Bug#891426: stretch-pu: package nvidia-modprobe/384.111-1~deb9u1
On 2018-02-25 15:44, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sun, 2018-02-25 at 15:02 +0100, Andreas Beckmann wrote:
>> please allow the upgrade of nvidia-modprobe in stretch to a new
>> upstream release matching the updated nvidia-graphics-drivers
>> package.
> Please go ahead.

That was uploaded yesterday, but I just uploaded another fix to sid that
may be worthy to be fixed in stretch, too.

nvidia-modprobe (a setuid root binary) stopped working for regular users
since dash started dropping privileges if euid != uid (like bash has
been doing for ages). The fix is a one-liner: call setuid(0) before
forking modprobe to preserve permissions through the recursive shell and
modprobe invocations needed by our modprobe configuration using install
commands.

The problem is reproducible in stretch if /bin/sh points to bash instead
of dash.

The incremental source debdiff is attached.

If that is acceptable, please reject 384.111-1~deb9u1 and I'll upload
384.111-2~deb9u1 instead.

Andreas

diff --git a/debian/changelog b/debian/changelog
index 7deb07b..0adbb7c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+nvidia-modprobe (384.111-2~deb9u1) stretch; urgency=medium
+
+ * Rebuild for stretch.
+
+ -- Andreas Beckmann <anbe@debian.org> Tue, 27 Feb 2018 02:06:17 +0100
+
+nvidia-modprobe (384.111-2) unstable; urgency=medium
+
+ * Add setuid.patch to run setuid(0) before forking modprobe to preserve
+ privileges through shell invocations and recursive modprobe calls.
+ Thanks to Hiromasa YOSHIMOTO for intensive debugging and the final patch!
+ (Closes: #888952)
+ * Add debian/upstream/metadata.
+ * Fix new Lintian issues.
+ * Switch Vcs-* URLs to salsa.debian.org.
+
+ -- Andreas Beckmann <anbe@debian.org> Tue, 27 Feb 2018 01:50:01 +0100
+
nvidia-modprobe (384.111-1) unstable; urgency=medium
* New upstream release.
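Review bot: the 384.111-2 entry brings three changes unrelated to the privilege fix into the stretch upload (debian/upstream/metadata, the Lintian fixes, and the Vcs-* switch to salsa.debian.org), while the 384.111-2~deb9u1 entry says only "Rebuild for stretch." Consider stating in the ~deb9u1 entry that the upload exists for the setuid(0) fix for #888952 and why the other items ride along, or limiting the stretch upload to setuid.patch so the stable diff covers only the regression.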
diff --git a/debian/control b/debian/control
index c6963ee..836da1b 100644
--- a/debian/control
+++ b/debian/control
@@ -12,8 +12,8 @@ Build-Depends:
Rules-Requires-Root: binary-targets
Standards-Version: 4.1.3
Homepage: https://github.com/NVIDIA/nvidia-modprobe
-Vcs-Git: https://anonscm.debian.org/git/pkg-nvidia/nvidia-modprobe.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-nvidia/nvidia-modprobe.git
+Vcs-Browser: https://salsa.debian.org/nvidia-team/nvidia-modprobe
+Vcs-Git: https://salsa.debian.org/nvidia-team/nvidia-modprobe.git
Package: nvidia-modprobe
Architecture: i386 amd64 armhf ppc64el
diff --git a/debian/copyright b/debian/copyright
index 0974a69..ad3f83a 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,12 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: nvidia-modprobe
Source: https://download.nvidia.com/XFree86/nvidia-modprobe/
+Disclaimer:
+ This package is not part of the GNU/Linux Debian distribution. It is
+ provided in the contrib archive area as a convenience to Debian users.
+ The contents of this source package are freely licensed under the Expat
+ license, but it is only useful in combination with the proprietary
+ NVIDIA drivers in non-free.
Files: *
Copyright: Copyright (C) 2004-2017 NVIDIA Corporation
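Review bot: in the added Disclaimer field, "the GNU/Linux Debian distribution" has the name transposed; the distribution is called "Debian GNU/Linux", so the first sentence would read better as "This package is not part of the Debian GNU/Linux distribution."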
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..57623ce
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+setuid.patch
diff --git a/debian/patches/setuid.patch b/debian/patches/setuid.patch
new file mode 100644
index 0000000..106df55
--- /dev/null
+++ b/debian/patches/setuid.patch
@@ -0,0 +1,27 @@
+Author: Hiromasa YOSHIMOTO <hiromasa.yoshimoto@gmail.com>
+Description: use setuid(0) to preserve privileges over shell invocations
+ Fixing bug https://bugs.debian.org/734869 dash recently started to drop
+ privileges if euid != uid. (Bash has been doing that for a long time
+ already, but is usually not used for /bin/sh.)
+ The Debian modprobe configuration /etc/modprobe.d/nvidia.conf uses install
+ commands that require forking a shell from within modprobe to (recursively)
+ run further modprobe commands. If the shell drops privileges in setuid
+ contexts, the inner modprobe commands are run unprivileged, failing to load
+ the modules.
+ Run setuid(0) before forking modprobe to preserve privileges through to the
+ inner modprobe commands.
+Bug-Debian: https://bugs.debian.org/888952
+
+--- nvidia-modprobe-384.111.orig/modprobe-utils/nvidia-modprobe-utils.c
++++ nvidia-modprobe-384.111/modprobe-utils/nvidia-modprobe-utils.c
+@@ -374,6 +374,10 @@ static int modprobe_helper(const int pri
+ */
+ silence_current_process();
+
++ /* Workaround for debian's /etc/modprobe.d/nvidia.conf configuration.
++ * See Bug#888952 for details */
++ setuid(0);
++
+ execle(modprobe_path, "modprobe",
+ module_name, NULL, envp);
+
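Review bot: the return value of the added setuid(0) call, placed directly before execle(), is ignored, so if the call fails modprobe is still executed with uid != euid and the shell started for the install commands drops privileges again, which is the failure from #888952, now after silence_current_process() has run. Check the result and fail before reaching execle() instead of continuing. Two smaller points: setuid(0) from a process with euid 0 also sets the real and saved uid to 0, so every command modprobe runs from /etc/modprobe.d/nvidia.conf is fully root with the envp passed here, and it is worth confirming that envp is a fixed environment rather than the caller's; and the Description runs the #734869 reference straight into "dash recently started ..." without punctuation, while the code comment should capitalise "Debian".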
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 7ec9f82..8ebed74 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,2 +1,2 @@
# upstream provides no signatures
-debian-watch-may-check-gpg-signature
+debian-watch-does-not-check-gpg-signature
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..04277b1
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,3 @@
+Name: nvidia-modprobe
+Repository: https://github.com/NVIDIA/nvidia-modprobe.git
+Repository-Browse: https://github.com/NVIDIA/nvidia-modprobe
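
Added example, not part of the original mail or of the nvidia-modprobe source: a small C model of the UID handling the message describes, showing which effective UID the inner modprobe ends up with when the setuid-root helper does or does not call setuid(0) first. The struct, the function names and the caller UID 1000 are constructed for illustration, and the shell check is modelled only from the mail's description (drop privileges if euid != uid).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three user IDs the kernel tracks for a process. */
struct ids { uid_t ruid, euid, suid; };

/* Model of setuid(2): a process with euid 0 changes all three IDs,
 * an unprivileged one may only move euid to its real or saved uid. */
static int model_setuid(struct ids *p, uid_t uid)
{
    if (p->euid == 0) {
        p->ruid = p->euid = p->suid = uid;   /* irreversible */
        return 0;
    }
    if (uid == p->ruid || uid == p->suid) {
        p->euid = uid;
        return 0;
    }
    errno = EPERM;
    return -1;
}

/* Model of the shell start-up check from the mail (assumption):
 * if euid != uid, continue with the real uid only. */
static void model_shell_start(struct ids *p)
{
    if (p->euid != p->ruid)
        p->euid = p->suid = p->ruid;
}

/* Effective uid of the inner modprobe run by an "install" command.
 * caller: uid of the user who started the setuid-root helper. */
static uid_t inner_modprobe_euid(uid_t caller, int apply_fix)
{
    struct ids p = { caller, 0, 0 };         /* setuid-root binary */
    if (apply_fix && model_setuid(&p, 0) != 0)
        return (uid_t)-1;                    /* the fix must be checked */
    /* exec of the non-setuid modprobe keeps ruid and euid as they are */
    model_shell_start(&p);                   /* sh -c '<install command>' */
    return p.euid;
}

int main(void)
{
    printf("without setuid(0): euid=%u\n", (unsigned)inner_modprobe_euid(1000, 0));
    printf("with setuid(0):    euid=%u\n", (unsigned)inner_modprobe_euid(1000, 1));
    return 0;
}
```

The unprivileged branch of `model_setuid` is the reason a failed call has to be treated as fatal: without euid 0 the real uid cannot be raised, and the shell check then behaves exactly as in the unpatched case.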