bin/make-ca-key, lib/func.sh: Make user and group names configurable.

This makes testing in a sandpit much easier.

The defaults are good, so I've left the configuration file out of the
repository.

diff --git a/.gitignore b/.gitignore
index d7e6d72..aa429de 100644 (file)
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ index
 private
 state
 tmp
+etc/config

diff --git a/bin/make-ca-key b/bin/make-ca-key
index bb3f83b..d24a902 100755 (executable)
--- a/bin/make-ca-key
+++ b/bin/make-ca-key
@@ -3,6 +3,7 @@
 set -e
 certroot=$(cd ${0%/*}/..; pwd)
 cd "$certroot"
+. lib/func.sh
 umask 022
 
 ## Archive any existing CA.
@@ -27,7 +28,7 @@ rm -f ca.cert distorted.crl
 ## Build a new one.
 mkdir -m750 private
 mkdir -m775 certs crls index index/byhash index/byserial state tmp
-chown root:ca certs crls index index/byhash index/byserial private state tmp
+chown $ca_owner:$ca_group certs crls index index/byhash index/byserial private state tmp
 touch state/db
 echo 01 >state/serial
 echo 01 >state/crlnumber
@@ -41,5 +42,5 @@ umask 027
 openssl req -new -config openssl.conf -x509 -days 3650 \
        -out ca.cert -keyout private/ca.key \
        -subj "$subject"
-chown root:ca private/ca.key
+chown $ca_owner:$ca_group private/ca.key
 chmod 644 ca.cert

diff --git a/lib/func.sh b/lib/func.sh
index 3cfd55e..90e643c 100644 (file)
--- a/lib/func.sh
+++ b/lib/func.sh
@@ -1,5 +1,9 @@
 ### -*-sh-*-
 
+## Set up configuration.
+ca_user=ca ca_group=ca ca_owner=root
+if [ -f etc/config ]; then . etc/config; fi
+
 runas_ca () {
   ## runas_ca
   ##
@@ -7,8 +11,8 @@ runas_ca () {
   ## to run as root against untrusted input -- especially OpenSSL's one.
 
   case $(id -un) in
-    ca) ;;
-    *) exec sudo -u ca "$0" "$@" ;;
+    $ca_user) ;;
+    *) exec sudo -u $ca_user "$0" "$@" ;;
   esac
 }