Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package watchman for openSUSE:Factory checked in at 2022-01-10 23:53:46

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/watchman (Old)
 and      /work/SRC/openSUSE:Factory/.watchman.new.1892 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "watchman" Mon Jan 10 23:53:46 2022 rev:6 rq:945357 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/watchman/watchman.changes 2020-06-02 14:43:34.388457203 +0200 +++ /work/SRC/openSUSE:Factory/.watchman.new.1892/watchman.changes 2022-01-10 23:54:23.688845963 +0100 @@ -1,0 +2,15 @@ +Mon Jan 10 15:01:24 UTC 2022 - Matthias Gerstner <matthias.gerst...@suse.com> + +- ship README.suse that explains how to use the template systemd units +- add user writable bit for systemd service and socket files +- properly handle state directory creation in /run/watchman/$USER-state. The + former approach was susceptible to a local privilege escalation using + symlinks (CVE-2022-21944, bsc#1194470). + +------------------------------------------------------------------- +Wed Jan 5 10:42:27 UTC 2022 - Johannes Segitz <jseg...@suse.com> + +- Added hardening to systemd service(s) (bsc#1181400). Modified: + * watchman@.service + +------------------------------------------------------------------- New: ---- README.suse watchman_create_state_dir ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ watchman.spec ++++++ --- /var/tmp/diff_new_pack.9viBVf/_old 2022-01-10 23:54:24.216846426 +0100 +++ /var/tmp/diff_new_pack.9viBVf/_new 2022-01-10 23:54:24.224846433 +0100 @@ -1,7 +1,7 @@ # # spec file for package watchman # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -31,6 +31,8 @@ Source1: watchman.conf Source2: watchman@.service Source3: watchman@.socket +Source4: watchman_create_state_dir +Source5: README.suse # prevent the build system overwriting the autotools docdir in a hard-coded way Patch0: %{name}_4.7.0_makefile-am.diff Patch1: 0001-Replaced-memset-calls-with-appopriate-C-11-init-or-a.patch 
@@ -184,11 +186,16 @@ install -m 0644 %{SOURCE1} %{build_tmpfile_conf} %define build_unitdir %{buildroot}%{_unitdir} -install -D -m 444 %{SOURCE2} %{build_unitdir}/%{name}@.service -install -D -m 444 %{SOURCE3} %{build_unitdir}/%{name}@.socket +install -D -m 644 %{SOURCE2} %{build_unitdir}/%{name}@.service +install -D -m 644 %{SOURCE3} %{build_unitdir}/%{name}@.socket %define tmpfile_conf %{_tmpfilesdir}/%{name}.conf +mkdir -p %{buildroot}/%{_libexecdir}/watchman +install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/watchman/create_state_dir + +install -m 644 %{SOURCE5} %{buildroot}/%{docdir}/README.suse + %files %doc %docdir %{_bindir}/watchman @@ -197,6 +204,8 @@ %if 0%{?sle_version} <= 120200 %dir %{_tmpfilesdir} %endif +%dir %{_libexecdir}/watchman/ +%{_libexecdir}/watchman/create_state_dir %{tmpfile_conf} # avoid rpmlint warning tmpfile-not-in-filelist @@ -226,7 +235,6 @@ %service_add_post %{name}@.socket %{name}@.service # to initially create the statedir without reboot # NOTE: This macro is not available in older versions of systemd-rpm-macros, -# causing builds on openSUSE_Leap < 42_2 to fail currently. %tmpfiles_create %{tmpfile_conf} %preun ++++++ README.suse ++++++ The SUSE packaging of watchman ships a systemd service and socket unit that can be used for running a system wide per-user instance of watchman via systemd. To do so you need to execute the following commands as root: TARGETUSER=myuser systemctl enable watchman@${TARGETUSER}.socket systemctl enable watchman@${TARGETUSER}.service systemctl start watchman@${TARGETUSER}.socket After doing so any `watchman` invocations you perform as `$USER` should talk to the systemd controlled instance of watchman. ++++++ watchman@.service ++++++ --- /var/tmp/diff_new_pack.9viBVf/_old 2022-01-10 23:54:24.300846499 +0100 +++ /var/tmp/diff_new_pack.9viBVf/_new 2022-01-10 23:54:24.300846499 +0100 
@@ -4,6 +4,17 @@ Conflicts=shutdown.target [Service] +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort +ProtectSystem=full +ProtectHome=read-only +ProtectHostname=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true +# end of automatic additions ExecStart=/usr/bin/watchman --foreground --inetd ExecStop=/usr/bin/pkill -u %i -x watchman Restart=on-failure ++++++ watchman@.socket ++++++ --- /var/tmp/diff_new_pack.9viBVf/_old 2022-01-10 23:54:24.316846514 +0100 +++ /var/tmp/diff_new_pack.9viBVf/_new 2022-01-10 23:54:24.316846514 +0100 
@@ -7,14 +7,14 @@ SocketMode=0640 SocketUser=%i SocketGroup=users -# the mode for the implicitly created, intermediate %i-state directory -DirectoryMode=0750 -# this explicitly sets the ownership of the user's state directory -# there seems to be no built-in way to achieve this via systemd options -# this needs to be post-start, because otherwise the directory is not yet -# created by systemd -ExecStartPost=/usr/bin/chown %i:users /run/watchman/%i-state - +# the mode for any implicitly created, intermediate %i-state directories +DirectoryMode=0700 +# run as the unprivileged target user (for ExecStartPRe below) +User=%i +# this explicitly creates the user's state directory +# this needs to be pre-start, because we want to make sure the state directory +# is sane before systemd starts using it. +ExecStartPre=/usr/libexec/watchman/create_state_dir /run/watchman/%i-state [Install] WantedBy=sockets.target ++++++ watchman_create_state_dir ++++++ #!/bin/bash if [ $# -ne 1 ]; then echo "$0: <path-to-state-dir>" 1>&2 exit 1 fi STATE_DIR="$1" cd -P "$STATE_DIR" 2>/dev/null if [ $? -eq 0 ]; then if [ `pwd` != "$STATE_DIR" ]; then echo "$STATE_DIR: appears to be a symlink" 1>&2 exit 1 fi # state directory already exists. make sure it is has correct ownership. owner=`stat -c "%U" .` if [ "$owner" == "$USER" ]; then # state dir is sane exit 0 fi echo "$STATE_DIR: already existing with bad ownership" 1>&2 exit 1 else mkdir -m2700 "$STATE_DIR" fi
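Review bot: in the second watchman.spec hunk (`@@ -184,11 +186,16 @@`), `install -m 644 %{SOURCE5} %{buildroot}/%{docdir}/README.suse` depends on a `%{docdir}` macro that is not visible in this diff (only the `%docdir` directive in `%files` is), and it installs into that directory without the `mkdir -p` that the `%{_libexecdir}/watchman` line directly above gets; `install -D -m 644 ...` would create the parent and make the line self-sufficient. The `%files` hunk lists `%{_libexecdir}/watchman/create_state_dir` but README.suse is only covered implicitly via `%doc %docdir`, so please double-check that `%{docdir}` and the `%docdir` directive refer to the same path, or rpmbuild will report an unpackaged file.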
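Review bot: in the fourth watchman.spec hunk (`@@ -226,7 +235,6 @@`), deleting only the second line of the note leaves `# NOTE: This macro is not available in older versions of systemd-rpm-macros,` as a fragment ending in a comma; since the Leap 42.2 caveat is being dropped as obsolete, drop the whole two-line note, or reword the remaining line into a complete sentence.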
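Review bot: README.suse sets `TARGETUSER` in the commands but then says invocations performed as `$USER` will reach the systemd instance; use one name for the user throughout (e.g. "as `$TARGETUSER`"). It also enables `watchman@${TARGETUSER}.service` but only starts the socket, which is correct for a socket-activated service (`--inetd` in the service unit), but a sentence saying the service is started on demand by the first `watchman` call would stop users from reporting an "inactive" service as a bug.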
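Review bot: in the watchman@.service hunk, `ProtectHome=read-only` is compatible with watching trees under the user's home (inotify needs no write access), but any write watchman itself attempts there, for example a user-configured log file, will now fail, and the hunk does not say where this instance logs; please confirm that with `--foreground --inetd` all writes go to the `/run/watchman/%i-state` directory, and document that in the `# added automatically` comment block. Consider also whether `NoNewPrivileges=true` and `PrivateTmp=true` are acceptable for this service; the `ExecStop=/usr/bin/pkill -u %i -x watchman` line would be unaffected by either.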
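Review bot: in the watchman@.socket hunk, the comment `# run as the unprivileged target user (for ExecStartPRe below)` has a typo (`ExecStartPRe` should read `ExecStartPre`). More importantly, with `User=%i` the pre-start script runs as the target user, so its `mkdir` can only succeed if `/run/watchman` itself is writable by that user; that directory comes from the tmpfiles config (`watchman.conf`, Source1), which this change does not touch, so please confirm it is created with the sticky bit (1777 or equivalent). Without the sticky bit any local user could rename or remove the freshly created `%i-state` directory between the `ExecStartPre` check and systemd binding the socket, which would reintroduce the race this change is meant to close.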
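Review bot: in `watchman_create_state_dir`, the `else` branch `mkdir -m2700 "$STATE_DIR"` sets the setgid bit on the state directory, which looks like a typo for `0700` (the socket unit's `DirectoryMode` is 0700 and a setgid bit has no purpose on a directory with no group permissions), and the script's exit status only reflects the `mkdir` result because it happens to be the last command; make that explicit, e.g. `mkdir -m 0700 "$STATE_DIR" || exit 1`, and add a comment that this branch is safe against a symlink planted between the failed `cd` and the `mkdir` because `mkdir` never follows a symlink in its final component. In the existing-directory branch the `\`pwd\` != "$STATE_DIR"` comparison is only meaningful when the caller passes a canonical path (the unit does, but a trailing slash would be reported as "appears to be a symlink"), the ownership check reads `$USER` from the environment where `$(id -un)` would not depend on systemd exporting it, and a directory that passes the owner check is accepted with whatever mode it has; a `chmod 0700 .` after the ownership check would also fix up a leftover `0750` directory from the previous `chown %i:users` scheme on a system upgraded without reboot. Minor: the script mixes backticks with `[ ... == ... ]`; `$(...)` and `=` would be the portable spelling even under `#!/bin/bash`.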