Accepting request 535146 from home:dmolkentin:branches:security:dehydrated

- Use /usr/bin/bash directly, rather than via env - Use sudo instead of su to allow for argument handling, also works in all cases when no login shell is assigned to the dehydrated user * updates 0001-Add-optional-user-and-group-configuration.patch OBS-URL: https://build.opensuse.org/request/show/535146 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=17
2017-10-20 09:54:53 +00:00 · 2017-10-20 09:54:53 +00:00 · bae7cb3bbf
commit bae7cb3bbf
parent ea11f1cea0
3 changed files with 44 additions and 8 deletions
--- a/0001-Add-optional-user-and-group-configuration.patch
+++ b/0001-Add-optional-user-and-group-configuration.patch
@ -1,4 +1,4 @@
-From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001
+From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
 From: Daniel Molkentin <dmolkentin@suse.com>
 Date: Thu, 21 Sep 2017 19:07:54 +0200
 Subject: [PATCH] Add optional user and group configuration
@ -6,16 +6,30 @@ Subject: [PATCH] Add optional user and group configuration
 when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
 and instead launch itself as the user in DEHYDRATED_USER (and
 DEHYDRATED_GROUP if set).
+
+Using sudo has a few practical advantages over su:
+- it doesn't require to specify a login shell when no login shell is set
+  for the target user
+- it allows (safe) handling of arguments.
 ---
- dehydrated           | 15 +++++++++++++++
+ dehydrated           | 22 ++++++++++++++++++++++
 docs/examples/config |  6 ++++++
- 2 files changed, 21 insertions(+)
+ 2 files changed, 28 insertions(+)

 diff --git a/dehydrated b/dehydrated
-index 8b31ee1..39c717f 100755
+index 8b31ee1..acca1d0 100755
 --- a/dehydrated
 +++ b/dehydrated
-@@ -126,6 +126,8 @@ load_config() {
+@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+ 
+ BASEDIR="${SCRIPTDIR}"
+ 
+ORIGARGS="$@"
+
+ # Create (identifiable) temporary files
+ _mktemp() {
+   # shellcheck disable=SC2068
+@@ -126,6 +128,8 @@ load_config() {
   LOCKFILE=
   OCSP_MUST_STAPLE="no"
   IP_VERSION=
@ -24,17 +38,22 @@ index 8b31ee1..39c717f 100755
 
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
-@@ -159,6 +161,19 @@ load_config() {
+@@ -159,6 +163,24 @@ load_config() {
    done
   fi
 
 +  # Check if we are running & are allowed to run as root
 +  if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
+    sudo=`command -v sudo`
+    if [ -z $sudo ]; then
+       echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
+       exit
+    fi
 +    if [ ! -z "$DEHYDRATED_GROUP" ]; then
 +        group="-g $DEHYDRATED_GROUP"
 +    fi
 +    echo "# INFO: Running $0 as $DEHYDRATED_USER"
-+    su -c "$0" $group "$DEHYDRATED_USER"
+    $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
 +    exit
 +  fi
 +
@ -62,5 +81,5 @@ index 1b1b3d8..9a890f4 100644
 # supported values: 4, 6
 # default: <unset>
 -- 
-2.12.3
+2.14.1

--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Oct 19 08:11:20 UTC 2017 - daniel.molkentin@suse.com
+
+- Use /usr/bin/bash directly, rather than via env 
+
+-------------------------------------------------------------------
+Wed Oct 18 16:42:31 UTC 2017 - daniel.molkentin@suse.com
+
+- Use sudo instead of su to allow for argument handling, also
+  works in all cases when no login shell is assigned to the
+  dehydrated user
+  * updates 0001-Add-optional-user-and-group-configuration.patch
+
 -------------------------------------------------------------------
 Tue Oct 17 14:46:16 UTC 2017 - daniel.molkentin@suse.com

--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -72,6 +72,7 @@ BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
 Requires:       openssl
+Requires:       sudo
 Requires(pre):  %{_bindir}/getent
 Requires(pre):  %{_sbindir}/groupadd
 Requires(pre):  %{_sbindir}/useradd
@ -205,6 +206,9 @@ mkdir -p %{buildroot}%{_postrunhooks}

 cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz

+# Silence E: env-script-interpreter
+find \( -name \*.sh -o -name dehydrated \) -exec sed -i 's,#!/usr/bin/env bash,#!/usr/bin/bash,g' {} \;
+
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}
 install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks}