Accepting request 627387 from home:luizluca:branches:network:utilities

here we go again: - Add firewalld service file - Fix some rpmlint warnings: * 0001_fix_setgroup.patch (gh#NetworkBlockDevice/nbd#79) * Workaround macro-in-comment (rpmlint bug) OBS-URL: https://build.opensuse.org/request/show/627387 OBS-URL: https://build.opensuse.org/package/show/network:utilities/nbd?expand=0&rev=58
2018-08-13 08:48:32 +00:00 · 2018-08-13 08:48:32 +00:00 · 3c69fdc662
commit 3c69fdc662
parent 8f8287197a
4 changed files with 71 additions and 4 deletions
--- a/0001_fix_setgroup.patch
+++ b/0001_fix_setgroup.patch
@ -0,0 +1,30 @@
+From 0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed Mon Sep 17 00:00:00 2001
+From: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+Date: Tue, 24 Jul 2018 15:59:39 -0300
+Subject: [PATCH] server: clean supplementary groups when setuid
+Upstream: merged
+References: https://github.com/NetworkBlockDevice/nbd/commit/0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed
+References: gh#NetworkBlockDevice/nbd#79
+References: https://github.com/NetworkBlockDevice/nbd/pull/79 
+
+When nbd-server drops privileges, it was leaving supplementary
+groups untouched. As nbd-server was normally dropping from root,
+nbd-server kept membership to root supplementary groups.
+
+Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
+---
+ nbd-server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nbd-server.c b/nbd-server.c
+index 1d1f4c8d..b0720ea1 100644
+--- a/nbd-server.c
+++ b/nbd-server.c
+@@ -3470,6 +3470,7 @@ void dousers(const gchar *const username, const gchar *const groupname) {
+ 			str = g_strdup_printf("Invalid user name: %s", username);
+ 			err(str);
+ 		}
+		setgroups(0, NULL);
+ 		if(setuid(pw->pw_uid)<0) {
+ 			err("Could not set UID: %m");
+ 		}
--- a/nbd.changes
+++ b/nbd.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 24 19:31:37 UTC 2018 - luizluca@gmail.com
+
+- Add firewalld service file
+- Fix some rpmlint warnings:
+  * 0001_fix_setgroup.patch (gh#NetworkBlockDevice/nbd#79)
+  * Workaround macro-in-comment (rpmlint bug)
+
 -------------------------------------------------------------------
 Mon Jul  9 14:47:47 UTC 2018 - mpluskal@suse.com

--- a/nbd.firewalld
+++ b/nbd.firewalld
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>NBD</short>
+  <description>The Network Block Device is a Linux-originated lightweight block access protocol that allows one to export a block device to a client.</description>
+  <port protocol="tcp" port="10809"/>
+</service>
--- a/nbd.spec
+++ b/nbd.spec
@ -16,6 +16,12 @@
 #


+%if 0%{?suse_version} >= 1500
+%define use_firewalld 1
+%else
+%define use_firewalld 0
+%endif
+
 Name:           nbd
 Version:        3.17
 Release:        0
@ -28,6 +34,10 @@ Source1:        %{name}-server.service
 Source3:        config.example
 Source4:        nbd-server.sysconfig
 Source5:        nbd-client.service
+#%%if %%{use_firewalld}
+Source10:       nbd.firewalld
+#%%endif
+Patch1:         0001_fix_setgroup.patch
 BuildRequires:  pkgconfig
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(glib-2.0) >= 2.26.0
@ -56,6 +66,7 @@ configure the nbd devices on the client side.

 %prep
 %setup -q
+%patch1 -p1

 %build
 %configure
@ -82,6 +93,11 @@ touch %{buildroot}%{_sysconfdir}/nbd-server/allow
 install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/nbd-server/config.example
 install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.%{name}-server

+# install firewall information file
+%if %{use_firewalld}
+install -D -m 644 %{SOURCE10} %{buildroot}%{_libexecdir}/firewalld/services/%{name}.xml
+%endif
+
 %post
 export DISABLE_RESTART_ON_UPDATE=yes
 %service_add_post %{name}-server.service
@ -93,10 +109,12 @@ if test -e %{_sysconfdir}/nbd-server.conf; then
  grep -vE '^(#|[[:blank:]]*$)' %{_sysconfdir}/nbd-server.conf |
  while read port file opts; do
    if test -z "$generic"; then
-      echo > %{_sysconfdir}/nbd-server/config
-      echo "[generic]" >> %{_sysconfdir}/nbd-server/config
-      echo "	# No generic options yet" >> %{_sysconfdir}/nbd-server/config
-      echo >> %{_sysconfdir}/nbd-server/config
+      cat >%{_sysconfdir}/nbd-server/config <<-EOF
+
+	[generic]
+	   # No generic options yet
+
+	EOF
      generic=1
    fi
    FN=${file%/*}
@ -137,5 +155,10 @@ fi
 %dir %{_libexecdir}/modules-load.d/
 %{_libexecdir}/modules-load.d/nbd.conf
 %{_fillupdir}/sysconfig.%{name}-server
+%if %{use_firewalld}
+%dir %{_libexecdir}/firewalld
+%dir %{_libexecdir}/firewalld/services
+%{_libexecdir}/firewalld/services/%{name}.xml
+%endif

 %changelog