forked from pool/util-linux
Accepting request 700496 from home:sbrabec:branches:util-linux-2.33.1
Depends on https://build.opensuse.org/request/show/700494! - Fix problems in reading of login.defs values (bsc#1121197, util-linux-login_defs-priority1.patch, util-linux-login_defs-priority2.patch, util-linux-login_defs-SYS_UID.patch). - Perform one-time reset of /etc/default/su (bsc#1121197). - Add virtual symbols for login.defs compatibility (bsc#1121197). - Add login.defs safety check util-linux-login_defs-check.sh (bsc#1121197). - Drop bc BuildRequires: not needed. OBS-URL: https://build.opensuse.org/request/show/700496 OBS-URL: https://build.opensuse.org/package/show/Base:System/util-linux?expand=0&rev=398
This commit is contained in:
parent
686870baf8
commit
fed1a56686
@ -1,9 +1,26 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Fix problems in reading of login.defs values (bsc#1121197,
|
||||||
|
util-linux-login_defs-priority1.patch,
|
||||||
|
util-linux-login_defs-priority2.patch,
|
||||||
|
util-linux-login_defs-SYS_UID.patch).
|
||||||
|
- Perform one-time reset of /etc/default/su (bsc#1121197).
|
||||||
|
- Add virtual symbols for login.defs compatibility (bsc#1121197).
|
||||||
|
- Add login.defs safety check util-linux-login_defs-check.sh
|
||||||
|
(bsc#1121197).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
- Integrate pam_keyinit pam module to login
|
- Integrate pam_keyinit pam module to login
|
||||||
(boo#1081947, login.pamd, remote.pamd).
|
(boo#1081947, login.pamd, remote.pamd).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
- Drop bc BuildRequires: not needed.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
|
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
|
||||||
|
|
||||||
|
@ -75,7 +75,6 @@ Summary: %main_summary
|
|||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: %main_group
|
Group: %main_group
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: bc
|
|
||||||
BuildRequires: binutils-devel
|
BuildRequires: binutils-devel
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
@ -127,6 +126,7 @@ Release: 0
|
|||||||
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
||||||
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
||||||
Source1: util-linux-rpmlintrc
|
Source1: util-linux-rpmlintrc
|
||||||
|
Source2: util-linux-login_defs-check.sh
|
||||||
Source4: raw.service
|
Source4: raw.service
|
||||||
Source5: etc.raw
|
Source5: etc.raw
|
||||||
Source6: etc_filesystems
|
Source6: etc_filesystems
|
||||||
@ -145,6 +145,12 @@ Source51: blkid.conf
|
|||||||
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
||||||
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
||||||
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch3: util-linux-login_defs-priority1.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch4: util-linux-login_defs-priority2.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
|
||||||
|
Patch5: util-linux-login_defs-SYS_UID.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -174,6 +180,10 @@ Provides: s390-32
|
|||||||
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
||||||
Provides: uuid-runtime = %{version}-%{release}
|
Provides: uuid-runtime = %{version}-%{release}
|
||||||
Obsoletes: uuid-runtime <= 2.19.1
|
Obsoletes: uuid-runtime <= 2.19.1
|
||||||
|
# All login.defs variables require support from shadow side.
|
||||||
|
# Upgrade this symbol version only if new variables appear!
|
||||||
|
# Verify by shadow-login_defs-check.sh from shadow source package.
|
||||||
|
Requires: login_defs-support-for-util-linux >= 2.33.1
|
||||||
#
|
#
|
||||||
# Using "Requires" here would lend itself to help upgrading, but since
|
# Using "Requires" here would lend itself to help upgrading, but since
|
||||||
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
||||||
@ -380,11 +390,16 @@ library.
|
|||||||
%endif
|
%endif
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{_name}-%{version}
|
%setup -q -n %{_name}-%{version}
|
||||||
|
cp -a %{S:2} .
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
bash ./util-linux-login_defs-check.sh
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
#
|
#
|
||||||
#BEGIN SYSTEMD SAFETY CHECK
|
#BEGIN SYSTEMD SAFETY CHECK
|
||||||
@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service
|
%service_add_pre raw.service
|
||||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
|
||||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
|
||||||
# (bsc#353876#c7)
|
|
||||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
|
||||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service
|
%service_add_post raw.service
|
||||||
@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
# But we want to upgrade to a more secure default on upgrade.
|
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
|
||||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
# Perform one-time config replace.
|
||||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
|
||||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
if test -f %{_sysconfdir}/default/su.rpmnew ; then
|
||||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
fi
|
fi
|
||||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
|
||||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
|
||||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
|
||||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service
|
%service_del_preun raw.service
|
||||||
|
20
su.default
20
su.default
@ -1,14 +1,8 @@
|
|||||||
# Per default, only "su -" will set a new PATH.
|
# /etc/default/su is an override for /etc/login.defs for su and runuser
|
||||||
# If this variable is set to "yes" (default is "no"),
|
# (It is also read as a fallback for login.)
|
||||||
# every su call will overwrite the PATH variable.
|
#
|
||||||
|
# See /etc/login.defs, su(1) or runuser(1) for more.
|
||||||
|
#
|
||||||
|
# List of su/runuser variables:
|
||||||
|
# ALWAYS_SET_PATH, ENV_PATH, ENV_ROOTPATH, ENV_SUPATH, FAIL_DELAY
|
||||||
#
|
#
|
||||||
# The recommended default is "yes". The default "no" behavior could have
|
|
||||||
# a security implication in applications that use commands without path.
|
|
||||||
ALWAYS_SET_PATH=yes
|
|
||||||
|
|
||||||
# Default path.
|
|
||||||
PATH=/usr/local/bin:/bin:/usr/bin
|
|
||||||
|
|
||||||
# Default path for a user invoking su to root.
|
|
||||||
SUPATH=/usr/sbin:/bin:/usr/bin:/sbin
|
|
||||||
|
|
||||||
|
60
util-linux-login_defs-SYS_UID.patch
Normal file
60
util-linux-login_defs-SYS_UID.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 0d37969cbe2cb85d9c01f78071528a8a7c789f96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
Date: Wed, 24 Apr 2019 11:16:53 +0200
|
||||||
|
Subject: [PATCH] lslogins: Fix discrepancies of SYS_UID_MIN
|
||||||
|
|
||||||
|
util-linux does not contain useradd. Its most popular implementation
|
||||||
|
comes from shadow. SYS_UID_MIN is one of common parameters. Its
|
||||||
|
hardcoded fallback value is equal to 101 in shadow useradd (see
|
||||||
|
shadow-4.6/libmisc/find_new_uid.c: get_ranges()), but 201 in
|
||||||
|
login-utils/lslogins.c.
|
||||||
|
|
||||||
|
Let lslogins use the same fallback as useradd from shadow.
|
||||||
|
|
||||||
|
Hopefully most distros define its custom value of SYS_UID_MIN in
|
||||||
|
/etc/login.defs, so this problem is not visible.
|
||||||
|
|
||||||
|
login-utils/lslogins.1 does not mention its default at all. Add a
|
||||||
|
reference and improve text of lslogins(1) to prevent off-by-one
|
||||||
|
interpretation.
|
||||||
|
|
||||||
|
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
Signed-off-by: Karel Zak <kzak@redhat.com>
|
||||||
|
---
|
||||||
|
login-utils/lslogins.1 | 6 +++---
|
||||||
|
login-utils/lslogins.c | 2 +-
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/login-utils/lslogins.1 b/login-utils/lslogins.1
|
||||||
|
index 5aa14c706..f003ef264 100644
|
||||||
|
--- a/login-utils/lslogins.1
|
||||||
|
+++ b/login-utils/lslogins.1
|
||||||
|
@@ -92,9 +92,9 @@ Display information related to login by password (see also \fB\-afL).
|
||||||
|
Raw output (no columnation).
|
||||||
|
.TP
|
||||||
|
\fB\-s\fR, \fB\-\-system\-accs\fR
|
||||||
|
-Show system accounts. These are by default all accounts with a UID below 1000
|
||||||
|
-(non-inclusive), with the exception of either nobody or nfsnobody (UID 65534).
|
||||||
|
-This hardcoded default maybe overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
|
||||||
|
+Show system accounts. These are by default all accounts with a UID between 101 and 999
|
||||||
|
+(inclusive), with the exception of either nobody or nfsnobody (UID 65534).
|
||||||
|
+This hardcoded default may be overwritten by parameters SYS_UID_MIN and SYS_UID_MAX in
|
||||||
|
the file /etc/login.defs.
|
||||||
|
.TP
|
||||||
|
\fB\-\-time\-format\fR \fItype\fP
|
||||||
|
diff --git a/login-utils/lslogins.c b/login-utils/lslogins.c
|
||||||
|
index efb20a4f7..3d9c9b97a 100644
|
||||||
|
--- a/login-utils/lslogins.c
|
||||||
|
+++ b/login-utils/lslogins.c
|
||||||
|
@@ -74,7 +74,7 @@ static int lslogins_flag;
|
||||||
|
|
||||||
|
#define UL_UID_MIN 1000
|
||||||
|
#define UL_UID_MAX 60000
|
||||||
|
-#define UL_SYS_UID_MIN 201
|
||||||
|
+#define UL_SYS_UID_MIN 101
|
||||||
|
#define UL_SYS_UID_MAX 999
|
||||||
|
|
||||||
|
/* we use the value of outmode to determine
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
58
util-linux-login_defs-check.sh
Normal file
58
util-linux-login_defs-check.sh
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Extract list of variables supported by su/runuser.
|
||||||
|
#
|
||||||
|
# If you edit this file, you will probably need to edit
|
||||||
|
# shadow-login_defs-check.sh from shadow sources in a similar way.
|
||||||
|
|
||||||
|
set -o errexit
|
||||||
|
|
||||||
|
echo -n "Checking login.defs variables in util-linux... " >&2
|
||||||
|
(
|
||||||
|
grep -rh getlogindefs . |
|
||||||
|
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
grep -rh logindefs_setenv . |
|
||||||
|
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
) | LC_ALL=C sort -u >util-linux-login_defs-vars.lst
|
||||||
|
|
||||||
|
if test $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//') != a9c56a10a4b5a0afb63c9208b8ca0cb1b46a8429 ; then
|
||||||
|
|
||||||
|
echo "does not match!" >&2
|
||||||
|
echo "Checksum is: $(sha1sum util-linux-login_defs-vars.lst | sed 's/ .*$//')" >&2
|
||||||
|
|
||||||
|
cat >&2 <<EOF
|
||||||
|
|
||||||
|
You have to perform following steps:
|
||||||
|
|
||||||
|
Check whether the error is false positive (script failed to extract
|
||||||
|
variables) or true positive (variable list changed).
|
||||||
|
|
||||||
|
If it is false positive:
|
||||||
|
- Fix this script.
|
||||||
|
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
|
||||||
|
|
||||||
|
If it is true positive:
|
||||||
|
- Check-out shadow package and call shadow-login_defs-check.sh.
|
||||||
|
- Compare its output shadow-login_defs-check-util-linux.lst with
|
||||||
|
util-linux-login_defs-vars.lst in the util-linux build directory.
|
||||||
|
- Update shadow shadow-login_defs-util-linux.patch, if needed.
|
||||||
|
- If shadow-login_defs-util-linux.patch was updated, update
|
||||||
|
login_defs-support-for-util-linux symbol version in both shadow and
|
||||||
|
util-linux spec files accordingly.
|
||||||
|
- Update checksum in this script.
|
||||||
|
- Possibly update su.default with these new list of su/runuser specific
|
||||||
|
variables:
|
||||||
|
EOF
|
||||||
|
echo -n " " >&2
|
||||||
|
(
|
||||||
|
grep -rh getlogindefs login-utils/su-common.c |
|
||||||
|
sed -n 's/^.*getlogindefs[a-z_]*("\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
grep -rh logindefs_setenv login-utils/su-common.c |
|
||||||
|
sed -n 's/^.*logindefs_setenv*("[A-Z0-9_]*", "\([A-Z0-9_]*\)".*$/\1/p'
|
||||||
|
) | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ /, /g;s/, $//' >&2
|
||||||
|
echo -e '\n' >&2
|
||||||
|
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "OK" >&2
|
||||||
|
fi
|
39
util-linux-login_defs-priority1.patch
Normal file
39
util-linux-login_defs-priority1.patch
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
From 15a191f6d30dfe202a080a3d90968b63d695a29f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
Date: Thu, 10 Jan 2019 01:28:53 +0100
|
||||||
|
Subject: [PATCH 1/2] su-common.c: prefer /etc/default/su over login.defs
|
||||||
|
|
||||||
|
su(1) documentation says:
|
||||||
|
/etc/default/su command specific logindef config file
|
||||||
|
/etc/login.defs global logindef config file
|
||||||
|
|
||||||
|
It indirectly indicates that /etc/default/su should take precedence
|
||||||
|
over /etc/login.defs.
|
||||||
|
|
||||||
|
But the reverse is true. It is not possible to define ENV_PATH in
|
||||||
|
/etc/login.defs and then make su specific customization in
|
||||||
|
/etc/default/su. We need to change read order to match the documented
|
||||||
|
behavior.
|
||||||
|
|
||||||
|
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
---
|
||||||
|
login-utils/su-common.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
|
||||||
|
index e0604e246..19074247c 100644
|
||||||
|
--- a/login-utils/su-common.c
|
||||||
|
+++ b/login-utils/su-common.c
|
||||||
|
@@ -1229,8 +1229,8 @@ static void load_config(void *data)
|
||||||
|
struct su_context *su = (struct su_context *) data;
|
||||||
|
|
||||||
|
DBG(MISC, ul_debug("loading logindefs"));
|
||||||
|
- logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
|
||||||
|
logindefs_load_file(_PATH_LOGINDEFS);
|
||||||
|
+ logindefs_load_file(su->runuser ? _PATH_LOGINDEFS_RUNUSER : _PATH_LOGINDEFS_SU);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
74
util-linux-login_defs-priority2.patch
Normal file
74
util-linux-login_defs-priority2.patch
Normal file
@ -0,0 +1,74 @@
|
|||||||
|
From 86f42e5a2a9d8a483ad0ca85fdf090172fb4d385 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
Date: Thu, 10 Jan 2019 01:28:54 +0100
|
||||||
|
Subject: [PATCH 2/2] su-common.c: prefer ENV_SUPATH over ENV_ROOTPATH
|
||||||
|
|
||||||
|
ENV_SUPATH and ENV_ROOTPATH are equivalent and ENV_ROOTPATH takes
|
||||||
|
precedence in both login and su. It makes no sense. More logical would be
|
||||||
|
precedence of ENV_SUPATH in su and ENV_ROOTPATH in login.
|
||||||
|
|
||||||
|
Signed-off-by: Stanislav Brabec <sbrabec@suse.cz>
|
||||||
|
---
|
||||||
|
login-utils/login.1 | 2 +-
|
||||||
|
login-utils/runuser.1 | 2 +-
|
||||||
|
login-utils/su-common.c | 4 ++--
|
||||||
|
login-utils/su.1 | 2 +-
|
||||||
|
4 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/login-utils/login.1 b/login-utils/login.1
|
||||||
|
index cb8addec3..b73eae147 100644
|
||||||
|
--- a/login-utils/login.1
|
||||||
|
+++ b/login-utils/login.1
|
||||||
|
@@ -282,7 +282,7 @@ a regular user logs in. The default value is
|
||||||
|
(string)
|
||||||
|
.RS 4
|
||||||
|
If set, it will be used to define the PATH environment variable when
|
||||||
|
-the superuser logs in. The default value is
|
||||||
|
+the superuser logs in. ENV_ROOTPATH takes precedence. The default value is
|
||||||
|
.I /usr\:/local\:/sbin:\:/usr\:/local\:/bin:\:/sbin:\:/bin:\:/usr\:/sbin:\:/usr\:/bin
|
||||||
|
.RE
|
||||||
|
.SH FILES
|
||||||
|
diff --git a/login-utils/runuser.1 b/login-utils/runuser.1
|
||||||
|
index bf0d02471..221672200 100644
|
||||||
|
--- a/login-utils/runuser.1
|
||||||
|
+++ b/login-utils/runuser.1
|
||||||
|
@@ -183,7 +183,7 @@ default value is
|
||||||
|
.B ENV_SUPATH
|
||||||
|
(string)
|
||||||
|
.RS 4
|
||||||
|
-Defines the PATH environment variable for root. The default value is
|
||||||
|
+Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
|
||||||
|
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
|
||||||
|
index 19074247c..0e44eb87c 100644
|
||||||
|
--- a/login-utils/su-common.c
|
||||||
|
+++ b/login-utils/su-common.c
|
||||||
|
@@ -989,8 +989,8 @@ static void setenv_path(const struct passwd *pw)
|
||||||
|
if (pw->pw_uid)
|
||||||
|
rc = logindefs_setenv("PATH", "ENV_PATH", _PATH_DEFPATH);
|
||||||
|
|
||||||
|
- else if ((rc = logindefs_setenv("PATH", "ENV_ROOTPATH", NULL)) != 0)
|
||||||
|
- rc = logindefs_setenv("PATH", "ENV_SUPATH", _PATH_DEFPATH_ROOT);
|
||||||
|
+ else if ((rc = logindefs_setenv("PATH", "ENV_SUPATH", NULL)) != 0)
|
||||||
|
+ rc = logindefs_setenv("PATH", "ENV_ROOTPATH", _PATH_DEFPATH_ROOT);
|
||||||
|
|
||||||
|
if (rc)
|
||||||
|
err(EXIT_FAILURE, _("failed to set the PATH environment variable"));
|
||||||
|
diff --git a/login-utils/su.1 b/login-utils/su.1
|
||||||
|
index d6a064fd2..5ae6d6b2d 100644
|
||||||
|
--- a/login-utils/su.1
|
||||||
|
+++ b/login-utils/su.1
|
||||||
|
@@ -209,7 +209,7 @@ default value is
|
||||||
|
.B ENV_SUPATH
|
||||||
|
(string)
|
||||||
|
.RS 4
|
||||||
|
-Defines the PATH environment variable for root. The default value is
|
||||||
|
+Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is
|
||||||
|
.IR /usr/local/sbin:\:/usr/local/bin:\:/sbin:\:/bin:\:/usr/sbin:\:/usr/bin .
|
||||||
|
.RE
|
||||||
|
.PP
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -1,9 +1,26 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Fix problems in reading of login.defs values (bsc#1121197,
|
||||||
|
util-linux-login_defs-priority1.patch,
|
||||||
|
util-linux-login_defs-priority2.patch,
|
||||||
|
util-linux-login_defs-SYS_UID.patch).
|
||||||
|
- Perform one-time reset of /etc/default/su (bsc#1121197).
|
||||||
|
- Add virtual symbols for login.defs compatibility (bsc#1121197).
|
||||||
|
- Add login.defs safety check util-linux-login_defs-check.sh
|
||||||
|
(bsc#1121197).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
- Integrate pam_keyinit pam module to login
|
- Integrate pam_keyinit pam module to login
|
||||||
(boo#1081947, login.pamd, remote.pamd).
|
(boo#1081947, login.pamd, remote.pamd).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 4 13:00:08 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||||
|
|
||||||
|
- Drop bc BuildRequires: not needed.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
|
Thu Feb 21 10:36:48 UTC 2019 - Martin Wilck <mwilck@suse.com>
|
||||||
|
|
||||||
|
@ -75,7 +75,6 @@ Summary: %main_summary
|
|||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: %main_group
|
Group: %main_group
|
||||||
BuildRequires: audit-devel
|
BuildRequires: audit-devel
|
||||||
BuildRequires: bc
|
|
||||||
BuildRequires: binutils-devel
|
BuildRequires: binutils-devel
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
@ -127,6 +126,7 @@ Release: 0
|
|||||||
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
||||||
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
||||||
Source1: util-linux-rpmlintrc
|
Source1: util-linux-rpmlintrc
|
||||||
|
Source2: util-linux-login_defs-check.sh
|
||||||
Source4: raw.service
|
Source4: raw.service
|
||||||
Source5: etc.raw
|
Source5: etc.raw
|
||||||
Source6: etc_filesystems
|
Source6: etc_filesystems
|
||||||
@ -145,6 +145,12 @@ Source51: blkid.conf
|
|||||||
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
||||||
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
||||||
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch3: util-linux-login_defs-priority1.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch4: util-linux-login_defs-priority2.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
|
||||||
|
Patch5: util-linux-login_defs-SYS_UID.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -174,6 +180,10 @@ Provides: s390-32
|
|||||||
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
||||||
Provides: uuid-runtime = %{version}-%{release}
|
Provides: uuid-runtime = %{version}-%{release}
|
||||||
Obsoletes: uuid-runtime <= 2.19.1
|
Obsoletes: uuid-runtime <= 2.19.1
|
||||||
|
# All login.defs variables require support from shadow side.
|
||||||
|
# Upgrade this symbol version only if new variables appear!
|
||||||
|
# Verify by shadow-login_defs-check.sh from shadow source package.
|
||||||
|
Requires: login_defs-support-for-util-linux >= 2.33.1
|
||||||
#
|
#
|
||||||
# Using "Requires" here would lend itself to help upgrading, but since
|
# Using "Requires" here would lend itself to help upgrading, but since
|
||||||
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
||||||
@ -380,11 +390,16 @@ library.
|
|||||||
%endif
|
%endif
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{_name}-%{version}
|
%setup -q -n %{_name}-%{version}
|
||||||
|
cp -a %{S:2} .
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
bash ./util-linux-login_defs-check.sh
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
#
|
#
|
||||||
#BEGIN SYSTEMD SAFETY CHECK
|
#BEGIN SYSTEMD SAFETY CHECK
|
||||||
@ -720,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service
|
%service_add_pre raw.service
|
||||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
|
||||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
|
||||||
# (bsc#353876#c7)
|
|
||||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
|
||||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service
|
%service_add_post raw.service
|
||||||
@ -749,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
# But we want to upgrade to a more secure default on upgrade.
|
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
|
||||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
# Perform one-time config replace.
|
||||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
|
||||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
if test -f %{_sysconfdir}/default/su.rpmnew ; then
|
||||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
fi
|
fi
|
||||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
|
||||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
|
||||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
|
||||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service
|
%service_del_preun raw.service
|
||||||
|
@ -1,3 +1,15 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 2 23:51:45 CEST 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
- Fix problems in reading of login.defs values (bsc#1121197,
|
||||||
|
util-linux-login_defs-priority1.patch,
|
||||||
|
util-linux-login_defs-priority2.patch,
|
||||||
|
util-linux-login_defs-SYS_UID.patch).
|
||||||
|
- Perform one-time reset of /etc/default/su (bsc#1121197).
|
||||||
|
- Add virtual symbols for login.defs compatibility (bsc#1121197).
|
||||||
|
- Add login.defs safety check util-linux-login_defs-check.sh
|
||||||
|
(bsc#1121197).
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
Mon Mar 4 15:23:27 CET 2019 - sbrabec@suse.com
|
||||||
|
|
||||||
|
@ -126,6 +126,7 @@ Release: 0
|
|||||||
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
Url: https://www.kernel.org/pub/linux/utils/util-linux/
|
||||||
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
Source: https://www.kernel.org/pub/linux/utils/util-linux/v2.33/util-linux-%{version}.tar.xz
|
||||||
Source1: util-linux-rpmlintrc
|
Source1: util-linux-rpmlintrc
|
||||||
|
Source2: util-linux-login_defs-check.sh
|
||||||
Source4: raw.service
|
Source4: raw.service
|
||||||
Source5: etc.raw
|
Source5: etc.raw
|
||||||
Source6: etc_filesystems
|
Source6: etc_filesystems
|
||||||
@ -144,6 +145,12 @@ Source51: blkid.conf
|
|||||||
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
Patch0: make-sure-sbin-resp-usr-sbin-are-in-PATH.diff
|
||||||
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
Patch1: libmount-print-a-blacklist-hint-for-unknown-filesyst.patch
|
||||||
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
Patch2: Add-documentation-on-blacklisted-modules-to-mount-8-.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority1.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch3: util-linux-login_defs-priority1.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-priority2.patch bsc1121197 sbrabec@suse.com -- Fix priorities of login.defs values.
|
||||||
|
Patch4: util-linux-login_defs-priority2.patch
|
||||||
|
# PATCH-FIX-UPSTREAM util-linux-login_defs-SYS_UID.patch bsc1121197 sbrabec@suse.com -- Fix discrepancies in SYS_UID* fallback.
|
||||||
|
Patch5: util-linux-login_defs-SYS_UID.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
#
|
#
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
@ -173,6 +180,10 @@ Provides: s390-32
|
|||||||
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
# uuid-runtime appeared in SLE11 SP1 to SLE11 SP3
|
||||||
Provides: uuid-runtime = %{version}-%{release}
|
Provides: uuid-runtime = %{version}-%{release}
|
||||||
Obsoletes: uuid-runtime <= 2.19.1
|
Obsoletes: uuid-runtime <= 2.19.1
|
||||||
|
# All login.defs variables require support from shadow side.
|
||||||
|
# Upgrade this symbol version only if new variables appear!
|
||||||
|
# Verify by shadow-login_defs-check.sh from shadow source package.
|
||||||
|
Requires: login_defs-support-for-util-linux >= 2.33.1
|
||||||
#
|
#
|
||||||
# Using "Requires" here would lend itself to help upgrading, but since
|
# Using "Requires" here would lend itself to help upgrading, but since
|
||||||
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
# util-linux is in the initial bootstrap, that is not a good thing to do:
|
||||||
@ -379,11 +390,16 @@ library.
|
|||||||
%endif
|
%endif
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{_name}-%{version}
|
%setup -q -n %{_name}-%{version}
|
||||||
|
cp -a %{S:2} .
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
%patch4 -p1
|
||||||
|
%patch5 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
bash ./util-linux-login_defs-check.sh
|
||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
#
|
#
|
||||||
#BEGIN SYSTEMD SAFETY CHECK
|
#BEGIN SYSTEMD SAFETY CHECK
|
||||||
@ -719,12 +735,6 @@ ln -sf /sbin/service %{buildroot}/usr/sbin/rcfstrim
|
|||||||
%if %build_util_linux
|
%if %build_util_linux
|
||||||
%pre
|
%pre
|
||||||
%service_add_pre raw.service
|
%service_add_pre raw.service
|
||||||
# Check whether we are upgrading from < Leap 15 or SLE 15
|
|
||||||
# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
|
|
||||||
# (bsc#353876#c7)
|
|
||||||
if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; then
|
|
||||||
touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
|
|
||||||
fi
|
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%service_add_post raw.service
|
%service_add_post raw.service
|
||||||
@ -748,19 +758,19 @@ for PAM_FILE in default/su pam.d/su pam.d/su-l ; do
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
# %{_sysconfdir}/default/su is tagged as noreplace.
|
# %{_sysconfdir}/default/su is tagged as noreplace.
|
||||||
# But we want to upgrade to a more secure default on upgrade.
|
# But we want to migrate variables to /etc/login.defs (bsc#1121197).
|
||||||
# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
|
# Perform one-time config replace.
|
||||||
if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f %{_sysconfdir}/default/su &&
|
if ! grep -q "^# /etc/default/su is an override" %{_sysconfdir}/default/su ; then
|
||||||
grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
|
if test -f %{_sysconfdir}/default/su.rpmnew ; then
|
||||||
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
|
||||||
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
cp -a %{_sysconfdir}/default/su %{_sysconfdir}/default/su.rpmorig
|
||||||
fi
|
fi
|
||||||
sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ %{_sysconfdir}/default/su
|
mv %{_sysconfdir}/default/su.rpmnew %{_sysconfdir}/default/su
|
||||||
echo "One time change of %{_sysconfdir}/default/su was performed." >&2
|
echo "One time clean-up of %{_sysconfdir}/default/su was performed." >&2
|
||||||
echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
|
echo "Original contents was saved to %{_sysconfdir}/default/su.rpmorig." >&2
|
||||||
echo "If it is not intended, you can safely change it back. It will not be changed again." >&2
|
echo "Please edit %{_sysconfdir}/login.defs or %{_sysconfdir}/default/su to restore your customization." >&2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%service_del_preun raw.service
|
%service_del_preun raw.service
|
||||||
|
Loading…
Reference in New Issue
Block a user