NOT APPROVED: keychain

Alexander Dalloz alex at dalloz.de
Tue Aug 16 13:25:05 UTC 2005


On Fri, 05.08.2005 at 13:56, Ville Skyttä wrote:

> I noticed a problem with the opt-in mechanism in the keychain package.
> When a user who has done the opt-in and has such a ssh-agent running
> runs "sudo -s", a new keychain/ssh-agent appears to be executed as root,
> but using the original user's keys.  This does not happen if I use the
> old way of stuffing the commands from the man page to ~/.bash_profile.
> Plain "su" or "su -" seem to behave as expected, no matter if the
> ~/.keychainrc or ~/.bash_profile way is being used.

Ville,

Sorry for replying this late - I am currently very busy.
The thing with "sudo -s" is that while the user becomes root, he (mostly)
keeps his environment settings, specifically $HOME here. So my proposal
is the following:

a) keychain.sh

USERID=`id -un`
USERHOME=`getent passwd "$USERID" | cut -d: -f6`

# only source the opt-in file when $HOME really belongs to the current UID
if [ "$HOME" = "$USERHOME" ] && [ -f "$HOME/.keychainrc" ]; then

    . "$HOME/.keychainrc"

(further script content follows)

b) keychain.csh

set USERID = `id -un`
set USERHOME = `getent passwd "$USERID" | cut -d: -f6`

if ("$HOME" == "$USERHOME" && -f "$HOME/.keychainrc") then

    # drop comment lines, turn VAR=value into "set VAR = value;"
    eval `grep -v '^[[:blank:]]*#' "$HOME/.keychainrc" | \
        sed 's|^\([^=]*\)=\(.*\)$|set \1 = \2|' | sed 's|$|;|'`

(further script content follows)

The change I suggest is to test whether the current $HOME variable is
identical to what `getent' returns as the home directory for the current
UID the opt-in script runs for. I am a bit unsure whether we can catch
all possible configurations (what about users stored in LDAP?), but when
in doubt the opt-in script will simply not run.

Alexander


-- 
 
1024D/866ED681 2005-07-11 Alexander Dalloz (Fedora Project) <alex at dalloz.de>
Key fingerprint = CD40 0A91 7814 C1E4 5940  8E0E 1FD5 C316 866E D681
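Added example, not part of the mail above or of the Fedora keychain package: the proposed $HOME-versus-passwd check and the .keychainrc-to-csh conversion, factored into shell functions so they can be exercised against constructed input. It assumes getent(1), awk, and mktemp are available; the passwd(5)-format file and the sample .keychainrc below are constructed for the demonstration. The grep uses the bracket expression `[[:blank:]]`, which is what `[:blank:]` in the csh snippet was meant to be.

```shell
#!/bin/sh
# Added example (not from the original mail or the keychain package).

# Look up the home directory of user $1 in passwd(5) format.  With a
# second argument it reads that file (used below with a constructed one);
# otherwise it asks getent(1), which also covers NSS sources such as LDAP.
passwd_home() {
    if [ -n "${2-}" ]; then
        awk -F: -v u="$1" '$1 == u { print $6; exit }' "$2"
    else
        getent passwd "$1" | cut -d: -f6
    fi
}

# Succeed only when $HOME ($2) is the home directory the account database
# records for user $1 (optional passwd file $3).  Under "sudo -s" the
# shell runs as root but $HOME is still the invoking user's, so this
# fails and the opt-in file is not sourced.  An unknown user fails too.
home_is_own() {
    pwhome=$(passwd_home "$1" "${3-}")
    [ -n "$pwhome" ] && [ "$pwhome" = "$2" ]
}

# Convert sh-style VAR=value lines from stdin into csh "set" statements,
# dropping comment lines (including indented ones) and blank lines.
to_csh_sets() {
    grep -v -e '^[[:blank:]]*#' -e '^[[:blank:]]*$' |
        sed 's|^\([^=]*\)=\(.*\)$|set \1 = \2;|'
}

# Demonstration on constructed data: a login shell of "alice" versus
# "sudo -s" from alice (UID root, $HOME still /home/alice).
demo() {
    tmp=$(mktemp -d) || return 1
    cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat >"$tmp/keychainrc" <<'EOF'
# constructed sample .keychainrc
  # indented comment
KEYCHAIN_KEYS=id_rsa
KEYCHAIN_OPTIONS=--quiet --inherit any
EOF
    home_is_own alice /home/alice "$tmp/passwd" &&
        echo "alice, own HOME: opt-in allowed"
    home_is_own root /home/alice "$tmp/passwd" ||
        echo "root with alice's HOME (sudo -s): opt-in skipped"
    to_csh_sets <"$tmp/keychainrc"
    rm -rf "$tmp"
}

demo
```

The check fails closed: if the user is not found in the account database, or $HOME is empty, nothing is sourced, which matches the "in doubt the opt-in script will simply not run" behaviour described in the mail.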
