74
74
#include <unistd.h> /* close(), SEEK_SET, off_t, write(),
75
75
getuid(), getgid(), seteuid(),
76
setgid(), pause(), _exit() */
77
77
#include <arpa/inet.h> /* inet_pton(), htons, inet_ntop() */
78
78
#include <iso646.h> /* not, or, and */
79
79
#include <argp.h> /* struct argp_option, error_t, struct
86
86
#include <sysexits.h> /* EX_OSERR, EX_USAGE, EX_UNAVAILABLE,
87
87
EX_NOHOST, EX_IOERR, EX_PROTOCOL */
88
#include <sys/wait.h> /* waitpid(), WIFEXITED(),
89
WEXITSTATUS(), WTERMSIG() */
90
#include <grp.h> /* setgroups() */
90
93
#include <sys/klog.h> /* klogctl() */
167
171
/* Function to use when printing errors */
168
172
void perror_plus(const char *print_text){
169
174
fprintf(stderr, "Mandos plugin %s: ",
170
175
program_invocation_short_name);
171
177
perror(print_text);
180
__attribute__((format (gnu_printf, 2, 3)))
181
int fprintf_plus(FILE *stream, const char *format, ...){
183
va_start (ap, format);
185
TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",
186
program_invocation_short_name));
187
return TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));
175
191
* Make additional room in "buffer" for at least BUFFER_SIZE more
176
192
* bytes. "buffer_capacity" is how much is currently allocated,
177
193
* "buffer_length" is how much is already used.
179
195
size_t incbuffer(char **buffer, size_t buffer_length,
180
size_t buffer_capacity){
196
size_t buffer_capacity){
181
197
if(buffer_length + BUFFER_SIZE > buffer_capacity){
182
198
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
183
199
if(buffer == NULL){
191
207
/* Add server to set of servers to retry periodically */
192
int add_server(const char *ip, uint16_t port,
193
AvahiIfIndex if_index,
208
bool add_server(const char *ip, uint16_t port, AvahiIfIndex if_index,
196
211
server *new_server = malloc(sizeof(server));
197
212
if(new_server == NULL){
198
213
perror_plus("malloc");
201
216
*new_server = (server){ .ip = strdup(ip),
203
.if_index = if_index,
218
.if_index = if_index,
205
220
if(new_server->ip == NULL){
206
221
perror_plus("strdup");
209
224
/* Special case of first server */
210
225
if (mc.current_server == NULL){
252
267
rc = gpgme_data_new_from_fd(&pgp_data, fd);
253
268
if(rc != GPG_ERR_NO_ERROR){
254
fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
255
gpgme_strsource(rc), gpgme_strerror(rc));
269
fprintf_plus(stderr, "bad gpgme_data_new_from_fd: %s: %s\n",
270
gpgme_strsource(rc), gpgme_strerror(rc));
259
274
rc = gpgme_op_import(mc.ctx, pgp_data);
260
275
if(rc != GPG_ERR_NO_ERROR){
261
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
262
gpgme_strsource(rc), gpgme_strerror(rc));
276
fprintf_plus(stderr, "bad gpgme_op_import: %s: %s\n",
277
gpgme_strsource(rc), gpgme_strerror(rc));
275
fprintf(stderr, "Initializing GPGME\n");
290
fprintf_plus(stderr, "Initializing GPGME\n");
279
294
gpgme_check_version(NULL);
280
295
rc = gpgme_engine_check_version(GPGME_PROTOCOL_OpenPGP);
281
296
if(rc != GPG_ERR_NO_ERROR){
282
fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n",
283
gpgme_strsource(rc), gpgme_strerror(rc));
297
fprintf_plus(stderr, "bad gpgme_engine_check_version: %s: %s\n",
298
gpgme_strsource(rc), gpgme_strerror(rc));
287
302
/* Set GPGME home directory for the OpenPGP engine only */
288
303
rc = gpgme_get_engine_info(&engine_info);
289
304
if(rc != GPG_ERR_NO_ERROR){
290
fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n",
291
gpgme_strsource(rc), gpgme_strerror(rc));
305
fprintf_plus(stderr, "bad gpgme_get_engine_info: %s: %s\n",
306
gpgme_strsource(rc), gpgme_strerror(rc));
294
309
while(engine_info != NULL){
300
315
engine_info = engine_info->next;
302
317
if(engine_info == NULL){
303
fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir);
318
fprintf_plus(stderr, "Could not set GPGME home dir to %s\n",
307
323
/* Create new GPGME "context" */
308
324
rc = gpgme_new(&(mc.ctx));
309
325
if(rc != GPG_ERR_NO_ERROR){
310
fprintf(stderr, "bad gpgme_new: %s: %s\n",
311
gpgme_strsource(rc), gpgme_strerror(rc));
326
fprintf_plus(stderr, "Mandos plugin mandos-client: "
327
"bad gpgme_new: %s: %s\n", gpgme_strsource(rc),
333
350
ssize_t plaintext_length = 0;
336
fprintf(stderr, "Trying to decrypt OpenPGP data\n");
353
fprintf_plus(stderr, "Trying to decrypt OpenPGP data\n");
339
356
/* Create new GPGME data buffer from memory cryptotext */
340
357
rc = gpgme_data_new_from_mem(&dh_crypto, cryptotext, crypto_size,
342
359
if(rc != GPG_ERR_NO_ERROR){
343
fprintf(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
344
gpgme_strsource(rc), gpgme_strerror(rc));
360
fprintf_plus(stderr, "bad gpgme_data_new_from_mem: %s: %s\n",
361
gpgme_strsource(rc), gpgme_strerror(rc));
348
365
/* Create new empty GPGME data buffer for the plaintext */
349
366
rc = gpgme_data_new(&dh_plain);
350
367
if(rc != GPG_ERR_NO_ERROR){
351
fprintf(stderr, "bad gpgme_data_new: %s: %s\n",
352
gpgme_strsource(rc), gpgme_strerror(rc));
368
fprintf_plus(stderr, "Mandos plugin mandos-client: "
369
"bad gpgme_data_new: %s: %s\n",
370
gpgme_strsource(rc), gpgme_strerror(rc));
353
371
gpgme_data_release(dh_crypto);
359
377
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
360
378
if(rc != GPG_ERR_NO_ERROR){
361
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
362
gpgme_strsource(rc), gpgme_strerror(rc));
379
fprintf_plus(stderr, "bad gpgme_op_decrypt: %s: %s\n",
380
gpgme_strsource(rc), gpgme_strerror(rc));
363
381
plaintext_length = -1;
365
383
gpgme_decrypt_result_t result;
366
384
result = gpgme_op_decrypt_result(mc.ctx);
367
385
if(result == NULL){
368
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
386
fprintf_plus(stderr, "gpgme_op_decrypt_result failed\n");
370
fprintf(stderr, "Unsupported algorithm: %s\n",
371
result->unsupported_algorithm);
372
fprintf(stderr, "Wrong key usage: %u\n",
373
result->wrong_key_usage);
388
fprintf_plus(stderr, "Unsupported algorithm: %s\n",
389
result->unsupported_algorithm);
390
fprintf_plus(stderr, "Wrong key usage: %u\n",
391
result->wrong_key_usage);
374
392
if(result->file_name != NULL){
375
fprintf(stderr, "File name: %s\n", result->file_name);
393
fprintf_plus(stderr, "File name: %s\n", result->file_name);
377
395
gpgme_recipient_t recipient;
378
396
recipient = result->recipients;
379
397
while(recipient != NULL){
380
fprintf(stderr, "Public key algorithm: %s\n",
381
gpgme_pubkey_algo_name(recipient->pubkey_algo));
382
fprintf(stderr, "Key ID: %s\n", recipient->keyid);
383
fprintf(stderr, "Secret key available: %s\n",
384
recipient->status == GPG_ERR_NO_SECKEY
398
fprintf_plus(stderr, "Public key algorithm: %s\n",
399
gpgme_pubkey_algo_name
400
(recipient->pubkey_algo));
401
fprintf_plus(stderr, "Key ID: %s\n", recipient->keyid);
402
fprintf_plus(stderr, "Secret key available: %s\n",
403
recipient->status == GPG_ERR_NO_SECKEY
386
405
recipient = recipient->next;
467
fprintf(stderr, "Initializing GnuTLS\n");
486
fprintf_plus(stderr, "Initializing GnuTLS\n");
470
489
ret = gnutls_global_init();
471
490
if(ret != GNUTLS_E_SUCCESS){
472
fprintf(stderr, "GnuTLS global_init: %s\n",
473
safer_gnutls_strerror(ret));
491
fprintf_plus(stderr, "GnuTLS global_init: %s\n",
492
safer_gnutls_strerror(ret));
485
504
/* OpenPGP credentials */
486
505
ret = gnutls_certificate_allocate_credentials(&mc.cred);
487
506
if(ret != GNUTLS_E_SUCCESS){
488
fprintf(stderr, "GnuTLS memory error: %s\n",
489
safer_gnutls_strerror(ret));
507
fprintf_plus(stderr, "GnuTLS memory error: %s\n",
508
safer_gnutls_strerror(ret));
490
509
gnutls_global_deinit();
495
fprintf(stderr, "Attempting to use OpenPGP public key %s and"
496
" secret key %s as GnuTLS credentials\n", pubkeyfilename,
514
fprintf_plus(stderr, "Attempting to use OpenPGP public key %s and"
515
" secret key %s as GnuTLS credentials\n",
500
520
ret = gnutls_certificate_set_openpgp_key_file
501
521
(mc.cred, pubkeyfilename, seckeyfilename,
502
522
GNUTLS_OPENPGP_FMT_BASE64);
503
523
if(ret != GNUTLS_E_SUCCESS){
505
"Error[%d] while reading the OpenPGP key pair ('%s',"
506
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
507
fprintf(stderr, "The GnuTLS error is: %s\n",
508
safer_gnutls_strerror(ret));
525
"Error[%d] while reading the OpenPGP key pair ('%s',"
526
" '%s')\n", ret, pubkeyfilename, seckeyfilename);
527
fprintf_plus(stderr, "The GnuTLS error is: %s\n",
528
safer_gnutls_strerror(ret));
512
532
/* GnuTLS server initialization */
513
533
ret = gnutls_dh_params_init(&mc.dh_params);
514
534
if(ret != GNUTLS_E_SUCCESS){
515
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
516
" %s\n", safer_gnutls_strerror(ret));
535
fprintf_plus(stderr, "Error in GnuTLS DH parameter"
536
" initialization: %s\n",
537
safer_gnutls_strerror(ret));
519
540
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
520
541
if(ret != GNUTLS_E_SUCCESS){
521
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
522
safer_gnutls_strerror(ret));
542
fprintf_plus(stderr, "Error in GnuTLS prime generation: %s\n",
543
safer_gnutls_strerror(ret));
560
582
} while(ret == GNUTLS_E_INTERRUPTED or ret == GNUTLS_E_AGAIN);
561
583
if(ret != GNUTLS_E_SUCCESS){
562
fprintf(stderr, "Syntax error at: %s\n", err);
563
fprintf(stderr, "GnuTLS error: %s\n",
564
safer_gnutls_strerror(ret));
584
fprintf_plus(stderr, "Syntax error at: %s\n", err);
585
fprintf_plus(stderr, "GnuTLS error: %s\n",
586
safer_gnutls_strerror(ret));
565
587
gnutls_deinit(*session);
710
732
if(if_indextoname((unsigned int)if_index, interface) == NULL){
711
733
perror_plus("if_indextoname");
713
fprintf(stderr, "Connection to: %s%%%s, port %" PRIu16 "\n",
714
ip, interface, port);
735
fprintf_plus(stderr, "Connection to: %s%%%s, port %" PRIu16
736
"\n", ip, interface, port);
717
fprintf(stderr, "Connection to: %s, port %" PRIu16 "\n", ip,
739
fprintf_plus(stderr, "Connection to: %s, port %" PRIu16 "\n",
720
742
char addrstr[(INET_ADDRSTRLEN > INET6_ADDRSTRLEN) ?
721
743
INET_ADDRSTRLEN : INET6_ADDRSTRLEN] = "";
873
895
} while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED);
875
fprintf(stderr, "*** GnuTLS Re-handshake failed ***\n");
897
fprintf_plus(stderr, "*** GnuTLS Re-handshake failed "
876
899
gnutls_perror(ret);
882
fprintf(stderr, "Unknown error while reading data from"
883
" encrypted session with Mandos server\n");
905
fprintf_plus(stderr, "Unknown error while reading data from"
906
" encrypted session with Mandos server\n");
884
907
gnutls_bye(session, GNUTLS_SHUT_RDWR);
993
1015
case AVAHI_RESOLVER_FAILURE:
994
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
995
" of type '%s' in domain '%s': %s\n", name, type, domain,
996
avahi_strerror(avahi_server_errno(mc.server)));
1016
fprintf_plus(stderr, "(Avahi Resolver) Failed to resolve service "
1017
"'%s' of type '%s' in domain '%s': %s\n", name, type,
1019
avahi_strerror(avahi_server_errno(mc.server)));
999
1022
case AVAHI_RESOLVER_FOUND:
1001
1024
char ip[AVAHI_ADDRESS_STR_MAX];
1002
1025
avahi_address_snprint(ip, sizeof(ip), address);
1004
fprintf(stderr, "Mandos server \"%s\" found on %s (%s, %"
1005
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
1006
ip, (intmax_t)interface, port);
1027
fprintf_plus(stderr, "Mandos server \"%s\" found on %s (%s, %"
1028
PRIdMAX ") on port %" PRIu16 "\n", name,
1029
host_name, ip, (intmax_t)interface, port);
1008
1031
int ret = start_mandos_communication(ip, port, interface,
1009
1032
avahi_proto_to_af(proto));
1011
1034
avahi_simple_poll_quit(mc.simple_poll);
1013
ret = add_server(ip, port, interface,
1014
avahi_proto_to_af(proto));
1036
if(not add_server(ip, port, interface,
1037
avahi_proto_to_af(proto))){
1038
fprintf_plus(stderr, "Failed to add server \"%s\" to server"
1055
1081
if(avahi_s_service_resolver_new(mc.server, interface, protocol,
1056
1082
name, type, domain, protocol, 0,
1057
1083
resolve_callback, NULL) == NULL)
1058
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
1059
name, avahi_strerror(avahi_server_errno(mc.server)));
1084
fprintf_plus(stderr, "Avahi: Failed to resolve service '%s':"
1086
avahi_strerror(avahi_server_errno(mc.server)));
1062
1089
case AVAHI_BROWSER_REMOVE:
1110
1138
/* Reject the loopback device */
1111
1139
if(ifr->ifr_flags & IFF_LOOPBACK){
1113
fprintf(stderr, "Rejecting loopback interface \"%s\"\n",
1141
fprintf_plus(stderr, "Rejecting loopback interface \"%s\"\n",
1118
1146
/* Accept point-to-point devices only if connect_to is specified */
1119
1147
if(connect_to != NULL and (ifr->ifr_flags & IFF_POINTOPOINT)){
1121
fprintf(stderr, "Accepting point-to-point interface \"%s\"\n",
1149
fprintf_plus(stderr, "Accepting point-to-point interface"
1150
" \"%s\"\n", ifname);
1126
1154
/* Otherwise, reject non-broadcast-capable devices */
1127
1155
if(not (ifr->ifr_flags & IFF_BROADCAST)){
1129
fprintf(stderr, "Rejecting non-broadcast interface \"%s\"\n",
1157
fprintf_plus(stderr, "Rejecting non-broadcast interface"
1158
" \"%s\"\n", ifname);
1134
1162
/* Reject non-ARP interfaces (including dummy interfaces) */
1135
1163
if(ifr->ifr_flags & IFF_NOARP){
1137
fprintf(stderr, "Rejecting non-ARP interface \"%s\"\n", ifname);
1165
fprintf_plus(stderr, "Rejecting non-ARP interface \"%s\"\n",
1142
1171
/* Accept this device */
1144
fprintf(stderr, "Interface \"%s\" is good\n", ifname);
1173
fprintf_plus(stderr, "Interface \"%s\" is good\n", ifname);
1238
/* Save pointer to last character */
1239
char *end = strchr(direntry->d_name, '\0')-1;
1246
if(((direntry->d_name)[0] == '#')
1248
/* Temporary #name# */
1252
/* XXX more rules here */
1254
ret = stat(direntry->d_name, &st);
1268
sret = strspn(direntry->d_name, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
1269
"abcdefghijklmnopqrstuvwxyz"
1272
if((direntry->d_name)[sret] != '\0'){
1273
/* Contains non-allowed characters */
1275
fprintf_plus(stderr, "Ignoring hook \"%s\" with bad name\n",
1281
char *fullname = NULL;
1282
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1284
perror_plus("asprintf");
1288
ret = stat(fullname, &st);
1257
perror_plus("Could not stat plugin");
1291
perror_plus("Could not stat hook");
1261
1295
if(not (S_ISREG(st.st_mode))){
1262
1296
/* Not a regular file */
1298
fprintf_plus(stderr, "Ignoring hook \"%s\" - not a file\n",
1265
1303
if(not (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))){
1266
1304
/* Not executable */
1306
fprintf_plus(stderr, "Ignoring hook \"%s\" - not executable\n",
1312
fprintf_plus(stderr, "Hook \"%s\" is acceptable\n",
1279
1325
if(mc.current_server == NULL){
1282
"Wait until first server is found. No timeout!\n");
1327
fprintf_plus(stderr, "Wait until first server is found."
1284
1330
ret = avahi_simple_poll_iterate(s, -1);
1287
fprintf(stderr, "Check current_server if we should run it,"
1333
fprintf_plus(stderr, "Check current_server if we should run"
1290
1336
/* the current time */
1291
1337
ret = clock_gettime(CLOCK_MONOTONIC, &now);
1333
1380
ret = avahi_simple_poll_iterate(s, (int)block_time);
1336
if (ret > 0 or errno != EINTR) {
1383
if (ret > 0 or errno != EINTR){
1337
1384
return (ret != 1) ? ret : 0;
1390
bool run_network_hooks(const char *mode, const char *interface,
1392
struct dirent **direntries;
1393
struct dirent *direntry;
1395
int numhooks = scandir(hookdir, &direntries, runnable_hook,
1398
perror_plus("scandir");
1400
int devnull = open("/dev/null", O_RDONLY);
1401
for(int i = 0; i < numhooks; i++){
1402
direntry = direntries[i];
1403
char *fullname = NULL;
1404
ret = asprintf(&fullname, "%s/%s", hookdir, direntry->d_name);
1406
perror_plus("asprintf");
1410
fprintf_plus(stderr, "Running network hook \"%s\"\n",
1413
pid_t hook_pid = fork();
1416
/* Raise privileges */
1420
perror_plus("seteuid");
1422
/* Raise privileges even more */
1426
perror_plus("setuid");
1432
perror_plus("setgid");
1434
/* Reset supplementary groups */
1436
ret = setgroups(0, NULL);
1438
perror_plus("setgroups");
1440
dup2(devnull, STDIN_FILENO);
1442
dup2(STDERR_FILENO, STDOUT_FILENO);
1443
ret = setenv("MANDOSNETHOOKDIR", hookdir, 1);
1445
perror_plus("setenv");
1448
ret = setenv("DEVICE", interface, 1);
1450
perror_plus("setenv");
1453
ret = setenv("VERBOSITY", debug ? "1" : "0", 1);
1455
perror_plus("setenv");
1458
ret = setenv("MODE", mode, 1);
1460
perror_plus("setenv");
1464
ret = asprintf(&delaystring, "%f", delay);
1466
perror_plus("asprintf");
1469
ret = setenv("DELAY", delaystring, 1);
1472
perror_plus("setenv");
1476
if(connect_to != NULL){
1477
ret = setenv("CONNECT", connect_to, 1);
1479
perror_plus("setenv");
1483
if(execl(fullname, direntry->d_name, mode, NULL) == -1){
1484
perror_plus("execl");
1485
_exit(EXIT_FAILURE);
1489
if(TEMP_FAILURE_RETRY(waitpid(hook_pid, &status, 0)) == -1){
1490
perror_plus("waitpid");
1494
if(WIFEXITED(status)){
1495
if(WEXITSTATUS(status) != 0){
1496
fprintf_plus(stderr, "Warning: network hook \"%s\" exited"
1497
" with status %d\n", direntry->d_name,
1498
WEXITSTATUS(status));
1502
} else if(WIFSIGNALED(status)){
1503
fprintf_plus(stderr, "Warning: network hook \"%s\" died by"
1504
" signal %d\n", direntry->d_name,
1509
fprintf_plus(stderr, "Warning: network hook \"%s\""
1510
" crashed\n", direntry->d_name);
1517
fprintf_plus(stderr, "Network hook \"%s\" ran successfully\n",
1343
1526
int main(int argc, char *argv[]){
1344
1527
AvahiSServiceBrowser *sb = NULL;
1426
1609
{ .name = "retry", .key = 132,
1427
1610
.arg = "SECONDS",
1428
.doc = "Retry interval used when denied by the mandos server",
1611
.doc = "Retry interval used when denied by the Mandos server",
1613
{ .name = "network-hook-dir", .key = 133,
1615
.doc = "Directory where network hooks are located",
1431
1618
* These reproduce what we would get without ARGP_NO_HELP
1530
1720
/* Work around Debian bug #633582:
1531
1721
<http://bugs.debian.org/633582> */
1534
1723
/* Re-raise priviliges */
1536
1725
ret = seteuid(0);
1538
1727
perror_plus("seteuid");
1541
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1542
int seckey_fd = open(seckey, O_RDONLY);
1543
if(seckey_fd == -1){
1544
perror_plus("open");
1546
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1548
perror_plus("fstat");
1550
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1551
ret = fchown(seckey_fd, uid, gid);
1553
perror_plus("fchown");
1557
TEMP_FAILURE_RETRY(close(seckey_fd));
1561
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1562
int pubkey_fd = open(pubkey, O_RDONLY);
1563
if(pubkey_fd == -1){
1564
perror_plus("open");
1566
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1568
perror_plus("fstat");
1570
if(S_ISREG(st.st_mode) and st.st_uid == 0 and st.st_gid == 0){
1571
ret = fchown(pubkey_fd, uid, gid);
1573
perror_plus("fchown");
1577
TEMP_FAILURE_RETRY(close(pubkey_fd));
1581
/* Lower privileges */
1585
perror_plus("seteuid");
1731
if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
1732
int seckey_fd = open(seckey, O_RDONLY);
1733
if(seckey_fd == -1){
1734
perror_plus("open");
1736
ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
1738
perror_plus("fstat");
1740
if(S_ISREG(st.st_mode)
1741
and st.st_uid == 0 and st.st_gid == 0){
1742
ret = fchown(seckey_fd, uid, gid);
1744
perror_plus("fchown");
1748
TEMP_FAILURE_RETRY(close(seckey_fd));
1752
if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
1753
int pubkey_fd = open(pubkey, O_RDONLY);
1754
if(pubkey_fd == -1){
1755
perror_plus("open");
1757
ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
1759
perror_plus("fstat");
1761
if(S_ISREG(st.st_mode)
1762
and st.st_uid == 0 and st.st_gid == 0){
1763
ret = fchown(pubkey_fd, uid, gid);
1765
perror_plus("fchown");
1769
TEMP_FAILURE_RETRY(close(pubkey_fd));
1773
/* Lower privileges */
1777
perror_plus("seteuid");
1589
/* Find network hooks and run them */
1591
struct dirent **direntries;
1592
struct dirent *direntry;
1593
int numhooks = scandir(HOOKDIR, &direntries, runnable_hook,
1595
int devnull = open("/dev/null", O_RDONLY);
1596
for(int i = 0; i < numhooks; i++){
1597
direntry = direntries[0];
1598
char *fullname = NULL;
1599
ret = asprintf(&fullname, "%s/%s", tempdir,
1602
perror_plus("asprintf");
1605
pid_t hook_pid = fork();
1608
dup2(devnull, STDIN_FILENO);
1610
dup2(STDERR_FILENO, STDOUT_FILENO);
1611
ret = setenv("DEVICE", interface, 1);
1613
perror_plus("setenv");
1616
ret = setenv("VERBOSE", debug ? "1" : "0", 1);
1618
perror_plus("setenv");
1621
ret = setenv("MODE", "start", 1);
1623
perror_plus("setenv");
1627
ret = asprintf(&delaystring, "%f", delay);
1629
perror_plus("asprintf");
1632
ret = setenv("DELAY", delaystring, 1);
1635
perror_plus("setenv");
1639
ret = execl(fullname, direntry->d_name, "start", NULL);
1640
perror_plus("execl");
1782
/* Run network hooks */
1783
if(not run_network_hooks("start", interface, delay)){
2048
2178
AVAHI_PROTO_UNSPEC, "_mandos._tcp",
2049
2179
NULL, 0, browse_callback, NULL);
2050
2180
if(sb == NULL){
2051
fprintf(stderr, "Failed to create service browser: %s\n",
2052
avahi_strerror(avahi_server_errno(mc.server)));
2181
fprintf_plus(stderr, "Failed to create service browser: %s\n",
2182
avahi_strerror(avahi_server_errno(mc.server)));
2053
2183
exitcode = EX_UNAVAILABLE;
2061
2191
/* Run the main loop */
2064
fprintf(stderr, "Starting Avahi loop search\n");
2194
fprintf_plus(stderr, "Starting Avahi loop search\n");
2067
2197
ret = avahi_loop_with_timeout(mc.simple_poll,
2068
2198
(int)(retry_interval * 1000));
2070
fprintf(stderr, "avahi_loop_with_timeout exited %s\n",
2071
(ret == 0) ? "successfully" : "with error");
2200
fprintf_plus(stderr, "avahi_loop_with_timeout exited %s\n",
2201
(ret == 0) ? "successfully" : "with error");
2077
fprintf(stderr, "%s exiting\n", argv[0]);
2207
fprintf_plus(stderr, "%s exiting\n", argv[0]);
2080
2210
/* Cleanup things */
2111
/* XXX run network hooks "stop" here */
2241
/* Run network hooks */
2242
run_network_hooks("stop", interface, delay);
2113
/* Take down the network interface */
2114
if(take_down_interface){
2115
/* Re-raise priviliges */
2244
/* Re-raise priviliges */
2117
2247
ret = seteuid(0);
2119
2249
perror_plus("seteuid");
2252
/* Take down the network interface */
2253
if(take_down_interface and geteuid() == 0){
2122
2254
ret = ioctl(sd, SIOCGIFFLAGS, &network);
2124
2256
perror_plus("ioctl SIOCGIFFLAGS");
2125
} else if(network.ifr_flags & IFF_UP) {
2257
} else if(network.ifr_flags & IFF_UP){
2126
2258
network.ifr_flags &= ~(short)IFF_UP; /* clear flag */
2127
2259
ret = ioctl(sd, SIOCSIFFLAGS, &network);