Hello community,
here is the log from the commit of package uid_wrapper for openSUSE:Factory checked in at 2017-07-17 09:02:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/uid_wrapper (Old)
and /work/SRC/openSUSE:Factory/.uid_wrapper.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "uid_wrapper"
Mon Jul 17 09:02:27 2017 rev:6 rq:510083 version:1.2.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/uid_wrapper/uid_wrapper.changes 2016-04-01 13:01:52.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.uid_wrapper.new/uid_wrapper.changes 2017-07-17 09:02:33.920547577 +0200
@@ -1,0 +2,7 @@
+Thu Jul 13 06:54:57 UTC 2017 - asn@cryptomilk.org
+
+- Update to version 1.2.2
+ * Added support for fork'ed and then exec'ed processes
+ * Added support for Alpha
+
+-------------------------------------------------------------------
Old:
----
uid_wrapper-1.2.1.tar.gz
New:
----
uid_wrapper-1.2.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ uid_wrapper.spec ++++++
--- /var/tmp/diff_new_pack.y8LGgc/_old 2017-07-17 09:02:36.180229375 +0200
+++ /var/tmp/diff_new_pack.y8LGgc/_new 2017-07-17 09:02:36.184228812 +0200
@@ -1,7 +1,7 @@
#
# spec file for package uid_wrapper
#
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@
############################# NOTE ##################################
Name: uid_wrapper
-Version: 1.2.1
+Version: 1.2.2
Release: 0
Summary: A wrapper for privilege seperation
++++++ uid_wrapper-1.2.1.tar.gz -> uid_wrapper-1.2.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uid_wrapper-1.2.1/CMakeLists.txt new/uid_wrapper-1.2.2/CMakeLists.txt
--- old/uid_wrapper-1.2.1/CMakeLists.txt 2016-03-16 14:53:33.000000000 +0100
+++ new/uid_wrapper-1.2.2/CMakeLists.txt 2017-07-13 08:41:33.000000000 +0200
@@ -8,7 +8,7 @@
set(APPLICATION_VERSION_MAJOR "1")
set(APPLICATION_VERSION_MINOR "2")
-set(APPLICATION_VERSION_PATCH "1")
+set(APPLICATION_VERSION_PATCH "2")
set(APPLICATION_VERSION "${APPLICATION_VERSION_MAJOR}.${APPLICATION_VERSION_MINOR}.${APPLICATION_VERSION_PATCH}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uid_wrapper-1.2.1/ChangeLog new/uid_wrapper-1.2.2/ChangeLog
--- old/uid_wrapper-1.2.1/ChangeLog 2016-03-16 14:53:22.000000000 +0100
+++ new/uid_wrapper-1.2.2/ChangeLog 2017-07-13 08:41:33.000000000 +0200
@@ -1,6 +1,10 @@
ChangeLog
==========
+version 1.2.2 (released 2107-07-13)
+ * Added support for fork'ed and then exec'ed processes
+ * Added support for Alpha
+
version 1.2.1 (released 2016-03-16)
* Documented missing options.
* Fixed a comipilation issue with -O3.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uid_wrapper-1.2.1/src/uid_wrapper.c new/uid_wrapper-1.2.2/src/uid_wrapper.c
--- old/uid_wrapper-1.2.1/src/uid_wrapper.c 2016-02-17 17:15:13.000000000 +0100
+++ new/uid_wrapper-1.2.2/src/uid_wrapper.c 2017-07-13 08:41:33.000000000 +0200
@@ -407,6 +407,13 @@
if (handle != NULL) {
break;
}
+
+ /* glibc on Alpha and IA64 is libc.so.6.1 */
+ snprintf(soname, sizeof(soname), "libc.so.%d.1", i);
+ handle = dlopen(soname, flags);
+ if (handle != NULL) {
+ break;
+ }
}
uwrap.libc.handle = handle;
@@ -808,6 +815,66 @@
* UWRAP ID HANDLING
*********************************************************/
+#define GROUP_STRING_SIZE 16384
+
+/**
+ * This function exports all the IDs of the current user so if
+ * we fork and then exec we can setup uid_wrapper in the new process
+ * with those IDs.
+ */
+static void uwrap_export_ids(struct uwrap_thread *id)
+{
+ char groups_str[GROUP_STRING_SIZE] = {0};
+ size_t groups_str_size = sizeof(groups_str);
+ char unsigned_str[32] = {0};
+ int i;
+
+ /* UIDS */
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ruid);
+ setenv("UID_WRAPPER_INITIAL_RUID", unsigned_str, 1);
+
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->euid);
+ setenv("UID_WRAPPER_INITIAL_EUID", unsigned_str, 1);
+
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->suid);
+ setenv("UID_WRAPPER_INITIAL_SUID", unsigned_str, 1);
+
+ /* GIDS */
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->rgid);
+ setenv("UID_WRAPPER_INITIAL_RGID", unsigned_str, 1);
+
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->egid);
+ setenv("UID_WRAPPER_INITIAL_EGID", unsigned_str, 1);
+
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->sgid);
+ setenv("UID_WRAPPER_INITIAL_SGID", unsigned_str, 1);
+
+ /* GROUPS */
+ snprintf(unsigned_str, sizeof(unsigned_str), "%u", id->ngroups);
+ setenv("UID_WRAPPER_INITIAL_GROUPS_COUNT", unsigned_str, 1);
+
+ for (i = 0; i < id->ngroups; i++) {
+ size_t groups_str_len = strlen(groups_str);
+ size_t groups_str_avail = groups_str_size - groups_str_len;
+ size_t len;
+
+ len = snprintf(unsigned_str, sizeof(unsigned_str), ",%u", id->groups[i]);
+ if (len <= 1) {
+ continue;
+ }
+ if (len < groups_str_avail) {
+ snprintf(groups_str + groups_str_len,
+ groups_str_size - groups_str_len,
+ "%s",
+ i == 0 ? unsigned_str + 1 : unsigned_str);
+ }
+ }
+
+ if (id->ngroups > 0) {
+ setenv("UID_WRAPPER_INITIAL_GROUPS", groups_str, 1);
+ }
+}
+
static void uwrap_thread_prepare(void)
{
struct uwrap_thread *id = uwrap_tls_id;
@@ -852,6 +919,8 @@
return;
}
+ uwrap_export_ids(id);
+
/*
* "Garbage collector" - Inspired by DESTRUCTOR.
* All threads (except one which called fork()) are dead now.. Dave
@@ -877,6 +946,105 @@
UWRAP_UNLOCK_ALL;
}
+/*
+ * This initializes uid_wrapper with the IDs exported to the environment. Those
+ * are normally set after we forked and executed.
+ */
+static void uwrap_init_env(struct uwrap_thread *id)
+{
+ const char *env;
+ int ngroups = 0;
+
+ env = getenv("UID_WRAPPER_INITIAL_RUID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize ruid with %s", env);
+ id->ruid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_RUID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_EUID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize euid with %s", env);
+ id->euid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_EUID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_SUID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize suid with %s", env);
+ id->suid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_SUID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_RGID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initialize ruid with %s", env);
+ id->rgid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_RGID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_EGID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize egid with %s", env);
+ id->egid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_EGID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_SGID");
+ if (env != NULL && env[0] != '\0') {
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize sgid with %s", env);
+ id->sgid = strtoul(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_SGID");
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_GROUPS_COUNT");
+ if (env != NULL && env[0] != '\0') {
+ ngroups = strtol(env, (char **)NULL, 10);
+ unsetenv("UID_WRAPPER_INITIAL_GROUPS_COUNT");
+ }
+
+ if (ngroups > 0) {
+ int i = 0;
+
+ id->ngroups = 0;
+
+ free(id->groups);
+ id->groups = malloc(sizeof(gid_t) * ngroups);
+ if (id->groups == NULL) {
+ UWRAP_LOG(UWRAP_LOG_ERROR,
+ "Unable to allocate memory");
+ exit(-1);
+ }
+
+ env = getenv("UID_WRAPPER_INITIAL_GROUPS");
+ if (env != NULL && env[0] != '\0') {
+ char *groups_str = NULL;
+ char *saveptr = NULL;
+ const char *p = NULL;
+
+ groups_str = strdup(env);
+ if (groups_str == NULL) {
+ exit(-1);
+ }
+
+ p = strtok_r(groups_str, ",", &saveptr);
+ while (p != NULL) {
+ id->groups[i] = strtol(p, (char **)NULL, 10);
+ i++;
+
+ p = strtok_r(NULL, ",", &saveptr);
+ }
+ }
+
+ if (i != ngroups) {
+ exit(-1);
+ }
+
+ UWRAP_LOG(UWRAP_LOG_DEBUG, "Initalize groups with %s", env);
+ id->ngroups = ngroups;
+ }
+}
+
static void uwrap_init(void)
{
const char *env;
@@ -965,6 +1133,8 @@
}
}
+ uwrap_init_env(id);
+
id->enabled = true;
UWRAP_LOG(UWRAP_LOG_DEBUG,
@@ -1894,7 +2064,11 @@
switch (sysno) {
/* gid */
+#ifdef __alpha__
+ case SYS_getxgid:
+#else
case SYS_getgid:
+#endif
#ifdef HAVE_LINUX_32BIT_SYSCALLS
case SYS_getgid32:
#endif
@@ -1963,7 +2137,11 @@
#endif /* SYS_getresgid && HAVE_GETRESGID */
/* uid */
+#ifdef __alpha__
+ case SYS_getxuid:
+#else
case SYS_getuid:
+#endif
#ifdef HAVE_LINUX_32BIT_SYSCALLS
case SYS_getuid32:
#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uid_wrapper-1.2.1/tests/CMakeLists.txt new/uid_wrapper-1.2.2/tests/CMakeLists.txt
--- old/uid_wrapper-1.2.1/tests/CMakeLists.txt 2015-10-30 13:42:00.000000000 +0100
+++ new/uid_wrapper-1.2.2/tests/CMakeLists.txt 2017-07-13 08:41:33.000000000 +0200
@@ -21,6 +21,8 @@
add_definitions(-DBSD)
endif (BSD)
+add_executable(mock_exec_uid mock_exec_uid.c)
+
set(UWRAP_UID_TESTS
test_setuid
test_seteuid)
@@ -32,7 +34,7 @@
if (HAVE_SETRESUID)
list(APPEND UWRAP_UID_TESTS test_setresuid test_setuid_euid1 test_setuid_euid2)
if (HAVE_GETRESUID)
- list(APPEND UWRAP_UID_TESTS test_getresuid)
+ list(APPEND UWRAP_UID_TESTS test_getresuid test_fork_exec)
endif (HAVE_GETRESUID)
endif (HAVE_SETRESUID)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/uid_wrapper-1.2.1/tests/mock_exec_uid.c new/uid_wrapper-1.2.2/tests/mock_exec_uid.c
--- old/uid_wrapper-1.2.1/tests/mock_exec_uid.c 1970-01-01 01:00:00.000000000 +0100
+++ new/uid_wrapper-1.2.2/tests/mock_exec_uid.c 2017-07-13 08:41:33.000000000 +0200
@@ -0,0 +1,157 @@
+#include "config.h"
+
+#include