=== modified file 'Makefile'
--- Makefile	2014-10-05 20:08:58 +0000
+++ Makefile	2015-06-28 16:35:27 +0000
@@ -106,7 +106,8 @@
 PLUGINS=plugins.d/password-prompt plugins.d/mandos-client \
 	plugins.d/usplash plugins.d/splashy plugins.d/askpass-fifo \
 	plugins.d/plymouth
-CPROGS=plugin-runner $(PLUGINS)
+PLUGIN_HELPERS=
+CPROGS=plugin-runner $(PLUGINS) $(PLUGIN_HELPERS)
 PROGS=mandos mandos-keygen mandos-ctl mandos-monitor $(CPROGS)
 DOCS=mandos.8 mandos-keygen.8 mandos-monitor.8 mandos-ctl.8 \
 	mandos.conf.5 mandos-clients.conf.5 plugin-runner.8mandos \
@@ -273,6 +274,7 @@
 	@echo "###################################################################"
 # We set GNOME_KEYRING_CONTROL to block pam_gnome_keyring
 	./plugin-runner --plugin-dir=plugins.d \
+		--plugin-helper-dir=plugin-helpers \
 		--config-file=plugin-runner.conf \
 		--options-for=mandos-client:--seckey=keydir/seckey.txt,--pubkey=keydir/pubkey.txt,--network-hook-dir=network-hooks.d \
 		--env-for=mandos-client:GNOME_KEYRING_CONTROL= \
@@ -356,6 +358,7 @@
 	if [ "$(CONFDIR)" != "$(LIBDIR)/mandos" ]; then \
 		install --mode=u=rwx \
 			--directory "$(CONFDIR)/plugins.d"; \
+		install --directory "$(CONFDIR)/plugin-helpers"; \
 	fi
 	install --mode=u=rwx,go=rx --directory \
 		"$(CONFDIR)/network-hooks.d"

=== modified file 'initramfs-tools-hook'
--- initramfs-tools-hook	2014-07-16 23:44:54 +0000
+++ initramfs-tools-hook	2015-06-28 16:35:27 +0000
@@ -70,11 +70,13 @@
 CONFDIR="/conf/conf.d/mandos"
 MANDOSDIR="/lib/mandos"
 PLUGINDIR="${MANDOSDIR}/plugins.d"
+PLUGINHELPERDIR="${MANDOSDIR}/plugins-helpers"
 HOOKDIR="${MANDOSDIR}/network-hooks.d"
 
 # Make directories
 install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \
-	"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"
+	"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}" \
+	"${DESTDIR}${PLUGINHELPERDIR}"
 install --owner=${mandos_user} --group=${mandos_group} --directory \
     --mode=u=rwx "${DESTDIR}${PLUGINDIR}"
 
@@ -98,6 +100,21 @@
     esac
 done
 
+# Copy the packaged plugin helpers
+for file in "$libdir"/mandos/plugin-helpers/*; do
+    base="`basename \"$file\"`"
+    # Is this plugin overridden?
+    if [ -e "/etc/mandos/plugin-helpers/$base" ]; then
+	continue
+    fi
+    case "$base" in
+	*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
+	    : ;;
+	"*") : ;;
+	*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;
+    esac
+done
+
 # Copy any user-supplied plugins
 for file in /etc/mandos/plugins.d/*; do
     base="`basename \"$file\"`"
@@ -109,6 +126,17 @@
     esac
 done
 
+# Copy any user-supplied plugin helpers
+for file in /etc/mandos/plugin-helpers/*; do
+    base="`basename \"$file\"`"
+    case "$base" in
+	*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
+	    : ;;
+	"*") : ;;
+	*) copy_exec "$file" "${PLUGINHELPERDIR}" ;;
+    esac
+done
+
 # Get DEVICE from initramfs.conf and other files
 . /etc/initramfs-tools/initramfs.conf
 for conf in /etc/initramfs-tools/conf.d/*; do

=== added directory 'plugin-helpers'
=== modified file 'plugin-runner.c'
--- plugin-runner.c	2014-07-16 01:41:23 +0000
+++ plugin-runner.c	2015-06-28 16:35:27 +0000
@@ -76,6 +76,7 @@
 #define BUFFER_SIZE 256
 
 #define PDIR "/lib/mandos/plugins.d"
+#define PHDIR "/lib/mandos/plugin-helpers"
 #define AFILE "/conf/conf.d/mandos/plugin-runner.conf"
 
 const char *argp_program_version = "plugin-runner " VERSION;
@@ -347,6 +348,7 @@
 
 int main(int argc, char *argv[]){
   char *plugindir = NULL;
+  char *pluginhelperdir = NULL;
   char *argfile = NULL;
   FILE *conffp;
   struct dirent **direntries = NULL;
@@ -414,6 +416,10 @@
       .doc = "Group ID the plugins will run as", .group = 3 },
     { .name = "debug", .key = 132,
       .doc = "Debug mode", .group = 4 },
+    { .name = "plugin-helper-dir", .key = 133,
+      .arg = "DIRECTORY",
+      .doc = "Specify a different plugin helper directory",
+      .group = 2 },
     /*
      * These reproduce what we would get without ARGP_NO_HELP
      */
@@ -545,6 +551,13 @@
     case 132:			/* --debug */
       debug = true;
       break;
+    case 133:			/* --plugin-helper-dir */
+      free(pluginhelperdir);
+      pluginhelperdir = strdup(arg);
+      if(pluginhelperdir != NULL){
+	errno = 0;
+      }
+      break;
       /*
        * These reproduce what we would get without ARGP_NO_HELP
        */
@@ -601,6 +614,7 @@
     case 130:			/* --userid */
     case 131:			/* --groupid */
     case 132:			/* --debug */
+    case 133:			/* --plugin-helper-dir */
     case '?':			/* --help */
     case -3:			/* --usage */
     case 'V':			/* --version */
@@ -761,6 +775,24 @@
     goto fallback;
   }
   
+  {
+    char *pluginhelperenv;
+    bool bret = true;
+    ret = asprintf(&pluginhelperenv, "MANDOSPLUGINHELPERDIR=%s",
+		   pluginhelperdir != NULL ? pluginhelperdir : PHDIR);
+    if(ret != -1){
+      bret = add_environment(getplugin(NULL), pluginhelperenv, true);
+    }
+    if(ret == -1 or not bret){
+      error(0, errno, "Failed to set MANDOSPLUGINHELPERDIR"
+	    " environment variable to \"%s\" for all plugins\n",
+	    pluginhelperdir != NULL ? pluginhelperdir : PHDIR);
+    }
+    if(ret != -1){
+      free(pluginhelperenv);
+    }
+  }
+  
   if(debug){
     for(plugin *p = plugin_list; p != NULL; p=p->next){
       fprintf(stderr, "Plugin: %s has %d arguments\n",
@@ -1336,6 +1368,7 @@
   free_plugin_list();
   
   free(plugindir);
+  free(pluginhelperdir);
   free(argfile);
   
   return exitstatus;

=== modified file 'plugin-runner.xml'
--- plugin-runner.xml	2011-12-31 23:05:34 +0000
+++ plugin-runner.xml	2015-06-28 16:35:27 +0000
@@ -2,7 +2,7 @@
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
 	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY COMMANDNAME "plugin-runner">
-<!ENTITY TIMESTAMP "2012-01-01">
+<!ENTITY TIMESTAMP "2015-06-28">
 <!ENTITY % common SYSTEM "common.ent">
 %common;
 ]>
@@ -114,6 +114,9 @@
       <arg><option>--plugin-dir=<replaceable
       >DIRECTORY</replaceable></option></arg>
       <sbr/>
+      <arg><option>--plugin-helper-dir=<replaceable
+      >DIRECTORY</replaceable></option></arg>
+      <sbr/>
       <arg><option>--config-file=<replaceable
       >FILE</replaceable></option></arg>
       <sbr/>
@@ -320,6 +323,21 @@
       </varlistentry>
       
       <varlistentry>
+	<term><option>--plugin-helper-dir
+	<replaceable>DIRECTORY</replaceable></option></term>
+	<listitem>
+	  <para>
+	    Specify a different plugin helper directory.  The default
+	    is <filename>/lib/mandos/plugin-helpers</filename>, which
+	    will exist in the initial <acronym>RAM</acronym> disk
+	    environment.  (This will simply be passed to all plugins
+	    via the <envar>MANDOSPLUGINHELPERDIR</envar> environment
+	    variable.  See <xref linkend="writing_plugins"/>)
+	  </para>
+	</listitem>
+      </varlistentry>
+      
+      <varlistentry>
 	<term><option>--config-file
 	<replaceable>FILE</replaceable></option></term>
 	<listitem>
@@ -426,7 +444,11 @@
       <para>
 	The plugin will run in the initial RAM disk environment, so
 	care must be taken not to depend on any files or running
-	services not available there.
+	services not available there.  Any helper executables required
+	by the plugin (which are not in the <envar>PATH</envar>) can
+	be placed in the plugin helper directory, the name of which
+	will be made available to the plugin via the
+	<envar>MANDOSPLUGINHELPERDIR</envar> environment variable.
       </para>
       <para>
 	The plugin must exit cleanly and free all allocated resources
@@ -475,7 +497,9 @@
       only passes on its environment to all the plugins.  The
       environment passed to plugins can be modified using the
       <option>--global-env</option> and <option>--env-for</option>
-      options.
+      options.  Also, the <option>--plugin-helper-dir</option> option
+      will affect the environment variable
+      <envar>MANDOSPLUGINHELPERDIR</envar> for the plugins.
     </para>
   </refsect1>