[packages/dehydrated] - run always via sudo as root:dehydrated to allow dehydrated group to read certificates and keys,

hawk hawk at pld-linux.org
Wed Dec 19 23:48:26 CET 2018


commit e91f3230f38cc6642d9d0853ab0990f8ecec8d9c
Author: Marcin Krol <hawk at tld-linux.org>
Date:   Wed Dec 19 22:46:13 2018 +0000

    - run always via sudo as root:dehydrated to allow dehydrated group
      to read certificates and keys, this is useful for services which
      are not running as root but use SSL certificates (e.g. ejabberd)

 dehydrated.spec | 23 +++++++++++++++++++----
 pld.patch       | 44 +++++++++++++++++++++++++++++++++-----------
 sudoers         |  1 +
 3 files changed, 53 insertions(+), 15 deletions(-)
---
diff --git a/dehydrated.spec b/dehydrated.spec
index 803058e..b8672ba 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -1,7 +1,7 @@
 Summary:	letsencrypt/acme client implemented as a shell-script
 Name:		dehydrated
 Version:	0.6.2
-Release:	1
+Release:	2
 License:	MIT
 Group:		Applications/Networking
 Source0:	https://github.com/lukas2511/dehydrated/archive/v%{version}/%{name}-%{version}.tar.gz
@@ -12,6 +12,7 @@ Source3:	nginx.conf
 Source5:	hook.sh
 Source6:	hook-dns-01.sh
 Source7:	crontab
+Source8:	sudoers
 Patch0:		pld.patch
 URL:		https://dehydrated.io/
 BuildRequires:	rpmbuild(macros) >= 1.713
@@ -23,7 +24,11 @@ Requires:	grep
 Requires:	mktemp
 Requires:	openssl-tools
 Requires:	sed
+Requires:	sudo
 Requires:	webapps
+Requires(postun):	/usr/sbin/groupdel
+Requires(pre):	/usr/bin/getgid
+Requires(pre):	/usr/sbin/groupadd
 Suggests:	webserver(access)
 Suggests:	webserver(alias)
 BuildArch:	noarch
@@ -52,7 +57,7 @@ Current features:
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sbindir},%{_sysconfdir}/certs,/etc/cron.d} \
+install -d $RPM_BUILD_ROOT{%{_sbindir},%{_sysconfdir}/certs,/etc/{cron,sudoers}.d} \
 	$RPM_BUILD_ROOT/var/lib/%{name}/{accounts,acme-challenge,certs}
 
 install -p %{name} $RPM_BUILD_ROOT%{_sbindir}
@@ -62,10 +67,19 @@ cp -p %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/nginx.conf
 cp -p docs/examples/config $RPM_BUILD_ROOT%{_sysconfdir}
 cp -p docs/examples/domains.txt $RPM_BUILD_ROOT%{_sysconfdir}
 cp -p %{SOURCE7} $RPM_BUILD_ROOT/etc/cron.d/%{name}
+cp -p %{SOURCE8} $RPM_BUILD_ROOT/etc/sudoers.d/%{name}
 install -p %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}
 install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
 cp -p $RPM_BUILD_ROOT%{_sysconfdir}/{apache,httpd}.conf
 
+%pre
+%groupadd -g 184 dehydrated
+
+%postun
+if [ "$1" = "0" ]; then
+	%groupremove dehydrated
+fi
+
 %clean
 rm -rf $RPM_BUILD_ROOT
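Review bot: The new `%pre`/`%postun` scriptlets create and remove the group, but nothing migrates data that already exists on upgraded hosts: per-domain directories and key files under `/var/lib/%{name}/certs` were created by the previous release under `umask 077` as root:root/0700, and the `%attr(750,root,dehydrated)` later in this spec only covers the top-level `certs` directory, so the `dehydrated` group still cannot traverse or read anything below it after the upgrade. Renewal does not fix this either, as far as I can tell, since the script only `mkdir -p`s the existing domain directory. Consider a `%post` guarded by `[ "$1" -gt 1 ]` that runs `chgrp -R dehydrated` and `chmod -R g+rX` over `/var/lib/%{name}/certs`, or at least a comment in the spec and the changelog stating that existing certificate directories keep their old root-only permissions until an administrator adjusts them. Also worth a `# gid 184 is reused on reinstall, so files left in /var/lib/%{name} keep a meaningful group` comment next to `%groupadd -g 184`.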
 
@@ -97,6 +111,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(644,root,root,755)
 %doc README.md CHANGELOG LICENSE
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/cron.d/%{name}
+%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sudoers.d/%{name}
 %dir %attr(750,root,http) %{_sysconfdir}
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/apache.conf
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/httpd.conf
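Review bot: The new `/etc/sudoers.d/%{name}` entry is installed `%attr(640,root,root)`, but sudo checks files under sudoers.d against `sudoers_mode` (0440 by default) and, as far as I recall, rejects a file that carries permission bits beyond that with a "should be 0440" warning, which would silently disable the rule the whole change depends on. The conventional line is `%attr(440,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sudoers.d/%{name}`. The file name itself is fine for sudoers.d (no dot, no `~` suffix).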
@@ -109,6 +124,6 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) %{_sbindir}/%{name}
 %dir %attr(751,root,root) /var/lib/%{name}
 %dir %attr(700,root,root) /var/lib/%{name}/accounts
-%dir %attr(700,root,root) /var/lib/%{name}/certs
+%dir %attr(750,root,dehydrated) /var/lib/%{name}/certs
 # challenges written here, need to be readable by webserver
-%dir %attr(751,root,root) /var/lib/%{name}/acme-challenge
+%dir %attr(751,dehydrated,root) /var/lib/%{name}/acme-challenge
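Review bot: `%attr(751,dehydrated,root)` on the acme-challenge line puts `dehydrated` in the user field, but this commit only creates a group of that name (`%groupadd` in `%pre`), so rpm will warn that the user does not exist and fall back to root at install time; the fields look swapped. The certs line two lines above uses the intended order, so this should probably read `%dir %attr(751,dehydrated,root)` → `%dir %attr(751,root,dehydrated) /var/lib/%{name}/acme-challenge`, or stay `root,root` if the only requirement is that the webserver can traverse it, since the script itself still runs as uid 0.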
diff --git a/pld.patch b/pld.patch
index c02a0c3..a46fc29 100644
--- a/pld.patch
+++ b/pld.patch
@@ -1,12 +1,22 @@
---- dehydrated-0.3.1/dehydrated	2016-11-22 19:57:26.978516490 +0200
-+++ dehydrated-0.3.1/dehydrated	2016-11-22 20:01:59.118747292 +0200
+diff -ur dehydrated-0.6.2.orig/dehydrated dehydrated-0.6.2/dehydrated
+--- dehydrated-0.6.2.orig/dehydrated	2018-04-25 21:22:40.000000000 +0000
++++ dehydrated-0.6.2/dehydrated	2018-12-19 22:44:07.875403000 +0000
 @@ -1,4 +1,4 @@
 -#!/usr/bin/env bash
 +#!/bin/bash
  
- # letsencrypt.sh by lukas2511
- # Source: https://github.com/lukas2511/letsencrypt.sh
-@@ -94,7 +94,7 @@
+ # dehydrated by lukas2511
+ # Source: https://dehydrated.io
+@@ -11,7 +11,7 @@
+ [[ -n "${ZSH_VERSION:-}" ]] && set -o SH_WORD_SPLIT && set +o FUNCTION_ARGZERO && set -o NULL_GLOB && set -o noglob
+ [[ -z "${ZSH_VERSION:-}" ]] && shopt -s nullglob && set -f
+ 
+-umask 077 # paranoid umask, we're creating private keys
++umask 027 # allow root and dehydrated group only to protect private keys
+ 
+ # Close weird external file descriptors
+ exec 3>&-
+@@ -112,7 +112,7 @@
  load_config() {
    # Check for config in various locations
    if [[ -z "${CONFIG:-}" ]]; then
@@ -15,7 +25,18 @@
        if [[ -f "${check_config}/config" ]]; then
          BASEDIR="${check_config}"
          CONFIG="${check_config}/config"
-@@ -224,7 +224,7 @@ load_config() {
+@@ -148,8 +148,8 @@
+   IP_VERSION=
+   CHAINCACHE=
+   AUTO_CLEANUP="no"
+-  DEHYDRATED_USER=
+-  DEHYDRATED_GROUP=
++  DEHYDRATED_USER="root"
++  DEHYDRATED_GROUP="dehydrated"
+   API="auto"
+ 
+   if [[ -z "${CONFIG:-}" ]]; then
+@@ -228,7 +228,7 @@
  
    # Create new account directory or symlink to account directory from old CA
    CAHASH="$(echo "${CA}" | urlbase64)"
@@ -24,7 +45,7 @@
    if [[ ! -e "${ACCOUNTDIR}/${CAHASH}" ]]; then
      OLDCAHASH="$(echo "${OLDCA}" | urlbase64)"
      mkdir -p "${ACCOUNTDIR}"
-@@ -249,10 +249,10 @@ load_config() {
+@@ -253,10 +253,10 @@
      mv "${BASEDIR}/private_key.json" "${ACCOUNT_KEY_JSON}"
    fi
  
@@ -37,9 +58,10 @@
    [[ -z "${LOCKFILE}" ]] && LOCKFILE="${BASEDIR}/lock"
    [[ -z "${OPENSSL_CNF}" ]] && OPENSSL_CNF="$("${OPENSSL}" version -d | cut -d\" -f2)/openssl.cnf"
    [[ -n "${PARAM_LOCKFILE_SUFFIX:-}" ]] && LOCKFILE="${LOCKFILE}-${PARAM_LOCKFILE_SUFFIX}"
---- dehydrated-0.3.1/docs/examples/config	2016-10-17 22:32:37.370663315 +0300
-+++ dehydrated-0.3.1/docs/examples/config	2016-11-22 20:02:34.173827857 +0200
-@@ -37,13 +37,13 @@
+diff -ur dehydrated-0.6.2.orig/docs/examples/config dehydrated-0.6.2/docs/examples/config
+--- dehydrated-0.6.2.orig/docs/examples/config	2018-04-25 21:22:40.000000000 +0000
++++ dehydrated-0.6.2/docs/examples/config	2018-12-19 22:42:55.015403000 +0000
+@@ -47,13 +47,13 @@
  #DOMAINS_TXT="${BASEDIR}/domains.txt"
  
  # Output directory for generated certificates
@@ -55,7 +77,7 @@
  
  # Default keysize for private keys (default: 4096)
  #KEYSIZE="4096"
-@@ -61,7 +61,7 @@
+@@ -77,7 +77,7 @@
  #
  # BASEDIR and WELLKNOWN variables are exported and can be used in an external program
  # default: <unset>
diff --git a/sudoers b/sudoers
new file mode 100644
index 0000000..c30c7ed
--- /dev/null
+++ b/sudoers
@@ -0,0 +1 @@
+root ALL = (root:dehydrated) /usr/sbin/dehydrated
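Review bot: The rule has no `NOPASSWD:` tag. sudo normally skips authentication when the invoking uid is 0, but a host that sets `Defaults rootpw`, `targetpw` or `runaspw` would make the unattended cron run block on a password prompt with no tty; `root ALL = (root:dehydrated) NOPASSWD: /usr/sbin/dehydrated` makes the scheduled run independent of that site policy. Note also that the command must match the path exactly, so the re-exec only works when the script is invoked as `/usr/sbin/dehydrated` and not via a relative path or a differently named symlink — worth a one-line comment in the file.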
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/dehydrated.git/commitdiff/e91f3230f38cc6642d9d0853ab0990f8ecec8d9c


