unix-privesc-check: init at 1.4

2 files changed, 107 insertions, 0 deletions

diff --git a/pkgs/by-name/un/unix-privesc-check/package.nix b/pkgs/by-name/un/unix-privesc-check/package.nix
new file mode 100644
index 000000000000..5ac7a6d29de1
--- /dev/null
+++ b/pkgs/by-name/un/unix-privesc-check/package.nix
@@ -0,0 +1,87 @@
+{ lib
+, resholve
+, fetchurl
+, gawk
+, bash
+, binutils
+, coreutils
+, file
+, findutils
+, glibc
+, gnugrep
+, gnused
+, nettools
+, openssh
+, postgresql
+, ps
+, util-linux
+, which
+}:
+
+# resholve does not yet support `finalAttrs` call pattern hence `rec`
+# https://github.com/abathur/resholve/issues/107
+resholve.mkDerivation rec {
+  pname = "unix-privesc-check";
+  version = "1.4";
+
+  src = fetchurl {
+    url = "https://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-${version}.tar.gz";
+    hash = "sha256-4fhef2n6ut0jdWo9dqDj2GSyHih2O2DOLmGBKQ0cGWk=";
+  };
+
+  patches = [
+    ./unix-privesc-check.patch # https://github.com/NixOS/nixpkgs/pull/287629#issuecomment-1944428796
+  ];
+
+  solutions = {
+    unix-privesc-check = {
+      scripts = [ "bin/unix-privesc-check" ];
+      interpreter = "${bash}/bin/bash";
+      inputs = [
+        gawk
+        bash
+        binutils # for strings command
+        coreutils
+        file
+        findutils # for xargs command
+        glibc  # for ldd command
+        gnugrep
+        gnused
+        nettools
+        openssh
+        postgresql # for psql command
+        ps
+        util-linux # for swapon command
+        which
+      ];
+      fake = {
+        external = [
+            "lanscan" # lanscan exists only for HP-UX OS
+            "mount" # Getting same error described in https://github.com/abathur/resholve/issues/29
+            "passwd" # Getting same error described in https://github.com/abathur/resholve/issues/29
+        ];
+      };
+      execer = [
+        "cannot:${glibc.bin}/bin/ldd"
+        "cannot:${postgresql}/bin/psql"
+        "cannot:${openssh}/bin/ssh-add"
+        "cannot:${util-linux.bin}/bin/swapon"
+      ];
+    };
+  };
+
+  installPhase = ''
+    runHook preInstall
+    install -Dm 755 unix-privesc-check $out/bin/unix-privesc-check
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "Find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps";
+    mainProgram = "unix-privesc-check";
+    homepage = "https://pentestmonkey.net/tools/audit/unix-privesc-check";
+    maintainers = with maintainers; [ d3vil0p3r ];
+    platforms = platforms.unix;
+    license = licenses.gpl2Plus;
+  };
+}
diff --git a/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch b/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch
new file mode 100644
index 000000000000..e0d3ab0bff56
--- /dev/null
+++ b/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch
@@ -0,0 +1,20 @@
+--- a/unix-privesc-check	2024-02-14 20:21:24.725453661 +0100
++++ b/unix-privesc-check	2024-02-14 20:21:46.577446690 +0100
+@@ -484,17 +484,6 @@
+ # Set path so we can access usual directories.  HPUX and some linuxes don't have sbin in the path.
+ PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH
+ 
+-# Check dependent programs are installed
+-# Assume "which" is installed!
+-PROGS="ls awk grep cat mount xargs file ldd strings"
+-for PROG in $PROGS; do
+-	which $PROG 2>&1 > /dev/null
+-	if [ ! $? = "0" ]; then
+-		echo "ERROR: Dependend program '$PROG' is mising.  Can't run.  Sorry!"
+-		exit 1
+-	fi
+-done
+-
+ banner
+ 
+ section "Recording hostname"