[arch-commits] Commit in man-db/trunk (3 files)

Andreas Radke andyrtr at archlinux.org
Fri Feb 9 18:19:04 UTC 2018


    Date: Friday, February 9, 2018 @ 18:19:03
  Author: andyrtr
Revision: 316532

upgpkg: man-db 2.8.1-1

upstream update 2.8.1

Modified:
  man-db/trunk/PKGBUILD
Deleted:
  man-db/trunk/fix_manconv_under_seccomp_when_man_is_setuid.diff
  man-db/trunk/refactor_do_system_drop_privs.diff

---------------------------------------------------+
 PKGBUILD                                          |   22 ---
 fix_manconv_under_seccomp_when_man_is_setuid.diff |  127 --------------------
 refactor_do_system_drop_privs.diff                |  121 -------------------
 3 files changed, 6 insertions(+), 264 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-02-09 18:16:57 UTC (rev 316531)
+++ PKGBUILD	2018-02-09 18:19:03 UTC (rev 316532)
@@ -3,8 +3,8 @@
 # Contributor: Sergej Pupykin <sergej at aur.archlinux.org>
 
 pkgname=man-db
-pkgver=2.8.0
-pkgrel=2
+pkgver=2.8.1
+pkgrel=1
 pkgdesc="A utility for reading man pages"
 arch=('x86_64')
 url="http://www.nongnu.org/man-db/"
@@ -18,27 +18,17 @@
 provides=('man')
 replaces=('man')
 install=${pkgname}.install
-source=(https://download-mirror.savannah.gnu.org/releases/man-db/$pkgname-$pkgver.tar.xz{,.sig}
-        fix_manconv_under_seccomp_when_man_is_setuid.diff
-        refactor_do_system_drop_privs.diff
+source=(#https://download-mirror.savannah.gnu.org/releases/man-db/$pkgname-$pkgver.tar.xz{,.sig}
+        https://savannah.nongnu.org/download/man-db/$pkgname-$pkgver.tar.xz{,.asc}
         convert-mans
         man-db.{timer,service})
-sha512sums=('06f52ecd6e7ced858a32117ea4be3ed5fc3d4428cb810d31b85dd75556e999f5badc6eb81f642b56afe2a697462ccca9fd8cc5ecfbd40f132d5a74f84f316d39'
+validpgpkeys=('AC0A4FF12611B6FCCF01C111393587D97D86500B') # Colin Watson <cjwatson at debian.org>
+sha512sums=('82e75df32eb8575f47c3f36b5f2bbc827776747abfa39af589802e6566636c0771df0ee3197cb2bec3318c3055ff4e9d04c7da13b3bc6ea8a1ea1b1340554ef0'
             'SKIP'
-            'd9a16db27cb6bf4d6d134f2e18d8eedf136ac258a2ad76fdd59ff617bf532fe474eef39856d623c7773eb6e0f8de76f0eaaee846ef4dc02a84b6f62e449821d7'
-            '1ab8fc3a88dec9dae05fdbfaac8d1c8d37be203f0d37734ef7fbe802590a8d682a9c55ec84608e42e34b2b7cf1640c63c094c733a7f7c21b07e0c9d0e891db03'
             '0b159285da20008f0fc0afb21f1eaebd39e8df5b0594880aa0e8a913b656608b8d16bb8d279d9e62d7aae52f62cb9b2fc49e237c6711f4a5170972b38d345535'
             '2ed529500fbe18ba00ac7a6fc4c9da59e396464afb256db33f462b1127e497916602370e65e485c8d788c839f5b1b1130028502f61e1cc9ec8571ad6dd993738'
             '76f8d51866418b612a72deaf3b07134d416a6d014dd3883fa78e08683c6b08553f483a4384ac87da25ac9896faa4807842fc69c42950cefe3c1c0590883aa600')
-validpgpkeys=('AC0A4FF12611B6FCCF01C111393587D97D86500B') # Colin Watson <cjwatson at debian.org>
 
-prepare() {
-  cd ${pkgname}-${pkgver}
-  patch -Np1 -i $srcdir/refactor_do_system_drop_privs.diff
-  # FS#57436
-  patch -Np1 -i $srcdir/fix_manconv_under_seccomp_when_man_is_setuid.diff
-}
-
 build() {
   cd ${pkgname}-${pkgver}
   ./configure --prefix=/usr \
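Review bot: The old mirror URL is left commented out inside the `source=(` array on the first added line, which keeps dead text in the array and gives no reason for the host change; I would delete it and, if the reason matters, record it above the array, e.g. `# download-mirror.savannah.gnu.org dropped: <reason>`. The checksum list still lines up with the new source list (tarball, `'SKIP'` for the `.asc`, then the three local files), and the signature is still pinned through `validpgpkeys`, so integrity checking looks intact. Removing `prepare()` drops the two patches that make setuid man drop privileges before loading the seccomp sandbox (FS#57436); they are presumably part of 2.8.1, but nothing on this page shows that, so it is worth confirming against the upstream release notes and saying so in the commit message. `build()` continues outside the hunk.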

Deleted: fix_manconv_under_seccomp_when_man_is_setuid.diff
===================================================================
--- fix_manconv_under_seccomp_when_man_is_setuid.diff	2018-02-09 18:16:57 UTC (rev 316531)
+++ fix_manconv_under_seccomp_when_man_is_setuid.diff	2018-02-09 18:19:03 UTC (rev 316532)
@@ -1,127 +0,0 @@
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson at debian.org>
-Date: Wed, 7 Feb 2018 13:44:30 +0000
-Subject: Fix manconv under seccomp when man is setuid
-
-We must drop privileges before loading the sandbox.
-
-Reported by Lars Wendler.
-
-* src/manconv_client.c (manconv_pre_exec): New function.
-(manconv_stdin): Move setuid hack to ...
-(add_manconv): ... here, now implemented using a custom pre-exec hook.
-We no longer have a fall-through if dropping privileges fails, since
-that's now harder to do and wasn't really necessary in the first place.
----
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
- 1 file changed, 45 insertions(+), 35 deletions(-)
-
-diff --git a/src/manconv_client.c b/src/manconv_client.c
-index d6e010b..41ce479 100644
---- a/src/manconv_client.c
-+++ b/src/manconv_client.c
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
- 	struct manconv_codes *codes = data;
- 	pipeline *p;
- 
--#ifdef MAN_OWNER
--	/* iconv_open may not work correctly in setuid processes; in GNU
--	 * libc, gconv modules may be linked against other gconv modules and
--	 * rely on RPATH $ORIGIN to load those modules from the correct
--	 * path, but $ORIGIN is disabled in setuid processes.  It is
--	 * impossible to reset libc's idea of setuidness without creating a
--	 * whole new process image.  Therefore, if the calling process is
--	 * setuid, we must drop privileges and execute manconv.
--	 *
--	 * If dropping privileges fails, fall through to the in-process
--	 * code, as in some situations it may actually manage to work.
--	 */
--	if (running_setuid () && !idpriv_drop ()) {
--		char **from_code;
--		char *sources = NULL;
--		pipecmd *cmd;
--
--		for (from_code = codes->from; *from_code; ++from_code) {
--			sources = appendstr (sources, *from_code, NULL);
--			if (*(from_code + 1))
--				sources = appendstr (sources, ":", NULL);
--		}
--
--		cmd = pipecmd_new_args (MANCONV, "-f", sources,
--					"-t", codes->to, NULL);
--		free (sources);
--
--		if (quiet >= 2)
--			pipecmd_arg (cmd, "-q");
--
--		pipecmd_exec (cmd);
--		/* never returns */
--	}
--#endif /* MAN_OWNER */
--
- 	p = decompress_fdopen (dup (STDIN_FILENO));
- 	pipeline_start (p);
- 	manconv (p, codes->from, codes->to);
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
- 	pipeline_free (p);
- }
- 
-+#ifdef MAN_OWNER
-+static void manconv_pre_exec (void *data)
-+{
-+	/* We must drop privileges before loading the sandbox, since our
-+	 * seccomp filter doesn't allow setresuid and friends.
-+	 */
-+	drop_privs (NULL);
-+	sandbox_load (data);
-+}
-+#endif /* MAN_OWNER */
-+
- static void free_manconv_codes (void *data)
- {
- 	struct manconv_codes *codes = data;
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
- 	name = appendstr (name, " -t ", codes->to, NULL);
- 	if (quiet >= 2)
- 		name = appendstr (name, " -q", NULL);
-+
-+#ifdef MAN_OWNER
-+	/* iconv_open may not work correctly in setuid processes; in GNU
-+	 * libc, gconv modules may be linked against other gconv modules and
-+	 * rely on RPATH $ORIGIN to load those modules from the correct
-+	 * path, but $ORIGIN is disabled in setuid processes.  It is
-+	 * impossible to reset libc's idea of setuidness without creating a
-+	 * whole new process image.  Therefore, if the calling process is
-+	 * setuid, we must drop privileges and execute manconv.
-+	 */
-+	if (running_setuid ()) {
-+		char **from_code;
-+		char *sources = NULL;
-+
-+		cmd = pipecmd_new_args (MANCONV, "-f", NULL);
-+		for (from_code = codes->from; *from_code; ++from_code) {
-+			sources = appendstr (sources, *from_code, NULL);
-+			if (*(from_code + 1))
-+				sources = appendstr (sources, ":", NULL);
-+		}
-+		pipecmd_arg (cmd, sources);
-+		free (sources);
-+		pipecmd_args (cmd, "-t", codes->to, NULL);
-+		if (quiet >= 2)
-+			pipecmd_arg (cmd, "-q");
-+		pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
-+				  sandbox);
-+		free (name);
-+		free_manconv_codes (codes);
-+		pipeline_command (p, cmd);
-+		return;
-+	}
-+#endif /* MAN_OWNER */
-+
- 	cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
- 				    codes);
- 	free (name);
--- 
-cgit v1.0-41-gc330
-
-

Deleted: refactor_do_system_drop_privs.diff
===================================================================
--- refactor_do_system_drop_privs.diff	2018-02-09 18:16:57 UTC (rev 316531)
+++ refactor_do_system_drop_privs.diff	2018-02-09 18:19:03 UTC (rev 316532)
@@ -1,121 +0,0 @@
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson at debian.org>
-Date: Wed, 7 Feb 2018 12:23:15 +0000
-Subject: Refactor do_system_drop_privs
-
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
-
-* lib/security.c (drop_privs): New function.
-(do_system_drop_privs_child, do_system_drop_privs): Remove.
-* lib/security.h (drop_privs): Add prototype.
-(do_system_drop_privs): Remove prototype.
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
-command.
-(format_display): Call browser using pipeline_run rather than
-do_system_drop_privs, since it now has a pre-exec hook to drop
-privileges.
----
- lib/security.c | 37 +++----------------------------------
- lib/security.h |  2 +-
- src/man.c      |  7 +++++--
- 3 files changed, 9 insertions(+), 37 deletions(-)
-
-diff --git a/lib/security.c b/lib/security.c
-index 6e84de8..c9b365d 100644
---- a/lib/security.c
-+++ b/lib/security.c
-@@ -158,42 +158,11 @@ void regain_effective_privs (void)
- #endif /* MAN_OWNER */
- }
- 
--#ifdef MAN_OWNER
--void do_system_drop_privs_child (void *data)
-+/* Pipeline command pre-exec hook to permanently drop privileges. */
-+void drop_privs (void *data ATTRIBUTE_UNUSED)
- {
--	pipeline *p = data;
--
-+#ifdef MAN_OWNER
- 	if (idpriv_drop ())
- 		gripe_set_euid ();
--	exit (pipeline_run (p));
--}
--#endif /* MAN_OWNER */
--
--/* The safest way to execute a pipeline with no effective privileges is to
-- * fork, permanently drop privileges in the child, run the pipeline from the
-- * child, and wait for it to die.
-- *
-- * It is possible to use saved IDs to avoid the fork, since effective IDs
-- * are copied to saved IDs on execve; we used to do this.  However, forking
-- * is not expensive enough to justify the extra code.
-- *
-- * Note that this frees the supplied pipeline.
-- */
--int do_system_drop_privs (pipeline *p)
--{
--#ifdef MAN_OWNER
--	pipecmd *child_cmd;
--	pipeline *child;
--	int status;
--
--	child_cmd = pipecmd_new_function ("unprivileged child",
--					  do_system_drop_privs_child, NULL, p);
--	child = pipeline_new_commands (child_cmd, NULL);
--	status = pipeline_run (child);
--
--	pipeline_free (p);
--	return status;
--#else  /* !MAN_OWNER */
--	return pipeline_run (p);
- #endif /* MAN_OWNER */
- }
-diff --git a/lib/security.h b/lib/security.h
-index 7545502..851127d 100644
---- a/lib/security.h
-+++ b/lib/security.h
-@@ -27,7 +27,7 @@
- /* security.c */
- extern void drop_effective_privs (void);
- extern void regain_effective_privs (void);
--extern int do_system_drop_privs (struct pipeline *p);
-+extern void drop_privs (void *data);
- extern void init_security (void);
- extern int running_setuid (void);
- extern struct passwd *get_man_owner (void);
-diff --git a/src/man.c b/src/man.c
-index 959d6cc..ff7ebc7 100644
---- a/src/man.c
-+++ b/src/man.c
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
- static pipeline *make_browser (const char *pattern, const char *file)
- {
- 	pipeline *p;
-+	pipecmd *cmd;
- 	char *browser = xmalloc (1);
- 	int found_percent_s = 0;
- 	char *percent;
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
- 		free (esc_file);
- 	}
- 
--	p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
-+	cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
-+	pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
-+	p = pipeline_new_commands (cmd, NULL);
- 	pipeline_ignore_signals (p, 1);
- 	free (browser);
- 
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
- 			pipeline *browser;
- 			debug ("Trying browser: %s\n", candidate);
- 			browser = make_browser (candidate, htmlfile);
--			disp_status = do_system_drop_privs (browser);
-+			disp_status = pipeline_run (browser);
- 			if (!disp_status)
- 				break;
- 		}
--- 
-cgit v1.0-41-gc330
-
-


