[ssl_mgmt] Fail instead of sudo if rights not ok
This commit is contained in:
parent
001fbf5499
commit
b1b4251233
|
@ -21,22 +21,6 @@
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
|
|
||||||
|
|
||||||
. $cnfFilePath
|
|
||||||
|
|
||||||
workDir=${workDir:-/usr/lib/ssl/CA}
|
|
||||||
csrSubdir=${csrSubdir:-csr}
|
|
||||||
certSubdir=${certSubdir:-newcerts}
|
|
||||||
keySubdir=${keySubdir:-newkeys}
|
|
||||||
certDestDir=${certDestDir:-/etc/ssl/certs}
|
|
||||||
keyDestDir=${keyDestDir:-/etc/ssl/private}
|
|
||||||
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
|
|
||||||
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
|
|
||||||
opensslCnfFile=openssl.cnf
|
|
||||||
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
|
|
||||||
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
|
|
||||||
|
|
||||||
|
|
||||||
# Display usage.
|
# Display usage.
|
||||||
usage ()
|
usage ()
|
||||||
|
@ -116,32 +100,53 @@ parse_args ()
|
||||||
eval service="\$$((OPTIND+1))"
|
eval service="\$$((OPTIND+1))"
|
||||||
}
|
}
|
||||||
|
|
||||||
# @return 0 if we are not root and must sudo, 1 otherwise
|
# @param file the file we wish to access
|
||||||
# Are we root?
|
# @param mode the mode we wish to access the file in.
|
||||||
must_sudo ()
|
# It must be either "READ" or "WRITE".
|
||||||
|
#
|
||||||
|
# Exit if we are unable to access the given file with requested access mode
|
||||||
|
# NB: this function does not return.
|
||||||
|
exit_if_no_access ()
|
||||||
{
|
{
|
||||||
uid="$(id -u)"
|
accessedFile="$1"
|
||||||
[ ! $uid -eq 0 ]
|
accessMode="$2"
|
||||||
return $?
|
|
||||||
|
case $accessMode in
|
||||||
|
"READ")
|
||||||
|
[ -r $accessedFile ];;
|
||||||
|
"WRITE")
|
||||||
|
[ -w $accessedFile ];;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if [ ! $? -eq 0 ]
|
||||||
|
then
|
||||||
|
echo "You do not have enough rights to access ${accessedFile}."
|
||||||
|
echo "Permission of $accessedFile are:"
|
||||||
|
getfacl "$accessedFile"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# @param cmdline the command line used to invoke this script
|
# Set all variables configuring the overall behavior of ssl_mgmt. A default
|
||||||
#
|
# value is provided and overriden if set in the configuration file
|
||||||
# This function tries to become root with sudo and execute this script.
|
set_variables ()
|
||||||
# NB: This function doesn't return.
|
|
||||||
try_sudo ()
|
|
||||||
{
|
{
|
||||||
local - ret
|
cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
|
||||||
echo "You aren't root. Trying to use sudo to become root…"
|
exit_if_no_access "$cnfFilePath" "READ"
|
||||||
sudo $0 "$@" # Try to execute the script with sudo
|
|
||||||
ret=$?
|
. $cnfFilePath
|
||||||
if [ ! $ret -eq 0 ]
|
|
||||||
then
|
workDir=${workDir:-/usr/lib/ssl/CA}
|
||||||
echo -n "Error! You must be root or being able to become root"
|
#workDir=${workDir:-${0%/*/*}/lib/${0##*/}}
|
||||||
echo -n " by sudo without password to\ncreate an email account"
|
csrSubdir=${csrSubdir:-csr}
|
||||||
echo -n " or add an email alias." >&2
|
certSubdir=${certSubdir:-newcerts}
|
||||||
fi
|
keySubdir=${keySubdir:-newkeys}
|
||||||
exit $ret
|
certDestDir=${certDestDir:-/etc/ssl/certs}
|
||||||
|
keyDestDir=${keyDestDir:-/etc/ssl/private}
|
||||||
|
CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
|
||||||
|
CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
|
||||||
|
opensslCnfFile=openssl.cnf
|
||||||
|
rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
|
||||||
|
managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
|
||||||
}
|
}
|
||||||
|
|
||||||
# @param subject the subject line
|
# @param subject the subject line
|
||||||
|
@ -299,15 +304,11 @@ main ()
|
||||||
local - ret servicesok certPath keyPath
|
local - ret servicesok certPath keyPath
|
||||||
ret=0
|
ret=0
|
||||||
parse_args "$@"
|
parse_args "$@"
|
||||||
# This test should be useless if rights on this file are corrects
|
set_variables
|
||||||
# (that is 770 for root:gt owner)
|
|
||||||
if must_sudo
|
|
||||||
then
|
|
||||||
try_sudo "$@"
|
|
||||||
fi
|
|
||||||
cd $workDir
|
cd $workDir
|
||||||
if [ "${service}" = "all" ]
|
if [ "${service}" = "all" ]
|
||||||
then
|
then
|
||||||
|
exit_if_no_access "$managedCerts" "READ"
|
||||||
services=""
|
services=""
|
||||||
for service in $managedCerts
|
for service in $managedCerts
|
||||||
do
|
do
|
||||||
|
@ -316,6 +317,10 @@ main ()
|
||||||
else
|
else
|
||||||
services=${service}
|
services=${service}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
exit_if_no_access "$certDestDir" "WRITE"
|
||||||
|
exit_if_no_access "$keyDestDir" "WRITE"
|
||||||
|
|
||||||
for service in $services
|
for service in $services
|
||||||
do
|
do
|
||||||
servicesok=""
|
servicesok=""
|
||||||
|
@ -334,6 +339,9 @@ main ()
|
||||||
ret=1
|
ret=1
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
exit_if_no_access "$certPath" "READ"
|
||||||
|
exit_if_no_access "$keyPath" "READ"
|
||||||
|
exit_if_no_access "$rootCAPwdPath" "READ"
|
||||||
get_cert_params "$certPath"
|
get_cert_params "$certPath"
|
||||||
generate_config
|
generate_config
|
||||||
if [ -n "$config_only" ]
|
if [ -n "$config_only" ]
|
||||||
|
|
Loading…
Reference in New Issue