/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-09-05 16:24:33 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080905162433-58fgx91ae9foxlh1
* Makefile (PIDDIR, USER, GROUP): Removed.
  (install-server): Do not create $(PIDDIR).
  (uninstall-server): Do not remove $(PIDDIR).

* init.d-mandos (PIDFILE): Changed to "/var/run/$NAME.pid".

* mandos (IPv6_TCPServer.enabled): New attribute.
  (IPv6_TCPServer.server_activate): Only call method of superclass if
                                    "self.enabled".
  (IPv6_TCPServer.enable): Set "self.enabled" to True.
  (main): Create client Set() early.  Create IPv6_TCPServer object
          early.  Switch to user and group "mandos", "nobody" or
          65534, if possible.  Enable IPv6_TCPServer *after* switching
          user.

* mandos-keygen (KEYDIR): Changed to "/etc/keys/mandos".

* mandos.xml (FILES): Changed PID file.
  (SECURITY): The server does need to be privileged, but switches to a
              non-privileged user.

* plugin-runner.xml (EXAMPLE): Changed long example to something more
                               realistic.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2016-02-28">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
 
6
<!ENTITY TIMESTAMP "2008-09-05">
8
7
]>
9
8
 
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
11
    <title>Mandos Manual</title>
13
12
    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
14
13
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
 
14
    <productnumber>&VERSION;</productnumber>
16
15
    <date>&TIMESTAMP;</date>
17
16
    <authorgroup>
18
17
      <author>
19
18
        <firstname>Björn</firstname>
20
19
        <surname>Påhlsson</surname>
21
20
        <address>
22
 
          <email>belorn@recompile.se</email>
 
21
          <email>belorn@fukt.bsnet.se</email>
23
22
        </address>
24
23
      </author>
25
24
      <author>
26
25
        <firstname>Teddy</firstname>
27
26
        <surname>Hogeborn</surname>
28
27
        <address>
29
 
          <email>teddy@recompile.se</email>
 
28
          <email>teddy@fukt.bsnet.se</email>
30
29
        </address>
31
30
      </author>
32
31
    </authorgroup>
33
32
    <copyright>
34
33
      <year>2008</year>
35
 
      <year>2009</year>
36
 
      <year>2010</year>
37
 
      <year>2011</year>
38
 
      <year>2012</year>
39
 
      <year>2013</year>
40
 
      <year>2014</year>
41
 
      <year>2015</year>
42
 
      <year>2016</year>
43
34
      <holder>Teddy Hogeborn</holder>
44
35
      <holder>Björn Påhlsson</holder>
45
36
    </copyright>
46
37
    <xi:include href="legalnotice.xml"/>
47
38
  </refentryinfo>
48
 
  
 
39
 
49
40
  <refmeta>
50
41
    <refentrytitle>&COMMANDNAME;</refentrytitle>
51
42
    <manvolnum>8mandos</manvolnum>
57
48
      Run Mandos plugins, pass data from first to succeed.
58
49
    </refpurpose>
59
50
  </refnamediv>
60
 
  
 
51
 
61
52
  <refsynopsisdiv>
62
53
    <cmdsynopsis>
63
54
      <command>&COMMANDNAME;</command>
64
55
      <group rep="repeat">
65
56
        <arg choice="plain"><option>--global-env=<replaceable
66
 
        >ENV</replaceable><literal>=</literal><replaceable
 
57
        >VAR</replaceable><literal>=</literal><replaceable
67
58
        >value</replaceable></option></arg>
68
59
        <arg choice="plain"><option>-G
69
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
60
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
70
61
        >value</replaceable> </option></arg>
71
62
      </group>
72
63
      <sbr/>
120
111
      <arg><option>--plugin-dir=<replaceable
121
112
      >DIRECTORY</replaceable></option></arg>
122
113
      <sbr/>
123
 
      <arg><option>--plugin-helper-dir=<replaceable
124
 
      >DIRECTORY</replaceable></option></arg>
125
 
      <sbr/>
126
114
      <arg><option>--config-file=<replaceable
127
115
      >FILE</replaceable></option></arg>
128
116
      <sbr/>
182
170
    <variablelist>
183
171
      <varlistentry>
184
172
        <term><option>--global-env
185
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
173
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
186
174
        >value</replaceable></option></term>
187
175
        <term><option>-G
188
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
176
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
189
177
        >value</replaceable></option></term>
190
178
        <listitem>
191
179
          <para>
259
247
          </para>
260
248
        </listitem>
261
249
      </varlistentry>
262
 
      
 
250
 
263
251
      <varlistentry>
264
252
        <term><option>--disable
265
253
        <replaceable>PLUGIN</replaceable></option></term>
270
258
            Disable the plugin named
271
259
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
272
260
            started.
273
 
          </para>
 
261
          </para>       
274
262
        </listitem>
275
263
      </varlistentry>
276
 
      
 
264
 
277
265
      <varlistentry>
278
266
        <term><option>--enable
279
267
        <replaceable>PLUGIN</replaceable></option></term>
288
276
          </para>
289
277
        </listitem>
290
278
      </varlistentry>
291
 
      
 
279
 
292
280
      <varlistentry>
293
281
        <term><option>--groupid
294
282
        <replaceable>ID</replaceable></option></term>
301
289
          </para>
302
290
        </listitem>
303
291
      </varlistentry>
304
 
      
 
292
 
305
293
      <varlistentry>
306
294
        <term><option>--userid
307
295
        <replaceable>ID</replaceable></option></term>
314
302
          </para>
315
303
        </listitem>
316
304
      </varlistentry>
317
 
      
 
305
 
318
306
      <varlistentry>
319
307
        <term><option>--plugin-dir
320
308
        <replaceable>DIRECTORY</replaceable></option></term>
329
317
      </varlistentry>
330
318
      
331
319
      <varlistentry>
332
 
        <term><option>--plugin-helper-dir
333
 
        <replaceable>DIRECTORY</replaceable></option></term>
334
 
        <listitem>
335
 
          <para>
336
 
            Specify a different plugin helper directory.  The default
337
 
            is <filename>/lib/mandos/plugin-helpers</filename>, which
338
 
            will exist in the initial <acronym>RAM</acronym> disk
339
 
            environment.  (This will simply be passed to all plugins
340
 
            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
341
 
            variable.  See <xref linkend="writing_plugins"/>)
342
 
          </para>
343
 
        </listitem>
344
 
      </varlistentry>
345
 
      
346
 
      <varlistentry>
347
320
        <term><option>--config-file
348
321
        <replaceable>FILE</replaceable></option></term>
349
322
        <listitem>
392
365
          </para>
393
366
        </listitem>
394
367
      </varlistentry>
395
 
      
 
368
 
396
369
      <varlistentry>
397
370
        <term><option>--version</option></term>
398
371
        <term><option>-V</option></term>
404
377
      </varlistentry>
405
378
    </variablelist>
406
379
  </refsect1>
407
 
  
 
380
 
408
381
  <refsect1 id="overview">
409
382
    <title>OVERVIEW</title>
410
383
    <xi:include href="overview.xml"/>
430
403
      code will make this plugin-runner output the password from that
431
404
      plugin, stop any other plugins, and exit.
432
405
    </para>
433
 
    
 
406
 
434
407
    <refsect2 id="writing_plugins">
435
408
      <title>WRITING PLUGINS</title>
436
409
      <para>
443
416
        console.
444
417
      </para>
445
418
      <para>
446
 
        If the password is a single-line, manually entered passprase,
447
 
        a final trailing newline character should
448
 
        <emphasis>not</emphasis> be printed.
449
 
      </para>
450
 
      <para>
451
419
        The plugin will run in the initial RAM disk environment, so
452
420
        care must be taken not to depend on any files or running
453
 
        services not available there.  Any helper executables required
454
 
        by the plugin (which are not in the <envar>PATH</envar>) can
455
 
        be placed in the plugin helper directory, the name of which
456
 
        will be made available to the plugin via the
457
 
        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
 
421
        services not available there.
458
422
      </para>
459
423
      <para>
460
424
        The plugin must exit cleanly and free all allocated resources
503
467
      only passes on its environment to all the plugins.  The
504
468
      environment passed to plugins can be modified using the
505
469
      <option>--global-env</option> and <option>--env-for</option>
506
 
      options.  Also, the <option>--plugin-helper-dir</option> option
507
 
      will affect the environment variable
508
 
      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
 
470
      options.
509
471
    </para>
510
472
  </refsect1>
511
473
  
602
564
    </informalexample>
603
565
    <informalexample>
604
566
      <para>
605
 
        Read a different configuration file, run plugins from a
606
 
        different directory, specify an alternate plugin helper
607
 
        directory and add two options to the
608
 
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
 
567
        Run plugins from a different directory, read a different
 
568
        configuration file, and add two options to the
 
569
        <citerefentry><refentrytitle >password-request</refentrytitle>
609
570
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
610
571
      </para>
611
572
      <para>
612
573
 
613
574
<!-- do not wrap this line -->
614
 
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
 
575
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=password-request:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
615
576
 
616
577
      </para>
617
578
    </informalexample>
625
586
      non-privileged.  This user and group is then what all plugins
626
587
      will be started as.  Therefore, the only way to run a plugin as
627
588
      a privileged user is to have the set-user-ID or set-group-ID bit
628
 
      set on the plugin executable file (see <citerefentry>
 
589
      set on the plugin executable files (see <citerefentry>
629
590
      <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
630
591
      </citerefentry>).
631
592
    </para>
649
610
  <refsect1 id="see_also">
650
611
    <title>SEE ALSO</title>
651
612
    <para>
652
 
      <citerefentry><refentrytitle>intro</refentrytitle>
653
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
654
613
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
655
614
      <manvolnum>8</manvolnum></citerefentry>,
656
615
      <citerefentry><refentrytitle>crypttab</refentrytitle>
661
620
      <manvolnum>8</manvolnum></citerefentry>,
662
621
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
663
622
      <manvolnum>8mandos</manvolnum></citerefentry>,
664
 
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
623
      <citerefentry><refentrytitle>password-request</refentrytitle>
665
624
      <manvolnum>8mandos</manvolnum></citerefentry>
666
625
    </para>
667
626
  </refsect1>