From bce49d6f1195d72a13fdd16c5466da0b080af4ac2adbb2fb4a4d9b23100a223b Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 17 Oct 2017 02:03:39 +0000 Subject: [PATCH 1/5] Accepting request 534175 from home:dmolkentin:branches:security:dehydrated - In the timer service, execute root post run hooks in ExecStartPost - Fix run of root hooks - Simplify root hook execution, this is also more robust OBS-URL: https://build.opensuse.org/request/show/534175 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=15 --- dehydrated.changes | 12 ++++++++++++ dehydrated.cron.in | 2 +- dehydrated.service.in | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/dehydrated.changes b/dehydrated.changes index 071ea65..aca8222 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Mon Oct 16 09:27:28 UTC 2017 - daniel.molkentin@suse.com + +- In the timer service, execute root post run hooks in ExecStartPost + +------------------------------------------------------------------- +Mon Oct 16 04:43:22 UTC 2017 - daniel.molkentin@suse.com + +- Fix run of root hooks + +- Simplify root hook execution, this is also more robust + ------------------------------------------------------------------- Thu Oct 5 13:36:39 UTC 2017 - daniel.molkentin@suse.com diff --git a/dehydrated.cron.in b/dehydrated.cron.in index ba90790..fc2157b 100644 --- a/dehydrated.cron.in +++ b/dehydrated.cron.in @@ -2,4 +2,4 @@ SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root -25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done; +25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; diff --git a/dehydrated.service.in b/dehydrated.service.in index 5f1fad2..baf2ba2 100644 --- a/dehydrated.service.in +++ b/dehydrated.service.in @@ -6,7 +6,7 @@ Wants=acmeresponder.socket [Service] Type=oneshot -ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;' +ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} ; ExecStart=/usr/bin/dehydrated --cron # dehydrated --cron will drop permissions and run critical code as dehydrated user. From ea11f1cea0de72d64b186dcf7a679848b833438df8337f1cbe1d8010f736bed9 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Tue, 17 Oct 2017 14:48:54 +0000 Subject: [PATCH 2/5] Accepting request 534491 from home:dmolkentin:branches:security:dehydrated - Commands in service files need some escaping after all. Fix ExecStartPost. OBS-URL: https://build.opensuse.org/request/show/534491 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=16 --- dehydrated.changes | 5 +++++ dehydrated.service.in | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/dehydrated.changes b/dehydrated.changes index aca8222..4419682 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Oct 17 14:46:16 UTC 2017 - daniel.molkentin@suse.com + +- Commands in service files need some escaping after all. Fix ExecStartPost. + ------------------------------------------------------------------- Mon Oct 16 09:27:28 UTC 2017 - daniel.molkentin@suse.com diff --git a/dehydrated.service.in b/dehydrated.service.in index baf2ba2..6038ab0 100644 --- a/dehydrated.service.in +++ b/dehydrated.service.in @@ -6,7 +6,7 @@ Wants=acmeresponder.socket [Service] Type=oneshot -ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} ; +ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; ExecStart=/usr/bin/dehydrated --cron # dehydrated --cron will drop permissions and run critical code as dehydrated user. From bae7cb3bbf51fb72d5eae13cdaac9f19e72e07cca6dfa99564d69b50155b9909 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Fri, 20 Oct 2017 09:54:53 +0000 Subject: [PATCH 3/5] Accepting request 535146 from home:dmolkentin:branches:security:dehydrated - Use /usr/bin/bash directly, rather than via env - Use sudo instead of su to allow for argument handling, also works in all cases when no login shell is assigned to the dehydrated user * updates 0001-Add-optional-user-and-group-configuration.patch OBS-URL: https://build.opensuse.org/request/show/535146 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=17 --- ...ptional-user-and-group-configuration.patch | 35 ++++++++++++++----- dehydrated.changes | 13 +++++++ dehydrated.spec | 4 +++ 3 files changed, 44 insertions(+), 8 deletions(-) diff --git a/0001-Add-optional-user-and-group-configuration.patch b/0001-Add-optional-user-and-group-configuration.patch index fb931b7..ef092d6 100644 --- a/0001-Add-optional-user-and-group-configuration.patch +++ b/0001-Add-optional-user-and-group-configuration.patch @@ -1,4 +1,4 @@ -From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001 +From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Thu, 21 Sep 2017 19:07:54 +0200 Subject: [PATCH] Add optional user and group configuration @@ -6,16 +6,30 @@ Subject: [PATCH] Add optional user and group configuration when DEHYDRATED_USER is set, dehydrated will refuse to run as root, and instead launch itself as the user in DEHYDRATED_USER (and DEHYDRATED_GROUP if set). + +Using sudo has a few practical advantages over su: +- it doesn't require to specify a login shell when no login shell is set + for the target user +- it allows (safe) handling of arguments. --- - dehydrated | 15 +++++++++++++++ + dehydrated | 22 ++++++++++++++++++++++ docs/examples/config | 6 ++++++ - 2 files changed, 21 insertions(+) + 2 files changed, 28 insertions(+) diff --git a/dehydrated b/dehydrated -index 8b31ee1..39c717f 100755 +index 8b31ee1..acca1d0 100755 --- a/dehydrated +++ b/dehydrated -@@ -126,6 +126,8 @@ load_config() { +@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + + BASEDIR="${SCRIPTDIR}" + ++ORIGARGS="$@" ++ + # Create (identifiable) temporary files + _mktemp() { + # shellcheck disable=SC2068 +@@ -126,6 +128,8 @@ load_config() { LOCKFILE= OCSP_MUST_STAPLE="no" IP_VERSION= @@ -24,17 +38,22 @@ index 8b31ee1..39c717f 100755 if [[ -z "${CONFIG:-}" ]]; then echo "#" >&2 -@@ -159,6 +161,19 @@ load_config() { +@@ -159,6 +163,24 @@ load_config() { done fi + # Check if we are running & are allowed to run as root + if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then ++ sudo=`command -v sudo` ++ if [ -z $sudo ]; then ++ echo "DEHYDRATED_USER set but sudo not available. Please install sudo." ++ exit ++ fi + if [ ! -z "$DEHYDRATED_GROUP" ]; then + group="-g $DEHYDRATED_GROUP" + fi + echo "# INFO: Running $0 as $DEHYDRATED_USER" -+ su -c "$0" $group "$DEHYDRATED_USER" ++ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS + exit + fi + @@ -62,5 +81,5 @@ index 1b1b3d8..9a890f4 100644 # supported values: 4, 6 # default: -- -2.12.3 +2.14.1 diff --git a/dehydrated.changes b/dehydrated.changes index 4419682..28a7bb8 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Oct 19 08:11:20 UTC 2017 - daniel.molkentin@suse.com + +- Use /usr/bin/bash directly, rather than via env + +------------------------------------------------------------------- +Wed Oct 18 16:42:31 UTC 2017 - daniel.molkentin@suse.com + +- Use sudo instead of su to allow for argument handling, also + works in all cases when no login shell is assigned to the + dehydrated user + * updates 0001-Add-optional-user-and-group-configuration.patch + ------------------------------------------------------------------- Tue Oct 17 14:46:16 UTC 2017 - daniel.molkentin@suse.com diff --git a/dehydrated.spec b/dehydrated.spec index e289eed..a1c32c3 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -72,6 +72,7 @@ BuildRequires: %{_apache} Requires: coreutils Requires: curl Requires: openssl +Requires: sudo Requires(pre): %{_bindir}/getent Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/useradd @@ -205,6 +206,9 @@ mkdir -p %{buildroot}%{_postrunhooks} cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz +# Silence E: env-script-interpreter +find \( -name \*.sh -o -name dehydrated \) -exec sed -i 's,#!/usr/bin/env bash,#!/usr/bin/bash,g' {} \; + sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config install -m 0644 docs/examples/* %{buildroot}%{_home} install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks} From dd7fda6243a014a0523d1dcc14257e44a7fe9a17afbe985da8713887a2ebe79e Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Fri, 20 Oct 2017 10:57:53 +0000 Subject: [PATCH 4/5] - actually try to find the real path to bash and don't hardcode /usr/bin/bash OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=18 --- dehydrated.changes | 6 ++++++ dehydrated.service.in | 3 ++- dehydrated.spec | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/dehydrated.changes b/dehydrated.changes index 28a7bb8..532aab0 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Oct 20 10:55:26 UTC 2017 - mrueckert@suse.de + +- actually try to find the real path to bash and don't hardcode + /usr/bin/bash + ------------------------------------------------------------------- Thu Oct 19 08:11:20 UTC 2017 - daniel.molkentin@suse.com diff --git a/dehydrated.service.in b/dehydrated.service.in index 6038ab0..bf4121f 100644 --- a/dehydrated.service.in +++ b/dehydrated.service.in @@ -7,7 +7,8 @@ Wants=acmeresponder.socket [Service] Type=oneshot ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; -ExecStart=/usr/bin/dehydrated --cron +EnvironmentFile=/etc/dehydrated/config +ExecStart=/usr/bin/su -s /bin/bash -c "/usr/bin/dehydrated --cron" -g $DEHYDRATED_GROUP $DEHYDRATED_USER # dehydrated --cron will drop permissions and run critical code as dehydrated user. User=root diff --git a/dehydrated.spec b/dehydrated.spec index a1c32c3..3552df1 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -207,7 +207,7 @@ mkdir -p %{buildroot}%{_postrunhooks} cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz # Silence E: env-script-interpreter -find \( -name \*.sh -o -name dehydrated \) -exec sed -i 's,#!/usr/bin/env bash,#!/usr/bin/bash,g' {} \; +find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \; sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config install -m 0644 docs/examples/* %{buildroot}%{_home} From 69cee6f711ab355cfec4a788a0b0d2122b4603ec082e8653221af13031457aed Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Fri, 20 Oct 2017 11:02:37 +0000 Subject: [PATCH 5/5] - actually try to find the real path to bash and don't hardcode /usr/bin/bash OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=19 --- dehydrated.changes | 5 +++++ dehydrated.service.in | 3 +-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/dehydrated.changes b/dehydrated.changes index 532aab0..c77f508 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de + +- revert accidental change to the service file + ------------------------------------------------------------------- Fri Oct 20 10:55:26 UTC 2017 - mrueckert@suse.de diff --git a/dehydrated.service.in b/dehydrated.service.in index bf4121f..6038ab0 100644 --- a/dehydrated.service.in +++ b/dehydrated.service.in @@ -7,8 +7,7 @@ Wants=acmeresponder.socket [Service] Type=oneshot ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; -EnvironmentFile=/etc/dehydrated/config -ExecStart=/usr/bin/su -s /bin/bash -c "/usr/bin/dehydrated --cron" -g $DEHYDRATED_GROUP $DEHYDRATED_USER +ExecStart=/usr/bin/dehydrated --cron # dehydrated --cron will drop permissions and run critical code as dehydrated user. User=root