Rebase to 2024.5

Resolves #RHEL-30415
Joseph Marrero Corchado 2024-04-15 21:47:32 -04:00
parent d2dcf5861e
commit 034b49734a
6 changed files with 9 additions and 321 deletions

.gitignore vendored

@ -127,3 +127,4 @@
/rpm-ostree-2024.2.tar.xz
/rpm-ostree-2024.3.tar.xz
/rpm-ostree-2024.4.tar.xz
/rpm-ostree-2024.5.tar.xz


@ -1,150 +0,0 @@
From a8e53434a529e7d53514a8c44d1cec42f04b0723 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 21 Mar 2024 10:43:07 -0400
Subject: [PATCH] Revert "compose: Inject our static tmpfiles.d dropins
earlier"
This reverts commit e1e78cf9df902d895a7fce9dc719726c283e9d03.
It breaks idempotency with osbuild.
Closes: https://github.com/coreos/rpm-ostree/issues/4879
---
rust/src/passwd.rs | 3 --
src/app/rpmostree-compose-builtin-tree.cxx | 40 --------------------
src/libpriv/rpmostree-postprocess.cxx | 44 ++++++++++++++++++++--
3 files changed, 41 insertions(+), 46 deletions(-)
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 79ee488f..821497d8 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -106,9 +106,6 @@ pub fn passwd_cleanup(rootfs_dfd: i32) -> Result<()> {
/// in /usr/etc at this point), and splitting it into two streams: a new
/// /etc/passwd that just contains the root entry, and /usr/lib/passwd which
/// contains everything else.
-///
-/// Note: the presence of /usr/lib/passwd is used in postprocess_final() to make
-/// it idempotent. See related comment there.
#[context("Migrating 'passwd' to /usr/lib")]
pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> {
static ETCSRC_PATH: &str = "usr/etc/passwd";
diff --git a/src/app/rpmostree-compose-builtin-tree.cxx b/src/app/rpmostree-compose-builtin-tree.cxx
index 1f2862f8..63648288 100644
--- a/src/app/rpmostree-compose-builtin-tree.cxx
+++ b/src/app/rpmostree-compose-builtin-tree.cxx
@@ -477,46 +477,6 @@ install_packages (RpmOstreeTreeComposeContext *self, gboolean *out_unmodified,
std::string (previous_ref), opt_unified_core),
error);
- /* Assembly will regen the rpm-ostree-autovar.conf tmpfiles.d dropin; let's
- * make sure to add our own static dropins before that so that they're taken
- * into account when looking for dupes. */
- g_print ("Adding rpm-ostree-0-integration.conf\n");
-
- /* This is useful if we're running in an uninstalled configuration, e.g.
- * during tests. */
- const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
- glnx_autofd int pkglibdir_dfd = -1;
- if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
- return FALSE;
-
- if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
- return FALSE;
-
- if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
- "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf",
- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
- cancellable, error))
- return FALSE;
-
- if ((*self->treefile_rs)->get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
- {
- if (!glnx_file_copy_at (
- pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
- "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
- cancellable, error))
- return FALSE;
- }
- else
- {
- if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
- rootfs_dfd,
- "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
- cancellable, error))
- return FALSE;
- }
-
if (opt_unified_core)
{
if (!rpmostree_context_import (self->corectx, cancellable, error))
diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx
index 9b5cdec7..311de70f 100644
--- a/src/libpriv/rpmostree-postprocess.cxx
+++ b/src/libpriv/rpmostree-postprocess.cxx
@@ -368,12 +368,13 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
{
GLNX_AUTO_PREFIX_ERROR ("Finalizing rootfs", error);
- /* Use the presence of /usr/lib/passwd as an "idempotence" marker to
+ /* Use installation of the tmpfiles integration as an "idempotence" marker to
* avoid doing postprocessing twice, which can happen when mixing `compose
* postprocess-root` with `compose commit`.
*/
- const char usr_lib_passwd[] = "usr/lib/password";
- if (!glnx_fstatat_allow_noent (rootfs_dfd, usr_lib_passwd, NULL, AT_SYMLINK_NOFOLLOW, error))
+ const char tmpfiles_integration_path[] = "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf";
+ if (!glnx_fstatat_allow_noent (rootfs_dfd, tmpfiles_integration_path, NULL, AT_SYMLINK_NOFOLLOW,
+ error))
return FALSE;
if (errno == 0)
return TRUE;
@@ -446,6 +447,43 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un
if (!rpmostree_rootfs_postprocess_common (rootfs_dfd, cancellable, error))
return FALSE;
+ g_print ("Adding rpm-ostree-0-integration.conf\n");
+ /* This is useful if we're running in an uninstalled configuration, e.g.
+ * during tests. */
+ const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR;
+ glnx_autofd int pkglibdir_dfd = -1;
+
+ if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error))
+ return FALSE;
+
+ if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error))
+ return FALSE;
+
+ if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd,
+ tmpfiles_integration_path,
+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+ cancellable, error))
+ return FALSE;
+
+ if (treefile.get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay)
+ {
+ if (!glnx_file_copy_at (
+ pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd,
+ "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf",
+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+ cancellable, error))
+ return FALSE;
+ }
+ else
+ {
+ if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL,
+ rootfs_dfd,
+ "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf",
+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */
+ cancellable, error))
+ return FALSE;
+ }
+
/* Handle kernel/initramfs if we're not doing a container */
if (!container)
{
--
2.43.0


@ -1,79 +0,0 @@
From 7d27c0a85af81d8f6dffc8bf1fa0ab13b77859c0 Mon Sep 17 00:00:00 2001
From: jbtrystram <jbtrystram@redhat.com>
Date: Thu, 21 Mar 2024 17:27:21 +0100
Subject: [PATCH 1/2] unit: chmod /etc/[g]shadow[-] to 0000
fdb879c introduced a regression where /etc/[g]shadow[-] files where
created with default permissions: 0644
This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
before interactive login is allowed on a system.
This will fix the systems that were deployed with the above issue.
We keep the stamp in /etc to account for the case where a deployment
with this unit is rolled back. If we used /var, the stamp would have
stayed but the fix would not be re-applied on the next update.
---
Makefile-daemon.am | 1 +
packaging/rpm-ostree.spec.in | 5 +++++
src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
diff --git a/Makefile-daemon.am b/Makefile-daemon.am
index 4233d90d..f96f49a9 100644
--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
rpm-ostreed-automatic.service \
rpm-ostree-bootstatus.service \
rpm-ostree-countme.service \
+ rpm-ostree-fix-shadow-mode.service \
$(NULL)
systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
index 8aa9afaa..f734f676 100644
--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
# Setup rpm-ostree-countme.timer according to presets
%post
%systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
+fi
%preun
%systemd_preun rpm-ostree-countme.timer
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
new file mode 100644
index 00000000..4aea7462
--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--
2.44.0


@ -1,83 +0,0 @@
From 3b4c96c5c49a537fba2e0cda0c6ee6bd58cac625 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 19 Mar 2024 15:20:43 -0400
Subject: [PATCH 2/2] passwd: create `/etc/[g]shadow` with mode 0
Because of how our composes work, we need to manually inject
passwd-related things before installing packages. A somewhat recent
regression in that area made it so that the `/etc/shadow` and
`/etc/gshadow` files were created with default permissions (0644), which
meant they were world readable.
Fix this by explicitly setting their modes to 0. Ideally, we would rely
on the canonical permissions set in the `setup` package here, but it's
tricky to fix that without reworking how we install `setup` and handle
`passwd` treefile options.
Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
`etc/{passwd,group}`").
Fixes #4401
---
rust/src/passwd.rs | 14 ++++++++++++++
tests/compose/libbasic-test.sh | 5 +++++
2 files changed, 19 insertions(+)
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 79ee488f..8f0e5841 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -421,6 +421,12 @@ fn write_data_from_treefile(
let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
let shadow_name = target.shadow_file();
let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+ // Ideally these permissions come from `setup`, which is the package
+ // that owns these files:
+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+ // But at this point of the compose, the rootfs is completely empty; we
+ // haven't started unpacking things yet. So we need to hardcode it here.
+ let shadow_perms = cap_std::fs::Permissions::from_mode(0);
match target {
PasswdKind::User => {
@@ -430,6 +436,10 @@ fn write_data_from_treefile(
for user in entries {
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
@@ -441,6 +451,10 @@ fn write_data_from_treefile(
for group in entries {
writeln!(target_shadow, "{}:::", group.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
index 0a751760..3f7c6d8a 100644
--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
@@ -22,6 +22,11 @@ validate_passwd group
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
assert_file_has_content_literal passwd.txt '00644 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
assert_file_has_content_literal useradd.txt HOME=/var/home
--
2.44.0


@ -3,19 +3,14 @@
Summary: Hybrid image/package system
Name: rpm-ostree
Version: 2024.4
Release: 4%{?dist}
Version: 2024.5
Release: 1%{?dist}
License: LGPLv2+
URL: https://github.com/coreos/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
# in the upstream git. It also contains vendored Rust sources.
Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
# https://issues.redhat.com/browse/RHEL-29559
Patch0: 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch
Patch1: 0001-unit-chmod-etc-g-shadow-to-0000.patch
Patch2: 0002-passwd-create-etc-g-shadow-with-mode-0.patch
ExclusiveArch: %{rust_arches}
BuildRequires: make
@ -249,9 +244,13 @@ fi
%files devel -f files.devel
%changelog
* Mon Apr 15 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.5-1
- Rebase to 2024.5
Adds fix for https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-30415
* Tue Apr 09 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.4-4
- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-31951
* Thu Mar 21 2024 Colin Walters <walters@verbum.org> - 2024.4-3
- Backport patch to fix https://issues.redhat.com/browse/RHEL-29559
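Review bot: The new 2024.5-1 changelog entry only credits the GHSA-2m76-cwhg-7wv6 fix, while the same hunk also drops `Patch0` (`0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch`, tracked under RHEL-29559) and its `# https://issues.redhat.com/browse/RHEL-29559` comment without saying why. If that revert landed upstream in 2024.5 it is presumably safe to drop, but the spec record should state it so a later audit can confirm both the tmpfiles.d revert and the /etc/[g]shadow mode-0 fix are still carried by the rebased tarball. A line such as `- Drop downstream patches now included upstream (RHEL-29559, GHSA-2m76-cwhg-7wv6)` under the 2024.5-1 entry would close that gap. The `Version`/`Release` lines in this hunk agree with the sources file update.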


@ -1 +1 @@
SHA512 (rpm-ostree-2024.4.tar.xz) = e5b5f77fa574c3778b1332453392719cd561746a8677b19eee4febbc44b3c8c2da8415a066bfe7d4228606340f8a1c38f46ee64879b9d762fe8091f54d019c0f
SHA512 (rpm-ostree-2024.5.tar.xz) = 6d684f6f8c586cfe5dbccc6831c4d69da8da04907e0a53adb4d995d42878b86466c1b97e8665e30aeeb94d9795bbda76888ccb7bf00b32a5502ffb9dfa045f66