Source: nss
Version: 3.23-2
Severity: wishlist
Tags: patch
Hi,
Please find attached to this mail a patch (split from the patch previously
proposed in bug #537866) that installs the libnsssysinit module and adds
the setup-nsssysinit script from Fedora[0], so that sysadmins can easily
enable/disable this module on the machine.
This would be a first step towards fixing #798455 and #537866. Could you
please merge this patch independently from the rest?
Cheers,
Laurent Bigonville
[0]
http://pkgs.fedoraproject.org/cgit/rpms/nss.git/plain/setup-nsssysinit.sh
-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru nss-3.23/debian/libnss3.symbols nss-3.23/debian/libnss3.symbols
--- nss-3.23/debian/libnss3.symbols 2016-03-09 05:51:42.000000000 +0100
+++ nss-3.23/debian/libnss3.symbols 2016-04-08 14:09:48.000000000 +0200
@@ -74,6 +74,8 @@
libnssdbm3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER#
| libnss3 #MINVER#
(symver)NSSDBM_3.12 3.12.0
+libnsssysinit.so libnss3 #MINVER#
+ NSS_ReturnModuleSpecData@Base 3.14.2
libnssutil3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER#
| libnss3 #MINVER#
(symver)NSSUTIL_3.12 3.12.0~beta2
diff -Nru nss-3.23/debian/rules nss-3.23/debian/rules
--- nss-3.23/debian/rules 2016-04-03 11:26:39.000000000 +0200
+++ nss-3.23/debian/rules 2016-04-08 14:29:48.000000000 +0200
@@ -104,7 +104,6 @@
$(MAKE) -C nss \
all \
$(COMMON_MAKE_FLAGS) \
- MOZILLA_CLIENT=1 \
NSPR_INCLUDE_DIR=/usr/include/nspr \
NSPR_LIB_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
BUILD_OPT=1 \
@@ -138,6 +137,7 @@
$(DISTDIR)/lib/libfreebl3.so \
$(DISTDIR)/lib/libsoftokn3.so \
$(DISTDIR)/lib/libnssdbm3.so \
+ $(DISTDIR)/lib/libnsssysinit.so \
$(DISTDIR)/lib/libnssckbi.so
install -m 644 -t debian/libnss3-dev/usr/include/nss \
@@ -148,6 +148,8 @@
install -m 755 -t debian/libnss3-dev/usr/bin debian/nss-config
install -m 755 -t debian/libnss3-tools/usr/bin $(addprefix $(DISTDIR)/bin/,$(NSS_TOOLS))
+ install -m 755 -d debian/libnss3-tools/usr/sbin
+ install -m 755 -t debian/libnss3-tools/usr/sbin debian/setup-nsssysinit
install -m 755 -d $(DISTDIR)/man
install -m 644 -t $(DISTDIR)/man $(wildcard $(call manpage,$(NSS_TOOLS)))
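Review bot: The script installed here into `usr/sbin` hard-codes `/etc/pki/nssdb/pkcs11.txt` and exits 1 when that file is missing, but nothing visible in this patch ships or creates that path, so on a stock install `setup-nsssysinit on` would presumably only print "Could not find". Its header comment also says it is invoked at post-install time with `on`, and no maintainer script doing so is visible here. I would either ship the database directory with the package or state in the script header, `# Requires an existing system NSS database at /etc/pki/nssdb (not created by this package).`, so that the admin knows the precondition.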
diff -Nru nss-3.23/debian/setup-nsssysinit nss-3.23/debian/setup-nsssysinit
--- nss-3.23/debian/setup-nsssysinit 1970-01-01 01:00:00.000000000 +0100
+++ nss-3.23/debian/setup-nsssysinit 2016-04-08 14:11:06.000000000 +0200
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <<EOF
+Usage: setup-nsssysinit [on|off]
+ on - turns on nsssysinit
+ off - turns off nsssysinit
+ status - reports whether nsssysinit is turned on or off
+EOF
+ exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+ usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
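Review bot: In both the `on` and `off` arms the `mv` runs whether or not the `cat | sed` rewrite succeeded, so a failed write (full disk, read error) replaces the global PKCS #11 configuration file with an empty or truncated one. The temp names `${p11conf}.on`/`.off` are fixed and every `${p11conf}` expansion is unquoted. I would write to a `mktemp` file in the same directory and rename it only when `sed` exits 0, as sketched below. Separately, the `Usage:` line shows `[on|off]` although `status` is accepted, the "Could not find" message goes to stdout rather than stderr, and `printf 'NSS sysinit is '` is more portable under `#!/bin/sh` than `echo -n`.

```shell
# Rewrite $p11conf with the given sed expressions; replace the original
# only if sed succeeded, otherwise leave it untouched.
rewrite_p11conf()
{
    tmp=$(mktemp "${p11conf}.XXXXXX") || exit 1
    if sed "$@" "$p11conf" > "$tmp"; then
        chmod 644 "$tmp"    # mktemp creates 0600; keep the mode umask 022 produced
        mv -- "$tmp" "$p11conf"
    else
        rm -f -- "$tmp"
        exit 1
    fi
}

case "$1" in
  on | ON )
    # … unchanged: early exit when already enabled …
    rewrite_p11conf -e 's/^library=$/library=libnsssysinit.so/' \
        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/'
    ;;
  off | OFF )
    # … unchanged: early exit when already disabled …
    rewrite_p11conf -e 's/^library=libnsssysinit.so/library=/' \
        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/'
    ;;
  # … unchanged: status and default arms …
```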