[patch] Allow all signers to read the key to upload signed rpms
John Poelstra
poelstra at redhat.com
Tue Aug 10 22:37:29 UTC 2010
Kevin Fenzi said the following on 08/05/2010 04:44 PM Pacific Time:
> On Thu, 5 Aug 2010 12:37:00 -0500
> Dennis Gilmore<dennis at ausil.us> wrote:
>
>> diff --git a/manifests/services/pkgsigner.pp
>> b/manifests/services/pkgsigner.pp
>> index 11af55c..4449934 100644
>> ---
>> a/manifests/services/pkgsigner.pp
>> +++ b/manifests/services/pkgsigner.pp
>> @@
>> -17,7 +17,7 @@ class pkgsigner {
>>
>> folder { "/etc/pki/pkgsigner/":
>>
>> owner => 'root',
>> - group => 'jkeating',
>> + group =>
>> 'signers',
>> mode => '0750',
>> source => "blank/"
>> }
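Review bot: the folder resource for "/etc/pki/pkgsigner/" in class pkgsigner now relies on a group named 'signers' existing on the host, and nothing in the visible lines declares that group or orders this resource after it. If the group is managed elsewhere in the manifests, a `require => Group['signers']` here, or a comment saying where the group comes from, would keep a fresh host from applying this before the group exists.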
>> @@
>> -25,7 +25,7 @@ class pkgsigner {
>> cert {
>> '/etc/pki/pkgsigner/pkgsigner.pem':
>> source =>
>> 'secure/pkgsigner_key_and_cert.pem',
>> owner => 'root',
>> -
>> group => 'jkeating',
>> + group => 'signers',
>> mode => '440'
>>
>> }
>>
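Review bot: in the cert resource for '/etc/pki/pkgsigner/pkgsigner.pem', `group => 'signers'` with mode '440' makes group membership the only control on a file whose source name, 'secure/pkgsigner_key_and_cert.pem', says it carries the key together with the certificate. A comment in the manifest pointing to where 'signers' membership is defined and who approves changes to it would make that dependency visible to the next person editing this class.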
>> @@ -45,7 +45,7 @@ class epel-pkgsigner {
>>
>> folder {
>> "/etc/pki/pkgsigner/":
>> owner => 'root',
>> - group =>
>> 'jkeating',
>> + group => 'signers',
>> mode => '0750',
>>
>> source => "blank/"
>> }
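Review bot: the folder resource in class epel-pkgsigner gets the same one-line change as the one in class pkgsigner, so the literal 'signers' now has to be kept in step by hand across both classes. Pulling the group name into a single variable, or sharing the folder and cert resources between the two classes, would keep them from drifting the next time the group changes.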
>> @@ -53,7 +53,7 @@ class epel-pkgsigner {
>> cert
>> { '/etc/pki/pkgsigner/pkgsigner.pem':
>> source =>
>> 'secure/pkgsigner_key_and_cert.pem',
>> owner => 'root',
>> -
>> group => 'jkeating',
>> + group => 'signers',
>> mode => '440'
>>
>> }
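Review bot: style point on the cert resource in class epel-pkgsigner (and its twin in class pkgsigner): the context line `mode => '440'` is written without the leading zero, while the folder resources in the same classes use '0750'. Since this line's neighbour is being touched anyway, writing it as '0440' would make the permission notation consistent across the file.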
>
> Looks good to me, +1
>
> kevin
>
>
It seems to me that this is a very important group. Do we have an SOP
that describes how this group is handled?
Things like:
a) What kind of "controls" do we have to make sure that the @signers
group is limited and that it requires some sort of approval to add
people to it?
b) Who has the ability to add another person?
c) Are people promptly removed when they no longer need to do any signing?
d) Who has the ability to remove people?
John