/mandos/trunk : revision 1120

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/splashy.xml

Committer: Teddy Hogeborn
Date: 2019-07-18 00:02:43 UTC
Revision ID: teddy@recompile.se-20190718000243-okz4s9xao1r1tfnx

Document bug in mandos-keygen which strips white space from passwords

Passwords, as read by mandos-keygen when given the --password or -p
options, are stripped of white space from the start and from the end
of the password.  This is because mandos-keygen is a shell script, and
the Bourne Shell "read" builtin does not seem to have a way to avoid
this.  Document this bug.

* manods-keygen.xml (OPTIONS): Document the white space-stripping
                               nature of the --password/-p option, and
                               also note in the description of
                               --passfile and -F that they avoid this
                               behavior.
  (BUGS): Again mention the problem with the --password and -p
          options, and suggest --passfile as a possible workaround.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos-client.templates

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/mandos.templates

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/tests

debian/tests/control

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-conf

initramfs-tools-conf-hook

initramfs-tools-hook

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/splashy.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "splashy">

<!ENTITY TIMESTAMP "2019-02-10">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Mandos plugin to use splashy to get a

password.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

This program prompts for a password using <citerefentry>

<refentrytitle>splashy_update</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> and outputs any given

password to standard output. If no <citerefentry><refentrytitle

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

process can be found, this program will immediately exit with an

exit code indicating failure.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

If this program is killed (presumably by

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

<manvolnum>8mandos</manvolnum></citerefentry> because some other

plugin provided the password), it cannot tell <citerefentry>

<refentrytitle>splashy</refentrytitle><manvolnum>8</manvolnum>

</citerefentry> to abort requesting a password, because

<citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> does not support this.

Therefore, this program will then <emphasis>kill</emphasis> the

running <citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> process and start a

<emphasis>new</emphasis> one, using <quote><literal

100

>boot</literal></quote> as the only argument.

101

</para>

102

</refsect1>

103

104

105

<title>OPTIONS</title>

106

<para>

107

This program takes no options.

108

</para>

109

</refsect1>

110

111

112

<title>EXIT STATUS</title>

113

<para>

114

If exit status is 0, the output from the program is the password

115

as it was read. Otherwise, if exit status is other than 0, the

116

program was interrupted or encountered an error, and any output

117

so far could be corrupt and/or truncated, and should therefore

118

be ignored.

119

</para>

120

</refsect1>

121

122

123

<title>ENVIRONMENT</title>

124

125

126

<term><envar>cryptsource</envar></term>

127

<term><envar>crypttarget</envar></term>

128

129

<para>

130

If set, these environment variables will be assumed to

131

contain the source device name and the target device

132

mapper name, respectively, and will be shown as part of

133

the prompt.

134

</para>

135

<para>

136

These variables will normally be inherited from

137

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

138

<manvolnum>8mandos</manvolnum></citerefentry>, which will

139

normally have inherited them from

140

<filename>/scripts/local-top/cryptroot</filename> in the

141

initial <acronym>RAM</acronym> disk environment, which will

142

have set them from parsing kernel arguments and

143

<filename>/conf/conf.d/cryptroot</filename> (also in the

144

initial RAM disk environment), which in turn will have been

145

created when the initial RAM disk image was created by

146

<filename

147

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

148

extracting the information of the root file system from

149

<filename >/etc/crypttab</filename>.

150

</para>

151

<para>

152

This behavior is meant to exactly mirror the behavior of

153

<command>askpass</command>, the default password prompter.

154

</para>

155

</listitem>

156

</varlistentry>

157

</variablelist>

158

</refsect1>

159

160

161

<title>FILES</title>

162

163

164

<term><filename>/sbin/splashy_update</filename></term>

165

166

<para>

167

This is the command run to retrieve a password from

168

<citerefentry><refentrytitle>splashy</refentrytitle>

169

<manvolnum>8</manvolnum></citerefentry>. See

170

<citerefentry><refentrytitle

171

>splashy_update</refentrytitle><manvolnum>8</manvolnum>

172

</citerefentry>.

173

</para>

174

</listitem>

175

</varlistentry>

176

177

178

179

<para>

180

To find the running <citerefentry><refentrytitle

181

>splashy</refentrytitle><manvolnum>8</manvolnum>

182

</citerefentry>, this directory will be searched for

183

numeric entries which will be assumed to be directories.

184

In all those directories, the <filename>exe</filename>

185

entry will be used to determine the name of the running

186

binary and the effective user and group

187

<abbrev>ID</abbrev> of the process. See <citerefentry>

188

<refentrytitle>proc</refentrytitle><manvolnum

189

>5</manvolnum></citerefentry>.

190

</para>

191

</listitem>

192

</varlistentry>

193

194

<term><filename>/sbin/splashy</filename></term>

195

196

<para>

197

This is the name of the binary which will be searched for

198

in the process list. See <citerefentry><refentrytitle

199

>splashy</refentrytitle><manvolnum>8</manvolnum>

200

</citerefentry>.

201

</para>

202

</listitem>

203

</varlistentry>

204

</variablelist>

205

</refsect1>

206

207

208

209

<para>

210

Killing <citerefentry><refentrytitle>splashy</refentrytitle>

211

<manvolnum>8</manvolnum></citerefentry> and starting a new one

212

is ugly, but necessary as long as it does not support aborting a

213

password request.

214

</para>

215

<xi:include href="../bugs.xml"/>

216

</refsect1>

217

218

219

<title>EXAMPLE</title>

220

<para>

221

Note that normally, this program will not be invoked directly,

222

but instead started by the Mandos <citerefentry><refentrytitle

223

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

224

</citerefentry>.

225

</para>

226

227

<para>

228

This program takes no options.

229

</para>

230

<para>

231

<userinput>&COMMANDNAME;</userinput>

232

</para>

233

</informalexample>

234

</refsect1>

235

236

237

<title>SECURITY</title>

238

<para>

239

If this program is killed by a signal, it will kill the process

240

<abbrev>ID</abbrev> which at the start of this program was

241

determined to run <citerefentry><refentrytitle

242

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

243

as root (see also <xref linkend="files"/>). There is a very

244

slight risk that, in the time between those events, that process

245

<abbrev>ID</abbrev> was freed and then taken up by another

246

process; the wrong process would then be killed. Now, this

247

program can only be killed by the user who started it; see

248

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

249

<manvolnum>8mandos</manvolnum></citerefentry>. This program

250

should therefore be started by a completely separate

251

non-privileged user, and no other programs should be allowed to

252

run as that special user. This means that it is not recommended

253

to use the user "nobody" to start this program, as other

254

possibly less trusted programs could be running as "nobody", and

255

they would then be able to kill this program, triggering the

256

killing of the process <abbrev>ID</abbrev> which may or may not

257

be <citerefentry><refentrytitle>splashy</refentrytitle>

258

<manvolnum>8</manvolnum></citerefentry>.

259

</para>

260

<para>

261

The only other thing that could be considered worthy of note is

262

this: This program is meant to be run by <citerefentry>

263

<refentrytitle>plugin-runner</refentrytitle><manvolnum

264

>8mandos</manvolnum></citerefentry>, and will, when run

265

standalone, outside, in a normal environment, immediately output

266

on its standard output any presumably secret password it just

267

received. Therefore, when running this program standalone

268

(which should never normally be done), take care not to type in

269

any real secret password by force of habit, since it would then

270

immediately be shown as output.

271

</para>

272

</refsect1>

273

274

275

276

<para>

277

<citerefentry><refentrytitle>intro</refentrytitle>

278

<manvolnum>8mandos</manvolnum></citerefentry>,

279

<citerefentry><refentrytitle>crypttab</refentrytitle>

280

<manvolnum>5</manvolnum></citerefentry>,

281

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

282

<manvolnum>8mandos</manvolnum></citerefentry>,

283

284

<manvolnum>5</manvolnum></citerefentry>,

285

<citerefentry><refentrytitle>splashy</refentrytitle>

286

<manvolnum>8</manvolnum></citerefentry>,

287

<citerefentry><refentrytitle>splashy_update</refentrytitle>

288

289

</para>

290

</refsect1>

291

</refentry>

292

293

294

295

296

Older »