From 7a85d4d9c110b75280793fecd7d3d3971cd45418 Mon Sep 17 00:00:00 2001 From: Ben Kibbey Date: Sat, 2 Mar 2013 22:01:02 -0500 Subject: [PATCH] Add configuration paramter "require_save_key". To require a key needed to open a data file before saving. The default is true. --- doc/config.example | 3 +++ doc/pwmd.texi | 4 ++++ src/commands.c | 13 ++++++------- src/pwmd.c | 7 ++++++- src/rcfile.c | 17 +++++++++-------- 5 files changed, 28 insertions(+), 16 deletions(-) diff --git a/doc/config.example b/doc/config.example index d514f5c0..e79dcc28 100644 --- a/doc/config.example +++ b/doc/config.example @@ -47,6 +47,9 @@ # Kill the smartcard daemon after each OPEN or SAVE. #kill_scd=false +# Require the passphrase needed for a data file before each SAVE. +#require_save_key=true + # Set to false to call mlockall(2) after a client connects. Uses more memory # but is also more secure. Most will probably find it overkill since the # contents of all memory is cleared before being freed. diff --git a/doc/pwmd.texi b/doc/pwmd.texi index 95c6b9e5..d42e4459 100644 --- a/doc/pwmd.texi +++ b/doc/pwmd.texi @@ -318,6 +318,10 @@ option. Kill @command{scdaemon} after each @code{OPEN} (@pxref{OPEN}) or @code{SAVE} (@pxref{SAVE}) command. +@item require_save_key = boolean +Require the passphrase needed to open a data file before writing changes +of the documment to disk reguardless of the key cache status. + @item disable_list_and_dump = boolean When @code{true}, the @code{XPATH}, @code{XPATHATTR}, @code{LIST} and @code{DUMP} protocol commands (@pxref{Commands}) will be disabled. diff --git a/src/commands.c b/src/commands.c index 0e65ec93..f168de76 100644 --- a/src/commands.c +++ b/src/commands.c 
@@ -974,12 +974,8 @@ save_command (assuan_context_t ctx, char *line) int defer; rc = cache_iscached (client->filename, &defer); - if (!rc && defer) - { - log_write ("%s: %s", client->filename, - pwmd_strerror (GPG_ERR_KEY_EXPIRED)); - client->opts |= OPT_RESET; - } + if ((!rc && defer) || config_get_boolean ("global", "require_save_key")) + client->opts |= OPT_RESET; if (client->opts & OPT_RESET) { @@ -987,6 +983,8 @@ save_command (assuan_context_t ctx, char *line) if (rc) return send_error (ctx, rc); + log_write ("%s: %s", client->filename, + pwmd_strerror (GPG_ERR_KEY_EXPIRED)); send_status_all (STATUS_CACHE, NULL); } @@ -1010,7 +1008,8 @@ save_command (assuan_context_t ctx, char *line) size_t keylen = 0; /* Wanting to generate a new key. Require the key to open the - current file before proceeding. */ + current file before proceeding reguardless of the + require_save_key configuration parameter. */ rc = cache_clear (client->md5file); if (!rc) { diff --git a/src/pwmd.c b/src/pwmd.c index 1caef16c..ef253dd6 100644 --- a/src/pwmd.c +++ b/src/pwmd.c @@ -238,8 +238,11 @@ reload_rcfile_thread (void *arg) struct slist_s *config; char **users; int b = disable_list_and_dump; -#ifdef WITH_GNUTLS int exists; + int require_save_key = config_get_bool_param (global_config, "global", + "require_save_key", + &exists); +#ifdef WITH_GNUTLS int tcp_require_key = config_get_bool_param (global_config, "global", "tcp_require_key", &exists); @@ -272,6 +275,8 @@ reload_rcfile_thread (void *arg) config_set_bool_param (&global_config, "global", "tcp_require_key", tcp_require_key ? "true" : "false"); + config_set_bool_param (&global_config, "global", "require_save_key", + require_save_key ? "true" : "false"); #endif char *tmp = strv_join (",", users); config_set_list_param (&global_config, "global", "allowed", tmp); diff --git a/src/rcfile.c b/src/rcfile.c index 6cdf6eae..a11a6138 100644 --- a/src/rcfile.c +++ b/src/rcfile.c 
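Review bot: In the first src/commands.c hunk (@@ -974), the policy check writes into per-connection state: `client->opts |= OPT_RESET` is now set whenever require_save_key is true, not only when the cached key was deferred. Unless the flag is cleared later in save_command, which this hunk does not show, a connection that has saved once would keep forcing a cache reset even if the setting later changes. A local such as `int reset = (!rc && defer) || config_get_boolean ("global", "require_save_key");`, tested alongside `client->opts & OPT_RESET`, would keep the server policy separate from client options. save_command starts and ends outside the hunk.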
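Review bot: In the second src/commands.c hunk (@@ -987), the relocated `log_write` reports GPG_ERR_KEY_EXPIRED for every reset, so with require_save_key at its default of true each SAVE appears to be logged as an expired key even when the cache entry was still valid. That makes the log unreliable for anyone auditing real cache expiry. Logging the expiry only for the deferred case, e.g. `if (!rc && defer) log_write ("%s: %s", client->filename, pwmd_strerror (GPG_ERR_KEY_EXPIRED));` next to the cache_iscached call, and using a distinct message for the policy-driven reset would keep the two apart. The call also sits after the `if (rc) return send_error (ctx, rc);` path, so a failed reset is not logged at all. The enclosing block begins outside this hunk.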
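Review bot: In src/pwmd.c the saved require_save_key value is read unconditionally in the first hunk (@@ -238) but written back in the second hunk (@@ -272) just before an `#endif` that appears to close the WITH_GNUTLS block, since it follows the tcp_require_key write-back. In a build without GnuTLS the value would then not be restored after the rcfile is reloaded, so a reload could change this setting in one build and not in the other, and the local is left unused. Moving `config_set_bool_param (&global_config, "global", "require_save_key", require_save_key ? "true" : "false");` below the `#endif` would make both builds behave the same. The `exists` result of the new config_get_bool_param call is never examined before it is overwritten; a short comment stating that the pre-reload value intentionally overrides the reloaded file would help. reload_rcfile_thread extends beyond both hunks.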
@@ -58,7 +58,7 @@ static struct config_params_s int type; char *value; } config_params[] = { - { "backup", PARAM_BOOL, "1"}, + { "backup", PARAM_BOOL, "true"}, { "socket_path", PARAM_CHARP, NULL}, { "socket_perms", PARAM_CHARP, NULL}, { "passphrase", PARAM_CHARP, NULL}, @@ -67,25 +67,25 @@ static struct config_params_s { "log_path", PARAM_CHARP, "~/.pwmd/log"}, { "enable_logging", PARAM_BOOL, "0"}, { "log_level", PARAM_INT, "0"}, - { "disable_mlockall", PARAM_BOOL, "1"}, + { "disable_mlockall", PARAM_BOOL, "true"}, { "cache_timeout", PARAM_INT, "-1"}, { "cache_push", PARAM_CHARPP, NULL}, - { "disable_list_and_dump", PARAM_BOOL, "0"}, + { "disable_list_and_dump", PARAM_BOOL, "false"}, { "recursion_depth", PARAM_INT, "100"}, - { "syslog", PARAM_BOOL, "0"}, + { "syslog", PARAM_BOOL, "false"}, { "xfer_progress", PARAM_INT, "8196"}, { "allowed", PARAM_CHARPP, NULL}, { "nbits", PARAM_INT, "2048"}, { "algo", PARAM_CHARP, "rsa"}, { "cipher", PARAM_CHARP, "aes256"}, - { "kill_scd", PARAM_BOOL, "0"}, + { "kill_scd", PARAM_BOOL, "false"}, { "cipher_iterations", PARAM_ULONGLONG, "0"}, { "cipher_progress", PARAM_LONG, DEFAULT_ITERATION_PROGRESS}, { "priority", PARAM_INT, INVALID_PRIORITY}, { "keepalive_interval", PARAM_INT, "5"}, { "tcp_port", PARAM_INT, "6466"}, - { "enable_tcp", PARAM_BOOL, "0"}, - { "tcp_require_key", PARAM_BOOL, "0"}, + { "enable_tcp", PARAM_BOOL, "false"}, + { "tcp_require_key", PARAM_BOOL, "false"}, { "tcp_wait", PARAM_INT, "0"}, { "tcp_bind", PARAM_CHARP, "any"}, { "tcp_interface", PARAM_CHARP, NULL}, @@ -94,7 +94,8 @@ static struct config_params_s { "tls_access", PARAM_CHARPP, NULL}, { "pinentry_path", PARAM_CHARP, PINENTRY_PATH}, { "pinentry_timeout", PARAM_INT, DEFAULT_PINENTRY_TIMEOUT}, - { "use_agent", PARAM_BOOL, "0"}, + { "use_agent", PARAM_BOOL, "false"}, + { "require_save_key", PARAM_BOOL, "true"}, { NULL, 0, NULL}, }; -- 2.11.4.GIT
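Review bot: In the second src/rcfile.c hunk (@@ -67), `{ "enable_logging", PARAM_BOOL, "0"}` is left as a context line while every other PARAM_BOOL default in the table is rewritten to "true"/"false" (the first hunk does the same for backup). If the intent is one spelling for boolean defaults, this entry should become `{ "enable_logging", PARAM_BOOL, "false"},`. Whether the parser still accepts "0"/"1" is not visible here, so the mixed forms may be harmless, but the table is easier to audit with one convention.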
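Review bot: In the third src/rcfile.c hunk (@@ -94), the new `{ "require_save_key", PARAM_BOOL, "true"}` entry makes the stricter behaviour the default for every rcfile that does not mention the parameter, and the table gives no hint of that. A one-line comment above the entry, such as `/* Secure default: SAVE asks for the passphrase again unless set to false. */`, would record that the default is deliberate and should not be flipped casually.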