From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001
From: Pat Riehecky
Date: Fri, 12 Sep 2014 09:37:07 -0500
Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign

The sysvinit script provided with pesign sets ACLS for the pesign/socket file for kojibuilder:kojibuilder. The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior.

Signed-off-by: Peter Jones
(cherry picked from commit 3c2374b57f26f15efa7c883e0fbbbaf3c490d074)
---
src/pesign-authorize-groups | 17 +++++++++++++++++
src/pesign-authorize-users | 17 +++++++++++++++++
src/pesign.service | 2 ++
src/pesign.sysvinit | 6 ++----
4 files changed, 38 insertions(+), 4 deletions(-)
create mode 100644 src/pesign-authorize-groups
create mode 100644 src/pesign-authorize-users

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
new file mode 100644
index 0000000..1048904
--- /dev/null
+++ b/src/pesign-authorize-groups
@@ -0,0 +1,17 @@
+#!/bin/bash
+ #
+ # With /run/pesign/socket on tmpfs, a simple way of restoring the
+ # acls for specific groups is useful
+ #
+ # Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+ #
+
+ # License: GPLv2
+
+ if [[ -r /etc/pesign/authorize-groups ]]; then
+ for group in $(cat /etc/pesign/authorize-groups); do
+ setfacl -m g:${group}:rx /var/run/pesign
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ done
+ fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
new file mode 100644
index 0000000..1993570
--- /dev/null
+++ b/src/pesign-authorize-users
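Review bot: The `for group in $(cat /etc/pesign/authorize-groups)` loop in the new pesign-authorize-groups script word-splits and glob-expands the file contents, and `${group}` is then handed to setfacl unquoted, so a stray `*` or embedded whitespace in an entry turns into filenames from the current directory rather than a group name; the pesign-authorize-users hunk has the same loop with `${username}`. Since these two files are effectively the access-control list for the signing socket, the entries should be read one per line with `read -r`, blank lines skipped, and the ACL spec quoted. The exit status of the script is also only that of the last setfacl, so an entry naming an unknown group earlier in the list fails silently when a later one succeeds; whether a bad entry should abort the script is a policy choice the commit should state, but at minimum the loop should not mask it.
```shell
if [[ -r /etc/pesign/authorize-groups ]]; then
    while IFS= read -r group || [[ -n "$group" ]]; do
        [[ -n "$group" ]] || continue
        setfacl -m "g:${group}:rx" /var/run/pesign
        setfacl -m "g:${group}:rw" /var/run/pesign/socket
    done < /etc/pesign/authorize-groups
fi
```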
@@ -0,0 +1,17 @@
+#!/bin/bash
+ #
+ # With /run/pesign/socket on tmpfs, a simple way of restoring the
+ # acls for specific users is useful
+ #
+ # Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+ #
+
+ # License: GPLv2
+
+ if [[ -r /etc/pesign/authorize-users ]]; then
+ for username in $(cat /etc/pesign/authorize-users); do
+ setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rw /var/run/pesign/socket
+ done
+ fi
diff --git a/src/pesign.service b/src/pesign.service
index 75a73c3..d6a412e 100644
--- a/src/pesign.service
+++ b/src/pesign.service
@@ -6,3 +6,5 @@ PrivateTmp=true
 Type=forking
 PIDFile=/var/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
+ExecStartPost=/usr/sbin/pesign-authorize-users
+ExecStartPost=/usr/sbin/pesign-authorize-groups
diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit
index ea37c58..6f20560 100644
--- a/src/pesign.sysvinit
+++ b/src/pesign.sysvinit
@@ -24,10 +24,8 @@ start(){
 RETVAL=$?
 echo
 touch /var/lock/subsys/pesign
- setfacl -m u:kojibuilder:x /var/run/pesign
- setfacl -m u:kojibuilder:rw /var/run/pesign/socket
- setfacl -m g:kojibuilder:x /var/run/pesign
- setfacl -m g:kojibuilder:rw /var/run/pesign/socket
+ /usr/sbin/pesign-authorize-users
+ /usr/sbin/pesign-authorize-groups
 }
 
 stop(){
-- 
2.5.5
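Review bot: The two `ExecStartPost=` lines carry no `-` prefix, so a non-zero exit from either helper (for example an /etc/pesign/authorize-users entry naming an account that does not exist, which makes its last setfacl fail) causes systemd to treat pesign.service as failed, whereas the sysvinit hunk runs the same helpers after RETVAL has already been captured and, as far as the hunk shows, ignores their result. If "compat behavior" in the description means the two init systems should behave alike, either make these best-effort with `ExecStartPost=-/usr/sbin/pesign-authorize-users` and `ExecStartPost=-/usr/sbin/pesign-authorize-groups`, or state in the unit that a bad authorize entry is meant to fail the service closed. Separately, `Type=forking` only waits for the parent to exit, so the helpers can run before /var/run/pesign/socket exists unless pesign creates the socket before daemonizing; if that ordering is guaranteed, a one-line comment above the ExecStartPost lines saying so would save the next reader from checking.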
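Review bot: The removed lines granted kojibuilder only `x` on /var/run/pesign, but the helpers that replace them grant `rx` on the directory (the `setfacl -m u:${username}:rx` and `setfacl -m g:${group}:rx` lines in the two new scripts), so every authorized principal can now enumerate the directory rather than merely traverse it; that widening is not mentioned in the description and looks unintended for a compatibility change, so the helpers should keep `x` unless listing is actually needed. Also, the old grants were unconditional while the new ones depend on /etc/pesign/authorize-users and /etc/pesign/authorize-groups existing, and the diffstat adds no such default files, so an upgraded sysvinit deployment that relied on kojibuilder loses the socket ACL unless packaging ships them. The remainder of start() lies outside the hunk, so whether the helpers' exit status now affects the function's return value could not be checked here.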