monkeysphere: Patch OpenSSH to run the tests in the sandbox

2018-12-20 16:41:00 +01:00 · 2018-12-20 16:41:00 +01:00 · ca0c253a80
parent 1b84b9f725
commit ca0c253a80
2 changed files with 40 additions and 9 deletions
--- a/pkgs/tools/security/monkeysphere/default.nix
+++ b/pkgs/tools/security/monkeysphere/default.nix
@ -2,13 +2,23 @@
 , perl, libassuan, libgcrypt
 , perlPackages, lockfileProgs, gnupg, coreutils
 # For the tests:
-, bash, openssh, which, socat, cpio, hexdump
+, bash, openssh, which, socat, cpio, hexdump, openssl
 }:

-stdenv.mkDerivation rec {
+let
+  # A patch is needed to run the tests inside the Nix sandbox:
+  # /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
+  # sshd: "User nixbld not allowed because shell /noshell does not exist"
+  opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
+    patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
+  });
+in stdenv.mkDerivation rec {
  name = "monkeysphere-${version}";
  version = "0.42";

+  # The patched OpenSSH binary MUST NOT be used (except in the check phase):
+  disallowedRequisites = [ opensshUnsafe ];
+
  src = fetchurl {
    url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
    sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ perl libassuan libgcrypt ]
    ++ stdenv.lib.optional doCheck
-      ([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
+      ([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
      (with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));

  makeFlags = ''
@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
    DESTDIR=$(out)
  '';

-  # The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
-  # inside of the sandbox, because nixbld isn't allowed to login via SSH
-  # (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
-  # sshd: "User nixbld not allowed because shell /noshell does not exist").
+  # The tests should be run (and succeed) when making changes to this package
+  # but they aren't enabled by default because they "drain" entropy (GnuPG
+  # still uses /dev/random).
  doCheck = false;
-  preCheck = ''
+  preCheck = stdenv.lib.optionalString doCheck ''
    patchShebangs tests/
    patchShebangs src/
-    sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
+    sed -i \
+      -e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
+      -e "s,/bin/true,${coreutils}/bin/true," \
+      -e "s,/bin/false,${coreutils}/bin/false," \
+      -e "s,openssl\ req,${openssl}/bin/openssl req," \
+      tests/basic
    sed -i "s/<(hd/<(hexdump/" tests/keytrans
  '';

--- a/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
+++ b/pkgs/tools/security/monkeysphere/openssh-nixos-sandbox.patch
@ -0,0 +1,17 @@
+diff --git a/auth.c b/auth.c
+index d2a8cd65..811a129f 100644
+--- a/auth.c
+++ b/auth.c
+@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
+ #endif
+ 
+ 	pw = getpwnam(user);
+        if (pw != NULL) {
+		// This is only for testing purposes,
+		// DO NOT USE THIS PATCH IN PRODUCTION!
+		char *shell = "/bin/sh";
+		pw->pw_shell = shell;
+        }
+ 
+ #if defined(_AIX) && defined(HAVE_SETAUTHDB)
+ 	aix_restoreauthdb();