/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2008-09-05 16:24:33 UTC
  • Revision ID: teddy@fukt.bsnet.se-20080905162433-58fgx91ae9foxlh1
* Makefile (PIDDIR, USER, GROUP): Removed.
  (install-server): Do not create $(PIDDIR).
  (uninstall-server): Do not remove $(PIDDIR).

* init.d-mandos (PIDFILE): Changed to "/var/run/$NAME.pid".

* mandos (IPv6_TCPServer.enabled): New attribute.
  (IPv6_TCPServer.server_activate): Only call method of superclass if
                                    "self.enabled".
  (IPv6_TCPServer.enable): Set "self.enabled" to True.
  (main): Create client Set() early.  Create IPv6_TCPServer object
          early.  Switch to user and group "mandos", "nobody" or
          65534, if possible.  Enable IPv6_TCPServer *after* switching
          user.

* mandos-keygen (KEYDIR): Changed to "/etc/keys/mandos".

* mandos.xml (FILES): Changed PID file.
  (SECURITY): The server does need to be privileged, but switches to a
              non-privileged user.

* plugin-runner.xml (EXAMPLE): Changed long example to something more
                               realistic.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 
4
<!ENTITY VERSION "1.0">
4
5
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2011-08-08">
6
 
<!ENTITY % common SYSTEM "common.ent">
7
 
%common;
 
6
<!ENTITY TIMESTAMP "2008-09-05">
8
7
]>
9
8
 
10
9
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
12
11
    <title>Mandos Manual</title>
13
12
    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
14
13
    <productname>Mandos</productname>
15
 
    <productnumber>&version;</productnumber>
 
14
    <productnumber>&VERSION;</productnumber>
16
15
    <date>&TIMESTAMP;</date>
17
16
    <authorgroup>
18
17
      <author>
32
31
    </authorgroup>
33
32
    <copyright>
34
33
      <year>2008</year>
35
 
      <year>2009</year>
36
 
      <year>2011</year>
37
34
      <holder>Teddy Hogeborn</holder>
38
35
      <holder>Björn Påhlsson</holder>
39
36
    </copyright>
40
37
    <xi:include href="legalnotice.xml"/>
41
38
  </refentryinfo>
42
 
  
 
39
 
43
40
  <refmeta>
44
41
    <refentrytitle>&COMMANDNAME;</refentrytitle>
45
42
    <manvolnum>8mandos</manvolnum>
51
48
      Run Mandos plugins, pass data from first to succeed.
52
49
    </refpurpose>
53
50
  </refnamediv>
54
 
  
 
51
 
55
52
  <refsynopsisdiv>
56
53
    <cmdsynopsis>
57
54
      <command>&COMMANDNAME;</command>
58
55
      <group rep="repeat">
59
56
        <arg choice="plain"><option>--global-env=<replaceable
60
 
        >ENV</replaceable><literal>=</literal><replaceable
 
57
        >VAR</replaceable><literal>=</literal><replaceable
61
58
        >value</replaceable></option></arg>
62
59
        <arg choice="plain"><option>-G
63
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
60
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
64
61
        >value</replaceable> </option></arg>
65
62
      </group>
66
63
      <sbr/>
173
170
    <variablelist>
174
171
      <varlistentry>
175
172
        <term><option>--global-env
176
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
173
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
177
174
        >value</replaceable></option></term>
178
175
        <term><option>-G
179
 
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
 
176
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
180
177
        >value</replaceable></option></term>
181
178
        <listitem>
182
179
          <para>
250
247
          </para>
251
248
        </listitem>
252
249
      </varlistentry>
253
 
      
 
250
 
254
251
      <varlistentry>
255
252
        <term><option>--disable
256
253
        <replaceable>PLUGIN</replaceable></option></term>
264
261
          </para>       
265
262
        </listitem>
266
263
      </varlistentry>
267
 
      
 
264
 
268
265
      <varlistentry>
269
266
        <term><option>--enable
270
267
        <replaceable>PLUGIN</replaceable></option></term>
279
276
          </para>
280
277
        </listitem>
281
278
      </varlistentry>
282
 
      
 
279
 
283
280
      <varlistentry>
284
281
        <term><option>--groupid
285
282
        <replaceable>ID</replaceable></option></term>
292
289
          </para>
293
290
        </listitem>
294
291
      </varlistentry>
295
 
      
 
292
 
296
293
      <varlistentry>
297
294
        <term><option>--userid
298
295
        <replaceable>ID</replaceable></option></term>
305
302
          </para>
306
303
        </listitem>
307
304
      </varlistentry>
308
 
      
 
305
 
309
306
      <varlistentry>
310
307
        <term><option>--plugin-dir
311
308
        <replaceable>DIRECTORY</replaceable></option></term>
368
365
          </para>
369
366
        </listitem>
370
367
      </varlistentry>
371
 
      
 
368
 
372
369
      <varlistentry>
373
370
        <term><option>--version</option></term>
374
371
        <term><option>-V</option></term>
380
377
      </varlistentry>
381
378
    </variablelist>
382
379
  </refsect1>
383
 
  
 
380
 
384
381
  <refsect1 id="overview">
385
382
    <title>OVERVIEW</title>
386
383
    <xi:include href="overview.xml"/>
406
403
      code will make this plugin-runner output the password from that
407
404
      plugin, stop any other plugins, and exit.
408
405
    </para>
409
 
    
 
406
 
410
407
    <refsect2 id="writing_plugins">
411
408
      <title>WRITING PLUGINS</title>
412
409
      <para>
419
416
        console.
420
417
      </para>
421
418
      <para>
422
 
        If the password is a single-line, manually entered passprase,
423
 
        a final trailing newline character should
424
 
        <emphasis>not</emphasis> be printed.
425
 
      </para>
426
 
      <para>
427
419
        The plugin will run in the initial RAM disk environment, so
428
420
        care must be taken not to depend on any files or running
429
421
        services not available there.
574
566
      <para>
575
567
        Run plugins from a different directory, read a different
576
568
        configuration file, and add two options to the
577
 
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
 
569
        <citerefentry><refentrytitle >password-request</refentrytitle>
578
570
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
579
571
      </para>
580
572
      <para>
581
573
 
582
574
<!-- do not wrap this line -->
583
 
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
 
575
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=password-request:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
584
576
 
585
577
      </para>
586
578
    </informalexample>
594
586
      non-privileged.  This user and group is then what all plugins
595
587
      will be started as.  Therefore, the only way to run a plugin as
596
588
      a privileged user is to have the set-user-ID or set-group-ID bit
597
 
      set on the plugin executable file (see <citerefentry>
 
589
      set on the plugin executable files (see <citerefentry>
598
590
      <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
599
591
      </citerefentry>).
600
592
    </para>
618
610
  <refsect1 id="see_also">
619
611
    <title>SEE ALSO</title>
620
612
    <para>
621
 
      <citerefentry><refentrytitle>intro</refentrytitle>
622
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
623
613
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
624
614
      <manvolnum>8</manvolnum></citerefentry>,
625
615
      <citerefentry><refentrytitle>crypttab</refentrytitle>
630
620
      <manvolnum>8</manvolnum></citerefentry>,
631
621
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
632
622
      <manvolnum>8mandos</manvolnum></citerefentry>,
633
 
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
 
623
      <citerefentry><refentrytitle>password-request</refentrytitle>
634
624
      <manvolnum>8mandos</manvolnum></citerefentry>
635
625
    </para>
636
626
  </refsect1>