From d06d666dbb56c1c42c54e1c626ce5f5c8b22a566 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Thu, 7 Jan 2010 02:37:35 +0000 Subject: [PATCH] Address review comments in patch #547860 --- 547860.patch | 66 ++++++++++++++++++++++++++++++++-------------------- nss.spec | 14 +++++------ 2 files changed, 47 insertions(+), 33 deletions(-) diff --git a/547860.patch b/547860.patch index 439adbe..4954880 100644 --- a/547860.patch +++ b/547860.patch @@ -1,6 +1,6 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c ---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 2009-12-26 19:26:47.688694605 -0800 -+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2009-12-26 19:36:21.817699009 -0800 +--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 2010-01-06 17:57:30.722388282 -0800 ++++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2010-01-06 18:20:59.713397530 -0800 @@ -50,6 +50,7 @@ */ @@ -9,10 +9,18 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1 #include #include -@@ -108,12 +109,18 @@ getSystemDB(void) { +@@ -108,12 +109,26 @@ getSystemDB(void) { return PORT_Strdup(NSS_DEFAULT_SYSTEM); } ++static PRBool ++userIsRoot() ++{ ++ /* this works for linux and all unixes that we know off ++ though it isn't stated as such in POSIX documentation */ ++ return getuid() == 0; ++} ++ +static PRBool +userCanModifySystemDB() +{ @@ -29,7 +37,7 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1 * one in the users Appdir location */ return NULL; } -@@ -121,13 +128,21 @@ getUserDB(void) +@@ -121,13 +136,28 @@ getUserDB(void) static char * getSystemDB(void) { 
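Review bot: In the Unix `userIsRoot()` added by the `-108,12 +109,26` inner hunk, `return getuid() == 0;` tests the real UID, which can differ from the effective UID in a setuid or privilege-dropping process, and the comment does not say which identity is meant. If the check is supposed to reflect the privileges the process actually holds when it opens the databases, `return geteuid() == 0;` looks like the closer fit, though that depends on intent the hunk does not show. Either way the comment should name the choice, for example `/* uid 0 is root on Linux and the Unixes we know of (POSIX does not guarantee it); the real uid is checked, not the effective uid */`, which also fixes the "know off" typo. The definition is written `userIsRoot()` with an empty parameter list, while the neighbouring `getSystemDB(void)` uses a prototype; `userIsRoot(void)` would match, and the same applies to the Windows stub and to `userCanModifySystemDB()` in the later hunk.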
@@ -39,43 +47,51 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1 return NULL; } ++static PRBool ++userIsRoot() ++{ ++ /* use the registry to find if the user is the system administrator. */ ++ return PR_FALSE; ++} ++ +static PRBool +userCanModifySystemDB() +{ + /* use the registry to find if the user has administrative privilege + * to modify the system's nss database. */ -+ return PR_FALSE ++ return PR_FALSE; +} + #else -#error "Need to write getUserDB and get SystemDB functions" -+#error "Need to write getUserDB, SystemDB and userCanModifySystemDB functions" ++#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions" #endif #endif -@@ -206,7 +221,7 @@ askpw=any timeout=30 ] } "; - static char ** - get_list(char *filename, char *stripped_parameters) - { -- char **module_list = PORT_ZNewArray(char *, 5); -+ char **module_list = PORT_ZNewArray(char *, 4); - char *userdb, *sysdb; - int isFIPS = getFIPSMode(); - const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags; -@@ -245,23 +260,14 @@ get_list(char *filename, char *stripped_ +@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_ + if (userdb && !strcmp(filename, userdb)) + filename = NULL; + +- if (userdb != NULL) { ++ /* Don't open root's user DB */ ++ if (userdb != NULL && !userIsRoot()) { + /* return a list of databases to open. First the user Database */ + module_list[next++] = PR_smprintf( + "library= " +@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_ userdb, stripped_parameters); } - if (filename && 0 /* This doesn't actually work. 
If we register -- both this and the sysdb (in either order) -- then only one of them actually shows up */) { -- module_list[next++] = PR_smprintf( -- "library= " -- "module=\"NSS database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" " -- "NSS=\"%sflags=internal\"",filename, filename, nssflags); -- } -- ++ if (filename && !userIsRoot() && 0 ++ /* This doesn't actually work. If we register + both this and the sysdb (in either order) + then only one of them actually shows up */) { + module_list[next++] = PR_smprintf( +@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_ + "NSS=\"%sflags=internal\"",filename, filename, nssflags); + } + - /* now the system database (always read only) */ + /* now the system database (always read only unless it's root) */ if (sysdb) { diff --git a/nss.spec b/nss.spec index 39a9d84..1c193c7 100644 --- a/nss.spec +++ b/nss.spec @@ -7,7 +7,7 @@ Summary: Network Security Services Name: nss Version: 3.12.5 -Release: 1%{?dist}.13.1 +Release: 1%{?dist}.13.2 License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -240,13 +240,8 @@ rm -rf ./mozilla/tests_results cd ./mozilla/security/nss/tests/ # all.sh is the test suite script -# don't run all the tests when testing packaging -# nss_cycles: standard pkix upgradedb sharedb -# nss_tests: cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains -# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr -# nss_ssl_run: cov auth stress - -# Temporarily disabling the ssl tests +# Temporarily disabling the ssl test suites +# until bug 539183 gets resolved %global nss_ssl_tests " " %global nss_ssl_run " " 
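Review bot: The Windows `userIsRoot()` stub returns `PR_FALSE` unconditionally, yet its comment reads as if the registry were consulted, so on that platform the new `!userIsRoot()` guard in `get_list` never skips the user database. The comment should say so, for example `/* TODO: not implemented; always reports a non-administrator. Should consult the registry. */`. In the same hunk, `if (filename && !userIsRoot() && 0` adds a call to a condition that the trailing `&& 0` already forces to false, so the new term does not change the result; the disabled branch reads more clearly if left as it was. The body of `get_list` and the code under `if (sysdb) {` continue outside the hunk, so it cannot be checked from here whether the "unless it's root" wording of the last comment matches the predicate actually used there (`userIsRoot` or `userCanModifySystemDB`).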
@@ -490,6 +485,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Wed Jan 06 2010 Elio Maldonado - 3.12.5-1.13.2 +- New version of patch to allow root to modify ystem database (#547860) + * Thu Dec 31 2009 Elio Maldonado - 3.12.5-1.13.1 - Temporarily disabling the ssl tests