From 00388c2150008aacae371d9d66d8b895a195b977148a555c7b97207c74735334 Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Fri, 31 Jan 2020 14:16:21 +0000 Subject: [PATCH] Accepting request 769062 from home:michals - Use system-users for tss user creation (boo#1162360). OBS-URL: https://build.opensuse.org/request/show/769062 OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=92 --- tpm2-0-tss.changes | 5 +++++ tpm2-0-tss.spec | 40 ++++++++++++++++------------------------ 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index 84b75a2..ccefaf5 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jan 31 11:51:03 UTC 2020 - Michal Suchanek + +- Use system-users for tss user creation (boo#1162360). + ------------------------------------------------------------------- Fri Jan 24 14:13:01 UTC 2020 - Dominique Leuenberger diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index 47bdccd..3e0a5c8 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec 
@@ -31,7 +31,22 @@ BuildRequires: libgcrypt-devel BuildRequires: libopenssl-devel BuildRequires: pkg-config BuildRequires: pkgconfig(udev) -Requires(pre): shadow +# The same user is employed by trousers (and was employed by the old +# resourcemgr shipped with the tpm2-0-tss package): +# +# trousers just needs those accounts for dropping privileges to. The service +# starts as root and uses set*id to drop to tss, after the tpm device has been +# opened. +# +# tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned +# by the tss user. Therefore we also need to install a udev rule file. +# +# trousers was here first and created the user like this, also giving it a +# home in /var/lib/tpm. I don't think the home directory is used by either of +# the packages ATM. Trousers is keeping state there, but the directory is +# owned by root and files are opened before dropping privileges. The passwd +# entry seems not to be evaluated. +Requires: user(tss) BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
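Review bot: `Requires: user(tss)` is a plain runtime dependency, but the account must exist before this package's own files are laid down if anything in %files is owned by tss or the udev rule mentioned in the comment hands /dev/tpm to that user; a plain Requires does not guarantee that the provider of user(tss) is installed first within one transaction, and rpm silently falls back to root ownership for an unknown user. Unless no file or scriptlet depends on the account, this should be `Requires(pre): user(tss)`, mirroring the `Requires(pre): shadow` it replaces. Separately, the relocated comment still says trousers "created the user like this", but the groupadd/useradd lines it pointed at no longer exist in this file; state where the account is now defined and that it keeps uid/gid 98 and home /var/lib/tpm, since those values are what the rest of the comment relies on.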
@@ -126,29 +141,6 @@ protocol exposed by the Microsoft software TPM2 simulator. %prep %setup -q -n tpm2-tss-%{version} -%pre -# the same user is employed by trousers (and was employed by the old -# resourcemgr shipped with the tpm2-0-tss package): -# -# trousers just needs those accounts for dropping privileges to. The service -# starts as root and uses set*id to drop to tss, after the tpm device has been -# opened. -# -# tpm2-abrmd has no set*id handling and thus requires /dev/tpm to be owned -# by the tss user. Therefore we also need to install a udev rule file. -# -# trousers was here first and created the user like this, also giving it a -# home in /var/lib/tpm. I don't think the home directory is used by any of -# both packages ATM. Trousers is keeping state there, but the directory is -# owned by root and files are opened before dropping privileges. The passwd -# entry seems not to be evaluated. -# -# so I guess we can share the account between the two packages for now. -%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss -%_bindir/getent passwd tss >/dev/null || \ - %{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \ - -d %{_localstatedir}/lib/tpm tss - %build %configure --disable-static --with-udevrulesdir=%{_udevrulesdir} make %{?_smp_mflags} PTHREAD_LDFLAGS=-pthread
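Review bot: the removed %pre pinned the account to uid/gid 98 (`groupadd -g 98 tss`, `useradd -u 98 -o -g tss ... -d %{_localstatedir}/lib/tpm tss`), and nothing in this patch shows that the new user(tss) provider reproduces those values. If the system-users definition allocates a different id, installs upgraded from this scriptlet will have files under /var/lib/tpm and the /dev/tpm ownership set by the udev rule tied to the old numeric id while the passwd entry resolves to a new one. Please confirm in the change or the spec comment that the system-user package declares uid/gid 98, shell /bin/false and home /var/lib/tpm so the two definitions are interchangeable on upgrade.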