=== modified file 'Makefile' --- Makefile 2024-09-12 17:10:51 +0000 +++ Makefile 2024-11-03 16:01:18 +0000 @@ -57,6 +57,7 @@ ## Use these settings for a traditional /usr/local install # PREFIX:=$(DESTDIR)/usr/local +# BINDIR:=$(PREFIX)/sbin # CONFDIR:=$(DESTDIR)/etc/mandos # KEYDIR:=$(DESTDIR)/etc/mandos/keys # MANDIR:=$(PREFIX)/man @@ -69,6 +70,7 @@ ## These settings are for a package-type install PREFIX:=$(DESTDIR)/usr +BINDIR:=$(PREFIX)/sbin CONFDIR:=$(DESTDIR)/etc/mandos KEYDIR:=$(DESTDIR)/etc/keys/mandos MANDIR:=$(PREFIX)/share/man @@ -417,12 +419,11 @@ install -D --mode=u=rw,go=r sysusers.d-mandos.conf \ $(SYSUSERS)/mandos.conf; \ fi - install --directory $(PREFIX)/sbin - install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ - mandos - install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ + install --directory $(BINDIR) + install --mode=u=rwx,go=rx --target-directory=$(BINDIR) mandos + install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \ mandos-ctl - install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ + install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \ mandos-monitor install --directory $(CONFDIR) install --mode=u=rw,go=r --target-directory=$(CONFDIR) \ @@ -477,8 +478,8 @@ install --mode=u=rwx,go=rx \ --target-directory=$(LIBDIR)/mandos \ mandos-to-cryptroot-unlock - install --directory $(PREFIX)/sbin - install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ + install --directory $(BINDIR) + install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \ mandos-keygen install --mode=u=rwx,go=rx \ --target-directory=$(LIBDIR)/mandos/plugins.d \ @@ -544,7 +545,7 @@ .PHONY: install-client install-client: install-client-nokey # Post-installation stuff - -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)" + -$(BINDIR)/mandos-keygen --dir "$(KEYDIR)" if command -v update-initramfs >/dev/null; then \ update-initramfs -k all -u; \ elif command -v dracut >/dev/null; then \ @@ -562,9 +563,9 @@ .PHONY: uninstall-server uninstall-server: - -rm --force $(PREFIX)/sbin/mandos \ - $(PREFIX)/sbin/mandos-ctl \ - $(PREFIX)/sbin/mandos-monitor \ + -rm --force $(BINDIR)/mandos \ + $(BINDIR)/mandos-ctl \ + $(BINDIR)/mandos-monitor \ $(MANDIR)/man8/mandos.8.gz \ $(MANDIR)/man8/mandos-monitor.8.gz \ $(MANDIR)/man8/mandos-ctl.8.gz \ @@ -579,7 +580,7 @@ # to use it. ! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \ $(DESTDIR)/etc/crypttab - -rm --force $(PREFIX)/sbin/mandos-keygen \ + -rm --force $(BINDIR)/mandos-keygen \ $(LIBDIR)/mandos/plugin-runner \ $(LIBDIR)/mandos/plugins.d/password-prompt \ $(LIBDIR)/mandos/plugins.d/mandos-client \ === modified file 'debian/control' --- debian/control 2024-09-09 03:08:13 +0000 +++ debian/control 2024-11-17 18:43:11 +0000 @@ -8,7 +8,7 @@ libavahi-core-dev, libgpgme-dev | libgpgme11-dev, libglib2.0-dev (>=2.40), libgnutls28-dev (>= 3.3.0), libgnutls28-dev (>= 3.6.6) | libgnutls28-dev (<< 3.6.0), - xsltproc, pkg-config, libnl-route-3-dev, + xsltproc, pkgconf | pkg-config, libnl-route-3-dev, systemd-dev | systemd (<< 256~rc2-1) Build-Depends-Indep: python3 (>= 3), python3-dbus, python3-gi, po-debconf @@ -27,7 +27,8 @@ python3-urwid, gnupg, systemd-sysv | lsb-base (>= 3.0-6), debconf (>= 1.5.5) | debconf-2.0 Recommends: ssh-client | fping -Suggests: libc6-dev | libc-dev, c-compiler +Suggests: python3 (>= 3.3) | libc6-dev | libc-dev | python (<= 2.6), + python3 (>= 3.3) | c-compiler | python (<= 2.6) Description: server giving encrypted passwords to Mandos clients This is the server part of the Mandos system, which allows computers to have encrypted root file systems and at the === modified file 'debian/mandos-client.lintian-overrides' --- debian/mandos-client.lintian-overrides 2024-09-09 02:51:47 +0000 +++ debian/mandos-client.lintian-overrides 2024-09-16 21:01:52 +0000 @@ -20,6 +20,29 @@ mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/usplash] mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/plymouth] +# These binaries are never executed in a running system, or from this +# directory. These files exist only to be copied from here into the +# initial RAM disk image. +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/mandos-to-cryptroot-unlock] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugin-helpers/mandos-client-iprouteadddel] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugin-runner] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/askpass-fifo] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/mandos-client] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/password-prompt] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/plymouth] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/splashy] +mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/usplash] + +# This is the official directory for Dracut plugins, which are all +# executable shell script files. +mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/module-setup.sh] +# These files are never executed in a running system, or from this +# directory. These files exist only to be copied from here into the +# initial RAM disk image by the dracut/90mandos/module-setup.sh +# script. +mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/cmdline-mandos.sh] +mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/password-agent] + # The directory /etc/mandos/plugins.d can be used by local system # administrators to place plugins in, overriding and complementing # /usr/lib//mandos/plugins.d, and must be likewise protected. === modified file 'initramfs-tools-hook' --- initramfs-tools-hook 2024-09-08 03:42:04 +0000 +++ initramfs-tools-hook 2024-11-03 15:32:05 +0000 @@ -180,7 +180,7 @@ # GPGME needs GnuPG gpg=/usr/bin/gpg -libgpgme11_version="`dpkg-query --showformat='${Version}\n' --show libgpgme11t64 libgpgme11 2>/dev/null | head --lines=1`" +libgpgme11_version="`dpkg-query --showformat='${Version}\n' --show libgpgme11t64 libgpgme11 2>/dev/null | sed --quiet --expression='/./{p;q}'`" if dpkg --compare-versions "$libgpgme11_version" ge 1.5.0-0.1; then if [ -e /usr/bin/gpgconf ]; then if [ ! -e "${DESTDIR}/usr/bin/gpgconf" ]; then === modified file 'initramfs-unpack' --- initramfs-unpack 2019-07-27 10:11:45 +0000 +++ initramfs-unpack 2024-11-03 16:55:01 +0000 @@ -65,6 +65,9 @@ elif { $catimg 2>/dev/null | lzop --test >/dev/null 2>&1; [ ${PIPESTATUS[-1]} -eq 0 ]; }; then decomp="lzop --stdout --decompress" + elif { $catimg 2>/dev/null | zstd --test >/dev/null 2>&1; + [ ${PIPESTATUS[-1]} -eq 0 ]; }; then + decomp="zstdcat --stdout --decompress" else skip=$((${skip}+1)) echo "Could not determine compression of ${imgfile}; trying to skip ${skip} bytes" >&2 === modified file 'mandos' --- mandos 2024-09-12 17:10:51 +0000 +++ mandos 2024-11-17 17:28:47 +0000 @@ -110,6 +110,19 @@ except AttributeError: shlex.quote = re.escape +# Add os.set_inheritable if it does not exist +try: + os.set_inheritable +except AttributeError: + def set_inheritable(fd, inheritable): + flags = fcntl.fcntl(fd, fcntl.F_GETFD) + if inheritable and ((flags & fcntl.FD_CLOEXEC) != 0): + fcntl.fcntl(fd, fcntl.F_SETFL, flags & ~fcntl.FD_CLOEXEC) + elif (not inheritable) and ((flags & fcntl.FD_CLOEXEC) == 0): + fcntl.fcntl(fd, fcntl.F_SETFL, flags | fcntl.FD_CLOEXEC) + os.set_inheritable = set_inheritable + del set_inheritable + # Show warnings by default if not sys.warnoptions: import warnings @@ -3096,9 +3109,10 @@ # Later, stdin will, and stdout and stderr might, be dup'ed # over with an opened os.devnull. But we don't want this to # happen with a supplied network socket. - if 0 <= server_settings["socket"] <= 2: + while 0 <= server_settings["socket"] <= 2: server_settings["socket"] = os.dup(server_settings ["socket"]) + os.set_inheritable(server_settings["socket"], False) del server_config # Override the settings from the config file with command line @@ -3243,7 +3257,8 @@ # From the Avahi example code DBusGMainLoop(set_as_default=True) main_loop = GLib.MainLoop() - bus = dbus.SystemBus() + if use_dbus or zeroconf: + bus = dbus.SystemBus() # End of Avahi example code if use_dbus: try: === modified file 'mandos-keygen' --- mandos-keygen 2024-09-12 17:10:51 +0000 +++ mandos-keygen 2024-11-24 00:44:25 +0000 @@ -331,19 +331,22 @@ esac if [ $SSH -eq 1 ]; then - for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do - set +e - ssh_fingerprint="`ssh-keyscan -t $ssh_keytype localhost 2>/dev/null`" - err=$? - set -e - if [ $err -ne 0 ]; then - ssh_fingerprint="" - continue - fi - if [ -n "$ssh_fingerprint" ]; then - ssh_fingerprint="${ssh_fingerprint#localhost }" - break - fi + # The -q option is new in OpenSSH 9.8 + for ssh_keyscan_quiet in "-q " ""; do + for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do + set +e + ssh_fingerprint="`ssh-keyscan ${ssh_keyscan_quiet}-t $ssh_keytype localhost 2>/dev/null`" + err=$? + set -e + if [ $err -ne 0 ]; then + ssh_fingerprint="" + continue + fi + if [ -n "$ssh_fingerprint" ]; then + ssh_fingerprint="${ssh_fingerprint#localhost }" + break 2 + fi + done done fi @@ -434,7 +437,11 @@ } }' < "$SECFILE" if [ -n "$ssh_fingerprint" ]; then - echo 'checker = ssh-keyscan -t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"' + if [ -n "$ssh_keyscan_quiet" ]; then + echo "# Note: if the Mandos server has OpenSSH older than 9.8, the ${ssh_keyscan_quiet}" + echo "# option *must* be removed from the 'checker' setting below" + fi + echo 'checker = ssh-keyscan '"$ssh_keyscan_quiet"'-t '"$ssh_keytype"' %%(host)s 2>/dev/null | grep --fixed-strings --line-regexp --quiet --regexp=%%(host)s" %(ssh_fingerprint)s"' echo "ssh_fingerprint = ${ssh_fingerprint}" fi fi === modified file 'mandos-monitor' --- mandos-monitor 2024-09-12 17:10:51 +0000 +++ mandos-monitor 2024-11-22 20:30:34 +0000 @@ -64,6 +64,7 @@ locale.setlocale(locale.LC_ALL, "") logging.getLogger("dbus.proxies").setLevel(logging.CRITICAL) +logging.getLogger("urwid").setLevel(logging.INFO) # Some useful constants domain = "se.recompile" @@ -127,10 +128,12 @@ self.property_changed_match.remove() -class MandosClientWidget(urwid.FlowWidget, MandosClientPropertyCache): +class MandosClientWidget(MandosClientPropertyCache, urwid.Widget): """A Mandos Client which is visible on the screen. """ + _sizing = frozenset(["flow"]) + def __init__(self, server_proxy_object=None, update_hook=None, delete_hook=None, **kwargs): # Called on update @@ -225,13 +228,13 @@ def selectable(self): """Make this a "selectable" widget. - This overrides the method from urwid.FlowWidget.""" + This overrides the method from urwid.Widget.""" return True def rows(self, maxcolrow, focus=False): """How many rows this widget will occupy might depend on whether we have focus or not. - This overrides the method from urwid.FlowWidget""" + This overrides the method from urwid.Widget""" return self.current_widget(focus).rows(maxcolrow, focus=focus) def current_widget(self, focus=False): @@ -329,13 +332,13 @@ def render(self, maxcolrow, focus=False): """Render differently if we have focus. - This overrides the method from urwid.FlowWidget""" + This overrides the method from urwid.Widget""" return self.current_widget(focus).render(maxcolrow, focus=focus) def keypress(self, maxcolrow, key): """Handle keys. - This overrides the method from urwid.FlowWidget""" + This overrides the method from urwid.Widget""" if key == "+": self.proxy.Set(client_interface, "Enabled", dbus.Boolean(True), ignore_reply=True,