[arch-commits] Commit in systemd/trunk (PKGBUILD)

Christian Hesse eworm at archlinux.org
Wed Jul 5 21:55:19 UTC 2017


    Date: Wednesday, July 5, 2017 @ 21:55:19
  Author: eworm
Revision: 299728

upgpkg: systemd 233.75-2

With systemd v233 each system service is run with a fresh session keyring
(upstream commit 74dd6b51) to store the invocation ID in the per-service
keyring (upstream commit b3415f5d). This broke accessing keys added to user
and user session keyrings.

Linking the user and user session keyrings to the session keyring makes the
situation even worse: A system service (like lightdm or sshd) is run with a
fresh session keyring that the user keyring is linked to. Every user
logging in inherits the keyrings and has access, which allows unprivileged
users to steal secrets from root and vice versa.

So drop the backport that links the keyrings (437a8511) and revert the
remaining keyring commits (74dd6b51 and b3415f5d).

Modified:
  systemd/trunk/PKGBUILD

----------+
 PKGBUILD |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-07-05 21:54:57 UTC (rev 299727)
+++ PKGBUILD	2017-07-05 21:55:19 UTC (rev 299728)
@@ -10,7 +10,7 @@
 # Bump this to latest major release for signed tag verification,
 # the commit count is handled by pkgver() function.
 pkgver=233.75
-pkgrel=1
+pkgrel=2
 arch=('i686' 'x86_64')
 url="https://www.github.com/systemd/systemd"
 makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam' 'libelf'
@@ -57,10 +57,15 @@
   '6554550f35a7976f9110aff94743d3576d5f02dd'
   # core: do not print color console message about gc-ed jobs
   '047d7219fde661698d3487fc49e9878c61eefd77'
-  # core: link user keyring to session keyring (#6275)
-  '437a85112e02042b62751395b9e7225628c1b708'
 )
 
+_reverts=(
+  # core: store the invocation ID in the per-service keyring
+  'b3415f5daef49642be3d5f417b8880c078420ff7'
+  # core: run each system service with a fresh session keyring
+  '74dd6b515fa968c5710b396a7664cac335e25ca8'
+)
+
 _validate_tag() {
   local success fingerprint trusted status tag=v${pkgver%.*}
 
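Review bot: the new `_reverts=(` block carries only the one-line upstream subjects, so the reason these two commits are reverted and the `437a851` backport is dropped (the keyring linking that lets unprivileged users and root read each other's secrets, per the commit message) is not visible to anyone reading the PKGBUILD later; a short comment above the array stating that rationale would help. The array order is also significant: the loop runs `git revert -n` in listed order, and since the commit message describes b3415f5d (store the invocation ID in the per-service keyring) as building on 74dd6b51 (fresh session keyring), listing b3415f5d first reverts the dependent change first, which is correct. A comment such as `# reverted in listed order, dependent commit first` would keep a future edit from reordering them.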
@@ -110,6 +115,9 @@
   for _commit in "${_backports[@]}"; do
     git cherry-pick -n "$_commit"
   done
+  for _commit in "${_reverts[@]}"; do
+    git revert -n "$_commit"
+  done
 
   # nss-resolve: drop the internal fallback to libnss_dns
   git show '5486a31d287f26bcd7c0a4eb2abfa4c074b985f1' -- \
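Review bot: the revert loop mirrors the `_backports` cherry-pick loop directly above it but contains no error handling of its own, so a conflicting `git revert -n` (which exits non-zero and leaves the conflict in the index) is caught only by makepkg's errexit on the surrounding function; that is acceptable, but because the reverts run after every `_backports` cherry-pick, any future backport that touches the same keyring code would conflict here rather than at the cherry-pick step. A comment noting that `_reverts` must be applied after `_backports` (and why) would make that ordering dependency explicit for the next maintainer.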
