Summary: | sys-libs/ncurses: consider passing --disable-setuid-environ | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Sam James <sam> |
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ionen |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: |
https://bugs.gentoo.org/show_bug.cgi?id=904247 https://github.com/kovidgoyal/kitty/issues/6842 |
||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Sam James
2024-04-28 03:37:23 UTC
I think I'll likely chuck this in to 6.5 but I wanted to file this so the reasoning was clear. There's also: * --disable-root-access --disable-root-access Compile with environment restriction, so most file-access is limited when running as root, or via a setuid/setgid application. * --disable-root-environ Compile with environment restriction, so certain environment variables are not available when running as root. These are (for example $TERMINFO) those that allow the search path for the terminfo or termcap entry to be customized. Disabling the root environment variables also disables the setuid environment variables by default. Use the --disable-setuid-environ option to modify this behavior. (In reply to Sam James from comment #2) > There's also: > * --disable-root-access > > --disable-root-access > Compile with environment restriction, so most file-access is limited > when running as root, or via a setuid/setgid application. > https://github.com/kovidgoyal/kitty/issues/6842 ... so maybe we'll leave it for now, or reserve --disable-root-access + --disable-root-environ for USE=hardened. The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ef4afbd75c2c6e8262d2de04930398dfbce1d1bc commit ef4afbd75c2c6e8262d2de04930398dfbce1d1bc Author: Sam James <sam@gentoo.org> AuthorDate: 2024-04-28 03:49:27 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-04-28 04:02:12 +0000 sys-libs/ncurses: tweaks to 6.5 * Cleanup PATCH_DATES as new release means starting anew * Cleanup whitespace left over from opaque settings * Pass --enable-fvisibility * Pass --disable-setuid-environ (bug #930806) * Add a TODO wrt gpm/PDEPEND/circular dep Closes: https://bugs.gentoo.org/930806 Signed-off-by: Sam James <sam@gentoo.org> .../{ncurses-6.5.ebuild => ncurses-6.5-r1.ebuild} | 85 ++++------------------ 1 file changed, 14 insertions(+), 71 deletions(-) As far as kitty goes, should ideally rely on installing the kitty-terminfo package on the remote distro, which I'd assume users can do if they have root access. Not to say whether should enable this or not, but I think it's not much of a blocker. kitty does implement a lot of hacks (including for shell integration) that try to workaround the fact distros haven't setup the files it needs (either local or remotely) that are otherwise unneeded. Albeit, if enabled, it indeed probably wouldn't hurt to have a way to disable it for the few users that really want this. So USE=hardened or something else that could be default-on everywhere could be fine. (In reply to Ionen Wolkens from comment #6) > Albeit, if enabled, it indeed probably wouldn't hurt to have a way to > disable it for the few users that really want this. So USE=hardened or > something else that could be default-on everywhere could be fine. ..then again, I could imagine the place where it may annoy the most people are things are like install cds, and likely wouldn't want it to be a default there. |