On 2018-02-25 15:44, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2018-02-25 at 15:02 +0100, Andreas Beckmann wrote:
>> please allow the upgrade of nvidia-modprobe in stretch to a new
>> upstream release matching the updated nvidia-graphics-drivers
>> package.
>
> Please go ahead.

That was uploaded yesterday, but I just uploaded another fix to sid that may be worthy to be fixed in stretch, too.

nvidia-modprobe (a setuid root binary) stopped working for regular users since dash started dropping privileges if euid != uid (like bash has been doing for ages).

The fix is a one-liner: call setuid(0) before forking modprobe to preserve permissions through the recursive shell and modprobe invocations needed by our modprobe configuration using install commands.

The problem is reproducible in stretch if /bin/sh points to bash instead of dash.

The incremental source debdiff is attached. If that is acceptable, please reject 384.111-1~deb9u1 and I'll upload 384.111-2~deb9u1 instead.

Andreas

diff --git a/debian/changelog b/debian/changelog index 7deb07b..0adbb7c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium + + * Rebuild for stretch. + + -- Andreas Beckmann <[email protected]> Tue, 27 Feb 2018 02:06:17 +0100 + +nvidia-modprobe (384.111-2) unstable; urgency=medium + + * Add setuid.patch to run setuid(0) before forking modprobe to preserve + privileges through shell invocations and recursive modprobe calls. + Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch! + (Closes: #888952) + * Add debian/upstream/metadata. + * Fix new Lintian issues. + * Switch Vcs-* URLs to salsa.debian.org. + + -- Andreas Beckmann <[email protected]> Tue, 27 Feb 2018 01:50:01 +0100 + nvidia-modprobe (384.111-1) unstable; urgency=medium * New upstream release. diff --git a/debian/control b/debian/control index c6963ee..836da1b 100644 --- a/debian/control +++ b/debian/control @@ -12,8 +12,8 @@ Build-Depends: Rules-Requires-Root: binary-targets Standards-Version: 4.1.3 Homepage: https://github.com/NVIDIA/nvidia-modprobe -Vcs-Git: https://anonscm.debian.org/git/pkg-nvidia/nvidia-modprobe.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nvidia/nvidia-modprobe.git +Vcs-Browser: https://salsa.debian.org/nvidia-team/nvidia-modprobe +Vcs-Git: https://salsa.debian.org/nvidia-team/nvidia-modprobe.git Package: nvidia-modprobe Architecture: i386 amd64 armhf ppc64el diff --git a/debian/copyright b/debian/copyright index 0974a69..ad3f83a 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,6 +1,12 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: nvidia-modprobe Source: https://download.nvidia.com/XFree86/nvidia-modprobe/ +Disclaimer: + This package is not part of the GNU/Linux Debian distribution. It is + provided in the contrib archive area as a convenience to Debian users. + The contents of this source package are freely licensed under the Expat + license, but it is only useful in combination with the proprietary + NVIDIA drivers in non-free. Files: * Copyright: Copyright (C) 2004-2017 NVIDIA Corporation diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..57623ce --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +setuid.patch diff --git a/debian/patches/setuid.patch b/debian/patches/setuid.patch new file mode 100644 index 0000000..106df55 --- /dev/null +++ b/debian/patches/setuid.patch 
@@ -0,0 +1,27 @@ +Author: Hiromasa YOSHIMOTO <[email protected]> +Description: use setuid(0) to preserve privileges over shell invocations + Fixing bug https://bugs.debian.org/734869 dash recently started to drop + privileges if euid != uid. (Bash has been doing that for a long time + already, but is usually not used for /bin/sh.) + The Debian modprobe configuration /etc/modprobe.d/nvidia.conf uses install + commands that require forking a shell from within modprobe to (recursively) + run further modprobe commands. If the shell drops privileges in setuid + contexts, the inner modprobe commands are run unprivileged, failing to load + the modules. + Run setuid(0) before forking modprobe to preserve privileges through to the + inner modprobe commands. +Bug-Debian: https://bugs.debian.org/888952 + +--- nvidia-modprobe-384.111.orig/modprobe-utils/nvidia-modprobe-utils.c ++++ nvidia-modprobe-384.111/modprobe-utils/nvidia-modprobe-utils.c +@@ -374,6 +374,10 @@ static int modprobe_helper(const int pri + */ + silence_current_process(); + ++ /* Workaround for debian's /etc/modprobe.d/nvidia.conf configuration. ++ * See Bug#888952 for details */ ++ setuid(0); ++ + execle(modprobe_path, "modprobe", + module_name, NULL, envp); + diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 7ec9f82..8ebed74 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,2 +1,2 @@ # upstream provides no signatures -debian-watch-may-check-gpg-signature +debian-watch-does-not-check-gpg-signature diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..04277b1 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,3 @@ +Name: nvidia-modprobe +Repository: https://github.com/NVIDIA/nvidia-modprobe.git +Repository-Browse: https://github.com/NVIDIA/nvidia-modprobe
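Review bot: In the debian/changelog hunk, the 384.111-2~deb9u1 entry says only "Rebuild for stretch." while the 384.111-2 entry it rebuilds bundles the setuid fix with three unrelated changes (debian/upstream/metadata, the Lintian fixes, the Vcs-* switch to salsa.debian.org). For a stable update, consider naming the setuid.patch fix in the deb9u1 entry itself, so the reason for the upload is visible without reading the unstable entry, and say whether the other three items are meant to go into stretch as well.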
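Review bot: In the modprobe_helper hunk of debian/patches/setuid.patch, the return value of setuid(0) is ignored, so if the call fails, execle() still runs modprobe with the real uid unchanged and the failure this patch is meant to fix returns silently; check the result and leave the child with an error instead of continuing to execle(). A successful setuid(0) also makes the real uid 0, so the shell started by the install commands no longer sees a uid/euid mismatch and will not drop privileges; that is the intent, but it means module_name and envp are all that stands between the calling user and a fully privileged modprobe. The visible lines do not show how envp is built, so it is worth confirming that it is a fixed, minimal environment and not inherited from the caller. The Description line "Fixing bug https://bugs.debian.org/734869 dash recently started to drop" runs two clauses together and leaves unclear how #734869 relates to the Bug-Debian: #888952 header below it.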

