3
0
forked from pool/util-linux

Accepting request 700496 from home:sbrabec:branches:util-linux-2.33.1

Depends on https://build.opensuse.org/request/show/700494!
- Fix problems in reading of login.defs values (bsc#1121197,
  util-linux-login_defs-priority1.patch,
  util-linux-login_defs-priority2.patch,
  util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh
  (bsc#1121197).
- Drop bc BuildRequires: not needed.

OBS-URL: https://build.opensuse.org/request/show/700496
OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=398
This commit is contained in:
Stanislav Brabec 2019-05-09 15:58:55 +00:00 committed by Git OBS Bridge
parent 686870baf8
commit fed1a56686
11 changed files with 365 additions and 66 deletions

View File

@ -1,9 +1,26 @@
-------------------------------------------------------------------
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
- Fix problems in reading of login.defs values (bsc#1121197,
util-linux-login_defs-priority1.patch,
util-linux-login_defs-priority2.patch,
util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh
(bsc#1121197).
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
- Integrate pam_keyinit pam module to login
(boo#1081947, login.pamd, remote.pamd).
-------------------------------------------------------------------
Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop bc BuildRequires: not needed.
-------------------------------------------------------------------
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>

View File

@ -75,7 +75,6 @@ Summary: %main_summary
License: GPL-2.0-or-later
Group: %main_group
BuildRequires: audit-devel
BuildRequires: bc
BuildRequires: binutils-devel
BuildRequires: fdupes
BuildRequires: gettext-devel
@ -127,6 +126,7 @@ Release: 0
Url: https://www.kernel.org/pub/linux/utils/util-linux/
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
Source1: util-linux-rpmlintrc
Source2: util-linux-login_defs-check.sh
Source4: raw.service
Source5: etc.raw
Source6: etc_filesystems
@ -145,6 +145,12 @@ Source51: blkid.conf
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch3: util-linux-login_defs-priority1.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch4: util-linux-login_defs-priority2.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
Patch5: util-linux-login_defs-SYS_UID.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -174,6 +180,10 @@ Provides: s390-32
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
Provides: uuid-runtime = %{version}-%{release}
Obsoletes: uuid-runtime <= 2.19.1
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Requires: login_defs-support-for-util-linux >= 2.33.1
#
# Using "Requires" here would lend itself to help upgrading, but since
# util-linux is in the initial bootstrap, that is not a good thing to do:
@ -380,11 +390,16 @@ library.
%endif
%prep
%setup -q -n %{_name}-%{version}
cp -a %{S:2} .
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./util-linux-login_defs-check.sh
%if %build_util_linux
#
#BEGIN SYSTEMD SAFETY CHECK
@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service
@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
# Perform one-time config replace.
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
if test -f %{_sysconfdir}/default/su.rpmnew ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service

View File

@ -1,14 +1,8 @@
# Per default, only "su -" will set a new PATH.
# If this variable is set to "yes" (default is "no"),
# every su call will overwrite the PATH variable.
# /etc/default/su is an override for /etc/login.defs for su and runuser
# (It is also read as a fallback for login.)
#
# See /etc/login.defs, su(1) or runuser(1) for more.
#
# List of su/runuser variables:
# ALWAYS_SET_PATH, ENV_PATH, ENV_ROOTPATH, ENV_SUPATH, FAIL_DELAY
#
# The recommended default is "yes". The default "no" behavior could have
# a security implication in applications that use commands without path.
ALWAYS_SET_PATH=yes
# Default path.
PATH=/usr/local/bin:/bin:/usr/bin
# Default path for a user invoking su to root.
SUPATH=/usr/sbin:/bin:/usr/bin:/sbin

View File

@ -0,0 +1,60 @@
From 0d37969cbe2cb85d9c01f78071528a8a7c789f96 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Wed, 24 Apr 2019 11:16:53 +0200
Subject: [PATCH] lslogins: Fix discrepancies of SYS_UID_MIN
util-linux does not contain useradd. Its most popular implementation
comes from shadow. SYS_UID_MIN is one of common parameters. Its
hardcoded fallback value is equal to 101 in shadow useradd (see
shadow-4.6/libmisc/find_new_uid.c: get_ranges()), but 201 in
login-utils/lslogins.c.
Let lslogins use the same fallback as useradd from shadow.
Hopefully most distros define its custom value of SYS_UID_MIN in
/etc/login.defs, so this problem is not visible.
login-utils/lslogins.1 does not mention its default at all. Add a
reference and improve text of lslogins(1) to prevent off-by-one
interpretation.
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
login-utils/lslogins.1 | 6 +++---
login-utils/lslogins.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/login-utils/lslogins.1 b/login-utils/lslogins.1
index 5aa14c706..f003ef264 100644
--- a/login-utils/lslogins.1
+++ b/login-utils/lslogins.1
@@ -92,9 +92,9 @@ Display information related to login by password (see also \fB\-afL).
Raw output (no columnation).
.TP
\fB\-s\fR, \fB\-\-system\-accs\fR
-Show system accounts. These are by default all accounts with a UID below 1000
-(non-inclusive), with the exception of either nobody or nfsnobody (UID 65534).
-This hardcoded default maybe overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
+Show system accounts.  These are by default all accounts with a UID between 101 and 999
+(inclusive), with the exception of either nobody or nfsnobody (UID 65534).
+This hardcoded default may be overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
the file /etc/login.defs.
.TP
\fB\-\-time\-format\fR \fItype\fP
diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
index efb20a4f7..3d9c9b97a 100644
--- a/login-utils/lslogins.c
+++ b/login-utils/lslogins.c
@@ -74,7 +74,7 @@ static int lslogins_flag;
#define UL_UID_MIN 1000
#define UL_UID_MAX 60000
-#define UL_SYS_UID_MIN 201
+#define UL_SYS_UID_MIN 101
#define UL_SYS_UID_MAX 999
/* we use the value of outmode to determine
--
2.21.0

View File

@ -0,0 +1,58 @@
#!/bin/bash
# Extract list of variables supported by su/runuser.
#
# If you edit this file, you will probably need to edit
# shadow-login_defs-check.sh from shadow sources in a similar way.
set -o errexit
echo -n "Checking login.defs variables in util-linux... " >&2
(
grep -rh getlogindefs . |
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
grep -rh logindefs_setenv . |
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
) | LC_ALL=C sort -u >util-linux-login_defs-vars.lst
if test $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//') != a9c56a10a4b5a0afb63c9208b8ca0cb1b46a8429 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//')" >&2
cat >&2 <<EOF
You have to perform following steps:
Check whether the error is false positive (script failed to extract
variables) or true positive (variable list changed).
If it is false positive:
- Fix this script.
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
If it is true positive:
- Check-out shadow package and call shadow-login_defs-check.sh.
- Compare its output shadow-login_defs-check-util-linux.lst with
util-linux-login_defs-vars.lst in the util-linux build directory.
- Update shadow shadow-login_defs-util-linux.patch, if needed.
- If shadow-login_defs-util-linux.patch was updated, update
login_defs-support-for-util-linux symbol version in both shadow and
util-linux spec files accordingly.
- Update checksum in this script.
- Possibly update su.default with these new list of su/runuser specific
variables:
EOF
echo -n " " >&2
(
grep -rh getlogindefs login-utils/su-common.c |
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
grep -rh logindefs_setenv login-utils/su-common.c |
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
) | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ /, /g;s/, $//' >&2
echo -e '\n' >&2
exit 1
else
echo "OK" >&2
fi

View File

@ -0,0 +1,39 @@
From 15a191f6d30dfe202a080a3d90968b63d695a29f Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Thu, 10 Jan 2019 01:28:53 +0100
Subject: [PATCH 1/2] su-common.c: prefer /etc/default/su over login.defs
su(1) documentation says:
/etc/default/su command specific logindef config file
/etc/login.defs global logindef config file
It indirectly indicates that /etc/default/su should take precedence
over /etc/login.defs.
But the reverse is true. It is not possible to define ENV_PATH in
/etc/login.defs and then make su specific customization in
/etc/default/su. We need to change read order to match the documented
behavior.
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
---
login-utils/su-common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index e0604e246..19074247c 100644
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -1229,8 +1229,8 @@ static void load_config(void *data)
struct su_context *su = (struct su_context *) data;
DBG(MISC, ul_debug("loading logindefs"));
- logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
logindefs_load_file(_PATH_LOGINDEFS);
+ logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
}
/*
--
2.20.1

View File

@ -0,0 +1,74 @@
From 86f42e5a2a9d8a483ad0ca85fdf090172fb4d385 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Thu, 10 Jan 2019 01:28:54 +0100
Subject: [PATCH 2/2] su-common.c: prefer ENV_SUPATH over ENV_ROOTPATH
ENV_SUPATH and ENV_ROOTPATH are equivalent and ENV_ROOTPATH takes
precedence in both login and su. It makes no sense. More logical would be
precedence of ENV_SUPATH in su and ENV_ROOTPATH in login.
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
---
login-utils/login.1 | 2 +-
login-utils/runuser.1 | 2 +-
login-utils/su-common.c | 4 ++--
login-utils/su.1 | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/login-utils/login.1 b/login-utils/login.1
index cb8addec3..b73eae147 100644
--- a/login-utils/login.1
+++ b/login-utils/login.1
@@ -282,7 +282,7 @@ a regular user logs in. The default value is
(string)
.RS 4
If set, it will be used to define the PATH environment variable when
-the superuser logs in. The default value is
+the superuser logs in. ENV_ROOTPATH takes precedence. The default value is
.I /usr\:/local\:/sbin:\:/usr\:/local\:/bin:\:/sbin:\:/bin:\:/usr\:/sbin:\:/usr\:/bin
.RE
.SH FILES
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
index bf0d02471..221672200 100644
--- a/login-utils/runuser.1
+++ b/login-utils/runuser.1
@@ -183,7 +183,7 @@ default value is
.B ENV_SUPATH
(string)
.RS 4
-Defines the PATH environment variable for root. The default value is
+Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
.RE
.PP
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index 19074247c..0e44eb87c 100644
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -989,8 +989,8 @@ static void setenv_path(const struct passwd *pw)
if (pw->pw_uid)
rc = logindefs_setenv("PATH", "ENV_PATH", _PATH_DEFPATH);
- else if ((rc = logindefs_setenv("PATH", "ENV_ROOTPATH", NULL)) != 0)
- rc = logindefs_setenv("PATH", "ENV_SUPATH", _PATH_DEFPATH_ROOT);
+ else if ((rc = logindefs_setenv("PATH", "ENV_SUPATH", NULL)) != 0)
+ rc = logindefs_setenv("PATH", "ENV_ROOTPATH", _PATH_DEFPATH_ROOT);
if (rc)
err(EXIT_FAILURE, _("failed to set the PATH environment variable"));
diff --git a/login-utils/su.1 b/login-utils/su.1
index d6a064fd2..5ae6d6b2d 100644
--- a/login-utils/su.1
+++ b/login-utils/su.1
@@ -209,7 +209,7 @@ default value is
.B ENV_SUPATH
(string)
.RS 4
-Defines the PATH environment variable for root. The default value is
+Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
.RE
.PP
--
2.20.1

View File

@ -1,9 +1,26 @@
-------------------------------------------------------------------
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
- Fix problems in reading of login.defs values (bsc#1121197,
util-linux-login_defs-priority1.patch,
util-linux-login_defs-priority2.patch,
util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh
(bsc#1121197).
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
- Integrate pam_keyinit pam module to login
(boo#1081947, login.pamd, remote.pamd).
-------------------------------------------------------------------
Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- Drop bc BuildRequires: not needed.
-------------------------------------------------------------------
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>

View File

@ -75,7 +75,6 @@ Summary: %main_summary
License: GPL-2.0-or-later
Group: %main_group
BuildRequires: audit-devel
BuildRequires: bc
BuildRequires: binutils-devel
BuildRequires: fdupes
BuildRequires: gettext-devel
@ -127,6 +126,7 @@ Release: 0
Url: https://www.kernel.org/pub/linux/utils/util-linux/
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
Source1: util-linux-rpmlintrc
Source2: util-linux-login_defs-check.sh
Source4: raw.service
Source5: etc.raw
Source6: etc_filesystems
@ -145,6 +145,12 @@ Source51: blkid.conf
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch3: util-linux-login_defs-priority1.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch4: util-linux-login_defs-priority2.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
Patch5: util-linux-login_defs-SYS_UID.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -174,6 +180,10 @@ Provides: s390-32
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
Provides: uuid-runtime = %{version}-%{release}
Obsoletes: uuid-runtime <= 2.19.1
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Requires: login_defs-support-for-util-linux >= 2.33.1
#
# Using "Requires" here would lend itself to help upgrading, but since
# util-linux is in the initial bootstrap, that is not a good thing to do:
@ -380,11 +390,16 @@ library.
%endif
%prep
%setup -q -n %{_name}-%{version}
cp -a %{S:2} .
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./util-linux-login_defs-check.sh
%if %build_util_linux
#
#BEGIN SYSTEMD SAFETY CHECK
@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service
@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
# Perform one-time config replace.
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
if test -f %{_sysconfdir}/default/su.rpmnew ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service

View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
- Fix problems in reading of login.defs values (bsc#1121197,
util-linux-login_defs-priority1.patch,
util-linux-login_defs-priority2.patch,
util-linux-login_defs-SYS_UID.patch).
- Perform one-time reset of /etc/default/su (bsc#1121197).
- Add virtual symbols for login.defs compatibility (bsc#1121197).
- Add login.defs safety check util-linux-login_defs-check.sh
(bsc#1121197).
-------------------------------------------------------------------
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com

View File

@ -126,6 +126,7 @@ Release: 0
Url: https://www.kernel.org/pub/linux/utils/util-linux/
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
Source1: util-linux-rpmlintrc
Source2: util-linux-login_defs-check.sh
Source4: raw.service
Source5: etc.raw
Source6: etc_filesystems
@ -144,6 +145,12 @@ Source51: blkid.conf
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch3: util-linux-login_defs-priority1.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
Patch4: util-linux-login_defs-priority2.patch
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
Patch5: util-linux-login_defs-SYS_UID.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %build_util_linux
@ -173,6 +180,10 @@ Provides: s390-32
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
Provides: uuid-runtime = %{version}-%{release}
Obsoletes: uuid-runtime <= 2.19.1
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Requires: login_defs-support-for-util-linux >= 2.33.1
#
# Using "Requires" here would lend itself to help upgrading, but since
# util-linux is in the initial bootstrap, that is not a good thing to do:
@ -379,11 +390,16 @@ library.
%endif
%prep
%setup -q -n %{_name}-%{version}
cp -a %{S:2} .
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
bash ./util-linux-login_defs-check.sh
%if %build_util_linux
#
#BEGIN SYSTEMD SAFETY CHECK
@ -719,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
%if %build_util_linux
%pre
%service_add_pre raw.service
# Check whether we are upgrading from < Leap 15 or SLE 15
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
# (bsc#353876#c7)
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
fi
%post
%service_add_post raw.service
@ -748,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
fi
done
# %{_sysconfdir}/default/su is tagged as noreplace.
# But we want to upgrade to a more secure default on upgrade.
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
# Perform one-time config replace.
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
if test -f %{_sysconfdir}/default/su.rpmnew ; then
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
fi
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
fi
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
fi
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
%preun
%service_del_preun raw.service