/mandos/trunk : revision 139

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2008-09-02 10:27:08 UTC
Revision ID: teddy@fukt.bsnet.se-20080902102708-j5k6ec3lcgkaeipv

* plugin-runner.xml: Changed short option for "--global-env" to "-G",
                     changed short option for "--env-for" to "-E".
                     added new options "--enable" ("-e") and
                     "--config-file".
  (ENVIRONMENT): Added text.
  (FILES): Changed id to "files".  Improved wording and add more text.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos-monitor

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth

plugins.d/plymouth.c

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2009-01-17">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

142

140

<title>DESCRIPTION</title>

143

141

<para>

144

142

<command>&COMMANDNAME;</command> is a program which is meant to

145

be specified as a <quote>keyscript</quote> for the root disk in

146

<citerefentry><refentrytitle>crypttab</refentrytitle>

147

<manvolnum>5</manvolnum></citerefentry>. The aim of this

148

program is therefore to output a password, which then

149

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

150

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

151

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

152

150

</para>

153

151

<para>

154

152

This program is not meant to be invoked directly, but can be in

172

170

173

171

174

172

<term><option>--global-env

175

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

176

174

>value</replaceable></option></term>

177

<term><option>-G

178

<replaceable>ENV</replaceable><literal>=</literal><replaceable

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

179

177

>value</replaceable></option></term>

180

178

181

179

<para>

191

189

<replaceable>PLUGIN</replaceable><literal>:</literal

192

190

><replaceable>ENV</replaceable><literal>=</literal

193

191

><replaceable>value</replaceable></option></term>

194

<term><option>-E

192

<term><option>-f

195

193

<replaceable>PLUGIN</replaceable><literal>:</literal

196

194

><replaceable>ENV</replaceable><literal>=</literal

197

195

><replaceable>value</replaceable></option></term>

217

215

<replaceable>OPTIONS</replaceable> is a comma separated

218

216

list of options. This is not a very useful option, except

219

217

for specifying the <quote><option>--debug</option></quote>

220

option to all plugins.

218

for all plugins.

221

219

</para>

222

220

</listitem>

223

221

</varlistentry>

243

241

<option>--bar</option> with the option argument

244

242

<quote>baz</quote> is either

245

243

<userinput>--options-for=foo:--bar=baz</userinput> or

246

<userinput>--options-for=foo:--bar,baz</userinput>. Using

247

<userinput>--options-for="foo:--bar baz"</userinput>. will

248

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

249

247

</para>

250

248

</listitem>

251

249

</varlistentry>

252

250

253

251

254

252

<term><option>--disable

255

253

<replaceable>PLUGIN</replaceable></option></term>

263

261

</para>

264

262

</listitem>

265

263

</varlistentry>

266

264

267

265

268

266

<term><option>--enable

269

267

<replaceable>PLUGIN</replaceable></option></term>

274

272

Re-enable the plugin named

275

273

<replaceable>PLUGIN</replaceable>. This is only useful to

276

274

undo a previous <option>--disable</option> option, maybe

277

from the configuration file.

275

from the config file.

278

276

</para>

279

277

</listitem>

280

278

</varlistentry>

281

279

282

280

283

281

<term><option>--groupid

284

282

291

289

</para>

292

290

</listitem>

293

291

</varlistentry>

294

292

295

293

296

294

<term><option>--userid

297

295

304

302

</para>

305

303

</listitem>

306

304

</varlistentry>

307

305

308

306

309

307

<term><option>--plugin-dir

310

308

<replaceable>DIRECTORY</replaceable></option></term>

367

365

</para>

368

366

</listitem>

369

367

</varlistentry>

370

368

371

369

372

370

<term><option>--version</option></term>

373

371

379

377

</varlistentry>

380

378

</variablelist>

381

379

</refsect1>

382

380

383

381

384

382

<title>OVERVIEW</title>

385

383

<xi:include href="overview.xml"/>

405

403

code will make this plugin-runner output the password from that

406

404

plugin, stop any other plugins, and exit.

407

405

</para>

408

409

410

<title>WRITING PLUGINS</title>

411

<para>

412

A plugin is simply a program which prints a password to its

413

standard output and then exits with a successful (zero) exit

414

status. If the exit status is not zero, any output on

415

standard output will be ignored by the plugin runner. Any

416

output on its standard error channel will simply be passed to

417

the standard error of the plugin runner, usually the system

418

console.

419

</para>

420

<para>

421

If the password is a single-line, manually entered passprase,

422

a final trailing newline character should

423

<emphasis>not</emphasis> be printed.

424

</para>

425

<para>

426

The plugin will run in the initial RAM disk environment, so

427

care must be taken not to depend on any files or running

428

services not available there.

429

</para>

430

<para>

431

The plugin must exit cleanly and free all allocated resources

432

upon getting the TERM signal, since this is what the plugin

433

runner uses to stop all other plugins when one plugin has

434

output a password and exited cleanly.

435

</para>

436

<para>

437

The plugin must not use resources, like for instance reading

438

from the standard input, without knowing that no other plugin

439

is also using it.

440

</para>

441

<para>

442

It is useful, but not required, for the plugin to take the

443

<option>--debug</option> option.

444

</para>

445

</refsect2>

446

406

</refsect1>

447

407

448

408

474

434

only passes on its environment to all the plugins. The

475

435

environment passed to plugins can be modified using the

476

436

<option>--global-env</option> and <option>--env-for</option>

477

options.

437

optins.

478

438

</para>

479

439

</refsect1>

480

440

520

480

521

481

522

482

<para>

523

The <option>--config-file</option> option is ignored when

524

specified from within a configuration file.

525

483

</para>

526

484

</refsect1>

527

485

528

486

529

487

<title>EXAMPLE</title>

530

531

<para>

532

Normal invocation needs no options:

533

</para>

534

<para>

535

<userinput>&COMMANDNAME;</userinput>

536

</para>

537

</informalexample>

538

539

<para>

540

Run the program, but not the plugins, in debug mode:

541

</para>

542

<para>

543

544

545

<userinput>&COMMANDNAME; --debug</userinput>

546

547

</para>

548

</informalexample>

549

550

<para>

551

Run all plugins, but run the <quote>foo</quote> plugin in

552

debug mode:

553

</para>

554

<para>

555

556

557

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

558

559

</para>

560

</informalexample>

561

562

<para>

563

Run all plugins, but not the program, in debug mode:

564

</para>

565

<para>

566

567

568

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

569

570

</para>

571

</informalexample>

572

573

<para>

574

Run plugins from a different directory, read a different

575

configuration file, and add two options to the

576

<citerefentry><refentrytitle >mandos-client</refentrytitle>

577

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

578

</para>

579

<para>

580

581

582

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

583

584

</para>

585

</informalexample>

488

<para>

489

</para>

586

490

</refsect1>

491

587

492

588

493

<title>SECURITY</title>

589

494

<para>

590

This program will, when starting, try to switch to another user.

591

If it is started as root, it will succeed, and will by default

592

switch to user and group 65534, which are assumed to be

593

non-privileged. This user and group is then what all plugins

594

will be started as. Therefore, the only way to run a plugin as

595

a privileged user is to have the set-user-ID or set-group-ID bit

596

set on the plugin executable file (see <citerefentry>

597

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

598

</citerefentry>).

599

</para>

600

<para>

601

If this program is used as a keyscript in <citerefentry

602

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

603

</citerefentry>, there is a slight risk that if this program

604

fails to work, there might be no way to boot the system except

605

for booting from another media and editing the initial RAM disk

606

image to not run this program. This is, however, unlikely,

607

since the <citerefentry><refentrytitle

608

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

609

</citerefentry> plugin will read a password from the console in

610

case of failure of the other plugins, and this plugin runner

611

will also, in case of catastrophic failure, itself fall back to

612

asking and outputting a password on the console (see <xref

613

linkend="fallback"/>).

614

495

</para>

615

496

</refsect1>

616

497

619

500

<para>

620

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

621

502

<manvolnum>8</manvolnum></citerefentry>,

622

<citerefentry><refentrytitle>crypttab</refentrytitle>

623

<manvolnum>5</manvolnum></citerefentry>,

624

<citerefentry><refentrytitle>execve</refentrytitle>

625

<manvolnum>2</manvolnum></citerefentry>,

626

503

<citerefentry><refentrytitle>mandos</refentrytitle>

627

504

<manvolnum>8</manvolnum></citerefentry>,

628

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

629

506

<manvolnum>8mandos</manvolnum></citerefentry>,

630

<citerefentry><refentrytitle>mandos-client</refentrytitle>

507

<citerefentry><refentrytitle>password-request</refentrytitle>

631

508

<manvolnum>8mandos</manvolnum></citerefentry>

632

509

</para>

633

510

</refsect1>

Older »