diff --git a/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
new file mode 100644
index 0000000..bf4cce3
--- /dev/null
+++ b/0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
@@ -0,0 +1,50 @@
+From 2ced112a031c65791f04d46ce73f6d64a17ad069 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 20 Nov 2015 19:19:49 -0500
+Subject: [PATCH 1/2] Don't setfacl when the socket or dir aren't there.
+
+Signed-off-by: Peter Jones
+---
+ src/pesign-authorize-groups | 8 ++++++--
+ src/pesign-authorize-users | 8 ++++++--
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index e3864ce..2222809 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -11,7 +11,11 @@
+
+ if [[ -r /etc/pesign/groups ]]; then
+ for group in $(cat /etc/pesign/groups); do
+- setfacl -m g:${group}:rx /var/run/pesign
+- setfacl -m g:${group}:rw /var/run/pesign/socket
++ if [ -d /var/run/pesign ]; then
++ setfacl -m g:${group}:rx /var/run/pesign
++ if [ -e /var/run/pesign/socket ]; then
++ setfacl -m g:${group}:rw /var/run/pesign/socket
++ fi
++ fi
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index e500204..22bddec 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -11,7 +11,11 @@
+
+ if [[ -r /etc/pesign/users ]]; then
+ for username in $(cat /etc/pesign/users); do
+- setfacl -m u:${username}:rx /var/run/pesign
+- setfacl -m u:${username}:rw /var/run/pesign/socket
++ if [ -d /var/run/pesign ]; then
++ setfacl -m g:${username}:rx /var/run/pesign
++ if [ -e /var/run/pesign/socket ]; then
++ setfacl -m g:${username}:rw /var/run/pesign/socket
++ fi
++ fi
+ done
+ fi
+--
+2.5.0
+
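Review bot: In the embedded `src/pesign-authorize-users` hunk the added lines change the ACL entry type from `u:` to `g:`, so each name read from /etc/pesign/users is applied as a group rather than as the user the removed lines authorized. On a system where a group of the same name exists, that group's members would receive the ACL on the signing socket, and where no such group exists setfacl is expected to reject the entry and the listed user is never authorized. The two lines should keep the user qualifier: `setfacl -m u:${username}:rx /var/run/pesign` and `setfacl -m u:${username}:rw /var/run/pesign/socket`. The same mix-up appears in 0002-setfacl-the-db-as-well.patch, which uses `u:${group}` on the database files in the groups script and `g:${username}` on /etc/pki/pesign in the users script.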
diff --git a/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
deleted file mode 100644
index f554c81..0000000
--- a/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Thu, 19 Nov 2015 11:36:59 -0500
-Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the
- socket.
-
-Signed-off-by: Peter Jones
----
- src/pesign-authorize-groups | 2 ++
- src/pesign-authorize-users | 2 ++
- 2 files changed, 4 insertions(+)
-
-diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
-index e3864ce..2236bea 100644
---- a/src/pesign-authorize-groups
-+++ b/src/pesign-authorize-groups
-@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
- for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
-+ setfacl -m g:${username}:rx /etc/pki/pesign
-+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- done
- fi
-diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
-index e500204..9c38a25 100644
---- a/src/pesign-authorize-users
-+++ b/src/pesign-authorize-users
-@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
- for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
-+ setfacl -m u:${username}:rx /etc/pki/pesign
-+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- done
- fi
---
-2.5.0
-
diff --git a/0002-setfacl-the-db-as-well.patch b/0002-setfacl-the-db-as-well.patch
new file mode 100644
index 0000000..55774de
--- /dev/null
+++ b/0002-setfacl-the-db-as-well.patch
@@ -0,0 +1,41 @@
+From 4abf6bc506a31ae3e21ae736a44cea992c6ba6c1 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 20 Nov 2015 19:21:39 -0500
+Subject: [PATCH 2/2] setfacl the db as well
+
+---
+ src/pesign-authorize-groups | 4 ++++
+ src/pesign-authorize-users | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2222809..e0f679d 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
++ if [ -d /etc/pki/pesign ]; then
++ setfacl -m g:${group}:rx /etc/pki/pesign
++ setfacl -m u:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ fi
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 22bddec..997c8a3 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/users ]]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
++ if [ -d /etc/pki/pesign ]; then
++ setfacl -m g:${username}:rx /etc/pki/pesign
++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ fi
+ done
+ fi
+--
+2.5.0
+
diff --git a/pesign.spec b/pesign.spec
index a0b53ad..1fdbab6 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -3,7 +3,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.111
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/System
 License: GPLv2
 Recommends: pesign-rh-test-certs
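Review bot: The added `[ -d /etc/pki/pesign ]` guard checks only the directory, while the second setfacl in each embedded hunk names three files through `{cert8,key3,secmod}.db`; if any of them is absent the call still errors, which is the situation patch 1/2 set out to avoid for the socket. A per-file check would match that intent, for example `for db in /etc/pki/pesign/{cert8,key3,secmod}.db; do [ -e "$db" ] && setfacl -m g:"${group}":r "$db"; done` in the groups script, with the `u:"${username}"` form in the users script. Because these files are the NSS databases, a short comment above the block saying which principals are meant to read them would help the next reviewer check the entry types. Both embedded hunks sit inside the `for` loop, which starts outside them.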
@@ -25,7 +25,8 @@ BuildRequires: rh-signing-tools >= 1.20-2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source1: certs.tar.xz Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch -Patch0002: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch +Patch0002: 0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +Patch0003: 0002-setfacl-the-db-as-well.patch %description This package contains the pesign utility for signing UEFI binaries as @@ -103,7 +104,7 @@ fi %post %systemd_post pesign.service modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ - -libfile %{_libdir}/pkcs11/opensc-pkcs11.so + -libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null #modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \ # -libfile %%{_libdir}/pkcs11/libcoolkeypk11.so @@ -153,6 +154,10 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/* %changelog +* Fri Nov 20 2015 Peter Jones - 0.111-3 +- Better ACL setting code. + Related: rhbz#1283745 + * Thu Nov 19 2015 Peter Jones - 0.111-2 - Allow the mockbuild user to read the nss database if the account exists.