Context Navigation

source: branches/samhain-2_2-branch/scripts/samhainadmin.pl.in@ 176

Last change on this file since 176 was 53, checked in by rainer, 18 years ago
samhainadmin.pl: check for gpg-agent running if use-agent is set
File size: 17.9 KB

Line
1	#! /usr/bin/perl
2
3	# Copyright Rainer Wichmann (2004)
4	#
5	# License Information:
6	# This program is free software; you can redistribute it and/or modify
7	# it under the terms of the GNU General Public License as published by
8	# the Free Software Foundation; either version 2 of the License, or
9	# (at your option) any later version.
10	#
11	# This program is distributed in the hope that it will be useful,
12	# but WITHOUT ANY WARRANTY; without even the implied warranty of
13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14	# GNU General Public License for more details.
15	#
16	# You should have received a copy of the GNU General Public License
17	# along with this program; if not, write to the Free Software
18	# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19	#
20
21	use warnings;
22	use strict;
23	use Getopt::Long;
24	use File::Basename;
25	use File::Copy;
26	use File::stat;
27	use File::Temp qw/ tempfile tempdir unlink0 /;
28	use IO::Handle;
29	use Fcntl qw(:DEFAULT :flock);
30	use Tie::File;
31
32	# Do I/O to the data file in binary mode (so it
33	# wouldn't complain about invalid UTF-8 characters).
34	use bytes;
35
36	File::Temp->safe_level( File::Temp::HIGH );
37
38	my %opts = ();
39	my $action;
40	my $file1;
41	my $file2;
42	my $passphrase;
43	my $return_from_sign = 0;
44	my $no_print_examine = 0;
45	my $no_remove_lock = 0;
46	my $base = basename($0);
47
48	my $cfgfile = "@myconffile@";
49	my $datafile = "@mydatafile@";
50	my $daemon = "@sbindir@/@install_name@";
51	my $gpg = "@mygpg@";
52
53	$cfgfile =~ s/^REQ_FROM_SERVER//;
54	$datafile =~ s/^REQ_FROM_SERVER//;
55
56	$gpg = "gpg" if ($gpg eq "");
57
58	sub check_gpg_agent() {
59	my $gpgconf = "$ENV{'HOME'}/.gnupg/gpg.conf";
60
61	if (!-f "$gpgconf") {
62	$gpgconf = "$ENV{'HOME'}/.gnupg/options";
63	}
64
65	if (-f $gpgconf) {
66
67	my @array = ();
68	tie @array, 'Tie::File', $gpgconf or die "Cannot tie ${gpgconf}: $!";
69	my @grep = grep(/^\s*use-agent/, @array);
70
71	# print "matches = $#grep\n";
72
73	if ($#grep >= 0)
74	{
75	if (exists $ENV{'GPG_AGENT_INFO'})
76	{
77	my $socke = $ENV{'GPG_AGENT_INFO'};
78	$socke =~ s/:.*//;
79
80	# print "socke = $socke\n";
81
82	if (! -S $socke)
83	{
84	print "--------------------------------------------------\n";
85	print "\n";
86	print " GPG is set to use gpg-agent, but GPG agent is";
87	print " not running, though GPG_AGENT_INFO is defined.\n\n";
88	print " Please restart gpg-agent, or remove the use-agent\n";
89	print " option from ${gpgconf} and unset GPG_AGENT_INFO\n\n";
90	print "--------------------------------------------------\n";
91	print "\n";
92	exit 1;
93	}
94	}
95	else
96	{
97	print "--------------------------------------------------\n";
98	print "\n";
99	print " GPG is set to use gpg-agent, but ";
100	print " GPG_AGENT_INFO is not defined.\n\n";
101	print " Please start gpg-agent, or remove the use-agent\n";
102	print " option from ${gpgconf}\n\n";
103	print "--------------------------------------------------\n";
104	print "\n";
105	exit 1;
106	}
107	}
108	untie @array;
109	}
110	}
111
112
113	sub usage() {
114	print "Usage:\n";
115	print " $base { -m F \| --create-cfgfile } [options] [in.cfgfile]\n";
116	print " Sign the configuration file. If in.cfgfile is given, sign it\n";
117	print " and install it as configuration file.\n\n";
118
119	print " $base { -m f \| --print-cfgfile } [options] \n";
120	print " Print the configuration file to stdout. Signatures are removed.\n\n";
121
122	print " $base { -m D \| --create-datafile } [options] [in.datafile]\n";
123	print " Sign the database file. If in.datafile is given, sign it\n";
124	print " and install it as database file.\n\n";
125
126	print " $base { -m d \| --print-datafile } [options] \n";
127	print " Print the database file to stdout. Signatures are removed. Use\n";
128	print " option --list to list files in database rather than printing the raw file.\n\n";
129
130	print " $base { -m R \| --remove-signature } [options] file1 [file2 ...]\n";
131	print " Remove cleartext signature from input file(s). The file\n";
132	print " is replaced by the non-signed file.\n\n";
133
134	print " $base { -m E \| --sign } [options] file1 [file2 ...]\n";
135	print " Sign file(s) with a cleartext signature. The file\n";
136	print " is replaced by the signed file.\n\n";
137
138	print " $base { -m e \| --examine } [options] file1 [file2 ...]\n";
139	print " Report signature status of file(s).\n\n";
140
141	print " $base { -m G \| --generate-keys } [options] \n";
142	print " Generate a PGP keypair to use for signing.\n\n";
143
144	print "Options:\n";
145	print " -c cfgfile --cfgfile cfgfile\n";
146	print " Select an alternate configuration file.\n\n";
147
148	print " -d datafile --datafile datafile\n";
149	print " Select an alternate database file.\n\n";
150
151	print " -p passphrase --passphrase passphrase\n";
152	print " Set the passphrase for gpg. By default, gpg will ask.\n\n";
153
154	print " -l --list\n";
155	print " List the files in database rather than printing the raw file.\n\n";
156
157	print " -v --verbose\n";
158	print " Verbose output.\n\n";
159	return;
160	}
161
162	sub check_gpg_uid () {
163	if (0 != $>) {
164	print "--------------------------------------------------\n";
165	print "\n";
166	print " You are not root. Please remember that samhain/yule\n";
167	print " will use the public keyring of root to verify a signature.\n";
168	print "\n";
169	print "--------------------------------------------------\n";
170	} else {
171	if (!("@yulectl_prg@" =~ //)) {
172	print "--------------------------------------------------\n";
173	print "\n";
174	print " Please remember that yule will drop root after startup. Signature\n";
175	print " verification on SIGHUP will fail if you do not import the public key\n";
176	print " into the keyring of the non-root yule user.\n";
177	print "\n";
178	print "--------------------------------------------------\n";
179	}
180	}
181	}
182
183	sub check_gpg_sign () {
184	if ( (!-d "$ENV{'HOME'}/.gnupg") \|\| (!-e "$ENV{'HOME'}/.gnupg/secring.gpg")) {
185	print "--------------------------------------------------\n";
186	print "\n";
187	if (!-d "$ENV{'HOME'}/.gnupg") {
188	print " Directory \$HOME/.gnupg not found!\n";
189	} else {
190	print " Secret keyring \$HOME/.gnupg/secring.gpg not found!\n";
191	}
192	print "\n";
193	print " This indicates that you have never created a \n";
194	print " public/private keypair, and thus cannot sign.\n";
195	print " \n";
196	print " Please use $0 --generate-keys or gpg --gen-key\n";
197	print " to generate a public/private keypair first.\n";
198	print "\n";
199	print "--------------------------------------------------\n";
200	print "\n";
201	exit;
202	}
203	}
204
205	sub check_gpg_verify () {
206	if ( (!-d "$ENV{'HOME'}/.gnupg") \|\| (!-e "$ENV{'HOME'}/.gnupg/pubring.gpg")) {
207	print "--------------------------------------------------\n";
208	print "\n";
209	if (!-d "$ENV{'HOME'}/.gnupg") {
210	print " Directory \$HOME/.gnupg not found!\n";
211	} else {
212	print " Public keyring \$HOME/.gnupg/pubring.gpg not found!\n";
213	}
214	print "\n";
215	print " This indicates that you have never used gpg before \n";
216	print " and/or have no public keys to verify signatures.\n";
217	print " \n";
218	print " Please use 'gpg --export key_id' to export the public\n";
219	print " signing key of the user who is signing the\n";
220	print " configuration/database files.\n\n";
221	print " Then you can use 'gpg --import keyfile' to import the key\n";
222	print " into this user's public keyring.\n";
223	print "\n";
224	print "--------------------------------------------------\n";
225	print "\n";
226	exit;
227	}
228	}
229
230
231	sub generate () {
232	my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --gen-key";
233	check_gpg_uid();
234	system ($command) == 0
235	or die "system $command failed: $?";
236	exit;
237	}
238
239	sub examine () {
240	my $iscfg = 0;
241	my $have_fp = 0;
242	my $have_sig = 0;
243	my $message = '';
244	my $retval = 9;
245	my $fh;
246	my $filename;
247
248	if (!($file1 =~ /^\-$/)) {
249	die ("Cannot open $file1 for read: $!") unless ((-e $file1) && (-r _));
250	}
251	open FIN, "<$file1" or die "Cannot open $file1 for read: $!";
252
253	my $dir = tempdir( CLEANUP => 1 );
254	$filename = $dir . "/exa_jhfdbilw." . $$;
255	open $fh, ">$filename" or die "Cannot open $filename";
256	autoflush $fh 1;
257
258	while (<FIN>) {
259	print $fh $_;
260	if ($_ =~ /^\s*\[Misc\]/) {
261	$iscfg = 1;
262	}
263	}
264	if ($iscfg == 1) {
265	$message .= "File $file1 is a configuration file\n\n";
266	} else {
267	$message .= "File $file1 is a database file\n\n";
268	}
269
270
271	my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --status-fd 1 ";
272	$command .= "--verbose " if (defined($opts{'v'}));
273	$command .= "--verify $filename ";
274	if (defined($opts{'v'})) {
275	$command .= "2>&1";
276	} else {
277	$command .= "2>/dev/null";
278	}
279
280	print STDOUT "Using: $command\n\n" if (defined($opts{'v'}));
281	open GPGIN, "$command \|" or die "Cannot fork: $!";
282
283	while (<GPGIN>) {
284	if ($_ =~ /^\[GNUPG:\] GOODSIG ([0-9A-F]+) (.*)$/) {
285	$message .= "GOOD signature with key: $1\n";
286	$message .= "Key owner: $2\n";
287	$have_sig = 1;
288	$retval = 0;
289	}
290	if ($_ =~ /^\[GNUPG:\] VALIDSIG ([0-9A-F]+) ([0-9\-]+)\s/) {
291	$message .= "Key fingerprint: $1\n";
292	$message .= "Signature generated on: $2\n\n";
293	$have_fp = 1;
294	$message .= "This file is signed with a valid signature.\n"
295	if ($have_sig == 1);
296	$have_sig = 1;
297	$have_fp = 1;
298	}
299	if ($_ =~ /^\[GNUPG:\] NODATA 1/) {
300	$message .= "NO signature found.\n\n";
301	$message .= "This file is not signed !!!\n";
302	$have_sig = 1;
303	$have_fp = 1;
304	$retval = 2;
305	}
306	if ($_ =~ /^\[GNUPG:\] BADSIG ([0-9A-F]+) (.*)$/) {
307	$message .= "BAD signature with key: $1\n";
308	$message .= "Key owner: $2\n\n";
309	$message .= "This file is signed with an invalid signature !!!\n";
310	$have_sig = 1;
311	$have_fp = 1;
312	$retval = 1;
313	}
314	if ($_ =~ /^\[GNUPG:\] NO_PUBKEY ([0-9A-F]+)/) {
315	$message .= "NOT CHECKED signature with key: $1\n\n";
316	$message .= "The signature of this file cannot be checked: no public key available !!!\n";
317	$have_sig = 1;
318	$have_fp = 1;
319	$retval = 1;
320	}
321	print STDOUT $_ if (defined($opts{'v'}));
322	}
323	close (GPGIN);
324	print STDOUT "\n" if (defined($opts{'v'}));
325	if ($have_sig == 0) {
326	$message .= "NO valid signature found\n";
327	}
328	elsif ($have_fp == 0) {
329	$message .= "NO fingerprint found\n";
330	}
331	close (FIN);
332	if ($no_print_examine == 0) {
333	print STDOUT $message;
334	}
335	unlink0( $fh, $filename ) or die "Cannot unlink $filename safely";
336	return $retval;
337	}
338
339	sub remove () {
340	my $bodystart = 1;
341	my $sigstart = 0;
342	my $sigend = 0;
343	my $filename = "";
344	my $fh;
345	my $stats;
346
347	open FH, "<$file1" or die "Cannot open file $file1 for read: $!";
348	if (!($file1 =~ /^\-$/)) {
349	flock(FH, LOCK_EX) unless ($no_remove_lock == 1);
350	my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
351	$filename = $dir . "/rem_iqegBCQb." . $$;
352	open $fh, ">$filename" or die "Cannot open $filename";
353	$stats = stat($file1);
354	# ($fh, $filename) = tempfile(UNLINK => 1);
355	} else {
356	open $fh, ">$file1" or die "Cannot open file $file1 for write: $!";
357	}
358	autoflush $fh 1;
359	while (<FH>) {
360	if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
361	$sigstart = 1;
362	$bodystart = 0;
363	next;
364	} elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
365	$sigstart = 0;
366	$bodystart = 1;
367	next;
368	} elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
369	$bodystart = 0;
370	$sigend = 1;
371	next;
372	} elsif (($sigend == 1) && ($_ =~ /^-----END PGP SIGNATURE-----/)) {
373	$sigend = 0;
374	$bodystart = 1;
375	next;
376	}
377	if ($bodystart == 1) {
378	print $fh $_;
379	}
380	}
381	if (!($file1 =~ /^\-$/)) {
382	copy("$filename", "$file1")
383	or die "Copy $filename to $file1 failed: $!";
384	chmod $stats->mode, $file1;
385	chown $stats->uid, $stats->gid, $file1;
386	flock(FH, LOCK_UN) unless ($no_remove_lock == 1);
387	close FH;
388	}
389	unlink0( $fh, $filename ) or die "Cannot unlink $filename safely";
390	return;
391	}
392
393	sub print_cfgfile () {
394	my $bodystart = 0;
395	my $sigstart = 0;
396
397	if (!defined($file2)) {
398	$file2 = '-';
399	}
400
401	open FH, "<$file1" or die "Cannot open file $file1 for read: $!";
402	open FO, ">$file2" or die "Cannot open file $file2 for write: $!";
403	while (<FH>) {
404	if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
405	$sigstart = 1;
406	next;
407	} elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
408	$sigstart = 0;
409	$bodystart = 1;
410	next;
411	} elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
412	$bodystart = 0;
413	exit;
414	}
415	if ($bodystart == 1) {
416	print FO $_;
417	}
418	}
419	exit;
420	}
421	sub print_datafile () {
422	die ("Cannot find program $daemon")
423	unless (-e $daemon);
424	if (defined($opts{'v'})) {
425	open FH, "$daemon --full-detail -d $datafile \|"
426	or die "Cannot open datafile $datafile for read: $!";
427	} else {
428	open FH, "$daemon -d $datafile \|"
429	or die "Cannot open datafile $datafile for read: $!";
430	}
431	while (<FH>) {
432	print $_;
433	}
434	exit;
435	}
436
437	sub sign_file () {
438
439	my $fileout = '';
440	my $bodystart = 1;
441	my $sigstart = 0;
442	my $sigend = 0;
443	my $stats;
444	my $fh1;
445	my $filename1;
446	my $flag1 = 0;
447
448	check_gpg_uid();
449	check_gpg_agent();
450
451	if (!defined($file2)) {
452	$file2 = $file1;
453	}
454
455	if ($file1 =~ /^\-$/) {
456	my $dir = tempdir( CLEANUP => 1 ) or die "Tempdir failed";
457	$filename1 = $dir . "/sig_vs8827sd." . $$;
458	open $fh1, ">$filename1" or die "Cannot open $filename1";
459	$flag1 = 1;
460	# my ($fh1, $filename1) = tempfile(UNLINK => 1);
461
462	while (<STDIN>) {
463	if ($_ =~ /^-----BEGIN PGP SIGNED MESSAGE-----/) {
464	$sigstart = 1;
465	$bodystart = 0;
466	next;
467	} elsif (($sigstart == 1) && ($_ =~ /^\s+$/)) {
468	$sigstart = 0;
469	$bodystart = 1;
470	next;
471	} elsif ($_ =~ /^-----BEGIN PGP SIGNATURE-----/) {
472	$bodystart = 0;
473	$sigend = 1;
474	next;
475	} elsif (($sigend == 1) && ($_ =~ /^-----END PGP SIGNATURE-----/)) {
476	$sigend = 0;
477	$bodystart = 1;
478	next;
479	}
480	if ($bodystart == 1) {
481	print $fh1 $_;
482	}
483	#
484	# print $fh1 $_;
485	#
486	}
487	$file1 = $filename1;
488	$fileout = '-';
489	} else {
490	open (LOCKFILE, "<$file1") or die "Cannot open $file1: $!";
491	flock(LOCKFILE, LOCK_EX);
492	$no_print_examine = 1;
493	$no_remove_lock = 1;
494	if (examine() < 2) {
495	remove();
496	}
497	$fileout = $file1 . ".asc";
498	$stats = stat($file1)
499	or die "No file $file1: $!";
500	}
501
502	if (defined($passphrase)) {
503	local $SIG{PIPE} = 'IGNORE';
504	my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg --passphrase-fd 0 -a --clearsign -o $fileout --not-dash-escaped $file1";
505	open (FH, "\|$command") or die "can't fork: $!";
506	print FH "$passphrase" or die "can't write: $!";
507	close FH or die "can't close: status=$?";
508	} else {
509	my $command = "$gpg --homedir $ENV{'HOME'}/.gnupg -a --clearsign -o $fileout --not-dash-escaped $file1";
510	system("$command") == 0
511	or die "system $command failed: $?";
512	}
513
514	if (!($fileout =~ /^\-$/)) {
515	my $st_old = stat($file1)
516	or die "No file $file1: $!";
517	my $st_new = stat($fileout)
518	or die "No file $fileout: $!";
519	die ("Signed file is smaller than unsigned file")
520	unless ($st_new->size > $st_old->size);
521	move("$fileout", "$file2")
522	or die "Move $fileout to $file2 failed: $!";
523	chmod $stats->mode, $file2;
524	chown $stats->uid, $stats->gid, $file2;
525	flock(LOCKFILE, LOCK_UN);
526	}
527
528	if ($flag1 == 1) {
529	unlink0( $fh1, $filename1 ) or die "Cannot unlink $filename1 safely";
530	}
531	if ($return_from_sign == 1) {
532	return;
533	}
534	exit;
535	}
536
537	Getopt::Long::Configure ("posix_default");
538	Getopt::Long::Configure ("bundling");
539	# Getopt::Long::Configure ("debug");
540
541	GetOptions (\%opts, 'm=s', 'h\|help', 'v\|verbose', 'l\|list',
542	'c\|cfgfile=s',
543	'd\|datafile=s',
544	'p\|passphrase=s',
545	'create-cfgfile', # -m F
546	'print-cfgfile', # -m f
547	'create-datafile', # -m D
548	'print-datafile', # -m d
549	'remove-signature',# -m R
550	'sign', # -m E
551	'examine', # -m e
552	'generate-keys'); # -m G
553
554	if (defined ($opts{'h'})) {
555	usage();
556	exit;
557	}
558
559	if (defined($opts{'c'})) {
560	$cfgfile = $opts{'c'};
561	}
562	if (defined($opts{'d'})) {
563	$datafile = $opts{'d'};
564	}
565	if (defined($opts{'p'})) {
566	$passphrase = $opts{'p'};
567	}
568
569	if (defined ($opts{'m'}) && ($opts{'m'} =~ /[FfDdREeG]{1}/) ) {
570	$action = $opts{'m'};
571	}
572	elsif (defined ($opts{'create-cfgfile'})) {
573	$action = 'F';
574	}
575	elsif (defined ($opts{'print-cfgfile'})) {
576	$action = 'f';
577	}
578	elsif (defined ($opts{'create-datafile'})) {
579	$action = 'D';
580	}
581	elsif (defined ($opts{'print-datafile'})) {
582	$action = 'd';
583	}
584	elsif (defined ($opts{'remove-signature'})) {
585	$action = 'R';
586	}
587	elsif (defined ($opts{'sign'})) {
588	$action = 'E';
589	}
590	elsif (defined ($opts{'examine'})) {
591	$action = 'e';
592	}
593	elsif (defined ($opts{'generate-keys'})) {
594	$action = 'G';
595	}
596	else {
597	usage();
598	die ("No valid action specified !");
599	}
600
601	if (defined($ARGV[0])) {
602	$file1 = $ARGV[0];
603	}
604	if (defined($ARGV[1])) {
605	$file2 = $ARGV[1];
606	}
607
608
609	if (($action =~ /[REe]{1}/) && !defined($file1)) {
610	usage();
611	die("Option -m $action requires a filename (or '-' for stdio)\n");
612	}
613
614	if ($action =~ /^F$/) {
615	if (!defined($file1)) {
616	$file1 = $cfgfile;
617	}
618	$file2 = $cfgfile;
619	sign_file ();
620	}
621
622	if ($action =~ /^D$/) {
623	if (!defined($file1)) {
624	$file1 = $datafile;
625	}
626	$file2 = $datafile;
627	sign_file ();
628	}
629
630	if ($action =~ /^R$/) {
631	# $file1 defined
632	my $i = 0;
633	while (defined($ARGV[$i])) {
634	$file1 = $ARGV[$i];
635	remove ();
636	++$i;
637	}
638	}
639
640	if ($action =~ /^E$/) {
641	# $file1 defined
642	# default: $file2 = $file1
643	check_gpg_sign();
644	my $i = 0;
645	while (defined($ARGV[$i])) {
646	$file1 = $ARGV[$i];
647	$file2 = $file1;
648	$return_from_sign = 1;
649	sign_file ();
650	++$i;
651	}
652	}
653
654	if ($action =~ /^e$/) {
655	# $file1 defined
656	# default: $file2 = stdout
657	check_gpg_verify();
658	my $i = 0;
659	while (defined($ARGV[$i])) {
660	print "\n";
661	$file1 = $ARGV[$i];
662	examine ();
663	++$i;
664	print "\n--------------------------------\n" if (defined($ARGV[$i]));
665	}
666	}
667
668	if ($action =~ /^f$/) {
669	$file1 = $cfgfile;
670	$file2 = "-";
671	print_cfgfile ();
672	}
673
674	if ($action =~ /^d$/) {
675	# $file1 irrelevant
676	if (defined($opts{'l'})) {
677	print_datafile ();
678	} else {
679	$file1 = $datafile;
680	$file2 = "-";
681	print_cfgfile ();
682	}
683	}
684
685
686

Note: See TracBrowser for help on using the repository browser.

Download in other formats: