PLUGIN-RUNNER(8mandos) | Mandos Manual | PLUGIN-RUNNER(8mandos) |
NAME¶
plugin-runner - Run Mandos plugins, pass data from first to succeed.
SYNOPSIS¶
plugin-runner
[--global-env=ENV=value |
-G ENV=value ...]
[--env-for=PLUGIN:ENV=value
|
-E PLUGIN:ENV=value ...]
[--global-options=OPTIONS |
-g OPTIONS ...]
[--options-for=PLUGIN:OPTIONS |
-o PLUGIN:OPTIONS ...]
[--disable=PLUGIN |
-d PLUGIN ...]
[--enable=PLUGIN |
-e PLUGIN ...]
[--groupid=ID]
[--userid=ID]
[--plugin-dir=DIRECTORY]
[--plugin-helper-dir=DIRECTORY]
[--config-file=FILE]
[--debug]
plugin-runner {--help | -?}
plugin-runner --usage
plugin-runner {--version | -V}
DESCRIPTION¶
plugin-runner is a program which is meant to be specified as a “keyscript” for the root disk in crypttab(5). The aim of this program is therefore to output a password, which then cryptsetup(8) will use to unlock the root disk.
This program is not meant to be invoked directly, but can be in order to test it. Note that any password obtained will simply be output on standard output.
PURPOSE¶
The purpose of this is to enable remote and unattended rebooting of client host computer with an encrypted root file system. See the section called “OVERVIEW” for details.
OPTIONS¶
--global-env ENV=value, -G ENV=value
--env-for PLUGIN:ENV=value, -E PLUGIN:ENV=value
--global-options OPTIONS, -g OPTIONS
--options-for PLUGIN:OPTION, -o PLUGIN:OPTION
Note that since options are not split on whitespace, the way to pass, to the plugin “foo”, the option --bar with the option argument “baz” is either --options-for=foo:--bar=baz or --options-for=foo:--bar,baz. Using --options-for="foo:--bar baz". will not work.
--disable PLUGIN, -d PLUGIN
--enable PLUGIN, -e PLUGIN
--groupid ID
--userid ID
--plugin-dir DIRECTORY
--plugin-helper-dir DIRECTORY
--config-file FILE
--debug
The plugins will not be affected by this option. Use --global-options=--debug if complete debugging eruption is desired.
--help, -?
--usage
--version, -V
OVERVIEW¶
This is part of the Mandos system for allowing computers to have encrypted root file systems and at the same time be capable of remote and/or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using a TLS key; each client has one unique to it. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using a separate OpenPGP key, and the password is then used to unlock the root file system, whereupon the computers can continue booting normally.
This program will run on the client side in the initial RAM disk environment, and is responsible for getting a password. It does this by running plugins, one of which will normally be the actual client program communicating with the server.
PLUGINS¶
This program will get a password by running a number of plugins, which are simply executable programs in a directory in the initial RAM disk environment. The default directory is /lib/mandos/plugins.d, but this can be changed with the --plugin-dir option. The plugins are started in parallel, and the first plugin to output a password and exit with a successful exit code will make this plugin-runner output the password from that plugin, stop any other plugins, and exit.
WRITING PLUGINS¶
A plugin is simply a program which prints a password to its standard output and then exits with a successful (zero) exit status. If the exit status is not zero, any output on standard output will be ignored by the plugin runner. Any output on its standard error channel will simply be passed to the standard error of the plugin runner, usually the system console.
If the password is a single-line, manually entered passprase, a final trailing newline character should not be printed.
The plugin will run in the initial RAM disk environment, so care must be taken not to depend on any files or running services not available there. Any helper executables required by the plugin (which are not in the PATH) can be placed in the plugin helper directory, the name of which will be made available to the plugin via the MANDOSPLUGINHELPERDIR environment variable.
The plugin must exit cleanly and free all allocated resources upon getting the TERM signal, since this is what the plugin runner uses to stop all other plugins when one plugin has output a password and exited cleanly.
The plugin must not use resources, like for instance reading from the standard input, without knowing that no other plugin is also using it.
It is useful, but not required, for the plugin to take the --debug option.
FALLBACK¶
If no plugins succeed, this program will, as a fallback, ask for a password on the console using getpass(3), and output it. This is not meant to be the normal mode of operation, as there is a separate plugin for getting a password from the console.
EXIT STATUS¶
Exit status of this program is zero if no errors were encountered, and otherwise not. The fallback (see the section called “FALLBACK”) may or may not have succeeded in either case.
ENVIRONMENT¶
This program does not use any environment variables itself, it only passes on its environment to all the plugins. The environment passed to plugins can be modified using the --global-env and --env-for options. Also, the --plugin-helper-dir option will affect the environment variable MANDOSPLUGINHELPERDIR for the plugins.
FILES¶
/conf/conf.d/mandos/plugin-runner.conf
This program is meant to run in the initial RAM disk environment, so that is where this file is assumed to exist. The file does not need to exist in the normal file system.
This file will be processed before the normal command line options, so the latter can override the former, if need be.
This file name is the default; the file to read for arguments can be changed using the --config-file option.
/lib/mandos/plugins.d
/lib/mandos/plugin-helpers
BUGS¶
The --config-file option is ignored when specified from within a configuration file.
Please report bugs to the Mandos development mailing list: <mandos-dev@recompile.se> (subscription required). Note that this list is public. The developers can be reached privately at <mandos@recompile.se> (OpenPGP key fingerprint 153A 37F1 0BBA 0435 987F 2C4A 7223 2973 CA34 C2C4 for encrypted mail).
EXAMPLE¶
Normal invocation needs no options:
plugin-runner
Run the program, but not the plugins, in debug mode:
plugin-runner --debug
Run all plugins, but run the “foo” plugin in debug mode:
plugin-runner --options-for=foo:--debug
Run all plugins, but not the program, in debug mode:
plugin-runner --global-options=--debug
Read a different configuration file, run plugins from a different directory, specify an alternate plugin helper directory and add four options to the mandos-client(8mandos) plugin:
cd /etc/keys/mandos; plugin-runner --config-file=/etc/mandos/plugin-runner.conf --plugin-dir /usr/lib/x86_64-linux-gnu/mandos/plugins.d --plugin-helper-dir /usr/lib/x86_64-linux-gnu/mandos/plugin-helpers --options-for=mandos-client:--pubkey=pubkey.txt,--seckey=seckey.txt,--tls-pubkey=tls-pubkey.pem,--tls-privkey=tls-privkey.pem
SECURITY¶
This program will, when starting, try to switch to another user. If it is started as root, it will succeed, and will by default switch to user and group 65534, which are assumed to be non-privileged. This user and group is then what all plugins will be started as. Therefore, the only way to run a plugin as a privileged user is to have the set-user-ID or set-group-ID bit set on the plugin executable file (see execve(2)).
If this program is used as a keyscript in crypttab(5), there is a slight risk that if this program fails to work, there might be no way to boot the system except for booting from another media and editing the initial RAM disk image to not run this program. This is, however, unlikely, since the password-prompt(8mandos) plugin will read a password from the console in case of failure of the other plugins, and this plugin runner will also, in case of catastrophic failure, itself fall back to asking and outputting a password on the console (see the section called “FALLBACK”).
SEE ALSO¶
intro(8mandos), cryptsetup(8), crypttab(5), execve(2), mandos(8), password-prompt(8mandos), mandos-client(8mandos)
COPYRIGHT¶
Copyright © 2008-2019 Teddy Hogeborn, Björn
Påhlsson
This manual page is part of Mandos.
Mandos is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
Mandos is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with Mandos. If not, see http://www.gnu.org/licenses/.
2019-07-26 | Mandos 1.8.16 |