https://bugzilla.redhat.com/show_bug.cgi?id=1310092

--- Comment #18 from Ralf Senderek <fedora@xxxxxxxxxxx> ---
(In reply to Richard Shaw from comment #17)
> > I have added a line "Requires=sshd.service" to the cryptoboned.service file
> > and removed the code above from the spec file.
>
> OK.

In hindsight you've been quite right actually to complain about this feature. I made a mistake by thinking that the ssh daemon is a requirement. On the client side I really do need the ssh client to be present, the daemon would be necessary on a Fedora system that implements the external Crypto Bone. So I think I'd remove this requirement from the source code. The next release (6) is in the pipeline, but needs further testing before it'll hit the road.

> > The spec file now has
> > a %posttrans section, which informs the user to run this script.
> > This can be done any time, as long as the user has knowledge of the
> > root password, to set the sudoers.d/cbcontrol file and to activate the
> > daemon.
>
> Ok, I may have to dig into this one a bit. There is actually a process to
> get permission to be enabled by default, I believe it requires an FPC ticket
> but really I don't think for this kind of process that it's unreasonable to have
> them read a little documentation so they know what they're getting into and
> enable the daemon explicitly.
>

I've already worked further on this problem, and you're right that explicit user consent should be necessary to activate the daemon. So the best way to make sure that everything needed is up and running is the GUI. I modified the GUI to ask the user for permission to activate the Crypto Bone and to define the login name of the user that should (exclusively) use this Crypto Bone. It is essential that only a user who can acquire root permissions is able to make this initial setup (via "sudogetuser"). All other users must be blocked from changing anything. I think the GUI does that now.
(rel 6)

> This is a pretty invasive package so I appreciate your patience with getting
> me up to speed and making all the requisite changes.
> I'll start on the full review as soon as I have a few moments.

Thank you for your time and effort.

PS: I know that rpmlint has a few issues with the rpm, but the non-standard file permissions are all a result of security measures, not ignorance.