diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..0a80fdce31f59c062e2abba28776e9521eddff30
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..b192ef1bb53d063eb50bedf0392f6743e6bfbb76
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/ntp
diff --git a/backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch b/backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
deleted file mode 100644
index 9ec1ebf8339fec41a1c0da9c4a9b32adc7955cba..0000000000000000000000000000000000000000
--- a/backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 6f92672308e9ff2ff72f1d929b6887ab24787e42 Mon Sep 17 00:00:00 2001
-From: Harlen Stenn
-Date: Tue, 20 Jun 2023 18:41:55 +0000
-Subject: [PATCH] add NULL pointer check when ntpd deletes the last interface
-
-Conflict:NA
-Reference:https://bugs.ntp.org/attachment.cgi?id=1854&action=diff
-
----
- include/ntp_lists.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/include/ntp_lists.h b/include/ntp_lists.h
-index d741974..37befc0 100644
---- a/include/ntp_lists.h
-+++ b/include/ntp_lists.h
-@@ -181,7 +181,7 @@ do { \
-
- #define UNLINK_EXPR_SLIST(punlinked, listhead, expr, nextlink, \
- entrytype) \
--do { \
-+if (NULL != (listhead)) { \
- entrytype **ppentry; \
- \
- ppentry = &(listhead); \
-@@ -202,6 +202,8 @@ do { \
- } else { \
- (punlinked) = NULL; \
- } \
-+} else do { \
-+ (punlinked) = NULL; \
- } while (FALSE)
-
- #define UNLINK_SLIST(punlinked, listhead, ptounlink, nextlink, \
---
-2.27.0
-
diff --git a/ntp-4.2.8p17.tar.gz b/ntp-4.2.8p17.tar.gz
deleted file mode 100644
index 92894e4ba38c555411cb31fa48a3682cc3e8784e..0000000000000000000000000000000000000000
Binary files a/ntp-4.2.8p17.tar.gz and /dev/null differ
diff --git a/ntp-4.2.8p18.tar.gz b/ntp-4.2.8p18.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0a0e738b5207fd4276e5703a17c1eabc6cba4d9c
--- /dev/null
+++ b/ntp-4.2.8p18.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf84c5f3fb1a295284942624d823fffa634144e096cfc4f9969ac98ef5f468e5
+size 7210799
diff --git a/ntp-ssl-libs.patch b/ntp-ssl-libs.patch
deleted file mode 100644
index f2b12fcb0cd8409013bc88610b2821177dc4bdbc..0000000000000000000000000000000000000000
--- a/ntp-ssl-libs.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff -up ntp-4.2.8p13/configure.ssl-libs ntp-4.2.8p13/configure
---- ntp-4.2.8p13/configure.ssl-libs 2019-02-20 18:56:00.000000000 +0100
-+++ ntp-4.2.8p13/configure 2019-05-20 10:20:54.700427323 +0200
-@@ -30257,7 +30257,7 @@ $as_echo_n "checking pkg-config for $pkg
- CPPFLAGS_NTP="$CPPFLAGS_NTP `$PKG_CONFIG --cflags-only-I $pkg`"
- CFLAGS_NTP="$CFLAGS_NTP `$PKG_CONFIG --cflags-only-other $pkg`"
- LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-L $pkg`"
-- LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-l --static $pkg`"
-+ LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-l $pkg`"
- LDFLAGS_NTP="$LDFLAGS_NTP `$PKG_CONFIG --libs-only-other $pkg`"
- VER_SUFFIX=o
- ntp_openssl=yes
-diff -up ntp-4.2.8p13/sntp/configure.ssl-libs ntp-4.2.8p13/sntp/configure
---- ntp-4.2.8p13/sntp/configure.ssl-libs 2019-02-20 18:55:31.000000000 +0100
-+++ ntp-4.2.8p13/sntp/configure 2019-05-20 10:20:43.575400947 +0200
-@@ -25185,7 +25185,7 @@ $as_echo_n "checking pkg-config for $pkg
- CPPFLAGS_NTP="$CPPFLAGS_NTP `$PKG_CONFIG --cflags-only-I $pkg`"
- CFLAGS_NTP="$CFLAGS_NTP `$PKG_CONFIG --cflags-only-other $pkg`"
- LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-L $pkg`"
-- LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-l --static $pkg`"
-+ LDADD_NTP="$LDADD_NTP `$PKG_CONFIG --libs-only-l $pkg`"
- LDFLAGS_NTP="$LDFLAGS_NTP `$PKG_CONFIG --libs-only-other $pkg`"
- VER_SUFFIX=o
- ntp_openssl=yes
diff --git a/ntp-wait.service b/ntp-wait.service
index 8d67e1353205ff29bb42a9249a1a66fe6fcf3874..ebc4480bc93ff334ee25df82025aa84464a0eb2d 100644
--- a/ntp-wait.service
+++ b/ntp-wait.service
@@ -6,6 +6,16 @@ Before=time-sync.target
 Wants=time-sync.target
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# end of automatic additions
 Type=oneshot
 ExecStart=/usr/sbin/ntp-wait
 RemainAfterExit=yes
diff --git a/ntp.spec b/ntp.spec
index 89504fde7162fdd75019e2ee780c5e615576583f..75b68aef0eb5d5143f87e4500dd106e077a6aca9 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -1,8 +1,8 @@
 %global _hardened_build 1
 Name: ntp
-Version: 4.2.8p17
-Release: 3
+Version: 4.2.8p18
+Release: 1
 Summary: A protocol designed to synchronize the clocks of computers over a network
 License: MIT and BSD and BSD with advertising
 URL: https://www.ntp.org/
@@ -15,21 +15,21 @@ Source7: ntpdate.wrapper
 Source8: ntp.cryptopw
 Source9: ntpdate.sysconfig
 Source10: ntp.dhclient
+Source11: ntp.sysusers.conf
 Source12: ntpd.service
 Source13: ntpdate.service
 Source14: ntp-wait.service
 Source15: sntp.service
 Source16: sntp.sysconfig
-Patch1: ntp-ssl-libs.patch
 Patch2: bugfix-fix-bind-port-in-debug-mode.patch
 Patch3: bugfix-fix-ifindex-length.patch
 Patch4: fix-MD5-manpage.patch
-Patch5: backport-add-NULL-pointer-check-when-ntpd-deletes-the-last-interface.patch
 Patch6: backport-ntpd-abort-if-fail-to-drop-root.patch
 BuildRequires: libcap-devel openssl-devel libedit-devel libevent-devel pps-tools-devel
 BuildRequires: autogen autogen-libopts-devel systemd gcc perl-generators perl-HTML-Parser
-Requires(pre): shadow-utils autogen >= 5.18.16
+Requires: autogen >= %(rpm -q --queryformat="%%{VERSION}" autogen)
+%{?sysusers_requires_compat}
 %{?systemd_requires}
 Recommends: ntpstat timedatex
 Provides: ntpdate sntp
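Review bot: The hardening block added under `[Service]` in ntp-wait.service, and repeated verbatim in the ntpd.service hunk, restricts filesystem and kernel interfaces but does not set `NoNewPrivileges=true`, which is cheap for both units and would not be expected to interfere with ntpd dropping to `ntp:ntp`. No `User=` line is visible in this hunk, so ntp-wait presumably still runs as root although it only polls the local daemon; the unit continues outside the hunk, so check that before adding an unprivileged `User=`. The `# added automatically` comment points at an openSUSE wiki page; a comment naming where the block was imported from would be more accurate in this repository.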
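Review bot: In the `@@ -15,21 +15,21 @@` hunk of ntp.spec, `Requires: autogen >= %(rpm -q --queryformat="%%{VERSION}" autogen)` is expanded by running `rpm -q` on whatever host parses the spec, so the runtime dependency follows the builder's installed autogen, and when autogen is absent at parse time (for example while the source package is generated) the query's "not installed" message ends up in the tag. A fixed floor as before, `Requires: autogen >= 5.18.16`, keeps the dependency reproducible. The same hunk drops Patch5 (the NULL `listhead` check in `UNLINK_EXPR_SLIST`) and Patch1; the page does not show that 4.2.8p18 carries those changes, so that should be confirmed against the new tarball before the backports are removed.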
@@ -124,6 +124,7 @@ sed -e 's|VENDORZONE\.|%{vendorzone}|' \
 touch -r %{SOURCE16} .%{_sysconfdir}/sysconfig/sntp
 install -p -m600 %{SOURCE8} .%{_sysconfdir}/ntp/crypto/pw
 install -p -m755 %{SOURCE10} .%{_sysconfdir}/dhcp/dhclient.d/ntp.sh
+install -m0644 -D %{SOURCE11} %{buildroot}%{_sysusersdir}/ntp.conf
 install -p -m644 %{SOURCE12} .%{_unitdir}/ntpd.service
 install -p -m644 %{SOURCE13} .%{_unitdir}/ntpdate.service
 install -p -m644 %{SOURCE14} .%{_unitdir}/ntp-wait.service
@@ -135,11 +136,10 @@ echo 'ntpd.service' > .%{_prefix}/lib/systemd/ntp-units.d/60-ntpd.list
 popd
 %check
-make check
+%make_build check
 %pre
-/usr/sbin/groupadd -g 38 ntp 2> /dev/null || :
-/usr/sbin/useradd -u 38 -g 38 -s /sbin/nologin -M -r -d %{_sysconfdir}/ntp ntp 2>/dev/null || :
+%sysusers_create_compat %{S:11}
 %post
 %systemd_post ntpd.service ntpdate.service sntp.service
@@ -160,7 +160,6 @@ make check
 %systemd_postun ntp-wait.service
 %files
-%defattr(-,root,root)
 %doc COPYRIGHT ChangeLog NEWS
 %license COPYRIGHT
 %dir %attr(-,ntp,ntp) %{_localstatedir}/lib/ntp
@@ -188,12 +187,12 @@ make check
 %ghost %attr(644,ntp,ntp) %{_localstatedir}/lib/ntp/drift
 %ghost %{_localstatedir}/lib/sntp/kod
+%{_sysusersdir}/ntp.conf
 %{_unitdir}/*.service
 %{_prefix}/lib/systemd/ntp-units.d/*.list
 %{_libexecdir}/ntpdate-wrapper
 %files perl
-%defattr(-,root,root)
 %{_sbindir}/calc_tickadj
 %{_sbindir}/ntp-wait
 %{_sbindir}/ntptrace
@@ -201,13 +200,17 @@ make check
 %{_datadir}/ntp
 %files help
-%defattr(-,root,root)
 %dir %{ntpdocdir}
 %{ntpdocdir}/html
 %{_mandir}/man5/*.5*
 %{_mandir}/man8/*.8*
 %changelog
+* Sun Mar 02 2025 Funda Wang - 4.2.8p18-1
+- update to 4.2.8p18
+- harden systemd service
+- convert user creation to systemd style
 * Tue Jan 23 2024 chengyechun - 4.2.8p17-3
 - Type:bugfix
 - ID:NA
diff --git a/ntp.sysusers.conf b/ntp.sysusers.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7cea41d5168e0465e837f214c0f5b0067d403a7d
--- /dev/null
+++ b/ntp.sysusers.conf
@@ -0,0 +1 @@
+u ntp 38 - /etc/ntp /sbin/nologin
diff --git a/ntpd.service b/ntpd.service
index 61dee04c70ab0cdab3606a54ea3a4bf0ff35776d..20594a72cf1a989169c194ab55a2afbedd98a93c 100644
--- a/ntpd.service
+++ b/ntpd.service
@@ -9,6 +9,16 @@ EnvironmentFile=-/etc/sysconfig/ntpd
 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS
 PrivateTmp=true
 Restart=on-failure
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+# end of automatic additions
 [Install]
 WantedBy=multi-user.target
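Review bot: The new ntp.sysusers.conf has no comment and leaves the GECOS field as `-`, so nothing in the file records why the ID is pinned to 38. sysusers.d files accept `#` comments; a line such as `# ntp daemon account; uid/gid 38 kept from the former groupadd/useradd scriptlet in %pre` above the entry, together with a quoted description in place of `-`, would keep that context with the file.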
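Review bot: `ProtectSystem=full` in the ntpd.service hunk makes /etc read-only for the daemon, so an existing ntp.conf that keeps `driftfile`, `statsdir` or a log file under /etc/ntp (the account's home directory in ntp.sysusers.conf) will start failing writes after this update; the packaged drift file under /var/lib/ntp is not affected. Either note that in the changelog or add a `ReadWritePaths=` entry for the directories the shipped configuration actually writes. For a daemon that starts as root and drops to `ntp:ntp`, a `CapabilityBoundingSet=` limited to what ntpd needs would add more than the kernel-interface directives do; the required set (presumably at least CAP_SYS_TIME, CAP_NET_BIND_SERVICE, CAP_SETUID and CAP_SETGID) should be verified against this build before it is enabled.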