06ed1d7cb42bbc2a91c48df3eafc22aa362adb73 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Tue, 19 Apr 2022 20:46:33 -0400 Subject: [PATCH 53/58] util-linux: explicitly allow setuid --- srcpkgs/util-linux/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template index 99819d02068b3..0f6351e6bcffe 100644 --- a/srcpkgs/util-linux/template +++ b/srcpkgs/util-linux/template @@ -23,6 +23,8 @@ license="GPL-2.0-or-later" homepage="https://www.kernel.org/pub/linux/utils/util-linux/" distfiles="${KERNEL_SITE}/utils/${pkgname}/v${version%.${version#*.*.}}/${pkgname}-${version}.tar.xz" checksum=60492a19b44e6cf9a3ddff68325b333b8b52b6c59ce3ebd6a0ecaa4c5117e84f +setuid="/usr/bin/mount /usr/bin/umount /usr/bin/su /usr/bin/newgrp + /usr/bin/chsh /usr/bin/chfn" # Create uuidd system account for uuidd. system_accounts="_uuidd" From 4e1175d0904fbf2af7453e98c8f94b958ca5a286 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Tue, 19 Apr 2022 21:27:55 -0400 Subject: [PATCH 54/58] shadow: explicitly allow setuid --- srcpkgs/shadow/template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/srcpkgs/shadow/template b/srcpkgs/shadow/template index c59d92bfeb54a..279cacf843be9 100644 --- a/srcpkgs/shadow/template +++ b/srcpkgs/shadow/template 
@@ -18,6 +18,8 @@ homepage="https://github.com/shadow-maint/shadow" distfiles="${homepage}/releases/download/${version}/shadow-${version}.tar.xz" checksum=a3ad4630bdc41372f02a647278a8c3514844295d36eefe68ece6c3a641c1ae62 conf_files="/etc/pam.d/* /etc/default/* /etc/login.defs" +setuid="/usr/bin/passwd /usr/bin/gpasswd /usr/bin/expiry /usr/bin/chage + /usr/bin/sg /usr/bin/newuidmap /usr/bin/newgidmap" pre_configure() { case "$XBPS_TARGET_MACHINE" in From 000c311077537ce2ddc6708e11a0aa2d63b0fa3b Mon Sep 17 00:00:00 2001 From: 0x5c Date: Tue, 19 Apr 2022 21:58:17 -0400 Subject: [PATCH 55/58] sudo: explicitly allow setuid --- srcpkgs/sudo/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/sudo/template b/srcpkgs/sudo/template index 469276b04f544..d5edd3ddafb3f 100644 --- a/srcpkgs/sudo/template +++ b/srcpkgs/sudo/template @@ -18,6 +18,7 @@ distfiles="https://www.sudo.ws/dist/sudo-${version}.tar.gz" checksum=a08318b1c4bc8582c004d4cd9ae2903abc549e7e46ba815e41fe81d1c0782b62 conf_files="/etc/pam.d/sudo /etc/sudoers" lib32disabled=yes +setuid="/usr/bin/sudo" post_configure() { case "$XBPS_TARGET_MACHINE" in From 9e5716dd55fa33dbf0d718620042045d116d54c5 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Tue, 19 Apr 2022 22:17:31 -0400 Subject: [PATCH 56/58] udevil: explicitly allow setuid --- srcpkgs/udevil/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/udevil/template b/srcpkgs/udevil/template index b560bdf7589fe..263d0a652102a 100644 --- a/srcpkgs/udevil/template +++ b/srcpkgs/udevil/template @@ -13,6 +13,7 @@ license="GPL-3.0-or-later" homepage="http://ignorantguru.github.io/udevil/" distfiles="https://github.com/IgnorantGuru/udevil/archive/${version}.tar.gz" checksum=ad2fd8375bd62622718a04235e9772119459089938dbb78e657955e595822b7c +setuid="/usr/bin/udevil" post_patch() { vsed -i -e '/DATADIRNAME=/s/=.*/=share/' configure From 0f45e967659a4f1c20d0d307a1e70bf513c7c047 Mon Sep 17 00:00:00 2001 
From: 0x5c Date: Wed, 20 Apr 2022 15:37:20 -0400 Subject: [PATCH 57/58] thttpd: explicitly allow setuid The makeweb tool needs sgid. However, thttpd is configured at compile time, and it's unclear if our config (the default) allows usage of `makeweb`. That tool also doesn't look like a superb thing to inconditionally ship in the main package since it can't be configured by the system admin. Perhaps it should be split into a subpackage? --- srcpkgs/thttpd/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/thttpd/template b/srcpkgs/thttpd/template index 13de3fbef35ef..3d288f2ea1cf5 100644 --- a/srcpkgs/thttpd/template +++ b/srcpkgs/thttpd/template @@ -9,6 +9,7 @@ license="BSD-2-Clause" homepage="http://www.acme.com/software/thttpd/" distfiles="http://www.acme.com/software/thttpd/thttpd-${version}.tar.gz" checksum=99c09f47da326b1e7b5295c45549d2b65534dce27c44812cf7eef1441681a397 +setgid="/usr/bin/makeweb" pre_configure() { vsed -i Makefile.in -e "s,-o bin -g bin,,g" From f889f1e040825ae056f94a5a213d74c3ab1212d5 Mon Sep 17 00:00:00 2001 From: 0x5c Date: Wed, 20 Apr 2022 17:22:01 -0400 Subject: [PATCH 58/58] mit-krb5: explicitly allow setuid --- srcpkgs/mit-krb5/template | 1 + 1 file changed, 1 insertion(+) diff --git a/srcpkgs/mit-krb5/template b/srcpkgs/mit-krb5/template index 683c7e8d32a03..45837ca5e01e6 100644 --- a/srcpkgs/mit-krb5/template +++ b/srcpkgs/mit-krb5/template @@ -50,6 +50,7 @@ post_install() { mit-krb5-client_package() { short_desc+=" - client programs" + setuid="/usr/bin/ksu" pkg_install() { for f in uuclient ktutil kswitch gss-client kvno kinit kpasswd \ kdestroy sclient kadmin k5srvutil sim_client klist ksu; do