/mandos/trunk : revision 1213

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: teddy at recompile
Date: 2020-04-05 21:30:59 UTC
Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk

Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

Show diffs side-by-side

added added

removed removed

Makefile

LANGUAGE:=-std=gnu11

FEATURES:=-D_FILE_OFFSET_BITS=64

htmldir:=man

version:=1.8.9

version:=1.8.10

SED:=sed

PKG_CONFIG?=pkg-config

156

157

objects:=$(addsuffix .o,$(CPROGS))

158

159

.PHONY: all

159

160

all: $(PROGS) mandos.lsm

160

161

162

.PHONY: doc

161

163

doc: $(DOCS)

162

164

165

.PHONY: html

163

166

html: $(htmldocs)

164

167

165

168

%.5: %.xml common.ent legalnotice.xml

282

285

$@)

283

286

284

287

# Need to add the GnuTLS, Avahi and GPGME libraries

285

plugins.d/mandos-client: plugins.d/mandos-client.c

286

$(LINK.c) $^ $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(strip\

287

) $(GPGME_CFLAGS) $(GNUTLS_LIBS) $(strip\

288

) $(AVAHI_LIBS) $(GPGME_LIBS) $(LOADLIBES) $(strip\

289

) $(LDLIBS) -o $@

288

plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \

289

) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)

290

plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \

291

) $(AVAHI_LIBS) $(GPGME_LIBS)

290

292

291

293

# Need to add the libnl-route library

292

plugin-helpers/mandos-client-iprouteadddel: plugin-helpers/mandos-client-iprouteadddel.c

293

$(LINK.c) $(LIBNL3_CFLAGS) $^ $(LIBNL3_LIBS) $(strip\

294

) $(LOADLIBES) $(LDLIBS) -o $@

294

plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)

295

plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)

295

296

297

# Need to add the GLib and pthread libraries

297

dracut-module/password-agent: dracut-module/password-agent.c

298

$(LINK.c) $(GLIB_CFLAGS) $^ $(GLIB_LIBS) -lpthread $(strip\

299

) $(LOADLIBES) $(LDLIBS) -o $@

300

301

.PHONY : all doc html clean distclean mostlyclean maintainer-clean \

302

check run-client run-server install install-html \

303

install-server install-client-nokey install-client uninstall \

304

uninstall-server uninstall-client purge purge-server \

305

purge-client

306

298

dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)

299

dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread

300

301

.PHONY: clean

307

302

clean:

308

303

-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core

309

304

305

.PHONY: distclean

310

306

distclean: clean

307

.PHONY: mostlyclean

311

308

mostlyclean: clean

309

.PHONY: maintainer-clean

312

310

maintainer-clean: clean

313

311

-rm --force --recursive keydir confdir statedir

314

312

313

.PHONY: check

315

314

check: all

316

315

./mandos --check

317

316

./mandos-ctl --check

321

320

./dracut-module/password-agent --test

322

321

323

322

# Run the client with a local config and key

323

.PHONY: run-client

324

run-client: all keydir/seckey.txt keydir/pubkey.txt \

325

keydir/tls-privkey.pem keydir/tls-pubkey.pem

326

@echo '######################################################'

354

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

355

install --directory keydir

356

./mandos-keygen --dir keydir --force

357

if ! [ -e keydir/tls-privkey.pem ]; then \

358

install --mode=u=rw /dev/null keydir/tls-privkey.pem; \

359

360

if ! [ -e keydir/tls-pubkey.pem ]; then \

361

install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \

362

357

363

358

364

# Run the server with a local config

365

.PHONY: run-server

359

366

run-server: confdir/mandos.conf confdir/clients.conf statedir

360

367

./mandos --debug --no-dbus --configdir=confdir \

361

368

--statedir=statedir $(SERVERARGS)

372

379

statedir:

373

380

install --directory statedir

374

381

382

.PHONY: install

375

383

install: install-server install-client-nokey

376

384

385

.PHONY: install-html

377

386

install-html: html

378

387

install --directory $(htmldir)

379

388

install --mode=u=rw,go=r --target-directory=$(htmldir) \

380

389

$(htmldocs)

381

390

391

.PHONY: install-server

382

392

install-server: doc

383

393

install --directory $(CONFDIR)

384

394

if install --directory --mode=u=rwx --owner=$(USER) \

431

441

gzip --best --to-stdout intro.8mandos \

432

442

> $(MANDIR)/man8/intro.8mandos.gz

433

443

444

.PHONY: install-client-nokey

434

445

install-client-nokey: all doc

435

446

install --directory $(LIBDIR)/mandos $(CONFDIR)

436

447

install --directory --mode=u=rwx $(KEYDIR) \

515

526

gzip --best --to-stdout dracut-module/password-agent.8mandos \

516

527

> $(MANDIR)/man8/password-agent.8mandos.gz

517

528

529

.PHONY: install-client

518

530

install-client: install-client-nokey

519

531

# Post-installation stuff

520

532

-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"

530

542

531

543

echo "Now run mandos-keygen --password --dir $(KEYDIR)"

532

544

545

.PHONY: uninstall

533

546

uninstall: uninstall-server uninstall-client

534

547

548

.PHONY: uninstall-server

535

549

uninstall-server:

536

550

-rm --force $(PREFIX)/sbin/mandos \

537

551

$(PREFIX)/sbin/mandos-ctl \

544

558

update-rc.d -f mandos remove

545

559

-rmdir $(CONFDIR)

546

560

561

.PHONY: uninstall-client

547

562

uninstall-client:

548

563

# Refuse to uninstall client if /etc/crypttab is explicitly configured

549

564

# to use it.

585

600

done; \

586

601

587

602

603

.PHONY: purge

588

604

purge: purge-server purge-client

589

605

606

.PHONY: purge-server

590

607

purge-server: uninstall-server

591

608

-rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \

592

609

$(DESTDIR)/etc/dbus-1/system.d/mandos.conf

597

614

$(DESTDIR)/var/run/mandos.pid

598

615

-rmdir $(CONFDIR)

599

616

617

.PHONY: purge-client

600

618

purge-client: uninstall-client

601

619

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

602

620

-rm --force $(CONFDIR)/plugin-runner.conf \

Older »