/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release


Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-03-19 04:21:00 UTC
  • mto: (237.7.594 trunk)
  • mto: This revision was merged to the branch mainline in revision 341.
  • Revision ID: teddy@recompile.se-20160319042100-i581cfv65r934dnl
Client: Make plugin helper override directory mode u=rwx,go=

Even though it currently is not used, a local administrator might use
setuid (or setcap) executables as plugin helpers.  Thus, the plugin
helper override directory (/etc/mandos/plugin-helpers) must be
secured, just as the plugin override directory (/etc/mandos/plugins.d)
is.

* Makefile (install-client-nokey): Install plugin-helper directory as
                                   mode u=rwx.
* debian/mandos-client.lintian-overrides: Do not warn about
                               permissions on plugin helper directory.
* debian/mandos-client.postinst (configure): Fix permissions on plugin
  helper local override directory (/etc/mandos/plugin-helpers), but
  only if not listed by "dpkg-statoverride".

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2011-10-03">
 
5
<!ENTITY TIMESTAMP "2016-03-17">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
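Review bot: TIMESTAMP at line 5 is set to 2016-03-17 while the commit itself is dated 2016-03-19; if the entity is meant to record the date of the last edit to this manual page, bump it to match, otherwise the generated man page will carry a date two days older than the text it describes.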
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
 
36
      <year>2010</year>
36
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
37
43
      <holder>Teddy Hogeborn</holder>
38
44
      <holder>Björn Påhlsson</holder>
39
45
    </copyright>
114
120
      <arg><option>--plugin-dir=<replaceable
115
121
      >DIRECTORY</replaceable></option></arg>
116
122
      <sbr/>
 
123
      <arg><option>--plugin-helper-dir=<replaceable
 
124
      >DIRECTORY</replaceable></option></arg>
 
125
      <sbr/>
117
126
      <arg><option>--config-file=<replaceable
118
127
      >FILE</replaceable></option></arg>
119
128
      <sbr/>
261
270
            Disable the plugin named
262
271
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
263
272
            started.
264
 
          </para>       
 
273
          </para>
265
274
        </listitem>
266
275
      </varlistentry>
267
276
      
320
329
      </varlistentry>
321
330
      
322
331
      <varlistentry>
 
332
        <term><option>--plugin-helper-dir
 
333
        <replaceable>DIRECTORY</replaceable></option></term>
 
334
        <listitem>
 
335
          <para>
 
336
            Specify a different plugin helper directory.  The default
 
337
            is <filename>/lib/mandos/plugin-helpers</filename>, which
 
338
            will exist in the initial <acronym>RAM</acronym> disk
 
339
            environment.  (This will simply be passed to all plugins
 
340
            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
 
341
            variable.  See <xref linkend="writing_plugins"/>)
 
342
          </para>
 
343
        </listitem>
 
344
      </varlistentry>
 
345
      
 
346
      <varlistentry>
323
347
        <term><option>--config-file
324
348
        <replaceable>FILE</replaceable></option></term>
325
349
        <listitem>
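Review bot: In the new --plugin-helper-dir entry, the parenthetical at lines 339-341 ends with `See <xref linkend="writing_plugins"/>)` with no full stop before the closing parenthesis, unlike the sentence that precedes it inside the same parentheses; write `See <xref linkend="writing_plugins"/>.)` so the two sentences are punctuated consistently.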
426
450
      <para>
427
451
        The plugin will run in the initial RAM disk environment, so
428
452
        care must be taken not to depend on any files or running
429
 
        services not available there.
 
453
        services not available there.  Any helper executables required
 
454
        by the plugin (which are not in the <envar>PATH</envar>) can
 
455
        be placed in the plugin helper directory, the name of which
 
456
        will be made available to the plugin via the
 
457
        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
430
458
      </para>
431
459
      <para>
432
460
        The plugin must exit cleanly and free all allocated resources
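Review bot: The added text at lines 453-457 tells plugin authors where helper executables go but says nothing about who may write there; the commit message gives the possibility of setuid or setcap helpers as the reason for this change, which makes the helper directory a trust boundary, so a sentence stating that the directory and its contents must be owned by root and not writable by group or others (the u=rwx,go= mode applied to the override directory) belongs here. The parenthetical "(which are not in the PATH)" would also read more precisely as "that cannot be found via PATH".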
475
503
      only passes on its environment to all the plugins.  The
476
504
      environment passed to plugins can be modified using the
477
505
      <option>--global-env</option> and <option>--env-for</option>
478
 
      options.
 
506
      options.  Also, the <option>--plugin-helper-dir</option> option
 
507
      will affect the environment variable
 
508
      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
479
509
    </para>
480
510
  </refsect1>
481
511
  
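Review bot: "will affect the environment variable MANDOSPLUGINHELPERDIR" at lines 506-508 leaves precedence undefined: the sentence before it says plugin-runner only passes on its own environment and that --global-env and --env-for can modify it, so a reader cannot tell whether --plugin-helper-dir, an inherited MANDOSPLUGINHELPERDIR, or a --global-env setting of the same variable wins. State the rule explicitly, for example "sets the MANDOSPLUGINHELPERDIR environment variable for all plugins, overriding any inherited value", and if the code behaves differently, document what it actually does.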
514
544
            </para>
515
545
          </listitem>
516
546
        </varlistentry>
 
547
        <varlistentry>
 
548
          <term><filename class="directory"
 
549
          >/lib/mandos/plugins.d</filename></term>
 
550
          <listitem>
 
551
            <para>
 
552
              The default plugin directory; can be changed by the
 
553
              <option>--plugin-dir</option> option.
 
554
            </para>
 
555
          </listitem>
 
556
        </varlistentry>
 
557
        <varlistentry>
 
558
          <term><filename class="directory"
 
559
          >/lib/mandos/plugin-helpers</filename></term>
 
560
          <listitem>
 
561
            <para>
 
562
              The default plugin helper directory; can be changed by
 
563
              the <option>--plugin-helper-dir</option> option.
 
564
            </para>
 
565
          </listitem>
 
566
        </varlistentry>
517
567
      </variablelist>
518
568
    </para>
519
569
  </refsect1>
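Review bot: The FILES section at lines 547-566 now lists only the default directories /lib/mandos/plugins.d and /lib/mandos/plugin-helpers; the local override directory /etc/mandos/plugin-helpers that this commit secures (and its /etc/mandos/plugins.d counterpart named in the commit message) is documented nowhere on this page, so an administrator reading the manual cannot learn that an override directory exists or that it must be kept at mode u=rwx,go=. Add varlistentry items for both override directories and state the permission requirement there.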
524
574
      The <option>--config-file</option> option is ignored when
525
575
      specified from within a configuration file.
526
576
    </para>
 
577
    <xi:include href="bugs.xml"/>
527
578
  </refsect1>
528
579
  
529
580
  <refsect1 id="examples">
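Review bot: The xi:include of bugs.xml at line 577 is unrelated to the plugin helper directory work, and like the rest of the edits to plugin-runner.xml it is absent from the commit message's change list, which names only Makefile, debian/mandos-client.lintian-overrides and debian/mandos-client.postinst. Add a plugin-runner.xml entry to the message, or move the bugs.xml include into its own commit.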
572
623
    </informalexample>
573
624
    <informalexample>
574
625
      <para>
575
 
        Run plugins from a different directory, read a different
576
 
        configuration file, and add two options to the
 
626
        Read a different configuration file, run plugins from a
 
627
        different directory, specify an alternate plugin helper
 
628
        directory and add two options to the
577
629
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
578
630
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
579
631
      </para>
580
632
      <para>
581
633
 
582
634
<!-- do not wrap this line -->
583
 
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
 
635
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
584
636
 
585
637
      </para>
586
638
    </informalexample>
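Review bot: The rewritten example at line 635 hard-codes the multiarch path /usr/lib/x86_64-linux-gnu/mandos/... for both --plugin-dir and --plugin-helper-dir, while the option descriptions and the FILES section give /lib/mandos/... as the defaults; on any other architecture the example fails as typed. Either use an architecture-neutral path or add a sentence saying the directory name varies with the multiarch triplet. The double space after &COMMANDNAME; from the old line 583 was carried over as well.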