xscreensaver: add suid wrapper patch

This adds a patch for XScreenSaver that ensures that the suid wrapper for xscreensaver-auth is run correctly. The patch is a simple update to drivers/xscreensaver.c that inserts /run/wrappers/bin before the DEFAULT_PATH_PREFIX, which is the directory for xscreensaver hacks/demos, and should be preserved. The wrapper directory can be modified in the derivation, or even disabled. Co-authored-by: Anderson Torres <torres.anderson.85@protonmail.com>
2023-11-23 12:29:34 -08:00 · 2023-11-23 12:29:34 -08:00 · 2034ea01b9
commit 2034ea01b9
parent 45c7026247
2 changed files with 51 additions and 0 deletions
--- a/pkgs/by-name/xs/xscreensaver/package.nix
+++ b/pkgs/by-name/xs/xscreensaver/package.nix
@ -26,6 +26,9 @@
 , systemd
 , forceInstallAllHacks ? true
 , withSystemd ? lib.meta.availableOn stdenv.hostPlatform systemd
+, nixosTests
+, substituteAll
+, wrapperPrefix ? "/run/wrappers/bin"
 }:

 stdenv.mkDerivation (finalAttrs: {
@ -75,6 +78,13 @@ stdenv.mkDerivation (finalAttrs: {
    popd
  '';

+  patches = [
+    (substituteAll {
+      src = ./xscreensaver-wrapper-prefix.patch;
+      inherit wrapperPrefix;
+    })
+  ];
+
  preConfigure = ''
    # Fix installation paths for GTK resources.
    sed -e 's%@GTK_DATADIR@%@datadir@% ; s%@PO_DATADIR@%@datadir@%' \
@ -105,6 +115,10 @@ stdenv.mkDerivation (finalAttrs: {
    cp -f $(find hacks -type f -perm -111 "!" -name "*.*" ) "$out/libexec/xscreensaver"
  '';

+  passthru.tests = {
+    xscreensaver = nixosTests.xscreensaver;
+  };
+
  meta = {
    homepage = "https://www.jwz.org/xscreensaver/";
    description = "A set of screensavers";
--- a/pkgs/by-name/xs/xscreensaver/xscreensaver-wrapper-prefix.patch
+++ b/pkgs/by-name/xs/xscreensaver/xscreensaver-wrapper-prefix.patch
@ -0,0 +1,37 @@
+--- a/driver/xscreensaver.c
+++ b/driver/xscreensaver.c
+@@ -253,6 +253,8 @@
+ #undef MAX
+ #define MAX(x,y)((x)>(y)?(x):(y))
+ 
+/* Define the default wrapper prefix here, for NixOS */
+#define NIXOS_WRAPPER_PREFIX "@wrapperPrefix@"
+ 
+ /* Globals used in this file.
+  */
+@@ -632,12 +634,24 @@ handle_sigchld (Display *dpy, Bool blanked_p)
+ static void
+ hack_environment (void)
+ {
+  static const char *wrapper_path = NIXOS_WRAPPER_PREFIX;
+   static const char *def_path = DEFAULT_PATH_PREFIX;
+   const char *opath = getenv("PATH");
+   char *npath;
+   if (! opath) opath = "/bin:/usr/bin";  /* WTF */
+-  npath = (char *) malloc(strlen(def_path) + strlen(opath) + 20);
+  /* NOTE: The NixOS patch adds extra margin than what would be expected for a
+     single extra ":" PATH separator to account for UTF-32 encoding. The
+     original 20 bytes would have only accounted for UTF-16 safely (the path
+     concatenation would have needed 28 bytes of margin at minimum for UTF-32).
+   */
+  npath = (char *) malloc(strlen(wrapper_path) + strlen(def_path) + strlen(opath) + 32);
+   strcpy (npath, "PATH=");
+  if (wrapper_path && *wrapper_path)
+    {
+      strcat (npath, wrapper_path);
+      strcat (npath, ":");
+    }
+
+   strcat (npath, def_path);
+   strcat (npath, ":");
+   strcat (npath, opath);