authorobadz <obadz-git@obadz.com>2016-08-23 18:50:10 +0100
committerobadz <obadz-git@obadz.com>2016-08-23 18:50:10 +0100
commit8da8aa7ddbf787f480382d6d87dfa8050d0162d8 (patch)
tree118c32d7c09a017934ebd3740913db5c827777e1 /pkgs/tools/networking
parent0e8d2725dcc1aef5c56e63c939249b27190f6367 (diff)
parent17234ca0732b7b7ecadd635ee258da98dd5b36a8 (diff)
Merge branch 'hardened-stdenv' into staging
Diffstat (limited to 'pkgs/tools/networking')
-rw-r--r--pkgs/tools/networking/lsh/default.nix51
-rw-r--r--pkgs/tools/networking/lsh/lshd-no-root-login.patch16
-rw-r--r--pkgs/tools/networking/lsh/pam-service-name.patch14
3 files changed, 81 insertions, 0 deletions
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix
new file mode 100644
index 000000000000..5d788af1682e
--- /dev/null
+++ b/pkgs/tools/networking/lsh/default.nix
@@ -0,0 +1,51 @@
+{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
+, nettools, lsof, procps }:
+
+stdenv.mkDerivation rec {
+  name = "lsh-2.0.4";
+  src = fetchurl {
+    url = "mirror://gnu/lsh/${name}.tar.gz";
+    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
+  };
+
+  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
+
+  preConfigure = ''
+    # Patch `lsh-make-seed' so that it can gather enough entropy.
+    sed -i "src/lsh-make-seed.c" \
+        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
+            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
+            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
+            s|/bin/vmstat|${procps}/bin/vmstat|g ;
+            s|/bin/ps|${procps}/bin/sp|g ;
+            s|/usr/bin/w|${procps}/bin/w|g ;
+            s|/usr/bin/df|$(type -P df)|g ;
+            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
+            s|/usr/bin/uptime|$(type -P uptime)|g"
+
+    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
+    # expected, because it relies on impurities (for instance, /dev/pts may
+    # be unavailable in chroots.)
+    export lsh_cv_sys_unix98_ptys=yes
+  '';
+
+  NIX_CFLAGS_COMPILE = "-std=gnu90";
+
+  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ];
+
+  meta = {
+    description = "GPL'd implementation of the SSH protocol";
+
+    longDescription = ''
+      lsh is a free implementation (in the GNU sense) of the ssh
+      version 2 protocol, currently being standardised by the IETF
+      SECSH working group.
+    '';
+
+    homepage = http://www.lysator.liu.se/~nisse/lsh/;
+    license = stdenv.lib.licenses.gpl2Plus;
+
+    maintainers = [ ];
+    platforms = [ "x86_64-linux" ];
+  };
+}
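Review bot: The `/bin/ps` substitution in `preConfigure` rewrites the path to `${procps}/bin/sp`, which looks like a transposition of `ps`, so `lsh-make-seed` would be pointed at a program that procps does not install. The line should read `s|/bin/ps|${procps}/bin/ps|g ;`. Since the comment above the `sed` call says the purpose is to let `lsh-make-seed` gather enough entropy, a source that cannot be executed works against that goal, and presumably does so without any visible error. The patterns are also unanchored, so `s|/usr/bin/w|` rewrites any longer path that begins with `/usr/bin/w`; check this against `src/lsh-make-seed.c`, which is not visible here. The `$(type -P …)` entries expand to an empty string if the tool is not on the build `PATH`, so a guard such as `test -n "$(type -P df)"` before the `sed` would make that failure explicit.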
diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
new file mode 100644
index 000000000000..9dd81de3fbc1
--- /dev/null
+++ b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
@@ -0,0 +1,16 @@
+Correctly handle the `--no-root-login' option.
+
+--- lsh-2.0.4/src/lshd.c	2006-05-01 13:47:44.000000000 +0200
++++ lsh-2.0.4/src/lshd.c	2009-09-08 12:20:36.000000000 +0200
+@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str
+       self->allow_root = 1;
+       break;
+ 
++    case OPT_NO_ROOT_LOGIN:
++      self->allow_root = 0;
++      break;
++
+     case OPT_KERBEROS_PASSWD:
+       self->pw_helper = PATH_KERBEROS_HELPER;
+       break;
+
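Review bot: The patch header does not record what `lshd` did with `--no-root-login` before this case existed, nor whether the fix was reported upstream, and for an option that gates root logins both belong in the header. I would extend the description with one sentence on the previous behaviour once it is confirmed against the unpatched `main_argp_parser`, plus an upstream-status line. Both the case above and the new `OPT_NO_ROOT_LOGIN` case are plain assignments to `self->allow_root`, so whichever option appears last on the command line wins; a comment such as `/* The last root-login option given on the command line takes effect. */` would make that explicit. The initial value of `allow_root` and the rest of `main_argp_parser` lie outside the hunk, so the default when neither option is given cannot be checked from here.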
diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch
new file mode 100644
index 000000000000..6a6156855c51
--- /dev/null
+++ b/pkgs/tools/networking/lsh/pam-service-name.patch
@@ -0,0 +1,14 @@
+Tell `lsh-pam-checkpw', the PAM password helper program, to use a more
+descriptive service name.
+
+--- lsh-2.0.4/src/lsh-pam-checkpw.c	2003-02-16 22:30:10.000000000 +0100
++++ lsh-2.0.4/src/lsh-pam-checkpw.c	2008-11-28 16:16:58.000000000 +0100
+@@ -38,7 +38,7 @@
+ #include <security/pam_appl.h>
+ 
+ #define PWD_MAXLEN 1024
+-#define SERVICE_NAME "other"
++#define SERVICE_NAME "lshd"
+ #define TIMEOUT 600 
+ 
+ static int
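Review bot: Changing `SERVICE_NAME` to `"lshd"` makes password checks depend on a PAM service entry of that name, and none of the three files in this commit provides or documents one. On Linux-PAM a service without its own configuration is evaluated against the `other` service, so a host lacking an `lshd` entry silently keeps the old policy rather than a dedicated one. The patch header should state the requirement, for example `Requires a PAM service entry named "lshd"; without one PAM falls back to "other".` The function that starts at `static int` continues outside the hunk, so how `SERVICE_NAME` is passed to PAM is not visible here.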