/mandos/trunk : revision 541

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/password-prompt.c

Committer: Teddy Hogeborn
Date: 2011-12-31 20:07:11 UTC
mfrom: (535.1.9 wireless-network-hook)
Revision ID: teddy@recompile.se-20111231200711-6dli3r8drftem57r

Merge new wireless network hook. Fix bridge network hook to use
hardware addresses instead of interface names. Implement and document
new "CONNECT" environment variable for network hooks.

files added:
DBUS-API

dbus-mandos.conf

debian/source

debian/source/format

debian/source/local-options

intro.xml

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugins.d/plymouth.c

plugins.d/plymouth.xml

files modified:
.bzrignore

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/password-prompt.c

* Password-prompt - Read a password from the terminal and print it

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

* along with this program. If not, see

* <http://www.gnu.org/licenses/>.

* Contact the authors at <mandos@fukt.bsnet.se>.

* Contact the authors at <mandos@recompile.se>.

#define _GNU_SOURCE /* getline() */

#define _GNU_SOURCE /* getline(), asprintf() */

#include <termios.h> /* struct termios, tcsetattr(),

TCSAFLUSH, tcgetattr(), ECHO */

#include <unistd.h> /* struct termios, tcsetattr(),

STDIN_FILENO, TCSAFLUSH,

tcgetattr(), ECHO */

tcgetattr(), ECHO, readlink() */

#include <signal.h> /* sig_atomic_t, raise(), struct

sigaction, sigemptyset(),

sigaction(), sigaddset(), SIGINT,

SIGQUIT, SIGHUP, SIGTERM,

raise() */

#include <stddef.h> /* NULL, size_t, ssize_t */

#include <sys/types.h> /* ssize_t */

#include <sys/types.h> /* ssize_t, struct dirent, pid_t,

ssize_t, open() */

#include <stdlib.h> /* EXIT_SUCCESS, EXIT_FAILURE,

getenv() */

getenv(), free() */

#include <dirent.h> /* scandir(), alphasort() */

#include <stdio.h> /* fprintf(), stderr, getline(),

stdin, feof(), perror(), fputc()

stdin, feof(), fputc(), vfprintf(),

vasprintf() */

#include <errno.h> /* errno, EBADF, ENOTTY, EINVAL,

EFAULT, EFBIG, EIO, ENOSPC, EINTR

#include <error.h> /* error() */

#include <iso646.h> /* or, not */

#include <stdbool.h> /* bool, false, true */

#include <string.h> /* strlen, rindex, strncmp, strcmp */

#include <inttypes.h> /* strtoumax() */

#include <sys/stat.h> /* struct stat, lstat(), open() */

#include <string.h> /* strlen, rindex, memcmp, strerror()

#include <argp.h> /* struct argp_option, struct

argp_state, struct argp,

argp_parse(), error_t,

ARGP_ERR_UNKNOWN */

#include <sysexits.h> /* EX_SOFTWARE, EX_OSERR,

EX_UNAVAILABLE, EX_IOERR, EX_OK */

#include <fcntl.h> /* open() */

#include <stdarg.h> /* va_list, va_start(), ... */

volatile sig_atomic_t quit_now = 0;

int signal_received;

bool debug = false;

const char *argp_program_version = "password-prompt " VERSION;

const char *argp_program_bug_address = "<mandos@fukt.bsnet.se>";

const char *argp_program_bug_address = "<mandos@recompile.se>";

/* Needed for conflict resolution */

const char plymouth_name[] = "plymouthd";

__attribute__((format (gnu_printf, 2, 3), nonnull(1)))

int fprintf_plus(FILE *stream, const char *format, ...){

va_list ap;

va_start (ap, format);

TEMP_FAILURE_RETRY(fprintf(stream, "Mandos plugin %s: ",

program_invocation_short_name));

return TEMP_FAILURE_RETRY(vfprintf(stream, format, ap));

}

/* Function to use when printing errors */

__attribute__((format (gnu_printf, 3, 4)))

void error_plus(int status, int errnum, const char *formatstring,

...){

va_list ap;

char *text;

int ret;

va_start(ap, formatstring);

ret = vasprintf(&text, formatstring, ap);

if (ret == -1){

fprintf(stderr, "Mandos plugin %s: ",

program_invocation_short_name);

vfprintf(stderr, formatstring, ap);

fprintf(stderr, ": %s\n", strerror(errnum));

100

error(status, errno, "vasprintf while printing error");

101

return;

102

}

103

fprintf(stderr, "Mandos plugin ");

104

error(status, errnum, "%s", text);

105

free(text);

106

}

107

108

static void termination_handler(int signum){

109

if(quit_now){

113

signal_received = signum;

114

}

115

116

bool conflict_detection(void){

117

118

/* plymouth conflicts with password-prompt since both want to read

119

from the terminal. Password-prompt will exit if it detects

120

plymouth since plymouth performs the same functionality.

121

122

__attribute__((nonnull))

123

int is_plymouth(const struct dirent *proc_entry){

124

int ret;

125

int cl_fd;

126

{

127

uintmax_t proc_id;

128

char *tmp;

129

errno = 0;

130

proc_id = strtoumax(proc_entry->d_name, &tmp, 10);

131

132

if(errno != 0 or *tmp != '\0'

133

or proc_id != (uintmax_t)((pid_t)proc_id)){

134

return 0;

135

}

136

}

137

138

char *cmdline_filename;

139

ret = asprintf(&cmdline_filename, "/proc/%s/cmdline",

140

proc_entry->d_name);

141

if(ret == -1){

142

error_plus(0, errno, "asprintf");

143

return 0;

144

}

145

146

/* Open /proc/<pid>/cmdline */

147

cl_fd = open(cmdline_filename, O_RDONLY);

148

free(cmdline_filename);

149

if(cl_fd == -1){

150

if(errno != ENOENT){

151

error_plus(0, errno, "open");

152

}

153

return 0;

154

}

155

156

char *cmdline = NULL;

157

{

158

size_t cmdline_len = 0;

159

size_t cmdline_allocated = 0;

160

char *tmp;

161

const size_t blocksize = 1024;

162

ssize_t sret;

163

do {

164

/* Allocate more space? */

165

if(cmdline_len + blocksize + 1 > cmdline_allocated){

166

tmp = realloc(cmdline, cmdline_allocated + blocksize + 1);

167

if(tmp == NULL){

168

error_plus(0, errno, "realloc");

169

free(cmdline);

170

close(cl_fd);

171

return 0;

172

}

173

cmdline = tmp;

174

cmdline_allocated += blocksize;

175

}

176

177

/* Read data */

178

sret = read(cl_fd, cmdline + cmdline_len,

179

cmdline_allocated - cmdline_len);

180

if(sret == -1){

181

error_plus(0, errno, "read");

182

free(cmdline);

183

close(cl_fd);

184

return 0;

185

}

186

cmdline_len += (size_t)sret;

187

} while(sret != 0);

188

ret = close(cl_fd);

189

if(ret == -1){

190

error_plus(0, errno, "close");

191

free(cmdline);

192

return 0;

193

}

194

cmdline[cmdline_len] = '\0'; /* Make sure it is terminated */

195

}

196

/* we now have cmdline */

197

198

/* get basename */

199

char *cmdline_base = strrchr(cmdline, '/');

200

if(cmdline_base != NULL){

201

cmdline_base += 1; /* skip the slash */

202

} else {

203

cmdline_base = cmdline;

204

}

205

206

if(strcmp(cmdline_base, plymouth_name) != 0){

207

if(debug){

208

fprintf(stderr, "\"%s\" is not \"%s\"\n", cmdline_base,

209

plymouth_name);

210

}

211

free(cmdline);

212

return 0;

213

}

214

if(debug){

215

fprintf(stderr, "\"%s\" equals \"%s\"\n", cmdline_base,

216

plymouth_name);

217

}

218

free(cmdline);

219

return 1;

220

}

221

222

struct dirent **direntries = NULL;

223

int ret;

224

ret = scandir("/proc", &direntries, is_plymouth, alphasort);

225

if (ret == -1){

226

error_plus(1, errno, "scandir");

227

}

228

free(direntries);

229

return ret > 0;

230

}

231

232

233

int main(int argc, char **argv){

ssize_t ret;

234

ssize_t sret;

235

int ret;

236

size_t n;

237

struct termios t_new, t_old;

238

char *buffer = NULL;

260

{ .name = NULL }

261

};

100

262

263

__attribute__((nonnull(3)))

101

264

error_t parse_opt (int key, char *arg, struct argp_state *state){

102

265

errno = 0;

103

266

switch (key){

139

302

case ENOMEM:

140

303

default:

141

304

errno = ret;

142

perror("argp_parse");

305

error_plus(0, errno, "argp_parse");

143

306

return EX_OSERR;

144

307

case EINVAL:

145

308

return EX_USAGE;

149

312

if(debug){

150

313

fprintf(stderr, "Starting %s\n", argv[0]);

151

314

}

315

316

if (conflict_detection()){

317

if(debug){

318

fprintf(stderr, "Stopping %s because of conflict\n", argv[0]);

319

}

320

return EXIT_FAILURE;

321

}

322

152

323

if(debug){

153

324

fprintf(stderr, "Storing current terminal attributes\n");

154

325

}

155

326

156

327

if(tcgetattr(STDIN_FILENO, &t_old) != 0){

157

328

int e = errno;

158

perror("tcgetattr");

329

error_plus(0, errno, "tcgetattr");

159

330

switch(e){

160

331

case EBADF:

161

332

case ENOTTY:

168

339

sigemptyset(&new_action.sa_mask);

169

340

ret = sigaddset(&new_action.sa_mask, SIGINT);

170

341

if(ret == -1){

171

perror("sigaddset");

342

error_plus(0, errno, "sigaddset");

172

343

return EX_OSERR;

173

344

}

174

345

ret = sigaddset(&new_action.sa_mask, SIGHUP);

175

346

if(ret == -1){

176

perror("sigaddset");

347

error_plus(0, errno, "sigaddset");

177

348

return EX_OSERR;

178

349

}

179

350

ret = sigaddset(&new_action.sa_mask, SIGTERM);

180

351

if(ret == -1){

181

perror("sigaddset");

352

error_plus(0, errno, "sigaddset");

182

353

return EX_OSERR;

183

354

}

184

355

/* Need to check if the handler is SIG_IGN before handling:

187

358

188

359

ret = sigaction(SIGINT, NULL, &old_action);

189

360

if(ret == -1){

190

perror("sigaction");

361

error_plus(0, errno, "sigaction");

191

362

return EX_OSERR;

192

363

}

193

364

if(old_action.sa_handler != SIG_IGN){

194

365

ret = sigaction(SIGINT, &new_action, NULL);

195

366

if(ret == -1){

196

perror("sigaction");

367

error_plus(0, errno, "sigaction");

197

368

return EX_OSERR;

198

369

}

199

370

}

200

371

ret = sigaction(SIGHUP, NULL, &old_action);

201

372

if(ret == -1){

202

perror("sigaction");

373

error_plus(0, errno, "sigaction");

203

374

return EX_OSERR;

204

375

}

205

376

if(old_action.sa_handler != SIG_IGN){

206

377

ret = sigaction(SIGHUP, &new_action, NULL);

207

378

if(ret == -1){

208

perror("sigaction");

379

error_plus(0, errno, "sigaction");

209

380

return EX_OSERR;

210

381

}

211

382

}

212

383

ret = sigaction(SIGTERM, NULL, &old_action);

213

384

if(ret == -1){

214

perror("sigaction");

385

error_plus(0, errno, "sigaction");

215

386

return EX_OSERR;

216

387

}

217

388

if(old_action.sa_handler != SIG_IGN){

218

389

ret = sigaction(SIGTERM, &new_action, NULL);

219

390

if(ret == -1){

220

perror("sigaction");

391

error_plus(0, errno, "sigaction");

221

392

return EX_OSERR;

222

393

}

223

394

}

231

402

t_new.c_lflag &= ~(tcflag_t)ECHO;

232

403

if(tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_new) != 0){

233

404

int e = errno;

234

perror("tcsetattr-echo");

405

error_plus(0, errno, "tcsetattr-echo");

235

406

switch(e){

236

407

case EBADF:

237

408

case ENOTTY:

258

429

fprintf(stderr, "%s ", prefix);

259

430

}

260

431

{

261

const char *cryptsource = getenv("cryptsource");

262

const char *crypttarget = getenv("crypttarget");

263

const char *const prompt

264

= "Enter passphrase to unlock the disk";

432

const char *cryptsource = getenv("CRYPTTAB_SOURCE");

433

const char *crypttarget = getenv("CRYPTTAB_NAME");

434

/* Before cryptsetup 1.1.0~rc2 */

435

if(cryptsource == NULL){

436

cryptsource = getenv("cryptsource");

437

}

438

if(crypttarget == NULL){

439

crypttarget = getenv("crypttarget");

440

}

441

const char *const prompt1 = "Unlocking the disk";

442

const char *const prompt2 = "Enter passphrase";

265

443

if(cryptsource == NULL){

266

444

if(crypttarget == NULL){

267

fprintf(stderr, "%s: ", prompt);

445

fprintf(stderr, "%s to unlock the disk: ", prompt2);

268

446

} else {

269

fprintf(stderr, "%s (%s): ", prompt, crypttarget);

447

fprintf(stderr, "%s (%s)\n%s: ", prompt1, crypttarget,

448

prompt2);

270

449

}

271

450

} else {

272

451

if(crypttarget == NULL){

273

fprintf(stderr, "%s %s: ", prompt, cryptsource);

452

fprintf(stderr, "%s %s\n%s: ", prompt1, cryptsource,

453

prompt2);

274

454

} else {

275

fprintf(stderr, "%s %s (%s): ", prompt, cryptsource,

276

crypttarget);

455

fprintf(stderr, "%s %s (%s)\n%s: ", prompt1, cryptsource,

456

crypttarget, prompt2);

277

457

}

278

458

}

279

459

}

280

ret = getline(&buffer, &n, stdin);

281

if(ret > 0){

460

sret = getline(&buffer, &n, stdin);

461

if(sret > 0){

282

462

status = EXIT_SUCCESS;

283

463

/* Make n = data size instead of allocated buffer size */

284

n = (size_t)ret;

464

n = (size_t)sret;

285

465

/* Strip final newline */

286

466

if(n > 0 and buffer[n-1] == '\n'){

287

467

buffer[n-1] = '\0'; /* not strictly necessary */

289

469

}

290

470

size_t written = 0;

291

471

while(written < n){

292

ret = write(STDOUT_FILENO, buffer + written, n - written);

293

if(ret < 0){

472

sret = write(STDOUT_FILENO, buffer + written, n - written);

473

if(sret < 0){

294

474

int e = errno;

295

perror("write");

475

error_plus(0, errno, "write");

296

476

switch(e){

297

477

case EBADF:

298

478

case EFAULT:

309

489

}

310

490

break;

311

491

}

312

written += (size_t)ret;

492

written += (size_t)sret;

313

493

}

314

ret = close(STDOUT_FILENO);

315

if(ret == -1){

494

sret = close(STDOUT_FILENO);

495

if(sret == -1){

316

496

int e = errno;

317

perror("close");

497

error_plus(0, errno, "close");

318

498

switch(e){

319

499

case EBADF:

320

500

status = EX_OSFILE;

327

507

}

328

508

break;

329

509

}

330

if(ret < 0){

510

if(sret < 0){

331

511

int e = errno;

332

512

if(errno != EINTR and not feof(stdin)){

333

perror("getline");

513

error_plus(0, errno, "getline");

334

514

switch(e){

335

515

case EBADF:

336

516

status = EX_UNAVAILABLE;

517

break;

337

518

case EIO:

338

519

case EINVAL:

339

520

default:

343

524

break;

344

525

}

345

526

}

346

/* if(ret == 0), then the only sensible thing to do is to retry to

347

read from stdin */

527

/* if(sret == 0), then the only sensible thing to do is to retry

528

to read from stdin */

348

529

fputc('\n', stderr);

349

530

if(debug and not quit_now){

350

531

/* If quit_now is nonzero, we were interrupted by a signal, and

359

540

fprintf(stderr, "Restoring terminal attributes\n");

360

541

}

361

542

if(tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_old) != 0){

362

perror("tcsetattr+echo");

543

error_plus(0, errno, "tcsetattr+echo");

363

544

}

364

545

365

546

if(quit_now){

367

548

old_action.sa_handler = SIG_DFL;

368

549

ret = sigaction(signal_received, &old_action, NULL);

369

550

if(ret == -1){

370

perror("sigaction");

551

error_plus(0, errno, "sigaction");

371

552

}

372

553

raise(signal_received);

373

554

}

Older »