/mandos/trunk : revision 868

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.c

Committer: Teddy Hogeborn
Date: 2016-07-03 03:32:28 UTC
Revision ID: teddy@recompile.se-20160703033228-cafpnnfs53kdg52g

Change all http:// URLs to https:// wherever possible.

* INSTALL (Prerequisites/Libraries/Mandos Server): Change "http://" to
"https://" wherever possible.
* Makefile (FORTIFY): - '' -
* mandos.xml (SEE ALSO): - '' -
* plugin-runner.c (main): - '' -
* plugins.d/mandos-client.c (start_mandos_communication): - '' -
* plugins.d/mandos-client.xml (SEE ALSO): - '' -

files added:
bugs.xml

tmpfiles.d-mandos.conf

files modified:
INSTALL

Makefile

NEWS

README

TODO

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos.dirs

debian/mandos.postinst

debian/rules

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

Show diffs side-by-side

added added

removed removed

plugins.d/mandos-client.c

817

818

/* Set effective uid to 0, return errno */

819

__attribute__((warn_unused_result))

820

error_t raise_privileges(void){

821

error_t old_errno = errno;

822

error_t ret_errno = 0;

820

int raise_privileges(void){

821

int old_errno = errno;

822

int ret = 0;

823

if(seteuid(0) == -1){

824

ret_errno = errno;

824

ret = errno;

825

}

826

errno = old_errno;

827

return ret_errno;

827

return ret;

828

}

829

830

/* Set effective and real user ID to 0. Return errno. */

831

__attribute__((warn_unused_result))

832

error_t raise_privileges_permanently(void){

833

error_t old_errno = errno;

834

error_t ret_errno = raise_privileges();

835

if(ret_errno != 0){

832

int raise_privileges_permanently(void){

833

int old_errno = errno;

834

int ret = raise_privileges();

835

if(ret != 0){

836

errno = old_errno;

837

return ret_errno;

837

return ret;

838

}

839

if(setuid(0) == -1){

840

ret_errno = errno;

840

ret = errno;

841

}

842

errno = old_errno;

843

return ret_errno;

843

return ret;

844

}

845

846

/* Set effective user ID to unprivileged saved user ID */

847

__attribute__((warn_unused_result))

848

error_t lower_privileges(void){

849

error_t old_errno = errno;

850

error_t ret_errno = 0;

848

int lower_privileges(void){

849

int old_errno = errno;

850

int ret = 0;

851

if(seteuid(uid) == -1){

852

ret_errno = errno;

852

ret = errno;

853

}

854

errno = old_errno;

855

return ret_errno;

855

return ret;

856

}

857

858

/* Lower privileges permanently */

859

__attribute__((warn_unused_result))

860

error_t lower_privileges_permanently(void){

861

error_t old_errno = errno;

862

error_t ret_errno = 0;

860

int lower_privileges_permanently(void){

861

int old_errno = errno;

862

int ret = 0;

863

if(setuid(uid) == -1){

864

ret_errno = errno;

864

ret = errno;

865

}

866

errno = old_errno;

867

return ret_errno;

867

return ret;

868

}

869

870

/* Helper function to add_local_route() and delete_local_route() */

1237

with an explicit route added with the server's address.

1238

1239

Avahi bug reference:

1240

http://lists.freedesktop.org/archives/avahi/2010-February/001833.html

1240

https://lists.freedesktop.org/archives/avahi/2010-February/001833.html

1241

https://bugs.debian.org/587961

1242

1243

if(debug){

1423

&decrypted_buffer, mc);

1424

if(decrypted_buffer_size >= 0){

1425

1426

clearerr(stdout);

1426

1427

written = 0;

1427

1428

while(written < (size_t) decrypted_buffer_size){

1428

1429

if(quit_now){

1444

1445

}

1445

1446

written += (size_t)ret;

1446

1447

}

1448

ret = fflush(stdout);

1449

if(ret != 0){

1450

int e = errno;

1451

if(debug){

1452

fprintf_plus(stderr, "Error writing encrypted data: %s\n",

1453

strerror(errno));

1454

}

1455

errno = e;

1456

goto mandos_end;

1457

}

1447

1458

retval = 0;

1448

1459

}

1449

1460

}

1623

1634

__attribute__((nonnull, warn_unused_result))

1624

1635

bool get_flags(const char *ifname, struct ifreq *ifr){

1625

1636

int ret;

1626

error_t ret_errno;

1637

int old_errno;

1627

1638

1628

1639

int s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP);

1629

1640

if(s < 0){

1630

ret_errno = errno;

1641

old_errno = errno;

1631

1642

perror_plus("socket");

1632

errno = ret_errno;

1643

errno = old_errno;

1633

1644

return false;

1634

1645

}

1635

1646

strncpy(ifr->ifr_name, ifname, IF_NAMESIZE);

1637

1648

ret = ioctl(s, SIOCGIFFLAGS, ifr);

1638

1649

if(ret == -1){

1639

1650

if(debug){

1640

ret_errno = errno;

1651

old_errno = errno;

1641

1652

perror_plus("ioctl SIOCGIFFLAGS");

1642

errno = ret_errno;

1653

errno = old_errno;

1643

1654

}

1644

1655

return false;

1645

1656

}

2071

2082

}

2072

2083

2073

2084

__attribute__((nonnull, warn_unused_result))

2074

error_t bring_up_interface(const char *const interface,

2075

const float delay){

2076

error_t old_errno = errno;

2085

int bring_up_interface(const char *const interface,

2086

const float delay){

2087

int old_errno = errno;

2077

2088

int ret;

2078

2089

struct ifreq network;

2079

2090

unsigned int if_index = if_nametoindex(interface);

2089

2100

}

2090

2101

2091

2102

if(not interface_is_up(interface)){

2092

error_t ret_errno = 0, ioctl_errno = 0;

2103

int ret_errno = 0;

2104

int ioctl_errno = 0;

2093

2105

if(not get_flags(interface, &network)){

2094

2106

ret_errno = errno;

2095

2107

fprintf_plus(stderr, "Failed to get flags for interface "

2198

2210

}

2199

2211

2200

2212

__attribute__((nonnull, warn_unused_result))

2201

error_t take_down_interface(const char *const interface){

2202

error_t old_errno = errno;

2213

int take_down_interface(const char *const interface){

2214

int old_errno = errno;

2203

2215

struct ifreq network;

2204

2216

unsigned int if_index = if_nametoindex(interface);

2205

2217

if(if_index == 0){

2208

2220

return ENXIO;

2209

2221

}

2210

2222

if(interface_is_up(interface)){

2211

error_t ret_errno = 0, ioctl_errno = 0;

2223

int ret_errno = 0;

2224

int ioctl_errno = 0;

2212

2225

if(not get_flags(interface, &network) and debug){

2213

2226

ret_errno = errno;

2214

2227

fprintf_plus(stderr, "Failed to get flags for interface "

2464

2477

.args_doc = "",

2465

2478

.doc = "Mandos client -- Get and decrypt"

2466

2479

" passwords from a Mandos server" };

2467

ret = argp_parse(&argp, argc, argv,

2468

ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);

2469

switch(ret){

2480

ret_errno = argp_parse(&argp, argc, argv,

2481

ARGP_IN_ORDER | ARGP_NO_HELP, 0, NULL);

2482

switch(ret_errno){

2470

2483

case 0:

2471

2484

break;

2472

2485

case ENOMEM:

2473

2486

default:

2474

errno = ret;

2487

errno = ret_errno;

2475

2488

perror_plus("argp_parse");

2476

2489

exitcode = EX_OSERR;

2477

2490

goto end;

2483

2496

2484

2497

{

2485

2498

/* Work around Debian bug #633582:

2486

<http://bugs.debian.org/633582> */

2499

<https://bugs.debian.org/633582> */

2487

2500

2488

2501

/* Re-raise privileges */

2489

ret_errno = raise_privileges();

2490

if(ret_errno != 0){

2491

errno = ret_errno;

2502

ret = raise_privileges();

2503

if(ret != 0){

2504

errno = ret;

2492

2505

perror_plus("Failed to raise privileges");

2493

2506

} else {

2494

2507

struct stat st;

2558

2571

}

2559

2572

2560

2573

/* Lower privileges */

2561

ret_errno = lower_privileges();

2562

if(ret_errno != 0){

2563

errno = ret_errno;

2574

ret = lower_privileges();

2575

if(ret != 0){

2576

errno = ret;

2564

2577

perror_plus("Failed to lower privileges");

2565

2578

}

2566

2579

}

2894

2907

2895

2908

/* Allocate a new server */

2896

2909

mc.server = avahi_server_new(avahi_simple_poll_get(simple_poll),

2897

&config, NULL, NULL, &ret_errno);

2910

&config, NULL, NULL, &ret);

2898

2911

2899

2912

/* Free the Avahi configuration data */

2900

2913

avahi_server_config_free(&config);

2903

2916

/* Check if creating the Avahi server object succeeded */

2904

2917

if(mc.server == NULL){

2905

2918

fprintf_plus(stderr, "Failed to create Avahi server: %s\n",

2906

avahi_strerror(ret_errno));

2919

avahi_strerror(ret));

2907

2920

exitcode = EX_UNAVAILABLE;

2908

2921

goto end;

2909

2922

}

2989

3002

2990

3003

/* Re-raise privileges */

2991

3004

{

2992

ret_errno = raise_privileges();

2993

if(ret_errno != 0){

2994

errno = ret_errno;

3005

ret = raise_privileges();

3006

if(ret != 0){

3007

errno = ret;

2995

3008

perror_plus("Failed to raise privileges");

2996

3009

} else {

2997

3010

3005

3018

while((interface=argz_next(interfaces_to_take_down,

3006

3019

interfaces_to_take_down_size,

3007

3020

interface))){

3008

ret_errno = take_down_interface(interface);

3009

if(ret_errno != 0){

3010

errno = ret_errno;

3021

ret = take_down_interface(interface);

3022

if(ret != 0){

3023

errno = ret;

3011

3024

perror_plus("Failed to take down interface");

3012

3025

}

3013

3026

}

3018

3031

}

3019

3032

}

3020

3033

3021

ret_errno = lower_privileges_permanently();

3022

if(ret_errno != 0){

3023

errno = ret_errno;

3034

ret = lower_privileges_permanently();

3035

if(ret != 0){

3036

errno = ret;

3024

3037

perror_plus("Failed to lower privileges permanently");

3025

3038

}

3026

3039

}

Older »