Hello community, here is the log from the commit of package trousers for openSUSE:Factory checked in at 2020-05-23 17:26:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/trousers (Old) and /work/SRC/openSUSE:Factory/.trousers.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "trousers" Sat May 23 17:26:43 2020 rev:45 rq:807580 version:0.3.14 Changes: --------
--- /work/SRC/openSUSE:Factory/trousers/trousers.changes 2020-02-20 14:55:41.730325165 +0100
+++ /work/SRC/openSUSE:Factory/.trousers.new.2738/trousers.changes 2020-05-23 17:28:03.583488378 +0200
@@ -1,0 +2,27 @@
+Wed May 20 10:05:51 UTC 2020 - Matthias Gerstner <matthias.gerst...@suse.com>
+
+- get rid of %pre/%post logic that fixes the old packaging bug. Turns out
+ %pretrans and %posttrans had their purpose before, because the logic needed
+ to run before old files owned by the package got deleted. But I'm not
+ reimplementing this strange logic in Lua ... users that didn't get the fix
+ yet will have to live with it.
+
+-------------------------------------------------------------------
+Wed May 20 08:59:54 UTC 2020 - Matthias Gerstner <matthias.gerst...@suse.com>
+
+- fix a potential tss user to root privilege escalation when running tcsd
+ (bsc#1164472). To do this run tcsd as the 'tss' user right away to prevent
+ badly designed privilege drop and initialization code to run.
+- add bsc1164472.patch: additionally harden operation of tcsd when running as
+ root. No longer follow symlinks in /var/lib/tpm. Drop gid to tss main group.
+ require /etc/tcsd.conf to be owned by root:tss mode 0640.
+
+-------------------------------------------------------------------
+Wed May 13 12:14:32 UTC 2020 - matthias.gerst...@suse.com
+
+- add correct Requires(pre) and change %pretrans and %posttrans into %pre and
+ %post. %pretrans can't have any dependencies and therefore can only be
+ %implemented in lua. This currently leads to build errors "/bin/sh: no such
+ file or directory".
+
+-------------------------------------------------------------------
New: ---- 91-trousers.rules bsc1164472.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ trousers.spec ++++++
--- /var/tmp/diff_new_pack.dhONRb/_old 2020-05-23 17:28:04.331489997 +0200
+++ /var/tmp/diff_new_pack.dhONRb/_new 2020-05-23 17:28:04.335490005 +0200
@@ -27,15 +27,15 @@ Source0: http://downloads.sf.net/trousers/%{name}-%{version}.tar.gz Source1: tcsd.service Source2: baselibs.conf +Source3: 91-trousers.rules Patch0: fix-lto.patch +Patch1: bsc1164472.patch BuildRequires: gtk2-devel BuildRequires: libtool BuildRequires: openssl-devel BuildRequires: pkg-config BuildRequires: systemd-rpm-macros -# for 'stat' for the hack in %pretrans -BuildRequires: coreutils -Requires(pre): user(tss) +BuildRequires: udev BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -81,6 +81,7 @@ %prep %setup -q -c %{name}-%{version} %patch0 -p1 +%patch1 -p1 %build CC=gcc 
@@ -107,48 +108,28 @@ rm -v %{buildroot}/%{_lib}/libtspi.{so,la} mv -v %{buildroot}/%{_lib}/*.a %{buildroot}%{_libdir} +# we want to run tcsd as tss user right away. therefore we need to install a +# suitable udev rule file. this conflicts somewhat with tpm2-0-tss, but both +# rules files are compatible at the moment. trousers has a lower priority than +# tpm2-0-tss in case both should be installed. The tss user is shared between +# both packages anyways already. +mkdir -p %{buildroot}%{_udevrulesdir} +install -m 0644 %{SOURCE3} %{buildroot}%{_udevrulesdir} + %pre %service_add_pre tcsd.service -%pretrans -# this scriplet and the counterpart in %posttrans work around a packaging bug -# that was present in all trousers packages since around 2008 until 2018. -# /var/lib/tpm/system.data.* was wrongly packaged as runtime state data -# instead of package resource data in /usr/share. After removal of these files -# from packaging, during updating they will be deleted. Since users could have -# created their own versions of the files already (by taking ownership of a -# TPM) we want to keep those files in place. -# -# to achieve this we use the ownership of /var/lib/tpm as an indicator. -# Versions that still wrongly package those files also had the ownership of -# the directory wrong. Therefore if the directory is not owned by the tss user -# we apply a backup and restore logic. -[ ! -d "%{tpmstatedir}" ] && exit 0 -OWNER=`/usr/bin/stat -c "%U" "%{tpmstatedir}"` -[ "$OWNER" = "tss" ] && exit 0 -for data in system.data.auth system.data.noauth; do - file="%{tpmstatedir}/${data}" - [ ! -e "$file" ] && continue - cp -p $file ${file}.rpmsave - echo "saving backup of $file" -done - %post %service_add_post tcsd.service +%_bindir/udevadm trigger -s tpm || : -%posttrans -# see pretrans for an explanation of this -for data in system.data.auth system.data.noauth; do - file="%{tpmstatedir}/${data}" - # nothing to restore here - [ ! 
-e "${file}.rpmsave" ] && continue - # for some reason the to-be-restored file already exists? ignore. - [ -e "${file}" ] && continue - # restore the original file - echo "restoring backup of $file" - mv --no-target-directory ${file}.rpmsave ${file} - chown --no-dereference tss:tss "${file}" -done +# bsc#1164472: adjust potential root ownership to allow tcsd to open the file +# as unprivileged user. Be careful not to follow a symlink target. +system_data=%{tpmstatedir}/system.data + +if [ -e "${system_data}" ]; then + chown --no-dereference tss:tss %{tpmstatedir}/system.data +fi %postun %service_del_postun tcsd.service @@ -162,7 +143,7 @@ %files %defattr(-,root,root) -%config(noreplace) %attr(600,tss,tss) %{_sysconfdir}/tcsd.conf +%config(noreplace) %attr(640,root,tss) %{_sysconfdir}/tcsd.conf %doc README README.selinux AUTHORS ChangeLog LICENSE NICETOHAVES TODO doc/* %{_mandir}/man5/* %{_mandir}/man8/* @@ -170,6 +151,7 @@ %{_sbindir}/tcsd %{_sbindir}/rctcsd %{_unitdir}/tcsd.service +%{_udevrulesdir}/91-trousers.rules %files devel %defattr(-,root,root) ++++++ 91-trousers.rules ++++++ KERNEL=="tpm[0-9]*", MODE="0660", OWNER="tss" ++++++ bsc1164472.patch ++++++ Index: trousers-0.3.14/src/tcs/ps/tcsps.c =================================================================== --- trousers-0.3.14.orig/src/tcs/ps/tcsps.c +++ trousers-0.3.14/src/tcs/ps/tcsps.c @@ -72,7 +72,7 @@ get_file() } /* open and lock the file */ - system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); + system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); if (system_ps_fd < 0) { LogError("system PS: open() of %s failed: %s", tcsd_options.system_ps_file, strerror(errno)); Index: trousers-0.3.14/src/tcsd/svrside.c =================================================================== --- trousers-0.3.14.orig/src/tcsd/svrside.c +++ trousers-0.3.14/src/tcsd/svrside.c 
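Review bot: In the new `%post` scriptlet of the trousers.spec hunk (-107,48 +108,28) the guard and the action do not test the same thing: `[ -e "${system_data}" ]` follows symlinks while `chown --no-dereference` acts on the link itself, and the chown repeats the unquoted macro instead of the variable defined one line earlier. The state directory appears to be owned by the tss user and this scriptlet runs as root, so requiring a regular, non-symlink file and reusing the quoted variable would be tighter: `if [ -f "${system_data}" ] && [ ! -L "${system_data}" ]; then chown --no-dereference tss:tss "${system_data}"; fi`. The test and the chown remain two separate steps, so the comment should state that `--no-dereference` is what keeps the operation safe, not the preceding test.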
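Review bot: In the tcsps.c hunk of bsc1164472.patch, `O_NOFOLLOW` rejects only a symlink in the final path component; when tcsd is still started as root, the `open()` with `O_CREAT` accepts any other object already present at that path. An `fstat()` on `system_ps_fd` that requires `S_ISREG(st.st_mode)` and `st.st_nlink == 1` before the file is locked and used would cover that case. get_file() continues outside the hunk, so such a check may already exist further down. A comment such as `/* O_NOFOLLOW: the PS directory is writable by tss, never follow a link there as root */` would record why the flag was added.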
@@ -473,6 +473,7 @@ main(int argc, char **argv) } return TCSERR(TSS_E_INTERNAL_ERROR); } + setgid(pwd->pw_gid); setuid(pwd->pw_uid); #endif #endif Index: trousers-0.3.14/src/tcsd/tcsd_conf.c =================================================================== --- trousers-0.3.14.orig/src/tcsd/tcsd_conf.c +++ trousers-0.3.14/src/tcsd/tcsd_conf.c @@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) #ifndef SOLARIS struct group *grp; struct passwd *pw; - mode_t mode = (S_IRUSR|S_IWUSR); + mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); #endif /* SOLARIS */ TSS_RESULT result; @@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) } /* make sure user/group TSS owns the conf file */ - if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { + if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, - TSS_USER_NAME, TSS_GROUP_NAME); + "root", TSS_GROUP_NAME); return TCSERR(TSS_E_INTERNAL_ERROR); } - /* make sure only the tss user can manipulate the config file */ + /* make sure only the tss user can read (but not manipulate) the config file */ if (((stat_buf.st_mode & 0777) ^ mode) != 0) { - LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); + LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); return TCSERR(TSS_E_INTERNAL_ERROR); } #endif /* SOLARIS */ ++++++ tcsd.service ++++++ --- /var/tmp/diff_new_pack.dhONRb/_old 2020-05-23 17:28:04.403490153 +0200 +++ /var/tmp/diff_new_pack.dhONRb/_new 2020-05-23 17:28:04.403490153 +0200 @@ -4,6 +4,7 @@ [Service] Type=forking ExecStart=/usr/sbin/tcsd +User=tss [Install] WantedBy=multi-user.target
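Review bot: The added `setgid(pwd->pw_gid)` and the existing `setuid(pwd->pw_uid)` in the svrside.c hunk ignore their return values, so a failed drop leaves tcsd running with root's ids and nothing is logged. Supplementary groups inherited from root are not cleared in the visible lines either. Suggest `if (setgroups(0, NULL) != 0 || setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0) return TCSERR(TSS_E_INTERNAL_ERROR);` with a `LogError()` before the return, in line with the error path just above. main() starts and ends outside the hunk, so the surrounding `#ifdef` conditions were not checked.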
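Review bot: The comments in the second tcsd_conf.c hunk (-798,15 +798,15) no longer describe the checks: the unchanged `/* make sure user/group TSS owns the conf file */` now sits above a test for uid 0, and the new comment says only the tss user can read the file, whereas mode 0640 with root:tss gives read access to the tss group and write access to root. Suggest `/* conf file must be owned by root with group TSS */` and `/* root may write, group tss may only read, others get nothing */`. The mode test is an exact match (`(stat_buf.st_mode & 0777) ^ mode`), so a stricter existing file such as 0600 is rejected as well; if that is intended, the log message could say "exactly 0640". With the uid comparison gone, `pw` may now be unused in conf_file_init(), whose body extends beyond the hunk.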