/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to debian/mandos-client.lintian-overrides

  • Committer: Teddy Hogeborn
  • Date: 2008-07-19 18:43:24 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080719184324-iwhoa5in75xa0u2u
* mandos-clients.conf ([foo]/dn, [foo]/password, [braxen_client]/dn,
                       [braxen_client]/password): Removed.
  ([foo]/fingerprint, [braxen_client]/fingerprint): New.
  ([foo]/checker): New.
  ([foo]/secfile): New.
  ([braxen_client]/secret): New.

* server.py: New "--debug" option to set debug flag.  Removed "cert",
             "key", "ca", "crl", and "cred" variables.  Added default
             value for "checker" config file setting.  Do not pass
             credentials to IPv6_TCPServer constructor.
  (debug): New global debug flag.  Used by most debugging output code.
  (Client.__init__): Keyword argument "dn" replaced by "fingerprint",
                     "password" renamed to "secret", and "passfile"
                     renamed to "secfile".  New keyword argument
                     "checker". All callers changed.
  (Client.dn): Removed.
  (Client.fingerprint): New.
  (Client.password): Renamed to "secret"; all users changed.
  (Client.passfile): Renamed to "secfile"; all users changed.
  (Client.timeout, Client.interval): Changed to be properties; now
                                     automatically updates the
                                     "_timeout_milliseconds" and
                                     "_interval_milliseconds" values.
  (Client.timeout_milliseconds): Renamed to "_timeout_milliseconds".
  (Client.interval_milliseconds): Renamed to "_interval_milliseconds".
  (Client.check_command): New.
  (Client.start_checker): Use the new "check_command" attribute.
  (peer_certificate, fingerprint): New functions.

  (tcp_handler.handle): Use ClientSession with empty credentials
                        object instead of ServerSession.  Set gnutls
                        priority string.  Do not verify peer.  Use
                        fingerprint instead of DN when searching for
                        clients.  Bug fix: Loop sending data so even large
                        secret data strings are sent.
  (IPv6_TCPServer.credentials): Removed.
  (if_nametoindex): Do not import ctypes since that is now imported
                    globally.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
# This directory contains secret client key files.
2
 
mandos-client binary: non-standard-dir-perm 0700 != 0755 [etc/keys/mandos/]
3
 
 
4
 
# The directory /usr/lib/<arch>/mandos/plugins.d contains setuid
5
 
# binaries which are only meant to be run inside an initial RAM disk
6
 
# environment (except for test purposes).  It would be insecure to
7
 
# allow anyone to run them.
8
 
mandos-client binary: non-standard-dir-perm 0700 != 0755 [usr/lib/*/mandos/plugins.d/]
9
 
# Likewise for helper executables for plugins
10
 
mandos-client binary: non-standard-dir-perm 0700 != 0755 [usr/lib/*/mandos/plugin-helpers/]
11
 
 
12
 
# These binaries must be setuid root, since they need root powers, but
13
 
# are started by plugin-runner(8mandos), which runs all plugins as
14
 
# user/group "_mandos".  These binaries are never run in a running
15
 
# system, but only in an initial RAM disk environment.  Here they are
16
 
# protected from non-root access by the directory permissions, above.
17
 
mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/mandos-client]
18
 
mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/askpass-fifo]
19
 
mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/splashy]
20
 
mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/usplash]
21
 
mandos-client binary: elevated-privileges 4755 root/root [usr/lib/*/mandos/plugins.d/plymouth]
22
 
 
23
 
# These binaries are never executed in a running system, or from this
24
 
# directory.  These files exist only to be copied from here into the
25
 
# initial RAM disk image.
26
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/mandos-to-cryptroot-unlock]
27
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugin-helpers/mandos-client-iprouteadddel]
28
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugin-runner]
29
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/askpass-fifo]
30
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/mandos-client]
31
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/password-prompt]
32
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/plymouth]
33
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/splashy]
34
 
mandos-client binary: executable-in-usr-lib [usr/lib/*/mandos/plugins.d/usplash]
35
 
 
36
 
# This is the official directory for Dracut plugins, which are all
37
 
# executable shell script files.
38
 
mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/module-setup.sh]
39
 
# These files are never executed in a running system, or from this
40
 
# directory. These files exist only to be copied from here into the
41
 
# initial RAM disk image by the dracut/90mandos/module-setup.sh
42
 
# script.
43
 
mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/cmdline-mandos.sh]
44
 
mandos-client binary: executable-in-usr-lib [usr/lib/dracut/modules.d/90mandos/password-agent]
45
 
 
46
 
# The directory /etc/mandos/plugins.d can be used by local system
47
 
# administrators to place plugins in, overriding and complementing
48
 
# /usr/lib/<arch>/mandos/plugins.d, and must be likewise protected.
49
 
mandos-client binary: non-standard-dir-perm 0700 != 0755 [etc/mandos/plugins.d/]
50
 
# Likewise for plugin-helpers directory
51
 
mandos-client binary: non-standard-dir-perm 0700 != 0755 [etc/mandos/plugin-helpers/]
52
 
 
53
 
# The debconf templates is only used for displaying information
54
 
# detected in the postinst, not for saving answers to questions, so we
55
 
# don't need a .config file.
56
 
mandos-client binary: no-debconf-config
57
 
 
58
 
# The notice displayed from the postinst script really is critical
59
 
mandos-client binary: postinst-uses-db-input
60
 
 
61
 
# These are very important to work around bugs or changes in the old
62
 
# versions, and there is no pressing need to remove them.
63
 
mandos-client binary: maintainer-script-supports-ancient-package-version *