table of contents
other sections
PLYMOUTH(8mandos) | Mandos Manual | PLYMOUTH(8mandos) |
NAME¶
plymouth - Mandos plugin to use plymouth to get a password.SYNOPSIS¶
plymouth
DESCRIPTION¶
This program prompts for a password using plymouth(8) and outputs any given password to standard output. If no plymouth(8) process can be found, this program will immediately exit with an exit code indicating failure. This program is not very useful on its own. This program is really meant to run as a plugin in the Mandos client-side system, where it is used as a fallback and alternative to retrieving passwords from a Mandos server. If this program is killed (presumably by plugin-runner(8mandos) because some other plugin provided the password), it cannot tell plymouth(8) to abort requesting a password, because plymouth(8) does not support this. Therefore, this program will then kill the running plymouth(8) process and start a new one using the same command line arguments as the old one was using.OPTIONS¶
This program takes no options.EXIT STATUS¶
If exit status is 0, the output from the program is the password as it was read. Otherwise, if exit status is other than 0, the program was interrupted or encountered an error, and any output so far could be corrupt and/or truncated, and should therefore be ignored.ENVIRONMENT¶
cryptsource, crypttargetIf set, these environment variables will be
assumed to contain the source device name and the target device mapper name,
respectively, and will be shown as part of the prompt.
These variables will normally be inherited from plugin-runner(8mandos),
which will normally have inherited them from /scripts/local-top/cryptroot in
the initial RAM disk environment, which will have set them from parsing kernel
arguments and /conf/conf.d/cryptroot (also in the initial RAM disk
environment), which in turn will have been created when the initial RAM disk
image was created by /usr/share/initramfs-tools/hooks/cryptroot, by extracting
the information of the root file system from /etc/crypttab.
This behavior is meant to exactly mirror the behavior of askpass, the
default password prompter.
FILES¶
/bin/plymouthThis is the command run to retrieve a password
from plymouth(8).
/proc
To find the running plymouth(8), this
directory will be searched for numeric entries which will be assumed to be
directories. In all those directories, the exe and cmdline entries will be
used to determine the name of the running binary, effective user and group ID,
and the command line arguments. See proc(5).
/sbin/plymouthd
This is the name of the binary which will be
searched for in the process list. See plymouth(8).
BUGS¶
Killing the plymouth(8) daemon and starting a new one is ugly, but necessary as long as it does not support aborting a password request.EXAMPLE¶
Note that normally, this program will not be invoked directly, but instead started by the Mandos plugin-runner(8mandos). This program takes no options.SECURITY¶
If this program is killed by a signal, it will kill the process ID which at the start of this program was determined to run plymouth(8) as root (see also the section called “FILES”). There is a very slight risk that, in the time between those events, that process ID was freed and then taken up by another process; the wrong process would then be killed. Now, this program can only be killed by the user who started it; see plugin-runner(8mandos). This program should therefore be started by a completely separate non-privileged user, and no other programs should be allowed to run as that special user. This means that it is not recommended to use the user "nobody" to start this program, as other possibly less trusted programs could be running as "nobody", and they would then be able to kill this program, triggering the killing of the process ID which may or may not be plymouth(8). The only other thing that could be considered worthy of note is this: This program is meant to be run by plugin-runner(8mandos), and will, when run standalone, outside, in a normal environment, immediately output on its standard output any presumably secret password it just received. Therefore, when running this program standalone (which should never normally be done), take care not to type in any real secret password by force of habit, since it would then immediately be shown as output.SEE ALSO¶
COPYRIGHT¶
Copyright © 2010-2012 Teddy Hogeborn, Björn Påhlsson2012-01-01 | Mandos 1.5.5 |