Bug 1141263 - [RFE] more pluggable way of setting pesign permissions
Summary: [RFE] more pluggable way of setting pesign permissions
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pesign
Version: 7.2
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Peter Jones
QA Contact: Radka Skvarilova
Docs Contact: Petr Bokoc
Depends On:
Blocks: 1191019
Reported: 2014-09-12 14:44 UTC by Pat Riehecky
Modified: 2017-04-11 14:01 UTC (History)

Fixed In Version: pesign-0.109-10.el7
Doc Type: Known Issue
Doc Text:
The *pesign* key database requires manually changing permissions to enable improved access permission controls

The *pesign* key database, which is used to sign UEFI binaries, now offers a more generalized method of setting database access permissions. Permissions can now be configured using system-wide key databases, which means that any user or group can be granted access. However, a known issue in the permission settings of *pesign* currently prevents this new feature from working. To enable the improved access control, you must change the permissions on the *pesign* key database manually:

chmod 0660 /etc/pki/pesign/*
chmod 0770 /etc/pki/pesign

After setting these permissions, the improved access control becomes available. If you do not perform these steps, *pesign* behavior is identical to previous releases.
Clone Of:
Last Closed: 2016-11-04 05:04:23 UTC
Target Upstream Version:

Attachments
add code for behavior (2.79 KB, text/plain), 2014-09-12 14:44 UTC, Pat Riehecky
Spec file updates for previous patch (1.11 KB, patch), 2014-09-12 14:45 UTC, Pat Riehecky

Links:
Red Hat Product Errata RHEA-2016:2384 (priority normal, status SHIPPED_LIVE): pesign enhancement update, last updated 2016-11-03 13:53:11 UTC

Description Pat Riehecky 2014-09-12 14:44:38 UTC
Created attachment 936989
add code for behavior

Description of problem: The sysvinit script provided with pesign sets ACLs for the pesign/socket file for kojibuilder:kojibuilder. The systemd unit, however, does not.

I've built a more general solution for both the sysvinit and systemd unit that should allow for greater flexibility and compat behavior. 

Version-Release number of selected component (if applicable): pesign-0.109-6.el7

How reproducible: 100%

Steps to Reproduce:
1. Search for a way to set ACLs under the systemd unit like the sysvinit script does
2. Unable to locate one

Actual results:
The EPEL6 package sets ACLs for kojibuilder, but the EL7 package does not and has no provided solution.

Expected results:
similar behavior between sysvinit script and systemd unit

Additional info:
Attached patches resolve

Comment 1 Pat Riehecky 2014-09-12 14:45:05 UTC
Created attachment 936990
Spec file updates for previous patch

Comment 8 Radka Skvarilova 2016-09-29 15:58:25 UTC
During the testing we found a mistake:

there is a simple patch like:

chmod 0660 /etc/pki/pesign/* ; chmod 0770 /etc/pki/pesign

Without this change this bug is not fixed; it works the same way as it worked before.
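The permission workaround given in the Doc Text above and repeated in comment 8, as an added shell example that is not part of the bug report or of the pesign package: it applies the 0770/0660 modes to a key database directory (defaulting to /etc/pki/pesign) and then audits that nothing in it is accessible to "other". The directory argument and the optional group argument are assumptions for illustration; kojibuilder is the group the bug report uses as its example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the pesign package:
# apply the Known Issue workaround (0770 on the key database directory,
# 0660 on the files in it) and audit the result. The directory argument
# and the optional group argument are assumptions for illustration;
# "kojibuilder" is the group the bug report uses as its example.

# Apply the modes. Using find instead of "chmod 0660 $dir/*" also covers
# dotfiles and keeps subdirectories traversable (0770) instead of 0660.
pesign_apply_perms() {
    dir="${1:-/etc/pki/pesign}"
    group="$2"   # e.g. kojibuilder; skipped when empty
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod 0770 "$dir" || return 1
    find "$dir" -mindepth 1 -type d -exec chmod 0770 {} + || return 1
    find "$dir" -mindepth 1 -type f -exec chmod 0660 {} + || return 1
    if [ -n "$group" ]; then
        chgrp -R "$group" "$dir" || return 1
    fi
}

# Audit: succeed only if the directory is 0770, every regular file is
# 0660 and nothing under it grants any access to "other". The last check
# is the one that matters for a signing key database.
pesign_check_perms() {
    dir="${1:-/etc/pki/pesign}"
    rc=0
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$mode" = "770" ] || { echo "$dir: mode $mode, expected 770" >&2; rc=1; }
    bad_files=$(find "$dir" -mindepth 1 -type f ! -perm 660 | wc -l)
    [ "$bad_files" -eq 0 ] || { echo "$dir: $bad_files file(s) not 0660" >&2; rc=1; }
    bad_other=$(find "$dir" -perm /007 | wc -l)
    [ "$bad_other" -eq 0 ] || { echo "$dir: $bad_other entry(ies) accessible to other" >&2; rc=1; }
    return $rc
}

# Usage (as root on a real system):
#   pesign_apply_perms /etc/pki/pesign kojibuilder && pesign_check_perms /etc/pki/pesign
```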

Comment 20 errata-xmlrpc 2016-11-04 05:04:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

