X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fcommon;h=9630bf9adbb2827100c0a7a33f3c9e01e660fcdf;hb=d0459e29cb1a6f6196e3e12ccc4da47601514d67;hp=00a10080008571b4cd89b40f10fcc59015f26dfd;hpb=7548a859412f10e68f90ee68f330593d85b090fc;p=monkeysphere.git diff --git a/src/share/common b/src/share/common index 00a1008..9630bf9 100644 --- a/src/share/common +++ b/src/share/common @@ -21,7 +21,22 @@ SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} export SYSCONFIGDIR # monkeysphere version -VERSION=__VERSION__ +VERSION=0.23~pre + +# default log level +LOG_LEVEL="INFO" + +# default keyserver +KEYSERVER="pool.sks-keyservers.net" + +# whether or not to check keyservers by defaul +CHECK_KEYSERVER="true" + +# default monkeysphere user +MONKEYSPHERE_USER="monkeysphere" + +# default about whether or not to prompt +PROMPT="true" ######################################################################## ### UTILITY FUNCTIONS @@ -90,6 +105,40 @@ log() { done } +# run command as monkeysphere user +su_monkeysphere_user() { + # our main goal here is to run the given command as the the + # monkeysphere user, but without prompting for any sort of + # authentication. If this is not possible, we should just fail. + + # FIXME: our current implementation is overly restrictive, because + # there may be some su PAM configurations that would allow su + # "$MONKEYSPHERE_USER" -c "$@" to Just Work without prompting, + # allowing specific users to invoke commands which make use of + # this user. + + # chpst (from runit) would be nice to use, but we don't want to + # introduce an extra dependency just for this. This may be a + # candidate for re-factoring if we switch implementation languages. + + case $(id -un) in + # if monkeysphere user, run the command under bash + "$MONKEYSPHERE_USER") + bash -c "$@" + ;; + + # if root, su command as monkeysphere user + 'root') + su "$MONKEYSPHERE_USER" -c "$@" + ;; + + # otherwise, fail + *) + log error "non-privileged user." + ;; + esac +} + # cut out all comments(#) and blank lines from standard input meat() { grep -v -e "^[[:space:]]*#" -e '^$' "$1" @@ -100,6 +149,11 @@ cutline() { head --line="$1" "$2" | tail -1 } +# make a temporary directly +msmktempdir() { + mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX +} + # this is a wrapper for doing lock functions. # # it lets us depend on either lockfile-progs (preferred) or procmail's @@ -123,6 +177,7 @@ lock() { else lockfile -r 20 "${file}.lock" || failure "unable to lock '$file'" fi + log debug "lock created on '$file'." ;; touch) if [ -n "$use_lockfileprogs" ] ; then @@ -130,6 +185,7 @@ lock() { else : Nothing to do here fi + log debug "lock touched on '$file'." ;; remove) if [ -n "$use_lockfileprogs" ] ; then @@ -137,6 +193,7 @@ lock() { else rm -f "${file}.lock" fi + log debug "lock removed on '$file'." ;; *) failure "bad argument for lock subfunction '$action'" @@ -234,7 +291,7 @@ get_gpg_expiration() { keyExpire="$1" - if [ -z "$keyExpire" ]; then + if [ -z "$keyExpire" -a "$PROMPT" = 'true' ]; then cat >&2 </dev/null) ; then log error "could not stat path '$path'." @@ -756,6 +815,9 @@ process_host_known_hosts() { local sshKey local tmpfile + # set the key processing mode + export MODE='known_hosts' + host="$1" userID="ssh://${host}" @@ -835,6 +897,13 @@ update_known_hosts() { nHostsOK=0 nHostsBAD=0 + # touch the known_hosts file so that the file permission check + # below won't fail upon not finding the file + (umask 0022 && touch "$KNOWN_HOSTS") + + # check permissions on the known_hosts file path + check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure + # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" # FIXME: we're discarding any pre-existing EXIT trap; is this bad? @@ -889,6 +958,11 @@ update_known_hosts() { process_known_hosts() { local hosts + # exit if the known_hosts file does not exist + if [ ! -e "$KNOWN_HOSTS" ] ; then + failure "known_hosts file '$KNOWN_HOSTS' does not exist." + fi + log debug "processing known_hosts file..." hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') @@ -912,6 +986,9 @@ process_uid_authorized_keys() { local ok local sshKey + # set the key processing mode + export MODE='authorized_keys' + userID="$1" log verbose "processing: $userID" @@ -973,6 +1050,9 @@ update_authorized_keys() { nIDsOK=0 nIDsBAD=0 + # check permissions on the authorized_keys file path + check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure + # create a lockfile on authorized_keys lock create "$AUTHORIZED_KEYS" # FIXME: we're discarding any pre-existing EXIT trap; is this bad? @@ -1005,6 +1085,8 @@ update_authorized_keys() { # remove the lockfile and the trap lock remove "$AUTHORIZED_KEYS" + + # remove the trap trap - EXIT # note if the authorized_keys file was updated @@ -1036,6 +1118,14 @@ process_authorized_user_ids() { authorizedUserIDs="$1" + # exit if the authorized_user_ids file is empty + if [ ! -e "$authorizedUserIDs" ] ; then + failure "authorized_user_ids file '$authorizedUserIDs' does not exist." + fi + + # check permissions on the authorized_user_ids file path + check_key_file_permissions "$USER" "$authorizedUserIDs" || failure + log debug "processing authorized_user_ids file..." if ! meat "$authorizedUserIDs" > /dev/null ; then @@ -1054,3 +1144,14 @@ process_authorized_user_ids() { update_authorized_keys "${userIDs[@]}" } + +# takes a gpg key or keys on stdin, and outputs a list of +# fingerprints, one per line: +list_primary_fingerprints() { + local file="$1" + local fake=$(msmktempdir) + GNUPGHOME="$fake" gpg --no-tty --quiet --import + GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \ + awk -F: '/^fpr:/{ print $10 }' + rm -rf "$fake" +}