#!/bin/bash
set -e

#
# With /run/pesign/socket on tmpfs, a simple way of restoring the
# acls for specific users is useful
#
#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
#

# License: GPLv2

if [ -r /etc/pesign/users ]; then
    for username in $(cat /etc/pesign/users); do
	if [ -d /var/run/pesign ]; then
	    setfacl -m g:${username}:rx /var/run/pesign
	    if [ -e /var/run/pesign/socket ]; then
		setfacl -m g:${username}:rw /var/run/pesign/socket
	    fi
	fi
	for x in /etc/pki/pesign* ; do
	    if [ -d ${x} ]; then
		setfacl -m g:${username}:rx /etc/pki/pesign
		for y in ${x}/{cert8,key3,secmod}.db ; do
		    setfacl -m g:${username}:rw ${y}
		done
	    fi
	done
    done
fi
