/mandos/trunk : revision 953

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/splashy.xml

Committer: Teddy Hogeborn
Date: 2018-08-19 01:35:11 UTC
Revision ID: teddy@recompile.se-20180819013511-cku25q9yeub3dnr0

Adapt to changes in cryptsetup; use "cryptroot-unlock" program

* Makefile (install-client-nokey): Also install new script files
  "mandos-to-cryptroot-unlock" and "initramfs-tools-script-stop".
* debian/mandos-client.dirs: Add
  "usr/share/initramfs-tools/scripts/local-premount".
* initramfs-tools-hook: Also copy "mandos-to-cryptroot-unlock".
* initramfs-tools-script: Only modify keyscript setting in cryptroot
  file if the file exists, otherwise start
  "mandos-to-cryptroot-unlock" in background.
* initramfs-tools-script-stop: New script to make sure plugin-runner
  has stopped before continuing.
* mandos-to-cryptroot-unlock: New script to run plugin-runner and feed
  any password it gets into the "cryptroot-unlock" program.

files added:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

bugs.xml

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.examples

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/upstream

debian/upstream/signing-key.asc

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

initramfs-tools-script-stop

initramfs-unpack

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos-to-cryptroot-unlock

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

network-hooks.d/openvpn

network-hooks.d/openvpn.conf

network-hooks.d/wireless

network-hooks.d/wireless.conf

overview.xml

plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

tmpfiles.d-mandos.conf

files removed:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files renamed:
mandos-clients.conf => clients.conf

server.py => mandos

plugbasedclient.c => plugin-runner.c

plugins.d/mandosclient.c => plugins.d/mandos-client.c

plugins.d/passprompt.c => plugins.d/password-prompt.c

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

plugins.d/splashy.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "splashy">

<!ENTITY TIMESTAMP "2018-02-08">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@recompile.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@recompile.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Mandos plugin to use splashy to get a

password.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

This program prompts for a password using <citerefentry>

<refentrytitle>splashy_update</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> and outputs any given

password to standard output. If no <citerefentry><refentrytitle

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

process can be found, this program will immediately exit with an

exit code indicating failure.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

If this program is killed (presumably by

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

<manvolnum>8mandos</manvolnum></citerefentry> because some other

plugin provided the password), it cannot tell <citerefentry>

<refentrytitle>splashy</refentrytitle><manvolnum>8</manvolnum>

</citerefentry> to abort requesting a password, because

<citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> does not support this.

Therefore, this program will then <emphasis>kill</emphasis> the

running <citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> process and start a

<emphasis>new</emphasis> one, using <quote><literal

>boot</literal></quote> as the only argument.

100

</para>

101

</refsect1>

102

103

104

<title>OPTIONS</title>

105

<para>

106

This program takes no options.

107

</para>

108

</refsect1>

109

110

111

<title>EXIT STATUS</title>

112

<para>

113

If exit status is 0, the output from the program is the password

114

as it was read. Otherwise, if exit status is other than 0, the

115

program was interrupted or encountered an error, and any output

116

so far could be corrupt and/or truncated, and should therefore

117

be ignored.

118

</para>

119

</refsect1>

120

121

122

<title>ENVIRONMENT</title>

123

124

125

<term><envar>cryptsource</envar></term>

126

<term><envar>crypttarget</envar></term>

127

128

<para>

129

If set, these environment variables will be assumed to

130

contain the source device name and the target device

131

mapper name, respectively, and will be shown as part of

132

the prompt.

133

</para>

134

<para>

135

These variables will normally be inherited from

136

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

137

<manvolnum>8mandos</manvolnum></citerefentry>, which will

138

normally have inherited them from

139

<filename>/scripts/local-top/cryptroot</filename> in the

140

initial <acronym>RAM</acronym> disk environment, which will

141

have set them from parsing kernel arguments and

142

<filename>/conf/conf.d/cryptroot</filename> (also in the

143

initial RAM disk environment), which in turn will have been

144

created when the initial RAM disk image was created by

145

<filename

146

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

147

extracting the information of the root file system from

148

<filename >/etc/crypttab</filename>.

149

</para>

150

<para>

151

This behavior is meant to exactly mirror the behavior of

152

<command>askpass</command>, the default password prompter.

153

</para>

154

</listitem>

155

</varlistentry>

156

</variablelist>

157

</refsect1>

158

159

160

<title>FILES</title>

161

162

163

<term><filename>/sbin/splashy_update</filename></term>

164

165

<para>

166

This is the command run to retrieve a password from

167

<citerefentry><refentrytitle>splashy</refentrytitle>

168

<manvolnum>8</manvolnum></citerefentry>. See

169

<citerefentry><refentrytitle

170

>splashy_update</refentrytitle><manvolnum>8</manvolnum>

171

</citerefentry>.

172

</para>

173

</listitem>

174

</varlistentry>

175

176

177

178

<para>

179

To find the running <citerefentry><refentrytitle

180

>splashy</refentrytitle><manvolnum>8</manvolnum>

181

</citerefentry>, this directory will be searched for

182

numeric entries which will be assumed to be directories.

183

In all those directories, the <filename>exe</filename>

184

entry will be used to determine the name of the running

185

binary and the effective user and group

186

<abbrev>ID</abbrev> of the process. See <citerefentry>

187

<refentrytitle>proc</refentrytitle><manvolnum

188

>5</manvolnum></citerefentry>.

189

</para>

190

</listitem>

191

</varlistentry>

192

193

<term><filename>/sbin/splashy</filename></term>

194

195

<para>

196

This is the name of the binary which will be searched for

197

in the process list. See <citerefentry><refentrytitle

198

>splashy</refentrytitle><manvolnum>8</manvolnum>

199

</citerefentry>.

200

</para>

201

</listitem>

202

</varlistentry>

203

</variablelist>

204

</refsect1>

205

206

207

208

<para>

209

Killing <citerefentry><refentrytitle>splashy</refentrytitle>

210

<manvolnum>8</manvolnum></citerefentry> and starting a new one

211

is ugly, but necessary as long as it does not support aborting a

212

password request.

213

</para>

214

<xi:include href="../bugs.xml"/>

215

</refsect1>

216

217

218

<title>EXAMPLE</title>

219

<para>

220

Note that normally, this program will not be invoked directly,

221

but instead started by the Mandos <citerefentry><refentrytitle

222

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

223

</citerefentry>.

224

</para>

225

226

<para>

227

This program takes no options.

228

</para>

229

<para>

230

<userinput>&COMMANDNAME;</userinput>

231

</para>

232

</informalexample>

233

</refsect1>

234

235

236

<title>SECURITY</title>

237

<para>

238

If this program is killed by a signal, it will kill the process

239

<abbrev>ID</abbrev> which at the start of this program was

240

determined to run <citerefentry><refentrytitle

241

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

242

as root (see also <xref linkend="files"/>). There is a very

243

slight risk that, in the time between those events, that process

244

<abbrev>ID</abbrev> was freed and then taken up by another

245

process; the wrong process would then be killed. Now, this

246

program can only be killed by the user who started it; see

247

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

248

<manvolnum>8mandos</manvolnum></citerefentry>. This program

249

should therefore be started by a completely separate

250

non-privileged user, and no other programs should be allowed to

251

run as that special user. This means that it is not recommended

252

to use the user "nobody" to start this program, as other

253

possibly less trusted programs could be running as "nobody", and

254

they would then be able to kill this program, triggering the

255

killing of the process <abbrev>ID</abbrev> which may or may not

256

be <citerefentry><refentrytitle>splashy</refentrytitle>

257

<manvolnum>8</manvolnum></citerefentry>.

258

</para>

259

<para>

260

The only other thing that could be considered worthy of note is

261

this: This program is meant to be run by <citerefentry>

262

<refentrytitle>plugin-runner</refentrytitle><manvolnum

263

>8mandos</manvolnum></citerefentry>, and will, when run

264

standalone, outside, in a normal environment, immediately output

265

on its standard output any presumably secret password it just

266

received. Therefore, when running this program standalone

267

(which should never normally be done), take care not to type in

268

any real secret password by force of habit, since it would then

269

immediately be shown as output.

270

</para>

271

</refsect1>

272

273

274

275

<para>

276

<citerefentry><refentrytitle>intro</refentrytitle>

277

<manvolnum>8mandos</manvolnum></citerefentry>,

278

<citerefentry><refentrytitle>crypttab</refentrytitle>

279

<manvolnum>5</manvolnum></citerefentry>,

280

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

281

<manvolnum>8mandos</manvolnum></citerefentry>,

282

283

<manvolnum>5</manvolnum></citerefentry>,

284

<citerefentry><refentrytitle>splashy</refentrytitle>

285

<manvolnum>8</manvolnum></citerefentry>,

286

<citerefentry><refentrytitle>splashy_update</refentrytitle>

287

288

</para>

289

</refsect1>

290

</refentry>

291

292

293

294

295

Older »