140
140
<title>DESCRIPTION</title>
142
142
<command>&COMMANDNAME;</command> is a program which is meant to
143
be specified as <quote>keyscript</quote> in <citerefentry>
144
<refentrytitle>crypttab</refentrytitle>
145
<manvolnum>5</manvolnum></citerefentry> for the root disk. The
146
aim of this program is therefore to output a password, which
147
then <citerefentry><refentrytitle>cryptsetup</refentrytitle>
148
<manvolnum>8</manvolnum></citerefentry> will use to try and
149
unlock the root disk.
143
be specified as a <quote>keyscript</quote> for the root disk in
144
<citerefentry><refentrytitle>crypttab</refentrytitle>
145
<manvolnum>5</manvolnum></citerefentry>. The aim of this
146
program is therefore to output a password, which then
147
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
148
<manvolnum>8</manvolnum></citerefentry> will use to unlock the
152
152
This program is not meant to be invoked directly, but can be in
241
241
<option>--bar</option> with the option argument
242
242
<quote>baz</quote> is either
243
243
<userinput>--options-for=foo:--bar=baz</userinput> or
244
<userinput>--options-for=foo:--bar,baz</userinput>, but
245
<emphasis>not</emphasis>
246
<userinput>--options-for="foo:--bar baz"</userinput>.
244
<userinput>--options-for=foo:--bar,baz</userinput>. Using
245
<userinput>--options-for="foo:--bar baz"</userinput>. will
246
<emphasis>not</emphasis> work.
403
403
code will make this plugin-runner output the password from that
404
404
plugin, stop any other plugins, and exit.
407
<refsect2 id="writing_plugins">
408
<title>WRITING PLUGINS</title>
410
A plugin is simply a program which prints a password to its
411
standard output and then exits with a successful (zero) exit
412
status. If the exit status is not zero, any output on
413
standard output will be ignored by the plugin runner. Any
414
output on its standard error channel will simply be passed to
415
the standard error of the plugin runner, usually the system
419
If the password is a single-line, manually entered passprase,
420
a final trailing newline character should
421
<emphasis>not</emphasis> be printed.
424
The plugin will run in the initial RAM disk environment, so
425
care must be taken not to depend on any files or running
426
services not available there.
429
The plugin must exit cleanly and free all allocated resources
430
upon getting the TERM signal, since this is what the plugin
431
runner uses to stop all other plugins when one plugin has
432
output a password and exited cleanly.
435
The plugin must not use resources, like for instance reading
436
from the standard input, without knowing that no other plugin
440
It is useful, but not required, for the plugin to take the
441
<option>--debug</option> option.
408
446
<refsect1 id="fallback">
480
518
<refsect1 id="bugs">
481
519
<title>BUGS</title>
521
The <option>--config-file</option> option is ignored when
522
specified from within a configuration file.
486
526
<refsect1 id="examples">
487
527
<title>EXAMPLE</title>
530
Normal invocation needs no options:
533
<userinput>&COMMANDNAME;</userinput>
538
Run the program, but not the plugins, in debug mode:
542
<!-- do not wrap this line -->
543
<userinput>&COMMANDNAME; --debug</userinput>
549
Run all plugins, but run the <quote>foo</quote> plugin in
554
<!-- do not wrap this line -->
555
<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>
561
Run all plugins, but not the program, in debug mode:
565
<!-- do not wrap this line -->
566
<userinput>&COMMANDNAME; --global-options=--debug</userinput>
572
Run plugins from a different directory, read a different
573
configuration file, and add two options to the
574
<citerefentry><refentrytitle >mandos-client</refentrytitle>
575
<manvolnum>8mandos</manvolnum></citerefentry> plugin:
579
<!-- do not wrap this line -->
580
<userinput>&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
492
585
<refsect1 id="security">
493
586
<title>SECURITY</title>
588
This program will, when starting, try to switch to another user.
589
If it is started as root, it will succeed, and will by default
590
switch to user and group 65534, which are assumed to be
591
non-privileged. This user and group is then what all plugins
592
will be started as. Therefore, the only way to run a plugin as
593
a privileged user is to have the set-user-ID or set-group-ID bit
594
set on the plugin executable file (see <citerefentry>
595
<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
599
If this program is used as a keyscript in <citerefentry
600
><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>
601
</citerefentry>, there is a slight risk that if this program
602
fails to work, there might be no way to boot the system except
603
for booting from another media and editing the initial RAM disk
604
image to not run this program. This is, however, unlikely,
605
since the <citerefentry><refentrytitle
606
>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>
607
</citerefentry> plugin will read a password from the console in
608
case of failure of the other plugins, and this plugin runner
609
will also, in case of catastrophic failure, itself fall back to
610
asking and outputting a password on the console (see <xref
611
linkend="fallback"/>).
501
618
<citerefentry><refentrytitle>cryptsetup</refentrytitle>
502
619
<manvolnum>8</manvolnum></citerefentry>,
620
<citerefentry><refentrytitle>crypttab</refentrytitle>
621
<manvolnum>5</manvolnum></citerefentry>,
622
<citerefentry><refentrytitle>execve</refentrytitle>
623
<manvolnum>2</manvolnum></citerefentry>,
503
624
<citerefentry><refentrytitle>mandos</refentrytitle>
504
625
<manvolnum>8</manvolnum></citerefentry>,
505
626
<citerefentry><refentrytitle>password-prompt</refentrytitle>
506
627
<manvolnum>8mandos</manvolnum></citerefentry>,
507
<citerefentry><refentrytitle>password-request</refentrytitle>
628
<citerefentry><refentrytitle>mandos-client</refentrytitle>
508
629
<manvolnum>8mandos</manvolnum></citerefentry>