From 0b358d39a6f8d8c8eb4ae288b983a50e5085c910 Mon Sep 17 00:00:00 2001
From: Rob
Date: Tue, 25 Aug 2009 15:59:13 +0200
Subject: [PATCH] Adapted manual for $() as an option to --file-source
---
signduterre.py | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/signduterre.py b/signduterre.py
index 86d3d7a..db808f6 100755
--- a/signduterre.py
+++ b/signduterre.py
@@ -66,8 +66,12 @@ Options:[[[/p]]][[[pre]]]
--file-source=PATH Read all files from PATH. The PATH-string is prepended to every plain file-path that is read for a signature. Remote files can be checked with
- 'ssh://@[/path]'. The option overrules any
- File source specification in the --check-file.
+ 'ssh://@[/path]'. A shell command that
+ prints out the file can be entered as '$()'. The
+ filepath will be substituted for any '{}' string in
+ the command, or appended tot the command (without
+ white-space). The option overrules any File source
+ specification in the --check-file.
-P FILE, --Private-file=FILE Print private information (passwords etc.) to FILE instead of STDERR.
@@ -548,7 +552,10 @@ to hide changes in the system. In case of a real compromised system,
it is conceivable that the signatures will need to be checked using known good statically linked programs, eg, cat or dd from a cyptographically secured container like ecryptfs or an encrypted loopback device. An existing signature can be tested against such statically linked programs using
-the '--file-source $()' option.
+the "--file-source '$()'" option. In this option, the plain file path will be substituted for every
+occurence of the string '{}' in the command. If no '{}' is present in the command, the file will simply be
+appended to the command. So, '$(/bin/dd if=)' is equivalent to '$(/bin/dd if={})' and '$(/bin/cat )' is
+equivalent to '$(/bin/cat {})'. Note the trailing space in '$(/bin/cat )'.
[[[/p]]][[[pre make=example7]]] # make: example7 # Create standard signature
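Review bot: The fourth added line of the --file-source entry reads `appended tot the command`; it should be `appended to the command`. The same sentence is repeated verbatim in the help= string added in the hunk at @@ -807,7 +815,9 @@, so the typo needs fixing in both places. Keeping the manual text and the optparse help text identical is worthwhile, since this is the text an operator reads before running a signature check with an external command.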
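Review bot: The new paragraph explains how '{}' is substituted but does not say whether the file path is shell-quoted before the command runs; since '$()' is described as a shell command and the paths being checked presumably come from the check-file or the command line, an operator needs to know whether a path containing spaces or shell metacharacters is inserted verbatim. The hunk shows only the manual, so the actual quoting behaviour is not visible here; whichever it is, this paragraph should state it, e.g. `The file path is inserted into the command exactly as given; it is not quoted or escaped.` (or the opposite), so that operators can decide whether to wrap '{}' in quotes themselves. Separately, `occurence` on the second added line should be `occurrence`.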
@@ -590,8 +597,9 @@ $ dd if=/bin/ps 2>/dev/null | python3.0 signduterre.py -edv -p SUGGESTED -s SUGG
[[[/pre]]][[[p]]] - Reading URLs as file arguments should work when Python treats URLs identical to file descriptors. For the technically inclined:
-when [[[br /]]][[[tt]]]with urllib.request.urlopen(url) as f:[[[/tt]]] [[[br /]]]works, URLs can be
-entered where ever file paths can be entered..
+when:[[[br /]]]
+[[[tt]]]with urllib.request.urlopen(url) as f:[[[/tt]]][[[br /]]]
+works, URLs can be entered where ever file paths can be entered..
[[[/p]]][[[/body]]][[[/html]]]
"""
#
@@ -807,7 +815,9 @@ parser.add_option("-o", "--output-file",
help="Print to FILE instead of STDOUT.")
parser.add_option("--file-source", dest="filesource", default=False, metavar="PATH",
- help="Read all files from PATH. The PATH-string is prepended to every plain file-path that is read for a signature. Remote files can be checked with 'ssh://@[/path]'. The option overrules any File source specification in the --check-file.")
+ help="Read all files from PATH. The PATH-string is prepended to every plain file-path that is read for a signature. Remote files can be checked with 'ssh://@[/path]'. " +
+ "A shell command that prints out the file can be entered as '$()'. The filepath will be substituted for any '{}' string in the command, or appended tot the command (without white-space). " +
+ "The option overrules any File source specification in the --check-file.")
parser.add_option("-P", "--Private-file", dest="private", default=False, metavar="FILE",
help="Print private information (passwords etc.) to FILE instead of STDERR.")
--
2.11.4.GIT
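Review bot: The three added help= lines join their string literals with a trailing `+` operator, which is not needed inside the call parentheses because Python concatenates adjacent string literals implicitly; dropping the `+` at the end of the first two lines, so the first line ends `... 'ssh://@[/path]'. "`, gives the same help text with less visual noise and avoids a dangling operator if one of the literals is later removed. The surrounding parser.add_option call is otherwise unchanged and its argument list continues outside the added lines.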