summaryrefslogtreecommitdiff
path: root/src/share/ma
diff options
context:
space:
mode:
authorJameson Rollins <jrollins@finestructure.net>2010-10-18 09:55:53 -0400
committerJameson Rollins <jrollins@finestructure.net>2010-10-18 16:34:32 -0400
commitdf882c1e7e63fc658d0296dbd272499923fc4c69 (patch)
treee9e7e364780bc6429e09340d74e1bf7dc580be33 /src/share/ma
parent7f20193196c87b2cff0bf95d5ec53b5be3bdabb8 (diff)
Simplification/refactoring of key/file processing
This is a fairly major overhaul to greatly reduce the number of redundant code paths. We here created a new process_keys_for_file function that processes key from a userid for a given key file. All the main top elevel functions now call this one function. The main top level monkeysphere functions for updating the user's authorized_keys and known_hosts files are now moved to their own sourced files, which greatly reduces the amount of code sourced with common. monkeysphere now updates authorized_keys and known_hosts in temporary files that are then atomically moved into place upon completion. Finally, removed the confusing return codes in the key/file processing functions that were based on number of valid/invalid keys processed. It was confusing in the presence of actual errors that stopped processing.
Diffstat (limited to 'src/share/ma')
-rw-r--r--src/share/ma/update_users37
1 files changed, 14 insertions, 23 deletions
diff --git a/src/share/ma/update_users b/src/share/ma/update_users
index 4d2bb35..c84716e 100644
--- a/src/share/ma/update_users
+++ b/src/share/ma/update_users
@@ -17,6 +17,7 @@ local returnCode=0
local unames
local uname
local authorizedKeysDir
+local tmpAuthorizedKeys
local authorizedUserIDs
if [ "$1" ] ; then
@@ -57,19 +58,14 @@ for uname in $unames ; do
# trap to delete temporary directory on exit
trap "rm -rf $TMPLOC" EXIT
- # create temporary authorized_user_ids file
- TMP_AUTHORIZED_USER_IDS="${TMPLOC}/authorized_user_ids"
- touch "$TMP_AUTHORIZED_USER_IDS"
-
# create temporary authorized_keys file
- AUTHORIZED_KEYS="${TMPLOC}/authorized_keys"
- touch "$AUTHORIZED_KEYS"
+ tmpAuthorizedKeys="${TMPLOC}/authorized_keys"
+ touch "$tmpAuthorizedKeys"
# set restrictive permissions on the temporary files
# FIXME: is there a better way to do this?
chmod 0700 "$TMPLOC"
- chmod 0600 "$AUTHORIZED_KEYS"
- chmod 0600 "$TMP_AUTHORIZED_USER_IDS"
+ chmod 0600 "$tmpAuthorizedKeys"
chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
# process authorized_user_ids file
@@ -80,17 +76,12 @@ for uname in $unames ; do
log debug "authorized_user_ids file found."
# check permissions on the authorized_user_ids file path
if check_key_file_permissions "$uname" "$authorizedUserIDs" ; then
- # copy user authorized_user_ids file to temporary
- # location
- cat "$authorizedUserIDs" > "$TMP_AUTHORIZED_USER_IDS"
-
- # export needed variables
- export AUTHORIZED_KEYS
# process authorized_user_ids file, as monkeysphere user
su_monkeysphere_user \
- ". ${SYSSHAREDIR}/common; STRICT_MODES='$STRICT_MODES' process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS" \
- || returnCode="$?"
+ ". ${SYSSHAREDIR}/common; STRICT_MODES='$STRICT_MODES' process_authorized_user_ids $tmpAuthorizedKeys" \
+ < "$authorizedUserIDs"
+
else
log debug "not processing authorized_user_ids."
fi
@@ -107,7 +98,7 @@ for uname in $unames ; do
# check permissions on the authorized_keys file path
if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
log verbose "adding raw authorized_keys file... "
- cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+ cat "$rawAuthorizedKeys" >> "$tmpAuthorizedKeys"
else
log debug "not adding raw authorized_keys file."
fi
@@ -117,7 +108,7 @@ for uname in $unames ; do
fi
# move the new authorized_keys file into place
- if [ -s "$AUTHORIZED_KEYS" ] ; then
+ if [ -s "$tmpAuthorizedKeys" ] ; then
# openssh appears to check the contents of the authorized_keys
# file as the user in question, so the file must be readable
# by that user at least.
@@ -130,14 +121,14 @@ for uname in $unames ; do
if [ "$OUTPUT_STDOUT" ] ; then
log debug "outputting keys to stdout..."
- cat "$AUTHORIZED_KEYS"
+ cat "$tmpAuthorizedKeys"
else
log debug "moving new file to ${authorizedKeysDir}/${uname}..."
# FIXME: is there a better way to do this?
- chown $(whoami) "$AUTHORIZED_KEYS" && \
- chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
- chmod g+r "$AUTHORIZED_KEYS" && \
- mv -f "$AUTHORIZED_KEYS" "${authorizedKeysDir}/${uname}" || \
+ chown $(whoami) "$tmpAuthorizedKeys" && \
+ chgrp $(id -g "$uname") "$tmpAuthorizedKeys" && \
+ chmod g+r "$tmpAuthorizedKeys" && \
+ mv -f "$tmpAuthorizedKeys" "${authorizedKeysDir}/${uname}" || \
{
log error "Failed to install authorized_keys for '$uname'!"
rm -f "${authorizedKeysDir}/${uname}"