paths.
* update authorized_keys and known_hosts in temp file that are
atomically moved into place
+ * don't fail if authorized_keys file not already present (Closes: 600644)
- -- Jameson Rollins <jrollins@finestructure.net> Mon, 18 Oct 2010 16:35:59 -0400
+ -- Jameson Rollins <jrollins@finestructure.net> Fri, 22 Oct 2010 16:23:31 -0400
monkeysphere (0.33) unstable; urgency=low
echo "$1" | egrep -q "^[0-9]+[mwy]?$"
}
+# touch a key file if it doesn't exist, including creating needed
+# directories with correct permissions
+touch_key_file_or_fail() {
+ local keyFile="$1"
+ if [ ! -f "$keyFile" ]; then
+ # make sure to create files and directories with the
+ # appropriate write bits turned off:
+ newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
+ [ -d $(dirname "$keyFile") ] \
+ || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$keyFile") ) \
+ || failure "Could not create path to $keyFile"
+ # make sure to create this file with the appropriate bits turned off:
+ (umask "$newUmask" && touch "$keyFile") \
+ || failure "Unable to create $keyFile"
+ fi
+}
+
# check that a file is properly owned, and that all it's parent
# directories are not group/other writable
check_key_file_permissions() {
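Review bot: The two `$(dirname "$keyFile")` expansions in touch_key_file_or_fail, in the `[ -d … ]` test and in the `mkdir -p -m 0700` call, are unquoted. A key file path containing whitespace or glob characters is therefore split before the directory check, and a different set of directories may be created. Compute the directory once and quote it: `local keyDir newUmask`, `keyDir=$(dirname "$keyFile")`, then `[ -d "$keyDir" ] || (umask "$newUmask" && mkdir -p -m 0700 "$keyDir")`. Declaring `newUmask` local in the helper matters too, because it is currently assigned without `local` and stays out of the global scope only when the caller happens to declare it, as update_authorized_keys does.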
fi
;;
(*)
- ((nline++))
+ ((++nline))
userIDs[${nline}]="$line"
unset koptions[${nline}] || true
;;
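Review bot: The switch to `((++nline))` is not explained, and a later cleanup could easily revert it to the more common post-increment. The `|| true` on the following `unset` suggests this code runs under errexit, where `((nline++))` returns status 1 whenever nline is 0. A one-line comment would record that: `# pre-increment: ((nline++)) returns status 1 when nline is 0 and would abort under errexit`. The enclosing case branch starts and ends outside this hunk, so the initial value of nline is not visible here.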
# 3 or later.
update_authorized_keys() {
+ local newUmask
local tmpFile
- log debug "updating authorized_keys file:"
- log debug " $AUTHORIZED_KEYS"
+ if [ ! -s "$AUTHORIZED_USER_IDS" ] ; then
+ log error "empty or absent authorized_user_ids file."
+ failure
+ fi
+ check_key_file_permissions $(whoami) "$AUTHORIZED_USER_IDS" \
+ || failure "Bad permissions governing authorized_user_ids file '$AUTHORIZED_USER_IDS'"
- check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" || failure
- check_key_file_permissions $(whoami) "$AUTHORIZED_USER_IDS" || failure
+ # touch the authorized_keys file so that the file permission check
+ # below won't fail upon not finding the file
+ touch_key_file_or_fail "$AUTHORIZED_KEYS"
+ check_key_file_permissions $(whoami) "$AUTHORIZED_KEYS" \
+ || failure "Bad permissions governing authorized_keys file $AUTHORIZED_KEYS"
lock create "$AUTHORIZED_KEYS"
# FIXME: we're discarding any pre-existing EXIT trap; is this bad?
- trap "lock remove $AUTHORIZED_KEYS" EXIT
+ trap "log debug TRAP; lock remove $AUTHORIZED_KEYS" EXIT
tmpFile=$(mktemp "${AUTHORIZED_KEYS}.monkeysphere.XXXXXX")
- trap "lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT
+ trap "log debug TRAP; lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT
# remove any monkeysphere lines from authorized_keys file this is
# to insure that that all old authorized keys that are no longer
# authorized are removed
- remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile"
+ log debug "removing old monkeysphere lines..."
+ remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile" || true
process_authorized_user_ids "$tmpFile" \
< "$AUTHORIZED_USER_IDS"
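Review bot: The `|| true` added to `remove_monkeysphere_lines <"$AUTHORIZED_KEYS" >"$tmpFile"` ignores every failure of the filter, including a read error that leaves `$tmpFile` incomplete; the function continues outside this hunk, and if that temp file is later moved over authorized_keys (as the changelog entry describes), the user's manually added keys would be lost. remove_monkeysphere_lines is not visible here, so presumably the tolerated case is a non-zero status on a freshly touched, empty file; say so in a comment such as `# non-zero just means no lines survived the filter (e.g. new, empty file)` and, if the filter distinguishes statuses, tolerate only that one. Separately, the rewritten `trap "log debug TRAP; lock remove $AUTHORIZED_KEYS; rm -f $tmpFile" EXIT` still expands both paths into a string that is re-parsed when the trap fires, so whitespace or shell metacharacters in a path change what the cleanup runs; quoting at definition time, e.g. `$(printf '%q' "$tmpFile")`, avoids that. The same applies to the two known_hosts traps in the following hunk.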
# touch the known_hosts file so that the file permission check
# below won't fail upon not finding the file
- if [ ! -f "$KNOWN_HOSTS" ]; then
- # make sure to create any files or directories with the appropriate write bits turned off:
- newUmask=$(printf "%04o" $(( 0$(umask) | 0022 )) )
- [ -d $(dirname "$KNOWN_HOSTS") ] \
- || (umask "$newUmask" && mkdir -p -m 0700 $(dirname "$KNOWN_HOSTS") ) \
- || failure "Could not create path to known_hosts file '$KNOWN_HOSTS'"
- # make sure to create this file with the appropriate bits turned off:
- (umask "$newUmask" && touch "$KNOWN_HOSTS") \
- || failure "Unable to create known_hosts file '$KNOWN_HOSTS'"
- fi
-
+ touch_key_file_or_fail "$KNOWN_HOSTS"
check_key_file_permissions $(whoami) "$KNOWN_HOSTS" \
- || failure "Bad permissions governing known_hosts file '$KNOWN_HOSTS'"
+ || failure "Bad permissions governing known_hosts file $KNOWN_HOSTS"
lock create "$KNOWN_HOSTS"
# FIXME: we're discarding any pre-existing EXIT trap; is this bad?
- trap "lock remove $KNOWN_HOSTS" EXIT
+ trap "log debug TRAP; lock remove $KNOWN_HOSTS" EXIT
tmpFile=$(mktemp "${KNOWN_HOSTS}.monkeysphere.XXXXXX")
- trap "lock remove $KNOWN_HOSTS; rm -f $tmpFile" EXIT
+ trap "log debug TRAP; lock remove $KNOWN_HOSTS; rm -f $tmpFile" EXIT
cat "$KNOWN_HOSTS" >"$tmpFile"