From 1a3b226231d85e4fe3dc55d071e8f42dc74fded3 Mon Sep 17 00:00:00 2001
From: aszlig
Date: Tue, 24 Jun 2014 13:56:49 +0200
Subject: [PATCH] MachineState: Implement permissions for keys.

This however only implements setting permissions if "storeKeysOnMachine" is set to false right now, because if the value is set to true the keys are symlinked from the store and we actually have to find a way to control permisions on it, which for the store is only possible if NixOS/nix#8 is implemented. Also, this ensures that the key filename is properly escaped.

Signed-off-by: aszlig
---
 nixops/backends/__init__.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/nixops/backends/__init__.py b/nixops/backends/__init__.py
index 1a2c93a86..f5b5c6a01 100644
--- a/nixops/backends/__init__.py
+++ b/nixops/backends/__init__.py
@@ -187,13 +187,19 @@ def send_keys(self):
         self.run_command("mkdir -m 0750 -p /run/keys" " && chown root:keys /run/keys")
         for k, opts in self.get_keys().items():
-            v = opts['text']
             self.log("uploading key ‘{0}’...".format(k))
             tmp = self.depl.tempdir + "/key-" + self.name
-            f = open(tmp, "w+"); f.write(v); f.close()
-            self.run_command("rm -f /run/keys/" + k)
-            self.upload_file(tmp, "/run/keys/" + k)
-            self.run_command("chmod 600 /run/keys/" + k)
+            f = open(tmp, "w+"); f.write(opts['text']); f.close()
+            outfile = "/run/keys/" + k
+            outfile_esc = "'" + outfile.replace("'", r"'\''") + "'"
+            self.run_command("rm -f " + outfile_esc)
+            self.upload_file(tmp, outfile)
+            chmod = "chmod '{0}' " + outfile_esc
+            chown = "chown '{0}:{1}' " + outfile_esc
+            self.run_command(' && '.join([
+                chown.format(opts['user'], opts['group']),
+                chmod.format(opts['permissions'])
+            ]))
             os.remove(tmp)
         self.run_command("touch /run/keys/done")
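Review bot: The single-quote escaping introduced for the key path is not applied to the other values placed inside the same shell command: `chmod = "chmod '{0}' " + outfile_esc` and `chown = "chown '{0}:{1}' " + outfile_esc` wrap opts['user'], opts['group'] and opts['permissions'] in bare single quotes, so a quote character in any of them would break out of the quoting this patch adds for the key name. Factoring the escape into one helper, `def _shquote(s): return "'" + s.replace("'", r"'\''") + "'"` (or `pipes.quote` on Python 2), and using it for all four values keeps the command construction consistent; if those options are validated as plain identifiers before reaching here this is defence in depth, but nothing in the hunk shows that. Separately, the rewritten `f = open(tmp, "w+"); f.write(opts['text']); f.close()` still creates the key material under the process umask before it is uploaded, so creating it via `os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` would avoid a window in which the temp file is readable to other local users. send_keys starts before this hunk.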