rpm-build/scripts/brp-verify-unit.in
George V. Kouryachy (Fr. Br. George) 8892bcefce brp: Fix permissions in a common section instead of error report
- scripts/brp-fix-perms.in: fix systemd units and man/info permissions
- scripts/brp-verify-unit.in: drop validation of already fixed permissions
- scripts/brp-compress.in: move permission fix to brp-fix-perms

Provide a section in brp-fix-perms for cleaning out x, s and t bits from
files not supposed to have them, particularly, systemd unit files, info
and man pages (actually, all files from /**/man/** are processed, presumably
they do not need those bits). Remove permission validation from
brp-verify-unit, considering having those bits on unit files is not an
error. Move permission fix from brp-compress (it appears that no files
in %_compress_skiplist have been fixed, which is slightly wrong) to
the corresponding place in brp-fix-perms.
2024-03-11 17:00:00 +03:00

54 lines
1.4 KiB
Bash
Executable File

#!/bin/sh -eu
# SPDX-License-Identifier: GPL-2.0-or-later

. @RPMCONFIGDIR@/functions

ValidateBuildRoot

cd "$RPM_BUILD_ROOT"

Error() {
	echo "${0##*/}: ERROR: $*" >&2
}

# Validates user and group credentials of processes spawned by this unit.
# Returns 0 when the unit is clean and 1 when it hands its processes to the
# overflow uid/gid (nobody/65534): that identity is shared by everything that
# has no better one and is not a service account, so a packaged unit must not
# rely on it.
ValidateUnitExecUG() {
	# We do not catch the case where a relevant directive is set to an
	# invalid value and then overwritten with a valid value by a further
	# drop-in file, always present when the original unit is present. It
	# makes very little sense to do this in a package instead of patching
	# the unit to be correct.
	local k_regex
	local rc=0
	local unitf="$1"; shift

	# Aliases are symlinks; the unit they point at is checked on its own.
	[ -L "$unitf" ] && return ||:

	# User= and Group= take one name or numeric ID. The key regex is anchored
	# at line start, so commented-out directives are ignored, and the value is
	# matched whole so that a name merely containing "nobody" is not flagged.
	k_regex='^[[:space:]]*(User|Group)[[:space:]]*=[[:space:]]*'
	if sed -En "s/$k_regex//p" "$unitf" | grep -Eq '^(nobody|65534)[[:space:]]*$'; then
		Error "\"${unitf#.}\" assumes overflowugid credentials"
		rc=1
	fi

	# SupplementaryGroups= is a space-separated list of names or IDs; the key
	# is replaced by a space so that every entry is delimited on both sides.
	k_regex='^[[:space:]]*SupplementaryGroups[[:space:]]*=[[:space:]]*'
	if sed -En "s/$k_regex/ /p" "$unitf" | grep -Eq ' (nobody|65534)([[:space:]]|$)'; then
		Error "\"${unitf#.}\" assumes overflowgid as supplementary group"
		rc=1
	fi

	return $rc
}

# Only system units are examined; USERUNITDIR is defined but not walked here.
USERUNITDIR="./usr/lib/systemd/user"
UNITDIR="./usr/lib/systemd/system"
[ -d "$UNITDIR" ] || UNITDIR="./lib/systemd/system"
[ -d "$UNITDIR" ] || exit 0

rc=0
echo "Verifying systemd units in $RPM_BUILD_ROOT"
Verbose "Examining ${UNITDIR#.}"
# Unit names never contain whitespace, so word-splitting find's output is
# safe; drop-in files under *.d/ are regular files and are checked as well.
for f in $(find "$UNITDIR" -type f); do
	ValidateUnitExecUG "$f" || rc=1
done

exit $rc
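To see the credential check act on real input, here is an added example (not rpm-build's own code) that re-implements the two regexes of ValidateUnitExecUG in a standalone function, populates a constructed build root with clean, flagged, commented-out, drop-in-overridden and symlinked units, and walks it the way the script does. The unit names, the service account acme and the ExecStart paths are made up for the demonstration; the drop-in case reproduces the limitation the script's own comment describes.

```shell
#!/bin/sh
# Added example, not rpm-build code: run the overflow-uid check of
# brp-verify-unit against a constructed build root. check_unit_exec_ug is a
# self-contained re-implementation of ValidateUnitExecUG (same regexes, no
# @RPMCONFIGDIR@/functions needed); every unit file below is constructed.

# Return 0 when the unit is clean, 1 when it runs its processes as the
# overflow uid/gid (nobody/65534) via User=/Group= or SupplementaryGroups=.
# Symlinks (aliases) are skipped, as in the original.
check_unit_exec_ug() {
	local unitf="$1" rc=0 k_regex
	[ -L "$unitf" ] && return 0 || :
	# Key regex anchored at line start: "# User=nobody" is a comment, not a hit.
	k_regex='^[[:space:]]*(User|Group)[[:space:]]*=[[:space:]]*'
	if sed -En "s/$k_regex//p" "$unitf" | grep -Eq '^(nobody|65534)[[:space:]]*$'; then
		echo "${unitf##*/}: assumes overflowugid credentials" >&2
		rc=1
	fi
	# The key is replaced by a space so each list entry is delimited on both sides.
	k_regex='^[[:space:]]*SupplementaryGroups[[:space:]]*=[[:space:]]*'
	if sed -En "s/$k_regex/ /p" "$unitf" | grep -Eq ' (nobody|65534)([[:space:]]|$)'; then
		echo "${unitf##*/}: assumes overflowgid as supplementary group" >&2
		rc=1
	fi
	return $rc
}

# Populate a constructed build root under "$1" with representative units
# (hypothetical service account "acme" and exec paths).
make_buildroot() {
	local unitdir="$1/usr/lib/systemd/system"
	mkdir -p "$unitdir/bad.service.d"
	# Clean: dedicated service account.
	printf '[Service]\nUser=acme\nGroup=acme\nExecStart=/usr/bin/acmed\n' >"$unitdir/good.service"
	# Flagged: runs as the overflow uid (whitespace around "=" is allowed).
	printf '[Service]\nUser = nobody\nExecStart=/usr/bin/foo\n' >"$unitdir/bad.service"
	# Flagged: overflow gid in the middle of a supplementary group list.
	printf '[Service]\nUser=acme\nSupplementaryGroups=audio 65534 video\nExecStart=/usr/bin/bar\n' >"$unitdir/supp.service"
	# Drop-in overriding User= for bad.service: systemd would honour it, but
	# the check is per file, so bad.service is still reported (the limitation
	# the script's own comment describes).
	printf '[Service]\nUser=acme\n' >"$unitdir/bad.service.d/override.conf"
	# Clean: the offending directive is commented out.
	printf '[Service]\n# User=nobody\nUser=acme\nExecStart=/usr/bin/baz\n' >"$unitdir/commented.service"
	# Alias symlink: skipped, its target is checked on its own.
	ln -s good.service "$unitdir/alias.service"
}

# Walk the system unit directory like brp-verify-unit does, print the
# basenames of failing units one per line, and return 1 if any failed.
# Unit names never contain whitespace, so word-splitting find is safe.
verify_units() {
	local unitdir="$1/usr/lib/systemd/system" rc=0 f
	for f in $(find "$unitdir" -type f | LC_ALL=C sort); do
		check_unit_exec_ug "$f" 2>/dev/null || { echo "${f##*/}"; rc=1; }
	done
	return $rc
}

# Demo run in a throwaway directory; the flagged units are bad.service and
# supp.service.
demo_root=$(mktemp -d)
make_buildroot "$demo_root"
verify_units "$demo_root" || echo "brp-verify-unit would fail this build" >&2
rm -rf "$demo_root"
```

The drop-in case is worth keeping in mind when a package ships override.conf files: the per-file check reports the base unit even though systemd's effective User= is the overridden one, which is exactly why the script says to patch the unit rather than paper over it with a drop-in.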