system/doas
system/doas
1
0
Fork 0
mirror of https://github.com/slicer69/doas synced 2024-07-23 11:14:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
doas/vidoas

125 lines
2.5 KiB
Plaintext
Raw Normal View History

Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
#!/bin/sh
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Edit a temporary copy of the doas.conf file and check it for syntax
# errors before installing it as the actual doas.conf file.
Added explanation of what vidoas does to the top of the script.
2020-08-07 21:42:52 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set -eu
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
PATH=/bin:/usr/bin:/usr/local/bin
export PATH
PROG="${0##*/}"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
umask 022
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
DOAS_CONF=@DOAS_CONF@
doas_lock_file="${DOAS_CONF}.lck"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
die()
{
echo "${PROG}: ${@}" 1>&2
exit 1
}
warn()
{
echo "${PROG}: ${@}" 1>&2
}
get_intr()
{
stty -a \
| sed -En '
/^(.* )?intr = / {
s///
s/;.*$//
p
}
'
}
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set_trap_rm()
{
local file file_list
file_list=
for file
do
file_list="${file_list} '${file}'"
done
if [ -n "${file_list}" ]
then
trap "rm -f ${file_list}" 0 1 2 15
fi
}
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
tmp_doas="$(mktemp "${DOAS_CONF}.XXXXXXXXXX")" \
|| die "You probably need to run ${PROG} as root"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
set_trap_rm "${tmp_doas}"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# It is important that the ln(1) command fails if the target already
# exists. Some versions are known to behave like "ln -f" by default
# (removing any existing target). Adjust PATH to avoid such ln(1)
# implementations.
tmp_test_ln="$(mktemp "${DOAS_CONF}.XXXXXXXXXX")"
set_trap_rm "${tmp_doas}" "${tmp_test_ln}"
if ln "${tmp_doas}" "${tmp_test_ln}" 2>/dev/null
then
die 'ln(1) is not safe for lock files, bailing'
fi
# If a doas.conf file exists, copy it into the temporary file for
# editing. If none exist, the editor will open with an empty file.
if [ -f "${DOAS_CONF}" ]
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
if [ -r "${DOAS_CONF}" ]
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
cp "${DOAS_CONF}" "${tmp_doas}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
die "Cannot read ${DOAS_CONF}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
fi
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Link the temporary file to the lock file.
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
if ln "${tmp_doas}" "${doas_lock_file}"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
set_trap_rm "${tmp_doas}" "${tmp_test_ln}" "${doas_lock_file}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
die "${DOAS_CONF} is already locked"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
fi
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Some versions of vi(1) exit with a code that reflects the number of
# editing errors made. This is why we ignore the exit code from the
# editor.
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
"${EDITOR:-vi}" "${tmp_doas}" || true
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
while ! doas -C "${tmp_doas}"
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
do
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
warn "Press enter to edit doas.conf again to fix it,"
warn "or interrupt ($(get_intr)) to cancel."
read status
"${EDITOR:-vi}" "${tmp_doas}" || true
Added a new shell script called vidoas. This script creates a temporary version of the doas.conf file. Then allows the user to edit it. The new configuration file is checked for syntax and then, if it passes, is installed on the system. If the syntax check fails the user is asked to fix any errors.
2020-08-07 21:18:40 +00:00
done
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
# Use mv(1) to rename the temporary file to doas.conf as it is atomic.
# This avoids any problems from another process reading doas.conf while
# it is being written.
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
if [ -s "${tmp_doas}" ]
then
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
if cmp -s "${tmp_doas}" "${DOAS_CONF}"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
then
warn "No changes made"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
warn "${DOAS_CONF} unchanged"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
else
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
mv "${tmp_doas}" "${DOAS_CONF}" \
&& warn "${DOAS_CONF} updated"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
else
warn "Not installing an empty doas.conf file"
Install doas.conf safely. Define DOAS_CONF only once. - Use mv(1) to install doas.conf to avoid writing a configuration file while other processes might be reading it. - Define the DOAS_CONF path once in Makefile and pass that to the substitutions instead of recreating the full path independently in multiple files. - Add a separate rule for building the doas binary, instead of creating it in the "all" target. This avoids some unnecessary re-linking.
2020-11-08 22:12:50 +00:00
warn "${DOAS_CONF} unchanged"
vidoas: Address security concerns and improve some behaviour I'm not claiming this script is now safe. It would certainly benefit from additional review. I do think (and hope) that I did not make things worse, at least. It might be better to look at vipw(8) or visudo(8), which both are written in C, for prior art on how to do this kind of thing securely. Security changes: - Exit on errors and if referencing unset variables. - Set PATH so that we don't run unintended commands from the PATH that is in the caller's environment. - Set umask to prevent other users from having write access to the temporary files. - Use /var/tmp instead of /tmp, as /tmp is not shared between users on all systems. (So trying to install a file from /tmp as root would not find the file, if the user running vidoas is not root.) XXX: Using /var/tmp does not guarantee this either, but is more likely to work. - Create a temporary file for editing and use ln(1) to acquire the lock. This addresses a race condition between checking for the lock file and creating it. - Use "install -r" to avoid a truncated doas.conf from existing as would happen with cp (or install without the "-r" option). XXX: "install -r" is not portable. - Use "install -m" to set the mode of the installed doas.conf file. Changes to user experience: - Don't check for executability of ${EDITOR} as it is not required to be an absolute path to the executable. - Don't install an unchanged doas.conf file. - Don't install an empty doas.conf file. - The above two checks result in a no-op in the case that ${EDITOR} could not be run. - Present the user with a choice of fixing errors or canceling changes. - Output diagnostic messages to stderr (just like other tools do, e.g. doas, ln, and cp). TODO: - Avoid using hard-coded paths (/usr/local/bin and /usr/local/etc). They should be replaced with @PREFIX@/bin and @SYSCONFDIR@ before installing.
2020-10-22 08:23:56 +00:00
fi
Reference in a new issue Copy permalink