/mandos/trunk : revision 777

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.c

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
debian/upstream

debian/upstream/signing-key.asc

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files removed:
debian/upstream-signing-key.pgp

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.postinst

debian/mandos.prerm

debian/rules

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

plugin-runner.c

* Mandos plugin runner - Run Mandos plugins

* This program is free software: you can redistribute it and/or

* modify it under the terms of the GNU General Public License as

#define _GNU_SOURCE /* TEMP_FAILURE_RETRY(), getline(),

O_CLOEXEC */

O_CLOEXEC, pipe2() */

#include <stddef.h> /* size_t, NULL */

#include <stdlib.h> /* malloc(), exit(), EXIT_SUCCESS,

realloc() */

#include <stdbool.h> /* bool, true, false */

#include <stdio.h> /* fileno(), fprintf(),

stderr, STDOUT_FILENO, fclose() */

#include <sys/types.h> /* DIR, fdopendir(), fstat(), struct

stat, waitpid(), WIFEXITED(),

WEXITSTATUS(), wait(), pid_t,

uid_t, gid_t, getuid(), getgid(),

dirfd() */

#include <sys/types.h> /* fstat(), struct stat, waitpid(),

WIFEXITED(), WEXITSTATUS(), wait(),

pid_t, uid_t, gid_t, getuid(),

getgid() */

#include <sys/select.h> /* fd_set, select(), FD_ZERO(),

FD_SET(), FD_ISSET(), FD_CLR */

#include <sys/wait.h> /* wait(), waitpid(), WIFEXITED(),

WCOREDUMP() */

#include <sys/stat.h> /* struct stat, fstat(), S_ISREG() */

#include <iso646.h> /* and, or, not */

#include <dirent.h> /* DIR, struct dirent, fdopendir(),

readdir(), closedir(), dirfd() */

#include <dirent.h> /* struct dirent, scandirat() */

#include <unistd.h> /* fcntl(), F_GETFD, F_SETFD,

FD_CLOEXEC, write(), STDOUT_FILENO,

struct stat, fstat(), close(),

setgid(), setuid(), S_ISREG(),

faccessat() pipe(), fork(),

faccessat() pipe2(), fork(),

_exit(), dup2(), fexecve(), read()

#include <fcntl.h> /* fcntl(), F_GETFD, F_SETFD,

FD_CLOEXEC, openat() */

FD_CLOEXEC, openat(), scandirat(),

pipe2() */

#include <string.h> /* strsep, strlen(), strsignal(),

strcmp(), strncmp() */

#include <errno.h> /* errno */

EX_CONFIG, EX_UNAVAILABLE, EX_OK */

#include <errno.h> /* errno */

#include <error.h> /* error() */

#include <fnmatch.h> /* fnmatch() */

#define BUFFER_SIZE 256

#define PDIR "/lib/mandos/plugins.d"

#define PHDIR "/lib/mandos/plugin-helpers"

#define AFILE "/conf/conf.d/mandos/plugin-runner.conf"

const char *argp_program_version = "plugin-runner " VERSION;

240

241

return add_to_char_array(def, &(p->environ), &(p->envc));

241

242

}

242

243

244

#ifndef O_CLOEXEC

243

245

244

246

* Based on the example in the GNU LibC manual chapter 13.13 "File

245

247

* Descriptor Flags".

256

258

return (int)TEMP_FAILURE_RETRY(fcntl(fd, F_SETFD,

257

259

ret | FD_CLOEXEC));

258

260

}

261

#endif /* not O_CLOEXEC */

259

262

260

263

261

264

/* Mark processes as completed when they exit, and save their exit

345

348

346

349

int main(int argc, char *argv[]){

347

350

char *plugindir = NULL;

351

char *pluginhelperdir = NULL;

348

352

char *argfile = NULL;

349

353

FILE *conffp;

350

size_t d_name_len;

351

DIR *dir = NULL;

352

struct dirent *dirst;

354

struct dirent **direntries = NULL;

353

355

struct stat st;

354

356

fd_set rfds_all;

355

357

int ret, maxfd = 0;

363

365

.sa_flags = SA_NOCLDSTOP };

364

366

char **custom_argv = NULL;

365

367

int custom_argc = 0;

366

int dir_fd;

368

int dir_fd = -1;

367

369

368

370

/* Establish a signal handler */

369

371

sigemptyset(&sigchld_action.sa_mask);

414

416

.doc = "Group ID the plugins will run as", .group = 3 },

415

417

{ .name = "debug", .key = 132,

416

418

.doc = "Debug mode", .group = 4 },

419

{ .name = "plugin-helper-dir", .key = 133,

420

.arg = "DIRECTORY",

421

.doc = "Specify a different plugin helper directory",

422

.group = 2 },

417

423

418

424

* These reproduce what we would get without ARGP_NO_HELP

419

425

545

551

case 132: /* --debug */

546

552

debug = true;

547

553

break;

554

case 133: /* --plugin-helper-dir */

555

free(pluginhelperdir);

556

pluginhelperdir = strdup(arg);

557

if(pluginhelperdir != NULL){

558

errno = 0;

559

}

560

break;

548

561

549

562

* These reproduce what we would get without ARGP_NO_HELP

550

563

601

614

case 130: /* --userid */

602

615

case 131: /* --groupid */

603

616

case 132: /* --debug */

617

case 133: /* --plugin-helper-dir */

604

618

case '?': /* --help */

605

619

case -3: /* --usage */

606

620

case 'V': /* --version */

761

775

goto fallback;

762

776

}

763

777

778

{

779

char *pluginhelperenv;

780

bool bret = true;

781

ret = asprintf(&pluginhelperenv, "MANDOSPLUGINHELPERDIR=%s",

782

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

783

if(ret != -1){

784

bret = add_environment(getplugin(NULL), pluginhelperenv, true);

785

}

786

if(ret == -1 or not bret){

787

error(0, errno, "Failed to set MANDOSPLUGINHELPERDIR"

788

" environment variable to \"%s\" for all plugins\n",

789

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

790

}

791

if(ret != -1){

792

free(pluginhelperenv);

793

}

794

}

795

764

796

if(debug){

765

797

for(plugin *p = plugin_list; p != NULL; p=p->next){

766

798

fprintf(stderr, "Plugin: %s has %d arguments\n",

795

827

}

796

828

}

797

829

}

798

TEMP_FAILURE_RETRY(close(plugindir_fd));

830

close(plugindir_fd);

799

831

}

800

832

}

801

833

829

861

ret = set_cloexec_flag(dir_fd);

830

862

if(ret < 0){

831

863

error(0, errno, "set_cloexec_flag");

832

TEMP_FAILURE_RETRY(close(dir_fd));

833

864

exitstatus = EX_OSERR;

834

865

goto fallback;

835

866

}

836

867

#endif /* O_CLOEXEC */

837

838

dir = fdopendir(dir_fd);

839

if(dir == NULL){

840

error(0, errno, "Could not open plugin dir");

841

TEMP_FAILURE_RETRY(close(dir_fd));

842

exitstatus = EX_OSERR;

843

goto fallback;

868

}

869

870

int good_name(const struct dirent * const dirent){

871

const char * const patterns[] = { ".*", "#*#", "*~", "*.dpkg-new",

872

"*.dpkg-old", "*.dpkg-bak",

873

"*.dpkg-divert", NULL };

874

#ifdef __GNUC__

875

#pragma GCC diagnostic push

876

#pragma GCC diagnostic ignored "-Wcast-qual"

877

#endif

878

for(const char **pat = (const char **)patterns;

879

*pat != NULL; pat++){

880

#ifdef __GNUC__

881

#pragma GCC diagnostic pop

882

#endif

883

if(fnmatch(*pat, dirent->d_name, FNM_FILE_NAME | FNM_PERIOD)

884

!= FNM_NOMATCH){

885

if(debug){

886

fprintf(stderr, "Ignoring plugin dir entry \"%s\""

887

" matching pattern %s\n", dirent->d_name, *pat);

888

}

889

return 0;

890

}

844

891

}

892

return 1;

893

}

894

895

#ifdef __GLIBC__

896

#if __GLIBC_PREREQ(2, 15)

897

int numplugins = scandirat(dir_fd, ".", &direntries, good_name,

898

alphasort);

899

#else /* not __GLIBC_PREREQ(2, 15) */

900

int numplugins = scandir(plugindir != NULL ? plugindir : PDIR,

901

&direntries, good_name, alphasort);

902

#endif /* not __GLIBC_PREREQ(2, 15) */

903

#else /* not __GLIBC__ */

904

int numplugins = scandir(plugindir != NULL ? plugindir : PDIR,

905

&direntries, good_name, alphasort);

906

#endif /* not __GLIBC__ */

907

if(numplugins == -1){

908

error(0, errno, "Could not scan plugin dir");

909

direntries = NULL;

910

exitstatus = EX_OSERR;

911

goto fallback;

845

912

}

846

913

847

914

FD_ZERO(&rfds_all);

848

915

849

916

/* Read and execute any executable in the plugin directory*/

850

while(true){

851

do {

852

dirst = readdir(dir);

853

} while(dirst == NULL and errno == EINTR);

854

855

/* All directory entries have been processed */

856

if(dirst == NULL){

857

if(errno == EBADF){

858

error(0, errno, "readdir");

859

exitstatus = EX_IOERR;

860

goto fallback;

861

}

862

break;

863

}

864

865

d_name_len = strlen(dirst->d_name);

866

867

/* Ignore dotfiles, backup files and other junk */

868

{

869

bool bad_name = false;

870

871

const char * const bad_prefixes[] = { ".", "#", NULL };

872

873

const char * const bad_suffixes[] = { "~", "#", ".dpkg-new",

874

".dpkg-old",

875

".dpkg-bak",

876

".dpkg-divert", NULL };

877

#ifdef __GNUC__

878

#pragma GCC diagnostic push

879

#pragma GCC diagnostic ignored "-Wcast-qual"

880

#endif

881

for(const char **pre = (const char **)bad_prefixes;

882

*pre != NULL; pre++){

883

#ifdef __GNUC__

884

#pragma GCC diagnostic pop

885

#endif

886

size_t pre_len = strlen(*pre);

887

if((d_name_len >= pre_len)

888

and strncmp((dirst->d_name), *pre, pre_len) == 0){

889

if(debug){

890

fprintf(stderr, "Ignoring plugin dir entry \"%s\""

891

" with bad prefix %s\n", dirst->d_name, *pre);

892

}

893

bad_name = true;

894

break;

895

}

896

}

897

if(bad_name){

898

continue;

899

}

900

#ifdef __GNUC__

901

#pragma GCC diagnostic push

902

#pragma GCC diagnostic ignored "-Wcast-qual"

903

#endif

904

for(const char **suf = (const char **)bad_suffixes;

905

*suf != NULL; suf++){

906

#ifdef __GNUC__

907

#pragma GCC diagnostic pop

908

#endif

909

size_t suf_len = strlen(*suf);

910

if((d_name_len >= suf_len)

911

and (strcmp((dirst->d_name) + d_name_len-suf_len, *suf)

912

== 0)){

913

if(debug){

914

fprintf(stderr, "Ignoring plugin dir entry \"%s\""

915

" with bad suffix %s\n", dirst->d_name, *suf);

916

}

917

bad_name = true;

918

break;

919

}

920

}

921

922

if(bad_name){

923

continue;

924

}

925

}

926

927

int plugin_fd = openat(dir_fd, dirst->d_name, O_RDONLY |

928

#ifdef O_CLOEXEC

929

O_CLOEXEC

930

#else /* not O_CLOEXEC */

931

932

#endif /* not O_CLOEXEC */

933

);

917

for(int i = 0; i < numplugins; i++){

918

919

int plugin_fd = openat(dir_fd, direntries[i]->d_name, O_RDONLY);

934

920

if(plugin_fd == -1){

935

921

error(0, errno, "Could not open plugin");

936

continue;

937

}

938

#ifndef O_CLOEXEC

939

/* Set the FD_CLOEXEC flag on the plugin FD */

940

ret = set_cloexec_flag(plugin_fd);

941

if(ret < 0){

942

error(0, errno, "set_cloexec_flag");

943

TEMP_FAILURE_RETRY(close(plugin_fd));

944

continue;

945

}

946

#endif /* O_CLOEXEC */

922

free(direntries[i]);

923

continue;

924

}

947

925

ret = (int)TEMP_FAILURE_RETRY(fstat(plugin_fd, &st));

948

926

if(ret == -1){

949

927

error(0, errno, "stat");

950

TEMP_FAILURE_RETRY(close(plugin_fd));

928

close(plugin_fd);

929

free(direntries[i]);

951

930

continue;

952

931

}

953

932

954

933

/* Ignore non-executable files */

955

934

if(not S_ISREG(st.st_mode)

956

or (TEMP_FAILURE_RETRY(faccessat(dir_fd, dirst->d_name, X_OK,

957

0)) != 0)){

935

or (TEMP_FAILURE_RETRY(faccessat(dir_fd, direntries[i]->d_name,

936

X_OK, 0)) != 0)){

958

937

if(debug){

959

938

fprintf(stderr, "Ignoring plugin dir entry \"%s/%s\""

960

939

" with bad type or mode\n",

961

plugindir != NULL ? plugindir : PDIR, dirst->d_name);

940

plugindir != NULL ? plugindir : PDIR,

941

direntries[i]->d_name);

962

942

}

963

TEMP_FAILURE_RETRY(close(plugin_fd));

943

close(plugin_fd);

944

free(direntries[i]);

964

945

continue;

965

946

}

966

947

967

plugin *p = getplugin(dirst->d_name);

948

plugin *p = getplugin(direntries[i]->d_name);

968

949

if(p == NULL){

969

950

error(0, errno, "getplugin");

970

TEMP_FAILURE_RETRY(close(plugin_fd));

951

close(plugin_fd);

952

free(direntries[i]);

971

953

continue;

972

954

}

973

955

if(p->disabled){

974

956

if(debug){

975

957

fprintf(stderr, "Ignoring disabled plugin \"%s\"\n",

976

dirst->d_name);

958

direntries[i]->d_name);

977

959

}

978

TEMP_FAILURE_RETRY(close(plugin_fd));

960

close(plugin_fd);

961

free(direntries[i]);

979

962

continue;

980

963

}

981

964

{

1006

989

}

1007

990

1008

991

int pipefd[2];

992

#ifndef O_CLOEXEC

1009

993

ret = (int)TEMP_FAILURE_RETRY(pipe(pipefd));

994

#else /* O_CLOEXEC */

995

ret = (int)TEMP_FAILURE_RETRY(pipe2(pipefd, O_CLOEXEC));

996

#endif /* O_CLOEXEC */

1010

997

if(ret == -1){

1011

998

error(0, errno, "pipe");

1012

999

exitstatus = EX_OSERR;

1013

goto fallback;

1014

}

1000

free(direntries[i]);

1001

goto fallback;

1002

}

1003

if(pipefd[0] >= FD_SETSIZE){

1004

fprintf(stderr, "pipe()[0] (%d) >= FD_SETSIZE (%d)", pipefd[0],

1005

FD_SETSIZE);

1006

close(pipefd[0]);

1007

close(pipefd[1]);

1008

exitstatus = EX_OSERR;

1009

free(direntries[i]);

1010

goto fallback;

1011

}

1012

#ifndef O_CLOEXEC

1015

1013

/* Ask OS to automatic close the pipe on exec */

1016

1014

ret = set_cloexec_flag(pipefd[0]);

1017

1015

if(ret < 0){

1018

1016

error(0, errno, "set_cloexec_flag");

1017

close(pipefd[0]);

1018

close(pipefd[1]);

1019

exitstatus = EX_OSERR;

1020

free(direntries[i]);

1020

1021

goto fallback;

1021

1022

}

1022

1023

ret = set_cloexec_flag(pipefd[1]);

1023

1024

if(ret < 0){

1024

1025

error(0, errno, "set_cloexec_flag");

1026

close(pipefd[0]);

1027

close(pipefd[1]);

1025

1028

exitstatus = EX_OSERR;

1029

free(direntries[i]);

1026

1030

goto fallback;

1027

1031

}

1032

#endif /* not O_CLOEXEC */

1028

1033

/* Block SIGCHLD until process is safely in process list */

1029

1034

ret = (int)TEMP_FAILURE_RETRY(sigprocmask(SIG_BLOCK,

1030

1035

&sigchld_action.sa_mask,

1032

1037

if(ret < 0){

1033

1038

error(0, errno, "sigprocmask");

1034

1039

exitstatus = EX_OSERR;

1040

free(direntries[i]);

1035

1041

goto fallback;

1036

1042

}

1037

1043

/* Starting a new process to be watched */

1041

1047

} while(pid == -1 and errno == EINTR);

1042

1048

if(pid == -1){

1043

1049

error(0, errno, "fork");

1050

TEMP_FAILURE_RETRY(sigprocmask(SIG_UNBLOCK,

1051

&sigchld_action.sa_mask, NULL));

1052

close(pipefd[0]);

1053

close(pipefd[1]);

1044

1054

exitstatus = EX_OSERR;

1055

free(direntries[i]);

1045

1056

goto fallback;

1046

1057

}

1047

1058

if(pid == 0){

1063

1074

_exit(EX_OSERR);

1064

1075

}

1065

1076

1066

if(dirfd(dir) < 0){

1067

/* If dir has no file descriptor, we could not set FD_CLOEXEC

1068

above and must now close it manually here. */

1069

closedir(dir);

1070

}

1071

1077

if(fexecve(plugin_fd, p->argv,

1072

1078

(p->environ[0] != NULL) ? p->environ : environ) < 0){

1073

1079

error(0, errno, "fexecve for %s/%s",

1074

plugindir != NULL ? plugindir : PDIR, dirst->d_name);

1080

plugindir != NULL ? plugindir : PDIR,

1081

direntries[i]->d_name);

1075

1082

_exit(EX_OSERR);

1076

1083

}

1077

1084

/* no return */

1078

1085

}

1079

1086

/* Parent process */

1080

TEMP_FAILURE_RETRY(close(pipefd[1])); /* Close unused write end of

1081

pipe */

1082

TEMP_FAILURE_RETRY(close(plugin_fd));

1083

plugin *new_plugin = getplugin(dirst->d_name);

1087

close(pipefd[1]); /* Close unused write end of pipe */

1088

close(plugin_fd);

1089

plugin *new_plugin = getplugin(direntries[i]->d_name);

1084

1090

if(new_plugin == NULL){

1085

1091

error(0, errno, "getplugin");

1086

1092

ret = (int)(TEMP_FAILURE_RETRY

1090

1096

error(0, errno, "sigprocmask");

1091

1097

}

1092

1098

exitstatus = EX_OSERR;

1099

free(direntries[i]);

1093

1100

goto fallback;

1094

1101

}

1102

free(direntries[i]);

1095

1103

1096

1104

new_plugin->pid = pid;

1097

1105

new_plugin->fd = pipefd[0];

1127

1135

}

1128

1136

}

1129

1137

1130

TEMP_FAILURE_RETRY(closedir(dir));

1131

dir = NULL;

1138

free(direntries);

1139

direntries = NULL;

1140

close(dir_fd);

1141

dir_fd = -1;

1132

1142

free_plugin(getplugin(NULL));

1133

1143

1134

1144

for(plugin *p = plugin_list; p != NULL; p = p->next){

1328

1338

free(custom_argv);

1329

1339

}

1330

1340

1331

if(dir != NULL){

1332

closedir(dir);

1341

free(direntries);

1342

1343

if(dir_fd != -1){

1344

close(dir_fd);

1333

1345

}

1334

1346

1335

1347

/* Kill the processes */

1355

1367

free_plugin_list();

1356

1368

1357

1369

free(plugindir);

1370

free(pluginhelperdir);

1358

1371

free(argfile);

1359

1372

1360

1373

return exitstatus;

Older »