Hello community,

here is the log from the commit of package ntpsec for openSUSE:Factory checked in at 2021-10-15 23:03:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntpsec (Old)
 and /work/SRC/openSUSE:Factory/.ntpsec.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntpsec" Fri Oct 15 23:03:34 2021 rev:19 rq:925147 version:1.2.1 Changes: -------- --- /work/SRC/openSUSE:Factory/ntpsec/ntpsec.changes 2021-06-14 23:11:37.460808881 +0200 +++ /work/SRC/openSUSE:Factory/.ntpsec.new.1890/ntpsec.changes 2021-10-15 23:03:47.282089954 +0200 @@ -1,0 +2,10 @@ +Tue Oct 12 06:17:37 UTC 2021 - Johannes Segitz <[email protected]> + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_ntp-wait.service.patch + * harden_ntpd.service.patch + * harden_ntplogtemp.service.patch + * harden_ntpviz-daily.service.patch + * harden_ntpviz-weekly.service.patch + +------------------------------------------------------------------- New: ---- harden_ntp-wait.service.patch harden_ntpd.service.patch harden_ntplogtemp.service.patch harden_ntpviz-daily.service.patch harden_ntpviz-weekly.service.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntpsec.spec ++++++ --- /var/tmp/diff_new_pack.6Prgh6/_old 2021-10-15 23:03:48.054090504 +0200 +++ /var/tmp/diff_new_pack.6Prgh6/_new 2021-10-15 23:03:48.058090507 +0200 @@ -28,6 +28,11 @@ Source3: %{name}.changes Source4: logrotate.ntp Source8: ntp.conf +Patch0: harden_ntp-wait.service.patch +Patch1: harden_ntpd.service.patch +Patch2: harden_ntplogtemp.service.patch +Patch3: harden_ntpviz-daily.service.patch +Patch4: harden_ntpviz-weekly.service.patch BuildRequires: asciidoc BuildRequires: avahi-compat-mDNSResponder-devel BuildRequires: bison @@ -112,6 +117,11 @@ # there is no actual reason for 3.18 gpsd version sed -i -e 's:, condition="ver >= num(3, 18)"::' \ pylib/wscript +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build %global _lto_cflags %{nil} ++++++ harden_ntp-wait.service.patch ++++++ Index: ntpsec-1.2.1/etc/ntp-wait.service =================================================================== --- ntpsec-1.2.1.orig/etc/ntp-wait.service +++ ntpsec-1.2.1/etc/ntp-wait.service 
@@ -7,6 +7,16 @@ Conflicts=systemd-timesyncd.service ConditionCapability=CAP_SYS_TIME [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +# end of automatic additions Type=oneshot ExecStart=@BINDIR@/ntpwait -s 1 -n 30000 RemainAfterExit=yes ++++++ harden_ntpd.service.patch ++++++ Index: ntpsec-1.2.1/etc/ntpd.service =================================================================== --- ntpsec-1.2.1.orig/etc/ntpd.service +++ ntpsec-1.2.1/etc/ntpd.service @@ -9,6 +9,16 @@ Conflicts=systemd-timesyncd.service [Service] Type=forking PrivateTmp=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +# end of automatic additions ExecStart=@SBINDIR@/ntpd -g -N -u ntp:ntp # Specifying -g on the command line allows ntpd to make large adjustments to # the clock on boot. However, if Restart=yes is set, a malicious (or broken) ++++++ harden_ntplogtemp.service.patch ++++++ Index: ntpsec-1.2.1/etc/ntplogtemp.service =================================================================== --- ntpsec-1.2.1.orig/etc/ntplogtemp.service +++ ntpsec-1.2.1/etc/ntplogtemp.service 
@@ -3,5 +3,15 @@ Documentation=man:ntplogtemp(1) Description=Temperature information logger for ntpviz [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +# end of automatic additions Type=simple ExecStart=@BINDIR@/ntplogtemp -o -l /var/log/ntpstats/temps ++++++ harden_ntpviz-daily.service.patch ++++++ Index: ntpsec-1.2.1/etc/ntpviz-daily.service =================================================================== --- ntpsec-1.2.1.orig/etc/ntpviz-daily.service +++ ntpsec-1.2.1/etc/ntpviz-daily.service @@ -4,6 +4,16 @@ Description=Graph daily information for Requisite=ntpd.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +# end of automatic additions Type=simple IOSchedulingClass=idle ExecStart=@BINDIR@/ntpviz -w l -p 1 -o /var/www/localhost/htdocs/day ++++++ harden_ntpviz-weekly.service.patch ++++++ Index: ntpsec-1.2.1/etc/ntpviz-weekly.service =================================================================== --- ntpsec-1.2.1.orig/etc/ntpviz-weekly.service +++ ntpsec-1.2.1/etc/ntpviz-weekly.service 
@@ -4,6 +4,16 @@ Description=Graph weekly information for Requisite=ntpd.service [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +# end of automatic additions Type=simple IOSchedulingClass=idle ExecStart=@BINDIR@/ntpviz -w l -p 7 -o /var/www/localhost/htdocs/week
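Review bot: In the ntpsec.spec hunks, the new Patch0 to Patch4 tags carry no comment saying what the patches are for or whether they are meant to go upstream, and %prep repeats the same invocation five times (`%patch0 -p1` through `%patch4 -p1`). A one-line comment above the tags that references bsc#1181400, as the changelog entry does, would keep the spec self-explanatory, and a single `%autopatch -p1` after the sed call would apply all five and stay correct if another unit is hardened later.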
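Review bot: In the ntpd.service hunk, the added block does not record that ProtectClock= is left out on purpose, and this is the unit where that matters, because the ExecStart line `ntpd -g -N -u ntp:ntp` has to adjust the system clock. Since the block is marked "added automatically", a short comment next to it stating that ProtectClock= must stay unset would stop a later run of the same tooling from adding it. With ProtectSystem=full making /etc read-only, it is also worth confirming that nothing ntp.conf tells ntpd to write (drift file, statistics, key material) is placed under /etc.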
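Review bot: In the ntplogtemp.service hunk, ProtectKernelTunables=true makes /sys and /proc/sys read-only for a unit whose Description is "Temperature information logger for ntpviz", and neither the patch nor the changelog entry says the unit was run after the change. Read-only access is normally enough for reading sensor values, so this is probably fine, but the patch header should state that `ntplogtemp -o -l /var/log/ntpstats/temps` was verified to still produce output with the block in place. The log path itself is not affected, since ProtectSystem=full leaves /var writable.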
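Review bot: In the ntpviz-daily.service and ntpviz-weekly.service hunks, ProtectSystem=full still leaves all of /var writable, although each ExecStart writes to one directory only (`-o /var/www/localhost/htdocs/day` and `-o /var/www/localhost/htdocs/week`). These two units are candidates for ProtectSystem=strict with ReadWritePaths= set to that output directory, plus PrivateTmp=true as ntpd.service already has, after checking that ntpviz needs no other writable location.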
