nodejs: prevent calling setgroups(), setuid(), setgid()

These syscalls are blocked by seccomp.
This commit is contained in:
Leonid Pliushch 2019-09-23 01:41:28 +03:00
parent 2ddfca3aa1
commit 0eacbc0a93
2 changed files with 32 additions and 0 deletions

View File

@ -2,6 +2,7 @@ TERMUX_PKG_HOMEPAGE=https://nodejs.org/
TERMUX_PKG_DESCRIPTION="Platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications"
TERMUX_PKG_LICENSE="MIT"
TERMUX_PKG_VERSION=12.10.0
TERMUX_PKG_REVISION=1
TERMUX_PKG_SRCURL=https://nodejs.org/dist/v${TERMUX_PKG_VERSION}/node-v${TERMUX_PKG_VERSION}.tar.xz
TERMUX_PKG_SHA256=2515b87c60921f22514a58830e86e54831daa2453d0e82f2ed7ab02134ee30cd
# Note that we do not use a shared libuv to avoid an issue with the Android

View File

@ -0,0 +1,31 @@
diff -uNr node-v12.10.0/deps/uv/src/unix/process.c node-v12.10.0.mod/deps/uv/src/unix/process.c
--- node-v12.10.0/deps/uv/src/unix/process.c 2019-09-04 18:36:23.000000000 +0300
+++ node-v12.10.0.mod/deps/uv/src/unix/process.c 2019-09-23 01:39:39.069030779 +0300
@@ -351,27 +351,6 @@
_exit(127);
}
- if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
- /* When dropping privileges from root, the `setgroups` call will
- * remove any extraneous groups. If we don't call this, then
- * even though our uid has dropped, we may still have groups
- * that enable us to do super-user things. This will fail if we
- * aren't root, so don't bother checking the return value, this
- * is just done as an optimistic privilege dropping function.
- */
- SAVE_ERRNO(setgroups(0, NULL));
- }
-
- if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) {
- uv__write_int(error_fd, UV__ERR(errno));
- _exit(127);
- }
-
- if ((options->flags & UV_PROCESS_SETUID) && setuid(options->uid)) {
- uv__write_int(error_fd, UV__ERR(errno));
- _exit(127);
- }
-
if (options->env != NULL) {
environ = options->env;
}