From ab3b913cc74666dffe56d1f87f6f90653d8f4e70 Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Sat, 2 Oct 2021 09:14:21 -0300
Subject: [PATCH 4/4] Specify user and group for tang

So that we can run tang itself with a different user.
Systemd unit and helpers for rotating keys updated to use the new user and group.
---
 meson.build | 2 ++
 meson_options.txt | 2 ++
 src/meson.build | 18 ++++++++++++++++--
 src/{tangd-keygen => tangd-keygen.in} | 11 +++++++++--
 ...{tangd-rotate-keys => tangd-rotate-keys.in} | 9 ++++++++-
 units/tangd@.service.in | 1 +
 6 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 meson_options.txt
 rename src/{tangd-keygen => tangd-keygen.in} (85%)
 rename src/{tangd-rotate-keys => tangd-rotate-keys.in} (92%)

diff --git a/meson.build b/meson.build
index 1733d47..7664e05 100644
--- a/meson.build
+++ b/meson.build
@@ -26,6 +26,8 @@ data.set('libexecdir', libexecdir)
 data.set('sysconfdir', sysconfdir)
 data.set('systemunitdir', systemunitdir)
 data.set('jwkdir', jwkdir)
+data.set('user', get_option('user'))
+data.set('group', get_option('group'))
 
 add_project_arguments(
   '-D_POSIX_C_SOURCE=200809L',
diff --git a/meson_options.txt b/meson_options.txt
new file mode 100644
index 0000000..9b1f7c6
--- /dev/null
+++ b/meson_options.txt
@@ -0,0 +1,2 @@
+option('user', type: 'string', value: 'tang', description: 'Unprivileged user for tang operations')
+option('group', type: 'string', value: 'tang', description: 'Unprivileged group for tang operations')
diff --git a/src/meson.build b/src/meson.build
index e7dc60c..f022775 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -7,8 +7,22 @@ tangd = executable('tangd',
   install_dir: libexecdir
 )
 
+tangd_keygen = configure_file(
+  input: 'tangd-keygen.in',
+  output: 'tangd-keygen',
+  configuration: data,
+  install: true,
+  install_dir: libexecdir
+)
+
+tangd_rotate_keys = configure_file(
+  input: 'tangd-rotate-keys.in',
+  output: 'tangd-rotate-keys',
+  configuration: data,
+  install: true,
+  install_dir: libexecdir
+)
+
 bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
 
 # vim:set ts=2 sw=2 et:
diff --git a/src/tangd-keygen b/src/tangd-keygen.in
similarity index 85%
rename from src/tangd-keygen
rename to src/tangd-keygen.in
index ed51124..f74b86f 100755
--- a/src/tangd-keygen
+++ b/src/tangd-keygen.in
@@ -25,6 +25,13 @@ usage() {
     exit 1
 }
 
+set_perms() {
+    chmod 0440 -- "${1}"
+    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
+        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
+    fi
+}
+
 [ $# -ne 1 ] && [ $# -ne 3 ] && usage
 [ -d "$1" ] || usage
 
@@ -34,10 +41,10 @@ THP_DEFAULT_HASH=S256 # SHA-256.
 jwe=$(jose jwk gen -i '{"alg":"ES512"}')
 [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
 echo "$jwe" > "$1/$sig.jwk"
-chmod 0440 "$1/$sig.jwk"
+set_perms "$1/$sig.jwk"
 
 jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
 [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
 echo "$jwe" > "$1/$exc.jwk"
-chmod 0440 "$1/$exc.jwk"
+set_perms "$1/$exc.jwk"
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys.in
similarity index 92%
rename from src/tangd-rotate-keys
rename to src/tangd-rotate-keys.in
index 8649652..56b94ad 100755
--- a/src/tangd-rotate-keys
+++ b/src/tangd-rotate-keys.in
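Review bot: The two configure_file() calls install tangd-keygen and tangd-rotate-keys without an explicit mode, whereas the removed libexecbins entries were installed by a call outside this hunk that may have set one; if the installed outputs end up without the executable bit, anything that execs tangd-rotate-keys from @libexecdir@ will fail with EACCES rather than at build time. Pin it in both calls, e.g. `install_mode: 'rwxr-xr-x'` after `install_dir: libexecdir`. Meson may carry the 100755 mode of the .in inputs into the build-dir outputs, but it is the install step that matters here, so this is worth confirming against a `meson install` run before relying on it.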
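Review bot: A failed chown in set_perms is only a warning and its stderr is discarded, so tangd-keygen still exits 0 while the key stays owned by the invoking user at mode 0440; with tangd now started as `User=@user@` that key is unreadable by the service and the breakage surfaces only at the first client request. Since the ownership change is now part of the script's contract, make it fatal and keep chown's diagnostic: `if ! chown @user@:@group@ -- "${1}"; then` followed by the existing echo and `exit 1`. If a best-effort mode is genuinely wanted for hosts without the @user@ account, an explicit opt-in flag or at least a non-zero exit at the end would still let callers notice.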
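Review bot: set_perms only tightens the file after `echo "$jwe" > "$1/$sig.jwk"` has already created it under the caller's umask, so with a typical 022 umask the freshly generated JWK (which, coming from `jose jwk gen`, presumably holds the private key) is world-readable until the chmod runs; the same applies to the ECMR key written below. Since permission handling is being reworked here, set `umask 077` before the first `jose jwk gen` so the file is born 0600 and set_perms only moves it to 0440 for @user@:@group@. The window predates this patch, but the new set_perms is the natural place to close it.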
@@ -48,6 +48,13 @@ error() {
     usage 1
 }
 
+set_perms() {
+    chmod 0440 -- "${1}"
+    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
+        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
+    fi
+}
+
 JWKDIR=
 VERBOSE=
 while getopts "hvd:" o; do
@@ -78,7 +85,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
     thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
         -a "${DEFAULT_THP_HASH}")"
     echo "${jwe}" > "${thp}.jwk"
-    chmod 0440 "${thp}.jwk"
+    set_perms "${thp}.jwk"
     log "Created new key ${thp}.jwk" "${VERBOSE}"
 done
 cd - >/dev/null
diff --git a/units/tangd@.service.in b/units/tangd@.service.in
index f1db261..aeb2dc1 100644
--- a/units/tangd@.service.in
+++ b/units/tangd@.service.in
@@ -6,3 +6,4 @@ StandardInput=socket
 StandardOutput=socket
 StandardError=journal
 ExecStart=@libexecdir@/tangd @jwkdir@
+User=@user@
-- 
2.31.1
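Review bot: set_perms swallows a chown failure with a warning and `2>/dev/null`, while this script already has an `error()` helper (visible in the hunk's leading context, presumably exiting via `usage 1`) that it uses for fatal conditions; a rotation that cannot hand the new key to @user@:@group@ should stop rather than report success, since by that point the previous keys have presumably already been rotated out (that logic is outside this hunk). Use the script's own helper and stop hiding chown's stderr: `if ! chown @user@:@group@ -- "${1}"; then` / `error "Unable to change owner/group for ${1} to @user@:@group@"` / `fi`. The function body is also byte-identical to the copy added to tangd-keygen.in; a shared snippet would keep the two from drifting.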
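Review bot: `User=@user@` is added without a matching `Group=`, so systemd runs tangd under the primary group of the @user@ account rather than the @group@ that the key files are chowned to elsewhere in this patch; the 0440 group bit only lines up while the two happen to coincide. Pin both: `User=@user@` / `Group=@group@`. Two things this hunk does not cover and packaging must guarantee: the @user@ account has to exist before the unit starts (a sysusers.d fragment is the usual vehicle), and @jwkdir@ itself must be searchable by @user@ or tangd cannot open the keys at all. Now that the service is unprivileged, `NoNewPrivileges=yes` and `ProtectSystem=strict` would be cheap additions to the same unit.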