| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | RFE: provide a command/signal for certmonger to send after renewing cert | | |
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
| Component: | certmonger | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.0 | CC: | jgalipea, kchamart, ksiddiqu, mharmsen, nalin, rcritten |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | certmonger-0.54-1.el6 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 761188 | Environment: | |
| Last Closed: | 2012-06-20 13:43:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 761188, 790967 | | |
| Bug Blocks: | 736854, 750334, 854383 | | |
|
Description
Dmitri Pal
2011-12-10 19:05:06 UTC
*** Bug 782972 has been marked as a duplicate of this bug. ***

Two approaches here. In 0.53 or later, the object which the D-Bus service provides for managing the certificate will begin to emit a "SavedCertificate" after it successfully saves a certificate. Additionally, most of the information is now exposed as D-Bus properties, and the usual "PropertiesChanged" signal will now be emitted.

A lower-effort alternative for clients is to have the daemon also offer the ability to just run a specified command at this step. This turns out to be kind of tricky - while we currently only allow root to talk to the system daemon, while we can add the ability to fire off an arbitrary command now, if we ever allow access for unprivileged users in the future, this would be easily abused. Tracking the UID of the client that last set the command that we'll run, and dropping to that user's privileges before running that command, might be a reasonable way to do it.

(In reply to comment #2)
> Tracking the UID of the client that last set the command that we'll run, and
> dropping to that user's privileges before running that command, might be a
> reasonable way to do it.

Okay, we're going with that. The command can be specified as an argument for the new -C option for a number of getcert's functions.

(In reply to comment #3)
> Okay, we're going with that. The command can be specified as an argument for
> the new -C option for a number of getcert's functions.

Note that potentially dropping to the calling user's privileges and then executing an arbitrary command requires more permissions from the SELinux policy than we previously needed. That conversation is happening in bug #790967, and feedback on what the policy needs to start allowing would be appreciated there.

Verified.

Certmonger Version:
===================
certmonger-0.56-1.el6.x86_64

Successful beaker job:
======================
https://beaker.engineering.redhat.com/jobs/225467

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0833.html
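The approach chosen in the thread (remember which client set the post-save command, then drop to that client's UID before running it) hinges on the privilege drop being complete and irreversible. The helper below is an added illustration of that pattern, not certmonger's own code; the uid/gid/command inputs are assumed, and whether a given drop succeeds depends on the privileges of the calling process.

```c
/* Added example: permanent privilege drop before running a client-supplied
 * command. Not certmonger code; uid, gid and command are assumed inputs. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop permanently to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups and gid first (they need root),
 * then uid; afterwards verify that the drop cannot be undone. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        /* Clear root's supplementary groups so the child does not inherit
         * them; only root may call setgroups(). */
        if (setgroups(0, NULL) != 0) return -1;
    }
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Check: when dropping away from root, regaining uid 0 must now fail. */
    if (uid != 0 && setresuid(0, 0, 0) == 0) return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Fork, drop to uid/gid in the child, then run command via /bin/sh -c.
 * Returns the command's exit status, or -1 on fork/wait failure; a failed
 * drop or exec makes the child exit 127 so the caller can tell. */
int run_as_user(uid_t uid, gid_t gid, const char *command) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(127);
        execl("/bin/sh", "sh", "-c", command, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed demo: run as the current user, which also works unprivileged. */
    int rc = run_as_user(getuid(), getgid(), "id -u >/dev/null");
    printf("command exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```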