Accepting request 564525 from home:dmolkentin:branches:security:dehydrated

- Updated dehydrated to 0.5.0 This removes the following patches and files, which are now part of the upstream package: * 0001-Add-optional-user-and-group-configuration.patch * 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch * dehydrated.1: the man page has been adopted by upstream Starting with this version, upstream introduced signed releases, which is now being used for source validation. Upstream changes: Changed * Certificate chain is now cached (CHAINCACHE) * OpenSSL binary path is now configurable (OPENSSL) * Cleanup now also moves revoked certificates Added * New feature for updating contact information (--account) * Allow automatic cleanup on exit (AUTO_CLEANUP) * Initial support for fetching OCSP status to be used for OCSP stapling (OCSP_FETCH) * Certificates can now have aliases to create multiple certificates with identical set of domains (see --alias and domains.txt documentation) * Allow dehydrated to run as specified user (/group). This was already available previously as a patch to this package. OBS-URL: https://build.opensuse.org/request/show/564525 OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=21
2018-01-15 11:59:16 +00:00 · 2018-01-15 11:59:16 +00:00 · f303fdbcb8
commit f303fdbcb8
parent 69cee6f711
10 changed files with 95 additions and 303 deletions
--- a/0001-Add-optional-user-and-group-configuration.patch
+++ b/0001-Add-optional-user-and-group-configuration.patch
@ -1,85 +0,0 @@
 From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001
 From: Daniel Molkentin <dmolkentin@suse.com>
 Date: Thu, 21 Sep 2017 19:07:54 +0200
 Subject: [PATCH] Add optional user and group configuration
 when DEHYDRATED_USER is set, dehydrated will refuse to run as root,
 and instead launch itself as the user in DEHYDRATED_USER (and
 DEHYDRATED_GROUP if set).
 Using sudo has a few practical advantages over su:
 - it doesn't require to specify a login shell when no login shell is set
  for the target user
 - it allows (safe) handling of arguments.
 ---
 dehydrated           | 22 ++++++++++++++++++++++
 docs/examples/config |  6 ++++++
 2 files changed, 28 insertions(+)
 diff --git a/dehydrated b/dehydrated
 index 8b31ee1..acca1d0 100755
 --- a/dehydrated
 +++ b/dehydrated
@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
 BASEDIR="${SCRIPTDIR}"
 +ORIGARGS="$@"
 +
 # Create (identifiable) temporary files
 _mktemp() {
   # shellcheck disable=SC2068
@@ -126,6 +128,8 @@ load_config() {
   LOCKFILE=
   OCSP_MUST_STAPLE="no"
   IP_VERSION=
 +  DEHYDRATED_USER=
 +  DEHYDRATED_GROUP=
   if [[ -z "${CONFIG:-}" ]]; then
     echo "#" >&2
@@ -159,6 +163,24 @@ load_config() {
    done
   fi
 +  # Check if we are running & are allowed to run as root
 +  if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then
 +    sudo=`command -v sudo`
 +    if [ -z $sudo ]; then
 +       echo "DEHYDRATED_USER set but sudo not available. Please install sudo."
 +       exit
 +    fi
 +    if [ ! -z "$DEHYDRATED_GROUP" ]; then
 +        group="-g $DEHYDRATED_GROUP"
 +    fi
 +    echo "# INFO: Running $0 as $DEHYDRATED_USER"
 +    $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS
 +    exit
 +  fi
 +
 +  # Check for missing dependencies
 +  check_dependencies
 +
   # Remove slash from end of BASEDIR. Mostly for cleaner outputs, doesn't change functionality.
   BASEDIR="${BASEDIR%%/}"
 diff --git a/docs/examples/config b/docs/examples/config
 index 1b1b3d8..9a890f4 100644
 --- a/docs/examples/config
 +++ b/docs/examples/config
@@ -10,6 +10,12 @@
 # Default values of this config are in comments        #
 ########################################################
 +# Which user should dehydrated run as? This will be implictly enforced when running as root
 +#DEHYDRATED_USER=
 +
 +# Which group should dehydrated run as? This will be implictly enforced when running as root
 +#DEHYDRATED_GROUP=
 +
 # Resolve names to addresses of IP version only. (curl)
 # supported values: 4, 6
 # default: <unset>
 -- 
 2.14.1
--- a/0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
+++ b/0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
@ -1,49 +0,0 @@
 From 5214632c55c70c6c1f0dabce204a9fb8529c8ca8 Mon Sep 17 00:00:00 2001
 From: Lukas Schauer <lukas@schauer.so>
 Date: Thu, 21 Sep 2017 18:10:01 +0200
 Subject: [PATCH] use nullglob, disable warning on empty CONFIG_D directory
 ---
 dehydrated | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
 diff --git a/dehydrated b/dehydrated
 index 8b31ee1..a62b858 100755
 --- a/dehydrated
 +++ b/dehydrated
@@ -8,7 +8,9 @@
 set -e
 set -u
 set -o pipefail
 -[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO
 +[[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB
 +[[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob
 +
 umask 077 # paranoid umask, we're creating private keys
 # Find directory in which this script is stored by traversing all symbolic links
@@ -146,10 +148,7 @@ load_config() {
     fi
     for check_config_d in "${CONFIG_D}"/*.sh; do
 -      if [[ ! -e "${check_config_d}" ]]; then
 -        echo "# !! WARNING !! Extra configuration directory ${CONFIG_D} exists, but no configuration found in it." >&2
 -        break
 -      elif [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
 +      if [[ -f "${check_config_d}" ]] && [[ -r "${check_config_d}" ]]; then
         echo "# INFO: Using additional config file ${check_config_d}"
         # shellcheck disable=SC1090
         . "${check_config_d}"
@@ -1020,9 +1019,6 @@ command_cleanup() {
       # Loop over all files of this type
       for file in "${certdir}/${filebase}-"*".${fileext}"; do
 -        # Handle case where no files match the wildcard
 -        [[ -f "${file}" ]] || break
 -
         # Check if current file is in use, if unused move to archive directory
         filename="$(basename "${file}")"
         if [[ ! "${filename}" = "${current}" ]]; then
 -- 
 2.12.3
--- a/README.SUSE
+++ b/README.SUSE
@ -110,7 +110,7 @@ activated manually:
 Aqcuisition through DNS (dns-01)
 ================================
-Tnis is mostly useful under these conditions
+This is mostly useful under these conditions
 1. Your hosts are not directly exposed to the internet
 2. Your host names are part of a public DNS zone visible on the internet.
--- a/dehydrated-0.4.0.tar.gz
+++ b/dehydrated-0.4.0.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:611da321330ffd43d1dc497990b486b2dec12c59149803ad7d156980c8527f48
 size 74005
--- a/dehydrated-0.5.0.tar.gz
+++ b/dehydrated-0.5.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:3559de9c61f8cb9dda1d247fbb88d94eddcf2d9421941dad73b1d672cb933abe
 size 79965
--- a/dehydrated-0.5.0.tar.gz.asc
+++ b/dehydrated-0.5.0.tar.gz.asc
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCgAdFiEEPC8mBeB4oeGPR5OQnE2+bPQ48zMFAlpaWfkACgkQnE2+bPQ4
 8zOw+Af/YhJVNxDCFFe8uhIm5oFgMvJPyNXk1rMf60kwGINXUUwSHTVXvwFUF/qN
 9ZAnt/zaL4KmK3v5pSP8fIDBwsF17x9G1J0Xv9s5IG9YQOgyV89lVo8Tu15g3Yla
 7Z1OhB4OvzwVioWRNiedyLK916ut9+XJ8YNmUC6LsIHttL7un2Yyqy1nR86x/iDr
 Oh/2DxWtYYGjnr3+DTqcLvdySIy6MBJsRez1zW1MJCCiBIBeq+7fBseT5h9vu55h
 F1vR8KthfCJFqQfdtA7Io3ql8H2hJHn7VintPTnbq8bEIvpDS7CTE+ICP+fuxqzU
 KeElNt7vu/UuoQBnYNBPw2gA/L8fGw==
 =Edom
 -----END PGP SIGNATURE-----
--- a/dehydrated.1
+++ b/dehydrated.1
@ -1,155 +0,0 @@
 .TH DEHYDRATED 1 2017-09-20 "Dehydrated ACME Client"
 .SH NAME
 dehydrated \- ACME client implemented as a shell-script
 .SH SYNOPSIS
 .B dehydrated
 [\fBcommand\fR [\fBargument\fR]]
 [\fBargument\fR [\fBargument\fR]]
 .IR ...
 .SH DESCRIPTION
 A client for ACME-based Certificate Authorities, such as LetsEncrypt.  It
 allows to request and obtain TLS certificates from an ACME-based
 certificate authority.
 Before any certificates can be requested, Dehydrated needs
 to acquire an account with the Certificate Authorities. Optionally, an email
 address can be provided.  It will be used to e.g. notify about expiring
 certificates. You will usually need to accept the Terms of Service of the CA.
 Dehydrated will notify if no account is configured. Run with \fB--register
 --accept-terms\fR to create a new account.
 Next, all domain names must be provided in domains.txt. The format is line
 based: If the file contains two lines "example.com" and "example.net",
 Dehydrated will request two certificate, one for "example.com" and the other
 for "example.net". A single line while "example.com example.net" will request a
 single certificate valid for both "example.net" and "example.com" through the \fISubject
 Alternative Name\fR (SAN) field.
 For the next step, one way of verifying domain name ownership needs to be
 configured.  Dehydrated implements \fIhttp-01\fR and \fIdns-01\fR verification. 
 The \fIhttp-01\fR verification provides proof of ownership by providing a
 challenge token. In order to do that, the directory referenced in the
 \fIWELLKNOWN\fR config variable needs to be exposed at
 \fIhttp://{domain}/.well-known/acme-challenge/\fR, where {domain} is every
 domain name specified in \fIdomains.txt\fR.  Dehydrated does not provide its
 own challenge responder, but relies on an existing web server to provide the
 challenge response.  See \fIwellknown.md\fR for configuration examples of
 popular web servers.
 The \fIdns-01\fR verification works by providing a challenge token through DNS.
 This is especially interesting for hosts that cannot be exposed to the public
 Internet.  Because adding records to DNS zones is oftentimes highly specific to
 the software or the DNS provider at hand, there are many third party hooks
 available for dehydrated.  See \fIdns-verification.md\fR for hooks for popular
 DNS servers and DNS hosters.
 Finally, the certificates need to be requested and updated on a regular basis.
 This can happen through a cron job or a timer. Initially, you may enforce this
 by invoking \fIdehydrated -c\fR manually.
 After a successful run, certificates are stored in
 \fI/etc/dehydrated/certs/{domain}\fR, where {domain} is the domain name in the
 first column of \fIdomains.txt\fR.
 .SH OPTIONS
 .BR Commands
 .TP
 .BR \-\-version ", " \-v
 Print version information
 .TP
 .BR \-\-register
 Register account key
 .TP
 .BR \-\-account
 Update account contact information
 .TP
 .BR \-\-cron ", " \-c
 Sign/renew non\-existent/changed/expiring certificates.
 .TP
 .BR \-\-signcsr ", " \-s " " \fIpath/to/csr.pem\fR
 Sign a given CSR, output CRT on stdout (advanced usage)
 .TP
 .BR \-\-revoke ", " \-r " " \fIpath/to/cert.pem\fR
 Revoke specified certificate
 .TP
 .BR \-\-cleanup ", " \-gc
 Move unused certificate files to archive directory
 .TP
 .BR \-\-help ", " \-h
 Show help text
 .TP
 .BR \-\-env ", " \-e
 Output configuration variables for use in other scripts
 .PP
 .BR Parameters
 .TP
 .BR \-\-accept\-terms
 Accept CAs terms of service
 .TP
 .BR \-\-full\-chain ", " \-fc
 Print full chain when using \fB\-\-signcsr\fR
 .TP
 .BR \-\-ipv4 ", " \-4
 Resolve names to IPv4 addresses only
 .TP
 .BR \-\-ipv6 ", " \-6
 Resolve names to IPv6 addresses only
 .TP
 .BR \-\-domain ", " \-d " " \fIdomain.tld\fR
 Use specified domain name(s) instead of domains.txt entry (one certificate!)
 .TP
 .BR \-\-keep\-going ", " \-g
 Keep going after encountering an error while creating/renewing multiple
 certificates in cron mode
 .TP
 .BR \-\-force ", " \-x
 Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 .TP
 .BR \-\-no\-lock ", " \-n
 Don't use lockfile (potentially dangerous!)
 .TP
 .BR \-\-lock\-suffix " " \fIexample.com\fR
 Suffix lockfile name with a string (useful for use with \-d)
 .TP
 .BR \-\-ocsp
 Sets option in CSR indicating OCSP stapling to be mandatory
 .TP
 .BR \-\-privkey ", " \-p " " \fIpath/to/key.pem\fR
 Use specified private key instead of account key (useful for revocation)
 .TP
 .BR \-\-config ", " \-f " " \fIpath/to/config\fR
 Use specified config file
 .TP
 .BR \-\-hook ", " \-k " " \fIpath/to/hook.sh\fR
 Use specified script for hooks
 .TP
 .BR \-\-out ", " \-o " " \fIcerts/directory\fR
 Output certificates into the specified directory
 .TP
 .BR \-\-challenge ", " \-t " " \fI[http\-01|dns\-01]\fR
 Which challenge should be used? Currently http\-01 and dns\-01 are supported
 .TP
 .BR \-\-algo ", " \-a " " \fI[rsa|prime256v1|secp384r1]\fR
 Which public key algorithm should be used? Supported: rsa, prime256v1 and
 secp384r1
 .SH DIAGNOSTICS
 The program exits 0 if everything was fine, 1 if an error occurred.
 .SH BUGS
 Please report any bugs that you may encounter at the project web site
 .UR https://github.com/lukas2511/dehydrated/issues
 .UE .
 .SH AUTHOR
 Dehydrated was written by Lukas Schauer. This man page was contributed by
 Daniel Molkentin.
 .SH COPYRIGHT
 Copyright 20015-2017 by Lukas Schauer and the respective contributors.
 Provided under the MIT License. See the LICENSE file that accompanies the
 distribution for licensing information.
 .SH SEE ALSO
 Full documentation along with configuration examples are provided in the \fIdocs\fR
 directory of the distribution, or at
 .UR https://github.com/lukas2511/dehydrated/tree/master/docs
 .UE .
--- a/dehydrated.changes
+++ b/dehydrated.changes
@ -1,3 +1,36 @@
 -------------------------------------------------------------------
 Mon Jan 15 11:29:11 UTC 2018 - daniel.molkentin@suse.com
 - Updated dehydrated to 0.5.0
  This removes the following patches and files, which are now part of the
  upstream package:
  * 0001-Add-optional-user-and-group-configuration.patch
  * 0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
  * dehydrated.1: the man page has been adopted by upstream
  Starting with this version, upstream introduced signed releases, which
  is now being used for source validation.
  Upstream changes:
  Changed
  * Certificate chain is now cached (CHAINCACHE)
  * OpenSSL binary path is now configurable (OPENSSL)
  * Cleanup now also moves revoked certificates
  Added
  * New feature for updating contact information (--account)
  * Allow automatic cleanup on exit (AUTO_CLEANUP)
  * Initial support for fetching OCSP status to be used for OCSP stapling
    (OCSP_FETCH)
  * Certificates can now have aliases to create multiple certificates with
    identical set of domains (see --alias and domains.txt documentation)
  * Allow dehydrated to run as specified user (/group). This was already
    available previously as a patch to this package.
 -------------------------------------------------------------------
 Fri Oct 20 11:02:24 UTC 2017 - mrueckert@suse.de
--- a/dehydrated.keyring
+++ b/dehydrated.keyring
@ -0,0 +1,42 @@
 pub   2048R/F438F333 2013-04-05
 uid       [ unknown] Lukas Schauer <lukas@schauer.so>
 uid       [ unknown] Lukas Schauer <lukas2511@xxpro.net>
 sub   2048R/57805524 2013-04-05
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 mQENBFFfGhMBCADuxAL1vqC7J1AmxMrFGxobyPaY9tmUEueRF+JuUJlk48qSbcWg
 zAMEprSgw3HY/15Galu/7g8KxXnlN4WO2vgA6eu1CYx3CoukJ8dc/m6hEMxqwsIW
 H/1sI7P2hLGB/6YC3MqgpyZxrXzS3coe/JLLkeOtcnBgeT1VpGnodSEKsK4unkfV
 cmheLuF+zMb0t1DFtd//Ka99XtoF7HXW6p/n8NjiAXKkEkTWf+0qsOIzar3Hl7QE
 dnEMK1EjDbrqNufTe+TyvM9hVMyDTptvA0EDOj+5Jmt29pWpriOgUgm2D1JgZi9b
 YmGnTo149q5bUzfLvsTDI0IS7ClxXIES/dfXABEBAAG0IEx1a2FzIFNjaGF1ZXIg
 PGx1a2FzQHNjaGF1ZXIuc28+iQE5BBMBAgAjBQJSHiDfAhsDBwsJCAcDAgEGFQgC
 CQoLBBYCAwECHgECF4AACgkQnE2+bPQ48zPRxgf/Y1pJ9H6uB6rmCa3VHoxhvLkV
 ruUSpI+JXNUhwpUWUKNE1yk78jmjRhMMZf7UMYifyGkuK/0/cErktr5j8kqJ2r60
 hOnmkC3jEq5H0hKfGzhosenUvzR9cENYzgnm/4BNWWz1I16jkWRcEGjeC8y033U3
 Tjrtc6f0jLe7R6LzospUCWKzp8WUWgTgqpAyjJY6I44Y6QpTjmRF6t1Nz2yRxxf2
 NAbOQWkSTueusgLVYyvqLZ51u3fsuDJxbQiBnNt0ZGYSDBKrs59Rvg0Xj1cBv1t7
 SrzHuwyiiCQsEaLMvYCygk7qRmZBZ6PKA0gE8oYIr5f10Kx0Mjqnrs8wmpegiLQj
 THVrYXMgU2NoYXVlciA8bHVrYXMyNTExQHh4cHJvLm5ldD6JATgEEwECACIFAlFf
 GhMCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEJxNvmz0OPMzHXoH/jCy
 wwo+W3hy7WAzaKqgnIjRfMQD63OFSwrPI8P7mU0WWrxURwET4C/i+eYHIZYPVaP0
 HvdMMcpgSbBZ0sAW+gtv2qMtL+kB4s+FGVchV4lfh4q5w4EDRknuCEpD5bj7NsOT
 ROvGu0gSvGbGG/EFLJuhrkct5s7ESH5sWonxstk6Ea9L5STR4PGH6swTq0WggbMq
 VFQuWOkjw6KpQOeFTp9koQl3R6P6I0uqe6tVLKJD/nSTKbMYPMZX9Q+TvzqRSRlH
 wL509ZIZV4IzdDFXGM28xvC7KIifbxEzWHVci2afdqbVNH2MBhgHt/SIaW8xBab2
 wnd45rkdHuoK2wBPlPu5AQ0EUV8aEwEIAM1d0x6B/PUlXfUzkTlYtFmfm67OOPW2
 EImld+53RgVc/HGY9RyYP0YwxNs1mjWalzJYV6/aQ9xke/Dz0pLYwIl2c1TCzwin
 qgymkR17krDJ/+hj2GZBsiEHlMDbWskgwIc7WldhcmxsOvsvRrHSCcw7ZFD+iA9l
 6XJoUrtP9QhJLaj6WoX0fU377t3me6hji5387pzYoDKiq8cfJu4q/K6oB42kmo+L
 PVub+DvBBZPDakDnE46v0LfbgvPqjaVxM2KHjqllepk1CIOAbUbtyC9kVuavDgnI
 OMe1couHsy0+7fXeQE0xMLPjGGZAXt6OVI8o/1IbgA2EbiVR225Tu2cAEQEAAYkB
 HwQYAQIACQUCUV8aEwIbDAAKCRCcTb5s9DjzM09cCACGdENt71lx56EjzH6W5o/F
 OYHHTm4ewcfgGSHWmdScq8gOI414kBkOg9ds9IMQt5hp60hXteSxG1l0qxEXbMX7
 cO5FNnjer/ikcwPDS6eZ2a5Gni/h/UFRnVYcw2c+7UAAgouswhwqbkVUrRMDodG2
 DT05fQIdgfbQLUBW5qFToS/CXNzvG47jqBEUS/mFMtZgF2+myU2buMlIXmarTi0K
 EYMt0geGXhpS2DN9iQrQzQ8gjVz/EBgdHbEZOsHW4JMQaycYvouPFVqCIcZoN0s8
 c9AilqEu9V8XLLWA0zRVC8Fp6m/ZpMX8t2kVQdBKMHb1NUz0b+uHynANCRQUGKIg
 =2fWi
 -----END PGP PUBLIC KEY BLOCK-----
--- a/dehydrated.spec
+++ b/dehydrated.spec
@ -1,7 +1,7 @@
 #
 # spec file for package dehydrated
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -46,7 +46,7 @@
 %endif
 Name:           dehydrated
-Version:        0.4.0
+Version:        0.5.0
 Release:        0
 Summary:        A client for signing certificates with an ACME server
 License:        MIT
@ -60,14 +60,11 @@ Source4:        dehydrated.cron.in
 Source5:        dehydrated.tmpfiles.d
 Source6:        dehydrated.service.in
 Source7:        dehydrated.timer
 Source8:        dehydrated.1
 Source9:        README.SUSE
 Source10:       README.Fedora
 Source11:       README.hooks
-# Patch submitted to  upstream
+Source12:       %{name}-%{version}.tar.gz.asc
-Patch1:         0001-Add-optional-user-and-group-configuration.patch
+Source13:       %{name}.keyring
 # Patch from upstream
 Patch2:         0002-use-nullglob-disable-warning-on-empty-CONFIG_D-direc.patch
 BuildRequires:  %{_apache}
 Requires:       coreutils
 Requires:       curl
@ -189,8 +186,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf ||:
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 cp %{SOURCE9} .
 cp %{SOURCE10} .
@ -204,7 +199,7 @@ mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_home}/config.d
 mkdir -p %{buildroot}%{_postrunhooks}
-cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
+cat dehydrated.1 | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 # Silence E: env-script-interpreter
 find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;