Hello community,

here is the log from the commit of package permissions for openSUSE:Factory checked in at 2020-03-06 21:23:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/permissions (Old)
 and /work/SRC/openSUSE:Factory/.permissions.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "permissions" Fri Mar 6 21:23:21 2020 rev:132 rq:780979 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2020-02-21 16:40:25.925802159 +0100 +++ /work/SRC/openSUSE:Factory/.permissions.new.26092/permissions.changes 2020-03-06 21:23:24.365419871 +0100 
@@ -1,0 +2,55 @@ +Fri Feb 28 12:00:44 UTC 2020 - malte.kr...@suse.com + +- Update to version 20200228: + * chkstat: fix readline() on platforms with unsigned char + +------------------------------------------------------------------- +Thu Feb 27 12:29:29 UTC 2020 - malte.kr...@suse.com + +- Update to version 20200227: + * remove capability whitelisting for radosgw + * whitelist ceph log directory (bsc#1150366) + * adjust testsuite to post CVE-2020-8013 link handling + * testsuite: add option to not mount /proc + * do not follow symlinks that are the final path element: CVE-2020-8013 + * add a test for symlinked directories + * fix relative symlink handling + * include cpp compat headers, not C headers + * Move permissions and permissions.* except .local to /usr/share/permissions + * regtest: fix the static PATH list which was missing /usr/bin + * regtest: also unshare the PID namespace to support /proc mounting + * regtest: bindMount(): explicitly reject read-only recursive mounts + * Makefile: force remove upon clean target to prevent bogus errors + * regtest: by default automatically (re)build chkstat before testing + * regtest: add test for symlink targets + * regtest: make capability setting tests optional + * regtest: fix capability assertion helper logic + * regtests: add another test case that catches set*id or caps in world-writable sub-trees + * regtest: add another test that catches when privilege bits are set for special files + * regtest: add test case for user owned symlinks + * regtest: employ subuid and subgid feature in user namespace + * regtest: add another test case that covers unknown user/group config + * regtest: add another test that checks rejection of insecure mixed-owner paths + * regtest: add test that checks for rejection of world-writable paths + * regtest: add test for detection of unexpected parent directory ownership + * regtest: add further helper functions, allow access to main instance + * regtest: introduce some basic coloring 
support to improve readability + * regtest: sort imports, another piece of rationale + * regtest: add capability test case + * regtest: improve error flagging of test cases and introduce warnings + * regtest: support caps + * regtest: add a couple of command line parameter test cases + * regtest: add another test that checks whether the default profile works + * regtests: add tests for correct application of local profiles + * regtest: add further test cases that test correct profile application + * regtest: simplify test implementation and readability + * regtest: add helpers for permissions.d per package profiles + * regtest: support read-only bind mounts, also bind-mount permissions repo + * tests: introduce a regression test suite for chkstat + * Makefile: allow to build test version programmatically + * README.md: add basic readme file that explains the repository's purpose + * chkstat: change and harmonize coding style + * chkstat: switch to C++ compilation unit +- add suse_version to end of permissions package version + +------------------------------------------------------------------- Old: ---- permissions-20200213.tar.xz New: ---- permissions-20200228.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.Us6QpT/_old 2020-03-06 21:23:24.849420138 +0100 +++ /var/tmp/diff_new_pack.Us6QpT/_new 2020-03-06 21:23:24.853420141 +0100 
@@ -16,26 +16,28 @@ # -%define VERSION 20200213 +%define VERSION_DATE 20200228 Name: permissions -Version: %{VERSION} +Version: %{VERSION_DATE}.%{suse_version} Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. License: GPL-2.0-or-later Group: Productivity/Security URL: http://github.com/openSUSE/permissions -Source: permissions-%{version}.tar.xz +Source: permissions-%{VERSION_DATE}.tar.xz Source1: fix_version.sh +BuildRequires: gcc-c++ BuildRequires: libcap-devel +BuildRequires: libcap-progs Requires: chkstat Requires: permissions-config Recommends: permissions-doc -Provides: aaa_base:%{_sysconfdir}/permissions +Provides: aaa_base:%{_datadir}/permissions %prep -%setup -q +%setup -q -n permissions-%{VERSION_DATE} %build make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0 @@ -43,6 +45,10 @@ %install %make_install fillupdir=%{_fillupdir} +# regression tests disabled for the moment, needs adjustment for the new /usr/share world +#%check +#tests/regtest.py + %description Permission settings of files and directories depending on the local security settings. The local security setting ("easy", "secure", or "paranoid") @@ -55,11 +61,11 @@ %package doc Summary: SUSE Linux Default Permissions documentation Group: Documentation/Man -Version: %{suse_version}_%{VERSION} +Version: %{suse_version}_%{VERSION_DATE} Release: 0 %description doc -Documentation for the permission files /etc/permissions*. +Documentation for the permission files /usr/share/permissions/permissions*. %files doc %{_mandir}/man5/permissions.5%{ext_man} @@ -67,7 +73,7 @@ %package config Summary: SUSE Linux Default Permissions config files Group: Productivity/Security -Version: %{suse_version}_%{VERSION} +Version: %{suse_version}_%{VERSION_DATE} Release: 0 Requires(post): %fillup_prereq Requires(post): chkstat 
@@ -75,13 +81,15 @@ Requires(pre): group(trusted) %description config -The actual permissions configuration files, /etc/permission.*. +The actual permissions configuration files, /usr/share/permissions/permission.*. %files config -%config %{_sysconfdir}/permissions -%config %{_sysconfdir}/permissions.easy -%config %{_sysconfdir}/permissions.secure -%config %{_sysconfdir}/permissions.paranoid +%defattr(644, root, root, 755) +%dir %{_datadir}/permissions +%{_datadir}/permissions/permissions +%{_datadir}/permissions/permissions.easy +%{_datadir}/permissions/permissions.secure +%{_datadir}/permissions/permissions.paranoid %config(noreplace) %{_sysconfdir}/permissions.local %{_fillupdir}/sysconfig.security @@ -93,7 +101,7 @@ %package -n chkstat Summary: SUSE Linux Default Permissions tool Group: Productivity/Security -Version: %{suse_version}_%{VERSION} +Version: %{suse_version}_%{VERSION_DATE} Release: 0 %description -n chkstat @@ -105,7 +113,7 @@ %package -n permissions-zypp-plugin BuildArch: noarch -Requires: permissions = %{VERSION} +Requires: permissions = %{VERSION_DATE}.%{suse_version} Requires: python3-zypp-plugin Requires: libzypp(plugin:commit) = 1 Summary: A zypper commit plugin for calling chkstat ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Us6QpT/_old 2020-03-06 21:23:24.877420154 +0100 +++ /var/tmp/diff_new_pack.Us6QpT/_new 2020-03-06 21:23:24.877420154 +0100 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> - <param name="changesrevision">8676fc316fb0b9eb56ad9d354b8cafb8b1f2f258</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">bfa5f7c7437b3fa939b0a88007e2d1cc6de605c9</param></service></servicedata> \ No newline at end of file ++++++ fix_version.sh ++++++ --- /var/tmp/diff_new_pack.Us6QpT/_old 2020-03-06 21:23:24.889420161 +0100 +++ /var/tmp/diff_new_pack.Us6QpT/_new 2020-03-06 21:23:24.889420161 +0100 
@@ -3,4 +3,4 @@ version=`date '+%Y%m%d'` echo "setting version to ${version}" -sed -E -i -e "s/^%define VERSION [0-9]+/%define VERSION ${version}/" permissions.spec +sed -E -i -e "s/^%define VERSION_DATE [0-9]+/%define VERSION_DATE ${version}/" permissions.spec ++++++ permissions-20200213.tar.xz -> permissions-20200228.tar.xz ++++++ ++++ 5007 lines of diff (skipped)
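
Review bot: in permissions.changes (hunk @@ -1,0 +2,55 @@), the entry "do not follow symlinks that are the final path element: CVE-2020-8013" carries no bsc# reference, unlike the ceph log directory entry just above it (bsc#1150366). If a Bugzilla entry exists for the CVE, add it to that line so the fix can be traced from the changelog. The entry is also the one security fix in a list of about fifty items, mostly regtest additions; moving it to the top of the 20200227 block would make it easier to find.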
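
Review bot: in permissions.spec (hunk @@ -16,26 +16,28 @@), the %build line still passes only CFLAGS="-W -Wall %{optflags}", while the same hunk adds BuildRequires: gcc-c++ and the changelog says chkstat is now a C++ compilation unit. The tarball diff is skipped in this mail, so it is not visible whether the Makefile applies CFLAGS to the C++ compile. If it uses CXXFLAGS instead, %{optflags} never reaches chkstat, and the spec should pass CXXFLAGS with the same value.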
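
Review bot: in permissions.spec (hunk @@ -43,6 +45,10 @@), %check is added already commented out, so tests/regtest.py does not run at build time in the same update that ships the CVE-2020-8013 symlink fix and the new symlink test cases listed in the changelog. The comment says the tests need adjustment for the /usr/share layout. Reference a tracking issue in that comment so the section is re-enabled once the adjustment lands, rather than staying disabled unnoticed.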
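
Review bot: in permissions.spec (hunk @@ -75,13 +81,15 @@), the four profile files lose their %config marking when they move from %{_sysconfdir} to %{_datadir}/permissions, and nothing in the changelog tells administrators who edited /etc/permissions, permissions.easy, permissions.secure or permissions.paranoid what happens to those edits. rpm saves a modified %config file as .rpmsave when it leaves the package, so such changes would stop applying after the update unless chkstat still reads the old location. Add a changelog line pointing local changes to /etc/permissions.local, which stays %config(noreplace). Separately, the new %description config text says /usr/share/permissions/permission.* while the files are named permissions and permissions.*; the doc description already uses permissions*.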
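
Review bot: in permissions.spec (hunk @@ -105,7 +113,7 @@), the Requires: for permissions-zypp-plugin repeats the expression %{VERSION_DATE}.%{suse_version} from the main Version: tag by hand, while the doc, config and chkstat subpackages use the different form %{suse_version}_%{VERSION_DATE}. Define the main package version once in its own macro and use that macro in both Version: and this Requires:, so the exact-version dependency cannot drift from the tag the next time the scheme changes.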
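
Review bot: in fix_version.sh (hunk @@ -3,4 +3,4 @@), the sed call exits successfully even when no line matches, so the script prints "setting version to ..." and leaves permissions.spec untouched if the define is renamed again or its format changes. After the sed, check that the spec now contains the line "%define VERSION_DATE ${version}" (a grep -q is enough) and exit non-zero when it does not, so a stale version cannot slip into a submission unnoticed.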