It ships with setuid-root permissions just to mlockall(2) before dropping privileges; no idea what's going on with Linux, but on OpenBSD this syscall does not need root, so replace their whole dance with a single #ifdef'd mlockall() and ship the program with default permissions.
I don't use this, but consider upstream's "secure" default actively insecure and would like to package one less setuid-root program in our tree.

Feedback? Objection? OK?

Regardless of this, gringotts is already partially broken for me, but perhaps it still works fine for some users? Sometimes it segfaults on start, sometimes it starts, but then displays rectangles instead of letters everywhere:

$ Gringotts версия 1.2.10 (libGringotts 1.2.1)
© 2002 Germano Rizzo <man...@users.sourceforge.net>
выпущено под GNU General Public License (GPL) v.2 или более поздней
Смотрите COPYING или http://www.gnu.org/copyleft/gpl.html

(gringotts:86459): Pango-WARNING **: 13:14:44.848: failed to create cairo scaled font, expect ugly output. the offending font is 'Iosevka 9.9990234375'
(gringotts:86459): Pango-WARNING **: 13:14:44.848: font_face status is: <unknown error status>
(gringotts:86459): Pango-WARNING **: 13:14:44.848: scaled_font status is: out of memory
[these two repeat a few times]

(Uninstalling the Iosevka fonts makes gringotts show actual text, but then my Xfce desktop environment shows rectangles instead of letters...)

Index: Makefile =================================================================== RCS file: /cvs/ports/security/gringotts/Makefile,v diff -u -p -r1.23 Makefile --- Makefile 27 Sep 2023 16:34:31 -0000 1.23 +++ Makefile 18 Nov 2023 12:15:33 -0000 @@ -1,7 +1,7 @@ COMMENT= GTK+2 secure notes manager DISTNAME= gringotts-1.2.10 -REVISION= 4 +REVISION= 5 CATEGORIES= security MAINTAINER= Pierre-Emmanuel Andre <p...@openbsd.org>
@@ -27,5 +27,9 @@ CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/ CONFIGURE_ARGS= --disable-env-check \ --enable-root-filter \ --enable-attach-limit + +post-install: + # mlockall(2) does not need root privileges + chmod -s ${PREFIX}/bin/gringotts .include <bsd.port.mk> Index: patches/patch-src_grg_safe_c =================================================================== RCS file: patches/patch-src_grg_safe_c diff -N patches/patch-src_grg_safe_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_grg_safe_c 13 Nov 2023 12:36:25 -0000 @@ -0,0 +1,27 @@ +Skip all setuid(2) code to avoid u+s permissions, mlockall(2) still works + +Index: src/grg_safe.c +--- src/grg_safe.c.orig ++++ src/grg_safe.c +@@ -95,6 +95,13 @@ static gboolean grg_kver_ge (int a, int b, int c) { + gboolean + grg_mlockall_and_drop_root_privileges(void) + { ++#ifdef __OpenBSD__ ++ if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) { ++ g_critical(_("mlockall: %s"), strerror(errno)); ++ return FALSE; ++ } ++ return TRUE; ++#else + /* drop eventual group root privileges */ + setgid(getgid()); + setgid(getgid()); /* twice for counter "saved IDs", cfr. */ +@@ -181,6 +188,7 @@ grg_mlockall_and_drop_root_privileges(void) + } + + return TRUE; ++#endif /* __OpenBSD__ */ + } + + static void Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/gringotts/pkg/PLIST,v diff -u -p -r1.3 PLIST --- pkg/PLIST 11 Mar 2022 19:53:26 -0000 1.3 +++ pkg/PLIST 13 Nov 2023 12:41:13 -0000 @@ -1,6 +1,4 @@ -@mode 4555 @bin bin/gringotts -@mode share/doc/gringotts/ share/doc/gringotts/FAQ share/doc/gringotts/README
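
Review bot: in the Makefile post-install hunk, the comment above "chmod -s ${PREFIX}/bin/gringotts" says only that mlockall(2) does not need root, but the stronger reason is that patches/patch-src_grg_safe_c puts the whole setgid()/setuid() sequence behind #else, so on OpenBSD a binary that kept its set-id bits would never give them up. Suggest wording the comment to say that, so a later change that restores "@mode 4555" in pkg/PLIST is recognised as needing the patch reverted as well.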
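
Review bot: in the src/grg_safe.c hunk, the __OpenBSD__ branch makes "return FALSE" depend on mlockall(MCL_CURRENT | MCL_FUTURE) succeeding for an unprivileged caller, and the patch does not say how that was tested. Since the call no longer runs as root, it is worth confirming that it succeeds under the default locked-memory resource limit and that allocations made after MCL_FUTURE still work in a GTK program; the "scaled_font status is: out of memory" warnings quoted in the mail would be a reason to check. The hunk also uses strerror(errno) without showing the file's includes, so please confirm <errno.h> and <string.h> are already pulled in.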
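
The approach described in the mail (lock memory as an ordinary user, with no privilege-drop code left in the program), as an added example that is not part of the original mail or of gringotts: a C helper that refuses to continue when the process is running set-id and otherwise calls mlockall(2) unprivileged. The names lock_result, running_setid and lock_memory_unprivileged are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical names throughout; this is not gringotts code. */
enum lock_result { LOCK_OK, LOCK_REFUSED_SETID, LOCK_FAILED };

/* Nonzero when set-user-ID or set-group-ID bits changed our effective IDs. */
static int
running_setid(void)
{
	return getuid() != geteuid() || getgid() != getegid();
}

/*
 * With no privilege-drop code compiled in, a set-id install would keep its
 * extra privileges for the whole run, so refuse before doing anything else.
 */
static enum lock_result
lock_memory_unprivileged(void)
{
	struct rlimit rl;

	if (running_setid()) {
		fprintf(stderr, "refusing to run set-id\n");
		return LOCK_REFUSED_SETID;
	}
	/* Show the per-process locked-memory limit, when one is set. */
	if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
		fprintf(stderr, "RLIMIT_MEMLOCK: %llu bytes\n",
		    (unsigned long long)rl.rlim_cur);
	if (mlockall(MCL_CURRENT | MCL_FUTURE) == -1) {
		fprintf(stderr, "mlockall: %s\n", strerror(errno));
		return LOCK_FAILED;
	}
	return LOCK_OK;
}

int
main(void)
{
	enum lock_result r = lock_memory_unprivileged();

	munlockall();
	return r == LOCK_OK ? 0 : 1;
}
```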