Diffstat (limited to 'pkgs/tools/security/monkeysphere/default.nix')
-rw-r--r-- | pkgs/tools/security/monkeysphere/default.nix | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/pkgs/tools/security/monkeysphere/default.nix b/pkgs/tools/security/monkeysphere/default.nix
index 0ce44b11acc54..114ba57e17005 100644
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@@ -2,13 +2,23 @@
 , perl, libassuan, libgcrypt
 , perlPackages, lockfileProgs, gnupg, coreutils
 # For the tests:
-, bash, openssh, which, socat, cpio, hexdump
+, bash, openssh, which, socat, cpio, hexdump, openssl
 }:
 
-stdenv.mkDerivation rec {
+let
+  # A patch is needed to run the tests inside the Nix sandbox:
+  # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+  # sshd: "User nixbld not allowed because shell /noshell does not exist"
+  opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+  });
+in stdenv.mkDerivation rec {
   name = "monkeysphere-${version}";
   version = "0.42";
 
+  # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+  disallowedRequisites = [ opensshUnsafe ];
+
   src = fetchurl {
     url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
     sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
@@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ makeWrapper ];
   buildInputs = [ perl libassuan libgcrypt ]
     ++ stdenv.lib.optional doCheck
-      ([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
+      ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
        (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
 
   makeFlags = ''
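Review bot: `disallowedRequisites = [ opensshUnsafe ];` references the patched OpenSSH unconditionally, and as far as I can tell a store path carrying string context makes that derivation a build input, so the patched sshd gets built on every build even though with `doCheck = false` nothing else can pull it into the closure; `disallowedRequisites = stdenv.lib.optional doCheck opensshUnsafe;` keeps the guard exactly when the check phase can actually leak the binary. The comment above the `let` explains why the patch is needed but not what it changes in sshd, and since the binding is deliberately named `Unsafe` a reader should not have to open the patch file — from the quoted error it looks like the login-shell check, so something like `# The patch relaxes sshd's login-shell check so nixbld can log in; this sshd is` `# test-only and must never reach the output closure (see disallowedRequisites).` would state it. `oldAttrs.patches ++` also assumes `openssh` always defines `patches`; `(oldAttrs.patches or []) ++` is the defensive form. The `mkDerivation` body continues past the hunk.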
@@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
     DESTDIR=$(out)
   '';
 
-  # The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
-  # inside of the sandbox, because nixbld isn't allowed to login via SSH
-  # (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
-  # sshd: "User nixbld not allowed because shell /noshell does not exist").
+  # The tests should be run (and succeed) when making changes to this package
+  # but they aren't enabled by default because they "drain" entropy (GnuPG
+  # still uses /dev/random).
   doCheck = false;
 
-  preCheck = ''
+  preCheck = stdenv.lib.optionalString doCheck ''
     patchShebangs tests/
     patchShebangs src/
-    sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
+    sed -i \
+      -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
+      -e "s,/bin/true,${coreutils}/bin/true," \
+      -e "s,/bin/false,${coreutils}/bin/false," \
+      -e "s,openssl\ req,${openssl}/bin/openssl req," \
+      tests/basic
     sed -i "s/<(hd/<(hexdump/" tests/keytrans
   '';
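Review bot: The backslash in `-e "s,openssl\ req,${openssl}/bin/openssl req," \` is superfluous and slightly fragile: inside double quotes bash passes `\ ` through unchanged, so sed receives `openssl\ req` and only matches because GNU sed treats an unknown escape as the literal character; `-e "s,openssl req,${openssl}/bin/openssl req," \` is the portable spelling. All four substitutions succeed silently when a pattern is absent from `tests/basic`, so an upstream edit to the test script would leave `/bin/true` or `openssl req` unpatched and the check phase would fail with an unrelated-looking error; a `grep -q -- "${opensshUnsafe}/bin/sshd" tests/basic` (and likewise for the other replaced paths) right after the `sed` makes the breakage point obvious. The `/bin/true` and `/bin/false` patterns are unanchored, so if the script ever used `/usr/bin/true` it would become `/usr${coreutils}/bin/true`; I cannot see `tests/basic` from here, so this may be moot. The `mkDerivation` body continues past the hunk.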