View Issue Details

ID: 0006008
Project: Taler
Category: deployment and operations
View Status: public
Last Update: 2019-12-24 00:33
Reporter: Marcello Stanisci
Assigned To:
Priority: high
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0006008: fix permissions on keys for blue/green demo setup

Description:
Deployed keys should be assigned to the 'demo' group and only have read/write permissions.
The attached script addresses this; should be applied and tested.

Tags: No tags attached.

Activities

Marcello Stanisci

2019-12-23 15:42

manager

permissions.diff (3,463 bytes)
diff --git a/bin/taler-deployment-keyup b/bin/taler-deployment-keyup
index 76de9c3..45f99f8 100755
--- a/bin/taler-deployment-keyup
+++ b/bin/taler-deployment-keyup
@@ -15,6 +15,7 @@ if ! test -f $HOME/.config/taler.conf; then
   exit 1
 fi
 
+DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f)
 DATESALT=$(date +%s%N)
 AUDITOR_REQUEST_DIR=$(taler-config -s exchangedb -o auditor_inputs -f)
 AUDITOR_BASE_DIR=$(taler-config -s exchangedb -o auditor_base_dir -f)
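Review bot: the new `DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f)` line has no failure check, and the value is later used unquoted as `$DEPLOYMENT_DATA/`; if taler-config fails or the option is unset, the variable is empty and both the `chmod g+s` and the final recursive chmod operate on `/`. Suggest adding `test -n "$DEPLOYMENT_DATA" || exit 1` directly after it, in the style of the existing `if ! test -f $HOME/.config/taler.conf` guard.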
@@ -33,53 +34,52 @@ MERCHANT_TALER_PRIV=$(taler-config -s instance-Taler -o keyfile -f)
 MERCHANT_FSF_PRIV=$(taler-config -s instance-FSF -o keyfile -f)
 MERCHANT_GNUNET_PRIV=$(taler-config -s instance-GNUnet -o keyfile -f)
 
+
+# NOTE: all the steps below will only work IF /home/demo/taler-data/
+# allows already writes from the demo group.  And that it is not (yet?)
+# automated.
+chmod g+s $DEPLOYMENT_DATA/
+
 # Deploying merchant tip-reserve priv.
 if ! test -f $MERCHANT_TIP_RESERVE_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TIP_RESERVE_PRIV)
   cp $HOME/deployment/private-keys/default-tip.priv $MERCHANT_TIP_RESERVE_PRIV
-  chmod 440 $MERCHANT_TIP_RESERVE_PRIV
 fi
 
 # Deploying merchant default priv.
 if ! test -f $MERCHANT_DEFAULT_PRIV ; then
   mkdir -p $(dirname $MERCHANT_DEFAULT_PRIV)
   cp $HOME/deployment/private-keys/default.priv $MERCHANT_DEFAULT_PRIV
-  chmod 440 $MERCHANT_DEFAULT_PRIV
 fi
 
 # Deploying merchant tutorial priv.
 if ! test -f $MERCHANT_TUTORIAL_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TUTORIAL_PRIV)
   cp $HOME/deployment/private-keys/tutorial.priv $MERCHANT_TUTORIAL_PRIV
-  chmod 440 $MERCHANT_TUTORIAL_PRIV
 fi
 
 # Deploying merchant Tor priv.
 if ! test -f $MERCHANT_TOR_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TOR_PRIV)
   cp $HOME/deployment/private-keys/tor.priv $MERCHANT_TOR_PRIV
-  chmod 440 $MERCHANT_TOR_PRIV
 fi
 
 # Deploying merchant Taler priv.
 if ! test -f $MERCHANT_TALER_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TALER_PRIV)
   cp $HOME/deployment/private-keys/taler.priv $MERCHANT_TALER_PRIV
-  chmod 440 $MERCHANT_TALER_PRIV
 fi
 
 # Deploying merchant FSF priv.
 if ! test -f $MERCHANT_FSF_PRIV ; then
   mkdir -p $(dirname $MERCHANT_FSF_PRIV)
   cp $HOME/deployment/private-keys/fsf.priv $MERCHANT_FSF_PRIV
-  chmod 440 $MERCHANT_FSF_PRIV
 fi
 
 # Deploying merchant GNUnet priv.
 if ! test -f $MERCHANT_GNUNET_PRIV ; then
   mkdir -p $(dirname $MERCHANT_GNUNET_PRIV)
   cp $HOME/deployment/private-keys/gnunet.priv $MERCHANT_GNUNET_PRIV
-  chmod 440 $MERCHANT_GNUNET_PRIV
 fi
 
 
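Review bot: dropping the `chmod 440` after each `cp` leaves every merchant private key at whatever mode `cp` and the umask produce (typically 644, world-readable) until the single recursive chmod at the end of the script, so an abort anywhere in between leaves keys exposed; `chmod g+s $DEPLOYMENT_DATA/` only makes files created later inherit the directory's group and does nothing for their mode or for existing subdirectories. Suggest setting the intended mode at creation time, e.g. keep the per-key line as `chmod 660 $MERCHANT_TIP_RESERVE_PRIV` instead of deleting it, and add a `chgrp demo` there if group assignment is the goal stated in the issue. The NOTE comment should also read "already allows writes from the demo group, and this is not (yet?) automated".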
@@ -87,14 +87,12 @@ fi
 if ! test -f $EXCHANGE_PRIV ; then
   mkdir -p $(dirname $EXCHANGE_PRIV)
   cp $HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv $EXCHANGE_PRIV
-  chmod 440 $EXCHANGE_PRIV
 fi
 
 # Deploying Auditor's priv.
 if ! test -f $AUDITOR_PRIV; then
   mkdir -p $(dirname $AUDITOR_PRIV)
   cp $HOME/deployment/private-keys/auditor.priv $AUDITOR_PRIV
-  chmod 440 $AUDITOR_PRIV
 fi
 
 mkdir -p $AUDITOR_REQUEST_DIR
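Review bot: same concern as in the merchant block: the exchange master key and the auditor key are copied and then left at the `cp` default mode until the recursive chmod at the very end of the script; set the mode (e.g. `chmod 660 $EXCHANGE_PRIV` and `chmod 660 $AUDITOR_PRIV`) right after each `cp` here as well.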
@@ -104,9 +102,6 @@ taler-exchange-keyup \
 
 # or-ing with true as user A won't be able to
 # change permissions for user B's files.
-chmod -R 440 $EXCHANGE_LIVE_KEYS/* || true
-
-chmod -R 440 $EXCHANGE_WIREFEES/* || true
 
 taler-auditor-exchange \
   -m $EXCHANGE_PUB \
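Review bot: with both `chmod -R 440 ... || true` lines removed, the comment "or-ing with true as user A won't be able to change permissions for user B's files" no longer refers to anything; either delete it or move it next to the new final chmod, which has the same cross-user problem but no `|| true`.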
@@ -129,3 +124,5 @@ if [[ -s $AUDITOR_REQUEST_DIR/auditor_request-${DATESALT} ]]; then
     -o "$AUDITOR_BASE_DIR/$DATESALT" \
     -c ${HOME}/.config/taler.conf
 fi
+
+chmod -R 660 $DEPLOYMENT_DATA/
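Review bot: `chmod -R 660 $DEPLOYMENT_DATA/` applies the numeric mode to directories as well as files, clearing their search (x) bits, after which nothing below them can be opened. Use a symbolic mode that keeps x on directories only, e.g. `chmod -R u=rwX,g=rwX,o= $DEPLOYMENT_DATA/`, or restrict the pass to files with `find $DEPLOYMENT_DATA -type f -exec chmod 660 {} +`. Unlike the lines it replaces, this one has no `|| true`, so a file owned by another user makes the last step of the script return an error.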

Christian Grothoff

2019-12-24 00:33

manager ~0015217

The chmod -R was pretty fatal, it removed -x from directories... Also, 440 is not ok, as some of our tools like to open for writing and fail if they cannot (possibly unnecessarily so, but that's another issue for later!).
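The failure mode described above, as an added example that is not part of the Taler deployment scripts: it builds a constructed temporary tree, shows that a recursive numeric 660 strips the search bit from directories, and shows a symbolic recursive mode that leaves key files rw-rw---- while directories stay searchable. Only POSIX sh, chmod, find and mktemp are assumed.

```shell
#!/bin/sh
# Added example, not from the Taler deployment repository.
set -u

# Build a throwaway tree shaped like a deployment data directory with keys.
make_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/exchange/live-keys" "$d/merchant"
  printf 'constructed-fake-key\n' > "$d/exchange/live-keys/signkey.priv"
  printf 'constructed-fake-key\n' > "$d/merchant/default.priv"
  printf '%s' "$d"
}

# 0 when every directory under $1 still has its owner search bit (x).
dirs_searchable() {
  ! find "$1" -type d ! -perm -100 2>/dev/null | grep -q .
}

# 0 when every regular file under $1 is exactly rw-rw---- (0660).
files_are_660() {
  ! find "$1" -type f ! -perm 660 2>/dev/null | grep -q .
}

# The form used by the attached patch: the numeric mode is applied to
# directories too. Unprivileged, chmod strips x from the top directory and
# then fails on everything below it; as root it clears x on every directory.
broken_fix() {
  chmod -R 660 "$1" 2>/dev/null || true
}

# Symbolic mode with X: x is set only on directories (or files that already
# had it), so .priv files end up 0660, directories 0770, and others locked out.
safe_fix() {
  chmod -R u=rwX,g=rwX,o= "$1"
}

# Returns 0 only if the bug reproduces and the symbolic form leaves a fully
# usable tree (the tree is repaired and removed on the way out).
demo() {
  t=$(make_tree)
  broken_fix "$t"
  dirs_searchable "$t" && return 1   # directories must have lost x
  safe_fix "$t"
  dirs_searchable "$t" && files_are_660 "$t" && rm -rf "$t"
}

demo && echo "chmod -R 660 broke directories; u=rwX,g=rwX,o= repaired them"
```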

Issue History

Date Modified Username Field Change
2019-12-23 15:42 Marcello Stanisci New Issue
2019-12-23 15:42 Marcello Stanisci File Added: permissions.diff
2019-12-23 15:42 Marcello Stanisci Priority normal => high
2019-12-24 00:33 Christian Grothoff Note Added: 0015217