Hi!

The Sisyphus published today includes a new rpm-build:

> rpm-build - Scripts and executable programs used to build packages
> * Thu Jan 11 2024 Arseny Maslennikov 4.0.4.195-alt1
> - debuginfo: Changed compression format (--lzma2=dict=2MiB ->
> --check=crc32 --lzma2=dict=1MiB) of xz-compressed modules for compatibility
> with kmod >= 31 (thx asheplyakov@).
> - Introduced brp-verify-unit to check sanity of systemd units included
> in built packages.

The new brp module sanity-checks systemd units. For now it contains two checks:

* a file containing a systemd unit must not have the x bit set;
* a file containing a systemd unit that spawns a process must not run anything as nobody.

Today's test rebuild turned up[1] 14 source packages that install a unit somewhere with rwxr-xr-x permissions, and 1 package containing a unit with rwxr-x--- permissions.

[1] https://lore.altlinux.org/sisyphus-cybertalk/Zcb1ezIHJkgVff21@beehive.mskdc.altlinux.org/T/#u

The packages listed below need to be fixed by removing the x bits from the systemd units under %buildroot. The acl for the package is given below each quote from the rebuild log.

bonito-open-5.58.1-alt1
+ mv misc/bonito_clear_cache.cron /usr/src/tmp/bonito-open-buildroot//etc/cron.d/bonito_clear_cache
+ sed 's|/usr/bin/bonito_clear_cache|/usr/bin/bonito_clear_cache|' bonito_clear_cache
+ chmod a+x /usr/src/tmp/bonito-open-buildroot//usr/bin/bonito_clear_cache
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/bonito-open-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/bonito-open-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/bonito-open-buildroot/ (default)
Compressing files in /usr/src/tmp/bonito-open-buildroot (auto)
Verifying systemd units in /usr/src/tmp/bonito-open-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/skejobserver.service": -rwxr-xr-x

bonito-open kirill @everybody

bozohttpd-20220517-alt1
044-verify-unit.brp: bad permissions on "/lib/systemd/system/bozohttpd@.service": -rwxr-xr-x
044-verify-unit.brp: ERROR: "/lib/systemd/system/bozohttpd@.service" assumes overflowugid credentials

bozohttpd george @everybody

cpufreqd-2.4.3-alt3
<...>
Verifying and fixing files in /usr/src/tmp/cpufreqd-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/cpufreqd-buildroot/ (default)
Compressing files in /usr/src/tmp/cpufreqd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/cpufreqd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/cpufreqd.service": -rwxr-xr-x

cpufreqd shaba

ctwm-1:4.1.0-alt1
Verifying and fixing files in /usr/src/tmp/ctwm-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/ctwm-buildroot/ (default)
Compressing files in /usr/src/tmp/ctwm-buildroot (auto)
mode of '/usr/src/tmp/ctwm-buildroot/usr/share/man/man1/ctwm.1' changed from 0755 (rwxr-xr-x) to 0644 (rw-r--r--)
gunzip: /usr/src/tmp/ctwm-buildroot/usr/share/man/man1/ctwm.1 already exists; not overwritten
Verifying systemd units in /usr/src/tmp/ctwm-buildroot
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm.target": -rwxr-xr-x
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm-session.target": -rwxr-xr-x
044-verify-unit.brp: bad permissions on "/usr/lib/systemd/user/ctwm.service": -rwxr-xr-x

ctwm george @qa

dictd-1:1.13.1-alt1
<...>
Checking contents of files in /usr/src/tmp/dictd-buildroot/ (default)
Compressing files in /usr/src/tmp/dictd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/dictd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/dictd.service": -rwxr-xr-x

dictd lav cheusov @qa @everybody

foreman-3.5.1-alt8
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/foreman-buildroot (auto)
removed './usr/lib/foreman/Gemfile.orig'
removed './usr/lib/foreman/app/models/setting.rb.orig'
removed './usr/lib/foreman/app/models/role.rb.orig'
Verifying and fixing files in /usr/src/tmp/foreman-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/foreman-buildroot/ (default)
Compressing files in /usr/src/tmp/foreman-buildroot (auto)
Verifying systemd units in /usr/src/tmp/foreman-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/foreman.service": -rwxr-xr-x

foreman majioa @everybody

ima-integrity-check-0.5.1-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/ima-integrity-check-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/ima-integrity-check-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/ima-integrity-check-buildroot/ (default)
Compressing files in /usr/src/tmp/ima-integrity-check-buildroot (auto)
Verifying systemd units in /usr/src/tmp/ima-integrity-check-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/signing.service": -rwxr-x---

ima-integrity-check nbr @everybody

matterbridge-1.22.3-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/matterbridge-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/matterbridge-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/matterbridge-buildroot/ (default)
Compressing files in /usr/src/tmp/matterbridge-buildroot (auto)
Verifying systemd units in /usr/src/tmp/matterbridge-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/matterbridge.service": -rwxr-xr-x

matterbridge @nobody

nbd-3.25-alt1
+ install -pD -m644 /usr/src/RPM/SOURCES/nbd.sysconfig /usr/src/tmp/nbd-buildroot/etc/sysconfig/nbd-server
+ mkdir -p /usr/src/tmp/nbd-buildroot/usr/share/doc/nbd-3.25
+ install -pm644 README.md tests/run/simple_test /usr/src/tmp/nbd-buildroot/usr/share/doc/nbd-3.25/
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/nbd-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/nbd-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/nbd-buildroot/ (default)
Compressing files in /usr/src/tmp/nbd-buildroot (auto)
Verifying systemd units in /usr/src/tmp/nbd-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/nbd-server.service": -rwxr-xr-x

nbd rider @everybody

passivedns-1.2.1-alt3
+ mkdir -p /usr/src/tmp/passivedns-buildroot/etc/logrotate.d
+ cat
+ ln -s /dev/null /usr/src/tmp/passivedns-buildroot/lib/systemd/system/passivedns.service
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/passivedns-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/passivedns-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/passivedns-buildroot/ (default)
Compressing files in /usr/src/tmp/passivedns-buildroot (auto)
Verifying systemd units in /usr/src/tmp/passivedns-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/passivedns@.service": -rwxr-xr-x

passivedns rider @everybody

puppetdb-7.12.0-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/puppetdb-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/puppetdb-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/puppetdb-buildroot/ (default)
Compressing files in /usr/src/tmp/puppetdb-buildroot (auto)
Verifying systemd units in /usr/src/tmp/puppetdb-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/puppetdb.service": -rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.52351 (%install)
RPM build errors:
Macro %ubt not found

puppetdb dshein @everybody

virtualbox-7.0.14-alt1
Checking contents of files in /usr/src/tmp/virtualbox-buildroot/ (default)
Compressing files in /usr/src/tmp/virtualbox-buildroot (auto)
Verifying systemd units in /usr/src/tmp/virtualbox-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/virtualbox-vmsvga.service": -rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.25157 (%install)
RPM build errors:
line 181: Deprecated PreReq converted to Requires(pre,postun): PreReq: virtualbox-common = 7.0.14-alt1
line 314: Deprecated PreReq converted to Requires(pre,postun): PreReq: control >= 0.7.2-alt1
line 315: Deprecated PreReq converted to Requires(pre,postun): PreReq: shadow-utils
line 317: Deprecated PreReq converted to Requires(pre,postun): PreReq: sysvinit-utils

virtualbox sin nbr greh

vnstat-2.11-alt1
+ /usr/lib/rpm/brp-alt
Cleaning files in /usr/src/tmp/vnstat-buildroot (auto)
Verifying and fixing files in /usr/src/tmp/vnstat-buildroot (binconfig,pkgconfig,libtool,desktop,gnuconfig)
Checking contents of files in /usr/src/tmp/vnstat-buildroot/ (default)
Compressing files in /usr/src/tmp/vnstat-buildroot (auto)
Verifying systemd units in /usr/src/tmp/vnstat-buildroot
044-verify-unit.brp: bad permissions on "/lib/systemd/system/vnstatd.service": -rwxr-xr-x
error: Bad exit status from /usr/src/tmp/rpm-tmp.43441 (%install)
RPM build errors:
File /usr/src/RPM/SOURCES/vnstat-2.11-alt1.patch is smaller than 8 bytes

vnstat naf

I'll write a bit later about the 5 packages that brp-verify-unit rejected because of overflowugid credentials.
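
The two checks described in the message above, sketched as a stand-alone shell script that can be run against a buildroot before submitting a package. This is an added example, not the code of brp-verify-unit itself: the directories scanned, the account names matched (nobody, nogroup, 65534), the unit suffixes treated as process-spawning, and the sample buildroot with its "demo" package are all assumptions.

```shell
#!/bin/sh
# Added example: a minimal re-creation of the two checks described above.
# It is NOT the real 044-verify-unit.brp; scanned directories, matched
# account names and unit suffixes are assumptions made for illustration.

UNIT_DIRS="lib/systemd/system usr/lib/systemd/system usr/lib/systemd/user"
OVERFLOW_RE='^[[:space:]]*(User|Group)[[:space:]]*=[[:space:]]*(nobody|nogroup|65534)[[:space:]]*$'

# scan_units BUILDROOT: print one finding per line, paths relative to BUILDROOT.
scan_units() {
    root=${1%/}
    for dir in $UNIT_DIRS; do
        [ -d "$root/$dir" ] || continue
        # Check 1: regular files carrying any execute bit. -type f skips
        # symlinks, e.g. a unit masked with a link to /dev/null.
        find "$root/$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        while IFS= read -r f; do
            mode=$(ls -ld "$f" | cut -c1-10)
            printf 'bad permissions on "%s": %s\n' "${f#"$root"}" "$mode"
        done
        # Check 2: unit types that spawn processes must not name the
        # overflow account in User= or Group=.
        find "$root/$dir" -type f \( -name '*.service' -o -name '*.socket' \
            -o -name '*.mount' -o -name '*.swap' \) |
        while IFS= read -r f; do
            if grep -Eq "$OVERFLOW_RE" "$f"; then
                printf 'ERROR: "%s" assumes overflowugid credentials\n' "${f#"$root"}"
            fi
        done
    done
    return 0
}

# Constructed sample buildroot (hypothetical package "demo").
make_sample_buildroot() {
    b=$(mktemp -d) && mkdir -p "$b/lib/systemd/system" || return 1
    printf '[Service]\nExecStart=/usr/bin/demo\nUser=nobody\n' > "$b/lib/systemd/system/demo.service"
    printf '[Service]\nExecStart=/usr/bin/ok\nUser=_ok\n' > "$b/lib/systemd/system/ok.service"
    chmod 755 "$b/lib/systemd/system/demo.service"
    chmod 644 "$b/lib/systemd/system/ok.service"
    ln -s /dev/null "$b/lib/systemd/system/masked.service"
    printf '%s\n' "$b"
}

buildroot=$(make_sample_buildroot)
scan_units "$buildroot"                                   # both findings for demo.service
chmod a-x "$buildroot/lib/systemd/system/demo.service"    # the fix requested above
scan_units "$buildroot"                                   # only the credentials finding remains
rm -rf "$buildroot"
```
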