file_hash() {
if type md5sum &>/dev/null ; then
md5sum "$1"
- elif type lockfile &>/dev/null ; then
+ elif type md5 &>/dev/null ; then
md5 "$1"
else
failure "Neither md5sum nor md5 are in the path!"
<n>y = key expires in n years
EOF
while [ -z "$keyExpire" ] ; do
- read -p "Key is valid for? (0) " keyExpire
+ printf "Key is valid for? (0) " >&2
+ read keyExpire
if ! test_gpg_expire ${keyExpire:=0} ; then
echo "invalid value" >&2
unset keyExpire
local fifo="$2"
local PASS
- if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then
+ if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null 2>/dev/null; then
printf 'Launching "%s"\n' "${SSH_ASKPASS:-ssh-askpass}" | log info
printf '(with prompt "%s")\n' "$prompt" | log debug
"${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo"
path="$2"
# get the user's home directory
- userHome=$(getent passwd "$uname" | cut -d: -f6)
+ userHome=$(get_homedir "$uname")
# translate '%u' to user name
path=${path/\%u/"$uname"}
check_key_file_permissions() {
local uname
local path
- local stat
- local access
- local gAccess
- local oAccess
-
- # function to check that the given permission corresponds to writability
- is_write() {
- [ "$1" = "w" ]
- }
uname="$1"
path="$2"
- log debug "checking path permission '$path'..."
-
- # return 255 if cannot stat file
- if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
- log error "could not stat path '$path'."
- return 255
+ if [ "$STRICT_MODES" = 'false' ] ; then
+ log debug "skipping path permission check for '$path' because STRICT_MODES is false..."
+ return 0
fi
+ log debug "checking path permission '$path'..."
+ "${SYSSHAREDIR}/checkperms" "$uname" "$path"
+}
- owner=$(echo "$stat" | awk '{ print $3 }')
- gAccess=$(echo "$stat" | cut -c6)
- oAccess=$(echo "$stat" | cut -c9)
-
- # return 1 if path has invalid owner
- if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then
- log error "improper ownership on path '$path':"
- log error " $owner != ($uname|root)"
- return 1
+# return a list of all users on the system
+list_users() {
+ if type getent &>/dev/null ; then
+ # for linux and FreeBSD systems
+ getent passwd | cut -d: -f1
+ elif type dscl &>/dev/null ; then
+ # for Darwin systems
+ dscl localhost -list /Search/Users
+ else
+ failure "Neither getent or dscl is in the path! Could not determine list of users."
fi
+}
- # return 2 if path has group or other writability
- if is_write "$gAccess" || is_write "$oAccess" ; then
- log error "improper group or other writability on path '$path':"
- log error " group: $gAccess, other: $oAcess"
- return 2
- fi
+# return the path to the home directory of a user
+get_homedir() {
+ local uname=${1:-`whoami`}
+ eval "echo ~${uname}"
+}
- # return zero if all clear, or go to next path
- if [ "$path" = '/' ] ; then
- log debug "path ok."
- return 0
- else
- check_key_file_permissions "$uname" $(dirname "$path")
- fi
+# return the primary group of a user
+get_primary_group() {
+ local uname=${1:-`whoami`}
+ groups "$uname" | sed 's/^..* : //' | awk '{ print $1 }'
}
### CONVERSION UTILITIES
local nHostsBAD
local fileCheck
local host
+ local newUmask
# the number of hosts specified on command line
nHosts="$#"
# touch the known_hosts file so that the file permission check
# below won't fail upon not finding the file
- (umask 0022 && touch "$KNOWN_HOSTS")
+ if [ ! -f "$KNOWN_HOSTS" ]; then
+ # make sure to create any files or directories with the appropriate write bits turned off:
+ newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
+ [ -d $(dirname "$KNOWN_HOSTS") ] \
+ || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \
+ || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
+ # make sure to create this file with the appropriate bits turned off:
+ (umask "$newUmask" && touch "$KNOWN_HOSTS") \
+ || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
+ fi
# check permissions on the known_hosts file path
- check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure
+ check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \
+ || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
# create a lockfile on known_hosts:
lock create "$KNOWN_HOSTS"
trap "lock remove $KNOWN_HOSTS" EXIT
# note pre update file checksum
- fileCheck="$(file_hash "$KNOWN_HOSTS")"
+ fileCheck=$(file_hash "$KNOWN_HOSTS")
for host ; do
# process the host