Accepting request 531761 from home:dmolkentin:branches:security:dehydrated

- Remove unused hooks directory
- Introduced a directory for custom post-run hooks executed as root,
  see README.SUSE for details. (not to be confused with the native hooks
  run as dehyrated user)

- Clarify necessity of enabling dehydrated.timer in README.SUSE
- Submit to SLE15 as per fate#323377
- Add optional post run hook directory, executed by cron/systemd
  after dehydrated --cron has run
- Remove hook directory intended for packaging other native hooks.
  Will be approach differently

OBS-URL: https://build.opensuse.org/request/show/531761
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=13

README.SUSE

@@ -7,16 +7,32 @@ certificates (aka SSL Certificates) as simple as possible, while still being
 useful in a broad amount of use cases. Please consult the dehydrated man page,
 then continue reading here.
 
-Aqcuisition through HTTP (http-01)
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+IMPORTANT: On systemd-enabled system (SLE12+), you need to enable the update
+timer, which has obsoleted the cron job. This is independent on which method
+you chose from below!
+
+# systemctl enable dehydrated.timer
+
+Also note that with the systemd timer, failures will not be mailed to the
+system administrator, but are being logged to the systemd journal, as per
+systemd's design philosophy.
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Acquisition through HTTP (http-01)
 ===================================
 
-This is the primary method of acquiring certifictes.
+This is the primary method of acquiring certifictes. The Certificate Authority
+will provide a challenge that the requestor needs to provide via HTTP on port 80/TCP,
+in /.well-known/acme-challenge/.
 
 Setting up the acme-challenge auto-responder
 --------------------------------------------
 
-Apache
+Apache (easiest)
-~~~~~~
+~~~~~~~~~~~~~~~~
 
 If you are using Apache, just install dehydrated-apache2 and reload Apache.
 This will take care of setting up the acme-challenge auto-responder.
@@ -57,11 +73,11 @@ Machines without a webserver
 
 On machines that are not running any web server, e.g. mail relays, you can run
 apache2 with dehydrated-apache2. If you do not want to run any web server on a
-system with systemd, you can use dehydrated-acmeresponder, a small socket
+system with systemd permnently, you can use dehydrated-acmeresponder. This is a
-activated server. Once installed, it will automatically listen on port 80
+small socket activated server. Once installed, it will automatically listen on
-whenever the dehydrated cron job seeks renewal, assuming no other server is
+port 80 whenever the dehydrated cron job seeks renewal, assuming no other
-currently occupying the port. It will also shut down once the timer has
+server is currently occupying the port. It will also shut down once the timer
-finished execution.
+has finished execution.
 
 Acquisition of initial certificate
 ----------------------------------
@@ -107,7 +123,7 @@ Ansible or Salt. For details, please refer to dns-verification.md. For
 openSUSE, the python-dns-lexicon package provides hooks into many DNS providers
 and DNS servers.
 
-Proceeding After initial certificate Aquisition
+Proceeding after initial certificate aquisition
 ===============================================
 
 Setting up the SSL host
@@ -129,10 +145,13 @@ Limitations & Ceveats
 
 * It is currently not possible to aqcuire Wildcard certificates
 * No EV- or OV-validated certificates
-* Certificates expire within weeks, not years, this is by design. Ensure that
+* Certificates expire within weeks, not years. This is by design. Ensure that
   certificate renewal works and that daemons get reloaded frequently to pick
-  up certificate updates (This is currently not automated on the dehydrated end,
+  up certificate updates. Apache will work due to log rotation SIGHUP'ing
-  however Apache will reload every night due to log rotation).
+  the process frequently. However, any other actions, such as service reloads
+  need to be provided as a script in /etc/dehydrated/postrun-hooks.d, which
+  will be executed by the cron script / systemd timer *after* an update run
+  has been performed.
 
 Links
 =====

README.hooks

@@ -0,0 +1,4 @@
+Dehydrated's hooks only run as user dehydrated. To circumvent this limitation,
+i.e. when services need to be restarted, all executable files in this directory
+will be executed as root after the certificate update has run.
+

dehydrated.changes

@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Thu Oct  5 13:36:39 UTC 2017 - daniel.molkentin@suse.com
+
+- Remove unused hooks directory
+
+- Introduced a directory for custom post-run hooks executed as root,
+  see README.SUSE for details. (not to be confused with the native hooks
+  run as dehyrated user)
+
+-------------------------------------------------------------------
+Fri Sep 29 15:14:29 UTC 2017 - daniel.molkentin@suse.com
+
+- Clarify necessity of enabling dehydrated.timer in README.SUSE
+
+- Submit to SLE15 as per fate#323377
+
+- Add optional post run hook directory, executed by cron/systemd
+  after dehydrated --cron has run
+
+- Remove hook directory intended for packaging other native hooks.
+  Will be approach differently
+
 -------------------------------------------------------------------
 Wed Sep 27 10:09:16 UTC 2017 - daniel.molkentin@suse.com
 

dehydrated.cron.in

@@ -2,4 +2,4 @@ SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 MAILTO=root
 
-25 3 * * *   @USER@    test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron
+25 3 * * *   root    test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;

dehydrated.service.in

@@ -6,7 +6,9 @@ Wants=acmeresponder.socket
 
 [Service]
 Type=oneshot
+ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;'
 ExecStart=/usr/bin/dehydrated --cron
 
-User=@USER@
+# dehydrated --cron will drop permissions and run critical code as dehydrated user.
-Group=@USER@
+User=root
+Group=root

dehydrated.spec

@@ -19,6 +19,7 @@
 %define _challengedir %{_localstatedir}/lib/acme-challenge
 %define _user         dehydrated
 %define _home         %{_sysconfdir}/dehydrated
+%define _postrunhooks %{_home}/postrun-hooks.d
 
 %if 0%{?suse_version} > 1230
 %define  _lock_dir /run/dehydrated
@@ -28,7 +29,7 @@
 %bcond_with    systemd
 %endif
 
-%if %{defined is_opensuse} || %{defined fedora}
+%if 0%{?is_opensuse} || %{defined fedora}
 %bcond_without nginx
 %bcond_without lighttpd
 %else
@@ -62,6 +63,7 @@ Source7:        dehydrated.timer
 Source8:        dehydrated.1
 Source9:        README.SUSE
 Source10:       README.Fedora
+Source11:       README.hooks
 # Patch submitted to  upstream
 Patch1:         0001-Add-optional-user-and-group-configuration.patch
 # Patch from upstream
@@ -199,12 +201,13 @@ mkdir -p %{buildroot}%{_home}/{accounts,certs}
 mkdir -p %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
-mkdir -p %{buildroot}%{_home}/hooks # used by hook packages
+mkdir -p %{buildroot}%{_postrunhooks}
 
 cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
+install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}
 install -m 0755 -d %{buildroot}%{_bindir}
 install -m 0755 dehydrated %{buildroot}%{_bindir}
 install -m 0755 -d %{buildroot}%{_challengedir}
@@ -227,10 +230,10 @@ install -m 0644 acme-challenge %{buildroot}%{_sysconfdir}/lighttpd/conf.d
 
 %if %{with systemd}
 install -D    -m 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
-sed "s,@USER@,%{_user},g" %{SOURCE6} > dehydrated.service
 # Use timer
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE6} > dehydrated.service
 install -D -m 644 dehydrated.service  %{buildroot}%{_unitdir}/dehydrated.service
-install -D -m 644 %{SOURCE7}                     %{buildroot}%{_unitdir}/dehydrated.timer
+install -D -m 644 %{SOURCE7}          %{buildroot}%{_unitdir}/dehydrated.timer
 %if 0%{?suse_version}
 ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 %endif
@@ -238,7 +241,7 @@ ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcdehydrated
 install -D -d -m 0750 %{buildroot}%{_lock_dir}
 # Use cron
 install -m 0755 -d %{buildroot}%{_sysconfdir}/cron.d
-sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
+sed "s,@POSTRUNHOOKS_DIR@,%{_postrunhooks},g" %{SOURCE4} > dehydrated.cron
 install -m 0644 dehydrated.cron %{buildroot}%{_sysconfdir}/cron.d/dehydrated
 %endif #with systemd
 
@@ -259,7 +262,8 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/config.d
 %config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
 %config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
-%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hooks
+%dir %attr(750,root,%{_user}) %{_postrunhooks}
+%config(noreplace) %attr(640,root,%{_user}) %{_postrunhooks}/README.hooks
 %{_bindir}/dehydrated
 %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
 %{_mandir}/man1/*