/mandos/trunk : revision 742

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to Makefile

Committer: Teddy Hogeborn
Date: 2015-03-10 18:03:38 UTC
Revision ID: teddy@recompile.se-20150310180338-pcxw6r2qmw9k6br9

Add ":!RSA" to GnuTLS priority string, to disallow non-DHE kx.

If Mandos was somehow made to use a non-ephemeral Diffie-Hellman key
exchange algorithm in the TLS handshake, any saved network traffic
could then be decrypted later if the Mandos client key was obtained.
By default, Mandos uses ephemeral DH key exchanges which does not have
this problem, but a non-ephemeral key exchange algorithm was still
enabled by default. The simplest solution is to simply turn that off,
which ensures that Mandos will always use ephemeral DH key exchanges.

There is a "PFS" priority string specifier, but we can't use it because:

1. Security-wise, it is a mix between "NORMAL" and "SECURE128" - it
enables a lot more algorithms than "SECURE256".

2. It is only available since GnuTLS 3.2.4.

Thanks to Andreas Fischer <af@bantuX.org> for reporting this issue.

files added:
initramfs-tools-hook-conf

files removed:
bugs.xml

debian/mandos-client.templates

debian/mandos.templates

debian/po/POTFILES.in

debian/po/de.po

debian/po/en_US.po

debian/po/fr.po

debian/po/nl.po

debian/po/pt.po

debian/po/sv.po

debian/po/templates.pot

debian/source/lintian-overrides

debian/tests

debian/tests/control

debian/upstream/metadata

dracut-module

dracut-module/ask-password-mandos.path

dracut-module/ask-password-mandos.service

dracut-module/cmdline-mandos.sh

dracut-module/module-setup.sh

dracut-module/password-agent.c

dracut-module/password-agent.xml

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-script-stop

mandos-to-cryptroot-unlock

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

sysusers.d-mandos.conf

tmpfiles.d-mandos.conf

files modified:
.bzrignore

DBUS-API

INSTALL

Makefile

NEWS

README

TODO

clients.conf

common.ent

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.dirs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/rules

debian/watch

init.d-mandos

initramfs-tools-hook

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d/bridge

network-hooks.d/openvpn

network-hooks.d/wireless

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

Makefile

WARN:=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

WARN=-O -Wall -Wextra -Wdouble-promotion -Wformat=2 -Winit-self \

-Wmissing-include-dirs -Wswitch-default -Wswitch-enum \

-Wunused -Wuninitialized -Wstrict-overflow=5 \

-Wsuggest-attribute=pure -Wsuggest-attribute=const \

-Wmissing-format-attribute -Wnormalized=nfc -Wpacked \

-Wredundant-decls -Wnested-externs -Winline -Wvla \

-Wvolatile-register-var -Woverlength-strings

#DEBUG:=-ggdb3 -fsanitize=address $(SANITIZE)

## Check which sanitizing options can be used

#SANITIZE:=$(foreach option,$(ALL_SANITIZE_OPTIONS),$(shell \

# echo 'int main(){}' | $(CC) --language=c $(option) \

# /dev/stdin -o /dev/null >/dev/null 2>&1 && echo $(option)))

# <https://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/>

ALL_SANITIZE_OPTIONS:=-fsanitize=leak -fsanitize=undefined \

-fsanitize=shift -fsanitize=integer-divide-by-zero \

-fsanitize=unreachable -fsanitize=vla-bound -fsanitize=null \

-fsanitize=return -fsanitize=signed-integer-overflow \

-fsanitize=bounds -fsanitize=alignment \

-fsanitize=object-size -fsanitize=float-divide-by-zero \

-fsanitize=float-cast-overflow -fsanitize=nonnull-attribute \

-fsanitize=returns-nonnull-attribute -fsanitize=bool \

-fsanitize=enum -fsanitize-address-use-after-scope

#DEBUG=-ggdb3

# For info about _FORTIFY_SOURCE, see feature_test_macros(7)

# and <https://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY:=-D_FORTIFY_SOURCE=3 -fstack-protector-all -fPIC

LINK_FORTIFY_LD:=-z relro -z now

LINK_FORTIFY:=

# and <http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html>.

FORTIFY=-D_FORTIFY_SOURCE=2 -fstack-protector-all -fPIC

LINK_FORTIFY_LD=-z relro -z now

LINK_FORTIFY=

# If BROKEN_PIE is set, do not build with -pie

ifndef BROKEN_PIE

LINK_FORTIFY += -pie

endif

#COVERAGE=--coverage

OPTIMIZE:=-Os -fno-strict-aliasing

LANGUAGE:=-std=gnu11

FEATURES:=-D_FILE_OFFSET_BITS=64

htmldir:=man

version:=1.8.14

SED:=sed

PKG_CONFIG?=pkg-config

USER:=$(firstword $(subst :, ,$(shell getent passwd _mandos \

|| getent passwd nobody || echo 65534)))

GROUP:=$(firstword $(subst :, ,$(shell getent group _mandos \

|| getent group nogroup || echo 65534)))

LINUXVERSION:=$(shell uname --kernel-release)

OPTIMIZE=-Os -fno-strict-aliasing

LANGUAGE=-std=gnu99

htmldir=man

version=1.6.9

SED=sed

USER=$(firstword $(subst :, ,$(shell getent passwd _mandos || getent passwd nobody || echo 65534)))

GROUP=$(firstword $(subst :, ,$(shell getent group _mandos || getent group nobody || echo 65534)))

## Use these settings for a traditional /usr/local install

# PREFIX:=$(DESTDIR)/usr/local

# CONFDIR:=$(DESTDIR)/etc/mandos

# KEYDIR:=$(DESTDIR)/etc/mandos/keys

# MANDIR:=$(PREFIX)/man

# INITRAMFSTOOLS:=$(DESTDIR)/etc/initramfs-tools

# DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos

# STATEDIR:=$(DESTDIR)/var/lib/mandos

# LIBDIR:=$(PREFIX)/lib

# PREFIX=$(DESTDIR)/usr/local

# CONFDIR=$(DESTDIR)/etc/mandos

# KEYDIR=$(DESTDIR)/etc/mandos/keys

# MANDIR=$(PREFIX)/man

# INITRAMFSTOOLS=$(DESTDIR)/etc/initramfs-tools

# STATEDIR=$(DESTDIR)/var/lib/mandos

# LIBDIR=$(PREFIX)/lib

## These settings are for a package-type install

PREFIX:=$(DESTDIR)/usr

CONFDIR:=$(DESTDIR)/etc/mandos

KEYDIR:=$(DESTDIR)/etc/keys/mandos

MANDIR:=$(PREFIX)/share/man

INITRAMFSTOOLS:=$(DESTDIR)/usr/share/initramfs-tools

DRACUTMODULE:=$(DESTDIR)/usr/lib/dracut/modules.d/90mandos

STATEDIR:=$(DESTDIR)/var/lib/mandos

LIBDIR:=$(shell \

PREFIX=$(DESTDIR)/usr

CONFDIR=$(DESTDIR)/etc/mandos

KEYDIR=$(DESTDIR)/etc/keys/mandos

MANDIR=$(PREFIX)/share/man

INITRAMFSTOOLS=$(DESTDIR)/usr/share/initramfs-tools

STATEDIR=$(DESTDIR)/var/lib/mandos

LIBDIR=$(shell \

for d in \

"/usr/lib/`dpkg-architecture \

-qDEB_HOST_MULTIARCH 2>/dev/null`" \

"/usr/lib/`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`" \

"`rpm --eval='%{_libdir}' 2>/dev/null`" /usr/lib; do \

if [ -d "$$d" -a "$$d" = "$${d%/}" ]; then \

echo "$(DESTDIR)$$d"; \

done)

SYSTEMD:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=systemdsystemunitdir)

TMPFILES:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=tmpfilesdir)

SYSUSERS:=$(DESTDIR)$(shell $(PKG_CONFIG) systemd \

--variable=sysusersdir)

SYSTEMD=$(DESTDIR)$(shell pkg-config systemd --variable=systemdsystemunitdir)

GNUTLS_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I gnutls)

GNUTLS_LIBS:=$(shell $(PKG_CONFIG) --libs gnutls)

AVAHI_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I avahi-core)

AVAHI_LIBS:=$(shell $(PKG_CONFIG) --libs avahi-core)

GPGME_CFLAGS:=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

100

GPGME_LIBS:=$(shell gpgme-config --libs; getconf LFS_LIBS; \

GNUTLS_CFLAGS=$(shell pkg-config --cflags-only-I gnutls)

GNUTLS_LIBS=$(shell pkg-config --libs gnutls)

AVAHI_CFLAGS=$(shell pkg-config --cflags-only-I avahi-core)

AVAHI_LIBS=$(shell pkg-config --libs avahi-core)

GPGME_CFLAGS=$(shell gpgme-config --cflags; getconf LFS_CFLAGS)

GPGME_LIBS=$(shell gpgme-config --libs; getconf LFS_LIBS; \

101

getconf LFS_LDFLAGS)

102

LIBNL3_CFLAGS:=$(shell $(PKG_CONFIG) --cflags-only-I libnl-route-3.0)

103

LIBNL3_LIBS:=$(shell $(PKG_CONFIG) --libs libnl-route-3.0)

104

GLIB_CFLAGS:=$(shell $(PKG_CONFIG) --cflags glib-2.0)

105

GLIB_LIBS:=$(shell $(PKG_CONFIG) --libs glib-2.0)

106

107

# Do not change these two

108

CFLAGS+=$(WARN) $(DEBUG) $(FORTIFY) $(COVERAGE) $(OPTIMIZE) \

109

$(LANGUAGE) $(FEATURES) -DVERSION='"$(version)"'

110

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(strip \

111

) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

$(LANGUAGE) $(GNUTLS_CFLAGS) $(AVAHI_CFLAGS) $(GPGME_CFLAGS) \

-DVERSION='"$(version)"'

LDFLAGS+=-Xlinker --as-needed $(COVERAGE) $(LINK_FORTIFY) $(foreach flag,$(LINK_FORTIFY_LD),-Xlinker $(flag))

112

113

# Commands to format a DocBook <refentry> document into a manual page

114

DOCBOOKTOMAN=$(strip cd $(dir $<); xsltproc --nonet --xinclude \

120

/usr/share/xml/docbook/stylesheet/nwalsh/manpages/docbook.xsl \

121

$(notdir $<); \

122

if locale --all 2>/dev/null | grep --regexp='^en_US\.utf8$$' \

123

&& command -v man >/dev/null; then LANG=en_US.UTF-8 \

124

MANWIDTH=80 man --warnings --encoding=UTF-8 --local-file \

125

$(notdir $@); fi >/dev/null)

&& type man 2>/dev/null; then LANG=en_US.UTF-8 MANWIDTH=80 \

man --warnings --encoding=UTF-8 --local-file $(notdir $@); \

fi >/dev/null)

126

127

DOCBOOKTOHTML=$(strip xsltproc --nonet --xinclude \

128

--param make.year.ranges 1 \

134

100

/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl \

135

101

$<; $(HTMLPOST) $@)

136

102

# Fix citerefentry links

137

HTMLPOST:=$(SED) --in-place \

103

HTMLPOST=$(SED) --in-place \

138

104

--expression='s/$<a class="citerefentry" href="$$"><span class="citerefentry"><span class="refentrytitle">$$[^<]*$$<\/span>($$[^)]*$$)<\/span><\/a>$/\1\3.\5\2\3\4\5\6/g'

139

105

140

PLUGINS:=plugins.d/password-prompt plugins.d/mandos-client \

106

PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \

141

107

plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \

142

108

plugins.d/plymouth

143

PLUGIN_HELPERS:=plugin-helpers/mandos-client-iprouteadddel

144

CPROGS:=plugin-runner dracut-module/password-agent $(PLUGINS) \

145

$(PLUGIN_HELPERS)

146

PROGS:=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

147

DOCS:=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

109

CPROGS=plugin-runner $(PLUGINS)

110

PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)

111

DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \

148

112

mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \

149

dracut-module/password-agent.8mandos \

150

113

plugins.d/mandos-client.8mandos \

151

114

plugins.d/password-prompt.8mandos plugins.d/usplash.8mandos \

152

115

plugins.d/splashy.8mandos plugins.d/askpass-fifo.8mandos \

153

116

plugins.d/plymouth.8mandos intro.8mandos

154

117

155

htmldocs:=$(addsuffix .xhtml,$(DOCS))

156

157

objects:=$(addsuffix .o,$(CPROGS))

158

159

.PHONY: all

118

htmldocs=$(addsuffix .xhtml,$(DOCS))

119

120

objects=$(addsuffix .o,$(CPROGS))

121

160

122

all: $(PROGS) mandos.lsm

161

123

162

.PHONY: doc

163

124

doc: $(DOCS)

164

125

165

.PHONY: html

166

126

html: $(htmldocs)

167

127

168

128

%.5: %.xml common.ent legalnotice.xml

227

187

overview.xml legalnotice.xml

228

188

$(DOCBOOKTOHTML)

229

189

230

dracut-module/password-agent.8mandos: \

231

dracut-module/password-agent.xml common.ent \

232

overview.xml legalnotice.xml

233

$(DOCBOOKTOMAN)

234

dracut-module/password-agent.8mandos.xhtml: \

235

dracut-module/password-agent.xml common.ent \

236

overview.xml legalnotice.xml

237

$(DOCBOOKTOHTML)

238

239

190

plugins.d/mandos-client.8mandos: plugins.d/mandos-client.xml \

240

191

common.ent \

241

192

mandos-options.xml \

284

235

--expression='s/$mandos_$[0-9.]\+$\.orig\.tar\.gz$/\1$(version)\2/' \

285

236

$@)

286

237

287

# Need to add the GnuTLS, Avahi and GPGME libraries

288

plugins.d/mandos-client: CFLAGS += $(GNUTLS_CFLAGS) $(strip \

289

) $(AVAHI_CFLAGS) $(GPGME_CFLAGS)

290

plugins.d/mandos-client: LDLIBS += $(GNUTLS_LIBS) $(strip \

291

) $(AVAHI_LIBS) $(GPGME_LIBS)

292

293

# Need to add the libnl-route library

294

plugin-helpers/mandos-client-iprouteadddel: CFLAGS += $(LIBNL3_CFLAGS)

295

plugin-helpers/mandos-client-iprouteadddel: LDLIBS += $(LIBNL3_LIBS)

296

297

# Need to add the GLib and pthread libraries

298

dracut-module/password-agent: CFLAGS += $(GLIB_CFLAGS)

299

# Note: -lpthread is unnecessary with the GNU C library 2.34 or later

300

dracut-module/password-agent: LDLIBS += $(GLIB_LIBS) -lpthread

301

302

.PHONY: clean

238

plugins.d/mandos-client: plugins.d/mandos-client.c

239

$(LINK.c) $^ -lrt $(GNUTLS_LIBS) $(AVAHI_LIBS) $(strip\

240

) $(GPGME_LIBS) $(LOADLIBES) $(LDLIBS) -o $@

241

242

.PHONY : all doc html clean distclean mostlyclean maintainer-clean \

243

check run-client run-server install install-html \

244

install-server install-client-nokey install-client uninstall \

245

uninstall-server uninstall-client purge purge-server \

246

purge-client

247

303

248

clean:

304

249

-rm --force $(CPROGS) $(objects) $(htmldocs) $(DOCS) core

305

250

306

.PHONY: distclean

307

251

distclean: clean

308

.PHONY: mostlyclean

309

252

mostlyclean: clean

310

.PHONY: maintainer-clean

311

253

maintainer-clean: clean

312

254

-rm --force --recursive keydir confdir statedir

313

255

314

.PHONY: check

315

check: all

256

check: all

316

257

./mandos --check

317

258

./mandos-ctl --check

318

./mandos-keygen --version

319

./plugin-runner --version

320

./plugin-helpers/mandos-client-iprouteadddel --version

321

./dracut-module/password-agent --test

322

259

323

260

# Run the client with a local config and key

324

.PHONY: run-client

325

run-client: all keydir/seckey.txt keydir/pubkey.txt \

326

keydir/tls-privkey.pem keydir/tls-pubkey.pem

327

@echo '######################################################'

328

@echo '# The following error messages are harmless and can #'

329

@echo '# be safely ignored: #'

330

@echo '## From plugin-runner: #'

331

@echo '# setgid: Operation not permitted #'

332

@echo '# setuid: Operation not permitted #'

333

@echo '## From askpass-fifo: #'

334

@echo '# mkfifo: Permission denied #'

335

@echo '## From mandos-client: #'

336

@echo '# Failed to raise privileges: Operation not permi... #'

337

@echo '# Warning: network hook "*" exited with status * #'

338

@echo '# ioctl SIOCSIFFLAGS +IFF_UP: Operation not permi... #'

339

@echo '# Failed to bring up interface "*": Operation not... #'

340

@echo '# #'

341

@echo '# (The messages are caused by not running as root, #'

342

@echo '# but you should NOT run "make run-client" as root #'

343

@echo '# unless you also unpacked and compiled Mandos as #'

344

@echo '# root, which is also NOT recommended.) #'

345

@echo '######################################################'

261

run-client: all keydir/seckey.txt keydir/pubkey.txt

262

@echo "###################################################################"

263

@echo "# The following error messages are harmless and can be safely #"

264

@echo "# ignored. The messages are caused by not running as root, but #"

265

@echo "# you should NOT run \"make run-client\" as root unless you also #"

266

@echo "# unpacked and compiled Mandos as root, which is NOT recommended. #"

267

@echo "# From plugin-runner: setgid: Operation not permitted #"

268

@echo "# setuid: Operation not permitted #"

269

@echo "# From askpass-fifo: mkfifo: Permission denied #"

270

@echo "# From mandos-client: #"

271

@echo "# Failed to raise privileges: Operation not permitted #"

272

@echo "# Warning: network hook \"*\" exited with status * #"

273

@echo "###################################################################"

346

274

# We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring

347

275

./plugin-runner --plugin-dir=plugins.d \

348

--plugin-helper-dir=plugin-helpers \

349

276

--config-file=plugin-runner.conf \

350

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--tls-privkey=keydir/tls-privkey.pem,--tls-pubkey=keydir/tls-pubkey.pem,--network-hook-dir=network-hooks.d \

277

--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \

351

278

--env-for=mandos-client:GNOME_KEYRING_CONTROL= \

352

279

$(CLIENTARGS)

353

280

354

281

# Used by run-client

355

keydir/seckey.txt keydir/pubkey.txt keydir/tls-privkey.pem keydir/tls-pubkey.pem: mandos-keygen

282

keydir/seckey.txt keydir/pubkey.txt: mandos-keygen

356

283

install --directory keydir

357

284

./mandos-keygen --dir keydir --force

358

if ! [ -e keydir/tls-privkey.pem ]; then \

359

install --mode=u=rw /dev/null keydir/tls-privkey.pem; \

360

361

if ! [ -e keydir/tls-pubkey.pem ]; then \

362

install --mode=u=rw /dev/null keydir/tls-pubkey.pem; \

363

364

285

365

286

# Run the server with a local config

366

.PHONY: run-server

367

287

run-server: confdir/mandos.conf confdir/clients.conf statedir

368

288

./mandos --debug --no-dbus --configdir=confdir \

369

289

--statedir=statedir $(SERVERARGS)

372

292

confdir/mandos.conf: mandos.conf

373

293

install --directory confdir

374

294

install --mode=u=rw,go=r $^ $@

375

confdir/clients.conf: clients.conf keydir/seckey.txt keydir/tls-pubkey.pem

295

confdir/clients.conf: clients.conf keydir/seckey.txt

376

296

install --directory confdir

377

297

install --mode=u=rw $< $@

378

298

# Add a client password

380

300

statedir:

381

301

install --directory statedir

382

302

383

.PHONY: install

384

303

install: install-server install-client-nokey

385

304

386

.PHONY: install-html

387

305

install-html: html

388

306

install --directory $(htmldir)

389

307

install --mode=u=rw,go=r --target-directory=$(htmldir) \

390

308

$(htmldocs)

391

309

392

.PHONY: install-server

393

310

install-server: doc

394

311

install --directory $(CONFDIR)

395

312

if install --directory --mode=u=rwx --owner=$(USER) \

398

315

elif install --directory --mode=u=rwx $(STATEDIR); then \

399

316

chown -- $(USER):$(GROUP) $(STATEDIR) || :; \

400

317

401

if [ "$(TMPFILES)" != "$(DESTDIR)" \

402

-a -d "$(TMPFILES)" ]; then \

403

install --mode=u=rw,go=r tmpfiles.d-mandos.conf \

404

$(TMPFILES)/mandos.conf; \

405

406

if [ "$(SYSUSERS)" != "$(DESTDIR)" \

407

-a -d "$(SYSUSERS)" ]; then \

408

install --mode=u=rw,go=r sysusers.d-mandos.conf \

409

$(SYSUSERS)/mandos.conf; \

410

411

318

install --mode=u=rwx,go=rx mandos $(PREFIX)/sbin/mandos

412

319

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

413

320

mandos-ctl

442

349

gzip --best --to-stdout intro.8mandos \

443

350

> $(MANDIR)/man8/intro.8mandos.gz

444

351

445

.PHONY: install-client-nokey

446

352

install-client-nokey: all doc

447

353

install --directory $(LIBDIR)/mandos $(CONFDIR)

448

354

install --directory --mode=u=rwx $(KEYDIR) \

449

$(LIBDIR)/mandos/plugins.d \

450

$(LIBDIR)/mandos/plugin-helpers

451

if [ "$(SYSUSERS)" != "$(DESTDIR)" \

452

-a -d "$(SYSUSERS)" ]; then \

453

install --mode=u=rw,go=r sysusers.d-mandos.conf \

454

$(SYSUSERS)/mandos-client.conf; \

455

355

$(LIBDIR)/mandos/plugins.d

456

356

if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \

457

357

install --mode=u=rwx \

458

--directory "$(CONFDIR)/plugins.d" \

459

"$(CONFDIR)/plugin-helpers"; \

358

--directory "$(CONFDIR)/plugins.d"; \

460

359

461

360

install --mode=u=rwx,go=rx --directory \

462

361

"$(CONFDIR)/network-hooks.d"

463

362

install --mode=u=rwx,go=rx \

464

363

--target-directory=$(LIBDIR)/mandos plugin-runner

465

install --mode=u=rwx,go=rx \

466

--target-directory=$(LIBDIR)/mandos \

467

mandos-to-cryptroot-unlock

468

364

install --mode=u=rwx,go=rx --target-directory=$(PREFIX)/sbin \

469

365

mandos-keygen

470

366

install --mode=u=rwx,go=rx \

485

381

install --mode=u=rwxs,go=rx \

486

382

--target-directory=$(LIBDIR)/mandos/plugins.d \

487

383

plugins.d/plymouth

488

install --mode=u=rwx,go=rx \

489

--target-directory=$(LIBDIR)/mandos/plugin-helpers \

490

plugin-helpers/mandos-client-iprouteadddel

491

384

install initramfs-tools-hook \

492

385

$(INITRAMFSTOOLS)/hooks/mandos

493

install --mode=u=rw,go=r initramfs-tools-conf \

494

$(INITRAMFSTOOLS)/conf.d/mandos-conf

495

install --mode=u=rw,go=r initramfs-tools-conf-hook \

496

$(INITRAMFSTOOLS)/conf-hooks.d/zz-mandos

386

install --mode=u=rw,go=r initramfs-tools-hook-conf \

387

$(INITRAMFSTOOLS)/conf-hooks.d/mandos

497

388

install initramfs-tools-script \

498

389

$(INITRAMFSTOOLS)/scripts/init-premount/mandos

499

install initramfs-tools-script-stop \

500

$(INITRAMFSTOOLS)/scripts/local-premount/mandos

501

install --directory $(DRACUTMODULE)

502

install --mode=u=rw,go=r --target-directory=$(DRACUTMODULE) \

503

dracut-module/ask-password-mandos.path \

504

dracut-module/ask-password-mandos.service

505

install --mode=u=rwxs,go=rx \

506

--target-directory=$(DRACUTMODULE) \

507

dracut-module/module-setup.sh \

508

dracut-module/cmdline-mandos.sh \

509

dracut-module/password-agent

510

390

install --mode=u=rw,go=r plugin-runner.conf $(CONFDIR)

511

391

gzip --best --to-stdout mandos-keygen.8 \

512

392

> $(MANDIR)/man8/mandos-keygen.8.gz

524

404

> $(MANDIR)/man8/askpass-fifo.8mandos.gz

525

405

gzip --best --to-stdout plugins.d/plymouth.8mandos \

526

406

> $(MANDIR)/man8/plymouth.8mandos.gz

527

gzip --best --to-stdout dracut-module/password-agent.8mandos \

528

> $(MANDIR)/man8/password-agent.8mandos.gz

529

407

530

.PHONY: install-client

531

408

install-client: install-client-nokey

532

409

# Post-installation stuff

533

410

-$(PREFIX)/sbin/mandos-keygen --dir "$(KEYDIR)"

534

if command -v update-initramfs >/dev/null; then \

535

update-initramfs -k all -u; \

536

elif command -v dracut >/dev/null; then \

537

for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \

538

if [ -w "$$initrd" ]; then \

539

chmod go-r "$$initrd"; \

540

dracut --force "$$initrd"; \

541

fi; \

542

done; \

543

411

update-initramfs -k all -u

544

412

echo "Now run mandos-keygen --password --dir $(KEYDIR)"

545

413

546

.PHONY: uninstall

547

414

uninstall: uninstall-server uninstall-client

548

415

549

.PHONY: uninstall-server

550

416

uninstall-server:

551

417

-rm --force $(PREFIX)/sbin/mandos \

552

418

$(PREFIX)/sbin/mandos-ctl \

559

425

update-rc.d -f mandos remove

560

426

-rmdir $(CONFDIR)

561

427

562

.PHONY: uninstall-client

563

428

uninstall-client:

564

429

# Refuse to uninstall client if /etc/crypttab is explicitly configured

565

430

# to use it.

576

441

$(INITRAMFSTOOLS)/hooks/mandos \

577

442

$(INITRAMFSTOOLS)/conf-hooks.d/mandos \

578

443

$(INITRAMFSTOOLS)/scripts/init-premount/mandos \

579

$(INITRAMFSTOOLS)/scripts/local-premount/mandos \

580

$(DRACUTMODULE)/ask-password-mandos.path \

581

$(DRACUTMODULE)/ask-password-mandos.service \

582

$(DRACUTMODULE)/module-setup.sh \

583

$(DRACUTMODULE)/cmdline-mandos.sh \

584

$(DRACUTMODULE)/password-agent \

585

444

$(MANDIR)/man8/mandos-keygen.8.gz \

586

445

$(MANDIR)/man8/plugin-runner.8mandos.gz \

587

446

$(MANDIR)/man8/mandos-client.8mandos.gz

590

449

$(MANDIR)/man8/splashy.8mandos.gz \

591

450

$(MANDIR)/man8/askpass-fifo.8mandos.gz \

592

451

$(MANDIR)/man8/plymouth.8mandos.gz \

593

$(MANDIR)/man8/password-agent.8mandos.gz \

594

452

-rmdir $(LIBDIR)/mandos/plugins.d $(CONFDIR)/plugins.d \

595

$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR) $(DRACUTMODULE)

596

if command -v update-initramfs >/dev/null; then \

597

update-initramfs -k all -u; \

598

elif command -v dracut >/dev/null; then \

599

for initrd in $(DESTDIR)/boot/initr*-$(LINUXVERSION); do \

600

test -w "$$initrd" && dracut --force "$$initrd"; \

601

done; \

602

453

$(LIBDIR)/mandos $(CONFDIR) $(KEYDIR)

454

update-initramfs -k all -u

603

455

604

.PHONY: purge

605

456

purge: purge-server purge-client

606

457

607

.PHONY: purge-server

608

458

purge-server: uninstall-server

609

459

-rm --force $(CONFDIR)/mandos.conf $(CONFDIR)/clients.conf \

610

460

$(DESTDIR)/etc/dbus-1/system.d/mandos.conf

615

465

$(DESTDIR)/var/run/mandos.pid

616

466

-rmdir $(CONFDIR)

617

467

618

.PHONY: purge-client

619

468

purge-client: uninstall-client

620

-shred --remove $(KEYDIR)/seckey.txt $(KEYDIR)/tls-privkey.pem

469

-shred --remove $(KEYDIR)/seckey.txt

621

470

-rm --force $(CONFDIR)/plugin-runner.conf \

622

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt \

623

$(KEYDIR)/tls-pubkey.txt $(KEYDIR)/tls-privkey.txt

471

$(KEYDIR)/pubkey.txt $(KEYDIR)/seckey.txt

624

472

-rmdir $(KEYDIR) $(CONFDIR)/plugins.d $(CONFDIR)

Older »