|
 |
65f427 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
793dd5 |
From: Peter Jones <pjones@redhat.com>
|
|
|
793dd5 |
Date: Tue, 8 Aug 2017 15:44:44 -0400
|
|
|
65f427 |
Subject: [PATCH] Better authorization scripts. Again.
|
|
|
793dd5 |
|
|
|
793dd5 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
793dd5 |
---
|
|
|
793dd5 |
src/Makefile | 12 ++++++----
|
|
|
793dd5 |
src/pesign-authorize | 56 +++++++++++++++++++++++++++++++++++++++++++++
|
|
|
793dd5 |
src/pesign-authorize-groups | 30 ------------------------
|
|
|
793dd5 |
src/pesign-authorize-users | 30 ------------------------
|
|
|
793dd5 |
src/pesign.service.in | 3 +--
|
|
|
793dd5 |
src/pesign.sysvinit.in | 3 +--
|
|
|
793dd5 |
6 files changed, 65 insertions(+), 69 deletions(-)
|
|
|
793dd5 |
create mode 100755 src/pesign-authorize
|
|
|
793dd5 |
delete mode 100644 src/pesign-authorize-groups
|
|
|
793dd5 |
delete mode 100644 src/pesign-authorize-users
|
|
|
793dd5 |
|
|
|
793dd5 |
diff --git a/src/Makefile b/src/Makefile
|
|
|
793dd5 |
index 654b792..84ad130 100644
|
|
|
793dd5 |
--- a/src/Makefile
|
|
|
793dd5 |
+++ b/src/Makefile
|
|
|
793dd5 |
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
|
|
|
793dd5 |
|
|
|
793dd5 |
BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
|
|
|
793dd5 |
SVCTARGETS=pesign.sysvinit pesign.service
|
|
|
793dd5 |
-TARGETS=$(BINTARGETS) $(SVCTARGETS)
|
|
|
793dd5 |
+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
|
|
|
793dd5 |
|
|
|
793dd5 |
all : deps $(TARGETS)
|
|
|
793dd5 |
|
|
|
793dd5 |
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
|
|
|
793dd5 |
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
|
|
|
793dd5 |
$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
|
|
|
793dd5 |
|
|
|
793dd5 |
+pesign-users pesign-groups :
|
|
|
793dd5 |
+ echo pesign > $@
|
|
|
793dd5 |
+
|
|
|
793dd5 |
install :
|
|
|
793dd5 |
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
|
|
|
793dd5 |
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
|
|
|
793dd5 |
@@ -88,10 +91,9 @@ install :
|
|
|
793dd5 |
$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
|
|
|
793dd5 |
$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
|
|
|
793dd5 |
$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
|
|
|
793dd5 |
- $(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
|
|
|
793dd5 |
- $(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
|
|
|
793dd5 |
+ $(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
|
|
|
793dd5 |
$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
|
|
|
793dd5 |
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
|
|
|
793dd5 |
- $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
|
|
|
793dd5 |
+ $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
|
|
|
793dd5 |
+ $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
|
|
|
793dd5 |
|
|
|
793dd5 |
.PHONY: all deps clean install
|
|
|
793dd5 |
diff --git a/src/pesign-authorize b/src/pesign-authorize
|
|
|
793dd5 |
new file mode 100755
|
|
|
793dd5 |
index 0000000..a496f60
|
|
|
793dd5 |
--- /dev/null
|
|
|
793dd5 |
+++ b/src/pesign-authorize
|
|
|
793dd5 |
@@ -0,0 +1,56 @@
|
|
|
793dd5 |
+#!/bin/bash
|
|
|
793dd5 |
+set -e
|
|
|
793dd5 |
+set -u
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+#
|
|
|
793dd5 |
+# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
|
793dd5 |
+# acls for specific users is useful
|
|
|
793dd5 |
+#
|
|
|
793dd5 |
+# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
|
793dd5 |
+#
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+# License: GPLv2
|
|
|
793dd5 |
+declare -a fileusers=()
|
|
|
793dd5 |
+declare -a dirusers=()
|
|
|
793dd5 |
+for user in $(cat /etc/pesign/users); do
|
|
|
793dd5 |
+ dirusers[${#dirusers[@]}]=-m
|
|
|
793dd5 |
+ dirusers[${#dirusers[@]}]="u:$user:rwx"
|
|
|
793dd5 |
+ fileusers[${#fileusers[@]}]=-m
|
|
|
793dd5 |
+ fileusers[${#fileusers[@]}]="u:$user:rw"
|
|
|
793dd5 |
+done
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+declare -a filegroups=()
|
|
|
793dd5 |
+declare -a dirgroups=()
|
|
|
793dd5 |
+for group in $(cat /etc/pesign/groups); do
|
|
|
793dd5 |
+ dirgroups[${#dirgroups[@]}]=-m
|
|
|
793dd5 |
+ dirgroups[${#dirgroups[@]}]="g:$group:rwx"
|
|
|
793dd5 |
+ filegroups[${#filegroups[@]}]=-m
|
|
|
793dd5 |
+ filegroups[${#filegroups[@]}]="g:$group:rw"
|
|
|
793dd5 |
+done
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+update_subdir() {
|
|
|
793dd5 |
+ subdir=$1 && shift
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+ setfacl -bk "${subdir}"
|
|
|
793dd5 |
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
|
|
|
793dd5 |
+ for x in "${subdir}"* ; do
|
|
|
793dd5 |
+ if [ -d "${x}" ]; then
|
|
|
793dd5 |
+ setfacl -bk ${x}
|
|
|
793dd5 |
+ setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
|
|
|
793dd5 |
+ update_subdir "${x}/"
|
|
|
793dd5 |
+ elif [ -e "${x}" ]; then
|
|
|
793dd5 |
+ setfacl -bk ${x}
|
|
|
793dd5 |
+ setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
|
|
|
793dd5 |
+ else
|
|
|
793dd5 |
+ :;
|
|
|
793dd5 |
+ fi
|
|
|
793dd5 |
+ done
|
|
|
793dd5 |
+}
|
|
|
793dd5 |
+
|
|
|
793dd5 |
+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
|
|
|
793dd5 |
+ if [ -d "${x}" ]; then
|
|
|
793dd5 |
+ update_subdir "${x}"
|
|
|
793dd5 |
+ else
|
|
|
793dd5 |
+ :;
|
|
|
793dd5 |
+ fi
|
|
|
793dd5 |
+done
|
|
|
793dd5 |
diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
|
|
|
793dd5 |
deleted file mode 100644
|
|
|
793dd5 |
index cf51fb6..0000000
|
|
|
793dd5 |
--- a/src/pesign-authorize-groups
|
|
|
793dd5 |
+++ /dev/null
|
|
|
793dd5 |
@@ -1,30 +0,0 @@
|
|
|
793dd5 |
-#!/bin/bash
|
|
|
793dd5 |
-set -e
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
|
793dd5 |
-# acls for specific groups is useful
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-# License: GPLv2
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-if [ -r /etc/pesign/groups ]; then
|
|
|
793dd5 |
- for group in $(cat /etc/pesign/groups); do
|
|
|
793dd5 |
- if [ -d /var/run/pesign ]; then
|
|
|
793dd5 |
- setfacl -m g:${group}:rx /var/run/pesign
|
|
|
793dd5 |
- if [ -e /var/run/pesign/socket ]; then
|
|
|
793dd5 |
- setfacl -m g:${group}:rw /var/run/pesign/socket
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- for x in /etc/pki/pesign*/ ; do
|
|
|
793dd5 |
- if [ -d ${x} ]; then
|
|
|
793dd5 |
- setfacl -m g:${group}:rx ${x}
|
|
|
793dd5 |
- for y in ${x}{cert8,key3,secmod}.db ; do
|
|
|
793dd5 |
- setfacl -m g:${group}:rw ${y}
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
-fi
|
|
|
793dd5 |
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
|
|
|
793dd5 |
deleted file mode 100644
|
|
|
793dd5 |
index 940138e..0000000
|
|
|
793dd5 |
--- a/src/pesign-authorize-users
|
|
|
793dd5 |
+++ /dev/null
|
|
|
793dd5 |
@@ -1,30 +0,0 @@
|
|
|
793dd5 |
-#!/bin/bash
|
|
|
793dd5 |
-set -e
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
|
|
|
793dd5 |
-# acls for specific users is useful
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
|
|
|
793dd5 |
-#
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-# License: GPLv2
|
|
|
793dd5 |
-
|
|
|
793dd5 |
-if [ -r /etc/pesign/users ]; then
|
|
|
793dd5 |
- for username in $(cat /etc/pesign/users); do
|
|
|
793dd5 |
- if [ -d /var/run/pesign ]; then
|
|
|
793dd5 |
- setfacl -m g:${username}:rx /var/run/pesign
|
|
|
793dd5 |
- if [ -e /var/run/pesign/socket ]; then
|
|
|
793dd5 |
- setfacl -m g:${username}:rw /var/run/pesign/socket
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- for x in /etc/pki/pesign*/ ; do
|
|
|
793dd5 |
- if [ -d ${x} ]; then
|
|
|
793dd5 |
- setfacl -m g:${username}:rx ${x}
|
|
|
793dd5 |
- for y in ${x}{cert8,key3,secmod}.db ; do
|
|
|
793dd5 |
- setfacl -m g:${username}:rw ${y}
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
- fi
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
- done
|
|
|
793dd5 |
-fi
|
|
|
793dd5 |
diff --git a/src/pesign.service.in b/src/pesign.service.in
|
|
|
793dd5 |
index aaa408e..c75a000 100644
|
|
|
793dd5 |
--- a/src/pesign.service.in
|
|
|
793dd5 |
+++ b/src/pesign.service.in
|
|
|
793dd5 |
@@ -6,5 +6,4 @@ PrivateTmp=true
|
|
|
793dd5 |
Type=forking
|
|
|
793dd5 |
PIDFile=/var/run/pesign.pid
|
|
|
793dd5 |
ExecStart=/usr/bin/pesign --daemonize
|
|
|
793dd5 |
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
|
|
|
793dd5 |
-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
|
|
793dd5 |
+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
|
|
|
793dd5 |
diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
|
|
|
793dd5 |
index dc508d8..b0e0f84 100644
|
|
|
793dd5 |
--- a/src/pesign.sysvinit.in
|
|
|
793dd5 |
+++ b/src/pesign.sysvinit.in
|
|
|
793dd5 |
@@ -27,8 +27,7 @@ start(){
|
|
|
793dd5 |
RETVAL=$?
|
|
|
793dd5 |
echo
|
|
|
793dd5 |
touch /var/lock/subsys/pesign
|
|
|
793dd5 |
- @@LIBEXECDIR@@/pesign/pesign-authorize-users
|
|
|
793dd5 |
- @@LIBEXECDIR@@/pesign/pesign-authorize-groups
|
|
|
793dd5 |
+ @@LIBEXECDIR@@/pesign/pesign-authorize
|
|
|
793dd5 |
}
|
|
|
793dd5 |
|
|
|
793dd5 |
stop(){
|