diff --git a/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch b/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
new file mode 100644
index 0000000..4d3e5bb
--- /dev/null
+++ b/backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
@@ -0,0 +1,23 @@
+From 050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7 Mon Sep 17 00:00:00 2001
+From: Hs_Yeah
+Date: Tue, 19 Sep 2023 03:12:47 +0800
+Subject: [PATCH] Added AmbientCapabilities to nqptp.service.in
+
+Added AmbientCapabilities=CAP_NET_BIND_SERVICE
+so that the systemd service can be used without the capability set on the built nqptp binary.
+---
+ nqptp.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/nqptp.service.in b/nqptp.service.in
+index 6f1eb0c..53e6a2e 100644
+--- a/nqptp.service.in
++++ b/nqptp.service.in
+@@ -8,6 +8,7 @@ Before=shairport-sync.service
+ ExecStart=@prefix@/bin/nqptp
+ User=nqptp
+ Group=nqptp
++AmbientCapabilities=CAP_NET_BIND_SERVICE
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch b/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
new file mode 100644
index 0000000..b7f76e3
--- /dev/null
+++ b/backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
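Review bot: The added `++AmbientCapabilities=CAP_NET_BIND_SERVICE` line in the nested nqptp.service.in hunk is not paired with a bounding-set restriction, so the unit grants the one capability it needs while leaving the process's bounding set at its default. For defence in depth the usual pairing is `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` directly below it, which confines the service to exactly the capability it is given; since this file is a backported upstream commit, the line could equally be shipped as a packaged drop-in rather than edited into the patch. The patch header correctly notes that the binary itself no longer carries the capability, so running it outside systemd now needs root or a manual setcap.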
@@ -0,0 +1,68 @@
+From b5321a88d21b854aaa461dc0f6c226d650309b91 Mon Sep 17 00:00:00 2001
+From: Mike Brady <4265913+mikebrady@users.noreply.github.com>
+Date: Tue, 19 Sep 2023 11:08:27 +0100
+Subject: [PATCH] Improve some of the error messages. Remove the setcap command
+ from Makefile.am, since we are now using an AmbientCapabilities setting in
+ the systemd service file.
+
+---
+ Makefile.am | 5 +++--
+ configure.ac | 2 +-
+ nqptp-utilities.c | 14 +++++--------
+ nqptp.c | 2 +-
+ 4 files changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 78f36d7..d2b3992 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -19,8 +19,9 @@ endif
+ 
+ install-exec-hook:
+ if BUILD_FOR_LINUX
+-# NQPTP runs as user/group nqptp/nqptp on Linux and uses setcap to access ports 319 and 320
+- setcap 'cap_net_bind_service=+ep' $(bindir)/nqptp
++# Note: NQPTP runs as user/group nqptp/nqptp on Linux.
++# Access is given via AmbientCapabilities in the service file.
++# If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+ getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+diff --git a/nqptp-utilities.c b/nqptp-utilities.c
+index 9d6a95d..9964b22 100644
+--- a/nqptp-utilities.c
++++ b/nqptp-utilities.c
+@@ -105,15 +105,11 @@ void open_sockets_at_port(const char *node, uint16_t port,
+ }
+ freeaddrinfo(info);
+ if (sockets_opened == 0) {
+- if (port < 1024)
+- die("unable to listen on port %d. The error is: \"%s\". NQPTP must run as root to access "
+- "this port. Or is another PTP daemon -- possibly another instance on NQPTP -- running "
+- "already?",
+- port, strerror(errno));
+- else
+- die("unable to listen on port %d. The error is: \"%s\". "
+- "Is another instance on NQPTP running already?",
+- port, strerror(errno));
++ if (errno == EACCES) {
++ die("nqptp does not have permission to access port %u. It must (a) [Linux only] have been given CAP_NET_BIND_SERVICE capabilities using e.g. setcap or systemd's AmbientCapabilities, or (b) run as root.", port);
++ } else {
++ die("nqptp is unable to listen on port %u. The error is: %d, \"%s\".", port, errno, strerror(errno));
++ }
+ }
+ }
+ 
+diff --git a/nqptp.c b/nqptp.c
+index e5f2988..a1a3c76 100644
+--- a/nqptp.c
++++ b/nqptp.c
+@@ -198,7 +198,7 @@ int main(int argc, char **argv) {
+ mode_t oldumask = umask(0);
+ shm_fd = shm_open(NQPTP_INTERFACE_NAME, O_RDWR | O_CREAT, 0644);
+ if (shm_fd == -1) {
+- die("cannot open shared memory \"%s\".", NQPTP_INTERFACE_NAME);
++ die("nqptp cannot open the shared memory \"%s\" for writing. Is another copy of nqptp (e.g. an nqptp daemon) running already?", NQPTP_INTERFACE_NAME);
+ }
+ (void)umask(oldumask);
+ 
diff --git a/disable-user-group-generation.patch b/disable-user-group-generation.patch
new file mode 100644
index 0000000..7430f76
--- /dev/null
+++ b/disable-user-group-generation.patch
@@ -0,0 +1,13 @@
+Index: nqptp-1.2.4/Makefile.am
+===================================================================
+--- nqptp-1.2.4.orig/Makefile.am
++++ nqptp-1.2.4/Makefile.am
+@@ -24,8 +24,6 @@ if BUILD_FOR_LINUX
+ # If you want to run it from the command line, e.g. for debugging, run it as root user.
+ # no installer for System V
+ if INSTALL_SYSTEMD_STARTUP
+- getent group nqptp &>/dev/null || groupadd -r nqptp &>/dev/null
+- getent passwd nqptp &> /dev/null || useradd -r -M -g nqptp -s /usr/sbin/nologin nqptp &>/dev/null
+ [ -e $(DESTDIR)$(libdir)/systemd/system ] || mkdir -p $(DESTDIR)$(libdir)/systemd/system
+ # don't replace a service file if it already exists...
+ [ -e $(DESTDIR)$(libdir)/systemd/system/nqptp.service ] || cp nqptp.service $(DESTDIR)$(libdir)/systemd/system
diff --git a/nqptp-1.2.1.tar.gz b/nqptp-1.2.1.tar.gz
deleted file mode 100644
index 4a9ae2e..0000000
--- a/nqptp-1.2.1.tar.gz
+++ /dev/null
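Review bot: The new `if (errno == EACCES)` branch in open_sockets_at_port evaluates errno only after the address loop has completed and after the `freeaddrinfo(info);` context line has run, so the value may no longer belong to the call that actually failed (a later iteration, or freeaddrinfo itself, is allowed to overwrite it), and the CAP_NET_BIND_SERVICE hint can be shown or withheld for the wrong reason. Capture it at the failure site instead, e.g. `int bind_errno = errno;` immediately after the failing call inside the loop, and test and print `bind_errno` here; that loop and the start of open_sockets_at_port lie outside this hunk. `port` is `uint16_t` and promotes to `int`, so the old `%d` was already correct and the switch to `%u` is unnecessary, though harmless in practice. Separately, the nested patch's diffstat still lists `configure.ac | 2 +-` and "4 files changed" while the body carries only Makefile.am, nqptp-utilities.c and nqptp.c, so the stat should be regenerated to describe the backport as shipped.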
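Review bot: disable-user-group-generation.patch has no descriptive header, so the reason the `groupadd`/`useradd` lines leave install-exec-hook can only be recovered from the .changes entry; a one-line header such as `Drop user/group creation from the Makefile; the package provides the nqptp account via systemd-sysusers.d instead.` (plus the usual From/References lines) would make the patch self-explanatory. Note also that the removed useradd used `-s /usr/sbin/nologin` whereas the packaged nqptp-user.conf specifies `/sbin/nologin`; on a usr-merged system these are the same binary, but it is worth confirming for every target this spec builds for.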
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fab700572961ca81addb405e8bd4bd57c47259f91e7e8e0f5f82240c38c63ce5
-size 36566
diff --git a/nqptp-1.2.4.tar.gz b/nqptp-1.2.4.tar.gz
new file mode 100644
index 0000000..344f0e5
--- /dev/null
+++ b/nqptp-1.2.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1df1d5edd5b713010d6495b3abca4c1cf4ad8fa6029df0abeb9e4de8e0eb707a
+size 36885
diff --git a/nqptp-user.conf b/nqptp-user.conf
new file mode 100644
index 0000000..dc414dd
--- /dev/null
+++ b/nqptp-user.conf
@@ -0,0 +1,3 @@
+# Type Name ID GECOS [HOME]
+g nqptp - -
+u nqptp - "nqptp daemon" / /sbin/nologin
diff --git a/nqptp.changes b/nqptp.changes
index 2913aa5..daa3418 100644
--- a/nqptp.changes
+++ b/nqptp.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Tue Sep 3 09:06:57 UTC 2024 - Wolfgang Frisch
+
+- Backports from 1.2.5-dev
+ - Add backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+ Remove setcap call.
+ - Add backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+ Set capability in the systemd unit instead.
+
+- Add disable-user-group-generation.patch
+ Disable user/group generation in the Makefile.
+ Let systemd-sysusers handle this instead.
+
+- Update to 1.2.4
+ - Further changes are introduced to make the communication path between NQPTP
+ and Shairport Sync resistant to outside interference. These changes have
+ necessitated changing the SMI interface. The SMI interface is now at
+ version 10, and Shairport Sync must also be updated to be compatible with
+ it.
+
+- Update to 1.2.3
+ - Fix CVE-2023-43771: nqptp: NULL pointer dereference caused by invalid
+ control port message (boo#1213060)
+
 -------------------------------------------------------------------
 Mon Jun 26 09:48:09 UTC 2023 - Martin Pluskal
diff --git a/nqptp.spec b/nqptp.spec
index 3c9f0d3..7625c6f 100644
--- a/nqptp.spec
+++ b/nqptp.spec
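Review bot: In nqptp-user.conf the `g nqptp - -` line is redundant with the `u nqptp` line below it: per sysusers.d(5) a `u` entry creates a group of the same name when none exists, so the explicit group entry only adds value if a distinct GID were intended. The header comment `# Type Name ID GECOS [HOME]` also omits the shell column that the `u` line fills with `/sbin/nologin`; either drop the `g` line or extend the comment to `# Type Name ID GECOS [HOME] [SHELL]` so the file documents every field it sets.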
@@ -1,7 +1,7 @@
 #
 # spec file for package nqptp
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,16 +17,24 @@
 Name: nqptp
-Version: 1.2.1
+Version: 1.2.4
 Release: 0
 Summary: Not Quite PTP
 License: GPL-2.0-only
 URL: https://github.com/mikebrady/nqptp
 Source0: https://github.com/mikebrady/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source1: nqptp-user.conf
+# Backported from 1.2.5-dev:
+Patch0: backport-050a8c2de9f3e1f4859abf9b36d2f18afd4c34d7.patch
+# Backported from 1.2.5-dev:
+Patch1: backport-b5321a88d21b854aaa461dc0f6c226d650309b91.patch
+Patch2: disable-user-group-generation.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 %{?systemd_ordering}
+%sysusers_requires
 %description
 nqptp is a daemon that monitors timing data from any PTP clocks – up to 64 – it
@@ -37,18 +45,20 @@ It is a companion application to Shairport Sync and provides timing information
 for AirPlay 2 operation.
 %prep
-%autosetup
+%autosetup -p1
 %build
 autoreconf -i -f
 %configure --with-systemd-startup
 %make_build
+%sysusers_generate_pre %{SOURCE1} nqptp nqptp-user.conf
 %install
 %make_install
 mkdir -p %{buildroot}%{_unitdir}
 mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
 %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/nqptp.conf
 %pre
 %service_add_pre %{name}.service
@@ -67,5 +77,6 @@ mv %{buildroot}%{_libdir}/systemd/system/%{name}.service \
 %doc README.md RELEASE_NOTES.md
 %{_bindir}/%{name}
 %{_unitdir}/%{name}.service
+%{_sysusersdir}/nqptp.conf
 %changelog
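Review bot: `%sysusers_generate_pre %{SOURCE1} nqptp nqptp-user.conf` in the %build hunk generates a pre-install script, but the `%pre` context line a few lines below is left as a bare `%pre` rather than `%pre -f nqptp.pre`, so the generated script is never attached and the nqptp account is created only by systemd's file trigger after the package's files are on disk, which defeats the point of pulling in `%sysusers_requires`. The macro's third argument also names `nqptp-user.conf`, while %install writes `%{_sysusersdir}/nqptp.conf` and %files lists `%{_sysusersdir}/nqptp.conf`; as far as I can tell the generated script references the installed path by that third argument, so it would point at a file that is not packaged. Use one name throughout, e.g. `%sysusers_generate_pre %{SOURCE1} nqptp nqptp.conf` together with `%pre -f nqptp.pre`.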