From 3629134835b37246916ece094f40f7e62571f363245cdd693d19d5409bed5f4e Mon Sep 17 00:00:00 2001
From: Stanislav Brabec
Date: Fri, 13 Apr 2018 11:36:33 +0000
Subject: [PATCH] Accepting request 596302 from home:sbrabec:branches:util-linux-b1081947

- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd).
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7); add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
OBS-URL: https://build.opensuse.org/request/show/596302
OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=372
---
 python-libmount.changes | 12 ++++++++++++
 python-libmount.spec | 30 +++++++++++++++++++++++++-----
 runuser-l.pamd | 6 ++++++
 runuser.pamd | 1 +
 su-l.pamd | 9 +++++++++
 su.default | 9 ++++++---
 util-linux-systemd.changes | 12 ++++++++++++
 util-linux-systemd.spec | 27 ++++++++++++++++++++++++---
 util-linux.changes | 12 ++++++++++++
 util-linux.spec | 27 ++++++++++++++++++++++++---
 10 files changed, 131 insertions(+), 14 deletions(-)
 create mode 100644 runuser-l.pamd
 create mode 100644 su-l.pamd

diff --git a/python-libmount.changes b/python-libmount.changes
index fd0d2f8..b936d23 100644
--- a/python-libmount.changes
+++ b/python-libmount.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
+
+- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
+ runuser-l.pamd, runuser.pamd).
+
+-------------------------------------------------------------------
+Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
+
+- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
+ add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
+
 -------------------------------------------------------------------
 Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
 
diff --git a/python-libmount.spec b/python-libmount.spec
index 7f433e3..deb5e2e 100644
--- a/python-libmount.spec
+++ b/python-libmount.spec
@@ -73,7 +73,7 @@ Name: python-libmount
 %endif
 Summary: %main_summary
 License: GPL-2.0-or-later
-Group: %group_pl
+Group: %main_group
 BuildRequires: audit-devel
 BuildRequires: bc
 BuildRequires: binutils-devel
@@ -138,6 +138,8 @@ Source11: su.default
 Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13: %{_name}.keyring
 Source14: runuser.pamd
+Source15: runuser-l.pamd
+Source16: su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40: klogconsole.tar.xz
@@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
 Patch6: util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
 Patch7: util-linux-sysfs-nvme-devno.patch
-
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -396,7 +397,6 @@ SMP systems.
 %if %build_util_linux
 %package -n python-libmount
 Summary: %summary_pl
-License: GPL-2.0-or-later
 Group: %group_pl
 
 %description -n python-libmount
@@ -644,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -788,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
+ touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@@ -810,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
 fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
+ grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+ if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+ cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+ fi
+ sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
+ echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+ echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+ echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
diff --git a/runuser-l.pamd b/runuser-l.pamd
new file mode 100644
index 0000000..cc01ebb
--- /dev/null
+++ b/runuser-l.pamd
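Review bot: The comment above the new %pre check names /sbin/su and /usr/sbin/su, but the `if` line probes /bin/su, and the `su --help` call on the same line resolves `su` through PATH rather than through the path just tested, so the two can disagree and the comment does not describe the code. Use one path in both places, e.g. `if test -e /bin/su && ! ( LANG=C /bin/su --help 2>/dev/null) | grep -q -- --pty ; then`, and, if /bin/su is the intended probe, let the comment say `# Check for /bin/su and not /usr/bin/su, as it exists in all old versions.`. The marker file is named su.needs_ALWAYS_SET_ROOT although the setting it gates is ALWAYS_SET_PATH; the %post hunk below repeats the mismatch in `# Perform one-time change of ALWAYS_SET_ROOT.`, so both should read ALWAYS_SET_PATH. The identical %pre and %post hunks in util-linux-systemd.spec and util-linux.spec share all of these points.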
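Review bot: The `grep -q ^ALWAYS_SET_PATH=no` test and the matching `sed` in the new %post block only recognise the exact line `ALWAYS_SET_PATH=no`, so a file the administrator wrote as `ALWAYS_SET_PATH="no"` or with surrounding whitespace keeps the less secure value, and because the final `rm -f` removes the marker unconditionally the migration is never retried. If those spellings are meant to be migrated too, both the grep and the sed pattern need to tolerate optional quotes and whitespace; if not, the comment should state that only the stock `ALWAYS_SET_PATH=no` line is rewritten so the silent skip is understood. The enclosing %post scriptlet starts before this hunk. The identical hunks in util-linux-systemd.spec and util-linux.spec apply equally.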
@@ -0,0 +1,6 @@
+#%PAM-1.0
+# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
+auth sufficient pam_rootok.so
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so
diff --git a/runuser.pamd b/runuser.pamd
index 15d79c9..47f600b 100644
--- a/runuser.pamd
+++ b/runuser.pamd
@@ -1,5 +1,6 @@
 #%PAM-1.0
 # Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
 auth sufficient pam_rootok.so
+session optional pam_keyinit.so revoke
 session include common-session
 session optional pam_xauth.so
diff --git a/su-l.pamd b/su-l.pamd
new file mode 100644
index 0000000..d4e4241
--- /dev/null
+++ b/su-l.pamd
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so
diff --git a/su.default b/su.default
index 62d1702..89fc7e2 100644
--- a/su.default
+++ b/su.default
@@ -1,9 +1,12 @@
 # Per default, only "su -" will set a new PATH.
-# If this variable is changed to "yes" (default is "no"),
+# If this variable is set to "yes" (default is "no"),
 # every su call will overwrite the PATH variable.
-ALWAYS_SET_PATH=no
+#
+# The recommended default is "yes". The default "no" behavior could have
+# a security implication in applications that use commands without path.
+ALWAYS_SET_PATH=yes
 
-# Default path.
+# Default path.
 PATH=/usr/local/bin:/bin:/usr/bin
 
 # Default path for a user invoking su to root.
diff --git a/util-linux-systemd.changes b/util-linux-systemd.changes
index fd0d2f8..b936d23 100644
--- a/util-linux-systemd.changes
+++ b/util-linux-systemd.changes
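Review bot: The new runuser-l.pamd differs from runuser.pamd only in the `force` option on its pam_keyinit line, and neither file explains the choice, so a later maintainer cannot tell whether the difference is intended. I would add above that line: `# force: replace the caller's session keyring with a fresh one for the login session; revoke: drop it when the session ends (see pam_keyinit(8)).` The same comment belongs in su-l.pamd, which carries the identical `force revoke` line. Whether the `-l` variants need `force` at all depends on the login semantics these services are meant to provide; the commit message only cites boo#1081947 and does not say.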
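Review bot: In the su.default hunk the first two comment lines still say `# Per default, only "su -" will set a new PATH.` and `(default is "no")`, which contradicts the `ALWAYS_SET_PATH=yes` the file now ships, so a reader cannot tell which default is meant. I would reword the second line to `# If ALWAYS_SET_PATH is "yes" (this file sets it; the built-in default is "no"),`, keep the existing `# every su call will overwrite the PATH variable.`, and drop or rephrase the first line. The new "security implication" note could state the risk concretely: with "no", a plain `su` keeps the caller's PATH, so commands invoked by bare name in the resulting root shell are looked up in a PATH the unprivileged caller set. The hunk covers the head of the file; the rest of su.default is outside it.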
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
+
+- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
+ runuser-l.pamd, runuser.pamd).
+
+-------------------------------------------------------------------
+Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
+
+- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
+ add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
+
 -------------------------------------------------------------------
 Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
 
diff --git a/util-linux-systemd.spec b/util-linux-systemd.spec
index 3a3d229..f0f866e 100644
--- a/util-linux-systemd.spec
+++ b/util-linux-systemd.spec
@@ -138,6 +138,8 @@ Source11: su.default
 Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13: %{_name}.keyring
 Source14: runuser.pamd
+Source15: runuser-l.pamd
+Source16: su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40: klogconsole.tar.xz
@@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
 Patch6: util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
 Patch7: util-linux-sysfs-nvme-devno.patch
-
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
+ touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
 fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
+ grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+ if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+ cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+ fi
+ sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
+ echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+ echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+ echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
diff --git a/util-linux.changes b/util-linux.changes
index fd0d2f8..b936d23 100644
--- a/util-linux.changes
+++ b/util-linux.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
+
+- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
+ runuser-l.pamd, runuser.pamd).
+
+-------------------------------------------------------------------
+Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
+
+- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
+ add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
+
 -------------------------------------------------------------------
 Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
 
diff --git a/util-linux.spec b/util-linux.spec
index b9b7cf8..e8b2986 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -138,6 +138,8 @@ Source11: su.default
 Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13: %{_name}.keyring
 Source14: runuser.pamd
+Source15: runuser-l.pamd
+Source16: su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40: klogconsole.tar.xz
@@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
 Patch6: util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
 Patch7: util-linux-sysfs-nvme-devno.patch
-
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
+ touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
 mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
 fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
+ grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+ if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+ cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
+ fi
+ sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
+ echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+ echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+ echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service