From 41cce513ff13c7076d45f514cb9fbd65ffac7a5c Mon Sep 17 00:00:00 2001 From: D3vil0p3r Date: Sat, 10 Feb 2024 02:43:22 +0100 Subject: [PATCH] unix-privesc-check: init at 1.4 --- .../by-name/un/unix-privesc-check/package.nix | 87 +++++++++++++++++++ .../unix-privesc-check.patch | 20 +++++ 2 files changed, 107 insertions(+) create mode 100644 pkgs/by-name/un/unix-privesc-check/package.nix create mode 100644 pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch diff --git a/pkgs/by-name/un/unix-privesc-check/package.nix b/pkgs/by-name/un/unix-privesc-check/package.nix new file mode 100644 index 000000000000..5ac7a6d29de1 --- /dev/null +++ b/pkgs/by-name/un/unix-privesc-check/package.nix @@ -0,0 +1,87 @@ +{ lib +, resholve +, fetchurl +, gawk +, bash +, binutils +, coreutils +, file +, findutils +, glibc +, gnugrep +, gnused +, nettools +, openssh +, postgresql +, ps +, util-linux +, which +}: + +# resholve does not yet support `finalAttrs` call pattern hence `rec` +# https://github.com/abathur/resholve/issues/107 +resholve.mkDerivation rec { + pname = "unix-privesc-check"; + version = "1.4"; + + src = fetchurl { + url = "https://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-${version}.tar.gz"; + hash = "sha256-4fhef2n6ut0jdWo9dqDj2GSyHih2O2DOLmGBKQ0cGWk="; + }; + + patches = [ + ./unix-privesc-check.patch # https://github.com/NixOS/nixpkgs/pull/287629#issuecomment-1944428796 + ]; + + solutions = { + unix-privesc-check = { + scripts = [ "bin/unix-privesc-check" ]; + interpreter = "${bash}/bin/bash"; + inputs = [ + gawk + bash + binutils # for strings command + coreutils + file + findutils # for xargs command + glibc # for ldd command + gnugrep + gnused + nettools + openssh + postgresql # for psql command + ps + util-linux # for swapon command + which + ]; + fake = { + external = [ + "lanscan" # lanscan exists only for HP-UX OS + "mount" # Getting same error described in https://github.com/abathur/resholve/issues/29 + "passwd" # Getting same error described in https://github.com/abathur/resholve/issues/29 + ]; + }; + execer = [ + "cannot:${glibc.bin}/bin/ldd" + "cannot:${postgresql}/bin/psql" + "cannot:${openssh}/bin/ssh-add" + "cannot:${util-linux.bin}/bin/swapon" + ]; + }; + }; + + installPhase = '' + runHook preInstall + install -Dm 755 unix-privesc-check $out/bin/unix-privesc-check + runHook postInstall + ''; + + meta = with lib; { + description = "Find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps"; + mainProgram = "unix-privesc-check"; + homepage = "https://pentestmonkey.net/tools/audit/unix-privesc-check"; + maintainers = with maintainers; [ d3vil0p3r ]; + platforms = platforms.unix; + license = licenses.gpl2Plus; + }; +} diff --git a/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch b/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch new file mode 100644 index 000000000000..e0d3ab0bff56 --- /dev/null +++ b/pkgs/by-name/un/unix-privesc-check/unix-privesc-check.patch @@ -0,0 +1,20 @@ +--- a/unix-privesc-check 2024-02-14 20:21:24.725453661 +0100 ++++ b/unix-privesc-check 2024-02-14 20:21:46.577446690 +0100 +@@ -484,17 +484,6 @@ + # Set path so we can access usual directories. HPUX and some linuxes don't have sbin in the path. + PATH=$PATH:/usr/bin:/bin:/sbin:/usr/sbin; export PATH + +-# Check dependent programs are installed +-# Assume "which" is installed! +-PROGS="ls awk grep cat mount xargs file ldd strings" +-for PROG in $PROGS; do +- which $PROG 2>&1 > /dev/null +- if [ ! $? = "0" ]; then +- echo "ERROR: Dependend program '$PROG' is mising. Can't run. Sorry!" +- exit 1 +- fi +-done +- + banner + + section "Recording hostname"