[Secure Coding] master: Packaging: Adjust RPM flags of key-related files (f5803d1)
fweimer at fedoraproject.org
Fri Jun 6 14:42:23 UTC 2014
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit f5803d1403f9adf1cb54dd5ab93bb649d5e07c88
Author: Florian Weimer <fweimer at redhat.com>
Date: Fri Jun 6 13:32:50 2014 +0200
Packaging: Adjust RPM flags of key-related files
>---------------------------------------------------------------
defensive-coding/en-US/Tasks-Packaging.xml | 17 +++++++++++++----
1 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/defensive-coding/en-US/Tasks-Packaging.xml b/defensive-coding/en-US/Tasks-Packaging.xml
index 5562f45..3e3feab 100644
--- a/defensive-coding/en-US/Tasks-Packaging.xml
+++ b/defensive-coding/en-US/Tasks-Packaging.xml
@@ -86,11 +86,20 @@ fi
%files
%dir %attr(0755,%{tlsuser},%{tlsuser]) %{tlsdir}
-%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
-%ghost %attr(0644,%{tlsuser},%{tlsuser}) %{tlscert}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlskey}
+%ghost %attr(0644,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlscert}
</programlisting>
</example>
<para>
+ The files containing the key material are marked as ghost
+ configuration files. This ensures that they are tracked in the
+ RPM database as associated with the package, but RPM will not
+ create them when the package is installed and not verify their
+ contents (the <literal>%ghost</literal>), or delete the files
+ when the package is uninstalled (the
+ <literal>%config(noreplace)</literal> part).
+ </para>
+ <para>
If the <emphasis>directory</emphasis>
<literal>%{tlsdir}</literal> <emphasis>is owned by</emphasis>
<literal>root</literal>, use the code in <xref
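Review bot: The added paragraph's sentence mapping behaviours to flags is hard to parse. "(the <literal>%ghost</literal>)" lacks the word "part" that the later "(the <literal>%config(noreplace)</literal> part)" has, and in "will not create them ... and not verify their contents ..., or delete the files" it is unclear how far the negation reaches. Suggest one sentence per flag, so a packager can tell which flag stops RPM from creating and verifying the key files and which one keeps them on uninstall.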
@@ -114,8 +123,8 @@ fi
%files
%dir %attr(0755,root,root]) %{tlsdir}
-%ghost %attr(0600,%{tlsuser},%{tlsuser}) %{tlskey}
-%ghost %attr(0644,root,root) %{tlscert}
+%ghost %attr(0600,%{tlsuser},%{tlsuser}) %config(noreplace) %{tlskey}
+%ghost %attr(0644,root,root) %config(noreplace) %{tlscert}
</programlisting>
</example>
<para>
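Review bot: The context line "%dir %attr(0755,root,root]) %{tlsdir}" just above the changed lines has a stray "]" inside the %attr() arguments, and the first listing's "%dir %attr(0755,%{tlsuser},%{tlsuser]) %{tlsdir}" closes the macro with "]" instead of "}". Since this commit already edits the adjacent %ghost lines in both listings, fix both %dir lines in the same change. Readers are likely to copy these spec fragments verbatim, and these are the lines that set the ownership and mode of the key directory.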