74
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
75
getuid(), getgid(), seteuid(),
76
setgid(), pause(), _exit() */
77
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
78
#include <iso646.h> /* not, or, and */
79
79
#include <argp.h> /* struct argp_option, error_t, struct
86
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
WEXITSTATUS(), WTERMSIG() */
90
#include <grp.h> /* setgroups() */
93
90
#include <sys/klog.h> /* klogctl() */
171
167
/* Function to use when printing errors */
172
168
void perror_plus(const char *print_text){
174
169
fprintf(stderr, "Mandos plugin %s: ",
175
170
program_invocation_short_name);
177
171
perror(print_text);
180
__attribute__((format (gnu_printf, 2, 3)))
181
int fprintf_plus(FILE *stream, const char *format, ...){
183
va_start (ap, format);
185
TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",
186
program_invocation_short_name));
187
return TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
191
175
* Make additional room in "buffer" for at least BUFFER_SIZE more
192
176
* bytes. "buffer_capacity" is how much is currently allocated,
193
177
* "buffer_length" is how much is already used.
195
179
size_t incbuffer(char **buffer, size_t buffer_length,
196
size_t buffer_capacity){
180
size_t buffer_capacity){
197
181
if(buffer_length + BUFFER_SIZE > buffer_capacity){
198
182
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
199
183
if(buffer == NULL){
207
191
/* Add server to set of servers to retry periodically */
208
bool add_server(const char *ip, uint16_t port, AvahiIfIndex if_index,
192
int add_server(const char *ip, uint16_t port,
193
AvahiIfIndex if_index,
211
196
server *new_server = malloc(sizeof(server));
212
197
if(new_server == NULL){
213
198
perror_plus("malloc");
216
201
*new_server = (server){ .ip = strdup(ip),
218
.if_index = if_index,
203
.if_index = if_index,
220
205
if(new_server->ip == NULL){
221
206
perror_plus("strdup");
224
209
/* Special case of first server */
225
210
if (mc.current_server == NULL){
267
252
rc = gpgme_data_new_from_fd(&pgp_data, fd);
268
253
if(rc != GPG_ERR_NO_ERROR){
269
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
270
gpgme_strsource(rc), gpgme_strerror(rc));
254
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
255
gpgme_strsource(rc), gpgme_strerror(rc));
274
259
rc = gpgme_op_import(mc.ctx, pgp_data);
275
260
if(rc != GPG_ERR_NO_ERROR){
276
fprintf_plus(stderr, "bad gpgme_op_import: %s: %s\n",
277
gpgme_strsource(rc), gpgme_strerror(rc));
261
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
262
gpgme_strsource(rc), gpgme_strerror(rc));
290
fprintf_plus(stderr, "Initializing GPGME\n");
275
fprintf(stderr, "Initializing GPGME\n");
294
279
gpgme_check_version(NULL);
295
280
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
296
281
if(rc != GPG_ERR_NO_ERROR){
297
fprintf_plus(stderr, "bad gpgme_engine_check_version: %s: %s\n",
298
gpgme_strsource(rc), gpgme_strerror(rc));
282
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
283
gpgme_strsource(rc), gpgme_strerror(rc));
302
287
/* Set GPGME home directory for the OpenPGP engine only */
303
288
rc = gpgme_get_engine_info(&engine_info);
304
289
if(rc != GPG_ERR_NO_ERROR){
305
fprintf_plus(stderr, "bad gpgme_get_engine_info: %s: %s\n",
306
gpgme_strsource(rc), gpgme_strerror(rc));
290
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
291
gpgme_strsource(rc), gpgme_strerror(rc));
309
294
while(engine_info != NULL){
315
300
engine_info = engine_info->next;
317
302
if(engine_info == NULL){
318
fprintf_plus(stderr, "Could not set GPGME home dir to %s\n",
303
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
323
307
/* Create new GPGME "context" */
324
308
rc = gpgme_new(&(mc.ctx));
325
309
if(rc != GPG_ERR_NO_ERROR){
326
fprintf_plus(stderr, "Mandos plugin mandos-client: "
327
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
310
fprintf(stderr, "bad gpgme_new: %s: %s\n",
311
gpgme_strsource(rc), gpgme_strerror(rc));
350
333
ssize_t plaintext_length = 0;
353
fprintf_plus(stderr, "Trying to decrypt OpenPGP data\n");
336
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
356
339
/* Create new GPGME data buffer from memory cryptotext */
357
340
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
359
342
if(rc != GPG_ERR_NO_ERROR){
360
fprintf_plus(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
361
gpgme_strsource(rc), gpgme_strerror(rc));
343
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
344
gpgme_strsource(rc), gpgme_strerror(rc));
365
348
/* Create new empty GPGME data buffer for the plaintext */
366
349
rc = gpgme_data_new(&dh_plain);
367
350
if(rc != GPG_ERR_NO_ERROR){
368
fprintf_plus(stderr, "Mandos plugin mandos-client: "
369
"bad gpgme_data_new: %s: %s\n",
370
gpgme_strsource(rc), gpgme_strerror(rc));
351
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
352
gpgme_strsource(rc), gpgme_strerror(rc));
371
353
gpgme_data_release(dh_crypto);
377
359
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
378
360
if(rc != GPG_ERR_NO_ERROR){
379
fprintf_plus(stderr, "bad gpgme_op_decrypt: %s: %s\n",
380
gpgme_strsource(rc), gpgme_strerror(rc));
361
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
362
gpgme_strsource(rc), gpgme_strerror(rc));
381
363
plaintext_length = -1;
383
365
gpgme_decrypt_result_t result;
384
366
result = gpgme_op_decrypt_result(mc.ctx);
385
367
if(result == NULL){
386
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
368
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
388
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
389
result->unsupported_algorithm);
390
fprintf_plus(stderr, "Wrong key usage: %u\n",
391
result->wrong_key_usage);
370
fprintf(stderr, "Unsupported algorithm: %s\n",
371
result->unsupported_algorithm);
372
fprintf(stderr, "Wrong key usage: %u\n",
373
result->wrong_key_usage);
392
374
if(result->file_name != NULL){
393
fprintf_plus(stderr, "File name: %s\n", result->file_name);
375
fprintf(stderr, "File name: %s\n", result->file_name);
395
377
gpgme_recipient_t recipient;
396
378
recipient = result->recipients;
397
379
while(recipient != NULL){
398
fprintf_plus(stderr, "Public key algorithm: %s\n",
399
gpgme_pubkey_algo_name
400
(recipient->pubkey_algo));
401
fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);
402
fprintf_plus(stderr, "Secret key available: %s\n",
403
recipient->status == GPG_ERR_NO_SECKEY
380
fprintf(stderr, "Public key algorithm: %s\n",
381
gpgme_pubkey_algo_name(recipient->pubkey_algo));
382
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
383
fprintf(stderr, "Secret key available: %s\n",
384
recipient->status == GPG_ERR_NO_SECKEY
405
386
recipient = recipient->next;
486
fprintf_plus(stderr, "Initializing GnuTLS\n");
467
fprintf(stderr, "Initializing GnuTLS\n");
489
470
ret = gnutls_global_init();
490
471
if(ret != GNUTLS_E_SUCCESS){
491
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
492
safer_gnutls_strerror(ret));
472
fprintf(stderr, "GnuTLS global_init: %s\n",
473
safer_gnutls_strerror(ret));
504
485
/* OpenPGP credentials */
505
486
ret = gnutls_certificate_allocate_credentials(&mc.cred);
506
487
if(ret != GNUTLS_E_SUCCESS){
507
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
508
safer_gnutls_strerror(ret));
488
fprintf(stderr, "GnuTLS memory error: %s\n",
489
safer_gnutls_strerror(ret));
509
490
gnutls_global_deinit();
514
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
515
" secret key %s as GnuTLS credentials\n",
495
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
496
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
520
500
ret = gnutls_certificate_set_openpgp_key_file
521
501
(mc.cred, pubkeyfilename, seckeyfilename,
522
502
GNUTLS_OPENPGP_FMT_BASE64);
523
503
if(ret != GNUTLS_E_SUCCESS){
525
"Error[%d] while reading the OpenPGP key pair ('%s',"
526
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
527
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
528
safer_gnutls_strerror(ret));
505
"Error[%d] while reading the OpenPGP key pair ('%s',"
506
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
507
fprintf(stderr, "The GnuTLS error is: %s\n",
508
safer_gnutls_strerror(ret));
532
512
/* GnuTLS server initialization */
533
513
ret = gnutls_dh_params_init(&mc.dh_params);
534
514
if(ret != GNUTLS_E_SUCCESS){
535
fprintf_plus(stderr, "Error in GnuTLS DH parameter"
536
" initialization: %s\n",
537
safer_gnutls_strerror(ret));
515
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
516
" %s\n", safer_gnutls_strerror(ret));
540
519
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
541
520
if(ret != GNUTLS_E_SUCCESS){
542
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
543
safer_gnutls_strerror(ret));
521
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
522
safer_gnutls_strerror(ret));
582
560
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
583
561
if(ret != GNUTLS_E_SUCCESS){
584
fprintf_plus(stderr, "Syntax error at: %s\n", err);
585
fprintf_plus(stderr, "GnuTLS error: %s\n",
586
safer_gnutls_strerror(ret));
562
fprintf(stderr, "Syntax error at: %s\n", err);
563
fprintf(stderr, "GnuTLS error: %s\n",
564
safer_gnutls_strerror(ret));
587
565
gnutls_deinit(*session);
732
710
if(if_indextoname((unsigned int)if_index, interface) == NULL){
733
711
perror_plus("if_indextoname");
735
fprintf_plus(stderr, "Connection to: %s%%%s, port %" PRIu16
736
"\n", ip, interface, port);
713
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
714
ip, interface, port);
739
fprintf_plus(stderr, "Connection to: %s, port %" PRIu16 "\n",
717
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
742
720
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
743
721
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
895
873
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
897
fprintf_plus(stderr, "*** GnuTLS Re-handshake failed "
875
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
899
876
gnutls_perror(ret);
905
fprintf_plus(stderr, "Unknown error while reading data from"
906
" encrypted session with Mandos server\n");
882
fprintf(stderr, "Unknown error while reading data from"
883
" encrypted session with Mandos server\n");
907
884
gnutls_bye(session, GNUTLS_SHUT_RDWR);
1015
993
case AVAHI_RESOLVER_FAILURE:
1016
fprintf_plus(stderr, "(Avahi Resolver) Failed to resolve service "
1017
"'%s' of type '%s' in domain '%s': %s\n", name, type,
1019
avahi_strerror(avahi_server_errno(mc.server)));
994
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
995
" of type '%s' in domain '%s': %s\n", name, type, domain,
996
avahi_strerror(avahi_server_errno(mc.server)));
1022
999
case AVAHI_RESOLVER_FOUND:
1024
1001
char ip[AVAHI_ADDRESS_STR_MAX];
1025
1002
avahi_address_snprint(ip, sizeof(ip), address);
1027
fprintf_plus(stderr, "Mandos server \"%s\" found on %s (%s, %"
1028
PRIdMAX ") on port %" PRIu16 "\n", name,
1029
host_name, ip, (intmax_t)interface, port);
1004
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
1005
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1006
ip, (intmax_t)interface, port);
1031
1008
int ret = start_mandos_communication(ip, port, interface,
1032
1009
avahi_proto_to_af(proto));
1034
1011
avahi_simple_poll_quit(mc.simple_poll);
1036
if(not add_server(ip, port, interface,
1037
avahi_proto_to_af(proto))){
1038
fprintf_plus(stderr, "Failed to add server \"%s\" to server"
1013
ret = add_server(ip, port, interface,
1014
avahi_proto_to_af(proto));
1081
1055
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1082
1056
name, type, domain, protocol, 0,
1083
1057
resolve_callback, NULL) == NULL)
1084
fprintf_plus(stderr, "Avahi: Failed to resolve service '%s':"
1086
avahi_strerror(avahi_server_errno(mc.server)));
1058
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
1059
name, avahi_strerror(avahi_server_errno(mc.server)));
1089
1062
case AVAHI_BROWSER_REMOVE:
1138
1110
/* Reject the loopback device */
1139
1111
if(ifr->ifr_flags & IFF_LOOPBACK){
1141
fprintf_plus(stderr, "Rejecting loopback interface \"%s\"\n",
1113
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1146
1118
/* Accept point-to-point devices only if connect_to is specified */
1147
1119
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1149
fprintf_plus(stderr, "Accepting point-to-point interface"
1150
" \"%s\"\n", ifname);
1121
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1154
1126
/* Otherwise, reject non-broadcast-capable devices */
1155
1127
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1157
fprintf_plus(stderr, "Rejecting non-broadcast interface"
1158
" \"%s\"\n", ifname);
1129
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1162
1134
/* Reject non-ARP interfaces (including dummy interfaces) */
1163
1135
if(ifr->ifr_flags & IFF_NOARP){
1165
fprintf_plus(stderr, "Rejecting non-ARP interface \"%s\"\n",
1137
fprintf(stderr, "Rejecting non-ARP interface \"%s\"\n", ifname);
1171
1142
/* Accept this device */
1173
fprintf_plus(stderr, "Interface \"%s\" is good\n", ifname);
1144
fprintf(stderr, "Interface \"%s\" is good\n", ifname);
1268
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1269
"abcdefghijklmnopqrstuvwxyz"
1272
if((direntry->d_name)[sret] != '\0'){
1273
/* Contains non-allowed characters */
1275
fprintf_plus(stderr, "Ignoring hook \"%s\" with bad name\n",
1281
char *fullname = NULL;
1282
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1284
perror_plus("asprintf");
1288
ret = stat(fullname, &st);
1238
/* Save pointer to last character */
1239
char *end = strchr(direntry->d_name, '\0')-1;
1246
if(((direntry->d_name)[0] == '#')
1248
/* Temporary #name# */
1252
/* XXX more rules here */
1254
ret = stat(direntry->d_name, &st);
1291
perror_plus("Could not stat hook");
1257
perror_plus("Could not stat plugin");
1295
1261
if(not (S_ISREG(st.st_mode))){
1296
1262
/* Not a regular file */
1298
fprintf_plus(stderr, "Ignoring hook \"%s\" - not a file\n",
1303
1265
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1304
1266
/* Not executable */
1306
fprintf_plus(stderr, "Ignoring hook \"%s\" - not executable\n",
1312
fprintf_plus(stderr, "Hook \"%s\" is acceptable\n",
1325
1279
if(mc.current_server == NULL){
1327
fprintf_plus(stderr, "Wait until first server is found."
1282
"Wait until first server is found. No timeout!\n");
1330
1284
ret = avahi_simple_poll_iterate(s, -1);
1333
fprintf_plus(stderr, "Check current_server if we should run"
1287
fprintf(stderr, "Check current_server if we should run it,"
1336
1290
/* the current time */
1337
1291
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1380
1333
ret = avahi_simple_poll_iterate(s, (int)block_time);
1383
if (ret > 0 or errno != EINTR){
1336
if (ret > 0 or errno != EINTR) {
1384
1337
return (ret != 1) ? ret : 0;
1390
bool run_network_hooks(const char *mode, const char *interface,
1392
struct dirent **direntries;
1393
struct dirent *direntry;
1395
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1398
perror_plus("scandir");
1400
int devnull = open("/dev/null", O_RDONLY);
1401
for(int i = 0; i < numhooks; i++){
1402
direntry = direntries[i];
1403
char *fullname = NULL;
1404
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1406
perror_plus("asprintf");
1410
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1413
pid_t hook_pid = fork();
1416
/* Raise privileges */
1420
perror_plus("seteuid");
1422
/* Raise privileges even more */
1426
perror_plus("setuid");
1432
perror_plus("setgid");
1434
/* Reset supplementary groups */
1436
ret = setgroups(0, NULL);
1438
perror_plus("setgroups");
1440
dup2(devnull, STDIN_FILENO);
1442
dup2(STDERR_FILENO, STDOUT_FILENO);
1443
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1445
perror_plus("setenv");
1448
ret = setenv("DEVICE", interface, 1);
1450
perror_plus("setenv");
1453
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1455
perror_plus("setenv");
1458
ret = setenv("MODE", mode, 1);
1460
perror_plus("setenv");
1464
ret = asprintf(&delaystring, "%f", delay);
1466
perror_plus("asprintf");
1469
ret = setenv("DELAY", delaystring, 1);
1472
perror_plus("setenv");
1476
if(connect_to != NULL){
1477
ret = setenv("CONNECT", connect_to, 1);
1479
perror_plus("setenv");
1483
if(execl(fullname, direntry->d_name, mode, NULL) == -1){
1484
perror_plus("execl");
1485
_exit(EXIT_FAILURE);
1489
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1490
perror_plus("waitpid");
1494
if(WIFEXITED(status)){
1495
if(WEXITSTATUS(status) != 0){
1496
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1497
" with status %d\n", direntry->d_name,
1498
WEXITSTATUS(status));
1502
} else if(WIFSIGNALED(status)){
1503
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1504
" signal %d\n", direntry->d_name,
1509
fprintf_plus(stderr, "Warning: network hook \"%s\""
1510
" crashed\n", direntry->d_name);
1517
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1526
1343
int main(int argc, char *argv[]){
1527
1344
AvahiSServiceBrowser *sb = NULL;
1609
1426
{ .name = "retry", .key = 132,
1610
1427
.arg = "SECONDS",
1611
.doc = "Retry interval used when denied by the Mandos server",
1613
{ .name = "network-hook-dir", .key = 133,
1615
.doc = "Directory where network hooks are located",
1428
.doc = "Retry interval used when denied by the mandos server",
1618
1431
* These reproduce what we would get without ARGP_NO_HELP
1720
1530
/* Work around Debian bug #633582:
1721
1531
<http://bugs.debian.org/633582> */
1723
1534
/* Re-raise priviliges */
1725
1536
ret = seteuid(0);
1727
1538
perror_plus("seteuid");
1731
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1732
int seckey_fd = open(seckey, O_RDONLY);
1733
if(seckey_fd == -1){
1734
perror_plus("open");
1736
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1738
perror_plus("fstat");
1740
if(S_ISREG(st.st_mode)
1741
and st.st_uid == 0 and st.st_gid == 0){
1742
ret = fchown(seckey_fd, uid, gid);
1744
perror_plus("fchown");
1748
TEMP_FAILURE_RETRY(close(seckey_fd));
1752
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1753
int pubkey_fd = open(pubkey, O_RDONLY);
1754
if(pubkey_fd == -1){
1755
perror_plus("open");
1757
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1759
perror_plus("fstat");
1761
if(S_ISREG(st.st_mode)
1762
and st.st_uid == 0 and st.st_gid == 0){
1763
ret = fchown(pubkey_fd, uid, gid);
1765
perror_plus("fchown");
1769
TEMP_FAILURE_RETRY(close(pubkey_fd));
1773
/* Lower privileges */
1777
perror_plus("seteuid");
1541
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1542
int seckey_fd = open(seckey, O_RDONLY);
1543
if(seckey_fd == -1){
1544
perror_plus("open");
1546
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1548
perror_plus("fstat");
1550
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1551
ret = fchown(seckey_fd, uid, gid);
1553
perror_plus("fchown");
1557
TEMP_FAILURE_RETRY(close(seckey_fd));
1561
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1562
int pubkey_fd = open(pubkey, O_RDONLY);
1563
if(pubkey_fd == -1){
1564
perror_plus("open");
1566
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1568
perror_plus("fstat");
1570
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1571
ret = fchown(pubkey_fd, uid, gid);
1573
perror_plus("fchown");
1577
TEMP_FAILURE_RETRY(close(pubkey_fd));
1581
/* Lower privileges */
1585
perror_plus("seteuid");
1782
/* Run network hooks */
1783
if(not run_network_hooks("start", interface, delay)){
1589
/* Find network hooks and run them */
1591
struct dirent **direntries;
1592
struct dirent *direntry;
1593
int numhooks = scandir(HOOKDIR, &direntries, runnable_hook,
1595
int devnull = open("/dev/null", O_RDONLY);
1596
for(int i = 0; i < numhooks; i++){
1597
direntry = direntries[0];
1598
char *fullname = NULL;
1599
ret = asprintf(&fullname, "%s/%s", tempdir,
1602
perror_plus("asprintf");
1605
pid_t hook_pid = fork();
1608
dup2(devnull, STDIN_FILENO);
1610
dup2(STDERR_FILENO, STDOUT_FILENO);
1611
ret = setenv("DEVICE", interface, 1);
1613
perror_plus("setenv");
1616
ret = setenv("VERBOSE", debug ? "1" : "0", 1);
1618
perror_plus("setenv");
1621
ret = setenv("MODE", "start", 1);
1623
perror_plus("setenv");
1627
ret = asprintf(&delaystring, "%f", delay);
1629
perror_plus("asprintf");
1632
ret = setenv("DELAY", delaystring, 1);
1635
perror_plus("setenv");
1639
ret = execl(fullname, direntry->d_name, "start", NULL);
1640
perror_plus("execl");
2178
2048
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2179
2049
NULL, 0, browse_callback, NULL);
2180
2050
if(sb == NULL){
2181
fprintf_plus(stderr, "Failed to create service browser: %s\n",
2182
avahi_strerror(avahi_server_errno(mc.server)));
2051
fprintf(stderr, "Failed to create service browser: %s\n",
2052
avahi_strerror(avahi_server_errno(mc.server)));
2183
2053
exitcode = EX_UNAVAILABLE;
2191
2061
/* Run the main loop */
2194
fprintf_plus(stderr, "Starting Avahi loop search\n");
2064
fprintf(stderr, "Starting Avahi loop search\n");
2197
2067
ret = avahi_loop_with_timeout(mc.simple_poll,
2198
2068
(int)(retry_interval * 1000));
2200
fprintf_plus(stderr, "avahi_loop_with_timeout exited %s\n",
2201
(ret == 0) ? "successfully" : "with error");
2070
fprintf(stderr, "avahi_loop_with_timeout exited %s\n",
2071
(ret == 0) ? "successfully" : "with error");
2207
fprintf_plus(stderr, "%s exiting\n", argv[0]);
2077
fprintf(stderr, "%s exiting\n", argv[0]);
2210
2080
/* Cleanup things */
2241
/* Run network hooks */
2242
run_network_hooks("stop", interface, delay);
2111
/* XXX run network hooks "stop" here */
2244
/* Re-raise priviliges */
2113
/* Take down the network interface */
2114
if(take_down_interface){
2115
/* Re-raise priviliges */
2247
2117
ret = seteuid(0);
2249
2119
perror_plus("seteuid");
2252
/* Take down the network interface */
2253
if(take_down_interface and geteuid() == 0){
2254
2122
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2256
2124
perror_plus("ioctl SIOCGIFFLAGS");
2257
} else if(network.ifr_flags & IFF_UP){
2125
} else if(network.ifr_flags & IFF_UP) {
2258
2126
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2259
2127
ret = ioctl(sd, SIOCSIFFLAGS, &network);