diff --git a/rpm-4.20.0-upstream-disable_unshare_plugin_in_chroot.patch b/rpm-4.20.0-upstream-disable_unshare_plugin_in_chroot.patch
deleted file mode 100644
index 42a028b..0000000
--- a/rpm-4.20.0-upstream-disable_unshare_plugin_in_chroot.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From 931cb97455b01228c639ae8361e4553679b13d54 Mon Sep 17 00:00:00 2001 -From: Panu Matilainen -Date: Thu, 1 Aug 2024 13:54:25 +0300 -Subject: [PATCH] Disable private mounts in chroot'ed operation in the unshare - plugin - -mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) inside a chroot -fails with EINVAL if the "/" inside the chroot is not an actual -mount point on the system - as it often isn't. For now, just disable -that functionality on chroot operation. - -Related: #3187 ---- - docs/man/rpm-plugin-unshare.8.md | 5 +++++ - plugins/unshare.c | 21 ++++++++++++++++----- - 2 files changed, 21 insertions(+), 5 deletions(-) - -diff --git a/docs/man/rpm-plugin-unshare.8.md b/docs/man/rpm-plugin-unshare.8.md -index d8a4222426..33073b872d 100644 ---- a/docs/man/rpm-plugin-unshare.8.md -+++ b/docs/man/rpm-plugin-unshare.8.md -@@ -27,6 +27,11 @@ This plugin implements the following configurables: - execution. Typical examples would be `/tmp` to protect against - insecure temporary file usage inside scriptlets, and `/home` to - prevent scriptlets from accessing user home directories. -+ When path unsharing is enabled, any mounts made from scriptlets -+ are also private to the scriptlet (and vice versa, mount changes -+ on the host are not visible to the scriptlet). -+ -+ Private mounts in chroot-operations is unimplemented. - - `%__transaction_unshare_nonet` - -diff --git a/plugins/unshare.c b/plugins/unshare.c -index bb02201e4a..50f60fad2f 100644 ---- a/plugins/unshare.c -+++ b/plugins/unshare.c -@@ -19,8 +19,18 @@ static rpmRC unshare_init(rpmPlugin plugin, rpmts ts) - { - char *paths = rpmExpand("%{?__transaction_unshare_paths}", NULL); - private_mounts = argvSplitString(paths, ":", ARGV_SKIPEMPTY); -- if (private_mounts) -- unshare_flags |= CLONE_NEWNS; -+ if (private_mounts) { -+ /* -+ * Changing mount propagation from inside a chroot fails if the root -+ * is not also a mount point, disable for now. 
-+ */ -+ if (strcmp(rpmtsRootDir(ts), "/")) { -+ rpmlog(RPMLOG_WARNING, -+ "private mounts in chroot not implemented\n"); -+ } else { -+ unshare_flags |= CLONE_NEWNS; -+ } -+ } - free(paths); - - if (rpmExpandNumeric("%{?__transaction_unshare_nonet}")) -@@ -47,9 +57,10 @@ static rpmRC unshare_scriptlet_fork_post(rpmPlugin plugin, - goto exit; - } - -- if (private_mounts) { -- if (mount("/", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) { -- rpmlog(RPMLOG_ERR, _("failed to mount private %s: %s\n"), -+ if (unshare_flags & CLONE_NEWNS) { -+ if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) { -+ rpmlog(RPMLOG_ERR, -+ _("failed to change mount propagation %s: %s\n"), - "/", strerror(errno)); - goto exit; - } diff --git a/rpm-4.20.0-upstream-support-u-exclamation-mark-in-sysusers-files.patch b/rpm-4.20.0-upstream-support-u-exclamation-mark-in-sysusers-files.patch deleted file mode 100644 index e1e08cd..0000000 --- a/rpm-4.20.0-upstream-support-u-exclamation-mark-in-sysusers-files.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From 234706084d8203a22eb984b1ef3646a15f8a9a1b Mon Sep 17 00:00:00 2001 -From: Florian Festi -Date: Mon, 18 Nov 2024 14:16:29 +0100 -Subject: [PATCH] Support new u! command in sysusers files - -systemd 257 defines a new modifier ! for u entries that locks the -account by setting it as expired. - -See https://github.com/systemd/systemd/commit/2ec7977e1b100c1717d95417e6d825fbf939f7b3 - -Resolves: #3450 ---- - docs/manual/users_and_groups.md | 8 ++++---- - macros.in | 2 +- - scripts/sysusers.sh | 21 ++++++++++++++++----- - tests/data/SPECS/klang.spec | 2 +- - tests/rpmi.at | 8 ++++++-- - 5 files changed, 28 insertions(+), 13 deletions(-) - -diff --git a/docs/manual/users_and_groups.md b/docs/manual/users_and_groups.md -index 3950b594b5..aee103f1c2 100644 ---- a/docs/manual/users_and_groups.md -+++ b/docs/manual/users_and_groups.md -@@ -41,10 +41,10 @@ to weaken these into recommends-dependencies by setting - - ## Limitations - --At this time, rpm only supports the `u`, `g` and (since RPM 4.20) `m` --directives of sysusers.d format and ignores others. If other --directives are needed, the package will need to call systemd-sysusers --with the correct arguments manually. -+At this time, rpm only supports the `u`, `g`, (since RPM 4.20) `m` -+and (since RPM 6.0) the `u!` directives of sysusers.d format and -+ignores others. If other directives are needed, the package will need -+to call systemd-sysusers with the correct arguments manually. - - ## Technical details - -diff --git a/macros.in b/macros.in -index cb07970e13..00c9d07715 100644 ---- a/macros.in -+++ b/macros.in -@@ -1367,7 +1367,7 @@ end - name = arg[2] - if arg[1] == 'g' then - type = 'group' -- elseif arg[1] == 'u' then -+ elseif arg[1] == 'u' or arg[1] == 'u!' 
then - type = 'user' - elseif arg[1] == 'm' and #arg >=3 then - type = 'groupmember' -diff --git a/scripts/sysusers.sh b/scripts/sysusers.sh -index 22ae5f23e6..d945b281bd 100755 ---- a/scripts/sysusers.sh -+++ b/scripts/sysusers.sh -@@ -72,6 +72,7 @@ user() { - local group="$4" - local home="$5" - local shell="$6" -+ local expire="$7" - - [ "$desc" = '-' ] && desc= - { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ -@@ -90,6 +91,10 @@ user() { - fi - fi - fi -+ -+ if [[ $expire ]]; then -+ usermod -e 1 "${user}" -+ fi - } - - group() { -@@ -109,13 +114,13 @@ addtogroup() { - local group="$2" - - group "${group}" "-" -- user "${user}" "-" "" "${group}" "" "" -+ user "${user}" "-" "" "${group}" "" "" "" - - usermod -R "$ROOT" -a -G "${group}" "$user" || : - } - - parse() { -- local line arr -+ local line arr expire - - while read -r line || [ -n "$line" ] ; do - { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue -@@ -123,13 +128,19 @@ parse() { - [ -z "$line" ] && continue - mapfile -t arr < <(xargs -n1 <<<"$line") - -+ expire="" -+ - case "${arr[0]}" in -- ('u') -+ ('u' | 'u!') -+ if [[ "${arr[0]}" == 'u!' ]]; then -+ expire="1"; -+ fi -+ - if [[ "${arr[2]}" == *":"* ]]; then -- user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" -+ user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" $expire - else - group "${arr[1]}" "${arr[2]}" -- user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" -+ user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" $expire - fi - ;; - ('g') -diff --git a/tests/data/SPECS/klang.spec b/tests/data/SPECS/klang.spec -index cc35b87bd4..6d71de6ea0 100644 ---- a/tests/data/SPECS/klang.spec -+++ b/tests/data/SPECS/klang.spec -@@ -47,7 +47,7 @@ EOF - cat << EOF > ${RPM_BUILD_ROOT}/%{_sysusersdir}/plong.conf - - # Real life files have all sorts of anomalies --u plong - "Plong fu" /var/lib/plong /sbin/nologin -+u! 
plong - "Plong fu" /var/lib/plong /sbin/nologin - #...such as empty lines - - # and comments comments -diff --git a/tests/rpmi.at b/tests/rpmi.at -index 7ea6a75207..6c7b84cdfe 100644 ---- a/tests/rpmi.at -+++ b/tests/rpmi.at -@@ -1589,7 +1589,7 @@ group(klong) = ZyBrbG9uZyAt - group(plong) - groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA - user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA --user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA -+user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A - ], - [warning: ignoring unsupported sysuser type: r - ]) -@@ -1618,7 +1618,7 @@ group(klong) = ZyBrbG9uZyAt - group(plong) - groupmember(klangd/klong) = bSBrbGFuZ2Qga2xvbmcA - user(klangd) = dSBrbGFuZ2QgLSAiS2xhbmcgc2VydmVyIiAvdmFyL2xpYi9rbGFuZ2QgL3NiaW4vbm9sb2dpbgAA --user(plong) = dSBwbG9uZyAtICJQbG9uZyBmdSIgL3Zhci9saWIvcGxvbmcgL3NiaW4vbm9sb2dpbgAA -+user(plong) = dSEgcGxvbmcgLSAiUGxvbmcgZnUiIC92YXIvbGliL3Bsb25nIC9zYmluL25vbG9naW4A - ], - [warning: ignoring unsupported sysuser type: r - ]) -@@ -1660,15 +1660,19 @@ runroot rpm -V ${VERIFYOPTS} klang-client klang-common - RPMTEST_CHECK([ - runroot rpm -U /build/RPMS/noarch/klang-server-1.0-1.noarch.rpm - runroot_other grep ^klangd /etc/passwd | cut -f1 -d: -+runroot_other chage -l klangd | grep "Account expires" | cut -f2 -d: - runroot_other grep ^klangd /etc/group | cut -f1 -d: - runroot_other grep ^plong /etc/passwd | cut -f1 -d: -+runroot_other chage -l plong | grep "Account expires" | cut -f2 -d: - runroot_other grep ^klong /etc/group | cut -f4 -d: - runroot rpm -V ${VERIFYOPTS} klang-server - ], - [0], - [klangd -+ never - klangd - plong -+ Jan 02, 1970 - klangd - ], - [ignore]) diff --git a/rpm.spec b/rpm.spec index ab913fd..f9688db 100644 --- a/rpm.spec +++ b/rpm.spec 
@@ -16,8 +16,8 @@ %define majver %(echo %version | cut -d. -f1-2) Name: rpm Epoch: 1 -Version: 4.20.0 -Release: 4mamba +Version: 4.20.1 +Release: 1mamba Summary: The RPM Package Manager (RPM) is a powerful package management system Group: System/Management Vendor: openmamba @@ -44,8 +44,6 @@ Patch15: rpm-4.18.0-allow-disabling-rmbuild.patch Patch16: rpm-4.19.1.1-i586-add-sse-sse2-build-flags.patch Patch17: rpm-4.19.1.1-i586-only-force-i586-host-cpu.patch Patch19: rpm-4.19.1.1-host-readd-gnu-suffix.patch -Patch20: rpm-4.20.0-upstream-support-u-exclamation-mark-in-sysusers-files.patch -Patch21: rpm-4.20.0-upstream-disable_unshare_plugin_in_chroot.patch License: LGPL ## AUTOBUILDREQ-BEGIN BuildRequires: glibc-devel @@ -145,8 +143,6 @@ This package should be installed if you want to develop Python programs that wil %patch 17 -p1 %endif %patch 19 -p1 -%patch 20 -p1 -b .upstream-support-u-exclamation-mark-in-sysusers-files -%patch 21 -p1 -b .upstream-disable_unshare_plugin_in_chroot %build #:<< _EOF @@ -292,6 +288,9 @@ install -d -m0755 %{buildroot}%{_sysconfdir}/rpm/ %{python3_sitearch}/rpm/* %changelog +* Fri Feb 21 2025 Automatic Build System 4.20.1-1mamba +- automatic version update by autodist + * Sun Jan 19 2025 Silvan Calarco 4.20.0-4mamba - remove old brp-strip which was replacing -regex with -path but has problems