File: //proc/self/root/proc/self/root/usr/bin/pollinate
#!/bin/sh
#
# pollinate: an Entropy-as-a-Service client
#
# Copyright (C) 2012-2016 Dustin Kirkland <dustin.kirkland@gmail.com>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -e
set -f
PKG="pollinate"
TMPDIR=$(mktemp -d -t "${PKG}.XXXXXXXXXXXX")
trap "rm -rf ${TMPDIR} 2>/dev/null || true" EXIT HUP INT QUIT TERM
CACHEDIR="/var/cache/${PKG}"
FLAG="${CACHEDIR}/seeded"
LOG="${CACHEDIR}/log"
HOSTNAME=$(hostname)
STRICT=0
# Only recent logger version supports --id=[ID]
logger_ver=$(logger -V 2>&1 | awk '{print $4}')
dpkg --compare-versions $logger_ver ge 2.26.2 && LOGGER="logger --id=$$" || LOGGER="logger"
# Log to both syslog, and stderr, if we're on an interactive terminal
[ -t 0 ] && LOGGER="$LOGGER -s"
error() {
$LOGGER -t ${PKG} "ERROR: $@"
exit 1
}
warning() {
if [ "$STRICT" = "1" ]; then
$LOGGER -t ${PKG} "ERROR: $@"
exit 1
else
$LOGGER -t ${PKG} "WARNING: $@"
exit 0
fi
}
log() {
if [ "${QUIET}" = "1" ]; then
# quiet mode, don't log to stderr
if [ -w "$CACHEDIR" ]; then
# log to file, if we can
$LOGGER -t ${PKG} "$@" >>"${LOG}" 2>&1
else
# log to syslog, if its up
$LOGGER -t ${PKG} "$@"
fi
else
# log to both stderr and syslog
$LOGGER -t ${PKG} "$@"
fi
}
random_hash() {
# Read and print urandom bytes
head -c "${BYTES}" /dev/urandom | sha512sum | awk '{print $1}'
}
hash_and_write() {
# Whiten input with a hash, and write to device
local hex=$(cat "${TMPDIR}/out" "${TMPDIR}/err" | sha512sum | awk '{print $1}')
if [ "${BINARY}" = "1" ]; then
if [ "${DEVICE}" = "-" ]; then
printf "${hex}" | xxd -r -p
else
printf "${hex}" | xxd -r -p > "${DEVICE}"
fi
else
if [ "${DEVICE}" = "-" ]; then
printf "%s" "${hex}"
else
printf "%s" "${hex}" > "${DEVICE}"
fi
fi
log "client hashed response from [${1}]"
}
read_build_info() {
# ubuntu images place build information in /etc/cloud/build.info
# format of file is '<key>: <value>' put these under img/<key>/<value>
local bifile="${1:-/etc/cloud/build.info}" ret=""
_RET=""
[ -s "$bifile" ] || return 0
ret=$(awk '{
gsub(/#.*/, ""); gsub(/\s+$/, "");
if ($0 == "" || $0 !~ /:/) next;
gsub(/:\s*/, "/");
printf("img/%s ", $0) }' "$bifile") || return
_RET="${ret% }"
}
read_addl_info() {
# allow additinal info file to contain entries one per line. lines must
# have a '/' in them. remove trailing space and '#' as comment. example:
# key/value
# fookey/foovalue # written by foo
local aifile="${1:-/etc/pollinate/add-user-agent}" ret=""
_RET=""
[ -s "$aifile" ] || return 0
ret=$(awk '{
gsub(/#.*/, ""); gsub(/\s+$/, "");
if ($0 == "" || $0 !~ /\//) next;
printf("%s ", $0); }' "$aifile") || return
_RET=${ret% }
}
read_virt() {
# return virt/<value> where value is the virtualization platform the
# system is running on.
local ret=""
_RET=""
if command -v systemd-detect-virt >/dev/null; then
ret=$(systemd-detect-virt)
# systemd-detect-virt returns 1 for 'none'
[ $? -eq 0 -o "$ret" = "none" ] || ret=""
else
# trusty would take this path.
if [ -d /dev/xen ]; then
ret="xen"
elif [ -d /dev/lxd ]; then
# call this 'lxc' for consistency with systemd-detect-virt.
ret="lxc"
elif dmesg | grep --quiet " kvm-clock:"; then
ret="kvm"
fi
fi
[ -n "$ret" ] || return
_RET="virt/$ret"
}
read_package_versions() {
local pkgs="pollinate curl cloud-init" data="" p=""
data=$(dpkg-query \
-W --showformat='${Package}/${Version} ' $pkgs 2>/dev/null) || :
# fill in 'package/' for any package not installed.
for p in ${pkgs}; do
[ "${data#*$p/}" = "$data" ] && data="${data} $p/"
done
if [ -n "$TESTING" ]; then
p="pollinate"
data="${data%%$p/*}$p${TESTING}/${data#*$p/}"
fi
set -- $data
_RET="$*"
}
read_uname_info() {
# taken from cloud-init ds-identify.
# run uname, and parse output.
# uname is tricky to parse as it outputs always in a given order
# independent of option order. kernel-version is known to have spaces.
# 1 -s kernel-name
# 2 -n nodename
# 3 -r kernel-release
# 4.. -v kernel-version(whitespace)
# N-2 -m machine
# N-1 -o operating-system
local out="" krel="" machine="" os=""
out=$(uname -snrvmo) || { _RET=""; return; }
set -- $out
krel="$3"
shift 3
while [ $# -gt 2 ]; do
shift
done
machine=$1
os=$2
_RET="$os/$krel/$machine"
return 0
}
user_agent() {
# Construct a user agent, with useful debug information
# Very similar to Firefox and Chrome
. /etc/lsb-release
local pkg_info="" lsb="" platform="" cpu="" up="NA" idle="NA" uptime
read_package_versions && pkg_info="$_RET"
read_uname_info && platform="$_RET"
lsb=$(echo "${DISTRIB_DESCRIPTION}" | sed -e "s/ /\//g")
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"
{ read up idle < /proc/uptime ; } >/dev/null 2>&1 || :
uptime="uptime/$up/$idle"
local addl_data="" build_info="" virt=""
read_build_info && build_info="${_RET}"
read_addl_info && addl_data="${_RET}"
read_virt && virt="${_RET}"
USER_AGENT="${pkg_info} ${lsb} ${platform} ${cpu} ${uptime}${virt:+ ${virt}}${build_info:+ ${build_info}}${addl_data:+ ${addl_data}}"
}
exchange() {
local server="${1}"
local f1="${TMPDIR}/challenge"
case "${server}" in
"http://"*|"https://"*)
# looks good
true
;;
*)
# otherwise, default to https://
server="https://${server}"
;;
esac
if [ "${NO_CHALLENGE}" != "1" ]; then
# Create and enforce a challenge/response, to ensure personal communication
local challenge=$(random_hash)
local challenge_response=$(printf "${challenge}" | sha512sum | awk '{print $1}')
printf "challenge=%s" "$challenge" > "${f1}"
log "client sent challenge to [${1}]"
else
f1="/dev/null"
fi
local out="${TMPDIR}/out"
local err="${TMPDIR}/err"
user_agent
if curl --connect-timeout "${WAIT}" --max-time "${WAIT}" -A "${USER_AGENT}" -o- -v --trace-time --data @${f1} ${CURL_OPTS} ${server} >"${out}" 2>"${err}"; then
if [ "${NO_CHALLENGE}" != "1" ]; then
if [ "${challenge_response}" = $(head -n1 "${out}") ]; then
log "client verified challenge/response with [${server}]"
else
error "Server failed challenge/response [expected=${challenge_response}] != [got=$(head -n1 ${out})]"
fi
fi
hash_and_write "${server}"
log "client successfully seeded [${DEVICE}]"
else
case $? in
124)
warning "Network communication failed [$?], timeout after [${WAIT}s] $(cat ${out} ${err})"
;;
*)
warning "Network communication failed [$?] $(cat ${out} ${err})"
;;
esac
fi
}
# Source configuration
[ -r "/etc/default/${PKG}" ] && . "/etc/default/${PKG}"
while [ ! -z "$1" ]; do
case "${1}" in
-b|--binary)
BINARY=1
shift
;;
-c|--curl-opts)
CURL_OPTS="${CURL_OPTS} $2"
shift 2
;;
-d|--device)
DEVICE="$2"
shift 2
;;
-i|--insecure)
CURL_OPTS="${CURL_OPTS} --insecure"
shift 1
;;
-n|--no-challenge)
NO_CHALLENGE=1
shift 1
;;
-r|--reseed)
RESEED=1
shift 1
;;
-s|--server)
SERVER="$2"
shift 2
;;
-p|--pool)
POOL="${POOL} $2"
shift 2
;;
-q|--quiet)
QUIET=1
shift
;;
--strict)
STRICT=1
shift
;;
-t|--testing)
TESTING="-testing"
shift 1
;;
-w|--wait)
WAIT="$2"
shift 2
;;
--print-user-agent)
user_agent || error "Failed to get user-agent."
echo "${USER_AGENT}"
exit
;;
*)
error "Unknown options [$1]"
;;
esac
done
# Pollinate prefers to run as a privileged user unless --testing communications
if [ -z "${TESTING}" ]; then
if [ ! -w "${CACHEDIR}" ]; then
error "should execute as the [${PKG}] user"
fi
if [ -e "${FLAG}" ]; then
timestamp=$(stat -c "%y" "${FLAG}")
log "system was previously seeded at [${timestamp}]"
if [ "${RESEED}" != "1" ]; then
log "To re-seed this system again, use the -r|--reseed option"
exit 0
fi
fi
else
# Output device must be stdout if we're in testing mode
DEVICE="-"
fi
[ -n "${DEVICE}" ] || DEVICE="/dev/urandom"
[ -n "${BYTES}" ] || BYTES=64
[ -n "${WAIT}" ] || WAIT="10"
if [ -n "${SERVER}" ]; then
POOL="${SERVER}"
fi
if [ -z "${POOL}" ]; then
error "No servers configured in pool"
fi
for i in ${POOL}; do
exchange "${i}"
done
if [ -z "${TESTING}" ]; then
touch "${FLAG}"
fi