70236c4767
Resolves rhbz#2008204
From ab3b913cc74666dffe56d1f87f6f90653d8f4e70 Mon Sep 17 00:00:00 2001
|
|
From: Sergio Correia <scorreia@redhat.com>
|
|
Date: Sat, 2 Oct 2021 09:14:21 -0300
|
|
Subject: [PATCH 4/4] Specify user and group for tang
|
|
|
|
So that we can run tang itself with a different user.
|
|
|
|
Systemd unit and helpers for rotating keys updated to use the
|
|
new user and group.
|
|
---
|
|
meson.build | 2 ++
|
|
meson_options.txt | 2 ++
|
|
src/meson.build | 18 ++++++++++++++++--
|
|
src/{tangd-keygen => tangd-keygen.in} | 11 +++++++++--
|
|
...{tangd-rotate-keys => tangd-rotate-keys.in} | 9 ++++++++-
|
|
units/tangd@.service.in | 1 +
|
|
6 files changed, 38 insertions(+), 5 deletions(-)
|
|
create mode 100644 meson_options.txt
|
|
rename src/{tangd-keygen => tangd-keygen.in} (85%)
|
|
rename src/{tangd-rotate-keys => tangd-rotate-keys.in} (92%)
|
|
|
|
diff --git a/meson.build b/meson.build
|
|
index 1733d47..7664e05 100644
|
|
--- a/meson.build
|
|
+++ b/meson.build
|
|
@@ -26,6 +26,8 @@ data.set('libexecdir', libexecdir)
|
|
data.set('sysconfdir', sysconfdir)
|
|
data.set('systemunitdir', systemunitdir)
|
|
data.set('jwkdir', jwkdir)
|
|
+data.set('user', get_option('user'))
|
|
+data.set('group', get_option('group'))
|
|
|
|
add_project_arguments(
|
|
'-D_POSIX_C_SOURCE=200809L',
|
|
diff --git a/meson_options.txt b/meson_options.txt
|
|
new file mode 100644
|
|
index 0000000..9b1f7c6
|
|
--- /dev/null
|
|
+++ b/meson_options.txt
|
|
@@ -0,0 +1,2 @@
|
|
+option('user', type: 'string', value: 'tang', description: 'Unprivileged user for tang operations')
|
|
+option('group', type: 'string', value: 'tang', description: 'Unprivileged group for tang operations')
|
|
diff --git a/src/meson.build b/src/meson.build
|
|
index e7dc60c..f022775 100644
|
|
--- a/src/meson.build
|
|
+++ b/src/meson.build
|
|
@@ -7,8 +7,22 @@ tangd = executable('tangd',
|
|
install_dir: libexecdir
|
|
)
|
|
|
|
+tangd_keygen = configure_file(
|
|
+ input: 'tangd-keygen.in',
|
|
+ output: 'tangd-keygen',
|
|
+ configuration: data,
|
|
+ install: true,
|
|
+ install_dir: libexecdir
|
|
+)
|
|
+
|
|
+tangd_rotate_keys = configure_file(
|
|
+ input: 'tangd-rotate-keys.in',
|
|
+ output: 'tangd-rotate-keys',
|
|
+ configuration: data,
|
|
+ install: true,
|
|
+ install_dir: libexecdir
|
|
+)
|
|
+
|
|
bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
|
|
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
|
|
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
|
|
|
|
# vim:set ts=2 sw=2 et:
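Review bot: Neither configure_file() call specifies an `install_mode`, while the two scripts previously came from `libexecbins` and, judging by the 100755 index lines below, are executable in the tree. Unless this meson version carries the input's mode through to the configured output, the installed tangd-keygen and tangd-rotate-keys may land without the executable bit, which would break key generation and the rotation helper the first time they are invoked. Adding `install_mode: 'rwxr-xr-x'` to both configure_file() blocks pins the expected mode explicitly rather than relying on that behaviour.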
|
|
diff --git a/src/tangd-keygen b/src/tangd-keygen.in
|
|
similarity index 85%
|
|
rename from src/tangd-keygen
|
|
rename to src/tangd-keygen.in
|
|
index ed51124..f74b86f 100755
|
|
--- a/src/tangd-keygen
|
|
+++ b/src/tangd-keygen.in
|
|
@@ -25,6 +25,13 @@ usage() {
|
|
exit 1
|
|
}
|
|
|
|
+set_perms() {
|
|
+ chmod 0440 -- "${1}"
|
|
+ if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
|
|
+ echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
|
|
+ fi
|
|
+}
|
|
+
|
|
[ $# -ne 1 ] && [ $# -ne 3 ] && usage
|
|
[ -d "$1" ] || usage
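Review bot: In set_perms a failed chown is only reported, the function still returns 0, and `2>/dev/null` hides chown's own reason (unknown account versus EPERM), so the key file stays 0440 under the invoking user and the script exits successfully even though the `@user@` account the daemon now runs as cannot read it. If a missing account is meant to be tolerated that should be said in a comment; otherwise add `return 1` after the echo, drop the stderr redirect, and have the callers propagate it, e.g. `set_perms "$1/$sig.jwk" || exit 1`. The same function and the same silent-success behaviour are in the first hunk of src/tangd-rotate-keys.in, where the existing `error()` helper appears to be the natural way to report it.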
|
|
|
|
@@ -34,10 +41,10 @@ THP_DEFAULT_HASH=S256 # SHA-256.
|
|
jwe=$(jose jwk gen -i '{"alg":"ES512"}')
|
|
[ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
echo "$jwe" > "$1/$sig.jwk"
|
|
-chmod 0440 "$1/$sig.jwk"
|
|
+set_perms "$1/$sig.jwk"
|
|
|
|
|
|
jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
|
|
[ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
|
|
echo "$jwe" > "$1/$exc.jwk"
|
|
-chmod 0440 "$1/$exc.jwk"
|
|
+set_perms "$1/$exc.jwk"
|
|
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys.in
|
|
similarity index 92%
|
|
rename from src/tangd-rotate-keys
|
|
rename to src/tangd-rotate-keys.in
|
|
index 8649652..56b94ad 100755
|
|
--- a/src/tangd-rotate-keys
|
|
+++ b/src/tangd-rotate-keys.in
|
|
@@ -48,6 +48,13 @@ error() {
|
|
usage 1
|
|
}
|
|
|
|
+set_perms() {
|
|
+ chmod 0440 -- "${1}"
|
|
+ if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
|
|
+ echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
|
|
+ fi
|
|
+}
|
|
+
|
|
JWKDIR=
|
|
VERBOSE=
|
|
while getopts "hvd:" o; do
|
|
@@ -78,7 +85,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
|
|
thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
|
|
-a "${DEFAULT_THP_HASH}")"
|
|
echo "${jwe}" > "${thp}.jwk"
|
|
- chmod 0440 "${thp}.jwk"
|
|
+ set_perms "${thp}.jwk"
|
|
log "Created new key ${thp}.jwk" "${VERBOSE}"
|
|
done
|
|
cd - >/dev/null
|
|
diff --git a/units/tangd@.service.in b/units/tangd@.service.in
|
|
index f1db261..aeb2dc1 100644
|
|
--- a/units/tangd@.service.in
|
|
+++ b/units/tangd@.service.in
|
|
@@ -6,3 +6,4 @@ StandardInput=socket
|
|
StandardOutput=socket
|
|
StandardError=journal
|
|
ExecStart=@libexecdir@/tangd @jwkdir@
|
|
+User=@user@
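Review bot: The unit sets `User=@user@` but no `Group=`, so tangd runs with that account's primary group, while the helpers in this patch chown the key files to `@user@:@group@` with mode 0440. If the configurable `group` option ever differs from the account's primary group, the daemon can no longer read its own keys. Adding `Group=@group@` directly after the new line keeps the unit consistent with the meson `group` option the same patch introduces.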
|
|
--
|
|
2.31.1
|
|
|