summaryrefslogtreecommitdiffstats
path: root/modsign.cxx
diff options
context:
space:
mode:
Diffstat (limited to 'modsign.cxx')
-rw-r--r--modsign.cxx268
1 files changed, 26 insertions, 242 deletions
diff --git a/modsign.cxx b/modsign.cxx
index 1fc4ef32..0965b923 100644
--- a/modsign.cxx
+++ b/modsign.cxx
@@ -43,243 +43,6 @@ extern "C" {
using namespace std;
-/* Function: int check_cert_db_permissions (const string &cert_db_path);
- *
- * Check that the given certificate directory and its contents have
- * the correct permissions.
- *
- * Returns 0 if there is an error, 1 otherwise.
- */
-static int
-check_cert_file_permissions (
- const string &cert_file,
- uid_t euid,
- const struct passwd *pw
-) {
- struct stat info;
- int rc;
-
- rc = stat (cert_file.c_str (), & info);
- if (rc)
- {
- cerr << "Could not obtain information on certificate file " << cert_file << "." << endl;
- perror ("");
- return 0;
- }
-
- rc = 1; // ok
-
-#if 0 // these checks are probably overkill
- // We must be the owner of the file.
- if (info.st_uid != euid)
- {
- cerr << "Certificate file " << cert_file << " must be owned by "
- << pw->pw_name << endl;
- rc = 0;
- }
-
- // Check the access permissions of the file
- if ((info.st_mode & S_IRUSR) == 0)
- cerr << "Certificate file " << cert_file << " should be readable by the owner" << "." << endl;
- if ((info.st_mode & S_IWUSR) == 0)
- cerr << "Certificate file " << cert_file << " should be writeable by the owner" << "." << endl;
- if ((info.st_mode & S_IXUSR) != 0)
- {
- cerr << "Certificate file " << cert_file << " must not be executable by the owner" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IRGRP) == 0)
- cerr << "Certificate file " << cert_file << " should be readable by the group" << "." << endl;
- if ((info.st_mode & S_IWGRP) != 0)
- {
- cerr << "Certificate file " << cert_file << " must not be writable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXGRP) != 0)
- {
- cerr << "Certificate file " << cert_file << " must not be executable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IROTH) == 0)
- cerr << "Certificate file " << cert_file << " should be readable by others" << "." << endl;
- if ((info.st_mode & S_IWOTH) != 0)
- {
- cerr << "Certificate file " << cert_file << " must not be writable by others" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXOTH) != 0)
- {
- cerr << "Certificate file " << cert_file << " must not be executable by others" << "." << endl;
- rc = 0;
- }
-#endif // these checks are probably overkill
-
-
- return rc;
-}
-
-/* Function: int check_cert_db_permissions (const string &cert_db_path);
- *
- * Check that the given certificate directory and its contents have
- * the correct permissions.
- *
- * Returns 0 if there is an error, 1 otherwise.
- */
-static int
-check_db_file_permissions (
- const string &cert_db_file,
- uid_t euid,
- const struct passwd *pw
-) {
- struct stat info;
- int rc;
-
- rc = stat (cert_db_file.c_str (), & info);
- if (rc)
- {
- cerr << "Could not obtain information on certificate database file " << cert_db_file << "." << endl;
- perror ("");
- return 0;
- }
-
- rc = 1; // ok
-
-#if 0 // these checks are probably overkill
- // We must be the owner of the file.
- if (info.st_uid != euid)
- {
- cerr << "Certificate database file " << cert_db_file << " must be owned by "
- << pw->pw_name << endl;
- rc = 0;
- }
-
- // Check the access permissions of the file
- if ((info.st_mode & S_IRUSR) == 0)
- cerr << "Certificate database file " << cert_db_file << " should be readable by the owner" << "." << endl;
- if ((info.st_mode & S_IWUSR) == 0)
- cerr << "Certificate database file " << cert_db_file << " should be writeable by the owner" << "." << endl;
- if ((info.st_mode & S_IXUSR) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be executable by the owner" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IRGRP) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be readable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IWGRP) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be writable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXGRP) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be executable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IROTH) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be readable by others" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IWOTH) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be writable by others" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXOTH) != 0)
- {
- cerr << "Certificate database file " << cert_db_file << " must not be executable by others" << "." << endl;
- rc = 0;
- }
-#endif // these checks are probably overkill
-
- return rc;
-}
-
-/* Function: int check_cert_db_permissions (const string &cert_db_path);
- *
- * Check that the given certificate directory and its contents have
- * the correct permissions.
- *
- * Returns 0 if there is an error, 1 otherwise.
- */
-static int
-check_cert_db_permissions (const string &cert_db_path) {
- struct stat info;
- const struct passwd *pw;
- uid_t euid;
- int rc;
-
- rc = stat (cert_db_path.c_str (), & info);
- if (rc)
- {
- cerr << "Could not obtain information on certificate database directory " << cert_db_path << "." << endl;
- perror ("");
- return 0;
- }
-
- rc = 1; // ok
-
- // We must be the owner of the database.
- euid = geteuid ();
- pw = getpwuid (euid);
-#if 0 // these checks are probably overkill
- if (! pw)
- {
- cerr << "Unable to obtain current user information which checking certificate database "
- << cert_db_path << endl;
- perror ("");
- return 0;
- }
- if (info.st_uid != euid)
- {
- cerr << "Certificate database " << cert_db_path << " must be owned by "
- << pw->pw_name << endl;
- rc = 0;
- }
-
- // Check the database directory access permissions
- if ((info.st_mode & S_IRUSR) == 0)
- cerr << "Certificate database " << cert_db_path << " should be readable by the owner" << "." << endl;
- if ((info.st_mode & S_IWUSR) == 0)
- cerr << "Certificate database " << cert_db_path << " should be writeable by the owner" << "." << endl;
- if ((info.st_mode & S_IXUSR) == 0)
- cerr << "Certificate database " << cert_db_path << " should be searchable by the owner" << "." << endl;
- if ((info.st_mode & S_IRGRP) == 0)
- cerr << "Certificate database " << cert_db_path << " should be readable by the group" << "." << endl;
- if ((info.st_mode & S_IWGRP) != 0)
- {
- cerr << "Certificate database " << cert_db_path << " must not be writable by the group" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXGRP) == 0)
- cerr << "Certificate database " << cert_db_path << " should be searchable by the group" << "." << endl;
- if ((info.st_mode & S_IROTH) == 0)
- cerr << "Certificate database " << cert_db_path << " should be readable by others" << "." << endl;
- if ((info.st_mode & S_IWOTH) != 0)
- {
- cerr << "Certificate database " << cert_db_path << " must not be writable by others" << "." << endl;
- rc = 0;
- }
- if ((info.st_mode & S_IXOTH) == 0)
- cerr << "Certificate database " << cert_db_path << " should be searchable by others" << "." << endl;
-#endif // these checks are probably overkill
-
- // Now check the permissions of the critical files.
- rc &= check_db_file_permissions (cert_db_path + "/cert8.db", euid, pw);
- rc &= check_db_file_permissions (cert_db_path + "/key3.db", euid, pw);
- rc &= check_db_file_permissions (cert_db_path + "/secmod.db", euid, pw);
- rc &= check_db_file_permissions (cert_db_path + "/pw", euid, pw);
- rc &= check_cert_file_permissions (cert_db_path + "/stap.cert", euid, pw);
-
- if (rc == 0)
- cerr << "Unable to use certificate database " << cert_db_path << " due to errors" << "." << endl;
-
- return rc;
-}
-
/* Function: int init_cert_db_path (const string &cert_db_path);
*
* Initialize a certificate database at the given path.
@@ -329,7 +92,7 @@ check_cert_db_path (const string &cert_db_path) {
PR_Delete (fname.c_str ());
}
- return check_cert_db_permissions (cert_db_path);
+ return 1; // ok
}
/* Function: char * password_callback()
@@ -508,6 +271,8 @@ main(int argc, char **argv)
CERTCertificate *cert;
SECKEYPrivateKey *privKey;
SECStatus secStatus;
+ const char *stap_dir;
+ struct passwd *pwd;
if (argc < 2) {
cerr << "Module name was not specified." << endl;
@@ -515,11 +280,30 @@ main(int argc, char **argv)
}
module_name = argv[1];
- if (argc < 3) {
- cerr << "Certificate database path was not specified." << endl;
- return 1;
+ if (argc >= 3)
+ cert_db_path = argv[2];
+ else {
+ // Use the default database for this user.
+ if (geteuid () == 0)
+ cert_db_path = SYSCONFDIR "/systemtap/ssl/server";
+ else {
+ stap_dir = getenv ("SYSTEMTAP_DIR");
+ if (stap_dir == NULL) {
+ stap_dir = getenv("HOME");
+ if (stap_dir == NULL) {
+ pwd = getpwuid(getuid());
+ if (pwd)
+ stap_dir = pwd->pw_dir;
+ else {
+ cerr << "Unable to determine the certificate database path." << endl;
+ return 1;
+ }
+ }
+ }
+ cert_db_path = stap_dir;
+ cert_db_path += "/.systemtap/ssl/server";
+ }
}
- cert_db_path = argv[2];
if (! check_cert_db_path (cert_db_path))
return 1;
generated by cgit (git 2.34.1) at 2025-08-02 23:37:37 +0000