trousers: 0.3.14 -> 0.3.15 #110897
trousers: 0.3.14 -> 0.3.15 #110897
Conversation
|
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 3 packages marked as broken and skipped:
10 packages built:
|
| +#ifndef ALLOW_NON_TSS_CONFIG_FILE | ||
| /* make sure user/group TSS owns the conf file */ | ||
| if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { | ||
| if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { | ||
| LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, | ||
| @@ -775,6 +776,7 @@ | ||
| LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); | ||
| LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); |
There was a problem hiding this comment.
I feel like this should be upstreamed, there's nothing nixos specific
There was a problem hiding this comment.
Agreed.
It looks like it's this way since the introduction of the package in nixpkgs (#2129). Maybe @alexanderkjeldaas knows why the patch has not been upstreamed?
This probably should be not a blocker to pull in the fixes for the security issues though.
There was a problem hiding this comment.
if this is exposed in a module, we can align the user so that it's the same when being used.
Motivation for this change
Fix CVE-2020-24332, CVE-2020-24330 and CVE-2020-24331.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)Result of
nixpkgs-reviewrun on x86_64-linux 13 packages marked as broken and skipped:
10 packages built: