/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to dracut-module/password-agent.xml

  • Committer: teddy at recompile
  • Date: 2020-12-03 20:30:45 UTC
  • Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x
Minor fix of a test function

In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket.  Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.

This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer.  The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)

* dracut-module/password-agent.c
  (test_send_password_to_socket_EMSGSIZE): Break out early when ssret
  < 0 and errno == EMSGSIZE; don't allow loop to increase message_size
  again.

Show diffs side-by-side

added added

removed removed

Lines of Context:
dracut-module/password-agent.xml
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "password-agent">
5
 
<!ENTITY TIMESTAMP "2019-11-13">
 
5
<!ENTITY TIMESTAMP "2020-09-16">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
113
113
      be a <citerefentry><refentrytitle>systemd</refentrytitle>
114
114
      <manvolnum>1</manvolnum></citerefentry> <quote>Password
115
115
      Agent</quote> (See <ulink
116
 
      url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
117
 
      >Password Agents</ulink>).  The aim of this program is therefore
118
 
      to acquire and then send a password to some other program which
 
116
      url="https://systemd.io/PASSWORD_AGENTS/">Password
 
117
      Agents</ulink>).  The aim of this program is therefore to
 
118
      acquire and then send a password to some other program which
119
119
      will use the password to unlock the encrypted root disk.
120
120
    </para>
121
121
    <para>
146
146
            Specify a different agent directory.  The default is
147
147
            <quote><filename class="directory"
148
148
            >/run/systemd/ask-password</filename ></quote> as per the
149
 
            <ulink
150
 
            url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
151
 
            >Password Agents</ulink> specification.
 
149
            <ulink url="https://systemd.io/PASSWORD_AGENTS/">Password
 
150
            Agents</ulink> specification.
152
151
          </para>
153
152
        </listitem>
154
153
      </varlistentry>
270
269
      responsible for getting a password from the Mandos client
271
270
      program itself, and to send that password to whatever is
272
271
      currently asking for a password using the systemd <ulink
273
 
      url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
274
 
      >Password Agents</ulink> mechanism.
 
272
      url="https://systemd.io/PASSWORD_AGENTS/">Password
 
273
      Agents</ulink> mechanism.
275
274
    </para>
276
275
    <para>To accomplish this, &COMMANDNAME; runs the
277
276
    <command>mandos-client</command> program (which is the actual
281
280
    password is acquired from the
282
281
    <replaceable>MANDOS_CLIENT</replaceable> program, sends that
283
282
    password (as per the <ulink
284
 
    url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
285
 
    >Password Agents</ulink> specification) to all currently
286
 
    unanswered password questions.
 
283
    url="https://systemd.io/PASSWORD_AGENTS/">Password Agents</ulink>
 
284
    specification) to all currently unanswered password questions.
287
285
    </para>
288
286
    <para>
289
287
      This program should be started (normally as a systemd service,
330
328
            <para>
331
329
              The default directory to watch for password questions as
332
330
              per the <ulink
333
 
              url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
334
 
              >Password Agents</ulink> specification; can be changed
335
 
              by the <option>--agent-directory</option> option.
 
331
              url="https://systemd.io/PASSWORD_AGENTS/">Password
 
332
              Agents</ulink> specification; can be changed by the
 
333
              <option>--agent-directory</option> option.
336
334
            </para>
337
335
          </listitem>
338
336
        </varlistentry>
446
444
    <variablelist>
447
445
      <varlistentry>
448
446
        <term>
449
 
          <ulink
450
 
              url="https://www.freedesktop.org/wiki/Software/systemd/PasswordAgents/"
451
 
              >Password Agents</ulink>
 
447
          <ulink url="https://systemd.io/PASSWORD_AGENTS/">Password
 
448
          Agents</ulink>
452
449
        </term>
453
450
        <listitem>
454
451
          <para>