agent: New option --no-user-trustlist and --sys-trustlist-name.

* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New. (opts): Add new option names. (parse_rereadable_options): Parse options. (finalize_rereadable_options): Reset allow-mark-trusted for the new option. * agent/agent.h (opt): Add fields no_user_trustlist and sys_trustlist_name. * agent/trustlist.c (make_sys_trustlist_name): New. (read_one_trustfile): Use here. (read_trustfiles): Use here. Implement --no-user-trustlist. Also repalce "allow_include" by "systrust" and adjust callers. -- With the global options we can now avoid that a user changes the Root-CA trust by editing the trustlist.txt. However, to implement this we need a new option so that we don't need to rely on some magic like --no-allow-mark-trusted has been put into a force section. The second option makes system administration easier as it allows to keep the trustlist in a non-distributed file. GnuPG-bug-id: 5990 Backported-from-master: 1530d04725d475bf29328eab40b42f72ff8aa06b
author: Werner Koch <[email protected]> 2022-06-14 12:25:21 +0000
committer: Werner Koch <[email protected]> 2022-07-27 15:02:29 +0000
commit: d0bd91ba73a7e333e9b5007875c9bd475fb9581e (patch)
tree: 50fe9c74518ad04bddaf252a964fdc2f424407b6
parent: gpg: Look up user ID to revoke by UID hash (diff)
download: gnupg-d0bd91ba73a7e333e9b5007875c9bd475fb9581e.tar.gz
gnupg-d0bd91ba73a7e333e9b5007875c9bd475fb9581e.zip
4 files changed, 77 insertions, 17 deletions
diff --git a/agent/agent.h b/agent/agent.h
index d84bb9576..09ccc90c1 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -148,6 +148,13 @@ struct
      interactively mark certificate in trustlist.txt as trusted. */
   int allow_mark_trusted;
 
+  /* Only use the system trustlist.  */
+  int no_user_trustlist;
+
+  /* The standard system trustlist is SYSCONFDIR/trustlist.txt.  This
+   * option can be used to change the name.  */
+  const char *sys_trustlist_name;
+
   /* If this global option is true, the Assuan command
      PRESET_PASSPHRASE is allowed.  */
   int allow_preset_passphrase;
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 9aa7ae022..53b86dd48 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -128,6 +128,8 @@ enum cmd_and_opt_values
   oIgnoreCacheForSigning,
   oAllowMarkTrusted,
   oNoAllowMarkTrusted,
+  oNoUserTrustlist,
+  oSysTrustlistName,
   oAllowPresetPassphrase,
   oAllowLoopbackPinentry,
   oNoAllowLoopbackPinentry,
@@ -249,6 +251,8 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oNoAllowMarkTrusted, "no-allow-mark-trusted",
                 /* */    N_("disallow clients to mark keys as \"trusted\"")),
   ARGPARSE_s_n (oAllowMarkTrusted,   "allow-mark-trusted", "@"),
+  ARGPARSE_s_n (oNoUserTrustlist,    "no-user-trustlist", "@"),
+  ARGPARSE_s_s (oSysTrustlistName,   "sys-trustlist-name", "@"),
   ARGPARSE_s_n (oAllowPresetPassphrase, "allow-preset-passphrase",
                 /* */                    N_("allow presetting passphrase")),
   ARGPARSE_s_u (oS2KCount, "s2k-count", "@"),
@@ -873,6 +877,7 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
       opt.enable_extended_key_format = 1;
       opt.ignore_cache_for_signing = 0;
       opt.allow_mark_trusted = 1;
+      opt.sys_trustlist_name = NULL;
       opt.allow_external_cache = 1;
       opt.allow_loopback_pinentry = 1;
       opt.allow_emacs_pinentry = 0;
@@ -963,6 +968,8 @@ parse_rereadable_options (ARGPARSE_ARGS *pargs, int reread)
 
     case oAllowMarkTrusted: opt.allow_mark_trusted = 1; break;
     case oNoAllowMarkTrusted: opt.allow_mark_trusted = 0; break;
+    case oNoUserTrustlist: opt.no_user_trustlist = 1; break;
+    case oSysTrustlistName: opt.sys_trustlist_name = pargs->r.ret_str; break;
 
     case oAllowPresetPassphrase: opt.allow_preset_passphrase = 1; break;
 
@@ -1008,6 +1015,11 @@ finalize_rereadable_options (void)
   /* Hack to allow --grab to override --no-grab.  */
   if ((opt.no_grab & 2))
     opt.no_grab = 0;
+
+  /* With --no-user-trustlist it does not make sense to allow the mark
+   * trusted feature.  */
+  if (opt.no_user_trustlist)
+    opt.allow_mark_trusted = 0;
 }
 
 
diff --git a/agent/trustlist.c b/agent/trustlist.c
index 50f2ad45e..086d8ae76 100644
--- a/agent/trustlist.c
+++ b/agent/trustlist.c
@@ -128,8 +128,26 @@ clear_trusttable (void)
 }
 
 
+/* Return the name of the system trustlist.  Caller must free.  */
+static char *
+make_sys_trustlist_name (void)
+{
+  if (opt.sys_trustlist_name
+      && (strchr (opt.sys_trustlist_name, '/')
+          || strchr (opt.sys_trustlist_name, '\\')
+          || (*opt.sys_trustlist_name == '~'
+              && opt.sys_trustlist_name[1] == '/')))
+    return make_absfilename (opt.sys_trustlist_name, NULL);
+  else
+    return make_filename (gnupg_sysconfdir (),
+                          (opt.sys_trustlist_name ?
+                           opt.sys_trustlist_name : "trustlist.txt"),
+                          NULL);
+}
+
+
 static gpg_error_t
-read_one_trustfile (const char *fname, int allow_include,
+read_one_trustfile (const char *fname, int systrust,
                     trustitem_t **addr_of_table,
                     size_t *addr_of_tablesize,
                     int *addr_of_tableidx)
@@ -188,7 +206,7 @@ read_one_trustfile (const char *fname, int allow_include,
           gpg_error_t err2;
           gpg_err_code_t ec;
 
-          if (!allow_include)
+          if (systrust)
             {
               log_error (_("statement \"%s\" ignored in '%s', line %d\n"),
                          "include-default", fname, lnr);
@@ -196,7 +214,7 @@ read_one_trustfile (const char *fname, int allow_include,
             }
           /* fixme: Should check for trailing garbage.  */
 
-          etcname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
+          etcname = make_sys_trustlist_name ();
           if ( !strcmp (etcname, fname) ) /* Same file. */
             log_info (_("statement \"%s\" ignored in '%s', line %d\n"),
                       "include-default", fname, lnr);
@@ -208,7 +226,7 @@ read_one_trustfile (const char *fname, int allow_include,
             }
           else
             {
-              err2 = read_one_trustfile (etcname, 0,
+              err2 = read_one_trustfile (etcname, 1,
                                          &table, &tablesize, &tableidx);
               if (err2)
                 err = err2;
@@ -337,7 +355,7 @@ read_trustfiles (void)
   int tableidx;
   size_t tablesize;
   char *fname;
-  int allow_include = 1;
+  int systrust = 0;
   gpg_err_code_t ec;
 
   tablesize = 20;
@@ -346,17 +364,24 @@ read_trustfiles (void)
     return gpg_error_from_syserror ();
   tableidx = 0;
 
-  fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
-  if (!fname)
+  if (opt.no_user_trustlist)
+    fname = NULL;
+  else
     {
-      err = gpg_error_from_syserror ();
-      xfree (table);
-      return err;
+      fname = make_filename_try (gnupg_homedir (), "trustlist.txt", NULL);
+      if (!fname)
+        {
+          err = gpg_error_from_syserror ();
+          xfree (table);
+          return err;
+        }
     }
 
-  if ((ec = gnupg_access (fname, F_OK)))
+  if (!fname || (ec = gnupg_access (fname, F_OK)))
     {
-      if ( ec == GPG_ERR_ENOENT )
+      if (!fname)
+        ; /* --no-user-trustlist active.  */
+      else if ( ec == GPG_ERR_ENOENT )
         ; /* Silently ignore a non-existing trustfile.  */
       else
         {
@@ -364,11 +389,10 @@ read_trustfiles (void)
           log_error (_("error opening '%s': %s\n"), fname, gpg_strerror (err));
         }
       xfree (fname);
-      fname = make_filename (gnupg_sysconfdir (), "trustlist.txt", NULL);
-      allow_include = 0;
+      fname = make_sys_trustlist_name ();
+      systrust = 1;
     }
-  err = read_one_trustfile (fname, allow_include,
-                            &table, &tablesize, &tableidx);
+  err = read_one_trustfile (fname, systrust, &table, &tablesize, &tableidx);
   xfree (fname);
 
   if (err)
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 2fa80f49c..876625071 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -366,6 +366,21 @@ Do not allow clients to mark keys as trusted, i.e. put them into the
 @file{trustlist.txt} file.  This makes it harder for users to inadvertently
 accept Root-CA keys.
 
+
+@anchor{option --no-user-trustlist}
+@item --no-user-trustlist
+@opindex no-user-trustlist
+Entirely ignore the user trust list and consider only the global
+trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}).  This
+implies the @ref{option --no-allow-mark-trusted}.
+
+@item --sys-trustlist-name @var{file}
+@opindex sys-trustlist-name
+Changes the default name for the global trustlist from "trustlist.txt"
+to @var{file}.  If @var{file} does not contain any slashes and does
+not start with "~/" it is searched in the system configuration
+directory (@file{@value{SYSCONFDIR}}).
+
 @anchor{option --allow-preset-passphrase}
 @item --allow-preset-passphrase
 @opindex allow-preset-passphrase
@@ -794,7 +809,9 @@ that this file can't be changed inadvertently.
 
 As a special feature a line @code{include-default} will include a global
 list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
-This global list is also used if the local list is not available.
+This global list is also used if the local list is not available;
+the @ref{option --no-user-trustlist} enforces the use of only
+this global list.
 
 It is possible to add further flags after the @code{S} for use by the
 caller:
author	Werner Koch <[email protected]>	2022-06-14 12:25:21 +0000
committer	Werner Koch <[email protected]>	2022-07-27 15:02:29 +0000
commit	d0bd91ba73a7e333e9b5007875c9bd475fb9581e (patch)
tree	50fe9c74518ad04bddaf252a964fdc2f424407b6
parent	gpg: Look up user ID to revoke by UID hash (diff)
download	gnupg-d0bd91ba73a7e333e9b5007875c9bd475fb9581e.tar.gz gnupg-d0bd91ba73a7e333e9b5007875c9bd475fb9581e.zip