#160 add sandboxing support to fink

[Jack Howarth]

The attached patch uses a fink.sb file containing a list of directories to be black-listed in the Apple sandbox. This approach allows the end-user to customized this file if fink builds against /usr/local are desired.

diff -uNr fink-0.41.0/MANIFEST fink-0.41.0.sandbox/MANIFEST
--- fink-0.41.0/MANIFEST        2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0.sandbox/MANIFEST        2016-11-03 13:35:33.000000000 -0400
@@ -24,6 +24,7 @@
 fink.8.in
 fink.conf.5.in
 fink.csh
+fink.sb
 fink.sh
 images/finkDoneFailed.png
 images/finkDonePassed.png
diff -uNr fink-0.41.0/fink.sb fink-0.41.0.sandbox/fink.sb
--- fink-0.41.0/fink.sb 1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0.sandbox/fink.sb 2016-11-03 15:20:32.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
diff -uNr fink-0.41.0/install.sh fink-0.41.0.sandbox/install.sh
--- fink-0.41.0/install.sh      2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0.sandbox/install.sh      2016-11-03 13:36:35.000000000 -0400
@@ -70,6 +70,7 @@

 install -c -p -m 755 postinstall.pl "$basepath/lib/fink/"
 install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/"
+install -c -p -m 644 fink.sb "$basepath/etc/"
 install -c -p -m 644 fink.8 "$basepath/share/man/man8/"
 install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/"
 install -c -p -m 644 images/*.png "$basepath/share/fink/images/"
diff -uNr fink-0.41.0/perlmod/Fink/Services.pm fink-0.41.0.sandbox/perlmod/Fink/Services.pm
--- fink-0.41.0/perlmod/Fink/Services.pm        2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0.sandbox/perlmod/Fink/Services.pm        2016-11-03 15:51:47.000000000 -0400
@@ -594,6 +594,20 @@
                @wrap = map "$_=$ENV{$_}", sort keys %ENV;
                push @wrap, "__CFPREFERENCES_AVOID_DAEMON=1";
                unshift @wrap, 'env' if @wrap;
+               my $sandbox = "$Fink::Config::basepath/etc/fink.sb";
+               if (open my $info, $sandbox) {
+                       my $sandbox_profile = "(version 1) \n";
+                       $sandbox_profile .= "(allow default) \n";
+                       $sandbox_profile .= "(deny file* \n";
+                       while( my $line = <$info>)  {
+                               chomp $line;
+                               $sandbox_profile .= "\t(subpath \"".$line."\"\)\n";
+                       }
+                       $sandbox_profile .= "\)\n";
+                       close $info;
+                       print STDERR $sandbox_profile, "\n" if ($options{debug});
+                       @wrap = (qw| sandbox-exec -p |, $sandbox_profile, @wrap) if -f $sandbox;
+               }
                my $sudo_cmd = "sudo -u " . Fink::Config::build_as_user_group()->{'user'};
                @wrap = (split(' ', $sudo_cmd), @wrap, qw/ sh -c /);
                $wrap_token = "$sudo_cmd [ENV] sh -c ";
diff -uNr fink-0.41.0/t/Services/execute_nonroot_okay.t fink-0.41.0.sandbox/t/Services/execute_nonroot_okay.t
--- fink-0.41.0/t/Services/execute_nonroot_okay.t       2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0.sandbox/t/Services/execute_nonroot_okay.t       2016-11-03 13:38:03.000000000 -0400
@@ -15,6 +15,8 @@
 can_ok('Fink::Config','get_option');   # 4
 can_ok('Fink::Config','set_options');  # 5

+my $config_obj = Fink::Config->new_with_path('basepath/etc/fink.conf');
+
 # need a a safe place to create files

 # OS X 10.2 comes with perl 5.6.0, but File::Temp isn't in core until 5.6.1

The default blacklisting in fink.sb includes /usr/local and /opt/local to avoid any possible interactions with MacPorts.

[Jack Howarth]

Patch to add sandboxing vis fink.sb file of blacklisted directories

[Jack Howarth]

This is also on https://github.com/fink/fink/pull/135.
Also note that the gcc5 and gcc6 packages now require...

Index: gcc5.info
===================================================================
RCS file: /cvsroot/fink/dists/10.9-libcxx/stable/main/finkinfo/languages/gcc5.info,v
retrieving revision 1.9
diff -u -r1.9 gcc5.info
--- gcc5.info   8 Oct 2016 11:03:42 -0000   1.9
+++ gcc5.info   4 Nov 2016 00:05:29 -0000
@@ -71,6 +71,7 @@
    --with-isl=%p \
    --with-mpc=%p \
    --with-system-zlib \
+   --with-local-prefix=\ \
    --program-suffix=-fsf-5
 <<
 InfoTest: <<

and

Index: gcc6.info
===================================================================
RCS file: /cvsroot/fink/dists/10.9-libcxx/stable/main/finkinfo/languages/gcc6.info,v
retrieving revision 1.4
diff -u -r1.4 gcc6.info
--- gcc6.info   8 Oct 2016 20:26:47 -0000   1.4
+++ gcc6.info   4 Nov 2016 00:04:54 -0000
@@ -71,6 +71,7 @@
    --with-isl=%p \
    --with-mpc=%p \
    --with-system-zlib \
+   --with-local-prefix=\ \
    --program-suffix=-fsf-6
 <<
 InfoTest: <<

to avoid a bootstrap failure when configure tries to access /usr/local/include. MacPorts uses this in their Portfiles.

[Jack Howarth]

The completed sandboxing support for the current fink-0.41.0 source base is below...

diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST   2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/MANIFEST        2016-11-05 13:18:29.000000000 -0400
@@ -24,6 +24,8 @@
 fink.8.in
 fink.conf.5.in
 fink.csh
+fink.sb
+fink.sb.5.in
 fink.sh
 images/finkDoneFailed.png
 images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in  2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.8.in       2016-11-05 07:50:59.000000000 -0400
@@ -103,6 +103,19 @@
 .It Cm --no-build-as-nobody
 Force the the unpack, patch, compile, and install phases to be 
 performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to 
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+This is the default unless overridden by a setting of
+.Pa UseSandbox`: false
+in
+.Pa fink.conf
+configuration file.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
 .It Cm -m, --maintainer
 Perform actions useful to package maintainers: run validation on
 the .info file before building and on the .deb after building a
diff -uNr fink-0.41.0.orig/fink.conf.5.in fink-0.41.0/fink.conf.5.in
--- fink-0.41.0.orig/fink.conf.5.in     2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.conf.5.in  2016-11-05 07:52:31.000000000 -0400
@@ -204,6 +204,12 @@
 uses the value of this option in MAKEFLAGS=-j. Running
 .Cm fink configure
 will tell you how many active CPUs/cores are available on your system.
+.It Cm UseSandbox: Ar boolean
+Causes
+.Nm fink
+to execute within a sandbox which blacklists file read access to
+those directories listed in 
+.Pa @PREFIX@/etc/fink.sb
 .It Cm AutoUid: Ar boolean
 This option specifies whether fink should dynamically allocate the UID and GID
 of its unprivileged fink-bld user if that user is absent.
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb    1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0/fink.sb 2016-11-05 07:52:55.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in       1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0/fink.sb.5.in    2016-11-05 13:19:50.000000000 -0400
Jacks-Mac-Pro:Downloads howarth$ vi fink_sandboxing_v2.diff 
Jacks-Mac-Pro:Downloads howarth$ more fink_sandboxing_v2.diff 
diff -uNr fink-0.41.0.orig/MANIFEST fink-0.41.0/MANIFEST
--- fink-0.41.0.orig/MANIFEST   2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/MANIFEST        2016-11-05 13:18:29.000000000 -0400
@@ -24,6 +24,8 @@
 fink.8.in
 fink.conf.5.in
 fink.csh
+fink.sb
+fink.sb.5.in
 fink.sh
 images/finkDoneFailed.png
 images/finkDonePassed.png
diff -uNr fink-0.41.0.orig/fink.8.in fink-0.41.0/fink.8.in
--- fink-0.41.0.orig/fink.8.in  2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.8.in       2016-11-05 07:50:59.000000000 -0400
@@ -103,6 +103,19 @@
 .It Cm --no-build-as-nobody
 Force the the unpack, patch, compile, and install phases to be 
 performed as root.
+.It Cm --build-in-sandbox
+Execute packaging within a sandbox which blacklists read access to 
+those directories listed in
+.Pa @PREFIX@/etc/fink.sb.
+This is the default unless overridden by a setting of
+.Pa UseSandbox`: false
+in
+.Pa fink.conf
+configuration file.
+.It Cm --no-build-in-sandbox
+Don't execute within a sandbox, opposite of the
+.Cm --build-in-sandbox
+flag.
 .It Cm -m, --maintainer
 Perform actions useful to package maintainers: run validation on
 the .info file before building and on the .deb after building a
diff -uNr fink-0.41.0.orig/fink.conf.5.in fink-0.41.0/fink.conf.5.in
--- fink-0.41.0.orig/fink.conf.5.in     2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/fink.conf.5.in  2016-11-05 07:52:31.000000000 -0400
@@ -204,6 +204,12 @@
 uses the value of this option in MAKEFLAGS=-j. Running
 .Cm fink configure
 will tell you how many active CPUs/cores are available on your system.
+.It Cm UseSandbox: Ar boolean
+Causes
+.Nm fink
+to execute within a sandbox which blacklists file read access to
+those directories listed in 
+.Pa @PREFIX@/etc/fink.sb
 .It Cm AutoUid: Ar boolean
 This option specifies whether fink should dynamically allocate the UID and GID
 of its unprivileged fink-bld user if that user is absent.
diff -uNr fink-0.41.0.orig/fink.sb fink-0.41.0/fink.sb
--- fink-0.41.0.orig/fink.sb    1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0/fink.sb 2016-11-05 07:52:55.000000000 -0400
@@ -0,0 +1,2 @@
+/usr/local
+/opt/local
diff -uNr fink-0.41.0.orig/fink.sb.5.in fink-0.41.0/fink.sb.5.in
--- fink-0.41.0.orig/fink.sb.5.in       1969-12-31 19:00:00.000000000 -0500
+++ fink-0.41.0/fink.sb.5.in    2016-11-05 13:19:50.000000000 -0400
@@ -0,0 +1,56 @@
+.\" -*- nroff -*-
+.Dd November 2011
+.Dt FINK.SB 5
+.Sh NAME
+.Nm fink.sb
+.Nd sandboxing configuration file for
+.Xr fink 8
+.Sh SYNOPSIS
+@PREFIX@/etc/fink.sb
+.\"
+.\"
+.\" DESCRIPTION
+.\"
+.\"
+.Sh DESCRIPTION
+When
+.Xr fink 8
+is initially installed it prompts you for whether you wish to enable the
+building of packages within a protected sandbox which blacklists access to
+those directories listed in
+.Nm
+by hand. In general, these options are meant for advanced users only.
+.Pp
+Your
+.Nm
+defaults to blacklisting the following directories
+.Bl -tag -width flag -offset indent -compact
+.It /usr/local
+.It /opt/local
+.El
+.Pp
+The blacklisted directories appear one per line in the file.
+.El
+.\"
+.\"
+.\" AUTHOR
+.\"
+.\"
+.Sh AUTHOR
+This manpage is maintained by the Fink Core Group <fink-core@lists.sourceforge.net>.
+.\"
+.\"
+.\" ACKNOWLEDGEMENTS
+.\"
+.\"
+.Sh ACKNOWLEDGEMENTS
+.Nm fink
+is developed and maintained by The Fink Project (http://www.finkproject.org).
+.\"
+.\"
+.\" SEE ALSO
+.\"
+.\"
+.Sh "SEE ALSO"
+.Xr apt-get 8 ,
+.Xr fink 8
diff -uNr fink-0.41.0.orig/install.sh fink-0.41.0/install.sh
--- fink-0.41.0.orig/install.sh 2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/install.sh      2016-11-05 13:57:10.000000000 -0400
@@ -70,8 +70,10 @@

 install -c -p -m 755 postinstall.pl "$basepath/lib/fink/"
 install -c -p -m 644 shlibs.default "$basepath/etc/dpkg/"
+install -c -p -m 644 fink.sb "$basepath/etc/"
 install -c -p -m 644 fink.8 "$basepath/share/man/man8/"
 install -c -p -m 644 fink.conf.5 "$basepath/share/man/man5/"
+install -c -p -m 644 fink.sb.5 "$basepath/share/man/man5/"
 install -c -p -m 644 images/*.png "$basepath/share/fink/images/"

 # copy executables
diff -uNr fink-0.41.0.orig/perlmod/Fink/Config.pm fink-0.41.0/perlmod/Fink/Config.pm
--- fink-0.41.0.orig/perlmod/Fink/Config.pm     2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/perlmod/Fink/Config.pm  2016-11-05 07:54:40.000000000 -0400
@@ -219,6 +219,7 @@
        map( { $_ => 0 } qw(dontask interactive verbosity keep_build keep_root
                maintainermode showversion use_binary) ),
        map( { $_ => 1 } qw(build_as_nobody) ),
+       map( { $_ => 1 } qw(build_in_sandbox) ),
        map( { $_ => "" } qw(tests validate) ),
        map ( { $_ => [] } qw(include_trees exclude_trees) ),
        map( { $_ => -1 } qw(use_binary) ),
@@ -272,6 +273,7 @@
                        'download pre-compiled packages from the binary distribution '
                        . 'if available'        ],
                [ 'build-as-nobody!'   => \$opts{build_as_nobody},      'see man page'  ],
+               [ 'build-in-sandbox!' => \$opts{build_in_sandbox}, 'see man page'  ],
                [ 'maintainer|m'       => sub {set_checking_opts(\%opts, @_);}, 'see man page'  ],
                [ 'tests:s'            => sub {set_checking_opts(\%opts, @_);}, 'see man page'  ],
                [ 'validate:s'         => sub {set_checking_opts(\%opts, @_);}, 'see man page'  ],
diff -uNr fink-0.41.0.orig/perlmod/Fink/Configure.pm fink-0.41.0/perlmod/Fink/Configure.pm
--- fink-0.41.0.orig/perlmod/Fink/Configure.pm  2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/perlmod/Fink/Configure.pm       2016-11-05 07:58:59.000000000 -0400
@@ -73,8 +73,9 @@
 #  1: Added ConfFileCompatVersion, UseBinaryDist, fink 0.24.0
 #  2: Added MaxBuildJobs, fink 0.30.1 (belated bump)
 #  3: Added AutoUid, AutoUidMin, AutoUidMax, FinkBldUid, fink 0.33.0
+#  4. Added UseSandbox, fink 0.42.0
 #
-our $conf_file_compat_version  = 3;
+our $conf_file_compat_version  = 4;

 =head2 Exported Variables

@@ -137,7 +138,7 @@

 sub choose_misc {
        my $verbose;
-       my ($proxy_prompt, $proxy, $passive_ftp, $same_for_ftp, $binary_dist);
+       my ($proxy_prompt, $proxy, $passive_ftp, $same_for_ftp, $binary_dist, $sandbox_build);
        my ($auto_uid, $uid_min, $uid_max, $fink_conf_uid, $real_uid, $real_gid,
                $do_uid);

@@ -189,6 +190,25 @@
        $config->set_param("UseBinaryDist", $binary_dist ? "true" : "false");

        print "\n";
+       $sandbox_build = $config->param_boolean("UseSandbox");
+
+       # New users should use the sandbox build, but an existing user who
+       # is running "fink configure" should see a default answer of "no"
+       # for this question... To tell these two classes of users apart,
+       # we check to see if the "Verbose" parameter has been set yet.
+       
+       if (!$config->has_param("UseSandbox")) {
+               if ($config->has_param("Verbose")) {
+                       $sandbox_build = 0;
+               } else {
+                       $sandbox_build = 1;
+               }
+       }
+       $sandbox_build =
+               &prompt_boolean("Should Fink try to build packages under ".
+                       "the Apple sandbox mechanism?",
+                       default => $sandbox_build);
+               $config->set_param("UseSandbox", $sandbox_build ? "true" : "false");

        my $v_distribution = version->parse('v'.$config->param("Distribution"));
        if ($v_distribution >= version->parse("v10.7")) {
diff -uNr fink-0.41.0.orig/perlmod/Fink/Services.pm fink-0.41.0/perlmod/Fink/Services.pm
--- fink-0.41.0.orig/perlmod/Fink/Services.pm   2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/perlmod/Fink/Services.pm        2016-11-05 08:03:10.000000000 -0400
@@ -594,6 +594,33 @@
                @wrap = map "$_=$ENV{$_}", sort keys %ENV;
                push @wrap, "__CFPREFERENCES_AVOID_DAEMON=1";
                unshift @wrap, 'env' if @wrap;
+               my $runtime_request = Fink::Config::get_option("build_in_sandbox");
+               my $sandbox_request;
+               if ($runtime_request == 0) { # -no-build-in-sandbox
+                       $sandbox_request = 0;
+               } elsif ($runtime_request == 1) {
+                       $sandbox_request = 1;
+               } elsif ($Fink::Config::config->param_boolean('UseSandbox')) {
+                       $sandbox_request = 1;
+               } else {
+                       $sandbox_request = 0;
+               }
+               if ( $sandbox_request ) {
+                       my $sandbox = "$Fink::Config::basepath/etc/fink.sb";
+                       if (open my $info, $sandbox) {
+                               my $sandbox_profile = "(version 1) \n";
+                               $sandbox_profile .= "(allow default) \n";
+                               $sandbox_profile .= "(deny file* \n";
+                               while( my $line = <$info>)  {
+                                       chomp $line;
+                                       $sandbox_profile .= "\t(subpath \"".$line."\"\)\n";
+                               }
+                               $sandbox_profile .= "\)\n";
+                               close $info;
+                               print STDERR $sandbox_profile, "\n" if ($options{debug});
+                               @wrap = (qw| sandbox-exec -p |, $sandbox_profile, @wrap) if -f $sandbox;
+                       }
+               }
                my $sudo_cmd = "sudo -u " . Fink::Config::build_as_user_group()->{'user'};
                @wrap = (split(' ', $sudo_cmd), @wrap, qw/ sh -c /);
                $wrap_token = "$sudo_cmd [ENV] sh -c ";
diff -uNr fink-0.41.0.orig/setup.sh fink-0.41.0/setup.sh
--- fink-0.41.0.orig/setup.sh   2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/setup.sh        2016-11-05 13:19:23.000000000 -0400
@@ -70,6 +70,10 @@
   | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \
   >fink.conf.5

+sed "s|@PREFIX@|$basepath|g" <fink.sb.5.in \
+  | perl -MTime::Local -MPOSIX=strftime -p -e '$d="Date:";if (s/(\.Dd \$$d) (\d+)\/(\d+)\/(\d+) (\d+):(\d+):(\d+) \$/\1/) {$epochtime = timegm($7,$6,$5,$4,$3-1,$2-1900);$datestr = strftime "%B %e, %Y", localtime($epochtime); s/(\.Dd )\$$d/$1$datestr/;}' \
+  >fink.sb.5
+
 echo "Creating shlibs default file..."
 sed "s|@PREFIX@|$basepath|g" <shlibs.default.in >shlibs.default

diff -uNr fink-0.41.0.orig/t/Services/execute_nonroot_okay.t fink-0.41.0/t/Services/execute_nonroot_okay.t
--- fink-0.41.0.orig/t/Services/execute_nonroot_okay.t  2016-09-20 14:16:24.000000000 -0400
+++ fink-0.41.0/t/Services/execute_nonroot_okay.t       2016-11-05 08:04:11.000000000 -0400
@@ -15,6 +15,8 @@
 can_ok('Fink::Config','get_option');   # 4
 can_ok('Fink::Config','set_options');  # 5

+my $config_obj = Fink::Config->new_with_path('basepath/etc/fink.conf');
+
 # need a a safe place to create files

 # OS X 10.2 comes with perl 5.6.0, but File::Temp isn't in core until 5.6.1

The current sandbox changes provides configuration of fink.conf to add the desired state for the new UseSandbox setting in fink.conf. The changes also provide runtime options of --build-in-sandbox and --no-build-in-sandbox to override the UseSandbox setting in fink.conf.
The sandboxing of fink can easily be verified with 'ps -le | grep sandbox-exec' during a fink build. Which will show...

0 4232 4084 4106 0 31 0 2455672 3064 - S+ 0 ttys027 0:00.01 sudo -u fink-bld sandbox-exec -p (version 1) ^J(allow default) ^J(deny file* ^J^I(subpath "/usr/local")^J^I(subpath "/opt/local")^J)^J env CCACHE_DIR=/sw/var/ccache CFLAGS=-D_DARWIN_NO_64_BIT_INODE -O2 -g -Wall CPPFLAGS=-I/sw/include HOME=/tmp/fink-build-HOME.RCOdx6VWFB INFOPATH=/sw/share/info:/sw/info:/usr/share/info LDFLAGS=-L/sw/lib MACOSX_DEPLOYMENT_TARGET=10.11 MAKEFLAGS=-j8 MANPATH=/sw/share/man:/usr/share/man:/Applications/Xcode.app/Contents/Developer/usr/share/man:/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/share/man:/sw/lib/perl5/5.18.2/man PATH=/sw/var/lib/fink/path-prefix-libcxx:/sw/var/lib/fink/path-prefix-clang:/sw/bin:/sw/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/opt/X11/bin PERL5LIB=/sw/lib/perl5:/sw/lib/perl5/darwin PWD=/sw/src/fink.build/cvs-1.12.13-18 SHLVL=2 TERM=xterm-256color __CFPREFERENCES_AVOID_DAEMON=1 sh -c /tmp/fink.5o7aZ

for 'UseSandbox: true"' in fink.conf or --build-in-sandbox on the fink command line. The usage of sandbox-exec won't be seen for either 'UseSandbox: false"' in fink.conf or --no-build-in-sandbox on the fink command line.

[Jack Howarth]

This patch has been supplanted by the newly proposed one on https://sourceforge.net/p/fink/patches/161/.