From ab3b913cc74666dffe56d1f87f6f90653d8f4e70 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sat, 2 Oct 2021 09:14:21 -0300
Subject: [PATCH 4/4] Specify user and group for tang

So that we can run tang itself with a different user.

The systemd unit and the key generation/rotation helpers are updated to
use the new user and group.
---
 meson.build                                    |  2 ++
 meson_options.txt                              |  2 ++
 src/meson.build                                | 18 ++++++++++++++++--
 src/{tangd-keygen => tangd-keygen.in}          | 11 +++++++++--
 ...{tangd-rotate-keys => tangd-rotate-keys.in} |  9 ++++++++-
 units/tangd@.service.in                        |  1 +
 6 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 meson_options.txt
 rename src/{tangd-keygen => tangd-keygen.in} (85%)
 rename src/{tangd-rotate-keys => tangd-rotate-keys.in} (92%)

diff --git a/meson.build b/meson.build
index 1733d47..7664e05 100644
--- a/meson.build
+++ b/meson.build
@@ -26,6 +26,8 @@ data.set('libexecdir', libexecdir)
 data.set('sysconfdir', sysconfdir)
 data.set('systemunitdir', systemunitdir)
 data.set('jwkdir', jwkdir)
+data.set('user', get_option('user'))
+data.set('group', get_option('group'))
 
 add_project_arguments(
   '-D_POSIX_C_SOURCE=200809L',
diff --git a/meson_options.txt b/meson_options.txt
new file mode 100644
index 0000000..9b1f7c6
--- /dev/null
+++ b/meson_options.txt
@@ -0,0 +1,2 @@
+option('user', type: 'string', value: 'tang', description: 'Unprivileged user for tang operations')
+option('group', type: 'string', value: 'tang', description: 'Unprivileged group for tang operations')
diff --git a/src/meson.build b/src/meson.build
index e7dc60c..f022775 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -7,8 +7,22 @@ tangd = executable('tangd',
   install_dir: libexecdir
 )
 
+tangd_keygen = configure_file(
+  input: 'tangd-keygen.in',
+  output: 'tangd-keygen',
+  configuration: data,
+  install: true,
+  install_dir: libexecdir
+)
+
+tangd_rotate_keys = configure_file(
+  input: 'tangd-rotate-keys.in',
+  output: 'tangd-rotate-keys',
+  configuration: data,
+  install: true,
+  install_dir: libexecdir
+)
+
 bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
-libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
 
 # vim:set ts=2 sw=2 et:
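Review bot: Neither configure_file() call pins an install_mode, so whether the generated tangd-keygen and tangd-rotate-keys keep their executable bit now depends on the input's mode surviving configure_file() and the install step; the old libexecbins path installed the scripts as they were. Adding `install_mode: 'rwxr-xr-x'` to both calls makes the intent explicit and independent of Meson's copy behaviour. Worth checking on a clean install that @libexecdir@/tangd-keygen is actually executable after this change.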
diff --git a/src/tangd-keygen b/src/tangd-keygen.in
similarity index 85%
rename from src/tangd-keygen
rename to src/tangd-keygen.in
index ed51124..f74b86f 100755
--- a/src/tangd-keygen
+++ b/src/tangd-keygen.in
@@ -25,6 +25,13 @@ usage() {
     exit 1
 }
 
+set_perms() {
+    chmod 0440 -- "${1}"
+    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
+        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
+    fi
+}
+
 [ $# -ne 1 ] && [ $# -ne 3 ] && usage
 [ -d "$1" ] || usage
 
@@ -34,10 +41,10 @@ THP_DEFAULT_HASH=S256     # SHA-256.
 jwe=$(jose jwk gen -i '{"alg":"ES512"}')
 [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
 echo "$jwe" > "$1/$sig.jwk"
-chmod 0440 "$1/$sig.jwk"
+set_perms "$1/$sig.jwk"
 
 
 jwe=$(jose jwk gen -i '{"alg":"ECMR"}')
 [ -z "$exc" ] && exc=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
 echo "$jwe" > "$1/$exc.jwk"
-chmod 0440 "$1/$exc.jwk"
+set_perms "$1/$exc.jwk"
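Review bot: The key material is still written by the redirect `echo "$jwe" > "$1/$exc.jwk"` before set_perms tightens the mode, so the file is briefly created with umask-derived permissions (possibly 0644) before being reduced to 0440; the commit moves the chmod into a helper but does not close that window. A `umask 077` near the top of the script (outside this hunk) would make the file private from creation, with set_perms then only adjusting ownership and the final 0440 mode. This is pre-existing behaviour, but it matters more now that the ownership step can fail independently of the chmod.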
diff --git a/src/tangd-rotate-keys b/src/tangd-rotate-keys.in
similarity index 92%
rename from src/tangd-rotate-keys
rename to src/tangd-rotate-keys.in
index 8649652..56b94ad 100755
--- a/src/tangd-rotate-keys
+++ b/src/tangd-rotate-keys.in
@@ -48,6 +48,13 @@ error() {
     usage 1
 }
 
+set_perms() {
+    chmod 0440 -- "${1}"
+    if ! chown @user@:@group@ -- "${1}" 2>/dev/null; then
+        echo "Unable to change owner/group for ${1} to @user@:@group@" >&2
+    fi
+}
+
 JWKDIR=
 VERBOSE=
 while getopts "hvd:" o; do
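Review bot: This script already has an error() helper whose tail (`usage 1`, closing brace) is visible just above the new set_perms, yet set_perms duplicates the echo-to-stderr-and-continue pattern from tangd-keygen instead of using it, so a failed chown here is silently tolerated while other failures in the script abort. Replacing the if-block with `chown @user@:@group@ -- "${1}" || error "Unable to change owner/group for ${1} to @user@:@group@"` keeps error handling consistent within the file and stops a rotation from producing a new key the daemon cannot read. Dropping `2>/dev/null` would also keep chown's own diagnostic, which is the only place the actual cause appears.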
@@ -78,7 +85,7 @@ cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
         thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
                                            -a "${DEFAULT_THP_HASH}")"
         echo "${jwe}" > "${thp}.jwk"
-        chmod 0440 "${thp}.jwk"
+        set_perms "${thp}.jwk"
         log "Created new key ${thp}.jwk" "${VERBOSE}"
     done
 cd - >/dev/null
diff --git a/units/tangd@.service.in b/units/tangd@.service.in
index f1db261..aeb2dc1 100644
--- a/units/tangd@.service.in
+++ b/units/tangd@.service.in
@@ -6,3 +6,4 @@ StandardInput=socket
 StandardOutput=socket
 StandardError=journal
 ExecStart=@libexecdir@/tangd @jwkdir@
+User=@user@
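Review bot: The unit sets `User=@user@` but not `Group=@group@`, so the daemon's primary group is whatever the account was created with rather than the group the keys are chowned to; adding `Group=@group@` next to the User line keeps the unit consistent with the 0440 @user@:@group@ mode the helpers apply. Nothing in this patch creates the account (no sysusers.d fragment in the diffstat), so on a host without a `tang` user the instantiated service will fail to start until packaging provides it. Existing key files generated by the old scripts presumably remain root-owned 0440 and would become unreadable to the now-unprivileged daemon after upgrade; a note in the commit message or a one-time chown in packaging scripts seems needed, unless that migration is handled elsewhere.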
-- 
2.31.1