=== modified file 'TODO'
--- TODO 2011-11-13 13:55:45 +0000
+++ TODO 2011-11-28 00:27:49 +0000
@@ -7,7 +7,9 @@
 * mandos-applet
 * mandos-client
-** TODO [#A] Document network hook functionality
+** TODO [#B] Flag fprintf_plus so compiler checks the format string.
+** TODO [#A] OpenVPN network hook
+** TODO [#A] Wireless network hook
 ** TODO [#B] Use capabilities instead of seteuid().
 ** TODO [#B] Use struct sockaddr_storage instead of a union
 ** TODO [#B] Use getaddrinfo(hints=AI_NUMERICHOST) instead of inet_pton()
@@ -75,6 +77,7 @@
 ** TODO Generate Client.runtime_expansions from client options + extra
 ** TODO Allow %%(checker)s as a runtime expansion
 ** TODO Use python-tlslite?
+** TODO D-Bus AddClient() method on server object
 * mandos.xml
 ** Add mandos contact info in manual pages
=== modified file 'network-hooks.d/bridge'
--- network-hooks.d/bridge 2011-11-27 14:44:28 +0000
+++ network-hooks.d/bridge 2011-11-28 00:27:49 +0000
@@ -31,9 +31,9 @@
 case "$1" in
 start)
-brctl addbr "$BRIDGE"
+/usr/sbin/brctl addbr "$BRIDGE"
 for port in $PORTS; do
-brctl addif "$BRIDGE" "$port"
+/usr/sbin/brctl addif "$BRIDGE" "$port"
 done
 ip link set up "$BRIDGE"
 if [ -n "$IPADDRS" ]; then
@@ -50,9 +50,9 @@
 stop)
 ip link set down "$BRIDGE"
 for port in $PORTS; do
-brctl delif "$BRIDGE" "$port"
+/usr/sbin/brctl delif "$BRIDGE" "$port"
 done
-brctl delbr "$BRIDGE"
+/usr/sbin/brctl delbr "$BRIDGE"
 ;;
 files)
 echo /bin/ip
=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c 2011-11-27 15:32:06 +0000
+++ plugins.d/mandos-client.c 2011-11-28 00:27:49 +0000
@@ -87,6 +87,7 @@
 EX_NOHOST, EX_IOERR, EX_PROTOCOL */
 #include /* waitpid(), WIFEXITED(), WEXITSTATUS(), WTERMSIG() */
+#include /* setgroups() */
 #ifdef __linux__
 #include /* klogctl() */
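Review bot: `ip link set up "$BRIDGE"` in this hunk (and `ip link set down "$BRIDGE"` in the hunk at -50) is still resolved through PATH while brctl is now pinned to /usr/sbin, so the hook depends on the caller's environment for one tool but not the other; since the files) case already names `/bin/ip`, writing `/bin/ip link set up "$BRIDGE"` (and the matching set down) makes both resolve the same way. The exit status of `/usr/sbin/brctl addbr "$BRIDGE"` is also not checked, so on failure the script goes on to `addif` and to bring up a bridge that was never created; unless the script runs under `set -e` (its header is outside the hunk), `/usr/sbin/brctl addbr "$BRIDGE" || exit 1` stops it at the first error. Whether files) also lists /usr/sbin/brctl now that the script depends on that exact path cannot be seen here, as that case continues past the second hunk.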
@@ -1406,6 +1407,32 @@
 pid_t hook_pid = fork();
 if(hook_pid == 0){
 /* Child */
+/* Raise privileges */
+errno = 0;
+ret = seteuid(0);
+if(ret == -1){
+perror_plus("seteuid");
+}
+/* Raise privileges even more */
+errno = 0;
+ret = setuid(0);
+if(ret == -1){
+perror_plus("setuid");
+}
+/* Set group */
+errno = 0;
+ret = setgid(0);
+if(ret == -1){
+perror_plus("setgid");
+}
+/* Reset supplementary groups */
+errno = 0;
+ret = setgroups(0, NULL);
+if(ret == -1){
+perror_plus("setgroups");
+}
+fprintf_plus(stderr, "Child: getuid() = %d\n", getuid());
+fprintf_plus(stderr, "Child: geteuid() = %d\n", geteuid());
 dup2(devnull, STDIN_FILENO);
 close(devnull);
 dup2(STDERR_FILENO, STDOUT_FILENO);
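Review bot: In the child branch a failed seteuid(0), setuid(0), setgid(0) or setgroups() is only reported and execution falls through to the hook, so when the client was not started as root the hook is run with the caller's unprivileged ids after four error lines and fails later, inside the hook, with a less obvious message; bailing out of the child on the first failure, e.g. `if(ret == -1){ perror_plus("seteuid"); _exit(EX_OSERR); }`, keeps the failure at its source — whether the parent treats a non-zero hook exit as failure is not visible here. The two `fprintf_plus(stderr, "Child: getuid() = %d\n", ...)` lines are not gated on `debug` and pass a uid_t to `%d`; the TODO entry added in this same commit about format checking would flag exactly this, so `if(debug){ fprintf_plus(stderr, "Child: getuid() = %ju\n", (uintmax_t)getuid()); }` is the form to aim for. The enclosing function starts and ends outside the hunk.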
@@ -1678,82 +1705,60 @@
 }
 }
-if(getuid() == 0){
+{
 /* Work around Debian bug #633582: */
-struct stat st;
 /* Re-raise priviliges */
 errno = 0;
 ret = seteuid(0);
 if(ret == -1){
 perror_plus("seteuid");
-}
-
-if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
-int seckey_fd = open(seckey, O_RDONLY);
-if(seckey_fd == -1){
-perror_plus("open");
-} else {
-ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
-if(ret == -1){
-perror_plus("fstat");
-} else {
-if(S_ISREG(st.st_mode)
-and st.st_uid == 0 and st.st_gid == 0){
-ret = fchown(seckey_fd, uid, gid);
-if(ret == -1){
-perror_plus("fchown");
-}
-}
-}
-TEMP_FAILURE_RETRY(close(seckey_fd));
-}
-}
-
-if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
-int pubkey_fd = open(pubkey, O_RDONLY);
-if(pubkey_fd == -1){
-perror_plus("open");
-} else {
-ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
-if(ret == -1){
-perror_plus("fstat");
-} else {
-if(S_ISREG(st.st_mode)
-and st.st_uid == 0 and st.st_gid == 0){
-ret = fchown(pubkey_fd, uid, gid);
-if(ret == -1){
-perror_plus("fchown");
-}
-}
-}
-TEMP_FAILURE_RETRY(close(pubkey_fd));
-}
-}
-
-/* Lower privileges */
-errno = 0;
-ret = seteuid(uid);
-if(ret == -1){
-perror_plus("seteuid");
-}
-}
-
-/* Run network hooks */
-{
-if(getuid() == 0){
-/* Re-raise priviliges */
-errno = 0;
-ret = seteuid(0);
-if(ret == -1){
-perror_plus("seteuid");
-}
-}
-if(not run_network_hooks("start", interface, delay)){
-goto end;
-}
-if(getuid() == 0){
+} else {
+struct stat st;
+
+if(strcmp(seckey, PATHDIR "/" SECKEY) == 0){
+int seckey_fd = open(seckey, O_RDONLY);
+if(seckey_fd == -1){
+perror_plus("open");
+} else {
+ret = (int)TEMP_FAILURE_RETRY(fstat(seckey_fd, &st));
+if(ret == -1){
+perror_plus("fstat");
+} else {
+if(S_ISREG(st.st_mode)
+and st.st_uid == 0 and st.st_gid == 0){
+ret = fchown(seckey_fd, uid, gid);
+if(ret == -1){
+perror_plus("fchown");
+}
+}
+}
+TEMP_FAILURE_RETRY(close(seckey_fd));
+}
+}
+
+if(strcmp(pubkey, PATHDIR "/" PUBKEY) == 0){
+int pubkey_fd = open(pubkey, O_RDONLY);
+if(pubkey_fd == -1){
+perror_plus("open");
+} else {
+ret = (int)TEMP_FAILURE_RETRY(fstat(pubkey_fd, &st));
+if(ret == -1){
+perror_plus("fstat");
+} else {
+if(S_ISREG(st.st_mode)
+and st.st_uid == 0 and st.st_gid == 0){
+ret = fchown(pubkey_fd, uid, gid);
+if(ret == -1){
+perror_plus("fchown");
+}
+}
+}
+TEMP_FAILURE_RETRY(close(pubkey_fd));
+}
+}
+
 /* Lower privileges */
 errno = 0;
 ret = seteuid(uid);
@@ -1763,6 +1768,11 @@
 }
 }
+/* Run network hooks */
+if(not run_network_hooks("start", interface, delay)){
+goto end;
+}
+
 if(not debug){
 avahi_set_log_function(empty_log);
 }
@@ -2217,19 +2227,17 @@
 }
 }
+/* Run network hooks */
+run_network_hooks("stop", interface, delay);
+
 /* Re-raise priviliges */
 {
-if(getuid() == 0){
-errno = 0;
-ret = seteuid(0);
-if(ret == -1){
-perror_plus("seteuid");
-}
+errno = 0;
+ret = seteuid(0);
+if(ret == -1){
+perror_plus("seteuid");
 }
-/* Run network hooks */
-run_network_hooks("stop", interface, delay);
-
 /* Take down the network interface */
 if(take_down_interface and geteuid() == 0){
 ret = ioctl(sd, SIOCGIFFLAGS, &network);
@@ -2248,13 +2256,11 @@
 }
 }
 }
-if(getuid() == 0){
-/* Lower privileges permanently */
-errno = 0;
-ret = setuid(uid);
-if(ret == -1){
-perror_plus("setuid");
-}
+/* Lower privileges permanently */
+errno = 0;
+ret = setuid(uid);
+if(ret == -1){
+perror_plus("setuid");
 }
 /* Removes the GPGME temp directory and all files inside */
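Review bot: With the `getuid() == 0` guard gone, the `seteuid(0)` at the top of this block is attempted on every run, and on a client not started as root it fails with EPERM and `perror_plus("seteuid")` prints an error even though skipping the Debian #633582 work-around is exactly the intended outcome there; the same unguarded seteuid(0) appears in the hunk at -2217. Treating EPERM as the expected non-root case, e.g. `if(ret == -1 and errno != EPERM){ perror_plus("seteuid"); }` (or gating the message on `debug`), keeps stderr clean without changing what happens. The new else branch is sound in that the fchown work-around and the closing `seteuid(uid)` only run once privileges were actually raised, but a failed `seteuid(uid)` in that branch is still only logged and the program carries on with effective uid 0 — that part predates this commit. The enclosing function starts and ends outside the hunk.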