secmod: services create their own client dirs with correct permissions

This commit is contained in:
Florian Dold 2021-07-29 13:04:55 +02:00
parent dae09f1a43
commit 036d4cb71a
No known key found for this signature in database
GPG Key ID: D2E4F00F29D02A4B
6 changed files with 129 additions and 35 deletions

View File

@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
"PATHS",
"TALER_RUNTIME_DIR",
"taler-exchange-secmod-rsa",
"CLIENT_DIR",
&tmpdir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
"PATHS",
"TALER_RUNTIME_DIR");
tmpdir = GNUNET_strdup ("/tmp");
}
GNUNET_asprintf (&template,
"%s/crypto-rsa-client/cli",
tmpdir);
GNUNET_free (tmpdir);
if (GNUNET_OK !=
GNUNET_DISK_directory_create_for_file (template))
{
GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
"mkdir",
template);
GNUNET_free (dh);
GNUNET_free (template);
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-rsa",
"CLIENT_DIR");
return NULL;
}
GNUNET_asprintf (&template,
"%s/cli",
tmpdir);
/* We expect the service to create the client directory */
if (GNUNET_OK !=
GNUNET_DISK_directory_test (tmpdir,
GNUNET_YES))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Unable to read secmod client directory (%s)\n",
tmpdir);
GNUNET_free (dh);
GNUNET_free (template);
GNUNET_free (tmpdir);
return NULL;
}
GNUNET_free (tmpdir);
dh->template = template;
if (strlen (template) >= sizeof (dh->sa.sun_path))
{

View File

@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
"PATHS",
"TALER_RUNTIME_DIR",
"taler-exchange-secmod-eddsa",
"CLIENT_DIR",
&tmpdir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
"PATHS",
"TALER_RUNTIME_DIR");
tmpdir = GNUNET_strdup ("/tmp");
}
GNUNET_asprintf (&template,
"%s/crypto-eddsa-client/cli",
tmpdir);
GNUNET_free (tmpdir);
if (GNUNET_OK !=
GNUNET_DISK_directory_create_for_file (template))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-eddsa",
"CLIENT_DIR");
GNUNET_free (esh);
GNUNET_free (template);
return NULL;
}
GNUNET_asprintf (&template,
"%s/cli",
tmpdir);
/* We expect the service to create the client directory */
if (GNUNET_OK !=
GNUNET_DISK_directory_test (tmpdir,
GNUNET_YES))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Unable to read secmod client directory (%s)\n",
tmpdir);
GNUNET_free (esh);
GNUNET_free (template);
GNUNET_free (tmpdir);
return NULL;
}
GNUNET_free (tmpdir);
esh->template = template;
if (strlen (template) >= sizeof (esh->sa.sun_path))
{

View File

@ -1522,6 +1522,45 @@ run (void *cls,
return;
}
/* Create client directory and set permissions. */
{
char *client_dir;
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa",
"CLIENT_DIR",
&client_dir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-eddsa",
"CLIENT_DIR");
global_ret = 3;
return;
}
if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't create client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
/* Set sticky group bit, so that clients will be writeable by the current service. */
if (0 != chmod (client_dir,
S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't set permissions for client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
GNUNET_free (client_dir);
}
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa",

View File

@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
# Directory for clients.
CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key

View File

@ -1896,6 +1896,45 @@ run (void *cls,
return;
}
/* Create client directory and set permissions. */
{
char *client_dir;
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa",
"CLIENT_DIR",
&client_dir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-rsa",
"CLIENT_DIR");
global_ret = 3;
return;
}
if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't create client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
/* Set sticky group bit, so that clients will be writeable by the current service. */
if (0 != chmod (client_dir,
S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't set permissions for client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
GNUNET_free (client_dir);
}
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa",

View File

@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
# Directory for clients.
CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key
# For how long into the future do we pre-generate keys?
LOOKAHEAD_SIGN = 1 year
LOOKAHEAD_SIGN = 1 year