/mandos/trunk

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2019-07-26">

<!ENTITY % common SYSTEM "common.ent">

%common;

]>

<refentry xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>

    <title>Mandos Manual</title>

    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->

    <productname>Mandos</productname>

    <productnumber>&version;</productnumber>

    <date>&TIMESTAMP;</date>

    <authorgroup>

      <author>

	<firstname>Björn</firstname>

	<surname>Påhlsson</surname>

	<address>

	  <email>belorn@recompile.se</email>

	</address>

      </author>

      <author>

	<firstname>Teddy</firstname>

	<surname>Hogeborn</surname>

	<address>

	  <email>teddy@recompile.se</email>

	</address>

      </author>

    </authorgroup>

    <copyright>

      <year>2008</year>

      <year>2009</year>

      <year>2010</year>

      <year>2011</year>

      <year>2012</year>

      <year>2013</year>

      <year>2014</year>

      <year>2015</year>

      <year>2016</year>

      <year>2017</year>

      <year>2018</year>

      <year>2019</year>

      <holder>Teddy Hogeborn</holder>

      <holder>Björn Påhlsson</holder>

    </copyright>

    <xi:include href="legalnotice.xml"/>

  </refentryinfo>

  <refmeta>

    <refentrytitle>&COMMANDNAME;</refentrytitle>

    <manvolnum>8mandos</manvolnum>

  </refmeta>

  <refnamediv>

    <refname><command>&COMMANDNAME;</command></refname>

    <refpurpose>

      Run Mandos plugins, pass data from first to succeed.

    </refpurpose>

  </refnamediv>

  <refsynopsisdiv>

    <cmdsynopsis>

      <command>&COMMANDNAME;</command>

      <group rep="repeat">

	<arg choice="plain"><option>--global-env=<replaceable

	>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable></option></arg>

	<arg choice="plain"><option>-G

	<replaceable>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable> </option></arg>

      </group>

      <sbr/>

      <group rep="repeat">

	<arg choice="plain"><option>--env-for=<replaceable

	>PLUGIN</replaceable><literal>:</literal><replaceable

	>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable></option></arg>

	<arg choice="plain"><option>-E<replaceable>

	PLUGIN</replaceable><literal>:</literal><replaceable

	>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable> </option></arg>

      </group>

      <sbr/>

      <group rep="repeat">

	<arg choice="plain"><option>--global-options=<replaceable

	>OPTIONS</replaceable></option></arg>

	<arg choice="plain"><option>-g<replaceable>

	OPTIONS</replaceable> </option></arg>

      </group>

      <sbr/>

      <group rep="repeat">

	<arg choice="plain"><option>--options-for=<replaceable

	>PLUGIN</replaceable><literal>:</literal><replaceable

	>OPTIONS</replaceable></option></arg>

	<arg choice="plain"><option>-o<replaceable>

	PLUGIN</replaceable><literal>:</literal><replaceable

	>OPTIONS</replaceable> </option></arg>

      </group>

      <sbr/>

      <group rep="repeat">

	<arg choice="plain"><option>--disable=<replaceable

	>PLUGIN</replaceable></option></arg>

	<arg choice="plain"><option>-d

	<replaceable>PLUGIN</replaceable> </option></arg>

      </group>

      <sbr/>

      <group rep="repeat">

	<arg choice="plain"><option>--enable=<replaceable

	>PLUGIN</replaceable></option></arg>

	<arg choice="plain"><option>-e

	<replaceable>PLUGIN</replaceable> </option></arg>

      </group>

      <sbr/>

      <arg><option>--groupid=<replaceable

      >ID</replaceable></option></arg>

      <sbr/>

      <arg><option>--userid=<replaceable

      >ID</replaceable></option></arg>

      <sbr/>

      <arg><option>--plugin-dir=<replaceable

      >DIRECTORY</replaceable></option></arg>

      <sbr/>

      <arg><option>--plugin-helper-dir=<replaceable

      >DIRECTORY</replaceable></option></arg>

      <sbr/>

      <arg><option>--config-file=<replaceable

      >FILE</replaceable></option></arg>

      <sbr/>

      <arg><option>--debug</option></arg>

    </cmdsynopsis>

    <cmdsynopsis>

      <command>&COMMANDNAME;</command>

      <group choice="req">

	<arg choice="plain"><option>--help</option></arg>

	<arg choice="plain"><option>-?</option></arg>

      </group>

    </cmdsynopsis>

    <cmdsynopsis>

      <command>&COMMANDNAME;</command>

      <arg choice="plain"><option>--usage</option></arg>

    </cmdsynopsis>

    <cmdsynopsis>

      <command>&COMMANDNAME;</command>

      <group choice="req">

	<arg choice="plain"><option>--version</option></arg>

	<arg choice="plain"><option>-V</option></arg>

      </group>

    </cmdsynopsis>

  </refsynopsisdiv>

  <refsect1 id="description">

    <title>DESCRIPTION</title>

    <para>

      <command>&COMMANDNAME;</command> is a program which is meant to

      be specified as a <quote>keyscript</quote> for the root disk in

      <citerefentry><refentrytitle>crypttab</refentrytitle>

      <manvolnum>5</manvolnum></citerefentry>.  The aim of this

      program is therefore to output a password, which then

      <citerefentry><refentrytitle>cryptsetup</refentrytitle>

      <manvolnum>8</manvolnum></citerefentry> will use to unlock the

      root disk.

    </para>

    <para>

      This program is not meant to be invoked directly, but can be in

      order to test it.  Note that any password obtained will simply

      be output on standard output.

    </para>

  </refsect1>

  <refsect1 id="purpose">

    <title>PURPOSE</title>

    <para>

      The purpose of this is to enable <emphasis>remote and unattended

      rebooting</emphasis> of client host computer with an

      <emphasis>encrypted root file system</emphasis>.  See <xref

      linkend="overview"/> for details.

    </para>

  </refsect1>

  <refsect1>

    <title>OPTIONS</title>

    <variablelist>

      <varlistentry>

	<term><option>--global-env

	<replaceable>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable></option></term>

	<term><option>-G

	<replaceable>ENV</replaceable><literal>=</literal><replaceable

	>value</replaceable></option></term>

	<listitem>

	  <para>

	    This option will add an environment variable setting to

	    all plugins.  This will override any inherited environment

	    variable.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--env-for

	<replaceable>PLUGIN</replaceable><literal>:</literal

	><replaceable>ENV</replaceable><literal>=</literal

	><replaceable>value</replaceable></option></term>

	<term><option>-E

	<replaceable>PLUGIN</replaceable><literal>:</literal

	><replaceable>ENV</replaceable><literal>=</literal

	><replaceable>value</replaceable></option></term>

	<listitem>

	  <para>

	    This option will add an environment variable setting to

	    the <replaceable>PLUGIN</replaceable> plugin.  This will

	    override any inherited environment variables or

	    environment variables specified using

	    <option>--global-env</option>.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--global-options

	<replaceable>OPTIONS</replaceable></option></term>

	<term><option>-g

	<replaceable>OPTIONS</replaceable></option></term>

	<listitem>

	  <para>

	    Pass some options to <emphasis>all</emphasis> plugins.

	    <replaceable>OPTIONS</replaceable> is a comma separated

	    list of options.  This is not a very useful option, except

	    for specifying the <quote><option>--debug</option></quote>

	    option to all plugins.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--options-for

	<replaceable>PLUGIN</replaceable><literal>:</literal

	><replaceable>OPTION</replaceable></option></term>

	<term><option>-o

	<replaceable>PLUGIN</replaceable><literal>:</literal

	><replaceable>OPTION</replaceable></option></term>

	<listitem>

	  <para>

	    Pass some options to a specific plugin.  <replaceable

	    >PLUGIN</replaceable> is the name (file basename) of a

	    plugin, and <replaceable>OPTIONS</replaceable> is a comma

	    separated list of options.

	  </para>

	  <para>

	    Note that since options are not split on whitespace, the

	    way to pass, to the plugin

	    <quote><filename>foo</filename></quote>, the option

	    <option>--bar</option> with the option argument

	    <quote>baz</quote> is either

	    <userinput>--options-for=foo:--bar=baz</userinput> or

	    <userinput>--options-for=foo:--bar,baz</userinput>.  Using

	    <userinput>--options-for="foo:--bar baz"</userinput>. will

	    <emphasis>not</emphasis> work.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--disable

	<replaceable>PLUGIN</replaceable></option></term>

	<term><option>-d

	<replaceable>PLUGIN</replaceable></option></term>

	<listitem>

	  <para>

	    Disable the plugin named

	    <replaceable>PLUGIN</replaceable>.  The plugin will not be

	    started.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--enable

	<replaceable>PLUGIN</replaceable></option></term>

	<term><option>-e

	<replaceable>PLUGIN</replaceable></option></term>

	<listitem>

	  <para>

	    Re-enable the plugin named

	    <replaceable>PLUGIN</replaceable>.  This is only useful to

	    undo a previous <option>--disable</option> option, maybe

	    from the configuration file.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--groupid

	<replaceable>ID</replaceable></option></term>

	<listitem>

	  <para>

	    Change to group ID <replaceable>ID</replaceable> on

	    startup.  The default is 65534.  All plugins will be

	    started using this group ID.  <emphasis>Note:</emphasis>

	    This must be a number, not a name.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--userid

	<replaceable>ID</replaceable></option></term>

	<listitem>

	  <para>

	    Change to user ID <replaceable>ID</replaceable> on

	    startup.  The default is 65534.  All plugins will be

	    started using this user ID.  <emphasis>Note:</emphasis>

	    This must be a number, not a name.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--plugin-dir

	<replaceable>DIRECTORY</replaceable></option></term>

	<listitem>

	  <para>

	    Specify a different plugin directory.  The default is

	    <filename>/lib/mandos/plugins.d</filename>, which will

	    exist in the initial <acronym>RAM</acronym> disk

	    environment.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--plugin-helper-dir

	<replaceable>DIRECTORY</replaceable></option></term>

	<listitem>

	  <para>

	    Specify a different plugin helper directory.  The default

	    is <filename>/lib/mandos/plugin-helpers</filename>, which

	    will exist in the initial <acronym>RAM</acronym> disk

	    environment.  (This will simply be passed to all plugins

	    via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

	    variable.  See <xref linkend="writing_plugins"/>)

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--config-file

	<replaceable>FILE</replaceable></option></term>

	<listitem>

	  <para>

	    Specify a different file to read additional options from.

	    See <xref linkend="files"/>.  Other command line options

	    will override options specified in the file.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--debug</option></term>

	<listitem>

	  <para>

	    Enable debug mode.  This will enable a lot of output to

	    standard error about what the program is doing.  The

	    program will still perform all other functions normally.

	    The default is to <emphasis>not</emphasis> run in debug

	    mode.

	  </para>

	  <para>

	    The plugins will <emphasis>not</emphasis> be affected by

	    this option.  Use

	    <userinput><option>--global-options=--debug</option></userinput>

	    if complete debugging eruption is desired.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--help</option></term>

	<term><option>-?</option></term>

	<listitem>

	  <para>

	    Gives a help message about options and their meanings.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--usage</option></term>

	<listitem>

	  <para>

	    Gives a short usage message.

	  </para>

	</listitem>

      </varlistentry>

      <varlistentry>

	<term><option>--version</option></term>

	<term><option>-V</option></term>

	<listitem>

	  <para>

	    Prints the program version.

	  </para>

	</listitem>

      </varlistentry>

    </variablelist>

  </refsect1>

  <refsect1 id="overview">

    <title>OVERVIEW</title>

    <xi:include href="overview.xml"/>

    <para>

      This program will run on the client side in the initial

      <acronym>RAM</acronym> disk environment, and is responsible for

      getting a password.  It does this by running plugins, one of

      which will normally be the actual client program communicating

      with the server.

    </para>

  </refsect1>

  <refsect1 id="plugins">

    <title>PLUGINS</title>

    <para>

      This program will get a password by running a number of

      <firstterm>plugins</firstterm>, which are simply executable

      programs in a directory in the initial <acronym>RAM</acronym>

      disk environment.  The default directory is

      <filename>/lib/mandos/plugins.d</filename>, but this can be

      changed with the <option>--plugin-dir</option> option.  The

      plugins are started in parallel, and the first plugin to output

      a password <emphasis>and</emphasis> exit with a successful exit

      code will make this plugin-runner output the password from that

      plugin, stop any other plugins, and exit.

    </para>

    <refsect2 id="writing_plugins">

      <title>WRITING PLUGINS</title>

      <para>

	A plugin is simply a program which prints a password to its

	standard output and then exits with a successful (zero) exit

	status.  If the exit status is not zero, any output on

	standard output will be ignored by the plugin runner.  Any

	output on its standard error channel will simply be passed to

	the standard error of the plugin runner, usually the system

	console.

      </para>

      <para>

	If the password is a single-line, manually entered passprase,

	a final trailing newline character should

	<emphasis>not</emphasis> be printed.

      </para>

      <para>

	The plugin will run in the initial RAM disk environment, so

	care must be taken not to depend on any files or running

	services not available there.  Any helper executables required

	by the plugin (which are not in the <envar>PATH</envar>) can

	be placed in the plugin helper directory, the name of which

	will be made available to the plugin via the

	<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

      </para>

      <para>

	The plugin must exit cleanly and free all allocated resources

	upon getting the TERM signal, since this is what the plugin

	runner uses to stop all other plugins when one plugin has

	output a password and exited cleanly.

      </para>

      <para>

	The plugin must not use resources, like for instance reading

	from the standard input, without knowing that no other plugin

	is also using it.

      </para>

      <para>

	It is useful, but not required, for the plugin to take the

	<option>--debug</option> option.

      </para>

    </refsect2>

  </refsect1>

  <refsect1 id="fallback">

    <title>FALLBACK</title>

    <para>

      If no plugins succeed, this program will, as a fallback, ask for

      a password on the console using <citerefentry><refentrytitle

      >getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>,

      and output it.  This is not meant to be the normal mode of

      operation, as there is a separate plugin for getting a password

      from the console.

    </para>

  </refsect1>

  <refsect1 id="exit_status">

    <title>EXIT STATUS</title>

    <para>

      Exit status of this program is zero if no errors were

      encountered, and otherwise not.  The fallback (see <xref

      linkend="fallback"/>) may or may not have succeeded in either

      case.

    </para>

  </refsect1>

  <refsect1 id="environment">

    <title>ENVIRONMENT</title>

    <para>

      This program does not use any environment variables itself, it

      only passes on its environment to all the plugins.  The

      environment passed to plugins can be modified using the

      <option>--global-env</option> and <option>--env-for</option>

      options.  Also, the <option>--plugin-helper-dir</option> option

      will affect the environment variable

      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

    </para>

  </refsect1>

  <refsect1 id="files">

    <title>FILES</title>

    <para>

      <variablelist>

	<varlistentry>

	  <term><filename

	  >/conf/conf.d/mandos/plugin-runner.conf</filename></term>

	  <listitem>

	    <para>

	      Since this program will be run as a keyscript, there is

	      little to no opportunity to pass command line arguments

	      to it.  Therefore, it will <emphasis>also</emphasis>

	      read this file and use its contents as

	      whitespace-separated command line options.  Also,

	      everything from a <quote>#</quote> character to the end

	      of a line is ignored.

	    </para>

	    <para>

	      This program is meant to run in the initial RAM disk

	      environment, so that is where this file is assumed to

	      exist.  The file does not need to exist in the normal

	      file system.

	    </para>

	    <para>

	      This file will be processed <emphasis>before</emphasis>

	      the normal command line options, so the latter can

	      override the former, if need be.

	    </para>

	    <para>

	      This file name is the default; the file to read for

	      arguments can be changed using the

	      <option>--config-file</option> option.

	    </para>

	  </listitem>

	</varlistentry>

	<varlistentry>

	  <term><filename class="directory"

	  >/lib/mandos/plugins.d</filename></term>

	  <listitem>

	    <para>

	      The default plugin directory; can be changed by the

	      <option>--plugin-dir</option> option.

	    </para>

	  </listitem>

	</varlistentry>

	<varlistentry>

	  <term><filename class="directory"

	  >/lib/mandos/plugin-helpers</filename></term>

	  <listitem>

	    <para>

	      The default plugin helper directory; can be changed by

	      the <option>--plugin-helper-dir</option> option.

	    </para>

	  </listitem>

	</varlistentry>

      </variablelist>

    </para>

  </refsect1>

  <refsect1 id="bugs">

    <title>BUGS</title>

    <para>

      The <option>--config-file</option> option is ignored when

      specified from within a configuration file.

    </para>

    <xi:include href="bugs.xml"/>

  </refsect1>

  <refsect1 id="examples">

    <title>EXAMPLE</title>

    <informalexample>

      <para>

	Normal invocation needs no options:

      </para>

      <para>

	<userinput>&COMMANDNAME;</userinput>

      </para>

    </informalexample>

    <informalexample>

      <para>

	Run the program, but not the plugins, in debug mode:

      </para>

      <para>

	<!-- do not wrap this line -->

	<userinput>&COMMANDNAME; --debug</userinput>

      </para>

    </informalexample>

    <informalexample>

      <para>

	Run all plugins, but run the <quote>foo</quote> plugin in

	debug mode:

      </para>

      <para>

	<!-- do not wrap this line -->

	<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

      </para>

    </informalexample>

    <informalexample>

      <para>

	Run all plugins, but not the program, in debug mode:

      </para>

      <para>

	<!-- do not wrap this line -->

	<userinput>&COMMANDNAME; --global-options=--debug</userinput>

      </para>

    </informalexample>

    <informalexample>

      <para>

	Read a different configuration file, run plugins from a

	different directory, specify an alternate plugin helper

	directory and add four options to the

	<citerefentry><refentrytitle >mandos-client</refentrytitle>

	<manvolnum>8mandos</manvolnum></citerefentry> plugin:

      </para>

      <para>

<!-- do not wrap this line -->

<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,&#x200b;--seckey=seckey.txt,&#x200b;--tls-pubkey=tls-pubkey.pem,&#x200b;--tls-privkey=tls-privkey.pem</userinput>

      </para>

    </informalexample>

  </refsect1>

  <refsect1 id="security">

    <title>SECURITY</title>

    <para>

      This program will, when starting, try to switch to another user.

      If it is started as root, it will succeed, and will by default

      switch to user and group 65534, which are assumed to be

      non-privileged.  This user and group is then what all plugins

      will be started as.  Therefore, the only way to run a plugin as

      a privileged user is to have the set-user-ID or set-group-ID bit

      set on the plugin executable file (see <citerefentry>

      <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

      </citerefentry>).

    </para>

    <para>

      If this program is used as a keyscript in <citerefentry

      ><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

      </citerefentry>, there is a slight risk that if this program

      fails to work, there might be no way to boot the system except

      for booting from another media and editing the initial RAM disk

      image to not run this program.  This is, however, unlikely,

      since the <citerefentry><refentrytitle

      >password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

      </citerefentry> plugin will read a password from the console in

      case of failure of the other plugins, and this plugin runner

      will also, in case of catastrophic failure, itself fall back to

      asking and outputting a password on the console (see <xref

      linkend="fallback"/>).

    </para>

  </refsect1>

  <refsect1 id="see_also">

    <title>SEE ALSO</title>

    <para>

      <citerefentry><refentrytitle>intro</refentrytitle>

      <manvolnum>8mandos</manvolnum></citerefentry>,

      <citerefentry><refentrytitle>cryptsetup</refentrytitle>

      <manvolnum>8</manvolnum></citerefentry>,

      <citerefentry><refentrytitle>crypttab</refentrytitle>

      <manvolnum>5</manvolnum></citerefentry>,

      <citerefentry><refentrytitle>execve</refentrytitle>