/mandos/trunk : revision 833

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to mandos-ctl.xml

Committer: Teddy Hogeborn
Date: 2016-03-17 20:40:55 UTC
Revision ID: teddy@recompile.se-20160317204055-bhsh5xsidq7w5cxu

Client: Fix plymouth agent; broken since 1.7.2.

Fix an very old memory bug in the plymouth agent (which has been
present since its apperance in version 1.2), but which was only
recently detected at run time due to the new -fsanitize=address
compile- time flag, which has been used since version 1.7.2. This
detection of a memory access violation causes the program to abort,
making the Plymouth graphical boot system unable to accept interactive
input of passwords when using the Mandos client.

* plugins.d/plymouth.c (exec_and_wait): Fix memory allocation bug when
allocating new_argv. Also tolerate a zero-length argv.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

mandos-ctl.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "mandos-ctl">

<!ENTITY TIMESTAMP "2016-03-05">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

Control the operation of the Mandos server

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<group>

<arg choice="plain"><option>--enable</option></arg>

<sbr/>

<arg choice="plain"><option>--disable</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--bump-timeout</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--start-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--stop-checker</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--remove</option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--checker

<replaceable>COMMAND</replaceable></option></arg>

<arg choice="plain"><option>-c

<replaceable>COMMAND</replaceable></option></arg>

</group>

<sbr/>

<group>

<arg choice="plain"><option>--timeout

<arg choice="plain"><option>-t

100

</group>

101

<sbr/>

102

<group>

103

<arg choice="plain"><option>--extended-timeout

104

105

</group>

106

<sbr/>

107

<group>

108

<arg choice="plain"><option>--interval

109

110

<arg choice="plain"><option>-i

111

112

</group>

113

<sbr/>

114

<group>

115

<arg choice="plain"><option>--approve-by-default</option

116

></arg>

117

<sbr/>

118

<arg choice="plain"><option>--deny-by-default</option></arg>

119

</group>

120

<sbr/>

121

<group>

122

<arg choice="plain"><option>--approval-delay

123

124

</group>

125

<sbr/>

126

<group>

127

<arg choice="plain"><option>--approval-duration

128

129

</group>

130

<sbr/>

131

<group>

132

<arg choice="plain"><option>--interval

133

134

<arg choice="plain"><option>-i

135

136

</group>

137

<sbr/>

138

<group>

139

<arg choice="plain"><option>--host

140

<replaceable>STRING</replaceable></option></arg>

141

<arg choice="plain"><option>-H

142

<replaceable>STRING</replaceable></option></arg>

143

</group>

144

<sbr/>

145

<group>

146

<arg choice="plain"><option>--secret

147

<replaceable>FILENAME</replaceable></option></arg>

148

<arg choice="plain"><option>-s

149

<replaceable>FILENAME</replaceable></option></arg>

150

</group>

151

<sbr/>

152

<group>

153

<arg choice="plain"><option>--approve</option></arg>

154

155

<sbr/>

156

157

158

</group>

159

<sbr/>

160

161

162

163

164

<replaceable>CLIENT</replaceable>

165

</arg>

166

</group>

167

</cmdsynopsis>

168

169

<command>&COMMANDNAME;</command>

170

<group>

171

<arg choice="plain"><option>--verbose</option></arg>

172

173

</group>

174

<group>

175

176

<replaceable>CLIENT</replaceable>

177

</arg>

178

</group>

179

</cmdsynopsis>

180

181

<command>&COMMANDNAME;</command>

182

183

<arg choice="plain"><option>--is-enabled</option></arg>

184

185

</group>

186

<arg choice='plain'><replaceable>CLIENT</replaceable></arg>

187

</cmdsynopsis>

188

189

<command>&COMMANDNAME;</command>

190

191

192

193

</group>

194

</cmdsynopsis>

195

196

<command>&COMMANDNAME;</command>

197

198

<arg choice="plain"><option>--version</option></arg>

199

200

</group>

201

</cmdsynopsis>

202

203

<command>&COMMANDNAME;</command>

204

<arg choice="plain"><option>--check</option></arg>

205

</cmdsynopsis>

206

</refsynopsisdiv>

207

208

209

<title>DESCRIPTION</title>

210

<para>

211

<command>&COMMANDNAME;</command> is a program to control the

212

operation of the Mandos server <citerefentry><refentrytitle

213

>mandos</refentrytitle><manvolnum>8</manvolnum></citerefentry>.

214

</para>

215

<para>

216

This program can be used to change client settings, approve or

217

deny client requests, and to remove clients from the server.

218

</para>

219

</refsect1>

220

221

222

<title>PURPOSE</title>

223

<para>

224

The purpose of this is to enable <emphasis>remote and unattended

225

rebooting</emphasis> of client host computer with an

226

<emphasis>encrypted root file system</emphasis>. See <xref

227

linkend="overview"/> for details.

228

</para>

229

</refsect1>

230

231

232

<title>OPTIONS</title>

233

234

235

236

237

238

239

<para>

240

Show a help message and exit

241

</para>

242

</listitem>

243

</varlistentry>

244

245

246

<term><option>--enable</option></term>

247

248

249

<para>

250

Enable client(s). An enabled client will be eligble to

251

receive its secret.

252

</para>

253

</listitem>

254

</varlistentry>

255

256

257

<term><option>--disable</option></term>

258

259

260

<para>

261

Disable client(s). A disabled client will not be eligble

262

to receive its secret, and no checkers will be started for

263

it.

264

</para>

265

</listitem>

266

</varlistentry>

267

268

269

<term><option>--bump-timeout</option></term>

270

271

<para>

272

Bump the timeout of the specified client(s), just as if a

273

checker had completed successfully for it/them.

274

</para>

275

</listitem>

276

</varlistentry>

277

278

279

<term><option>--start-checker</option></term>

280

281

<para>

282

Start a new checker now for the specified client(s).

283

</para>

284

</listitem>

285

</varlistentry>

286

287

288

<term><option>--stop-checker</option></term>

289

290

<para>

291

Stop any running checker for the specified client(s).

292

</para>

293

</listitem>

294

</varlistentry>

295

296

297

<term><option>--remove</option></term>

298

299

300

<para>

301

Remove the specified client(s) from the server.

302

</para>

303

</listitem>

304

</varlistentry>

305

306

307

<term><option>--checker

308

<replaceable>COMMAND</replaceable></option></term>

309

<term><option>-c

310

<replaceable>COMMAND</replaceable></option></term>

311

312

<para>

313

Set the <varname>checker</varname> option of the specified

314

client(s); see <citerefentry><refentrytitle

315

>mandos-clients.conf</refentrytitle><manvolnum

316

>5</manvolnum></citerefentry>.

317

</para>

318

</listitem>

319

</varlistentry>

320

321

322

<term><option>--timeout

323

324

<term><option>-t

325

326

327

<para>

328

Set the <varname>timeout</varname> option of the specified

329

client(s); see <citerefentry><refentrytitle

330

>mandos-clients.conf</refentrytitle><manvolnum

331

>5</manvolnum></citerefentry>.

332

</para>

333

</listitem>

334

</varlistentry>

335

336

337

<term><option>--extended-timeout

338

339

340

<para>

341

Set the <varname>extended_timeout</varname> option of the

342

specified client(s); see <citerefentry><refentrytitle

343

>mandos-clients.conf</refentrytitle><manvolnum

344

>5</manvolnum></citerefentry>.

345

</para>

346

</listitem>

347

</varlistentry>

348

349

350

<term><option>--interval

351

352

<term><option>-i

353

354

355

<para>

356

Set the <varname>interval</varname> option of the

357

specified client(s); see <citerefentry><refentrytitle

358

>mandos-clients.conf</refentrytitle><manvolnum

359

>5</manvolnum></citerefentry>.

360

</para>

361

</listitem>

362

</varlistentry>

363

364

365

<term><option>--approve-by-default</option></term>

366

<term><option>--deny-by-default</option></term>

367

368

<para>

369

Set the <varname>approved_by_default</varname> option of

370

the specified client(s) to <literal>True</literal> or

371

<literal>False</literal>, respectively; see

372

<citerefentry><refentrytitle

373

>mandos-clients.conf</refentrytitle><manvolnum

374

>5</manvolnum></citerefentry>.

375

</para>

376

</listitem>

377

</varlistentry>

378

379

380

<term><option>--approval-delay

381

382

383

<para>

384

Set the <varname>approval_delay</varname> option of the

385

specified client(s); see <citerefentry><refentrytitle

386

>mandos-clients.conf</refentrytitle><manvolnum

387

>5</manvolnum></citerefentry>.

388

</para>

389

</listitem>

390

</varlistentry>

391

392

393

<term><option>--approval-duration

394

395

396

<para>

397

Set the <varname>approval_duration</varname> option of the

398

specified client(s); see <citerefentry><refentrytitle

399

>mandos-clients.conf</refentrytitle><manvolnum

400

>5</manvolnum></citerefentry>.

401

</para>

402

</listitem>

403

</varlistentry>

404

405

406

<term><option>--host

407

<replaceable>STRING</replaceable></option></term>

408

<term><option>-H

409

<replaceable>STRING</replaceable></option></term>

410

411

<para>

412

Set the <varname>host</varname> option of the specified

413

client(s); see <citerefentry><refentrytitle

414

>mandos-clients.conf</refentrytitle><manvolnum

415

>5</manvolnum></citerefentry>.

416

</para>

417

</listitem>

418

</varlistentry>

419

420

421

<term><option>--secret

422

<replaceable>FILENAME</replaceable></option></term>

423

<term><option>-s

424

<replaceable>FILENAME</replaceable></option></term>

425

426

<para>

427

Set the <varname>secfile</varname> option of the specified

428

client(s); see <citerefentry><refentrytitle

429

>mandos-clients.conf</refentrytitle><manvolnum

430

>5</manvolnum></citerefentry>.

431

</para>

432

</listitem>

433

</varlistentry>

434

435

436

<term><option>--approve</option></term>

437

438

439

<para>

440

Approve client(s) if currently waiting for approval.

441

</para>

442

</listitem>

443

</varlistentry>

444

445

446

447

448

449

<para>

450

Deny client(s) if currently waiting for approval.

451

</para>

452

</listitem>

453

</varlistentry>

454

455

456

457

458

459

<para>

460

Make the client-modifying options modify <emphasis

461

>all</emphasis> clients.

462

</para>

463

</listitem>

464

</varlistentry>

465

466

467

<term><option>--verbose</option></term>

468

469

470

<para>

471

Show all client settings, not just a subset.

472

</para>

473

</listitem>

474

</varlistentry>

475

476

477

<term><option>--is-enabled</option></term>

478

479

480

<para>

481

Check if a single client is enabled or not, and exit with

482

a successful exit status only if the client is enabled.

483

</para>

484

</listitem>

485

</varlistentry>

486

487

488

<term><option>--check</option></term>

489

490

<para>

491

Run self-tests. This includes any unit tests, etc.

492

</para>

493

</listitem>

494

</varlistentry>

495

496

</variablelist>

497

</refsect1>

498

499

500

<title>OVERVIEW</title>

501

<xi:include href="overview.xml"/>

502

<para>

503

This program is a small utility to generate new OpenPGP keys for

504

new Mandos clients, and to generate sections for inclusion in

505

<filename>clients.conf</filename> on the server.

506

</para>

507

</refsect1>

508

509

510

<title>EXIT STATUS</title>

511

<para>

512

If the <option>--is-enabled</option> option is used, the exit

513

status will be 0 only if the specified client is enabled.

514

</para>

515

</refsect1>

516

517

518

519

<xi:include href="bugs.xml"/>

520

</refsect1>

521

522

523

<title>EXAMPLE</title>

524

525

<para>

526

To list all clients:

527

</para>

528

<para>

529

<userinput>&COMMANDNAME;</userinput>

530

</para>

531

</informalexample>

532

533

534

<para>

535

To list <emphasis>all</emphasis> settings for the clients

536

named <quote>foo1.example.org</quote> and <quote

537

>foo2.example.org</quote>:

538

</para>

539

<para>

540

541

542

<userinput>&COMMANDNAME; --verbose foo1.example.org foo2.example.org</userinput>

543

544

</para>

545

</informalexample>

546

547

548

<para>

549

To enable all clients:

550

</para>

551

<para>

552

<userinput>&COMMANDNAME; --enable --all</userinput>

553

</para>

554

</informalexample>

555

556

557

<para>

558

To change timeout and interval value for the clients

559

named <quote>foo1.example.org</quote> and <quote

560

>foo2.example.org</quote>:

561

</para>

562

<para>

563

564

565

<userinput>&COMMANDNAME; --timeout="5m" --interval="1m" foo1.example.org foo2.example.org</userinput>

566

567

</para>

568

</informalexample>

569

570

571

<para>

572

To approve all clients currently waiting for it:

573

</para>

574

<para>

575

<userinput>&COMMANDNAME; --approve --all</userinput>

576

</para>

577

</informalexample>

578

</refsect1>

579

580

581

<title>SECURITY</title>

582

<para>

583

This program must be permitted to access the Mandos server via

584

the D-Bus interface. This normally requires the root user, but

585

could be configured otherwise by reconfiguring the D-Bus server.

586

</para>

587

</refsect1>

588

589

590

591

<para>

592

<citerefentry><refentrytitle>intro</refentrytitle>

593

<manvolnum>8mandos</manvolnum></citerefentry>,

594

<citerefentry><refentrytitle>mandos</refentrytitle>

595

<manvolnum>8</manvolnum></citerefentry>,

596

<citerefentry><refentrytitle>mandos-clients.conf</refentrytitle>

597

<manvolnum>5</manvolnum></citerefentry>,

598

<citerefentry><refentrytitle>mandos-monitor</refentrytitle>

599

600

</para>

601

</refsect1>

602

603

</refentry>

604

605

606

607

608

Older »