rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix nsssysinit to allow root to modify the nss system database (#547860)

Browse Source
This commit is contained in:
Elio Maldonado 2009-12-31 01:21:59 +00:00
parent 2d16454a8b
commit c33feabbec
2 changed files with 99 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
547860.patch Normal file
View File

@ -0,0 +1,93 @@
diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 2009-12-26 19:26:47.688694605 -0800
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c 2009-12-26 19:36:21.817699009 -0800
@@ -50,6 +50,7 @@
*/
#ifdef XP_UNIX
+#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -108,12 +109,18 @@ getSystemDB(void) {
return PORT_Strdup(NSS_DEFAULT_SYSTEM);
}
+static PRBool
+userCanModifySystemDB()
+{
+ return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
+}
+
#else
#ifdef XP_WIN
static char *
getUserDB(void)
{
- /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
+ /* use the registry to find the user's NSS_DIR. if no entry exists, create
* one in the users Appdir location */
return NULL;
}
@@ -121,13 +128,21 @@ getUserDB(void)
static char *
getSystemDB(void)
{
- /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
+ /* use the registry to find the system's NSS_DIR. if no entry exists, create
* one based on the windows system data area */
return NULL;
}
+static PRBool
+userCanModifySystemDB()
+{
+ /* use the registry to find if the user has administrative privilege
+ * to modify the system's nss database. */
+ return PR_FALSE
+}
+
#else
-#error "Need to write getUserDB and get SystemDB functions"
+#error "Need to write getUserDB, SystemDB and userCanModifySystemDB functions"
#endif
#endif
@@ -206,7 +221,7 @@ askpw=any timeout=30 ] } ";
static char **
get_list(char *filename, char *stripped_parameters)
{
- char **module_list = PORT_ZNewArray(char *, 5);
+ char **module_list = PORT_ZNewArray(char *, 4);
char *userdb, *sysdb;
int isFIPS = getFIPSMode();
const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
@@ -245,23 +260,14 @@ get_list(char *filename, char *stripped_
userdb, stripped_parameters);
}
- if (filename && 0 /* This doesn't actually work. If we register
- both this and the sysdb (in either order)
- then only one of them actually shows up */) {
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
- "NSS=\"%sflags=internal\"",filename, filename, nssflags);
- }
-
- /* now the system database (always read only) */
+ /* now the system database (always read only unless it's root) */
if (sysdb) {
- module_list[next++] = PR_smprintf(
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+ module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS system database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
- "NSS=\"%sflags=internal,critical\"",sysdb, nssflags);
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+ "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
}
/* that was the last module */

7
nss.spec
View File

@ -7,7 +7,7 @@
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: 3.12.5 Version: 3.12.5
Release: 1%{?dist}.11 Release: 1%{?dist}.13
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries Group: System Environment/Libraries
@ -46,6 +46,7 @@ Patch8: nss-sysinit.patch
Patch9: 540387.patch Patch9: 540387.patch
Patch10: 545779.patch Patch10: 545779.patch
Patch11: 546221.patch Patch11: 546221.patch
Patch12: 547860.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -117,6 +118,7 @@ low level services.
%patch9 -p1 -b .540387 %patch9 -p1 -b .540387
%patch10 -p0 -b .545779 %patch10 -p0 -b .545779
%patch11 -p1 -b .546221 %patch11 -p1 -b .546221
%patch12 -p1 -b .547860
%build %build
@ -478,6 +480,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog %changelog
* Sat Dec 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13
- Fix nsssysinit to allow root to modify the nss system database (#547860)
* Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11 * Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
- Fix an error introduced when adapting the patch for rhbz #546211 - Fix an error introduced when adapting the patch for rhbz #546211