Merged
Conversation
Bot-wxt1221
pushed a commit
that referenced
this pull request
Aug 26, 2024
Strongly inspired by the forgejo counterpart[1], for the following
reasons:
* The feature is broken with the current module and crashes on
authentication with the following stacktrace (with a PAM service
`gitea` added):
server # Stack trace of thread 1008:
server # #0 0x00007f3116917dfb __nptl_setxid (libc.so.6 + 0x8ddfb)
server # #1 0x00007f3116980ae6 setuid (libc.so.6 + 0xf6ae6)
server # #2 0x00007f30cc80f420 _unix_run_helper_binary (pam_unix.so + 0x5420)
server # #3 0x00007f30cc8108c9 _unix_verify_password (pam_unix.so + 0x68c9)
server # #4 0x00007f30cc80e1b5 pam_sm_authenticate (pam_unix.so + 0x41b5)
server # #5 0x00007f3116a84e5b _pam_dispatch (libpam.so.0 + 0x3e5b)
server # #6 0x00007f3116a846a3 pam_authenticate (libpam.so.0 + 0x36a3)
server # #7 0x00000000029b1e7a n/a (.gitea-wrapped + 0x25b1e7a)
server # #8 0x000000000047c7e4 n/a (.gitea-wrapped + 0x7c7e4)
server # ELF object binary architecture: AMD x86-64
server #
server # [ 42.420827] gitea[897]: pam_unix(gitea:auth): unix_chkpwd abnormal exit: 159
server # [ 42.423142] gitea[897]: pam_unix(gitea:auth): authentication failure; logname= uid=998 euid=998 tty= ruser= rhost= user=snenskek
It only worked after turning off multiple sandbox settings and adding
`shadow` as supplementary group to `gitea.service`.
I'm not willing to maintain additional multiple sandbox settings for
different features, especially given that it was probably not used for
quite a long time:
* There was no PR or bugreport about sandboxing issues related to
PAM.
* Ever since the module exists, it used the user `gitea`, i.e. it had
never read-access to `/etc/shadow`.
* Upstream has it disabled by default[2].
If somebody really needs it, it can still be brought back by an overlay
updating `tags` accordingly and modifying the systemd service config.
[1] 07641a9
[2] https://docs.gitea.com/usage/authentication#pam-pluggable-authentication-module
Bot-wxt1221
pushed a commit
that referenced
this pull request
Dec 8, 2024
Added bolt-launcher, an alternative launcher for Runescape 3 / Old School Runescape. https://github.com/Adamcake/Bolt/releases/tag/0.9.0 bolt-launcher: add plugin loader for rs3 Building the app with luajit, which allows for Runescape 3 plugin loading. bolt-launcher: add runescape 3 dependencies Added Runescape 3 dependencies inside the buildFHSEnv, so that it can be used by the binary (downloaded from the internet by bolt-launcher itself, hence why the fhs env is needed here). bolt-launcher: fix dependency issues Added libbolt-plugin.so into $out/lib, which allows the program to use the Runescape 3 plugin loader. Also updated the mainProgram as well as runScript so that the program can be ran from nix run instead of just being able to be ran manually. Add feature flags for RS3 and HDOSAndRuneLite as well as .desktop and icon file support (#1) * Add enable flags for RS3 and HDOSAndRuneLite * Add .desktop and icon * Fix formatting w/ nixfmt * Remove enableHDOSAndRuneLite feature flag * Fix formatting Co-authored-by: Thomas King <thomas@tomking.io>
Bot-wxt1221
pushed a commit
that referenced
this pull request
Dec 17, 2024
Driving NixOS#237216 forward.
Bot-wxt1221
pushed a commit
that referenced
this pull request
Dec 17, 2024
Bot-wxt1221
pushed a commit
that referenced
this pull request
Jan 6, 2025
nixosTests.cryptpad started failing recently. Investigating the issue shows that seccomp has become problematic during the init phase, (e.g. this can be reproduced by removing the customize directory in /var/lib/cryptpad): machine # [ 10.774365] systemd-coredump[864]: Process 756 (node) of user 65513 dumped core. machine # machine # Module libgcc_s.so.1 without build-id. machine # Module libstdc++.so.6 without build-id. machine # Module libicudata.so.74 without build-id. machine # Module libicuuc.so.74 without build-id. machine # Module libicui18n.so.74 without build-id. machine # Module libz.so.1 without build-id. machine # Module node without build-id. machine # Stack trace of thread 756: machine # #0 0x00007ff951974dcb fchown (libc.so.6 + 0x107dcb) machine # #1 0x00007ff95490d0c0 uv__fs_copyfile (libuv.so.1 + 0x150c0) machine # #2 0x00007ff95490d89a uv__fs_work (libuv.so.1 + 0x1589a) machine # #3 0x00007ff954910c76 uv_fs_copyfile (libuv.so.1 + 0x18c76) machine # #4 0x0000000000eb8a39 _ZN4node2fsL8CopyFileERKN2v820FunctionCallbackInfoINS1_5ValueEEE (node + 0xab8a39) machine # #5 0x0000000001cda5e2 Builtins_CallApiCallbackGeneric (node + 0x18da5e2) [...] machine # [ 10.877468] cryptpad[685]: /nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/bin/cryptpad: line 3: 756 Bad system call (core dumped) "/nix/store/fkyp1bm5gll9adnfcj92snyym524mdrj-nodejs-22.11.0/bin/node" "/nix/store/h4yhhxpfm03c5rgz91q7jrvknh596ly2-cryptpad-2024.12.0/lib/node_modules/cryptpad/scripts/build.js" nodejs 20.18 rightly did not require chown when the source and destination are the same owner (heck, the script does not run as root so even if it is not blocked there is no way it'd work with a different owner...) For now just allow chown calls again, this is not worth wasting more time. Fixes NixOS#370717
Bot-wxt1221
pushed a commit
that referenced
this pull request
Feb 18, 2025
This test crashes the python interpreter in libx265_encode_stream: ``` #0 0x00007feefe2a7a7e in free () from /nix/store/81mi7m3k3wsiz9rrrg636sx21psj20hc-glibc-2.40-66/lib/libc.so.6 No symbol table info available. #1 0x00007fee98059295 in av_free (ptr=<optimized out>) at libavutil/mem.c:243 No locals. #2 0x00007fee98059352 in av_freep (arg=<optimized out>) at libavutil/mem.c:253 val = <optimized out> #3 0x00007fee997a4713 in libx265_encode_frame (avctx=<optimized out>, pkt=<optimized out>, pic=<optimized out>, got_packet=0x7ffe35c7e3f4) at libavcodec/libx265.c:821 [...] #4 0x00007fee99526ff6 in ff_encode_encode_cb (avctx=avctx@entry=0x16d1f00, avpkt=avpkt@entry=0x16ad440, frame=0x16f5e80, got_packet=got_packet@entry=0x7ffe35c7e3f4) at libavcodec/encode.c:254 codec = 0x7fee9a25e5c0 <ff_libx265_encoder> [...] ```
Bot-wxt1221
pushed a commit
that referenced
this pull request
Feb 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of changes
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.