diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2015-10-28 18:42:15 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-10-28 18:42:15 +0100 |
commit | db3f3df89acc33740af35b4860b23aebce6aff62 (patch) | |
tree | a4d121cd95ea208be1dffff4b41febbd3e13dadd | |
parent | 3ee71788fc14b245f46d85c14d7f9917227434bb (diff) |
genkeypair: use install(1) for atomic file creation with permission mode.
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 2 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/gendhparam.sh | 4 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 22 |
3 files changed, 13 insertions, 15 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index aff0e58..5b7143f 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -42,7 +42,7 @@ --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment,keyCertSign -t rsa -b 4096 -h sha256 - --chown="root:openldap" --chmod=0640 + --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 failed_when: r2.rc > 1 diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh index 074986b..84b7d56 100755 --- a/roles/common/files/usr/local/bin/gendhparam.sh +++ b/roles/common/files/usr/local/bin/gendhparam.sh @@ -7,7 +7,5 @@ privkey="$1" bits="${2:-2048}" rand= -mv -f "$(mktemp)" "$privkey" -chmod og-rwx "$privkey" - +install --mode=0600 /dev/null "$privkey" openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey" diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 5bf67f2..fac8ff2 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -35,8 +35,9 @@ dns= ou= cn= usage= -chmod= -chown= +mode= +owner= +group= rand= usage() { @@ -60,10 +61,11 @@ usage() { 2: overwrite both keys if they exist) --config: configuration file --pubkey: public key file (default: pubkey.pem) - --privkey: private key file (default: privkey.pem; created with og-rwx) + --privkey: private key file (default: privkey.pem) --usage: key usage (default: digitalSignature,keyEncipherment,keyCertSign) - --chmod: chmod the private key - --chown: chown the private key + --mode: set privkey's permission mode (default: 0600) + --owner: set privkey's owner (default: the process' current owner) + --group: set privkey's group (default: the process' current group) Return values: 0 The key pair was successfully generated @@ -115,8 +117,9 @@ while [ $# -gt 0 ]; do --usage=?*) usage="${usage:+$usage,}${1#--usage=}";; --config=?*) dns="${1#--config=}";; - --chmod=?*) chmod="${1#--chmod=}";; - --chown=?*) chown="${1#--chown=}";; + --mode=?*) mode="${1#--mode=}";; + --owner=?*) owner="${1#--owner=}";; + --group=?*) group="${1#--group=}";; --help) usage; exit;; *) echo "Unrecognized argument: $1" >&2; exit 2 @@ -181,10 +184,7 @@ if [ -s "$privkey" -a $force -eq 0 ]; then [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then - # Ensure "$privkey" is created with umask 0077 - mv -f "$(mktemp)" "$privkey" || exit 2 - chmod "${chmod:-og-rwx}" "$privkey" || exit 2 - [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 + install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi |