
Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-03-07 23:39:36 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 337.
  • Revision ID: teddy@recompile.se-20160307233936-mhgpxhggamde443n
Server bug fix: Include CAP_SETGID so it does not run as root

* debian/mandos.postinst (configure): If old version was 1.7.4-1 or
  1.7.4-1~bpo8+1, fix situation where clients.pickle file is owned by
  root.
* mandos (main): Print debug info about setuid() and setgid()
* mandos.service ([Service]/CapabilityBoundingSet): Add "CAP_KILL
  CAP_SETGID"; the latter is needed for setgid() to be allowed.

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2008-09-30">
 
5
<!ENTITY TIMESTAMP "2016-03-05">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
35
43
      <holder>Teddy Hogeborn</holder>
36
44
      <holder>Björn Påhlsson</holder>
37
45
    </copyright>
112
120
      <arg><option>--plugin-dir=<replaceable
113
121
      >DIRECTORY</replaceable></option></arg>
114
122
      <sbr/>
 
123
      <arg><option>--plugin-helper-dir=<replaceable
 
124
      >DIRECTORY</replaceable></option></arg>
 
125
      <sbr/>
115
126
      <arg><option>--config-file=<replaceable
116
127
      >FILE</replaceable></option></arg>
117
128
      <sbr/>
259
270
            Disable the plugin named
260
271
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
261
272
            started.
262
 
          </para>       
 
273
          </para>
263
274
        </listitem>
264
275
      </varlistentry>
265
276
      
318
329
      </varlistentry>
319
330
      
320
331
      <varlistentry>
 
332
        <term><option>--plugin-helper-dir
 
333
        <replaceable>DIRECTORY</replaceable></option></term>
 
334
        <listitem>
 
335
          <para>
 
336
            Specify a different plugin helper directory.  The default
 
337
            is <filename>/lib/mandos/plugin-helpers</filename>, which
 
338
            will exist in the initial <acronym>RAM</acronym> disk
 
339
            environment.  (This will simply be passed to all plugins
 
340
            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
 
341
            variable.  See <xref linkend="writing_plugins"/>)
 
342
          </para>
 
343
        </listitem>
 
344
      </varlistentry>
 
345
      
 
346
      <varlistentry>
321
347
        <term><option>--config-file
322
348
        <replaceable>FILE</replaceable></option></term>
323
349
        <listitem>
424
450
      <para>
425
451
        The plugin will run in the initial RAM disk environment, so
426
452
        care must be taken not to depend on any files or running
427
 
        services not available there.
 
453
        services not available there.  Any helper executables required
 
454
        by the plugin (which are not in the <envar>PATH</envar>) can
 
455
        be placed in the plugin helper directory, the name of which
 
456
        will be made available to the plugin via the
 
457
        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
428
458
      </para>
429
459
      <para>
430
460
        The plugin must exit cleanly and free all allocated resources
473
503
      only passes on its environment to all the plugins.  The
474
504
      environment passed to plugins can be modified using the
475
505
      <option>--global-env</option> and <option>--env-for</option>
476
 
      options.
 
506
      options.  Also, the <option>--plugin-helper-dir</option> option
 
507
      will affect the environment variable
 
508
      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
477
509
    </para>
478
510
  </refsect1>
479
511
  
522
554
      The <option>--config-file</option> option is ignored when
523
555
      specified from within a configuration file.
524
556
    </para>
 
557
    <xi:include href="bugs.xml"/>
525
558
  </refsect1>
526
559
  
527
560
  <refsect1 id="examples">
570
603
    </informalexample>
571
604
    <informalexample>
572
605
      <para>
573
 
        Run plugins from a different directory, read a different
574
 
        configuration file, and add two options to the
 
606
        Read a different configuration file, run plugins from a
 
607
        different directory, specify an alternate plugin helper
 
608
        directory and add two options to the
575
609
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
576
610
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
577
611
      </para>
578
612
      <para>
579
613
 
580
614
<!-- do not wrap this line -->
581
 
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
 
615
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
582
616
 
583
617
      </para>
584
618
    </informalexample>
616
650
  <refsect1 id="see_also">
617
651
    <title>SEE ALSO</title>
618
652
    <para>
 
653
      <citerefentry><refentrytitle>intro</refentrytitle>
 
654
      <manvolnum>8mandos</manvolnum></citerefentry>,
619
655
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
620
656
      <manvolnum>8</manvolnum></citerefentry>,
621
657
      <citerefentry><refentrytitle>crypttab</refentrytitle>