From 5628f7872ce5aebe5ec10eddc70bed1875cc2fdcdb0e9a27168a785c5d1637f1 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger <dleuenberger@suse.com>
Date: Mon, 13 Feb 2017 06:49:05 +0000
Subject: [PATCH] Accepting request 455792 from security:dehydrated

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/455792
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/dehydrated?expand=0&rev=2
---
 acme-challenge.conf.lighttpd.in |   4 +
 dehydrated.changes              |  63 ++++++++++++++
 dehydrated.spec                 | 142 +++++++++++++++++++++++++-------
 dehydrated.tmpfiles.d           |   2 +
 4 files changed, 182 insertions(+), 29 deletions(-)
 create mode 100644 acme-challenge.conf.lighttpd.in
 create mode 100644 dehydrated.tmpfiles.d

diff --git a/acme-challenge.conf.lighttpd.in b/acme-challenge.conf.lighttpd.in
new file mode 100644
index 0000000..9cb48fc
--- /dev/null
+++ b/acme-challenge.conf.lighttpd.in
@@ -0,0 +1,4 @@
+server.modules += ("alias")
+alias.url += (
+ "/.well-known/acme-challenge/" => "@CHALLENGEDIR@",
+)
diff --git a/dehydrated.changes b/dehydrated.changes
index 90d2e22..643c0f0 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,66 @@
+-------------------------------------------------------------------
+Thu Feb  2 15:04:16 UTC 2017 - daniel.molkentin@suse.com
+
+- More dependency fixes 
+
+-------------------------------------------------------------------
+Thu Feb  2 13:59:16 UTC 2017 - daniel.molkentin@suse.com
+
+- Make nginx and lighttpd packages into features
+  Default-disable them on distros where we cannot provide a dependency.
+
+-------------------------------------------------------------------
+Thu Feb  2 12:32:20 UTC 2017 - daniel.molkentin@suse.com
+
+- Fix build on Fedora
+
+-------------------------------------------------------------------
+Thu Feb  2 11:03:43 UTC 2017 - mrueckert@suse.de
+
+- make permissions of the lighty and nginx config files tighter
+
+-------------------------------------------------------------------
+Thu Feb  2 10:56:58 UTC 2017 - mrueckert@suse.de
+
+- only own the configuration files and not the whole directory tree
+  - add BR for nginx, lighttpd, apache2 to handle directory
+    ownership
+
+-------------------------------------------------------------------
+Thu Jan 12 10:24:20 UTC 2017 - mrueckert@suse.de
+
+- with making the permissions more tight ... dehydrated can not
+  write its lock file anymore to /etc/dehydrated. To fix this we
+  now create /var/run/dehydrated (sysvinit) or /run/dehydrated
+  (systemd) and point the lock file in the default config to that
+  directory.
+
+  Please adapt your local config files accordingly.
+
+-------------------------------------------------------------------
+Thu Jan 12 09:53:06 UTC 2017 - mrueckert@suse.de
+
+- change permissions of /etc/dehydrated to:
+  root:dehydrated u=rwx,g=rx,o=
+- create the subdirs that dehydrated would create later anyway:
+  /etc/dehydrated/accounts
+  /etc/dehydrated/certs
+  dehydrated::dehydrated u=rwx,go=
+- tighten up permissions on
+  /etc/dehydrated/config
+  /etc/dehydrated/domain.txt
+
+  root:root u=rw,go=r -> root:dehydrated u=rw,g=r,o=
+
+  /etc/dehydrated/hook.sh
+
+  root:root u=rw,go=r -> root:dehydrated u=rwx,g=rx,o=
+
+-------------------------------------------------------------------
+Wed Nov 23 02:20:53 UTC 2016 - daniel@molkentin.de
+
+- Add lighttpd configuration via dehydrated-lighttpd 
+
 -------------------------------------------------------------------
 Mon Nov 14 09:26:41 UTC 2016 - jengelh@inai.de
 
diff --git a/dehydrated.spec b/dehydrated.spec
index 3e56470..c1eb8a6 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package dehydrated
 #
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,6 +15,7 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
 # See also http://en.opensuse.org/openSUSE:Specfile_guidelines
 
 %if 0%{?suse_version}
@@ -26,6 +27,24 @@
 %define _user         dehydrated
 %define _home         /etc/dehydrated
 
+%if 0%{?suse_version} > 1230
+%bcond_without systemd
+%define  _lock_dir /run/dehydrated
+%else
+%bcond_with    systemd
+%define  _lock_dir /var/run/dehydrated
+%endif
+
+%if (0%{?suse_version} < 1200 && !0%{?is_opensuse}) || 0%{?centos_version} || 0%{?rhel_version}
+%bcond_with nginx
+%bcond_with lighttpd
+%else
+%bcond_without nginx
+%bcond_without lighttpd
+%endif
+
+%{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d }
+
 Name:           dehydrated
 Version:        0.3.1
 Release:        0
@@ -36,10 +55,23 @@ Url:            https://github.com/lukas2511/dehydrated
 Source0:        %{name}-%{version}.tar.gz
 Source1:        acme-challenge.conf.in
 Source2:        acme-challenge.in
-Source3:        dehydrated.cron.in
+Source3:        acme-challenge.conf.lighttpd.in
+Source4:        dehydrated.cron.in
+Source5:        dehydrated.tmpfiles.d
+BuildRequires:  %{_apache}
+%if %{with lighttpd}
+BuildRequires:  lighttpd
+%endif
+%if %{with nginx}
+BuildRequires:  nginx
+%endif
+%if 0%{?fedora_version}
+BuildRequires:  generic-logos
+BuildRequires:  generic-logos-httpd
+%endif
+Requires:       coreutils
 Requires:       curl
 Requires:       openssl
-Requires:       coreutils
 %if 0%{?suse_version}
 Requires:       cron
 %endif
@@ -50,11 +82,15 @@ Requires(pre):  /usr/bin/getent
 %if 0%{?suse_version} >= 1230
 BuildRequires:  shadow
 %endif
+%if %{with systemd}
+BuildRequires:  pkgconfig(systemd)
+%{?systemd_requires}
+%endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 
-Obsoletes: letsencrypt.sh < %{version}
-Provides: letsencrypt.sh = %{version}
+Obsoletes:      letsencrypt.sh < %{version}
+Provides:       letsencrypt.sh = %{version}
 
 %description
 This is a client for signing certificates with an ACME server
@@ -75,31 +111,42 @@ Current features:
 * Certificate revocation
 
 %package %{_apache}
-Group:    Productivity/Networking/Security
-License:  MIT
-Requires: %{name}
-Requires: %{_apache}
+Requires:       %{_apache}
+Requires:       %{name}
 %if ! 0%{?suse_version}
-Requires: mod_ssl
+Requires:       mod_ssl
 %endif
-Obsoletes: letsencrypt.sh-%{_apache} < %{version}
-Provides: letsencrypt.sh-%{_apache} = %{version}
-Summary: Apache Integration for dehydrated
+Obsoletes:      letsencrypt.sh-%{_apache} < %{version}
+Provides:       letsencrypt.sh-%{_apache} = %{version}
+Summary:        Apache Integration for dehydrated
+Group:          Productivity/Networking/Security
 
 %description %{_apache}
 This adds a configuration file for dehydrated's acme-challenge to Apache.
 
+%if %{with nginx}
 %package nginx
-Group:    Productivity/Networking/Security
-License:  MIT
-Requires: %{name}
-Requires: nginx
-Obsoletes: letsencrypt.sh-nginx < %{version}
-Provides: letsencrypt.sh-nginx = %{version}
-Summary: Nginx Integration for dehydrated
+Requires:       %{name}
+Requires:       nginx
+Obsoletes:      letsencrypt.sh-nginx < %{version}
+Provides:       letsencrypt.sh-nginx = %{version}
+Summary:        Nginx Integration for dehydrated
+Group:          Productivity/Networking/Security
 
 %description nginx
 This adds a configuration file for dehydrated's acme-challenge to nginx.
+%endif #with nginx
+
+%if %{with lighttpd}
+%package lighttpd
+Requires:       %{name}
+Requires:       lighttpd
+Summary:        Lighttpd Integration for dehydrated
+Group:          Productivity/Networking/Security
+
+%description lighttpd
+This adds a configuration file for dehydrated's acme-challenge to lighttpd.
+%endif #with lighttpd 
 
 %pre
 getent group %{_user} >/dev/null || /usr/sbin/groupadd -r %{_user}
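Review bot: The `%endif #with nginx` and `%endif #with lighttpd` lines put free text after a conditional directive rather than in a comment position; rpm tolerates it today, but as far as I recall recent rpm releases emit an "extra tokens at the end of %endif directive" warning for exactly this form, and the same pattern recurs in the later %install and %files hunk. Moving the marker to its own line, `%endif` followed by `# with nginx`, keeps the intent without the warning. The `#with lighttpd ` line also carries a trailing space.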
@@ -108,6 +155,11 @@ getent passwd %{_user} >/dev/null || /usr/sbin/useradd -g %{_user} \
 if [ -d /etc/letsencrypt.sh ]; then mv /etc/letsencrypt.sh /etc/dehydrated; chown -R %{_user} /etc/dehydrated; fi
 if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehydrated/config; fi
 
+%if %{with systemd}
+%post
+systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
+%endif
+
 %prep
 %setup -q
 
@@ -115,7 +167,7 @@ if [ -e /etc/dehydrated/config.sh ]; then mv /etc/dehydrated/config.sh /etc/dehy
 
 %install
 # sensitive keys
-mkdir -p %{buildroot}%{_home}
+mkdir -p %{buildroot}%{_home}/{accounts,certs}
 
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
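Review bot: `mkdir -p %{buildroot}%{_home}/{accounts,certs}` depends on brace expansion, which is a bash extension; rpm runs %install under /bin/sh, so on a build host whose /bin/sh is not bash this would create one literal `{accounts,certs}` directory and the `%dir` entries for accounts and certs would then fail at packaging time. On the distributions this spec targets /bin/sh is bash, so it works, but spelling the paths out removes the dependency at no cost: `mkdir -p %{buildroot}%{_home}/accounts %{buildroot}%{_home}/certs`. The %install section continues past the end of the hunk.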
@@ -126,31 +178,63 @@ install -m 0755 -d %{buildroot}%{_challengedir}
 install -m 0755 -d %{buildroot}/etc/%{_apache}/conf.d
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE1} > acme-challenge.conf
 install -m 0644 acme-challenge.conf %{buildroot}/etc/%{_apache}/conf.d
+
+%if %{with nginx}
 install -m 0755 -d %{buildroot}/etc/nginx
 sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE2} > acme-challenge
 install -m 0644 acme-challenge %{buildroot}/etc/nginx
+%endif #with nginx
+
+%if %{with lighttpd}
+install -m 0755 -d %{buildroot}/etc/lighttpd/conf.d
+sed "s,@CHALLENGEDIR@,%{_challengedir},g" %{SOURCE3} > acme-challenge
+install -m 0644 acme-challenge %{buildroot}/etc/lighttpd/conf.d
+%endif #with lighttpd
+
 install -m 0755 -d %{buildroot}/etc/cron.d
-sed "s,@USER@,%{_user},g" %{SOURCE3} > dehydrated.cron
+sed "s,@USER@,%{_user},g" %{SOURCE4} > dehydrated.cron
 install -m 0644 dehydrated.cron %{buildroot}/etc/cron.d/dehydrated
+%if %{with systemd}
+install -D    -m 0644 %{S:5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+%else
+install -D -d -m 0750 %{buildroot}%{_lock_dir}
+%endif
+perl -p -i -e 's|#LOCKFILE="\${BASEDIR}/lock"|LOCKFILE="%{_lock_dir}/lock"|' %{buildroot}%{_home}/config
+diff -urN docs/examples/config %{buildroot}%{_home}/config ||:
 
 %files
 %defattr(-,root,root)
-%attr(750,%{_user},root) %dir %{_sysconfdir}/dehydrated
-%config %{_sysconfdir}/dehydrated/config
-%config %{_sysconfdir}/dehydrated/domains.txt
-%config %{_sysconfdir}/dehydrated/hook.sh
+%attr(750,root,%{_user}) %dir %{_sysconfdir}/dehydrated
+%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/accounts
+%attr(700,%{_user},%{_user}) %dir %{_sysconfdir}/dehydrated/certs
+%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/config
+%config(noreplace) %attr(640,root,%{_user}) %{_sysconfdir}/dehydrated/domains.txt
+%config(noreplace) %attr(750,root,%{_user}) %{_sysconfdir}/dehydrated/hook.sh
 %config %{_sysconfdir}/cron.d/dehydrated
 %{_bindir}/dehydrated
 %attr(-,%{_user},root) %dir %{_localstatedir}/lib/acme-challenge
 %doc LICENSE README.md docs/*.md docs/*.jpg
+%if %{with systemd}
+%{_tmpfilesdir}/%{name}.conf
+%ghost %attr(700,%{_user},%{_user}) %dir %{_lock_dir}
+%else
+%attr(700,%{_user},%{_user}) %dir %{_lock_dir}
+%endif
 
 %files %{_apache}
 %defattr(-,root,root,-)
-%config %{_sysconfdir}/%{_apache}
+%config %{_sysconfdir}/%{_apache}/conf.d/acme-challenge.conf
 
+%if %{with nginx}
 %files nginx
 %defattr(-,root,root,-)
-%config %{_sysconfdir}/nginx
+%config %attr(640,root,nginx) %{_sysconfdir}/nginx/acme-challenge
+%endif #with nginx
+
+%if %{with lighttpd}
+%files lighttpd
+%defattr(-,root,root,-)
+%config %attr(640,root,lighttpd) %{_sysconfdir}/lighttpd/conf.d/acme-challenge
+%endif #with lighttpd
 
 %changelog
-
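Review bot: The tightened `%attr(640,root,%{_user})` / `%attr(750,root,%{_user})` on config, domains.txt and hook.sh only apply to files rpm actually writes; now that they are `%config(noreplace)`, an on-disk file that differs from the packaged one is kept as-is, ownership and mode included, and the new copy lands as `.rpmnew`. Since %pre (context in the earlier hunk) still runs `chown -R %{_user} /etc/dehydrated` when migrating an /etc/letsencrypt.sh tree, and the packaged config always differs after the LOCKFILE rewrite, a migrated install appears to keep config and hook.sh owned and writable by the service user — the situation the root-owned layout is meant to rule out — and as far as I can see nothing in the commit reapplies ownership afterwards; a %post line such as `chown root:%{_user} /etc/dehydrated/config /etc/dehydrated/domains.txt /etc/dehydrated/hook.sh ||:` (outside the systemd conditional) would close that gap. Separately, the `perl -p -i -e` LOCKFILE rewrite has no success check and the following `diff -urN ... ||:` only prints to the build log, so a renamed or reformatted `#LOCKFILE=` line upstream would ship a config whose lock file still defaults to `${BASEDIR}/lock`, which the service user cannot create under a root-owned 750 /etc/dehydrated; `grep -q '^LOCKFILE="%{_lock_dir}/lock"$' %{buildroot}%{_home}/config` after the rewrite fails the build instead of the runtime. `%{S:5}` and `%{SOURCE4}` are two spellings of the same macro family; one of them reads better.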
diff --git a/dehydrated.tmpfiles.d b/dehydrated.tmpfiles.d
new file mode 100644
index 0000000..e13218a
--- /dev/null
+++ b/dehydrated.tmpfiles.d
@@ -0,0 +1,2 @@
+# Type Path                    Mode UID        GID     Age Argument
+d      /run/dehydrated         0700 dehydrated dehydrated    -   -