pesign/0023-Better-authorization-scripts.-Again.patch
Igor Gnatenko 6ef5e2d179
Revert "pesign fails to build from source: https://bugzilla.redhat.com/show_bug.cgi?id=1675653"
This reverts commit f45e45d127.

References: https://pagure.io/releng/issue/8618
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2019-08-12 17:36:50 +02:00

218 lines
6.5 KiB
Diff

From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 15:44:44 -0400
Subject: [PATCH 23/29] Better authorization scripts. Again.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
src/Makefile | 12 ++++++----
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
src/pesign-authorize-groups | 30 ------------------------
src/pesign-authorize-users | 30 ------------------------
src/pesign.service.in | 3 +--
src/pesign.sysvinit.in | 3 +--
6 files changed, 65 insertions(+), 69 deletions(-)
create mode 100755 src/pesign-authorize
delete mode 100644 src/pesign-authorize-groups
delete mode 100644 src/pesign-authorize-users
diff --git a/src/Makefile b/src/Makefile
index 654b792..84ad130 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
SVCTARGETS=pesign.sysvinit pesign.service
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+pesign-users pesign-groups :
+ echo pesign > $@
+
install :
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
.PHONY: all deps clean install
diff --git a/src/pesign-authorize b/src/pesign-authorize
new file mode 100755
index 0000000..a496f60
--- /dev/null
+++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -e
+set -u
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+declare -a fileusers=()
+declare -a dirusers=()
+for user in $(cat /etc/pesign/users); do
+ dirusers[${#dirusers[@]}]=-m
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
+ fileusers[${#fileusers[@]}]=-m
+ fileusers[${#fileusers[@]}]="u:$user:rw"
+done
+
+declare -a filegroups=()
+declare -a dirgroups=()
+for group in $(cat /etc/pesign/groups); do
+ dirgroups[${#dirgroups[@]}]=-m
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ filegroups[${#filegroups[@]}]=-m
+ filegroups[${#filegroups[@]}]="g:$group:rw"
+done
+
+update_subdir() {
+ subdir=$1 && shift
+
+ setfacl -bk "${subdir}"
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ for x in "${subdir}"* ; do
+ if [ -d "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+ update_subdir "${x}/"
+ elif [ -e "${x}" ]; then
+ setfacl -bk ${x}
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+ else
+ :;
+ fi
+ done
+}
+
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+ if [ -d "${x}" ]; then
+ update_subdir "${x}"
+ else
+ :;
+ fi
+done
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
deleted file mode 100644
index cf51fb6..0000000
--- a/src/pesign-authorize-groups
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific groups is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/groups ]; then
- for group in $(cat /etc/pesign/groups); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${group}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${group}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${group}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${group}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
deleted file mode 100644
index 940138e..0000000
--- a/src/pesign-authorize-users
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-set -e
-
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
-# License: GPLv2
-
-if [ -r /etc/pesign/users ]; then
- for username in $(cat /etc/pesign/users); do
- if [ -d /var/run/pesign ]; then
- setfacl -m g:${username}:rx /var/run/pesign
- if [ -e /var/run/pesign/socket ]; then
- setfacl -m g:${username}:rw /var/run/pesign/socket
- fi
- fi
- for x in /etc/pki/pesign*/ ; do
- if [ -d ${x} ]; then
- setfacl -m g:${username}:rx ${x}
- for y in ${x}{cert8,key3,secmod}.db ; do
- setfacl -m g:${username}:rw ${y}
- done
- fi
- done
- done
-fi
diff --git a/src/pesign.service.in b/src/pesign.service.in
index aaa408e..c75a000 100644
--- a/src/pesign.service.in
+++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
index dc508d8..b0e0f84 100644
--- a/src/pesign.sysvinit.in
+++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ @@LIBEXECDIR@@/pesign/pesign-authorize
}
stop(){
--
2.13.4