From d2c25deb8388018c030ded0dff332e04add214e6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 12 Sep 2023 00:31:12 +0100 Subject: [PATCH] source_vars(): Forbid 'pki/vars' setting PKI for command 'init-pki' Forbid default 'pki/vars', if it exists, from setting EASYRSA_PKI to any other value except "$PWD/pki", for command 'init-pki'. When 'init-pki' is called with all default options then it will load a default 'pki/vars' file, if it exists. This EXPECTS the PKI to be 'pki' ONLY. For 'init-pki'; This 'pki/vars' file MUST NOT be allowed to set EASYRSA_PKI. This MUST include setting EASYRSA_PKI to 'pki'. Otherwise, this allows default command 'init-pki' to delete a non-default PKI. This change also forbids using command line settings for --vars and --pki-dir, to set the expected vars file or PKI, when a default 'pki/vars' exists AND changes the expected PKI, to anything other than "$PWD/pki". Example of the problem: If 'easyrsa' is executed with all default settings then the expected value for EASYRSA_PKI is "$PWD/pki" and if 'pki/vars' file exists, it IS loaded. If 'pki/vars' sets EASYRSA_PKI to a different PKI, 'bad-pki', then this would allow 'init-pki' to delete 'bad-pki' not 'pki'. For the record: All of these changes have been extensively tested. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e5ffe50f1..4f4115c53 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5781,6 +5781,15 @@ Remove 'unset' ('force_set_var' may also work)." unset -v EASYRSA_CALLER fi + # Set expected PKI to determine if vars has changed PKI + # Required for init-pki + case "$cmd" in + init-pki|clean-all) + expected_pki="${expected_pki:-"$PWD/pki"}" + ;; + *) : # ok + esac + # Set defaults, preferring existing env-vars if present set_var EASYRSA "$PWD" set_var EASYRSA_OPENSSL openssl
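Review bot: The enforcement the commit message describes is not in this hunk: the nine inserted lines in source_vars() only initialise expected_pki for init-pki and clean-all, and nothing here compares it with EASYRSA_PKI after 'pki/vars' has been sourced or aborts the command on a mismatch. If that comparison already exists elsewhere in source_vars(), name it in the commit message so the change can be reviewed as a whole; if it does not, the patch is incomplete and init-pki can still delete whatever PKI the vars file names. Two smaller points on the same lines: the default expansion `expected_pki="${expected_pki:-"$PWD/pki"}"` keeps any pre-existing value, including one inherited from the caller's environment, whereas the message says the expectation for init-pki MUST be "$PWD/pki" only, so either unset expected_pki before this case or assign it unconditionally; and clean-all is protected by the same branch but is not mentioned in the subject or body, which should say so.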