/mandos/trunk : revision 163

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2008-09-05 16:24:33 UTC
Revision ID: teddy@fukt.bsnet.se-20080905162433-58fgx91ae9foxlh1

* Makefile (PIDDIR, USER, GROUP): Removed.
  (install-server): Do not create $(PIDDIR).
  (uninstall-server): Do not remove $(PIDDIR).

* init.d-mandos (PIDFILE): Changed to "/var/run/$NAME.pid".

* mandos (IPv6_TCPServer.enabled): New attribute.
  (IPv6_TCPServer.server_activate): Only call method of superclass if
                                    "self.enabled".
  (IPv6_TCPServer.enable): Set "self.enabled" to True.
  (main): Create client Set() early.  Create IPv6_TCPServer object
          early.  Switch to user and group "mandos", "nobody" or
          65534, if possible.  Enable IPv6_TCPServer *after* switching
          user.

* mandos-keygen (KEYDIR): Changed to "/etc/keys/mandos".

* mandos.xml (FILES): Changed PID file.
  (SECURITY): The server does need to be privileged, but switches to a
              non-privileged user.

* plugin-runner.xml (EXAMPLE): Changed long example to something more
                               realistic.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2016-03-17">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-05">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

Run Mandos plugins, pass data from first to succeed.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

120

111

<arg><option>--plugin-dir=<replaceable

121

112

>DIRECTORY</replaceable></option></arg>

122

113

<sbr/>

123

<arg><option>--plugin-helper-dir=<replaceable

124

>DIRECTORY</replaceable></option></arg>

125

<sbr/>

126

114

<arg><option>--config-file=<replaceable

127

115

>FILE</replaceable></option></arg>

128

116

<sbr/>

182

170

183

171

184

172

<term><option>--global-env

185

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

186

174

>value</replaceable></option></term>

187

175

<term><option>-G

188

<replaceable>ENV</replaceable><literal>=</literal><replaceable

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

189

177

>value</replaceable></option></term>

190

178

191

179

<para>

259

247

</para>

260

248

</listitem>

261

249

</varlistentry>

262

250

263

251

264

252

<term><option>--disable

265

253

<replaceable>PLUGIN</replaceable></option></term>

270

258

Disable the plugin named

271

259

<replaceable>PLUGIN</replaceable>. The plugin will not be

272

260

started.

273

</para>

261

</para>

274

262

</listitem>

275

263

</varlistentry>

276

264

277

265

278

266

<term><option>--enable

279

267

<replaceable>PLUGIN</replaceable></option></term>

288

276

</para>

289

277

</listitem>

290

278

</varlistentry>

291

279

292

280

293

281

<term><option>--groupid

294

282

301

289

</para>

302

290

</listitem>

303

291

</varlistentry>

304

292

305

293

306

294

<term><option>--userid

307

295

314

302

</para>

315

303

</listitem>

316

304

</varlistentry>

317

305

318

306

319

307

<term><option>--plugin-dir

320

308

<replaceable>DIRECTORY</replaceable></option></term>

329

317

</varlistentry>

330

318

331

319

332

<term><option>--plugin-helper-dir

333

<replaceable>DIRECTORY</replaceable></option></term>

334

335

<para>

336

Specify a different plugin helper directory. The default

337

is <filename>/lib/mandos/plugin-helpers</filename>, which

338

will exist in the initial <acronym>RAM</acronym> disk

339

environment. (This will simply be passed to all plugins

340

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

341

variable. See <xref linkend="writing_plugins"/>)

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

320

<term><option>--config-file

348

321

349

322

392

365

</para>

393

366

</listitem>

394

367

</varlistentry>

395

368

396

369

397

370

<term><option>--version</option></term>

398

371

404

377

</varlistentry>

405

378

</variablelist>

406

379

</refsect1>

407

380

408

381

409

382

<title>OVERVIEW</title>

410

383

<xi:include href="overview.xml"/>

430

403

code will make this plugin-runner output the password from that

431

404

plugin, stop any other plugins, and exit.

432

405

</para>

433

406

434

407

435

408

<title>WRITING PLUGINS</title>

436

409

<para>

443

416

console.

444

417

</para>

445

418

<para>

446

If the password is a single-line, manually entered passprase,

447

a final trailing newline character should

448

<emphasis>not</emphasis> be printed.

449

</para>

450

<para>

451

419

The plugin will run in the initial RAM disk environment, so

452

420

care must be taken not to depend on any files or running

453

services not available there. Any helper executables required

454

by the plugin (which are not in the <envar>PATH</envar>) can

455

be placed in the plugin helper directory, the name of which

456

will be made available to the plugin via the

457

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

421

services not available there.

458

422

</para>

459

423

<para>

460

424

The plugin must exit cleanly and free all allocated resources

503

467

only passes on its environment to all the plugins. The

504

468

environment passed to plugins can be modified using the

505

469

<option>--global-env</option> and <option>--env-for</option>

506

options. Also, the <option>--plugin-helper-dir</option> option

507

will affect the environment variable

508

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

470

options.

509

471

</para>

510

472

</refsect1>

511

473

544

506

</para>

545

507

</listitem>

546

508

</varlistentry>

547

548

<term><filename class="directory"

549

>/lib/mandos/plugins.d</filename></term>

550

551

<para>

552

The default plugin directory; can be changed by the

553

<option>--plugin-dir</option> option.

554

</para>

555

</listitem>

556

</varlistentry>

557

558

<term><filename class="directory"

559

>/lib/mandos/plugin-helpers</filename></term>

560

561

<para>

562

The default plugin helper directory; can be changed by

563

the <option>--plugin-helper-dir</option> option.

564

</para>

565

</listitem>

566

</varlistentry>

567

509

</variablelist>

568

510

</para>

569

511

</refsect1>

574

516

The <option>--config-file</option> option is ignored when

575

517

specified from within a configuration file.

576

518

</para>

577

<xi:include href="bugs.xml"/>

578

519

</refsect1>

579

520

580

521

623

564

</informalexample>

624

565

625

566

<para>

626

Read a different configuration file, run plugins from a

627

different directory, specify an alternate plugin helper

628

directory and add two options to the

629

<citerefentry><refentrytitle >mandos-client</refentrytitle>

567

Run plugins from a different directory, read a different

568

configuration file, and add two options to the

569

<citerefentry><refentrytitle >password-request</refentrytitle>

630

570

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

631

571

</para>

632

572

<para>

633

573

634

574

635

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

575

<userinput>&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=password-request:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>

636

576

637

577

</para>

638

578

</informalexample>

646

586

non-privileged. This user and group is then what all plugins

647

587

will be started as. Therefore, the only way to run a plugin as

648

588

a privileged user is to have the set-user-ID or set-group-ID bit

649

set on the plugin executable file (see <citerefentry>

589

set on the plugin executable files (see <citerefentry>

650

590

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

651

591

</citerefentry>).

652

592

</para>

670

610

671

611

672

612

<para>

673

<citerefentry><refentrytitle>intro</refentrytitle>

674

<manvolnum>8mandos</manvolnum></citerefentry>,

675

613

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

676

614

<manvolnum>8</manvolnum></citerefentry>,

677

615

<citerefentry><refentrytitle>crypttab</refentrytitle>

682

620

<manvolnum>8</manvolnum></citerefentry>,

683

621

<citerefentry><refentrytitle>password-prompt</refentrytitle>

684

622

<manvolnum>8mandos</manvolnum></citerefentry>,

685

<citerefentry><refentrytitle>mandos-client</refentrytitle>

623

<citerefentry><refentrytitle>password-request</refentrytitle>

686

624

<manvolnum>8mandos</manvolnum></citerefentry>

687

625

</para>

688

626

</refsect1>

Older »