/mandos/release : revision 139

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 10:27:08 UTC
Revision ID: teddy@fukt.bsnet.se-20080902102708-j5k6ec3lcgkaeipv

* plugin-runner.xml: Changed short option for "--global-env" to "-G",
                     changed short option for "--env-for" to "-E".
                     added new options "--enable" ("-e") and
                     "--config-file".
  (ENVIRONMENT): Added text.
  (FILES): Changed id to "files".  Improved wording and add more text.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.config

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.config

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/po/POTFILES.in

debian/po/sv.po

debian/rules

default-mandos

init.d-mandos

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/splashy.c

plugins.d/usplash.c

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2008-09-30">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

141

140

<title>DESCRIPTION</title>

142

141

<para>

143

142

<command>&COMMANDNAME;</command> is a program which is meant to

144

be specified as a <quote>keyscript</quote> for the root disk in

145

<citerefentry><refentrytitle>crypttab</refentrytitle>

146

<manvolnum>5</manvolnum></citerefentry>. The aim of this

147

program is therefore to output a password, which then

148

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

149

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

150

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

151

150

</para>

152

151

<para>

153

152

This program is not meant to be invoked directly, but can be in

171

170

172

171

173

172

<term><option>--global-env

174

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

175

174

>value</replaceable></option></term>

176

<term><option>-G

177

<replaceable>ENV</replaceable><literal>=</literal><replaceable

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

178

177

>value</replaceable></option></term>

179

178

180

179

<para>

190

189

<replaceable>PLUGIN</replaceable><literal>:</literal

191

190

><replaceable>ENV</replaceable><literal>=</literal

192

191

><replaceable>value</replaceable></option></term>

193

<term><option>-E

192

<term><option>-f

194

193

<replaceable>PLUGIN</replaceable><literal>:</literal

195

194

><replaceable>ENV</replaceable><literal>=</literal

196

195

><replaceable>value</replaceable></option></term>

216

215

<replaceable>OPTIONS</replaceable> is a comma separated

217

216

list of options. This is not a very useful option, except

218

217

for specifying the <quote><option>--debug</option></quote>

219

option to all plugins.

218

for all plugins.

220

219

</para>

221

220

</listitem>

222

221

</varlistentry>

242

241

<option>--bar</option> with the option argument

243

242

<quote>baz</quote> is either

244

243

<userinput>--options-for=foo:--bar=baz</userinput> or

245

<userinput>--options-for=foo:--bar,baz</userinput>. Using

246

<userinput>--options-for="foo:--bar baz"</userinput>. will

247

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

248

247

</para>

249

248

</listitem>

250

249

</varlistentry>

251

250

252

251

253

252

<term><option>--disable

254

253

<replaceable>PLUGIN</replaceable></option></term>

262

261

</para>

263

262

</listitem>

264

263

</varlistentry>

265

264

266

265

267

266

<term><option>--enable

268

267

<replaceable>PLUGIN</replaceable></option></term>

273

272

Re-enable the plugin named

274

273

<replaceable>PLUGIN</replaceable>. This is only useful to

275

274

undo a previous <option>--disable</option> option, maybe

276

from the configuration file.

275

from the config file.

277

276

</para>

278

277

</listitem>

279

278

</varlistentry>

280

279

281

280

282

281

<term><option>--groupid

283

282

290

289

</para>

291

290

</listitem>

292

291

</varlistentry>

293

292

294

293

295

294

<term><option>--userid

296

295

303

302

</para>

304

303

</listitem>

305

304

</varlistentry>

306

305

307

306

308

307

<term><option>--plugin-dir

309

308

<replaceable>DIRECTORY</replaceable></option></term>

366

365

</para>

367

366

</listitem>

368

367

</varlistentry>

369

368

370

369

371

370

<term><option>--version</option></term>

372

371

378

377

</varlistentry>

379

378

</variablelist>

380

379

</refsect1>

381

380

382

381

383

382

<title>OVERVIEW</title>

384

383

<xi:include href="overview.xml"/>

404

403

code will make this plugin-runner output the password from that

405

404

plugin, stop any other plugins, and exit.

406

405

</para>

407

408

409

<title>WRITING PLUGINS</title>

410

<para>

411

A plugin is simply a program which prints a password to its

412

standard output and then exits with a successful (zero) exit

413

status. If the exit status is not zero, any output on

414

standard output will be ignored by the plugin runner. Any

415

output on its standard error channel will simply be passed to

416

the standard error of the plugin runner, usually the system

417

console.

418

</para>

419

<para>

420

If the password is a single-line, manually entered passprase,

421

a final trailing newline character should

422

<emphasis>not</emphasis> be printed.

423

</para>

424

<para>

425

The plugin will run in the initial RAM disk environment, so

426

care must be taken not to depend on any files or running

427

services not available there.

428

</para>

429

<para>

430

The plugin must exit cleanly and free all allocated resources

431

upon getting the TERM signal, since this is what the plugin

432

runner uses to stop all other plugins when one plugin has

433

output a password and exited cleanly.

434

</para>

435

<para>

436

The plugin must not use resources, like for instance reading

437

from the standard input, without knowing that no other plugin

438

is also using it.

439

</para>

440

<para>

441

It is useful, but not required, for the plugin to take the

442

<option>--debug</option> option.

443

</para>

444

</refsect2>

445

406

</refsect1>

446

407

447

408

473

434

only passes on its environment to all the plugins. The

474

435

environment passed to plugins can be modified using the

475

436

<option>--global-env</option> and <option>--env-for</option>

476

options.

437

optins.

477

438

</para>

478

439

</refsect1>

479

440

519

480

520

481

521

482

<para>

522

The <option>--config-file</option> option is ignored when

523

specified from within a configuration file.

524

483

</para>

525

484

</refsect1>

526

485

527

486

528

487

<title>EXAMPLE</title>

529

530

<para>

531

Normal invocation needs no options:

532

</para>

533

<para>

534

<userinput>&COMMANDNAME;</userinput>

535

</para>

536

</informalexample>

537

538

<para>

539

Run the program, but not the plugins, in debug mode:

540

</para>

541

<para>

542

543

544

<userinput>&COMMANDNAME; --debug</userinput>

545

546

</para>

547

</informalexample>

548

549

<para>

550

Run all plugins, but run the <quote>foo</quote> plugin in

551

debug mode:

552

</para>

553

<para>

554

555

556

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

557

558

</para>

559

</informalexample>

560

561

<para>

562

Run all plugins, but not the program, in debug mode:

563

</para>

564

<para>

565

566

567

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

568

569

</para>

570

</informalexample>

571

572

<para>

573

Run plugins from a different directory, read a different

574

configuration file, and add two options to the

575

<citerefentry><refentrytitle >mandos-client</refentrytitle>

576

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

577

</para>

578

<para>

579

580

581

<userinput>&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>

582

583

</para>

584

</informalexample>

488

<para>

489

</para>

585

490

</refsect1>

491

586

492

587

493

<title>SECURITY</title>

588

494

<para>

589

This program will, when starting, try to switch to another user.

590

If it is started as root, it will succeed, and will by default

591

switch to user and group 65534, which are assumed to be

592

non-privileged. This user and group is then what all plugins

593

will be started as. Therefore, the only way to run a plugin as

594

a privileged user is to have the set-user-ID or set-group-ID bit

595

set on the plugin executable file (see <citerefentry>

596

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

597

</citerefentry>).

598

</para>

599

<para>

600

If this program is used as a keyscript in <citerefentry

601

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

602

</citerefentry>, there is a slight risk that if this program

603

fails to work, there might be no way to boot the system except

604

for booting from another media and editing the initial RAM disk

605

image to not run this program. This is, however, unlikely,

606

since the <citerefentry><refentrytitle

607

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

608

</citerefentry> plugin will read a password from the console in

609

case of failure of the other plugins, and this plugin runner

610

will also, in case of catastrophic failure, itself fall back to

611

asking and outputting a password on the console (see <xref

612

linkend="fallback"/>).

613

495

</para>

614

496

</refsect1>

615

497

618

500

<para>

619

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

620

502

<manvolnum>8</manvolnum></citerefentry>,

621

<citerefentry><refentrytitle>crypttab</refentrytitle>

622

<manvolnum>5</manvolnum></citerefentry>,

623

<citerefentry><refentrytitle>execve</refentrytitle>

624

<manvolnum>2</manvolnum></citerefentry>,

625

503

<citerefentry><refentrytitle>mandos</refentrytitle>

626

504

<manvolnum>8</manvolnum></citerefentry>,

627

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

628

506

<manvolnum>8mandos</manvolnum></citerefentry>,

629

<citerefentry><refentrytitle>mandos-client</refentrytitle>

507

<citerefentry><refentrytitle>password-request</refentrytitle>

630

508

<manvolnum>8mandos</manvolnum></citerefentry>

631

509

</para>

632

510

</refsect1>

Older »