/mandos/trunk : revision 302

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2009-02-07 04:50:39 UTC
Revision ID: teddy@fukt.bsnet.se-20090207045039-xkr6b80vtqwqrq8l

* Makefile (install-client-nokey): Move "initramfs-tools-script" from
                                   "/scripts/local-top/mandos" to
                                   "/scripts/init-premount/mandos".
  (uninstall-client): - '' -
* debian/mandos-client.dirs: - '' -
* initramfs-tools-script (PREREQ): Added "udev".

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

INSTALL

NEWS

README

common.ent

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/watch

default-mandos

init.d-mandos

mandos-ctl

mandos.lsm

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2008-09-02">

<!ENTITY TIMESTAMP "2009-01-17">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins. Pass data from first succesful one.

Run Mandos plugins, pass data from first to succeed.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>VAR</replaceable><literal>=</literal><replaceable

>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>VAR</replaceable><literal>=</literal><replaceable

<replaceable>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

140

142

<title>DESCRIPTION</title>

141

143

<para>

142

144

<command>&COMMANDNAME;</command> is a program which is meant to

143

be specified as <quote>keyscript</quote> in <citerefentry>

144

<refentrytitle>crypttab</refentrytitle>

145

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

146

aim of this program is therefore to output a password, which

147

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

148

<manvolnum>8</manvolnum></citerefentry> will use to try and

149

unlock the root disk.

145

be specified as a <quote>keyscript</quote> for the root disk in

146

<citerefentry><refentrytitle>crypttab</refentrytitle>

147

<manvolnum>5</manvolnum></citerefentry>. The aim of this

148

program is therefore to output a password, which then

149

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

150

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

151

root disk.

150

152

</para>

151

153

<para>

152

154

This program is not meant to be invoked directly, but can be in

170

172

171

173

172

174

<term><option>--global-env

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

175

<replaceable>ENV</replaceable><literal>=</literal><replaceable

174

176

>value</replaceable></option></term>

175

<term><option>-e

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

177

<term><option>-G

178

<replaceable>ENV</replaceable><literal>=</literal><replaceable

177

179

>value</replaceable></option></term>

178

180

179

181

<para>

189

191

<replaceable>PLUGIN</replaceable><literal>:</literal

190

192

><replaceable>ENV</replaceable><literal>=</literal

191

193

><replaceable>value</replaceable></option></term>

192

<term><option>-f

194

<term><option>-E

193

195

<replaceable>PLUGIN</replaceable><literal>:</literal

194

196

><replaceable>ENV</replaceable><literal>=</literal

195

197

><replaceable>value</replaceable></option></term>

215

217

<replaceable>OPTIONS</replaceable> is a comma separated

216

218

list of options. This is not a very useful option, except

217

219

for specifying the <quote><option>--debug</option></quote>

218

for all plugins.

220

option to all plugins.

219

221

</para>

220

222

</listitem>

221

223

</varlistentry>

241

243

<option>--bar</option> with the option argument

242

244

<quote>baz</quote> is either

243

245

<userinput>--options-for=foo:--bar=baz</userinput> or

244

<userinput>--options-for=foo:--bar,baz</userinput>, but

245

246

<userinput>--options-for="foo:--bar baz"</userinput>.

246

<userinput>--options-for=foo:--bar,baz</userinput>. Using

247

<userinput>--options-for="foo:--bar baz"</userinput>. will

248

<emphasis>not</emphasis> work.

247

249

</para>

248

250

</listitem>

249

251

</varlistentry>

250

252

251

253

252

254

<term><option>--disable

253

255

<replaceable>PLUGIN</replaceable></option></term>

261

263

</para>

262

264

</listitem>

263

265

</varlistentry>

264

266

265

267

266

268

<term><option>--enable

267

269

<replaceable>PLUGIN</replaceable></option></term>

272

274

Re-enable the plugin named

273

275

<replaceable>PLUGIN</replaceable>. This is only useful to

274

276

undo a previous <option>--disable</option> option, maybe

275

from the config file.

277

from the configuration file.

276

278

</para>

277

279

</listitem>

278

280

</varlistentry>

279

281

280

282

281

283

<term><option>--groupid

282

284

289

291

</para>

290

292

</listitem>

291

293

</varlistentry>

292

294

293

295

294

296

<term><option>--userid

295

297

302

304

</para>

303

305

</listitem>

304

306

</varlistentry>

305

307

306

308

307

309

<term><option>--plugin-dir

308

310

<replaceable>DIRECTORY</replaceable></option></term>

365

367

</para>

366

368

</listitem>

367

369

</varlistentry>

368

370

369

371

370

372

<term><option>--version</option></term>

371

373

377

379

</varlistentry>

378

380

</variablelist>

379

381

</refsect1>

380

382

381

383

382

384

<title>OVERVIEW</title>

383

385

<xi:include href="overview.xml"/>

403

405

code will make this plugin-runner output the password from that

404

406

plugin, stop any other plugins, and exit.

405

407

</para>

408

409

410

<title>WRITING PLUGINS</title>

411

<para>

412

A plugin is simply a program which prints a password to its

413

standard output and then exits with a successful (zero) exit

414

status. If the exit status is not zero, any output on

415

standard output will be ignored by the plugin runner. Any

416

output on its standard error channel will simply be passed to

417

the standard error of the plugin runner, usually the system

418

console.

419

</para>

420

<para>

421

If the password is a single-line, manually entered passprase,

422

a final trailing newline character should

423

<emphasis>not</emphasis> be printed.

424

</para>

425

<para>

426

The plugin will run in the initial RAM disk environment, so

427

care must be taken not to depend on any files or running

428

services not available there.

429

</para>

430

<para>

431

The plugin must exit cleanly and free all allocated resources

432

upon getting the TERM signal, since this is what the plugin

433

runner uses to stop all other plugins when one plugin has

434

output a password and exited cleanly.

435

</para>

436

<para>

437

The plugin must not use resources, like for instance reading

438

from the standard input, without knowing that no other plugin

439

is also using it.

440

</para>

441

<para>

442

It is useful, but not required, for the plugin to take the

443

<option>--debug</option> option.

444

</para>

445

</refsect2>

406

446

</refsect1>

407

447

408

448

434

474

only passes on its environment to all the plugins. The

435

475

environment passed to plugins can be modified using the

436

476

<option>--global-env</option> and <option>--env-for</option>

437

optins.

477

options.

438

478

</para>

439

479

</refsect1>

440

480

520

481

521

482

522

<para>

523

The <option>--config-file</option> option is ignored when

524

specified from within a configuration file.

483

525

</para>

484

526

</refsect1>

485

527

486

528

487

529

<title>EXAMPLE</title>

488

<para>

489

</para>

530

531

<para>

532

Normal invocation needs no options:

533

</para>

534

<para>

535

<userinput>&COMMANDNAME;</userinput>

536

</para>

537

</informalexample>

538

539

<para>

540

Run the program, but not the plugins, in debug mode:

541

</para>

542

<para>

543

544

545

<userinput>&COMMANDNAME; --debug</userinput>

546

547

</para>

548

</informalexample>

549

550

<para>

551

Run all plugins, but run the <quote>foo</quote> plugin in

552

debug mode:

553

</para>

554

<para>

555

556

557

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

558

559

</para>

560

</informalexample>

561

562

<para>

563

Run all plugins, but not the program, in debug mode:

564

</para>

565

<para>

566

567

568

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

569

570

</para>

571

</informalexample>

572

573

<para>

574

Run plugins from a different directory, read a different

575

configuration file, and add two options to the

576

<citerefentry><refentrytitle >mandos-client</refentrytitle>

577

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

578

</para>

579

<para>

580

581

582

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

583

584

</para>

585

</informalexample>

490

586

</refsect1>

491

492

587

493

588

<title>SECURITY</title>

494

589

<para>

590

This program will, when starting, try to switch to another user.

591

If it is started as root, it will succeed, and will by default

592

switch to user and group 65534, which are assumed to be

593

non-privileged. This user and group is then what all plugins

594

will be started as. Therefore, the only way to run a plugin as

595

a privileged user is to have the set-user-ID or set-group-ID bit

596

set on the plugin executable file (see <citerefentry>

597

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

598

</citerefentry>).

599

</para>

600

<para>

601

If this program is used as a keyscript in <citerefentry

602

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

603

</citerefentry>, there is a slight risk that if this program

604

fails to work, there might be no way to boot the system except

605

for booting from another media and editing the initial RAM disk

606

image to not run this program. This is, however, unlikely,

607

since the <citerefentry><refentrytitle

608

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

609

</citerefentry> plugin will read a password from the console in

610

case of failure of the other plugins, and this plugin runner

611

will also, in case of catastrophic failure, itself fall back to

612

asking and outputting a password on the console (see <xref

613

linkend="fallback"/>).

495

614

</para>

496

615

</refsect1>

497

616

500

619

<para>

501

620

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

502

621

<manvolnum>8</manvolnum></citerefentry>,

622

<citerefentry><refentrytitle>crypttab</refentrytitle>

623

<manvolnum>5</manvolnum></citerefentry>,

624

<citerefentry><refentrytitle>execve</refentrytitle>

625

<manvolnum>2</manvolnum></citerefentry>,

503

626

<citerefentry><refentrytitle>mandos</refentrytitle>

504

627

<manvolnum>8</manvolnum></citerefentry>,

505

628

<citerefentry><refentrytitle>password-prompt</refentrytitle>

506

629

<manvolnum>8mandos</manvolnum></citerefentry>,

507

<citerefentry><refentrytitle>password-request</refentrytitle>

630

<citerefentry><refentrytitle>mandos-client</refentrytitle>

508

631

<manvolnum>8mandos</manvolnum></citerefentry>

509

632

</para>

510

633

</refsect1>

Older »