From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1643347643.e0862b8a3b3df10038b5dea127018415cdb94f63.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-apps/util-linux/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-apps/util-linux/util-linux-2.37.3-r1.ebuild sys-apps/util-linux/util-linux-9999.ebuild
X-VCS-Directories: sys-apps/util-linux/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: e0862b8a3b3df10038b5dea127018415cdb94f63
X-VCS-Branch: master
Date: Fri, 28 Jan 2022 05:30:44 +0000 (UTC)

commit:     e0862b8a3b3df10038b5dea127018415cdb94f63
Author:     Sam James gentoo org>
AuthorDate: Fri Jan 28 05:27:23 2022 +0000
Commit:     Sam James gentoo org>
CommitDate: Fri Jan 28 05:27:23 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0862b8a

sys-apps/util-linux: force installed su(1) to be suid

su(1) is almost useless without suid and on balance, it's more likely that
people will have USE="-suid" in make.conf (globally) rather than desperately
wanting to strip su(1) of its suid bits.

This avoids such users having a "broken" (or dysfunctional) su(1).

Users wishing to truly have a no-suid su(1) can e.g. use Portage's 'suidctl'
feature or strip it out via e.g. a bashrc hook.

Note that shadow's su(1) (the default implementation until recently) always
forced suid su anyway.

Closes: https://bugs.gentoo.org/832092
Signed-off-by: Sam James gentoo.org> ...nux-9999.ebuild => util-linux-2.37.3-r1.ebuild} | 23 +++++++++++++++++++++- sys-apps/util-linux/util-linux-9999.ebuild | 16 +++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/sys-apps/util-linux/util-linux-9999.ebuild b/sys-apps/util-linux/util-linux-2.37.3-r1.ebuild similarity index 91% copy from sys-apps/util-linux/util-linux-9999.ebuild copy to sys-apps/util-linux/util-linux-2.37.3-r1.ebuild index 3fdf6c85b949..bc61b04a195e 100644 --- a/sys-apps/util-linux/util-linux-9999.ebuild +++ b/sys-apps/util-linux/util-linux-2.37.3-r1.ebuild @@ -16,7 +16,7 @@ if [[ ${PV} == 9999 ]] ; then EGIT_REPO_URI="https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git" else [[ "${PV}" = *_rc* ]] || \ - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" + KEYWORDS="~alpha amd64 arm ~arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux" SRC_URI="https://www.kernel.org/pub/linux/utils/util-linux/v${PV:0:4}/${MY_P}.tar.xz" fi @@ -84,6 +84,18 @@ RESTRICT="!test? ( test )" S="${WORKDIR}/${MY_P}" +PATCHES=( + "${FILESDIR}"/${PN}-2.37.1-agetty_ctrl-c_erase.patch #804972 + "${FILESDIR}"/${PN}-2.37.2-ioctl_ns-test-hang.patch # upstream test hang patch +) + +pkg_pretend() { + if use su && ! use suid ; then + elog "su will be installed as suid despite USE=-suid (bug #832092)" + elog "To use su without suid, see e.g. Portage's suidctl feature." + fi +} + src_prepare() { default 
@@ -291,6 +303,15 @@ multilib_src_install_all() { newpamd "${FILESDIR}/su-l.pamd" su-l fi + if use su && ! use suid ; then + # Always force suid su, even when USE=-suid, as su is useless + # for the overwhelming-majority case without suid. + # Users who wish to truly have a no-suid su can strip it out + # via e.g. Portage's suidctl or some other hook. + # See bug #832092 + fperms u+s /bin/su + fi + # Note: # Bash completion for "runuser" command is provided by same file which # would also provide bash completion for "su" command. However, we don't diff --git a/sys-apps/util-linux/util-linux-9999.ebuild b/sys-apps/util-linux/util-linux-9999.ebuild index 3fdf6c85b949..658e0639ff89 100644 --- a/sys-apps/util-linux/util-linux-9999.ebuild +++ b/sys-apps/util-linux/util-linux-9999.ebuild @@ -84,6 +84,13 @@ RESTRICT="!test? ( test )" S="${WORKDIR}/${MY_P}" +pkg_pretend() { + if use su && ! use suid ; then + elog "su will be installed as suid despite USE=-suid (bug #832092)" + elog "To use su without suid, see e.g. Portage's suidctl feature." + fi +} + src_prepare() { default @@ -291,6 +298,15 @@ multilib_src_install_all() { newpamd "${FILESDIR}/su-l.pamd" su-l fi + if use su && ! use suid ; then + # Always force suid su, even when USE=-suid, as su is useless + # for the overwhelming-majority case without suid. + # Users who wish to truly have a no-suid su can strip it out + # via e.g. Portage's suidctl or some other hook. + # See bug #832092 + fperms u+s /bin/su + fi + # Note: # Bash completion for "runuser" command is provided by same file which # would also provide bash completion for "su" command. However, we don't
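Review bot: The KEYWORDS line in util-linux-2.37.3-r1.ebuild marks amd64, arm, hppa, ppc and ppc64 as stable, yet the commit message says nothing about this revision going straight to stable. Since -r1 changes the installed mode of a privileged binary, please state in the commit message that the stable keywords are intentionally kept so that stable users get the fix, or drop back to ~arch if that was not intended.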
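Review bot: In pkg_pretend() (both ebuilds) the notice that an explicit USE=-suid is being overridden is emitted with elog, which is easy to miss for a change that installs a setuid-root binary against the user's stated preference. Consider ewarn instead, and name the affected path (/bin/su) in the message so that users who follow the suidctl hint know which file to list.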
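Review bot: In the multilib_src_install_all() hunks, `fperms u+s /bin/su` is guarded by `use su && ! use suid`, so the ebuild sets the bit itself only in the USE=-suid case and relies on code outside the visible lines for USE=suid. Because the comment says su is always forced suid, guarding on `use su` alone would keep the mode decision in one place and make the result independent of what the build system installs. The hard-coded /bin/su also deserves a short comment stating that su is always installed at that path, since fperms fails the build if the file is missing.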
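Review bot: The diffstat lists only the two ebuilds, so the meaning of the suid flag for this package changes without a matching documentation update. After this commit USE=-suid no longer applies to su, and the only place that says so is the elog text and an in-ebuild comment; a per-package flag description in metadata.xml stating that su stays setuid regardless would make the exception visible to anyone auditing setuid binaries through USE flags.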