[Pkg-freeipa-devel] [Git][freeipa-team/oddjob][master] 22 commits: Add a README for pagure

Timo Aaltonen gitlab at salsa.debian.org
Mon Jun 1 20:21:42 BST 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / oddjob


Commits:
858fff45 by Nalin Dahyabhai at 2017-02-07T18:25:07-05:00
Add a README for pagure

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
7b5f63cc by Nalin Dahyabhai at 2017-02-26T01:37:33-05:00
Change how prepend_user_name interacts with args

Change how the prepend_user_name attribute interacts with arguments that
are to be passed to the helper - the calling user's name is still
prepended to the list of arguments received in the D-Bus request, but
now arguments included in the helper configuration are prepended first,
so the order is now:
  ["helper" binary] ["helper" command line args] [user name] [args from request]

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
5112d316 by Nalin Dahyabhai at 2017-02-26T01:41:11-05:00
Try to better document arguments in helper "exec"

Try to be more explicit about helper node "exec" attributes being able
to include arguments, and add an example of it to the oddjobd.conf(5)
man page.  Prompted by out of band conversation with Johannes Kastl.

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
59f6a1d8 by Nalin Dahyabhai at 2017-02-26T02:00:30-05:00
Docs and .spec updates

Resync .spec file with Fedora.
Update "prepend_user_name" behavior to be less surprising when used in
combination with "argument_passing_method" set to "cmdline".

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
720211bb by Orion Poplawski at 2019-05-08T09:01:19-06:00
Change /var/run -> /run in systemd service file

Signed-off-by: Orion Poplawski <orion at nwra.com>

- - - - -
3e26e372 by Alexander Bokovoy at 2019-10-08T12:24:41+03:00
Only process SELinux contexts if SELinux is not disabled

When operating under SELinux disabled, do not try to retrieve SELinux
context of the D-Bus sender because it will fail with a D-Bus error
message that confuses users in the logs and breaks operations.

Resolves: rhbz#1578150
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9648f39b by Alexander Bokovoy at 2019-10-08T12:31:54+03:00
Remove reference to selinux/flask.h

- - - - -
f7aedc45 by Timo Aaltonen at 2020-03-30T16:52:56+03:00
Merge branch 'upstream'

- - - - -
b376a165 by Timo Aaltonen at 2020-03-30T16:53:55+03:00
bump the version

- - - - -
10b8aaa1 by Nalin Dahyabhai at 2020-05-07T18:43:54+00:00
CVE-2020-10737: defer setting permissions on newly-created home directories

mkhomedir: add a patch from Matthias Gerstner of the SUSE security team
to defer setting permissions on newly-created home directories until
after we've finished populating them, to prevent possible interference
and attacks from the user who will eventually be given access to the new
home directory, while it's still being populated (CVE-2020-10737).

Author: Matthias Gerstner
Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
be691e6f by Nalin Dahyabhai at 2020-05-07T14:56:01-04:00
tag 0.34.5

- Update our copy of the .spec file to match Fedora's.
- Update REPOSITORY in the top-level Makefile to point to pagure.io
  instead of guessing based on the "remote" git repo, which with pagure
  can be a fork.
- Bump version to 0.34.5.

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
bfc35f37 by Nalin Dahyabhai at 2020-05-07T19:09:11+00:00
Merge #3 `Change /var/run -> /run in systemd service file`

- - - - -
a4bfc81f by Nalin Dahyabhai at 2020-05-07T19:09:38+00:00
Relicense buffer.h

Overlooked this when correcting the license for buffer.c in 2007.

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
aec160b3 by Nalin Dahyabhai at 2020-05-07T15:14:38-04:00
tag 0.34.6

Signed-off-by: Nalin Dahyabhai <nalin at redhat.com>

- - - - -
8eb34579 by Timo Aaltonen at 2020-06-01T19:32:55+03:00
Merge branch 'upstream'

- - - - -
85abb694 by Timo Aaltonen at 2020-06-01T19:45:19+03:00
bump the version

- - - - -
6cc9565d by Timo Aaltonen at 2020-06-01T20:08:28+03:00
watch: Updated.

- - - - -
d831a2e8 by Timo Aaltonen at 2020-06-01T21:19:22+03:00
dont-run-dbus-launch.diff, control, rules: Run dbus-daemon directly for tests, depend on dbus instead of dbus-x11, and enable tests. (Closes: #836119)

- - - - -
7ef2fc52 by Timo Aaltonen at 2020-06-01T21:19:45+03:00
source/options: Add README.md to diff-ignore.

- - - - -
4115d14d by Timo Aaltonen at 2020-06-01T22:18:05+03:00
Migrate to debhelper-compat, bump to 12.

- - - - -
2d2e2137 by Timo Aaltonen at 2020-06-01T22:19:58+03:00
Bump policy to 4.5.0, update urls.

- - - - -
86f18680 by Timo Aaltonen at 2020-06-01T22:20:19+03:00
releasing package oddjob version 0.34.6-1

- - - - -


22 changed files:

- Makefile.am
- + README.md
- configure.ac
- debian/changelog
- − debian/compat
- debian/control
- debian/copyright
- debian/oddjob-mkhomedir.install
- debian/oddjob.install
- + debian/patches/dont-run-dbus-launch.diff
- + debian/patches/series
- debian/rules
- + debian/source/options
- debian/watch
- oddjob.spec
- scripts/oddjobd.service.in
- src/buffer.h
- src/mkhomedir.c
- src/oddjob_dbus.c
- src/oddjob_dbus.h
- src/oddjobd.c
- src/oddjobd.conf.5.in


Changes:

=====================================
Makefile.am
=====================================
@@ -1,6 +1,7 @@
 SUBDIRS = src scripts python sample tests doc
 EXTRA_DIST = oddjob.spec oddjobconfig.dtd.in QUICKSTART TODO doc/oddjob.html
 
+ACLOCAL_AMFLAGS = -I m4
 CONFIGURE_DEPENDENCIES = $(top_srcdir)/oddjob.spec
 
 VERSION=$(shell grep ^Version: $(top_srcdir)/oddjob.spec | awk '{print $$NF}')
@@ -16,7 +17,7 @@ tag: compare_versions
 force-tag: compare_versions
 	git tag -f $(TAG)
 
-REPOSITORY=$(shell git config remote.origin.url 2> /dev/null || /bin/pwd)
+REPOSITORY=ssh://git@pagure.io/oddjob.git
 ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
 
 archive:


=====================================
README.md
=====================================
@@ -0,0 +1,25 @@
+oddjob
+======
+ 
+The **oddjobd** service receives requests to do things over the
+[D-Bus](http://www.freedesktop.org/wiki/Software/dbus) system bus.  Depending
+on whether or not the requesting user is authorized to have **oddjobd** do what
+it asked, the daemon will spawn a helper process to actually do the work.  When
+the helper exits, **oddjobd** collects its output and exit status and sends
+them back to the original requester. 
+ 
+It's kind of like [CGI](http://en.wikipedia.org/wiki/Common_Gateway_Interface),
+except it's for D-Bus instead of a web server. 
+ 
+Documentation
+=============
+The [original docs](https://pagure.io/oddjob/raw/master/f/doc/oddjob.html) are
+brief but comprehensive.  And there's always a [to-do
+list](https://pagure.io/oddjob/blob/master/f/TODO).
+ 
+Get It!
+=======
+The current release is stable.  Go ahead and
+[download](https://releases.pagure.org/oddjob/) it and give it a go.  The
+_oddjob_ package is also available in prepackaged form in Fedora and recent
+releases of your friendly neighborhood Enterprise Linux.
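
Review bot: several added lines carry trailing whitespace (the blank lines rendered as "+ " and the ends of "them back to the original requester. " and "except it's for D-Bus instead of a web server. "); strip it before merging. The three plain http:// links (freedesktop.org, wikipedia.org) could also be https://, matching the pagure.io links further down.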


=====================================
configure.ac
=====================================
@@ -1,4 +1,4 @@
-AC_INIT(oddjob,0.34.3)
+AC_INIT(oddjob,0.34.4)
 AC_PREREQ(2.59)
 PACKAGE_NAME_CAPS=`echo $PACKAGE_NAME | tr '[a-z]' '[A-Z]'`
 AC_DEFINE_UNQUOTED(PACKAGE_NAME_CAPS,"$PACKAGE_NAME_CAPS",[Define to the package name, in caps.])
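
Review bot: AC_INIT moves to 0.34.4 while the oddjob.spec hunk in this same push sets Version: 0.34.6 and debian/changelog packages 0.34.6-1; since Makefile.am derives VERSION from the spec, the autoconf PACKAGE_VERSION will disagree with the tarball it ships in. Bump AC_INIT(oddjob,0.34.6) together with the spec, or have configure.ac read the version from the spec the way the Makefile does.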


=====================================
debian/changelog
=====================================
@@ -1,3 +1,16 @@
+oddjob (0.34.6-1) unstable; urgency=medium
+
+  * New upstream release. (Closes: #956352, #960089)
+  * watch: Updated.
+  * dont-run-dbus-launch.diff, control, rules: Run dbus-daemon directly
+    for tests, depend on dbus instead of dbus-x11, and enable tests.
+    (Closes: #836119)
+  * source/options: Add README.md to diff-ignore.
+  * Migrate to debhelper-compat, bump to 12.
+  * Bump policy to 4.5.0, update urls.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Mon, 01 Jun 2020 22:20:10 +0300
+
 oddjob (0.34.3-4) unstable; urgency=medium
 
   * control, postinst: Depend on systemd and move the trigger check after


=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-9


=====================================
debian/control
=====================================
@@ -4,10 +4,8 @@ Priority: optional
 Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at lists.alioth.debian.org>
 Uploaders: Timo Aaltonen <tjaalton at debian.org>
 Build-Depends:
- debhelper (>= 9),
- dh-autoreconf,
- dh-systemd,
- dbus-x11,
+ debhelper-compat (= 12),
+ dbus,
  libdbus-1-dev,
  libkrb5-dev,
  libldap2-dev,
@@ -18,10 +16,10 @@ Build-Depends:
  pkg-config,
  systemd,
  xmlto,
-Standards-Version: 3.9.6
-Homepage: https://www.fedorahosted.org/oddjob/
-Vcs-Git: git://anonscm.debian.org/pkg-freeipa/oddjob.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-freeipa/oddjob.git
+Standards-Version: 4.5.0
+Homepage: https://pagure.io/oddjob/
+Vcs-Git: https://salsa.debian.org/freeipa-team/oddjob.git
+Vcs-Browser: https://salsa.debian.org/freeipa-team/oddjob
 
 Package: oddjob
 Architecture: any


=====================================
debian/copyright
=====================================
@@ -1,6 +1,6 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: oddjob
-Source: https://www.fedorahosted.org/oddjob/
+Source: https://pagure.io/oddjob/
 
 Files: *
 Copyright: 2005-2015 Red Hat, Inc.


=====================================
debian/oddjob-mkhomedir.install
=====================================
@@ -1,7 +1,7 @@
 etc/dbus-1/system.d/oddjob-mkhomedir.conf
 etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
 lib/*/security/pam_oddjob_mkhomedir.so
-usr/lib/*/oddjob/mkhomedir
+usr/libexec/oddjob/mkhomedir
 usr/share/man/man5/oddjob-mkhomedir.conf.5
 usr/share/man/man5/oddjobd-mkhomedir.conf.5
 usr/share/man/man8/pam_oddjob_mkhomedir.8
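
Review bot: the helper moves from usr/lib/*/oddjob/mkhomedir to usr/libexec/oddjob/mkhomedir, but no --libexecdir is visible in the debian/rules configure override in this push, so the path depends entirely on what dh_auto_configure passes under debhelper-compat (= 12). With dh_missing --fail-missing now enabled, a mismatch fails the build rather than silently dropping the file, which is the right failure mode; the spec's %{_libexecdir}/%{name}/mkhomedir is the same location on Fedora, so the two packagings now agree.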


=====================================
debian/oddjob.install
=====================================
@@ -3,7 +3,7 @@ etc/oddjobd.conf
 etc/oddjobd.conf.d/oddjobd-introspection.conf
 lib/systemd/system/oddjobd.service
 usr/bin/oddjob_request
-usr/lib/*/oddjob/sanity.sh
+usr/libexec/oddjob/sanity.sh
 usr/sbin/oddjobd
 usr/share/man/man1/oddjob_request.1
 usr/share/man/man5/oddjob.conf.5


=====================================
debian/patches/dont-run-dbus-launch.diff
=====================================
@@ -0,0 +1,16 @@
+--- a/tests/test-oddjobd.sh
++++ b/tests/test-oddjobd.sh
+@@ -3,7 +3,12 @@
+ #  Start the session bus and arrange for it to be stopped when we exit.
+ #
+ DBUS_SESSION_BUS_PID=
+-eval `dbus-launch --sh-syntax`
++
++dbus-daemon --fork --session --print-address=3 --print-pid=4 \
++    3> dbus-session-bus-address 4> dbus-session-bus-pid
++export DBUS_SESSION_BUS_ADDRESS="$(cat dbus-session-bus-address)"
++DBUS_SESSION_BUS_PID="$(cat dbus-session-bus-pid)"
++
+ if test -z "$DBUS_SESSION_BUS_PID" ; then
+ 	echo Error starting session bus.
+ 	exit 1
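
Review bot: the bus address and pid are written to fixed files dbus-session-bus-address and dbus-session-bus-pid in the current directory and never removed, so every test run leaves them in the source tree (and the build sandbox must be writable there). Create them with mktemp and remove them in the same trap that stops the bus, or read fds 3 and 4 without going through files. The error check also only tests DBUS_SESSION_BUS_PID; an empty DBUS_SESSION_BUS_ADDRESS should fail just as loudly, e.g. `if test -z "$DBUS_SESSION_BUS_PID" -o -z "$DBUS_SESSION_BUS_ADDRESS" ; then`.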


=====================================
debian/patches/series
=====================================
@@ -0,0 +1 @@
+dont-run-dbus-launch.diff


=====================================
debian/rules
=====================================
@@ -5,7 +5,7 @@ DPKG_EXPORT_BUILDFLAGS = 1
 include /usr/share/dpkg/default.mk
 
 %:
-	dh $@ --with autoreconf,systemd
+	dh $@
 
 override_dh_auto_configure:
 	dh_auto_configure -- \
@@ -21,8 +21,6 @@ override_dh_auto_configure:
 		--with-selinux-labels \
 		--without-python
 
-override_dh_auto_test:
-
 override_dh_install:
 	# purge .la files
 	find $(CURDIR)/debian/tmp -name "*.la" -type f -exec rm -f "{}" \;
@@ -31,4 +29,7 @@ override_dh_install:
 	mv $(CURDIR)/debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/security \
 		$(CURDIR)/debian/tmp/lib/${DEB_HOST_MULTIARCH}/
 
-	dh_install --fail-missing
+	dh_install
+
+override_dh_missing:
+	dh_missing --fail-missing


=====================================
debian/source/options
=====================================
@@ -0,0 +1 @@
+extend-diff-ignore = README.md


=====================================
debian/watch
=====================================
@@ -1,2 +1,2 @@
 version=3
-https://fedorahosted.org/released/oddjob/ oddjob-(.*)\.tar\.gz
+https://releases.pagure.org/oddjob/ oddjob-(.*)\.tar\.gz
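
Review bot: upstream publishes a detached .tar.gz.sig next to the tarball (the oddjob.spec hunk in this push points Source1 at it), but the watch line stays at version=3 with no signature handling, so uscan fetches the tarball unverified. Moving to version=4 with `opts="pgpsigurlmangle=s/$/.sig/"` and shipping the upstream key as debian/upstream/signing-key.asc would let uscan check the release signature on every update.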


=====================================
oddjob.spec
=====================================
@@ -21,16 +21,15 @@
 %endif
 
 Name: oddjob
-Version: 0.34.3
+Version: 0.34.6
 Release: 1%{?dist}
-Source0: http://fedorahosted.org/released/oddjob/oddjob-%{version}.tar.gz
-#Source1: http://fedorahosted.org/released/oddjob/oddjob-%{version}.tar.gz.sig
+Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz
+Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.sig
 Summary: A D-Bus service which runs odd jobs on behalf of client applications
 License: BSD
-Group: System Environment/Daemons
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires:  gcc
 BuildRequires: dbus-devel >= 0.22, dbus-x11, libselinux-devel, libxml2-devel
-BuildRequires: pam-devel, python-devel, pkgconfig
+BuildRequires: pam-devel, pkgconfig
 BuildRequires: cyrus-sasl-devel, krb5-devel, openldap-devel
 BuildRequires: docbook-dtds, xmlto
 %if %{systemd}
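
Review bot: Source1 is uncommented and now names the detached signature, yet none of the visible hunks add a %{gpgverify} step (with a keyring Source2) to %prep, so the .sig is downloaded into the SRPM without ever being checked; either add the verification or the line only documents that a signature exists. Style nit in the same hunk: `BuildRequires:  gcc` has two spaces after the colon while the neighbouring lines use one.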
@@ -49,7 +48,7 @@ Requires: dbus
 # for "killall"
 Requires(post): psmisc
 Obsoletes: oddjob-devel < 0.30, oddjob-libs < 0.30, oddjob-python < 0.30
-URL: http://www.fedorahosted.org/oddjob
+URL: https://pagure.io/oddjob
 
 %if %{systemd}
 BuildRequires:  systemd-units
@@ -70,7 +69,6 @@ oddjob is a D-Bus service which performs particular tasks for clients which
 connect to it and issue requests using the system-wide message bus.
 
 %package mkhomedir
-Group: System Environment/Daemons
 Summary: An oddjob helper which creates and populates home directories
 Requires: %{name} = %{version}-%{release}
 Requires(post): %{dbus_send}, grep, sed, psmisc
@@ -81,7 +79,6 @@ pam_oddjob_mkhomedir module to create a home directory for a user
 at login-time.
 
 %package sample
-Group: System Environment/Daemons
 Summary: A sample oddjob service.
 Requires: %{name} = %{version}-%{release}
 
@@ -140,11 +137,7 @@ chmod -x src/reload src/mkhomedirfor src/mkmyhomedir
 touch -r src/oddjobd-mkhomedir.conf.in	$RPM_BUILD_ROOT/%{_sysconfdir}/oddjobd.conf.d/oddjobd-mkhomedir.conf
 touch -r src/oddjob-mkhomedir.conf.in	$RPM_BUILD_ROOT/%{_sysconfdir}/dbus-1/system.d/oddjob-mkhomedir.conf
 
-%clean
-rm -fr "$RPM_BUILD_ROOT"
-
 %files
-%defattr(-,root,root,-)
 %doc *.dtd COPYING NEWS QUICKSTART doc/oddjob.html src/reload
 %if ! %{build_sample_subpackage}
 %doc sample-install-root/sample
@@ -169,7 +162,6 @@ rm -fr "$RPM_BUILD_ROOT"
 %{_mandir}/*/oddjobd-introspection.*
 
 %files mkhomedir
-%defattr(-,root,root)
 %doc src/mkhomedirfor src/mkmyhomedir
 %dir %{_libexecdir}/%{name}
 %{_libexecdir}/%{name}/mkhomedir
@@ -186,7 +178,6 @@ rm -fr "$RPM_BUILD_ROOT"
 
 %if %{build_sample_subpackage}
 %files sample
-%defattr(-,root,root)
 %{_libdir}/%{name}/oddjob-sample.sh
 %config %{_sysconfdir}/dbus-*/system.d/oddjob-sample.conf
 %config %{_sysconfdir}/oddjobd.conf.d/oddjobd-sample.conf
@@ -255,6 +246,56 @@ fi
 exit 0
 
 %changelog
+* Thu May  7 2020 Nalin Dahyabhai <nalin at redhat.com> - 0.34.6-1
+- update license on src/buffer.h
+- change /var/run -> /run in systemd service file (Orion Poplawski)
+
+* Thu May  7 2020 Nalin Dahyabhai <nalin at redhat.com> - 0.34.5-1
+- apply patch from Matthias Gerstner of the SUSE security team to fix a
+  possible race condition in the mkhomedir helper (CVE-2020-10737)
+- only process SELinux contexts if SELinux is not disabled (Alexander Bokovoy)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Dec  4 2018 Nalin Dahyabhai <nalin at redhat.com> - 0.34.4-7
+- Drop Python 2 build-time dependency, which hasn't been used since we turned
+  off building the python bindings years ago (#1595853, #1642502).
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Mar 19 2018 Iryna Shcherbina <ishcherb at redhat.com> - 0.34.4-5
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Feb 26 2017 Nalin Dahyabhai <nalin at redhat.com> - 0.34.4-1
+- when "prepend_user_name" is used, the user name is now added to the helper's
+  command line after arguments that were specified in the helper "exec"
+  attribute
+- resync with Fedora packaging
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng at fedoraproject.org> - 0.34.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
 * Fri Jul 10 2015 Nalin Dahyabhai <nalin at redhat.com> - 0.34.3-1
 - tweak initialization so that we set up for providing our D-Bus APIs before we
   register our names with the bus, so that we can handle any requests that


=====================================
scripts/oddjobd.service.in
=====================================
@@ -4,8 +4,8 @@ After=syslog.target network.target dbus.service
 
 [Service]
 Type=simple
-PIDFile=/var/run/oddjobd.pid
-ExecStart=@sbindir@/oddjobd -n -p /var/run/oddjobd.pid -t 300
+PIDFile=/run/oddjobd.pid
+ExecStart=@sbindir@/oddjobd -n -p /run/oddjobd.pid -t 300
 
 [Install]
 WantedBy=multi-user.target
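
Review bot: /var/run -> /run is correct (systemd warns about PIDFile= paths under the legacy /var/run symlink). Since the unit is Type=simple and oddjobd is started with -n, which presumably keeps it in the foreground as Type=simple requires, systemd already tracks the main process directly; PIDFile= is documented for Type=forking, so the PIDFile= line and the -p option add nothing here and could be dropped rather than updated.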


=====================================
src/buffer.h
=====================================
@@ -1,21 +1,31 @@
 /*
- * Copyright 2005 Red Hat, Inc.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Library General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Library General Public License for more details.
- *
- * You should have received a copy of the GNU Library General Public
- * License along with this program; if not, write to the Free
- * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
- * MA 02111-1307, USA
- *
+   Copyright 2005 Red Hat, Inc.
+   All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in
+      the documentation and/or other materials provided with the
+      distribution.
+    * Neither the name of Red Hat, Inc., nor the names of its
+      contributors may be used to endorse or promote products derived
+      from this software without specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+   IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+   TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+   PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+   OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+   EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+   PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+   PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+   LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef oddjob_buffer_h
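
Review bot: the new text matches `License: BSD` in oddjob.spec, but the debian/copyright hunk in this push only changes the Source URL; check that its license stanza (only `Files: *` is visible here) names the BSD terms rather than the LGPL wording this header used to carry, and grep the tree for any other file still under the old header.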


=====================================
src/mkhomedir.c
=====================================
@@ -61,9 +61,11 @@ static mode_t override_umask;
  * identical as possible a copy in the destination tree. */
 static int
 copy_single_item(const char *source, const struct stat *sb,
-		 int flag, struct FTW *unused_s)
+		 int flag, struct FTW *status)
 {
-	int sfd, dfd, i;
+	uid_t uid = pwd->pw_uid;
+	gid_t gid = pwd->pw_gid;
+	int sfd, dfd, i, res;
 	char target[PATH_MAX + 1], newpath[PATH_MAX + 1];
 	unsigned char buf[BUFSIZ];
 	/* Generate the name of the new item. */
@@ -152,12 +154,24 @@ copy_single_item(const char *source, const struct stat *sb,
 		}
 		return 0;
 	case FTW_D:
+		/* It's the home directory itself. Don't give it to the
+		 * target user just yet to avoid potential race conditions
+		 * involving symlink attacks when we copy over the skeleton
+		 * tree. */
+		if (status->level == 0) {
+			uid = 0;
+			gid = 0;
+		}
+
 		/* It's a directory.  Make one with the same name and
 		 * permissions, but owned by the target user. */
-		if ((oddjob_selinux_mkdir(newpath,
-					  sb->st_mode & ~override_umask,
-					  pwd->pw_uid, pwd->pw_gid) != 0) &&
-		    (errno != EEXIST)) {
+		res = oddjob_selinux_mkdir(newpath,
+					   sb->st_mode & ~override_umask,
+					   uid, gid);
+
+		/* on unexpected errors, or if the home directory itself
+		 * suddenly already exists, abort the copy operation. */
+		if (res != 0 && (errno != EEXIST || status->level == 0)) {
 			return HANDLER_FAILURE;
 		}
 		return 0;
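
Review bot: EEXIST at level 0 now returns HANDLER_FAILURE, which changes the outcome for a home directory that already existed before the populate step began (previously tolerated); the caller hunk below shows no existence check ahead of nftw(), so confirm mkhomedir() already handles that case, otherwise users whose directory exists will see the PAM module fail. Related: if the copy aborts partway, the half-populated directory is left root-owned, and a retry will now hit this same EEXIST path and abort again; either remove the partial tree on failure or document that an operator must clean it up.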
@@ -220,8 +234,14 @@ mkhomedir(const char *user, int flags)
 			}
 			/* Walk the template tree and make a copy. */
 			if (flags & FLAG_POPULATE) {
-				return nftw(get_skel_dir(), copy_single_item, 5,
-					    FTW_PHYS);
+				int res = nftw(get_skel_dir(), copy_single_item, 5,
+					       FTW_PHYS);
+				/* only now give ownership to the target user */
+				if (res == 0) {
+					res = chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid);
+				}
+
+				return res;
 			} else {
 				if (stat(skel, &st) != 0) {
 					st.st_mode = S_IRWXU;
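
Review bot: chown() follows symlinks, so the final ownership transfer is only safe as long as the parent of pwd->pw_dir cannot be modified by the target user between the nftw() walk and this call. A tighter close of the window is to keep an fd to the directory created at level 0 (opened with O_DIRECTORY|O_NOFOLLOW) and use fchown() on it, which cannot be redirected. Also, when chown() fails the function returns -1 with no log line, leaving a root-owned home directory that the user cannot enter; an error message naming the path would make that state diagnosable.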


=====================================
src/oddjob_dbus.c
=====================================
@@ -49,6 +49,7 @@
 struct oddjob_dbus_context {
 	DBusBusType bustype;
 	int reconnect_timeout;
+	dbus_bool_t selinux_enabled;
 	struct oddjob_dbus_service {
 		struct oddjob_dbus_context *ctx;
 		DBusConnection *conn;
@@ -154,7 +155,7 @@ oddjob_dbus_listeners_set_reconnect_timeout(struct oddjob_dbus_context *ctx,
 
 /* Create a new master state structure. */
 struct oddjob_dbus_context *
-oddjob_dbus_listeners_new(DBusBusType bustype)
+oddjob_dbus_listeners_new(DBusBusType bustype, dbus_bool_t selinux_enabled)
 {
 	struct oddjob_dbus_context *ctx;
 
@@ -167,6 +168,7 @@ oddjob_dbus_listeners_new(DBusBusType bustype)
 	ctx->reconnect_timeout = 0;
 	ctx->n_services = 0;
 	ctx->services = NULL;
+	ctx->selinux_enabled = selinux_enabled;
 
 	return ctx;
 }
@@ -712,7 +714,7 @@ oddjob_dbus_filter(DBusConnection *conn, DBusMessage *message, void *user_data)
 	}
 
 	/* Build our message structure. */
-	msg = oddjob_dbus_message_from_message(conn, message, FALSE, TRUE);
+	msg = oddjob_dbus_message_from_message(conn, message, FALSE, ctx->selinux_enabled);
 	if (msg == NULL) {
 		return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
 	}


=====================================
src/oddjob_dbus.h
=====================================
@@ -39,7 +39,7 @@ struct oddjob_dbus_context;
 struct oddjob_dbus_message;
 
 /* Server */
-struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus);
+struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus, dbus_bool_t selinux_enabled);
 void oddjob_dbus_listeners_reconnect_if_needed(struct oddjob_dbus_context *ctx);
 void oddjob_dbus_listeners_set_reconnect_timeout(struct oddjob_dbus_context *ctx,
 						 int timeout);


=====================================
src/oddjobd.c
=====================================
@@ -51,7 +51,6 @@
 #ifdef SELINUX_ACLS
 #include <selinux/selinux.h>
 #include <selinux/context.h>
-#include <selinux/flask.h>
 #endif
 #include "buffer.h"
 #include "common.h"
@@ -1810,13 +1809,13 @@ oddjobd_exec_method(struct oddjob_dbus_context *ctx,
 		} else {
 			task->argv[n++] = method->argv[0];
 		}
-		if (method->prepend_user) {
-			task->argv[n++] = (char *) user;
-		}
 		for (i = 1; method->argv[i] != NULL; i++) {
 			arg = method->argv[i];
 			task->argv[n++] = (char *) arg;
 		}
+		if (method->prepend_user) {
+			task->argv[n++] = (char *) user;
+		}
 		for (i = 0; i < method->n_arguments; i++) {
 			arg = oddjob_dbus_message_get_arg(msg, i);
 			task->argv[n++] = (char *) arg;
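
Review bot: moving the user name after the exec-attribute arguments changes the argv layout seen by every deployed helper that combines prepend_user_name with arguments in exec; a helper that read the user from argv[1] now gets its own option instead. The man page hunk documents the new order, but NEWS is not in the list of 22 changed files, so the compatibility break is only recorded in the spec changelog; add a NEWS entry. Also worth confirming (not visible here) that task->argv is sized for all three groups plus the terminating NULL when argument_passing_method is cmdline.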
@@ -1973,7 +1972,7 @@ oddjobd_exec_method(struct oddjob_dbus_context *ctx,
 			}
 			if (security_compute_create((char *) client_secontext,
 						    helper_context,
-						    SECCLASS_PROCESS,
+						    string_to_security_class("process"),
 						    &exec_context) != 0) {
 				/* Failed to compute exec context? */
 				exec_errno = 0xfe;
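
Review bot: string_to_security_class() returns 0 when the class name is unknown to the loaded policy, and the result is passed straight into security_compute_create(); check for 0 and take the existing "Failed to compute exec context" path (exec_errno = 0xfe) rather than letting the call proceed with class 0. Dropping the SECCLASS_PROCESS constant is right, since selinux/flask.h is no longer shipped by libselinux.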
@@ -2985,7 +2984,8 @@ main(int argc, char **argv)
 	globals.config = config;
 
 	/* Open a connection to the message bus. */
-	ctx = oddjob_dbus_listeners_new(options.bus);
+	check_selinux_applicable();
+	ctx = oddjob_dbus_listeners_new(options.bus, globals.selinux_enabled);
 	if (ctx == NULL) {
 		fprintf(stderr, "Error connecting to D-Bus!\n");
 		return 2;
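
Review bot: neither check_selinux_applicable() nor globals.selinux_enabled appears elsewhere in this diff, so confirm both exist and compile when SELINUX_ACLS is not defined (the selinux headers at the top of the file are inside that #ifdef). The flag is also sampled once here and stored in the context, so a daemon started with SELinux disabled will keep skipping sender contexts until restarted even if SELinux is enabled later; acceptable, but worth a comment next to the call.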


=====================================
src/oddjobd.conf.5.in
=====================================
@@ -23,13 +23,15 @@ which describes a group of methods described in \fI<method>\fP elements.
 Each \fI<method>\fR element must specify the method name as a value for its
 \fIname\fR attribute and may include a \fI<helper\fR> element which the name of
 an executable to run as its \fIexec\fR attribute and the number of arguments
-which will be passed to the helper as its \fIargument_count\fR attribute.  A
-\fI<helper>\fR may also include attributes indicating whether or not the
-invoking user's name should be prepended to that argument list
-(\fIprepend_user_name\fR, with recognized values "yes" or "no"), and whether
-that argument list should be passed in to the helper via stdin (the default) or
-on its command line (\fIargument_passing_method\fR, with recognized values
-"stdin" and "cmdline").
+which will be expected from the D-Bus client and passed to the helper as its
+\fIargument_count\fR attribute.  The \fI<helper>\fR's \fIexec\fR attribute can
+include one or more command line arguments, separated from the executable by
+whitespace.  A \fI<helper>\fR may also include attributes indicating whether or
+not the invoking user's name should be prepended to the list of arguments
+received as part of the D-Bus request (\fIprepend_user_name\fR, with recognized
+values "yes" or "no"), and whether that set of arguments should be passed in to
+the helper via stdin (the default) or on its command line
+(\fIargument_passing_method\fR, with recognized values "stdin" and "cmdline").
 
 Each \fI<oddjobconfig>\fR, \fI<service>\fR, \fI<object>\fR, \fI<interface>\fR,
 or \fI<method>\fR element may also include authorization elements \fI<allow>\fR
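
Review bot: the unchanged context line "may include a \fI<helper\fR> element which the name of" has the `>` outside the italic markup and is missing a verb; since this paragraph is being rewritten anyway, fix it here too, e.g. "may include a \fI<helper>\fR element which gives the name of". The new sentence about arguments in \fIexec\fR should also say how the value is split (on whitespace, with no shell-style quoting), so administrators know that a path or argument containing a space cannot be expressed there.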
@@ -79,6 +81,9 @@ Another:
      <method name="reboot">
       <helper exec="/sbin/reboot" argument_count="0"/>
      </method>
+     <method name="flush-nscd">
+      <helper exec="/sbin/nscd -i passwd -i group -i hosts" argument_count="0"/>
+     </method>
     </interface>
     <interface name="@DBUS_INTROSPECTION_INTERFACE@">
      <allow min_uid="0" max_uid="0"/>



View it on GitLab: https://salsa.debian.org/freeipa-team/oddjob/-/compare/ebfed4c30820cf5f90d2b51e56c55f6e32459b3f...86f18680b969915f3465c13c48122e94eed417bb
