[taler-exchange] branch master updated: secmod: services create their ow
From: |
gnunet |
Subject: |
[taler-exchange] branch master updated: secmod: services create their own client dirs with correct permissions |
Date: |
Thu, 29 Jul 2021 13:04:59 +0200 |
This is an automated email from the git hooks/post-receive script.
dold pushed a commit to branch master
in repository exchange.
The following commit(s) were added to refs/heads/master by this push:
new 036d4cb7 secmod: services create their own client dirs with correct
permissions
036d4cb7 is described below
commit 036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1
Author: Florian Dold <florian@dold.me>
AuthorDate: Thu Jul 29 13:04:55 2021 +0200
secmod: services create their own client dirs with correct permissions
---
src/util/crypto_helper_denom.c | 27 +++++++++++----------
src/util/crypto_helper_esign.c | 25 +++++++++++++-------
src/util/taler-exchange-secmod-eddsa.c | 39 +++++++++++++++++++++++++++++++
src/util/taler-exchange-secmod-eddsa.conf | 3 +++
src/util/taler-exchange-secmod-rsa.c | 39 +++++++++++++++++++++++++++++++
src/util/taler-exchange-secmod-rsa.conf | 5 +++-
6 files changed, 116 insertions(+), 22 deletions(-)
diff --git a/src/util/crypto_helper_denom.c b/src/util/crypto_helper_denom.c
index bd9802d2..2cc140c8 100644
--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
- "PATHS",
- "TALER_RUNTIME_DIR",
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR",
&tmpdir))
{
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
- "PATHS",
- "TALER_RUNTIME_DIR");
- tmpdir = GNUNET_strdup ("/tmp");
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR");
+ return NULL;
}
GNUNET_asprintf (&template,
- "%s/crypto-rsa-client/cli",
+ "%s/cli",
tmpdir);
- GNUNET_free (tmpdir);
+ /* We expect the service to create the client directory */
if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (template))
+ GNUNET_DISK_directory_test (tmpdir,
+ GNUNET_YES))
{
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
- "mkdir",
- template);
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to read secmod client directory (%s)\n",
+ tmpdir);
GNUNET_free (dh);
GNUNET_free (template);
+ GNUNET_free (tmpdir);
return NULL;
}
+ GNUNET_free (tmpdir);
dh->template = template;
if (strlen (template) >= sizeof (dh->sa.sun_path))
{
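Review bot: The new early return for a missing `CLIENT_DIR` option leaks `dh`: that branch logs and then does `return NULL;` without `GNUNET_free (dh);`. The directory-test failure branch a few lines below frees the handle first, and so does the matching branch in crypto_helper_esign.c with `GNUNET_free (esh);`. Add `GNUNET_free (dh);` before that `return NULL;`. The allocation of `dh` is outside the hunk, so this is inferred from the later `GNUNET_free (dh)` on the other error path.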
diff --git a/src/util/crypto_helper_esign.c b/src/util/crypto_helper_esign.c
index a1fb9319..d5baa934 100644
--- a/src/util/crypto_helper_esign.c
+++ b/src/util/crypto_helper_esign.c
@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
- "PATHS",
- "TALER_RUNTIME_DIR",
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR",
&tmpdir))
{
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
- "PATHS",
- "TALER_RUNTIME_DIR");
- tmpdir = GNUNET_strdup ("/tmp");
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR");
+ GNUNET_free (esh);
+ return NULL;
}
GNUNET_asprintf (&template,
- "%s/crypto-eddsa-client/cli",
+ "%s/cli",
tmpdir);
- GNUNET_free (tmpdir);
+ /* We expect the service to create the client directory */
if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (template))
+ GNUNET_DISK_directory_test (tmpdir,
+ GNUNET_YES))
{
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to read secmod client directory (%s)\n",
+ tmpdir);
GNUNET_free (esh);
GNUNET_free (template);
+ GNUNET_free (tmpdir);
return NULL;
}
+ GNUNET_free (tmpdir);
esh->template = template;
if (strlen (template) >= sizeof (esh->sa.sun_path))
{
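Review bot: `GNUNET_DISK_directory_test (tmpdir, GNUNET_YES)` only establishes, as far as I know, that the path is a directory the caller can read and search, while the `sun_path` length check right after suggests the client creates a socket from `template` inside it and therefore also needs write permission. A directory the client can read but not write passes this test and would fail later with a less specific error; the same holds for the check in crypto_helper_denom.c. Consider wording the message as `"Secmod client directory (%s) missing or not accessible\n"` and extending the comment to `/* The service creates the client directory and sets its mode; we only verify it is usable */`. The socket creation itself is outside the hunk.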
diff --git a/src/util/taler-exchange-secmod-eddsa.c
b/src/util/taler-exchange-secmod-eddsa.c
index ac4bfc61..48dcdf71 100644
--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1522,6 +1522,45 @@ run (void *cls,
return;
}
+ /* Create client directory and set permissions. */
+ {
+ char *client_dir;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR",
+ &client_dir))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR");
+ global_ret = 3;
+ return;
+ }
+
+ if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't create client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+ /* Set sticky group bit, so that clients will be writeable by the current
service. */
+ if (0 != chmod (client_dir,
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't set permissions for client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+
+ GNUNET_free (client_dir);
+ }
+
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa",
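Review bot: The mode passed to `chmod` gives the group only `S_IRGRP | S_IXGRP`, so a client running as a different user in the service's group can list the directory but cannot create its socket there; if such clients are intended, the mask needs `S_IWGRP` too: `S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_ISGID`. The comment calls `S_ISGID` the "sticky group bit", but it is the set-group-ID bit (the sticky bit is `S_ISVTX`), and the comment should say that new entries inherit the directory's group. `GNUNET_DISK_directory_create` presumably succeeds when the directory already exists, so the `chmod` may be applied to a path the service did not create; checking type and owner with `lstat` first would be prudent if the runtime directory can be shared with other users. Both error returns after the lookup skip `GNUNET_free (client_dir)` and lose `errno`, which `GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "chmod", client_dir)` would preserve. The identical block added to taler-exchange-secmod-rsa.c has the same points, and `run` continues outside the hunk.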
diff --git a/src/util/taler-exchange-secmod-eddsa.conf
b/src/util/taler-exchange-secmod-eddsa.conf
index 8a171353..8227c908 100644
--- a/src/util/taler-exchange-secmod-eddsa.conf
+++ b/src/util/taler-exchange-secmod-eddsa.conf
@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
+
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key
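Review bot: The comment `# Directory for clients.` does not tell an operator what the option controls or who manages the directory. Something like `# Directory where clients of this security module place their sockets; created by the service, which also sets its mode (owner rwx, group r-x, set-group-ID).` would record the permission contract next to the setting, assuming the clients do create their sockets there. The same comment added to taler-exchange-secmod-rsa.conf could be expanded the same way.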
diff --git a/src/util/taler-exchange-secmod-rsa.c
b/src/util/taler-exchange-secmod-rsa.c
index 3c1f81c2..1307b8f4 100644
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -1896,6 +1896,45 @@ run (void *cls,
return;
}
+ /* Create client directory and set permissions. */
+ {
+ char *client_dir;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR",
+ &client_dir))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR");
+ global_ret = 3;
+ return;
+ }
+
+ if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't create client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+ /* Set sticky group bit, so that clients will be writeable by the current
service. */
+ if (0 != chmod (client_dir,
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't set permissions for client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+
+ GNUNET_free (client_dir);
+ }
+
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa",
diff --git a/src/util/taler-exchange-secmod-rsa.conf
b/src/util/taler-exchange-secmod-rsa.conf
index f9a6c7d1..c653fa4f 100644
--- a/src/util/taler-exchange-secmod-rsa.conf
+++ b/src/util/taler-exchange-secmod-rsa.conf
@@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
+
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key
# For how long into the future do we pre-generate keys?
-LOOKAHEAD_SIGN = 1 year
\ No newline at end of file
+LOOKAHEAD_SIGN = 1 year
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.