X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=1e8f23c0ca97de6ed2c17b98ecc40e0661ce68bd;hb=4c39f00752f9a57329aff481d33aed24bfc301a4;hp=5d43fa4aa15a44a054037b46c35edf405c122e53;hpb=c8b42c1d77005ab3f41d20cc2524f4307086ec4f;p=monkeysphere.git diff --git a/src/common b/src/common index 5d43fa4..1e8f23c 100644 --- a/src/common +++ b/src/common @@ -20,14 +20,10 @@ export ETC ######################################################################## ### UTILITY FUNCTIONS -error() { - log "$1" - ERR=${2:-'1'} -} - +# failure function. exits with code 255, unless specified otherwise. failure() { echo "$1" >&2 - exit ${2:-'1'} + exit ${2:-'255'} } # write output to stderr @@ -83,11 +79,15 @@ remove_line() { file="$1" string="$2" - # if the string is in the file and removed, return 0 + if [ -z "$file" -o -z "$string" ] ; then + return 1 + fi + + # if the string is in the file... if grep -q -F "$string" "$file" 2> /dev/null ; then + # remove the line with the string, and return 0 grep -v -F "$string" "$file" | sponge "$file" return 0 - # otherwise return 1 else return 1 @@ -115,7 +115,49 @@ translate_ssh_variables() { # test that a string to conforms to GPG's expiration format test_gpg_expire() { - echo "$1" | egrep -q "^[0-9][mwy]?$" + echo "$1" | egrep -q "^[0-9]+[mwy]?$" +} + +# check that a file is properly owned, and that all it's parent +# directories are not group/other writable +check_key_file_permissions() { + local user + local path + local access + local gAccess + local oAccess + + # function to check that an octal corresponds to writability + is_write() { + [ "$1" -eq 2 -o "$1" -eq 3 -o "$1" -eq 6 -o "$1" -eq 7 ] + } + + user="$1" + path="$2" + + # return 0 is path does not exist + [ -e "$path" ] || return 0 + + owner=$(stat --format '%U' "$path") + access=$(stat --format '%a' "$path") + gAccess=$(echo "$access" | cut -c2) + oAccess=$(echo "$access" | cut -c3) + + # check owner + if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then + return 1 + fi + + # check group/other writability + if is_write "$gAccess" || is_write "$oAccess" ; then + return 2 + fi + + if [ "$path" = '/' ] ; then + return 0 + else + check_key_file_permissions $(dirname "$path") + fi } ### CONVERSION UTILITIES @@ -409,6 +451,10 @@ process_host_known_hosts() { keyid=$(echo "$line" | cut -d: -f2) sshKey=$(gpg2ssh "$keyid") + if [ -z "$sshKey" ] ; then + log " ! key could not be translated." + continue + fi # remove the old host key line, and note if removed remove_line "$KNOWN_HOSTS" "$sshKey" @@ -517,6 +563,11 @@ process_known_hosts() { hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') + if [ -z "$hosts" ] ; then + log "no hosts to process." + return + fi + # take all the hosts from the known_hosts file (first # field), grep out all the hashed hosts (lines starting # with '|')... @@ -546,6 +597,10 @@ process_uid_authorized_keys() { keyid=$(echo "$line" | cut -d: -f2) sshKey=$(gpg2ssh "$keyid") + if [ -z "$sshKey" ] ; then + log " ! key could not be translated." + continue + fi # remove the old host key line remove_line "$AUTHORIZED_KEYS" "$sshKey" @@ -640,15 +695,25 @@ update_authorized_keys() { # process an authorized_user_ids file for authorized_keys process_authorized_user_ids() { local line + local nline local userIDs authorizedUserIDs="$1" log "processing authorized_user_ids file..." + if ! meat "$authorizedUserIDs" ; then + log "no user IDs to process." + return + fi + + nline=0 + # extract user IDs from authorized_user_ids file - for line in $(seq 1 $(meat "$authorizedUserIDs" | wc -l)) ; do - userIDs[$((line-1))]=$(cutline "$line" "$authorizedUserIDs") + IFS=$'\n' + for line in $(meat "$authorizedUserIDs") ; do + userIDs["$nline"]="$line" + nline=$((nline+1)) done update_authorized_keys "${userIDs[@]}"