/mandos/trunk : revision 223

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to plugins.d/splashy.xml

Committer: Teddy Hogeborn
Date: 2008-10-03 09:32:30 UTC
Revision ID: teddy@fukt.bsnet.se-20081003093230-rshn19e0c19zz12i

* .bzrignore (plugins.d/askpass-fifo): Added.

* Makefile (FORTIFY): Added "-fstack-protector-all".
  (mandos, mandos-keygen): Use more strict regexps when updating the
                           version number.

* mandos (Client.__init__): Use os.path.expandvars() and
                            os.path.expanduser() on the "secfile"
                            config value.

* plugins.d/splashy.c: Update comments and order of #include's.
  (main): Check user and group when looking for running splashy
          process.  Do not ignore ENOENT from execl().  Use _exit()
          instead of "return" when an error happens in child
          processes.  Bug fix: Only wait for splashy_update
          completion if it was started.  Bug fix: detect failing
          waitpid().  Only kill splashy_update if it is running.  Do
          the killing of the old splashy process before the fork().
          Do setsid() and setuid(geteuid()) before starting the new
          splashy.  Report failing execl().

* plugins.d/usplash.c: Update comments and order of #include's.
  (main): Check user and group when looking for running usplash
          process.  Do not report execv() error if interrupted by a
          signal.

files added:
debian/mandos-client.config

debian/mandos-client.templates

debian/mandos.config

debian/mandos.templates

debian/po/POTFILES.in

debian/po/sv.po

files removed:
NEWS

debian/watch

mandos-ctl

mandos.lsm

plugins.d/askpass-fifo.xml

plugins.d/splashy.xml

plugins.d/usplash.xml

files modified:
INSTALL

Makefile

README

TODO

clients.conf

common.ent

debian/changelog

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.docs

debian/mandos.postinst

debian/mandos.prerm

debian/rules

initramfs-tools-hook

initramfs-tools-script

mandos

mandos-clients.conf.xml

mandos-keygen

mandos-keygen.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.xml

plugin-runner.c

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/password-prompt.c

plugins.d/password-prompt.xml

plugins.d/splashy.c

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

plugins.d/splashy.xml

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"

"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [

<!ENTITY COMMANDNAME "splashy">

<!ENTITY TIMESTAMP "2009-01-04">

<!ENTITY % common SYSTEM "../common.ent">

%common;

<title>Mandos Manual</title>

<productname>Mandos</productname>

<productnumber>&version;</productnumber>

<date>&TIMESTAMP;</date>

<firstname>Björn</firstname>

<surname>Påhlsson</surname>

<email>belorn@fukt.bsnet.se</email>

</address>

</author>

<firstname>Teddy</firstname>

<surname>Hogeborn</surname>

<email>teddy@fukt.bsnet.se</email>

</address>

</author>

</authorgroup>

<holder>Teddy Hogeborn</holder>

<holder>Björn Påhlsson</holder>

</copyright>

<xi:include href="../legalnotice.xml"/>

</refentryinfo>

<refentrytitle>&COMMANDNAME;</refentrytitle>

<manvolnum>8mandos</manvolnum>

</refmeta>

<refname><command>&COMMANDNAME;</command></refname>

<refpurpose>Mandos plugin to use splashy to get a

password.</refpurpose>

</refnamediv>

<command>&COMMANDNAME;</command>

</cmdsynopsis>

</refsynopsisdiv>

<title>DESCRIPTION</title>

<para>

This program prompts for a password using <citerefentry>

<refentrytitle>splashy_update</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> and outputs any given

password to standard output. If no <citerefentry><refentrytitle

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

process can be found, this program will immediately exit with an

exit code indicating failure.

</para>

<para>

This program is not very useful on its own. This program is

really meant to run as a plugin in the <application

>Mandos</application> client-side system, where it is used as a

fallback and alternative to retrieving passwords from a

<application >Mandos</application> server.

</para>

<para>

If this program is killed (presumably by

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

<manvolnum>8mandos</manvolnum></citerefentry> because some other

plugin provided the password), it cannot tell <citerefentry>

<refentrytitle>splashy</refentrytitle><manvolnum>8</manvolnum>

</citerefentry> to abort requesting a password, because

<citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> does not support this.

Therefore, this program will then <emphasis>kill</emphasis> the

running <citerefentry><refentrytitle>splashy</refentrytitle>

<manvolnum>8</manvolnum></citerefentry> process and start a

<emphasis>new</emphasis> one, using <quote><literal

>boot</literal></quote> as the only argument.

</para>

</refsect1>

<title>OPTIONS</title>

<para>

This program takes no options.

</para>

</refsect1>

100

101

102

<title>EXIT STATUS</title>

103

<para>

104

If exit status is 0, the output from the program is the password

105

as it was read. Otherwise, if exit status is other than 0, the

106

program was interrupted or encountered an error, and any output

107

so far could be corrupt and/or truncated, and should therefore

108

be ignored.

109

</para>

110

</refsect1>

111

112

113

<title>ENVIRONMENT</title>

114

115

116

<term><envar>cryptsource</envar></term>

117

<term><envar>crypttarget</envar></term>

118

119

<para>

120

If set, these environment variables will be assumed to

121

contain the source device name and the target device

122

mapper name, respectively, and will be shown as part of

123

the prompt.

124

</para>

125

<para>

126

These variables will normally be inherited from

127

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

128

<manvolnum>8mandos</manvolnum></citerefentry>, which will

129

normally have inherited them from

130

<filename>/scripts/local-top/cryptroot</filename> in the

131

initial <acronym>RAM</acronym> disk environment, which will

132

have set them from parsing kernel arguments and

133

<filename>/conf/conf.d/cryptroot</filename> (also in the

134

initial RAM disk environment), which in turn will have been

135

created when the initial RAM disk image was created by

136

<filename

137

>/usr/share/initramfs-tools/hooks/cryptroot</filename>, by

138

extracting the information of the root file system from

139

<filename >/etc/crypttab</filename>.

140

</para>

141

<para>

142

This behavior is meant to exactly mirror the behavior of

143

<command>askpass</command>, the default password prompter.

144

</para>

145

</listitem>

146

</varlistentry>

147

</variablelist>

148

</refsect1>

149

150

151

<title>FILES</title>

152

153

154

<term><filename>/sbin/splashy_update</filename></term>

155

156

<para>

157

This is the command run to retrieve a password from

158

<citerefentry><refentrytitle>splashy</refentrytitle>

159

<manvolnum>8</manvolnum></citerefentry>. See

160

<citerefentry><refentrytitle

161

>splashy_update</refentrytitle><manvolnum>8</manvolnum>

162

</citerefentry>.

163

</para>

164

</listitem>

165

</varlistentry>

166

167

168

169

<para>

170

To find the running <citerefentry><refentrytitle

171

>splashy</refentrytitle><manvolnum>8</manvolnum>

172

</citerefentry>, this directory will be searched for

173

numeric entries which will be assumed to be directories.

174

In all those directories, the <filename>exe</filename>

175

entry will be used to determine the name of the running

176

binary and the effective user and group

177

<abbrev>ID</abbrev> of the process. See <citerefentry>

178

<refentrytitle>proc</refentrytitle><manvolnum

179

>5</manvolnum></citerefentry>.

180

</para>

181

</listitem>

182

</varlistentry>

183

184

<term><filename>/sbin/splashy</filename></term>

185

186

<para>

187

This is the name of the binary which will be searched for

188

in the process list. See <citerefentry><refentrytitle

189

>splashy</refentrytitle><manvolnum>8</manvolnum>

190

</citerefentry>.

191

</para>

192

</listitem>

193

</varlistentry>

194

</variablelist>

195

</refsect1>

196

197

198

199

<para>

200

Killing <citerefentry><refentrytitle>splashy</refentrytitle>

201

<manvolnum>8</manvolnum></citerefentry> and starting a new one

202

is ugly, but necessary as long as it does not support aborting a

203

password request.

204

</para>

205

</refsect1>

206

207

208

<title>EXAMPLE</title>

209

<para>

210

Note that normally, this program will not be invoked directly,

211

but instead started by the Mandos <citerefentry><refentrytitle

212

>plugin-runner</refentrytitle><manvolnum>8mandos</manvolnum>

213

</citerefentry>.

214

</para>

215

216

<para>

217

This program takes no options.

218

</para>

219

<para>

220

<userinput>&COMMANDNAME;</userinput>

221

</para>

222

</informalexample>

223

</refsect1>

224

225

226

<title>SECURITY</title>

227

<para>

228

If this program is killed by a signal, it will kill the process

229

<abbrev>ID</abbrev> which at the start of this program was

230

determined to run <citerefentry><refentrytitle

231

>splashy</refentrytitle><manvolnum>8</manvolnum></citerefentry>

232

as root (see also <xref linkend="files"/>). There is a very

233

slight risk that, in the time between those events, that process

234

<abbrev>ID</abbrev> was freed and then taken up by another

235

process; the wrong process would then be killed. Now, this

236

program can only be killed by the user who started it; see

237

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

238

<manvolnum>8mandos</manvolnum></citerefentry>. This program

239

should therefore be started by a completely separate

240

non-privileged user, and no other programs should be allowed to

241

run as that special user. This means that it is not recommended

242

to use the user "nobody" to start this program, as other

243

possibly less trusted programs could be running as "nobody", and

244

they would then be able to kill this program, triggering the

245

killing of the process <abbrev>ID</abbrev> which may or may not

246

be <citerefentry><refentrytitle>splashy</refentrytitle>

247

<manvolnum>8</manvolnum></citerefentry>.

248

</para>

249

<para>

250

The only other thing that could be considered worthy of note is

251

this: This program is meant to be run by <citerefentry>

252

<refentrytitle>plugin-runner</refentrytitle><manvolnum

253

>8mandos</manvolnum></citerefentry>, and will, when run

254

standalone, outside, in a normal environment, immediately output

255

on its standard output any presumably secret password it just

256

received. Therefore, when running this program standalone

257

(which should never normally be done), take care not to type in

258

any real secret password by force of habit, since it would then

259

immediately be shown as output.

260

</para>

261

</refsect1>

262

263

264

265

<para>

266

<citerefentry><refentrytitle>crypttab</refentrytitle>

267

<manvolnum>5</manvolnum></citerefentry>,

268

<citerefentry><refentrytitle>plugin-runner</refentrytitle>

269

<manvolnum>8mandos</manvolnum></citerefentry>,

270

271

<manvolnum>5</manvolnum></citerefentry>,

272

<citerefentry><refentrytitle>splashy</refentrytitle>

273

<manvolnum>8</manvolnum></citerefentry>,

274

<citerefentry><refentrytitle>splashy_update</refentrytitle>

275

276

</para>

277

</refsect1>

278

</refentry>

279

280

281

282

283

Older »