void Ssu::storeAuthorizedKeys(QByteArray data){
QDir dir;
SsuLog *ssuLog = SsuLog::instance();
int uid_min = getdef_num("UID_MIN", -1);
QString homePath;
if (getuid() >= uid_min){
homePath = dir.homePath();
} else if (getuid() == 0){
// place authorized_keys in the default users home when run with uid0
struct passwd *pw = getpwuid(uid_min);
if (pw == NULL){
ssuLog->print(LOG_DEBUG, QString("Unable to find password entry for uid %1")
.arg(uid_min));
return;
}
//homePath = QString(pw->pw_dir);
homePath = pw->pw_dir;
// use users uid/gid for creating the directories and files
setegid(pw->pw_gid);
seteuid(uid_min);
ssuLog->print(LOG_DEBUG, QString("Dropping to %1/%2 for writing authorized keys")
.arg(uid_min)
.arg(pw->pw_gid));
} else
return;
homePath = Sandbox::map(homePath);
if (dir.exists(homePath + "/.ssh/authorized_keys")){
ssuLog->print(LOG_DEBUG, QString(".ssh/authorized_keys already exists in %1")
.arg(homePath));
restoreUid();
return;
}
if (!dir.exists(homePath + "/.ssh"))
if (!dir.mkdir(homePath + "/.ssh")){
ssuLog->print(LOG_DEBUG, QString("Unable to create .ssh in %1")
.arg(homePath));
restoreUid();
return;
}
QFile::setPermissions(homePath + "/.ssh",
QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
QFile authorizedKeys(homePath + "/.ssh/authorized_keys");
authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate);
authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);
QTextStream out(&authorizedKeys);
out << data;
out.flush();
authorizedKeys.close();
restoreUid();
}
void UrlResolverTest::checkStoreAuthorizedKeys(){
QVERIFY(QDir().mkpath(Sandbox::map(QDir::homePath())));
QByteArray testData("# test data\n");
ssu.storeAuthorizedKeys(testData);
QFile authorizedKeys(Sandbox::map(QDir::home().filePath(".ssh/authorized_keys")));
QVERIFY(authorizedKeys.open(QIODevice::ReadOnly));
QVERIFY(authorizedKeys.readAll().split('\n').contains(testData.trimmed()));
QByteArray testData2("# test data2\n");
ssu.storeAuthorizedKeys(testData2);
QEXPECT_FAIL("", "Ssu::storeAuthorizedKeys() does not modify existing authorized_keys", Continue);
authorizedKeys.seek(0);
QVERIFY(authorizedKeys.readAll().split('\n').contains(testData2.trimmed()));
const QFile::Permissions go_rwx =
QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup |
QFile::ReadOther | QFile::WriteOther | QFile::ExeOther;
QVERIFY((QFileInfo(Sandbox::map(QDir::home().filePath(".ssh"))).permissions() & go_rwx) == 0);
}
void Ssu::storeAuthorizedKeys(QByteArray data){
QDir dir;
// only set the key for unprivileged users
if (getuid() < 1000) return;
if (dir.exists(dir.homePath() + "/.ssh/authorized_keys"))
return;
if (!dir.exists(dir.homePath() + "/.ssh"))
if (!dir.mkdir(dir.homePath() + "/.ssh")) return;
QFile::setPermissions(dir.homePath() + "/.ssh",
QFile::ReadOwner | QFile::WriteOwner | QFile::ExeOwner);
QFile authorizedKeys(dir.homePath() + "/.ssh/authorized_keys");
authorizedKeys.open(QIODevice::WriteOnly | QIODevice::Text | QIODevice::Truncate);
authorizedKeys.setPermissions(QFile::ReadOwner | QFile::WriteOwner);
QTextStream out(&authorizedKeys);
out << data;
out.flush();
authorizedKeys.close();
}
