Hello community, here is the log from the commit of package lxc for openSUSE:Factory checked in at 2019-04-24 13:57:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lxc (Old) and /work/SRC/openSUSE:Factory/.lxc.new.5536 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc" Wed Apr 24 13:57:21 2019 rev:85 rq:697202 version:3.1.0 Changes: --------
--- /work/SRC/openSUSE:Factory/lxc/lxc.changes 2019-04-17 10:10:35.126927970 +0200
+++ /work/SRC/openSUSE:Factory/.lxc.new.5536/lxc.changes 2019-04-24 13:57:22.219989135 +0200
@@ -1,0 +2,7 @@
+Sat Apr 20 10:35:36 UTC 2019 - Aleksa Sarai <[email protected]>
+
+- Rework /var/adm/update-messages handling to be far less complicated, and more
+ packaging-friendly (by update-messages be owned by the rpm) as well as
+ storing the update message in a autoconf-templated source file.
+
+-------------------------------------------------------------------
New: ---- missing_setuid.txt.in ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lxc.spec ++++++
--- /var/tmp/diff_new_pack.Fn3rT3/_old 2019-04-24 13:57:23.427988379 +0200
+++ /var/tmp/diff_new_pack.Fn3rT3/_new 2019-04-24 13:57:23.427988379 +0200
@@ -23,31 +23,14 @@ # In later versions of openSUSE's permissions config, lxc-user-nic was # whitelisted with a setuid bit enabled -- but in order to allow building on # old distros we must not make it setuid on pre-15.1 distros. See bsc#988348. -%if 0%{suse_version} >= 1510 -%define setuid_mode 04750 -%else -%define setuid_mode 0750 +%if 0%{suse_version} < 1510 +%define old_permissions 1 %endif +%define setuid_mode 0%{!?old_permissions:4}750 -%define _pre_update_message(B:S:n:) \ - %%define um_pkgname %{?-n:%{-n*}}%{!?-n:%{name}} \ - %%define um_suffix %{?-S:%{-S*}}%{!?-S:untitled} \ - %%define um_prefix %{?-B:%{buildroot}}/var/adm/update-messages/%{um_pkgname}-%{version}-%{release}- \ - %%define um_path %{um_prefix}%{um_suffix}.txt - -# add_update_message [-aB] [-S <suffix=untitled>] [-n <pkgname={name}>] -# Adds new update message with the given suffix and package name. -# Use -B to apply to the {buildroot} rather than the host system. -%define add_update_message(BS:n:) ( \ - %{expand:%_pre_update_message %{-B} %{-S} %{-n}} \ - tee >>%{um_path} ) - -# del_update_messages [-B] [-n <pkgname={name}>] -# Delete all update-messages that exist for the given package. -# Use -B to apply to the {buildroot} rather than the host system. -%define del_update_messages(Bn:) ( \ - %{expand:%_pre_update_message -S * %{-B} %{-n}} \ - ( shopt -s nullglob ; rm -f -- %{um_path} ) ) +# XXX: Really should be included (in some form) in standard openSUSE macros. +# suse_install_update_message is useless for subpackages. +%define _updatemessagedir /var/adm/update-messages %define shlib_version 1 Name: lxc @@ -62,6 +45,7 @@ Source2: %{name}.keyring Source3: lxc-createconfig.in Source90: openSUSE-apparmor.conf +Source91: missing_setuid.txt.in BuildRequires: gcc BuildRequires: automake BuildRequires: libtool 
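Review bot: The new `%define setuid_mode 0%{!?old_permissions:4}750` hides the effective mode inside a conditional macro expansion, and the `%if 0%{suse_version} < 1510` above it only sets `old_permissions`, so a reader has to evaluate two sites by hand to learn that the helper is installed 04750 on 15.1+ and 0750 before; a comment such as `# 04750 (setuid) unless old_permissions is set, in which case 0750.` directly above the define would make the intent immediate. The `%define _updatemessagedir /var/adm/update-messages` is consumed by the `%post` scriptlet in a later hunk (`find` and `cp` into it), and none of the visible hunks show this package owning or creating that directory, so the XXX comment could also record that the scriptlets assume the directory already exists on the target system.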
@@ -109,6 +93,7 @@ Group: System/Libraries Requires(pre): permissions Requires(post): permissions +Requires(post): findutils # Older SLE versions didn't have -abstractions but instead had -profiles # (though Leap has -abstractions regardless of it being based on SLE). We only # need them to not have to own /etc/apparmor.d/abstractions. @@ -154,8 +139,27 @@ --with-systemdsystemunitdir=%{_unitdir} make %{?_smp_mflags} +# Ensure that shlib_version was correct. +lxc_api_version="$(echo "@LXC_ABI_MAJOR@" | ./config.status --file -)" +[ "$lxc_api_version" = "%{shlib_version}" ] + # openSUSE-specific templated files. ./config.status --file=lxc-createconfig:%{S:3} +./config.status --file=missing_setuid.txt:%{S:91} + +# Add an additional warning header if the distro is old enough that +# /etc/permissions should already be whitelisting lxc-user-nic. +%if ! 0%{?old_permissions} +patch missing_setuid.txt <<EOF +--- a/missing_setuid.txt ++++ b/missing_setuid.txt +@@ -0,0 +1,4 @@ ++NOTE: It appears you are running on a new-enough distribution that this warning ++ should not have appeared. If you are not using a "paranoid" profile, ++ please report this as a bug using <https://bugs.opensuse.org/>. ++ +EOF +%endif %install %make_install 
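Review bot: The comment introducing the header injection reads `# Add an additional warning header if the distro is old enough that /etc/permissions should already be whitelisting lxc-user-nic.`, but the condition `%if ! 0%{?old_permissions}` selects distributions that are *new* enough (15.1+), matching the "new-enough distribution" wording of the header itself; the comment should say `new enough`. Prepending four lines with `patch` and an inline unified diff is also harder to verify than plain concatenation and depends on `patch` being in the build root (usually true, since rpmbuild's own `%patch` macro needs it, but it is not among the visible BuildRequires); writing the header into a temporary file and appending the templated text behind it does the same job with only coreutils, as below, and a quoted `'EOF'` delimiter keeps the message text out of shell expansion. The `[ "$lxc_api_version" = "%{shlib_version}" ]` check relies on rpmbuild running `%build` with `sh -e` to turn a mismatch into a build failure, which holds, but `|| { echo "shlib_version does not match LXC_ABI_MAJOR" >&2; exit 1; }` would make the failure self-explanatory in the log. Since `missing_setuid.txt.in` contains `@libexecdir@`, confirm that the rendered file shows an absolute path rather than a literal `${exec_prefix}/...`, which is what config.status substitutes when configure was not given an absolute `--libexecdir`; the configure invocation is outside this hunk.
```spec
# Add an additional warning header if the distro is new enough that
# /etc/permissions should already be whitelisting lxc-user-nic.
%if ! 0%{?old_permissions}
cat >missing_setuid.txt.new <<'EOF'
NOTE: It appears you are running on a new-enough distribution that this warning
      should not have appeared. If you are not using a "paranoid" profile,
      please report this as a bug using <https://bugs.opensuse.org/>.

EOF
cat missing_setuid.txt >>missing_setuid.txt.new
mv missing_setuid.txt.new missing_setuid.txt
%endif
```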
@@ -197,47 +201,19 @@ /sbin/ldconfig %set_permissions %{_libexecdir}/%{name}/lxc-user-nic -# Remove any existing update messages if we're reinstalling. -[ "$1" -gt 1 ] && %{del_update_messages -n liblxc%{shlib_version}} ||: - -[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || \ -%{add_update_message -n liblxc%{shlib_version} -S missing_setuid} <<EOF -%if 0%{suse_version} >= 1510 -NOTE: It appears you are running on a new-enough distribution that this warning - should not have appeared. If you are not using a "paranoid" profile, - please report this as a bug at <https://bugzilla.opensuse.org/>. - -%endif -Due to your /etc/permissions configuration (which might be caused by an -outdated permissions package), the lxc-user-nic helper binary has been -installed with a missing setuid bit. This setuid helper is required in order -for LXC unprivileged containers to operate, and has already been reviewed by -the SUSE security team and added to the Factory permissions setuid -whitelist[1]. - -No action has been taken to fix this configuration problem (in case this was -intentional, and to avoid breaking openSUSE packaging guidelines), so your -administrator will have to fix this manually. +# Remove any existing update messages if we're reinstalling. I'm a bit +# surprised this isn't done automatically. We don't do this on postun because +# we should keep around past package update messages. +[ "$1" -gt 1 ] && \ + find %{_updatemessagedir} -xtype f \ + -name 'liblxc%{shlib_version}-%{version}-%{release}-*.txt' -delete + +# If lxc-user-nic doesn't have setuid we need to copy the update-message. 
+[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || + cp %{_defaultdocdir}/liblxc%{shlib_version}/missing_setuid.txt \ + %{_updatemessagedir}/liblxc%{shlib_version}-%{version}-%{release}-missing_setuid.txt -In order to fix this, add the following line to /etc/permissions.local (this is -necessary to avoid losing the setuid bit during package updates or causing -audit warnings): - - %{_libexecdir}/%{name}/lxc-user-nic root:kvm 04750 - -and then add the setuid bit to the helper: - - chmod u+s %{_libexecdir}/%{name}/lxc-user-nic - -... or you can re-install liblxc%{shlib_version}. - -[1]: https://bugzilla.opensuse.org/show_bug.cgi?id=988348 -EOF - -%postun -n liblxc%{shlib_version} -/sbin/ldconfig -# Remove update messages if we're *uninstalling* but not reinstalling. -[ "$1" -eq 0 ] && %{del_update_messages -n liblxc%{shlib_version}} ||: +%postun -n liblxc%{shlib_version} -p /sbin/ldconfig %verifyscript -n liblxc%{shlib_version} %verify_permissions -e %{_libexecdir}/%{name}/lxc-user-nic @@ -295,6 +271,11 @@ %config %{_sysconfdir}/apparmor.d/lxc-* %config %{_sysconfdir}/apparmor.d/lxc/* +# In order to avoid fun issues with update-messages we store update-messages in +# docdir and then copy them in post to /var/adm/update-messages if it makes +# sense. +%doc missing_setuid.txt + %files -n liblxc-devel %defattr(-,root,root) %{_libdir}/lib%{name}.so ++++++ lxc-createconfig.in ++++++ --- /var/tmp/diff_new_pack.Fn3rT3/_old 2019-04-24 13:57:23.455988361 +0200 +++ /var/tmp/diff_new_pack.Fn3rT3/_new 2019-04-24 13:57:23.459988359 +0200 
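Review bot: The `cp %{_defaultdocdir}/liblxc%{shlib_version}/missing_setuid.txt ...` at the end of `%post` is now the scriptlet's last command and has no fallback, so when the source file is absent the scriptlet exits non-zero and rpm reports a `%post` failure for liblxc%{shlib_version}; the file is installed as `%doc` (see the `%files` hunk later in this line), and `%doc` files are skipped under `rpm --excludedocs` / `%_excludedocs`, which minimal and container installs commonly set. The previous code ended every such statement with `||:`; either restore that guard, test for the source first, e.g. `msg=%{_defaultdocdir}/liblxc%{shlib_version}/missing_setuid.txt` followed by `[ -u %{_libexecdir}/%{name}/lxc-user-nic ] || [ ! -f "$msg" ] || cp "$msg" %{_updatemessagedir}/liblxc%{shlib_version}-%{version}-%{release}-missing_setuid.txt`, or, more robustly, install the rendered message as a regular (non-`%doc`) file under `%{_datadir}/%{name}/` so it cannot be excluded. Both `find %{_updatemessagedir} ...` and the `cp` also assume `/var/adm/update-messages` already exists; none of the visible hunks show this package owning it, so that dependency deserves a comment or an `install -d`. The `[ "$1" -gt 1 ] && find ...` line is only safe because it is not the last statement; if the copy is ever moved above it, a fresh install (`$1` = 1) would return status 1 from the scriptlet.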
@@ -1,22 +1,22 @@ #!/bin/bash +# @configure_input@ -# # lxc: linux Container library - +# # Authors: # Mike Friesenegger <[email protected]> # Daniel Lezcano <[email protected]> - +# # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. - +# # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. - +# # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++++++ missing_setuid.txt.in ++++++ Due to your /etc/permissions configuration (which might be caused by an outdated permissions package), the lxc-user-nic helper binary has been installed with a missing setuid bit. This setuid helper is required in order for LXC unprivileged containers to operate, and has already been reviewed by the SUSE security team and added to the Factory permissions setuid whitelist[1]. No action has been taken to fix this configuration problem (in case this was intentional, and to avoid breaking openSUSE packaging guidelines), so your administrator will have to fix this manually. In order to fix this, add the following line to /etc/permissions.local (this is necessary to avoid losing the setuid bit during package updates or causing audit warnings): @libexecdir@/lxc/lxc-user-nic root:kvm 04750 and then add the setuid bit to the helper: chmod u+s @libexecdir@/lxc/lxc-user-nic ... or you can re-install liblxc@LXC_ABI_MAJOR@. [1]: https://bugzilla.opensuse.org/show_bug.cgi?id=988348
