Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-03-02 16:45:38 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 335.
  • Revision ID: teddy@recompile.se-20160302164538-n9ocll4izthzw1ov
Ignore any error from initramfs-tools' "configure_networking".

* initramfs-tools-script: Wrap call to "configure_networking" with
  "set +e" and "set -e", since configure_networking was not designed
  to run in a "set -e" environment.

Closes: 816513
Thanks: Carlos Alberto Lopez Perez <clopez@igalia.com>
Thanks: Ben Hutchings <ben@decadent.org.uk>

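--- a/plugin-runner.xml
+++ b/plugin-runner.xml
@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
         "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-<!ENTITY VERSION "1.0">
 <!ENTITY COMMANDNAME "plugin-runner">
-<!ENTITY TIMESTAMP "2008-09-04">
+<!ENTITY TIMESTAMP "2016-02-28">
+<!ENTITY % common SYSTEM "common.ent">
+%common;
 ]>
  
 <refentry xmlns:xi="http://www.w3.org/2001/XInclude">
@@ -11,32 +12,40 @@
     <title>Mandos Manual</title>
     <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
     <productname>Mandos</productname>
-    <productnumber>&VERSION;</productnumber>
+    <productnumber>&version;</productnumber>
     <date>&TIMESTAMP;</date>
     <authorgroup>
       <author>
         <firstname>Björn</firstname>
         <surname>Påhlsson</surname>
         <address>
-          <email>belorn@fukt.bsnet.se</email>
+          <email>belorn@recompile.se</email>
         </address>
       </author>
       <author>
         <firstname>Teddy</firstname>
         <surname>Hogeborn</surname>
         <address>
-          <email>teddy@fukt.bsnet.se</email>
+          <email>teddy@recompile.se</email>
         </address>
       </author>
     </authorgroup>
     <copyright>
       <year>2008</year>
+      <year>2009</year>
+      <year>2010</year>
+      <year>2011</year>
+      <year>2012</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
       <holder>Teddy Hogeborn</holder>
       <holder>Björn Påhlsson</holder>
     </copyright>
     <xi:include href="legalnotice.xml"/>
   </refentryinfo>
- 
+  
   <refmeta>
     <refentrytitle>&COMMANDNAME;</refentrytitle>
     <manvolnum>8mandos</manvolnum>
@@ -48,16 +57,16 @@
       Run Mandos plugins, pass data from first to succeed.
     </refpurpose>
   </refnamediv>
- 
+  
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>&COMMANDNAME;</command>
       <group rep="repeat">
         <arg choice="plain"><option>--global-env=<replaceable
-        >VAR</replaceable><literal>=</literal><replaceable
+        >ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></arg>
         <arg choice="plain"><option>-G
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable> </option></arg>
       </group>
       <sbr/>
@@ -111,6 +120,9 @@
       <arg><option>--plugin-dir=<replaceable
       >DIRECTORY</replaceable></option></arg>
       <sbr/>
+      <arg><option>--plugin-helper-dir=<replaceable
+      >DIRECTORY</replaceable></option></arg>
+      <sbr/>
       <arg><option>--config-file=<replaceable
       >FILE</replaceable></option></arg>
       <sbr/>
@@ -170,10 +182,10 @@
     <variablelist>
       <varlistentry>
         <term><option>--global-env
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></term>
         <term><option>-G
-        <replaceable>VAR</replaceable><literal>=</literal><replaceable
+        <replaceable>ENV</replaceable><literal>=</literal><replaceable
         >value</replaceable></option></term>
         <listitem>
           <para>
@@ -247,7 +259,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--disable
         <replaceable>PLUGIN</replaceable></option></term>
@@ -258,10 +270,10 @@
             Disable the plugin named
             <replaceable>PLUGIN</replaceable>.  The plugin will not be
             started.
-          </para>       
+          </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--enable
         <replaceable>PLUGIN</replaceable></option></term>
@@ -276,7 +288,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--groupid
         <replaceable>ID</replaceable></option></term>
@@ -289,7 +301,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--userid
         <replaceable>ID</replaceable></option></term>
@@ -302,7 +314,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--plugin-dir
         <replaceable>DIRECTORY</replaceable></option></term>
@@ -317,6 +329,21 @@
       </varlistentry>
       
       <varlistentry>
+        <term><option>--plugin-helper-dir
+        <replaceable>DIRECTORY</replaceable></option></term>
+        <listitem>
+          <para>
+            Specify a different plugin helper directory.  The default
+            is <filename>/lib/mandos/plugin-helpers</filename>, which
+            will exist in the initial <acronym>RAM</acronym> disk
+            environment.  (This will simply be passed to all plugins
+            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
+            variable.  See <xref linkend="writing_plugins"/>)
+          </para>
+        </listitem>
+      </varlistentry>
+      
+      <varlistentry>
         <term><option>--config-file
         <replaceable>FILE</replaceable></option></term>
         <listitem>
@@ -365,7 +392,7 @@
           </para>
         </listitem>
       </varlistentry>
- 
+      
       <varlistentry>
         <term><option>--version</option></term>
         <term><option>-V</option></term>
@@ -377,7 +404,7 @@
       </varlistentry>
     </variablelist>
   </refsect1>
- 
+  
   <refsect1 id="overview">
     <title>OVERVIEW</title>
     <xi:include href="overview.xml"/>
@@ -403,7 +430,7 @@
       code will make this plugin-runner output the password from that
       plugin, stop any other plugins, and exit.
     </para>
- 
+    
     <refsect2 id="writing_plugins">
       <title>WRITING PLUGINS</title>
       <para>
@@ -416,9 +443,18 @@
         console.
       </para>
       <para>
+        If the password is a single-line, manually entered passprase,
+        a final trailing newline character should
+        <emphasis>not</emphasis> be printed.
+      </para>
+      <para>
         The plugin will run in the initial RAM disk environment, so
         care must be taken not to depend on any files or running
-        services not available there.
+        services not available there.  Any helper executables required
+        by the plugin (which are not in the <envar>PATH</envar>) can
+        be placed in the plugin helper directory, the name of which
+        will be made available to the plugin via the
+        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
       </para>
       <para>
         The plugin must exit cleanly and free all allocated resources
@@ -467,7 +503,9 @@
       only passes on its environment to all the plugins.  The
       environment passed to plugins can be modified using the
       <option>--global-env</option> and <option>--env-for</option>
-      options.
+      options.  Also, the <option>--plugin-helper-dir</option> option
+      will affect the environment variable
+      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
     </para>
   </refsect1>
   
@@ -564,15 +602,16 @@
     </informalexample>
     <informalexample>
       <para>
-        Run plugins from a different directory and add two
-        options to the <citerefentry><refentrytitle
-        >password-request</refentrytitle>
+        Read a different configuration file, run plugins from a
+        different directory, specify an alternate plugin helper
+        directory and add two options to the
+        <citerefentry><refentrytitle >mandos-client</refentrytitle>
         <manvolnum>8mandos</manvolnum></citerefentry> plugin:
       </para>
       <para>
  
 <!-- do not wrap this line -->
-<userinput>&COMMANDNAME;  --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt</userinput>
+<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
  
       </para>
     </informalexample>
@@ -586,7 +625,7 @@
       non-privileged.  This user and group is then what all plugins
       will be started as.  Therefore, the only way to run a plugin as
       a privileged user is to have the set-user-ID or set-group-ID bit
-      set on the plugin executable files (see <citerefentry>
+      set on the plugin executable file (see <citerefentry>
       <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
       </citerefentry>).
     </para>
@@ -610,6 +649,8 @@
   <refsect1 id="see_also">
     <title>SEE ALSO</title>
     <para>
+      <citerefentry><refentrytitle>intro</refentrytitle>
+      <manvolnum>8mandos</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>cryptsetup</refentrytitle>
       <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>crypttab</refentrytitle>
@@ -620,7 +661,7 @@
       <manvolnum>8</manvolnum></citerefentry>,
       <citerefentry><refentrytitle>password-prompt</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>password-request</refentrytitle>
+      <citerefentry><refentrytitle>mandos-client</refentrytitle>
       <manvolnum>8mandos</manvolnum></citerefentry>
     </para>
   </refsect1>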