forked from pool/systemd

Accepting request 452442 from home:fbui:systemd:Factory

- Don't ship ldconfig.service anymore
  This service was introduced to support stateless systems that
  support offline /usr updates properly.
  AFAIK we don't support any such system for now, so disable it. If
  it's wrong it's easy enough to restore it back.
  Related to bsc#1019470.

- Be more consistent with indentation (*no* functional changes)
  Indentation should use 8 spaces now (no tabs).

- Import commit 2559bc0c076b58f0a649056e79ca90fe5f1d556c
  9c4a759ab systemctl: 'show' don't exit with a failure status if the requested property does not exist [SUSE] (bsc#1021062)
  f9194193b systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
  2a6653335 rule: don't automatically online standby memory on s390x (bsc#997682)

- Fix permissions set on /var/lib/systemd/linger/*
  Those files are created by logind which runs with umask(0022), so
  they are not world writable and shouldn't be affected by
  bsc#1020601. But it's cleaner to not leave files forever with their
  setuid bit set for no good reason.

- Fix permissions set on permanent timer timestamp files (bsc#1020601) (CVE-2016-10156)
  This change makes sure to fix the permissions of the timestamp files
  which could have been created by an affected version of systemd.
  Local unprivileged users could have run arbitrary code as root if
  systemd previously created world writable suid root files such as
  permanent timer stamp files.
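As an added defender-side example (not part of this commit or of the systemd package), a POSIX sh audit that finds regular files carrying the setuid, setgid or world-writable bits in scratch copies of the two directories the changelog names and resets them to 0644, iterating with the shell glob rather than parsing `ls`. It assumes GNU or BusyBox `stat -c %a`; the `make_scratch_tree` files are constructed here to mimic what an affected v228 would have left behind.

```shell
#!/bin/sh
# Added example, not code from the OBS commit: audit the directories the
# changelog names for regular files that are setuid, setgid or world
# writable (the CVE-2016-10156 condition) and reset them to 0644.
# Unlike a "for f in $(ls ...)" loop, the glob is used directly, so paths
# are never word-split or re-globbed. Assumes GNU/BusyBox stat (-c %a);
# directories are parameters so it can run against a scratch copy.

# fix_stamp_perms DIR...: prints "<old mode> <path>" for every offending
# regular file directly under each DIR and chmods it to 0644.
fix_stamp_perms() {
    for _dir in "$@"; do
        [ -d "$_dir" ] || continue
        for _f in "$_dir"/*; do
            # An unmatched glob leaves the literal pattern; the tests skip
            # it, as well as symlinks and subdirectories.
            [ -f "$_f" ] && [ ! -L "$_f" ] || continue
            _mode=$(stat -c %a "$_f")
            # 0$_mode is read as octal; 06002 = setuid | setgid | o+w.
            if [ $(( 0$_mode & 06002 )) -ne 0 ]; then
                printf '%s %s\n' "$_mode" "$_f"
                chmod 0644 "$_f"
            fi
        done
    done
}

# make_scratch_tree: constructed sample tree mirroring the layout of
# /var/lib/systemd/{timers,linger}; prints its root path.
make_scratch_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/timers" "$_root/linger"
    : > "$_root/timers/stamp-example.timer"
    chmod 4666 "$_root/timers/stamp-example.timer"   # what v228 left behind
    : > "$_root/timers/stamp-good.timer"
    chmod 0644 "$_root/timers/stamp-good.timer"      # already correct
    : > "$_root/linger/alice"
    chmod 4644 "$_root/linger/alice"                 # setuid only, not o+w
    printf '%s\n' "$_root"
}

# Stand-alone run:  sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
    root=$(make_scratch_tree)
    fix_stamp_perms "$root/timers" "$root/linger"
    rm -rf "$root"
fi
```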

OBS-URL: https://build.opensuse.org/request/show/452442
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=967
Franck Bui 2017-01-25 16:13:23 +00:00 committed by Git OBS Bridge
parent fc9cb37b75
commit 4994b8e166
5 changed files with 248 additions and 118 deletions

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a0f63b20f91eeed656a9d2bf9ad453cd7cfbb786663714b9b17886624f5ea69c
size 3211060
oid sha256:cc6ee1dab9013b879e3ae500b79875651c4462e23a9b9fbeab06597828ee00a3
size 3211676
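Review bot: the tarball pointer changes oid and size (3211060 to 3211676) without recording the upstream ref it was regenerated from; noting the branch or tag alongside the "Import commit 2559bc0c..." changelog entry would let the three listed backports be verified against the archive.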

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Wed Jan 25 15:37:23 UTC 2017 - fbui@suse.com
- Don't ship ldconfig.service anymore
This service was introduced to support stateless systems that
support offline /usr updates properly.
AFAIK we don't support any such system for now, so disable it. If
it's wrong it's easy enough to restore it back.
Related to bsc#1019470.
-------------------------------------------------------------------
Wed Jan 25 15:17:06 UTC 2017 - fbui@suse.com
- Be more consistent with indentation (*no* functional changes)
Indentation should use 8 spaces now (no tabs).
-------------------------------------------------------------------
Wed Jan 25 14:38:59 UTC 2017 - fbui@suse.com
- Import commit 2559bc0c076b58f0a649056e79ca90fe5f1d556c
9c4a759ab systemctl: 'show' don't exit with a failure status if the requested property does not exist [SUSE] (bsc#1021062)
f9194193b systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
2a6653335 rule: don't automatically online standby memory on s390x (bsc#997682)
-------------------------------------------------------------------
Wed Jan 25 14:36:34 UTC 2017 - fbui@suse.com
- Fix permission set on /var/lib/systemd/linger/*
Those files are created by logind which run with umask(0022), so
they are not world writable and shouldn't be affected by
bsc#1020601. But it's cleaner to not let files forever with their
setuid bit set for no good reason.
-------------------------------------------------------------------
Wed Jan 25 14:33:04 UTC 2017 - fbui@suse.com
- Fix permissions set on permanent timer timestamp files (bsc#1020601) (CVE-2016-10156)
This change makes sure to fix the permissions of the timestamp files
which could have been created by an affected version of systemd.
Local unprivileged users could have run arbitrary code as root if
systemd previously created world writable suid root files such as
permanent timer stamp files.
-------------------------------------------------------------------
Tue Jan 10 10:54:20 UTC 2017 - fbui@suse.com
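Review bot: the bsc#1020601 entry says the files were created by "an affected version of systemd" while the spec comment pins the bug to v228; naming the version here too would make the changelog self-contained. Two wording nits in the linger entry: "Fix permission set on" reads as "Fix permissions set on", and "logind which run" / "not let files forever" should be "runs" / "not leave files".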

@ -446,6 +446,7 @@ systemd_cryptsetup_LDFLAGS =\\\
--disable-ima \
--disable-adm-group \
--disable-wheel-group \
--disable-ldconfig \
%if %{without networkd}
--disable-networkd \
%endif
@ -705,6 +706,18 @@ enabled) ;;
*) rm -f %{_prefix}/lib/systemd/system/tmp.mount
esac
# Same for user lingering created by logind.
for username in $(ls /var/lib/systemd/linger/* 2>/dev/null); do
chmod 0644 $username
done
# v228 wrongly set world writable suid root permissions on timestamp
# files used by permanent timers. Fix the timestamps that might have
# been created by the affected versions of systemd (bsc#1020601).
for stamp in $(ls /var/lib/systemd/timers/stamp-*.timer 2>/dev/null); do
chmod 0644 $stamp
done
# Convert /var/lib/machines subvolume to make it suitable for
# rollbacks, if needed. See bsc#992573. The installer has been fixed
# to create it at installation time.
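Review bot: both new loops iterate over `$(ls ... 2>/dev/null)`, which word-splits and re-globs the listing and silently skips nothing useful; iterating the glob directly is simpler and safe, e.g. `for stamp in /var/lib/systemd/timers/stamp-*.timer; do [ -f "$stamp" ] && chmod 0644 "$stamp"; done`, where the `-f` test covers the unmatched-glob case and the quotes keep unusual file names intact. The `$username` variable holds a path, not a user name, so a name like `f` would be less misleading. The comment "Same for user lingering created by logind." refers to a block outside this hunk; saying what it is the same as would help anyone reading the scriptlet in isolation. Using the explicit numeric mode 0644 is right, since it clears the setuid bit rather than only adding or removing write permission.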
@ -756,6 +769,7 @@ end
%pre -n udev%{?mini}
%regenerate_initrd_post
if test -L /usr/lib/udev -a /lib/udev -ef /usr/lib/udev ; then
rm /usr/lib/udev
mv /lib/udev /usr/lib

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Wed Jan 25 15:37:23 UTC 2017 - fbui@suse.com
- Don't ship ldconfig.service anymore
This service was introduced to support stateless systems that
support offline /usr updates properly.
AFAIK we don't support any such system for now, so disable it. If
it's wrong it's easy enough to restore it back.
Related to bsc#1019470.
-------------------------------------------------------------------
Wed Jan 25 15:17:06 UTC 2017 - fbui@suse.com
- Be more consistent with indentation (*no* functional changes)
Indentation should use 8 spaces now (no tabs).
-------------------------------------------------------------------
Wed Jan 25 14:38:59 UTC 2017 - fbui@suse.com
- Import commit 2559bc0c076b58f0a649056e79ca90fe5f1d556c
9c4a759ab systemctl: 'show' don't exit with a failure status if the requested property does not exist [SUSE] (bsc#1021062)
f9194193b systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266)
2a6653335 rule: don't automatically online standby memory on s390x (bsc#997682)
-------------------------------------------------------------------
Wed Jan 25 14:36:34 UTC 2017 - fbui@suse.com
- Fix permission set on /var/lib/systemd/linger/*
Those files are created by logind which run with umask(0022), so
they are not world writable and shouldn't be affected by
bsc#1020601. But it's cleaner to not let files forever with their
setuid bit set for no good reason.
-------------------------------------------------------------------
Wed Jan 25 14:33:04 UTC 2017 - fbui@suse.com
- Fix permissions set on permanent timer timestamp files (bsc#1020601) (CVE-2016-10156)
This change makes sure to fix the permissions of the timestamp files
which could have been created by an affected version of systemd.
Local unprivileged users could have run arbitrary code as root if
systemd previously created world writable suid root files such as
permanent timer stamp files.
-------------------------------------------------------------------
Tue Jan 10 10:54:20 UTC 2017 - fbui@suse.com

@ -444,6 +444,7 @@ systemd_cryptsetup_LDFLAGS =\\\
--disable-ima \
--disable-adm-group \
--disable-wheel-group \
--disable-ldconfig \
%if %{without networkd}
--disable-networkd \
%endif
@ -703,6 +704,18 @@ enabled) ;;
*) rm -f %{_prefix}/lib/systemd/system/tmp.mount
esac
# Same for user lingering created by logind.
for username in $(ls /var/lib/systemd/linger/* 2>/dev/null); do
chmod 0644 $username
done
# v228 wrongly set world writable suid root permissions on timestamp
# files used by permanent timers. Fix the timestamps that might have
# been created by the affected versions of systemd (bsc#1020601).
for stamp in $(ls /var/lib/systemd/timers/stamp-*.timer 2>/dev/null); do
chmod 0644 $stamp
done
# Convert /var/lib/machines subvolume to make it suitable for
# rollbacks, if needed. See bsc#992573. The installer has been fixed
# to create it at installation time.
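Review bot: this hunk repeats the `$(ls ...)` iteration from the earlier identical scriptlet hunk; apply the same glob-based rewrite and variable rename here so the two spec files stay in sync.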
@ -754,6 +767,7 @@ end
%pre -n udev%{?mini}
%regenerate_initrd_post
if test -L /usr/lib/udev -a /lib/udev -ef /usr/lib/udev ; then
rm /usr/lib/udev
mv /lib/udev /usr/lib