Setfacl even harder.

Resolves: rhbz#1284561
  Resolves: rhbz#1283475

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2015-11-30 15:11:29 -05:00
parent 49c6a13cfd
commit d9833768d9
5 changed files with 246 additions and 12 deletions

2
.gitignore vendored
View File

@ -3,3 +3,5 @@ clog
/rh-test-certs.tar.bz2 /rh-test-certs.tar.bz2
*.rpm *.rpm
/certs.tar.xz /certs.tar.xz
.build*.log
/pesign-*/

View File

@ -0,0 +1,54 @@
From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:19:49 -0500
Subject: [PATCH 2/3] Don't setfacl when the socket or dir aren't there.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 10 ++++++----
src/pesign-authorize-users | 10 ++++++----
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2236bea..2222809 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/groups ]]; then
for group in $(cat /etc/pesign/groups); do
- setfacl -m g:${group}:rx /var/run/pesign
- setfacl -m g:${group}:rw /var/run/pesign/socket
- setfacl -m g:${username}:rx /etc/pki/pesign
- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 9c38a25..22bddec 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -11,9 +11,11 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
- setfacl -m u:${username}:rx /var/run/pesign
- setfacl -m u:${username}:rw /var/run/pesign/socket
- setfacl -m u:${username}:rx /etc/pki/pesign
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
done
fi
--
2.5.0

View File

@ -0,0 +1,51 @@
From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 20 Nov 2015 19:21:39 -0500
Subject: [PATCH 3/3] setfacl the db as well
And also get all our "-m [ug]:${name}:$perm" arguments right.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/pesign-authorize-groups | 4 ++++
src/pesign-authorize-users | 8 ++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 2222809..13aefa6 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
setfacl -m g:${group}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index 22bddec..a43ce44 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -12,10 +12,14 @@
if [[ -r /etc/pesign/users ]]; then
for username in $(cat /etc/pesign/users); do
if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rx /var/run/pesign
if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
+ setfacl -m u:${username}:rw /var/run/pesign/socket
fi
fi
+ if [ -d /etc/pki/pesign ]; then
+ setfacl -m u:${username}:rx /etc/pki/pesign
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ fi
done
fi
--
2.5.0

View File

@ -0,0 +1,112 @@
From 54dd12c2653dc3aecdd73b9ffb2a85d92e39d858 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 30 Nov 2015 15:34:35 -0500
Subject: [PATCH 4/4] Gripe about pesign-rh-test-certs not being installed
---
src/Makefile | 7 +++++--
src/macros.pesign | 10 ++++++++--
src/missing-stuff.txt | 11 +++++++++++
src/pesign-authorize.service.in | 8 ++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
create mode 100644 src/missing-stuff.txt
create mode 100644 src/pesign-authorize.service.in
diff --git a/src/Makefile b/src/Makefile
index af3fd07..9e27ee6 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
-SVCTARGETS=pesign.sysvinit pesign.service
+SVCTARGETS=pesign.sysvinit pesign.service pesign-authorize.service
TARGETS=$(BINTARGETS) $(SVCTARGETS)
all : deps $(TARGETS)
@@ -53,11 +53,12 @@ clean :
@rm -rfv *.o *.a *.so $(TARGETS)
@rm -rfv .*.d
-install_systemd: pesign.service
+install_systemd: pesign.service pesign-authorize.service
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)tmpfiles.d/
$(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)$(libdatadir)tmpfiles.d/pesign.conf
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libdatadir)systemd/system/
$(INSTALL) -m 644 pesign.service $(INSTALLROOT)$(libdatadir)systemd/system/
+ $(INSTALL) -m 644 pesign-authorize.service $(INSTALLROOT)$(libdatadir)systemd/system/
install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
@@ -84,6 +85,8 @@ install :
$(INSTALL) -m 644 efisiglist.1 $(INSTALLROOT)$(mandir)man1/
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/doc/pesign/
+ $(INSTALL) -m 644 missing-stuff.txt $(INSTALLROOT)/usr/share/doc/pesign/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
diff --git a/src/macros.pesign b/src/macros.pesign
index 39374ce..3197ed7 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
@@ -7,7 +7,7 @@
# And magically get the right thing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
+%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client
@@ -41,7 +41,13 @@
-c "/CN=Fedora Secure Boot Signer" \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
else \
- %{_pesign} %{__pesign_token} %{__pesign_cert} \\\
+ if ! certutil -d /etc/pki/pesign -L -n %{__pesign_cert} >/dev/null 2>&1 ; then \ \
+ if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then \
+ cat /usr/share/doc/pesign/missing-stuff.txt 1>&2 \
+ exit 1 \
+ fi \
+ fi \
+ %{_pesign} %{__pesign_token} -c %{__pesign_cert} \\\
%{-i} %{-o} %{-e} %{-s} %{-C} \
fi \
else \
diff --git a/src/missing-stuff.txt b/src/missing-stuff.txt
new file mode 100644
index 0000000..55b68e3
--- /dev/null
+++ b/src/missing-stuff.txt
@@ -0,0 +1,11 @@
+
+
+You are attempting to sign the with the "Red Hat Test Certificate",
+which is not installed or cannot be accessed. If you mean to be signing
+with this key, ensure that the "pesign-rh-test-certs" package is
+installed and that your user name is listed in "/etc/pesign/users", and
+then run:
+
+ systemctl restart pesign-authorize.service
+
+
diff --git a/src/pesign-authorize.service.in b/src/pesign-authorize.service.in
new file mode 100644
index 0000000..ccb1d4f
--- /dev/null
+++ b/src/pesign-authorize.service.in
@@ -0,0 +1,8 @@
+[Unit]
+Description=Pesign database authentication management service
+
+[Service]
+PrivateTmp=true
+Type=oneshot
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-users
+ExecStart=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
--
2.5.0

View File

@ -3,7 +3,7 @@
Summary: Signing utility for UEFI binaries Summary: Signing utility for UEFI binaries
Name: pesign Name: pesign
Version: 0.111 Version: 0.111
Release: 3%{?dist} Release: 5%{?dist}
Group: Development/System Group: Development/System
License: GPLv2 License: GPLv2
Recommends: pesign-rh-test-certs Recommends: pesign-rh-test-certs
@ -25,8 +25,10 @@ BuildRequires: rh-signing-tools >= 1.20-2
Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
Source1: certs.tar.xz Source1: certs.tar.xz
Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
Patch0002: 0001-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch Patch10001: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
Patch0003: 0002-setfacl-the-db-as-well.patch Patch10002: 0002-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
Patch10003: 0003-setfacl-the-db-as-well.patch
Patch10004: 0004-Gripe-about-pesign-rh-test-certs-not-being-installed.patch
%description %description
This package contains the pesign utility for signing UEFI binaries as This package contains the pesign utility for signing UEFI binaries as
@ -89,15 +91,20 @@ exit 0
%post rh-test-certs %post rh-test-certs
certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/ certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
getent passwd mockbuild >/dev/null && \ if getent passwd mockbuild >/dev/null ; then
echo mockbuild >> %{_sysconfdir}/pesign/users && if ! grep -q mockbuild %{_sysconfdir}/pesign/users ; then
echo mockbuild >> %{_sysconfdir}/pesign/users
%{_libexecdir}/pesign/pesign-authorize-users %{_libexecdir}/pesign/pesign-authorize-users
fi
fi
%postun rh-test-certs %preun rh-test-certs
if [ "$1" -eq 0 ]; then if [ "$1" -eq 0 ]; then
certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" if certutil -d %{_sysconfdir}/pki/pesign -L -n "Red Hat Test Certificate" >/dev/null 2>&1 ; then
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" certutil -d %{_sysconfdir}/pki/pesign -F -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test Certificate" >/dev/null 2>&1 || :
certutil -d %{_sysconfdir}/pki/pesign -D -n "Red Hat Test CA" >/dev/null 2>&1 || :
fi
fi fi
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
@ -116,7 +123,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%else %else
%post %post
modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
-libfile %{_libdir}/pkcs11/opensc-pkcs11.so -libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
%endif %endif
%files %files
@ -138,6 +145,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%config(noreplace)/%{_sysconfdir}/pesign/groups %config(noreplace)/%{_sysconfdir}/pesign/groups
%{_sysconfdir}/popt.d/pesign.popt %{_sysconfdir}/popt.d/pesign.popt
%{macrosdir}/macros.pesign %{macrosdir}/macros.pesign
%{_docdir}/pesign/missing-stuff.txt
%{_mandir}/man*/* %{_mandir}/man*/*
%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/* %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
@ -147,6 +155,7 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
%{_tmpfilesdir}/pesign.conf %{_tmpfilesdir}/pesign.conf
%{_unitdir}/pesign.service %{_unitdir}/pesign.service
%{_unitdir}/pesign-authorize.service
%endif %endif
%files rh-test-certs %files rh-test-certs
@ -154,9 +163,15 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/* %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
%changelog %changelog
* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
- setfacl even harder.
Resolves: rhbz#1283475
Resolves: rhbz#1284063
Resolves: rhbz#1284561
* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3 * Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
- Better ACL setting code. - Better ACL setting code.
Related: rhbz#1283745 Related: rhbz#1283475
* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2 * Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
- Allow the mockbuild user to read the nss database if the account exists. - Allow the mockbuild user to read the nss database if the account exists.