Date: Fri, 4 Nov 2022 11:05:23 GMT
From: Mateusz Piotrowski <0mp@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 47c2569d8979 - main - security/trousers: Fix tcsd.conf permissions
Message-ID: <202211041105.2A4B5NuZ028760@gitrepo.freebsd.org>
The branch main has been updated by 0mp: URL: https://cgit.FreeBSD.org/ports/commit/?id=47c2569d8979db687528456bd11c549a37ee4155 commit 47c2569d8979db687528456bd11c549a37ee4155 Author: Mateusz Piotrowski <0mp@FreeBSD.org> AuthorDate: 2022-11-04 10:29:24 +0000 Commit: Mateusz Piotrowski <0mp@FreeBSD.org> CommitDate: 2022-11-04 11:05:09 +0000 security/trousers: Fix tcsd.conf permissions It turns out that tcsd requires the ownership of tcsd.conf file to be set to root:_tss. See trousers-0.3.14_3/src/tcsd/tcsd_conf.c for details. Otherwise, tcsd fails: # service tcsd start Starting tcsd. /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd # tail /var/log/messages Nov 4 11:24:43 x TCSD[1298]: TrouSerS ERROR: TCSD config file (/usr/local/etc/tcsd.conf) must be user/group root/_tss Nov 4 11:24:43 x 0mp[2372]: /usr/local/etc/rc.d/tcsd: WARNING: failed to start tcsd Also, the mode of the configuration file has to be 640. PR: 253858 Reported by: unitrunker <unitrunker@gmail.com> Approved by: maintainer timeout, portmgr blanket (runtime error) Sponsored by: Klara, Inc. --- security/trousers/Makefile | 2 +- security/trousers/files/tcsd.in | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/security/trousers/Makefile b/security/trousers/Makefile index 6c2cb841de65..ef15376beb24 100644 --- a/security/trousers/Makefile +++ b/security/trousers/Makefile @@ -1,6 +1,6 @@ PORTNAME= trousers PORTVERSION= 0.3.14 -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES= security MASTER_SITES= SF diff --git a/security/trousers/files/tcsd.in b/security/trousers/files/tcsd.in index eb36dfcbcd83..78b01750b5f3 100644 --- a/security/trousers/files/tcsd.in +++ b/security/trousers/files/tcsd.in 
@@ -26,9 +26,12 @@ tcsd_precmd() { /usr/bin/install -d -m 0700 -o %%USERS%% -g %%GROUPS%% \ /var/run/tpm /var/run/ima %%PREFIX%%/var/lib/tpm - /usr/sbin/chown %%USERS%%:%%GROUPS%% \ + # The configuration files must be owned by root so + # that the %%USERS%% user can only read (but not manipulate) + # the configuration file. + /usr/sbin/chown root:%%GROUPS%% \ %%PREFIX%%/etc/tcsd.conf - /bin/chmod 0600 \ + /bin/chmod 0640 \ %%PREFIX%%/etc/tcsd.conf }
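Review bot: In tcsd_precmd() the exit status of the new "/usr/sbin/chown root:%%GROUPS%%" call is discarded, because it is followed by "/bin/chmod 0640" as the last command and only that final status is what the function returns. If the chown fails, the script carries on and tcsd then exits with the "must be user/group root/_tss" error quoted in the commit message, which is harder to trace back to the precmd. Consider chaining the chown and chmod with && (or returning early on failure) so the failure is reported where it happens. Two smaller points on the added comment: it says "configuration files" and then "configuration file", and it would help to state that with owner root and mode 0640 the %%USERS%% user can only get read access through the %%GROUPS%% group bit, since that is the reason for going from 0600 to 0640.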