authorJoey Hess2015-02-12 12:35:15 -0400
committerJoey Hess2015-02-12 12:35:15 -0400
commitda77276378ecbed7d6434145793bfb209c731b76 (patch)
tree83699313d3357f8e26958fc1850c5af0b7432677 /src
parent0743e2223ef2b2960f0e89fa32ee68373199e3f8 (diff)
ssh user perm fixes
* Ssh.authorizedKey: Make the authorized_keys file and .ssh directory be owned by the user, not root. * Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs1
-rw-r--r--src/Propellor/Property/Ssh.hs12
2 files changed, 9 insertions, 4 deletions
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 3d453a8a..9644cb72 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -330,7 +330,6 @@ twitRss = combineProperties "twitter rss" $ props
]
-- Work around for expired ssl cert.
--- (no longer expired, TODO remove this and change urls)
pumpRss :: Property NoInfo
pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/"
"wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null"
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index fe2794a5..f44688c1 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -207,6 +207,7 @@ knownHost hosts hn user = property desc $
, f `File.containsLines`
(map (\k -> hn ++ " " ++ k) (M.elems m))
, File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
]
go _ = do
warningMessage $ "no configred pubKey for " ++ hn
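Review bot: The added `File.ownerGroup (takeDirectory f) user user` hands ~/.ssh to the user but nothing in this hunk constrains the directory's mode, so whatever permissions it was created with stay in place; sshd's StrictModes check refuses keys under a group- or world-writable ~/.ssh, so a mode property beside the chown would close that gap, e.g. `, File.mode (takeDirectory f) (combineModes [ownerReadMode, ownerWriteMode, ownerExecuteMode])`. The same applies to the authorizedKey hunk below, which sets a mode on the file but not on its directory. Whether the directory can actually be created with a permissive mode depends on code outside this hunk, so treat this as hardening rather than a proven defect. knownHost starts before the hunk and `go _` continues past its end.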
@@ -230,12 +231,17 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g
-- | Ensures that a user's authorized_keys contains a line.
-- Any other lines in the file are preserved as-is.
authorizedKey :: UserName -> String -> Property NoInfo
-authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do
+authorizedKey user l = property desc $ do
f <- liftIO $ dotFile "authorized_keys" user
- ensureProperty $
- f `File.containsLine` l
+ ensureProperty $ combineProperties desc
+ [ f `File.containsLine` l
`requires` File.dirExists (takeDirectory f)
`onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode])
+ , File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
+ ]
+ where
+ desc = user ++ " has autorized_keys line " ++ l
-- | Makes the ssh server listen on a given port, in addition to any other
-- ports it is configured to listen on.
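Review bot: The `desc` binding introduced in the new `where` clause carries over the misspelling from the replaced line, so both the property description and the combineProperties label now read "autorized_keys"; since the string is shared in one place, `desc = user ++ " has authorized_keys line " ++ l` fixes both. The Haddock comment above authorizedKey could also state the new guarantee, e.g. `-- The file and its containing directory are owned by the user.`, since that is the behavioural change callers will rely on. The two `File.ownerGroup` entries run on every apply, which is what lets an existing root-owned file converge; that seems intended but is worth a one-line comment so nobody later makes them conditional on the containsLine change.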