/mandos/trunk : revision 1138

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2019-08-02 22:16:53 UTC
Revision ID: teddy@recompile.se-20190802221653-ic1iko9hbefzwsk7

Fix bug in server Debian package: Fails to start on first install

There has been a very long-standing bug where installation of the
server (the "mandos" Debian package) would fail to start the server
properly right after installation.  It would work on manual (re)start
after installation, or after reboot, and even after package purge and
reinstall, it would then work the first time.  The problem, it turns
out, is when the new "_mandos" user (and corresponding group) is
created, the D-Bus server is not reloaded, and is therefore not aware
of that user, and does not recognize the user and group name in the
/etc/dbus-1/system.d/mandos.conf file.  The Mandos server, when it
tries to start and access the D-Bus, is then not permitted to connect
to its D-Bus bus name, and disables D-Bus use as a fallback measure;
i.e. the server works, but it is not controllable via D-Bus commands
(via mandos-ctl or mandos-monitor).  The next time the D-Bus daemon is
reloaded for any reason, the new user & group would become visible to
the D-Bus daemon and after that, any restart of the Mandos server
would succeed and it would bind to its D-Bus name properly, and
thereby be visible and controllable by mandos-ctl & mandos-monitor.
This was mostly invisible when using sysvinit, but systemd makes the
problem visible since the systemd service file for the Mandos server
is configured to not consider the Mandos server "started" until the
D-Bus name has been bound; this makes the starting of the service wait
for 90 seconds and then fail with a timeout error.

Fixing this should also make the Debian CI autopkgtest tests work.

* debian/mandos.postinst (configure): After creating (or renaming)
                                      user & group, reload D-Bus
                                      daemon (if present).

files removed:
debian/mandos.maintscript

debian/po/de.po

debian/po/en_US.po

debian/po/es.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/sv.po

debian/upstream/metadata

sysusers.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.templates

debian/po/templates.pot

debian/rules

debian/source/lintian-overrides

debian/tests/control

dracut-module/ask-password-mandos.service

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-hook

initramfs-tools-script

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-monitor

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

Makefile

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-fstack-protector-all -fPIC

CPPFLAGS+=-D_FORTIFY_SOURCE=3

FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD:=-z relro -z now

LINK_FORTIFY:=

#COVERAGE=--coverage

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

CPPFLAGS+=-D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64

htmldir:=man

version:=1.8.17

version:=1.8.5

SED:=sed

PKG_CONFIG?=pkg-config

## Use these settings for a traditional /usr/local install

# PREFIX:=$(DESTDIR)/usr/local

# BINDIR:=$(PREFIX)/sbin

# CONFDIR:=$(DESTDIR)/etc/mandos

# KEYDIR:=$(DESTDIR)/etc/mandos/keys

# MANDIR:=$(PREFIX)/man

# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos

# STATEDIR:=$(DESTDIR)/var/lib/mandos

# LIBDIR:=$(PREFIX)/lib

# DBUSPOLICYDIR:=$(DESTDIR)/etc/dbus-1/system.d

## These settings are for a package-type install

PREFIX:=$(DESTDIR)/usr

BINDIR:=$(PREFIX)/sbin

CONFDIR:=$(DESTDIR)/etc/mandos

KEYDIR:=$(DESTDIR)/etc/keys/mandos

MANDIR:=$(PREFIX)/share/man

break; \

fi; \

done)

DBUSPOLICYDIR:=$(DESTDIR)/usr/share/dbus-1/system.d

SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=tmpfilesdir)

SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=sysusersdir)

100

GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)

101

GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)

102

AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)

103

AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)

104

GPGME_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gpgme 2>/dev/null \

105

|| gpgme-config --cflags; getconf LFS_CFLAGS)

106

GPGME_LIBS:=$(shell $(PKG_CONFIG) --libs gpgme 2>/dev/null \

107

|| gpgme-config --libs; getconf LFS_LIBS; \

GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \

108

getconf LFS_LDFLAGS)

109

LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)

110

100

LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)

112

102

GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)

113

103

114

104

# Do not change these two

115

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \

116

$(LANGUAGE) -DVERSION='"$(version)"'

105

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) \

106

$(OPTIMIZE) $(LANGUAGE) -DVERSION='"$(version)"'

117

107

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \

118

108

) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

119

109

163

153

164

154

objects:=$(addsuffix .o,$(CPROGS))

165

155

166

.PHONY: all

167

156

all: $(PROGS) mandos.lsm

168

157

169

.PHONY: doc

170

158

doc: $(DOCS)

171

159

172

.PHONY: html

173

160

html: $(htmldocs)

174

161

175

162

%.5: %.xml common.ent legalnotice.xml

291

278

--expression='s/$mandos_$[0-9.]\+$\.orig\.tar\.gz$/\1$(version)\2/' \

292

279

$@)

293

280

294

# Does the linker support the --no-warn-execstack option?

295

ifeq ($(shell echo 'int main(){}'|$(CC) --language=c /dev/stdin -o /dev/null -Xlinker --no-warn-execstack >/dev/null 2>&1 && echo yes),yes)

296

# These programs use nested functions, which uses an executable stack

297

plugin-runner: LDFLAGS += -Xlinker --no-warn-execstack

298

dracut-module/password-agent: LDFLAGS += -Xlinker --no-warn-execstack

299

plugins.d/password-prompt: LDFLAGS += -Xlinker --no-warn-execstack

300

plugins.d/mandos-client: LDFLAGS += -Xlinker --no-warn-execstack

301

plugins.d/plymouth: LDFLAGS += -Xlinker --no-warn-execstack

302

endif

303

304

281

# Need to add the GnuTLS, Avahi and GPGME libraries

305

plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \

306

) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)

307

plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \

308

) $(AVAHI_LIBS) $(GPGME_LIBS)

282

plugins.d/mandos-client: plugins.d/mandos-client.c

283

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

284

) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\

285

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

286

) $(LDLIBS) -o $@

309

287

310

288

# Need to add the libnl-route library

311

plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)

312

plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)

289

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

290

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

291

) $(LOADLIBES) $(LDLIBS) -o $@

313

292

314

293

# Need to add the GLib and pthread libraries

315

dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)

316

# Note: -lpthread is unnecessary with the GNU C library 2.34 or later

317

dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread

318

319

.PHONY: clean

294

dracut-module/password-agent: dracut-module/password-agent.c

295

$(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\

296

) $(LOADLIBES) $(LDLIBS) -o $@

297

298

.PHONY : all doc html clean distclean mostlyclean maintainer-clean \

299

check run-client run-server install install-html \

300

install-server install-client-nokey install-client uninstall \

301

uninstall-server uninstall-client purge purge-server \

302

purge-client

303

320

304

clean:

321

305

-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core

322

306

323

.PHONY: distclean

324

307

distclean: clean

325

.PHONY: mostlyclean

326

308

mostlyclean: clean

327

.PHONY: maintainer-clean

328

309

maintainer-clean: clean

329

310

-rm --force --recursive keydir confdir statedir

330

311

331

.PHONY: check

332

312

check: all

333

313

./mandos --check

334

314

./mandos-ctl --check

338

318

./dracut-module/password-agent --test

339

319

340

320

# Run the client with a local config and key

341

.PHONY: run-client

342

321

run-client: all keydir/seckey.txt keydir/pubkey.txt \

343

322

keydir/tls-privkey.pem keydir/tls-pubkey.pem

344

323

@echo '######################################################'

372

351

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

373

352

install --directory keydir

374

353

./mandos-keygen --dir keydir --force

375

if ! [ -e keydir/tls-privkey.pem ]; then \

376

install --mode=u=rw /dev/null keydir/tls-privkey.pem; \

377

378

if ! [ -e keydir/tls-pubkey.pem ]; then \

379

install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \

380

381

354

382

355

# Run the server with a local config

383

.PHONY: run-server

384

356

run-server: confdir/mandos.conf confdir/clients.conf statedir

385

357

./mandos --debug --no-dbus --configdir=confdir \

386

358

--statedir=statedir $(SERVERARGS)

387

359

388

360

# Used by run-server

389

361

confdir/mandos.conf: mandos.conf

390

install -D --mode=u=rw,go=r $^ $@

362

install --directory confdir

363

install --mode=u=rw,go=r $^ $@

391

364

confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem

392

install -D --mode=u=rw $< $@

365

install --directory confdir

366

install --mode=u=rw $< $@

393

367

# Add a client password

394

368

./mandos-keygen --dir keydir --password --no-ssh >> $@

395

369

statedir:

396

370

install --directory statedir

397

371

398

.PHONY: install

399

372

install: install-server install-client-nokey

400

373

401

.PHONY: install-html

402

374

install-html: html

403

install -D --mode=u=rw,go=r --target-directory=$(htmldir) \

375

install --directory $(htmldir)

376

install --mode=u=rw,go=r --target-directory=$(htmldir) \

404

377

$(htmldocs)

405

378

406

.PHONY: install-server

407

379

install-server: doc

380

install --directory $(CONFDIR)

408

381

if install --directory --mode=u=rwx --owner=$(USER) \

409

382

--group=$(GROUP) $(STATEDIR); then \

410

383

:; \

411

384

elif install --directory --mode=u=rwx $(STATEDIR); then \

412

385

chown -- $(USER):$(GROUP) $(STATEDIR) || :; \

413

386

414

if [ "$(TMPFILES)" != "$(DESTDIR)" ]; then \

415

install -D --mode=u=rw,go=r tmpfiles.d-mandos.conf \

387

if [ "$(TMPFILES)" != "$(DESTDIR)" \

388

-a -d "$(TMPFILES)" ]; then \

389

install --mode=u=rw,go=r tmpfiles.d-mandos.conf \

416

390

$(TMPFILES)/mandos.conf; \

417

391

418

if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \

419

install -D --mode=u=rw,go=r sysusers.d-mandos.conf \

420

$(SYSUSERS)/mandos.conf; \

421

422

install --directory $(BINDIR)

423

install --mode=u=rwx,go=rx --target-directory=$(BINDIR) mandos

424

install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \

392

install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos

393

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

425

394

mandos-ctl

426

install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \

395

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

427

396

mandos-monitor

428

install --directory $(CONFDIR)

429

397

install --mode=u=rw,go=r --target-directory=$(CONFDIR) \

430

398

mandos.conf

431

399

install --mode=u=rw --target-directory=$(CONFDIR) \

432

400

clients.conf

433

install -D --mode=u=rw,go=r dbus-mandos.conf \

434

$(DBUSPOLICYDIR)/mandos.conf

435

install -D --mode=u=rwx,go=rx init.d-mandos \

401

install --mode=u=rw,go=r dbus-mandos.conf \

402

$(DESTDIR)/etc/dbus-1/system.d/mandos.conf

403

install --mode=u=rwx,go=rx init.d-mandos \

436

404

$(DESTDIR)/etc/init.d/mandos

437

if [ "$(SYSTEMD)" != "$(DESTDIR)" ]; then \

438

install -D --mode=u=rw,go=r mandos.service \

439

$(SYSTEMD); \

405

if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \

406

install --mode=u=rw,go=r mandos.service $(SYSTEMD); \

440

407

441

install -D --mode=u=rw,go=r default-mandos \

408

install --mode=u=rw,go=r default-mandos \

442

409

$(DESTDIR)/etc/default/mandos

443

410

if [ -z $(DESTDIR) ]; then \

444

411

update-rc.d mandos defaults 25 15;\

445

412

446

install --directory $(MANDIR)/man8 $(MANDIR)/man5

447

413

gzip --best --to-stdout mandos.8 \

448

414

> $(MANDIR)/man8/mandos.8.gz

449

415

gzip --best --to-stdout mandos-monitor.8 \

457

423

gzip --best --to-stdout intro.8mandos \

458

424

> $(MANDIR)/man8/intro.8mandos.gz

459

425

460

.PHONY: install-client-nokey

461

426

install-client-nokey: all doc

427

install --directory $(LIBDIR)/mandos $(CONFDIR)

462

428

install --directory --mode=u=rwx $(KEYDIR) \

463

429

$(LIBDIR)/mandos/plugins.d \

464

430

$(LIBDIR)/mandos/plugin-helpers

465

if [ "$(SYSUSERS)" != "$(DESTDIR)" ]; then \

466

install -D --mode=u=rw,go=r sysusers.d-mandos.conf \

467

$(SYSUSERS)/mandos-client.conf; \

468

469

431

if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \

470

install --directory \

471

--mode=u=rwx "$(CONFDIR)/plugins.d" \

432

install --mode=u=rwx \

433

--directory "$(CONFDIR)/plugins.d" \

472

434

"$(CONFDIR)/plugin-helpers"; \

473

435

474

install --directory --mode=u=rwx,go=rx \

436

install --mode=u=rwx,go=rx --directory \

475

437

"$(CONFDIR)/network-hooks.d"

476

438

install --mode=u=rwx,go=rx \

477

439

--target-directory=$(LIBDIR)/mandos plugin-runner

478

440

install --mode=u=rwx,go=rx \

479

441

--target-directory=$(LIBDIR)/mandos \

480

442

mandos-to-cryptroot-unlock

481

install --directory $(BINDIR)

482

install --mode=u=rwx,go=rx --target-directory=$(BINDIR) \

443

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

483

444

mandos-keygen

484

445

install --mode=u=rwx,go=rx \

485

446

--target-directory=$(LIBDIR)/mandos/plugins.d \

502

463

install --mode=u=rwx,go=rx \

503

464

--target-directory=$(LIBDIR)/mandos/plugin-helpers \

504

465

plugin-helpers/mandos-client-iprouteadddel

505

install -D initramfs-tools-hook \

466

install initramfs-tools-hook \

506

467

$(INITRAMFSTOOLS)/hooks/mandos

507

install -D --mode=u=rw,go=r initramfs-tools-conf \

468

install --mode=u=rw,go=r initramfs-tools-conf \

508

469

$(INITRAMFSTOOLS)/conf.d/mandos-conf

509

install -D --mode=u=rw,go=r initramfs-tools-conf-hook \

470

install --mode=u=rw,go=r initramfs-tools-conf-hook \

510

471

$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos

511

install -D initramfs-tools-script \

472

install initramfs-tools-script \

512

473

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

513

install -D initramfs-tools-script-stop \

474

install initramfs-tools-script-stop \

514

475

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

515

install -D --mode=u=rw,go=r \

516

--target-directory=$(DRACUTMODULE) \

476

install --directory $(DRACUTMODULE)

477

install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \

517

478

dracut-module/ask-password-mandos.path \

518

479

dracut-module/ask-password-mandos.service

519

480

install --mode=u=rwxs,go=rx \

522

483

dracut-module/cmdline-mandos.sh \

523

484

dracut-module/password-agent

524

485

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

525

install --directory $(MANDIR)/man8

526

486

gzip --best --to-stdout mandos-keygen.8 \

527

487

> $(MANDIR)/man8/mandos-keygen.8.gz

528

488

gzip --best --to-stdout plugin-runner.8mandos \

542

502

gzip --best --to-stdout dracut-module/password-agent.8mandos \

543

503

> $(MANDIR)/man8/password-agent.8mandos.gz

544

504

545

.PHONY: install-client

546

505

install-client: install-client-nokey

547

506

# Post-installation stuff

548

-$(BINDIR)/mandos-keygen --dir "$(KEYDIR)"

507

-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"

549

508

if command -v update-initramfs >/dev/null; then \

550

509

update-initramfs -k all -u; \

551

510

elif command -v dracut >/dev/null; then \

558

517

559

518

echo "Now run mandos-keygen --password --dir $(KEYDIR)"

560

519

561

.PHONY: uninstall

562

520

uninstall: uninstall-server uninstall-client

563

521

564

.PHONY: uninstall-server

565

522

uninstall-server:

566

-rm --force $(BINDIR)/mandos \

567

$(BINDIR)/mandos-ctl \

568

$(BINDIR)/mandos-monitor \

523

-rm --force $(PREFIX)/sbin/mandos \

524

$(PREFIX)/sbin/mandos-ctl \

525

$(PREFIX)/sbin/mandos-monitor \

569

526

$(MANDIR)/man8/mandos.8.gz \

570

527

$(MANDIR)/man8/mandos-monitor.8.gz \

571

528

$(MANDIR)/man8/mandos-ctl.8.gz \

574

531

update-rc.d -f mandos remove

575

532

-rmdir $(CONFDIR)

576

533

577

.PHONY: uninstall-client

578

534

uninstall-client:

579

535

# Refuse to uninstall client if /etc/crypttab is explicitly configured

580

536

# to use it.

581

537

! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \

582

538

$(DESTDIR)/etc/crypttab

583

-rm --force $(BINDIR)/mandos-keygen \

539

-rm --force $(PREFIX)/sbin/mandos-keygen \

584

540

$(LIBDIR)/mandos/plugin-runner \

585

541

$(LIBDIR)/mandos/plugins.d/password-prompt \

586

542

$(LIBDIR)/mandos/plugins.d/mandos-client \

616

572

done; \

617

573

618

574

619

.PHONY: purge

620

575

purge: purge-server purge-client

621

576

622

.PHONY: purge-server

623

577

purge-server: uninstall-server

624

578

-rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \

625

579

$(DESTDIR)/etc/dbus-1/system.d/mandos.conf

626

580

$(DESTDIR)/etc/default/mandos \

627

581

$(DESTDIR)/etc/init.d/mandos \

582

$(SYSTEMD)/mandos.service \

628

583

$(DESTDIR)/run/mandos.pid \

629

584

$(DESTDIR)/var/run/mandos.pid

630

if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \

631

-rm --force -- $(SYSTEMD)/mandos.service; \

632

633

585

-rmdir $(CONFDIR)

634

586

635

.PHONY: purge-client

636

587

purge-client: uninstall-client

637

588

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

638

589

-rm --force $(CONFDIR)/plugin-runner.conf \

Older »