Setfacl even harder.
Resolves: rhbz#1284561 Resolves: rhbz#1283475 Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
parent
2ad806160d
commit
78c38032d7
2
.gitignore
vendored
2
.gitignore
vendored
@ -3,3 +3,5 @@ clog
|
||||
/rh-test-certs.tar.bz2
|
||||
*.rpm
|
||||
/certs.tar.xz
|
||||
.build*.log
|
||||
/pesign-*/
|
||||
|
54
0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Normal file
54
0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:19:49 -0500
|
||||
Subject: [PATCH 2/3] Don't setfacl when the socket or dir aren't there.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 10 ++++++----
|
||||
src/pesign-authorize-users | 10 ++++++----
|
||||
2 files changed, 12 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2236bea..2222809 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
- setfacl -m g:${group}:rx /var/run/pesign
|
||||
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
- setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 9c38a25..22bddec 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -11,9 +11,11 @@
|
||||
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
- setfacl -m u:${username}:rx /var/run/pesign
|
||||
- setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
- setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ if [ -d /var/run/pesign ]; then
|
||||
+ setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ if [ -e /var/run/pesign/socket ]; then
|
||||
+ setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ fi
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
51
0003-setfacl-the-db-as-well.patch
Normal file
51
0003-setfacl-the-db-as-well.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 20 Nov 2015 19:21:39 -0500
|
||||
Subject: [PATCH 3/3] setfacl the db as well
|
||||
|
||||
And also get all our "-m [ug]:${name}:$perm" arguments right.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 4 ++++
|
||||
src/pesign-authorize-users | 8 ++++++--
|
||||
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index 2222809..13aefa6 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m g:${group}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index 22bddec..a43ce44 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -12,10 +12,14 @@
|
||||
if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
if [ -d /var/run/pesign ]; then
|
||||
- setfacl -m g:${username}:rx /var/run/pesign
|
||||
+ setfacl -m u:${username}:rx /var/run/pesign
|
||||
if [ -e /var/run/pesign/socket ]; then
|
||||
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
fi
|
||||
fi
|
||||
+ if [ -d /etc/pki/pesign ]; then
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
+ fi
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
112
0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
Normal file
112
0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
Normal file
@ -0,0 +1,112 @@
|
||||
From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Mon, 30 Nov 2015 15:34:35 -0500
|
||||
Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed
|
||||
|
||||
---
|
||||
src/Makefile | 7 +++++--
|
||||
src/macros.pesign | 10 ++++++++--
|
||||
src/missing-stuff.txt | 11 +++++++++++
|
||||
src/pesign-authorize.service.in | 8 ++++++++
|
||||
4 files changed, 32 insertions(+), 4 deletions(-)
|
||||
create mode 100644 src/missing-stuff.txt
|
||||
create mode 100644 src/pesign-authorize.service.in
|
||||
|
||||
diff --git a/src/Makefile b/src/Makefile
|
||||
index af3fd07..9e27ee6 100644
|
||||
--- a/src/Makefile
|
||||
+++ b/src/Makefile
|
||||
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
|
||||
include $(TOPDIR)/Make.defaults
|
||||
|
||||
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
||||
-SVCTARGETS=pesign.sysvinit pesign.service
|
||||
+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service
|
||||
TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
||||
|
||||
all : deps $(TARGETS)
|
||||
@@ -53,11 +53,12 @@ clean :
|
||||
@rm -rfv *.o *.a *.so $(TARGETS)
|
||||
@rm -rfv .*.d
|
||||
|
||||
-install_systemd: pesign.service
|
||||
+install_systemd: pesign.service pesign-authorize.service
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/
|
||||
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/
|
||||
$(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/
|
||||
+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/
|
||||
|
||||
install_sysvinit: pesign.sysvinit
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
||||
@@ -84,6 +85,8 @@ install :
|
||||
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
||||
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
||||
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/
|
||||
+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/
|
||||
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
|
||||
diff --git a/src/macros.pesign b/src/macros.pesign
|
||||
index 39374ce..3197ed7 100644
|
||||
--- a/src/macros.pesign
|
||||
+++ b/src/macros.pesign
|
||||
@@ -7,7 +7,7 @@
|
||||
# And magically get the right thing.
|
||||
|
||||
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
|
||||
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
|
||||
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
|
||||
|
||||
%_pesign /usr/bin/pesign
|
||||
%_pesign_client /usr/bin/pesign-client
|
||||
@@ -41,7 +41,13 @@
|
||||
-c "/CN=Fedora Secure Boot Signer" \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
else \
|
||||
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
|
||||
+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \
|
||||
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
|
||||
+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \
|
||||
+ exit 1 \
|
||||
+ fi \
|
||||
+ fi \
|
||||
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
|
||||
%{-i} %{-o} %{-e} %{-s} %{-C} \
|
||||
fi \
|
||||
else \
|
||||
diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt
|
||||
new file mode 100644
|
||||
index 0000000..55b68e3
|
||||
--- /dev/null
|
||||
+++ b/src/missing-stuff.txt
|
||||
@@ -0,0 +1,11 @@
|
||||
+
|
||||
+
|
||||
+You are attempting to sign the with the "Red Hat Test Certificate",
|
||||
+which is not installed or cannot be accessed. If you mean to be signing
|
||||
+with this key, ensure that the "pesign-rh-test-certs" package is
|
||||
+installed and that your user name is listed in "/etc/pesign/users", and
|
||||
+then run:
|
||||
+
|
||||
+ systemctl restart pesign-authorize.service
|
||||
+
|
||||
+
|
||||
diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in
|
||||
new file mode 100644
|
||||
index 0000000..ccb1d4f
|
||||
--- /dev/null
|
||||
+++ b/src/pesign-authorize.service.in
|
||||
@@ -0,0 +1,8 @@
|
||||
+[Unit]
|
||||
+Description=Pesign database authentication management service
|
||||
+
|
||||
+[Service]
|
||||
+PrivateTmp=true
|
||||
+Type=oneshot
|
||||
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users
|
||||
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
||||
--
|
||||
2.5.0
|
||||
|
39
pesign.spec
39
pesign.spec
@ -3,7 +3,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.111
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
Recommends: pesign-rh-test-certs
|
||||
@ -25,8 +25,10 @@ BuildRequires: rh-signing-tools >= 1.20-2
|
||||
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
|
||||
Source1: certs.tar.xz
|
||||
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
|
||||
Patch0002: 0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
|
||||
Patch0003: 0002-setfacl-the-db-as-well.patch
|
||||
Patch10001: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
|
||||
Patch10002: 0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
|
||||
Patch10003: 0003-setfacl-the-db-as-well.patch
|
||||
Patch10004: 0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
@ -89,15 +91,20 @@ exit 0
|
||||
|
||||
%post rh-test-certs
|
||||
certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
|
||||
getent passwd mockbuild >/dev/null && \
|
||||
echo mockbuild >> %{_sysconfdir}/pesign/users &&
|
||||
%{_libexecdir}/pesign/pesign-authorize-users
|
||||
if getent passwd mockbuild >/dev/null ; then
|
||||
if ! grep -q mockbuild %{_sysconfdir}/pesign/users ; then
|
||||
echo mockbuild >> %{_sysconfdir}/pesign/users
|
||||
%{_libexecdir}/pesign/pesign-authorize-users
|
||||
fi
|
||||
fi
|
||||
|
||||
%postun rh-test-certs
|
||||
%preun rh-test-certs
|
||||
if [ "$1" -eq 0 ]; then
|
||||
certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate"
|
||||
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate"
|
||||
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA"
|
||||
if certutil -d %{_sysconfdir}/pki/pesign -L -n "Red Hat Test Certificate" >/dev/null 2>&1 ; then
|
||||
certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
|
||||
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
|
||||
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" >/dev/null 2>&1 || :
|
||||
fi
|
||||
fi
|
||||
|
||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||
@ -116,7 +123,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%else
|
||||
%post
|
||||
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so
|
||||
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
|
||||
%endif
|
||||
|
||||
%files
|
||||
@ -138,6 +145,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%config(noreplace)/%{_sysconfdir}/pesign/groups
|
||||
%{_sysconfdir}/popt.d/pesign.popt
|
||||
%{macrosdir}/macros.pesign
|
||||
%{_docdir}/pesign/missing-stuff.txt
|
||||
%{_mandir}/man*/*
|
||||
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
|
||||
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
|
||||
@ -147,6 +155,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
|
||||
%{_tmpfilesdir}/pesign.conf
|
||||
%{_unitdir}/pesign.service
|
||||
%{_unitdir}/pesign-authorize.service
|
||||
%endif
|
||||
|
||||
%files rh-test-certs
|
||||
@ -154,9 +163,15 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
|
||||
|
||||
%changelog
|
||||
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
|
||||
- setfacl even harder.
|
||||
Resolves: rhbz#1283475
|
||||
Resolves: rhbz#1284063
|
||||
Resolves: rhbz#1284561
|
||||
|
||||
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
|
||||
- Better ACL setting code.
|
||||
Related: rhbz#1283745
|
||||
Related: rhbz#1283475
|
||||
|
||||
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
|
||||
- Allow the mockbuild user to read the nss database if the account exists.
|
||||
|
Loading…
Reference in New Issue
Block a user