diff --git a/systemd-mini.changes b/systemd-mini.changes
index 82bd34cc..ddffeda8 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 8 10:33:10 UTC 2018 - Thomas.Blume@suse.com
+
+- align permissions of /etc/machine-id to upstream code (bsc#1092269)
+ world writeable machine-id is a security issue
+
 -------------------------------------------------------------------
 Mon Apr 23 07:45:32 UTC 2018 - fbui@suse.com
 
diff --git a/systemd-mini.spec b/systemd-mini.spec
index 7c164b7b..3c6abe35 100644
--- a/systemd-mini.spec
+++ b/systemd-mini.spec
@@ -687,9 +687,11 @@ fi
 # machine ID in all images.
 if [ $1 -eq 1 ]; then
 touch %{_sysconfdir}/machine-id
- chmod 666 %{_sysconfdir}/machine-id
 fi
 
+# check if /etc/machine-id is writeable and change it to readonly
+[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+
 %if ! 0%{?bootstrap}
 pam-config --add --systemd || :
 %endif
diff --git a/systemd.changes b/systemd.changes
index 82bd34cc..ddffeda8 100644
--- a/systemd.changes
+++ b/systemd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 8 10:33:10 UTC 2018 - Thomas.Blume@suse.com
+
+- align permissions of /etc/machine-id to upstream code (bsc#1092269)
+ world writeable machine-id is a security issue
+
 -------------------------------------------------------------------
 Mon Apr 23 07:45:32 UTC 2018 - fbui@suse.com
 
diff --git a/systemd.spec b/systemd.spec
index 8e20f9a1..a8a133d2 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -685,9 +685,11 @@ fi
 # machine ID in all images.
 if [ $1 -eq 1 ]; then
 touch %{_sysconfdir}/machine-id
- chmod 666 %{_sysconfdir}/machine-id
 fi
 
+# check if /etc/machine-id is writeable and change it to readonly
+[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+
%if ! 0%{?bootstrap}
 pam-config --add --systemd || :
 %endif
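Review bot: The `[[ -w ... ]]` guard added in the systemd-mini.spec hunk does not test the file mode it claims to: the scriptlet runs as root, and for root `-w` succeeds on any existing file regardless of its permission bits, so it is effectively an existence check and the comment "check if /etc/machine-id is writeable" is misleading. Since the intent is just to fix up whatever mode a previous package (or `touch` under an unusual umask) left behind, say so and use the plain POSIX test, which also drops the bash-only `[[` from a scriptlet that rpm runs under `/bin/sh`: `# force the upstream 0444 mode on /etc/machine-id (was 0666 on older installs, bsc#1092269)` followed by `[ -e %{_sysconfdir}/machine-id ] && chmod 444 %{_sysconfdir}/machine-id`. Note that on a fresh install the file is still created by `touch` with a umask-derived mode a moment before the chmod, which is fine here but worth keeping the two lines adjacent. The enclosing `%post` scriptlet begins outside the hunk.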
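Review bot: On upgrade the systemd.spec hunk only tightens the mode of an existing `/etc/machine-id`; it does not look at the contents, which any local user could have rewritten while the file was 0666, so the fix silently keeps whatever is there. Whether that matters depends on how the ID was used on such systems, which this diff does not show, so at minimum the new comment should record the limitation: `# tighten to the upstream 0444 mode; contents written while the file was world-writable are not validated here`. If a validation step is wanted, it belongs in this same scriptlet next to the chmod so both halves of the bsc#1092269 fix travel together, and the identical guard in systemd-mini.spec should get the same treatment. The `%post` scriptlet this sits in starts before the hunk.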