Hello community, here is the log from the commit of package sarg for openSUSE:Factory checked in at 2020-03-01 21:27:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sarg (Old) and /work/SRC/openSUSE:Factory/.sarg.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sarg" Sun Mar 1 21:27:44 2020 rev:36 rq:780343 version:2.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/sarg/sarg.changes 2020-01-31 23:58:31.127689777 +0100 +++ /work/SRC/openSUSE:Factory/.sarg.new.26092/sarg.changes 2020-03-01 21:28:14.200583615 +0100 @@ -1,0 +2,7 @@ +Thu Feb 27 13:33:54 UTC 2020 - Matthias Gerstner <matthias.gerst...@suse.com> + +- replace the three nearly identical cron job scripts by a central one +- run the cron job as the unprivileged squid user/group which increases + security. (bsc#1150554, bsc#1156643) + +------------------------------------------------------------------- Old: ---- cron.daily.sarg cron.monthly.sarg cron.weekly.sarg New: ---- cron.sarg ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sarg.spec ++++++ --- /var/tmp/diff_new_pack.QDiHCN/_old 2020-03-01 21:28:15.984587239 +0100 +++ /var/tmp/diff_new_pack.QDiHCN/_new 2020-03-01 21:28:15.988587247 +0100 @@ -27,15 +27,13 @@ Summary: Squid Analysis Report Generator License: GPL-2.0-or-later Group: Productivity/Networking/Web/Utilities -Url: http://sarg.sourceforge.net/ +URL: http://sarg.sourceforge.net/ Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz Source1: sarg.conf Source2: http://www.initzero.it/products/opensource/sarg-reports/download/sarg-reports Source3: sarg.hosts Source4: sysconfig.sarg -Source5: cron.daily.sarg -Source6: cron.weekly.sarg -Source7: cron.monthly.sarg +Source5: cron.sarg Source8: sarg-reports.1.gz Source9: sarg-apache.conf Source10: platform_suse.gif @@ -49,6 +47,8 @@ BuildRequires: libtool BuildRequires: openldap2-devel BuildRequires: pcre-devel +# required for the squid user/group +BuildRequires: squid Requires(post): %fillup_prereq Recommends: cron Recommends: http_proxy 
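Review bot: `BuildRequires: squid` in the `@@ -49,6 +47,8 @@` hunk only makes the squid user and group resolvable while the package is built; the dependency lines visible here (`Requires(post): %fillup_prereq`, `Recommends: cron`, `Recommends: http_proxy`) do not guarantee the account exists when the package is installed. If squid is absent at install time, rpm cannot apply the `%attr(-,squid,squid)` ownership from the `%files` hunk and /srv/www/sarg would most likely end up owned by root. In that case `try_privdrop` in sarg-reports finds a root-owned output directory and keeps running as root. Consider an install-time dependency such as `Requires(pre): squid`, unless one is already declared outside this hunk.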
@@ -91,9 +91,14 @@ install -m 644 %{SOURCE3} %{buildroot}%{_datadir}/%{name}/sarg.hosts install -d %{buildroot}%{_fillupdir} install -m 644 %{SOURCE4} %{buildroot}%{_fillupdir} -install -D -m 755 %{SOURCE5} %{buildroot}%{_sysconfdir}/cron.daily/suse.de-sarg -install -D -m 755 %{SOURCE6} %{buildroot}%{_sysconfdir}/cron.weekly/suse.de-sarg -install -D -m 755 %{SOURCE7} %{buildroot}%{_sysconfdir}/cron.monthly/suse.de-sarg +install -d %{buildroot}%{_libexecdir}/%{name} +install -m 755 %{SOURCE5} %{buildroot}/%{_libexecdir}/%{name}/suse.de-sarg +install -d %{buildroot}%{_sysconfdir}/cron.daily +install -d %{buildroot}%{_sysconfdir}/cron.weekly +install -d %{buildroot}%{_sysconfdir}/cron.monthly +ln -s %{_libexecdir}/%{name}/suse.de-sarg %{buildroot}%{_sysconfdir}/cron.daily/ +ln -s %{_libexecdir}/%{name}/suse.de-sarg %{buildroot}%{_sysconfdir}/cron.weekly/ +ln -s %{_libexecdir}/%{name}/suse.de-sarg %{buildroot}%{_sysconfdir}/cron.monthly/ install -d -m 755 %{buildroot}%{_mandir}/man8 install -m 644 %{SOURCE8} %{buildroot}%{_mandir}/man8 
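Review bot: Nothing in these `%install` lines records that the three `ln -s` links are load-bearing. cron.sarg takes the report frequency from the name of the cron directory in `$0`, so the script only works when started through a path of the form /etc/cron.<freq>/suse.de-sarg. A comment above the links would make that clear, for example `# suse.de-sarg derives daily/weekly/monthly from the cron.<freq> directory in $0; keep these links in place`. Minor: `%{buildroot}/%{_libexecdir}` carries a stray `/` that the other `%{buildroot}%{...}` paths do not have.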
@@ -106,15 +111,19 @@ %dir %{_sysconfdir}/cron.daily %dir %{_sysconfdir}/cron.weekly %dir %{_sysconfdir}/cron.monthly -%{_sysconfdir}/cron.*/suse.de-sarg +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/suse.de-sarg +%{_sysconfdir}/cron.weekly/suse.de-sarg +%{_sysconfdir}/cron.daily/suse.de-sarg +%{_sysconfdir}/cron.monthly/suse.de-sarg %dir /etc/apache2 %dir /etc/apache2/conf.d %config(noreplace) %{_sysconfdir}/apache2/conf.d/sarg-apache.conf %{_bindir}/sarg %{_sbindir}/sarg-reports %dir %{_datadir}/%{name} -%dir /srv/www/sarg -/srv/www/sarg/platform_suse.gif +%attr(-,squid,squid) %dir /srv/www/sarg +%attr(-,squid,squid) /srv/www/sarg/platform_suse.gif %{_datadir}/%{name}/css.tpl %{_datadir}/%{name}/exclude_codes %{_datadir}/%{name}/sarg.conf ++++++ cron.daily.sarg -> cron.sarg ++++++ --- /work/SRC/openSUSE:Factory/sarg/cron.daily.sarg 2011-09-23 12:45:15.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.sarg.new.26092/cron.sarg 2020-03-01 21:28:13.980583168 +0100 @@ -16,6 +16,19 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin export PATH +CRON_DIR=`echo "$0" | cut -d '/' -f 3` +CRON_FREQ=`echo "$CRON_DIR" | cut -d '.' -f 2` + +case "$CRON_FREQ" in + daily) ;; + montly) ;; + weekly) ;; + *) + echo "Failed to determine cron frequency" 1>&2 + exit 1 + ;; +esac + # # get information from /etc/sysconfig # @@ -25,7 +38,7 @@ if [ -n "$RUN_SARGREPORT" -a "$RUN_SARGREPORT" = "yes" -a \ -x /usr/sbin/sarg-reports ]; then - /usr/sbin/sarg-reports daily + /usr/sbin/sarg-reports "$CRON_FREQ" fi exit 0 ++++++ sarg-reports ++++++ --- /var/tmp/diff_new_pack.QDiHCN/_old 2020-03-01 21:28:16.088587451 +0100 +++ /var/tmp/diff_new_pack.QDiHCN/_new 2020-03-01 21:28:16.092587459 +0100 
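Review bot: The two `%attr(-,squid,squid)` lines change ownership only for /srv/www/sarg itself and platform_suse.gif, so on an upgraded system the report directories that earlier root-run cron jobs created below it presumably stay root-owned. Once sarg-reports drops to the owner of the output directory, writes into those existing subdirectories would fail. A note in sarg.changes telling admins to fix ownership of existing reports would cover this. If a scriptlet does it instead, a recursive chown run as root inside a tree that squid can now write to must not follow symlinks. Whether a scriptlet already handles this is not visible in the hunk.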
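Review bot: The `montly)` arm in the new `case "$CRON_FREQ"` of cron.sarg is misspelled. The link lives in `cron.monthly`, so `CRON_FREQ` is `monthly`, no arm matches, and the monthly job exits 1 with "Failed to determine cron frequency"; the arm should read `monthly) ;;`. The keyword that the `case $1` in sarg-reports accepts is outside the visible hunks (the last sarg-reports hunk changes only its usage text from `montly` to `monthly`), so confirm both scripts agree on the spelling or map it here before the call. `cut -d '/' -f 3` also assumes `$0` is exactly `/etc/cron.<freq>/<name>`; taking the basename of the parent directory would tolerate other invocation paths.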
@@ -255,6 +255,38 @@ exclude_from_log } +try_privdrop () +{ + EGID=`id -g` + if [ "$EUID" -ne 0 -a "$EGID" -ne 0 ]; then + return + fi + + # if the output directory is owned by an unprivileged user then we need to + # drop privileges to it to avoid security issues. + local TARGET_UID=`/usr/bin/stat -c '%u' "$HTMLOUT"` + local TARGET_GID=`/usr/bin/stat -c '%g' "$HTMLOUT"` + + if [ -z "${TARGET_UID}" -o -z "${TARGET_GID}" ]; then + echo "error determining uid/gid of $HTMLOUT" 1>&2 + exit 1 + fi + + if [ "$EUID" -eq "${TARGET_UID}" -a "$EGID" -eq "${TARGET_GID}" ]; then + return + fi + + # okay we need to re-execute ourselves with lower privileges + exec /usr/bin/setpriv --inh-caps -all \ + --ruid "${TARGET_UID}" \ + --rgid "${TARGET_GID}" \ + --init-groups \ + --reset-env \ + $0 "$@" +} + +try_privdrop "$@" + case $1 in manual) manual @@ -283,7 +315,7 @@ echo " today, Create Today report" echo " daily, Create Daily report" echo " weekly, Create Weekly report" - echo " montly, Create Monthly report" + echo " monthly, Create Monthly report" exit 0 esac
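Review bot: `--ruid`/`--rgid` in the `exec /usr/bin/setpriv` call set only the real user and group IDs, so whether the effective IDs actually leave root depends on how the re-executed interpreter treats mismatched real and effective IDs at startup. Making the drop explicit with `--reuid "${TARGET_UID}" \` and `--regid "${TARGET_GID}" \` removes that dependency and keeps the `$EUID`/`id -g` comparison at the top of `try_privdrop` from seeing root again after the re-exec. `$0` on the last line of the call should be quoted, `"$0" "$@"`, so a script path containing spaces is not split. A short comment stating that the target identity is whatever owns `$HTMLOUT`, and that a root-owned directory therefore means no drop at all, would make the security behaviour clear to admins.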