Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kismet for openSUSE:Factory checked in at 2023-02-11 21:56:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kismet (Old) and /work/SRC/openSUSE:Factory/.kismet.new.1848 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kismet"
Sat Feb 11 21:56:54 2023 rev:56 rq:1064256 version:2022_08_R1
Changes:
--------
--- /work/SRC/openSUSE:Factory/kismet/kismet.changes 2022-08-30 14:49:02.300052805 +0200
+++ /work/SRC/openSUSE:Factory/.kismet.new.1848/kismet.changes 2023-02-11 21:57:36.511729048 +0100
@@ -1,0 +2,15 @@
+Thu Jan 26 18:55:19 UTC 2023 - Wolfgang Frisch <wolfgang.fri...@suse.com>
+
+- Drop unnecessary root privileges in the systemd unit (bsc#1207654).
+ * switch from old-style user/group mgmt to sysusers.
+- Disable overly strict hardenings that would break some capture binaries,
+ e.g. kismet_cap_linux_wifi.
+- Remove superfluous executable bits from CSS files.
+
+-------------------------------------------------------------------
+Tue Jan 3 07:40:34 UTC 2023 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_kismet.service.patch
+
+-------------------------------------------------------------------
Old:
----
kismet-rpmlintrc
New:
----
harden_kismet.service.patch
kismet.sysusers
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kismet.spec ++++++
--- /var/tmp/diff_new_pack.I6DWIy/_old 2023-02-11 21:57:37.587735747 +0100
+++ /var/tmp/diff_new_pack.I6DWIy/_new 2023-02-11 21:57:37.591735772 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package kismet
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,8 +30,9 @@
 URL: https://www.kismetwireless.net/
 #Git-Clone: https://github.com/kismetwireless/kismet.git
 Source: https://github.com/kismetwireless/kismet/archive/%{name}-%{realver}.tar.gz
-Source1: %{name}-rpmlintrc
+Source2: %{name}.sysusers
 Patch0: kismet-fix-build.patch
+Patch1: harden_kismet.service.patch
 BuildRequires: fdupes
 BuildRequires: gcc-c++
 BuildRequires: libcap-devel
@@ -42,6 +43,8 @@
 BuildRequires: protobuf-c
 BuildRequires: python3
 BuildRequires: python3-setuptools
+BuildRequires: sysuser-shadow
+BuildRequires: sysuser-tools
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnm)
 BuildRequires: pkgconfig(libpcre)
@@ -72,10 +75,14 @@
 Requires(pre): permissions
 Requires(pre): shadow
 Provides: group(kismet)
+Provides: user(kismet)
 %if 0%{with ubertooth}
 Recommends: kismet-capture-ubertooth-one
 %endif
-%{?systemd_requires}
+%{?systemd_ordering}
+%{?sysusers_requires}
+
+%global homedir %{_localstatedir}/lib/%{name}
 
 %description
 Kismet is a wireless network and device detector, sniffer, wardriving
@@ -294,6 +301,9 @@
 find . -type f -name "Makefile*" -exec sed -i 's|setup.py install|setup.py install --root=$(DESTDIR)|g' {} \;
 # Fix wrong-script-end-of-line-encoding
 sed -i 's/\r$//' http_data/css/layout.css
+# rpmlint will complain about missing shebangs otherwise
+chmod a-x http_data/css/*.css
+%patch1 -p1
 
 %build
 %limit_build -m 2500
@@ -304,6 +314,8 @@
 make %{?_smp_mflags} all
 make %{?_smp_mflags} plugins
 
+%sysusers_generate_pre %{SOURCE2} %{name} %{name}.conf
+
 %install
 export INSTUSR=`id -un`
 export INSTGRP=`id -gn`
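Review bot: `Requires(pre): shadow` is kept in the @@ -72,10 hunk, but the only consumer visible on this page, the `getent group kismet >/dev/null || groupadd -r kismet` line in `%pre`, is removed by the @@ -314,15 hunk in this same commit, and `%{?sysusers_requires}` already pulls in what the generated `%pre` fragment needs, so the line now looks like a leftover. Unless a scriptlet outside the diff still calls a shadow tool, I would drop `Requires(pre): shadow` together with the `groupadd` call. A smaller point: `%global homedir %{_localstatedir}/lib/%{name}` is one of three places this directory is spelled — kismet.sysusers and `WorkingDirectory=` in harden_kismet.service.patch both hardcode `/var/lib/kismet` — so a comment such as `# keep in sync with kismet.sysusers and WorkingDirectory= in harden_kismet.service.patch` next to the `%global` would keep them from drifting apart if `%{_localstatedir}` ever differs from `/var`.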
@@ -314,15 +326,17 @@
 install -D -m 0644 packaging/systemd/kismet.service %{buildroot}%{_unitdir}/%{name}.service
 install -d %{buildroot}%{_sbindir}
 ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
-# kistmet systemwide plugin dir
+install -D -m 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
+# kismet home dir
+install -m 750 -d %{buildroot}%{homedir}
+# kismet systemwide plugin dir
 install -d %{buildroot}%{_libdir}/kismet/
 # install kismet plugins
 install -D plugin-alertsyslog/alertsyslog.so %{buildroot}%{_libdir}/kismet/alertsyslog.so
 %fdupes -s %{buildroot}%{_datadir}/kismet
 
-%pre
+%pre -f %{name}.pre
 %service_add_pre %{name}.service
-getent group kismet >/dev/null || groupadd -r kismet
 
 %verifyscript
 %verify_permissions -e %{_bindir}/kismet_cap_linux_bluetooth
@@ -335,7 +349,6 @@
 %service_add_post %{name}.service
 %set_permissions %{_bindir}/kismet_cap_linux_bluetooth
 %set_permissions %{_bindir}/kismet_cap_linux_wifi
-exit 0
 
 %postun
 %service_del_postun %{name}.service
@@ -366,6 +379,9 @@
 %{_sbindir}/rc%{name}
 %dir %{_libdir}/kismet/
 %{_libdir}/kismet/alertsyslog.so
+%{_sysusersdir}/%{name}.conf
+#
+%attr(750,%{name},%{name}) %dir %{homedir}
 
 %files logtools
 %{_bindir}/kismetdb_clean
++++++ harden_kismet.service.patch ++++++
Index: kismet-kismet-2022-08-R1/packaging/systemd/kismet.service.in
===================================================================
--- kismet-kismet-2022-08-R1.orig/packaging/systemd/kismet.service.in
+++ kismet-kismet-2022-08-R1/packaging/systemd/kismet.service.in
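Review bot: The bare `+#` line inserted into the `%files` list in the @@ -366,6 hunk reads as an unfinished comment rather than a separator; either drop it or make it say what the entry is, e.g. `# runtime state and home directory of the service user; 750 so other local users cannot read captured data`. In the @@ -314,15 hunk the mode given to `install -m 750 -d %{buildroot}%{homedir}` is superseded by the `%attr(750,%{name},%{name}) %dir %{homedir}` entry, which is fine, but the ownership only resolves because the sysusers fragment pulled in by `%pre -f %{name}.pre` creates the `kismet` user before the payload is unpacked; a one-line comment at the `install` line, `# owner/mode applied via %attr; user comes from the sysusers fragment in %pre`, would make that ordering dependency explicit.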
@@ -4,8 +4,20 @@
 ConditionPathExists=@prefix@/bin/kismet
 After=network.target auditd.service
 [Service]
-User=root
-Group=root
+ProtectSystem=full
+ProtectHome=true
+ProtectControlGroups=true
+
+# The following hardenings break capture plug-ins
+# with elevated filesystem capabilities.
+# ProtectHostname=true
+# ProtectKernelModules=true
+# ProtectKernelLogs=true
+# RestrictRealtime=true
+
+User=kismet
+Group=kismet
+WorkingDirectory=/var/lib/kismet
 Type=simple
 ExecStart=@prefix@/bin/kismet --no-ncurses-wrapper
 KillMode=process
++++++ kismet.sysusers ++++++
# Type Name ID GECOS Home directory Shell
u kismet - "Kismet packet sniffer" /var/lib/kismet /sbin/nologin
g kismet -
m kismet kismet
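Review bot: The comment block says which four directives were disabled but not why, and the reason is exactly what the next hardening pass needs to know: for a unit with `User=` set, `ProtectHostname=`, `ProtectKernelModules=`, `ProtectKernelLogs=` and `RestrictRealtime=` each imply `NoNewPrivileges=yes` (per systemd.exec(5), if I read it correctly), and under no_new_privs execve() stops honouring the file capabilities that `%set_permissions` grants to the `kismet_cap_*` helpers — whereas `ProtectSystem=`, `ProtectHome=` and `ProtectControlGroups=` are mount-namespace restrictions that carry no such implication. I would extend the comment to `# ... they imply NoNewPrivileges= for a non-root User=, which makes the kernel ignore the file capabilities on the capture helpers; NoNewPrivileges= itself must stay unset for the same reason.` `ProtectSystem=full` also makes `/etc` read-only, which is fine only if kismet running as this user never writes into its configuration directory; I cannot confirm that from the patch. A `CapabilityBoundingSet=` restricted to the capabilities the helpers actually carry would be compatible with file capabilities and worth evaluating, but the required set is not visible on this page.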