/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2016-03-07 23:39:36 UTC
  • Revision ID: teddy@recompile.se-20160307233936-mhgpxhggamde443n
Server bug fix: Include CAP_SETGID so it does not run as root

* debian/mandos.postinst (configure): If old version was 1.7.4-1 or
  1.7.4-1~bpo8+1, fix situation where clients.pickle file is owned by
  root.
* mandos (main): Print debug info about setuid() and setgid()
* mandos.service ([Service]/CapabilityBoundingSet): Add "CAP_KILL
  CAP_SETGID"; the latter is needed for setgid() to be allowed.

Show diffs side-by-side

added added

removed removed

Lines of Context:
47
47
                                   strtof(), abort() */
48
48
#include <stdbool.h>            /* bool, false, true */
49
49
#include <string.h>             /* strcmp(), strlen(), strerror(),
50
 
                                   asprintf(), strncpy(), strsignal()
51
 
                                */
 
50
                                   asprintf(), strncpy() */
52
51
#include <sys/ioctl.h>          /* ioctl */
53
52
#include <sys/types.h>          /* socket(), inet_pton(), sockaddr,
54
53
                                   sockaddr_in6, PF_INET6,
626
625
                     safer_gnutls_strerror(ret));
627
626
        dhparamsfilename = NULL;
628
627
      }
629
 
      free(params.data);
630
628
    } while(false);
631
629
  }
632
630
  if(dhparamsfilename == NULL){
1079
1077
    bool match = false;
1080
1078
    {
1081
1079
      char *interface = NULL;
1082
 
      while((interface = argz_next(mc->interfaces,
1083
 
                                   mc->interfaces_size,
1084
 
                                   interface))){
 
1080
      while((interface=argz_next(mc->interfaces, mc->interfaces_size,
 
1081
                                 interface))){
1085
1082
        if(if_nametoindex(interface) == (unsigned int)if_index){
1086
1083
          match = true;
1087
1084
          break;
1240
1237
           with an explicit route added with the server's address.
1241
1238
           
1242
1239
           Avahi bug reference:
1243
 
           https://lists.freedesktop.org/archives/avahi/2010-February/001833.html
 
1240
           http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
1244
1241
           https://bugs.debian.org/587961
1245
1242
        */
1246
1243
        if(debug){
1426
1423
                                               &decrypted_buffer, mc);
1427
1424
    if(decrypted_buffer_size >= 0){
1428
1425
      
1429
 
      clearerr(stdout);
1430
1426
      written = 0;
1431
1427
      while(written < (size_t) decrypted_buffer_size){
1432
1428
        if(quit_now){
1448
1444
        }
1449
1445
        written += (size_t)ret;
1450
1446
      }
1451
 
      ret = fflush(stdout);
1452
 
      if(ret != 0){
1453
 
        int e = errno;
1454
 
        if(debug){
1455
 
          fprintf_plus(stderr, "Error writing encrypted data: %s\n",
1456
 
                       strerror(errno));
1457
 
        }
1458
 
        errno = e;
1459
 
        goto mandos_end;
1460
 
      }
1461
1447
      retval = 0;
1462
1448
    }
1463
1449
  }
1494
1480
  return retval;
1495
1481
}
1496
1482
 
 
1483
__attribute__((nonnull))
1497
1484
static void resolve_callback(AvahiSServiceResolver *r,
1498
1485
                             AvahiIfIndex interface,
1499
1486
                             AvahiProtocol proto,
2196
2183
  
2197
2184
  /* Sleep checking until interface is running.
2198
2185
     Check every 0.25s, up to total time of delay */
2199
 
  for(int i = 0; i < delay * 4; i++){
 
2186
  for(int i=0; i < delay * 4; i++){
2200
2187
    if(interface_is_running(interface)){
2201
2188
      break;
2202
2189
    }
2498
2485
  
2499
2486
  {
2500
2487
    /* Work around Debian bug #633582:
2501
 
       <https://bugs.debian.org/633582> */
 
2488
       <http://bugs.debian.org/633582> */
2502
2489
    
2503
2490
    /* Re-raise privileges */
2504
2491
    ret = raise_privileges();
2959
2946
 end:
2960
2947
  
2961
2948
  if(debug){
2962
 
    if(signal_received){
2963
 
      fprintf_plus(stderr, "%s exiting due to signal %d: %s\n",
2964
 
                   argv[0], signal_received,
2965
 
                   strsignal(signal_received));
2966
 
    } else {
2967
 
      fprintf_plus(stderr, "%s exiting\n", argv[0]);
2968
 
    }
 
2949
    fprintf_plus(stderr, "%s exiting\n", argv[0]);
2969
2950
  }
2970
2951
  
2971
2952
  /* Cleanup things */
3023
3004
      /* Take down the network interfaces which were brought up */
3024
3005
      {
3025
3006
        char *interface = NULL;
3026
 
        while((interface = argz_next(interfaces_to_take_down,
3027
 
                                     interfaces_to_take_down_size,
3028
 
                                     interface))){
 
3007
        while((interface=argz_next(interfaces_to_take_down,
 
3008
                                   interfaces_to_take_down_size,
 
3009
                                   interface))){
3029
3010
          ret = take_down_interface(interface);
3030
3011
          if(ret != 0){
3031
3012
            errno = ret;