authorFlorian Dold <florian@dold.me>2021-07-29 13:04:55 +0200
committerFlorian Dold <florian@dold.me>2021-07-29 13:04:55 +0200
commit036d4cb71ac1abe1990c936ee1f3b2cbf15d14c1 (patch)
tree5af2eb2adb5d6a71746b1781920cacc0ed30e5c6
parentdae09f1a43b58778b01f4bb436504ee2fe8f5357 (diff)
secmod: services create their own client dirs with correct permissions
-rw-r--r--src/util/crypto_helper_denom.c27
-rw-r--r--src/util/crypto_helper_esign.c25
-rw-r--r--src/util/taler-exchange-secmod-eddsa.c39
-rw-r--r--src/util/taler-exchange-secmod-eddsa.conf3
-rw-r--r--src/util/taler-exchange-secmod-rsa.c39
-rw-r--r--src/util/taler-exchange-secmod-rsa.conf5
6 files changed, 116 insertions, 22 deletions
diff --git a/src/util/crypto_helper_denom.c b/src/util/crypto_helper_denom.c
index bd9802d2f..2cc140c8e 100644
--- a/src/util/crypto_helper_denom.c
+++ b/src/util/crypto_helper_denom.c
@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
- "PATHS",
- "TALER_RUNTIME_DIR",
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR",
&tmpdir))
{
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
- "PATHS",
- "TALER_RUNTIME_DIR");
- tmpdir = GNUNET_strdup ("/tmp");
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR");
+ return NULL;
}
GNUNET_asprintf (&template,
- "%s/crypto-rsa-client/cli",
+ "%s/cli",
tmpdir);
- GNUNET_free (tmpdir);
+ /* We expect the service to create the client directory */
if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (template))
+ GNUNET_DISK_directory_test (tmpdir,
+ GNUNET_YES))
{
- GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
- "mkdir",
- template);
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to read secmod client directory (%s)\n",
+ tmpdir);
GNUNET_free (dh);
GNUNET_free (template);
+ GNUNET_free (tmpdir);
return NULL;
}
+ GNUNET_free (tmpdir);
dh->template = template;
if (strlen (template) >= sizeof (dh->sa.sun_path))
{
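Review bot: The new missing-config branch returns NULL without releasing `dh`, whereas the parallel branch in crypto_helper_esign.c was given `GNUNET_free (esh);` in this same commit. Assuming `dh` is already allocated at this point, as the `GNUNET_free (dh);` in the directory-test failure path further down suggests, every call with `CLIENT_DIR` unset leaks the handle. Add `GNUNET_free (dh);` before that `return NULL;` so both helpers clean up the same way. TALER_CRYPTO_helper_denom_connect starts and ends outside the hunk, so the allocation itself is not visible here.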
diff --git a/src/util/crypto_helper_esign.c b/src/util/crypto_helper_esign.c
index a1fb9319d..d5baa9348 100644
--- a/src/util/crypto_helper_esign.c
+++ b/src/util/crypto_helper_esign.c
@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (cfg,
- "PATHS",
- "TALER_RUNTIME_DIR",
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR",
&tmpdir))
{
- GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
- "PATHS",
- "TALER_RUNTIME_DIR");
- tmpdir = GNUNET_strdup ("/tmp");
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR");
+ GNUNET_free (esh);
+ return NULL;
}
GNUNET_asprintf (&template,
- "%s/crypto-eddsa-client/cli",
+ "%s/cli",
tmpdir);
- GNUNET_free (tmpdir);
+ /* We expect the service to create the client directory */
if (GNUNET_OK !=
- GNUNET_DISK_directory_create_for_file (template))
+ GNUNET_DISK_directory_test (tmpdir,
+ GNUNET_YES))
{
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Unable to read secmod client directory (%s)\n",
+ tmpdir);
GNUNET_free (esh);
GNUNET_free (template);
+ GNUNET_free (tmpdir);
return NULL;
}
+ GNUNET_free (tmpdir);
esh->template = template;
if (strlen (template) >= sizeof (esh->sa.sun_path))
{
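Review bot: The added `GNUNET_DISK_directory_test (tmpdir, GNUNET_YES)` only establishes that the directory exists and is readable, but the `%s/cli` template that follows is presumably used to create the client's socket inside it, which needs write and search permission. A client that can read the directory but not write to it passes this check and fails later with a less direct error. Either test what is actually needed, e.g. `if (0 != access (tmpdir, W_OK | X_OK))`, or extend the comment to `/* We expect the service to create the client directory; we only check that it exists, bind() reports missing write access */`. The same check and message appear in the crypto_helper_denom.c hunk. The function body continues outside the hunk.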
diff --git a/src/util/taler-exchange-secmod-eddsa.c b/src/util/taler-exchange-secmod-eddsa.c
index ac4bfc61b..48dcdf718 100644
--- a/src/util/taler-exchange-secmod-eddsa.c
+++ b/src/util/taler-exchange-secmod-eddsa.c
@@ -1522,6 +1522,45 @@ run (void *cls,
return;
}
+ /* Create client directory and set permissions. */
+ {
+ char *client_dir;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR",
+ &client_dir))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-eddsa",
+ "CLIENT_DIR");
+ global_ret = 3;
+ return;
+ }
+
+ if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't create client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+ /* Set sticky group bit, so that clients will be writeable by the current service. */
+ if (0 != chmod (client_dir,
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't set permissions for client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+
+ GNUNET_free (client_dir);
+ }
+
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-eddsa",
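Review bot: The mode given to `chmod ()` in the added block works out to 02750, which grants the group read and search but not write, and the bit it sets is set-group-ID (`S_ISGID`), not the sticky bit (`S_ISVTX`) that the comment names. If clients run under a different user that only shares the group, they likely cannot create their socket in this directory; confirm the intended deployment and either add `S_IWGRP` or reword the comment to `/* Set-group-ID: entries created here inherit the directory's group; only the owner may create entries. */`. Separately, `GNUNET_DISK_directory_create` presumably succeeds on a path that already exists and `chmod ()` follows symlinks, so where `$TALER_RUNTIME_DIR` is a shared location it is worth verifying that the directory is owned by the service before trusting it. The identical block in the taler-exchange-secmod-rsa.c hunk has the same mode and comment. `run ()` starts and ends outside the hunk.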
diff --git a/src/util/taler-exchange-secmod-eddsa.conf b/src/util/taler-exchange-secmod-eddsa.conf
index 8a171353d..8227c908f 100644
--- a/src/util/taler-exchange-secmod-eddsa.conf
+++ b/src/util/taler-exchange-secmod-eddsa.conf
@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
+
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key
diff --git a/src/util/taler-exchange-secmod-rsa.c b/src/util/taler-exchange-secmod-rsa.c
index 3c1f81c26..1307b8f45 100644
--- a/src/util/taler-exchange-secmod-rsa.c
+++ b/src/util/taler-exchange-secmod-rsa.c
@@ -1896,6 +1896,45 @@ run (void *cls,
return;
}
+ /* Create client directory and set permissions. */
+ {
+ char *client_dir;
+
+ if (GNUNET_OK !=
+ GNUNET_CONFIGURATION_get_value_filename (kcfg,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR",
+ &client_dir))
+ {
+ GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+ "taler-exchange-secmod-rsa",
+ "CLIENT_DIR");
+ global_ret = 3;
+ return;
+ }
+
+ if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't create client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+ /* Set sticky group bit, so that clients will be writeable by the current service. */
+ if (0 != chmod (client_dir,
+ S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+ "Can't set permissions for client directory (%s)\n",
+ client_dir);
+ global_ret = 3;
+ return;
+ }
+
+ GNUNET_free (client_dir);
+ }
+
if (GNUNET_OK !=
GNUNET_CONFIGURATION_get_value_filename (kcfg,
"taler-exchange-secmod-rsa",
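Review bot: When `chmod ()` fails in the added block, the log line omits errno, so an operator cannot tell a directory owned by another user (EPERM) from one that vanished (ENOENT). `GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR, "chmod", client_dir);` would record the cause. The create-failure and chmod-failure returns also skip `GNUNET_free (client_dir);`, which is probably harmless if the process exits after `global_ret = 3` but is inconsistent with the success path. Both points apply equally to the block in the taler-exchange-secmod-eddsa.c hunk. `run ()` starts and ends outside the hunk.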
diff --git a/src/util/taler-exchange-secmod-rsa.conf b/src/util/taler-exchange-secmod-rsa.conf
index f9a6c7d1f..c653fa4f4 100644
--- a/src/util/taler-exchange-secmod-rsa.conf
+++ b/src/util/taler-exchange-secmod-rsa.conf
@@ -13,8 +13,11 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
# Where does the helper listen for requests?
UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
+
# Where should the security module store it's private key?
SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key
# For how long into the future do we pre-generate keys?
-LOOKAHEAD_SIGN = 1 year \ No newline at end of file
+LOOKAHEAD_SIGN = 1 year