forked from pool/util-linux
Accepting request 596302 from home:sbrabec:branches:util-linux-b1081947
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd, runuser-l.pamd, runuser.pamd). - su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7); add one-time wrapper forcing ALWAYS_SET_PATH on upgrade. OBS-URL: https://build.opensuse.org/request/show/596302 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=372
parent
881c2a7ddb
commit
3629134835
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||
runuser-l.pamd, runuser.pamd).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||
|
||||
|
@ -73,7 +73,7 @@ Name: python-libmount
|
||||
%endif
|
||||
Summary: %main_summary
|
||||
License: GPL-2.0-or-later
|
||||
Group: %group_pl
|
||||
Group: %main_group
|
||||
BuildRequires: audit-devel
|
||||
BuildRequires: bc
|
||||
BuildRequires: binutils-devel
|
||||
@ -138,6 +138,8 @@ Source11: su.default
|
||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||
Source13: %{_name}.keyring
|
||||
Source14: runuser.pamd
|
||||
Source15: runuser-l.pamd
|
||||
Source16: su-l.pamd
|
||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||
# TODO: split to separate package
|
||||
Source40: klogconsole.tar.xz
|
||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
||||
Patch6: util-linux-fincore-count.patch
|
||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
#
|
||||
%if %build_util_linux
|
||||
@ -396,7 +397,6 @@ SMP systems.
|
||||
%if %build_util_linux
|
||||
%package -n python-libmount
|
||||
Summary: %summary_pl
|
||||
License: GPL-2.0-or-later
|
||||
Group: %group_pl
|
||||
|
||||
%description -n python-libmount
|
||||
@ -644,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||
pushd ../klogconsole
|
||||
# klogconsole install
|
||||
@ -788,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
||||
%if %build_util_linux
|
||||
%pre
|
||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||
# (bsc#353876#c7)
|
||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||
fi
|
||||
|
||||
%post
|
||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
@ -810,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||
fi
|
||||
done
|
||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||
# But we want to upgrade to a more secure default on upgrade.
|
||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||
fi
|
||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||
fi
|
||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||
|
||||
%preun
|
||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
|
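Review bot: The one-time migration in %post only fires when %{_sysconfdir}/default/su holds the literal, unquoted `ALWAYS_SET_PATH=no` at the start of a line. A file where that line was commented out or deleted therefore stays on the "no" that su.default documents as the default, and the upgrade prints nothing. If su also accepts a quoted value, `ALWAYS_SET_PATH="no"` would be skipped the same way; that is not visible here and is worth confirming. I would anchor and widen the match, e.g. `grep -Eq '^ALWAYS_SET_PATH="?no"?[[:space:]]*$'` with the corresponding `sed -E -i` expression, and print a notice when the marker file exists but the variable is not set at all. The same hunk is repeated in the two other spec sections further down this page.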
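--- /dev/null
+++ b/runuser-l.pamd
@@ -0,0 +1,6 @@
+#%PAM-1.0
+# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
+auth sufficient pam_rootok.so
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so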
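Review bot: Nothing in the new file says why the pam_keyinit line carries `force` here while runuser.pamd uses `revoke` alone, and that choice decides whether the new session starts with its own session keyring or may keep the caller's. A one-line comment above the line would record it, e.g. `# force: always create a fresh session keyring for the login session; revoke: revoke it when the session closes.` The same comment fits su-l.pamd, and runuser.pamd could say that `force` is left out on purpose, if that is the intent.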
@ -1,5 +1,6 @@
|
||||
#%PAM-1.0
|
||||
# Note that runuser requires only "session" setting (and for example "auth sufficient pam_rootok.so" dummy line).
|
||||
auth sufficient pam_rootok.so
|
||||
session optional pam_keyinit.so revoke
|
||||
session include common-session
|
||||
session optional pam_xauth.so
|
||||
|
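--- /dev/null
+++ b/su-l.pamd
@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+auth include common-auth
+account sufficient pam_rootok.so
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+session optional pam_xauth.so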
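Review bot: pam.d/su is still installed from SOURCE10, which this commit does not change, so plain `su` gets no pam_keyinit line from this commit while `su -l`, `runuser` and `runuser -l` do. If su.pamd does not already contain such a line (the file is not shown on this page), a non-login `su` session keeps whatever session keyring the caller had. Either add `session optional pam_keyinit.so revoke` to su.pamd or state in the changelog entry why it is left out.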
@ -1,7 +1,10 @@
|
||||
# Per default, only "su -" will set a new PATH.
|
||||
# If this variable is changed to "yes" (default is "no"),
|
||||
# If this variable is set to "yes" (default is "no"),
|
||||
# every su call will overwrite the PATH variable.
|
||||
ALWAYS_SET_PATH=no
|
||||
#
|
||||
# The recommended default is "yes". The default "no" behavior could have
|
||||
# a security implication in applications that use commands without path.
|
||||
ALWAYS_SET_PATH=yes
|
||||
|
||||
# Default path.
|
||||
PATH=/usr/local/bin:/bin:/usr/bin
|
||||
|
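Review bot: The comment keeps `(default is "no")` directly above a shipped `ALWAYS_SET_PATH=yes`, and the added text then speaks of "the default "no" behavior", so a reader cannot tell whether "default" means su's behaviour when the variable is unset or the value in this file. If the former is meant, I would word it as `# If this variable is set to "yes" (su behaves as "no" when it is unset),` and `# This file ships "yes"; "no" could have a security implication in applications that use commands without path.` That also makes clear to an administrator that deleting the line returns su to the less safe behaviour.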
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||
runuser-l.pamd, runuser.pamd).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||
|
||||
|
@ -138,6 +138,8 @@ Source11: su.default
|
||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||
Source13: %{_name}.keyring
|
||||
Source14: runuser.pamd
|
||||
Source15: runuser-l.pamd
|
||||
Source16: su-l.pamd
|
||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||
# TODO: split to separate package
|
||||
Source40: klogconsole.tar.xz
|
||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
||||
Patch6: util-linux-fincore-count.patch
|
||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
#
|
||||
%if %build_util_linux
|
||||
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||
pushd ../klogconsole
|
||||
# klogconsole install
|
||||
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
||||
%if %build_util_linux
|
||||
%pre
|
||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||
# (bsc#353876#c7)
|
||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||
fi
|
||||
|
||||
%post
|
||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||
fi
|
||||
done
|
||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||
# But we want to upgrade to a more secure default on upgrade.
|
||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||
fi
|
||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||
fi
|
||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||
|
||||
%preun
|
||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
|
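Review bot: The %pre check tests for `/bin/su` but then runs `su` through the scriptlet's PATH, and the comment above it names /sbin/su and /usr/sbin/su, so the binary that is probed for `--pty` is not necessarily the one whose existence was tested. Calling the tested path keeps the two in step: `if test -e /bin/su && ! LANG=C /bin/su --help 2>/dev/null | grep -q -- --pty ; then`, with the comment reworded to `# Check for /bin/su and not /usr/bin/su, as it exists in all old versions.` (my reading of the intent). The marker file and the %post comment also say ALWAYS_SET_ROOT although the variable is ALWAYS_SET_PATH; a rename has to be made in %pre and %post together. This applies to the other two copies of the spec on this page as well.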
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 12 17:09:30 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
|
||||
runuser-l.pamd, runuser.pamd).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 4 04:12:56 CEST 2018 - sbrabec@suse.com
|
||||
|
||||
- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
|
||||
add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 20 13:02:18 CET 2018 - kukuk@suse.de
|
||||
|
||||
|
@ -138,6 +138,8 @@ Source11: su.default
|
||||
Source12: https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
|
||||
Source13: %{_name}.keyring
|
||||
Source14: runuser.pamd
|
||||
Source15: runuser-l.pamd
|
||||
Source16: su-l.pamd
|
||||
# klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
|
||||
# TODO: split to separate package
|
||||
Source40: klogconsole.tar.xz
|
||||
@ -172,7 +174,6 @@ Patch5: util-linux-cramfs.patch
|
||||
Patch6: util-linux-fincore-count.patch
|
||||
# PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 sbrabec@suse.com -- Fix lsblk on NVMe.
|
||||
Patch7: util-linux-sysfs-nvme-devno.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
#
|
||||
%if %build_util_linux
|
||||
@ -643,9 +644,9 @@ install -m 644 %{SOURCE51} %{buildroot}%{_sysconfdir}/blkid.conf
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
|
||||
install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
|
||||
install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
|
||||
install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
|
||||
pushd ../klogconsole
|
||||
# klogconsole install
|
||||
@ -787,6 +788,12 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
||||
%if %build_util_linux
|
||||
%pre
|
||||
%service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
||||
# (bsc#353876#c7)
|
||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
||||
fi
|
||||
|
||||
%post
|
||||
%service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
@ -809,6 +816,20 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
||||
mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
|
||||
fi
|
||||
done
|
||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||
# But we want to upgrade to a more secure default on upgrade.
|
||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||
fi
|
||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
||||
fi
|
||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
||||
|
||||
%preun
|
||||
%service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
|
||||
|