Sync from SUSE:SLFO:Main mlocate revision b9396f763b4d1d6aefc74ab850d19ff7

Adrian Schröter 2024-05-03 16:47:13 +02:00
commit 4ab8b670c4
10 changed files with 584 additions and 0 deletions

23
.gitattributes vendored Normal file

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

BIN
mlocate-0.26.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

304
mlocate.changes Normal file

@ -0,0 +1,304 @@
-------------------------------------------------------------------
Thu Feb 29 12:12:02 UTC 2024 - Jiri Srain <jsrain@suse.com>
- add bcond for building without AppArmor support (for ALP code
base)
-------------------------------------------------------------------
Thu Jan 25 07:40:47 UTC 2024 - Peter Simons <psimons@suse.com>
- Remove the post-install scriptlet introduced earlier. It turns
out that "chmod" call opened a security vulnerability that
allowed users with write access to /var/lib/mlocate to obtain
read/write access to arbitrary files on the system, possibly
facilitating privilege escalation to root. [bsc#1218896,
CVE-2023-32190]
-------------------------------------------------------------------
Mon Jan 8 11:10:30 UTC 2024 - Frederic Crozat <fcrozat@suse.com>
- Drop url from source, fedorahosted.org is no longer running.
-------------------------------------------------------------------
Wed Dec 13 17:16:03 UTC 2023 - Jean Delvare <jdelvare@suse.com>
- Add a post-install scriptlet to fix incorrect database
permissions (bsc#1188933). Modified:
* mlocate.spec
-------------------------------------------------------------------
Fri Mar 17 11:14:00 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
- Set umask 0022 before running /usr/bin/updatedb (boo#1209409)
-------------------------------------------------------------------
Fri Feb 3 15:35:01 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Remove ProtectKernelModules from systemd unit as it makes files
inaccessible that are then not visible for locate (bsc#1207884)
-------------------------------------------------------------------
Wed Sep 14 13:16:44 UTC 2022 - Peter Simons <psimons@suse.com>
- Pass "--shell=/bin/sh" to "su" when running the "updatedb"
command so that we don't depend on the "${RUN_UPDATEDB_AS}"
user's login shell. Since that user is "nobody" by default, the
login shell will oftentimes be "/bin/false". [jsc#PED-1717]
-------------------------------------------------------------------
Wed Oct 6 14:16:25 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Modified:
* mlocate.service
-------------------------------------------------------------------
Fri Sep 11 16:14:56 UTC 2020 - Hans-Peter Jansen <hpj@urpla.net>
- Require apparmor-abstractions, because apparmor.service fails with
"Could not open 'tunables/global'" error otherwise. [bsc#1195144]
-------------------------------------------------------------------
Tue Dec 4 11:11:51 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Reduce amount of emitted %service_* boilerplate.
-------------------------------------------------------------------
Fri Nov 30 06:27:56 UTC 2018 - erictorres4@protonmail.com
- Add systemd service and timer units [boo#1115408]
- Add rc symlinks for backwards compatibility
- Add BuildRequires for systemd-rpm-macros
- Minor correction to summary, change 'an' to 'a'
- Add commands for registering systemd unit files in install scripts
- Update files list to include systemd units
- Remove dependency on cron
- Move logic from cron script to systemd service unit
- Remove all variables except RUN_UPDATEDB_AS from sysconfig.locate
-------------------------------------------------------------------
Fri Sep 7 13:16:39 UTC 2018 - suse-beta@cboltz.de
- add capability rules to updatedb AppArmor profile to allow running
it as root (boo#1089594#c4)
-------------------------------------------------------------------
Thu May 10 09:13:26 UTC 2018 - tchvatal@suse.com
- Add apparmor profile bsc#1089594
-------------------------------------------------------------------
Thu Nov 23 13:52:07 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
Fri Aug 25 08:20:29 UTC 2017 - tchvatal@suse.com
- Require user nobody wrt bsc#1055634
-------------------------------------------------------------------
Mon Jul 10 08:45:24 UTC 2017 - tchvatal@suse.com
- We moved locks to /run thus do not rely on symlinks
-------------------------------------------------------------------
Thu Feb 16 09:53:52 UTC 2017 - tchvatal@suse.com
- Update the umask also in su section where it could be nulled
wrt bsc#1019440
-------------------------------------------------------------------
Mon Aug 29 12:50:37 UTC 2016 - tchvatal@suse.com
- Reduce dependencies a bit
- Update updatedb.conf wrt bnc#994663
-------------------------------------------------------------------
Wed Jan 20 10:58:56 UTC 2016 - tchvatal@suse.com
- Cron file updates:
- Remove the ac/battery detection that does not work
- Exit with 1 when the updatedb is not executable
-------------------------------------------------------------------
Wed Jan 20 10:53:55 UTC 2016 - tchvatal@suse.com
- Add more mounts to exclude in updatedb.conf
-------------------------------------------------------------------
Fri Aug 21 07:23:52 UTC 2015 - tchvatal@suse.com
- Specify umask to allow user redefine the value in login.defs
bnc#941296
-------------------------------------------------------------------
Sat Oct 25 17:09:31 UTC 2014 - tchvatal@suse.com
- Remove mention of the locate group that was obsoleted.
fixes bnc#902588
-------------------------------------------------------------------
Wed Jun 11 11:09:08 UTC 2014 - tchvatal@suse.com
- Enable testsuite.
-------------------------------------------------------------------
Mon May 5 08:04:23 UTC 2014 - tchvatal@suse.com
- Remove some duped fs from PRUNEFS variable.
-------------------------------------------------------------------
Tue Apr 15 09:52:00 UTC 2014 - tchvatal@suse.com
- Update once more to always hit the same code and to avoid
regressions that are hit only under some setup scenarios.
-------------------------------------------------------------------
Thu Apr 3 11:29:08 UTC 2014 - tchvatal@suse.com
- Fix a bug where empty RUN_UPDATEDB_AS="" caused cron fail with
unknown arguments if the compat values were empty.
-------------------------------------------------------------------
Wed Mar 19 09:09:44 UTC 2014 - tchvatal@suse.com
- Also respect the UPDATEDB_ when not running as root in the
cron job.
-------------------------------------------------------------------
Mon Mar 17 08:44:54 UTC 2014 - tchvatal@suse.com
- Move the UPDATEDB_ variables parsing to cron service to have
it working there as the upstream bash config is not exactly
shell interpreted. bnc#861955.
- Sadly this way if user runs updatedb by hand it gets not
properly populated, but at least the cron works with backcompat
way.
-------------------------------------------------------------------
Fri Mar 14 08:24:29 UTC 2014 - tchvatal@suse.com
- Include findutils-locate variables in updatedb.conf if user
still have them specified. bnc#861955
* This ensures we can still load the variables user can specified
in the /etc/sysconfig/locate namely UPDATEDB_PRUNEPATHS and
UPDATEDB_PRUNEFS
-------------------------------------------------------------------
Fri Mar 14 08:18:22 UTC 2014 - tchvatal@suse.com
- Cleanup with spec-cleaner.
-------------------------------------------------------------------
Fri Mar 14 08:17:01 UTC 2014 - tchvatal@suse.com
- Update comments in sysconfig.locate a bit to reflect reality.
-------------------------------------------------------------------
Tue Oct 29 13:10:50 UTC 2013 - tchvatal@suse.com
- As discussed run updatedb as nobody and do not use the locate
group at all. Wrt bnc#847801.
-------------------------------------------------------------------
Mon Sep 9 18:32:41 UTC 2013 - tchvatal@suse.com
- Recommend the language package.
-------------------------------------------------------------------
Wed Jun 12 13:40:30 UTC 2013 - tchvatal@suse.com
- Add missing space to description of package.
-------------------------------------------------------------------
Mon Jun 3 12:09:09 UTC 2013 - tchvatal@suse.com
- Add COPYING to %docs macro as reported by cfarrell.
-------------------------------------------------------------------
Mon Jun 3 11:41:23 UTC 2013 - cfarrell@suse.com
- license update: GPL-2.0
Multiple instances of (c) Red Hat GPL-2.0 licensing
-------------------------------------------------------------------
Thu May 30 11:29:26 UTC 2013 - tchvatal@suse.com
- Fixup provide/obsolete to really work + cleanup spec
-------------------------------------------------------------------
Thu May 30 10:49:45 UTC 2013 - tchvatal@suse.com
- More work wrt previous change. Provide/obsolete findutils-locate.
-------------------------------------------------------------------
Thu May 30 09:26:59 UTC 2013 - tchvatal@suse.com
- Do not use sgid but require user to be in group locate
in order to be able to search.
-------------------------------------------------------------------
Sun Dec 2 11:04:25 UTC 2012 - tchvatal@suse.com
- Whitespace / format the spec a bit.
-------------------------------------------------------------------
Tue Nov 20 20:54:44 UTC 2012 - tchvatal@suse.com
- Try to shutup the suid error.
-------------------------------------------------------------------
Tue Nov 20 20:51:58 UTC 2012 - tchvatal@suse.com
- Run the perm stuff only on new enough suse.
-------------------------------------------------------------------
Tue Nov 20 20:45:46 UTC 2012 - tchvatal@suse.com
- Update the verify to adhere specs.
-------------------------------------------------------------------
Tue Nov 20 20:42:25 UTC 2012 - tchvatal@suse.com
- Adhere to specs to exit 0 on pre.
-------------------------------------------------------------------
Tue Nov 20 20:39:51 UTC 2012 - tchvatal@suse.com
- Add buildroot definition to have it on sle
-------------------------------------------------------------------
Tue Nov 20 20:33:41 UTC 2012 - tchvatal@suse.com
- require pwdutils for pre phase
-------------------------------------------------------------------
Mon Nov 12 14:29:49 UTC 2012 - tchvatal@suse.com
- silence error about PIE, thanks to darix for suggestions on irc.
-------------------------------------------------------------------
Mon Nov 12 13:45:07 UTC 2012 - tchvatal@suse.com
- version bump to latest
-------------------------------------------------------------------
Mon Oct 31 14:56:45 UTC 2011 - prusnak@opensuse.org
- spec cleanup
-------------------------------------------------------------------
Fri Aug 5 07:57:11 UTC 2011 - tchvatal@novell.com
- Update the docs list
-------------------------------------------------------------------
Thu Aug 4 20:03:44 UTC 2011 - tchvatal@novell.com
- Punt useless clean section
-------------------------------------------------------------------
Thu Aug 4 14:37:22 UTC 2011 - tchvatal@novell.com
- Initial version 0.24 of mlocate package

34
mlocate.service Normal file

@ -0,0 +1,34 @@
[Unit]
Description=Update locate database
Documentation=man:updatedb
[Service]
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=read-only
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions
Type=oneshot
ExecStart=/bin/sh -c \
"chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate && \
su --shell=/bin/sh ${RUN_UPDATEDB_AS} -c 'umask 0022; /usr/bin/updatedb'"
# Unfortunately, the umask we set here is lost because we invoke updatedb
# through 'su' to change to the user ${RUN_UPDATEDB_AS}. See bnc#941296 and
# bnc#1209409 for further details.
UMask=0022
# Alter the priority of the updatedb process
Nice=19
IOSchedulingClass=2
IOSchedulingPriority=7
# Load sysconfig
EnvironmentFile=/etc/sysconfig/locate
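
Review bot: the `chown -R ${RUN_UPDATEDB_AS}:root /var/lib/mlocate` in ExecStart runs as root on every timer activation, over a directory it hands to the unprivileged account. That resembles what the changelog in this commit records as removed from the spec for CVE-2023-32190: root changing file metadata inside a /var/lib/mlocate that another user can write to. Suggest dropping `-R` and adding `-h` so only the directory entry itself is touched, or setting ownership once at install time, and adding a comment that says why root has to do this on each run. Separately, `${RUN_UPDATEDB_AS}` is substituted with no emptiness check: if the sysconfig value is empty, `su` receives no user argument and updatedb runs as root. A guard such as `[ -n "${RUN_UPDATEDB_AS}" ]` ahead of the chown would turn that into an explicit failure.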

143
mlocate.spec Normal file

@ -0,0 +1,143 @@
#
# spec file for package mlocate
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%bcond_without apparmor
#Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir}
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: mlocate
Version: 0.26
Release: 0
Summary: A utility for finding files by name
License: GPL-2.0-only
Group: System/Monitoring
URL: https://pagure.io/mlocate
Source0: %{name}-%{version}.tar.xz
Source1: updatedb.conf
Source2: sysconfig.locate
# apparmor profile
Source3: usr.bin.locate
Source4: usr.bin.updatedb
Source5: mlocate.timer
Source6: mlocate.service
BuildRequires: gettext-tools
BuildRequires: grep
BuildRequires: sed
BuildRequires: systemd-rpm-macros
BuildRequires: xz
%if %{with apparmor}
Requires: apparmor-abstractions
%endif
Requires(post): %fillup_prereq
Recommends: %{name}-lang = %{version}
Provides: findutils:%{_bindir}/locate
# findutils is at version 4.5 so we need newer
# provides here to get it really obsoleted
Provides: findutils-locate = 5.%{version}
Obsoletes: findutils-locate < 5.%{version}
%if 0%{?suse_version} > 1320
Requires: user(nobody)
%endif
%description
A new locate implementation. The m character
stands for merging, because updatedb reuses the
existing database to avoid re-reading most of the
file system.
%lang_package
%prep
%setup -q
# do not check for visibilty by default as we go with nobody
sed -i \
-e 's:conf_check_visibility = true:conf_check_visibility = false:g' \
src/conf.c
%build
export CFLAGS="%{optflags} -fPIE"
export LDFLAGS="-pie"
%configure \
--localstatedir=%{_localstatedir}/lib \
--enable-nls \
--disable-rpath
make groupname=nobody %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} groupname=nobody install
%find_lang %{name} || echo -n >> %{name}.lang
# DB file
mkdir -p %{buildroot}%{_localstatedir}/lib/%{name}
echo -n >> %{buildroot}%{_localstatedir}/lib/%{name}/%{name}.db
# Config
mkdir -p %{buildroot}%{_sysconfdir}
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}
# Sysconfig settings
install -D -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.locate
# systemd units
install -D -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/mlocate.timer
install -D -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/mlocate.service
# rc symlink
mkdir -p %{buildroot}%{_sbindir}
ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rcmlocate
# apparmor
%if %{with apparmor}
install -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.locate
install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.updatedb
%endif
%check
make check %{?_smp_mflags}
%pre
%service_add_pre mlocate.service mlocate.timer
%post
%{fillup_only -n locate}
%service_add_post mlocate.service mlocate.timer
%preun
%service_del_preun mlocate.service mlocate.timer
%postun
%service_del_postun mlocate.service mlocate.timer
%files
%license COPYING
%doc AUTHORS ChangeLog README NEWS
%config(noreplace) %{_sysconfdir}/updatedb.conf
%attr(0755,root,root) %{_bindir}/locate
%{_bindir}/updatedb
%{_mandir}/man*/*
%{_unitdir}/mlocate.timer
%{_unitdir}/mlocate.service
%dir %{_localstatedir}/lib/mlocate
%ghost %{_localstatedir}/lib/mlocate/mlocate.db
%{_fillupdir}/*
%if %{with apparmor}
%dir %{_sysconfdir}/apparmor.d/
%{_sysconfdir}/apparmor.d/*
%endif
%{_sbindir}/rcmlocate
%files lang -f %{name}.lang
%changelog
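
Review bot: the `sed -i` in %prep that flips `conf_check_visibility` to false in src/conf.c changes a security-relevant default with only the comment "as we go with nobody" to justify it, and it succeeds silently if the pattern ever stops matching. sysconfig.locate in this same commit lets the admin set RUN_UPDATEDB_AS=root, so the comment should say what the disabled visibility check means in that case. Follow the sed with `grep -q 'conf_check_visibility = false' src/conf.c` so the build fails when the substitution did not apply. Also, `%dir %{_localstatedir}/lib/mlocate` and the %ghost database in %files carry no explicit %attr, which leaves owner and mode to the service's runtime chown; stating them here would document the intended permissions for the path the CVE-2023-32190 changelog entry concerns.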

12
mlocate.timer Normal file

@ -0,0 +1,12 @@
[Unit]
Description=Daily locate database update
Documentation=man:updatedb
[Timer]
OnCalendar=daily
AccuracySec=12h
Unit=mlocate.service
Persistent=true
[Install]
WantedBy=timers.target

18
sysconfig.locate Normal file

@ -0,0 +1,18 @@
## Path: Applications/Locate
## Description: Configuration of updatedb
#
# NOTE: These variables only apply to systemd updatedb service only
# NOTE: For the app-wide settings see /etc/updatedb.conf
#
## Type: string(nobody, root, ...)
## Default: nobody
#
# updatedb can be run under specified user privileges
# It runs the "find" command as this user. Some people think this is a
# security hole if set to 'root' (because some directory information can
# be read which is normally protected). Others think it is useful to hold
# all files in the database.
# So if you want full information in locate db, set RUN_UPDATEDB_AS=root.
# If you want security use RUN_UPDATEDB_AS=nobody.
#
RUN_UPDATEDB_AS=nobody
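
Review bot: the header comment is inaccurate in two places. "These variables only apply to systemd updatedb service only" repeats "only", and "It runs the "find" command as this user" reads like a leftover from findutils-locate, which this package obsoletes, while the unit in this commit runs /usr/bin/updatedb directly. Suggest rewording to say that updatedb scans the file system as this user, and stating concretely that with RUN_UPDATEDB_AS=root the database holds names from directories that ordinary users cannot list. The comment could also say that the value must not be left empty.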

17
updatedb.conf Normal file

@ -0,0 +1,17 @@
# /etc/updatedb.conf: config file for mlocate
# This file sets variables that are used by updatedb.
# For more info, see the updatedb.conf(5) manpage.
# Filesystems that are pruned from updatedb database
PRUNEFS="9p afs anon_inodefs auto autofs bdev binfmt binfmt_misc ceph fuse.ceph cgroup cifs coda configfs cramfs cpuset debugfs devfs devpts devtmps ecryptfs eventpollfs exofs futexfs ftpfs fuse fusectl gfs gfs2 gpfs hostfs hugetlbfs inotifyfs iso9660 jffs2 lustre misc mqueue ncpfs nfs NFS nfs4 nfsd nnpfs ocfs ocfs2 pipefs proc ramfs rpc_pipefs securityfs selinuxfs sfs shfs smbfs sockfs spufs sshfs subfs supermount sysfs tmpfs ubifs udf usbfs vboxsf vperfctrfs"
# Paths which are pruned from updatedb database
PRUNEPATHS="/tmp /var/tmp /var/cache /var/lock /var/run /var/spool /mnt /cdrom /usr/tmp /proc /media /sys /.snapshots /var/run/media"
# Folder names that are pruned from updatedb database
PRUNENAMES = ".git .hg .svn .bzr .arch-ids {arch} CVS"
# Skip bind mounts.
# DISABLED for bnc#994663 and to avoid btrfs subvolume issues
PRUNE_BIND_MOUNTS="no"
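
Review bot: in PRUNEFS, `devtmps` looks like a typo for `devtmpfs`, the file system type name the kernel reports, so as written the entry would not match a devtmpfs mount, and PRUNEPATHS does not list /dev either. Suggest correcting the name. As a style point, `PRUNENAMES = "..."` is the only assignment written with spaces around `=`; use one form throughout the file.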

11
usr.bin.locate Normal file

@ -0,0 +1,11 @@
# Last Modified: Fri Apr 13 22:23:29 2018
#include <tunables/global>
/usr/bin/locate {
#include <abstractions/base>
#include <abstractions/nameservice>
/usr/bin/locate mr,
/var/lib/mlocate/mlocate.db r,
}

19
usr.bin.updatedb Normal file

@ -0,0 +1,19 @@
# Last Modified: Fri Apr 13 21:57:17 2018
#include <tunables/global>
/usr/bin/updatedb {
#include <abstractions/base>
capability dac_override,
capability dac_read_search,
capability fowner,
/ r,
/**/ r,
/etc/updatedb.conf r,
/usr/bin/updatedb mr,
owner /proc/@{pid}/mounts r,
/var/lib/mlocate/mlocate.db rwk,
/var/lib/mlocate/mlocate.db.?????? rw,
}
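
Review bot: the three `capability` lines (dac_override, dac_read_search, fowner) have no comment saying why each is needed. The changelog ties them to running updatedb as root (boo#1089594#c4), while the packaged default in sysconfig.locate is RUN_UPDATEDB_AS=nobody. Suggest one comment per capability, and checking whether dac_read_search alone covers the read-only scan, since dac_override also lifts write permission checks and is then limited only by the `rwk` and `rw` path rules on /var/lib/mlocate/mlocate.db*.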