New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
trousers: 0.3.14 -> 0.3.15 #110897
trousers: 0.3.14 -> 0.3.15 #110897
Conversation
This is a semi-automatic executed nixpkgs-review which is checked by a human on a best effort basis and does not build all packages (e.g. lumo, tensorflow or pytorch). Result of 3 packages marked as broken and skipped:
10 packages built:
|
+#ifndef ALLOW_NON_TSS_CONFIG_FILE | ||
/* make sure user/group TSS owns the conf file */ | ||
if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { | ||
if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { | ||
LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, | ||
@@ -775,6 +776,7 @@ | ||
LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); | ||
LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like this should be upstreamed, there's nothing nixos specific
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed.
It looks like it's this way since the introduction of the package in nixpkgs (#2129). Maybe @alexanderkjeldaas knows why the patch has not been upstreamed?
This probably should be not a blocker to pull in the fixes for the security issues though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if this is exposed in a module, we can align the user so that it's the same when being used.
Motivation for this change
Fix CVE-2020-24332, CVE-2020-24330 and CVE-2020-24331.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)Result of
nixpkgs-review
run on x86_64-linux 13 packages marked as broken and skipped:
10 packages built: