1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

agent: New option --no-user-trustlist and --sys-trustlist-name.

* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New.
(opts): Add new option names.
(parse_rereadable_options): Parse options.
(finalize_rereadable_options): Reset allow-mark-trusted for the new
option.
* agent/agent.h (opt): Add fields no_user_trustlist and
sys_trustlist_name.
* agent/trustlist.c (make_sys_trustlist_name): New.
(read_one_trustfile): Use here.
(read_trustfiles): Use here.  Implement --no-user-trustlist.  Also
repalce "allow_include" by "systrust" and adjust callers.
--

With the global options we can now avoid that a user changes the
Root-CA trust by editing the trustlist.txt.  However, to implement
this we need a new option so that we don't need to rely on some magic
like --no-allow-mark-trusted has been put into a force section.

The second option makes system administration easier as it allows to
keep the trustlist in a non-distributed file.

GnuPG-bug-id: 5990
Backported-from-master: 1530d04725d475bf29328eab40b42f72ff8aa06b
This commit is contained in:
Werner Koch 2022-06-14 14:25:21 +02:00
parent abe69b2094
commit d0bd91ba73
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
4 changed files with 77 additions and 17 deletions

View File

@ -148,6 +148,13 @@ struct
interactively mark certificate in trustlist.txt as trusted. */ interactively mark certificate in trustlist.txt as trusted. */
int allow_mark_trusted; int allow_mark_trusted;
/* Only use the system trustlist. */
int no_user_trustlist;
/* The standard system trustlist is SYSCONFDIR/trustlist.txt. This
* option can be used to change the name. */
const char *sys_trustlist_name;
/* If this global option is true, the Assuan command /* If this global option is true, the Assuan command
PRESET_PASSPHRASE is allowed. */ PRESET_PASSPHRASE is allowed. */
int allow_preset_passphrase; int allow_preset_passphrase;

View File

@ -128,6 +128,8 @@ enum cmd_and_opt_values
oIgnoreCacheForSigning, oIgnoreCacheForSigning,
oAllowMarkTrusted, oAllowMarkTrusted,
oNoAllowMarkTrusted, oNoAllowMarkTrusted,
oNoUserTrustlist,
oSysTrustlistName,
oAllowPresetPassphrase, oAllowPresetPassphrase,
oAllowLoopbackPinentry, oAllowLoopbackPinentry,
oNoAllowLoopbackPinentry, oNoAllowLoopbackPinentry,
@ -249,6 +251,8 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted", ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
/* */ N_("disallow clients to mark keys as \"trusted\"")), /* */ N_("disallow clients to mark keys as \"trusted\"")),
ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"), ARGPARSE_s_n (oAllowMarkTrusted, "allow-mark-trusted", "@"),
ARGPARSE_s_n (oNoUserTrustlist, "no-user-trustlist", "@"),
ARGPARSE_s_s (oSysTrustlistName, "sys-trustlist-name", "@"),
ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase", ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase",
/* */ N_("allow presetting passphrase")), /* */ N_("allow presetting passphrase")),
ARGPARSE_s_u (oS2KCount, "s2k-count", "@"), ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),
@ -873,6 +877,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
opt.enable_extended_key_format = 1; opt.enable_extended_key_format = 1;
opt.ignore_cache_for_signing = 0; opt.ignore_cache_for_signing = 0;
opt.allow_mark_trusted = 1; opt.allow_mark_trusted = 1;
opt.sys_trustlist_name = NULL;
opt.allow_external_cache = 1; opt.allow_external_cache = 1;
opt.allow_loopback_pinentry = 1; opt.allow_loopback_pinentry = 1;
opt.allow_emacs_pinentry = 0; opt.allow_emacs_pinentry = 0;
@ -963,6 +968,8 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break; case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break;
case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break; case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break;
case oNoUserTrustlist: opt.no_user_trustlist = 1; break;
case oSysTrustlistName: opt.sys_trustlist_name = pargs->r.ret_str; break;
case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break; case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break;
@ -1008,6 +1015,11 @@ finalize_rereadable_options (void)
/* Hack to allow --grab to override --no-grab. */ /* Hack to allow --grab to override --no-grab. */
if ((opt.no_grab & 2)) if ((opt.no_grab & 2))
opt.no_grab = 0; opt.no_grab = 0;
/* With --no-user-trustlist it does not make sense to allow the mark
* trusted feature. */
if (opt.no_user_trustlist)
opt.allow_mark_trusted = 0;
} }

View File

@ -128,8 +128,26 @@ clear_trusttable (void)
} }
/* Return the name of the system trustlist. Caller must free. */
static char *
make_sys_trustlist_name (void)
{
if (opt.sys_trustlist_name
&& (strchr (opt.sys_trustlist_name, '/')
|| strchr (opt.sys_trustlist_name, '\\')
|| (*opt.sys_trustlist_name == '~'
&& opt.sys_trustlist_name[1] == '/')))
return make_absfilename (opt.sys_trustlist_name, NULL);
else
return make_filename (gnupg_sysconfdir (),
(opt.sys_trustlist_name ?
opt.sys_trustlist_name : "trustlist.txt"),
NULL);
}
static gpg_error_t static gpg_error_t
read_one_trustfile (const char *fname, int allow_include, read_one_trustfile (const char *fname, int systrust,
trustitem_t **addr_of_table, trustitem_t **addr_of_table,
size_t *addr_of_tablesize, size_t *addr_of_tablesize,
int *addr_of_tableidx) int *addr_of_tableidx)
@ -188,7 +206,7 @@ read_one_trustfile (const char *fname, int allow_include,
gpg_error_t err2; gpg_error_t err2;
gpg_err_code_t ec; gpg_err_code_t ec;
if (!allow_include) if (systrust)
{ {
log_error (_("statement \"%s\" ignored in '%s', line %d\n"), log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
"include-default", fname, lnr); "include-default", fname, lnr);
@ -196,7 +214,7 @@ read_one_trustfile (const char *fname, int allow_include,
} }
/* fixme: Should check for trailing garbage. */ /* fixme: Should check for trailing garbage. */
etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); etcname = make_sys_trustlist_name ();
if ( !strcmp (etcname, fname) ) /* Same file. */ if ( !strcmp (etcname, fname) ) /* Same file. */
log_info (_("statement \"%s\" ignored in '%s', line %d\n"), log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
"include-default", fname, lnr); "include-default", fname, lnr);
@ -208,7 +226,7 @@ read_one_trustfile (const char *fname, int allow_include,
} }
else else
{ {
err2 = read_one_trustfile (etcname, 0, err2 = read_one_trustfile (etcname, 1,
&table, &tablesize, &tableidx); &table, &tablesize, &tableidx);
if (err2) if (err2)
err = err2; err = err2;
@ -337,7 +355,7 @@ read_trustfiles (void)
int tableidx; int tableidx;
size_t tablesize; size_t tablesize;
char *fname; char *fname;
int allow_include = 1; int systrust = 0;
gpg_err_code_t ec; gpg_err_code_t ec;
tablesize = 20; tablesize = 20;
@ -346,17 +364,24 @@ read_trustfiles (void)
return gpg_error_from_syserror (); return gpg_error_from_syserror ();
tableidx = 0; tableidx = 0;
fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL); if (opt.no_user_trustlist)
if (!fname) fname = NULL;
else
{ {
err = gpg_error_from_syserror (); fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
xfree (table); if (!fname)
return err; {
err = gpg_error_from_syserror ();
xfree (table);
return err;
}
} }
if ((ec = gnupg_access (fname, F_OK))) if (!fname || (ec = gnupg_access (fname, F_OK)))
{ {
if ( ec == GPG_ERR_ENOENT ) if (!fname)
; /* --no-user-trustlist active. */
else if ( ec == GPG_ERR_ENOENT )
; /* Silently ignore a non-existing trustfile. */ ; /* Silently ignore a non-existing trustfile. */
else else
{ {
@ -364,11 +389,10 @@ read_trustfiles (void)
log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err)); log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
} }
xfree (fname); xfree (fname);
fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL); fname = make_sys_trustlist_name ();
allow_include = 0; systrust = 1;
} }
err = read_one_trustfile (fname, allow_include, err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
&table, &tablesize, &tableidx);
xfree (fname); xfree (fname);
if (err) if (err)

View File

@ -366,6 +366,21 @@ Do not allow clients to mark keys as trusted, i.e. put them into the
@file{trustlist.txt} file. This makes it harder for users to inadvertently @file{trustlist.txt} file. This makes it harder for users to inadvertently
accept Root-CA keys. accept Root-CA keys.
@anchor{option --no-user-trustlist}
@item --no-user-trustlist
@opindex no-user-trustlist
Entirely ignore the user trust list and consider only the global
trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}). This
implies the @ref{option --no-allow-mark-trusted}.
@item --sys-trustlist-name @var{file}
@opindex sys-trustlist-name
Changes the default name for the global trustlist from "trustlist.txt"
to @var{file}. If @var{file} does not contain any slashes and does
not start with "~/" it is searched in the system configuration
directory (@file{@value{SYSCONFDIR}}).
@anchor{option --allow-preset-passphrase} @anchor{option --allow-preset-passphrase}
@item --allow-preset-passphrase @item --allow-preset-passphrase
@opindex allow-preset-passphrase @opindex allow-preset-passphrase
@ -794,7 +809,9 @@ that this file can't be changed inadvertently.
As a special feature a line @code{include-default} will include a global As a special feature a line @code{include-default} will include a global
list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}). list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
This global list is also used if the local list is not available. This global list is also used if the local list is not available;
the @ref{option --no-user-trustlist} enforces the use of only
this global list.
It is possible to add further flags after the @code{S} for use by the It is possible to add further flags after the @code{S} for use by the
caller: caller: