[pve-devel] r5750 - in pve-cluster/trunk: data/perl debian
svn-commits at proxmox.com
svn-commits at proxmox.com
Thu Mar 24 09:51:03 CET 2011
Author: dietmar
Date: 2011-03-24 09:51:03 +0100 (Thu, 24 Mar 2011)
New Revision: 5750
Modified:
pve-cluster/trunk/data/perl/Cluster.pm
pve-cluster/trunk/data/perl/pvecert
pve-cluster/trunk/debian/postinst
Log:
always run pvecert, generate secret for CSRF
Modified: pve-cluster/trunk/data/perl/Cluster.pm
===================================================================
--- pve-cluster/trunk/data/perl/Cluster.pm 2011-03-24 06:12:58 UTC (rev 5749)
+++ pve-cluster/trunk/data/perl/Cluster.pm 2011-03-24 08:51:03 UTC (rev 5750)
@@ -35,6 +35,9 @@
my $pveca_cert_fn = "$basedir/pve-root-ca.pem";
my $pvessl_key_fn = "$basedir/local/pve-ssl.key";
my $pvessl_cert_fn = "$basedir/local/pve-ssl.pem";
+# this is just a secret accessable by the web browser
+# and is used for CSRF prevention
+my $pvewww_key_fn = "$basedir/pve-www.key";
my $observed = {
'storage.cfg' => 1,
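Review bot: The comment above `$pvewww_key_fn` says the secret is "accessable by the web browser", which reads as if the key itself were handed to clients. A value the browser can read cannot serve as a CSRF secret. Presumably the web server process is meant; if so, the comment should say that and state who may read the file, for example `# secret readable by the web server process only; used to derive CSRF prevention tokens`. The same comment also has the typo `accessable`.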
@@ -132,6 +135,17 @@
die "unable to generate pve ssl key:\n$@" if $@;
}
+sub gen_pve_www_key {
+
+ return if -f $pvewww_key_fn;
+
+ eval {
+ run_command(['openssl', 'genrsa', '-out', $pvewww_key_fn, '2048']);
+ };
+
+ die "unable to generate pve www key:\n$@" if $@;
+}
+
sub update_serial {
my ($serial) = @_;
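Review bot: The `-f $pvewww_key_fn` guard in gen_pve_www_key accepts any existing regular file as a valid key, so a file left empty or truncated by an interrupted `openssl genrsa` is never regenerated and could end up being used as the CSRF secret. Writing to a temporary name and renaming it closes that gap, e.g. pass `my $tmp = "$pvewww_key_fn.tmp.$$";` to `-out` and follow it with `rename($tmp, $pvewww_key_fn) or die "rename failed: $!\n";`. The function also neither sets nor verifies the file mode, so who can read the secret depends on the umask and on how `$basedir` is served, neither of which is visible in this hunk. A one-line header comment saying the key is created once and left alone if it already exists would document the lack of rotation.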
Modified: pve-cluster/trunk/data/perl/pvecert
===================================================================
--- pve-cluster/trunk/data/perl/pvecert 2011-03-24 06:12:58 UTC (rev 5749)
+++ pve-cluster/trunk/data/perl/pvecert 2011-03-24 08:51:03 UTC (rev 5750)
@@ -20,6 +20,10 @@
PVE::Cluster::gen_local_dirs($nodename);
+# make sure we have a (cluster wide) secret
+# for CSRFR prevention
+PVE::Cluster::gen_pve_www_key();
+
# make sure we have a (per node) private key
PVE::Cluster::gen_pve_ssl_key();
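Review bot: The added comment misspells the acronym as `CSRFR`; it should read `# for CSRF prevention`. Because gen_pve_www_key() dies on failure and no eval is visible around the call, a failed generation here would stop pvecert before gen_pve_ssl_key() runs. If that ordering is deliberate, the comment should say so. The comment calls the secret cluster wide while the function only checks for a local file, so it is worth confirming that two nodes running pvecert at the same time cannot each write a different key.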
Modified: pve-cluster/trunk/debian/postinst
===================================================================
--- pve-cluster/trunk/debian/postinst 2011-03-24 06:12:58 UTC (rev 5749)
+++ pve-cluster/trunk/debian/postinst 2011-03-24 08:51:03 UTC (rev 5750)
@@ -27,10 +27,7 @@
if test ! -e /proxmox_install_mode; then
invoke-rc.d pve-cluster restart
invoke-rc.d rsyslog restart
-
- if test ! -f /etc/pve/cluster.conf; then
- pvecert
- fi
+ pvecert
fi
;;
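Review bot: Dropping the `/etc/pve/cluster.conf` test means `pvecert` now runs on every configure outside install mode, and nothing in the hunk explains why. A comment such as `# always run pvecert so missing keys (incl. the CSRF secret) are created on upgrade; existing files are left untouched` would record the intent. It runs directly after `invoke-rc.d pve-cluster restart`, so if the key directory is provided by that service, the script should confirm it is available before pvecert writes there. Whether a non-zero exit from pvecert aborts the package configuration depends on the script's error handling, which is outside the hunk, as is the start of this case branch.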