authorMichael Weiss <dev.primeos@gmail.com>2018-12-20 16:41:00 +0100
committerMichael Weiss <dev.primeos@gmail.com>2018-12-20 16:50:20 +0100
commitca0c253a8066d32518e015e1befa27879fffcde0 (patch)
tree060a8ca72532cabb7f58b1e7b306464edf3b5997 /pkgs/tools
parent1b84b9f7252205750246eeea56abcff765d56805 (diff)
monkeysphere: Patch OpenSSH to run the tests in the sandbox
Diffstat (limited to 'pkgs/tools')
-rw-r--r--pkgs/tools/security/monkeysphere/default.nix32
-rw-r--r--pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch17
2 files changed, 40 insertions, 9 deletions
diff --git a/pkgs/tools/security/monkeysphere/default.nix b/pkgs/tools/security/monkeysphere/default.nix
index b1c36871fe6b9..46be3b98c5503 100644
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@@ -2,13 +2,23 @@
 , perl, libassuan, libgcrypt
 , perlPackages, lockfileProgs, gnupg, coreutils
 # For the tests:
-, bash, openssh, which, socat, cpio, hexdump
+, bash, openssh, which, socat, cpio, hexdump, openssl
 }:
 
-stdenv.mkDerivation rec {
+let
+  # A patch is needed to run the tests inside the Nix sandbox:
+  # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+  # sshd: "User nixbld not allowed because shell /noshell does not exist"
+  opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+  });
+in stdenv.mkDerivation rec {
   name = "monkeysphere-${version}";
   version = "0.42";
 
+  # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+  disallowedRequisites = [ opensshUnsafe ];
+
   src = fetchurl {
     url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
     sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
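Review bot: `oldAttrs.patches ++ [ ... ]` in the `opensshUnsafe` override fails to evaluate if the openssh derivation ever stops defining a `patches` attribute; `patches = (oldAttrs.patches or []) ++ [ ./openssh-nixos-sandbox.patch ];` keeps the override working either way. The `disallowedRequisites` line is what actually enforces the "MUST NOT be used" comment above it — the build fails if the patched sshd ends up in the output closure — so the comment is more useful if it says so: `# Enforced by disallowedRequisites: the build fails if the patched sshd leaks into the output closure.` The mkDerivation body continues outside the hunk.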
@@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ perl libassuan libgcrypt ]
     ++ stdenv.lib.optional doCheck
-      ([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
+      ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
       (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
 
   makeFlags = ''
@@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
     DESTDIR=$(out)
   '';
 
-  # The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
-  # inside of the sandbox, because nixbld isn't allowed to login via SSH
-  # (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
-  # sshd: "User nixbld not allowed because shell /noshell does not exist").
+  # The tests should be run (and succeed) when making changes to this package
+  # but they aren't enabled by default because they "drain" entropy (GnuPG
+  # still uses /dev/random).
   doCheck = false;
-  preCheck = ''
+  preCheck = stdenv.lib.optionalString doCheck ''
     patchShebangs tests/
     patchShebangs src/
-    sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
+    sed -i \
+      -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
+      -e "s,/bin/true,${coreutils}/bin/true," \
+      -e "s,/bin/false,${coreutils}/bin/false," \
+      -e "s,openssl\ req,${openssl}/bin/openssl req," \
+      tests/basic
     sed -i "s/<(hd/<(hexdump/" tests/keytrans
   '';
 
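Review bot: The fourth sed expression, `-e "s,openssl\ req,${openssl}/bin/openssl req,"`, carries a backslash it does not need: inside a double-quoted shell word the backslash-space pair reaches sed unchanged, so the match then depends on sed treating an escaped space as a literal space. `-e "s,openssl req,${openssl}/bin/openssl req,"` matches the same text without that dependency. Wrapping preCheck in `stdenv.lib.optionalString doCheck` is also what keeps `${opensshUnsafe}` from being interpolated (and thus built) at all while checks are disabled, which deserves a one-line comment on the `preCheck` line since it is not obvious why an otherwise unconditional hook is made conditional.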
diff --git a/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
new file mode 100644
index 0000000000000..2a9a1fc8dfa94
--- /dev/null
+++ b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
@@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
++++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+ #endif
+ 
+ 	pw = getpwnam(user);
++        if (pw != NULL) {
++		// This is only for testing purposes,
++		// DO NOT USE THIS PATCH IN PRODUCTION!
++		char *shell = "/bin/sh";
++		pw->pw_shell = shell;
++        }
+ 
+ #if defined(_AIX) && defined(HAVE_SETAUTHDB)
+ 	aix_restoreauthdb();
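Review bot: The added block rewrites `pw->pw_shell` for every user that getpwnamallow resolves, not only the sandbox build user, so nothing in the patched binary itself limits the effect to the test scenario; the only safeguard is `disallowedRequisites` in default.nix. Because the sandbox build (and therefore the test sshd) runs as the nixbld user named in the default.nix comment, narrowing the condition to `if (pw != NULL && pw->pw_uid == getuid()) {` confines the override to that single account. The replacement value `/bin/sh` presumably relies on the Nix sandbox providing that path; a short comment saying so would help the next maintainer. As a point of style, the `if (` and closing `}` lines are indented with spaces while the surrounding auth.c lines use tabs. getpwnamallow continues outside the hunk.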