rpms/tog-pegasus/devel genSSLcerts, NONE, 1.1 access.conf, NONE, 1.1 README.RedHat.Security, NONE, 1.1 rpm_build_env, NONE, 1.1

[fedora-cvs-commits at redhat.com]

Author: jvdias

Update of /cvs/dist/rpms/tog-pegasus/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv30573

Added Files:
	genSSLcerts access.conf README.RedHat.Security rpm_build_env 
Log Message:
port from RHEL-4; upgrade to 2.5


--- NEW FILE genSSLcerts ---
#!/bin/bash
#
#  Set up the openssl certificates for the tog-pegasus cimserver
#
#  Arguments:
#    If a single host name argument is given that resolves to a host
#    IP address, then the script will attempt to copy the certificate
#    files from that host name.
#
#  Without any arguments:
# 
#  Modify entries in ssl.cnf, then
#  Generate a self signed node certificate
#
PEGASUS_CONFIG_DIR=${PEGASUS_CONFIG_DIR:=/etc/Pegasus}
INSTALL_LOG=${INSTALL_LOG:=/var/log/Pegasus/install.log}
PEGASUS_SSL_CERT_FILE=${PEGASUS_SSL_CERT_FILE:=server.pem}
PEGASUS_SSL_KEY_FILE=${PEGASUS_SSL_KEY_FILE:=file.pem}
PEGASUS_SSL_TRUSTSTORE=${PEGASUS_SSL_TRUSTSTORE:=client.pem}
cnfChanged=0;
if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then
    mkdir -p ${INSTALL_LOG%/*}
    mkdir -p $PEGASUS_CONFIG_DIR
    echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "distinguished_name     = req_distinguished_name"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "prompt                 = no"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "C                      = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "ST                     = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "L                      = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "O                      = The Open Group" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    echo "OU                     = The OpenPegasus Project" >> $PEGASUS_CONFIG_DIR/ssl.cnf
    DN=`hostname`;
    if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then
       DN='localhost.localdomain';
    fi;
    FQDN=`{ host -W1 $DN 2>/dev/null || echo "$DN has address "; } | grep 'has address' | head -1 | sed 's/\ .*$//'`;
    if [ -z "$FQDN" ] ; then
	FQDN="$DN";
    fi;
    # cannot use 'hostname --fqdn' because this can hang indefinitely
    echo "CN                     = $FQDN"  >> $PEGASUS_CONFIG_DIR/ssl.cnf
    chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf
    chown root $PEGASUS_CONFIG_DIR/ssl.cnf
    chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf
    cnfChanged=1;
fi
if [ $cnfChanged -eq 1 ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_CERT_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_KEY_FILE ] || [ ! -e /etc/Pegasus/$PEGASUS_SSL_TRUSTSTORE ]; then
    /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \
       -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf   \
       -keyout $PEGASUS_CONFIG_DIR/key.pem -out $PEGASUS_CONFIG_DIR/cert.pem 2>>$INSTALL_LOG
    chmod 700 $PEGASUS_CONFIG_DIR/*.pem
    cat $PEGASUS_CONFIG_DIR/key.pem > $PEGASUS_CONFIG_DIR/file_2048.pem
    chmod 400 $PEGASUS_CONFIG_DIR/file_2048.pem
    cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/server_2048.pem
    chmod 400 $PEGASUS_CONFIG_DIR/server_2048.pem
    cat $PEGASUS_CONFIG_DIR/cert.pem > $PEGASUS_CONFIG_DIR/client_2048.pem
    chmod 400 $PEGASUS_CONFIG_DIR/client_2048.pem
    rm -f $PEGASUS_CONFIG_DIR/key.pem $PEGASUS_CONFIG_DIR/cert.pem
    cp -fp $PEGASUS_CONFIG_DIR/server_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE
    cp -fp $PEGASUS_CONFIG_DIR/file_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
    chmod 400 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_KEY_FILE
    chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_CERT_FILE 
    cp -fp $PEGASUS_CONFIG_DIR/client_2048.pem $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE
    chmod 444 $PEGASUS_CONFIG_DIR/$PEGASUS_SSL_TRUSTSTORE;
fi;


--- NEW FILE access.conf ---
##############################################################################
# Pegasus WBEM HTTP/HTTPS Network Service User Access Control Table:
# 
# This file controls access to the Pegasus WBEM Network services by users
# with the PAM pam_access module .
#
# The format of the access control table is three fields separated by a
# ":" character:
# 
# 	permission : users : origins
# 
# The first field should be a "+" (access granted) or "-" (access denied)
# character. 
#
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). A pattern of the form user at host is
# matched when the login name matches the "user" part, and when the
# "host" part matches the local machine name.
#
# If you run NIS you can use @netgroupname in host or user patterns; this
# even works for @usergroup@@hostgroup patterns. Weird.
#
# The EXCEPT operator makes it possible to write very compact rules.
#
# The group file is searched only when a name does not match that of the
# logged-in user. Both the user's primary group is matched, as well as
# groups in which users are explicitly listed.
#
# The third field must be 'wbemNetwork', to control access by users from
# remote hosts, or 'wbemLocal', to control access by users from the local host.
##############################################################################
# 
# Pegasus PAM Access Rules:
# 1. The Remote host user access rule:
#    By default, ONLY the pegasus user can use remote network HTTP/S service:
#
-: ALL EXCEPT pegasus:wbemNetwork
#
#
# 2. The Local host user access rule:
#    By default, ONLY the pegasus and root users can use pegasus local HTTP/S service:
#
-: ALL EXCEPT pegasus root:wbemLocal


--- NEW FILE README.RedHat.Security ---
		Red Hat Security Enhancements for tog-pegasus
		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Access to the Pegasus services:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   By default, with the configuration as shipped, the upstream Open Group Pegasus
   release allowed any user with an account on the machine (including root) to
   use the network HTTPS port 5989 (by default) and HTTP port 5988 services.
   On authentication failures, though there was the standard PAM authentication
   failure delay, no messages were logged to syslog. This meant that potentially
   a long-running cracker process could try millions of root passwords over the
   network and could possibly discover the root password .  If users were unwise
   enough to enable the HTTP service on port 5988, then root passwords could be
   sent unencrypted over the network.

   This situation was deemed unacceptable by Red Hat RHEL QA test and Security
   Response team engineers.
 
   So for the Red Hat tog-pegasus release, PAM access control was enabled, to 
   remove these vulnerabilities. There is now a "pegasus" user created during
   install, and users are recommended to use only that user to invoke CIM 
   operations over the network.

   By default:

   o root password authentication for CIM operations invoked over the network 
     HTTPS/HTTP services is denied - the root user is unable to invoke pegasus
     services over the network - only the "pegasus" user may do so.

   o the root user may invoke CIM operations over the HTTPS/HTTP ports on the
     local machine.
 
   o any user other than "pegasus" or "root" may not invoke pegasus services
     over the HTTPS/HTTP ports at all.
     
   o any PAM authentication failure will be logged to syslog 

   NOTE: after installation, you must set the password for the pegasus user -
         issue this command as root :
         # passwd pegasus
         - to enable CIM operation network service, if the pegasus user is 
         a local system user.

   Note also that even though a non-root user's password is used to authenticate
   with the cimserver, the cimserver and all CIM Operation Providers run as root.
   This was another reason to restrict use of CIM Operations to only one user.  

   The "pegasus" user may of course be a NIS, Kerberos, or LDAP user, which
   could be used as configured in /etc/nsswitch.conf or with the PAM stack.

   You may configure this differently, and at your own risk, by modifying the
   pam_access configuration file /etc/Pegasus/access.conf, or by removing the
   line:
       account required pam_access.so accessfile=/etc/Pegasus/access.conf
   from /etc/pam.d/wbem - then tog-pegasus' authentication behaviour would
   be the same as that of the upstream release.

 SELinux
 ~~~~~~~
   There is an SELinux policy for tog-pegasus shipped in selinux-policy-targeted-1.17.30-2.110+ .
   When SELinux is enabled in enforcing mode, the cimserver and providers are restricted to the
   operations allowed to the 'pegasus_t' security context. Also only the pegasus_exec_t context
   may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus 
   configuration files which are of pegasus_conf_t file context.


 ExecShield
 ~~~~~~~~~~
   All tog-pegasus binary executables are compiled with ExecShield enabled, which make it nearly
   impossible to modify them or to poke executable code into them.



--- NEW FILE rpm_build_env ---
# Pegasus RPM %build + %install environment setup: 
#
# compile options:
#
export PEGASUS_EXTRA_C_FLAGS="$RPM_OPT_FLAGS -fPIC -g -Wall -Wno-unused"
export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS"
export PEGASUS_EXE_LINK_FLAGS="$RPM_OPT_FLAGS -g -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack"
export SYS_INCLUDES=-I/usr/kerberos/include
#
# build object directories:
#
export SRCNAME=pegasus
export PEGASUS_ROOT=${RPM_BUILD_DIR}/${SRCNAME}-${RPM_PACKAGE_VERSION}
export ROOT=$PEGASUS_ROOT
export PEGASUS_HOME=${RPM_BUILD_ROOT}/build
export PEGASUS_ARCH_LIB_DIR=${RPM_ARCH_LIB}
#
# PEGASUS_PLATFORM (hardware platform) setup:
#
if [ -z "$RPM_ARCH" ]; then
    export RPM_ARCH=`/bin/uname -i`;
fi;
case ${RPM_ARCH} in
  ia64|x86_64)
    export PEGASUS_PLATFORM=LINUX_IA64_GNU;
    ;;
  ppc)
    export PEGASUS_PLATFORM=LINUX_PPC_GNU;
    ;;
  ppc64|pseries)
    export PEGASUS_PLATFORM=LINUX_PPC64_GNU;
    ;;
  s390)
    export PEGASUS_PLATFORM=LINUX_ZSERIES_GNU;
    export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
    export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
    ;;
  s390x|zseries)
    export PEGASUS_PLATFORM=LINUX_ZSERIES64_GNU;
    export PEGASUS_EXTRA_C_FLAGS="$PEGASUS_EXTRA_C_FLAGS -fsigned-char";
    export PEGASUS_EXTRA_CXX_FLAGS="$PEGASUS_EXTRA_C_FLAGS";
    ;;
  i386)
    export PEGASUS_PLATFORM=LINUX_IX86_GNU
    ;;
  *)
    echo "Architecture unsupported by pegasus: $RPM_ARCH";
    exit 1;
    ;;
esac;
#
# Pegasus Build options:
# 
export OPENSSL_HOME=/usr
export PEGASUS_HAS_SSL=yes
# per bug #368
export PEGASUS_USE_RELEASE_DIRS=true
export PEGASUS_USE_RELEASE_CONFIG_OPTIONS=true
# per PEP #144
export PEGASUS_PAM_AUTHENTICATION=true
export PAM_CONFIG_DIR=/etc/pam.d
#
# export PEGASUS_USE_PAM_STANDALONE_PROC=true
# NO, we do NOT use 'cimservera' on Red Hat platforms!
#
export PEGASUS_CIM_SCHEMA=CIM29
export PEGASUS_LOCAL_DOMAIN_SOCKET=true
export PEGASUS_USE_SYSLOGS=true
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
# per PEP #174
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_HAS_PERFSTATS=true
export PEGASUS_NOASSERTS=true
export PEGASUS_DISABLE_CQL=true
export PEGASUS_DISABLE_OBJECT_NORMALIZATION=true
export PEGASUS_ENABLE_CMPI_PROVIDER_MANAGER=true
export PEGASUS_ENABLE_USERGROUP_AUTHORIZATION=true
export PEGASUS_USE_RELEASE_DIRS=true
#
# Pegasus Directory Structure:
#
export PEGASUS_PROD_DIR=/usr
export PEGASUS_PRODSHARE_DIR=${PEGASUS_PROD_DIR}/share/Pegasus
export PEGASUS_DOC_DIR=/usr/share/doc/tog-pegasus-${RPM_PACKAGE_VERSION}
export PEGASUS_MAN_DIR=/usr/share/man
export PEGASUS_MANUSER_DIR=${PEGASUS_MAN_DIR}/man1
export PEGASUS_MANADMIN_DIR=${PEGASUS_MAN_DIR}/man8
export PEGASUS_MOF_DIR=${PEGASUS_PRODSHARE_DIR}/mof
export PEGASUS_DEST_LIB_DIR=${PEGASUS_PROD_DIR}/${PEGASUS_ARCH_LIB_DIR}
export PEGASUS_PROVIDER_DIR=${PEGASUS_DEST_LIB_DIR}/Pegasus/providers
export PEGASUS_PROVIDER_LIB_DIR=${PEGASUS_PROVIDER_DIR}
export PEGASUS_SBIN_DIR=${PEGASUS_PROD_DIR}/sbin
export PEGASUS_BIN_DIR=${PEGASUS_PROD_DIR}/bin
export PEGASUS_VARDATA_DIR=/var/lib/Pegasus
export PEGASUS_REPOSITORY_PARENT_DIR=${PEGASUS_VARDATA_DIR}
export PEGASUS_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/repository
export PEGASUS_PREV_REPOSITORY_DIR=${PEGASUS_REPOSITORY_PARENT_DIR}/prev_repository
export PEGASUS_CONFIG_DIR=/etc/Pegasus
export PEGASUS_VARRUN_DIR=/var/run/tog-pegasus
export PEGASUS_CIMSERVER_START_FILE=${PEGASUS_VARRUN_DIR}/cimserver.pid
export PEGASUS_LOCAL_DOMAIN_SOCKET_DIR=${PEGASUS_VARRUN_DIR}
export PEGASUS_LOCAL_DOMAIN_SOCKET_PATH=${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR}/cimxml.socket
export PEGASUS_VARDATA_CACHE_DIR=${PEGASUS_VARDATA_DIR}/cache
export PEGASUS_LOCAL_AUTH_DIR=${PEGASUS_VARDATA_CACHE_DIR}/localauth
export PEGASUS_TRACE_DIR=${PEGASUS_VARDATA_CACHE_DIR}/trace
export PEGASUS_PLANNED_CONFIG_FILE=cimserver_planned.conf
export PEGASUS_CURRENT_CONFIG_FILE=cimserver_current.conf
export PEGASUS_PEM_DIR=${PEGASUS_CONFIG_DIR}
export PEGASUS_LOG_DIR=/var/log/Pegasus
export PEGASUS_SSL_KEY_FILE=file.pem
export PEGASUS_SSL_CERT_FILE=server.pem
export PEGASUS_SSL_TRUSTSTORE=client.pem
export PEGASUS_SAMPLES_DIR=${PEGASUS_PRODSHARE_DIR}/samples
export PEGASUS_INCLUDE_DIR=${PEGASUS_PROD_DIR}/include
export PEGASUS_HTML_DIR=${PEGASUS_PRODSHARE_DIR}/html
export PEGASUS_TEST_DIR=${PEGASUS_PRODSHARE_DIR}/test
export PEGASUS_TEST_REPOSITORY_DIR=${PEGASUS_VARDATA_DIR}
export PEGASUS_TEST_REPOSITORY_NAME=testrepository
export PRODUCT_DIRECTORY_STRUCTURE=(\
   ${PEGASUS_PROD_DIR} \
   ${PEGASUS_PRODSHARE_DIR} \
   ${PEGASUS_DOC_DIR} \
   ${PEGASUS_MAN_DIR} \
   ${PEGASUS_MANUSER_DIR} \
   ${PEGASUS_MANADMIN_DIR} \
   ${PEGASUS_DEST_LIB_DIR} \
   ${PEGASUS_PROVIDER_DIR} \
   ${PEGASUS_PROVIDER_LIB_DIR} \
   ${PEGASUS_SBIN_DIR} \
   ${PEGASUS_BIN_DIR} \
   ${PEGASUS_MOF_DIR} \
   ${PEGASUS_VARDATA_DIR} \
   ${PEGASUS_REPOSITORY_DIR} \
   ${PEGASUS_VARDATA_CACHE_DIR} \
   ${PEGASUS_TRACE_DIR} \
   ${PEGASUS_LOG_DIR} \
   ${PEGASUS_LOCAL_AUTH_DIR} \
   ${PEGASUS_VARRUN_DIR} \
   ${PEGASUS_LOCAL_DOMAIN_SOCKET_DIR} \
   ${PEGASUS_CONFIG_DIR});