From 9ff63910c4aa625663015af2e31622e72ef9b96d Mon Sep 17 00:00:00 2001
From: Leonid Pliushch
Date: Mon, 23 Sep 2019 01:48:47 +0300
Subject: [PATCH] nodejs-lts: prevent calling setgroups(), setuid(), setgid(
---
 packages/nodejs-lts/build.sh | 1 +
 .../deps-uv-src-unix-process.c.patch | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 packages/nodejs-lts/deps-uv-src-unix-process.c.patch
diff --git a/packages/nodejs-lts/build.sh b/packages/nodejs-lts/build.sh
index 165787615..79f18ef89 100644
--- a/packages/nodejs-lts/build.sh
+++ b/packages/nodejs-lts/build.sh
@@ -2,6 +2,7 @@ TERMUX_PKG_HOMEPAGE=https://nodejs.org/
 TERMUX_PKG_DESCRIPTION="Platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications"
 TERMUX_PKG_LICENSE="MIT"
 TERMUX_PKG_VERSION=10.16.3
+TERMUX_PKG_REVISION=1
 TERMUX_PKG_SRCURL=https://nodejs.org/dist/v${TERMUX_PKG_VERSION}/node-v${TERMUX_PKG_VERSION}.tar.xz
 TERMUX_PKG_SHA256=7bf1123d7415964775b8f81fe6ec6dd5c3c08abb42bb71dfe4409dbeeba26bbd
 # Note that we do not use a shared libuv to avoid an issue with the Android
diff --git a/packages/nodejs-lts/deps-uv-src-unix-process.c.patch b/packages/nodejs-lts/deps-uv-src-unix-process.c.patch
new file mode 100644
index 000000000..bed8b0b2c
--- /dev/null
+++ b/packages/nodejs-lts/deps-uv-src-unix-process.c.patch
@@ -0,0 +1,31 @@
+diff -uNr node-v12.10.0/deps/uv/src/unix/process.c node-v12.10.0.mod/deps/uv/src/unix/process.c
+--- node-v12.10.0/deps/uv/src/unix/process.c 2019-09-04 18:36:23.000000000 +0300
++++ node-v12.10.0.mod/deps/uv/src/unix/process.c 2019-09-23 01:39:39.069030779 +0300
+@@ -351,27 +351,6 @@
+ _exit(127);
+ }
+
+- if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {
+- /* When dropping privileges from root, the `setgroups` call will
+- * remove any extraneous groups. If we don't call this, then
+- * even though our uid has dropped, we may still have groups
+- * that enable us to do super-user things. This will fail if we
+- * aren't root, so don't bother checking the return value, this
+- * is just done as an optimistic privilege dropping function.
+- */
+- SAVE_ERRNO(setgroups(0, NULL));
+- }
+-
+- if ((options->flags & UV_PROCESS_SETGID) && setgid(options->gid)) {
+- uv__write_int(error_fd, UV__ERR(errno));
+- _exit(127);
+- }
+-
+- if ((options->flags & UV_PROCESS_SETUID) && setuid(options->uid)) {
+- uv__write_int(error_fd, UV__ERR(errno));
+- _exit(127);
+- }
+-
+ if (options->env != NULL) {
+ environ = options->env;
+ }
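Review bot: With the three calls removed outright, a spawn that sets UV_PROCESS_SETUID or UV_PROCESS_SETGID now succeeds while the child keeps the parent's uid, gid and supplementary groups, so a caller that requests a different identity in order to drop privileges gets no signal that nothing was dropped. Failing closed would be safer: keep the flag test `if (options->flags & (UV_PROCESS_SETUID | UV_PROCESS_SETGID)) {` and make its body `uv__write_int(error_fd, UV_ENOTSUP);` followed by `_exit(127);`, with a comment giving the reason these syscalls must not be issued on this platform, which the commit does not state. The embedded diff header names node-v12.10.0 while build.sh pins TERMUX_PKG_VERSION=10.16.3, so the `@@ -351,27 +351,6 @@` offsets should be checked against the libuv tree shipped with 10.16.3. The enclosing function begins and ends outside the hunk.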