[pacman-dev] [PATCH 1/2] pacman-key: refine permission and locking checks

Dan McGee dan at archlinux.org
Thu Aug 25 13:59:26 EDT 2011


* secring.gpg can be 600, readable by root user only
* ensure grep for lock-never option in check_keyring doesn't catch comments

Signed-off-by: Dan McGee <dan at archlinux.org>
---
 scripts/pacman-key.sh.in |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 819ec69..5b4320d 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -108,7 +108,8 @@ initialize() {
 	[[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
 	[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
 	[[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || "${GPG_PACMAN[@]}" --update-trustdb
-	chmod 644 ${PACMAN_KEYRING_DIR}/{{pub,sec}ring,trustdb}.gpg
+	chmod 644 ${PACMAN_KEYRING_DIR}/{pubring,trustdb}.gpg
+	chmod 600 ${PACMAN_KEYRING_DIR}/secring.gpg
 
 	# gpg.conf
 	[[ -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch  ${PACMAN_KEYRING_DIR}/gpg.conf
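Review bot: The new `chmod 600` on secring.gpg only narrows the mode after the file already exists, so on a fresh `--init` the `touch` two lines above creates it under the process umask (typically world-readable) and there is a short window before it is restricted; it would be cleaner to create it restricted in the first place, e.g. `[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || (umask 077; touch ${PACMAN_KEYRING_DIR}/secring.gpg)`, keeping the `chmod 600` for pre-existing files. A one-line comment above the two chmod lines, such as `# public material stays world-readable; the secret keyring is root-only`, would record why the modes now differ. `${PACMAN_KEYRING_DIR}` is unquoted on all of these lines, which matches the surrounding file but breaks on paths with whitespace. initialize() begins before this hunk and continues past it.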
@@ -120,7 +121,6 @@ initialize() {
 
 check_keyring() {
 	if [[ ! -r ${PACMAN_KEYRING_DIR}/pubring.gpg || \
-			! -r ${PACMAN_KEYRING_DIR}/secring.gpg || \
 			! -r ${PACMAN_KEYRING_DIR}/trustdb.gpg ]]; then
 		error "$(gettext "You do not have sufficient permissions to read the %s keyring...")" "pacman"
 		msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
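Review bot: Dropping the secring.gpg readability test entirely means a root invocation with a mis-permissioned or missing secret keyring no longer gets the "use pacman-key --init" hint, even though the check was presumably only failing for non-root callers once the file became 0600. If root still relies on secring.gpg elsewhere in the script (not visible here), consider keeping the test for that case, e.g. `( (( EUID == 0 )) && [[ ! -r ${PACMAN_KEYRING_DIR}/secring.gpg ]] ) || \` as an additional condition in the `[[ ... ]]`. check_keyring() continues past the end of this hunk.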
@@ -128,7 +128,7 @@ check_keyring() {
 	fi
 
 	if (( (EXPORT || FINGER || LIST || VERIFY) && EUID != 0 )); then
-		if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
+		if ! grep -q "^[[:space:]]*lock-never[[:space:]]*$" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
 			error "$(gettext "You do not have sufficient permissions to run this command...")"
 			msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
 			exit 1
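Review bot: With `-q` already silencing stdout, the `&>/dev/null` on the new grep line now only serves to hide grep's own stderr, which mostly means a missing or unreadable gpg.conf is treated silently as "lock-never not set"; if that is the intended behaviour it deserves a comment, and the narrower `2>/dev/null` with the path quoted says so more precisely: `if ! grep -q "^[[:space:]]*lock-never[[:space:]]*$" "${PACMAN_KEYRING_DIR}/gpg.conf" 2>/dev/null; then`. The anchored pattern correctly avoids the `#lock-never` comment match that `-w` allowed. The enclosing `if` and check_keyring() both end outside this hunk.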
-- 
1.7.6.1


