bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
|
225
by Teddy Hogeborn
* Makefile (DOCS): Added "plugins.d/usplash.8mandos" and |
1 |
<?xml version="1.0" encoding="UTF-8"?>
|
2 |
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
3 |
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
4 |
<!ENTITY COMMANDNAME "splashy">
|
|
5 |
<!ENTITY TIMESTAMP "2008-10-04">
|
|
6 |
<!ENTITY % common SYSTEM "../common.ent">
|
|
7 |
%common; |
|
8 |
]> |
|
9 |
||
10 |
<refentry xmlns:xi="http://www.w3.org/2001/XInclude"> |
|
11 |
<refentryinfo> |
|
12 |
<title>Mandos Manual</title> |
|
13 |
<!-- NWalsh’s docbook scripts use this to generate the footer: --> |
|
14 |
<productname>Mandos</productname> |
|
15 |
<productnumber>&version;</productnumber> |
|
16 |
<date>&TIMESTAMP;</date> |
|
17 |
<authorgroup> |
|
18 |
<author> |
|
19 |
<firstname>Björn</firstname> |
|
20 |
<surname>Påhlsson</surname> |
|
21 |
<address> |
|
22 |
<email>belorn@fukt.bsnet.se</email> |
|
23 |
</address> |
|
24 |
</author> |
|
25 |
<author> |
|
26 |
<firstname>Teddy</firstname> |
|
27 |
<surname>Hogeborn</surname> |
|
28 |
<address> |
|
29 |
<email>teddy@fukt.bsnet.se</email> |
|
30 |
</address> |
|
31 |
</author> |
|
32 |
</authorgroup> |
|
33 |
<copyright> |
|
34 |
<year>2008</year> |
|
35 |
<holder>Teddy Hogeborn</holder> |
|
36 |
<holder>Björn Påhlsson</holder> |
|
37 |
</copyright> |
|
38 |
<xi:include href="../legalnotice.xml"/> |
|
39 |
</refentryinfo> |
|
40 |
|
|
41 |
<refmeta> |
|
42 |
<refentrytitle>&COMMANDNAME;</refentrytitle> |
|
43 |
<manvolnum>8mandos</manvolnum> |
|
44 |
</refmeta> |
|
45 |
|
|
46 |
<refnamediv> |
|
47 |
<refname><command>&COMMANDNAME;</command></refname> |
|
48 |
<refpurpose>Mandos plugin to use splashy to get a |
|
49 |
password.</refpurpose> |
|
50 |
</refnamediv> |
|
51 |
|
|
52 |
<refsynopsisdiv> |
|
53 |
<cmdsynopsis> |
|
54 |
<command>&COMMANDNAME;</command> |
|
55 |
</cmdsynopsis> |
|
56 |
</refsynopsisdiv> |
|
57 |
|
|
58 |
<refsect1 id="description"> |
|
59 |
<title>DESCRIPTION</title> |
|
60 |
<para> |
|
61 |
This program prompts for a password using <citerefentry> |
|
62 |
<refentrytitle>splashy_update</refentrytitle> |
|
63 |
<manvolnum>8</manvolnum></citerefentry> and outputs any given |
|
64 |
password to standard output. If no <citerefentry><refentrytitle |
|
65 |
>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
|
66 |
process can be found, this program will immediately exit with an |
|
67 |
exit code indicating failure. |
|
68 |
</para> |
|
69 |
<para> |
|
70 |
This program is not very useful on its own. This program is |
|
71 |
really meant to run as a plugin in the <application |
|
72 |
>Mandos</application> client-side system, where it is used as a |
|
73 |
fallback and alternative to retrieving passwords from a |
|
74 |
<application >Mandos</application> server. |
|
75 |
</para> |
|
76 |
<para> |
|
77 |
If this program is killed (presumably by |
|
78 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
79 |
<manvolnum>8mandos</manvolnum></citerefentry> because some other |
|
80 |
plugin provided the password), it cannot tell <citerefentry> |
|
81 |
<refentrytitle>splashy</refentrytitle><manvolnum>8</manvolnum> |
|
82 |
</citerefentry> to abort requesting a password, because |
|
83 |
<citerefentry><refentrytitle>splashy</refentrytitle> |
|
84 |
<manvolnum>8</manvolnum></citerefentry> does not support this. |
|
85 |
Therefore, this program will then <emphasis>kill</emphasis> the |
|
86 |
running <citerefentry><refentrytitle>splashy</refentrytitle> |
|
87 |
<manvolnum>8</manvolnum></citerefentry> process and start a |
|
88 |
<emphasis>new</emphasis> one, using <quote><literal |
|
89 |
>boot</literal></quote> as the only argument. |
|
90 |
</para> |
|
91 |
</refsect1> |
|
92 |
|
|
93 |
<refsect1 id="options"> |
|
94 |
<title>OPTIONS</title> |
|
95 |
<para> |
|
96 |
This program takes no options. |
|
97 |
</para> |
|
98 |
</refsect1> |
|
99 |
|
|
100 |
<refsect1 id="exit_status"> |
|
101 |
<title>EXIT STATUS</title> |
|
102 |
<para> |
|
103 |
If exit status is 0, the output from the program is the password |
|
104 |
as it was read. Otherwise, if exit status is other than 0, the |
|
105 |
program was interrupted or encountered an error, and any output |
|
106 |
so far could be corrupt and/or truncated, and should therefore |
|
107 |
be ignored. |
|
108 |
</para> |
|
109 |
</refsect1> |
|
110 |
|
|
111 |
<refsect1 id="environment"> |
|
112 |
<title>ENVIRONMENT</title> |
|
113 |
<variablelist> |
|
114 |
<varlistentry> |
|
115 |
<term><envar>cryptsource</envar></term> |
|
116 |
<term><envar>crypttarget</envar></term> |
|
117 |
<listitem> |
|
118 |
<para> |
|
119 |
If set, these environment variables will be assumed to |
|
120 |
contain the source device name and the target device |
|
121 |
mapper name, respectively, and will be shown as part of |
|
122 |
the prompt. |
|
123 |
</para> |
|
124 |
<para> |
|
125 |
These variables will normally be inherited from |
|
126 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
127 |
<manvolnum>8mandos</manvolnum></citerefentry>, which will |
|
128 |
normally have inherited them from |
|
129 |
<filename>/scripts/local-top/cryptroot</filename> in the |
|
130 |
initial <acronym>RAM</acronym> disk environment, which will |
|
131 |
have set them from parsing kernel arguments and |
|
132 |
<filename>/conf/conf.d/cryptroot</filename> (also in the |
|
133 |
initial RAM disk environment), which in turn will have been |
|
134 |
created when the initial RAM disk image was created by |
|
135 |
<filename |
|
136 |
>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by |
|
137 |
extracting the information of the root file system from |
|
138 |
<filename >/etc/crypttab</filename>. |
|
139 |
</para> |
|
140 |
<para> |
|
141 |
This behavior is meant to exactly mirror the behavior of |
|
142 |
<command>askpass</command>, the default password prompter. |
|
143 |
</para> |
|
144 |
</listitem> |
|
145 |
</varlistentry> |
|
146 |
</variablelist> |
|
147 |
</refsect1> |
|
148 |
|
|
149 |
<refsect1 id="files"> |
|
150 |
<title>FILES</title> |
|
151 |
<variablelist> |
|
152 |
<varlistentry> |
|
153 |
<term><filename>/sbin/splashy_update</filename></term> |
|
154 |
<listitem> |
|
155 |
<para> |
|
156 |
This is the command run to retrieve a password from |
|
157 |
<citerefentry><refentrytitle>splashy</refentrytitle> |
|
158 |
<manvolnum>8</manvolnum></citerefentry>. See |
|
159 |
<citerefentry><refentrytitle |
|
160 |
>splashy_update</refentrytitle><manvolnum>8</manvolnum> |
|
161 |
</citerefentry>. |
|
162 |
</para> |
|
163 |
</listitem> |
|
164 |
</varlistentry> |
|
165 |
<varlistentry> |
|
166 |
<term><filename>/proc</filename></term> |
|
167 |
<listitem> |
|
168 |
<para> |
|
169 |
To find the running <citerefentry><refentrytitle |
|
170 |
>splashy</refentrytitle><manvolnum>8</manvolnum> |
|
171 |
</citerefentry>, this directory will be searched for |
|
172 |
numeric entries which will be assumed to be directories. |
|
173 |
In all those directories, the <filename>exe</filename> |
|
174 |
entry will be used to determine the name of the running |
|
175 |
binary and the effective user and group |
|
176 |
<abbrev>ID</abbrev> of the process. See <citerefentry> |
|
177 |
<refentrytitle>proc</refentrytitle><manvolnum |
|
178 |
>5</manvolnum></citerefentry>. |
|
179 |
</para> |
|
180 |
</listitem> |
|
181 |
</varlistentry> |
|
182 |
<varlistentry> |
|
183 |
<term><filename>/sbin/splashy</filename></term> |
|
184 |
<listitem> |
|
185 |
<para> |
|
186 |
This is the name of the binary which will be searched for |
|
187 |
in the process list. See <citerefentry><refentrytitle |
|
188 |
>splashy</refentrytitle><manvolnum>8</manvolnum> |
|
189 |
</citerefentry>. |
|
190 |
</para> |
|
191 |
</listitem> |
|
192 |
</varlistentry> |
|
193 |
</variablelist> |
|
194 |
</refsect1> |
|
195 |
|
|
196 |
<refsect1 id="bugs"> |
|
197 |
<title>BUGS</title> |
|
198 |
<para> |
|
199 |
Killing <citerefentry><refentrytitle>splashy</refentrytitle> |
|
200 |
<manvolnum>8</manvolnum></citerefentry> and starting a new one |
|
201 |
is ugly, but necessary as long as it does not support aborting a |
|
202 |
password request. |
|
203 |
</para> |
|
204 |
</refsect1> |
|
205 |
|
|
206 |
<refsect1 id="example"> |
|
207 |
<title>EXAMPLE</title> |
|
208 |
<para> |
|
209 |
Note that normally, this program will not be invoked directly, |
|
210 |
but instead started by the Mandos <citerefentry><refentrytitle |
|
211 |
>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum> |
|
212 |
</citerefentry>. |
|
213 |
</para> |
|
214 |
<informalexample> |
|
215 |
<para> |
|
216 |
This program takes no options. |
|
217 |
</para> |
|
218 |
<para> |
|
219 |
<userinput>&COMMANDNAME;</userinput> |
|
220 |
</para> |
|
221 |
</informalexample> |
|
222 |
</refsect1> |
|
223 |
|
|
224 |
<refsect1 id="security"> |
|
225 |
<title>SECURITY</title> |
|
226 |
<para> |
|
227 |
If this program is killed by a signal, it will kill the process |
|
228 |
<abbrev>ID</abbrev> which at the start of this program was |
|
229 |
determined to run <citerefentry><refentrytitle |
|
230 |
>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry> |
|
231 |
as root (see also <xref linkend="files"/>). There is a very |
|
232 |
slight risk that, in the time between those events, that process |
|
233 |
<abbrev>ID</abbrev> was freed and then taken up by another |
|
234 |
process; the wrong process would then be killed. Now, this |
|
235 |
program can only be killed by the user who started it; see |
|
236 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
237 |
<manvolnum>8mandos</manvolnum></citerefentry>. This program |
|
238 |
should therefore be started by a completely separate |
|
239 |
non-privileged user, and no other programs should be allowed to |
|
240 |
run as that special user. This means that it is not recommended |
|
241 |
to use the user "nobody" to start this program, as other |
|
242 |
possibly less trusted programs could be running as "nobody", and |
|
243 |
they would then be able to kill this program, triggering the |
|
244 |
killing of the process <abbrev>ID</abbrev> which may or may not |
|
245 |
be <citerefentry><refentrytitle>splashy</refentrytitle> |
|
246 |
<manvolnum>8</manvolnum></citerefentry>. |
|
247 |
</para> |
|
248 |
<para> |
|
249 |
The only other thing that could be considered worthy of note is |
|
250 |
this: This program is meant to be run by <citerefentry> |
|
251 |
<refentrytitle>plugin-runner</refentrytitle><manvolnum |
|
252 |
>8mandos</manvolnum></citerefentry>, and will, when run |
|
253 |
standalone, outside, in a normal environment, immediately output |
|
254 |
on its standard output any presumably secret password it just |
|
255 |
received. Therefore, when running this program standalone |
|
256 |
(which should never normally be done), take care not to type in |
|
257 |
any real secret password by force of habit, since it would then |
|
258 |
immediately be shown as output. |
|
259 |
</para> |
|
260 |
</refsect1> |
|
261 |
|
|
262 |
<refsect1 id="see_also"> |
|
263 |
<title>SEE ALSO</title> |
|
264 |
<para> |
|
265 |
<citerefentry><refentrytitle>crypttab</refentrytitle> |
|
266 |
<manvolnum>5</manvolnum></citerefentry>, |
|
267 |
<citerefentry><refentrytitle>plugin-runner</refentrytitle> |
|
268 |
<manvolnum>8mandos</manvolnum></citerefentry>, |
|
269 |
<citerefentry><refentrytitle>proc</refentrytitle> |
|
270 |
<manvolnum>5</manvolnum></citerefentry>, |
|
271 |
<citerefentry><refentrytitle>splashy</refentrytitle> |
|
272 |
<manvolnum>8</manvolnum></citerefentry>, |
|
273 |
<citerefentry><refentrytitle>splashy_update</refentrytitle> |
|
274 |
<manvolnum>8</manvolnum></citerefentry> |
|
275 |
</para> |
|
276 |
</refsect1> |
|
277 |
</refentry>
|
|
278 |
<!-- Local Variables: -->
|
|
279 |
<!-- time-stamp-start: "<!ENTITY TIMESTAMP [\"']" -->
|
|
280 |
<!-- time-stamp-end: "[\"']>" -->
|
|
281 |
<!-- time-stamp-format: "%:y-%02m-%02d" -->
|
|
282 |
<!-- End: -->
|