Viewing changes to plugin-runner.xml

  • Committer: Teddy Hogeborn
  • Date: 2016-03-04 22:07:35 UTC
  • Revision ID: teddy@recompile.se-20160304220735-4xeeqt5p4nhw5cuh
Restrict the Mandos server daemon in the systemd service file.

* mandos.service ([Service]/ProtectSystem): Set to "full".
 ([Service]/PrivateTmp, [Service]/PrivateDevices,
  [Service]/ProtectHome): Set to "yes".
 ([Service]/CapabilityBoundingSet): Set to "CAP_SETUID
                                    CAP_DAC_OVERRIDE CAP_NET_RAW".

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "plugin-runner">
5
 
<!ENTITY TIMESTAMP "2008-09-30">
 
5
<!ENTITY TIMESTAMP "2016-02-28">
6
6
<!ENTITY % common SYSTEM "common.ent">
7
7
%common;
8
8
]>
19
19
        <firstname>Björn</firstname>
20
20
        <surname>Påhlsson</surname>
21
21
        <address>
22
 
          <email>belorn@fukt.bsnet.se</email>
 
22
          <email>belorn@recompile.se</email>
23
23
        </address>
24
24
      </author>
25
25
      <author>
26
26
        <firstname>Teddy</firstname>
27
27
        <surname>Hogeborn</surname>
28
28
        <address>
29
 
          <email>teddy@fukt.bsnet.se</email>
 
29
          <email>teddy@recompile.se</email>
30
30
        </address>
31
31
      </author>
32
32
    </authorgroup>
33
33
    <copyright>
34
34
      <year>2008</year>
 
35
      <year>2009</year>
 
36
      <year>2010</year>
 
37
      <year>2011</year>
 
38
      <year>2012</year>
 
39
      <year>2013</year>
 
40
      <year>2014</year>
 
41
      <year>2015</year>
 
42
      <year>2016</year>
35
43
      <holder>Teddy Hogeborn</holder>
36
44
      <holder>Björn Påhlsson</holder>
37
45
    </copyright>
112
120
      <arg><option>--plugin-dir=<replaceable
113
121
      >DIRECTORY</replaceable></option></arg>
114
122
      <sbr/>
 
123
      <arg><option>--plugin-helper-dir=<replaceable
 
124
      >DIRECTORY</replaceable></option></arg>
 
125
      <sbr/>
115
126
      <arg><option>--config-file=<replaceable
116
127
      >FILE</replaceable></option></arg>
117
128
      <sbr/>
259
270
            Disable the plugin named
260
271
            <replaceable>PLUGIN</replaceable>.  The plugin will not be
261
272
            started.
262
 
          </para>       
 
273
          </para>
263
274
        </listitem>
264
275
      </varlistentry>
265
276
      
318
329
      </varlistentry>
319
330
      
320
331
      <varlistentry>
 
332
        <term><option>--plugin-helper-dir
 
333
        <replaceable>DIRECTORY</replaceable></option></term>
 
334
        <listitem>
 
335
          <para>
 
336
            Specify a different plugin helper directory.  The default
 
337
            is <filename>/lib/mandos/plugin-helpers</filename>, which
 
338
            will exist in the initial <acronym>RAM</acronym> disk
 
339
            environment.  (This will simply be passed to all plugins
 
340
            via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
 
341
            variable.  See <xref linkend="writing_plugins"/>)
 
342
          </para>
 
343
        </listitem>
 
344
      </varlistentry>
 
345
      
 
346
      <varlistentry>
321
347
        <term><option>--config-file
322
348
        <replaceable>FILE</replaceable></option></term>
323
349
        <listitem>
424
450
      <para>
425
451
        The plugin will run in the initial RAM disk environment, so
426
452
        care must be taken not to depend on any files or running
427
 
        services not available there.
 
453
        services not available there.  Any helper executables required
 
454
        by the plugin (which are not in the <envar>PATH</envar>) can
 
455
        be placed in the plugin helper directory, the name of which
 
456
        will be made available to the plugin via the
 
457
        <envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
428
458
      </para>
429
459
      <para>
430
460
        The plugin must exit cleanly and free all allocated resources
473
503
      only passes on its environment to all the plugins.  The
474
504
      environment passed to plugins can be modified using the
475
505
      <option>--global-env</option> and <option>--env-for</option>
476
 
      options.
 
506
      options.  Also, the <option>--plugin-helper-dir</option> option
 
507
      will affect the environment variable
 
508
      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
477
509
    </para>
478
510
  </refsect1>
479
511
  
570
602
    </informalexample>
571
603
    <informalexample>
572
604
      <para>
573
 
        Run plugins from a different directory, read a different
574
 
        configuration file, and add two options to the
 
605
        Read a different configuration file, run plugins from a
 
606
        different directory, specify an alternate plugin helper
 
607
        directory and add two options to the
575
608
        <citerefentry><refentrytitle >mandos-client</refentrytitle>
576
609
        <manvolnum>8mandos</manvolnum></citerefentry> plugin:
577
610
      </para>
578
611
      <para>
579
612
 
580
613
<!-- do not wrap this line -->
581
 
<userinput>&COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/mandos/plugins.d --options-for=mandos-client:--pubkey=/etc/keys/mandos/pubkey.txt,--seckey=/etc/keys/mandos/seckey.txt</userinput>
 
614
<userinput>cd /etc/keys/mandos; &COMMANDNAME;  --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>
582
615
 
583
616
      </para>
584
617
    </informalexample>
616
649
  <refsect1 id="see_also">
617
650
    <title>SEE ALSO</title>
618
651
    <para>
 
652
      <citerefentry><refentrytitle>intro</refentrytitle>
 
653
      <manvolnum>8mandos</manvolnum></citerefentry>,
619
654
      <citerefentry><refentrytitle>cryptsetup</refentrytitle>
620
655
      <manvolnum>8</manvolnum></citerefentry>,
621
656
      <citerefentry><refentrytitle>crypttab</refentrytitle>