Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2026-05-29 18:08:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apptainer" Fri May 29 18:08:48 2026 rev:43 rq:1355778 version:1.4.5 Changes: -------- --- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2026-05-23 23:27:12.052279827 +0200 +++ /work/SRC/openSUSE:Factory/.apptainer.new.1937/apptainer.changes 2026-05-29 18:10:31.934927759 +0200 @@ -1,0 +2,17 @@ +Fri May 29 06:54:25 UTC 2026 - Egbert Eich <[email protected]> + +- Fix CVE-2026-39821 (GO-2026-5026) (bsc#1266656) + Update golang.org/x/net to 0.55.0. + +------------------------------------------------------------------- +Sat May 23 08:13:18 UTC 2026 - Egbert Eich <[email protected]> + +- Add improved handling of suid-starter: + * Add system group `apptainer` + * Make sure, only users belonging to this group are able to + run the application. + * Document this in a README and point user to it if execution + fails. + Building of the 'suid-root' starter is still optional. + +------------------------------------------------------------------- New: ---- README.SUSE-suid ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apptainer.spec ++++++ --- /var/tmp/diff_new_pack.Kms4ZK/_old 2026-05-29 18:10:36.323116605 +0200 +++ /var/tmp/diff_new_pack.Kms4ZK/_new 2026-05-29 18:10:36.331116949 +0200 @@ -38,7 +38,8 @@ Conflicts: singularity-runtime Source0: https://github.com/apptainer/apptainer/archive/v%{version}%{?vers_suffix}/apptainer-%{version}%{?vers_suffix}.tar.gz Source1: README.SUSE -Source2: SUSE.def +Source2: README.SUSE-suid +Source5: SUSE.def Source6: SLE-15SP6.def Source7: SLE-15SP7.def Source8: SLE-16.def @@ -59,6 +60,7 @@ BuildRequires: make BuildRequires: openssl-devel BuildRequires: sysuser-tools +PreReq: permissions Requires: squashfs Requires: squashfuse Recommends: fuse2fs 
@@ -70,7 +72,6 @@ # Needed for container decryption in userspace, upstream rpms include this # but factory should have this seperately Recommends: gocryptfs -PreReq: permissions # there's no golang for ppc64 & %%ix86, ppc64le does not have non pie builds ExcludeArch: ppc64 ppc64le %ix86 s390 s390x @@ -80,12 +81,14 @@ containers that can be used across host environments. %package suid -Summary: suid starter for Apptainer +Summary: SUID starter for Apptainer +PreReq: permissions Requires: apptainer = %version %description suid This package contains the suid starter for Apptainer. -Do not install unless this is absolutely needed! +DO NOT install unless your use case is not handled by user namespaces! +Check %_defaultdocdir/apptainer-suid/README.SUSE-suid for details. %package sle15_6 Summary: Apptainer Definition File Templates for SLE 15 SP6 @@ -125,7 +128,11 @@ %prep %autosetup -n %{name}-%{version}%{?vers_suffix} -a21 -cp %{S:1} . +cp %{S:1} %{S:2} . +# Patch suid starter to provide informative message for SUSE on exec fail. +sed -i -e "/while executing/s@\(%s: %s\)@\1\\\n\ +Please read %_defaultdocdir/apptainer-suid/README.SUSE-suid \ +for details\\\n@" internal/pkg/util/starter/starter.go %build 
@@ -160,12 +167,21 @@ %make_install -C builddir V= install -d -m 0755 %{buildroot}/%{_datarootdir}/apptainer/templates -install -m 0644 %{S:2} %{S:10} %{buildroot}/%{_datarootdir}/apptainer/templates +install -m 0644 %{S:5} %{S:10} %{buildroot}/%{_datarootdir}/apptainer/templates %{!?is_opensuse:install -m 0644 %{S:6} %{S:7} %{S:8} %{buildroot}/%{_datarootdir}/apptainer/templates} %fdupes apptainer/examples %fdupes -s %buildroot +%if %{with suid} +echo "g %name -" > system-group-%{name}.conf +%sysusers_generate_pre system-group-%{name}.conf %{name} system-group-%{name}.conf +install -D -m 644 system-group-%{name}.conf %{buildroot}%{_sysusersdir}/system-group-%{name}.conf +# Disallow SUID by default! +sed -i -e "/allow setuid/s@\(.* =\).*@\1 no@" \ + %{buildroot}%{_sysconfdir}/apptainer/apptainer.conf +%endif + %check %if %{with vulncheck} for i in $(find %{buildroot} -executable -and -not -type d -and -not -name "*.debug" -and -not -name "*.so*"); do @@ -174,6 +190,14 @@ done %endif +%pre suid -f %{name}.pre + +%post suid +%set_permissions %{_libexecdir}/apptainer/bin/starter-suid + +%verifyscript suid +%verify_permissions -e %{_libexecdir}/apptainer/bin/starter-suid + %files %doc examples %doc CONTRIBUTING.md @@ -194,7 +218,7 @@ %{_libexecdir}/apptainer/bin/starter %{_libexecdir}/apptainer/lib/offsetpreload.so %{_libexecdir}/apptainer/cni/* -%{_datarootdir}/apptainer/templates/%{basename:%{S:2}} +%{_datarootdir}/apptainer/templates/%{basename:%{S:5}} %dir %{_sysconfdir}/apptainer %config(noreplace) %{_sysconfdir}/apptainer/capability.json %config(noreplace) %{_sysconfdir}/apptainer/cgroups 
@@ -215,7 +239,9 @@ %if %{with suid} %files suid -%{_libexecdir}/apptainer/bin/starter-suid +%doc %{basename:%{S:2}} +%verify(not mode) %attr(4750, root, apptainer) %{_libexecdir}/apptainer/bin/starter-suid +%{_sysusersdir}/system-group-%{name}.conf %endif %if 0%{!?is_opensuse:1} ++++++ README.SUSE-suid ++++++ # openSUSE/SUSE specific Settings for running in SUID mode openSUSE and SUSE provide the optionally `suid-starter` for apptainer in a separate package `apptainer-suid`. There is support for unprivileged user name spaces where normal, unprivileged users are able to create a user namespace. Most operations needed to run a container will run in this. Thus, it is not recommended to install this package unless there is a use case not handled by user namespaces. For futher informations check: [Security in Apptainer](https://apptainer.org/docs/user/main/security.html) [Apptainer Security Options](https://apptainer.org/docs/user/latest/security_options.html) # Differences in openSUSE and SUSE to the Upstream Default The use of the suid starter is disabled by default - even with the `apptainer-suid` package installed. Thus, the suid-starter will not be used. To enable it, edit `/etc/apptainer/apptainer.conf` and change the value of `allow suid` to `yes`. Beware, that this will change the behavior of apptainer in that it will then use SUID by default. To use user namespace instead, add the `--userns` option to `apptainer run/exec/shell`. Futhermore, the SUID root starter ins executable only for users belonging to the group 'apptainer'. Otherwise, users will get an error message like this one: ``` FATAL: while executing /usr/lib/apptainer/bin/starter-suid: permission denied ``` To add a user to the group apptainer, execute (as root): ``` # usermod -a -G apptainer <user_login> ``` ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.Kms4ZK/_old 2026-05-29 18:10:37.483166528 +0200 +++ /var/tmp/diff_new_pack.Kms4ZK/_new 2026-05-29 18:10:37.535168766 +0200 
@@ -1,4 +1,4 @@ -mtime: 1779467248 -commit: 1225775c859fb566a06b933fdb3eab40eecdfdcd29c9a2c1282da257e248a3f5 +mtime: 1780037724 +commit: 79654f665f78ceec6a558d2f3945e5ea3e3427829d33d2257637776cc796af09 url: https://src.opensuse.org/Cluster/apptainer.git ++++++ _service ++++++ --- /var/tmp/diff_new_pack.Kms4ZK/_old 2026-05-29 18:10:37.875183398 +0200 +++ /var/tmp/diff_new_pack.Kms4ZK/_new 2026-05-29 18:10:37.923185464 +0200 @@ -22,7 +22,7 @@ google.golang.org/grpc=google.golang.org/[email protected] </param> <param name="replace"> - golang.org/x/net=golang.org/x/[email protected] + golang.org/x/net=golang.org/x/[email protected] </param> <param name="replace"> golang.org/x/crypto=golang.org/x/[email protected] ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-29 08:55:24.000000000 +0200 @@ -0,0 +1,8 @@ +*.obscpio +*.osc +_build.* +.pbuild +*.obscpio +*.osc +_build.* +.pbuild ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/apptainer/vendor.tar.gz /work/SRC/openSUSE:Factory/.apptainer.new.1937/vendor.tar.gz differ: char 125, line 1
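Review bot: in the %install hunk (@@ -160,12 +167,21 @@) the sysusers config that produces `%{name}.pre` is generated only inside `%if %{with suid}`, but the scriptlets added in the next hunk (@@ -174,6 +190,14 @@), `%pre suid -f %{name}.pre`, `%post suid` and `%verifyscript suid`, are not guarded, and the visible `%package suid` stanza (@@ -80,12 +81,14 @@) is not guarded either. A build with suid disabled will then reference a `%{name}.pre` file that was never written. Either wrap the three scriptlets in the same `%if %{with suid}` ... `%endif` that already guards `%files suid`, or generate the sysusers file unconditionally.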
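Review bot: the %prep hunk (@@ -125,7 +128,11 @@) reworks upstream's error text with an unchecked `sed -i` on internal/pkg/util/starter/starter.go; if a later upstream release rewords the `while executing ... %s: %s` format string, sed matches nothing, still exits 0, and the hint pointing users at README.SUSE-suid silently drops out of the build. Carry the change as a patch file so %autosetup fails loudly on a reject, or follow the sed with a check such as `grep -q README.SUSE-suid internal/pkg/util/starter/starter.go || exit 1`.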

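Review bot: README.SUSE-suid tells the user to change `allow suid` in `/etc/apptainer/apptainer.conf`, but the %install hunk (@@ -160,12 +167,21 @@) disables the starter with `sed -i -e "/allow setuid/s@\(.* =\).*@\1 no@"`, so the key the spec actually rewrites is `allow setuid`; a user searching the config for `allow suid` will not find it. Align the README with the key the spec edits. While in that file, fix "provide the optionally `suid-starter`" to "optionally provide the `suid-starter`", "futher informations" to "further information", and "ins executable" to "is executable".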
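Review bot: the new .gitignore in build.specials.obscpio (@@ -0,0 +1,8 @@) lists every pattern twice: `*.obscpio`, `*.osc`, `_build.*` and `.pbuild` appear on lines 1-4 and again on lines 5-8. Keep one copy of the four patterns; the duplicates are harmless to git but look like the file was appended to twice.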