Hello community,

here is the log from the commit of package at for openSUSE:Factory checked in 
at 2013-11-20 10:23:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/at (Old)
 and      /work/SRC/openSUSE:Factory/.at.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "at"

Changes:
--------
--- /work/SRC/openSUSE:Factory/at/at.changes    2013-10-22 14:50:20.000000000 
+0200
+++ /work/SRC/openSUSE:Factory/.at.new/at.changes       2013-11-20 
10:23:26.000000000 +0100
@@ -1,0 +2,8 @@
+Tue Nov 12 15:37:29 UTC 2013 - mvysko...@suse.com
+
+- use old privs model (fixes bnc#849720)
+  * at-backport-old-privs.patch
+- do not install sysvinit script and service file together
+- add sticky bit to atjobs
+
+-------------------------------------------------------------------

New:
----
  at-backport-old-privs.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ at.spec ++++++
--- /var/tmp/diff_new_pack.zsUHR9/_old  2013-11-20 10:23:27.000000000 +0100
+++ /var/tmp/diff_new_pack.zsUHR9/_new  2013-11-20 10:23:27.000000000 +0100
@@ -62,6 +62,8 @@
 #PATCH-FIX-OPENSUSE Set pid dir to /run not /var/run
 Patch22:        at-piddir.patch
 Patch23:        at-secure_getenv.patch
+#PATCH-FIX-OPENSUSE backport privs from 3.1.8 (bnc#849720)
+Patch24:        at-backport-old-privs.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         %{_sbindir}/useradd %{_sbindir}/groupadd %fillup_prereq 
%insserv_prereq
 PreReq:         permissions
@@ -98,6 +100,8 @@
 %patch21 -p1
 %patch22
 %patch23 -p1
+%patch24 -p1
+
 %build
 rm -fv y.tab.c y.tab.h lex.yy.c lex.yy.o y.tab.o
 autoreconf -fiv
@@ -107,10 +111,11 @@
   --with-selinux \
   --with-daemon_username=at \
   --with-daemon_groupname=at
+
 make %{?_smp_mflags}
 
 %install
-mkdir -p $RPM_BUILD_ROOT/etc/{init.d,pam.d}
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d
 mkdir -p $RPM_BUILD_ROOT/usr/{bin,sbin,share/man/man{1,5,8}}
 mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
 export CFLAGS="$RPM_OPT_FLAGS"
@@ -119,15 +124,20 @@
 # Don't install docs here in this way
 mkdir docs
 mv $RPM_BUILD_ROOT/%{_prefix}/doc/at/* docs/
+
+%if ! %{has_systemd}
+mkdir -p $RPM_BUILD_ROOT/etc/init.d
 install %SOURCE1 $RPM_BUILD_ROOT/etc/init.d/atd
 ln -sf ../../etc/init.d/atd $RPM_BUILD_ROOT%{_sbindir}/rcatd
-install -m644 %SOURCE2 $RPM_BUILD_ROOT/etc/pam.d/atd
-install -m644 %SOURCE3 $RPM_BUILD_ROOT/var/adm/fillup-templates
-%if 0%{?has_systemd}
+%else
 install -D -m 0644 %{S:5} %{buildroot}%{_unitdir}/atd.service
 %{__install} -D -m 0755 %{S:4} 
%{buildroot}%{_prefix}/lib/systemd/system-sleep/atd.sh
+ln -sf ../../%{_sbindir}/service $RPM_BUILD_ROOT%{_sbindir}/rcatd
 %endif
 
+install -m644 %SOURCE2 $RPM_BUILD_ROOT/etc/pam.d/atd
+install -m644 %SOURCE3 $RPM_BUILD_ROOT/var/adm/fillup-templates
+
 %pre
 %{_sbindir}/groupadd -g 25 -o -r at 2> /dev/null || :
 %{_sbindir}/useradd -r -o -g at -u 25 -s /bin/bash -c "Batch jobs daemon" -d 
/var/spool/atjobs at 2> /dev/null || :
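Review bot: The new guard `%if ! %{has_systemd}` is written differently from every other systemd conditional in this spec, which use `0%{?has_systemd}` (see the `%post`, `%postun` and `%files` hunks below). If `has_systemd` is ever undefined, `%{has_systemd}` stays unexpanded and the `%if` expression will not evaluate cleanly, whereas the `0%{?...}` form degrades to 0. I would write it as `%if ! 0%{?has_systemd}` so that all four conditionals agree on which init system is being packaged. Where the macro is defined is outside this diff.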
@@ -148,20 +158,22 @@
 rm -f etc/init.d/at
 %{insserv_cleanup}
 fi
-%{fillup_and_insserv -n atd atd }
 %set_permissions /usr/bin/at
 %if 0%{?has_systemd}
 %service_add_post atd.service
+%else
+%{fillup_and_insserv -n atd atd }
 %endif
 
 %verifyscript
 %verify_permissions -e /usr/bin/at
 
 %postun
-%restart_on_update atd
 %insserv_cleanup
 %if 0%{?has_systemd}
 %service_del_postun atd.service
+%else
+%restart_on_update atd
 %endif
 
 %files
@@ -169,7 +181,6 @@
 %doc Problems Copyright COPYING README ChangeLog timespec
 %config(noreplace) /etc/at.deny
 %{_sbindir}/rcatd
-%config /etc/init.d/atd
 %config %attr(644,root,root) /etc/pam.d/atd
 %verify(not mode) %attr(4750,root,trusted) %{_bindir}/at
 %{_bindir}/atq
@@ -179,12 +190,14 @@
 %{_sbindir}/atd
 %{_sbindir}/atrun
 %attr(700,at,at) %dir /var/spool/atspool
-%attr(700,at,at) %dir /var/spool/atjobs
+%attr(1770,at,at) %dir /var/spool/atjobs
 %attr(600,at,at) /var/spool/atjobs/.SEQ
 /var/adm/fillup-templates/sysconfig.atd
 %if 0%{?has_systemd}
 %{_unitdir}/atd.service
 %{_prefix}/lib/systemd/system-sleep/atd.sh
+%else
+%config /etc/init.d/atd
 %endif
 
 %changelog
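Review bot: The mode of `/var/spool/atjobs` goes from 700 to 1770 with no comment in the spec, and it is the one line here that widens access: every member of group `at` can now create entries in the spool. The sticky bit limits removal and renaming to an entry's owner (or the directory owner and root), which appears to be what the re-enabled `fchown(fd2, real_uid, real_gid)` in at-backport-old-privs.patch relies on, but that link is only implied. I would add a comment above the line, e.g. `# 1770: job files are chowned to the submitting user; sticky bit keeps users from removing each other's jobs`, and confirm that group `at` has no members besides the daemon account. `.SEQ` stays 600 at:at and `/var/spool/atspool` stays 700, so only the job directory changes.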

++++++ at-backport-old-privs.patch ++++++
From: Michal Vyskocil <mvysko...@suse.com>
Subject: Backport old privs

at since 3.10 has substantially changed the privilege model, which is tied to
the Debian setup of at. As SUSE uses a different layout, this patch reintroduces
PRIV_START/PRIV_END + fchown where needed.

References: https://bugzilla.novell.com/show_bug.cgi?id=849720

---
 at.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

Index: at-3.1.13/at.c
===================================================================
--- at-3.1.13.orig/at.c
+++ at-3.1.13/at.c
@@ -154,18 +154,11 @@ sigc(int signo)
 /* If the user presses ^C, remove the spool file and exit 
  */
     if (fcreated) {
-       /*
         PRIV_START
 
-        We need the unprivileged uid here since the file is owned by the real
-        (not effective) uid.
-        */
-        setregid(real_gid, effective_gid);
            unlink(atfile);
-        setregid(effective_gid, real_gid);
-        /*
+
        PRIV_END
-        */
     }
     exit(EXIT_FAILURE);
 }
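Review bot: sigc() now switches ids with `PRIV_START`/`PRIV_END` inside a signal handler, and the result of `unlink(atfile)` is still ignored. The macros are defined outside this diff, so it cannot be checked here whether they behave sanely if the signal arrives while writefile() is itself between `PRIV_START` and `PRIV_END` (its open/dup/fchown section in the next hunk), or whether they call anything that is not async-signal-safe. Because the handler exits right afterwards this is probably benign, but once confirmed against the macro definitions I would say so at the top of the block, e.g. `/* May run while writefile() is inside PRIV_START..PRIV_END; harmless because we exit right after. */`. The new-side indentation of `PRIV_START`, `unlink` and `PRIV_END` is also uneven.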
@@ -325,18 +318,14 @@ writefile(time_t runtimer, char queue)
         * bit.  Yes, this is a kluge.
         */
        cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
-        seteuid(real_uid);
        if ((fd = open(atfile, O_CREAT | O_EXCL | O_TRUNC | O_WRONLY, S_IRUSR)) 
== -1)
            perr("Cannot create atjob file %.500s", atfile);
-        seteuid(effective_uid);
 
        if ((fd2 = dup(fd)) < 0)
            perr("Error in dup() of job file");
 
-        /*
        if (fchown(fd2, real_uid, real_gid) != 0)
            perr("Cannot give away file");
-        */
 
     PRIV_END
 
@@ -679,11 +668,7 @@ process_jobs(int argc, char **argv, int
                switch (what) {
                case ATRM:
 
-                    /*
-                    We need the unprivileged uid here since the file is owned 
by the real
-                    (not effective) uid.
-                    */
-                    setregid(real_gid, effective_gid);
+                    PRIV_START
 
                    if (queue == '=') {
                        fprintf(stderr, "Warning: deleting running job\n");
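Review bot: With `PRIV_START` replacing `setregid(real_gid, effective_gid)`, the removal in the ATRM branch runs under the raised ids rather than the caller's, so (assuming the macro switches to the effective ids of the setuid binary) the kernel no longer stops one user from deleting another's job; the same holds for `fopen(dirent->d_name, "r")` in the cat branch further down. Both now depend entirely on an ownership check made in process_jobs() before the switch, which is outside these hunks, as are the lines between this hunk and the `PRIV_END` in the next one. Please confirm that the check compares the entry's owner with `real_uid` and that the name is not re-resolved in between. The deleted comment explained why the ids were switched and the new code has none, so I would add `/* Owner already verified above; raise privileges only for the unlink. */` before `PRIV_START`. The warning `fprintf` does not need to sit inside the privileged section.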
@@ -693,7 +678,7 @@ process_jobs(int argc, char **argv, int
                        rc = EXIT_FAILURE;
                    }
 
-                    setregid(effective_gid, real_gid);
+                    PRIV_END
                    done = 1;
 
                    break;
@@ -703,21 +688,25 @@ process_jobs(int argc, char **argv, int
                        FILE *fp;
                        int ch;
 
-                       setregid(real_gid, effective_gid);
-                       fp = fopen(dirent->d_name, "r");
+                       PRIV_START
+
+                           fp = fopen(dirent->d_name, "r");
+
+                       PRIV_END
 
                        if (fp) {
                            while ((ch = getc(fp)) != EOF) {
                                putchar(ch);
                            }
                            done = 1;
+                            PRIV_START
                            fclose(fp);
+                            PRIV_END
                        }
                        else {
                            perr("Cannot open %.500s", dirent->d_name);
                            rc = EXIT_FAILURE;
                        }
-                       setregid(effective_gid, real_gid);
                    }
                    break;
 
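Review bot: `fclose(fp)` on a stream opened with "r" needs no special identity, so wrapping it in `PRIV_START`/`PRIV_END` only adds a second privileged window; I would keep the raised section to the `fopen` alone and leave a plain `fclose(fp);`. The copy loop correctly runs after `PRIV_END`, so job contents are written to stdout with the caller's ids. The return value of `fclose` is unchecked, which is tolerable for a read-only stream. The body of process_jobs() extends beyond this hunk.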
-- 