/mandos/trunk : revision 1213

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.c

Committer: teddy at recompile
Date: 2020-04-05 21:30:59 UTC
Revision ID: teddy@recompile.se-20200405213059-fb2a61ckqynrmatk

Fix file descriptor leak in mandos-client

When the local network has Mandos servers announcing themselves using
real, globally reachable, IPv6 addresses (i.e. not link-local
addresses), but there is no router on the local network providing IPv6
RA (Router Advertisement) packets, the client cannot reach the server
by normal means, since the client only has a link-local IPv6 address,
and has no usable route to reach the server's global IPv6 address.
(This is not a common situation, and usually only happens when the
router itself reboots and runs a Mandos client, since it cannot then
give RA packets to itself.)  The client code has a solution for
this, which consists of adding a temporary local route to reach the
address of the server during communication, and removing this
temporary route afterwards.

This solution with a temporary route works, but has a file descriptor
leak; it leaks one file descriptor for each addition and for each
removal of a route.  If one server requiring an added route is present
on the network, but no servers gives a password, making the client
retry after the default ten seconds, and we furthermore assume a
default 1024 open files limit, the client runs out of file descriptors
after about 90 minutes, after which time the client process will be
useless and fail to retrieve any passwords, necessitating manual
password entry via the keyboard.

Fix this by eliminating the file descriptor leak in the client.

* plugins.d/mandos-client.c (add_delete_local_route): Do
  close(devnull) also in parent process, also if fork() fails, and on
  any failure in child process.

files added:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
initramfs-tools-hook-conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.c

* Password-prompt - Read a password from the terminal and print it

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* published by the Free Software Foundation, either version 3 of the

* License, or (at your option) any later version.

* This program is distributed in the hope that it will be useful, but

* This file is part of Mandos.

* Mandos is free software: you can redistribute it and/or modify it

* under the terms of the GNU General Public License as published by

* the Free Software Foundation, either version 3 of the License, or

* (at your option) any later version.

* Mandos is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* along with Mandos. If not, see <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@recompile.se>.

#include <termios.h> /* struct termios, tcsetattr(),

TCSAFLUSH, tcgetattr(), ECHO */

#include <unistd.h> /* struct termios, tcsetattr(),

STDIN_FILENO, TCSAFLUSH,

tcgetattr(), ECHO, readlink() */

#include <unistd.h> /* access(), struct termios,

tcsetattr(), STDIN_FILENO,

TCSAFLUSH, tcgetattr(), ECHO,

readlink() */

#include <signal.h> /* sig_atomic_t, raise(), struct

sigaction, sigemptyset(),

sigaction(), sigaddset(), SIGINT,

109

111

from the terminal. Password-prompt will exit if it detects

110

112

plymouth since plymouth performs the same functionality.

111

113

114

if(access("/run/plymouth/pid", R_OK) == 0){

115

return true;

116

}

117

112

118

__attribute__((nonnull))

113

119

int is_plymouth(const struct dirent *proc_entry){

114

120

int ret;

215

221

if(ret == -1){

216

222

error_plus(1, errno, "scandir");

217

223

}

224

{

225

int i = ret;

226

while(i--){

227

free(direntries[i]);

228

}

229

}

218

230

free(direntries);

219

231

return ret > 0;

220

232

}

227

239

struct termios t_new, t_old;

228

240

char *buffer = NULL;

229

241

char *prefix = NULL;

242

char *prompt = NULL;

230

243

int status = EXIT_SUCCESS;

231

244

struct sigaction old_action,

232

245

new_action = { .sa_handler = termination_handler,

236

249

{ .name = "prefix", .key = 'p',

237

250

.arg = "PREFIX", .flags = 0,

238

251

.doc = "Prefix shown before the prompt", .group = 2 },

252

{ .name = "prompt", .key = 129,

253

.arg = "PROMPT", .flags = 0,

254

.doc = "The prompt to show", .group = 2 },

239

255

{ .name = "debug", .key = 128,

240

256

.doc = "Debug mode", .group = 3 },

241

257

254

270

error_t parse_opt (int key, char *arg, struct argp_state *state){

255

271

errno = 0;

256

272

switch (key){

257

case 'p':

273

case 'p': /* --prefix */

258

274

prefix = arg;

259

275

break;

260

case 128:

276

case 128: /* --debug */

261

277

debug = true;

262

278

break;

279

case 129: /* --prompt */

280

prompt = arg;

281

break;

263

282

264

283

* These reproduce what we would get without ARGP_NO_HELP

265

284

267

286

argp_state_help(state, state->out_stream,

268

287

(ARGP_HELP_STD_HELP | ARGP_HELP_EXIT_ERR)

269

288

& ~(unsigned int)ARGP_HELP_EXIT_OK);

289

__builtin_unreachable();

270

290

case -3: /* --usage */

271

291

argp_state_help(state, state->out_stream,

272

292

ARGP_HELP_USAGE | ARGP_HELP_EXIT_ERR);

293

__builtin_unreachable();

273

294

case 'V': /* --version */

274

295

fprintf(state->out_stream, "%s\n", argp_program_version);

275

296

exit(argp_err_exit_status);

418

439

if(prefix){

419

440

fprintf(stderr, "%s ", prefix);

420

441

}

421

{

442

if(prompt != NULL){

443

fprintf(stderr, "%s: ", prompt);

444

} else {

422

445

const char *cryptsource = getenv("CRYPTTAB_SOURCE");

423

446

const char *crypttarget = getenv("CRYPTTAB_NAME");

424

447

/* Before cryptsetup 1.1.0~rc2 */

499

522

}

500

523

if(sret < 0){

501

524

int e = errno;

502

if(errno != EINTR and not feof(stdin)){

503

error_plus(0, errno, "getline");

504

switch(e){

505

case EBADF:

506

status = EX_UNAVAILABLE;

507

break;

508

case EIO:

509

case EINVAL:

510

default:

511

status = EX_IOERR;

512

break;

525

if(errno != EINTR){

526

if(not feof(stdin)){

527

error_plus(0, errno, "getline");

528

switch(e){

529

case EBADF:

530

status = EX_UNAVAILABLE;

531

break;

532

case EIO:

533

case EINVAL:

534

default:

535

status = EX_IOERR;

536

break;

537

}

538

break;

539

} else {

540

clearerr(stdin);

513

541

}

514

break;

515

542

}

516

543

}

517

544

/* if(sret == 0), then the only sensible thing to do is to retry

Older »