[SecImprove] Validate real auth keys location when adding or deleting ssh key. Add required args and some cosmetic changes

Author: Lupul

bin/v-add-user-ssh-key

@@ -24,6 +24,7 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
+check_args '2' "$#" 'USER SSH_PUBLIC_KEY'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -37,22 +38,23 @@ check_hestia_demo_mode
 
 # Reading user values
 source $USER_DATA/user.conf
+
+AUTHKEY_FILE="$HOMEDIR/$user/.ssh/authorized_keys"
+[ -z "$(readlink -f "$AUTHKEY_FILE" | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid authorized keys path"
+
 #check if file exits
-AUTHKEY_FILE=$HOMEDIR/$user/.ssh/authorized_keys
 if [ ! -f "$AUTHKEY_FILE" ]; then
-    touch "$AUTHKEY_FILE"
-    chown ${user}: "${AUTHKEY_FILE}"
+    v-add-fs-file "$user" "${AUTHKEY_FILE}"
 fi
-TEMP=$(mktemp)
-echo "$key" >> "$TEMP"
-ssh-keygen -l -f "$TEMP"
-if [ ! $? -eq 0 ]; then
-    rm "$TEMP"
-    exit
+
+[ -z "$key" ] && check_result $E_NOTEXIST "Empty ssh public key"
+
+if ! echo "$key" | ssh-keygen -l -f - > /dev/null 2>&1; then
+    check_result $E_PARSING "Validating user private key"
 fi
-rm "$TEMP"
+
 # make sure authorized_keys is ending with EOL
-sed -i '$a\' "${AUTHKEY_FILE}"
+[ -f "${AUTHKEY_FILE}" ] && sed -i '$a\' "${AUTHKEY_FILE}"
 
 #append key to file
 echo "$key" >> "$AUTHKEY_FILE"
@@ -62,7 +64,7 @@ echo "$key" >> "$AUTHKEY_FILE"
 #----------------------------------------------------------#
 
 # Logging
-log_history "added ssh-key $user"
+log_history "Added ssh-key $user"
 log_event "$OK" "$ARGUMENTS"
 
 exit

bin/v-delete-user-ssh-key

@@ -23,15 +23,18 @@ source $HESTIA/conf/hestia.conf
 #                    Verifications                         #
 #----------------------------------------------------------#
 
+check_args '2' "$#" 'USER KEYID'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
 
 source $USER_DATA/user.conf
 
-FILE=$HOMEDIR/$user/.ssh/authorized_keys
-if [ ! -f "$FILE" ]; then
-    exit;
+AUTHKEY_FILE="$HOMEDIR/$user/.ssh/authorized_keys"
+[ -z "$(readlink -f "$AUTHKEY_FILE" | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid authorized keys path"
+
+if [ ! -f "$AUTHKEY_FILE" ]; then
+    exit
 fi
 
 # Perform verification if read-only mode is enabled
@@ -41,14 +44,14 @@ check_hestia_demo_mode
 #                       Action                             #
 #----------------------------------------------------------#
 
-sed -i "/${keyid}/d" "$FILE"
+sed -i "/${keyid}/d" "$AUTHKEY_FILE"
 
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#
 
 # Logging
-log_history "DELETE ssh-key $user"
+log_history "Deleted ssh-key $user"
 log_event "$OK" "$ARGUMENTS"
 
 exit

bin/v-list-user-ssh-key

@@ -74,6 +74,7 @@ csv_list() {
 #                    Verifications                         #
 #----------------------------------------------------------#
 
+check_args '1' "$#" 'USER'
 is_format_valid 'user'
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
@@ -82,9 +83,11 @@ is_object_unsuspended 'user' 'USER' "$user"
 #                       Action                             #
 #----------------------------------------------------------#
 
-#check if file exsists
+AUTHKEY_FILE="$HOMEDIR/$user/.ssh/authorized_keys"
+[ -z "$(readlink -f "$AUTHKEY_FILE" | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid authorized keys path"
 
-if [ ! -f "$HOMEDIR/$user/.ssh/authorized_keys" ]; then
+#check if file exsists
+if [ ! -f "$AUTHKEY_FILE" ]; then
     exit
 fi
 
@@ -96,7 +99,7 @@ while read l; do
         (( $first_loop )) && keys="$sshkey"  || keys="$keys"$'\n'"$sshkey"
         unset first_loop
     fi
-done < "$HOMEDIR/$user/.ssh/authorized_keys"
+done < "$AUTHKEY_FILE"
 
 
 # Listing data