From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001

From: Pat Riehecky <riehecky@fnal.gov>

Date: Fri, 12 Sep 2014 09:37:07 -0500

Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign

The sysvinit script provided with pesign sets ACLS for the pesign/socket

file for kojibuilder:kojibuilder.  The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd

unit that should allow for greater flexibility and compat behavior.

Signed-off-by: Peter Jones <pjones@redhat.com>

(cherry picked from commit 3c2374b57f26f15efa7c883e0fbbbaf3c490d074)

---

 src/pesign-authorize-groups | 17 +++++++++++++++++

 src/pesign-authorize-users  | 17 +++++++++++++++++

 src/pesign.service          |  2 ++

 src/pesign.sysvinit         |  6 ++----

 4 files changed, 38 insertions(+), 4 deletions(-)

 create mode 100644 src/pesign-authorize-groups

 create mode 100644 src/pesign-authorize-users

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups

new file mode 100644

index 0000000..1048904

--- /dev/null

+++ b/src/pesign-authorize-groups

@@ -0,0 +1,17 @@

+#!/bin/bash

+

+#

+# With /run/pesign/socket on tmpfs, a simple way of restoring the

+# acls for specific groups is useful

+#

+#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

+#

+

+# License: GPLv2

+

+if [[ -r /etc/pesign/authorize-groups ]]; then

+    for group in $(cat /etc/pesign/authorize-groups); do

+        setfacl -m g:${group}:rx /var/run/pesign

+        setfacl -m g:${group}:rw /var/run/pesign/socket

+    done

+fi

diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users

new file mode 100644

index 0000000..1993570

--- /dev/null

+++ b/src/pesign-authorize-users

@@ -0,0 +1,17 @@

+#!/bin/bash

+

+#

+# With /run/pesign/socket on tmpfs, a simple way of restoring the

+# acls for specific users is useful

+#

+#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

+#

+

+# License: GPLv2

+

+if [[ -r /etc/pesign/authorize-users ]]; then

+    for username in $(cat /etc/pesign/authorize-users); do

+        setfacl -m u:${username}:rx /var/run/pesign

+        setfacl -m u:${username}:rw /var/run/pesign/socket

+    done

+fi

diff --git a/src/pesign.service b/src/pesign.service

index 75a73c3..d6a412e 100644

--- a/src/pesign.service

+++ b/src/pesign.service

@@ -6,3 +6,5 @@ PrivateTmp=true

 Type=forking

 PIDFile=/var/run/pesign.pid

 ExecStart=/usr/bin/pesign --daemonize

+ExecStartPost=/usr/sbin/pesign-authorize-users

+ExecStartPost=/usr/sbin/pesign-authorize-groups

diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit

index ea37c58..6f20560 100644

--- a/src/pesign.sysvinit

+++ b/src/pesign.sysvinit

@@ -24,10 +24,8 @@ start(){

     RETVAL=$?

     echo

     touch /var/lock/subsys/pesign

-    setfacl -m u:kojibuilder:x /var/run/pesign

-    setfacl -m u:kojibuilder:rw /var/run/pesign/socket

-    setfacl -m g:kojibuilder:x /var/run/pesign

-    setfacl -m g:kojibuilder:rw /var/run/pesign/socket

+    /usr/sbin/pesign-authorize-users

+    /usr/sbin/pesign-authorize-groups

 }

 stop(){

-- 

2.5.5