Accepting request 537056 from security:dehydrated
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/537056 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=5
commit
7f94fd2df8
@ -1,4 +1,4 @@
|
|||||||
From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
|
From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
|
||||||
From: Daniel Molkentin <dmolkentin@suse.com>
|
From: Daniel Molkentin <dmolkentin@suse.com>
|
||||||
Date: Thu, 21 Sep 2017 19:07:54 +0200
|
Date: Thu, 21 Sep 2017 19:07:54 +0200
|
||||||
Subject: [PATCH] Add optional user and group configuration
|
Subject: [PATCH] Add optional user and group configuration
|
||||||
@ -6,16 +6,30 @@ Subject: [PATCH] Add optional user and group configuration
|
|||||||
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
|
when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
|
||||||
and instead launch itself as the user in DEHYDRATED_USER (and
|
and instead launch itself as the user in DEHYDRATED_USER (and
|
||||||
DEHYDRATED_GROUP if set).
|
DEHYDRATED_GROUP if set).
|
||||||
|
|
||||||
|
Using sudo has a few practical advantages over su:
|
||||||
|
- it doesn't require to specify a login shell when no login shell is set
|
||||||
|
for the target user
|
||||||
|
- it allows (safe) handling of arguments.
|
||||||
---
|
---
|
||||||
dehydrated | 15 +++++++++++++++
|
dehydrated | 22 ++++++++++++++++++++++
|
||||||
docs/examples/config | 6 ++++++
|
docs/examples/config | 6 ++++++
|
||||||
2 files changed, 21 insertions(+)
|
2 files changed, 28 insertions(+)
|
||||||
|
|
||||||
diff --git a/dehydrated b/dehydrated
|
diff --git a/dehydrated b/dehydrated
|
||||||
index 8b31ee1..39c717f 100755
|
index 8b31ee1..acca1d0 100755
|
||||||
--- a/dehydrated
|
--- a/dehydrated
|
||||||
+++ b/dehydrated
|
+++ b/dehydrated
|
||||||
@@ -126,6 +126,8 @@ load_config() {
|
@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
|
||||||
|
|
||||||
|
BASEDIR="${SCRIPTDIR}"
|
||||||
|
|
||||||
|
+ORIGARGS="$@"
|
||||||
|
+
|
||||||
|
# Create (identifiable) temporary files
|
||||||
|
_mktemp() {
|
||||||
|
# shellcheck disable=SC2068
|
||||||
|
@@ -126,6 +128,8 @@ load_config() {
|
||||||
LOCKFILE=
|
LOCKFILE=
|
||||||
OCSP_MUST_STAPLE="no"
|
OCSP_MUST_STAPLE="no"
|
||||||
IP_VERSION=
|
IP_VERSION=
|
||||||
@ -24,17 +38,22 @@ index 8b31ee1..39c717f 100755
|
|||||||
|
|
||||||
if [[ -z "${CONFIG:-}" ]]; then
|
if [[ -z "${CONFIG:-}" ]]; then
|
||||||
echo "#" >&2
|
echo "#" >&2
|
||||||
@@ -159,6 +161,19 @@ load_config() {
|
@@ -159,6 +163,24 @@ load_config() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
+ # Check if we are running & are allowed to run as root
|
+ # Check if we are running & are allowed to run as root
|
||||||
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
|
+ if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
|
||||||
|
+ sudo=`command -v sudo`
|
||||||
|
+ if [ -z $sudo ]; then
|
||||||
|
+ echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
|
||||||
|
+ exit
|
||||||
|
+ fi
|
||||||
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
|
+ if [ ! -z "$DEHYDRATED_GROUP" ]; then
|
||||||
+ group="-g $DEHYDRATED_GROUP"
|
+ group="-g $DEHYDRATED_GROUP"
|
||||||
+ fi
|
+ fi
|
||||||
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
|
+ echo "# INFO: Running $0 as $DEHYDRATED_USER"
|
||||||
+ su -c "$0" $group "$DEHYDRATED_USER"
|
+ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
|
||||||
+ exit
|
+ exit
|
||||||
+ fi
|
+ fi
|
||||||
+
|
+
|
||||||
@ -62,5 +81,5 @@ index 1b1b3d8..9a890f4 100644
|
|||||||
# supported values: 4, 6
|
# supported values: 4, 6
|
||||||
# default: <unset>
|
# default: <unset>
|
||||||
--
|
--
|
||||||
2.12.3
|
2.14.1
|
||||||
|
|
||||||
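Review bot: The re-exec line `$sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS` in the `@@ -159,6 +163,24 @@` hunk does not deliver the "safe handling of arguments" the commit message promises, because `ORIGARGS="$@"` in the `@@ -22,6 +22,8 @@` hunk joins the arguments into one string and the unquoted `$ORIGARGS` re-splits and globs them; `ORIGARGS=("$@")` and `"${ORIGARGS[@]}"` keep each argument intact. The sudo lookup is also fragile: if the surrounding script runs under `set -e` (the `${CONFIG:-}` idiom nearby suggests it does, unconfirmed here) a missing sudo makes `sudo=`command -v sudo`` abort before the "Please install sudo" message is ever printed, that message goes to stdout, and the following bare `exit` reports success. The `exit` after the sudo call likewise discards the child's status, so a cron chain such as `dehydrated --cron && hooks` would run the hooks even when the re-launched dehydrated failed; `exec` passes the status through. `load_config()` starts and ends outside these hunks, so the `$group` handling is left as-is below.
```shell
# … unchanged: root check on DEHYDRATED_USER / EUID …
  sudo=$(command -v sudo || true)
  if [[ -z "$sudo" ]]; then
    echo "DEHYDRATED_USER set but sudo not available. Please install sudo." >&2
    exit 1
  fi
# … unchanged: DEHYDRATED_GROUP handling …
  echo "# INFO: Running $0 as $DEHYDRATED_USER"
  # exec: the re-launched dehydrated's exit status becomes ours
  exec "$sudo" -u "$DEHYDRATED_USER" $group "$0" "${ORIGARGS[@]}"
```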
|
@ -1,3 +1,44 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de
|
||||||
|
|
||||||
|
- revert accidental change to the service file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 20 10:55:26 UTC 2017 - mrueckert@suse.de
|
||||||
|
|
||||||
|
- actually try to find the real path to bash and don't hardcode
|
||||||
|
/usr/bin/bash
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 19 08:11:20 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Use /usr/bin/bash directly, rather than via env
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 18 16:42:31 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Use sudo instead of su to allow for argument handling, also
|
||||||
|
works in all cases when no login shell is assigned to the
|
||||||
|
dehydrated user
|
||||||
|
* updates 0001-Add-optional-user-and-group-configuration.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 17 14:46:16 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Commands in service files need some escaping after all. Fix ExecStartPost.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 16 09:27:28 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- In the timer service, execute root post run hooks in ExecStartPost
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 16 04:43:22 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
- Fix run of root hooks
|
||||||
|
|
||||||
|
- Simplify root hook execution, this is also more robust
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
|
Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
|
||||||
|
|
||||||
|
@ -2,4 +2,4 @@ SHELL=/bin/sh
|
|||||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
MAILTO=root
|
MAILTO=root
|
||||||
|
|
||||||
25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;
|
25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
|
||||||
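Review bot: The new cron line `find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;` runs every hook as root but never surfaces a failing hook: with `-exec … \;` find's own exit status stays 0 whatever the hook returns, so MAILTO=root only learns about failures if the hook itself prints to stderr. The same applies to the `ExecStartPost=-/usr/bin/find …` line in the service file, where the leading `-` additionally tells systemd to ignore the status. `-L` also follows symlinks, so whatever can write into @POSTRUNHOOKS_DIR@ decides what runs as root; the directory is a build-time placeholder here, so its ownership and mode cannot be checked from this diff but deserve a comment in the spec, e.g. `# hooks dir must be root-owned and not writable by the dehydrated user`.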
|
@ -6,7 +6,7 @@ Wants=acmeresponder.socket
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
|
ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
|
||||||
ExecStart=/usr/bin/dehydrated --cron
|
ExecStart=/usr/bin/dehydrated --cron
|
||||||
|
|
||||||
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
|
# dehydrated --cron will drop permissions and run critical code as dehydrated user.
|
||||||
|
@ -72,6 +72,7 @@ BuildRequires: %{_apache}
|
|||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
Requires: curl
|
Requires: curl
|
||||||
Requires: openssl
|
Requires: openssl
|
||||||
|
Requires: sudo
|
||||||
Requires(pre): %{_bindir}/getent
|
Requires(pre): %{_bindir}/getent
|
||||||
Requires(pre): %{_sbindir}/groupadd
|
Requires(pre): %{_sbindir}/groupadd
|
||||||
Requires(pre): %{_sbindir}/useradd
|
Requires(pre): %{_sbindir}/useradd
|
||||||
@ -205,6 +206,9 @@ mkdir -p %{buildroot}%{_postrunhooks}
|
|||||||
|
|
||||||
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
|
||||||
|
|
||||||
|
# Silence E: env-script-interpreter
|
||||||
|
find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;
|
||||||
|
|
||||||
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
|
||||||
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
install -m 0644 docs/examples/* %{buildroot}%{_home}
|
||||||
install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
|
install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
|
||||||
|
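Review bot: The shebang rewrite `sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g"` is not anchored to line 1 and uses the `g` flag, so it rewrites the string wherever it occurs in any matched `*.sh` file or in `dehydrated`, including inside documentation or code comments; `1s,^#!/usr/bin/env bash$,#!$(command -v bash),` limits it to an actual shebang. The `$(command -v bash)` is resolved at build time, which is what the changelog entry intends, but a one-line comment saying so would spare the next reader from wondering why it is not `%{_bindir}/bash`.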