From 12551a6bcdb0fa7915567db280073cb21de59a6c Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 7 Nov 2013 10:23:45 -0200
Subject: Use /etc/default/mumble-server for LD_PRELOAD ECDHE
---
files/ecdhforce/mumble-server.Debian | 142 +++------------------------
files/ecdhforce/mumble-server.init.d.Debian | 129 +++++++++++++++++++++++++
manifests/ecdhforce.pp | 11 +++
3 files changed, 153 insertions(+), 129 deletions(-)
mode change 100755 => 100644 files/ecdhforce/mumble-server.Debian
create mode 100755 files/ecdhforce/mumble-server.init.d.Debian
diff --git a/files/ecdhforce/mumble-server.Debian b/files/ecdhforce/mumble-server.Debian
old mode 100755
new mode 100644
index 61b6808..7c4f707
--- a/files/ecdhforce/mumble-server.Debian
+++ b/files/ecdhforce/mumble-server.Debian
@@ -1,133 +1,17 @@
-#! /bin/sh
-#
-### BEGIN INIT INFO
-# Provides: mumble-server
-# Required-Start: $network $local_fs $remote_fs dbus
-# Required-Stop: $network $local_fs $remote_fs dbus
-# Should-Start: $mysql
-# Should-Stop: $mysql
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Mumble VoIP Server
-### END INIT INFO
+# 0 = don't start, 1 = start
+MURMUR_DAEMON_START=1
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-NAME=mumble-server
-DESC="Mumble VoIP Server"
-PIDDIR=/var/run/$NAME
-PIDFILE=$PIDDIR/$NAME.pid
-DAEMON=/usr/sbin/murmurd
-USER=mumble-server
-GROUP=mumble-server
-
-test -x $DAEMON || exit 0
-
-INIFILE=/etc/mumble-server.ini
-DAEMON_OPTS="-ini $INIFILE"
-MURMUR_DAEMON_START=0
+# 0 = don't use capabilities, 1 = start process as root and drop to non-privileged user
+# If started as root, mumble will keep the CAP_NET_ADMIN privilege and drop
+# all others. This allows it to set high-priority TOS on outgoing IP packets.
 MURMUR_USE_CAPABILITIES=0
-MURMUR_LIMIT_NOFILE=0
-
-# ECDHE Perfect Forward Secrecy on the Murmur server via an LD_PRELOAD
-# https://github.com/ultramancool/ecdhforce
-STARTSTOP="LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
-# Include murmur defaults if available
-if [ -f /etc/default/$NAME ] ; then
- . /etc/default/$NAME
-fi
+# This controls how many file descriptors the murmur process can open.
+# As a rule of thumb, you should have about 20 descriptors per virtaul
+# server and one for each client. So 30 servers with 20 clients each would
+# need at least 720 descriptors (30 * 4 + 30 * 20).
+# MURMUR_LIMIT_NOFILE=65536
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
- ulimit -n $MURMUR_LIMIT_NOFILE
-fi
-
-case "$1" in
- start)
- if [ "$MURMUR_DAEMON_START" != "1" ] ; then
- log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
- exit 0
- fi
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
- if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --chuid $USER:$GROUP \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- else
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- fi
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- $STARTSTOP --stop --quiet \
- --retry=TERM/30/KILL/5 \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON
- case "$?" in
- 0|1) rm -f $PIDFILE
- [ "$VERBOSE" != no ] && log_end_msg 0
- ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- force-reload)
- $STARTSTOP --stop --test --quiet \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON \
- && $0 restart || exit 0
- ;;
- restart)
- [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
- $STARTSTOP --stop --quiet \
- --retry=TERM/30/KILL/5 \
- --pidfile $PIDFILE \
- --user $USER \
- --exec $DAEMON
- case "$?" in
- 0|1)
- [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
- rm -f $PIDFILE
- if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --chuid $USER:$GROUP \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- else
- $STARTSTOP --start --quiet \
- --pidfile $PIDFILE \
- --exec $DAEMON \
- -- $DAEMON_OPTS
- fi
- case "$?" in
- 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- *) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- *)
- [ "$VERBOSE" != no ] && log_end_msg 0
- ;;
- esac
- ;;
- *)
- N=/etc/init.d/$NAME
- echo "Usage: $N {start|stop|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-exit 0
+# ECDHE Perfect Forward Secrecy on the Murmur server via LD_PRELOAD
+# https://github.com/ultramancool/ecdhforce
+export LD_PRELOAD="/var/lib/mumble-server/ecdhforce/ecdhforce.so start-stop-daemon"
diff --git a/files/ecdhforce/mumble-server.init.d.Debian b/files/ecdhforce/mumble-server.init.d.Debian
new file mode 100755
index 0000000..00b5403
--- /dev/null
+++ b/files/ecdhforce/mumble-server.init.d.Debian
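Review bot: The new `export LD_PRELOAD=` line at the end of the hunk still carries the ` start-stop-daemon` token that belonged to the old `STARTSTOP` command variable; ld.so treats whitespace as a separator in LD_PRELOAD, so every process the init script spawns will try to preload an object named `start-stop-daemon` and print a loader error before continuing. The line should read `export LD_PRELOAD=/var/lib/mumble-server/ecdhforce/ecdhforce.so`. Because this file is sourced by the root-run init script and the variable is exported, the shared object is mapped into start-stop-daemon, `install` and `rm` as well as murmurd, and into a root murmurd when `MURMUR_USE_CAPABILITIES` is set to 1; the library and its directory therefore need to be root-owned and not writable by the mumble-server account, which is worth confirming against what `Exec['ecdhforce-link']` in the manifest leaves behind.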
@@ -0,0 +1,129 @@
+#! /bin/sh
+#
+### BEGIN INIT INFO
+# Provides: mumble-server
+# Required-Start: $network $local_fs $remote_fs dbus
+# Required-Stop: $network $local_fs $remote_fs dbus
+# Should-Start: $mysql
+# Should-Stop: $mysql
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Mumble VoIP Server
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=mumble-server
+DESC="Mumble VoIP Server"
+PIDDIR=/var/run/$NAME
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON=/usr/sbin/murmurd
+USER=mumble-server
+GROUP=mumble-server
+
+test -x $DAEMON || exit 0
+
+INIFILE=/etc/mumble-server.ini
+DAEMON_OPTS="-ini $INIFILE"
+MURMUR_DAEMON_START=0
+MURMUR_USE_CAPABILITIES=0
+MURMUR_LIMIT_NOFILE=0
+
+# Include murmur defaults if available
+if [ -f /etc/default/$NAME ] ; then
+ . /etc/default/$NAME
+fi
+
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+
+if [ "$MURMUR_LIMIT_NOFILE" -gt 0 ] ; then
+ ulimit -n $MURMUR_LIMIT_NOFILE
+fi
+
+case "$1" in
+ start)
+ if [ "$MURMUR_DAEMON_START" != "1" ] ; then
+ log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
+ exit 0
+ fi
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+ if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --chuid $USER:$GROUP \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ else
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ fi
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ $start-stop-daemon --stop --quiet \
+ --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON
+ case "$?" in
+ 0|1) rm -f $PIDFILE
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ force-reload)
+ $start-stop-daemon --stop --test --quiet \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON \
+ && $0 restart || exit 0
+ ;;
+ restart)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+ $start-stop-daemon --stop --quiet \
+ --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE \
+ --user $USER \
+ --exec $DAEMON
+ case "$?" in
+ 0|1)
+ [ -d $PIDDIR ] || install -o $USER -d $PIDDIR
+ rm -f $PIDFILE
+ if [ "$MURMUR_USE_CAPABILITIES" != "1" ] ; then
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --chuid $USER:$GROUP \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ else
+ $start-stop-daemon --start --quiet \
+ --pidfile $PIDFILE \
+ --exec $DAEMON \
+ -- $DAEMON_OPTS
+ fi
+ case "$?" in
+ 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ *) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ *)
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ ;;
+ esac
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+exit 0
diff --git a/manifests/ecdhforce.pp b/manifests/ecdhforce.pp
index 1067b33..bf4104a 100644
--- a/manifests/ecdhforce.pp
+++ b/manifests/ecdhforce.pp
@@ -31,7 +31,18 @@ class mumble::ecdhforce {
 group => root,
 }
+ # TODO: remove definition in the future
 file { '/etc/init.d/mumble-server':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 0755,
+ source => "puppet:///modules/mumble/ecdhforce/mumble-server.init.d.${::operatingsystem}",
+ require => Exec['ecdhforce-link'],
+ notify => Service['mumble-server'],
+ }
+
+ file { '/etc/default/mumble-server':
 ensure => present,
 owner => root,
 group => root,
-- cgit v1.2.3
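Review bot: Every `$start-stop-daemon` invocation in the new script (two in `start)`, one in `stop)`, one in `force-reload)`, three in `restart)`) expands the unset variable `$start` to nothing, so sh runs a command named `-stop-daemon` and the script can neither start nor stop murmurd; the old `$STARTSTOP` variable was replaced by the literal command name but the leading `$` was kept. Each of those seven lines should read `start-stop-daemon --start --quiet \` (or `--stop`, as the branch has it). `sh -n` will not catch this because the line is syntactically valid, so a manual `service mumble-server start` on a test host is the check that would have exposed it.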
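Review bot: The `# TODO: remove definition in the future` comment above the new `file { '/etc/init.d/mumble-server': ... }` resource does not say what the resource is for or what its removal waits on; the script it installs appears to mirror the stock Debian one apart from the start-stop-daemon calls, and the LD_PRELOAD now lives in /etc/default, which the stock script presumably also sources, so the reason for keeping a custom init script should be stated. Suggest `# TODO: drop once the packaged init script is confirmed to pick up LD_PRELOAD from /etc/default; this overrides a dpkg-managed file and may prompt on package upgrade`. The `file { '/etc/default/mumble-server':` resource begins in this hunk but its remaining attributes are outside it; it should carry `notify => Service['mumble-server']` like the init script resource, since the preload only takes effect on restart, if that is not already the case. `mode => 0755` as a bare octal works on the Puppet of the period but later releases require the quoted form `mode => '0755'`, which is worth aligning with whatever the rest of the manifest uses.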