X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fcommon;h=5df8f6a7198a158db439ee0c1e124012fc6c87a4;hb=6923ef580f068ff535af273714e59235260ab7b6;hp=48739d92d8639056c59295cf6fba0585df162eec;hpb=1343ffb414e74917b4e6f9eed05df035d25be4aa;p=monkeysphere.git diff --git a/src/common b/src/common index 48739d9..5df8f6a 100644 --- a/src/common +++ b/src/common @@ -1,4 +1,5 @@ # -*-shell-script-*- +# This should be sourced by bash (though we welcome changes to make it POSIX sh compliant) # Shared sh functions for the monkeysphere # @@ -16,15 +17,18 @@ ### COMMON VARIABLES # managed directories -ETC="/etc/monkeysphere" -export ETC +SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} +export SYSCONFIGDIR + +# monkeysphere version +VERSION=__VERSION__ ######################################################################## ### UTILITY FUNCTIONS # failure function. exits with code 255, unless specified otherwise. failure() { - echo "$1" >&2 + [ "$1" ] && echo "$1" >&2 exit ${2:-'255'} } @@ -147,7 +151,7 @@ advance_date() { local shortunits # try things the GNU way first - if date -d "$number $longunits" "$format" >&/dev/null ; then + if date -d "$number $longunits" "$format" >/dev/null 2>&1; then date -d "$number $longunits" "$format" else # otherwise, convert to (a limited version of) BSD date syntax: @@ -393,42 +397,48 @@ test_gpg_expire() { # check that a file is properly owned, and that all it's parent # directories are not group/other writable check_key_file_permissions() { - local user + local uname local path + local stat local access local gAccess local oAccess - # function to check that an octal corresponds to writability + # function to check that the given permission corresponds to writability is_write() { - [ "$1" -eq 2 -o "$1" -eq 3 -o "$1" -eq 6 -o "$1" -eq 7 ] + [ "$1" = "w" ] } - user="$1" + uname="$1" path="$2" - # return 0 is path does not exist - [ -e "$path" ] || return 0 + # return 255 if cannot stat file + if ! stat=$(ls -ld "$path" 2>/dev/null) ; then + log error "could not stat path '$path'." + return 255 + fi - owner=$(stat --format '%U' "$path") - access=$(stat --format '%a' "$path") - gAccess=$(echo "$access" | cut -c2) - oAccess=$(echo "$access" | cut -c3) + owner=$(echo "$stat" | awk '{ print $3 }') + gAccess=$(echo "$stat" | cut -c6) + oAccess=$(echo "$stat" | cut -c9) - # check owner - if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then + # return 1 if path has invalid owner + if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then + log error "improper ownership on path '$path'." return 1 fi - # check group/other writability + # return 2 if path has group or other writability if is_write "$gAccess" || is_write "$oAccess" ; then + log error "improper group or other writability on path '$path'." return 2 fi + # return zero if all clear, or go to next path if [ "$path" = '/' ] ; then return 0 else - check_key_file_permissions $(dirname "$path") + check_key_file_permissions "$uname" $(dirname "$path") fi } @@ -516,7 +526,7 @@ gpg_fetch_userid() { userID="$1" - log info " checking keyserver $KEYSERVER... " + log verbose " checking keyserver $KEYSERVER... " echo 1,2,3,4,5 | \ gpg --quiet --batch --with-colons \ --command-fd 0 --keyserver "$KEYSERVER" \ @@ -609,17 +619,17 @@ process_user_id() { # if overall key is not valid, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then - log error " - unacceptable primary key validity ($validity)." + log debug " - unacceptable primary key validity ($validity)." continue fi # if overall key is disabled, skip if check_capability "$usage" 'D' ; then - log error " - key disabled." + log debug " - key disabled." continue fi # if overall key capability is not ok, skip if ! check_capability "$usage" $requiredPubCapability ; then - log error " - unacceptable primary key capability ($usage)." + log debug " - unacceptable primary key capability ($usage)." continue fi @@ -633,7 +643,7 @@ process_user_id() { ;; 'uid') # user ids if [ "$lastKey" != pub ] ; then - log error " - got a user ID after a sub key?! user IDs should only follow primary keys!" + log verbose " ! got a user ID after a sub key?! user IDs should only follow primary keys!" continue fi # if an acceptable user ID was already found, skip @@ -646,6 +656,8 @@ process_user_id() { if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then # mark user ID acceptable uidOK=true + else + log debug " - unacceptable user ID validity ($validity)." fi else continue @@ -661,9 +673,9 @@ process_user_id() { echo "0:${sshKey}" fi else - log error " - unacceptable primary key." + log debug " - unacceptable primary key." if [ -z "$sshKey" ] ; then - log error " ! primary key could not be translated (not RSA or DSA?)." + log debug " ! primary key could not be translated (not RSA or DSA?)." else echo "1:${sshKey}" fi @@ -687,10 +699,12 @@ process_user_id() { # if sub key validity is not ok, skip if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + log debug " - unacceptable sub key validity ($validity)." continue fi # if sub key capability is not ok, skip if ! check_capability "$usage" $requiredCapability ; then + log debug " - unacceptable sub key capability ($usage)." continue fi @@ -717,9 +731,9 @@ process_user_id() { echo "0:${sshKey}" fi else - log error " - unacceptable sub key." + log debug " - unacceptable sub key." if [ -z "$sshKey" ] ; then - log error " ! sub key could not be translated (not RSA or DSA?)." + log debug " ! sub key could not be translated (not RSA or DSA?)." else echo "1:${sshKey}" fi @@ -736,6 +750,7 @@ process_user_id() { process_host_known_hosts() { local host local userID + local noKey= local nKeys local nKeysOK local ok @@ -762,8 +777,9 @@ process_host_known_hosts() { continue fi - # remove the old host key line, and note if removed - remove_line "$KNOWN_HOSTS" "$sshKey" + # remove any old host key line, and note if removed nothing is + # removed + remove_line "$KNOWN_HOSTS" "$sshKey" || noKey=true # if key OK, add new host line if [ "$ok" -eq '0' ] ; then @@ -782,6 +798,11 @@ process_host_known_hosts() { else ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS" fi + + # log if this is a new key to the known_hosts file + if [ "$noKey" ] ; then + log info "* new key for $host added to known_hosts file." + fi fi done @@ -846,7 +867,7 @@ update_known_hosts() { # note if the known_hosts file was updated if [ "$(file_hash "$KNOWN_HOSTS")" != "$fileCheck" ] ; then - log verbose "known_hosts file updated." + log debug "known_hosts file updated." fi # if an acceptable host was found, return 0 @@ -869,12 +890,12 @@ update_known_hosts() { process_known_hosts() { local hosts - log verbose "processing known_hosts file..." + log debug "processing known_hosts file..." hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') if [ -z "$hosts" ] ; then - log error "no hosts to process." + log debug "no hosts to process." return fi @@ -989,7 +1010,7 @@ update_authorized_keys() { # note if the authorized_keys file was updated if [ "$(file_hash "$AUTHORIZED_KEYS")" != "$fileCheck" ] ; then - log verbose "authorized_keys file updated." + log debug "authorized_keys file updated." fi # if an acceptable id was found, return 0 @@ -1016,10 +1037,10 @@ process_authorized_user_ids() { authorizedUserIDs="$1" - log verbose "processing authorized_user_ids file..." + log debug "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then - log error "no user IDs to process." + log debug " no user IDs to process." return fi