pool/permissions
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 103176 from Base:System

Browse Source 
- add duplicate entries for / and /usr (bnc#745622)

- add scripts for automatic package sumission
- drop zypp-refresh-wrapper (bnc#738677)

OBS-URL: https://build.opensuse.org/request/show/103176
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/permissions?expand=0&rev=73
This commit is contained in:
Stephan Kulow 2012-02-08 14:41:09 +00:00 committed by Git OBS Bridge
commit 51b5d528e2
5 changed files with 16 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
0001-disable-run-time-fscaps-detection-bnc-728312.diff
View File

@ -1,140 +0,0 @@
From 94311258bfdf3ad86938bd50aaef4a83ca04eae5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Mon, 7 Nov 2011 10:34:38 +0100
Subject: [PATCH] disable run time fscaps detection (bnc#728312)
PERMISSIONS_FSCAPS setting in /etc/sysconfig/security allows to enable
them again.
---
chkstat.8 | 5 +++--
chkstat.c | 40 ++++++++++++++++++++++++++++------------
2 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/chkstat.8 b/chkstat.8
index 3492e21..364a237 100644
--- a/chkstat.8
+++ b/chkstat.8
@@ -52,8 +52,9 @@ Opposite of --set, ie warn only but don't make actual changes
Omit printing the output header lines.
.TP
.IR \-\-fscaps,\ \-\-no\-fscaps
-Force or disable use of fscaps. Default is to automatically
-determine whether the running kernel supports fscaps.
+Enable or disable use of fscaps. In system mode the setting of
+PERMISSIONS_FSCAPS determines whether fscaps are on or off when this
+option is not set.
.TP
.IR \-\-examine\ file
Check permissions for this file instead of all files listed in the permissions files.
diff --git a/chkstat.c b/chkstat.c
index e5c9b15..8682c3e 100644
--- a/chkstat.c
+++ b/chkstat.c
@@ -54,6 +54,7 @@ int nlevel;
char** level;
int do_set = -1;
int default_set = 1;
+int have_fscaps = -1;
char** permfiles = NULL;
int npermfiles = 0;
char* force_level;
@@ -281,6 +282,24 @@ parse_sysconf(const char* file)
//fprintf(stderr, "invalid value for CHECK_PERMISSIONS (must be 'set', 'warn' or 'no')\n");
}
}
+ else if (have_fscaps == -1 && !strncmp(p, "PERMISSIONS_FSCAPS=", 19))
+ {
+ p+=19;
+ if (isquote(*p))
+ ++p;
+ if (!strncmp(p, "yes", 3))
+ {
+ p+=3;
+ if (isquote(*p) || !*p)
+ have_fscaps=1;
+ }
+ else if (!strncmp(p, "no", 2))
+ {
+ p+=2;
+ if (isquote(*p) || !*p)
+ have_fscaps=0;
+ }
+ }
}
fclose(fp);
return 0;
@@ -515,18 +534,18 @@ check_fscaps_enabled()
{
FILE* fp;
char line[128];
- int have_fscaps = FSCAPS_DEFAULT_ENABLED;
+ int val = FSCAPS_DEFAULT_ENABLED;
if ((fp = fopen("/sys/kernel/fscaps", "r")) == 0)
{
goto out;
}
if (readline(fp, line, sizeof(line)))
{
- have_fscaps = atoi(line);
+ val = atoi(line);
}
fclose(fp);
out:
- return have_fscaps;
+ return val;
}
int
@@ -552,7 +571,6 @@ main(int argc, char **argv)
int fd, r;
int errors = 0;
cap_t caps = NULL;
- int have_fscaps = -1;
while (argc > 1)
{
@@ -692,9 +710,6 @@ main(int argc, char **argv)
break;
}
- if (have_fscaps == -1)
- have_fscaps = check_fscaps_enabled();
-
if (systemmode)
{
const char file[] = "/etc/sysconfig/security";
@@ -747,6 +762,11 @@ main(int argc, char **argv)
permfiles = &argv[1];
}
+ if (have_fscaps == 1 && !check_fscaps_enabled())
+ {
+ fprintf(stderr, "Warning: running kernel does not support fscaps\n");
+ }
+
if (do_set == -1)
do_set = 0;
@@ -802,7 +822,7 @@ main(int argc, char **argv)
}
if (!strncmp(p, "+capabilities ", 14))
{
- if (!have_fscaps)
+ if (have_fscaps != 1)
continue;
p += 14;
caps = cap_from_text(p);
@@ -900,10 +920,6 @@ main(int argc, char **argv)
printf("Checking permissions and ownerships - using the permissions files\n");
for (i = 0; i < npermfiles; i++)
printf("\t%s\n", permfiles[i]);
- if (!have_fscaps)
- {
- printf("kernel has fscaps support disabled.\n");
- }
if (rootl)
{
printf("Using root %s\n", root);
--
1.7.3.4

3
permissions-2011.09.23.1037.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e54213911d37826ed7e9fa5170b3b74c36ada247a0a82110ef63acec40e562a6
size 19062

3
permissions-2012.02.08.0914.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cd991f98910bedf87f755c6e961970f4001529aff6c1526f715dd16d913c6918
size 20350

11
permissions.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed Feb 8 08:15:50 UTC 2012 - lnussel@suse.de
- add duplicate entries for / and /usr (bnc#745622)
-------------------------------------------------------------------
Tue Feb 7 12:09:17 UTC 2012 - lnussel@suse.de
- add scripts for automatic package sumission
- drop zypp-refresh-wrapper (bnc#738677)
-------------------------------------------------------------------
Mon Nov 7 09:39:43 UTC 2011 - lnussel@suse.de

6
permissions.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package permissions
#
# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -24,13 +24,12 @@ Name: permissions
License: GPL-2.0+
Group: Productivity/Security
AutoReqProv: on
Version: 2011.09.23.1037
Version: 2012.02.08.0914
Release: 1
Provides: aaa_base:/etc/permissions
PreReq: %fillup_prereq
Summary: SUSE Linux Default Permissions
Source: permissions-%{version}.tar.bz2
Patch0: 0001-disable-run-time-fscaps-detection-bnc-728312.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Url: http://gitorious.org/opensuse/permissions
@ -49,7 +48,6 @@ Authors:
%prep
%setup -q
%patch0 -p1
%build
make %{?_smp_mflags} CFLAGS="-W -Wall $RPM_OPT_FLAGS" FSCAPS_DEFAULT_ENABLED=0