3
3
* Mandos plugin runner - Run Mandos plugins
5
* Copyright © 2008,2009 Teddy Hogeborn
6
* Copyright © 2008,2009 Björn Påhlsson
5
* Copyright © 2007-2008 Teddy Hogeborn & Björn Påhlsson
8
7
* This program is free software: you can redistribute it and/or
9
8
* modify it under the terms of the GNU General Public License as
28
27
#include <stdlib.h> /* malloc(), exit(), EXIT_FAILURE,
29
28
EXIT_SUCCESS, realloc() */
30
29
#include <stdbool.h> /* bool, true, false */
31
#include <stdio.h> /* perror, fileno(), fprintf(),
32
stderr, STDOUT_FILENO */
30
#include <stdio.h> /* perror, popen(), fileno(),
31
fprintf(), stderr, STDOUT_FILENO */
33
32
#include <sys/types.h> /* DIR, opendir(), stat(), struct
34
33
stat, waitpid(), WIFEXITED(),
35
34
WEXITSTATUS(), wait(), pid_t,
47
46
fcntl(), setuid(), setgid(),
48
47
F_GETFD, F_SETFD, FD_CLOEXEC,
49
48
access(), pipe(), fork(), close()
50
dup2(), STDOUT_FILENO, _exit(),
49
dup2, STDOUT_FILENO, _exit(),
51
50
execv(), write(), read(),
53
52
#include <fcntl.h> /* fcntl(), F_GETFD, F_SETFD,
70
69
#define PDIR "/lib/mandos/plugins.d"
71
70
#define AFILE "/conf/conf.d/mandos/plugin-runner.conf"
73
const char *argp_program_version = "plugin-runner " VERSION;
72
const char *argp_program_version = "plugin-runner 1.0";
74
73
const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";
76
77
typedef struct plugin{
77
78
char *name; /* can be NULL or any plugin name */
96
97
static plugin *plugin_list = NULL;
98
/* Gets an existing plugin based on name,
99
/* Gets a existing plugin based on name,
99
100
or if none is found, creates a new one */
100
101
static plugin *getplugin(char *name){
101
102
/* Check for exiting plugin with that name */
186
187
size_t namelen = (size_t)(strchrnul(def, '=') - def);
187
188
/* Search for this environment variable */
188
189
for(char **e = p->environ; *e != NULL; e++){
189
if(strncmp(*e, def, namelen + 1) == 0){
190
if(strncmp(*e, def, namelen+1) == 0){
190
191
/* It already exists */
192
char *new = realloc(*e, strlen(def) + 1);
193
char *new = realloc(*e, strlen(def));
207
208
* Descriptor Flags".
208
209
* *Note File Descriptor Flags:(libc)Descriptor Flags.
210
static int set_cloexec_flag(int fd){
211
static int set_cloexec_flag(int fd)
211
213
int ret = fcntl(fd, F_GETFD, 0);
212
214
/* If reading the flags failed, return error indication now. */
221
223
/* Mark processes as completed when they exit, and save their exit
223
static void handle_sigchld(__attribute__((unused)) int sig){
225
void handle_sigchld(__attribute__((unused)) int sig){
225
227
plugin *proc = plugin_list;
253
255
/* Prints out a password to stdout */
254
static bool print_out_password(const char *buffer, size_t length){
256
bool print_out_password(const char *buffer, size_t length){
258
if(length>0 and buffer[length-1] == '\n'){
256
261
for(size_t written = 0; written < length; written += (size_t)ret){
257
262
ret = TEMP_FAILURE_RETRY(write(STDOUT_FILENO, buffer + written,
258
263
length - written));
396
if(not add_environment(getplugin(NULL), arg, true)){
397
perror("add_environment");
401
char *envdef = strdup(arg);
405
if(not add_environment(getplugin(NULL), envdef, true)){
406
perror("add_environment");
400
410
case 'o': /* --options-for */
401
411
if (arg != NULL){
402
412
char *p_name = strsep(&arg, ":");
403
if(p_name[0] == '\0' or arg == NULL){
413
if(p_name[0] == '\0'){
406
416
char *opt = strsep(&arg, ":");
407
if(opt[0] == '\0' or opt == NULL){
411
while((p = strsep(&opt, ",")) != NULL){
415
if(not add_argument(getplugin(p_name), p)){
416
perror("add_argument");
417
return ARGP_ERR_UNKNOWN;
422
while((p = strsep(&opt, ",")) != NULL){
426
if(not add_argument(getplugin(p_name), p)){
427
perror("add_argument");
428
return ARGP_ERR_UNKNOWN;
428
440
if(envdef == NULL){
432
if(not add_environment(getplugin(arg), envdef+1, true)){
443
char *p_name = strndup(arg, (size_t) (envdef-arg));
448
if(not add_environment(getplugin(p_name), envdef, true)){
433
449
perror("add_environment");
463
478
/* This is already done by parse_opt_config_file() */
465
480
case 130: /* --userid */
466
/* In the GNU C library, uid_t is always unsigned int */
467
ret = sscanf(arg, "%ud", &uid);
469
fprintf(stderr, "Bad user ID number: \"%s\", using %ud\n",
481
uid = (uid_t)strtol(arg, NULL, 10);
473
483
case 131: /* --groupid */
474
/* In the GNU C library, gid_t is always unsigned int */
475
ret = sscanf(arg, "%ud", &gid);
477
fprintf(stderr, "Bad group ID number: \"%s\", using %ud\n",
484
gid = (gid_t)strtol(arg, NULL, 10);
481
486
case 132: /* --debug */
485
* When adding more options before this line, remember to also add a
486
* "case" to the "parse_opt_config_file" function below.
488
489
case ARGP_KEY_ARG:
489
/* Cryptsetup always passes an argument, which is an empty
490
string if "none" was specified in /etc/crypttab. So if
491
argument was empty, we ignore it silently. */
493
fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg);
490
fprintf(stderr, "Ignoring unknown argument \"%s\"\n", arg);
496
492
case ARGP_KEY_END:
561
556
char *org_line = NULL;
562
557
char *p, *arg, *new_arg, *line;
564
560
const char whitespace_delims[] = " \r\t\f\v\n";
565
561
const char comment_delim[] = "#";
716
712
const char const *bad_suffixes[] = { "~", "#", ".dpkg-new",
719
714
".dpkg-divert", NULL };
720
715
for(const char **pre = bad_prefixes; *pre != NULL; pre++){
721
716
size_t pre_len = strlen(*pre);
755
if(plugindir == NULL){
756
ret = asprintf(&filename, PDIR "/%s", dirst->d_name);
758
ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name);
750
ret = asprintf(&filename, "%s/%s", plugindir, dirst->d_name);
761
752
perror("asprintf");
862
853
perror("sigaction");
863
854
_exit(EXIT_FAILURE);
865
ret = sigprocmask(SIG_UNBLOCK, &sigchld_action.sa_mask, NULL);
856
ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask, NULL);
867
858
perror("sigprocmask");
868
859
_exit(EXIT_FAILURE);
871
862
ret = dup2(pipefd[1], STDOUT_FILENO); /* replace our stdout */
951
943
/* OK, now either a process completed, or something can be read
952
944
from one of them */
953
for(plugin *proc = plugin_list; proc != NULL;){
945
for(plugin *proc = plugin_list; proc != NULL; proc = proc->next){
954
946
/* Is this process completely done? */
955
947
if(proc->eof and proc->completed){
956
948
/* Only accept the plugin output if it exited cleanly */
983
975
exitstatus = EXIT_FAILURE;
987
plugin *next_plugin = proc->next;
988
978
free_plugin(proc);
991
979
/* We are done modifying process list, so unblock signal */
992
980
ret = sigprocmask (SIG_UNBLOCK, &sigchld_action.sa_mask,
1018
1005
/* This process has not completed. Does it have any output? */
1019
1006
if(proc->eof or not FD_ISSET(proc->fd, &rfds)){
1020
1007
/* This process had nothing to say at this time */
1024
1010
/* Before reading, make the process' data buffer large enough */
1033
1019
proc->buffer_size += BUFFER_SIZE;
1035
1021
/* Read from the process */
1036
sret = read(proc->fd, proc->buffer + proc->buffer_length,
1022
ret = read(proc->fd, proc->buffer + proc->buffer_length,
1039
1025
/* Read error from this process; ignore the error */
1045
1030
proc->eof = true;
1047
proc->buffer_length += (size_t) sret;
1032
proc->buffer_length += (size_t) ret;
1059
1044
fprintf(stderr, "Going to fallback mode using getpass(3)\n");
1060
1045
char *passwordbuffer = getpass("Password: ");
1061
size_t len = strlen(passwordbuffer);
1062
/* Strip trailing newline */
1063
if(len > 0 and passwordbuffer[len-1] == '\n'){
1064
passwordbuffer[len-1] = '\0'; /* not strictly necessary */
1067
bret = print_out_password(passwordbuffer, len);
1046
bret = print_out_password(passwordbuffer, strlen(passwordbuffer));
1069
1048
perror("print_out_password");
1070
1049
exitstatus = EXIT_FAILURE;