Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2016-09-05 21:13:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp"
Changes:
--------
--- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2016-06-13 21:54:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2016-09-05 21:13:34.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Aug 25 07:22:49 UTC 2016 - josef.moellers@suse.com
+
+- Make the resolver task change user and group IDs to the same
+ values as the main task. (bnc#988028, ntp-usrgrp-resolver.patch)
+
+-------------------------------------------------------------------
New:
----
 ntp-usrgrp-resolver.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ntp.spec ++++++
--- /var/tmp/diff_new_pack.ZmuaBz/_old 2016-09-05 21:13:36.000000000 +0200
+++ /var/tmp/diff_new_pack.ZmuaBz/_new 2016-09-05 21:13:36.000000000 +0200
@@ -57,6 +57,7 @@
 Patch22: ntp-sigchld.patch
 Patch23: ntp-processname.patch
 Patch24: ntp-daemonize.patch
+Patch25: ntp-usrgrp-resolver.patch
 BuildRequires: autoconf
 BuildRequires: avahi-compat-mDNSResponder-devel
@@ -130,6 +131,7 @@
 %patch22 -p1
 %patch23
 %patch24
+%patch25 -p1
 # fix DOS line breaks
 sed -i 's/\r//g' html/scripts/{footer.txt,style.css}
++++++ ntp-usrgrp-resolver.patch ++++++
Index: ntp-4.2.8p8/libntp/work_fork.c
===================================================================
--- ntp-4.2.8p8.orig/libntp/work_fork.c
+++ ntp-4.2.8p8/libntp/work_fork.c
@@ -33,6 +33,9 @@ static RETSIGTYPE worker_sighup(int);
 static void send_worker_home_atexit(void);
 static void cleanup_after_child(blocking_child *);
+# pragma weak set_user_group_ids
+void set_user_group_ids(void);
+
 /* === functions === */
 /*
 * exit_worker()
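Review bot: The prototype added in libntp/work_fork.c, `void set_user_group_ids(void);`, disagrees with the definition the same patch adds in ntpd/ntpd.c, which is `int set_user_group_ids()` and returns 0 when a privilege-drop call fails. Calling a function through a declaration with a different return type is undefined behaviour, and the `void` form also hides the failure status from the caller. Declare it as `int set_user_group_ids(void);`, preferably in a header that ntpd.c also includes so the compiler checks both sides. Because the symbol is weak, it also deserves a comment that programs linking libntp without ntpd.c get no privilege drop in the worker at all.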
@@ -494,6 +497,8 @@ fork_blocking_child(
 c->pid = getpid();
 worker_process = TRUE;
+ if (NULL != &set_user_group_ids)
+ set_user_group_ids();
 /*
 * Change the process name of the child to avoid confusion
 * about ntpd trunning twice.
Index: ntp-4.2.8p8/ntpd/ntpd.c
===================================================================
--- ntp-4.2.8p8.orig/ntpd/ntpd.c
+++ ntp-4.2.8p8/ntpd/ntpd.c
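Review bot: The result of `set_user_group_ids()` is discarded in the forked child, so a failed privilege drop goes unnoticed. When `initgroups()`, `setgid()` or `setuid()` fails, the function (as defined in ntpd/ntpd.c in this patch) logs and returns 0, and the resolver worker carries on with whatever IDs it inherited, possibly root. A privilege drop should fail closed: once the prototype returns `int`, something like `if (NULL != &set_user_group_ids && !set_user_group_ids() && 0 == geteuid()) exit(1);` ends the worker if it is still root after a failed drop. The `geteuid()` test is there because a worker forked after the main process has already dropped root would presumably fail `initgroups()` with EPERM, which is harmless. fork_blocking_child() begins and ends outside this hunk.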
@@ -518,6 +518,211 @@ set_process_priority(void)
 }
 #endif /* !SIM */
+#ifndef SIM
+static int
+detach_from_terminal(
+ int pipe_fds[2],
+ long wait_sync,
+ const char *logfilename
+ )
+{
+# ifndef HAVE_WORKING_FORK
+ return 0;
+# else
+ int rc;
+ int exit_code;
+# if !defined(HAVE_SETSID) && !defined(HAVE_SETPGID) && defined(TIOCNOTTY)
+ int fid;
+# endif /* TIOCNOTTY */
+# ifdef _AIX
+ struct sigaction sa;
+# endif
+
+ rc = fork();
+ if (-1 == rc) {
+ exit_code = (errno) ? errno : -1;
+ msyslog(LOG_ERR, "fork: %m");
+ return exit_code;
+ }
+ if (rc > 0) {
+ /* parent */
+ exit_code = wait_child_sync_if(pipe_fds[0],
+ wait_sync);
+ return exit_code;
+ }
+
+ /*
+ * child/daemon
+ * close all open files excepting waitsync_fd_to_close.
+ * msyslog() unreliable until after init_logging().
+ */
+ closelog();
+ if (syslog_file != NULL) {
+ fclose(syslog_file);
+ syslog_file = NULL;
+ syslogit = TRUE;
+ }
+ close_all_except(waitsync_fd_to_close);
+ INSIST(0 == open("/dev/null", 0) && 1 == dup2(0, 1) \
+ && 2 == dup2(0, 2));
+
+ init_logging(progname, 0, TRUE);
+ /* we lost our logfile (if any) daemonizing */
+ setup_logfile(logfilename);
+
+# ifdef SYS_DOMAINOS
+ {
+ uid_$t puid;
+ status_$t st;
+
+ proc2_$who_am_i(&puid);
+ proc2_$make_server(&puid, &st);
+ }
+# endif /* SYS_DOMAINOS */
+# ifdef HAVE_SETSID
+ if (setsid() == (pid_t)-1)
+ msyslog(LOG_ERR, "setsid(): %m");
+# elif defined(HAVE_SETPGID)
+ if (setpgid(0, 0) == -1)
+ msyslog(LOG_ERR, "setpgid(): %m");
+# else /* !HAVE_SETSID && !HAVE_SETPGID follows */
+# ifdef TIOCNOTTY
+ fid = open("/dev/tty", 2);
+ if (fid >= 0) {
+ ioctl(fid, (u_long)TIOCNOTTY, NULL);
+ close(fid);
+ }
+# endif /* TIOCNOTTY */
+ ntp_setpgrp(0, getpid());
+# endif /* !HAVE_SETSID && !HAVE_SETPGID */
+# ifdef _AIX
+ /* Don't get killed by low-on-memory signal. */
+ sa.sa_handler = catch_danger;
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = SA_RESTART;
+ sigaction(SIGDANGER, &sa, NULL);
+# endif /* _AIX */
+# endif /* HAVE_WORKING_FORK */
+
+ return 0;
+}
+
+/*
+ * Map user name/number to user ID
+*/
+static int
+map_user(
+ )
+{
+ if (isdigit((unsigned char)*user)) {
+ sw_uid = (uid_t)strtoul(user, &endp, 0);
+ if (*endp != '\0')
+ goto getuser;
+
+ if ((pw = getpwuid(sw_uid)) != NULL) {
+ free(user);
+ user = estrdup(pw->pw_name);
+ sw_gid = pw->pw_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find user ID %s", user);
+ return 0;
+ }
+
+ } else {
+getuser:
+ errno = 0;
+ if ((pw = getpwnam(user)) != NULL) {
+ sw_uid = pw->pw_uid;
+ sw_gid = pw->pw_gid;
+ } else {
+ if (errno)
+ msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
+ else
+ msyslog(LOG_ERR, "Cannot find user `%s'", user);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+/*
+ * Map group name/number to group ID
+*/
+static int
+map_group(
+ )
+{
+ if (isdigit((unsigned char)*group)) {
+ sw_gid = (gid_t)strtoul(group, &endp, 0);
+ if (*endp != '\0')
+ goto getgroup;
+ } else {
+getgroup:
+ if ((gr = getgrnam(group)) != NULL) {
+ sw_gid = gr->gr_gid;
+ } else {
+ errno = 0;
+ msyslog(LOG_ERR, "Cannot find group `%s'", group);
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+/*
+ * change (effective) user and group IDs, also initialize the supplementary group access list
+ */
+int
+set_user_group_ids(
+ )
+{
+ if (NULL != user && 0 == sw_uid) {
+ if (0 == map_user())
+ exit (-1);
+ }
+ if (NULL != group != NULL && 0 == sw_gid) {
+ if (0 == map_group())
+ exit (-1);
+ }
+
+ if (user && initgroups(user, sw_gid)) {
+ msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
+ return 0;
+ }
+ if (group && setgid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
+ return 0;
+ }
+ if (group && setegid(sw_gid)) {
+ msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
+ return 0;
+ }
+ if (group) {
+ if (0 != setgroups(1, &sw_gid)) {
+ msyslog(LOG_ERR, "setgroups(1, %d) failed: %m", sw_gid);
+ return 0;
+ }
+ }
+ else if (pw)
+ if (0 != initgroups(pw->pw_name, pw->pw_gid)) {
+ msyslog(LOG_ERR, "initgroups(<%s>, %d) filed: %m", pw->pw_name, pw->pw_gid);
+ return 0;
+ }
+ if (user && setuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
+ return 0;
+ }
+ if (user && seteuid(sw_uid)) {
+ msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
+ return 0;
+ }
+
+ return 1;
+}
+#endif /* !SIM */
 /*
 * Main program. Initialize us, disconnect us from the tty if necessary,
@@ -542,13 +747,8 @@ ntpdmain(
 # if defined(HAVE_WORKING_FORK)
 long wait_sync = 0;
 int pipe_fds[2];
- int rc;
 int exit_code;
-# ifdef _AIX
- struct sigaction sa;
-# endif
 # if !defined(HAVE_SETSID) && !defined (HAVE_SETPGID) && defined(TIOCNOTTY)
- int fid;
 # endif
 # endif /* HAVE_WORKING_FORK*/
 # ifdef SCO5_CLOCK
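Review bot: In set_user_group_ids(), the test `if (NULL != group != NULL && 0 == sw_gid)` is mistyped and, as far as the visible code shows, wrong in effect. `NULL != group != NULL` parses as `(NULL != group) != NULL`, comparing an int with a pointer constant. And because map_user() has just stored `pw->pw_gid` in `sw_gid`, the `0 == sw_gid` guard is normally false whenever a user is configured, so map_group() is skipped and the later `setgid(sw_gid)` and `setgroups(1, &sw_gid)` use the user's primary group rather than the requested one. The code this patch removes from ntpdmain() always let the group lookup override `sw_gid`. Write the condition as `if (NULL != group && !ids_mapped)` with a dedicated static flag (`ids_mapped` is a suggested name; 0 is a legitimate uid/gid and cannot double as "not yet mapped"), and use the same flag in place of the `0 == sw_uid` test above it.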
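Review bot: After this hunk `wait_sync`, `pipe_fds` and `exit_code` are still declared only under `# if defined(HAVE_WORKING_FORK)`, but the call added in the later `if (!nofork)` hunk, `detach_from_terminal(pipe_fds, wait_sync, logfilename)`, is no longer inside that guard. detach_from_terminal() has an explicit `# ifndef HAVE_WORKING_FORK` branch, so builds without a working fork() seem intended to work, yet they would fail to compile on the undeclared names. Either keep the call under `# ifdef HAVE_WORKING_FORK` or move the three declarations out of the guard. The now-empty `# if !defined(HAVE_SETSID) && !defined (HAVE_SETPGID) && defined(TIOCNOTTY)` / `# endif` pair can be deleted. ntpdmain() continues outside the hunk.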
@@ -730,73 +930,8 @@ ntpdmain(
 * Detach us from the terminal. May need an #ifndef GIZMO.
 */
 if (!nofork) {
-
-# ifdef HAVE_WORKING_FORK
- rc = fork();
- if (-1 == rc) {
- exit_code = (errno) ? errno : -1;
- msyslog(LOG_ERR, "fork: %m");
- exit(exit_code);
- }
- if (rc > 0) {
- /* parent */
- exit_code = wait_child_sync_if(pipe_fds[0],
- wait_sync);
- exit(exit_code);
- }
-
- /*
- * child/daemon
- * close all open files excepting waitsync_fd_to_close.
- * msyslog() unreliable until after init_logging().
- */
- closelog();
- if (syslog_file != NULL) {
- fclose(syslog_file);
- syslog_file = NULL;
- syslogit = TRUE;
- }
- close_all_except(waitsync_fd_to_close);
- INSIST(0 == open("/dev/null", 0) && 1 == dup2(0, 1) \
- && 2 == dup2(0, 2));
-
- init_logging(progname, 0, TRUE);
- /* we lost our logfile (if any) daemonizing */
- setup_logfile(logfilename);
-
-# ifdef SYS_DOMAINOS
- {
- uid_$t puid;
- status_$t st;
-
- proc2_$who_am_i(&puid);
- proc2_$make_server(&puid, &st);
- }
-# endif /* SYS_DOMAINOS */
-# ifdef HAVE_SETSID
- if (setsid() == (pid_t)-1)
- msyslog(LOG_ERR, "setsid(): %m");
-# elif defined(HAVE_SETPGID)
- if (setpgid(0, 0) == -1)
- msyslog(LOG_ERR, "setpgid(): %m");
-# else /* !HAVE_SETSID && !HAVE_SETPGID follows */
-# ifdef TIOCNOTTY
- fid = open("/dev/tty", 2);
- if (fid >= 0) {
- ioctl(fid, (u_long)TIOCNOTTY, NULL);
- close(fid);
- }
-# endif /* TIOCNOTTY */
- ntp_setpgrp(0, getpid());
-# endif /* !HAVE_SETSID && !HAVE_SETPGID */
-# ifdef _AIX
- /* Don't get killed by low-on-memory signal. */
- sa.sa_handler = catch_danger;
- sigemptyset(&sa.sa_mask);
- sa.sa_flags = SA_RESTART;
- sigaction(SIGDANGER, &sa, NULL);
-# endif /* _AIX */
-# endif /* HAVE_WORKING_FORK */
+ if ((exit_code = detach_from_terminal(pipe_fds, wait_sync, logfilename)) != 0)
+ exit(exit_code);
 }
 # ifdef SCO5_CLOCK
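Review bot: The parent process no longer exits after a successful fork. detach_from_terminal() returns 0 in the child and also in the parent whenever wait_child_sync_if() returns 0, while the new call site exits only on a non-zero value: `if ((exit_code = detach_from_terminal(...)) != 0) exit(exit_code);`. The removed code called `exit(exit_code)` unconditionally in the parent. wait_child_sync_if() is not shown on this page, but if it returns 0 on success the parent would now fall through and continue start-up alongside the daemon child. The helper has to keep the two cases apart, for example by keeping `exit(exit_code);` in its `rc > 0` branch so that it only ever returns in the child or on fork failure.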
@@ -967,54 +1102,6 @@ ntpdmain(
 }
 # endif /* HAVE_LINUX_CAPABILITIES || HAVE_SOLARIS_PRIVS */
- if (user != NULL) {
- if (isdigit((unsigned char)*user)) {
- sw_uid = (uid_t)strtoul(user, &endp, 0);
- if (*endp != '\0')
- goto getuser;
-
- if ((pw = getpwuid(sw_uid)) != NULL) {
- free(user);
- user = estrdup(pw->pw_name);
- sw_gid = pw->pw_gid;
- } else {
- errno = 0;
- msyslog(LOG_ERR, "Cannot find user ID %s", user);
- exit (-1);
- }
-
- } else {
-getuser:
- errno = 0;
- if ((pw = getpwnam(user)) != NULL) {
- sw_uid = pw->pw_uid;
- sw_gid = pw->pw_gid;
- } else {
- if (errno)
- msyslog(LOG_ERR, "getpwnam(%s) failed: %m", user);
- else
- msyslog(LOG_ERR, "Cannot find user `%s'", user);
- exit (-1);
- }
- }
- }
- if (group != NULL) {
- if (isdigit((unsigned char)*group)) {
- sw_gid = (gid_t)strtoul(group, &endp, 0);
- if (*endp != '\0')
- goto getgroup;
- } else {
-getgroup:
- if ((gr = getgrnam(group)) != NULL) {
- sw_gid = gr->gr_gid;
- } else {
- errno = 0;
- msyslog(LOG_ERR, "Cannot find group `%s'", group);
- exit (-1);
- }
- }
- }
-
 if (chrootdir ) {
 /* make sure cwd is inside the jail: */
 if (chdir(chrootdir)) {
@@ -1046,37 +1133,8 @@ getgroup:
 exit(-1);
 }
 # endif /* HAVE_SOLARIS_PRIVS */
- if (user && initgroups(user, sw_gid)) {
- msyslog(LOG_ERR, "Cannot initgroups() to user `%s': %m", user);
- exit (-1);
- }
- if (group && setgid(sw_gid)) {
- msyslog(LOG_ERR, "Cannot setgid() to group `%s': %m", group);
- exit (-1);
- }
- if (group && setegid(sw_gid)) {
- msyslog(LOG_ERR, "Cannot setegid() to group `%s': %m", group);
- exit (-1);
- }
- if (group) {
- if (0 != setgroups(1, &sw_gid)) {
- msyslog(LOG_ERR, "setgroups(1, %d) failed: %m", sw_gid);
- exit (-1);
- }
- }
- else if (pw)
- if (0 != initgroups(pw->pw_name, pw->pw_gid)) {
- msyslog(LOG_ERR, "initgroups(<%s>, %d) filed: %m", pw->pw_name, pw->pw_gid);
- exit (-1);
- }
- if (user && setuid(sw_uid)) {
- msyslog(LOG_ERR, "Cannot setuid() to user `%s': %m", user);
+ if (0 == set_user_group_ids())
 exit (-1);
- }
- if (user && seteuid(sw_uid)) {
- msyslog(LOG_ERR, "Cannot seteuid() to user `%s': %m", user);
- exit (-1);
- }
 # if !defined(HAVE_LINUX_CAPABILITIES) && !defined(HAVE_SOLARIS_PRIVS)
 /*
@@ -1651,3 +1709,4 @@ no_debug(
 }
 # endif /* !DEBUG */
 #endif /* !SIM && !SYS_WINNT */
+
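Review bot: The user and group name lookups now appear to run after the chroot instead of before it. The hunk that removes the old `getpwnam()`/`getgrnam()` block shows it sat immediately before `if (chrootdir )`, whereas `set_user_group_ids()`, which now does that mapping through map_user()/map_group(), is first called here, further down in ntpdmain(). The chroot call itself is outside the visible hunks, so this is inferred from the hunk positions. Inside the jail the names are resolved against whatever passwd/group data exists there, so the daemon either exits with "Cannot find user" or takes its IDs from files under the jail rather than the system's. Resolving the IDs before the jail is entered, e.g. calling map_user()/map_group() where the removed block was and leaving only the set*id calls here, keeps the original ordering.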