diff --git a/19950.patch b/19950.patch
deleted file mode 100644
index fc08006..0000000
--- a/19950.patch
+++ /dev/null
@@ -1,273 +0,0 @@ -From 420ae742ef584fbe5b98780c3cdada528a45ad67 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Sun, 23 May 2021 22:00:22 +0200 -Subject: [PATCH] meson: allow "soft-static" allocations for uids and gids in - the initrd - -The general idea with users and groups created through sysusers is that an -appropriate number is picked when the allocation is made. The number that is -selected will be different on each system based on the order of creation of -users, installed packages, etc. Since system users and groups are not shared -between installations, this generally is not an issue. But it becomes a problem -for initrd: some file systems are shared between the initrd and the host (/run -and /dev are probably the only ones that matter). If the allocations are -different in the host and the initrd, and files survive switch-root, they will -have wrong ownership. - -This makes the gids build-time-configurable for all groups and users where -state may survive the switch from initrd to the host. - -In particular, all "hardware access" groups are like this: files in /dev will -be owned by them. Eventually the new udev would change ownership, but there -would be a momemnt where the files were owned by the wrong group. The -allocations are "soft-static" in the language of Fedora packaging guidelines: -the uid/gid will be used if possible, but we'll fall back to a different -one. TTY_GID is the exception, because the number is used directly. - -Similarly, the possibility to configure "soft-static" uids is added for daemons -which may usefully run in the initramfs: systemd-network (lease information and -interface state is serialized to /run), systemd-resolve (stub files and -interface state), systemd-timesync (/run/systemd/timesync). - -Journal files are owned by the group systemd-journal, and acls are granted -for wheel and adm. 
- -systemd-oom and systemd-coredump are excluded from this patch: I assume that -oomd is not useful in the initrd, and coredump leaves no state (it only creates -a pipe in /run?). - -The defaults are not changed: if nothing is configured, dynamic allocation will -be used. I looked at a Debian system, and the numbers are all different than -on Fedora. - -For Fedora, see the list of uids and gids at https://pagure.io/setup/blob/master/f/uidgid. -In particular, systemd-network and systemd-resolve got soft-static numbers to -make it easy to transition from a non-host-specific initrd to a host system -already a few years back (https://bugzilla.redhat.com/show_bug.cgi?id=1102002). - -I also requested static allocations for sgx, input, render in -https://pagure.io/packaging-committee/issue/1078, -https://pagure.io/setup/pull-request/27. ---- - meson.build | 40 ++++++++++++++++++++++++------- - meson_options.txt | 48 ++++++++++++++++++++++++++++++++++---- - sysusers.d/basic.conf.in | 38 +++++++++++++++--------------- - sysusers.d/systemd.conf.in | 8 +++---- - 4 files changed, 99 insertions(+), 35 deletions(-) - -diff --git a/meson.build b/meson.build -index 0b136529e3a1..3634ce0a3cb0 100644 ---- a/meson.build -+++ b/meson.build -@@ -793,12 +793,37 @@ endif - conf.set_quoted('NOBODY_USER_NAME', nobody_user) - conf.set_quoted('NOBODY_GROUP_NAME', nobody_group) - --tty_gid = get_option('tty-gid') --conf.set('TTY_GID', tty_gid) -- --# Ensure provided GID argument is numeric, otherwise fall back to default assignment --users_gid = get_option('users-gid') --conf.set('USERS_GID', users_gid < 0 ? 
'-' : users_gid) -+static_ugids = [] -+foreach option : ['adm-gid', -+ 'audio-gid', -+ 'cdrom-gid', -+ 'dialout-gid', -+ 'disk-gid', -+ 'input-gid', -+ 'kmem-gid', -+ 'kvm-gid', -+ 'lp-gid', -+ 'render-gid', -+ 'sgx-gid', -+ 'tape-gid', -+ 'tty-gid', -+ 'users-gid', -+ 'utmp-gid', -+ 'video-gid', -+ 'wheel-gid', -+ 'systemd-journal-gid', -+ 'systemd-network-uid', -+ 'systemd-resolve-uid', -+ 'systemd-timesync-uid'] -+ name = option.underscorify().to_upper() -+ val = get_option(option) -+ -+ # Ensure provided GID argument is numeric, otherwise fall back to default assignment -+ conf.set(name, val >= 0 ? val : '-') -+ if val >= 0 -+ static_ugids += '@0@:@1@'.format(option, val) -+ endif -+endforeach - - conf.set10('ENABLE_ADM_GROUP', get_option('adm-group')) - conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group')) -@@ -3713,14 +3738,13 @@ status = [ - 'extra start script: @0@'.format(get_option('rc-local')), - 'debug shell: @0@ @ @1@'.format(get_option('debug-shell'), - get_option('debug-tty')), -- 'TTY GID: @0@'.format(tty_gid), -- 'users GID: @0@'.format(conf.get('USERS_GID')), - 'system UIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_UID_MAX'), - conf.get('SYSTEM_ALLOC_UID_MIN')), - 'system GIDs: <=@0@ (alloc >=@1@)'.format(conf.get('SYSTEM_GID_MAX'), - conf.get('SYSTEM_ALLOC_GID_MIN')), - 'dynamic UIDs: @0@…@1@'.format(dynamic_uid_min, dynamic_uid_max), - 'container UID bases: @0@…@1@'.format(container_uid_base_min, container_uid_base_max), -+ 'static UID/GID allocations: @0@'.format(' '.join(static_ugids)), - '/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')), - 'render group access mode: @0@'.format(get_option('group-render-mode')), - 'certificate root directory: @0@'.format(get_option('certificate-root')), -diff --git a/meson_options.txt b/meson_options.txt -index fc58e888d939..5048de755d91 100644 ---- a/meson_options.txt -+++ b/meson_options.txt -@@ -204,6 +204,7 @@ option('status-unit-format-default', type : 'combo', - description : 'use 
unit name or description in messages by default') - option('time-epoch', type : 'integer', value : '-1', - description : 'time epoch for time clients') -+ - option('system-alloc-uid-min', type : 'integer', value : '-1', - description : 'minimum system UID used when allocating') - option('system-alloc-gid-min', type : 'integer', value : '-1', -@@ -220,10 +221,6 @@ option('container-uid-base-min', type : 'integer', value : 0x00080000, - description : 'minimum container UID base') - option('container-uid-base-max', type : 'integer', value : 0x6FFF0000, - description : 'maximum container UID base') --option('tty-gid', type : 'integer', value : 5, -- description : 'the numeric GID of the "tty" group') --option('users-gid', type : 'integer', value : '-1', -- description : 'the numeric GID of the "users" group') - option('adm-group', type : 'boolean', - description : 'the ACL for adm group should be added') - option('wheel-group', type : 'boolean', -@@ -234,6 +231,49 @@ option('nobody-user', type : 'string', - option('nobody-group', type : 'string', - description : 'The name of the nobody group (the one with GID 65534)', - value : 'nobody') -+option('adm-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "adm" group') -+option('audio-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "audio" group') -+option('cdrom-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "cdrom" group') -+option('dialout-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "dialout" group') -+option('disk-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "disk" group') -+option('input-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "input" group') -+option('kmem-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "kmem" group') 
-+option('kvm-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "kvm" group') -+option('lp-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "lp" group') -+option('render-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "render" group') -+option('sgx-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "sgx" group') -+option('tape-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "tape" group') -+option('tty-gid', type : 'integer', value : 5, -+ description : 'the numeric GID of the "tty" group') -+option('users-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "users" group') -+option('utmp-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "utmp" group') -+option('video-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "video" group') -+option('wheel-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the "wheel" group') -+option('systemd-journal-gid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the systemd-journal group') -+option('systemd-network-uid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the systemd-network user') -+option('systemd-resolve-uid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the systemd-resolve user') -+option('systemd-timesync-uid', type : 'integer', value : '-1', -+ description : 'soft-static allocation for the systemd-timesync user') -+ - option('dev-kvm-mode', type : 'string', value : '0666', - description : '/dev/kvm access mode') - option('group-render-mode', type : 'string', value : '0666', -diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in -index 9da02514216d..8cc1a7cad218 100644 ---- 
a/sysusers.d/basic.conf.in -+++ b/sysusers.d/basic.conf.in -@@ -12,28 +12,28 @@ u root 0 "Super User" /root - u {{NOBODY_USER_NAME}} 65534 "Nobody" - - - # Administrator group: can *see* more than normal users --g adm - - - -+g adm {{ADM_GID }} - - - - # Administrator group: can *do* more than normal users --g wheel - - - -+g wheel {{WHEEL_GID }} - - - --# Access to certain kernel and userspace facilities --g kmem - - - --g tty {{TTY_GID}} - - --g utmp - - - -+# Access to shared database of users on the system -+g utmp {{UTMP_GID }} - - - --# Hardware access groups --g audio - - - --g cdrom - - - --g dialout - - - --g disk - - - --g input - - - --g kvm - - - --g lp - - - --g render - - - --g sgx - - - --g tape - - - --g video - - - -+# Physical and virtual hardware access groups -+g audio {{AUDIO_GID }} - - -+g cdrom {{CDROM_GID }} - - -+g dialout {{DIALOUT_GID}} - - -+g disk {{DISK_GID }} - - -+g input {{INPUT_GID }} - - -+g kmem {{KMEM_GID }} - - -+g kvm {{KVM_GID }} - - -+g lp {{LP_GID }} - - -+g render {{RENDER_GID }} - - -+g sgx {{SGX_GID }} - - -+g tape {{TAPE_GID }} - - -+g tty {{TTY_GID }} - - -+g video {{VIDEO_GID }} - - - - # Default group for normal users --g users {{USERS_GID}} - - -+g users {{USERS_GID }} - - -diff --git a/sysusers.d/systemd.conf.in b/sysusers.d/systemd.conf.in -index 9905eb596c61..9941ef8ef4f7 100644 ---- a/sysusers.d/systemd.conf.in -+++ b/sysusers.d/systemd.conf.in -@@ -5,18 +5,18 @@ - # the Free Software Foundation; either version 2.1 of the License, or - # (at your option) any later version. 
- --g systemd-journal - - -+g systemd-journal {{SYSTEMD_JOURNAL_GID}} - - {% if ENABLE_NETWORKD %} --u systemd-network - "systemd Network Management" -+u systemd-network {{SYSTEMD_NETWORK_UID}} "systemd Network Management" - {% endif %} - {% if ENABLE_OOMD %} - u systemd-oom - "systemd Userspace OOM Killer" - {% endif %} - {% if ENABLE_RESOLVE %} --u systemd-resolve - "systemd Resolver" -+u systemd-resolve {{SYSTEMD_RESOLVE_UID}} "systemd Resolver" - {% endif %} - {% if ENABLE_TIMESYNCD %} --u systemd-timesync - "systemd Time Synchronization" -+u systemd-timesync {{SYSTEMD_TIMESYNC_UID}} "systemd Time Synchronization" - {% endif %} - {% if ENABLE_COREDUMP %} - u systemd-coredump - "systemd Core Dumper"
diff --git a/sources b/sources
index fcb0ef4..3d957a7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-249-rc1.tar.gz) = dd75fd6a2f63ce296973c7052ebd199619c99805935e9e04a65b58b0de6053f51157233070f32a4731c43cb65e8d232051a0b5c26508256218ae63f11cd24f1b
+SHA512 (systemd-249-rc2.tar.gz) = 97570607fb3262cbcf9c956eb6a05d83877de411b6de90d2b359e85fa4cc0e14fe7efd6e71e135f9922374fb69ee7f328c3d2240bf736d0016b8fbb68e3f0725
diff --git a/systemd.spec b/systemd.spec
index 0f0f169..f7e9921 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -30,8 +30,8 @@ Name: systemd
 Url: https://www.freedesktop.org/wiki/Software/systemd
 %if %{without inplace}
-Version: 249~rc1
-Release: 2%{?dist}
+Version: 249~rc2
+Release: 1%{?dist}
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -91,7 +91,7 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # Any patches which are "in preparation" upstream should be listed
 # here, rather than in the next section. Packit CI will drop any
 # patches in this range before applying upstream pull requests.
-Patch0001: https://github.com/systemd/systemd/pull/19950.patch
+
 
 # Downstream-only patches (5000–9999)
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
@@ -995,12 +995,17 @@ fi
 %files standalone-sysusers -f .file-list-standalone-sysusers
 
 %changelog
+* Fri Jun 25 2021 Zbigniew Jędrzejewski-Szmek - 249~rc2-1
+- Latest upstream prerelease with various bugfixes, see
+ https://github.com/systemd/systemd/blob/v248-rc2/NEWS.
+- Ignore FORCERENEW DHCP packets (TALOS-2020-1142, CVE-2020-13529, #1959398)
+
 * Thu Jun 17 2021 Adam Williamson - 249~rc1-2
 - Stop systemd providing systemd-resolved, now the subpackage exists (#1973462)
 
 * Wed Jun 16 2021 Zbigniew Jędrzejewski-Szmek - 249~rc1-1
 - Latest upstream prerelease, see
- https://github.com/systemd/systemd/blob/v248-rc4/NEWS.
+ https://github.com/systemd/systemd/blob/v249-rc1/NEWS.
 Fixes #1963428.
 - Use systemd-sysusers to create users (#1965815)
 - Move systemd-resolved into systemd-resolved subpackage (#1923727)
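Review bot: The NEWS link in the new 249~rc2-1 changelog entry points at the `v248-rc2` tag, which does not match the release it describes; the same hunk corrects the older entry from `v248-rc4` to `v249-rc1`, so the new line should read `https://github.com/systemd/systemd/blob/v249-rc2/NEWS.`. The entry also records the CVE-2020-13529 FORCERENEW fix, which is the one line a downstream consumer will search this changelog for, so keeping the link accurate matters here. The earlier hunk drops `Patch0001` (the PR 19950 patch) without a changelog line, presumably because that change is now carried by the rc2 tarball; a bullet such as `- Drop the PR 19950 patch, now part of the upstream release` would keep the reason visible once the deleted patch file is gone from history.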