Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package permissions for openSUSE:Factory checked in at 2024-05-23 15:34:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/permissions (Old) and /work/SRC/openSUSE:Factory/.permissions.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "permissions" Thu May 23 15:34:04 2024 rev:165 rq:1175459 version:1699_20240521 Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2024-05-17 20:03:44.400297693 +0200 +++ /work/SRC/openSUSE:Factory/.permissions.new.24587/permissions.changes 2024-05-23 15:34:05.333065163 +0200 @@ -1,0 +2,6 @@ +Tue May 21 07:40:14 UTC 2024 - [email protected] + +- Update to version 1699_20240521: + * permctl: return special exit code in --warn mode if entries need fixing + +------------------------------------------------------------------- Old: ---- permissions-1699_20240513.tar.xz New: ---- permissions-1699_20240521.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.sPCtHa/_old 2024-05-23 15:34:07.621148192 +0200 +++ /var/tmp/diff_new_pack.sPCtHa/_new 2024-05-23 15:34:07.621148192 +0200 @@ -17,7 +17,7 @@ Name: permissions -Version: 1699_20240513 +Version: 1699_20240521 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.sPCtHa/_old 2024-05-23 15:34:07.661149643 +0200 +++ /var/tmp/diff_new_pack.sPCtHa/_new 2024-05-23 15:34:07.665149789 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> - <param name="changesrevision">dcb85225fd8a677959a623e7b6c1a9639e62e336</param></service></servicedata> + <param name="changesrevision">18d7b13cb3a52656d68280c41f10507f338eca1b</param></service></servicedata> (No newline at EOF) ++++++ permissions-1699_20240513.tar.xz -> permissions-1699_20240521.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20240513/man/permctl.8 new/permissions-1699_20240521/man/permctl.8 --- old/permissions-1699_20240513/man/permctl.8 2024-05-13 11:47:01.000000000 +0200 +++ new/permissions-1699_20240521/man/permctl.8 2024-05-21 09:39:11.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: permctl .\" Author: [see the "AUTHORS" section] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 04/30/2024 +.\" Date: 05/15/2024 .\" Manual: \ \& .\" Source: \ \& .\" Language: English .\" -.TH "PERMCTL" "8" "04/30/2024" "\ \&" "\ \&" +.TH "PERMCTL" "8" "05/15/2024" "\ \&" "\ \&" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -94,6 +94,9 @@ .RS 4 Allow to operate without mounted /proc file system\&. This is an unsafe mode that must only be used in controlled environments where unprivileged users can\(cqt influence file system operation\&. .RE +.SH "EXIT STATUS" +.sp +permctl returns 1 if any fatal errors have been encountered that prevented it from determining or adjusting file permissions\&. It returns 2 if \fB\-\-warn\fR was given and one or more entries need fixing\&. In all other cases it returns 0\&. .SH "EXAMPLES" .sp .if n \{\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20240513/man/permctl.adoc new/permissions-1699_20240521/man/permctl.adoc --- old/permissions-1699_20240513/man/permctl.adoc 2024-05-13 11:47:01.000000000 +0200 +++ new/permissions-1699_20240521/man/permctl.adoc 2024-05-21 09:39:11.000000000 +0200 @@ -66,6 +66,13 @@ that must only be used in controlled environments where unprivileged users can't influence file system operation. +EXIT STATUS +----------- + +permctl returns 1 if any fatal errors have been encountered that prevented it +from determining or adjusting file permissions. It returns 2 if *--warn* was +given and one or more entries need fixing. In all other cases it returns 0. + EXAMPLES -------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20240513/src/entryproc.cpp new/permissions-1699_20240521/src/entryproc.cpp --- old/permissions-1699_20240513/src/entryproc.cpp 2024-05-13 11:47:01.000000000 +0200 +++ new/permissions-1699_20240521/src/entryproc.cpp 2024-05-21 09:39:11.000000000 +0200 
@@ -22,15 +22,15 @@ m_path = entry.file.substr(args.root_path.getValue().length()); } -bool EntryProcessor::process(const bool have_proc) { +EntryProcessor::Result EntryProcessor::process(const bool have_proc) { if (!resolveOwnership()) { // these don't count as errors currently, could be that some // package is just not installed and thus user/groups are missing. - return true; + return Result::ENTRY_SKIPPED; } if (const auto res = safeOpen(); res != OpenRes::CONTINUE) { - return res == OpenRes::SKIP ? true : false; + return res == OpenRes::SKIP ? Result::ENTRY_SKIPPED : Result::FAILED; } assert (m_fd.valid()); @@ -52,7 +52,7 @@ } if (!getCapabilities()) { - return false; + return Result::FAILED; } if (!m_acl.setFromFile(m_safe_path)) { @@ -63,7 +63,7 @@ if (!checkNeedsFixing()) { // nothing to do - return true; + return Result::ENTRY_GOOD; } /* @@ -74,11 +74,11 @@ if (!m_apply_changes) { // we don't need to do anything more - return true; + return Result::ENTRY_BAD; } if (!isSafeToApply()) { - return false; + return Result::FAILED; } if (m_euid != 0) { @@ -88,7 +88,7 @@ m_need_fix_ownership = false; } - return applyChanges(); + return applyChanges() ? Result::ENTRY_FIXED : Result::FAILED; } bool EntryProcessor::resolveOwnership() { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20240513/src/entryproc.h new/permissions-1699_20240521/src/entryproc.h --- old/permissions-1699_20240513/src/entryproc.h 2024-05-13 11:47:01.000000000 +0200 +++ new/permissions-1699_20240521/src/entryproc.h 2024-05-21 09:39:11.000000000 +0200 
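Review bot: In the first hunk of src/entryproc.cpp, a failed `resolveOwnership()` and an `OpenRes::SKIP` both become `Result::ENTRY_SKIPPED`, which the loop in permctl.cpp counts neither as an error nor as a bad entry, so a `--warn` run can exit 0 although some entries were never checked. The existing comment at the first return should say so, e.g. `// reported as ENTRY_SKIPPED: the entry is not verified and does not affect the exit status`. Anyone consuming the new exit code for compliance or monitoring needs to know that 0 means "nothing found that needs fixing", not "every entry was verified". process() continues outside this hunk.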
@@ -14,6 +14,16 @@ * would be performed. Or it can actually apply necessary changes. **/ class EntryProcessor { +public: // types + + enum class Result { + ENTRY_GOOD, ///< The entry was validated and file status is good. + ENTRY_BAD, ///< The entry would need fixing but apply_changes is not set. + ENTRY_FIXED, ///< The entry needed fixing and has been fixed. + ENTRY_SKIPPED, ///< The entry was skipped, because the file is not present or otherwise checking it was not possible. + FAILED ///< a fatal error condition was encountered, entry status is unknown. + }; + public: // functions EntryProcessor(const ProfileEntry &entry, const CmdlineArgs &args, const bool apply_changes); @@ -28,7 +38,7 @@ * \param[in] have_proc Whether a /proc mount is available. If not then * no changes will be applied in the file system for security reasons. **/ - bool process(const bool have_proc); + Result process(const bool have_proc); protected: // types diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-1699_20240513/src/permctl.cpp new/permissions-1699_20240521/src/permctl.cpp --- old/permissions-1699_20240513/src/permctl.cpp 2024-05-13 11:47:01.000000000 +0200 +++ new/permissions-1699_20240521/src/permctl.cpp 2024-05-21 09:39:11.000000000 +0200 @@ -335,6 +335,7 @@ int PermCtl::processEntries() { size_t errors = 0; + size_t bad_entries = 0; if (m_apply_changes && !m_have_proc) { if (m_allow_no_proc) { @@ -356,13 +357,18 @@ if (!needToCheck(processor.path())) continue; - if (!processor.process(m_have_proc)) + if (const auto res = processor.process(m_have_proc); res == EntryProcessor::Result::FAILED) errors++; + else if (res == EntryProcessor::Result::ENTRY_BAD) + bad_entries++; } if (errors) { std::cerr << "ERROR: not all operations were successful." << std::endl; return 1; + } else if (bad_entries && !m_apply_changes) { + // indicate that entries need fixing if m_args.only_warn is set. + return 2; } return 0;
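Review bot: In src/entryproc.h the changed declaration `Result process(const bool have_proc);` should be marked `[[nodiscard]]`, because a caller that drops the result now loses the distinction between ENTRY_BAD and FAILED that the exit status is built from: `[[nodiscard]] Result process(const bool have_proc);`. The sources already rely on C++17 (the if-with-initializer added in permctl.cpp), so the attribute is available. The doc comment starts above the hunk and only its `\param` line is visible; if it has no `\return`, add one such as `\return The outcome for this entry, see Result.`.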
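Review bot: In the last hunk of src/permctl.cpp the new branch `else if (bad_entries && !m_apply_changes)` returns 2 whenever changes are not applied, while its comment and the new EXIT STATUS section of the man page tie exit code 2 to `--warn`. `m_apply_changes` is set outside this hunk, so if it can be false without `--warn` on the command line, the documented contract and the behaviour differ; either test `m_args.only_warn` directly or reword the comment to `// entries need fixing but changes are not applied (warn mode)`. Errors take precedence, so a run with both failures and bad entries returns 1, which is worth stating in the comment as well. Scripts that treat any non-zero status of a `--warn` run as a failure will behave differently with this release. processEntries() starts and ends outside the hunk.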
