Richard Maciel
2013-10-09 14:05:18 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Trousers".
The branch, master has been updated
via 7f44dcad1065c9c4e15c08523e801ce3365668a9 (commit)
from 6deeb2d5a24cd47fb0a9fa98f0c085b09fa3ee53 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=7f44dcad1065c9c4e15c08523e801ce3365668a9
commit 7f44dcad1065c9c4e15c08523e801ce3365668a9
Author: Fuchs, Andreas <***@sit.fraunhofer.de>
Date: Wed Oct 9 07:29:20 2013 +0000
Add support for running tcsd as non TSS:TSS user+group.
When developing with tcsd it is currently required to create the user/group
TSS:TSS since tcsd will switch to it and check that config and state files
are owned by it. This can be troublesome in development environments where
you want to run tcsd as a user and not mess with global system settings.
Add configure switch --disable-usercheck to disable tcsd's need for the TSS:TSS user/group:
- No tcsd.conf and /var/lib/tpm owner-checking
- No switching to user by tcsd
- No useradd/groupadd and userdel/groupdel
- No chowns and chmods
- Warning at start of tcsd about this behaviour
Signed-off-by: Andreas Fuchs <***@sit.fraunhofer.de>
Acked-by: Joel Schopp <***@linux.vnet.ibm.com>
Tested-by: Richard Maciel <***@linux.vnet.ibm.com>
diff --git a/configure.in b/configure.in
index 7862aab..0a40da2 100644
--- a/configure.in
+++ b/configure.in
@@ -86,6 +86,13 @@ AC_ARG_ENABLE(strict-spec-compliance,
SPEC_COMP=1
AC_MSG_RESULT([*** Enabling spec compliance at user request ***])],)
+# user+group checking
+AC_ARG_ENABLE(usercheck,
+ [AC_HELP_STRING([--disable-usercheck], [build TrouSerS without checking and setting of user/group tss [default=on] (Caution: This is intended for development purposes only.)])],
+ [AS_IF([test "x$enableval" = "xno"], [CFLAGS="$CFLAGS -DNOUSERCHECK"
+ AC_MSG_RESULT([*** Disabling user checking at user request ***])])],)
+AM_CONDITIONAL(NOUSERCHECK, [test "x$enable_usercheck" = "xno"])
+
# daa math lib: gmp or openssl (default openssl)
MATH_DEFINE=BI_OPENSSL
AC_ARG_WITH([gmp],
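Review bot: The notice that user checking is being compiled out is printed with `AC_MSG_RESULT` and no matching `AC_MSG_CHECKING`, so it looks like an ordinary check result and is easy to miss in configure output. Since the help string already says the switch is for development only, `AC_MSG_WARN([user/group checking disabled; development builds only])` would make the choice stand out. Passing the macro through `CFLAGS` also means a `make CFLAGS=...` override drops `-DNOUSERCHECK` while the `NOUSERCHECK` Automake conditional stays set, leaving the daemon and the install rules out of sync. `AC_DEFINE([NOUSERCHECK], [1], [Skip tss user/group checks])` keeps the define out of the user-overridable variable.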
diff --git a/dist/Makefile.am b/dist/Makefile.am
index 09448fd..372736a 100644
--- a/dist/Makefile.am
+++ b/dist/Makefile.am
@@ -1,19 +1,26 @@
EXTRA_DIST = system.data.auth system.data.noauth \
fedora/fedora.initrd.tcsd
+
install: install-exec-hook
if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
+if !NOUSERCHECK
/bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
/bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
+endif
install-exec-hook:
+ /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
+if !NOUSERCHECK
/usr/sbin/groupadd tss || true
/usr/sbin/useradd -r tss -g tss || true
- /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
/bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
/bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
+endif
uninstall-hook:
- /usr/sbin/userdel tss || true
- /usr/sbin/groupdel tss || true
rm ${DESTDIR}/@sysconfdir@/tcsd.conf
rmdir ${DESTDIR}/@localstatedir@/lib/tpm
+if !NOUSERCHECK
+ /usr/sbin/userdel tss || true
+ /usr/sbin/groupdel tss || true
+endif
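Review bot: The two `chmod` lines now sit inside `if !NOUSERCHECK`, but unlike `chown`, `groupadd` and `useradd` they do not depend on the tss account existing. With `--disable-usercheck`, `tcsd.conf` and `${DESTDIR}/@localstatedir@/lib/tpm` keep whatever mode `cp` and `mkdir -p` produce under the installer's umask, so the daemon's state directory may end up readable by other local users. The commit message lists "No chowns and chmods" as intended, but consider leaving `/bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf` and `/bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm` outside the conditional so that only the account-related steps are skipped.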
diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
index fca9d18..807d1ea 100644
--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
@@ -441,6 +441,10 @@ main(int argc, char **argv)
if ((result = tcsd_startup()))
return (int)result;
+#ifdef NOUSERCHECK
+ LogWarn("will not switch user or check for file permissions. "
+ "(Compiled with --disable-usercheck)");
+#else
#ifndef SOLARIS
pwd = getpwnam(TSS_USER_NAME);
if (pwd == NULL) {
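Review bot: In the `#ifdef NOUSERCHECK` branch nothing distinguishes an unprivileged developer run from a start as root, so a daemon launched by root keeps root while it goes on to `setup_server_sockets()`. A guard such as `if (geteuid() == 0) LogWarn("running as root with user checking disabled");` would at least make that case visible in the log, and refusing to start is the stricter option. `main` begins and ends outside this hunk.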
@@ -454,6 +458,7 @@ main(int argc, char **argv)
}
setuid(pwd->pw_uid);
#endif
+#endif
if (setup_server_sockets(socks_info) == -1) {
LogError("Could not create sockets to listen to connections. Aborting...");
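Review bot: The `setuid(pwd->pw_uid)` call kept as context ignores its return value, so if the switch fails the daemon continues with its original identity and goes on to open its listening sockets. Since this commit restructures the privilege-drop block, it is a good moment to check it, e.g. `if (setuid(pwd->pw_uid) != 0) { LogError("setuid(%s): %s", TSS_USER_NAME, strerror(errno)); return -1; }`, with the return value matching whatever the error paths above the hunk use. Any group switch lies in the lines between the two hunks and is not visible here, so confirm it is checked as well. The two bare `#endif` lines would read better labelled, as `#endif /* !SOLARIS */` and `#endif /* NOUSERCHECK */`.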
diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
index 587f933..a31503d 100644
--- a/src/tcsd/tcsd_conf.c
+++ b/src/tcsd/tcsd_conf.c
@@ -770,6 +770,7 @@ conf_file_init(struct tcsd_config *conf)
}
}
+#ifndef NOUSERCHECK
#ifndef SOLARIS
/* find the gid that owns the conf file */
errno = 0;
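Review bot: With `NOUSERCHECK` defined, the whole block that starts at `/* find the gid that owns the conf file */` is skipped and the file goes straight to `fopen`, so a configuration file writable by other local users is accepted without comment. Only the owner comparison depends on the tss account. A mode test, such as rejecting the file when `st_mode & (S_IWGRP | S_IWOTH)` is non-zero, does not depend on it and could stay active in both builds. The body of the block lies between this hunk and the next and is not visible here, so this assumes it already obtains the file's `stat` data for `tcsd_config_file`.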
@@ -809,6 +810,7 @@ conf_file_init(struct tcsd_config *conf)
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */
+#endif /* NOUSERCHECK */
if ((f = fopen(tcsd_config_file, "r")) == NULL) {
LogError("fopen(%s): %s", tcsd_config_file, strerror(errno));
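Review bot: The closing comment `#endif /* NOUSERCHECK */` labels a block opened with `#ifndef NOUSERCHECK`; the usual convention is `#endif /* !NOUSERCHECK */`, which tells the reader that the guarded code belongs to the checked build. A one-line comment above the `#ifndef`, such as `/* ownership and mode checks; compiled out by --disable-usercheck (development builds only) */`, would record why the check can disappear. `conf_file_init` starts and ends outside this hunk.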
-----------------------------------------------------------------------
Summary of changes:
configure.in | 7 +++++++
dist/Makefile.am | 13 ++++++++++---
src/tcsd/svrside.c | 5 +++++
src/tcsd/tcsd_conf.c | 2 ++
4 files changed, 24 insertions(+), 3 deletions(-)
hooks/post-receive
generated because a ref change was pushed to the repository containing
the project "Trousers".
The branch, master has been updated
via 7f44dcad1065c9c4e15c08523e801ce3365668a9 (commit)
from 6deeb2d5a24cd47fb0a9fa98f0c085b09fa3ee53 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://trousers.git.sourceforge.net/git/gitweb.cgi?p=trousers/trousers;a=commitdiff;h=7f44dcad1065c9c4e15c08523e801ce3365668a9
commit 7f44dcad1065c9c4e15c08523e801ce3365668a9
Author: Fuchs, Andreas <***@sit.fraunhofer.de>
Date: Wed Oct 9 07:29:20 2013 +0000
Add support for running tcsd as non TSS:TSS user+group.
When developing with tcsd it is currently required to create the user/group
TSS:TSS since tcsd will switch to it and check that config and state files
are owned by it. This can be troublesome in development environments where
you want to run tcsd as a user and not mess with global system settings.
Add configure switch --disable-usercheck to disable tcsd's need for the TSS:TSS user/group:
- No tcsd.conf and /var/lib/tpm owner-checking
- No switching to user by tcsd
- No useradd/groupadd and userdel/groupdel
- No chowns and chmods
- Warning at start of tcsd about this behaviour
Signed-off-by: Andreas Fuchs <***@sit.fraunhofer.de>
Acked-by: Joel Schopp <***@linux.vnet.ibm.com>
Tested-by: Richard Maciel <***@linux.vnet.ibm.com>
diff --git a/configure.in b/configure.in
index 7862aab..0a40da2 100644
--- a/configure.in
+++ b/configure.in
@@ -86,6 +86,13 @@ AC_ARG_ENABLE(strict-spec-compliance,
SPEC_COMP=1
AC_MSG_RESULT([*** Enabling spec compliance at user request ***])],)
+# user+group checking
+AC_ARG_ENABLE(usercheck,
+ [AC_HELP_STRING([--disable-usercheck], [build TrouSerS without checking and setting of user/group tss [default=on] (Caution: This is intended for development purposes only.)])],
+ [AS_IF([test "x$enableval" = "xno"], [CFLAGS="$CFLAGS -DNOUSERCHECK"
+ AC_MSG_RESULT([*** Disabling user checking at user request ***])])],)
+AM_CONDITIONAL(NOUSERCHECK, [test "x$enable_usercheck" = "xno"])
+
# daa math lib: gmp or openssl (default openssl)
MATH_DEFINE=BI_OPENSSL
AC_ARG_WITH([gmp],
diff --git a/dist/Makefile.am b/dist/Makefile.am
index 09448fd..372736a 100644
--- a/dist/Makefile.am
+++ b/dist/Makefile.am
@@ -1,19 +1,26 @@
EXTRA_DIST = system.data.auth system.data.noauth \
fedora/fedora.initrd.tcsd
+
install: install-exec-hook
if test ! -e ${DESTDIR}/@sysconfdir@/tcsd.conf; then mkdir -p ${DESTDIR}/@sysconfdir@ && cp tcsd.conf ${DESTDIR}/@sysconfdir@; fi
+if !NOUSERCHECK
/bin/chown tss:tss ${DESTDIR}/@sysconfdir@/tcsd.conf || true
/bin/chmod 0600 ${DESTDIR}/@sysconfdir@/tcsd.conf
+endif
install-exec-hook:
+ /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
+if !NOUSERCHECK
/usr/sbin/groupadd tss || true
/usr/sbin/useradd -r tss -g tss || true
- /bin/sh -c 'if [ ! -e ${DESTDIR}/@localstatedir@/lib/tpm ];then mkdir -p ${DESTDIR}/@localstatedir@/lib/tpm; fi'
/bin/chown tss:tss ${DESTDIR}/@localstatedir@/lib/tpm || true
/bin/chmod 0700 ${DESTDIR}/@localstatedir@/lib/tpm
+endif
uninstall-hook:
- /usr/sbin/userdel tss || true
- /usr/sbin/groupdel tss || true
rm ${DESTDIR}/@sysconfdir@/tcsd.conf
rmdir ${DESTDIR}/@localstatedir@/lib/tpm
+if !NOUSERCHECK
+ /usr/sbin/userdel tss || true
+ /usr/sbin/groupdel tss || true
+endif
diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
index fca9d18..807d1ea 100644
--- a/src/tcsd/svrside.c
+++ b/src/tcsd/svrside.c
@@ -441,6 +441,10 @@ main(int argc, char **argv)
if ((result = tcsd_startup()))
return (int)result;
+#ifdef NOUSERCHECK
+ LogWarn("will not switch user or check for file permissions. "
+ "(Compiled with --disable-usercheck)");
+#else
#ifndef SOLARIS
pwd = getpwnam(TSS_USER_NAME);
if (pwd == NULL) {
@@ -454,6 +458,7 @@ main(int argc, char **argv)
}
setuid(pwd->pw_uid);
#endif
+#endif
if (setup_server_sockets(socks_info) == -1) {
LogError("Could not create sockets to listen to connections. Aborting...");
diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
index 587f933..a31503d 100644
--- a/src/tcsd/tcsd_conf.c
+++ b/src/tcsd/tcsd_conf.c
@@ -770,6 +770,7 @@ conf_file_init(struct tcsd_config *conf)
}
}
+#ifndef NOUSERCHECK
#ifndef SOLARIS
/* find the gid that owns the conf file */
errno = 0;
@@ -809,6 +810,7 @@ conf_file_init(struct tcsd_config *conf)
return TCSERR(TSS_E_INTERNAL_ERROR);
}
#endif /* SOLARIS */
+#endif /* NOUSERCHECK */
if ((f = fopen(tcsd_config_file, "r")) == NULL) {
LogError("fopen(%s): %s", tcsd_config_file, strerror(errno));
-----------------------------------------------------------------------
Summary of changes:
configure.in | 7 +++++++
dist/Makefile.am | 13 ++++++++++---
src/tcsd/svrside.c | 5 +++++
src/tcsd/tcsd_conf.c | 2 ++
4 files changed, 24 insertions(+), 3 deletions(-)
hooks/post-receive
--
Trousers
Trousers