[arch-commits] Commit in tang/trunk (PKGBUILD tang.sysusers.conf tang.tmpfiles.conf)

Jonas Witschel diabonas at gemini.archlinux.org
Tue Dec 14 12:35:06 UTC 2021


    Date: Tuesday, December 14, 2021 @ 12:35:05
  Author: diabonas
Revision: 1072747

upgpkg: tang 11-1: upstream security release (CVE-2021-4076)

This release changes tangd from running as root to the unprivileged "tang"
user. We need to create this user and adjust the permissions of /var/db/tang/
and its contents accordingly. Follow the Fedora spec file
(https://src.fedoraproject.org/rpms/tang/blob/rawhide/f/tang.spec) regarding
the permissions.

Added:
  tang/trunk/tang.sysusers.conf
  tang/trunk/tang.tmpfiles.conf
Modified:
  tang/trunk/PKGBUILD

--------------------+
 PKGBUILD           |   15 ++++++++++-----
 tang.sysusers.conf |    1 +
 tang.tmpfiles.conf |    3 +++
 3 files changed, 14 insertions(+), 5 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-12-14 11:17:01 UTC (rev 1072746)
+++ PKGBUILD	2021-12-14 12:35:05 UTC (rev 1072747)
@@ -1,7 +1,7 @@
 # Maintainer: Jonas Witschel <diabonas at archlinux.org>
 pkgname=tang
-pkgver=10
-_commit=d2c08fba8f0296a4e4458a7aac8a63133f71ed51 # git rev-parse "v$pkgver^{}"
+pkgver=11
+_commit=e2059ee1109510a7c14b099af7dcd8631e598270 # git rev-parse "v$pkgver^{}"
 pkgrel=1
 pkgdesc='Server for binding data to network presence'
 arch=('x86_64')
@@ -10,8 +10,12 @@
 depends=('http-parser' 'jose')
 makedepends=('git' 'asciidoc' 'meson')
 checkdepends=('systemd')
-source=("git+$url.git?signed#commit=$_commit")
-sha512sums=('SKIP')
+source=("git+$url.git?signed#commit=$_commit"
+        'tang.sysusers.conf'
+        'tang.tmpfiles.conf')
+sha512sums=('SKIP'
+            '08b5abb5ff5195a96c1196e7336eefeabad36a82ef8862881689e3c9cfa8aebc5679e14c4aacc3fa80793fe42ffa591e6ec0ec07bf98f6e0d783e23b2f06218a'
+            '48c3026b37ce3fe180633facb99a194e1fcb0ff860f6dff33541b6216b441572c1de0620102ce25e36c06f3c769b3149cb595f5aa4e355416c680b1c6f73e957')
 validpgpkeys=('7CE2CB3D2AF59FE1EA22F551D0D219ED1F7E762C') # Sergio Correia <scorreia at redhat.com>
 
 pkgver() {
@@ -33,5 +37,6 @@
 package() {
 	cd "$pkgname"
 	DESTDIR="$pkgdir" meson install -C build
-	mkdir -pm700 "$pkgdir/var/db/tang"
+	install -Dm644 "$srcdir/tang.sysusers.conf" "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
+	install -Dm644 "$srcdir/tang.tmpfiles.conf" "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"
 }
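Review bot: With `mkdir -pm700 "$pkgdir/var/db/tang"` dropped from package(), nothing visible in this commit creates the key directory any more. Per tmpfiles.d(5), the `Z` line added in tang.tmpfiles.conf only adjusts a path that already exists. Unless tangd or its units create /var/db/tang themselves (not visible here), a fresh install could come up without it, or with it created later under whatever owner and mode the creating process uses. Consider declaring it in the tmpfiles snippet with `d /var/db/tang 0700 tang tang` ahead of the `Z` line, so the directory exists with the intended owner before the service first runs.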

Added: tang.sysusers.conf
===================================================================
--- tang.sysusers.conf	                        (rev 0)
+++ tang.sysusers.conf	2021-12-14 12:35:05 UTC (rev 1072747)
@@ -0,0 +1 @@
+u tang - "unprivileged user for tang operations"

Added: tang.tmpfiles.conf
===================================================================
--- tang.tmpfiles.conf	                        (rev 0)
+++ tang.tmpfiles.conf	2021-12-14 12:35:05 UTC (rev 1072747)
@@ -0,0 +1,3 @@
+Z /var/db/tang 0700 tang tang
+z /var/db/tang/*.jwk 0440 tang tang
+z /var/db/tang/.*.jwk 0440 tang tang
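Review bot: The `Z` line applies mode 0700 recursively, so any file under /var/db/tang that the two `z` globs do not match ends up owner-executable. Prefixing the mode, `Z /var/db/tang ~0700 tang tang`, makes systemd-tmpfiles drop the execute bits on files that never had them, while the directory keeps 0700. A short comment such as `# .*.jwk: rotated keys, no longer advertised but still used for recovery` would also explain why the hidden-file glob is needed.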


