import oddjob-0.34.5-3.el8

2020-11-03 06:54:37 -05:00 · 2020-11-03 06:54:37 -05:00 · 9f4a46370f
parent 66bce405dc
commit 9f4a46370f
6 changed files with 117 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/oddjob-0.34.4.tar.gz
+SOURCES/oddjob-0.34.5.tar.gz
--- a/.oddjob.metadata
+++ b/.oddjob.metadata
@ -1 +1 @@
-51d4d370ffb081e614f86075fda7a9db03ac0b71 SOURCES/oddjob-0.34.4.tar.gz
+0e820fb0fce17fa8b44846ce496e722be37cfc96 SOURCES/oddjob-0.34.5.tar.gz
--- a/SOURCES/oddjob-0.34.4.tar.gz.sig
+++ b/SOURCES/oddjob-0.34.4.tar.gz.sig
--- a/SOURCES/oddjob-0.34.5.tar.gz.sig
+++ b/SOURCES/oddjob-0.34.5.tar.gz.sig
--- a/SOURCES/oddjob-home-mode-support.patch
+++ b/SOURCES/oddjob-home-mode-support.patch
@ -0,0 +1,96 @@
+From c51b28adf66a4597ff1c0cb0e0754b2968a337e2 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 8 Oct 2020 13:37:32 +0300
+Subject: [PATCH] Read HOME_MODE and UMASK from /etc/login.defs
+
+shadow-utils changed behavior of UMASK to only apply to runtime
+processes. For home directories, HOME_MODE variable was introduced
+instead.
+
+Read HOME_MODE and fall back to UMASK if that does not exist.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/mkhomedir.c                 | 13 +++++++++----
+ src/oddjobd-mkhomedir.conf.5.in |  3 ++-
+ src/pam_oddjob_mkhomedir.8.in   |  5 +++--
+ 3 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/mkhomedir.c b/src/mkhomedir.c
+index 1c0d8e4..be85959 100644
+--- a/src/mkhomedir.c
+++ b/src/mkhomedir.c
+@@ -264,12 +264,13 @@ mkhomedir(const char *user, int flags)
+ }
+ 
+ static mode_t
+-get_umask(int *configured)
+get_umask(int *configured, const char *variable)
+ {
+ 	FILE *fp;
+ 	char buf[BUFSIZ], *p, *end;
+ 	mode_t mask = umask(0777);
+ 	long tmp;
+	size_t vlen = strlen(variable);
+ 
+ 	fp = fopen("/etc/login.defs", "r");
+ 	if (fp != NULL) {
+@@ -279,10 +280,10 @@ get_umask(int *configured)
+ 			}
+ 			buf[strcspn(buf, "\r\n")] = '\0';
+ 			p = buf + strspn(buf, " \t");
+-			if (strncmp(p, "UMASK", 5) != 0) {
+			if (strncmp(p, variable, vlen) != 0) {
+ 				continue;
+ 			}
+-			p += 5;
+			p += vlen;
+ 			if (strspn(p, " \t") == 0) {
+ 				continue;
+ 			}
+@@ -308,7 +309,11 @@ main(int argc, char **argv)
+ 	int i, configured_umask = 0, flags = FLAG_POPULATE;
+ 
+ 	openlog(PACKAGE "-mkhomedir", LOG_PID, LOG_DAEMON);
+-	override_umask = get_umask(&configured_umask);
+	/* Unlike UMASK, HOME_MODE is the file mode, so needs to be reverted */
+	override_umask = 0777 & ~get_umask(&configured_umask, "HOME_MODE");
+	if (configured_umask == 0) {
+		override_umask = get_umask(&configured_umask, "UMASK");
+	}
+ 	umask(override_umask);
+ 	skel_dir = "/etc/skel";
+ 
+diff --git a/src/oddjobd-mkhomedir.conf.5.in b/src/oddjobd-mkhomedir.conf.5.in
+index b0cd934..d7a2429 100644
+--- a/src/oddjobd-mkhomedir.conf.5.in
+++ b/src/oddjobd-mkhomedir.conf.5.in
+@@ -24,7 +24,8 @@ Override the location of the skeleton directory (by default: \fI/etc/skel\fR).
+ -u
+ Specify a umask whose bits are masked off of contents of the skeleton directory
+ while they are copied to the user's new home directory.  The default is read
+-from \fB/etc/login.defs\fR.
+from \fB/etc/login.defs\fR by taking \fBHOME_MODE\fR and \fBUMASK\fR values, in
+this order.  First found value persists.
+ 
+ .SH SEE ALSO
+ \fBoddjob.conf\fR(5)
+diff --git a/src/pam_oddjob_mkhomedir.8.in b/src/pam_oddjob_mkhomedir.8.in
+index 3793764..2fb16bc 100644
+--- a/src/pam_oddjob_mkhomedir.8.in
+++ b/src/pam_oddjob_mkhomedir.8.in
+@@ -14,8 +14,9 @@ if the module is running with superuser privileges.  Otherwise, it invokes the
+ \fImkmyhomedir\fR method.
+ 
+ The location of the skeleton directory and the default umask are determined by
+-the configuration for the corresponding service in \fBoddjobd-mkhomedir.conf\fR,
+-so they can not be specified as arguments to this module.
+the values of \fBHOME_MODE\fR or \fBUMASK\fR (as a fallback) variables in
+\fI/etc/login.defs\fR, so they can not be specified as arguments to this
+module.
+ 
+ If \fID-Bus\fR has not been configured to allow the calling application to
+ invoke these methods provided as part of the \fI@NAMESPACE@.oddjob_mkhomedir\fR
+-- 
+2.28.0
+
--- a/SPECS/oddjob.spec
+++ b/SPECS/oddjob.spec
@ -21,10 +21,12 @@
 %endif

 Name: oddjob
-Version: 0.34.4
-Release: 7%{?dist}
+Version: 0.34.5
+Release: 3%{?dist}
 Source0: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz
 Source1: https://releases.pagure.org/oddjob/oddjob-%{version}.tar.gz.sig
+Patch1: oddjob-home-mode-support.patch
+
 Summary: A D-Bus service which runs odd jobs on behalf of client applications
 License: BSD
 Group: System Environment/Daemons
@ -90,6 +92,7 @@ This package contains a trivial sample oddjob service.

 %prep
 %setup -q
+%patch1 -p1

 %build
 sample_flag=
@ -249,6 +252,20 @@ fi
 exit 0

 %changelog
+* Thu Oct 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.5-3
+- Support HOME_MODE from /etc/login.defs
+  Resolves: rhbz#1886362
+
+* Fri May 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.5-2
+- Add gating tests using idm:DL1 module stream and upstream tests
+  Resolves: rhbz#1682457
+
+* Fri May 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.34.5-1
+- Upstream release 0.34.5
+- Resolves: rhbz#1833289 - Rebase oddjob to 0.34.5
+- Resolves: rhbz#1833052 - CVE-2020-10737 
+  oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack
+
 * Tue Dec  4 2018 Nalin Dahyabhai <nalin@redhat.com> - 0.34.4-7
 - Drop Python 2 build-time dependency, which hasn't been used since we turned
  off building the python bindings years ago (#1595853, #1642502).