Accepting request 596302 from home:sbrabec:branches:util-linux-b1081947
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd). - su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7); add one-time wrapper forcing ALWAYS_SET_PATH on upgrade. OBS-URL: https://build.opensuse.org/request/show/596302 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=372
parent
881c2a7ddb
commit
3629134835
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||||
|
runuser-l.pamd, runuser.pamd).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||||
|
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||||
|
|
||||||
|
@ -73,7 +73,7 @@ Name: python-libmount
|
|||||||
%endif
|
%endif
|
||||||
Summary: %main_summary
|
Summary: %main_summary
|
||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: %group_pl
|
Group: %main_group
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: bc
|
BuildRequires: bc
|
||||||
BuildRequires: binutils-devel
|
BuildRequires: binutils-devel
|
||||||
@ -138,6 +138,8 @@ Source11: su.default
|
|||||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||||
Source13: %{_name}.keyring
|
Source13: %{_name}.keyring
|
||||||
Source14: runuser.pamd
|
Source14: runuser.pamd
|
||||||
|
Source15: runuser-l.pamd
|
||||||
|
Source16: su-l.pamd
|
||||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||||
# TODO: split to separate package
|
# TODO: split to separate package
|
||||||
Source40: klogconsole.tar.xz
|
Source40: klogconsole.tar.xz
|
||||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
|||||||
Patch6: util-linux-fincore-count.patch
|
Patch6: util-linux-fincore-count.patch
|
||||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -396,7 +397,6 @@ SMP systems.
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%package -n python-libmount
|
%package -n python-libmount
|
||||||
Summary: %summary_pl
|
Summary: %summary_pl
|
||||||
License: GPL-2.0-or-later
|
|
||||||
Group: %group_pl
|
Group: %group_pl
|
||||||
|
|
||||||
%description -n python-libmount
|
%description -n python-libmount
|
||||||
@ -644,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
|||||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||||
pushd ../klogconsole
|
pushd ../klogconsole
|
||||||
# klogconsole install
|
# klogconsole install
|
||||||
@ -788,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||||
|
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||||
|
# (bsc#353876#c7)
|
||||||
|
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||||
|
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||||
|
fi
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
@ -810,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
|
# But we want to upgrade to a more secure default on upgrade.
|
||||||
|
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||||
|
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||||
|
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||||
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
|
fi
|
||||||
|
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||||
|
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||||
|
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||||
|
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||||
|
fi
|
||||||
|
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|
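Review bot: In the added %pre block the probe tests for `/bin/su` but then runs an unqualified `su`, so the version check depends on the scriptlet's PATH and may inspect a different binary than the one whose existence was just tested; `if test -e /bin/su && ! ( LANG=C /bin/su --help 2>/dev/null ) | grep -q -- --pty ; then` keeps both halves on the same file. The comment above it talks about `/sbin/su` and `/usr/sbin/su` while the code checks `/bin/su`, and the marker is called `su.needs_ALWAYS_SET_ROOT` although the variable being migrated is `ALWAYS_SET_PATH`; the comment at least should match the code so the migration can be audited later. Because `touch ... 2>/dev/null || :` swallows any failure, a system where the marker cannot be written silently keeps its old setting. The same scriptlet is repeated in the two further spec sections on this page.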
6
runuser-l.pamd
Normal file
6
runuser-l.pamd
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include common-session
|
||||||
|
session optional pam_xauth.so
|
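Review bot: The new `session optional pam_keyinit.so force revoke` line has no comment saying why the login variant replaces the caller's session keyring, and the header comment still only explains the `pam_rootok.so` dummy line. I would add something like `# Start the target user with a fresh session keyring and revoke it when the session ends.` above it. Since the control flag is `optional`, a pam_keyinit failure does not stop the session and the caller's keyring would presumably stay attached; if isolation is the goal, the comment should say that this fallback is accepted. su-l.pamd adds the same line, also without a comment.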
@ -1,5 +1,6 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
|
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
|
||||||
auth sufficient pam_rootok.so
|
auth sufficient pam_rootok.so
|
||||||
|
session optional pam_keyinit.so revoke
|
||||||
session include common-session
|
session include common-session
|
||||||
session optional pam_xauth.so
|
session optional pam_xauth.so
|
||||||
|
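Review bot: Here pam_keyinit is added as `revoke` without `force`, unlike runuser-l.pamd and su-l.pamd, and nothing in the file says the difference is deliberate. As pam_keyinit(8) describes it, without `force` the module leaves an existing session keyring in place, so a non-login `runuser` started from a session that already has one keeps sharing it with the target user. If that inheritance is intended, a one-line comment such as `# No "force": keep the caller's session keyring for non-login runuser.` would stop a later reader from treating it as an oversight. The su.pamd file used for plain `su` is not shown on this page, so I cannot tell whether it gets the same treatment.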
9
su-l.pamd
Normal file
9
su-l.pamd
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
#%PAM-1.0
|
||||||
|
auth sufficient pam_rootok.so
|
||||||
|
auth include common-auth
|
||||||
|
account sufficient pam_rootok.so
|
||||||
|
account include common-account
|
||||||
|
password include common-password
|
||||||
|
session optional pam_keyinit.so force revoke
|
||||||
|
session include common-session
|
||||||
|
session optional pam_xauth.so
|
@ -1,9 +1,12 @@
|
|||||||
# Per default, only "su -" will set a new PATH.
|
# Per default, only "su -" will set a new PATH.
|
||||||
# If this variable is changed to "yes" (default is "no"),
|
# If this variable is set to "yes" (default is "no"),
|
||||||
# every su call will overwrite the PATH variable.
|
# every su call will overwrite the PATH variable.
|
||||||
ALWAYS_SET_PATH=no
|
#
|
||||||
|
# The recommended default is "yes". The default "no" behavior could have
|
||||||
|
# a security implication in applications that use commands without path.
|
||||||
|
ALWAYS_SET_PATH=yes
|
||||||
|
|
||||||
# Default path.
|
# Default path.
|
||||||
PATH=/usr/local/bin:/bin:/usr/bin
|
PATH=/usr/local/bin:/bin:/usr/bin
|
||||||
|
|
||||||
# Default path for a user invoking su to root.
|
# Default path for a user invoking su to root.
|
||||||
|
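Review bot: The rewritten comment block uses "default" for two different things: `(default is "no")` refers to su's behaviour when the variable is absent, while `The recommended default is "yes"` refers to the value shipped in this file. Going by the first sentence, a reader who deletes or comments out the assignment would fall back to "no" without noticing. I would spell that out, e.g. `# If this variable is unset, su behaves as with "no"; the packaged setting is "yes".`, and name the risk directly: with "no", a plain `su` keeps the caller's PATH, so commands invoked without an absolute path are looked up there.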
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||||
|
runuser-l.pamd, runuser.pamd).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||||
|
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||||
|
|
||||||
|
@ -138,6 +138,8 @@ Source11: su.default
|
|||||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||||
Source13: %{_name}.keyring
|
Source13: %{_name}.keyring
|
||||||
Source14: runuser.pamd
|
Source14: runuser.pamd
|
||||||
|
Source15: runuser-l.pamd
|
||||||
|
Source16: su-l.pamd
|
||||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||||
# TODO: split to separate package
|
# TODO: split to separate package
|
||||||
Source40: klogconsole.tar.xz
|
Source40: klogconsole.tar.xz
|
||||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
|||||||
Patch6: util-linux-fincore-count.patch
|
Patch6: util-linux-fincore-count.patch
|
||||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
|||||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||||
pushd ../klogconsole
|
pushd ../klogconsole
|
||||||
# klogconsole install
|
# klogconsole install
|
||||||
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||||
|
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||||
|
# (bsc#353876#c7)
|
||||||
|
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||||
|
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||||
|
fi
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
|
# But we want to upgrade to a more secure default on upgrade.
|
||||||
|
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||||
|
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||||
|
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||||
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
|
fi
|
||||||
|
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||||
|
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||||
|
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||||
|
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||||
|
fi
|
||||||
|
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|
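Review bot: The one-time migration in the added %post block only fires when `grep -q ^ALWAYS_SET_PATH=no` matches, so a config that has the line commented out or removed, or that writes the value as `ALWAYS_SET_PATH="no"` (if su's parser accepts quotes), is left alone while the marker is still deleted; going by the su.default comment on this page the built-in default is "no", so such systems would stay on the old behaviour with no message. Consider matching the whole value and the quoted form, e.g. `grep -Eq '^ALWAYS_SET_PATH="?no"?[[:space:]]*$'` with a matching `sed -E` expression, and printing a notice when the marker exists but nothing was rewritten. The unanchored pattern also rewrites any value that merely starts with `no`. The comment says `ALWAYS_SET_ROOT` where `ALWAYS_SET_PATH` is meant, and `test ... -a ...` is more robust as two `test` calls joined by `&&`. The same block is repeated in the other two spec sections.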
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||||
|
runuser-l.pamd, runuser.pamd).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||||
|
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||||
|
|
||||||
|
@ -138,6 +138,8 @@ Source11: su.default
|
|||||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||||
Source13: %{_name}.keyring
|
Source13: %{_name}.keyring
|
||||||
Source14: runuser.pamd
|
Source14: runuser.pamd
|
||||||
|
Source15: runuser-l.pamd
|
||||||
|
Source16: su-l.pamd
|
||||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||||
# TODO: split to separate package
|
# TODO: split to separate package
|
||||||
Source40: klogconsole.tar.xz
|
Source40: klogconsole.tar.xz
|
||||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
|||||||
Patch6: util-linux-fincore-count.patch
|
Patch6: util-linux-fincore-count.patch
|
||||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
|||||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||||
pushd ../klogconsole
|
pushd ../klogconsole
|
||||||
# klogconsole install
|
# klogconsole install
|
||||||
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||||
|
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||||
|
# (bsc#353876#c7)
|
||||||
|
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||||
|
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||||
|
fi
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
|
# But we want to upgrade to a more secure default on upgrade.
|
||||||
|
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||||
|
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||||
|
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||||
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
|
fi
|
||||||
|
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||||
|
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||||
|
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||||
|
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||||
|
fi
|
||||||
|
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||||
|