To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to Makefile
- browse files at revision 1213
- compare with another revision
- download diff
- download tarball
- view history from revision 1213
- Committer: teddy at recompile
- Date: 2020-04-05 21:30:59 UTC
- Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk
Fix file descriptor leak in mandos-client
When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.) The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.
This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route. If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.
Fix this by eliminating the file descriptor leak in the client.
* plugins.d/mandos-client.c (add_delete_local_route): Do
close(devnull) also in parent process, also if fork() fails, and on
any failure in child process.
When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.) The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.
This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route. If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.
Fix this by eliminating the file descriptor leak in the client.
* plugins.d/mandos-client.c (add_delete_local_route): Do
close(devnull) also in parent process, also if fork() fails, and on
any failure in child process.
- files added:
- bugs.xml
- debian/tests
- debian/upstream
- dracut-module
- network-hooks.d
- plugin-helpers
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
Makefile
1
WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs \
2
-Wswitch-default -Wswitch-enum -Wunused-parameter \
3
-Wstrict-aliasing=1 -Wextra -Wfloat-equal -Wundef -Wshadow \
1
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
2
-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
3
-Wunused -Wuninitialized -Wstrict-overflow=5 \
4
-Wsuggest-attribute=pure -Wsuggest-attribute=const \
5
-Wsuggest-attribute=noreturn -Wfloat-equal -Wundef -Wshadow \
4
6
-Wunsafe-loop-optimizations -Wpointer-arith \
5
7
-Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \
6
-Wconversion -Wstrict-prototypes -Wold-style-definition \
7
-Wpacked -Wnested-externs -Winline -Wvolatile-register-var
8
# -Wunreachable-code
9
#DEBUG=-ggdb3
10
# For info about _FORTIFY_SOURCE, see
11
# <http://www.kernel.org/doc/man-pages/online/pages/man7/feature_test_macros.7.html>
12
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
13
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
14
LINK_FORTIFY_LD=-z relro -z now
15
LINK_FORTIFY=
8
-Wconversion -Wlogical-op -Waggregate-return \
9
-Wstrict-prototypes -Wold-style-definition \
10
-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
11
-Wredundant-decls -Wnested-externs -Winline -Wvla \
12
-Wvolatile-register-var -Woverlength-strings
13
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
15
## Check which sanitizing options can be used
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
17
# echo 'int main(){}' | $(CC) --language=c $(option) \
18
# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
19
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
20
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
21
-fsanitize=shift -fsanitize=integer-divide-by-zero \
22
-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
23
-fsanitize=return -fsanitize=signed-integer-overflow \
24
-fsanitize=bounds -fsanitize=alignment \
25
-fsanitize=object-size -fsanitize=float-divide-by-zero \
26
-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
27
-fsanitize=returns-nonnull-attribute -fsanitize=bool \
28
-fsanitize=enum -fsanitize-address-use-after-scope
29
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
33
LINK_FORTIFY_LD:=-z relro -z now
34
LINK_FORTIFY:=
16
35
17
36
# If BROKEN_PIE is set, do not build with -pie
18
37
ifndef BROKEN_PIE
20
39
LINK_FORTIFY += -pie
21
40
endif
22
41
#COVERAGE=--coverage
23
OPTIMIZE=-Os
24
LANGUAGE=-std=gnu99
25
htmldir=man
26
version=1.3.1
27
SED=sed
42
OPTIMIZE:=-Os -fno-strict-aliasing
43
LANGUAGE:=-std=gnu11
44
FEATURES:=-D_FILE_OFFSET_BITS=64
45
htmldir:=man
46
version:=1.8.10
47
SED:=sed
48
PKG_CONFIG?=pkg-config
49
50
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
51
|| getent passwd nobody || echo 65534)))
52
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
53
|| getent group nogroup || echo 65534)))
54
55
LINUXVERSION:=$(shell uname --kernel-release)
28
56
29
57
## Use these settings for a traditional /usr/local install
30
# PREFIX=$(DESTDIR)/usr/local
31
# CONFDIR=$(DESTDIR)/etc/mandos
32
# KEYDIR=$(DESTDIR)/etc/mandos/keys
33
# MANDIR=$(PREFIX)/man
34
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
58
# PREFIX:=$(DESTDIR)/usr/local
59
# CONFDIR:=$(DESTDIR)/etc/mandos
60
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
61
# MANDIR:=$(PREFIX)/man
62
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
63
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
64
# STATEDIR:=$(DESTDIR)/var/lib/mandos
65
# LIBDIR:=$(PREFIX)/lib
35
66
##
36
67
37
68
## These settings are for a package-type install
38
PREFIX=$(DESTDIR)/usr
39
CONFDIR=$(DESTDIR)/etc/mandos
40
KEYDIR=$(DESTDIR)/etc/keys/mandos
41
MANDIR=$(PREFIX)/share/man
42
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
69
PREFIX:=$(DESTDIR)/usr
70
CONFDIR:=$(DESTDIR)/etc/mandos
71
KEYDIR:=$(DESTDIR)/etc/keys/mandos
72
MANDIR:=$(PREFIX)/share/man
73
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
74
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
75
STATEDIR:=$(DESTDIR)/var/lib/mandos
76
LIBDIR:=$(shell \
77
for d in \
78
"/usr/lib/`dpkg-architecture \
79
-qDEB_HOST_MULTIARCH 2>/dev/null`" \
80
"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
81
if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
82
echo "$(DESTDIR)$$d"; \
83
break; \
84
fi; \
85
done)
43
86
##
44
87
45
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
46
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
47
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
48
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
49
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
50
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
88
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
89
--variable=systemdsystemunitdir)
90
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
91
--variable=tmpfilesdir)
92
SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
93
--variable=sysusersdir)
94
95
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
96
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
97
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
98
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
99
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
100
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
51
101
getconf LFS_LDFLAGS)
102
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
103
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
104
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
105
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
52
106
53
107
# Do not change these two
54
CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
55
$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
56
-DVERSION='"$(version)"'
57
LDFLAGS=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
108
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
109
$(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
110
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
111
) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
58
112
59
113
# Commands to format a DocBook <refentry> document into a manual page
60
114
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
63
117
--param make.single.year.ranges 1 \
64
118
--param man.output.quietly 1 \
65
119
--param man.authors.section.enabled 0 \
66
/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
120
/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
67
121
$(notdir $<); \
68
$(MANPOST) $(notdir $@))
69
# DocBook-to-man post-processing to fix a '\n' escape bug
70
MANPOST=$(SED) --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g'
122
if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
123
&& command -v man >/dev/null; then LANG=en_US.UTF-8 \
124
MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
125
$(notdir $@); fi >/dev/null)
71
126
72
127
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
73
128
--param make.year.ranges 1 \
79
134
/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
80
135
$<; $(HTMLPOST) $@)
81
136
# Fix citerefentry links
82
HTMLPOST=$(SED) --in-place \
137
HTMLPOST:=$(SED) --in-place \
83
138
--expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
84
139
85
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
140
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
86
141
plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
87
142
plugins.d/plymouth
88
CPROGS=plugin-runner $(PLUGINS)
89
PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
90
DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
143
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
144
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
145
$(PLUGIN_HELPERS)
146
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
147
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
91
148
mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
149
dracut-module/password-agent.8mandos \
92
150
plugins.d/mandos-client.8mandos \
93
151
plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
94
152
plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
95
153
plugins.d/plymouth.8mandos intro.8mandos
96
154
97
htmldocs=$(addsuffix .xhtml,$(DOCS))
98
99
objects=$(addsuffix .o,$(CPROGS))
100
155
htmldocs:=$(addsuffix .xhtml,$(DOCS))
156
157
objects:=$(addsuffix .o,$(CPROGS))
158
159
.PHONY: all
101
160
all: $(PROGS) mandos.lsm
102
161
162
.PHONY: doc
103
163
doc: $(DOCS)
104
164
165
.PHONY: html
105
166
html: $(htmldocs)
106
167
107
168
%.5: %.xml common.ent legalnotice.xml
166
227
overview.xml legalnotice.xml
167
228
$(DOCBOOKTOHTML)
168
229
230
dracut-module/password-agent.8mandos: \
231
dracut-module/password-agent.xml common.ent \
232
overview.xml legalnotice.xml
233
$(DOCBOOKTOMAN)
234
dracut-module/password-agent.8mandos.xhtml: \
235
dracut-module/password-agent.xml common.ent \
236
overview.xml legalnotice.xml
237
$(DOCBOOKTOHTML)
238
169
239
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
170
240
common.ent \
171
241
mandos-options.xml \
214
284
--expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
215
285
$@)
216
286
217
plugins.d/mandos-client: plugins.d/mandos-client.c
218
$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\
219
) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@
220
221
.PHONY : all doc html clean distclean run-client run-server install \
222
install-server install-client uninstall uninstall-server \
223
uninstall-client purge purge-server purge-client
224
287
# Need to add the GnuTLS, Avahi and GPGME libraries
288
plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
289
) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
290
plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \
291
) $(AVAHI_LIBS) $(GPGME_LIBS)
292
293
# Need to add the libnl-route library
294
plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)
295
plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)
296
297
# Need to add the GLib and pthread libraries
298
dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
299
dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
300
301
.PHONY: clean
225
302
clean:
226
303
-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
227
304
305
.PHONY: distclean
228
306
distclean: clean
307
.PHONY: mostlyclean
229
308
mostlyclean: clean
309
.PHONY: maintainer-clean
230
310
maintainer-clean: clean
231
-rm --force --recursive keydir confdir
311
-rm --force --recursive keydir confdir statedir
232
312
233
check: all
313
.PHONY: check
314
check: all
234
315
./mandos --check
316
./mandos-ctl --check
317
./mandos-keygen --version
318
./plugin-runner --version
319
./plugin-helpers/mandos-client-iprouteadddel --version
320
./dracut-module/password-agent --test
235
321
236
322
# Run the client with a local config and key
237
run-client: all keydir/seckey.txt keydir/pubkey.txt
238
@echo "###################################################################"
239
@echo "# The following error messages are harmless and can be safely #"
240
@echo "# ignored. The messages are caused by not running as root, but #"
241
@echo "# you should NOT run \"make run-client\" as root unless you also #"
242
@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"
243
@echo "# From plugin-runner: setuid: Operation not permitted #"
244
@echo "# From askpass-fifo: mkfifo: Permission denied #"
245
@echo "# From mandos-client: setuid: Operation not permitted #"
246
@echo "# seteuid: Operation not permitted #"
247
@echo "# klogctl: Operation not permitted #"
248
@echo "###################################################################"
323
.PHONY: run-client
324
run-client: all keydir/seckey.txt keydir/pubkey.txt \
325
keydir/tls-privkey.pem keydir/tls-pubkey.pem
326
@echo '######################################################'
327
@echo '# The following error messages are harmless and can #'
328
@echo '# be safely ignored: #'
329
@echo '## From plugin-runner: #'
330
@echo '# setgid: Operation not permitted #'
331
@echo '# setuid: Operation not permitted #'
332
@echo '## From askpass-fifo: #'
333
@echo '# mkfifo: Permission denied #'
334
@echo '## From mandos-client: #'
335
@echo '# Failed to raise privileges: Operation not permi... #'
336
@echo '# Warning: network hook "*" exited with status * #'
337
@echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
338
@echo '# Failed to bring up interface "*": Operation not... #'
339
@echo '# #'
340
@echo '# (The messages are caused by not running as root, #'
341
@echo '# but you should NOT run "make run-client" as root #'
342
@echo '# unless you also unpacked and compiled Mandos as #'
343
@echo '# root, which is also NOT recommended.) #'
344
@echo '######################################################'
345
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
249
346
./plugin-runner --plugin-dir=plugins.d \
347
--plugin-helper-dir=plugin-helpers \
250
348
--config-file=plugin-runner.conf \
251
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt \
349
--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
350
--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
252
351
$(CLIENTARGS)
253
352
254
353
# Used by run-client
255
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
354
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
256
355
install --directory keydir
257
356
./mandos-keygen --dir keydir --force
357
if ! [ -e keydir/tls-privkey.pem ]; then \
358
install --mode=u=rw /dev/null keydir/tls-privkey.pem; \
359
fi
360
if ! [ -e keydir/tls-pubkey.pem ]; then \
361
install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \
362
fi
258
363
259
364
# Run the server with a local config
260
run-server: confdir/mandos.conf confdir/clients.conf
261
@echo "#################################################################"
262
@echo "# NOTE: Please IGNORE the error about \"Could not open file #"
263
@echo "# u'/var/run/mandos.pid'\" - it is harmless and is caused by #"
264
@echo "# the server not running as root. Do NOT run \"make run-server\" #"
265
@echo "# server as root if you didn't also unpack and compile it thus. #"
266
@echo "#################################################################"
267
./mandos --debug --no-dbus --configdir=confdir $(SERVERARGS)
365
.PHONY: run-server
366
run-server: confdir/mandos.conf confdir/clients.conf statedir
367
./mandos --debug --no-dbus --configdir=confdir \
368
--statedir=statedir $(SERVERARGS)
268
369
269
370
# Used by run-server
270
371
confdir/mandos.conf: mandos.conf
271
372
install --directory confdir
272
373
install --mode=u=rw,go=r $^ $@
273
confdir/clients.conf: clients.conf keydir/seckey.txt
374
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
274
375
install --directory confdir
275
376
install --mode=u=rw $< $@
276
377
# Add a client password
277
./mandos-keygen --dir keydir --password >> $@
378
./mandos-keygen --dir keydir --password --no-ssh >> $@
379
statedir:
380
install --directory statedir
278
381
382
.PHONY: install
279
383
install: install-server install-client-nokey
280
384
385
.PHONY: install-html
281
386
install-html: html
282
387
install --directory $(htmldir)
283
388
install --mode=u=rw,go=r --target-directory=$(htmldir) \
284
389
$(htmldocs)
285
390
391
.PHONY: install-server
286
392
install-server: doc
287
393
install --directory $(CONFDIR)
394
if install --directory --mode=u=rwx --owner=$(USER) \
395
--group=$(GROUP) $(STATEDIR); then \
396
:; \
397
elif install --directory --mode=u=rwx $(STATEDIR); then \
398
chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
399
fi
400
if [ "$(TMPFILES)" != "$(DESTDIR)" \
401
-a -d "$(TMPFILES)" ]; then \
402
install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
403
$(TMPFILES)/mandos.conf; \
404
fi
405
if [ "$(SYSUSERS)" != "$(DESTDIR)" \
406
-a -d "$(SYSUSERS)" ]; then \
407
install --mode=u=rw,go=r sysusers.d-mandos.conf \
408
$(SYSUSERS)/mandos.conf; \
409
fi
288
410
install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
289
411
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
290
412
mandos-ctl
298
420
$(DESTDIR)/etc/dbus-1/system.d/mandos.conf
299
421
install --mode=u=rwx,go=rx init.d-mandos \
300
422
$(DESTDIR)/etc/init.d/mandos
423
if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
424
install --mode=u=rw,go=r mandos.service $(SYSTEMD); \
425
fi
301
426
install --mode=u=rw,go=r default-mandos \
302
427
$(DESTDIR)/etc/default/mandos
303
428
if [ -z $(DESTDIR) ]; then \
313
438
> $(MANDIR)/man5/mandos.conf.5.gz
314
439
gzip --best --to-stdout mandos-clients.conf.5 \
315
440
> $(MANDIR)/man5/mandos-clients.conf.5.gz
441
gzip --best --to-stdout intro.8mandos \
442
> $(MANDIR)/man8/intro.8mandos.gz
316
443
444
.PHONY: install-client-nokey
317
445
install-client-nokey: all doc
318
install --directory $(PREFIX)/lib/mandos $(CONFDIR)
446
install --directory $(LIBDIR)/mandos $(CONFDIR)
319
447
install --directory --mode=u=rwx $(KEYDIR) \
320
$(PREFIX)/lib/mandos/plugins.d
321
if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \
448
$(LIBDIR)/mandos/plugins.d \
449
$(LIBDIR)/mandos/plugin-helpers
450
if [ "$(SYSUSERS)" != "$(DESTDIR)" \
451
-a -d "$(SYSUSERS)" ]; then \
452
install --mode=u=rw,go=r sysusers.d-mandos.conf \
453
$(SYSUSERS)/mandos-client.conf; \
454
fi
455
if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
322
456
install --mode=u=rwx \
323
--directory "$(CONFDIR)/plugins.d"; \
457
--directory "$(CONFDIR)/plugins.d" \
458
"$(CONFDIR)/plugin-helpers"; \
324
459
fi
325
install --mode=u=rwx,go=rx \
326
--target-directory=$(PREFIX)/lib/mandos plugin-runner
460
install --mode=u=rwx,go=rx --directory \
461
"$(CONFDIR)/network-hooks.d"
462
install --mode=u=rwx,go=rx \
463
--target-directory=$(LIBDIR)/mandos plugin-runner
464
install --mode=u=rwx,go=rx \
465
--target-directory=$(LIBDIR)/mandos \
466
mandos-to-cryptroot-unlock
327
467
install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
328
468
mandos-keygen
329
469
install --mode=u=rwx,go=rx \
330
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
470
--target-directory=$(LIBDIR)/mandos/plugins.d \
331
471
plugins.d/password-prompt
332
472
install --mode=u=rwxs,go=rx \
333
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
473
--target-directory=$(LIBDIR)/mandos/plugins.d \
334
474
plugins.d/mandos-client
335
475
install --mode=u=rwxs,go=rx \
336
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
476
--target-directory=$(LIBDIR)/mandos/plugins.d \
337
477
plugins.d/usplash
338
478
install --mode=u=rwxs,go=rx \
339
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
479
--target-directory=$(LIBDIR)/mandos/plugins.d \
340
480
plugins.d/splashy
341
481
install --mode=u=rwxs,go=rx \
342
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
482
--target-directory=$(LIBDIR)/mandos/plugins.d \
343
483
plugins.d/askpass-fifo
344
484
install --mode=u=rwxs,go=rx \
345
--target-directory=$(PREFIX)/lib/mandos/plugins.d \
485
--target-directory=$(LIBDIR)/mandos/plugins.d \
346
486
plugins.d/plymouth
487
install --mode=u=rwx,go=rx \
488
--target-directory=$(LIBDIR)/mandos/plugin-helpers \
489
plugin-helpers/mandos-client-iprouteadddel
347
490
install initramfs-tools-hook \
348
491
$(INITRAMFSTOOLS)/hooks/mandos
349
install --mode=u=rw,go=r initramfs-tools-hook-conf \
350
$(INITRAMFSTOOLS)/conf-hooks.d/mandos
492
install --mode=u=rw,go=r initramfs-tools-conf \
493
$(INITRAMFSTOOLS)/conf.d/mandos-conf
494
install --mode=u=rw,go=r initramfs-tools-conf-hook \
495
$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
351
496
install initramfs-tools-script \
352
497
$(INITRAMFSTOOLS)/scripts/init-premount/mandos
498
install initramfs-tools-script-stop \
499
$(INITRAMFSTOOLS)/scripts/local-premount/mandos
500
install --directory $(DRACUTMODULE)
501
install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
502
dracut-module/ask-password-mandos.path \
503
dracut-module/ask-password-mandos.service
504
install --mode=u=rwxs,go=rx \
505
--target-directory=$(DRACUTMODULE) \
506
dracut-module/module-setup.sh \
507
dracut-module/cmdline-mandos.sh \
508
dracut-module/password-agent
353
509
install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
354
510
gzip --best --to-stdout mandos-keygen.8 \
355
511
> $(MANDIR)/man8/mandos-keygen.8.gz
367
523
> $(MANDIR)/man8/askpass-fifo.8mandos.gz
368
524
gzip --best --to-stdout plugins.d/plymouth.8mandos \
369
525
> $(MANDIR)/man8/plymouth.8mandos.gz
526
gzip --best --to-stdout dracut-module/password-agent.8mandos \
527
> $(MANDIR)/man8/password-agent.8mandos.gz
370
528
529
.PHONY: install-client
371
530
install-client: install-client-nokey
372
531
# Post-installation stuff
373
532
-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
374
update-initramfs -k all -u
533
if command -v update-initramfs >/dev/null; then \
534
update-initramfs -k all -u; \
535
elif command -v dracut >/dev/null; then \
536
for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
537
if [ -w "$$initrd" ]; then \
538
chmod go-r "$$initrd"; \
539
dracut --force "$$initrd"; \
540
fi; \
541
done; \
542
fi
375
543
echo "Now run mandos-keygen --password --dir $(KEYDIR)"
376
544
545
.PHONY: uninstall
377
546
uninstall: uninstall-server uninstall-client
378
547
548
.PHONY: uninstall-server
379
549
uninstall-server:
380
550
-rm --force $(PREFIX)/sbin/mandos \
381
551
$(PREFIX)/sbin/mandos-ctl \
388
558
update-rc.d -f mandos remove
389
559
-rmdir $(CONFDIR)
390
560
561
.PHONY: uninstall-client
391
562
uninstall-client:
392
563
# Refuse to uninstall client if /etc/crypttab is explicitly configured
393
564
# to use it.
394
565
! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \
395
566
$(DESTDIR)/etc/crypttab
396
567
-rm --force $(PREFIX)/sbin/mandos-keygen \
397
$(PREFIX)/lib/mandos/plugin-runner \
398
$(PREFIX)/lib/mandos/plugins.d/password-prompt \
399
$(PREFIX)/lib/mandos/plugins.d/mandos-client \
400
$(PREFIX)/lib/mandos/plugins.d/usplash \
401
$(PREFIX)/lib/mandos/plugins.d/splashy \
402
$(PREFIX)/lib/mandos/plugins.d/askpass-fifo \
403
$(PREFIX)/lib/mandos/plugins.d/plymouth \
568
$(LIBDIR)/mandos/plugin-runner \
569
$(LIBDIR)/mandos/plugins.d/password-prompt \
570
$(LIBDIR)/mandos/plugins.d/mandos-client \
571
$(LIBDIR)/mandos/plugins.d/usplash \
572
$(LIBDIR)/mandos/plugins.d/splashy \
573
$(LIBDIR)/mandos/plugins.d/askpass-fifo \
574
$(LIBDIR)/mandos/plugins.d/plymouth \
404
575
$(INITRAMFSTOOLS)/hooks/mandos \
405
576
$(INITRAMFSTOOLS)/conf-hooks.d/mandos \
406
577
$(INITRAMFSTOOLS)/scripts/init-premount/mandos \
578
$(INITRAMFSTOOLS)/scripts/local-premount/mandos \
579
$(DRACUTMODULE)/ask-password-mandos.path \
580
$(DRACUTMODULE)/ask-password-mandos.service \
581
$(DRACUTMODULE)/module-setup.sh \
582
$(DRACUTMODULE)/cmdline-mandos.sh \
583
$(DRACUTMODULE)/password-agent \
407
584
$(MANDIR)/man8/mandos-keygen.8.gz \
408
585
$(MANDIR)/man8/plugin-runner.8mandos.gz \
409
586
$(MANDIR)/man8/mandos-client.8mandos.gz
412
589
$(MANDIR)/man8/splashy.8mandos.gz \
413
590
$(MANDIR)/man8/askpass-fifo.8mandos.gz \
414
591
$(MANDIR)/man8/plymouth.8mandos.gz \
415
-rmdir $(PREFIX)/lib/mandos/plugins.d $(CONFDIR)/plugins.d \
416
$(PREFIX)/lib/mandos $(CONFDIR) $(KEYDIR)
417
update-initramfs -k all -u
592
$(MANDIR)/man8/password-agent.8mandos.gz \
593
-rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
594
$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
595
if command -v update-initramfs >/dev/null; then \
596
update-initramfs -k all -u; \
597
elif command -v dracut >/dev/null; then \
598
for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
599
test -w "$$initrd" && dracut --force "$$initrd"; \
600
done; \
601
fi
418
602
603
.PHONY: purge
419
604
purge: purge-server purge-client
420
605
606
.PHONY: purge-server
421
607
purge-server: uninstall-server
422
608
-rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \
423
609
$(DESTDIR)/etc/dbus-1/system.d/mandos.conf
424
610
$(DESTDIR)/etc/default/mandos \
425
611
$(DESTDIR)/etc/init.d/mandos \
612
$(SYSTEMD)/mandos.service \
613
$(DESTDIR)/run/mandos.pid \
426
614
$(DESTDIR)/var/run/mandos.pid
427
615
-rmdir $(CONFDIR)
428
616
617
.PHONY: purge-client
429
618
purge-client: uninstall-client
430
-shred --remove $(KEYDIR)/seckey.txt
619
-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
431
620
-rm --force $(CONFDIR)/plugin-runner.conf \
432
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
621
$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
622
$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
433
623
-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0