/mandos/trunk : revision 24.1.81

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Björn Påhlsson
Date: 2008-09-03 18:47:50 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 149.
Revision ID: belorn@braxen-20080903184750-s0k0jrrq0lxiamwh

removed keyring pre-requirement for starting password-request.
Keys will now be imported in run-time to a run-time created keyring

Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2016-02-28">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

120

111

<arg><option>--plugin-dir=<replaceable

121

112

>DIRECTORY</replaceable></option></arg>

122

113

<sbr/>

123

<arg><option>--plugin-helper-dir=<replaceable

124

>DIRECTORY</replaceable></option></arg>

125

<sbr/>

126

114

<arg><option>--config-file=<replaceable

127

115

>FILE</replaceable></option></arg>

128

116

<sbr/>

152

140

<title>DESCRIPTION</title>

153

141

<para>

154

142

<command>&COMMANDNAME;</command> is a program which is meant to

155

be specified as a <quote>keyscript</quote> for the root disk in

156

<citerefentry><refentrytitle>crypttab</refentrytitle>

157

<manvolnum>5</manvolnum></citerefentry>. The aim of this

158

program is therefore to output a password, which then

159

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

160

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

161

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

162

150

</para>

163

151

<para>

164

152

This program is not meant to be invoked directly, but can be in

182

170

183

171

184

172

<term><option>--global-env

185

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

186

174

>value</replaceable></option></term>

187

<term><option>-G

188

<replaceable>ENV</replaceable><literal>=</literal><replaceable

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

189

177

>value</replaceable></option></term>

190

178

191

179

<para>

201

189

<replaceable>PLUGIN</replaceable><literal>:</literal

202

190

><replaceable>ENV</replaceable><literal>=</literal

203

191

><replaceable>value</replaceable></option></term>

204

<term><option>-E

192

<term><option>-f

205

193

<replaceable>PLUGIN</replaceable><literal>:</literal

206

194

><replaceable>ENV</replaceable><literal>=</literal

207

195

><replaceable>value</replaceable></option></term>

227

215

<replaceable>OPTIONS</replaceable> is a comma separated

228

216

list of options. This is not a very useful option, except

229

217

for specifying the <quote><option>--debug</option></quote>

230

option to all plugins.

218

for all plugins.

231

219

</para>

232

220

</listitem>

233

221

</varlistentry>

253

241

<option>--bar</option> with the option argument

254

242

<quote>baz</quote> is either

255

243

<userinput>--options-for=foo:--bar=baz</userinput> or

256

<userinput>--options-for=foo:--bar,baz</userinput>. Using

257

<userinput>--options-for="foo:--bar baz"</userinput>. will

258

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

259

247

</para>

260

248

</listitem>

261

249

</varlistentry>

262

250

263

251

264

252

<term><option>--disable

265

253

<replaceable>PLUGIN</replaceable></option></term>

270

258

Disable the plugin named

271

259

<replaceable>PLUGIN</replaceable>. The plugin will not be

272

260

started.

273

</para>

261

</para>

274

262

</listitem>

275

263

</varlistentry>

276

264

277

265

278

266

<term><option>--enable

279

267

<replaceable>PLUGIN</replaceable></option></term>

284

272

Re-enable the plugin named

285

273

<replaceable>PLUGIN</replaceable>. This is only useful to

286

274

undo a previous <option>--disable</option> option, maybe

287

from the configuration file.

275

from the config file.

288

276

</para>

289

277

</listitem>

290

278

</varlistentry>

291

279

292

280

293

281

<term><option>--groupid

294

282

301

289

</para>

302

290

</listitem>

303

291

</varlistentry>

304

292

305

293

306

294

<term><option>--userid

307

295

314

302

</para>

315

303

</listitem>

316

304

</varlistentry>

317

305

318

306

319

307

<term><option>--plugin-dir

320

308

<replaceable>DIRECTORY</replaceable></option></term>

329

317

</varlistentry>

330

318

331

319

332

<term><option>--plugin-helper-dir

333

<replaceable>DIRECTORY</replaceable></option></term>

334

335

<para>

336

Specify a different plugin helper directory. The default

337

is <filename>/lib/mandos/plugin-helpers</filename>, which

338

will exist in the initial <acronym>RAM</acronym> disk

339

environment. (This will simply be passed to all plugins

340

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

341

variable. See <xref linkend="writing_plugins"/>)

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

320

<term><option>--config-file

348

321

349

322

392

365

</para>

393

366

</listitem>

394

367

</varlistentry>

395

368

396

369

397

370

<term><option>--version</option></term>

398

371

404

377

</varlistentry>

405

378

</variablelist>

406

379

</refsect1>

407

380

408

381

409

382

<title>OVERVIEW</title>

410

383

<xi:include href="overview.xml"/>

430

403

code will make this plugin-runner output the password from that

431

404

plugin, stop any other plugins, and exit.

432

405

</para>

433

434

435

<title>WRITING PLUGINS</title>

436

<para>

437

A plugin is simply a program which prints a password to its

438

standard output and then exits with a successful (zero) exit

439

status. If the exit status is not zero, any output on

440

standard output will be ignored by the plugin runner. Any

441

output on its standard error channel will simply be passed to

442

the standard error of the plugin runner, usually the system

443

console.

444

</para>

445

<para>

446

If the password is a single-line, manually entered passprase,

447

a final trailing newline character should

448

<emphasis>not</emphasis> be printed.

449

</para>

450

<para>

451

The plugin will run in the initial RAM disk environment, so

452

care must be taken not to depend on any files or running

453

services not available there. Any helper executables required

454

by the plugin (which are not in the <envar>PATH</envar>) can

455

be placed in the plugin helper directory, the name of which

456

will be made available to the plugin via the

457

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

458

</para>

459

<para>

460

The plugin must exit cleanly and free all allocated resources

461

upon getting the TERM signal, since this is what the plugin

462

runner uses to stop all other plugins when one plugin has

463

output a password and exited cleanly.

464

</para>

465

<para>

466

The plugin must not use resources, like for instance reading

467

from the standard input, without knowing that no other plugin

468

is also using it.

469

</para>

470

<para>

471

It is useful, but not required, for the plugin to take the

472

<option>--debug</option> option.

473

</para>

474

</refsect2>

475

406

</refsect1>

476

407

477

408

503

434

only passes on its environment to all the plugins. The

504

435

environment passed to plugins can be modified using the

505

436

<option>--global-env</option> and <option>--env-for</option>

506

options. Also, the <option>--plugin-helper-dir</option> option

507

will affect the environment variable

508

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

437

optins.

509

438

</para>

510

439

</refsect1>

511

440

551

480

552

481

553

482

<para>

554

The <option>--config-file</option> option is ignored when

555

specified from within a configuration file.

556

483

</para>

557

484

</refsect1>

558

485

559

486

560

487

<title>EXAMPLE</title>

561

562

<para>

563

Normal invocation needs no options:

564

</para>

565

<para>

566

<userinput>&COMMANDNAME;</userinput>

567

</para>

568

</informalexample>

569

570

<para>

571

Run the program, but not the plugins, in debug mode:

572

</para>

573

<para>

574

575

576

<userinput>&COMMANDNAME; --debug</userinput>

577

578

</para>

579

</informalexample>

580

581

<para>

582

Run all plugins, but run the <quote>foo</quote> plugin in

583

debug mode:

584

</para>

585

<para>

586

587

588

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

589

590

</para>

591

</informalexample>

592

593

<para>

594

Run all plugins, but not the program, in debug mode:

595

</para>

596

<para>

597

598

599

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

600

601

</para>

602

</informalexample>

603

604

<para>

605

Read a different configuration file, run plugins from a

606

different directory, specify an alternate plugin helper

607

directory and add two options to the

608

<citerefentry><refentrytitle >mandos-client</refentrytitle>

609

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

610

</para>

611

<para>

612

613

614

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

615

616

</para>

617

</informalexample>

488

<para>

489

</para>

618

490

</refsect1>

491

619

492

620

493

<title>SECURITY</title>

621

494

<para>

622

This program will, when starting, try to switch to another user.

623

If it is started as root, it will succeed, and will by default

624

switch to user and group 65534, which are assumed to be

625

non-privileged. This user and group is then what all plugins

626

will be started as. Therefore, the only way to run a plugin as

627

a privileged user is to have the set-user-ID or set-group-ID bit

628

set on the plugin executable file (see <citerefentry>

629

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

630

</citerefentry>).

631

</para>

632

<para>

633

If this program is used as a keyscript in <citerefentry

634

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

635

</citerefentry>, there is a slight risk that if this program

636

fails to work, there might be no way to boot the system except

637

for booting from another media and editing the initial RAM disk

638

image to not run this program. This is, however, unlikely,

639

since the <citerefentry><refentrytitle

640

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

641

</citerefentry> plugin will read a password from the console in

642

case of failure of the other plugins, and this plugin runner

643

will also, in case of catastrophic failure, itself fall back to

644

asking and outputting a password on the console (see <xref

645

linkend="fallback"/>).

646

495

</para>

647

496

</refsect1>

648

497

649

498

650

499

651

500

<para>

652

<citerefentry><refentrytitle>intro</refentrytitle>

653

<manvolnum>8mandos</manvolnum></citerefentry>,

654

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

655

502

<manvolnum>8</manvolnum></citerefentry>,

656

<citerefentry><refentrytitle>crypttab</refentrytitle>

657

<manvolnum>5</manvolnum></citerefentry>,

658

<citerefentry><refentrytitle>execve</refentrytitle>

659

<manvolnum>2</manvolnum></citerefentry>,

660

503

<citerefentry><refentrytitle>mandos</refentrytitle>

661

504

<manvolnum>8</manvolnum></citerefentry>,

662

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

663

506

<manvolnum>8mandos</manvolnum></citerefentry>,

664

<citerefentry><refentrytitle>mandos-client</refentrytitle>

507

<citerefentry><refentrytitle>password-request</refentrytitle>

665

508

<manvolnum>8mandos</manvolnum></citerefentry>

666

509

</para>

667

510

</refsect1>

Older »