Hello community,

here is the log from the commit of package util-linux for openSUSE:Factory 
checked in at 2018-04-22 14:29:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/util-linux (Old)
 and      /work/SRC/openSUSE:Factory/.util-linux.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "util-linux"

Sun Apr 22 14:29:30 2018 rev:228 rq:596303 version:2.31.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/util-linux/python-libmount.changes       
2018-03-30 11:55:38.307301981 +0200
+++ /work/SRC/openSUSE:Factory/.util-linux.new/python-libmount.changes  
2018-04-22 14:29:31.798919821 +0200
@@ -1,0 +2,12 @@
+Thu Apr 12 17:09:30 CEST 2018 - sbra...@suse.com
+
+- Integrate pam_keyinit pam module (boo#1081947, su-l.pamd,
+  runuser-l.pamd, runuser.pamd).
+
+-------------------------------------------------------------------
+Wed Apr  4 04:12:56 CEST 2018 - sbra...@suse.com
+
+- su.default: Set ALWAYS_SET_PATH default to "yes" (bsc#353876#c7);
+  add one-time wrapper forcing ALWAYS_SET_PATH on upgrade.
+
+-------------------------------------------------------------------
util-linux-systemd.changes: same change
util-linux.changes: same change

New:
----
  runuser-l.pamd
  su-l.pamd

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-libmount.spec ++++++
--- /var/tmp/diff_new_pack.0Y62zs/_old  2018-04-22 14:29:33.070873781 +0200
+++ /var/tmp/diff_new_pack.0Y62zs/_new  2018-04-22 14:29:33.070873781 +0200
@@ -73,7 +73,7 @@
 %endif
 Summary:        %main_summary
 License:        GPL-2.0-or-later
-Group:          %group_pl
+Group:          %main_group
 BuildRequires:  audit-devel
 BuildRequires:  bc
 BuildRequires:  binutils-devel
@@ -138,6 +138,8 @@
 Source12:       
https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13:       %{_name}.keyring
 Source14:       runuser.pamd
+Source15:       runuser-l.pamd
+Source16:       su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40:       klogconsole.tar.xz
@@ -172,7 +174,6 @@
 Patch6:         util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 
sbra...@suse.com -- Fix lsblk on NVMe.
 Patch7:         util-linux-sysfs-nvme-devno.patch
-
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -396,7 +397,6 @@
 %if %build_util_linux
 %package -n python-libmount
 Summary:        %summary_pl
-License:        GPL-2.0-or-later
 Group:          %group_pl
 
 %description -n python-libmount
@@ -644,9 +644,9 @@
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -788,6 +788,12 @@
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; 
then
+       touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
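Review bot: The added %pre probe tests for `/bin/su` but then runs `su` through PATH, while the comment above it names `/sbin/su`, so the check, the probe and the comment refer to three different paths. Running the tested binary explicitly keeps them aligned: `if test -e /bin/su && ! ( LANG=C /bin/su --help 2>/dev/null ) | grep -q -- --pty ; then`, with the comment corrected to `/bin/su`. The marker is named `su.needs_ALWAYS_SET_ROOT` although the setting being migrated is ALWAYS_SET_PATH. Because of `touch ... 2>/dev/null || :`, a failed touch silently skips the one-time hardening in %post; a message on stderr would make that visible. The same hunk is repeated in util-linux-systemd.spec and util-linux.spec.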
@@ -810,6 +816,20 @@
                mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
        fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f 
%{_sysconfdir}/default/su &&
+                grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+       if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+               cp -a %{_sysconfdir}/default/su 
%{_sysconfdir}/default/su.rpmorig
+       fi
+       sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ 
%{_sysconfdir}/default/su
+       echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+       echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+       echo "If it is not intended, you can safely change it back. It will not 
be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service
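Review bot: The one-time migration fires only when the preserved file has a line beginning with exactly `ALWAYS_SET_PATH=no`. A noreplace file where the key is absent, commented out, or written as `ALWAYS_SET_PATH = no` or `ALWAYS_SET_PATH="no"` keeps the old behaviour and prints nothing. If su's parser accepts those spellings (not visible in this hunk), a tolerant match such as `grep -Eq '^[[:space:]]*ALWAYS_SET_PATH[[:space:]]*=[[:space:]]*"?no"?[[:space:]]*$'` plus a notice when the key is missing would close the gap. The grep and sed expressions are unquoted and `test -f A -a -f B` is obsolescent; `[ -f A ] && [ -f B ]` with single-quoted patterns is the safer form. The comment says ALWAYS_SET_ROOT where ALWAYS_SET_PATH is meant, and the same hunk is repeated in util-linux-systemd.spec and util-linux.spec.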

++++++ util-linux-systemd.spec ++++++
--- /var/tmp/diff_new_pack.0Y62zs/_old  2018-04-22 14:29:33.130871610 +0200
+++ /var/tmp/diff_new_pack.0Y62zs/_new  2018-04-22 14:29:33.134871465 +0200
@@ -138,6 +138,8 @@
 Source12:       
https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13:       %{_name}.keyring
 Source14:       runuser.pamd
+Source15:       runuser-l.pamd
+Source16:       su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40:       klogconsole.tar.xz
@@ -172,7 +174,6 @@
 Patch6:         util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 
sbra...@suse.com -- Fix lsblk on NVMe.
 Patch7:         util-linux-sysfs-nvme-devno.patch
-
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -643,9 +644,9 @@
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -787,6 +788,12 @@
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; 
then
+       touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@@ -809,6 +816,20 @@
                mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
        fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f 
%{_sysconfdir}/default/su &&
+                grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+       if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+               cp -a %{_sysconfdir}/default/su 
%{_sysconfdir}/default/su.rpmorig
+       fi
+       sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ 
%{_sysconfdir}/default/su
+       echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+       echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+       echo "If it is not intended, you can safely change it back. It will not 
be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service

++++++ util-linux.spec ++++++
--- /var/tmp/diff_new_pack.0Y62zs/_old  2018-04-22 14:29:33.162870452 +0200
+++ /var/tmp/diff_new_pack.0Y62zs/_new  2018-04-22 14:29:33.166870307 +0200
@@ -138,6 +138,8 @@
 Source12:       
https://www.kernel.org/pub/linux/utils/util-linux/v2.31/util-linux-%{version}.tar.sign
 Source13:       %{_name}.keyring
 Source14:       runuser.pamd
+Source15:       runuser-l.pamd
+Source16:       su-l.pamd
 # klogconsole, http://opensuse.github.com/kiwi, 7.02.25, git 859dc050
 # TODO: split to separate package
 Source40:       klogconsole.tar.xz
@@ -172,7 +174,6 @@
 Patch6:         util-linux-fincore-count.patch
 # PATCH-FIX-UPSTREAM util-linux-sysfs-nvme-devno.patch bsc1078662 
sbra...@suse.com -- Fix lsblk on NVMe.
 Patch7:         util-linux-sysfs-nvme-devno.patch
-
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #
 %if %build_util_linux
@@ -643,9 +644,9 @@
 install -m 644 %{SOURCE8} %{buildroot}%{_sysconfdir}/pam.d/login
 install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/remote
 install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser
-install -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
+install -m 644 %{SOURCE15} %{buildroot}%{_sysconfdir}/pam.d/runuser-l
 install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su
-install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/su-l
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/pam.d/su-l
 install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/default/su
 pushd ../klogconsole
 # klogconsole install
@@ -787,6 +788,12 @@
 %if %build_util_linux
 %pre
 %service_add_pre raw.service rfkill-block@.service rfkill-unblock@.service
+# Check whether we are upgrading from < Leap 15 or SLE 15
+# Check for /sbin/su and not /usr/sbin/su, as it exists in all old versions.
+# (bsc#353876#c7)
+if test -e /bin/su && ! ( LANG=C su --help 2>/dev/null) | grep -q -- --pty ; 
then
+       touch %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT 2>/dev/null || :
+fi
 
 %post
 %service_add_post raw.service rfkill-block@.service rfkill-unblock@.service
@@ -809,6 +816,20 @@
                mv %{_sysconfdir}/$PAM_FILE.rpmsave %{_sysconfdir}/$PAM_FILE
        fi
 done
+# %{_sysconfdir}/default/su is tagged as noreplace.
+# But we want to upgrade to a more secure default on upgrade.
+# Perform one-time change of ALWAYS_SET_ROOT. (bsc#353876#c7)
+if test -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT -a -f 
%{_sysconfdir}/default/su &&
+                grep -q ^ALWAYS_SET_PATH=no %{_sysconfdir}/default/su ; then
+       if ! test -f %{_sysconfdir}/default/su.rpmorig ; then
+               cp -a %{_sysconfdir}/default/su 
%{_sysconfdir}/default/su.rpmorig
+       fi
+       sed -i s/^ALWAYS_SET_PATH=no/ALWAYS_SET_PATH=yes/ 
%{_sysconfdir}/default/su
+       echo "One time change of %{_sysconfdir}/default/su was performed." >&2
+       echo "ALWAYS_SET_PATH was set to more secure value \"yes\"." >&2
+       echo "If it is not intended, you can safely change it back. It will not 
be changed again." >&2
+fi
+rm -f %{_sysconfdir}/default/su.needs_ALWAYS_SET_ROOT
 
 %preun
 %service_del_preun raw.service rfkill-block@.service rfkill-unblock@.service

++++++ runuser-l.pamd ++++++
#%PAM-1.0
# PAM stack installed by the spec as pam.d/runuser-l.
# Note that runuser requires only "session" setting (and for example "auth 
sufficient pam_rootok.so" dummy line).
# pam_rootok succeeds when the caller's real UID is 0; "sufficient" ends the
# auth stack as soon as it succeeds.
auth     sufficient     pam_rootok.so
# pam_keyinit gives the session its own kernel session keyring.
#   force  - replace the invoking process's session keyring unconditionally,
#            so the new session does not keep using the caller's keyring.
#   revoke - revoke that keyring when the invoking process exits (only if this
#            module created it).
# "optional": a failure of this module alone does not fail the session stack.
session  optional       pam_keyinit.so force revoke
# Pull in the session rules from the common-session file.
session  include        common-session
# pam_xauth forwards xauth keys (X11 cookies) to the target user.
session  optional       pam_xauth.so
++++++ runuser.pamd ++++++
--- /var/tmp/diff_new_pack.0Y62zs/_old  2018-04-22 14:29:33.398861910 +0200
+++ /var/tmp/diff_new_pack.0Y62zs/_new  2018-04-22 14:29:33.402861766 +0200
@@ -1,5 +1,6 @@
 #%PAM-1.0
 # Note that runuser requires only "session" setting (and for example "auth 
sufficient pam_rootok.so" dummy line).
 auth     sufficient     pam_rootok.so
+session  optional       pam_keyinit.so revoke
 session  include        common-session
 session  optional       pam_xauth.so
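Review bot: The new `pam_keyinit.so revoke` line omits `force`, while the new runuser-l.pamd and su-l.pamd both use `force revoke`, and the file does not say why. A comment above the line, such as `# non-login runuser: create a session keyring only if none exists; the -l variants use "force" to replace it`, would record the intent and stop the three files from drifting apart. su.pamd (Source10) is not touched by this commit, so it is worth confirming that plain su already carries a pam_keyinit line or is deliberately left without one.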

++++++ su-l.pamd ++++++
#%PAM-1.0
# PAM stack installed by the spec as pam.d/su-l.
# auth: pam_rootok succeeds when the caller's real UID is 0 and, being
# "sufficient", ends the stack; other callers go through the common-auth rules.
auth     sufficient     pam_rootok.so
auth     include        common-auth
# account: same pattern -- root callers pass via pam_rootok, everyone else is
# checked by the common-account rules.
account  sufficient     pam_rootok.so
account  include        common-account
# password: rules from common-password.
password include        common-password
# pam_keyinit gives the session its own kernel session keyring.
#   force  - replace the invoking process's session keyring unconditionally,
#            so the target user's session does not share the caller's keyring.
#   revoke - revoke that keyring when the invoking process exits (only if this
#            module created it).
# "optional": a failure of this module alone does not fail the session stack.
session  optional       pam_keyinit.so force revoke
# Pull in the session rules from the common-session file.
session  include        common-session
# pam_xauth forwards xauth keys (X11 cookies) to the target user.
session  optional       pam_xauth.so
++++++ su.default ++++++
--- /var/tmp/diff_new_pack.0Y62zs/_old  2018-04-22 14:29:33.474859159 +0200
+++ /var/tmp/diff_new_pack.0Y62zs/_new  2018-04-22 14:29:33.474859159 +0200
@@ -1,9 +1,12 @@
 # Per default, only "su -" will set a new PATH.
-# If this variable is changed to "yes" (default is "no"),
+# If this variable is set to "yes" (default is "no"),
 # every su call will overwrite the PATH variable.
-ALWAYS_SET_PATH=no
+#
+# The recommended default is "yes". The default "no" behavior could have
+# a security implication in applications that use commands without path.
+ALWAYS_SET_PATH=yes
 
-# Default path. 
+# Default path.
 PATH=/usr/local/bin:/bin:/usr/bin
 
 # Default path for a user invoking su to root.
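Review bot: The reworded comment still says `(default is "no")` directly above a paragraph that calls "yes" the recommended default and a shipped value of `ALWAYS_SET_PATH=yes`, so it is unclear which default is meant. If "no" is what su falls back to when the variable is unset (inferred, not shown in this hunk), say so: `# If this variable is set to "yes" (su falls back to "no" when it is unset),`. The rationale could also name the risk more plainly, e.g. `# With "no", a shell started by plain "su" keeps the caller's PATH, so commands run without an absolute path may resolve in caller-controlled directories.` The file continues past the end of this hunk.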


