doas: 6.0 -> 6.6 #74184

r-ryantm · 2019-11-25T18:51:59Z

Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/doas/versions.

meta.description for doas is: '"Executes the given command as another user"'.

meta.homepage for doas is: '"https://github.com/Duncaen/OpenDoas"

Release on GitHub

Compare changes on GitHub

Checks done (click to expand)

built on NixOS
The tests defined in passthru.tests, if any, passed
0 of 0 passed binary check by having a zero exit code.
0 of 0 passed binary check by having the new version present in output.
found 6.6 with grep in /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6
directory tree listing: https://gist.github.com/198c5be2ca3f81921ac909440e6806b4
du listing: https://gist.github.com/afaa608290b67f7c8de95f833e732278

Rebuild report (if merged into master) (click to expand)

3 total rebuild path(s)

1 package rebuild(s)

1 x86_64-linux rebuild(s)
1 i686-linux rebuild(s)
0 x86_64-darwin rebuild(s)
1 aarch64-linux rebuild(s)

First fifty rebuilds by attrpath
doas

Instructions to test this update (click to expand)

Either download from Cachix:

nix-store -r /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6 \
  --option binary-caches 'https://cache.nixos.org/ https://r-ryantm.cachix.org/' \
  --option trusted-public-keys '
  r-ryantm.cachix.org-1:gkUbLkouDAyvBdpBX0JOdIiD2/DP1ldF3Z3Y6Gqcc4c=
  cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  '

(r-ryantm's Cachix cache is only trusted for this store-path realization.)

Or, build yourself:

nix-build -A doas https://github.com/r-ryantm/nixpkgs/archive/6f76b94ef1971050df368d94796ffb36e567a63e.tar.gz

After you've downloaded or built it, look at the files and if there are any, run the binaries:

ls -la /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6
ls -la /nix/store/0fjcg1snr9b2cf867f2c0fklna6ddcx9-doas-6.6/bin

Experimental: CVE security report (click to expand)

CVEs resolved by this update:

CVEs introduced by this update:
none

CVEs present in both versions:
none

cc @cstrahan for testing.

nh2 · 2019-12-16T03:34:30Z

The CVEs mentioned seem to be for https://github.com/slicer69/doas while the package we have at hand is https://github.com/Duncaen/OpenDoas.

ryantm · 2019-12-21T14:49:46Z

@nh2 Thanks. I've added an issue for it and I'll adjust the CVE reporting to exclude these ones.

mokulus · 2020-02-07T22:10:16Z

@cstrahan, @ryantm could any of you merge this? This seems to have been abandoned because of that CVE false positive :/

ryantm · 2020-02-08T01:44:32Z

@mokulus did anyone test it?

mokulus · 2020-02-08T11:04:10Z

I've tested it with
sudo nix-build -A doas https://github.com/r-ryantm/nixpkgs/archive/6f76b94ef1971050df368d94796ffb36e567a63e.tar.gz
, but I cannot use it because of the error:
doas: not installed setuid.

I think it's worth to add to docs that you need to add doas to security.wrappers

mokulus · 2020-02-09T16:08:43Z

There has to be more work done on doas.

doas needs to be installed with uid set -- it should be done automatically, like with sudo or there should be a notice to use security.wrappers.

Makefile also tries to move some files to /etc/pam.d/, which fails. Without pam doas prints Operation not permitted. In journalctl you can then see:

Feb 07 21:19:50 nixos doas[9339]: pam_warn(doas:auth): function=[pam_sm_authenticate] flags=0 service=[doas] terminal=[pts/2] user=[mat] ruser=[mat] rhost=[<unknown>]

Feb 07 21:19:50 nixos doas[9339]: failed auth for mat

So this package needs: something similar to how sudo is installed - it should have 4755 perm and should install this file in /etc/pam.d. There should also be an option to configure /etc/doas.conf or a notice that you should use environment.etc

adisbladis · 2020-05-02T10:44:59Z

This version bump is on master (cherry-picked from #86488).
Let's move the discussion about any work required there.

doas: 6.0 -> 6.6

6f76b94

ofborg bot requested a review from cstrahan November 25, 2019 19:10

ofborg bot added 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 labels Nov 25, 2019

ryantm added the 1.severity: security label Nov 26, 2019

ryantm removed the 1.severity: security label Dec 21, 2019

cole-h mentioned this pull request May 1, 2020

nixos/doas: init #86488

Merged

10 tasks

adisbladis closed this May 2, 2020

r-ryantm deleted the auto-update/doas branch May 3, 2020 15:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

doas: 6.0 -> 6.6 #74184

doas: 6.0 -> 6.6 #74184

r-ryantm commented Nov 25, 2019

nh2 commented Dec 16, 2019

ryantm commented Dec 21, 2019

mokulus commented Feb 7, 2020

ryantm commented Feb 8, 2020

mokulus commented Feb 8, 2020 •

edited

mokulus commented Feb 9, 2020

adisbladis commented May 2, 2020 •

edited

doas: 6.0 -> 6.6 #74184

doas: 6.0 -> 6.6 #74184

Conversation

r-ryantm commented Nov 25, 2019

nh2 commented Dec 16, 2019

ryantm commented Dec 21, 2019

mokulus commented Feb 7, 2020

ryantm commented Feb 8, 2020

mokulus commented Feb 8, 2020 • edited

mokulus commented Feb 9, 2020

adisbladis commented May 2, 2020 • edited

mokulus commented Feb 8, 2020 •

edited

adisbladis commented May 2, 2020 •

edited