From 75b6ad1cd661e9e0c9c5617b871603ecdfcb6ab0 Mon Sep 17 00:00:00 2001
From: Marcin Krol
Date: Wed, 19 Dec 2018 22:32:44 +0000
Subject: [PATCH] - run as root:dehydrated by default to allow special group read permission for certificates and keys

---
 dehydrated.spec | 23 +++++++++++++++++++----
 sudoers | 1 +
 tld.patch | 24 ++++++++++++++++++++++--
 3 files changed, 42 insertions(+), 6 deletions(-)
 create mode 100644 sudoers

diff --git a/dehydrated.spec b/dehydrated.spec
index d5e6a10..3a25b89 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -1,7 +1,7 @@
 Summary: letsencrypt/acme client implemented as a shell-script
 Name: dehydrated
 Version: 0.6.2
-Release: 3
+Release: 4
 License: MIT
 Group: Applications/Networking
 Source0: https://github.com/lukas2511/dehydrated/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -23,6 +23,7 @@ Source14: hook.sh
 Source15: hook.functions
 Source16: hook.custom_functions
 Source17: hook.global
+Source18: sudoers
 Patch0: tld.patch
 URL: https://github.com/lukas2511/dehydrated
 BuildRequires: rpmbuild(macros) >= 1.713
@@ -34,7 +35,11 @@ Requires: grep
 Requires: mktemp
 Requires: openssl-tools
 Requires: sed
+Requires: sudo
 Requires: webapps
+Requires(postun): /usr/sbin/groupdel
+Requires(pre): /usr/bin/getgid
+Requires(pre): /usr/sbin/groupadd
 Suggests: webserver(access)
 Suggests: webserver(alias)
 BuildArch: noarch
@@ -60,7 +65,7 @@ Current features:
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sbindir},{/etc/%{name},%{_webapps}/%{name}}/{conf.d,hooks,hooks.d},/etc/cron.d} \
+install -d $RPM_BUILD_ROOT{%{_sbindir},{/etc/%{name},%{_webapps}/%{name}}/{conf.d,hooks,hooks.d},/etc/{cron,sudoers}.d} \
 	$RPM_BUILD_ROOT/var/lib/%{name}/{accounts,acme-challenges,certs}
 install -p %{name} $RPM_BUILD_ROOT%{_sbindir}
 
@@ -77,6 +82,15 @@ install -p %{SOURCE14} $RPM_BUILD_ROOT/etc/%{name}/hooks/hook.sh
 cp -p %{SOURCE15} $RPM_BUILD_ROOT/etc/%{name}/hooks/functions
 cp -p %{SOURCE16} $RPM_BUILD_ROOT/etc/%{name}/hooks/custom_functions
 cp -p %{SOURCE17} $RPM_BUILD_ROOT/etc/%{name}/hooks.d/global
+cp -p %{SOURCE18} $RPM_BUILD_ROOT/etc/sudoers.d/%{name}
+
+%pre
+%groupadd -g 184 dehydrated
+
+%postun
+if [ "$1" = "0" ]; then
+	%groupremove dehydrated
+fi
 
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -103,6 +117,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(644,root,root,755)
 %doc README.md CHANGELOG LICENSE
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/cron.d/%{name}
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sudoers.d/%{name}
 %dir %attr(750,root,http) %{_webapps}/%{name}
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_webapps}/%{name}/httpd.conf
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_webapps}/%{name}/lighttpd.conf
@@ -121,6 +136,6 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %{_sbindir}/%{name}
 %dir %attr(751,root,root) /var/lib/%{name}
 %dir %attr(700,root,root) /var/lib/%{name}/accounts
-%dir %attr(700,root,root) /var/lib/%{name}/certs
+%dir %attr(750,root,dehydrated) /var/lib/%{name}/certs
 # challenges written here, need to be readable by webserver
-%dir %attr(751,root,root) /var/lib/%{name}/acme-challenges
+%dir %attr(751,root,dehydrated) /var/lib/%{name}/acme-challenges
diff --git a/sudoers b/sudoers
new file mode 100644
index 0000000..c30c7ed
--- /dev/null
+++ b/sudoers
@@ -0,0 +1 @@
+root ALL = (root:dehydrated) /usr/sbin/dehydrated
diff --git a/tld.patch b/tld.patch
index 57beb42..d70c466 100644
--- a/tld.patch
+++ b/tld.patch
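Review bot: In the %files hunk the sudoers.d fragment is installed with `%attr(640,root,root)`, while sudo's compiled-in sudoers_mode defaults to 0440 and `visudo -c` reports /etc/sudoers.d entries with any other mode as bad permissions; some older sudo releases also logged a mode mismatch when loading such a file. Nothing here needs more than what 0440 grants, so `%attr(440,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sudoers.d/%{name}` is the line sudo expects. The same mode question does not apply to the cron.d line above it, which only cron reads.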
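Review bot: The new rule `root ALL = (root:dehydrated) /usr/sbin/dehydrated` grants no new privilege, since invoker and runas user are both root; its only effect is to permit the group switch to dehydrated for that one command path with any arguments, and the file does not say so. A one-line comment would spare the next packager from reconstructing the intent from the spec and tld.patch, e.g. `# lets root (the cron job) re-exec dehydrated with gid dehydrated so certs and keys can be group-readable`. Whether the drop-in is honoured also depends on the distribution's main sudoers including /etc/sudoers.d, which this change presumably relies on but does not check.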
@@ -1,12 +1,21 @@
 diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
 --- dehydrated-0.6.2.orig/dehydrated 2018-04-25 21:22:40.000000000 +0000
-+++ dehydrated-0.6.2/dehydrated 2018-05-27 19:22:45.065763589 +0000
++++ dehydrated-0.6.2/dehydrated 2018-12-19 22:00:23.842403000 +0000
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env bash
 +#!/bin/bash
  # dehydrated by lukas2511
  # Source: https://dehydrated.io
  
+@@ -11,7 +11,7 @@
+ [[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB && set -o noglob
+ [[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob && set -f
+ 
+-umask 077 # paranoid umask, we're creating private keys
++umask 027 # allow root and dehydrated group only to protect private keys
+ 
+ # Close weird external file descriptors
+ exec 3>&-
 @@ -28,7 +28,7 @@
  done
  SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
@@ -25,6 +34,17 @@ diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
   KEYSIZE="4096"
   WELLKNOWN=
   PRIVATE_KEY_RENEW="yes"
+@@ -148,8 +148,8 @@
+   IP_VERSION=
+   CHAINCACHE=
+   AUTO_CLEANUP="no"
+-  DEHYDRATED_USER=
+-  DEHYDRATED_GROUP=
++  DEHYDRATED_USER="root"
++  DEHYDRATED_GROUP="dehydrated"
+   API="auto"
+ 
+   if [[ -z "${CONFIG:-}" ]]; then
 @@ -255,8 +255,8 @@
  
   [[ -z "${CERTDIR}" ]] && CERTDIR="${BASEDIR}/certs"
@@ -38,7 +58,7 @@ diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
   [[ -n "${PARAM_LOCKFILE_SUFFIX:-}" ]] && LOCKFILE="${LOCKFILE}-${PARAM_LOCKFILE_SUFFIX}"
 diff -ur dehydrated-0.6.2.orig/docs/examples/config dehydrated-0.6.2/docs/examples/config
 --- dehydrated-0.6.2.orig/docs/examples/config 2018-04-25 21:22:40.000000000 +0000
-+++ dehydrated-0.6.2/docs/examples/config 2018-05-27 19:12:46.943770323 +0000
++++ dehydrated-0.6.2/docs/examples/config 2018-12-19 21:54:12.003403000 +0000
 @@ -40,11 +40,11 @@
  # default:
  #CONFIG_D=
-- 
2.46.0
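Review bot: `umask 027` is process-wide, so the relaxation in the inner `@@ -11,7 +11,7 @@` hunk is not limited to certificates and keys: the account key under accounts/, the chain cache, lock files and, since child processes inherit the umask, everything hook.sh and the hooks.d scripts write during the run become group-readable, and the account directory is then protected only by the 0700 mode the spec sets on it. If group read on certs/keys is the real goal, keeping `umask 077` and granting group read on the files under certs/ explicitly (for example a `chmod 0640` in the deploy hook) is the narrower change; failing that, the comment should state the actual scope, e.g. `umask 027 # every file this run creates (incl. hook output) is readable by the dehydrated group`. The patched script continues outside this hunk.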
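Review bot: Hard-coding `DEHYDRATED_USER="root"` and `DEHYDRATED_GROUP="dehydrated"` as script defaults in the inner `@@ -148,8 +148,8 @@` hunk ties the package to the sudoers fragment: if dehydrated re-executes itself via sudo whenever its effective ids differ from these, as its handling of the two variables suggests (that code is not on this page), every run not already started as root:dehydrated depends on sudo, and setting both to empty in /etc/dehydrated/config becomes the only way to opt out. Since the next hunk already touches docs/examples/config, consider carrying the two defaults in the shipped config file rather than in the script so the default and the override live in one place, and mention the sudo re-exec in the cron file or %description. The function these defaults belong to starts and ends outside this hunk.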