[SecImprove] Validate keys real location when adding sftp key

Lupul · Lupul · commit e4917d1f3fcb · 2020-06-04T05:22:40.000+03:00
diff --git a/bin/v-add-user-sftp-key b/bin/v-add-user-sftp-key
@@ -34,9 +34,9 @@ PRVKEY_FILE="$HOMEDIR/$user/.ssh/hst-filemanager-key"
 PUBKEY_FILE="$HOMEDIR/$user/.ssh/hst-filemanager-key.pub"
 AUTHKEY_FILE="$HOMEDIR/$user/.ssh/authorized_keys"
 
-[ -L "$PRVKEY_FILE" ]  && check_result $E_FORBIDEN "Private key file cannot be a symlink"
-[ -L "$PUBKEY_FILE" ]  && check_result $E_FORBIDEN "Public key file cannot be a symlink"
-[ -L "$AUTHKEY_FILE" ] && check_result $E_FORBIDEN "Authorized keys file cannot be a symlink"
+[ -z "$(readlink -f "$PRVKEY_FILE"  | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid private key file path"
+[ -z "$(readlink -f "$PUBKEY_FILE"  | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid public key file path"
+[ -z "$(readlink -f "$AUTHKEY_FILE" | egrep "^$HOMEDIR/$user/.ssh/")" ] && check_result $E_FORBIDEN "Invalid authorized keys path"
 
 if [ ! -f "${PRVKEY_FILE}" ]; then
 
@@ -63,7 +63,7 @@ if [ ! -f "${AUTHKEY_FILE}" ] || [ "$new_pubkey" = true ]; then
     fi
 
     # make sure authorized_keys is ending with EOL
-    sed -i '$a\' "${AUTHKEY_FILE}"
+    [ -f "${AUTHKEY_FILE}" ] && sed -i '$a\' "${AUTHKEY_FILE}"
 
     echo "from=\"127.0.0.1\",command=\"internal-sftp\",restrict ${pubkey_str} TS:${now} ${pubkey_desc}" >> "${AUTHKEY_FILE}"
 
