Bug 475895 - Disallow creation of an initial login shell
Status: CLOSED CURRENTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: Installer (pkicreate/pkiremove)
Version: 1.0
Hardware: All
OS: All
Priority: high
Severity: medium
Assigned To: Matthew Harmsen
QA Contact: Chandrasekar Kannan
Blocks: 445047
Reported: 2008-12-10 18:01 EST by Matthew Harmsen
Modified: 2015-01-05 20:16 EST
Doc Type: Bug Fix
Last Closed: 2012-06-04 15:59:52 EDT


Attachments
Spec File Changes (16.42 KB, text/plain) - 2008-12-11 13:54 EST, Matthew Harmsen
Dogtag spec file changes (16.42 KB, text/plain) - 2008-12-11 19:44 EST, Matthew Harmsen
CS/IPA TIP changes for "base" (331.99 KB, patch) - 2010-01-11 20:28 EST, Matthew Harmsen
CS/IPA TIP changes for "dogtag" (12.00 KB, patch) - 2010-01-11 20:29 EST, Matthew Harmsen
RHCS 8.1.0 TIP changes for "base" (2.59 KB, patch) - 2010-01-11 20:31 EST, Matthew Harmsen
RHCS 8.1.0 TIP changes for "dogtag" (1023 bytes, patch) - 2010-01-11 20:32 EST, Matthew Harmsen
CS/IPA TIP changes for "dogtag" (13.35 KB, patch) - 2010-01-12 17:16 EST, Matthew Harmsen

Description Matthew Harmsen 2008-12-10 18:01:04 EST
Parameterize the initial login shell for the defined %{base_user} by creating a %{base_login_shell}.
Comment 1 Matthew Harmsen 2008-12-11 13:54:28 EST
Created attachment 326647 [details]
Spec File Changes
Comment 3 Jack Magne 2008-12-11 14:28:31 EST
Attachment (id=326647) +jmagne.
Comment 5 Matthew Harmsen 2008-12-11 19:44:23 EST
Created attachment 326693 [details]
Dogtag spec file changes
Comment 7 Jack Magne 2008-12-11 19:53:40 EST
Attachment (id=326693) +jmagne.
Comment 9 Matthew Harmsen 2008-12-11 20:04:57 EST
svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      dogtag/ca/pki-ca.spec
M      dogtag/tks/pki-tks.spec
M      dogtag/ra/pki-ra.spec
M      dogtag/ocsp/pki-ocsp.spec
M      dogtag/tps/pki-tps.spec
M      dogtag/kra/pki-kra.spec

svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/tks/pki-tks.spec
Sending        dogtag/tps/pki-tps.spec
Transmitting file data ......
Committed revision 167.
Comment 11 Matthew Harmsen 2008-12-16 22:14:45 EST
While these checks were made to disallow the creation of an initial login shell, some logic must be added to "pkicreate" (and "pkicommon") to check for this same issue when users specify their own "pki_user" and/or "pki_group" via the "pkicreate" instance creation script.
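As an added example (not Dogtag's pkicreate or pkicommon code), the account check comment 11 asks for, written against passwd-format text so it runs offline; the sample entries, the pkiuser uid and the helper names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed passwd-format sample (not from any real host). "pkiuser" has the
# no-login shell the spec-file fix gives the service account; "pkitest" is an
# ordinary interactive account someone might wrongly pass as pki_user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pkiuser:x:999:999:pki service account:/usr/share/pki:/sbin/nologin
pkitest:x:1001:1001:test account:/home/pkitest:/bin/bash'

# Print the login shell (7th passwd field) of a user, or nothing if unknown.
shell_of() {  # $1 = user name, $2 = passwd-format text
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Succeed only for shells that refuse interactive logins.
is_nologin_shell() {  # $1 = shell path
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# The check comment 11 asks pkicreate to make for a caller-supplied pki_user:
# the account must exist and must not have an interactive login shell.
# Prints a verdict token; returns 0 = ok, 1 = login shell, 2 = no such user.
check_pki_user() {  # $1 = user name, $2 = passwd-format text
    shell=$(shell_of "$1" "$2")
    if [ -z "$shell" ]; then
        echo "missing"
        return 2
    fi
    if is_nologin_shell "$shell"; then
        echo "ok"
        return 0
    fi
    echo "login-shell:$shell"
    return 1
}

# Demo against the sample data; on a live system pass "$(getent passwd)".
for u in pkiuser pkitest nosuchuser; do
    echo "$u: $(check_pki_user "$u" "$SAMPLE_PASSWD")"
done
```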
Comment 13 Matthew Harmsen 2010-01-11 20:28:05 EST
Created attachment 383136 [details]
CS/IPA TIP changes for "base"

These base 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Comment 14 Matthew Harmsen 2010-01-11 20:29:32 EST
Created attachment 383137 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Comment 15 Matthew Harmsen 2010-01-11 20:31:07 EST
Created attachment 383138 [details]
RHCS 8.1.0 TIP changes for "base"

These base 'diffs' apply to the following RHCS 8.1.0 bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Comment 16 Matthew Harmsen 2010-01-11 20:32:04 EST
Created attachment 383139 [details]
RHCS 8.1.0 TIP changes for "dogtag"

These dogtag 'diffs' apply to the following RHCS 8.1.0 bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Comment 18 Ade Lee 2010-01-12 16:17:07 EST
https://bugzilla.redhat.com/attachment.cgi?id=383136 alee+

https://bugzilla.redhat.com/attachment.cgi?id=383138 alee+

https://bugzilla.redhat.com/attachment.cgi?id=383139 alee+

https://bugzilla.redhat.com/attachment.cgi?id=383137

The device "||:" in the scriptlets is used incorrectly.  According to https://fedoraproject.org/wiki/Packaging:ScriptletSnippets:

Except in some really exceptional cases (if any), we want all scriptlets to exit with the zero exit status. Because rpm in its default configuration does not at the moment execute shell scriptlets with the -e argument to the shell, excluding explicit exit calls (frowned upon with a non-zero argument!), the exit status of the last command in a scriptlet determines its exit status. Most commands in the snippets in this document have a "|| :" appended to them, which is a generic trick to force the zero exit status for those commands whether they worked or not. Usually the most important bit is to apply this to the last command executed in a scriptlet, or to add a separate command such as plain ":" or "exit 0" as the last one in a scriptlet.

In the patch provided, the "||:" is appended to some commands in the scriptlets where it is not the last command.  Also, some scriptlets do not include "||:" on the last command.
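As an added example (not from the reviewed patch), the exit-status rule the review relies on, reproduced with "sh -c" since rpm runs scriptlets without -e, plus a small lint that flags the two placements of "|| :" the review calls out; "false" is a constructed stand-in for an install-time command that may legitimately fail.

```shell
#!/bin/sh
# rpm runs a scriptlet as plain "sh" (no -e), so the scriptlet's exit status
# is that of its last command. "sh -c" reproduces that for a scriptlet body.
scriptlet_status() {  # $1 = scriptlet body; prints the status rpm would see
    if sh -c "$1"; then echo 0; else echo $?; fi
}

# Check a scriptlet body for the two problems raised in the review: a last
# command that is neither "|| :"-guarded nor a bare ":"/"exit 0", and "|| :"
# on a non-last command, where it cannot affect the scriptlet's status.
# Prints one finding per line; returns 1 if anything was found.
lint_scriptlet() {  # $1 = scriptlet body
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ { next }
        { line[++n] = $0 }
        END {
            guard = "\\|\\|[ \t]*:[ \t]*$"
            for (i = 1; i < n; i++)
                if (line[i] ~ guard) { print "line " i ": \"|| :\" is not on the last command"; bad = 1 }
            if (line[n] !~ guard && line[n] !~ /^[ \t]*(:|exit 0)[ \t]*$/) {
                print "last command is unguarded; a failure there fails the scriptlet"; bad = 1
            }
            exit bad
        }'
}

# "false" is a constructed stand-in for a command that may legitimately fail at
# install time (the real scriptlets create the pki account and group).
WRONG='false || :
false'                      # guard on the wrong line, last command exposed
RIGHT_GUARDED='false
false || :'                 # guard where it matters
RIGHT_TRAILER='false
false
:'                          # or end with a command that always succeeds

report() {  # $1 = label, $2 = scriptlet body
    echo "$1: exit status $(scriptlet_status "$2")"
    lint_scriptlet "$2" || true
}
report WRONG "$WRONG"                  # exit status 1, two findings
report RIGHT_GUARDED "$RIGHT_GUARDED"  # exit status 0
report RIGHT_TRAILER "$RIGHT_TRAILER"  # exit status 0
```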
Comment 20 Matthew Harmsen 2010-01-12 17:16:26 EST
Created attachment 383354 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
* Corrected "|| :" scriptlet logic
Comment 21 Ade Lee 2010-01-12 17:19:32 EST
https://bugzilla.redhat.com/attachment.cgi?id=383354 alee +
Comment 22 Matthew Harmsen 2010-01-12 17:51:26 EST
CS/IPA TIP:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       selinux/src/pki.if
M       selinux/src/pki.fc
M       selinux/src/pki.te
M       setup/pkicreate
M       setup/pkicommon
D       tks/setup/postinstall
D       tks/shared/etc/init.d/httpd
A       tks/shared/etc/init.d/pki-tksd
M       tks/build.xml
D       ocsp/setup/postinstall
D       ocsp/shared/etc/init.d/httpd
A       ocsp/shared/etc/init.d/pki-ocspd
M       ocsp/build.xml
D       kra/setup/postinstall
A       kra/shared/etc/init.d/pki-krad
D       kra/shared/etc/init.d/httpd
M       kra/build.xml

# svn commit
Sending        base/kra/build.xml
Deleting       base/kra/setup/postinstall
Deleting       base/kra/shared/etc/init.d/httpd
Adding         base/kra/shared/etc/init.d/pki-krad
Sending        base/ocsp/build.xml
Deleting       base/ocsp/setup/postinstall
Deleting       base/ocsp/shared/etc/init.d/httpd
Adding         base/ocsp/shared/etc/init.d/pki-ocspd
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon
Sending        base/setup/pkicreate
Sending        base/tks/build.xml
Deleting       base/tks/setup/postinstall
Deleting       base/tks/shared/etc/init.d/httpd
Adding         base/tks/shared/etc/init.d/pki-tksd
Transmitting file data ...........
Committed revision 908.


# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       ca/pki-ca.spec
M       selinux/pki-selinux.spec
M       setup/pki-setup.spec
M       tks/pki-tks.spec
M       ocsp/pki-ocsp.spec
M       kra/pki-kra.spec

# svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/selinux/pki-selinux.spec
Sending        dogtag/setup/pki-setup.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ......
Committed revision 909.
Comment 23 Matthew Harmsen 2010-01-12 18:00:25 EST
RHCS 8.1 TIP:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       setup/pkicreate
M       setup/pkicommon

# svn commit
Sending        base/setup/pkicommon
Sending        base/setup/pkicreate
Transmitting file data ..
Committed revision 910.

# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       setup/pki-setup.spec

# svn commit
Sending        dogtag/setup/pki-setup.spec
Transmitting file data .
Committed revision 911.
Comment 25 Fedora Update System 2010-01-13 21:19:38 EST
pki-setup-1.3.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.fc11
Comment 26 Fedora Update System 2010-01-13 21:29:04 EST
pki-setup-1.3.1-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.fc12
Comment 27 Fedora Update System 2010-01-14 16:46:25 EST
pki-ca-1.3.0-7.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.fc11
Comment 28 Fedora Update System 2010-01-14 17:29:25 EST
pki-ca-1.3.0-7.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.el5
Comment 29 Fedora Update System 2010-01-14 17:31:44 EST
pki-ca-1.3.0-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.fc12
Comment 30 Fedora Update System 2010-01-14 18:58:42 EST
pki-setup-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.el5
Comment 31 Fedora Update System 2010-01-15 17:06:14 EST
pki-setup-1.3.1-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2010-01-15 17:17:53 EST
pki-ca-1.3.0-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2010-02-03 15:04:22 EST
pki-ca-1.3.0-7.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 Fedora Update System 2010-02-22 17:37:46 EST
pki-setup-1.3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
