From 781ab443c2170a80621920ea40bfc773553630fc Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 12 Aug 2021 14:25:43 +0200
Subject: [PATCH] nixos/doas: fix recursive calls to doas

Previously, for processes launched by doas the unwrapped doas binary preceded the setuid-wrapped doas binary in PATH. This caused error `doas: not installed setuid` when running doas from processes launched by doas.

doas seems to short-circuit the PATH lookup when called like `doas -u myuser doas -u myuser ...` so the error doesn't appear in this case.
---
 nixos/tests/doas.nix | 7 +++++++
 .../doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/tests/doas.nix b/nixos/tests/doas.nix
index 9c0a4bdc7563..5e9ce4b2c799 100644
--- a/nixos/tests/doas.nix
+++ b/nixos/tests/doas.nix
@@ -78,6 +78,13 @@ import ./make-test-python.nix (
 'su - test7 -c "SSH_AUTH_SOCK=HOLEY doas env"'
 ):
 raise Exception("failed to exclude SSH_AUTH_SOCK")
+
+ # Test that the doas setuid wrapper precedes the unwrapped version in PATH after
+ # calling doas.
+ # The PATH set by doas is defined in
+ # ../../pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+ with subtest("recursive calls to doas from subprocesses should succeed"):
+ machine.succeed('doas -u test0 sh -c "doas -u test0 true"')
 '';
 }
 )
diff --git a/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch b/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
index d1a1997ba1f6..a22781269d8b 100644
--- a/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
+++ b/pkgs/tools/security/doas/0001-add-NixOS-specific-dirs-to-safe-PATH.patch
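Review bot: The new subtest only checks that a nested `doas` call exits zero, not the property its own comment states (that the setuid wrapper precedes the unwrapped binary in PATH), so a configuration where both binaries happen to work, or a failure for an unrelated reason, would be indistinguishable from the bug being fixed. Add a direct assertion next to the existing `machine.succeed(...)` line, e.g. `assert machine.succeed('doas -u test0 sh -c "command -v doas"').strip() == "/run/wrappers/bin/doas"`, which pins the ordering rather than the symptom and also makes a regression diagnosable from the test output. Going through `sh -c` is the right shape here, since the commit message itself says doas short-circuits the PATH lookup when doas is its direct command; this presumes the doas rule for test0 permits the call, as the added line already does. The test script this hunk extends starts before the hunk.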
@@ -15,7 +15,7 @@ index e253905..2fdb20f 100644
 main(int argc, char **argv)
 {
 const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
-+ "/run/current-system/sw/bin:/run/current-system/sw/sbin:/run/wrappers/bin:"
++ "/run/wrappers/bin:/run/current-system/sw/bin:/run/current-system/sw/sbin:"
 "/usr/local/bin:/usr/local/sbin";
 const char *confpath = NULL;
 char *shargv[] = { NULL, NULL };
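Review bot: The reordering of `safepath` is security-relevant but carries no comment saying why, so a later tidy-up could put `/run/current-system/sw/bin` back in front of `/run/wrappers/bin` and silently reintroduce the `doas: not installed setuid` failure. I would add a comment above the `safepath` initializer in the inner patch, e.g. `/* /run/wrappers/bin must precede the system profile: the setuid wrappers (doas itself included) have to win the PATH lookup */`; because this hunk edits a stored .patch file, the inner hunk's `@@` line counts would need bumping for the extra `+` line. The wrapper directory now also wins over the profile for every other wrapped name (su, sudo, mount, ping, ...), which as far as I can tell matches the NixOS default PATH ordering and looks intended, but it is worth stating. `/bin`, `/sbin`, `/usr/bin` and `/usr/sbin` still precede the wrapper directory; on NixOS those presumably hold only a few compatibility entries (sh, env) rather than an unwrapped doas, and that assumption is what the new ordering rests on.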