From 0860da2b7cd2a15a9cda732244838b56b788bf00 Mon Sep 17 00:00:00 2001
From: Thomas Makin
Date: Tue, 27 Feb 2024 15:01:49 -0500
Subject: [PATCH] agent: fix folder and file generation

Permissions are fixed! .ssh and authorized_keys are now created using uid and gid of user. Note this is sketchily dependent on system LDAP. Can be improved.
---
 agent/src/sshKeys.ts | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/agent/src/sshKeys.ts b/agent/src/sshKeys.ts
index 2667120..bd777c5 100644
--- a/agent/src/sshKeys.ts
+++ b/agent/src/sshKeys.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express';
-import { existsSync, readFileSync, appendFileSync, chownSync, mkdirSync } from 'fs';
+import { existsSync, readFileSync, writeFileSync, appendFileSync, chownSync, mkdirSync } from 'fs';
 import { execFileSync } from 'child_process';
 import * as jf from 'joiful';
 import path from 'path';
@@ -48,19 +48,30 @@ sshRouter.post(
 const file = `${userDir}/.ssh/authorized_keys`;
 if (existsSync(userDir)) {
+ let exists = true;
 if(!existsSync(`${userDir}/.ssh`)) {
- const entry = execFileSync('/usr/bin/ldapsearch', ['-x', `\'(uid=${value.username})\'`]).toString();
- const uid = parseInt(entry.match(/uidNumber: \d\d\d\d/gi)[0]);
- const gid = parseInt(entry.match(/gidNumber: \d\d\d/gi)[0]);
+ mkdirSync(`${userDir}/.ssh`, {mode: 0o700});
+ exists = false;
+ }
+ if (!existsSync(file)) {
+ writeFileSync(file, '', {mode: 0o644});
+ const entry = execFileSync('/usr/bin/ldapsearch', ['-x', `(uid=${value.username})`]).toString();
+ const uid = parseInt(entry.match(/uidNumber: \d+$/gim)[0].split(' ')[1]);
+ const gid = parseInt(entry.match(/gidNumber: \d+$/gim)[0].split(' ')[1]);
 if (!(uid && gid)) {
 logger.warn(`Id of user ${value.username} (class: ${value.classYear}) could not be determined`);
 return res
 .status(400)
 .send(`Id of user ${value.username} (class: ${value.classYear}) could not be determined`);
 }
- mkdirSync(`${userDir}/.ssh`, {mode: 0o700});
- chownSync(`${userDir}/.ssh`, uid, gid);
+
+ // chown file and only chown dir if created
+ chownSync(`${userDir}/.ssh/authorized_keys`, uid, gid);
+ if (!exists)
+ chownSync(`${userDir}/.ssh`, uid, gid);
+
 }
+
 logger.info(`Replacing contents of authorized_keys file at ${file}`);
 appendFileSync(file, req.body.toString());
 res.sendStatus(200);
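Review bot: `writeFileSync(file, '', {mode: 0o644})` runs before the ldapsearch lookup, so when uid/gid cannot be determined the handler returns 400 but leaves an empty authorized_keys (and, when `exists` is false, a `.ssh` directory) owned by whatever user the agent runs as, and because `existsSync(file)` is then true on the next request the whole chown branch is skipped and the ownership is never repaired; resolve uid and gid first and only then create and chown the directory and file, as sketched below. `value.username` is also interpolated unescaped into the LDAP filter, so unless the joiful schema (outside this hunk) restricts it to a safe alphabet, a value such as `*` or `x)(uid=root` matches other entries and `[0]` picks whichever ldapsearch lists first — escape the RFC 4515 metacharacters (`\ * ( ) NUL`) before building the filter. `entry.match(...)` returns null when the attribute is missing, so `[0]` throws a TypeError before the `!(uid && gid)` guard is reached; use a capture group with `?.[1]` and let the guard handle it. If the user can write to `userDir`, a `.ssh` that is a symlink they control would also make the agent create, chown and append to a file wherever it points, so consider checking `.ssh` with `lstatSync` before touching it. The route handler starts and ends outside the hunk.
```typescript
if (existsSync(userDir)) {
    const sshDir = `${userDir}/.ssh`;
    const dirExists = existsSync(sshDir);
    if (!dirExists || !existsSync(file)) {
        // Resolve ownership first so a failed lookup leaves no mis-owned files behind.
        // RFC 4515: escape \ * ( ) and NUL before interpolating into the filter.
        const safeUser = value.username.replace(/[\\*()\0]/g, (c: string) => `\\${c.charCodeAt(0).toString(16).padStart(2, '0')}`);
        const entry = execFileSync('/usr/bin/ldapsearch', ['-x', `(uid=${safeUser})`]).toString();
        const uid = Number.parseInt(entry.match(/^uidNumber: (\d+)$/im)?.[1] ?? '', 10);
        const gid = Number.parseInt(entry.match(/^gidNumber: (\d+)$/im)?.[1] ?? '', 10);
        if (!(uid && gid)) {
            // … unchanged: warn + 400 response …
        }
        if (!dirExists) {
            mkdirSync(sshDir, { mode: 0o700 });
            chownSync(sshDir, uid, gid);
        }
        if (!existsSync(file)) {
            writeFileSync(file, '', { mode: 0o644 });
            chownSync(file, uid, gid);
        }
    }
    // … unchanged: logger.info / appendFileSync / sendStatus …
```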