openSUSE Commits
July 2015
Hello community,
here is the log from the commit of package openldap2.3937 for openSUSE:13.1:Update checked in at 2015-07-31 09:10:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/openldap2.3937 (Old)
and /work/SRC/openSUSE:13.1:Update/.openldap2.3937.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2.3937"
Changes:
--------
New Changes file:
--- /dev/null 2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.openldap2.3937.new/openldap2-client.changes 2015-07-31 09:10:15.000000000 +0200
@@ -0,0 +1,2186 @@
+-------------------------------------------------------------------
+Mon Jun 17 14:37:45 UTC 2013 - jengelh(a)inai.de
+
+- For now, avoid automatic use of libdb-6_0 by explicitly selecting
+ libdb-4_8 as BuildRequire.
+
+-------------------------------------------------------------------
+Mon Mar 25 16:08:21 UTC 2013 - jengelh(a)inai.de
+
+- Put static libs into openldap2-devel-static and relieve
+ openldap2-devel of static-only deps
+
+-------------------------------------------------------------------
+Sat Nov 17 12:06:23 CET 2012 - ro(a)suse.de
+
+- fix check-build.sh for kernel > 3.0
+
+-------------------------------------------------------------------
+Fri Nov 16 09:52:42 UTC 2012 - rhafer(a)suse.com
+
+- Fixed initscript to avoid endless loop when no configuration
+ is present in /etc/openldap/slapd.d/ (bnc#767464)
+- cleaned up SLES10 buildrequires and dependencies
+- removed support for building on SLES9, didn't work anyway anymore
+- Don't buildrequire krb5-mini on Distributions where it does not
+ exist
+
+-------------------------------------------------------------------
+Fri Oct 26 12:38:46 UTC 2012 - rhafer(a)suse.com
+
+- enabled mdb backend
+- Update to 2.4.33
+ * Added slapd-meta cn=config support
+ * Fixed slapd alock handling on Windows (ITS#7361)
+ * Fixed slapd acl handling with zero-length values (ITS#7350)
+ * Fixed slapd syncprov to not reference ops inside a lock (ITS#7172)
+ * Fixed slapd delta-syncrepl MMR with large attribute values (ITS#7354)
+ * Fixed slapd slapd_rw_destroy function (ITS#7390)
+ * Fixed slapd-ldap idassert bind handling (ITS#7403)
+ * Fixed slapo-constraint with multiple modifications (ITS#7168)
+ Changes in 2.4.32:
+ * Added slappasswd loadable module support (ITS#7284)
+ * Fixed tools to not clobber SASL_NOCANON (ITS#7271)
+ * Fixed libldap function declarations (ITS#7293)
+ * Fixed libldap double free (ITS#7270)
+ * Fixed libldap debug level setting (ITS#7290)
+ * Fixed libldap gettime() regression (ITS#6262)
+ * Fixed libldap sasl handling (ITS#7118, ITS#7133)
+ * Fixed libldap to correctly free socket with TLS (ITS#7241)
+ * Fixed slapd config index renumbering (ITS#6987)
+ * Fixed slapd duplicate error response (ITS#7076)
+ * Fixed slapd parsing of PermissiveModify control (ITS#7298)
+ * Fixed slapd-bdb/hdb cache hang under high load (ITS#7222)
+ * Fixed slapd-bdb/hdb alias checking (ITS#7303)
+ * Fixed slapd-bdb/hdb olcDbConfig changes work immediately (ITS#7338)
+ * Fixed slapd-ldap to encode user DN during password change (ITS#7319)
+ * Fixed slapd-ldap assertion when proxying to MS AD (ITS#6851)
+ * Fixed slapd-ldap monitoring (ITS#7182, ITS#7225)
+ * Fixed slapd-perl panic (ITS#7325)
+ * Fixed slapo-accesslog memory leaks with sync replication (ITS#7292)
+ * Fixed slapo-syncprov memory leaks with sync replication (ITS#7292)
+
+-------------------------------------------------------------------
+Fri Oct 26 08:44:23 UTC 2012 - coolo(a)suse.com
+
+- add explicit buildrequire on groff - needed to build manuals
+
+-------------------------------------------------------------------
+Tue Oct 16 07:38:01 UTC 2012 - coolo(a)suse.com
+
+- buildrequire krb5-mini in openldap2-client to avoid cycle
+- move Summary out of the %if as prepare_spec is confused about
+ the license otherwise
+
+-------------------------------------------------------------------
+Thu May 10 09:22:52 UTC 2012 - rhafer(a)suse.de
+
+- update to 2.4.31
+ * Added slapo-accesslog support for reqEntryUUID (ITS#6656)
+ * Fixed libldap IPv6 URL detection (ITS#7194)
+ * Fixed libldap rebinding on failed connection (ITS#7207)
+ * Fixed slapd listener initialization (ITS#7233)
+ * Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197)
+ * Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195)
+ * Fixed slapd to reject MMR setups with bad serverID setting
+ (ITS#7200)
+ * Fixed slapd approxIndexer key generation (ITS#7203)
+ * Fixed slapd modification of olcSuffix (ITS#7205)
+ * Fixed slapd schema validation with missing definitions
+ (ITS#7224)
+ * Fixed slapd syncrepl -c with supplied CSN values (ITS#7245)
+ * Fixed slapd-bdb/hdb idlcache with only one element (ITS#7231)
+ * Fixed slapo-accesslog deadlock with non-logged write ops
+ (ITS#7088)
+ * Fixed slapo-syncprov sessionlog check (ITS#7218)
+ * Fixed slapo-syncprov entry leak (ITS#7234)
+ * Fixed slapo-syncprov startup initialization (ITS#7235)
+
+-------------------------------------------------------------------
+Mon Apr 23 07:08:13 UTC 2012 - rhafer(a)suse.de
+
+- Disabled testsuite for now. Causes problems in the buildserivce
+
+-------------------------------------------------------------------
+Tue Mar 6 12:23:35 UTC 2012 - rhafer(a)suse.de
+
+- Update to 2.4.30
+ * Fixed libldap socket polling for writes (ITS#7167)
+ * Fixed liblutil string modifications (ITS#7174)
+ * Fixed slapd crash when attrsOnly is true (ITS#7143)
+ * Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162)
+ * Fixed slapo-pcache time-to-refesh handling (ITS#7178)
+ * Fixed slapo-syncprov loop detection (ITS#6024)
+
+-------------------------------------------------------------------
+Mon Feb 27 14:14:23 UTC 2012 - rhafer(a)suse.de
+
+- Update to 2.4.29
+ * Fixed slapd cn=config modification of first schema element
+ (ITS#7098)
+ * Fixed slapd operation reuse (ITS#7107)
+ * Fixed slapd blocked writers to not interfere with pool pause
+ (ITS#7115)
+ * Fixed slapd connection loop connindex usage (ITS#7131)
+ * Fixed slapd double mutex unlock via connection_done (ITS#7125)
+ * Fixed slapd check order in connection_write (ITS#7113)
+ * Fixed slapd slapadd to exit on failure (ITS#7142)
+ * Fixed slapd syncrepl reference to freed memory
+ (ITS#7127,ITS#7132)
+ * Fixed slapd syncrepl to ignore some errors on delete
+ (ITS#7052)
+ * Fixed slapd syncrepl to handle missing oldRDN (ITS#7144)
+ * Fixed slapd-monitor compare op to update cached entry
+ (ITS#7123)
+ * Fixed slapo-syncprov with already abandoned operation
+ (ITS#7150)
+- Included patches from RE24 branch:
+ * only poll sockets for write as needed (ITS#7167, bnc#749082)
+ * sycnrepl Fixes (ITS#7162)
+
+-------------------------------------------------------------------
+Wed Dec 7 11:10:19 UTC 2011 - cfarrell(a)suse.com
+
+- license update: OLDAP-2.8
+ SPDX format (http://www.spdx.org/licenses)
+
+-------------------------------------------------------------------
+Fri Dec 2 16:11:01 UTC 2011 - rhafer(a)suse.de
+
+- Update to 2.4.28
+ * Fixed back-mdb out of order slapadd (ITS#7090)
+ changes in OpenLDAP 2.4.27 Release (2011/11/24):
+ * Added slapd delta-syncrepl MMR (ITS#6734,ITS#7029,ITS#7031)
+ * Fixed ldapmodify crash with LDIF controls (ITS#7039)
+ * Fixed ldapsearch to honor timeout and timelimit (ITS#7009)
+ * Fixed libldap endless looping (ITS#7035)
+ * Fixed libldap TLS to not check hostname when using 'allow'
+ (ITS#7014)
+ * Fixed slapadd common code into slapcommon (ITS#6737)
+ * Fixed slapd backend connection initialization (ITS#6993)
+ * Fixed slapd frontend DB parsing in cn=config (ITS#7016)
+ * Fixed slapd hang with {numbered} overlay insertion (ITS#7030)
+ * Fixed slapd inet_ntop usage (ITS#6925)
+ * Fixed slapd cn=config deletion of bitmasks (ITS#7083)
+ * Fixed slapd cn=config modify replace/delete crash (ITS#7065)
+ * Fixed slapd schema UTF8StringNormalize with 0 length values
+ (ITS#7059)
+ * Fixed slapd with dynamic acls for cn=config (ITS#7066)
+ * Fixed slapd response callbacks (ITS#6059,ITS#7062)
+ * Fixed slapd no_connection warnings with ldapi
+ (ITS#6548,ITS#7092)
+ * Fixed slapd return code processing (ITS#7060)
+ * Fixed slapd sl_malloc various issues (ITS#6437)
+ * Fixed slapd startup behavior (ITS#6848)
+ * Fixed slapd syncrepl crash with non-replicated ops (ITS#6892)
+ * Fixed slapd syncrepl with modrdn (ITS#7000,ITS#6472)
+ * Fixed slapd syncrepl timeout when using refreshAndPersist
+ (ITS#6999)
+ * Fixed slapd syncrepl deletes need a non-empty CSN (ITS#7052)
+ * Fixed slapd syncrepl glue for empty suffix (ITS#7037)
+ * Fixed slapd results cleanup (ITS#6763,ITS#7053)
+ * Fixed slapd validation of args for TLSCertificateFile
+ (ITS#7012)
+ * Fixed slapd-bdb/hdb to build entry DN based on parent DN
+ (ITS#5326)
+ * Fixed slapd-hdb with zero-length entries (ITS#7073)
+ * Fixed slapd-hdb duplicate entries in subtree IDL cache
+ (ITS#6983)
+ * Fixed slapo-pcache response cleanup (ITS#6981)
+ * Fixed slapo-ppolicy pwdAllowUserChange behavior (ITS#7021)
+ * Fixed slapo-sssvlv issue with greaterThanorEqual (ITS#6985)
+ * Fixed slapo-sssvlv to only return requested attrs (ITS#7061)
+ * Fixed slapo-syncprov DSA attribute filtering for Persist mode
+ (ITS#7019)
+ * Fixed slapo-syncprov when consumer has newer state of our SID
+ (ITS#7040)
+ * Fixed slapo-syncprov crash (ITS#7025)
++++ 1989 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.openldap2.3937.new/openldap2-client.changes
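Review bot: The newest entry at the top of this hunk is dated Mon Jun 17 14:37:45 UTC 2013, although the package was checked in at 2015-07-31 and openldap2.changes in the same commit opens with a Thu Jul 23 2015 entry for CVE-2015-1546 and CVE-2015-1545. If openldap2-client.changes is meant to mirror openldap2.changes, regenerate it so the security entry appears here too. If the omission is deliberate because the fixes only touch slapd and the client spec configures with --disable-slapd, state that in the changelog so that anyone auditing openldap2-client or libldap-2_4-2 for these CVEs does not have to infer it.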
New Changes file:
--- /dev/null 2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.openldap2.3937.new/openldap2.changes 2015-07-31 09:10:15.000000000 +0200
@@ -0,0 +1,2196 @@
+-------------------------------------------------------------------
+Thu Jul 23 08:15:56 UTC 2015 - vpereira(a)suse.com
+
+- Apply the following security fixes:
+ CVE-2015-1546: openldap2: slapd crash in valueReturnFilter cleanup (bnc#916914)
+ CVE-2015-1545: openldap2: slapd crashes on search with deref control and empty attr list (bnc#916897)
+ In addition, apply a functional bug fix:
+ Prevent connection-0 (internal connection) from show up in the monitor backend (bnc#905959)
+
+
+-------------------------------------------------------------------
+Mon Jun 17 14:37:45 UTC 2013 - jengelh(a)inai.de
+
+- For now, avoid automatic use of libdb-6_0 by explicitly selecting
+ libdb-4_8 as BuildRequire.
+
+-------------------------------------------------------------------
+Mon Mar 25 16:08:21 UTC 2013 - jengelh(a)inai.de
+
+- Put static libs into openldap2-devel-static and relieve
+ openldap2-devel of static-only deps
+
+-------------------------------------------------------------------
+Sat Nov 17 12:06:23 CET 2012 - ro(a)suse.de
+
+- fix check-build.sh for kernel > 3.0
+
+-------------------------------------------------------------------
+Fri Nov 16 09:52:42 UTC 2012 - rhafer(a)suse.com
+
+- Fixed initscript to avoid endless loop when no configuration
+ is present in /etc/openldap/slapd.d/ (bnc#767464)
+- cleaned up SLES10 buildrequires and dependencies
+- removed support for building on SLES9, didn't work anyway anymore
+- Don't buildrequire krb5-mini on Distributions where it does not
+ exist
+
+-------------------------------------------------------------------
+Fri Oct 26 12:38:46 UTC 2012 - rhafer(a)suse.com
+
+- enabled mdb backend
+- Update to 2.4.33
+ * Added slapd-meta cn=config support
+ * Fixed slapd alock handling on Windows (ITS#7361)
+ * Fixed slapd acl handling with zero-length values (ITS#7350)
+ * Fixed slapd syncprov to not reference ops inside a lock (ITS#7172)
+ * Fixed slapd delta-syncrepl MMR with large attribute values (ITS#7354)
+ * Fixed slapd slapd_rw_destroy function (ITS#7390)
+ * Fixed slapd-ldap idassert bind handling (ITS#7403)
+ * Fixed slapo-constraint with multiple modifications (ITS#7168)
+ Changes in 2.4.32:
+ * Added slappasswd loadable module support (ITS#7284)
+ * Fixed tools to not clobber SASL_NOCANON (ITS#7271)
+ * Fixed libldap function declarations (ITS#7293)
+ * Fixed libldap double free (ITS#7270)
+ * Fixed libldap debug level setting (ITS#7290)
+ * Fixed libldap gettime() regression (ITS#6262)
+ * Fixed libldap sasl handling (ITS#7118, ITS#7133)
+ * Fixed libldap to correctly free socket with TLS (ITS#7241)
+ * Fixed slapd config index renumbering (ITS#6987)
+ * Fixed slapd duplicate error response (ITS#7076)
+ * Fixed slapd parsing of PermissiveModify control (ITS#7298)
+ * Fixed slapd-bdb/hdb cache hang under high load (ITS#7222)
+ * Fixed slapd-bdb/hdb alias checking (ITS#7303)
+ * Fixed slapd-bdb/hdb olcDbConfig changes work immediately (ITS#7338)
+ * Fixed slapd-ldap to encode user DN during password change (ITS#7319)
+ * Fixed slapd-ldap assertion when proxying to MS AD (ITS#6851)
+ * Fixed slapd-ldap monitoring (ITS#7182, ITS#7225)
+ * Fixed slapd-perl panic (ITS#7325)
+ * Fixed slapo-accesslog memory leaks with sync replication (ITS#7292)
+ * Fixed slapo-syncprov memory leaks with sync replication (ITS#7292)
+
+-------------------------------------------------------------------
+Fri Oct 26 08:44:23 UTC 2012 - coolo(a)suse.com
+
+- add explicit buildrequire on groff - needed to build manuals
+
+-------------------------------------------------------------------
+Tue Oct 16 07:38:01 UTC 2012 - coolo(a)suse.com
+
+- buildrequire krb5-mini in openldap2-client to avoid cycle
+- move Summary out of the %if as prepare_spec is confused about
+ the license otherwise
+
+-------------------------------------------------------------------
+Thu May 10 09:22:52 UTC 2012 - rhafer(a)suse.de
+
+- update to 2.4.31
+ * Added slapo-accesslog support for reqEntryUUID (ITS#6656)
+ * Fixed libldap IPv6 URL detection (ITS#7194)
+ * Fixed libldap rebinding on failed connection (ITS#7207)
+ * Fixed slapd listener initialization (ITS#7233)
+ * Fixed slapd cn=config with olcTLSVerifyClient (ITS#7197)
+ * Fixed slapd delta-syncrepl fallback on non-leaf error (ITS#7195)
+ * Fixed slapd to reject MMR setups with bad serverID setting
+ (ITS#7200)
+ * Fixed slapd approxIndexer key generation (ITS#7203)
+ * Fixed slapd modification of olcSuffix (ITS#7205)
+ * Fixed slapd schema validation with missing definitions
+ (ITS#7224)
+ * Fixed slapd syncrepl -c with supplied CSN values (ITS#7245)
+ * Fixed slapd-bdb/hdb idlcache with only one element (ITS#7231)
+ * Fixed slapo-accesslog deadlock with non-logged write ops
+ (ITS#7088)
+ * Fixed slapo-syncprov sessionlog check (ITS#7218)
+ * Fixed slapo-syncprov entry leak (ITS#7234)
+ * Fixed slapo-syncprov startup initialization (ITS#7235)
+
+-------------------------------------------------------------------
+Mon Apr 23 07:08:13 UTC 2012 - rhafer(a)suse.de
+
+- Disabled testsuite for now. Causes problems in the buildserivce
+
+-------------------------------------------------------------------
+Tue Mar 6 12:23:35 UTC 2012 - rhafer(a)suse.de
+
+- Update to 2.4.30
+ * Fixed libldap socket polling for writes (ITS#7167)
+ * Fixed liblutil string modifications (ITS#7174)
+ * Fixed slapd crash when attrsOnly is true (ITS#7143)
+ * Fixed slapd syncrepl delete handling (ITS#7052,ITS#7162)
+ * Fixed slapo-pcache time-to-refesh handling (ITS#7178)
+ * Fixed slapo-syncprov loop detection (ITS#6024)
+
+-------------------------------------------------------------------
+Mon Feb 27 14:14:23 UTC 2012 - rhafer(a)suse.de
+
+- Update to 2.4.29
+ * Fixed slapd cn=config modification of first schema element
+ (ITS#7098)
+ * Fixed slapd operation reuse (ITS#7107)
+ * Fixed slapd blocked writers to not interfere with pool pause
+ (ITS#7115)
+ * Fixed slapd connection loop connindex usage (ITS#7131)
+ * Fixed slapd double mutex unlock via connection_done (ITS#7125)
+ * Fixed slapd check order in connection_write (ITS#7113)
+ * Fixed slapd slapadd to exit on failure (ITS#7142)
+ * Fixed slapd syncrepl reference to freed memory
+ (ITS#7127,ITS#7132)
+ * Fixed slapd syncrepl to ignore some errors on delete
+ (ITS#7052)
+ * Fixed slapd syncrepl to handle missing oldRDN (ITS#7144)
+ * Fixed slapd-monitor compare op to update cached entry
+ (ITS#7123)
+ * Fixed slapo-syncprov with already abandoned operation
+ (ITS#7150)
+- Included patches from RE24 branch:
+ * only poll sockets for write as needed (ITS#7167, bnc#749082)
+ * sycnrepl Fixes (ITS#7162)
+
+-------------------------------------------------------------------
+Wed Dec 7 11:10:19 UTC 2011 - cfarrell(a)suse.com
+
+- license update: OLDAP-2.8
+ SPDX format (http://www.spdx.org/licenses)
+
+-------------------------------------------------------------------
+Fri Dec 2 16:11:01 UTC 2011 - rhafer(a)suse.de
+
+- Update to 2.4.28
+ * Fixed back-mdb out of order slapadd (ITS#7090)
+ changes in OpenLDAP 2.4.27 Release (2011/11/24):
+ * Added slapd delta-syncrepl MMR (ITS#6734,ITS#7029,ITS#7031)
+ * Fixed ldapmodify crash with LDIF controls (ITS#7039)
+ * Fixed ldapsearch to honor timeout and timelimit (ITS#7009)
+ * Fixed libldap endless looping (ITS#7035)
+ * Fixed libldap TLS to not check hostname when using 'allow'
+ (ITS#7014)
+ * Fixed slapadd common code into slapcommon (ITS#6737)
+ * Fixed slapd backend connection initialization (ITS#6993)
+ * Fixed slapd frontend DB parsing in cn=config (ITS#7016)
+ * Fixed slapd hang with {numbered} overlay insertion (ITS#7030)
+ * Fixed slapd inet_ntop usage (ITS#6925)
+ * Fixed slapd cn=config deletion of bitmasks (ITS#7083)
+ * Fixed slapd cn=config modify replace/delete crash (ITS#7065)
+ * Fixed slapd schema UTF8StringNormalize with 0 length values
+ (ITS#7059)
+ * Fixed slapd with dynamic acls for cn=config (ITS#7066)
+ * Fixed slapd response callbacks (ITS#6059,ITS#7062)
+ * Fixed slapd no_connection warnings with ldapi
+ (ITS#6548,ITS#7092)
+ * Fixed slapd return code processing (ITS#7060)
+ * Fixed slapd sl_malloc various issues (ITS#6437)
+ * Fixed slapd startup behavior (ITS#6848)
+ * Fixed slapd syncrepl crash with non-replicated ops (ITS#6892)
+ * Fixed slapd syncrepl with modrdn (ITS#7000,ITS#6472)
+ * Fixed slapd syncrepl timeout when using refreshAndPersist
+ (ITS#6999)
+ * Fixed slapd syncrepl deletes need a non-empty CSN (ITS#7052)
+ * Fixed slapd syncrepl glue for empty suffix (ITS#7037)
+ * Fixed slapd results cleanup (ITS#6763,ITS#7053)
+ * Fixed slapd validation of args for TLSCertificateFile
+ (ITS#7012)
+ * Fixed slapd-bdb/hdb to build entry DN based on parent DN
+ (ITS#5326)
+ * Fixed slapd-hdb with zero-length entries (ITS#7073)
+ * Fixed slapd-hdb duplicate entries in subtree IDL cache
++++ 1999 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.openldap2.3937.new/openldap2.changes
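Review bot: The Jul 23 2015 entry at the top of this hunk describes three changes, but the file list for this check-in adds four new patches (0008 through 0011), and 0008-ITS-7723-fix-reference-counting.patch is not accounted for anywhere in the entry. Name the patch file next to each fix it carries (judging by the file names, 0011-ITS-8046-fix-vrFilter_free.patch for CVE-2015-1546, 0010-ITS-ITS-8027-require-non-empty-AttributeList.patch for CVE-2015-1545 and 0009-In-monitor-backend-do-not-return-Connection0-entries.patch for bnc#905959) and add a line for 0008, so the changelog can be checked against the applied patches. While editing, the doubled "ITS-ITS" in the 0010 file name and the wording "from show up" should be corrected, and the second blank line before the separator dropped.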
New:
----
0001-build-adjustments.dif
0002-slapd.conf.dif
0003-LDAPI-socket-location.dif
0004-libldap-use-gethostbyname_r.dif
0005-pie-compile.dif
0006-No-Build-date-and-time-in-binaries.dif
0007-Recover-on-DB-version-change.dif
0008-ITS-7723-fix-reference-counting.patch
0009-In-monitor-backend-do-not-return-Connection0-entries.patch
0010-ITS-ITS-8027-require-non-empty-AttributeList.patch
0011-ITS-8046-fix-vrFilter_free.patch
DB_CONFIG
README.dynamic-overlays
README.update
addonschema.tar.gz
baselibs.conf
check-build.sh
openldap-2.3.37.dif
openldap-2.3.37.tgz
openldap-2.4.33.tgz
openldap-rc.tgz
openldap2-client.changes
openldap2-client.spec
openldap2.changes
openldap2.spec
pre_checkin.sh
sasl-slapd.conf
schema2ldif
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openldap2-client.spec ++++++
#
# spec file for package openldap2-client
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define run_test_suite 0
Name: openldap2-client
Summary: The OpenLDAP commandline client tools
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Clients
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
%if %sles_version == 10
BuildRequires: -libopenssl-devel
BuildRequires: -pwdutils
BuildRequires: openssl-devel
%endif
Version: 2.4.33
Release: 0
Url: http://www.openldap.org
%if "%{name}" == "openldap2"
BuildRequires: libdb-4_8-devel
BuildRequires: openslp-devel
BuildRequires: tcpd-devel
BuildRequires: unixODBC-devel
%if %sles_version == 10
BuildRequires: -libdb-4_8-devel
BuildRequires: libdb-4_5-devel
%endif
Conflicts: openldap
Requires: libldap-2_4-2 = %{version}
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
%else
%if 0%{?suse_version} >= 1140
# avoid cycle with krb5
BuildRequires: krb5-mini
%endif
Conflicts: openldap-client
Requires: libldap-2_4-2 = %{version}
%endif
Source: openldap-%{version}.tgz
Source1: openldap-rc.tgz
Source2: addonschema.tar.gz
Source3: DB_CONFIG
Source4: sasl-slapd.conf
Source5: README.update
Source6: README.dynamic-overlays
Source7: schema2ldif
Source100: openldap-2.3.37.tgz
Patch1: 0001-build-adjustments.dif
Patch2: 0002-slapd.conf.dif
Patch3: 0003-LDAPI-socket-location.dif
Patch4: 0004-libldap-use-gethostbyname_r.dif
Patch5: 0005-pie-compile.dif
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch100: openldap-2.3.37.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if "%{name}" == "openldap2"
%description
The Lightweight Directory Access Protocol (LDAP) is used to access
online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end.
%package -n openldap2-back-perl
Summary: OpenLDAP Perl Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Requires: perl = %{perl_version}
%description -n openldap2-back-perl
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package -n openldap2-back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
%description -n openldap2-back-meta
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).
%package -n openldap2-back-sql
Summary: OpenLDAP SQL Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
%description -n openldap2-back-sql
The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n openldap2-doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
%if 0%{?suse_version} > 1110
BuildArch: noarch
%endif
%description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
%else
%description
This package contains the OpenLDAP client utilities.
%package -n openldap2-devel
Summary: Libraries, Header Files and Documentation for OpenLDAP
Group: Development/Libraries/C and C++
# bug437293
%ifarch ppc64
Obsoletes: openldap2-devel-64bit
%endif
#
Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version}
%description -n openldap2-devel
This package provides the OpenLDAP libraries, header files, and
documentation.
%package -n openldap2-devel-static
Summary: Static libraries for the OpenLDAP libraries
Group: Development/Libraries/C and C++
Requires: openldap2-devel = %version
%if %sles_version == 10
Requires: openssl-devel
%else
Requires: libopenssl-devel
%endif
Requires: cyrus-sasl-devel
%description -n openldap2-devel-static
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap-2_4-2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
%description -n libldap-2_4-2
This package contains the OpenLDAP client libraries.
%endif
%prep
%setup -q -n openldap-%{version} -a1 -a2 -b100
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
cp %{SOURCE5} .
cp %{SOURCE6} .
cd ../openldap-2.3.37
%patch100
%build
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
export STRIP=""
%configure \
--localstatedir=/var/run/slapd \
--libexecdir=/usr/lib/openldap \
--enable-wrappers \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
%if "%{name}" == "openldap2"
--enable-aci \
--enable-bdb \
--enable-hdb \
--enable-rewrite \
--enable-ldap=yes \
--enable-meta=mod \
--enable-monitor=yes \
--enable-perl=mod \
--enable-sql=mod \
--enable-mdb=yes \
--enable-slp \
--enable-overlays=mod \
--enable-syncprov=yes \
--enable-ppolicy=yes \
%else
--disable-slapd \
%endif
--enable-lmpasswd \
--with-yielding-select
make depend
make %{?jobs:-j%jobs}
%if "%{name}" == "openldap2"
%if %suse_version < 1130
# build a static slapcat binary from the OpenLDAP 2.3 release
# to be able to update existing databases
cd ../openldap-2.3.37
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
#aclocal -I build
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED"
./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/run/slapd --libexecdir=/usr/lib/openldap \
--libdir=%{_libdir} --mandir=%{_mandir} --enable-aci \
--enable-hdb --enable-bdb --enable-ldbm --enable-crypt \
--enable-ipv6=no \
--enable-ldap --enable-monitor --enable-meta --enable-rewrite \
--enable-dynamic=no --enable-shared=no
make depend
make %{?jobs:-j%jobs}
%endif
%endif
%check
%if %run_test_suite
# calculate the base port to be use in the test-suite
SLAPD_BASEPORT=10000
if [ -f /.buildenv ] ; then
. /.buildenv
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
fi
export SLAPD_BASEPORT
%ifnarch %arm alpha
rm -f tests/scripts/test019-syncreplication-cascade
rm -f tests/scripts/test022-ppolicy
rm -f tests/scripts/test023-refint
rm -f tests/scripts/test033-glue-syncrepl
#rm -f tests/scripts/test036-meta-concurrency
#rm -f tests/scripts/test039-glue-ldap-concurrency
rm -f tests/scripts/test043-delta-syncrepl
#rm -f tests/scripts/test045-syncreplication-proxied
rm -f tests/scripts/test048-syncrepl-multiproxy
rm -f tests/scripts/test050-syncrepl-multimaster
rm -f tests/scripts/test058-syncrepl-asymmetric
make SLAPD_DEBUG=0 test
%endif
%endif
%install
mkdir -p $RPM_BUILD_ROOT/etc/init.d
mkdir -p $RPM_BUILD_ROOT/usr/sbin
make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap
ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
install -m 755 %{SOURCE7} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
%if "%{name}" == "openldap2"
%define DOCDIR %{_defaultdocdir}/%{name}
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
rm -rf doc/guide/release
install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
$RPM_BUILD_ROOT/%{DOCDIR}/images \
$RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
LICENSE \
README \
CHANGES \
%{SOURCE5} \
%{SOURCE6} \
$RPM_BUILD_ROOT/%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
$RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
rm -f $RPM_BUILD_ROOT/var/run/slapd/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
%if %suse_version < 1130
# install 2.3 slapcat
install -m 755 ../openldap-2.3.37/servers/slapd/slapcat $RPM_BUILD_ROOT/usr/sbin/openldap-2.3-slapcat
%endif
%endif
rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
#put filelists into files
cat >openldap2.filelist <<EOF
/var/adm/fillup-templates/sysconfig.openldap
%config /etc/init.d/ldap
%config /etc/sysconfig/SuSEfirewall2.d/services/openldap
/usr/sbin/rcldap
/usr/sbin/slap*
%dir /etc/openldap
%dir %attr(0770, ldap, ldap) /etc/openldap/slapd.d
%dir /etc/openldap/schema
%config /etc/openldap/schema/*.schema
%config /etc/openldap/schema/*.ldif
%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
%config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
%config /var/lib/ldap/DB_CONFIG.example
%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config(noreplace) /etc/sasl2/slapd.conf
%dir /usr/lib/openldap
%dir /usr/lib/openldap/modules
/usr/lib/openldap/modules/accesslog*
/usr/lib/openldap/modules/auditlog*
/usr/lib/openldap/modules/collect*
/usr/lib/openldap/modules/constraint*
/usr/lib/openldap/modules/dds*
/usr/lib/openldap/modules/deref*
/usr/lib/openldap/modules/dyngroup*
/usr/lib/openldap/modules/dynlist*
/usr/lib/openldap/modules/memberof*
/usr/lib/openldap/modules/pcache*
/usr/lib/openldap/modules/refint*
/usr/lib/openldap/modules/retcode*
/usr/lib/openldap/modules/rwm*
/usr/lib/openldap/modules/seqmod*
/usr/lib/openldap/modules/sssvlv*
/usr/lib/openldap/modules/translucent*
/usr/lib/openldap/modules/unique*
/usr/lib/openldap/modules/valsort*
/usr/lib/openldap/slapd
%dir %attr(0700, ldap, ldap) /var/lib/ldap
%dir %attr(0755, ldap, ldap) %ghost /var/run/slapd
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-bdb.*
%doc %{_mandir}/man5/slapd-config.*
%doc %{_mandir}/man5/slapd-hdb.*
%doc %{_mandir}/man5/slapd-ldbm.*
%doc %{_mandir}/man5/slapd-ldap.*
%doc %{_mandir}/man5/slapd-ldif.*
%doc %{_mandir}/man5/slapd-mdb.*
%doc %{_mandir}/man5/slapd-monitor.*
%doc %{_mandir}/man5/slapd-relay.*
%doc %{_mandir}/man5/slapo-*
%dir %{DOCDIR}
%doc %{DOCDIR}/ANNOUNCEMENT
%doc %{DOCDIR}/COPYRIGHT
%doc %{DOCDIR}/LICENSE
%doc %{DOCDIR}/README*
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
EOF
%if %suse_version < 1130
cat >>openldap2.filelist <<EOF
/usr/sbin/openldap-2.3-slapcat
EOF
%endif
#
cat > openldap2-client.filelist <<EOF
%dir /etc/openldap
%config(noreplace) /etc/openldap/ldap.conf
/etc/openldap/ldap.conf.default
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldapsearch
/usr/bin/ldappasswd
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/sbin/schema2ldif
%doc %{_mandir}/man1/ldap*
%doc %{_mandir}/man5/ldap.conf*
%doc %{_mandir}/man5/ldif.*
EOF
cat > libldap.filelist <<EOF
%{_libdir}/liblber*.so.*
%{_libdir}/libldap*.so.*
EOF
cat > openldap2-devel.filelist <<EOF
/usr/include/*.h
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%doc %{_mandir}/man3/ber*
%doc %{_mandir}/man3/lber*
%doc %{_mandir}/man3/ld_errno*
%doc %{_mandir}/man3/ldap*
EOF
cat > openldap2-devel-static.filelist <<-EOF
%_libdir/liblber.a
%_libdir/libldap*.a
EOF
cat > openldap2-back-perl.filelist <<EOF
/usr/lib/openldap/modules/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
EOF
cat > openldap2-back-meta.filelist <<EOF
/usr/lib/openldap/modules/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
EOF
cat > openldap2-back-sql.filelist <<EOF
/usr/lib/openldap/modules/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
EOF
cat >openldap2-doc.filelist <<EOF
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
%doc %{DOCDIR}/adminguide
%doc %{DOCDIR}/images
EOF
#remove files from other spec file
%if "%{name}" == "openldap2"
cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
openldap2-devel-static.filelist |
%else
cat openldap2.filelist openldap2-back-perl.filelist \
openldap2-back-meta.filelist openldap2-back-sql.filelist \
openldap2-doc.filelist |
%endif
grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
rm -rf $RPM_BUILD_ROOT$name
done
%if "%{name}" == "openldap2"
%pre
/usr/sbin/groupadd -g 70 -o -r ldap 2> /dev/null || :
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d \
/var/lib/ldap ldap 2> /dev/null || :
# try to figure out if a db update is needed
if [ ${1:-0} -gt 1 ] && [ -f /usr/lib/openldap/slapd ] &&
/usr/bin/strings /usr/lib/openldap/slapd | \
grep "slapd 2.3" 2>&1 > /dev/null;
then
# create a backup of the schema shipped with 2.3
# at least core.schema changed between 2.3 and 2.4
TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX`
echo "Schema backup created in $TEMPDIR"
cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR
echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ;
fi
%post
if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
cp /etc/sasl2/slapd.conf /etc/sasl2/slapd.conf.rpmnew
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
fi
%{fillup_and_insserv -n openldap ldap}
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
%preun
%stop_on_removal ldap
%postun
%restart_on_update ldap
%insserv_cleanup
%files -f openldap2.filelist
%defattr(-,root,root)
%files -n openldap2-back-perl -f openldap2-back-perl.filelist
%defattr(-,root,root)
%files -n openldap2-back-meta -f openldap2-back-meta.filelist
%defattr(-,root,root)
%files -n openldap2-back-sql -f openldap2-back-sql.filelist
%defattr(-,root,root)
%files -n openldap2-doc -f openldap2-doc.filelist
%defattr(-,root,root)
%else
%post -n libldap-2_4-2 -p /sbin/ldconfig
%postun -n libldap-2_4-2 -p /sbin/ldconfig
%files -f openldap2-client.filelist
%defattr(-,root,root)
%files -n libldap-2_4-2 -f libldap.filelist
%defattr(-,root,root)
%files -n openldap2-devel -f openldap2-devel.filelist
%defattr(-,root,root)
%files -n openldap2-devel-static -f openldap2-devel-static.filelist
%defattr(-,root,root)
%endif
%changelog
++++++ openldap2.spec ++++++
#
# spec file for package openldap2
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define run_test_suite 0
Name: openldap2
Summary: The OpenLDAP Server
License: OLDAP-2.8
Group: Productivity/Networking/LDAP/Clients
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libtool
%if %sles_version == 10
BuildRequires: -libopenssl-devel
BuildRequires: -pwdutils
BuildRequires: openssl-devel
%endif
Version: 2.4.33
Release: 0
Url: http://www.openldap.org
%if "%{name}" == "openldap2"
BuildRequires: libdb-4_8-devel
BuildRequires: openslp-devel
BuildRequires: tcpd-devel
BuildRequires: unixODBC-devel
%if %sles_version == 10
BuildRequires: -libdb-4_8-devel
BuildRequires: libdb-4_5-devel
%endif
Conflicts: openldap
Requires: libldap-2_4-2 = %{version}
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
%else
%if 0%{?suse_version} >= 1140
# avoid cycle with krb5
BuildRequires: krb5-mini
%endif
Conflicts: openldap-client
Requires: libldap-2_4-2 = %{version}
%endif
Source: openldap-%{version}.tgz
Source1: openldap-rc.tgz
Source2: addonschema.tar.gz
Source3: DB_CONFIG
Source4: sasl-slapd.conf
Source5: README.update
Source6: README.dynamic-overlays
Source7: schema2ldif
Patch8: 0008-ITS-7723-fix-reference-counting.patch
Patch9: 0009-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch10: 0010-ITS-ITS-8027-require-non-empty-AttributeList.patch
Patch11: 0011-ITS-8046-fix-vrFilter_free.patch
Source100: openldap-2.3.37.tgz
Patch1: 0001-build-adjustments.dif
Patch2: 0002-slapd.conf.dif
Patch3: 0003-LDAPI-socket-location.dif
Patch4: 0004-libldap-use-gethostbyname_r.dif
Patch5: 0005-pie-compile.dif
Patch6: 0006-No-Build-date-and-time-in-binaries.dif
Patch7: 0007-Recover-on-DB-version-change.dif
Patch100: openldap-2.3.37.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if "%{name}" == "openldap2"
%description
The Lightweight Directory Access Protocol (LDAP) is used to access
online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end.
%package -n openldap2-back-perl
Summary: OpenLDAP Perl Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Requires: perl = %{perl_version}
%description -n openldap2-back-perl
The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations.
%package -n openldap2-back-meta
Summary: OpenLDAP Meta Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
Provides: openldap2:/usr/share/man/man5/slapd-meta.5.gz
%description -n openldap2-back-meta
The OpenLDAP Meta back-end is able to perform basic LDAP proxying with
respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory
Information Tree (DIT).
%package -n openldap2-back-sql
Summary: OpenLDAP SQL Back-End
Group: Productivity/Networking/LDAP/Servers
Requires: openldap2 = %{version}
%description -n openldap2-back-sql
The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming.
%package -n openldap2-doc
Summary: OpenLDAP Documentation
Group: Documentation/Other
Provides: openldap2:/usr/share/doc/packages/openldap2/drafts/README
%if 0%{?suse_version} > 1110
BuildArch: noarch
%endif
%description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
%else
%description
This package contains the OpenLDAP client utilities.
%package -n openldap2-devel
Summary: Libraries, Header Files and Documentation for OpenLDAP
Group: Development/Libraries/C and C++
# bug437293
%ifarch ppc64
Obsoletes: openldap2-devel-64bit
%endif
#
Conflicts: openldap-devel
Requires: libldap-2_4-2 = %{version}
%description -n openldap2-devel
This package provides the OpenLDAP libraries, header files, and
documentation.
%package -n openldap2-devel-static
Summary: Static libraries for the OpenLDAP libraries
Group: Development/Libraries/C and C++
Requires: openldap2-devel = %version
%if %sles_version == 10
Requires: openssl-devel
%else
Requires: libopenssl-devel
%endif
Requires: cyrus-sasl-devel
%description -n openldap2-devel-static
This package provides the static versions of the OpenLDAP libraries
for development.
%package -n libldap-2_4-2
Summary: OpenLDAP Client Libraries
Group: Productivity/Networking/LDAP/Clients
%description -n libldap-2_4-2
This package contains the OpenLDAP client libraries.
%endif
%prep
%setup -q -n openldap-%{version} -a1 -a2 -b100
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
cp %{SOURCE5} .
cp %{SOURCE6} .
cd ../openldap-2.3.37
%patch100
%build
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED -DLDAP_CONNECTIONLESS -DSLAP_CONFIG_DELETE"
export STRIP=""
%configure \
--localstatedir=/var/run/slapd \
--libexecdir=/usr/lib/openldap \
--enable-wrappers \
--enable-spasswd \
--enable-modules \
--enable-shared \
--enable-dynamic \
--with-tls \
--with-cyrus-sasl \
--enable-crypt \
--enable-ipv6=yes \
%if "%{name}" == "openldap2"
--enable-aci \
--enable-bdb \
--enable-hdb \
--enable-rewrite \
--enable-ldap=yes \
--enable-meta=mod \
--enable-monitor=yes \
--enable-perl=mod \
--enable-sql=mod \
--enable-mdb=yes \
--enable-slp \
--enable-overlays=mod \
--enable-syncprov=yes \
--enable-ppolicy=yes \
%else
--disable-slapd \
%endif
--enable-lmpasswd \
--with-yielding-select
make depend
make %{?jobs:-j%jobs}
%if "%{name}" == "openldap2"
%if %suse_version < 1130
# build a static slapcat binary from the OpenLDAP 2.3 release
# to be able to update existing databases
cd ../openldap-2.3.37
%{?suse_update_config:%{suse_update_config -f build}}
libtoolize --force
#aclocal -I build
autoreconf
export CFLAGS="$RPM_OPT_FLAGS -Wno-format-extra-args -fno-strict-aliasing -DLDAP_DEPRECATED"
./configure --prefix=/usr --exec-prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/run/slapd --libexecdir=/usr/lib/openldap \
--libdir=%{_libdir} --mandir=%{_mandir} --enable-aci \
--enable-hdb --enable-bdb --enable-ldbm --enable-crypt \
--enable-ipv6=no \
--enable-ldap --enable-monitor --enable-meta --enable-rewrite \
--enable-dynamic=no --enable-shared=no
make depend
make %{?jobs:-j%jobs}
%endif
%endif
%check
%if %run_test_suite
# calculate the base port to be use in the test-suite
SLAPD_BASEPORT=10000
if [ -f /.buildenv ] ; then
. /.buildenv
SLAPD_BASEPORT=$(($SLAPD_BASEPORT + ${BUILD_INCARNATION:-0} * 10))
fi
export SLAPD_BASEPORT
%ifnarch %arm alpha
rm -f tests/scripts/test019-syncreplication-cascade
rm -f tests/scripts/test022-ppolicy
rm -f tests/scripts/test023-refint
rm -f tests/scripts/test033-glue-syncrepl
#rm -f tests/scripts/test036-meta-concurrency
#rm -f tests/scripts/test039-glue-ldap-concurrency
rm -f tests/scripts/test043-delta-syncrepl
#rm -f tests/scripts/test045-syncreplication-proxied
rm -f tests/scripts/test048-syncrepl-multiproxy
rm -f tests/scripts/test050-syncrepl-multimaster
rm -f tests/scripts/test058-syncrepl-asymmetric
make SLAPD_DEBUG=0 test
%endif
%endif
%install
mkdir -p $RPM_BUILD_ROOT/etc/init.d
mkdir -p $RPM_BUILD_ROOT/usr/sbin
make STRIP="" DESTDIR=$RPM_BUILD_ROOT install
install -m 755 rc.ldap $RPM_BUILD_ROOT/etc/init.d/ldap
ln -sf ../../etc/init.d/ldap $RPM_BUILD_ROOT/usr/sbin/rcldap
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2/slapd.conf
install -m 755 -d $RPM_BUILD_ROOT/var/lib/ldap
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/liblber.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap_r.so*
chmod a+x $RPM_BUILD_ROOT/%{_libdir}/libldap.so*
install -m 755 %{SOURCE7} $RPM_BUILD_ROOT/usr/sbin/schema2ldif
%if "%{name}" == "openldap2"
%define DOCDIR %{_defaultdocdir}/%{name}
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 sysconfig.openldap $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.openldap
install -m 644 *.schema $RPM_BUILD_ROOT/etc/openldap/schema
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG
install -m 644 $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/var/lib/ldap/DB_CONFIG.example
install -d $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/
install -m 644 SuSEfirewall2.openldap $RPM_BUILD_ROOT/etc/sysconfig/SuSEfirewall2.d/services/openldap
rm -f `find doc/guide ! -name *.html -a ! -name *.gif -a ! -name *.png -a ! -type d`
rm -rf doc/guide/release
install -d $RPM_BUILD_ROOT/%{DOCDIR}/adminguide \
$RPM_BUILD_ROOT/%{DOCDIR}/images \
$RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 doc/guide/admin/* $RPM_BUILD_ROOT/%{DOCDIR}/adminguide
install -m 644 doc/guide/images/*.gif $RPM_BUILD_ROOT/%{DOCDIR}/images
install -m 644 doc/drafts/* $RPM_BUILD_ROOT/%{DOCDIR}/drafts
install -m 644 ANNOUNCEMENT \
COPYRIGHT \
LICENSE \
README \
CHANGES \
%{SOURCE5} \
%{SOURCE6} \
$RPM_BUILD_ROOT/%{DOCDIR}
install -m 644 servers/slapd/slapd.ldif \
$RPM_BUILD_ROOT/%{DOCDIR}/slapd.ldif.default
rm -f $RPM_BUILD_ROOT/etc/openldap/DB_CONFIG.example
rm -f $RPM_BUILD_ROOT/etc/openldap/schema/README
rm -f $RPM_BUILD_ROOT/etc/openldap/slapd.ldif*
rm -f $RPM_BUILD_ROOT/var/run/slapd/openldap-data/DB_CONFIG.example
mv servers/slapd/back-sql/rdbms_depend servers/slapd/back-sql/examples
%if %suse_version < 1130
# install 2.3 slapcat
install -m 755 ../openldap-2.3.37/servers/slapd/slapcat $RPM_BUILD_ROOT/usr/sbin/openldap-2.3-slapcat
%endif
%endif
rm -f $RPM_BUILD_ROOT/usr/lib/openldap/modules/*.a
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-dnssrv.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-ndb.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-null.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-passwd.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-shell.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-sock.5
rm -f $RPM_BUILD_ROOT/usr/share/man/man5/slapd-tcl.5
# Remove *.la files, libtool does not handle this correct
rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
#put filelists into files
cat >openldap2.filelist <<EOF
/var/adm/fillup-templates/sysconfig.openldap
%config /etc/init.d/ldap
%config /etc/sysconfig/SuSEfirewall2.d/services/openldap
/usr/sbin/rcldap
/usr/sbin/slap*
%dir /etc/openldap
%dir %attr(0770, ldap, ldap) /etc/openldap/slapd.d
%dir /etc/openldap/schema
%config /etc/openldap/schema/*.schema
%config /etc/openldap/schema/*.ldif
%config(noreplace) %attr(640, root, ldap) /etc/openldap/slapd.conf
%config(noreplace) %attr(640, ldap, ldap) /var/lib/ldap/DB_CONFIG
%config /var/lib/ldap/DB_CONFIG.example
%attr(640, root, ldap) /%{_sysconfdir}/openldap/slapd.conf.default
%config(noreplace) /etc/sasl2/slapd.conf
%dir /usr/lib/openldap
%dir /usr/lib/openldap/modules
/usr/lib/openldap/modules/accesslog*
/usr/lib/openldap/modules/auditlog*
/usr/lib/openldap/modules/collect*
/usr/lib/openldap/modules/constraint*
/usr/lib/openldap/modules/dds*
/usr/lib/openldap/modules/deref*
/usr/lib/openldap/modules/dyngroup*
/usr/lib/openldap/modules/dynlist*
/usr/lib/openldap/modules/memberof*
/usr/lib/openldap/modules/pcache*
/usr/lib/openldap/modules/refint*
/usr/lib/openldap/modules/retcode*
/usr/lib/openldap/modules/rwm*
/usr/lib/openldap/modules/seqmod*
/usr/lib/openldap/modules/sssvlv*
/usr/lib/openldap/modules/translucent*
/usr/lib/openldap/modules/unique*
/usr/lib/openldap/modules/valsort*
/usr/lib/openldap/slapd
%dir %attr(0700, ldap, ldap) /var/lib/ldap
%dir %attr(0755, ldap, ldap) %ghost /var/run/slapd
%doc %{_mandir}/man8/sl*
%doc %{_mandir}/man5/slapd.*
%doc %{_mandir}/man5/slapd-bdb.*
%doc %{_mandir}/man5/slapd-config.*
%doc %{_mandir}/man5/slapd-hdb.*
%doc %{_mandir}/man5/slapd-ldbm.*
%doc %{_mandir}/man5/slapd-ldap.*
%doc %{_mandir}/man5/slapd-ldif.*
%doc %{_mandir}/man5/slapd-mdb.*
%doc %{_mandir}/man5/slapd-monitor.*
%doc %{_mandir}/man5/slapd-relay.*
%doc %{_mandir}/man5/slapo-*
%dir %{DOCDIR}
%doc %{DOCDIR}/ANNOUNCEMENT
%doc %{DOCDIR}/COPYRIGHT
%doc %{DOCDIR}/LICENSE
%doc %{DOCDIR}/README*
%doc %{DOCDIR}/CHANGES
%doc %{DOCDIR}/slapd.ldif.default
EOF
%if %suse_version < 1130
cat >>openldap2.filelist <<EOF
/usr/sbin/openldap-2.3-slapcat
EOF
%endif
#
cat > openldap2-client.filelist <<EOF
%dir /etc/openldap
%config(noreplace) /etc/openldap/ldap.conf
/etc/openldap/ldap.conf.default
/usr/bin/ldapadd
/usr/bin/ldapcompare
/usr/bin/ldapdelete
/usr/bin/ldapexop
/usr/bin/ldapmodify
/usr/bin/ldapmodrdn
/usr/bin/ldapsearch
/usr/bin/ldappasswd
/usr/bin/ldapurl
/usr/bin/ldapwhoami
/usr/sbin/schema2ldif
%doc %{_mandir}/man1/ldap*
%doc %{_mandir}/man5/ldap.conf*
%doc %{_mandir}/man5/ldif.*
EOF
cat > libldap.filelist <<EOF
%{_libdir}/liblber*.so.*
%{_libdir}/libldap*.so.*
EOF
cat > openldap2-devel.filelist <<EOF
/usr/include/*.h
%{_libdir}/liblber.so
%{_libdir}/libldap*.so
%doc %{_mandir}/man3/ber*
%doc %{_mandir}/man3/lber*
%doc %{_mandir}/man3/ld_errno*
%doc %{_mandir}/man3/ldap*
EOF
cat > openldap2-devel-static.filelist <<-EOF
%_libdir/liblber.a
%_libdir/libldap*.a
EOF
cat > openldap2-back-perl.filelist <<EOF
/usr/lib/openldap/modules/back_perl*
%doc %{_mandir}/man5/slapd-perl.*
EOF
cat > openldap2-back-meta.filelist <<EOF
/usr/lib/openldap/modules/back_meta*
%doc %{_mandir}/man5/slapd-meta.*
EOF
cat > openldap2-back-sql.filelist <<EOF
/usr/lib/openldap/modules/back_sql*
%doc %{_mandir}/man5/slapd-sql.*
%doc servers/slapd/back-sql/examples
%doc servers/slapd/back-sql/docs/bugs
%doc servers/slapd/back-sql/docs/install
EOF
cat >openldap2-doc.filelist <<EOF
%dir %{DOCDIR}
%doc %{DOCDIR}/drafts
%doc %{DOCDIR}/adminguide
%doc %{DOCDIR}/images
EOF
#remove files from other spec file
%if "%{name}" == "openldap2"
cat openldap2-client.filelist libldap.filelist openldap2-devel.filelist \
openldap2-devel-static.filelist |
%else
cat openldap2.filelist openldap2-back-perl.filelist \
openldap2-back-meta.filelist openldap2-back-sql.filelist \
openldap2-doc.filelist |
%endif
grep -v "%dir " |sed -e "s|^.* ||" |grep "^/" |while read name ; do
rm -rf $RPM_BUILD_ROOT$name
done
%if "%{name}" == "openldap2"
%pre
/usr/sbin/groupadd -g 70 -o -r ldap 2> /dev/null || :
/usr/sbin/useradd -r -o -g ldap -u 76 -s /bin/bash -c "User for OpenLDAP" -d \
/var/lib/ldap ldap 2> /dev/null || :
# try to figure out if a db update is needed
if [ ${1:-0} -gt 1 ] && [ -f /usr/lib/openldap/slapd ] &&
/usr/bin/strings /usr/lib/openldap/slapd | \
grep "slapd 2.3" 2>&1 > /dev/null;
then
# create a backup of the schema shipped with 2.3
# at least core.schema changed between 2.3 and 2.4
TEMPDIR=`mktemp -d /etc/openldap/schema.backup.XXXXXX`
echo "Schema backup created in $TEMPDIR"
cp -p --remove-destination /etc/openldap/schema/* $TEMPDIR
echo $TEMPDIR > /etc/openldap/UPDATE_NEEDED ;
fi
%post
if [ ${1:-0} -gt 1 ] && [ -f %{_libdir}/sasl2/slapd.conf ] ; then
cp /etc/sasl2/slapd.conf /etc/sasl2/slapd.conf.rpmnew
cp %{_libdir}/sasl2/slapd.conf /etc/sasl2/slapd.conf
fi
%{fillup_and_insserv -n openldap ldap}
%{remove_and_set -n openldap OPENLDAP_RUN_DB_RECOVER}
%preun
%stop_on_removal ldap
%postun
%restart_on_update ldap
%insserv_cleanup
%files -f openldap2.filelist
%defattr(-,root,root)
%files -n openldap2-back-perl -f openldap2-back-perl.filelist
%defattr(-,root,root)
%files -n openldap2-back-meta -f openldap2-back-meta.filelist
%defattr(-,root,root)
%files -n openldap2-back-sql -f openldap2-back-sql.filelist
%defattr(-,root,root)
%files -n openldap2-doc -f openldap2-doc.filelist
%defattr(-,root,root)
%else
%post -n libldap-2_4-2 -p /sbin/ldconfig
%postun -n libldap-2_4-2 -p /sbin/ldconfig
%files -f openldap2-client.filelist
%defattr(-,root,root)
%files -n libldap-2_4-2 -f libldap.filelist
%defattr(-,root,root)
%files -n openldap2-devel -f openldap2-devel.filelist
%defattr(-,root,root)
%files -n openldap2-devel-static -f openldap2-devel-static.filelist
%defattr(-,root,root)
%endif
%changelog
++++++ 0001-build-adjustments.dif ++++++
From 39e5cc1cbae0f7c64ba242357a5d50f23a8475ba Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Wed, 16 Jun 2010 14:04:07 +0200
Subject: build-adjustments
- Adjusted modules path
- don't use automake macro
diff --git a/build/top.mk b/build/top.mk
index 14e291e..633c9a4 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -40,7 +40,7 @@ libdir = @libdir@
libexecdir = @libexecdir@
localstatedir = @localstatedir@
mandir = @mandir@
-moduledir = @libexecdir@$(ldap_subdir)
+moduledir = @libexecdir@/modules
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@$(ldap_subdir)
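Review bot: moduledir no longer appends $(ldap_subdir) while sysconfdir two lines below still does, so the module path is now correct only when configure is called with a package-specific --libexecdir, as the spec does with --libexecdir=/usr/lib/openldap. With a default libexecdir the modules would land in a shared libexec/modules directory. Say so in the commit message, or keep the subdir: `moduledir = @libexecdir@$(ldap_subdir)/modules`.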
diff --git a/configure.in b/configure.in
index 792cf0c..6c357ee 100644
--- a/configure.in
+++ b/configure.in
@@ -69,7 +69,9 @@ dnl Determine host platform
dnl we try not to use this for much
AC_CANONICAL_TARGET([])
-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
+AC_PROG_MAKE_SET
+PACKAGE=$OL_PACKAGE
+VERSION=$OL_VERSION
AC_SUBST(PACKAGE)dnl
AC_SUBST(VERSION)dnl
AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
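Review bot: the commit message says "don't use automake macro" but not why AM_INIT_AUTOMAKE has to go. Record the reason (for example the automake version that broke it) so the patch can be dropped once it no longer applies. The replacement itself is sound: PACKAGE and VERSION are set before the AC_SUBST calls that follow, and AC_PROG_MAKE_SET covers the SET_MAKE substitution the old macro supplied.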
--
1.7.10.4
++++++ 0002-slapd.conf.dif ++++++
From a8be17d4a1db1c6ee24b328f3f34e21ccb02ca3f Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Wed, 16 Jun 2010 14:05:49 +0200
Subject: slapd.conf
diff --git a/servers/slapd/slapd.conf b/servers/slapd/slapd.conf
index 4938b85..9caf292 100644
--- a/servers/slapd/slapd.conf
+++ b/servers/slapd/slapd.conf
@@ -3,6 +3,10 @@
# This file should NOT be world readable.
#
include %SYSCONFDIR%/schema/core.schema
+include %SYSCONFDIR%/schema/cosine.schema
+include %SYSCONFDIR%/schema/inetorgperson.schema
+include %SYSCONFDIR%/schema/rfc2307bis.schema
+include %SYSCONFDIR%/schema/yast.schema
# Define global ACLs to disable default read access.
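Review bot: the four added include lines make the default slapd.conf depend on schema files that this diff does not add, and rfc2307bis.schema and yast.schema in particular have to come from the package's extra sources. slapd refuses to start when an included schema is missing, so confirm all four are among the *.schema files the spec installs into /etc/openldap/schema. Add a comment that rfc2307bis.schema must not be loaded together with nis.schema.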
@@ -10,8 +14,8 @@ include %SYSCONFDIR%/schema/core.schema
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
-pidfile %LOCALSTATEDIR%/run/slapd.pid
-argsfile %LOCALSTATEDIR%/run/slapd.args
+pidfile %LOCALSTATEDIR%/slapd.pid
+argsfile %LOCALSTATEDIR%/slapd.args
# Load dynamic backend modules:
# modulepath %MODULEDIR%
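Review bot: dropping the /run component from pidfile and argsfile is only right because the spec configures --localstatedir=/var/run/slapd. With the upstream localstatedir these two files would be written directly into the state directory. Note the dependency in the commit message, which currently has no body at all.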
@@ -26,20 +30,30 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
-# Root DSE: allow anyone to read it
-# Subschema (sub)entry DSE: allow anyone to read it
-# Other DSEs:
-# Allow self write access
-# Allow authenticated users read access
-# Allow anonymous users to authenticate
-# Directives needed to implement policy:
-# access to dn.base="" by * read
-# access to dn.base="cn=Subschema" by * read
-# access to *
-# by self write
-# by users read
-# by anonymous auth
-#
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access to user password
+# Allow anonymous users to authenticate
+# Allow read access to everything else
+# Directives needed to implement policy:
+access to dn.base=""
+ by * read
+
+access to dn.base="cn=Subschema"
+ by * read
+
+access to attrs=userPassword,userPKCS12
+ by self write
+ by * auth
+
+access to attrs=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
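Review bot: the last rule, `access to * by * read`, gives anonymous clients read access to every attribute not matched earlier, where the commented sample it replaces limited reads to authenticated users (`by users read`, `by anonymous auth`). Only userPassword and userPKCS12 are restricted to auth, so any other sensitive attribute a site stores is readable without a bind until the admin adds a rule for it. Either ship `by users read` plus `by anonymous auth` as the final rule, or state in the comment block that anonymous read is intended. The unchanged comment after the rules describes the no-ACL default, which is now identical to the explicit last rule and reads as if no ACLs were configured.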
@@ -52,6 +66,8 @@ argsfile %LOCALSTATEDIR%/run/slapd.args
database bdb
suffix "dc=my-domain,dc=com"
+checkpoint 1024 5
+cachesize 10000
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
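Review bot: `checkpoint 1024 5` and `cachesize 10000` are added without a comment, unlike every other directive in this sample. Add a line above each saying what the values mean (checkpoint after 1024 KB written or 5 minutes, 10000 cached entries) so an admin knows they are starting points rather than required values.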
@@ -60,6 +76,6 @@ rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
-directory %LOCALSTATEDIR%/openldap-data
+directory /var/lib/ldap
# Indices to maintain
index objectClass eq
--
1.7.10.4
++++++ 0003-LDAPI-socket-location.dif ++++++
From 73f1a31ec1d90872ac6f09ffac5adfb199eba963 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Wed, 16 Jun 2010 14:06:42 +0200
Subject: LDAPI socket location
diff --git a/include/ldap_defaults.h b/include/ldap_defaults.h
index 9dba666..b9780bc 100644
--- a/include/ldap_defaults.h
+++ b/include/ldap_defaults.h
@@ -39,7 +39,7 @@
#define LDAP_ENV_PREFIX "LDAP"
/* default ldapi:// socket */
-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "ldapi"
/*
* SLAPD DEFINITIONS
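Review bot: changing LDAPI_SOCK moves the default ldapi:// socket for both the server and every client linked against this libldap, but the commit has no message body explaining the move. Any client built from unpatched sources will still look under the "run" subdirectory and fail to connect unless given an explicit socket URL. State the resulting path and the reason in the commit message, and mention it in README.update if the location differs from the previous package.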
--
1.7.10.4
++++++ 0004-libldap-use-gethostbyname_r.dif ++++++
From a36c907fe49e96a304c294a0d46b34c374c29c7f Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Wed, 16 Jun 2010 14:08:03 +0200
Subject: libldap use gethostbyname_r
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index 3510aec..666cdad 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,7 +52,7 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
# undef HAVE_CTIME_R
-# undef HAVE_GETHOSTBYNAME_R
+/* # undef HAVE_GETHOSTBYNAME_R */
# undef HAVE_GETHOSTBYADDR_R
#else
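Review bot: turning `# undef HAVE_GETHOSTBYNAME_R` into a C comment leaves dead text with no explanation. Delete the line and add a short comment saying why the build without LDAP_R_COMPILE keeps gethostbyname_r. HAVE_GETHOSTBYADDR_R is still undefined in the same block, so forward and reverse lookups now take different code paths in this build; say whether that asymmetry is intended.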
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)
-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R)
static char *safe_realloc( char **buf, int len );
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
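Review bot: with the widened guard a build without LDAP_R_COMPILE now enters this block, and because HAVE_GETHOSTBYADDR_R is still undefined there, the inner `#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` is always true in that build. Check that everything compiled under the inner condition is actually used in that configuration, and that the definition of safe_realloc further down carries the same `LDAP_R_COMPILE || HAVE_GETHOSTBYNAME_R` guard as this declaration. Otherwise the non-reentrant build ends up with an undefined or unused static function.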
--
1.7.10.4
++++++ 0005-pie-compile.dif ++++++
From 60edf86023da15db7be5935c85826e16d2b78648 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Fri, 12 Nov 2010 09:39:11 +0100
Subject: pie compile
diff --git a/build/top.mk b/build/top.mk
index 633c9a4..c67289d 100644
--- a/build/top.mk
+++ b/build/top.mk
@@ -107,7 +107,7 @@ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
LTSTATIC = @LTSTATIC@
LTLINK = $(LIBTOOL) --mode=link \
- $(CC) $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
+ $(CC) -pie $(LTSTATIC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS)
LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=compile \
$(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
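Review bot: `-pie` is hard-coded into LTLINK, so every program linked through this rule becomes a PIE with no way to switch it off from configure or the spec. Put it behind a variable, for example `PIE_LDFLAGS`, mirroring the PIE_CFLAGS variable this patch introduces for compiling. That way a platform where PIE linking fails can clear it without editing top.mk.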
@@ -116,7 +116,7 @@ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+ $(CC) $(LT_CFLAGS) $(PIE_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
LTLINK_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=link \
$(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_MOD)
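Review bot: $(PIE_CFLAGS) in LTCOMPILE_MOD is only defined in the backend Makefile.in files touched later in this patch (bdb, hdb, ldap, ldif, mdb, monitor, relay) and expands to nothing elsewhere. Those are the backends the spec builds into slapd, while meta, perl and sql are built with =mod and get no -fPIE. That coupling between the spec's configure options and this list is not documented anywhere, so add a comment here explaining that PIE_CFLAGS must be set for every backend linked statically into slapd, or the list will drift when a backend changes between yes and mod.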
@@ -206,7 +206,7 @@ SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LI
# Our Defaults
CC = $(AC_CC)
DEFS = $(LDAP_INCPATH) $(XINCPATH) $(XDEFS) $(AC_DEFS) $(DEFINES)
-CFLAGS = $(AC_CFLAGS) $(DEFS)
+CFLAGS = -fPIE $(AC_CFLAGS) $(DEFS)
LDFLAGS = $(LDAP_LIBPATH) $(AC_LDFLAGS) $(XLDFLAGS)
LIBS = $(XLIBS) $(XXLIBS) $(AC_LIBS) $(XXXLIBS)
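Review bot: `-fPIE` is placed in front of $(AC_CFLAGS), so any PIC or PIE option arriving through the configured CFLAGS comes later on the command line and overrides it. Since the spec already exports CFLAGS with $RPM_OPT_FLAGS, passing -fPIE there would achieve the same without patching the default. If it stays in top.mk, append it after $(AC_CFLAGS) and say in the commit message which binaries are meant to be PIE.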
diff --git a/servers/slapd/back-bdb/Makefile.in b/servers/slapd/back-bdb/Makefile.in
index da7da0c..dcb6d92 100644
--- a/servers/slapd/back-bdb/Makefile.in
+++ b/servers/slapd/back-bdb/Makefile.in
@@ -33,6 +33,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-bdb"
BUILD_MOD = @BUILD_BDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_BDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
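Review bot: in `PIE_CFLAGS="-fPIE"` the double quotes are part of the make variable's value, since make does not strip them. The build works only because the shell removes them when the compile command runs. Write `PIE_CFLAGS = -fPIE`, matching the spacing of the neighbouring assignments. The same applies to the identical addition in the back-hdb, back-ldap, back-ldif, back-mdb, back-monitor and back-relay Makefile.in hunks below.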
diff --git a/servers/slapd/back-hdb/Makefile.in b/servers/slapd/back-hdb/Makefile.in
index 5af828f..6f43f7b 100644
--- a/servers/slapd/back-hdb/Makefile.in
+++ b/servers/slapd/back-hdb/Makefile.in
@@ -37,6 +37,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-hdb"
BUILD_MOD = @BUILD_HDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_HDB@_DEFS)
MOD_LIBS = $(BDB_LIBS)
diff --git a/servers/slapd/back-ldap/Makefile.in b/servers/slapd/back-ldap/Makefile.in
index 392d92e..3a0663d 100644
--- a/servers/slapd/back-ldap/Makefile.in
+++ b/servers/slapd/back-ldap/Makefile.in
@@ -26,6 +26,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldap"
BUILD_MOD = @BUILD_LDAP@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
diff --git a/servers/slapd/back-ldif/Makefile.in b/servers/slapd/back-ldif/Makefile.in
index 5e4abc1..1e8c454 100644
--- a/servers/slapd/back-ldif/Makefile.in
+++ b/servers/slapd/back-ldif/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-ldif"
BUILD_MOD = yes
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
diff --git a/servers/slapd/back-mdb/Makefile.in b/servers/slapd/back-mdb/Makefile.in
index 9b01d2a..e37520a 100644
--- a/servers/slapd/back-mdb/Makefile.in
+++ b/servers/slapd/back-mdb/Makefile.in
@@ -34,6 +34,8 @@ MDB_SUBDIR = $(srcdir)/$(LDAP_LIBDIR)/libmdb
BUILD_OPT = "--enable-mdb"
BUILD_MOD = @BUILD_MDB@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MDB@_DEFS)
MOD_LIBS = $(MDB_LIBS)
diff --git a/servers/slapd/back-monitor/Makefile.in b/servers/slapd/back-monitor/Makefile.in
index 9aecdbc..11c962c 100644
--- a/servers/slapd/back-monitor/Makefile.in
+++ b/servers/slapd/back-monitor/Makefile.in
@@ -30,6 +30,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-monitor"
BUILD_MOD = @BUILD_MONITOR@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MONITOR@_DEFS)
diff --git a/servers/slapd/back-relay/Makefile.in b/servers/slapd/back-relay/Makefile.in
index 90ea4b3..ff2f429 100644
--- a/servers/slapd/back-relay/Makefile.in
+++ b/servers/slapd/back-relay/Makefile.in
@@ -22,6 +22,8 @@ LDAP_LIBDIR= ../../../libraries
BUILD_OPT = "--enable-relay"
BUILD_MOD = @BUILD_RELAY@
+PIE_CFLAGS="-fPIE"
+
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
--
1.7.10.4
++++++ 0006-No-Build-date-and-time-in-binaries.dif ++++++
>From a7a37111026ccb9fddfeedc22606b80d8d75557f Mon Sep 17 00:00:00 2001
From: Cristian Rodriguez <cristian.rodriguez(a)opensuse.org>
Date: Tue, 5 Oct 2010 13:59:40 +0200
Subject: No Build date and time in binaries
This avoids build-compare failures and unhelpful rebuilds/republishes in
the openSUSE buildservice.
diff --git a/build/mkversion b/build/mkversion
index 3fd9565..dd9a998 100755
--- a/build/mkversion
+++ b/build/mkversion
@@ -50,7 +50,7 @@ if test $# != 1 ; then
fi
APPLICATION=$1
-WHOWHERE="$USER@`uname -n`:`pwd`"
+WHOWHERE="opensuse-buildservice(a)opensuse.org"
cat << __EOF__
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
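Review bot: The commit subject mentions only the build date and time, but the WHOWHERE line also drops the build user, host name and build directory in favour of a fixed string. That is reasonable for reproducible builds, and it stops build-host details from being embedded in shipped binaries, but the commit message should say so, since anyone relying on the version string to identify where a binary was built loses that information.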
@@ -72,7 +72,7 @@ static const char copyright[] =
"COPYING RESTRICTIONS APPLY\n";
$static $const char $SYMBOL[] =
-"@(#) \$$PACKAGE: $APPLICATION $VERSION (" __DATE__ " " __TIME__ ") \$\n"
+"@(#) \$$PACKAGE: $APPLICATION $VERSION \$\n"
"\t$WHOWHERE\n";
__EOF__
--
1.7.10.4
++++++ 0007-Recover-on-DB-version-change.dif ++++++
>From 895fa6d9b49344e1a92f7df3ed65458519e22f98 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhafer(a)suse.de>
Date: Tue, 5 Oct 2010 14:20:22 +0200
Subject: Recover on DB version change
If the libdb Version changed try to recover the database. Note: This will
only succeed if only the format of transaction logs changed.
diff --git a/servers/slapd/back-bdb/init.c b/servers/slapd/back-bdb/init.c
index ac5a6d5..fea5cb4 100644
--- a/servers/slapd/back-bdb/init.c
+++ b/servers/slapd/back-bdb/init.c
@@ -330,6 +330,13 @@ shm_retry:
rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
flags | do_recover, bdb->bi_dbenv_mode );
+ if ( rc == DB_VERSION_MISMATCH ) {
+ Debug( LDAP_DEBUG_ANY,
+ LDAP_XSTRING(bdb_db_open) ": bdb version change detected "
+ "trying to recover\n", 0, 0, 0 );
+ rc = (bdb->bi_dbenv->open)( bdb->bi_dbenv, dbhome,
+ flags | DB_RECOVER, bdb->bi_dbenv_mode );
+ }
if ( rc ) {
/* Regular open failed, probably a missing shm environment.
* Start over, do a recovery.
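Review bot: The second open() call reuses bdb->bi_dbenv right after the first call on the same handle failed with DB_VERSION_MISMATCH. Berkeley DB documents that a DB_ENV handle has to be closed and discarded after a failed open, so please confirm that retrying on the same handle is valid or recreate the handle first. The result of the retry is also never logged: if it fails, control drops into the existing if ( rc ) block, whose comment blames a missing shm environment, and the operator does not learn that the version-change recovery failed. Since the commit message says recovery only succeeds when just the transaction log format changed, log that failure explicitly.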
--
1.7.10.4
++++++ 0008-ITS-7723-fix-reference-counting.patch ++++++
>From 742d3e4a6a1f62c3c3ae1e9341f3615b4705a701 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek(a)redhat.com>
Date: Wed, 13 Nov 2013 09:06:54 +0100
Subject: [PATCH] ITS#7723 fix reference counting
---
libraries/librewrite/session.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/librewrite/session.c b/libraries/librewrite/session.c
index 28f2551..7c59d14 100644
--- a/libraries/librewrite/session.c
+++ b/libraries/librewrite/session.c
@@ -161,6 +161,7 @@ rewrite_session_find(
#ifdef USE_REWRITE_LDAP_PVT_THREADS
if ( session ) {
ldap_pvt_thread_mutex_lock( &session->ls_mutex );
+ session->ls_count++;
}
ldap_pvt_thread_rdwr_runlock( &info->li_cookies_mutex );
#endif /* USE_REWRITE_LDAP_PVT_THREADS */
@@ -178,6 +179,7 @@ rewrite_session_return(
)
{
assert( session != NULL );
+ session->ls_count--;
ldap_pvt_thread_mutex_unlock( &session->ls_mutex );
}
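Review bot: session->ls_count-- in rewrite_session_return is not visibly guarded, while the matching session->ls_count++ in rewrite_session_find sits inside #ifdef USE_REWRITE_LDAP_PVT_THREADS. In a build without that macro the count would only ever be decremented. Move the increment out of the #ifdef (keeping it under the if ( session ) check) or guard the decrement the same way, and consider assert( session->ls_count > 0 ) before the decrement so an unbalanced return is caught instead of underflowing silently.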
--
1.8.3.1
++++++ 0009-In-monitor-backend-do-not-return-Connection0-entries.patch ++++++
>From d4b247e43fe1ea1b3713f3d8f493422d5adcc537 Mon Sep 17 00:00:00 2001
From: HouzuoGuo <guohouzuo(a)gmail.com>
Date: Fri, 13 Mar 2015 16:14:10 +0100
Subject: [PATCH] In monitor backend, do not return Connection0 entries as they
are created for internal use only.
---
servers/slapd/back-monitor/conn.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/servers/slapd/back-monitor/conn.c b/servers/slapd/back-monitor/conn.c
index c1995b0..2d27738 100644
--- a/servers/slapd/back-monitor/conn.c
+++ b/servers/slapd/back-monitor/conn.c
@@ -454,6 +454,11 @@ monitor_subsys_conn_create(
c != NULL;
c = connection_next( c, &connindex ) )
{
+ /* Connection 0 is created by connection_client_setup for internal use only */
+ if (c->c_connid == 0) {
+ continue;
+ }
+
monitor_entry_t *mp;
if ( conn_create( mi, c, &e, ms ) != SLAP_CB_CONTINUE
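Review bot: The new if block is placed before the declaration monitor_entry_t *mp;, which turns it into a declaration after a statement. That is not valid C90 and will warn or fail with -Wdeclaration-after-statement or older compilers. Move the check below the declaration. The condition is also written as if (c->c_connid == 0), while the surrounding code uses the spaced form if ( ... ).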
--
2.1.4
++++++ 0010-ITS-ITS-8027-require-non-empty-AttributeList.patch ++++++
>From 7a5a98577a0481d864ca7fe05b9b32274d4d1fb5 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc(a)openldap.org>
Date: Mon, 19 Jan 2015 22:25:53 +0000
Subject: [PATCH] ITS#8027 require non-empty AttributeList
---
servers/slapd/overlays/deref.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c
index 9420e3e..05aa890 100644
--- a/servers/slapd/overlays/deref.c
+++ b/servers/slapd/overlays/deref.c
@@ -183,7 +183,8 @@ deref_parseCtrl (
ber_len_t cnt = sizeof(struct berval);
ber_len_t off = 0;
- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR )
+ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR
+ || !cnt )
{
rs->sr_text = "Dereference control: derefSpec decoding error";
rs->sr_err = LDAP_PROTOCOL_ERROR;
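Review bot: The || !cnt check deserves a short comment saying that a successfully decoded but empty AttributeList is rejected, because the error text still reads "decoding error" for that case. It is also worth confirming that nothing ber_scanf allocated for attributes needs freeing on this path when decoding succeeded with zero elements.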
--
1.7.10.4
++++++ 0011-ITS-8046-fix-vrFilter_free.patch ++++++
>From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc(a)openldap.org>
Date: Wed, 4 Feb 2015 02:03:55 +0000
Subject: [PATCH] ITS#8046 fix vrFilter_free
---
servers/slapd/filter.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
index b859f73..22c81c8 100644
--- a/servers/slapd/filter.c
+++ b/servers/slapd/filter.c
@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber,
void
vrFilter_free( Operation *op, ValuesReturnFilter *vrf )
{
- ValuesReturnFilter *p, *next;
+ ValuesReturnFilter *next;
- if ( vrf == NULL ) {
- return;
- }
-
- for ( p = vrf; p != NULL; p = next ) {
- next = p->vrf_next;
+ for ( ; vrf != NULL; vrf = next ) {
+ next = vrf->vrf_next;
switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) {
case LDAP_FILTER_PRESENT:
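Review bot: The commit message gives only the ITS number; it should state the defect, because it is easy to miss in the diff. The removed loop advanced p, but the switch in the context line reads vrf->vrf_choice, so each iteration acted on the list head instead of the current node. Iterating on vrf itself fixes that, and the for condition makes the removed NULL check redundant.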
--
1.7.10.4
++++++ DB_CONFIG ++++++
set_cachesize 0 15000000 1
set_lg_regionmax 262144
set_lg_bsize 2097152
set_lk_max_locks 30000
set_lk_max_objects 30000
set_flags DB_LOG_AUTOREMOVE
++++++ README.dynamic-overlays ++++++
Most of the OpenLDAP overlays are now compiled as dynamic modules in our
packages. If you want to use any of these in your setup make sure to put
the correct "olcModuleLoad" or "moduleload" statements in your configuration.
For details please see the slapd-config(5) and slapd.conf(5) manpages
(depending on which config mechanism you use).
For a list of the included dynamic modules see the
"/usr/lib/openldap/modules/" directory.
For convenience and backwards compatibility some overlays are still
compiled statically into the slapd binary. To see which overlays these are,
call "/usr/lib/openldap/slapd -VVV". Currently these are:
syncprov (the provider part of syncrepl replication)
ppolicy (an LDAP Password Policy implementation)
Documentation for the overlays can be found in the respective man pages
(named "slapo-<overlay-name>") or the OpenLDAP Administration Guide which
is part of the "openldap2-doc" package.
++++++ README.update ++++++
Updating from OpenLDAP 2.3.X to 2.4.X
=====================================
Changed Database format:
Due to a change in the "BDB"-backend's index database format, existing
bdb-databases need to be reloaded from LDIF completely. This is
normally done during the package installation/update. This might not
work in all setups, and for that reason database dumps of all bdb/hdb
databases are created during the update.
You can find the database dump of each bdb database in the
database directory for that database (default: /var/lib/ldap/). The
file name is "ldapbak.ldif.X" where "X" represents the number of the
database.
If the database backups were not created during the package update for
some reason, you can create them manually by using the command:
/usr/sbin/openldap-2.3-slapcat -T c \
-f /etc/openldap/schema.backup.XXXXXX/slapd.conf.update
Before dumping the database you should remove the db's environment (the
__db*-file in /var/lib/ldap).
To reload the databases please use the tool "slapadd".
Other Changes:
For additional information on important changes and upgrade
instructions, please have a look at the OpenLDAP Administrator's Guide.
You can find it at:
/usr/share/doc/packages/openldap2/guide/admin/guide.html
or online at:
http://www.openldap.org/doc/admin24/
++++++ baselibs.conf ++++++
libldap-2_4-2
provides "openldap2-client-<targettype> = <version>"
obsoletes "openldap2-client-<targettype> <= <version>"
openldap2-devel
requires -openldap2-<targettype>
requires "libldap-2_4-2-<targettype> = <version>"
++++++ check-build.sh ++++++
#!/bin/bash
# Copyright (c) 2003 SuSE Linux AG, Germany. All rights reserved.
# get kernel version
OIFS="$IFS" ; IFS=".-" ; version=(`uname -r`) ; IFS="$OIFS"
if test ${version[0]} -gt 2 ; then
: # okay
elif test ${version[0]} -lt 2 -o ${version[1]} -lt 6 -o ${version[2]} -lt 11 ; then
echo "FATAL: kernel too old, need kernel >= 2.6.11 for this package" 1>&2
exit 1
fi
exit 0
++++++ openldap-2.3.37.dif ++++++
Index: build/top.mk
===================================================================
--- build/top.mk.orig
+++ build/top.mk
@@ -39,7 +39,7 @@ libdir = @libdir@
libexecdir = @libexecdir@
localstatedir = @localstatedir@
mandir = @mandir@
-moduledir = @libexecdir@$(ldap_subdir)
+moduledir = @libexecdir@/modules
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
sysconfdir = @sysconfdir@$(ldap_subdir)
@@ -58,7 +58,7 @@ INSTALL_PROGRAM = $(INSTALL)
INSTALL_DATA = $(INSTALL) -m 644
INSTALL_SCRIPT = $(INSTALL)
-STRIP = -s
+#STRIP = -s
LINT = lint
5LINT = 5lint
Index: configure.in
===================================================================
--- configure.in.orig
+++ configure.in
@@ -64,7 +64,9 @@ dnl Determine host platform
dnl we try not to use this for much
AC_CANONICAL_TARGET([])
-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
+AC_PROG_MAKE_SET
+PACKAGE=$OL_PACKAGE
+VERSION=$OL_VERSION
AC_SUBST(PACKAGE)dnl
AC_SUBST(VERSION)dnl
AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
Index: servers/slapd/aclparse.c
===================================================================
--- servers/slapd/aclparse.c.orig
+++ servers/slapd/aclparse.c
@@ -662,7 +662,7 @@ parse_acl(
if ( rc != LDAP_SUCCESS ) {
char buf[ SLAP_TEXT_BUFLEN ];
- snprintf( buf, sizeof( buf ), "%s: line %d: "
+ snprintf( buf, sizeof( buf ),
" attr \"%s\" normalization failed (%d: %s)",
fname, lineno,
a->acl_attrs[ 0 ].an_name.bv_val, rc, text );
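Review bot: The "%s: line %d: " prefix is removed from the format string, but the fname, lineno arguments on the following line are still passed. The remaining %s, %d and %s now consume fname, lineno and the attribute name, so the message prints the file name as the attribute, the line number as the error code and the attribute name as the error text, while rc and text are ignored. Drop fname, lineno from the argument list as well.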
Index: libraries/liblunicode/Makefile.in
===================================================================
--- libraries/liblunicode/Makefile.in.orig
+++ libraries/liblunicode/Makefile.in
@@ -35,6 +35,9 @@ $(XXDIR)/uctable.h: $(XXDIR)/ucgendat.c
$(MAKE) ucgendat
./ucgendat $(srcdir)/UnicodeData.txt -x $(srcdir)/CompositionExclusions.txt
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
ucgendat: $(XLIBS) ucgendat.o
$(LTLINK) -o $@ ucgendat.o $(LIBS)
Index: libraries/liblutil/Makefile.in
===================================================================
--- libraries/liblutil/Makefile.in.orig
+++ libraries/liblutil/Makefile.in
@@ -19,6 +19,9 @@ PROGRAM = testavl
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
NT_SRCS = ntservice.c
NT_OBJS = ntservice.o slapdmsg.res
Index: servers/slapd/Makefile.in
===================================================================
--- servers/slapd/Makefile.in.orig
+++ servers/slapd/Makefile.in
@@ -69,6 +69,9 @@ SLAPD_DYNAMIC_BACKENDS=@SLAPD_DYNAMIC_BA
SLAPI_LIBS=@LIBSLAPI@ @SLAPI_LIBS@
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
XDEFS = $(MODULES_CPPFLAGS)
XLDFLAGS = $(MODULES_LDFLAGS)
Index: servers/slurpd/Makefile.in
===================================================================
--- servers/slurpd/Makefile.in.orig
+++ servers/slurpd/Makefile.in
@@ -38,6 +38,9 @@ BUILD_SRV = @BUILD_SLURPD@
all-local-srv: $(PROGRAMS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
# $(LTHREAD_LIBS) must be last!
XLIBS = $(SLURPD_L)
XXLIBS = $(SLURPD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS)
Index: servers/slapd/back-bdb/Makefile.in
===================================================================
--- servers/slapd/back-bdb/Makefile.in.orig
+++ servers/slapd/back-bdb/Makefile.in
@@ -37,6 +37,9 @@ mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_BDB@_DEFS)
MOD_LIBS = $(LDBM_LIBS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: servers/slapd/back-hdb/Makefile.in
===================================================================
--- servers/slapd/back-hdb/Makefile.in.orig
+++ servers/slapd/back-hdb/Makefile.in
@@ -39,6 +39,9 @@ mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_HDB@_DEFS)
MOD_LIBS = $(LDBM_LIBS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: servers/slapd/back-ldbm/Makefile.in
===================================================================
--- servers/slapd/back-ldbm/Makefile.in.orig
+++ servers/slapd/back-ldbm/Makefile.in
@@ -36,6 +36,9 @@ mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDBM@_DEFS)
MOD_LIBS = $(LDBM_LIBS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: servers/slapd/overlays/Makefile.in
===================================================================
--- servers/slapd/overlays/Makefile.in.orig
+++ servers/slapd/overlays/Makefile.in
@@ -41,6 +41,9 @@ LTONLY_MOD = $(LTONLY_mod)
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
MOD_DEFS = -DSLAPD_IMPORT
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
Index: servers/slapd/back-relay/Makefile.in
===================================================================
--- servers/slapd/back-relay/Makefile.in.orig
+++ servers/slapd/back-relay/Makefile.in
@@ -24,6 +24,9 @@ BUILD_MOD = @BUILD_RELAY@
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_RELAY@_DEFS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) $(REWRITE)
Index: servers/slapd/back-ldif/Makefile.in
===================================================================
--- servers/slapd/back-ldif/Makefile.in.orig
+++ servers/slapd/back-ldif/Makefile.in
@@ -25,6 +25,9 @@ BUILD_MOD = yes
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(yes_DEFS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: libraries/librewrite/Makefile.in
===================================================================
--- libraries/librewrite/Makefile.in.orig
+++ libraries/librewrite/Makefile.in
@@ -26,6 +26,9 @@ OBJS = config.o context.o info.o ldapmap
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
LIBRARY = librewrite.a
PROGRAMS = rewrite
XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) \
Index: servers/slapd/back-ldap/Makefile.in
===================================================================
--- servers/slapd/back-ldap/Makefile.in.orig
+++ servers/slapd/back-ldap/Makefile.in
@@ -27,6 +27,9 @@ BUILD_MOD = @BUILD_LDAP@
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_LDAP@_DEFS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: servers/slapd/back-monitor/Makefile.in
===================================================================
--- servers/slapd/back-monitor/Makefile.in.orig
+++ servers/slapd/back-monitor/Makefile.in
@@ -33,6 +33,9 @@ BUILD_MOD = @BUILD_MONITOR@
mod_DEFS = -DSLAPD_IMPORT
MOD_DEFS = $(@BUILD_MONITOR@_DEFS)
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
Index: servers/slapd/modify.c
===================================================================
--- servers/slapd/modify.c.orig
+++ servers/slapd/modify.c
@@ -1,4 +1,4 @@
-/* $OpenLDAP: pkg/ldap/servers/slapd/modify.c,v 1.227.2.25 2007/01/02 21:43:56 kurt Exp $ */
+/* $OpenLDAP: pkg/ldap/servers/slapd/modify.c,v 1.227.2.26 2007/09/04 03:42:37 hyc Exp $ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
* Copyright 1998-2007 The OpenLDAP Foundation.
@@ -734,6 +734,7 @@ int slap_mods_check(
"%s: value #%ld normalization failed",
ml->sml_type.bv_val, (long) nvals );
*text = textbuf;
+ BER_BVZERO( &ml->sml_nvalues[nvals] );
return rc;
}
}
Index: servers/slapd/back-bdb/modrdn.c
===================================================================
--- servers/slapd/back-bdb/modrdn.c.orig
+++ servers/slapd/back-bdb/modrdn.c
@@ -729,6 +729,8 @@ retry: /* transaction retry */
} else {
rs->sr_err = LDAP_X_NO_OPERATION;
ltid = NULL;
+ /* Only free attrs if they were dup'd. */
+ if ( dummy.e_attrs == e->e_attrs ) dummy.e_attrs = NULL;
goto return_results;
}
Index: libraries/liblber/Makefile.in
===================================================================
--- libraries/liblber/Makefile.in.orig
+++ libraries/liblber/Makefile.in
@@ -34,6 +34,9 @@ PROGRAMS= dtest etest idtest
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
XXLIBS =
NT_LINK_LIBS = $(AC_LIBS)
Index: libraries/libldap/Makefile.in
===================================================================
--- libraries/libldap/Makefile.in.orig
+++ libraries/libldap/Makefile.in
@@ -42,6 +42,9 @@ OBJS = bind.lo open.lo result.lo error.l
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
LIB_DEFS = -DLDAP_LIBRARY
XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(LDAP_LIBLUTIL_A)
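Review bot: PIE_LDFLAGS="-pie" is set in a library Makefile whose objects are libtool .lo files. -pie is a link option for executables and must not reach the link of the library itself, and library objects need -fPIC, not -fPIE. Restrict the PIE flags to the programs built here or drop them from this file. As in the other Makefile.in hunks, the double quotes become part of the make variable's value and should be removed.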
Index: libraries/libldap_r/Makefile.in
===================================================================
--- libraries/libldap_r/Makefile.in.orig
+++ libraries/libldap_r/Makefile.in
@@ -49,6 +49,9 @@ OBJS = threads.lo rdwr.lo tpool.lo rq.l
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
LIB_DEFS = -DLDAP_LIBRARY
XDEFS = -DLDAP_R_COMPILE -I$(XXDIR)
Index: servers/slapd/back-meta/Makefile.in
===================================================================
--- servers/slapd/back-meta/Makefile.in.orig
+++ servers/slapd/back-meta/Makefile.in
@@ -23,6 +23,9 @@ OBJS = init.lo config.lo search.lo bind.
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
+PIE_CFLAGS="-fPIE"
+PIE_LDFLAGS="-pie"
+
BUILD_OPT = "--enable-meta"
BUILD_MOD = @BUILD_META@
Index: libraries/libldap/os-ip.c
===================================================================
--- libraries/libldap/os-ip.c.orig
+++ libraries/libldap/os-ip.c
@@ -646,7 +646,7 @@ ldap_host_connected_to( Sockbuf *sb, con
char *herr;
#ifdef NI_MAXHOST
char hbuf[NI_MAXHOST];
-#elif defined( MAXHOSTNAMELEN
+#elif defined( MAXHOSTNAMELEN )
char hbuf[MAXHOSTNAMELEN];
#else
char hbuf[256];
Index: include/ldap_pvt_thread.h
===================================================================
--- include/ldap_pvt_thread.h.orig
+++ include/ldap_pvt_thread.h
@@ -61,8 +61,6 @@ ldap_pvt_thread_set_concurrency LDAP_P((
/* LARGE stack. Will be twice as large on 64 bit machine. */
#define LDAP_PVT_THREAD_STACK_SIZE ( 1 * 1024 * 1024 * sizeof(void *) )
/* May be explicitly defined to zero to disable it */
-#elif LDAP_PVT_THREAD_STACK_SIZE == 0
-#undef LDAP_PVT_THREAD_SET_STACK_SIZE
#endif
#endif /* !LDAP_PVT_THREAD_H_DONE */
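Review bot: The removed #elif branch is the one the preceding comment describes, so "May be explicitly defined to zero to disable it" is left in place describing behaviour that no longer exists. Remove or reword the comment, and state in the patch description why defining LDAP_PVT_THREAD_STACK_SIZE to 0 should no longer undefine LDAP_PVT_THREAD_SET_STACK_SIZE.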
Index: libraries/liblutil/getpeereid.c
===================================================================
--- libraries/liblutil/getpeereid.c.orig
+++ libraries/liblutil/getpeereid.c
@@ -13,7 +13,9 @@
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
-
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE 1 /* Needed for glibc struct ucred */
+#endif
#include "portable.h"
#ifndef HAVE_GETPEEREID
++++++ pre_checkin.sh ++++++
#!/bin/bash
echo -n "Generating openldap2-client "
cp openldap2.changes openldap2-client.changes
cp openldap2.spec openldap2-client.spec
perl -pi -e "s/^Name:.*openldap2$/Name: openldap2-client/g" openldap2-client.spec
perl -pi -e "s/^Summary:.*Server$/Summary: The OpenLDAP commandline client tools/" openldap2-client.spec
osc service localrun format_spec_file
echo "Done."
++++++ sasl-slapd.conf ++++++
mech_list: gssapi digest-md5 cram-md5 external
++++++ schema2ldif ++++++
#!/bin/bash
#
# This is a simple tool to convert OpenLDAP Schema files to
# LDIF suitable for usage with OpenLDAP's dynamic configuration
# backend (cn=config)
#
# usage:
# schema2ldif <input file>
#
# The generated LDIF is printed to stdout.
#
if [ -z "$1" ]; then
echo 'usage: schema2ldif <input file>'
exit;
fi
cn=`basename "$1" .schema`
echo "dn: cn=$cn,cn=schema,cn=config";
echo "objectclass: olcSchemaConfig";
echo "cn: $cn";
/usr/bin/awk '
BEGIN {
buffer = "";
width=78 ;
}
function wrap(data)
{
if (length(data) > 0) {
do {
print substr(data,1,width);
data = " " substr(data, width+1);
}
while (length(data) > 1 )
};
}
/^[\t ]*$/ {wrap(buffer); buffer=""; print "#"; next; }
/^#.*$/ { wrap(buffer); buffer=""; print $0; next }
/^[\t ]+/ { gsub("^[\t ]+",""); buffer = buffer " " $0; next; }
{
wrap(buffer);
$1 = tolower($1) ;
gsub("^objectclass$","olcObjectclasses:",$1)
gsub("^attributetype$","olcAttributeTypes:",$1)
gsub("^objectidentifier$","olcObjectIdentifier:",$1)
buffer = $0;
}
END { wrap(buffer); print "" }
' "$@"
Hello community,
here is the log from the commit of package lxc for openSUSE:13.1:Update checked in at 2015-07-30 13:11:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/lxc (Old)
and /work/SRC/openSUSE:13.1:Update/.lxc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.4fPH0H/_old 2015-07-30 13:11:53.000000000 +0200
+++ /var/tmp/diff_new_pack.4fPH0H/_new 2015-07-30 13:11:53.000000000 +0200
@@ -1 +1 @@
-<link package='lxc.2479' cicount='copy' />
+<link package='lxc.3936' cicount='copy' />
Hello community,
here is the log from the commit of package lxc.3936 for openSUSE:13.1:Update checked in at 2015-07-30 13:11:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/lxc.3936 (Old)
and /work/SRC/openSUSE:13.1:Update/.lxc.3936.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc.3936"
Changes:
--------
New Changes file:
--- /dev/null 2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes 2015-07-30 13:11:51.000000000 +0200
@@ -0,0 +1,341 @@
+-------------------------------------------------------------------
+Thu Jul 23 10:06:47 UTC 2015 - jslaby(a)suse.com
+
+- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
+ (bnc#938523)
+
+-------------------------------------------------------------------
+Mon Jan 13 16:11:49 UTC 2014 - jslaby(a)suse.com
+
+- config_ipv6-run-inet_pton-on-the-addr-value-without-.patch:
+ config_ipv6: run inet_pton on the addr value without mask
+ (bnc#851760)
+
+-------------------------------------------------------------------
+Fri Sep 20 14:46:37 UTC 2013 - jslaby(a)suse.com
+
+- lxc-opensuse-add-perl-base-to-prerequisities.patch: lxc-opensuse:
+ add perl-base to prerequisities (bnc#839873)
+
+-------------------------------------------------------------------
+Tue Sep 10 15:32:28 UTC 2013 - cbosdonnat(a)suse.com
+
+- opensuse-systemd-shutdown.patch: Fixed opensuse template to
+ workaround lxc-shutdown problem with systemd (bnc#839388)
+
+-------------------------------------------------------------------
+Wed Apr 24 08:58:04 UTC 2013 - jslaby(a)suse.com
+
+- update to 0.9.0
+ * configure-support-suse-s-docbook-to-man.patch: added to support
+ our docbook-to-man
+ * configure-find-seccomp-using-pkg-config.patch: add support for
+ our libsseccomp being under /usr/include/libseccomp...
+ * autogenned.patch: the two above applied by autogen.sh to the sources
+ * remove a ton of patches which are upstream now:
+ 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch
+ lxc-autodev.patch
+ lxc-cgroup-already-running.patch
+ lxc-opensuse-12.2.patch
+ lxc-opensuse-12.3.patch
+ lxc-opensuse-clonefixes.patch
+ lxc-opensuse-extend-base.patch
+ lxc-opensuse-proper-failure.patch
+ lxc-opensuse-tmpfs.patch
+ pivot-root_shared.patch
+- Remove obsolete info from README.SUSE
+
+-------------------------------------------------------------------
+Thu Mar 7 15:34:34 UTC 2013 - fcrozat(a)suse.com
+
+- Ensure update repository directory is correctly created
+ (bnc#804435).
+
+-------------------------------------------------------------------
+Tue Feb 26 14:33:41 UTC 2013 - mvyskocil(a)suse.com
+
+- clean cache if a distro version in template does not match
+ with files in a cache (bnc#804435#c19)
+
+-------------------------------------------------------------------
+Tue Feb 26 09:58:10 UTC 2013 - mvyskocil(a)suse.com
+
+- run zypper ar only if .repo file does not exists
+ fixes a partial created repos (bnc#804435#c16)
+
+-------------------------------------------------------------------
+Wed Feb 20 16:21:03 UTC 2013 - fcrozat(a)suse.com
+
+- Add lxc-opensuse-12.3.patch: update template to openSUSE 12.3
+
+-------------------------------------------------------------------
+Tue Feb 19 10:59:39 UTC 2013 - jslaby(a)suse.com
+
+- lxc-opensuse-extend-base.patch: lxc-opensuse: extend base
+ (bnc#804232)
+- lxc-opensuse-proper-failure.patch: lxc-opensuse: proper failure
+- remove change-hwaddr-on-clone.patch as it was fixed upstream
+ already
+
+-------------------------------------------------------------------
+Mon Jan 21 09:26:57 UTC 2013 - fcrozat(a)suse.com
+
+- Update pivot-root_shared.patch with upstream patch to build with
+ old version of kernel headers.
+- Check for /etc/init.d/boot.cgroup presence before starting it in
+ %post.
+
+-------------------------------------------------------------------
+Fri Jan 11 15:56:54 UTC 2013 - fcrozat(a)suse.com
+
+- Release 0.8.0:
+ + add support for autodetection of gateway address
+ + add support for LVM2 and btrfs snapshot in lxc-clone
+ + add support for apparmor
+ + support nested cgroups
+ + lxc no longer depends on perl
+ + add support for container hooks (pre-start, mount, start, stop,
+ umount, post-stop)
+ + templates are moved to /usr/share/lxc/templates
+- Remove
+ Accurately-detect-whether-a-system-supports-clone_children.patch:
+ merged upstream.
+- Add lxc-opensuse-clonefixes.patch: fix openSUSE template
+ regarding cloning.
+- Add 0001-Ensure-btrfs-subvolume-is-destroyed-on-error.patch: fix
+ btrfs subvolume when removing a container.
+- Add lxc-autodev.patch: fill /dev when starting container (needed
+ for systemd).
+- Update lxc-opensuse-12.2.patch: switch to systemd in container.
+
+-------------------------------------------------------------------
+Fri Jan 11 15:30:21 UTC 2013 - fcrozat(a)suse.com
+
+- Add lxc-opensuse-12.1-fixbuild.patch: fix openSUSE 12.1 container
+ build.
+- Add lxc-opensuse-12.2.patch:
+ + switch openSUSE template to 12.2
+ + install iputils in the default configuration
+ + autoconfigure gateway if possible
+ + detect if network is set to 0.0.0.0 and configure DHCP
+ + bind mount /etc/resolv.conf in container
+- Add use-relative-paths-for-container.patch,
+ fix-lxc-clone-mount-entries.patch and update sles
+ template: use relative paths for container mount points, fixes
+ lxc-clone dropping some lxc.mount entries (bnc#789387).
+- Add Requires(post) dependency on aaa_base (bnc#786970) for
+ openSUSE < 12.3.
+- Add dhcpcd in default installation in openSUSE template (bnc#776169).
+- Add change-hwaddr-on-clone.patch: modify MAC address when cloning
+ a container (git)
+- Add wait-until-container-is-stopped.patch: if destroying a
+ running container, wait until it is stopped before destroying it.
+- Ensure lxc-createconfig uses opensuse template by default.
+- Ensure lxc-createconfig correctly detect cidr (bnc#773234).
+- Add pivot-root_shared.patch: fix pivot root when / is mounted as
+ shared (default on 12.3 and later).
+
+-------------------------------------------------------------------
+Fri Apr 20 13:53:41 UTC 2012 - fcrozat(a)suse.com
+
+- Add various fixes to opensuse template :
+ + create /etc/hostname as symlink to /etc/HOSTNAME
+ (lxc-clone fix)
+ + fix inadequate space in lxc.mount config (lxc-clone fix)
+ + disable network in container if not configured
+ + configure network scripts properly
+- Add lxc-snapshot-btrfs-lvm.patch: backport snapshot support,
+ using btrfs or lvm2.
+- Add lxc-opensuse-tmpfs.patch: ensure container shutting down is
+ correctly detected by LXC.
+
+-------------------------------------------------------------------
+Fri Apr 13 11:36:16 UTC 2012 - fcrozat(a)suse.com
+
+- Add lxc-createconfig script to easy LXC configuration
+ (bnc#723950).
+
+-------------------------------------------------------------------
+Tue Mar 6 21:11:54 CET 2012 - jslaby(a)suse.de
+
+- Accurately detect whether a system supports clone_children
+ (bnc#750470)
+
+-------------------------------------------------------------------
+Tue Jan 10 15:41:45 UTC 2012 - fcrozat(a)suse.com
+
+- Drop lxc-file_caps.patch, it is SLES specific, since openSUSE is
+ now shipping with file capabilities enabled.
+
+-------------------------------------------------------------------
+Fri Jan 6 15:51:32 UTC 2012 - fcrozat(a)suse.com
+
+- Update lxc-opensuse-12.1.patch to correctly generate containers
+ on x86 (bnc#739315).
+- Backport some fixes from SLES 11 SP2:
+ - Add lxc-checkconfig-kernel-3.patch and lxc-file_caps.patch:
+ fix detection of kernel 3.x and file capabilities (bnc#720845).
+ - Fix example path in manpages (bnc#723946).
+
+-------------------------------------------------------------------
+Tue Oct 25 11:35:10 UTC 2011 - fcrozat(a)suse.com
+
+- Add console to opensuse securetty, since we are in a container.
+
+-------------------------------------------------------------------
+Tue Oct 25 09:32:01 UTC 2011 - fcrozat(a)suse.com
+
+- Add lxc-opensuse-12.1.patch: create openSUSE 12.1 containers now
+- Add Recommends on build package, which is used by opensuse
+ template.
+- Update README.SUSE to current status for cgroups mountpoint
+
+-------------------------------------------------------------------
+Fri Sep 2 08:26:28 UTC 2011 - fcrozat(a)suse.com
+
+- Fix license tag, it is LGPLv2.1+ (using LGPLv2+ tag to be
+ consistent).
++++ 144 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.1:Update/.lxc.3936.new/lxc.changes
New:
----
CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
README.SUSE
autogenned.patch
config_ipv6-run-inet_pton-on-the-addr-value-without-.patch
configure-find-seccomp-using-pkg-config.patch
configure-support-suse-s-docbook-to-man.patch
lxc-0.9.0.tar.gz
lxc-createconfig.in
lxc-opensuse-add-perl-base-to-prerequisities.patch
lxc.changes
lxc.spec
opensuse-systemd-shutdown.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lxc.spec ++++++
#
# spec file for package lxc
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: lxc
Version: 0.9.0
Release: 0
Url: http://lxc.sourceforge.net/
Summary: Linux containers implementation
License: LGPL-2.1+
Group: System/Management
Source: http://lxc.sourceforge.net/download/lxc/%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: lxc-createconfig.in
#see autogenned.patch for these two:
Source3: configure-support-suse-s-docbook-to-man.patch
Source4: configure-find-seccomp-using-pkg-config.patch
Patch0: autogenned.patch
Patch1: opensuse-systemd-shutdown.patch
Patch2: lxc-opensuse-add-perl-base-to-prerequisities.patch
Patch3: config_ipv6-run-inet_pton-on-the-addr-value-without-.patch
Patch4: CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: docbook-utils
BuildRequires: docbook2x
BuildRequires: libapparmor-devel
BuildRequires: libcap-devel
%ifarch %ix86 x86_64
%if 0%{?suse_version} >= 1230
BuildRequires: libseccomp-devel
%endif
%endif
BuildRequires: libxslt
BuildRequires: lsb-release
BuildRequires: pkg-config
%if 0%{?suse_version} >= 1130
BuildRequires: linux-glibc-devel
%else
BuildRequires: linux-kernel-headers
%endif
Requires: /sbin/setcap
Requires: rsync
%if 0%{?suse_version} < 1230
Requires(post): aaa_base
%endif
# needed to create openSUSE containers using template
Recommends: build
%description
It provides commands to create and manage containers. It contains a
full featured container with the isolation/virtualization of the pids,
the ipc, the utsname, the mount points, /proc, /sys, the network and it
takes into account the control groups. It is very light, flexible, and
provides a set of tools around the container like the monitoring with
asynchronous events notification, or the freeze of the container. This
package is useful to create Virtual Private Server, or to run isolated
applications like bash or sshd.
%package devel
Summary: Development library for lxc
License: LGPL-2.1
Group: Development/Libraries/C and C++
Requires: %name = %version
%description devel
Lxc header files and library needed for development of containers.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
%configure --disable-examples
%__make %{?_smp_mflags}
%__cp %{SOURCE1} .
%__rm -rf .doc
%__mkdir_p .doc/examples
%__cp doc/examples/*.conf .doc/examples
%install
%makeinstall
install -d -m 755 %{buildroot}/var/lib/lxc
find %buildroot -type f -name '*.la' -delete
./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2}
chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
%clean
%__rm -rf %buildroot
%post
/sbin/ldconfig
%if 0%{?suse_version} < 1230
if [ -x /etc/init.d/boot.cgroup ]; then
%fillup_and_insserv -f -Y boot.cgroup
/etc/init.d/boot.cgroup start 2>/dev/null >/dev/null || :
fi
%endif
%postun
/sbin/ldconfig
%if 0%{?suse_version} < 1230
%insserv_cleanup
%endif
%files
%defattr(-,root,root)
%doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt
%doc README.SUSE
%doc .doc/examples
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%{_libdir}/lib%{name}.so.*
%{_libexecdir}/%name
%{_libdir}/%name
%{_datadir}/%name
%dir /var/lib/lxc
%{_bindir}/%{name}-*
%{_mandir}/man[^3]/*
%files devel
%defattr(-,root,root)
%{_includedir}/%name
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc
%changelog
++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber(a)ubuntu.com>
Date: Thu, 16 Jul 2015 16:37:51 -0400
Subject: CVE-2015-1334: Don't use the container's /proc during attach
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch-mainline: yes
Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e
References: bnc#938523
A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.
Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber(a)ubuntu.com>
Signed-off-by: Jiri Slaby <jslaby(a)suse.com> [backport to 0.9]
---
src/lxc/lxc_attach.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 52 insertions(+), 1 deletion(-)
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -24,9 +24,11 @@
#define _GNU_SOURCE
#include <unistd.h>
#include <errno.h>
+#include <fcntl.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/param.h>
+#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
@@ -140,6 +142,48 @@ Options :\n\
.checker = NULL,
};
+static int lsm_set_label_at(int procfd, char *lsm_label)
+{
+ int labelfd = -1;
+ int ret = 0;
+ int size;
+ char *command = NULL;
+
+ labelfd = openat(procfd, "self/attr/current", O_RDWR);
+ if (labelfd < 0) {
+ SYSERROR("Unable to open LSM label");
+ ret = -1;
+ goto out;
+ }
+
+ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1);
+ if (!command) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ size = sprintf(command, "changeprofile %s", lsm_label);
+ if (size < 0) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ if (write(labelfd, command, size + 1) < 0) {
+ SYSERROR("Unable to set LSM label");
+ ret = -1;
+ goto out;
+ }
+out:
+ free(command);
+
+ if (labelfd != -1)
+ close(labelfd);
+
+ return ret;
+}
+
int main(int argc, char *argv[])
{
int ret;
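Review bot: lsm_set_label_at() passes lsm_label straight to strlen() with no NULL check, so a caller that has no profile to apply crashes here instead of getting an error or a no-op; add an early `if (!lsm_label)` return before the openat(). The helper is named for a generic LSM but hard-codes the AppArmor "changeprofile " command, and the malloc() failure path logs "Failed to write apparmor profile", which will mislead whoever reads the log. write() is only checked for a negative return, so a short write of the command goes unnoticed.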
@@ -395,10 +439,17 @@ int main(int argc, char *argv[])
close(cgroup_ipc_sockets[1]);
if ((namespace_flags & CLONE_NEWNS)) {
- if (attach_apparmor(init_ctx->aa_profile) < 0) {
+ int procfd = open("/proc", O_DIRECTORY | O_RDONLY);
+ if (procfd < 0) {
+ SYSERROR("Unable to open /proc");
+ return -1;
+ }
+ if (lsm_set_label_at(procfd, init_ctx->aa_profile) < 0) {
ERROR("failed switching apparmor profiles");
return -1;
}
+ /* we don't need proc anymore */
+ close(procfd);
}
/* A description of the purpose of this functionality is
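Review bot: the open("/proc", ...) sits directly in front of lsm_set_label_at() inside the CLONE_NEWNS branch, and the fix only holds if "/proc" still resolves in the host's mount namespace at that point. The hunk does not show where the namespace switch happens relative to this line, so please confirm it; if the process has already joined the container's mount namespace, the open() has to move in front of that call and the descriptor be carried down. Separately, procfd is not closed on the "failed switching apparmor profiles" return path, and opening it with O_CLOEXEC would keep it from reaching the attached command if a later edit drops the close().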
++++++ README.SUSE ++++++
To mount the control group file system just run:
/sbin/insserv boot.cgroup
and /sys/fs/cgroup will be mounted for cgroup automatically.
++++++ autogenned.patch ++++++
It contains the effect of these patches:
configure-find-seccomp-using-pkg-config.patch
configure-support-suse-s-docbook-to-man.patch
diff --git a/configure b/configure
index dfb8e42..ee5faae 100755
--- a/configure
+++ b/configure
@@ -659,9 +659,6 @@ ENABLE_LUA_FALSE
ENABLE_LUA_TRUE
PYTHONDEV_LIBS
PYTHONDEV_CFLAGS
-PKG_CONFIG_LIBDIR
-PKG_CONFIG_PATH
-PKG_CONFIG
pkgpyexecdir
pyexecdir
pkgpythondir
@@ -676,6 +673,10 @@ ENABLE_PYTHON_TRUE
ENABLE_EXAMPLES_FALSE
ENABLE_EXAMPLES_TRUE
SECCOMP_LIBS
+SECCOMP_CFLAGS
+PKG_CONFIG_LIBDIR
+PKG_CONFIG_PATH
+PKG_CONFIG
ENABLE_SECCOMP_FALSE
ENABLE_SECCOMP_TRUE
APPARMOR_LIBS
@@ -806,10 +807,12 @@ LDFLAGS
LIBS
CPPFLAGS
CPP
-PYTHON
PKG_CONFIG
PKG_CONFIG_PATH
PKG_CONFIG_LIBDIR
+SECCOMP_CFLAGS
+SECCOMP_LIBS
+PYTHON
PYTHONDEV_CFLAGS
PYTHONDEV_LIBS
LUA_CFLAGS
@@ -1468,12 +1471,16 @@ Some influential environment variables:
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
- PYTHON the Python interpreter
PKG_CONFIG path to pkg-config utility
PKG_CONFIG_PATH
directories to add to pkg-config's search path
PKG_CONFIG_LIBDIR
path overriding pkg-config's built-in search path
+ SECCOMP_CFLAGS
+ C compiler flags for SECCOMP, overriding pkg-config
+ SECCOMP_LIBS
+ linker flags for SECCOMP, overriding pkg-config
+ PYTHON the Python interpreter
PYTHONDEV_CFLAGS
C compiler flags for PYTHONDEV, overriding pkg-config
PYTHONDEV_LIBS
@@ -4821,7 +4828,7 @@ if test "x$enable_doc" = "xyes" -o "x$enable_doc" = "xauto"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for docbook2x-man" >&5
$as_echo_n "checking for docbook2x-man... " >&6; }
- for name in docbook2x-man db2x_docbook2man; do
+ for name in docbook2x-man db2x_docbook2man docbook-to-man; do
if "$name" --help >/dev/null 2>&1; then
db2xman="$name"
break;
@@ -5034,113 +5041,6 @@ else
fi
-if test -z "$ENABLE_SECCOMP_TRUE"; then :
- ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
-if test "x$ac_cv_header_seccomp_h" = xyes; then :
-
-else
- as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
-fi
-
-
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
-$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
-if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lseccomp $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-/* Override any GCC internal prototype to avoid an error.
- Use char because int might match the return type of a GCC
- builtin and then its argument prototype would still apply. */
-#ifdef __cplusplus
-extern "C"
-#endif
-char seccomp_init ();
-int
-main ()
-{
-return seccomp_init ();
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- ac_cv_lib_seccomp_seccomp_init=yes
-else
- ac_cv_lib_seccomp_seccomp_init=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
-$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
-if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSECCOMP 1
-_ACEOF
-
- LIBS="-lseccomp $LIBS"
-
-else
- as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
-fi
-
- SECCOMP_LIBS=-lseccomp
-
-fi
-
-# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
-ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h>
-"
-if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then :
-
-cat >>confdefs.h <<_ACEOF
-#define HAVE_SCMP_FILTER_CTX 1
-_ACEOF
-
-
-fi
-
-
-# Configuration examples
-# Check whether --enable-examples was given.
-if test "${enable_examples+set}" = set; then :
- enableval=$enable_examples;
-else
- enable_examples=yes
-fi
-
- if test "x$enable_examples" = "xyes"; then
- ENABLE_EXAMPLES_TRUE=
- ENABLE_EXAMPLES_FALSE='#'
-else
- ENABLE_EXAMPLES_TRUE='#'
- ENABLE_EXAMPLES_FALSE=
-fi
-
-
-# Python3 module and scripts
-# Check whether --enable-python was given.
-if test "${enable_python+set}" = set; then :
- enableval=$enable_python; enable_python=yes
-else
- enable_python=no
-fi
-
- if test "x$enable_python" = "xyes"; then
- ENABLE_PYTHON_TRUE=
- ENABLE_PYTHON_FALSE='#'
-else
- ENABLE_PYTHON_TRUE='#'
- ENABLE_PYTHON_FALSE=
-fi
-
-
@@ -5261,6 +5161,247 @@ $as_echo "no" >&6; }
PKG_CONFIG=""
fi
fi
+if test -z "$ENABLE_SECCOMP_TRUE"; then :
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SECCOMP" >&5
+$as_echo_n "checking for SECCOMP... " >&6; }
+
+if test -n "$SECCOMP_CFLAGS"; then
+ pkg_cv_SECCOMP_CFLAGS="$SECCOMP_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SECCOMP_CFLAGS=`$PKG_CONFIG --cflags "libseccomp" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$SECCOMP_LIBS"; then
+ pkg_cv_SECCOMP_LIBS="$SECCOMP_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libseccomp\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libseccomp") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SECCOMP_LIBS=`$PKG_CONFIG --libs "libseccomp" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ SECCOMP_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libseccomp" 2>&1`
+ else
+ SECCOMP_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libseccomp" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$SECCOMP_PKG_ERRORS" >&5
+
+
+ ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
+if test "x$ac_cv_header_seccomp_h" = xyes; then :
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
+$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
+if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lseccomp $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char seccomp_init ();
+int
+main ()
+{
+return seccomp_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_seccomp_seccomp_init=yes
+else
+ ac_cv_lib_seccomp_seccomp_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
+$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
+if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSECCOMP 1
+_ACEOF
+
+ LIBS="-lseccomp $LIBS"
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+ SECCOMP_LIBS=-lseccomp
+
+
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+ ac_fn_c_check_header_mongrel "$LINENO" "seccomp.h" "ac_cv_header_seccomp_h" "$ac_includes_default"
+if test "x$ac_cv_header_seccomp_h" = xyes; then :
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for seccomp_init in -lseccomp" >&5
+$as_echo_n "checking for seccomp_init in -lseccomp... " >&6; }
+if ${ac_cv_lib_seccomp_seccomp_init+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lseccomp $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char seccomp_init ();
+int
+main ()
+{
+return seccomp_init ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_seccomp_seccomp_init=yes
+else
+ ac_cv_lib_seccomp_seccomp_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_seccomp_seccomp_init" >&5
+$as_echo "$ac_cv_lib_seccomp_seccomp_init" >&6; }
+if test "x$ac_cv_lib_seccomp_seccomp_init" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSECCOMP 1
+_ACEOF
+
+ LIBS="-lseccomp $LIBS"
+
+else
+ as_fn_error $? "You must install the seccomp development package in order to compile lxc" "$LINENO" 5
+fi
+
+ SECCOMP_LIBS=-lseccomp
+
+
+else
+ SECCOMP_CFLAGS=$pkg_cv_SECCOMP_CFLAGS
+ SECCOMP_LIBS=$pkg_cv_SECCOMP_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+fi
+
+# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+OLD_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
+ac_fn_c_check_type "$LINENO" "scmp_filter_ctx" "ac_cv_type_scmp_filter_ctx" "#include <seccomp.h>
+"
+if test "x$ac_cv_type_scmp_filter_ctx" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_SCMP_FILTER_CTX 1
+_ACEOF
+
+
+fi
+
+CFLAGS="$OLD_CFLAGS"
+
+# Configuration examples
+# Check whether --enable-examples was given.
+if test "${enable_examples+set}" = set; then :
+ enableval=$enable_examples;
+else
+ enable_examples=yes
+fi
+
+ if test "x$enable_examples" = "xyes"; then
+ ENABLE_EXAMPLES_TRUE=
+ ENABLE_EXAMPLES_FALSE='#'
+else
+ ENABLE_EXAMPLES_TRUE='#'
+ ENABLE_EXAMPLES_FALSE=
+fi
+
+
+# Python3 module and scripts
+# Check whether --enable-python was given.
+if test "${enable_python+set}" = set; then :
+ enableval=$enable_python; enable_python=yes
+else
+ enable_python=no
+fi
+
+ if test "x$enable_python" = "xyes"; then
+ ENABLE_PYTHON_TRUE=
+ ENABLE_PYTHON_FALSE='#'
+else
+ ENABLE_PYTHON_TRUE='#'
+ ENABLE_PYTHON_FALSE=
+fi
+
+
if test -z "$ENABLE_PYTHON_TRUE"; then :
diff --git a/src/lxc/Makefile.in b/src/lxc/Makefile.in
index d6841c6..b97b429 100644
--- a/src/lxc/Makefile.in
+++ b/src/lxc/Makefile.in
@@ -65,7 +65,7 @@ so_PROGRAMS = liblxc.so$(EXEEXT)
@HAVE_FGETLN_TRUE@@HAVE_GETLINE_FALSE@am__append_4 = ../include/getline.c ../include/getline.h
@ENABLE_APPARMOR_TRUE@am__append_5 = -DHAVE_APPARMOR
@USE_CONFIGPATH_LOGS_TRUE@am__append_6 = -DUSE_CONFIGPATH_LOGS
-@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP
+@ENABLE_SECCOMP_TRUE@am__append_7 = -DHAVE_SECCOMP $(SECCOMP_CFLAGS)
@ENABLE_SECCOMP_TRUE@am__append_8 = seccomp.c
@ENABLE_PYTHON_TRUE@am__append_9 = lxc-device lxc-ls \
@ENABLE_PYTHON_TRUE@ lxc-start-ephemeral
@@ -344,6 +344,7 @@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+SECCOMP_CFLAGS = @SECCOMP_CFLAGS@
SECCOMP_LIBS = @SECCOMP_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
++++++ config_ipv6-run-inet_pton-on-the-addr-value-without-.patch ++++++
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Date: Fri, 23 Aug 2013 12:45:15 -0500
Subject: config_ipv6: run inet_pton on the addr value without mask
Patch-mainline: no
References: bnc#851760
otherwise a "$addr/$mask" results in failure.
Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
---
src/lxc/confile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: lxc-0.9.0/src/lxc/confile.c
===================================================================
--- lxc-0.9.0.orig/src/lxc/confile.c
+++ lxc-0.9.0/src/lxc/confile.c
@@ -745,8 +745,8 @@ static int config_network_ipv6(const cha
inet6dev->prefix = atoi(netmask);
}
- if (!inet_pton(AF_INET6, value, &inet6dev->addr)) {
- SYSERROR("invalid ipv6 address: %s", value);
+ if (!inet_pton(AF_INET6, valdup, &inet6dev->addr)) {
+ SYSERROR("invalid ipv6 address: %s", valdup);
free(valdup);
return -1;
}
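Review bot: the test `!inet_pton(AF_INET6, valdup, ...)` only catches a return of 0; inet_pton() returns 1 on success and -1 on error, so `inet_pton(...) != 1` is the safer comparison. In the same hunk the context line `inet6dev->prefix = atoi(netmask);` accepts any string, so a mask such as "abc" or "200" is stored without complaint; strtol() with a 0 to 128 range check would reject it. The error message now prints valdup, the value with the mask stripped, so the log no longer shows what was actually written in the config.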
++++++ configure-find-seccomp-using-pkg-config.patch ++++++
From: Jiri Slaby <jslaby(a)suse.cz>
Date: Wed, 24 Apr 2013 10:46:21 +0200
Subject: configure: find seccomp using pkg-config
Patch-mainline: no
On suse we have the header in a subdir inside /usr/include, so
pkgconfig has to be used to find out proper CFLAGS.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
---
configure.ac | 12 +++++++++---
src/lxc/Makefile.am | 2 +-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index ef6122e..630027a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,12 +113,18 @@ fi
AM_CONDITIONAL([ENABLE_SECCOMP], [test "x$enable_seccomp" = "xyes"])
AM_COND_IF([ENABLE_SECCOMP],
- [AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
- AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
- AC_SUBST([SECCOMP_LIBS], [-lseccomp])])
+ [PKG_CHECK_MODULES([SECCOMP],[libseccomp],[],[
+ AC_CHECK_HEADER([seccomp.h],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
+ AC_CHECK_LIB([seccomp], [seccomp_init],[],[AC_MSG_ERROR([You must install the seccomp development package in order to compile lxc])])
+ AC_SUBST([SECCOMP_LIBS], [-lseccomp])
+ ])
+ ])
# HAVE_SCMP_FILTER_CTX=1 will tell us we have libseccomp api >= 1.0.0
+OLD_CFLAGS="$CFLAGS"
+CFLAGS="$CFLAGS $SECCOMP_CFLAGS"
AC_CHECK_TYPES([scmp_filter_ctx], [], [], [#include <seccomp.h>])
+CFLAGS="$OLD_CFLAGS"
# Configuration examples
AC_ARG_ENABLE([examples],
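Review bot: when PKG_CHECK_MODULES succeeds, the AC_CHECK_LIB([seccomp], [seccomp_init]) call no longer runs, so its default side effects (defining HAVE_LIBSECCOMP and prepending -lseccomp to LIBS) are skipped on that path while the fallback path still gets them. Linking then depends on $(SECCOMP_LIBS) being referenced on the link line, and the Makefile.am hunk of this patch only adds $(SECCOMP_CFLAGS); please confirm SECCOMP_LIBS is used there, or the two paths will build differently. The CFLAGS save and restore around AC_CHECK_TYPES looks right.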
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index ebeca466..5798c93 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -104,7 +104,7 @@ AM_CFLAGS += -DUSE_CONFIGPATH_LOGS
endif
if ENABLE_SECCOMP
-AM_CFLAGS += -DHAVE_SECCOMP
+AM_CFLAGS += -DHAVE_SECCOMP $(SECCOMP_CFLAGS)
liblxc_so_SOURCES += seccomp.c
endif
--
1.8.2.1
++++++ configure-support-suse-s-docbook-to-man.patch ++++++
From: Jiri Slaby <jslaby(a)suse.cz>
Date: Wed, 24 Apr 2013 10:33:34 +0200
Subject: configure: support suse's docbook-to-man
Patch-mainline: no
When finding docbook2x-man...
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/configure.ac
+++ b/configure.ac
@@ -67,7 +67,7 @@ if test "x$enable_doc" = "xyes" -o "x$en
db2xman=""
AC_MSG_CHECKING(for docbook2x-man)
- for name in docbook2x-man db2x_docbook2man; do
+ for name in docbook2x-man db2x_docbook2man docbook-to-man; do
if "$name" --help >/dev/null 2>&1; then
db2xman="$name"
break;
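Review bot: the loop takes the first name for which `"$name" --help` exits zero, so with docbook-to-man added any program of that name is accepted as a docbook2x-man replacement without checking that it takes the same options or input; running the candidate on a small test document would avoid picking up an incompatible tool. The AC_MSG_CHECKING text still says "for docbook2x-man" only, and the commit message stops at "When finding docbook2x-man..." without saying why the extra name is needed.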
++++++ lxc-createconfig.in ++++++
#!/bin/bash
#
# lxc: linux Container library
# Authors:
# Mike Friesenegger <mikef(a)suse.com>
# Daniel Lezcano <daniel.lezcano(a)free.fr>
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
usage() {
echo "usage: lxc-createconfig -n <name> [-i <ipaddr/cidr>] [-b <bridge>] [-t <template>]"
}
help() {
usage
echo
echo "creates a lxc container config file which can be in"
echo "turn used by lxc-create to create the lxc system object."
echo
echo "Options:"
echo "name : name of the container"
echo "ipaddr : ip address/cidr of the container"
echo "bridge : bridge device for container (br0 if undefined)"
echo "template : template is an accessible template script (opensuse if undefined)"
}
shortoptions='hn:i:b:t:'
longoptions='help,name:,ipaddr:,bridge:,template:'
lxc_confpath=$HOME
templatedir=@LXCTEMPLATEDIR@
lxc_bridge=br0
lxc_template=opensuse
getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? != 0 ]; then
usage
exit 1;
fi
eval set -- "$getopt"
while true; do
case "$1" in
-h|--help)
help
exit 1
;;
-n|--name)
shift
lxc_name=$1
lxc_confname=$lxc_name.config
shift
;;
-i|--ipaddr)
shift
lxc_ipaddr=$1
shift
;;
-b|--bridge)
shift
lxc_bridge=$1
shift
;;
-t|--template)
shift
lxc_template=$1
shift
;;
--)
shift
break;;
*)
echo "$1"
usage
exit 1
;;
esac
done
if [ -z "$lxc_name" ]; then
echo "no container name specified"
usage
exit 1
fi
if [ -f "$lxc_confpath/$lxc_confname" ]; then
echo "'$lxc_confname' already exists"
exit 1
fi
if [ ! -z "$lxc_ipaddr" ]; then
# accept only an IPv4 prefix length of 0-32 after the slash
echo "$lxc_ipaddr" | grep -E '/([0-9]|[12][0-9]|3[0-2])$' >/dev/null
if [ $? -ne 0 ]; then
echo "$lxc_ipaddr is missing a cidr"
usage
exit 1
fi
fi
if [ -z "$lxc_ipaddr" ]; then
lxc_ipaddr=DHCP
fi
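if [ ! -z "$lxc_bridge" ]; then
# quote the name so it is passed to grep as a single pattern argument
brctl show | grep -- "$lxc_bridge" >/dev/null
if [ $? -ne 0 ]; then
echo "$lxc_bridge not defined"
exit 1
fi
fi
if [ ! -z "$lxc_template" ]; then
# quote the path so a template name with spaces is not word-split
type "${templatedir}/lxc-$lxc_template" >/dev/null
if [ $? -ne 0 ]; then
echo "unknown template '$lxc_template'"
exit 1
fi
fi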
echo
echo "Container Name = " $lxc_name
echo "IP Address = " $lxc_ipaddr
echo "Bridge = " $lxc_bridge
echo
echo -n "Create container config? (n): "
read ANSWER
if [ "$ANSWER" != "y" -a "$ANSWER" != "Y" ]
then
exit 1
fi
echo
echo "Creating container config $lxc_confpath/$lxc_confname"
# generate a MAC for the IP
lxc_hwaddr="02:00:`(date ; cat /proc/interrupts ) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;'`"
cat >"$lxc_confpath/$lxc_confname" <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%
if [ ! "$lxc_ipaddr" = "DHCP" ]; then
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.ipv4 = $lxc_ipaddr
%%
fi
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.name = eth0
%%
echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_confpath/$lxc_confname -t $lxc_template' to create the lxc system object."
++++++ lxc-opensuse-add-perl-base-to-prerequisities.patch ++++++
From: Jiri Slaby <jslaby(a)suse.cz>
Date: Fri, 20 Sep 2013 16:39:50 +0200
Subject: lxc-opensuse: add perl-base to prerequisities
Patch-mainline: submitted sep 20 2013
References: bnc#839873
It is needed by insserv-compat.
Signed-off-by: Jiri Slaby <jslaby(a)suse.cz>
---
templates/lxc-opensuse.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 1fc7e21..3005e40 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -125,7 +125,7 @@ download_opensuse()
zypper --root $cache/partial-$arch-packages --non-interactive in --auto-agree-with-licenses --download-only zypper lxc patterns-openSUSE-base bash iputils sed tar rsyslog || return 1
cat > $cache/partial-$arch-packages/opensuse.conf << EOF
Preinstall: aaa_base bash coreutils diffutils
-Preinstall: filesystem fillup glibc grep insserv-compat
+Preinstall: filesystem fillup glibc grep insserv-compat perl-base
Preinstall: libbz2-1 libgcc_s1 libncurses5 pam
Preinstall: permissions libreadline6 rpm sed tar libz1 libselinux1
Preinstall: liblzma5 libcap2 libacl1 libattr1
--
1.8.4
++++++ opensuse-systemd-shutdown.patch ++++++
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index 77ef6b2..7c614c2 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -88,6 +88,9 @@ EOF
ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty(a)tty3.service
ln -s ../getty@.service $rootfs/etc/systemd/system/getty.target.wants/getty(a)tty4.service
+ # copy host poweroff target as sigpwr target to make shutdown work
+ # see https://wiki.archlinux.org/index.php/Linux_Containers#Container_cannot_be_s…
+ cp /usr/lib/systemd/system/poweroff.target $rootfs/usr/lib/systemd/system/sigpwr.target
touch $rootfs/etc/sysconfig/kernel
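Review bot: the added cp takes poweroff.target from the host's /usr/lib/systemd/system and its exit status is not checked in this hunk, so on a host without that file the template either stops at this line or carries on with a container that still cannot shut down; check the result, or prefer the unit shipped inside $rootfs if the container's systemd package provides one. $rootfs is also unquoted here, as in the surrounding lines, so a container path containing spaces breaks the command.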
Hello community,
here is the log from the commit of package lxc.3935 for openSUSE:13.2:Update checked in at 2015-07-30 11:15:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/lxc.3935 (Old)
and /work/SRC/openSUSE:13.2:Update/.lxc.3935.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "lxc.3935"
Changes:
--------
New Changes file:
--- /dev/null 2015-07-22 21:25:44.928025004 +0200
+++ /work/SRC/openSUSE:13.2:Update/.lxc.3935.new/lxc.changes 2015-07-30 11:15:19.000000000 +0200
@@ -0,0 +1,549 @@
+-------------------------------------------------------------------
+Thu Jul 23 09:23:19 UTC 2015 - jslaby(a)suse.com
+
+- Added CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch
+ (bnc#938522)
+- Added CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
+ (bnc#938523)
+
+-------------------------------------------------------------------
+Sat Sep 27 05:12:44 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- update to 1.0.6, which includes the following changes/fixes:
+ rootfs_is_blockdev: don't run if no rootfs is specified
+ confile: sanity-check netdev->type before setting netdev->priv elements
+ Fix typo in previous patch
+ Remove mention of mountcgroups in ubuntu.common config
+ remove mountcgroup hook entirely
+ Add SIGPWR support to lxc_init
+ Sysvinit script fixes
+ unprivileged containers: use next available nic name if unspecified
+ fix typo in btrfs error msg
+ apparmor: Allow slave bind mounts
+ provide an example SELinux policy for older releases
+ print a helpful message if creating unpriv container with no idmap
+ use non-thread-safe getpwuid and getpwgid for android
+ btrfs: support recursive subvolume deletion (v2)
+ fix '--log-priority' --> '--logpriority' in main
+ Fix a file descriptor leak in the daemonization
+ Fix a file descriptor leak in the monitord spawn
+ Ensure /dev/pts directory exists on pts setup
+ Do not allow snapshots of LVM backed containers
+ add lxc.console.logpath
+ coverity: don't use newname after null check
+ coverity: malloc the right size for btrs_node tree
+ introduce --with-distro=raspbian
+ cgmanager get/set: clean up child (v2)
+ Add extra debugging
+ Fix typo in the previous commit...
+ do_mount_entry: add nexec, nosuid, nodev, rdonly flags if needed at remount
+ command socket: use hash if needed
+ monitor: fix sockname calculation for long lxcpaths
+ show additional info if btrfs subvolume deletion fails (issue #315)
+ ignore SIGKILL (CTRL-C) and SIGQUIT (CTRL-\) - issue #313
+ chmod container dir to 0770 (v2)
+ build: Fix support for split build and source dirs
+ mount_entry: use statvfs
+ lxc_mount_auto_mounts: honor existing nodev etc at remounts
+ statvfs: do nothing if statvfs does not exist (android/bionic)
+ Prevent compiler warning by initializing ifindex
+ build: don't remove configuration template on clean
+ build: Make setup.py run from srcdir to avoid distutils errors
+ handle hashed command socket names (v2)
+ lxc-cgm: fix issue with nested chowning
+ Report container exit status to monitord
+ support use of 'all' containers when cgmanager supports it
+ log: fix quiet mode
+ Fix build error(ISO C90 specs violation) in lxc.c
+ lxc_map_ids: don't do bogus chekc for newgidmap
+ lxc_map_ids: add a comment
+ clean autodev dir on container exit
+ As discussed on ML, do not clean autodev dir on reboot
+ Fix build failure due to slightly different rmdir
+ Fix presentation of IPv6 addresses and gateway
+
+ lxc-start: Add -F (foreground) option
+
+ all: Discontinue the use of in-line comments (stable)
+ all: Include hostname in DHCP requests
+ all: Switch from arch command to uname -m
+ altlinux: bugfixes
+ archlinux: Properly set default locale in /etc/locale.conf
+ centos template: prevent mingetty from calling vhangup(2)
+ download: Have wget retry 3 times
+ download: Make --keyserver actually work
+ gentoo: keep original uid/gid of files/dirs when installing
+ gentoo: Use portageq to determine portage distdir
+ plamo: keep original uid/gid of files/dirs when installing
+ plamo: bugfix template
+ ssh: send hostname to dhcp server
+ ubuntu: don't check for $rootfs/run/shm
+ ubuntu: add help string
+
+ lxc-test-{unpriv,usernic.in}: make sure to chgrp as well
+ lxc-test-unpriv: test lxc-clone -s
+ tests: Call sync before testing a shutdown
+ tests: Copy the download cache when available [v2]
+ Fix the unprivileged tests cgroup management
+
+ doc: Mention that veth.pair is ignored for unpriv
+ doc: Add mention that veth.pair is ignored for unpriv in Japanese man
+ doc: Add -F option to Japanese lxc-start(1)
+ doc: Update the description of SELinux in Japanese lxc.container.conf(5)
+ doc: Add 'zfs' to the parameter of -B option in lxc-create(1)
+ doc: add lxc.console.logpath to Japanese lxc.container.conf(5)
+ doc: language correction
+ doc: Fix Japanese translation of lxc.container.conf(5)
+ doc: Add destroy option to lxc-snapshot(1)
+ doc: Add description about ignoring lxc.cgroup.use when using cgmanager
+- delete: 0002-lxc-autostart-helper-working-even-if-action-is-not-a.patch
+- delete: 0003-lxc-autostart-helper-working-even-if-var-lock-subsys.patch
+
+-------------------------------------------------------------------
+Fri Aug 15 14:43:35 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- third patch to get lxc-autostart-helper to work on openSUSE
+ * 0003-lxc-autostart-helper-working-even-if-var-lock-subsys.patch
+
+-------------------------------------------------------------------
+Fri Aug 15 13:04:48 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- added another patch to ensure correct operation of lxc.service systemd-unit
+ * 0002-lxc-autostart-helper-working-even-if-action-is-not-a.patch
+
+-------------------------------------------------------------------
+Thu Aug 14 19:26:33 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- added patch to ensure correct operation of lxc.service systemd-unit
+ * 0001-systemd-Ensure-action-is-defined.patch
+
+-------------------------------------------------------------------
+Wed Aug 6 19:38:55 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- update to 1.0.5
+ * seccomp profile
+ * core: Fix unprivileged containers to work with recent kernels.
+ * core: Fix building with -Werror=maybe-uninitialized.
+ * core: seccomp: Don't fail on unresolvable syscalls.
+ * core: lxc-init: Don't force dropping capabilities.
+ * core: configure: Split -lcap and -lselinux out of LIBS.
+ * core: configure: Fix expansion of libexecdir.
+ * core: seccomp: Support 'all' arch sections.
+ * core: seccomp: Fix 32-bit rules.
+ * core: seccomp: Enable a default filter for all templates.
+ * core: Fix corruption in write_config.
+ * core: attach: Fix querying for the current personality.
+ * core: cgmanager: Have cgm_set and cgm_get use absolute paths when possible.
+ * core: cgmanager: Make sure @value is null-terminated in cgm_get.
+ * core: optimization of signal filtering/parsing code.
+ * core: apparmor: Allow hugetlbfs by default (similar to tmpfs and restricted by the hugetlb cgroup controller).
+ * core: Fix find_fstype_cb to ignore blank lines and comments.
+ * lxc-autostart: Actually respect -P when passed.
+ * lxc-attach: Fix typo in usage.
+ * lxc-start: propagate the container exit code.
+ * lxc-stop: Fix incorrect timeout handling.
+ * lxc-device: Support --version.
+ * lxc-ls: Support --version.
+ * lxc-start-ephemeral: Support --version.
+ * tests: Avoid the download template when possible.
+ * tests: Don't fail when HOME isn't defined.
+ * tests: apparmor: Always end messages with a newline.
+ * tests: Clarify error message and fix return codes.
+ * tests: lxc-test-ubuntu doesn't actually need bind9-host.
+ * lxc-debian: standardize formatting.
+ * lxc-debian: fix formatting.
+ * python3: Fix attach_wait and threads.
+
+-------------------------------------------------------------------
+Fri Jun 13 19:33:04 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- fixed the build errors
+
+-------------------------------------------------------------------
+Fri Jun 13 18:24:48 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- update to 1.0.4; disable lua and excluded lxc-top, as lua-dependencies are not available
+
+-------------------------------------------------------------------
+Sat May 17 18:57:22 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- added --enable-lua to compile lxc with lua support (for lxc-top)
+
+-------------------------------------------------------------------
+Sat May 17 13:14:01 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- added "Requires: lua", as lxc-top needs it
+
+-------------------------------------------------------------------
+Mon May 5 13:08:04 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- added file /usr/sbin/rxlcx that links to /usr/sbin/service
+
+-------------------------------------------------------------------
+Mon May 5 10:14:06 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- upgrade to version 1.0.3
+- deleted patch patch_bash_completion.d_lxc.patch, as it is included upstream already
+- added file /usr/sbin/init.lxc
+
+-------------------------------------------------------------------
+Sun Mar 2 09:06:57 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- patch now including headers and signoff
+
+-------------------------------------------------------------------
+Sun Mar 2 08:57:35 UTC 2014 - opensuse_buildservice(a)ojkastl.de
+
+- updated sources to 1.0.0
++++ 352 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:13.2:Update/.lxc.3935.new/lxc.changes
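Review bot: the changelog entry dated Mon May 5 13:08:04 UTC 2014 names the added file as /usr/sbin/rxlcx, but the spec in this same commit creates the symlink as `%{buildroot}%{_sbindir}/rc%name` and packages `%{_sbindir}/rclxc`. The entry should read /usr/sbin/rclxc so the changelog matches what is shipped.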
New:
----
0001-systemd-Ensure-action-is-defined.patch
CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch
CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
README.SUSE
lxc-1.0.6.tar.gz
lxc-createconfig.in
lxc.changes
lxc.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ lxc.spec ++++++
#
# spec file for package lxc
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: lxc
Version: 1.0.6
Release: 0
Url: http://linuxcontainers.org/
Summary: Userspace tools for the Linux kernel containers
License: LGPL-2.1+
Group: System/Management
Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz
Source1: README.SUSE
Source2: lxc-createconfig.in
Patch1: 0001-systemd-Ensure-action-is-defined.patch
Patch2: CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch
Patch3: CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: docbook-utils
BuildRequires: docbook2x
BuildRequires: libapparmor-devel
BuildRequires: libcap-devel
%ifarch %ix86 x86_64
BuildRequires: libseccomp-devel
%endif
BuildRequires: libxslt
BuildRequires: linux-glibc-devel
BuildRequires: lsb-release
BuildRequires: pkg-config
BuildRequires: python3-devel
%if 0%{?suse_version} >= 1210
BuildRequires: systemd
%endif
Requires: /sbin/setcap
Requires: rsync
%{?systemd_requires}
# needed to create openSUSE containers using template
Recommends: build
%description
It provides commands to create and manage containers. It contains a
full featured container with the isolation/virtualization of the pids,
the ipc, the utsname, the mount points, /proc, /sys, the network and it
takes into account the control groups. It is very light, flexible, and
provides a set of tools around the container like the monitoring with
asynchronous events notification, or the freeze of the container. This
package is useful to create Virtual Private Server, or to run isolated
applications like bash or sshd.
%package devel
Summary: Development library for lxc
License: LGPL-2.1
Group: Development/Libraries/C and C++
Requires: %name = %version
%description devel
Lxc header files and library needed for development of containers.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
chmod 755 configure
%configure --disable-examples --with-init-script=systemd
%__make %{?_smp_mflags}
%__cp %{SOURCE1} .
%__rm -rf .doc
%__mkdir_p .doc/examples
%__cp doc/examples/*.conf .doc/examples
%install
%makeinstall
install -d -m 755 %{buildroot}/var/lib/lxc
find %buildroot -type f -name '*.la' -delete
chmod u-s %{buildroot}/usr/lib/lxc/lxc-user-nic
./config.status --file=%{buildroot}%{_bindir}/lxc-createconfig:%{S:2}
chmod a+x %{buildroot}%{_bindir}/lxc-createconfig
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%name
%clean
%__rm -rf %buildroot
%pre
%service_add_pre lxc.service
%post
/sbin/ldconfig
%service_add_post lxc.service
%preun
%service_del_preun lxc.service
%postun
/sbin/ldconfig
%service_del_postun lxc.service
%files
%defattr(-,root,root)
%doc AUTHORS MAINTAINERS COPYING README doc/FAQ.txt
%doc README.SUSE
%doc .doc/examples
%dir %{_sysconfdir}/%{name}/
%config %{_sysconfdir}/%{name}/default.conf
%{_libdir}/lib%{name}.so.*
%{_libexecdir}/%name
%{_libdir}/%name
%{_datadir}/%name
%dir /var/lib/lxc
%{_bindir}/%{name}-*
%exclude %{_bindir}/%{name}-top
%{_sbindir}/init.lxc
%{_sbindir}/rclxc
%{_mandir}/man[^3]/*
%_unitdir/%{name}.service
%python3_sitearch/%{name}/
%python3_sitearch/_%{name}*
%dir %{_sysconfdir}/apparmor.d
%dir %{_sysconfdir}/apparmor.d/abstractions
%dir %{_sysconfdir}/apparmor.d/abstractions/lxc
%config %{_sysconfdir}/apparmor.d/abstractions/lxc/container-base
%config %{_sysconfdir}/apparmor.d/abstractions/lxc/start-container
%config %{_sysconfdir}/apparmor.d/lxc-containers
%dir %{_sysconfdir}/apparmor.d/lxc
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-mounting
%config %{_sysconfdir}/apparmor.d/lxc/lxc-default-with-nesting
%config %{_sysconfdir}/apparmor.d/usr.bin.lxc-start
%config %{_sysconfdir}/bash_completion.d/%{name}
%files devel
%defattr(-,root,root)
%{_includedir}/%name
%{_libdir}/lib%{name}.so
%{_libdir}/pkgconfig/%{name}.pc
%changelog
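Review bot: `Source:` points at a plain http:// URL and the spec lists no detached signature or keyring as further Source entries, so nothing in the build checks that lxc-1.0.6.tar.gz is the upstream release. Add the upstream signature and keyring as sources so the tarball is verified before the two CVE patches are applied on top of it. Separately, `chmod u-s %{buildroot}/usr/lib/lxc/lxc-user-nic` hard-codes a path that %files expresses through `%{_libexecdir}/%name` and `%{_libdir}/%name`; use the matching macro so the setuid bit is stripped from wherever the helper is actually installed.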
++++++ 0001-systemd-Ensure-action-is-defined.patch ++++++
>From 82dddfc2d3c26db922f105111a439e43f5ce7172 Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.pitt(a)ubuntu.com>
Date: Thu, 31 Jul 2014 08:53:54 +0200
Subject: [PATCH 1/2] systemd: Ensure action() is defined
If /etc/rc.d/init.d/functions is not present or does not define an action()
function, provide a simple fallback using "echo".
Signed-off-by: Martin Pitt <martin.pitt(a)ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn(a)ubuntu.com>
---
config/init/sysvinit/lxc.in | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/config/init/sysvinit/lxc.in b/config/init/sysvinit/lxc.in
index 4bfd0f0..c4c0c75 100644
--- a/config/init/sysvinit/lxc.in
+++ b/config/init/sysvinit/lxc.in
@@ -45,6 +45,13 @@ STOPOPTS="-a -s"
test ! -r "$sysconfdir"/rc.d/init.d/functions ||
. "$sysconfdir"/rc.d/init.d/functions
+# provide action() fallback
+if ! type action >/dev/null 2>&1; then
+ action() {
+ echo "$@"
+ }
+fi
+
# Source any configurable options
test ! -r "$sysconfdir"/sysconfig/lxc ||
. "$sysconfdir"/sysconfig/lxc
--
2.0.4
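Review bot: the fallback `action()` added after the functions include only runs `echo "$@"`, so it prints its arguments and executes nothing. The `action` helper from /etc/rc.d/init.d/functions takes a message followed by a command and runs that command; if any caller in lxc.in uses it that way, then on systems without that file the command is printed and silently skipped while the script carries on. A fallback that echoes the first argument, shifts, runs "$@" and returns its exit status would keep the behaviour equivalent.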
++++++ CVE-2015-1331-lxclock-use-run-lxc-lock-rather-than-r.patch ++++++
From: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Date: Fri, 3 Jul 2015 09:26:17 -0500
Subject: CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch-mainline: yes
Git-commit: 72cf81f6a3404e35028567db2c99a90406e9c6e6
References: bnc#938522
This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn(a)ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks(a)canonical.com>
Acked-by: Stéphane Graber <stgraber(a)ubuntu.com>
Signed-off-by: Jiri Slaby <jslaby(a)suse.com>
---
src/lxc/lxclock.c | 38 ++++++++++----------------------------
src/tests/locktests.c | 2 +-
2 files changed, 11 insertions(+), 29 deletions(-)
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p,
char *rundir;
/* lockfile will be:
- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
* or
- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
*/
- /* length of "/lock/lxc/" + $lxcpath + "/" + $lxcname + '\0' */
- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 2;
+ /* length of "/lxc/lock/" + $lxcpath + "/" + $lxcname + '\0' */
+ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2;
rundir = get_rundir();
if (!rundir)
return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p,
return NULL;
}
- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
if (ret < 0 || ret >= len) {
free(dest);
free(rundir);
@@ -128,31 +128,13 @@ static char *lxclock_name(const char *p,
}
ret = mkdir_p(dest, 0755);
if (ret < 0) {
- /* fall back to "/tmp/" $(id -u) "/lxc/" $lxcpath / $lxcname + '\0' */
- int l2 = 33 + strlen(n) + strlen(p);
- if (l2 > len) {
- char *d;
- d = realloc(dest, l2);
- if (!d) {
- free(dest);
- free(rundir);
- return NULL;
- }
- len = l2;
- dest = d;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc/%s", geteuid(), p);
- if (ret < 0 || ret >= len) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc/%s/%s", geteuid(), p, n);
- } else
- ret = snprintf(dest, len, "%s/lock/lxc/%s/%s", rundir, p, n);
+ free(dest);
+ free(rundir);
+ return NULL;
+ }
+ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
free(rundir);
-
if (ret < 0 || ret >= len) {
free(dest);
return NULL;
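Review bot: the new lock file name in this hunk is `"%s/lxc/lock/%s/.%s"`, one byte longer than the old `"%s/lock/lxc/%s/%s"`, but the length set in the first hunk is still `strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2` and its comment does not count the ".". Unless `len` gains that byte in lines outside this diff, the final snprintf returns a value >= len and lxclock_name() returns NULL; bump the constant to 3 and mention the "." in both comments. Dropping the /tmp/$(id -u)/lxc fallback also means a failing mkdir_p() now returns NULL, so it is worth confirming that every caller treats NULL as a hard error.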
--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
exit(1);
}
struct stat sb;
- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
ret = stat(pathname, &sb);
if (ret != 0) {
fprintf(stderr, "%d: filename %s not created\n", __LINE__,
++++++ CVE-2015-1334-Don-t-use-the-container-s-proc-during-.patch ++++++
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber(a)ubuntu.com>
Date: Thu, 16 Jul 2015 16:37:51 -0400
Subject: CVE-2015-1334: Don't use the container's /proc during attach
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Patch-mainline: yes
Git-commit: 5c3fcae78b63ac9dd56e36075903921bd9461f9e
References: bnc#938523
A user could otherwise over-mount /proc and prevent the apparmor profile
or selinux label from being written which combined with a modified
/bin/sh or other commonly used binary would lead to unconfined code
execution.
Reported-by: Roman Fiedler
Signed-off-by: Stéphane Graber <stgraber(a)ubuntu.com>
Signed-off-by: Jiri Slaby <jslaby(a)suse.com>
---
src/lxc/attach.c | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 93 insertions(+), 4 deletions(-)
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -76,6 +76,82 @@
lxc_log_define(lxc_attach, lxc);
+int lsm_set_label_at(int procfd, int on_exec, char* lsm_label) {
+ int labelfd = -1;
+ int ret = 0;
+ const char* name;
+ char* command = NULL;
+
+ name = lsm_name();
+
+ if (strcmp(name, "nop") == 0)
+ goto out;
+
+ if (strcmp(name, "none") == 0)
+ goto out;
+
+ /* We don't support on-exec with AppArmor */
+ if (strcmp(name, "AppArmor") == 0)
+ on_exec = 0;
+
+ if (on_exec) {
+ labelfd = openat(procfd, "self/attr/exec", O_RDWR);
+ }
+ else {
+ labelfd = openat(procfd, "self/attr/current", O_RDWR);
+ }
+
+ if (labelfd < 0) {
+ SYSERROR("Unable to open LSM label");
+ ret = -1;
+ goto out;
+ }
+
+ if (strcmp(name, "AppArmor") == 0) {
+ int size;
+
+ command = malloc(strlen(lsm_label) + strlen("changeprofile ") + 1);
+ if (!command) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ size = sprintf(command, "changeprofile %s", lsm_label);
+ if (size < 0) {
+ SYSERROR("Failed to write apparmor profile");
+ ret = -1;
+ goto out;
+ }
+
+ if (write(labelfd, command, size + 1) < 0) {
+ SYSERROR("Unable to set LSM label");
+ ret = -1;
+ goto out;
+ }
+ }
+ else if (strcmp(name, "SELinux") == 0) {
+ if (write(labelfd, lsm_label, strlen(lsm_label) + 1) < 0) {
+ SYSERROR("Unable to set LSM label");
+ ret = -1;
+ goto out;
+ }
+ }
+ else {
+ ERROR("Unable to restore label for unknown LSM: %s", name);
+ ret = -1;
+ goto out;
+ }
+
+out:
+ free(command);
+
+ if (labelfd != -1)
+ close(labelfd);
+
+ return ret;
+}
+
static struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid)
{
struct lxc_proc_context_info *info = calloc(1, sizeof(*info));
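Review bot: in lsm_set_label_at() the malloc failure branch logs "Failed to write apparmor profile", the same text as the sprintf failure below it, so an allocation failure cannot be told apart in the log; give it its own message. The write() calls are only checked for < 0, so a short write of the label is treated as success; compare the return value with the length passed. As far as this patch shows, the function is used only from attach.c and has no prototype, so it should be `static`.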
@@ -588,6 +664,7 @@ struct attach_clone_payload {
struct lxc_proc_context_info* init_ctx;
lxc_attach_exec_t exec_function;
void* exec_payload;
+ int procfd;
};
static int attach_child_main(void* data);
@@ -640,6 +717,7 @@ int lxc_attach(const char* name, const c
char* cwd;
char* new_cwd;
int ipc_sockets[2];
+ int procfd;
signed long personality;
if (!options)
@@ -849,6 +927,13 @@ int lxc_attach(const char* name, const c
rexit(-1);
}
+ procfd = open("/proc", O_DIRECTORY | O_RDONLY);
+ if (procfd < 0) {
+ SYSERROR("Unable to open /proc");
+ shutdown(ipc_sockets[1], SHUT_RDWR);
+ rexit(-1);
+ }
+
/* attach now, create another subprocess later, since pid namespaces
* only really affect the children of the current process
*/
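Review bot: `procfd` is a descriptor on the host's /proc that is then carried into a process running inside the container, and the only thing keeping it away from the attached program is the single close(procfd) added at the end of attach_child_main(). Opening it with O_CLOEXEC as well would guarantee it cannot be inherited across exec if a later change adds a path that skips that close. A comment stating that the open has to happen before the namespaces are attached would also protect the ordering this fix depends on.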
@@ -876,7 +961,8 @@ int lxc_attach(const char* name, const c
.options = options,
.init_ctx = init_ctx,
.exec_function = exec_function,
- .exec_payload = exec_payload
+ .exec_payload = exec_payload,
+ .procfd = procfd
};
/* We use clone_parent here to make this subprocess a direct child of
* the initial process. Then this intermediate process can exit and
@@ -914,6 +1000,7 @@ static int attach_child_main(void* data)
{
struct attach_clone_payload* payload = (struct attach_clone_payload*)data;
int ipc_socket = payload->ipc_socket;
+ int procfd = payload->procfd;
lxc_attach_options_t* options = payload->options;
struct lxc_proc_context_info* init_ctx = payload->init_ctx;
#if HAVE_SYS_PERSONALITY_H
@@ -1039,12 +1126,11 @@ static int attach_child_main(void* data)
close(ipc_socket);
/* set new apparmor profile/selinux context */
- if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM)) {
+ if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label) {
int on_exec;
on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
- ret = lsm_process_label_set(init_ctx->lsm_label, 0, on_exec);
- if (ret < 0) {
+ if (lsm_set_label_at(procfd, on_exec, init_ctx->lsm_label) < 0) {
rexit(-1);
}
}
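Review bot: the added `&& init_ctx->lsm_label` lets the attach continue without any confinement when LXC_ATTACH_LSM is requested but no label was read, and nothing is logged on that path. If a NULL label is expected only for unconfined containers or when no LSM is active, say so in a comment and log at least a debug message; otherwise treat it as an error, since a label that silently fails to be applied is the condition the commit message describes as leading to unconfined code execution.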
@@ -1095,6 +1181,9 @@ static int attach_child_main(void* data)
}
}
+ /* we don't need proc anymore */
+ close(procfd);
+
/* we're done, so we can now do whatever the user intended us to do */
rexit(payload->exec_function(payload->exec_payload));
}
++++++ README.SUSE ++++++
To mount the control group file system just run:
/sbin/insserv boot.cgroup
and /sys/fs/cgroup will be mounted for cgroup automatically.
=== lxc-user-nic ===
If you want to use this tool as a user, set the sticky bit by:
# chmod u+s /usr/bin/lxc-user-nic
and update /etc/permissions.local accordingly.
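Review bot: `chmod u+s` sets the setuid bit, not the sticky bit, so the wording should say setuid, and the README should state that this makes lxc-user-nic run with its owner's privileges for any user who can execute it. The path given here, /usr/bin/lxc-user-nic, does not match the spec, which strips the bit from /usr/lib/lxc/lxc-user-nic; point both at the same file.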
++++++ lxc-createconfig.in ++++++
#!/bin/bash
#
# lxc: linux Container library
# Authors:
# Mike Friesenegger <mikef(a)suse.com>
# Daniel Lezcano <daniel.lezcano(a)free.fr>
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
usage() {
echo "usage: lxc-createconfig -n <name> [-i <ipaddr/cidr>] [-b <bridge>] [-t <template]"
}
help() {
usage
echo
echo "creates a lxc container config file which can be in"
echo "turn used by lxc-create to create the lxc system object."
echo
echo "Options:"
echo "name : name of the container"
echo "ipaddr : ip address/cidr of the container"
echo "bridge : bridge device for container (br0 if undefined)"
echo "template : template is an accessible template script (opensuse if undefined)"
}
shortoptions='hn:i:b:t:'
longoptions='help,name:,ipaddr:,bridge:,template:'
lxc_confpath=$HOME
templatedir=@LXCTEMPLATEDIR@
lxc_bridge=br0
lxc_template=opensuse
getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@")
if [ $? != 0 ]; then
usage
exit 1;
fi
eval set -- "$getopt"
while true; do
case "$1" in
-h|--help)
help
exit 1
;;
-n|--name)
shift
lxc_name=$1
lxc_confname=$lxc_name.config
shift
;;
-i|--ipaddr)
shift
lxc_ipaddr=$1
shift
;;
-b|--bridge)
shift
lxc_bridge=$1
shift
;;
-t|--template)
shift
lxc_template=$1
shift
;;
--)
shift
break;;
*)
echo $1
usage
exit 1
;;
esac
done
if [ -z "$lxc_name" ]; then
echo "no container name specified"
usage
exit 1
fi
if [ -f "$lxc_confpath/$lxc_confname" ]; then
echo "'$lxc_confname' already exists"
exit 1
fi
if [ ! -z "$lxc_ipaddr" ]; then
echo $lxc_ipaddr | grep -E '/(([^C9]{0,1}[0-9])|(3[0-2]))$'
if [ $? -ne 0 ]; then
echo "$lxc_ipaddr is missing a cidr"
usage
exit 1
fi
fi
if [ -z "$lxc_ipaddr" ]; then
lxc_ipaddr=DHCP
fi
if [ ! -z $lxc_bridge ]; then
brctl show | grep $lxc_bridge >/dev/null
if [ $? -ne 0 ]; then
echo "$lxc_bridge not defined"
exit 1
fi
fi
if [ ! -z $lxc_template ]; then
type ${templatedir}/lxc-$lxc_template >/dev/null
if [ $? -ne 0 ]; then
echo "unknown template '$lxc_template'"
exit 1
fi
fi
echo
echo "Container Name = " $lxc_name
echo "IP Address = " $lxc_ipaddr
echo "Bridge = " $lxc_bridge
echo
echo -n "Create container config? (n): "
read ANSWER
if [ "$ANSWER" != "y" -a "$ANSWER" != "Y" ]
then
exit 1
fi
echo
echo "Creating container config $lxc_confpath/$lxc_confname"
# generate a MAC for the IP
lxc_hwaddr="02:00:`(date ; cat /proc/interrupts ) | md5sum | sed -r 's/^(.{8}).*$/\1/;s/([0-9a-f]{2})/\1:/g;s/:$//;'`"
cat >"$lxc_confpath/$lxc_confname" <<%%
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = $lxc_bridge
lxc.network.hwaddr = $lxc_hwaddr
%%
if [ ! $lxc_ipaddr = "DHCP" ]; then
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.ipv4 = $lxc_ipaddr
%%
fi
cat >>"$lxc_confpath/$lxc_confname" <<%%
lxc.network.name = eth0
%%
echo
echo "Run 'lxc-create -n $lxc_name -f $lxc_confpath/$lxc_confname -t $lxc_template' to create the lxc system object."
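Review bot: the values taken from -b, -t and -i are expanded unquoted in `[ ! -z $lxc_bridge ]`, `brctl show | grep $lxc_bridge` and `type ${templatedir}/lxc-$lxc_template`, so they undergo word splitting and globbing, are read by grep as a pattern (a bridge name that is a substring of another passes the check), and a template name containing ../ resolves outside @LXCTEMPLATEDIR@. Quote every expansion, match the bridge exactly with something like `grep -qFw -- "$lxc_bridge"`, and reject template names containing a slash. The CIDR check `'/(([^C9]{0,1}[0-9])|(3[0-2]))$'` prints the match to stdout and its `[^C9]` class accepts almost any character before the last digit; `grep -qE '/([0-9]|[12][0-9]|3[0-2])$'` expresses the 0 to 32 range. The usage string is also missing the closing `>` in `<template]`.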
Hello community,
here is the log from the commit of package patchinfo.3899 for openSUSE:13.2:Update checked in at 2015-07-29 10:43:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/patchinfo.3899 (Old)
and /work/SRC/openSUSE:13.2:Update/.patchinfo.3899.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.3899"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
New:
----
_patchinfo
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="3899">
<category>recommended</category>
<rating>moderate</rating>
<packager>sumski</packager>
<summary>Recommended udpate for Qt5, KDE Frameworks 5 and Plasma 5</summary>
<description>This recommended update provides Qt 5.4.2, KDE Frameworks 5.11.0 and Plasma 5.3.2 with various fixes and improvements.
For a detailed description of all changes and fixes please refer to:
Qt5: https://blog.qt.io/blog/2015/06/02/qt-5-4-2-released/
KDE Frameworks 5: https://www.kde.org/announcements/kde-frameworks-5.11.0.php
Plasma 5: https://www.kde.org/announcements/plasma-5.3.2.php</description>
<relogin_needed/>
<issue tracker="kde" id="345797"/>
<issue tracker="kde" id="347817"/>
<issue tracker="kde" id="348212"/>
<issue tracker="kde" id="344525"/>
<issue tracker="bnc" id="931167"/>
<issue tracker="kde" id="344183"/>
<issue tracker="kde" id="346768"/>
<issue tracker="kde" id="332692"/>
<issue tracker="kde" id="341773"/>
<issue tracker="kde" id="343329"/>
<issue tracker="kde" id="345174"/>
<issue tracker="kde" id="346214"/>
<issue tracker="kde" id="346920"/>
<issue tracker="kde" id="342752"/>
<issue tracker="kde" id="345973"/>
<issue tracker="kde" id="346148"/>
<issue tracker="kde" id="348510"/>
<issue tracker="kde" id="347231"/>
<issue tracker="kde" id="342438"/>
<issue tracker="kde" id="344614"/>
<issue tracker="kde" id="347353"/>
<issue tracker="kde" id="343255"/>
<issue tracker="kde" id="346498"/>
<issue tracker="kde" id="341930"/>
<issue tracker="kde" id="343551"/>
<issue tracker="kde" id="348472"/>
<issue tracker="kde" id="346496"/>
<issue tracker="kde" id="345411"/>
<issue tracker="kde" id="346559"/>
<issue tracker="kde" id="344638"/>
<issue tracker="kde" id="338195"/>
<issue tracker="kde" id="340326"/>
<issue tracker="kde" id="345787"/>
<issue tracker="kde" id="347143"/>
<issue tracker="kde" id="347254"/>
<issue tracker="kde" id="342605"/>
<issue tracker="kde" id="345149"/>
<issue tracker="kde" id="345614"/>
<issue tracker="kde" id="345758"/>
<issue tracker="kde" id="346673"/>
<issue tracker="kde" id="346710"/>
<issue tracker="kde" id="346870"/>
<issue tracker="kde" id="348324"/>
</patchinfo>
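Review bot: the <summary> element reads "Recommended udpate"; this string ends up in the published update metadata, so correct the spelling to "update" before release.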
Hello community,
here is the log from the commit of package threadweaver for openSUSE:13.2:Update checked in at 2015-07-29 10:43:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/threadweaver (Old)
and /work/SRC/openSUSE:13.2:Update/.threadweaver.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "threadweaver"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.OTpd9F/_old 2015-07-29 10:43:27.000000000 +0200
+++ /var/tmp/diff_new_pack.OTpd9F/_new 2015-07-29 10:43:27.000000000 +0200
@@ -1 +1 @@
-<link package='threadweaver.3757' cicount='copy' />
+<link package='threadweaver.3899' cicount='copy' />
Hello community,
here is the log from the commit of package systemsettings5 for openSUSE:13.2:Update checked in at 2015-07-29 10:43:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/systemsettings5 (Old)
and /work/SRC/openSUSE:13.2:Update/.systemsettings5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "systemsettings5"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.BZEbSo/_old 2015-07-29 10:43:26.000000000 +0200
+++ /var/tmp/diff_new_pack.BZEbSo/_new 2015-07-29 10:43:26.000000000 +0200
@@ -1 +1 @@
-<link package='systemsettings5.3666' cicount='copy' />
+<link package='systemsettings5.3899' cicount='copy' />
Hello community,
here is the log from the commit of package sonnet for openSUSE:13.2:Update checked in at 2015-07-29 10:43:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/sonnet (Old)
and /work/SRC/openSUSE:13.2:Update/.sonnet.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sonnet"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.iT0Piv/_old 2015-07-29 10:43:23.000000000 +0200
+++ /var/tmp/diff_new_pack.iT0Piv/_new 2015-07-29 10:43:23.000000000 +0200
@@ -1 +1 @@
-<link package='sonnet.3757' cicount='copy' />
+<link package='sonnet.3899' cicount='copy' />
Hello community,
here is the log from the commit of package solid for openSUSE:13.2:Update checked in at 2015-07-29 10:43:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/solid (Old)
and /work/SRC/openSUSE:13.2:Update/.solid.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "solid"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.ZacHGR/_old 2015-07-29 10:43:21.000000000 +0200
+++ /var/tmp/diff_new_pack.ZacHGR/_new 2015-07-29 10:43:21.000000000 +0200
@@ -1 +1 @@
-<link package='solid.3757' cicount='copy' />
+<link package='solid.3899' cicount='copy' />
Hello community,
here is the log from the commit of package powerdevil5 for openSUSE:13.2:Update checked in at 2015-07-29 10:43:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/powerdevil5 (Old)
and /work/SRC/openSUSE:13.2:Update/.powerdevil5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "powerdevil5"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.qX5HIS/_old 2015-07-29 10:43:20.000000000 +0200
+++ /var/tmp/diff_new_pack.qX5HIS/_new 2015-07-29 10:43:20.000000000 +0200
@@ -1 +1 @@
-<link package='powerdevil5.3666' cicount='copy' />
+<link package='powerdevil5.3899' cicount='copy' />