From 1794bd28ab0579c3a8a90fefaa0a50297dba7b73 Mon Sep 17 00:00:00 2001 From: Alexander Grund Date: Wed, 19 Jul 2023 14:28:41 +0200 Subject: [PATCH] Improve `decrypt_and_execute` - (Better) ensure cleanup of /keys (might be skipped due to `set -e`) - Add usage message - Use a unique script filename - Decrypt "inplace" to avoid need to change directory - Exit with "correct" exit code --- server/decrypt_and_execute.sh | 78 +++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 36 deletions(-) diff --git a/server/decrypt_and_execute.sh b/server/decrypt_and_execute.sh index b4b28c9..f3f5eb9 100755 --- a/server/decrypt_and_execute.sh +++ b/server/decrypt_and_execute.sh @@ -1,45 +1,51 @@ #!/bin/bash -# the one executing this script need to have the slurm private key - -set -e - -# erster call ist mit EOF file ohne sudo +# root (entered via sudo) needs to have the slurm private key +# First call is without sudo and without arguments if [[ $EUID -ne 0 ]] ; then + if [[ $# -ne 0 ]]; then + echo "Usage: $0 <" + echo "EOF" + exit 1 + fi user_name=$(whoami) - file_name="run.sh.asc" - cat $1 > /keys/$file_name - sudo decrypt_and_execute $file_name $user_name - exit 0 -fi - -if [ -z "$2" ]; then + script=$(mktemp --tmpdir=/keys) + cat > "$script" + if sudo "$0" "$script" "$user_name"; then + echo "Running script" + "$script" + fi + res=$? + + echo "Clean up" + rm -f /keys/* + + exit $res +elif [[ $# -eq 0 ]]; then echo "Please don't execute this script with sudo" >&2 exit 1 fi -file_name=$1 -user_name=$2 - -echo "Decrypting.." -gpg --no-tty --output /keys/run.sh --decrypt /keys/run.sh.asc - -#remove signed script and encrypted -rm /keys/run.sh.asc - -chown $user_name: /keys/run.sh - -sudo -u $user_name chmod +x /keys/run.sh - -# trouble running the script resulted in the next line -#sudo -u $user_name dos2unix -k -o /keys/run.sh - -echo "Changing directory" -cd /usr/users/$user_name -echo "Running script" -sudo -u $user_name /keys/run.sh - -echo "Clean up" +encrypted_script=${1:?Missing encrypted file} +user_name=${2:?Missing user} +decrypted_script="${encrypted_script}.dec" + +echo -n "Decrypting..." +if out=$(gpg --no-tty --output "$decrypted_script" --decrypt "$encrypted_script" 2>&1); then + echo "OK" + + run_script=$encrypted_script + mv -f "$decrypted_script" "$run_script" || exit 1 + + if ! chmod +x "$run_script" || ! chown "$user_name" "$run_script"; then + echo "Failed to set permissions" >&2 + exit 1 + fi +else + echo "Failed" + echo "$out" >&2 + [[ ! -f $decrypted_script ]] || rm "$decrypted_script" + exit 1 +fi -# remove everything in /keys, the standard should be, that every user has clean directory -sudo rm -f /keys/*