From ca0c253a8066d32518e015e1befa27879fffcde0 Mon Sep 17 00:00:00 2001
From: Michael Weiss
Date: Thu, 20 Dec 2018 16:41:00 +0100
Subject: [PATCH] monkeysphere: Patch OpenSSH to run the tests in the sandbox
---
 pkgs/tools/security/monkeysphere/default.nix | 32 +++++++++++++------
 .../monkeysphere/openssh-nixos-sandbox.patch | 17 ++++++++++
 2 files changed, 40 insertions(+), 9 deletions(-)
 create mode 100644 pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
diff --git a/pkgs/tools/security/monkeysphere/default.nix b/pkgs/tools/security/monkeysphere/default.nix
index b1c36871fe6b..46be3b98c550 100644
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@@ -2,13 +2,23 @@
 , perl, libassuan, libgcrypt
 , perlPackages, lockfileProgs, gnupg, coreutils
 # For the tests:
-, bash, openssh, which, socat, cpio, hexdump
+, bash, openssh, which, socat, cpio, hexdump, openssl
 }:
-stdenv.mkDerivation rec {
+let
+ # A patch is needed to run the tests inside the Nix sandbox:
+ # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+ # sshd: "User nixbld not allowed because shell /noshell does not exist"
+ opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+ patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+ });
+in stdenv.mkDerivation rec {
 name = "monkeysphere-${version}";
 version = "0.42";
+ # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+ disallowedRequisites = [ opensshUnsafe ];
+
 src = fetchurl {
 url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
 sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
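Review bot: `disallowedRequisites = [ opensshUnsafe ];` references the patched derivation unconditionally, and because that attribute carries the store-path context Nix will, as far as I can tell, build the patched OpenSSH as an input of every monkeysphere build even though `doCheck = false` leaves nothing else referring to it; `disallowedRequisites = stdenv.lib.optional doCheck opensshUnsafe;` keeps the guard exactly where the unsafe binary can appear and avoids a second OpenSSH build otherwise. The override also keeps upstream's package name, so the patched sshd is indistinguishable from the real one in a store listing or closure dump; adding `name = "${oldAttrs.name}-sandbox-test";` to the overrideAttrs set (or the pname equivalent, if that is what openssh sets) makes any stray reference visible at a glance. The guard comment should say what the binary breaks rather than only that it must not be used, e.g. `# The patched sshd ignores the login shell in /etc/passwd for every user, so it MUST NOT end up in the closure (only the check phase may run it):`.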
@@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ makeWrapper ];
 buildInputs = [ perl libassuan libgcrypt ]
 ++ stdenv.lib.optional doCheck
- ([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
+ ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
 (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
 makeFlags = ''
@@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
 DESTDIR=$(out)
 '';
- # The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
- # inside of the sandbox, because nixbld isn't allowed to login via SSH
- # (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
- # sshd: "User nixbld not allowed because shell /noshell does not exist").
+ # The tests should be run (and succeed) when making changes to this package
+ # but they aren't enabled by default because they "drain" entropy (GnuPG
+ # still uses /dev/random).
 doCheck = false;
- preCheck = ''
+ preCheck = stdenv.lib.optionalString doCheck ''
 patchShebangs tests/
 patchShebangs src/
- sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
+ sed -i \
+ -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
+ -e "s,/bin/true,${coreutils}/bin/true," \
+ -e "s,/bin/false,${coreutils}/bin/false," \
+ -e "s,openssl\ req,${openssl}/bin/openssl req," \
 tests/basic
 sed -i "s/<(hd/<(hexdump/" tests/keytrans
 '';
diff --git a/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
new file mode 100644
index 000000000000..2a9a1fc8dfa9
--- /dev/null
+++ b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
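Review bot: The backslash in the new `-e "s,openssl\ req,${openssl}/bin/openssl req," \` line is not doing what it looks like: inside double quotes bash passes `\ ` through unchanged, and the substitution only works because GNU sed reads `\ ` as a plain space (POSIX leaves a backslash before an ordinary character undefined), so it should be written as `-e "s,openssl req,${openssl}/bin/openssl req," \`. Since this sed is the only place the patched sshd is wired in, a comment above it such as `# Point the test harness at the sandbox-only sshd (opensshUnsafe); never the real openssh.` would stop a later cleanup from switching it back to `${openssh}` and silently re-breaking the sandboxed tests. The mkDerivation set this preCheck belongs to begins and ends outside the hunk.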
@@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
++++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+ #endif
+
+ pw = getpwnam(user);
++ if (pw != NULL) {
++ // This is only for testing purposes,
++ // DO NOT USE THIS PATCH IN PRODUCTION!
++ char *shell = "/bin/sh";
++ pw->pw_shell = shell;
++ }
+
+ #if defined(_AIX) && defined(HAVE_SETAUTHDB)
+ aix_restoreauthdb();
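Review bot: The added block forces `pw->pw_shell` to `/bin/sh` for every user that getpwnam() resolves, not only the sandbox's `nixbld` account whose `/noshell` does not exist, so if this sshd were ever run outside the check phase it would admit any account whose shell is a nologin placeholder. Narrowing the override to the case the patch exists for, e.g. `if (pw != NULL && access(pw->pw_shell, X_OK) != 0)`, leaves every user with a real shell untouched and limits the damage if the disallowedRequisites guard is ever lost (auth.c presumably already includes <unistd.h> — confirm). The `//` comments also don't match the `/* */` style used in OpenSSH's C sources, and the warning should name the consequence: `/* Nix sandbox only: substitutes a login shell because the build user has none. DO NOT USE IN PRODUCTION. */`. getpwnamallow begins before and ends after this hunk, so the later shell check that produces the "shell /noshell does not exist" rejection this works around is not visible here.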