From 7d21b05af920c810b12f9f33b260b129af475b64 Mon Sep 17 00:00:00 2001 From: Marco Fargetta Date: Thu, 13 Feb 2025 13:28:29 +0100 Subject: [PATCH] Update spec for compiler flags and systemd user C and C++ flags are now retrieved from 'optflags' macro. In Fedora this is: CFLAGS='-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer ' Additionally, user creation is moved to systemd. --- pki.spec | 62 ++++++++++++++------------------------------------------ 1 file changed, 15 insertions(+), 47 deletions(-) diff --git a/pki.spec b/pki.spec index 97679d396aa..f302ec3fd0e 100644 --- a/pki.spec +++ b/pki.spec @@ -669,6 +669,9 @@ Provides: bundled(js-jquery-i18n-properties) = 1.2.7 Provides: bundled(js-patternfly) = 3.59.2 Provides: bundled(js-underscore) = 1.9.2 +Provides: user(%{pki_username}) +Provides: group(%{pki_groupname}) + %description -n %{product_id}-server This package provides libraries and utilities needed by %{product_name} services. 
@@ -1197,6 +1200,13 @@ fi %if %{with console} %mvn_package org.dogtagpki.pki:pki-console pki-console %endif + +# Create a sysusers.d config file + +cat > %{product_id}.sysusers.conf <= 10 -# https://sourceware.org/annobin/annobin.html/Test-gaps.html -C_FLAGS="$C_FLAGS -fplugin=annobin" - -%ifarch x86_64 -# https://sourceware.org/annobin/annobin.html/Test-cf-protection.html -C_FLAGS="$C_FLAGS -fcf-protection=full" -CXX_FLAGS="$CXX_FLAGS -fcf-protection=full" -%endif - -# https://sourceware.org/annobin/annobin.html/Test-optimization.html -C_FLAGS="$C_FLAGS -O2" -CXX_FLAGS="$CXX_FLAGS -O2" - -# https://sourceware.org/annobin/annobin.html/Test-glibcxx-assertions.html -C_FLAGS="$C_FLAGS -D_GLIBCXX_ASSERTIONS" -CXX_FLAGS="$CXX_FLAGS -D_GLIBCXX_ASSERTIONS" - -# https://sourceware.org/annobin/annobin.html/Test-lto.html -C_FLAGS="$C_FLAGS -flto" - -# https://sourceware.org/annobin/annobin.html/Test-fortify.html -C_FLAGS="$C_FLAGS -D_FORTIFY_SOURCE=3" -CXX_FLAGS="$CXX_FLAGS -D_FORTIFY_SOURCE=3" - -# https://sourceware.org/annobin/annobin.html/Test-stack-clash.html -C_FLAGS="$C_FLAGS -fstack-clash-protection" -CXX_FLAGS="$CXX_FLAGS -fstack-clash-protection" - -%ifarch aarch64 -# https://sourceware.org/annobin/annobin.html/Test-dynamic-tags.html -C_FLAGS="$C_FLAGS -mbranch-protection=standard" -CXX_FLAGS="$CXX_FLAGS -mbranch-protection=standard" -%endif - -%endif +C_FLAGS="%{optflags}" +CXX_FLAGS="%{optflags}" pkgs=base\ %{?with_server:,server}\ 
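Review bot: With `C_FLAGS="%{optflags}"` and `CXX_FLAGS="%{optflags}"`, the hardening of the native code depends entirely on what the build host's macro expands to, and nothing in the spec checks the result. The removed lines set `-fcf-protection=full`, `-mbranch-protection=standard` (aarch64), `-D_FORTIFY_SOURCE=3` and `-fstack-clash-protection` explicitly, while the commit message shows only the Fedora x86-64 expansion. The aarch64 and non-Fedora expansions should be confirmed, for example by running annocheck on the built objects. A comment above the assignment would record the dependency: `# hardening flags now come from the distribution's optflags macro; verify with annocheck`. The hunk text is incomplete on this page (the sysusers heredoc body and the next hunk header are missing), so the surrounding conditionals could not be checked.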
@@ -1541,15 +1514,9 @@ xmlstarlet edit --inplace \
 
 %if %{with server}
 
-%pre -n %{product_id}-server
-
-# create PKI group if it doesn't exist
-getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
+install -m0644 -D %{product_id}.sysusers.conf %{buildroot}%{_sysusersdir}/%{product_id}.conf
 
-# create PKI user if it doesn't exist
-if ! getent passwd %{pki_username} >/dev/null ; then
- useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
-fi
+%pre -n %{product_id}-server
 
 # create PKI home directory if it doesn't exist
 if [ ! -d %{pki_homedir} ] ; then
@@ -1820,6 +1787,7 @@ fi
 %{_mandir}/man8/pki-healthcheck.8.gz
 %{_datadir}/pki/setup/
 %{_datadir}/pki/server/
+%{_sysusersdir}/%{product_id}.conf
 
 %if %{without maven}
 %{_datadir}/java/pki/pki-server.jar
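Review bot: In the first hunk here, `%pre -n %{product_id}-server` is kept but the `groupadd`/`useradd` calls are removed from it, so the account must already exist when the scriptlet and the file-ownership steps run. That relies on RPM itself processing the packaged sysusers.d file before `%pre`, which as far as I know needs an RPM with built-in sysusers support. On an older RPM the service account would be missing at install time and files meant for it could end up owned by root. If such targets are still built, add the `%sysusers_create_compat` macro from systemd-rpm-macros at the top of `%pre`. The scriptlet body continues past the end of the hunk and the heredoc that writes `%{product_id}.sysusers.conf` is not readable on this page, so please also confirm that it keeps the fixed uid/gid, the home directory and the `/sbin/nologin` shell from the removed `useradd` line.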