
Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2008-10-03 09:32:30 UTC
  • Revision ID: teddy@fukt.bsnet.se-20081003093230-rshn19e0c19zz12i
* .bzrignore (plugins.d/askpass-fifo): Added.

* Makefile (FORTIFY): Added "-fstack-protector-all".
  (mandos, mandos-keygen): Use more strict regexps when updating the
                           version number.

* mandos (Client.__init__): Use os.path.expandvars() and
                            os.path.expanduser() on the "secfile"
                            config value.

* plugins.d/splashy.c: Update comments and order of #include's.
  (main): Check user and group when looking for running splashy
          process.  Do not ignore ENOENT from execl().  Use _exit()
          instead of "return" when an error happens in child
          processes.  Bug fix: Only wait for splashy_update
          completion if it was started.  Bug fix: detect failing
          waitpid().  Only kill splashy_update if it is running.  Do
          the killing of the old splashy process before the fork().
          Do setsid() and setuid(geteuid()) before starting the new
          splashy.  Report failing execl().

* plugins.d/usplash.c: Update comments and order of #include's.
  (main): Check user and group when looking for running usplash
          process.  Do not report execv() error if interrupted by a
          signal.

30
30
# Contact the authors at <mandos@fukt.bsnet.se>.
31
31
32
32
 
33
 
from __future__ import division, with_statement, absolute_import
 
33
from __future__ import division
34
34
 
35
35
import SocketServer
36
36
import socket
55
55
import logging
56
56
import logging.handlers
57
57
import pwd
58
 
from contextlib import closing
59
58
 
60
59
import dbus
61
60
import gobject
64
63
import ctypes
65
64
import ctypes.util
66
65
 
67
 
version = "1.0.2"
 
66
version = "1.0"
68
67
 
69
68
logger = logging.Logger('mandos')
70
69
syslogger = logging.handlers.SysLogHandler\
241
240
        if "secret" in config:
242
241
            self.secret = config["secret"].decode(u"base64")
243
242
        elif "secfile" in config:
244
 
            with closing(open(os.path.expanduser
245
 
                              (os.path.expandvars
246
 
                               (config["secfile"])))) \
247
 
                               as secfile:
248
 
                self.secret = secfile.read()
 
243
            secfile = open(os.path.expanduser(os.path.expandvars
 
244
                                              (config["secfile"])))
 
245
            self.secret = secfile.read()
 
246
            secfile.close()
249
247
        else:
250
248
            raise TypeError(u"No secret or secfile for client %s"
251
249
                            % self.name)
299
297
        self.stop()
300
298
    def checker_callback(self, pid, condition):
301
299
        """The checker has completed, so take appropriate actions."""
 
300
        now = datetime.datetime.now()
302
301
        self.checker_callback_tag = None
303
302
        self.checker = None
304
303
        if os.WIFEXITED(condition) \
305
304
               and (os.WEXITSTATUS(condition) == 0):
306
305
            logger.info(u"Checker for %(name)s succeeded",
307
306
                        vars(self))
308
 
            self.bump_timeout()
 
307
            self.last_checked_ok = now
 
308
            gobject.source_remove(self.stop_initiator_tag)
 
309
            self.stop_initiator_tag = gobject.timeout_add\
 
310
                                      (self._timeout_milliseconds,
 
311
                                       self.stop)
309
312
        elif not os.WIFEXITED(condition):
310
313
            logger.warning(u"Checker for %(name)s crashed?",
311
314
                           vars(self))
312
315
        else:
313
316
            logger.info(u"Checker for %(name)s failed",
314
317
                        vars(self))
315
 
    def bump_timeout(self):
316
 
        """Bump up the timeout for this client.
317
 
        This should only be called when the client has been seen,
318
 
        alive and well.
319
 
        """
320
 
        self.last_checked_ok = datetime.datetime.now()
321
 
        gobject.source_remove(self.stop_initiator_tag)
322
 
        self.stop_initiator_tag = gobject.timeout_add\
323
 
            (self._timeout_milliseconds, self.stop)
324
318
    def start_checker(self):
325
319
        """Start a new checker subprocess if one is not running.
326
320
        If a checker already exists, leave it running and do
453
447
    
454
448
    def handle(self):
455
449
        logger.info(u"TCP connection from: %s",
456
 
                    unicode(self.client_address))
 
450
                     unicode(self.client_address))
457
451
        session = gnutls.connection.ClientSession\
458
452
                  (self.request, gnutls.connection.X509Credentials())
459
453
        
474
468
        #priority = ':'.join(("NONE", "+VERS-TLS1.1", "+AES-256-CBC",
475
469
        #                "+SHA1", "+COMP-NULL", "+CTYPE-OPENPGP",
476
470
        #                "+DHE-DSS"))
477
 
        # Use a fallback default, since this MUST be set.
478
 
        priority = self.server.settings.get("priority", "NORMAL")
 
471
        priority = "NORMAL"             # Fallback default, since this
 
472
                                        # MUST be set.
 
473
        if self.server.settings["priority"]:
 
474
            priority = self.server.settings["priority"]
479
475
        gnutls.library.functions.gnutls_priority_set_direct\
480
476
            (session._c_object, priority, None)
481
477
        
511
507
                           vars(client))
512
508
            session.bye()
513
509
            return
514
 
        ## This won't work here, since we're in a fork.
515
 
        # client.bump_timeout()
516
510
        sent_size = 0
517
511
        while sent_size < len(client.secret):
518
512
            sent = session.send(client.secret[sent_size:])
523
517
        session.bye()
524
518
 
525
519
 
526
 
class IPv6_TCPServer(SocketServer.ForkingMixIn,
527
 
                     SocketServer.TCPServer, object):
 
520
class IPv6_TCPServer(SocketServer.ForkingTCPServer, object):
528
521
    """IPv6 TCP server.  Accepts 'None' as address and/or port.
529
522
    Attributes:
530
523
        settings:       Server settings
659
652
        def if_nametoindex(interface):
660
653
            "Get an interface index the hard way, i.e. using fcntl()"
661
654
            SIOCGIFINDEX = 0x8933  # From /usr/include/linux/sockios.h
662
 
            with closing(socket.socket()) as s:
663
 
                ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
664
 
                                    struct.pack("16s16x", interface))
 
655
            s = socket.socket()
 
656
            ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
 
657
                                struct.pack("16s16x", interface))
 
658
            s.close()
665
659
            interface_index = struct.unpack("I", ifreq[16:20])[0]
666
660
            return interface_index
667
661
    return if_nametoindex(interface)
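Review bot: Taking the second gutter column as the new side, the replacement for the secfile read in Client.__init__ (new lines 243–246) leaves the file descriptor open if `secfile.read()` raises, because `secfile.close()` only runs on the success path; the enclosing `__init__` starts outside the hunk. Without with_statement the portable form is `try:` / `self.secret = secfile.read()` / `finally: secfile.close()`. An empty secret file also silently yields an empty `self.secret` instead of an error, so a check mirroring the existing `else` branch's TypeError would surface the misconfiguration at startup rather than at the first client connection. The same open/ioctl/close shape in `if_nametoindex` (new lines 655–658) leaks the socket if `fcntl.ioctl()` raises and would take the same `try`/`finally`.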