/mandos/release : revision 24.1.80

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Björn Påhlsson
Date: 2008-09-02 10:40:22 UTC
mfrom: (139 mandos)
mto: (237.7.1 mandos) (24.1.154 mandos)
mto: This revision was merged to the branch mainline in revision 149.
Revision ID: belorn@braxen-20080902104022-5x39n4gmle0j15ws

merge

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2015-07-20">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

119

111

<arg><option>--plugin-dir=<replaceable

120

112

>DIRECTORY</replaceable></option></arg>

121

113

<sbr/>

122

<arg><option>--plugin-helper-dir=<replaceable

123

>DIRECTORY</replaceable></option></arg>

124

<sbr/>

125

114

<arg><option>--config-file=<replaceable

126

115

>FILE</replaceable></option></arg>

127

116

<sbr/>

151

140

<title>DESCRIPTION</title>

152

141

<para>

153

142

<command>&COMMANDNAME;</command> is a program which is meant to

154

be specified as a <quote>keyscript</quote> for the root disk in

155

<citerefentry><refentrytitle>crypttab</refentrytitle>

156

<manvolnum>5</manvolnum></citerefentry>. The aim of this

157

program is therefore to output a password, which then

158

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

159

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

160

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

161

150

</para>

162

151

<para>

163

152

This program is not meant to be invoked directly, but can be in

181

170

182

171

183

172

<term><option>--global-env

184

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

185

174

>value</replaceable></option></term>

186

<term><option>-G

187

<replaceable>ENV</replaceable><literal>=</literal><replaceable

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

188

177

>value</replaceable></option></term>

189

178

190

179

<para>

200

189

<replaceable>PLUGIN</replaceable><literal>:</literal

201

190

><replaceable>ENV</replaceable><literal>=</literal

202

191

><replaceable>value</replaceable></option></term>

203

<term><option>-E

192

<term><option>-f

204

193

<replaceable>PLUGIN</replaceable><literal>:</literal

205

194

><replaceable>ENV</replaceable><literal>=</literal

206

195

><replaceable>value</replaceable></option></term>

226

215

<replaceable>OPTIONS</replaceable> is a comma separated

227

216

list of options. This is not a very useful option, except

228

217

for specifying the <quote><option>--debug</option></quote>

229

option to all plugins.

218

for all plugins.

230

219

</para>

231

220

</listitem>

232

221

</varlistentry>

252

241

<option>--bar</option> with the option argument

253

242

<quote>baz</quote> is either

254

243

<userinput>--options-for=foo:--bar=baz</userinput> or

255

<userinput>--options-for=foo:--bar,baz</userinput>. Using

256

<userinput>--options-for="foo:--bar baz"</userinput>. will

257

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

258

247

</para>

259

248

</listitem>

260

249

</varlistentry>

261

250

262

251

263

252

<term><option>--disable

264

253

<replaceable>PLUGIN</replaceable></option></term>

269

258

Disable the plugin named

270

259

<replaceable>PLUGIN</replaceable>. The plugin will not be

271

260

started.

272

</para>

261

</para>

273

262

</listitem>

274

263

</varlistentry>

275

264

276

265

277

266

<term><option>--enable

278

267

<replaceable>PLUGIN</replaceable></option></term>

283

272

Re-enable the plugin named

284

273

<replaceable>PLUGIN</replaceable>. This is only useful to

285

274

undo a previous <option>--disable</option> option, maybe

286

from the configuration file.

275

from the config file.

287

276

</para>

288

277

</listitem>

289

278

</varlistentry>

290

279

291

280

292

281

<term><option>--groupid

293

282

300

289

</para>

301

290

</listitem>

302

291

</varlistentry>

303

292

304

293

305

294

<term><option>--userid

306

295

313

302

</para>

314

303

</listitem>

315

304

</varlistentry>

316

305

317

306

318

307

<term><option>--plugin-dir

319

308

<replaceable>DIRECTORY</replaceable></option></term>

328

317

</varlistentry>

329

318

330

319

331

<term><option>--plugin-helper-dir

332

<replaceable>DIRECTORY</replaceable></option></term>

333

334

<para>

335

Specify a different plugin helper directory. The default

336

is <filename>/lib/mandos/plugin-helpers</filename>, which

337

will exist in the initial <acronym>RAM</acronym> disk

338

environment. (This will simply be passed to all plugins

339

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

340

variable. See <xref linkend="writing_plugins"/>)

341

</para>

342

</listitem>

343

</varlistentry>

344

345

346

320

<term><option>--config-file

347

321

348

322

391

365

</para>

392

366

</listitem>

393

367

</varlistentry>

394

368

395

369

396

370

<term><option>--version</option></term>

397

371

403

377

</varlistentry>

404

378

</variablelist>

405

379

</refsect1>

406

380

407

381

408

382

<title>OVERVIEW</title>

409

383

<xi:include href="overview.xml"/>

429

403

code will make this plugin-runner output the password from that

430

404

plugin, stop any other plugins, and exit.

431

405

</para>

432

433

434

<title>WRITING PLUGINS</title>

435

<para>

436

A plugin is simply a program which prints a password to its

437

standard output and then exits with a successful (zero) exit

438

status. If the exit status is not zero, any output on

439

standard output will be ignored by the plugin runner. Any

440

output on its standard error channel will simply be passed to

441

the standard error of the plugin runner, usually the system

442

console.

443

</para>

444

<para>

445

If the password is a single-line, manually entered passprase,

446

a final trailing newline character should

447

<emphasis>not</emphasis> be printed.

448

</para>

449

<para>

450

The plugin will run in the initial RAM disk environment, so

451

care must be taken not to depend on any files or running

452

services not available there. Any helper executables required

453

by the plugin (which are not in the <envar>PATH</envar>) can

454

be placed in the plugin helper directory, the name of which

455

will be made available to the plugin via the

456

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

457

</para>

458

<para>

459

The plugin must exit cleanly and free all allocated resources

460

upon getting the TERM signal, since this is what the plugin

461

runner uses to stop all other plugins when one plugin has

462

output a password and exited cleanly.

463

</para>

464

<para>

465

The plugin must not use resources, like for instance reading

466

from the standard input, without knowing that no other plugin

467

is also using it.

468

</para>

469

<para>

470

It is useful, but not required, for the plugin to take the

471

<option>--debug</option> option.

472

</para>

473

</refsect2>

474

406

</refsect1>

475

407

476

408

502

434

only passes on its environment to all the plugins. The

503

435

environment passed to plugins can be modified using the

504

436

<option>--global-env</option> and <option>--env-for</option>

505

options. Also, the <option>--plugin-helper-dir</option> option

506

will affect the environment variable

507

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

437

optins.

508

438

</para>

509

439

</refsect1>

510

440

550

480

551

481

552

482

<para>

553

The <option>--config-file</option> option is ignored when

554

specified from within a configuration file.

555

483

</para>

556

484

</refsect1>

557

485

558

486

559

487

<title>EXAMPLE</title>

560

561

<para>

562

Normal invocation needs no options:

563

</para>

564

<para>

565

<userinput>&COMMANDNAME;</userinput>

566

</para>

567

</informalexample>

568

569

<para>

570

Run the program, but not the plugins, in debug mode:

571

</para>

572

<para>

573

574

575

<userinput>&COMMANDNAME; --debug</userinput>

576

577

</para>

578

</informalexample>

579

580

<para>

581

Run all plugins, but run the <quote>foo</quote> plugin in

582

debug mode:

583

</para>

584

<para>

585

586

587

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

588

589

</para>

590

</informalexample>

591

592

<para>

593

Run all plugins, but not the program, in debug mode:

594

</para>

595

<para>

596

597

598

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

599

600

</para>

601

</informalexample>

602

603

<para>

604

Read a different configuration file, run plugins from a

605

different directory, specify an alternate plugin helper

606

directory and add two options to the

607

<citerefentry><refentrytitle >mandos-client</refentrytitle>

608

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

609

</para>

610

<para>

611

612

613

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

614

615

</para>

616

</informalexample>

488

<para>

489

</para>

617

490

</refsect1>

491

618

492

619

493

<title>SECURITY</title>

620

494

<para>

621

This program will, when starting, try to switch to another user.

622

If it is started as root, it will succeed, and will by default

623

switch to user and group 65534, which are assumed to be

624

non-privileged. This user and group is then what all plugins

625

will be started as. Therefore, the only way to run a plugin as

626

a privileged user is to have the set-user-ID or set-group-ID bit

627

set on the plugin executable file (see <citerefentry>

628

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

629

</citerefentry>).

630

</para>

631

<para>

632

If this program is used as a keyscript in <citerefentry

633

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

634

</citerefentry>, there is a slight risk that if this program

635

fails to work, there might be no way to boot the system except

636

for booting from another media and editing the initial RAM disk

637

image to not run this program. This is, however, unlikely,

638

since the <citerefentry><refentrytitle

639

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

640

</citerefentry> plugin will read a password from the console in

641

case of failure of the other plugins, and this plugin runner

642

will also, in case of catastrophic failure, itself fall back to

643

asking and outputting a password on the console (see <xref

644

linkend="fallback"/>).

645

495

</para>

646

496

</refsect1>

647

497

648

498

649

499

650

500

<para>

651

<citerefentry><refentrytitle>intro</refentrytitle>

652

<manvolnum>8mandos</manvolnum></citerefentry>,

653

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

654

502

<manvolnum>8</manvolnum></citerefentry>,

655

<citerefentry><refentrytitle>crypttab</refentrytitle>

656

<manvolnum>5</manvolnum></citerefentry>,

657

<citerefentry><refentrytitle>execve</refentrytitle>

658

<manvolnum>2</manvolnum></citerefentry>,

659

503

<citerefentry><refentrytitle>mandos</refentrytitle>

660

504

<manvolnum>8</manvolnum></citerefentry>,

661

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

662

506

<manvolnum>8mandos</manvolnum></citerefentry>,

663

<citerefentry><refentrytitle>mandos-client</refentrytitle>

507

<citerefentry><refentrytitle>password-request</refentrytitle>

664

508

<manvolnum>8mandos</manvolnum></citerefentry>

665

509

</para>

666

510

</refsect1>

Older »