From 034b49734ac171df32f1a27bf9b8a0a21f16ece3 Mon Sep 17 00:00:00 2001 From: Joseph Marrero Corchado Date: Mon, 15 Apr 2024 21:47:32 -0400 Subject: [PATCH] Rebase to 2024.5 Resolves #RHEL-30415 --- .gitignore | 1 + ...nject-our-static-tmpfiles.d-dropins-.patch | 150 ------------------ 0001-unit-chmod-etc-g-shadow-to-0000.patch | 79 --------- ...sswd-create-etc-g-shadow-with-mode-0.patch | 83 ---------- rpm-ostree.spec | 15 +- sources | 2 +- 6 files changed, 9 insertions(+), 321 deletions(-) delete mode 100644 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch delete mode 100644 0001-unit-chmod-etc-g-shadow-to-0000.patch delete mode 100644 0002-passwd-create-etc-g-shadow-with-mode-0.patch diff --git a/.gitignore b/.gitignore index 58d370a..445a86a 100644 --- a/.gitignore +++ b/.gitignore @@ -127,3 +127,4 @@ /rpm-ostree-2024.2.tar.xz /rpm-ostree-2024.3.tar.xz /rpm-ostree-2024.4.tar.xz +/rpm-ostree-2024.5.tar.xz diff --git a/0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch b/0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch deleted file mode 100644 index 9576681..0000000 --- a/0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -From a8e53434a529e7d53514a8c44d1cec42f04b0723 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Thu, 21 Mar 2024 10:43:07 -0400 -Subject: [PATCH] Revert "compose: Inject our static tmpfiles.d dropins - earlier" - -This reverts commit e1e78cf9df902d895a7fce9dc719726c283e9d03. - -It breaks idempotency with osbuild. - -Closes: https://github.com/coreos/rpm-ostree/issues/4879 ---- - rust/src/passwd.rs | 3 -- - src/app/rpmostree-compose-builtin-tree.cxx | 40 -------------------- - src/libpriv/rpmostree-postprocess.cxx | 44 ++++++++++++++++++++-- - 3 files changed, 41 insertions(+), 46 deletions(-) - -diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs -index 79ee488f..821497d8 100644 ---- a/rust/src/passwd.rs -+++ b/rust/src/passwd.rs -@@ -106,9 +106,6 @@ pub fn passwd_cleanup(rootfs_dfd: i32) -> Result<()> { - /// in /usr/etc at this point), and splitting it into two streams: a new - /// /etc/passwd that just contains the root entry, and /usr/lib/passwd which - /// contains everything else. --/// --/// Note: the presence of /usr/lib/passwd is used in postprocess_final() to make --/// it idempotent. See related comment there. - #[context("Migrating 'passwd' to /usr/lib")] - pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> { - static ETCSRC_PATH: &str = "usr/etc/passwd"; -diff --git a/src/app/rpmostree-compose-builtin-tree.cxx b/src/app/rpmostree-compose-builtin-tree.cxx -index 1f2862f8..63648288 100644 ---- a/src/app/rpmostree-compose-builtin-tree.cxx -+++ b/src/app/rpmostree-compose-builtin-tree.cxx -@@ -477,46 +477,6 @@ install_packages (RpmOstreeTreeComposeContext *self, gboolean *out_unmodified, - std::string (previous_ref), opt_unified_core), - error); - -- /* Assembly will regen the rpm-ostree-autovar.conf tmpfiles.d dropin; let's -- * make sure to add our own static dropins before that so that they're taken -- * into account when looking for dupes. 
*/ -- g_print ("Adding rpm-ostree-0-integration.conf\n"); -- -- /* This is useful if we're running in an uninstalled configuration, e.g. -- * during tests. */ -- const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR; -- glnx_autofd int pkglibdir_dfd = -1; -- if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error)) -- return FALSE; -- -- if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error)) -- return FALSE; -- -- if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd, -- "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf", -- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -- cancellable, error)) -- return FALSE; -- -- if ((*self->treefile_rs)->get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay) -- { -- if (!glnx_file_copy_at ( -- pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd, -- "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf", -- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -- cancellable, error)) -- return FALSE; -- } -- else -- { -- if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal.conf", NULL, -- rootfs_dfd, -- "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf", -- GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -- cancellable, error)) -- return FALSE; -- } -- - if (opt_unified_core) - { - if (!rpmostree_context_import (self->corectx, cancellable, error)) -diff --git a/src/libpriv/rpmostree-postprocess.cxx b/src/libpriv/rpmostree-postprocess.cxx -index 9b5cdec7..311de70f 100644 ---- a/src/libpriv/rpmostree-postprocess.cxx -+++ b/src/libpriv/rpmostree-postprocess.cxx -@@ -368,12 +368,13 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un - { - GLNX_AUTO_PREFIX_ERROR ("Finalizing rootfs", error); - -- /* Use the presence of /usr/lib/passwd as an "idempotence" marker to -+ 
/* Use installation of the tmpfiles integration as an "idempotence" marker to - * avoid doing postprocessing twice, which can happen when mixing `compose - * postprocess-root` with `compose commit`. - */ -- const char usr_lib_passwd[] = "usr/lib/password"; -- if (!glnx_fstatat_allow_noent (rootfs_dfd, usr_lib_passwd, NULL, AT_SYMLINK_NOFOLLOW, error)) -+ const char tmpfiles_integration_path[] = "usr/lib/tmpfiles.d/rpm-ostree-0-integration.conf"; -+ if (!glnx_fstatat_allow_noent (rootfs_dfd, tmpfiles_integration_path, NULL, AT_SYMLINK_NOFOLLOW, -+ error)) - return FALSE; - if (errno == 0) - return TRUE; -@@ -446,6 +447,43 @@ postprocess_final (int rootfs_dfd, rpmostreecxx::Treefile &treefile, gboolean un - if (!rpmostree_rootfs_postprocess_common (rootfs_dfd, cancellable, error)) - return FALSE; - -+ g_print ("Adding rpm-ostree-0-integration.conf\n"); -+ /* This is useful if we're running in an uninstalled configuration, e.g. -+ * during tests. */ -+ const char *pkglibdir_path = g_getenv ("RPMOSTREE_UNINSTALLED_PKGLIBDIR") ?: PKGLIBDIR; -+ glnx_autofd int pkglibdir_dfd = -1; -+ -+ if (!glnx_opendirat (AT_FDCWD, pkglibdir_path, TRUE, &pkglibdir_dfd, error)) -+ return FALSE; -+ -+ if (!glnx_shutil_mkdir_p_at (rootfs_dfd, "usr/lib/tmpfiles.d", 0755, cancellable, error)) -+ return FALSE; -+ -+ if (!glnx_file_copy_at (pkglibdir_dfd, "rpm-ostree-0-integration.conf", NULL, rootfs_dfd, -+ tmpfiles_integration_path, -+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -+ cancellable, error)) -+ return FALSE; -+ -+ if (treefile.get_opt_usrlocal () == rpmostreecxx::OptUsrLocal::StateOverlay) -+ { -+ if (!glnx_file_copy_at ( -+ pkglibdir_dfd, "rpm-ostree-0-integration-opt-usrlocal-compat.conf", NULL, rootfs_dfd, -+ "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal-compat.conf", -+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -+ cancellable, error)) -+ return FALSE; -+ } -+ else -+ { -+ if (!glnx_file_copy_at (pkglibdir_dfd, 
"rpm-ostree-0-integration-opt-usrlocal.conf", NULL, -+ rootfs_dfd, -+ "usr/lib/tmpfiles.d/rpm-ostree-0-integration-opt-usrlocal.conf", -+ GLNX_FILE_COPY_NOXATTRS, /* Don't take selinux label */ -+ cancellable, error)) -+ return FALSE; -+ } -+ - /* Handle kernel/initramfs if we're not doing a container */ - if (!container) - { --- -2.43.0 - diff --git a/0001-unit-chmod-etc-g-shadow-to-0000.patch b/0001-unit-chmod-etc-g-shadow-to-0000.patch deleted file mode 100644 index 5066d5a..0000000 --- a/0001-unit-chmod-etc-g-shadow-to-0000.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 7d27c0a85af81d8f6dffc8bf1fa0ab13b77859c0 Mon Sep 17 00:00:00 2001 -From: jbtrystram -Date: Thu, 21 Mar 2024 17:27:21 +0100 -Subject: [PATCH 1/2] unit: chmod /etc/[g]shadow[-] to 0000 - -fdb879c introduced a regression where /etc/[g]shadow[-] files where -created with default permissions: 0644 - -This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000 -before interactive login is allowed on a system. - -This will fix the systems that were deployed with the above issue. - -We keep the stamp in /etc to account for the case where a deployment -with this unit is rolled back. If we used /var, the stamp would have -stayed but the fix would not be re-applied on the next update. ---- - Makefile-daemon.am | 1 + - packaging/rpm-ostree.spec.in | 5 +++++ - src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++ - 3 files changed, 25 insertions(+) - create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service - -diff --git a/Makefile-daemon.am b/Makefile-daemon.am -index 4233d90d..f96f49a9 100644 ---- a/Makefile-daemon.am -+++ b/Makefile-daemon.am -@@ -60,6 +60,7 @@ systemdunit_service_file_names = \ - rpm-ostreed-automatic.service \ - rpm-ostree-bootstatus.service \ - rpm-ostree-countme.service \ -+ rpm-ostree-fix-shadow-mode.service \ - $(NULL) - - systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names)) -diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in -index 8aa9afaa..f734f676 100644 ---- a/packaging/rpm-ostree.spec.in -+++ b/packaging/rpm-ostree.spec.in -@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \ - # Setup rpm-ostree-countme.timer according to presets - %post - %systemd_post rpm-ostree-countme.timer -+# Only enable on rpm-ostree based systems and manually force unit enablement to -+# explicitly ignore presets for this security fix -+if [ -e /run/ostree-booted ]; then -+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service 
/usr/lib/systemd/system/multi-user.target.wants/ -+fi - - %preun - %systemd_preun rpm-ostree-countme.timer -diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service -new file mode 100644 -index 00000000..4aea7462 ---- /dev/null -+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service -@@ -0,0 +1,19 @@ -+[Unit] -+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`. -+# This makes sure to fix permissions on systems that were deployed with the wrong permissions. -+Description=Update permissions for /etc/shadow -+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6 -+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp -+ConditionPathExists=/run/ostree-booted -+# Make sure this is started before any unprivileged (interactive) user has access to the system. -+Before=systemd-user-sessions.service -+ -+[Service] -+Type=oneshot -+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow -+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow- -+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp -+RemainAfterExit=yes -+ -+[Install] -+WantedBy=multi-user.target --- -2.44.0 - diff --git a/0002-passwd-create-etc-g-shadow-with-mode-0.patch b/0002-passwd-create-etc-g-shadow-with-mode-0.patch deleted file mode 100644 index 3156dce..0000000 --- a/0002-passwd-create-etc-g-shadow-with-mode-0.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 3b4c96c5c49a537fba2e0cda0c6ee6bd58cac625 Mon Sep 17 00:00:00 2001 -From: Jonathan Lebon -Date: Tue, 19 Mar 2024 15:20:43 -0400 -Subject: [PATCH 2/2] passwd: create `/etc/[g]shadow` with mode 0 - -Because of how our composes work, we need to manually inject -passwd-related things before installing packages. A somewhat recent -regression in that area made it so that the `/etc/shadow` and -`/etc/gshadow` files were created with default permissions (0644), which -meant they were world readable. - -Fix this by explicitly setting their modes to 0. Ideally, we would rely -on the canonical permissions set in the `setup` package here, but it's -tricky to fix that without reworking how we install `setup` and handle -`passwd` treefile options. - -Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to -`etc/{passwd,group}`"). - -Fixes #4401 ---- - rust/src/passwd.rs | 14 ++++++++++++++ - tests/compose/libbasic-test.sh | 5 +++++ - 2 files changed, 19 insertions(+) - -diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs -index 79ee488f..8f0e5841 100644 ---- a/rust/src/passwd.rs -+++ b/rust/src/passwd.rs -@@ -421,6 +421,12 @@ fn write_data_from_treefile( - let db = rootfs.open(target_passwd_path).map(BufReader::new)?; - let shadow_name = target.shadow_file(); - let target_shadow_path = format!("{}{}", dest_path, shadow_name); -+ // Ideally these permissions come from `setup`, which is the package -+ // that owns these files: -+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96 -+ // But at this point of the compose, the rootfs is completely empty; we -+ // haven't started unpacking things yet. So we need to hardcode it here. 
-+ let shadow_perms = cap_std::fs::Permissions::from_mode(0); - - match target { - PasswdKind::User => { -@@ -430,6 +436,10 @@ fn write_data_from_treefile( - for user in entries { - writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?; - } -+ target_shadow -+ .get_mut() -+ .as_file_mut() -+ .set_permissions(shadow_perms)?; - Ok(()) - }) - .with_context(|| format!("Writing {target_shadow_path}"))?; -@@ -441,6 +451,10 @@ fn write_data_from_treefile( - for group in entries { - writeln!(target_shadow, "{}:::", group.name)?; - } -+ target_shadow -+ .get_mut() -+ .as_file_mut() -+ .set_permissions(shadow_perms)?; - Ok(()) - }) - .with_context(|| format!("Writing {target_shadow_path}"))?; -diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh -index 0a751760..3f7c6d8a 100644 ---- a/tests/compose/libbasic-test.sh -+++ b/tests/compose/libbasic-test.sh -@@ -22,6 +22,11 @@ validate_passwd group - ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt - assert_file_has_content_literal passwd.txt '00644 ' - -+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt -+assert_file_has_content_literal shadow.txt '00000 ' -+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt -+assert_file_has_content_literal gshadow.txt '00000 ' -+ - ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt - assert_file_has_content_literal useradd.txt HOME=/var/home - --- -2.44.0 - diff --git a/rpm-ostree.spec b/rpm-ostree.spec index 2e6872b..293ba7a 100644 --- a/rpm-ostree.spec +++ b/rpm-ostree.spec 
@@ -3,19 +3,14 @@ Summary: Hybrid image/package system Name: rpm-ostree -Version: 2024.4 -Release: 4%{?dist} +Version: 2024.5 +Release: 1%{?dist} License: LGPLv2+ URL: https://github.com/coreos/rpm-ostree # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot" # in the upstream git. It also contains vendored Rust sources. Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz -# https://issues.redhat.com/browse/RHEL-29559 -Patch0: 0001-Revert-compose-Inject-our-static-tmpfiles.d-dropins-.patch -Patch1: 0001-unit-chmod-etc-g-shadow-to-0000.patch -Patch2: 0002-passwd-create-etc-g-shadow-with-mode-0.patch - ExclusiveArch: %{rust_arches} BuildRequires: make @@ -249,9 +244,13 @@ fi %files devel -f files.devel %changelog +* Mon Apr 15 2024 Joseph Marrero - 2024.5-1 +- Rebase to 2024.5 + Adds fix for https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 + Resolves: #RHEL-30415 + * Tue Apr 09 2024 Joseph Marrero - 2024.4-4 - Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 - Resolves: #RHEL-31951 * Thu Mar 21 2024 Colin Walters - 2024.4-3 - Backport patch to fix https://issues.redhat.com/browse/RHEL-29559 diff --git a/sources b/sources index bc21ed5..0633670 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (rpm-ostree-2024.4.tar.xz) = e5b5f77fa574c3778b1332453392719cd561746a8677b19eee4febbc44b3c8c2da8415a066bfe7d4228606340f8a1c38f46ee64879b9d762fe8091f54d019c0f +SHA512 (rpm-ostree-2024.5.tar.xz) = 6d684f6f8c586cfe5dbccc6831c4d69da8da04907e0a53adb4d995d42878b86466c1b97e8665e30aeeb94d9795bbda76888ccb7bf00b32a5502ffb9dfa045f66
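Review bot: Dropping Patch0–Patch2 in the first spec hunk leaves no record in the spec of why they are gone; the `# https://issues.redhat.com/browse/RHEL-29559` comment is removed together with Patch0, and the new changelog entry cites only the GHSA, not the tmpfiles.d revert (upstream issue #4879 per the deleted patch header) nor the fix-shadow-mode unit that remediated already-deployed systems. This is only safe if the 2024.5 tarball carries equivalents of all three upstream commits, which the diff itself cannot show, so that should be confirmed against the upstream 2024.5 tag before merging. I would make the drop auditable in the changelog, e.g. `- Drop Patch0-2, now included upstream in 2024.5 (RHEL-29559, GHSA-2m76-cwhg-7wv6)`. The `fi` context on the second hunk suggests an `if`/`fi` scriptlet still precedes `%files devel`; if that is the `%post` wants-symlink step that Patch1 introduced, it should be revisited now that the unit is no longer patched in.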