=== added directory '.bzr-builddeb' === added file '.bzr-builddeb/default.conf' --- .bzr-builddeb/default.conf 1970-01-01 00:00:00 +0000 +++ .bzr-builddeb/default.conf 2008-09-17 00:34:09 +0000 @@ -0,0 +1,2 @@ +[BUILDDEB] +split = True === modified file '.bzrignore' --- .bzrignore 2008-08-27 01:18:25 +0000 +++ .bzrignore 2008-10-03 09:32:30 +0000 @@ -1,8 +1,14 @@ *.5 *.8 *.8mandos +confdir +debian/po/messages.mo +debian/po/templates.pot +keydir +man plugin-runner +plugins.d/askpass-fifo +plugins.d/mandos-client plugins.d/password-prompt -plugins.d/password-request -confdir -keydir +plugins.d/splashy +plugins.d/usplash === added file 'INSTALL' --- INSTALL 1970-01-01 00:00:00 +0000 +++ INSTALL 2008-10-28 18:00:20 +0000 @@ -0,0 +1,132 @@ +-*- org -*- + +* Prerequisites + +** Operating System + + Debian 5.0 "lenny" or Ubuntu 8.04 "Hardy Heron". + + This is mostly for the support scripts which make sure that the + client is installed and started in the initial RAM disk environment + and that the initrd.img file is automatically made unreadable. The + server and client programs themselves *could* be run in other + distributions, but they *are* specific to GNU/Linux systems, and + are not intended to be portable to other Unixes. + +** Libraries + + The following libraries and packages are needed. (It is possible + that it might work with older versions of some of these, but these + versions are confirmed to work. Newer versions are almost + certainly OK.) + +*** Documentation + These are required to build the manual pages for both the server + and client: + + + DocBook 4.5 http://www.docbook.org/ + Note: DocBook 5.0 is not compatible. + + DocBook XSL stylesheets 1.71.0 + http://wiki.docbook.org/topic/DocBookXslStylesheets + + Package names: + docbook docbook-xsl + + To build just the documentation, run the command "make doc". Then + the manual page "mandos.8", for example, can be read by running + "man -l mandos.8". + +*** Mandos Server + + GnuTLS 2.4 http://www.gnu.org/software/gnutls/ + + Avahi 0.6.16 http://www.avahi.org/ + + Python 2.4 http://www.python.org/ + + Python-GnuTLS 1.1.5 http://pypi.python.org/pypi/python-gnutls/ + + dbus-python 0.82.4 http://dbus.freedesktop.org/doc/dbus-python/ + + python-ctypes 1.0.0 http://pypi.python.org/pypi/ctypes + + Strongly recommended: + + fping 2.4b2-to-ipv6 http://www.fping.com/ + + Package names: + python-gnutls avahi-daemon python python-avahi python-dbus + python-ctypes + +*** Mandos Client + + initramfs-tools 0.85i + http://packages.qa.debian.org/i/initramfs-tools.html + + GnuTLS 2.4 http://www.gnu.org/software/gnutls/ + + Avahi 0.6.16 http://www.avahi.org/ + + GnuPG 1.4.9 http://www.gnupg.org/ + + GPGME 1.1.6 http://www.gnupg.org/related_software/gpgme/ + + Package names: + initramfs-tools libgnutls-dev libavahi-core-dev gnupg + libgpgme11-dev + +* Installing the Mandos server + + 1. Do "make doc". + + 2. On the computer to run as a Mandos server, run the following + command: + For Debian: su -c 'make install-server' + For Ubuntu: sudo make install-server + + (This creates a configuration without any clients configured; you + need an actually configured client to do that; see below.) + +* Installing the Mandos client. + + 1. Do "make all doc". + + 2. On the computer to run as a Mandos client, run the following + command: + For Debian: su -c 'make install-client' + For Ubuntu: sudo make install-client + + This will also create an OpenPGP key, which will take some time + and entropy, so be patient. + + 3. Run the following command: + For Debian: su -c 'mandos-keygen --password' + For Ubuntu: sudo mandos-keygen --password + + When prompted, enter the password/passphrase for the encrypted + root file system on this client computer. The command will + output a section of text, starting with a [section header]. Copy + and append this to the file "/etc/mandos/clients.conf" *on the + server computer*. + + 4. Configure the client to use the correct network interface. The + default is "eth0", and if this needs to be adjusted, it will be + necessary to edit /etc/mandos/plugin-runner.conf to uncomment and + change the line there. If that file is changed, the initrd.img + file must be updated, possibly using the following command: + + # update-initramfs -k all -u + + 5. On the server computer, start the server by running the command + For Debian: su -c 'invoke-rc.d mandos start' + For Ubuntu: sudo invoke-rc.d mandos start + + At this point, it is possible to verify that the correct password + will be received by the client by running the command: + + # /usr/lib/mandos/plugins.d/mandos-client \ + --pubkey=/etc/keys/mandos/pubkey.txt \ + --seckey=/etc/keys/mandos/seckey.txt; echo + + This command should retrieve the password from the server, + decrypt it, and output it to standard output. + + After this, the client computer should be able to reboot without + needing a password entered on the console, as long as it does not + take more than an hour to reboot. + +* Further customizations + + You may want to tighten or loosen the timeouts in the server + configuration files; see mandos.conf(5) and mandos-clients.conf(5). + If IPsec is not used, it is suggested that a more cryptographically + secure checker program is used and configured, since without IPsec + ping packets can be faked. === modified file 'Makefile' --- Makefile 2008-08-25 06:44:13 +0000 +++ Makefile 2009-01-06 22:51:38 +0000 @@ -4,21 +4,35 @@ -Wunsafe-loop-optimizations -Wpointer-arith \ -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \ -Wconversion -Wstrict-prototypes -Wold-style-definition \ - -Wpacked -Wnested-externs -Wunreachable-code -Winline \ - -Wvolatile-register-var -DEBUG=-ggdb3 + -Wpacked -Wnested-externs -Winline -Wvolatile-register-var +# -Wunreachable-code +#DEBUG=-ggdb3 # For info about _FORTIFY_SOURCE, see # -FORTIFY=-D_FORTIFY_SOURCE=2 # -fstack-protector-all +FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIE -pie +LINK_FORTIFY=-z relro -pie #COVERAGE=--coverage OPTIMIZE=-Os LANGUAGE=-std=gnu99 -# PREFIX=/usr/local +htmldir=man +version=1.0.3 +SED=sed + +## Use these settings for a traditional /usr/local install +# PREFIX=$(DESTDIR)/usr/local +# CONFDIR=$(DESTDIR)/etc/mandos +# KEYDIR=$(DESTDIR)/etc/mandos/keys +# MANDIR=$(PREFIX)/man +# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools +## + +## These settings are for a package-type install PREFIX=$(DESTDIR)/usr -# CONFDIR=/usr/local/lib/mandos CONFDIR=$(DESTDIR)/etc/mandos -# MANDIR=/usr/local/man -MANDIR=$(DESTDIR)/usr/share/man +KEYDIR=$(DESTDIR)/etc/keys/mandos +MANDIR=$(PREFIX)/share/man +INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools +## GNUTLS_CFLAGS=$(shell libgnutls-config --cflags) GNUTLS_LIBS=$(shell libgnutls-config --libs) @@ -29,10 +43,11 @@ # Do not change these two CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \ - $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) -LDFLAGS=$(COVERAGE) + $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \ + -DVERSION='"$(version)"' +LDFLAGS=$(COVERAGE) $(foreach flag,$(LINK_FORTIFY),-Xlinker $(flag)) -# Commands to format a DocBook refentry document into a manual page +# Commands to format a DocBook document into a manual page DOCBOOKTOMAN=cd $(dir $<); xsltproc --nonet --xinclude \ --param man.charmap.use.subset 0 \ --param make.year.ranges 1 \ @@ -42,67 +57,154 @@ /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \ $(notdir $<); \ $(MANPOST) $(notdir $@) -# DocBook-to-man post-processing to fix a \n escape bug -MANPOST=sed --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g' - -PLUGINS=plugins.d/password-prompt plugins.d/password-request -PROGS=plugin-runner $(PLUGINS) +# DocBook-to-man post-processing to fix a '\n' escape bug +MANPOST=$(SED) --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g' + +DOCBOOKTOHTML=xsltproc --nonet --xinclude \ + --param make.year.ranges 1 \ + --param make.single.year.ranges 1 \ + --param man.output.quietly 1 \ + --param man.authors.section.enabled 0 \ + --param citerefentry.link 1 \ + --output $@ \ + /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \ + $<; $(HTMLPOST) $@ +# Fix citerefentry links +HTMLPOST=$(SED) --in-place \ + --expression='s/\(\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g' + +PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \ + plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo +CPROGS=plugin-runner $(PLUGINS) +PROGS=mandos mandos-keygen mandos-list $(CPROGS) DOCS=mandos.8 plugin-runner.8mandos mandos-keygen.8 \ - plugins.d/password-request.8mandos \ + plugins.d/mandos-client.8mandos \ plugins.d/password-prompt.8mandos mandos.conf.5 \ - mandos-clients.conf.5 - -objects=$(addsuffix .o,$(PROGS)) - -all: $(PROGS) + plugins.d/usplash.8mandos plugins.d/splashy.8mandos \ + plugins.d/askpass-fifo.8mandos mandos-clients.conf.5 + +htmldocs=$(addsuffix .xhtml,$(DOCS)) + +objects=$(addsuffix .o,$(CPROGS)) + +all: $(PROGS) mandos.lsm doc: $(DOCS) -%.5: %.xml - $(DOCBOOKTOMAN) - -%.8: %.xml - $(DOCBOOKTOMAN) - -%.8mandos: %.xml - $(DOCBOOKTOMAN) - -mandos.8: mandos.xml mandos-options.xml - $(DOCBOOKTOMAN) - -mandos.conf.5: mandos.conf.xml mandos-options.xml - $(DOCBOOKTOMAN) - -plugins.d/password-request: plugins.d/password-request.o +html: $(htmldocs) + +%.5: %.xml common.ent legalnotice.xml + $(DOCBOOKTOMAN) +%.5.xhtml: %.xml common.ent legalnotice.xml + $(DOCBOOKTOHTML) + +%.8: %.xml common.ent legalnotice.xml + $(DOCBOOKTOMAN) +%.8.xhtml: %.xml common.ent legalnotice.xml + $(DOCBOOKTOHTML) + +%.8mandos: %.xml common.ent legalnotice.xml + $(DOCBOOKTOMAN) +%.8mandos.xhtml: %.xml common.ent legalnotice.xml + $(DOCBOOKTOHTML) + +mandos.8: mandos.xml common.ent mandos-options.xml overview.xml \ + legalnotice.xml + $(DOCBOOKTOMAN) +mandos.8.xhtml: mandos.xml common.ent mandos-options.xml \ + overview.xml legalnotice.xml + $(DOCBOOKTOHTML) + +mandos-keygen.8: mandos-keygen.xml common.ent overview.xml \ + legalnotice.xml + $(DOCBOOKTOMAN) +mandos-keygen.8.xhtml: mandos-keygen.xml common.ent overview.xml \ + legalnotice.xml + $(DOCBOOKTOHTML) + +mandos.conf.5: mandos.conf.xml common.ent mandos-options.xml \ + legalnotice.xml + $(DOCBOOKTOMAN) +mandos.conf.5.xhtml: mandos.conf.xml common.ent mandos-options.xml \ + legalnotice.xml + $(DOCBOOKTOHTML) + +plugin-runner.8mandos: plugin-runner.xml common.ent overview.xml \ + legalnotice.xml + $(DOCBOOKTOMAN) +plugin-runner.8mandos.xhtml: plugin-runner.xml common.ent \ + overview.xml legalnotice.xml + $(DOCBOOKTOHTML) + +plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \ + common.ent \ + mandos-options.xml \ + overview.xml legalnotice.xml + $(DOCBOOKTOMAN) +plugins.d/mandos-client.8mandos.xhtml: plugins.d/mandos-client.xml \ + common.ent \ + mandos-options.xml \ + overview.xml legalnotice.xml + $(DOCBOOKTOHTML) + +# Update all these files with version number $(version) +common.ent: Makefile + $(SED) --in-place \ + --expression='s/^\($$/\1$(version)"/' \ + $@ + +mandos: Makefile + $(SED) --in-place \ + --expression='s/^\(version = "\)[^"]*"$$/\1$(version)"/' \ + $@ + +mandos-keygen: Makefile + $(SED) --in-place \ + --expression='s/^\(VERSION="\)[^"]*"$$/\1$(version)"/' \ + $@ + +mandos-list: Makefile + $(SED) --in-place \ + --expression='s/^\(version = "\)[^"]*"$$/\1$(version)"/' \ + $@ + +mandos.lsm: Makefile + $(SED) --in-place \ + --expression='s/^\(Version:\).*/\1\t$(version)/' \ + $@ + $(SED) --in-place \ + --expression='s/^\(Entered-date:\).*/\1\t$(shell date --rfc-3339=date --reference=Makefile)/' \ + $@ + $(SED) --in-place \ + --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \ + $@ + +plugins.d/mandos-client: plugins.d/mandos-client.o $(LINK.o) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) \ $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@ -.PHONY : all doc clean distclean run-client run-server install \ +.PHONY : all doc html clean distclean run-client run-server install \ install-server install-client uninstall uninstall-server \ uninstall-client purge purge-server purge-client clean: - -rm --force $(PROGS) $(objects) $(DOCS) core + -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core distclean: clean mostlyclean: clean maintainer-clean: clean -rm --force --recursive keydir confdir -check: +check: all ./mandos --check -# Run the server with a local key -run-client: all keydir/seckey.txt keydir/pubkey.txt \ - keydir/secring.gpg keydir/pubring.gpg +# Run the client with a local config and key +run-client: all keydir/seckey.txt keydir/pubkey.txt ./plugin-runner --plugin-dir=plugins.d \ - --options-for=password-request:--keydir=keydir + --config-file=plugin-runner.conf \ + --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt # Used by run-client -keydir/secring.gpg: keydir/seckey.txt - gpg --homedir $(dir $<) --import $^ -keydir/pubring.gpg: keydir/pubkey.txt - gpg --homedir $(dir $<) --import $^ keydir/seckey.txt keydir/pubkey.txt: mandos-keygen install --directory keydir ./mandos-keygen --dir keydir --force @@ -114,22 +216,34 @@ # Used by run-server confdir/mandos.conf: mandos.conf install --directory confdir - install $^ $@ + install --mode=u=rw,go=r $^ $@ confdir/clients.conf: clients.conf keydir/seckey.txt install --directory confdir - install clients.conf $@ + install --mode=u=rw $< $@ # Add a client password ./mandos-keygen --dir keydir --password >> $@ -install: install-server install-client +install: install-server install-client-nokey + +install-html: html + install --directory $(htmldir) + install --mode=u=rw,go=r --target-directory=$(htmldir) \ + $(htmldocs) install-server: doc - install --directory --parents $(CONFDIR) $(MANDIR)/man5 \ - $(MANDIR)/man8 - install --mode=0755 mandos $(PREFIX)/sbin/mandos - install --mode=0644 --target-directory=$(CONFDIR) mandos.conf - install --mode=0640 --target-directory=$(CONFDIR) \ + install --directory $(CONFDIR) + install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos + install --mode=u=rw,go=r --target-directory=$(CONFDIR) \ + mandos.conf + install --mode=u=rw --target-directory=$(CONFDIR) \ clients.conf + install --mode=u=rwx,go=rx init.d-mandos \ + $(DESTDIR)/etc/init.d/mandos + install --mode=u=rw,go=r default-mandos \ + $(DESTDIR)/etc/default/mandos + if [ -z $(DESTDIR) ]; then \ + update-rc.d mandos defaults 25 15;\ + fi gzip --best --to-stdout mandos.8 \ > $(MANDIR)/man8/mandos.8.gz gzip --best --to-stdout mandos.conf.5 \ @@ -137,72 +251,108 @@ gzip --best --to-stdout mandos-clients.conf.5 \ > $(MANDIR)/man5/mandos-clients.conf.5.gz -install-client: all doc /usr/share/initramfs-tools/hooks/. - install --directory --parents $(PREFIX)/lib/mandos \ - $(CONFDIR) $(MANDIR)/man8 - install --directory --mode=0700 $(PREFIX)/lib/mandos/plugins.d - chmod u=rwx,g=,o= $(PREFIX)/lib/mandos/plugins.d - install --mode=0755 --target-directory=$(PREFIX)/lib/mandos \ - plugin-runner - install --mode=0755 --target-directory=$(PREFIX)/sbin \ +install-client-nokey: all doc + install --directory $(PREFIX)/lib/mandos $(CONFDIR) + install --directory --mode=u=rwx $(KEYDIR) \ + $(PREFIX)/lib/mandos/plugins.d + if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \ + install --mode=u=rwx \ + --directory "$(CONFDIR)/plugins.d"; \ + fi + install --mode=u=rwx,go=rx \ + --target-directory=$(PREFIX)/lib/mandos plugin-runner + install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \ mandos-keygen - install --mode=0755 \ + install --mode=u=rwx,go=rx \ --target-directory=$(PREFIX)/lib/mandos/plugins.d \ plugins.d/password-prompt - install --mode=4755 \ - --target-directory=$(PREFIX)/lib/mandos/plugins.d \ - plugins.d/password-request + install --mode=u=rwxs,go=rx \ + --target-directory=$(PREFIX)/lib/mandos/plugins.d \ + plugins.d/mandos-client + install --mode=u=rwxs,go=rx \ + --target-directory=$(PREFIX)/lib/mandos/plugins.d \ + plugins.d/usplash + install --mode=u=rwxs,go=rx \ + --target-directory=$(PREFIX)/lib/mandos/plugins.d \ + plugins.d/splashy + install --mode=u=rwxs,go=rx \ + --target-directory=$(PREFIX)/lib/mandos/plugins.d \ + plugins.d/askpass-fifo install initramfs-tools-hook \ - /usr/share/initramfs-tools/hooks/mandos - install initramfs-tools-hook-conf \ - /usr/share/initramfs-tools/conf-hooks.d/mandos + $(INITRAMFSTOOLS)/hooks/mandos + install --mode=u=rw,go=r initramfs-tools-hook-conf \ + $(INITRAMFSTOOLS)/conf-hooks.d/mandos install initramfs-tools-script \ - /usr/share/initramfs-tools/scripts/local-top/mandos + $(INITRAMFSTOOLS)/scripts/local-top/mandos + install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR) gzip --best --to-stdout mandos-keygen.8 \ > $(MANDIR)/man8/mandos-keygen.8.gz gzip --best --to-stdout plugin-runner.8mandos \ > $(MANDIR)/man8/plugin-runner.8mandos.gz gzip --best --to-stdout plugins.d/password-prompt.8mandos \ > $(MANDIR)/man8/password-prompt.8mandos.gz - gzip --best --to-stdout plugins.d/password-request.8mandos \ - > $(MANDIR)/man8/password-request.8mandos.gz - -$(PREFIX)/sbin/mandos-keygen + gzip --best --to-stdout plugins.d/mandos-client.8mandos \ + > $(MANDIR)/man8/mandos-client.8mandos.gz + gzip --best --to-stdout plugins.d/usplash.8mandos \ + > $(MANDIR)/man8/usplash.8mandos.gz + gzip --best --to-stdout plugins.d/splashy.8mandos \ + > $(MANDIR)/man8/splashy.8mandos.gz + gzip --best --to-stdout plugins.d/askpass-fifo.8mandos \ + > $(MANDIR)/man8/askpass-fifo.8mandos.gz + +install-client: install-client-nokey +# Post-installation stuff + -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)" update-initramfs -k all -u + echo "Now run mandos-keygen --password --dir $(KEYDIR)" uninstall: uninstall-server uninstall-client -uninstall-server: $(PREFIX)/sbin/mandos +uninstall-server: -rm --force $(PREFIX)/sbin/mandos \ $(MANDIR)/man8/mandos.8.gz \ $(MANDIR)/man5/mandos.conf.5.gz \ $(MANDIR)/man5/mandos-clients.conf.5.gz + update-rc.d -f mandos remove -rmdir $(CONFDIR) uninstall-client: # Refuse to uninstall client if /etc/crypttab is explicitly configured # to use it. ! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \ - /etc/crypttab + $(DESTDIR)/etc/crypttab -rm --force $(PREFIX)/sbin/mandos-keygen \ $(PREFIX)/lib/mandos/plugin-runner \ $(PREFIX)/lib/mandos/plugins.d/password-prompt \ - $(PREFIX)/lib/mandos/plugins.d/password-request \ - /usr/share/initramfs-tools/hooks/mandos \ - /usr/share/initramfs-tools/conf-hooks.d/mandos \ + $(PREFIX)/lib/mandos/plugins.d/mandos-client \ + $(PREFIX)/lib/mandos/plugins.d/usplash \ + $(PREFIX)/lib/mandos/plugins.d/splashy \ + $(PREFIX)/lib/mandos/plugins.d/askpass-fifo \ + $(INITRAMFSTOOLS)/hooks/mandos \ + $(INITRAMFSTOOLS)/conf-hooks.d/mandos \ + $(INITRAMFSTOOLS)/scripts/local-top/mandos \ $(MANDIR)/man8/plugin-runner.8mandos.gz \ $(MANDIR)/man8/mandos-keygen.8.gz \ $(MANDIR)/man8/password-prompt.8mandos.gz \ - $(MANDIR)/man8/password-request.8mandos.gz + $(MANDIR)/man8/usplash.8mandos.gz \ + $(MANDIR)/man8/splashy.8mandos.gz \ + $(MANDIR)/man8/askpass-fifo.8mandos.gz \ + $(MANDIR)/man8/mandos-client.8mandos.gz -rmdir $(PREFIX)/lib/mandos/plugins.d $(CONFDIR)/plugins.d \ - $(PREFIX)/lib/mandos $(CONFDIR) + $(PREFIX)/lib/mandos $(CONFDIR) $(KEYDIR) update-initramfs -k all -u purge: purge-server purge-client purge-server: uninstall-server - -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf + -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \ + $(DESTDIR)/etc/default/mandos \ + $(DESTDIR)/etc/init.d/mandos \ + $(DESTDIR)/var/run/mandos.pid -rmdir $(CONFDIR) purge-client: uninstall-client - -rm --force $(CONFDIR)/seckey.txt $(CONFDIR)/pubkey.txt - -rmdir $(CONFDIR) $(CONFDIR)/plugins.d + -shred --remove $(KEYDIR)/seckey.txt + -rm --force $(CONFDIR)/plugin-runner.conf \ + $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt + -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR) === added file 'NEWS' --- NEWS 1970-01-01 00:00:00 +0000 +++ NEWS 2009-01-06 02:42:53 +0000 @@ -0,0 +1,35 @@ +This NEWS file records noteworthy changes, very tersely. +See the manual for detailed information. + +Version 1.0.3 (2009-01-06) +* Server +** Now tries to change to user and group "_mandos" before falling back + to trying the old values "mandos", "nobody:nogroup", and "65534". +** Now does not abort on startup even if no clients are defined in + clients.conf. + +* Client +** Plugins named "*.dpkg-bak" are now ignored. +** Hopefully fixed compilation failure on some architectures where the + C compiler does not recognize the "-z" option as a linker option. + +Version 1.0.2 (2008-10-17) +* mandos-keygen now signs the encrypted key blobs. This signature is + not currently verified by mandos-client, but this may change in the + future. + +Version 1.0.1 (2008-10-07) +* Server +** Expand environment variables and ~user in clients.conf's "secfile" + The "secfile" option in /etc/mandos/clients.conf now expands + "~user/foo" and "$ENVVAR" strings. + +* Client (plugin-runner, plugins, etc.) +** Manual pages for the usplash, splashy, and askpass-fifo plugins. + All plugins now have man pages. +** More secure compilation and linking flags. + All programs are now compiled with "-fstack-protector-all -fPIE + -pie", and linked using "-z relro -pie" for additional security. + +* There is now a "NEWS" file (this one), giving a history of + noteworthy changes. === added file 'README' --- README 1970-01-01 00:00:00 +0000 +++ README 2009-01-04 21:54:55 +0000 @@ -0,0 +1,180 @@ +-*- org -*- + +* Mandos + - Have your cake and eat it too! + + You know how it is. You’ve heard of it happening. The Man comes + and takes away your servers, your friends’ servers, the servers of + everybody in the same hosting facility. The servers of their + neighbors, and their neighbors’ friends. The servers of people who + owe them money. And like *that*, they’re gone. And you doubt + you’ll ever see them again. + + That is why your servers have encrypted root file systems. However, + there’s a downside. There’s no going around it: rebooting is a + pain. Dragging out that rarely-used keyboard and screen and + unraveling cables behind your servers to plug them in to type in + that password is messy, especially if you have many servers. There + are some people who do clever things like using serial line consoles + and daisy-chain it to the next server, and keep all the servers + connected in a ring with serial cables, which will work, if your + servers are physically close enough. There are also other + out-of-band management solutions, but with *all* these, you still + have to be on hand and manually type in the password at boot time. + Otherwise the server just sits there, waiting for a password. + + Wouldn’t it be great if you could have the security of encrypted + root file systems and still have servers that could boot up + automatically if there was a short power outage while you were + asleep? That you could reboot at will, without having someone run + over to the server to type in the password? + + Well, with Mandos, you (almost) can! The gain in convenience will + only be offset by a small loss in security. The setup is as + follows: + + The server will still have its encrypted root file system. The + password to this file system will be stored on another computer + (henceforth known as the Mandos server) on the same local network. + The password will *not* be stored in plaintext, but encrypted with + OpenPGP. To decrypt this password, a key is needed. This key (the + Mandos client key) will not be stored there, but back on the + original server (henceforth known as the Mandos client) in the + initial RAM disk image. Oh, and all network Mandos client/server + communications will be encrypted, using TLS (SSL). + + So, at boot time, the Mandos client will ask for its encrypted data + over the network, decrypt it to get the password, use it to decrypt + the root file, and continue booting. + + Now, of course the initial RAM disk image is not on the encrypted + root file system, so anyone who had physical access could take the + Mandos client computer offline and read the disk with their own + tools to get the authentication keys used by a client. *But*, by + then the Mandos server should notice that the original server has + been offline for too long, and will no longer give out the encrypted + key. The timing here is the only real weak point, and the method, + frequency and timeout of the server’s checking can be adjusted to + any desired level of paranoia + + (The encrypted keys on the Mandos server is on its normal file + system, so those are safe, provided the root file system of *that* + server is encrypted.) + +* FAQ - couldn’t the security be defeated by... + +** Grabbing the Mandos client key from the initrd *really quickly*? + This, as mentioned above, is the only real weak point. But if you + set the timing values tight enough, this will be really difficult + to do. An attacker would have to physically disassemble the client + computer, extract the key from the initial RAM disk image, and then + connect to a *still online* Mandos server to get the encrypted key, + and do all this *before* the Mandos server timeout kicks in and the + Mandos server refuses to give out the key to anyone. + + Now, as the typical procedure seems to be to barge in and turn off + and grab *all* computers, to maybe look at them months later, this + is not likely. If someone does that, the whole system *will* lock + itself up completely, since Mandos servers are no longer running. + + For sophisticated attackers who *could* do the clever thing, *and* + had physical access to the server for enough time, it would be + simpler to get a key for an encrypted file system by using hardware + memory scanners and reading it right off the memory bus. + +** Replay attacks? + Nope, the network stuff is all done over TLS, which provides + protection against that. + +** Man-in-the-middle? + No. The server only gives out the passwords to clients which have + *in the TLS handshake* proven that they do indeed hold the OpenPGP + private key corresponding to that client. + +** Physically grabbing the Mandos server computer? + You could protect *that* computer the old-fashioned way, with a + must-type-in-the-password-at-boot method. Or you could have two + computers be the Mandos server for each other. + + Multiple Mandos servers can coexist on a network without any + trouble. They do not clash, and clients will try all available + servers. This means that if just one reboots then the other can + bring it back up, but if both reboots at the same time they will + stay down until someone types in the password on one of them. + +** Faking ping replies? + The default for the server is to use "fping", the replies to which + could be faked to eliminate the timeout. But this could easily be + changed to any shell command, with any security measures you like. + It could, for instance, be changed to an SSH command with strict + keychecking, which could not be faked. Or IPsec could be used for + the ping packets, making them secure. + +* Security Summary + So, in summary: The only weakness in the Mandos system is from + people who have: + 1. The power to come in and physically take your servers, *and* + 2. The cunning and patience to do it carefully, one at a time, and + *quickly*, faking Mandos client/server responses for each one + before the timeout. + + While there are some who may be threatened by people who have *both* + these attributes, they do not, probably, constitute the majority. + + If you *do* face such opponents, you must figure that they could + just as well open your servers and read the file system keys right + off the memory by running wires to the memory bus. + + What Mandos is designed to protect against is *not* such determined, + focused, and competent attacks, but against the early morning knock + on your door and the sudden absence of all the servers in your + server room. Which it does nicely. + +* The Plugin System + In the early designs, the mandos-client(8mandos) program (which + retrieves a password from the Mandos server) also prompted for a + password on the terminal, in case a Mandos server could not be + found. This duality of purpose was seen to be too complex to be a + viable way to continue. Instead, the programs are now separated + into mandos-client(8mandos) and password-prompt(8mandos), and a + plugin-runner(8mandos) exist to run them both in parallel, allowing + the first plugin to succeed to provide the password. This opened up + for any number of additional plugins to run, all competing to be the + first to find a password and provide it to the plugin runner. + + Three additional plugins are provided: + * usplash(8mandos) + This prompts for a password when using usplash(8). + * splashy(8mandos) + This prompts for a password when using splashy(8). + * askpass-fifo(8mandos) + To provide compatibility with the "askpass" program from + cryptsetup, this plugin listens to the same FIFO as askpass would + do. + + (None of these take any options or reads any files.) + + More plugins could easily be written and added by the system + administrator; see the section called "WRITING PLUGINS" in + plugin-runner(8mandos) to learn the plugin requirements. + +* Copyright + + Copyright © 2008,2009 Teddy Hogeborn + Copyright © 2008,2009 Björn Påhlsson + +** License: + + This program is free software: you can redistribute it and/or + modify it under the terms of the GNU General Public License as + published by the Free Software Foundation, either version 3 of the + License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see + . === modified file 'TODO' --- TODO 2008-08-30 19:05:15 +0000 +++ TODO 2008-12-29 02:44:54 +0000 @@ -1,153 +1,65 @@ -*- org -*- -* [#A] README file +* mandos-client +** TODO [#B] Temporarily lower kernel log level + for less printouts during sucessfull boot. + klogctl(6, NULL, 0); klogctl(7, NULL, 0); +** TODO [#C] IPv4 support * plugin-runner -** [#B] Add more comments to code -** [#B] Add more if(debug) calls -** [#B] Seperate more code to function for more readability -** [#A] Man page: man8/plugin-runner.8mandos -*** EXIT STATUS -*** ENVIRONMENT - Environment is modified according to options and passed to plugins -*** EXAMPLE - Examples of normal usage, debug usage, debugging single or all - plugins, etc. -*** FILES -*** SECURITY - Note the danger of using this program, since you might lock - yourself out of your system without any means of entering the root - file system password. This is, however, very unlikely considering - the fallback to getpass(3). -*** BUGS -*** SEE ALSO - Explaining text on what you can read - -* password-request -** [#A] Man page: man8/password-request.8mandos -*** SYNOPSIS - Document short options -*** DESCRIPTION - State that this command is not meant to be invoked directly, but - is run as a plugin from mandos-client(8) and only run in the - initrd environment, not the real system. -*** PURPOSE - As in mandos.xml -*** OVERVIEW - As in mandos.xml -*** EXIT STATUS -*** ENVIRONMENT - Note that it does *not* currently use cryptsource or crypttarget. -*** FILES - Describe the key files and the key ring files. Also note that - they should normally have been automatically created. -*** BUGS -*** EXAMPLE - Examples of normal usage, debug usage, debugging by connecting - directly, etc. -*** SECURITY -*** SEE ALSO - Update from mandos.xml -** [#B] Temporarily lower kernel log level - for less printouts during sucessfull boot. -** IPv4 support -** use strsep instead of strtok? -** Do not depend on GnuPG key rings on disk - This would mean creating new GnuPG key rings with GPGME by - importing the key files from scratch on every program start. -** Keydir move: /etc/mandos -> /etc/keys/mandos - Must create in preinst if not pre-depending on cryptsetup - -* password-prompt -** [#C] Use getpass(3)? - Man page says "obsolete", but [[info:libc:getpass][GNU LibC Manual: Reading Passwords]] - does not. See also [[http://sources.redhat.com/ml/libc-alpha/2003-05/msg00251.html][Marcus Brinkmann: Re: getpass obsolete?]] and - [[http://article.gmane.org/gmane.comp.lib.glibc.alpha/4906][Petter Reinholdtsen: Re: getpass obsolete?]], and especially also - [[http://www.steve.org.uk/Reference/Unix/faq_4.html#SEC48][Unix Programming FAQ 3.1 How can I make my program not echo input?]] +** TODO [#B] use scandir(3) instead of readdir(3) * mandos (server) -** [#A] /etc/init.d/mandos-server :teddy: -** [#B] Log level :bugs: -** /etc/mandos/clients.d/*.conf +** TODO [#B] Log level :bugs: +** TODO /etc/mandos/clients.d/*.conf Watch this directory and add/remove/update clients? -** config for TXT record -** [#B] Run-time communication with server :bugs: +** TODO config for TXT record +** TODO [#B] Run-time communication with server :bugs: Probably using D-Bus See also [[*Mandos-tools]] -** Implement --foreground :bugs: - [[info:standards:Option%20Table][Table of Long Options]] -** Implement --socket - [[info:standards:Option%20Table][Table of Long Options]] -** Date+time on console log messages :bugs: +*** Client class +*** Main server + + SetLogLevel + syslogger.setLevel(logging.WARNING) + + Quit + + [[http://log.ometer.com/2007-05.html][Best D-Bus practices]] +** TODO Implement --foreground :bugs: + [[info:standards:Option%20Table][Table of Long Options]] +** TODO Implement --socket + [[info:standards:Option%20Table][Table of Long Options]] +** TODO Date+time on console log messages :bugs: Is this the default? - -* Mandos-tools/utilities - All of this probably using D-Bus -** List clients -** Disable client -** Enable client - -* Man pages -** Tags - Go through all man pages to conform to the style of tags chosen in - [[http://svn.debian.org/wsvn/debian-xml-sgml/packages/docbook-xsl/trunk/debian/examples/foo.1.example_manpage.xml?op=file&rev=0&sc=0][foo.1.example_manpage.xml]]. In particular: -*** SYNOPSIS - with inner and + If this option is not specified, the option is required + to be present. + + If present, this option must be set to a string of base64-encoded binary data. It will be decoded and sent to the client matching the above @@ -226,36 +223,43 @@ lines is that a line beginning with white space adds to the value of the previous line, RFC 822-style. - - If this option is not specified, the option is used instead, but one of them - must be present. - - + + This option is only used if is not + specified, in which case this option is + required. + + Similar to the , except the secret data is in an external file. The contents of the file should not be base64-encoded, but will be sent to clients verbatim. - This option is only used, and must be - present, if is not specified. + File names of the form ~user/foo/bar + and $ENVVAR/foo/bar + are supported. - + + This option is optional, but highly + recommended unless the + option is modified to a + non-standard value without %(host)s in it. + + Host name for this client. This is not used by the server directly, but can be, and is by default, used by the checker. See the option. @@ -316,7 +320,7 @@ mode is needed to expose an error of this kind. - + @@ -376,7 +380,6 @@ fingerprint = 3e393aeaefb84c7e89e2f547b3a107558fca3a27 secfile = /etc/mandos/bar-secret timeout = 15m - === modified file 'mandos-keygen' --- mandos-keygen 2008-08-25 03:53:42 +0000 +++ mandos-keygen 2009-01-06 02:42:53 +0000 @@ -2,7 +2,8 @@ # # Mandos key generator - create a new OpenPGP key for a Mandos client # -# Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson +# Copyright © 2008,2009 Teddy Hogeborn +# Copyright © 2008,2009 Björn Påhlsson # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,14 +21,14 @@ # Contact the authors at . # -VERSION="1.0" +VERSION="1.0.3" -KEYDIR="/etc/mandos" +KEYDIR="/etc/keys/mandos" KEYTYPE=DSA KEYLENGTH=2048 SUBKEYTYPE=ELG-E SUBKEYLENGTH=2048 -KEYNAME="`hostname --fqdn`" +KEYNAME="`hostname --fqdn 2>/dev/null || hostname`" KEYEMAIL="" KEYCOMMENT="Mandos client key" KEYEXPIRE=0 @@ -35,9 +36,13 @@ KEYCOMMENT_ORIG="$KEYCOMMENT" mode=keygen +if [ ! -d "$KEYDIR" ]; then + KEYDIR="/etc/mandos/keys" +fi + # Parse options -TEMP=`getopt --options vhd:t:l:n:e:c:x:f \ - --longoptions version,help,password,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ +TEMP=`getopt --options vhpF:d:t:l:s:L:n:e:c:x:f \ + --longoptions version,help,password,passfile:,dir:,type:,length:,subtype:,sublength:,name:,email:,comment:,expire:,force \ --name "$0" -- "$@"` help(){ @@ -49,6 +54,7 @@ $basename [ OPTIONS ] Encrypted password creation: $basename { -p | --password } [ --name NAME ] [ --dir DIR] + $basename { -F | --passfile } FILE [ --name NAME ] [ --dir DIR] Key creation options: -v, --version Show program's version number and exit @@ -64,18 +70,22 @@ -n NAME, --name NAME Name of key. Default is the FQDN. -e ADDRESS, --email ADDRESS Email address of key. Default is empty. - -c COMMENT, --comment COMMENT + -c TEXT, --comment TEXT Comment field for key. The default value is "Mandos client key". -x TIME, --expire TIME Key expire time. Default is no expiration. See gpg(1) for syntax. - -f, --force Force overwriting old keys. + -f, --force Force overwriting old key files. Password creation options: - -p, --password Create an encrypted password using the keys in - the key directory. All options other than - --keydir and --name are ignored. + -p, --password Create an encrypted password using the key in + the key directory. All options other than + --dir and --name are ignored. + -F FILE, --passfile FILE + Encrypt a password from FILE using the key in + the key directory. All options other than + --dir and --name are ignored. EOF } @@ -83,6 +93,7 @@ while :; do case "$1" in -p|--password) mode=password; shift;; + -F|--passfile) mode=password; PASSFILE="$2"; shift 2;; -d|--dir) KEYDIR="$2"; shift 2;; -t|--type) KEYTYPE="$2"; shift 2;; -s|--subtype) SUBKEYTYPE="$2"; shift 2;; @@ -108,21 +119,20 @@ PUBKEYFILE="$KEYDIR/pubkey.txt" # Check for some invalid values -if [ -d "$KEYDIR" ]; then :; else +if [ ! -d "$KEYDIR" ]; then echo "$KEYDIR not a directory" >&2 exit 1 fi -if [ -w "$KEYDIR" ]; then :; else - echo "Directory $KEYDIR not writeable" >&2 - exit 1 -fi - -if [ "$mode" = password -a -e "$KEYDIR/trustdb.gpg.lock" ]; then - echo "Key directory has locked trustdb; aborting." >&2 +if [ ! -r "$KEYDIR" ]; then + echo "Directory $KEYDIR not readable" >&2 exit 1 fi if [ "$mode" = keygen ]; then + if [ ! -w "$KEYDIR" ]; then + echo "Directory $KEYDIR not writeable" >&2 + exit 1 + fi if [ -z "$KEYTYPE" ]; then echo "Empty key type" >&2 exit 1 @@ -149,8 +159,8 @@ [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;; esac - if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ]; } \ - && [ "$FORCE" -eq 0 ]; then + if [ \( -e "$SECKEYFILE" -o -e "$PUBKEYFILE" \) \ + -a "$FORCE" -eq 0 ]; then echo "Refusing to overwrite old key files; use --force" >&2 exit 1 fi @@ -164,35 +174,28 @@ fi # Create temporary gpg batch file - BATCHFILE="`mktemp -t mandos-gpg-batch.XXXXXXXXXX`" + BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`" fi if [ "$mode" = password ]; then # Create temporary encrypted password file - SECFILE="`mktemp -t mandos-gpg-secfile.XXXXXXXXXX`" -fi - -# Create temporary key rings -SECRING="`mktemp -t mandos-gpg-secring.XXXXXXXXXX`" -PUBRING="`mktemp -t mandos-gpg-pubring.XXXXXXXXXX`" - -if [ "$mode" = password ]; then - # If a trustdb.gpg file does not already exist, schedule it for - # deletion when we are done. - if ! [ -e "$KEYDIR/trustdb.gpg" ]; then - TRUSTDB="$KEYDIR/trustdb.gpg" - fi -fi + SECFILE="`mktemp -t mandos-keygen-secfile.XXXXXXXXXX`" +fi + +# Create temporary key ring directory +RINGDIR="`mktemp -d -t mandos-keygen-keyrings.XXXXXXXXXX`" # Remove temporary files on exit trap " set +e; \ -rm --force $PUBRING ${PUBRING}~ $BATCHFILE $TRUSTDB; \ -shred --remove $SECRING $SECFILE; \ +test -n \"$SECFILE\" && shred --remove \"$SECFILE\"; \ +shred --remove \"$RINGDIR\"/sec*; +test -n \"$BATCHFILE\" && rm --force \"$BATCHFILE\"; \ +rm --recursive --force \"$RINGDIR\"; stty echo; \ " EXIT -umask 027 +umask 077 if [ "$mode" = keygen ]; then # Create batch file for GnuPG @@ -209,18 +212,17 @@ Expire-Date: $KEYEXPIRE #Preferences: #Handle: - %pubring $PUBRING - %secring $SECRING + #%pubring pubring.gpg + #%secring secring.gpg %commit EOF # Generate a new key in the key rings - gpg --no-random-seed-file --quiet --batch --no-tty \ - --no-default-keyring --no-options --enable-dsa2 \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ + gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --trust-model always \ --gen-key "$BATCHFILE" rm --force "$BATCHFILE" - + # Backup any old key files if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \ 2>/dev/null; then @@ -240,64 +242,68 @@ FILECOMMENT="$FILECOMMENT <$KEYEMAIL>" fi - # Export keys from key rings to key files - gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ - --export-options export-minimal --comment "$FILECOMMENT" \ - --output "$SECKEYFILE" --export-secret-keys - gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ - --export-options export-minimal --comment "$FILECOMMENT" \ - --output "$PUBKEYFILE" --export + # Export key from key rings to key files + gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --armor --export-options export-minimal \ + --comment "$FILECOMMENT" --output "$SECKEYFILE" \ + --export-secret-keys + gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --armor --export-options export-minimal \ + --comment "$FILECOMMENT" --output "$PUBKEYFILE" --export fi if [ "$mode" = password ]; then - # Import keys into temporary key rings - gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --homedir "$KEYDIR" --no-permission-warning \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ - --trust-model always --import "$SECKEYFILE" - gpg --no-random-seed-file --quiet --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --homedir "$KEYDIR" --no-permission-warning \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ - --trust-model always --import "$PUBKEYFILE" - + # Import key into temporary key rings + gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --trust-model always --armor \ + --import "$SECKEYFILE" + gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --trust-model always --armor \ + --import "$PUBKEYFILE" + # Get fingerprint of key - FINGERPRINT="`gpg --no-random-seed-file --quiet --batch --no-tty \ - --armor --no-default-keyring --no-options --enable-dsa2 \ - --homedir \"$KEYDIR\" --no-permission-warning \ - --secret-keyring \"$SECRING\" --keyring \"$PUBRING\" \ - --trust-model always --fingerprint --with-colons \ - | sed -n -e '/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`" + FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \ + --enable-dsa2 --homedir \"$RINGDIR\" --trust-model always \ + --fingerprint --with-colons \ + | sed --quiet \ + --expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`" test -n "$FINGERPRINT" FILECOMMENT="Encrypted password for a Mandos client" - stty -echo - echo -n "Enter passphrase: " >&2 - sed -e '1q' \ - | gpg --no-random-seed-file --batch --no-tty --armor \ - --no-default-keyring --no-options --enable-dsa2 \ - --homedir "$KEYDIR" --no-permission-warning \ - --secret-keyring "$SECRING" --keyring "$PUBRING" \ - --trust-model always --encrypt --recipient "$FINGERPRINT" \ - --comment "$FILECOMMENT" \ + if [ -n "$PASSFILE" ]; then + cat "$PASSFILE" + else + stty -echo + echo -n "Enter passphrase: " >&2 + first="$(head --lines=1 | tr --delete '\n')" + echo -n -e "\nRepeat passphrase: " >&2 + second="$(head --lines=1 | tr --delete '\n')" + echo >&2 + stty echo + if [ "$first" != "$second" ]; then + echo -e "Passphrase mismatch" >&2 + false + else + echo -n "$first" + fi + fi | gpg --quiet --batch --no-tty --no-options --enable-dsa2 \ + --homedir "$RINGDIR" --trust-model always --armor --encrypt \ + --sign --recipient "$FINGERPRINT" --comment "$FILECOMMENT" \ > "$SECFILE" - echo >&2 - stty echo + status="${PIPESTATUS[0]}" + if [ "$status" -ne 0 ]; then + exit "$status" + fi cat <<-EOF [$KEYNAME] host = $KEYNAME fingerprint = $FINGERPRINT secret = -EOF - sed -n -e ' + EOF + sed --quiet --expression=' /^-----BEGIN PGP MESSAGE-----$/,/^-----END PGP MESSAGE-----$/{ /^$/,${ # Remove 24-bit Radix-64 checksum @@ -316,9 +322,5 @@ shred --remove "$SECFILE" fi # Remove the key rings -shred --remove "$SECRING" -rm --force "$PUBRING" "${PUBRING}~" -# Remove the trustdb, if one did not exist when we started -if [ -n "$TRUSTDB" ]; then - rm --force "$TRUSTDB" -fi +shred --remove "$RINGDIR"/sec* +rm --recursive --force "$RINGDIR" === modified file 'mandos-keygen.xml' --- mandos-keygen.xml 2008-08-30 17:16:33 +0000 +++ mandos-keygen.xml 2009-01-04 21:54:55 +0000 @@ -1,9 +1,10 @@ - + + +%common; ]> @@ -11,7 +12,7 @@ Mandos Manual Mandos - &VERSION; + &version; &TIMESTAMP; @@ -31,34 +32,13 @@ 2008 + 2009 Teddy Hogeborn Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + - + &COMMANDNAME; 8 @@ -67,11 +47,10 @@ &COMMANDNAME; - Generate keys for password-request - 8mandos + Generate key and password for Mandos client and server. - + &COMMANDNAME; @@ -143,8 +122,12 @@ &COMMANDNAME; + - + + + FILE @@ -164,66 +147,69 @@ &COMMANDNAME; + - &COMMANDNAME; + - - + DESCRIPTION &COMMANDNAME; is a program to generate the - OpenPGP keys used by - password-request - 8mandos. The keys are + OpenPGP key used by + mandos-client + 8mandos. The key is normally written to /etc/mandos for later installation into the - initrd image, but this, like most things, can be changed with - command line options. + initrd image, but this, and most other things, can be changed + with command line options. - It can also be used to generate ready-made sections for + This program can also be used with the + or + options to generate a ready-made section for + clients.conf (see mandos-clients.conf - 5 using the - option. + 5). PURPOSE - The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. - OPTIONS - + - -h, --help + + Show a help message and exit - + - -d, --dir - directory + + Target directory for key files. Default is @@ -231,30 +217,36 @@ - + - -t, --type - type + + Key type. Default is DSA. - + - -l, --length - bits + + Key length in bits. Default is 2048. - + - -s, --subtype - type + + Subkey type. Default is ELG-E (Elgamal @@ -262,30 +254,36 @@ - + - -L, --sublength - bits + + Subkey length in bits. Default is 2048. - + - -e, --email - address + + Email address of key. Default is empty. - + - -c, --comment - comment + + Comment field for key. The default value is @@ -293,10 +291,12 @@ - + - -x, --expire - time + + Key expire time. Default is no expiration. See @@ -305,18 +305,19 @@ - + - -f, --force + + - Force overwriting old keys. + Force overwriting old key. - -p, --password + + Prompt for a password and encrypt it with the key already @@ -328,27 +329,41 @@ >8. The host name or the name specified with the option is used for the section header. All other options are ignored, - and no keys are created. + and no key is created. + + + + + + + + + The same as , but read from + FILE, not the terminal. - + OVERVIEW This program is a small utility to generate new OpenPGP keys for - new Mandos clients. + new Mandos clients, and to generate sections for inclusion in + clients.conf on the server. - + EXIT STATUS - The exit status will be 0 if new keys were successfully created, - otherwise not. + The exit status will be 0 if a new key (or password, if the + option was used) was successfully + created, otherwise not. @@ -368,7 +383,7 @@ - + FILES Use the option to change where @@ -405,14 +420,13 @@ - - - BUGS - - None are known at this time. - - - + + + + + + + EXAMPLE @@ -425,7 +439,7 @@ - Create keys in another directory and of another type. Force + Create key in another directory and of another type. Force overwriting old key files: @@ -435,31 +449,56 @@ + + + Prompt for a password, encrypt it with the key in + /etc/mandos and output a section suitable + for clients.conf. + + + &COMMANDNAME; --password + + + + + Prompt for a password, encrypt it with the key in the + client-key directory and output a section + suitable for clients.conf. + + + + +&COMMANDNAME; --password --dir client-key + + + - + SECURITY The , , , and - options can be used to create keys of insufficient security. If - in doubt, leave them to the default values. + options can be used to create keys of low security. If in + doubt, leave them to the default values. - The key expire time is not guaranteed to be honored by - mandos + The key expire time is not guaranteed to be + honored by mandos 8. - + SEE ALSO gpg 1, + mandos-clients.conf + 5, mandos 8, - password-request + mandos-client 8mandos === added file 'mandos-list' --- mandos-list 1970-01-01 00:00:00 +0000 +++ mandos-list 2008-12-21 19:19:25 +0000 @@ -0,0 +1,65 @@ +#!/usr/bin/python +# -*- mode: python; coding: utf-8 -*- + +import dbus +from optparse import OptionParser +import locale + +locale.setlocale(locale.LC_ALL, u'') + +tablewords = { + 'name': u'Name', + 'enabled': u'Enabled', + 'timeout': u'Timeout', + 'last_checked_ok': u'Last Successful Check', + 'created': u'Created', + 'interval': u'Interval', + 'host': u'Host', + 'fingerprint': u'Fingerprint', + 'checker_running': u'Check Is Running', + 'last_enabled': u'Last Enabled', + 'checker': u'Checker', + } +busname = 'org.mandos-system.Mandos' +object_path = '/Mandos' +interface = 'org.mandos_system.Mandos' +version = "1.0.2" +defaultkeywords = ('name', 'enabled', 'timeout', 'last_checked_ok', + 'checker') + +parser = OptionParser(version = "%%prog %s" % version) +parser.add_option("-a", "--all", action="store_true", default=False, + help="Print all fields") +options = parser.parse_args()[0] +if options.all: + keywords = ('name', 'enabled', 'timeout', 'last_checked_ok', + 'created', 'interval', 'host', 'fingerprint', + 'checker_running', 'last_enabled', 'checker') +else: + keywords = defaultkeywords + + +bus = dbus.SystemBus() +mandos_dbus_objc = bus.get_object(busname, object_path) +mandos_serv = dbus.Interface(mandos_dbus_objc, + dbus_interface = interface) +mandos_clients = mandos_serv.GetAllClientsWithProperties() + +def valuetostring(x): + if type(x) is dbus.Boolean: + return u"Yes" if x else u"No" + else: + return unicode(x) + +format_string = u' '.join(u'%%-%ds' + % max(len(tablewords[key]), + max(len(valuetostring(client[key])) + for client + in mandos_clients.itervalues())) + for key in keywords) +print format_string % tuple(tablewords[key] for key in keywords) +for client in mandos_clients.itervalues(): + print format_string % tuple(valuetostring(client[key]) + for key in keywords) + + === modified file 'mandos-options.xml' --- mandos-options.xml 2008-08-30 18:45:41 +0000 +++ mandos-options.xml 2008-12-29 02:44:54 +0000 @@ -5,6 +5,8 @@
@@ -43,26 +45,31 @@ - GnuTLS priority string for the TLS handshake - with the clients. The default is - SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See - gnutls_priority_init + GnuTLS priority string for the TLS handshake. + The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See + gnutls_priority_init 3 for the syntax. Warning: changing this may make the - TLS handshake fail, making communication with - clients impossible. + TLS handshake fail, making server-client + communication impossible. Zeroconf service name. The default is Mandos. This only needs to be - changed this if it, for some reason, is necessary to run more than - one server on the same host, which would not + changed if for some reason is would be necessary to run more than + one server on the same host. This would not normally be useful. If there are name collisions on the same network, the newer server will automatically rename itself to Mandos #2, and so on; therefore, this option is not needed in that case. + + + This option controls whether the server will provide a D-Bus + system bus interface. The default is to provide such an + interface. +
=== modified file 'mandos.conf' --- mandos.conf 2008-08-18 23:55:28 +0000 +++ mandos.conf 2008-12-29 02:44:54 +0000 @@ -36,3 +36,6 @@ # If there are name collisions on the same *network*, the server will # rename itself to "Mandos #2", etc. ;servicename = Mandos + +# Whether to provide a D-Bus system bus interface or not +;use_dbus = True === modified file 'mandos.conf.xml' --- mandos.conf.xml 2008-08-30 18:45:41 +0000 +++ mandos.conf.xml 2009-01-04 21:54:55 +0000 @@ -1,10 +1,11 @@ - + /etc/mandos/mandos.conf"> - + + +%common; ]> @@ -12,7 +13,7 @@ Mandos Manual Mandos - &VERSION; + &version; &TIMESTAMP; @@ -32,34 +33,13 @@ 2008 + 2009 Teddy Hogeborn Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + - + &CONFNAME; 5 @@ -71,11 +51,11 @@ Configuration file for the Mandos server - + &CONFPATH; - + DESCRIPTION @@ -93,7 +73,7 @@ # or ; are ignored and may be used to provide comments. - + OPTIONS @@ -106,7 +86,7 @@ - + @@ -114,7 +94,7 @@ - + @@ -122,7 +102,7 @@ - + - + @@ -141,7 +121,7 @@ - + @@ -151,6 +131,17 @@ + + + + + + + @@ -166,7 +157,7 @@ The [DEFAULT] is necessary because the Python built-in module ConfigParser - requres it. + requires it. @@ -193,6 +184,7 @@ debug = true priority = SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP servicename = Daena +use_dbus = False @@ -207,7 +199,7 @@ mandos-clients.conf 5 - + === added file 'mandos.lsm' --- mandos.lsm 1970-01-01 00:00:00 +0000 +++ mandos.lsm 2009-01-06 02:42:53 +0000 @@ -0,0 +1,22 @@ +Begin4 +Title: Mandos +Version: 1.0.3 +Entered-date: 2009-01-06 +Description: The Mandos system allows computers to have encrypted +root file systems and at the same time be capable of remote and/or +unattended reboots. +Keywords: boot, encryption, luks, cryptsetup, network, openpgp, +tls, dm-crypt +Author: teddy@fukt.bsnet.se (Teddy Hogeborn), + belorn@fukt.bsnet.se (Björn Påhlsson) +Maintained-by: teddy@fukt.bsnet.se (Teddy Hogeborn), + belorn@fukt.bsnet.se (Björn Påhlsson) +Primary-site: http://www.fukt.bsnet.se/mandos + 92K mandos_1.0.3.orig.tar.gz +Alternate-site: ftp://ftp.fukt.bsnet.se/pub/mandos + 92K mandos_1.0.3.orig.tar.gz +Platforms: Requires GCC, GNU libC, Avahi, GnuPG, Python 2.4, and +various other libraries. While made for Debian GNU/Linux, it is +probably portable to other distributions, but not other Unixes. +Copying-policy: GNU General Public License version 3.0 or later +End === modified file 'mandos.xml' --- mandos.xml 2008-08-30 19:05:15 +0000 +++ mandos.xml 2009-01-04 21:54:55 +0000 @@ -1,17 +1,18 @@ - + + +%common; ]> - + Mandos Manual Mandos - &VERSION; + &version; &TIMESTAMP; @@ -31,34 +32,13 @@ 2008 + 2009 Teddy Hogeborn Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + - + &COMMANDNAME; 8 @@ -70,7 +50,7 @@ Gives encrypted passwords to authenticated Mandos clients - + &COMMANDNAME; @@ -105,12 +85,14 @@ DIRECTORY + + &COMMANDNAME; + - @@ -122,7 +104,7 @@ - + DESCRIPTION @@ -137,63 +119,63 @@ Any authenticated client is then given the stored pre-encrypted password for that specific client. - PURPOSE - The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See for details. - OPTIONS - + - Show a help message and exit - + + + NAME NAME - - NAME - + - -a, --address - ADDRESS + + - + - -p, --port - PORT + + - + - --check + Run the server’s self-tests. This includes any unit @@ -201,34 +183,34 @@ - + - --debug + - + - --priority - PRIORITY + - + - --servicename NAME - + - + - --configdir DIR - + Directory to search for configuration files. Default is @@ -240,28 +222,38 @@ - + - --version + Prints the program version and exit. + + + + + + + See also . + + + - + OVERVIEW This program is the server part. It is a normal server program and will run in a normal system environment, not in an initial - RAM disk environment. + RAM disk environment. - + NETWORK PROTOCOL @@ -319,7 +311,7 @@ - + CHECKING @@ -333,7 +325,7 @@ 5. - + LOGGING @@ -343,6 +335,16 @@ and also show them on the console. + + + D-BUS INTERFACE + + The server will by default provide a D-Bus system bus interface. + This interface will only be accessible by the root user or a + Mandos-specific user, if such a user exists. + + + EXIT STATUS @@ -351,7 +353,7 @@ critical error is encountered. - + ENVIRONMENT @@ -371,8 +373,8 @@ - - + + FILES Use the option to change where @@ -401,7 +403,7 @@ - /var/run/mandos/mandos.pid + /var/run/mandos.pid The file containing the process id of @@ -442,7 +444,7 @@ Currently, if a client is declared invalid due to having timed out, the server does not record this fact onto permanent storage. This has some security implications, see - . + . There is currently no way of querying the server of the current @@ -456,7 +458,11 @@ Debug mode is conflated with running in the foreground. - The console log messages does not show a timestamp. + The console log messages does not show a time stamp. + + + This server does not check the expire time of clients’ OpenPGP + keys. @@ -497,19 +503,19 @@ - + SECURITY - + SERVER Running this &COMMANDNAME; server program should not in itself present any security risk to the host - computer running it. The program does not need any special - privileges to run, and is designed to run as a non-root user. + computer running it. The program switches to a non-root user + soon after startup. - + CLIENTS The server only gives out its stored data to clients which @@ -522,7 +528,7 @@ mandos-clients.conf 5) must be made non-readable by anyone - except the user running the server. + except the user starting the server (usually root). As detailed in , the status of all @@ -539,20 +545,20 @@ restarting servers if it is suspected that a client has, in fact, been compromised by parties who may now be running a fake Mandos client with the keys from the non-encrypted - initial RAM image of the client host. What should be done in - that case (if restarting the server program really is - necessary) is to stop the server program, edit the + initial RAM image of the client host. What + should be done in that case (if restarting the server program + really is necessary) is to stop the server program, edit the configuration file to omit any suspect clients, and restart the server program. For more details on client-side security, see - password-request + mandos-client 8mandos. - + SEE ALSO @@ -561,7 +567,7 @@ 5, mandos.conf 5, - password-request + mandos-client 8mandos, sh1 === modified file 'overview.xml' --- overview.xml 2008-08-23 07:17:28 +0000 +++ overview.xml 2008-09-13 15:36:18 +0000 @@ -1,15 +1,17 @@ - This is part of the Mandos system for allowing computers to have - encrypted root file systems and also be capable of remote and - unattended reboots. The computers run a small client program in the - initial RAM disk environment which will communicate with a server - over a network. The clients are identified by the server using a - OpenPGP key; each client has one unique to it. The server sends the - clients an encrypted password. The encrypted password is decrypted - by the clients using the same OpenPGP key, and the password is then - used to unlock the root file system, whereupon the computers can - continue booting normally. + encrypted root file systems and at the same time be capable of + remote and/or unattended reboots. The computers run a small client + program in the initial RAM disk environment which + will communicate with a server over a network. All network + communication is encrypted using TLS. The + clients are identified by the server using an OpenPGP key; each + client has one unique to it. The server sends the clients an + encrypted password. The encrypted password is decrypted by the + clients using the same OpenPGP key, and the password is then used to + unlock the root file system, whereupon the computers can continue + booting normally. === modified file 'plugin-runner.c' --- plugin-runner.c 2008-08-25 07:53:43 +0000 +++ plugin-runner.c 2009-01-06 22:49:50 +0000 @@ -2,7 +2,8 @@ /* * Mandos plugin runner - Run Mandos plugins * - * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -27,8 +28,8 @@ #include /* malloc(), exit(), EXIT_FAILURE, EXIT_SUCCESS, realloc() */ #include /* bool, true, false */ -#include /* perror, popen(), fileno(), - fprintf(), stderr, STDOUT_FILENO */ +#include /* perror, fileno(), fprintf(), + stderr, STDOUT_FILENO */ #include /* DIR, opendir(), stat(), struct stat, waitpid(), WIFEXITED(), WEXITSTATUS(), wait(), pid_t, @@ -46,7 +47,7 @@ fcntl(), setuid(), setgid(), F_GETFD, F_SETFD, FD_CLOEXEC, access(), pipe(), fork(), close() - dup2, STDOUT_FILENO, _exit(), + dup2(), STDOUT_FILENO, _exit(), execv(), write(), read(), close() */ #include /* fcntl(), F_GETFD, F_SETFD, @@ -69,12 +70,18 @@ #define PDIR "/lib/mandos/plugins.d" #define AFILE "/conf/conf.d/mandos/plugin-runner.conf" -const char *argp_program_version = "plugin-runner 1.0"; +const char *argp_program_version = "plugin-runner " VERSION; const char *argp_program_bug_address = ""; -struct process; +typedef struct plugin{ + char *name; /* can be NULL or any plugin name */ + char **argv; + int argc; + char **environ; + int envc; + bool disabled; -typedef struct process{ + /* Variables used for running processes*/ pid_t pid; int fd; char *buffer; @@ -83,21 +90,16 @@ bool eof; volatile bool completed; volatile int status; - struct process *next; -} process; - -typedef struct plugin{ - char *name; /* can be NULL or any plugin name */ - char **argv; - int argc; - char **environ; - int envc; - bool disabled; struct plugin *next; } plugin; -static plugin *getplugin(char *name, plugin **plugin_list){ - for (plugin *p = *plugin_list; p != NULL; p = p->next){ +static plugin *plugin_list = NULL; + +/* Gets an existing plugin based on name, + or if none is found, creates a new one */ +static plugin *getplugin(char *name){ + /* Check for exiting plugin with that name */ + for (plugin *p = plugin_list; p != NULL; p = p->next){ if ((p->name == name) or (p->name and name and (strcmp(p->name, name) == 0))){ return p; @@ -118,9 +120,8 @@ *new_plugin = (plugin) { .name = copy_name, .argc = 1, - .envc = 0, .disabled = false, - .next = *plugin_list }; + .next = plugin_list }; new_plugin->argv = malloc(sizeof(char *) * 2); if (new_plugin->argv == NULL){ @@ -130,7 +131,7 @@ } new_plugin->argv[0] = copy_name; new_plugin->argv[1] = NULL; - + new_plugin->environ = malloc(sizeof(char *)); if(new_plugin->environ == NULL){ free(copy_name); @@ -139,8 +140,9 @@ return NULL; } new_plugin->environ[0] = NULL; + /* Append the new plugin to the list */ - *plugin_list = new_plugin; + plugin_list = new_plugin; return new_plugin; } @@ -176,21 +178,36 @@ } /* Add to a plugin's environment */ -static bool add_environment(plugin *p, const char *def){ +static bool add_environment(plugin *p, const char *def, bool replace){ if(p == NULL){ return false; } + /* namelen = length of name of environment variable */ + size_t namelen = (size_t)(strchrnul(def, '=') - def); + /* Search for this environment variable */ + for(char **e = p->environ; *e != NULL; e++){ + if(strncmp(*e, def, namelen + 1) == 0){ + /* It already exists */ + if(replace){ + char *new = realloc(*e, strlen(def) + 1); + if(new == NULL){ + return false; + } + *e = new; + strcpy(*e, def); + } + return true; + } + } return add_to_char_array(def, &(p->environ), &(p->envc)); } - /* * Based on the example in the GNU LibC manual chapter 13.13 "File * Descriptor Flags". * *Note File Descriptor Flags:(libc)Descriptor Flags. */ -static int set_cloexec_flag(int fd) -{ +static int set_cloexec_flag(int fd){ int ret = fcntl(fd, F_GETFD, 0); /* If reading the flags failed, return error indication now. */ if(ret < 0){ @@ -200,13 +217,12 @@ return fcntl(fd, F_SETFD, ret | FD_CLOEXEC); } -process *process_list = NULL; /* Mark processes as completed when they exit, and save their exit status. */ -void handle_sigchld(__attribute__((unused)) int sig){ +static void handle_sigchld(__attribute__((unused)) int sig){ while(true){ - process *proc = process_list; + plugin *proc = plugin_list; int status; pid_t pid = waitpid(-1, &status, WNOHANG); if(pid == 0){ @@ -220,7 +236,7 @@ /* No child processes */ break; } - + /* A child exited, find it in process_list */ while(proc != NULL and proc->pid != pid){ proc = proc->next; @@ -234,11 +250,9 @@ } } -bool print_out_password(const char *buffer, size_t length){ +/* Prints out a password to stdout */ +static bool print_out_password(const char *buffer, size_t length){ ssize_t ret; - if(length>0 and buffer[length-1] == '\n'){ - length--; - } for(size_t written = 0; written < length; written += (size_t)ret){ ret = TEMP_FAILURE_RETRY(write(STDOUT_FILENO, buffer + written, length - written)); @@ -249,18 +263,39 @@ return true; } -static void free_plugin_list(plugin *plugin_list){ - for(plugin *next; plugin_list != NULL; plugin_list = next){ - next = plugin_list->next; - for(char **arg = plugin_list->argv; *arg != NULL; arg++){ - free(*arg); - } - free(plugin_list->argv); - for(char **env = plugin_list->environ; *env != NULL; env++){ - free(*env); - } - free(plugin_list->environ); - free(plugin_list); +/* Removes and free a plugin from the plugin list */ +static void free_plugin(plugin *plugin_node){ + + for(char **arg = plugin_node->argv; *arg != NULL; arg++){ + free(*arg); + } + free(plugin_node->argv); + for(char **env = plugin_node->environ; *env != NULL; env++){ + free(*env); + } + free(plugin_node->environ); + free(plugin_node->buffer); + + /* Removes the plugin from the singly-linked list */ + if(plugin_node == plugin_list){ + /* First one - simple */ + plugin_list = plugin_list->next; + } else { + /* Second one or later */ + for(plugin *p = plugin_list; p != NULL; p = p->next){ + if(p->next == plugin_node){ + p->next = plugin_node->next; + break; + } + } + } + + free(plugin_node); +} + +static void free_plugin_list(void){ + while(plugin_list != NULL){ + free_plugin(plugin_list); } } @@ -274,6 +309,7 @@ struct stat st; fd_set rfds_all; int ret, maxfd = 0; + ssize_t sret; uid_t uid = 65534; gid_t gid = 65534; bool debug = false; @@ -304,18 +340,21 @@ { .name = "global-options", .key = 'g', .arg = "OPTION[,OPTION[,...]]", .doc = "Options passed to all plugins" }, - { .name = "global-envs", .key = 'e', + { .name = "global-env", .key = 'G', .arg = "VAR=value", .doc = "Environment variable passed to all plugins" }, { .name = "options-for", .key = 'o', .arg = "PLUGIN:OPTION[,OPTION[,...]]", .doc = "Options passed only to specified plugin" }, - { .name = "envs-for", .key = 'f', + { .name = "env-for", .key = 'E', .arg = "PLUGIN:ENV=value", .doc = "Environment variable passed to specified plugin" }, { .name = "disable", .key = 'd', .arg = "PLUGIN", .doc = "Disable a specific plugin", .group = 1 }, + { .name = "enable", .key = 'e', + .arg = "PLUGIN", + .doc = "Enable a specific plugin", .group = 1 }, { .name = "plugin-dir", .key = 128, .arg = "DIRECTORY", .doc = "Specify a different plugin directory", .group = 2 }, @@ -333,64 +372,54 @@ { .name = NULL } }; - error_t parse_opt (int key, char *arg, struct argp_state *state) { - /* Get the INPUT argument from `argp_parse', which we know is a - pointer to our plugin list pointer. */ - plugin **plugins = state->input; + error_t parse_opt (int key, char *arg, __attribute__((unused)) + struct argp_state *state) { switch (key) { - case 'g': + case 'g': /* --global-options */ if (arg != NULL){ char *p; while((p = strsep(&arg, ",")) != NULL){ if(p[0] == '\0'){ continue; } - if(not add_argument(getplugin(NULL, plugins), p)){ + if(not add_argument(getplugin(NULL), p)){ perror("add_argument"); return ARGP_ERR_UNKNOWN; } } } break; - case 'e': + case 'G': /* --global-env */ if(arg == NULL){ break; } - { - char *envdef = strdup(arg); - if(envdef == NULL){ - break; - } - if(not add_environment(getplugin(NULL, plugins), envdef)){ - perror("add_environment"); - } + if(not add_environment(getplugin(NULL), arg, true)){ + perror("add_environment"); } break; - case 'o': + case 'o': /* --options-for */ if (arg != NULL){ char *p_name = strsep(&arg, ":"); - if(p_name[0] == '\0'){ + if(p_name[0] == '\0' or arg == NULL){ break; } char *opt = strsep(&arg, ":"); - if(opt[0] == '\0'){ + if(opt[0] == '\0' or opt == NULL){ break; } - if(opt != NULL){ - char *p; - while((p = strsep(&opt, ",")) != NULL){ - if(p[0] == '\0'){ - continue; - } - if(not add_argument(getplugin(p_name, plugins), p)){ - perror("add_argument"); - return ARGP_ERR_UNKNOWN; - } + char *p; + while((p = strsep(&opt, ",")) != NULL){ + if(p[0] == '\0'){ + continue; + } + if(not add_argument(getplugin(p_name), p)){ + perror("add_argument"); + return ARGP_ERR_UNKNOWN; } } } break; - case 'f': + case 'E': /* --env-for */ if(arg == NULL){ break; } @@ -399,49 +428,90 @@ if(envdef == NULL){ break; } - char *p_name = strndup(arg, (size_t) (envdef-arg)); - if(p_name == NULL){ - break; - } - envdef++; - if(not add_environment(getplugin(p_name, plugins), envdef)){ + *envdef = '\0'; + if(not add_environment(getplugin(arg), envdef+1, true)){ perror("add_environment"); } } break; - case 'd': + case 'd': /* --disable */ if (arg != NULL){ - plugin *p = getplugin(arg, plugins); + plugin *p = getplugin(arg); if(p == NULL){ return ARGP_ERR_UNKNOWN; } p->disabled = true; } break; - case 128: + case 'e': /* --enable */ + if (arg != NULL){ + plugin *p = getplugin(arg); + if(p == NULL){ + return ARGP_ERR_UNKNOWN; + } + p->disabled = false; + } + break; + case 128: /* --plugin-dir */ + free(plugindir); plugindir = strdup(arg); if(plugindir == NULL){ perror("strdup"); } break; - case 129: + case 129: /* --config-file */ + /* This is already done by parse_opt_config_file() */ + break; + case 130: /* --userid */ + uid = (uid_t)strtol(arg, NULL, 10); + break; + case 131: /* --groupid */ + gid = (gid_t)strtol(arg, NULL, 10); + break; + case 132: /* --debug */ + debug = true; + break; + case ARGP_KEY_ARG: + /* Cryptsetup always passes an argument, which is an empty + string if "none" was specified in /etc/crypttab. So if + argument was empty, we ignore it silently. */ + if(arg[0] != '\0'){ + fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg); + } + break; + case ARGP_KEY_END: + break; + default: + return ARGP_ERR_UNKNOWN; + } + return 0; + } + + /* This option parser is the same as parse_opt() above, except it + ignores everything but the --config-file option. */ + error_t parse_opt_config_file (int key, char *arg, + __attribute__((unused)) + struct argp_state *state) { + switch (key) { + case 'g': /* --global-options */ + case 'G': /* --global-env */ + case 'o': /* --options-for */ + case 'E': /* --env-for */ + case 'd': /* --disable */ + case 'e': /* --enable */ + case 128: /* --plugin-dir */ + break; + case 129: /* --config-file */ + free(argfile); argfile = strdup(arg); if(argfile == NULL){ perror("strdup"); } break; - case 130: - uid = (uid_t)strtol(arg, NULL, 10); - break; - case 131: - gid = (gid_t)strtol(arg, NULL, 10); - break; - case 132: - debug = true; - break; + case 130: /* --userid */ + case 131: /* --groupid */ + case 132: /* --debug */ case ARGP_KEY_ARG: - fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg); - break; case ARGP_KEY_END: break; default: @@ -450,30 +520,33 @@ return 0; } - plugin *plugin_list = NULL; - - struct argp argp = { .options = options, .parser = parse_opt, - .args_doc = "[+PLUS_SEPARATED_OPTIONS]", + struct argp argp = { .options = options, + .parser = parse_opt_config_file, + .args_doc = "", .doc = "Mandos plugin runner -- Run plugins" }; - ret = argp_parse (&argp, argc, argv, 0, 0, &plugin_list); + /* Parse using the parse_opt_config_file in order to get the custom + config file location, if any. */ + ret = argp_parse (&argp, argc, argv, ARGP_IN_ORDER, 0, NULL); if (ret == ARGP_ERR_UNKNOWN){ fprintf(stderr, "Unknown error while parsing arguments\n"); exitstatus = EXIT_FAILURE; goto fallback; } - + + /* Reset to the normal argument parser */ + argp.parser = parse_opt; + + /* Open the configfile if available */ if (argfile == NULL){ conffp = fopen(AFILE, "r"); } else { conffp = fopen(argfile, "r"); - } - + } if(conffp != NULL){ char *org_line = NULL; char *p, *arg, *new_arg, *line; size_t size = 0; - ssize_t sret; const char whitespace_delims[] = " \r\t\f\v\n"; const char comment_delim[] = "#"; @@ -486,7 +559,9 @@ } custom_argv[0] = argv[0]; custom_argv[1] = NULL; - + + /* for each line in the config file, strip whitespace and ignore + commented text */ while(true){ sret = getline(&org_line, &size, conffp); if(sret == -1){ @@ -521,7 +596,7 @@ } } free(org_line); - } else{ + } else { /* Check for harmful errors and go to fallback. Other errors might not affect opening plugins */ if (errno == EMFILE or errno == ENFILE or errno == ENOMEM){ @@ -530,9 +605,11 @@ goto fallback; } } - + /* If there was any arguments from configuration file, + pass them to parser as command arguments */ if(custom_argv != NULL){ - ret = argp_parse (&argp, custom_argc, custom_argv, 0, 0, &plugin_list); + ret = argp_parse (&argp, custom_argc, custom_argv, ARGP_IN_ORDER, + 0, NULL); if (ret == ARGP_ERR_UNKNOWN){ fprintf(stderr, "Unknown error while parsing arguments\n"); exitstatus = EXIT_FAILURE; @@ -540,6 +617,15 @@ } } + /* Parse actual command line arguments, to let them override the + config file */ + ret = argp_parse (&argp, argc, argv, ARGP_IN_ORDER, 0, NULL); + if (ret == ARGP_ERR_UNKNOWN){ + fprintf(stderr, "Unknown error while parsing arguments\n"); + exitstatus = EXIT_FAILURE; + goto fallback; + } + if(debug){ for(plugin *p = plugin_list; p != NULL; p=p->next){ fprintf(stderr, "Plugin: %s has %d arguments\n", @@ -554,16 +640,16 @@ } } + /* Strip permissions down to nobody */ ret = setuid(uid); if (ret == -1){ perror("setuid"); - } - + } setgid(gid); if (ret == -1){ perror("setgid"); } - + if (plugindir == NULL){ dir = opendir(PDIR); } else { @@ -591,10 +677,11 @@ FD_ZERO(&rfds_all); + /* Read and execute any executable in the plugin directory*/ while(true){ dirst = readdir(dir); - // All directory entries have been processed + /* All directory entries have been processed */ if(dirst == NULL){ if (errno == EBADF){ perror("readdir"); @@ -606,7 +693,7 @@ d_name_len = strlen(dirst->d_name); - // Ignore dotfiles, backup files and other junk + /* Ignore dotfiles, backup files and other junk */ { bool bad_name = false; @@ -614,6 +701,7 @@ const char const *bad_suffixes[] = { "~", "#", ".dpkg-new", ".dpkg-old", + ".dpkg-bak", ".dpkg-divert", NULL }; for(const char **pre = bad_prefixes; *pre != NULL; pre++){ size_t pre_len = strlen(*pre); @@ -627,11 +715,9 @@ break; } } - if(bad_name){ continue; } - for(const char **suf = bad_suffixes; *suf != NULL; suf++){ size_t suf_len = strlen(*suf); if((d_name_len >= suf_len) @@ -652,7 +738,11 @@ } char *filename; - ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name); + if(plugindir == NULL){ + ret = asprintf(&filename, PDIR "/%s", dirst->d_name); + } else { + ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name); + } if(ret < 0){ perror("asprintf"); continue; @@ -664,7 +754,8 @@ free(filename); continue; } - + + /* Ignore non-executable files */ if (not S_ISREG(st.st_mode) or (access(filename, X_OK) != 0)){ if(debug){ fprintf(stderr, "Ignoring plugin dir entry \"%s\"" @@ -673,7 +764,8 @@ free(filename); continue; } - plugin *p = getplugin(dirst->d_name, &plugin_list); + + plugin *p = getplugin(dirst->d_name); if(p == NULL){ perror("getplugin"); free(filename); @@ -689,7 +781,7 @@ } { /* Add global arguments to argument list for this plugin */ - plugin *g = getplugin(NULL, &plugin_list); + plugin *g = getplugin(NULL); if(g != NULL){ for(char **a = g->argv + 1; *a != NULL; a++){ if(not add_argument(p, *a)){ @@ -698,7 +790,7 @@ } /* Add global environment variables */ for(char **e = g->environ; *e != NULL; e++){ - if(not add_environment(p, *e)){ + if(not add_environment(p, *e, false)){ perror("add_environment"); } } @@ -709,12 +801,7 @@ process, too. */ if(p->environ[0] != NULL){ for(char **e = environ; *e != NULL; e++){ - char *copy = strdup(*e); - if(copy == NULL){ - perror("strdup"); - continue; - } - if(not add_environment(p, copy)){ + if(not add_environment(p, *e, false)){ perror("add_environment"); } } @@ -727,6 +814,7 @@ exitstatus = EXIT_FAILURE; goto fallback; } + /* Ask OS to automatic close the pipe on exec */ ret = set_cloexec_flag(pipefd[0]); if(ret < 0){ perror("set_cloexec_flag"); @@ -746,7 +834,7 @@ exitstatus = EXIT_FAILURE; goto fallback; } - // Starting a new process to be watched + /* Starting a new process to be watched */ pid_t pid = fork(); if(pid == -1){ perror("fork"); @@ -760,12 +848,12 @@ perror("sigaction"); _exit(EXIT_FAILURE); } - ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); + ret = sigprocmask(SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); if(ret < 0){ perror("sigprocmask"); _exit(EXIT_FAILURE); } - + ret = dup2(pipefd[1], STDOUT_FILENO); /* replace our stdout */ if(ret == -1){ perror("dup2"); @@ -790,25 +878,23 @@ } /* no return */ } - /* parent process */ + /* Parent process */ + close(pipefd[1]); /* Close unused write end of pipe */ free(filename); - close(pipefd[1]); /* close unused write end of pipe */ - process *new_process = malloc(sizeof(process)); - if (new_process == NULL){ - perror("malloc"); + plugin *new_plugin = getplugin(dirst->d_name); + if (new_plugin == NULL){ + perror("getplugin"); ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); if(ret < 0){ - perror("sigprocmask"); + perror("sigprocmask"); } exitstatus = EXIT_FAILURE; goto fallback; } - *new_process = (struct process){ .pid = pid, - .fd = pipefd[0], - .next = process_list }; - // List handling - process_list = new_process; + new_plugin->pid = pid; + new_plugin->fd = pipefd[0]; + /* Unblock SIGCHLD so signal handler can be run if this process has already completed */ ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); @@ -818,26 +904,29 @@ goto fallback; } - FD_SET(new_process->fd, &rfds_all); + FD_SET(new_plugin->fd, &rfds_all); - if (maxfd < new_process->fd){ - maxfd = new_process->fd; + if (maxfd < new_plugin->fd){ + maxfd = new_plugin->fd; } - } - - free_plugin_list(plugin_list); - plugin_list = NULL; closedir(dir); dir = NULL; - - if (process_list == NULL){ - fprintf(stderr, "No plugin processes started. Incorrect plugin" - " directory?\n"); - process_list = NULL; + + for(plugin *p = plugin_list; p != NULL; p = p->next){ + if(p->pid != 0){ + break; + } + if(p->next == NULL){ + fprintf(stderr, "No plugin processes started. Incorrect plugin" + " directory?\n"); + free_plugin_list(); + } } - while(process_list){ + + /* Main loop while running plugins exist */ + while(plugin_list){ fd_set rfds = rfds_all; int select_ret = select(maxfd+1, &rfds, NULL, NULL, NULL); if (select_ret == -1){ @@ -847,13 +936,14 @@ } /* OK, now either a process completed, or something can be read from one of them */ - for(process *proc = process_list; proc ; proc = proc->next){ + for(plugin *proc = plugin_list; proc != NULL;){ /* Is this process completely done? */ if(proc->eof and proc->completed){ /* Only accept the plugin output if it exited cleanly */ if(not WIFEXITED(proc->status) or WEXITSTATUS(proc->status) != 0){ /* Bad exit by plugin */ + if(debug){ if(WIFEXITED(proc->status)){ fprintf(stderr, "Plugin %u exited with status %d\n", @@ -868,8 +958,10 @@ (unsigned int) (proc->pid)); } } + /* Remove the plugin */ FD_CLR(proc->fd, &rfds_all); + /* Block signal while modifying process_list */ ret = sigprocmask(SIG_BLOCK, &sigchld_action.sa_mask, NULL); if(ret < 0){ @@ -877,34 +969,29 @@ exitstatus = EXIT_FAILURE; goto fallback; } - /* Delete this process entry from the list */ - if(process_list == proc){ - /* First one - simple */ - process_list = proc->next; - } else { - /* Second one or later */ - for(process *p = process_list; p != NULL; p = p->next){ - if(p->next == proc){ - p->next = proc->next; - break; - } - } - } + + plugin *next_plugin = proc->next; + free_plugin(proc); + proc = next_plugin; + /* We are done modifying process list, so unblock signal */ ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL); if(ret < 0){ perror("sigprocmask"); - } - free(proc->buffer); - free(proc); - /* We deleted this process from the list, so we can't go - proc->next. Therefore, start over from the beginning of - the process list */ - break; + exitstatus = EXIT_FAILURE; + goto fallback; + } + + if(plugin_list == NULL){ + break; + } + + continue; } + /* This process exited nicely, so print its buffer */ - + bool bret = print_out_password(proc->buffer, proc->buffer_length); if(not bret){ @@ -913,9 +1000,11 @@ } goto fallback; } + /* This process has not completed. Does it have any output? */ if(proc->eof or not FD_ISSET(proc->fd, &rfds)){ /* This process had nothing to say at this time */ + proc = proc->next; continue; } /* Before reading, make the process' data buffer large enough */ @@ -930,17 +1019,18 @@ proc->buffer_size += BUFFER_SIZE; } /* Read from the process */ - ret = read(proc->fd, proc->buffer + proc->buffer_length, - BUFFER_SIZE); - if(ret < 0){ + sret = read(proc->fd, proc->buffer + proc->buffer_length, + BUFFER_SIZE); + if(sret < 0){ /* Read error from this process; ignore the error */ + proc = proc->next; continue; } - if(ret == 0){ + if(sret == 0){ /* got EOF */ proc->eof = true; } else { - proc->buffer_length += (size_t) ret; + proc->buffer_length += (size_t) sret; } } } @@ -948,13 +1038,19 @@ fallback: - if(process_list == NULL or exitstatus != EXIT_SUCCESS){ + if(plugin_list == NULL or exitstatus != EXIT_SUCCESS){ /* Fallback if all plugins failed, none are found or an error occured */ bool bret; fprintf(stderr, "Going to fallback mode using getpass(3)\n"); char *passwordbuffer = getpass("Password: "); - bret = print_out_password(passwordbuffer, strlen(passwordbuffer)); + size_t len = strlen(passwordbuffer); + /* Strip trailing newline */ + if(len > 0 and passwordbuffer[len-1] == '\n'){ + passwordbuffer[len-1] = '\0'; /* not strictly necessary */ + len--; + } + bret = print_out_password(passwordbuffer, len); if(not bret){ perror("print_out_password"); exitstatus = EXIT_FAILURE; @@ -967,30 +1063,28 @@ perror("sigaction"); exitstatus = EXIT_FAILURE; } - + if(custom_argv != NULL){ for(char **arg = custom_argv+1; *arg != NULL; arg++){ free(*arg); } free(custom_argv); } - free_plugin_list(plugin_list); if(dir != NULL){ closedir(dir); } - /* Free the process list and kill the processes */ - for(process *next; process_list != NULL; process_list = next){ - next = process_list->next; - close(process_list->fd); - ret = kill(process_list->pid, SIGTERM); - if(ret == -1 and errno != ESRCH){ - /* set-uid proccesses migth not get closed */ - perror("kill"); + /* Kill the processes */ + for(plugin *p = plugin_list; p != NULL; p = p->next){ + if(p->pid != 0){ + close(p->fd); + ret = kill(p->pid, SIGTERM); + if(ret == -1 and errno != ESRCH){ + /* Set-uid proccesses might not get closed */ + perror("kill"); + } } - free(process_list->buffer); - free(process_list); } /* Wait for any remaining child processes to terminate */ @@ -1000,7 +1094,9 @@ if(errno != ECHILD){ perror("wait"); } - + + free_plugin_list(); + free(plugindir); free(argfile); === added file 'plugin-runner.conf' --- plugin-runner.conf 1970-01-01 00:00:00 +0000 +++ plugin-runner.conf 2008-10-05 17:38:31 +0000 @@ -0,0 +1,11 @@ +## This is the configuration file for plugin-runner. It should be +## installed as "/etc/mandos/plugin-runner.conf", which will be copied +## to "/conf/conf.d/mandos/plugin-runner.conf" in the initrd.img file. +## +## After editing this file, the initrd image file must be updated for +## the changes to take effect! +## +## The default network interface for mandos-client(8mandos) is +## "eth0". Uncomment this line and change it if necessary. +## +#--options-for=mandos-client:--interface=eth0 === modified file 'plugin-runner.xml' --- plugin-runner.xml 2008-08-30 17:16:33 +0000 +++ plugin-runner.xml 2009-01-04 21:54:55 +0000 @@ -1,19 +1,18 @@ - - + - + + +%common; ]> - + Mandos Manual - + Mandos - &VERSION; + &version; &TIMESTAMP; @@ -33,33 +32,13 @@ 2008 - Teddy Hogeborn & Björn Påhlsson + 2009 + Teddy Hogeborn + Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + - + &COMMANDNAME; 8mandos @@ -68,211 +47,591 @@ &COMMANDNAME; - get password for encrypted rootdisk + Run Mandos plugins, pass data from first to succeed. - + &COMMANDNAME; - --global-optionsOPTIONS - --options-forPLUGIN:OPTIONS - --disablePLUGIN - --groupidID - --useridID - --plugin-dirDIRECTORY - --debug - - - &COMMANDNAME; - --help - - - &COMMANDNAME; - --usage - - - &COMMANDNAME; - --version + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + &COMMANDNAME; + + + + + + + &COMMANDNAME; + + + + &COMMANDNAME; + + + + - + DESCRIPTION - &COMMANDNAME; is a plugin runner that waits - for any of its plugins to return sucessfull with a password, and - passes it to cryptsetup as stdout message. This command is not - meant to be invoked directly, but is instead meant to be run by - cryptsetup by being specified in /etc/crypttab as a keyscript - and subsequlently started in the initrd environment. See + &COMMANDNAME; is a program which is meant to + be specified as a keyscript for the root disk in crypttab - 5 for more information on - keyscripts. - - - - plugins is looked for in the plugins directory which by default will be - /conf/conf.d/mandos/plugins.d if not changed by option --plugin-dir. - - + 5. The aim of this + program is therefore to output a password, which then + cryptsetup + 8 will use to unlock the + root disk. + + + This program is not meant to be invoked directly, but can be in + order to test it. Note that any password obtained will simply + be output on standard output. + + + + + PURPOSE + + The purpose of this is to enable remote and unattended + rebooting of client host computer with an + encrypted root file system. See for details. + + + OPTIONS - -g,--global-options - OPTIONS - - - Global options given to all plugins as additional start - arguments. Options are specified with a -o flag followed - by a comma separated string of options. - - - - - - -o, --options-for - PLUGIN:OPTION - - - - Plugin specific options given to the plugin as additional - start arguments. Options are specified with a -o flag - followed by a comma separated string of options. - - - - - - -d, --disable - PLUGIN - - - - Disable a specific plugin - - - - - - --groupid ID - - - - Group ID the plugins will run as - - - - - - --userid ID - - - - User ID the plugins will run as - - - - - - --plugin-dir DIRECTORY - - - - Specify a different plugin directory - - - - - - --debug - - - Debug mode - - - - - - -?, --help - - - Gives a help message - - - - - - --usage - - - Gives a short usage message - - - - - - -V, --version - - - Prints the program version + + + + + This option will add an environment variable setting to + all plugins. This will override any inherited environment + variable. + + + + + + + + + + This option will add an environment variable setting to + the PLUGIN plugin. This will + override any inherited environment variables or + environment variables specified using + . + + + + + + + + + + Pass some options to all plugins. + OPTIONS is a comma separated + list of options. This is not a very useful option, except + for specifying the + option to all plugins. + + + + + + + + + + Pass some options to a specific plugin. PLUGIN is the name (file basename) of a + plugin, and OPTIONS is a comma + separated list of options. + + + Note that since options are not split on whitespace, the + way to pass, to the plugin + foo, the option + with the option argument + baz is either + --options-for=foo:--bar=baz or + --options-for=foo:--bar,baz. Using + --options-for="foo:--bar baz". will + not work. + + + + + + + + + + Disable the plugin named + PLUGIN. The plugin will not be + started. + + + + + + + + + + Re-enable the plugin named + PLUGIN. This is only useful to + undo a previous option, maybe + from the configuration file. + + + + + + + + + Change to group ID ID on + startup. The default is 65534. All plugins will be + started using this group ID. Note: + This must be a number, not a name. + + + + + + + + + Change to user ID ID on + startup. The default is 65534. All plugins will be + started using this user ID. Note: + This must be a number, not a name. + + + + + + + + + Specify a different plugin directory. The default is + /lib/mandos/plugins.d, which will + exist in the initial RAM disk + environment. + + + + + + + + + Specify a different file to read additional options from. + See . Other command line options + will override options specified in the file. + + + + + + + + + Enable debug mode. This will enable a lot of output to + standard error about what the program is doing. The + program will still perform all other functions normally. + The default is to not run in debug + mode. + + + The plugins will not be affected by + this option. Use + + if complete debugging eruption is desired. + + + + + + + + + + Gives a help message about options and their meanings. + + + + + + + + + Gives a short usage message. + + + + + + + + + + Prints the program version. - + + + OVERVIEW + + + This program will run on the client side in the initial + RAM disk environment, and is responsible for + getting a password. It does this by running plugins, one of + which will normally be the actual client program communicating + with the server. + + + + PLUGINS + + This program will get a password by running a number of + plugins, which are simply executable + programs in a directory in the initial RAM + disk environment. The default directory is + /lib/mandos/plugins.d, but this can be + changed with the option. The + plugins are started in parallel, and the first plugin to output + a password and exit with a successful exit + code will make this plugin-runner output the password from that + plugin, stop any other plugins, and exit. + + + + WRITING PLUGINS + + A plugin is simply a program which prints a password to its + standard output and then exits with a successful (zero) exit + status. If the exit status is not zero, any output on + standard output will be ignored by the plugin runner. Any + output on its standard error channel will simply be passed to + the standard error of the plugin runner, usually the system + console. + + + If the password is a single-line, manually entered passprase, + a final trailing newline character should + not be printed. + + + The plugin will run in the initial RAM disk environment, so + care must be taken not to depend on any files or running + services not available there. + + + The plugin must exit cleanly and free all allocated resources + upon getting the TERM signal, since this is what the plugin + runner uses to stop all other plugins when one plugin has + output a password and exited cleanly. + + + The plugin must not use resources, like for instance reading + from the standard input, without knowing that no other plugin + is also using it. + + + It is useful, but not required, for the plugin to take the + option. + + + + + + FALLBACK + + If no plugins succeed, this program will, as a fallback, ask for + a password on the console using getpass3, + and output it. This is not meant to be the normal mode of + operation, as there is a separate plugin for getting a password + from the console. + + + EXIT STATUS - - - - + Exit status of this program is zero if no errors were + encountered, and otherwise not. The fallback (see ) may or may not have succeeded in either + case. + + + + + ENVIRONMENT + + This program does not use any environment variables itself, it + only passes on its environment to all the plugins. The + environment passed to plugins can be modified using the + and + options. + + + + FILES - - - - - NOTES - + + + /conf/conf.d/mandos/plugin-runner.conf + + + Since this program will be run as a keyscript, there is + little to no opportunity to pass command line arguments + to it. Therefore, it will also + read this file and use its contents as + whitespace-separated command line options. Also, + everything from a # character to the end + of a line is ignored. + + + This program is meant to run in the initial RAM disk + environment, so that is where this file is assumed to + exist. The file does not need to exist in the normal + file system. + + + This file will be processed before + the normal command line options, so the latter can + override the former, if need be. + + + This file name is the default; the file to read for + arguments can be changed using the + option. + + + + BUGS + The option is ignored when + specified from within a configuration file. - + EXAMPLE - - + + + Normal invocation needs no options: + + + &COMMANDNAME; + + + + + Run the program, but not the plugins, in debug mode: + + + + + &COMMANDNAME; --debug + + + + + + Run all plugins, but run the foo plugin in + debug mode: + + + + + &COMMANDNAME; --options-for=foo:--debug + + + + + + Run all plugins, but not the program, in debug mode: + + + + + &COMMANDNAME; --global-options=--debug + + + + + + Run plugins from a different directory, read a different + configuration file, and add two options to the + mandos-client + 8mandos plugin: + + + + +&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt + + + - SECURITY + This program will, when starting, try to switch to another user. + If it is started as root, it will succeed, and will by default + switch to user and group 65534, which are assumed to be + non-privileged. This user and group is then what all plugins + will be started as. Therefore, the only way to run a plugin as + a privileged user is to have the set-user-ID or set-group-ID bit + set on the plugin executable file (see + execve2 + ). + + + If this program is used as a keyscript in crypttab5 + , there is a slight risk that if this program + fails to work, there might be no way to boot the system except + for booting from another media and editing the initial RAM disk + image to not run this program. This is, however, unlikely, + since the password-prompt8mandos + plugin will read a password from the console in + case of failure of the other plugins, and this plugin runner + will also, in case of catastrophic failure, itself fall back to + asking and outputting a password on the console (see ). - + SEE ALSO cryptsetup 8, + crypttab + 5, + execve + 2, mandos 8, password-prompt 8mandos, - password-request + mandos-client 8mandos - + === added file 'plugins.d/askpass-fifo.c' --- plugins.d/askpass-fifo.c 1970-01-01 00:00:00 +0000 +++ plugins.d/askpass-fifo.c 2009-01-04 21:54:55 +0000 @@ -0,0 +1,105 @@ +/* -*- coding: utf-8 -*- */ +/* + * Passprompt - Read a password from a FIFO and output it + * + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson + * + * This program is free software: you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see + * . + * + * Contact the authors at and + * . + */ + +#define _GNU_SOURCE /* TEMP_FAILURE_RETRY() */ +#include /* ssize_t */ +#include /* mkfifo(), S_IRUSR, S_IWUSR */ +#include /* and */ +#include /* errno, EEXIST */ +#include /* perror() */ +#include /* EXIT_FAILURE, NULL, size_t, free(), + realloc(), EXIT_SUCCESS */ +#include /* open(), O_RDONLY */ +#include /* read(), close(), write(), + STDOUT_FILENO */ + + +int main(__attribute__((unused))int argc, + __attribute__((unused))char **argv){ + int ret = 0; + ssize_t sret; + + /* Create FIFO */ + const char passfifo[] = "/lib/cryptsetup/passfifo"; + ret = TEMP_FAILURE_RETRY(mkfifo(passfifo, S_IRUSR | S_IWUSR)); + if(ret == -1 and errno != EEXIST){ + perror("mkfifo"); + return EXIT_FAILURE; + } + + /* Open FIFO */ + int fifo_fd = TEMP_FAILURE_RETRY(open(passfifo, O_RDONLY)); + if(fifo_fd == -1){ + perror("open"); + return EXIT_FAILURE; + } + + /* Read from FIFO */ + char *buf = NULL; + size_t buf_len = 0; + { + size_t buf_allocated = 0; + const size_t blocksize = 1024; + do{ + if(buf_len + blocksize > buf_allocated){ + char *tmp = realloc(buf, buf_allocated + blocksize); + if(tmp == NULL){ + perror("realloc"); + free(buf); + return EXIT_FAILURE; + } + buf = tmp; + buf_allocated += blocksize; + } + sret = TEMP_FAILURE_RETRY(read(fifo_fd, buf + buf_len, + buf_allocated - buf_len)); + if(sret == -1){ + perror("read"); + free(buf); + return EXIT_FAILURE; + } + buf_len += (size_t)sret; + }while(sret != 0); + } + + /* Close FIFO */ + TEMP_FAILURE_RETRY(close(fifo_fd)); + + /* Print password to stdout */ + size_t written = 0; + while(written < buf_len){ + sret = TEMP_FAILURE_RETRY(write(STDOUT_FILENO, buf + written, + buf_len - written)); + if(sret == -1){ + perror("write"); + free(buf); + return EXIT_FAILURE; + } + written += (size_t)sret; + } + free(buf); + + return EXIT_SUCCESS; +} === added file 'plugins.d/askpass-fifo.xml' --- plugins.d/askpass-fifo.xml 1970-01-01 00:00:00 +0000 +++ plugins.d/askpass-fifo.xml 2009-01-04 21:54:55 +0000 @@ -0,0 +1,162 @@ + + + + +%common; +]> + + + + Mandos Manual + + Mandos + &version; + &TIMESTAMP; + + + Björn + Påhlsson +
+ belorn@fukt.bsnet.se +
+ + + Teddy + Hogeborn +
+ teddy@fukt.bsnet.se +
+ + + + 2008 + 2009 + Teddy Hogeborn + Björn Påhlsson + + + + + + &COMMANDNAME; + 8mandos + + + + &COMMANDNAME; + Mandos plugin to get a password from a + FIFO. + + + + + &COMMANDNAME; + + + + + DESCRIPTION + + This program reads a password from a FIFO and + outputs it to standard output. + + + This program is not very useful on its own. This program is + really meant to run as a plugin in the Mandos client-side system, where it is used as a + fallback and alternative to retrieving passwords from a + Mandos server. + + + This program is meant to be imitate a feature of the + askpass program, so that programs written to + interface with it can keep working under the + Mandos system. + + + + + OPTIONS + + This program takes no options. + + + + + EXIT STATUS + + If exit status is 0, the output from the program is the password + as it was read. Otherwise, if exit status is other than 0, the + program was interrupted or encountered an error, and any output + so far could be corrupt and/or truncated, and should therefore + be ignored. + + + + + FILES + + + /lib/cryptsetup/passfifo + + + This is the FIFO where this program + will read the password. If it does not exist, it will be + created. + + + + + + + + EXAMPLE + + Note that normally, this program will not be invoked directly, + but instead started by the Mandos plugin-runner8mandos + . + + + + This program takes no options. + + + &COMMANDNAME; + + + + + + SECURITY + + The only thing that could be considered worthy of note is + this: This program is meant to be run by + plugin-runner8mandos, and will, when run + standalone, outside, in a normal environment, immediately output + on its standard output any presumably secret password it just + received. Therefore, when running this program standalone + (which should never normally be done), take care not to type in + any real secret password by force of habit, since it would then + immediately be shown as output. + + + + + SEE ALSO + + fifo + 7, + plugin-runner + 8mandos + + + + + + + + === renamed file 'plugins.d/password-request.c' => 'plugins.d/mandos-client.c' --- plugins.d/password-request.c 2008-08-24 10:49:09 +0000 +++ plugins.d/mandos-client.c 2009-01-04 21:54:55 +0000 @@ -9,7 +9,8 @@ * "browse_callback", and parts of "main". * * Everything else is - * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -47,21 +48,24 @@ #include /* socket(), inet_pton(), sockaddr, sockaddr_in6, PF_INET6, SOCK_STREAM, INET6_ADDRSTRLEN, - uid_t, gid_t */ -#include /* PRIu16 */ + uid_t, gid_t, open(), opendir(), DIR */ +#include /* open() */ #include /* socket(), struct sockaddr_in6, struct in6_addr, inet_pton(), connect() */ +#include /* open() */ +#include /* opendir(), struct dirent, readdir() */ +#include /* PRIu16 */ #include /* assert() */ #include /* perror(), errno */ #include /* time() */ #include /* ioctl, ifreq, SIOCGIFFLAGS, IFF_UP, SIOCSIFFLAGS, if_indextoname(), if_nametoindex(), IF_NAMESIZE */ +#include #include /* close(), SEEK_SET, off_t, write(), getuid(), getgid(), setuid(), setgid() */ -#include #include /* inet_pton(), htons */ #include /* not, and */ #include /* struct argp_option, error_t, struct @@ -98,10 +102,13 @@ #define BUFFER_SIZE 256 +#define PATHDIR "/conf/conf.d/mandos" +#define SECKEY "seckey.txt" +#define PUBKEY "pubkey.txt" + bool debug = false; -static const char *keydir = "/conf/conf.d/mandos"; static const char mandos_protocol_version[] = "1"; -const char *argp_program_version = "password-request 1.0"; +const char *argp_program_version = "mandos-client " VERSION; const char *argp_program_bug_address = ""; /* Used for passing in values through the Avahi callback functions */ @@ -112,6 +119,7 @@ unsigned int dh_bits; gnutls_dh_params_t dh_params; const char *priority; + gpgme_ctx_t ctx; } mandos_context; /* @@ -132,23 +140,52 @@ } /* - * Decrypt OpenPGP data using keyrings in HOMEDIR. - * Returns -1 on error + * Initialize GPGME. */ -static ssize_t pgp_packet_decrypt (const char *cryptotext, - size_t crypto_size, - char **plaintext, - const char *homedir){ - gpgme_data_t dh_crypto, dh_plain; - gpgme_ctx_t ctx; +static bool init_gpgme(mandos_context *mc, const char *seckey, + const char *pubkey, const char *tempdir){ + int ret; gpgme_error_t rc; - ssize_t ret; - size_t plaintext_capacity = 0; - ssize_t plaintext_length = 0; gpgme_engine_info_t engine_info; + + /* + * Helper function to insert pub and seckey to the enigne keyring. + */ + bool import_key(const char *filename){ + int fd; + gpgme_data_t pgp_data; + + fd = TEMP_FAILURE_RETRY(open(filename, O_RDONLY)); + if(fd == -1){ + perror("open"); + return false; + } + + rc = gpgme_data_new_from_fd(&pgp_data, fd); + if (rc != GPG_ERR_NO_ERROR){ + fprintf(stderr, "bad gpgme_data_new_from_fd: %s: %s\n", + gpgme_strsource(rc), gpgme_strerror(rc)); + return false; + } + + rc = gpgme_op_import(mc->ctx, pgp_data); + if (rc != GPG_ERR_NO_ERROR){ + fprintf(stderr, "bad gpgme_op_import: %s: %s\n", + gpgme_strsource(rc), gpgme_strerror(rc)); + return false; + } + + ret = TEMP_FAILURE_RETRY(close(fd)); + if(ret == -1){ + perror("close"); + } + gpgme_data_release(pgp_data); + return true; + } + if (debug){ - fprintf(stderr, "Trying to decrypt OpenPGP data\n"); + fprintf(stderr, "Initialize gpgme\n"); } /* Init GPGME */ @@ -157,27 +194,60 @@ if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_engine_check_version: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); - return -1; + return false; } - /* Set GPGME home directory for the OpenPGP engine only */ + /* Set GPGME home directory for the OpenPGP engine only */ rc = gpgme_get_engine_info (&engine_info); if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_get_engine_info: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); - return -1; + return false; } while(engine_info != NULL){ if(engine_info->protocol == GPGME_PROTOCOL_OpenPGP){ gpgme_set_engine_info(GPGME_PROTOCOL_OpenPGP, - engine_info->file_name, homedir); + engine_info->file_name, tempdir); break; } engine_info = engine_info->next; } if(engine_info == NULL){ - fprintf(stderr, "Could not set GPGME home dir to %s\n", homedir); - return -1; + fprintf(stderr, "Could not set GPGME home dir to %s\n", tempdir); + return false; + } + + /* Create new GPGME "context" */ + rc = gpgme_new(&(mc->ctx)); + if (rc != GPG_ERR_NO_ERROR){ + fprintf(stderr, "bad gpgme_new: %s: %s\n", + gpgme_strsource(rc), gpgme_strerror(rc)); + return false; + } + + if (not import_key(pubkey) or not import_key(seckey)){ + return false; + } + + return true; +} + +/* + * Decrypt OpenPGP data. + * Returns -1 on error + */ +static ssize_t pgp_packet_decrypt (const mandos_context *mc, + const char *cryptotext, + size_t crypto_size, + char **plaintext){ + gpgme_data_t dh_crypto, dh_plain; + gpgme_error_t rc; + ssize_t ret; + size_t plaintext_capacity = 0; + ssize_t plaintext_length = 0; + + if (debug){ + fprintf(stderr, "Trying to decrypt OpenPGP data\n"); } /* Create new GPGME data buffer from memory cryptotext */ @@ -198,25 +268,16 @@ return -1; } - /* Create new GPGME "context" */ - rc = gpgme_new(&ctx); - if (rc != GPG_ERR_NO_ERROR){ - fprintf(stderr, "bad gpgme_new: %s: %s\n", - gpgme_strsource(rc), gpgme_strerror(rc)); - plaintext_length = -1; - goto decrypt_end; - } - /* Decrypt data from the cryptotext data buffer to the plaintext data buffer */ - rc = gpgme_op_decrypt(ctx, dh_crypto, dh_plain); + rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain); if (rc != GPG_ERR_NO_ERROR){ fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n", gpgme_strsource(rc), gpgme_strerror(rc)); plaintext_length = -1; if (debug){ gpgme_decrypt_result_t result; - result = gpgme_op_decrypt_result(ctx); + result = gpgme_op_decrypt_result(mc->ctx); if (result == NULL){ fprintf(stderr, "gpgme_op_decrypt_result failed\n"); } else { @@ -251,7 +312,7 @@ /* Seek back to the beginning of the GPGME plaintext data buffer */ if (gpgme_data_seek(dh_plain, (off_t) 0, SEEK_SET) == -1){ - perror("pgpme_data_seek"); + perror("gpgme_data_seek"); plaintext_length = -1; goto decrypt_end; } @@ -281,7 +342,7 @@ } plaintext_length += ret; } - + if(debug){ fprintf(stderr, "Decrypted password is: "); for(ssize_t i = 0; i < plaintext_length; i++){ @@ -348,8 +409,8 @@ } if(debug){ - fprintf(stderr, "Attempting to use OpenPGP certificate %s" - " and keyfile %s as GnuTLS credentials\n", pubkeyfilename, + fprintf(stderr, "Attempting to use OpenPGP public key %s and" + " secret key %s as GnuTLS credentials\n", pubkeyfilename, seckeyfilename); } @@ -360,7 +421,7 @@ fprintf(stderr, "Error[%d] while reading the OpenPGP key pair ('%s'," " '%s')\n", ret, pubkeyfilename, seckeyfilename); - fprintf(stdout, "The GnuTLS error is: %s\n", + fprintf(stderr, "The GnuTLS error is: %s\n", safer_gnutls_strerror(ret)); goto globalfail; } @@ -380,15 +441,15 @@ } gnutls_certificate_set_dh_params(mc->cred, mc->dh_params); - + return 0; - + globalfail: - + gnutls_certificate_free_credentials(mc->cred); gnutls_global_deinit(); + gnutls_dh_params_deinit(mc->dh_params); return -1; - } static int init_gnutls_session(mandos_context *mc, @@ -466,7 +527,7 @@ perror("socket"); return -1; } - + if(debug){ if(if_indextoname((unsigned int)if_index, interface) == NULL){ perror("if_indextoname"); @@ -511,7 +572,7 @@ perror("connect"); return -1; } - + const char *out = mandos_protocol_version; written = 0; while (true){ @@ -535,13 +596,13 @@ } } } - + if(debug){ fprintf(stderr, "Establishing TLS session with %s\n", ip); } gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) tcp_sd); - + do{ ret = gnutls_handshake (session); } while(ret == GNUTLS_E_AGAIN or ret == GNUTLS_E_INTERRUPTED); @@ -561,7 +622,7 @@ fprintf(stderr, "Retrieving pgp encrypted password from %s\n", ip); } - + while(true){ buffer_capacity = adjustbuffer(&buffer, buffer_length, buffer_capacity); @@ -611,10 +672,9 @@ gnutls_bye (session, GNUTLS_SHUT_RDWR); if (buffer_length > 0){ - decrypted_buffer_size = pgp_packet_decrypt(buffer, + decrypted_buffer_size = pgp_packet_decrypt(mc, buffer, buffer_length, - &decrypted_buffer, - keydir); + &decrypted_buffer); if (decrypted_buffer_size >= 0){ written = 0; while(written < (size_t) decrypted_buffer_size){ @@ -643,7 +703,10 @@ mandos_end: free(buffer); - close(tcp_sd); + ret = TEMP_FAILURE_RETRY(close(tcp_sd)); + if(ret == -1){ + perror("close"); + } gnutls_deinit (session); return retval; } @@ -745,18 +808,6 @@ } } -/* Combines file name and path and returns the malloced new - string. some sane checks could/should be added */ -static char *combinepath(const char *first, const char *second){ - char *tmp; - int ret = asprintf(&tmp, "%s/%s", first, second); - if(ret < 0){ - return NULL; - } - return tmp; -} - - int main(int argc, char *argv[]){ AvahiSServiceBrowser *sb = NULL; int error; @@ -768,74 +819,71 @@ uid_t uid; gid_t gid; char *connect_to = NULL; + char tempdir[] = "/tmp/mandosXXXXXX"; AvahiIfIndex if_index = AVAHI_IF_UNSPEC; - char *pubkeyfilename = NULL; - char *seckeyfilename = NULL; - const char *pubkeyname = "pubkey.txt"; - const char *seckeyname = "seckey.txt"; + const char *seckey = PATHDIR "/" SECKEY; + const char *pubkey = PATHDIR "/" PUBKEY; + mandos_context mc = { .simple_poll = NULL, .server = NULL, - .dh_bits = 1024, .priority = "SECURE256"}; + .dh_bits = 1024, .priority = "SECURE256" + ":!CTYPE-X.509:+CTYPE-OPENPGP" }; bool gnutls_initalized = false; + bool gpgme_initalized = false; { struct argp_option options[] = { { .name = "debug", .key = 128, .doc = "Debug mode", .group = 3 }, { .name = "connect", .key = 'c', - .arg = "IP", - .doc = "Connect directly to a sepcified mandos server", + .arg = "ADDRESS:PORT", + .doc = "Connect directly to a specific Mandos server", .group = 1 }, { .name = "interface", .key = 'i', - .arg = "INTERFACE", - .doc = "Interface that Avahi will conntect through", - .group = 1 }, - { .name = "keydir", .key = 'd', - .arg = "KEYDIR", - .doc = "Directory where the openpgp keyring is", + .arg = "NAME", + .doc = "Interface that will be used to search for Mandos" + " servers", .group = 1 }, { .name = "seckey", .key = 's', - .arg = "SECKEY", - .doc = "Secret openpgp key for gnutls authentication", + .arg = "FILE", + .doc = "OpenPGP secret key file base name", .group = 1 }, { .name = "pubkey", .key = 'p', - .arg = "PUBKEY", - .doc = "Public openpgp key for gnutls authentication", + .arg = "FILE", + .doc = "OpenPGP public key file base name", .group = 2 }, { .name = "dh-bits", .key = 129, .arg = "BITS", - .doc = "dh-bits to use in gnutls communication", + .doc = "Bit length of the prime number used in the" + " Diffie-Hellman key exchange", .group = 2 }, { .name = "priority", .key = 130, - .arg = "PRIORITY", - .doc = "GNUTLS priority", .group = 1 }, + .arg = "STRING", + .doc = "GnuTLS priority string for the TLS handshake", + .group = 1 }, { .name = NULL } }; - error_t parse_opt (int key, char *arg, struct argp_state *state) { /* Get the INPUT argument from `argp_parse', which we know is a pointer to our plugin list pointer. */ switch (key) { - case 128: + case 128: /* --debug */ debug = true; break; - case 'c': + case 'c': /* --connect */ connect_to = arg; break; - case 'i': + case 'i': /* --interface */ interface = arg; break; - case 'd': - keydir = arg; - break; - case 's': - seckeyname = arg; - break; - case 'p': - pubkeyname = arg; - break; - case 129: + case 's': /* --seckey */ + seckey = arg; + break; + case 'p': /* --pubkey */ + pubkey = arg; + break; + case 129: /* --dh-bits */ errno = 0; mc.dh_bits = (unsigned int) strtol(arg, NULL, 10); if (errno){ @@ -843,7 +891,7 @@ exit(EXIT_FAILURE); } break; - case 130: + case 130: /* --priority */ mc.priority = arg; break; case ARGP_KEY_ARG: @@ -855,11 +903,11 @@ } return 0; } - + struct argp argp = { .options = options, .parser = parse_opt, .args_doc = "", .doc = "Mandos client -- Get and decrypt" - " passwords from mandos server" }; + " passwords from a Mandos server" }; ret = argp_parse (&argp, argc, argv, 0, 0, NULL); if (ret == ARGP_ERR_UNKNOWN){ fprintf(stderr, "Unknown error while parsing arguments\n"); @@ -867,29 +915,6 @@ goto end; } } - - pubkeyfilename = combinepath(keydir, pubkeyname); - if (pubkeyfilename == NULL){ - perror("combinepath"); - exitcode = EXIT_FAILURE; - goto end; - } - - seckeyfilename = combinepath(keydir, seckeyname); - if (seckeyfilename == NULL){ - perror("combinepath"); - exitcode = EXIT_FAILURE; - goto end; - } - - ret = init_gnutls_global(&mc, pubkeyfilename, seckeyfilename); - if (ret == -1){ - fprintf(stderr, "init_gnutls_global failed\n"); - exitcode = EXIT_FAILURE; - goto end; - } else { - gnutls_initalized = true; - } /* If the interface is down, bring it up */ { @@ -915,7 +940,10 @@ goto end; } } - close(sd); + ret = TEMP_FAILURE_RETRY(close(sd)); + if(ret == -1){ + perror("close"); + } } uid = getuid(); @@ -931,6 +959,29 @@ perror("setgid"); } + ret = init_gnutls_global(&mc, pubkey, seckey); + if (ret == -1){ + fprintf(stderr, "init_gnutls_global failed\n"); + exitcode = EXIT_FAILURE; + goto end; + } else { + gnutls_initalized = true; + } + + if(mkdtemp(tempdir) == NULL){ + perror("mkdtemp"); + tempdir[0] = '\0'; + goto end; + } + + if(not init_gpgme(&mc, pubkey, seckey, tempdir)){ + fprintf(stderr, "gpgme_initalized failed\n"); + exitcode = EXIT_FAILURE; + goto end; + } else { + gpgme_initalized = true; + } + if_index = (AvahiIfIndex) if_nametoindex(interface); if(if_index == 0){ fprintf(stderr, "No such interface: \"%s\"\n", interface); @@ -979,7 +1030,7 @@ exitcode = EXIT_FAILURE; goto end; } - + { AvahiServerConfig config; /* Do not publish any local Zeroconf records */ @@ -988,12 +1039,12 @@ config.publish_addresses = 0; config.publish_workstation = 0; config.publish_domain = 0; - + /* Allocate a new server */ mc.server = avahi_server_new(avahi_simple_poll_get (mc.simple_poll), &config, NULL, NULL, &error); - + /* Free the Avahi configuration data */ avahi_server_config_free(&config); } @@ -1019,7 +1070,7 @@ } /* Run the main loop */ - + if (debug){ fprintf(stderr, "Starting Avahi loop search\n"); } @@ -1027,7 +1078,7 @@ avahi_simple_poll_loop(mc.simple_poll); end: - + if (debug){ fprintf(stderr, "%s exiting\n", argv[0]); } @@ -1038,16 +1089,56 @@ if (mc.server != NULL) avahi_server_free(mc.server); - + if (mc.simple_poll != NULL) avahi_simple_poll_free(mc.simple_poll); - free(pubkeyfilename); - free(seckeyfilename); - + if (gnutls_initalized){ gnutls_certificate_free_credentials(mc.cred); gnutls_global_deinit (); - } - + gnutls_dh_params_deinit(mc.dh_params); + } + + if(gpgme_initalized){ + gpgme_release(mc.ctx); + } + + /* Removes the temp directory used by GPGME */ + if(tempdir[0] != '\0'){ + DIR *d; + struct dirent *direntry; + d = opendir(tempdir); + if(d == NULL){ + perror("opendir"); + } else { + while(true){ + direntry = readdir(d); + if(direntry == NULL){ + break; + } + if (direntry->d_type == DT_REG){ + char *fullname = NULL; + ret = asprintf(&fullname, "%s/%s", tempdir, + direntry->d_name); + if(ret < 0){ + perror("asprintf"); + continue; + } + ret = unlink(fullname); + if(ret == -1){ + fprintf(stderr, "unlink(\"%s\"): %s", + fullname, strerror(errno)); + } + free(fullname); + } + } + closedir(d); + } + ret = rmdir(tempdir); + if(ret == -1){ + perror("rmdir"); + } + } + return exitcode; } === renamed file 'plugins.d/password-request.xml' => 'plugins.d/mandos-client.xml' --- plugins.d/password-request.xml 2008-08-30 17:16:33 +0000 +++ plugins.d/mandos-client.xml 2009-01-04 21:54:55 +0000 @@ -1,19 +1,18 @@ - - + - - + + + +%common; ]> - + Mandos Manual - + Mandos - &VERSION; + &version; &TIMESTAMP; @@ -33,33 +32,13 @@ 2008 - Teddy Hogeborn & Björn Påhlsson + 2009 + Teddy Hogeborn + Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + - + &COMMANDNAME; 8mandos @@ -68,30 +47,23 @@ &COMMANDNAME; - Client for mandos + Client for Mandos - + &COMMANDNAME; - - - - - - + DESCRIPTION - &COMMANDNAME; is a mandos plugin that works - like a client program that through avahi detects mandos servers, - sets up a gnutls connect and request a encrypted password. Any - passwords given is automaticly decrypted and passed to - cryptsetup. + &COMMANDNAME; is a client program that + communicates with mandos8 + to get a password. It uses IPv6 link-local addresses to get + network connectivity, Zeroconf to find servers, and TLS with an + OpenPGP key to ensure authenticity and confidentiality. It + keeps running, trying all servers on the network, until it + receives a satisfactory reply or a TERM signal is received. + + + This program is not meant to be run directly; it is really meant + to run as a plugin of the Mandos + plugin-runner + 8mandos, which runs in the + initial RAM disk environment because it is + specified as a keyscript in the + crypttab5 + file. + + + + + PURPOSE + + The purpose of this is to enable remote and unattended + rebooting of client host computer with an + encrypted root file system. See for details. OPTIONS - Commonly not invoked as command lines but from configuration - file of plugin runner. + This program is commonly not invoked from the command line; it + is normally started by the Mandos + plugin runner, see plugin-runner8mandos + . Any command line options this program accepts + are therefore normally provided by the plugin runner, and not + directly. - + - -c, --connect= - IP - - - Connect directly to a specified mandos server - - - - - - -d, --keydir= - KEYDIR - - - Directory where the openpgp keyring is - - - - - - -i, --interface= - INTERFACE - - - Interface that Avahi will conntect through - - - - - - -p, --pubkey= - PUBKEY - - - Public openpgp key for gnutls authentication - - - - - - -s, --seckey= - SECKEY - - - Secret openpgp key for gnutls authentication - - - - - - --priority=PRIORITY - - - - GNUTLS priority - - - - - - --dh-bits=BITS - - - - dh-bits to use in gnutls communication - - - - - - --debug - - - Debug mode - - - - - - -?, --help - - - Gives a help message - - - - - - --usage - - - Gives a short usage message - - - - - - -V, --version - - - Prints the program version + + + + + Do not use Zeroconf to locate servers. Connect directly + to only one specified Mandos + server. Note that an IPv6 address has colon characters in + it, so the last colon character is + assumed to separate the address from the port number. + + + This option is normally only useful for testing and + debugging. + + + + + + + + + + Network interface that will be brought up and scanned for + Mandos servers to connect to. The default it + eth0. + + + If the option is used, this + specifies the interface to use to connect to the address + given. + + + + + + + + + + OpenPGP public key file name. The default name is + /conf/conf.d/mandos/pubkey.txt. + + + + + + + + + + OpenPGP secret key file name. The default name is + /conf/conf.d/mandos/seckey.txt. + + + + + + + + + + + + + + + + Sets the number of bits to use for the prime number in the + TLS Diffie-Hellman key exchange. Default is 1024. + + + + + + + + + Enable debug mode. This will enable a lot of output to + standard error about what the program is doing. The + program will still perform all other functions normally. + + + It will also enable debug mode in the Avahi and GnuTLS + libraries, making them print large amounts of debugging + output. + + + + + + + + + + Gives a help message about options and their meanings. + + + + + + + + + Gives a short usage message. + + + + + + + + + + Prints the program version. - + + + OVERVIEW + + + This program is the client part. It is a plugin started by + plugin-runner + 8mandos which will run in + an initial RAM disk environment. + + + This program could, theoretically, be used as a keyscript in + /etc/crypttab, but it would then be + impossible to enter a password for the encrypted root disk at + the console, since this program does not read from the console + at all. This is why a separate plugin runner ( + plugin-runner + 8mandos) is used to run + both this program and others in in parallel, + one of which will prompt for passwords on + the system console. + + + EXIT STATUS + This program will exit with a successful (zero) exit status if a + server could be found and the password received from it could be + successfully decrypted and output on standard output. The + program will exit with a non-zero exit status only if a critical + error occurs. Otherwise, it will forever connect to new + Mandos servers as they appear, trying + to get a decryptable password and print it. - + ENVIRONMENT + This program does not use any environment variables, not even + the ones provided by cryptsetup8 + . - - + + FILES - - - - - - BUGS - - - - + + + /conf/conf.d/mandos/pubkey.txt + /conf/conf.d/mandos/seckey.txt + + + OpenPGP public and private key files, in ASCII + Armor format. These are the default file names, + they can be changed with the and + options. + + + + + + + + + + + + EXAMPLE + Note that normally, command line options will not be given + directly, but via options for the Mandos plugin-runner + 8mandos. + + + Normal invocation needs no options, if the network interface + is eth0: + + + &COMMANDNAME; + + + + + Search for Mandos servers (and connect to them) using another + interface: + + + + &COMMANDNAME; --interface eth1 + + + + + Run in debug mode, and use a custom key: + + + + +&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt + + + + + + Run in debug mode, with a custom key, and do not use Zeroconf + to locate a server; connect directly to the IPv6 address + 2001:db8:f983:bd0b:30de:ae4a:71f2:f672, + port 4711, using interface eth2: + + + + +&COMMANDNAME; --debug --pubkey keydir/pubkey.txt --seckey keydir/seckey.txt --connect 2001:db8:f983:bd0b:30de:ae4a:71f2:f672:4711 --interface eth2 + + + - + SECURITY + This program is set-uid to root, but will switch back to the + original (and presumably non-privileged) user and group after + bringing up the network interface. + + + To use this program for its intended purpose (see ), the password for the root file system will + have to be given out to be stored in a server computer, after + having been encrypted using an OpenPGP key. This encrypted data + which will be stored in a server can only be decrypted by the + OpenPGP key, and the data will only be given out to those + clients who can prove they actually have that key. This key, + however, is stored unencrypted on the client side in its initial + RAM disk image file system. This is normally + readable by all, but this is normally fixed during installation + of this program; file permissions are set so that no-one is able + to read that file. + + + The only remaining weak point is that someone with physical + access to the client hard drive might turn off the client + computer, read the OpenPGP keys directly from the hard drive, + and communicate with the server. To safeguard against this, the + server is supposed to notice the client disappearing and stop + giving out the encrypted data. Therefore, it is important to + set the timeout and checker interval values tightly on the + server. See mandos8. + + + It will also help if the checker program on the server is + configured to request something from the client which can not be + spoofed by someone else on the network, unlike unencrypted + ICMP echo (ping) replies. + + + Note: This makes it completely insecure to + have Mandos clients which dual-boot + to another operating system which is not + trusted to keep the initial RAM disk image + confidential. - + SEE ALSO + cryptsetup + 8, + crypttab + 5, mandos 8, password-prompt @@ -317,45 +487,124 @@ plugin-runner 8mandos - - - Zeroconf - - - - Avahi - - - - GnuTLS - - - - - GPGME - - - - RFC 4880: OpenPGP Message - Format - - - - RFC 5081: Using OpenPGP Keys for - Transport Layer Security - - - - RFC 4291: IP Version 6 Addressing - Architecture, section 2.5.6, Link-Local IPv6 - Unicast Addresses - - + + + + Zeroconf + + + + Zeroconf is the network protocol standard used for finding + Mandos servers on the local network. + + + + + + Avahi + + + + Avahi is the library this program calls to find Zeroconf + services. + + + + + + GnuTLS + + + + GnuTLS is the library this client uses to implement TLS for + communicating securely with the server, and at the same time + send the public OpenPGP key to the server. + + + + + + GPGME + + + + GPGME is the library used to decrypt the OpenPGP data sent + by the server. + + + + + + RFC 4291: IP Version 6 Addressing + Architecture + + + + + Section 2.2: Text Representation of + Addresses + + + + Section 2.5.5.2: IPv4-Mapped IPv6 + Address + + + + Section 2.5.6, Link-Local IPv6 Unicast + Addresses + + + This client uses IPv6 link-local addresses, which are + immediately usable since a link-local addresses is + automatically assigned to a network interfaces when it + is brought up. + + + + + + + + + RFC 4346: The Transport Layer Security (TLS) + Protocol Version 1.1 + + + + TLS 1.1 is the protocol implemented by GnuTLS. + + + + + + RFC 4880: OpenPGP Message Format + + + + The data received from the server is binary encrypted + OpenPGP data. + + + + + + RFC 5081: Using OpenPGP Keys for Transport Layer + Security + + + + This is implemented by GnuTLS and used by this program so + that OpenPGP keys can be used. + + + + - + === modified file 'plugins.d/password-prompt.c' --- plugins.d/password-prompt.c 2008-08-29 05:53:59 +0000 +++ plugins.d/password-prompt.c 2009-01-04 21:54:55 +0000 @@ -1,8 +1,9 @@ /* -*- coding: utf-8 -*- */ /* * Passprompt - Read a password from the terminal and print it - * - * Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson + * + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson * * This program is free software: you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -52,7 +53,7 @@ volatile bool quit_now = false; bool debug = false; -const char *argp_program_version = "password-prompt 1.0"; +const char *argp_program_version = "password-prompt " VERSION; const char *argp_program_bug_address = ""; static void termination_handler(__attribute__((unused))int signum){ @@ -216,6 +217,11 @@ status = EXIT_SUCCESS; /* Make n = data size instead of allocated buffer size */ n = (size_t)ret; + /* Strip final newline */ + if(n>0 and buffer[n-1] == '\n'){ + buffer[n-1] = '\0'; /* not strictly necessary */ + n--; + } size_t written = 0; while(written < n){ ret = write(STDOUT_FILENO, buffer + written, n - written); @@ -244,6 +250,8 @@ fprintf(stderr, "getline() returned 0, retrying.\n"); } } + + free(buffer); if (debug){ fprintf(stderr, "Restoring terminal attributes\n"); @@ -256,6 +264,9 @@ fprintf(stderr, "%s is exiting with status %d\n", argv[0], status); } + if(status == EXIT_SUCCESS){ + fputc('\n', stderr); + } return status; } === modified file 'plugins.d/password-prompt.xml' --- plugins.d/password-prompt.xml 2008-08-30 17:16:33 +0000 +++ plugins.d/password-prompt.xml 2009-01-04 21:54:55 +0000 @@ -1,17 +1,18 @@ - + + +%common; ]> - + Mandos Manual Mandos - &VERSION; + &version; &TIMESTAMP; @@ -31,32 +32,11 @@ 2008 + 2009 Teddy Hogeborn Björn Påhlsson - - - This manual page is free software: you can redistribute it - and/or modify it under the terms of the GNU General Public - License as published by the Free Software Foundation, - either version 3 of the License, or (at your option) any - later version. - - - - This manual page is distributed in the hope that it will - be useful, but WITHOUT ANY WARRANTY; without even the - implied warranty of MERCHANTABILITY or FITNESS FOR A - PARTICULAR PURPOSE. See the GNU General Public License - for more details. - - - - You should have received a copy of the GNU General Public - License along with this program; If not, see - . - - + @@ -73,18 +53,19 @@ &COMMANDNAME; - - PREFIX + &COMMANDNAME; + - @@ -94,8 +75,8 @@ &COMMANDNAME; + - @@ -104,12 +85,14 @@ DESCRIPTION All &COMMANDNAME; does is prompt for a - password and output any given password to standard output. This - is not very useful on its own. This program is really meant to - run as a plugin in the Mandos - client-side system, where it is used as a fallback and - alternative to retriving passwords from a Mandos server. + password and output any given password to standard output. + + + This program is not very useful on its own. This program is + really meant to run as a plugin in the Mandos client-side system, where it is used as a + fallback and alternative to retrieving passwords from a + Mandos server. This program is little more than a - PREFIX - PREFIX + + Prefix string shown before the password prompt. @@ -156,8 +139,8 @@ + - Gives a help message about options and their meanings. @@ -175,8 +158,8 @@ + - Prints the program version. @@ -215,8 +198,8 @@ 8mandos, which will normally have inherited them from /scripts/local-top/cryptroot in the - initial RAM disk environment, which will have set them from - parsing kernel arguments and + initial RAM disk environment, which will + have set them from parsing kernel arguments and /conf/conf.d/cryptroot (also in the initial RAM disk environment), which in turn will have been created when the initial RAM disk image was created by @@ -261,7 +244,7 @@ Show a prefix before the prompt; in this case, a host name. It might be useful to be reminded of which host needs a - password, in case of KVM switches, etc. + password, in case of KVM switches, etc. @@ -291,7 +274,7 @@ >plugin-runner8mandos , and will, when run standalone, outside, in a normal environment, immediately output on its standard output - any presumably secret password it just recieved. Therefore, + any presumably secret password it just received. Therefore, when running this program standalone (which should never normally be done), take care not to type in any real secret password by force of habit, since it would then immediately be @@ -311,7 +294,7 @@ crypttab 5 - password-request + mandos-client 8mandos plugin-runner 8mandos, === added file 'plugins.d/splashy.c' --- plugins.d/splashy.c 1970-01-01 00:00:00 +0000 +++ plugins.d/splashy.c 2009-01-04 21:54:55 +0000 @@ -0,0 +1,291 @@ +/* -*- coding: utf-8 -*- */ +/* + * Passprompt - Read a password from splashy and output it + * + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson + * + * This program is free software: you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see + * . + * + * Contact the authors at and + * . + */ + +#define _GNU_SOURCE /* asprintf() */ +#include /* sig_atomic_t, struct sigaction, + sigemptyset(), sigaddset(), SIGINT, + SIGHUP, SIGTERM, sigaction, + SIG_IGN, kill(), SIGKILL */ +#include /* NULL */ +#include /* getenv() */ +#include /* asprintf(), perror() */ +#include /* EXIT_FAILURE, free(), strtoul(), + EXIT_SUCCESS */ +#include /* pid_t, DIR, struct dirent, + ssize_t */ +#include /* opendir(), readdir(), closedir() */ +#include /* struct stat, lstat(), S_ISLNK */ +#include /* not, or, and */ +#include /* readlink(), fork(), execl(), + sleep(), dup2() STDERR_FILENO, + STDOUT_FILENO, _exit() */ +#include /* memcmp() */ +#include /* errno */ +#include /* waitpid(), WIFEXITED(), + WEXITSTATUS() */ + +sig_atomic_t interrupted_by_signal = 0; + +static void termination_handler(__attribute__((unused))int signum){ + interrupted_by_signal = 1; +} + +int main(__attribute__((unused))int argc, + __attribute__((unused))char **argv){ + int ret = 0; + + /* Create prompt string */ + char *prompt = NULL; + { + const char *const cryptsource = getenv("cryptsource"); + const char *const crypttarget = getenv("crypttarget"); + const char *const prompt_start = "getpass " + "Enter passphrase to unlock the disk"; + + if(cryptsource == NULL){ + if(crypttarget == NULL){ + ret = asprintf(&prompt, "%s: ", prompt_start); + } else { + ret = asprintf(&prompt, "%s (%s): ", prompt_start, + crypttarget); + } + } else { + if(crypttarget == NULL){ + ret = asprintf(&prompt, "%s %s: ", prompt_start, cryptsource); + } else { + ret = asprintf(&prompt, "%s %s (%s): ", prompt_start, + cryptsource, crypttarget); + } + } + if(ret == -1){ + return EXIT_FAILURE; + } + } + + /* Find splashy process */ + pid_t splashy_pid = 0; + { + const char splashy_name[] = "/sbin/splashy"; + DIR *proc_dir = opendir("/proc"); + if(proc_dir == NULL){ + free(prompt); + perror("opendir"); + return EXIT_FAILURE; + } + for(struct dirent *proc_ent = readdir(proc_dir); + proc_ent != NULL; + proc_ent = readdir(proc_dir)){ + pid_t pid = (pid_t) strtoul(proc_ent->d_name, NULL, 10); + if(pid == 0){ + /* Not a process */ + continue; + } + /* Find the executable name by doing readlink() on the + /proc//exe link */ + char exe_target[sizeof(splashy_name)]; + ssize_t sret; + { + char *exe_link; + ret = asprintf(&exe_link, "/proc/%s/exe", proc_ent->d_name); + if(ret == -1){ + perror("asprintf"); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + + /* Check that it refers to a symlink owned by root:root */ + struct stat exe_stat; + ret = lstat(exe_link, &exe_stat); + if(ret == -1){ + perror("lstat"); + free(exe_link); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + if(not S_ISLNK(exe_stat.st_mode) + or exe_stat.st_uid != 0 + or exe_stat.st_gid != 0){ + free(exe_link); + continue; + } + + sret = readlink(exe_link, exe_target, sizeof(exe_target)); + free(exe_link); + } + if((sret == ((ssize_t)sizeof(exe_target)-1)) + and (memcmp(splashy_name, exe_target, + sizeof(exe_target)-1) == 0)){ + splashy_pid = pid; + break; + } + } + closedir(proc_dir); + } + if(splashy_pid == 0){ + free(prompt); + return EXIT_FAILURE; + } + + /* Set up the signal handler */ + { + struct sigaction old_action, + new_action = { .sa_handler = termination_handler, + .sa_flags = 0 }; + sigemptyset(&new_action.sa_mask); + sigaddset(&new_action.sa_mask, SIGINT); + sigaddset(&new_action.sa_mask, SIGHUP); + sigaddset(&new_action.sa_mask, SIGTERM); + ret = sigaction(SIGINT, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGINT, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + ret = sigaction(SIGHUP, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGHUP, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + ret = sigaction(SIGTERM, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGTERM, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + } + + /* Fork off the splashy command to prompt for password */ + pid_t splashy_command_pid = 0; + if(not interrupted_by_signal){ + splashy_command_pid = fork(); + if(splashy_command_pid == -1){ + if(not interrupted_by_signal){ + perror("fork"); + } + return EXIT_FAILURE; + } + /* Child */ + if(splashy_command_pid == 0){ + const char splashy_command[] = "/sbin/splashy_update"; + ret = execl(splashy_command, splashy_command, prompt, + (char *)NULL); + if(not interrupted_by_signal){ + perror("execl"); + } + free(prompt); + _exit(EXIT_FAILURE); + } + } + + /* Parent */ + free(prompt); + + /* Wait for command to complete */ + if(not interrupted_by_signal and splashy_command_pid != 0){ + int status; + ret = waitpid(splashy_command_pid, &status, 0); + if(ret == -1){ + if(errno != EINTR){ + perror("waitpid"); + } + if(errno == ECHILD){ + splashy_command_pid = 0; + } + } else { + /* The child process has exited */ + splashy_command_pid = 0; + if(not interrupted_by_signal and WIFEXITED(status) + and WEXITSTATUS(status)==0){ + return EXIT_SUCCESS; + } + } + } + kill(splashy_pid, SIGTERM); + if(interrupted_by_signal and splashy_command_pid != 0){ + kill(splashy_command_pid, SIGTERM); + } + sleep(2); + while(kill(splashy_pid, 0) == 0){ + kill(splashy_pid, SIGKILL); + sleep(1); + } + pid_t new_splashy_pid = fork(); + if(new_splashy_pid == 0){ + /* Child; will become new splashy process */ + + /* Make the effective user ID (root) the only user ID instead of + the real user ID (mandos) */ + ret = setuid(geteuid()); + if(ret == -1){ + perror("setuid"); + } + + setsid(); + ret = chdir("/"); +/* if(fork() != 0){ */ +/* _exit(EXIT_SUCCESS); */ +/* } */ + ret = dup2(STDERR_FILENO, STDOUT_FILENO); /* replace our stdout */ + if(ret == -1){ + perror("dup2"); + _exit(EXIT_FAILURE); + } + + execl("/sbin/splashy", "/sbin/splashy", "boot", (char *)NULL); + if(not interrupted_by_signal){ + perror("execl"); + } + _exit(EXIT_FAILURE); + } + + return EXIT_FAILURE; +} === added file 'plugins.d/splashy.xml' --- plugins.d/splashy.xml 1970-01-01 00:00:00 +0000 +++ plugins.d/splashy.xml 2009-01-04 21:54:55 +0000 @@ -0,0 +1,283 @@ + + + + +%common; +]> + + + + Mandos Manual + + Mandos + &version; + &TIMESTAMP; + + + Björn + Påhlsson +
+ belorn@fukt.bsnet.se +
+ + + Teddy + Hogeborn +
+ teddy@fukt.bsnet.se +
+ + + + 2008 + 2009 + Teddy Hogeborn + Björn Påhlsson + + + + + + &COMMANDNAME; + 8mandos + + + + &COMMANDNAME; + Mandos plugin to use splashy to get a + password. + + + + + &COMMANDNAME; + + + + + DESCRIPTION + + This program prompts for a password using + splashy_update + 8 and outputs any given + password to standard output. If no splashy8 + process can be found, this program will immediately exit with an + exit code indicating failure. + + + This program is not very useful on its own. This program is + really meant to run as a plugin in the Mandos client-side system, where it is used as a + fallback and alternative to retrieving passwords from a + Mandos server. + + + If this program is killed (presumably by + plugin-runner + 8mandos because some other + plugin provided the password), it cannot tell + splashy8 + to abort requesting a password, because + splashy + 8 does not support this. + Therefore, this program will then kill the + running splashy + 8 process and start a + new one, using boot as the only argument. + + + + + OPTIONS + + This program takes no options. + + + + + EXIT STATUS + + If exit status is 0, the output from the program is the password + as it was read. Otherwise, if exit status is other than 0, the + program was interrupted or encountered an error, and any output + so far could be corrupt and/or truncated, and should therefore + be ignored. + + + + + ENVIRONMENT + + + cryptsource + crypttarget + + + If set, these environment variables will be assumed to + contain the source device name and the target device + mapper name, respectively, and will be shown as part of + the prompt. + + + These variables will normally be inherited from + plugin-runner + 8mandos, which will + normally have inherited them from + /scripts/local-top/cryptroot in the + initial RAM disk environment, which will + have set them from parsing kernel arguments and + /conf/conf.d/cryptroot (also in the + initial RAM disk environment), which in turn will have been + created when the initial RAM disk image was created by + /usr/share/initramfs-tools/hooks/cryptroot, by + extracting the information of the root file system from + /etc/crypttab. + + + This behavior is meant to exactly mirror the behavior of + askpass, the default password prompter. + + + + + + + + FILES + + + /sbin/splashy_update + + + This is the command run to retrieve a password from + splashy + 8. See + splashy_update8 + . + + + + + /proc + + + To find the running splashy8 + , this directory will be searched for + numeric entries which will be assumed to be directories. + In all those directories, the exe + entry will be used to determine the name of the running + binary and the effective user and group + ID of the process. See + proc5. + + + + + /sbin/splashy + + + This is the name of the binary which will be searched for + in the process list. See splashy8 + . + + + + + + + + BUGS + + Killing splashy + 8 and starting a new one + is ugly, but necessary as long as it does not support aborting a + password request. + + + + + EXAMPLE + + Note that normally, this program will not be invoked directly, + but instead started by the Mandos plugin-runner8mandos + . + + + + This program takes no options. + + + &COMMANDNAME; + + + + + + SECURITY + + If this program is killed by a signal, it will kill the process + ID which at the start of this program was + determined to run splashy8 + as root (see also ). There is a very + slight risk that, in the time between those events, that process + ID was freed and then taken up by another + process; the wrong process would then be killed. Now, this + program can only be killed by the user who started it; see + plugin-runner + 8mandos. This program + should therefore be started by a completely separate + non-privileged user, and no other programs should be allowed to + run as that special user. This means that it is not recommended + to use the user "nobody" to start this program, as other + possibly less trusted programs could be running as "nobody", and + they would then be able to kill this program, triggering the + killing of the process ID which may or may not + be splashy + 8. + + + The only other thing that could be considered worthy of note is + this: This program is meant to be run by + plugin-runner8mandos, and will, when run + standalone, outside, in a normal environment, immediately output + on its standard output any presumably secret password it just + received. Therefore, when running this program standalone + (which should never normally be done), take care not to type in + any real secret password by force of habit, since it would then + immediately be shown as output. + + + + + SEE ALSO + + crypttab + 5, + plugin-runner + 8mandos, + proc + 5, + splashy + 8, + splashy_update + 8 + + + + + + + + === removed file 'plugins.d/usplash' --- plugins.d/usplash 2008-08-14 02:24:59 +0000 +++ plugins.d/usplash 1970-01-01 00:00:00 +0000 @@ -1,42 +0,0 @@ -#!/bin/sh -e - -# If not on a tty, then get rid of possibly disrupting stderr output -if ! tty -s; then - exec 2>/dev/null -fi - -test -x /sbin/usplash - -usplash="`pidof usplash -o $$`" -test -n "$usplash" - -# We get some variables from cryptsetup: -# $cryptsource the device node, like "/dev/sda3" -# $crypttarget the device mapper name, like "sda3_crypt". - -prompt="Enter passphrase to unlock" -if [ -n "$crypttarget" ]; then - prompt="$prompt the disk $crypttarget" -fi -if [ -n "$cryptsource" ]; then - prompt="$prompt ($cryptsource)" -fi - -splash_input_password(){ - test -p /dev/.initramfs/usplash_outfifo || return 1 - /sbin/usplash_write "INPUTQUIET $1" || return 1 - cat /dev/.initramfs/usplash_outfifo 2> /dev/null || return 1 -} - -# Usplash keeps waiting for input even if some other plugin provided -# the password, so we must kill it -trap "kill -TERM $usplash; sleep 2; kill -KILL $usplash; - kill -TERM $$" TERM HUP - -password="`splash_input_password \"$prompt: \" password`" - -trap - TERM - -/sbin/usplash_write "TIMEOUT 15" - -echo -n "$password" === added file 'plugins.d/usplash.c' --- plugins.d/usplash.c 1970-01-01 00:00:00 +0000 +++ plugins.d/usplash.c 2009-01-04 21:54:55 +0000 @@ -0,0 +1,521 @@ +/* -*- coding: utf-8 -*- */ +/* + * Passprompt - Read a password from usplash and output it + * + * Copyright © 2008,2009 Teddy Hogeborn + * Copyright © 2008,2009 Björn Påhlsson + * + * This program is free software: you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see + * . + * + * Contact the authors at and + * . + */ + +#define _GNU_SOURCE /* asprintf() */ +#include /* sig_atomic_t, struct sigaction, + sigemptyset(), sigaddset(), SIGINT, + SIGHUP, SIGTERM, sigaction(), + SIG_IGN, kill(), SIGKILL */ +#include /* bool, false, true */ +#include /* open(), O_WRONLY, O_RDONLY */ +#include /* and, or, not*/ +#include /* errno, EINTR */ +#include /* size_t, ssize_t, pid_t, DIR, struct + dirent */ +#include /* NULL */ +#include /* strlen(), memcmp() */ +#include /* asprintf(), perror() */ +#include /* close(), write(), readlink(), + read(), STDOUT_FILENO, sleep(), + fork(), setuid(), geteuid(), + setsid(), chdir(), dup2(), + STDERR_FILENO, execv() */ +#include /* free(), EXIT_FAILURE, strtoul(), + realloc(), EXIT_SUCCESS, malloc(), + _exit() */ +#include /* getenv() */ +#include /* opendir(), readdir(), closedir() */ +#include /* struct stat, lstat(), S_ISLNK */ + +sig_atomic_t interrupted_by_signal = 0; + +static void termination_handler(__attribute__((unused))int signum){ + interrupted_by_signal = 1; +} + +static bool usplash_write(const char *cmd, const char *arg){ + /* + * usplash_write("TIMEOUT", "15") will write "TIMEOUT 15\0" + * usplash_write("PULSATE", NULL) will write "PULSATE\0" + * SEE ALSO + * usplash_write(8) + */ + int ret; + int fifo_fd; + do{ + fifo_fd = open("/dev/.initramfs/usplash_fifo", O_WRONLY); + if(fifo_fd == -1 and (errno != EINTR or interrupted_by_signal)){ + return false; + } + }while(fifo_fd == -1); + + const char *cmd_line; + size_t cmd_line_len; + char *cmd_line_alloc = NULL; + if(arg == NULL){ + cmd_line = cmd; + cmd_line_len = strlen(cmd); + }else{ + do{ + ret = asprintf(&cmd_line_alloc, "%s %s", cmd, arg); + if(ret == -1 and (errno != EINTR or interrupted_by_signal)){ + int e = errno; + close(fifo_fd); + errno = e; + return false; + } + }while(ret == -1); + cmd_line = cmd_line_alloc; + cmd_line_len = (size_t)ret + 1; + } + + size_t written = 0; + while(not interrupted_by_signal and written < cmd_line_len){ + ret = write(fifo_fd, cmd_line + written, + cmd_line_len - written); + if(ret == -1){ + if(errno != EINTR or interrupted_by_signal){ + int e = errno; + close(fifo_fd); + free(cmd_line_alloc); + errno = e; + return false; + } else { + continue; + } + } + written += (size_t)ret; + } + free(cmd_line_alloc); + do{ + ret = close(fifo_fd); + if(ret == -1 and (errno != EINTR or interrupted_by_signal)){ + return false; + } + }while(ret == -1); + if(interrupted_by_signal){ + return false; + } + return true; +} + +int main(__attribute__((unused))int argc, + __attribute__((unused))char **argv){ + int ret = 0; + ssize_t sret; + bool an_error_occured = false; + + /* Create prompt string */ + char *prompt = NULL; + { + const char *const cryptsource = getenv("cryptsource"); + const char *const crypttarget = getenv("crypttarget"); + const char prompt_start[] = "Enter passphrase to unlock the disk"; + + if(cryptsource == NULL){ + if(crypttarget == NULL){ + ret = asprintf(&prompt, "%s: ", prompt_start); + } else { + ret = asprintf(&prompt, "%s (%s): ", prompt_start, + crypttarget); + } + } else { + if(crypttarget == NULL){ + ret = asprintf(&prompt, "%s %s: ", prompt_start, cryptsource); + } else { + ret = asprintf(&prompt, "%s %s (%s): ", prompt_start, + cryptsource, crypttarget); + } + } + if(ret == -1){ + return EXIT_FAILURE; + } + } + + /* Find usplash process */ + pid_t usplash_pid = 0; + char *cmdline = NULL; + size_t cmdline_len = 0; + const char usplash_name[] = "/sbin/usplash"; + { + DIR *proc_dir = opendir("/proc"); + if(proc_dir == NULL){ + free(prompt); + perror("opendir"); + return EXIT_FAILURE; + } + for(struct dirent *proc_ent = readdir(proc_dir); + proc_ent != NULL; + proc_ent = readdir(proc_dir)){ + pid_t pid = (pid_t) strtoul(proc_ent->d_name, NULL, 10); + if(pid == 0){ + /* Not a process */ + continue; + } + /* Find the executable name by doing readlink() on the + /proc//exe link */ + char exe_target[sizeof(usplash_name)]; + { + /* create file name string */ + char *exe_link; + ret = asprintf(&exe_link, "/proc/%s/exe", proc_ent->d_name); + if(ret == -1){ + perror("asprintf"); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + + /* Check that it refers to a symlink owned by root:root */ + struct stat exe_stat; + ret = lstat(exe_link, &exe_stat); + if(ret == -1){ + perror("lstat"); + free(exe_link); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + if(not S_ISLNK(exe_stat.st_mode) + or exe_stat.st_uid != 0 + or exe_stat.st_gid != 0){ + free(exe_link); + continue; + } + + sret = readlink(exe_link, exe_target, sizeof(exe_target)); + free(exe_link); + if(sret == -1){ + continue; + } + } + if((sret == ((ssize_t)sizeof(exe_target)-1)) + and (memcmp(usplash_name, exe_target, + sizeof(exe_target)-1) == 0)){ + usplash_pid = pid; + /* Read and save the command line of usplash in "cmdline" */ + { + /* Open /proc//cmdline */ + int cl_fd; + { + char *cmdline_filename; + ret = asprintf(&cmdline_filename, "/proc/%s/cmdline", + proc_ent->d_name); + if(ret == -1){ + perror("asprintf"); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + cl_fd = open(cmdline_filename, O_RDONLY); + if(cl_fd == -1){ + perror("open"); + free(cmdline_filename); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + free(cmdline_filename); + } + size_t cmdline_allocated = 0; + char *tmp; + const size_t blocksize = 1024; + do{ + if(cmdline_len + blocksize > cmdline_allocated){ + tmp = realloc(cmdline, cmdline_allocated + blocksize); + if(tmp == NULL){ + perror("realloc"); + free(cmdline); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + cmdline = tmp; + cmdline_allocated += blocksize; + } + sret = read(cl_fd, cmdline + cmdline_len, + cmdline_allocated - cmdline_len); + if(sret == -1){ + perror("read"); + free(cmdline); + free(prompt); + closedir(proc_dir); + return EXIT_FAILURE; + } + cmdline_len += (size_t)sret; + } while(sret != 0); + close(cl_fd); + } + break; + } + } + closedir(proc_dir); + } + if(usplash_pid == 0){ + free(prompt); + return EXIT_FAILURE; + } + + /* Set up the signal handler */ + { + struct sigaction old_action, + new_action = { .sa_handler = termination_handler, + .sa_flags = 0 }; + sigemptyset(&new_action.sa_mask); + sigaddset(&new_action.sa_mask, SIGINT); + sigaddset(&new_action.sa_mask, SIGHUP); + sigaddset(&new_action.sa_mask, SIGTERM); + ret = sigaction(SIGINT, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGINT, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + ret = sigaction(SIGHUP, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGHUP, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + ret = sigaction(SIGTERM, NULL, &old_action); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + if(old_action.sa_handler != SIG_IGN){ + ret = sigaction(SIGTERM, &new_action, NULL); + if(ret == -1){ + perror("sigaction"); + free(prompt); + return EXIT_FAILURE; + } + } + } + + /* Write command to FIFO */ + if(not interrupted_by_signal){ + if(not usplash_write("TIMEOUT", "0") + and (errno != EINTR)){ + perror("usplash_write"); + an_error_occured = true; + } + } + if(not interrupted_by_signal and not an_error_occured){ + if(not usplash_write("INPUTQUIET", prompt) + and (errno != EINTR)){ + perror("usplash_write"); + an_error_occured = true; + } + } + free(prompt); + + /* This is not really a loop; while() is used to be able to "break" + out of it; those breaks are marked "Big" */ + while(not interrupted_by_signal and not an_error_occured){ + char *buf = NULL; + size_t buf_len = 0; + + /* Open FIFO */ + int fifo_fd; + do{ + fifo_fd = open("/dev/.initramfs/usplash_outfifo", O_RDONLY); + if(fifo_fd == -1){ + if(errno != EINTR){ + perror("open"); + an_error_occured = true; + break; + } + if(interrupted_by_signal){ + break; + } + } + }while(fifo_fd == -1); + if(interrupted_by_signal or an_error_occured){ + break; /* Big */ + } + + /* Read from FIFO */ + size_t buf_allocated = 0; + const size_t blocksize = 1024; + do{ + if(buf_len + blocksize > buf_allocated){ + char *tmp = realloc(buf, buf_allocated + blocksize); + if(tmp == NULL){ + perror("realloc"); + an_error_occured = true; + break; + } + buf = tmp; + buf_allocated += blocksize; + } + do{ + sret = read(fifo_fd, buf + buf_len, buf_allocated - buf_len); + if(sret == -1){ + if(errno != EINTR){ + perror("read"); + an_error_occured = true; + break; + } + if(interrupted_by_signal){ + break; + } + } + }while(sret == -1); + if(interrupted_by_signal or an_error_occured){ + break; + } + + buf_len += (size_t)sret; + }while(sret != 0); + close(fifo_fd); + if(interrupted_by_signal or an_error_occured){ + break; /* Big */ + } + + if(not usplash_write("TIMEOUT", "15") + and (errno != EINTR)){ + perror("usplash_write"); + an_error_occured = true; + } + if(interrupted_by_signal or an_error_occured){ + break; /* Big */ + } + + /* Print password to stdout */ + size_t written = 0; + while(written < buf_len){ + do{ + sret = write(STDOUT_FILENO, buf + written, buf_len - written); + if(sret == -1){ + if(errno != EINTR){ + perror("write"); + an_error_occured = true; + break; + } + if(interrupted_by_signal){ + break; + } + } + }while(sret == -1); + if(interrupted_by_signal or an_error_occured){ + break; + } + written += (size_t)sret; + } + free(buf); + if(not interrupted_by_signal and not an_error_occured){ + free(cmdline); + return EXIT_SUCCESS; + } + break; /* Big */ + } /* end of non-loop while() */ + + /* If we got here, an error or interrupt must have happened */ + + /* Create argc and argv for new usplash*/ + int cmdline_argc = 0; + char **cmdline_argv = malloc(sizeof(char *)); + { + size_t position = 0; + while(position < cmdline_len){ + char **tmp = realloc(cmdline_argv, + (sizeof(char *) + * (size_t)(cmdline_argc + 2))); + if(tmp == NULL){ + perror("realloc"); + free(cmdline_argv); + return EXIT_FAILURE; + } + cmdline_argv = tmp; + cmdline_argv[cmdline_argc] = cmdline + position; + cmdline_argc++; + position += strlen(cmdline + position) + 1; + } + cmdline_argv[cmdline_argc] = NULL; + } + /* Kill old usplash */ + kill(usplash_pid, SIGTERM); + sleep(2); + while(kill(usplash_pid, 0) == 0){ + kill(usplash_pid, SIGKILL); + sleep(1); + } + pid_t new_usplash_pid = fork(); + if(new_usplash_pid == 0){ + /* Child; will become new usplash process */ + + /* Make the effective user ID (root) the only user ID instead of + the real user ID (mandos) */ + ret = setuid(geteuid()); + if(ret == -1){ + perror("setuid"); + } + + setsid(); + ret = chdir("/"); +/* if(fork() != 0){ */ +/* _exit(EXIT_SUCCESS); */ +/* } */ + ret = dup2(STDERR_FILENO, STDOUT_FILENO); /* replace our stdout */ + if(ret == -1){ + perror("dup2"); + _exit(EXIT_FAILURE); + } + + execv(usplash_name, cmdline_argv); + if(not interrupted_by_signal){ + perror("execv"); + } + free(cmdline); + free(cmdline_argv); + _exit(EXIT_FAILURE); + } + free(cmdline); + free(cmdline_argv); + sleep(2); + if(not usplash_write("PULSATE", NULL) + and (errno != EINTR)){ + perror("usplash_write"); + } + + return EXIT_FAILURE; +} === added file 'plugins.d/usplash.xml' --- plugins.d/usplash.xml 1970-01-01 00:00:00 +0000 +++ plugins.d/usplash.xml 2009-01-04 21:54:55 +0000 @@ -0,0 +1,297 @@ + + + + +%common; +]> + + + + Mandos Manual + + Mandos + &version; + &TIMESTAMP; + + + Björn + Påhlsson +
+ belorn@fukt.bsnet.se +
+ + + Teddy + Hogeborn +
+ teddy@fukt.bsnet.se +
+ + + + 2008 + 2009 + Teddy Hogeborn + Björn Påhlsson + + + + + + &COMMANDNAME; + 8mandos + + + + &COMMANDNAME; + Mandos plugin to use usplash to get a + password. + + + + + &COMMANDNAME; + + + + + DESCRIPTION + + This program prompts for a password using + usplash8 + and outputs any given password to standard + output. If no usplash8 + process can be found, this program will immediately exit with an + exit code indicating failure. + + + This program is not very useful on its own. This program is + really meant to run as a plugin in the Mandos client-side system, where it is used as a + fallback and alternative to retrieving passwords from a + Mandos server. + + + If this program is killed (presumably by + plugin-runner + 8mandos because some other + plugin provided the password), it cannot tell + usplash8 + to abort requesting a password, because + usplash + 8 does not support this. + Therefore, this program will then kill the + running usplash + 8 process and start a + new one using the same command line + arguments as the old one was using. + + + + + OPTIONS + + This program takes no options. + + + + + EXIT STATUS + + If exit status is 0, the output from the program is the password + as it was read. Otherwise, if exit status is other than 0, the + program was interrupted or encountered an error, and any output + so far could be corrupt and/or truncated, and should therefore + be ignored. + + + + + ENVIRONMENT + + + cryptsource + crypttarget + + + If set, these environment variables will be assumed to + contain the source device name and the target device + mapper name, respectively, and will be shown as part of + the prompt. + + + These variables will normally be inherited from + plugin-runner + 8mandos, which will + normally have inherited them from + /scripts/local-top/cryptroot in the + initial RAM disk environment, which will + have set them from parsing kernel arguments and + /conf/conf.d/cryptroot (also in the + initial RAM disk environment), which in turn will have been + created when the initial RAM disk image was created by + /usr/share/initramfs-tools/hooks/cryptroot, by + extracting the information of the root file system from + /etc/crypttab. + + + This behavior is meant to exactly mirror the behavior of + askpass, the default password prompter. + + + + + + + + FILES + + + /dev/.initramfs/usplash_fifo + + + This is the FIFO to where this program + will write the commands for usplash8 + . See fifo7 + . + + + + + /dev/.initramfs/usplash_outfifo + + + This is the FIFO where this program + will read the password from usplash8 + . See fifo7 + . + + + + + /proc + + + To find the running usplash8 + , this directory will be searched for + numeric entries which will be assumed to be directories. + In all those directories, the exe and + cmdline entries will be used to + determine the name of the running binary, effective user + and group ID, and the command line + arguments. See proc5 + . + + + + + /sbin/usplash + + + This is the name of the binary which will be searched for + in the process list. See usplash8 + . + + + + + + + + BUGS + + Killing usplash + 8 and starting a new one + is ugly, but necessary as long as it does not support aborting a + password request. + + + + + EXAMPLE + + Note that normally, this program will not be invoked directly, + but instead started by the Mandos plugin-runner8mandos + . + + + + This program takes no options. + + + &COMMANDNAME; + + + + + + SECURITY + + If this program is killed by a signal, it will kill the process + ID which at the start of this program was + determined to run usplash8 + as root (see also ). There is a very + slight risk that, in the time between those events, that process + ID was freed and then taken up by another + process; the wrong process would then be killed. Now, this + program can only be killed by the user who started it; see + plugin-runner + 8mandos. This program + should therefore be started by a completely separate + non-privileged user, and no other programs should be allowed to + run as that special user. This means that it is not recommended + to use the user "nobody" to start this program, as other + possibly less trusted programs could be running as "nobody", and + they would then be able to kill this program, triggering the + killing of the process ID which may or may not + be usplash + 8. + + + The only other thing that could be considered worthy of note is + this: This program is meant to be run by + plugin-runner8mandos, and will, when run + standalone, outside, in a normal environment, immediately output + on its standard output any presumably secret password it just + received. Therefore, when running this program standalone + (which should never normally be done), take care not to type in + any real secret password by force of habit, since it would then + immediately be shown as output. + + + + + SEE ALSO + + crypttab + 5, + fifo + 7, + plugin-runner + 8mandos, + proc + 5, + usplash + 8 + + + + + + + +