From d7b39bc640c56ee48cdaa00f37f64cc126f22e3e Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Nov 19 2015 18:35:31 +0000
Subject: Allow the mockbuild user to read the nss database if the account exists.
Signed-off-by: Peter Jones
---
diff --git a/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
new file mode 100644
index 0000000..f554c81
--- /dev/null
+++ b/0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
@@ -0,0 +1,39 @@
+From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 19 Nov 2015 11:36:59 -0500
+Subject: [PATCH] setfacl the nss DBs to our authorized users, not just the
+ socket.
+
+Signed-off-by: Peter Jones
+---
+ src/pesign-authorize-groups | 2 ++
+ src/pesign-authorize-users | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index e3864ce..2236bea 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
+ for group in $(cat /etc/pesign/groups); do
+ setfacl -m g:${group}:rx /var/run/pesign
+ setfacl -m g:${group}:rw /var/run/pesign/socket
++ setfacl -m g:${username}:rx /etc/pki/pesign
++ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index e500204..9c38a25 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
+ for username in $(cat /etc/pesign/users); do
+ setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rw /var/run/pesign/socket
++ setfacl -m u:${username}:rx /etc/pki/pesign
++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ done
+ fi
+--
+2.5.0
+
diff --git a/pesign.spec b/pesign.spec
index 3751a04..af02526 100644
--- a/pesign.spec
+++ b/pesign.spec
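Review bot: In the pesign-authorize-groups half of the added patch file, both new `setfacl` lines expand `${username}`, but that script's loop variable is `group` (the context line reads `for group in $(cat /etc/pesign/groups); do`), so unless the script runs with `set -u` the qualifier is empty and `g::rx`/`g::r` rewrites the owning-group entry of /etc/pki/pesign and the NSS databases instead of granting anything to the listed group. The lines should read `setfacl -m g:${group}:rx /etc/pki/pesign` and `setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db`, mirroring the pesign-authorize-users counterpart. A comment beside these lines should also state that read access to key3.db is access to the private-key material (protected only by the database password, if one is set), so /etc/pesign/users and /etc/pesign/groups now act as signing-key access lists rather than socket access lists. The enclosing `if [[ -r /etc/pesign/groups ]]` block begins outside the hunk.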
@@ -3,7 +3,7 @@ Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.111
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/System
 License: GPLv2
 Recommends: pesign-rh-test-certs
@@ -25,6 +25,7 @@ BuildRequires: rh-signing-tools >= 1.20-2
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
+Patch0002: 0001-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -87,6 +88,9 @@ exit 0
 %post rh-test-certs
 certutil --merge -d %{_sysconfdir}/pki/pesign/ --source-dir %{_sysconfdir}/pki/pesign/rh-test-certs/
+getent passwd mockbuild >/dev/null && \
+ echo mockbuild >> %{_sysconfdir}/pesign/users &&
+ %{_libexecdir}/pesign/pesign-authorize-users
 %postun rh-test-certs
 if [ "$1" -eq 0 ]; then
@@ -149,6 +153,9 @@ modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
 %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/rh-test-certs/*
 %changelog
+* Thu Nov 19 2015 Peter Jones - 0.111-2
+- Allow the mockbuild user to read the nss database if the account exists.
+
 * Wed Oct 28 2015 Peter Jones - 0.111-1
 - Rebase to 0.111
 - Split test certs out into a "Recommends" subpackage.
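Review bot: The new `%post rh-test-certs` chain appends `mockbuild` to `%{_sysconfdir}/pesign/users` every time the scriptlet runs, and %post runs on upgrades as well as first installs, so the file accumulates duplicate entries; when the account is absent, the failed `getent` is also the chain's final status, so the scriptlet exits non-zero. Guard the append and force a zero exit, e.g. `getent passwd mockbuild >/dev/null && ! grep -qxs mockbuild %{_sysconfdir}/pesign/users && \` in place of the first added line, with the existing two lines followed by `|| :` — the neighbouring scriptlet already ends in `exit 0`, as this hunk's context shows. The `%postun rh-test-certs` body lies outside the hunk, so I cannot tell whether it removes the entry and the ACLs it implies when the subpackage is erased; if it does not, that should be stated in a comment next to the %post lines.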