From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 8 Aug 2017 15:44:44 -0400 Subject: [PATCH 23/29] Better authorization scripts. Again. Signed-off-by: Peter Jones --- src/Makefile | 12 ++++++---- src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++ src/pesign-authorize-groups | 30 ------------------------ src/pesign-authorize-users | 30 ------------------------ src/pesign.service.in | 3 +-- src/pesign.sysvinit.in | 3 +-- 6 files changed, 65 insertions(+), 69 deletions(-) create mode 100755 src/pesign-authorize delete mode 100644 src/pesign-authorize-groups delete mode 100644 src/pesign-authorize-users diff --git a/src/Makefile b/src/Makefile index 654b792..84ad130 100644 --- a/src/Makefile +++ b/src/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign SVCTARGETS=pesign.sysvinit pesign.service -TARGETS=$(BINTARGETS) $(SVCTARGETS) +TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups all : deps $(TARGETS) @@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign +pesign-users pesign-groups : + echo pesign > $@ + install : $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/ @@ -88,10 +91,9 @@ install : $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/ $(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/ - $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/ + $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign - $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users - $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups + $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users + $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups .PHONY: all deps clean install diff --git a/src/pesign-authorize b/src/pesign-authorize new file mode 100755 index 0000000..a496f60 --- /dev/null +++ b/src/pesign-authorize @@ -0,0 +1,56 @@ +#!/bin/bash +set -e +set -u + +# +# With /run/pesign/socket on tmpfs, a simple way of restoring the +# acls for specific users is useful +# +# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 +# + +# License: GPLv2 +declare -a fileusers=() +declare -a dirusers=() +for user in $(cat /etc/pesign/users); do + dirusers[${#dirusers[@]}]=-m + dirusers[${#dirusers[@]}]="u:$user:rwx" + fileusers[${#fileusers[@]}]=-m + fileusers[${#fileusers[@]}]="u:$user:rw" +done + +declare -a filegroups=() +declare -a dirgroups=() +for group in $(cat /etc/pesign/groups); do + dirgroups[${#dirgroups[@]}]=-m + dirgroups[${#dirgroups[@]}]="g:$group:rwx" + filegroups[${#filegroups[@]}]=-m + filegroups[${#filegroups[@]}]="g:$group:rw" +done + +update_subdir() { + subdir=$1 && shift + + setfacl -bk "${subdir}" + setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}" + for x in "${subdir}"* ; do + if [ -d "${x}" ]; then + setfacl -bk ${x} + setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x} + update_subdir "${x}/" + elif [ -e "${x}" ]; then + setfacl -bk ${x} + setfacl "${fileusers[@]}" "${filegroups[@]}" ${x} + else + :; + fi + done +} + +for x in /var/run/pesign/ /etc/pki/pesign*/ ; do + if [ -d "${x}" ]; then + update_subdir "${x}" + else + :; + fi +done diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups deleted file mode 100644 index cf51fb6..0000000 --- a/src/pesign-authorize-groups +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -set -e - -# -# With /run/pesign/socket on tmpfs, a simple way of restoring the -# acls for specific groups is useful -# -# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 -# - -# License: GPLv2 - -if [ -r /etc/pesign/groups ]; then - for group in $(cat /etc/pesign/groups); do - if [ -d /var/run/pesign ]; then - setfacl -m g:${group}:rx /var/run/pesign - if [ -e /var/run/pesign/socket ]; then - setfacl -m g:${group}:rw /var/run/pesign/socket - fi - fi - for x in /etc/pki/pesign*/ ; do - if [ -d ${x} ]; then - setfacl -m g:${group}:rx ${x} - for y in ${x}{cert8,key3,secmod}.db ; do - setfacl -m g:${group}:rw ${y} - done - fi - done - done -fi diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users deleted file mode 100644 index 940138e..0000000 --- a/src/pesign-authorize-users +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash -set -e - -# -# With /run/pesign/socket on tmpfs, a simple way of restoring the -# acls for specific users is useful -# -# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 -# - -# License: GPLv2 - -if [ -r /etc/pesign/users ]; then - for username in $(cat /etc/pesign/users); do - if [ -d /var/run/pesign ]; then - setfacl -m g:${username}:rx /var/run/pesign - if [ -e /var/run/pesign/socket ]; then - setfacl -m g:${username}:rw /var/run/pesign/socket - fi - fi - for x in /etc/pki/pesign*/ ; do - if [ -d ${x} ]; then - setfacl -m g:${username}:rx ${x} - for y in ${x}{cert8,key3,secmod}.db ; do - setfacl -m g:${username}:rw ${y} - done - fi - done - done -fi diff --git a/src/pesign.service.in b/src/pesign.service.in index aaa408e..c75a000 100644 --- a/src/pesign.service.in +++ b/src/pesign.service.in @@ -6,5 +6,4 @@ PrivateTmp=true Type=forking PIDFile=/var/run/pesign.pid ExecStart=/usr/bin/pesign --daemonize -ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users -ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups +ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in index dc508d8..b0e0f84 100644 --- a/src/pesign.sysvinit.in +++ b/src/pesign.sysvinit.in @@ -27,8 +27,7 @@ start(){ RETVAL=$? echo touch /var/lock/subsys/pesign - @@LIBEXECDIR@@/pesign/pesign-authorize-users - @@LIBEXECDIR@@/pesign/pesign-authorize-groups + @@LIBEXECDIR@@/pesign/pesign-authorize } stop(){ -- 2.13.4