diff options
| author | Jameson Rollins <jrollins@finestructure.net> | 2010-10-18 09:55:53 -0400 |
|---|---|---|
| committer | Jameson Rollins <jrollins@finestructure.net> | 2010-10-18 16:34:32 -0400 |
| commit | df882c1e7e63fc658d0296dbd272499923fc4c69 (patch) | |
| tree | e9e7e364780bc6429e09340d74e1bf7dc580be33 /src/share/ma/update_users | |
| parent | 7f20193196c87b2cff0bf95d5ec53b5be3bdabb8 (diff) | |
Simplification/refactoring of key/file processing
This is a fairly major overhaul to greatly reduce the number of
redundant code paths. We here created a new process_keys_for_file
function that processes key from a userid for a given key file. All
the main top elevel functions now call this one function.
The main top level monkeysphere functions for updating the user's
authorized_keys and known_hosts files are now moved to their own
sourced files, which greatly reduces the amount of code sourced with
common.
monkeysphere now updates authorized_keys and known_hosts in temporary
files that are then atomically moved into place upon completion.
Finally, removed the confusing return codes in the key/file processing
functions that were based on number of valid/invalid keys processed.
It was confusing in the presence of actual errors that stopped
processing.
Diffstat (limited to 'src/share/ma/update_users')
| -rw-r--r-- | src/share/ma/update_users | 37 |
1 files changed, 14 insertions, 23 deletions
diff --git a/src/share/ma/update_users b/src/share/ma/update_users index 4d2bb35..c84716e 100644 --- a/src/share/ma/update_users +++ b/src/share/ma/update_users @@ -17,6 +17,7 @@ local returnCode=0 local unames local uname local authorizedKeysDir +local tmpAuthorizedKeys local authorizedUserIDs if [ "$1" ] ; then @@ -57,19 +58,14 @@ for uname in $unames ; do # trap to delete temporary directory on exit trap "rm -rf $TMPLOC" EXIT - # create temporary authorized_user_ids file - TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids" - touch "$TMP_AUTHORIZED_USER_IDS" - # create temporary authorized_keys file - AUTHORIZED_KEYS="${TMPLOC}/authorized_keys" - touch "$AUTHORIZED_KEYS" + tmpAuthorizedKeys="${TMPLOC}/authorized_keys" + touch "$tmpAuthorizedKeys" # set restrictive permissions on the temporary files # FIXME: is there a better way to do this? chmod 0700 "$TMPLOC" - chmod 0600 "$AUTHORIZED_KEYS" - chmod 0600 "$TMP_AUTHORIZED_USER_IDS" + chmod 0600 "$tmpAuthorizedKeys" chown -R "$MONKEYSPHERE_USER" "$TMPLOC" # process authorized_user_ids file @@ -80,17 +76,12 @@ for uname in $unames ; do log debug "authorized_user_ids file found." # check permissions on the authorized_user_ids file path if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then - # copy user authorized_user_ids file to temporary - # location - cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS" - - # export needed variables - export AUTHORIZED_KEYS # process authorized_user_ids file, as monkeysphere user su_monkeysphere_user \ - ". ${SYSSHAREDIR}/common; STRICT_MODES='$STRICT_MODES' process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" \ - || returnCode="$?" + ". ${SYSSHAREDIR}/common; STRICT_MODES='$STRICT_MODES' process_authorized_user_ids $tmpAuthorizedKeys" \ + < "$authorizedUserIDs" + else log debug "not processing authorized_user_ids." fi @@ -107,7 +98,7 @@ for uname in $unames ; do # check permissions on the authorized_keys file path if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then log verbose "adding raw authorized_keys file... " - cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS" + cat "$rawAuthorizedKeys" >> "$tmpAuthorizedKeys" else log debug "not adding raw authorized_keys file." fi @@ -117,7 +108,7 @@ for uname in $unames ; do fi # move the new authorized_keys file into place - if [ -s "$AUTHORIZED_KEYS" ] ; then + if [ -s "$tmpAuthorizedKeys" ] ; then # openssh appears to check the contents of the authorized_keys # file as the user in question, so the file must be readable # by that user at least. @@ -130,14 +121,14 @@ for uname in $unames ; do if [ "$OUTPUT_STDOUT" ] ; then log debug "outputting keys to stdout..." - cat "$AUTHORIZED_KEYS" + cat "$tmpAuthorizedKeys" else log debug "moving new file to ${authorizedKeysDir}/${uname}..." # FIXME: is there a better way to do this? - chown $(whoami) "$AUTHORIZED_KEYS" && \ - chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \ - chmod g+r "$AUTHORIZED_KEYS" && \ - mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \ + chown $(whoami) "$tmpAuthorizedKeys" && \ + chgrp $(id -g "$uname") "$tmpAuthorizedKeys" && \ + chmod g+r "$tmpAuthorizedKeys" && \ + mv -f "$tmpAuthorizedKeys" "${authorizedKeysDir}/${uname}" || \ { log error "Failed to install authorized_keys for '$uname'!" rm -f "${authorizedKeysDir}/${uname}" |