From 9cd3272fc54f7941f347c4ec9e15176c2ed7da36 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Wed, 20 Apr 2016 11:44:08 -0400
Subject: [PATCH 13/15] Improve our setfacl scripts for database and socket ownership.

Signed-off-by: Peter Jones
(cherry picked from commit a90c967205733c35a97c0c3e67131fa9b5b935fc)
---
 src/pesign-authorize-groups | 15 ++++++++++-----
 src/pesign-authorize-users | 19 ++++++++++++-------
 2 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
index 13aefa6..a4f895e 100644
--- a/src/pesign-authorize-groups
+++ b/src/pesign-authorize-groups
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 #
 # With /run/pesign/socket on tmpfs, a simple way of restoring the
@@ -9,7 +10,7 @@
 # License: GPLv2
-if [[ -r /etc/pesign/groups ]]; then
+if [ -r /etc/pesign/groups ]; then
 for group in $(cat /etc/pesign/groups); do
 if [ -d /var/run/pesign ]; then
 setfacl -m g:${group}:rx /var/run/pesign
@@ -17,9 +18,13 @@ if [[ -r /etc/pesign/groups ]]; then
 setfacl -m g:${group}:rw /var/run/pesign/socket
 fi
 fi
- if [ -d /etc/pki/pesign ]; then
- setfacl -m g:${group}:rx /etc/pki/pesign
- setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- fi
+ for x in /etc/pki/pesign* ; do
+ if [ -d ${x} ]; then
+ setfacl -m g:${group}:rx /etc/pki/pesign
+ for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rw ${y}
+ done
+ fi
+ done
 done
 fi
diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
index a43ce44..8b9a885 100644
--- a/src/pesign-authorize-users
+++ b/src/pesign-authorize-users
@@ -1,4 +1,5 @@
 #!/bin/bash
+set -e
 #
 # With /run/pesign/socket on tmpfs, a simple way of restoring the
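Review bot: The `rx` ACL inside the new `for x in /etc/pki/pesign*` loop is still applied to the literal `/etc/pki/pesign` instead of to `${x}`, so any other directory the glob matches gets its database files made group-writable while the directory itself is never made group-readable; that line should read `setfacl -m g:${group}:rx "${x}"`. The brace expansion `${x}/{cert8,key3,secmod}.db` always yields all three paths whether or not they exist, and with the `set -e` added in the first hunk a single missing file makes `setfacl` fail and abort the script before the remaining groups and directories are processed — a guard such as `[ -e "${y}" ] || continue` before the `setfacl` keeps the run going. Quoting `"${x}"` and `"${y}"` on the new lines would also avoid word-splitting surprises. The widening of the database ACL from `r` to `rw` appears to be the intent of the subject line, but the three points above apply equally to the matching hunk in src/pesign-authorize-users.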
@@ -9,17 +10,21 @@
 # License: GPLv2
-if [[ -r /etc/pesign/users ]]; then
+if [ -r /etc/pesign/users ]; then
 for username in $(cat /etc/pesign/users); do
 if [ -d /var/run/pesign ]; then
- setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m g:${username}:rx /var/run/pesign
 if [ -e /var/run/pesign/socket ]; then
- setfacl -m u:${username}:rw /var/run/pesign/socket
+ setfacl -m g:${username}:rw /var/run/pesign/socket
 fi
 fi
- if [ -d /etc/pki/pesign ]; then
- setfacl -m u:${username}:rx /etc/pki/pesign
- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
- fi
+ for x in /etc/pki/pesign* ; do
+ if [ -d ${x} ]; then
+ setfacl -m g:${username}:rx /etc/pki/pesign
+ for y in ${x}/{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rw ${y}
+ done
+ fi
+ done
 done
 fi
-- 
2.5.5
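Review bot: All four `setfacl` calls in this hunk — the two on /var/run/pesign and its socket, and the two inside the new `/etc/pki/pesign*` loop — now use the `g:` qualifier with `${username}`, so the access is granted to a group that happens to share the user's name rather than to the user. Where no such group exists `setfacl` fails and the newly added `set -e` aborts the script, and where one does exist (user-private groups) anyone later added to that group inherits access to the signing socket and the NSS databases, which is broader than the per-user grant the file name and `/etc/pesign/users` imply. This looks like a copy-and-paste from the groups script rather than a deliberate change; unless group-based access is really the aim, the qualifier should remain `u:${username}:rx` and `u:${username}:rw` in all four places.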