/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.xml

* plugins.d/mandos-client.c (main): Do not even try to work around
                                    Debian bug 633582 if --seckey or
                                    --pubkey specifies a different
                                    directory.  Bug fix: Remove all
                                    files in GPG temporary directory.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "plugin-runner">
6
 
<!ENTITY TIMESTAMP "2008-09-04">
 
5
<!ENTITY TIMESTAMP "2009-01-17">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
    <title>Mandos Manual</title>
12
13
    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
13
14
    <productname>Mandos</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
15
    <productnumber>&version;</productnumber>
15
16
    <date>&TIMESTAMP;</date>
16
17
    <authorgroup>
17
18
      <author>
31
32
    </authorgroup>
32
33
    <copyright>
33
34
      <year>2008</year>
 
35
      <year>2009</year>
34
36
      <holder>Teddy Hogeborn</holder>
35
37
      <holder>Björn Påhlsson</holder>
36
38
    </copyright>
37
39
    <xi:include href="legalnotice.xml"/>
38
40
  </refentryinfo>
39
 
 
 
41
  
40
42
  <refmeta>
41
43
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
44
    <manvolnum>8mandos</manvolnum>
48
50
      Run Mandos plugins, pass data from first to succeed.
49
51
    </refpurpose>
50
52
  </refnamediv>
51
 
 
 
53
  
52
54
  <refsynopsisdiv>
53
55
    <cmdsynopsis>
54
56
      <command>&COMMANDNAME;</command>
55
57
      <group rep="repeat">
56
58
        <arg choice="plain"><option>--global-env=<replaceable
57
 
        >VAR</replaceable><literal>=</literal><replaceable
 
59
        >ENV</replaceable><literal>=</literal><replaceable
58
60
        >value</replaceable></option></arg>
59
61
        <arg choice="plain"><option>-G
60
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
62
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
61
63
        >value</replaceable> </option></arg>
62
64
      </group>
63
65
      <sbr/>
170
172
    <variablelist>
171
173
      <varlistentry>
172
174
        <term><option>--global-env
173
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
175
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
174
176
        >value</replaceable></option></term>
175
177
        <term><option>-G
176
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
178
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
177
179
        >value</replaceable></option></term>
178
180
        <listitem>
179
181
          <para>
247
249
          </para>
248
250
        </listitem>
249
251
      </varlistentry>
250
 
 
 
252
      
251
253
      <varlistentry>
252
254
        <term><option>--disable
253
255
        <replaceable>PLUGIN</replaceable></option></term>
261
263
          </para>       
262
264
        </listitem>
263
265
      </varlistentry>
264
 
 
 
266
      
265
267
      <varlistentry>
266
268
        <term><option>--enable
267
269
        <replaceable>PLUGIN</replaceable></option></term>
276
278
          </para>
277
279
        </listitem>
278
280
      </varlistentry>
279
 
 
 
281
      
280
282
      <varlistentry>
281
283
        <term><option>--groupid
282
284
        <replaceable>ID</replaceable></option></term>
289
291
          </para>
290
292
        </listitem>
291
293
      </varlistentry>
292
 
 
 
294
      
293
295
      <varlistentry>
294
296
        <term><option>--userid
295
297
        <replaceable>ID</replaceable></option></term>
302
304
          </para>
303
305
        </listitem>
304
306
      </varlistentry>
305
 
 
 
307
      
306
308
      <varlistentry>
307
309
        <term><option>--plugin-dir
308
310
        <replaceable>DIRECTORY</replaceable></option></term>
365
367
          </para>
366
368
        </listitem>
367
369
      </varlistentry>
368
 
 
 
370
      
369
371
      <varlistentry>
370
372
        <term><option>--version</option></term>
371
373
        <term><option>-V</option></term>
377
379
      </varlistentry>
378
380
    </variablelist>
379
381
  </refsect1>
380
 
 
 
382
  
381
383
  <refsect1 id="overview">
382
384
    <title>OVERVIEW</title>
383
385
    <xi:include href="overview.xml"/>
403
405
      code will make this plugin-runner output the password from that
404
406
      plugin, stop any other plugins, and exit.
405
407
    </para>
406
 
 
 
408
    
407
409
    <refsect2 id="writing_plugins">
408
410
      <title>WRITING PLUGINS</title>
409
411
      <para>
416
418
        console.
417
419
      </para>
418
420
      <para>
 
421
        If the password is a single-line, manually entered passprase,
 
422
        a final trailing newline character should
 
423
        <emphasis>not</emphasis> be printed.
 
424
      </para>
 
425
      <para>
419
426
        The plugin will run in the initial RAM disk environment, so
420
427
        care must be taken not to depend on any files or running
421
428
        services not available there.
564
571
    </informalexample>
565
572
    <informalexample>
566
573
      <para>
567
 
        Run plugins from a different directory and add two
568
 
        options to the <citerefentry><refentrytitle
569
 
        >password-request</refentrytitle>
 
574
        Run plugins from a different directory, read a different
 
575
        configuration file, and add two options to the
 
576
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
570
577
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
571
578
      </para>
572
579
      <para>
573
580
 
574
581
<!-- do not wrap this line -->
575
 
<userinput>&COMMANDNAME;  --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt</userinput>
 
582
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
576
583
 
577
584
      </para>
578
585
    </informalexample>
586
593
      non-privileged.  This user and group is then what all plugins
587
594
      will be started as.  Therefore, the only way to run a plugin as
588
595
      a privileged user is to have the set-user-ID or set-group-ID bit
589
 
      set on the plugin executable files (see <citerefentry>
 
596
      set on the plugin executable file (see <citerefentry>
590
597
      <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
591
598
      </citerefentry>).
592
599
    </para>
620
627
      <manvolnum>8</manvolnum></citerefentry>,
621
628
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
622
629
      <manvolnum>8mandos</manvolnum></citerefentry>,
623
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
630
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
624
631
      <manvolnum>8mandos</manvolnum></citerefentry>
625
632
    </para>
626
633
  </refsect1>