commit permissions.17695 for openSUSE:Leap:15.3:Update
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package permissions.17695 for openSUSE:Leap:15.3:Update checked in at 2022-10-22 12:01:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.3:Update/permissions.17695 (Old) and /work/SRC/openSUSE:Leap:15.3:Update/.permissions.17695.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "permissions.17695" Sat Oct 22 12:01:41 2022 rev:1 rq:1010216 version:20200127 Changes: -------- New Changes file: --- /dev/null 2022-09-22 01:15:49.935626371 +0200 +++ /work/SRC/openSUSE:Leap:15.3:Update/.permissions.17695.new.2275/permissions.changes 2022-10-22 12:01:42.122598939 +0200 
@@ -0,0 +1,1967 @@ +------------------------------------------------------------------- +Tue Oct 11 11:44:00 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20200127: + * fix regression introduced by backport of security fix (bsc#1203911) + +------------------------------------------------------------------- +Wed Sep 14 08:42:37 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20200127: + * chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252) + +------------------------------------------------------------------- +Fri Jul 15 10:49:24 UTC 2022 - matthias.gerstner@suse.com + +- Update to version 20200127: + * postfix: add postlog setgid for maildrop binary (bsc#1201385) + +------------------------------------------------------------------- +Thu Dec 09 09:52:44 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20200127: + * base this fork on a SLE-15-SP3 branch instead of on the Factory branch. + The Factory branch contains too many unknowns for the far-off Leap 15.3 + codebase. 
+ * add a couple of cleanup changes that we can on Leap 15.3: + - etc/permissions: remove unnecessary static dirs and devices + - etc/permissions: remove legacy RPM directory entries + - etc/permissions: remove outdated sudo directories + +------------------------------------------------------------------- +Wed Nov 17 10:36:46 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20200127: + * Makefile: Leap 15.3 still uses /etc, so adjust the installation setup + +------------------------------------------------------------------- +Tue Nov 16 10:33:04 UTC 2021 - matthias.gerstner@suse.com + +- Update to version 20181225: + * mgetty: faxq-helper now finally reside in /usr/libexec + * libksysguard5: Updated path for ksgrd_network_helper + * kdesu: Updated path for kdesud + * sbin_dirs cleanup: these binaries have already been moved to /usr/sbin + * mariadb: revert auth_pam_tool to /usr/lib{,64} again + * cleanup: revert virtualbox back to plain /usr/lib + * cleanup: remove deprecated /etc/ssh/sshd_config + * hawk_invoke is not part of newer hawk2 packages anymore + * cleanup: texlive-filesystem: public now resides in libexec + * cleanup: authbind: helper now resides in libexec + * cleanup: polkit: the agent now also resides in libexec + * libexec cleanup: 'inn' news binaries now reside in libexec + * whitelist please (bsc#1183669) + * Fix enlightenment paths + * usbauth: drop compatibility variable for libexec + * usbauth: Updated path for usbauth-npriv + * profiles: finish usage of variable for polkit-agent-helper-1 + * Makefile: fix custom flags support when using make command line variables + * added information about know limitations of this approach + * Makefile: compile with LFO support to fix 32-bit emulation on 64-bit hosts (bsc#1178476) + * Makefile: support CXXFLAGS and LDFLAGS override / extension via make/env variables (bsc#1178475) + * profiles: prepare /usr/sbin versions of profile entries (bsc#1029961) + * profiles: use new variables feature to 
remove redundant entries + * profiles: remove now superfluous squid pinger paths (bsc#1171569) + * tests: implement basic tests for new the new variable feature + * tests: avoid redundant specification of test names by using class names + * regtests: split up base types and actual test implementation + * man pages: add documentation about variables, update copyrights + * chkstat: implement support for variables in profile paths + * chkstat: prepare reuse of config file locations + * chkstat: fix some typos and whitespace + * etc/permissions: remove unnecessary, duplicate, outdated entries + * etc/permissions: remove trailing whitespace + * ksgrd_network_helper: remove obviously wrong path + * adjust squid pinger path (bsc#1171569) + * mgetty: remove long dead (or never existing) locks directory (bsc#1171882) + * squid: remove basic_pam_auth which doesn't need special perms (bsc#1171569) + * cleanup now useless /usr/lib entries after move to /usr/libexec (bsc#1171164) + * drop (f)ping capabilities in favor of ICMP_PROTO sockets (bsc#1174504) + * whitelist Xorg setuid-root wrapper (bsc#1175867) + * screen: remove /run/uscreens covered by systemd-tmpfiles (bsc#1171879) + * Add /usr/libexec for cockpit-session as new path + * physlock: whitelist with tight restrictions (bsc#1175720) + * mtr-packet: stop requiring dialout group + * etc/permissions: fix mtr permission + * list_permissions: improve output format + * list_permissions: support globbing in --path argument + * list_permissions: implement simplifications suggested in PR#92 + * list_permissions: new tool for better path configuration overview + * regtest: support new getcap output format in libcap-2.42 + * regtest: print individual test case errors to stderr + * etc/permissions: remove static /var/spool/* dirs + * etc/permissions: remove outdated entries + * etc/permissions: remove unnecessary static dirs and devices + * screen: remove now unused /var/run/uscreens + * Revert "etc/permissions: remove entries for 
bind-chrootenv" + * rework permissions.local text (boo#1173221) + * dbus-1: adjust to new libexec dir location (bsc#1171164) + * permission profiles: reinstate kdesud for kde5 + * etc/permissions: remove entries for bind-chrootenv + * etc/permissions: remove traceroute entry + * VirtualBox: remove outdated entry which is only a symlink any more + * /bin/su: remove path refering to symlink + * etc/permissions: remove legacy RPM directory entries + * /etc/permissions: remove outdated sudo directories + * singularity: remove outdated setuid-binary entries + * chromium: remove now unneeded chrome_sandbox entry (bsc#1163588) + * dbus-1: remove deprecated alternative paths + * PolicyKit: remove outdated entries last used in SLE-11 + * pcp: remove no longer needed / conflicting entries + * gnats: remove entries for package removed from Factory + * kdelibs4: remove entries for package removed from Factory + * v4l-base: remove entries for package removed from Factory + * mailman: remove entries for package deleted from Factory + * gnome-pty-helper: remove dead entry no longer part of the vte package + * gnokii: remove entries for package no longer in Factory + * xawtv (v4l-conf): correct group ownership in easy profile + * systemd-journal: remove unnecessary profile entries + * thttp: make makeweb entry usable in the secure profile (bsc#1171580) + * profiles: add entries for enlightenment (bsc#1171686) + * permissions fixed profile: utempter: reinstate libexec compatibility entry + * chkstat: fix sign conversion warnings on non 32-bit architectures + * chkstat: allow simultaneous use of `--set` and `--system` + * regtest: adjust TestUnkownOwnership test to new warning output behaviour + * whitelist texlive public binary (bsc#1171686) + * fixed permissions: adjust to new libexec dir location (bsc#1171164) + * chkstat: don't print warning about unknown user/group by default + * Makefile: link with --as-needed, move libs to the end of the command line + * setuid bit for 
cockpit (bsc#1169614) + * Fix paranoid mode for newgidmap and newuidmap (boo#1171173) + * chkstat: collectProfilePaths(): use directory_iterator to simplify code + * chkstat: collectProfilePaths(): prefer /usr over /etc + * regtest: add relative symlink corner case to TestSymlinkBehaviour + * Chkstat::parseProfile(): avoid use of raw pointer + * parseSysconfig(): only emmit warning if value is non-empty + * incorporate a bunch of PR #56 review comments + * regtest: add test for correct ownership change + * chkstat: final pass over refactored code + * chkstat: finish refactoring of safeOpen() + * chkstat: improve/fix output of mismatches + * chkstat: support numerical owner/group specification in profiles + * chkstat: safeOpen: simplify path handling by using a std::string + * chkstat regtest: support debug build + * chkstat: start refactoring of safe_open() -> safeOpen() + * chkstat: processEntries: pull out change logic into applyChanges() + * chkstat: processEntries: pull out safety check logic + * chkstat: processEntries: separate printing code and simplify ownership flags + * chkstat: processEntries: also add file_status and *_ok flags to EntryContext + * chkstat: processEntries: also add caps to EntryContext + * chkstat: also move fd_path into EntryContext + * chkstat: processEntries(): introduce EntryContext data structure + * chkstat: introduce class type to deal with capabilities + * chkstat: overhaul of the main entry processing loop + * chkstat: smaller cleanup of Chkstat::run() + * chkstat: remove last global variables `root` and `rootl` + * chkstat: refactor parsing of permission profiles + * chkstat: replace global `permlist` by STL map + * chkstat: remove now obsolete usage() function + * chkstat: refactor collection of permission files + * regtest: support --after-test-enter-shell + * chkstat: change global euid variable into const class member + * chkstat: replace global level, nlevel by a vector data structure + * chkstat: refactor 
check_fscaps_enabled() + * chkstat: refactor parse_sysconfig as a member function Chkstat::parseSysconfig + * chkstat: introduce separate processArguments() and refactor --files logic + * chkstat: replace C style chkecklist by std::set + * chkstat: refactor command line parsing + * allow /usr/libexec in addition to /usr/lib (bsc#1171164) + * whitelist s390-tools setgid bit on log directory (bsc#1167163) + * whitelist WMP (bsc#1161335) + * regtest: improve readability of path variables by using literals + * regtest: adjust test suite to new path locations in /usr/share/permissions + * regtest: only catch explicit FileNotFoundError + * regtest: provide valid home directory in /root + * regtest: mount permissions src repository in /usr/src/permissions + * regtest: move initialialization of TestBase paths into the prepare() function + * chkstat: suppport new --config-root command line option + * fix spelling of icingacmd group + * chkstat: fix readline() on platforms with unsigned char + * remove capability whitelisting for radosgw + * whitelist ceph log directory (bsc#1150366) + * adjust testsuite to post CVE-2020-8013 link handling + * testsuite: add option to not mount /proc + * do not follow symlinks that are the final path element: CVE-2020-8013 + * add a test for symlinked directories + * fix relative symlink handling + * include cpp compat headers, not C headers + * Move permissions and permissions.* except .local to /usr/share/permissions + * regtest: fix the static PATH list which was missing /usr/bin + * regtest: also unshare the PID namespace to support /proc mounting + * regtest: bindMount(): explicitly reject read-only recursive mounts + * Makefile: force remove upon clean target to prevent bogus errors + * regtest: by default automatically (re)build chkstat before testing + * regtest: add test for symlink targets + * regtest: make capability setting tests optional + * regtest: fix capability assertion helper logic + * regtests: add another test case that 
catches set*id or caps in world-writable sub-trees ++++ 1770 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.3:Update/.permissions.17695.new.2275/permissions.changes New: ---- _service _servicedata permissions-20200127.tar.xz permissions.changes permissions.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ permissions.spec ++++++ # # spec file for package permissions # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: permissions Version: 20200127 Release: 0 Summary: SUSE Linux Default Permissions # Maintained in github by the security team. License: GPL-2.0+ Group: Productivity/Security Url: http://github.com/openSUSE/permissions Source: permissions-%{version}.tar.xz BuildRequires: libcap-devel BuildRequires: python3 #!BuildIgnore: group(trusted) Requires(post): %fillup_prereq Requires(pre): group(trusted) Provides: aaa_base:%{_sysconfdir}/permissions %description Permission settings of files and directories depending on the local security settings. The local security setting (easy, secure, or paranoid) can be configured in /etc/sysconfig/security. 
%prep %setup -q %build make %{?_smp_mflags} CFLAGS="-W -Wall %{optflags}" FSCAPS_DEFAULT_ENABLED=0 %install %make_install fillupdir=%{_fillupdir} %check # we can't test with sanitizers in SLE15, compiler is too old for some of them tests/regtest.py --skip-make %post %{fillup_only -n security} # apply all potentially changed permissions %{_bindir}/chkstat --system %files %config %{_sysconfdir}/permissions %config %{_sysconfdir}/permissions.easy %config %{_sysconfdir}/permissions.secure %config %{_sysconfdir}/permissions.paranoid %config(noreplace) %{_sysconfdir}/permissions.local %{_bindir}/chkstat %{_mandir}/man5/permissions.5%{ext_man} %{_mandir}/man8/chkstat.8%{ext_man} %{_fillupdir}/sysconfig.security %package -n permissions-zypp-plugin BuildArch: noarch Requires: permissions = %version Requires: python3-zypp-plugin Requires: libzypp(plugin:commit) = 1 Summary: A zypper commit plugin for calling chkstat Group: Productivity/Security %description -n permissions-zypp-plugin This package contains a plugin for zypper that calls `chkstat --system` after new packages have been installed. This is helpful for maintaining custom entries in /etc/permissions.local. 
%files -n permissions-zypp-plugin %dir /usr/lib/zypp %dir /usr/lib/zypp/plugins %dir /usr/lib/zypp/plugins/commit /usr/lib/zypp/plugins/commit/permissions.py %changelog ++++++ _service ++++++ <services> <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/openSUSE/permissions.git</param> <param name="scm">git</param> <param name="versionformat">20200127</param> <param name="changesgenerate">enable</param> <param name="revision">Leap-15.3</param> </service> <service name="recompress" mode="disabled"> <param name="file">*.tar</param> <param name="compression">xz</param> </service> </services> ++++++ _servicedata ++++++ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/permissions.git</param> <param name="changesrevision">19ddeda4ab3788b59df6273415f9ba55a82a56fc</param></service></servicedata> (No newline at EOF)
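Review bot: The top permissions.changes entry (Tue Oct 11 2022) reads only "fix regression introduced by backport of security fix (bsc#1203911)" and does not say which backport regressed or what behaviour broke. The entry directly below it is the chkstat change for bsc#1203018 / CVE-2022-31252; if that is the backport meant, name it in the entry and say in one phrase what chkstat did wrong in between, so an admin reading the changelog can tell whether a system that installed the September update needs `chkstat --system` re-run after this one.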
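Review bot: In _service, `versionformat` is pinned to the literal 20200127, and as a result the five newest permissions.changes entries (Nov 2021 through Oct 2022) all read "Update to version 20200127", including the CVE-2022-31252 fix and its follow-up regression fix. The Version field therefore cannot tell a fixed source tree from an unfixed one; only `changesrevision` in _servicedata (19ddeda4ab3788b59df6273415f9ba55a82a56fc) identifies what was packaged. Consider a versionformat that includes the commit date or abbreviated hash of the Leap-15.3 branch head, or at least cite the revision in each changes entry.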
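Review bot: In permissions.spec, `Url: http://github.com/openSUSE/permissions` and the "submit bugfixes" comment use plain http, while _service fetches the same repository from https://github.com/openSUSE/permissions.git; switch the Url to https so the package metadata points at the location the source is actually pulled from. Separately, `License: GPL-2.0+` uses the older identifier form; the current SPDX spelling is GPL-2.0-or-later.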