git: 47c2569d8979 - main - security/trousers: Fix tcsd.conf permissions
Date: Fri, 04 Nov 2022 11:05:23 UTC
The branch main has been updated by 0mp:
URL: https://cgit.FreeBSD.org/ports/commit/?id=47c2569d8979db687528456bd11c549a37ee4155
commit 47c2569d8979db687528456bd11c549a37ee4155
Author: Mateusz Piotrowski <0mp@FreeBSD.org>
AuthorDate: 2022-11-04 10:29:24 +0000
Commit: Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-11-04 11:05:09 +0000
security/trousers: Fix tcsd.conf permissions
It turns out that tcsd requires the ownership of the tcsd.conf file to be
set to root:_tss. See trousers-0.3.14_3/src/tcsd/tcsd_conf.c for
details. Otherwise, tcsd fails:
# service tcsd start
Starting tcsd.
/usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd
# tail /var/log/messages
Nov 4 11:24:43 x TCSD[1298]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss
Nov 4 11:24:43 x 0mp[2372]: /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd
Also, the mode of the configuration file has to be 640.
PR: 253858
Reported by: unitrunker <unitrunker@gmail.com>
Approved by: maintainer timeout, portmgr blanket (runtime error)
Sponsored by: Klara, Inc.
---
security/trousers/Makefile | 2 +-
security/trousers/files/tcsd.in | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
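The commit message above describes a start-up check that tcsd performs itself: it refuses to run unless tcsd.conf is owned by root:_tss with mode 640. The following POSIX sh functions, added here as an illustration and not taken from the trousers port or from this commit, perform the same owner/group/mode verification from outside the daemon, so an administrator can confirm the file state before starting the service or spot drift afterwards. The group name _tss, the mode 640 and the default PREFIX of /usr/local are taken from the commit text; the function names, the use of stat(1) with both GNU and BSD flag forms, and the error messages are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the trousers port or of this commit.
# Verifies that a daemon's configuration file carries exactly the
# owner, group and permission bits the daemon insists on (tcsd's
# tcsd_conf.c check on tcsd.conf is the case from the commit message).

# file_ident PATH
# Prints "owner:group:mode" for PATH, e.g. "root:_tss:640".
# Tries the GNU stat(1) flag form first and falls back to the
# BSD form, so the function works on both Linux and FreeBSD.
file_ident() {
    stat -c '%U:%G:%a' "$1" 2>/dev/null && return 0   # GNU/busybox stat
    stat -f '%Su:%Sg:%OLp' "$1"                      # BSD stat (FreeBSD)
}

# check_conf_perms FILE OWNER GROUP MODE
# Returns 0 when FILE exists and is owned by OWNER:GROUP with exactly
# MODE (octal without leading zero, e.g. 640). Otherwise prints what
# was found versus what is required on stderr and returns 1.
check_conf_perms() {
    _file=$1; _owner=$2; _group=$3; _mode=$4
    if [ ! -f "$_file" ]; then
        echo "$_file: no such file" >&2
        return 1
    fi
    _ident=$(file_ident "$_file") || return 1
    _expected="$_owner:$_group:$_mode"
    if [ "$_ident" != "$_expected" ]; then
        echo "$_file: is $_ident, must be $_expected" >&2
        return 1
    fi
    return 0
}

# check_tcsd_conf [PREFIX]
# The tcsd-specific instance: root:_tss and mode 640, as stated in the
# commit message. PREFIX defaults to /usr/local (assumption matching
# the paths in the commit's log excerpt).
check_tcsd_conf() {
    check_conf_perms "${1:-/usr/local}/etc/tcsd.conf" root _tss 640
}

# Stand-alone use: report on the installed tcsd.conf and exit with
# its status, e.g. from a monitoring job before "service tcsd start".
if [ "${0##*/}" = "check_tcsd_conf.sh" ]; then
    check_tcsd_conf "$1"
fi
```

Running check_tcsd_conf on a host where the port's rc script has not yet applied the new chown/chmod prints a line such as "/usr/local/etc/tcsd.conf: is _tss:_tss:600, must be root:_tss:640", which is the same condition tcsd reports in the log excerpt above, caught before the service is started.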
diff --git a/security/trousers/Makefile b/security/trousers/Makefile
index 6c2cb841de65..ef15376beb24 100644
--- a/security/trousers/Makefile
+++ b/security/trousers/Makefile
@@ -1,6 +1,6 @@
PORTNAME= trousers
PORTVERSION= 0.3.14
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= SF
diff --git a/security/trousers/files/tcsd.in b/security/trousers/files/tcsd.in
index eb36dfcbcd83..78b01750b5f3 100644
--- a/security/trousers/files/tcsd.in
+++ b/security/trousers/files/tcsd.in
@@ -26,9 +26,12 @@ tcsd_precmd()
{
/usr/bin/install -d -m 0700 -o %%USERS%% -g %%GROUPS%% \
/var/run/tpm /var/run/ima %%PREFIX%%/var/lib/tpm
- /usr/sbin/chown %%USERS%%:%%GROUPS%% \
+ # The configuration files must be owned by root so
+ # that the %%USERS%% user can only read (but not manipulate)
+ # the configuration file.
+ /usr/sbin/chown root:%%GROUPS%% \
%%PREFIX%%/etc/tcsd.conf
- /bin/chmod 0600 \
+ /bin/chmod 0640 \
%%PREFIX%%/etc/tcsd.conf
}
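Review bot: the new comment on the `+ # The configuration files must be owned by root` lines gives the security reason but not the operational one; it should also say that tcsd itself enforces root:%%GROUPS%% and mode 0640 on tcsd.conf and refuses to start otherwise (the TCSD "must be user/group root/_tss" error from the commit message), so a future maintainer does not drop the chown/chmod from tcsd_precmd() as redundant. Two smaller points: the comment says "configuration files" but only one file, %%PREFIX%%/etc/tcsd.conf, is touched; and since chown/chmod run unconditionally on every start, a missing tcsd.conf makes `/usr/sbin/chown` fail and abort the start with a less specific message than tcsd's own, so guarding with `[ -f %%PREFIX%%/etc/tcsd.conf ] || return 1` (or an explicit error) before the chown would make the failure clearer.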