rpms
/
oddjob
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta
...
pull from: rpms:c10-beta
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'c9' and 'c10-beta' have entirely different histories.
c9 ... c10-beta

4 changed files with 180 additions and 133 deletions
Show Stats

113
SOURCES/oddjob-cve-2020-10737-reversal-option.patch
Unescape View File

@ -1,113 +0,0 @@
From 71b0389fbb31833d827f5f0fec18880c2f602753 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 19 May 2022 13:52:22 +0300
Subject: [PATCH] mkhomedir: add support for pre-CVE-2020-10737 behavior
Pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when non-Kerberos authentication method is in use. This is
exactly the case where a race condition addressed by the CVE-2020-10737
fix could have happened. However, there are legit use cases where this
setup is needed.
Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/mkhomedir.c | 16 +++++++++++++---
src/oddjobd-mkhomedir.conf.5.in | 9 +++++++++
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/mkhomedir.c b/src/mkhomedir.c
index be85959..ac813a9 100644
--- a/src/mkhomedir.c
+++ b/src/mkhomedir.c
@@ -53,9 +53,11 @@ static const char *skel;
static const char *skel_dir;
static struct passwd *pwd;
static mode_t override_umask;
+static int owner_mkdir_first = 0;
#define FLAG_POPULATE (1 << 0)
#define FLAG_QUIET (1 << 1)
+#define FLAG_OWNER_MKDIR_FIRST (1 << 2)
/* Given the path of an item somewhere in the skeleton directory, create as
* identical as possible a copy in the destination tree. */
@@ -158,7 +160,7 @@ copy_single_item(const char *source, const struct stat *sb,
* target user just yet to avoid potential race conditions
* involving symlink attacks when we copy over the skeleton
* tree. */
- if (status->level == 0) {
+ if (status->level == 0 && !owner_mkdir_first) {
uid = 0;
gid = 0;
}
@@ -222,6 +224,9 @@ mkhomedir(const char *user, int flags)
pwd->pw_dir);
return HANDLER_INVALID_INVOCATION;
}
+ if (flags & FLAG_OWNER_MKDIR_FIRST) {
+ owner_mkdir_first = 1;
+ }
if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {
/* Figure out which location we're using as a
* template. */
@@ -237,7 +242,7 @@ mkhomedir(const char *user, int flags)
int res = nftw(get_skel_dir(), copy_single_item, 5,
FTW_PHYS);
/* only now give ownership to the target user */
- if (res == 0) {
+ if (res == 0 && !owner_mkdir_first) {
res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
}
@@ -317,8 +322,11 @@ main(int argc, char **argv)
umask(override_umask);
skel_dir = "/etc/skel";
- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {
+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {
switch (i) {
+ case 'f':
+ flags |= FLAG_OWNER_MKDIR_FIRST;
+ break;
case 'n':
flags &= ~FLAG_POPULATE;
break;
@@ -339,6 +347,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "Valid options:\n"
+ "-f\tCreate home directory initially owned by user, "
+ "not root. See man page for security issues.\n"
"-n\tDo not populate home directories, "
"just create them.\n"
"-q\tDo not print messages when creating "
diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
index d7a2429..6e35ad5 100644
--- a/src/oddjobd-mkhomedir.conf.5.in
+++ b/src/oddjobd-mkhomedir.conf.5.in
@@ -10,6 +10,15 @@ directory.
The mkhomedir helper itself accepts these options:
.TP
+-f
+Restore behavior before CVE-2020-10737 was fixed: create the home directory
+with user's ownership directly rather than create it as a root and only after
+populating it change to the user's ownership. The former behavior is insecure
+but may be used to allow creation of NFS-mounted home directories when
+non-Kerberos authentication is in use. It is prone for a race condition that
+could be exploited in the NFS-mounted home directories use case. To avoid
+CVE-2020-10737, do not use \fB-f\fR option in production environments.
+.TP
-q
Refrain from outputting the usual "Creating home directory..." message when it
creates a home directory.
--
2.37.1

28
SOURCES/oddjob-libxml2.patch
Unescape View File

@ -0,0 +1,28 @@
From 3d30f6fec556f2eb53671832ae47687ace1fc655 Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz <yselkowi@redhat.com>
Date: Wed, 13 Dec 2023 15:12:32 -0500
Subject: [PATCH] Fix build with libxml2-2.12.0
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.0
"Several cyclic dependencies in public header files were fixed. As a
result, certain headers won't include other headers as before."
---
src/oddjobd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/oddjobd.c b/src/oddjobd.c
index 44de748..fb63c02 100644
--- a/src/oddjobd.c
+++ b/src/oddjobd.c
@@ -47,6 +47,7 @@
#include <string.h>
#include <unistd.h>
#include <dbus/dbus.h>
+#include <libxml/globals.h>
#include <libxml/xmlreader.h>
#ifdef SELINUX_ACLS
#include <selinux/selinux.h>
--
2.43.0

114
SOURCES/oddjob-override-mask-fix.patch
Unescape View File

@ -1,3 +1,117 @@
From 71b0389fbb31833d827f5f0fec18880c2f602753 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 19 May 2022 13:52:22 +0300
Subject: [PATCH 1/2] mkhomedir: add support for pre-CVE-2020-10737 behavior
Pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when non-Kerberos authentication method is in use. This is
exactly the case where a race condition addressed by the CVE-2020-10737
fix could have happened. However, there are legit use cases where this
setup is needed.
Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/mkhomedir.c | 16 +++++++++++++---
src/oddjobd-mkhomedir.conf.5.in | 9 +++++++++
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/mkhomedir.c b/src/mkhomedir.c
index be85959..ac813a9 100644
--- a/src/mkhomedir.c
+++ b/src/mkhomedir.c
@@ -53,9 +53,11 @@ static const char *skel;
static const char *skel_dir;
static struct passwd *pwd;
static mode_t override_umask;
+static int owner_mkdir_first = 0;
#define FLAG_POPULATE (1 << 0)
#define FLAG_QUIET (1 << 1)
+#define FLAG_OWNER_MKDIR_FIRST (1 << 2)
/* Given the path of an item somewhere in the skeleton directory, create as
* identical as possible a copy in the destination tree. */
@@ -158,7 +160,7 @@ copy_single_item(const char *source, const struct stat *sb,
* target user just yet to avoid potential race conditions
* involving symlink attacks when we copy over the skeleton
* tree. */
- if (status->level == 0) {
+ if (status->level == 0 && !owner_mkdir_first) {
uid = 0;
gid = 0;
}
@@ -222,6 +224,9 @@ mkhomedir(const char *user, int flags)
pwd->pw_dir);
return HANDLER_INVALID_INVOCATION;
}
+ if (flags & FLAG_OWNER_MKDIR_FIRST) {
+ owner_mkdir_first = 1;
+ }
if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {
/* Figure out which location we're using as a
* template. */
@@ -237,7 +242,7 @@ mkhomedir(const char *user, int flags)
int res = nftw(get_skel_dir(), copy_single_item, 5,
FTW_PHYS);
/* only now give ownership to the target user */
- if (res == 0) {
+ if (res == 0 && !owner_mkdir_first) {
res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
}
@@ -317,8 +322,11 @@ main(int argc, char **argv)
umask(override_umask);
skel_dir = "/etc/skel";
- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {
+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {
switch (i) {
+ case 'f':
+ flags |= FLAG_OWNER_MKDIR_FIRST;
+ break;
case 'n':
flags &= ~FLAG_POPULATE;
break;
@@ -339,6 +347,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "Valid options:\n"
+ "-f\tCreate home directory initially owned by user, "
+ "not root. See man page for security issues.\n"
"-n\tDo not populate home directories, "
"just create them.\n"
"-q\tDo not print messages when creating "
diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
index d7a2429..6e35ad5 100644
--- a/src/oddjobd-mkhomedir.conf.5.in
+++ b/src/oddjobd-mkhomedir.conf.5.in
@@ -10,6 +10,15 @@ directory.
The mkhomedir helper itself accepts these options:
.TP
+-f
+Restore behavior before CVE-2020-10737 was fixed: create the home directory
+with user's ownership directly rather than create it as a root and only after
+populating it change to the user's ownership. The former behavior is insecure
+but may be used to allow creation of NFS-mounted home directories when
+non-Kerberos authentication is in use. It is prone for a race condition that
+could be exploited in the NFS-mounted home directories use case. To avoid
+CVE-2020-10737, do not use \fB-f\fR option in production environments.
+.TP
-q
Refrain from outputting the usual "Creating home directory..." message when it
creates a home directory.
--
2.38.1
From b800e25258353dbb1a88506123c21ac3298fd2d0 Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com>
Date: Tue, 18 Oct 2022 08:59:16 -0300

58
SPECS/oddjob.spec
Unescape View File

@ -22,13 +22,15 @@
Name: oddjob
Version: 0.34.7
Release: 7%{?dist}
Release: 13%{?dist}
Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz
Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.asc
Patch0: oddjob-cve-2020-10737-reversal-option.patch
Patch1: oddjob-override-mask-fix.patch
# Fix build with libxml2-2.12.0
# https://pagure.io/oddjob/pull-request/24
Patch2: oddjob-libxml2.patch
Summary: A D-Bus service which runs odd jobs on behalf of client applications
License: BSD
License: BSD-3-Clause
BuildRequires: make
BuildRequires: gcc
BuildRequires: dbus-devel >= 0.22, dbus-x11, libselinux-devel, libxml2-devel
@ -90,8 +92,8 @@ This package contains a trivial sample oddjob service.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch -P2 -p1
%build
sample_flag=
@ -190,7 +192,7 @@ touch -r src/oddjob-mkhomedir.conf.in $RPM_BUILD_ROOT/%{_sysconfdir}/dbus-1/syst
%post
if test $1 -eq 1 ; then
killall -HUP dbus-daemon >/dev/null 2>&1
killall -HUP dbus-daemon 2>&1 > /dev/null
fi
%if %{systemd}
%systemd_post oddjobd.service
@ -205,7 +207,7 @@ fi
%endif
%if %{sysvinit}
if [ $1 -gt 0 ] ; then
/sbin/service oddjobd condrestart >/dev/null 2>&1 || :
/sbin/service oddjobd condrestart 2>&1 > /dev/null || :
fi
%endif
exit 0
@ -216,7 +218,7 @@ exit 0
%endif
%if %{sysvinit}
if [ $1 -eq 0 ] ; then
/sbin/service oddjobd stop >/dev/null 2>&1
/sbin/service oddjobd stop > /dev/null 2>&1
/sbin/chkconfig --del oddjobd
fi
%endif
@ -243,7 +245,7 @@ if grep -q %{_libdir}/%{name}/mkhomedir $cfg ; then
sed -i 's^%{_libdir}/%{name}/mkhomedir^%{_libexecdir}/%{name}/mkhomedir^g' $cfg
fi
if test $1 -eq 1 ; then
killall -HUP dbus-daemon >/dev/null 2>&1
killall -HUP dbus-daemon 2>&1 > /dev/null
fi
if [ -f /var/lock/subsys/oddjobd ] ; then
%{dbus_send} --system --dest=com.redhat.oddjob /com/redhat/oddjob com.redhat.oddjob.reload
@ -251,24 +253,40 @@ fi
exit 0
%changelog
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.34.7-13
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Dec 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.34.7-10
- Fix build with libxml2-2.12.0
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 09 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-7
- Provide a switch to restore pre-CVE-2020-10737 behavior
- Always set the home directory permissions according to HOME_MODE
- Resolves: rhbz#2149988
* Thu Aug 18 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-6
- Add a non-default option to revert behavior for CVE-2020-10737 fix
- Resolved: rhbz#2119265
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-5
- Fix stdin redirection in RPM scripts
Resolves: rhbz#2041585
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.34.7-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.34.7-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.34.7-3
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save