authorGuilhem Moulin <guilhem@fripost.org>2015-10-28 18:42:15 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-10-28 18:42:15 +0100
commitdb3f3df89acc33740af35b4860b23aebce6aff62 (patch)
treea4d121cd95ea208be1dffff4b41febbd3e13dadd
parent3ee71788fc14b245f46d85c14d7f9917227434bb (diff)
genkeypair: use install(1) for atomic file creation with permission mode.
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rwxr-xr-xroles/common/files/usr/local/bin/gendhparam.sh4
-rwxr-xr-xroles/common/files/usr/local/bin/genkeypair.sh22
3 files changed, 13 insertions, 15 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index aff0e58..5b7143f 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -42,7 +42,7 @@
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
--usage=digitalSignature,keyEncipherment,keyCertSign
-t rsa -b 4096 -h sha256
- --chown="root:openldap" --chmod=0640
+ --owner=root --group=openldap --mode=0640
register: r2
changed_when: r2.rc == 0
failed_when: r2.rc > 1
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
index 074986b..84b7d56 100755
--- a/roles/common/files/usr/local/bin/gendhparam.sh
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -7,7 +7,5 @@ privkey="$1"
bits="${2:-2048}"
rand=
-mv -f "$(mktemp)" "$privkey"
-chmod og-rwx "$privkey"
-
+install --mode=0600 /dev/null "$privkey"
openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey"
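Review bot: Neither the new `install` line nor the `openssl dhparam` redirection after it checks its exit status, so if `install` fails the `>"$privkey"` redirection creates the file itself with whatever mode the umask gives it, which is exactly the exposure the commit sets out to remove. The genkeypair.sh hunk in this same commit appends `|| exit 2` to both commands; unless gendhparam.sh runs under `set -e` (the shebang and any `set` line are outside this hunk), the same `install --mode=0600 /dev/null "$privkey" || exit 2` and `openssl dhparam ... >"$privkey" || exit 2` would be appropriate here. The long `--mode=` option is GNU coreutils syntax; `-m 0600` is the spelling BSD install also accepts, should portability ever matter.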
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index 5bf67f2..fac8ff2 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -35,8 +35,9 @@ dns=
ou=
cn=
usage=
-chmod=
-chown=
+mode=
+owner=
+group=
rand=
usage() {
@@ -60,10 +61,11 @@ usage() {
2: overwrite both keys if they exist)
--config: configuration file
--pubkey: public key file (default: pubkey.pem)
- --privkey: private key file (default: privkey.pem; created with og-rwx)
+ --privkey: private key file (default: privkey.pem)
--usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign)
- --chmod: chmod the private key
- --chown: chown the private key
+ --mode: set privkey's permission mode (default: 0600)
+ --owner: set privkey's owner (default: the process' current owner)
+ --group: set privkey's group (default: the process' current group)
Return values:
0 The key pair was successfully generated
@@ -115,8 +117,9 @@ while [ $# -gt 0 ]; do
--usage=?*) usage="${usage:+$usage,}${1#--usage=}";;
--config=?*) dns="${1#--config=}";;
- --chmod=?*) chmod="${1#--chmod=}";;
- --chown=?*) chown="${1#--chown=}";;
+ --mode=?*) mode="${1#--mode=}";;
+ --owner=?*) owner="${1#--owner=}";;
+ --group=?*) group="${1#--group=}";;
--help) usage; exit;;
*) echo "Unrecognized argument: $1" >&2; exit 2
@@ -181,10 +184,7 @@ if [ -s "$privkey" -a $force -eq 0 ]; then
[ "$cmd" = dkim ] && dkiminfo
exit 1
elif [ ! -s "$privkey" -o $force -ge 2 ]; then
- # Ensure "$privkey" is created with umask 0077
- mv -f "$(mktemp)" "$privkey" || exit 2
- chmod "${chmod:-og-rwx}" "$privkey" || exit 2
- [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
+ install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2
openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
[ "$cmd" = dkim ] && { dkiminfo; exit; }
fi
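Review bot: The new `install` line drops the comment that explained why the private key file must exist with restrictive permissions before `openssl` writes to it, so the purpose of copying `/dev/null` is no longer stated; I'd restore it as `# Create $privkey with its final mode/ownership first, so the key is never exposed via umask-derived permissions while openssl writes it`. The `${owner:+--owner="$owner"}` and `${group:+--group="$group"}` expansions are intentionally unquoted so an empty value contributes no argument; dash and bash honour the inner quotes, but ShellCheck is likely to flag them (SC2086), so a `# shellcheck disable=SC2086` line with that rationale would save the next reader a detour. `${mode:-0600}` is handed to install unvalidated, as the previous `chmod "${chmod:-og-rwx}"` was, so a permissive `--mode` value remains the caller's responsibility.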