monkeysphere: Patch OpenSSH to run the tests in the sandbox
This commit is contained in:
parent
1b84b9f725
commit
ca0c253a80
@ -2,13 +2,23 @@
|
||||
, perl, libassuan, libgcrypt
|
||||
, perlPackages, lockfileProgs, gnupg, coreutils
|
||||
# For the tests:
|
||||
, bash, openssh, which, socat, cpio, hexdump
|
||||
, bash, openssh, which, socat, cpio, hexdump, openssl
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
let
|
||||
# A patch is needed to run the tests inside the Nix sandbox:
|
||||
# /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
|
||||
# sshd: "User nixbld not allowed because shell /noshell does not exist"
|
||||
opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
|
||||
patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
|
||||
});
|
||||
in stdenv.mkDerivation rec {
|
||||
name = "monkeysphere-${version}";
|
||||
version = "0.42";
|
||||
|
||||
# The patched OpenSSH binary MUST NOT be used (except in the check phase):
|
||||
disallowedRequisites = [ opensshUnsafe ];
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
|
||||
sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
|
||||
@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
buildInputs = [ perl libassuan libgcrypt ]
|
||||
++ stdenv.lib.optional doCheck
|
||||
([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
|
||||
([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
|
||||
(with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
|
||||
|
||||
makeFlags = ''
|
||||
@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
|
||||
DESTDIR=$(out)
|
||||
'';
|
||||
|
||||
# The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
|
||||
# inside of the sandbox, because nixbld isn't allowed to login via SSH
|
||||
# (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
|
||||
# sshd: "User nixbld not allowed because shell /noshell does not exist").
|
||||
# The tests should be run (and succeed) when making changes to this package
|
||||
# but they aren't enabled by default because they "drain" entropy (GnuPG
|
||||
# still uses /dev/random).
|
||||
doCheck = false;
|
||||
preCheck = ''
|
||||
preCheck = stdenv.lib.optionalString doCheck ''
|
||||
patchShebangs tests/
|
||||
patchShebangs src/
|
||||
sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
|
||||
sed -i \
|
||||
-e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
|
||||
-e "s,/bin/true,${coreutils}/bin/true," \
|
||||
-e "s,/bin/false,${coreutils}/bin/false," \
|
||||
-e "s,openssl\ req,${openssl}/bin/openssl req," \
|
||||
tests/basic
|
||||
sed -i "s/<(hd/<(hexdump/" tests/keytrans
|
||||
'';
|
||||
|
||||
|
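--- /dev/null
+++ b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
@@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
++++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+#endif
+
+pw = getpwnam(user);
++ if (pw != NULL) {
++ // This is only for testing purposes,
++ // DO NOT USE THIS PATCH IN PRODUCTION!
++ char *shell = "/bin/sh";
++ pw->pw_shell = shell;
++ }
+
+#if defined(_AIX) && defined(HAVE_SETAUTHDB)
+aix_restoreauthdb();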
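Review bot: The added block in getpwnamallow() overwrites pw_shell for every account getpwnam() resolves, not only the sandbox build user, and the patch file itself carries no explanation of why that is acceptable; the rationale (nixbld's /noshell, check-phase-only use, disallowedRequisites keeping it out of the closure) lives only in default.nix. A short header above `diff --git a/auth.c b/auth.c` would keep the two in sync, e.g. `Force pw_shell to /bin/sh so sshd accepts the Nix build user, whose /etc/passwd shell is /noshell. Used only by the monkeysphere check phase; disallowedRequisites keeps the patched sshd out of the output closure.` Since the index line names one auth.c revision, that header should also say the patch may need refreshing when openssh is bumped. As a point of style, the temporary is unnecessary and the surrounding OpenSSH code uses block comments, so `pw->pw_shell = "/bin/sh";` preceded by a `/* ... */` comment would match the file; getpwnamallow() begins and ends outside the quoted hunk.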