MachineState: Implement permissions for keys.

This however only implements setting permissions if "storeKeysOnMachine" is set to false right now, because if the value is set to true the keys are symlinked from the store and we actually have to find a way to control permisions on it, which for the store is only possible if NixOS/nix#8 is implemented. Also, this ensures that the key filename is properly escaped. Signed-off-by: aszlig <[email protected]>
atsukotakahashi · Jun 24, 2014 · 40c1f5d · 40c1f5d
1 parent 4d25e7b
commit 40c1f5d
Showing 1 changed file with 11 additions and 5 deletions.
diff --git a/nixops/backends/__init__.py b/nixops/backends/__init__.py
@@ -187,13 +187,19 @@ def send_keys(self):
         self.run_command("mkdir -m 0750 -p /run/keys"
                          " && chown root:keys /run/keys")
         for k, opts in self.get_keys().items():
-            v = opts['text']
             self.log("uploading key ‘{0}’...".format(k))
             tmp = self.depl.tempdir + "/key-" + self.name
-            f = open(tmp, "w+"); f.write(v); f.close()
-            self.run_command("rm -f /run/keys/" + k)
-            self.upload_file(tmp, "/run/keys/" + k)
-            self.run_command("chmod 600 /run/keys/" + k)
+            f = open(tmp, "w+"); f.write(opts['text']); f.close()
+            outfile = "/run/keys/" + k
+            outfile_esc = "'" + outfile.replace("'", r"'\''") + "'"
+            self.run_command("rm -f " + outfile_esc)
+            self.upload_file(tmp, outfile)
+            chmod = "chmod '{0}' " + outfile_esc
+            chown = "chown '{0}:{1}' " + outfile_esc
+            self.run_command(' && '.join([
+                chown.format(opts['user'], opts['group']),
+                chmod.format(opts['permissions'])
+            ]))
             os.remove(tmp)
         self.run_command("touch /run/keys/done")