/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

  • Committer: Teddy Hogeborn
  • Date: 2019-08-02 22:16:53 UTC
  • Revision ID: teddy@recompile.se-20190802221653-ic1iko9hbefzwsk7
Fix bug in server Debian package: Fails to start on first install

There has been a very long-standing bug where installation of the
server (the "mandos" Debian package) would fail to start the server
properly right after installation.  It would work on manual (re)start
after installation, or after reboot, and even after package purge and
reinstall, it would then work the first time.  The problem, it turns
out, is when the new "_mandos" user (and corresponding group) is
created, the D-Bus server is not reloaded, and is therefore not aware
of that user, and does not recognize the user and group name in the
/etc/dbus-1/system.d/mandos.conf file.  The Mandos server, when it
tries to start and access the D-Bus, is then not permitted to connect
to its D-Bus bus name, and disables D-Bus use as a fallback measure;
i.e. the server works, but it is not controllable via D-Bus commands
(via mandos-ctl or mandos-monitor).  The next time the D-Bus daemon is
reloaded for any reason, the new user & group would become visible to
the D-Bus daemon and after that, any restart of the Mandos server
would succeed and it would bind to its D-Bus name properly, and
thereby be visible and controllable by mandos-ctl & mandos-monitor.
This was mostly invisible when using sysvinit, but systemd makes the
problem visible since the systemd service file for the Mandos server
is configured to not consider the Mandos server "started" until the
D-Bus name has been bound; this makes the starting of the service wait
for 90 seconds and then fail with a timeout error.

Fixing this should also make the Debian CI autopkgtest tests work.

* debian/mandos.postinst (configure): After creating (or renaming)
                                      user & group, reload D-Bus
                                      daemon (if present).

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-ctl">
5
 
<!ENTITY TIMESTAMP "2015-07-20">
 
5
<!ENTITY TIMESTAMP "2019-07-29">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
37
37
      <year>2013</year>
38
38
      <year>2014</year>
39
39
      <year>2015</year>
 
40
      <year>2016</year>
 
41
      <year>2017</year>
 
42
      <year>2018</year>
 
43
      <year>2019</year>
40
44
      <holder>Teddy Hogeborn</holder>
41
45
      <holder>Björn Påhlsson</holder>
42
46
    </copyright>
51
55
  <refnamediv>
52
56
    <refname><command>&COMMANDNAME;</command></refname>
53
57
    <refpurpose>
54
 
      Control the operation of the Mandos server
 
58
      Control or query the operation of the Mandos server
55
59
    </refpurpose>
56
60
  </refnamediv>
57
61
  
59
63
    <cmdsynopsis>
60
64
      <command>&COMMANDNAME;</command>
61
65
      <group>
62
 
        <arg choice="plain"><option>--enable</option></arg>
63
 
        <arg choice="plain"><option>-e</option></arg>
64
 
        <sbr/>
65
 
        <arg choice="plain"><option>--disable</option></arg>
66
 
        <arg choice="plain"><option>-d</option></arg>
67
 
      </group>
68
 
      <sbr/>
69
 
      <group>
70
 
        <arg choice="plain"><option>--bump-timeout</option></arg>
71
 
        <arg choice="plain"><option>-b</option></arg>
72
 
      </group>
73
 
      <sbr/>
74
 
      <group>
75
 
        <arg choice="plain"><option>--start-checker</option></arg>
76
 
      </group>
77
 
      <sbr/>
78
 
      <group>
79
 
        <arg choice="plain"><option>--stop-checker</option></arg>
80
 
      </group>
81
 
      <sbr/>
82
 
      <group>
83
 
        <arg choice="plain"><option>--remove</option></arg>
84
 
        <arg choice="plain"><option>-r</option></arg>
85
 
      </group>
86
 
      <sbr/>
87
 
      <group>
88
 
        <arg choice="plain"><option>--checker
89
 
        <replaceable>COMMAND</replaceable></option></arg>
90
 
        <arg choice="plain"><option>-c
91
 
        <replaceable>COMMAND</replaceable></option></arg>
92
 
      </group>
93
 
      <sbr/>
94
 
      <group>
95
 
        <arg choice="plain"><option>--timeout
96
 
        <replaceable>TIME</replaceable></option></arg>
97
 
        <arg choice="plain"><option>-t
98
 
        <replaceable>TIME</replaceable></option></arg>
99
 
      </group>
100
 
      <sbr/>
101
 
      <group>
102
 
        <arg choice="plain"><option>--extended-timeout
103
 
        <replaceable>TIME</replaceable></option></arg>
104
 
      </group>
105
 
      <sbr/>
106
 
      <group>
107
 
        <arg choice="plain"><option>--interval
108
 
        <replaceable>TIME</replaceable></option></arg>
109
 
        <arg choice="plain"><option>-i
110
 
        <replaceable>TIME</replaceable></option></arg>
111
 
      </group>
112
 
      <sbr/>
113
 
      <group>
114
 
        <arg choice="plain"><option>--approve-by-default</option
115
 
        ></arg>
116
 
        <sbr/>
117
 
        <arg choice="plain"><option>--deny-by-default</option></arg>
118
 
      </group>
119
 
      <sbr/>
120
 
      <group>
121
 
        <arg choice="plain"><option>--approval-delay
122
 
        <replaceable>TIME</replaceable></option></arg>
123
 
      </group>
124
 
      <sbr/>
125
 
      <group>
126
 
        <arg choice="plain"><option>--approval-duration
127
 
        <replaceable>TIME</replaceable></option></arg>
128
 
      </group>
129
 
      <sbr/>
130
 
      <group>
131
 
        <arg choice="plain"><option>--interval
132
 
        <replaceable>TIME</replaceable></option></arg>
133
 
        <arg choice="plain"><option>-i
134
 
        <replaceable>TIME</replaceable></option></arg>
135
 
      </group>
136
 
      <sbr/>
137
 
      <group>
138
 
        <arg choice="plain"><option>--host
139
 
        <replaceable>STRING</replaceable></option></arg>
140
 
        <arg choice="plain"><option>-H
141
 
        <replaceable>STRING</replaceable></option></arg>
142
 
      </group>
143
 
      <sbr/>
144
 
      <group>
145
 
        <arg choice="plain"><option>--secret
146
 
        <replaceable>FILENAME</replaceable></option></arg>
147
 
        <arg choice="plain"><option>-s
148
 
        <replaceable>FILENAME</replaceable></option></arg>
149
 
      </group>
150
 
      <sbr/>
151
 
      <group>
152
 
        <arg choice="plain"><option>--approve</option></arg>
153
 
        <arg choice="plain"><option>-A</option></arg>
154
 
        <sbr/>
 
66
          <arg choice="plain"><option>--verbose</option></arg>
 
67
          <arg choice="plain"><option>-v</option></arg>
 
68
          <sbr/>
 
69
          <arg choice="plain"><option>--dump-json</option></arg>
 
70
          <arg choice="plain"><option>-j</option></arg>
 
71
      </group>
 
72
      <arg><option>--debug</option></arg>
 
73
      <group>
 
74
        <arg rep='repeat' choice='plain'>
 
75
          <replaceable>CLIENT</replaceable>
 
76
        </arg>
 
77
      </group>
 
78
    </cmdsynopsis>
 
79
    <cmdsynopsis>
 
80
      <command>&COMMANDNAME;</command>
 
81
      <group choice="req">
 
82
        <group>
 
83
          <arg choice="plain"><option>--enable</option></arg>
 
84
          <arg choice="plain"><option>-e</option></arg>
 
85
          <sbr/>
 
86
          <arg choice="plain"><option>--disable</option></arg>
 
87
          <arg choice="plain"><option>-d</option></arg>
 
88
        </group>
 
89
        <sbr/>
 
90
        <group>
 
91
          <arg choice="plain"><option>--bump-timeout</option></arg>
 
92
          <arg choice="plain"><option>-b</option></arg>
 
93
        </group>
 
94
        <sbr/>
 
95
        <group>
 
96
          <arg choice="plain"><option>--start-checker</option></arg>
 
97
          <arg choice="plain"><option>--stop-checker</option></arg>
 
98
        </group>
 
99
        <sbr/>
 
100
        <group>
 
101
          <arg choice="plain"><option>--checker
 
102
          <replaceable>COMMAND</replaceable></option></arg>
 
103
          <arg choice="plain"><option>-c
 
104
          <replaceable>COMMAND</replaceable></option></arg>
 
105
        </group>
 
106
        <sbr/>
 
107
        <group>
 
108
          <arg choice="plain"><option>--timeout
 
109
          <replaceable>TIME</replaceable></option></arg>
 
110
          <arg choice="plain"><option>-t
 
111
          <replaceable>TIME</replaceable></option></arg>
 
112
        </group>
 
113
        <sbr/>
 
114
        <group>
 
115
          <arg choice="plain"><option>--extended-timeout
 
116
          <replaceable>TIME</replaceable></option></arg>
 
117
        </group>
 
118
        <sbr/>
 
119
        <group>
 
120
          <arg choice="plain"><option>--interval
 
121
          <replaceable>TIME</replaceable></option></arg>
 
122
          <arg choice="plain"><option>-i
 
123
          <replaceable>TIME</replaceable></option></arg>
 
124
        </group>
 
125
        <sbr/>
 
126
        <group>
 
127
          <arg choice="plain"><option>--approve-by-default</option
 
128
          ></arg>
 
129
          <sbr/>
 
130
          <arg choice="plain"><option>--deny-by-default</option></arg>
 
131
        </group>
 
132
        <sbr/>
 
133
        <group>
 
134
          <arg choice="plain"><option>--approval-delay
 
135
          <replaceable>TIME</replaceable></option></arg>
 
136
        </group>
 
137
        <sbr/>
 
138
        <group>
 
139
          <arg choice="plain"><option>--approval-duration
 
140
          <replaceable>TIME</replaceable></option></arg>
 
141
        </group>
 
142
        <sbr/>
 
143
        <group>
 
144
          <arg choice="plain"><option>--host
 
145
          <replaceable>STRING</replaceable></option></arg>
 
146
          <arg choice="plain"><option>-H
 
147
          <replaceable>STRING</replaceable></option></arg>
 
148
        </group>
 
149
        <sbr/>
 
150
        <group>
 
151
          <arg choice="plain"><option>--secret
 
152
          <replaceable>FILENAME</replaceable></option></arg>
 
153
          <arg choice="plain"><option>-s
 
154
          <replaceable>FILENAME</replaceable></option></arg>
 
155
        </group>
 
156
        <sbr/>
 
157
        <group>
 
158
          <arg choice="plain"><option>--approve</option></arg>
 
159
          <arg choice="plain"><option>-A</option></arg>
 
160
          <sbr/>
 
161
          <arg choice="plain"><option>--deny</option></arg>
 
162
          <arg choice="plain"><option>-D</option></arg>
 
163
        </group>
 
164
      </group>
 
165
      <sbr/>
 
166
      <arg><option>--debug</option></arg>
 
167
      <group choice="req">
 
168
        <arg choice="plain"><option>--all</option></arg>
 
169
        <arg choice="plain"><option>-a</option></arg>
 
170
        <arg rep='repeat' choice='plain'>
 
171
          <replaceable>CLIENT</replaceable>
 
172
        </arg>
 
173
      </group>
 
174
    </cmdsynopsis>
 
175
    <cmdsynopsis>
 
176
      <command>&COMMANDNAME;</command>
 
177
      <group>
155
178
        <arg choice="plain"><option>--deny</option></arg>
156
179
        <arg choice="plain"><option>-D</option></arg>
157
180
      </group>
 
181
      <group choice="req">
 
182
          <arg choice="plain"><option>--remove</option></arg>
 
183
          <arg choice="plain"><option>-r</option></arg>
 
184
      </group>
158
185
      <sbr/>
 
186
      <arg><option>--debug</option></arg>
159
187
      <group choice="req">
160
188
        <arg choice="plain"><option>--all</option></arg>
161
189
        <arg choice="plain"><option>-a</option></arg>
166
194
    </cmdsynopsis>
167
195
    <cmdsynopsis>
168
196
      <command>&COMMANDNAME;</command>
169
 
      <group>
170
 
        <arg choice="plain"><option>--verbose</option></arg>
171
 
        <arg choice="plain"><option>-v</option></arg>
172
 
      </group>
173
 
      <group>
174
 
        <arg rep='repeat' choice='plain'>
175
 
          <replaceable>CLIENT</replaceable>
176
 
        </arg>
177
 
      </group>
178
 
    </cmdsynopsis>
179
 
    <cmdsynopsis>
180
 
      <command>&COMMANDNAME;</command>
181
197
      <group choice="req">
182
198
        <arg choice="plain"><option>--is-enabled</option></arg>
183
199
        <arg choice="plain"><option>-V</option></arg>
184
200
      </group>
 
201
      <arg><option>--debug</option></arg>
185
202
      <arg choice='plain'><replaceable>CLIENT</replaceable></arg>
186
203
    </cmdsynopsis>
187
204
    <cmdsynopsis>
207
224
  <refsect1 id="description">
208
225
    <title>DESCRIPTION</title>
209
226
    <para>
210
 
      <command>&COMMANDNAME;</command> is a program to control the
211
 
      operation of the Mandos server <citerefentry><refentrytitle
212
 
      >mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
 
227
      <command>&COMMANDNAME;</command> is a program to control or
 
228
      query the operation of the Mandos server
 
229
      <citerefentry><refentrytitle>mandos</refentrytitle><manvolnum
 
230
      >8</manvolnum></citerefentry>.
213
231
    </para>
214
232
    <para>
215
233
      This program can be used to change client settings, approve or
473
491
      </varlistentry>
474
492
      
475
493
      <varlistentry>
 
494
        <term><option>--dump-json</option></term>
 
495
        <term><option>-j</option></term>
 
496
        <listitem>
 
497
          <para>
 
498
            Dump client settings as JSON to standard output.
 
499
          </para>
 
500
        </listitem>
 
501
      </varlistentry>
 
502
      
 
503
      <varlistentry>
476
504
        <term><option>--is-enabled</option></term>
477
505
        <term><option>-V</option></term>
478
506
        <listitem>
484
512
      </varlistentry>
485
513
      
486
514
      <varlistentry>
 
515
        <term><option>--debug</option></term>
 
516
        <listitem>
 
517
          <para>
 
518
            Show debug output; currently, this means show D-Bus calls.
 
519
          </para>
 
520
        </listitem>
 
521
      </varlistentry>
 
522
      
 
523
      <varlistentry>
487
524
        <term><option>--check</option></term>
488
525
        <listitem>
489
526
          <para>
513
550
    </para>
514
551
  </refsect1>
515
552
  
516
 
<!--   <refsect1 id="bugs"> -->
517
 
<!--     <title>BUGS</title> -->
518
 
<!--     <para> -->
519
 
<!--     </para> -->
520
 
<!--   </refsect1> -->
 
553
  <refsect1 id="bugs">
 
554
    <title>BUGS</title>
 
555
    <xi:include href="bugs.xml"/>
 
556
  </refsect1>
521
557
  
522
558
  <refsect1 id="example">
523
559
    <title>EXAMPLE</title>
 
560
    <!-- Name of test methods in class Test_commands_from_options are
 
561
         written in comments below.  When adding an example, add a
 
562
         test too which tests the documented behavior. -->
524
563
    <informalexample>
 
564
      <!-- Test method: test_manual_page_example_1() -->
525
565
      <para>
526
566
        To list all clients:
527
567
      </para>
531
571
    </informalexample>
532
572
    
533
573
    <informalexample>
 
574
      <!-- Test method: test_manual_page_example_2() -->
534
575
      <para>
535
576
        To list <emphasis>all</emphasis> settings for the clients
536
577
        named <quote>foo1.example.org</quote> and <quote
545
586
    </informalexample>
546
587
    
547
588
    <informalexample>
 
589
      <!-- Test method: test_manual_page_example_3() -->
548
590
      <para>
549
591
        To enable all clients:
550
592
      </para>
554
596
    </informalexample>
555
597
    
556
598
    <informalexample>
 
599
      <!-- Test method: test_manual_page_example_4() -->
557
600
      <para>
558
601
        To change timeout and interval value for the clients
559
602
        named <quote>foo1.example.org</quote> and <quote
562
605
      <para>
563
606
 
564
607
<!-- do not wrap this line -->
565
 
<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>
 
608
<userinput>&COMMANDNAME; --timeout=PT5M --interval=PT1M foo1.example.org foo2.example.org</userinput>
566
609
 
567
610
      </para>
568
611
    </informalexample>
569
612
    
570
613
    <informalexample>
 
614
      <!-- Test method: test_manual_page_example_5() -->
571
615
      <para>
572
 
        To approve all clients currently waiting for it:
 
616
        To approve all clients currently waiting for approval:
573
617
      </para>
574
618
      <para>
575
619
        <userinput>&COMMANDNAME; --approve --all</userinput>