Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2018-04-30 22:52:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Mon Apr 30 22:52:21 2018 rev:115 rq:601632 version:4.2.8p11 Changes: --------
--- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2018-04-01 17:25:25.009929455 +0200
+++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2018-04-30 22:52:22.670824669 +0200
@@ -1,0 +2,7 @@
+Tue Apr 24 10:19:39 UTC 2018 - max@suse.com
+
+- Refactor the key handling in %post so that it does not overwrite
+ user settings (bsc#1036505) and is more robust against ignored
+ SIGPIPE (bsc#1090564).
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------ ++++++ ntp.spec ++++++
--- /var/tmp/diff_new_pack.sK2oza/_old 2018-04-30 22:52:23.574791686 +0200
+++ /var/tmp/diff_new_pack.sK2oza/_new 2018-04-30 22:52:23.578791540 +0200
@@ -83,6 +83,8 @@
 Requires(pre): %{_bindir}/diff
 Requires(pre): %{_bindir}/grep
 Requires(pre): pwdutils
+Requires(post): /usr/bin/base64
+Requires(post): /usr/bin/gawk
 Suggests: logrotate
 Provides: ntp-daemon
 Provides: xntp = %{version}
@@ -273,38 +275,87 @@ fi %post -# Create ntp.keys file -if [ ! -f /etc/ntp.keys ]; then + +getntpconf() { + # Get the value of a single-value ntp.conf directive, first match wins. + awk 'NF >= 2 && $1 == option { print $2; exit } ' "option=$1" $NTPCONF +} + +keyexists() { + # Check whether a key with the given ID exists in the ntp keys file. + awk '$1 == keyno {found = 1} END {exit !found}' "keyno=$1" $KEYSFILE +} + +add_trustedkey() { + # Merge the given key ID into the trustedkey directive. + # Add the directive if it does not yet exist. + FILE=$(mktemp -p /etc) + gawk ' + NF >= 2 && $1 == "trustedkey" { + n = split($0, a) + for (i = 1; i <= n; i++) { + if (a[i] == newkey) newkey = ""; + if (a[i] ~ /^#/ && newkey) { + $(++j) = newkey; newkey = "" + } + $(++j) = a[i]; + } + if (newkey) { $(++j) = newkey; newkey = "" } + } + { print } + ENDFILE { + if (newkey) { print "trustedkey", newkey } + } + ' "newkey=$1" $NTPCONF > $FILE + if ! cmp --quiet $FILE $NTPCONF; then + cat $FILE > $NTPCONF + fi + rm $FILE +} + +NTPCONF=/etc/ntp.conf +KEYSFILE=$(getntpconf keys) +if test -z "$KEYSFILE"; then + KEYSFILE=/etc/ntp.keys + echo "keys $KEYSFILE" >> $NTPCONF +fi + +if [ ! -f $KEYSFILE ]; then FILE=$(mktemp -p /etc) chmod 0640 $FILE chown root:ntp $FILE - mv $FILE /etc/ntp.keys + mv $FILE $KEYSFILE fi -# Make sure we have a key with ID 1, because it is needed -# by the startup scripts. -if awk '$1 == "1" {exit 1}' /etc/ntp.keys; then - KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20) - echo "1 SHA1 $KEY" >> /etc/ntp.keys -fi -# Are we in update mode? 
-if [ -f /etc/sysconfig/ntp ]; then - grep -q '^keys /etc/ntp.keys' /etc/ntp.conf || { - echo "# -# Authentication stuff -# -keys /etc/ntp.keys # path for keys file -trustedkey 1 # define trusted keys -requestkey 1 # key (7) for accessing server variables -" >> /etc/ntp.conf -} + +CONTROLKEY=$(getntpconf controlkey) +REQUESTKEY=$(getntpconf requestkey) + +if test -z "$CONTROLKEY"; then + if -n "$REQUESTKEY"; then + CONTROLKEY=$REQUESTKEY + else + for (( CONTROLKEY = 1; CONTROLKEY < 65535; CONTROLKEY++ )); do + keyexists $CONTROLKEY || break + done + fi + echo "controlkey $CONTROLKEY" >> $NTPCONF fi -if [ -f /etc/sysconfig/ntp ]; then - grep -q '^controlkey ' /etc/ntp.conf || { - echo "# -controlkey 1 # key (6) for accessing server variables - " >> /etc/ntp.conf -} + +if test -z "$REQUESTKEY"; then + REQUESTKEY=$CONTROLKEY; + echo "requestkey $REQUESTKEY" >> $NTPCONF fi + +for KEYNO in $REQUESTKEY $CONTROLKEY; do + if ! keyexists $KEYNO; then + KEY=$(head -c 15 /dev/urandom | base64) + echo "$KEYNO SHA1 $KEY" >> $KEYSFILE + fi +done + +add_trustedkey $REQUESTKEY +add_trustedkey $CONTROLKEY + # update from previous permissions if [ -f %{_sysconfdir}/ntp.conf ]; then chown root:ntp %{_sysconfdir}/ntp.conf
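Review bot: The inner condition `if -n "$REQUESTKEY"; then` in the new controlkey block is missing `test`, so the shell tries to run a command named `-n`, that fails, and the else branch always runs; an existing `requestkey` is then never reused as `controlkey`, and a new key ID is allocated, given a generated key and merged into `trustedkey` instead. It should read `if test -n "$REQUESTKEY"; then`. In `add_trustedkey` the gawk counter `j` is never reset, so if ntp.conf holds more than one `trustedkey` line the second one would be rewritten starting at the field offset left over from the first; `j = 0` as the first statement of that rule avoids it. The key-generation loop also appends `"$KEYNO SHA1 $KEY"` without checking that `head -c 15 /dev/urandom | base64` produced anything, so a non-empty check on `$KEY` before the `echo` would keep an empty key out of the keys file.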