To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/release
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 223
- compare with another revision
- download diff
- download tarball
- view history from revision 223
- Committer: Teddy Hogeborn
- Date: 2008-10-03 09:32:30 UTC
- Revision ID: teddy@fukt.bsnet.se-20081003093230-rshn19e0c19zz12i
* .bzrignore (plugins.d/askpass-fifo): Added.
* Makefile (FORTIFY): Added "-fstack-protector-all".
(mandos, mandos-keygen): Use more strict regexps when updating the
version number.
* mandos (Client.__init__): Use os.path.expandvars() and
os.path.expanduser() on the "secfile"
config value.
* plugins.d/splashy.c: Update comments and order of #include's.
(main): Check user and group when looking for running splashy
process. Do not ignore ENOENT from execl(). Use _exit()
instead of "return" when an error happens in child
processes. Bug fix: Only wait for splashy_update
completion if it was started. Bug fix: detect failing
waitpid(). Only kill splashy_update if it is running. Do
the killing of the old splashy process before the fork().
Do setsid() and setuid(geteuid()) before starting the new
splashy. Report failing execl().
* plugins.d/usplash.c: Update comments and order of #include's.
(main): Check user and group when looking for running usplash
process. Do not report execv() error if interrupted by a
signal.
* Makefile (FORTIFY): Added "-fstack-protector-all".
(mandos, mandos-keygen): Use more strict regexps when updating the
version number.
* mandos (Client.__init__): Use os.path.expandvars() and
os.path.expanduser() on the "secfile"
config value.
* plugins.d/splashy.c: Update comments and order of #include's.
(main): Check user and group when looking for running splashy
process. Do not ignore ENOENT from execl(). Use _exit()
instead of "return" when an error happens in child
processes. Bug fix: Only wait for splashy_update
completion if it was started. Bug fix: detect failing
waitpid(). Only kill splashy_update if it is running. Do
the killing of the old splashy process before the fork().
Do setsid() and setuid(geteuid()) before starting the new
splashy. Report failing execl().
* plugins.d/usplash.c: Update comments and order of #include's.
(main): Check user and group when looking for running usplash
process. Do not report execv() error if interrupted by a
signal.
- files added:
- .bzr-builddeb
- debian
- debian/po
- files removed:
- ca.pem
- files renamed:
- server.py => mandos
- server.conf => mandos.conf
- plugbasedclient.c => plugin-runner.c
- plugins.d/mandosclient.c => plugins.d/mandos-client.c
- plugins.d/passprompt.c => plugins.d/password-prompt.c
- files modified:
- Makefile
added
removed
mandos
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
# following functions: "AvahiService.add", "AvahiService.remove",
10
# "server_state_changed", "entry_group_state_changed", and some lines
11
# in "main".
9
# methods "add" and "remove" in the "AvahiService" class, the
10
# "server_state_changed" and "entry_group_state_changed" functions,
11
# and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
14
# Copyright © 2008 Teddy Hogeborn & Björn Påhlsson
15
15
#
16
16
# This program is free software: you can redistribute it and/or modify
17
17
# it under the terms of the GNU General Public License as published by
24
24
# GNU General Public License for more details.
25
25
#
26
26
# You should have received a copy of the GNU General Public License
27
# along with this program. If not, see <http://www.gnu.org/licenses/>.
27
# along with this program. If not, see
28
# <http://www.gnu.org/licenses/>.
28
29
#
29
30
# Contact the authors at <mandos@fukt.bsnet.se>.
30
31
#
33
34
34
35
import SocketServer
35
36
import socket
36
import select
37
37
from optparse import OptionParser
38
38
import datetime
39
39
import errno
54
54
import stat
55
55
import logging
56
56
import logging.handlers
57
import pwd
57
58
58
59
import dbus
59
60
import gobject
60
61
import avahi
61
62
from dbus.mainloop.glib import DBusGMainLoop
62
63
import ctypes
63
64
# Brief description of the operation of this program:
65
#
66
# This server announces itself as a Zeroconf service. Connecting
67
# clients use the TLS protocol, with the unusual quirk that this
68
# server program acts as a TLS "client" while a connecting client acts
69
# as a TLS "server". The client (acting as a TLS "server") must
70
# supply an OpenPGP certificate, and the fingerprint of this
71
# certificate is used by this server to look up (in a list read from a
72
# file at start time) which binary blob to give the client. No other
73
# authentication or authorization is done by this server.
74
64
import ctypes.util
65
66
version = "1.0"
75
67
76
68
logger = logging.Logger('mandos')
77
69
syslogger = logging.handlers.SysLogHandler\
78
(facility = logging.handlers.SysLogHandler.LOG_DAEMON)
70
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
71
address = "/dev/log")
79
72
syslogger.setFormatter(logging.Formatter\
80
('%(levelname)s: %(message)s'))
73
('Mandos: %(levelname)s: %(message)s'))
81
74
logger.addHandler(syslogger)
82
del syslogger
83
75
76
console = logging.StreamHandler()
77
console.setFormatter(logging.Formatter('%(name)s: %(levelname)s:'
78
' %(message)s'))
79
logger.addHandler(console)
84
80
85
81
class AvahiError(Exception):
86
82
def __init__(self, value):
87
83
self.value = value
84
super(AvahiError, self).__init__()
88
85
def __str__(self):
89
86
return repr(self.value)
90
87
96
93
97
94
98
95
class AvahiService(object):
99
"""
96
"""An Avahi (Zeroconf) service.
97
Attributes:
100
98
interface: integer; avahi.IF_UNSPEC or an interface index.
101
99
Used to optionally bind to the specified interface.
102
name = string; Example: "Mandos"
103
type = string; Example: "_mandos._tcp".
104
See <http://www.dns-sd.org/ServiceTypes.html>
105
port = integer; what port to announce
106
TXT = list of strings; TXT record for the service
107
domain = string; Domain to publish on, default to .local if empty.
108
host = string; Host to publish records for, default to localhost
109
if empty.
110
max_renames = integer; maximum number of renames
111
rename_count = integer; counter so we only rename after collisions
112
a sensible number of times
100
name: string; Example: 'Mandos'
101
type: string; Example: '_mandos._tcp'.
102
See <http://www.dns-sd.org/ServiceTypes.html>
103
port: integer; what port to announce
104
TXT: list of strings; TXT record for the service
105
domain: string; Domain to publish on, default to .local if empty.
106
host: string; Host to publish records for, default is localhost
107
max_renames: integer; maximum number of renames
108
rename_count: integer; counter so we only rename after collisions
109
a sensible number of times
113
110
"""
114
111
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
115
type = None, port = None, TXT = None, domain = "",
116
host = "", max_renames = 12):
117
"""An Avahi (Zeroconf) service. """
112
servicetype = None, port = None, TXT = None, domain = "",
113
host = "", max_renames = 32768):
118
114
self.interface = interface
119
115
self.name = name
120
self.type = type
116
self.type = servicetype
121
117
self.port = port
122
118
if TXT is None:
123
119
self.TXT = []
126
122
self.domain = domain
127
123
self.host = host
128
124
self.rename_count = 0
125
self.max_renames = max_renames
129
126
def rename(self):
130
127
"""Derived from the Avahi example code"""
131
128
if self.rename_count >= self.max_renames:
132
logger.critical(u"No suitable service name found after %i"
133
u" retries, exiting.", rename_count)
129
logger.critical(u"No suitable Zeroconf service name found"
130
u" after %i retries, exiting.",
131
self.rename_count)
134
132
raise AvahiServiceError("Too many renames")
135
name = server.GetAlternativeServiceName(name)
136
logger.notice(u"Changing name to %r ...", name)
133
self.name = server.GetAlternativeServiceName(self.name)
134
logger.info(u"Changing Zeroconf service name to %r ...",
135
str(self.name))
136
syslogger.setFormatter(logging.Formatter\
137
('Mandos (%s): %%(levelname)s:'
138
' %%(message)s' % self.name))
137
139
self.remove()
138
140
self.add()
139
141
self.rename_count += 1
151
153
avahi.DBUS_INTERFACE_ENTRY_GROUP)
152
154
group.connect_to_signal('StateChanged',
153
155
entry_group_state_changed)
154
logger.debug(u"Adding service '%s' of type '%s' ...",
156
logger.debug(u"Adding Zeroconf service '%s' of type '%s' ...",
155
157
service.name, service.type)
156
158
group.AddService(
157
159
self.interface, # interface
175
177
fingerprint: string (40 or 32 hexadecimal digits); used to
176
178
uniquely identify the client
177
179
secret: bytestring; sent verbatim (over TLS) to client
178
fqdn: string (FQDN); available for use by the checker command
180
host: string; available for use by the checker command
179
181
created: datetime.datetime(); object creation, not client host
180
182
last_checked_ok: datetime.datetime() or None if not yet checked OK
181
183
timeout: datetime.timedelta(); How long from last_checked_ok
221
223
interval = property(lambda self: self._interval,
222
224
_set_interval)
223
225
del _set_interval
224
def __init__(self, name=None, stop_hook=None, fingerprint=None,
225
secret=None, secfile=None, fqdn=None, timeout=None,
226
interval=-1, checker=None):
227
"""Note: the 'checker' argument sets the 'checker_command'
228
attribute and not the 'checker' attribute.."""
226
def __init__(self, name = None, stop_hook=None, config=None):
227
"""Note: the 'checker' key in 'config' sets the
228
'checker_command' attribute and *not* the 'checker'
229
attribute."""
230
if config is None:
231
config = {}
229
232
self.name = name
230
233
logger.debug(u"Creating client %r", self.name)
231
# Uppercase and remove spaces from fingerprint
232
# for later comparison purposes with return value of
233
# the fingerprint() function
234
self.fingerprint = fingerprint.upper().replace(u" ", u"")
234
# Uppercase and remove spaces from fingerprint for later
235
# comparison purposes with return value from the fingerprint()
236
# function
237
self.fingerprint = config["fingerprint"].upper()\
238
.replace(u" ", u"")
235
239
logger.debug(u" Fingerprint: %s", self.fingerprint)
236
if secret:
237
self.secret = secret.decode(u"base64")
238
elif secfile:
239
sf = open(secfile)
240
self.secret = sf.read()
241
sf.close()
240
if "secret" in config:
241
self.secret = config["secret"].decode(u"base64")
242
elif "secfile" in config:
243
secfile = open(os.path.expanduser(os.path.expandvars
244
(config["secfile"])))
245
self.secret = secfile.read()
246
secfile.close()
242
247
else:
243
248
raise TypeError(u"No secret or secfile for client %s"
244
249
% self.name)
245
self.fqdn = fqdn
250
self.host = config.get("host", "")
246
251
self.created = datetime.datetime.now()
247
252
self.last_checked_ok = None
248
self.timeout = string_to_delta(timeout)
249
self.interval = string_to_delta(interval)
253
self.timeout = string_to_delta(config["timeout"])
254
self.interval = string_to_delta(config["interval"])
250
255
self.stop_hook = stop_hook
251
256
self.checker = None
252
257
self.checker_initiator_tag = None
253
258
self.stop_initiator_tag = None
254
259
self.checker_callback_tag = None
255
self.check_command = checker
260
self.check_command = config["checker"]
256
261
def start(self):
257
262
"""Start this client's checker and timeout hooks"""
258
263
# Schedule a new checker to be started an 'interval' from now,
271
276
The possibility that a client might be restarted is left open,
272
277
but not currently used."""
273
278
# If this client doesn't have a secret, it is already stopped.
274
if self.secret:
275
logger.debug(u"Stopping client %s", self.name)
279
if hasattr(self, "secret") and self.secret:
280
logger.info(u"Stopping client %s", self.name)
276
281
self.secret = None
277
282
else:
278
283
return False
297
302
self.checker = None
298
303
if os.WIFEXITED(condition) \
299
304
and (os.WEXITSTATUS(condition) == 0):
300
logger.debug(u"Checker for %(name)s succeeded",
301
vars(self))
305
logger.info(u"Checker for %(name)s succeeded",
306
vars(self))
302
307
self.last_checked_ok = now
303
308
gobject.source_remove(self.stop_initiator_tag)
304
309
self.stop_initiator_tag = gobject.timeout_add\
308
313
logger.warning(u"Checker for %(name)s crashed?",
309
314
vars(self))
310
315
else:
311
logger.debug(u"Checker for %(name)s failed",
312
vars(self))
316
logger.info(u"Checker for %(name)s failed",
317
vars(self))
313
318
def start_checker(self):
314
319
"""Start a new checker subprocess if one is not running.
315
320
If a checker already exists, leave it running and do
325
330
if self.checker is None:
326
331
try:
327
332
# In case check_command has exactly one % operator
328
command = self.check_command % self.fqdn
333
command = self.check_command % self.host
329
334
except TypeError:
330
335
# Escape attributes for the shell
331
336
escaped_attrs = dict((key, re.escape(str(val)))
338
343
u' %s', self.check_command, error)
339
344
return True # Try again later
340
345
try:
341
logger.debug(u"Starting checker %r for %s",
342
command, self.name)
346
logger.info(u"Starting checker %r for %s",
347
command, self.name)
348
# We don't need to redirect stdout and stderr, since
349
# in normal mode, that is already done by daemon(),
350
# and in debug mode we don't want to. (Stdin is
351
# always replaced by /dev/null.)
343
352
self.checker = subprocess.Popen(command,
344
353
close_fds=True,
345
354
shell=True, cwd="/")
346
355
self.checker_callback_tag = gobject.child_watch_add\
347
356
(self.checker.pid,
348
357
self.checker_callback)
349
except subprocess.OSError, error:
358
except OSError, error:
350
359
logger.error(u"Failed to start subprocess: %s",
351
360
error)
352
361
# Re-run this periodically if run by gobject.timeout_add
358
367
self.checker_callback_tag = None
359
368
if getattr(self, "checker", None) is None:
360
369
return
361
logger.debug("Stopping checker for %(name)s", vars(self))
370
logger.debug(u"Stopping checker for %(name)s", vars(self))
362
371
try:
363
372
os.kill(self.checker.pid, signal.SIGTERM)
364
373
#os.sleep(0.5)
396
405
397
406
def fingerprint(openpgp):
398
407
"Convert an OpenPGP bytestring to a hexdigit fingerprint string"
399
# New empty GnuTLS certificate
400
crt = gnutls.library.types.gnutls_openpgp_crt_t()
401
gnutls.library.functions.gnutls_openpgp_crt_init\
402
(ctypes.byref(crt))
403
408
# New GnuTLS "datum" with the OpenPGP public key
404
409
datum = gnutls.library.types.gnutls_datum_t\
405
410
(ctypes.cast(ctypes.c_char_p(openpgp),
406
411
ctypes.POINTER(ctypes.c_ubyte)),
407
412
ctypes.c_uint(len(openpgp)))
413
# New empty GnuTLS certificate
414
crt = gnutls.library.types.gnutls_openpgp_crt_t()
415
gnutls.library.functions.gnutls_openpgp_crt_init\
416
(ctypes.byref(crt))
408
417
# Import the OpenPGP public key into the certificate
409
ret = gnutls.library.functions.gnutls_openpgp_crt_import\
410
(crt,
411
ctypes.byref(datum),
412
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
418
gnutls.library.functions.gnutls_openpgp_crt_import\
419
(crt, ctypes.byref(datum),
420
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
421
# Verify the self signature in the key
422
crtverify = ctypes.c_uint()
423
gnutls.library.functions.gnutls_openpgp_crt_verify_self\
424
(crt, 0, ctypes.byref(crtverify))
425
if crtverify.value != 0:
426
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
427
raise gnutls.errors.CertificateSecurityError("Verify failed")
413
428
# New buffer for the fingerprint
414
buffer = ctypes.create_string_buffer(20)
415
buffer_length = ctypes.c_size_t()
429
buf = ctypes.create_string_buffer(20)
430
buf_len = ctypes.c_size_t()
416
431
# Get the fingerprint from the certificate into the buffer
417
432
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint\
418
(crt, ctypes.byref(buffer), ctypes.byref(buffer_length))
433
(crt, ctypes.byref(buf), ctypes.byref(buf_len))
419
434
# Deinit the certificate
420
435
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
421
436
# Convert the buffer to a Python bytestring
422
fpr = ctypes.string_at(buffer, buffer_length.value)
437
fpr = ctypes.string_at(buf, buf_len.value)
423
438
# Convert the bytestring to hexadecimal notation
424
439
hex_fpr = u''.join(u"%02X" % ord(char) for char in fpr)
425
440
return hex_fpr
426
441
427
442
428
class tcp_handler(SocketServer.BaseRequestHandler, object):
443
class TCP_handler(SocketServer.BaseRequestHandler, object):
429
444
"""A TCP request handler class.
430
445
Instantiated by IPv6_TCPServer for each request to handle it.
431
446
Note: This will run in its own forked process."""
432
447
433
448
def handle(self):
434
logger.debug(u"TCP connection from: %s",
449
logger.info(u"TCP connection from: %s",
435
450
unicode(self.client_address))
436
451
session = gnutls.connection.ClientSession\
437
452
(self.request, gnutls.connection.X509Credentials())
453
454
line = self.request.makefile().readline()
455
logger.debug(u"Protocol version: %r", line)
456
try:
457
if int(line.strip().split()[0]) > 1:
458
raise RuntimeError
459
except (ValueError, IndexError, RuntimeError), error:
460
logger.error(u"Unknown protocol version: %s", error)
461
return
462
438
463
# Note: gnutls.connection.X509Credentials is really a generic
439
464
# GnuTLS certificate credentials object so long as no X.509
440
465
# keys are added to it. Therefore, we can use it here despite
448
473
if self.server.settings["priority"]:
449
474
priority = self.server.settings["priority"]
450
475
gnutls.library.functions.gnutls_priority_set_direct\
451
(session._c_object, priority, None);
476
(session._c_object, priority, None)
452
477
453
478
try:
454
479
session.handshake()
455
480
except gnutls.errors.GNUTLSError, error:
456
logger.debug(u"Handshake failed: %s", error)
481
logger.warning(u"Handshake failed: %s", error)
457
482
# Do not run session.bye() here: the session is not
458
483
# established. Just abandon the request.
459
484
return
460
485
try:
461
486
fpr = fingerprint(peer_certificate(session))
462
487
except (TypeError, gnutls.errors.GNUTLSError), error:
463
logger.debug(u"Bad certificate: %s", error)
488
logger.warning(u"Bad certificate: %s", error)
464
489
session.bye()
465
490
return
466
491
logger.debug(u"Fingerprint: %s", fpr)
470
495
client = c
471
496
break
472
497
if not client:
473
logger.debug(u"Client not found for fingerprint: %s", fpr)
498
logger.warning(u"Client not found for fingerprint: %s",
499
fpr)
474
500
session.bye()
475
501
return
476
502
# Have to check if client.still_valid(), since it is possible
477
503
# that the client timed out while establishing the GnuTLS
478
504
# session.
479
505
if not client.still_valid():
480
logger.debug(u"Client %(name)s is invalid", vars(client))
506
logger.warning(u"Client %(name)s is invalid",
507
vars(client))
481
508
session.bye()
482
509
return
483
510
sent_size = 0
495
522
Attributes:
496
523
settings: Server settings
497
524
clients: Set() of Client objects
525
enabled: Boolean; whether this server is activated yet
498
526
"""
499
527
address_family = socket.AF_INET6
500
528
def __init__(self, *args, **kwargs):
504
532
if "clients" in kwargs:
505
533
self.clients = kwargs["clients"]
506
534
del kwargs["clients"]
507
return super(type(self), self).__init__(*args, **kwargs)
535
self.enabled = False
536
super(IPv6_TCPServer, self).__init__(*args, **kwargs)
508
537
def server_bind(self):
509
538
"""This overrides the normal server_bind() function
510
539
to bind to an interface if one was specified, and also NOT to
511
540
bind to an address or port if they were not specified."""
512
if self.settings["interface"] != avahi.IF_UNSPEC:
541
if self.settings["interface"]:
513
542
# 25 is from /usr/include/asm-i486/socket.h
514
543
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
515
544
try:
518
547
self.settings["interface"])
519
548
except socket.error, error:
520
549
if error[0] == errno.EPERM:
521
logger.warning(u"No permission to"
522
u" bind to interface %s",
523
self.settings["interface"])
550
logger.error(u"No permission to"
551
u" bind to interface %s",
552
self.settings["interface"])
524
553
else:
525
554
raise error
526
555
# Only bind(2) the socket if we really need to.
529
558
in6addr_any = "::"
530
559
self.server_address = (in6addr_any,
531
560
self.server_address[1])
532
elif self.server_address[1] is None:
561
elif not self.server_address[1]:
533
562
self.server_address = (self.server_address[0],
534
563
0)
535
return super(type(self), self).server_bind()
564
# if self.settings["interface"]:
565
# self.server_address = (self.server_address[0],
566
# 0, # port
567
# 0, # flowinfo
568
# if_nametoindex
569
# (self.settings
570
# ["interface"]))
571
return super(IPv6_TCPServer, self).server_bind()
572
def server_activate(self):
573
if self.enabled:
574
return super(IPv6_TCPServer, self).server_activate()
575
def enable(self):
576
self.enabled = True
536
577
537
578
538
579
def string_to_delta(interval):
548
589
datetime.timedelta(1)
549
590
>>> string_to_delta(u'1w')
550
591
datetime.timedelta(7)
592
>>> string_to_delta('5m 30s')
593
datetime.timedelta(0, 330)
551
594
"""
552
try:
553
suffix=unicode(interval[-1])
554
value=int(interval[:-1])
555
if suffix == u"d":
556
delta = datetime.timedelta(value)
557
elif suffix == u"s":
558
delta = datetime.timedelta(0, value)
559
elif suffix == u"m":
560
delta = datetime.timedelta(0, 0, 0, 0, value)
561
elif suffix == u"h":
562
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
563
elif suffix == u"w":
564
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
565
else:
595
timevalue = datetime.timedelta(0)
596
for s in interval.split():
597
try:
598
suffix = unicode(s[-1])
599
value = int(s[:-1])
600
if suffix == u"d":
601
delta = datetime.timedelta(value)
602
elif suffix == u"s":
603
delta = datetime.timedelta(0, value)
604
elif suffix == u"m":
605
delta = datetime.timedelta(0, 0, 0, 0, value)
606
elif suffix == u"h":
607
delta = datetime.timedelta(0, 0, 0, 0, 0, value)
608
elif suffix == u"w":
609
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
610
else:
611
raise ValueError
612
except (ValueError, IndexError):
566
613
raise ValueError
567
except (ValueError, IndexError):
568
raise ValueError
569
return delta
614
timevalue += delta
615
return timevalue
570
616
571
617
572
618
def server_state_changed(state):
573
619
"""Derived from the Avahi example code"""
574
620
if state == avahi.SERVER_COLLISION:
575
logger.warning(u"Server name collision")
621
logger.error(u"Zeroconf server name collision")
576
622
service.remove()
577
623
elif state == avahi.SERVER_RUNNING:
578
624
service.add()
580
626
581
627
def entry_group_state_changed(state, error):
582
628
"""Derived from the Avahi example code"""
583
logger.debug(u"state change: %i", state)
629
logger.debug(u"Avahi state change: %i", state)
584
630
585
631
if state == avahi.ENTRY_GROUP_ESTABLISHED:
586
logger.debug(u"Service established.")
632
logger.debug(u"Zeroconf service established.")
587
633
elif state == avahi.ENTRY_GROUP_COLLISION:
588
logger.warning(u"Service name collision.")
634
logger.warning(u"Zeroconf service name collision.")
589
635
service.rename()
590
636
elif state == avahi.ENTRY_GROUP_FAILURE:
591
logger.critical(u"Error in group state changed %s",
637
logger.critical(u"Avahi: Error in group state changed %s",
592
638
unicode(error))
593
639
raise AvahiGroupError("State changed: %s", str(error))
594
640
595
def if_nametoindex(interface, _func=[None]):
641
def if_nametoindex(interface):
596
642
"""Call the C function if_nametoindex(), or equivalent"""
597
if _func[0] is not None:
598
return _func[0](interface)
643
global if_nametoindex
599
644
try:
600
if "ctypes.util" not in sys.modules:
601
import ctypes.util
602
while True:
603
try:
604
libc = ctypes.cdll.LoadLibrary\
605
(ctypes.util.find_library("c"))
606
func[0] = libc.if_nametoindex
607
return _func[0](interface)
608
except IOError, e:
609
if e != errno.EINTR:
610
raise
645
if_nametoindex = ctypes.cdll.LoadLibrary\
646
(ctypes.util.find_library("c")).if_nametoindex
611
647
except (OSError, AttributeError):
612
648
if "struct" not in sys.modules:
613
649
import struct
614
650
if "fcntl" not in sys.modules:
615
651
import fcntl
616
def the_hard_way(interface):
652
def if_nametoindex(interface):
617
653
"Get an interface index the hard way, i.e. using fcntl()"
618
654
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
619
655
s = socket.socket()
622
658
s.close()
623
659
interface_index = struct.unpack("I", ifreq[16:20])[0]
624
660
return interface_index
625
_func[0] = the_hard_way
626
return _func[0](interface)
627
628
629
def daemon(nochdir, noclose):
661
return if_nametoindex(interface)
662
663
664
def daemon(nochdir = False, noclose = False):
630
665
"""See daemon(3). Standard BSD Unix function.
631
666
This should really exist as os.daemon, but it doesn't (yet)."""
632
667
if os.fork():
634
669
os.setsid()
635
670
if not nochdir:
636
671
os.chdir("/")
672
if os.fork():
673
sys.exit()
637
674
if not noclose:
638
675
# Close all standard open file descriptors
639
676
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
648
685
649
686
650
687
def main():
651
global main_loop_started
652
main_loop_started = False
653
654
parser = OptionParser()
688
parser = OptionParser(version = "%%prog %s" % version)
655
689
parser.add_option("-i", "--interface", type="string",
656
690
metavar="IF", help="Bind to interface IF")
657
691
parser.add_option("-a", "--address", type="string",
660
694
help="Port number to receive requests on")
661
695
parser.add_option("--check", action="store_true", default=False,
662
696
help="Run self-test")
663
parser.add_option("--debug", action="store_true", default=False,
697
parser.add_option("--debug", action="store_true",
664
698
help="Debug mode; run in foreground and log to"
665
699
" terminal")
666
700
parser.add_option("--priority", type="string", help="GnuTLS"
671
705
default="/etc/mandos", metavar="DIR",
672
706
help="Directory to search for configuration"
673
707
" files")
674
(options, args) = parser.parse_args()
708
options = parser.parse_args()[0]
675
709
676
710
if options.check:
677
711
import doctest
691
725
# Parse config file for server-global settings
692
726
server_config = ConfigParser.SafeConfigParser(server_defaults)
693
727
del server_defaults
694
server_config.read(os.path.join(options.configdir, "server.conf"))
695
server_section = "server"
728
server_config.read(os.path.join(options.configdir, "mandos.conf"))
696
729
# Convert the SafeConfigParser object to a dict
697
server_settings = dict(server_config.items(server_section))
730
server_settings = server_config.defaults()
698
731
# Use getboolean on the boolean config option
699
732
server_settings["debug"] = server_config.getboolean\
700
(server_section, "debug")
733
("DEFAULT", "debug")
701
734
del server_config
702
if not server_settings["interface"]:
703
server_settings["interface"] = avahi.IF_UNSPEC
704
735
705
736
# Override the settings from the config file with command line
706
737
# options, if set.
712
743
del options
713
744
# Now we have our good server settings in "server_settings"
714
745
746
debug = server_settings["debug"]
747
748
if not debug:
749
syslogger.setLevel(logging.WARNING)
750
console.setLevel(logging.WARNING)
751
752
if server_settings["servicename"] != "Mandos":
753
syslogger.setFormatter(logging.Formatter\
754
('Mandos (%s): %%(levelname)s:'
755
' %%(message)s'
756
% server_settings["servicename"]))
757
715
758
# Parse config file with clients
716
759
client_defaults = { "timeout": "1h",
717
760
"interval": "5m",
718
"checker": "fping -q -- %%(fqdn)s",
761
"checker": "fping -q -- %(host)s",
762
"host": "",
719
763
}
720
764
client_config = ConfigParser.SafeConfigParser(client_defaults)
721
765
client_config.read(os.path.join(server_settings["configdir"],
722
766
"clients.conf"))
723
767
768
clients = Set()
769
tcp_server = IPv6_TCPServer((server_settings["address"],
770
server_settings["port"]),
771
TCP_handler,
772
settings=server_settings,
773
clients=clients)
774
pidfilename = "/var/run/mandos.pid"
775
try:
776
pidfile = open(pidfilename, "w")
777
except IOError, error:
778
logger.error("Could not open file %r", pidfilename)
779
780
uid = 65534
781
gid = 65534
782
try:
783
uid = pwd.getpwnam("mandos").pw_uid
784
except KeyError:
785
try:
786
uid = pwd.getpwnam("nobody").pw_uid
787
except KeyError:
788
pass
789
try:
790
gid = pwd.getpwnam("mandos").pw_gid
791
except KeyError:
792
try:
793
gid = pwd.getpwnam("nogroup").pw_gid
794
except KeyError:
795
pass
796
try:
797
os.setuid(uid)
798
os.setgid(gid)
799
except OSError, error:
800
if error[0] != errno.EPERM:
801
raise error
802
724
803
global service
725
804
service = AvahiService(name = server_settings["servicename"],
726
type = "_mandos._tcp", );
805
servicetype = "_mandos._tcp", )
806
if server_settings["interface"]:
807
service.interface = if_nametoindex\
808
(server_settings["interface"])
727
809
728
810
global main_loop
729
811
global bus
732
814
DBusGMainLoop(set_as_default=True )
733
815
main_loop = gobject.MainLoop()
734
816
bus = dbus.SystemBus()
735
server = dbus.Interface(
736
bus.get_object( avahi.DBUS_NAME, avahi.DBUS_PATH_SERVER ),
737
avahi.DBUS_INTERFACE_SERVER )
817
server = dbus.Interface(bus.get_object(avahi.DBUS_NAME,
818
avahi.DBUS_PATH_SERVER),
819
avahi.DBUS_INTERFACE_SERVER)
738
820
# End of Avahi example code
739
821
740
debug = server_settings["debug"]
741
742
if debug:
743
console = logging.StreamHandler()
744
# console.setLevel(logging.DEBUG)
745
console.setFormatter(logging.Formatter\
746
('%(levelname)s: %(message)s'))
747
logger.addHandler(console)
748
del console
749
750
clients = Set()
751
822
def remove_from_clients(client):
752
823
clients.remove(client)
753
824
if not clients:
754
logger.debug(u"No clients left, exiting")
825
logger.critical(u"No clients left, exiting")
755
826
sys.exit()
756
827
757
clients.update(Set(Client(name=section,
828
clients.update(Set(Client(name = section,
758
829
stop_hook = remove_from_clients,
759
**(dict(client_config\
760
.items(section))))
830
config
831
= dict(client_config.items(section)))
761
832
for section in client_config.sections()))
762
763
if not debug:
764
daemon(False, False)
833
if not clients:
834
logger.critical(u"No clients defined")
835
sys.exit(1)
836
837
if debug:
838
# Redirect stdin so all checkers get /dev/null
839
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
840
os.dup2(null, sys.stdin.fileno())
841
if null > 2:
842
os.close(null)
843
else:
844
# No console logging
845
logger.removeHandler(console)
846
# Close all input and output, do double fork, etc.
847
daemon()
848
849
try:
850
pid = os.getpid()
851
pidfile.write(str(pid) + "\n")
852
pidfile.close()
853
del pidfile
854
except IOError:
855
logger.error(u"Could not write to file %r with PID %d",
856
pidfilename, pid)
857
except NameError:
858
# "pidfile" was never created
859
pass
860
del pidfilename
765
861
766
862
def cleanup():
767
863
"Cleanup function; run on exit"
787
883
for client in clients:
788
884
client.start()
789
885
790
tcp_server = IPv6_TCPServer((server_settings["address"],
791
server_settings["port"]),
792
tcp_handler,
793
settings=server_settings,
794
clients=clients)
886
tcp_server.enable()
887
tcp_server.server_activate()
888
795
889
# Find out what port we got
796
890
service.port = tcp_server.socket.getsockname()[1]
797
logger.debug(u"Now listening on port %d", service.port)
891
logger.info(u"Now listening on address %r, port %d, flowinfo %d,"
892
u" scope_id %d" % tcp_server.socket.getsockname())
798
893
799
if not server_settings["interface"]:
800
service.interface = if_nametoindex\
801
(server_settings["interface"])
894
#service.interface = tcp_server.socket.getsockname()[3]
802
895
803
896
try:
804
897
# From the Avahi example code
815
908
tcp_server.handle_request\
816
909
(*args[2:], **kwargs) or True)
817
910
818
logger.debug("Starting main loop")
819
main_loop_started = True
911
logger.debug(u"Starting main loop")
820
912
main_loop.run()
821
913
except AvahiError, error:
822
914
logger.critical(u"AvahiError: %s" + unicode(error))
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0