authorMatt Goins <mjgoins@openflows.com>2008-10-29 12:20:42 -0400
committerMatt Goins <mjgoins@openflows.com>2008-10-29 12:20:42 -0400
commit680d7340d29d16325eb991feb37885d6faa955e2 (patch)
tree928830b83f7b248c448ccc7309aaa45ceecba8ba /src
parent1b6ebcddf8226ad4aa29da643060b6410030cf5d (diff)
parent6ed72efb63d7111acc7fb1f2e4f28757ad485b77 (diff)
Merge commit 'dkg/master'
Diffstat (limited to 'src')
-rw-r--r--src/common35
-rwxr-xr-xsrc/monkeysphere16
-rwxr-xr-xsrc/monkeysphere-server58
3 files changed, 71 insertions, 38 deletions
diff --git a/src/common b/src/common
index 5d92b26..297e7f3 100644
--- a/src/common
+++ b/src/common
@@ -24,7 +24,7 @@ export SYSCONFIGDIR
# failure function. exits with code 255, unless specified otherwise.
failure() {
- echo "$1" >&2
+ [ "$1" ] && echo "$1" >&2
exit ${2:-'255'}
}
@@ -393,8 +393,9 @@ test_gpg_expire() {
# check that a file is properly owned, and that all it's parent
# directories are not group/other writable
check_key_file_permissions() {
- local user
+ local uname
local path
+ local stat
local access
local gAccess
local oAccess
@@ -404,30 +405,36 @@ check_key_file_permissions() {
[ "$1" = "w" ]
}
- user="$1"
+ uname="$1"
path="$2"
- # return 0 is path does not exist
- [ -e "$path" ] || return 0
+ # return 255 if cannot stat file
+ if ! stat=$(ls -ld "$path" 2>/dev/null) ; then
+ log error "could not stat path '$path'."
+ return 255
+ fi
- owner=$(ls -l "$path" | awk '{ print $3 }')
- gAccess=$(ls -l "$path" | cut -c6)
- oAccess=$(ls -l "$path" | cut -c9)
+ owner=$(echo "$stat" | awk '{ print $3 }')
+ gAccess=$(echo "$stat" | cut -c6)
+ oAccess=$(echo "$stat" | cut -c9)
- # check owner
- if [ "$owner" != "$user" -a "$owner" != 'root' ] ; then
+ # return 1 if path has invalid owner
+ if [ "$owner" != "$uname" -a "$owner" != 'root' ] ; then
+ log error "improper ownership on path '$path'."
return 1
fi
- # check group/other writability
+ # return 2 if path has group or other writability
if is_write "$gAccess" || is_write "$oAccess" ; then
+ log error "improper group or other writability on path '$path'."
return 2
fi
+ # return zero if all clear, or go to next path
if [ "$path" = '/' ] ; then
return 0
else
- check_key_file_permissions $(dirname "$path")
+ check_key_file_permissions "$uname" $(dirname "$path")
fi
}
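Review bot: The recursion at `check_key_file_permissions "$uname" $(dirname "$path")` only terminates when `$path` reaches `/`, so a relative path or bare filename makes `dirname` return `.` on every step and the function never returns; a guard before the `ls -ld` closes this: `case "$path" in /*) ;; *) log error "path '$path' is not absolute."; return 255 ;; esac`. The same call leaves `$(dirname "$path")` unquoted, so a directory name containing whitespace is split into several arguments; write it as `"$(dirname "$path")"`. `owner` is assigned on the `awk` line but is not declared `local` alongside `uname`, `path` and `stat`, so it leaks into the caller's scope and is clobbered across the recursion. Note also that `ls -ld` reports a symlink itself rather than its target, so a symlinked path component has mode `lrwxrwxrwx` and is rejected by the writability test — conservative, but worth a comment since the resulting "improper group or other writability" message is misleading for that case. The function's `local` declarations are in the previous hunk.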
@@ -662,7 +669,7 @@ process_user_id() {
else
log debug " - unacceptable primary key."
if [ -z "$sshKey" ] ; then
- log error " ! primary key could not be translated (not RSA or DSA?)."
+ log error " ! primary key could not be translated (not RSA or DSA?)."
else
echo "1:${sshKey}"
fi
@@ -1018,7 +1025,7 @@ process_authorized_user_ids() {
log debug "processing authorized_user_ids file..."
if ! meat "$authorizedUserIDs" > /dev/null ; then
- log debug "no user IDs to process."
+ log debug " no user IDs to process."
return
fi
diff --git a/src/monkeysphere b/src/monkeysphere
index dd689b5..7e800cc 100755
--- a/src/monkeysphere
+++ b/src/monkeysphere
@@ -318,10 +318,12 @@ case $COMMAND in
'update-known_hosts'|'update-known-hosts'|'k')
MODE='known_hosts'
+ # touch the known_hosts file so that the file permission check
+ # below won't fail upon not finding the file
+ (umask 0022 && touch "$KNOWN_HOSTS")
+
# check permissions on the known_hosts file path
- if ! check_key_file_permissions "$USER" "$KNOWN_HOSTS" ; then
- failure "Improper permissions on known_hosts file path."
- fi
+ check_key_file_permissions "$USER" "$KNOWN_HOSTS" || failure
# if hosts are specified on the command line, process just
# those hosts
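Review bot: The exit status of `(umask 0022 && touch "$KNOWN_HOSTS")` is discarded, so when the file cannot be created (for instance because its parent directory does not exist yet) the failure only surfaces a few lines later from `check_key_file_permissions` as "could not stat path", which misattributes the problem. Checking it directly keeps the diagnostic accurate: `(umask 0022 && touch "$KNOWN_HOSTS") || failure "could not create known_hosts file '$KNOWN_HOSTS'."`. The `case` arm this hunk belongs to continues outside the hunk.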
@@ -347,14 +349,10 @@ case $COMMAND in
MODE='authorized_keys'
# check permissions on the authorized_user_ids file path
- if ! check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" ; then
- failure "Improper permissions on authorized_user_ids file path."
- fi
+ check_key_file_permissions "$USER" "$AUTHORIZED_USER_IDS" || failure
# check permissions on the authorized_keys file path
- if ! check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" ; then
- failure "Improper permissions on authorized_keys file path."
- fi
+ check_key_file_permissions "$USER" "$AUTHORIZED_KEYS" || failure
# exit if the authorized_user_ids file is empty
if [ ! -e "$AUTHORIZED_USER_IDS" ] ; then
diff --git a/src/monkeysphere-server b/src/monkeysphere-server
index 6ca6a4f..5f0cb73 100755
--- a/src/monkeysphere-server
+++ b/src/monkeysphere-server
@@ -20,6 +20,11 @@ export SYSSHAREDIR
SYSDATADIR=${MONKEYSPHERE_SYSDATADIR:-"/var/lib/monkeysphere"}
export SYSDATADIR
+# monkeysphere temp directory, in sysdatadir to enable atomic moves of
+# authorized_keys files
+MSTMPDIR="${SYSDATADIR}/tmp"
+export MSTMPDIR
+
# UTC date in ISO 8601 format if needed
DATE=$(date -u '+%FT%T')
@@ -148,6 +153,8 @@ update_users() {
unames=$(getent passwd | cut -d: -f1)
fi
+ RETCODE=0
+
# set mode
MODE="authorized_keys"
@@ -165,7 +172,7 @@ update_users() {
# loop over users
for uname in $unames ; do
# check all specified users exist
- if ! getent passwd "$uname" >/dev/null ; then
+ if ! id "$uname" >/dev/null ; then
log error "----- unknown user '$uname' -----"
continue
fi
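Review bot: `id "$uname" >/dev/null` silences only stdout, so for an unknown user `id` still writes its own "no such user" diagnostic to stderr immediately before the script's `log error` line, producing two messages for one condition; `id "$uname" >/dev/null 2>&1` leaves the script's message as the single report. The `for` loop this check sits in continues outside the hunk.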
@@ -173,7 +180,7 @@ update_users() {
log verbose "----- user: $uname -----"
# make temporary directory
- TMPLOC=$(mktemp -d ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+ TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX)
# trap to delete temporary directory on exit
trap "rm -rf $TMPLOC" EXIT
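Review bot: `TMPLOC=$(mktemp -d ${MSTMPDIR}/tmp.XXXXXXXXXX)` does not check mktemp's exit status, and nothing in this diff creates `${SYSDATADIR}/tmp`; if that directory is absent or not writable by the invoker, `TMPLOC` is left empty and the following `trap "rm -rf $TMPLOC" EXIT` and the later `chown -R` operate on an empty path while the per-user loop carries on as if the directory existed. Guard it in place, since this hunk is inside the per-user loop: `TMPLOC=$(mktemp -d "${MSTMPDIR}/tmp.XXXXXXXXXX") || { log error "could not create temporary directory in '$MSTMPDIR'."; continue; }` (quoting the template also protects a SYSDATADIR containing whitespace). Because the directory was moved under SYSDATADIR specifically so the final `mv` stays on one filesystem, the parent `MSTMPDIR` must itself be root-owned and not group/other writable for the atomic move to be trustworthy — mktemp's own 0700 subdirectory does not cover the parent — so a comment at the `MSTMPDIR=` definition stating where and with what mode it is expected to be created would help, if that is done elsewhere (presumably at install time). The body of `update_users` continues outside the hunk.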
@@ -194,6 +201,7 @@ update_users() {
chown -R "$MONKEYSPHERE_USER" "$TMPLOC"
# process authorized_user_ids file
+ log debug "checking for authorized_user_ids..."
# translating ssh-style path variables
authorizedUserIDs=$(translate_ssh_variables "$uname" "$AUTHORIZED_USER_IDS")
if [ -s "$authorizedUserIDs" ] ; then
@@ -213,20 +221,27 @@ update_users() {
". ${SYSSHAREDIR}/common; process_authorized_user_ids $TMP_AUTHORIZED_USER_IDS"
RETURN="$?"
else
- log error "Improper permissions on path '$AUTHORIZED_USER_IDS'."
+ log debug "not processing authorized_user_ids."
fi
+ else
+ log debug "empty or absent authorized_user_ids file."
fi
# add user-controlled authorized_keys file if specified
# translate ssh-style path variables
rawAuthorizedKeys=$(translate_ssh_variables "$uname" "$RAW_AUTHORIZED_KEYS")
- if [ "$rawAuthorizedKeys" -a -s "$rawAuthorizedKeys" ] ; then
- # check permissions on the authorized_keys file path
- if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
- log verbose "adding raw authorized_keys file... "
- cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+ if [ "$rawAuthorizedKeys" != 'none' ] ; then
+ log debug "checking for raw authorized_keys..."
+ if [ -s "$rawAuthorizedKeys" ] ; then
+ # check permissions on the authorized_keys file path
+ if check_key_file_permissions "$uname" "$rawAuthorizedKeys" ; then
+ log verbose "adding raw authorized_keys file... "
+ cat "$rawAuthorizedKeys" >> "$AUTHORIZED_KEYS"
+ else
+ log debug "not adding raw authorized_keys file."
+ fi
else
- log error "Improper permissions on path '$RAW_AUTHORIZED_KEYS'. Not added to authorized_keys file."
+ log debug "empty or absent authorized_keys file."
fi
fi
@@ -235,12 +250,25 @@ update_users() {
# openssh appears to check the contents of the
# authorized_keys file as the user in question, so the
# file must be readable by that user at least.
- # FIXME: is there a better way to do this?
- chown root "$AUTHORIZED_KEYS"
- chgrp $(getent passwd "$uname" | cut -f4 -d:) "$AUTHORIZED_KEYS"
- chmod g+r "$AUTHORIZED_KEYS"
- mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}"
+ # but in general, we don't want the user tampering with
+ # this file directly, so we'll adopt this approach: Own
+ # the file by the monkeysphere-server invoker (usually
+ # root, but should be the same uid that sshd is launched
+ # as); change the group of the file so that members of the
+ # user's group can read it.
+
+ # FIXME: is there a better way to do this?
+ chown $(whoami) "$AUTHORIZED_KEYS" && \
+ chgrp $(id -g "$uname") "$AUTHORIZED_KEYS" && \
+ chmod g+r "$AUTHORIZED_KEYS" && \
+ mv -f "$AUTHORIZED_KEYS" "${SYSDATADIR}/authorized_keys/${uname}" || \
+ {
+ log error "Failed to install authorized_keys for '$uname'!"
+ rm -f "${SYSDATADIR}/authorized_keys/${uname}"
+ # indicate that there has been a failure:
+ RETURN=1
+ }
else
rm -f "${SYSDATADIR}/authorized_keys/${uname}"
fi
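Review bot: `chown $(whoami) "$AUTHORIZED_KEYS"` and `chgrp $(id -g "$uname") "$AUTHORIZED_KEYS"` leave the substitutions unquoted; if `id -g` produces no output the command collapses to `chgrp "$AUTHORIZED_KEYS"` and fails with a "missing operand" error rather than an invalid-group message, so quote them: `chown "$(whoami)" "$AUTHORIZED_KEYS" && chgrp "$(id -g "$uname")" "$AUTHORIZED_KEYS"`. The failure branch sets `RETURN=1`, while the `RETCODE=0` introduced earlier in this file is not referenced in any visible hunk; if RETCODE is meant to be the aggregate status of the loop this branch should presumably set it as well — worth confirming against the rest of `update_users`, whose body continues outside the hunk. Removing the previously installed `${SYSDATADIR}/authorized_keys/${uname}` on a transient failure is the fail-closed choice and deserves a one-line comment saying so, e.g. `# fail closed: a stale authorized_keys must not outlive a failed install`.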
@@ -371,7 +399,7 @@ EOF
(umask 077 && \
gpg_host --export-secret-key "$fingerprint" | \
openpgp2ssh "$fingerprint" > "${SYSDATADIR}/ssh_host_rsa_key")
- log info "Private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
+ log info "private SSH host key output to file: ${SYSDATADIR}/ssh_host_rsa_key"
}
# extend the lifetime of a host key: