Accepting request 780264 from home:mkraus:branches:Base:System
- Update to version 20200228:
  * chkstat: fix readline() on platforms with unsigned char
- Update to version 20200227:
  * remove capability whitelisting for radosgw
  * whitelist ceph log directory (bsc#1150366)
  * adjust testsuite to post CVE-2020-8013 link handling
  * testsuite: add option to not mount /proc
  * do not follow symlinks that are the final path element: CVE-2020-8013
  * add a test for symlinked directories
  * fix relative symlink handling
  * include cpp compat headers, not C headers
  * Move permissions and permissions.* except .local to /usr/share/permissions
  * regtest: fix the static PATH list which was missing /usr/bin
  * regtest: also unshare the PID namespace to support /proc mounting
  * regtest: bindMount(): explicitly reject read-only recursive mounts
  * Makefile: force remove upon clean target to prevent bogus errors
  * regtest: by default automatically (re)build chkstat before testing
  * regtest: add test for symlink targets
  * regtest: make capability setting tests optional
  * regtest: fix capability assertion helper logic
  * regtests: add another test case that catches set*id or caps in world-writable sub-trees
  * regtest: add another test that catches when privilege bits are set for special files
  * regtest: add test case for user owned symlinks
  * regtest: employ subuid and subgid feature in user namespace
  * regtest: add another test case that covers unknown user/group config
  * regtest: add another test that checks rejection of insecure mixed-owner paths
  * regtest: add test that checks for rejection of world-writable paths
  * regtest: add test for detection of unexpected parent directory ownership
  * regtest: add further helper functions, allow access to main instance

OBS-URL: https://build.opensuse.org/request/show/780264
OBS-URL: https://build.opensuse.org/package/show/Base:System/permissions?expand=0&rev=252
parent a115569e05
commit c1a2fada58
@ -1,4 +1,4 @@
|
|||||||
<servicedata>
|
<servicedata>
|
||||||
<service name="tar_scm">
|
<service name="tar_scm">
|
||||||
<param name="url">https://github.com/openSUSE/permissions.git</param>
|
<param name="url">https://github.com/openSUSE/permissions.git</param>
|
||||||
<param name="changesrevision">8676fc316fb0b9eb56ad9d354b8cafb8b1f2f258</param></service></servicedata>
|
<param name="changesrevision">bfa5f7c7437b3fa939b0a88007e2d1cc6de605c9</param></service></servicedata>
|
@ -3,4 +3,4 @@
|
|||||||
version=`date '+%Y%m%d'`
|
version=`date '+%Y%m%d'`
|
||||||
|
|
||||||
echo "setting version to ${version}"
|
echo "setting version to ${version}"
|
||||||
sed -E -i -e "s/^%define VERSION [0-9]+/%define VERSION ${version}/" permissions.spec
|
sed -E -i -e "s/^%define VERSION_DATE [0-9]+/%define VERSION_DATE ${version}/" permissions.spec
|
||||||
|
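Review bot: the value written into `%define VERSION_DATE` comes from `date '+%Y%m%d'` at the moment the script runs, not from the revision that was checked out, and the spec now builds `Source: permissions-%{VERSION_DATE}.tar.xz` from that same value. If the script runs on a different day than the one the tarball was named for, the spec can point at a tarball name that is not in the package. Consider deriving the stamp from the tarball file name instead of the clock, and failing the script when the `sed` expression matches nothing in permissions.spec.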
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:b7378f25982ade8a1983cb891bc5ee3962f1380d85b458078850686b65b9c895
|
|
||||||
size 21532
|
|
3
permissions-20200228.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:b779962f0f1ae43ef95a987d842861d65ddfabaa442204ce5d8bc7b3e4134c59
|
||||||
|
size 36196
|
@ -1,3 +1,58 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 28 12:00:44 UTC 2020 - malte.kraus@suse.com
|
||||||
|
|
||||||
|
- Update to version 20200228:
|
||||||
|
* chkstat: fix readline() on platforms with unsigned char
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 27 12:29:29 UTC 2020 - malte.kraus@suse.com
|
||||||
|
|
||||||
|
- Update to version 20200227:
|
||||||
|
* remove capability whitelisting for radosgw
|
||||||
|
* whitelist ceph log directory (bsc#1150366)
|
||||||
|
* adjust testsuite to post CVE-2020-8013 link handling
|
||||||
|
* testsuite: add option to not mount /proc
|
||||||
|
* do not follow symlinks that are the final path element: CVE-2020-8013
|
||||||
|
* add a test for symlinked directories
|
||||||
|
* fix relative symlink handling
|
||||||
|
* include cpp compat headers, not C headers
|
||||||
|
* Move permissions and permissions.* except .local to /usr/share/permissions
|
||||||
|
* regtest: fix the static PATH list which was missing /usr/bin
|
||||||
|
* regtest: also unshare the PID namespace to support /proc mounting
|
||||||
|
* regtest: bindMount(): explicitly reject read-only recursive mounts
|
||||||
|
* Makefile: force remove upon clean target to prevent bogus errors
|
||||||
|
* regtest: by default automatically (re)build chkstat before testing
|
||||||
|
* regtest: add test for symlink targets
|
||||||
|
* regtest: make capability setting tests optional
|
||||||
|
* regtest: fix capability assertion helper logic
|
||||||
|
* regtests: add another test case that catches set*id or caps in world-writable sub-trees
|
||||||
|
* regtest: add another test that catches when privilege bits are set for special files
|
||||||
|
* regtest: add test case for user owned symlinks
|
||||||
|
* regtest: employ subuid and subgid feature in user namespace
|
||||||
|
* regtest: add another test case that covers unknown user/group config
|
||||||
|
* regtest: add another test that checks rejection of insecure mixed-owner paths
|
||||||
|
* regtest: add test that checks for rejection of world-writable paths
|
||||||
|
* regtest: add test for detection of unexpected parent directory ownership
|
||||||
|
* regtest: add further helper functions, allow access to main instance
|
||||||
|
* regtest: introduce some basic coloring support to improve readability
|
||||||
|
* regtest: sort imports, another piece of rationale
|
||||||
|
* regtest: add capability test case
|
||||||
|
* regtest: improve error flagging of test cases and introduce warnings
|
||||||
|
* regtest: support caps
|
||||||
|
* regtest: add a couple of command line parameter test cases
|
||||||
|
* regtest: add another test that checks whether the default profile works
|
||||||
|
* regtests: add tests for correct application of local profiles
|
||||||
|
* regtest: add further test cases that test correct profile application
|
||||||
|
* regtest: simplify test implementation and readability
|
||||||
|
* regtest: add helpers for permissions.d per package profiles
|
||||||
|
* regtest: support read-only bind mounts, also bind-mount permissions repo
|
||||||
|
* tests: introduce a regression test suite for chkstat
|
||||||
|
* Makefile: allow to build test version programmatically
|
||||||
|
* README.md: add basic readme file that explains the repository's purpose
|
||||||
|
* chkstat: change and harmonize coding style
|
||||||
|
* chkstat: switch to C++ compilation unit
|
||||||
|
- add suse_version to end of permissions package version
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 13 12:10:41 UTC 2020 - malte.kraus@suse.com
|
Thu Feb 13 12:10:41 UTC 2020 - malte.kraus@suse.com
|
||||||
|
|
||||||
|
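Review bot: the entry `do not follow symlinks that are the final path element: CVE-2020-8013` carries the CVE id but no bsc# reference, unlike `whitelist ceph log directory (bsc#1150366)` a few lines above it. Please add the bug number for the CVE so the fix can be tracked from the changelog. The packaging entry `add suse_version to end of permissions package version` also leaves out two spec changes made in this same request: the regression tests are left commented out, and the profile files are no longer packaged as `%config`. Both deserve a line here.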
@ -16,26 +16,28 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%define VERSION 20200213
|
%define VERSION_DATE 20200228
|
||||||
|
|
||||||
Name: permissions
|
Name: permissions
|
||||||
Version: %{VERSION}
|
Version: %{VERSION_DATE}.%{suse_version}
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: SUSE Linux Default Permissions
|
Summary: SUSE Linux Default Permissions
|
||||||
# Maintained in github by the security team.
|
# Maintained in github by the security team.
|
||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
URL: http://github.com/openSUSE/permissions
|
URL: http://github.com/openSUSE/permissions
|
||||||
Source: permissions-%{version}.tar.xz
|
Source: permissions-%{VERSION_DATE}.tar.xz
|
||||||
Source1: fix_version.sh
|
Source1: fix_version.sh
|
||||||
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: libcap-devel
|
BuildRequires: libcap-devel
|
||||||
|
BuildRequires: libcap-progs
|
||||||
Requires: chkstat
|
Requires: chkstat
|
||||||
Requires: permissions-config
|
Requires: permissions-config
|
||||||
Recommends: permissions-doc
|
Recommends: permissions-doc
|
||||||
Provides: aaa_base:%{_sysconfdir}/permissions
|
Provides: aaa_base:%{_datadir}/permissions
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q -n permissions-%{VERSION_DATE}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
|
make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
|
||||||
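Review bot: `Provides: aaa_base:%{_datadir}/permissions` changes the path in what looks like a split-provides for a file that used to belong to aaa_base. If that is its purpose, the path has to stay the one aaa_base shipped (`%{_sysconfdir}/permissions`), since the new location never existed in that package; please confirm the intent or revert this line. Separately, the main package now uses `Version: %{VERSION_DATE}.%{suse_version}` while the subpackages use `%{suse_version}_%{VERSION_DATE}`, so the two orderings are worth a comment in the spec explaining why they differ.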
@ -43,6 +45,10 @@ make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0
|
|||||||
%install
|
%install
|
||||||
%make_install fillupdir=%{_fillupdir}
|
%make_install fillupdir=%{_fillupdir}
|
||||||
|
|
||||||
|
# regression tests disabled for the moment, needs adjustment for the new /usr/share world
|
||||||
|
#%check
|
||||||
|
#tests/regtest.py
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Permission settings of files and directories depending on the local
|
Permission settings of files and directories depending on the local
|
||||||
security settings. The local security setting ("easy", "secure", or "paranoid")
|
security settings. The local security setting ("easy", "secure", or "paranoid")
|
||||||
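Review bot: the added `#%check` and `#tests/regtest.py` lines leave the new regression suite unexecuted in the same update that ships the CVE-2020-8013 symlink handling change, so the build gives no evidence that the symlink and world-writable path tests pass with the /usr/share layout. The comment says "disabled for the moment" without a reference; please name a bug or follow-up request for re-enabling the tests so this does not stay off unnoticed.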
@ -55,11 +61,11 @@ This package does not contain files, it just requires the necessary packages.
|
|||||||
%package doc
|
%package doc
|
||||||
Summary: SUSE Linux Default Permissions documentation
|
Summary: SUSE Linux Default Permissions documentation
|
||||||
Group: Documentation/Man
|
Group: Documentation/Man
|
||||||
Version: %{suse_version}_%{VERSION}
|
Version: %{suse_version}_%{VERSION_DATE}
|
||||||
Release: 0
|
Release: 0
|
||||||
|
|
||||||
%description doc
|
%description doc
|
||||||
Documentation for the permission files /etc/permissions*.
|
Documentation for the permission files /usr/share/permissions/permissions*.
|
||||||
|
|
||||||
%files doc
|
%files doc
|
||||||
%{_mandir}/man5/permissions.5%{ext_man}
|
%{_mandir}/man5/permissions.5%{ext_man}
|
||||||
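Review bot: the new description text `Documentation for the permission files /usr/share/permissions/permissions*.` no longer covers `permissions.local`, which the config subpackage still installs under `%{_sysconfdir}`. Mention both locations so the description matches where the files actually live.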
@ -67,7 +73,7 @@ Documentation for the permission files /etc/permissions*.
|
|||||||
%package config
|
%package config
|
||||||
Summary: SUSE Linux Default Permissions config files
|
Summary: SUSE Linux Default Permissions config files
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Version: %{suse_version}_%{VERSION}
|
Version: %{suse_version}_%{VERSION_DATE}
|
||||||
Release: 0
|
Release: 0
|
||||||
Requires(post): %fillup_prereq
|
Requires(post): %fillup_prereq
|
||||||
Requires(post): chkstat
|
Requires(post): chkstat
|
||||||
@ -75,13 +81,15 @@ Requires(post): chkstat
|
|||||||
Requires(pre): group(trusted)
|
Requires(pre): group(trusted)
|
||||||
|
|
||||||
%description config
|
%description config
|
||||||
The actual permissions configuration files, /etc/permission.*.
|
The actual permissions configuration files, /usr/share/permissions/permission.*.
|
||||||
|
|
||||||
%files config
|
%files config
|
||||||
%config %{_sysconfdir}/permissions
|
%defattr(644, root, root, 755)
|
||||||
%config %{_sysconfdir}/permissions.easy
|
%dir %{_datadir}/permissions
|
||||||
%config %{_sysconfdir}/permissions.secure
|
%{_datadir}/permissions/permissions
|
||||||
%config %{_sysconfdir}/permissions.paranoid
|
%{_datadir}/permissions/permissions.easy
|
||||||
|
%{_datadir}/permissions/permissions.secure
|
||||||
|
%{_datadir}/permissions/permissions.paranoid
|
||||||
%config(noreplace) %{_sysconfdir}/permissions.local
|
%config(noreplace) %{_sysconfdir}/permissions.local
|
||||||
%{_fillupdir}/sysconfig.security
|
%{_fillupdir}/sysconfig.security
|
||||||
|
|
||||||
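Review bot: in `%files config` the four profile files lose `%config` and move from `%{_sysconfdir}` to `%{_datadir}/permissions`, so a system where an administrator edited the old /etc/permissions, permissions.easy, permissions.secure or permissions.paranoid will have those edits left behind at the old path after the upgrade. Please state in the changelog or a `%post` message that site changes belong in `permissions.local`, and say whether the old /etc copies are still read. The description line also keeps the old spelling `permission.*` in `/usr/share/permissions/permission.*`; the files are named `permissions.*`.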
@ -93,7 +101,7 @@ The actual permissions configuration files, /etc/permission.*.
|
|||||||
%package -n chkstat
|
%package -n chkstat
|
||||||
Summary: SUSE Linux Default Permissions tool
|
Summary: SUSE Linux Default Permissions tool
|
||||||
Group: Productivity/Security
|
Group: Productivity/Security
|
||||||
Version: %{suse_version}_%{VERSION}
|
Version: %{suse_version}_%{VERSION_DATE}
|
||||||
Release: 0
|
Release: 0
|
||||||
|
|
||||||
%description -n chkstat
|
%description -n chkstat
|
||||||
@ -105,7 +113,7 @@ Tool to check and set file permissions.
|
|||||||
|
|
||||||
%package -n permissions-zypp-plugin
|
%package -n permissions-zypp-plugin
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
Requires: permissions = %{VERSION}
|
Requires: permissions = %{VERSION_DATE}.%{suse_version}
|
||||||
Requires: python3-zypp-plugin
|
Requires: python3-zypp-plugin
|
||||||
Requires: libzypp(plugin:commit) = 1
|
Requires: libzypp(plugin:commit) = 1
|
||||||
Summary: A zypper commit plugin for calling chkstat
|
Summary: A zypper commit plugin for calling chkstat
|
||||||
|