From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Fri, 12 Sep 2014 09:37:07 -0500
Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign
The sysvinit script provided with pesign sets ACLs for the pesign/socket
file for kojibuilder:kojibuilder. The systemd unit, however, does not.
I've built a more general solution for both the sysvinit and systemd
unit that should allow for greater flexibility and compat behavior.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 3c2374b57f26f15efa7c883e0fbbbaf3c490d074)
---
src/pesign-authorize-groups | 17 +++++++++++++++++
src/pesign-authorize-users | 17 +++++++++++++++++
src/pesign.service | 2 ++
src/pesign.sysvinit | 6 ++----
4 files changed, 38 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-authorize-groups
create mode 100644 src/pesign-authorize-users
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
new file mode 100644
index 0000000..1048904
--- /dev/null
+++ b/src/pesign-authorize-groups
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific groups is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+
+if [[ -r /etc/pesign/authorize-groups ]]; then
+ for group in $(cat /etc/pesign/authorize-groups); do
+ setfacl -m g:${group}:rx /var/run/pesign
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ done
+fi
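Review bot: The loop `for group in $(cat /etc/pesign/authorize-groups)` word-splits and glob-expands the file contents, and `${group}` reaches setfacl unquoted, so a line containing whitespace or a glob character turns into unintended arguments; src/pesign-authorize-users has the same shape. Both setfacl exit statuses are also discarded — the script finishes with the status of whatever ran last, so an unknown group name or a not-yet-created socket still reports success to the sysvinit start() and to systemd's ExecStartPost. Reading the file with `while IFS= read -r` and quoting the ACL spec addresses the first, and carrying a setfacl failure into the exit status addresses the second (whether that failure should abort the unit start is a policy choice to state in the unit). The header comment also names /run/pesign/socket while the commands operate on /var/run/pesign; aligning the comment with the path actually used avoids confusion where the two are not the same mount.
```shell
if [[ -r /etc/pesign/authorize-groups ]]; then
  status=0
  while IFS= read -r group || [[ -n "$group" ]]; do
    [[ -z "$group" ]] && continue
    setfacl -m "g:${group}:rx" /var/run/pesign || status=1
    setfacl -m "g:${group}:rw" /var/run/pesign/socket || status=1
  done < /etc/pesign/authorize-groups
  exit "$status"
fi
```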
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
new file mode 100644
index 0000000..1993570
--- /dev/null
+++ b/src/pesign-authorize-users
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+#
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
+# acls for specific users is useful
+#
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+#
+
+# License: GPLv2
+
+if [[ -r /etc/pesign/authorize-users ]]; then
+ for username in $(cat /etc/pesign/authorize-users); do
+ setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rw /var/run/pesign/socket
+ done
+fi
diff --git a/src/pesign.service b/src/pesign.service
index 75a73c3..d6a412e 100644
--- a/src/pesign.service
+++ b/src/pesign.service
@@ -6,3 +6,5 @@ PrivateTmp=true
Type=forking
PIDFile=/var/run/pesign.pid
ExecStart=/usr/bin/pesign --daemonize
+ExecStartPost=/usr/sbin/pesign-authorize-users
+ExecStartPost=/usr/sbin/pesign-authorize-groups
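Review bot: The two ExecStartPost= lines invoke /usr/sbin/pesign-authorize-users and /usr/sbin/pesign-authorize-groups, but this patch adds those files under src/ with `create mode 100644` and carries no install rule, so unless a build step outside this patch installs them executable into /usr/sbin the unit fails at start with a command-not-found. An ExecStartPost= command that exits non-zero also marks the start as failed (a `-` prefix would make it best-effort), and the scripts as written exit with the status of their last setfacl, so the unit's behaviour on a bad group name is currently whatever that last call happens to return; a comment such as `# Restore socket ACLs from /etc/pesign/authorize-{users,groups}; a failure here fails the start` would make the intended policy explicit. With Type=forking the hooks run once the parent pesign process has exited; if the socket is created after that point the setfacl on /var/run/pesign/socket targets a file that does not exist yet — I cannot confirm the creation order from this diff.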
diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit
index ea37c58..6f20560 100644
--- a/src/pesign.sysvinit
+++ b/src/pesign.sysvinit
@@ -24,10 +24,8 @@ start(){
RETVAL=$?
echo
touch /var/lock/subsys/pesign
- setfacl -m u:kojibuilder:x /var/run/pesign
- setfacl -m u:kojibuilder:rw /var/run/pesign/socket
- setfacl -m g:kojibuilder:x /var/run/pesign
- setfacl -m g:kojibuilder:rw /var/run/pesign/socket
+ /usr/sbin/pesign-authorize-users
+ /usr/sbin/pesign-authorize-groups
}
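Review bot: The removed lines granted only `x` (search) on /var/run/pesign, which is all a client needs to reach the socket; the replacement scripts grant `rx`, so every authorized user and group additionally gains directory listing — a wider grant than the one being replaced, and neither the commit message nor the scripts say this is intended. If the widening is deliberate, a comment in the scripts should say why; otherwise keeping `x` on the directory preserves the least-privilege setting the old code had. The two new calls also ignore a missing or non-executable /usr/sbin/pesign-authorize-* (the start() body continues and RETVAL is unaffected), which matches how the old inline setfacl failures were ignored but now additionally depends on an install step that is not part of this patch. start() begins before the hunk.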
stop(){
--
2.5.5