Compare commits
No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

@ -1,113 +0,0 @@
From 71b0389fbb31833d827f5f0fec18880c2f602753 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 19 May 2022 13:52:22 +0300
Subject: [PATCH] mkhomedir: add support for pre-CVE-2020-10737 behavior
Pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when non-Kerberos authentication method is in use. This is
exactly the case where a race condition addressed by the CVE-2020-10737
fix could have happened. However, there are legit use cases where this
setup is needed.
Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/mkhomedir.c | 16 +++++++++++++---
src/oddjobd-mkhomedir.conf.5.in | 9 +++++++++
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/mkhomedir.c b/src/mkhomedir.c
index be85959..ac813a9 100644
--- a/src/mkhomedir.c
+++ b/src/mkhomedir.c
@@ -53,9 +53,11 @@ static const char *skel;
static const char *skel_dir;
static struct passwd *pwd;
static mode_t override_umask;
+static int owner_mkdir_first = 0;
#define FLAG_POPULATE (1 << 0)
#define FLAG_QUIET (1 << 1)
+#define FLAG_OWNER_MKDIR_FIRST (1 << 2)
/* Given the path of an item somewhere in the skeleton directory, create as
* identical as possible a copy in the destination tree. */
@@ -158,7 +160,7 @@ copy_single_item(const char *source, const struct stat *sb,
* target user just yet to avoid potential race conditions
* involving symlink attacks when we copy over the skeleton
* tree. */
- if (status->level == 0) {
+ if (status->level == 0 && !owner_mkdir_first) {
uid = 0;
gid = 0;
}
@@ -222,6 +224,9 @@ mkhomedir(const char *user, int flags)
pwd->pw_dir);
return HANDLER_INVALID_INVOCATION;
}
+ if (flags & FLAG_OWNER_MKDIR_FIRST) {
+ owner_mkdir_first = 1;
+ }
if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {
/* Figure out which location we're using as a
* template. */
@@ -237,7 +242,7 @@ mkhomedir(const char *user, int flags)
int res = nftw(get_skel_dir(), copy_single_item, 5,
FTW_PHYS);
/* only now give ownership to the target user */
- if (res == 0) {
+ if (res == 0 && !owner_mkdir_first) {
res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
}
@@ -317,8 +322,11 @@ main(int argc, char **argv)
umask(override_umask);
skel_dir = "/etc/skel";
- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {
+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {
switch (i) {
+ case 'f':
+ flags |= FLAG_OWNER_MKDIR_FIRST;
+ break;
case 'n':
flags &= ~FLAG_POPULATE;
break;
@@ -339,6 +347,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "Valid options:\n"
+ "-f\tCreate home directory initially owned by user, "
+ "not root. See man page for security issues.\n"
"-n\tDo not populate home directories, "
"just create them.\n"
"-q\tDo not print messages when creating "
diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
index d7a2429..6e35ad5 100644
--- a/src/oddjobd-mkhomedir.conf.5.in
+++ b/src/oddjobd-mkhomedir.conf.5.in
@@ -10,6 +10,15 @@ directory.
The mkhomedir helper itself accepts these options:
.TP
+-f
+Restore behavior before CVE-2020-10737 was fixed: create the home directory
+with user's ownership directly rather than create it as a root and only after
+populating it change to the user's ownership. The former behavior is insecure
+but may be used to allow creation of NFS-mounted home directories when
+non-Kerberos authentication is in use. It is prone for a race condition that
+could be exploited in the NFS-mounted home directories use case. To avoid
+CVE-2020-10737, do not use \fB-f\fR option in production environments.
+.TP
-q
Refrain from outputting the usual "Creating home directory..." message when it
creates a home directory.
--
2.37.1
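Review bot: deleting oddjob-cve-2020-10737-reversal-option.patch as a standalone file removes the one file name in the tree that says a CVE fix is being made optional, while the same commit (71b0389f) is still applied: it reappears in this compare as [PATCH 1/2] prepended to another patch file, and the spec drops its `Patch0:` line. Keep a separate, CVE-named patch file, or add a comment next to the `Patch` entry that now carries it, so an audit of what deviates from the upstream CVE fix does not have to read through the combined series.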

@ -0,0 +1,28 @@
From 3d30f6fec556f2eb53671832ae47687ace1fc655 Mon Sep 17 00:00:00 2001
From: Yaakov Selkowitz <yselkowi@redhat.com>
Date: Wed, 13 Dec 2023 15:12:32 -0500
Subject: [PATCH] Fix build with libxml2-2.12.0
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.0
"Several cyclic dependencies in public header files were fixed. As a
result, certain headers won't include other headers as before."
---
src/oddjobd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/oddjobd.c b/src/oddjobd.c
index 44de748..fb63c02 100644
--- a/src/oddjobd.c
+++ b/src/oddjobd.c
@@ -47,6 +47,7 @@
#include <string.h>
#include <unistd.h>
#include <dbus/dbus.h>
+#include <libxml/globals.h>
#include <libxml/xmlreader.h>
#ifdef SELINUX_ACLS
#include <selinux/selinux.h>
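Review bot: the commit message quotes the libxml2 2.12.0 release note but does not say which declaration in oddjobd.c stopped being reachable through `<libxml/xmlreader.h>`, so the new `#include <libxml/globals.h>` cannot be checked against the actual use; name the symbol (or the compiler error) in the message so the next header reshuffle can be verified the same way. The include is unconditional, which is fine as long as the header is present in every libxml2 the package builds against, and it is placed before `xmlreader.h`, which is the order that reproduces the old transitive include.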
--
2.43.0

@ -1,3 +1,117 @@
From 71b0389fbb31833d827f5f0fec18880c2f602753 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 19 May 2022 13:52:22 +0300
Subject: [PATCH 1/2] mkhomedir: add support for pre-CVE-2020-10737 behavior
Pre-CVE-2020-10737 behavior was used to allow creating home directories
on NFS mounts when non-Kerberos authentication method is in use. This is
exactly the case where a race condition addressed by the CVE-2020-10737
fix could have happened. However, there are legit use cases where this
setup is needed.
Add '-f' option to mkhomedir helper to activate previous behavior. In
order to enable it, a change to oddjobd-mkhomedir.conf configuration
file is needed by explicitly adding '-f' option to the executable file
definition.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2050079
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/mkhomedir.c | 16 +++++++++++++---
src/oddjobd-mkhomedir.conf.5.in | 9 +++++++++
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/mkhomedir.c b/src/mkhomedir.c
index be85959..ac813a9 100644
--- a/src/mkhomedir.c
+++ b/src/mkhomedir.c
@@ -53,9 +53,11 @@ static const char *skel;
static const char *skel_dir;
static struct passwd *pwd;
static mode_t override_umask;
+static int owner_mkdir_first = 0;
#define FLAG_POPULATE (1 << 0)
#define FLAG_QUIET (1 << 1)
+#define FLAG_OWNER_MKDIR_FIRST (1 << 2)
/* Given the path of an item somewhere in the skeleton directory, create as
* identical as possible a copy in the destination tree. */
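Review bot: `owner_mkdir_first` duplicates state that is already carried in `flags`; a file-scope variable is unavoidable here because the nftw() callback `copy_single_item` cannot be passed extra arguments, but the declaration should say so in a comment and should name what the variable does (it re-enables the ordering the CVE-2020-10737 fix removed), so a later cleanup does not fold it back into `flags` and silently drop the `-f` path in the callback.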
@@ -158,7 +160,7 @@ copy_single_item(const char *source, const struct stat *sb,
* target user just yet to avoid potential race conditions
* involving symlink attacks when we copy over the skeleton
* tree. */
- if (status->level == 0) {
+ if (status->level == 0 && !owner_mkdir_first) {
uid = 0;
gid = 0;
}
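Review bot: the comment directly above the changed `if` ("don't give ownership to the target user just yet to avoid potential race conditions involving symlink attacks when we copy over the skeleton tree") now describes only the default path; with `owner_mkdir_first` set, the top-level directory is created with the target user's uid/gid before the skeleton is copied, which is exactly the window the comment warns about. Extend the comment to say that `-f` deliberately accepts that window, e.g. `/* ... unless -f was given, which restores the pre-CVE-2020-10737 ordering */`, so the condition and the comment agree.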
@@ -222,6 +224,9 @@ mkhomedir(const char *user, int flags)
pwd->pw_dir);
return HANDLER_INVALID_INVOCATION;
}
+ if (flags & FLAG_OWNER_MKDIR_FIRST) {
+ owner_mkdir_first = 1;
+ }
if ((lstat(pwd->pw_dir, &st) == -1) && (errno == ENOENT)) {
/* Figure out which location we're using as a
* template. */
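Review bot: `owner_mkdir_first` is only ever set to 1 here and never cleared, so if mkhomedir() runs more than once in one process, a call without FLAG_OWNER_MKDIR_FIRST that follows a call with it still takes the owner-first path. Assign it from the flag unconditionally so each invocation starts from its own flags: `owner_mkdir_first = (flags & FLAG_OWNER_MKDIR_FIRST) != 0;`.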
@@ -237,7 +242,7 @@ mkhomedir(const char *user, int flags)
int res = nftw(get_skel_dir(), copy_single_item, 5,
FTW_PHYS);
/* only now give ownership to the target user */
- if (res == 0) {
+ if (res == 0 && !owner_mkdir_first) {
res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
}
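Review bot: the comment `/* only now give ownership to the target user */` is wrong when `owner_mkdir_first` is set, because ownership was already given at mkdir time in `copy_single_item` and this chown is intentionally skipped; reword it to cover both cases (e.g. "in the default, root-first mode, only now give ownership to the target user") so the skipped chown does not read as a missing one.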
@@ -317,8 +322,11 @@ main(int argc, char **argv)
umask(override_umask);
skel_dir = "/etc/skel";
- while ((i = getopt(argc, argv, "nqs:u:")) != -1) {
+ while ((i = getopt(argc, argv, "nqfs:u:")) != -1) {
switch (i) {
+ case 'f':
+ flags |= FLAG_OWNER_MKDIR_FIRST;
+ break;
case 'n':
flags &= ~FLAG_POPULATE;
break;
@@ -339,6 +347,8 @@ main(int argc, char **argv)
break;
default:
fprintf(stderr, "Valid options:\n"
+ "-f\tCreate home directory initially owned by user, "
+ "not root. See man page for security issues.\n"
"-n\tDo not populate home directories, "
"just create them.\n"
"-q\tDo not print messages when creating "
diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
index d7a2429..6e35ad5 100644
--- a/src/oddjobd-mkhomedir.conf.5.in
+++ b/src/oddjobd-mkhomedir.conf.5.in
@@ -10,6 +10,15 @@ directory.
The mkhomedir helper itself accepts these options:
.TP
+-f
+Restore behavior before CVE-2020-10737 was fixed: create the home directory
+with user's ownership directly rather than create it as a root and only after
+populating it change to the user's ownership. The former behavior is insecure
+but may be used to allow creation of NFS-mounted home directories when
+non-Kerberos authentication is in use. It is prone for a race condition that
+could be exploited in the NFS-mounted home directories use case. To avoid
+CVE-2020-10737, do not use \fB-f\fR option in production environments.
+.TP
-q
Refrain from outputting the usual "Creating home directory..." message when it
creates a home directory.
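Review bot: grammar in the new man page paragraph: "create it as a root" should be "create it as root", "with user's ownership" should be "with the user's ownership", and "prone for a race condition" should be "prone to a race condition". The closing sentence ("do not use \fB-f\fR option in production environments") also contradicts the commit message, whose stated reason for the option is production NFS home directories without Kerberos; replace it with a statement of what the administrator accepts by enabling it (the race the CVE-2020-10737 fix closed is reachable again), consistent with the commit message, so the text gives a condition rather than a blanket prohibition that the option's own purpose violates.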
--
2.38.1
From b800e25258353dbb1a88506123c21ac3298fd2d0 Mon Sep 17 00:00:00 2001 From b800e25258353dbb1a88506123c21ac3298fd2d0 Mon Sep 17 00:00:00 2001
From: Carlos Santos <casantos@redhat.com> From: Carlos Santos <casantos@redhat.com>
Date: Tue, 18 Oct 2022 08:59:16 -0300 Date: Tue, 18 Oct 2022 08:59:16 -0300

@ -22,13 +22,15 @@
Name: oddjob Name: oddjob
Version: 0.34.7 Version: 0.34.7
Release: 7%{?dist} Release: 14%{?dist}
Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz
Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.asc Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.asc
Patch0: oddjob-cve-2020-10737-reversal-option.patch
Patch1: oddjob-override-mask-fix.patch Patch1: oddjob-override-mask-fix.patch
# Fix build with libxml2-2.12.0
# https://pagure.io/oddjob/pull-request/24
Patch2: oddjob-libxml2.patch
Summary: A D-Bus service which runs odd jobs on behalf of client applications Summary: A D-Bus service which runs odd jobs on behalf of client applications
License: BSD License: BSD-3-Clause
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: dbus-devel >= 0.22, dbus-x11, libselinux-devel, libxml2-devel BuildRequires: dbus-devel >= 0.22, dbus-x11, libselinux-devel, libxml2-devel
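Review bot: the `Patch0: oddjob-cve-2020-10737-reversal-option.patch` line is dropped while the reversal commit is still applied (in this same compare it is prepended as [PATCH 1/2] to the file listed under `Patch1:`), so the patch list no longer shows that a CVE fix is being made optional; either keep it as its own `Patch` entry or put a comment on `Patch1:` like the one given for `Patch2:` (`# Fix build with libxml2-2.12.0`) naming the CVE and the bug it resolves. The `License: BSD` to `BSD-3-Clause` change is the expected SPDX migration.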
@ -90,8 +92,8 @@ This package contains a trivial sample oddjob service.
%prep %prep
%setup -q %setup -q
%patch0 -p1
%patch1 -p1 %patch1 -p1
%patch -P2 -p1
%build %build
sample_flag= sample_flag=
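Review bot: %prep mixes the two `%patch` spellings (`%patch1 -p1` and `%patch -P2 -p1`); use `%patch -P1 -p1` for both, since the `%patchN` form is the one newer rpm releases deprecate and a single style avoids a second cleanup later.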
@ -190,7 +192,7 @@ touch -r src/oddjob-mkhomedir.conf.in $RPM_BUILD_ROOT/%{_sysconfdir}/dbus-1/syst
%post %post
if test $1 -eq 1 ; then if test $1 -eq 1 ; then
killall -HUP dbus-daemon >/dev/null 2>&1 killall -HUP dbus-daemon 2>&1 > /dev/null
fi fi
%if %{systemd} %if %{systemd}
%systemd_post oddjobd.service %systemd_post oddjobd.service
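Review bot: the i10cs side has `killall -HUP dbus-daemon 2>&1 > /dev/null`, which reorders the redirections: `2>&1` points stderr at the scriptlet's current stdout before stdout is sent to /dev/null, so killall's error messages are no longer silenced. The c9 ordering `>/dev/null 2>&1` is the correct one; according to the c9 changelog it was introduced in 0.34.7-5 ("Fix stdin redirection in RPM scripts", rhbz#2041585), and that fix is missing on this side.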
@ -205,7 +207,7 @@ fi
%endif %endif
%if %{sysvinit} %if %{sysvinit}
if [ $1 -gt 0 ] ; then if [ $1 -gt 0 ] ; then
/sbin/service oddjobd condrestart >/dev/null 2>&1 || : /sbin/service oddjobd condrestart 2>&1 > /dev/null || :
fi fi
%endif %endif
exit 0 exit 0
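Review bot: same redirection-order problem as in %post: `/sbin/service oddjobd condrestart 2>&1 > /dev/null || :` leaves stderr going to the scriptlet output; keep the c9 form `>/dev/null 2>&1 || :`.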
@ -216,7 +218,7 @@ exit 0
%endif %endif
%if %{sysvinit} %if %{sysvinit}
if [ $1 -eq 0 ] ; then if [ $1 -eq 0 ] ; then
/sbin/service oddjobd stop >/dev/null 2>&1 /sbin/service oddjobd stop > /dev/null 2>&1
/sbin/chkconfig --del oddjobd /sbin/chkconfig --del oddjobd
fi fi
%endif %endif
@ -243,7 +245,7 @@ if grep -q %{_libdir}/%{name}/mkhomedir $cfg ; then
sed -i 's^%{_libdir}/%{name}/mkhomedir^%{_libexecdir}/%{name}/mkhomedir^g' $cfg sed -i 's^%{_libdir}/%{name}/mkhomedir^%{_libexecdir}/%{name}/mkhomedir^g' $cfg
fi fi
if test $1 -eq 1 ; then if test $1 -eq 1 ; then
killall -HUP dbus-daemon >/dev/null 2>&1 killall -HUP dbus-daemon 2>&1 > /dev/null
fi fi
if [ -f /var/lock/subsys/oddjobd ] ; then if [ -f /var/lock/subsys/oddjobd ] ; then
%{dbus_send} --system --dest=com.redhat.oddjob /com/redhat/oddjob com.redhat.oddjob.reload %{dbus_send} --system --dest=com.redhat.oddjob /com/redhat/oddjob com.redhat.oddjob.reload
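Review bot: third occurrence of the `2>&1 > /dev/null` reordering, on the `killall -HUP dbus-daemon` in the mkhomedir subpackage's %post; apply the same `>/dev/null 2>&1` ordering here so all three scriptlets behave alike.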
@ -251,24 +253,47 @@ fi
exit 0 exit 0
%changelog %changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.34.7-14
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.34.7-13
- Rebuilt for MSVSphere 10
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.34.7-13
- Bump release for June 2024 mass rebuild
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Dec 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.34.7-10
- Fix build with libxml2-2.12.0
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 09 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-7 * Fri Dec 09 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-7
- Provide a switch to restore pre-CVE-2020-10737 behavior
- Always set the home directory permissions according to HOME_MODE - Always set the home directory permissions according to HOME_MODE
- Resolves: rhbz#2149988
* Thu Aug 18 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-6 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-6
- Add a non-default option to revert behavior for CVE-2020-10737 fix - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
- Resolved: rhbz#2119265
* Mon Feb 07 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.7-5 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-5
- Fix stdin redirection in RPM scripts - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Resolves: rhbz#2041585
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.34.7-4 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Related: rhbz#1991688
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.34.7-3 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.34.7-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-2 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.34.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
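Review bot: two changelog entries on the i10cs side carry the same EVR 0.34.7-13 (Mon Jun 24 2024 Troy Dawson and Fri Oct 25 2024 MSVSphere Packaging Team) below a top entry of -14 and `Release: 14%{?dist}`; a rebuild should bump the release rather than reuse it, otherwise two different builds are indistinguishable by version. Separately, the c9 entries for -4 through -7 carry `Resolves:`/`Related:` bug references (rhbz#2041585, rhbz#2119265, rhbz#2149988, rhbz#1991688, rhbz#1947937) that the i10cs lineage does not have; since this side keeps the reversal switch, the entry describing it should at least say which patch file now carries it.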
