/mandos/trunk : revision 1229

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos.conf.xml

Committer: teddy at recompile
Date: 2020-12-03 20:30:45 UTC
Revision ID: teddy@recompile.se-20201203203045-iqd6nq9y5nwalh1x

Minor fix of a test function

In dracut-module/password-agent, the test function
test_send_password_to_socket_EMSGSIZE() (which tests that the
send_password_to_socket() task function aborts properly when getting
EMSGSIZE when writing to the password socket), part of the test code
is supposed to find a message size which definitely does trigger
EMSGSIZE when send()ing to a socket.  Without a "break" in the proper
place, however, the size given is always exactly 1024 bytes too large.

This is very probably not a problem, since a too large message will
still be too large if it is increased by 1024 bytes, and send(2) in
practice checks the size before reading the buffer.  The biggest issue
would be if some version of send(2) would try to look at the last 1024
bytes of the message buffer before checking the message size; this
would then lead to a buffer over-read when running this test function.
(But even then there would be no security implications since the tests
are not run in the normal operation of the program.)

* dracut-module/password-agent.c
  (test_send_password_to_socket_EMSGSIZE): Break out early when ssret
  < 0 and errno == EMSGSIZE; don't allow loop to increase message_size
  again.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/rules

debian/source

debian/source/format

debian/source/lintian-overrides

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/metadata

debian/upstream/signing-key.asc

debian/watch

default-mandos

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-hook

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

files renamed:
server.py => mandos

server.conf => mandos.conf

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

clients.conf

Show diffs side-by-side

added added

removed removed

mandos.conf.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY CONFNAME "mandos.conf">

<!ENTITY CONFPATH "<filename>/etc/mandos/mandos.conf</filename>">

<!ENTITY TIMESTAMP "2019-06-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&CONFNAME;</refentrytitle>

</refmeta>

<refname><filename>&CONFNAME;</filename></refname>

Configuration file for the Mandos server

</refpurpose>

</refnamediv>

<synopsis>&CONFPATH;</synopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

The file &CONFPATH; is a simple configuration file for

<citerefentry><refentrytitle>mandos</refentrytitle>

<manvolnum>8</manvolnum></citerefentry>, and is read by it at

startup. The configuration file starts with <quote><literal

>[DEFAULT]</literal></quote> on a line by itself, followed by

any number of <quote><varname><replaceable>option</replaceable

></varname>=<replaceable>value</replaceable></quote> entries,

with continuations in the style of RFC 822. <quote><varname

><replaceable>option</replaceable></varname>: <replaceable

>value</replaceable></quote> is also accepted. Note that

leading whitespace is removed from values. Lines beginning with

<quote>#</quote> or <quote>;</quote> are ignored and may be used

to provide comments.

</para>

</refsect1>

<title>OPTIONS</title>

<term><option>interface<literal> = </literal><replaceable

>NAME</replaceable></option></term>

<xi:include href="mandos-options.xml" xpointer="interface"/>

</listitem>

</varlistentry>

100

101

<term><option>address<literal> = </literal><replaceable

102

>ADDRESS</replaceable></option></term>

103

104

<xi:include href="mandos-options.xml" xpointer="address"/>

105

</listitem>

106

</varlistentry>

107

108

109

<term><option>port<literal> = </literal><replaceable

110

>NUMBER</replaceable></option></term>

111

112

<xi:include href="mandos-options.xml" xpointer="port"/>

113

</listitem>

114

</varlistentry>

115

116

117

<term><option>debug<literal> = </literal>{ <literal

118

>1</literal> | <literal>yes</literal> | <literal

119

>true</literal> | <literal>on</literal> | <literal

120

>0</literal> | <literal>no</literal> | <literal

121

>false</literal> | <literal>off</literal> }</option></term>

122

123

<xi:include href="mandos-options.xml" xpointer="debug"/>

124

</listitem>

125

</varlistentry>

126

127

128

<term><option>priority<literal> = </literal><replaceable

129

>STRING</replaceable></option></term>

130

131

<xi:include href="mandos-options.xml" xpointer="priority"/>

132

</listitem>

133

</varlistentry>

134

135

136

<term><option>servicename<literal> = </literal

137

><replaceable>NAME</replaceable></option></term>

138

139

<xi:include href="mandos-options.xml"

140

xpointer="servicename"/>

141

</listitem>

142

</varlistentry>

143

144

145

<term><option>use_dbus<literal> = </literal>{ <literal

146

>1</literal> | <literal>yes</literal> | <literal

147

>true</literal> | <literal>on</literal> | <literal

148

>0</literal> | <literal>no</literal> | <literal

149

>false</literal> | <literal>off</literal> }</option></term>

150

151

<xi:include href="mandos-options.xml" xpointer="dbus"/>

152

</listitem>

153

</varlistentry>

154

155

156

<term><option>use_ipv6<literal> = </literal>{ <literal

157

>1</literal> | <literal>yes</literal> | <literal

158

>true</literal> | <literal>on</literal> | <literal

159

>0</literal> | <literal>no</literal> | <literal

160

>false</literal> | <literal>off</literal> }</option></term>

161

162

<xi:include href="mandos-options.xml" xpointer="ipv6"/>

163

</listitem>

164

</varlistentry>

165

166

167

<term><option>restore<literal> = </literal>{ <literal

168

>1</literal> | <literal>yes</literal> | <literal

169

>true</literal> | <literal>on</literal> | <literal

170

>0</literal> | <literal>no</literal> | <literal

171

>false</literal> | <literal>off</literal> }</option></term>

172

173

<xi:include href="mandos-options.xml" xpointer="restore"/>

174

</listitem>

175

</varlistentry>

176

177

178

<term><option>statedir<literal> = </literal><replaceable

179

>DIRECTORY</replaceable></option></term>

180

181

<xi:include href="mandos-options.xml" xpointer="statedir"/>

182

</listitem>

183

</varlistentry>

184

185

186

<term><option>socket<literal> = </literal><replaceable

187

>NUMBER</replaceable></option></term>

188

189

<xi:include href="mandos-options.xml" xpointer="socket"/>

190

</listitem>

191

</varlistentry>

192

193

</variablelist>

194

</refsect1>

195

196

197

<title>FILES</title>

198

<para>

199

The file described here is &CONFPATH;

200

</para>

201

</refsect1>

202

203

204

205

<para>

206

The <literal>[DEFAULT]</literal> is necessary because the Python

207

built-in module <systemitem class="library">ConfigParser</systemitem>

208

requires it.

209

</para>

210

<xi:include href="bugs.xml"/>

211

</refsect1>

212

213

214

<title>EXAMPLE</title>

215

216

<para>

217

No options are actually required:

218

</para>

219

220

[DEFAULT]

221

</programlisting>

222

</informalexample>

223

224

<para>

225

An example using all the options:

226

</para>

227

228

[DEFAULT]

229

# A configuration example

230

interface = enp1s0

231

address = fe80::aede:48ff:fe71:f6f2

232

port = 1025

233

debug = True

234

priority = SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA:!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA

235

servicename = Daena

236

use_dbus = False

237

use_ipv6 = True

238

restore = True

239

statedir = /var/lib/mandos

240

</programlisting>

241

</informalexample>

242

</refsect1>

243

244

245

246

<para>

247

<citerefentry><refentrytitle>intro</refentrytitle>

248

<manvolnum>8mandos</manvolnum></citerefentry>,

249

<citerefentry><refentrytitle>gnutls_priority_init</refentrytitle

250

><manvolnum>3</manvolnum></citerefentry>,

251

<citerefentry><refentrytitle>mandos</refentrytitle>

252

<manvolnum>8</manvolnum></citerefentry>,

253

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

254

255

</para>

256

257

258

259

<term>

260

RFC 4291: <citetitle>IP Version 6 Addressing

261

Architecture</citetitle>

262

</term>

263

264

265

266

<term>Section 2.2: <citetitle>Text Representation of

267

Addresses</citetitle></term>

268

269

</varlistentry>

270

271

<term>Section 2.5.5.2: <citetitle>IPv4-Mapped IPv6

272

Address</citetitle></term>

273

274

</varlistentry>

275

276

<term>Section 2.5.6, <citetitle>Link-Local IPv6 Unicast

277

Addresses</citetitle></term>

278

279

<para>

280

The clients use IPv6 link-local addresses, which are

281

immediately usable since a link-local addresses is

282

automatically assigned to a network interface when it

283

is brought up.

284

</para>

285

</listitem>

286

</varlistentry>

287

</variablelist>

288

</listitem>

289

</varlistentry>

290

291

<term>

292

<ulink url="http://www.zeroconf.org/">Zeroconf</ulink>

293

</term>

294

295

<para>

296

Zeroconf is the network protocol standard used by clients

297

for finding the Mandos server on the local network.

298

</para>

299

</listitem>

300

</varlistentry>

301

</variablelist>

302

</refsect1>

303

</refentry>

304

305

306

307

308

Older »