From b73a2c2aa4abff718f86b72f70a8f95525c4e05e Mon Sep 17 00:00:00 2001 From: Ximon Eighteen <3304436+ximon18@users.noreply.github.com> Date: Fri, 9 Aug 2024 10:54:39 +0200 Subject: [PATCH] Proof-of-concept use of Ploutos to create RPM and DEB packages (#72) * WIP * WIP * Test DEB too. * Move package.metadata to the workspace member Cargo.toml because cargo read-manifest complains otherwise about missing package.name in the root Cargo.toml. * Install clang for libclang needed by sudo-pam-sys build.rs. * Add copyright needed by cargo-deb. * Move copyright key to correct TOML table? * Add maintainer key needed by cargo-deb. * Install libclang for Debian/Ubuntu builds. * Also install libpam-dev. * Maintainer must contain an email address or else Lintian complains with error malformed-contact. * Extended description must be defined or else Lintian complains with error extended-description-is-empty. * Add a test script. * Setuid in DEB as well as RPM packages. * Should the paths be relative to the workspace root? * Use workspace inheritance and standard Cargo settings where possible instead of custom packaging tool settings. * Fix rpmlint warning 'invalid-license Apache-2.0' by using the correct license string. * TOML syntax fix. * Work around apt error 'E: Packages were downgraded and -y was used without --allow-downgrades.' presumably due to existing sudo package by same name but higher version. * Oops, don't break Cargo workspace project relationship. * Package conflicts with existing sudo package, but presumably test install still fails when the original sudo package is present. * Ah cargo-deb *does* support Breaks and Replaces. * Play nicely with the existing sudo package. * Fix path to maintainer-scripts. * Use the release Ploutos v7. --- .github/workflows/pkg.yml | 23 +++++++++++++++++++++++ Cargo.toml | 2 ++ pkg/deb/postinst | 2 ++ pkg/rpm/scriptlets.toml | 4 ++++ pkg/test-scripts/test-sudo-rs.sh | 10 ++++++++++ sudo/Cargo.toml | 28 ++++++++++++++++++++++++++++ 6 files changed, 69 insertions(+) create mode 100644 .github/workflows/pkg.yml create mode 100644 pkg/deb/postinst create mode 100644 pkg/rpm/scriptlets.toml create mode 100755 pkg/test-scripts/test-sudo-rs.sh diff --git a/.github/workflows/pkg.yml b/.github/workflows/pkg.yml new file mode 100644 index 000000000..afc2e20d5 --- /dev/null +++ b/.github/workflows/pkg.yml @@ -0,0 +1,23 @@ +on: + push: + workflow_dispatch: + +jobs: + package: + uses: NLnetLabs/ploutos/.github/workflows/pkg-rust.yml@v7 + with: + workspace_package: sudo + + package_build_rules: | + pkg: sudo-rs + image: + - "rockylinux:8" + - "ubuntu:jammy" + target: x86_64 + + package_test_scripts_path: pkg/test-scripts/test-sudo-rs.sh + + deb_extra_build_packages: libclang-dev libpam-dev + + rpm_extra_build_packages: pam-devel clang + rpm_scriptlets_path: pkg/rpm/scriptlets.toml diff --git a/Cargo.toml b/Cargo.toml index dce9822bd..7b330d111 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -19,6 +19,8 @@ license = "Apache-2.0 OR MIT" edition = "2021" repository = "https://github.com/memorysafety/sudo-rs" homepage = "https://github.com/memorysafety/sudo-rs" +description = "A memory safe implementation of sudo and su" +readme = "README.md" publish = true [workspace.dependencies] diff --git a/pkg/deb/postinst b/pkg/deb/postinst new file mode 100644 index 000000000..e9c777ad9 --- /dev/null +++ b/pkg/deb/postinst @@ -0,0 +1,2 @@ +#!/bin/bash -e +chmod +s /usr/bin/sudo-rs diff --git a/pkg/rpm/scriptlets.toml b/pkg/rpm/scriptlets.toml new file mode 100644 index 000000000..6b660c7a4 --- /dev/null +++ b/pkg/rpm/scriptlets.toml @@ -0,0 +1,4 @@ +post_install_script = ''' +#!/bin/bash -e +chmod +s /usr/bin/sudo-rs +''' diff --git a/pkg/test-scripts/test-sudo-rs.sh b/pkg/test-scripts/test-sudo-rs.sh new file mode 100755 index 000000000..bff9fc916 --- /dev/null +++ b/pkg/test-scripts/test-sudo-rs.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -eo pipefail +set -x + +case $1 in + post-install|post-upgrade) + [[ $(find /usr/bin/sudo-rs -perm -g=s -exec echo SUDO-RS-HAS-SETUID \;) == "SUDO-RS-HAS-SETUID" ]] + ;; +esac diff --git a/sudo/Cargo.toml b/sudo/Cargo.toml index 1d14c0612..30f6097c7 100644 --- a/sudo/Cargo.toml +++ b/sudo/Cargo.toml @@ -6,6 +6,8 @@ license.workspace = true repository.workspace = true homepage.workspace = true publish.workspace = true +readme.workspace = true +description.workspace = true categories = ["command-line-interface"] [dependencies] @@ -14,3 +16,29 @@ sudo-system.workspace = true sudo-cli.workspace = true sudoers.workspace = true sudo-pam.workspace = true + +[package.metadata.deb] +name = "sudo-rs" +copyright = "Copyright (c) 2022-2023 Internet Security Research Group" +maintainer = "Prossimo (ISRG) " +maintainer-scripts = "../pkg/deb/" +# Until we think it is safe to actually replace the real sudo package, don't +# mark it as breaking or replacing the real sudo package and don't attempt to +# overwrite /usr/bin/sudo, instead explicitly via assets install it under new +# name /usr/bin/sudo-rs +#breaks = "sudo" +#replaces = "sudo" +assets = [ + ["target/release/sudo", "/usr/bin/sudo-rs", "755"] +] + +[package.metadata.generate-rpm] +# See: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses +license = "ASL 2.0" +# Until we think it is safe to actually replace the real sudo package, don't +# mark it as obsoleting the real sudo package and don't attempt to overwrite +# /usr/bin/sudo, instead install it under new name /usr/bin/sudo-rs. +#obsoletes = "sudo" +assets = [ + { source = "target/release/sudo", dest = "/usr/bin/sudo-rs", mode = "755" } +]