From 0e4cc6d31be2cb28a95959135adf4ab1fb57ab837afcd6465e15766545c09c1c Mon Sep 17 00:00:00 2001
From: Thomas Blume
Date: Tue, 8 May 2018 11:42:09 +0000
Subject: [PATCH 1/2] Accepting request 605303 from home:tsaupe:branches:Base:System

align permissions of /etc/machine-id to upstream code (bsc#1092269)

OBS-URL: https://build.opensuse.org/request/show/605303
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1028
---
 systemd-mini.changes | 6 ++++++
 systemd-mini.spec | 4 +++-
 systemd.changes | 6 ++++++
 systemd.spec | 4 +++-
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/systemd-mini.changes b/systemd-mini.changes
index 82bd34cc..ddffeda8 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 8 10:33:10 UTC 2018 - Thomas.Blume@suse.com
+
+- align permissions of /etc/machine-id to upstream code (bsc#1092269)
+ world writeable machine-id is a security issue
+
 -------------------------------------------------------------------
 Mon Apr 23 07:45:32 UTC 2018 - fbui@suse.com
 
diff --git a/systemd-mini.spec b/systemd-mini.spec
index 7c164b7b..3c6abe35 100644
--- a/systemd-mini.spec
+++ b/systemd-mini.spec
@@ -687,9 +687,11 @@ fi
 # machine ID in all images.
 if [ $1 -eq 1 ]; then
 touch %{_sysconfdir}/machine-id
- chmod 666 %{_sysconfdir}/machine-id
 fi
 
+# check if /etc/machine-id is writeable and change it to readonly
+[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+
 %if ! 0%{?bootstrap}
 pam-config --add --systemd || :
 %endif
diff --git a/systemd.changes b/systemd.changes
index 82bd34cc..ddffeda8 100644
--- a/systemd.changes
+++ b/systemd.changes
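Review bot: In the systemd-mini.spec %post hunk, the added `chmod 444` only resets the mode; a machine-id that the removed `chmod 666` left world-writable keeps whatever content it has, and nothing in the hunk shows whether an unprivileged user changed that content in the meantime. Since the .changes entry itself calls this a security issue, I would record that limit next to the fix, e.g. `# only the mode is corrected here; content written while the file was 0666 is kept unchanged`. The same applies to the identical systemd.spec hunk of this patch. The %post scriptlet starts above the hunk, so whether the ID is validated elsewhere is not visible from here.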
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue May 8 10:33:10 UTC 2018 - Thomas.Blume@suse.com
+
+- align permissions of /etc/machine-id to upstream code (bsc#1092269)
+ world writeable machine-id is a security issue
+
 -------------------------------------------------------------------
 Mon Apr 23 07:45:32 UTC 2018 - fbui@suse.com
 
diff --git a/systemd.spec b/systemd.spec
index 8e20f9a1..a8a133d2 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -685,9 +685,11 @@ fi
 # machine ID in all images.
 if [ $1 -eq 1 ]; then
 touch %{_sysconfdir}/machine-id
- chmod 666 %{_sysconfdir}/machine-id
 fi
 
+# check if /etc/machine-id is writeable and change it to readonly
+[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+
 %if ! 0%{?bootstrap}
 pam-config --add --systemd || :
 %endif
From 98c46ce08da7cf2ad76c2e5769d275431a4ded17e41dc3b7e78652d3892f356b Mon Sep 17 00:00:00 2001
From: Thomas Blume
Date: Tue, 8 May 2018 13:55:23 +0000
Subject: [PATCH 2/2] Accepting request 605344 from home:tsaupe:branches:Base:System

align permissions of /etc/machine-id to upstream code (bsc#1092269)

OBS-URL: https://build.opensuse.org/request/show/605344
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1029
---
 systemd-mini.spec | 2 +-
 systemd.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/systemd-mini.spec b/systemd-mini.spec
index 3c6abe35..87aa79ec 100644
--- a/systemd-mini.spec
+++ b/systemd-mini.spec
@@ -690,7 +690,7 @@ if [ $1 -eq 1 ]; then
 fi
 
 # check if /etc/machine-id is writeable and change it to readonly
-[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+[ ! -w %{_sysconfdir}/machine-id ] || chmod 444 %{_sysconfdir}/machine-id
 
 %if ! 0%{?bootstrap}
 pam-config --add --systemd || :
diff --git a/systemd.spec b/systemd.spec
index a8a133d2..23af17e2 100644
--- a/systemd.spec
+++ b/systemd.spec
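Review bot: In the systemd-mini.spec hunk of PATCH 2/2, `[ ! -w %{_sysconfdir}/machine-id ]` does not look at the mode bits: a scriptlet normally runs as root, for whom `-w` succeeds on any existing file unless the filesystem is read-only or the file is otherwise unwritable even for root, so the `chmod 444` is effectively unconditional on a writable root. That is probably the wanted behaviour, but the comment above the line reads as if a permission check were made; I would reword it to something like `# set /etc/machine-id to 0444 unless it is missing or on a read-only filesystem`. The commit message repeats the one from PATCH 1/2 and does not say why `[[ … ]] &&` was replaced. The same line is changed in the systemd.spec hunk of this patch, and the scriptlet continues outside both hunks.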
@@ -688,7 +688,7 @@ if [ $1 -eq 1 ]; then
 fi
 
 # check if /etc/machine-id is writeable and change it to readonly
-[[ -w %{_sysconfdir}/machine-id ]] && chmod 444 %{_sysconfdir}/machine-id
+[ ! -w %{_sysconfdir}/machine-id ] || chmod 444 %{_sysconfdir}/machine-id
 
 %if ! 0%{?bootstrap}
 pam-config --add --systemd || :