system/doas
system/doas
1
0
Fork 0
mirror of https://github.com/slicer69/doas synced 2024-07-01 06:54:29 +00:00
Code Issues Projects Releases Wiki Activity
23818b138e
doas/vidoas

242 lines
5.3 KiB
Plaintext
Raw Normal View History

Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
#!/bin/sh
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
# Copyright (c) 2020 Kimmo Suominen <kim@netbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
# WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
# DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
# OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Edit a temporary copy of the doas.conf file and check it for syntax
# errors before installing it as the actual doas.conf file.
Added explanation of what vidoas does to the top of the script.
2020-08-07 21:42:52 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set -eu
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
PATH=/bin:/usr/bin:/usr/local/bin
export PATH
PROG="${0##*/}"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
umask 022
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
DOAS_CONF=@DOAS_CONF@
Fixed error where doas could try to run doas again.
2021-01-25 18:25:28 +00:00
doas_conf_mode="0600"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
die()
{
echo "${PROG}: ${@}" 1>&2
exit 1
}
warn()
{
echo "${PROG}: ${@}" 1>&2
}
get_intr()
{
stty -a \
| sed -En '
/^(.* )?intr = / {
s///
s/;.*$//
p
}
'
}
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
owner_of()
{
local file
file="${1}"
if stat --version >/dev/null 2>&1
then
stat -c '%U' "${file}"
else
stat -f '%Su' "${file}"
fi \
| awk '{print $1; exit}'
}
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set_trap_rm()
{
local file file_list
file_list=
for file
do
file_list="${file_list} '${file}'"
done
if [ -n "${file_list}" ]
then
trap "rm -f ${file_list}" 0 1 2 15
fi
}
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
usage()
{
cat <<EOF
Usage: ${PROG} [-n] [file]
${PROG} -h
Edit a temporary copy of a doas configuration file and check it for
syntax errors before installing it as the actual configuration file.
When no file is named, ${PROG} will edit the default configuration file
for doas(1): @DOAS_CONF@
Options:
-h Show this usage.
-n Do not edit the file, just perform prerequisite checks. If this
switch is repeated, all output will be suppressed and the check
result is only indicated by the exit status.
EOF
}
noop=0
Account correctly for the -h option
2020-11-09 09:54:04 +00:00
while getopts hn opt
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
do
case "${opt}" in
h) usage; exit 0;;
Account correctly for the -h option
2020-11-09 09:54:04 +00:00
n) noop=$((${noop} + 1));;
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
*) usage 1>&2; exit 1;;
esac
done
shift $((${OPTIND} - 1))
case ${#} in
0) ;;
1) DOAS_CONF="${1}";;
*) usage 1>&2; exit 1;;
esac
case ${noop} in
0) noop=false;;
1) noop=true;;
*) noop=true; exec >/dev/null 2>&1;;
esac
case "${DOAS_CONF}" in
-*)
warn "Invalid filename: ${DOAS_CONF}"
die "Try using './${DOAS_CONF}' instead"
;;
esac
doas_conf_dir="$(dirname "${DOAS_CONF}")"
doas_conf_base="$(basename "${DOAS_CONF}")"
DOAS_CONF="${doas_conf_dir}/${doas_conf_base}"
doas_lock_file="${DOAS_CONF}.lck"
# These checks are only for producing nicer diagnostic messages to the
# user. They are not relied on by the rest of the code.
if [ ! -e "${doas_conf_dir}" ]
then
die "${doas_conf_dir} does not exist"
fi
if [ ! -d "${doas_conf_dir}" ]
then
die "${doas_conf_dir} is not a directory"
fi
if [ ! -w "${doas_conf_dir}" ]
then
owner="$(owner_of "${doas_conf_dir}")"
warn "${doas_conf_dir} is not writable"
die "You probably need to run ${PROG} as ${owner:-root}"
fi
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
tmp_doas="$(mktemp "${DOAS_CONF}.XXXXXXXXXX")" \
|| die "You probably need to run ${PROG} as root"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set_trap_rm "${tmp_doas}"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# It is important that the ln(1) command fails if the target already
# exists. Some versions are known to behave like "ln -f" by default
# (removing any existing target). Adjust PATH to avoid such ln(1)
# implementations.
tmp_test_ln="$(mktemp "${DOAS_CONF}.XXXXXXXXXX")"
set_trap_rm "${tmp_doas}" "${tmp_test_ln}"
if ln "${tmp_doas}" "${tmp_test_ln}" 2>/dev/null
then
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
die 'ln(1) is not safe for creating lock files, bailing'
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
fi
# If a doas.conf file exists, copy it into the temporary file for
# editing. If none exist, the editor will open with an empty file.
if [ -f "${DOAS_CONF}" ]
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
if [ -r "${DOAS_CONF}" ]
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
cp "${DOAS_CONF}" "${tmp_doas}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
die "${DOAS_CONF} is not readable"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
fi
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
if ${noop}
then
Added syntax check for file passed to vidoas script using -n flag. Restored vidoas script to /usr/local/bin/ from /usr/local/sbin/ to insure it is in common user path.
2020-11-09 15:30:49 +00:00
if ! doas -C "${DOAS_CONF}"
then
die "${DOAS_CONF} contains syntax errors."
fi
vidoas: Allow specifying file to edit. Add manual page and license. - Add functionality to edit a file specified on the command line. - Add `-n` option for running prerequisite checks without editing the configuration file. - Install vidoas in `@PREFIX@/sbin` as it is really more of a system maintenance command (run by administrators; requires root privileges for editing the default **doas(1)** configuation file). - Add a manual page (in section `8`). - Release the code under the same MIT-like license as **doas(1)** itself.
2020-11-09 09:43:46 +00:00
warn 'OK: Prerequisite checks passed'
exit 0
fi
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Link the temporary file to the lock file.
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
if ln "${tmp_doas}" "${doas_lock_file}"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
set_trap_rm "${tmp_doas}" "${tmp_test_ln}" "${doas_lock_file}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
die "${DOAS_CONF} is already locked"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
fi
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Some versions of vi(1) exit with a code that reflects the number of
# editing errors made. This is why we ignore the exit code from the
# editor.
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
"${EDITOR:-vi}" "${tmp_doas}" || true
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
while ! doas -C "${tmp_doas}"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
do
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
warn "Press enter to edit doas.conf again to fix it,"
warn "or interrupt ($(get_intr)) to cancel."
read status
"${EDITOR:-vi}" "${tmp_doas}" || true
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
done
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Use mv(1) to rename the temporary file to doas.conf as it is atomic.
Merge branch 'master' of https://github.com/slicer69/doas
2021-01-25 18:14:21 +00:00
# Update: No longer use mv as it messes up permissions on the doas.conf file.
# Use install with ownership set to root.
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
if [ -s "${tmp_doas}" ]
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
if cmp -s "${tmp_doas}" "${DOAS_CONF}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
then
warn "No changes made"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
warn "${DOAS_CONF} unchanged"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
Fixed error where doas could try to run doas again.
2021-01-25 18:25:28 +00:00
install -o root -m "${doas_conf_mode}" \
"${tmp_doas}" "${DOAS_CONF}" \
&& warn "${DOAS_CONF} updated"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
else
warn "Not installing an empty doas.conf file"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
warn "${DOAS_CONF} unchanged"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
Reference in New Issue Copy Permalink