authorBrooks Davis <brooks@FreeBSD.org>2020-05-22 17:45:07 +0000
committerBrooks Davis <brooks@FreeBSD.org>2020-05-22 17:45:07 +0000
commit48e9fb855b021c07642b5393d9eff5704adfd98e (patch)
treeb3e13c7fbfa71c2b6b9ae1a877dfe184b7238680 /usr.sbin
parent71d11ee322d40dcbfc5a69dfa3e789e90d77c348 (diff)
Add an unprivileged mode where calls to install are passed appropriate
flags. For ease of integration, use the same flags as install: -U unprivileged mode -D <destdir> Specify DESTDIR (overrides the environment) -M <metalog> Full path to METALOG file Reviewed by: kevans Obtained from: CheriBSD Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D24932
Notes
Notes: svn path=/head/; revision=361397
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/certctl/certctl.813
-rwxr-xr-xusr.sbin/certctl/certctl.sh26
2 files changed, 28 insertions, 11 deletions
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
index 0a3e5ed3eb9a..08c4fbef3506 100644
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,7 +26,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd February 19, 2019
+.Dd May 22, 2020
.Dt CERTCTL 8
.Os
.Sh NAME
@@ -40,7 +40,9 @@
.Op Fl v
.Ic blacklisted
.Nm
-.Op Fl nv
+.Op Fl nUv
+.Op Fl D Ar destdir
+.Op Fl M Ar metalog
.Ic rehash
.Nm
.Op Fl nv
@@ -56,10 +58,17 @@ applications that use OpenSSL.
.Pp
Flags:
.Bl -tag -width 4n
+.It Fl D Ar destdir
+Specify the DESTDIR (overriding values from the environment).
+.It Fl M Ar metalog
+Specify the path of the METALOG file (default: $DESTDIR/METALOG).
.It Fl n
No-Op mode, do not actually perform any actions.
.It Fl v
be verbose, print details about actions before performing them.
+.It Fl U
+Unprivileged mode, do not change the ownership of created links.
+Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index 41d2cecf4645..e1360cb28bd3 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -30,10 +30,6 @@
############################################################ CONFIGURATION
: ${DESTDIR:=}
-: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
-: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"}
: ${VERBOSE:=0}
@@ -42,6 +38,7 @@
SCRIPTNAME="${0##*/}"
ERRORS=0
NOOP=0
+UNPRIV=0
############################################################ FUNCTIONS
@@ -69,7 +66,7 @@ create_trusted_link()
return 1
fi
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
- [ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
+ [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
}
create_blacklisted()
@@ -88,7 +85,7 @@ create_blacklisted()
return
fi
[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
- [ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+ [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
}
do_scan()
@@ -105,7 +102,7 @@ do_scan()
[ -d "$CPATH" ] || continue
echo "Scanning $CPATH for certificates..."
for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
- [ -e "$CPATH/$CFILE" ] || continue
+ [ -e "$CPATH/$CFILE" && $UNPRIV -eq 0 ] || continue
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
"$CFUNC" "$CPATH/$CFILE"
done
@@ -209,7 +206,7 @@ usage()
echo " List trusted certificates"
echo " $SCRIPTNAME [-v] blacklisted"
echo " List blacklisted certificates"
- echo " $SCRIPTNAME [-nv] rehash"
+ echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
echo " Generate hash links for all certificates"
echo " $SCRIPTNAME [-nv] blacklist <file>"
echo " Add <file> to the list of blacklisted certificates"
@@ -220,14 +217,25 @@ usage()
############################################################ MAIN
-while getopts nv flag; do
+while getopts D:M:nUv flag; do
case "$flag" in
+ D) DESTDIR=${OPTARG} ;;
+ M) METALOG=${OPTARG} ;;
n) NOOP=1 ;;
+ U) UNPRIV=1 ;;
v) VERBOSE=$(( $VERBOSE + 1 )) ;;
esac
done
shift $(( $OPTIND - 1 ))
+: ${METALOG:=${DESTDIR}/METALOG}
+INSTALLFLAGS=
+[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR}
+: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
+: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
+: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
+: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+
[ $# -gt 0 ] || usage
case "$1" in
list) cmd_list ;;
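Review bot: `INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR}` on the `[ $UNPRIV -eq 1 ] &&` line of the last hunk is parsed as the prefix assignment `INSTALLFLAGS=-U` applied to a command named `-M`, so the variable is never set in the script and the two `install ${INSTALLFLAGS} -lrs` calls in the earlier hunks run without the unprivileged flags while the shell reports a command-not-found error; the assignment needs quoting, `[ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"`. Even with that fixed, an empty DESTDIR (its default is `: ${DESTDIR:=}`) leaves `-D` with no operand after word splitting, so install would take the following `-lrs` as the destdir; append `-D ${DESTDIR}` only when DESTDIR is non-empty, or make the callers pass the options as separate quoted words. The do_scan hunk has a second problem: `[ -e "$CPATH/$CFILE" && $UNPRIV -eq 0 ]` is not valid test(1) syntax (`&&` terminates the `[` command before its closing `]`, so the test fails for every file), and even written with `-a` it would make `continue` fire for every certificate whenever -U is given, leaving an unprivileged rehash with no links at all; the original `[ -e "$CPATH/$CFILE" ] || continue` looks like what was intended, and the purpose of the extra UNPRIV check is not clear from the diff. do_scan begins before its hunk, so its loop header is not visible here.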