[ssl_mgmt] Fail instead of sudo if rights not ok

2014-05-03 17:53:38 +08:00 · 2014-05-03 17:53:38 +08:00 · b1b4251233
parent 001fbf5499
commit b1b4251233
1 changed files with 52 additions and 44 deletions
--- a/ssl_mgmt/ssl_mgmt
+++ b/ssl_mgmt/ssl_mgmt
@ -21,22 +21,6 @@
 set -u
 cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
 . $cnfFilePath
 workDir=${workDir:-/usr/lib/ssl/CA}
 csrSubdir=${csrSubdir:-csr}
 certSubdir=${certSubdir:-newcerts}
 keySubdir=${keySubdir:-newkeys}
 certDestDir=${certDestDir:-/etc/ssl/certs}
 keyDestDir=${keyDestDir:-/etc/ssl/private}
 CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
 CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
 opensslCnfFile=openssl.cnf
 rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
 managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
 # Display usage.
 usage ()
@ -116,32 +100,53 @@ parse_args ()
 	eval service="\$$((OPTIND+1))"
 }
-# @return 0 if we are not root and must sudo, 1 otherwise
+# @param file the file we wish to access
-# Are we root?
+# @param mode the mode we wish to access the file in.
-must_sudo ()
+#        It must be either "READ" or "WRITE".
 #
 # Exit if we are unable to access the given file with requested access mode
 # NB: this function does not return.
 exit_if_no_access ()
 {
-	uid="$(id -u)"
+	accessedFile="$1"
-	[ ! $uid -eq 0 ]
+	accessMode="$2"
-	return $?
+
 	case $accessMode in
 		"READ")
 			[ -r $accessedFile ];;
 		"WRITE")
 			[ -w $accessedFile ];;
 	esac
 	if [ ! $? -eq 0 ]
 	then
 		echo "You do not have enough rights to access ${accessedFile}."
 		echo "Permission of $accessedFile are:"
 		getfacl "$accessedFile"
 	fi
 }
-# @param cmdline the command line used to invoke this script
+# Set all variables configuring the overall behavior of ssl_mgmt. A default
-#
+# value is provided and overriden if set in the configuration file
-# This function tries to become root with sudo and execute this script.
+set_variables ()
 # NB: This function doesn't return.
 try_sudo ()
 {
-	local - ret
+	cnfFilePath=${cnfFilePath:-/etc/${0##*/}.conf}
-	echo "You aren't root. Trying to use sudo to become root…"
+	exit_if_no_access "$cnfFilePath" "READ"
-	sudo $0 "$@" # Try to execute the script with sudo
+
-	ret=$?
+	. $cnfFilePath
-	if [ ! $ret -eq 0 ]
+
-	then
+	workDir=${workDir:-/usr/lib/ssl/CA}
-		echo -n "Error! You must be root or being able to become root"
+	#workDir=${workDir:-${0%/*/*}/lib/${0##*/}}
-		echo -n " by sudo without password to\ncreate an email account"
+	csrSubdir=${csrSubdir:-csr}
-		echo -n " or add an email alias." >&2
+	certSubdir=${certSubdir:-newcerts}
-	fi
+	keySubdir=${keySubdir:-newkeys}
-	exit $ret
+	certDestDir=${certDestDir:-/etc/ssl/certs}
 	keyDestDir=${keyDestDir:-/etc/ssl/private}
 	CACertPath=${CACertPath:-$certDestDir/ca-cert.pem}
 	CAKeyPath=${CAKeyPath:-$keyDestDir/ca-key.pem}
 	opensslCnfFile=openssl.cnf
 	rootCAPwdPath=${rootCAPwdPath:-/root/passwords/root_ca}
 	managedCerts=${managedCerts:-$(xargs </root/homemade-certs)}
 }
 # @param subject the subject line
@ -299,15 +304,11 @@ main ()
 	local - ret servicesok certPath keyPath
 	ret=0
 	parse_args "$@"
-	# This test should be useless if rights on this file are corrects
+	set_variables
 	# (that is 770 for root:gt owner)
 	if must_sudo
 	then
 		try_sudo "$@"
 	fi
 	cd $workDir
 	if [ "${service}" = "all" ]
 	then
 		exit_if_no_access "$managedCerts" "READ"
 		services=""
 		for service in $managedCerts
 		do
@ -316,6 +317,10 @@ main ()
 	else
 		services=${service}
 	fi
 	exit_if_no_access "$certDestDir" "WRITE"
 	exit_if_no_access "$keyDestDir" "WRITE"
 	for service in $services
 	do
 		servicesok=""
@ -334,6 +339,9 @@ main ()
 			ret=1
 			continue
 		fi
 		exit_if_no_access "$certPath" "READ"
 		exit_if_no_access "$keyPath" "READ"
 		exit_if_no_access "$rootCAPwdPath" "READ"
 		get_cert_params "$certPath"
 		generate_config
 		if [ -n "$config_only" ]