/mandos/trunk : revision 904

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugin-runner.xml

Committer: Teddy Hogeborn
Date: 2017-08-20 14:08:59 UTC
Revision ID: teddy@recompile.se-20170820140859-6niaa0ebf6bdovfn

Use || instead of -o in shell scripts.

* mandos-keygen: Use || instead of -o.
* network-hooks.d/bridge: - '' -

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

DBUS-API

INSTALL

NEWS

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-unpack

intro.xml

mandos-ctl

mandos-ctl.xml

mandos-monitor

mandos-monitor.xml

mandos.lsm

mandos.service

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
plugins.d/usplash

files renamed:
plugins.d/password-request.c => plugins.d/mandos-client.c

plugins.d/password-request.xml => plugins.d/mandos-client.xml

files modified:
.bzrignore

Makefile

README

TODO

clients.conf

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

legalnotice.xml

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

overview.xml

plugin-runner.c

plugin-runner.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

Show diffs side-by-side

added added

removed removed

plugin-runner.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY VERSION "1.0">

<!ENTITY COMMANDNAME "plugin-runner">

<!ENTITY TIMESTAMP "2008-09-04">

<!ENTITY TIMESTAMP "2017-02-23">

<!ENTITY % common SYSTEM "common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&VERSION;</productnumber>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

Run Mandos plugins, pass data from first to succeed.

</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

<arg choice="plain"><option>--global-env=<replaceable

>VAR</replaceable><literal>=</literal><replaceable

>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable></option></arg>

<arg choice="plain"><option>-G

<replaceable>VAR</replaceable><literal>=</literal><replaceable

<replaceable>ENV</replaceable><literal>=</literal><replaceable

>value</replaceable> </option></arg>

</group>

<sbr/>

111

121

<arg><option>--plugin-dir=<replaceable

112

122

>DIRECTORY</replaceable></option></arg>

113

123

<sbr/>

124

<arg><option>--plugin-helper-dir=<replaceable

125

>DIRECTORY</replaceable></option></arg>

126

<sbr/>

114

127

<arg><option>--config-file=<replaceable

115

128

>FILE</replaceable></option></arg>

116

129

<sbr/>

170

183

171

184

172

185

<term><option>--global-env

173

<replaceable>VAR</replaceable><literal>=</literal><replaceable

186

<replaceable>ENV</replaceable><literal>=</literal><replaceable

174

187

>value</replaceable></option></term>

175

188

<term><option>-G

176

<replaceable>VAR</replaceable><literal>=</literal><replaceable

189

<replaceable>ENV</replaceable><literal>=</literal><replaceable

177

190

>value</replaceable></option></term>

178

191

179

192

<para>

247

260

</para>

248

261

</listitem>

249

262

</varlistentry>

250

263

251

264

252

265

<term><option>--disable

253

266

<replaceable>PLUGIN</replaceable></option></term>

258

271

Disable the plugin named

259

272

<replaceable>PLUGIN</replaceable>. The plugin will not be

260

273

started.

261

</para>

274

</para>

262

275

</listitem>

263

276

</varlistentry>

264

277

265

278

266

279

<term><option>--enable

267

280

<replaceable>PLUGIN</replaceable></option></term>

276

289

</para>

277

290

</listitem>

278

291

</varlistentry>

279

292

280

293

281

294

<term><option>--groupid

282

295

289

302

</para>

290

303

</listitem>

291

304

</varlistentry>

292

305

293

306

294

307

<term><option>--userid

295

308

302

315

</para>

303

316

</listitem>

304

317

</varlistentry>

305

318

306

319

307

320

<term><option>--plugin-dir

308

321

<replaceable>DIRECTORY</replaceable></option></term>

317

330

</varlistentry>

318

331

319

332

333

<term><option>--plugin-helper-dir

334

<replaceable>DIRECTORY</replaceable></option></term>

335

336

<para>

337

Specify a different plugin helper directory. The default

338

is <filename>/lib/mandos/plugin-helpers</filename>, which

339

will exist in the initial <acronym>RAM</acronym> disk

340

environment. (This will simply be passed to all plugins

341

via the <envar>MANDOSPLUGINHELPERDIR</envar> environment

342

variable. See <xref linkend="writing_plugins"/>)

343

</para>

344

</listitem>

345

</varlistentry>

346

347

320

348

<term><option>--config-file

321

349

322

350

365

393

</para>

366

394

</listitem>

367

395

</varlistentry>

368

396

369

397

370

398

<term><option>--version</option></term>

371

399

377

405

</varlistentry>

378

406

</variablelist>

379

407

</refsect1>

380

408

381

409

382

410

<title>OVERVIEW</title>

383

411

<xi:include href="overview.xml"/>

403

431

code will make this plugin-runner output the password from that

404

432

plugin, stop any other plugins, and exit.

405

433

</para>

406

434

407

435

408

436

<title>WRITING PLUGINS</title>

409

437

<para>

416

444

console.

417

445

</para>

418

446

<para>

447

If the password is a single-line, manually entered passprase,

448

a final trailing newline character should

449

<emphasis>not</emphasis> be printed.

450

</para>

451

<para>

419

452

The plugin will run in the initial RAM disk environment, so

420

453

care must be taken not to depend on any files or running

421

services not available there.

454

services not available there. Any helper executables required

455

by the plugin (which are not in the <envar>PATH</envar>) can

456

be placed in the plugin helper directory, the name of which

457

will be made available to the plugin via the

458

<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.

422

459

</para>

423

460

<para>

424

461

The plugin must exit cleanly and free all allocated resources

467

504

only passes on its environment to all the plugins. The

468

505

environment passed to plugins can be modified using the

469

506

<option>--global-env</option> and <option>--env-for</option>

470

options.

507

options. Also, the <option>--plugin-helper-dir</option> option

508

will affect the environment variable

509

<envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.

471

510

</para>

472

511

</refsect1>

473

512

506

545

</para>

507

546

</listitem>

508

547

</varlistentry>

548

549

<term><filename class="directory"

550

>/lib/mandos/plugins.d</filename></term>

551

552

<para>

553

The default plugin directory; can be changed by the

554

<option>--plugin-dir</option> option.

555

</para>

556

</listitem>

557

</varlistentry>

558

559

<term><filename class="directory"

560

>/lib/mandos/plugin-helpers</filename></term>

561

562

<para>

563

The default plugin helper directory; can be changed by

564

the <option>--plugin-helper-dir</option> option.

565

</para>

566

</listitem>

567

</varlistentry>

509

568

</variablelist>

510

569

</para>

511

570

</refsect1>

512

571

513

514

515

516

517

572

573

574

<para>

575

The <option>--config-file</option> option is ignored when

576

specified from within a configuration file.

577

</para>

578

<xi:include href="bugs.xml"/>

579

</refsect1>

518

580

519

581

520

582

<title>EXAMPLE</title>

562

624

</informalexample>

563

625

564

626

<para>

565

Run plugins from a different directory and add two

566

options to the <citerefentry><refentrytitle

567

>password-request</refentrytitle>

627

Read a different configuration file, run plugins from a

628

different directory, specify an alternate plugin helper

629

directory and add two options to the

630

<citerefentry><refentrytitle >mandos-client</refentrytitle>

568

631

<manvolnum>8mandos</manvolnum></citerefentry> plugin:

569

632

</para>

570

633

<para>

571

634

572

635

573

<userinput>&COMMANDNAME; --plugin-dir=plugins.d --options-for=password-request:--pubkey=keydir/pubkey.txt,--seckey=keydir/seckey.txt</userinput>

636

<userinput>cd /etc/keys/mandos; &COMMANDNAME; --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt</userinput>

574

637

575

638

</para>

576

639

</informalexample>

584

647

non-privileged. This user and group is then what all plugins

585

648

will be started as. Therefore, the only way to run a plugin as

586

649

a privileged user is to have the set-user-ID or set-group-ID bit

587

set on the plugin executable files (see <citerefentry>

650

set on the plugin executable file (see <citerefentry>

588

651

<refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>

589

652

</citerefentry>).

590

653

</para>

608

671

609

672

610

673

<para>

674

<citerefentry><refentrytitle>intro</refentrytitle>

675

<manvolnum>8mandos</manvolnum></citerefentry>,

611

676

<citerefentry><refentrytitle>cryptsetup</refentrytitle>

612

677

<manvolnum>8</manvolnum></citerefentry>,

613

678

<citerefentry><refentrytitle>crypttab</refentrytitle>

618

683

<manvolnum>8</manvolnum></citerefentry>,

619

684

<citerefentry><refentrytitle>password-prompt</refentrytitle>

620

685

<manvolnum>8mandos</manvolnum></citerefentry>,

621

<citerefentry><refentrytitle>password-request</refentrytitle>

686

<citerefentry><refentrytitle>mandos-client</refentrytitle>

622

687

<manvolnum>8mandos</manvolnum></citerefentry>

623

688

</para>

624

689

</refsect1>

Older »