From 519303988cbb6541744d4fd02d62b369b0405102 Mon Sep 17 00:00:00 2001
From: Thomas Preud'homme
Date: Tue, 4 Nov 2014 23:01:00 +0000
Subject: [PATCH] [ssl_mgmt] Set ownership and rights of keycert

---
 ssl_mgmt/ssl_mgmt | 11 +++++++----
 ssl_mgmt/tests/6/cmdline | 3 +++
 ssl_mgmt/tests/6/driver | 2 ++
 ssl_mgmt/tests/6/fini | 1 +
 ssl_mgmt/tests/6/init | 1 +
 5 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 ssl_mgmt/tests/6/cmdline
 create mode 100755 ssl_mgmt/tests/6/driver
 create mode 120000 ssl_mgmt/tests/6/fini
 create mode 120000 ssl_mgmt/tests/6/init

diff --git a/ssl_mgmt/ssl_mgmt b/ssl_mgmt/ssl_mgmt
index aeba039..d29b9bd 100755
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -285,6 +285,7 @@ generate_cert ()
 certFile=${certPath##*/}
 keyFile=${keyPath##*/}
 keycertFile=${service}-keycert.pem
+ keycertPath=${keyPath%/*}/$keycertFile

 # Create the CSR and the key
 openssl req -new -nodes -out $csrSubdir/$reqFile -keyout $keySubdir/$keyFile -config $opensslCnfFile
@@ -298,6 +299,7 @@ generate_cert ()
 then
 return 1
 fi
+ # Sets ownership and access rights of the key
 getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keyFile
 chown --reference="$keyPath" $keySubdir/$keyFile

@@ -306,8 +308,11 @@ generate_cert ()
 -keyfile $CAKeyPath -passin file:$rootCAPwdPath \
 -out $certSubdir/$certFile -infiles $csrSubdir/$reqFile

- # Create the keycert file (file with merged key and certificate)
+ # Create the keycert file (file with merged key and certificate) and
+ # sets its ownership and access rights
 cat $keySubdir/$keyFile $certSubdir/$certFile > $keySubdir/$keycertFile
+ getfacl "$keycertPath" | setfacl --set-file=- $keySubdir/$keycertFile
+ chown --reference="$keycertPath" $keySubdir/$keycertFile

 # Safety check
 if ! openssl x509 -noout -text -in $certSubdir/$certFile >/dev/null 2>&1 ||
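Review bot: In the `@@ -306` hunk, `getfacl "$keycertPath" | setfacl --set-file=- $keySubdir/$keycertFile` and the `chown --reference="$keycertPath"` after it assume an installed keycert already exists at `${keyPath%/*}/$keycertFile`; on a first generation, or if that file has been removed, both getfacl and chown fail and, because neither status is checked (unless the script runs with errexit/pipefail, which is not visible here), the freshly written keycert — which carries the private key — keeps whatever mode the umask gave `cat >`. Before this change the key's owner and ACL were copied onto it, which is the safer baseline since the keycert is at least as sensitive as the key itself. I would fall back to the key when the reference file is missing, `aclRef=$keycertPath; [ -e "$aclRef" ] || aclRef=$keyPath`, then `getfacl "$aclRef" | setfacl --set-file=- $keySubdir/$keycertFile` and `chown --reference="$aclRef" $keySubdir/$keycertFile`, and treat a failure of either as an error the way the surrounding `return 1` checks do. generate_cert starts before the first hunk and continues past this one.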
@@ -333,11 +338,9 @@ generate_cert ()
 return 1
 fi

- # Sets ownership and rights of generated files
+ # Sets ownership and access rights of the certificate
 getfacl "$certPath" | setfacl --set-file=- $certSubdir/$certFile
 chown --reference="$certPath" $certSubdir/$certFile
- getfacl "$keyPath" | setfacl --set-file=- $keySubdir/$keycertFile
- chown --reference="$keyPath" $keySubdir/$keycertFile

 # Notify and install the new certificate
 if [ -z "$no_overwrite" ]
diff --git a/ssl_mgmt/tests/6/cmdline b/ssl_mgmt/tests/6/cmdline
new file mode 100644
index 0000000..c22d5b4
--- /dev/null
+++ b/ssl_mgmt/tests/6/cmdline
@@ -0,0 +1,3 @@
+chmod u+rwx ./destdir/private/foo-keycert.pem \
+ && keyId= cnfFilePath=./ssl_mgmt.conf ../ssl_mgmt renew foo \
+ && getfacl ./destdir/private/foo-keycert.pem | grep "user::rwx"
diff --git a/ssl_mgmt/tests/6/driver b/ssl_mgmt/tests/6/driver
new file mode 100755
index 0000000..e64bbaa
--- /dev/null
+++ b/ssl_mgmt/tests/6/driver
@@ -0,0 +1,2 @@
+echo
+echo "y"
diff --git a/ssl_mgmt/tests/6/fini b/ssl_mgmt/tests/6/fini
new file mode 120000
index 0000000..f12b28a
--- /dev/null
+++ b/ssl_mgmt/tests/6/fini
@@ -0,0 +1 @@
+../restore_foo_fini
\ No newline at end of file
diff --git a/ssl_mgmt/tests/6/init b/ssl_mgmt/tests/6/init
new file mode 120000
index 0000000..f74317c
--- /dev/null
+++ b/ssl_mgmt/tests/6/init
@@ -0,0 +1 @@
+../save_foo_init
\ No newline at end of file
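Review bot: The new tests/6/cmdline only exercises the path where `./destdir/private/foo-keycert.pem` already exists, checking that its relaxed `user::rwx` mode survives `renew`; it does not cover the case where no keycert is installed yet, which is exactly where the new `getfacl "$keycertPath"` reference has no file to read. If the harness allows it, a second case that removes the keycert before running `../ssl_mgmt renew foo` and then asserts the regenerated file is not readable by group or others (for example `getfacl ./destdir/private/foo-keycert.pem | grep -q 'other::---'`) would pin the intended default for a file holding the private key. The `grep "user::rwx"` match itself is fine, since getfacl's group and other lines use different prefixes.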