- create tss user account and install udev rule to fix startup of resourcemgr

(bnc#1038586) OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=41
2017-05-11 15:15:35 +00:00 · 2017-05-11 15:15:35 +00:00 · 9661aea8f5
commit 9661aea8f5
parent f8154f343e
2 changed files with 33 additions and 2 deletions
--- a/tpm2-0-tss.changes
+++ b/tpm2-0-tss.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu May 11 15:13:49 UTC 2017 - matthias.gerstner@suse.com
+
+- create tss user account and install udev rule to fix startup of resourcemgr
+  (bnc#1038586)
+
 -------------------------------------------------------------------
 Wed May 10 13:33:16 CEST 2017 - mgerstner@suse.com

--- a/tpm2-0-tss.spec
+++ b/tpm2-0-tss.spec
@ -36,7 +36,10 @@ Requires(pre):  pwdutils
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
-The tpm2-0-tss package provides a TPM 2.0 TSS implementation.
+The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This
+implementation is developed by INTEL. Note that the current resource manager
+imiplementation is considered deprecated (a prototype, probably buggy and
+insecure) by its developers.

 %package devel
 Summary:        Development headers for the Intel TSS library for TPM 2.0 chips
@ -92,6 +95,7 @@ find %{buildroot} -type f -name "*.la" -delete -print
 install -D -m 0644 contrib/resourcemgr.service %{buildroot}/%{_unitdir}/resourcemgr.service
 sed -e 's#usr/local/sbin/#usr/sbin/#;' -i %{buildroot}/%{_unitdir}/resourcemgr.service
 ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
+install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/tpm-udev.rules

 %post -n libsapi0 -p /sbin/ldconfig
 %postun -n libsapi0 -p /sbin/ldconfig
@ -101,6 +105,26 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %postun -n libtcti-socket0 -p /sbin/ldconfig

 %pre
+# the same user is employed by trousers:
+#
+# trousers just needs those accounts for dropping privileges to. The service
+# starts as root and uses set*id to drop to tss, after the tpm device has been
+# opened.
+#
+# resourcemgr has no set*id handling and thus requires /dev/tpm to be owned
+# by the tss user. Therefore we also need to install a udev rule file.
+#
+# trousers was here first and created the user like this, also giving it a
+# home in /var/lib/tpm. I don't think the home directory is used by any of
+# both packages ATM. Trousers is keeping state there, but the directory is
+# owned by root and files are opened before dropping privileges. The passwd
+# entry seems not to be evaluated.
+#
+# so I guess we can share the account between the two packages for now.
+%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss || :
+%_bindir/getent passwd tss >/dev/null || \
+	%{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \
+	-d %{_localstatedir}/lib/tpm tss || :
 %service_add_pre resourcemgr.service

 %post
@ -118,6 +142,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %{_sbindir}/resourcemgr
 /%{_unitdir}/resourcemgr.service
 %{_sbindir}/rcresourcemgr
+%{_udevrulesdir}/tpm-udev.rules

 %files devel
 %defattr(-,root,root)
@ -126,7 +151,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc
 ##only available in static form
-#%{_libdir}/libtddl.a
+#%%{_libdir}/libtddl.a

 %files -n libsapi0
 %defattr(-,root,root)