320
423
<title>PLUGINS</title>
322
425
This program will get a password by running a number of
323
<firstterm>plugins</firstterm>, which are simply executable
324
programs in a directory in the initial <acronym>RAM</acronym>
325
disk environment. The default directory is
426
<firstterm>plugins</firstterm>, which are executable programs in
427
a directory in the initial <acronym>RAM</acronym> disk
428
environment. The default directory is
326
429
<filename>/lib/mandos/plugins.d</filename>, but this can be
327
430
changed with the <option>--plugin-dir</option> option. The
328
431
plugins are started in parallel, and the first plugin to output
329
a password and exit with a successful exit code will make this
330
plugin-runner output that password, stop any other plugins, and
432
a password <emphasis>and</emphasis> exit with a successful exit
433
code will make this plugin-runner output the password from that
434
plugin, stop any other plugins, and exit.
437
<refsect2 id="writing_plugins">
438
<title>WRITING PLUGINS</title>
440
A plugin is an executable program which prints a password to
441
its standard output and then exits with a successful (zero)
442
exit status. If the exit status is not zero, any output on
443
standard output will be ignored by the plugin runner. Any
444
output on its standard error channel will simply be passed to
445
the standard error of the plugin runner, usually the system
449
If the password is a single-line, manually entered passprase,
450
a final trailing newline character should
451
<emphasis>not</emphasis> be printed.
454
The plugin will run in the initial RAM disk environment, so
455
care must be taken not to depend on any files or running
456
services not available there. Any helper executables required
457
by the plugin (which are not in the <envar>PATH</envar>) can
458
be placed in the plugin helper directory, the name of which
459
will be made available to the plugin via the
460
<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
463
The plugin must exit cleanly and free all allocated resources
464
upon getting the TERM signal, since this is what the plugin
465
runner uses to stop all other plugins when one plugin has
466
output a password and exited cleanly.
469
The plugin must not use resources, like for instance reading
470
from the standard input, without knowing that no other plugin
474
It is useful, but not required, for the plugin to take the
475
<option>--debug</option> option.
480
<refsect1 id="fallback">
336
481
<title>FALLBACK</title>
483
If no plugins succeed, this program will, as a fallback, ask for
484
a password on the console using <citerefentry><refentrytitle
485
>getpass</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
486
and output it. This is not meant to be the normal mode of
487
operation, as there is a separate plugin for getting a password
340
492
<refsect1 id="exit_status">
341
493
<title>EXIT STATUS</title>
495
Exit status of this program is zero if no errors were
496
encountered, and otherwise not. The fallback (see <xref
497
linkend="fallback"/>) may or may not have succeeded in either
502
<refsect1 id="environment">
503
<title>ENVIRONMENT</title>
505
This program does not use any environment variables itself, it
506
only passes on its environment to all the plugins. The
507
environment passed to plugins can be modified using the
508
<option>--global-env</option> and <option>--env-for</option>
509
options. Also, the <option>--plugin-helper-dir</option> option
510
will affect the environment variable
511
<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
515
<refsect1 id="files">
347
516
<title>FILES</title>
352
<refsect1 id="notes">
521
>/conf/conf.d/mandos/plugin-runner.conf</filename></term>
524
Since this program will be run as a keyscript, there is
525
little to no opportunity to pass command line arguments
526
to it. Therefore, it will <emphasis>also</emphasis>
527
read this file and use its contents as
528
whitespace-separated command line options. Also,
529
everything from a <quote>#</quote> character to the end
530
of a line is ignored.
533
This program is meant to run in the initial RAM disk
534
environment, so that is where this file is assumed to
535
exist. The file does not need to exist in the normal
539
This file will be processed <emphasis>before</emphasis>
540
the normal command line options, so the latter can
541
override the former, if need be.
544
This file name is the default; the file to read for
545
arguments can be changed using the
546
<option>--config-file</option> option.
551
<term><filename class="directory"
552
>/lib/mandos/plugins.d</filename></term>
555
The default plugin directory; can be changed by the
556
<option>--plugin-dir</option> option.
561
<term><filename class="directory"
562
>/lib/mandos/plugin-helpers</filename></term>
565
The default plugin helper directory; can be changed by
566
the <option>--plugin-helper-dir</option> option.
358
574
<refsect1 id="bugs">
359
575
<title>BUGS</title>
577
The <option>--config-file</option> option is ignored when
578
specified from within a configuration file.
580
<xi:include href="bugs.xml"/>
364
583
<refsect1 id="examples">
365
584
<title>EXAMPLE</title>
587
Normal invocation needs no options:
590
<userinput>&COMMANDNAME;</userinput>
595
Run the program, but not the plugins, in debug mode:
599
<!-- do not wrap this line -->
600
<userinput>&COMMANDNAME; --debug</userinput>
606
Run all plugins, but run the <quote>foo</quote> plugin in
611
<!-- do not wrap this line -->
612
<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>
618
Run all plugins, but not the program, in debug mode:
622
<!-- do not wrap this line -->
623
<userinput>&COMMANDNAME; --global-options=--debug</userinput>
629
Read a different configuration file, run plugins from a
630
different directory, specify an alternate plugin helper
631
directory and add four options to the
632
<citerefentry><refentrytitle >mandos-client</refentrytitle>
633
<manvolnum>8mandos</manvolnum></citerefentry> plugin:
637
<!-- do not wrap this line -->
638
<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,​--seckey=seckey.txt,​--tls-pubkey=tls-pubkey.pem,​--tls-privkey=tls-privkey.pem</userinput>
370
643
<refsect1 id="security">
371
644
<title>SECURITY</title>
646
This program will, when starting, try to switch to another user.
647
If it is started as root, it will succeed, and will by default
648
switch to user and group 65534, which are assumed to be
649
non-privileged. This user and group is then what all plugins
650
will be started as. Therefore, the only way to run a plugin as
651
a privileged user is to have the set-user-ID or set-group-ID bit
652
set on the plugin executable file (see <citerefentry>
653
<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
657
If this program is used as a keyscript in <citerefentry
658
><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>
659
</citerefentry>, there is a slight risk that if this program
660
fails to work, there might be no way to boot the system except
661
for booting from another media and editing the initial RAM disk
662
image to not run this program. This is, however, unlikely,
663
since the <citerefentry><refentrytitle
664
>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>
665
</citerefentry> plugin will read a password from the console in
666
case of failure of the other plugins, and this plugin runner
667
will also, in case of catastrophic failure, itself fall back to
668
asking and outputting a password on the console (see <xref
669
linkend="fallback"/>).
376
673
<refsect1 id="see_also">
377
674
<title>SEE ALSO</title>
676
<citerefentry><refentrytitle>intro</refentrytitle>
677
<manvolnum>8mandos</manvolnum></citerefentry>,
379
678
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
380
679
<manvolnum>8</manvolnum></citerefentry>,
680
<citerefentry><refentrytitle>crypttab</refentrytitle>
681
<manvolnum>5</manvolnum></citerefentry>,
682
<citerefentry><refentrytitle>execve</refentrytitle>
683
<manvolnum>2</manvolnum></citerefentry>,
381
684
<citerefentry><refentrytitle>mandos</refentrytitle>
382
685
<manvolnum>8</manvolnum></citerefentry>,
383
686
<citerefentry><refentrytitle>password-prompt</refentrytitle>
384
687
<manvolnum>8mandos</manvolnum></citerefentry>,
385
<citerefentry><refentrytitle>password-request</refentrytitle>
688
<citerefentry><refentrytitle>mandos-client</refentrytitle>
386
689
<manvolnum>8mandos</manvolnum></citerefentry>
391
694
<!-- Local Variables: -->
392
695
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->