diff --git a/0683-man-reword-the-description-of-secure-pager-handling.patch b/0683-man-reword-the-description-of-secure-pager-handling.patch new file mode 100644 index 0000000..0996933 --- /dev/null +++ b/0683-man-reword-the-description-of-secure-pager-handling.patch 
@@ -0,0 +1,90 @@ +From ac160a968eb734f18e662bb48254e5200489df77 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 6 May 2025 11:14:10 +0200 +Subject: [PATCH] man: reword the description of "secure pager" handling + +The existing description was not *wrong*, but it was a bit muddled. Let's +reorder the text to give a short intro and then describe what the options +actually do and the clear "true" and "false" cases first, and then describe +autodetection. + +Related to https://yeswehack.com/vulnerability-center/reports/346802. + +(cherry picked from commit 718dbdb2ca4458cf91711cd9a7de3a972e46658e) + +Related: RHEL-102939 +--- + man/common-variables.xml | 58 ++++++++++++++++++++++++++-------------- + 1 file changed, 38 insertions(+), 20 deletions(-) + +diff --git a/man/common-variables.xml b/man/common-variables.xml +index 2d26bf7242..9f322dbf23 100644 +--- a/man/common-variables.xml ++++ b/man/common-variables.xml +@@ -167,28 +167,46 @@ + + $SYSTEMD_PAGERSECURE + +- Takes a boolean argument. When true, the "secure" mode of the pager is enabled; if +- false, disabled. If $SYSTEMD_PAGERSECURE is not set at all, secure mode is enabled +- if the effective UID is not the same as the owner of the login session, see +- geteuid2 +- and sd_pid_get_owner_uid3. +- In secure mode, will be set when invoking the pager, and the pager shall +- disable commands that open or create new files or start new subprocesses. When +- $SYSTEMD_PAGERSECURE is not set at all, pagers which are not known to implement +- secure mode will not be used. (Currently only +- less1 +- implements secure mode.) +- +- Note: when commands are invoked with elevated privileges, for example under ++ Common pager commands like less1, in ++ addition to "paging", i.e. scrolling through the output, support opening of or writing to other files ++ and running arbitrary shell commands. 
When commands are invoked with elevated privileges, for example ++ under sudo8 or + pkexec1, care +- must be taken to ensure that unintended interactive features are not enabled. "Secure" mode for the +- pager may be enabled automatically as describe above. Setting SYSTEMD_PAGERSECURE=0 +- or not removing it from the inherited environment allows the user to invoke arbitrary commands. Note +- that if the $SYSTEMD_PAGER or $PAGER variables are to be +- honoured, $SYSTEMD_PAGERSECURE must be set too. It might be reasonable to completely +- disable the pager using instead. ++ project='die-net'>pkexec1, the ++ pager becomes a security boundary. Care must be taken that only programs with strictly limited ++ functionality are used as pagers, and unintended interactive features like opening or creation of new ++ files or starting of subprocesses are not allowed. "Secure mode" for the pager may be enabled as ++ described below, if the pager supports that (most pagers are not written in a way ++ that takes this into consideration). It is recommended to either explicitly enable "secure mode" or to ++ completely disable the pager using or PAGER=cat when ++ allowing untrusted users to execute commands with elevated privileges. ++ ++ This option takes a boolean argument. When set to true, the "secure mode" of the pager is ++ enabled. In "secure mode", will be set when invoking the pager, which ++ instructs the pager to disable commands that open or create new files or start new subprocesses. ++ Currently only less1 is known ++ to understand this variable and implement "secure mode". ++ ++ When set to false, no limitation is placed on the pager. Setting ++ SYSTEMD_PAGERSECURE=0 or not removing it from the inherited environment may allow ++ the user to invoke arbitrary commands. ++ ++ When $SYSTEMD_PAGERSECURE is not set, systemd tools attempt to automatically ++ figure out if "secure mode" should be enabled and whether the pager supports it. 
"Secure mode" is ++ enabled if the effective UID is not the same as the owner of the login session, see ++ geteuid2 ++ and ++ sd_pid_get_owner_uid3. ++ In this case, SYSTEMD_PAGERSECURE=1 will be set and pagers which are not known to ++ implement "secure mode" will not be used at all. ++ ++ Note that if the $SYSTEMD_PAGER or $PAGER variables are to ++ be honoured, $SYSTEMD_PAGERSECURE must be set too. ++ + + + diff --git a/0684-pager-also-check-for-SUDO_UID.patch b/0684-pager-also-check-for-SUDO_UID.patch new file mode 100644 index 0000000..e209363 --- /dev/null +++ b/0684-pager-also-check-for-SUDO_UID.patch 
@@ -0,0 +1,132 @@ +From 517489471d6f314e834a6ee675974151ce2e0234 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 6 May 2025 14:29:02 +0200 +Subject: [PATCH] pager: also check for $SUDO_UID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This returns to the original approach proposed in +https://github.com/systemd/systemd/pull/17270. After review, the approach was +changed to use sd_pid_get_owner_uid() instead. Back then, when running in a +typical graphical session, sd_pid_get_owner_uid() would usually return the user +UID, and when running under sudo, geteuid() would return 0, so we'd trigger the +secure path. + +sudo may allocate a new session if is invoked outside of a session (depending +on the PAM config). Since nowadays desktop environments usually start the user +shell through user units, the typical shell in a terminal emulator is not part +of a session, and when sudo is invoked, a new session is allocated, and +sd_pid_get_owner_uid() returns 0 too. Technically, the code still works as +documented in the man page, but in the common case, it doesn't do the expected +thing. + +$ build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)' +sd_pid_get_session(0) → No data available +sd_pid_get_owner_uid(0) → 1000 +sd_pid_get_cgroup(0) → /user.slice/user-1000.slice/user@1000.service/app.slice/app-ghostty-transient-5088.scope/surfaces/556FAF50BA40.scope + +$ sudo build/test-sd-login |& rg 'get_(owner_uid|cgroup|session)' +sd_pid_get_session(0) → c289 +sd_pid_get_owner_uid(0) → 0 +sd_pid_get_cgroup(0) → /user.slice/user-0.slice/session-c289.scope + +I think it's worth checking for sudo because it is a common case used by users. +There obviously are other mechanims, so the man page is extended to say that +only some common mechanisms are supported, and to (again) recommend setting +SYSTEMD_LESSSECURE explicitly. The other option would be to set "secure mode" +by default. 
But this would create an inconvenience for users doing the right +thing, running systemctl and other tools directly, because then they can't run +privileged commands from the pager, e.g. to save the output to a file. (Or the +user would need to explicitly set SYSTEMD_LESSSECURE. One option would be to +set it always in the environment and to rely on sudo and other tools stripping +it from the environment before running privileged code. But that is also fairly +fragile and it obviously relies on the user doing a complicated setup to +support a fairly common use case. I think this decreases usability of the +system quite a bit. I don't think we should build solutions that work in +priniciple, but are painfully inconvenient in common cases.) + +Fixes https://yeswehack.com/vulnerability-center/reports/346802. + +Also see https://github.com/polkit-org/polkit/pull/562, which adds support for +$SUDO_UID/$SUDO_GID to pkexec. + +(cherry picked from commit cd93478af8b9dc69478d5667f113b67d175090fa) + +Resolves: RHEL-102939 +--- + man/common-variables.xml | 13 ++++++++++--- + src/shared/pager.c | 29 +++++++++++++++++++---------- + 2 files changed, 29 insertions(+), 13 deletions(-) + +diff --git a/man/common-variables.xml b/man/common-variables.xml +index 9f322dbf23..825cfe57e9 100644 +--- a/man/common-variables.xml ++++ b/man/common-variables.xml +@@ -200,9 +200,16 @@ + enabled if the effective UID is not the same as the owner of the login session, see + geteuid2 + and +- sd_pid_get_owner_uid3. +- In this case, SYSTEMD_PAGERSECURE=1 will be set and pagers which are not known to +- implement "secure mode" will not be used at all. ++ sd_pid_get_owner_uid3, ++ or when running under ++ sudo8 or similar ++ tools ($SUDO_UID is set ++ It is recommended for other tools to set and check $SUDO_UID as appropriate, ++ treating it is a common interface.). 
In those cases, ++ SYSTEMD_PAGERSECURE=1 will be set and pagers which are not known to implement ++ "secure mode" will not be used at all. Note that this autodetection only covers the most common ++ mechanisms to elevate privileges and is intended as convenience. It is recommended to explicitly set ++ $SYSTEMD_PAGERSECURE or disable the pager. + + Note that if the $SYSTEMD_PAGER or $PAGER variables are to + be honoured, $SYSTEMD_PAGERSECURE must be set too. +diff --git a/src/shared/pager.c b/src/shared/pager.c +index 9b8ae76700..f1043ec132 100644 +--- a/src/shared/pager.c ++++ b/src/shared/pager.c +@@ -82,6 +82,22 @@ static int no_quit_on_interrupt(int exe_name_fd, const char *less_opts) { + return r; + } + ++static bool running_with_escalated_privileges(void) { ++ int r; ++ ++ if (getenv("SUDO_UID")) ++ return true; ++ ++ uid_t uid; ++ r = sd_pid_get_owner_uid(0, &uid); ++ if (r < 0) { ++ log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m"); ++ return true; ++ } ++ ++ return uid != geteuid(); ++} ++ + void pager_open(PagerFlags flags) { + _cleanup_close_pair_ int fd[2] = EBADF_PAIR, exe_name_pipe[2] = EBADF_PAIR; + _cleanup_strv_free_ char **pager_args = NULL; +@@ -177,16 +193,9 @@ void pager_open(PagerFlags flags) { + * know to be good. */ + int use_secure_mode = secure_getenv_bool("SYSTEMD_PAGERSECURE"); + bool trust_pager = use_secure_mode >= 0; +- if (use_secure_mode == -ENXIO) { +- uid_t uid; +- +- r = sd_pid_get_owner_uid(0, &uid); +- if (r < 0) +- log_debug_errno(r, "sd_pid_get_owner_uid() failed, enabling pager secure mode: %m"); +- +- use_secure_mode = r < 0 || uid != geteuid(); +- +- } else if (use_secure_mode < 0) { ++ if (use_secure_mode == -ENXIO) ++ use_secure_mode = running_with_escalated_privileges(); ++ else if (use_secure_mode < 0) { + log_warning_errno(use_secure_mode, "Unable to parse $SYSTEMD_PAGERSECURE, assuming true: %m"); + use_secure_mode = true; + } 
diff --git a/0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch b/0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch new file mode 100644 index 0000000..affcf16 --- /dev/null +++ b/0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch 
@@ -0,0 +1,38 @@ +From fef6198a931a9d7538c0c93a446fd02ffc52fc79 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 25 Jun 2026 14:26:45 +0200 +Subject: [PATCH] Revert "mount-setup: tune down log level if usrquota is not + supported, apply usrquota when smack is in use too" + +This reverts commit d5642d888c6bc1b8014b727b6b1b4851a0829239. + +Reverts: RHEL-143028 +--- + src/shared/mount-setup.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c +index 4c5151c7db..93e646d045 100644 +--- a/src/shared/mount-setup.c ++++ b/src/shared/mount-setup.c +@@ -90,7 +90,7 @@ static const MountPoint mount_table[] = { + { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV, + mac_smack_use, MNT_FATAL }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=01777,smackfsroot=*", MS_NOSUID|MS_NODEV|MS_STRICTATIME, +- mac_smack_use, MNT_FATAL|MNT_USRQUOTA_GRACEFUL }, ++ mac_smack_use, MNT_FATAL }, + #endif + { "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL }, +@@ -194,9 +194,9 @@ static int mount_one(const MountPoint *p, bool relabel) { + if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) { + r = mount_option_supported(p->type, "usrquota", /* value= */ NULL); + if (r < 0) +- log_full_errno(priority, r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type); ++ log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type); + else if (r == 0) +- log_debug("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where); ++ log_info("Not enabling 'usrquota' on '%s' as kernel lacks support for it.", p->where); + else { + if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota")) + return log_oom(); 
diff --git a/0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch b/0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch new file mode 100644 index 0000000..52cddbf --- /dev/null +++ b/0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch 
@@ -0,0 +1,72 @@ +From 05f890fb4841d10372aee1413340013e701ee210 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 25 Jun 2026 14:28:13 +0200 +Subject: [PATCH] Revert "nspawn: enable usrquota support on /tmp/ and + /dev/shm/" + +This reverts commit b9cfb8c02ec36304e0a3ba730363a6dd747dd26a. + +Reverts: RHEL-143028 +--- + src/nspawn/nspawn-mount.c | 21 ++------------------- + src/nspawn/nspawn-mount.h | 1 - + 2 files changed, 2 insertions(+), 20 deletions(-) + +diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c +index cd5a634ec0..c233cdf600 100644 +--- a/src/nspawn/nspawn-mount.c ++++ b/src/nspawn/nspawn-mount.c +@@ -592,7 +592,7 @@ int mount_all(const char *dest, + + /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing when we are privileged) */ + { "tmpfs", "/tmp", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME, +- MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL }, ++ MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR }, + { "tmpfs", "/sys", "tmpfs", "mode=0555" TMPFS_LIMITS_SYS, MS_NOSUID|MS_NOEXEC|MS_NODEV, + MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR|MOUNT_PRIVILEGED }, + { "sysfs", "/sys", "sysfs", NULL, SYS_DEFAULT_MOUNT_FLAGS, +@@ -602,7 +602,7 @@ int mount_all(const char *dest, + { "tmpfs", "/dev", "tmpfs", "mode=0755" TMPFS_LIMITS_PRIVATE_DEV, MS_NOSUID|MS_STRICTATIME, + MOUNT_FATAL|MOUNT_MKDIR }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=01777" NESTED_TMPFS_LIMITS, MS_NOSUID|MS_NODEV|MS_STRICTATIME, +- MOUNT_FATAL|MOUNT_MKDIR|MOUNT_USRQUOTA_GRACEFUL }, ++ MOUNT_FATAL|MOUNT_MKDIR }, + { "tmpfs", "/run", "tmpfs", "mode=0755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME, + MOUNT_FATAL|MOUNT_MKDIR }, + { "/run/host", "/run/host", NULL, NULL, MS_BIND, +@@ -710,23 +710,6 @@ int mount_all(const char *dest, + o = options; + } + +- if (FLAGS_SET(m->mount_settings, MOUNT_USRQUOTA_GRACEFUL)) { +- r = mount_option_supported(m->type, /* key= */ 
"usrquota", /* value= */ NULL); +- if (r < 0) +- log_warning_errno(r, "Failed to determine if '%s' supports 'usrquota', assuming it doesn't: %m", m->type); +- else if (r == 0) +- log_debug("Kernel doesn't support 'usrquota' on '%s', not including in mount options for '%s'.", m->type, m->where); +- else { +- _cleanup_free_ char *joined = NULL; +- +- if (!strextend_with_separator(&joined, ",", o ?: POINTER_MAX, "usrquota")) +- return log_oom(); +- +- free_and_replace(options, joined); +- o = options; +- } +- } +- + if (FLAGS_SET(m->mount_settings, MOUNT_PREFIX_ROOT)) { + /* Optionally prefix the mount source with the root dir. This is useful in bind + * mounts to be created within the container image before we transition into it. Note +diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h +index 529fa16658..5f66bc7328 100644 +--- a/src/nspawn/nspawn-mount.h ++++ b/src/nspawn/nspawn-mount.h +@@ -21,7 +21,6 @@ typedef enum MountSettingsMask { + MOUNT_PREFIX_ROOT = 1 << 10,/* if set, prefix the source path with the container's root directory */ + MOUNT_FOLLOW_SYMLINKS = 1 << 11,/* if set, we'll follow symlinks for the mount target */ + MOUNT_PRIVILEGED = 1 << 12,/* if set, we'll only mount this in the outer child if we are running in privileged mode */ +- MOUNT_USRQUOTA_GRACEFUL = 1 << 13,/* if set, append "usrquota" to mount options if kernel tmpfs supports that */ + } MountSettingsMask; + + typedef enum CustomMountType { diff --git a/0687-Revert-units-enable-usrquota-support-on-tmp.patch b/0687-Revert-units-enable-usrquota-support-on-tmp.patch new file mode 100644 index 0000000..4116bdc --- /dev/null +++ b/0687-Revert-units-enable-usrquota-support-on-tmp.patch 
@@ -0,0 +1,25 @@ +From 9da37815ff97c67a890f2e74893a7e79d45bded9 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 25 Jun 2026 14:28:48 +0200 +Subject: [PATCH] Revert "units: enable usrquota support on /tmp/" + +This reverts commit bc192261e4801ad27a8610fea4e10010d705bfc0. + +Reverts: RHEL-143028 +--- + units/tmp.mount | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/units/tmp.mount b/units/tmp.mount +index 373b131211..d7beaa8d14 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -22,7 +22,7 @@ After=swap.target + What=tmpfs + Where=/tmp + Type=tmpfs +-Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m,x-systemd.graceful-option=usrquota ++Options=mode=1777,strictatime,nosuid,nodev,size=50%%,nr_inodes=1m + + # Make 'systemctl enable tmp.mount' work: + [Install] diff --git a/0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch b/0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch new file mode 100644 index 0000000..345e587 --- /dev/null +++ b/0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch 
@@ -0,0 +1,75 @@ +From 1d0d81d776f35dc0c5c2f98fbf546fee06fdf2ff Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 25 Jun 2026 14:29:22 +0200 +Subject: [PATCH] Revert "pid1: enable usrquota support on /dev/shm" + +This reverts commit 75f712d4fb8d5b05f28eda98e9ae44512ba6d7f8. + +Reverts: RHEL-143028 +--- + src/shared/mount-setup.c | 33 ++++++++------------------------- + 1 file changed, 8 insertions(+), 25 deletions(-) + +diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c +index 93e646d045..e7a315a420 100644 +--- a/src/shared/mount-setup.c ++++ b/src/shared/mount-setup.c +@@ -34,12 +34,11 @@ + #include "virt.h" + + typedef enum MountMode { +- MNT_NONE = 0, +- MNT_FATAL = 1 << 0, +- MNT_IN_CONTAINER = 1 << 1, +- MNT_CHECK_WRITABLE = 1 << 2, +- MNT_FOLLOW_SYMLINK = 1 << 3, +- MNT_USRQUOTA_GRACEFUL = 1 << 4, ++ MNT_NONE = 0, ++ MNT_FATAL = 1 << 0, ++ MNT_IN_CONTAINER = 1 << 1, ++ MNT_CHECK_WRITABLE = 1 << 2, ++ MNT_FOLLOW_SYMLINK = 1 << 3, + } MountMode; + + typedef struct MountPoint { +@@ -93,7 +92,7 @@ static const MountPoint mount_table[] = { + mac_smack_use, MNT_FATAL }, + #endif + { "tmpfs", "/dev/shm", "tmpfs", "mode=01777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, +- NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_USRQUOTA_GRACEFUL }, ++ NULL, MNT_FATAL|MNT_IN_CONTAINER }, + { "devpts", "/dev/pts", "devpts", "mode=" STRINGIFY(TTY_MODE) ",gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, + NULL, MNT_IN_CONTAINER }, + #if ENABLE_SMACK +@@ -189,29 +188,13 @@ static int mount_one(const MountPoint *p, bool relabel) { + else + (void) mkdir_p(p->where, 0755); + +- _cleanup_free_ char *extend_options = NULL; +- const char *o = p->options; +- if (FLAGS_SET(p->mode, MNT_USRQUOTA_GRACEFUL)) { +- r = mount_option_supported(p->type, "usrquota", /* value= */ NULL); +- if (r < 0) +- log_warning_errno(r, "Unable to determine whether %s supports 'usrquota' mount option, assuming not: %m", p->type); +- else if (r == 0) +- log_info("Not enabling 'usrquota' on '%s' as kernel lacks 
support for it.", p->where); +- else { +- if (!strextend_with_separator(&extend_options, ",", p->options ?: POINTER_MAX, "usrquota")) +- return log_oom(); +- +- o = extend_options; +- } +- } +- + log_debug("Mounting %s to %s of type %s with options %s.", + p->what, + p->where, + p->type, +- strna(o)); ++ strna(p->options)); + +- r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, o, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK)); ++ r = mount_verbose_full(priority, p->what, p->where, p->type, p->flags, p->options, FLAGS_SET(p->mode, MNT_FOLLOW_SYMLINK)); + if (r < 0) + return FLAGS_SET(p->mode, MNT_FATAL) ? r : 0; + diff --git a/0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch b/0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch new file mode 100644 index 0000000..6371e85 --- /dev/null +++ b/0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch 
@@ -0,0 +1,88 @@ +From 99af961154502ebce7b0c99875f131af9dc19955 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Thu, 12 Mar 2026 07:14:44 +0900 +Subject: [PATCH] Revert "udev-builtin-net-id: print cescaped bad attributes" + +This reverts commit 7c4047957ef58744ecfad6d277f7c45d430f6d70. + +This is not necessary, as bad characters are already filtered. + +(cherry picked from commit c6ea72e39a8d829b1bd65f15f6dd7d1c2b6d04c3) + +Resolves: RHEL-180922 +--- + src/udev/udev-builtin-net_id.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index fd39a90c87..0d3c62f4b5 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -28,7 +28,6 @@ + #include "device-private.h" + #include "device-util.h" + #include "dirent-util.h" +-#include "escape.h" + #include "ether-addr-util.h" + #include "fd-util.h" + #include "fileio.h" +@@ -46,12 +45,6 @@ + #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1) + #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1) + +-static int log_invalid_device_attr(sd_device *dev, const char *attr, const char *value) { +- _cleanup_free_ char *escaped = cescape(value); +- return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), +- "Invalid %s value '%s'.", attr, strnull(escaped)); +-} +- + /* skip intermediate virtio devices */ + static sd_device *device_skip_virtio(sd_device *dev) { + /* there can only ever be one virtio bus per parent device, so we can +@@ -245,7 +238,7 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re + } + + if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL)) +- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name); ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); + + /* Otherwise, use phys_port_name as is. 
*/ + buf = strjoin("n", phys_port_name); +@@ -352,7 +345,7 @@ static int names_pci_onboard_label(UdevEvent *event, sd_device *pci_dev, const c + return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m"); + + if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL)) +- return log_invalid_device_attr(dev, "label", label); ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label"); + + char str[ALTIFNAMSIZ]; + if (snprintf_ok(str, sizeof str, "%s%s", +@@ -758,7 +751,8 @@ static int names_vio(UdevEvent *event, const char *prefix) { + "VIO bus ID and slot ID have invalid length: %s", s); + + if (!in_charset(s, HEXDIGITS)) +- return log_invalid_device_attr(dev, "VIO bus ID and slot ID", s); ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), ++ "VIO bus ID and slot ID contain invalid characters: %s", s); + + /* Parse only slot ID (the last 4 hexdigits). */ + r = safe_atou_full(s + 4, 16, &slotid); +@@ -814,7 +808,8 @@ static int names_platform(UdevEvent *event, const char *prefix) { + return -EOPNOTSUPP; + + if (!in_charset(vendor, validchars)) +- return log_invalid_device_attr(dev, "platform vendor", vendor); ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ENOENT), ++ "Platform vendor contains invalid characters: %s", vendor); + + ascii_strlower(vendor); + +@@ -1270,7 +1265,7 @@ static int names_netdevsim(UdevEvent *event, const char *prefix) { + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP), + "The 'phys_port_name' attribute is empty."); + if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL)) +- return log_invalid_device_attr(dev, "phys_port_name", phys_port_name); ++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name"); + + char str[ALTIFNAMSIZ]; + if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name)) 
diff --git a/0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch b/0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch new file mode 100644 index 0000000..00841dc --- /dev/null +++ b/0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch 
@@ -0,0 +1,71 @@ +From 890fa2263270063b5db76e950db13c1df19ee00f Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Tue, 24 Mar 2026 14:29:27 +0100 +Subject: [PATCH] homectl: apply all --member-of= groups from a comma-separated + list + +Commit 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03 introduced a bug where +we'd always fetch the "original" (empty) list of groups when processing +a comma-separated list of groups from the --member-of= option, so only +the last group from the list would get applied. This bug was then later +(in 316e9887f2a48bd1c4efa3e31b4bfbaeb22de3a3) refactored into a separate +function. + +Follow-up for 0e1ede4b4b6d1ce6b5b6cda5f803e4f1b5aa4a03. +Fixes: #41286 + +(cherry picked from commit f912de93125bcf0b6c59770503424bcafc683e78) + +Resolves: RHEL-180924 +--- + src/home/homectl.c | 2 +- + test/units/TEST-46-HOMED.sh | 23 +++++++++++++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + +diff --git a/src/home/homectl.c b/src/home/homectl.c +index c99663ffea..d6eb04a1e5 100644 +--- a/src/home/homectl.c ++++ b/src/home/homectl.c +@@ -4080,7 +4080,7 @@ static int parse_argv(int argc, char *argv[]) { + if (!valid_user_group_name(word, 0)) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid group name %s.", word); + +- mo = sd_json_variant_ref(sd_json_variant_by_key(arg_identity_extra, "memberOf")); ++ mo = sd_json_variant_ref(sd_json_variant_by_key(*(match_identity ?: &arg_identity_extra), "memberOf")); + + r = sd_json_variant_strv(mo, &list); + if (r < 0) +diff --git a/test/units/TEST-46-HOMED.sh b/test/units/TEST-46-HOMED.sh +index 998a52c76a..544dedfb0a 100755 +--- a/test/units/TEST-46-HOMED.sh ++++ b/test/units/TEST-46-HOMED.sh +@@ -82,6 +82,29 @@ inspect test-user + SYSTEMD_LOG_LEVEL=debug PASSWORD=yPN4N0fYNKUkOq NEWPASSWORD=xEhErW0ndafV4s homectl passwd test-user + inspect test-user + ++# --member-of= ++systemd-sysusers --inline "g test-group1" "g test-group2" ++# Single group ++PASSWORD=xEhErW0ndafV4s homectl update 
test-user --member-of="test-group1" ++[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1"]' ]] ++# Multiple groups ++PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,test-group2" ++[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]] ++# Empty argument ++PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of= ++[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == 'null' ]] ++# Argument shenanigans ++# - only separators ++(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,,,,,,,,,,,,,,") ++# - invalid group ++(! PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group1,inv@lid.group?") ++# - separators & valid groups ++PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of=",,,,,test-group1,,,,,,,,,,,,,,test-group2," ++[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]] ++# - duplicate groups ++PASSWORD=xEhErW0ndafV4s homectl update test-user --member-of="test-group2,test-group1,test-group1,test-group2" ++[[ "$(homectl inspect -j test-user | jq -c .memberOf)" == '["test-group1","test-group2"]' ]] ++ + homectl deactivate test-user + inspect test-user + diff --git a/0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch b/0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch new file mode 100644 index 0000000..4eb7241 --- /dev/null +++ b/0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch 
@@ -0,0 +1,75 @@ +From 535334a89f042af82de1284f4142c5966fbf1519 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 13 Jan 2026 15:48:56 +0900 +Subject: [PATCH] udevadm: gracefully handle when a maked file is specified to + udevadm verify/cat + +Previously, since 7cb4508c5af465ab1be1b103e6c2b613eb58e63c, if a masked +file is specified, the commands failed. +Let's warn that the file is masked and ignore the file. + +(cherry picked from commit 782569afd05b97143938ec294b5a28b4f2ffb75c) + +Resolves: RHEL-180917 +--- + src/udev/udevadm-util.c | 11 +++++++++++ + test/units/TEST-17-UDEV.10.sh | 2 +- + test/units/TEST-17-UDEV.11.sh | 3 +-- + 3 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/udev/udevadm-util.c b/src/udev/udevadm-util.c +index 4aa5e6b6d7..4c6c76dd54 100644 +--- a/src/udev/udevadm-util.c ++++ b/src/udev/udevadm-util.c +@@ -149,6 +149,12 @@ static int search_rules_file_in_conf_dirs(const char *s, const char *root, char + if (!path) + return log_oom(); + ++ r = null_or_empty_path_with_root(path, root); ++ if (r > 0) { ++ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(path)); ++ return 1; /* Found masked file. */ ++ } ++ + r = chase(path, root, CHASE_PREFIX_ROOT | CHASE_MUST_BE_REGULAR, &resolved, /* ret_fd = */ NULL); + if (r == -ENOENT) + continue; +@@ -183,6 +189,11 @@ static int search_rules_file(const char *s, const char *root, char ***files) { + if (r < 0) + return log_error_errno(r, "Failed to chase \"%s\": %m", s); + ++ if (null_or_empty(&st)) { ++ log_warning("File '%s%s' is a mask, ignoring.", empty_to_root(root), skip_leading_slash(s)); ++ return 0; /* Found masked file. 
*/ ++ } ++ + r = stat_verify_regular(&st); + if (r == -EISDIR) { + _cleanup_strv_free_ char **files_in_dir = NULL; +diff --git a/test/units/TEST-17-UDEV.10.sh b/test/units/TEST-17-UDEV.10.sh +index 68d310a8e5..b81b8a9b1f 100755 +--- a/test/units/TEST-17-UDEV.10.sh ++++ b/test/units/TEST-17-UDEV.10.sh +@@ -38,7 +38,7 @@ udevadm cat 99-systemd + udevadm cat 99-systemd.rules + udevadm cat /usr/lib/udev/rules.d/99-systemd.rules + udevadm cat /usr/lib/udev/rules.d +-(! udevadm cat /dev/null) ++udevadm cat /dev/null + udevadm cat --config + udevadm cat -h + +diff --git a/test/units/TEST-17-UDEV.11.sh b/test/units/TEST-17-UDEV.11.sh +index f0ab20e5c9..ff15343827 100755 +--- a/test/units/TEST-17-UDEV.11.sh ++++ b/test/units/TEST-17-UDEV.11.sh +@@ -116,8 +116,7 @@ assert_1 --resolve-names=now + assert_1 ./nosuchfile + # Failed to parse rules file ./nosuchfile: No such file or directory + assert_1 ./nosuchfile /dev/null +-# '/dev/null' is neither a regular file nor a directory: File descriptor in bad state +-assert_1 /dev/null ++assert_0 /dev/null + + rules_dir='etc/udev/rules.d' + mkdir -p "${rules_dir}" diff --git a/systemd.spec b/systemd.spec index 1e70294..8f6d5b3 100644 --- a/systemd.spec +++ b/systemd.spec @@ -48,7 +48,7 @@ Url: https://systemd.io # Allow users to specify the version and release when building the rpm by # setting the %%version_override and %%release_override macros. Version: %{?version_override}%{!?version_override:257} -Release: 27%{?dist} +Release: 28%{?dist} %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?) 
@@ -792,6 +792,15 @@ Patch0679: 0679-udev-net_id-introduce-naming-scheme-for-RHEL-10.3.patch Patch0680: 0680-Tag-accel-devices-for-uaccess-render.patch Patch0681: 0681-udev-tag-kfd-devices-for-xaccess-render-40888.patch Patch0682: 0682-fstab-generator-fix-spurious-quota-warning-for-xfs.patch +Patch0683: 0683-man-reword-the-description-of-secure-pager-handling.patch +Patch0684: 0684-pager-also-check-for-SUDO_UID.patch +Patch0685: 0685-Revert-mount-setup-tune-down-log-level-if-usrquota-i.patch +Patch0686: 0686-Revert-nspawn-enable-usrquota-support-on-tmp-and-dev.patch +Patch0687: 0687-Revert-units-enable-usrquota-support-on-tmp.patch +Patch0688: 0688-Revert-pid1-enable-usrquota-support-on-dev-shm.patch +Patch0689: 0689-Revert-udev-builtin-net-id-print-cescaped-bad-attrib.patch +Patch0690: 0690-homectl-apply-all-member-of-groups-from-a-comma-sepa.patch +Patch0691: 0691-udevadm-gracefully-handle-when-a-maked-file-is-speci.patch # Downstream-only patches (9000–9999) %endif @@ -1743,6 +1752,17 @@ rm -f .file-list-* rm -f %{name}.lang %changelog +* Wed Jul 01 2026 systemd maintenance team - 257-28 +- man: reword the description of "secure pager" handling (RHEL-102939) +- pager: also check for $SUDO_UID (RHEL-102939) +- Revert "mount-setup: tune down log level if usrquota is not supported, apply usrquota when smack is in use too" (RHEL-143028) +- Revert "nspawn: enable usrquota support on /tmp/ and /dev/shm/" (RHEL-143028) +- Revert "units: enable usrquota support on /tmp/" (RHEL-143028) +- Revert "pid1: enable usrquota support on /dev/shm" (RHEL-143028) +- Revert "udev-builtin-net-id: print cescaped bad attributes" (RHEL-180922) +- homectl: apply all --member-of= groups from a comma-separated list (RHEL-180924) +- udevadm: gracefully handle when a maked file is specified to udevadm verify/cat (RHEL-180917) + * Mon Jun 15 2026 systemd maintenance team - 257-27 - Do not build efi stub on i686 anymore (RHEL-176073)
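Review bot: In 0683, man/common-variables.xml, the new "When set to false" paragraph keeps the ambiguous wording "Setting SYSTEMD_PAGERSECURE=0 or not removing it from the inherited environment may allow the user to invoke arbitrary commands". It is unclear whether "it" is the variable in general or only the =0 value, and the paragraph about elevated privileges that used to give this sentence its context now sits two paragraphs earlier. Suggest spelling it out, for example that a privileged command which inherits SYSTEMD_PAGERSECURE=0 from the caller's environment runs the pager without restrictions.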
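Review bot: In 0684, man/common-variables.xml, the added parenthetical has a grammar slip and runs two sentences together: "($SUDO_UID is set It is recommended for other tools to set and check $SUDO_UID as appropriate, treating it is a common interface.)". "treating it is" should read "treating it as", and the recommendation needs a sentence break or its own sentence outside the parentheses. Separately, the commit message recommends setting SYSTEMD_LESSSECURE, while the text added here documents $SYSTEMD_PAGERSECURE; the two should use the same name.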
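Review bot: In 0684, src/shared/pager.c, the new running_with_escalated_privileges() has no comment and no test for the $SUDO_UID branch; the diffstat lists only man/common-variables.xml and src/shared/pager.c. "if (getenv("SUDO_UID")) return true;" tests presence only, so an empty or non-numeric value also selects secure mode. That is the safe direction, but it is worth a one-line comment saying the presence-only check is deliberate, and that the helper is consulted only when $SYSTEMD_PAGERSECURE is unset (the "use_secure_mode == -ENXIO" branch in pager_open()). A test that sets SUDO_UID with SYSTEMD_PAGERSECURE unset and checks that secure mode is chosen would pin the behaviour down.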
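Review bot: In 0688, src/shared/mount-setup.c, the mount_one() hunk drops the whole MNT_USRQUOTA_GRACEFUL probing block, yet the commit message gives no reason beyond "This reverts commit 75f712d4fb8d5b05f28eda98e9ae44512ba6d7f8." and "Reverts: RHEL-143028"; the same holds for 0685, 0686 and 0687. One sentence on why usrquota on /tmp and /dev/shm is being backed out would let a later reader judge whether it can be re-applied. Note also that 0685 restores log_warning_errno()/log_info() in exactly the block this hunk deletes, so 0685 only changes the intermediate state between the two patches.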
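Review bot: In 0689, src/udev/udev-builtin-net_id.c, the names_vio() hunk goes back to logging the rejected value unescaped: "VIO bus ID and slot ID contain invalid characters: %s", s. At that point in_charset(s, HEXDIGITS) has just failed, so s is by definition the string with the unexpected characters, and the commit message's "bad characters are already filtered" does not cover what reaches the log here. The phys_port_name and label sites in the same patch avoid the issue by logging a fixed string ("Invalid phys_port_name", "Invalid label"); doing the same here, or keeping the escaping for this one site, would be consistent.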
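Review bot: In 0689, src/udev/udev-builtin-net_id.c, the names_platform() hunk changes the error code as a side effect of the revert: the removed log_invalid_device_attr() returned SYNTHETIC_ERRNO(EINVAL) for every site, while the restored line uses SYNTHETIC_ERRNO(ENOENT) for an invalid platform vendor. If callers distinguish the two, this is a behaviour change the commit message does not mention; if they do not, EINVAL would match the other four sites touched by this patch. This line also prints vendor with %s directly after in_charset(vendor, validchars) has failed, the same unescaped logging as in names_vio().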
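Review bot: In 0690, the added block in test/units/TEST-46-HOMED.sh does not exercise the branch the fix in src/home/homectl.c introduces. The corrected line reads "memberOf" from "*(match_identity ?: &arg_identity_extra)", but every new test case is a plain "homectl update test-user --member-of=..." call, which as far as these lines show goes through arg_identity_extra only. Please add one case where match_identity is non-NULL and a comma-separated list is given, so both sides of the "?:" are covered. A short comment on the fixed line explaining that the list must be fetched from the same object it is written back to would help prevent the regression described in the commit message.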
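Review bot: In 0691, src/udev/udevadm-util.c, the two added mask checks carry the same comment "/* Found masked file. */" but return different values: "return 1;" in search_rules_file_in_conf_dirs() and "return 0;" in search_rules_file(). If that follows each function's existing return convention, the comments should say so (for example "treat as found, nothing to add" versus "success, nothing to add"); otherwise one of them is wrong. In search_rules_file_in_conf_dirs() the result of null_or_empty_path_with_root() is only tested with "if (r > 0)", so a negative return is silently overwritten by the following chase() call; a comment that errors are intentionally left to chase() would make that clear. The changed test lines only cover /dev/null passed as a path, not a masked file found through the configuration directories.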