Add an unprivileged mode where calls to install are passed appropriate

flags.  For ease of integration, use the same flags as install:

 -U		unprivileged mode
 -D <destdir>	Specify DESTDIR (overrides the environment)
 -M <metalog>	Full path to METALOG file

Reviewed by:	kevans
Obtained from:	CheriBSD
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D24932

usr.sbin/certctl/certctl.8

@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 19, 2019
+.Dd May 22, 2020
 .Dt CERTCTL 8
 .Os
 .Sh NAME
@@ -40,7 +40,9 @@
 .Op Fl v
 .Ic blacklisted
 .Nm
-.Op Fl nv
+.Op Fl nUv
+.Op Fl D Ar destdir
+.Op Fl M Ar metalog
 .Ic rehash
 .Nm
 .Op Fl nv
@@ -56,10 +58,17 @@ applications that use OpenSSL.
 .Pp
 Flags:
 .Bl -tag -width 4n
+.It Fl D Ar destdir
+Specify the DESTDIR (overriding values from the environment).
+.It Fl M Ar metalog
+Specify the path of the METALOG file (default: $DESTDIR/METALOG).
 .It Fl n
 No-Op mode, do not actually perform any actions.
 .It Fl v
 be verbose, print details about actions before performing them.
+.It Fl U
+Unprivileged mode, do not change the ownership of created links.
+Do record the ownership in the METALOG file.
 .El
 .Pp
 Primary command functions:

usr.sbin/certctl/certctl.sh

@@ -30,10 +30,6 @@
 ############################################################ CONFIGURATION
 
 : ${DESTDIR:=}
-: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
-: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
 : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"}
 : ${VERBOSE:=0}
 
@@ -42,6 +38,7 @@
 SCRIPTNAME="${0##*/}"
 ERRORS=0
 NOOP=0
+UNPRIV=0
 
 ############################################################ FUNCTIONS
 
@@ -69,7 +66,7 @@ create_trusted_link()
 		return 1
 	fi
 	[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
-	[ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
+	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
 }
 
 create_blacklisted()
@@ -88,7 +85,7 @@ create_blacklisted()
 		return
 	fi
 	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
-	[ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+	[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
 }
 
 do_scan()
@@ -105,7 +102,7 @@ do_scan()
 		[ -d "$CPATH" ] || continue
 		echo "Scanning $CPATH for certificates..."
 		for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
-			[ -e "$CPATH/$CFILE" ] || continue
+			[ -e "$CPATH/$CFILE" && $UNPRIV -eq 0 ] || continue
 			[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
 			"$CFUNC" "$CPATH/$CFILE"
 		done
@@ -209,7 +206,7 @@ usage()
 	echo "		List trusted certificates"
 	echo "	$SCRIPTNAME [-v] blacklisted"
 	echo "		List blacklisted certificates"
-	echo "	$SCRIPTNAME [-nv] rehash"
+	echo "	$SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
 	echo "		Generate hash links for all certificates"
 	echo "	$SCRIPTNAME [-nv] blacklist <file>"
 	echo "		Add <file> to the list of blacklisted certificates"
@@ -220,14 +217,25 @@ usage()
 
 ############################################################ MAIN
 
-while getopts nv flag; do
+while getopts D:M:nUv flag; do
 	case "$flag" in
+	D) DESTDIR=${OPTARG} ;;
+	M) METALOG=${OPTARG} ;;
 	n) NOOP=1 ;;
+	U) UNPRIV=1 ;;
 	v) VERBOSE=$(( $VERBOSE + 1 )) ;;
 	esac
 done
 shift $(( $OPTIND - 1 ))
 
+: ${METALOG:=${DESTDIR}/METALOG}
+INSTALLFLAGS=
+[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR}
+: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
+: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
+: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
+: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+
 [ $# -gt 0 ] || usage
 case "$1" in
 list)		cmd_list ;;