|
 |
fe5aa1 |
From 82cf315182deacdc488b465cb50d8c0d692f4dcc Mon Sep 17 00:00:00 2001
|
|
|
fe5aa1 |
From: Peter Jones <pjones@redhat.com>
|
|
|
fe5aa1 |
Date: Thu, 19 Nov 2015 11:36:59 -0500
|
|
|
fe5aa1 |
Subject: [PATCH 10/15] setfacl the nss DBs to our authorized users, not just
|
|
|
fe5aa1 |
the socket.
|
|
|
fe5aa1 |
|
|
|
fe5aa1 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
fe5aa1 |
(cherry picked from commit 1a9a8eefe8f9a9b21996151a5afd956df22921ea)
|
|
|
fe5aa1 |
---
|
|
|
fe5aa1 |
src/pesign-authorize-groups | 2 ++
|
|
|
fe5aa1 |
src/pesign-authorize-users | 2 ++
|
|
|
fe5aa1 |
2 files changed, 4 insertions(+)
|
|
|
fe5aa1 |
|
|
|
fe5aa1 |
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
|
|
fe5aa1 |
index e3864ce..2236bea 100644
|
|
|
fe5aa1 |
--- a/src/pesign-authorize-groups
|
|
|
fe5aa1 |
+++ b/src/pesign-authorize-groups
|
|
|
fe5aa1 |
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
|
|
|
fe5aa1 |
for group in $(cat /etc/pesign/groups); do
|
|
|
fe5aa1 |
setfacl -m g:${group}:rx /var/run/pesign
|
|
|
fe5aa1 |
setfacl -m g:${group}:rw /var/run/pesign/socket
|
|
|
fe5aa1 |
+ setfacl -m g:${username}:rx /etc/pki/pesign
|
|
|
fe5aa1 |
+ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
|
|
fe5aa1 |
done
|
|
|
fe5aa1 |
fi
|
|
|
fe5aa1 |
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
|
|
fe5aa1 |
index e500204..9c38a25 100644
|
|
|
fe5aa1 |
--- a/src/pesign-authorize-users
|
|
|
fe5aa1 |
+++ b/src/pesign-authorize-users
|
|
|
fe5aa1 |
@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
|
|
|
fe5aa1 |
for username in $(cat /etc/pesign/users); do
|
|
|
fe5aa1 |
setfacl -m u:${username}:rx /var/run/pesign
|
|
|
fe5aa1 |
setfacl -m u:${username}:rw /var/run/pesign/socket
|
|
|
fe5aa1 |
+ setfacl -m u:${username}:rx /etc/pki/pesign
|
|
|
fe5aa1 |
+ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
|
|
|
fe5aa1 |
done
|
|
|
fe5aa1 |
fi
|
|
|
fe5aa1 |
--
|
|
|
fe5aa1 |
2.5.5
|
|
|
fe5aa1 |
|