* [PATCH 1/2] gnu: shadow: Use 'modify-phases'.
From: contact.ng0 @ 2017-01-19 20:06 UTC (permalink / raw)
To: guix-devel; +Cc: ng0
From: ng0 <ng0@libertad.pw>
* gnu/packages/admin.scm (shadow): Use 'modify-phases'.
---
gnu/packages/admin.scm | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index a785ddb0d..ed02258ed 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -12,7 +12,7 @@
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Peter Feigl <peter.feigl@nexoid.at>
;;; Copyright © 2016 John J. Foerch <jjfoerch@earthlink.net>
-;;; Coypright © 2016 ng0 <ng0@we.make.ritual.n0.is>
+;;; Coypright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>
;;; Coypright © 2016 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Coypright © 2016 John Darrington <jmd@gnu.org>
;;;
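Review bot: the added line `+;;; Coypright © 2016, 2017 ng0 <contact.ng0@cryptolab.net>` carries over the existing "Coypright" misspelling; since the line is being rewritten anyway, spell it "Copyright" here (the Flashner/Feigl/Foerch lines just above show the correct form), and the two remaining misspelled context lines for Geerinckx-Rice and Darrington could be fixed in the same hunk.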
@@ -283,27 +283,27 @@ client and server, a telnet client and server, and an rsh client and server.")
(arguments
'(;; Assume System V `setpgrp (void)', which is the default on GNU
;; variants (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
- #:configure-flags '("--with-libpam" "ac_cv_func_setpgrp_void=yes")
+ #:configure-flags
+ '("--with-libpam" "ac_cv_func_setpgrp_void=yes")
- #:phases (alist-cons-before
- 'build 'set-nscd-file-name
- (lambda* (#:key inputs #:allow-other-keys)
- ;; Use the right file name for nscd.
- (let ((libc (assoc-ref inputs "libc")))
- (substitute* "lib/nscd.c"
- (("/usr/sbin/nscd")
- (string-append libc "/sbin/nscd")))))
- (alist-cons-after
- 'install 'remove-groups
- (lambda* (#:key outputs #:allow-other-keys)
- ;; Remove `groups', which is already provided by Coreutils.
- (let* ((out (assoc-ref outputs "out"))
- (bin (string-append out "/bin"))
- (man (string-append out "/share/man")))
- (delete-file (string-append bin "/groups"))
- (for-each delete-file (find-files man "^groups\\."))
- #t))
- %standard-phases))))
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'set-nscd-file-name
+ (lambda* (#:key inputs #:allow-other-keys)
+ ;; Use the right file name for nscd.
+ (let ((libc (assoc-ref inputs "libc")))
+ (substitute* "lib/nscd.c"
+ (("/usr/sbin/nscd")
+ (string-append libc "/sbin/nscd"))))))
+ (add-after 'install 'remove-groups
+ (lambda* (#:key outputs #:allow-other-keys)
+ ;; Remove `groups', which is already provided by Coreutils.
+ (let* ((out (assoc-ref outputs "out"))
+ (bin (string-append out "/bin"))
+ (man (string-append out "/share/man")))
+ (delete-file (string-append bin "/groups"))
+ (for-each delete-file (find-files man "^groups\\."))
+ #t))))))
(inputs (if (string-suffix? "-linux"
(or (%current-target-system)
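Review bot: the new `set-nscd-file-name` phase ends with the `substitute*` call and therefore returns whatever that call returns, whereas `remove-groups` ends with an explicit `#t`; phases under `modify-phases` are expected to signal success with a true value, so append `#t` after the `(substitute* "lib/nscd.c" ...)` form to give the first phase the same robustness as the second. The mechanical conversion from `alist-cons-before`/`alist-cons-after` otherwise keeps the original ordering (before `'build`, after `'install`) and the phase bodies unchanged.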
--
2.11.0
* [PATCH 2/2] gnu: shadow: Update to 4.4.
From: contact.ng0 @ 2017-01-19 20:06 UTC (permalink / raw)
To: guix-devel; +Cc: ng0
From: ng0 <ng0@libertad.pw>
* gnu/packages/admin.scm (shadow): Update to 4.4.
[source]: Adjust URL.
* gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch.
---
gnu/local.mk | 1 +
gnu/packages/admin.scm | 9 ++++---
.../patches/shadow-4.4-su-snprintf-fix.patch | 29 ++++++++++++++++++++++
3 files changed, 35 insertions(+), 4 deletions(-)
create mode 100644 gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 2da8b82db..4446519b0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -875,6 +875,7 @@ dist_patch_DATA = \
%D%/packages/patches/seq24-rename-mutex.patch \
%D%/packages/patches/serf-comment-style-fix.patch \
%D%/packages/patches/serf-deflate-buckets-test-fix.patch \
+ %D%/packages/patches/shadow-4.4-su-snprintf-fix.patch \
%D%/packages/patches/slim-session.patch \
%D%/packages/patches/slim-config.patch \
%D%/packages/patches/slim-sigusr1.patch \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index ed02258ed..48f3328b1 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -270,15 +270,16 @@ client and server, a telnet client and server, and an rsh client and server.")
(define-public shadow
(package
(name "shadow")
- (version "4.2.1")
+ (version "4.4")
(source (origin
(method url-fetch)
(uri (string-append
- "http://pkg-shadow.alioth.debian.org/releases/"
- name "-" version ".tar.xz"))
+ "https://github.com/shadow-maint/shadow/releases/"
+ "download/" version "/shadow-" version ".tar.xz"))
+ (patches (search-patches "shadow-4.4-su-snprintf-fix.patch"))
(sha256
(base32
- "0h9x1zdbq0pqmygmc1x459jraiqw4gqz8849v268crk78z8r621v"))))
+ "0g7hf55ar2pafg5g3ldx0fwzjk36wf4xb21p4ndanbjm3c2a9ab1"))))
(build-system gnu-build-system)
(arguments
'(;; Assume System V `setpgrp (void)', which is the default on GNU
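Review bot: the `uri` change moves the tarball source from pkg-shadow.alioth.debian.org to GitHub release assets, which changes where the package's trust anchor lives; the new value on the `sha256` line should be confirmed against an upstream release signature, or at least against the download Debian now references (as mentioned later in the thread), before merge, and that reason for the move belongs in the commit message beyond "[source]: Adjust URL.". The `patches` field placed between `uri` and `sha256` is fine, but the patch file name pins the version (`shadow-4.4-su-snprintf-fix.patch`), so it will need renaming or dropping on the next bump.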
diff --git a/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
new file mode 100644
index 000000000..45667c8e4
--- /dev/null
+++ b/gnu/packages/patches/shadow-4.4-su-snprintf-fix.patch
@@ -0,0 +1,29 @@
+fix from upstream
+
+From 67d2bb6e0a5ac124ce1f026dd5723217b1493194 Mon Sep 17 00:00:00 2001
+From: Serge Hallyn <serge@hallyn.com>
+Date: Sun, 18 Sep 2016 21:31:18 -0500
+Subject: [PATCH] su.c: fix missing length argument to snprintf
+
+---
+ src/su.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 0c50a9456afd..93ffd2fbe2b4 100644
+--- a/src/su.c
++++ b/src/su.c
+@@ -373,8 +373,8 @@ static void prepare_pam_close_session (void)
+ stderr);
+ (void) kill (-pid_child, caught);
+
+- snprintf (kill_msg, _(" ...killed.\n"));
+- snprintf (wait_msg, _(" ...waiting for child to terminate.\n"));
++ snprintf (kill_msg, 256, _(" ...killed.\n"));
++ snprintf (wait_msg, 256, _(" ...waiting for child to terminate.\n"));
+
+ (void) signal (SIGALRM, kill_child);
+ (void) alarm (2);
+--
+2.11.0.rc2
+
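Review bot: the fixed calls on the `++ snprintf (kill_msg, 256, ...)` and `++ snprintf (wait_msg, 256, ...)` lines hardcode the buffer size as a literal 256 that has to match declarations not visible in this hunk; if `kill_msg` and `wait_msg` are fixed-size arrays, `sizeof kill_msg` / `sizeof wait_msg` would keep the bound tied to the declaration instead of a magic number. The removed lines show the actual defect: with the size argument missing, the translated message was passed in the `size_t` slot and no format string followed, so the calls were undefined behaviour rather than bounded writes. The `+fix from upstream` header names no URL; add the link to upstream commit 67d2bb6e0a5ac124ce1f026dd5723217b1493194 so the provenance is checkable (Leo notes further down the thread that he added one before pushing).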
--
2.11.0
* Re: Shadow -> 4.4
From: contact.ng0 @ 2017-01-19 20:15 UTC (permalink / raw)
To: guix-devel
contact.ng0@cryptolab.net writes:
> Question: I don't prefer to crash and burn systems, which test is enough to show that it works? Reconfiguring one of my own systems?
And because the previous git send-email aborted in the middle:
The new source on GitHub is referenced on the Debian page. I
compared releases on Debian and GitHub and they use GitHub now.
--
♥Ⓐ ng0 -- https://www.inventati.org/patternsinthechaos/
* Re: Shadow -> 4.4
From: Leo Famulari @ 2017-01-20 5:16 UTC (permalink / raw)
To: contact.ng0; +Cc: guix-devel
On Thu, Jan 19, 2017 at 08:06:34PM +0000, contact.ng0@cryptolab.net wrote:
> Question: I don't prefer to crash and burn systems, which test is
> enough to show that it works? Reconfiguring one of my own systems?
Yes. If it breaks your system, you can always reboot into an earlier
system generation. Another option is to use a VM. I tested both cases,
and it works for me.
Would anyone else like to test it?
* Re: Shadow -> 4.4
From: ng0 @ 2017-01-20 11:02 UTC (permalink / raw)
To: guix-devel
Leo Famulari <leo@famulari.name> writes:
> On Thu, Jan 19, 2017 at 08:06:34PM +0000, contact.ng0@cryptolab.net wrote:
>> Question: I don't prefer to crash and burn systems, which test is
>> enough to show that it works? Reconfiguring one of my own systems?
>
> Yes. If it breaks your system, you can always reboot into an earlier
> system generation. Another option is to use a VM. I tested both cases,
> and it works for me.
>
> Would anyone else like to test it?
I have just reconfigured my system and I can log in and use
sudo. More testing wasn't done.
By the way, why don't we build 'shadow' with SELinux support?
I know everyone is busy, but I think we really should get that
hardening plan going - or at least come up with a plan on what we
want now and who's interested/will be involved, etc.
--
♥Ⓐ ng0 -- https://www.inventati.org/patternsinthechaos/
* Re: Shadow -> 4.4
From: Leo Famulari @ 2017-02-11 18:47 UTC (permalink / raw)
To: ng0; +Cc: guix-devel
On Fri, Jan 20, 2017 at 11:02:05AM +0000, ng0 wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Thu, Jan 19, 2017 at 08:06:34PM +0000, contact.ng0@cryptolab.net wrote:
> >> Question: I don't prefer to crash and burn systems, which test is
> >> enough to show that it works? Reconfiguring one of my own systems?
> >
> > Yes. If it breaks your system, you can always reboot into an earlier
> > system generation. Another option is to use a VM. I tested both cases,
> > and it works for me.
> >
> > Would anyone else like to test it?
>
> I have just reconfigured my system and I can login, and use
> sudo. More testing wasn't done.
I just pushed the patches, after adding a link to the source of the
snprintf patch.
> By the way, why don't we build 'shadow' with SELinux support?
> I know everyone is busy, but I think we really should get that
> hardening plan going - or at least come up with a plan on what we
> want now and who's interested/will be involved, etc.
I agree that we should get moving on this. The project is waiting for
some person or group to start working on it. I'm sure we'd all like to
see progress but many of us are at the limit of how much work we can do.
* Re: Shadow -> 4.4
From: ng0 @ 2017-02-11 19:48 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 17-02-11 13:47:23, Leo Famulari wrote:
> On Fri, Jan 20, 2017 at 11:02:05AM +0000, ng0 wrote:
> > Leo Famulari <leo@famulari.name> writes:
> >
> > > On Thu, Jan 19, 2017 at 08:06:34PM +0000, contact.ng0@cryptolab.net wrote:
> > >> Question: I don't prefer to crash and burn systems, which test is
> > >> enough to show that it works? Reconfiguring one of my own systems?
> > >
> > > Yes. If it breaks your system, you can always reboot into an earlier
> > > system generation. Another option is to use a VM. I tested both cases,
> > > and it works for me.
> > >
> > > Would anyone else like to test it?
> >
> > I have just reconfigured my system and I can login, and use
> > sudo. More testing wasn't done.
>
> I just pushed the patches, after adding a link to the source of the
> snprintf patch.
Thanks!
> > By the way, why don't we build 'shadow' with SELinux support?
Are there any reasons _against_ configuring 'shadow' with SELinux
support?
> > I know everyone is busy, but I think we really should get that
> > hardening plan going - or at least come up with a plan on what we
> > want now and who's interested/will be involved, etc.
>
> I agree that we should get moving on this. The project is waiting for
> some person or group to start working on it. I'm sure we'd all like to
> see progress but many of us are at the limit of how much work we can do.
I need to clean up a bit, but I have decided to dedicate some portion of
my time to connecting bits and pieces in this area. I made it part of
the roadmap of the GuixSD blend I create, at least some parts of
hardening. One person is working on finishing SELinux afaik; I just
decided to stick to the libcs. But as you wrote, time is limited.
--
ng0 -- https://www.inventati.org/patternsinthechaos/
* Re: Shadow -> 4.4
From: Leo Famulari @ 2017-02-11 20:28 UTC (permalink / raw)
To: guix-devel
On Sat, Feb 11, 2017 at 07:48:07PM +0000, ng0 wrote:
> Are there any reasons _against_ configuring 'shadow' with SELinux
> support?
I'm not that familiar with SELinux, so I can't say one way or the other.
There were some scattered discussions about SELinux in GuixSD at FOSDEM,
but I'm not sure if we drew any conclusions or not.
* Re: Shadow -> 4.4
From: ng0 @ 2017-02-17 9:58 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 17-02-11 15:28:22, Leo Famulari wrote:
> On Sat, Feb 11, 2017 at 07:48:07PM +0000, ng0 wrote:
> > Are there any reasons _against_ configuring 'shadow' with SELinux
> > support?
>
> I'm not that familiar with SELinux, so I can't say one way or the other.
> There were some scattered discussions about SELinux in GuixSD at FOSDEM,
> but I'm not sure if we drew any conclusions or not.
>
The SELinux function is based on/originated in a patch from Gentoo.
Gentoo does not default to SELinux in sys-apps/shadow; it's only enabled when
you set your whole system up to use SELinux.
It adds the dependencies on the packages "libselinux" and "libsemanage".
I think we should add it once there is a consent on how to SELinux in
GuixSD.
--
ng0 -- https://www.inventati.org/patternsinthechaos/
* Re: Shadow -> 4.4
From: Ludovic Courtès @ 2017-01-20 21:07 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> writes:
> On Thu, Jan 19, 2017 at 08:06:34PM +0000, contact.ng0@cryptolab.net wrote:
>> Question: I don't prefer to crash and burn systems, which test is
>> enough to show that it works? Reconfiguring one of my own systems?
>
> Yes. If it breaks your system, you can always reboot into an earlier
> system generation. Another option is to use a VM. I tested both cases,
> and it works for me.
“make check-system TESTS=basic” is rather fast (as long as you don’t
have to build QEMU and Linux-libre) and should catch serious issues.
Ludo’.