/mandos/trunk : revision 24.1.80

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Björn Påhlsson
Date: 2008-09-02 10:40:22 UTC
mfrom: (139 mandos)
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 149.
Revision ID: belorn@braxen-20080902104022-5x39n4gmle0j15ws

merge

files removed:
README

default-mandos

init.d-mandos

plugin-runner.conf

files modified:
Makefile

TODO

initramfs-tools-hook

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.xml

plugins.d/password-request.c

plugins.d/password-request.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2008-09-05">

<!ENTITY TIMESTAMP "2008-09-02">

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

140

<title>DESCRIPTION</title>

141

<para>

142

<command>&COMMANDNAME;</command> is a program which is meant to

143

be specified as a <quote>keyscript</quote> for the root disk in

144

<citerefentry><refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry>. The aim of this

146

program is therefore to output a password, which then

147

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

149

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

150

</para>

151

<para>

152

This program is not meant to be invoked directly, but can be in

172

<term><option>--global-env

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

174

>value</replaceable></option></term>

175

<term><option>-G

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

177

>value</replaceable></option></term>

178

189

<replaceable>PLUGIN</replaceable><literal>:</literal

190

><replaceable>ENV</replaceable><literal>=</literal

191

><replaceable>value</replaceable></option></term>

192

<term><option>-E

192

<term><option>-f

193

<replaceable>PLUGIN</replaceable><literal>:</literal

194

><replaceable>ENV</replaceable><literal>=</literal

195

><replaceable>value</replaceable></option></term>

215

<replaceable>OPTIONS</replaceable> is a comma separated

216

list of options. This is not a very useful option, except

217

for specifying the <quote><option>--debug</option></quote>

218

option to all plugins.

218

for all plugins.

219

</para>

220

</listitem>

221

</varlistentry>

241

<option>--bar</option> with the option argument

242

<quote>baz</quote> is either

243

<userinput>--options-for=foo:--bar=baz</userinput> or

244

<userinput>--options-for=foo:--bar,baz</userinput>. Using

245

<userinput>--options-for="foo:--bar baz"</userinput>. will

246

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

247

</para>

248

</listitem>

249

</varlistentry>

272

Re-enable the plugin named

273

<replaceable>PLUGIN</replaceable>. This is only useful to

274

undo a previous <option>--disable</option> option, maybe

275

from the configuration file.

275

from the config file.

276

</para>

277

</listitem>

278

</varlistentry>

403

code will make this plugin-runner output the password from that

404

plugin, stop any other plugins, and exit.

405

</para>

406

407

408

<title>WRITING PLUGINS</title>

409

<para>

410

A plugin is simply a program which prints a password to its

411

standard output and then exits with a successful (zero) exit

412

status. If the exit status is not zero, any output on

413

standard output will be ignored by the plugin runner. Any

414

output on its standard error channel will simply be passed to

415

the standard error of the plugin runner, usually the system

416

console.

417

</para>

418

<para>

419

The plugin will run in the initial RAM disk environment, so

420

care must be taken not to depend on any files or running

421

services not available there.

422

</para>

423

<para>

424

The plugin must exit cleanly and free all allocated resources

425

upon getting the TERM signal, since this is what the plugin

426

runner uses to stop all other plugins when one plugin has

427

output a password and exited cleanly.

428

</para>

429

<para>

430

The plugin must not use resources, like for instance reading

431

from the standard input, without knowing that no other plugin

432

is also using it.

433

</para>

434

<para>

435

It is useful, but not required, for the plugin to take the

436

<option>--debug</option> option.

437

</para>

438

</refsect2>

439

406

</refsect1>

440

407

441

408

467

434

only passes on its environment to all the plugins. The

468

435

environment passed to plugins can be modified using the

469

436

<option>--global-env</option> and <option>--env-for</option>

470

options.

437

optins.

471

438

</para>

472

439

</refsect1>

473

440

513

480

514

481

515

482

<para>

516

The <option>--config-file</option> option is ignored when

517

specified from within a configuration file.

518

483

</para>

519

484

</refsect1>

520

485

521

486

522

487

<title>EXAMPLE</title>

523

524

<para>

525

Normal invocation needs no options:

526

</para>

527

<para>

528

<userinput>&COMMANDNAME;</userinput>

529

</para>

530

</informalexample>

531

532

<para>

533

Run the program, but not the plugins, in debug mode:

534

</para>

535

<para>

536

537

538

<userinput>&COMMANDNAME; --debug</userinput>

539

540

</para>

541

</informalexample>

542

543

<para>

544

Run all plugins, but run the <quote>foo</quote> plugin in

545

debug mode:

546

</para>

547

<para>

548

549

550

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

551

552

</para>

553

</informalexample>

554

555

<para>

556

Run all plugins, but not the program, in debug mode:

557

</para>

558

<para>

559

560

561

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

562

563

</para>

564

</informalexample>

565

566

<para>

567

Run plugins from a different directory, read a different

568

configuration file, and add two options to the

569

<citerefentry><refentrytitle >password-request</refentrytitle>

570

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

571

</para>

572

<para>

573

574

575

<userinput>&COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=password-request:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>

576

577

</para>

578

</informalexample>

488

<para>

489

</para>

579

490

</refsect1>

491

580

492

581

493

<title>SECURITY</title>

582

494

<para>

583

This program will, when starting, try to switch to another user.

584

If it is started as root, it will succeed, and will by default

585

switch to user and group 65534, which are assumed to be

586

non-privileged. This user and group is then what all plugins

587

will be started as. Therefore, the only way to run a plugin as

588

a privileged user is to have the set-user-ID or set-group-ID bit

589

set on the plugin executable file (see <citerefentry>

590

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

591

</citerefentry>).

592

</para>

593

<para>

594

If this program is used as a keyscript in <citerefentry

595

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

596

</citerefentry>, there is a slight risk that if this program

597

fails to work, there might be no way to boot the system except

598

for booting from another media and editing the initial RAM disk

599

image to not run this program. This is, however, unlikely,

600

since the <citerefentry><refentrytitle

601

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

602

</citerefentry> plugin will read a password from the console in

603

case of failure of the other plugins, and this plugin runner

604

will also, in case of catastrophic failure, itself fall back to

605

asking and outputting a password on the console (see <xref

606

linkend="fallback"/>).

607

495

</para>

608

496

</refsect1>

609

497

612

500

<para>

613

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

614

502

<manvolnum>8</manvolnum></citerefentry>,

615

<citerefentry><refentrytitle>crypttab</refentrytitle>

616

<manvolnum>5</manvolnum></citerefentry>,

617

<citerefentry><refentrytitle>execve</refentrytitle>

618

<manvolnum>2</manvolnum></citerefentry>,

619

503

<citerefentry><refentrytitle>mandos</refentrytitle>

620

504

<manvolnum>8</manvolnum></citerefentry>,

621

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

Older »