[arch-commits] Commit in systemd/trunk (PKGBUILD)
Christian Hesse
eworm at archlinux.org
Wed Jul 5 21:55:19 UTC 2017
Date: Wednesday, July 5, 2017 @ 21:55:19
Author: eworm
Revision: 299728
upgpkg: systemd 233.75-2
With systemd v233 each system service is run with a fresh session keyring
(upstream commit 74dd6b51) to store the invocation ID in the per-service
keyring (upstream commit b3415f5d). This broke accessing keys added to user
and user session keyrings.

Linking the user and user session keyrings to the session keyring makes the
situation even worse: A system service (like lightdm or sshd) is run with a
fresh session keyring, that the user keyring is linked to. Every user
logging in inherits the keyrings and has access, which allows unprivileged
users to steal secrets from root and vice versa.

So drop the backport that links the keyrings (437a8511) and revert the
remaining keyring commits (74dd6b51 and b3415f5d).
Modified:
systemd/trunk/PKGBUILD
----------+
PKGBUILD | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-07-05 21:54:57 UTC (rev 299727)
+++ PKGBUILD 2017-07-05 21:55:19 UTC (rev 299728)
@@ -10,7 +10,7 @@
# Bump this to latest major release for signed tag verification,
# the commit count is handled by pkgver() function.
pkgver=233.75
-pkgrel=1
+pkgrel=2
arch=('i686' 'x86_64')
url="https://www.github.com/systemd/systemd"
makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf'
@@ -57,10 +57,15 @@
'6554550f35a7976f9110aff94743d3576d5f02dd'
# core: do not print color console message about gc-ed jobs
'047d7219fde661698d3487fc49e9878c61eefd77'
- # core: link user keyring to session keyring (#6275)
- '437a85112e02042b62751395b9e7225628c1b708'
)
+_reverts=(
+ # core: store the invocation ID in the per-service keyring
+ 'b3415f5daef49642be3d5f417b8880c078420ff7'
+ # core: run each system service with a fresh session keyring
+ '74dd6b515fa968c5710b396a7664cac335e25ca8'
+)
+
_validate_tag() {
local success fingerprint trusted status tag=v${pkgver%.*}
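Review bot: The new _reverts array has no comment saying why these two upstream commits are reverted or that the order of its entries matters. The loop added further down reverts them top to bottom, so if b3415f5d (store the invocation ID in the per-service keyring) builds on 74dd6b51 (fresh session keyring per service), as the commit message suggests, it has to stay listed first. A short comment above _reverts=( stating the ordering, the keyring exposure that motivated the reverts, and the condition under which they can be dropped would keep a later edit from reordering or silently removing them.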
@@ -110,6 +115,9 @@
for _commit in "${_backports[@]}"; do
git cherry-pick -n "$_commit"
done
+ for _commit in "${_reverts[@]}"; do
+ git revert -n "$_commit"
+ done
# nss-resolve: drop the internal fallback to libnss_dns
git show '5486a31d287f26bcd7c0a4eb2abfa4c074b985f1' -- \
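Review bot: The git revert -n call in the added loop has no failure handling of its own, and it runs on top of the uncommitted changes left by the git cherry-pick -n loop just above it. If a revert conflicts with one of the backports, whether the build stops depends on error handling outside the visible lines. Consider making the abort explicit (for example git revert -n "$_commit" || return 1, assuming this runs inside a function) so that a tree with the keyring changes only partly reverted is never built into the package.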