[ssl_mgmt] Fail instead of sudo if rights not ok
This commit is contained in:
parent
001fbf5499
commit
b1b4251233
|
@ -21,22 +21,6 @@
|
|||
|
||||
set -u
|
||||
|
||||
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
|
||||
|
||||
. $cnfFilePath
|
||||
|
||||
workDir=${workDir:-/usr/lib/ssl/CA}
|
||||
csrSubdir=${csrSubdir:-csr}
|
||||
certSubdir=${certSubdir:-newcerts}
|
||||
keySubdir=${keySubdir:-newkeys}
|
||||
certDestDir=${certDestDir:-/etc/ssl/certs}
|
||||
keyDestDir=${keyDestDir:-/etc/ssl/private}
|
||||
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
|
||||
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
|
||||
opensslCnfFile=openssl.cnf
|
||||
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
|
||||
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
|
||||
|
||||
|
||||
# Display usage.
|
||||
usage ()
|
||||
|
@ -116,32 +100,53 @@ parse_args ()
|
|||
eval service="\$$((OPTIND+1))"
|
||||
}
|
||||
|
||||
# @return 0 if we are not root and must sudo, 1 otherwise
|
||||
# Are we root?
|
||||
must_sudo ()
|
||||
# @param file the file we wish to access
|
||||
# @param mode the mode we wish to access the file in.
|
||||
# It must be either "READ" or "WRITE".
|
||||
#
|
||||
# Exit if we are unable to access the given file with requested access mode
|
||||
# NB: this function does not return.
|
||||
exit_if_no_access ()
|
||||
{
|
||||
uid="$(id -u)"
|
||||
[ ! $uid -eq 0 ]
|
||||
return $?
|
||||
accessedFile="$1"
|
||||
accessMode="$2"
|
||||
|
||||
case $accessMode in
|
||||
"READ")
|
||||
[ -r $accessedFile ];;
|
||||
"WRITE")
|
||||
[ -w $accessedFile ];;
|
||||
esac
|
||||
|
||||
if [ ! $? -eq 0 ]
|
||||
then
|
||||
echo "You do not have enough rights to access ${accessedFile}."
|
||||
echo "Permission of $accessedFile are:"
|
||||
getfacl "$accessedFile"
|
||||
fi
|
||||
}
|
||||
|
||||
# @param cmdline the command line used to invoke this script
|
||||
#
|
||||
# This function tries to become root with sudo and execute this script.
|
||||
# NB: This function doesn't return.
|
||||
try_sudo ()
|
||||
# Set all variables configuring the overall behavior of ssl_mgmt. A default
|
||||
# value is provided and overriden if set in the configuration file
|
||||
set_variables ()
|
||||
{
|
||||
local - ret
|
||||
echo "You aren't root. Trying to use sudo to become root…"
|
||||
sudo $0 "$@" # Try to execute the script with sudo
|
||||
ret=$?
|
||||
if [ ! $ret -eq 0 ]
|
||||
then
|
||||
echo -n "Error! You must be root or being able to become root"
|
||||
echo -n " by sudo without password to\ncreate an email account"
|
||||
echo -n " or add an email alias." >&2
|
||||
fi
|
||||
exit $ret
|
||||
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
|
||||
exit_if_no_access "$cnfFilePath" "READ"
|
||||
|
||||
. $cnfFilePath
|
||||
|
||||
workDir=${workDir:-/usr/lib/ssl/CA}
|
||||
#workDir=${workDir:-${0%/*/*}/lib/${0##*/}}
|
||||
csrSubdir=${csrSubdir:-csr}
|
||||
certSubdir=${certSubdir:-newcerts}
|
||||
keySubdir=${keySubdir:-newkeys}
|
||||
certDestDir=${certDestDir:-/etc/ssl/certs}
|
||||
keyDestDir=${keyDestDir:-/etc/ssl/private}
|
||||
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
|
||||
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
|
||||
opensslCnfFile=openssl.cnf
|
||||
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
|
||||
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
|
||||
}
|
||||
|
||||
# @param subject the subject line
|
||||
|
@ -299,15 +304,11 @@ main ()
|
|||
local - ret servicesok certPath keyPath
|
||||
ret=0
|
||||
parse_args "$@"
|
||||
# This test should be useless if rights on this file are corrects
|
||||
# (that is 770 for root:gt owner)
|
||||
if must_sudo
|
||||
then
|
||||
try_sudo "$@"
|
||||
fi
|
||||
set_variables
|
||||
cd $workDir
|
||||
if [ "${service}" = "all" ]
|
||||
then
|
||||
exit_if_no_access "$managedCerts" "READ"
|
||||
services=""
|
||||
for service in $managedCerts
|
||||
do
|
||||
|
@ -316,6 +317,10 @@ main ()
|
|||
else
|
||||
services=${service}
|
||||
fi
|
||||
|
||||
exit_if_no_access "$certDestDir" "WRITE"
|
||||
exit_if_no_access "$keyDestDir" "WRITE"
|
||||
|
||||
for service in $services
|
||||
do
|
||||
servicesok=""
|
||||
|
@ -334,6 +339,9 @@ main ()
|
|||
ret=1
|
||||
continue
|
||||
fi
|
||||
exit_if_no_access "$certPath" "READ"
|
||||
exit_if_no_access "$keyPath" "READ"
|
||||
exit_if_no_access "$rootCAPwdPath" "READ"
|
||||
get_cert_params "$certPath"
|
||||
generate_config
|
||||
if [ -n "$config_only" ]
|
||||
|
|
Loading…
Reference in New Issue