From f83f5532fb1cec60741ce07cf90df4abdf5b2c1f Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 28 Oct 2008 21:12:35 -0400
Subject: [PATCH] enforce error checking when transferring the authorized keys
 file.  If the transfer fails, remove any existing target file so that we fail
 closed.

---
 src/monkeysphere-server | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 846eb81..0b63e5c 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -153,6 +153,8 @@ update_users() {
 	unames=$(getent passwd | cut -d: -f1)
     fi
 
+    RETCODE=0
+
     # set mode
     MODE="authorized_keys"
 
@@ -170,7 +172,7 @@ update_users() {
     # loop over users
     for uname in $unames ; do
 	# check all specified users exist
-	if ! getent passwd "$uname" >/dev/null ; then
+	if ! id "$uname" >/dev/null ; then
 	    log error "----- unknown user '$uname' -----"
 	    continue
 	fi
@@ -248,12 +250,25 @@ update_users() {
 	    # openssh appears to check the contents of the
 	    # authorized_keys file as the user in question, so the
 	    # file must be readable by that user at least.
-	    # FIXME: is there a better way to do this?
-	    chown $(whoami) "$AUTHORIZED_KEYS"
-	    chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
-	    chmod g+r "$AUTHORIZED_KEYS"
 
-	    mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
+	    # but in general, we don't want the user tampering with
+	    # this file directly, so we'll adopt this approach: Own
+	    # the file by the monkeysphere-server invoker (usually
+	    # root, but should be the same uid that sshd is launched
+	    # as); change the group of the file so that members of the
+	    # user's group can read it.
+
+	    # FIXME: is there a better way to do this?
+	    chown $(whoami) "$AUTHORIZED_KEYS" && \
+		chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
+		chmod g+r "$AUTHORIZED_KEYS" && \
+		mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \
+		{ 
+		log error "Failed to install authorized_keys for '$uname'!"
+		rm -f "${SYSDATADIR}/authorized_keys/${uname}"
+		# indicate that there has been a failure:
+		RETURN=1
+		}
 	else
 	    rm -f "${SYSDATADIR}/authorized_keys/${uname}"
 	fi
-- 
2.25.1