From: Clinton Ebadi Date: Tue, 29 Apr 2014 01:12:44 +0000 (-0400) Subject: Fix domtool-addcert for when user running is not in `wheel' X-Git-Tag: release_20140509~12 X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/ec76f5e64acbc68248b1555f4ba74594be8b939b Fix domtool-addcert for when user running is not in `wheel' Domtool on deleuze assumed admin users would be in group `wheel'. This is no longer true. Instead, make the CA readable only by root, generate the new keys and certs into a non-afs temp directory, and then move everything into afs afterward. --- diff --git a/scripts/domtool-addcert b/scripts/domtool-addcert index 25533b1..9b5495b 100755 --- a/scripts/domtool-addcert +++ b/scripts/domtool-addcert @@ -6,14 +6,20 @@ if test -z "$USER"; then exit 1 fi +umask 0066 # Prevent others from reading any files creating on local fs + + WORKDIR=/tmp/domtool-keyreq KEYDIR=`domtool-config -path cert keys`/$USER KEYFILE=$KEYDIR/key.pem CERTFILE=`domtool-config -path cert certs`/$USER.pem - NEWREQ=~/.newreq.pem - NEW=~/.new.pem - KEYIN=~/.keyin + NEWREQ=$WORKDIR/.newreq.pem + NEW=$WORKDIR/.new.pem + KEYIN=$WORKDIR/.keyin + NEWCERT=$WORKDIR/.cert CACONF=`domtool-config -path cert ca`/domtool-openssl.conf +mkdir $WORKDIR && chmod 700 $WORKDIR || (echo Cannot create work dir ; exit 1) + mkdir $KEYDIR || echo Key directory already exists. openssl genrsa -out $KEYFILE 4096 # chown -R domtool.nogroup $KEYDIR @@ -52,6 +58,9 @@ if [ ! -r $CACONF ]; then ROOTCMD=sudo fi -$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $CERTFILE -infiles $NEW +$ROOTCMD openssl ca -batch -config `domtool-config -path cert ca`/domtool-openssl.conf -out $NEWCERT -infiles $NEW +$ROOTCMD chown `whoami` $NEWCERT +mv $NEWCERT $CERTFILE rm $NEW +rm $WORKDIR -rf #chown domtool.nogroup $CERTFILE
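Review bot: The failure branch `|| (echo Cannot create work dir ; exit 1)` runs in a subshell, so the `exit 1` only ends that subshell and the script carries on writing `$NEWREQ`, `$NEW`, `$KEYIN` and `$NEWCERT` under a `/tmp/domtool-keyreq` that either does not exist or was not created by this run. The path is also fixed and predictable, so a second user or a leftover from an aborted run makes `mkdir` fail for the same reason; `mktemp -d` gives a private, collision-free directory already at mode 0700 and removes the need for the separate `chmod`. Replace the `WORKDIR=` assignment with `WORKDIR=$(mktemp -d /tmp/domtool-keyreq.XXXXXX) || { echo 'Cannot create work dir' >&2; exit 1; }` and delete the later `mkdir $WORKDIR && chmod 700 $WORKDIR || (...)` line; the assignment already precedes the variables derived from it. Note also that `umask 0066` still grants group/other search permission on new directories (0777 & ~0066 = 0711), so `umask 0077` matches the comment's intent more closely, and "files creating" in that comment reads "files created". The hunk is a fragment of a flat script whose remaining body lies outside it.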
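Review bot: Cleanup of `$WORKDIR` happens only on the success path: if `$ROOTCMD openssl ca` fails (sudo denied, bad request) the script still runs the unchecked `chown` and `mv`, but nothing removes `$KEYIN`, `$NEWREQ` and `$NEW` from `/tmp`, and because the work directory is a fixed path the leftover also breaks the next run's `mkdir`. A `trap 'rm -rf -- "$WORKDIR"' EXIT` installed right after the directory is created (in the first hunk) covers every exit path and makes the explicit `rm $NEW` and `rm $WORKDIR -rf` here redundant. If the final `rm` is kept, write it as `rm -rf -- "$WORKDIR"`: options after operands are a GNU extension and are not honored under `POSIXLY_CORRECT` or on non-GNU `rm`. The signing step should also be checked so a failed `openssl ca` does not silently leave `$CERTFILE` missing or stale, e.g. `$ROOTCMD openssl ca -batch -config ... -out $NEWCERT -infiles $NEW || exit 1`. The hunk ends mid-script; the lines after `#chown domtool.nogroup $CERTFILE` are outside it.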