From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 20 Apr 2016 11:44:08 -0400
Subject: [PATCH] Improve our setfacl scripts for database and socket
ownership.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit a90c967205733c35a97c0c3e67131fa9b5b935fc)
---
src/pesign-authorize-groups | 15 ++++++++++-----
src/pesign-authorize-users | 19 ++++++++++++-------
2 files changed, 22 insertions(+), 12 deletions(-)
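--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 #
 # With /run/pesign/socket on tmpfs, a simple way of restoring the
@@ -9,7 +10,7 @@
 
 # License: GPLv2
 
-if [[ -r /etc/pesign/groups ]]; then
+if [ -r /etc/pesign/groups ]; then
 for group in $(cat /etc/pesign/groups); do
 if [ -d /var/run/pesign ]; then
 setfacl -m g:${group}:rx /var/run/pesign
@@ -17,9 +18,13 @@ if [[ -r /etc/pesign/groups ]]; then
 setfacl -m g:${group}:rw /var/run/pesign/socket
 fi
 fi
- if [ -d /etc/pki/pesign ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- fi
+ for x in /etc/pki/pesign* ; do
+ if [ -d ${x} ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rw ${y}
+ done
+ fi
+ done
 done
 fi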
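Review bot: The rx ACL inside the new `for x in /etc/pki/pesign* ; do` loop is applied to the fixed path `/etc/pki/pesign` instead of `${x}`, so any other directory matched by the glob never gets the directory ACL even though its database files do, and the command fails (now fatal under the added `set -e`) when `/etc/pki/pesign` itself is absent; the line should read `setfacl -m g:${group}:rx "${x}"`. The inner loop also runs setfacl on each of `${x}/{cert8,key3,secmod}.db` without checking that the file exists, so a single missing database aborts the script and leaves every later group in /etc/pesign/groups unauthorized, which the pre-`set -e` version tolerated; a `[ -e "${y}" ] || continue` before the setfacl keeps that best-effort behaviour. `${x}` and `${y}` are unquoted in the `[ -d ]` test and the setfacl calls and should be quoted.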
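--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 
 #
 # With /run/pesign/socket on tmpfs, a simple way of restoring the
@@ -9,17 +10,21 @@
 
 # License: GPLv2
 
-if [[ -r /etc/pesign/users ]]; then
+if [ -r /etc/pesign/users ]; then
 for username in $(cat /etc/pesign/users); do
 if [ -d /var/run/pesign ]; then
- setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m g:${username}:rx /var/run/pesign
 if [ -e /var/run/pesign/socket ]; then
- setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rw /var/run/pesign/socket
 fi
 fi
- if [ -d /etc/pki/pesign ]; then
- setfacl -m u:${username}:rx /etc/pki/pesign
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- fi
+ for x in /etc/pki/pesign* ; do
+ if [ -d ${x} ]; then
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rw ${y}
+ done
+ fi
+ done
 done
 fi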
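Review bot: The new lines in pesign-authorize-users change every ACL entry from `u:${username}` to `g:${username}`, so the script now authorizes a group named after each entry in /etc/pesign/users rather than the user itself; that prefix is right in pesign-authorize-groups, which iterates groups, but here it looks like a copy-paste slip. Where no group of that name exists setfacl fails and, under the added `set -e`, all remaining users are skipped; where one does exist, every member of that group gains access to the socket and the signing databases, which is wider than the file grants. The four affected lines should keep the user qualifier, e.g. `setfacl -m u:${username}:rw ${y}`. Separately, `setfacl -m g:${username}:rx /etc/pki/pesign` targets the fixed path instead of `${x}`, and the `${x}/{cert8,key3,secmod}.db` loop has no `[ -e "${y}" ] || continue` guard, so one missing database now aborts the whole script.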