Allow the mockbuild user to read the nss database if the account exists.
Signed-off-by: Peter Jones <pjones@redhat.com>
parent
e53252edeb
commit
78fe18a501
@ -0,0 +1,39 @@
|
||||
From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 19 Nov 2015 11:36:59 -0500
|
||||
Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the
|
||||
socket.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
src/pesign-authorize-groups | 2 ++
|
||||
src/pesign-authorize-users | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
||||
index e3864ce..2236bea 100644
|
||||
--- a/src/pesign-authorize-groups
|
||||
+++ b/src/pesign-authorize-groups
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
|
||||
for group in $(cat /etc/pesign/groups); do
|
||||
setfacl -m g:${group}:rx /var/run/pesign
|
||||
setfacl -m g:${group}:rw /var/run/pesign/socket
|
||||
+ setfacl -m g:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
||||
index e500204..9c38a25 100644
|
||||
--- a/src/pesign-authorize-users
|
||||
+++ b/src/pesign-authorize-users
|
||||
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
|
||||
for username in $(cat /etc/pesign/users); do
|
||||
setfacl -m u:${username}:rx /var/run/pesign
|
||||
setfacl -m u:${username}:rw /var/run/pesign/socket
|
||||
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
||||
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
||||
done
|
||||
fi
|
||||
--
|
||||
2.5.0
|
||||
|
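Review bot: In the pesign-authorize-groups hunk the two added setfacl lines expand `${username}`, but the loop variable there is `group`, so the groups listed in /etc/pesign/groups never receive the new ACL entries. If `username` is unset at that point (the top of the script is outside the hunk), the entry collapses to `g::rx` / `g::r`, which rewrites the owning-group permissions on /etc/pki/pesign and the three DB files instead. The lines should read `setfacl -m g:${group}:rx /etc/pki/pesign` and `setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db`. Since key3.db is the NSS private-key database, a comment above the new lines in both scripts such as `# grants read on the NSS key DB, not just the socket` would help whoever audits /etc/pesign/users and /etc/pesign/groups.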
@ -3,7 +3,7 @@
|
||||
Summary: Signing utility for UEFI binaries
|
||||
Name: pesign
|
||||
Version: 0.111
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Group: Development/System
|
||||
License: GPLv2
|
||||
Recommends: pesign-rh-test-certs
|
||||
@ -25,6 +25,7 @@ BuildRequires: rh-signing-tools >= 1.20-2
|
||||
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
|
||||
Source1: certs.tar.xz
|
||||
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
|
||||
Patch0002: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
|
||||
|
||||
%description
|
||||
This package contains the pesign utility for signing UEFI binaries as
|
||||
@ -87,6 +88,9 @@ exit 0
|
||||
|
||||
%post rh-test-certs
|
||||
certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
|
||||
getent passwd mockbuild >/dev/null && \
|
||||
echo mockbuild >> %{_sysconfdir}/pesign/users &&
|
||||
%{_libexecdir}/pesign/pesign-authorize-users
|
||||
|
||||
%postun rh-test-certs
|
||||
if [ "$1" -eq 0 ]; then
|
||||
@ -149,6 +153,9 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
|
||||
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
|
||||
|
||||
%changelog
|
||||
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
|
||||
- Allow the mockbuild user to read the nss database if the account exists.
|
||||
|
||||
* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
|
||||
- Rebase to 0.111
|
||||
- Split test certs out into a "Recommends" subpackage.
|
||||
|
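Review bot: The `getent … && echo … && pesign-authorize-users` chain is the last command in `%post rh-test-certs`, so on a host without a mockbuild account the scriptlet ends with getent's non-zero status and rpm will report the scriptlet as failed. The `echo mockbuild >>` also runs on every install and upgrade of the subpackage, appending a duplicate line to %{_sysconfdir}/pesign/users each time. An `if` block with a membership check avoids both. Whether `%postun` removes the entry and the ACLs again cannot be seen here, as its body continues outside the hunk.

```spec
%post rh-test-certs
# … unchanged: certutil --merge of the test certs …
if getent passwd mockbuild >/dev/null; then
    grep -qx mockbuild %{_sysconfdir}/pesign/users 2>/dev/null || \
        echo mockbuild >> %{_sysconfdir}/pesign/users
    %{_libexecdir}/pesign/pesign-authorize-users
fi
```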