diff --git a/systemd-232.tar.xz b/systemd-232.tar.xz
index 904a437e..04c9ac5d 100644
--- a/systemd-232.tar.xz
+++ b/systemd-232.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:a0f63b20f91eeed656a9d2bf9ad453cd7cfbb786663714b9b17886624f5ea69c
-size 3211060
+oid sha256:cc6ee1dab9013b879e3ae500b79875651c4462e23a9b9fbeab06597828ee00a3
+size 3211676
diff --git a/systemd-mini.changes b/systemd-mini.changes
index ac7b0364..b7ed294e 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Wed Jan 25 15:37:23 UTC 2017 - fbui@suse.com + +- Don't ship ldconfig.service anymore + + This service was introduced to support stateless systems that + support offline /usr updates properly. + + AFAIK we don't support any such system for now, so disable it. If + it's wrong it's easy enough to restore it back. + + Related to bsc#1019470. + +------------------------------------------------------------------- +Wed Jan 25 15:17:06 UTC 2017 - fbui@suse.com + +- Be more consistent with indentation (*no* functional changes) + + Indentation should use 8 spaces now (no tabs). + +------------------------------------------------------------------- +Wed Jan 25 14:38:59 UTC 2017 - fbui@suse.com + +- Import commit 2559bc0c076b58f0a649056e79ca90fe5f1d556c + + 9c4a759ab systemctl: 'show' don't exit with a failure status if the requested property does not exist [SUSE] (bsc#1021062) + f9194193b systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) + 2a6653335 rule: don't automatically online standby memory on s390x (bsc#997682) + +------------------------------------------------------------------- +Wed Jan 25 14:36:34 UTC 2017 - fbui@suse.com + +- Fix permission set on /var/lib/systemd/linger/* + + Those files are created by logind which run with umask(0022), so + they are not world writable and shouldn't be affected by + bsc#1020601. But it's cleaner to not let files forever with their + setuid bit set for no good reason. + +------------------------------------------------------------------- +Wed Jan 25 14:33:04 UTC 2017 - fbui@suse.com + +- Fix permissions set on permanent timer timestamp files (bsc#1020601) (CVE-2016-10156) + + This change makes sure to fix the permissions of the timestamp files + which could have been created by an affected version of systemd. 
+ + Local unprivileged users could have run arbitrary code as root if + systemd previously created world writable suid root files such as + permanent timer stamp files. + ------------------------------------------------------------------- Tue Jan 10 10:54:20 UTC 2017 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 0ea7287b..a0b92de5 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec 
@@ -423,43 +423,44 @@ systemd_cryptsetup_LDFLAGS =\\\ # keep split-usr until all packages have moved their systemd rules to /usr %configure \ - --docdir=%{_docdir}/systemd \ - --with-pamlibdir=/%{_lib}/security \ - --with-dbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ - --with-dbussessionservicedir=%{_datadir}/dbus-1/services \ - --with-dbussystemservicedir=%{_datadir}/dbus-1/system-services \ - --with-certificate-root=%{_sysconfdir}/pki/systemd \ + --docdir=%{_docdir}/systemd \ + --with-pamlibdir=/%{_lib}/security \ + --with-dbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ + --with-dbussessionservicedir=%{_datadir}/dbus-1/services \ + --with-dbussystemservicedir=%{_datadir}/dbus-1/system-services \ + --with-certificate-root=%{_sysconfdir}/pki/systemd \ %if 0%{?bootstrap} - --disable-myhostname \ - --disable-manpages \ + --disable-myhostname \ + --disable-manpages \ %endif - --enable-selinux \ - --enable-split-usr \ - --disable-static \ - --disable-lto \ - --disable-tests \ - --without-kill-user-processes \ - --with-rc-local-script-path-start=/etc/init.d/boot.local \ - --with-rc-local-script-path-stop=/etc/init.d/halt.local \ - --with-debug-shell=/bin/bash \ - --disable-smack \ - --disable-ima \ - --disable-adm-group \ - --disable-wheel-group \ + --enable-selinux \ + --enable-split-usr \ + --disable-static \ + --disable-lto \ + --disable-tests \ + --without-kill-user-processes \ + --with-rc-local-script-path-start=/etc/init.d/boot.local \ + --with-rc-local-script-path-stop=/etc/init.d/halt.local \ + --with-debug-shell=/bin/bash \ + --disable-smack \ + --disable-ima \ + --disable-adm-group \ + --disable-wheel-group \ + --disable-ldconfig \ %if %{without networkd} - --disable-networkd \ + --disable-networkd \ %endif %if %{without machined} - --disable-machined \ + --disable-machined \ %endif %if %{without sysvcompat} - --with-sysvinit-path= \ - --with-sysvrcnd-path= \ + --with-sysvinit-path= \ + --with-sysvrcnd-path= \ %endif %if %{without resolved} - 
--disable-resolved \ + --disable-resolved \ %endif - --disable-kdbus + --disable-kdbus make %{?_smp_mflags} V=e @@ -663,24 +664,24 @@ systemctl daemon-reexec || : # Try to read default runlevel from the old inittab if it exists if [ ! -e /etc/systemd/system/default.target -a -e /etc/inittab ]; then - runlevel=$(awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab) - if [ -n "$runlevel" ] ; then - ln -sf /usr/lib/systemd/system/runlevel$runlevel.target /etc/systemd/system/default.target || : - fi + runlevel=$(awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab) + if [ -n "$runlevel" ] ; then + ln -sf /usr/lib/systemd/system/runlevel$runlevel.target /etc/systemd/system/default.target || : + fi fi # Create default config in /etc at first install. # Later package updates should not overwrite these settings. if [ $1 -eq 1 ]; then - # Enable systemd services according to the distro defaults. - # Note: systemctl might abort prematurely if it fails on one - # unit. - systemctl preset remote-fs.target || : - systemctl preset getty@.service || : - systemctl preset systemd-networkd.service || : - systemctl preset systemd-networkd-wait-online.service || : - systemctl preset systemd-timesyncd.service || : - systemctl preset systemd-resolved.service || : + # Enable systemd services according to the distro defaults. + # Note: systemctl might abort prematurely if it fails on one + # unit. + systemctl preset remote-fs.target || : + systemctl preset getty@.service || : + systemctl preset systemd-networkd.service || : + systemctl preset systemd-networkd-wait-online.service || : + systemctl preset systemd-timesyncd.service || : + systemctl preset systemd-resolved.service || : fi >/dev/null # since v207 /etc/sysctl.conf is no longer parsed, however 
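Review bot: `--disable-ldconfig` is the only functional change buried among the re-indented `%configure` flags, and the spec itself gives no reason for it; the rationale exists only in the .changes entry (bsc#1019470), which nobody reading the build section will see. A `#` line inside the `\`-continued `%configure` command would be joined into the shell command line, so the explanation belongs in the comment block above `%configure`, e.g. `# --disable-ldconfig: ldconfig.service only serves stateless systems with offline /usr updates, which are not supported here (bsc#1019470)`. Since the changelog admits the call may be reverted, a pointer in the spec makes that decision traceable. The same applies to the matching hunk in systemd.spec.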
@@ -691,8 +692,8 @@ fi # migrate any symlink which may refer to the old path for f in $(find /etc/systemd/system -type l -xtype l); do - new_target="/usr$(readlink $f)" - [ -f "$new_target" ] && ln -s -f $new_target $f || : + new_target="/usr$(readlink $f)" + [ -f "$new_target" ] && ln -s -f $new_target $f || : done # Keep tmp.mount if it's been enabled explicitly by the user otherwise @@ -705,6 +706,18 @@ enabled) ;; *) rm -f %{_prefix}/lib/systemd/system/tmp.mount esac +# Same for user lingering created by logind. +for username in $(ls /var/lib/systemd/linger/* 2>/dev/null); do + chmod 0644 $username +done + +# v228 wrongly set world writable suid root permissions on timestamp +# files used by permanent timers. Fix the timestamps that might have +# been created by the affected versions of systemd (bsc#1020601). +for stamp in $(ls /var/lib/systemd/timers/stamp-*.timer 2>/dev/null); do + chmod 0644 $stamp +done + # Convert /var/lib/machines subvolume to make it suitable for # rollbacks, if needed. See bsc#992573. The installer has been fixed # to create it at installation time. 
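Review bot: Both new loops iterate over the output of `ls ... 2>/dev/null` and pass the unquoted result to `chmod`, which word-splits on whitespace and re-globs each name; the shell can expand the pattern itself, which also makes the no-match case explicit and matches the `|| :` error-swallowing style used everywhere else in this scriptlet: `chmod 0644 /var/lib/systemd/linger/* 2>/dev/null || :` and `chmod 0644 /var/lib/systemd/timers/stamp-*.timer 2>/dev/null || :`. The loop variable `username` actually holds a full path, and its comment `# Same for user lingering created by logind.` refers to the bsc#1020601 explanation that only appears in the block below it, so the comment reads backwards; make it self-contained, e.g. `# Clear the stray setuid bit on logind's linger files as well (see bsc#1020601 below).` Since this runs in the package's `%post` on every upgrade, the operation is idempotent, which is fine, but the comment should say the fix is for files left behind by the affected v228 builds rather than for anything this version creates. The enclosing `%post` scriptlet starts and ends outside the hunk, and the identical hunk in systemd.spec has the same issues.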
@@ -733,35 +746,36 @@ if [ $1 -ge 1 ]; then fi %if ! 0%{?bootstrap} if [ $1 -eq 0 ]; then - pam-config -d --systemd || : + pam-config -d --systemd || : fi %endif %preun if [ $1 -eq 0 ]; then - systemctl disable remote-fs.target || : - systemctl disable getty@.service || : - systemctl disable systemd-networkd.service || : - systemctl disable systemd-networkd-wait-online.service || : - systemctl disable systemd-timesyncd.service || : - systemctl disable systemd-resolved.service || : + systemctl disable remote-fs.target || : + systemctl disable getty@.service || : + systemctl disable systemd-networkd.service || : + systemctl disable systemd-networkd-wait-online.service || : + systemctl disable systemd-timesyncd.service || : + systemctl disable systemd-resolved.service || : - rm -f /etc/systemd/system/default.target + rm -f /etc/systemd/system/default.target fi >/dev/null %pretrans -n udev%{?mini} -p if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then - posix.symlink("/lib/udev", "/usr/lib/udev") + posix.symlink("/lib/udev", "/usr/lib/udev") end %pre -n udev%{?mini} - %regenerate_initrd_post +%regenerate_initrd_post + if test -L /usr/lib/udev -a /lib/udev -ef /usr/lib/udev ; then - rm /usr/lib/udev - mv /lib/udev /usr/lib - ln -s /usr/lib/udev /lib/udev + rm /usr/lib/udev + mv /lib/udev /usr/lib + ln -s /usr/lib/udev /lib/udev elif [ ! -e /lib/udev ]; then - ln -s /usr/lib/udev /lib/udev + ln -s /usr/lib/udev /lib/udev fi # Create "tape"/"input" group which is referenced by some udev rules 
@@ -806,8 +820,8 @@ systemctl daemon-reload || : %post logger systemd-tmpfiles --create --prefix=%{_localstatedir}/log/journal/ || : if [ "$1" -eq 1 ]; then -# tell journal to start logging on disk if directory didn't exist before - systemctl --no-block restart systemd-journal-flush.service >/dev/null || : + # tell journal to start logging on disk if directory didn't exist before + systemctl --no-block restart systemd-journal-flush.service >/dev/null || : fi %post -n nss-myhostname -p /sbin/ldconfig diff --git a/systemd.changes b/systemd.changes index ac7b0364..b7ed294e 100644 --- a/systemd.changes +++ b/systemd.changes 
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Wed Jan 25 15:37:23 UTC 2017 - fbui@suse.com + +- Don't ship ldconfig.service anymore + + This service was introduced to support stateless systems that + support offline /usr updates properly. + + AFAIK we don't support any such system for now, so disable it. If + it's wrong it's easy enough to restore it back. + + Related to bsc#1019470. + +------------------------------------------------------------------- +Wed Jan 25 15:17:06 UTC 2017 - fbui@suse.com + +- Be more consistent with indentation (*no* functional changes) + + Indentation should use 8 spaces now (no tabs). + +------------------------------------------------------------------- +Wed Jan 25 14:38:59 UTC 2017 - fbui@suse.com + +- Import commit 2559bc0c076b58f0a649056e79ca90fe5f1d556c + + 9c4a759ab systemctl: 'show' don't exit with a failure status if the requested property does not exist [SUSE] (bsc#1021062) + f9194193b systemctl: remove duplicate entries showed by list-dependencies (#5049) (bsc#1012266) + 2a6653335 rule: don't automatically online standby memory on s390x (bsc#997682) + +------------------------------------------------------------------- +Wed Jan 25 14:36:34 UTC 2017 - fbui@suse.com + +- Fix permission set on /var/lib/systemd/linger/* + + Those files are created by logind which run with umask(0022), so + they are not world writable and shouldn't be affected by + bsc#1020601. But it's cleaner to not let files forever with their + setuid bit set for no good reason. + +------------------------------------------------------------------- +Wed Jan 25 14:33:04 UTC 2017 - fbui@suse.com + +- Fix permissions set on permanent timer timestamp files (bsc#1020601) (CVE-2016-10156) + + This change makes sure to fix the permissions of the timestamp files + which could have been created by an affected version of systemd. 
+ + Local unprivileged users could have run arbitrary code as root if + systemd previously created world writable suid root files such as + permanent timer stamp files. + ------------------------------------------------------------------- Tue Jan 10 10:54:20 UTC 2017 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index 5b84fd7a..c1a405c6 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -421,43 +421,44 @@ systemd_cryptsetup_LDFLAGS =\\\ # keep split-usr until all packages have moved their systemd rules to /usr %configure \ - --docdir=%{_docdir}/systemd \ - --with-pamlibdir=/%{_lib}/security \ - --with-dbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ - --with-dbussessionservicedir=%{_datadir}/dbus-1/services \ - --with-dbussystemservicedir=%{_datadir}/dbus-1/system-services \ - --with-certificate-root=%{_sysconfdir}/pki/systemd \ + --docdir=%{_docdir}/systemd \ + --with-pamlibdir=/%{_lib}/security \ + --with-dbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ + --with-dbussessionservicedir=%{_datadir}/dbus-1/services \ + --with-dbussystemservicedir=%{_datadir}/dbus-1/system-services \ + --with-certificate-root=%{_sysconfdir}/pki/systemd \ %if 0%{?bootstrap} - --disable-myhostname \ - --disable-manpages \ + --disable-myhostname \ + --disable-manpages \ %endif - --enable-selinux \ - --enable-split-usr \ - --disable-static \ - --disable-lto \ - --disable-tests \ - --without-kill-user-processes \ - --with-rc-local-script-path-start=/etc/init.d/boot.local \ - --with-rc-local-script-path-stop=/etc/init.d/halt.local \ - --with-debug-shell=/bin/bash \ - --disable-smack \ - --disable-ima \ - --disable-adm-group \ - --disable-wheel-group \ + --enable-selinux \ + --enable-split-usr \ + --disable-static \ + --disable-lto \ + --disable-tests \ + --without-kill-user-processes \ + --with-rc-local-script-path-start=/etc/init.d/boot.local \ + --with-rc-local-script-path-stop=/etc/init.d/halt.local \ + --with-debug-shell=/bin/bash \ + --disable-smack \ + --disable-ima \ + --disable-adm-group \ + --disable-wheel-group \ + --disable-ldconfig \ %if %{without networkd} - --disable-networkd \ + --disable-networkd \ %endif %if %{without machined} - --disable-machined \ + --disable-machined \ %endif %if %{without sysvcompat} - --with-sysvinit-path= \ - --with-sysvrcnd-path= \ + --with-sysvinit-path= \ + --with-sysvrcnd-path= \ %endif %if %{without resolved} - 
--disable-resolved \ + --disable-resolved \ %endif - --disable-kdbus + --disable-kdbus make %{?_smp_mflags} V=e @@ -661,24 +662,24 @@ systemctl daemon-reexec || : # Try to read default runlevel from the old inittab if it exists if [ ! -e /etc/systemd/system/default.target -a -e /etc/inittab ]; then - runlevel=$(awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab) - if [ -n "$runlevel" ] ; then - ln -sf /usr/lib/systemd/system/runlevel$runlevel.target /etc/systemd/system/default.target || : - fi + runlevel=$(awk -F ':' '$3 == "initdefault" && $1 !~ "^#" { print $2 }' /etc/inittab) + if [ -n "$runlevel" ] ; then + ln -sf /usr/lib/systemd/system/runlevel$runlevel.target /etc/systemd/system/default.target || : + fi fi # Create default config in /etc at first install. # Later package updates should not overwrite these settings. if [ $1 -eq 1 ]; then - # Enable systemd services according to the distro defaults. - # Note: systemctl might abort prematurely if it fails on one - # unit. - systemctl preset remote-fs.target || : - systemctl preset getty@.service || : - systemctl preset systemd-networkd.service || : - systemctl preset systemd-networkd-wait-online.service || : - systemctl preset systemd-timesyncd.service || : - systemctl preset systemd-resolved.service || : + # Enable systemd services according to the distro defaults. + # Note: systemctl might abort prematurely if it fails on one + # unit. + systemctl preset remote-fs.target || : + systemctl preset getty@.service || : + systemctl preset systemd-networkd.service || : + systemctl preset systemd-networkd-wait-online.service || : + systemctl preset systemd-timesyncd.service || : + systemctl preset systemd-resolved.service || : fi >/dev/null # since v207 /etc/sysctl.conf is no longer parsed, however 
@@ -689,8 +690,8 @@ fi # migrate any symlink which may refer to the old path for f in $(find /etc/systemd/system -type l -xtype l); do - new_target="/usr$(readlink $f)" - [ -f "$new_target" ] && ln -s -f $new_target $f || : + new_target="/usr$(readlink $f)" + [ -f "$new_target" ] && ln -s -f $new_target $f || : done # Keep tmp.mount if it's been enabled explicitly by the user otherwise @@ -703,6 +704,18 @@ enabled) ;; *) rm -f %{_prefix}/lib/systemd/system/tmp.mount esac +# Same for user lingering created by logind. +for username in $(ls /var/lib/systemd/linger/* 2>/dev/null); do + chmod 0644 $username +done + +# v228 wrongly set world writable suid root permissions on timestamp +# files used by permanent timers. Fix the timestamps that might have +# been created by the affected versions of systemd (bsc#1020601). +for stamp in $(ls /var/lib/systemd/timers/stamp-*.timer 2>/dev/null); do + chmod 0644 $stamp +done + # Convert /var/lib/machines subvolume to make it suitable for # rollbacks, if needed. See bsc#992573. The installer has been fixed # to create it at installation time. 
@@ -731,35 +744,36 @@ if [ $1 -ge 1 ]; then fi %if ! 0%{?bootstrap} if [ $1 -eq 0 ]; then - pam-config -d --systemd || : + pam-config -d --systemd || : fi %endif %preun if [ $1 -eq 0 ]; then - systemctl disable remote-fs.target || : - systemctl disable getty@.service || : - systemctl disable systemd-networkd.service || : - systemctl disable systemd-networkd-wait-online.service || : - systemctl disable systemd-timesyncd.service || : - systemctl disable systemd-resolved.service || : + systemctl disable remote-fs.target || : + systemctl disable getty@.service || : + systemctl disable systemd-networkd.service || : + systemctl disable systemd-networkd-wait-online.service || : + systemctl disable systemd-timesyncd.service || : + systemctl disable systemd-resolved.service || : - rm -f /etc/systemd/system/default.target + rm -f /etc/systemd/system/default.target fi >/dev/null %pretrans -n udev%{?mini} -p if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then - posix.symlink("/lib/udev", "/usr/lib/udev") + posix.symlink("/lib/udev", "/usr/lib/udev") end %pre -n udev%{?mini} - %regenerate_initrd_post +%regenerate_initrd_post + if test -L /usr/lib/udev -a /lib/udev -ef /usr/lib/udev ; then - rm /usr/lib/udev - mv /lib/udev /usr/lib - ln -s /usr/lib/udev /lib/udev + rm /usr/lib/udev + mv /lib/udev /usr/lib + ln -s /usr/lib/udev /lib/udev elif [ ! -e /lib/udev ]; then - ln -s /usr/lib/udev /lib/udev + ln -s /usr/lib/udev /lib/udev fi # Create "tape"/"input" group which is referenced by some udev rules 
@@ -804,8 +818,8 @@ systemctl daemon-reload || : %post logger systemd-tmpfiles --create --prefix=%{_localstatedir}/log/journal/ || : if [ "$1" -eq 1 ]; then -# tell journal to start logging on disk if directory didn't exist before - systemctl --no-block restart systemd-journal-flush.service >/dev/null || : + # tell journal to start logging on disk if directory didn't exist before + systemctl --no-block restart systemd-journal-flush.service >/dev/null || : fi %post -n nss-myhostname -p /sbin/ldconfig