Accepting request 1113657 from home:lnussel

new package OBS-URL: https://build.opensuse.org/request/show/1113657 OBS-URL: https://build.opensuse.org/package/show/security/fudo?expand=0&rev=1
2023-09-26 13:37:00 +00:00 · 2023-09-26 13:37:00 +00:00 · ebff6cea9d
commit ebff6cea9d
7 changed files with 172 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/30-fudo-machinectl-shell.rules
+++ b/30-fudo-machinectl-shell.rules
@ -0,0 +1,20 @@
+/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
+
+// create e.g 40-fudo-noauth-xxx and in there set
+// polkit._fudo_noauth_group = "xxx";
+polkit._fudo_noauth_group = null;
+polkit._fudo_selfauth_group = null;
+
+polkit.addRule(function(action, subject) {
+    if (action.id != 'org.freedesktop.machine1.host-shell')
+	  return polkit.Result.NOT_HANDLED;
+
+    if (polkit._fudo_noauth_group && subject.isInGroup(polkit._fudo_noauth_group))
+	  return polkit.Result.YES;
+
+    if (polkit._fudo_selfauth_group && subject.isInGroup(polkit._fudo_selfauth_group))
+	  return polkit.Result.AUTH_SELF;
+
+    return polkit.Result.NOT_HANDLED;
+});
+// vim: syntax=javascript sw=4 et
--- a/50-machinectl-shell-run-env.rules
+++ b/50-machinectl-shell-run-env.rules
@ -0,0 +1,34 @@
+/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Sample config that allows to run /usr/bin/env without arguments as root.
+ * Install e.g. as /etc/polkit-1/rules.d/50-machinectl-shell-run-env.rules
+ */
+
+polkit.addRule(function(action, subject) {
+    if (action.id != 'org.freedesktop.machine1.host-shell')
+	    return polkit.Result.NOT_HANDLED;
+
+    // check whether a user is in a specific group
+    if (!subject.isInGroup("users"))
+	    return polkit.Result.NOT_HANDLED;
+
+    // or alternatively match a specific user
+    user = subject.user;
+    if (user != 'geeko')
+	    return polkit.Result.NOT_HANDLED;
+
+    // just the path to the program that is run. Matching that might be
+    // dangerous as it allows arbitrary arguments then
+    // program = action.lookup('program');
+
+    // using the full command line is better
+    command_line = action.lookup('command_line');
+
+    polkit.log("running \"" + command_line + "\" as " + user);
+    if (command_line == '/usr/bin/env')
+	    return polkit.Result.YES;
+
+    return polkit.Result.NOT_HANDLED;
+});
+// vim: syntax=javascript sw=4 et
--- a/fudo.changes
+++ b/fudo.changes
@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Sep 26 07:57:43 UTC 2023 - Ludwig Nussel <lnussel@suse.com>
+
+- initial package
--- a/fudo.sh
+++ b/fudo.sh
@ -0,0 +1,8 @@
+fudo() {
+	[ "$#" -gt 0 -a "${1:0:1}" != '-' ] || { echo "Usage: ${FUNCNAME[0]} COMMAND [ARGS...]"; return 1; }
+	set -- "$(type -P "$1")" "${@:2}"
+	[ -n "$1" ] || { echo "invalid command" >&2; return 1; }
+	machinectl shell -q .host "$@"
+}
+# take over sudo if the real one is not installed
+type -P sudo >/dev/null || alias sudo=fudo
--- a/fudo.spec
+++ b/fudo.spec
@ -0,0 +1,82 @@
+#
+# spec file for package fudo
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           fudo
+Version:        0
+Release:        0
+Summary:        Fake sudo
+License:        MIT
+Source:         30-fudo-machinectl-shell.rules
+Source1:        fudo.sh
+Source2:        50-machinectl-shell-run-env.rules
+BuildRequires:  polkit
+Requires:       polkit
+Requires:       systemd-container
+
+%description
+Fake sudo leveraging machinctl shell and polkit to be able to
+execute commands as root
+
+- just a few lines of shell and js
+- no setuid program
+- no hard to understand config file
+
+%package policy-noauth-wheel
+Summary:        fudo policy no authentication for wheel group
+Requires:       group(wheel)
+Conflicts:      fudo-policy
+Provides:       fudo-policy
+
+%description policy-noauth-wheel
+Members of the wheel group do not need to authenticate when using
+fudo
+
+%package policy-selfauth-wheel
+Summary:        fudo policy wheel group members use own password
+Requires:       group(wheel)
+Conflicts:      fudo-policy
+Provides:       fudo-policy
+
+%description policy-selfauth-wheel
+Members of the wheel group use their own password to authenticate
+as root
+
+%prep
+%setup -q -c -T
+
+%build
+
+%install
+install -D -m 644 %{SOURCE0} %{buildroot}%{_datadir}/polkit-1/rules.d/30-fudo-machinectl-shell.rules
+install -D -m 644 %{SOURCE1} %{buildroot}%{_prefix}%{_sysconfdir}/profile.d/fudo.sh
+install -D -m 644 %{SOURCE2} %{buildroot}%{_docdir}/50-machinectl-shell-run-env.rules
+echo 'polkit._fudo_noauth_group = "wheel";' > %{buildroot}%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-noauth-wheel.rules
+echo 'polkit._fudo_selfauth_group = "wheel";' > %{buildroot}%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-selfauth-wheel.rules
+
+%files
+%{_docdir}/50-machinectl-shell-run-env.rules
+%{_datadir}/polkit-1/rules.d/30-fudo-machinectl-shell.rules
+%{_prefix}%{_sysconfdir}/profile.d/fudo.sh
+
+%files policy-noauth-wheel
+%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-noauth-wheel.rules
+
+%files policy-selfauth-wheel
+%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-selfauth-wheel.rules
+
+%changelog