/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugins.d/mandos-client.xml

* plugins.d/mandos-client.c (main): Do not even try to work around
                                    Debian bug 633582 if --seckey or
                                    --pubkey specifies a different
                                    directory.  Bug fix: Remove all
                                    files in GPG temporary directory.

Show diffs side-by-side

added added

removed removed

Lines of Context:
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "mandos-client">
5
 
<!ENTITY TIMESTAMP "2012-01-01">
 
5
<!ENTITY TIMESTAMP "2010-09-26">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@recompile.se</email>
 
22
          <email>belorn@fukt.bsnet.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@recompile.se</email>
 
29
          <email>teddy@fukt.bsnet.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
35
35
      <year>2009</year>
36
 
      <year>2012</year>
37
36
      <holder>Teddy Hogeborn</holder>
38
37
      <holder>Björn Påhlsson</holder>
39
38
    </copyright>
102
101
      </arg>
103
102
      <sbr/>
104
103
      <arg>
105
 
        <option>--network-hook-dir
106
 
        <replaceable>DIR</replaceable></option>
107
 
      </arg>
108
 
      <sbr/>
109
 
      <arg>
110
104
        <option>--debug</option>
111
105
      </arg>
112
106
    </cmdsynopsis>
148
142
      will wait indefinitely for new servers to appear.
149
143
    </para>
150
144
    <para>
151
 
      The network interface is selected like this: If an interface is
152
 
      specified using the <option>--interface</option> option, that
153
 
      interface is used.  Otherwise, <command>&COMMANDNAME;</command>
154
 
      will choose any interface that is up and running and is not a
155
 
      loopback interface, is not a point-to-point interface, is
156
 
      capable of broadcasting and does not have the NOARP flag (see
157
 
      <citerefentry><refentrytitle>netdevice</refentrytitle>
158
 
      <manvolnum>7</manvolnum></citerefentry>).  (If the
159
 
      <option>--connect</option> option is used, point-to-point
160
 
      interfaces and non-broadcast interfaces are accepted.)  If no
161
 
      acceptable interfaces are found, re-run the check but without
162
 
      the <quote>up and running</quote> requirement, and manually take
163
 
      the selected interface up (and later take it down on program
164
 
      exit).
165
 
    </para>
166
 
    <para>
167
 
      Before a network interface is selected, all <quote>network
168
 
      hooks</quote> are run; see <xref linkend="network-hooks"/>.
169
 
    </para>
170
 
    <para>
171
145
      This program is not meant to be run directly; it is really meant
172
146
      to run as a plugin of the <application>Mandos</application>
173
147
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
248
222
            can not be a pseudo-interface such as <quote>br0</quote>
249
223
            or <quote>tun0</quote>; such interfaces will not exist
250
224
            until much later in the boot process, and can not be used
251
 
            by this program, unless created by a <quote>network
252
 
            hook</quote> — see <xref linkend="network-hooks"/>.
 
225
            by this program.
253
226
          </para>
254
227
          <para>
255
228
            <replaceable>NAME</replaceable> can be the string
337
310
          </para>
338
311
        </listitem>
339
312
      </varlistentry>
340
 
 
341
 
      <varlistentry>
342
 
        <term><option>--network-hook-dir=<replaceable
343
 
        >DIR</replaceable></option></term>
344
 
        <listitem>
345
 
          <para>
346
 
            Network hook directory.  The default directory is
347
 
            <quote><filename class="directory"
348
 
            >/lib/mandos/network-hooks.d</filename></quote>.
349
 
          </para>
350
 
        </listitem>
351
 
      </varlistentry>
352
313
      
353
314
      <varlistentry>
354
315
        <term><option>--debug</option></term>
415
376
      <refentrytitle>plugin-runner</refentrytitle>
416
377
      <manvolnum>8mandos</manvolnum></citerefentry>) is used to run
417
378
      both this program and others in in parallel,
418
 
      <emphasis>one</emphasis> of which (<citerefentry>
419
 
      <refentrytitle>password-prompt</refentrytitle>
420
 
      <manvolnum>8mandos</manvolnum></citerefentry>) will prompt for
421
 
      passwords on the system console.
 
379
      <emphasis>one</emphasis> of which will prompt for passwords on
 
380
      the system console.
422
381
    </para>
423
382
  </refsect1>
424
383
  
445
404
    </para>
446
405
  </refsect1>
447
406
  
448
 
  <refsect1 id="network-hooks">
449
 
    <title>NETWORK HOOKS</title>
450
 
    <para>
451
 
      If a network interface like a bridge or tunnel is required to
452
 
      find a Mandos server, this requires the interface to be up and
453
 
      running before <command>&COMMANDNAME;</command> starts looking
454
 
      for Mandos servers.  This can be accomplished by creating a
455
 
      <quote>network hook</quote> program, and placing it in a special
456
 
      directory.
457
 
    </para>
458
 
    <para>
459
 
      Before the network is used (and again before program exit), any
460
 
      runnable programs found in the network hook directory are run
461
 
      with the argument <quote><literal>start</literal></quote> or
462
 
      <quote><literal>stop</literal></quote>.  This should bring up or
463
 
      down, respectively, any network interface which
464
 
      <command>&COMMANDNAME;</command> should use.
465
 
    </para>
466
 
    <refsect2 id="hook-requirements">
467
 
      <title>REQUIREMENTS</title>
468
 
      <para>
469
 
        A network hook must be an executable file, and its name must
470
 
        consist entirely of upper and lower case letters, digits,
471
 
        underscores, periods, and hyphens.
472
 
      </para>
473
 
      <para>
474
 
        A network hook will receive one argument, which can be one of
475
 
        the following:
476
 
      </para>
477
 
      <variablelist>
478
 
        <varlistentry>
479
 
          <term><literal>start</literal></term>
480
 
          <listitem>
481
 
            <para>
482
 
              This should make the network hook create (if necessary)
483
 
              and bring up a network interface.
484
 
            </para>
485
 
          </listitem>
486
 
        </varlistentry>
487
 
        <varlistentry>
488
 
          <term><literal>stop</literal></term>
489
 
          <listitem>
490
 
            <para>
491
 
              This should make the network hook take down a network
492
 
              interface, and delete it if it did not exist previously.
493
 
            </para>
494
 
          </listitem>
495
 
        </varlistentry>
496
 
        <varlistentry>
497
 
          <term><literal>files</literal></term>
498
 
          <listitem>
499
 
            <para>
500
 
              This should make the network hook print, <emphasis>one
501
 
              file per line</emphasis>, all the files needed for it to
502
 
              run.  (These files will be copied into the initial RAM
503
 
              filesystem.)  Typical use is for a network hook which is
504
 
              a shell script to print its needed binaries.
505
 
            </para>
506
 
            <para>
507
 
              It is not necessary to print any non-executable files
508
 
              already in the network hook directory, these will be
509
 
              copied implicitly if they otherwise satisfy the name
510
 
              requirement.
511
 
            </para>
512
 
          </listitem>
513
 
        </varlistentry>
514
 
        <varlistentry>
515
 
          <term><literal>modules</literal></term>
516
 
          <listitem>
517
 
            <para>
518
 
              This should make the network hook print, <emphasis>on
519
 
              separate lines</emphasis>, all the kernel modules needed
520
 
              for it to run.  (These modules will be copied into the
521
 
              initial RAM filesystem.)  For instance, a tunnel
522
 
              interface needs the
523
 
              <quote><literal>tun</literal></quote> module.
524
 
            </para>
525
 
          </listitem>
526
 
        </varlistentry>
527
 
      </variablelist>
528
 
      <para>
529
 
        The network hook will be provided with a number of environment
530
 
        variables:
531
 
      </para>
532
 
      <variablelist>
533
 
        <varlistentry>
534
 
          <term><envar>MANDOSNETHOOKDIR</envar></term>
535
 
          <listitem>
536
 
            <para>
537
 
              The network hook directory, specified to
538
 
              <command>&COMMANDNAME;</command> by the
539
 
              <option>--network-hook-dir</option> option.  Note: this
540
 
              should <emphasis>always</emphasis> be used by the
541
 
              network hook to refer to itself or any files in the hook
542
 
              directory it may require.
543
 
            </para>
544
 
          </listitem>
545
 
        </varlistentry>
546
 
        <varlistentry>
547
 
          <term><envar>DEVICE</envar></term>
548
 
          <listitem>
549
 
            <para>
550
 
              The network interface, as specified to
551
 
              <command>&COMMANDNAME;</command> by the
552
 
              <option>--interface</option> option.  If this is not the
553
 
              interface a hook will bring up, there is no reason for a
554
 
              hook to continue.
555
 
            </para>
556
 
          </listitem>
557
 
        </varlistentry>
558
 
        <varlistentry>
559
 
          <term><envar>MODE</envar></term>
560
 
          <listitem>
561
 
            <para>
562
 
              This will be the same as the first argument;
563
 
              i.e. <quote><literal>start</literal></quote>,
564
 
              <quote><literal>stop</literal></quote>,
565
 
              <quote><literal>files</literal></quote>, or
566
 
              <quote><literal>modules</literal></quote>.
567
 
            </para>
568
 
          </listitem>
569
 
        </varlistentry>
570
 
        <varlistentry>
571
 
          <term><envar>VERBOSITY</envar></term>
572
 
          <listitem>
573
 
            <para>
574
 
              This will be the <quote><literal>1</literal></quote> if
575
 
              the <option>--debug</option> option is passed to
576
 
              <command>&COMMANDNAME;</command>, otherwise
577
 
              <quote><literal>0</literal></quote>.
578
 
            </para>
579
 
          </listitem>
580
 
        </varlistentry>
581
 
        <varlistentry>
582
 
          <term><envar>DELAY</envar></term>
583
 
          <listitem>
584
 
            <para>
585
 
              This will be the same as the <option>--delay</option>
586
 
              option passed to <command>&COMMANDNAME;</command>.  Is
587
 
              only set if <envar>MODE</envar> is
588
 
              <quote><literal>start</literal></quote> or
589
 
              <quote><literal>stop</literal></quote>.
590
 
            </para>
591
 
          </listitem>
592
 
        </varlistentry>
593
 
        <varlistentry>
594
 
          <term><envar>CONNECT</envar></term>
595
 
          <listitem>
596
 
            <para>
597
 
              This will be the same as the <option>--connect</option>
598
 
              option passed to <command>&COMMANDNAME;</command>.  Is
599
 
              only set if <option>--connect</option> is passed and
600
 
              <envar>MODE</envar> is
601
 
              <quote><literal>start</literal></quote> or
602
 
              <quote><literal>stop</literal></quote>.
603
 
            </para>
604
 
          </listitem>
605
 
        </varlistentry>
606
 
      </variablelist>
607
 
      <para>
608
 
        A hook may not read from standard input, and should be
609
 
        restrictive in printing to standard output or standard error
610
 
        unless <varname>VERBOSITY</varname> is
611
 
        <quote><literal>1</literal></quote>.
612
 
      </para>
613
 
    </refsect2>
614
 
  </refsect1>
615
 
  
616
407
  <refsect1 id="files">
617
408
    <title>FILES</title>
618
409
    <variablelist>
630
421
          </para>
631
422
        </listitem>
632
423
      </varlistentry>
633
 
      <varlistentry>
634
 
        <term><filename
635
 
        class="directory">/lib/mandos/network-hooks.d</filename></term>
636
 
        <listitem>
637
 
          <para>
638
 
            Directory where network hooks are located.  Change this
639
 
            with the <option>--network-hook-dir</option> option.  See
640
 
            <xref linkend="network-hooks"/>.
641
 
          </para>
642
 
        </listitem>
643
 
      </varlistentry>
644
424
    </variablelist>
645
425
  </refsect1>
646
426
  
755
535
  <refsect1 id="see_also">
756
536
    <title>SEE ALSO</title>
757
537
    <para>
758
 
      <citerefentry><refentrytitle>intro</refentrytitle>
759
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
760
538
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
761
539
      <manvolnum>8</manvolnum></citerefentry>,
762
540
      <citerefentry><refentrytitle>crypttab</refentrytitle>