X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fcommon;h=4aa3f7ce14857b60390a2c2da02bf1cabddaeee7;hb=e8c2a77f53d65fed90af9fc9c62380fa9c81f858;hp=8e2232d659350558e472bd5f37c365d050317b8d;hpb=0e288e3ce07ff84830aeaa414191666fad55db6b;p=monkeysphere.git diff --git a/src/share/common b/src/share/common index 8e2232d..4aa3f7c 100644 --- a/src/share/common +++ b/src/share/common @@ -310,7 +310,7 @@ passphrase_prompt() { local fifo="$2" local PASS - if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then + if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null 2>/dev/null; then printf 'Launching "%s"\n' "${SSH_ASKPASS:-ssh-askpass}" | log info printf '(with prompt "%s")\n' "$prompt" | log debug "${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo" @@ -411,58 +411,16 @@ test_gpg_expire() { check_key_file_permissions() { local uname local path - local stat - local access - local gAccess - local oAccess - - # function to check that the given permission corresponds to writability - is_write() { - [ "$1" = "w" ] - } uname="$1" path="$2" - log debug "checking path permission '$path'..." - - # rewrite path if it points to a symlink - if [ -h "$path" ] ; then - path=$(readlink -f "$path") - log debug "checking path symlink '$path'..." - fi - - # return 255 if cannot stat file - if ! stat=$(ls -ld "$path" 2>/dev/null) ; then - log error "could not stat path '$path'." - return 255 - fi - - owner=$(echo "$stat" | awk '{ print $3 }') - gAccess=$(echo "$stat" | cut -c6) - oAccess=$(echo "$stat" | cut -c9) - - # return 1 if path has invalid owner - if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then - log error "improper ownership on path '$path':" - log error " $owner != ($uname|root)" - return 1 - fi - - # return 2 if path has group or other writability - if is_write "$gAccess" || is_write "$oAccess" ; then - log error "improper group or other writability on path '$path':" - log error " group: $gAccess, other: $oAccess" - return 2 - fi - - # return zero if all clear, or go to next path - if [ "$path" = '/' ] ; then - log debug "path ok." + if [ "$STRICT_MODES" = 'false' ] ; then + log debug "skipping path permission check for '$path' because STRICT_MODES is false..." return 0 - else - check_key_file_permissions "$uname" $(dirname "$path") fi + log debug "checking path permission '$path'..." + "${SYSSHAREDIR}/checkperms" "$uname" "$path" } # return a list of all users on the system @@ -887,6 +845,7 @@ update_known_hosts() { local nHostsBAD local fileCheck local host + local newUmask # the number of hosts specified on command line nHosts="$#" @@ -896,10 +855,20 @@ update_known_hosts() { # touch the known_hosts file so that the file permission check # below won't fail upon not finding the file - (umask 0022 && touch "$KNOWN_HOSTS") + if [ ! -f "$KNOWN_HOSTS" ]; then + # make sure to create any files or directories with the appropriate write bits turned off: + newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) ) + [ -d $(dirname "$KNOWN_HOSTS") ] \ + || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \ + || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'" + # make sure to create this file with the appropriate bits turned off: + (umask "$newUmask" && touch "$KNOWN_HOSTS") \ + || failure "Unable to create known_hosts file '$KNOWN_HOSTS'" + fi # check permissions on the known_hosts file path - check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure + check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \ + || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'" # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" @@ -907,7 +876,7 @@ update_known_hosts() { trap "lock remove $KNOWN_HOSTS" EXIT # note pre update file checksum - fileCheck="$(file_hash "$KNOWN_HOSTS")" + fileCheck=$(file_hash "$KNOWN_HOSTS") for host ; do # process the host