/mandos/trunk : revision 1213

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/module-setup.sh

Committer: teddy at recompile
Date: 2020-04-05 21:30:59 UTC
Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk

Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

files added:
debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

dracut-module/module-setup.sh

#!/bin/sh

# This file should be present in the root file system directory

# /usr/lib/dracut/modules.d/90mandos. When dracut creates the

# initramfs image, dracut will source this file and run the shell

# functions defined in this file: "install", "check", "depends",

# "cmdline", and "installkernel".

# Despite the above #!/bin/sh line and the executable flag, this file

# is not executed; this file is sourced by dracut when creating the

# initramfs image file.

mandos_libdir(){

for dir in /usr/lib \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/local/lib; do

if [ -d "$dir"/mandos ]; then

echo "$dir"/mandos

return

done

# Mandos not found

return 1

}

mandos_keydir(){

for dir in /etc/keys/mandos /etc/mandos/keys; do

if [ -d "$dir" ]; then

echo "$dir"

return

done

# Mandos key directory not found

return 1

}

check(){

if [ "${hostonly:-no}" = "no" ]; then

dwarning "Mandos: Dracut not in hostonly mode"

return 1

local libdir=`mandos_libdir`

if [ -z "$libdir" ]; then

dwarning "Mandos lib directory not found"

return 1

local keydir=`mandos_keydir`

if [ -z "$keydir" ]; then

dwarning "Mandos key directory not found"

return 1

}

install(){

chmod go+w,+t "$initdir"/tmp

local libdir=`mandos_libdir`

local keydir=`mandos_keydir`

set `{ getent passwd _mandos \

|| getent passwd nobody \

|| echo ::65534:65534:::; } \

| cut --delimiter=: --fields=3,4 --only-delimited \

--output-delimiter=" "`

local mandos_user="$1"

local mandos_group="$2"

inst "${libdir}" /lib/mandos

if dracut_module_included "systemd"; then

plugindir=/lib/mandos

inst "${libdir}/plugins.d/mandos-client" \

"${plugindir}/mandos-client"

chmod u-s "${initdir}/${plugindir}/mandos-client"

inst "${moddir}/ask-password-mandos.service" \

"${systemdsystemunitdir}/ask-password-mandos.service"

if [ -d /etc/systemd/system/ask-password-mandos.service.d ]; then

inst /etc/systemd/system/ask-password-mandos.service.d

inst_multiple -o /etc/systemd/system/ask-password-mandos.service.d/*.conf

if [ ${mandos_user} != 65534 ]; then

sed --in-place \

--expression="s,^ExecStart=/lib/mandos/password-agent ,&--user=${mandos_user} ," \

"${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"

if [ ${mandos_group} != 65534 ]; then

sed --in-place \

--expression="s,^ExecStart=/lib/mandos/password-agent ,&--group=${mandos_group} ," \

"${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"

else

inst_hook cmdline 20 "$moddir"/cmdline-mandos.sh

plugindir=/lib/mandos/plugins.d

inst "${libdir}/plugin-runner" /lib/mandos/plugin-runner

inst /etc/mandos/plugin-runner.conf

sed --in-place \

--expression='1i--options-for=mandos-client:--pubkey=/etc/mandos/keys/pubkey.txt,--seckey=/etc/mandos/keys/seckey.txt,--tls-pubkey=/etc/mandos/keys/tls-pubkey.pem,--tls-privkey=/etc/mandos/keys/tls-privkey.pem' \

"${initdir}/etc/mandos/plugin-runner.conf"

if [ ${mandos_user} != 65534 ]; then

sed --in-place --expression="1i--userid=${mandos_user}" \

"${initdir}/etc/mandos/plugin-runner.conf"

100

101

if [ ${mandos_group} != 65534 ]; then

102

sed --in-place \

103

--expression="1i--groupid=${mandos_group}" \

104

"${initdir}/etc/mandos/plugin-runner.conf"

105

106

inst "${libdir}/plugins.d" "$plugindir"

107

chown ${mandos_user}:${mandos_group} "${initdir}/${plugindir}"

108

# Copy the packaged plugins

109

for file in "$libdir"/plugins.d/*; do

110

base="`basename \"$file\"`"

111

# Is this plugin overridden?

112

if [ -e "/etc/mandos/plugins.d/$base" ]; then

113

continue

114

115

case "$base" in

116

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

117

: ;;

118

"*") dwarning "Mandos client plugin directory is empty." >&2 ;;

119

askpass-fifo) : ;; # Ignore packaged for dracut

120

*) inst "${file}" "${plugindir}/${base}" ;;

121

esac

122

done

123

# Copy any user-supplied plugins

124

for file in /etc/mandos/plugins.d/*; do

125

base="`basename \"$file\"`"

126

case "$base" in

127

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

128

: ;;

129

"*") : ;;

130

*) inst "$file" "${plugindir}/${base}" ;;

131

esac

132

done

133

# Copy any user-supplied plugin helpers

134

for file in /etc/mandos/plugin-helpers/*; do

135

base="`basename \"$file\"`"

136

case "$base" in

137

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

138

: ;;

139

"*") : ;;

140

*) inst "$file" "/lib/mandos/plugin-helpers/$base";;

141

esac

142

done

143

144

# Copy network hooks

145

for hook in /etc/mandos/network-hooks.d/*; do

146

basename=`basename "$hook"`

147

case "$basename" in

148

"*") continue ;;

149

*[!A-Za-z0-9_.-]*) continue ;;

150

*) test -d "$hook" || inst "$hook" "/lib/mandos/network-hooks.d/$basename" ;;

151

esac

152

if [ -x "$hook" ]; then

153

# Copy any files needed by the network hook

154

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \

155

VERBOSITY=0 "$hook" files | while read file target; do

156

if [ ! -e "${file}" ]; then

157

dwarning "WARNING: file ${file} not found, requested by Mandos network hook '${basename}'" >&2

158

159

if [ -z "${target}" ]; then

160

inst "$file"

161

else

162

inst "$file" "$target"

163

164

done

165

166

done

167

# Copy the packaged plugin helpers

168

for file in "$libdir"/plugin-helpers/*; do

169

base="`basename \"$file\"`"

170

# Is this plugin overridden?

171

if [ -e "/etc/mandos/plugin-helpers/$base" ]; then

172

continue

173

174

case "$base" in

175

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

176

: ;;

177

"*") : ;;

178

*) inst "$file" "/lib/mandos/plugin-helpers/$base";;

179

esac

180

done

181

local gpg=/usr/bin/gpg

182

if [ -e /usr/bin/gpgconf ]; then

183

inst /usr/bin/gpgconf

184

gpg="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg:[^:]*://p'`"

185

gpgagent="`/usr/bin/gpgconf|sed --quiet --expression='s/^gpg-agent:[^:]*://p'`"

186

# Newer versions of GnuPG 2 requires the gpg-agent binary

187

if [ -e "$gpgagent" ]; then

188

inst "$gpgagent"

189

190

191

inst "$gpg"

192

if dracut_module_included "systemd"; then

193

inst "${moddir}/password-agent" /lib/mandos/password-agent

194

inst "${moddir}/ask-password-mandos.path" \

195

"${systemdsystemunitdir}/ask-password-mandos.path"

196

ln_r "${systemdsystemunitdir}/ask-password-mandos.path" \

197

"${systemdsystemunitdir}/sysinit.target.wants/ask-password-mandos.path"

198

199

# Key files

200

for file in "$keydir"/*; do

201

if [ -d "$file" ]; then

202

continue

203

204

case "$file" in

205

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

206

: ;;

207

"*") : ;;

208

209

inst "$file" "/etc/mandos/keys/`basename \"$file\"`"

210

chown ${mandos_user}:${mandos_group} \

211

"${initdir}/etc/mandos/keys/`basename \"$file\"`"

212

if [ `basename "$file"` = dhparams.pem ]; then

213

# Use Diffie-Hellman parameters file

214

if dracut_module_included "systemd"; then

215

sed --in-place \

216

--expression='/^ExecStart/s/ \$MANDOS_CLIENT_OPTIONS/ --dh-params=\/etc\/mandos\/keys\/dhparams.pem&/' \

217

"${initdir}/${systemdsystemunitdir}/ask-password-mandos.service"

218

else

219

sed --in-place \

220

--expression="1i--options-for=mandos-client:--dh-params=/etc/mandos/keys/dhparams.pem" \

221

"${initdir}/etc/mandos/plugin-runner.conf"

222

223

224

;;

225

esac

226

done

227

}

228

229

installkernel(){

230

instmods =drivers/net

231

hostonly='' instmods ipv6

232

# Copy any kernel modules needed by network hooks

233

for hook in /etc/mandos/network-hooks.d/*; do

234

basename=`basename "$hook"`

235

case "$basename" in

236

"*") continue ;;

237

*[!A-Za-z0-9_.-]*) continue ;;

238

esac

239

if [ -x "$hook" ]; then

240

# Copy and load any modules needed by the network hook

241

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \

242

VERBOSITY=0 "$hook" modules | while read module; do

243

if [ -z "${target}" ]; then

244

instmods "$module"

245

246

done

247

248

done

249

}

250

251

depends(){

252

echo crypt

253

}

254

255

cmdline(){

256

257

}

Older »