X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fmonkeysphere-server;h=6ca6a4f7a3b4d6023cc39014a78c65e2c1f13322;hb=refs%2Ftags%2Fmonkeysphere_0.17-1;hp=60a83af3adf339070a358c85cfe5ed85eee13cb5;hpb=91d16f389d27fa8e9e7ed721029334e187506da1;p=monkeysphere.git diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 60a83af..6ca6a4f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -66,8 +66,17 @@ subcommands: EOF } +# function to run command as monkeysphere user su_monkeysphere_user() { - su "$MONKEYSPHERE_USER" -c "$@" + # if the current user is the monkeysphere user, then just eval + # command + if [ $(id -un) = "$MONKEYSPHERE_USER" ] ; then + eval "$@" + + # otherwise su command as monkeysphere user + else + su "$MONKEYSPHERE_USER" -c "$@" + fi } # function to interact with the host gnupg keyring @@ -161,32 +170,8 @@ update_users() { continue fi - # set authorized_user_ids and raw authorized_keys variables, - # translating ssh-style path variables - authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") - rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") - - # if neither is found, skip user - if [ ! -s "$authorizedUserIDs" ] ; then - if [ "$rawAuthorizedKeys" = '-' -o ! -s "$rawAuthorizedKeys" ] ; then - continue - fi - fi - log verbose "----- user: $uname -----" - # exit if the authorized_user_ids file is empty - if ! check_key_file_permissions "$uname" "$AUTHORIZED_USER_IDS" ; then - log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." - continue - fi - - # check permissions on the authorized_keys file path - if ! check_key_file_permissions "$uname" "$RAW_AUTHORIZED_KEYS" ; then - log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'." - continue - fi - # make temporary directory TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX) 
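Review bot: In su_monkeysphere_user the new same-user branch runs `eval "$@"` in the calling shell, while the `su "$MONKEYSPHERE_USER" -c` branch runs the command in a separate process, so the two paths are not equivalent. With eval, the `. ${SYSSHAREDIR}/common; ...` string that update_users passes in later in this diff is sourced into monkeysphere-server itself, and any `exit` or variable assignment in the command affects the caller. Wrapping it in a subshell, `( eval "$@" )`, keeps the isolation the su path has. The test should also quote the substitution, `if [ "$(id -un)" = "$MONKEYSPHERE_USER" ] ; then`, so an empty result from `id` does not become a `[` syntax error. Because a shell re-parses the string on both paths, the function comment should state that callers may only interpolate values they control.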
@@ -208,39 +193,60 @@ update_users() { chmod 0600 "$TMP_AUTHORIZED_USER_IDS" chown -R "$MONKEYSPHERE_USER" "$TMPLOC" - # if the authorized_user_ids file exists... + # process authorized_user_ids file + # translating ssh-style path variables + authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS") if [ -s "$authorizedUserIDs" ] ; then - # copy user authorized_user_ids file to temporary - # location - cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" - - # export needed variables - export AUTHORIZED_KEYS - export TMP_AUTHORIZED_USER_IDS - - # process authorized_user_ids file, as monkeysphere - # user - su_monkeysphere_user \ - ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" - RETURN="$?" + # check permissions on the authorized_user_ids file path + if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then + # copy user authorized_user_ids file to temporary + # location + cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" + + # export needed variables + export AUTHORIZED_KEYS + export TMP_AUTHORIZED_USER_IDS + + # process authorized_user_ids file, as monkeysphere + # user + su_monkeysphere_user \ + ". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" + RETURN="$?" + else + log error "Improper permissions on path '$AUTHORIZED_USER_IDS'." + fi fi - # add user-controlled authorized_keys file path if specified - if [ "$rawAuthorizedKeys" != '-' -a -s "$rawAuthorizedKeys" ] ; then - log verbose "adding raw authorized_keys file... 
" - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + # add user-controlled authorized_keys file if specified + # translate ssh-style path variables + rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS") + if [ "$rawAuthorizedKeys" -a -s "$rawAuthorizedKeys" ] ; then + # check permissions on the authorized_keys file path + if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then + log verbose "adding raw authorized_keys file... " + cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + else + log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'. Not added to authorized_keys file." + fi fi - # openssh appears to check the contents of the - # authorized_keys file as the user in question, so the - # file must be readable by that user at least. - # FIXME: is there a better way to do this? - chown root "$AUTHORIZED_KEYS" - chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" - chmod g+r "$AUTHORIZED_KEYS" + # move the new authorized_keys file into place + if [ -s "$AUTHORIZED_KEYS" ] ; then + # openssh appears to check the contents of the + # authorized_keys file as the user in question, so the + # file must be readable by that user at least. + # FIXME: is there a better way to do this? + chown root "$AUTHORIZED_KEYS" + chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS" + chmod g+r "$AUTHORIZED_KEYS" + + mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" + else + rm -f "${SYSDATADIR}/authorized_keys/${uname}" + fi - # move the resulting authorized_keys file into place - mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" + # unset the trap + trap - EXIT # destroy temporary directory rm -rf "$TMPLOC" 
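Review bot: The permission check and the read are two separate steps on a user-controlled path, both run by this script: `check_key_file_permissions "$uname" "$rawAuthorizedKeys"` inspects the path, and `cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"` then opens it again (the same pattern applies to `$authorizedUserIDs`). check_key_file_permissions is not visible in this hunk, so it cannot be confirmed here that it rejects symlinks and user-writable parent directories; if it does not, the file that is read can differ from the file that was checked, and its content lands in a file that is then made group-readable for the user. I would document the requirement above each cat, e.g. `# read happens after the check: check_key_file_permissions must reject symlinks and paths the user can swap`, and consider doing the read with the user's own privileges instead. The two `log error` lines also print the untranslated templates `$AUTHORIZED_USER_IDS` and `$RAW_AUTHORIZED_KEYS` rather than the path that was checked; `'$authorizedUserIDs'` and `'$rawAuthorizedKeys'` would be more useful in the log. update_users starts and ends outside this hunk.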
@@ -681,11 +687,14 @@ diagnostics() { # FIXME: look to see that the ownertrust rules are set properly on the # authentication keyring -# FIXME: make sure that at least one identity certifier exists +# FIXME: make sure that at least one identity certifier exists # FIXME: look at the timestamps on the monkeysphere-generated # authorized_keys files -- warn if they seem out-of-date. +# FIXME: check for a cronjob that updates monkeysphere-generated +# authorized_keys? + echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: @@ -919,7 +928,7 @@ unset MONKEYSPHERE_USER # set empty config variable with ones from the environment, or with # defaults LOG_LEVEL=${MONKEYSPHERE_LOG_LEVEL:=${LOG_LEVEL:="INFO"}} -KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="pool.sks-keyservers.net"}} AUTHORIZED_USER_IDS=${MONKEYSPHERE_AUTHORIZED_USER_IDS:=${AUTHORIZED_USER_IDS:="%h/.monkeysphere/authorized_user_ids"}} RAW_AUTHORIZED_KEYS=${MONKEYSPHERE_RAW_AUTHORIZED_KEYS:=${RAW_AUTHORIZED_KEYS:="%h/.ssh/authorized_keys"}} MONKEYSPHERE_USER=${MONKEYSPHERE_MONKEYSPHERE_USER:=${MONKEYSPHERE_USER:="monkeysphere"}}