From 09fe1c2523cf0a521330df00108896aee69ea0fb Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Thu, 13 Jun 2024 03:36:28 +0300
Subject: [PATCH] import rpm-ostree-2024.3-3.el9_4
---
 .gitignore | 2 +-
 .rpm-ostree.metadata | 2 +-
 ...0001-cliwrap-rpm-mark-eval-E-as-safe.patch | 56 ++++
 ...sswd-create-etc-g-shadow-with-mode-0.patch | 83 +++++
 ...0002-unit-chmod-etc-g-shadow-to-0000.patch | 79 +++++
 .../0003-shadow-Adjust-all-deployments.patch | 314 ++++++++++++++++++
 SPECS/rpm-ostree.spec | 59 +++-
 7 files changed, 588 insertions(+), 7 deletions(-)
 create mode 100644 SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
 create mode 100644 SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch
 create mode 100644 SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch
 create mode 100644 SOURCES/0003-shadow-Adjust-all-deployments.patch
diff --git a/.gitignore b/.gitignore
index 001c245..baf56a9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/rpm-ostree-2023.7.tar.xz
+SOURCES/rpm-ostree-2024.3.tar.xz
diff --git a/.rpm-ostree.metadata b/.rpm-ostree.metadata
index f3a8734..70ef8b8 100644
--- a/.rpm-ostree.metadata
+++ b/.rpm-ostree.metadata
@@ -1 +1 @@
-f1517a7a0d68d59b17694a8baadca6cf30739e7e SOURCES/rpm-ostree-2023.7.tar.xz
+dc6e0ea9f33f162b5ca2d1ea1cb79ec7f9f7d71c SOURCES/rpm-ostree-2024.3.tar.xz
diff --git a/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch b/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
new file mode 100644
index 0000000..ae137d0
--- /dev/null
+++ b/SOURCES/0001-cliwrap-rpm-mark-eval-E-as-safe.patch
@@ -0,0 +1,56 @@ +From d02993e30078db2a04820065ccbf22bd56d0d064 Mon Sep 17 00:00:00 2001 +From: Jonathan Lebon +Date: Thu, 22 Feb 2024 14:44:50 -0500 +Subject: [PATCH] cliwrap/rpm: mark `--eval`/`-E` as safe + +This is sometimes used in scripts to query aspects of the host system. +E.g. this is used by Fedora's pkg-config: + +https://src.fedoraproject.org/rpms/pkgconf/blob/95c0bbee/f/pkg-config.in#_6 + +This in turn gets hit by kdump which runs dracut which has modules that +runs `pkgconf` to query some directory paths. +--- + rust/src/cliwrap/rpm.rs | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/rust/src/cliwrap/rpm.rs b/rust/src/cliwrap/rpm.rs +index c6ed5901..3332f76c 100644 +--- a/rust/src/cliwrap/rpm.rs ++++ b/rust/src/cliwrap/rpm.rs +@@ -19,6 +19,12 @@ fn new_rpm_app() -> Command { + .long("version") + .action(clap::ArgAction::Version), + ) ++ .arg( ++ Arg::new("eval") ++ .long("eval") ++ .short('E') ++ .action(clap::ArgAction::Set), ++ ) + .arg( + Arg::new("package") + .help("package") +@@ -130,6 +136,19 @@ mod tests { + Ok(()) + } + ++ #[test] ++ fn test_eval() -> Result<()> { ++ assert_eq!( ++ disposition(SystemHostType::OstreeHost, &["-E", "%{_target_cpu}"])?, ++ RunDisposition::Ok ++ ); ++ assert_eq!( ++ disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}}"])?, ++ RunDisposition::Ok ++ ); ++ Ok(()) ++ } ++ + #[test] + fn test_query_file() -> Result<()> { + assert_eq!( +-- +2.43.2 + diff --git a/SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch b/SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch new file mode 100644 index 0000000..a4262ad --- /dev/null +++ b/SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch 
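Review bot: The second assertion in the added `test_eval` passes `--eval=%{_target_cpu}}` with an unbalanced closing brace, so it does not exercise the argument it appears to; `disposition` never expands the macro, which is why the test still passes. Suggest `disposition(SystemHostType::OstreeHost, &["--eval=%{_target_cpu}"])?` so the fixture matches the first assertion. The new `eval` Arg would also benefit from a one-line comment such as `// Read-only query: expands caller-supplied macro text without modifying the host` so a later reader knows "safe" here means non-mutating for the host rather than side-effect-free. Since this is an upstream backport the fix belongs upstream, but the backport should not carry the typo silently.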
@@ -0,0 +1,83 @@ +From ef2638c1ffd77bc6fd9a80a92c965b06a8f284df Mon Sep 17 00:00:00 2001 +From: Jonathan Lebon +Date: Tue, 19 Mar 2024 15:20:43 -0400 +Subject: [PATCH 1/3] passwd: create `/etc/[g]shadow` with mode 0 + +Because of how our composes work, we need to manually inject +passwd-related things before installing packages. A somewhat recent +regression in that area made it so that the `/etc/shadow` and +`/etc/gshadow` files were created with default permissions (0644), which +meant they were world readable. + +Fix this by explicitly setting their modes to 0. Ideally, we would rely +on the canonical permissions set in the `setup` package here, but it's +tricky to fix that without reworking how we install `setup` and handle +`passwd` treefile options. + +Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to +`etc/{passwd,group}`"). + +Fixes #4401 +--- + rust/src/passwd.rs | 14 ++++++++++++++ + tests/compose/libbasic-test.sh | 5 +++++ + 2 files changed, 19 insertions(+) + +diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs +index 821497d8..a64f6468 100644 +--- a/rust/src/passwd.rs ++++ b/rust/src/passwd.rs +@@ -418,6 +418,12 @@ fn write_data_from_treefile( + let db = rootfs.open(target_passwd_path).map(BufReader::new)?; + let shadow_name = target.shadow_file(); + let target_shadow_path = format!("{}{}", dest_path, shadow_name); ++ // Ideally these permissions come from `setup`, which is the package ++ // that owns these files: ++ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96 ++ // But at this point of the compose, the rootfs is completely empty; we ++ // haven't started unpacking things yet. So we need to hardcode it here. 
++ let shadow_perms = cap_std::fs::Permissions::from_mode(0); + + match target { + PasswdKind::User => { +@@ -427,6 +433,10 @@ fn write_data_from_treefile( + for user in entries { + writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?; + } ++ target_shadow ++ .get_mut() ++ .as_file_mut() ++ .set_permissions(shadow_perms)?; + Ok(()) + }) + .with_context(|| format!("Writing {target_shadow_path}"))?; +@@ -438,6 +448,10 @@ fn write_data_from_treefile( + for group in entries { + writeln!(target_shadow, "{}:::", group.name)?; + } ++ target_shadow ++ .get_mut() ++ .as_file_mut() ++ .set_permissions(shadow_perms)?; + Ok(()) + }) + .with_context(|| format!("Writing {target_shadow_path}"))?; +diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh +index 78ad72b1..df790e89 100644 +--- a/tests/compose/libbasic-test.sh ++++ b/tests/compose/libbasic-test.sh +@@ -22,6 +22,11 @@ validate_passwd group + ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt + assert_file_has_content_literal passwd.txt '00644 ' + ++ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt ++assert_file_has_content_literal shadow.txt '00000 ' ++ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt ++assert_file_has_content_literal gshadow.txt '00000 ' ++ + ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt + assert_file_has_content_literal useradd.txt HOME=/var/home + +-- +2.44.0 + diff --git a/SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch b/SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch new file mode 100644 index 0000000..95a665b --- /dev/null +++ b/SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch 
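Review bot: `set_permissions(shadow_perms)` runs only after the `writeln!` loop has filled the file, so between its creation (the `create`/`BufWriter` call sits outside this hunk) and the chmod the shadow file exists with the default mode; creating it with mode 0 up front via the Unix `OpenOptionsExt::mode(0)` would remove that window entirely, in both the `User` and `Group` arms. The exposure is small — this runs on a compose rootfs nothing else is reading yet, and the entries written are `*` placeholders rather than hashes — so this is hardening rather than a blocker. `write_data_from_treefile` starts and ends outside the hunk.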
@@ -0,0 +1,79 @@ +From 715298d909551b7d6b42ee6f9c38675f22034dde Mon Sep 17 00:00:00 2001 +From: jbtrystram +Date: Thu, 21 Mar 2024 17:27:21 +0100 +Subject: [PATCH 2/3] unit: chmod /etc/[g]shadow[-] to 0000 + +fdb879c introduced a regression where /etc/[g]shadow[-] files where +created with default permissions: 0644 + +This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000 +before interactive login is allowed on a system. + +This will fix the systems that were deployed with the above issue. + +We keep the stamp in /etc to account for the case where a deployment +with this unit is rolled back. If we used /var, the stamp would have +stayed but the fix would not be re-applied on the next update. +--- + Makefile-daemon.am | 1 + + packaging/rpm-ostree.spec.in | 5 +++++ + src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++ + 3 files changed, 25 insertions(+) + create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service + +diff --git a/Makefile-daemon.am b/Makefile-daemon.am +index 4233d90d..f96f49a9 100644 +--- a/Makefile-daemon.am ++++ b/Makefile-daemon.am +@@ -60,6 +60,7 @@ systemdunit_service_file_names = \ + rpm-ostreed-automatic.service \ + rpm-ostree-bootstatus.service \ + rpm-ostree-countme.service \ ++ rpm-ostree-fix-shadow-mode.service \ + $(NULL) + + systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names)) +diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in +index e83db7f3..cbe3e031 100644 +--- a/packaging/rpm-ostree.spec.in ++++ b/packaging/rpm-ostree.spec.in +@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \ + # Setup rpm-ostree-countme.timer according to presets + %post + %systemd_post rpm-ostree-countme.timer ++# Only enable on rpm-ostree based systems and manually force unit enablement to ++# explicitly ignore presets for this security fix ++if [ -e /run/ostree-booted ]; then ++ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service 
/usr/lib/systemd/system/multi-user.target.wants/ ++fi + + %preun + %systemd_preun rpm-ostree-countme.timer +diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service +new file mode 100644 +index 00000000..4aea7462 +--- /dev/null ++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service +@@ -0,0 +1,19 @@ ++[Unit] ++# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`. ++# This makes sure to fix permissions on systems that were deployed with the wrong permissions. ++Description=Update permissions for /etc/shadow ++Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6 ++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp ++ConditionPathExists=/run/ostree-booted ++# Make sure this is started before any unprivileged (interactive) user has access to the system. ++Before=systemd-user-sessions.service ++ ++[Service] ++Type=oneshot ++ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow ++ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow- ++ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp ++RemainAfterExit=yes ++ ++[Install] ++WantedBy=multi-user.target +-- +2.44.0 + diff --git a/SOURCES/0003-shadow-Adjust-all-deployments.patch b/SOURCES/0003-shadow-Adjust-all-deployments.patch new file mode 100644 index 0000000..b320e87 --- /dev/null +++ b/SOURCES/0003-shadow-Adjust-all-deployments.patch 
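Review bot: The `%post` added to `packaging/rpm-ostree.spec.in` creates the `multi-user.target.wants` symlink with `ln -snf` but nothing ever removes it: there is no matching `%preun`/`%postun` and the link is not in `%files`, so it will dangle once a later build stops shipping `rpm-ostree-fix-shadow-mode.service` and it is invisible to `rpm -V`. The `%post` added to `SPECS/rpm-ostree.spec` in this commit has the same gap. A `%preun` of the form `[ $1 -eq 0 ] && rm -f /usr/lib/systemd/system/multi-user.target.wants/rpm-ostree-fix-shadow-mode.service` (or at least a comment stating the link is deliberately unowned) would keep the tree consistent. The `[ -e /run/ostree-booted ]` gate also presumes the compose scriptlet sandbox exposes that marker; if it does not, freshly composed trees never get the unit enabled, so that is worth confirming.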
@@ -0,0 +1,314 @@ +From 1ec5618144e2d5e76caedba9cdcddb2d7ca1d8f7 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Fri, 12 Apr 2024 12:59:54 -0400 +Subject: [PATCH 3/3] shadow: Adjust all deployments + +It was pointed out that in the previous change here we missed +the fact that the previous deployments were accessible. + +- Move the logic into Rust, adding unit tests +- Change the code to iterate over all deployments +- Add an integration test too + +Note: A likely future enhancement here will be to finally +deny unprivileged access to non-default roots; cc +https://github.com/ostreedev/ostree/issues/3211 +--- + rust/src/lib.rs | 2 +- + rust/src/main.rs | 1 + + rust/src/passwd.rs | 124 ++++++++++++++++++ + src/daemon/rpm-ostree-fix-shadow-mode.service | 12 +- + tests/kolainst/destructive/shadow | 80 +++++++++++ + 5 files changed, 214 insertions(+), 5 deletions(-) + create mode 100755 tests/kolainst/destructive/shadow + +diff --git a/rust/src/lib.rs b/rust/src/lib.rs +index e244158b..a65e669b 100644 +--- a/rust/src/lib.rs ++++ b/rust/src/lib.rs +@@ -979,7 +979,7 @@ mod normalization; + mod origin; + mod ostree_prepareroot; + pub(crate) use self::origin::*; +-mod passwd; ++pub mod passwd; + use passwd::*; + mod console_progress; + pub(crate) use self::console_progress::*; +diff --git a/rust/src/main.rs b/rust/src/main.rs +index 5a3c04d0..bf10d45d 100644 +--- a/rust/src/main.rs ++++ b/rust/src/main.rs +@@ -28,6 +28,7 @@ async fn inner_async_main(args: Vec) -> Result { + match *arg { + // Add custom Rust commands here, and also in `libmain.cxx` if user-visible. + "countme" => rpmostree_rust::countme::entrypoint(args).map(|_| 0), ++ "fix-shadow-perms" => rpmostree_rust::passwd::fix_shadow_perms_entrypoint(args).map(|_| 0), + "cliwrap" => rpmostree_rust::cliwrap::entrypoint(args).map(|_| 0), + // A hidden wrapper to intercept some binaries in RPM scriptlets. 
+ "scriptlet-intercept" => builtins::scriptlet_intercept::entrypoint(args).map(|_| 0), +diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs +index a64f6468..f0a6da31 100644 +--- a/rust/src/passwd.rs ++++ b/rust/src/passwd.rs +@@ -30,6 +30,10 @@ const DEFAULT_MODE: u32 = 0o644; + static DEFAULT_PERMS: Lazy = Lazy::new(|| Permissions::from_mode(DEFAULT_MODE)); + static PWGRP_SHADOW_FILES: &[&str] = &["shadow", "gshadow", "subuid", "subgid"]; + static USRLIB_PWGRP_FILES: &[&str] = &["passwd", "group"]; ++// This stamp file signals the original fix which only changed the booted deployment ++const SHADOW_MODE_FIXED_STAMP_OLD: &str = "etc/.rpm-ostree-shadow-mode-fixed.stamp"; ++// And this one is written by the newer logic that changes all deployments ++const SHADOW_MODE_FIXED_STAMP: &str = "etc/.rpm-ostree-shadow-mode-fixed2.stamp"; + + // Lock/backup files that should not be in the base commit (TODO fix). + static PWGRP_LOCK_AND_BACKUP_FILES: &[&str] = &[ +@@ -363,6 +367,86 @@ impl PasswdKind { + } + } + ++/// Due to a prior bug, the build system had some deployments with a world-readable ++/// shadow file. This fixes a given deployment. ++#[context("Fixing shadow permissions")] ++pub(crate) fn fix_shadow_perms_in_root(root: &Dir) -> Result { ++ let zero_perms = Permissions::from_mode(0); ++ let mut changed = false; ++ for path in ["etc/shadow", "etc/shadow-", "etc/gshadow", "etc/gshadow-"] { ++ let metadata = if let Some(meta) = root ++ .symlink_metadata_optional(path) ++ .context("Querying metadata")? 
++ { ++ meta ++ } else { ++ tracing::debug!("No path {path}"); ++ continue; ++ }; ++ let mode = metadata.mode() & !libc::S_IFMT; ++ // Don't touch the file if it's already correct ++ if mode == 0 { ++ continue; ++ } ++ let f = root.open(path).with_context(|| format!("Opening {path}"))?; ++ f.set_permissions(zero_perms.clone()) ++ .with_context(|| format!("chmod: {path}"))?; ++ println!("Adjusted mode for {path}"); ++ changed = true; ++ } ++ // Write our stamp file ++ root.write(SHADOW_MODE_FIXED_STAMP, "") ++ .context(SHADOW_MODE_FIXED_STAMP)?; ++ // And clean up the old one ++ root.remove_file_optional(SHADOW_MODE_FIXED_STAMP_OLD) ++ .with_context(|| format!("Removing old {SHADOW_MODE_FIXED_STAMP_OLD}"))?; ++ Ok(changed) ++} ++ ++/// Due to a prior bug, the build system had some deployments with a world-readable ++/// shadow file. This fixes all deployments. ++pub(crate) fn fix_shadow_perms_in_sysroot(sysroot: &ostree::Sysroot) -> Result { ++ let deployments = sysroot.deployments(); ++ // TODO add a nicer api for this to ostree-rs ++ let sysroot_fd = ++ Dir::reopen_dir(unsafe { &std::os::fd::BorrowedFd::borrow_raw(sysroot.fd()) })?; ++ let mut changed = false; ++ for deployment in deployments { ++ let path = sysroot.deployment_dirpath(&deployment); ++ let dir = sysroot_fd.open_dir(&path)?; ++ if fix_shadow_perms_in_root(&dir) ++ .with_context(|| format!("Deployment index={}", deployment.index()))? ++ { ++ println!( ++ "Adjusted shadow files in deployment index={} {}.{}", ++ deployment.index(), ++ deployment.csum(), ++ deployment.bootserial() ++ ); ++ changed = true; ++ } ++ } ++ Ok(changed) ++} ++ ++/// The main entrypoint for updating /etc/{,g}shadow permissions across ++/// all deployments. 
++pub fn fix_shadow_perms_entrypoint(_args: &[&str]) -> Result<()> { ++ let cancellable = gio::Cancellable::NONE; ++ let sysroot = ostree::Sysroot::new_default(); ++ sysroot.set_mount_namespace_in_use(); ++ sysroot.lock()?; ++ sysroot.load(cancellable)?; ++ let changed = fix_shadow_perms_in_sysroot(&sysroot)?; ++ if changed { ++ // We already printed per deployment, so this one is just ++ // a debug-level log. ++ tracing::debug!("Updated shadow/gshadow permissions"); ++ } ++ sysroot.unlock(); ++ Ok(()) ++} ++ + // This function writes the static passwd/group data from the treefile to the + // target root filesystem. + fn write_data_from_treefile( +@@ -1070,3 +1154,43 @@ impl PasswdEntries { + Ok(()) + } + } ++ ++#[test] ++fn test_shadow_perms() -> Result<()> { ++ let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?; ++ root.create_dir("etc")?; ++ root.write("etc/shadow", "some shadow")?; ++ root.write("etc/gshadow", "some gshadow")?; ++ root.set_permissions("etc/gshadow", Permissions::from_mode(0))?; ++ ++ assert!(fix_shadow_perms_in_root(root)?); ++ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?); ++ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?); ++ // Verify idempotence ++ assert!(!fix_shadow_perms_in_root(root)?); ++ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?); ++ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?); ++ ++ Ok(()) ++} ++ ++#[test] ++/// Verify the scenario of updating from a previously fixed root ++fn test_shadow_perms_from_orig_fix() -> Result<()> { ++ let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?; ++ root.create_dir("etc")?; ++ root.write("etc/shadow", "some shadow")?; ++ root.set_permissions("etc/shadow", Permissions::from_mode(0))?; ++ root.write("etc/gshadow", "some gshadow")?; ++ root.set_permissions("etc/gshadow", Permissions::from_mode(0))?; ++ // Write the original stamp file ++ root.write(SHADOW_MODE_FIXED_STAMP_OLD, "")?; ++ ++ // No changes ++ 
assert!(!fix_shadow_perms_in_root(root)?); ++ // Except we should have updated to the new stamp file ++ assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?); ++ assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?); ++ ++ Ok(()) ++} +diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service +index 4aea7462..121bc74e 100644 +--- a/src/daemon/rpm-ostree-fix-shadow-mode.service ++++ b/src/daemon/rpm-ostree-fix-shadow-mode.service +@@ -3,17 +3,21 @@ + # This makes sure to fix permissions on systems that were deployed with the wrong permissions. + Description=Update permissions for /etc/shadow + Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6 +-ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp ++# This new stamp file is written by the Rust code, and obsoletes ++# the old /etc/.rpm-ostree-shadow-mode-fixed.stamp ++ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp + ConditionPathExists=/run/ostree-booted ++# Because we read the sysroot ++RequiresMountsFor=/boot + # Make sure this is started before any unprivileged (interactive) user has access to the system. + Before=systemd-user-sessions.service + + [Service] + Type=oneshot +-ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow +-ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow- +-ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp ++ExecStart=rpm-ostree fix-shadow-perms + RemainAfterExit=yes ++# So we can remount /sysroot writable in our own namespace ++MountFlags=slave + + [Install] + WantedBy=multi-user.target +diff --git a/tests/kolainst/destructive/shadow b/tests/kolainst/destructive/shadow +new file mode 100755 +index 00000000..7caf84c0 +--- /dev/null ++++ b/tests/kolainst/destructive/shadow +@@ -0,0 +1,80 @@ ++#!/bin/bash ++# ++# Copyright (C) 2024 Red Hat Inc. 
++# ++# This library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public ++# License as published by the Free Software Foundation; either ++# version 2 of the License, or (at your option) any later version. ++# ++# This library is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public ++# License along with this library; if not, write to the ++# Free Software Foundation, Inc., 59 Temple Place - Suite 330, ++# Boston, MA 02111-1307, USA. ++ ++set -euo pipefail ++ ++. ${KOLA_EXT_DATA}/libtest.sh ++ ++set -x ++ ++cd $(mktemp -d) ++ ++service=rpm-ostree-fix-shadow-mode.service ++stamp=/etc/.rpm-ostree-shadow-mode-fixed2.stamp ++ ++case "${AUTOPKGTEST_REBOOT_MARK:-}" in ++"") ++ ++libtest_prepare_fully_offline ++libtest_enable_repover 0 ++ ++systemctl status ${service} || true ++rm -vf /etc/.rpm-ostree-shadow-mode* ++chmod 0644 /etc/gshadow ++ ++# Verify running the service once fixes things ++systemctl restart $service ++assert_has_file "${stamp}" ++assert_streq "$(stat -c '%f' /etc/gshadow)" 8000 ++ ++# Now *undo* the fix, so that the current (then old) deployment ++# is broken still, and ensure after reboot that it's fixed ++# in both. 
++ ++chmod 0644 /etc/gshadow ++rm -vf /etc/.rpm-ostree* ++ ++booted_commit=$(rpm-ostree status --json | jq -r '.deployments[0].checksum') ++ostree refs ${booted_commit} --create vmcheck2 ++rpm-ostree rebase :vmcheck2 ++ ++/tmp/autopkgtest-reboot "1" ++;; ++"1") ++ ++systemctl status $service ++assert_has_file "${stamp}" ++ ++verified=0 ++for f in $(ls /ostree/deploy/*/deploy/*/etc/{,g}shadow{,-}); do ++ verified=$(($verified + 1)) ++ assert_streq "$(stat -c '%f' $f)" 8000 ++ echo "ok ${f}" ++done ++assert_streq "$verified" 8 ++ ++journalctl -b -u $service --grep="Adjusted shadow files in deployment" | tee out.txt ++assert_streq "$(wc -l < out.txt)" 2 ++ ++echo "ok shadow" ++ ++;; ++*) echo "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}"; exit 1;; ++ ++esac +-- +2.44.0 +
diff --git a/SPECS/rpm-ostree.spec b/SPECS/rpm-ostree.spec
index bacec67..5709341 100644
--- a/SPECS/rpm-ostree.spec
+++ b/SPECS/rpm-ostree.spec
@@ -3,14 +3,19 @@ Summary: Hybrid image/package system
 Name: rpm-ostree
-Version: 2023.7
-Release: 1%{?dist}
+Version: 2024.3
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
 # in the upstream git. It also contains vendored Rust sources.
 Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
+Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch
+Patch1: 0001-passwd-create-etc-g-shadow-with-mode-0.patch
+Patch2: 0002-unit-chmod-etc-g-shadow-to-0000.patch
+Patch3: 0003-shadow-Adjust-all-deployments.patch
+
 ExclusiveArch: %{rust_arches}
 BuildRequires: make
@@ -39,7 +44,7 @@ BuildRequires: rust
 %endif
 # For the autofiles bits below
-BuildRequires: /usr/bin/python3
+BuildRequires: python3-devel
 # We always run autogen.sh
 BuildRequires: autoconf automake libtool git
 # For docs
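Review bot: `fix_shadow_perms_in_root` writes `SHADOW_MODE_FIXED_STAMP` at the end of each deployment it processes, so if `fix_shadow_perms_in_sysroot` fails on a later deployment (its `open_dir` or a chmod), the deployments already handled — possibly the booted one — are stamped and `ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp` keeps the unit from retrying on the next boot, leaving the remaining deployments world-readable until one of them is booted. Splitting the stamp write out of `fix_shadow_perms_in_root` into a helper that `fix_shadow_perms_in_sysroot` calls for every deployment only after the loop has completed would make the stamp mean "all deployments fixed" rather than "this one". The `unsafe { &std::os::fd::BorrowedFd::borrow_raw(sysroot.fd()) }` block has no safety comment; suggest `// SAFETY: the Sysroot owns this fd and outlives the borrow, which is dropped before the function returns`. Separately, `fix_shadow_perms_entrypoint` skips `sysroot.unlock()` on every `?` error path; presumably the lock is released at process exit, but an explicit unlock or scope guard would document that.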
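Review bot: The four `PatchN:` lines are added, but the diff does not show `%prep`, so whether they are actually applied depends on it using `%autosetup` (or `%autopatch`) rather than a plain `%setup`; if it is the latter, explicit `%patch -P0 -p1` … lines (or a switch to `%autosetup -p1`) are needed, otherwise the build silently ships the unpatched 2024.3 tarball with a changelog claiming the advisory backport. A comment above `Patch0` recording that the three shadow patches are the GHSA-2m76-cwhg-7wv6 backport and that `0001-cliwrap-…` is an unrelated upstream fix would also help, since the file names alone do not convey that.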
@@ -200,8 +205,8 @@ for line in sys.argv[1:]:
 else:
 sys.stderr.write('{0} did not match any files\n'.format(line))
 EOF
-PYTHON=python3
-if ! test -x /usr/bin/python3; then
+PYTHON='%{python3}'
+if ! test -x '%{python3}'; then
 PYTHON=python2
 fi
 $PYTHON autofiles.py > files \
@@ -229,6 +234,13 @@ $PYTHON autofiles.py > files.devel \
 '%{_datadir}/gtk-doc/html/*' \
 '%{_datadir}/gir-1.0/*-1.0.gir'
+%post
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
+fi
+
 %files -f files
 %doc COPYING.GPL COPYING.LGPL LICENSE README.md
@@ -237,6 +249,43 @@ $PYTHON autofiles.py > files.devel \
 %files devel -f files.devel
 %changelog
+* Tue Apr 16 2024 Joseph Marrero - 2024.3-3
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+ Resolves: #RHEL-31852
+
+* Fri Apr 05 2024 Joseph Marrero - 2024.3-2
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+ Resolves: #RHEL-31852
+
+* Sun Feb 25 2024 Joseph Marrero - 2024.3-1
+- https://github.com/coreos/rpm-ostree/releases/tag/v2024.3
+ Backport https://github.com/coreos/rpm-ostree/commit/fe586621e5014d14f92b913338171a02ed29e6cc
+ Resolves: #RHEL-26186
+
+* Wed Jan 24 2024 Joseph Marrero - 2024.2-1
+- https://github.com/coreos/rpm-ostree/releases/tag/v2024.2
+ Resolves: #RHEL-11294
+
+* Wed Jan 03 2024 Colin Walters - 2024.1-2
+- https://github.com/coreos/rpm-ostree/releases/tag/v2024.1
+ Resolves: #RHEL-11294
+
+* Mon Dec 18 2023 Joseph Marrero - 2023.12-1
+- https://github.com/coreos/rpm-ostree/releases/tag/v2023.12
+ Resolves: #RHEL-11294
+
+* Wed Dec 13 2023 Joseph Marrero - 2023.11-1
+- https://github.com/coreos/rpm-ostree/releases/tag/v2023.11
+ Resolves: #RHEL-11294
+
+* Thu Oct 05 2023 Joseph Marrero - 2023.8-3
+- Use python macros and devel package
+ Resolves: #RHEL-11892
+
+* Mon Oct 02 2023 Colin Walters - 2023.8-2
+- https://github.com/coreos/rpm-ostree/releases/tag/v2023.8
+ https://issues.redhat.com/browse/RHEL-11294
+
 * Sat Aug 26 2023 Joseph Marrero - 2023.7-1
 - https://github.com/coreos/rpm-ostree/releases/tag/v2023.7
 Resolves: rhbz#2234352