[rt-commit] r131 - in /redwax-tool/trunk: ChangeLog redwax-tool.c redwax-tool.h
rt-commit at redwax.eu
rt-commit at redwax.eu
Mon Dec 20 08:49:47 CET 2021
Author: minfrin at redwax.eu
Date: Mon Dec 20 08:49:45 2021
New Revision: 131
Log:
Add support for reading and writing certificates and
keys as specific users or groups.
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Mon Dec 20 08:49:45 2021
@@ -1,7 +1,8 @@
Changes with v0.9.2
-
+ *) Add support for reading and writing certificates and
+ keys as specific users or groups. [Graham Leggett]
Changes with v0.9.1
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Mon Dec 20 08:49:45 2021
@@ -22,6 +22,10 @@
#include <stdlib.h>
#include <string.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <pwd.h>
+#include <unistd.h>
#include <apr.h>
#include <apr_crypto.h>
@@ -199,6 +203,7 @@
#define REDWAX_EXIT_INIT 1
#define REDWAX_EXIT_OPTIONS 2
#define REDWAX_EXIT_FILTER 3
+#define REDWAX_EXIT_AUTH 4
#define REDWAX_PASSTHROUGH "passthrough"
@@ -275,6 +280,10 @@
{ "pkcs11-module-out", REDWAX_TOOL_PKCS11_MODULE_OUT, 1, " --pkcs11-module-out=mod\tSpecify the name of the PKCS11 module to be used,\n\t\t\t\toverriding system defaults. If relative, use the\n\t\t\t\tdefault PKCS11 module path, otherwise specify the\n\t\t\t\tabsolute path. Include the extension of the module." },
{ "metadata-out", REDWAX_TOOL_METADATA_OUT, 1, " --metadata-out=file\t\tWrite metadata of each certificate and key to the\n\t\t\t\tgiven file in the format given by the format\n\t\t\t\tparameter." },
{ "format-out", REDWAX_TOOL_FORMAT_OUT, 1, " --format-out=xml|json|yaml\tFormat of output metadata." },
+ { "user-in", REDWAX_TOOL_USER_IN, 1, " --user-in=user\t\tUse the privileges of this user when reading\n\t\t\t\tcertificates and keys." },
+ { "user-out", REDWAX_TOOL_USER_OUT, 1, " --user-out=user\t\tUse the privileges of this user when writing\n\t\t\t\tcertificates and keys." },
+ { "group-in", REDWAX_TOOL_GROUP_IN, 1, " --group-in=group\t\tUse the privileges of this group when reading\n\t\t\t\tcertificates and keys." },
+ { "group-out", REDWAX_TOOL_GROUP_OUT, 1, " --group-out=group\t\tUse the privileges of this group when writing\n\t\t\t\tcertificates and keys." },
#if 0
{ "jwks-out", REDWAX_TOOL_JWKS_OUT, 1, " --jwks-out=file\t\tWrite keys to the given file as an RFC7517 JSON\n\t\t\t\tWeb Key Set." },
{ "ssh-private-out", REDWAX_TOOL_SSH_PRIVATE_OUT, 1, " --ssh-private-out=file\t\tWrite an SSH private key to the given file." },
@@ -282,10 +291,6 @@
{ "smimea-out", REDWAX_TOOL_SMIMEA_OUT, 1, " --smimea-out=file\t\tWrite an SMIMEA DNS record to the given file." },
{ "sshfp-out", REDWAX_TOOL_SSHFP_OUT, 1, " --sshfp-out=file\t\tWrite an SSHFP DNS record to the given file." },
{ "tlsa-out", REDWAX_TOOL_TLSA_OUT, 1, " --tlsa-out=file\t\tWrite a TLSA DNS record to the given file." },
- { "user-in", REDWAX_TOOL_USER_IN, 1, " --user-in=user\t\tUse the privileges of this user when reading certificates and keys." },
- { "user-out", REDWAX_TOOL_USER_OUT, 1, " --user-out=user\t\tUse the privileges of this user when writing certificates and keys." },
- { "group-in", REDWAX_TOOL_GROUP_IN, 1, " --group-in=group\t\tUse the privileges of this group when reading certificates and keys." },
- { "group-out", REDWAX_TOOL_GROUP_OUT, 1, " --group-out=group\t\tUse the privileges of this group when writing certificates and keys." },
#endif
{ NULL }
};
@@ -332,6 +337,7 @@
" - 1: We failed to initialise.\n"
" - 2: The command line options were not valid.\n"
" - 3: No certificates were passed through the filter.\n"
+ " - 4: Could not become user or group."
"\n"
"EXAMPLES\n"
" In this example, we read all PEM files matching the wildcard, we pass\n"
@@ -1064,6 +1070,86 @@
return APR_SUCCESS;
}
+apr_status_t redwax_user_cleanup(void *dummy)
+{
+ setuid(getuid());
+
+ return APR_SUCCESS;
+}
+
+apr_status_t redwax_group_cleanup(void *dummy)
+{
+ setgid(getgid());
+
+ return APR_SUCCESS;
+}
+
+apr_status_t redwax_set_user(redwax_tool_t *r, const char *user)
+{
+ struct passwd *pw;
+
+ setuid(getuid());
+
+ if (!user) {
+ return APR_SUCCESS;
+ }
+
+ errno = 0;
+
+ pw = getpwnam(user);
+
+ if (pw) {
+
+ setuid(pw->pw_uid);
+
+ if (errno) {
+ redwax_print_error(r, "Could not set the user to '%s': %s\n", user,
+ strerror(errno));
+ return APR_EGENERAL;
+ }
+
+ }
+ else {
+ redwax_print_error(r,
+ "User '%s' could not be found: %s\n", user, strerror(errno));
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+}
+
+apr_status_t redwax_set_group(redwax_tool_t *r, const char *group)
+{
+ struct group *gr;
+
+ setgid(getgid());
+
+ if (!group) {
+ return APR_SUCCESS;
+ }
+
+ gr = getgrnam(group);
+
+ if (gr) {
+
+ setgid(gr->gr_gid);
+
+ if (errno) {
+ redwax_print_error(r, "Could not set the group to '%s': %s\n", group,
+ strerror(errno));
+ return APR_EGENERAL;
+ }
+
+ }
+ else {
+ redwax_print_error(r,
+ "Group '%s' could not be found: %s\n", group, strerror(errno));
+ return APR_EGENERAL;
+ }
+
+ return APR_SUCCESS;
+}
+
const char *redwax_home(redwax_tool_t *r, const char *path)
{
if (path[0] == '~') {
@@ -1209,6 +1295,60 @@
return NULL;
}
+apr_status_t redwax_complete_user(redwax_tool_t *r, const char *arg,
+ redwax_token_quoted_e quoted)
+{
+ int arglen = strlen(arg);
+
+ setpwent();
+
+ while (1) {
+
+ struct passwd *pw = getpwent();
+
+ if (!pw) {
+ break;
+ }
+
+ if (!strncmp(arg, (const char *)pw->pw_name, arglen)) {
+
+ apr_file_printf(r->out, "%s \n",
+ redwax_pescape_echo_quoted(r->pool,
+ (const char *)pw->pw_name, quoted, 1));
+ }
+
+ }
+
+ return APR_SUCCESS;
+}
+
+apr_status_t redwax_complete_group(redwax_tool_t *r, const char *arg,
+ redwax_token_quoted_e quoted)
+{
+ int arglen = strlen(arg);
+
+ setgrent();
+
+ while (1) {
+
+ struct group *gr = getgrent();
+
+ if (!gr) {
+ break;
+ }
+
+ if (!strncmp(arg, (const char *)gr->gr_name, arglen)) {
+
+ apr_file_printf(r->out, "%s \n",
+ redwax_pescape_echo_quoted(r->pool,
+ (const char *)gr->gr_name, quoted, 1));
+ }
+
+ }
+
+ return APR_SUCCESS;
+}
+
apr_status_t redwax_complete_filter(redwax_tool_t *r, const char *arg,
redwax_token_quoted_e quoted)
{
@@ -1798,6 +1938,42 @@
return APR_SUCCESS;
}
+static apr_status_t redwax_set_user_in(redwax_tool_t *r, const char *arg)
+{
+ r->user_in = arg;
+
+ redwax_set_user(r, arg);
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_set_user_out(redwax_tool_t *r, const char *arg)
+{
+ r->user_out = arg;
+
+ redwax_set_user(r, arg);
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_set_group_in(redwax_tool_t *r, const char *arg)
+{
+ r->group_in = arg;
+
+ redwax_set_group(r, arg);
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_set_group_out(redwax_tool_t *r, const char *arg)
+{
+ r->group_out = arg;
+
+ redwax_set_group(r, arg);
+
+ return APR_SUCCESS;
+}
+
static apr_status_t redwax_set_current(redwax_tool_t *r)
{
r->current = 1;
@@ -2143,6 +2319,18 @@
== APR_SUCCESS) {
switch (optch) {
+ case REDWAX_TOOL_USER_IN: {
+ if (redwax_set_user_in(r, optarg)) {
+ return REDWAX_EXIT_AUTH;
+ }
+ break;
+ }
+ case REDWAX_TOOL_GROUP_IN: {
+ if (redwax_set_group_in(r, optarg)) {
+ return REDWAX_EXIT_AUTH;
+ }
+ break;
+ }
case REDWAX_TOOL_KEY_IN: {
redwax_set_key_in(r);
break;
@@ -2178,6 +2366,9 @@
}
}
+
+ redwax_set_user(r, NULL);
+ redwax_set_group(r, NULL);
/* walk filter options */
@@ -2232,6 +2423,9 @@
redwax_process_filter(r, REDWAX_PASSTHROUGH);
}
+ redwax_set_user(r, NULL);
+ redwax_set_group(r, NULL);
+
/* walk output options */
apr_getopt_init(&opt, r->pool, argc, argv);
@@ -2239,6 +2433,18 @@
== APR_SUCCESS) {
switch (optch) {
+ case REDWAX_TOOL_USER_OUT: {
+ if (redwax_set_user_out(r, optarg)) {
+ return REDWAX_EXIT_AUTH;
+ }
+ break;
+ }
+ case REDWAX_TOOL_GROUP_OUT: {
+ if (redwax_set_group_out(r, optarg)) {
+ return REDWAX_EXIT_AUTH;
+ }
+ break;
+ }
case REDWAX_TOOL_TEXT_OUT: {
r->text++;
break;
@@ -2357,6 +2563,9 @@
/* output catch-all */
redwax_nss_dir_out(r, NULL);
+
+ redwax_set_user(r, NULL);
+ redwax_set_group(r, NULL);
return r->rc;
}
@@ -2436,6 +2645,14 @@
redwax_complete_file(r, optarg, state.isquoted);
break;
}
+ case REDWAX_TOOL_USER_IN: {
+ redwax_complete_user(r, optarg, state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_GROUP_IN: {
+ redwax_complete_group(r, optarg, state.isquoted);
+ break;
+ }
case REDWAX_TOOL_FILTER: {
redwax_complete_filter(r, optarg, state.isquoted);
break;
@@ -2494,6 +2711,14 @@
}
case REDWAX_TOOL_JWKS_OUT: {
redwax_complete_file(r, optarg, state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_USER_OUT: {
+ redwax_complete_user(r, optarg, state.isquoted);
+ break;
+ }
+ case REDWAX_TOOL_GROUP_OUT: {
+ redwax_complete_group(r, optarg, state.isquoted);
break;
}
}
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Mon Dec 20 08:49:45 2021
@@ -87,6 +87,10 @@
const char *secret_token_in;
const char *secret_token_out;
const char *label_out;
+ const char *user_in;
+ const char *user_out;
+ const char *group_in;
+ const char *group_out;
redwax_filter_t filter;
redwax_nss_t nss_out;
redwax_pkcs11_t pkcs11_in;
More information about the rt-commit
mailing list