secmod: services create their own client dirs with correct permissions

This commit is contained in:
Florian Dold 2021-07-29 13:04:55 +02:00
parent dae09f1a43
commit 036d4cb71a
No known key found for this signature in database
GPG Key ID: D2E4F00F29D02A4B
6 changed files with 129 additions and 35 deletions

View File

@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg, GNUNET_CONFIGURATION_get_value_filename (cfg,
"PATHS", "taler-exchange-secmod-rsa",
"TALER_RUNTIME_DIR", "CLIENT_DIR",
&tmpdir)) &tmpdir))
{ {
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING, GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"PATHS", "taler-exchange-secmod-rsa",
"TALER_RUNTIME_DIR"); "CLIENT_DIR");
tmpdir = GNUNET_strdup ("/tmp");
}
GNUNET_asprintf (&template,
"%s/crypto-rsa-client/cli",
tmpdir);
GNUNET_free (tmpdir);
if (GNUNET_OK !=
GNUNET_DISK_directory_create_for_file (template))
{
GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
"mkdir",
template);
GNUNET_free (dh);
GNUNET_free (template);
return NULL; return NULL;
} }
GNUNET_asprintf (&template,
"%s/cli",
tmpdir);
/* We expect the service to create the client directory */
if (GNUNET_OK !=
GNUNET_DISK_directory_test (tmpdir,
GNUNET_YES))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Unable to read secmod client directory (%s)\n",
tmpdir);
GNUNET_free (dh);
GNUNET_free (template);
GNUNET_free (tmpdir);
return NULL;
}
GNUNET_free (tmpdir);
dh->template = template; dh->template = template;
if (strlen (template) >= sizeof (dh->sa.sun_path)) if (strlen (template) >= sizeof (dh->sa.sun_path))
{ {

View File

@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg, GNUNET_CONFIGURATION_get_value_filename (cfg,
"PATHS", "taler-exchange-secmod-eddsa",
"TALER_RUNTIME_DIR", "CLIENT_DIR",
&tmpdir)) &tmpdir))
{ {
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING, GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"PATHS", "taler-exchange-secmod-eddsa",
"TALER_RUNTIME_DIR"); "CLIENT_DIR");
tmpdir = GNUNET_strdup ("/tmp");
}
GNUNET_asprintf (&template,
"%s/crypto-eddsa-client/cli",
tmpdir);
GNUNET_free (tmpdir);
if (GNUNET_OK !=
GNUNET_DISK_directory_create_for_file (template))
{
GNUNET_free (esh); GNUNET_free (esh);
GNUNET_free (template);
return NULL; return NULL;
} }
GNUNET_asprintf (&template,
"%s/cli",
tmpdir);
/* We expect the service to create the client directory */
if (GNUNET_OK !=
GNUNET_DISK_directory_test (tmpdir,
GNUNET_YES))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Unable to read secmod client directory (%s)\n",
tmpdir);
GNUNET_free (esh);
GNUNET_free (template);
GNUNET_free (tmpdir);
return NULL;
}
GNUNET_free (tmpdir);
esh->template = template; esh->template = template;
if (strlen (template) >= sizeof (esh->sa.sun_path)) if (strlen (template) >= sizeof (esh->sa.sun_path))
{ {

View File

@ -1522,6 +1522,45 @@ run (void *cls,
return; return;
} }
/* Create client directory and set permissions. */
{
char *client_dir;
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa",
"CLIENT_DIR",
&client_dir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-eddsa",
"CLIENT_DIR");
global_ret = 3;
return;
}
if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't create client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
/* Set sticky group bit, so that clients will be writeable by the current service. */
if (0 != chmod (client_dir,
S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't set permissions for client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
GNUNET_free (client_dir);
}
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg, GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa", "taler-exchange-secmod-eddsa",

View File

@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
# Where does the helper listen for requests? # Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
# Directory for clients.
CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
# Where should the security module store it's private key? # Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key

View File

@ -1896,6 +1896,45 @@ run (void *cls,
return; return;
} }
/* Create client directory and set permissions. */
{
char *client_dir;
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa",
"CLIENT_DIR",
&client_dir))
{
GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
"taler-exchange-secmod-rsa",
"CLIENT_DIR");
global_ret = 3;
return;
}
if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't create client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
/* Set sticky group bit, so that clients will be writeable by the current service. */
if (0 != chmod (client_dir,
S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
{
GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
"Can't set permissions for client directory (%s)\n",
client_dir);
global_ret = 3;
return;
}
GNUNET_free (client_dir);
}
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg, GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa", "taler-exchange-secmod-rsa",

View File

@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
# Where does the helper listen for requests? # Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
# Directory for clients.
CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
# Where should the security module store it's private key? # Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key