/mandos/trunk : revision 738.1.1

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2015-06-28 16:35:27 UTC
mto: This revision was merged to the branch mainline in revision 759.
Revision ID: teddy@recompile.se-20150628163527-cky0ec59zew7teua

Add a plugin helper directory, available to all plugins.

* Makefile (PLUGIN_HELPERS): New; list of plugin helpers.
  (CPROGS): Appended "$(PLUGIN_HELPERS)".
* initramfs-tools-hook: Create new plugin helper directory, and copy
                        plugin helpers provided by the system and/or
                        by the local administrator.
  (PLUGINHELPERDIR): New.
* plugin-runner.c: Take new --plugin-helper-dir option and provide
                   environment variable to all plugins.
  (PHDIR): New; set to "/lib/mandos/plugin-helpers".
  (main/pluginhelperdir): New.
  (main/options): New option "--plugin-helper-dir".
  (main/parse_opt, main/parse_opt_config_file): Accept new option.
  (main): Use new option to set MANDOSPLUGINHELPERDIR environment
          variable as if using --global-env MANDOSPLUGINHELPERDIR=...
* plugin-runner.xml: Document new --plugin-helper-dir option.
  (SYNOPSIS, OPTIONS): Add "--plugin-helper-dir" option.
  (PLUGINS/WRITING PLUGINS): Document new environment variable
                             available to plugins.
  (ENVIRONMENT): Document new environment variable
                 "MANDOSPLUGINHELPERDIR" affected by the new
                 --plugin-helper-dir option.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2008-09-01">

<!ENTITY TIMESTAMP "2015-06-28">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

<refname><command>&COMMANDNAME;</command></refname>

Run Mandos plugins. Pass data from first succesful one.

Run Mandos plugins, pass data from first to succeed.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>VAR</replaceable><literal>=</literal><replaceable

>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-e

<replaceable>VAR</replaceable><literal>=</literal><replaceable

<arg choice="plain"><option>-G

<replaceable>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

>PLUGIN</replaceable><literal>:</literal><replaceable

>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

PLUGIN</replaceable><literal>:</literal><replaceable

>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

<arg choice="plain"><option>--options-for=<replaceable

>PLUGIN</replaceable><literal>:</literal><replaceable

>OPTIONS</replaceable></option></arg>

PLUGIN</replaceable><literal>:</literal><replaceable

>OPTIONS</replaceable> </option></arg>

</group>

<replaceable>PLUGIN</replaceable> </option></arg>

</group>

100

<sbr/>

101

102

<arg choice="plain"><option>--enable=<replaceable

103

>PLUGIN</replaceable></option></arg>

104

<arg choice="plain"><option>-e

105

<replaceable>PLUGIN</replaceable> </option></arg>

106

</group>

107

<sbr/>

108

<arg><option>--groupid=<replaceable

109

>ID</replaceable></option></arg>

100

110

<sbr/>

104

114

<arg><option>--plugin-dir=<replaceable

105

115

>DIRECTORY</replaceable></option></arg>

106

116

<sbr/>

117

<arg><option>--plugin-helper-dir=<replaceable

118

>DIRECTORY</replaceable></option></arg>

119

<sbr/>

120

<arg><option>--config-file=<replaceable

121

>FILE</replaceable></option></arg>

122

<sbr/>

107

123

<arg><option>--debug</option></arg>

108

124

</cmdsynopsis>

109

125

130

146

<title>DESCRIPTION</title>

131

147

<para>

132

148

<command>&COMMANDNAME;</command> is a program which is meant to

133

be specified as <quote>keyscript</quote> in <citerefentry>

134

<refentrytitle>crypttab</refentrytitle>

135

<manvolnum>5</manvolnum></citerefentry> for the root disk. The

136

aim of this program is therefore to output a password, which

137

then <citerefentry><refentrytitle>cryptsetup</refentrytitle>

138

<manvolnum>8</manvolnum></citerefentry> will use to try and

139

unlock the root disk.

149

be specified as a <quote>keyscript</quote> for the root disk in

150

<citerefentry><refentrytitle>crypttab</refentrytitle>

151

<manvolnum>5</manvolnum></citerefentry>. The aim of this

152

program is therefore to output a password, which then

153

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

154

<manvolnum>8</manvolnum></citerefentry> will use to unlock the

155

root disk.

140

156

</para>

141

157

<para>

142

158

This program is not meant to be invoked directly, but can be in

160

176

161

177

162

178

<term><option>--global-env

163

<replaceable>VAR</replaceable><literal>=</literal><replaceable

179

<replaceable>ENV</replaceable><literal>=</literal><replaceable

164

180

>value</replaceable></option></term>

165

<term><option>-e

166

<replaceable>VAR</replaceable><literal>=</literal><replaceable

181

<term><option>-G

182

<replaceable>ENV</replaceable><literal>=</literal><replaceable

167

183

>value</replaceable></option></term>

168

184

169

185

<para>

170

186

This option will add an environment variable setting to

187

all plugins. This will override any inherited environment

188

variable.

171

189

</para>

172

190

</listitem>

173

191

</varlistentry>

177

195

<replaceable>PLUGIN</replaceable><literal>:</literal

178

196

><replaceable>ENV</replaceable><literal>=</literal

179

197

><replaceable>value</replaceable></option></term>

180

<term><option>-f

198

<term><option>-E

181

199

<replaceable>PLUGIN</replaceable><literal>:</literal

182

200

><replaceable>ENV</replaceable><literal>=</literal

183

201

><replaceable>value</replaceable></option></term>

184

202

185

203

<para>

204

This option will add an environment variable setting to

205

the <replaceable>PLUGIN</replaceable> plugin. This will

206

override any inherited environment variables or

207

environment variables specified using

208

<option>--global-env</option>.

186

209

</para>

187

210

</listitem>

188

211

</varlistentry>

198

221

<replaceable>OPTIONS</replaceable> is a comma separated

199

222

list of options. This is not a very useful option, except

200

223

for specifying the <quote><option>--debug</option></quote>

201

for all plugins.

224

option to all plugins.

202

225

</para>

203

226

</listitem>

204

227

</varlistentry>

224

247

<option>--bar</option> with the option argument

225

248

<quote>baz</quote> is either

226

249

<userinput>--options-for=foo:--bar=baz</userinput> or

227

<userinput>--options-for=foo:--bar,baz</userinput>, but

228

229

<userinput>--options-for="foo:--bar baz"</userinput>.

250

<userinput>--options-for=foo:--bar,baz</userinput>. Using

251

<userinput>--options-for="foo:--bar baz"</userinput>. will

252

<emphasis>not</emphasis> work.

230

253

</para>

231

254

</listitem>

232

255

</varlistentry>

233

256

234

257

235

<term><option> --disable

258

<term><option>--disable

236

259

<replaceable>PLUGIN</replaceable></option></term>

237

260

<term><option>-d

238

261

<replaceable>PLUGIN</replaceable></option></term>

241

264

Disable the plugin named

242

265

<replaceable>PLUGIN</replaceable>. The plugin will not be

243

266

started.

244

</para>

245

</listitem>

246

</varlistentry>

247

267

</para>

268

</listitem>

269

</varlistentry>

270

271

272

<term><option>--enable

273

<replaceable>PLUGIN</replaceable></option></term>

274

<term><option>-e

275

<replaceable>PLUGIN</replaceable></option></term>

276

277

<para>

278

Re-enable the plugin named

279

<replaceable>PLUGIN</replaceable>. This is only useful to

280

undo a previous <option>--disable</option> option, maybe

281

from the configuration file.

282

</para>

283

</listitem>

284

</varlistentry>

285

248

286

249

287

<term><option>--groupid

250

288

257

295

</para>

258

296

</listitem>

259

297

</varlistentry>

260

298

261

299

262

300

<term><option>--userid

263

301

270

308

</para>

271

309

</listitem>

272

310

</varlistentry>

273

311

274

312

275

313

<term><option>--plugin-dir

276

314

<replaceable>DIRECTORY</replaceable></option></term>

285

323

</varlistentry>

286

324

287

325

326

<term><option>--plugin-helper-dir

327

<replaceable>DIRECTORY</replaceable></option></term>

328

329

<para>

330

Specify a different plugin helper directory. The default

331

is <filename>/lib/mandos/plugin-helpers</filename>, which

332

will exist in the initial <acronym>RAM</acronym> disk

333

environment. (This will simply be passed to all plugins

334

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

335

variable. See <xref linkend="writing_plugins"/>)

336

</para>

337

</listitem>

338

</varlistentry>

339

340

341

<term><option>--config-file

342

343

344

<para>

345

Specify a different file to read additional options from.

346

See <xref linkend="files"/>. Other command line options

347

will override options specified in the file.

348

</para>

349

</listitem>

350

</varlistentry>

351

352

288

353

<term><option>--debug</option></term>

289

354

290

355

<para>

321

386

</para>

322

387

</listitem>

323

388

</varlistentry>

324

389

325

390

326

391

<term><option>--version</option></term>

327

392

333

398

</varlistentry>

334

399

</variablelist>

335

400

</refsect1>

336

401

337

402

338

403

<title>OVERVIEW</title>

339

404

<xi:include href="overview.xml"/>

359

424

code will make this plugin-runner output the password from that

360

425

plugin, stop any other plugins, and exit.

361

426

</para>

427

428

429

<title>WRITING PLUGINS</title>

430

<para>

431

A plugin is simply a program which prints a password to its

432

standard output and then exits with a successful (zero) exit

433

status. If the exit status is not zero, any output on

434

standard output will be ignored by the plugin runner. Any

435

output on its standard error channel will simply be passed to

436

the standard error of the plugin runner, usually the system

437

console.

438

</para>

439

<para>

440

If the password is a single-line, manually entered passprase,

441

a final trailing newline character should

442

<emphasis>not</emphasis> be printed.

443

</para>

444

<para>

445

The plugin will run in the initial RAM disk environment, so

446

care must be taken not to depend on any files or running

447

services not available there. Any helper executables required

448

by the plugin (which are not in the <envar>PATH</envar>) can

449

be placed in the plugin helper directory, the name of which

450

will be made available to the plugin via the

451

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

452

</para>

453

<para>

454

The plugin must exit cleanly and free all allocated resources

455

upon getting the TERM signal, since this is what the plugin

456

runner uses to stop all other plugins when one plugin has

457

output a password and exited cleanly.

458

</para>

459

<para>

460

The plugin must not use resources, like for instance reading

461

from the standard input, without knowing that no other plugin

462

is also using it.

463

</para>

464

<para>

465

It is useful, but not required, for the plugin to take the

466

<option>--debug</option> option.

467

</para>

468

</refsect2>

362

469

</refsect1>

363

470

364

471

386

493

387

494

<title>ENVIRONMENT</title>

388

495

<para>

389

496

This program does not use any environment variables itself, it

497

only passes on its environment to all the plugins. The

498

environment passed to plugins can be modified using the

499

<option>--global-env</option> and <option>--env-for</option>

500

options. Also, the <option>--plugin-helper-dir</option> option

501

will affect the environment variable

502

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

390

503

</para>

391

504

</refsect1>

392

505

393

506

394

507

<title>FILES</title>

395

508

<para>

396

509

407

520

everything from a <quote>#</quote> character to the end

408

521

of a line is ignored.

409

522

</para>

523

<para>

524

This program is meant to run in the initial RAM disk

525

environment, so that is where this file is assumed to

526

exist. The file does not need to exist in the normal

527

file system.

528

</para>

529

<para>

530

This file will be processed <emphasis>before</emphasis>

531

the normal command line options, so the latter can

532

override the former, if need be.

533

</para>

534

<para>

535

This file name is the default; the file to read for

536

arguments can be changed using the

537

<option>--config-file</option> option.

538

</para>

410

539

</listitem>

411

540

</varlistentry>

412

541

</variablelist>

416

545

417

546

418

547

<para>

548

The <option>--config-file</option> option is ignored when

549

specified from within a configuration file.

419

550

</para>

420

551

</refsect1>

421

552

422

553

423

554

<title>EXAMPLE</title>

424

<para>

425

</para>

555

556

<para>

557

Normal invocation needs no options:

558

</para>

559

<para>

560

<userinput>&COMMANDNAME;</userinput>

561

</para>

562

</informalexample>

563

564

<para>

565

Run the program, but not the plugins, in debug mode:

566

</para>

567

<para>

568

569

570

<userinput>&COMMANDNAME; --debug</userinput>

571

572

</para>

573

</informalexample>

574

575

<para>

576

Run all plugins, but run the <quote>foo</quote> plugin in

577

debug mode:

578

</para>

579

<para>

580

581

582

<userinput>&COMMANDNAME; --options-for=foo:--debug</userinput>

583

584

</para>

585

</informalexample>

586

587

<para>

588

Run all plugins, but not the program, in debug mode:

589

</para>

590

<para>

591

592

593

<userinput>&COMMANDNAME; --global-options=--debug</userinput>

594

595

</para>

596

</informalexample>

597

598

<para>

599

Run plugins from a different directory, read a different

600

configuration file, and add two options to the

601

<citerefentry><refentrytitle >mandos-client</refentrytitle>

602

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

603

</para>

604

<para>

605

606

607

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

608

609

</para>

610

</informalexample>

426

611

</refsect1>

427

428

612

429

613

<title>SECURITY</title>

430

614

<para>

615

This program will, when starting, try to switch to another user.

616

If it is started as root, it will succeed, and will by default

617

switch to user and group 65534, which are assumed to be

618

non-privileged. This user and group is then what all plugins

619

will be started as. Therefore, the only way to run a plugin as

620

a privileged user is to have the set-user-ID or set-group-ID bit

621

set on the plugin executable file (see <citerefentry>

622

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

623

</citerefentry>).

624

</para>

625

<para>

626

If this program is used as a keyscript in <citerefentry

627

><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum>

628

</citerefentry>, there is a slight risk that if this program

629

fails to work, there might be no way to boot the system except

630

for booting from another media and editing the initial RAM disk

631

image to not run this program. This is, however, unlikely,

632

since the <citerefentry><refentrytitle

633

>password-prompt</refentrytitle><manvolnum>8mandos</manvolnum>

634

</citerefentry> plugin will read a password from the console in

635

case of failure of the other plugins, and this plugin runner

636

will also, in case of catastrophic failure, itself fall back to

637

asking and outputting a password on the console (see <xref

638

linkend="fallback"/>).

431

639

</para>

432

640

</refsect1>

433

641

434

642

435

643

436

644

<para>

645

<citerefentry><refentrytitle>intro</refentrytitle>

646

<manvolnum>8mandos</manvolnum></citerefentry>,

437

647

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

438

648

<manvolnum>8</manvolnum></citerefentry>,

649

<citerefentry><refentrytitle>crypttab</refentrytitle>

650

<manvolnum>5</manvolnum></citerefentry>,

651

<citerefentry><refentrytitle>execve</refentrytitle>

652

<manvolnum>2</manvolnum></citerefentry>,

439

653

<citerefentry><refentrytitle>mandos</refentrytitle>

440

654

<manvolnum>8</manvolnum></citerefentry>,

441

655

<citerefentry><refentrytitle>password-prompt</refentrytitle>

442

656

<manvolnum>8mandos</manvolnum></citerefentry>,

443

<citerefentry><refentrytitle>password-request</refentrytitle>

657

<citerefentry><refentrytitle>mandos-client</refentrytitle>

444

658

<manvolnum>8mandos</manvolnum></citerefentry>

445

659

</para>

446

660

</refsect1>

Older »