- run as root:dehydrated by default to allow special group read
authorMarcin Krol <hawk@tld-linux.org>
Wed, 19 Dec 2018 22:32:44 +0000 (22:32 +0000)
committerMarcin Krol <hawk@tld-linux.org>
Wed, 19 Dec 2018 22:32:44 +0000 (22:32 +0000)
  permission for certificates and keys

dehydrated.spec
sudoers [new file with mode: 0644]
tld.patch

index d5e6a1066c6f9368bcdd1082a99e7b879f91db0f..3a25b89a1105629ecc9e3399234b7a9e441b024a 100644 (file)
@@ -1,7 +1,7 @@
 Summary:       letsencrypt/acme client implemented as a shell-script
 Name:          dehydrated
 Version:       0.6.2
-Release:       3
+Release:       4
 License:       MIT
 Group:         Applications/Networking
 Source0:       https://github.com/lukas2511/dehydrated/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -23,6 +23,7 @@ Source14:     hook.sh
 Source15:      hook.functions
 Source16:      hook.custom_functions
 Source17:      hook.global
+Source18:      sudoers
 Patch0:                tld.patch
 URL:           https://github.com/lukas2511/dehydrated
 BuildRequires: rpmbuild(macros) >= 1.713
@@ -34,7 +35,11 @@ Requires:    grep
 Requires:      mktemp
 Requires:      openssl-tools
 Requires:      sed
+Requires:      sudo
 Requires:      webapps
+Requires(postun):      /usr/sbin/groupdel
+Requires(pre): /usr/bin/getgid
+Requires(pre): /usr/sbin/groupadd
 Suggests:      webserver(access)
 Suggests:      webserver(alias)
 BuildArch:     noarch
@@ -60,7 +65,7 @@ Current features:
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sbindir},{/etc/%{name},%{_webapps}/%{name}}/{conf.d,hooks,hooks.d},/etc/cron.d} \
+install -d $RPM_BUILD_ROOT{%{_sbindir},{/etc/%{name},%{_webapps}/%{name}}/{conf.d,hooks,hooks.d},/etc/{cron,sudoers}.d} \
        $RPM_BUILD_ROOT/var/lib/%{name}/{accounts,acme-challenges,certs}
 
 install -p %{name} $RPM_BUILD_ROOT%{_sbindir}
@@ -77,6 +82,15 @@ install -p %{SOURCE14} $RPM_BUILD_ROOT/etc/%{name}/hooks/hook.sh
 cp -p %{SOURCE15} $RPM_BUILD_ROOT/etc/%{name}/hooks/functions
 cp -p %{SOURCE16} $RPM_BUILD_ROOT/etc/%{name}/hooks/custom_functions
 cp -p %{SOURCE17} $RPM_BUILD_ROOT/etc/%{name}/hooks.d/global
+cp -p %{SOURCE18} $RPM_BUILD_ROOT/etc/sudoers.d/%{name}
+
+%pre
+%groupadd -g 184 dehydrated
+
+%postun
+if [ "$1" = "0" ]; then
+       %groupremove dehydrated
+fi
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -103,6 +117,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(644,root,root,755)
 %doc README.md CHANGELOG LICENSE
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/cron.d/%{name}
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sudoers.d/%{name}
 %dir %attr(750,root,http) %{_webapps}/%{name}
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_webapps}/%{name}/httpd.conf
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_webapps}/%{name}/lighttpd.conf
@@ -121,6 +136,6 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %{_sbindir}/%{name}
 %dir %attr(751,root,root) /var/lib/%{name}
 %dir %attr(700,root,root) /var/lib/%{name}/accounts
-%dir %attr(700,root,root) /var/lib/%{name}/certs
+%dir %attr(750,root,dehydrated) /var/lib/%{name}/certs
 # challenges written here, need to be readable by webserver
-%dir %attr(751,root,root) /var/lib/%{name}/acme-challenges
+%dir %attr(751,root,dehydrated) /var/lib/%{name}/acme-challenges
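Review bot: The sudoers drop-in packaged at `/etc/sudoers.d/%{name}` (the `%files` hunk at `@@ -103,6 +117,7 @@`) is given `%attr(640,root,root)`, but sudo's default sudoers_mode is 0440 and a sudoers file carrying permission bits beyond that (here the owner-write bit) is rejected with "is mode 0640, should be 0440", so the root:dehydrated re-exec this commit relies on would not work on a stock sudo build. Change the line to `%attr(440,root,root) %config(noreplace) /etc/sudoers.d/%{name}`; I would also drop `%verify(not md5 mtime size)` for that file, since a privilege policy file is exactly what `rpm -V` should be checking. The `%pre`/`%postun` hunk creates the group with a fixed GID 184 and removes it on final erase, which looks consistent, but nothing validates the drop-in's syntax at build time; a `visudo -cf %{SOURCE18}` in `%check` (with `BuildRequires: sudo`) would catch a parse error that otherwise disables sudo for every user on the system.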
diff --git a/sudoers b/sudoers
new file mode 100644 (file)
index 0000000..c30c7ed
--- /dev/null
+++ b/sudoers
@@ -0,0 +1 @@
+root ALL = (root:dehydrated) /usr/sbin/dehydrated
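Review bot: The new file has no comment explaining why root needs a sudo entry for a command it can already run, which a future maintainer is likely to "clean up"; presumably the patched script re-executes itself with `sudo -g dehydrated` so that created files get that primary group, and sudo enforces the `-g` switch through this rule. I would add `# lets root re-exec dehydrated with primary group dehydrated (sudo -g); a syntax error here disables sudo system-wide` as the first line. The command is listed without an argument pattern, so any arguments are allowed, which is acceptable for a root-only entry but worth stating. The file name `dehydrated` is fine for sudoers.d (no dot, no trailing `~`), but a `visudo -cf` check at build time would protect against a bad edit reaching the package.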
index 57beb42e535bef30e248dfb31f89913f5f49deba..d70c46676fa6eff30181247616f278ca541ca9df 100644 (file)
--- a/tld.patch
+++ b/tld.patch
@@ -1,12 +1,21 @@
 diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
 --- dehydrated-0.6.2.orig/dehydrated   2018-04-25 21:22:40.000000000 +0000
-+++ dehydrated-0.6.2/dehydrated        2018-05-27 19:22:45.065763589 +0000
++++ dehydrated-0.6.2/dehydrated        2018-12-19 22:00:23.842403000 +0000
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env bash
 +#!/bin/bash
  
  # dehydrated by lukas2511
  # Source: https://dehydrated.io
+@@ -11,7 +11,7 @@
+ [[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB && set -o noglob
+ [[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob && set -f
+-umask 077 # paranoid umask, we're creating private keys
++umask 027 # allow root and dehydrated group only to protect private keys
+ # Close weird external file descriptors
+ exec 3>&-
 @@ -28,7 +28,7 @@
  done
  SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
@@ -25,6 +34,17 @@ diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
    KEYSIZE="4096"
    WELLKNOWN=
    PRIVATE_KEY_RENEW="yes"
+@@ -148,8 +148,8 @@
+   IP_VERSION=
+   CHAINCACHE=
+   AUTO_CLEANUP="no"
+-  DEHYDRATED_USER=
+-  DEHYDRATED_GROUP=
++  DEHYDRATED_USER="root"
++  DEHYDRATED_GROUP="dehydrated"
+   API="auto"
+   if [[ -z "${CONFIG:-}" ]]; then
 @@ -255,8 +255,8 @@
  
    [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
@@ -38,7 +58,7 @@ diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
    [[ -n "${PARAM_LOCKFILE_SUFFIX:-}" ]] && LOCKFILE="${LOCKFILE}-${PARAM_LOCKFILE_SUFFIX}"
 diff -ur dehydrated-0.6.2.orig/docs/examples/config dehydrated-0.6.2/docs/examples/config
 --- dehydrated-0.6.2.orig/docs/examples/config 2018-04-25 21:22:40.000000000 +0000
-+++ dehydrated-0.6.2/docs/examples/config      2018-05-27 19:12:46.943770323 +0000
++++ dehydrated-0.6.2/docs/examples/config      2018-12-19 21:54:12.003403000 +0000
 @@ -40,11 +40,11 @@
  # default: <unset>
  #CONFIG_D=
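Review bot: The `umask 027` introduced in the inner `@@ -11,7 +11,7 @@` hunk is process-wide, so it is inherited by every hook the script runs and by any file it writes outside /var/lib/dehydrated/certs, not only the certificate and key files the commit message names. With the new `DEHYDRATED_USER="root"` / `DEHYDRATED_GROUP="dehydrated"` defaults the primary group is presumably switched to dehydrated before anything is created, which keeps the extra readability to that group, but a hook that copies keys elsewhere now produces group-readable copies under whatever group it runs with. The replacement comment should make that explicit, e.g. `umask 027 # keys become root:dehydrated group-readable; inherited by hooks too`, or the script could keep `umask 077` and relax only the files under CERTDIR after they are written. The code that consumes DEHYDRATED_USER/GROUP is outside this hunk, so the sudo re-exec path is inferred from the spec's new sudoers drop-in rather than visible here.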