X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fcommon;h=4aa3f7ce14857b60390a2c2da02bf1cabddaeee7;hb=e8c2a77f53d65fed90af9fc9c62380fa9c81f858;hp=bd887d39b410d333badc6048b08d5e777322ce4b;hpb=9d0eb248fd7965df843665dbd179bb6493f8d9c3;p=monkeysphere.git

diff --git a/src/share/common b/src/share/common
index bd887d3..4aa3f7c 100644
--- a/src/share/common
+++ b/src/share/common
@@ -291,7 +291,8 @@ Please specify how long the key should be valid.
       <n>y = key expires in n years
 EOF
 	while [ -z "$keyExpire" ] ; do
-	    read -p "Key is valid for? (0) " keyExpire
+	    printf "Key is valid for? (0) " >&2
+	    read keyExpire
 	    if ! test_gpg_expire ${keyExpire:=0} ; then
 		echo "invalid value" >&2
 		unset keyExpire
@@ -309,7 +310,7 @@ passphrase_prompt() {
     local fifo="$2"
     local PASS
 
-    if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null; then
+    if [ "$DISPLAY" ] && type "${SSH_ASKPASS:-ssh-askpass}" >/dev/null 2>/dev/null; then
 	printf 'Launching "%s"\n' "${SSH_ASKPASS:-ssh-askpass}" | log info
 	printf '(with prompt "%s")\n' "$prompt" | log debug
 	"${SSH_ASKPASS:-ssh-askpass}" "$prompt" > "$fifo"
@@ -410,58 +411,16 @@ test_gpg_expire() {
 check_key_file_permissions() {
     local uname
     local path
-    local stat
-    local access
-    local gAccess
-    local oAccess
-
-    # function to check that the given permission corresponds to writability
-    is_write() {
-	[ "$1" = "w" ]
-    }
 
     uname="$1"
     path="$2"
 
-    log debug "checking path permission '$path'..."
-
-    # rewrite path if it points to a symlink
-    if [ -h "$path" ] ; then
-	path=$(readlink -f "$path")
-	log debug "checking path symlink '$path'..."
-    fi
-
-    # return 255 if cannot stat file
-    if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
-        log error "could not stat path '$path'."
-	return 255
-    fi
-
-    owner=$(echo "$stat" | awk '{ print $3 }')
-    gAccess=$(echo "$stat" | cut -c6)
-    oAccess=$(echo "$stat" | cut -c9)
-
-    # return 1 if path has invalid owner
-    if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then
-	log error "improper ownership on path '$path':"
-	log error " $owner != ($uname|root)"
-	return 1
-    fi
-
-    # return 2 if path has group or other writability
-    if is_write "$gAccess" || is_write "$oAccess" ; then
-	log error "improper group or other writability on path '$path':"
-	log error " group: $gAccess, other: $oAccess"
-	return 2
-    fi
-
-    # return zero if all clear, or go to next path
-    if [ "$path" = '/' ] ; then
-	log debug "path ok."
+    if [ "$STRICT_MODES" = 'false' ] ; then
+	log debug "skipping path permission check for '$path' because STRICT_MODES is false..."
 	return 0
-    else
-	check_key_file_permissions "$uname" $(dirname "$path")
     fi
+    log debug "checking path permission '$path'..."
+    "${SYSSHAREDIR}/checkperms" "$uname" "$path"
 }
 
 # return a list of all users on the system
@@ -483,6 +442,12 @@ get_homedir() {
     eval "echo ~${uname}"
 }
 
+# return the primary group of a user
+get_primary_group() {
+    local uname=${1:-`whoami`}
+    groups "$uname" | sed 's/^..* : //' | awk '{ print $1 }'
+}
+
 ### CONVERSION UTILITIES
 
 # output the ssh key for a given key ID
@@ -880,6 +845,7 @@ update_known_hosts() {
     local nHostsBAD
     local fileCheck
     local host
+    local newUmask
 
     # the number of hosts specified on command line
     nHosts="$#"
@@ -889,10 +855,20 @@ update_known_hosts() {
 
     # touch the known_hosts file so that the file permission check
     # below won't fail upon not finding the file
-    (umask 0022 && touch "$KNOWN_HOSTS")
+    if [ ! -f "$KNOWN_HOSTS" ]; then
+	# make sure to create any files or directories with the appropriate write bits turned off:
+	newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
+	[ -d $(dirname "$KNOWN_HOSTS") ] \
+	    || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \
+	    || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
+	# make sure to create this file with the appropriate bits turned off:
+	(umask "$newUmask" && touch "$KNOWN_HOSTS") \
+	    || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
+    fi
 
     # check permissions on the known_hosts file path
-    check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure
+    check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \
+	|| failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
 
     # create a lockfile on known_hosts:
     lock create "$KNOWN_HOSTS"
@@ -900,7 +876,7 @@ update_known_hosts() {
     trap "lock remove $KNOWN_HOSTS" EXIT
 
     # note pre update file checksum
-    fileCheck="$(file_hash "$KNOWN_HOSTS")"
+    fileCheck=$(file_hash "$KNOWN_HOSTS")
 
     for host ; do
 	# process the host