Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package proftpd for openSUSE:Factory checked in at 2021-10-29 22:34:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/proftpd (Old) and /work/SRC/openSUSE:Factory/.proftpd.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "proftpd" Fri Oct 29 22:34:34 2021 rev:42 rq:928151 version:1.3.6e Changes: -------- --- /work/SRC/openSUSE:Factory/proftpd/proftpd.changes 2020-11-30 09:54:11.601798039 +0100 +++ /work/SRC/openSUSE:Factory/.proftpd.new.1890/proftpd.changes 2021-10-29 22:35:40.051714625 +0200 @@ -1,0 +2,8 @@ +Wed Oct 20 13:16:36 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_proftpd.service.patch + Modified: + * proftpd.service + +------------------------------------------------------------------- New: ---- harden_proftpd.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ proftpd.spec ++++++ --- /var/tmp/diff_new_pack.fYlGY6/_old 2021-10-29 22:35:40.595714831 +0200 +++ /var/tmp/diff_new_pack.fYlGY6/_new 2021-10-29 22:35:40.599714832 +0200 @@ -47,6 +47,7 @@ Patch104: %{name}-no_BuildDate.patch #RPMLINT-FIX-openSUSE: env-script-interpreter Patch105: %{name}_env-script-interpreter.patch +Patch106: harden_proftpd.service.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build #BuildRequires: gpg-offline BuildRequires: fdupes @@ -154,6 +155,7 @@ %patch103 %patch104 %patch105 +%patch106 -p1 %build rm contrib/mod_wrap.c ++++++ harden_proftpd.service.patch ++++++ Index: proftpd-1.3.6e/contrib/dist/rpm/proftpd.service =================================================================== --- proftpd-1.3.6e.orig/contrib/dist/rpm/proftpd.service +++ proftpd-1.3.6e/contrib/dist/rpm/proftpd.service @@ -4,6 +4,18 @@ Wants=network-online.target After=network-online.target nss-lookup.target local-fs.target remote-fs.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions Type = simple Environment = PROFTPD_OPTIONS= EnvironmentFile = -/etc/sysconfig/proftpd ++++++ proftpd.service ++++++ --- /var/tmp/diff_new_pack.fYlGY6/_old 2021-10-29 22:35:40.703714872 +0200 +++ /var/tmp/diff_new_pack.fYlGY6/_new 2021-10-29 22:35:40.703714872 +0200 @@ -3,6 +3,18 @@ After=systemd-user-sessions.service network.target nss-lookup.target local-fs.target remote-fs.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=/usr/sbin/proftpd --nodaemon ExecReload=/bin/kill -HUP $MAINPID
