Commit 2fa60209 authored by Aard's avatar Aard

[ssu] Set default users authorized_keys file even when run as root

parent 76c70f3d
...@@ -27,7 +27,7 @@ SOURCES = \ ...@@ -27,7 +27,7 @@ SOURCES = \
CONFIG += link_pkgconfig CONFIG += link_pkgconfig
QT += network xml dbus QT += network xml dbus
PKGCONFIG += libsystemd-journal boardname Qt5SystemInfo PKGCONFIG += libsystemd-journal boardname Qt5SystemInfo libshadowutils
install_headers.files = $${public_headers} install_headers.files = $${public_headers}
......
...@@ -12,6 +12,9 @@ ...@@ -12,6 +12,9 @@
#include <QUrlQuery> #include <QUrlQuery>
#endif #endif
#include <getdef.h>
#include <pwd.h>
#include "ssu.h" #include "ssu.h"
#include "ssulog.h" #include "ssulog.h"
#include "ssuvariables.h" #include "ssuvariables.h"
...@@ -425,26 +428,62 @@ void Ssu::setError(QString errorMessage){ ...@@ -425,26 +428,62 @@ void Ssu::setError(QString errorMessage){
void Ssu::storeAuthorizedKeys(QByteArray data){ void Ssu::storeAuthorizedKeys(QByteArray data){
QDir dir; QDir dir;
SsuLog *ssuLog = SsuLog::instance();
// only set the key for unprivileged users int uid_min = getdef_num("UID_MIN", -1);
if (getuid() < 1000) return; QString homePath;
if (getuid() >= uid_min){
homePath = dir.homePath();
} else if (getuid() == 0){
// place authorized_keys in the default users home when run with uid0
struct passwd *pw = getpwuid(uid_min);
if (pw == NULL){
ssuLog->print(LOG_DEBUG, QString("Unable to find password entry for uid %1")
.arg(uid_min));
return;
}
if (dir.exists(dir.homePath() + "/.ssh/authorized_keys")) //homePath = QString(pw->pw_dir);
homePath = pw->pw_dir;
// use users uid/gid for creating the directories and files
setegid(pw->pw_gid);
seteuid(uid_min);
ssuLog->print(LOG_DEBUG, QString("Dropping to %1/%2 for writing authorized keys")
.arg(uid_min)
.arg(pw->pw_gid));
} else
return; return;
if (!dir.exists(dir.homePath() + "/.ssh")) if (dir.exists(homePath + "/.ssh/authorized_keys")){
if (!dir.mkdir(dir.homePath() + "/.ssh")) return; ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1")
.arg(homePath));
return;
}
if (!dir.exists(homePath + "/.ssh"))
if (!dir.mkdir(homePath + "/.ssh")){
ssuLog->print(LOG_DEBUG, QString("Unable to create .ssh in %1")
.arg(homePath));
return;
}
QFile::setPermissions(dir.homePath() + "/.ssh", QFile::setPermissions(homePath + "/.ssh",
QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner); QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
QFile authorizedKeys(dir.homePath() + "/.ssh/authorized_keys"); QFile authorizedKeys(homePath + "/.ssh/authorized_keys");
authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate); authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate);
authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner); authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);
QTextStream out(&authorizedKeys); QTextStream out(&authorizedKeys);
out << data; out << data;
out.flush(); out.flush();
authorizedKeys.close(); authorizedKeys.close();
if (getuid() == 0){
seteuid(0);
setegid(0);
}
} }
void Ssu::updateCredentials(bool force){ void Ssu::updateCredentials(bool force){
......
...@@ -15,6 +15,7 @@ BuildRequires: pkgconfig(Qt5Test) ...@@ -15,6 +15,7 @@ BuildRequires: pkgconfig(Qt5Test)
BuildRequires: pkgconfig(Qt5SystemInfo) BuildRequires: pkgconfig(Qt5SystemInfo)
BuildRequires: pkgconfig(libzypp) BuildRequires: pkgconfig(libzypp)
BuildRequires: pkgconfig(libsystemd-journal) BuildRequires: pkgconfig(libsystemd-journal)
BuildRequires: pkgconfig(libshadowutils)
BuildRequires: oneshot BuildRequires: oneshot
BuildRequires: doxygen BuildRequires: doxygen
Requires(pre): shadow-utils Requires(pre): shadow-utils
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment