pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch 0 → 100644 +25 −0 From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Mon, 13 Nov 2023 20:24:54 +0000 Subject: [PATCH] don't sanatize the environment --- checksec | 3 --- 1 file changed, 3 deletions(-) diff --git a/checksec b/checksec index 4fc3c31..135223a 100755 --- a/checksec +++ b/checksec @@ -2,9 +2,6 @@ # Do not edit this file directly, this file is generated from the files # in the src directory. Any updates to this file will be overwritten when generated -# sanitize the environment before run -[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@" - # --- Modified Version --- # Name : checksec.sh # Version : 1.7.0 -- 2.42.0 pkgs/os-specific/linux/checksec/default.nix +54 −8 { lib , stdenv , fetchpatch , fetchFromGitHub , makeWrapper , testers , runCommand # dependencies , binutils , coreutils , curl , elfutils , file , findutils , binutils-unwrapped , gawk , glibc , coreutils , sysctl , gnugrep , gnused , openssl , procps , sysctl , wget , which # tests , checksec }: stdenv.mkDerivation rec { @@ -24,6 +40,13 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch # Tool would sanitize the environment, removing the PATH set by our wrapper. ./0002-don-t-sanatize-the-environment.patch # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version. (fetchpatch { url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch"; hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE="; }) ]; nativeBuildInputs = [
@@ -33,22 +56,45 @@ stdenv.mkDerivation rec { installPhase = let path = lib.makeBinPath [ findutils binutils coreutils curl elfutils file binutils-unwrapped sysctl findutils gawk gnugrep gnused openssl procps sysctl wget which ]; in '' mkdir -p $out/bin install checksec $out/bin substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6 substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" substituteInPlace $out/bin/checksec \ --replace "/bin/sed" "${gnused}/bin/sed" \ --replace "/usr/bin/id" "${coreutils}/bin/id" \ --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6" wrapProgram $out/bin/checksec \ --prefix PATH : ${path} ''; passthru.tests = { version = testers.testVersion { package = checksec; version = "v${version}"; }; debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } '' checksec --debug_report || exit 1 echo "OK" touch $out ''; }; meta = with lib; { description = "Tool for checking security bits on executables"; homepage = "https://www.trapkit.de/tools/checksec/";
pkgs/os-specific/linux/checksec/0002-don-t-sanatize-the-environment.patch 0 → 100644 +25 −0 From 3b047ab4271919856ae0a3dee3a03a24045c0016 Mon Sep 17 00:00:00 2001 From: Paul Meyer <49727155+katexochen@users.noreply.github.com> Date: Mon, 13 Nov 2023 20:24:54 +0000 Subject: [PATCH] don't sanatize the environment --- checksec | 3 --- 1 file changed, 3 deletions(-) diff --git a/checksec b/checksec index 4fc3c31..135223a 100755 --- a/checksec +++ b/checksec @@ -2,9 +2,6 @@ # Do not edit this file directly, this file is generated from the files # in the src directory. Any updates to this file will be overwritten when generated -# sanitize the environment before run -[[ "$(env | /bin/sed -r -e '/^(PWD|SHLVL|_)=/d')" ]] && exec -c "$0" "$@" - # --- Modified Version --- # Name : checksec.sh # Version : 1.7.0 -- 2.42.0
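Review bot: Deleting the `exec -c "$0" "$@"` re-exec removes the only environment reset the script performed, so checksec now runs with every variable the caller exported, and the patch carries no message body recording that trade-off. The reason is given only in default.nix (the wrapper's PATH was being discarded); the patch should state it below the Subject line, for example `The Nix wrapper supplies PATH; the upstream re-exec with an empty environment discards it.` If PATH is the only variable that has to survive, a narrower patch that keeps the reset and exempts PATH would retain more of the upstream hardening. Whether that is workable with the wrapper is not visible from these lines and should be confirmed before adopting it.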
pkgs/os-specific/linux/checksec/default.nix +54 −8 { lib , stdenv , fetchpatch , fetchFromGitHub , makeWrapper , testers , runCommand # dependencies , binutils , coreutils , curl , elfutils , file , findutils , binutils-unwrapped , gawk , glibc , coreutils , sysctl , gnugrep , gnused , openssl , procps , sysctl , wget , which # tests , checksec }: stdenv.mkDerivation rec { @@ -24,6 +40,13 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch # Tool would sanitize the environment, removing the PATH set by our wrapper. ./0002-don-t-sanatize-the-environment.patch # Fix the exit code of debug_report command. Check if PR 226 was merged when upgrading version. (fetchpatch { url = "https://github.com/slimm609/checksec.sh/commit/851ebff6972f122fde5507f1883e268bbff1f23d.patch"; hash = "sha256-DOcVF+oPGIR9VSbqE+EqWlcNANEvou1gV8qBvJLGLBE="; }) ]; nativeBuildInputs = [
@@ -33,22 +56,45 @@ stdenv.mkDerivation rec { installPhase = let path = lib.makeBinPath [ findutils binutils coreutils curl elfutils file binutils-unwrapped sysctl findutils gawk gnugrep gnused openssl procps sysctl wget which ]; in '' mkdir -p $out/bin install checksec $out/bin substituteInPlace $out/bin/checksec --replace /lib/libc.so.6 ${glibc.out}/lib/libc.so.6 substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" substituteInPlace $out/bin/checksec \ --replace "/bin/sed" "${gnused}/bin/sed" \ --replace "/usr/bin/id" "${coreutils}/bin/id" \ --replace "/lib/libc.so.6" "${glibc}/lib/libc.so.6" wrapProgram $out/bin/checksec \ --prefix PATH : ${path} ''; passthru.tests = { version = testers.testVersion { package = checksec; version = "v${version}"; }; debug-report = runCommand "debug-report" { buildInputs = [ checksec ]; } '' checksec --debug_report || exit 1 echo "OK" touch $out ''; }; meta = with lib; { description = "Tool for checking security bits on executables"; homepage = "https://www.trapkit.de/tools/checksec/";
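Review bot: In installPhase, `wrapProgram $out/bin/checksec --prefix PATH : ${path}` only places the pinned store paths first and leaves the caller's PATH behind them. With patch 0002 removing the script's own environment reset, any command checksec runs that is missing from the `makeBinPath` list is resolved from the caller's environment. If the list is meant to be complete, `--set PATH ${path}` would pin resolution to the store paths; if falling back to the caller's PATH is intended, a comment such as `# caller PATH is kept on purpose: <reason>` next to the wrapper call would record that. Separately, the new `--replace "/bin/sed"` may match nothing once 0002 deletes the line that invoked `/bin/sed`; whether the script has other occurrences is not visible here, so it is worth confirming that each substitution still hits.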