diff options
author | Jan Pokorný <jpokorny@redhat.com> | 2013-04-11 21:34:56 +0200 |
---|---|---|
committer | Jan Pokorný <jpokorny@redhat.com> | 2013-04-11 21:34:56 +0200 |
commit | 8b13e854030ad9d65c39a86f47f2647a1ddd4c19 (patch) | |
tree | 9396fb6c6ee99b8563a8f9f70fe681eb878edf58 /scripts/certs | |
parent | 21aa2db78f966e12df9721106ab6443ae0ca40f6 (diff) | |
download | dotfiles-8b13e854030ad9d65c39a86f47f2647a1ddd4c19.tar.gz dotfiles-8b13e854030ad9d65c39a86f47f2647a1ddd4c19.tar.xz dotfiles-8b13e854030ad9d65c39a86f47f2647a1ddd4c19.zip |
scripts/certs: more secure (umask), a bit more sanitized
Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Diffstat (limited to 'scripts/certs')
-rwxr-xr-x | scripts/certs/cert-check | 39 | ||||
-rwxr-xr-x | scripts/certs/cert-import | 33 |
2 files changed, 49 insertions, 23 deletions
diff --git a/scripts/certs/cert-check b/scripts/certs/cert-check index 09b1a0f..88a6fb2 100755 --- a/scripts/certs/cert-check +++ b/scripts/certs/cert-check @@ -14,14 +14,12 @@ # file descriptor sharing is suitable (stdin can be read only once, # generally, there is a race between the two?) # - wget vs. certificates? switch to curl? - -set -u -set +e +# - remove unneeded subshells? ( '()' -> '{}' ) CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt HOMEBUNDLE=~/.pki/tls/certs/ca-bundle.crt -#WGET="wget -nv --ca-certificate <(cat "${CA_BUNDLE}" "${HOMEBUNDLE}")" -WGET="wget -nv" +#WGET="wget -nv -U '' --ca-certificate <(cat "${CA_BUNDLE}" "${HOMEBUNDLE}")" +WGET="wget -nv -U ''" guess_inform() { case "{1##*.}" in @@ -74,8 +72,8 @@ cert_pick_url() { local port=${host#*:} [ "${port}" = "${machine}" ] && port=443 ( echo ">>> recursion" >&2 - main "${machine}" "${port}" \ - || main -nocrl "${machine}" "${port}" + cert_pick_check "${machine}" "${port}" \ + || cert_pick_check -nocrl "${machine}" "${port}" echo "<<< recursion" >&2 ) >&2 \ && ${WGET} --no-check-certificate "$1" -O- fi) | openssl x509 -inform "${inform}" @@ -131,16 +129,29 @@ colorize() { || cat ) | awk 'FNR == 1 { last=$1; while (getline) { print last; last=$0; } exit last}' } -pseudo_return() { - return $1 -} - -main() { +cert_pick_check() { local crl=1 [ "$1" = "-nocrl" ] && shift && crl=0 cert_pick "$@" | cert_check $crl } +setup() { + set -u + RESTOREUMASK=$(umask -p) + umask 077 +} + +teardown() { + ${RESTOREUMASK} + unset RESTOREUMASK + return $1 +} + [[ "${BASH_SOURCE[0]}" != "${0}" ]] || \ - ( [ $# -lt 1 ] && echo "usage: $0 [-nocrl] file-or-url-or-server [server-port=443]" \ - || ( main "$@"; echo $? ) |& colorize 1 && set +u || ( ret=$?; set +u; pseudo_return $ret )) + [ $# -lt 1 ] \ + && echo "usage: $0" \ + "[-nocrl] file-or-url-or-server [server-port=443]" \ + || ( setup + ( cert_pick_check "$@"; echo $? ) \ + |& colorize 1 + teardown $? ) diff --git a/scripts/certs/cert-import b/scripts/certs/cert-import index ecf8b76..7e23d32 100755 --- a/scripts/certs/cert-import +++ b/scripts/certs/cert-import @@ -4,10 +4,7 @@ # # jpokorny@redhat.com # -# TODO: fix exit code - -set -u -set +e +# TODO: fix exit code, remove unneeded subshells? ( '()' -> '{}' ) source cert-check @@ -40,18 +37,20 @@ cert_import_firefox() { } cert_import() { - local homebundle=0 firefox=0 mutt=0 crl=1 + local homebundle=0 firefox=0 mutt=0 crl=1 spec=0 while true; do case $1 in homebundle) homebundle=1;; firefox) firefox=1;; mutt) mutt=1;; all) homebundle=1; firefox=1; mutt=1;; - --) ;; - *) break;; + --|*) break;; esac + spec=1 shift done + [ $spec -eq 0 ] \ + && echo "run me without arguments to get usage help" && return [ "$1" = "-nocrl" ] && shift && crl=0 ( (cert_pick "$@" | cert_check $crl) \ @@ -62,8 +61,24 @@ cert_import() { ) |& colorize 1 } +setup() { + set -u + RESTOREUMASK=$(umask -p) + umask 077 +} + +teardown() { + ${RESTOREUMASK} + unset RESTOREUMASK + return $1 +} + [[ "${BASH_SOURCE[0]}" != "${0}" ]] || \ [ $# -lt 1 ] \ - && echo "usage: $0 (homebundle|mutt|firefox|all)* [-nocrl] file-or-server [port=443]" \ - || ( cert_import "$@" && set +u || ( ret=$?; set +u; pseudo_return $ret )) + && echo "usage: $0" \ + "(homebundle|mutt|firefox|all)*" \ + "[-nocrl] file-or-server [port=443]" \ + || ( setup + cert_import "$@" + teardown $? ) |