author | Eric Hameleers <alien@slackware.com> | 2021-08-01 15:41:38 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2021-08-01 15:41:38 +0000 |
commit | c4f12fdd0f31bd9ecac6ec85c294ac55cf3f1b7e (patch) | |
tree | 4e8b5e06cf01adf001dc198efe1961d5cb2bb9f3 | |
parent | 3dd9038a8cf3157fc232c221d92b70528a14b807 (diff) | |
pesign: work out the correct use of the pesign daemon
-rwxr-xr-x | pesign/build/pesign.SlackBuild | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/pesign/build/pesign.SlackBuild b/pesign/build/pesign.SlackBuild
index 8592d699..e3656110 100755
--- a/pesign/build/pesign.SlackBuild
+++ b/pesign/build/pesign.SlackBuild
@@ -186,7 +186,11 @@ make DESTDIR=$PKG install \
 install -Dm0644 src/pesign.sysvinit $PKG/etc/rc.d/rc.pesign.new
 # Remove cruft:
-rm -rf $PKG/etc/pki $PKG/etc/popt.d $PKG/etc/rpm
+rm -rf $PKG/etc/pki/pesign-* $PKG/etc/popt.d $PKG/etc/rpm
+
+# Remove /var/run/pesign - it's on a tmpfs so will not survive reboot.
+# Also, rc.pesign creates it every boot anyway:
+rm -rf $PKG/var
 # Don't clobber configuration files:
 mv -i $PKG/etc/pesign/groups{,.new}
@@ -226,12 +230,26 @@ config etc/pesign/users.new
 # Create 'pesign' user and group on target host:
 chroot . \
-getent group pesign > /dev/null || \
- /usr/sbin/groupadd -g ${PESIGNGID} -r pesign 2>/dev/null
+ getent group pesign > /dev/null || \
+ /usr/sbin/groupadd -g ${PESIGNGID} -r pesign 2>/dev/null
+chroot . \
+ getent passwd pesign > /dev/null || \
+ /usr/sbin/useradd -c "PE signing daemon" -g pesign \
+ -s /bin/bash -u ${PESIGNUID} -r pesign 2>/dev/null
+
+# Give the NSS database directory proper ownership:
 chroot . \
-getent passwd pesign > /dev/null || \
- /usr/sbin/useradd -c "PE signing daemon" -g pesign \
- -s /bin/bash -u ${PESIGNUID} -r pesign 2>/dev/null
+ chown pesign:pesign etc/pki/pesign
+
+# Pesign does not come with a preconfigured NSS database. On startup, pesign
+# would abort with error "pesign could not open nss database: bad database".
+# If none exists yet, create an initial empty database without password.
+# NOTE: for production usage you would set a password on this database
+# using the command "certutil -d sql:/etc/pki/pesign -W"!
+if [ ! -f etc/pki/pesign/cert?*.db ]; then
+ chroot . \
+ su - pesign -c "certutil -N -d sql:/etc/pki/pesign --empty-password"
+fi
 # Update rc.local so that pesign will be started on boot:
 if ! grep -q "rc.pesign" etc/rc.d/rc.local ; then
|
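Review bot: `chown pesign:pesign etc/pki/pesign` in the second hunk is not recursive, so any database files already present in that directory (for instance a cert9.db created as root under the previous revision) stay root-owned and the pesign account the daemon is given cannot open them; `chown -R pesign:pesign etc/pki/pesign` covers that case, and since the initial database is created with `--empty-password`, tightening the directory with `chmod 0750 etc/pki/pesign` at the same point is worth considering so that read access to the key store is limited to root and the pesign group. The test `[ ! -f etc/pki/pesign/cert?*.db ]` relies on an unquoted glob inside `[`: if both a legacy cert8.db and a cert9.db exist, the expansion yields two arguments and `[` fails with "too many arguments", so checking the sql-format file explicitly, `if [ ! -f etc/pki/pesign/cert9.db ]; then`, is unambiguous. The enclosing block (apparently a doinst.sh here-document, given the `config` call in the hunk header and the relative `chroot .` paths) begins before this hunk and continues past it, and the `2>/dev/null` on groupadd/useradd is carried over from the old lines rather than introduced here.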