From b1b42512334751f66424f74f927fb71749e5a552 Mon Sep 17 00:00:00 2001
From: Thomas Preud'homme <robotux@celest.fr>
Date: Sat, 3 May 2014 17:53:38 +0800
Subject: [PATCH] [ssl_mgmt] Fail instead of sudo if rights not ok

---
 ssl_mgmt/ssl_mgmt | 96 +++++++++++++++++++++++++----------------------
 1 file changed, 52 insertions(+), 44 deletions(-)

diff --git a/ssl_mgmt/ssl_mgmt b/ssl_mgmt/ssl_mgmt
index c22819e..8a349cd 100755
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@@ -21,22 +21,6 @@
 
 set -u
 
-cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
-
-. $cnfFilePath
-
-workDir=${workDir:-/usr/lib/ssl/CA}
-csrSubdir=${csrSubdir:-csr}
-certSubdir=${certSubdir:-newcerts}
-keySubdir=${keySubdir:-newkeys}
-certDestDir=${certDestDir:-/etc/ssl/certs}
-keyDestDir=${keyDestDir:-/etc/ssl/private}
-CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
-CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
-opensslCnfFile=openssl.cnf
-rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
-managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
-
 
 # Display usage.
 usage ()
@@ -116,32 +100,53 @@ parse_args ()
 	eval service="\$$((OPTIND+1))"
 }
 
-# @return 0 if we are not root and must sudo, 1 otherwise
-# Are we root?
-must_sudo ()
+# @param file the file we wish to access
+# @param mode the mode we wish to access the file in.
+#        It must be either "READ" or "WRITE".
+#
+# Exit if we are unable to access the given file with requested access mode
+# NB: this function does not return.
+exit_if_no_access ()
 {
-	uid="$(id -u)"
-	[ ! $uid -eq 0 ]
-	return $?
+	accessedFile="$1"
+	accessMode="$2"
+
+	case $accessMode in
+		"READ")
+			[ -r $accessedFile ];;
+		"WRITE")
+			[ -w $accessedFile ];;
+	esac
+
+	if [ ! $? -eq 0 ]
+	then
+		echo "You do not have enough rights to access ${accessedFile}."
+		echo "Permission of $accessedFile are:"
+		getfacl "$accessedFile"
+	fi
 }
 
-# @param cmdline the command line used to invoke this script
-#
-# This function tries to become root with sudo and execute this script.
-# NB: This function doesn't return.
-try_sudo ()
+# Set all variables configuring the overall behavior of ssl_mgmt. A default
+# value is provided and overriden if set in the configuration file
+set_variables ()
 {
-	local - ret
-	echo "You aren't root. Trying to use sudo to become root…"
-	sudo $0 "$@" # Try to execute the script with sudo
-	ret=$?
-	if [ ! $ret -eq 0 ]
-	then
-		echo -n "Error! You must be root or being able to become root"
-		echo -n " by sudo without password to\ncreate an email account"
-		echo -n " or add an email alias." >&2
-	fi
-	exit $ret
+	cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
+	exit_if_no_access "$cnfFilePath" "READ"
+
+	. $cnfFilePath
+
+	workDir=${workDir:-/usr/lib/ssl/CA}
+	#workDir=${workDir:-${0%/*/*}/lib/${0##*/}}
+	csrSubdir=${csrSubdir:-csr}
+	certSubdir=${certSubdir:-newcerts}
+	keySubdir=${keySubdir:-newkeys}
+	certDestDir=${certDestDir:-/etc/ssl/certs}
+	keyDestDir=${keyDestDir:-/etc/ssl/private}
+	CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
+	CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
+	opensslCnfFile=openssl.cnf
+	rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
+	managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
 }
 
 # @param subject the subject line
@@ -299,15 +304,11 @@ main ()
 	local - ret servicesok certPath keyPath
 	ret=0
 	parse_args "$@"
-	# This test should be useless if rights on this file are corrects
-	# (that is 770 for root:gt owner)
-	if must_sudo
-	then
-		try_sudo "$@"
-	fi
+	set_variables
 	cd $workDir
 	if [ "${service}" = "all" ]
 	then
+		exit_if_no_access "$managedCerts" "READ"
 		services=""
 		for service in $managedCerts
 		do
@@ -316,6 +317,10 @@ main ()
 	else
 		services=${service}
 	fi
+
+	exit_if_no_access "$certDestDir" "WRITE"
+	exit_if_no_access "$keyDestDir" "WRITE"
+
 	for service in $services
 	do
 		servicesok=""
@@ -334,6 +339,9 @@ main ()
 			ret=1
 			continue
 		fi
+		exit_if_no_access "$certPath" "READ"
+		exit_if_no_access "$keyPath" "READ"
+		exit_if_no_access "$rootCAPwdPath" "READ"
 		get_cert_params "$certPath"
 		generate_config
 		if [ -n "$config_only" ]