From 1a81c69db595a4af8814776968ebe4f5b093806e Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Fri, 14 May 2010 17:30:00 -0700
Subject: [PATCH] Modify shib-keygen to create the certificate key group-readable
* Modify shib-keygen to create the new certificate key group-readable by _shibd and not world-readable. (Closes: #571631)
---
 configs/keygen.sh | 9 +++++----
 debian/changelog | 7 +++++++
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/configs/keygen.sh b/configs/keygen.sh
index cd53c9e..e68607c 100755
--- a/configs/keygen.sh
+++ b/configs/keygen.sh
@@ -66,6 +66,11 @@ subjectAltName=$ALTNAME
 subjectKeyIdentifier=hash
 EOF
+# Added for Debian. Make the key mode 640 and readable by group _shibd so
+# that the Debian shibd can use a non-root user.
+touch sp-key.pem
+chgrp _shibd sp-key.pem
+chmod 640 sp-key.pem
 if [ -z "$BATCH" ] ; then
 openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem
 else
@@ -73,7 +78,3 @@ else
 fi
 rm sp-cert.cnf
-
-if [ -s sp-key.pem ] ; then
- chmod 600 sp-key.pem
-fi
diff --git a/debian/changelog b/debian/changelog
index e3d0bb7..b628755 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+shibboleth-sp2 (2.3.1+dfsg-2) UNRELEASED; urgency=low
+
+ * Modify shib-keygen to create the new certificate key group-readable by
+ _shibd and not world-readable. (Closes: #571631)
+
+ -- Russ Allbery Fri, 14 May 2010 17:29:48 -0700
+
 shibboleth-sp2 (2.3.1+dfsg-1) unstable; urgency=low
 * New upstream release.
-- 
2.1.4
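Review bot: The three new lines before `if [ -z "$BATCH" ]` set the key file's group and mode but never check that `chgrp`/`chmod` succeeded, so on a system without a `_shibd` group, or when an existing `sp-key.pem` cannot be changed, the script carries on and `openssl req -keyout` writes the private key into a file whose mode was never verified; the old `chmod 600` fallback is removed by this same commit, so nothing catches it afterwards. I would fail closed with `touch sp-key.pem && chgrp _shibd sp-key.pem && chmod 640 sp-key.pem || exit 1`. The scheme also depends on `-keyout` truncating the pre-created file in place rather than unlinking and recreating it, which as far as I can tell is how openssl behaves but deserves a comment on the `touch` line, e.g. `# pre-create so openssl truncates in place and the group/mode set here survive`. The brief window between `touch` and `chmod` only exposes an empty file, so that part is harmless. The `if`/`else` block started here runs past the end of the hunk.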