Hello community, here is the log from the commit of package permissions for openSUSE:Factory checked in at 2018-11-26 10:12:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/permissions (Old) and /work/SRC/openSUSE:Factory/.permissions.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "permissions" Mon Nov 26 10:12:53 2018 rev:120 rq:649630 version:20181116 Changes: -------- --- /work/SRC/openSUSE:Factory/permissions/permissions.changes 2018-11-05 22:49:54.648471693 +0100 +++ /work/SRC/openSUSE:Factory/.permissions.new.19453/permissions.changes 2018-11-26 10:12:59.726246482 +0100 @@ -1,0 +2,13 @@ +Fri Nov 16 15:15:04 UTC 2018 - [email protected] + +- Update to version 20181116: + * zypper-plugin: new plugin to fix bsc#1114383 + +------------------------------------------------------------------- +Mon Nov 12 12:14:18 UTC 2018 - [email protected] + +- Update to version 20181112: + * singularity: remove -suid binaries that have been dropped since version + 2.4 (bsc#1028304) + +------------------------------------------------------------------- Old: ---- permissions-20181030.tar.xz New: ---- permissions-20181116.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ --- /var/tmp/diff_new_pack.htom8Y/_old 2018-11-26 10:13:01.522244376 +0100 +++ /var/tmp/diff_new_pack.htom8Y/_new 2018-11-26 10:13:01.522244376 +0100 @@ -17,7 +17,7 @@ Name: permissions -Version: 20181030 +Version: 20181116 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. 
@@ -61,4 +61,23 @@ %{_mandir}/man8/chkstat.8%{ext_man} %{_fillupdir}/sysconfig.security +%package -n permissions-zypp-plugin +BuildArch: noarch +Requires: permissions = %version +Requires: python3-zypp-plugin +Requires: libzypp(plugin:commit) = 1 +Summary: A zypper commit plugin for calling chkstat +Group: Productivity/Security + +%description -n permissions-zypp-plugin +This package contains a plugin for zypper that calls `chkstat --system` after +new packages have been installed. This is helpful for maintaining custom +entries in /etc/permissions.local. + +%files -n permissions-zypp-plugin +%dir /usr/lib/zypp +%dir /usr/lib/zypp/plugins +%dir /usr/lib/zypp/plugins/commit +/usr/lib/zypp/plugins/commit/permissions.py + %changelog ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.htom8Y/_old 2018-11-26 10:13:01.554244338 +0100 +++ /var/tmp/diff_new_pack.htom8Y/_new 2018-11-26 10:13:01.558244333 +0100 @@ -1,4 +1,4 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> - <param name="changesrevision">2a511608aeccb6f43d94e0086f3878a7465b235a</param></service></servicedata> \ No newline at end of file + <param name="changesrevision">c1107931c09ab5e32fffa7696ab6b09fff553a96</param></service></servicedata> \ No newline at end of file ++++++ permissions-20181030.tar.xz -> permissions-20181116.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/Makefile new/permissions-20181116/Makefile --- old/permissions-20181030/Makefile 2018-10-30 13:11:09.000000000 +0100 +++ new/permissions-20181116/Makefile 2018-11-16 16:33:52.000000000 +0100 @@ -11,6 +11,8 @@ mandir=$(datadir)/man man8dir=$(mandir)/man8 man5dir=$(mandir)/man5 +zypp_plugins=$(prefix)/lib/zypp/plugins +zypp_commit_plugins=$(zypp_plugins)/commit FSCAPS_DEFAULT_ENABLED = 1 CPPFLAGS += -DFSCAPS_DEFAULT_ENABLED=$(FSCAPS_DEFAULT_ENABLED) 
@@ -18,12 +20,13 @@ all: chkstat install: all - @for i in $(bindir) $(suseconfigdir) $(man8dir) $(man5dir) $(fillupdir) $(sysconfdir); \ + @for i in $(bindir) $(suseconfigdir) $(man8dir) $(man5dir) $(fillupdir) $(sysconfdir) $(zypp_commit_plugins); \ do install -d -m 755 $(DESTDIR)$$i; done @install -m 755 chkstat $(DESTDIR)$(bindir) @install -m 644 chkstat.8 $(DESTDIR)$(man8dir) @install -m 644 permissions.5 $(DESTDIR)$(man5dir) @install -m 644 sysconfig.security $(DESTDIR)$(fillupdir) + @install -m 755 zypper-plugin/permissions.py $(DESTDIR)$(zypp_commit_plugins) @for i in permissions{,.local,.easy,.secure,.paranoid}; \ do install -m 644 $$i $(DESTDIR)$(sysconfdir); done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/permissions.easy new/permissions-20181116/permissions.easy --- old/permissions-20181030/permissions.easy 2018-10-30 13:11:09.000000000 +0100 +++ new/permissions-20181116/permissions.easy 2018-11-16 16:33:52.000000000 +0100 
@@ -341,12 +341,13 @@ +capabilities cap_net_raw,cap_net_admin=ep # singularity (bsc#1028304) -/usr/lib/singularity/bin/expand-suid root:singularity 4750 -/usr/lib/singularity/bin/mount-suid root:singularity 4750 -/usr/lib/singularity/bin/create-suid root:singularity 4750 +# these have been dropped in version 2.4 (see bsc#1111411, comment 4) +#/usr/lib/singularity/bin/expand-suid root:singularity 4750 +#/usr/lib/singularity/bin/create-suid root:singularity 4750 +#/usr/lib/singularity/bin/export-suid root:singularity 4750 +#/usr/lib/singularity/bin/import-suid root:singularity 4750 /usr/lib/singularity/bin/action-suid root:singularity 4750 -/usr/lib/singularity/bin/export-suid root:singularity 4750 -/usr/lib/singularity/bin/import-suid root:singularity 4750 +/usr/lib/singularity/bin/mount-suid root:singularity 4750 /usr/lib/singularity/bin/start-suid root:singularity 4750 # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/permissions.local new/permissions-20181116/permissions.local --- old/permissions-20181030/permissions.local 2018-10-30 13:11:09.000000000 +0100 +++ new/permissions-20181116/permissions.local 2018-11-16 16:33:52.000000000 +0100 
@@ -9,6 +9,11 @@ # to check or set the modes and ownerships of files and directories in # the installation. # +# If you want chkstat to be run automically after zypper operations, then you +# can install the permissions-zypp-plugin. This is helpful when you are +# entering permissions in this file that get overwritten by package updates. +# The plugin keeps the custom permissions in place. +# # In particular, this file will not be touched during an upgrade of the # installation. It is designed to be a placeholder for local # additions by the administrator of the system to reflect filemodes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/permissions.paranoid new/permissions-20181116/permissions.paranoid --- old/permissions-20181030/permissions.paranoid 2018-10-30 13:11:09.000000000 +0100 +++ new/permissions-20181116/permissions.paranoid 2018-11-16 16:33:52.000000000 +0100 
@@ -357,12 +357,13 @@ /usr/bin/dumpcap root:root 0755 # singularity (bsc#1028304) -/usr/lib/singularity/bin/expand-suid root:singularity 0750 -/usr/lib/singularity/bin/mount-suid root:singularity 0750 -/usr/lib/singularity/bin/create-suid root:singularity 0750 +# these have been dropped in version 2.4 (see bsc#1111411, comment 4) +#/usr/lib/singularity/bin/expand-suid root:singularity 0750 +#/usr/lib/singularity/bin/create-suid root:singularity 0750 +#/usr/lib/singularity/bin/export-suid root:singularity 0750 +#/usr/lib/singularity/bin/import-suid root:singularity 0750 /usr/lib/singularity/bin/action-suid root:singularity 0750 -/usr/lib/singularity/bin/export-suid root:singularity 0750 -/usr/lib/singularity/bin/import-suid root:singularity 0750 +/usr/lib/singularity/bin/mount-suid root:singularity 0750 /usr/lib/singularity/bin/start-suid root:singularity 0750 # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/permissions.secure new/permissions-20181116/permissions.secure --- old/permissions-20181030/permissions.secure 2018-10-30 13:11:09.000000000 +0100 +++ new/permissions-20181116/permissions.secure 2018-11-16 16:33:52.000000000 +0100 
@@ -381,12 +381,13 @@ +capabilities cap_net_raw,cap_net_admin=ep # singularity (bsc#1028304) -/usr/lib/singularity/bin/expand-suid root:singularity 4750 -/usr/lib/singularity/bin/mount-suid root:singularity 4750 -/usr/lib/singularity/bin/create-suid root:singularity 4750 +# these have been dropped in version 2.4 (see bsc#1111411, comment 4) +#/usr/lib/singularity/bin/expand-suid root:singularity 4750 +#/usr/lib/singularity/bin/create-suid root:singularity 4750 +#/usr/lib/singularity/bin/export-suid root:singularity 4750 +#/usr/lib/singularity/bin/import-suid root:singularity 4750 /usr/lib/singularity/bin/action-suid root:singularity 4750 -/usr/lib/singularity/bin/export-suid root:singularity 4750 -/usr/lib/singularity/bin/import-suid root:singularity 4750 +/usr/lib/singularity/bin/mount-suid root:singularity 4750 /usr/lib/singularity/bin/start-suid root:singularity 4750 # diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/zypper-plugin/README.md new/permissions-20181116/zypper-plugin/README.md --- old/permissions-20181030/zypper-plugin/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/permissions-20181116/zypper-plugin/README.md 2018-11-16 16:33:52.000000000 +0100 
@@ -0,0 +1,8 @@ +# permissions-zypp-plugin + +This is a simple zypper commit plugin. Its purpose is to call `chkstat +--system` in case a file is installed that is also listed in +`/etc/permissions.local`. This makes it possible to use permissions.local for +applying custom permissions for files that are managed by zypper. Otherwise +the user would need to manually call `chstat` to apply custom permissions +after each zypper update. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/permissions-20181030/zypper-plugin/permissions.py new/permissions-20181116/zypper-plugin/permissions.py --- old/permissions-20181030/zypper-plugin/permissions.py 1970-01-01 01:00:00.000000000 +0100 +++ new/permissions-20181116/zypper-plugin/permissions.py 2018-11-16 16:33:52.000000000 +0100 
@@ -0,0 +1,140 @@
+#!/usr/bin/python3
+
+# Copyright (c) 2018 SUSE LLC
+
+# All Right Reserved.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program (see the file COPYING); if not, write to the
+# Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+
+# Authors:
+
+# Matthias Gerstner ([email protected])
+
+# See https://doc.opensuse.org/projects/libzypp/HEAD/zypp-plugins.html
+# for information about the zypper plugin concept.
+
+# Basically we communicate to zypper via stdin/stdout, a special protocol is
+# exchanged here.
+
+# The COMMITBEGIN and COMMITEND hooks allow to inspect which packages are
+# installed or removed. We can't look at individual files, though. Therefore
+# we have to blindly call chkstat at the end of each transaction that adds one
+# or more packages.
+
+import os, sys
+import zypp_plugin
+
+def log(*args, **kwargs):
+ args = ("permissions-zypp-plugin:",) + args
+ kwargs["file"] = sys.stderr
+ print(*args, **kwargs)
+ # not sure why sometimes log lines do not appear in zypper.log?
+ sys.stderr.flush()
+
+def callCheckstat():
+ import subprocess
+ # since the plugin's stdout is a communication channel towards zypper we
+ # need to avoid outputting anything there that's not part of the protocol.
+ #
+ # instead redirect stdout to stderr, this should end up in the zypper log
+ # instead.
+
+ # --set is not required when passing --system, as long CHECK_PERMISSIONS
+ # is not disabled in /etc/sysconfig/security. If it is then the admin
+ # hopefuly knows what he's doing on its own.
+ res = subprocess.call(
+ ['/usr/bin/chkstat', '--system'],
+ shell = False,
+ close_fds = True,
+ stdout = sys.stderr
+ )
+
+ if res != 0:
+ log("chkstat failed with exit code", res)
+
+class PermissionsPlugin(zypp_plugin.Plugin):
+
+ def __init__(self):
+ super().__init__()
+ # here we keep sets of all files we parsed from /etc/permissions.*
+ # files
+ #self.m_permissions = {}
+ # here we will keep all matches from m_permissions that are actually
+ # part of this transaction
+ #self.m_matches = set()
+ # This is actually not needed currently. In the first place I wanted
+ # to only call chkstat when a file was added or replaced that is
+ # listed in permissions.local. Since this information is not easily
+ # available from zypper we always call chkstat instead.
+ #self._parsePermissions("/etc/permissions.local", "local")
+
+ def _parsePermissions(self, path, label):
+ self.m_permissions[label] = set()
+ permset = self.m_permissions[label]
+
+ try:
+ with open(path, 'r') as fd:
+
+ for line in fd.readlines():
+ line = line.strip()
+ if not line or line.startswith('#'):
+ continue
+ parts = line.split()
+ if len(parts) != 3:
+ log("malformed line encountered in", path + ":", line)
+ continue
+ permset.add(parts[0])
+ except:
+ log("Failed to parse", path)
+
+ def COMMITEND(self, headers, body):
+ log("COMMITEND")
+
+ have_new_pkgs = False
+
+ import json
+ data = json.loads(body)
+
+ for step in data["TransactionStepList"]:
+ log("Processing", str(step))
+
+ _type = step.get("type", None)
+ # we're only looking for new packages being installed (this also
+ # covers updates).
+ if not _type or _type != "+":
+ continue
+
+ stage = step.get("stage", None)
+ # we're only looking for successful install operations
+ if not stage or stage != "ok":
+ continue
+
+ have_new_pkgs = True
+ break
+
+ if have_new_pkgs:
+ callCheckstat()
+
+ self.ack()
+
+ def PLUGINBEGIN(self, headers, body):
+ self.ack()
+
+ def PLUGINEND(self, headers, body):
+ self.ack()
+
+plugin = PermissionsPlugin()
+plugin.main()
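Review bot: COMMITEND in zypper-plugin/permissions.py has no error handling around `json.loads(body)`, the `data["TransactionStepList"]` lookup and the `callCheckstat()` call, so a malformed body or an OSError raised by subprocess.call (e.g. the chkstat binary missing) propagates out of the handler before `self.ack()` is reached and the reply zypper is presumably waiting for is never sent. Wrapping the parse and the chkstat call so that the ack is always sent keeps an unexpected transaction report from taking the whole commit down; the rewrite below also folds the loop-and-break into `any()`, dropping the per-step `log("Processing", ...)` line, which can be kept if the verbosity is wanted. Separately, `_parsePermissions` uses a bare `except:` (which also swallows KeyboardInterrupt) and writes to `self.m_permissions`, which `__init__` leaves commented out, so calling it would raise AttributeError; either initialize the dict and narrow the handler to `except OSError:`, or drop the dead method. If it is ever enabled, note that the `+capabilities` continuation lines visible in the permissions.* hunks of this diff have two fields and would be reported as malformed by the `len(parts) != 3` check.
```python
    def COMMITEND(self, headers, body):
        log("COMMITEND")

        import json
        try:
            steps = json.loads(body)["TransactionStepList"]
        except (ValueError, KeyError, TypeError) as e:
            log("unusable COMMITEND body:", e)
            steps = []

        # only successfully installed packages (this also covers updates) are
        # of interest; any() stops at the first match like the old break did
        have_new_pkgs = any(
            step.get("type") == "+" and step.get("stage") == "ok"
            for step in steps
        )

        if have_new_pkgs:
            try:
                callCheckstat()
            except OSError as e:
                # e.g. /usr/bin/chkstat not executable; still answer zypper
                log("failed to run chkstat:", e)

        self.ack()
```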
