/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: teddy at recompile
  • Date: 2020-04-05 21:30:59 UTC
  • mto: This revision was merged to the branch mainline in revision 398.
  • Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk
Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

Show diffs side-by-side

added added

removed removed

Lines of Context:
Makefile
29
29
 
30
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
 
FORTIFY:=-fstack-protector-all -fPIC
33
 
CPPFLAGS+=-D_FORTIFY_SOURCE=3
 
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
34
33
LINK_FORTIFY_LD:=-z relro -z now
35
34
LINK_FORTIFY:=
36
35
 
42
41
#COVERAGE=--coverage
43
42
OPTIMIZE:=-Os -fno-strict-aliasing
44
43
LANGUAGE:=-std=gnu11
45
 
CPPFLAGS+=-D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64
 
44
FEATURES:=-D_FILE_OFFSET_BITS=64
46
45
htmldir:=man
47
 
version:=1.8.17
 
46
version:=1.8.10
48
47
SED:=sed
49
48
PKG_CONFIG?=pkg-config
50
49
 
57
56
 
58
57
## Use these settings for a traditional /usr/local install
59
58
# PREFIX:=$(DESTDIR)/usr/local
60
 
# BINDIR:=$(PREFIX)/sbin
61
59
# CONFDIR:=$(DESTDIR)/etc/mandos
62
60
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
63
61
# MANDIR:=$(PREFIX)/man
65
63
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
66
64
# STATEDIR:=$(DESTDIR)/var/lib/mandos
67
65
# LIBDIR:=$(PREFIX)/lib
68
 
# DBUSPOLICYDIR:=$(DESTDIR)/etc/dbus-1/system.d
69
66
##
70
67
 
71
68
## These settings are for a package-type install
72
69
PREFIX:=$(DESTDIR)/usr
73
 
BINDIR:=$(PREFIX)/sbin
74
70
CONFDIR:=$(DESTDIR)/etc/mandos
75
71
KEYDIR:=$(DESTDIR)/etc/keys/mandos
76
72
MANDIR:=$(PREFIX)/share/man
87
83
                        break; \
88
84
                fi; \
89
85
        done)
90
 
DBUSPOLICYDIR:=$(DESTDIR)/usr/share/dbus-1/system.d
91
86
##
92
87
 
93
88
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
101
96
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
102
97
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
103
98
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
104
 
GPGME_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gpgme 2>/dev/null \
105
 
        || gpgme-config --cflags; getconf LFS_CFLAGS)
106
 
GPGME_LIBS:=$(shell $(PKG_CONFIG) --libs gpgme 2>/dev/null \
107
 
        || gpgme-config --libs; getconf LFS_LIBS; \
 
99
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
100
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
108
101
        getconf LFS_LDFLAGS)
109
102
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
110
103
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
113
106
 
114
107
# Do not change these two
115
108
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
116
 
        $(LANGUAGE) -DVERSION='"$(version)"'
 
109
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
117
110
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
118
111
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
119
112
 
291
284
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
292
285
                $@)
293
286
 
294
 
# Does the linker support the --no-warn-execstack option?
295
 
ifeq ($(shell echo 'int main(){}'|$(CC) --language=c /dev/stdin -o /dev/null -Xlinker --no-warn-execstack >/dev/null 2>&1 && echo yes),yes)
296
 
# These programs use nested functions, which uses an executable stack
297
 
plugin-runner: LDFLAGS += -Xlinker --no-warn-execstack
298
 
dracut-module/password-agent: LDFLAGS += -Xlinker --no-warn-execstack
299
 
plugins.d/password-prompt: LDFLAGS += -Xlinker --no-warn-execstack
300
 
plugins.d/mandos-client: LDFLAGS += -Xlinker --no-warn-execstack
301
 
plugins.d/plymouth: LDFLAGS += -Xlinker --no-warn-execstack
302
 
endif
303
 
 
304
287
# Need to add the GnuTLS, Avahi and GPGME libraries
305
288
plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
306
289
        ) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
313
296
 
314
297
# Need to add the GLib and pthread libraries
315
298
dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
316
 
# Note: -lpthread is unnecessary with the GNU C library 2.34 or later
317
299
dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
318
300
 
319
301
.PHONY: clean
387
369
 
388
370
# Used by run-server
389
371
confdir/mandos.conf: mandos.conf
390
 
        install -D --mode=u=rw,go=r $^ $@
 
372
        install --directory confdir
 
373
        install --mode=u=rw,go=r $^ $@
391
374
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
392
 
        install -D --mode=u=rw $< $@
 
375
        install --directory confdir
 
376
        install --mode=u=rw $< $@
393
377
# Add a client password
394
378
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
395
379
statedir:
400
384
 
401
385
.PHONY: install-html
402
386
install-html: html
403
 
        install -D --mode=u=rw,go=r --target-directory=$(htmldir) \
 
387
        install --directory $(htmldir)
 
388
        install --mode=u=rw,go=r --target-directory=$(htmldir) \
404
389
                $(htmldocs)
405
390
 
406
391
.PHONY: install-server
407
392
install-server: doc
 
393
        install --directory $(CONFDIR)
408
394
        if install --directory --mode=u=rwx --owner=$(USER) \
409
395
                --group=$(GROUP) $(STATEDIR); then \
410
396
                :; \
411
397
        elif install --directory --mode=u=rwx $(STATEDIR); then \
412
398
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
413
399
        fi
414
 
        if [ "$(TMPFILES)" != "$(DESTDIR)" ]; then \
415
 
                install -D --mode=u=rw,go=r tmpfiles.d-mandos.conf \
 
400
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
 
401
                        -a -d "$(TMPFILES)" ]; then \
 
402
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
416
403
                        $(TMPFILES)/mandos.conf; \
417
404
        fi
418
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \
419
 
                install -D --mode=u=rw,go=r sysusers.d-mandos.conf \
 
405
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
 
406
                        -a -d "$(SYSUSERS)" ]; then \
 
407
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
420
408
                        $(SYSUSERS)/mandos.conf; \
421
409
        fi
422
 
        install --directory $(BINDIR)
423
 
        install --mode=u=rwx,go=rx --target-directory=$(BINDIR) mandos
424
 
        install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \
 
410
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
 
411
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
425
412
                mandos-ctl
426
 
        install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \
 
413
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
427
414
                mandos-monitor
428
 
        install --directory $(CONFDIR)
429
415
        install --mode=u=rw,go=r --target-directory=$(CONFDIR) \
430
416
                mandos.conf
431
417
        install --mode=u=rw --target-directory=$(CONFDIR) \
432
418
                clients.conf
433
 
        install -D --mode=u=rw,go=r dbus-mandos.conf \
434
 
                $(DBUSPOLICYDIR)/mandos.conf
435
 
        install -D --mode=u=rwx,go=rx init.d-mandos \
 
419
        install --mode=u=rw,go=r dbus-mandos.conf \
 
420
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
 
421
        install --mode=u=rwx,go=rx init.d-mandos \
436
422
                $(DESTDIR)/etc/init.d/mandos
437
 
        if [ "$(SYSTEMD)" != "$(DESTDIR)" ]; then \
438
 
                install -D --mode=u=rw,go=r mandos.service \
439
 
                        $(SYSTEMD); \
 
423
        if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
 
424
                install --mode=u=rw,go=r mandos.service $(SYSTEMD); \
440
425
        fi
441
 
        install -D --mode=u=rw,go=r default-mandos \
 
426
        install --mode=u=rw,go=r default-mandos \
442
427
                $(DESTDIR)/etc/default/mandos
443
428
        if [ -z $(DESTDIR) ]; then \
444
429
                update-rc.d mandos defaults 25 15;\
445
430
        fi
446
 
        install --directory $(MANDIR)/man8 $(MANDIR)/man5
447
431
        gzip --best --to-stdout mandos.8 \
448
432
                > $(MANDIR)/man8/mandos.8.gz
449
433
        gzip --best --to-stdout mandos-monitor.8 \
459
443
 
460
444
.PHONY: install-client-nokey
461
445
install-client-nokey: all doc
 
446
        install --directory $(LIBDIR)/mandos $(CONFDIR)
462
447
        install --directory --mode=u=rwx $(KEYDIR) \
463
448
                $(LIBDIR)/mandos/plugins.d \
464
449
                $(LIBDIR)/mandos/plugin-helpers
465
 
        if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \
466
 
                install -D --mode=u=rw,go=r sysusers.d-mandos.conf \
 
450
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
 
451
                        -a -d "$(SYSUSERS)" ]; then \
 
452
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
467
453
                        $(SYSUSERS)/mandos-client.conf; \
468
454
        fi
469
455
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
470
 
                install --directory \
471
 
                        --mode=u=rwx "$(CONFDIR)/plugins.d" \
 
456
                install --mode=u=rwx \
 
457
                        --directory "$(CONFDIR)/plugins.d" \
472
458
                        "$(CONFDIR)/plugin-helpers"; \
473
459
        fi
474
 
        install --directory --mode=u=rwx,go=rx \
 
460
        install --mode=u=rwx,go=rx --directory \
475
461
                "$(CONFDIR)/network-hooks.d"
476
462
        install --mode=u=rwx,go=rx \
477
463
                --target-directory=$(LIBDIR)/mandos plugin-runner
478
464
        install --mode=u=rwx,go=rx \
479
465
                --target-directory=$(LIBDIR)/mandos \
480
466
                mandos-to-cryptroot-unlock
481
 
        install --directory $(BINDIR)
482
 
        install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \
 
467
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
483
468
                mandos-keygen
484
469
        install --mode=u=rwx,go=rx \
485
470
                --target-directory=$(LIBDIR)/mandos/plugins.d \
502
487
        install --mode=u=rwx,go=rx \
503
488
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
504
489
                plugin-helpers/mandos-client-iprouteadddel
505
 
        install -D initramfs-tools-hook \
 
490
        install initramfs-tools-hook \
506
491
                $(INITRAMFSTOOLS)/hooks/mandos
507
 
        install -D --mode=u=rw,go=r initramfs-tools-conf \
 
492
        install --mode=u=rw,go=r initramfs-tools-conf \
508
493
                $(INITRAMFSTOOLS)/conf.d/mandos-conf
509
 
        install -D --mode=u=rw,go=r initramfs-tools-conf-hook \
 
494
        install --mode=u=rw,go=r initramfs-tools-conf-hook \
510
495
                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
511
 
        install -D initramfs-tools-script \
 
496
        install initramfs-tools-script \
512
497
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
513
 
        install -D initramfs-tools-script-stop \
 
498
        install initramfs-tools-script-stop \
514
499
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
515
 
        install -D --mode=u=rw,go=r \
516
 
                --target-directory=$(DRACUTMODULE) \
 
500
        install --directory $(DRACUTMODULE)
 
501
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
517
502
                dracut-module/ask-password-mandos.path \
518
503
                dracut-module/ask-password-mandos.service
519
504
        install --mode=u=rwxs,go=rx \
522
507
                dracut-module/cmdline-mandos.sh \
523
508
                dracut-module/password-agent
524
509
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
525
 
        install --directory $(MANDIR)/man8
526
510
        gzip --best --to-stdout mandos-keygen.8 \
527
511
                > $(MANDIR)/man8/mandos-keygen.8.gz
528
512
        gzip --best --to-stdout plugin-runner.8mandos \
545
529
.PHONY: install-client
546
530
install-client: install-client-nokey
547
531
# Post-installation stuff
548
 
        -$(BINDIR)/mandos-keygen --dir "$(KEYDIR)"
 
532
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
549
533
        if command -v update-initramfs >/dev/null; then \
550
534
            update-initramfs -k all -u; \
551
535
        elif command -v dracut >/dev/null; then \
563
547
 
564
548
.PHONY: uninstall-server
565
549
uninstall-server:
566
 
        -rm --force $(BINDIR)/mandos \
567
 
                $(BINDIR)/mandos-ctl \
568
 
                $(BINDIR)/mandos-monitor \
 
550
        -rm --force $(PREFIX)/sbin/mandos \
 
551
                $(PREFIX)/sbin/mandos-ctl \
 
552
                $(PREFIX)/sbin/mandos-monitor \
569
553
                $(MANDIR)/man8/mandos.8.gz \
570
554
                $(MANDIR)/man8/mandos-monitor.8.gz \
571
555
                $(MANDIR)/man8/mandos-ctl.8.gz \
580
564
# to use it.
581
565
        ! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \
582
566
                $(DESTDIR)/etc/crypttab
583
 
        -rm --force $(BINDIR)/mandos-keygen \
 
567
        -rm --force $(PREFIX)/sbin/mandos-keygen \
584
568
                $(LIBDIR)/mandos/plugin-runner \
585
569
                $(LIBDIR)/mandos/plugins.d/password-prompt \
586
570
                $(LIBDIR)/mandos/plugins.d/mandos-client \
625
609
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
626
610
                $(DESTDIR)/etc/default/mandos \
627
611
                $(DESTDIR)/etc/init.d/mandos \
 
612
                $(SYSTEMD)/mandos.service \
628
613
                $(DESTDIR)/run/mandos.pid \
629
614
                $(DESTDIR)/var/run/mandos.pid
630
 
        if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
631
 
                -rm --force -- $(SYSTEMD)/mandos.service; \
632
 
        fi
633
615
        -rmdir $(CONFDIR)
634
616
 
635
617
.PHONY: purge-client