From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Tue, 8 Aug 2017 15:44:44 -0400

Subject: [PATCH 23/29] Better authorization scripts.  Again.

Signed-off-by: Peter Jones <pjones@redhat.com>

---

 src/Makefile                | 12 ++++++----

 src/pesign-authorize        | 56 +++++++++++++++++++++++++++++++++++++++++++++

 src/pesign-authorize-groups | 30 ------------------------

 src/pesign-authorize-users  | 30 ------------------------

 src/pesign.service.in       |  3 +--

 src/pesign.sysvinit.in      |  3 +--

 6 files changed, 65 insertions(+), 69 deletions(-)

 create mode 100755 src/pesign-authorize

 delete mode 100644 src/pesign-authorize-groups

 delete mode 100644 src/pesign-authorize-users

diff --git a/src/Makefile b/src/Makefile

index 654b792..84ad130 100644

--- a/src/Makefile

+++ b/src/Makefile

@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults

 BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign

 SVCTARGETS=pesign.sysvinit pesign.service

-TARGETS=$(BINTARGETS) $(SVCTARGETS)

+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups

 all : deps $(TARGETS)

@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit

 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/

 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign

+pesign-users pesign-groups :

+	echo pesign > $@

+

 install :

 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/

 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/

@@ -88,10 +91,9 @@ install :

 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/

 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/

 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/

-	$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/

-	$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/

+	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/

 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign

-	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users

-	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups

+	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users

+	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups

 .PHONY: all deps clean install

diff --git a/src/pesign-authorize b/src/pesign-authorize

new file mode 100755

index 0000000..a496f60

--- /dev/null

+++ b/src/pesign-authorize

@@ -0,0 +1,56 @@

+#!/bin/bash

+set -e

+set -u

+

+#

+# With /run/pesign/socket on tmpfs, a simple way of restoring the

+# acls for specific users is useful

+#

+#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

+#

+

+# License: GPLv2

+declare -a fileusers=()

+declare -a dirusers=()

+for user in $(cat /etc/pesign/users); do

+	dirusers[${#dirusers[@]}]=-m

+	dirusers[${#dirusers[@]}]="u:$user:rwx"

+	fileusers[${#fileusers[@]}]=-m

+	fileusers[${#fileusers[@]}]="u:$user:rw"

+done

+

+declare -a filegroups=()

+declare -a dirgroups=()

+for group in $(cat /etc/pesign/groups); do

+	dirgroups[${#dirgroups[@]}]=-m

+	dirgroups[${#dirgroups[@]}]="g:$group:rwx"

+	filegroups[${#filegroups[@]}]=-m

+	filegroups[${#filegroups[@]}]="g:$group:rw"

+done

+

+update_subdir() {

+	subdir=$1 && shift

+

+	setfacl -bk "${subdir}"

+	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"

+	for x in "${subdir}"* ; do

+		if [ -d "${x}" ]; then

+			setfacl -bk ${x}

+			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}

+			update_subdir "${x}/"

+		elif [ -e "${x}" ]; then

+			setfacl -bk ${x}

+			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}

+		else

+			:;

+		fi

+	done

+}

+

+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do

+	if [ -d "${x}" ]; then

+		update_subdir "${x}"

+	else

+		:;

+	fi

+done

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups

deleted file mode 100644

index cf51fb6..0000000

--- a/src/pesign-authorize-groups

+++ /dev/null

@@ -1,30 +0,0 @@

-#!/bin/bash

-set -e

-

-#

-# With /run/pesign/socket on tmpfs, a simple way of restoring the

-# acls for specific groups is useful

-#

-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

-#

-

-# License: GPLv2

-

-if [ -r /etc/pesign/groups ]; then

-    for group in $(cat /etc/pesign/groups); do

-	if [ -d /var/run/pesign ]; then

-	    setfacl -m g:${group}:rx /var/run/pesign

-	    if [ -e /var/run/pesign/socket ]; then

-		setfacl -m g:${group}:rw /var/run/pesign/socket

-	    fi

-	fi

-	for x in /etc/pki/pesign*/ ; do

-	    if [ -d ${x} ]; then

-		setfacl -m g:${group}:rx ${x}

-		for y in ${x}{cert8,key3,secmod}.db ; do

-		    setfacl -m g:${group}:rw ${y}

-		done

-	    fi

-	done

-    done

-fi

diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users

deleted file mode 100644

index 940138e..0000000

--- a/src/pesign-authorize-users

+++ /dev/null

@@ -1,30 +0,0 @@

-#!/bin/bash

-set -e

-

-#

-# With /run/pesign/socket on tmpfs, a simple way of restoring the

-# acls for specific users is useful

-#

-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6

-#

-

-# License: GPLv2

-

-if [ -r /etc/pesign/users ]; then

-    for username in $(cat /etc/pesign/users); do

-	if [ -d /var/run/pesign ]; then

-	    setfacl -m g:${username}:rx /var/run/pesign

-	    if [ -e /var/run/pesign/socket ]; then

-		setfacl -m g:${username}:rw /var/run/pesign/socket

-	    fi

-	fi

-	for x in /etc/pki/pesign*/ ; do

-	    if [ -d ${x} ]; then

-		setfacl -m g:${username}:rx ${x}

-		for y in ${x}{cert8,key3,secmod}.db ; do

-		    setfacl -m g:${username}:rw ${y}

-		done

-	    fi

-	done

-    done

-fi

diff --git a/src/pesign.service.in b/src/pesign.service.in

index aaa408e..c75a000 100644

--- a/src/pesign.service.in

+++ b/src/pesign.service.in

@@ -6,5 +6,4 @@ PrivateTmp=true

 Type=forking

 PIDFile=/var/run/pesign.pid

 ExecStart=/usr/bin/pesign --daemonize

-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users

-ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups

+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize

diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in

index dc508d8..b0e0f84 100644

--- a/src/pesign.sysvinit.in

+++ b/src/pesign.sysvinit.in

@@ -27,8 +27,7 @@ start(){

     RETVAL=$?

     echo

     touch /var/lock/subsys/pesign

-    @@LIBEXECDIR@@/pesign/pesign-authorize-users

-    @@LIBEXECDIR@@/pesign/pesign-authorize-groups

+    @@LIBEXECDIR@@/pesign/pesign-authorize

 }

 stop(){

-- 

2.13.4