From 036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1 Mon Sep 17 00:00:00 2001
From: Florian Dold
Date: Thu, 29 Jul 2021 13:04:55 +0200
Subject: [PATCH] secmod: services create their own client dirs with correct permissions
---
src/util/crypto_helper_denom.c | 41 ++++++++++++-----------
src/util/crypto_helper_esign.c | 37 +++++++++++---------
src/util/taler-exchange-secmod-eddsa.c | 39 +++++++++++++++++++++
src/util/taler-exchange-secmod-eddsa.conf | 3 ++
src/util/taler-exchange-secmod-rsa.c | 39 +++++++++++++++++++++
src/util/taler-exchange-secmod-rsa.conf | 5 ++-
6 files changed, 129 insertions(+), 35 deletions(-)
diff --git a/src/util/crypto_helper_denom.c b/src/util/crypto_helper_denom.c
index bd9802d2f..2cc140c8e 100644
--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect ( if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, - "PATHS", - "TALER_RUNTIME_DIR", + "taler-exchange-secmod-rsa", + "CLIENT_DIR", &tmpdir)) { - GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING, - "PATHS", - "TALER_RUNTIME_DIR"); - tmpdir = GNUNET_strdup ("/tmp"); - } - GNUNET_asprintf (&template, - "%s/crypto-rsa-client/cli", - tmpdir); - GNUNET_free (tmpdir); - if (GNUNET_OK != - GNUNET_DISK_directory_create_for_file (template)) - { - GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, - "mkdir", - template); - GNUNET_free (dh); - GNUNET_free (template); + GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, + "taler-exchange-secmod-rsa", + "CLIENT_DIR"); return NULL; } + GNUNET_asprintf (&template, + "%s/cli", + tmpdir); + /* We expect the service to create the client directory */ + if (GNUNET_OK != + GNUNET_DISK_directory_test (tmpdir, + GNUNET_YES)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Unable to read secmod client directory (%s)\n", + tmpdir); + GNUNET_free (dh); + GNUNET_free (template); + GNUNET_free (tmpdir); + return NULL; + } + GNUNET_free (tmpdir); dh->template = template; if (strlen (template) >= sizeof (dh->sa.sun_path)) { diff --git a/src/util/crypto_helper_esign.c b/src/util/crypto_helper_esign.c index a1fb9319d..d5baa9348 100644 --- a/src/util/crypto_helper_esign.c +++ b/src/util/crypto_helper_esign.c 
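Review bot: The config-missing branch now returns NULL without releasing `dh`: the `GNUNET_free (dh);` that used to precede this `return NULL;` was removed together with the old mkdir error path, while the matching branch in crypto_helper_esign.c keeps `GNUNET_free (esh);`. The allocation of `dh` is outside the hunk, but the directory-test branch a few lines further down does free it, so presumably the handle already exists at this point and every failed connect with a missing CLIENT_DIR option leaks it. Adding `GNUNET_free (dh);` before that `return NULL;` restores the symmetry with the esign helper. TALER_CRYPTO_helper_denom_connect starts and ends outside the hunk.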
@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect ( if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (cfg, - "PATHS", - "TALER_RUNTIME_DIR", + "taler-exchange-secmod-eddsa", + "CLIENT_DIR", &tmpdir)) { - GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING, - "PATHS", - "TALER_RUNTIME_DIR"); - tmpdir = GNUNET_strdup ("/tmp"); - } - GNUNET_asprintf (&template, - "%s/crypto-eddsa-client/cli", - tmpdir); - GNUNET_free (tmpdir); - if (GNUNET_OK != - GNUNET_DISK_directory_create_for_file (template)) - { + GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, + "taler-exchange-secmod-eddsa", + "CLIENT_DIR"); GNUNET_free (esh); - GNUNET_free (template); return NULL; } + GNUNET_asprintf (&template, + "%s/cli", + tmpdir); + /* We expect the service to create the client directory */ + if (GNUNET_OK != + GNUNET_DISK_directory_test (tmpdir, + GNUNET_YES)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Unable to read secmod client directory (%s)\n", + tmpdir); + GNUNET_free (esh); + GNUNET_free (template); + GNUNET_free (tmpdir); + return NULL; + } + GNUNET_free (tmpdir); esh->template = template; if (strlen (template) >= sizeof (esh->sa.sun_path)) { diff --git a/src/util/taler-exchange-secmod-eddsa.c b/src/util/taler-exchange-secmod-eddsa.c index ac4bfc61b..48dcdf718 100644 --- a/src/util/taler-exchange-secmod-eddsa.c +++ b/src/util/taler-exchange-secmod-eddsa.c 
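Review bot: `GNUNET_DISK_directory_test (tmpdir, GNUNET_YES)` only establishes that a readable directory exists at CLIENT_DIR, not that it carries the ownership and mode the service is expected to give it, yet the `%s/cli` template below it is what gets checked against `esh->sa.sun_path`. A `stat ()` on `tmpdir` that refuses a directory with `S_IWOTH` set would keep the client from placing its socket somewhere other local users can write to; the denom hunk has the same gap. The comment could also spell out the new startup dependency, e.g. `/* The secmod service creates CLIENT_DIR at startup; it must have been started before we connect. */`. TALER_CRYPTO_helper_esign_connect starts and ends outside the hunk.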
@@ -1522,6 +1522,45 @@ run (void *cls, return; } + /* Create client directory and set permissions. */ + { + char *client_dir; + + if (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_filename (kcfg, + "taler-exchange-secmod-eddsa", + "CLIENT_DIR", + &client_dir)) + { + GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, + "taler-exchange-secmod-eddsa", + "CLIENT_DIR"); + global_ret = 3; + return; + } + + if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Can't create client directory (%s)\n", + client_dir); + global_ret = 3; + return; + } + /* Set sticky group bit, so that clients will be writeable by the current service. */ + if (0 != chmod (client_dir, + S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Can't set permissions for client directory (%s)\n", + client_dir); + global_ret = 3; + return; + } + + GNUNET_free (client_dir); + } + if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (kcfg, "taler-exchange-secmod-eddsa", diff --git a/src/util/taler-exchange-secmod-eddsa.conf b/src/util/taler-exchange-secmod-eddsa.conf index 8a171353d..8227c908f 100644 --- a/src/util/taler-exchange-secmod-eddsa.conf +++ b/src/util/taler-exchange-secmod-eddsa.conf @@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/ # Where does the helper listen for requests? UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock +# Directory for clients. +CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client + # Where should the security module store it's private key? SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c index 3c1f81c26..1307b8f45 100644 --- a/src/util/taler-exchange-secmod-rsa.c +++ b/src/util/taler-exchange-secmod-rsa.c 
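Review bot: The comment above the `chmod ()` call says "sticky group bit", but `S_ISGID` is the set-group-ID bit (the sticky bit is `S_ISVTX`), and the resulting mode 02750 leaves out `S_IWGRP`. The client helpers build their `%s/cli` socket template inside this directory, so a client that reaches it through group membership rather than as the owning user would presumably be unable to create its entry there; if that deployment is intended, the mode needs `S_IWGRP` too. Suggested comment: `/* Set the setgid bit so that client sockets inherit the directory's group and stay accessible to this service. */`. The identical block in taler-exchange-secmod-rsa.c needs the same change. run() starts and ends outside the hunk.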
@@ -1896,6 +1896,45 @@ run (void *cls, return; } + /* Create client directory and set permissions. */ + { + char *client_dir; + + if (GNUNET_OK != + GNUNET_CONFIGURATION_get_value_filename (kcfg, + "taler-exchange-secmod-rsa", + "CLIENT_DIR", + &client_dir)) + { + GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR, + "taler-exchange-secmod-rsa", + "CLIENT_DIR"); + global_ret = 3; + return; + } + + if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Can't create client directory (%s)\n", + client_dir); + global_ret = 3; + return; + } + /* Set sticky group bit, so that clients will be writeable by the current service. */ + if (0 != chmod (client_dir, + S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID)) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "Can't set permissions for client directory (%s)\n", + client_dir); + global_ret = 3; + return; + } + + GNUNET_free (client_dir); + } + if (GNUNET_OK != GNUNET_CONFIGURATION_get_value_filename (kcfg, "taler-exchange-secmod-rsa", diff --git a/src/util/taler-exchange-secmod-rsa.conf b/src/util/taler-exchange-secmod-rsa.conf index f9a6c7d1f..c653fa4f4 100644 --- a/src/util/taler-exchange-secmod-rsa.conf +++ b/src/util/taler-exchange-secmod-rsa.conf @@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/ # Where does the helper listen for requests? UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock +# Directory for clients. +CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client + # Where should the security module store it's private key? SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key # For how long into the future do we pre-generate keys? -LOOKAHEAD_SIGN = 1 year \ No newline at end of file +LOOKAHEAD_SIGN = 1 year
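Review bot: `GNUNET_DISK_directory_create ()` followed by a path-based `chmod ()` does not establish that the service itself created `client_dir`; if the create call also succeeds for a directory that already exists (its behaviour is not visible here), a pre-existing directory or a symlink at that path is accepted as is. Checking the result after creation, e.g. `if ( (0 != lstat (client_dir, &st)) || (! S_ISDIR (st.st_mode)) || (st.st_uid != geteuid ()) )` as one more failure case, would close that gap. Separately, the two early returns after the create and chmod failures skip `GNUNET_free (client_dir);`. Both points apply equally to the copy in taler-exchange-secmod-eddsa.c. run() starts and ends outside the hunk.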