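/**
 * Store @p data as ~/.ssh/authorized_keys for the device's default user.
 *
 * When called by a regular user (uid >= UID_MIN) the file is written into that
 * user's home. When called as root, the home directory of the account with uid
 * UID_MIN is used and the effective gid/uid are switched to that account before
 * anything is created. Any other caller is ignored.
 *
 * An existing authorized_keys file is never modified. Failures are logged at
 * debug level and the function returns without writing anything.
 *
 * @param data content to write into the new authorized_keys file
 */
void Ssu::storeAuthorizedKeys(QByteArray data){
    QDir dir;
    SsuLog *ssuLog = SsuLog::instance();
    int uid_min = getdef_num("UID_MIN", -1);
    QString homePath;

    // -1 is the fallback passed to getdef_num() above. Handle it explicitly
    // instead of relying on the implicit int -> uid_t conversion in the
    // comparisons below.
    if (uid_min < 0){
        ssuLog->print(LOG_DEBUG,
                      QString("UID_MIN is not available, not writing authorized keys"));
        return;
    }
    const uid_t minUid = static_cast<uid_t>(uid_min);

    if (getuid() >= minUid){
        homePath = dir.homePath();
    } else if (getuid() == 0){
        // place authorized_keys in the default users home when run with uid0
        struct passwd *pw = getpwuid(minUid);
        if (pw == NULL){
            ssuLog->print(LOG_DEBUG,
                          QString("Unable to find password entry for uid %1")
                          .arg(uid_min));
            return;
        }

        homePath = pw->pw_dir;

        // Use the user's uid/gid for creating the directories and files.
        // Both calls must succeed: if either fails, the file operations below
        // would still run with root's effective ids inside a directory tree
        // the user controls, so stop here instead.
        // restoreUid() is defined elsewhere; every later exit path calls it,
        // so it is presumably what undoes a partial switch -- TODO confirm.
        if (setegid(pw->pw_gid) != 0 || seteuid(minUid) != 0){
            ssuLog->print(LOG_DEBUG,
                          QString("Unable to drop to %1/%2, not writing authorized keys")
                          .arg(uid_min)
                          .arg(pw->pw_gid));
            restoreUid();
            return;
        }
        ssuLog->print(LOG_DEBUG,
                      QString("Dropping to %1/%2 for writing authorized keys")
                      .arg(uid_min)
                      .arg(pw->pw_gid));
    } else
        return;

    homePath = Sandbox::map(homePath);

    // Never overwrite keys the user already has.
    if (dir.exists(homePath + "/.ssh/authorized_keys")){
        ssuLog->print(LOG_DEBUG,
                      QString(".ssh/authorized_keys already exists in %1")
                      .arg(homePath));
        restoreUid();
        return;
    }

    if (!dir.exists(homePath + "/.ssh"))
        if (!dir.mkdir(homePath + "/.ssh")){
            ssuLog->print(LOG_DEBUG,
                          QString("Unable to create .ssh in %1")
                          .arg(homePath));
            restoreUid();
            return;
        }

    // Owner-only access (0700) on the directory.
    QFile::setPermissions(homePath + "/.ssh",
                          QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);

    QFile authorizedKeys(homePath + "/.ssh/authorized_keys");
    // A failed open used to go unnoticed and the data was silently dropped.
    if (!authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate)){
        ssuLog->print(LOG_DEBUG,
                      QString("Unable to open .ssh/authorized_keys in %1 for writing")
                      .arg(homePath));
        restoreUid();
        return;
    }
    // Owner read/write only (0600) on the key file.
    authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);

    QTextStream out(&authorizedKeys);
    out << data;
    out.flush();
    authorizedKeys.close();

    restoreUid();
}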
/**
 * Exercises Ssu::storeAuthorizedKeys() inside the sandboxed home directory:
 * the first call must create authorized_keys with the given content, a second
 * call is expected not to change the existing file, and ~/.ssh must carry no
 * group/other permission bits afterwards.
 */
void UrlResolverTest::checkStoreAuthorizedKeys(){
    // The sandboxed home has to exist before anything can be stored in it.
    const QString sandboxedHome = Sandbox::map(QDir::homePath());
    QVERIFY(QDir().mkpath(sandboxedHome));

    // First call: the file does not exist yet, so the data must end up in it.
    QByteArray firstPayload("# test data\n");
    ssu.storeAuthorizedKeys(firstPayload);

    const QString keysPath =
        Sandbox::map(QDir::home().filePath(".ssh/authorized_keys"));
    QFile keysFile(keysPath);
    QVERIFY(keysFile.open(QIODevice::ReadOnly));
    QVERIFY(keysFile.readAll().split('\n').contains(firstPayload.trimmed()));

    // Second call: the file exists now, so the new data is expected to be
    // absent. Rewind first so the whole file is read again.
    QByteArray secondPayload("# test data2\n");
    ssu.storeAuthorizedKeys(secondPayload);
    keysFile.seek(0);

    QEXPECT_FAIL("", "Ssu::storeAuthorizedKeys() does not modify existing authorized_keys", Continue);
    QVERIFY(keysFile.readAll().split('\n').contains(secondPayload.trimmed()));

    // ~/.ssh must not be accessible to group or others.
    const QFile::Permissions groupBits =
        QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup;
    const QFile::Permissions otherBits =
        QFile::ReadOther | QFile::WriteOther | QFile::ExeOther;
    const QFile::Permissions go_rwx = groupBits | otherBits;

    const QString sshDirPath = Sandbox::map(QDir::home().filePath(".ssh"));
    const QFile::Permissions sshDirPerms = QFileInfo(sshDirPath).permissions();
    QVERIFY((sshDirPerms & go_rwx) == 0);
}
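/**
 * Store @p data as ~/.ssh/authorized_keys of the calling user.
 *
 * Nothing is written when the caller's uid is below 1000, when the file
 * already exists, when ~/.ssh cannot be created, or when the file cannot be
 * opened for writing. The function reports no error to the caller.
 *
 * @param data content to write into the new authorized_keys file
 */
void Ssu::storeAuthorizedKeys(QByteArray data){
    // only set the key for unprivileged users
    // NOTE(review): 1000 is a hard-coded threshold; presumably the first
    // regular-user uid on the target system -- confirm.
    if (getuid() < 1000) return;

    QDir dir;
    // Resolve the paths once instead of rebuilding them for every check.
    const QString sshDirPath = dir.homePath() + "/.ssh";
    const QString keysPath = sshDirPath + "/authorized_keys";

    // Never overwrite keys the user already has.
    if (dir.exists(keysPath)) return;

    if (!dir.exists(sshDirPath) && !dir.mkdir(sshDirPath)) return;

    // Owner-only access (0700) on the directory.
    QFile::setPermissions(sshDirPath,
                          QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);

    QFile authorizedKeys(keysPath);
    // A failed open used to go unnoticed: the permission change and the write
    // below were still attempted on a file that was not open.
    if (!authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate))
        return;
    // Owner read/write only (0600) on the key file.
    authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);

    QTextStream out(&authorizedKeys);
    out << data;
    out.flush();
    authorizedKeys.close();
}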