retitle 941738 buster-pu: package network-manager/1.14.6-2+deb10u1 thanks Am 04.10.19 um 15:20 schrieb Michael Biebl: > Am 04.10.19 um 15:09 schrieb Michael Biebl: >> +network-manager (1.14.6-3) stable; urgency=medium > > 1.14.6-3 is unused so far, but I guess it would be better to use > 1.14.6-2+deb10u1 instead?
I guess the latter is more in line with current practice, so retitling the bug report accordingly. Updated debdiff attached. Please let me know if I can proceed with the upload. Regards, Michael -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
diff --git a/debian/changelog b/debian/changelog
index 7cb171e5a..13658c1c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+network-manager (1.14.6-2+deb10u1) stable; urgency=medium
+
+ * core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+ Patch cherry-picked from upstream.
+ * Fix permissions of /var/lib/NetworkManager/secret_key on upgrades.
+ The file mode is supposed to be 0600. (Closes: #941609)
+ * Install directories as created by upstream build system.
+ Drop network-manager.dirs and instead use the directories created by the
+ upstream build system. Fix permissions of /var/lib/NetworkManager to be
+ 0700 as it contains possibly sensitive data and should not be
+ world-readable.
+ * d/gbp.conf: Set debian-branch to buster
+
+ -- Michael Biebl <bi...@debian.org> Fri, 04 Oct 2019 15:03:20 +0200
+
 network-manager (1.14.6-2) unstable; urgency=medium
 
 * supplicant: fix setting pmf when the supplicant doesn't advertise support
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 478d845ce..3c81df87a 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
 patch-numbers = False
-debian-branch = master
+debian-branch = buster
diff --git a/debian/network-manager.dirs b/debian/network-manager.dirs
deleted file mode 100644
index e09403be4..000000000
--- a/debian/network-manager.dirs
+++ /dev/null
@@ -1,10 +0,0 @@
-etc/NetworkManager/conf.d/
-etc/NetworkManager/dispatcher.d/no-wait.d/
-etc/NetworkManager/dispatcher.d/pre-down.d/
-etc/NetworkManager/dispatcher.d/pre-up.d/
-etc/NetworkManager/dnsmasq.d/
-etc/NetworkManager/dnsmasq-shared.d/
-etc/NetworkManager/system-connections/
-usr/lib/NetworkManager/conf.d/
-usr/lib/NetworkManager/VPN/
-var/lib/NetworkManager/
diff --git a/debian/network-manager.install b/debian/network-manager.install
index 0f1e82ae5..3f94d7a46 100644
--- a/debian/network-manager.install
+++ b/debian/network-manager.install
@@ -2,10 +2,7 @@ usr/sbin/NetworkManager
 usr/bin/nm-online
 usr/bin/nmcli
 usr/bin/nmtui*
-usr/lib/NetworkManager/nm-dhcp-helper
-usr/lib/NetworkManager/nm-iface-helper
-usr/lib/NetworkManager/nm-dispatcher
-usr/lib/NetworkManager/nm-initrd-generator
+usr/lib/NetworkManager/
 usr/lib/*/NetworkManager/*/libnm-settings-plugin-ifupdown.so
 usr/lib/*/NetworkManager/*/libnm-device-plugin-*.so
 usr/lib/*/NetworkManager/*/libnm-ppp-plugin.so
@@ -18,7 +15,8 @@ usr/share/dbus-1/system.d/org.freedesktop.NetworkManager.conf
 usr/share/dbus-1/system.d/nm-dispatcher.conf
 usr/share/polkit-1/
 usr/share/bash-completion/
-etc/NetworkManager/dispatcher.d/
+etc/NetworkManager/
+var/lib/NetworkManager/
 lib/udev/rules.d/*.rules
 lib/systemd/system/NetworkManager.service
 lib/systemd/system/NetworkManager-dispatcher.service
diff --git a/debian/network-manager.postinst b/debian/network-manager.postinst
index 0f95087f8..7f0589da6 100644
--- a/debian/network-manager.postinst
+++ b/debian/network-manager.postinst
@@ -24,6 +24,9 @@ case "$1" in
 # org.freedesktop.NetworkManager.settings.modify.system without prior authentication
 addgroup --quiet --system netdev
 
+ # This directory can contain sensitive data and should not be world-readable
+ chmod 0700 /var/lib/NetworkManager
+
 NIF=/etc/network/interfaces
 if [ -z "$2" ] && [ -f $NIF ]; then
 ifaces=`grep -v '^#' $NIF | awk '/iface/ {print $2}' | sort -u | sed -e 's/lo//' -e '/^$/d' -e 's/^/- /'`
@@ -44,6 +47,12 @@ case "$1" in
 ln -sf /run/NetworkManager/resolv.conf /etc/resolv.conf
 fi
 fi
+
+ if dpkg --compare-versions "$2" lt-nl "1.14.6-3"; then
+ if [ -f /var/lib/NetworkManager/secret_key ]; then
+ chmod 0600 /var/lib/NetworkManager/secret_key
+ fi
+ fi
 ;;
 
 abort-upgrade|abort-deconfigure|abort-remove)
diff --git a/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
new file mode 100644
index 000000000..8e51fa6a4
--- /dev/null
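Review bot: The added `chmod 0700 /var/lib/NetworkManager` in the first postinst hunk runs unconditionally on every `configure`, so it silently overrides a mode the administrator may have registered with dpkg-statoverride. Guarding it keeps local overrides intact: `dpkg-statoverride --list /var/lib/NetworkManager >/dev/null 2>&1 || chmod 0700 /var/lib/NetworkManager`. The mode is also enforced only here, so the directory shipped through `var/lib/NetworkManager/` in network-manager.install keeps whatever mode the package build gives it until configure runs; debian/rules is not part of this diff, so that mode cannot be checked from here. The enclosing `case "$1" in` branch starts above the hunk and continues below it.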
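Review bot: The version guard in the second postinst hunk compares against `1.14.6-3`, while the changelog entry in this same diff names the upload `1.14.6-2+deb10u1`. The guard still fires when upgrading from 1.14.6-2, but it also stays true for every later `+deb10uN` upload, so the one-time fix-up would rerun on each stable update; `if dpkg --compare-versions "$2" lt-nl "1.14.6-2+deb10u1"; then` matches the version that actually carries the fix. The `chmod 0600` only tightens the mode from now on: a key that may have been readable by other local users before the upgrade is kept as it is, which deserves a line in the changelog or NEWS so administrators can judge whether that matters for them.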
+++ b/debian/patches/core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch
@@ -0,0 +1,40 @@
+From: Thomas Haller <thal...@redhat.com>
+Date: Tue, 14 May 2019 13:55:41 +0200
+Subject: core: fix file permissions for "/var/lib/NetworkManager/secret_key"
+
+Ooherwise, the file has wrong permissions:
+
+ # ls -la /var/lib/NetworkManager/secret_key
+ ----r-xr-x. 1 root root 50 May 14 13:52 /var/lib/NetworkManager/secret_key
+
+Luckily, /var/lib/NetworkManager should be already
+
+ # ls -lad /var/lib/NetworkManager
+ drwx------. 2 root root 8192 May 14 13:57 /var/lib/NetworkManager
+
+which mitigates this a bit.
+
+Fixes: dbcb1d6d97c6 ('core: let nm_utils_secret_key_read() handle failures internally')
+
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/175
+(cherry picked from commit dc3a2f9bc4c35030bcaf9e81953daf7894ab62b6)
+(cherry picked from commit 2d46247c6ac6f89a0b8bac86d684431c07dc6c8e)
+(cherry picked from commit 7a0f8520ffd2173d0912e8cbdd192bc232e92a43)
+(cherry picked from commit 869ac551cff99162fda1eb614bf2c45bfc3e5321)
+---
+ src/nm-core-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nm-core-utils.c b/src/nm-core-utils.c
+index a65ac63..99a62e6 100644
+--- a/src/nm-core-utils.c
++++ b/src/nm-core-utils.c
+@@ -2896,7 +2896,7 @@ _host_id_read (guint8 **out_host_id,
+ } else if (!nm_utils_file_set_contents (SECRET_KEY_FILE,
+ (const char *) new_content,
+ len,
+- 0077,
++ 0600,
+ &error)) {
+ nm_log_warn (LOGD_CORE, "secret-key: failure to persist secret key in \"%s\" (%s) (use non-persistent key)",
+ SECRET_KEY_FILE, error->message);
diff --git a/debian/patches/series b/debian/patches/series
index b21e8a16f..5504c0a8a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
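Review bot: The changed mode argument in `_host_id_read` only affects a key that is written after this patch, so a `secret_key` already created with the old `0077` argument keeps its permissions unless something else repairs it; in this upload that repair is the `chmod 0600` in network-manager.postinst. The body of `_host_id_read` starts and ends outside the hunk, so whether the read path checks the mode of an existing file cannot be seen here. A short comment above the argument, such as `/* file mode, not a umask: owner read/write only */`, would make a value like `0077` stand out in later reviews. The patch header would also benefit from a `Bug-Debian: https://bugs.debian.org/941609` line so the Debian bug is traceable from the patch itself.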
@@ -3,3 +3,4 @@ supplicant-fix-setting-pmf-when-the-supplicant-doesn-t-ad.patch
 Force-online-state-with-unmanaged-devices.patch
 Don-t-setup-Sleep-Monitor-if-not-booted-with-systemd.patch
 Don-t-make-NetworkManager-D-Bus-activatable.patch
+core-fix-file-permissions-for-var-lib-NetworkManager-secr.patch