[arch-commits] Commit in man-db/repos (8 files)

Andreas Radke andyrtr at archlinux.org
Thu Feb 8 19:42:51 UTC 2018


    Date: Thursday, February 8, 2018 @ 19:42:50
  Author: andyrtr
Revision: 316466

archrelease: copy trunk to testing-x86_64

Added:
  man-db/repos/testing-x86_64/
  man-db/repos/testing-x86_64/PKGBUILD
    (from rev 316465, man-db/trunk/PKGBUILD)
  man-db/repos/testing-x86_64/convert-mans
    (from rev 316465, man-db/trunk/convert-mans)
  man-db/repos/testing-x86_64/fix_manconv_under_seccomp_when_man_is_setuid.diff
    (from rev 316465, man-db/trunk/fix_manconv_under_seccomp_when_man_is_setuid.diff)
  man-db/repos/testing-x86_64/man-db.install
    (from rev 316465, man-db/trunk/man-db.install)
  man-db/repos/testing-x86_64/man-db.service
    (from rev 316465, man-db/trunk/man-db.service)
  man-db/repos/testing-x86_64/man-db.timer
    (from rev 316465, man-db/trunk/man-db.timer)
  man-db/repos/testing-x86_64/refactor_do_system_drop_privs.diff
    (from rev 316465, man-db/trunk/refactor_do_system_drop_privs.diff)

---------------------------------------------------+
 PKGBUILD                                          |   77 ++++++++++++
 convert-mans                                      |   11 +
 fix_manconv_under_seccomp_when_man_is_setuid.diff |  127 ++++++++++++++++++++
 man-db.install                                    |   11 +
 man-db.service                                    |   12 +
 man-db.timer                                      |    7 +
 refactor_do_system_drop_privs.diff                |  121 +++++++++++++++++++
 7 files changed, 366 insertions(+)

Copied: man-db/repos/testing-x86_64/PKGBUILD (from rev 316465, man-db/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,77 @@
+# $Id$
+# Maintainer: Andreas Radke <andyrtr at archlinux.org>
+# Contributor: Sergej Pupykin <sergej at aur.archlinux.org>
+
+pkgname=man-db
+pkgver=2.8.0
+pkgrel=2
+pkgdesc="A utility for reading man pages"
+arch=('x86_64')
+url="http://www.nongnu.org/man-db/"
+license=('GPL' 'LGPL')
+groups=('base')
+depends=( 'bash' 'gdbm' 'zlib' 'groff' 'libpipeline' 'less' 'libseccomp')
+makedepends=('po4a')
+optdepends=('gzip')
+backup=('etc/man_db.conf')
+conflicts=('man')
+provides=('man')
+replaces=('man')
+install=${pkgname}.install
+source=(https://download-mirror.savannah.gnu.org/releases/man-db/$pkgname-$pkgver.tar.xz{,.sig}
+        fix_manconv_under_seccomp_when_man_is_setuid.diff
+        refactor_do_system_drop_privs.diff
+        convert-mans
+        man-db.{timer,service})
+sha512sums=('06f52ecd6e7ced858a32117ea4be3ed5fc3d4428cb810d31b85dd75556e999f5badc6eb81f642b56afe2a697462ccca9fd8cc5ecfbd40f132d5a74f84f316d39'
+            'SKIP'
+            'd9a16db27cb6bf4d6d134f2e18d8eedf136ac258a2ad76fdd59ff617bf532fe474eef39856d623c7773eb6e0f8de76f0eaaee846ef4dc02a84b6f62e449821d7'
+            '1ab8fc3a88dec9dae05fdbfaac8d1c8d37be203f0d37734ef7fbe802590a8d682a9c55ec84608e42e34b2b7cf1640c63c094c733a7f7c21b07e0c9d0e891db03'
+            '0b159285da20008f0fc0afb21f1eaebd39e8df5b0594880aa0e8a913b656608b8d16bb8d279d9e62d7aae52f62cb9b2fc49e237c6711f4a5170972b38d345535'
+            '2ed529500fbe18ba00ac7a6fc4c9da59e396464afb256db33f462b1127e497916602370e65e485c8d788c839f5b1b1130028502f61e1cc9ec8571ad6dd993738'
+            '76f8d51866418b612a72deaf3b07134d416a6d014dd3883fa78e08683c6b08553f483a4384ac87da25ac9896faa4807842fc69c42950cefe3c1c0590883aa600')
+validpgpkeys=('AC0A4FF12611B6FCCF01C111393587D97D86500B') # Colin Watson <cjwatson at debian.org>
+
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -Np1 -i $srcdir/refactor_do_system_drop_privs.diff
+  # FS#57436
+  patch -Np1 -i $srcdir/fix_manconv_under_seccomp_when_man_is_setuid.diff
+}
+
+build() {
+  cd ${pkgname}-${pkgver}
+  ./configure --prefix=/usr \
+    --sbindir=/usr/bin \
+    --sysconfdir=/etc \
+    --libexecdir=/usr/lib \
+    --with-db=gdbm \
+    --disable-setuid \
+    --enable-cache-owner=root \
+    --enable-mandirs=GNU \
+    --with-sections="1 n l 8 3 0 2 5 4 9 6 7"
+  make
+}
+
+check() {
+  cd ${pkgname}-${pkgver}
+  make check
+}
+
+package() {
+  cd ${pkgname}-${pkgver}
+  make DESTDIR=${pkgdir} install
+
+  # part of groff pkg
+  rm -f ${pkgdir}/usr/bin/zsoelim
+
+  # script from LFS to convert manpages, see
+  # http://www.linuxfromscratch.org/lfs/view/6.4/chapter06/man-db.html
+  install -D -m755 ${srcdir}/convert-mans  ${pkgdir}/usr/bin/convert-mans
+
+  # install man-db update timer
+  install -D -m644 ${srcdir}/man-db.timer ${pkgdir}/usr/lib/systemd/system/man-db.timer
+  install -D -m644 ${srcdir}/man-db.service ${pkgdir}/usr/lib/systemd/system/man-db.service
+  install -d -m755 ${pkgdir}/usr/lib/systemd/system/multi-user.target.wants
+  ln -s ../man-db.timer ${pkgdir}//usr/lib/systemd/system/multi-user.target.wants/man-db.timer
+}
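Review bot: `$srcdir` and `${pkgdir}` are expanded unquoted throughout prepare() and package(), so a build path containing whitespace would be split into separate words for `patch`, `rm -f`, `install` and `ln -s`. Quoting each expansion avoids that, e.g. `patch -Np1 -i "$srcdir/refactor_do_system_drop_privs.diff"` and `rm -f "${pkgdir}/usr/bin/zsoelim"`; the `${pkgdir}//usr/lib/...` target of the `ln -s` line also carries a stray double slash. The two patches are order-dependent, because the seccomp fix calls `drop_privs`, which the refactor patch introduces. A comment above the first `patch` line, such as `# must be applied before the FS#57436 fix: it adds drop_privs()`, would keep a later reorder from breaking the build.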

Copied: man-db/repos/testing-x86_64/convert-mans (from rev 316465, man-db/trunk/convert-mans)
===================================================================
--- testing-x86_64/convert-mans	                        (rev 0)
+++ testing-x86_64/convert-mans	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+FROM="$1"
+TO="$2"
+shift ; shift
+while [ $# -gt 0 ]
+do
+        FILE="$1"
+        shift
+        iconv -f "$FROM" -t "$TO" "$FILE" >.tmp.iconv
+        mv .tmp.iconv "$FILE"
+done
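Review bot: The loop redirects iconv output to the fixed name `.tmp.iconv` in the current working directory, so the redirect follows whatever already exists under that name (a symlink left in a shared directory, for instance), and two runs in the same directory overwrite each other's output. Creating the temporary file beside the target with mktemp gives it an unpredictable name and keeps the `mv` on one filesystem. Because mktemp creates the file with mode 0600, the page's original mode has to be restored before the `mv`. With `-e`, a failing iconv currently leaves the temporary file behind, which a `trap` can clean up.

```shell
# … unchanged: FROM/TO parsing and loop header …
        shift
        # temp file beside the target: unpredictable name, same filesystem for mv
        tmp=$(mktemp "$(dirname "$FILE")/.iconv.XXXXXX")
        trap 'rm -f "$tmp"' EXIT
        iconv -f "$FROM" -t "$TO" "$FILE" >"$tmp"
        # mktemp creates the file 0600; keep the page's original mode (GNU chmod)
        chmod --reference="$FILE" "$tmp"
        mv "$tmp" "$FILE"
```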

Copied: man-db/repos/testing-x86_64/fix_manconv_under_seccomp_when_man_is_setuid.diff (from rev 316465, man-db/trunk/fix_manconv_under_seccomp_when_man_is_setuid.diff)
===================================================================
--- testing-x86_64/fix_manconv_under_seccomp_when_man_is_setuid.diff	                        (rev 0)
+++ testing-x86_64/fix_manconv_under_seccomp_when_man_is_setuid.diff	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,127 @@
+From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson at debian.org>
+Date: Wed, 7 Feb 2018 13:44:30 +0000
+Subject: Fix manconv under seccomp when man is setuid
+
+We must drop privileges before loading the sandbox.
+
+Reported by Lars Wendler.
+
+* src/manconv_client.c (manconv_pre_exec): New function.
+(manconv_stdin): Move setuid hack to ...
+(add_manconv): ... here, now implemented using a custom pre-exec hook.
+We no longer have a fall-through if dropping privileges fails, since
+that's now harder to do and wasn't really necessary in the first place.
+---
+ src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 45 insertions(+), 35 deletions(-)
+
+diff --git a/src/manconv_client.c b/src/manconv_client.c
+index d6e010b..41ce479 100644
+--- a/src/manconv_client.c
++++ b/src/manconv_client.c
+@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
+ 	struct manconv_codes *codes = data;
+ 	pipeline *p;
+ 
+-#ifdef MAN_OWNER
+-	/* iconv_open may not work correctly in setuid processes; in GNU
+-	 * libc, gconv modules may be linked against other gconv modules and
+-	 * rely on RPATH $ORIGIN to load those modules from the correct
+-	 * path, but $ORIGIN is disabled in setuid processes.  It is
+-	 * impossible to reset libc's idea of setuidness without creating a
+-	 * whole new process image.  Therefore, if the calling process is
+-	 * setuid, we must drop privileges and execute manconv.
+-	 *
+-	 * If dropping privileges fails, fall through to the in-process
+-	 * code, as in some situations it may actually manage to work.
+-	 */
+-	if (running_setuid () && !idpriv_drop ()) {
+-		char **from_code;
+-		char *sources = NULL;
+-		pipecmd *cmd;
+-
+-		for (from_code = codes->from; *from_code; ++from_code) {
+-			sources = appendstr (sources, *from_code, NULL);
+-			if (*(from_code + 1))
+-				sources = appendstr (sources, ":", NULL);
+-		}
+-
+-		cmd = pipecmd_new_args (MANCONV, "-f", sources,
+-					"-t", codes->to, NULL);
+-		free (sources);
+-
+-		if (quiet >= 2)
+-			pipecmd_arg (cmd, "-q");
+-
+-		pipecmd_exec (cmd);
+-		/* never returns */
+-	}
+-#endif /* MAN_OWNER */
+-
+ 	p = decompress_fdopen (dup (STDIN_FILENO));
+ 	pipeline_start (p);
+ 	manconv (p, codes->from, codes->to);
+@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
+ 	pipeline_free (p);
+ }
+ 
++#ifdef MAN_OWNER
++static void manconv_pre_exec (void *data)
++{
++	/* We must drop privileges before loading the sandbox, since our
++	 * seccomp filter doesn't allow setresuid and friends.
++	 */
++	drop_privs (NULL);
++	sandbox_load (data);
++}
++#endif /* MAN_OWNER */
++
+ static void free_manconv_codes (void *data)
+ {
+ 	struct manconv_codes *codes = data;
+@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
+ 	name = appendstr (name, " -t ", codes->to, NULL);
+ 	if (quiet >= 2)
+ 		name = appendstr (name, " -q", NULL);
++
++#ifdef MAN_OWNER
++	/* iconv_open may not work correctly in setuid processes; in GNU
++	 * libc, gconv modules may be linked against other gconv modules and
++	 * rely on RPATH $ORIGIN to load those modules from the correct
++	 * path, but $ORIGIN is disabled in setuid processes.  It is
++	 * impossible to reset libc's idea of setuidness without creating a
++	 * whole new process image.  Therefore, if the calling process is
++	 * setuid, we must drop privileges and execute manconv.
++	 */
++	if (running_setuid ()) {
++		char **from_code;
++		char *sources = NULL;
++
++		cmd = pipecmd_new_args (MANCONV, "-f", NULL);
++		for (from_code = codes->from; *from_code; ++from_code) {
++			sources = appendstr (sources, *from_code, NULL);
++			if (*(from_code + 1))
++				sources = appendstr (sources, ":", NULL);
++		}
++		pipecmd_arg (cmd, sources);
++		free (sources);
++		pipecmd_args (cmd, "-t", codes->to, NULL);
++		if (quiet >= 2)
++			pipecmd_arg (cmd, "-q");
++		pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
++				  sandbox);
++		free (name);
++		free_manconv_codes (codes);
++		pipeline_command (p, cmd);
++		return;
++	}
++#endif /* MAN_OWNER */
++
+ 	cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
+ 				    codes);
+ 	free (name);
+-- 
+cgit v1.0-41-gc330
+
+
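Review bot: manconv_pre_exec calls `drop_privs (NULL)` and goes straight on to `sandbox_load (data)` with no way to observe a failed drop, so the hook is only safe if drop_privs never returns after a failure. In the companion refactor_do_system_drop_privs.diff, drop_privs calls `gripe_set_euid ()` when `idpriv_drop ()` fails, and whether that terminates the process is not visible on this page; the browser hook in make_browser relies on the same behaviour. The existing comment should state the invariant, e.g. `/* drop_privs must not return on failure, or manconv would be exec'd still privileged. */`. Separately, the setuid branch of add_manconv (which begins outside the hunk) passes `sources` to `pipecmd_arg` even if `codes->from` is empty and `sources` is still NULL, so a guard is needed if that case can occur.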

Copied: man-db/repos/testing-x86_64/man-db.install (from rev 316465, man-db/trunk/man-db.install)
===================================================================
--- testing-x86_64/man-db.install	                        (rev 0)
+++ testing-x86_64/man-db.install	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,11 @@
+post_upgrade() {
+  # force database rebuild as recommended per upstream
+  if [ "`vercmp $2 2.7.0`" -lt 0 ]; then
+     echo "(re)building database..."
+     mandb -c --quiet
+  fi
+}
+
+post_remove() {
+  rm -rf /var/cache/man
+}

Copied: man-db/repos/testing-x86_64/man-db.service (from rev 316465, man-db/trunk/man-db.service)
===================================================================
--- testing-x86_64/man-db.service	                        (rev 0)
+++ testing-x86_64/man-db.service	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update man-db cache
+RequiresMountsFor=/var/cache/man
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/mkdir -p /var/cache/man
+ExecStart=/usr/bin/mandb
+CPUSchedulingPolicy=batch
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
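Review bot: The [Service] section sets only scheduling options, so with no `User=` line `mandb` runs as root with the default service privileges while it parses every installed man page. The unit only needs to write the cache, so sandboxing directives would narrow that: `NoNewPrivileges=yes`, `PrivateTmp=yes`, and `ProtectSystem=strict` with `ReadWritePaths=/var/cache`. The parent directory is suggested because the first `ExecStart` may still have to create /var/cache/man. Confirm first that mandb writes nowhere else with this build's configuration.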

Copied: man-db/repos/testing-x86_64/man-db.timer (from rev 316465, man-db/trunk/man-db.timer)
===================================================================
--- testing-x86_64/man-db.timer	                        (rev 0)
+++ testing-x86_64/man-db.timer	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,7 @@
+[Unit]
+Description=Daily man-db cache update
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1d
+Persistent=true

Copied: man-db/repos/testing-x86_64/refactor_do_system_drop_privs.diff (from rev 316465, man-db/trunk/refactor_do_system_drop_privs.diff)
===================================================================
--- testing-x86_64/refactor_do_system_drop_privs.diff	                        (rev 0)
+++ testing-x86_64/refactor_do_system_drop_privs.diff	2018-02-08 19:42:50 UTC (rev 316466)
@@ -0,0 +1,121 @@
+From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson at debian.org>
+Date: Wed, 7 Feb 2018 12:23:15 +0000
+Subject: Refactor do_system_drop_privs
+
+Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
+
+* lib/security.c (drop_privs): New function.
+(do_system_drop_privs_child, do_system_drop_privs): Remove.
+* lib/security.h (drop_privs): Add prototype.
+(do_system_drop_privs): Remove prototype.
+* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
+command.
+(format_display): Call browser using pipeline_run rather than
+do_system_drop_privs, since it now has a pre-exec hook to drop
+privileges.
+---
+ lib/security.c | 37 +++----------------------------------
+ lib/security.h |  2 +-
+ src/man.c      |  7 +++++--
+ 3 files changed, 9 insertions(+), 37 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 6e84de8..c9b365d 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -158,42 +158,11 @@ void regain_effective_privs (void)
+ #endif /* MAN_OWNER */
+ }
+ 
+-#ifdef MAN_OWNER
+-void do_system_drop_privs_child (void *data)
++/* Pipeline command pre-exec hook to permanently drop privileges. */
++void drop_privs (void *data ATTRIBUTE_UNUSED)
+ {
+-	pipeline *p = data;
+-
++#ifdef MAN_OWNER
+ 	if (idpriv_drop ())
+ 		gripe_set_euid ();
+-	exit (pipeline_run (p));
+-}
+-#endif /* MAN_OWNER */
+-
+-/* The safest way to execute a pipeline with no effective privileges is to
+- * fork, permanently drop privileges in the child, run the pipeline from the
+- * child, and wait for it to die.
+- *
+- * It is possible to use saved IDs to avoid the fork, since effective IDs
+- * are copied to saved IDs on execve; we used to do this.  However, forking
+- * is not expensive enough to justify the extra code.
+- *
+- * Note that this frees the supplied pipeline.
+- */
+-int do_system_drop_privs (pipeline *p)
+-{
+-#ifdef MAN_OWNER
+-	pipecmd *child_cmd;
+-	pipeline *child;
+-	int status;
+-
+-	child_cmd = pipecmd_new_function ("unprivileged child",
+-					  do_system_drop_privs_child, NULL, p);
+-	child = pipeline_new_commands (child_cmd, NULL);
+-	status = pipeline_run (child);
+-
+-	pipeline_free (p);
+-	return status;
+-#else  /* !MAN_OWNER */
+-	return pipeline_run (p);
+ #endif /* MAN_OWNER */
+ }
+diff --git a/lib/security.h b/lib/security.h
+index 7545502..851127d 100644
+--- a/lib/security.h
++++ b/lib/security.h
+@@ -27,7 +27,7 @@
+ /* security.c */
+ extern void drop_effective_privs (void);
+ extern void regain_effective_privs (void);
+-extern int do_system_drop_privs (struct pipeline *p);
++extern void drop_privs (void *data);
+ extern void init_security (void);
+ extern int running_setuid (void);
+ extern struct passwd *get_man_owner (void);
+diff --git a/src/man.c b/src/man.c
+index 959d6cc..ff7ebc7 100644
+--- a/src/man.c
++++ b/src/man.c
+@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
+ static pipeline *make_browser (const char *pattern, const char *file)
+ {
+ 	pipeline *p;
++	pipecmd *cmd;
+ 	char *browser = xmalloc (1);
+ 	int found_percent_s = 0;
+ 	char *percent;
+@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
+ 		free (esc_file);
+ 	}
+ 
+-	p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
++	cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
++	pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
++	p = pipeline_new_commands (cmd, NULL);
+ 	pipeline_ignore_signals (p, 1);
+ 	free (browser);
+ 
+@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
+ 			pipeline *browser;
+ 			debug ("Trying browser: %s\n", candidate);
+ 			browser = make_browser (candidate, htmlfile);
+-			disp_status = do_system_drop_privs (browser);
++			disp_status = pipeline_run (browser);
+ 			if (!disp_status)
+ 				break;
+ 		}
+-- 
+cgit v1.0-41-gc330
+
+
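Review bot: After this change the privilege drop for the browser is attached to a single command through `pipecmd_pre_exec (cmd, drop_privs, NULL, NULL)`, whereas the removed do_system_drop_privs dropped privileges once for the whole pipeline in a forked child. make_browser builds only one command today, but a command added to `p` later without its own hook would run with man's privileges, and nothing in the code records that. A comment above the call would make it explicit, e.g. `/* Every command added to this pipeline needs the drop_privs hook; format_display runs it with plain pipeline_run. */`. make_browser and format_display both begin and end outside the hunks shown.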


