/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos

  • Committer: Teddy Hogeborn
  • Date: 2012-05-26 22:56:38 UTC
  • mfrom: (589.1.1 socket-option)
  • Revision ID: teddy@recompile.se-20120526225638-4hvqyrvmj0036lfn
Merge "--socket" option for server.

This is suggested by the GNU Coding Standards' Table of Long Options,
and will probably also allow socket activation (e.g. by systemd(8)).

Show diffs side-by-side

added added

removed removed

Lines of Context:
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
13
13
# Everything else is
14
 
# Copyright © 2008-2014 Teddy Hogeborn
15
 
# Copyright © 2008-2014 Björn Påhlsson
 
14
# Copyright © 2008-2012 Teddy Hogeborn
 
15
# Copyright © 2008-2012 Björn Påhlsson
16
16
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
68
68
import binascii
69
69
import tempfile
70
70
import itertools
71
 
import collections
72
71
 
73
72
import dbus
74
73
import dbus.service
79
78
import ctypes.util
80
79
import xml.dom.minidom
81
80
import inspect
 
81
import GnuPGInterface
82
82
 
83
83
try:
84
84
    SO_BINDTODEVICE = socket.SO_BINDTODEVICE
88
88
    except ImportError:
89
89
        SO_BINDTODEVICE = None
90
90
 
91
 
version = "1.6.4"
 
91
version = "1.5.4"
92
92
stored_state_file = "clients.pickle"
93
93
 
94
94
logger = logging.getLogger()
95
 
syslogger = None
 
95
syslogger = (logging.handlers.SysLogHandler
 
96
             (facility = logging.handlers.SysLogHandler.LOG_DAEMON,
 
97
              address = str("/dev/log")))
96
98
 
97
99
try:
98
100
    if_nametoindex = (ctypes.cdll.LoadLibrary
114
116
def initlogger(debug, level=logging.WARNING):
115
117
    """init logger and add loglevel"""
116
118
    
117
 
    syslogger = (logging.handlers.SysLogHandler
118
 
                 (facility =
119
 
                  logging.handlers.SysLogHandler.LOG_DAEMON,
120
 
                  address = str("/dev/log")))
121
119
    syslogger.setFormatter(logging.Formatter
122
120
                           ('Mandos [%(process)d]: %(levelname)s:'
123
121
                            ' %(message)s'))
141
139
class PGPEngine(object):
142
140
    """A simple class for OpenPGP symmetric encryption & decryption"""
143
141
    def __init__(self):
 
142
        self.gnupg = GnuPGInterface.GnuPG()
144
143
        self.tempdir = tempfile.mkdtemp(prefix="mandos-")
145
 
        self.gnupgargs = ['--batch',
146
 
                          '--home', self.tempdir,
147
 
                          '--force-mdc',
148
 
                          '--quiet',
149
 
                          '--no-use-agent']
 
144
        self.gnupg = GnuPGInterface.GnuPG()
 
145
        self.gnupg.options.meta_interactive = False
 
146
        self.gnupg.options.homedir = self.tempdir
 
147
        self.gnupg.options.extra_args.extend(['--force-mdc',
 
148
                                              '--quiet',
 
149
                                              '--no-use-agent'])
150
150
    
151
151
    def __enter__(self):
152
152
        return self
174
174
    def password_encode(self, password):
175
175
        # Passphrase can not be empty and can not contain newlines or
176
176
        # NUL bytes.  So we prefix it and hex encode it.
177
 
        encoded = b"mandos" + binascii.hexlify(password)
178
 
        if len(encoded) > 2048:
179
 
            # GnuPG can't handle long passwords, so encode differently
180
 
            encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
181
 
                       .replace(b"\n", b"\\n")
182
 
                       .replace(b"\0", b"\\x00"))
183
 
        return encoded
 
177
        return b"mandos" + binascii.hexlify(password)
184
178
    
185
179
    def encrypt(self, data, password):
186
 
        passphrase = self.password_encode(password)
187
 
        with tempfile.NamedTemporaryFile(dir=self.tempdir
188
 
                                         ) as passfile:
189
 
            passfile.write(passphrase)
190
 
            passfile.flush()
191
 
            proc = subprocess.Popen(['gpg', '--symmetric',
192
 
                                     '--passphrase-file',
193
 
                                     passfile.name]
194
 
                                    + self.gnupgargs,
195
 
                                    stdin = subprocess.PIPE,
196
 
                                    stdout = subprocess.PIPE,
197
 
                                    stderr = subprocess.PIPE)
198
 
            ciphertext, err = proc.communicate(input = data)
199
 
        if proc.returncode != 0:
200
 
            raise PGPError(err)
 
180
        self.gnupg.passphrase = self.password_encode(password)
 
181
        with open(os.devnull, "w") as devnull:
 
182
            try:
 
183
                proc = self.gnupg.run(['--symmetric'],
 
184
                                      create_fhs=['stdin', 'stdout'],
 
185
                                      attach_fhs={'stderr': devnull})
 
186
                with contextlib.closing(proc.handles['stdin']) as f:
 
187
                    f.write(data)
 
188
                with contextlib.closing(proc.handles['stdout']) as f:
 
189
                    ciphertext = f.read()
 
190
                proc.wait()
 
191
            except IOError as e:
 
192
                raise PGPError(e)
 
193
        self.gnupg.passphrase = None
201
194
        return ciphertext
202
195
    
203
196
    def decrypt(self, data, password):
204
 
        passphrase = self.password_encode(password)
205
 
        with tempfile.NamedTemporaryFile(dir = self.tempdir
206
 
                                         ) as passfile:
207
 
            passfile.write(passphrase)
208
 
            passfile.flush()
209
 
            proc = subprocess.Popen(['gpg', '--decrypt',
210
 
                                     '--passphrase-file',
211
 
                                     passfile.name]
212
 
                                    + self.gnupgargs,
213
 
                                    stdin = subprocess.PIPE,
214
 
                                    stdout = subprocess.PIPE,
215
 
                                    stderr = subprocess.PIPE)
216
 
            decrypted_plaintext, err = proc.communicate(input
217
 
                                                        = data)
218
 
        if proc.returncode != 0:
219
 
            raise PGPError(err)
 
197
        self.gnupg.passphrase = self.password_encode(password)
 
198
        with open(os.devnull, "w") as devnull:
 
199
            try:
 
200
                proc = self.gnupg.run(['--decrypt'],
 
201
                                      create_fhs=['stdin', 'stdout'],
 
202
                                      attach_fhs={'stderr': devnull})
 
203
                with contextlib.closing(proc.handles['stdin']) as f:
 
204
                    f.write(data)
 
205
                with contextlib.closing(proc.handles['stdout']) as f:
 
206
                    decrypted_plaintext = f.read()
 
207
                proc.wait()
 
208
            except IOError as e:
 
209
                raise PGPError(e)
 
210
        self.gnupg.passphrase = None
220
211
        return decrypted_plaintext
221
212
 
222
213
 
242
233
               Used to optionally bind to the specified interface.
243
234
    name: string; Example: 'Mandos'
244
235
    type: string; Example: '_mandos._tcp'.
245
 
     See <https://www.iana.org/assignments/service-names-port-numbers>
 
236
                  See <http://www.dns-sd.org/ServiceTypes.html>
246
237
    port: integer; what port to announce
247
238
    TXT: list of strings; TXT record for the service
248
239
    domain: string; Domain to publish on, default to .local if empty.
448
439
    runtime_expansions: Allowed attributes for runtime expansion.
449
440
    expires:    datetime.datetime(); time (UTC) when a client will be
450
441
                disabled, or None
451
 
    server_settings: The server_settings dict from main()
452
442
    """
453
443
    
454
444
    runtime_expansions = ("approval_delay", "approval_duration",
456
446
                          "fingerprint", "host", "interval",
457
447
                          "last_approval_request", "last_checked_ok",
458
448
                          "last_enabled", "name", "timeout")
459
 
    client_defaults = { "timeout": "PT5M",
460
 
                        "extended_timeout": "PT15M",
461
 
                        "interval": "PT2M",
 
449
    client_defaults = { "timeout": "5m",
 
450
                        "extended_timeout": "15m",
 
451
                        "interval": "2m",
462
452
                        "checker": "fping -q -- %%(host)s",
463
453
                        "host": "",
464
 
                        "approval_delay": "PT0S",
465
 
                        "approval_duration": "PT1S",
 
454
                        "approval_delay": "0s",
 
455
                        "approval_duration": "1s",
466
456
                        "approved_by_default": "True",
467
457
                        "enabled": "True",
468
458
                        }
529
519
        
530
520
        return settings
531
521
    
532
 
    def __init__(self, settings, name = None, server_settings=None):
 
522
    def __init__(self, settings, name = None):
533
523
        self.name = name
534
 
        if server_settings is None:
535
 
            server_settings = {}
536
 
        self.server_settings = server_settings
537
524
        # adding all client settings
538
525
        for setting, value in settings.iteritems():
539
526
            setattr(self, setting, value)
692
679
        # If a checker exists, make sure it is not a zombie
693
680
        try:
694
681
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
695
 
        except AttributeError:
696
 
            pass
697
 
        except OSError as error:
698
 
            if error.errno != errno.ECHILD:
699
 
                raise
 
682
        except (AttributeError, OSError) as error:
 
683
            if (isinstance(error, OSError)
 
684
                and error.errno != errno.ECHILD):
 
685
                raise error
700
686
        else:
701
687
            if pid:
702
688
                logger.warning("Checker was a zombie")
724
710
                # in normal mode, that is already done by daemon(),
725
711
                # and in debug mode we don't want to.  (Stdin is
726
712
                # always replaced by /dev/null.)
727
 
                # The exception is when not debugging but nevertheless
728
 
                # running in the foreground; use the previously
729
 
                # created wnull.
730
 
                popen_args = {}
731
 
                if (not self.server_settings["debug"]
732
 
                    and self.server_settings["foreground"]):
733
 
                    popen_args.update({"stdout": wnull,
734
 
                                       "stderr": wnull })
735
713
                self.checker = subprocess.Popen(command,
736
714
                                                close_fds=True,
737
 
                                                shell=True, cwd="/",
738
 
                                                **popen_args)
 
715
                                                shell=True, cwd="/")
739
716
            except OSError as error:
740
717
                logger.error("Failed to start subprocess",
741
718
                             exc_info=error)
742
 
                return True
743
719
            self.checker_callback_tag = (gobject.child_watch_add
744
720
                                         (self.checker.pid,
745
721
                                          self.checker_callback,
746
722
                                          data=command))
747
723
            # The checker may have completed before the gobject
748
724
            # watch was added.  Check for this.
749
 
            try:
750
 
                pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
751
 
            except OSError as error:
752
 
                if error.errno == errno.ECHILD:
753
 
                    # This should never happen
754
 
                    logger.error("Child process vanished",
755
 
                                 exc_info=error)
756
 
                    return True
757
 
                raise
 
725
            pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
758
726
            if pid:
759
727
                gobject.source_remove(self.checker_callback_tag)
760
728
                self.checker_callback(pid, status, command)
936
904
            # The byte_arrays option is not supported yet on
937
905
            # signatures other than "ay".
938
906
            if prop._dbus_signature != "ay":
939
 
                raise ValueError("Byte arrays not supported for non-"
940
 
                                 "'ay' signature {0!r}"
941
 
                                 .format(prop._dbus_signature))
 
907
                raise ValueError
942
908
            value = dbus.ByteArray(b''.join(chr(byte)
943
909
                                            for byte in value))
944
910
        prop(value)
1102
1068
                interface_names.add(alt_interface)
1103
1069
                # Is this a D-Bus signal?
1104
1070
                if getattr(attribute, "_dbus_is_signal", False):
1105
 
                    # Extract the original non-method undecorated
1106
 
                    # function by black magic
 
1071
                    # Extract the original non-method function by
 
1072
                    # black magic
1107
1073
                    nonmethod_func = (dict(
1108
1074
                            zip(attribute.func_code.co_freevars,
1109
1075
                                attribute.__closure__))["func"]
1352
1318
                                       *args, **kwargs)
1353
1319
    
1354
1320
    def start_checker(self, *args, **kwargs):
1355
 
        old_checker_pid = getattr(self.checker, "pid", None)
 
1321
        old_checker = self.checker
 
1322
        if self.checker is not None:
 
1323
            old_checker_pid = self.checker.pid
 
1324
        else:
 
1325
            old_checker_pid = None
1356
1326
        r = Client.start_checker(self, *args, **kwargs)
1357
1327
        # Only if new checker process was started
1358
1328
        if (self.checker is not None
1703
1673
            logger.debug("Protocol version: %r", line)
1704
1674
            try:
1705
1675
                if int(line.strip().split()[0]) > 1:
1706
 
                    raise RuntimeError(line)
 
1676
                    raise RuntimeError
1707
1677
            except (ValueError, IndexError, RuntimeError) as error:
1708
1678
                logger.error("Unknown protocol version: %s", error)
1709
1679
                return
1916
1886
    
1917
1887
    def add_pipe(self, parent_pipe, proc):
1918
1888
        """Dummy function; override as necessary"""
1919
 
        raise NotImplementedError()
 
1889
        raise NotImplementedError
1920
1890
 
1921
1891
 
1922
1892
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1978
1948
                try:
1979
1949
                    self.socket.setsockopt(socket.SOL_SOCKET,
1980
1950
                                           SO_BINDTODEVICE,
1981
 
                                           str(self.interface + '\0'))
 
1951
                                           str(self.interface
 
1952
                                               + '\0'))
1982
1953
                except socket.error as error:
1983
1954
                    if error.errno == errno.EPERM:
1984
 
                        logger.error("No permission to bind to"
1985
 
                                     " interface %s", self.interface)
 
1955
                        logger.error("No permission to"
 
1956
                                     " bind to interface %s",
 
1957
                                     self.interface)
1986
1958
                    elif error.errno == errno.ENOPROTOOPT:
1987
1959
                        logger.error("SO_BINDTODEVICE not available;"
1988
1960
                                     " cannot bind to interface %s",
1989
1961
                                     self.interface)
1990
1962
                    elif error.errno == errno.ENODEV:
1991
 
                        logger.error("Interface %s does not exist,"
1992
 
                                     " cannot bind", self.interface)
 
1963
                        logger.error("Interface %s does not"
 
1964
                                     " exist, cannot bind",
 
1965
                                     self.interface)
1993
1966
                    else:
1994
1967
                        raise
1995
1968
        # Only bind(2) the socket if we really need to.
1998
1971
                if self.address_family == socket.AF_INET6:
1999
1972
                    any_address = "::" # in6addr_any
2000
1973
                else:
2001
 
                    any_address = "0.0.0.0" # INADDR_ANY
 
1974
                    any_address = socket.INADDR_ANY
2002
1975
                self.server_address = (any_address,
2003
1976
                                       self.server_address[1])
2004
1977
            elif not self.server_address[1]:
2120
2093
        return True
2121
2094
 
2122
2095
 
2123
 
def rfc3339_duration_to_delta(duration):
2124
 
    """Parse an RFC 3339 "duration" and return a datetime.timedelta
2125
 
    
2126
 
    >>> rfc3339_duration_to_delta("P7D")
2127
 
    datetime.timedelta(7)
2128
 
    >>> rfc3339_duration_to_delta("PT60S")
2129
 
    datetime.timedelta(0, 60)
2130
 
    >>> rfc3339_duration_to_delta("PT60M")
2131
 
    datetime.timedelta(0, 3600)
2132
 
    >>> rfc3339_duration_to_delta("PT24H")
2133
 
    datetime.timedelta(1)
2134
 
    >>> rfc3339_duration_to_delta("P1W")
2135
 
    datetime.timedelta(7)
2136
 
    >>> rfc3339_duration_to_delta("PT5M30S")
2137
 
    datetime.timedelta(0, 330)
2138
 
    >>> rfc3339_duration_to_delta("P1DT3M20S")
2139
 
    datetime.timedelta(1, 200)
2140
 
    """
2141
 
    
2142
 
    # Parsing an RFC 3339 duration with regular expressions is not
2143
 
    # possible - there would have to be multiple places for the same
2144
 
    # values, like seconds.  The current code, while more esoteric, is
2145
 
    # cleaner without depending on a parsing library.  If Python had a
2146
 
    # built-in library for parsing we would use it, but we'd like to
2147
 
    # avoid excessive use of external libraries.
2148
 
    
2149
 
    # New type for defining tokens, syntax, and semantics all-in-one
2150
 
    Token = collections.namedtuple("Token",
2151
 
                                   ("regexp", # To match token; if
2152
 
                                              # "value" is not None,
2153
 
                                              # must have a "group"
2154
 
                                              # containing digits
2155
 
                                    "value",  # datetime.timedelta or
2156
 
                                              # None
2157
 
                                    "followers")) # Tokens valid after
2158
 
                                                  # this token
2159
 
    # RFC 3339 "duration" tokens, syntax, and semantics; taken from
2160
 
    # the "duration" ABNF definition in RFC 3339, Appendix A.
2161
 
    token_end = Token(re.compile(r"$"), None, frozenset())
2162
 
    token_second = Token(re.compile(r"(\d+)S"),
2163
 
                         datetime.timedelta(seconds=1),
2164
 
                         frozenset((token_end,)))
2165
 
    token_minute = Token(re.compile(r"(\d+)M"),
2166
 
                         datetime.timedelta(minutes=1),
2167
 
                         frozenset((token_second, token_end)))
2168
 
    token_hour = Token(re.compile(r"(\d+)H"),
2169
 
                       datetime.timedelta(hours=1),
2170
 
                       frozenset((token_minute, token_end)))
2171
 
    token_time = Token(re.compile(r"T"),
2172
 
                       None,
2173
 
                       frozenset((token_hour, token_minute,
2174
 
                                  token_second)))
2175
 
    token_day = Token(re.compile(r"(\d+)D"),
2176
 
                      datetime.timedelta(days=1),
2177
 
                      frozenset((token_time, token_end)))
2178
 
    token_month = Token(re.compile(r"(\d+)M"),
2179
 
                        datetime.timedelta(weeks=4),
2180
 
                        frozenset((token_day, token_end)))
2181
 
    token_year = Token(re.compile(r"(\d+)Y"),
2182
 
                       datetime.timedelta(weeks=52),
2183
 
                       frozenset((token_month, token_end)))
2184
 
    token_week = Token(re.compile(r"(\d+)W"),
2185
 
                       datetime.timedelta(weeks=1),
2186
 
                       frozenset((token_end,)))
2187
 
    token_duration = Token(re.compile(r"P"), None,
2188
 
                           frozenset((token_year, token_month,
2189
 
                                      token_day, token_time,
2190
 
                                      token_week))),
2191
 
    # Define starting values
2192
 
    value = datetime.timedelta() # Value so far
2193
 
    found_token = None
2194
 
    followers = frozenset(token_duration,) # Following valid tokens
2195
 
    s = duration                # String left to parse
2196
 
    # Loop until end token is found
2197
 
    while found_token is not token_end:
2198
 
        # Search for any currently valid tokens
2199
 
        for token in followers:
2200
 
            match = token.regexp.match(s)
2201
 
            if match is not None:
2202
 
                # Token found
2203
 
                if token.value is not None:
2204
 
                    # Value found, parse digits
2205
 
                    factor = int(match.group(1), 10)
2206
 
                    # Add to value so far
2207
 
                    value += factor * token.value
2208
 
                # Strip token from string
2209
 
                s = token.regexp.sub("", s, 1)
2210
 
                # Go to found token
2211
 
                found_token = token
2212
 
                # Set valid next tokens
2213
 
                followers = found_token.followers
2214
 
                break
2215
 
        else:
2216
 
            # No currently valid tokens were found
2217
 
            raise ValueError("Invalid RFC 3339 duration")
2218
 
    # End token found
2219
 
    return value
2220
 
 
2221
 
 
2222
2096
def string_to_delta(interval):
2223
2097
    """Parse a string and return a datetime.timedelta
2224
2098
    
2235
2109
    >>> string_to_delta('5m 30s')
2236
2110
    datetime.timedelta(0, 330)
2237
2111
    """
2238
 
    
2239
 
    try:
2240
 
        return rfc3339_duration_to_delta(interval)
2241
 
    except ValueError:
2242
 
        pass
2243
 
    
2244
2112
    timevalue = datetime.timedelta(0)
2245
2113
    for s in interval.split():
2246
2114
        try:
2259
2127
            else:
2260
2128
                raise ValueError("Unknown suffix {0!r}"
2261
2129
                                 .format(suffix))
2262
 
        except IndexError as e:
 
2130
        except (ValueError, IndexError) as e:
2263
2131
            raise ValueError(*(e.args))
2264
2132
        timevalue += delta
2265
2133
    return timevalue
2309
2177
                        help="Run self-test")
2310
2178
    parser.add_argument("--debug", action="store_true",
2311
2179
                        help="Debug mode; run in foreground and log"
2312
 
                        " to terminal", default=None)
 
2180
                        " to terminal")
2313
2181
    parser.add_argument("--debuglevel", metavar="LEVEL",
2314
2182
                        help="Debug level for stdout output")
2315
2183
    parser.add_argument("--priority", help="GnuTLS"
2322
2190
                        " files")
2323
2191
    parser.add_argument("--no-dbus", action="store_false",
2324
2192
                        dest="use_dbus", help="Do not provide D-Bus"
2325
 
                        " system bus interface", default=None)
 
2193
                        " system bus interface")
2326
2194
    parser.add_argument("--no-ipv6", action="store_false",
2327
 
                        dest="use_ipv6", help="Do not use IPv6",
2328
 
                        default=None)
 
2195
                        dest="use_ipv6", help="Do not use IPv6")
2329
2196
    parser.add_argument("--no-restore", action="store_false",
2330
2197
                        dest="restore", help="Do not restore stored"
2331
 
                        " state", default=None)
 
2198
                        " state")
2332
2199
    parser.add_argument("--socket", type=int,
2333
2200
                        help="Specify a file descriptor to a network"
2334
2201
                        " socket to use instead of creating one")
2335
2202
    parser.add_argument("--statedir", metavar="DIR",
2336
2203
                        help="Directory to save/restore state in")
2337
 
    parser.add_argument("--foreground", action="store_true",
2338
 
                        help="Run in foreground", default=None)
2339
2204
    
2340
2205
    options = parser.parse_args()
2341
2206
    
2342
2207
    if options.check:
2343
2208
        import doctest
2344
 
        fail_count, test_count = doctest.testmod()
2345
 
        sys.exit(os.EX_OK if fail_count == 0 else 1)
 
2209
        doctest.testmod()
 
2210
        sys.exit()
2346
2211
    
2347
2212
    # Default values for config file for server-global settings
2348
2213
    server_defaults = { "interface": "",
2350
2215
                        "port": "",
2351
2216
                        "debug": "False",
2352
2217
                        "priority":
2353
 
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
 
2218
                        "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2354
2219
                        "servicename": "Mandos",
2355
2220
                        "use_dbus": "True",
2356
2221
                        "use_ipv6": "True",
2357
2222
                        "debuglevel": "",
2358
2223
                        "restore": "True",
2359
2224
                        "socket": "",
2360
 
                        "statedir": "/var/lib/mandos",
2361
 
                        "foreground": "False",
 
2225
                        "statedir": "/var/lib/mandos"
2362
2226
                        }
2363
2227
    
2364
2228
    # Parse config file for server-global settings
2369
2233
    # Convert the SafeConfigParser object to a dict
2370
2234
    server_settings = server_config.defaults()
2371
2235
    # Use the appropriate methods on the non-string config options
2372
 
    for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
 
2236
    for option in ("debug", "use_dbus", "use_ipv6"):
2373
2237
        server_settings[option] = server_config.getboolean("DEFAULT",
2374
2238
                                                           option)
2375
2239
    if server_settings["port"]:
2391
2255
    for option in ("interface", "address", "port", "debug",
2392
2256
                   "priority", "servicename", "configdir",
2393
2257
                   "use_dbus", "use_ipv6", "debuglevel", "restore",
2394
 
                   "statedir", "socket", "foreground"):
 
2258
                   "statedir", "socket"):
2395
2259
        value = getattr(options, option)
2396
2260
        if value is not None:
2397
2261
            server_settings[option] = value
2400
2264
    for option in server_settings.keys():
2401
2265
        if type(server_settings[option]) is str:
2402
2266
            server_settings[option] = unicode(server_settings[option])
2403
 
    # Force all boolean options to be boolean
2404
 
    for option in ("debug", "use_dbus", "use_ipv6", "restore",
2405
 
                   "foreground"):
2406
 
        server_settings[option] = bool(server_settings[option])
2407
 
    # Debug implies foreground
2408
 
    if server_settings["debug"]:
2409
 
        server_settings["foreground"] = True
2410
2267
    # Now we have our good server settings in "server_settings"
2411
2268
    
2412
2269
    ##################################################################
2418
2275
    use_ipv6 = server_settings["use_ipv6"]
2419
2276
    stored_state_path = os.path.join(server_settings["statedir"],
2420
2277
                                     stored_state_file)
2421
 
    foreground = server_settings["foreground"]
2422
2278
    
2423
2279
    if debug:
2424
2280
        initlogger(debug, logging.DEBUG)
2456
2312
                              use_dbus=use_dbus,
2457
2313
                              socketfd=(server_settings["socket"]
2458
2314
                                        or None))
2459
 
    if not foreground:
2460
 
        pidfilename = "/run/mandos.pid"
2461
 
        if not os.path.isdir("/run/."):
2462
 
            pidfilename = "/var/run/mandos.pid"
2463
 
        pidfile = None
 
2315
    if not debug:
 
2316
        pidfilename = "/var/run/mandos.pid"
2464
2317
        try:
2465
2318
            pidfile = open(pidfilename, "w")
2466
2319
        except IOError as e:
2482
2335
        os.setuid(uid)
2483
2336
    except OSError as error:
2484
2337
        if error.errno != errno.EPERM:
2485
 
            raise
 
2338
            raise error
2486
2339
    
2487
2340
    if debug:
2488
2341
        # Enable all possible GnuTLS debugging
2505
2358
            os.close(null)
2506
2359
    
2507
2360
    # Need to fork before connecting to D-Bus
2508
 
    if not foreground:
 
2361
    if not debug:
2509
2362
        # Close all input and output, do double fork, etc.
2510
2363
        daemon()
2511
2364
    
2551
2404
    old_client_settings = {}
2552
2405
    clients_data = {}
2553
2406
    
2554
 
    # This is used to redirect stdout and stderr for checker processes
2555
 
    global wnull
2556
 
    wnull = open(os.devnull, "w") # A writable /dev/null
2557
 
    # Only used if server is running in foreground but not in debug
2558
 
    # mode
2559
 
    if debug or not foreground:
2560
 
        wnull.close()
2561
 
    
2562
2407
    # Get client data and settings from last running state.
2563
2408
    if server_settings["restore"]:
2564
2409
        try:
2580
2425
    
2581
2426
    with PGPEngine() as pgp:
2582
2427
        for client_name, client in clients_data.iteritems():
2583
 
            # Skip removed clients
2584
 
            if client_name not in client_settings:
2585
 
                continue
2586
 
            
2587
2428
            # Decide which value to use after restoring saved state.
2588
2429
            # We have three different values: Old config file,
2589
2430
            # new config file, and saved state.
2651
2492
    # Create all client objects
2652
2493
    for client_name, client in clients_data.iteritems():
2653
2494
        tcp_server.clients[client_name] = client_class(
2654
 
            name = client_name, settings = client,
2655
 
            server_settings = server_settings)
 
2495
            name = client_name, settings = client)
2656
2496
    
2657
2497
    if not tcp_server.clients:
2658
2498
        logger.warning("No clients defined")
2659
2499
    
2660
 
    if not foreground:
2661
 
        if pidfile is not None:
2662
 
            try:
2663
 
                with pidfile:
2664
 
                    pid = os.getpid()
2665
 
                    pidfile.write(str(pid) + "\n".encode("utf-8"))
2666
 
            except IOError:
2667
 
                logger.error("Could not write to file %r with PID %d",
2668
 
                             pidfilename, pid)
2669
 
        del pidfile
 
2500
    if not debug:
 
2501
        try:
 
2502
            with pidfile:
 
2503
                pid = os.getpid()
 
2504
                pidfile.write(str(pid) + "\n".encode("utf-8"))
 
2505
            del pidfile
 
2506
        except IOError:
 
2507
            logger.error("Could not write to file %r with PID %d",
 
2508
                         pidfilename, pid)
 
2509
        except NameError:
 
2510
            # "pidfile" was never created
 
2511
            pass
2670
2512
        del pidfilename
2671
2513
    
2672
2514
    signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2741
2583
        service.cleanup()
2742
2584
        
2743
2585
        multiprocessing.active_children()
2744
 
        wnull.close()
2745
2586
        if not (tcp_server.clients or client_settings):
2746
2587
            return
2747
2588
        
2759
2600
                # A list of attributes that can not be pickled
2760
2601
                # + secret.
2761
2602
                exclude = set(("bus", "changedstate", "secret",
2762
 
                               "checker", "server_settings"))
 
2603
                               "checker"))
2763
2604
                for name, typ in (inspect.getmembers
2764
2605
                                  (dbus.service.Object)):
2765
2606
                    exclude.add(name)
2793
2634
            else:
2794
2635
                logger.warning("Could not save persistent state:",
2795
2636
                               exc_info=e)
2796
 
                raise
 
2637
                raise e
2797
2638
        
2798
2639
        # Delete all clients, and settings from config
2799
2640
        while tcp_server.clients: