On Fri, 08 Apr 2016 14:56:09 +0200 Laurent Bigonville <bi...@debian.org>
wrote:
> Hi,
>
> Please find a patch (split from the patch previously proposed in bug
> #537866) attached to this mail that install the libnsssysinit module and
> add the setup-nsssysinit script coming from Fedora[0] to allow sysadmin
> to easily enable/disable this module on the machine.
>
> This would be a 1st step to fix #798455 and #537866 could you please
> merge this patch independently from the rest.
>
> Cheers,
>
> Laurent Bigonville
>
> [0]
> http://pkgs.fedoraproject.org/cgit/rpms/nss.git/plain/setup-nsssysinit.sh
>
Any remarks on this patch? Could somebody merge that in the experimental
version?
I've attached a patch rebased against experimental. I've also added the
call to shlibsign for that module (side note: is it expected that
shlibsign is not called for libnssckbi.so?)
Regards,
Laurent Bigonville
diff -Nru nss-3.29.1/debian/libnss3.symbols nss-3.29.1/debian/libnss3.symbols
--- nss-3.29.1/debian/libnss3.symbols 2017-02-12 23:41:48.000000000 +0100
+++ nss-3.29.1/debian/libnss3.symbols 2017-03-01 16:16:01.000000000 +0100
@@ -73,6 +73,8 @@
(symver)NSS_3.1 2:3.13.4-2~
libnssdbm3.so libnss3 #MINVER#
(symver)NSSDBM_3.12 2:3.13.4-2~
+libnsssysinit.so libnss3 #MINVER#
+ NSS_ReturnModuleSpecData@Base 2:3.29.2~
libnssutil3.so libnss3 #MINVER#
(symver)NSSUTIL_3.12 2:3.13.4-2~
(symver)NSSUTIL_3.12.3 2:3.13.4-2~
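Review bot: The minimum version recorded for `NSS_ReturnModuleSpecData@Base` is `2:3.29.2~`, but the patch is made against the nss-3.29.1 tree. If this is uploaded as a 3.29.1 revision, the symbols entry names a version later than the package that first ships the symbol. The upload version is not visible here, so this may be intentional; otherwise the entry should carry the version of the first upload that contains libnsssysinit.so.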
diff -Nru nss-3.29.1/debian/rules nss-3.29.1/debian/rules
--- nss-3.29.1/debian/rules 2016-08-16 09:16:56.000000000 +0200
+++ nss-3.29.1/debian/rules 2017-03-01 16:16:01.000000000 +0100
@@ -105,7 +105,6 @@
$(MAKE) -C nss \
all \
$(COMMON_MAKE_FLAGS) \
- MOZILLA_CLIENT=1 \
NSPR_INCLUDE_DIR=/usr/include/nspr \
NSPR_LIB_DIR=/usr/lib/$(DEB_HOST_MULTIARCH) \
BUILD_OPT=1 \
@@ -140,6 +139,7 @@
$(DISTDIR)/lib/libfreeblpriv3.so \
$(DISTDIR)/lib/libsoftokn3.so \
$(DISTDIR)/lib/libnssdbm3.so \
+ $(DISTDIR)/lib/libnsssysinit.so \
$(DISTDIR)/lib/libnssckbi.so
install -m 644 -t debian/libnss3-dev/usr/include/nss \
@@ -150,6 +150,8 @@
install -m 755 -t debian/libnss3-dev/usr/bin debian/nss-config
install -m 755 -t debian/libnss3-tools/usr/bin $(addprefix $(DISTDIR)/bin/,$(NSS_TOOLS))
+ install -m 755 -d debian/libnss3-tools/usr/sbin
+ install -m 755 -t debian/libnss3-tools/usr/sbin debian/setup-nsssysinit
install -m 755 -d $(DISTDIR)/man
install -m 644 -t $(DISTDIR)/man $(wildcard $(call manpage,$(NSS_TOOLS)))
@@ -170,7 +172,7 @@
override_dh_strip:
dh_strip -a --dbg-package=libnss3-dbg
- $(foreach lib,libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnssdbm3.so, \
+ $(foreach lib,libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnssdbm3.so libnsssysinit.so, \
$(call cmd,umask 022; $(SHLIBSIGN) -v -i debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss/$(lib)))
ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
diff -Nru nss-3.29.1/debian/setup-nsssysinit nss-3.29.1/debian/setup-nsssysinit
--- nss-3.29.1/debian/setup-nsssysinit 1970-01-01 01:00:00.000000000 +0100
+++ nss-3.29.1/debian/setup-nsssysinit 2017-03-01 16:14:57.000000000 +0100
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <<EOF
+Usage: setup-nsssysinit [on|off]
+ on - turns on nsssysinit
+ off - turns off nsssysinit
+ status - reports whether nsssysinit is turned on or off
+EOF
+ exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+ usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
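Review bot: In both the `on` and `off` branches the `mv` runs whether or not `sed` wrote the temporary file completely, so a failed or short write (for example a full disk) replaces the system-wide pkcs11.txt with a truncated copy. Chain the two steps and quote the paths, e.g. `sed -e … "${p11conf}" > "${p11conf}.on" && mv "${p11conf}.on" "${p11conf}" || exit 1`, which also drops the needless `cat`. The replacement file is created under `umask 022`, so it takes a fresh mode and owner rather than the original's; a comment should say whether that is intended. The script keeps the path `/etc/pki/nssdb/pkcs11.txt` from the Fedora original and nothing visible in this patch creates that file, so where it is absent every invocation exits 1. The "Could not find" message should go to stderr like the usage text, and the usage line `[on|off]` should also list `status`.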