Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package trousers for openSUSE:Factory checked in at 2026-04-20 16:14:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/trousers (Old)
 and /work/SRC/openSUSE:Factory/.trousers.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "trousers" Mon Apr 20 16:14:28 2026 rev:56 rq:1348229 version:0.3.15 Changes: -------- --- /work/SRC/openSUSE:Factory/trousers/trousers.changes 2024-02-26 19:50:59.606061158 +0100 +++ /work/SRC/openSUSE:Factory/.trousers.new.11940/trousers.changes 2026-04-20 16:15:04.906560419 +0200 @@ -1,0 +2,6 @@ +Mon Apr 20 12:28:25 UTC 2026 - Matthias Gerstner <[email protected]> + +- add setid-hardening.patch (bsc#1262318): detect privilege drop errors, also + drop supplementary group membership. + +------------------------------------------------------------------- New: ---- setid-hardening.patch ----------(New B)---------- New: - add setid-hardening.patch (bsc#1262318): detect privilege drop errors, also drop supplementary group membership. ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ trousers.spec ++++++ --- /var/tmp/diff_new_pack.diQWrQ/_old 2026-04-20 16:15:05.686592560 +0200 +++ /var/tmp/diff_new_pack.diQWrQ/_new 2026-04-20 16:15:05.686592560 +0200 @@ -1,7 +1,7 @@ # # spec file for package trousers # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2026 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,7 @@ Source2: baselibs.conf Source3: 91-trousers.rules Patch0: fix-lto.patch +Patch1: setid-hardening.patch BuildRequires: gtk2-devel BuildRequires: libtool BuildRequires: openssl-devel ++++++ setid-hardening.patch ++++++ Index: trousers-0.3.15/src/tcsd/svrside.c =================================================================== --- trousers-0.3.15.orig/src/tcsd/svrside.c +++ trousers-0.3.15/src/tcsd/svrside.c @@ -39,6 +39,7 @@ #include "tcsps.h" #include "tcsd.h" #include "req_mgr.h" +#include "grp.h" struct tcsd_config tcsd_options; struct tpm_properties tpm_metrics; 
@@ -473,8 +474,15 @@ main(int argc, char **argv) } return TCSERR(TSS_E_INTERNAL_ERROR); } - setgid(pwd->pw_gid); - setuid(pwd->pw_uid); + + /* the service can be started by systemd with the correct target + * privileges already */ + if (getuid() != pwd->pw_uid) { + if (setgid(pwd->pw_gid) != 0 || setgroups(0, NULL) != 0 || setuid(pwd->pw_uid) != 0) { + LogError("Dropping privileges failed: %s", strerror(errno)); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + } #endif #endif
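
Review bot: In the include hunk of src/tcsd/svrside.c (@@ -39,6 +39,7), `#include "grp.h"` pulls in a system header with the quoted form, which searches the including file's directory before the system include path. The neighbouring quoted includes (`"tcsps.h"`, `"tcsd.h"`, `"req_mgr.h"`) are project headers; use `#include <grp.h>` here so a local file of that name cannot shadow the header that declares `setgroups()`.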
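
Review bot: In the main() hunk of src/tcsd/svrside.c (@@ -473,8 +474,15), the guard `if (getuid() != pwd->pw_uid)` bypasses the whole drop when the real UID already matches, so in that path neither the GID nor the supplementary groups are checked or reset. The comment assumes systemd has already set the correct target privileges, but nothing verifies it: a start with the target UID and a different group, or with leftover supplementary groups, continues with them intact. Consider extending the condition to the group state as well (for example comparing `getgid()` with `pwd->pw_gid`), or returning an error when they do not match. Separately, the single `LogError("Dropping privileges failed: %s", strerror(errno))` covers three calls, so the log does not say which of `setgid`, `setgroups` or `setuid` failed; one message per call would make failures easier to diagnose.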
