This file is indexed.

/usr/share/initramfs-tools/scripts/init-premount/mandos is in mandos-client 1.6.0-1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
#!/bin/sh -e
# 
# This script will run in the initrd environment at boot and edit
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
# when no other keyscript is set, before cryptsetup.
# 

# This script should be installed as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
# eventually be "/scripts/init-premount/mandos" in the initrd.img
# file.

PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
	prereqs
	exit 0
	;;
esac

. /scripts/functions

for param in `cat /proc/cmdline`; do
    case "$param" in
        ip=*) IPOPTS="${param#ip=}" ;;
        mandos=*)
            # Split option line on commas
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
		    connect) connect="" ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
	    unset mpar
            IFS="$old_ifs"
            unset old_ifs
            ;;
    esac
done
unset param

chmod a=rwxt /tmp

test -r /conf/conf.d/cryptroot
test -w /conf/conf.d

# Get DEVICE from /conf/initramfs.conf and other files
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    [ -f ${conf} ] && . ${conf}
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi

# Override DEVICE from sixth field of ip= kernel option, if passed
case "$IPOPTS" in
    *:*:*:*:*:*)		# At least six fields
        # Remove the first five fields
	device="${IPOPTS#*:*:*:*:*:}"
        # Remove all fields except the first one
	DEVICE="${device%%:*}"
	;;
esac

# Add device setting (if any) to plugin-runner.conf
if [ "${DEVICE+set}" = set ]; then
    # Did we get the device from an ip= option?
    if [ "${device+set}" = set ]; then
	# Let ip= option override local config; append:
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
	
	--options-for=mandos-client:--interface=${DEVICE}
EOF
    else
        # Prepend device setting so any later options would override:
	sed -i -e \
	    '1i--options-for=mandos-client:--interface='"${DEVICE}" \
	    /conf/conf.d/mandos/plugin-runner.conf
    fi
fi
unset device

# If we are connecting directly, run "configure_networking" (from
# /scripts/functions); it needs IPOPTS and DEVICE
if [ "${connect+set}" = set ]; then
    configure_networking
    if [ -n "$connect" ]; then
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
	
	--options-for=mandos-client:--connect=${connect}
EOF
    fi
fi

# Do not replace cryptroot file unless we need to.
replace_cryptroot=no

# Our keyscript
mandos=/lib/mandos/plugin-runner
test -x "$mandos"

# parse /conf/conf.d/cryptroot.  Format:
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
exec 3>/conf/conf.d/cryptroot.mandos
while read options; do
    newopts=""
    # Split option line on commas
    old_ifs="$IFS"
    IFS="$IFS,"
    for opt in $options; do
	# Find the keyscript option, if any
	case "$opt" in
	    keyscript=*)
		keyscript="${opt#keyscript=}"
		newopts="$newopts,$opt"
		;;
	    "") : ;;
	    *)
		newopts="$newopts,$opt"
		;;
	esac
    done
    IFS="$old_ifs"
    unset old_ifs
    # If there was no keyscript option, add one.
    if [ -z "$keyscript" ]; then
	replace_cryptroot=yes
	newopts="$newopts,keyscript=$mandos"
    fi
    newopts="${newopts#,}"
    echo "$newopts" >&3
done < /conf/conf.d/cryptroot
exec 3>&-

# If we need to, replace the old cryptroot file with the new file.
if [ "$replace_cryptroot" = yes ]; then
    mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
    mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
else
    rm /conf/conf.d/cryptroot.mandos
fi