Hello community, here is the log from the commit of package dehydrated for openSUSE:Factory checked in at 2017-10-29 20:24:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dehydrated (Old) and /work/SRC/openSUSE:Factory/.dehydrated.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dehydrated" Sun Oct 29 20:24:21 2017 rev:5 rq:537056 version:0.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/dehydrated/dehydrated.changes 2017-10-07 17:51:11.545914263 +0200 +++ /work/SRC/openSUSE:Factory/.dehydrated.new/dehydrated.changes 2017-10-29 20:24:21.535360514 +0100 @@ -1,0 +2,41 @@ +Fri Oct 20 11:02:24 UTC 2017 - [email protected] + +- revert accidental change to the service file + +------------------------------------------------------------------- +Fri Oct 20 10:55:26 UTC 2017 - [email protected] + +- actually try to find the real path to bash and don't hardcode + /usr/bin/bash + +------------------------------------------------------------------- +Thu Oct 19 08:11:20 UTC 2017 - [email protected] + +- Use /usr/bin/bash directly, rather than via env + +------------------------------------------------------------------- +Wed Oct 18 16:42:31 UTC 2017 - [email protected] + +- Use sudo instead of su to allow for argument handling, also + works in all cases when no login shell is assigned to the + dehydrated user + * updates 0001-Add-optional-user-and-group-configuration.patch + +------------------------------------------------------------------- +Tue Oct 17 14:46:16 UTC 2017 - [email protected] + +- Commands in service files need some escaping after all. Fix ExecStartPost. + +------------------------------------------------------------------- +Mon Oct 16 09:27:28 UTC 2017 - [email protected] + +- In the timer service, execute root post run hooks in ExecStartPost + +------------------------------------------------------------------- +Mon Oct 16 04:43:22 UTC 2017 - [email protected] + +- Fix run of root hooks + +- Simplify root hook execution, this is also more robust + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dehydrated.spec ++++++ --- /var/tmp/diff_new_pack.ZVvjJB/_old 2017-10-29 20:24:22.383329611 +0100 +++ /var/tmp/diff_new_pack.ZVvjJB/_new 2017-10-29 20:24:22.387329465 +0100 @@ -72,6 +72,7 @@ Requires: coreutils Requires: curl Requires: openssl +Requires: sudo Requires(pre): %{_bindir}/getent Requires(pre): %{_sbindir}/groupadd Requires(pre): %{_sbindir}/useradd @@ -205,6 +206,9 @@ cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz +# Silence E: env-script-interpreter +find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \; + sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config install -m 0644 docs/examples/* %{buildroot}%{_home} install -m 0644 %{SOURCE11} %{buildroot}%{_postrunhooks} ++++++ 0001-Add-optional-user-and-group-configuration.patch ++++++ --- /var/tmp/diff_new_pack.ZVvjJB/_old 2017-10-29 20:24:22.403328882 +0100 +++ /var/tmp/diff_new_pack.ZVvjJB/_new 2017-10-29 20:24:22.403328882 +0100 @@ -1,4 +1,4 @@ -From 700040068e3c08025f206e06ba5cfa76a124d805 Mon Sep 17 00:00:00 2001 +From b2b7e6b0801dc50388ec7ed29d91b8e98ec4e57c Mon Sep 17 00:00:00 2001 From: Daniel Molkentin <[email protected]> Date: Thu, 21 Sep 2017 19:07:54 +0200 Subject: [PATCH] Add optional user and group configuration @@ -6,16 +6,30 @@ when DEHYDRATED_USER is set, dehydrated will refuse to run as root, and instead launch itself as the user in DEHYDRATED_USER (and DEHYDRATED_GROUP if set). + +Using sudo has a few practical advantages over su: +- it doesn't require to specify a login shell when no login shell is set + for the target user +- it allows (safe) handling of arguments. --- - dehydrated | 15 +++++++++++++++ + dehydrated | 22 ++++++++++++++++++++++ docs/examples/config | 6 ++++++ - 2 files changed, 21 insertions(+) + 2 files changed, 28 insertions(+) diff --git a/dehydrated b/dehydrated -index 8b31ee1..39c717f 100755 +index 8b31ee1..acca1d0 100755 --- a/dehydrated +++ b/dehydrated -@@ -126,6 +126,8 @@ load_config() { +@@ -22,6 +22,8 @@ SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" + + BASEDIR="${SCRIPTDIR}" + ++ORIGARGS="$@" ++ + # Create (identifiable) temporary files + _mktemp() { + # shellcheck disable=SC2068 +@@ -126,6 +128,8 @@ load_config() { LOCKFILE= OCSP_MUST_STAPLE="no" IP_VERSION= @@ -24,17 +38,22 @@ if [[ -z "${CONFIG:-}" ]]; then echo "#" >&2 -@@ -159,6 +161,19 @@ load_config() { +@@ -159,6 +163,24 @@ load_config() { done fi + # Check if we are running & are allowed to run as root + if [[ ! -z "$DEHYDRATED_USER" && $EUID == 0 ]]; then ++ sudo=`command -v sudo` ++ if [ -z $sudo ]; then ++ echo "DEHYDRATED_USER set but sudo not available. Please install sudo." ++ exit ++ fi + if [ ! -z "$DEHYDRATED_GROUP" ]; then + group="-g $DEHYDRATED_GROUP" + fi + echo "# INFO: Running $0 as $DEHYDRATED_USER" -+ su -c "$0" $group "$DEHYDRATED_USER" ++ $sudo -u $DEHYDRATED_USER $group "$0" $ORIGARGS + exit + fi + @@ -62,5 +81,5 @@ # supported values: 4, 6 # default: <unset> -- -2.12.3 +2.14.1 ++++++ dehydrated.cron.in ++++++ --- /var/tmp/diff_new_pack.ZVvjJB/_old 2017-10-29 20:24:22.519324655 +0100 +++ /var/tmp/diff_new_pack.ZVvjJB/_new 2017-10-29 20:24:22.523324509 +0100 @@ -2,4 +2,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin MAILTO=root -25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done; +25 3 * * * root test -e /etc/dehydrated/config && /usr/bin/dehydrated --cron && find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; ++++++ dehydrated.service.in ++++++ --- /var/tmp/diff_new_pack.ZVvjJB/_old 2017-10-29 20:24:22.547323635 +0100 +++ /var/tmp/diff_new_pack.ZVvjJB/_new 2017-10-29 20:24:22.551323488 +0100 @@ -6,7 +6,7 @@ [Service] Type=oneshot -ExecStartPre-=/usr/bin/sh -c 'for i in $(find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f); do $i; done;' +ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \; ExecStart=/usr/bin/dehydrated --cron # dehydrated --cron will drop permissions and run critical code as dehydrated user.
