[devel] I: brp-verify-unit: "bad permissions on ..."
Arseny Maslennikov
arseny at altlinux.org
Sat Feb 10 12:55:26 MSK 2024
Hi!
The Sisyphus published today includes a new rpm-build:
> rpm-build - Scripts and executable programs used to build packages
> * Thu Jan 11 2024 Arseny Maslennikov <arseny at altlinux> 4.0.4.195-alt1
> - debuginfo: Changed compression format (--lzma2=dict=2MiB ->
> --check=crc32 --lzma2=dict=1MiB) of xz-compressed modules for compatibility
> with kmod >= 31 (thx asheplyakov@).
> - Introduced brp-verify-unit to check sanity of systemd units included
> in built packages.
The new brp module sanity-checks systemd units. So far it contains
two checks:
* a file containing a systemd unit must not have the x-bit set;
* a file containing a systemd unit that spawns a process must not
run anything as nobody.
Today's test rebuild turned up[1] 14 source
packages that install a unit with rwxr-xr-x permissions somewhere, and 1 package
containing a unit with rwxr-x--- permissions.
[1] https://lore.altlinux.org/sisyphus-cybertalk/Zcb1ezIHJkgVff21@beehive.mskdc.altlinux.org/T/#u
The packages listed below need to be fixed by removing the x-bits from the
systemd units under %buildroot.
Under each quote from the rebuild log is the acl for the package.
bonito-open-5.58.1-alt1
+ mv misc/bonito_clear_cache.cron
/usr/src/tmp/bonito-open-buildroot//etc/cron.d/bonito_clear_cache
+ sed 's|/usr/bin/bonito_clear_cache|/usr/bin/bonito_clear_cache|' bonito_clear_cache
+ chmod a+x /usr/src/tmp/bonito-open-buildroot//usr/bin/bonito_clear_cache
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/bonito-open-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/bonito-open-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/bonito-open-buildroot/ (default)
Compressing files in /usr/src/tmp/bonito-open-buildroot (auto)
Verifying systemd units in /usr/src/tmp/bonito-open-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/skejobserver.service":
-rwxr-xr-x
bonito-open kirill @everybody
bozohttpd-20220517-alt1
044-verify-unit.brp: bad permissions on "/lib/systemd/system/bozohttpd@.service":
-rwxr-xr-x
044-verify-unit.brp: ERROR: "/lib/systemd/system/bozohttpd@.service" assumes overflowugid
credentials
bozohttpd george @everybody
cpufreqd-2.4.3-alt3
<...>
Verifying and fixing files in /usr/src/tmp/cpufreqd-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/cpufreqd-buildroot/ (default)
Compressing files in /usr/src/tmp/cpufreqd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/cpufreqd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/cpufreqd.service": -rwxr-xr-x
cpufreqd shaba
ctwm-1:4.1.0-alt1
Verifying and fixing files in /usr/src/tmp/ctwm-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/ctwm-buildroot/ (default)
Compressing files in /usr/src/tmp/ctwm-buildroot (auto)
mode of '/usr/src/tmp/ctwm-buildroot/usr/share/man/man1/ctwm.1' changed from 0755
(rwxr-xr-x) to 0644 (rw-r--r--)
gunzip: /usr/src/tmp/ctwm-buildroot/usr/share/man/man1/ctwm.1 already exists; not
overwritten
Verifying systemd units in /usr/src/tmp/ctwm-buildroot
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm.target": -rwxr-xr-x
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm-session.target":
-rwxr-xr-x
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm.service": -rwxr-xr-x
ctwm george @qa
dictd-1:1.13.1-alt1
<...>
Checking contents of files in /usr/src/tmp/dictd-buildroot/ (default)
Compressing files in /usr/src/tmp/dictd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/dictd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/dictd.service": -rwxr-xr-x
dictd lav cheusov @qa @everybody
foreman-3.5.1-alt8
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/foreman-buildroot (auto)
removed './usr/lib/foreman/Gemfile.orig'
removed './usr/lib/foreman/app/models/setting.rb.orig'
removed './usr/lib/foreman/app/models/role.rb.orig'
Verifying and fixing files in /usr/src/tmp/foreman-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/foreman-buildroot/ (default)
Compressing files in /usr/src/tmp/foreman-buildroot (auto)
Verifying systemd units in /usr/src/tmp/foreman-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/foreman.service": -rwxr-xr-x
foreman majioa @everybody
ima-integrity-check-0.5.1-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/ima-integrity-check-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/ima-integrity-check-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/ima-integrity-check-buildroot/ (default)
Compressing files in /usr/src/tmp/ima-integrity-check-buildroot (auto)
Verifying systemd units in /usr/src/tmp/ima-integrity-check-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/signing.service": -rwxr-x---
ima-integrity-check nbr @everybody
matterbridge-1.22.3-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/matterbridge-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/matterbridge-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/matterbridge-buildroot/ (default)
Compressing files in /usr/src/tmp/matterbridge-buildroot (auto)
Verifying systemd units in /usr/src/tmp/matterbridge-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/matterbridge.service":
-rwxr-xr-x
matterbridge @nobody
nbd-3.25-alt1
+ install -pD -m644 /usr/src/RPM/SOURCES/nbd.sysconfig
/usr/src/tmp/nbd-buildroot/etc/sysconfig/nbd-server
+ mkdir -p /usr/src/tmp/nbd-buildroot/usr/share/doc/nbd-3.25
+ install -pm644 README.md tests/run/simple_test
/usr/src/tmp/nbd-buildroot/usr/share/doc/nbd-3.25/
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/nbd-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/nbd-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/nbd-buildroot/ (default)
Compressing files in /usr/src/tmp/nbd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/nbd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/nbd-server.service":
-rwxr-xr-x
nbd rider @everybody
passivedns-1.2.1-alt3
+ mkdir -p /usr/src/tmp/passivedns-buildroot/etc/logrotate.d
+ cat
+ ln -s /dev/null /usr/src/tmp/passivedns-buildroot/lib/systemd/system/passivedns.service
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/passivedns-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/passivedns-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/passivedns-buildroot/ (default)
Compressing files in /usr/src/tmp/passivedns-buildroot (auto)
Verifying systemd units in /usr/src/tmp/passivedns-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/passivedns@.service":
-rwxr-xr-x
passivedns rider @everybody
puppetdb-7.12.0-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/puppetdb-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/puppetdb-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/puppetdb-buildroot/ (default)
Compressing files in /usr/src/tmp/puppetdb-buildroot (auto)
Verifying systemd units in /usr/src/tmp/puppetdb-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/puppetdb.service": -rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.52351 (%install)
RPM build errors:
Macro %ubt not found
puppetdb dshein @everybody
virtualbox-7.0.14-alt1
Checking contents of files in /usr/src/tmp/virtualbox-buildroot/ (default)
Compressing files in /usr/src/tmp/virtualbox-buildroot (auto)
Verifying systemd units in /usr/src/tmp/virtualbox-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/virtualbox-vmsvga.service":
-rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.25157 (%install)
RPM build errors:
line 181: Deprecated PreReq converted to Requires(pre,postun): PreReq: virtualbox-common
= 7.0.14-alt1
line 314: Deprecated PreReq converted to Requires(pre,postun): PreReq: control >=
0.7.2-alt1
line 315: Deprecated PreReq converted to Requires(pre,postun): PreReq: shadow-utils
line 317: Deprecated PreReq converted to Requires(pre,postun): PreReq: sysvinit-utils
virtualbox sin nbr greh
vnstat-2.11-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/vnstat-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/vnstat-buildroot
(binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/vnstat-buildroot/ (default)
Compressing files in /usr/src/tmp/vnstat-buildroot (auto)
Verifying systemd units in /usr/src/tmp/vnstat-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/vnstatd.service": -rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.43441 (%install)
RPM build errors:
File /usr/src/RPM/SOURCES/vnstat-2.11-alt1.patch is smaller than 8 bytes
vnstat naf
I will write a bit later about the 5 packages that brp-verify-unit rejected
because of overflowugid credentials.
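
The two checks and the requested fix, sketched as an added example that is not part of the original message and not the real brp-verify-unit script. The function names, the unit-suffix list and the User=/Group= pattern used for the nobody check are assumptions, and the sample buildroot is constructed.

```shell
# Added example; not the brp-verify-unit script shipped with rpm-build.

# List regular unit files in the buildroot; -type f skips symlinks (masked units).
list_units() {
    root=$1; shift
    for d in "$root/lib/systemd" "$root/usr/lib/systemd"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name '*.service' -o -name '*.socket' \
            -o -name '*.target' -o -name '*.timer' \) "$@"
    done
}

# Check 1: print units that carry any execute bit (owner, group or other).
units_with_xbit() {
    list_units "$1" \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Check 2 (assumed approximation): print units that set User= or Group= to nobody.
units_as_nobody() {
    list_units "$1" | while IFS= read -r u; do
        if grep -Eq '^(User|Group)[[:space:]]*=[[:space:]]*nobody[[:space:]]*$' "$u"
        then printf '%s\n' "$u"; fi
    done
}

# The requested fix: drop the x-bits from every unit under the buildroot.
fix_xbit() {
    units_with_xbit "$1" | while IFS= read -r u; do chmod a-x "$u"; done
}

# Constructed sample buildroot; all unit names here are made up.
make_sample() {
    br=$(mktemp -d); s=$br/lib/systemd/system
    mkdir -p "$s" "$br/usr/lib/systemd/user"
    printf '[Service]\nExecStart=/usr/bin/demo\n' > "$s/demo.service"
    printf '[Service]\nUser=nobody\nExecStart=/usr/bin/demo %%i\n' > "$s/demo@.service"
    printf '[Unit]\nDescription=demo\n' > "$br/usr/lib/systemd/user/demo.target"
    ln -s /dev/null "$s/masked.service"
    chmod 755 "$s/demo.service" "$br/usr/lib/systemd/user/demo.target"
    chmod 644 "$s/demo@.service"
    printf '%s\n' "$br"
}

br=$(make_sample)
echo "units with x-bit:";   units_with_xbit "$br"
echo "units using nobody:"; units_as_nobody "$br"
fix_xbit "$br"
echo "units with x-bit after fix: $(units_with_xbit "$br" | wc -l)"
rm -rf "$br"
```

In a spec file the same effect comes from installing the unit with mode 644 in %install, so that nothing needs to be chmod-ed afterwards.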