Initial import from Yahoo!

0 parents commit 32fbffbea4b7a5bf56fa03c8e5e2ff3f9698d935 @jschauma committed Feb 9, 2011
Showing with 446 additions and 0 deletions.
  1. +29 −0 LICENSE
  2. +12 −0 README
  3. +36 −0 certs/Makefile
  4. +5 −0 certs/README
  5. +17 −0 doc/Makefile
  6. +121 −0 doc/sigsh.1
  7. +176 −0 src/sigsh.sh
  8. +50 −0 test/sigsh.test.pl
29 LICENSE
@@ -0,0 +1,29 @@
+Redistribution and use of this software in source and binary forms,
+with or without modification, are permitted provided that the following
+conditions are met:
+
+* Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the
+ following disclaimer.
+
+* Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the
+ following disclaimer in the documentation and/or other
+ materials provided with the distribution.
+
+* Neither the name of Yahoo! Inc. nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior
+ written permission of Yahoo! Inc.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
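Review bot: the first condition requires redistributions to "retain the above copyright notice", but no copyright line precedes the conditions in this file, so there is nothing for a redistributor to retain. Suggest opening LICENSE with the same line the man page already carries, `Copyright (c) 2010,2011 Yahoo! Inc.`, so the notice the conditions refer to actually exists in the file they ship with.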
12 README
@@ -0,0 +1,12 @@
+sigsh is a non-interactive, signature requiring and verifying command
+interpreter. More accurately, it is a signature verification wrapper
+around a given shell. It reads input in PKCS#7 format from standard in,
+verifies the signature and, if the signature matches, pipes the decoded
+input into the command interpreter.
+
+Related:
+ NetBSD's Veriexec
+ MS Powershell ExecutionPolicy
+ OpenBSD's "Stephanie" / TPE
+ http://packetfactory.openwall.net/projects/stephanie/index.html
+ Linux Trusted Path Execution
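Review bot: the README never says where sigsh looks for trusted certificates or which interpreter it pipes verified input into, so a reader starting here cannot tell that whoever controls the certificate file decides which signers get command execution. Suggest one sentence pointing at certs/README and sigsh(1), along the lines of `Trusted certificates are read from /etc/sigsh.pem (or the file given with -c); verified input is piped into bash unless -p names another interpreter.`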
@@ -0,0 +1,36 @@
+CERTS?=sigsh.pem
+EXPIRE?=365
+KEY?=mykey.pem
+CERT?=mycert.pem
+DATE!=date +%Y-%m-%d
+SDATE!=date +%s
+EXPSECONDS!=echo '( ${EXPIRE} * 24 * 60 * 60 ) + ${SDATE}' | bc
+EXPDATE!=date -j -f %s ${EXPSECONDS}
+
+all: newcert
+
+newcert:
+ @openssl req -x509 -nodes -days ${EXPIRE} -newkey rsa:2048 \
+ -batch -keyout key.tmp -out cert.tmp >/dev/null 2>&1
+.for f in key cert
+ @echo '#' > .$f
+ @echo '# Generated on ${DATE} by ${USER}.' >> .$f
+ @echo '# This key/cert will expire on ${EXPDATE}.' >> .$f
+ @cat ${f}.tmp >> .$f
+ @rm ${f}.tmp
+.endfor
+ @mv .key ${KEY}
+ @mv .cert ${CERT}
+ @echo "Your new key and cert have been generated."
+ @echo "Please make sure to protect your private key with the necessary due diligence."
+ @echo "If you're sure that that is the right thing to do, then you may add your public"
+ @echo "cert to '${CERTS}' and commit that file."
+
+help:
+ @echo "The following targets are available:"
+ @echo "all synonym for 'newcert'"
+ @echo "clean remove any temporary files"
+ @echo "newcert generate a new certificate"
+
+clean:
+ @rm -f ${KEY} ${CERT}
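Review bot: `newcert` writes the private key unencrypted (`-nodes`) to key.tmp and then to ${KEY} under whatever umask the caller happens to have, while the final echo asks the user to protect that key; add `umask 077` at the start of the recipe (or `chmod 600 ${KEY}` after the mv) so the key is never created group- or world-readable. The `>/dev/null 2>&1` on the openssl call also discards its only error reporting: if key generation fails, the user sees nothing but a `cat: key.tmp` failure from the `.for` loop and a stray `.key` file containing only the comment header, not why openssl failed. Drop the redirection or check openssl's exit status before entering the loop. Separately, `help` describes `clean` as removing "temporary files", but the target runs `rm -f ${KEY} ${CERT}`, i.e. it deletes the freshly generated key and cert; either reword the help text or have clean remove only key.tmp, cert.tmp, .key and .cert.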
@@ -0,0 +1,5 @@
+In this directory you will find the certificates that should be installed
+in /etc/sigsh.pem in order to allow sigsh(1) to execute commands signed by
+them.
+
+If you would like to generate a new cert, just run (BSD) 'make'.
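Review bot: this README says where to install the certificates but not what installing them grants: per the sigsh(1) page in this same import, any input carrying a valid signature from a certificate in /etc/sigsh.pem is executed, so adding a cert to sigsh.pem here is equivalent to granting its key holder command execution on every host that installs the file. Suggest stating that explicitly and noting that changes to sigsh.pem need the same review as a code change, which matches the `commit that file` step the Makefile prints.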
@@ -0,0 +1,17 @@
+# A Makefile to create html docs from the man pages.
+
+PRODUCT=sigsh
+
+MANPAGES=./${PRODUCT}.1
+
+all: html
+
+html: ${MANPAGES}
+.for m in ${MANPAGES}
+ nroff -man ${m} | rman -f html > ${m:S/.\///}.html
+.endfor
+
+clean:
+.for m in ${MANPAGES}
+ @rm -f ${m:S/.\///}.html
+.endfor
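Review bot: the `html` target is not named after the file it produces, so `make` regenerates the HTML on every run and can never decide that sigsh.1.html is already up to date; name the generated file as the target (`${PRODUCT}.1.html: ${MANPAGES}`) and have `html` depend on it, or at least declare `all html clean` as `.PHONY`. The recipe also requires `rman`, which nothing in this import mentions; a one-line comment beside `PRODUCT=` saying the html target needs rman installed would save the next person a failed build.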
@@ -0,0 +1,121 @@
+.\" Copyright (c) 2010,2011 Yahoo! Inc.
+.\"
+.\" This manual page was originally written by Jan Schaumann
+.\" <jschauma@yahoo-inc.com> in September 2010.
+.Dd February 09, 2011
+.Dt SIGSH 1
+.Os
+.Sh NAME
+.Nm sigsh
+.Nd a signature verifying shell
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar certs
+.Op Fl x
+.Op Fl p Ar prog
+.Sh DESCRIPTION
+.Nm
+is a non-interactive, signature requiring and verifying command
+interpreter.
+More accurately, it is a signature verification wrapper around a given
+shell.
+It reads input in PKCS#7 format from standard in, verifies the signature
+and, if the signature matches, pipes the decoded input into the command
+interpreter.
+.Sh OPTIONS
+.Nm
+supports the following flags:
+.Bl -tag -width s_shell_
+.It Fl c Ar certs
+Read ceritificates to trust from this file.
+.It Fl p Ar prog
+Pipe commands into this interpreter instead of the default
+.Xr bash 1 .
+.It Fl x
+Enable debugging (mnemomic 'xtrace', as
+.Xr sh 1 Ns ).
+.El
+.Sh DETAILS
+Conceptually similar to Microsoft Windows' Powershell ExecutionPolicy (as
+set to 'allSigned'),
+.Nm
+will only execute any commands from the input if a valid signature is
+found.
+This allows, for example, a headless user to be able to run any arbitrary
+set of commands (if provided by trusted entities) without having to give
+it a fully interactive login shell.
+By specifying a different interpreter to which to pass the verified input,
+.Nm
+can be used for almost anything requiring input verification so long as
+the tool invoked accepts input from standard in.
+.Pp
+.Nm
+is intentionally kept as simple as possible and does not provide for a
+whole lot of customization via either a startup file or any command-line
+options.
+.Sh INPUT
+.Nm
+reads input from standard in.
+That is, unlike other interactive command interpreters, it cannot be
+invoked from the terminal to read commands one at a time.
+.Nm
+relies on (and shells out to)
+.Xr openssl 1
+for signature verification.
+In particular, it expects input to be in PKCS#7 format, containing signed
+data to be passed to the command interpreter.
+In order to verify the signature,
+.Nm
+needs to have available a matching certificate (see section FILES).
+.Sh OUTPUT
+By default,
+.Nm
+does not generate any output itself.
+If input verification fails, it will return an error code (see section
+EXIT STATUS) and print a brief message to STDERR; otherwise, it will pipe
+the validated input to the given command interpreter, letting it generate
+any and all output (both to standard out and standard error).
+.Sh EXAMPLES
+The following examples illustrate possible usage of this tool.
+.Pp
+To execute the commands in the file 'script.bash':
+.Bd -literal -offset indent
+openssl smime -sign -nodetach -signer mycert.pem -inkey mykey.pem \\
+ -in script.bash -outform pem | sigsh
+.Ed
+.Pp
+To execute the perl code contained in the signed PKCS#7 file 'code.pem':
+.Bd -literal -offset indent
+sigsh -p /usr/bin/perl < code.pem
+.Ed
+.Sh EXIT STATUS
+.Nm
+will exit with the rather unusual return code of 127 if verification of
+the input fails (for whatever reason).
+Otherwise, it will return the exit code of the interpreter invoked.
+.Sh ENVIRONMENT
+.Nm
+clears the environment before passing the verified input on to the
+interpreter.
+Therefor, the input must make sure to explicitly set any variables it may
+rely on.
+.Sh FILES
+.Nm
+uses the following files:
+.Bl -tag -width _etc_sigsh_pem_
+.It /etc/sigsh.pem
+The file containing all certificates that
+.Nm
+will verify the input against.
+.El
+.Sh SEE ALSO
+.Xr openssl 1 ,
+.Xr smime 1
+.Sh HISTORY
+.Nm
+was originally written by
+.An Jan Schaumann
+.Aq jschauma@yahoo-inc.com
+in September 2010.
+.Sh BUGS
+Please report bugs and feature requests to the author.
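Review bot: three spelling errors ship in the rendered page: `ceritificates` under `.It Fl c Ar certs` should be `certificates`, `mnemomic` under `.It Fl x` should be `mnemonic`, and `Therefor` in ENVIRONMENT should be `Therefore`. The OPTIONS entry for `-c certs` also omits the default; FILES lists /etc/sigsh.pem without tying it to the flag, so add `Defaults to /etc/sigsh.pem.` after `Read certificates to trust from this file.` On EXIT STATUS, 127 is the status the default interpreter, bash, returns for a command that was not found, so a caller cannot tell `signature rejected` apart from `script ran and hit a missing command`; either document that ambiguity or choose a status the interpreter does not produce. Finally, ENVIRONMENT says the environment is cleared but not whether PATH is among the variables removed, which is what decides whether a signed script can call commands by bare name; one sentence stating that would let authors of signed input set PATH deliberately.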