/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2009-12-25 23:13:47 UTC
  • Revision ID: teddy@fukt.bsnet.se-20091225231347-gg9u9ru0wj0f24hh
More consistent terminology: Clients are no longer "invalid" - they
are "disabled".  All code and documentation changed to reflect this.

D=Bus API change: The "properties" argument was removed from the
"ClientAdded" signal on interface "se.bsnet.fukt.Mandos".  All code in
both "mandos" and "mandos-monitor" changed to reflect this.

* mandos: Replaced "with closing(F)" with simply "with F" in all
          places where F is a file object.
  (Client.still_valid): Removed.  All callers changed to look at
                        "Client.enabled" instead.
  (dbus_service_property): Check for unsupported signatures with the
                           "byte_arrays" option.
  (DBusObjectWithProperties.Set): - '' -
  (ClientHandler.handle): Use the reverse pipe to receive the
                          "Client.enabled" attribute instead of the
                          now-removed "Client.still_valid()" method.
  (ForkingMixInWithPipe): Renamed to "ForkingMixInWithPipes" (all
                          users changed).  Now also create a reverse
                          pipe for sending data to the child process.
  (ForkingMixInWithPipes.add_pipe): Now takes two pipe fd's as
                                    arguments.  All callers changed.
  (IPv6_TCPServer.handle_ipc): Take an additional "reply_fd" argument
                               (all callers changed).  Close the reply
                               pipe when the child data pipe is
                               closed.  New "GETATTR" IPC method; will
                               pickle client attribute and send it
                               over the reply pipe FD.
  (MandosDBusService.ClientAdded): Removed "properties" argument.  All
                                   emitters changed.
* mandos-clients.conf.xml (DESCRIPTION, OPTIONS): Use
                                                  "enabled/disabled"
                                                  terminology.
* mandos-ctl: Option "--is-valid" renamed to "--is-enabled".
* mandos-monitor: Enable user locale.  Try to log exceptions.
  (MandosClientPropertyCache.__init__): Removed "properties" argument.
                                        All callers changed.
  (UserInterface.add_new_client): Remove "properties" argument.  All
                                  callers changed.  Supply "logger"
                                  argument to MandosClientWidget().
  (UserInterface.add_client): New "logger" argument.  All callers
                              changed.
* mandos.xml (BUGS, SECURITY/CLIENTS): Use "enabled/disabled"
                                       terminology.

Show diffs side-by-side

added added

removed removed

Lines of Context:
1
1
<?xml version="1.0" encoding="UTF-8"?>
2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
 
<!ENTITY VERSION "1.0">
5
4
<!ENTITY COMMANDNAME "plugin-runner">
6
 
<!ENTITY TIMESTAMP "2008-09-04">
 
5
<!ENTITY TIMESTAMP "2009-01-17">
 
6
<!ENTITY % common SYSTEM "common.ent">
 
7
%common;
7
8
]>
8
9
 
9
10
<refentry xmlns:xi="http://www.w3.org/2001/XInclude">
11
12
    <title>Mandos Manual</title>
12
13
    <!-- Nwalsh’s docbook scripts use this to generate the footer: -->
13
14
    <productname>Mandos</productname>
14
 
    <productnumber>&VERSION;</productnumber>
 
15
    <productnumber>&version;</productnumber>
15
16
    <date>&TIMESTAMP;</date>
16
17
    <authorgroup>
17
18
      <author>
31
32
    </authorgroup>
32
33
    <copyright>
33
34
      <year>2008</year>
 
35
      <year>2009</year>
34
36
      <holder>Teddy Hogeborn</holder>
35
37
      <holder>Björn Påhlsson</holder>
36
38
    </copyright>
37
39
    <xi:include href="legalnotice.xml"/>
38
40
  </refentryinfo>
39
 
 
 
41
  
40
42
  <refmeta>
41
43
    <refentrytitle>&COMMANDNAME;</refentrytitle>
42
44
    <manvolnum>8mandos</manvolnum>
48
50
      Run Mandos plugins, pass data from first to succeed.
49
51
    </refpurpose>
50
52
  </refnamediv>
51
 
 
 
53
  
52
54
  <refsynopsisdiv>
53
55
    <cmdsynopsis>
54
56
      <command>&COMMANDNAME;</command>
55
57
      <group rep="repeat">
56
58
        <arg choice="plain"><option>--global-env=<replaceable
57
 
        >VAR</replaceable><literal>=</literal><replaceable
 
59
        >ENV</replaceable><literal>=</literal><replaceable
58
60
        >value</replaceable></option></arg>
59
61
        <arg choice="plain"><option>-G
60
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
62
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
61
63
        >value</replaceable> </option></arg>
62
64
      </group>
63
65
      <sbr/>
170
172
    <variablelist>
171
173
      <varlistentry>
172
174
        <term><option>--global-env
173
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
175
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
174
176
        >value</replaceable></option></term>
175
177
        <term><option>-G
176
 
        <replaceable>VAR</replaceable><literal>=</literal><replaceable
 
178
        <replaceable>ENV</replaceable><literal>=</literal><replaceable
177
179
        >value</replaceable></option></term>
178
180
        <listitem>
179
181
          <para>
247
249
          </para>
248
250
        </listitem>
249
251
      </varlistentry>
250
 
 
 
252
      
251
253
      <varlistentry>
252
254
        <term><option>--disable
253
255
        <replaceable>PLUGIN</replaceable></option></term>
261
263
          </para>       
262
264
        </listitem>
263
265
      </varlistentry>
264
 
 
 
266
      
265
267
      <varlistentry>
266
268
        <term><option>--enable
267
269
        <replaceable>PLUGIN</replaceable></option></term>
276
278
          </para>
277
279
        </listitem>
278
280
      </varlistentry>
279
 
 
 
281
      
280
282
      <varlistentry>
281
283
        <term><option>--groupid
282
284
        <replaceable>ID</replaceable></option></term>
289
291
          </para>
290
292
        </listitem>
291
293
      </varlistentry>
292
 
 
 
294
      
293
295
      <varlistentry>
294
296
        <term><option>--userid
295
297
        <replaceable>ID</replaceable></option></term>
302
304
          </para>
303
305
        </listitem>
304
306
      </varlistentry>
305
 
 
 
307
      
306
308
      <varlistentry>
307
309
        <term><option>--plugin-dir
308
310
        <replaceable>DIRECTORY</replaceable></option></term>
365
367
          </para>
366
368
        </listitem>
367
369
      </varlistentry>
368
 
 
 
370
      
369
371
      <varlistentry>
370
372
        <term><option>--version</option></term>
371
373
        <term><option>-V</option></term>
377
379
      </varlistentry>
378
380
    </variablelist>
379
381
  </refsect1>
380
 
 
 
382
  
381
383
  <refsect1 id="overview">
382
384
    <title>OVERVIEW</title>
383
385
    <xi:include href="overview.xml"/>
403
405
      code will make this plugin-runner output the password from that
404
406
      plugin, stop any other plugins, and exit.
405
407
    </para>
406
 
 
 
408
    
407
409
    <refsect2 id="writing_plugins">
408
410
      <title>WRITING PLUGINS</title>
409
411
      <para>
416
418
        console.
417
419
      </para>
418
420
      <para>
 
421
        If the password is a single-line, manually entered passprase,
 
422
        a final trailing newline character should
 
423
        <emphasis>not</emphasis> be printed.
 
424
      </para>
 
425
      <para>
419
426
        The plugin will run in the initial RAM disk environment, so
420
427
        care must be taken not to depend on any files or running
421
428
        services not available there.
564
571
    </informalexample>
565
572
    <informalexample>
566
573
      <para>
567
 
        Run plugins from a different directory and add two
568
 
        options to the <citerefentry><refentrytitle
569
 
        >password-request</refentrytitle>
 
574
        Run plugins from a different directory, read a different
 
575
        configuration file, and add two options to the
 
576
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
570
577
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
571
578
      </para>
572
579
      <para>
573
580
 
574
581
<!-- do not wrap this line -->
575
 
<userinput>&COMMANDNAME;  --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt</userinput>
 
582
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
576
583
 
577
584
      </para>
578
585
    </informalexample>
586
593
      non-privileged.  This user and group is then what all plugins
587
594
      will be started as.  Therefore, the only way to run a plugin as
588
595
      a privileged user is to have the set-user-ID or set-group-ID bit
589
 
      set on the plugin executable files (see <citerefentry>
 
596
      set on the plugin executable file (see <citerefentry>
590
597
      <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
591
598
      </citerefentry>).
592
599
    </para>
620
627
      <manvolnum>8</manvolnum></citerefentry>,
621
628
      <citerefentry><refentrytitle>password-prompt</refentrytitle>
622
629
      <manvolnum>8mandos</manvolnum></citerefentry>,
623
 
      <citerefentry><refentrytitle>password-request</refentrytitle>
 
630
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
624
631
      <manvolnum>8mandos</manvolnum></citerefentry>
625
632
    </para>
626
633
  </refsect1>