From patchwork Mon Feb 22 15:07:37 2021
X-Patchwork-Submitter: Erich Ericson
X-Patchwork-Id: 1877
From: Erich Ericson
Date: Mon, 22 Feb 2021 16:07:37 +0100
To: pacman-dev@lists.archlinux.org
Subject: [pacman-dev] [PATCH] doas makepkg support

The following patches should enable doas support for privilege escalation in makepkg as well as document the absence thereof in binary verification.
As doas gained a little traction over the last weeks and with its presence in the official repos it seems like a cheap, yet beneficial patch to the featureset of makepkg. It might not be an exhaustive patchset as I don't know all of makepkg's and libmakepkg's intricacies, but it has been tested by me and seems to work as expected. Nonetheless those patches should "point in the right direction". From 10ffa30e21e94801c444704362342610e49034ab Mon Sep 17 00:00:00 2001 From: Erich Ericson Date: Sun, 21 Feb 2021 01:12:04 +0100 Subject: [PATCH] doas privilege escalation in makepkg Signed-off-by: Erich Ericson --- scripts/makepkg.sh.in | 2 ++ 1 file changed, 2 insertions(+) fi } diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index b39433f3..47b3001d 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -232,6 +232,8 @@ run_pacman() { cmd=("$PACMAN_PATH" "${PACMAN_OPTS[@]}" "$@") if type -p sudo >/dev/null; then cmd=(sudo "${cmd[@]}") + elif type -p doas >/dev/null; then + cmd=(doas "${cmd[@]}") else cmd=(su root -c "$(printf '%q ' "${cmd[@]}")") fi -- 2.30.1 From 2a455f2adc1bc87ed6b1d23261c8f911a7cc066b Mon Sep 17 00:00:00 2001 From: Erich Ericson Date: Sun, 21 Feb 2021 17:35:26 +0100 Subject: [PATCH] add prompting support for doas binary Signed-off-by: Erich Ericson --- scripts/libmakepkg/executable/sudo.sh.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/libmakepkg/executable/sudo.sh.in b/scripts/libmakepkg/executable/sudo.sh.in index 9e50a76b..4d701946 100644 --- a/scripts/libmakepkg/executable/sudo.sh.in +++ b/scripts/libmakepkg/executable/sudo.sh.in 
@@ -29,8 +29,8 @@ executable_functions+=('executable_sudo') executable_sudo() { if (( DEP_BIN || RMDEPS || INSTALL )); then - if ! type -p sudo >/dev/null; then - warning "$(gettext "Cannot find the %s binary. Will use %s to acquire root privileges.")" "sudo" "su" + if ! type -p sudo >/dev/null || ! type -p doas >/dev/null; then + warning "$(gettext "Cannot find neither the %s nor %s binary. Will use %s to acquire root privileges.")" "sudo" "doas" "su" fi
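Review bot: In run_pacman() (scripts/makepkg.sh.in), the new elif branch selects doas only because the binary is on PATH, and only when sudo is absent. If doas is installed but has no rule permitting the calling user, the pacman call fails and the su fallback in the else branch is never tried. The sudo branch already behaves this way, so that may be acceptable, but the resulting precedence (sudo, then doas, then su) should be stated in the commit message or the documentation, since the diffstat shows only scripts/makepkg.sh.in changing.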
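Review bot: In executable_sudo() (scripts/libmakepkg/executable/sudo.sh.in), the new test "! type -p sudo >/dev/null || ! type -p doas >/dev/null" is true whenever either binary is missing, so a host with sudo but no doas (or the reverse) is warned that su will be used, although run_pacman() in the first patch would still pick the installed one. Join the two tests with && so the warning fires only when both are absent. The message "Cannot find neither the %s nor %s binary" is also a double negative; "Cannot find the %s or %s binary" says what is meant, and because the gettext msgid changes, existing translations of the old string will no longer match.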