doas: 6.0 -> 6.6 #74184

Closed

@r-ryantm
Contributor

r-ryantm commented Nov 25, 2019

Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/doas/versions.

meta.description for doas is: '"Executes the given command as another user"'.

meta.homepage for doas is: '"https://github.com/Duncaen/OpenDoas"'

Release on GitHub

Compare changes on GitHub

Checks done
Rebuild report (if merged into master)

3 total rebuild path(s)

1 package rebuild(s)

1 x86_64-linux rebuild(s)
1 i686-linux rebuild(s)
0 x86_64-darwin rebuild(s)
1 aarch64-linux rebuild(s)

First fifty rebuilds by attrpath
doas

Instructions to test this update

Either download from Cachix:

nix-store -r /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6 \
  --option binary-caches 'https://cache.nixos.org/ https://r-ryantm.cachix.org/' \
  --option trusted-public-keys '
  r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=
  cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  '

(r-ryantm's Cachix cache is only trusted for this store-path realization.)

Or, build yourself:

nix-build -A doas https://github.com/r-ryantm/nixpkgs/archive/6f76b94ef1971050df368d94796ffb36e567a63e.tar.gz

After you've downloaded or built it, look at the files and if there are any, run the binaries:

ls -la /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6
ls -la /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6/bin

Experimental: CVE security report

CVEs resolved by this update:

CVEs introduced by this update:
none

CVEs present in both versions:
none


cc @cstrahan for testing.

@nh2
Contributor

nh2 commented Dec 16, 2019

The CVEs mentioned seem to be for https://github.com/slicer69/doas while the package we have at hand is https://github.com/Duncaen/OpenDoas.

@ryantm
Member

ryantm commented Dec 21, 2019

@nh2 Thanks. I've added an issue for it and I'll adjust the CVE reporting to exclude these ones.

@mokulus

mokulus commented Feb 7, 2020

@cstrahan, @ryantm could any of you merge this? This seems to have been abandoned because of that CVE false positive :/

@ryantm
Member

ryantm commented Feb 8, 2020

@mokulus did anyone test it?

@mokulus

mokulus commented Feb 8, 2020

I've tested it with
sudo nix-build -A doas https://github.com/r-ryantm/nixpkgs/archive/6f76b94ef1971050df368d94796ffb36e567a63e.tar.gz
, but I cannot use it because of the error:
doas: not installed setuid.

I think it's worth adding to the docs that you need to add doas to security.wrappers.

@mokulus

mokulus commented Feb 9, 2020

There has to be more work done on doas.

doas needs to be installed with uid set -- it should be done automatically, like with sudo or there should be a notice to use security.wrappers.

Makefile also tries to move some files to /etc/pam.d/, which fails. Without pam doas prints Operation not permitted. In journalctl you can then see:

Feb 07 21:19:50 nixos doas[9339]: pam_warn(doas:auth): function=[pam_sm_authenticate] flags=0 service=[doas] terminal=[pts/2] user=[mat] ruser=[mat] rhost=[<unknown>]

Feb 07 21:19:50 nixos doas[9339]: failed auth for mat

So this package needs: something similar to how sudo is installed - it should have 4755 perm and should install this file in /etc/pam.d. There should also be an option to configure /etc/doas.conf or a notice that you should use environment.etc
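
The three pieces the comment above lists (setuid wrapper, PAM service, /etc/doas.conf), sketched as a NixOS configuration fragment. This is an added example, not part of the thread and not the nixpkgs module; it assumes the package attribute is `pkgs.doas`, that the built binary reads `/etc/doas.conf`, and uses a constructed `permit :wheel` rule.

```nix
# Added example (not from the PR): local NixOS configuration supplying
# what the package alone does not install.
{ pkgs, ... }:
{
  # 1. Setuid-root wrapper. Store paths cannot carry the setuid bit, so
  #    NixOS creates the privileged copy under /run/wrappers/bin instead.
  #    Without it the binary exits with "doas: not installed setuid."
  security.wrappers.doas = {
    source = "${pkgs.doas}/bin/doas";
    owner = "root";
    group = "root";
    setuid = true;
  };

  # 2. PAM service entry, generated as /etc/pam.d/doas. The Makefile's
  #    attempt to write there fails in the build sandbox, and without a
  #    service file authentication is refused ("failed auth for <user>").
  security.pam.services.doas = { };

  # 3. Rules file. Constructed sample rule: members of wheel may run
  #    commands as root after authenticating. Keep the rule set as narrow
  #    as the host allows; every "permit" line is a privilege grant.
  environment.etc."doas.conf".text = ''
    permit :wheel
  '';
}
```

After a rebuild, `ls -l /run/wrappers/bin/doas` should show a root-owned file with the setuid bit, and the journal lines quoted above should no longer appear on a successful authentication.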

@cole-h cole-h mentioned this pull request May 1, 2020
7 of 10 tasks complete
@adisbladis
Member

adisbladis commented May 2, 2020

This version bump is on master (cherry-picked from #86488).
Let's move the discussion about any work required there.

@adisbladis adisbladis closed this May 2, 2020
@r-ryantm r-ryantm deleted the r-ryantm:auto-update/doas branch May 3, 2020