From 657e98f770c820f37e6d51155dff99217fcd1fd8161c99ed573d7e3a5721d4d4 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Thu, 31 Aug 2017 09:37:22 +0000 Subject: [PATCH] Accepting request 519891 from home:Andreas_Schwab:Factory - Disable obsolete libnsl and NIS support - remove-nss-nis-compat.patch: remove nis and compat from default NSS configs - nsswitch.conf: Likewise OBS-URL: https://build.opensuse.org/request/show/519891 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=473 --- glibc-testsuite.changes | 8 ++ glibc-testsuite.spec | 22 ++-- glibc-utils.changes | 8 ++ glibc-utils.spec | 22 ++-- glibc.changes | 8 ++ glibc.spec | 22 ++-- nsswitch.conf | 15 +-- remove-nss-nis-compat.patch | 207 ++++++++++++++++++++++++++++++++++++ 8 files changed, 257 insertions(+), 55 deletions(-) create mode 100644 remove-nss-nis-compat.patch diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes index f8c1b5d..7dda998 100644 --- a/glibc-testsuite.changes +++ b/glibc-testsuite.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Aug 31 07:06:20 UTC 2017 - schwab@suse.de + +- Disable obsolete libnsl and NIS support +- remove-nss-nis-compat.patch: remove nis and compat from default NSS + configs +- nsswitch.conf: Likewise + ------------------------------------------------------------------- Tue Aug 29 07:13:42 UTC 2017 - schwab@suse.de diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec index 54d1bef..0eea146 100644 --- a/glibc-testsuite.spec +++ b/glibc-testsuite.spec @@ -277,6 +277,8 @@ Patch1001: dl-runtime-resolve-opt-avx512f.patch Patch1002: libpthread-compat-wrappers.patch # PATCH-FIX-UPSTREAM Do not use __builtin_types_compatible_p in C++ mode (BZ #21930) Patch1003: math-c++-compat.patch +# PATCH-FIX-UPSTREAM Remove nis and compat from default NSS configs +Patch1004: remove-nss-nis-compat.patch ### # Patches awaiting upstream approval @@ -510,6 +512,7 @@ rm nscd/s-stamp %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 %patch2000 -p1 %patch2001 -p1 @@ -677,7 +680,7 @@ configure_and_build_glibc() { --enable-kernel=%{enablekernel} \ --with-bugurl=http://bugs.opensuse.org \ --enable-bind-now \ - --enable-obsolete-rpc --enable-obsolete-nsl \ + --enable-obsolete-rpc \ --disable-timezone-tools # Should we enable --enable-systemtap? # Should we enable --enable-nss-crypt to build use freebl3 hash functions? @@ -769,12 +772,6 @@ pushd crypt_blowfish-%{crypt_bf_version} make man popd -####################################################################### -### -### CHECK -### -####################################################################### - %check %if %{build_testsuite} # The testsuite will fail if asneeded is used @@ -916,6 +913,9 @@ export RPM_BUILD_ROOT mkdir -p %{buildroot}/%{_lib}/obsolete %endif +# remove nsl compat library +rm -f %{buildroot}%{_libdir}/libnsl* + # Miscelanna: install -m 0700 glibc_post_upgrade %{buildroot}%{_sbindir} @@ -1192,8 +1192,6 @@ exit 0 %endif /%{_lib}/libnsl-%{libversion}.so /%{_lib}/libnsl.so.1 -/%{_lib}/libnss_compat-%{libversion}.so -/%{_lib}/libnss_compat.so.2 /%{_lib}/libnss_db-%{libversion}.so /%{_lib}/libnss_db.so.2 /%{_lib}/libnss_dns-%{libversion}.so @@ -1202,10 +1200,6 @@ exit 0 /%{_lib}/libnss_files.so.2 /%{_lib}/libnss_hesiod-%{libversion}.so /%{_lib}/libnss_hesiod.so.2 -/%{_lib}/libnss_nis-%{libversion}.so -/%{_lib}/libnss_nis.so.2 -/%{_lib}/libnss_nisplus-%{libversion}.so -/%{_lib}/libnss_nisplus.so.2 /%{_lib}/libpthread-%{libversion}.so /%{_lib}/libpthread.so.0 /%{_lib}/libresolv-%{libversion}.so @@ -1318,7 +1312,6 @@ exit 0 %{_libdir}/libm-%{libversion}.a %{_libdir}/libmvec.a %endif -%{_libdir}/libnsl.a %{_libdir}/libpthread.a %{_libdir}/libresolv.a %{_libdir}/librt.a @@ -1374,7 +1367,6 @@ exit 0 %{_libdir}/libowcrypt_p.a %{_libdir}/libpthread_p.a %{_libdir}/libresolv_p.a -%{_libdir}/libnsl_p.a %{_libdir}/librt_p.a %{_libdir}/librpcsvc_p.a %{_libdir}/libutil_p.a diff --git a/glibc-utils.changes b/glibc-utils.changes index f8c1b5d..7dda998 100644 --- a/glibc-utils.changes +++ b/glibc-utils.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Aug 31 07:06:20 UTC 2017 - schwab@suse.de + +- Disable obsolete libnsl and NIS support +- remove-nss-nis-compat.patch: remove nis and compat from default NSS + configs +- nsswitch.conf: Likewise + ------------------------------------------------------------------- Tue Aug 29 07:13:42 UTC 2017 - schwab@suse.de diff --git a/glibc-utils.spec b/glibc-utils.spec index a01e197..f22169a 100644 --- a/glibc-utils.spec +++ b/glibc-utils.spec @@ -277,6 +277,8 @@ Patch1001: dl-runtime-resolve-opt-avx512f.patch Patch1002: libpthread-compat-wrappers.patch # PATCH-FIX-UPSTREAM Do not use __builtin_types_compatible_p in C++ mode (BZ #21930) Patch1003: math-c++-compat.patch +# PATCH-FIX-UPSTREAM Remove nis and compat from default NSS configs +Patch1004: remove-nss-nis-compat.patch ### # Patches awaiting upstream approval @@ -510,6 +512,7 @@ rm nscd/s-stamp %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 %patch2000 -p1 %patch2001 -p1 @@ -677,7 +680,7 @@ configure_and_build_glibc() { --enable-kernel=%{enablekernel} \ --with-bugurl=http://bugs.opensuse.org \ --enable-bind-now \ - --enable-obsolete-rpc --enable-obsolete-nsl \ + --enable-obsolete-rpc \ --disable-timezone-tools # Should we enable --enable-systemtap? # Should we enable --enable-nss-crypt to build use freebl3 hash functions? @@ -769,12 +772,6 @@ pushd crypt_blowfish-%{crypt_bf_version} make man popd -####################################################################### -### -### CHECK -### -####################################################################### - %check %if %{build_testsuite} # The testsuite will fail if asneeded is used @@ -916,6 +913,9 @@ export RPM_BUILD_ROOT mkdir -p %{buildroot}/%{_lib}/obsolete %endif +# remove nsl compat library +rm -f %{buildroot}%{_libdir}/libnsl* + # Miscelanna: install -m 0700 glibc_post_upgrade %{buildroot}%{_sbindir} @@ -1192,8 +1192,6 @@ exit 0 %endif /%{_lib}/libnsl-%{libversion}.so /%{_lib}/libnsl.so.1 -/%{_lib}/libnss_compat-%{libversion}.so -/%{_lib}/libnss_compat.so.2 /%{_lib}/libnss_db-%{libversion}.so /%{_lib}/libnss_db.so.2 /%{_lib}/libnss_dns-%{libversion}.so @@ -1202,10 +1200,6 @@ exit 0 /%{_lib}/libnss_files.so.2 /%{_lib}/libnss_hesiod-%{libversion}.so /%{_lib}/libnss_hesiod.so.2 -/%{_lib}/libnss_nis-%{libversion}.so -/%{_lib}/libnss_nis.so.2 -/%{_lib}/libnss_nisplus-%{libversion}.so -/%{_lib}/libnss_nisplus.so.2 /%{_lib}/libpthread-%{libversion}.so /%{_lib}/libpthread.so.0 /%{_lib}/libresolv-%{libversion}.so @@ -1318,7 +1312,6 @@ exit 0 %{_libdir}/libm-%{libversion}.a %{_libdir}/libmvec.a %endif -%{_libdir}/libnsl.a %{_libdir}/libpthread.a %{_libdir}/libresolv.a %{_libdir}/librt.a @@ -1374,7 +1367,6 @@ exit 0 %{_libdir}/libowcrypt_p.a %{_libdir}/libpthread_p.a %{_libdir}/libresolv_p.a -%{_libdir}/libnsl_p.a %{_libdir}/librt_p.a %{_libdir}/librpcsvc_p.a %{_libdir}/libutil_p.a diff --git a/glibc.changes b/glibc.changes index f8c1b5d..7dda998 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Aug 31 07:06:20 UTC 2017 - schwab@suse.de + +- Disable obsolete libnsl and NIS support +- remove-nss-nis-compat.patch: remove nis and compat from default NSS + configs +- nsswitch.conf: Likewise + ------------------------------------------------------------------- Tue Aug 29 07:13:42 UTC 2017 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index b0dbb5d..c4d594c 100644 --- a/glibc.spec +++ b/glibc.spec @@ -283,6 +283,8 @@ Patch1001: dl-runtime-resolve-opt-avx512f.patch Patch1002: libpthread-compat-wrappers.patch # PATCH-FIX-UPSTREAM Do not use __builtin_types_compatible_p in C++ mode (BZ #21930) Patch1003: math-c++-compat.patch +# PATCH-FIX-UPSTREAM Remove nis and compat from default NSS configs +Patch1004: remove-nss-nis-compat.patch ### # Patches awaiting upstream approval @@ -516,6 +518,7 @@ rm nscd/s-stamp %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 %patch2000 -p1 %patch2001 -p1 @@ -683,7 +686,7 @@ configure_and_build_glibc() { --enable-kernel=%{enablekernel} \ --with-bugurl=http://bugs.opensuse.org \ --enable-bind-now \ - --enable-obsolete-rpc --enable-obsolete-nsl \ + --enable-obsolete-rpc \ --disable-timezone-tools # Should we enable --enable-systemtap? # Should we enable --enable-nss-crypt to build use freebl3 hash functions? @@ -775,12 +778,6 @@ pushd crypt_blowfish-%{crypt_bf_version} make man popd -####################################################################### -### -### CHECK -### -####################################################################### - %check %if %{build_testsuite} # The testsuite will fail if asneeded is used @@ -922,6 +919,9 @@ export RPM_BUILD_ROOT mkdir -p %{buildroot}/%{_lib}/obsolete %endif +# remove nsl compat library +rm -f %{buildroot}%{_libdir}/libnsl* + # Miscelanna: install -m 0700 glibc_post_upgrade %{buildroot}%{_sbindir} @@ -1198,8 +1198,6 @@ exit 0 %endif /%{_lib}/libnsl-%{libversion}.so /%{_lib}/libnsl.so.1 -/%{_lib}/libnss_compat-%{libversion}.so -/%{_lib}/libnss_compat.so.2 /%{_lib}/libnss_db-%{libversion}.so /%{_lib}/libnss_db.so.2 /%{_lib}/libnss_dns-%{libversion}.so @@ -1208,10 +1206,6 @@ exit 0 /%{_lib}/libnss_files.so.2 /%{_lib}/libnss_hesiod-%{libversion}.so /%{_lib}/libnss_hesiod.so.2 -/%{_lib}/libnss_nis-%{libversion}.so -/%{_lib}/libnss_nis.so.2 -/%{_lib}/libnss_nisplus-%{libversion}.so -/%{_lib}/libnss_nisplus.so.2 /%{_lib}/libpthread-%{libversion}.so /%{_lib}/libpthread.so.0 /%{_lib}/libresolv-%{libversion}.so @@ -1324,7 +1318,6 @@ exit 0 %{_libdir}/libm-%{libversion}.a %{_libdir}/libmvec.a %endif -%{_libdir}/libnsl.a %{_libdir}/libpthread.a %{_libdir}/libresolv.a %{_libdir}/librt.a @@ -1380,7 +1373,6 @@ exit 0 %{_libdir}/libowcrypt_p.a %{_libdir}/libpthread_p.a %{_libdir}/libresolv_p.a -%{_libdir}/libnsl_p.a %{_libdir}/librt_p.a %{_libdir}/librpcsvc_p.a %{_libdir}/libutil_p.a diff --git a/nsswitch.conf b/nsswitch.conf index fbd63fd..fcf5e1a 100644 --- a/nsswitch.conf +++ b/nsswitch.conf @@ -22,12 +22,9 @@ # For more information, please read the nsswitch.conf.5 manual page. # -# passwd: files nis -# shadow: files nis -# group: files nis - -passwd: compat [NOTFOUND=return] files -group: compat [NOTFOUND=return] files +passwd: files +group: files +shadow: files hosts: files dns networks: files dns @@ -37,11 +34,9 @@ protocols: files rpc: files ethers: files netmasks: files -netgroup: files nis +netgroup: files publickey: files bootparams: files -automount: files nis +automount: files aliases: files - - diff --git a/remove-nss-nis-compat.patch b/remove-nss-nis-compat.patch new file mode 100644 index 0000000..4a78c5c --- /dev/null +++ b/remove-nss-nis-compat.patch @@ -0,0 +1,207 @@ +2017-08-29 Steve Ellcey + + * grp/initgroups.c: Include config.h. + (DEFAULT_CONFIG): New macro. + (internal_getgrouplist): Use DEFAULT_CONFIG. + * nscd/initgrcache.c (addinitgroupsX): Likewise. + * nss/nsswitch.c (__nss_disable_nscd): Likewise. + (DEFAULT_DEFCONFIG): New macro. + (__nss_database_lookup): Use DEFAULT_DEFCONFIG. + * nss/grp-lookup.c: Include config.h + (DEFAULT_CONFIG): Set definition based on LINK_OBSOLETE_NSL. + * nss/pwd-lookup.c (DEFAULT_CONFIG): Likewise. + * nss/spwd-lookup.c (DEFAULT_CONFIG): Likewise. + * manual/nss.texi: Update default values section. + + +Index: glibc-2.26/grp/initgroups.c +=================================================================== +--- glibc-2.26.orig/grp/initgroups.c ++++ glibc-2.26/grp/initgroups.c +@@ -26,10 +26,16 @@ + #include + #include + #include ++#include + + #include "../nscd/nscd-client.h" + #include "../nscd/nscd_proto.h" + ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++#endif + + /* Type of the lookup function. */ + typedef enum nss_status (*initgroups_dyn_function) (const char *, gid_t, +@@ -84,7 +90,7 @@ internal_getgrouplist (const char *user, + &__nss_initgroups_database) < 0) + { + if (__nss_group_database == NULL) +- no_more = __nss_database_lookup ("group", NULL, "compat files", ++ no_more = __nss_database_lookup ("group", NULL, DEFAULT_CONFIG, + &__nss_group_database); + + __nss_initgroups_database = __nss_group_database; +Index: glibc-2.26/manual/nss.texi +=================================================================== +--- glibc-2.26.orig/manual/nss.texi ++++ glibc-2.26/manual/nss.texi +@@ -318,13 +318,17 @@ The @code{passwd}, @code{group}, and @co + traditionally handled in a special way. The appropriate files in the + @file{/etc} directory are read but if an entry with a name starting + with a @code{+} character is found NIS is used. This kind of lookup +-remains possible by using the special lookup service @code{compat} +-and the default value for the three databases above is +-@code{compat [NOTFOUND=return] files}. ++remains possible if @theglibc{} was configured with the ++@code{--enable-obsolete-nsl} option and the special lookup service ++@code{compat} is used. If @theglibc{} was configured with the ++@code{--enable-obsolete-nsl} option the default value for the three ++databases above is @code{compat [NOTFOUND=return] files}. If the ++@code{--enable-obsolete-nsl} option was not used the default value ++for the services is @code{files}. + +-For all other databases the default value is +-@code{nis [NOTFOUND=return] files}. This solution gives the best +-chance to be correct since NIS and file based lookups are used. ++For all other databases the default value is @code{files} unless ++@theglibc{} was configured with @code{--enable-obsolete-rpc} option, in ++which case it the default value is @code{nis [NOTFOUND=return] files}. + + @cindex optimizing NSS + A second point is that the user should try to optimize the lookup +Index: glibc-2.26/nscd/initgrcache.c +=================================================================== +--- glibc-2.26.orig/nscd/initgrcache.c ++++ glibc-2.26/nscd/initgrcache.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include "dbg_log.h" + #include "nscd.h" +@@ -34,6 +35,11 @@ + + #include "../nss/nsswitch.h" + ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++#endif + + /* Type of the lookup function. */ + typedef enum nss_status (*initgroups_dyn_function) (const char *, gid_t, +@@ -85,8 +91,7 @@ addinitgroupsX (struct database_dyn *db, + int no_more; + + if (group_database == NULL) +- no_more = __nss_database_lookup ("group", NULL, +- "compat [NOTFOUND=return] files", ++ no_more = __nss_database_lookup ("group", NULL, DEFAULT_CONFIG, + &group_database); + else + no_more = 0; +Index: glibc-2.26/nss/grp-lookup.c +=================================================================== +--- glibc-2.26.orig/nss/grp-lookup.c ++++ glibc-2.26/nss/grp-lookup.c +@@ -16,7 +16,13 @@ + License along with the GNU C Library; if not, see + . */ + ++#include ++ + #define DATABASE_NAME group +-#define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++#endif + + #include "XXX-lookup.c" +Index: glibc-2.26/nss/nsswitch.c +=================================================================== +--- glibc-2.26.orig/nss/nsswitch.c ++++ glibc-2.26/nss/nsswitch.c +@@ -40,6 +40,15 @@ + #include "nsswitch.h" + #include "../nscd/nscd_proto.h" + #include ++#include ++ ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++# define DEFAULT_DEFCONFIG "nis [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++# define DEFAULT_DEFCONFIG "files" ++#endif + + /* Prototypes for the local functions. */ + static name_database *nss_parse_file (const char *fname) internal_function; +@@ -151,8 +160,7 @@ __nss_database_lookup (const char *datab + or null to use the most common default. */ + if (*ni == NULL) + { +- *ni = nss_parse_service_list (defconfig +- ?: "nis [NOTFOUND=return] files"); ++ *ni = nss_parse_service_list (defconfig ?: DEFAULT_DEFCONFIG); + if (*ni != NULL) + { + /* Record the memory we've just allocated in defconfig_entries list, +@@ -848,8 +856,8 @@ __nss_disable_nscd (void (*cb) (size_t, + is_nscd = true; + + /* Find all the relevant modules so that the init functions are called. */ +- nss_load_all_libraries ("passwd", "compat [NOTFOUND=return] files"); +- nss_load_all_libraries ("group", "compat [NOTFOUND=return] files"); ++ nss_load_all_libraries ("passwd", DEFAULT_CONFIG); ++ nss_load_all_libraries ("group", DEFAULT_CONFIG); + nss_load_all_libraries ("hosts", "dns [!UNAVAIL=return] files"); + nss_load_all_libraries ("services", NULL); + +Index: glibc-2.26/nss/pwd-lookup.c +=================================================================== +--- glibc-2.26.orig/nss/pwd-lookup.c ++++ glibc-2.26/nss/pwd-lookup.c +@@ -16,7 +16,13 @@ + License along with the GNU C Library; if not, see + . */ + ++#include ++ + #define DATABASE_NAME passwd +-#define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++#endif + + #include "XXX-lookup.c" +Index: glibc-2.26/nss/spwd-lookup.c +=================================================================== +--- glibc-2.26.orig/nss/spwd-lookup.c ++++ glibc-2.26/nss/spwd-lookup.c +@@ -16,8 +16,14 @@ + License along with the GNU C Library; if not, see + . */ + ++#include ++ + #define DATABASE_NAME shadow + #define ALTERNATE_NAME passwd +-#define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#ifdef LINK_OBSOLETE_NSL ++# define DEFAULT_CONFIG "compat [NOTFOUND=return] files" ++#else ++# define DEFAULT_CONFIG "files" ++#endif + + #include "XXX-lookup.c"