Add an unprivileged mode where calls to install are passed appropriate

flags.  For ease of integration, use the same flags as install:

 -U		unprivileged mode
 -D <destdir>	Specify DESTDIR (overrides the environment)
 -M <metalog>	Full path to METALOG file

Reviewed by:	kevans
Obtained from:	CheriBSD
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24932
This commit is contained in:
Brooks Davis 2020-05-22 17:45:07 +00:00
parent 71d11ee322
commit 48e9fb855b
2 changed files with 28 additions and 11 deletions

View File

@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd February 19, 2019
.Dd May 22, 2020
.Dt CERTCTL 8
.Os
.Sh NAME
@ -40,7 +40,9 @@
.Op Fl v
.Ic blacklisted
.Nm
.Op Fl nv
.Op Fl nUv
.Op Fl D Ar destdir
.Op Fl M Ar metalog
.Ic rehash
.Nm
.Op Fl nv
@ -56,10 +58,17 @@ applications that use OpenSSL.
.Pp
Flags:
.Bl -tag -width 4n
.It Fl D Ar destdir
Specify the DESTDIR (overriding values from the environment).
.It Fl M Ar metalog
Specify the path of the METALOG file (default: $DESTDIR/METALOG).
.It Fl n
No-Op mode, do not actually perform any actions.
.It Fl v
be verbose, print details about actions before performing them.
.It Fl U
Unprivileged mode, do not change the ownership of created links.
Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:

View File

@ -30,10 +30,6 @@
############################################################ CONFIGURATION
: ${DESTDIR:=}
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"}
: ${VERBOSE:=0}
@ -42,6 +38,7 @@
SCRIPTNAME="${0##*/}"
ERRORS=0
NOOP=0
UNPRIV=0
############################################################ FUNCTIONS
@ -69,7 +66,7 @@ create_trusted_link()
return 1
fi
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
[ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
}
create_blacklisted()
@ -88,7 +85,7 @@ create_blacklisted()
return
fi
[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
[ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
}
do_scan()
@ -105,7 +102,7 @@ do_scan()
[ -d "$CPATH" ] || continue
echo "Scanning $CPATH for certificates..."
for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
[ -e "$CPATH/$CFILE" ] || continue
[ -e "$CPATH/$CFILE" && $UNPRIV -eq 0 ] || continue
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
"$CFUNC" "$CPATH/$CFILE"
done
@ -209,7 +206,7 @@ usage()
echo " List trusted certificates"
echo " $SCRIPTNAME [-v] blacklisted"
echo " List blacklisted certificates"
echo " $SCRIPTNAME [-nv] rehash"
echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
echo " Generate hash links for all certificates"
echo " $SCRIPTNAME [-nv] blacklist <file>"
echo " Add <file> to the list of blacklisted certificates"
@ -220,14 +217,25 @@ usage()
############################################################ MAIN
while getopts nv flag; do
while getopts D:M:nUv flag; do
case "$flag" in
D) DESTDIR=${OPTARG} ;;
M) METALOG=${OPTARG} ;;
n) NOOP=1 ;;
U) UNPRIV=1 ;;
v) VERBOSE=$(( $VERBOSE + 1 )) ;;
esac
done
shift $(( $OPTIND - 1 ))
: ${METALOG:=${DESTDIR}/METALOG}
INSTALLFLAGS=
[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR}
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
[ $# -gt 0 ] || usage
case "$1" in
list) cmd_list ;;