X-Git-Url: https://codewiz.org/gitweb?a=blobdiff_plain;f=src%2Fshare%2Fcommon;h=ea872ba17abe39ec1a8a721876b6bf74d42ab069;hb=282c489f3101f0d744b66d88853a150e79b0870d;hp=96fea7721ac3fdc31e7b922b82871a1cf4c4acda;hpb=a7d9d68be60e5d46c016806a47227cd2f2e5a6c7;p=monkeysphere.git diff --git a/src/share/common b/src/share/common index 96fea77..ea872ba 100644 --- a/src/share/common +++ b/src/share/common @@ -8,39 +8,19 @@ # Jamie McClelland # Daniel Kahn Gillmor # -# Copyright 2008, released under the GPL, version 3 or later +# Copyright 2008-2009, released under the GPL, version 3 or later # all-caps variables are meant to be user supplied (ie. from config # file) and are considered global -######################################################################## -### COMMON VARIABLES - -# managed directories -SYSCONFIGDIR=${MONKEYSPHERE_SYSCONFIGDIR:-"/etc/monkeysphere"} -export SYSCONFIGDIR - -# monkeysphere version -VERSION=__VERSION__ - -# default log level -LOG_LEVEL="INFO" - -# default keyserver -KEYSERVER="pool.sks-keyservers.net" - -# whether or not to check keyservers by defaul -CHECK_KEYSERVER="true" - -# default monkeysphere user -MONKEYSPHERE_USER="monkeysphere" - -# default about whether or not to prompt -PROMPT="true" - ######################################################################## ### UTILITY FUNCTIONS +# output version info +version() { + cat "${SYSSHAREDIR}/VERSION" +} + # failure function. exits with code 255, unless specified otherwise. failure() { [ "$1" ] && echo "$1" >&2 @@ -96,11 +76,10 @@ log() { fi if [ "$priority" = "$level" -a "$output" = 'true' ] ; then if [ "$1" ] ; then - echo -n "ms: " >&2 - echo "$@" >&2 + echo "$@" else - cat >&2 - fi + cat + fi | sed 's/^/'"${LOG_PREFIX}"'/' >&2 fi done } @@ -149,9 +128,14 @@ cutline() { head --line="$1" "$2" | tail -1 } -# make a temporary directly +# make a temporary directory msmktempdir() { - mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX + mktemp -d ${TMPDIR:-/tmp}/monkeysphere.XXXXXXXXXX +} + +# make a temporary file +msmktempfile() { + mktemp ${TMPDIR:-/tmp}/monkeysphere.XXXXXXXXXX } # this is a wrapper for doing lock functions. @@ -291,7 +275,7 @@ get_gpg_expiration() { keyExpire="$1" - if [ -z "$keyExpire" ]; then + if [ -z "$keyExpire" -a "$PROMPT" = 'true' ]; then cat >&2 </dev/null 2>/dev/null - -} - # remove all lines with specified string from specified file remove_line() { local file @@ -415,12 +353,15 @@ remove_monkeysphere_lines() { file="$1" - if [ -z "$file" ] ; then + # return error if file does not exist + if [ ! -e "$file" ] ; then return 1 fi - if [ ! -e "$file" ] ; then - return 1 + # just return ok if the file is empty, since there aren't any + # lines to remove + if [ ! -s "$file" ] ; then + return 0 fi tempfile=$(mktemp "${file}.XXXXXXX") || \ @@ -488,18 +429,21 @@ check_key_file_permissions() { # return 1 if path has invalid owner if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then - log error "improper ownership on path '$path'." + log error "improper ownership on path '$path':" + log error " $owner != ($uname|root)" return 1 fi # return 2 if path has group or other writability if is_write "$gAccess" || is_write "$oAccess" ; then - log error "improper group or other writability on path '$path'." + log error "improper group or other writability on path '$path':" + log error " group: $gAccess, other: $oAcess" return 2 fi # return zero if all clear, or go to next path if [ "$path" = '/' ] ; then + log debug "path ok." return 0 else check_key_file_permissions "$uname" $(dirname "$path") @@ -581,8 +525,8 @@ gpg2authorized_keys() { # FIXME: need to figure out how to retrieve all matching keys # (not just first N (5 in this case)) gpg_fetch_userid() { + local returnCode=0 local userID - local returnCode if [ "$CHECK_KEYSERVER" != 'true' ] ; then return 0 @@ -621,6 +565,7 @@ gpg_fetch_userid() { # # expects global variable: "MODE" process_user_id() { + local returnCode=0 local userID local requiredCapability local requiredPubCapability @@ -652,10 +597,10 @@ process_user_id() { # output gpg info for (exact) userid and store gpgOut=$(gpg --list-key --fixed-list-mode --with-colon \ --with-fingerprint --with-fingerprint \ - ="$userID" 2>/dev/null) + ="$userID" 2>/dev/null) || returnCode="$?" # if the gpg query return code is not 0, return 1 - if [ "$?" -ne 0 ] ; then + if [ "$returnCode" -ne 0 ] ; then log verbose " no primary keys found." return 1 fi @@ -726,14 +671,14 @@ process_user_id() { if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then log verbose " * acceptable primary key." if [ -z "$sshKey" ] ; then - log error " ! primary key could not be translated (not RSA or DSA?)." + log error " ! primary key could not be translated (not RSA?)." else echo "0:${sshKey}" fi else log debug " - unacceptable primary key." if [ -z "$sshKey" ] ; then - log debug " ! primary key could not be translated (not RSA or DSA?)." + log debug " ! primary key could not be translated (not RSA?)." else echo "1:${sshKey}" fi @@ -784,14 +729,14 @@ process_user_id() { if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then log verbose " * acceptable sub key." if [ -z "$sshKey" ] ; then - log error " ! sub key could not be translated (not RSA or DSA?)." + log error " ! sub key could not be translated (not RSA?)." else echo "0:${sshKey}" fi else log debug " - unacceptable sub key." if [ -z "$sshKey" ] ; then - log debug " ! sub key could not be translated (not RSA or DSA?)." + log debug " ! sub key could not be translated (not RSA?)." else echo "1:${sshKey}" fi @@ -885,6 +830,7 @@ process_host_known_hosts() { # update the known_hosts file for a set of hosts listed on command # line update_known_hosts() { + local returnCode=0 local nHosts local nHostsOK local nHostsBAD @@ -902,7 +848,7 @@ update_known_hosts() { (umask 0022 && touch "$KNOWN_HOSTS") # check permissions on the known_hosts file path - check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure + check_key_file_permissions $(whoami) "$KNOWN_HOSTS" || failure # create a lockfile on known_hosts: lock create "$KNOWN_HOSTS" @@ -914,9 +860,9 @@ update_known_hosts() { for host ; do # process the host - process_host_known_hosts "$host" + process_host_known_hosts "$host" || returnCode="$?" # note the result - case "$?" in + case "$returnCode" in 0) nHostsOK=$((nHostsOK+1)) ;; @@ -963,7 +909,8 @@ process_known_hosts() { failure "known_hosts file '$KNOWN_HOSTS' does not exist." fi - log debug "processing known_hosts file..." + log debug "processing known_hosts file:" + log debug " $KNOWN_HOSTS" hosts=$(meat "$KNOWN_HOSTS" | cut -d ' ' -f 1 | grep -v '^|.*$' | tr , ' ' | tr '\n' ' ') @@ -1038,6 +985,7 @@ process_uid_authorized_keys() { # update the authorized_keys files from a list of user IDs on command # line update_authorized_keys() { + local returnCode=0 local userID local nIDs local nIDsOK @@ -1050,8 +998,11 @@ update_authorized_keys() { nIDsOK=0 nIDsBAD=0 + log debug "updating authorized_keys file:" + log debug " $AUTHORIZED_KEYS" + # check permissions on the authorized_keys file path - check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure + check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure # create a lockfile on authorized_keys lock create "$AUTHORIZED_KEYS" @@ -1067,10 +1018,10 @@ update_authorized_keys() { for userID ; do # process the user ID, change return code if key not found for # user ID - process_uid_authorized_keys "$userID" + process_uid_authorized_keys "$userID" || returnCode="$?" # note the result - case "$?" in + case "$returnCode" in 0) nIDsOK=$((nIDsOK+1)) ;; @@ -1123,10 +1074,11 @@ process_authorized_user_ids() { failure "authorized_user_ids file '$authorizedUserIDs' does not exist." fi - # check permissions on the authorized_user_ids file path - check_key_file_permissions "$USER" "$authorizedUserIDs" || failure + log debug "processing authorized_user_ids file:" + log debug " $authorizedUserIDs" - log debug "processing authorized_user_ids file..." + # check permissions on the authorized_user_ids file path + check_key_file_permissions $(whoami) "$authorizedUserIDs" || failure if ! meat "$authorizedUserIDs" > /dev/null ; then log debug " no user IDs to process." @@ -1144,3 +1096,53 @@ process_authorized_user_ids() { update_authorized_keys "${userIDs[@]}" } + +# takes a gpg key or keys on stdin, and outputs a list of +# fingerprints, one per line: +list_primary_fingerprints() { + local fake=$(msmktempdir) + GNUPGHOME="$fake" gpg --no-tty --quiet --import + GNUPGHOME="$fake" gpg --with-colons --fingerprint --list-keys | \ + awk -F: '/^fpr:/{ print $10 }' + rm -rf "$fake" +} + + +check_cruft_file() { + local loc="$1" + local version="$2" + + if [ -e "$loc" ] ; then + printf "! The file '%s' is no longer used by\n monkeysphere (as of version %s), and can be removed.\n\n" "$loc" "$version" | log info + fi +} + +check_upgrade_dir() { + local loc="$1" + local version="$2" + + if [ -d "$loc" ] ; then + printf "The presence of directory '%s' indicates that you have\nnot yet completed a monkeysphere upgrade.\nYou should probably run the following script:\n %s/transitions/%s\n\n" "$loc" "$SYSSHAREDIR" "$version" | log info + fi +} + +## look for cruft from old versions of the monkeysphere, and notice if +## upgrades have not been run: +report_cruft() { + check_upgrade_dir "${SYSCONFIGDIR}/gnupg-host" 0.23 + check_upgrade_dir "${SYSCONFIGDIR}/gnupg-authentication" 0.23 + + check_cruft_file "${SYSCONFIGDIR}/gnupg-authentication.conf" 0.23 + check_cruft_file "${SYSCONFIGDIR}/gnupg-host.conf" 0.23 + + local found= + for foo in "${SYSDATADIR}/backup-from-"*"-transition" ; do + if [ -d "$foo" ] ; then + printf "! %s\n" "$foo" | log info + found=true + fi + done + if [ "$found" ] ; then + printf "The directories above are backups left over from a monkeysphere transition.\nThey may contain copies of sensitive data (host keys, certifier lists), but\nthey are no longer needed by monkeysphere.\nYou may remove them at any time.\n\n" | log info + fi +}