From b162d5cacde85999353afa87a4210c5b5d42ceab Mon Sep 17 00:00:00 2001
From: rhatto <rhatto>
Date: Fri, 6 Oct 2006 22:12:14 +0000
Subject: added permission checking on configuration (both local and global)
 and keyring files

---
 GUIDELINES |   1 +
 README     |  53 ++++++++++++++++++++++++--
 firma      | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++++--------
 3 files changed, 162 insertions(+), 19 deletions(-)

diff --git a/GUIDELINES b/GUIDELINES
index 801364f..a41e21f 100755
--- a/GUIDELINES
+++ b/GUIDELINES
@@ -131,6 +131,7 @@ In the future this procedure will be automatic.
    mkdir
    touch
    chmod
+   chown
    basename
    expect
    fold
diff --git a/README b/README
index e626415..69f9b5b 100755
--- a/README
+++ b/README
@@ -153,11 +153,40 @@ Setup
       user your MTA runs. If you run postfix, the user is specified by the
       main.cf parameter "default_privs".
 
-      We suggest you to use
+      we suggest you to use
 
        MAIL_AGENT=/usr/sbin/sendmail
        MAIL_AGENT_ARGS=-t
 
+      as optional parameters, you can also set
+
+       USER= user that runs firma (usually the same as your MTA user);
+             defaults to "nobody"; you can also specify this parameter
+             in each mailing list config file if you plan to have one
+             user per mailing list
+
+       GROUP= group that runs firma (usually the same as your MTA group);
+              defaults to "nogroup"; you can also specify this parameter
+              in each mailing list config file if you plan to have one
+              group per mailing list
+
+       LOG_TO_SYSLOG= set to "1" to log errors and warnings to syslog, else firma
+                      will print errors to STDERR
+
+       LOGGER_BINARY= if logging to syslog, set the path to logger's binary
+
+       SYSLOG_PRIORITY= if logging to syslog, set a priority for the error messages
+                        (defaults to "user.err")
+
+       USE_GPG_HIDDEN_RECIPIENT_OPTION= set to '1' to use GnuPG's --hidden-recipient
+                                        option, available from version 1.4.0 onwards
+                                        (try 'man gpg' for more information)
+
+       REMOVE_THESE_HEADERS_ON_ALL_LISTS= headers that should be stripped from list
+                                          messages on all lists running under firma
+                                          (space separated case-insensitive entries)
+                                          (may include regexps (e.g., X-.*)
+
  4 - then create your lists with the command
 
        firma -c your-list
@@ -174,6 +203,22 @@ Setup
      the owner of the config file and keyring should be nobody.nobody
      (or the user your MTA run as) and its permissions must be 600.
 
+     after it you can add some optional parameters on this list config file:
+
+       SUBJECT_PREFIX= prefix to be included in the subject of list messages
+
+       REMOVE_THESE_HEADERS= headers that should be stripped from list messages
+                             (space separated case-insensitive entries)
+                             (may include regexps (e.g., X-.*)
+
+       REPLIES_SHOULD_GO_TO_LIST= set to '1' to add a Reply-To header containing the
+                                  list address
+
+       SILENTLY_DISCARD_INVALID_MESSAGES= set to '1' to silently discard invalid
+                                          messages (message not signed/encrypted,
+                                          sender not subscribed to the list, etc.)
+                                          instead of sending bounces back to sender
+
  5 - create an alias to the list at your MTA; on sendmail or postfix,
      add this to your aliases file:
 
@@ -186,8 +231,8 @@ Setup
 
      alternatively, you can use a virtual ...
 
- 6 - admin tasks are performed through your-list-request@yourmachine or
-     via command-line:
+ 6 - admin tasks are performed through your-list-request@yourmachine (currently
+     not implemente) or via command-line:
 
        firma -a your-list
 
@@ -199,7 +244,7 @@ Setup
          subscribe key-id pubkey from file or keyserver (currently not
          implemented)
 
-       unsure email-address
+       unsub email-address
 
           unsubscribe all keys with email-address IDs (currently not
           implemented)
diff --git a/firma b/firma
index bfa05f9..c14f3f6 100755
--- a/firma
+++ b/firma
@@ -33,6 +33,14 @@
 #
 # And it may contain the following optional parameters:
 #
+# USER= user that runs firma (usually the same as your MTA user);
+#       defaults to "nobody"; you can also specify this parameter
+#       in each mailing list config file if you plan to have one
+#       user per mailing list
+# GROUP= group that runs firma (usually the same as your MTA group);
+#        defaults to "nogroup"; you can also specify this parameter
+#        in each mailing list config file if you plan to have one
+#        group per mailing list
 # LOG_TO_SYSLOG= set to "1" to log errors and warnings to syslog, else firma
 #                will print errors to STDERR
 # LOGGER_BINARY= if logging to syslog, set the path to logger's binary
@@ -175,6 +183,14 @@ WARNING: Setting LOG_TO_SYSLOG to '0'."
     fi
   fi
 
+  if [ -z "$USER" ]; then
+    USER="nobody"
+  fi
+
+  if [ -z "$GROUP" ]; then
+    GROUP="nobody"
+  fi
+
   return $return_code
 }
 
@@ -838,28 +854,28 @@ function NewList {
 
     echo "Creating folder $LIST_PATH..."
     if mkdir "$LIST_PATH"; then # || (echo "$(basename $0): error creating $LIST_PATH: installation aborted"; exit 1)
-      echo "creating list config file and will ask some questions."
+      echo "Creating list config file and will ask some questions."
 
     read -rep "  List keyring location: ("$LIST_PATH") " LIST_HOMEDIR
     LIST_HOMEDIR=${LIST_HOMEDIR:-"$LIST_PATH"}
 
-    # NAO USAR UTF-8 (VER DETAILS)
+    # Dont use UTF-8 (look at DETAILS)
     read -rep "  List email address: " LIST_ADDRESS
     read -rep "  List administrator(s) email address(es) (space delimited): " LIST_ADMIN
     read -rep "  List description (optional): " DESCRIPTION
     read -resp "  Passphrase to protect the list's secret key: " PASSPHRASE
 
-    # todo: key specs (size, expiry date...)
+    # TODO: key specs (size, expiry date...)
 
-    echo "creating your config..."
+    echo "Creating your config..."
     touch $LIST_CONFIG_FILE
-    chown root.root $LIST_CONFIG_FILE
     chmod 600 $LIST_CONFIG_FILE
+    chown $USER.$GROUP $LIST_CONFIG_FILE
     if [ -f "$LIST_CONFIG_FILE" ]; then
       DeclareGpgVars
       # removed: MAIL_AGENT=$MAIL_AGENT\nGPG_BINARY=$GPG_BINARY\n
-      echo -e "LIST_HOMEDIR=$LIST_HOMEDIR\nLIST_ADDRESS=$LIST_ADDRESS\nLIST_ADMIN=$LIST_ADMIN\nPASSPHRASE=$PASSPHRASE" > $LIST_CONFIG_FILE
-      echo "now generating your keyring..."
+      echo -e "LIST_HOMEDIR=\'$LIST_HOMEDIR\'\nLIST_ADDRESS=\'$LIST_ADDRESS\'\nLIST_ADMIN=\'$LIST_ADMIN\'\nPASSPHRASE=\'$PASSPHRASE\'" > $LIST_CONFIG_FILE
+      echo "Now generating your keyring..."
 
       $GPG --gen-key <<EOF
 
@@ -877,6 +893,8 @@ function NewList {
 
 EOF
 
+      chown -R $USER.$GROUP $LIST_HOMEDIR
+
     else
       echo "$(basename $0): cannot create $LIST_PATH: Installation aborted"
       return_code=1
@@ -888,7 +906,7 @@ EOF
     return_code=1
   fi
 
-  return return_code
+  return $return_code
 }
 
 
@@ -1040,6 +1058,68 @@ EOF
   return $return_code
 }
 
+
+function CheckPermission {
+  #-------------------------------------------------------------
+  # check if file has correct permissions (600) and also
+  # + if the file is owned by $USER
+  # +got the idea for this function from backupninja
+  #
+  # parameter(s): file name
+  # depends on function(s): none
+  # returns: 0 if file has correct permissions
+  #          1 if not, and also print a warning message
+  #-------------------------------------------------------------
+
+  local file="$1"
+  local perms="`ls -ld $file`"
+  perms=${perms:4:6}
+  if [ "$perms" != "------" ]; then
+    ERROR_MESSAGE="WARNING: Configuration files must not be group or world writable/readable! Dying on file $file"
+    echo $ERROR_MESSAGE
+    if [[ "$LOG_TO_SYSLOG" == 1 ]]; then
+      echo "$ERROR_MESSAGE" | $LOGGER_BINARY -p "$SYSLOG_PRIORITY" -t "$BASENAME"
+    fi
+    return 1
+  fi
+
+  if [ `ls -ld $file | awk '{print $3}'` != "$USER" ]; then
+    echo "WARNING: Configuration files must be owned by $USER! Dying on file $file"
+  fi
+
+  return 0
+}
+
+
+function CheckListPermissions {
+  #-------------------------------------------------------------
+  # check if list files has correct permissions (600) and also
+  # + if the files are owned by $USER
+  #
+  # parameter(s): list config file
+  # depends on function(s): CheckPermission
+  # returns: 0 if file has correct permissions
+  #          1 if not, and also print a warning message
+  #-------------------------------------------------------------
+
+  local file
+  local folder
+  local config
+
+  # check and fix permissions on all files from $LIST_PATH to $USER.$GROUP
+  if [ ! -z "$1" ]; then
+    folder="`basedir $1`"
+    config="`basename $1`"
+    for file in $config pubring.gpg pubring.gpg~ random_seed secring.gpg trustdb.gpg; do
+      if CheckPermission $folder/$file; then
+        echo "Fixing permission and ownership for $folder/$file"
+        chmod 600 $folder/$file
+        chown $USER.$GROUP $folder/$file
+      fi
+    done
+  fi
+}
+
 #-------------------------------------------------------------
 # main()
 #-------------------------------------------------------------
@@ -1072,7 +1152,10 @@ GLOBAL_VARS="
   MESSAGE_HEADERS MESSAGE_BODY
   MESSAGE
   FUNCTION FUNCTIONS
-  GLOBAL_VARS VAR"
+  GLOBAL_VARS VAR
+  USER
+  GROUP
+  BASENAME"
 
 FUNCTIONS="
   Usage
@@ -1096,7 +1179,9 @@ FUNCTIONS="
   ProcessMessage
   NewList
   ListAdministration
-  ChooseUid"
+  ChooseUid
+  CheckPermission
+  CheckListPermissions"
 
 for VAR in $GLOBAL_VARS; do
   declare $VAR
@@ -1105,6 +1190,9 @@ done
 # set initial exit code
 EXIT_CODE=0
 
+# set program name
+BASENAME="`basename $0`"
+
 # command line parsing:
 # first check number of arguments, then check what was entered
 # start main case
@@ -1140,8 +1228,11 @@ case $# in
     esac
     ;;
   2)
+    # if firma.conf exists but has wrong permissions or ownership
+    if [ -f "$FIRMA_CONFIG_FILE" ] && ! CheckPermission $FIRMA_CONFIG_FILE; then
+      EXIT_CODE="1"
     # if firma.conf exists
-    if [ -f "$FIRMA_CONFIG_FILE" ]; then
+    elif [ -f "$FIRMA_CONFIG_FILE" ]; then
 
       # evaluate its parameters
       shopt -u sourcepath && source "$FIRMA_CONFIG_FILE"
@@ -1166,11 +1257,17 @@ case $# in
           # options that depend on the list configuration file
           -a|--admin-task|-p|--process-message)
 
-            # if the configuration file exists, disable bash's
-            #+sourcepath and evaluate list parameters
-            if [[ -f "$LIST_CONFIG_FILE" ]]; then
+            # if config file exists but has wrong permissions or ownership
+            if [[ -f "$LIST_CONFIG_FILE" ]] && ! CheckPermission $LIST_CONFIG_FILE; then
+              EXIT_CODE="1"
+            elif [[ -f "$LIST_CONFIG_FILE" ]]; then
+
+              # if the configuration file exists, disable bash's
+              #+sourcepath and evaluate list parameters
               shopt -u sourcepath && source "$LIST_CONFIG_FILE"
 
+              CheckListPermissions $LIST_CONFIG_FILE
+
               # get gpg parameters
               DeclareGpgVars
 
@@ -1256,7 +1353,7 @@ esac
 # print/log error message, if any
 if [[ -n "$ERROR_MESSAGE" ]]; then
   if [[ "$LOG_TO_SYSLOG" == 1 ]]; then
-    echo "$ERROR_MESSAGE" | $LOGGER_BINARY -p "$SYSLOG_PRIORITY" -t "$(basename $0)"
+    echo "$ERROR_MESSAGE" | $LOGGER_BINARY -p "$SYSLOG_PRIORITY" -t "$BASENAME"
   else
     echo >&2 "$(basename $0): $ERROR_MESSAGE"
   fi
-- 
cgit v1.2.3