From 9661aea8f5533780ede7ccb9bb570aae9fefe2d041d65e5ce029a0cd169bf09a Mon Sep 17 00:00:00 2001 From: Matthias Gerstner Date: Thu, 11 May 2017 15:15:35 +0000 Subject: [PATCH] - create tss user account and install udev rule to fix startup of resourcemgr (bnc#1038586) OBS-URL: https://build.opensuse.org/package/show/security/tpm2-0-tss?expand=0&rev=41 --- tpm2-0-tss.changes | 6 ++++++ tpm2-0-tss.spec | 29 +++++++++++++++++++++++++++-- 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/tpm2-0-tss.changes b/tpm2-0-tss.changes index b4cc3d8..0c14825 100644 --- a/tpm2-0-tss.changes +++ b/tpm2-0-tss.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu May 11 15:13:49 UTC 2017 - matthias.gerstner@suse.com + +- create tss user account and install udev rule to fix startup of resourcemgr + (bnc#1038586) + ------------------------------------------------------------------- Wed May 10 13:33:16 CEST 2017 - mgerstner@suse.com diff --git a/tpm2-0-tss.spec b/tpm2-0-tss.spec index ada0370..c7b241f 100644 --- a/tpm2-0-tss.spec +++ b/tpm2-0-tss.spec @@ -36,7 +36,10 @@ Requires(pre): pwdutils BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -The tpm2-0-tss package provides a TPM 2.0 TSS implementation. +The tpm2-0-tss package provides a TPM 2.0 TSS implementation. This +implementation is developed by INTEL. Note that the current resource manager +imiplementation is considered deprecated (a prototype, probably buggy and +insecure) by its developers. %package devel Summary: Development headers for the Intel TSS library for TPM 2.0 chips @@ -92,6 +95,7 @@ find %{buildroot} -type f -name "*.la" -delete -print install -D -m 0644 contrib/resourcemgr.service %{buildroot}/%{_unitdir}/resourcemgr.service sed -e 's#usr/local/sbin/#usr/sbin/#;' -i %{buildroot}/%{_unitdir}/resourcemgr.service ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr +install -D -m 0644 contrib/tpm-udev.rules %{buildroot}%{_udevrulesdir}/tpm-udev.rules %post -n libsapi0 -p /sbin/ldconfig %postun -n libsapi0 -p /sbin/ldconfig @@ -101,6 +105,26 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %postun -n libtcti-socket0 -p /sbin/ldconfig %pre +# the same user is employed by trousers: +# +# trousers just needs those accounts for dropping privileges to. The service +# starts as root and uses set*id to drop to tss, after the tpm device has been +# opened. +# +# resourcemgr has no set*id handling and thus requires /dev/tpm to be owned +# by the tss user. Therefore we also need to install a udev rule file. +# +# trousers was here first and created the user like this, also giving it a +# home in /var/lib/tpm. I don't think the home directory is used by any of +# both packages ATM. Trousers is keeping state there, but the directory is +# owned by root and files are opened before dropping privileges. The passwd +# entry seems not to be evaluated. +# +# so I guess we can share the account between the two packages for now. +%_bindir/getent group tss >/dev/null || %{_sbindir}/groupadd -g 98 tss || : +%_bindir/getent passwd tss >/dev/null || \ + %{_sbindir}/useradd -u 98 -o -g tss -s /bin/false -c "TSS daemon" \ + -d %{_localstatedir}/lib/tpm tss || : %service_add_pre resourcemgr.service %post @@ -118,6 +142,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %{_sbindir}/resourcemgr /%{_unitdir}/resourcemgr.service %{_sbindir}/rcresourcemgr +%{_udevrulesdir}/tpm-udev.rules %files devel %defattr(-,root,root) @@ -126,7 +151,7 @@ ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcresourcemgr %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc ##only available in static form -#%{_libdir}/libtddl.a +#%%{_libdir}/libtddl.a %files -n libsapi0 %defattr(-,root,root)