From 1b60e6b25bd5898383a3551e4f47f91ac7c0c5171564df77f0b130072a4c3743 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 10:50:52 +0000 Subject: [PATCH 1/8] - Update to version 1699_20240513: * chkstat: has been renamed to permctl * documentation: updated man pages * ACL support: permctl (formerly chkstat) now supports an additional `+acl` syntax to support assigning ACLs to files similar to the already existing support for file based capabilities. - Update to version 1699_20240307: * build system: migrate from Makefile to Meson - adjust spec file to meson build OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=338 --- _servicedata | 2 +- permissions-1699_20240307.tar.xz | 3 --- permissions-1699_20240513.tar.xz | 3 +++ permissions.changes | 10 ++++++++++ permissions.spec | 22 ++++++++++++---------- 5 files changed, 26 insertions(+), 14 deletions(-) delete mode 100644 permissions-1699_20240307.tar.xz create mode 100644 permissions-1699_20240513.tar.xz diff --git a/_servicedata b/_servicedata index e0b975c..cb0d2ba 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/openSUSE/permissions.git - ceaf1aa2a54de49f590ef80fd6a5fa68a16448a0 \ No newline at end of file + dcb85225fd8a677959a623e7b6c1a9639e62e336 \ No newline at end of file diff --git a/permissions-1699_20240307.tar.xz b/permissions-1699_20240307.tar.xz deleted file mode 100644 index 26c9a09..0000000 --- a/permissions-1699_20240307.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b6085c6cf441ca8d8b402ed2e0ee9e5324d4131bf71bb93a5d2a355765860e47 -size 47532 diff --git a/permissions-1699_20240513.tar.xz b/permissions-1699_20240513.tar.xz new file mode 100644 index 0000000..5673dc4 --- /dev/null +++ b/permissions-1699_20240513.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b6aee7029ed1ba22026a149cc785a73e35bbaf3868e580c9dc77502f4a8d06c +size 55556 
diff --git a/permissions.changes b/permissions.changes index 8371318..7885e08 100644 --- a/permissions.changes +++ b/permissions.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com + +- Update to version 1699_20240513: + * chkstat: has been renamed to permctl + * documentation: updated man pages + * ACL support: permctl (formerly chkstat) now supports an additional `+acl` + syntax to support assigning ACLs to files similar to the already existing + support for file based capabilities. + ------------------------------------------------------------------- Mon Mar 11 12:14:10 UTC 2024 - matthias.gerstner@suse.com diff --git a/permissions.spec b/permissions.spec index 23d6754..03518a4 100644 --- a/permissions.spec +++ b/permissions.spec @@ -17,7 +17,7 @@ Name: permissions -Version: 1699_20240307 +Version: 1699_20240513 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. @@ -27,6 +27,7 @@ URL: http://github.com/openSUSE/permissions Source: permissions-%{version}.tar.xz Source2: permissions.rpmlintrc BuildRequires: gcc-c++ +BuildRequires: libacl-devel BuildRequires: libcap-devel BuildRequires: libcap-progs BuildRequires: meson @@ -55,11 +56,11 @@ do [ -f $f ] && sed -i "1s@#\!.*python.*@#\!$(realpath %__python3)@" $f done -%check -# will fail on qemu with unshare: unshare failed: Invalid argument -%if !0%{?qemu_user_space_build} -tests/regtest.py --skip-build %_vpath_builddir >/dev/null -%endif +#%%check +#%# will fail on qemu with unshare: unshare failed: Invalid argument +#%%if !0%{?qemu_user_space_build} +#%tests/regtest.py --skip-build %_vpath_builddir >/dev/null +#%%endif %description File and directory permission settings depending on the local security 
@@ -99,7 +100,7 @@ The actual permissions configuration files, /usr/share/permissions/permission.*. %post config %{fillup_only -n security} # apply all potentially changed permissions -%{_bindir}/chkstat --system || : +%{_bindir}/permctl --system || : %package -n chkstat Summary: SUSE Linux Default Permissions tool @@ -110,18 +111,19 @@ Tool to check and set file permissions. %files -n chkstat %{_bindir}/chkstat -%{_mandir}/man8/chkstat.8%{ext_man} +%{_bindir}/permctl +%{_mandir}/man8/permctl.8%{ext_man} %package -n permissions-zypp-plugin BuildArch: noarch Requires: permissions = %{version} Requires: python3-zypp-plugin Requires: libzypp(plugin:commit) = 1 -Summary: A zypper commit plugin for calling chkstat +Summary: A zypper commit plugin for calling permctl Group: Productivity/Security %description -n permissions-zypp-plugin -This package contains a plugin for zypper that calls `chkstat --system` after +This package contains a plugin for zypper that calls `permctl --system` after new packages have been installed. This is helpful for maintaining custom entries in /etc/permissions.local. From 2cc579008f114cbb71316ada5e5c0631068bf95cf63f08d677a0693c8c67e6cd Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 11:34:14 +0000 Subject: [PATCH 2/8] OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=339 --- permissions.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/permissions.spec b/permissions.spec index 03518a4..b3194ae 100644 --- a/permissions.spec +++ b/permissions.spec 
@@ -56,11 +56,11 @@ do [ -f $f ] && sed -i "1s@#\!.*python.*@#\!$(realpath %__python3)@" $f done -#%%check -#%# will fail on qemu with unshare: unshare failed: Invalid argument -#%%if !0%{?qemu_user_space_build} -#%tests/regtest.py --skip-build %_vpath_builddir >/dev/null -#%%endif +%check +# will fail on qemu with unshare: unshare failed: Invalid argument +%if !0%{?qemu_user_space_build} +tests/regtest.py --skip-build %_vpath_builddir >/dev/null +%endif %description File and directory permission settings depending on the local security From 95652b1f7311b9c4eb1f8311a0c52d2c4bd46cff34d9d794093ae6d75798244b Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 11:37:11 +0000 Subject: [PATCH 3/8] - rename chkstat package to permctl to match the new binary names. Establish Provides/Obsoletes to keep dependencies and old package cleanup in working order, see: https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=340 --- permissions.changes | 8 ++++++++ permissions.spec | 12 +++++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/permissions.changes b/permissions.changes index 7885e08..87df301 100644 --- a/permissions.changes +++ b/permissions.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner + +- rename chkstat package to permctl to match the new binary names. Establish + Provides/Obsoletes to keep dependencies and old package cleanup in working + order, see: + https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package + ------------------------------------------------------------------- Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com diff --git a/permissions.spec b/permissions.spec index b3194ae..4a4d5c0 100644 --- a/permissions.spec +++ b/permissions.spec 
@@ -35,7 +35,7 @@ BuildRequires: python-rpm-macros BuildRequires: tclap # test suite BuildRequires: python3-base -Requires: chkstat +Requires: permctl Requires: permissions-config Provides: aaa_base:%{_datadir}/permissions @@ -75,7 +75,7 @@ This package does not contain files, it just requires the necessary packages. Summary: SUSE Linux Default Permissions config files Group: Productivity/Security Requires(post): %fillup_prereq -Requires(post): chkstat +Requires(post): permctl #!BuildIgnore: group(trusted) Requires(pre): group(trusted) Obsoletes: permissions-doc <= %{version} @@ -102,14 +102,16 @@ The actual permissions configuration files, /usr/share/permissions/permission.*. # apply all potentially changed permissions %{_bindir}/permctl --system || : -%package -n chkstat +%package -n permctl Summary: SUSE Linux Default Permissions tool Group: Productivity/Security +Provides: chkstat = %version-%release +Obsoletes: chkstat < %version-%release -%description -n chkstat +%description -n permctl Tool to check and set file permissions. -%files -n chkstat +%files -n permctl %{_bindir}/chkstat %{_bindir}/permctl %{_mandir}/man8/permctl.8%{ext_man} From e31dc58aa7a52abea2aaae810aec065981296575e75f2b477772f1b287989bee Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 11:59:51 +0000 Subject: [PATCH 4/8] OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=341 --- permissions.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/permissions.spec b/permissions.spec index 4a4d5c0..437fa90 100644 --- a/permissions.spec +++ b/permissions.spec 
@@ -26,6 +26,8 @@ Group: Productivity/Security URL: http://github.com/openSUSE/permissions Source: permissions-%{version}.tar.xz Source2: permissions.rpmlintrc +# required for %check regression test +BuildRequires: acl BuildRequires: gcc-c++ BuildRequires: libacl-devel BuildRequires: libcap-devel From 802bfc31493628a9b59cdf729117cef613021cfad8e49981aa9d311b03d09e65 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 12:00:18 +0000 Subject: [PATCH 5/8] - re-enable %check section and add BuildRequires for acl programs for tests to succeed. OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=342 --- permissions.changes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/permissions.changes b/permissions.changes index 87df301..e951317 100644 --- a/permissions.changes +++ b/permissions.changes @@ -5,6 +5,8 @@ Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner Provides/Obsoletes to keep dependencies and old package cleanup in working order, see: https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package +- re-enable %check section and add BuildRequires for acl programs for tests to + succeed. ------------------------------------------------------------------- Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com From 85ab41c2ff7723bd496a00dd9bb133b29067c031b588b513e2469c8b23a375c6 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 13:11:24 +0000 Subject: [PATCH 6/8] - add BuildRequires for acl programs for tests to succeed. Still keep %check disabled, because the new ACL test fails without /etc/subuid, /etc/subgid setup. OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=343 --- permissions.changes | 5 +++-- permissions.spec | 11 ++++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/permissions.changes b/permissions.changes index e951317..3b2c4c5 100644 --- a/permissions.changes +++ b/permissions.changes 
@@ -5,8 +5,9 @@ Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner Provides/Obsoletes to keep dependencies and old package cleanup in working order, see: https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package -- re-enable %check section and add BuildRequires for acl programs for tests to - succeed. +- add BuildRequires for acl programs for tests to succeed. Still keep %check + disabled, because the new ACL test fails without /etc/subuid, /etc/subgid + setup. ------------------------------------------------------------------- Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com diff --git a/permissions.spec b/permissions.spec index 437fa90..bf3a197 100644 --- a/permissions.spec +++ b/permissions.spec @@ -26,8 +26,6 @@ Group: Productivity/Security URL: http://github.com/openSUSE/permissions Source: permissions-%{version}.tar.xz Source2: permissions.rpmlintrc -# required for %check regression test -BuildRequires: acl BuildRequires: gcc-c++ BuildRequires: libacl-devel BuildRequires: libcap-devel @@ -37,6 +35,9 @@ BuildRequires: python-rpm-macros BuildRequires: tclap # test suite BuildRequires: python3-base +BuildRequires: acl +BuildRequires: system-user-bin +BuildRequires: system-user-nobody Requires: permctl Requires: permissions-config Provides: aaa_base:%{_datadir}/permissions @@ -60,9 +61,9 @@ done %check # will fail on qemu with unshare: unshare failed: Invalid argument -%if !0%{?qemu_user_space_build} -tests/regtest.py --skip-build %_vpath_builddir >/dev/null -%endif +#%%if !0%{?qemu_user_space_build} +#%tests/regtest.py --skip-build %_vpath_builddir >/dev/null +#%%endif %description File and directory permission settings depending on the local security From cf1c0de839e054770673f8a94e62f565f123504def4a0763c8694230c87ed0d5 Mon Sep 17 00:00:00 2001 
From: Matthias Gerstner Date: Mon, 13 May 2024 14:20:12 +0000 Subject: [PATCH 7/8] OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=344 --- permissions.changes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/permissions.changes b/permissions.changes index 3b2c4c5..d0ad221 100644 --- a/permissions.changes +++ b/permissions.changes @@ -4,7 +4,9 @@ Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner - rename chkstat package to permctl to match the new binary names. Establish Provides/Obsoletes to keep dependencies and old package cleanup in working order, see: + https://en.opensuse.org/openSUSE:Package_dependencies#Renaming_a_package + - add BuildRequires for acl programs for tests to succeed. Still keep %check disabled, because the new ACL test fails without /etc/subuid, /etc/subgid setup. From 8b3ec7e312b72fd2276364d04f11d0d41ab9a980cf0a2a0b3be242a356275f7e Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Mon, 13 May 2024 14:45:19 +0000 Subject: [PATCH 8/8] * chkstat: has been renamed to permctl to better reflect its purpose. A symlink for backward compatibility will remain in place. OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=345 --- permissions.changes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/permissions.changes b/permissions.changes index d0ad221..8a15ea4 100644 --- a/permissions.changes +++ b/permissions.changes @@ -15,7 +15,8 @@ Mon May 13 11:36:17 UTC 2024 - Matthias Gerstner Mon May 13 10:44:44 UTC 2024 - matthias.gerstner@suse.com - Update to version 1699_20240513: - * chkstat: has been renamed to permctl + * chkstat: has been renamed to permctl to better reflect its purpose. A + symlink for backward compatibility will remain in place. * documentation: updated man pages * ACL support: permctl (formerly chkstat) now supports an additional `+acl` syntax to support assigning ACLs to files similar to the already existing
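Review bot: PATCH 1/8, permissions.spec hunk `@@ -55,11 +56,11 @@`: the whole `%check` section is commented out (`#%%check` through `#%%endif`), so this build no longer runs `tests/regtest.py`, yet neither the commit message nor the new permissions.changes entry mentions that the regression tests were switched off or why. This is the update that introduces the `+acl` syntax and pulls in `libacl-devel`, which is exactly the code the test suite should be exercising. Please either keep `%check` enabled and skip only the failing case, or add a changelog line and a spec comment stating the reason the tests are disabled and the condition for turning them back on.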
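Review bot: PATCH 1/8, permissions.spec hunk `@@ -110,18 +111,19 @@`: `%{_mandir}/man8/chkstat.8%{ext_man}` is dropped from the file list while `%{_bindir}/chkstat` is still shipped, so the compatibility name keeps working but has no manual page in this package. If the upstream build does not install a `chkstat.8` alias, consider adding one that points at `permctl.8` for as long as the old binary name is packaged, so that administrators and scripts documented against `chkstat` can still find the reference.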
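Review bot: PATCH 3/8, permissions.spec hunk `@@ -102,14 +102,16 @@`: the new `Provides: chkstat = %version-%release` and `Obsoletes: chkstat < %version-%release` lines use unbraced macros, while the rest of the spec visible in this series uses the braced form (`Obsoletes: permissions-doc <= %{version}`, `Requires: permissions = %{version}`). Suggest `%{version}-%{release}` for consistency. The Provides/Obsoletes pair itself matches the renaming procedure linked in the changelog entry.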
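Review bot: PATCH 6/8, permissions.spec hunk `@@ -60,9 +61,9 @@`: only the `%if`, the `tests/regtest.py` call and the `%endif` are commented out, which leaves an active `%check` header whose body is just the comment "will fail on qemu with unshare". That comment now gives the wrong reason: the changelog in the same patch says the tests stay disabled because the new ACL test fails without /etc/subuid and /etc/subgid setup. Please put that reason next to the disabled lines in the spec, so the next person to touch it knows what has to be fixed before re-enabling. The same patch adds `BuildRequires: acl`, `system-user-bin` and `system-user-nobody` under the "# test suite" comment although no test runs in this revision; either note that they are staged for re-enabling `%check` or add them together with the change that turns the tests back on.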