Makefile.am | 6 ++++-- debian/loolwsd.postinst.in | 1 + docker/Dockerfile | 1 + loolwsd-generate-proof-key | 32 ++++++++++++++++++++++++++++++++ loolwsd.spec.in | 3 +++ man/loolconfig.1 | 2 +- man/loolconvert.1 | 2 +- man/loolforkit.1 | 2 +- man/loolwsd-generate-proof-key.1 | 9 +++++++++ man/loolwsd-systemplate-setup.1 | 2 +- man/loolwsd.1 | 2 +- wsd/ProofKey.cpp | 7 +++++-- 12 files changed, 60 insertions(+), 9 deletions(-)
New commits: commit 25bc0a1088d308f30f1705df96b13d650114a357 Author: Andras Timar <[email protected]> AuthorDate: Thu Apr 23 15:55:32 2020 +0200 Commit: Andras Timar <[email protected]> CommitDate: Thu Apr 23 19:36:06 2020 +0200 Proof: add loolwsd-generate-proof-key helper script Change-Id: Ibbd99b6431b1a2992c520d3fad5f52d0770905f6 Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92788 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Andras Timar <[email protected]> diff --git a/Makefile.am b/Makefile.am index dcbfbdcbb..521631dac 100644 --- a/Makefile.am +++ b/Makefile.am @@ -23,13 +23,15 @@ else bin_PROGRAMS += loolwsd endif -dist_bin_SCRIPTS = loolwsd-systemplate-setup +dist_bin_SCRIPTS = loolwsd-systemplate-setup \ + loolwsd-generate-proof-key man_MANS = man/loolwsd.1 \ man/loolforkit.1 \ man/loolconvert.1 \ man/loolconfig.1 \ - man/loolwsd-systemplate-setup.1 + man/loolwsd-systemplate-setup.1 \ + man/loolwsd-generate-proof-key.1 dist_doc_DATA = wsd/README \ wsd/README.vars \ diff --git a/debian/loolwsd.postinst.in b/debian/loolwsd.postinst.in index afd2cde2a..41198e75a 100644 --- a/debian/loolwsd.postinst.in +++ b/debian/loolwsd.postinst.in @@ -24,6 +24,7 @@ case "$1" in fc-cache @LO_PATH@/share/fonts/truetype loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1 + loolwsd-generate-proof-key >/dev/null 2>&1 cat << EOF > /etc/apt/apt.conf.d/25loolwsd // Rebuild systemplate of @APP_NAME@ DPkg::Post-Invoke { "echo Updating loolwsd systemplate;su lool --shell=/bin/sh -c 'loolwsd-systemplate-setup /opt/lool/systemplate @LO_PATH@ >/dev/null 2>&1'"; }; diff --git a/docker/Dockerfile b/docker/Dockerfile index c82cdee4c..351f9589e 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
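Review bot: The added call `loolwsd-generate-proof-key >/dev/null 2>&1` throws away the script's only diagnostics (ssh-keygen not found, lool user missing), although the new man page tells sysadmins to rerun it "in case of failure". The same redirect is used in the %post hunk of loolwsd.spec.in. Keeping stderr, as in `loolwsd-generate-proof-key >/dev/null`, would show the reason during installation. The commit also does not appear to add a package dependency on the OpenSSH client tools that provide ssh-keygen, though one may already exist outside this diff. The surrounding case block starts and ends outside the hunk.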
@@ -31,6 +31,7 @@ RUN rm -rf /var/cache/loolwsd/* RUN rm -rf /opt/lool RUN mkdir -p /opt/lool/child-roots RUN loolwsd-systemplate-setup /opt/lool/systemplate /opt/libreoffice >/dev/null 2>&1 +RUN loolwsd-generate-proof-key >/dev/null 2>&1 RUN touch /var/log/loolwsd.log # Fix permissions RUN chown lool:lool /var/log/loolwsd.log diff --git a/loolwsd-generate-proof-key b/loolwsd-generate-proof-key new file mode 100755 index 000000000..1abbab78f --- /dev/null +++ b/loolwsd-generate-proof-key @@ -0,0 +1,32 @@ +#!/bin/bash + +SUDO='' +if (( $EUID != 0 )); then + if hash sudo 2>/dev/null; then + SUDO='sudo' + else + "Run the script as root." + exit 1 + fi +fi + +if [ -f /etc/loolwsd/proof_key ]; then + echo "/etc/loolwsd/proof_key exists already." + exit 0 +fi + +if hash ssh-keygen 2>/dev/null; then + $SUDO ssh-keygen -t rsa -N "" -m PEM -f /etc/loolwsd/proof_key + if [ $? -ne 0 ] ; then + exit $? + fi + if id -u lool >/dev/null 2>&1; then + $SUDO chown lool: /etc/loolwsd/proof_key + else + echo "User lool does not exist. Please reinstall loolwsd package, or in case of manual installation from source, create the lool user manually." + fi +else + echo "ssh-keygen command not found. Please install openssh client tools." + exit 127 +fi + diff --git a/loolwsd.spec.in b/loolwsd.spec.in index d78760e82..e8747a5a9 100644 --- a/loolwsd.spec.in +++ b/loolwsd.spec.in @@ -96,6 +96,7 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/loolwsd %files /usr/bin/loolwsd /usr/bin/loolwsd-systemplate-setup +/usr/bin/loolwsd-generate-proof-key /usr/bin/loolforkit /usr/bin/loolconvert /usr/bin/loolconfig @@ -112,6 +113,7 @@ echo "account required pam_unix.so" >> %{buildroot}/etc/pam.d/loolwsd /usr/share/man/man1/loolconvert.1 /usr/share/man/man1/loolconfig.1 /usr/share/man/man1/loolwsd-systemplate-setup.1 +/usr/share/man/man1/loolwsd-generate-proof-key.1 %{_unitdir}/loolwsd.service %if 0%{?fedora} || 0%{?rhel} >= 7 %config(noreplace) /etc/sysconfig/loolwsd 
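Review bot: `RUN loolwsd-generate-proof-key` creates the private proof key at image build time, so /etc/loolwsd/proof_key is stored in an image layer. Every container started from that image then shares the same WOPI proof key, and anyone who can obtain the image can read it. Generating the key when the container starts, or supplying it from a mounted secret, would keep the key per deployment and out of the image. Because the output goes to /dev/null, the script's explanation of a failed generation is also missing from the build log.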
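Review bot: In the ssh-keygen branch of the new script, `if [ $? -ne 0 ] ; then exit $?` exits with status 0 when key generation fails, because `$?` then holds the result of the `[` test rather than of ssh-keygen. `$SUDO ssh-keygen -t rsa -N "" -m PEM -f /etc/loolwsd/proof_key || exit $?` keeps the real status. In the non-root branch, the line `"Run the script as root."` has no `echo`, so the shell tries to run the string as a command; it should read `echo "Run the script as root." >&2`. When the lool user is missing, the script only prints a message and still exits 0, leaving a private key that ssh-keygen was run as root to create and that is never chowned to lool. A non-zero exit there would let callers detect that loolwsd may be unable to read it.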
@@ -154,6 +156,7 @@ chown lool:lool ${loolparent}/lool/child-roots fc-cache ${loroot}/share/fonts/truetype loolwsd-systemplate-setup ${loolparent}/lool/systemplate ${loroot} >/dev/null 2>&1 +loolwsd-generate-proof-key >/dev/null 2>&1 %if 0%{?fedora} || 0%{?rhel} >= 7 %systemd_post loolwsd.service diff --git a/man/loolconfig.1 b/man/loolconfig.1 index 3637d9b14..ce481b02e 100644 --- a/man/loolconfig.1 +++ b/man/loolconfig.1 @@ -24,4 +24,4 @@ update\-system\-template .PP \fB\-\-pwd\-hash\-length\fR=\fInumber\fR Length of password hash to generate [set\-admin\-password]. .SH "SEE ALSO" -loolforkit(1), loolconvert(1), loolwsd(1), loolwsd-systemplate-setup(1) +loolforkit(1), loolconvert(1), loolwsd(1), loolwsd-systemplate-setup(1), loolwsd-generate-proof-key(1) diff --git a/man/loolconvert.1 b/man/loolconvert.1 index bd0dcf01a..7b89e8351 100644 --- a/man/loolconvert.1 +++ b/man/loolconvert.1 @@ -17,4 +17,4 @@ loolconvert OPTIONS FILE(S) \fB\-\-no\-check\-certificate\fR Disable checking of SSL certs .PP .SH "SEE ALSO" -loolwsd(1), loolforkit(1), loolconfig(1), loolforkit-systemplate-setup(1) +loolwsd(1), loolforkit(1), loolconfig(1), loolforkit-systemplate-setup(1), loolwsd-generate-proof-key(1) diff --git a/man/loolforkit.1 b/man/loolforkit.1 index 73b54fd7a..1862f5de7 100644 --- a/man/loolforkit.1 +++ b/man/loolforkit.1 @@ -8,4 +8,4 @@ Single-threaded process that spawns LibreOffice Online Kit (LOK) instances. .PP \fBNote\fR: Running this standalone is not possible. It is spawned by loolwsd and is controlled via a pipe. .SH "SEE ALSO" -loolwsd(1), loolconvert(1), loolconfig(1), loolforkit-systemplate-setup(1) +loolwsd(1), loolconvert(1), loolconfig(1), loolforkit-systemplate-setup(1), loolwsd-generate-proof-key(1) diff --git a/man/loolwsd-generate-proof-key.1 b/man/loolwsd-generate-proof-key.1 new file mode 100644 index 000000000..2a30a22c8 --- /dev/null +++ b/man/loolwsd-generate-proof-key.1 
@@ -0,0 +1,9 @@ +.TH LOOLWSD-GENERATE_PROOF_KEY "1" "April 2020" "loolwsd-generate-proof-key " "User Commands" +.SH NAME +loolwsd-generate-proof-key +.SH SYNOPSYS +loolwsd-generate-proof-key +.SH DESCRIPTION +loolwsd-generate-proof-key creates an RSA key pair in /etc/loolwsd for the WOPI Proof headers. The script is automatically run by the postinstall script of loolwsd package, but in case of failure sysadmins can run it manually. +.SH "SEE ALSO" +loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1), loolwsd-systemplate-setup(1) diff --git a/man/loolwsd-systemplate-setup.1 b/man/loolwsd-systemplate-setup.1 index c55f17290..6614e6779 100644 --- a/man/loolwsd-systemplate-setup.1 +++ b/man/loolwsd-systemplate-setup.1 @@ -6,4 +6,4 @@ loolwsd-systemplate-setup <chroot template directory for system libs to create> .SH DESCRIPTION loolwsd-systemplate-setup creates a minimal system template for running the LibreOfficeKit in a chroot jail. The system template contains the bare minimum of system libraries to run LibreOfficeKit, and also fonts and locale data from the system. .SH "SEE ALSO" -loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1) +loolforkit(1), loolconvert(1), loolconfig(1), loolwsd(1), loolwsd-generate-proof-key(1) diff --git a/man/loolwsd.1 b/man/loolwsd.1 index c73adfd93..bd932d521 100644 --- a/man/loolwsd.1 +++ b/man/loolwsd.1 @@ -31,4 +31,4 @@ loolwsd OPTIONS \fB\-\-nocaps\fR Use a non\-privileged forkit, with increase in security problems. .PP .SH "SEE ALSO" -loolforkit(1), loolconvert(1), loolconfig(1), loolwsd-systemplate-setup(1) +loolforkit(1), loolconvert(1), loolconfig(1), loolwsd-systemplate-setup(1), loolwsd-generate-proof-key(1) diff --git a/wsd/ProofKey.cpp b/wsd/ProofKey.cpp index 836b2967a..ed49fb0bf 100644 --- a/wsd/ProofKey.cpp +++ b/wsd/ProofKey.cpp 
@@ -142,8 +142,11 @@ Proof::Proof() { std::string msg = e.displayText() + "\nNo proof-key will be present in discovery." - "\nIf you need to use WOPI security, generate an RSA key using this command line:" - "\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\""; + "\nIf you need to use WOPI security, generate an RSA key using this command:" + "\n loolwsd-generate-proof-key" + "\nor if your config dir is not /etc, you can run ssh-keygen manually:" + "\n ssh-keygen -t rsa -N \"\" -m PEM -f \"" + keyPath + "\"" + "\nNote: the proof_key file must be readable by the loolwsd process."; LOG_WRN(msg); } catch (const Poco::Exception& e) _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
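Review bot: The new last line of the warning tells the admin only that proof_key must be readable by the loolwsd process, which invites fixing a permission problem by making the private key world-readable. Since the suggested manual ssh-keygen command leaves ownership to whoever runs it, the hint should state both halves, for example `"\nNote: the proof_key file must be readable by the loolwsd process, and should not be readable by other users.";`. The enclosing Proof::Proof() constructor and its try block start and end outside the hunk.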
