100
88
except ImportError:
101
89
SO_BINDTODEVICE = None
103
if sys.version_info.major == 2:
107
92
stored_state_file = "clients.pickle"
109
94
logger = logging.getLogger()
95
syslogger = (logging.handlers.SysLogHandler
96
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
97
address = str("/dev/log")))
113
if_nametoindex = ctypes.cdll.LoadLibrary(
114
ctypes.util.find_library("c")).if_nametoindex
100
if_nametoindex = (ctypes.cdll.LoadLibrary
101
(ctypes.util.find_library("c"))
115
103
except (OSError, AttributeError):
117
104
def if_nametoindex(interface):
118
105
"Get an interface index the hard way, i.e. using fcntl()"
119
106
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
120
107
with contextlib.closing(socket.socket()) as s:
121
108
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
122
struct.pack(b"16s16x", interface))
123
interface_index = struct.unpack("I", ifreq[16:20])[0]
109
struct.pack(str("16s16x"),
111
interface_index = struct.unpack(str("I"),
124
113
return interface_index
127
116
def initlogger(debug, level=logging.WARNING):
128
117
"""init logger and add loglevel"""
131
syslogger = (logging.handlers.SysLogHandler(
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
134
119
syslogger.setFormatter(logging.Formatter
135
120
('Mandos [%(process)d]: %(levelname)s:'
188
174
def password_encode(self, password):
189
175
# Passphrase can not be empty and can not contain newlines or
190
176
# NUL bytes. So we prefix it and hex encode it.
191
encoded = b"mandos" + binascii.hexlify(password)
192
if len(encoded) > 2048:
193
# GnuPG can't handle long passwords, so encode differently
194
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
195
.replace(b"\n", b"\\n")
196
.replace(b"\0", b"\\x00"))
177
return b"mandos" + binascii.hexlify(password)
199
179
def encrypt(self, data, password):
200
passphrase = self.password_encode(password)
201
with tempfile.NamedTemporaryFile(
202
dir=self.tempdir) as passfile:
203
passfile.write(passphrase)
205
proc = subprocess.Popen(['gpg', '--symmetric',
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
213
if proc.returncode != 0:
180
self.gnupg.passphrase = self.password_encode(password)
181
with open(os.devnull, "w") as devnull:
183
proc = self.gnupg.run(['--symmetric'],
184
create_fhs=['stdin', 'stdout'],
185
attach_fhs={'stderr': devnull})
186
with contextlib.closing(proc.handles['stdin']) as f:
188
with contextlib.closing(proc.handles['stdout']) as f:
189
ciphertext = f.read()
193
self.gnupg.passphrase = None
215
194
return ciphertext
217
196
def decrypt(self, data, password):
218
passphrase = self.password_encode(password)
219
with tempfile.NamedTemporaryFile(
220
dir = self.tempdir) as passfile:
221
passfile.write(passphrase)
223
proc = subprocess.Popen(['gpg', '--decrypt',
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
231
if proc.returncode != 0:
197
self.gnupg.passphrase = self.password_encode(password)
198
with open(os.devnull, "w") as devnull:
200
proc = self.gnupg.run(['--decrypt'],
201
create_fhs=['stdin', 'stdout'],
202
attach_fhs={'stderr': devnull})
203
with contextlib.closing(proc.handles['stdin']) as f:
205
with contextlib.closing(proc.handles['stdout']) as f:
206
decrypted_plaintext = f.read()
210
self.gnupg.passphrase = None
233
211
return decrypted_plaintext
236
214
class AvahiError(Exception):
237
215
def __init__(self, value, *args, **kwargs):
238
216
self.value = value
239
return super(AvahiError, self).__init__(value, *args,
217
super(AvahiError, self).__init__(value, *args, **kwargs)
218
def __unicode__(self):
219
return unicode(repr(self.value))
243
221
class AvahiServiceError(AvahiError):
247
224
class AvahiGroupError(AvahiError):
296
266
self.entry_group_state_changed_match = None
298
def rename(self, remove=True):
299
269
"""Derived from the Avahi example code"""
300
270
if self.rename_count >= self.max_renames:
301
271
logger.critical("No suitable Zeroconf service name found"
302
272
" after %i retries, exiting.",
303
273
self.rename_count)
304
274
raise AvahiServiceError("Too many renames")
306
self.server.GetAlternativeServiceName(self.name))
307
self.rename_count += 1
275
self.name = unicode(self.server
276
.GetAlternativeServiceName(self.name))
308
277
logger.info("Changing Zeroconf service name to %r ...",
314
282
except dbus.exceptions.DBusException as error:
315
if (error.get_dbus_name()
316
== "org.freedesktop.Avahi.CollisionError"):
317
logger.info("Local Zeroconf service name collision.")
318
return self.rename(remove=False)
320
logger.critical("D-Bus Exception", exc_info=error)
283
logger.critical("D-Bus Exception", exc_info=error)
286
self.rename_count += 1
324
288
def remove(self):
325
289
"""Derived from the Avahi example code"""
380
345
def server_state_changed(self, state, error=None):
381
346
"""Derived from the Avahi example code"""
382
347
logger.debug("Avahi server state change: %i", state)
384
avahi.SERVER_INVALID: "Zeroconf server invalid",
385
avahi.SERVER_REGISTERING: None,
386
avahi.SERVER_COLLISION: "Zeroconf server name collision",
387
avahi.SERVER_FAILURE: "Zeroconf server failure",
348
bad_states = { avahi.SERVER_INVALID:
349
"Zeroconf server invalid",
350
avahi.SERVER_REGISTERING: None,
351
avahi.SERVER_COLLISION:
352
"Zeroconf server name collision",
353
avahi.SERVER_FAILURE:
354
"Zeroconf server failure" }
389
355
if state in bad_states:
390
356
if bad_states[state] is not None:
391
357
if error is None:
410
376
follow_name_owner_changes=True),
411
377
avahi.DBUS_INTERFACE_SERVER)
412
378
self.server.connect_to_signal("StateChanged",
413
self.server_state_changed)
379
self.server_state_changed)
414
380
self.server_state_changed(self.server.GetState())
417
383
class AvahiServiceToSyslog(AvahiService):
418
def rename(self, *args, **kwargs):
419
385
"""Add the new name to the syslog messages"""
420
ret = AvahiService.rename(self, *args, **kwargs)
421
syslogger.setFormatter(logging.Formatter(
422
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
386
ret = AvahiService.rename(self)
387
syslogger.setFormatter(logging.Formatter
388
('Mandos ({0}) [%(process)d]:'
389
' %(levelname)s: %(message)s'
394
def timedelta_to_milliseconds(td):
395
"Convert a datetime.timedelta() to milliseconds"
396
return ((td.days * 24 * 60 * 60 * 1000)
397
+ (td.seconds * 1000)
398
+ (td.microseconds // 1000))
427
401
class Client(object):
428
402
"""A representation of a client host served by this server.
473
446
"fingerprint", "host", "interval",
474
447
"last_approval_request", "last_checked_ok",
475
448
"last_enabled", "name", "timeout")
478
"extended_timeout": "PT15M",
480
"checker": "fping -q -- %%(host)s",
482
"approval_delay": "PT0S",
483
"approval_duration": "PT1S",
484
"approved_by_default": "True",
449
client_defaults = { "timeout": "5m",
450
"extended_timeout": "15m",
452
"checker": "fping -q -- %%(host)s",
454
"approval_delay": "0s",
455
"approval_duration": "1s",
456
"approved_by_default": "True",
460
def timeout_milliseconds(self):
461
"Return the 'timeout' attribute in milliseconds"
462
return timedelta_to_milliseconds(self.timeout)
464
def extended_timeout_milliseconds(self):
465
"Return the 'extended_timeout' attribute in milliseconds"
466
return timedelta_to_milliseconds(self.extended_timeout)
468
def interval_milliseconds(self):
469
"Return the 'interval' attribute in milliseconds"
470
return timedelta_to_milliseconds(self.interval)
472
def approval_delay_milliseconds(self):
473
return timedelta_to_milliseconds(self.approval_delay)
489
476
def config_parser(config):
567
551
self.current_checker_command = None
568
552
self.approved = None
569
553
self.approvals_pending = 0
570
self.changedstate = multiprocessing_manager.Condition(
571
multiprocessing_manager.Lock())
572
self.client_structure = [attr
573
for attr in self.__dict__.iterkeys()
554
self.changedstate = (multiprocessing_manager
555
.Condition(multiprocessing_manager
557
self.client_structure = [attr for attr in
558
self.__dict__.iterkeys()
574
559
if not attr.startswith("_")]
575
560
self.client_structure.append("client_structure")
577
for name, t in inspect.getmembers(
578
type(self), lambda obj: isinstance(obj, property)):
562
for name, t in inspect.getmembers(type(self),
579
566
if not name.startswith("_"):
580
567
self.client_structure.append(name)
623
610
# and every interval from then on.
624
611
if self.checker_initiator_tag is not None:
625
612
gobject.source_remove(self.checker_initiator_tag)
626
self.checker_initiator_tag = gobject.timeout_add(
627
int(self.interval.total_seconds() * 1000),
613
self.checker_initiator_tag = (gobject.timeout_add
614
(self.interval_milliseconds(),
629
616
# Schedule a disable() when 'timeout' has passed
630
617
if self.disable_initiator_tag is not None:
631
618
gobject.source_remove(self.disable_initiator_tag)
632
self.disable_initiator_tag = gobject.timeout_add(
633
int(self.timeout.total_seconds() * 1000), self.disable)
619
self.disable_initiator_tag = (gobject.timeout_add
620
(self.timeout_milliseconds(),
634
622
# Also start a new checker *right now*.
635
623
self.start_checker()
703
692
# Start a new checker if needed
704
693
if self.checker is None:
705
694
# Escape attributes for the shell
707
attr: re.escape(str(getattr(self, attr)))
708
for attr in self.runtime_expansions }
695
escaped_attrs = dict(
696
(attr, re.escape(unicode(getattr(self, attr))))
698
self.runtime_expansions)
710
700
command = self.checker_command % escaped_attrs
711
701
except TypeError as error:
712
702
logger.error('Could not format string "%s"',
713
self.checker_command,
715
return True # Try again later
703
self.checker_command, exc_info=error)
704
return True # Try again later
716
705
self.current_checker_command = command
718
logger.info("Starting checker %r for %s", command,
707
logger.info("Starting checker %r for %s",
720
709
# We don't need to redirect stdout and stderr, since
721
710
# in normal mode, that is already done by daemon(),
722
711
# and in debug mode we don't want to. (Stdin is
723
712
# always replaced by /dev/null.)
724
# The exception is when not debugging but nevertheless
725
# running in the foreground; use the previously
728
if (not self.server_settings["debug"]
729
and self.server_settings["foreground"]):
730
popen_args.update({"stdout": wnull,
732
713
self.checker = subprocess.Popen(command,
737
716
except OSError as error:
738
717
logger.error("Failed to start subprocess",
741
self.checker_callback_tag = gobject.child_watch_add(
742
self.checker.pid, self.checker_callback, data=command)
719
self.checker_callback_tag = (gobject.child_watch_add
721
self.checker_callback,
743
723
# The checker may have completed before the gobject
744
724
# watch was added. Check for this.
746
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
747
except OSError as error:
748
if error.errno == errno.ECHILD:
749
# This should never happen
750
logger.error("Child process vanished",
725
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
755
727
gobject.source_remove(self.checker_callback_tag)
756
728
self.checker_callback(pid, status, command)
835
801
"""Decorator to annotate D-Bus methods, signals or properties
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
"org.freedesktop.DBus.Property."
840
"EmitsChangedSignal": "false"})
841
804
@dbus_service_property("org.example.Interface", signature="b",
806
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
807
"org.freedesktop.DBus.Property."
808
"EmitsChangedSignal": "false"})
843
809
def Property_dbus_property(self):
844
810
return dbus.Boolean(False)
847
812
def decorator(func):
848
813
func._dbus_annotations = annotations
854
818
class DBusPropertyException(dbus.exceptions.DBusException):
855
819
"""A base class for D-Bus property-related exceptions
821
def __unicode__(self):
822
return unicode(str(self))
860
825
class DBusPropertyAccessException(DBusPropertyException):
884
849
If called like _is_dbus_thing("method") it returns a function
885
850
suitable for use as predicate to inspect.getmembers().
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
852
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
890
855
def _get_all_dbus_things(self, thing):
891
856
"""Returns a generator of (name, attribute) pairs
893
return ((getattr(athing.__get__(self), "_dbus_name", name),
858
return ((getattr(athing.__get__(self), "_dbus_name",
894
860
athing.__get__(self))
895
861
for cls in self.__class__.__mro__
896
862
for name, athing in
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
863
inspect.getmembers(cls,
864
self._is_dbus_thing(thing)))
899
866
def _get_dbus_property(self, interface_name, property_name):
900
867
"""Returns a bound method if one exists which is a D-Bus
901
868
property with the specified name and interface.
903
for cls in self.__class__.__mro__:
904
for name, value in inspect.getmembers(
905
cls, self._is_dbus_thing("property")):
870
for cls in self.__class__.__mro__:
871
for name, value in (inspect.getmembers
873
self._is_dbus_thing("property"))):
906
874
if (value._dbus_name == property_name
907
875
and value._dbus_interface == interface_name):
908
876
return value.__get__(self)
910
878
# No such property
911
raise DBusPropertyNotFound("{}:{}.{}".format(
912
self.dbus_object_path, interface_name, property_name))
879
raise DBusPropertyNotFound(self.dbus_object_path + ":"
880
+ interface_name + "."
914
@dbus.service.method(dbus.PROPERTIES_IFACE,
883
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
916
884
out_signature="v")
917
885
def Get(self, interface_name, property_name):
918
886
"""Standard D-Bus property Get() method, see D-Bus standard.
1100
1057
# Ignore non-D-Bus attributes, and D-Bus attributes
1101
1058
# with the wrong interface name
1102
1059
if (not hasattr(attribute, "_dbus_interface")
1103
or not attribute._dbus_interface.startswith(
1104
orig_interface_name)):
1060
or not attribute._dbus_interface
1061
.startswith(orig_interface_name)):
1106
1063
# Create an alternate D-Bus interface name based on
1107
1064
# the current name
1108
alt_interface = attribute._dbus_interface.replace(
1109
orig_interface_name, alt_interface_name)
1065
alt_interface = (attribute._dbus_interface
1066
.replace(orig_interface_name,
1067
alt_interface_name))
1110
1068
interface_names.add(alt_interface)
1111
1069
# Is this a D-Bus signal?
1112
1070
if getattr(attribute, "_dbus_is_signal", False):
1113
# Extract the original non-method undecorated
1114
# function by black magic
1071
# Extract the original non-method function by
1115
1073
nonmethod_func = (dict(
1116
zip(attribute.func_code.co_freevars,
1117
attribute.__closure__))
1118
["func"].cell_contents)
1074
zip(attribute.func_code.co_freevars,
1075
attribute.__closure__))["func"]
1119
1077
# Create a new, but exactly alike, function
1120
1078
# object, and decorate it to be a new D-Bus signal
1121
1079
# with the alternate D-Bus interface name
1122
new_function = (dbus.service.signal(
1123
alt_interface, attribute._dbus_signature)
1080
new_function = (dbus.service.signal
1082
attribute._dbus_signature)
1124
1083
(types.FunctionType(
1125
nonmethod_func.func_code,
1126
nonmethod_func.func_globals,
1127
nonmethod_func.func_name,
1128
nonmethod_func.func_defaults,
1129
nonmethod_func.func_closure)))
1084
nonmethod_func.func_code,
1085
nonmethod_func.func_globals,
1086
nonmethod_func.func_name,
1087
nonmethod_func.func_defaults,
1088
nonmethod_func.func_closure)))
1130
1089
# Copy annotations, if any
1132
new_function._dbus_annotations = dict(
1133
attribute._dbus_annotations)
1091
new_function._dbus_annotations = (
1092
dict(attribute._dbus_annotations))
1134
1093
except AttributeError:
1136
1095
# Define a creator of a function to call both the
1158
1115
# object. Decorate it to be a new D-Bus method
1159
1116
# with the alternate D-Bus interface name. Add it
1160
1117
# to the class.
1162
dbus.service.method(
1164
attribute._dbus_in_signature,
1165
attribute._dbus_out_signature)
1166
(types.FunctionType(attribute.func_code,
1167
attribute.func_globals,
1168
attribute.func_name,
1169
attribute.func_defaults,
1170
attribute.func_closure)))
1118
attr[attrname] = (dbus.service.method
1120
attribute._dbus_in_signature,
1121
attribute._dbus_out_signature)
1123
(attribute.func_code,
1124
attribute.func_globals,
1125
attribute.func_name,
1126
attribute.func_defaults,
1127
attribute.func_closure)))
1171
1128
# Copy annotations, if any
1173
attr[attrname]._dbus_annotations = dict(
1174
attribute._dbus_annotations)
1130
attr[attrname]._dbus_annotations = (
1131
dict(attribute._dbus_annotations))
1175
1132
except AttributeError:
1177
1134
# Is this a D-Bus property?
1180
1137
# object, and decorate it to be a new D-Bus
1181
1138
# property with the alternate D-Bus interface
1182
1139
# name. Add it to the class.
1183
attr[attrname] = (dbus_service_property(
1184
alt_interface, attribute._dbus_signature,
1185
attribute._dbus_access,
1186
attribute._dbus_get_args_options
1188
(types.FunctionType(
1189
attribute.func_code,
1190
attribute.func_globals,
1191
attribute.func_name,
1192
attribute.func_defaults,
1193
attribute.func_closure)))
1140
attr[attrname] = (dbus_service_property
1142
attribute._dbus_signature,
1143
attribute._dbus_access,
1145
._dbus_get_args_options
1148
(attribute.func_code,
1149
attribute.func_globals,
1150
attribute.func_name,
1151
attribute.func_defaults,
1152
attribute.func_closure)))
1194
1153
# Copy annotations, if any
1196
attr[attrname]._dbus_annotations = dict(
1197
attribute._dbus_annotations)
1155
attr[attrname]._dbus_annotations = (
1156
dict(attribute._dbus_annotations))
1198
1157
except AttributeError:
1200
1159
# Is this a D-Bus interface?
1257
1213
Client.__init__(self, *args, **kwargs)
1258
1214
# Only now, when this client is initialized, can it show up on
1260
client_object_name = str(self.name).translate(
1216
client_object_name = unicode(self.name).translate(
1261
1217
{ord("."): ord("_"),
1262
1218
ord("-"): ord("_")})
1263
self.dbus_object_path = dbus.ObjectPath(
1264
"/clients/" + client_object_name)
1219
self.dbus_object_path = (dbus.ObjectPath
1220
("/clients/" + client_object_name))
1265
1221
DBusObjectWithProperties.__init__(self, self.bus,
1266
1222
self.dbus_object_path)
1268
def notifychangeproperty(transform_func, dbus_name,
1269
type_func=lambda x: x,
1271
invalidate_only=False,
1272
_interface=_interface):
1224
def notifychangeproperty(transform_func,
1225
dbus_name, type_func=lambda x: x,
1273
1227
""" Modify a variable so that it's a property which announces
1274
1228
its changes to DBus.
1280
1234
to the D-Bus. Default: no transform
1281
1235
variant_level: D-Bus variant level. Default: 1
1283
attrname = "_{}".format(dbus_name)
1237
attrname = "_{0}".format(dbus_name)
1285
1238
def setter(self, value):
1286
1239
if hasattr(self, "dbus_object_path"):
1287
1240
if (not hasattr(self, attrname) or
1288
1241
type_func(getattr(self, attrname, None))
1289
1242
!= type_func(value)):
1291
self.PropertiesChanged(
1292
_interface, dbus.Dictionary(),
1293
dbus.Array((dbus_name, )))
1295
dbus_value = transform_func(
1297
variant_level = variant_level)
1298
self.PropertyChanged(dbus.String(dbus_name),
1300
self.PropertiesChanged(
1302
dbus.Dictionary({ dbus.String(dbus_name):
1243
dbus_value = transform_func(type_func(value),
1246
self.PropertyChanged(dbus.String(dbus_name),
1305
1248
setattr(self, attrname, value)
1307
1250
return property(lambda self: getattr(self, attrname), setter)
1324
1267
datetime_to_dbus, "LastApprovalRequest")
1325
1268
approved_by_default = notifychangeproperty(dbus.Boolean,
1326
1269
"ApprovedByDefault")
1327
approval_delay = notifychangeproperty(
1328
dbus.UInt64, "ApprovalDelay",
1329
type_func = lambda td: td.total_seconds() * 1000)
1270
approval_delay = notifychangeproperty(dbus.UInt64,
1273
timedelta_to_milliseconds)
1330
1274
approval_duration = notifychangeproperty(
1331
1275
dbus.UInt64, "ApprovalDuration",
1332
type_func = lambda td: td.total_seconds() * 1000)
1276
type_func = timedelta_to_milliseconds)
1333
1277
host = notifychangeproperty(dbus.String, "Host")
1334
timeout = notifychangeproperty(
1335
dbus.UInt64, "Timeout",
1336
type_func = lambda td: td.total_seconds() * 1000)
1278
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1280
timedelta_to_milliseconds)
1337
1281
extended_timeout = notifychangeproperty(
1338
1282
dbus.UInt64, "ExtendedTimeout",
1339
type_func = lambda td: td.total_seconds() * 1000)
1340
interval = notifychangeproperty(
1341
dbus.UInt64, "Interval",
1342
type_func = lambda td: td.total_seconds() * 1000)
1283
type_func = timedelta_to_milliseconds)
1284
interval = notifychangeproperty(dbus.UInt64,
1287
timedelta_to_milliseconds)
1343
1288
checker_command = notifychangeproperty(dbus.String, "Checker")
1344
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1345
invalidate_only=True)
1347
1290
del notifychangeproperty
1492
1444
self.approved_by_default = bool(value)
1494
1446
# ApprovalDelay - property
1495
@dbus_service_property(_interface,
1447
@dbus_service_property(_interface, signature="t",
1497
1448
access="readwrite")
1498
1449
def ApprovalDelay_dbus_property(self, value=None):
1499
1450
if value is None: # get
1500
return dbus.UInt64(self.approval_delay.total_seconds()
1451
return dbus.UInt64(self.approval_delay_milliseconds())
1502
1452
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1504
1454
# ApprovalDuration - property
1505
@dbus_service_property(_interface,
1455
@dbus_service_property(_interface, signature="t",
1507
1456
access="readwrite")
1508
1457
def ApprovalDuration_dbus_property(self, value=None):
1509
1458
if value is None: # get
1510
return dbus.UInt64(self.approval_duration.total_seconds()
1459
return dbus.UInt64(timedelta_to_milliseconds(
1460
self.approval_duration))
1512
1461
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1514
1463
# Name - property
1600
1546
gobject.source_remove(self.disable_initiator_tag)
1601
self.disable_initiator_tag = gobject.timeout_add(
1602
int((self.expires - now).total_seconds() * 1000),
1547
self.disable_initiator_tag = (
1548
gobject.timeout_add(
1549
timedelta_to_milliseconds(self.expires - now),
1605
1552
# ExtendedTimeout - property
1606
@dbus_service_property(_interface,
1553
@dbus_service_property(_interface, signature="t",
1608
1554
access="readwrite")
1609
1555
def ExtendedTimeout_dbus_property(self, value=None):
1610
1556
if value is None: # get
1611
return dbus.UInt64(self.extended_timeout.total_seconds()
1557
return dbus.UInt64(self.extended_timeout_milliseconds())
1613
1558
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1615
1560
# Interval - property
1616
@dbus_service_property(_interface,
1561
@dbus_service_property(_interface, signature="t",
1618
1562
access="readwrite")
1619
1563
def Interval_dbus_property(self, value=None):
1620
1564
if value is None: # get
1621
return dbus.UInt64(self.interval.total_seconds() * 1000)
1565
return dbus.UInt64(self.interval_milliseconds())
1622
1566
self.interval = datetime.timedelta(0, 0, 0, value)
1623
1567
if getattr(self, "checker_initiator_tag", None) is None:
1625
1569
if self.enabled:
1626
1570
# Reschedule checker run
1627
1571
gobject.source_remove(self.checker_initiator_tag)
1628
self.checker_initiator_tag = gobject.timeout_add(
1629
value, self.start_checker)
1630
self.start_checker() # Start one now, too
1572
self.checker_initiator_tag = (gobject.timeout_add
1573
(value, self.start_checker))
1574
self.start_checker() # Start one now, too
1632
1576
# Checker - property
1633
@dbus_service_property(_interface,
1577
@dbus_service_property(_interface, signature="s",
1635
1578
access="readwrite")
1636
1579
def Checker_dbus_property(self, value=None):
1637
1580
if value is None: # get
1638
1581
return dbus.String(self.checker_command)
1639
self.checker_command = str(value)
1582
self.checker_command = unicode(value)
1641
1584
# CheckerRunning - property
1642
@dbus_service_property(_interface,
1585
@dbus_service_property(_interface, signature="b",
1644
1586
access="readwrite")
1645
1587
def CheckerRunning_dbus_property(self, value=None):
1646
1588
if value is None: # get
1871
1814
def fingerprint(openpgp):
1872
1815
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1873
1816
# New GnuTLS "datum" with the OpenPGP public key
1874
datum = gnutls.library.types.gnutls_datum_t(
1875
ctypes.cast(ctypes.c_char_p(openpgp),
1876
ctypes.POINTER(ctypes.c_ubyte)),
1877
ctypes.c_uint(len(openpgp)))
1817
datum = (gnutls.library.types
1818
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1821
ctypes.c_uint(len(openpgp))))
1878
1822
# New empty GnuTLS certificate
1879
1823
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1880
gnutls.library.functions.gnutls_openpgp_crt_init(
1824
(gnutls.library.functions
1825
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
1882
1826
# Import the OpenPGP public key into the certificate
1883
gnutls.library.functions.gnutls_openpgp_crt_import(
1884
crt, ctypes.byref(datum),
1885
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
1827
(gnutls.library.functions
1828
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1829
gnutls.library.constants
1830
.GNUTLS_OPENPGP_FMT_RAW))
1886
1831
# Verify the self signature in the key
1887
1832
crtverify = ctypes.c_uint()
1888
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1889
crt, 0, ctypes.byref(crtverify))
1833
(gnutls.library.functions
1834
.gnutls_openpgp_crt_verify_self(crt, 0,
1835
ctypes.byref(crtverify)))
1890
1836
if crtverify.value != 0:
1891
1837
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1892
raise gnutls.errors.CertificateSecurityError(
1838
raise (gnutls.errors.CertificateSecurityError
1894
1840
# New buffer for the fingerprint
1895
1841
buf = ctypes.create_string_buffer(20)
1896
1842
buf_len = ctypes.c_size_t()
1897
1843
# Get the fingerprint from the certificate into the buffer
1898
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1899
crt, ctypes.byref(buf), ctypes.byref(buf_len))
1844
(gnutls.library.functions
1845
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1846
ctypes.byref(buf_len)))
1900
1847
# Deinit the certificate
1901
1848
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1902
1849
# Convert the buffer to a Python bytestring
1953
1898
interface: None or a network interface name (string)
1954
1899
use_ipv6: Boolean; to use IPv6 or not
1957
1901
def __init__(self, server_address, RequestHandlerClass,
1961
"""If socketfd is set, use that file descriptor instead of
1962
creating a new one with socket.socket().
1902
interface=None, use_ipv6=True):
1964
1903
self.interface = interface
1966
1905
self.address_family = socket.AF_INET6
1967
if socketfd is not None:
1968
# Save the file descriptor
1969
self.socketfd = socketfd
1970
# Save the original socket.socket() function
1971
self.socket_socket = socket.socket
1972
# To implement --socket, we monkey patch socket.socket.
1974
# (When socketserver.TCPServer is a new-style class, we
1975
# could make self.socket into a property instead of monkey
1976
# patching socket.socket.)
1978
# Create a one-time-only replacement for socket.socket()
1979
@functools.wraps(socket.socket)
1980
def socket_wrapper(*args, **kwargs):
1981
# Restore original function so subsequent calls are
1983
socket.socket = self.socket_socket
1984
del self.socket_socket
1985
# This time only, return a new socket object from the
1986
# saved file descriptor.
1987
return socket.fromfd(self.socketfd, *args, **kwargs)
1988
# Replace socket.socket() function with wrapper
1989
socket.socket = socket_wrapper
1990
# The socketserver.TCPServer.__init__ will call
1991
# socket.socket(), which might be our replacement,
1992
# socket_wrapper(), if socketfd was set.
1993
1906
socketserver.TCPServer.__init__(self, server_address,
1994
1907
RequestHandlerClass)
1996
1908
def server_bind(self):
1997
1909
"""This overrides the normal server_bind() function
1998
1910
to bind to an interface if one was specified, and also NOT to
2004
1916
self.interface)
2007
self.socket.setsockopt(
2008
socket.SOL_SOCKET, SO_BINDTODEVICE,
2009
(self.interface + "\0").encode("utf-8"))
1919
self.socket.setsockopt(socket.SOL_SOCKET,
2010
1923
except socket.error as error:
2011
1924
if error.errno == errno.EPERM:
2012
logger.error("No permission to bind to"
2013
" interface %s", self.interface)
1925
logger.error("No permission to"
1926
" bind to interface %s",
2014
1928
elif error.errno == errno.ENOPROTOOPT:
2015
1929
logger.error("SO_BINDTODEVICE not available;"
2016
1930
" cannot bind to interface %s",
2017
1931
self.interface)
2018
1932
elif error.errno == errno.ENODEV:
2019
logger.error("Interface %s does not exist,"
2020
" cannot bind", self.interface)
1933
logger.error("Interface %s does not"
1934
" exist, cannot bind",
2023
1938
# Only bind(2) the socket if we really need to.
2080
1989
def add_pipe(self, parent_pipe, proc):
2081
1990
# Call "handle_ipc" for both data and EOF events
2082
gobject.io_add_watch(
2083
parent_pipe.fileno(),
2084
gobject.IO_IN | gobject.IO_HUP,
2085
functools.partial(self.handle_ipc,
2086
parent_pipe = parent_pipe,
1991
gobject.io_add_watch(parent_pipe.fileno(),
1992
gobject.IO_IN | gobject.IO_HUP,
1993
functools.partial(self.handle_ipc,
2089
def handle_ipc(self, source, condition,
2092
client_object=None):
1998
def handle_ipc(self, source, condition, parent_pipe=None,
1999
proc = None, client_object=None):
2093
2000
# error, or the other end of multiprocessing.Pipe has closed
2094
2001
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2095
2002
# Wait for other process to exit
2157
def rfc3339_duration_to_delta(duration):
2158
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2160
>>> rfc3339_duration_to_delta("P7D")
2161
datetime.timedelta(7)
2162
>>> rfc3339_duration_to_delta("PT60S")
2163
datetime.timedelta(0, 60)
2164
>>> rfc3339_duration_to_delta("PT60M")
2165
datetime.timedelta(0, 3600)
2166
>>> rfc3339_duration_to_delta("PT24H")
2167
datetime.timedelta(1)
2168
>>> rfc3339_duration_to_delta("P1W")
2169
datetime.timedelta(7)
2170
>>> rfc3339_duration_to_delta("PT5M30S")
2171
datetime.timedelta(0, 330)
2172
>>> rfc3339_duration_to_delta("P1DT3M20S")
2173
datetime.timedelta(1, 200)
2176
# Parsing an RFC 3339 duration with regular expressions is not
2177
# possible - there would have to be multiple places for the same
2178
# values, like seconds. The current code, while more esoteric, is
2179
# cleaner without depending on a parsing library. If Python had a
2180
# built-in library for parsing we would use it, but we'd like to
2181
# avoid excessive use of external libraries.
2183
# New type for defining tokens, syntax, and semantics all-in-one
2184
Token = collections.namedtuple("Token",
2185
("regexp", # To match token; if
2186
# "value" is not None,
2187
# must have a "group"
2189
"value", # datetime.timedelta or
2191
"followers")) # Tokens valid after
2193
Token = collections.namedtuple("Token", (
2194
"regexp", # To match token; if "value" is not None, must have
2195
# a "group" containing digits
2196
"value", # datetime.timedelta or None
2197
"followers")) # Tokens valid after this token
2198
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2199
# the "duration" ABNF definition in RFC 3339, Appendix A.
2200
token_end = Token(re.compile(r"$"), None, frozenset())
2201
token_second = Token(re.compile(r"(\d+)S"),
2202
datetime.timedelta(seconds=1),
2203
frozenset((token_end, )))
2204
token_minute = Token(re.compile(r"(\d+)M"),
2205
datetime.timedelta(minutes=1),
2206
frozenset((token_second, token_end)))
2207
token_hour = Token(re.compile(r"(\d+)H"),
2208
datetime.timedelta(hours=1),
2209
frozenset((token_minute, token_end)))
2210
token_time = Token(re.compile(r"T"),
2212
frozenset((token_hour, token_minute,
2214
token_day = Token(re.compile(r"(\d+)D"),
2215
datetime.timedelta(days=1),
2216
frozenset((token_time, token_end)))
2217
token_month = Token(re.compile(r"(\d+)M"),
2218
datetime.timedelta(weeks=4),
2219
frozenset((token_day, token_end)))
2220
token_year = Token(re.compile(r"(\d+)Y"),
2221
datetime.timedelta(weeks=52),
2222
frozenset((token_month, token_end)))
2223
token_week = Token(re.compile(r"(\d+)W"),
2224
datetime.timedelta(weeks=1),
2225
frozenset((token_end, )))
2226
token_duration = Token(re.compile(r"P"), None,
2227
frozenset((token_year, token_month,
2228
token_day, token_time,
2230
# Define starting values
2231
value = datetime.timedelta() # Value so far
2233
followers = frozenset((token_duration,)) # Following valid tokens
2234
s = duration # String left to parse
2235
# Loop until end token is found
2236
while found_token is not token_end:
2237
# Search for any currently valid tokens
2238
for token in followers:
2239
match = token.regexp.match(s)
2240
if match is not None:
2242
if token.value is not None:
2243
# Value found, parse digits
2244
factor = int(match.group(1), 10)
2245
# Add to value so far
2246
value += factor * token.value
2247
# Strip token from string
2248
s = token.regexp.sub("", s, 1)
2251
# Set valid next tokens
2252
followers = found_token.followers
2255
# No currently valid tokens were found
2256
raise ValueError("Invalid RFC 3339 duration")
2261
2065
def string_to_delta(interval):
2262
2066
"""Parse a string and return a datetime.timedelta
2361
2160
parser.add_argument("--no-dbus", action="store_false",
2362
2161
dest="use_dbus", help="Do not provide D-Bus"
2363
" system bus interface", default=None)
2162
" system bus interface")
2364
2163
parser.add_argument("--no-ipv6", action="store_false",
2365
dest="use_ipv6", help="Do not use IPv6",
2164
dest="use_ipv6", help="Do not use IPv6")
2367
2165
parser.add_argument("--no-restore", action="store_false",
2368
2166
dest="restore", help="Do not restore stored"
2369
" state", default=None)
2370
parser.add_argument("--socket", type=int,
2371
help="Specify a file descriptor to a network"
2372
" socket to use instead of creating one")
2373
2168
parser.add_argument("--statedir", metavar="DIR",
2374
2169
help="Directory to save/restore state in")
2375
parser.add_argument("--foreground", action="store_true",
2376
help="Run in foreground", default=None)
2377
parser.add_argument("--no-zeroconf", action="store_false",
2378
dest="zeroconf", help="Do not use Zeroconf",
2381
2171
options = parser.parse_args()
2383
2173
if options.check:
2385
fail_count, test_count = doctest.testmod()
2386
sys.exit(os.EX_OK if fail_count == 0 else 1)
2388
2178
# Default values for config file for server-global settings
2389
2179
server_defaults = { "interface": "",
2392
2182
"debug": "False",
2394
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2395
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2184
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2396
2185
"servicename": "Mandos",
2397
2186
"use_dbus": "True",
2398
2187
"use_ipv6": "True",
2399
2188
"debuglevel": "",
2400
2189
"restore": "True",
2402
"statedir": "/var/lib/mandos",
2403
"foreground": "False",
2190
"statedir": "/var/lib/mandos"
2407
2193
# Parse config file for server-global settings
2408
2194
server_config = configparser.SafeConfigParser(server_defaults)
2409
2195
del server_defaults
2410
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2196
server_config.read(os.path.join(options.configdir,
2411
2198
# Convert the SafeConfigParser object to a dict
2412
2199
server_settings = server_config.defaults()
2413
2200
# Use the appropriate methods on the non-string config options
2414
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2201
for option in ("debug", "use_dbus", "use_ipv6"):
2415
2202
server_settings[option] = server_config.getboolean("DEFAULT",
2417
2204
if server_settings["port"]:
2418
2205
server_settings["port"] = server_config.getint("DEFAULT",
2420
if server_settings["socket"]:
2421
server_settings["socket"] = server_config.getint("DEFAULT",
2423
# Later, stdin will, and stdout and stderr might, be dup'ed
2424
# over with an opened os.devnull. But we don't want this to
2425
# happen with a supplied network socket.
2426
if 0 <= server_settings["socket"] <= 2:
2427
server_settings["socket"] = os.dup(server_settings
2429
2207
del server_config
2431
2209
# Override the settings from the config file with command line
2432
2210
# options, if set.
2433
2211
for option in ("interface", "address", "port", "debug",
2434
"priority", "servicename", "configdir", "use_dbus",
2435
"use_ipv6", "debuglevel", "restore", "statedir",
2436
"socket", "foreground", "zeroconf"):
2212
"priority", "servicename", "configdir",
2213
"use_dbus", "use_ipv6", "debuglevel", "restore",
2437
2215
value = getattr(options, option)
2438
2216
if value is not None:
2439
2217
server_settings[option] = value
2441
2219
# Force all strings to be unicode
2442
2220
for option in server_settings.keys():
2443
if isinstance(server_settings[option], bytes):
2444
server_settings[option] = (server_settings[option]
2446
# Force all boolean options to be boolean
2447
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2448
"foreground", "zeroconf"):
2449
server_settings[option] = bool(server_settings[option])
2450
# Debug implies foreground
2451
if server_settings["debug"]:
2452
server_settings["foreground"] = True
2221
if type(server_settings[option]) is str:
2222
server_settings[option] = unicode(server_settings[option])
2453
2223
# Now we have our good server settings in "server_settings"
2455
2225
##################################################################
2457
if (not server_settings["zeroconf"]
2458
and not (server_settings["port"]
2459
or server_settings["socket"] != "")):
2460
parser.error("Needs port or socket to work without Zeroconf")
2462
2227
# For convenience
2463
2228
debug = server_settings["debug"]
2464
2229
debuglevel = server_settings["debuglevel"]
2493
2257
global mandos_dbus_service
2494
2258
mandos_dbus_service = None
2497
if server_settings["socket"] != "":
2498
socketfd = server_settings["socket"]
2499
tcp_server = MandosServer(
2500
(server_settings["address"], server_settings["port"]),
2502
interface=(server_settings["interface"] or None),
2504
gnutls_priority=server_settings["priority"],
2508
pidfilename = "/run/mandos.pid"
2509
if not os.path.isdir("/run/."):
2510
pidfilename = "/var/run/mandos.pid"
2260
tcp_server = MandosServer((server_settings["address"],
2261
server_settings["port"]),
2263
interface=(server_settings["interface"]
2267
server_settings["priority"],
2270
pidfilename = "/var/run/mandos.pid"
2513
2272
pidfile = open(pidfilename, "w")
2514
2273
except IOError as e:
2572
2329
bus_name = dbus.service.BusName("se.recompile.Mandos",
2575
old_bus_name = dbus.service.BusName(
2576
"se.bsnet.fukt.Mandos", bus,
2330
bus, do_not_queue=True)
2331
old_bus_name = (dbus.service.BusName
2332
("se.bsnet.fukt.Mandos", bus,
2578
2334
except dbus.exceptions.NameExistsException as e:
2579
2335
logger.error("Disabling D-Bus:", exc_info=e)
2580
2336
use_dbus = False
2581
2337
server_settings["use_dbus"] = False
2582
2338
tcp_server.use_dbus = False
2584
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2585
service = AvahiServiceToSyslog(
2586
name = server_settings["servicename"],
2587
servicetype = "_mandos._tcp",
2588
protocol = protocol,
2590
if server_settings["interface"]:
2591
service.interface = if_nametoindex(
2592
server_settings["interface"].encode("utf-8"))
2339
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2340
service = AvahiServiceToSyslog(name =
2341
server_settings["servicename"],
2342
servicetype = "_mandos._tcp",
2343
protocol = protocol, bus = bus)
2344
if server_settings["interface"]:
2345
service.interface = (if_nametoindex
2346
(str(server_settings["interface"])))
2594
2348
global multiprocessing_manager
2595
2349
multiprocessing_manager = multiprocessing.Manager()
2602
2356
old_client_settings = {}
2603
2357
clients_data = {}
2605
# This is used to redirect stdout and stderr for checker processes
2607
wnull = open(os.devnull, "w") # A writable /dev/null
2608
# Only used if server is running in foreground but not in debug
2610
if debug or not foreground:
2613
2359
# Get client data and settings from last running state.
2614
2360
if server_settings["restore"]:
2616
2362
with open(stored_state_path, "rb") as stored_state:
2617
clients_data, old_client_settings = pickle.load(
2363
clients_data, old_client_settings = (pickle.load
2619
2365
os.remove(stored_state_path)
2620
2366
except IOError as e:
2621
2367
if e.errno == errno.ENOENT:
2622
logger.warning("Could not load persistent state:"
2623
" {}".format(os.strerror(e.errno)))
2368
logger.warning("Could not load persistent state: {0}"
2369
.format(os.strerror(e.errno)))
2625
2371
logger.critical("Could not load persistent state:",
2628
2374
except EOFError as e:
2629
2375
logger.warning("Could not load persistent state: "
2376
"EOFError:", exc_info=e)
2633
2378
with PGPEngine() as pgp:
2634
for client_name, client in clients_data.items():
2635
# Skip removed clients
2636
if client_name not in client_settings:
2379
for client_name, client in clients_data.iteritems():
2639
2380
# Decide which value to use after restoring saved state.
2640
2381
# We have three different values: Old config file,
2641
2382
# new config file, and saved state.
2662
2403
if datetime.datetime.utcnow() >= client["expires"]:
2663
2404
if not client["last_checked_ok"]:
2664
2405
logger.warning(
2665
"disabling client {} - Client never "
2666
"performed a successful checker".format(
2406
"disabling client {0} - Client never "
2407
"performed a successful checker"
2408
.format(client_name))
2668
2409
client["enabled"] = False
2669
2410
elif client["last_checker_status"] != 0:
2670
2411
logger.warning(
2671
"disabling client {} - Client last"
2672
" checker failed with error code"
2675
client["last_checker_status"]))
2412
"disabling client {0} - Client "
2413
"last checker failed with error code {1}"
2414
.format(client_name,
2415
client["last_checker_status"]))
2676
2416
client["enabled"] = False
2678
client["expires"] = (
2679
datetime.datetime.utcnow()
2680
+ client["timeout"])
2418
client["expires"] = (datetime.datetime
2420
+ client["timeout"])
2681
2421
logger.debug("Last checker succeeded,"
2682
" keeping {} enabled".format(
2422
" keeping {0} enabled"
2423
.format(client_name))
2685
client["secret"] = pgp.decrypt(
2686
client["encrypted_secret"],
2687
client_settings[client_name]["secret"])
2425
client["secret"] = (
2426
pgp.decrypt(client["encrypted_secret"],
2427
client_settings[client_name]
2688
2429
except PGPError:
2689
2430
# If decryption fails, we use secret from new settings
2690
logger.debug("Failed to decrypt {} old secret".format(
2692
client["secret"] = (client_settings[client_name]
2431
logger.debug("Failed to decrypt {0} old secret"
2432
.format(client_name))
2433
client["secret"] = (
2434
client_settings[client_name]["secret"])
2695
2436
# Add/remove clients based on new changes made to config
2696
2437
for client_name in (set(old_client_settings)
2701
2442
clients_data[client_name] = client_settings[client_name]
2703
2444
# Create all client objects
2704
for client_name, client in clients_data.items():
2445
for client_name, client in clients_data.iteritems():
2705
2446
tcp_server.clients[client_name] = client_class(
2708
server_settings = server_settings)
2447
name = client_name, settings = client)
2710
2449
if not tcp_server.clients:
2711
2450
logger.warning("No clients defined")
2714
if pidfile is not None:
2718
pidfile.write("{}\n".format(pid).encode("utf-8"))
2720
logger.error("Could not write to file %r with PID %d",
2456
pidfile.write(str(pid) + "\n".encode("utf-8"))
2459
logger.error("Could not write to file %r with PID %d",
2462
# "pidfile" was never created
2723
2464
del pidfilename
2725
2466
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2726
2467
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2730
@alternate_dbus_interfaces(
2731
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2470
@alternate_dbus_interfaces({"se.recompile.Mandos":
2471
"se.bsnet.fukt.Mandos"})
2732
2472
class MandosDBusService(DBusObjectWithProperties):
2733
2473
"""A D-Bus proxy object"""
2735
2474
def __init__(self):
2736
2475
dbus.service.Object.__init__(self, bus, "/")
2738
2476
_interface = "se.recompile.Mandos"
2740
2478
@dbus_interface_annotations(_interface)
2741
2479
def _foo(self):
2743
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2480
return { "org.freedesktop.DBus.Property"
2481
".EmitsChangedSignal":
2746
2484
@dbus.service.signal(_interface, signature="o")
2747
2485
def ClientAdded(self, objpath):
2830
2567
del client_settings[client.name]["secret"]
2833
with tempfile.NamedTemporaryFile(
2837
dir=os.path.dirname(stored_state_path),
2838
delete=False) as stored_state:
2570
with (tempfile.NamedTemporaryFile
2571
(mode='wb', suffix=".pickle", prefix='clients-',
2572
dir=os.path.dirname(stored_state_path),
2573
delete=False)) as stored_state:
2839
2574
pickle.dump((clients, client_settings), stored_state)
2840
tempname = stored_state.name
2575
tempname=stored_state.name
2841
2576
os.rename(tempname, stored_state_path)
2842
2577
except (IOError, OSError) as e: