From 7ceeebf1505dba655b43e095f5392367a3a0f9b8 Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Thu, 25 Aug 2011 12:59:26 -0500
Subject: pacman-key: refine permission and locking checks
* secring.gpg can be 600, readable by root user only
* ensure grep for lock-never option in check_keyring doesn't catch comments
Signed-off-by: Dan McGee <dan@archlinux.org>
---
scripts/pacman-key.sh.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 7b9f80ba..1c93314c 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -109,7 +109,8 @@ initialize() {
[[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
[[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || "${GPG_PACMAN[@]}" --update-trustdb
- chmod 644 ${PACMAN_KEYRING_DIR}/{{pub,sec}ring,trustdb}.gpg
+ chmod 644 ${PACMAN_KEYRING_DIR}/{pubring,trustdb}.gpg
+ chmod 600 ${PACMAN_KEYRING_DIR}/secring.gpg
# gpg.conf
[[ -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch ${PACMAN_KEYRING_DIR}/gpg.conf
@@ -121,7 +122,6 @@ initialize() {
check_keyring() {
if [[ ! -r ${PACMAN_KEYRING_DIR}/pubring.gpg || \
- ! -r ${PACMAN_KEYRING_DIR}/secring.gpg || \
! -r ${PACMAN_KEYRING_DIR}/trustdb.gpg ]]; then
error "$(gettext "You do not have sufficient permissions to read the %s keyring...")" "pacman"
msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
@@ -129,7 +129,7 @@ check_keyring() {
fi
if (( (EXPORT || FINGER || LIST || VERIFY) && EUID != 0 )); then
- if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
+ if ! grep -q "^[[:space:]]*lock-never[[:space:]]*$" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
error "$(gettext "You do not have sufficient permissions to run this command...")"
msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
exit 1
--
cgit v1.2.3-70-g09d2