From c9e98b2046d6081c51a9417270ebf1d9ac873a308c0d4e2ecb15a6ee110a7849 Mon Sep 17 00:00:00 2001
From: Marcus Rueckert
Date: Mon, 5 Feb 2024 10:39:53 +0000
Subject: [PATCH 1/3] - switch to sysuser for user/group setup
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=87
---
 dehydrated.changes | 5 +++++
 dehydrated.spec | 15 ++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/dehydrated.changes b/dehydrated.changes
index 53b8bc1..d3f54e0 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb 5 10:38:26 UTC 2024 - Marcus Rueckert
+
+- switch to sysuser for user/group setup
+
 -------------------------------------------------------------------
 Fri Feb 2 17:34:54 UTC 2024 - Marcus Rueckert
diff --git a/dehydrated.spec b/dehydrated.spec
index 8194c3c..629b1cb 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -77,6 +77,7 @@ Source17: dehydrated.target
 Source18: dehydrated-postrun-hooks.service
 Source19: dehydrated-postrun-hooks@.service
 Source20: README.postrun-hooks
+Source21: dehydrated.sysusers
 BuildRequires: %{_apache}
 Requires: coreutils
 Requires: curl
@@ -103,7 +104,10 @@ BuildRequires: shadow
 %endif
 %if %{with systemd}
 BuildRequires: pkgconfig(systemd)
-%{?systemd_requires}
+BuildRequires: sysuser-shadow
+BuildRequires: sysuser-tools
+%{?systemd_ordering}
+%sysusers_requires
 %else #with_systemd
 %if 0%{?suse_version}
 Requires: cron
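Review bot: The two `BuildRequires: sysuser-*` lines and `%sysusers_requires` are added inside `%if %{with systemd}`, but the rest of the switch is not guarded the same way as far as the hunks show: `%pre -f %{name}.pre` (hunk at -151), `%sysusers_generate_pre` in `%build` (-178) and the `install` of `%{SOURCE21}` (-259) all apply to every build, and the `getent`/`groupadd`/`useradd` fallback is removed outright. A build without systemd would then presumably either fail on the undefined macro or produce a package that no longer creates the unprivileged account the certificate and key directory is meant to belong to. Either move the three added lines above the `%if`, or guard the later additions with the same conditional and keep the old scriptlet in the `%else` branch. The conditional block continues past the end of this hunk, so the non-systemd branch should be checked against the full spec.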
@@ -151,10 +155,7 @@ Provides: letsencrypt.sh-nginx = %{version} This adds a configuration file for dehydrated's acme-challenge to nginx. %endif #with nginx -%pre -getent group %{_user} >/dev/null || %{_sbindir}/groupadd -r %{_user} -getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \ - -s /bin/false -r -c "%{_user}" -d %{_home} %{_user} +%pre -f %{name}.pre if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi %if %{with systemd} @@ -178,6 +179,7 @@ cp %{SOURCE10} . cp %{SOURCE20} . %build +%sysusers_generate_pre %{SOURCE21} %{name} %{name}.conf %install # sensitive keys @@ -259,6 +261,8 @@ perl -p -i -e 's|#DEHYDRATED_GROUP=|DEHYDRATED_GROUP="%{_user}"|' %{buildroot}%{ diff -urN docs/examples/config %{buildroot}%{_home}/config ||: +install -Dpm0644 %{SOURCE21} %{buildroot}%{_sysusersdir}/%{name}.conf + # Rename existing config file config files fror nginx %if %{with nginx} %pre nginx @@ -294,6 +298,7 @@ diff -urN docs/examples/config %{buildroot}%{_home}/config ||: %{_unitdir}/dehydrated*.timer %if %{with instantiated_service} %{_unitdir}/dehydrated.target +%{_sysusersdir}/%{name}.conf %endif %if 0%{?suse_version} %{_sbindir}/rcdehydrated From ae87ae2016475f1a0210957e660b6283a828334e00cd63d3f56f8b8c92cf434f Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Mon, 5 Feb 2024 10:41:12 +0000 Subject: [PATCH 2/3] missing file OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=88 --- dehydrated.sysusers | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 dehydrated.sysusers diff --git a/dehydrated.sysusers b/dehydrated.sysusers new file mode 100644 index 0000000..d21301e --- /dev/null +++ b/dehydrated.sysusers @@ -0,0 +1,2 @@ +# Type Name ID GECOS [HOME] +u dehydrated - "User for dehydrated" /etc/dehydrated From 2b2c603fd7d01811a08085eba612b88a90659ea1335a3f9d6fc1cc4b7bd2c252 Mon Sep 17 00:00:00 2001 
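Review bot: The new `%{_sysusersdir}/%{name}.conf` entry in `%files` (hunk at -294) sits between `%{_unitdir}/dehydrated.target` and its `%endif`, so it is packaged only when `instantiated_service` is enabled, whereas the `install -Dpm0644 %{SOURCE21} %{buildroot}%{_sysusersdir}/%{name}.conf` line in the hunk at -259 is, as far as that hunk shows, unconditional. With the conditional off, the build would either stop on an installed-but-unpackaged file or ship no sysusers.d entry, leaving the service account defined only by the generated `%pre` scriptlet. Move the line below the `%endif` so it follows the same condition as the install step. The `%files` section starts and ends outside the hunk, so the enclosing conditionals should be confirmed against the full spec.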
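Review bot: The `u dehydrated - "User for dehydrated" /etc/dehydrated` line in the new dehydrated.sysusers hard-codes the account name and home directory, while the spec derives both from `%{_user}` and `%{_home}` (the removed `useradd` call and the `DEHYDRATED_GROUP="%{_user}"` substitution in patch 1). If either macro is ever overridden, the created account and the ownership the package expects would diverge, for a directory the spec itself marks as holding sensitive keys. The removed scriptlet also pinned the shell with `-s /bin/false`, whereas the new entry leaves the shell field unset and relies on the tool's default, presumably a nologin shell. A comment such as `# name/home must match %{_user}/%{_home} in dehydrated.spec; shell left at the sysusers default (no login)` would make both assumptions explicit.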
From: Marcus Rueckert
Date: Mon, 5 Feb 2024 10:46:02 +0000
Subject: [PATCH 3/3] remove extra provides
OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=89
---
 dehydrated.spec | 2 --
 1 file changed, 2 deletions(-)
diff --git a/dehydrated.spec b/dehydrated.spec
index 629b1cb..79b185c 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -89,8 +89,6 @@ Requires(pre): %{_sbindir}/useradd
 Obsoletes: dehydrated-lighttpd < %{version}-%{release}
 Obsoletes: letsencrypt.sh < %{version}
 Provides: letsencrypt.sh = %{version}
-Provides: user(%{_user})
-Provides: group(%{_user})
 %if %{with nginx}
 BuildRequires: nginx
 %endif