From 3c69fdc6620c015c7fde5fe8c78120748f633fb13fc313087721759a3653715c Mon Sep 17 00:00:00 2001
From: Martin Pluskal
Date: Mon, 13 Aug 2018 08:48:32 +0000
Subject: [PATCH] Accepting request 627387 from home:luizluca:branches:network:utilities here we go again: - Add firewalld service file - Fix some rpmlint warnings: * 0001_fix_setgroup.patch (gh#NetworkBlockDevice/nbd#79) * Workaround macro-in-comment (rpmlint bug)
OBS-URL: https://build.opensuse.org/request/show/627387
OBS-URL: https://build.opensuse.org/package/show/network:utilities/nbd?expand=0&rev=58
---
 0001_fix_setgroup.patch | 30 ++++++++++++++++++++++++++++++
 nbd.changes | 8 ++++++++
 nbd.firewalld | 6 ++++++
 nbd.spec | 31 +++++++++++++++++++++++++++----
 4 files changed, 71 insertions(+), 4 deletions(-)
 create mode 100644 0001_fix_setgroup.patch
 create mode 100644 nbd.firewalld
diff --git a/0001_fix_setgroup.patch b/0001_fix_setgroup.patch
new file mode 100644
index 0000000..750559c
--- /dev/null
+++ b/0001_fix_setgroup.patch
@@ -0,0 +1,30 @@
+From 0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed Mon Sep 17 00:00:00 2001
+From: Luiz Angelo Daros de Luca
+Date: Tue, 24 Jul 2018 15:59:39 -0300
+Subject: [PATCH] server: clean supplementary groups when setuid
+Upstream: merged
+References: https://github.com/NetworkBlockDevice/nbd/commit/0cd9e3ba2a0f54d930d813bfde9ff9d57a12d9ed
+References: gh#NetworkBlockDevice/nbd#79
+References: https://github.com/NetworkBlockDevice/nbd/pull/79
+
+When nbd-server drops privileges, it was leaving supplementary
+groups untouched. As nbd-server was normally dropping from root,
+nbd-server kept membership to root supplementary groups.
+
+Signed-off-by: Luiz Angelo Daros de Luca
+---
+ nbd-server.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nbd-server.c b/nbd-server.c
+index 1d1f4c8d..b0720ea1 100644
+--- a/nbd-server.c
++++ b/nbd-server.c
+@@ -3470,6 +3470,7 @@ void dousers(const gchar *const username, const gchar *const groupname) {
+ str = g_strdup_printf("Invalid user name: %s", username);
+ err(str);
+ }
++ setgroups(0, NULL);
+ if(setuid(pw->pw_uid)<0) {
+ err("Could not set UID: %m");
+ }
diff --git a/nbd.changes b/nbd.changes
index 4c93f34..f0b2f2b 100644
--- a/nbd.changes
+++ b/nbd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jul 24 19:31:37 UTC 2018 - luizluca@gmail.com
+
+- Add firewalld service file
+- Fix some rpmlint warnings:
+ * 0001_fix_setgroup.patch (gh#NetworkBlockDevice/nbd#79)
+ * Workaround macro-in-comment (rpmlint bug)
+
 -------------------------------------------------------------------
 Mon Jul 9 14:47:47 UTC 2018 - mpluskal@suse.com
diff --git a/nbd.firewalld b/nbd.firewalld
new file mode 100644
index 0000000..a85bcdd
--- /dev/null
+++ b/nbd.firewalld
@@ -0,0 +1,6 @@
+
+
+ NBD
+ The Network Block Device is a Linux-originated lightweight block access protocol that allows one to export a block device to a client.
+
+
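Review bot: The added `setgroups(0, NULL);` in the embedded nbd-server.c hunk ignores its return value, while the `setuid()` on the very next line is checked. If the call fails (for example because the process lacks the privilege to change its group list), the server keeps running with the supplementary groups it started with and nothing is logged, which is the exact condition this patch sets out to remove. Handle it like the neighbouring call: `if(setgroups(0, NULL)<0) {` / `err("Could not clear supplementary groups: %m");` / `}`. The call also sits after the user-name lookup, so it appears to run only on the user branch; dousers starts and ends outside the hunk, so confirm whether a configuration that sets only a group should drop the supplementary groups as well.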
diff --git a/nbd.spec b/nbd.spec index 89c15eb..625bb62 100644 --- a/nbd.spec +++ b/nbd.spec @@ -16,6 +16,12 @@ # +%if 0%{?suse_version} >= 1500 +%define use_firewalld 1 +%else +%define use_firewalld 0 +%endif + Name: nbd Version: 3.17 Release: 0 @@ -28,6 +34,10 @@ Source1: %{name}-server.service Source3: config.example Source4: nbd-server.sysconfig Source5: nbd-client.service +#%%if %%{use_firewalld} +Source10: nbd.firewalld +#%%endif +Patch1: 0001_fix_setgroup.patch BuildRequires: pkgconfig BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(glib-2.0) >= 2.26.0 @@ -56,6 +66,7 @@ configure the nbd devices on the client side. %prep %setup -q +%patch1 -p1 %build %configure @@ -82,6 +93,11 @@ touch %{buildroot}%{_sysconfdir}/nbd-server/allow install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/nbd-server/config.example install -D -p -m 0644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.%{name}-server +# install firewall information file +%if %{use_firewalld} +install -D -m 644 %{SOURCE10} %{buildroot}%{_libexecdir}/firewalld/services/%{name}.xml +%endif + %post export DISABLE_RESTART_ON_UPDATE=yes %service_add_post %{name}-server.service @@ -93,10 +109,12 @@ if test -e %{_sysconfdir}/nbd-server.conf; then grep -vE '^(#|[[:blank:]]*$)' %{_sysconfdir}/nbd-server.conf | while read port file opts; do if test -z "$generic"; then - echo > %{_sysconfdir}/nbd-server/config - echo "[generic]" >> %{_sysconfdir}/nbd-server/config - echo " # No generic options yet" >> %{_sysconfdir}/nbd-server/config - echo >> %{_sysconfdir}/nbd-server/config + cat >%{_sysconfdir}/nbd-server/config <<-EOF + + [generic] + # No generic options yet + + EOF generic=1 fi FN=${file%/*} @@ -137,5 +155,10 @@ fi %dir %{_libexecdir}/modules-load.d/ %{_libexecdir}/modules-load.d/nbd.conf %{_fillupdir}/sysconfig.%{name}-server +%if %{use_firewalld} +%dir %{_libexecdir}/firewalld +%dir %{_libexecdir}/firewalld/services +%{_libexecdir}/firewalld/services/%{name}.xml +%endif %changelog
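Review bot: The `%post` hunk at `@@ -93,10 +109,12 @@` replaces the four `echo` lines with `cat >%{_sysconfdir}/nbd-server/config <<-EOF`, and `<<-` strips leading tab characters only. If the heredoc body and the closing `EOF` are indented with spaces, the terminator is not recognised and the remainder of the scriptlet is read into the generated config instead of being executed. The indentation cannot be recovered from this page, so verify that it is tabs, and consider a guard comment above the `cat` such as `# heredoc body and EOF must be tab-indented: <<- strips tabs only`. The scriptlet runs as root at install time, so a silently truncated migration would leave nbd-server with a malformed config.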