author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2015-12-16 17:50:30 +0100 |
---|---|---|
committer | Krzysztof Jackiewicz <k.jackiewicz@samsung.com> | 2016-01-05 03:22:20 -0800 |
commit | ad8a5435939161bea16ee2abe37f07f3ebd85782 (patch) | |
tree | 715729faa91c49186e12207bf704e718434ca5ac | |
parent | 2896b70686abbe59620b7a4adb5eb12960ecd071 (diff) | |
Change user from root to key-manager
[Solution] User changed. Smack labels/manifests adjusted. Runtime directory
created. Tests adjusted.
Change-Id: I22b7ed01158b16ce3ac3d04110e4ab2ab3d46711
-rw-r--r-- | CMakeLists.txt | 9 | ||||
-rwxr-xr-x | data/scripts/231.key-manager-change-user.patch.sh | 21 | ||||
-rw-r--r-- | packaging/key-manager-tests.manifest | 10 | ||||
-rw-r--r-- | packaging/key-manager.manifest | 3 | ||||
-rw-r--r-- | packaging/key-manager.spec | 49 | ||||
-rw-r--r-- | packaging/libkey-manager-client-devel.manifest | 5 | ||||
-rw-r--r-- | src/listener/listener-daemon.cpp | 2 | ||||
-rw-r--r-- | src/manager/service/file-system.cpp | 2 | ||||
-rw-r--r-- | systemd/CMakeLists.txt | 3 | ||||
-rw-r--r-- | systemd/central-key-manager-listener.service.in (renamed from systemd/central-key-manager-listener.service) | 3 | ||||
-rw-r--r-- | systemd/central-key-manager.service.in | 4 | ||||
-rw-r--r-- | tests/encryption-scheme/scheme-test.cpp | 18 |
12 files changed, 120 insertions, 9 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 73720b1e..3d1a298a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -52,6 +52,11 @@ STRING(REGEX MATCH "([^.]*)" API_VERSION "${VERSION}") ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"") ADD_DEFINITIONS("-DSMACK_ENABLED") ADD_DEFINITIONS("-DSQLCIPHER_HAS_CODEC") +ADD_DEFINITIONS("-DRUN_DIR=\"${RUN_DIR}\"") +ADD_DEFINITIONS("-DSERVICE_NAME=\"${SERVICE_NAME}\"") +ADD_DEFINITIONS("-DUSER_NAME=\"${USER_NAME}\"") +ADD_DEFINITIONS("-DGROUP_NAME=\"${GROUP_NAME}\"") +ADD_DEFINITIONS("-DSMACK_DOMAIN_NAME=\"${SMACK_DOMAIN_NAME}\"") IF (CMAKE_BUILD_TYPE MATCHES "DEBUG") ADD_DEFINITIONS("-DTIZEN_DEBUG_ENABLE") @@ -71,7 +76,9 @@ SET(TARGET_PAM_KEY_MANAGER_PLUGIN "pam_key_manager_plugin") SET(TARGET_TEST_MERGED "ckm-tests-internal") -INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh +INSTALL(FILES + ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/230.key-manager-migrate-dkek.patch.sh + ${CMAKE_CURRENT_BINARY_DIR}/data/scripts/231.key-manager-change-user.patch.sh DESTINATION /etc/opt/upgrade PERMISSIONS OWNER_READ OWNER_WRITE diff --git a/data/scripts/231.key-manager-change-user.patch.sh b/data/scripts/231.key-manager-change-user.patch.sh new file mode 100755 index 00000000..e02cc12a --- /dev/null +++ b/data/scripts/231.key-manager-change-user.patch.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +USER_NAME=key-manager +GROUP_NAME=key-manager +CKM_DATA_PATH=/opt/data/ckm +SMACK_LABEL=System + +id -g $GROUP_NAME > /dev/null 2>&1 +if [ $? -eq 1 ]; then + groupadd $GROUP_NAME -r > /dev/null 2>&1 +fi + +id -u $USER_NAME > /dev/null 2>&1 +if [ $? -eq 1 ]; then + useradd -d /var/lib/empty -s /sbin/nologin -r -g $GROUP_NAME $USER_NAME > /dev/null 2>&1 +fi + +# In ckm version <= 0.1.18 all files were owned by root. +find /opt/data/ckm -exec chsmack -a $SMACK_LABEL {} \; +chown ${USER_NAME}:${GROUP_NAME} -R ${CKM_DATA_PATH} + 
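Review bot: Nothing in the first CMakeLists.txt hunk checks that `RUN_DIR`, `SERVICE_NAME`, `USER_NAME`, `GROUP_NAME` and `SMACK_DOMAIN_NAME` are set before they become compile definitions. The spec file passes them, but a configure run without those `-D` options would compile the lock path as `//key-manager.pid`. Since the same variables are substituted into the `.service.in` files, it would also emit an empty `User=`/`Group=`, which presumably leaves the daemon running as root again. Unless defaults are set in a part of the file outside this hunk, I would fail the configure step early: `IF(NOT USER_NAME OR NOT GROUP_NAME OR NOT SERVICE_NAME OR NOT RUN_DIR OR NOT SMACK_DOMAIN_NAME)`, then `MESSAGE(FATAL_ERROR "RUN_DIR, SERVICE_NAME, USER_NAME, GROUP_NAME and SMACK_DOMAIN_NAME must be set")`, then `ENDIF()`.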
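Review bot: `id -g $GROUP_NAME` in 231.key-manager-change-user.patch.sh does not test whether the group exists; `id` takes a user name, so it reports the primary group of a user called key-manager and fails whenever that user is missing, even if the group is already present. Together with `> /dev/null 2>&1` on `groupadd` and `useradd`, a failed account creation goes unnoticed and the script carries on to a `chown` that cannot succeed, leaving the data root-owned while the service no longer runs as root. I would test the group with `getent group "$GROUP_NAME" > /dev/null` and stop on failure, e.g. `groupadd -r "$GROUP_NAME" || exit 1`. The `find` line also hard-codes `/opt/data/ckm` instead of using `${CKM_DATA_PATH}`. The same `id -g` check and silenced `groupadd`/`useradd` are repeated in the `%pre` scriptlet added to packaging/key-manager.spec.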
diff --git a/packaging/key-manager-tests.manifest b/packaging/key-manager-tests.manifest new file mode 100644 index 00000000..8471cc34 --- /dev/null +++ b/packaging/key-manager-tests.manifest @@ -0,0 +1,10 @@ +<manifest> + <request> + <domain name="_" /> + </request> + <assign> + <filesystem path="/usr/bin/ckm-tests-internal" exec_label="System" /> + <filesystem path="/usr/bin/ckm_db_tool" exec_label="System" /> + <filesystem path="/usr/bin/ckm_generate_db" exec_label="System" /> + </assign> +</manifest> diff --git a/packaging/key-manager.manifest b/packaging/key-manager.manifest index a76fdbae..d4c43468 100644 --- a/packaging/key-manager.manifest +++ b/packaging/key-manager.manifest @@ -2,4 +2,7 @@ <request> <domain name="_" /> </request> + <assign> + <filesystem path="/opt/data/ckm" label="System" type="transmutable" /> + </assign> </manifest> diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec index fe34919d..365d502a 100644 --- a/packaging/key-manager.spec +++ b/packaging/key-manager.spec @@ -9,7 +9,9 @@ Source1001: key-manager.manifest Source1002: key-manager-pam-plugin.manifest Source1003: key-manager-listener.manifest Source1004: libkey-manager-client.manifest -Source1005: libkey-manager-common.manifest +Source1005: libkey-manager-client-devel.manifest +Source1006: libkey-manager-common.manifest +Source1007: key-manager-tests.manifest BuildRequires: cmake BuildRequires: zip BuildRequires: pkgconfig(dlog) 
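Review bot: The `<assign>` entry added to packaging/key-manager.manifest labels `/opt/data/ckm` with the shared `System` label, and nothing in the manifest says why. If other services on the image also run in the `System` Smack domain (not visible here), Smack no longer separates the key store from them, and its protection rests on the `770` mode and key-manager owner/group set in the spec file. I would add a comment above the entry, e.g. `<!-- Key store shares the System label; access is limited by DAC (owner and group key-manager, mode 770) -->`, or use a label dedicated to key-manager if the platform policy allows one.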
@@ -24,9 +26,17 @@ BuildRequires: pkgconfig(security-manager) BuildRequires: pkgconfig(cynara-client-async) BuildRequires: pkgconfig(cynara-creds-socket) BuildRequires: boost-devel +Requires(pre): pwdutils +Requires(postun): pwdutils Requires: libkey-manager-common = %{version}-%{release} %{?systemd_requires} +%global user_name key-manager +%global group_name key-manager +%global service_name key-manager +%global _rundir /run +%global smack_domain_name System + %description Central Key Manager daemon could be used as secure storage for certificate and private/public keys. It gives API for @@ -105,6 +115,8 @@ cp -a %{SOURCE1002} . cp -a %{SOURCE1003} . cp -a %{SOURCE1004} . cp -a %{SOURCE1005} . +cp -a %{SOURCE1006} . +cp -a %{SOURCE1007} . %build %if 0%{?sec_build_binary_debug_enable} @@ -121,6 +133,11 @@ export LDFLAGS+="-Wl,--rpath=%{_libdir},-Bsymbolic-functions " -DCMAKE_VERBOSE_MAKEFILE=ON \ -DSYSTEMD_UNIT_DIR=%{_unitdir} \ -DSYSTEMD_ENV_FILE="/etc/sysconfig/central-key-manager" \ + -DRUN_DIR:PATH=%{_rundir} \ + -DSERVICE_NAME=%{service_name} \ + -DUSER_NAME=%{user_name} \ + -DGROUP_NAME=%{group_name} \ + -DSMACK_DOMAIN_NAME=%{smack_domain_name} \ -DMOCKUP_SM=%{?mockup_sm:%mockup_sm}%{!?mockup_sm:OFF} make %{?jobs:-j%jobs} @@ -161,6 +178,19 @@ cp tests/encryption-scheme/db/key-7654 %{buildroot}/usr/share/ckm-db-test/key-76 %install_service sockets.target.wants central-key-manager-api-ocsp.socket %install_service sockets.target.wants central-key-manager-api-encryption.socket +%pre +# User/group (key-manager/key-manager) should be already added in passwd package. +# This is our backup plan if passwd package will not be configured correctly. +id -g %{group_name} > /dev/null 2>&1 +if [ $? -eq 1 ]; then + groupadd %{group_name} -r > /dev/null 2>&1 +fi + +id -u %{user_name} > /dev/null 2>&1 +if [ $? -eq 1 ]; then + useradd -d /var/lib/empty -s /sbin/nologin -r -g %{group_name} %{user_name} > /dev/null 2>&1 +fi + %clean rm -rf %{buildroot} 
@@ -202,6 +232,10 @@ if [ $1 = 1 ]; then fi if [ $1 = 2 ]; then # update + + # In ckm version <= 0.1.18 all files were owned by root. + find /opt/data/ckm -exec chsmack -a %{smack_domain_name} {} \; + chown %{user_name}:%{group_name} -R /opt/data/ckm systemctl restart central-key-manager-listener.service fi @@ -234,12 +268,15 @@ fi %{_unitdir}/central-key-manager-api-ocsp.socket %{_unitdir}/sockets.target.wants/central-key-manager-api-encryption.socket %{_unitdir}/central-key-manager-api-encryption.socket +%dir %{_datadir}/ckm %{_datadir}/ckm/initial_values.xsd %{_datadir}/ckm/sw_key.xsd -/opt/data/ckm/initial_values/ -%attr(444, root, root) %{_datadir}/ckm/scripts/*.sql +%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/ +%attr(770, %{user_name}, %{group_name}) /opt/data/ckm/initial_values/ +%{_datadir}/ckm/scripts/*.sql /etc/opt/upgrade/230.key-manager-migrate-dkek.patch.sh -%attr(550, root, root) /etc/gumd/userdel.d/10_key-manager.post +/etc/opt/upgrade/231.key-manager-change-user.patch.sh +/etc/gumd/userdel.d/10_key-manager.post %{_bindir}/ckm_tool %files -n key-manager-pam-plugin @@ -263,6 +300,7 @@ fi %{_libdir}/libkey-manager-control-client.so.* %files -n libkey-manager-client-devel +%manifest libkey-manager-client-devel.manifest %{_libdir}/libkey-manager-client.so %{_libdir}/libkey-manager-control-client.so %{_libdir}/libkey-manager-common.so @@ -283,7 +321,9 @@ fi %{_libdir}/pkgconfig/*.pc %files -n key-manager-tests +%manifest key-manager-tests.manifest %{_bindir}/ckm-tests-internal +%dir %{_datadir}/ckm-db-test %{_datadir}/ckm-db-test/testme_ver1.db %{_datadir}/ckm-db-test/testme_ver2.db %{_datadir}/ckm-db-test/testme_ver3.db @@ -303,3 +343,4 @@ fi %{_bindir}/ckm_so_loader %{_bindir}/ckm_db_tool %{_bindir}/ckm_generate_db + diff --git a/packaging/libkey-manager-client-devel.manifest b/packaging/libkey-manager-client-devel.manifest new file mode 100644 index 00000000..a76fdbae --- /dev/null +++ b/packaging/libkey-manager-client-devel.manifest 
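Review bot: The `%files` hunk at `@@ -234,12 +268,15 @@` drops `%attr(550, root, root)` from `/etc/gumd/userdel.d/10_key-manager.post` and `%attr(444, root, root)` from the SQL scripts, so their owner and mode now come from whatever `%defattr` or build-root permissions apply, which is outside the hunk. The userdel hook is presumably run by gumd with elevated privileges, so it should stay pinned to root and not writable by anyone else; I would keep `%attr(550, root, root) /etc/gumd/userdel.d/10_key-manager.post`. If the removal is intentional, a comment saying where the ownership now comes from would help the next packager.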
@@ -0,0 +1,5 @@ +<manifest> + <request> + <domain name="_" /> + </request> +</manifest> diff --git a/src/listener/listener-daemon.cpp b/src/listener/listener-daemon.cpp index 894d4282..92d6ce12 100644 --- a/src/listener/listener-daemon.cpp +++ b/src/listener/listener-daemon.cpp @@ -35,7 +35,7 @@ #define LOG_TAG "CKM_LISTENER" namespace { -const char* const CKM_LOCK = "/var/run/key-manager.pid"; +const char* const CKM_LOCK = RUN_DIR "/" SERVICE_NAME "/key-manager.pid"; }; bool isCkmRunning() diff --git a/src/manager/service/file-system.cpp b/src/manager/service/file-system.cpp index e569d1dd..678ee6d9 100644 --- a/src/manager/service/file-system.cpp +++ b/src/manager/service/file-system.cpp @@ -47,7 +47,7 @@ const std::string CKM_KEY_PREFIX = "key-"; const std::string CKM_DB_KEY_PREFIX = "db-key-"; const std::string CKM_DB_PREFIX = "db-"; const std::string CKM_REMOVED_APP_PREFIX = "removed-app-"; -const std::string CKM_LOCK_FILE = "/var/run/key-manager.pid"; +const std::string CKM_LOCK_FILE = RUN_DIR "/" SERVICE_NAME "/key-manager.pid"; } // namespace anonymous diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt index cda16ecc..e8f38adf 100644 --- a/systemd/CMakeLists.txt +++ b/systemd/CMakeLists.txt @@ -1,6 +1,9 @@ CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service.in ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service @ONLY) +CONFIGURE_FILE(${CMAKE_SOURCE_DIR}/systemd/central-key-manager-listener.service.in + ${CMAKE_SOURCE_DIR}/systemd/central-key-manager-listener.service @ONLY) + INSTALL(FILES ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.service ${CMAKE_SOURCE_DIR}/systemd/central-key-manager.target diff --git a/systemd/central-key-manager-listener.service b/systemd/central-key-manager-listener.service.in index ba2b8bcc..2b4e7cde 100644 --- a/systemd/central-key-manager-listener.service +++ b/systemd/central-key-manager-listener.service.in 
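Review bot: The lock path `RUN_DIR "/" SERVICE_NAME "/key-manager.pid"` is now spelled out twice, as `CKM_LOCK` in src/listener/listener-daemon.cpp and as `CKM_LOCK_FILE` in src/manager/service/file-system.cpp. The two must stay identical for the listener's `isCkmRunning()` to look at the file the daemon locks; that is how I read the names, since the function bodies are outside the hunks. A single definition in a shared header would remove the risk of them drifting apart. At minimum I would add a comment on both, e.g. `// Must match CKM_LOCK_FILE in file-system.cpp; the directory is created by RuntimeDirectory= in central-key-manager.service`.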
@@ -4,6 +4,9 @@ Requires=dbus.service After=central-key-manager.service [Service] +User=@USER_NAME@ +Group=@GROUP_NAME@ +SmackProcessLabel=@SMACK_DOMAIN_NAME@ Type=simple ExecStart=/usr/bin/key-manager-listener diff --git a/systemd/central-key-manager.service.in b/systemd/central-key-manager.service.in index 01591315..c516c411 100644 --- a/systemd/central-key-manager.service.in +++ b/systemd/central-key-manager.service.in @@ -3,6 +3,9 @@ Description=Start the Central Key Manager DefaultDependencies=no [Service] +User=@USER_NAME@ +Group=@GROUP_NAME@ +SmackProcessLabel=@SMACK_DOMAIN_NAME@ Type=notify ExecStart=/usr/bin/key-manager Sockets=central-key-manager-api-storage.socket @@ -10,6 +13,7 @@ Sockets=central-key-manager-api-control.socket Sockets=central-key-manager-api-ocsp.socket Sockets=central-key-manager-api-encryption.socket EnvironmentFile=-@SYSTEMD_ENV_FILE@ +RuntimeDirectory=@SERVICE_NAME@ [Install] WantedBy=multi-user.target diff --git a/tests/encryption-scheme/scheme-test.cpp b/tests/encryption-scheme/scheme-test.cpp index 35b78c93..9abf27eb 100644 --- a/tests/encryption-scheme/scheme-test.cpp +++ b/tests/encryption-scheme/scheme-test.cpp @@ -27,6 +27,8 @@ #include <fcntl.h> #include <unistd.h> #include <string.h> +#include <grp.h> +#include <pwd.h> #include <fstream> #include <stdexcept> @@ -56,8 +58,6 @@ RawBuffer TEST_DATA(TEST_DATA_STR.begin(), TEST_DATA_STR.end()); const Password TEST_PASS = "custom user password"; const size_t IV_LEN = 16; const size_t CHAIN_LEN = 3; -const uid_t CKM_UID = 0; -const gid_t CKM_GID = 0; enum { NO_PASS = 0, 
@@ -253,7 +253,21 @@ struct FdCloser { typedef std::unique_ptr<int, FdCloser> FdPtr; +uid_t getUid(const char *name) { + passwd *p = getpwnam(name); + BOOST_REQUIRE_MESSAGE(p, "getpwnam failed"); + return p->pw_uid; +} + +gid_t getGid(const char *name) { + group *g = getgrnam(name); + BOOST_REQUIRE_MESSAGE(g, "getgrnam failed"); + return g->gr_gid; +} + void restoreFile(const string& filename) { + static uid_t CKM_UID = getUid(USER_NAME); + static gid_t CKM_GID = getGid(GROUP_NAME); string sourcePath = "/usr/share/ckm-db-test/" + filename; string targetPath = "/opt/data/ckm/" + filename; |
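Review bot: `getUid` and `getGid` report only "getpwnam failed" and "getgrnam failed", which does not say which account was looked up, so a test image that lacks the key-manager user fails with no hint of the cause. Including the name fixes that: `BOOST_REQUIRE_MESSAGE(p, "getpwnam failed for user: " << name);` and likewise for the group. The two function-level statics in `restoreFile` are never reassigned in the visible lines and could be declared `static const uid_t CKM_UID = getUid(USER_NAME);` and `static const gid_t CKM_GID = getGid(GROUP_NAME);`. `restoreFile` continues past the end of the hunk.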