[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/system-trusted-certs] 2 commits: Make libnssckbi.so consumers trust system root certificate store
Guido Berhörster (@gber)
gitlab at salsa.debian.org
Thu Sep 14 10:11:02 BST 2023
Guido Berhörster pushed to branch personal/gber/system-trusted-certs at Debian Edu / debian-edu-config
Commits:
15638508 by Guido Berhoerster at 2023-09-14T11:10:37+02:00
Make libnssckbi.so consumers trust system root certificate store
Add a diversion for libnssckbi.so and replace it with a symlink to p11-kit-trust.so in
order to work around #704180. Note that it is important to keep the renamed file
outside of /usr/lib/<arch>/ in order to prevent ldconfig from overwriting the
symlink.
- - - - -
24bd34d8 by Guido Berhoerster at 2023-09-14T11:10:37+02:00
Stop adding the DebianEdu root CA to NSS shared database
NSS consumers like Firefox, Thunderbird, Chromium should use the system trusted
root CA store via p11-kit (Closes: #926388).
- - - - -
18 changed files:
- Makefile
- − bin/debian-edu-copy-pki
- debian/control
- debian/debian-edu-config.links
- debian/debian-edu-config.lintian-overrides
- debian/debian-edu-config.postrm → debian/debian-edu-config.postrm.in
- debian/debian-edu-config.preinst → debian/debian-edu-config.preinst.in
- debian/rules
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- − lib/thunderbird/distribution/policies.json
- sbin/debian-edu-ltsp-install
- share/debian-edu-config/tools/create-debian-edu-certs
- − share/debian-edu-config/tools/create-user-nssdb
- share/debian-edu-config/tools/gosa-create
- − share/debian-edu-config/tools/update-cert-dbs
- share/firefox-esr/distribution/policies.json
- − share/man/man1/debian-edu-copy-pki.1
Changes:
=====================================
Makefile
=====================================
@@ -5,7 +5,6 @@ NULL =
PROGS = \
debian-edu-ldapserver \
update-ini-file \
- debian-edu-copy-pki \
$(NULL)
SPROGS = \
@@ -229,10 +228,6 @@ WWWFILES = \
wpad.dat \
$(NULL)
-LIBFILES = \
- thunderbird/distribution/policies.json \
- $(NULL)
-
all:
$(MAKE) -C www
@@ -282,10 +277,6 @@ install: install-testsuite
$(INSTALL) etc/$$file $(DESTDIR)$(sysconfdir)/$$file; \
done
- set -e ; for file in $(LIBFILES) ; do \
- $(INSTALL_DATA) lib/$$file $(DESTDIR)$(libdir)/$$file; \
- done
-
set -e ; for f in \
share/debian-edu-config/d-i/finish-install \
share/debian-edu-config/d-i/pre-pkgsel \
@@ -335,7 +326,6 @@ install: install-testsuite
share/debian-edu-config/tools/sssd-generate-config \
share/debian-edu-config/tools/squid-update-cachedir \
share/debian-edu-config/tools/subnet-change \
- share/debian-edu-config/tools/update-cert-dbs \
share/debian-edu-config/tools/update-dlw-krb5-keytabs \
share/debian-edu-config/tools/update-firefox-homepage \
share/debian-edu-config/tools/update-chromium-homepage \
@@ -345,7 +335,6 @@ install: install-testsuite
share/debian-edu-config/tools/exim4-create-environment \
share/debian-edu-config/tools/edu-ldap-from-scratch \
share/debian-edu-config/tools/edu-icinga-setup \
- share/debian-edu-config/tools/create-user-nssdb \
share/debian-edu-config/tools/copy-host-keytab \
share/debian-edu-config/tools/improve-desktop-l10n \
share/debian-edu-config/tools/install-task-pkgs \
=====================================
bin/debian-edu-copy-pki deleted
=====================================
@@ -1,23 +0,0 @@
-#!/bin/sh
-#
-# On a roaming workstation, the local user's home directory is missing the .pki
-# directory causing a question about the self-signed Debian Edu web server
-# certificate if Chromium is used.
-# Upon first login, a user can open a terminal window and execute this command
-# to copy the whole PKI directory from the main server.
-
-# schweer, 2020-12-08
-
-set -e
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-if ! echo "$PROFILE" | grep -Eq 'Roaming-Workstation' ; then
- echo "This isn't a roaming workstation, nothing done."
- else
- if [ ! -d $HOME/.pki ] ; then
- scp -rq $USER at tjener:~/.pki $HOME
- echo "The PKI files have been copied from the main server."
- fi
-fi
=====================================
debian/control
=====================================
@@ -8,17 +8,18 @@ Uploaders: Petter Reinholdtsen <pere at debian.org>,
Dominik George <natureshadow at debian.org>,
Standards-Version: 4.6.2
Rules-Requires-Root: no
-Build-Depends: debhelper-compat (= 13), debhelper
-Build-Depends-Indep: po-debconf,
- po4a,
- help2man,
- libfilesys-df-perl
+Build-Depends: debhelper-compat (= 13),
+ debhelper,
+ po-debconf,
+ po4a,
+ help2man,
+ libfilesys-df-perl
Homepage: https://blends.debian.org/edu
Vcs-Browser: https://salsa.debian.org/debian-edu/debian-edu-config
Vcs-Git: https://salsa.debian.org/debian-edu/debian-edu-config.git
Package: debian-edu-config
-Architecture: all
+Architecture: any
Depends: ${misc:Depends},
adduser,
bind9-host,
@@ -54,6 +55,7 @@ Depends: ${misc:Depends},
net-tools,
ng-utils,
openssl,
+ p11-kit-modules,
patch,
python3,
python3-notify2,
=====================================
debian/debian-edu-config.links
=====================================
@@ -1,2 +1,3 @@
usr/share/debian-edu-config/tools/ldapdump.sh etc/slbackup/pre.d/ldapdump.sh
etc/debian-edu/www/index.html.nb-no etc/debian-edu/www/index.html.no
+usr/lib/${DEB_HOST_MULTIARCH}/pkcs11/p11-kit-trust.so usr/lib/${DEB_HOST_MULTIARCH}/libnssckbi.so
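Review bot: The new entry ships a symlink at `usr/lib/${DEB_HOST_MULTIARCH}/libnssckbi.so`, a path owned by libnss3, and nothing in this file records that it only unpacks cleanly because the preinst registers a dpkg-divert for libnss3's copy first. debhelper config files ignore lines beginning with `#`, so a line such as `# replaces libnss3's libnssckbi.so; relies on the dpkg-divert added in preinst (#704180)` above the entry would keep the two halves of the workaround tied together for the next maintainer.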
=====================================
debian/debian-edu-config.lintian-overrides
=====================================
@@ -22,3 +22,4 @@ debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [temp
debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:359]
debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:442]
debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:401]
+debian-edu-config: diversion-for-unknown-file * [postinst:213]
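Review bot: The new override uses a bare `*` as the file pattern, so it silences `diversion-for-unknown-file` for any diversion this package might add in the future, not just the libnssckbi.so one; narrowing it to `debian-edu-config: diversion-for-unknown-file */libnssckbi.so [postinst:213]` keeps the check effective for later changes. The pointer `[postinst:213]` also names postinst although the diversion in this series is added in preinst.in; confirm it matches what lintian actually reports, since an override that matches nothing is flagged as unused rather than applied.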
=====================================
debian/debian-edu-config.postrm → debian/debian-edu-config.postrm.in
=====================================
@@ -62,4 +62,17 @@ case "$1" in
fi
esac
+# remove diversion of libnssckbi.so, workaround until #704180 is resolved
+remove_libnssckbi_diversion () {
+ dpkg-divert --package debian-edu-config --remove --rename \
+ --divert /usr/lib/@DEB_HOST_MULTIARCH at _libnssckbi.so_libnss3 \
+ /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so
+}
+
+if [ "$1" = "remove" ] || [ "$1" = "abort-install" ] || [ "$1" = "disappear" ]; then
+ remove_libnssckbi_diversion
+elif [ "$1" = "abort-upgrade" ] && dpkg --compare-versions "$2" lt 2.12.37; then
+ remove_libnssckbi_diversion
+fi
+
#DEBHELPER#
=====================================
debian/debian-edu-config.preinst → debian/debian-edu-config.preinst.in
=====================================
@@ -59,6 +59,14 @@ upgrade)
fi
fi
+
+ # add diversion for libnssckbi.so and replaces with p11-kit-trust.so,
+ # workaround until # #704180 is resolved
+ if dpkg --compare-versions "$2" le "2.12.36"; then
+ dpkg-divert --package debian-edu-config --add --rename \
+ --divert /usr/lib/@DEB_HOST_MULTIARCH at _libnssckbi.so_libnss3 \
+ /usr/lib/@DEB_HOST_MULTIARCH@/libnssckbi.so
+ fi
;;
esac
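Review bot: On a fresh install the diversion is never registered before dpkg unpacks the `usr/lib/<triplet>/libnssckbi.so` symlink from debian-edu-config.links: the new block sits in the `upgrade)` case (its header is outside the hunk, so this holds unless the pattern is actually `install|upgrade)`), and the result would be a file conflict with libnss3 at unpack time. The version gate should also agree with the postrm, which uses `lt 2.12.37`: an old version such as `2.12.36+nmu1` (constructed) fails `le "2.12.36"` yet never shipped the diversion, so `if dpkg --compare-versions "$2" lt 2.12.37; then` is the safer test in both scripts. The comment has a stray `#` in `until # #704180`.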
=====================================
debian/rules
=====================================
@@ -1,11 +1,17 @@
#!/usr/bin/make -f
DESTDIR=`pwd`/debian/debian-edu-config
+SUBSTFILES = \
+ debian/debian-edu-config.preinst \
+ debian/debian-edu-config.postrm
+
+debian/%: debian/%.in
+ sed 's/@DEB_HOST_MULTIARCH@/$(DEB_HOST_MULTIARCH)/g' <$< >$@
%:
dh $@
-override_dh_auto_install:
+override_dh_auto_install: $(SUBSTFILES)
$(MAKE) install prefix=/usr DESTDIR=$(DESTDIR)
override_dh_installinit:
@@ -40,3 +46,7 @@ override_dh_installman:
--help-option="-h" \
--no-discard-stderr debian/debian-edu-config/usr/bin/ldap-createuser-krb5 \
> debian/debian-edu-config/usr/share/man/man1/ldap-createuser-krb5.1
+
+override_dh_auto_clean:
+ dh_auto_clean
+ -rm -f $(SUBSTFILES)
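Review bot: `$(DEB_HOST_MULTIARCH)` in the new `debian/%: debian/%.in` recipe is not defined anywhere in the hunk, so it expands to an empty string unless it arrives from the environment (dpkg-buildpackage exports it, a bare `debian/rules binary` does not), and the generated preinst/postrm would then divert `/usr/lib//libnssckbi.so` instead of the real path while the wildcard lintian override hides the mistake. `include /usr/share/dpkg/architecture.mk` near the top of debian/rules defines it deterministically, and a guard such as `$(if $(strip $(DEB_HOST_MULTIARCH)),,$(error DEB_HOST_MULTIARCH is empty))` as the first recipe line turns a silent mis-substitution into a build failure. The `-` prefix on `-rm -f $(SUBSTFILES)` is redundant with `-f` and would also mask unrelated errors; `$(RM) $(SUBSTFILES)` is enough.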
=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -181,9 +181,6 @@ EOF
# Create home directory
if [ ! -d $HOMEDIR ] ; then
cp -r /etc/skel $HOMEDIR
- mkdir -p $HOMEDIR/.pki/nssdb
- chmod -R 700 $HOMEDIR/.pki/nssdb
- certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
chown -R $NEWUID:$NEWGID $HOMEDIR
fi
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -357,13 +357,3 @@ SLAPPIDS=$(pidof slapd || /bin/true)
if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
service slapd start
fi
-
-# Create PKI nssdb files for first user.
-if [ -x /usr/bin/certutil ] ; then
- mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
- chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
- certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
- echo "info: created PKI nssdb files for first-user"
-fi
-
=====================================
lib/thunderbird/distribution/policies.json deleted
=====================================
@@ -1,11 +0,0 @@
-{
- "policies": {
- "Certificates": {
- "ImportEnterpriseRoots": true,
- "Install": [
- "/etc/ssl/certs/Debian-Edu_rootCA.crt"
- ]
- }
- }
-}
-
=====================================
sbin/debian-edu-ltsp-install
=====================================
@@ -531,12 +531,6 @@ debootstrap --arch="$arch" --no-check-gpg --variant=minbase --include=sitesummar
cat <<EOF > /srv/ltsp/x2go-"$thin_type"-"$arch"/usr/share/firefox-esr/distribution/policies.json
{
"policies": {
- "Certificates": {
- "ImportEnterpriseRoots": true,
- "Install": [
- "/etc/ssl/certs/Debian-Edu_rootCA.crt"
- ]
- },
"NewTabPage": false,
"OverrideFirstRunPage": "",
"SearchEngines": {
=====================================
share/debian-edu-config/tools/create-debian-edu-certs
=====================================
@@ -78,13 +78,6 @@ generate() {
logger -t create-debian-edu-certs "Certs with both .crt and .pem extension made available in /etc/debian-edu/www."
}
-update_nssdb() {
- # Update dbm and sql certificate and key databases in homedirs.
- echo "Now updating the nssdb files for all user accounts..."
- /usr/share/debian-edu-config/tools/update-cert-dbs
- echo "The nssdb files for all user accounts have been updated"
-}
-
if [ "$1" = "--force-overwrite" ] ; then
generate
echo "Reloading / restarting related services; this will take some time..."
@@ -94,11 +87,9 @@ if [ "$1" = "--force-overwrite" ] ; then
service dovecot restart
service nslcd stop
service nslcd start
- update_nssdb
else
if [ ! -f $CA_CERT ] || [ ! -f $CA_KEY ]; then
generate
- update_nssdb
else
echo "Certificates and keys already exist, nothing to do!"
echo "Call $0 with param '--force-overwrite' if new ones should be generated."
=====================================
share/debian-edu-config/tools/create-user-nssdb deleted
=====================================
@@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -e
-
-BASE_HOME=/skole/tjener
-for dir in "$BASE_HOME"/*/*; do
- # Skip if not a directory
- test -d "$dir" || continue
-
- # Extract username and check existence
- username=${dir##*/}
- id "$username" >/dev/null 2>&1 || continue
-
- if [ -d "$dir/.pki/nssdb" ] ; then
- su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- else
- mkdir -p $dir/.pki/nssdb
- chmod -R 700 $dir/.pki/nssdb
- chown -R $i:$i $dir/.pki/nssdb
- certutil -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- fi
- logger -t create-user-nssdb -p notice PKI nssdb files created in $dir.
-done
-
-exit 0
=====================================
share/debian-edu-config/tools/gosa-create
=====================================
@@ -38,10 +38,6 @@ while read KEY VALUE ; do
nscd -i passwd || true
nscd -i group || true
fi
- mkdir -p $HOMEDIR/.pki/nssdb
- chmod -R 700 $HOMEDIR/.pki/nssdb
- certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- logger -t gosa-create -p notice PKI nssdb files created in \'$HOMEDIR\'.
chown -R $USERID:$GROUPID $HOMEDIR
kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.
=====================================
share/debian-edu-config/tools/update-cert-dbs deleted
=====================================
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# Update PKI nssdb files in users' homedirs.
-#
-
-set -e
-
-BASE_HOME=/skole/tjener
-for dir in "$BASE_HOME"/*/*; do
- # Skip if not a directory
- test -d "$dir" || continue
-
- # Extract username and check existence
- username=${dir##*/}
- id "$username" >/dev/null 2>&1 || continue
-
- if [ -d "$dir/.pki/nssdb" ] ; then
- su - $username sh -c 'certutil -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
- fi
- logger -t update-cert-dbs "Updated PKI nssdb files for user $username in $dir"
-done
=====================================
share/firefox-esr/distribution/policies.json
=====================================
@@ -1,11 +1,5 @@
{
"policies": {
- "Certificates": {
- "ImportEnterpriseRoots": true,
- "Install": [
- "/etc/ssl/certs/Debian-Edu_rootCA.crt"
- ]
- },
"NewTabPage": false,
"OverrideFirstRunPage": "",
"SearchEngines": {
=====================================
share/man/man1/debian-edu-copy-pki.1 deleted
=====================================
@@ -1,15 +0,0 @@
-.TH DEBIAN-EDU-COPY-PKI 1 "December 2020" "Debian Edu" "Debian Edu User Tools"
-
-.SH NAME
-debian-edu-copy-pki - copy user's PKI files from the Debian Edu main server
-
-.SH SYNOPSIS
-.B debian-edu-copy-pki
-
-.SH DESCRIPTION
-This script is useful on roaming workstations. The user's "$HOME/.pki" directory on the main server is copied to the local home directory.
-.TP
-This way, all programs relying on the PKI infrastructure (like e.g. Chromium) will accept Debian Edu self signed certificates.
-
-.SH AUTHORS
-Debian Edu Team, https://blends.debian.org/edu