From 0f1cc128cfa1c6d693639e5a4a70097eec11df1b Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Thu, 5 Jun 2014 10:59:44 -0500
Subject: add version command

---
 changes/feature-bitmask-root-versioning | 1 +
 pkg/linux/bitmask-root | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 changes/feature-bitmask-root-versioning

diff --git a/changes/feature-bitmask-root-versioning b/changes/feature-bitmask-root-versioning
new file mode 100644
index 00000000..bfe69041
--- /dev/null
+++ b/changes/feature-bitmask-root-versioning
@@ -0,0 +1 @@
+- Add versioning support to bitmask-root.
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index d1bf656e..2c423da1 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -51,6 +51,7 @@ cmdcheck = subprocess.check_output
 ## CONSTANTS ##
+VERSION = "1"
 SCRIPT = "bitmask-root"
 NAMESERVER = "10.42.0.1"
 BITMASK_CHAIN = "bitmask"
@@ -819,7 +820,12 @@ def firewall_stop():
 def main():
- if len(sys.argv) >= 3:
+ """
+ Entry point for cmdline execution.
+ """
+ # TODO use argparse instead.
+
+ if len(sys.argv) >= 2:
 command = "_".join(sys.argv[1:3])
 args = sys.argv[3:]
@@ -828,6 +834,10 @@ def main():
 is_restart = True
 args.remove('restart')
+ if command == "version":
+ print(VERSION)
+ exit(0)
+
 if command == "openvpn_start":
 openvpn_start(args)
-- cgit v1.2.3
From 15758f43dd53f3b330b9786b531d7d3924f4b106 Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Thu, 5 Jun 2014 11:08:46 -0500
Subject: check for uid == 0

---
 pkg/linux/bitmask-root | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 2c423da1..c6685877 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -838,6 +838,9 @@ def main():
 print(VERSION)
 exit(0)
+ if os.getuid() != 0:
+ bail("ERROR: must be run as root")
+
 if command == "openvpn_start":
 openvpn_start(args)
-- cgit v1.2.3
From 460429b6016046fd91e521b371da1b9eb75735a5 Mon Sep 17 00:00:00 2001
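Review bot: `VERSION = "1"` is introduced in the constants hunk without saying what it denotes, and it uses a different numbering scheme from the `:Version: 0.5.2` the man pages in this series carry, so a reader cannot tell whether it tracks the client release or the helper on its own. A one-line comment above it would settle that, for example `# Reported by "bitmask-root version"; independent of the client version, bump whenever this helper's behaviour changes.` The exact wording depends on which of the two meanings is intended, which the hunk does not show.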
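Review bot: `exit(0)` in the new `version` branch is the interactive helper installed by the `site` module rather than a guaranteed builtin, and since the script already reads `sys.argv` the call should be `sys.exit(0)` so it also works under `python -S` or when the interpreter is embedded. The dispatch key is built as `"_".join(sys.argv[1:3])`, so an invocation such as `bitmask-root version extra` produces `version_extra`, skips this branch and falls through to whatever handling follows the hunk; comparing `sys.argv[1] == "version"` before the join, or stating in the docstring that `version` takes no further arguments, would pin down the new command's contract. The body of main() continues outside the hunk, including whatever path is taken when fewer than two arguments are supplied.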
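Review bot: The new guard compares `os.getuid()`, the real uid, while the iptables and openvpn calls it protects need the effective uid to be 0; `if os.geteuid() != 0:` expresses the actual requirement and still passes under sudo or pkexec, where both ids are 0. Placing the check after the `version` branch is sound because printing a constant needs no privilege, and the hunk shows it ahead of the first `openvpn_start` dispatch; any command handled before this point outside the hunk would remain unguarded, so that is worth confirming. The check relies on `bail()` terminating the process rather than returning, and on `os` already being imported at the top of the script; both are defined outside the hunk. The enclosing main() continues beyond the hunk.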
From: Kali Kaneko
Date: Thu, 5 Jun 2014 11:00:05 -0500
Subject: pep8 cleanup

---
 pkg/linux/bitmask-root | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)

diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index c6685877..1929b51b 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -765,11 +765,13 @@ def firewall_start(args):
 "--jump", "ACCEPT")
 # allow multicast Simple Service Discovery Protocol
 ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "239.255.255.250", "--dport", "1900",
 "-o", default_device, "--jump", "RETURN")
 # allow multicast Bonjour/mDNS
 ip4tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "224.0.0.251", "--dport", "5353",
 "-o", default_device, "--jump", "RETURN")
 if local_network_ipv6:
 ip6tables("--append", BITMASK_CHAIN,
@@ -777,11 +779,13 @@ def firewall_start(args):
 "--jump", "ACCEPT")
 # allow multicast Simple Service Discovery Protocol
 ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900",
+ "--protocol", "udp",
+ "--destination", "FF05::C", "--dport", "1900",
 "-o", default_device, "--jump", "RETURN")
 # allow multicast Bonjour/mDNS
 ip6tables("--append", BITMASK_CHAIN,
- "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353",
+ "--protocol", "udp",
+ "--destination", "FF02::FB", "--dport", "5353",
 "-o", default_device, "--jump", "RETURN")
 # allow ipv4 traffic to gateways
@@ -792,15 +796,19 @@ def firewall_start(args):
 # log rejected packets to syslog
 if DEBUG:
 iptables("--append", BITMASK_CHAIN, "-o", default_device,
- "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7")
+ "--jump", "LOG", "--log-prefix", "iptables denied: ",
+ "--log-level", "7")
- # for now, ensure all other ipv6 packets get rejected (regardless of device)
+ # for now, ensure all other ipv6 packets get rejected (regardless of
+ # device)
 # (not sure why, but "-p any" doesn't work)
 ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")
 ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")
 # reject all other ipv4 sent over the default device
- ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
+ ip4tables("--append", BITMASK_CHAIN, "-o",
+ default_device, "--jump", "REJECT")
+
 def firewall_stop():
 """
@@ -853,8 +861,8 @@ def main():
 nameserver_setter.start(NAMESERVER)
 except Exception as ex:
 if not is_restart:
- nameserver_restorer.start()
- firewall_stop()
+ nameserver_restorer.start()
+ firewall_stop()
 bail("ERROR: could not start firewall", ex)
 elif command == "firewall_stop":
-- cgit v1.2.3
From d550c15da5eed6c51735fcc0ef50bf004dd9e0e6 Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Thu, 5 Jun 2014 11:00:22 -0500
Subject: add bitmask-root notes to checklist

---
 docs/release_checklist.wiki | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/release_checklist.wiki b/docs/release_checklist.wiki
index fc99fdf0..075591a7 100644
--- a/docs/release_checklist.wiki
+++ b/docs/release_checklist.wiki
@@ -1,5 +1,6 @@
 = Bitmask Release Checklist (*) =
 * [ ] Check that all tests are passing!
+ * [ ] Check that the version in bitmask_client/pkg/linux/bitmask-root is bumped if needed.
 * [ ] Tag everything
 * Should be done for the following packages, in order:
 * [ ] 1. leap.common
-- cgit v1.2.3
From 556c589dd470ed2b48b5421c38156333da78c369 Mon Sep 17 00:00:00 2001
From: Kali Kaneko
Date: Thu, 5 Jun 2014 11:18:43 -0500
Subject: update manpages

---
 docs/man/bitmask-root.1.rst | 17 ++++++++++++-----
 docs/man/bitmask.1.rst | 4 ++--
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst
index 7ed53aa9..c18cc4d6 100644
--- a/docs/man/bitmask-root.1.rst
+++ b/docs/man/bitmask-root.1.rst
@@ -7,23 +7,24 @@ privileged helper for bitmask, the encrypted internet access toolkit.
 ------------------------------------------------------------------------
 :Author: LEAP Encryption Access Project https://leap.se
-:Date: 2014-05-19
+:Date: 2014-06-05
 :Copyright: GPLv3+
-:Version: 0.5.1
+:Version: 0.5.2
 :Manual section: 1
 :Manual group: General Commands Manual
 SYNOPSIS
 ========
-bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS]
+bitmask-root [openvpn | firewall | version] [start | stop | isup] [ARGS]
 DESCRIPTION
 ===========
 *bitmask-root* is a privileged helper for bitmask.
-It is used to start or stop openvpn and the bitmask firewall.
+It is used to start or stop openvpn and the bitmask firewall. To operate, it
+needs to be executed with root privileges.
 OPTIONS
@@ -33,7 +34,9 @@ openvpn
 --------
 **start** [ARGS] Starts openvpn. All args are passed to openvpn, and
- filtered against a list of allowed args.
+ filtered against a list of allowed args. If the next
+ argument is `restart`, the firewall will not be teared
+ down in the case of errors lauching openvpn.
 **stop** Stops openvpn.
@@ -46,6 +49,10 @@ firewall
 **stop** Stops the firewall.
+version
+--------
+
+**version** Prints the `bitmask-root` version string.
 BUGS
diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst
index 38da64af..6eae7ff5 100644
--- a/docs/man/bitmask.1.rst
+++ b/docs/man/bitmask.1.rst
@@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit.
 ------------------------------------------------------------------------
 :Author: LEAP Encryption Access Project https://leap.se
-:Date: 2014-05-19
+:Date: 2014-06-05
 :Copyright: GPLv3+
-:Version: 0.5.1
+:Version: 0.5.2
 :Manual section: 1
 :Manual group: General Commands Manual
-- cgit v1.2.3