diff --git a/manifests/services/pkgsigner.pp b/manifests/services/pkgsigner.pp
index 11af55c..4449934 100644
--- a/manifests/services/pkgsigner.pp
+++ b/manifests/services/pkgsigner.pp
@@ -17,7 +17,7 @@ class pkgsigner {
folder { "/etc/pki/pkgsigner/":
owner => 'root', - group => 'jkeating', + group => 'signers', mode => '0750', source => "blank/" } @@ -25,7 +25,7 @@ class pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root', - group => 'jkeating', + group => 'signers', mode => '440'
}
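Review bot: The `cert` resource in this hunk leaves `/etc/pki/pkgsigner/pkgsigner.pem` group-readable (`mode => '440'`) for `signers`, and the source name `secure/pkgsigner_key_and_cert.pem` suggests the file holds the private key as well as the certificate, so every member of that group can read the key itself. The manifest should say so next to the resource, e.g. `# group read exposes the signing key: membership of 'signers' is the access control`. Nothing visible here ensures the group exists on the node before the resource is applied; if the group is managed in Puppet, `require => Group['signers']` on the `folder` and `cert` resources would make the ordering explicit, and the same holds for the `folder` hunk above and both `epel-pkgsigner` hunks. The mode is written `'440'` here but `'0750'` on the folder; `'0440'` would match.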
@@ -45,7 +45,7 @@ class epel-pkgsigner {
folder { "/etc/pki/pkgsigner/": owner => 'root', - group => 'jkeating', + group => 'signers', mode => '0750',
source => "blank/" } @@ -53,7 +53,7 @@ class epel-pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root', - group => 'jkeating', + group => 'signers', mode => '440'
}
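Review bot: The two `epel-pkgsigner` hunks repeat the edit made in `class pkgsigner` on resources that look identical (same `/etc/pki/pkgsigner/` titles, owner, mode and source), so the group name on the key directory and key file now has to be kept in sync in four places. As far as the hunks show, the shared `folder` and `cert` declarations could live in one class that both classes include, or at least take the group from a single variable, e.g. `$signer_group = 'signers'` and `group => $signer_group`. Both class bodies start and end outside the hunks, so there may be differences that are not visible here.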
+1 (assuming your kmail mangled the patch a bit ;-P)
-Mike
On Thu, 5 Aug 2010, Dennis Gilmore wrote:
diff --git a/manifests/services/pkgsigner.pp b/manifests/services/pkgsigner.pp index 11af55c..4449934 100644
a/manifests/services/pkgsigner.pp +++ b/manifests/services/pkgsigner.pp @@ -17,7 +17,7 @@ class pkgsigner {
folder { "/etc/pki/pkgsigner/": owner => 'root',
group => 'jkeating',
group =>
'signers', mode => '0750', source => "blank/" } @@ -25,7 +25,7 @@ class pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
@@ -45,7 +45,7 @@ class epel-pkgsigner {
folder {
"/etc/pki/pkgsigner/": owner => 'root',
group =>
'jkeating',
group => 'signers', mode => '0750',
source => "blank/" } @@ -53,7 +53,7 @@ class epel-pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
On Thu, 5 Aug 2010 12:37:00 -0500 Dennis Gilmore dennis@ausil.us wrote:
diff --git a/manifests/services/pkgsigner.pp b/manifests/services/pkgsigner.pp index 11af55c..4449934 100644
a/manifests/services/pkgsigner.pp +++ b/manifests/services/pkgsigner.pp @@ -17,7 +17,7 @@ class pkgsigner {
folder { "/etc/pki/pkgsigner/": owner => 'root',
group => 'jkeating',
group =>
'signers', mode => '0750', source => "blank/" } @@ -25,7 +25,7 @@ class pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
@@ -45,7 +45,7 @@ class epel-pkgsigner {
folder {
"/etc/pki/pkgsigner/": owner => 'root',
group =>
'jkeating',
group => 'signers', mode => '0750',
source => "blank/" } @@ -53,7 +53,7 @@ class epel-pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
Looks good to me, +1
kevin
Kevin Fenzi said the following on 08/05/2010 04:44 PM Pacific Time:
On Thu, 5 Aug 2010 12:37:00 -0500 Dennis Gilmore dennis@ausil.us wrote:
diff --git a/manifests/services/pkgsigner.pp b/manifests/services/pkgsigner.pp index 11af55c..4449934 100644
a/manifests/services/pkgsigner.pp +++ b/manifests/services/pkgsigner.pp @@ -17,7 +17,7 @@ class pkgsigner {
folder { "/etc/pki/pkgsigner/": owner => 'root',
group => 'jkeating',
group =>
'signers', mode => '0750', source => "blank/" } @@ -25,7 +25,7 @@ class pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
@@ -45,7 +45,7 @@ class epel-pkgsigner {
folder {
"/etc/pki/pkgsigner/": owner => 'root',
group =>
'jkeating',
group => 'signers', mode => '0750',
source => "blank/" } @@ -53,7 +53,7 @@ class epel-pkgsigner { cert { '/etc/pki/pkgsigner/pkgsigner.pem': source => 'secure/pkgsigner_key_and_cert.pem', owner => 'root',
group => 'jkeating',
group => 'signers', mode => '440'
}
Looks good to me, +1
kevin
It seems to me that this is a very important group. Do we have an SOP that describes how this group is handled?
Things like:
a) What kind of "controls" do we have to make sure that the @signers group is limited and that it requires some sort of approval to add people to it?
b) Who has the ability to add another person?
c) Are people promptly removed when they no longer need to do any signing?
d) Who has the ability to remove people?
John
On Tue, 10 Aug 2010 15:37:29 -0700 John Poelstra poelstra@redhat.com wrote:
It seems to me that this is a very important group. Do we have an SOP that describes how this group is handled?
Not that I know of... perhaps there should be one.
Things like:
a) What kind of "controls" do we have to make sure that the @signers group is limited and that it requires some sort of approval to add people to it?
No more so than any other fas group I don't think.
b) Who has the ability to add another person?
The admin/sponsors of the group. Currently jkeating is the only admin, there are no sponsors.
c) Are people promptly removed when they no longer need to do any signing?
I don't know. I would hope so.
d) Who has the ability to remove people?
admin/sponsor of the group?
I think if we are going to write up policies for this group, we might also cover other "important" groups on the same page, i.e. sysadmin-main, cvsadmin, possibly others?
kevin
On Tue, 10 Aug 2010, Kevin Fenzi wrote:
On Tue, 10 Aug 2010 15:37:29 -0700 John Poelstra poelstra@redhat.com wrote:
It seems to me that this is a very important group. Do we have an SOP that describes how this group is handled?
Not that I know of... perhaps there should be one.
Things like:
a) What kind of "controls" do we have to make sure that the @signers group is limited and that it requires some sort of approval to add people to it?
No more so than any other fas group I don't think.
Yeah, just a regular fas group.
-Mike