Dominique Leuenberger 2018-04-22 12:29:30 +00:00 committed by Git OBS Bridge
commit 2a3a2c0b97
10 changed files with 131 additions and 14 deletions


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
-------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de


@ -73,7 +73,7 @@ Name: python-libmount
%endif
Summary: %main_summary
License: GPL-2.0-or-later
Group: %group_pl
Group: %main_group
BuildRequires: audit-devel
BuildRequires: bc
BuildRequires: binutils-devel
@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring
Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package
Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -396,7 +397,6 @@ SMP systems.
%if %build_util_linux
%package -n python-libmount
Summary: %summary_pl
License: GPL-2.0-or-later
Group: %group_pl
%description -n python-libmount
@ -644,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole
# klogconsole install
@ -788,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -810,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
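Review bot: The upgrade probe in %pre (L72) invokes `su` by bare name, so the result depends on whatever PATH the package manager's scriptlet environment carries, and it sets only `LANG=C`, which an exported `LC_ALL` overrides. The line already tests for `/bin/su`, so run that binary explicitly and pin the locale: `if test -e /bin/su && ! LC_ALL=C /bin/su --help 2>/dev/null | grep -q -- --pty ; then`. The comment on L70 also talks about `/sbin/su` while the code checks `/bin/su`; I would make it `# Check for /bin/su and not /usr/bin/su, as it exists in all old versions.` so the next reader does not go looking for a path that is never tested.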

6
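--- /dev/null
+++ b/runuser-l.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
+auth sufficient pam_rootok.so
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so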
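Review bot: The only difference between this new runuser-l stack and runuser.pamd is the `force` flag on the pam_keyinit line (L106 versus L116), and nothing in the file says why the login variant needs it. I would add a comment above L106: `# "-l" (login) variant: "force" replaces the caller's session keyring unconditionally instead of only when one is missing; "revoke" drops it again when the session ends (see pam_keyinit(8)).` Keeping the module `optional` is the right call here, since a keyring setup failure should not block runuser itself.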


@ -1,5 +1,6 @@
#%PAM-1.0
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
auth sufficient pam_rootok.so
session optional pam_keyinit.so revoke
session include common-session
session optional pam_xauth.so

9
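--- /dev/null
+++ b/su-l.pamd
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so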
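Review bot: This new su-l stack carries no comment at all, so a reader cannot tell from the file that it is the `su -`/`su --login` configuration or why its pam_keyinit line uses `force` while the plain su stack presumably does not (su.pamd is not part of this change, so I cannot confirm its flags). Add a header after L125 such as `# PAM stack for "su -" / "su --login": a full login session, so pam_keyinit gets "force" to give the new session its own keyring and "revoke" to discard it on exit.` Note also that `account sufficient pam_rootok.so` on L128 lets root bypass account checks on the target user (expiry, access restrictions), which is the usual su behaviour but worth stating next to the line so it is not later mistaken for an oversight.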


@ -1,9 +1,12 @@
# Per default, only "su -" will set a new PATH.
# If this variable is changed to "yes" (default is "no"),
# If this variable is set to "yes" (default is "no"),
# every su call will overwrite the PATH variable.
ALWAYS_SET_PATH=no
#
# The recommended default is "yes". The default "no" behavior could have
# a security implication in applications that use commands without path.
ALWAYS_SET_PATH=yes
# Default path.
# Default path.
PATH=/usr/local/bin:/bin:/usr/bin
# Default path for a user invoking su to root.
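Review bot: The introductory comment on L138, `# Per default, only "su -" will set a new PATH.`, now contradicts the shipped default `ALWAYS_SET_PATH=yes` on L146 if that line is retained in the new file; from the rendered page I cannot tell whether L138 or the old `ALWAYS_SET_PATH=no` on L142 survive, so please check that only one assignment remains. I would reword L138 to `# With ALWAYS_SET_PATH=yes (the shipped default) every su invocation resets PATH; with "no" only "su -" does.` so the first line the admin reads matches the value below. The security note on L144-L145 would also be sharper as `# "no" lets the caller's PATH reach the target user's shell, so a writable directory in the caller's PATH can hijack commands the new user runs by bare name.`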


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
-------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de


@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring
Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package
Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole
# klogconsole install
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
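Review bot: The %post guard on L215 uses the deprecated `-a` conjunction inside a single `test`, which is ambiguous with arguments that look like operators and is the form ShellCheck flags; prefer two tests: `if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT && test -f %{_sysconfdir}/default/su &&`. Separately, the marker file and the comment on L214 (`Perform one-time change of ALWAYS_SET_ROOT`) name a setting that does not exist; the variable actually rewritten on L220 is ALWAYS_SET_PATH. Renaming the marker would have to be done in %pre and %post together, but at least the comment should read `# Perform one-time change of ALWAYS_SET_PATH. (bsc#353876#c7)` so the stderr message on L222 and the code agree.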


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
runuser-l.pamd, runuser.pamd).
-------------------------------------------------------------------
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
-------------------------------------------------------------------
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de


@ -138,6 +138,8 @@ Source11: su.default
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
Source13: %{_name}.keyring
Source14: runuser.pamd
Source15: runuser-l.pamd
Source16: su-l.pamd
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
# TODO: split to separate package
Source40: klogconsole.tar.xz
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
Patch6: util-linux-fincore-count.patch
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
Patch7: util-linux-sysfs-nvme-devno.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
pushd ../klogconsole
# klogconsole install
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
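Review bot: The one-time hardening in %post only fires when L293 matches the literal `^ALWAYS_SET_PATH=no`; an admin-edited file with trailing whitespace, `ALWAYS_SET_PATH="no"` or, if the logindefs-style parser accepts it (please confirm), `ALWAYS_SET_PATH no` is left at the insecure value without any message, and because the marker is unconditionally removed on L302 the migration never runs again. The grep and sed patterns should at least tolerate quotes and trailing blanks and stay in sync: `grep -qE '^ALWAYS_SET_PATH="?no"?[[:space:]]*$' %{_sysconfdir}/default/su ; then` and `sed -i -E 's/^ALWAYS_SET_PATH="?no"?[[:space:]]*$/ALWAYS_SET_PATH=yes/' %{_sysconfdir}/default/su`. It would also help to print a warning to stderr in the else branch when the marker exists but no match was found, so the admin learns the default was not switched.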