Hello community, here is the log from the commit of package backintime for openSUSE:Factory checked in at 2017-05-17 10:55:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/backintime (Old) and /work/SRC/openSUSE:Factory/.backintime.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "backintime" Wed May 17 10:55:39 2017 rev:17 rq:495451 version:1.1.20 Changes: -------- --- /work/SRC/openSUSE:Factory/backintime/backintime.changes 2015-09-30 05:51:35.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.backintime.new/backintime.changes 2017-05-17 10:55:42.391412480 +0200 
@@ -1,0 +2,196 @@ +Mon May 15 16:21:23 UTC 2017 - [email protected] + +- Remove rpmlintrc following security review + +------------------------------------------------------------------- +Thu Apr 20 06:37:17 UTC 2017 - [email protected] + +- Update to 1.1.20 + * backport security fix: polkit CheckAuthorization: race condition in privilege authorization (CVE-2017-7572, boo#1032717) +- Don't store passwords given to polkit helper + * backintime-polkit_priv_downgrade.patch +- Backport security hardening measures (boo#1007723) + * backintime-security_hardening_backport.patch +- Fix Requires and BuildRequires + * No longer requires xterm + * Note: backintime requires python3-keyring (not py2), but not available in openSUSE yet +- Delete udev configuration files on uninstall +- Merge doc subpackage into main package + +------------------------------------------------------------------- +Sat Oct 29 15:55:16 UTC 2016 - [email protected] + +- Added a new script for launching backintime as root from desktop + (boo#1006356) + +------------------------------------------------------------------- +Tue Jan 12 13:05:33 UTC 2016 - [email protected] + +- Remove unnecessary patch that was already applied by upstream: + * backintime-1.1.10-AttributeError-About-Dialog.patch +- Remove the workaround for x-terminal-emulator. Upstream developed + a new dialog to avoid this problem. +- Version bump to 1.1.12. + Upstream changelog: + + * Fix bug: remove x-terminal-emulator dependency (#515) + * Fix bug: AttributeError in About Dialog (#515) + +------------------------------------------------------------------- +Mon Jan 11 14:31:31 UTC 2016 - [email protected] + +- backintime-qt4 uses x-terminal-emulator to open a terminal with a + man page in the menus Help->Help and Help->Config File Help. + However, openSUSE does not have x-terminal-emulator, instead it + has xdg-terminal that does not work because it can only accept + one argument. 
Thus, the solution was to replace + x-terminal-emulator with xterm. Now, everything in the Help menu + is working properly. + +------------------------------------------------------------------- +Mon Jan 11 01:00:28 UTC 2016 - [email protected] + +- Remove unnecessary BuildRoot in spec file. +- Change package URL to https://github.com/bit-team/backintime . +- Add patch backintime-1.1.10-AttributeError-About-Dialog.patch to + fix upstream issue #515. For more information, see: + https://github.com/bit-team/backintime/issues/515 +- Fix doc path so that the buttons Authors, Translations, and + License in About dialog work properly. + +------------------------------------------------------------------- +Sun Jan 10 23:07:48 UTC 2016 - [email protected] + +- Remove the patch: + backintime-AttributeError_if_keyring_is_missing.patch + since the addressed issue was already solved by upstream. +- Change source URL to github. +- Run spec-cleaner. +- Version bump to 1.1.10. + Upstream changelog: + + * Fix bug: failed to remove empty lock file (#505) Add Icon + 'show-hidden' (#507) + * Add Modify for Full System Backup button to settings page, to + change some profile settings + * Fix bug: Restore the correct file owner and group fail if + they are not present in system (#58) + * add get|set_list_value to configfile + * Fix bug: QObject::startTimer error on closing app + * subclass ApplicationInstance in GUIApplicationInstance to + reduce redundant code + * speed up app start by adding snapshots to timeline in + background thread + * add warning on failed permission restore (#58) + * add unittest (thanks to Dorian, Alexandre, Aurélien and + Gregory from IAGL) + * Fix bug: FileNotFoundError while starting pw-cache from + source + * continue an unfinished new_snapshot if possible (#400) + * Fix bug: suppress warning about failed inhibit suspend if run + as root (#500) + * Fix bug: UI blocked/greyed out while removing snapshot (#487) + * Fix bug: pw-cache failed on leftover PID 
file, using + ApplicationInstance now (#468) + * Fix bug: failed to parse some arguments (#492) + * Fix bug: failed to start GUI if launched from systray icon + * Fix bug: deleted snapshot is still listed in Timeline if + using mode SSH (#493) + * Fix bug: PermissionError while deleting readonly files on + sshfs mounted share (#490) + * Add Nautilus-like shortcuts for navigating in file browser + (#483) + * speed up mounting of SSH+encrypted profiles + * Fix bug: creat new encrypted profiles with encfs >= 1.8.0 + failed (#477) + * Fix bug: AttributeError in common/tools.py if keyring is + missing (#473) + * Fix bug: remote rename of 'new_snapshot' folder sometimes + isn't recognized locally; rename local now + (https://answers.launchpad.net/questions/271792) + * Move source code and bug tracking to GitHub + +------------------------------------------------------------------- +Tue Oct 20 12:55:29 UTC 2015 - [email protected] + +- Backport the upstream patch to fix the issue #473. + * The patch backintime-fix-crash-run-user.patch is not + necessary anymore and then it was removed. + +------------------------------------------------------------------- +Mon Oct 19 20:19:16 UTC 2015 - [email protected] + +- Add a patch to temporarily fix a bug in which backintime crashes + if it is executed as user. For more information, see: + https://github.com/bit-team/backintime/issues/473 + +------------------------------------------------------------------- +Mon Oct 19 15:33:59 UTC 2015 - [email protected] + +- Clean spec file. +- Version bump to 1.1.8. 
+ Upstream changelog: + + * Fix bug: unlock private SSH key run into 5sec timeout if + password is empty + * show current app name and profile ID in syslog + (https://launchpad.net/bugs/906213) + * Fix bug: BiT freeze when activate 'Decode path' in 'Snapshot + Log View' + * Show 'Profiles' dropdown only in 'Last Log Viewer', add + 'Snapshots' dropdown in 'Snapshot Log Viewer' + (https://launchpad.net/bugs/1478219) + * Fix bug: empty grey window appears when starting the gui as + root (https://launchpad.net/bugs/1493020) + * do not restore permission if they are identical with current + permissions + * Fix bug: gnu_find_suffix_support doesn't set back to True + (https://launchpad.net/bugs/1487781) + * security issue: do not run user-callback in a shell + * add option to not log user-callback output + * Fix lintian warning dbus-policy-without-send-destination + * apply timestamps-in-gzip.patch from Debian + backintime/1.1.6-1 package + * run multiple smart-remove jobs in one screen session + (https://launchpad.net/bugs/1487781) + * add error messages if PID file creation fail + * Fix bug: dbus exception if dbus systembus is not running + * Fix bug: depend on virtual package cron-daemon instead of + cron for compatiblity with other cron implementations + (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776856) + * Fix bug: wasn't able to start from alternate install dir + (https://launchpad.net/bugs/478689) + * Fix bug: wasn't able to start from source dir + * Add Warning about unsupported filesystems + * use native Python code to check mountpoint + * Add expert option for stdout and stderr redirection in + cronjobs (https://answers.launchpad.net/questions/270105) + * Fix bug: 'Inhibit Suspend' fails with + 'org.freedesktop.PowerManagement.Inhibit' + (https://launchpad.net/bugs/1485242) + * Fix bug: No mounting while selecting a secondary profile in + the gui (https://launchpad.net/bugs/1481267) + * remove shebang in common/askpass.py and + 
common/create-manpage-backintime-config.py + * Fix bug: fix for bug #1419466 broke crontab on Slackware + (https://launchpad.net/bugs/1478576) + * Fix bug: fix for bug #1431305 broke pw-cache on Ubuntu + (https://launchpad.net/bugs/1431305) + * Fix bash-complete + * show 'man backintime' on Help; remove link to + backintime.le-web.org (https://launchpad.net/bugs/1475995) + * add --debug argument + * Fix bug: Settings accepted empty strings for + Host/User/Profile-ID (https://launchpad.net/bugs/1477733) + * Fix bug: IndexError on 'check_remote_commands' due to too + long args (https://launchpad.net/bugs/1471930) + * add --local-backup, --no-local-backup and --delete option to + restore on command-line (https://launchpad.net/bugs/1467239) + * add 'backup on restore' option to confirm dialog + * add check-config command for command-line + * rewrite command-line argument parsing. Now using argparse + * add expert option SSH command prefix + * Fix bug: Makefile has no uninstall target + (https://launchpad.net/bugs/1469152) + +------------------------------------------------------------------- Old: ---- backintime-1.1.6.tar.gz backintime.rpmlintrc New: ---- backintime-1.1.20.tar.gz backintime-polkit_priv_downgrade.patch backintime-security_hardening_backport.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ backintime.spec ++++++ --- /var/tmp/diff_new_pack.d8aIsy/_old 2017-05-17 10:55:43.135307829 +0200 +++ /var/tmp/diff_new_pack.d8aIsy/_new 2017-05-17 10:55:43.139307266 +0200 @@ -1,7 +1,7 @@ # # spec file for package backintime # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,37 +17,38 @@ Name: backintime -Version: 1.1.6 +Version: 1.1.20 Release: 0 Summary: Back In Time is a simple backup tool for Linux, inspired by "flyback project" License: GPL-2.0+ Group: Productivity/Archiving/Backup -Url: http://backintime.le-web.org/ -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch -Source: https://launchpad.net/%{name}/1.1/%{version}/+download/%{name}-%{version}.tar.gz +Url: https://github.com/bit-team/backintime +Source: https://github.com/bit-team/backintime/releases/download/v%{version}/%{name}-%{version}.tar.gz Source1: %{name}.png -Source99: %{name}.rpmlintrc # PATCH-FEATURE-OPENSUSE %%{name}-ssh-agent_only_if_password.patch -- [email protected] Patch0: %{name}-ssh-agent_only_if_password.patch - +# PATCH-FEATURE-OPENSUSE %%{name}-polkit_priv_downgrade.patch boo#1007723 +Patch1: %{name}-polkit_priv_downgrade.patch +# PATCH-FIX-UPSTREAM %%{name}-security_hardening_backport.patch boo#1007723 +Patch2: %{name}-security_hardening_backport.patch BuildRequires: fdupes -BuildRequires: openssh +BuildRequires: hicolor-icon-theme BuildRequires: python3-devel -BuildRequires: sshfs BuildRequires: update-desktop-files Requires: cron -Requires: libnotify-tools +Requires: dbus-1-python3 Requires: openssh -Requires: python-notify Requires: python3 +#Not yet available in openSUSE +#Requires: python3-keyring Requires: rsync Recommends: encfs -Recommends: python-keyring Recommends: sshfs - -Conflicts: backintime-kde Conflicts: backintime-gnome +Conflicts: backintime-kde +Obsoletes: backintime-doc < %{version} +Provides: backintime-doc = %{version}-%{release} +BuildArch: noarch %description Back In Time is a simple backup tool for Linux, inspired by "flyback project". 
@@ -60,20 +61,12 @@ * what folders to backup; and * backup frequency (manual, every hour, every day, every month). -%package doc -Summary: Documentation for %{name} -Group: Productivity/Archiving/Backup -Requires: %{name} = %{version} -BuildArch: noarch - -%description doc -Documentation and help files for %{name}. - %package qt4 - Summary: Back In Time Qt4 GUI Group: Productivity/Archiving/Backup Requires: %{name} = %{version} +Requires: dbus-1-python3 +Requires: libnotify-tools Requires: polkit Requires: python3-qt4 @@ -81,13 +74,20 @@ This package has a Qt4 GUI for %{name}. %lang_package + %prep -%setup -q -n %{name}-%{version} +%setup -q %patch0 -p1 +%patch1 +%patch2 %build -sed -i -e "s|/share/doc/backintime|/share/doc/packages/backintime|g" common/config.py */Makefile.template +# Fix documentation directories. +sed -i -e "s|'doc'|'doc/packages'|g" common/config.py +sed -i -e "s|'backintime-common'|'backintime'|g" common/config.py +sed -i -e "s|/share/doc/|/share/doc/packages/|g" common/configure qt4/configure +sed -i -e "s|backintime-common|backintime|g" common/configure qt4/configure # Fix icon name. sed -i 's/Icon=document-save/Icon=backintime/g' qt4/backintime-qt4.desktop 
@@ -104,62 +104,57 @@ %install pushd common -%{?make_install} %{!?make_install:%makeinstall} +%make_install popd pushd qt4 -%{?make_install} %{!?make_install:%makeinstall} +%make_install popd -# Fix doc directory. -mkdir -p %{buildroot}/%{_docdir}/%{name} -cp -rf %{buildroot}/%{_docdir}/%{name}-common/* %{buildroot}/%{_docdir}/%{name}/ - -# Remove unneeded files. -rm -r %{buildroot}%{_datadir}/doc/qt +# Remove unmaintained documentation. +rm -r %{buildroot}%{_docdir}/qt install -D -m 644 %{SOURCE1} %{buildroot}/%{_datadir}/pixmaps/%{name}.png +# Fix duplicated files. +%fdupes %{buildroot}%{_datadir}/icons/hicolor/ + # Fix executable permissions. chmod a+x %{buildroot}%{_datadir}/%{name}/common/askpass.py +chmod a+x %{buildroot}%{_datadir}/%{name}/common/bcolors.py chmod a+x %{buildroot}%{_datadir}/%{name}/common/create-manpage-backintime-config.py +chmod a+x %{buildroot}%{_datadir}/%{name}/common/sshMaxArg.py %suse_update_desktop_file %{name}-qt4 System Backup %suse_update_desktop_file %{name}-qt4-root System Backup %find_lang %{name} --without-kde --without-gnome -%clean -rm -rf %{buildroot} +%post +%desktop_database_post +%icon_theme_cache_post + +%postun +%desktop_database_postun +%icon_theme_cache_postun +rm -f %{_sysconfdir}/udev/rules.d/99-backintime-*.rules %files %defattr(-,root,root) -%{_sysconfdir}/xdg/autostart/backintime.desktop %{_bindir}/%{name} %{_bindir}/%{name}-askpass %{_datadir}/%{name}/ +%{_datadir}/icons/hicolor/*/actions/show-hidden.svg %{_datadir}/pixmaps/%{name}.png %{_datadir}/bash-completion -%{_mandir}/man1/%{name}-askpass.1.gz -%{_mandir}/man1/%{name}-config.1.gz -%{_mandir}/man1/%{name}.1.gz -%{_docdir}/%{name}/AUTHORS -%{_docdir}/%{name}/CHANGES -%{_docdir}/%{name}/LICENSE -%{_docdir}/%{name}/README -%{_docdir}/%{name}/VERSION +%{_docdir}/%{name}/ +%{_mandir}/man1/%{name}-askpass.1%{ext_man} +%{_mandir}/man1/%{name}-config.1%{ext_man} +%{_mandir}/man1/%{name}.1%{ext_man} +%{_sysconfdir}/xdg/autostart/backintime.desktop %exclude 
%{_docdir}/%{name}-*/ %exclude %{_datadir}/%{name}/qt4 %exclude %{_datadir}/%{name}/plugins -%files doc -%defattr(-,root,root) -%exclude %{_docdir}/%{name}/AUTHORS -%exclude %{_docdir}/%{name}/CHANGES -%exclude %{_docdir}/%{name}/LICENSE -%exclude %{_docdir}/%{name}/README -%exclude %{_docdir}/%{name}/VERSION -%{_docdir}/%{name}/ - %files lang -f %{name}.lang %defattr(-,root,root) %if 0%{?suse_version} < 1120 @@ -170,18 +165,19 @@ %files qt4 %defattr(-,root,root) %{_bindir}/%{name}-qt4 +%{_bindir}/%{name}-qt4_polkit %{_datadir}/applications/%{name}-qt4.desktop %{_datadir}/applications/%{name}-qt4-root.desktop %{_datadir}/%{name}/qt4 %{_datadir}/%{name}/plugins -%{_docdir}/%{name}-qt4/ -%{_mandir}/man1/%{name}-qt4.1.gz %dir %{_datadir}/dbus-1 %dir %{_datadir}/dbus-1/system-services %{_datadir}/dbus-1/system-services/net.launchpad.backintime.serviceHelper.service %dir %{_datadir}/polkit-1 %dir %{_datadir}/polkit-1/actions %{_datadir}/polkit-1/actions/net.launchpad.backintime.policy +%{_docdir}/%{name}-qt4/ +%{_mandir}/man1/%{name}-qt4.1%{ext_man} %dir %{_sysconfdir}/dbus-1 %dir %{_sysconfdir}/dbus-1/system.d %config %{_sysconfdir}/dbus-1/system.d/net.launchpad.backintime.serviceHelper.conf ++++++ backintime-1.1.6.tar.gz -> backintime-1.1.20.tar.gz ++++++ ++++ 102309 lines of diff (skipped) ++++++ backintime-polkit_priv_downgrade.patch ++++++ --- qt4/net.launchpad.backintime.policy 2016-01-11 19:07:58.000000000 +0100 +++ qt4/net.launchpad.backintime.policy 2017-03-29 13:45:08.384966405 +0200 @@ -14,7 +14,7 @@ <defaults> <allow_any>auth_admin</allow_any> <allow_inactive>auth_admin</allow_inactive> - <allow_active>auth_admin_keep</allow_active> + <allow_active>auth_admin</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/backintime-qt4</annotate> <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate> 
@@ -25,8 +25,8 @@ <description gettext-domain="backintime">This will install Udev rules which will start Back In Time if a drive get connected.</description> <defaults> <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin_keep</allow_inactive> - <allow_active>auth_admin_keep</allow_active> + <allow_inactive>auth_admin</allow_inactive> + <allow_active>auth_admin</allow_active> </defaults> </action> @@ -35,8 +35,8 @@ <description gettext-domain="backintime">This will delete Udev rules.</description> <defaults> <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin_keep</allow_inactive> - <allow_active>auth_admin_keep</allow_active> + <allow_inactive>auth_admin</allow_inactive> + <allow_active>auth_admin</allow_active> </defaults> </action> ++++++ backintime-security_hardening_backport.patch ++++++ --- common/backintime.orig +++ common/backintime @@ -24,4 +24,4 @@ else APP_PATH=$(readlink -m "${CUR_PATH}/../share/backintime/common") fi -python3 $APP_PATH/backintime.py "$@" +python3 -Es $APP_PATH/backintime.py "$@" --- common/backintime-askpass.orig +++ common/backintime-askpass @@ -28,4 +28,4 @@ else APP_PATH=$(readlink -m "${CUR_PATH}/../share/backintime/common") fi -python3 $APP_PATH/askpass.py "$@" +python3 -Es $APP_PATH/askpass.py "$@" --- common/config.py.orig +++ common/config.py @@ -36,7 +36,7 @@ import sshtools import encfstools import password import pluginmanager -from exceptions import PermissionDeniedByPolicy, InvalidChar +from exceptions import PermissionDeniedByPolicy, InvalidChar, InvalidCmd, LimitExceeded _=gettext.gettext 
@@ -930,7 +930,7 @@ class Config( configfile.ConfigFileWithP self.set_profile_bool_value( 'snapshots.backup_on_restore.enabled', value, profile_id ) def is_run_nice_from_cron_enabled( self, profile_id = None ): - #?Run cronjobs with 'nice \-n 19'. This will give BackInTime the + #?Run cronjobs with 'nice \-n19'. This will give BackInTime the #?lowest CPU priority to not interupt any other working process. return self.get_profile_bool_value( 'snapshots.cron.nice', self.DEFAULT_RUN_NICE_FROM_CRON, profile_id ) @@ -955,7 +955,7 @@ class Config( configfile.ConfigFileWithP self.set_profile_bool_value( 'snapshots.user_backup.ionice', value, profile_id ) def is_run_nice_on_remote_enabled(self, profile_id = None): - #?Run rsync and other commands on remote host with 'nice \-n 19' + #?Run rsync and other commands on remote host with 'nice \-n19' return self.get_profile_bool_value('snapshots.ssh.nice', self.DEFAULT_RUN_NICE_ON_REMOTE, profile_id) def set_run_nice_on_remote_enabled(self, value, profile_id = None): @@ -1530,7 +1530,7 @@ class Config( configfile.ConfigFileWithP self.set_profile_str_value('snapshots.path.uuid', uuid, profile_id) try: self.setupUdev.addRule(self.cron_cmd(profile_id), uuid) - except InvalidChar as e: + except (InvalidChar, InvalidCmd, LimitExceeded) as e: logger.error(str(e), self) self.notify_error(str(e)) return False @@ -1560,7 +1560,7 @@ class Config( configfile.ConfigFileWithP if self.is_run_ionice_from_cron_enabled(profile_id) and tools.check_command('ionice'): cmd = tools.which('ionice') + ' -c2 -n7 ' + cmd if self.is_run_nice_from_cron_enabled( profile_id ) and tools.check_command('nice'): - cmd = tools.which('nice') + ' -n 19 ' + cmd + cmd = tools.which('nice') + ' -n19 ' + cmd return cmd if __name__ == "__main__": --- common/exceptions.py.orig +++ common/exceptions.py 
@@ -39,6 +39,20 @@ class InvalidChar(BackInTimeException): def __str__(self): return self.msg +class InvalidCmd(BackInTimeException): + def __init__(self, msg): + self.msg = msg + + def __str__(self): + return self.msg + +class LimitExceeded(BackInTimeException): + def __init__(self, msg): + self.msg = msg + + def __str__(self): + return self.msg + class PermissionDeniedByPolicy(BackInTimeException): def __init__(self, msg): self.msg = msg --- common/password.py.orig +++ common/password.py @@ -52,7 +52,7 @@ class Password_Cache(tools.Daemon): os.mkdir(pw_cache_path, 0o700) else: os.chmod(pw_cache_path, 0o700) - super(Password_Cache, self).__init__(self.config.get_password_cache_pid(), *args, **kwargs) + super(Password_Cache, self).__init__(self.config.get_password_cache_pid(), umask=0o077, *args, **kwargs) self.db_keyring = {} self.db_usr = {} self.fifo = password_ipc.FIFO(self.config.get_password_cache_fifo()) --- common/tools.py.orig +++ common/tools.py @@ -53,7 +53,7 @@ except ImportError: import configfile import logger from applicationinstance import ApplicationInstance -from exceptions import Timeout, InvalidChar, PermissionDeniedByPolicy +from exceptions import Timeout, InvalidChar, InvalidCmd, LimitExceeded, PermissionDeniedByPolicy ON_AC = 0 ON_BATTERY = 1 @@ -379,7 +379,7 @@ def _execute( cmd, callback = None, user def is_process_alive( pid ): try: - os.kill( pid, 0 ) #this will raise an exception if the pid is not valid + os.kill(pid, 0) #this will raise an exception if the pid is not valid except: return False @@ -1231,6 +1231,10 @@ class SetupUdev(object): except dbus.exceptions.DBusException as e: if e._dbus_error_name == 'net.launchpad.backintime.InvalidChar': raise InvalidChar(str(e)) + elif e._dbus_error_name == 'net.launchpad.backintime.InvalidCmd': + raise InvalidCmd(str(e)) + elif e._dbus_error_name == 'net.launchpad.backintime.LimitExceeded': + raise LimitExceeded(str(e)) else: raise 
@@ -1299,11 +1303,12 @@ class Daemon: License CC BY-SA 3.0 http://www.jejik.com/articles/2007/02/a_simple_unix_linux_daemon_in_python/ """ - def __init__(self, pidfile = None, stdin='/dev/null', stdout='/dev/stdout', stderr='/dev/null'): + def __init__(self, pidfile = None, stdin='/dev/null', stdout='/dev/stdout', stderr='/dev/null', umask=0o022): self.stdin = stdin self.stdout = stdout self.stderr = stderr self.pidfile = pidfile + self.umask = umask if pidfile: self.appInstance = ApplicationInstance(pidfile, auto_exit = False, flock = False) @@ -1327,7 +1332,7 @@ class Daemon: logger.debug('decouple from parent environment', self) os.chdir("/") os.setsid() - os.umask(0) + os.umask(self.umask) # do second fork try: --- qt4/backintime-qt4.orig +++ qt4/backintime-qt4 @@ -28,4 +28,4 @@ else APP_PATH=$(readlink -m "${CUR_PATH}/../share/backintime/qt4") fi -python3 ${APP_PATH}/app.py "$@" +python3 -Es ${APP_PATH}/app.py "$@" --- qt4/net.launchpad.backintime.serviceHelper.conf.orig +++ qt4/net.launchpad.backintime.serviceHelper.conf @@ -7,13 +7,11 @@ <!-- Only root can own the service --> <policy user="root"> <allow own="net.launchpad.backintime.serviceHelper"/> - <allow send_destination="net.launchpad.backintime.serviceHelper"/> - <allow send_interface="net.launchpad.backintime.serviceHelper.UdevRules"/> + <allow send_destination="net.launchpad.backintime.serviceHelper" send_interface="net.launchpad.backintime.serviceHelper.UdevRules"/> </policy> <!-- Allow anyone to invoke methods on the interfaces --> <policy context="default"> - <deny own="net.launchpad.backintime.serviceHelper"/> - <allow send_destination="net.launchpad.backintime.serviceHelper"/> + <allow send_destination="net.launchpad.backintime.serviceHelper" send_interface="net.launchpad.backintime.serviceHelper.UdevRules"/> </policy> </busconfig> --- qt4/net.launchpad.backintime.serviceHelper.service.orig +++ qt4/net.launchpad.backintime.serviceHelper.service 
@@ -1,4 +1,4 @@ [D-BUS Service] Name=net.launchpad.backintime.serviceHelper -Exec=/usr/bin/python3 /usr/share/backintime/qt4/serviceHelper.py +Exec=/usr/bin/python3 -Es /usr/share/backintime/qt4/serviceHelper.py User=root --- qt4/serviceHelper.py.orig +++ qt4/serviceHelper.py @@ -79,6 +79,12 @@ UDEV_RULES_PATH = '/etc/udev/rules.d/99- class InvalidChar(dbus.DBusException): _dbus_error_name = 'net.launchpad.backintime.InvalidChar' +class InvalidCmd(dbus.DBusException): + _dbus_error_name = 'net.launchpad.backintime.InvalidCmd' + +class LimitExceeded(dbus.DBusException): + _dbus_error_name = 'net.launchpad.backintime.LimitExceeded' + class PermissionDeniedByPolicy(dbus.DBusException): _dbus_error_name = 'com.ubuntu.DeviceDriver.PermissionDeniedByPolicy' 
@@ -93,10 +99,61 @@ class UdevRules(dbus.service.Object): self.tmpDict = {} #find su path - proc = Popen(['which', 'su'], stdout = PIPE) - self.su = proc.communicate()[0].strip().decode() - if proc.returncode or not self.su: - self.su = '/bin/su' + self.su = self._which('su', '/bin/su') + self.backintime = self._which('backintime', '/usr/bin/backintime') + self.nice = self._which('nice', '/usr/bin/nice') + self.ionice = self._which('ionice', '/usr/bin/ionice') + self.max_rules = 100 + self.max_users = 20 + self.max_cmd_len = 100 + + def _which(self, exe, fallback): + proc = Popen(['which', exe], stdout = PIPE) + ret = proc.communicate()[0].strip().decode() + if proc.returncode or not ret: + return fallback + + return ret + + def _validateCmd(self, cmd): + + if cmd.find("&&") != -1: + raise InvalidCmd("Parameter 'cmd' contains '&&' concatenation") + # make sure it starts with an absolute path + elif not cmd.startswith(os.path.sep): + raise InvalidCmd("Parameter 'cmd' does not start with '/'") + + parts = cmd.split() + + # make sure only well known commands and switches are used + whitelist = ( + (self.nice, ("-n")), + (self.ionice, ("-c", "-n")), + ) + + for c, switches in whitelist: + if parts and parts[0] == c: + parts.pop(0) + for sw in switches: + while parts and parts[0].startswith(sw): + parts.pop(0) + + if not parts: + raise InvalidCmd("Parameter 'cmd' does not contain the backintime command") + elif parts[0] != self.backintime: + raise InvalidCmd("Parameter 'cmd' contains non-whitelisted cmd/parameter (%s)" % parts[0]) + + def _checkLimits(self, owner, cmd): + + if len(self.tmpDict.get(owner, [])) >= self.max_rules: + raise LimitExceeded("Maximum number of cached rules reached (%d)" + % self.max_rules) + elif len(self.tmpDict) >= self.max_users: + raise LimitExceeded("Maximum number of cached users reached (%d)" + % self.max_users) + elif len(cmd) > self.max_cmd_len: + raise LimitExceeded("Maximum length of command line reached (%d)" + % self.max_cmd_len) 
@dbus.service.method("net.launchpad.backintime.serviceHelper.UdevRules", in_signature='ss', out_signature='', @@ -117,10 +174,14 @@ class UdevRules(dbus.service.Object): raise InvalidChar("Parameter 'uuid' contains invalid character(s) %s" % '|'.join(set(chars)) ) + self._validateCmd(cmd) + info = SenderInfo(sender, conn) user = info.connectionUnixUser() owner = info.nameOwner() + self._checkLimits(owner, cmd) + #create su command sucmd = "%s - '%s' -c '%s'" %(self.su, user, cmd) #create Udev rule ++++++ backintime-ssh-agent_only_if_password.patch ++++++ --- /var/tmp/diff_new_pack.d8aIsy/_old 2017-05-17 10:55:43.495257191 +0200 +++ /var/tmp/diff_new_pack.d8aIsy/_new 2017-05-17 10:55:43.499256628 +0200 @@ -1,14 +1,15 @@ -diff -Pdpru backintime-1.1.4.orig/common/sshtools.py backintime-1.1.4/common/sshtools.py ---- backintime-1.1.4.orig/common/sshtools.py 2015-03-22 23:45:40.000000000 +0100 -+++ backintime-1.1.4/common/sshtools.py 2015-06-09 18:11:41.811995216 +0200 -@@ -97,7 +97,11 @@ class SSH(mount.MountControl): - 'But this can make troubles with passphrase-less keys.' - %{'path': self.private_key_file}) +Index: backintime-1.1.8/common/sshtools.py +=================================================================== +--- backintime-1.1.8.orig/common/sshtools.py ++++ backintime-1.1.8/common/sshtools.py +@@ -105,7 +105,11 @@ class SSH(mount.MountControl): + %{'path': self.private_key_file}, + self) self.private_key_fingerprint = self.private_key_file - self.unlock_ssh_agent() + -+ # ssh without password makes only sense if you have enabled passwordless ssh keys. -+ # In this case there is no need to use the keyring at all. ++ # ssh without password makes only sense if you have enabled passwordless ++ # ssh keys. In this case there is no need to use the keyring at all. + if not self.password == None: + self.unlock_ssh_agent()
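Review bot: In backintime.spec, hunk @@ -104,62 +104,57 @@, the udev cleanup in %postun (rm -f %{_sysconfdir}/udev/rules.d/99-backintime-*.rules) is unconditional, so it also runs when the old package's %postun fires during an upgrade and deletes rules the user configured. The changelog entry says "Delete udev configuration files on uninstall". Guard it with if [ "$1" -eq 0 ]; then ... fi so it runs only on final removal.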
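Review bot: In common/backintime, hunk @@ -24,4 +24,4 @@, the changed line still expands $APP_PATH unquoted (python3 -Es $APP_PATH/backintime.py "$@"), so an install path containing whitespace is word-split before python3 sees it. Quote it as "$APP_PATH/backintime.py" while touching the line, and do the same in the matching hunks of common/backintime-askpass and qt4/backintime-qt4.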
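Review bot: In common/config.py, hunk @@ -1560,7 +1560,7 @@ (cron_cmd), the change from ' -n 19 ' to ' -n19 ' carries no comment saying why the spacing matters. The _validateCmd whitelist added in qt4/serviceHelper.py skips tokens with parts[0].startswith(sw), so a separate "19" token would be taken for the command and rejected. Add a one-line comment next to the nice and ionice strings stating that switch and value must stay a single token, so the spacing is not changed back later.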
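Review bot: In common/password.py, hunk @@ -52,7 +52,7 @@, umask=0o077 is passed ahead of *args and **kwargs, so a caller that supplies four extra positional arguments, or umask in kwargs, gets a TypeError for a duplicate umask instead of the restrictive mask. The password cache should never run with anything looser, so either drop a caller-supplied umask from kwargs before the super().__init__ call or set self.umask = 0o077 after it.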
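Review bot: In qt4/net.launchpad.backintime.serviceHelper.conf, hunk @@ -7,13 +7,11 @@, the default-context policy loses the <deny own="net.launchpad.backintime.serviceHelper"/> line, which leaves ownership of the name by non-root users to be refused only by the system bus default policy. Keep the explicit deny, or state in the comment that the bus default is relied on. The comment "Allow anyone to invoke methods on the interfaces" should also be narrowed, since the rule now admits only the UdevRules interface.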
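Review bot: In qt4/serviceHelper.py, hunk @@ -93,10 +99,61 @@, the whitelist entry (self.nice, ("-n")) in _validateCmd has no trailing comma, so ("-n") is the plain string "-n" and "for sw in switches" iterates the characters "-" and "n". After nice, any token starting with "-" and then any token starting with "n" is skipped, not just -n<value>. Write ("-n",). In the same hunk, _checkLimits tests len(self.tmpDict) >= self.max_users without checking whether owner is already a key, so once 20 owners are cached an existing owner is refused further rules; add "owner not in self.tmpDict and" to that branch. The validation shown rejects only "&&" and checks the first token left after nice/ionice, so everything after the backintime path is accepted as given. Because cmd is later placed inside -c '%s', confirm that the character check on cmd earlier in addRule (outside the visible lines) covers the remaining shell metacharacters and the single quote.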
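Review bot: In qt4/serviceHelper.py, hunk @@ -117,10 +174,14 @@ (addRule), self._validateCmd(cmd) runs before self._checkLimits(owner, cmd), so the max_cmd_len bound is applied only after the string has already been searched and split. Test the length first, for example by moving the len(cmd) check to the top of _validateCmd, so oversized input from any bus client is rejected before parsing.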
