Accepting request 1003917 from home:sbrabec:branches:util-linux-2.38

- Do not set SUID permissions for util-linux-mini.

OBS-URL: https://build.opensuse.org/request/show/1003917
OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=474

util-linux-rpmlintrc

@@ -1,6 +1,6 @@
 # False positives. Libraries outside LD_LIBRARY_PATH use RPATH to find libraries, not ldconfig.
+addFilter("library-without-ldconfig-postin /usr/libexec/build/staging/.*")
 addFilter("library-without-ldconfig-postun /usr/libexec/build/staging/.*")
-addFilter("postin-without-ldconfig /usr/libexec/build/staging/.*")
 # Not applicable for multi flavor build.
 addFilter("invalid-spec-name")
 # Not important, and it simplifies packaging.

util-linux.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Sep 15 12:42:41 UTC 2022 - Stanislav Brabec <sbrabec@suse.com>
+
+- Do not set SUID permissions for util-linux-mini.
+
 -------------------------------------------------------------------
 Mon Sep 12 18:45:58 UTC 2022 - Stanislav Brabec <sbrabec@suse.com>
 

util-linux.spec

@@ -35,12 +35,14 @@
 %define ulbuild base
 %define ulmode bootstrap
 %define ul_extra_bin_sbin 0
+%define ul_suid 0755
 %else
 %if !0%{?usrmerged}
 %define ul_extra_bin_sbin 1
 %else
 %define ul_extra_bin_sbin 0
 %endif
+%define ul_suid 4755
 %endif
 
 %define _name   util-linux
@@ -146,7 +148,6 @@ BuildRequires:  zlib-devel
 %ifarch ppc ppc64 ppc64le
 BuildRequires:  librtas-devel
 %endif
-PreReq:         permissions
 %if "%ulmode" == "full"
 BuildRequires:  bash-completion
 BuildRequires:  file-devel
@@ -155,6 +156,7 @@ BuildRequires:  socat
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  rubygem(asciidoctor)
+PreReq:         permissions
 Requires:       adjtimex
 Requires:       time
 Requires:       which
@@ -619,9 +621,11 @@ echo "$diffs_files" | xargs -r cat
 exit "$result"
 %endif
 
+%if "%ulmode" == "full"
 %verifyscript
 %verify_permissions -e %{ulbindir}/wall -e %{ulbindir}/write -e %{ulbindir}/mount -e %{ulbindir}/umount
 %verify_permissions -e %{ulbindir}/su
+%endif
 
 %pre
 # move outdated pam.d/*.rpmsave files away
@@ -632,10 +636,10 @@ done
 %service_add_pre fstrim.service fstrim.timer
 %endif
 
+%if "%ulmode" == "full"
 %post
 %set_permissions %{ulbindir}/wall %{ulbindir}/write %{ulbindir}/mount %{ulbindir}/umount
 %set_permissions %{ulbindir}/su
-%if "%ulmode" == "full"
 %if ! %{defined no_config}
 #
 # If outdated PAM file is detected, issue a warning.
@@ -763,11 +767,11 @@ rmdir --ignore-fail-on-non-empty /run/run >/dev/null 2>&1 || :
 %if %{ul_extra_bin_sbin}
 /bin/findmnt
 /bin/kill
-%verify(not mode) %attr(4755,root,root) /bin/su
+%verify(not mode) %attr(%ul_suid,root,root) /bin/su
 /bin/dmesg
 /bin/more
-%verify(not mode) %attr(4755,root,root) /bin/mount
+%verify(not mode) %attr(%ul_suid,root,root) /bin/mount
-%verify(not mode) %attr(4755,root,root) /bin/umount
+%verify(not mode) %attr(%ul_suid,root,root) /bin/umount
 /bin/login
 /bin/logger
 /bin/lsblk
@@ -797,7 +801,7 @@ rmdir --ignore-fail-on-non-empty /run/run >/dev/null 2>&1 || :
 /sbin/chcpu
 %endif
 %{ulbindir}/kill
-%verify(not mode) %attr(4755,root,root) %{ulbindir}/su
+%verify(not mode) %attr(%ul_suid,root,root) %{ulbindir}/su
 %{ulbindir}/eject
 %{ulbindir}/cal
 %{ulbindir}/chmem
@@ -841,7 +845,7 @@ rmdir --ignore-fail-on-non-empty /run/run >/dev/null 2>&1 || :
 %{ulbindir}/mcookie
 %{ulbindir}/mesg
 %{ulbindir}/more
-%verify(not mode) %attr(4755,root,root) %{ulbindir}/mount
+%verify(not mode) %attr(%ul_suid,root,root) %{ulbindir}/mount
 %{ulbindir}/namei
 %{ulbindir}/nsenter
 %{ulbindir}/prlimit
@@ -857,7 +861,7 @@ rmdir --ignore-fail-on-non-empty /run/run >/dev/null 2>&1 || :
 %{ulbindir}/taskset
 %{ulbindir}/uclampset
 %{ulbindir}/ul
-%verify(not mode)%attr(4755,root,root)  %{ulbindir}/umount
+%verify(not mode)%attr(%ul_suid,root,root)  %{ulbindir}/umount
 %{ulbindir}/unshare
 %{ulbindir}/mountpoint
 %{ulbindir}/utmpdump