
Viewing changes to plugins.d/password-prompt.xml

  • Committer: Teddy Hogeborn
  • Date: 2017-08-20 14:14:14 UTC
  • Revision ID: teddy@recompile.se-20170820141414-m034xuebg7ccaeui
Add some more restrictions to the systemd service file.

* mandos.service ([Service]/ProtectKernelTunables): New; set to "yes".
  ([Service]/ProtectControlGroups): - '' -

2
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3
3
        "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4
4
<!ENTITY COMMANDNAME "password-prompt">
5
 
<!ENTITY TIMESTAMP "2019-07-27">
 
5
<!ENTITY TIMESTAMP "2017-02-23">
6
6
<!ENTITY % common SYSTEM "../common.ent">
7
7
%common;
8
8
]>
41
41
      <year>2015</year>
42
42
      <year>2016</year>
43
43
      <year>2017</year>
44
 
      <year>2018</year>
45
 
      <year>2019</year>
46
44
      <holder>Teddy Hogeborn</holder>
47
45
      <holder>Björn Påhlsson</holder>
48
46
    </copyright>
69
67
        >PREFIX</replaceable></arg>
70
68
      </group>
71
69
      <sbr/>
72
 
      <arg choice="opt">
73
 
        <option>--prompt <replaceable>PROMPT</replaceable></option>
74
 
      </arg>
75
70
      <arg choice="opt"><option>--debug</option></arg>
76
71
    </cmdsynopsis>
77
72
    <cmdsynopsis>
113
108
      wrapper, although actual use of that function is not guaranteed
114
109
      or implied.
115
110
    </para>
116
 
    <para>
117
 
      This program tries to detect if a Plymouth daemon
118
 
      (<citerefentry><refentrytitle
119
 
      >plymouthd</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
120
 
      is running, by looking for a
121
 
      <filename>/run/plymouth/pid</filename> file or a process named
122
 
      <quote><literal>plymouthd</literal></quote>.  If it is detected,
123
 
      this process will immediately exit without doing anything.
124
 
    </para>
125
111
  </refsect1>
126
112
  
127
113
  <refsect1 id="options">
150
136
      </varlistentry>
151
137
      
152
138
      <varlistentry>
153
 
        <term><option>--prompt=<replaceable
154
 
        >PROMPT</replaceable></option></term>
155
 
        <listitem>
156
 
          <para>
157
 
            The password prompt.  Using this option will make this
158
 
            program ignore the <envar>CRYPTTAB_SOURCE</envar> and
159
 
            <envar>CRYPTTAB_NAME</envar> environment variables.
160
 
          </para>
161
 
        </listitem>
162
 
      </varlistentry>
163
 
      
164
 
      <varlistentry>
165
139
        <term><option>--debug</option></term>
166
140
        <listitem>
167
141
          <para>
221
195
        <term><envar>CRYPTTAB_NAME</envar></term>
222
196
        <listitem>
223
197
          <para>
224
 
            If set, and if the <option>--prompt</option> option is not
225
 
            used, these environment variables will be assumed to
 
198
            If set, these environment variables will be assumed to
226
199
            contain the source device name and the target device
227
200
            mapper name, respectively, and will be shown as part of
228
201
            the prompt.
230
203
        <para>
231
204
          These variables will normally be inherited from
232
205
          <citerefentry><refentrytitle>plugin-runner</refentrytitle>
233
 
          <manvolnum>8mandos</manvolnum></citerefentry>, which might
234
 
          have in turn inherited them from its calling process.
 
206
          <manvolnum>8mandos</manvolnum></citerefentry>, which will
 
207
          normally have inherited them from
 
208
          <filename>/scripts/local-top/cryptroot</filename> in the
 
209
          initial <acronym>RAM</acronym> disk environment, which will
 
210
          have set them from parsing kernel arguments and
 
211
          <filename>/conf/conf.d/cryptroot</filename> (also in the
 
212
          initial RAM disk environment), which in turn will have been
 
213
          created when the initial RAM disk image was created by
 
214
          <filename
 
215
          >/usr/share/initramfs-tools/hooks/cryptroot</filename>, by
 
216
          extracting the information of the root file system from
 
217
          <filename >/etc/crypttab</filename>.
235
218
        </para>
236
219
        <para>
237
220
          This behavior is meant to exactly mirror the behavior of
238
 
          <command>askpass</command>, the default password prompter
239
 
          from initramfs-tools.
 
221
          <command>askpass</command>, the default password prompter.
240
222
        </para>
241
223
        </listitem>
242
224
      </varlistentry>
317
299
    <title>SEE ALSO</title>
318
300
    <para>
319
301
      <citerefentry><refentrytitle>intro</refentrytitle>
320
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
302
      <manvolnum>8mandos</manvolnum></citerefentry>
 
303
      <citerefentry><refentrytitle>crypttab</refentrytitle>
 
304
      <manvolnum>5</manvolnum></citerefentry>
321
305
      <citerefentry><refentrytitle>mandos-client</refentrytitle>
322
 
      <manvolnum>8mandos</manvolnum></citerefentry>,
 
306
      <manvolnum>8mandos</manvolnum></citerefentry>
323
307
      <citerefentry><refentrytitle>plugin-runner</refentrytitle>
324
308
      <manvolnum>8mandos</manvolnum></citerefentry>,
325
 
      <citerefentry><refentrytitle>plymouthd</refentrytitle>
326
 
      <manvolnum>8</manvolnum></citerefentry>
327
309
    </para>
328
310
  </refsect1>
329
311
</refentry>