/mandos/trunk : revision 24.1.81

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Björn Påhlsson
Date: 2008-09-03 18:47:50 UTC
mto: (24.1.154 mandos) (237.4.3 mandos-release)
mto: This revision was merged to the branch mainline in revision 149.
Revision ID: belorn@braxen-20080903184750-s0k0jrrq0lxiamwh

removed keyring pre-requirement for starting password-request.
Keys will now be imported in run-time to a run-time created keyring

Changed seckey and pubkey to be paths to private and public keys of the pgp encrypted password and gnutls authentication credentials.

files added:
plugins.d/usplash

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files renamed:
plugins.d/mandos-client.c => plugins.d/password-request.c

plugins.d/mandos-client.xml => plugins.d/password-request.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2016-03-17">

<!ENTITY % common SYSTEM "common.ent">

%common;

<!ENTITY TIMESTAMP "2008-09-02">

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<productnumber>&VERSION;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins, pass data from first to succeed.

Run Mandos plugins. Pass data from first succesful one.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>ENV</replaceable><literal>=</literal><replaceable

>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

<replaceable>VAR</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

120

111

<arg><option>--plugin-dir=<replaceable

121

112

>DIRECTORY</replaceable></option></arg>

122

113

<sbr/>

123

<arg><option>--plugin-helper-dir=<replaceable

124

>DIRECTORY</replaceable></option></arg>

125

<sbr/>

126

114

<arg><option>--config-file=<replaceable

127

115

>FILE</replaceable></option></arg>

128

116

<sbr/>

152

140

<title>DESCRIPTION</title>

153

141

<para>

154

142

<command>&COMMANDNAME;</command> is a program which is meant to

155

be specified as a <quote>keyscript</quote> for the root disk in

156

<citerefentry><refentrytitle>crypttab</refentrytitle>

157

<manvolnum>5</manvolnum></citerefentry>. The aim of this

158

program is therefore to output a password, which then

159

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

160

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

161

root disk.

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

162

150

</para>

163

151

<para>

164

152

This program is not meant to be invoked directly, but can be in

182

170

183

171

184

172

<term><option>--global-env

185

<replaceable>ENV</replaceable><literal>=</literal><replaceable

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

186

174

>value</replaceable></option></term>

187

<term><option>-G

188

<replaceable>ENV</replaceable><literal>=</literal><replaceable

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

189

177

>value</replaceable></option></term>

190

178

191

179

<para>

201

189

<replaceable>PLUGIN</replaceable><literal>:</literal

202

190

><replaceable>ENV</replaceable><literal>=</literal

203

191

><replaceable>value</replaceable></option></term>

204

<term><option>-E

192

<term><option>-f

205

193

<replaceable>PLUGIN</replaceable><literal>:</literal

206

194

><replaceable>ENV</replaceable><literal>=</literal

207

195

><replaceable>value</replaceable></option></term>

227

215

<replaceable>OPTIONS</replaceable> is a comma separated

228

216

list of options. This is not a very useful option, except

229

217

for specifying the <quote><option>--debug</option></quote>

230

option to all plugins.

218

for all plugins.

231

219

</para>

232

220

</listitem>

233

221

</varlistentry>

253

241

<option>--bar</option> with the option argument

254

242

<quote>baz</quote> is either

255

243

<userinput>--options-for=foo:--bar=baz</userinput> or

256

<userinput>--options-for=foo:--bar,baz</userinput>. Using

257

<userinput>--options-for="foo:--bar baz"</userinput>. will

258

<emphasis>not</emphasis> work.

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

259

247

</para>

260

248

</listitem>

261

249

</varlistentry>

262

250

263

251

264

252

<term><option>--disable

265

253

<replaceable>PLUGIN</replaceable></option></term>

270

258

Disable the plugin named

271

259

<replaceable>PLUGIN</replaceable>. The plugin will not be

272

260

started.

273

</para>

261

</para>

274

262

</listitem>

275

263

</varlistentry>

276

264

277

265

278

266

<term><option>--enable

279

267

<replaceable>PLUGIN</replaceable></option></term>

284

272

Re-enable the plugin named

285

273

<replaceable>PLUGIN</replaceable>. This is only useful to

286

274

undo a previous <option>--disable</option> option, maybe

287

from the configuration file.

275

from the config file.

288

276

</para>

289

277

</listitem>

290

278

</varlistentry>

291

279

292

280

293

281

<term><option>--groupid

294

282

301

289

</para>

302

290

</listitem>

303

291

</varlistentry>

304

292

305

293

306

294

<term><option>--userid

307

295

314

302

</para>

315

303

</listitem>

316

304

</varlistentry>

317

305

318

306

319

307

<term><option>--plugin-dir

320

308

<replaceable>DIRECTORY</replaceable></option></term>

329

317

</varlistentry>

330

318

331

319

332

<term><option>--plugin-helper-dir

333

<replaceable>DIRECTORY</replaceable></option></term>

334

335

<para>

336

Specify a different plugin helper directory. The default

337

is <filename>/lib/mandos/plugin-helpers</filename>, which

338

will exist in the initial <acronym>RAM</acronym> disk

339

environment. (This will simply be passed to all plugins

340

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

341

variable. See <xref linkend="writing_plugins"/>)

342

</para>

343

</listitem>

344

</varlistentry>

345

346

347

320

<term><option>--config-file

348

321

349

322

392

365

</para>

393

366

</listitem>

394

367

</varlistentry>

395

368

396

369

397

370

<term><option>--version</option></term>

398

371

404

377

</varlistentry>

405

378

</variablelist>

406

379

</refsect1>

407

380

408

381

409

382

<title>OVERVIEW</title>

410

383

<xi:include href="overview.xml"/>

430

403

code will make this plugin-runner output the password from that

431

404

plugin, stop any other plugins, and exit.

432

405

</para>

433

434

435

<title>WRITING PLUGINS</title>

436

<para>

437

A plugin is simply a program which prints a password to its

438

standard output and then exits with a successful (zero) exit

439

status. If the exit status is not zero, any output on

440

standard output will be ignored by the plugin runner. Any

441

output on its standard error channel will simply be passed to

442

the standard error of the plugin runner, usually the system

443

console.

444

</para>

445

<para>

446

If the password is a single-line, manually entered passprase,

447

a final trailing newline character should

448

<emphasis>not</emphasis> be printed.

449

</para>

450

<para>

451

The plugin will run in the initial RAM disk environment, so

452

care must be taken not to depend on any files or running

453

services not available there. Any helper executables required

454

by the plugin (which are not in the <envar>PATH</envar>) can

455

be placed in the plugin helper directory, the name of which

456

will be made available to the plugin via the

457

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

458

</para>

459

<para>

460

The plugin must exit cleanly and free all allocated resources

461

upon getting the TERM signal, since this is what the plugin

462

runner uses to stop all other plugins when one plugin has

463

output a password and exited cleanly.

464

</para>

465

<para>

466

The plugin must not use resources, like for instance reading

467

from the standard input, without knowing that no other plugin

468

is also using it.

469

</para>

470

<para>

471

It is useful, but not required, for the plugin to take the

472

<option>--debug</option> option.

473

</para>

474

</refsect2>

475

406

</refsect1>

476

407

477

408

503

434

only passes on its environment to all the plugins. The

504

435

environment passed to plugins can be modified using the

505

436

<option>--global-env</option> and <option>--env-for</option>

506

options. Also, the <option>--plugin-helper-dir</option> option

507

will affect the environment variable

508

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

437

optins.

509

438

</para>

510

439

</refsect1>

511

440

544

473

</para>

545

474

</listitem>

546

475

</varlistentry>

547

548

<term><filename class="directory"

549

>/lib/mandos/plugins.d</filename></term>

550

551

<para>

552

The default plugin directory; can be changed by the

553

<option>--plugin-dir</option> option.

554

</para>

555

</listitem>

556

</varlistentry>

557

558

<term><filename class="directory"

559

>/lib/mandos/plugin-helpers</filename></term>

560

561

<para>

562

The default plugin helper directory; can be changed by

563

the <option>--plugin-helper-dir</option> option.

564

</para>

565

</listitem>

566

</varlistentry>

567

476

</variablelist>

568

477

</para>

569

478

</refsect1>

571

480

572

481

573

482

<para>

574

The <option>--config-file</option> option is ignored when

575

specified from within a configuration file.

576

483

</para>

577

<xi:include href="bugs.xml"/>

578

484

</refsect1>

579

485

580

486

581

487

<title>EXAMPLE</title>

582

583

<para>

584

Normal invocation needs no options:

585

</para>

586

<para>

587

<userinput>&COMMANDNAME;</userinput>

588

</para>

589

</informalexample>

590

591

<para>

592

Run the program, but not the plugins, in debug mode:

593

</para>

594

<para>

595

596

597

<userinput>&COMMANDNAME; --debug</userinput>

598

599

</para>

600

</informalexample>

601

602

<para>

603

Run all plugins, but run the <quote>foo</quote> plugin in

604

debug mode:

605

</para>

606

<para>

607

608

609

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

610

611

</para>

612

</informalexample>

613

614

<para>

615

Run all plugins, but not the program, in debug mode:

616

</para>

617

<para>

618

619

620

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

621

622

</para>

623

</informalexample>

624

625

<para>

626

Read a different configuration file, run plugins from a

627

different directory, specify an alternate plugin helper

628

directory and add two options to the

629

<citerefentry><refentrytitle >mandos-client</refentrytitle>

630

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

631

</para>

632

<para>

633

634

635

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

636

637

</para>

638

</informalexample>

488

<para>

489

</para>

639

490

</refsect1>

491

640

492

641

493

<title>SECURITY</title>

642

494

<para>

643

This program will, when starting, try to switch to another user.

644

If it is started as root, it will succeed, and will by default

645

switch to user and group 65534, which are assumed to be

646

non-privileged. This user and group is then what all plugins

647

will be started as. Therefore, the only way to run a plugin as

648

a privileged user is to have the set-user-ID or set-group-ID bit

649

set on the plugin executable file (see <citerefentry>

650

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

651

</citerefentry>).

652

</para>

653

<para>

654

If this program is used as a keyscript in <citerefentry

655

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

656

</citerefentry>, there is a slight risk that if this program

657

fails to work, there might be no way to boot the system except

658

for booting from another media and editing the initial RAM disk

659

image to not run this program. This is, however, unlikely,

660

since the <citerefentry><refentrytitle

661

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

662

</citerefentry> plugin will read a password from the console in

663

case of failure of the other plugins, and this plugin runner

664

will also, in case of catastrophic failure, itself fall back to

665

asking and outputting a password on the console (see <xref

666

linkend="fallback"/>).

667

495

</para>

668

496

</refsect1>

669

497

670

498

671

499

672

500

<para>

673

<citerefentry><refentrytitle>intro</refentrytitle>

674

<manvolnum>8mandos</manvolnum></citerefentry>,

675

501

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

676

502

<manvolnum>8</manvolnum></citerefentry>,

677

<citerefentry><refentrytitle>crypttab</refentrytitle>

678

<manvolnum>5</manvolnum></citerefentry>,

679

<citerefentry><refentrytitle>execve</refentrytitle>

680

<manvolnum>2</manvolnum></citerefentry>,

681

503

<citerefentry><refentrytitle>mandos</refentrytitle>

682

504

<manvolnum>8</manvolnum></citerefentry>,

683

505

<citerefentry><refentrytitle>password-prompt</refentrytitle>

684

506

<manvolnum>8mandos</manvolnum></citerefentry>,

685

<citerefentry><refentrytitle>mandos-client</refentrytitle>

507

<citerefentry><refentrytitle>password-request</refentrytitle>

686

508

<manvolnum>8mandos</manvolnum></citerefentry>

687

509

</para>

688

510

</refsect1>

Older »