=== removed directory '.bzr-builddeb' === removed file '.bzr-builddeb/default.conf' --- .bzr-builddeb/default.conf 2008-09-17 00:34:09 +0000 +++ .bzr-builddeb/default.conf 1970-01-01 00:00:00 +0000 @@ -1,2 +0,0 @@ -[BUILDDEB] -split = True === modified file '.bzrignore' --- .bzrignore 2008-09-26 05:04:15 +0000 +++ .bzrignore 2008-08-27 01:18:25 +0000 @@ -1,12 +1,8 @@ *.5 *.8 *.8mandos +plugin-runner +plugins.d/password-prompt +plugins.d/password-request confdir -debian/po/messages.mo -debian/po/templates.pot keydir -plugin-runner -plugins.d/mandos-client -plugins.d/password-prompt -plugins.d/splashy -plugins.d/usplash === removed file 'INSTALL' --- INSTALL 2008-09-08 18:54:47 +0000 +++ INSTALL 1970-01-01 00:00:00 +0000 @@ -1,114 +0,0 @@ --*- org -*- - -* Prerequisites - -** Operating System - - Debian 5.0 "lenny" or Ubuntu 8.04 "Hardy Heron". - - This is mostly for the support scripts which make sure that the - client is installed and started in the initial RAM disk environment - and that the initrd.img file is automatically made unreadable. The - server and client programs themselves *could* be run in other - distributions, but they *are* specific to GNU/Linux systems, and - are not intended to be portable to other Unixes. - -** Libraries - - The following libraries and packages are needed. (It is possible - that it might work with older versions of some of these, but these - versions are confirmed to work. Newer versions are almost - certainly OK.) - -*** Documentation - These are required to build the manual pages for both the server - and client: - - + DocBook 4.5 http://www.docbook.org/ - Note: DocBook 5.0 is not compatible. - + DocBook XSL stylesheets 1.71.0 - http://wiki.docbook.org/topic/DocBookXslStylesheets - - Package names: - docbook docbook-xsl - - To build just the documentation, run the command "make doc". Then - the manual page "mandos.8", for example, can be read by running - "man -l mandos.8". - -*** Mandos Server - + GnuTLS 2.4 http://www.gnu.org/software/gnutls/ - + Avahi 0.6.16 http://www.avahi.org/ - + Python 2.4 http://www.python.org/ - + Python-GnuTLS 1.1.5 http://pypi.python.org/pypi/python-gnutls/ - + dbus-python 0.82.4 http://dbus.freedesktop.org/doc/dbus-python/ - + python-ctypes 1.0.0 http://pypi.python.org/pypi/ctypes - - Strongly recommended: - + fping 2.4b2-to-ipv6 http://www.fping.com/ - - Package names: - python-gnutls avahi-daemon python python-avahi python-dbus - python-ctypes - -*** Mandos Client - + initramfs-tools 0.85i - http://packages.qa.debian.org/i/initramfs-tools.html - + GnuTLS 2.4 http://www.gnu.org/software/gnutls/ - + Avahi 0.6.16 http://www.avahi.org/ - + GnuPG 1.4.9 http://www.gnupg.org/ - + GPGME 1.1.6 http://www.gnupg.org/related_software/gpgme/ - - Package names: - initramfs-tools libgnutls-dev libavahi-core-dev gnupg - libgpgme11-dev - -* Installing the Mandos server - - 1. Do "make doc". - - 2. On the computer to run as a Mandos server, run the following - command: - For Debian: su -c 'make install-server' - For Ubuntu: sudo make install-server - - (This creates a configuration without any clients configured; you - need an actually configured client to do that; see below.) - -* Installing the Mandos client. - - 1. Do "make all doc". - - 2. On the computer to run as a Mandos client, run the following - command: - For Debian: su -c 'make install-client' - For Ubuntu: sudo make install-client - - This will also create an OpenPGP key, which will take some time - and entropy, so be patient. - - 3. Run the following command: - For Debian: su -c 'mandos-keygen --password' - For Ubuntu: sudo mandos-keygen --password - - When prompted, enter the password/passphrase for the encrypted - root file system on this client computer. The command will - output a section of text, starting with a [section header]. Copy - and append this to the file "/etc/mandos/clients.conf" *on the - server computer*. - - 4. On the server computer, start the server by running the command - For Debian: su -c 'invoke-rc.d mandos start' - For Ubuntu: sudo invoke-rc.d mandos start - - After this, the client computer should be able to reboot without - needing a password entered on the console, as long as it does not - take more than an hour to reboot. - -* Further customizations - - You may want to tighten or loosen the timeouts in the server - configuration files; see mandos.conf(5) and mandos-clients.conf(5). - Is IPsec is not used, it is suggested that a more cryptographically - secure checker program is used and configured, since without IPsec - ping packets can be faked. === modified file 'Makefile' --- Makefile 2008-09-30 03:19:39 +0000 +++ Makefile 2008-09-03 05:04:40 +0000 @@ -4,31 +4,21 @@ -Wunsafe-loop-optimizations -Wpointer-arith \ -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \ -Wconversion -Wstrict-prototypes -Wold-style-definition \ - -Wpacked -Wnested-externs -Winline -Wvolatile-register-var -# -Wunreachable-code -#DEBUG=-ggdb3 + -Wpacked -Wnested-externs -Wunreachable-code -Winline \ + -Wvolatile-register-var +DEBUG=-ggdb3 # For info about _FORTIFY_SOURCE, see # FORTIFY=-D_FORTIFY_SOURCE=2 # -fstack-protector-all #COVERAGE=--coverage OPTIMIZE=-Os LANGUAGE=-std=gnu99 - -## Use these settings for a traditional /usr/local install -# PREFIX=$(DESTDIR)/usr/local -# CONFDIR=$(DESTDIR)/etc/mandos -# KEYDIR=$(DESTDIR)/etc/mandos/keys -# MANDIR=$(PREFIX)/man -# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools -## - -## These settings are for a package-type install +# PREFIX=/usr/local PREFIX=$(DESTDIR)/usr +# CONFDIR=/usr/local/lib/mandos CONFDIR=$(DESTDIR)/etc/mandos -KEYDIR=$(DESTDIR)/etc/keys/mandos -MANDIR=$(PREFIX)/share/man -INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools -## +# MANDIR=/usr/local/man +MANDIR=$(DESTDIR)/usr/share/man GNUTLS_CFLAGS=$(shell libgnutls-config --cflags) GNUTLS_LIBS=$(shell libgnutls-config --libs) @@ -42,7 +32,7 @@ $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) LDFLAGS=$(COVERAGE) -# Commands to format a DocBook document into a manual page +# Commands to format a DocBook refentry document into a manual page DOCBOOKTOMAN=cd $(dir $<); xsltproc --nonet --xinclude \ --param man.charmap.use.subset 0 \ --param make.year.ranges 1 \ @@ -52,95 +42,58 @@ /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \ $(notdir $<); \ $(MANPOST) $(notdir $@) -# DocBook-to-man post-processing to fix a '\n' escape bug +# DocBook-to-man post-processing to fix a \n escape bug MANPOST=sed --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g' -DOCBOOKTOHTML=xsltproc --nonet --xinclude \ - --param make.year.ranges 1 \ - --param make.single.year.ranges 1 \ - --param man.output.quietly 1 \ - --param man.authors.section.enabled 0 \ - --param citerefentry.link 1 \ - --output $@ \ - /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \ - $<; $(HTMLPOST) $@ -# Fix citerefentry links -HTMLPOST=sed --in-place --expression='s/\(\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g' - -PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \ - plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo +PLUGINS=plugins.d/password-prompt plugins.d/password-request PROGS=plugin-runner $(PLUGINS) DOCS=mandos.8 plugin-runner.8mandos mandos-keygen.8 \ - plugins.d/mandos-client.8mandos \ + plugins.d/password-request.8mandos \ plugins.d/password-prompt.8mandos mandos.conf.5 \ mandos-clients.conf.5 -htmldocs=$(addsuffix .xhtml,$(DOCS)) - objects=$(addsuffix .o,$(PROGS)) all: $(PROGS) doc: $(DOCS) -html: $(htmldocs) - %.5: %.xml legalnotice.xml $(DOCBOOKTOMAN) -%.5.xhtml: %.xml legalnotice.xml - $(DOCBOOKTOHTML) %.8: %.xml legalnotice.xml $(DOCBOOKTOMAN) -%.8.xhtml: %.xml legalnotice.xml - $(DOCBOOKTOHTML) %.8mandos: %.xml legalnotice.xml $(DOCBOOKTOMAN) -%.8mandos.xhtml: %.xml legalnotice.xml - $(DOCBOOKTOHTML) mandos.8: mandos.xml mandos-options.xml overview.xml legalnotice.xml $(DOCBOOKTOMAN) -mandos.8.xhtml: mandos.xml mandos-options.xml overview.xml \ - legalnotice.xml - $(DOCBOOKTOHTML) mandos-keygen.8: mandos-keygen.xml overview.xml legalnotice.xml $(DOCBOOKTOMAN) -mandos-keygen.8.xhtml: mandos-keygen.xml overview.xml legalnotice.xml - $(DOCBOOKTOHTML) mandos.conf.5: mandos.conf.xml mandos-options.xml legalnotice.xml $(DOCBOOKTOMAN) -mandos.conf.5.xhtml: mandos.conf.xml mandos-options.xml legalnotice.xml - $(DOCBOOKTOHTML) plugin-runner.8mandos: plugin-runner.xml overview.xml legalnotice.xml $(DOCBOOKTOMAN) -plugin-runner.8mandos.xhtml: plugin-runner.xml overview.xml \ - legalnotice.xml - $(DOCBOOKTOHTML) -plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \ +plugins.d/password-request.8mandos: plugins.d/password-request.xml \ mandos-options.xml \ overview.xml legalnotice.xml $(DOCBOOKTOMAN) -plugins.d/mandos-client.8mandos.xhtml: plugins.d/mandos-client.xml \ - mandos-options.xml \ - overview.xml legalnotice.xml - $(DOCBOOKTOHTML) -plugins.d/mandos-client: plugins.d/mandos-client.o +plugins.d/password-request: plugins.d/password-request.o $(LINK.o) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) \ $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@ -.PHONY : all doc html clean distclean run-client run-server install \ +.PHONY : all doc clean distclean run-client run-server install \ install-server install-client uninstall uninstall-server \ uninstall-client purge purge-server purge-client clean: - -rm --force $(PROGS) $(objects) $(htmldocs) $(DOCS) core + -rm --force $(PROGS) $(objects) $(DOCS) core distclean: clean mostlyclean: clean @@ -151,12 +104,17 @@ ./mandos --check # Run the client with a local config and key -run-client: all keydir/seckey.txt keydir/pubkey.txt +run-client: all keydir/seckey.txt keydir/pubkey.txt \ + keydir/secring.gpg keydir/pubring.gpg ./plugin-runner --plugin-dir=plugins.d \ --config-file=plugin-runner.conf \ - --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt + --options-for=password-request:--keydir=keydir # Used by run-client +keydir/secring.gpg: keydir/seckey.txt + gpg --homedir $(dir $<) --import $^ +keydir/pubring.gpg: keydir/pubkey.txt + gpg --homedir $(dir $<) --import $^ keydir/seckey.txt keydir/pubkey.txt: mandos-keygen install --directory keydir ./mandos-keygen --dir keydir --force @@ -168,33 +126,22 @@ # Used by run-server confdir/mandos.conf: mandos.conf install --directory confdir - install --mode=u=rw,go=r $^ $@ + install $^ $@ confdir/clients.conf: clients.conf keydir/seckey.txt install --directory confdir - install --mode=u=rw $< $@ + install clients.conf $@ # Add a client password ./mandos-keygen --dir keydir --password >> $@ -install: install-server install-client-nokey - -install-html: $(htmldocs) - install --directory man - install --mode=u=rw,go=r --target-directory=man $(htmldocs) +install: install-server install-client install-server: doc - install --directory $(CONFDIR) - install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos - install --mode=u=rw,go=r --target-directory=$(CONFDIR) \ - mandos.conf - install --mode=u=rw --target-directory=$(CONFDIR) \ + install --directory --parents $(CONFDIR) $(MANDIR)/man5 \ + $(MANDIR)/man8 + install --mode=0755 mandos $(PREFIX)/sbin/mandos + install --mode=0644 --target-directory=$(CONFDIR) mandos.conf + install --mode=0640 --target-directory=$(CONFDIR) \ clients.conf - install --mode=u=rwx,go=rx init.d-mandos \ - $(DESTDIR)/etc/init.d/mandos - install --mode=u=rw,go=r default-mandos \ - $(DESTDIR)/etc/default/mandos - if [ -z $(DESTDIR) ]; then \ - update-rc.d mandos defaults 25 15;\ - fi gzip --best --to-stdout mandos.8 \ > $(MANDIR)/man8/mandos.8.gz gzip --best --to-stdout mandos.conf.5 \ @@ -202,101 +149,72 @@ gzip --best --to-stdout mandos-clients.conf.5 \ > $(MANDIR)/man5/mandos-clients.conf.5.gz -install-client-nokey: all doc - install --directory $(PREFIX)/lib/mandos $(CONFDIR) - install --directory --mode=u=rwx $(KEYDIR) \ - $(PREFIX)/lib/mandos/plugins.d - if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \ - install --mode=u=rwx \ - --directory "$(CONFDIR)/plugins.d"; \ - fi - install --mode=u=rwx,go=rx \ - --target-directory=$(PREFIX)/lib/mandos plugin-runner - install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ +install-client: all doc /usr/share/initramfs-tools/hooks/. + install --directory --parents $(PREFIX)/lib/mandos \ + $(CONFDIR) $(MANDIR)/man8 + install --directory --mode=0700 $(PREFIX)/lib/mandos/plugins.d + chmod u=rwx,g=,o= $(PREFIX)/lib/mandos/plugins.d + install --mode=0755 --target-directory=$(PREFIX)/lib/mandos \ + plugin-runner + install --mode=0755 --target-directory=$(PREFIX)/sbin \ mandos-keygen - install --mode=u=rwx,go=rx \ + install --mode=0755 \ --target-directory=$(PREFIX)/lib/mandos/plugins.d \ plugins.d/password-prompt - install --mode=u=rwxs,go=rx \ - --target-directory=$(PREFIX)/lib/mandos/plugins.d \ - plugins.d/mandos-client - install --mode=u=rwxs,go=rx \ - --target-directory=$(PREFIX)/lib/mandos/plugins.d \ - plugins.d/usplash - install --mode=u=rwxs,go=rx \ - --target-directory=$(PREFIX)/lib/mandos/plugins.d \ - plugins.d/splashy - install --mode=u=rwxs,go=rx \ - --target-directory=$(PREFIX)/lib/mandos/plugins.d \ - plugins.d/askpass-fifo + install --mode=4755 \ + --target-directory=$(PREFIX)/lib/mandos/plugins.d \ + plugins.d/password-request install initramfs-tools-hook \ - $(INITRAMFSTOOLS)/hooks/mandos - install --mode=u=rw,go=r initramfs-tools-hook-conf \ - $(INITRAMFSTOOLS)/conf-hooks.d/mandos + /usr/share/initramfs-tools/hooks/mandos + install initramfs-tools-hook-conf \ + /usr/share/initramfs-tools/conf-hooks.d/mandos install initramfs-tools-script \ - $(INITRAMFSTOOLS)/scripts/local-top/mandos - install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR) + /usr/share/initramfs-tools/scripts/local-top/mandos gzip --best --to-stdout mandos-keygen.8 \ > $(MANDIR)/man8/mandos-keygen.8.gz gzip --best --to-stdout plugin-runner.8mandos \ > $(MANDIR)/man8/plugin-runner.8mandos.gz gzip --best --to-stdout plugins.d/password-prompt.8mandos \ > $(MANDIR)/man8/password-prompt.8mandos.gz - gzip --best --to-stdout plugins.d/mandos-client.8mandos \ - > $(MANDIR)/man8/mandos-client.8mandos.gz - -install-client: install-client-nokey -# Post-installation stuff - -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)" + gzip --best --to-stdout plugins.d/password-request.8mandos \ + > $(MANDIR)/man8/password-request.8mandos.gz + -$(PREFIX)/sbin/mandos-keygen update-initramfs -k all -u - echo "Now run mandos-keygen --password --dir $(KEYDIR)" uninstall: uninstall-server uninstall-client -uninstall-server: +uninstall-server: $(PREFIX)/sbin/mandos -rm --force $(PREFIX)/sbin/mandos \ $(MANDIR)/man8/mandos.8.gz \ $(MANDIR)/man5/mandos.conf.5.gz \ $(MANDIR)/man5/mandos-clients.conf.5.gz - update-rc.d -f mandos remove -rmdir $(CONFDIR) uninstall-client: # Refuse to uninstall client if /etc/crypttab is explicitly configured # to use it. ! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \ - $(DESTDIR)/etc/crypttab + /etc/crypttab -rm --force $(PREFIX)/sbin/mandos-keygen \ $(PREFIX)/lib/mandos/plugin-runner \ $(PREFIX)/lib/mandos/plugins.d/password-prompt \ - $(PREFIX)/lib/mandos/plugins.d/mandos-client \ - $(PREFIX)/lib/mandos/plugins.d/usplash \ - $(PREFIX)/lib/mandos/plugins.d/splashy \ - $(INITRAMFSTOOLS)/hooks/mandos \ - $(INITRAMFSTOOLS)/conf-hooks.d/mandos \ - $(INITRAMFSTOOLS)/scripts/local-top/mandos \ + $(PREFIX)/lib/mandos/plugins.d/password-request \ + /usr/share/initramfs-tools/hooks/mandos \ + /usr/share/initramfs-tools/conf-hooks.d/mandos \ $(MANDIR)/man8/plugin-runner.8mandos.gz \ $(MANDIR)/man8/mandos-keygen.8.gz \ $(MANDIR)/man8/password-prompt.8mandos.gz \ - $(MANDIR)/man8/mandos-client.8mandos.gz - if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \ - rm --force $(CONFDIR)/plugins.d/README; \ - fi + $(MANDIR)/man8/password-request.8mandos.gz -rmdir $(PREFIX)/lib/mandos/plugins.d $(CONFDIR)/plugins.d \ - $(PREFIX)/lib/mandos $(CONFDIR) $(KEYDIR) + $(PREFIX)/lib/mandos $(CONFDIR) update-initramfs -k all -u purge: purge-server purge-client purge-server: uninstall-server - -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \ - $(DESTDIR)/etc/default/mandos \ - $(DESTDIR)/etc/init.d/mandos \ - $(DESTDIR)/var/run/mandos.pid + -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf -rmdir $(CONFDIR) purge-client: uninstall-client - -shred --remove $(KEYDIR)/seckey.txt - -rm --force $(CONFDIR)/plugin-runner.conf \ - $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt - -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR) + -rm --force $(CONFDIR)/seckey.txt $(CONFDIR)/pubkey.txt + -rmdir $(CONFDIR) $(CONFDIR)/plugins.d === removed file 'README' --- README 2008-09-30 03:19:39 +0000 +++ README 1970-01-01 00:00:00 +0000 @@ -1,180 +0,0 @@ --*- org -*- - -* Mandos - - Have your cake and eat it too! - - You know how it is. You’ve heard of it happening. The Man comes - and takes away your servers, your friends’ servers, the servers of - everybody in the same hosting facility. The servers of their - neighbors, and their neighbors’ friends. The servers of people who - owe them money. And like *that*, they’re gone. And you doubt - you’ll ever see them again. - - That is why your servers have encrypted root file systems. However, - there’s a downside. There’s no going around it: rebooting is a - pain. Dragging out that rarely-used keyboard and screen and - unraveling cables behind your servers to plug them in to type in - that password is messy, especially if you have many servers. There - are some people who do clever things like using serial line consoles - and daisy-chain it to the next server, and keep all the servers - connected in a ring with serial cables, which will work, if your - servers are physically close enough. There are also other - out-of-band management solutions, but with *all* these, you still - have to be on hand and manually type in the password at boot time. - Otherwise the server just sits there, waiting for a password. - - Wouldn’t it be great if you could have the security of encrypted - root file systems and still have servers that could boot up - automatically if there was a short power outage while you were - asleep? That you could reboot at will, without having someone run - over to the server to type in the password? - - Well, with Mandos, you (almost) can! The gain in convenience will - only be offset by a small loss in security. The setup is as - follows: - - The server will still have its encrypted root file system. The - password to this file system will be stored on another computer - (henceforth known as the Mandos server) on the same local network. - The password will *not* be stored in plaintext, but encrypted with - OpenPGP. To decrypt this password, a key is needed. This key (the - Mandos client key) will not be stored there, but back on the - original server (henceforth known as the Mandos client) in the - initial RAM disk image. Oh, and all network Mandos client/server - communications will be encrypted, using TLS (SSL). - - So, at boot time, the Mandos client will ask for its encrypted data - over the network, decrypt it to get the password, use it to decrypt - the root file, and continue booting. - - Now, of course the initial RAM disk image is not on the encrypted - root file system, so anyone who had physical access could take the - Mandos client computer offline and read the disk with their own - tools to get the authentication keys used by a client. *But*, by - then the Mandos server should notice that the original server has - been offline for too long, and will no longer give out the encrypted - key. The timing here is the only real weak point, and the method, - frequency and timeout of the server’s checking can be adjusted to - any desired level of paranoia - - (The encrypted keys on the Mandos server is on its normal file - system, so those are safe, provided the root file system of *that* - server is encrypted.) - -* FAQ - couldn’t the security be defeated by... - -** Grabbing the Mandos client key from the initrd *really quickly*? - This, as mentioned above, is the only real weak point. But if you - set the timing values tight enough, this will be really difficult - to do. An attacker would have to physically disassemble the client - computer, extract the key from the initial RAM disk image, and then - connect to a *still online* Mandos server to get the encrypted key, - and do all this *before* the Mandos server timeout kicks in and the - Mandos server refuses to give out the key to anyone. - - Now, as the typical procedure seems to be to barge in and turn off - and grab *all* computers, to maybe look at them months later, this - is not likely. If someone does that, the whole system *will* lock - itself up completely, since Mandos servers are no longer running. - - For sophisticated attackers who *could* do the clever thing, *and* - had physical access to the server for enough time, it would be - simpler to get a key for an encrypted file system by using hardware - memory scanners and reading it right off the memory bus. - -** Replay attacks? - Nope, the network stuff is all done over TLS, which provides - protection against that. - -** Man-in-the-middle? - No. The server only gives out the passwords to clients which have - *in the TLS handshake* proven that they do indeed hold the OpenPGP - private key corresponding to that client. - -** Physically grabbing the Mandos server computer? - You could protect *that* computer the old-fashioned way, with a - must-type-in-the-password-at-boot method. Or you could have two - computers be the Mandos server for each other. - - Multiple Mandos servers can coexist on a network without any - trouble. They do not clash, and clients will try all available - servers. This means that if just one reboots then the other can - bring it back up, but if both reboots at the same time they will - stay down until someone types in the password on one of them. - -** Faking ping replies? - The default for the server is to use "fping", the replies to which - could be faked to eliminate the timeout. But this could easily be - changed to any shell command, with any security measures you like. - It could, for instance, be changed to an SSH command with strict - keychecking, which could not be faked. Or IPsec could be used for - the ping packets, making them secure. - -* Security Summary - So, in summary: The only weakness in the Mandos system is from - people who have: - 1. The power to come in and physically take your servers, *and* - 2. The cunning and patience to do it carefully, one at a time, and - *quickly*, faking Mandos client/server responses for each one - before the timeout. - - While there are some who may be threatened by people who have *both* - these attributes, they do not, probably, constitute the majority. - - If you *do* face such opponents, you must figure that they could - just as well open your servers and read the file system keys right - off the memory by running wires to the memory bus. - - What Mandos is designed to protect against is *not* such determined, - focused, and competent attacks, but against the early morning knock - on your door and the sudden absence of all the servers in your - server room. Which it does nicely. - -* The Plugin System - In the early designs, the mandos-client(8mandos) program (which - retrieves a password from the Mandos server) also prompted for a - password on the terminal, in case a Mandos server could not be - found. This duality of purpose was seen to be too complex to be a - viable way to continue. Instead, the programs are now separated - into mandos-client(8mandos) and password-prompt(8mandos), and a - plugin-runner(8mandos) exist to run them both in parallel, allowing - the first plugin to succeed to provide the password. This opened up - for any number of additional plugins to run, all competing to be the - first to find a password and provide it to the plugin runner. - - Three additional plugins are provided: - * usplash - This prompts for a password when using usplash(8). - * splashy - This prompts for a password when using splashy(8). - * askpass-fifo - To provide compatibility with the "askpass" program from - cryptsetup, this plugin listens to the same FIFO as askpass would - do. - - (None of these take any options or reads any files.) - - More plugins could easily be written and added by the system - administrator; see the section called "WRITING PLUGINS" in - plugin-runner(8mandos) to learn the plugin requirements. - -* Copyright - - Copyright © 2008 Teddy Hogeborn - 2008 Björn Påhlsson - -** License: - - This program is free software: you can redistribute it and/or - modify it under the terms of the GNU General Public License as - published by the Free Software Foundation, either version 3 of the - License, or (at your option) any later version. - - This program is distributed in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see - . === modified file 'TODO' --- TODO 2008-09-30 03:19:39 +0000 +++ TODO 2008-09-03 05:04:40 +0000 @@ -1,71 +1,102 @@ -*- org -*- -* DONE plugin-runner - -* mandos-client -** TODO [#B] Temporarily lower kernel log level +* [#A] README file + +* plugin-runner +** [#B] Add more comments to code +** [#B] Add more if(debug) calls +** [#B] Seperate more code to function for more readability + +* password-request +** [#A] Man page: man8/password-request.8mandos +*** FILES + Describe the key files and the key ring files. Also note that + they should normally have been automatically created. +*** BUGS +*** EXAMPLE + Examples of normal usage, debug usage, debugging by connecting + directly, etc. +*** SECURITY +*** SEE ALSO + Update from mandos.xml +** [#B] Temporarily lower kernel log level for less printouts during sucessfull boot. -** TODO [#C] IPv4 support +** IPv4 support +** use strsep instead of strtok? +** Do not depend on GnuPG key rings on disk + This would mean creating new GnuPG key rings with GPGME by + importing the key files from scratch on every program start. +** Keydir move: /etc/mandos -> /etc/keys/mandos + Must create in preinst if not pre-depending on cryptsetup -* DONE password-prompt +* password-prompt +** [#C] Use getpass(3)? + Man page says "obsolete", but [[info:libc:getpass][GNU LibC Manual: Reading Passwords]] + does not. See also [[http://sources.redhat.com/ml/libc-alpha/2003-05/msg00251.html][Marcus Brinkmann: Re: getpass obsolete?]] and + [[http://article.gmane.org/gmane.comp.lib.glibc.alpha/4906][Petter Reinholdtsen: Re: getpass obsolete?]], and especially also + [[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]] * mandos (server) -** TODO [#B] Log level :bugs: -** TODO /etc/mandos/clients.d/*.conf +** [#A] /etc/init.d/mandos-server :teddy: +** [#B] Log level :bugs: +** /etc/mandos/clients.d/*.conf Watch this directory and add/remove/update clients? -** TODO config for TXT record -** TODO [#B] Run-time communication with server :bugs: +** config for TXT record +** [#B] Run-time communication with server :bugs: Probably using D-Bus See also [[*Mandos-tools]] -** TODO Implement --foreground :bugs: - [[info:standards:Option%20Table][Table of Long Options]] -** TODO Implement --socket - [[info:standards:Option%20Table][Table of Long Options]] -** TODO Date+time on console log messages :bugs: +** Implement --foreground :bugs: + [[info:standards:Option%20Table][Table of Long Options]] +** Implement --socket + [[info:standards:Option%20Table][Table of Long Options]] +** Date+time on console log messages :bugs: Is this the default? -** TODO delete hook when clients fall out by timeout * Mandos-tools/utilities All of this probably using D-Bus -** TODO List clients -** TODO Disable client -** TODO Enable client -** TODO Reset timer +** List clients +** Disable client +** Enable client * Man pages -** TODO Use xinclude for all common sections +** Use xinclude for common sections Like authors, etc. * Installer ** Client-side +*** Update initrd.img after installation + This seems to use some kind of "trigger" system + [[file:/usr/share/doc/dpkg/triggers.txt.gz]] + dpkg-trigger(1), deb-triggers(5) +*** Keydir move: /etc/mandos -> /etc/keys/mandos + Must create in preinst if not pre-depending on cryptsetup *** mandos-keygen -**** TODO "--secfile" option +**** "--passfile" option Using the "secfile" option instead of "secret" -**** TODO [#B] "--test" option +**** [#A] "--test" option For testing decryption before rebooting. - +** Server-side +*** [#A] Create mandos user and group for server +*** [#A] Create /var/run/mandos directory with perm and ownership * [#A] Package ** /usr/share/initramfs-tools/hooks/mandos -*** TODO Do not install in initrd.img if configured not to. +*** Do not install in initrd.img if configured not to. Use "/etc/initramfs-tools/conf.d/mandos"? Definitely a debconf question. -** TODO /etc/bash_completion.d/mandos +** /etc/bash_completion.d/mandos From XML sources directly? -** TODO unperish - -* TODO Web site -** DONE http://www.fukt.bsnet.se/mandos - Redirects to the wiki page -** TODO http://wiki.fukt.bsnet.se/wiki/Mandos - http://liw.fi/free-software-website/ +** unperish +** bzr-builddeb + +* INSTALL file + +* Web site * Mailing list -** DONE mandos-dev -*** TODO http://gmane.org/subscribe.php -* TODO Announce project on Usenet +* Announce project on news [[news:comp.os.linux.announce]] === modified file 'clients.conf' --- clients.conf 2008-09-21 13:42:34 +0000 +++ clients.conf 2008-08-27 01:18:25 +0000 @@ -55,7 +55,7 @@ ;fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27 ; ;# If "secret" is not specified, a file can be read for the data. -;secfile = /etc/mandos/bar-secret.bin +;;secfile = /etc/mandos/bar-secret.txt.asc ; ;# An IP address for host is also fine, if the checker accepts it. ;host = 192.0.2.3 === removed directory 'debian' === removed file 'debian/changelog' --- debian/changelog 2008-09-17 00:34:09 +0000 +++ debian/changelog 1970-01-01 00:00:00 +0000 @@ -1,5 +0,0 @@ -mandos (1.0) unstable; urgency=low - - * Initial Release. - - -- Mandos Maintainers Sun, 07 Sep 2008 11:55:51 +0200 === removed file 'debian/compat' --- debian/compat 2008-09-17 00:34:09 +0000 +++ debian/compat 1970-01-01 00:00:00 +0000 @@ -1,1 +0,0 @@ -7 === removed file 'debian/control' --- debian/control 2008-09-30 03:19:39 +0000 +++ debian/control 1970-01-01 00:00:00 +0000 @@ -1,52 +0,0 @@ -Source: mandos -Section: admin -Priority: extra -Maintainer: Mandos Maintainers -Uploaders: Teddy Hogeborn , - Björn Påhlsson -Build-Depends: debhelper (>= 7), docbook-xsl, libavahi-core-dev, - libgpgme11-dev, libgnutls-dev, xsltproc, po-debconf, - pkg-config -Standards-Version: 3.8.0 -Vcs-Bzr: http://ftp.fukt.bsnet.se/pub/mandos/trunk -Vcs-Browser: http://bzr.fukt.bsnet.se/loggerhead/mandos/trunk/files -Homepage: http://www.fukt.bsnet.se/mandos - -Package: mandos -Architecture: all -Depends: ${misc:Depends}, python (>=2.5), python-gnutls, python-dbus, - python-avahi, avahi-daemon, gnupg (< 2), adduser -Recommends: fping -Description: a server giving encrypted passwords to Mandos clients - This is the server part of the Mandos system, which allows - computers to have encrypted root file systems and at the - same time be capable of remote and/or unattended reboots. - . - The computers run a small client program in the initial RAM - disk environment which will communicate with a server over a - network. All network communication is encrypted using TLS. - The clients are identified by the server using an OpenPGP - key; each client has one unique to it. The server sends the - clients an encrypted password. The encrypted password is - decrypted by the clients using the same OpenPGP key, and the - password is then used to unlock the root file system, - whereupon the computers can continue booting normally. - -Package: mandos-client -Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, cryptsetup -Enhances: cryptsetup -Description: do unattended reboots with an encrypted root file system - This is the client part of the Mandos system, which allows - computers to have encrypted root file systems and at the - same time be capable of remote and/or unattended reboots. - . - The computers run a small client program in the initial RAM - disk environment which will communicate with a server over a - network. All network communication is encrypted using TLS. - The clients are identified by the server using an OpenPGP - key; each client has one unique to it. The server sends the - clients an encrypted password. The encrypted password is - decrypted by the clients using the same OpenPGP key, and the - password is then used to unlock the root file system, - whereupon the computers can continue booting normally. === removed file 'debian/copyright' --- debian/copyright 2008-09-17 00:34:09 +0000 +++ debian/copyright 1970-01-01 00:00:00 +0000 @@ -1,27 +0,0 @@ -Authors: Teddy Hogeborn, Björn Påhlsson - -Homepage: - -Copyright: - - Copyright © 2008 Teddy Hogeborn - 2008 Björn Påhlsson - -License: - - This program is free software: you can redistribute it and/or - modify it under the terms of the GNU General Public License as - published by the Free Software Foundation, either version 3 of the - License, or (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see - . - -On Debian systems, the complete text of the GNU General Public License -can be found in "/usr/share/common-licenses/GPL". === removed file 'debian/mandos-client.README.Debian' --- debian/mandos-client.README.Debian 2008-09-19 20:54:58 +0000 +++ debian/mandos-client.README.Debian 1970-01-01 00:00:00 +0000 @@ -1,23 +0,0 @@ -A client key has been automatically created in /etc/keys/mandos. The -next step is to run "mandos-keygen --password" to get a config file -stanza to copy and paste into /etc/mandos/clients.conf on the Mandos -server. - -Also, if some other network interface than "eth0" is used, it will be -necessary to edit /etc/mandos/plugin-runner.conf to uncomment and -change the line there. If this file is changed, it will be necessary -to update the initrd image by doing "update-initramfs -k all -u". - -Any plugins found in /etc/mandos/plugins.d will override and add to -the normal Mandos plugins. When adding or changing plugins, do not -forget to update the initital RAM disk image: - -# update-initramfs -k all -u - -It is NOT necessary to edit /etc/crypttab to specify -/usr/lib/mandos/plugin-runner as a keyscript for the root file system; -if no keyscript is given for the root file system, the Mandos client -will be the new default way for getting a password for the root file -system when booting. - - -- Teddy Hogeborn , Fri, 19 Sep 2008 22:50:16 +0200 === removed file 'debian/mandos-client.config' --- debian/mandos-client.config 2008-09-21 04:22:50 +0000 +++ debian/mandos-client.config 1970-01-01 00:00:00 +0000 @@ -1,27 +0,0 @@ -#! /bin/sh -# -# config Mandos Debconf configuration. -# - -# Source debconf library. -. /usr/share/debconf/confmodule -if ! db_version 2.0; then - echo "mandos.config: need DebConf 2.0 or later" - exit 1 -fi - -set -e -umask 022 - -# Now, interaction. Batch it in case any front ends can use this. -db_beginblock - -# If this is a first time install then prompt -if [ "$1" = "configure" -a "$2" != "" ]; then - db_input high mandos-client/not-yet-configured || true -fi - -db_endblock -db_go || true - -exit 0 === removed file 'debian/mandos-client.dirs' --- debian/mandos-client.dirs 2008-09-17 00:34:09 +0000 +++ debian/mandos-client.dirs 1970-01-01 00:00:00 +0000 @@ -1,5 +0,0 @@ -usr/share/man/man8 -usr/sbin -usr/share/initramfs-tools/hooks -usr/share/initramfs-tools/conf-hooks.d -usr/share/initramfs-tools/scripts/local-top === removed file 'debian/mandos-client.docs' --- debian/mandos-client.docs 2008-09-19 13:50:22 +0000 +++ debian/mandos-client.docs 1970-01-01 00:00:00 +0000 @@ -1,2 +0,0 @@ -README -TODO === removed file 'debian/mandos-client.links' --- debian/mandos-client.links 2008-09-19 13:50:22 +0000 +++ debian/mandos-client.links 1970-01-01 00:00:00 +0000 @@ -1,1 +0,0 @@ -usr/share/man/man8/plugin-runner.8mandos.gz usr/share/man/man5/plugin-runner.conf.5mandos.gz === removed file 'debian/mandos-client.lintian-overrides' --- debian/mandos-client.lintian-overrides 2008-09-26 19:47:21 +0000 +++ debian/mandos-client.lintian-overrides 1970-01-01 00:00:00 +0000 @@ -1,7 +0,0 @@ -mandos-client binary: manpage-has-errors-from-man usr/share/man/man8/plugin-runner.8mandos.gz 297: warning [p 4, 5.8i]: can't break line -mandos-client binary: non-standard-dir-perm etc/keys/mandos/ 0700 != 0755 -mandos-client binary: setuid-binary usr/lib/mandos/plugins.d/mandos-client 4755 root/root -mandos-client binary: setuid-binary usr/lib/mandos/plugins.d/askpass-fifo 4755 root/root -mandos-client binary: setuid-binary usr/lib/mandos/plugins.d/splashy 4755 root/root -mandos-client binary: setuid-binary usr/lib/mandos/plugins.d/usplash 4755 root/root -mandos-client binary: non-standard-dir-perm usr/lib/mandos/plugins.d/ 0700 != 0755 === removed file 'debian/mandos-client.postinst' --- debian/mandos-client.postinst 2008-09-26 04:54:35 +0000 +++ debian/mandos-client.postinst 1970-01-01 00:00:00 +0000 @@ -1,65 +0,0 @@ -#!/bin/bash -e -# This script can be called in the following ways: -# -# After the package was installed: -# configure -# -# -# If prerm fails during upgrade or fails on failed upgrade: -# abort-upgrade -# -# If prerm fails during deconfiguration of a package: -# abort-deconfigure in-favour -# removing -# -# If prerm fails during replacement due to conflict: -# abort-remove in-favour - -. /usr/share/debconf/confmodule - -# Update the initial RAM file system image -update_initramfs() -{ - if [ -x /usr/sbin/update-initramfs ]; then - update-initramfs -u -k all - fi -} - -# Add user and group -add_mandos_user(){ - if ! getent passwd mandos >/dev/null; then - adduser --disabled-password --quiet --system \ - --home /nonexistent --no-create-home \ - --gecos "Mandos password system" --group mandos - fi -} - -# Create client key pair -create_key(){ - if [ -r /etc/keys/mandos/pubkey.txt \ - -a -r /etc/keys/mandos/seckey.txt ]; then - return 0 - fi - if [ -x /usr/sbin/mandos-keygen ]; then - mandos-keygen - fi -} - -case "$1" in - configure) - add_mandos_user - create_key - update_initramfs - ;; - abort-upgrade|abort-deconfigure|abort-remove) - ;; - - *) - echo "$0 called with unknown argument \`$1'" 1>&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 === removed file 'debian/mandos-client.postrm' --- debian/mandos-client.postrm 2008-09-19 20:54:58 +0000 +++ debian/mandos-client.postrm 1970-01-01 00:00:00 +0000 @@ -1,60 +0,0 @@ -#!/bin/sh -e -# This script can be called in the following ways: -# -# After the package was removed: -# remove -# -# After the package was purged: -# purge -# -# After the package was upgraded: -# upgrade -# if that fails: -# failed-upgrade -# -# -# After all of the packages files have been replaced: -# disappear -# -# -# If preinst fails during install: -# abort-install -# -# If preinst fails during upgrade of removed package: -# abort-install -# -# If preinst fails during upgrade: -# abort-upgrade - - -# Update the initial RAM file system image -update_initramfs() -{ - if [ -x /usr/sbin/update-initramfs ]; then - update-initramfs -u -k all - fi -} - -case "$1" in - remove) - update_initramfs - ;; - - purge) - shred --remove /etc/keys/mandos/seckey.txt 2>/dev/null || : - rm --force /etc/mandos/plugin-runner.conf \ - /etc/keys/mandos/pubkey.txt \ - /etc/keys/mandos/seckey.txt 2>/dev/null - ;; - upgrade|failed-upgrade|disappear|abort-install|abort-upgrade) - ;; - - *) - echo "$0 called with unknown argument \`$1'" 1>&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 === removed file 'debian/mandos-client.templates' --- debian/mandos-client.templates 2008-09-21 04:22:50 +0000 +++ debian/mandos-client.templates 1970-01-01 00:00:00 +0000 @@ -1,8 +0,0 @@ -Template: mandos-client/not-yet-configured -Type: note -_Description: Your system needs more configuration[ mandos-client] - Your system can not function as a Mandos client until a - password for this client has been added to the - configuration on the Mandos server. Please read - /usr/share/doc/mandos-client/README.Debian.gz to find out - how. === removed file 'debian/mandos.README.Debian' --- debian/mandos.README.Debian 2008-09-21 04:22:50 +0000 +++ debian/mandos.README.Debian 1970-01-01 00:00:00 +0000 @@ -1,7 +0,0 @@ -The Mandos server cannot run without at least one configured client in -/etc/mandos/clients.conf. To create one, install the "mandos-client" -package on a client computer, and run "mandos-keygen --password" there -to get a config file stanza. Append that to /etc/mandos/clients.conf -on the Mandos server. - - -- Teddy Hogeborn , Sat, 20 Sep 2008 21:21:19 +0200 === removed file 'debian/mandos.config' --- debian/mandos.config 2008-09-21 04:22:50 +0000 +++ debian/mandos.config 1970-01-01 00:00:00 +0000 @@ -1,27 +0,0 @@ -#! /bin/sh -# -# config Mandos Debconf configuration. -# - -# Source debconf library. -. /usr/share/debconf/confmodule -if ! db_version 2.0; then - echo "mandos.config: need DebConf 2.0 or later" - exit 1 -fi - -set -e -umask 022 - -# Now, interaction. Batch it in case any front ends can use this. -db_beginblock - -# If this is a first time install then prompt -if [ "$1" = "configure" -a "$2" != "" ]; then - db_input high mandos/not-yet-configured || true -fi - -db_endblock -db_go || true - -exit 0 === removed file 'debian/mandos.dirs' --- debian/mandos.dirs 2008-09-17 00:34:09 +0000 +++ debian/mandos.dirs 1970-01-01 00:00:00 +0000 @@ -1,5 +0,0 @@ -usr/share/man/man5 -usr/share/man/man8 -etc/init.d -etc/default -usr/sbin === removed file 'debian/mandos.docs' --- debian/mandos.docs 2008-09-19 13:50:22 +0000 +++ debian/mandos.docs 1970-01-01 00:00:00 +0000 @@ -1,2 +0,0 @@ -README -TODO === removed file 'debian/mandos.lintian-overrides' --- debian/mandos.lintian-overrides 2008-09-17 00:34:09 +0000 +++ debian/mandos.lintian-overrides 1970-01-01 00:00:00 +0000 @@ -1,1 +0,0 @@ -mandos binary: non-standard-file-perm etc/mandos/clients.conf 0600 != 0644 === removed file 'debian/mandos.postinst' --- debian/mandos.postinst 2008-09-26 04:54:35 +0000 +++ debian/mandos.postinst 1970-01-01 00:00:00 +0000 @@ -1,40 +0,0 @@ -#!/bin/bash -e -# This script can be called in the following ways: -# -# After the package was installed: -# configure -# -# -# If prerm fails during upgrade or fails on failed upgrade: -# abort-upgrade -# -# If prerm fails during deconfiguration of a package: -# abort-deconfigure in-favour -# removing -# -# If prerm fails during replacement due to conflict: -# abort-remove in-favour - -. /usr/share/debconf/confmodule - -case "$1" in - configure) - if ! getent passwd mandos >/dev/null; then - adduser --disabled-password --quiet --system \ - --home /nonexistent --no-create-home \ - --gecos "Mandos password system" --group mandos - fi - ;; - - abort-upgrade|abort-deconfigure|abort-remove) - ;; - - *) - echo "$0 called with unknown argument \`$1'" 1>&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 === removed file 'debian/mandos.prerm' --- debian/mandos.prerm 2008-09-21 13:42:34 +0000 +++ debian/mandos.prerm 1970-01-01 00:00:00 +0000 @@ -1,38 +0,0 @@ -#! /bin/sh -# prerm script for mandos -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `upgrade' -# * `failed-upgrade' -# * `remove' `in-favour' -# * `deconfigure' `in-favour' -# `removing' -# -# for details, see /usr/share/doc/packaging-manual/ - -case "$1" in - remove|deconfigure) - if [ -x /etc/init.d/mandos ]; then - if [ -x /usr/sbin/invoke-rc.d ]; then - invoke-rc.d mandos stop - else - /etc/init.d/mandos stop - fi - fi - ;; - upgrade|failed-upgrade) - ;; - *) - echo "prerm called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac - -#DEBHELPER# - -exit 0 === removed file 'debian/mandos.templates' --- debian/mandos.templates 2008-09-21 04:22:50 +0000 +++ debian/mandos.templates 1970-01-01 00:00:00 +0000 @@ -1,9 +0,0 @@ -Template: mandos/not-yet-configured -Type: note -_Description: Your system needs more configuration[ mandos] - Your system has not yet been completely configured as a - Mandos server - clients need to be added to to - /etc/mandos/clients.conf. Please read - /usr/share/doc/mandos/README.Debian.gz to find out how. - . - (The server has not been started.) === removed directory 'debian/po' === removed file 'debian/po/POTFILES.in' --- debian/po/POTFILES.in 2008-09-21 04:22:50 +0000 +++ debian/po/POTFILES.in 1970-01-01 00:00:00 +0000 @@ -1,2 +0,0 @@ -[type: gettext/rfc822deb] mandos.templates -[type: gettext/rfc822deb] mandos-client.templates === removed file 'debian/po/sv.po' --- debian/po/sv.po 2008-09-21 04:22:50 +0000 +++ debian/po/sv.po 1970-01-01 00:00:00 +0000 @@ -1,66 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the mandos package. -# FIRST AUTHOR , YEAR. -# -msgid "" -msgstr "" -"Project-Id-Version: 1.0\n" -"Report-Msgid-Bugs-To: mandos@packages.debian.org\n" -"POT-Creation-Date: 2008-09-20 23:01+0200\n" -"PO-Revision-Date: 2008-09-21 06:01+0200\n" -"Last-Translator: Teddy Hogeborn \n" -"Language-Team: Swedish \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=UTF-8\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: note -#. Description -#: ../mandos.templates:1001 -msgid "Your system needs more configuration[ mandos]" -msgstr "Ditt system behöver ytterligare konfigurering" - -#. Type: note -#. Description -#: ../mandos.templates:1001 -#| msgid "" -#| "Your system has not yet been completely configured as a Mandos server - " -#| "you need to setup /etc/mandos/clients.conf. Please read /usr/share/doc/" -#| "mandos/README.Debian.gz to find out how." -msgid "" -"Your system has not yet been completely configured as a Mandos server - " -"clients need to be added to to /etc/mandos/clients.conf. Please read /usr/" -"share/doc/mandos/README.Debian.gz to find out how." -msgstr "" -"Ditt system är inte helt inställd som en Mandos-server än -\n" -"det behövs läggas till klienter i Mandos-serverns\n" -"inställingar. Var vänlig läs\n" -"/usr/share/doc/mandos-client/README.Debian.gz för att få\n" -"veta hur." - -#. Type: note -#. Description -#: ../mandos.templates:1001 -msgid "(The server has not been started.)" -msgstr "(Servern har inte startats.)" - -#. Type: note -#. Description -#: ../mandos-client.templates:1001 -msgid "Your system needs more configuration[ mandos-client]" -msgstr "Ditt system behöver ytterligare konfigurering" - -#. Type: note -#. Description -#: ../mandos-client.templates:1001 -msgid "" -"Your system can not function as a Mandos client until a password for this " -"client has been added to the configuration on the Mandos server. Please " -"read /usr/share/doc/mandos-client/README.Debian.gz to find out how." -msgstr "" -"Ditt system kan inte fungera som en Mandos-klient förrän\n" -"ett krypterat lösenord har lagts till i Mandos-serverns\n" -"inställingar. Var vänlig läs\n" -"/usr/share/doc/mandos-client/README.Debian.gz för att få\n" -"veta hur." === removed file 'debian/rules' --- debian/rules 2008-09-21 12:04:02 +0000 +++ debian/rules 1970-01-01 00:00:00 +0000 @@ -1,93 +0,0 @@ -#!/usr/bin/make -f -# Sample debian/rules that uses debhelper. -# -# This file was originally written by Joey Hess and Craig Small. -# As a special exception, when this file is copied by dh-make into a -# dh-make output file, you may use that output file without restriction. -# This special exception was added by Craig Small in version 0.37 of dh-make. -# -# Modified to make a template file for a multi-binary package with separated -# build-arch and build-indep targets by Bill Allombert 2001 - -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 - -# This has to be exported to make some magic below work. -export DH_OPTIONS - -configure: configure-stamp -configure-stamp: - dh_testdir - touch configure-stamp - -build: build-arch build-indep - -build-arch: build-arch-stamp -build-arch-stamp: configure-stamp - dh_auto_build -- all doc - touch $@ - -build-indep: build-indep-stamp -build-indep-stamp: configure-stamp - dh_auto_build -- doc - touch $@ - -clean: - dh_testdir - dh_testroot - rm -f build-arch-stamp build-indep-stamp configure-stamp - dh_auto_clean - dh_clean - debconf-updatepo - -install: install-indep install-arch -install-indep: - dh_testdir - dh_testroot - dh_prep - dh_installdirs --indep - $(MAKE) DESTDIR=$(CURDIR)/debian/mandos install-server - dh_lintian - dh_installinit --onlyscripts --no-start \ - --update-rcd-params="defaults 25 15" - dh_install --indep - -install-arch: - dh_testdir - dh_testroot - dh_prep - dh_installdirs --same-arch - $(MAKE) DESTDIR=$(CURDIR)/debian/mandos-client install-client-nokey - dh_lintian - dh_install --same-arch - -binary-common: - dh_testdir - dh_testroot - dh_installchangelogs - dh_installdocs - dh_installdebconf - dh_link - dh_strip - dh_compress - dh_fixperms --exclude etc/keys/mandos \ - --exclude etc/mandos/clients.conf \ - --exclude usr/lib/mandos/plugins.d - dh_installdeb - dh_shlibdeps - dh_gencontrol - dh_md5sums - dh_builddeb - -# Build architecture independant packages using the common target. -binary-indep: build-indep install-indep - $(MAKE) -f debian/rules DH_OPTIONS=--indep binary-common - -# Build architecture dependant packages using the common target. -binary-arch: build-arch install-arch - $(MAKE) -f debian/rules DH_OPTIONS=--same-arch binary-common - -binary: binary-arch binary-indep - -.PHONY: build clean binary-indep binary-arch binary install \ - install-indep install-arch configure === removed file 'default-mandos' --- default-mandos 2008-09-17 00:34:09 +0000 +++ default-mandos 1970-01-01 00:00:00 +0000 @@ -1,7 +0,0 @@ -# Directory where configuration files are located. Default is -# "/etc/mandos". -# -#CONFIGDIR=/etc/mandos - -# Additional options that are passed to the Daemon. -DAEMON_ARGS="" === removed file 'init.d-mandos' --- init.d-mandos 2008-09-21 12:04:02 +0000 +++ init.d-mandos 1970-01-01 00:00:00 +0000 @@ -1,159 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: mandos -# Required-Start: $remote_fs avahi-daemon -# Required-Stop: $remote_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Mandos server -# Description: Gives encrypted passwords to Mandos clients -### END INIT INFO - -# Author: Teddy Hogeborn -# Author: Björn Påhlsson -# -# Please remove the "Author" lines above and replace them -# with your own name if you copy and modify this script. - -# Do NOT "set -e" - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/usr/sbin:/bin:/usr/bin -DESC="Mandos root file system password server" -NAME=mandos -DAEMON=/usr/sbin/$NAME -DAEMON_ARGS="" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME - -if [ -n "$CONFIGDIR" ]; then - DAEMON_ARGS="$DAEMON_ARGS --configdir $CONFIGDIR" -fi - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -# Depend on lsb-base (>= 3.0-6) to ensure that this file is present. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 - # Add code here, if necessary, that waits for the process to be ready - # to handle requests from services started subsequently which depend - # on this one. As a last resort, sleep for some time. -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - # Wait for children to finish too if this is a daemon that forks - # and if the daemon is only ever run from this initscript. - # If the above conditions are not satisfied then add some other code - # that waits for the process to drop all resources that could be - # needed by services started subsequently. A last resort is to - # sleep for some time. - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f $PIDFILE - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - # - # If the daemon can reload its configuration without - # restarting (for example, when it is sent a SIGHUP), - # then implement that here. - # - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - #reload|force-reload) - # - # If do_reload() is not implemented then leave this commented out - # and leave 'force-reload' as an alias for 'restart'. - # - #log_daemon_msg "Reloading $DESC" "$NAME" - #do_reload - #log_end_msg $? - #;; - restart|force-reload) - # - # If the "reload" option is implemented then remove the - # 'force-reload' alias - # - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 - echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: === modified file 'initramfs-tools-hook' --- initramfs-tools-hook 2008-09-19 00:54:24 +0000 +++ initramfs-tools-hook 2008-08-24 23:18:18 +0000 @@ -29,37 +29,15 @@ . /usr/share/initramfs-tools/hook-functions -for d in /usr /usr/local; do - if [ -d "$d"/lib/mandos ]; then - prefix="$d" - break - fi -done -if [ -z "$prefix" ]; then +if [ -d /usr/lib/mandos ]; then + prefix=/usr +elif [ -d /usr/local/lib/mandos ]; then + prefix=/usr/local +else # Mandos not found exit 1 fi -for d in /etc/keys/mandos /etc/mandos/keys; do - if [ -d "$d" ]; then - keydir="$d" - break - fi -done -if [ -z "$keydir" ]; then - # Mandos key directory not found - exit 1 -fi - -mandos_user="`{ getent passwd mandos \ - || getent passwd nobody \ - || echo ::65534::::; } \ - | awk --field-separator=: '{ print $3 }'`" -mandos_group="`{ getent group mandos \ - || getent group nogroup \ - || echo ::65534:; } \ - | awk --field-separator=: '{ print $3 }'`" - # The Mandos network client uses the network auto_add_modules net # The Mandos network client uses IPv6 @@ -71,13 +49,11 @@ PLUGINDIR="${MANDOSDIR}/plugins.d" # Make directories -install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \ - "${DESTDIR}${MANDOSDIR}" -install --owner=${mandos_user} --group=${mandos_group} --directory \ - --mode=u=rwx "${DESTDIR}${PLUGINDIR}" +mkdir --parents "${DESTDIR}${CONFDIR}" +mkdir --parents "${DESTDIR}${PLUGINDIR}" # Copy the Mandos plugin runner -copy_exec "$prefix"/lib/mandos/plugin-runner "${MANDOSDIR}" +copy_exec "$prefix"/lib/mandos/plugin-runner "${DESTDIR}${MANDOSDIR}" # Copy the plugins @@ -90,7 +66,6 @@ fi case "$base" in *~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;; - "*") :;; *) copy_exec "$file" "${PLUGINDIR}";; esac done @@ -99,46 +74,31 @@ for file in /etc/mandos/plugins.d/*; do base="`basename \"$file\"`" case "$base" in - *~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;; - "*") :;; + *~|.*|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;; *) copy_exec "$file" "${PLUGINDIR}";; esac done # GPGME needs /usr/bin/gpg -if [ ! -e "${DESTDIR}/usr/bin/gpg" \ - -a -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* \ - 2>/dev/null`" ]; then +if ! [ -e "${DESTDIR}/usr/bin/gpg" ] \ + && [ -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* 2>/dev/null`" ]; then copy_exec /usr/bin/gpg fi -# Config files +# Key files for file in /etc/mandos/*; do if [ -d "$file" ]; then continue fi cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}" done - -if [ ${mandos_user} != 65534 ]; then - PLUGINRUNNERCONF="${DESTDIR}${CONFDIR}/plugin-runner.conf" - echo "--userid=${mandos_user}" >> "$PLUGINRUNNERCONF" -fi - -if [ ${mandos_group} != 65534 ]; then - PLUGINRUNNERCONF="${DESTDIR}${CONFDIR}/plugin-runner.conf" - echo "--groupid=${mandos_group}" >> "$PLUGINRUNNERCONF" -fi - -# Key files -for file in "$keydir"/*; do - if [ -d "$file" ]; then - continue - fi - cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}" - chown ${mandos_user}:${mandos_group} \ - "${DESTDIR}${CONFDIR}/`basename \"$file\"`" -done +# Create key ring files +gpg --no-random-seed-file --quiet --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --homedir "${DESTDIR}${CONFDIR}" --no-permission-warning \ + --trust-model always --import-options import-minimal \ + --import "${DESTDIR}${CONFDIR}/seckey.txt" +chown nobody "${DESTDIR}${CONFDIR}/secring.gpg" # /lib/mandos/plugin-runner will drop priviliges, but needs access to # its plugin directory and its config file. However, since almost all @@ -152,7 +112,7 @@ # condition. This umask is set by "initramfs-tools-hook-conf", # installed as "/usr/share/initramfs-tools/conf-hooks.d/mandos".) # -for full in "${MANDOSDIR}" "${CONFDIR}"; do +for full in "${PLUGINDIR}" "${CONFDIR}"; do while [ "$full" != "/" ]; do chmod a+rX "${DESTDIR}$full" full="`dirname \"$full\"`" @@ -162,11 +122,8 @@ # Reset some other things to sane permissions which we have # inadvertently affected with our umask setting. for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do - if [ -d "${DESTDIR}$dir" ]; then - chmod a+rX "${DESTDIR}$dir" - fi + chmod a+rX "${DESTDIR}$dir" done for dir in /lib /usr/lib; do - find "${DESTDIR}$dir" \! -perm -u+rw,g+r -prune -or -print0 \ - | xargs --null --no-run-if-empty chmod a+rX + chmod --recursive a+rX "${DESTDIR}$dir" done === modified file 'initramfs-tools-script' --- initramfs-tools-script 2008-09-07 15:42:11 +0000 +++ initramfs-tools-script 2008-08-14 02:24:59 +0000 @@ -24,8 +24,6 @@ ;; esac -chmod a=rwxt /tmp - test -w /conf/conf.d/cryptroot # Do not replace cryptroot file unless we need to. === modified file 'legalnotice.xml' --- legalnotice.xml 2008-09-06 17:24:58 +0000 +++ legalnotice.xml 2008-08-31 15:06:39 +0000 @@ -4,24 +4,21 @@ This manual page is free software: you can redistribute it and/or - modify it under the terms of the GNU General - Public License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any later - version. + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. This manual page is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - See the GNU General Public License for more - details. + See the GNU General Public License for more details. - You should have received a copy of the GNU - General Public License along with this program. If not, see - http://www.gnu.org/licenses/. + You should have received a copy of the GNU General Public License + along with this program; If not, see . === modified file 'mandos' --- mandos 2008-09-26 21:54:54 +0000 +++ mandos 2008-08-27 01:18:25 +0000 @@ -11,7 +11,7 @@ # and some lines in "main". # # Everything else is -# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson +# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -34,6 +34,7 @@ import SocketServer import socket +import select from optparse import OptionParser import datetime import errno @@ -54,14 +55,12 @@ import stat import logging import logging.handlers -import pwd import dbus import gobject import avahi from dbus.mainloop.glib import DBusGMainLoop import ctypes -import ctypes.util version = "1.0" @@ -81,7 +80,6 @@ class AvahiError(Exception): def __init__(self, value): self.value = value - super(AvahiError, self).__init__() def __str__(self): return repr(self.value) @@ -109,11 +107,11 @@ a sensible number of times """ def __init__(self, interface = avahi.IF_UNSPEC, name = None, - servicetype = None, port = None, TXT = None, domain = "", + type = None, port = None, TXT = None, domain = "", host = "", max_renames = 32768): self.interface = interface self.name = name - self.type = servicetype + self.type = type self.port = port if TXT is None: self.TXT = [] @@ -128,7 +126,7 @@ if self.rename_count >= self.max_renames: logger.critical(u"No suitable Zeroconf service name found" u" after %i retries, exiting.", - self.rename_count) + rename_count) raise AvahiServiceError("Too many renames") self.name = server.GetAlternativeServiceName(self.name) logger.info(u"Changing Zeroconf service name to %r ...", @@ -223,12 +221,10 @@ interval = property(lambda self: self._interval, _set_interval) del _set_interval - def __init__(self, name = None, stop_hook=None, config=None): + def __init__(self, name = None, stop_hook=None, config={}): """Note: the 'checker' key in 'config' sets the 'checker_command' attribute and *not* the 'checker' attribute.""" - if config is None: - config = {} self.name = name logger.debug(u"Creating client %r", self.name) # Uppercase and remove spaces from fingerprint for later @@ -240,9 +236,9 @@ if "secret" in config: self.secret = config["secret"].decode(u"base64") elif "secfile" in config: - secfile = open(config["secfile"]) - self.secret = secfile.read() - secfile.close() + sf = open(config["secfile"]) + self.secret = sf.read() + sf.close() else: raise TypeError(u"No secret or secfile for client %s" % self.name) @@ -418,28 +414,28 @@ (crt, ctypes.byref(datum), gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW) # Verify the self signature in the key - crtverify = ctypes.c_uint() + crtverify = ctypes.c_uint(); gnutls.library.functions.gnutls_openpgp_crt_verify_self\ (crt, 0, ctypes.byref(crtverify)) if crtverify.value != 0: gnutls.library.functions.gnutls_openpgp_crt_deinit(crt) raise gnutls.errors.CertificateSecurityError("Verify failed") # New buffer for the fingerprint - buf = ctypes.create_string_buffer(20) - buf_len = ctypes.c_size_t() + buffer = ctypes.create_string_buffer(20) + buffer_length = ctypes.c_size_t() # Get the fingerprint from the certificate into the buffer gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\ - (crt, ctypes.byref(buf), ctypes.byref(buf_len)) + (crt, ctypes.byref(buffer), ctypes.byref(buffer_length)) # Deinit the certificate gnutls.library.functions.gnutls_openpgp_crt_deinit(crt) # Convert the buffer to a Python bytestring - fpr = ctypes.string_at(buf, buf_len.value) + fpr = ctypes.string_at(buffer, buffer_length.value) # Convert the bytestring to hexadecimal notation hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr) return hex_fpr -class TCP_handler(SocketServer.BaseRequestHandler, object): +class tcp_handler(SocketServer.BaseRequestHandler, object): """A TCP request handler class. Instantiated by IPv6_TCPServer for each request to handle it. Note: This will run in its own forked process.""" @@ -472,7 +468,7 @@ if self.server.settings["priority"]: priority = self.server.settings["priority"] gnutls.library.functions.gnutls_priority_set_direct\ - (session._c_object, priority, None) + (session._c_object, priority, None); try: session.handshake() @@ -521,7 +517,6 @@ Attributes: settings: Server settings clients: Set() of Client objects - enabled: Boolean; whether this server is activated yet """ address_family = socket.AF_INET6 def __init__(self, *args, **kwargs): @@ -531,8 +526,7 @@ if "clients" in kwargs: self.clients = kwargs["clients"] del kwargs["clients"] - self.enabled = False - super(IPv6_TCPServer, self).__init__(*args, **kwargs) + return super(type(self), self).__init__(*args, **kwargs) def server_bind(self): """This overrides the normal server_bind() function to bind to an interface if one was specified, and also NOT to @@ -567,12 +561,7 @@ # if_nametoindex # (self.settings # ["interface"])) - return super(IPv6_TCPServer, self).server_bind() - def server_activate(self): - if self.enabled: - return super(IPv6_TCPServer, self).server_activate() - def enable(self): - self.enabled = True + return super(type(self), self).server_bind() def string_to_delta(interval): @@ -594,8 +583,8 @@ timevalue = datetime.timedelta(0) for s in interval.split(): try: - suffix = unicode(s[-1]) - value = int(s[:-1]) + suffix=unicode(s[-1]) + value=int(s[:-1]) if suffix == u"d": delta = datetime.timedelta(value) elif suffix == u"s": @@ -641,6 +630,8 @@ """Call the C function if_nametoindex(), or equivalent""" global if_nametoindex try: + if "ctypes.util" not in sys.modules: + import ctypes.util if_nametoindex = ctypes.cdll.LoadLibrary\ (ctypes.util.find_library("c")).if_nametoindex except (OSError, AttributeError): @@ -684,6 +675,9 @@ def main(): + global main_loop_started + main_loop_started = False + parser = OptionParser(version = "%%prog %s" % version) parser.add_option("-i", "--interface", type="string", metavar="IF", help="Bind to interface IF") @@ -704,7 +698,7 @@ default="/etc/mandos", metavar="DIR", help="Directory to search for configuration" " files") - options = parser.parse_args()[0] + (options, args) = parser.parse_args() if options.check: import doctest @@ -764,44 +758,9 @@ client_config.read(os.path.join(server_settings["configdir"], "clients.conf")) - clients = Set() - tcp_server = IPv6_TCPServer((server_settings["address"], - server_settings["port"]), - TCP_handler, - settings=server_settings, - clients=clients) - pidfilename = "/var/run/mandos.pid" - try: - pidfile = open(pidfilename, "w") - except IOError, error: - logger.error("Could not open file %r", pidfilename) - - uid = 65534 - gid = 65534 - try: - uid = pwd.getpwnam("mandos").pw_uid - except KeyError: - try: - uid = pwd.getpwnam("nobody").pw_uid - except KeyError: - pass - try: - gid = pwd.getpwnam("mandos").pw_gid - except KeyError: - try: - gid = pwd.getpwnam("nogroup").pw_gid - except KeyError: - pass - try: - os.setuid(uid) - os.setgid(gid) - except OSError, error: - if error[0] != errno.EPERM: - raise error - global service service = AvahiService(name = server_settings["servicename"], - servicetype = "_mandos._tcp", ) + type = "_mandos._tcp", ); if server_settings["interface"]: service.interface = if_nametoindex\ (server_settings["interface"]) @@ -818,6 +777,7 @@ avahi.DBUS_INTERFACE_SERVER) # End of Avahi example code + clients = Set() def remove_from_clients(client): clients.remove(client) if not clients: @@ -845,18 +805,16 @@ # Close all input and output, do double fork, etc. daemon() + pidfilename = "/var/run/mandos/mandos.pid" + pid = os.getpid() try: - pid = os.getpid() + pidfile = open(pidfilename, "w") pidfile.write(str(pid) + "\n") pidfile.close() del pidfile - except IOError: - logger.error(u"Could not write to file %r with PID %d", - pidfilename, pid) - except NameError: - # "pidfile" was never created - pass - del pidfilename + except IOError, err: + logger.error(u"Could not write %s file with PID %d", + pidfilename, os.getpid()) def cleanup(): "Cleanup function; run on exit" @@ -882,9 +840,11 @@ for client in clients: client.start() - tcp_server.enable() - tcp_server.server_activate() - + tcp_server = IPv6_TCPServer((server_settings["address"], + server_settings["port"]), + tcp_handler, + settings=server_settings, + clients=clients) # Find out what port we got service.port = tcp_server.socket.getsockname()[1] logger.info(u"Now listening on address %r, port %d, flowinfo %d," @@ -908,6 +868,7 @@ (*args[2:], **kwargs) or True) logger.debug(u"Starting main loop") + main_loop_started = True main_loop.run() except AvahiError, error: logger.critical(u"AvahiError: %s" + unicode(error)) === modified file 'mandos-clients.conf.xml' --- mandos-clients.conf.xml 2008-09-12 19:12:40 +0000 +++ mandos-clients.conf.xml 2008-08-31 15:06:39 +0000 @@ -4,7 +4,7 @@ /etc/mandos/clients.conf"> - + ]> @@ -37,7 +37,7 @@ - + &CONFNAME; 5 @@ -49,11 +49,11 @@ Configuration file for the Mandos server - + &CONFPATH; - + DESCRIPTION @@ -93,19 +93,16 @@ start time expansion, see . - Unknown options are ignored. The used options are as follows: + Uknown options are ignored. The used options are as follows: - + - + - This option is optional. - - The timeout is how long the server will wait for a successful checker run until a client is considered invalid - that is, ineligible to get the data this server @@ -126,15 +123,12 @@ - + - This option is optional. - - How often to run the checker to confirm that a client is still up. Note: a new checker will not be started if an old one is still running. The server @@ -149,15 +143,12 @@ - + - This option is optional. - - This option allows you to override the default shell command that the server will use to check if the client is still up. Any output of the command will be ignored, only @@ -183,9 +174,6 @@ >HEXSTRING - This option is required. - - This option sets the OpenPGP fingerprint that identifies the public key that clients authenticate themselves with through TLS. The string needs to be in hexidecimal form, @@ -199,11 +187,6 @@ >BASE64_ENCODED_DATA - If this option is not specified, the option is required - to be present. - - If present, this option must be set to a string of base64-encoded binary data. It will be decoded and sent to the client matching the above @@ -221,38 +204,36 @@ lines is that a line beginning with white space adds to the value of the previous line, RFC 822-style. + + If this option is not specified, the option is used instead, but one of them + must be present. + - + - This option is only used if is not - specified, in which case this option is - required. - - Similar to the , except the secret data is in an external file. The contents of the file should not be base64-encoded, but will be sent to clients verbatim. + + This option is only used, and must be + present, if is not specified. + - + - This option is optional, but highly - recommended unless the - option is modified to a - non-standard value without %(host)s in it. - - Host name for this client. This is not used by the server directly, but can be, and is by default, used by the checker. See the option. @@ -313,7 +294,7 @@ mode is needed to expose an error of this kind. - + @@ -373,6 +354,7 @@ fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27 secfile = /etc/mandos/bar-secret timeout = 15m + === modified file 'mandos-keygen' --- mandos-keygen 2008-09-21 14:05:44 +0000 +++ mandos-keygen 2008-08-31 08:47:38 +0000 @@ -2,7 +2,7 @@ # # Mandos key generator - create a new OpenPGP key for a Mandos client # -# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson +# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -22,12 +22,12 @@ VERSION="1.0" -KEYDIR="/etc/keys/mandos" +KEYDIR="/etc/mandos" KEYTYPE=DSA KEYLENGTH=2048 SUBKEYTYPE=ELG-E SUBKEYLENGTH=2048 -KEYNAME="`hostname --fqdn 2>/dev/null || hostname`" +KEYNAME="`hostname --fqdn`" KEYEMAIL="" KEYCOMMENT="Mandos client key" KEYEXPIRE=0 @@ -35,13 +35,9 @@ KEYCOMMENT_ORIG="$KEYCOMMENT" mode=keygen -if [ ! -d "$KEYDIR" ]; then - KEYDIR="/etc/mandos/keys" -fi - # Parse options -TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \ - --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ +TEMP=`getopt --options vhd:t:l:n:e:c:x:f \ + --longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ --name "$0" -- "$@"` help(){ @@ -53,7 +49,6 @@ $basename [ OPTIONS ] Encrypted password creation: $basename { -p | --password } [ --name NAME ] [ --dir DIR] - $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR] Key creation options: -v, --version Show program's version number and exit @@ -75,14 +70,10 @@ -x TIME, --expire TIME Key expire time. Default is no expiration. See gpg(1) for syntax. - -f, --force Force overwriting old key files. + -f, --force Force overwriting old keys. Password creation options: - -p, --password Create an encrypted password using the key in - the key directory. All options other than - --dir and --name are ignored. - -F FILE, --passfile FILE - Encrypt a password from FILE using the key in + -p, --password Create an encrypted password using the keys in the key directory. All options other than --dir and --name are ignored. EOF @@ -92,7 +83,6 @@ while :; do case "$1" in -p|--password) mode=password; shift;; - -F|--passfile) mode=password; PASSFILE="$2"; shift 2;; -d|--dir) KEYDIR="$2"; shift 2;; -t|--type) KEYTYPE="$2"; shift 2;; -s|--subtype) SUBKEYTYPE="$2"; shift 2;; @@ -118,20 +108,21 @@ PUBKEYFILE="$KEYDIR/pubkey.txt" # Check for some invalid values -if [ ! -d "$KEYDIR" ]; then +if [ -d "$KEYDIR" ]; then :; else echo "$KEYDIR not a directory" >&2 exit 1 fi -if [ ! -r "$KEYDIR" ]; then - echo "Directory $KEYDIR not readable" >&2 +if [ -w "$KEYDIR" ]; then :; else + echo "Directory $KEYDIR not writeable" >&2 + exit 1 +fi + +if [ "$mode" = password -a -e "$KEYDIR/trustdb.gpg.lock" ]; then + echo "Key directory has locked trustdb; aborting." >&2 exit 1 fi if [ "$mode" = keygen ]; then - if [ ! -w "$KEYDIR" ]; then - echo "Directory $KEYDIR not writeable" >&2 - exit 1 - fi if [ -z "$KEYTYPE" ]; then echo "Empty key type" >&2 exit 1 @@ -158,8 +149,8 @@ [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;; esac - if [ \( -e "$SECKEYFILE" -o -e "$PUBKEYFILE" \) \ - -a "$FORCE" -eq 0 ]; then + if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \ + && [ "$FORCE" -eq 0 ]; then echo "Refusing to overwrite old key files; use --force" >&2 exit 1 fi @@ -173,28 +164,35 @@ fi # Create temporary gpg batch file - BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`" + BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`" fi if [ "$mode" = password ]; then # Create temporary encrypted password file - SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`" -fi - -# Create temporary key ring directory -RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`" + SECFILE="`mktemp -t mandos-gpg-secfile.XXXXXXXXXX`" +fi + +# Create temporary key rings +SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`" +PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`" + +if [ "$mode" = password ]; then + # If a trustdb.gpg file does not already exist, schedule it for + # deletion when we are done. + if ! [ -e "$KEYDIR/trustdb.gpg" ]; then + TRUSTDB="$KEYDIR/trustdb.gpg" + fi +fi # Remove temporary files on exit trap " set +e; \ -test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \ -shred --remove \"$RINGDIR\"/sec*; -test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \ -rm --recursive --force \"$RINGDIR\"; +rm --force $PUBRING ${PUBRING}~ $BATCHFILE $TRUSTDB; \ +shred --remove $SECRING $SECFILE; \ stty echo; \ " EXIT -umask 077 +umask 027 if [ "$mode" = keygen ]; then # Create batch file for GnuPG @@ -211,17 +209,18 @@ Expire-Date: $KEYEXPIRE #Preferences: #Handle: - #%pubring pubring.gpg - #%secring secring.gpg + %pubring $PUBRING + %secring $SECRING %commit EOF # Generate a new key in the key rings - gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --trust-model always \ + gpg --no-random-seed-file --quiet --batch --no-tty \ + --no-default-keyring --no-options --enable-dsa2 \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ --gen-key "$BATCHFILE" rm --force "$BATCHFILE" - + # Backup any old key files if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \ 2>/dev/null; then @@ -241,68 +240,64 @@ FILECOMMENT="$FILECOMMENT <$KEYEMAIL>" fi - # Export key from key rings to key files - gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --armor --export-options export-minimal \ - --comment "$FILECOMMENT" --output "$SECKEYFILE" \ - --export-secret-keys - gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --armor --export-options export-minimal \ - --comment "$FILECOMMENT" --output "$PUBKEYFILE" --export + # Export keys from key rings to key files + gpg --no-random-seed-file --quiet --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ + --export-options export-minimal --comment "$FILECOMMENT" \ + --output "$SECKEYFILE" --export-secret-keys + gpg --no-random-seed-file --quiet --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ + --export-options export-minimal --comment "$FILECOMMENT" \ + --output "$PUBKEYFILE" --export fi if [ "$mode" = password ]; then - # Import key into temporary key rings - gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --trust-model always --armor \ - --import "$SECKEYFILE" - gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --trust-model always --armor \ - --import "$PUBKEYFILE" - + # Import keys into temporary key rings + gpg --no-random-seed-file --quiet --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --homedir "$KEYDIR" --no-permission-warning \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ + --trust-model always --import "$SECKEYFILE" + gpg --no-random-seed-file --quiet --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --homedir "$KEYDIR" --no-permission-warning \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ + --trust-model always --import "$PUBKEYFILE" + # Get fingerprint of key - FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \ - --enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \ - --fingerprint --with-colons \ - | sed --quiet \ - --expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`" + FINGERPRINT="`gpg --no-random-seed-file --quiet --batch --no-tty \ + --armor --no-default-keyring --no-options --enable-dsa2 \ + --homedir \"$KEYDIR\" --no-permission-warning \ + --secret-keyring \"$SECRING\" --keyring \"$PUBRING\" \ + --trust-model always --fingerprint --with-colons \ + | sed -n -e '/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`" test -n "$FINGERPRINT" FILECOMMENT="Encrypted password for a Mandos client" - if [ -n "$PASSFILE" ]; then - cat "$PASSFILE" - else - stty -echo - echo -n "Enter passphrase: " >&2 - first="$(head --lines=1 | tr --delete '\n')" - echo -n -e "\nRepeat passphrase: " >&2 - second="$(head --lines=1 | tr --delete '\n')" - echo >&2 - stty echo - if [ "$first" != "$second" ]; then - echo -e "Passphrase mismatch" >&2 - false - else - echo -n "$first" - fi - fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ - --homedir "$RINGDIR" --trust-model always --armor --encrypt \ - --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \ + stty -echo + echo -n "Enter passphrase: " >&2 + sed -e '1q' \ + | gpg --no-random-seed-file --batch --no-tty --armor \ + --no-default-keyring --no-options --enable-dsa2 \ + --homedir "$KEYDIR" --no-permission-warning \ + --secret-keyring "$SECRING" --keyring "$PUBRING" \ + --trust-model always --encrypt --recipient "$FINGERPRINT" \ + --comment "$FILECOMMENT" \ > "$SECFILE" - status="${PIPESTATUS[0]}" - if [ "$status" -ne 0 ]; then - exit "$status" - fi + echo >&2 + stty echo cat <<-EOF [$KEYNAME] host = $KEYNAME fingerprint = $FINGERPRINT secret = - EOF - sed --quiet --expression=' +EOF + sed -n -e ' /^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{ /^$/,${ # Remove 24-bit Radix-64 checksum @@ -321,5 +316,9 @@ shred --remove "$SECFILE" fi # Remove the key rings -shred --remove "$RINGDIR"/sec* -rm --recursive --force "$RINGDIR" +shred --remove "$SECRING" +rm --force "$PUBRING" "${PUBRING}~" +# Remove the trustdb, if one did not exist when we started +if [ -n "$TRUSTDB" ]; then + rm --force "$TRUSTDB" +fi === modified file 'mandos-keygen.xml' --- mandos-keygen.xml 2008-09-19 23:31:34 +0000 +++ mandos-keygen.xml 2008-08-31 15:06:39 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -36,7 +36,7 @@ - + &COMMANDNAME; 8 @@ -48,7 +48,7 @@ Generate key and password for Mandos client and server. - + &COMMANDNAME; @@ -122,10 +122,6 @@ - - - FILE @@ -163,7 +159,7 @@ &COMMANDNAME; is a program to generate the OpenPGP key used by - mandos-client + password-request 8mandos. The key is normally written to /etc/mandos for later installation into the initrd image, but this, and most other things, can be changed @@ -171,9 +167,8 @@ This program can also be used with the - or - options to generate a ready-made section for - clients.conf (see + option to generate a ready-made + section for clients.conf (see mandos-clients.conf 5). @@ -202,7 +197,7 @@ - + @@ -215,7 +210,7 @@ - + @@ -227,7 +222,7 @@ - + @@ -239,7 +234,7 @@ - + @@ -252,7 +247,7 @@ - + @@ -264,7 +259,7 @@ - + @@ -276,7 +271,7 @@ - + @@ -289,7 +284,7 @@ - + @@ -303,7 +298,7 @@ - + @@ -331,21 +326,9 @@ - - - - - - The same as , but read from - FILE, not the terminal. - - - - + OVERVIEW @@ -355,7 +338,7 @@ clients.conf on the server. - + EXIT STATUS @@ -418,13 +401,14 @@ - - - - - - - + + + BUGS + + None are known at this time. + + + EXAMPLE @@ -471,7 +455,7 @@ - + SECURITY @@ -486,7 +470,7 @@ 8. - + SEE ALSO @@ -496,7 +480,7 @@ 5, mandos 8, - mandos-client + password-request 8mandos === modified file 'mandos-options.xml' --- mandos-options.xml 2008-09-30 03:19:39 +0000 +++ mandos-options.xml 2008-09-03 05:04:40 +0000 @@ -6,7 +6,7 @@ This file is used by both mandos(8) and mandos.conf(5), since these options can be used both on the command line and in the config file. -It is also used for some texts by mandos-client(8mandos). +It is also used for some texts by password-request(8mandos). -->
@@ -58,8 +58,8 @@ Zeroconf service name. The default is Mandos. This only needs to be - changed if for some reason is would be necessary to run more than - one server on the same host. This would not + changed this if it, for some reason, is necessary to run more than + one server on the same host, which would not normally be useful. If there are name collisions on the same network, the newer server will automatically rename itself to Mandos #2, and === modified file 'mandos.conf.xml' --- mandos.conf.xml 2008-09-12 19:12:40 +0000 +++ mandos.conf.xml 2008-08-31 15:06:39 +0000 @@ -4,7 +4,7 @@ /etc/mandos/mandos.conf"> - + ]> @@ -37,7 +37,7 @@ - + &CONFNAME; 5 @@ -49,11 +49,11 @@ Configuration file for the Mandos server - + &CONFPATH; - + DESCRIPTION @@ -71,7 +71,7 @@ # or ; are ignored and may be used to provide comments. - + OPTIONS @@ -84,7 +84,7 @@ - + @@ -92,7 +92,7 @@ - + @@ -100,7 +100,7 @@ - + - + @@ -119,7 +119,7 @@ - + @@ -144,7 +144,7 @@ The [DEFAULT] is necessary because the Python built-in module ConfigParser - requires it. + requres it. @@ -185,7 +185,7 @@ mandos-clients.conf 5 - + === modified file 'mandos.xml' --- mandos.xml 2008-09-21 12:20:55 +0000 +++ mandos.xml 2008-09-02 17:42:53 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -36,7 +36,7 @@ - + &COMMANDNAME; 8 @@ -48,7 +48,7 @@ Gives encrypted passwords to authenticated Mandos clients - + &COMMANDNAME; @@ -100,7 +100,7 @@ - + DESCRIPTION @@ -186,7 +186,7 @@ - + @@ -194,7 +194,7 @@ - + @@ -203,7 +203,7 @@ xpointer="servicename"/> - + @@ -218,7 +218,7 @@ - + @@ -229,7 +229,7 @@ - + OVERVIEW @@ -239,7 +239,7 @@ RAM disk environment. - + NETWORK PROTOCOL @@ -297,7 +297,7 @@ - + CHECKING @@ -311,7 +311,7 @@ 5. - + LOGGING @@ -321,7 +321,7 @@ and also show them on the console. - + EXIT STATUS @@ -329,7 +329,7 @@ critical error is encountered. - + ENVIRONMENT @@ -349,7 +349,7 @@ - + FILES @@ -379,7 +379,7 @@ - /var/run/mandos.pid + /var/run/mandos/mandos.pid The file containing the process id of @@ -434,11 +434,7 @@ Debug mode is conflated with running in the foreground. - The console log messages does not show a time stamp. - - - This server does not check the expire time of clients’ OpenPGP - keys. + The console log messages does not show a timestamp. @@ -479,7 +475,7 @@ - + SECURITY @@ -487,8 +483,8 @@ Running this &COMMANDNAME; server program should not in itself present any security risk to the host - computer running it. The program switches to a non-root user - soon after startup. + computer running it. The program does not need any special + privileges to run, and is designed to run as a non-root user. @@ -504,7 +500,7 @@ mandos-clients.conf 5) must be made non-readable by anyone - except the user starting the server (usually root). + except the user running the server. As detailed in , the status of all @@ -529,12 +525,12 @@ For more details on client-side security, see - mandos-client + password-request 8mandos. - + SEE ALSO @@ -543,7 +539,7 @@ 5, mandos.conf 5, - mandos-client + password-request 8mandos, sh1 === modified file 'overview.xml' --- overview.xml 2008-09-13 15:36:18 +0000 +++ overview.xml 2008-09-01 08:29:23 +0000 @@ -6,12 +6,10 @@ encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which - will communicate with a server over a network. All network - communication is encrypted using TLS. The - clients are identified by the server using an OpenPGP key; each - client has one unique to it. The server sends the clients an - encrypted password. The encrypted password is decrypted by the - clients using the same OpenPGP key, and the password is then used to - unlock the root file system, whereupon the computers can continue - booting normally. + will communicate with a server over a network. The clients are + identified by the server using a OpenPGP key; each client has one + unique to it. The server sends the clients an encrypted password. + The encrypted password is decrypted by the clients using the same + OpenPGP key, and the password is then used to unlock the root file + system, whereupon the computers can continue booting normally. === modified file 'plugin-runner.c' --- plugin-runner.c 2008-09-26 04:54:35 +0000 +++ plugin-runner.c 2008-09-02 06:13:47 +0000 @@ -2,7 +2,7 @@ /* * Mandos plugin runner - Run Mandos plugins * - * Copyright © 2008 Teddy Hogeborn & Björn Påhlsson + * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -27,8 +27,8 @@ #include /* malloc(), exit(), EXIT_FAILURE, EXIT_SUCCESS, realloc() */ #include /* bool, true, false */ -#include /* perror, fileno(), fprintf(), - stderr, STDOUT_FILENO */ +#include /* perror, popen(), fileno(), + fprintf(), stderr, STDOUT_FILENO */ #include /* DIR, opendir(), stat(), struct stat, waitpid(), WIFEXITED(), WEXITSTATUS(), wait(), pid_t, @@ -46,7 +46,7 @@ fcntl(), setuid(), setgid(), F_GETFD, F_SETFD, FD_CLOEXEC, access(), pipe(), fork(), close() - dup2(), STDOUT_FILENO, _exit(), + dup2, STDOUT_FILENO, _exit(), execv(), write(), read(), close() */ #include /* fcntl(), F_GETFD, F_SETFD, @@ -72,6 +72,8 @@ const char *argp_program_version = "plugin-runner 1.0"; const char *argp_program_bug_address = ""; +struct plugin; + typedef struct plugin{ char *name; /* can be NULL or any plugin name */ char **argv; @@ -94,7 +96,7 @@ static plugin *plugin_list = NULL; -/* Gets an existing plugin based on name, +/* Gets a existing plugin based on name, or if none is found, creates a new one */ static plugin *getplugin(char *name){ /* Check for exiting plugin with that name */ @@ -116,7 +118,7 @@ return NULL; } } - + *new_plugin = (plugin) { .name = copy_name, .argc = 1, .disabled = false, @@ -185,10 +187,10 @@ size_t namelen = (size_t)(strchrnul(def, '=') - def); /* Search for this environment variable */ for(char **e = p->environ; *e != NULL; e++){ - if(strncmp(*e, def, namelen + 1) == 0){ + if(strncmp(*e, def, namelen+1) == 0){ /* It already exists */ if(replace){ - char *new = realloc(*e, strlen(def) + 1); + char *new = realloc(*e, strlen(def)); if(new == NULL){ return false; } @@ -206,7 +208,8 @@ * Descriptor Flags". * *Note File Descriptor Flags:(libc)Descriptor Flags. */ -static int set_cloexec_flag(int fd){ +static int set_cloexec_flag(int fd) +{ int ret = fcntl(fd, F_GETFD, 0); /* If reading the flags failed, return error indication now. */ if(ret < 0){ @@ -219,7 +222,7 @@ /* Mark processes as completed when they exit, and save their exit status. */ -static void handle_sigchld(__attribute__((unused)) int sig){ +void handle_sigchld(__attribute__((unused)) int sig){ while(true){ plugin *proc = plugin_list; int status; @@ -235,7 +238,7 @@ /* No child processes */ break; } - + /* A child exited, find it in process_list */ while(proc != NULL and proc->pid != pid){ proc = proc->next; @@ -250,8 +253,11 @@ } /* Prints out a password to stdout */ -static bool print_out_password(const char *buffer, size_t length){ +bool print_out_password(const char *buffer, size_t length){ ssize_t ret; + if(length>0 and buffer[length-1] == '\n'){ + length--; + } for(size_t written = 0; written < length; written += (size_t)ret){ ret = TEMP_FAILURE_RETRY(write(STDOUT_FILENO, buffer + written, length - written)); @@ -391,28 +397,36 @@ if(arg == NULL){ break; } - if(not add_environment(getplugin(NULL), arg, true)){ - perror("add_environment"); + { + char *envdef = strdup(arg); + if(envdef == NULL){ + break; + } + if(not add_environment(getplugin(NULL), envdef, true)){ + perror("add_environment"); + } } break; case 'o': /* --options-for */ if (arg != NULL){ char *p_name = strsep(&arg, ":"); - if(p_name[0] == '\0' or arg == NULL){ + if(p_name[0] == '\0'){ break; } char *opt = strsep(&arg, ":"); - if(opt[0] == '\0' or opt == NULL){ + if(opt[0] == '\0'){ break; } - char *p; - while((p = strsep(&opt, ",")) != NULL){ - if(p[0] == '\0'){ - continue; - } - if(not add_argument(getplugin(p_name), p)){ - perror("add_argument"); - return ARGP_ERR_UNKNOWN; + if(opt != NULL){ + char *p; + while((p = strsep(&opt, ",")) != NULL){ + if(p[0] == '\0'){ + continue; + } + if(not add_argument(getplugin(p_name), p)){ + perror("add_argument"); + return ARGP_ERR_UNKNOWN; + } } } } @@ -426,8 +440,12 @@ if(envdef == NULL){ break; } - *envdef = '\0'; - if(not add_environment(getplugin(arg), envdef+1, true)){ + char *p_name = strndup(arg, (size_t) (envdef-arg)); + if(p_name == NULL){ + break; + } + envdef++; + if(not add_environment(getplugin(p_name), envdef, true)){ perror("add_environment"); } } @@ -451,7 +469,6 @@ } break; case 128: /* --plugin-dir */ - free(plugindir); plugindir = strdup(arg); if(plugindir == NULL){ perror("strdup"); @@ -470,12 +487,7 @@ debug = true; break; case ARGP_KEY_ARG: - /* Cryptsetup always passes an argument, which is an empty - string if "none" was specified in /etc/crypttab. So if - argument was empty, we ignore it silently. */ - if(arg[0] != '\0'){ - fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg); - } + fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg); break; case ARGP_KEY_END: break; @@ -500,7 +512,6 @@ case 128: /* --plugin-dir */ break; case 129: /* --config-file */ - free(argfile); argfile = strdup(arg); if(argfile == NULL){ perror("strdup"); @@ -736,11 +747,7 @@ } char *filename; - if(plugindir == NULL){ - ret = asprintf(&filename, PDIR "/%s", dirst->d_name); - } else { - ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name); - } + ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name); if(ret < 0){ perror("asprintf"); continue; @@ -846,12 +853,12 @@ perror("sigaction"); _exit(EXIT_FAILURE); } - ret = sigprocmask(SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); + ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); if(ret < 0){ perror("sigprocmask"); _exit(EXIT_FAILURE); } - + ret = dup2(pipefd[1], STDOUT_FILENO); /* replace our stdout */ if(ret == -1){ perror("dup2"); @@ -907,11 +914,12 @@ if (maxfd < new_plugin->fd){ maxfd = new_plugin->fd; } + } closedir(dir); dir = NULL; - + for(plugin *p = plugin_list; p != NULL; p = p->next){ if(p->pid != 0){ break; @@ -922,7 +930,7 @@ free_plugin_list(); } } - + /* Main loop while running plugins exist */ while(plugin_list){ fd_set rfds = rfds_all; @@ -934,7 +942,7 @@ } /* OK, now either a process completed, or something can be read from one of them */ - for(plugin *proc = plugin_list; proc != NULL;){ + for(plugin *proc = plugin_list; proc != NULL; proc = proc->next){ /* Is this process completely done? */ if(proc->eof and proc->completed){ /* Only accept the plugin output if it exited cleanly */ @@ -967,11 +975,7 @@ exitstatus = EXIT_FAILURE; goto fallback; } - - plugin *next_plugin = proc->next; free_plugin(proc); - proc = next_plugin; - /* We are done modifying process list, so unblock signal */ ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); @@ -984,12 +988,11 @@ if(plugin_list == NULL){ break; } - continue; } /* This process exited nicely, so print its buffer */ - + bool bret = print_out_password(proc->buffer, proc->buffer_length); if(not bret){ @@ -1002,7 +1005,6 @@ /* This process has not completed. Does it have any output? */ if(proc->eof or not FD_ISSET(proc->fd, &rfds)){ /* This process had nothing to say at this time */ - proc = proc->next; continue; } /* Before reading, make the process' data buffer large enough */ @@ -1021,7 +1023,6 @@ BUFFER_SIZE); if(ret < 0){ /* Read error from this process; ignore the error */ - proc = proc->next; continue; } if(ret == 0){ @@ -1042,13 +1043,7 @@ bool bret; fprintf(stderr, "Going to fallback mode using getpass(3)\n"); char *passwordbuffer = getpass("Password: "); - size_t len = strlen(passwordbuffer); - /* Strip trailing newline */ - if(len > 0 and passwordbuffer[len-1] == '\n'){ - passwordbuffer[len-1] = '\0'; /* not strictly necessary */ - len--; - } - bret = print_out_password(passwordbuffer, len); + bret = print_out_password(passwordbuffer, strlen(passwordbuffer)); if(not bret){ perror("print_out_password"); exitstatus = EXIT_FAILURE; @@ -1061,7 +1056,7 @@ perror("sigaction"); exitstatus = EXIT_FAILURE; } - + if(custom_argv != NULL){ for(char **arg = custom_argv+1; *arg != NULL; arg++){ free(*arg); @@ -1073,7 +1068,7 @@ closedir(dir); } - /* Kill the processes */ + /* Free the process list and kill the processes */ for(plugin *p = plugin_list; p != NULL; p = p->next){ if(p->pid != 0){ close(p->fd); @@ -1092,7 +1087,7 @@ if(errno != ECHILD){ perror("wait"); } - + free_plugin_list(); free(plugindir); === removed file 'plugin-runner.conf' --- plugin-runner.conf 2008-09-06 16:31:49 +0000 +++ plugin-runner.conf 1970-01-01 00:00:00 +0000 @@ -1,9 +0,0 @@ -## This is the configuration file for plugin-runner. It should be -## installed as "/etc/mandos/plugin-runner.conf", which will be copied -## to "/conf/conf.d/mandos/plugin-runner.conf" in the initrd.img file. -## -## The default network interface for mandos-client(8mandos) is -## "eth0". Uncomment this line and change it if necessary. -## - -#--options-for=mandos-client:--interface=eth0 === modified file 'plugin-runner.xml' --- plugin-runner.xml 2008-09-19 00:00:51 +0000 +++ plugin-runner.xml 2008-09-02 13:04:42 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -36,7 +36,7 @@ - + &COMMANDNAME; 8mandos @@ -45,19 +45,19 @@ &COMMANDNAME; - Run Mandos plugins, pass data from first to succeed. + Run Mandos plugins. Pass data from first succesful one. - + &COMMANDNAME; @@ -140,11 +140,11 @@ DESCRIPTION &COMMANDNAME; is a program which is meant to - be specified as a keyscript for the root disk in - crypttab - 5. The aim of this - program is therefore to output a password, which then - cryptsetup + be specified as keyscript in + crypttab + 5 for the root disk. The + aim of this program is therefore to output a password, which + then cryptsetup 8 will use to unlock the root disk. @@ -170,10 +170,10 @@ @@ -247,7 +247,7 @@ - + @@ -261,7 +261,7 @@ - + @@ -272,11 +272,11 @@ Re-enable the plugin named PLUGIN. This is only useful to undo a previous option, maybe - from the configuration file. + from the config file. - + @@ -289,7 +289,7 @@ - + @@ -302,7 +302,7 @@ - + @@ -365,7 +365,7 @@ - + @@ -377,7 +377,7 @@ - + OVERVIEW @@ -403,7 +403,7 @@ code will make this plugin-runner output the password from that plugin, stop any other plugins, and exit. - + WRITING PLUGINS @@ -416,11 +416,6 @@ console. - If the password is a single-line, manually entered passprase, - a final trailing newline character should - not be printed. - - The plugin will run in the initial RAM disk environment, so care must be taken not to depend on any files or running services not available there. @@ -433,8 +428,8 @@ The plugin must not use resources, like for instance reading - from the standard input, without knowing that no other plugin - is also using it. + from the standard input, without knowing that no other plugins + are also using it. It is useful, but not required, for the plugin to take the @@ -472,7 +467,7 @@ only passes on its environment to all the plugins. The environment passed to plugins can be modified using the and - options. + optins. @@ -515,13 +510,11 @@ - - BUGS - - The option is ignored when - specified from within a configuration file. - - + + + + + EXAMPLE @@ -569,15 +562,15 @@ - Run plugins from a different directory, read a different - configuration file, and add two options to the - mandos-client + Run plugins from a different directory and add a special + option to the password-request 8mandos plugin: -&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt +&COMMANDNAME; --plugin-dir=plugins.d --options-for=password-request:--keydir=keydir @@ -591,16 +584,16 @@ non-privileged. This user and group is then what all plugins will be started as. Therefore, the only way to run a plugin as a privileged user is to have the set-user-ID or set-group-ID bit - set on the plugin executable file (see + set on the plugin executable files (see execve2 ). If this program is used as a keyscript in crypttab5 - , there is a slight risk that if this program - fails to work, there might be no way to boot the system except - for booting from another media and editing the initial RAM disk + , there is a risk that if this program fails to + work, there might be no way to boot the system except for + booting from another media and editing the initial RAM disk image to not run this program. This is, however, unlikely, since the password-prompt8mandos @@ -625,7 +618,7 @@ 8, password-prompt 8mandos, - mandos-client + password-request 8mandos === removed file 'plugins.d/askpass-fifo.c' --- plugins.d/askpass-fifo.c 2008-09-26 19:47:21 +0000 +++ plugins.d/askpass-fifo.c 1970-01-01 00:00:00 +0000 @@ -1,80 +0,0 @@ -#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */ -#include /* ssize_t */ -#include /* mkfifo(), S_IRUSR, S_IWUSR */ -#include /* and */ -#include /* errno, EEXIST */ -#include /* perror() */ -#include /* EXIT_FAILURE, NULL, size_t, free(), - realloc(), EXIT_SUCCESS */ -#include /* open(), O_RDONLY */ -#include /* read(), close(), write(), - STDOUT_FILENO */ - - -int main(__attribute__((unused))int argc, - __attribute__((unused))char **argv){ - int ret = 0; - ssize_t sret; - - /* Create FIFO */ - const char passfifo[] = "/lib/cryptsetup/passfifo"; - ret = TEMP_FAILURE_RETRY(mkfifo(passfifo, S_IRUSR | S_IWUSR)); - if(ret == -1 and errno != EEXIST){ - perror("mkfifo"); - return EXIT_FAILURE; - } - - /* Open FIFO */ - int fifo_fd = TEMP_FAILURE_RETRY(open(passfifo, O_RDONLY)); - if(fifo_fd == -1){ - perror("open"); - return EXIT_FAILURE; - } - - /* Read from FIFO */ - char *buf = NULL; - size_t buf_len = 0; - { - size_t buf_allocated = 0; - const size_t blocksize = 1024; - do{ - if(buf_len + blocksize > buf_allocated){ - char *tmp = realloc(buf, buf_allocated + blocksize); - if(tmp == NULL){ - perror("realloc"); - free(buf); - return EXIT_FAILURE; - } - buf = tmp; - buf_allocated += blocksize; - } - sret = TEMP_FAILURE_RETRY(read(fifo_fd, buf + buf_len, - buf_allocated - buf_len)); - if(sret == -1){ - perror("read"); - free(buf); - return EXIT_FAILURE; - } - buf_len += (size_t)sret; - }while(sret != 0); - } - - /* Close FIFO */ - TEMP_FAILURE_RETRY(close(fifo_fd)); - - /* Print password to stdout */ - size_t written = 0; - while(written < buf_len){ - sret = TEMP_FAILURE_RETRY(write(STDOUT_FILENO, buf + written, - buf_len - written)); - if(sret == -1){ - perror("write"); - free(buf); - return EXIT_FAILURE; - } - written += (size_t)sret; - } - free(buf); - - return EXIT_SUCCESS; -} === modified file 'plugins.d/password-prompt.c' --- plugins.d/password-prompt.c 2008-09-19 20:42:17 +0000 +++ plugins.d/password-prompt.c 2008-08-29 05:53:59 +0000 @@ -2,7 +2,7 @@ /* * Passprompt - Read a password from the terminal and print it * - * Copyright © 2008 Teddy Hogeborn & Björn Påhlsson + * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -216,11 +216,6 @@ status = EXIT_SUCCESS; /* Make n = data size instead of allocated buffer size */ n = (size_t)ret; - /* Strip final newline */ - if(n>0 and buffer[n-1] == '\n'){ - buffer[n-1] = '\0'; /* not strictly necessary */ - n--; - } size_t written = 0; while(written < n){ ret = write(STDOUT_FILENO, buffer + written, n - written); @@ -249,8 +244,6 @@ fprintf(stderr, "getline() returned 0, retrying.\n"); } } - - free(buffer); if (debug){ fprintf(stderr, "Restoring terminal attributes\n"); @@ -263,9 +256,6 @@ fprintf(stderr, "%s is exiting with status %d\n", argv[0], status); } - if(status == EXIT_SUCCESS){ - fputc('\n', stderr); - } return status; } === modified file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2008-09-06 16:31:49 +0000 +++ plugins.d/password-prompt.xml 2008-09-01 08:29:23 +0000 @@ -3,7 +3,7 @@ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ - + ]> @@ -87,7 +87,7 @@ is not very useful on its own. This program is really meant to run as a plugin in the Mandos client-side system, where it is used as a fallback and - alternative to retrieving passwords from a Mandos server. @@ -240,7 +240,7 @@ Show a prefix before the prompt; in this case, a host name. It might be useful to be reminded of which host needs a - password, in case of KVM switches, etc. + password, in case of KVM switches, etc. @@ -270,7 +270,7 @@ >plugin-runner8mandos , and will, when run standalone, outside, in a normal environment, immediately output on its standard output - any presumably secret password it just received. Therefore, + any presumably secret password it just recieved. Therefore, when running this program standalone (which should never normally be done), take care not to type in any real secret password by force of habit, since it would then immediately be @@ -290,7 +290,7 @@ crypttab 5 - mandos-client + password-request 8mandos plugin-runner 8mandos, === renamed file 'plugins.d/mandos-client.c' => 'plugins.d/password-request.c' --- plugins.d/mandos-client.c 2008-09-19 20:42:17 +0000 +++ plugins.d/password-request.c 2008-09-03 05:04:40 +0000 @@ -9,7 +9,7 @@ * "browse_callback", and parts of "main". * * Everything else is - * Copyright © 2008 Teddy Hogeborn & Björn Påhlsson + * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -47,24 +47,21 @@ #include /* socket(), inet_pton(), sockaddr, sockaddr_in6, PF_INET6, SOCK_STREAM, INET6_ADDRSTRLEN, - uid_t, gid_t, open(), opendir(), DIR */ -#include /* open() */ + uid_t, gid_t */ +#include /* PRIu16 */ #include /* socket(), struct sockaddr_in6, struct in6_addr, inet_pton(), connect() */ -#include /* open() */ -#include /* opendir(), struct dirent, readdir() */ -#include /* PRIu16 */ #include /* assert() */ #include /* perror(), errno */ #include /* time() */ #include /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS, if_indextoname(), if_nametoindex(), IF_NAMESIZE */ -#include #include /* close(), SEEK_SET, off_t, write(), getuid(), getgid(), setuid(), setgid() */ +#include #include /* inet_pton(), htons */ #include /* not, and */ #include /* struct argp_option, error_t, struct @@ -101,17 +98,10 @@ #define BUFFER_SIZE 256 -/* - #define PATHDIR "/conf/conf.d/mandos" -*/ - -#define PATHDIR "/conf/conf.d/mandos" -#define SECKEY "seckey.txt" -#define PUBKEY "pubkey.txt" - bool debug = false; +static const char *keydir = "/conf/conf.d/mandos"; static const char mandos_protocol_version[] = "1"; -const char *argp_program_version = "mandos-client 1.0"; +const char *argp_program_version = "password-request 1.0"; const char *argp_program_bug_address = ""; /* Used for passing in values through the Avahi callback functions */ @@ -122,7 +112,6 @@ unsigned int dh_bits; gnutls_dh_params_t dh_params; const char *priority; - gpgme_ctx_t ctx; } mandos_context; /* @@ -143,52 +132,23 @@ } /* - * Initialize GPGME. + * Decrypt OpenPGP data using keyrings in HOMEDIR. + * Returns -1 on error */ -static bool init_gpgme(mandos_context *mc, const char *seckey, - const char *pubkey, const char *tempdir){ - int ret; +static ssize_t pgp_packet_decrypt (const char *cryptotext, + size_t crypto_size, + char **plaintext, + const char *homedir){ + gpgme_data_t dh_crypto, dh_plain; + gpgme_ctx_t ctx; gpgme_error_t rc; + ssize_t ret; + size_t plaintext_capacity = 0; + ssize_t plaintext_length = 0; gpgme_engine_info_t engine_info; - - /* - * Helper function to insert pub and seckey to the enigne keyring. - */ - bool import_key(const char *filename){ - int fd; - gpgme_data_t pgp_data; - - fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY)); - if(fd == -1){ - perror("open"); - return false; - } - - rc = gpgme_data_new_from_fd(&pgp_data, fd); - if (rc != GPG_ERR_NO_ERROR){ - fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n", - gpgme_strsource(rc), gpgme_strerror(rc)); - return false; - } - - rc = gpgme_op_import(mc->ctx, pgp_data); - if (rc != GPG_ERR_NO_ERROR){ - fprintf(stderr, "bad gpgme_op_import: %s: %s\n", - gpgme_strsource(rc), gpgme_strerror(rc)); - return false; - } - - ret = TEMP_FAILURE_RETRY(close(fd)); - if(ret == -1){ - perror("close"); - } - gpgme_data_release(pgp_data); - return true; - } - if (debug){ - fprintf(stderr, "Initialize gpgme\n"); + fprintf(stderr, "Trying to decrypt OpenPGP data\n"); } /* Init GPGME */ @@ -197,60 +157,27 @@ if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); - return false; + return -1; } - /* Set GPGME home directory for the OpenPGP engine only */ + /* Set GPGME home directory for the OpenPGP engine only */ rc = gpgme_get_engine_info (&engine_info); if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); - return false; + return -1; } while(engine_info != NULL){ if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){ gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP, - engine_info->file_name, tempdir); + engine_info->file_name, homedir); break; } engine_info = engine_info->next; } if(engine_info == NULL){ - fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir); - return false; - } - - /* Create new GPGME "context" */ - rc = gpgme_new(&(mc->ctx)); - if (rc != GPG_ERR_NO_ERROR){ - fprintf(stderr, "bad gpgme_new: %s: %s\n", - gpgme_strsource(rc), gpgme_strerror(rc)); - return false; - } - - if (not import_key(pubkey) or not import_key(seckey)){ - return false; - } - - return true; -} - -/* - * Decrypt OpenPGP data. - * Returns -1 on error - */ -static ssize_t pgp_packet_decrypt (const mandos_context *mc, - const char *cryptotext, - size_t crypto_size, - char **plaintext){ - gpgme_data_t dh_crypto, dh_plain; - gpgme_error_t rc; - ssize_t ret; - size_t plaintext_capacity = 0; - ssize_t plaintext_length = 0; - - if (debug){ - fprintf(stderr, "Trying to decrypt OpenPGP data\n"); + fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir); + return -1; } /* Create new GPGME data buffer from memory cryptotext */ @@ -271,16 +198,25 @@ return -1; } + /* Create new GPGME "context" */ + rc = gpgme_new(&ctx); + if (rc != GPG_ERR_NO_ERROR){ + fprintf(stderr, "bad gpgme_new: %s: %s\n", + gpgme_strsource(rc), gpgme_strerror(rc)); + plaintext_length = -1; + goto decrypt_end; + } + /* Decrypt data from the cryptotext data buffer to the plaintext data buffer */ - rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain); + rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain); if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); plaintext_length = -1; if (debug){ gpgme_decrypt_result_t result; - result = gpgme_op_decrypt_result(mc->ctx); + result = gpgme_op_decrypt_result(ctx); if (result == NULL){ fprintf(stderr, "gpgme_op_decrypt_result failed\n"); } else { @@ -315,7 +251,7 @@ /* Seek back to the beginning of the GPGME plaintext data buffer */ if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){ - perror("gpgme_data_seek"); + perror("pgpme_data_seek"); plaintext_length = -1; goto decrypt_end; } @@ -412,8 +348,8 @@ } if(debug){ - fprintf(stderr, "Attempting to use OpenPGP public key %s and" - " secret key %s as GnuTLS credentials\n", pubkeyfilename, + fprintf(stderr, "Attempting to use OpenPGP certificate %s" + " and keyfile %s as GnuTLS credentials\n", pubkeyfilename, seckeyfilename); } @@ -424,7 +360,7 @@ fprintf(stderr, "Error[%d] while reading the OpenPGP key pair ('%s'," " '%s')\n", ret, pubkeyfilename, seckeyfilename); - fprintf(stderr, "The GnuTLS error is: %s\n", + fprintf(stdout, "The GnuTLS error is: %s\n", safer_gnutls_strerror(ret)); goto globalfail; } @@ -451,7 +387,6 @@ gnutls_certificate_free_credentials(mc->cred); gnutls_global_deinit(); - gnutls_dh_params_deinit(mc->dh_params); return -1; } @@ -675,9 +610,10 @@ gnutls_bye (session, GNUTLS_SHUT_RDWR); if (buffer_length > 0){ - decrypted_buffer_size = pgp_packet_decrypt(mc, buffer, + decrypted_buffer_size = pgp_packet_decrypt(buffer, buffer_length, - &decrypted_buffer); + &decrypted_buffer, + keydir); if (decrypted_buffer_size >= 0){ written = 0; while(written < (size_t) decrypted_buffer_size){ @@ -706,10 +642,7 @@ mandos_end: free(buffer); - ret = TEMP_FAILURE_RETRY(close(tcp_sd)); - if(ret == -1){ - perror("close"); - } + close(tcp_sd); gnutls_deinit (session); return retval; } @@ -811,6 +744,18 @@ } } +/* Combines file name and path and returns the malloced new + string. some sane checks could/should be added */ +static char *combinepath(const char *first, const char *second){ + char *tmp; + int ret = asprintf(&tmp, "%s/%s", first, second); + if(ret < 0){ + return NULL; + } + return tmp; +} + + int main(int argc, char *argv[]){ AvahiSServiceBrowser *sb = NULL; int error; @@ -822,16 +767,15 @@ uid_t uid; gid_t gid; char *connect_to = NULL; - char tempdir[] = "/tmp/mandosXXXXXX"; AvahiIfIndex if_index = AVAHI_IF_UNSPEC; - const char *seckey = PATHDIR "/" SECKEY; - const char *pubkey = PATHDIR "/" PUBKEY; - + char *pubkeyfilename = NULL; + char *seckeyfilename = NULL; + const char *pubkeyname = "pubkey.txt"; + const char *seckeyname = "seckey.txt"; mandos_context mc = { .simple_poll = NULL, .server = NULL, .dh_bits = 1024, .priority = "SECURE256" ":!CTYPE-X.509:+CTYPE-OPENPGP" }; bool gnutls_initalized = false; - bool gpgme_initalized = false; { struct argp_option options[] = { @@ -846,6 +790,10 @@ .doc = "Interface that will be used to search for Mandos" " servers", .group = 1 }, + { .name = "keydir", .key = 'd', + .arg = "DIRECTORY", + .doc = "Directory to read the OpenPGP key files from", + .group = 1 }, { .name = "seckey", .key = 's', .arg = "FILE", .doc = "OpenPGP secret key file base name", @@ -880,11 +828,14 @@ case 'i': /* --interface */ interface = arg; break; + case 'd': /* --keydir */ + keydir = arg; + break; case 's': /* --seckey */ - seckey = arg; + seckeyname = arg; break; case 'p': /* --pubkey */ - pubkey = arg; + pubkeyname = arg; break; case 129: /* --dh-bits */ errno = 0; @@ -919,6 +870,29 @@ } } + pubkeyfilename = combinepath(keydir, pubkeyname); + if (pubkeyfilename == NULL){ + perror("combinepath"); + exitcode = EXIT_FAILURE; + goto end; + } + + seckeyfilename = combinepath(keydir, seckeyname); + if (seckeyfilename == NULL){ + perror("combinepath"); + exitcode = EXIT_FAILURE; + goto end; + } + + ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename); + if (ret == -1){ + fprintf(stderr, "init_gnutls_global failed\n"); + exitcode = EXIT_FAILURE; + goto end; + } else { + gnutls_initalized = true; + } + /* If the interface is down, bring it up */ { sd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); @@ -943,10 +917,7 @@ goto end; } } - ret = TEMP_FAILURE_RETRY(close(sd)); - if(ret == -1){ - perror("close"); - } + close(sd); } uid = getuid(); @@ -962,29 +933,6 @@ perror("setgid"); } - ret = init_gnutls_global(&mc, pubkey, seckey); - if (ret == -1){ - fprintf(stderr, "init_gnutls_global failed\n"); - exitcode = EXIT_FAILURE; - goto end; - } else { - gnutls_initalized = true; - } - - if(mkdtemp(tempdir) == NULL){ - perror("mkdtemp"); - tempdir[0] = '\0'; - goto end; - } - - if(not init_gpgme(&mc, pubkey, seckey, tempdir)){ - fprintf(stderr, "gpgme_initalized failed\n"); - exitcode = EXIT_FAILURE; - goto end; - } else { - gpgme_initalized = true; - } - if_index = (AvahiIfIndex) if_nametoindex(interface); if(if_index == 0){ fprintf(stderr, "No such interface: \"%s\"\n", interface); @@ -1095,53 +1043,13 @@ if (mc.simple_poll != NULL) avahi_simple_poll_free(mc.simple_poll); + free(pubkeyfilename); + free(seckeyfilename); if (gnutls_initalized){ gnutls_certificate_free_credentials(mc.cred); gnutls_global_deinit (); - gnutls_dh_params_deinit(mc.dh_params); - } - - if(gpgme_initalized){ - gpgme_release(mc.ctx); - } - - /* Removes the temp directory used by GPGME */ - if(tempdir[0] != '\0'){ - DIR *d; - struct dirent *direntry; - d = opendir(tempdir); - if(d == NULL){ - perror("opendir"); - } else { - while(true){ - direntry = readdir(d); - if(direntry == NULL){ - break; - } - if (direntry->d_type == DT_REG){ - char *fullname = NULL; - ret = asprintf(&fullname, "%s/%s", tempdir, - direntry->d_name); - if(ret < 0){ - perror("asprintf"); - continue; - } - ret = unlink(fullname); - if(ret == -1){ - fprintf(stderr, "unlink(\"%s\"): %s", - fullname, strerror(errno)); - } - free(fullname); - } - } - closedir(d); - } - ret = rmdir(tempdir); - if(ret == -1){ - perror("rmdir"); - } - } - + } + return exitcode; } === renamed file 'plugins.d/mandos-client.xml' => 'plugins.d/password-request.xml' --- plugins.d/mandos-client.xml 2008-09-30 03:19:39 +0000 +++ plugins.d/password-request.xml 2008-09-03 05:04:40 +0000 @@ -2,8 +2,8 @@ - - + + ]> @@ -36,7 +36,7 @@ - + &COMMANDNAME; 8mandos @@ -45,23 +45,30 @@ &COMMANDNAME; - Client for Mandos + Client for mandos - + &COMMANDNAME; + + + + + - + DESCRIPTION @@ -121,10 +128,10 @@ communicates with mandos8 to get a password. It uses IPv6 link-local addresses to get - network connectivity, Zeroconf to find servers, and TLS with an - OpenPGP key to ensure authenticity and confidentiality. It + network connectivity, Zeroconf to find the server, and TLS with + an OpenPGP key to ensure authenticity and confidentiality. It keeps running, trying all servers on the network, until it - receives a satisfactory reply or a TERM signal is received. + receives a satisfactory reply. This program is not meant to be run directly; it is really meant @@ -184,6 +191,22 @@ + + + + + Directory to read the OpenPGP key files + pubkey.txt and + seckey.txt from. The default is + /conf/conf.d/mandos (in the initial + RAM disk environment). + + + + + - - If the option is used, this - specifies the interface to use to connect to the address - given. - @@ -209,13 +227,14 @@ FILE - OpenPGP public key file name. The default name is - /conf/conf.d/mandos/pubkey.txt. + OpenPGP public key file base name. This will be combined + with the directory from the + option to form an absolute file name. The default name is + pubkey.txt. - + @@ -223,9 +242,10 @@ FILE - OpenPGP secret key file name. The default name is - /conf/conf.d/mandos/seckey.txt. + OpenPGP secret key file base name. This will be combined + with the directory from the + option to form an absolute file name. The default name is + seckey.txt. @@ -238,7 +258,7 @@ xpointer="priority"/> - + @@ -284,7 +304,7 @@ - + @@ -296,7 +316,7 @@ - + OVERVIEW @@ -309,14 +329,10 @@ This program could, theoretically, be used as a keyscript in /etc/crypttab, but it would then be - impossible to enter a password for the encrypted root disk at - the console, since this program does not read from the console - at all. This is why a separate plugin runner ( - plugin-runner - 8mandos) is used to run - both this program and others in in parallel, - one of which will prompt for passwords on - the system console. + impossible to enter the encrypted root disk password at the + console, since this program does not read from the console at + all. This is why a separate plugin does that, which will be run + in parallell to this one. @@ -328,8 +344,8 @@ successfully decrypted and output on standard output. The program will exit with a non-zero exit status only if a critical error occurs. Otherwise, it will forever connect to new - Mandos servers as they appear, trying - to get a decryptable password and print it. + Mandosservers servers as they appear, + trying to get a decryptable password. @@ -345,139 +361,31 @@ FILES - - - /conf/conf.d/mandos/pubkey.txt - /conf/conf.d/mandos/seckey.txt - - - OpenPGP public and private key files, in ASCII - Armor format. These are the default file names, - they can be changed with the and - options. - - - - - - - - - - - - + + + + + + BUGS + + + + EXAMPLE - Note that normally, command line options will not be given - directly, but via options for the Mandos plugin-runner - 8mandos. - - - Normal invocation needs no options, if the network interface - is eth0: - - - &COMMANDNAME; - - - - - Search for Mandos servers (and connect to them) using another - interface: - - - - &COMMANDNAME; --interface eth1 - - - - - Run in debug mode, and use a custom key: - - - - -&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt - - - - - - Run in debug mode, with a custom key, and do not use Zeroconf - to locate a server; connect directly to the IPv6 address - 2001:db8:f983:bd0b:30de:ae4a:71f2:f672, - port 4711, using interface eth2: - - - - -&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2 - - - - + SECURITY - This program is set-uid to root, but will switch back to the - original (and presumably non-privileged) user and group after - bringing up the network interface. - - - To use this program for its intended purpose (see ), the password for the root file system will - have to be given out to be stored in a server computer, after - having been encrypted using an OpenPGP key. This encrypted data - which will be stored in a server can only be decrypted by the - OpenPGP key, and the data will only be given out to those - clients who can prove they actually have that key. This key, - however, is stored unencrypted on the client side in its initial - RAM disk image file system. This is normally - readable by all, but this is normally fixed during installation - of this program; file permissions are set so that no-one is able - to read that file. - - - The only remaining weak point is that someone with physical - access to the client hard drive might turn off the client - computer, read the OpenPGP keys directly from the hard drive, - and communicate with the server. To safeguard against this, the - server is supposed to notice the client disappearing and stop - giving out the encrypted data. Therefore, it is important to - set the timeout and checker interval values tightly on the - server. See mandos8. - - - It will also help if the checker program on the server is - configured to request something from the client which can not be - spoofed by someone else on the network, unlike unencrypted - ICMP echo (ping) replies. - - - Note: This makes it completely insecure to - have Mandos clients which dual-boot - to another operating system which is not - trusted to keep the initial RAM disk image - confidential. - + SEE ALSO - cryptsetup - 8, - crypttab - 5, mandos 8, password-prompt @@ -485,124 +393,45 @@ plugin-runner 8mandos - - - - Zeroconf - - - - Zeroconf is the network protocol standard used for finding - Mandos servers on the local network. - - - - - - Avahi - - - - Avahi is the library this program calls to find Zeroconf - services. - - - - - - GnuTLS - - - - GnuTLS is the library this client uses to implement TLS for - communicating securely with the server, and at the same time - send the public OpenPGP key to the server. - - - - - - GPGME - - - - GPGME is the library used to decrypt the OpenPGP data sent - by the server. - - - - - - RFC 4291: IP Version 6 Addressing - Architecture - - - - - Section 2.2: Text Representation of - Addresses - - - - Section 2.5.5.2: IPv4-Mapped IPv6 - Address - - - - Section 2.5.6, Link-Local IPv6 Unicast - Addresses - - - This client uses IPv6 link-local addresses, which are - immediately usable since a link-local addresses is - automatically assigned to a network interfaces when it - is brought up. - - - - - - - - - RFC 4346: The Transport Layer Security (TLS) - Protocol Version 1.1 - - - - TLS 1.1 is the protocol implemented by GnuTLS. - - - - - - RFC 4880: OpenPGP Message Format - - - - The data received from the server is binary encrypted - OpenPGP data. - - - - - - RFC 5081: Using OpenPGP Keys for Transport Layer - Security - - - - This is implemented by GnuTLS and used by this program so - that OpenPGP keys can be used. - - - - + + + Zeroconf + + + + Avahi + + + + GnuTLS + + + + GPGME + + + + RFC 4880: OpenPGP Message + Format + + + + RFC 5081: Using OpenPGP Keys for + Transport Layer Security + + + + RFC 4291: IP Version 6 Addressing + Architecture, section 2.5.6, Link-Local IPv6 + Unicast Addresses + + + - === removed file 'plugins.d/splashy.c' --- plugins.d/splashy.c 2008-09-24 23:03:31 +0000 +++ plugins.d/splashy.c 1970-01-01 00:00:00 +0000 @@ -1,220 +0,0 @@ -#define _GNU_SOURCE /* asprintf() */ -#include /* sig_atomic_t, struct sigaction, - sigemptyset(), sigaddset(), - sigaction, SIGINT, SIG_IGN, SIGHUP, - SIGTERM, kill(), SIGKILL */ -#include /* NULL */ -#include /* getenv() */ -#include /* asprintf(), perror() */ -#include /* EXIT_FAILURE, EXIT_SUCCESS, - strtoul(), free() */ -#include /* pid_t, DIR, struct dirent, - ssize_t */ -#include /* opendir(), readdir(), closedir() */ -#include /* readlink(), fork(), execl(), - _exit */ -#include /* memcmp() */ -#include /* and */ -#include /* errno */ -#include /* waitpid(), WIFEXITED(), - WEXITSTATUS() */ - -sig_atomic_t interrupted_by_signal = 0; - -static void termination_handler(__attribute__((unused))int signum){ - interrupted_by_signal = 1; -} - -int main(__attribute__((unused))int argc, - __attribute__((unused))char **argv){ - int ret = 0; - - /* Create prompt string */ - char *prompt = NULL; - { - const char *const cryptsource = getenv("cryptsource"); - const char *const crypttarget = getenv("crypttarget"); - const char *const prompt_start = "getpass " - "Enter passphrase to unlock the disk"; - - if(cryptsource == NULL){ - if(crypttarget == NULL){ - ret = asprintf(&prompt, "%s: ", prompt_start); - } else { - ret = asprintf(&prompt, "%s (%s): ", prompt_start, - crypttarget); - } - } else { - if(crypttarget == NULL){ - ret = asprintf(&prompt, "%s %s: ", prompt_start, cryptsource); - } else { - ret = asprintf(&prompt, "%s %s (%s): ", prompt_start, - cryptsource, crypttarget); - } - } - if(ret == -1){ - return EXIT_FAILURE; - } - } - - /* Find splashy process */ - pid_t splashy_pid = 0; - { - const char splashy_name[] = "/sbin/splashy"; - DIR *proc_dir = opendir("/proc"); - if(proc_dir == NULL){ - free(prompt); - perror("opendir"); - return EXIT_FAILURE; - } - for(struct dirent *proc_ent = readdir(proc_dir); - proc_ent != NULL; - proc_ent = readdir(proc_dir)){ - pid_t pid = (pid_t) strtoul(proc_ent->d_name, NULL, 10); - if(pid == 0){ - /* Not a process */ - continue; - } - /* Find the executable name by doing readlink() on the - /proc//exe link */ - char exe_target[sizeof(splashy_name)]; - ssize_t sret; - { - char *exe_link; - ret = asprintf(&exe_link, "/proc/%s/exe", proc_ent->d_name); - if(ret == -1){ - perror("asprintf"); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - sret = readlink(exe_link, exe_target, sizeof(exe_target)); - free(exe_link); - } - if((sret == ((ssize_t)sizeof(exe_target)-1)) - and (memcmp(splashy_name, exe_target, - sizeof(exe_target)-1) == 0)){ - splashy_pid = pid; - break; - } - } - closedir(proc_dir); - } - if(splashy_pid == 0){ - free(prompt); - return EXIT_FAILURE; - } - - /* Set up the signal handler */ - { - struct sigaction old_action, - new_action = { .sa_handler = termination_handler, - .sa_flags = 0 }; - sigemptyset(&new_action.sa_mask); - sigaddset(&new_action.sa_mask, SIGINT); - sigaddset(&new_action.sa_mask, SIGHUP); - sigaddset(&new_action.sa_mask, SIGTERM); - ret = sigaction(SIGINT, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGINT, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGHUP, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGHUP, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGTERM, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGTERM, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - } - - /* Fork off the splashy command to prompt for password */ - pid_t splashy_command_pid = 0; - if(not interrupted_by_signal){ - splashy_command_pid = fork(); - if(splashy_command_pid == -1){ - if(not interrupted_by_signal){ - perror("fork"); - } - return EXIT_FAILURE; - } - /* Child */ - if(splashy_command_pid == 0){ - const char splashy_command[] = "/sbin/splashy_update"; - ret = execl(splashy_command, splashy_command, prompt, - (char *)NULL); - if(not interrupted_by_signal and errno != ENOENT){ - /* Don't report "File not found", since splashy might not be - installed. */ - perror("execl"); - } - free(prompt); - return EXIT_FAILURE; - } - } - - /* Parent */ - free(prompt); - - /* Wait for command to complete */ - int status; - while(not interrupted_by_signal){ - waitpid(splashy_command_pid, &status, 0); - if(not interrupted_by_signal - and WIFEXITED(status) and WEXITSTATUS(status)==0){ - return EXIT_SUCCESS; - } - } - kill(splashy_pid, SIGTERM); - if(interrupted_by_signal){ - kill(splashy_command_pid, SIGTERM); - } - - pid_t new_splashy_pid = fork(); - if(new_splashy_pid == 0){ - /* Child; will become new splashy process */ - while(kill(splashy_pid, 0)){ - sleep(2); - kill(splashy_pid, SIGKILL); - sleep(1); - } - ret = dup2(STDERR_FILENO, STDOUT_FILENO); /* replace our stdout */ - if(ret == -1){ - perror("dup2"); - _exit(EXIT_FAILURE); - } - execl("/sbin/splashy", "/sbin/splashy", "boot", (char *)NULL); - } - - return EXIT_FAILURE; -} === added file 'plugins.d/usplash' --- plugins.d/usplash 1970-01-01 00:00:00 +0000 +++ plugins.d/usplash 2008-08-14 02:24:59 +0000 @@ -0,0 +1,42 @@ +#!/bin/sh -e + +# If not on a tty, then get rid of possibly disrupting stderr output +if ! tty -s; then + exec 2>/dev/null +fi + +test -x /sbin/usplash + +usplash="`pidof usplash -o $$`" +test -n "$usplash" + +# We get some variables from cryptsetup: +# $cryptsource the device node, like "/dev/sda3" +# $crypttarget the device mapper name, like "sda3_crypt". + +prompt="Enter passphrase to unlock" +if [ -n "$crypttarget" ]; then + prompt="$prompt the disk $crypttarget" +fi +if [ -n "$cryptsource" ]; then + prompt="$prompt ($cryptsource)" +fi + +splash_input_password(){ + test -p /dev/.initramfs/usplash_outfifo || return 1 + /sbin/usplash_write "INPUTQUIET $1" || return 1 + cat /dev/.initramfs/usplash_outfifo 2> /dev/null || return 1 +} + +# Usplash keeps waiting for input even if some other plugin provided +# the password, so we must kill it +trap "kill -TERM $usplash; sleep 2; kill -KILL $usplash; + kill -TERM $$" TERM HUP + +password="`splash_input_password \"$prompt: \" password`" + +trap - TERM + +/sbin/usplash_write "TIMEOUT 15" + +echo -n "$password" === removed file 'plugins.d/usplash.c' --- plugins.d/usplash.c 2008-09-26 19:27:46 +0000 +++ plugins.d/usplash.c 1970-01-01 00:00:00 +0000 @@ -1,479 +0,0 @@ -#define _GNU_SOURCE /* asprintf() */ -#include /* sig_atomic_t, struct sigaction, - sigemptyset(), sigaddset(), SIGINT, - SIGHUP, SIGTERM, sigaction(), - SIG_IGN, kill(), SIGKILL */ -#include /* bool, false, true */ -#include /* open(), O_WRONLY, O_RDONLY */ -#include /* errno, EINTR */ -#include /* size_t, ssize_t, pid_t, DIR, - struct dirent */ -#include /* NULL */ -#include /* strlen(), memcmp() */ -#include /* asprintf(), perror() */ -#include /* close(), write(), readlink(), - read(), STDOUT_FILENO, sleep(), - fork(), setuid(), geteuid(), - setsid(), chdir(), dup2(), - STDERR_FILENO, execv() */ -#include /* free(), EXIT_FAILURE, strtoul(), - realloc(), EXIT_SUCCESS, malloc(), - _exit() */ -#include /* getenv() */ -#include /* opendir(), readdir(), closedir() */ - - - -#include /* and */ -#include /* waitpid(), WIFEXITED(), - WEXITSTATUS() */ - -sig_atomic_t interrupted_by_signal = 0; - -static void termination_handler(__attribute__((unused))int signum){ - interrupted_by_signal = 1; -} - -static bool usplash_write(const char *cmd, const char *arg){ - /* - * usplash_write("TIMEOUT", "15"); -> "TIMEOUT 15\0" - * usplash_write("PULSATE", NULL); -> "PULSATE\0" - * SEE ALSO - * usplash_write(8) - */ - int ret; - int fifo_fd; - do{ - fifo_fd = open("/dev/.initramfs/usplash_fifo", O_WRONLY); - if(fifo_fd == -1 and (errno != EINTR or interrupted_by_signal)){ - return false; - } - }while(fifo_fd == -1); - - const char *cmd_line; - size_t cmd_line_len; - char *cmd_line_alloc = NULL; - if(arg == NULL){ - cmd_line = cmd; - cmd_line_len = strlen(cmd); - }else{ - do{ - ret = asprintf(&cmd_line_alloc, "%s %s", cmd, arg); - if(ret == -1 and (errno != EINTR or interrupted_by_signal)){ - int e = errno; - close(fifo_fd); - errno = e; - return false; - } - }while(ret == -1); - cmd_line = cmd_line_alloc; - cmd_line_len = (size_t)ret + 1; - } - - size_t written = 0; - while(not interrupted_by_signal and written < cmd_line_len){ - ret = write(fifo_fd, cmd_line + written, - cmd_line_len - written); - if(ret == -1){ - if(errno != EINTR or interrupted_by_signal){ - int e = errno; - close(fifo_fd); - free(cmd_line_alloc); - errno = e; - return false; - } else { - continue; - } - } - written += (size_t)ret; - } - free(cmd_line_alloc); - do{ - ret = close(fifo_fd); - if(ret == -1 and (errno != EINTR or interrupted_by_signal)){ - return false; - } - }while(ret == -1); - if(interrupted_by_signal){ - return false; - } - return true; -} - -int main(__attribute__((unused))int argc, - __attribute__((unused))char **argv){ - int ret = 0; - ssize_t sret; - bool an_error_occured = false; - - /* Create prompt string */ - char *prompt = NULL; - { - const char *const cryptsource = getenv("cryptsource"); - const char *const crypttarget = getenv("crypttarget"); - const char prompt_start[] = "Enter passphrase to unlock the disk"; - - if(cryptsource == NULL){ - if(crypttarget == NULL){ - ret = asprintf(&prompt, "%s: ", prompt_start); - } else { - ret = asprintf(&prompt, "%s (%s): ", prompt_start, - crypttarget); - } - } else { - if(crypttarget == NULL){ - ret = asprintf(&prompt, "%s %s: ", prompt_start, cryptsource); - } else { - ret = asprintf(&prompt, "%s %s (%s): ", prompt_start, - cryptsource, crypttarget); - } - } - if(ret == -1){ - return EXIT_FAILURE; - } - } - - /* Find usplash process */ - pid_t usplash_pid = 0; - char *cmdline = NULL; - size_t cmdline_len = 0; - const char usplash_name[] = "/sbin/usplash"; - { - DIR *proc_dir = opendir("/proc"); - if(proc_dir == NULL){ - free(prompt); - perror("opendir"); - return EXIT_FAILURE; - } - for(struct dirent *proc_ent = readdir(proc_dir); - proc_ent != NULL; - proc_ent = readdir(proc_dir)){ - pid_t pid = (pid_t) strtoul(proc_ent->d_name, NULL, 10); - if(pid == 0){ - /* Not a process */ - continue; - } - /* Find the executable name by doing readlink() on the - /proc//exe link */ - char exe_target[sizeof(usplash_name)]; - { - char *exe_link; - ret = asprintf(&exe_link, "/proc/%s/exe", proc_ent->d_name); - if(ret == -1){ - perror("asprintf"); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - sret = readlink(exe_link, exe_target, sizeof(exe_target)); - free(exe_link); - if(sret == -1){ - continue; - } - } - if((sret == ((ssize_t)sizeof(exe_target)-1)) - and (memcmp(usplash_name, exe_target, - sizeof(exe_target)-1) == 0)){ - usplash_pid = pid; - /* Read and save the command line of usplash in "cmdline" */ - { - /* Open /proc//cmdline */ - int cl_fd; - { - char *cmdline_filename; - ret = asprintf(&cmdline_filename, "/proc/%s/cmdline", - proc_ent->d_name); - if(ret == -1){ - perror("asprintf"); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - cl_fd = open(cmdline_filename, O_RDONLY); - if(cl_fd == -1){ - perror("open"); - free(cmdline_filename); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - free(cmdline_filename); - } - size_t cmdline_allocated = 0; - char *tmp; - const size_t blocksize = 1024; - do{ - if(cmdline_len + blocksize > cmdline_allocated){ - tmp = realloc(cmdline, cmdline_allocated + blocksize); - if(tmp == NULL){ - perror("realloc"); - free(cmdline); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - cmdline = tmp; - cmdline_allocated += blocksize; - } - sret = read(cl_fd, cmdline + cmdline_len, - cmdline_allocated - cmdline_len); - if(sret == -1){ - perror("read"); - free(cmdline); - free(prompt); - closedir(proc_dir); - return EXIT_FAILURE; - } - cmdline_len += (size_t)sret; - } while(sret != 0); - close(cl_fd); - } - break; - } - } - closedir(proc_dir); - } - if(usplash_pid == 0){ - free(prompt); - return EXIT_FAILURE; - } - - /* Set up the signal handler */ - { - struct sigaction old_action, - new_action = { .sa_handler = termination_handler, - .sa_flags = 0 }; - sigemptyset(&new_action.sa_mask); - sigaddset(&new_action.sa_mask, SIGINT); - sigaddset(&new_action.sa_mask, SIGHUP); - sigaddset(&new_action.sa_mask, SIGTERM); - ret = sigaction(SIGINT, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGINT, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGHUP, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGHUP, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - ret = sigaction(SIGTERM, NULL, &old_action); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - if (old_action.sa_handler != SIG_IGN){ - ret = sigaction(SIGTERM, &new_action, NULL); - if(ret == -1){ - perror("sigaction"); - free(prompt); - return EXIT_FAILURE; - } - } - } - - /* Write command to FIFO */ - if(not interrupted_by_signal){ - if(not usplash_write("TIMEOUT", "0") - and (errno != EINTR)){ - perror("usplash_write"); - an_error_occured = true; - } - } - if(not interrupted_by_signal and not an_error_occured){ - if(not usplash_write("INPUTQUIET", prompt) - and (errno != EINTR)){ - perror("usplash_write"); - an_error_occured = true; - } - } - free(prompt); - - /* This is not really a loop; while() is used to be able to "break" - out of it; those breaks are marked "Big" */ - while(not interrupted_by_signal and not an_error_occured){ - char *buf = NULL; - size_t buf_len = 0; - - /* Open FIFO */ - int fifo_fd; - do{ - fifo_fd = open("/dev/.initramfs/usplash_outfifo", O_RDONLY); - if(fifo_fd == -1){ - if(errno != EINTR){ - perror("open"); - an_error_occured = true; - break; - } - if(interrupted_by_signal){ - break; - } - } - }while(fifo_fd == -1); - if(interrupted_by_signal or an_error_occured){ - break; /* Big */ - } - - /* Read from FIFO */ - size_t buf_allocated = 0; - const size_t blocksize = 1024; - do{ - if(buf_len + blocksize > buf_allocated){ - char *tmp = realloc(buf, buf_allocated + blocksize); - if(tmp == NULL){ - perror("realloc"); - an_error_occured = true; - break; - } - buf = tmp; - buf_allocated += blocksize; - } - do{ - sret = read(fifo_fd, buf + buf_len, buf_allocated - buf_len); - if(sret == -1){ - if(errno != EINTR){ - perror("read"); - an_error_occured = true; - break; - } - if(interrupted_by_signal){ - break; - } - } - }while(sret == -1); - if(interrupted_by_signal or an_error_occured){ - break; - } - - buf_len += (size_t)sret; - }while(sret != 0); - close(fifo_fd); - if(interrupted_by_signal or an_error_occured){ - break; /* Big */ - } - - if(not usplash_write("TIMEOUT", "15") - and (errno != EINTR)){ - perror("usplash_write"); - an_error_occured = true; - } - if(interrupted_by_signal or an_error_occured){ - break; /* Big */ - } - - /* Print password to stdout */ - size_t written = 0; - while(written < buf_len){ - do{ - sret = write(STDOUT_FILENO, buf + written, buf_len - written); - if(sret == -1){ - if(errno != EINTR){ - perror("write"); - an_error_occured = true; - break; - } - if(interrupted_by_signal){ - break; - } - } - }while(sret == -1); - if(interrupted_by_signal or an_error_occured){ - break; - } - written += (size_t)sret; - } - free(buf); - if(not interrupted_by_signal and not an_error_occured){ - free(cmdline); - return EXIT_SUCCESS; - } - break; /* Big */ - } - - /* If we got here, an error or interrupt must have happened */ - - int cmdline_argc = 0; - char **cmdline_argv = malloc(sizeof(char *)); - /* Create argv and argc for new usplash*/ - { - size_t position = 0; - while(position < cmdline_len){ - char **tmp = realloc(cmdline_argv, - (sizeof(char *) - * (size_t)(cmdline_argc + 2))); - if(tmp == NULL){ - perror("realloc"); - free(cmdline_argv); - return EXIT_FAILURE; - } - cmdline_argv = tmp; - cmdline_argv[cmdline_argc] = cmdline + position; - cmdline_argc++; - position += strlen(cmdline + position) + 1; - } - cmdline_argv[cmdline_argc] = NULL; - } - /* Kill old usplash */ - kill(usplash_pid, SIGTERM); - sleep(2); - while(kill(usplash_pid, 0) == 0){ - kill(usplash_pid, SIGKILL); - sleep(1); - } - pid_t new_usplash_pid = fork(); - if(new_usplash_pid == 0){ - /* Child; will become new usplash process */ - - /* Make the effective user ID (root) the only user ID instead of - the real user ID (mandos) */ - ret = setuid(geteuid()); - if (ret == -1){ - perror("setuid"); - } - - setsid(); - ret = chdir("/"); -/* if(fork() != 0){ */ -/* _exit(EXIT_SUCCESS); */ -/* } */ - ret = dup2(STDERR_FILENO, STDOUT_FILENO); /* replace our stdout */ - if(ret == -1){ - perror("dup2"); - _exit(EXIT_FAILURE); - } - - execv(usplash_name, cmdline_argv); - perror("execv"); - free(cmdline); - free(cmdline_argv); - _exit(EXIT_FAILURE); - } - free(cmdline); - free(cmdline_argv); - sleep(2); - if(not usplash_write("PULSATE", NULL) - and (errno != EINTR)){ - perror("usplash_write"); - } - - return EXIT_FAILURE; -}