###--------------------------------------------------------------------------
### Configuration variables.
+## Automatically configured pathnames.
PACKAGE="@PACKAGE@" VERSION="@VERSION@"
bindir="@bindir@"
-case ":$PATH:" in *:"$bindir":*) ;; *) PATH=$bindir:$PATH ;; esac
-
+## Read user configuration.
if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi
+## Maybe turn on debugging.
case "${KEYS_DEBUG+t}" in t) set -x ;; esac
+## Fake up caller credentials if not called via userv.
+case "${USERV_USER+t}" in
+ t) ;;
+ *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;;
+esac
+case "${USERV_GROUP+t}" in
+ t) ;;
+ *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;;
+esac
+
###--------------------------------------------------------------------------
### Cleanup handling.
prepare () {
key=$1 op=$2
## Prepare for a crypto operation OP, using the KEY. This validates the
- ## key label, reads the profile, and checks the access-control list.
+ ## key label, reads the profile, and checks the access-control list. If OP
+ ## is `-' then allow the operation unconditionally.
## Find the key properties.
parse_keylabel "$key"
## Check whether we're allowed to do this thing. This is annoyingly
## fiddly.
+ case $op in -) return ;; esac
eval acl=\${kprop_acl_$op-!owner}
verdict=forbid
while :; do