From: Michael Tremer
Date: Thu, 12 Aug 2021 14:45:38 +0000 (+0000)
Subject: key: Make secret keys non-world-writable
X-Git-Tag: 0.9.28~996
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb23ef144ecb60976e203c970cf842949d1ab5ca;p=pakfire.git

key: Make secret keys non-world-writable

Signed-off-by: Michael Tremer
---
diff --git a/src/libpakfire/include/pakfire/key.h b/src/libpakfire/include/pakfire/key.h
index 32e9befbc..89605abf1 100644
--- a/src/libpakfire/include/pakfire/key.h
+++ b/src/libpakfire/include/pakfire/key.h
@@ -48,6 +48,7 @@ const char* pakfire_key_get_name(struct pakfire_key* key);
 const char* pakfire_key_get_email(struct pakfire_key* key);
 const char* pakfire_key_get_pubkey_algo(struct pakfire_key* key);
 size_t pakfire_key_get_pubkey_length(struct pakfire_key* key);
+int pakfire_key_has_secret(struct pakfire_key* key);
 time_t pakfire_key_get_created(struct pakfire_key* key);
 time_t pakfire_key_get_expires(struct pakfire_key* key);
 int pakfire_key_is_revoked(struct pakfire_key* key);
diff --git a/src/libpakfire/key.c b/src/libpakfire/key.c
index bcdc74f8a..b0f7c2519 100644
--- a/src/libpakfire/key.c
+++ b/src/libpakfire/key.c
@@ -331,6 +331,13 @@ PAKFIRE_EXPORT size_t pakfire_key_get_pubkey_length(struct pakfire_key* key) {
 return 0;
 }
 
+PAKFIRE_EXPORT int pakfire_key_has_secret(struct pakfire_key* key) {
+ if (key->gpgkey)
+ return key->gpgkey->secret;
+
+ return 0;
+}
+
 PAKFIRE_EXPORT time_t pakfire_key_get_created(struct pakfire_key* key) {
 if (key->gpgkey->subkeys)
 return key->gpgkey->subkeys->timestamp;
@@ -382,6 +389,16 @@ static int pakfire_key_write_to_keystore(struct pakfire_key* key) {
 return 1;
 }
 
+ // Make files with secret keys non-world-readable
+ if (pakfire_key_has_secret(key)) {
+ r = chmod(path, 0600);
+ if (r) {
+ ERROR(key->pakfire, "Could not chmod %s: %m\n", path);
+ fclose(f);
+ return r;
+ }
+ }
+
 // Write key to file
 r = pakfire_key_export(key, f, 0);
 if (r) {
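Review bot: `pakfire_key_has_secret` in key.c reports only the `secret` flag of the wrapped key object, and, assuming `gpgkey` is a GPGME `gpgme_key_t`, that flag is populated only when the key came from a secret-key listing (or one made with `GPGME_KEYLIST_MODE_WITH_SECRET`), so a zero result does not prove that no secret key exists. The keystore write in the later hunk of this file uses the result to decide whether to restrict file permissions, so the function should carry a comment saying so, for example `// Non-zero only if gpgkey was listed with secret-key information; 0 is not proof of absence`. How `gpgkey` is loaded is not visible in this diff, so this needs confirming against the code that fills it.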
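Review bot: The added `chmod(path, 0600)` in pakfire_key_write_to_keystore acts on the path after the file has already been opened (the `fclose(f)` in the error branch shows `f` is open), so until this call the file exists with whatever mode the open and the umask gave it, and a process that opened it in that window keeps its descriptor when the key is written afterwards. Operating on the open stream, `r = fchmod(fileno(f), 0600);`, at least removes the second path resolution; creating the file with mode 0600 at open time would close the window entirely, but the open call is outside this hunk, as are the start and end of the function. The new comment says non-world-readable while the commit subject says non-world-writable; 0600 covers both, so the two should be worded alike.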
diff --git a/src/libpakfire/libpakfire.sym b/src/libpakfire/libpakfire.sym
index e825bb8ac..21fe73fe7 100644
--- a/src/libpakfire/libpakfire.sym
+++ b/src/libpakfire/libpakfire.sym
@@ -117,6 +117,7 @@ global:
 pakfire_key_get_pubkey_algo;
 pakfire_key_get_pubkey_length;
 pakfire_key_get_uid;
+ pakfire_key_has_secret;
 pakfire_key_import;
 pakfire_key_is_revoked;
 pakfire_key_ref;