monkeysphere: Patch OpenSSH to run the tests in the sandbox

This commit is contained in:
Michael Weiss 2018-12-20 16:41:00 +01:00
parent 1b84b9f725
commit ca0c253a80
2 changed files with 40 additions and 9 deletions


@ -2,13 +2,23 @@
, perl, libassuan, libgcrypt
, perlPackages, lockfileProgs, gnupg, coreutils
# For the tests:
, bash, openssh, which, socat, cpio, hexdump
, bash, openssh, which, socat, cpio, hexdump, openssl
}:
stdenv.mkDerivation rec {
let
# A patch is needed to run the tests inside the Nix sandbox:
# /etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell"
# sshd: "User nixbld not allowed because shell /noshell does not exist"
opensshUnsafe = openssh.overrideAttrs (oldAttrs: {
patches = oldAttrs.patches ++ [ ./openssh-nixos-sandbox.patch ];
});
in stdenv.mkDerivation rec {
name = "monkeysphere-${version}";
version = "0.42";
# The patched OpenSSH binary MUST NOT be used (except in the check phase):
disallowedRequisites = [ opensshUnsafe ];
src = fetchurl {
url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_${version}.orig.tar.gz";
sha256 = "1haqgjxm8v2xnhc652lx79p2cqggb9gxgaf19w9l9akar2qmdjf1";
@ -23,7 +33,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ perl libassuan libgcrypt ]
++ stdenv.lib.optional doCheck
([ gnupg openssh which socat cpio hexdump lockfileProgs ] ++
([ gnupg opensshUnsafe which socat cpio hexdump lockfileProgs ] ++
(with perlPackages; [ CryptOpenSSLRSA CryptOpenSSLBignum ]));
makeFlags = ''
@ -31,15 +41,19 @@ stdenv.mkDerivation rec {
DESTDIR=$(out)
'';
# The tests "drain" entropy (GnuPG still uses /dev/random) and they don't run
# inside of the sandbox, because nixbld isn't allowed to login via SSH
# (/etc/passwd: "nixbld:x:1000:100:Nix build user:/build:/noshell",
# sshd: "User nixbld not allowed because shell /noshell does not exist").
# The tests should be run (and succeed) when making changes to this package
# but they aren't enabled by default because they "drain" entropy (GnuPG
# still uses /dev/random).
doCheck = false;
preCheck = ''
preCheck = stdenv.lib.optionalString doCheck ''
patchShebangs tests/
patchShebangs src/
sed -i "s,/usr/sbin/sshd,${openssh}/bin/sshd," tests/basic
sed -i \
-e "s,/usr/sbin/sshd,${opensshUnsafe}/bin/sshd," \
-e "s,/bin/true,${coreutils}/bin/true," \
-e "s,/bin/false,${coreutils}/bin/false," \
-e "s,openssl\ req,${openssl}/bin/openssl req," \
tests/basic
sed -i "s/<(hd/<(hexdump/" tests/keytrans
'';
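Review bot: `disallowedRequisites = [ opensshUnsafe ]` in the first hunk only checks the runtime closure of the outputs, so it fails the build if the patched sshd's store path leaks into `$out`; it does not restrict which phase may use it, and the comment "MUST NOT be used (except in the check phase)" reads as if it enforced that. I would make the comment state the actual guarantee, e.g. `# disallowedRequisites makes the build fail if the patched OpenSSH ends up in the runtime closure of $out; it is only meant for the check phase.` The rewritten `preCheck` in the third hunk writes `${opensshUnsafe}/bin/sshd` into tests/basic, which is exactly the leak this guard would catch if the test tree were ever installed, so a one-line comment there pointing back to the guard (`# store path of the patched sshd: must stay out of $out, see disallowedRequisites`) would help the next maintainer. The `mkDerivation` attribute set continues outside the hunk.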


@ -0,0 +1,17 @@
diff --git a/auth.c b/auth.c
index d2a8cd65..811a129f 100644
--- a/auth.c
+++ b/auth.c
@@ -580,6 +580,12 @@ getpwnamallow(const char *user)
#endif
pw = getpwnam(user);
+ if (pw != NULL) {
+ // This is only for testing purposes,
+ // DO NOT USE THIS PATCH IN PRODUCTION!
+ char *shell = "/bin/sh";
+ pw->pw_shell = shell;
+ }
#if defined(_AIX) && defined(HAVE_SETAUTHDB)
aix_restoreauthdb();
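Review bot: The added block overrides `pw_shell` for every account sshd looks up, not only the sandbox build user, so nothing inside the patch limits it to the test setup; the only scoping is the Nix expression that applies it. The patch file has no preamble, so I would add a few lines above `diff --git` stating the purpose, the OpenSSH version the hunk was taken from (so a failed apply on an OpenSSH update is understood rather than worked around), and that it is applied only to the `opensshUnsafe` derivation used in `checkPhase` and guarded by `disallowedRequisites`. As a style point, the inserted lines use `//` comments and a throwaway local, which I believe does not match the `/* */` style of the surrounding OpenSSH sources; `pw->pw_shell = "/bin/sh"; /* testing only, never ship this patch */` says the same in one line. `getpwnamallow` continues outside the hunk.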