rpms/nss/F-12 547860.patch,NONE,1.1 nss.spec,1.129,1.130

Elio Maldonado emaldonado at fedoraproject.org
Thu Jan 7 02:41:43 UTC 2010 

Author: emaldonado

Update of /cvs/pkgs/rpms/nss/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20865

Modified Files:
	nss.spec 
Added Files:
	547860.patch 
Log Message:
Fix nsssysinit to allow root to modify the nss system database (#547860)

547860.patch:
 nsssysinit.c |   51 ++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 42 insertions(+), 9 deletions(-)

--- NEW FILE 547860.patch ---
diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
--- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860	2010-01-06 17:57:30.722388282 -0800
+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2010-01-06 18:20:59.713397530 -0800
@@ -50,6 +50,7 @@
  */
 
 #ifdef XP_UNIX
+#include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 
@@ -108,12 +109,26 @@ getSystemDB(void) {
    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
 }
 
+static PRBool
+userIsRoot()
+{
+   /* this works for linux and all unixes that we know off
+	  though it isn't stated as such in POSIX documentation */
+   return getuid() == 0;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
+}
+
 #else
 #ifdef XP_WIN
 static char *
 getUserDB(void)
 {
-   /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the user's NSS_DIR. if no entry exists, create
     * one in the users Appdir location */
    return NULL;
 }
@@ -121,13 +136,28 @@ getUserDB(void)
 static char *
 getSystemDB(void)
 {
-   /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
+   /* use the registry to find the system's NSS_DIR. if no entry exists, create
     * one based on the windows system data area */
    return NULL;
 }
 
+static PRBool
+userIsRoot()
+{
+   /* use the registry to find if the user is the system administrator. */
+   return PR_FALSE;
+}
+
+static PRBool
+userCanModifySystemDB()
+{
+   /* use the registry to find if the user has administrative privilege 
+    * to modify the system's nss database. */
+   return PR_FALSE;
+}
+
 #else
-#error "Need to write getUserDB and get SystemDB functions"
+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
 #endif
 #endif
 
@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_
     if (userdb && !strcmp(filename, userdb))
 	    filename = NULL;
 
-    if (userdb != NULL) {
+    /* Don't open root's user DB */
+    if (userdb != NULL && !userIsRoot()) {
 	/* return a list of databases to open. First the user Database */
 	module_list[next++] = PR_smprintf(
 	    "library= "
@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_
 		userdb, stripped_parameters);
 	}
 
-    if (filename && 0 /* This doesn't actually work. If we register
+    if (filename && !userIsRoot() && 0
+		/* This doesn't actually work. If we register
 			 both this and the sysdb (in either order)
 			 then only one of them actually shows up */) {
 	    module_list[next++] = PR_smprintf(
@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_
 	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
     }
 
-    /* now the system database (always read only) */
+    /* now the system database (always read only unless it's root) */
     if (sysdb) {
-	    module_list[next++] = PR_smprintf(
+	const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+	module_list[next++] = PR_smprintf(
 	      "library= "
 	      "module=\"NSS system database\" "
-	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
-	      "NSS=\"%sflags=internal,critical\"",sysdb, nssflags);
+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
     }
 
     /* that was the last module */


Index: nss.spec
===================================================================
RCS file: /cvs/pkgs/rpms/nss/F-12/nss.spec,v
retrieving revision 1.129
retrieving revision 1.130
diff -u -p -r1.129 -r1.130
--- nss.spec	6 Jan 2010 21:59:38 -0000	1.129
+++ nss.spec	7 Jan 2010 02:41:42 -0000	1.130
@@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.12.5
-Release:          1%{?dist}.12.1
+Release:          1%{?dist}.14
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -46,6 +46,7 @@ Patch8:           nss-sysinit.patch
 Patch9:           540387.patch
 Patch10:          545779.patch
 Patch11:          546221.patch
+Patch12:          547860.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -117,6 +118,7 @@ low level services.
 %patch9 -p1 -b .540387
 %patch10 -p0 -b .545779
 %patch11 -p1 -b .546221
+%patch12 -p1 -b .547860
 
 %build
 
@@ -483,6 +485,9 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/ns
 
 
 %changelog
+* Wed Jan 06 2010 Elio Maldonado<emaldona at redhat.com> - 3.12.5-1.14
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
 * Wed Jan 06 2010 Elio Maldonado<emaldona at redhat.com> - 3.12.5-1.12.1
 - Temporarily disabling the ssl tests until Bug 539183 is resolved

More information about the fedora-extras-commits mailing list