From 11b00957be9f8661c4248d52bb20cdacdd442615 Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Wed, 13 Jun 2018 21:55:19 +0000
Subject: Wed Jun 13 21:55:19 UTC 2018

a/etc-15.0-x86_64-5.txz: Rebuilt.
Don't hardcode passwd/shadow/group additions in doinst.sh - get them from the .new files.
a/sysvinit-scripts-2.1-noarch-11.txz: Rebuilt.
rc.S: don't start rc.haveged in this script - move it to rc.M.
rc.M: start rc.haveged after seeding /dev/urandom in rc.S, and after starting syslogd, klogd, and udev in rc.M.
rc.M: start rc.rndg (we don't ship it or rng-tools) after udev. H. Peter Anvin says that it's fine to run both haveged and rndg, and I trust his opinion on that. Thanks to GazL.
ap/at-3.1.20-x86_64-4.txz: Rebuilt.
Fixed wrong variable in rc.atd. Thanks to upnort.
n/libgcrypt-1.8.3-x86_64-1.txz: Upgraded.
Use blinding for ECDSA signing to mitigate a novel side-channel attack.
For more information, see:
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
(* Security fix *)
---
 source/a/etc/doinst.sh | 114 +++++++++++++++++++++
 source/a/etc/etc.SlackBuild | 16 ++-
 source/a/etc/group.new | 54 ++++++++++
 source/a/etc/passwd.new | 33 ++++++
 source/a/etc/shadow.new | 33 ++++++
 source/a/sysvinit-scripts/scripts/rc.M | 10 ++
 source/a/sysvinit-scripts/scripts/rc.S | 6 --
 .../a/sysvinit-scripts/sysvinit-scripts.SlackBuild | 2 +-
 8 files changed, 260 insertions(+), 8 deletions(-)
 create mode 100644 source/a/etc/doinst.sh
 create mode 100644 source/a/etc/group.new
 create mode 100644 source/a/etc/passwd.new
 create mode 100644 source/a/etc/shadow.new
(limited to 'source/a')

diff --git a/source/a/etc/doinst.sh b/source/a/etc/doinst.sh
new file mode 100644
index 000000000..83376f57f
--- /dev/null
+++ b/source/a/etc/doinst.sh
@@ -0,0 +1,114 @@
+#!/bin/sh
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+# First, make sure any new entries in passwd/shadow/group are added:
+if [ -r etc/passwd -a -r etc/passwd.new ]; then
+ cat etc/passwd.new | while read line ; do
+ if ! grep -q "^$(echo $line | cut -f 1 -d :):" etc/passwd ; then
+ echo $line >> etc/passwd
+ fi
+ done
+fi
+if [ -r etc/shadow -a -r etc/shadow.new ]; then
+ cat etc/shadow.new | while read line ; do
+ if ! grep -q "^$(echo $line | cut -f 1 -d :):" etc/shadow ; then
+ echo $line >> etc/shadow
+ fi
+ done
+fi
+if [ -r etc/group -a -r etc/group.new ]; then
+ cat etc/group.new | while read line ; do
+ if ! grep -q "^$(echo $line | cut -f 1 -d :):" etc/group ; then
+ echo $line >> etc/group
+ fi
+ done
+fi
+
+config etc/mtab.new
+config etc/motd.new
+config etc/group.new
+config etc/csh.login.new
+config etc/ld.so.conf.new
+config etc/profile.new
+config etc/hosts.new
+config etc/inputrc.new
+config etc/shadow.new
+config etc/passwd.new
+config etc/printcap.new
+config etc/networks.new
+config etc/HOSTNAME.new
+config etc/gshadow.new
+config etc/issue.new
+config etc/securetty.new
+config etc/shells.new
+config etc/services.new
+config etc/issue.net.new
+config etc/nsswitch.conf.new
+config etc/profile.d/lang.csh.new
+config etc/profile.d/lang.sh.new
+config etc/profile.d/z-dot-in-non-root-path.csh.new
+config etc/profile.d/z-dot-in-non-root-path.sh.new
+config var/log/lastlog.new
+config var/log/wtmp.new
+config var/run/utmp.new
+
+if [ -r etc/ld.so.conf.new -a -r etc/ld.so.conf ]; then
+ # Ensure that ld.so.conf contains the minimal set of paths:
+ cat etc/ld.so.conf | while read pathline ; do
+ if ! grep "^${pathline}$" etc/ld.so.conf.new 1> /dev/null 2> /dev/null ; then
+ echo "$pathline" >> etc/ld.so.conf.new
+ fi
+ done
+ cp etc/ld.so.conf.new etc/ld.so.conf
+fi
+
+# Clean up useless non-examples:
+rm -f etc/mtab.new
+rm -f etc/motd.new
+rm -f etc/ld.so.conf.new
+rm -f etc/hosts.new
+#rm -f etc/shadow.new
+rm -f etc/networks.new
+rm -f etc/HOSTNAME.new
+#rm -f etc/gshadow.new
+rm -f etc/shells.new
+rm -f etc/printcap.new
+rm -f etc/issue.new
+rm -f etc/issue.net.new
+#rm -f etc/profile.d/lang.csh.new
+#rm -f etc/profile.d/lang.sh.new
+rm -f var/run/utmp.new
+rm -f var/log/lastlog.new
+rm -f var/log/wtmp.new
+
+# Make sure $HOME is correct for user sddm:
+chroot . /usr/sbin/usermod -d /var/lib/sddm sddm > /dev/null 2> /dev/null
+# Make sure that sddm is a member of group video:
+chroot . /usr/sbin/usermod --groups video sddm > /dev/null 2> /dev/null
+
+# Also ensure ownerships/perms:
+chown root.utmp var/run/utmp var/log/wtmp
+chmod 664 var/run/utmp var/log/wtmp
+chown root.shadow etc/shadow etc/gshadow
+chmod 640 etc/shadow etc/gshadow
+
+# Match permissions on any leftover config z-dot-in-non-root-path scripts
+# to prevent anyone who turned them on from accidentally losing that setting
+# by moving the .new script into place:
+if [ -r etc/profile.d/z-dot-in-non-root-path.csh.new ]; then
+ touch -r etc/profile.d/z-dot-in-non-root-path.csh etc/profile.d/z-dot-in-non-root-path.csh.new
+fi
+if [ -r etc/profile.d/z-dot-in-non-root-path.sh.new ]; then
+ touch -r etc/profile.d/z-dot-in-non-root-path.sh etc/profile.d/z-dot-in-non-root-path.sh.new
+fi
+
diff --git a/source/a/etc/etc.SlackBuild b/source/a/etc/etc.SlackBuild
index 98bc581e6..72c1f02c7 100755
--- a/source/a/etc/etc.SlackBuild
+++ b/source/a/etc/etc.SlackBuild
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PKGNAM=etc
 VERSION=15.0
-BUILD=${BUILD:-4}
+BUILD=${BUILD:-5}
 
 # Automatically determine the architecture we're building on:
 if [ -z "$ARCH" ]; then
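Review bot: The three merge loops in the new doinst.sh (`cat etc/passwd.new | while read line` and the shadow/group copies) expand `$line` unquoted and read it without `-r`, so word splitting collapses whitespace in GECOS fields such as `RPC portmap user`, the `*` password fields from shadow.new are exposed to pathname expansion, and the user name is interpolated into a regex in `grep -q "^...:"`. Change each loop to `while IFS= read -r line ; do` with `echo "$line" >> etc/passwd`, and match the name literally with `cut -d: -f1 etc/passwd | grep -qxF -- "${line%%:*}"` in place of the grep-of-cut. `chroot . /usr/sbin/usermod --groups video sddm` without `--append` replaces sddm's whole supplementary group list with `video`, which would discard any group an admin added, so `--append --groups video` is presumably what is meant. Because `rm -f etc/shadow.new` is commented out, a differing shadow.new can remain in /etc with whatever mode the package gives it, and the `chmod 640 etc/shadow etc/gshadow` line does not cover it; if it is meant to stay, it should receive the same ownership and mode.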
@@ -60,8 +60,22 @@ if [ "$ARCH" = "x86_64" ]; then
 fi
 zcat $CWD/nsswitch.conf.gz > $PKG/etc/nsswitch.conf.new
 
+# Check to make sure that shadow has the same number of entries
+# as passwd:
+if [ ! "$(cat $CWD/passwd.new | wc -l)" = "$(cat $CWD/shadow.new | wc -l)" ]; then
+ echo "#######################################################################################"
+ echo "# WARNING: /etc/passwd.new and /etc/shadow.new don't have the same number of entries. #"
+ echo "#######################################################################################"
+ sleep 60
+fi
+# Install default passwd/shadow/group (sorted):
+sort -n -t ':' -k3 $CWD/passwd.new > $PKG/etc/passwd.new
+awk -F':' 'NR==FNR{z[$1]=$0;next}{print z[$1]}' $CWD/shadow.new $PKG/etc/passwd.new > $PKG/etc/shadow.new
+sort -n -t ':' -k3 $CWD/group.new > $PKG/etc/group.new
+
 mkdir -p $PKG/install
 cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
 
 # Build the package:
 cd $PKG
diff --git a/source/a/etc/group.new b/source/a/etc/group.new
new file mode 100644
index 000000000..1fb3242c4
--- /dev/null
+++ b/source/a/etc/group.new
@@ -0,0 +1,54 @@
+root:x:0:root
+bin:x:1:root,bin
+daemon:x:2:root,bin,daemon
+sys:x:3:root,bin,adm
+adm:x:4:root,adm,daemon
+tty:x:5:
+disk:x:6:root,adm
+lp:x:7:lp
+mem:x:8:
+kmem:x:9:
+wheel:x:10:root
+floppy:x:11:
+mail:x:12:mail
+news:x:13:news
+uucp:x:14:uucp
+man:x:15:
+dialout:x:16:uucp
+audio:x:17:root,pulse
+video:x:18:sddm
+cdrom:x:19:
+games:x:20:
+slocate:x:21:
+utmp:x:22:
+smmsp:x:25:smmsp
+tape:x:26:
+mysql:x:27:
+rpc:x:32:
+sshd:x:33:sshd
+cgred:x:41:
+gdm:x:42:
+shadow:x:43:
+ntp:x:44:
+ftp:x:50:
+oprofile:x:51:
+sddm:x:64:
+pulse:x:65:
+input:x:71:
+apache:x:80:
+messagebus:x:81:
+haldaemon:x:82:
+plugdev:x:83:
+power:x:84:
+netdev:x:86:
+polkitd:x:87:
+pop:x:90:pop
+postfix:x:91:
+postdrop:x:92:
+scanner:x:93:
+dovecot:x:94:
+dovenull:x:95:
+nobody:x:98:nobody
+nogroup:x:99:
+users:x:100:
+console:x:101:
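Review bot: The awk that assembles shadow.new, `awk -F':' 'NR==FNR{z[$1]=$0;next}{print z[$1]}'`, prints an empty line for every passwd.new user that has no shadow.new entry and silently drops shadow.new entries whose user is absent from passwd.new, and the count check above it only pauses (`sleep 60`) rather than failing, so an inconsistent pair can still be packaged and doinst.sh's merge loop would then append that blank line to /etc/shadow. Guard the lookup with `($1 in z){print z[$1]}`, and replace `sleep 60` with `exit 1` so the build stops on the mismatch instead of warning past it. A line count cannot detect a renamed or misspelled user; comparing `cut -d: -f1` of both files would. The `cat $CWD/passwd.new | wc -l` pairs can be written `wc -l < $CWD/passwd.new`.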
diff --git a/source/a/etc/passwd.new b/source/a/etc/passwd.new
new file mode 100644
index 000000000..e25220170
--- /dev/null
+++ b/source/a/etc/passwd.new
@@ -0,0 +1,33 @@
+root:x:0:0::/root:/bin/bash
+bin:x:1:1:bin:/bin:/bin/false
+daemon:x:2:2:daemon:/sbin:/bin/false
+adm:x:3:4:adm:/var/log:/bin/false
+lp:x:4:7:lp:/var/spool/lpd:/bin/false
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/:/bin/false
+news:x:9:13:news:/usr/lib/news:/bin/false
+uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
+operator:x:11:0:operator:/root:/bin/bash
+games:x:12:100:games:/usr/games:/bin/false
+ftp:x:14:50::/home/ftp:/bin/false
+smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
+mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
+rpc:x:32:32:RPC portmap user:/:/bin/false
+sshd:x:33:33:sshd:/:/bin/false
+gdm:x:42:42:GDM:/var/lib/gdm:/sbin/nologin
+ntp:x:44:44:User for NTP:/:/bin/false
+oprofile:x:51:51:oprofile:/:/bin/false
+usbmux:x:52:83:User for usbmux daemon:/var/empty:/bin/false
+sddm:x:64:64:User for SDDM:/var/lib/sddm:/bin/false
+pulse:x:65:65:User for PulseAudio:/var/run/pulse:/bin/false
+apache:x:80:80:User for Apache:/srv/httpd:/bin/false
+messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
+haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
+polkitd:x:87:87:PolicyKit daemon owner:/var/lib/polkit:/bin/false
+pop:x:90:90:POP:/:/bin/false
+postfix:x:91:91:User for Postfix MTA:/dev/null:/bin/false
+dovecot:x:94:94:User for Dovecot processes:/dev/null:/bin/false
+dovenull:x:95:95:User for Dovecot login processing:/dev/null:/bin/false
+nobody:x:99:99:nobody:/:/bin/false
diff --git a/source/a/etc/shadow.new b/source/a/etc/shadow.new
new file mode 100644
index 000000000..fd3a87cca
--- /dev/null
+++ b/source/a/etc/shadow.new
@@ -0,0 +1,33 @@
+root::9804:0:::::
+bin:*:9797:0:::::
+daemon:*:9797:0:::::
+adm:*:9797:0:::::
+lp:*:9797:0:::::
+sync:*:9797:0:::::
+shutdown:*:9797:0:::::
+halt:*:9797:0:::::
+mail:*:9797:0:::::
+news:*:9797:0:::::
+uucp:*:9797:0:::::
+operator:*:9797:0:::::
+games:*:9797:0:::::
+ftp:*:9797:0:::::
+smmsp:*:9797:0:::::
+mysql:*:9797:0:::::
+rpc:*:9797:0:::::
+sshd:*:9797:0:::::
+gdm:*:9797:0:::::
+ntp:*:9797:0:::::
+oprofile:*:9797:0:::::
+usbmux:*:9797:0:::::
+sddm:*:9797:0:::::
+pulse:*:9797:0:::::
+apache:*:9797:0:::::
+messagebus:*:9797:0:::::
+haldaemon:*:9797:0:::::
+polkitd:*:9797:0:::::
+pop:*:9797:0:::::
+postfix:*:9797:0:::::
+dovecot:*:9797:0:::::
+dovenull:*:9797:0:::::
+nobody:*:9797:0:::::
diff --git a/source/a/sysvinit-scripts/scripts/rc.M b/source/a/sysvinit-scripts/scripts/rc.M
index 6bd667c56..30c852958 100644
--- a/source/a/sysvinit-scripts/scripts/rc.M
+++ b/source/a/sysvinit-scripts/scripts/rc.M
@@ -94,6 +94,16 @@ if grep -wq sysfs /proc/mounts && grep -q devtmpfs /proc/filesystems ; then
 fi
 fi
 
+# Start the haveged entropy daemon:
+if [ -x /etc/rc.d/rc.haveged ]; then
+ /etc/rc.d/rc.haveged start
+fi
+
+# Start the rngd entropy daemon:
+if [ -x /etc/rc.d/rc.rngd ]; then
+ /etc/rc.d/rc.rngd start
+fi
+
 # Initialize the networking hardware.
 if [ -x /etc/rc.d/rc.inet1 ]; then
 /etc/rc.d/rc.inet1
diff --git a/source/a/sysvinit-scripts/scripts/rc.S b/source/a/sysvinit-scripts/scripts/rc.S
index c53548f4a..793d95852 100644
--- a/source/a/sysvinit-scripts/scripts/rc.S
+++ b/source/a/sysvinit-scripts/scripts/rc.S
@@ -73,11 +73,6 @@ if grep -wq cgroup /proc/filesystems ; then
 fi
 fi
 
-# Start the haveged entropy daemon:
-if [ -x /etc/rc.d/rc.haveged ]; then
- /etc/rc.d/rc.haveged start
-fi
-
 # Initialize the Logical Volume Manager.
 # This won't start unless we find /etc/lvmtab (LVM1) or
 # /etc/lvm/backup/ (LVM2). This is created by /sbin/vgscan, so to
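Review bot: The root entry `root::9804:0:::::` ships with an empty password field, so wherever config() in doinst.sh installs this file as /etc/shadow (no existing shadow file) the root account has no password until the installer or the admin sets one; on an already-installed system the merge loop leaves the existing root line alone, so the exposure is limited to fresh installs and presumably relies on the installer running passwd afterwards. Every other entry is locked with `*`, which is the right shape for the service accounts. If the intent is for root to fail closed until a password is chosen, `root:*:9804:0:::::` (or `!`) would do that without affecting the later passwd step; if the empty field is deliberate for first-boot access, a comment in etc.SlackBuild next to the shadow.new handling stating so would save the next reviewer the question.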
@@ -446,4 +441,3 @@ else
 dd if=/dev/urandom of=/etc/random-seed count=1 bs=512 2> /dev/null
 fi
 chmod 600 /etc/random-seed
-
diff --git a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
index 6e47bc031..34ef07a74 100755
--- a/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
+++ b/source/a/sysvinit-scripts/sysvinit-scripts.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 PKGNAM=sysvinit-scripts
 VERSION=${VERSION:-2.1}
 ARCH=noarch
-BUILD=${BUILD:-10}
+BUILD=${BUILD:-11}
 
 # If the variable PRINT_PACKAGE_NAME is set, then this script will report what
 # the name of the created package would be, and then exit. This information
-- 
cgit v1.2.3