1
0
forked from pool/util-linux

Accepting request 596302 from home:sbrabec:branches:util-linux-b1081947

- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
  runuser-l.pamd, runuser.pamd).
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
  add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.

OBS-URL: https://build.opensuse.org/request/show/596302
OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=372
This commit is contained in:
Stanislav Brabec 2018-04-13 11:36:33 +00:00 committed by Git OBS Bridge
parent 881c2a7ddb
commit 3629134835
10 changed files with 131 additions and 14 deletions

View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de

View File

@ -73,7 +73,7 @@ Name: python-libmount
%endif %endif
Summary: %main_summary Summary: %main_summary
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: %group_pl Group: %main_group
BuildRequires: audit-devel BuildRequires: audit-devel
BuildRequires: bc BuildRequires: bc
BuildRequires: binutils-devel BuildRequires: binutils-devel
@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring Source13: %{_name}.keyring
Source14: runuser.pamd Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package # TODO: split to separate package
Source40: klogconsole.tar.xz Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe. # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
# #
%if %build_util_linux %if %build_util_linux
@ -396,7 +397,6 @@ SMP systems.
%if %build_util_linux %if %build_util_linux
%package -n python-libmount %package -n python-libmount
Summary: %summary_pl Summary: %summary_pl
License: GPL-2.0-or-later
Group: %group_pl Group: %group_pl
%description -n python-libmount %description -n python-libmount
@ -644,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole pushd ../klogconsole
# klogconsole install # klogconsole install
@ -788,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux %if %build_util_linux
%pre %pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post %post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -810,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi fi
done done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun %preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service

6
runuser-l.pamd Normal file
View File

@ -0,0 +1,6 @@
#%PAM-1.0
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
auth sufficient pam_rootok.so
session optional pam_keyinit.so force revoke
session include common-session
session optional pam_xauth.so

View File

@ -1,5 +1,6 @@
#%PAM-1.0 #%PAM-1.0
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line). # Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
auth sufficient pam_rootok.so auth sufficient pam_rootok.so
session optional pam_keyinit.so revoke
session include common-session session include common-session
session optional pam_xauth.so session optional pam_xauth.so

9
su-l.pamd Normal file
View File

@ -0,0 +1,9 @@
#%PAM-1.0
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session optional pam_xauth.so

View File

@ -1,9 +1,12 @@
# Per default, only "su -" will set a new PATH. # Per default, only "su -" will set a new PATH.
# If this variable is changed to "yes" (default is "no"), # If this variable is set to "yes" (default is "no"),
# every su call will overwrite the PATH variable. # every su call will overwrite the PATH variable.
ALWAYS_SET_PATH=no #
# The recommended default is "yes". The default "no" behavior could have
# a security implication in applications that use commands without path.
ALWAYS_SET_PATH=yes
# Default path. # Default path.
PATH=/usr/local/bin:/bin:/usr/bin PATH=/usr/local/bin:/bin:/usr/bin
# Default path for a user invoking su to root. # Default path for a user invoking su to root.

View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de

View File

@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring Source13: %{_name}.keyring
Source14: runuser.pamd Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package # TODO: split to separate package
Source40: klogconsole.tar.xz Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe. # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
# #
%if %build_util_linux %if %build_util_linux
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole pushd ../klogconsole
# klogconsole install # klogconsole install
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux %if %build_util_linux
%pre %pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post %post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi fi
done done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun %preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service

View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de

View File

@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring Source13: %{_name}.keyring
Source14: runuser.pamd Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package # TODO: split to separate package
Source40: klogconsole.tar.xz Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe. # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
# #
%if %build_util_linux %if %build_util_linux
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole pushd ../klogconsole
# klogconsole install # klogconsole install
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux %if %build_util_linux
%pre %pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post %post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi fi
done done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun %preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service