X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/distorted-keys/blobdiff_plain/e787e19c99a9df4f49ac77237c58d43df3829e9f..b5991f0555161e7baf665822dac54d493209dae2:/keyfunc.sh.in
diff --git a/keyfunc.sh.in b/keyfunc.sh.in
index bad5af1..5b6320e 100644
--- a/keyfunc.sh.in
+++ b/keyfunc.sh.in
@@ -38,6 +38,16 @@ if [ -f $ETC/keys.conf ]; then . $ETC/keys.conf; fi
 ## Maybe turn on debugging.
 case "${KEYS_DEBUG+t}" in t) set -x ;; esac
+## Fake up caller credentials if not called via userv.
+case "${USERV_USER+t}" in
+ t) ;;
+ *) USERV_USER=${LOGNAME-${USER-$(id -un)}} USERV_UID=$(id -u) ;;
+esac
+case "${USERV_GROUP+t}" in
+ t) ;;
+ *) USERV_GROUP=$(id -Gn) USERV_GID=$(id -gn) ;;
+esac
+
 ###--------------------------------------------------------------------------
 ### Cleanup handling.
@@ -426,7 +436,8 @@ k_verify () { notsupp verify; }
 prepare () {
 key=$1 op=$2
 ## Prepare for a crypto operation OP, using the KEY. This validates the
- ## key label, reads the profile, and checks the access-control list.
+ ## key label, reads the profile, and checks the access-control list. If OP
+ ## is `-' then allow the operation unconditionally.
 ## Find the key properties.
 parse_keylabel "$key"
@@ -436,6 +447,7 @@ prepare () {
 ## Check whether we're allowed to do this thing. This is annoyingly
 ## fiddly.
+ case $op in -) return ;; esac
 eval acl=\${kprop_acl_$op-!owner}
 verdict=forbid
 while :; do
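Review bot: In the second added `case`, `USERV_GID=$(id -gn)` stores the primary group's name, whereas userv supplies numeric gids in that variable, parallel to the names in `USERV_GROUP`; `USERV_GID=$(id -G)` would keep the two lists aligned with the `id -Gn` beside it. In the first `case` the fallback name is taken from `LOGNAME` or `USER`, which the caller's environment controls, while `USERV_UID` comes from `id -u`, so the name and uid can disagree; `USERV_USER=$(id -un)` removes that mismatch if an ACL check matches on the name. The two tests are independent, so an environment that sets only one of the variables ends up with a mix of supplied and derived credentials. A comment such as `## Outside userv these are derived from our own process and carry no more authority than the invoking user.` would make the trust assumption visible to anyone reading the ACL code later.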
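Review bot: The added `case $op in -) return ;; esac` leaves `prepare` before the access-control list is evaluated, so the check now depends on `-` never being reachable from an operation name chosen by the requesting user. The callers are not visible in this diff, so it is worth confirming that and recording it in the comment, for example `## OP `-' is for internal callers only; never pass a client-supplied operation here.` A bare `return` also propagates the status of whatever command ran last, so `case "$op" in -) return 0 ;; esac` would make the allow explicit and quote the expansion. The unchanged line that follows passes `$op` to `eval`, which is a further reason to match `op` against the known operation names before either line runs. The body of `prepare` starts in the previous hunk and continues past the end of this one.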