Address review comments in patch #547860

2010-01-07 02:37:35 +00:00 · 2010-01-07 02:37:35 +00:00 · d06d666dbb
commit d06d666dbb
parent 88e3f7f389
2 changed files with 47 additions and 33 deletions
--- a/547860.patch
+++ b/547860.patch
@ -1,6 +1,6 @@
 diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860	2009-12-26 19:26:47.688694605 -0800
-+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2009-12-26 19:36:21.817699009 -0800
+--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860	2010-01-06 17:57:30.722388282 -0800
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2010-01-06 18:20:59.713397530 -0800
@@ -50,6 +50,7 @@
  */
 
@ -9,10 +9,18 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1
 #include <sys/stat.h>
 #include <sys/types.h>
 
-@@ -108,12 +109,18 @@ getSystemDB(void) {
+@@ -108,12 +109,26 @@ getSystemDB(void) {
    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
 }
 
+static PRBool
+userIsRoot()
+{
+   /* this works for linux and all unixes that we know off
+	  though it isn't stated as such in POSIX documentation */
+   return getuid() == 0;
+}
+
 +static PRBool
 +userCanModifySystemDB()
 +{
@ -29,7 +37,7 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1
     * one in the users Appdir location */
    return NULL;
 }
-@@ -121,13 +128,21 @@ getUserDB(void)
+@@ -121,13 +136,28 @@ getUserDB(void)
 static char *
 getSystemDB(void)
 {
@ -39,43 +47,51 @@ diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.1
    return NULL;
 }
 
+static PRBool
+userIsRoot()
+{
+   /* use the registry to find if the user is the system administrator. */
+   return PR_FALSE;
+}
+
 +static PRBool
 +userCanModifySystemDB()
 +{
 +   /* use the registry to find if the user has administrative privilege 
 +    * to modify the system's nss database. */
-+   return PR_FALSE
+   return PR_FALSE;
 +}
 +
 #else
 -#error "Need to write getUserDB and get SystemDB functions"
-+#error "Need to write getUserDB, SystemDB and userCanModifySystemDB functions"
+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
-@@ -206,7 +221,7 @@ askpw=any timeout=30 ] }  ";
- static char **
- get_list(char *filename, char *stripped_parameters)
- {
-    char **module_list = PORT_ZNewArray(char *, 5);
-+    char **module_list = PORT_ZNewArray(char *, 4);
-     char *userdb, *sysdb;
-     int isFIPS = getFIPSMode();
-     const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
-@@ -245,23 +260,14 @@ get_list(char *filename, char *stripped_
+@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_
+     if (userdb && !strcmp(filename, userdb))
+ 	    filename = NULL;
+ 
+-    if (userdb != NULL) {
+    /* Don't open root's user DB */
+    if (userdb != NULL && !userIsRoot()) {
+ 	/* return a list of databases to open. First the user Database */
+ 	module_list[next++] = PR_smprintf(
+ 	    "library= "
+@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_
 		userdb, stripped_parameters);
 	}
 
 -    if (filename && 0 /* This doesn't actually work. If we register
-			 both this and the sysdb (in either order)
-			 then only one of them actually shows up */) {
-	    module_list[next++] = PR_smprintf(
-	      "library= "
-	      "module=\"NSS database\" "
-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
-	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
-    }
-
+    if (filename && !userIsRoot() && 0
+		/* This doesn't actually work. If we register
+ 			 both this and the sysdb (in either order)
+ 			 then only one of them actually shows up */) {
+ 	    module_list[next++] = PR_smprintf(
+@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_
+ 	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
+     }
+ 
 -    /* now the system database (always read only) */
 +    /* now the system database (always read only unless it's root) */
     if (sysdb) {
--- a/nss.spec
+++ b/nss.spec
@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.12.5
-Release:          1%{?dist}.13.1
+Release:          1%{?dist}.13.2
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -240,13 +240,8 @@ rm -rf ./mozilla/tests_results
 cd ./mozilla/security/nss/tests/
 # all.sh is the test suite script

-#  don't run all the tests when testing packaging
-#  nss_cycles: standard pkix upgradedb sharedb
-#  nss_tests: cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains
-#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
-#  nss_ssl_run: cov auth stress
-
-# Temporarily disabling the ssl tests
+# Temporarily disabling the ssl test suites
+# until bug 539183 gets resolved
 %global nss_ssl_tests " "
 %global nss_ssl_run " "

@ -490,6 +485,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h


 %changelog
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.2
+- New version of patch to allow root to modify ystem database (#547860)
+
 * Thu Dec 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.1
 - Temporarily disabling the ssl tests