/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

  • Committer: teddy at recompile
  • Date: 2020-12-03 20:30:45 UTC
  • Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x
Minor fix of a test function

In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket.  Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.

This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer.  The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)

* dracut-module/password-agent.c
  (test_send_password_to_socket_EMSGSIZE): Break out early when ssret
  < 0 and errno == EMSGSIZE; don't allow loop to increase message_size
  again.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
 
WARN=-O -Wall -Wformat=2 -Winit-self -Wmissing-include-dirs \
2
 
        -Wswitch-default -Wswitch-enum -Wunused-parameter \
3
 
        -Wstrict-aliasing=1 -Wextra -Wfloat-equal -Wundef -Wshadow \
 
1
WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \
 
2
        -Wmissing-include-dirs -Wswitch-default -Wswitch-enum \
 
3
        -Wunused -Wuninitialized -Wstrict-overflow=5 \
 
4
        -Wsuggest-attribute=pure -Wsuggest-attribute=const \
 
5
        -Wsuggest-attribute=noreturn -Wfloat-equal -Wundef -Wshadow \
4
6
        -Wunsafe-loop-optimizations -Wpointer-arith \
5
7
        -Wbad-function-cast -Wcast-qual -Wcast-align -Wwrite-strings \
6
 
        -Wconversion -Wstrict-prototypes -Wold-style-definition \
7
 
        -Wpacked -Wnested-externs -Winline -Wvolatile-register-var
8
 
#       -Wunreachable-code 
9
 
#DEBUG=-ggdb3
10
 
# For info about _FORTIFY_SOURCE, see
11
 
# <http://www.kernel.org/doc/man-pages/online/pages/man7/feature_test_macros.7.html>
12
 
# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
13
 
FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
14
 
LINK_FORTIFY_LD=-z relro -z now
15
 
LINK_FORTIFY=
 
8
        -Wconversion -Wlogical-op -Waggregate-return \
 
9
        -Wstrict-prototypes -Wold-style-definition \
 
10
        -Wmissing-format-attribute -Wnormalized=nfc -Wpacked \
 
11
        -Wredundant-decls -Wnested-externs -Winline -Wvla \
 
12
        -Wvolatile-register-var -Woverlength-strings
 
13
 
 
14
#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)
 
15
## Check which sanitizing options can be used
 
16
#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \
 
17
#       echo 'int main(){}' | $(CC) --language=c $(option) \
 
18
#       /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))
 
19
# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>
 
20
ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \
 
21
        -fsanitize=shift -fsanitize=integer-divide-by-zero \
 
22
        -fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \
 
23
        -fsanitize=return -fsanitize=signed-integer-overflow \
 
24
        -fsanitize=bounds -fsanitize=alignment \
 
25
        -fsanitize=object-size -fsanitize=float-divide-by-zero \
 
26
        -fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \
 
27
        -fsanitize=returns-nonnull-attribute -fsanitize=bool \
 
28
        -fsanitize=enum -fsanitize-address-use-after-scope
 
29
 
 
30
# For info about _FORTIFY_SOURCE, see feature_test_macros(7)
 
31
# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.
 
32
FORTIFY:=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC
 
33
LINK_FORTIFY_LD:=-z relro -z now
 
34
LINK_FORTIFY:=
16
35
 
17
36
# If BROKEN_PIE is set, do not build with -pie
18
37
ifndef BROKEN_PIE
20
39
LINK_FORTIFY += -pie
21
40
endif
22
41
#COVERAGE=--coverage
23
 
OPTIMIZE=-Os
24
 
LANGUAGE=-std=gnu99
25
 
htmldir=man
26
 
version=1.0.14
27
 
SED=sed
 
42
OPTIMIZE:=-Os -fno-strict-aliasing
 
43
LANGUAGE:=-std=gnu11
 
44
FEATURES:=-D_FILE_OFFSET_BITS=64
 
45
htmldir:=man
 
46
version:=1.8.13
 
47
SED:=sed
 
48
PKG_CONFIG?=pkg-config
 
49
 
 
50
USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \
 
51
        || getent passwd nobody || echo 65534)))
 
52
GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \
 
53
        || getent group nogroup || echo 65534)))
 
54
 
 
55
LINUXVERSION:=$(shell uname --kernel-release)
28
56
 
29
57
## Use these settings for a traditional /usr/local install
30
 
# PREFIX=$(DESTDIR)/usr/local
31
 
# CONFDIR=$(DESTDIR)/etc/mandos
32
 
# KEYDIR=$(DESTDIR)/etc/mandos/keys
33
 
# MANDIR=$(PREFIX)/man
34
 
# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools
 
58
# PREFIX:=$(DESTDIR)/usr/local
 
59
# CONFDIR:=$(DESTDIR)/etc/mandos
 
60
# KEYDIR:=$(DESTDIR)/etc/mandos/keys
 
61
# MANDIR:=$(PREFIX)/man
 
62
# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools
 
63
# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 
64
# STATEDIR:=$(DESTDIR)/var/lib/mandos
 
65
# LIBDIR:=$(PREFIX)/lib
35
66
##
36
67
 
37
68
## These settings are for a package-type install
38
 
PREFIX=$(DESTDIR)/usr
39
 
CONFDIR=$(DESTDIR)/etc/mandos
40
 
KEYDIR=$(DESTDIR)/etc/keys/mandos
41
 
MANDIR=$(PREFIX)/share/man
42
 
INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools
 
69
PREFIX:=$(DESTDIR)/usr
 
70
CONFDIR:=$(DESTDIR)/etc/mandos
 
71
KEYDIR:=$(DESTDIR)/etc/keys/mandos
 
72
MANDIR:=$(PREFIX)/share/man
 
73
INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools
 
74
DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos
 
75
STATEDIR:=$(DESTDIR)/var/lib/mandos
 
76
LIBDIR:=$(shell \
 
77
        for d in \
 
78
        "/usr/lib/`dpkg-architecture \
 
79
                        -qDEB_HOST_MULTIARCH 2>/dev/null`" \
 
80
        "`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \
 
81
                if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \
 
82
                        echo "$(DESTDIR)$$d"; \
 
83
                        break; \
 
84
                fi; \
 
85
        done)
43
86
##
44
87
 
45
 
GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)
46
 
GNUTLS_LIBS=$(shell pkg-config --libs gnutls)
47
 
AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)
48
 
AVAHI_LIBS=$(shell pkg-config --libs avahi-core)
49
 
GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
50
 
GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \
 
88
SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
89
                        --variable=systemdsystemunitdir)
 
90
TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
91
                        --variable=tmpfilesdir)
 
92
SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \
 
93
                        --variable=sysusersdir)
 
94
 
 
95
GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)
 
96
GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)
 
97
AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)
 
98
AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)
 
99
GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)
 
100
GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \
51
101
        getconf LFS_LDFLAGS)
 
102
LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)
 
103
LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)
 
104
GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)
 
105
GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)
52
106
 
53
107
# Do not change these two
54
 
CFLAGS=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
55
 
        $(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \
56
 
        -DVERSION='"$(version)"'
57
 
LDFLAGS=$(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
 
108
CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \
 
109
        $(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'
 
110
LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \
 
111
        ) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))
58
112
 
59
113
# Commands to format a DocBook <refentry> document into a manual page
60
114
DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \
63
117
        --param make.single.year.ranges         1 \
64
118
        --param man.output.quietly              1 \
65
119
        --param man.authors.section.enabled     0 \
66
 
         /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
 
120
        /usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \
67
121
        $(notdir $<); \
68
 
        $(MANPOST) $(notdir $@))
69
 
# DocBook-to-man post-processing to fix a '\n' escape bug
70
 
MANPOST=$(SED) --in-place --expression='s,\\\\en,\\en,g;s,\\n,\\en,g'
 
122
        if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \
 
123
        && command -v man >/dev/null; then LANG=en_US.UTF-8 \
 
124
        MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \
 
125
        $(notdir $@); fi >/dev/null)
71
126
 
72
127
DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \
73
128
        --param make.year.ranges                1 \
79
134
        /usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \
80
135
        $<; $(HTMLPOST) $@)
81
136
# Fix citerefentry links
82
 
HTMLPOST=$(SED) --in-place \
 
137
HTMLPOST:=$(SED) --in-place \
83
138
        --expression='s/\(<a class="citerefentry" href="\)\("><span class="citerefentry"><span class="refentrytitle">\)\([^<]*\)\(<\/span>(\)\([^)]*\)\()<\/span><\/a>\)/\1\3.\5\2\3\4\5\6/g'
84
139
 
85
 
PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
86
 
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo
87
 
CPROGS=plugin-runner $(PLUGINS)
88
 
PROGS=mandos mandos-keygen mandos-ctl $(CPROGS)
89
 
DOCS=mandos.8 plugin-runner.8mandos mandos-keygen.8 \
 
140
PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \
 
141
        plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
 
142
        plugins.d/plymouth
 
143
PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel
 
144
CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \
 
145
        $(PLUGIN_HELPERS)
 
146
PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 
147
DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 
148
        mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
 
149
        dracut-module/password-agent.8mandos \
90
150
        plugins.d/mandos-client.8mandos \
91
 
        plugins.d/password-prompt.8mandos mandos.conf.5 \
92
 
        plugins.d/usplash.8mandos plugins.d/splashy.8mandos \
93
 
        plugins.d/askpass-fifo.8mandos mandos-clients.conf.5
94
 
 
95
 
htmldocs=$(addsuffix .xhtml,$(DOCS))
96
 
 
97
 
objects=$(addsuffix .o,$(CPROGS))
98
 
 
 
151
        plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \
 
152
        plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \
 
153
        plugins.d/plymouth.8mandos intro.8mandos
 
154
 
 
155
htmldocs:=$(addsuffix .xhtml,$(DOCS))
 
156
 
 
157
objects:=$(addsuffix .o,$(CPROGS))
 
158
 
 
159
.PHONY: all
99
160
all: $(PROGS) mandos.lsm
100
161
 
 
162
.PHONY: doc
101
163
doc: $(DOCS)
102
164
 
 
165
.PHONY: html
103
166
html: $(htmldocs)
104
167
 
105
168
%.5: %.xml common.ent legalnotice.xml
117
180
%.8mandos.xhtml: %.xml common.ent legalnotice.xml
118
181
        $(DOCBOOKTOHTML)
119
182
 
 
183
intro.8mandos: intro.xml common.ent legalnotice.xml
 
184
        $(DOCBOOKTOMAN)
 
185
intro.8mandos.xhtml: intro.xml common.ent legalnotice.xml
 
186
        $(DOCBOOKTOHTML)
 
187
 
120
188
mandos.8: mandos.xml common.ent mandos-options.xml overview.xml \
121
189
                legalnotice.xml
122
190
        $(DOCBOOKTOMAN)
131
199
                 legalnotice.xml
132
200
        $(DOCBOOKTOHTML)
133
201
 
 
202
mandos-monitor.8: mandos-monitor.xml common.ent overview.xml \
 
203
                legalnotice.xml
 
204
        $(DOCBOOKTOMAN)
 
205
mandos-monitor.8.xhtml: mandos-monitor.xml common.ent overview.xml \
 
206
                 legalnotice.xml
 
207
        $(DOCBOOKTOHTML)
 
208
 
 
209
mandos-ctl.8: mandos-ctl.xml common.ent overview.xml \
 
210
                legalnotice.xml
 
211
        $(DOCBOOKTOMAN)
 
212
mandos-ctl.8.xhtml: mandos-ctl.xml common.ent overview.xml \
 
213
                 legalnotice.xml
 
214
        $(DOCBOOKTOHTML)
 
215
 
134
216
mandos.conf.5: mandos.conf.xml common.ent mandos-options.xml \
135
217
                legalnotice.xml
136
218
        $(DOCBOOKTOMAN)
145
227
                overview.xml legalnotice.xml
146
228
        $(DOCBOOKTOHTML)
147
229
 
 
230
dracut-module/password-agent.8mandos: \
 
231
                dracut-module/password-agent.xml common.ent \
 
232
                overview.xml legalnotice.xml
 
233
        $(DOCBOOKTOMAN)
 
234
dracut-module/password-agent.8mandos.xhtml: \
 
235
                dracut-module/password-agent.xml common.ent \
 
236
                overview.xml legalnotice.xml
 
237
        $(DOCBOOKTOHTML)
 
238
 
148
239
plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \
149
240
                                        common.ent \
150
241
                                        mandos-options.xml \
177
268
                --expression='s/^\(version = "\)[^"]*"$$/\1$(version)"/' \
178
269
                $@)
179
270
 
 
271
mandos-monitor: Makefile
 
272
        $(strip $(SED) --in-place \
 
273
                --expression='s/^\(version = "\)[^"]*"$$/\1$(version)"/' \
 
274
                $@)
 
275
 
180
276
mandos.lsm: Makefile
181
277
        $(strip $(SED) --in-place \
182
278
                --expression='s/^\(Version:\).*/\1\t$(version)/' \
188
284
                --expression='s/\(mandos_\)[0-9.]\+\(\.orig\.tar\.gz\)/\1$(version)\2/' \
189
285
                $@)
190
286
 
191
 
plugins.d/mandos-client: plugins.d/mandos-client.c
192
 
        $(LINK.c) $(GNUTLS_LIBS) $(AVAHI_LIBS) $(GPGME_LIBS) $(strip\
193
 
                ) $(COMMON) $^ $(LOADLIBES) $(LDLIBS) -o $@
194
 
 
195
 
.PHONY : all doc html clean distclean run-client run-server install \
196
 
        install-server install-client uninstall uninstall-server \
197
 
        uninstall-client purge purge-server purge-client
198
 
 
 
287
# Need to add the GnuTLS, Avahi and GPGME libraries
 
288
plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \
 
289
        ) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)
 
290
plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \
 
291
        ) $(AVAHI_LIBS) $(GPGME_LIBS)
 
292
 
 
293
# Need to add the libnl-route library
 
294
plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)
 
295
plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)
 
296
 
 
297
# Need to add the GLib and pthread libraries
 
298
dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)
 
299
dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread
 
300
 
 
301
.PHONY: clean
199
302
clean:
200
303
        -rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core
201
304
 
 
305
.PHONY: distclean
202
306
distclean: clean
 
307
.PHONY: mostlyclean
203
308
mostlyclean: clean
 
309
.PHONY: maintainer-clean
204
310
maintainer-clean: clean
205
 
        -rm --force --recursive keydir confdir
 
311
        -rm --force --recursive keydir confdir statedir
206
312
 
207
 
check:  all
 
313
.PHONY: check
 
314
check: all
208
315
        ./mandos --check
 
316
        ./mandos-ctl --check
 
317
        ./mandos-keygen --version
 
318
        ./plugin-runner --version
 
319
        ./plugin-helpers/mandos-client-iprouteadddel --version
 
320
        ./dracut-module/password-agent --test
209
321
 
210
322
# Run the client with a local config and key
211
 
run-client: all keydir/seckey.txt keydir/pubkey.txt
 
323
.PHONY: run-client
 
324
run-client: all keydir/seckey.txt keydir/pubkey.txt \
 
325
                        keydir/tls-privkey.pem keydir/tls-pubkey.pem
 
326
        @echo '######################################################'
 
327
        @echo '# The following error messages are harmless and can  #'
 
328
        @echo '#  be safely ignored:                                #'
 
329
        @echo '## From plugin-runner:                               #'
 
330
        @echo '# setgid: Operation not permitted                    #'
 
331
        @echo '# setuid: Operation not permitted                    #'
 
332
        @echo '## From askpass-fifo:                                #'
 
333
        @echo '# mkfifo: Permission denied                          #'
 
334
        @echo '## From mandos-client:                               #'
 
335
        @echo '# Failed to raise privileges: Operation not permi... #'
 
336
        @echo '# Warning: network hook "*" exited with status *     #'
 
337
        @echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'
 
338
        @echo '# Failed to bring up interface "*": Operation not... #'
 
339
        @echo '#                                                    #'
 
340
        @echo '# (The messages are caused by not running as root,   #'
 
341
        @echo '# but you should NOT run "make run-client" as root   #'
 
342
        @echo '# unless you also unpacked and compiled Mandos as    #'
 
343
        @echo '# root, which is also NOT recommended.)              #'
 
344
        @echo '######################################################'
 
345
# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
212
346
        ./plugin-runner --plugin-dir=plugins.d \
 
347
                --plugin-helper-dir=plugin-helpers \
213
348
                --config-file=plugin-runner.conf \
214
 
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt \
 
349
                --options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \
 
350
                --env-for=mandos-client:GNOME_KEYRING_CONTROL= \
215
351
                $(CLIENTARGS)
216
352
 
217
353
# Used by run-client
218
 
keydir/seckey.txt keydir/pubkey.txt: mandos-keygen
 
354
keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen
219
355
        install --directory keydir
220
356
        ./mandos-keygen --dir keydir --force
 
357
        if ! [ -e keydir/tls-privkey.pem ]; then \
 
358
                install --mode=u=rw /dev/null keydir/tls-privkey.pem; \
 
359
        fi
 
360
        if ! [ -e keydir/tls-pubkey.pem ]; then \
 
361
                install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \
 
362
        fi
221
363
 
222
364
# Run the server with a local config
223
 
run-server: confdir/mandos.conf confdir/clients.conf
224
 
        ./mandos --debug --no-dbus --configdir=confdir $(SERVERARGS)
 
365
.PHONY: run-server
 
366
run-server: confdir/mandos.conf confdir/clients.conf statedir
 
367
        ./mandos --debug --no-dbus --configdir=confdir \
 
368
                --statedir=statedir $(SERVERARGS)
225
369
 
226
370
# Used by run-server
227
371
confdir/mandos.conf: mandos.conf
228
372
        install --directory confdir
229
373
        install --mode=u=rw,go=r $^ $@
230
 
confdir/clients.conf: clients.conf keydir/seckey.txt
 
374
confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem
231
375
        install --directory confdir
232
376
        install --mode=u=rw $< $@
233
377
# Add a client password
234
 
        ./mandos-keygen --dir keydir --password >> $@
 
378
        ./mandos-keygen --dir keydir --password --no-ssh >> $@
 
379
statedir:
 
380
        install --directory statedir
235
381
 
 
382
.PHONY: install
236
383
install: install-server install-client-nokey
237
384
 
 
385
.PHONY: install-html
238
386
install-html: html
239
387
        install --directory $(htmldir)
240
388
        install --mode=u=rw,go=r --target-directory=$(htmldir) \
241
389
                $(htmldocs)
242
390
 
 
391
.PHONY: install-server
243
392
install-server: doc
244
393
        install --directory $(CONFDIR)
 
394
        if install --directory --mode=u=rwx --owner=$(USER) \
 
395
                --group=$(GROUP) $(STATEDIR); then \
 
396
                :; \
 
397
        elif install --directory --mode=u=rwx $(STATEDIR); then \
 
398
                chown -- $(USER):$(GROUP) $(STATEDIR) || :; \
 
399
        fi
 
400
        if [ "$(TMPFILES)" != "$(DESTDIR)" \
 
401
                        -a -d "$(TMPFILES)" ]; then \
 
402
                install --mode=u=rw,go=r tmpfiles.d-mandos.conf \
 
403
                        $(TMPFILES)/mandos.conf; \
 
404
        fi
 
405
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
 
406
                        -a -d "$(SYSUSERS)" ]; then \
 
407
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
 
408
                        $(SYSUSERS)/mandos.conf; \
 
409
        fi
245
410
        install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos
 
411
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
 
412
                mandos-ctl
 
413
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
 
414
                mandos-monitor
246
415
        install --mode=u=rw,go=r --target-directory=$(CONFDIR) \
247
416
                mandos.conf
248
417
        install --mode=u=rw --target-directory=$(CONFDIR) \
249
418
                clients.conf
 
419
        install --mode=u=rw,go=r dbus-mandos.conf \
 
420
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
250
421
        install --mode=u=rwx,go=rx init.d-mandos \
251
422
                $(DESTDIR)/etc/init.d/mandos
 
423
        if [ "$(SYSTEMD)" != "$(DESTDIR)" -a -d "$(SYSTEMD)" ]; then \
 
424
                install --mode=u=rw,go=r mandos.service $(SYSTEMD); \
 
425
        fi
252
426
        install --mode=u=rw,go=r default-mandos \
253
427
                $(DESTDIR)/etc/default/mandos
254
428
        if [ -z $(DESTDIR) ]; then \
256
430
        fi
257
431
        gzip --best --to-stdout mandos.8 \
258
432
                > $(MANDIR)/man8/mandos.8.gz
 
433
        gzip --best --to-stdout mandos-monitor.8 \
 
434
                > $(MANDIR)/man8/mandos-monitor.8.gz
 
435
        gzip --best --to-stdout mandos-ctl.8 \
 
436
                > $(MANDIR)/man8/mandos-ctl.8.gz
259
437
        gzip --best --to-stdout mandos.conf.5 \
260
438
                > $(MANDIR)/man5/mandos.conf.5.gz
261
439
        gzip --best --to-stdout mandos-clients.conf.5 \
262
440
                > $(MANDIR)/man5/mandos-clients.conf.5.gz
 
441
        gzip --best --to-stdout intro.8mandos \
 
442
                > $(MANDIR)/man8/intro.8mandos.gz
263
443
 
 
444
.PHONY: install-client-nokey
264
445
install-client-nokey: all doc
265
 
        install --directory $(PREFIX)/lib/mandos $(CONFDIR)
 
446
        install --directory $(LIBDIR)/mandos $(CONFDIR)
266
447
        install --directory --mode=u=rwx $(KEYDIR) \
267
 
                $(PREFIX)/lib/mandos/plugins.d
268
 
        if [ "$(CONFDIR)" != "$(PREFIX)/lib/mandos" ]; then \
 
448
                $(LIBDIR)/mandos/plugins.d \
 
449
                $(LIBDIR)/mandos/plugin-helpers
 
450
        if [ "$(SYSUSERS)" != "$(DESTDIR)" \
 
451
                        -a -d "$(SYSUSERS)" ]; then \
 
452
                install --mode=u=rw,go=r sysusers.d-mandos.conf \
 
453
                        $(SYSUSERS)/mandos-client.conf; \
 
454
        fi
 
455
        if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
269
456
                install --mode=u=rwx \
270
 
                        --directory "$(CONFDIR)/plugins.d"; \
 
457
                        --directory "$(CONFDIR)/plugins.d" \
 
458
                        "$(CONFDIR)/plugin-helpers"; \
271
459
        fi
272
 
        install --mode=u=rwx,go=rx \
273
 
                --target-directory=$(PREFIX)/lib/mandos plugin-runner
 
460
        install --mode=u=rwx,go=rx --directory \
 
461
                "$(CONFDIR)/network-hooks.d"
 
462
        install --mode=u=rwx,go=rx \
 
463
                --target-directory=$(LIBDIR)/mandos plugin-runner
 
464
        install --mode=u=rwx,go=rx \
 
465
                --target-directory=$(LIBDIR)/mandos \
 
466
                mandos-to-cryptroot-unlock
274
467
        install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \
275
468
                mandos-keygen
276
469
        install --mode=u=rwx,go=rx \
277
 
                --target-directory=$(PREFIX)/lib/mandos/plugins.d \
 
470
                --target-directory=$(LIBDIR)/mandos/plugins.d \
278
471
                plugins.d/password-prompt
279
472
        install --mode=u=rwxs,go=rx \
280
 
                --target-directory=$(PREFIX)/lib/mandos/plugins.d \
 
473
                --target-directory=$(LIBDIR)/mandos/plugins.d \
281
474
                plugins.d/mandos-client
282
475
        install --mode=u=rwxs,go=rx \
283
 
                --target-directory=$(PREFIX)/lib/mandos/plugins.d \
 
476
                --target-directory=$(LIBDIR)/mandos/plugins.d \
284
477
                plugins.d/usplash
285
478
        install --mode=u=rwxs,go=rx \
286
 
                --target-directory=$(PREFIX)/lib/mandos/plugins.d \
 
479
                --target-directory=$(LIBDIR)/mandos/plugins.d \
287
480
                plugins.d/splashy
288
481
        install --mode=u=rwxs,go=rx \
289
 
                --target-directory=$(PREFIX)/lib/mandos/plugins.d \
 
482
                --target-directory=$(LIBDIR)/mandos/plugins.d \
290
483
                plugins.d/askpass-fifo
 
484
        install --mode=u=rwxs,go=rx \
 
485
                --target-directory=$(LIBDIR)/mandos/plugins.d \
 
486
                plugins.d/plymouth
 
487
        install --mode=u=rwx,go=rx \
 
488
                --target-directory=$(LIBDIR)/mandos/plugin-helpers \
 
489
                plugin-helpers/mandos-client-iprouteadddel
291
490
        install initramfs-tools-hook \
292
491
                $(INITRAMFSTOOLS)/hooks/mandos
293
 
        install --mode=u=rw,go=r initramfs-tools-hook-conf \
294
 
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos
 
492
        install --mode=u=rw,go=r initramfs-tools-conf \
 
493
                $(INITRAMFSTOOLS)/conf.d/mandos-conf
 
494
        install --mode=u=rw,go=r initramfs-tools-conf-hook \
 
495
                $(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos
295
496
        install initramfs-tools-script \
296
497
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos
 
498
        install initramfs-tools-script-stop \
 
499
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos
 
500
        install --directory $(DRACUTMODULE)
 
501
        install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \
 
502
                dracut-module/ask-password-mandos.path \
 
503
                dracut-module/ask-password-mandos.service
 
504
        install --mode=u=rwxs,go=rx \
 
505
                --target-directory=$(DRACUTMODULE) \
 
506
                dracut-module/module-setup.sh \
 
507
                dracut-module/cmdline-mandos.sh \
 
508
                dracut-module/password-agent
297
509
        install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)
298
510
        gzip --best --to-stdout mandos-keygen.8 \
299
511
                > $(MANDIR)/man8/mandos-keygen.8.gz
300
512
        gzip --best --to-stdout plugin-runner.8mandos \
301
513
                > $(MANDIR)/man8/plugin-runner.8mandos.gz
 
514
        gzip --best --to-stdout plugins.d/mandos-client.8mandos \
 
515
                > $(MANDIR)/man8/mandos-client.8mandos.gz
302
516
        gzip --best --to-stdout plugins.d/password-prompt.8mandos \
303
517
                > $(MANDIR)/man8/password-prompt.8mandos.gz
304
 
        gzip --best --to-stdout plugins.d/mandos-client.8mandos \
305
 
                > $(MANDIR)/man8/mandos-client.8mandos.gz
306
518
        gzip --best --to-stdout plugins.d/usplash.8mandos \
307
519
                > $(MANDIR)/man8/usplash.8mandos.gz
308
520
        gzip --best --to-stdout plugins.d/splashy.8mandos \
309
521
                > $(MANDIR)/man8/splashy.8mandos.gz
310
522
        gzip --best --to-stdout plugins.d/askpass-fifo.8mandos \
311
523
                > $(MANDIR)/man8/askpass-fifo.8mandos.gz
 
524
        gzip --best --to-stdout plugins.d/plymouth.8mandos \
 
525
                > $(MANDIR)/man8/plymouth.8mandos.gz
 
526
        gzip --best --to-stdout dracut-module/password-agent.8mandos \
 
527
                > $(MANDIR)/man8/password-agent.8mandos.gz
312
528
 
 
529
.PHONY: install-client
313
530
install-client: install-client-nokey
314
531
# Post-installation stuff
315
532
        -$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"
316
 
        update-initramfs -k all -u
 
533
        if command -v update-initramfs >/dev/null; then \
 
534
            update-initramfs -k all -u; \
 
535
        elif command -v dracut >/dev/null; then \
 
536
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
 
537
                if [ -w "$$initrd" ]; then \
 
538
                    chmod go-r "$$initrd"; \
 
539
                    dracut --force "$$initrd"; \
 
540
                fi; \
 
541
            done; \
 
542
        fi
317
543
        echo "Now run mandos-keygen --password --dir $(KEYDIR)"
318
544
 
 
545
.PHONY: uninstall
319
546
uninstall: uninstall-server uninstall-client
320
547
 
 
548
.PHONY: uninstall-server
321
549
uninstall-server:
322
550
        -rm --force $(PREFIX)/sbin/mandos \
 
551
                $(PREFIX)/sbin/mandos-ctl \
 
552
                $(PREFIX)/sbin/mandos-monitor \
323
553
                $(MANDIR)/man8/mandos.8.gz \
 
554
                $(MANDIR)/man8/mandos-monitor.8.gz \
 
555
                $(MANDIR)/man8/mandos-ctl.8.gz \
324
556
                $(MANDIR)/man5/mandos.conf.5.gz \
325
557
                $(MANDIR)/man5/mandos-clients.conf.5.gz
326
558
        update-rc.d -f mandos remove
327
559
        -rmdir $(CONFDIR)
328
560
 
 
561
.PHONY: uninstall-client
329
562
uninstall-client:
330
563
# Refuse to uninstall client if /etc/crypttab is explicitly configured
331
564
# to use it.
332
565
        ! grep --regexp='^ *[^ #].*keyscript=[^,=]*/mandos/' \
333
566
                $(DESTDIR)/etc/crypttab
334
567
        -rm --force $(PREFIX)/sbin/mandos-keygen \
335
 
                $(PREFIX)/lib/mandos/plugin-runner \
336
 
                $(PREFIX)/lib/mandos/plugins.d/password-prompt \
337
 
                $(PREFIX)/lib/mandos/plugins.d/mandos-client \
338
 
                $(PREFIX)/lib/mandos/plugins.d/usplash \
339
 
                $(PREFIX)/lib/mandos/plugins.d/splashy \
340
 
                $(PREFIX)/lib/mandos/plugins.d/askpass-fifo \
 
568
                $(LIBDIR)/mandos/plugin-runner \
 
569
                $(LIBDIR)/mandos/plugins.d/password-prompt \
 
570
                $(LIBDIR)/mandos/plugins.d/mandos-client \
 
571
                $(LIBDIR)/mandos/plugins.d/usplash \
 
572
                $(LIBDIR)/mandos/plugins.d/splashy \
 
573
                $(LIBDIR)/mandos/plugins.d/askpass-fifo \
 
574
                $(LIBDIR)/mandos/plugins.d/plymouth \
341
575
                $(INITRAMFSTOOLS)/hooks/mandos \
342
576
                $(INITRAMFSTOOLS)/conf-hooks.d/mandos \
343
577
                $(INITRAMFSTOOLS)/scripts/init-premount/mandos \
 
578
                $(INITRAMFSTOOLS)/scripts/local-premount/mandos \
 
579
                $(DRACUTMODULE)/ask-password-mandos.path \
 
580
                $(DRACUTMODULE)/ask-password-mandos.service \
 
581
                $(DRACUTMODULE)/module-setup.sh \
 
582
                $(DRACUTMODULE)/cmdline-mandos.sh \
 
583
                $(DRACUTMODULE)/password-agent \
 
584
                $(MANDIR)/man8/mandos-keygen.8.gz \
344
585
                $(MANDIR)/man8/plugin-runner.8mandos.gz \
345
 
                $(MANDIR)/man8/mandos-keygen.8.gz \
 
586
                $(MANDIR)/man8/mandos-client.8mandos.gz
346
587
                $(MANDIR)/man8/password-prompt.8mandos.gz \
347
588
                $(MANDIR)/man8/usplash.8mandos.gz \
348
589
                $(MANDIR)/man8/splashy.8mandos.gz \
349
590
                $(MANDIR)/man8/askpass-fifo.8mandos.gz \
350
 
                $(MANDIR)/man8/mandos-client.8mandos.gz
351
 
        -rmdir $(PREFIX)/lib/mandos/plugins.d $(CONFDIR)/plugins.d \
352
 
                 $(PREFIX)/lib/mandos $(CONFDIR) $(KEYDIR)
353
 
        update-initramfs -k all -u
 
591
                $(MANDIR)/man8/plymouth.8mandos.gz \
 
592
                $(MANDIR)/man8/password-agent.8mandos.gz \
 
593
        -rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \
 
594
                 $(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)
 
595
        if command -v update-initramfs >/dev/null; then \
 
596
            update-initramfs -k all -u; \
 
597
        elif command -v dracut >/dev/null; then \
 
598
            for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \
 
599
                test -w "$$initrd" && dracut --force "$$initrd"; \
 
600
            done; \
 
601
        fi
354
602
 
 
603
.PHONY: purge
355
604
purge: purge-server purge-client
356
605
 
 
606
.PHONY: purge-server
357
607
purge-server: uninstall-server
358
608
        -rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \
 
609
                $(DESTDIR)/etc/dbus-1/system.d/mandos.conf
359
610
                $(DESTDIR)/etc/default/mandos \
360
611
                $(DESTDIR)/etc/init.d/mandos \
 
612
                $(SYSTEMD)/mandos.service \
 
613
                $(DESTDIR)/run/mandos.pid \
361
614
                $(DESTDIR)/var/run/mandos.pid
362
615
        -rmdir $(CONFDIR)
363
616
 
 
617
.PHONY: purge-client
364
618
purge-client: uninstall-client
365
 
        -shred --remove $(KEYDIR)/seckey.txt
 
619
        -shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem
366
620
        -rm --force $(CONFDIR)/plugin-runner.conf \
367
 
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt
 
621
                $(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \
 
622
                $(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt
368
623
        -rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)