
Viewing changes to plugins.d/mandos-client.c

  • Committer: Teddy Hogeborn
  • Date: 2016-03-19 04:21:00 UTC
  • Revision ID: teddy@recompile.se-20160319042100-i581cfv65r934dnl
Client: Make plugin helper override directory mode u=rwx,go=

Even though it currently is not used, a local administrator might use
setuid (or setcap) executables as plugin helpers.  Thus, the plugin
helper override directory (/etc/mandos/plugin-helpers) must be
secured, just as the plugin override directory (/etc/mandos/plugins.d)
is.

* Makefile (install-client-nokey): Install plugin-helper directory as
                                   mode u=rwx.
* debian/mandos-client.lintian-overrides: Do not warn about
                               permissions on plugin helper directory.
* debian/mandos-client.postinst (configure): Fix permissions on plugin
  helper local override directory (/etc/mandos/plugin-helpers), but
  only if not listed by "dpkg-statoverride".

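--- a/plugins.d/mandos-client.c
+++ b/plugins.d/mandos-client.c
@@ -47,8 +47,7 @@
                                    strtof(), abort() */
 #include <stdbool.h>            /* bool, false, true */
 #include <string.h>             /* strcmp(), strlen(), strerror(),
-                                   asprintf(), strncpy(), strsignal()
-                                */
+                                   asprintf(), strncpy() */
 #include <sys/ioctl.h>          /* ioctl */
 #include <sys/types.h>          /* socket(), inet_pton(), sockaddr,
                                    sockaddr_in6, PF_INET6,
@@ -626,7 +625,6 @@
                      safer_gnutls_strerror(ret));
         dhparamsfilename = NULL;
       }
-      free(params.data);
     } while(false);
   }
   if(dhparamsfilename == NULL){
@@ -1239,7 +1237,7 @@
            with an explicit route added with the server's address.
            
            Avahi bug reference:
-           https://lists.freedesktop.org/archives/avahi/2010-February/001833.html
+           http://lists.freedesktop.org/archives/avahi/2010-February/001833.html
            https://bugs.debian.org/587961
         */
         if(debug){
@@ -1425,7 +1423,6 @@
                                                &decrypted_buffer, mc);
     if(decrypted_buffer_size >= 0){
       
-      clearerr(stdout);
       written = 0;
       while(written < (size_t) decrypted_buffer_size){
         if(quit_now){
@@ -1447,16 +1444,6 @@
         }
         written += (size_t)ret;
       }
-      ret = fflush(stdout);
-      if(ret != 0){
-        int e = errno;
-        if(debug){
-          fprintf_plus(stderr, "Error writing encrypted data: %s\n",
-                       strerror(errno));
-        }
-        errno = e;
-        goto mandos_end;
-      }
       retval = 0;
     }
   }
@@ -2498,7 +2485,7 @@
   
   {
     /* Work around Debian bug #633582:
-       <https://bugs.debian.org/633582> */
+       <http://bugs.debian.org/633582> */
     
     /* Re-raise privileges */
     ret = raise_privileges();
@@ -2959,13 +2946,7 @@
  end:
   
   if(debug){
-    if(signal_received){
-      fprintf_plus(stderr, "%s exiting due to signal %d: %s\n",
-                   argv[0], signal_received,
-                   strsignal(signal_received));
-    } else {
-      fprintf_plus(stderr, "%s exiting\n", argv[0]);
-    }
+    fprintf_plus(stderr, "%s exiting\n", argv[0]);
   }
   
   /* Cleanup things */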
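Review bot: On the new side of the hunk around `retval = 0;`, success is set right after the `while(written < (size_t) decrypted_buffer_size)` loop without flushing stdout, so a write error that only surfaces when the stdio buffer is flushed (closed pipe, full disk) goes unreported and the decrypted data may be treated as delivered when it was not. Keeping the check, e.g. `if(fflush(stdout) != 0){ goto mandos_end; }` just before `retval = 0;`, together with `clearerr(stdout);` ahead of the loop, preserves that error path. The same section also drops `free(params.data);` after the DH parameter load, which looks like it leaves that buffer allocated once the `do { … } while(false)` block is left. The enclosing functions start and end outside these hunks, and the commit description lists only Makefile and Debian packaging changes, so these lines may come from a comparison against another revision; confirm the direction of the diff before acting on it.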