From 2fa60209a8c6e4475ccf7176166266b973ff1c10 Mon Sep 17 00:00:00 2001 From: Bernd Wachter Date: Mon, 9 Sep 2013 21:57:14 +0300 Subject: [PATCH] [ssu] Set default users authorized_keys file even when run as root --- libssu/libssu.pro | 2 +- libssu/ssu.cpp | 53 ++++++++++++++++++++++++++++++++++++++++------- rpm/ssu.spec | 1 + 3 files changed, 48 insertions(+), 8 deletions(-) diff --git a/libssu/libssu.pro b/libssu/libssu.pro index cfb52fc..efd3a33 100644 --- a/libssu/libssu.pro +++ b/libssu/libssu.pro @@ -27,7 +27,7 @@ SOURCES = \ CONFIG += link_pkgconfig QT += network xml dbus -PKGCONFIG += libsystemd-journal boardname Qt5SystemInfo +PKGCONFIG += libsystemd-journal boardname Qt5SystemInfo libshadowutils install_headers.files = $${public_headers} diff --git a/libssu/ssu.cpp b/libssu/ssu.cpp index 128dad0..a87d407 100644 --- a/libssu/ssu.cpp +++ b/libssu/ssu.cpp @@ -12,6 +12,9 @@ #include #endif +#include +#include + #include "ssu.h" #include "ssulog.h" #include "ssuvariables.h" 
@@ -425,26 +428,62 @@ void Ssu::setError(QString errorMessage){ void Ssu::storeAuthorizedKeys(QByteArray data){ QDir dir; + SsuLog *ssuLog = SsuLog::instance(); - // only set the key for unprivileged users - if (getuid() < 1000) return; + int uid_min = getdef_num("UID_MIN", -1); + QString homePath; + + if (getuid() >= uid_min){ + homePath = dir.homePath(); + } else if (getuid() == 0){ + // place authorized_keys in the default users home when run with uid0 + struct passwd *pw = getpwuid(uid_min); + if (pw == NULL){ + ssuLog->print(LOG_DEBUG, QString("Unable to find password entry for uid %1") + .arg(uid_min)); + return; + } - if (dir.exists(dir.homePath() + "/.ssh/authorized_keys")) + //homePath = QString(pw->pw_dir); + homePath = pw->pw_dir; + + // use users uid/gid for creating the directories and files + setegid(pw->pw_gid); + seteuid(uid_min); + ssuLog->print(LOG_DEBUG, QString("Dropping to %1/%2 for writing authorized keys") + .arg(uid_min) + .arg(pw->pw_gid)); + } else return; - if (!dir.exists(dir.homePath() + "/.ssh")) - if (!dir.mkdir(dir.homePath() + "/.ssh")) return; + if (dir.exists(homePath + "/.ssh/authorized_keys")){ + ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1") + .arg(homePath)); + return; + } + + if (!dir.exists(homePath + "/.ssh")) + if (!dir.mkdir(homePath + "/.ssh")){ + ssuLog->print(LOG_DEBUG, QString("Unable to create .ssh in %1") + .arg(homePath)); + return; + } - QFile::setPermissions(dir.homePath() + "/.ssh", + QFile::setPermissions(homePath + "/.ssh", QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner); - QFile authorizedKeys(dir.homePath() + "/.ssh/authorized_keys"); + QFile authorizedKeys(homePath + "/.ssh/authorized_keys"); authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate); authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner); QTextStream out(&authorizedKeys); out << data; out.flush(); authorizedKeys.close(); + + if (getuid() == 0){ + seteuid(0); + 
setegid(0); + } } void Ssu::updateCredentials(bool force){ diff --git a/rpm/ssu.spec b/rpm/ssu.spec index c0e2b69..c30f31e 100644 --- a/rpm/ssu.spec +++ b/rpm/ssu.spec @@ -15,6 +15,7 @@ BuildRequires: pkgconfig(Qt5Test) BuildRequires: pkgconfig(Qt5SystemInfo) BuildRequires: pkgconfig(libzypp) BuildRequires: pkgconfig(libsystemd-journal) +BuildRequires: pkgconfig(libshadowutils) BuildRequires: oneshot BuildRequires: doxygen Requires(pre): shadow-utils
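Review bot: In the `getuid() == 0` branch of storeAuthorizedKeys the results of `setegid(pw->pw_gid)` and `seteuid(uid_min)` are ignored, so if either call fails the function goes on to create `.ssh` and write `authorized_keys` as root inside a directory the user controls. The two early returns after the drop (file already exists, `dir.mkdir` fails) also skip the `seteuid(0); setegid(0);` restore at the end of the function, which leaves the process running with the user's effective ids afterwards. I would check both calls, abort on failure, and restore the ids on every exit path, as in the excerpt below. Two smaller points: `getdef_num("UID_MIN", -1)` can return -1, and since uid_t is normally unsigned the `getuid() >= uid_min` comparison then no longer means what it reads as, so an explicit `if (uid_min < 0) return;` with a log line would make the intent clear; and the result of `authorizedKeys.open(...)` is not checked before the stream writes to it.

```cpp
    // use users uid/gid for creating the directories and files
    if (setegid(pw->pw_gid) != 0 || seteuid(uid_min) != 0){
      ssuLog->print(LOG_DEBUG, QString("Unable to drop to %1/%2, not writing authorized keys")
                    .arg(uid_min)
                    .arg(pw->pw_gid));
      // seteuid() did not succeed, so the effective uid is still 0 here
      setegid(0);
      return;
    }
    // … unchanged: "Dropping to" debug log, else-return …

  if (dir.exists(homePath + "/.ssh/authorized_keys")){
    // … unchanged: debug log …
    if (getuid() == 0){
      seteuid(0);
      setegid(0);
    }
    return;
  }
  // … same restore before the return in the mkdir failure branch …
  // … unchanged: permissions, file write, final restore …
```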