X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=1e8f23c0ca97de6ed2c17b98ecc40e0661ce68bd;hb=4a0f106f79e46edd6a0c18ec68e7f0cb9f05550f;hp=240de38886f5ae39568cf96cb23099946253bbe7;hpb=5fadec09dcd44c4dcad657a0f3d96878b592b77b;p=monkeysphere.git diff --git a/src/common b/src/common index 240de38..1e8f23c 100644 --- a/src/common +++ b/src/common @@ -79,11 +79,15 @@ remove_line() { file="$1" string="$2" - # if the string is in the file and removed, return 0 + if [ -z "$file" -o -z "$string" ] ; then + return 1 + fi + + # if the string is in the file... if grep -q -F "$string" "$file" 2> /dev/null ; then + # remove the line with the string, and return 0 grep -v -F "$string" "$file" | sponge "$file" return 0 - # otherwise return 1 else return 1 @@ -111,7 +115,49 @@ translate_ssh_variables() { # test that a string to conforms to GPG's expiration format test_gpg_expire() { - echo "$1" | egrep -q "^[0-9][mwy]?$" + echo "$1" | egrep -q "^[0-9]+[mwy]?$" +} + +# check that a file is properly owned, and that all it's parent +# directories are not group/other writable +check_key_file_permissions() { + local user + local path + local access + local gAccess + local oAccess + + # function to check that an octal corresponds to writability + is_write() { + [ "$1" -eq 2 -o "$1" -eq 3 -o "$1" -eq 6 -o "$1" -eq 7 ] + } + + user="$1" + path="$2" + + # return 0 is path does not exist + [ -e "$path" ] || return 0 + + owner=$(stat --format '%U' "$path") + access=$(stat --format '%a' "$path") + gAccess=$(echo "$access" | cut -c2) + oAccess=$(echo "$access" | cut -c3) + + # check owner + if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then + return 1 + fi + + # check group/other writability + if is_write "$gAccess" || is_write "$oAccess" ; then + return 2 + fi + + if [ "$path" = '/' ] ; then + return 0 + else + check_key_file_permissions $(dirname "$path") + fi } ### CONVERSION UTILITIES @@ -405,6 +451,10 @@ process_host_known_hosts() { keyid=$(echo "$line" | cut -d: -f2) sshKey=$(gpg2ssh "$keyid") + if [ -z "$sshKey" ] ; then + log " ! key could not be translated." + continue + fi # remove the old host key line, and note if removed remove_line "$KNOWN_HOSTS" "$sshKey" @@ -513,6 +563,11 @@ process_known_hosts() { hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') + if [ -z "$hosts" ] ; then + log "no hosts to process." + return + fi + # take all the hosts from the known_hosts file (first # field), grep out all the hashed hosts (lines starting # with '|')... @@ -542,6 +597,10 @@ process_uid_authorized_keys() { keyid=$(echo "$line" | cut -d: -f2) sshKey=$(gpg2ssh "$keyid") + if [ -z "$sshKey" ] ; then + log " ! key could not be translated." + continue + fi # remove the old host key line remove_line "$AUTHORIZED_KEYS" "$sshKey" @@ -636,15 +695,25 @@ update_authorized_keys() { # process an authorized_user_ids file for authorized_keys process_authorized_user_ids() { local line + local nline local userIDs authorizedUserIDs="$1" log "processing authorized_user_ids file..." + if ! meat "$authorizedUserIDs" ; then + log "no user IDs to process." + return + fi + + nline=0 + # extract user IDs from authorized_user_ids file - for line in $(seq 1 $(meat "$authorizedUserIDs" | wc -l)) ; do - userIDs[$((line-1))]=$(cutline "$line" "$authorizedUserIDs") + IFS=$'\n' + for line in $(meat "$authorizedUserIDs") ; do + userIDs["$nline"]="$line" + nline=$((nline+1)) done update_authorized_keys "${userIDs[@]}"