From 8607cad379185ee6b427dc78dcf7c5fcd90de541 Mon Sep 17 00:00:00 2001
From: Lars Wendler
Date: Thu, 8 Feb 2018 12:56:06 +0100
Subject: sys-apps/man-db: Revump to drop seccomp again. It segfaults. Might re-add seccomp once 2.8.1 has been released.
Package-Manager: Portage-2.3.24, Repoman-2.3.6
---
 .../files/man-db-2.8.0-refactor_drop_privs.patch | 120 --------------------
 .../man-db/files/man-db-2.8.0-seccomp_suid.patch | 126 ---------------------
 sys-apps/man-db/man-db-2.8.0-r1.ebuild | 123 --------------------
 sys-apps/man-db/man-db-2.8.0-r2.ebuild | 120 ++++++++++++++++++++
 4 files changed, 120 insertions(+), 369 deletions(-)
 delete mode 100644 sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
 delete mode 100644 sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
 delete mode 100644 sys-apps/man-db/man-db-2.8.0-r1.ebuild
 create mode 100644 sys-apps/man-db/man-db-2.8.0-r2.ebuild
(limited to 'sys-apps/man-db')
diff --git a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch b/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
deleted file mode 100644
index 87db57afb9eb..000000000000
--- a/sys-apps/man-db/files/man-db-2.8.0-refactor_drop_privs.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 24624eaf853158856b8fd0a6f78c873475a16686 Mon Sep 17 00:00:00 2001
-From: Colin Watson
-Date: Wed, 7 Feb 2018 12:23:15 +0000
-Subject: Refactor do_system_drop_privs
-
-Now that we have pipecmd_pre_exec, this can be simplified quite a bit.
-
-* lib/security.c (drop_privs): New function.
-(do_system_drop_privs_child, do_system_drop_privs): Remove.
-* lib/security.h (drop_privs): Add prototype.
-(do_system_drop_privs): Remove prototype.
-* src/man.c (make_browser): Add drop_privs pre-exec hook to browser
-command.
-(format_display): Call browser using pipeline_run rather than
-do_system_drop_privs, since it now has a pre-exec hook to drop
-privileges.
----
- lib/security.c | 37 +++----------------------------------
- lib/security.h | 2 +-
- src/man.c | 7 +++++--
- 3 files changed, 9 insertions(+), 37 deletions(-)
-
-diff --git a/lib/security.c b/lib/security.c
-index 6e84de8..c9b365d 100644
---- a/lib/security.c
-+++ b/lib/security.c
-@@ -158,42 +158,11 @@ void regain_effective_privs (void)
- #endif /* MAN_OWNER */
- }
-
--#ifdef MAN_OWNER
--void do_system_drop_privs_child (void *data)
-+/* Pipeline command pre-exec hook to permanently drop privileges. */
-+void drop_privs (void *data ATTRIBUTE_UNUSED)
- {
-- pipeline *p = data;
--
-+#ifdef MAN_OWNER
- if (idpriv_drop ())
- gripe_set_euid ();
-- exit (pipeline_run (p));
--}
--#endif /* MAN_OWNER */
--
--/* The safest way to execute a pipeline with no effective privileges is to
-- * fork, permanently drop privileges in the child, run the pipeline from the
-- * child, and wait for it to die.
-- *
-- * It is possible to use saved IDs to avoid the fork, since effective IDs
-- * are copied to saved IDs on execve; we used to do this. However, forking
-- * is not expensive enough to justify the extra code.
-- *
-- * Note that this frees the supplied pipeline.
-- */
--int do_system_drop_privs (pipeline *p)
--{
--#ifdef MAN_OWNER
-- pipecmd *child_cmd;
-- pipeline *child;
-- int status;
--
-- child_cmd = pipecmd_new_function ("unprivileged child",
-- do_system_drop_privs_child, NULL, p);
-- child = pipeline_new_commands (child_cmd, NULL);
-- status = pipeline_run (child);
--
-- pipeline_free (p);
-- return status;
--#else /* !MAN_OWNER */
-- return pipeline_run (p);
- #endif /* MAN_OWNER */
- }
-diff --git a/lib/security.h b/lib/security.h
-index 7545502..851127d 100644
---- a/lib/security.h
-+++ b/lib/security.h
-@@ -27,7 +27,7 @@
- /* security.c */
- extern void drop_effective_privs (void);
- extern void regain_effective_privs (void);
--extern int do_system_drop_privs (struct pipeline *p);
-+extern void drop_privs (void *data);
- extern void init_security (void);
- extern int running_setuid (void);
- extern struct passwd *get_man_owner (void);
-diff --git a/src/man.c b/src/man.c
-index 959d6cc..ff7ebc7 100644
---- a/src/man.c
-+++ b/src/man.c
-@@ -1481,6 +1481,7 @@ static pipeline *make_roff_command (const char *dir, const char *file,
- static pipeline *make_browser (const char *pattern, const char *file)
- {
- pipeline *p;
-+ pipecmd *cmd;
- char *browser = xmalloc (1);
- int found_percent_s = 0;
- char *percent;
-@@ -1526,7 +1527,9 @@ static pipeline *make_browser (const char *pattern, const char *file)
- free (esc_file);
- }
-
-- p = pipeline_new_command_args ("/bin/sh", "-c", browser, NULL);
-+ cmd = pipecmd_new_args ("/bin/sh", "-c", browser, NULL);
-+ pipecmd_pre_exec (cmd, drop_privs, NULL, NULL);
-+ p = pipeline_new_commands (cmd, NULL);
- pipeline_ignore_signals (p, 1);
- free (browser);
-
-@@ -2021,7 +2024,7 @@ static void format_display (pipeline *decomp,
- pipeline *browser;
- debug ("Trying browser: %s\n", candidate);
- browser = make_browser (candidate, htmlfile);
-- disp_status = do_system_drop_privs (browser);
-+ disp_status = pipeline_run (browser);
- if (!disp_status)
- break;
- }
---
-cgit
v1.0-41-gc330
-
diff --git a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch b/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
deleted file mode 100644
index f513ee8cca67..000000000000
--- a/sys-apps/man-db/files/man-db-2.8.0-seccomp_suid.patch
+++ /dev/null
@@ -1,126 +0,0 @@
-From 10027a400d6a05f463f3981e1191a2f35d0cc02b Mon Sep 17 00:00:00 2001
-From: Colin Watson
-Date: Wed, 7 Feb 2018 13:44:30 +0000
-Subject: [PATCH] Fix manconv under seccomp when man is setuid
-
-We must drop privileges before loading the sandbox.
-
-Reported by Lars Wendler.
-
-* src/manconv_client.c (manconv_pre_exec): New function.
-(manconv_stdin): Move setuid hack to ...
-(add_manconv): ... here, now implemented using a custom pre-exec hook.
-We no longer have a fall-through if dropping privileges fails, since
-that's now harder to do and wasn't really necessary in the first place.
----
- src/manconv_client.c | 80 +++++++++++++++++++++++++++++-----------------------
- 1 file changed, 45 insertions(+), 35 deletions(-)
-
-diff --git a/src/manconv_client.c b/src/manconv_client.c
-index d6e010b0..41ce4790 100644
---- a/src/manconv_client.c
-+++ b/src/manconv_client.c
-@@ -56,41 +56,6 @@ static void manconv_stdin (void *data)
- struct manconv_codes *codes = data;
- pipeline *p;
-
--#ifdef MAN_OWNER
-- /* iconv_open may not work correctly in setuid processes; in GNU
-- * libc, gconv modules may be linked against other gconv modules and
-- * rely on RPATH $ORIGIN to load those modules from the correct
-- * path, but $ORIGIN is disabled in setuid processes. It is
-- * impossible to reset libc's idea of setuidness without creating a
-- * whole new process image. Therefore, if the calling process is
-- * setuid, we must drop privileges and execute manconv.
-- *
-- * If dropping privileges fails, fall through to the in-process
-- * code, as in some situations it may actually manage to work.
-- */
-- if (running_setuid () && !idpriv_drop ()) {
-- char **from_code;
-- char *sources = NULL;
-- pipecmd *cmd;
--
-- for (from_code = codes->from; *from_code; ++from_code) {
-- sources = appendstr (sources, *from_code, NULL);
-- if (*(from_code + 1))
-- sources = appendstr (sources, ":", NULL);
-- }
--
-- cmd = pipecmd_new_args (MANCONV, "-f", sources,
-- "-t", codes->to, NULL);
-- free (sources);
--
-- if (quiet >= 2)
-- pipecmd_arg (cmd, "-q");
--
-- pipecmd_exec (cmd);
-- /* never returns */
-- }
--#endif /* MAN_OWNER */
--
- p = decompress_fdopen (dup (STDIN_FILENO));
- pipeline_start (p);
- manconv (p, codes->from, codes->to);
-@@ -98,6 +63,17 @@ static void manconv_stdin (void *data)
- pipeline_free (p);
- }
-
-+#ifdef MAN_OWNER
-+static void manconv_pre_exec (void *data)
-+{
-+ /* We must drop privileges before loading the sandbox, since our
-+ * seccomp filter doesn't allow setresuid and friends.
-+ */
-+ drop_privs (NULL);
-+ sandbox_load (data);
-+}
-+#endif /* MAN_OWNER */
-+
- static void free_manconv_codes (void *data)
- {
- struct manconv_codes *codes = data;
-@@ -139,6 +115,40 @@ void add_manconv (pipeline *p, const char *source, const char *target)
- name = appendstr (name, " -t ", codes->to, NULL);
- if (quiet >= 2)
- name = appendstr (name, " -q", NULL);
-+
-+#ifdef MAN_OWNER
-+ /* iconv_open may not work correctly in setuid processes; in GNU
-+ * libc, gconv modules may be linked against other gconv modules and
-+ * rely on RPATH $ORIGIN to load those modules from the correct
-+ * path, but $ORIGIN is disabled in setuid processes. It is
-+ * impossible to reset libc's idea of setuidness without creating a
-+ * whole new process image. Therefore, if the calling process is
-+ * setuid, we must drop privileges and execute manconv.
-+ */
-+ if (running_setuid ()) {
-+ char **from_code;
-+ char *sources = NULL;
-+
-+ cmd = pipecmd_new_args (MANCONV, "-f", NULL);
-+ for (from_code = codes->from; *from_code; ++from_code) {
-+ sources = appendstr (sources, *from_code, NULL);
-+ if (*(from_code + 1))
-+ sources = appendstr (sources, ":", NULL);
-+ }
-+ pipecmd_arg (cmd, sources);
-+ free (sources);
-+ pipecmd_args (cmd, "-t", codes->to, NULL);
-+ if (quiet >= 2)
-+ pipecmd_arg (cmd, "-q");
-+ pipecmd_pre_exec (cmd, manconv_pre_exec, sandbox_free,
-+ sandbox);
-+ free (name);
-+ free_manconv_codes (codes);
-+ pipeline_command (p, cmd);
-+ return;
-+ }
-+#endif /* MAN_OWNER */
-+
- cmd = pipecmd_new_function (name, &manconv_stdin, &free_manconv_codes,
- codes);
- free (name);
---
-2.16.1
-
diff --git a/sys-apps/man-db/man-db-2.8.0-r1.ebuild b/sys-apps/man-db/man-db-2.8.0-r1.ebuild
deleted file mode 100644
index 1ff3ca11d5c7..000000000000
--- a/sys-apps/man-db/man-db-2.8.0-r1.ebuild
+++ /dev/null
@@ -1,123 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit ltprune user versionator
-
-DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
-HOMEPAGE="http://www.nongnu.org/man-db/"
-SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
-IUSE="berkdb +gdbm +manpager nls seccomp selinux static-libs zlib"
-
-CDEPEND="
- !sys-apps/man
- >=dev-libs/libpipeline-1.5.0
- sys-apps/groff
- berkdb? ( sys-libs/db:= )
- gdbm? ( sys-libs/gdbm:= )
- !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
- seccomp? ( sys-libs/libseccomp )
- zlib? ( sys-libs/zlib )
-"
-DEPEND="
- ${CDEPEND}
- app-arch/xz-utils
- virtual/pkgconfig
- nls? (
- >=app-text/po4a-0.45
- sys-devel/gettext
- )
-"
-RDEPEND="
- ${CDEPEND}
- selinux? ( sec-policy/selinux-mandb )
-"
-PDEPEND="manpager? 
( app-text/manpager )"
-
-PATCHES=(
- "${FILESDIR}/${P}-refactor_drop_privs.patch"
- "${FILESDIR}/${P}-seccomp_suid.patch"
- "${FILESDIR}/${P}-libseccomp_automagic.patch"
-)
-
-pkg_setup() {
- # Create user now as Makefile in src_install does setuid/chown
- enewgroup man 15
- enewuser man 13 -1 /usr/share/man man
-
- if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
- ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
- fi
-}
-
-src_configure() {
- export ac_cv_lib_z_gzopen=$(usex zlib)
- local myeconfargs=(
- --docdir='$(datarootdir)'/doc/${PF}
- --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-setuid
- --enable-cache-owner=man
- --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
- $(use_enable nls)
- $(use_enable static-libs static)
- $(use_with seccomp libseccomp)
- --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
- )
- econf "${myeconfargs[@]}"
-
- # Disable color output from groff so that the manpager can add it. #184604
- sed -i \
- -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
- src/man_db.conf || die
-}
-
-src_install() {
- default
- dodoc docs/{HACKING,TODO}
- prune_libtool_files
-
- exeinto /etc/cron.daily
- newexe "${FILESDIR}"/man-db.cron man-db #289884
-}
-
-pkg_preinst() {
- local cachedir="${EROOT}var/cache/man"
- # If the system was already exploited, and the attacker is hiding in the
- # cachedir of the old man-db, let's wipe them out.
- # see bug #602588 comment 18
- local _replacing_version=
- local _setgid_vuln=0
- for _replacing_version in ${REPLACING_VERSIONS}; do
- if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then
- debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
- else
- _setgid_vuln=1
- debug-print "Applying cleanup for security bug #602588"
- fi
- done
- [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
-
- # Fall back to recreating the cachedir
- if [[ ! -d ${cachedir} ]] ; then
- mkdir -p "${cachedir}" || die
- chown man:man "${cachedir}" || die
- fi
-
- # Update the whatis cache
- if [[ -f ${cachedir}/whatis ]] ; then
- einfo "Cleaning ${cachedir} from sys-apps/man"
- find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
- fi
-}
-
-pkg_postinst() {
- if [[ $(get_version_component_range 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
- einfo "Rebuilding man-db from scratch with new database format!"
- mandb --quiet --create
- fi
-}
diff --git a/sys-apps/man-db/man-db-2.8.0-r2.ebuild b/sys-apps/man-db/man-db-2.8.0-r2.ebuild
new file mode 100644
index 000000000000..cb7cf8d1c4e8
--- /dev/null
+++ b/sys-apps/man-db/man-db-2.8.0-r2.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit ltprune user versionator
+
+DESCRIPTION="a man replacement that utilizes berkdb instead of flat files"
+HOMEPAGE="http://www.nongnu.org/man-db/"
+SRC_URI="mirror://nongnu/${PN}/${P}.tar.xz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-linux ~arm-linux ~x86-linux"
+IUSE="berkdb +gdbm +manpager nls selinux static-libs zlib"
+
+CDEPEND="
+ !sys-apps/man
+ >=dev-libs/libpipeline-1.5.0
+ sys-apps/groff
+ berkdb? ( sys-libs/db:= )
+ gdbm? ( sys-libs/gdbm:= )
+ !berkdb? ( !gdbm? ( sys-libs/gdbm:= ) )
+ zlib? ( sys-libs/zlib )
+"
+DEPEND="
+ ${CDEPEND}
+ app-arch/xz-utils
+ virtual/pkgconfig
+ nls? (
+ >=app-text/po4a-0.45
+ sys-devel/gettext
+ )
+"
+RDEPEND="
+ ${CDEPEND}
+ selinux? ( sec-policy/selinux-mandb )
+"
+PDEPEND="manpager? ( app-text/manpager )"
+
+PATCHES=(
+ "${FILESDIR}/${P}-libseccomp_automagic.patch"
+)
+
+pkg_setup() {
+ # Create user now as Makefile in src_install does setuid/chown
+ enewgroup man 15
+ enewuser man 13 -1 /usr/share/man man
+
+ if (use gdbm && use berkdb) || (use !gdbm && use !berkdb) ; then #496150
+ ewarn "Defaulting to USE=gdbm due to ambiguous berkdb/gdbm USE flag settings"
+ fi
+}
+
+src_configure() {
+ export ac_cv_lib_z_gzopen=$(usex zlib)
+ local myeconfargs=(
+ --docdir='$(datarootdir)'/doc/${PF}
+ --with-systemdtmpfilesdir="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-setuid
+ --enable-cache-owner=man
+ --with-sections="1 1p 8 2 3 3p 4 5 6 7 9 0p tcl n l p o 1x 2x 3x 4x 5x 6x 7x 8x"
+ $(use_enable nls)
+ $(use_enable static-libs static)
+ --without-libseccomp
+ --with-db=$(usex gdbm gdbm $(usex berkdb db gdbm))
+ )
+ econf "${myeconfargs[@]}"
+
+ # Disable color output from groff so that the manpager can add it. 
#184604
+ sed -i \
+ -e '/^#DEFINE.*\<[nt]roff\>/{s:^#::;s:$: -c:}' \
+ src/man_db.conf || die
+}
+
+src_install() {
+ default
+ dodoc docs/{HACKING,TODO}
+ prune_libtool_files
+
+ exeinto /etc/cron.daily
+ newexe "${FILESDIR}"/man-db.cron man-db #289884
+}
+
+pkg_preinst() {
+ local cachedir="${EROOT}var/cache/man"
+ # If the system was already exploited, and the attacker is hiding in the
+ # cachedir of the old man-db, let's wipe them out.
+ # see bug #602588 comment 18
+ local _replacing_version=
+ local _setgid_vuln=0
+ for _replacing_version in ${REPLACING_VERSIONS}; do
+ if version_is_at_least '2.7.6.1-r2' "${_replacing_version}"; then
+ debug-print "Skipping security bug #602588 ... existing installation (${_replacing_version}) should not be affected!"
+ else
+ _setgid_vuln=1
+ debug-print "Applying cleanup for security bug #602588"
+ fi
+ done
+ [[ ${_setgid_vuln} -eq 1 ]] && rm -rf "${cachedir}"
+
+ # Fall back to recreating the cachedir
+ if [[ ! -d ${cachedir} ]] ; then
+ mkdir -p "${cachedir}" || die
+ chown man:man "${cachedir}" || die
+ fi
+
+ # Update the whatis cache
+ if [[ -f ${cachedir}/whatis ]] ; then
+ einfo "Cleaning ${cachedir} from sys-apps/man"
+ find "${cachedir}" -type f '!' '(' -name index.bt -o -name index.db ')' -delete
+ fi
+}
+
+pkg_postinst() {
+ if [[ $(get_version_component_range 2 ${REPLACING_VERSIONS}) -lt 7 ]] ; then
+ einfo "Rebuilding man-db from scratch with new database format!"
+ mandb --quiet --create
+ fi
+}
-- 
cgit v1.2.3-65-gdbad
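Review bot: The new `src_configure` hard-codes `--without-libseccomp` and the `seccomp` USE flag is gone from `IUSE`, but nothing in the r2 ebuild records why, so the next version bump has no in-file cue that the sandbox is meant to come back; the reason lives only in the commit message. Since the build still passes `--enable-setuid`, the seccomp filter was the containment layer around the setuid `man` (the deleted patches describe dropping privileges before loading that sandbox), which makes the omission worth noting where it is made: `# seccomp sandbox disabled on purpose: segfaults with 2.8.0, revisit once 2.8.1 is out` directly above `--without-libseccomp`. The `${P}-libseccomp_automagic.patch` entry kept in `PATCHES` is presumably what makes configure honour that switch even when libseccomp is installed, so a short note next to it (`# keeps configure from auto-detecting libseccomp`) would stop a later cleanup from dropping it along with the flag.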