diff --git a/.gitignore b/.gitignore
index 4aa6c42..969db19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/oddjob-0.34.4.tar.gz
+SOURCES/oddjob-0.34.5.tar.gz
diff --git a/.oddjob.metadata b/.oddjob.metadata
index 34ebf1d..b433780 100644
--- a/.oddjob.metadata
+++ b/.oddjob.metadata
@@ -1 +1 @@
-51d4d370ffb081e614f86075fda7a9db03ac0b71 SOURCES/oddjob-0.34.4.tar.gz
+0e820fb0fce17fa8b44846ce496e722be37cfc96 SOURCES/oddjob-0.34.5.tar.gz
diff --git a/SOURCES/oddjob-0.34.4.tar.gz.sig b/SOURCES/oddjob-0.34.4.tar.gz.sig
deleted file mode 100644
index bcd791a..0000000
Binary files a/SOURCES/oddjob-0.34.4.tar.gz.sig and /dev/null differ
diff --git a/SOURCES/oddjob-0.34.5.tar.gz.sig b/SOURCES/oddjob-0.34.5.tar.gz.sig
new file mode 100644
index 0000000..7a44442
Binary files /dev/null and b/SOURCES/oddjob-0.34.5.tar.gz.sig differ
diff --git a/SOURCES/oddjob-home-mode-support.patch b/SOURCES/oddjob-home-mode-support.patch
new file mode 100644
index 0000000..c74982e
--- /dev/null
+++ b/SOURCES/oddjob-home-mode-support.patch
@@ -0,0 +1,96 @@
+From c51b28adf66a4597ff1c0cb0e0754b2968a337e2 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 8 Oct 2020 13:37:32 +0300
+Subject: [PATCH] Read HOME_MODE and UMASK from /etc/login.defs
+
+shadow-utils changed behavior of UMASK to only apply to runtime
+processes. For home directories, HOME_MODE variable was introduced
+instead.
+
+Read HOME_MODE and fall back to UMASK if that does not exist.
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/mkhomedir.c | 13 +++++++++----
+ src/oddjobd-mkhomedir.conf.5.in | 3 ++-
+ src/pam_oddjob_mkhomedir.8.in | 5 +++--
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/mkhomedir.c b/src/mkhomedir.c
+index 1c0d8e4..be85959 100644
+--- a/src/mkhomedir.c
++++ b/src/mkhomedir.c
+@@ -264,12 +264,13 @@ mkhomedir(const char *user, int flags)
+ }
+
+ static mode_t
+-get_umask(int *configured)
++get_umask(int *configured, const char *variable)
+ {
+ FILE *fp;
+ char buf[BUFSIZ], *p, *end;
+ mode_t mask = umask(0777);
+ long tmp;
++ size_t vlen = strlen(variable);
+
+ fp = fopen("/etc/login.defs", "r");
+ if (fp != NULL) {
+@@ -279,10 +280,10 @@ get_umask(int *configured)
+ }
+ buf[strcspn(buf, "\r\n")] = '\0';
+ p = buf + strspn(buf, " \t");
+- if (strncmp(p, "UMASK", 5) != 0) {
++ if (strncmp(p, variable, vlen) != 0) {
+ continue;
+ }
+- p += 5;
++ p += vlen;
+ if (strspn(p, " \t") == 0) {
+ continue;
+ }
+@@ -308,7 +309,11 @@ main(int argc, char **argv)
+ int i, configured_umask = 0, flags = FLAG_POPULATE;
+
+ openlog(PACKAGE "-mkhomedir", LOG_PID, LOG_DAEMON);
+- override_umask = get_umask(&configured_umask);
++ /* Unlike UMASK, HOME_MODE is the file mode, so needs to be reverted */
++ override_umask = 0777 & ~get_umask(&configured_umask, "HOME_MODE");
++ if (configured_umask == 0) {
++ override_umask = get_umask(&configured_umask, "UMASK");
++ }
+ umask(override_umask);
+ skel_dir = "/etc/skel";
+
+diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
+index b0cd934..d7a2429 100644
+--- a/src/oddjobd-mkhomedir.conf.5.in
++++ b/src/oddjobd-mkhomedir.conf.5.in
+@@ -24,7 +24,8 @@ Override the location of the skeleton directory (by default: \fI/etc/skel\fR).
+ -u
+ Specify a umask whose bits are masked off of contents of the skeleton directory
+ while they are copied to the user's new home directory. The default is read
+-from \fB/etc/login.defs\fR.
++from \fB/etc/login.defs\fR by taking \fBHOME_MODE\fR and \fBUMASK\fR values, in
++this order. First found value persists.
+
+ .SH SEE ALSO
+ \fBoddjob.conf\fR(5)
+diff --git a/src/pam_oddjob_mkhomedir.8.in b/src/pam_oddjob_mkhomedir.8.in
+index 3793764..2fb16bc 100644
+--- a/src/pam_oddjob_mkhomedir.8.in
++++ b/src/pam_oddjob_mkhomedir.8.in
+@@ -14,8 +14,9 @@ if the module is running with superuser privileges. Otherwise, it invokes the
+ \fImkmyhomedir\fR method.
+
+ The location of the skeleton directory and the default umask are determined by
+-the configuration for the corresponding service in \fBoddjobd-mkhomedir.conf\fR,
+-so they can not be specified as arguments to this module.
++the values of \fBHOME_MODE\fR or \fBUMASK\fR (as a fallback) variables in
++\fI/etc/login.defs\fR, so they can not be specified as arguments to this
++module.
+
+ If \fID-Bus\fR has not been configured to allow the calling application to
+ invoke these methods provided as part of the \fI@NAMESPACE@.oddjob_mkhomedir\fR
+--
+2.28.0
+
diff --git a/SPECS/oddjob.spec b/SPECS/oddjob.spec
index 7fd99f6..d7029dd 100644
--- a/SPECS/oddjob.spec
+++ b/SPECS/oddjob.spec
@@ -21,10 +21,12 @@ %endif Name: oddjob -Version: 0.34.4 -Release: 7%{?dist} +Version: 0.34.5 +Release: 3%{?dist} Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.sig +Patch1: oddjob-home-mode-support.patch + Summary: A D-Bus service which runs odd jobs on behalf of client applications License: BSD Group: System Environment/Daemons
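Review bot: In the `main()` hunk of src/mkhomedir.c `get_umask()` is now called twice, but its first visible statement, `mode_t mask = umask(0777);`, reads the process umask by overwriting it with 0777, so unless code outside these hunks restores it the `UMASK` fallback call starts from 0777 as its default. When /etc/login.defs has neither `HOME_MODE` nor `UMASK`, `override_umask` would then be 0777 instead of the inherited mask, which presumably leaves new home directories with no permission bits. Adding `umask(mask);` on the line after that declaration makes the function safe to call repeatedly; the rest of `get_umask()`, including its return, lies outside the hunk, so confirm it does not already do this. Separately, `main()` would benefit from a comment stating that the `HOME_MODE`-derived value is installed process-wide by `umask(override_umask)`, so a permissive `HOME_MODE` takes precedence over a stricter `UMASK` for the skeleton contents the man-page hunk says this mask is applied to, not only for the home directory itself.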
@@ -90,6 +92,7 @@ This package contains a trivial sample oddjob service. %prep %setup -q +%patch1 -p1 %build sample_flag= @@ -249,6 +252,20 @@ fi exit 0 %changelog +* Thu Oct 08 2020 Alexander Bokovoy - 0.34.5-3 +- Support HOME_MODE from /etc/login.defs + Resolves: rhbz#1886362 + +* Fri May 08 2020 Alexander Bokovoy - 0.34.5-2 +- Add gating tests using idm:DL1 module stream and upstream tests + Resolves: rhbz#1682457 + +* Fri May 08 2020 Alexander Bokovoy - 0.34.5-1 +- Upstream release 0.34.5 +- Resolves: rhbz#1833289 - Rebase oddjob to 0.34.5 +- Resolves: rhbz#1833052 - CVE-2020-10737 + oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack + * Tue Dec 4 2018 Nalin Dahyabhai - 0.34.4-7 - Drop Python 2 build-time dependency, which hasn't been used since we turned off building the python bindings years ago (#1595853, #1642502).