cryptonas-archive/v0.2/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh

482 lines
13 KiB
Bash
Raw Normal View History

2005-10-05 02:51:03 +02:00
#!/bin/sh
#
# this script does EVERYTHING
# all other scripts are only frontends :)
#
# called by:
# - some rc-scripts
# - the web frontend cgi
#
set -eu
# parse config file
. /etc/cryptobox/cryptobox.conf
## configuration
CONFIG_MARKER="$CONFIG_DIR/cryptobox.marker"
CERT_TEMP=/tmp/stunnel.pem
#####
function log_msg()
{
# the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0
echo >>"$LOG_FILE"
echo "##### `date` #####" >>"$LOG_FILE"
echo "$1" >>"$LOG_FILE"
}
function error_msg()
# parameters: ExitCode ErrorMessage
{
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
# print the execution stack - not usable with busybox
#caller | sed 's/^/\t/' >&2
exit "$1"
}
function initial_checks()
# Parameter: device
{
local device="$1"
[ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1
[ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1
[ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1
for a in $ALGO $HASH
do grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; }
done
log_msg "inital checks successful"
return 0
}
function create_partitions()
# Parameter: device
{
local device="$1"
# first partition size is 1 sector, second goes til end
# sfdisk -n doesn't actually write (for testing purpose)
echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
}
function config_set_value()
# parameters: SettingName SettingValue
{
mount -o rw,remount "$CONFIG_DIR"
echo -n "$2" > "$CONFIG_DIR/$1"
mount -o ro,remount "$CONFIG_DIR"
}
function config_get_value()
# parameters: SettingName
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_mounted
then conf_dir=$CONFIG_DIR
else conf_dir=$CONFIG_DEFAULTS_DIR
fi
[ -z "$1" ] && error_msg 1 "empty setting name"
[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
# remove trailing line break
echo -n $(cat "$conf_dir/$1")
}
function create_config()
# Parameter: device
{
local device="${1}1"
log_msg "Creating config filesystem ..."
# filter output through 'tr' to replace tabs
$MKFS_CONFIG "$device" | tr '\010' ' '
# mount the config partition rw
log_msg "Mounting config partition ..."
mount "$device" "$CONFIG_DIR"
# create a marker to recognize a cryptobox partition
date -I >"$CONFIG_MARKER"
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary cerificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "mount_config"
cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "device" "$1"
config_set_value "ip" "$(get_current_ip)"
# reinitialise configuration
log_msg "Unmounting config partition ..."
umount "$CONFIG_DIR"
log_msg "Reload configuration ..."
mount_config
}
function get_current_ip()
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $(ifconfig $NET_IFACE | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
}
function create_crypto()
# Parameter: device
{
local device="$1"
# passphrase may be passed via command line
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
}
function mkfs_crypto()
# split from create_crypto to allow background execution via web interface
{
local device=$(find_harddisk)
# flood the crypto partition with noise
# writing to the real partition is faster
# TODO: this takes _much_ too long - maybe add a "secure wipe" switch to the interface?
#dd if=/dev/urandom of="${device}2" bs=512
# filter output through 'tr' to replace tabs
$MKFS_DATA "$CRYPTMAPPER_DEV" | tr '\0101' ' '
}
function config_mount_test()
# Parameter: device
{
local device="${1}"
local STATUS=0
mount "${device}1" "$CONFIG_DIR" &>/dev/null || true
is_config_mounted && STATUS=1
umount "$CONFIG_DIR" &>/dev/null || true
# return code is the result of this expression
[ 1 -eq "$STATUS" ] && return 0
return 1
}
function is_config_mounted()
{
mount | grep -q " ${CONFIG_DIR} " && [ -f "$CONFIG_MARKER" ]
}
function is_crypto_mounted()
{
mount | grep -q " ${CRYPTO_DIR} "
}
function is_init_running()
{
check_at_command_queue " box-init-bg"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue()
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q "$1"
}
function find_harddisk()
# look for the harddisk to be partitioned
{
local dev=$(
if is_config_mounted
then config_get_value "device"
else for a in $SCAN_DEVICES
do grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
done
fi )
[ -z "$dev" ] && echo "no valid partition for initialisation found!" >>"$LOG_FILE"
echo -n "$dev"
}
function mount_config()
{
is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
local device=$(
for a in $SCAN_DEVICES
do log_msg "Trying to load configuration from $a ..."
config_mount_test "$a" && echo "$a" && break
done )
if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
then log_msg "configuraton found on $device"
config_set_value "device" "$device"
# copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
cp "$CERT_FILE" "$CERT_TEMP"
return 0
else log_msg "failed to locate harddisk"
return 1
fi
}
function mount_crypto()
{
is_crypto_mounted && echo "Das Crypto-Dateisystem ist bereits aktiv!" && return
local device=`find_harddisk`
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
# passphrase is read from stdin
log_msg "Mounting crypto partition ..."
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
then log_msg "Mount succeded - now starting samba ..."
/etc/init.d/samba start
else log_msg "Mount failed - removing dev-mapper ..."
dmsetup remove $(basename $CRYPTMAPPER_DEV)
return 1
fi
}
function umount_crypto()
{
# do not break on error
set +e
if ps -e | grep -q " [sn]mbd$"
then log_msg "Stopping samba ..."
/etc/init.d/samba stop
ps -e | grep -q " smbd$" && killall smbd
ps -e | grep -q " nmbd$" && killall nmbd
ps -e | grep -q " smbd$" && killall -9 smbd
ps -e | grep -q " nmbd$" && killall -9 nmbd
fi
if mount | grep -q " $CRYPTO_DIR "
then log_msg "Unmounting crypto partition ..."
umount "$CRYPTO_DIR"
fi
if [ -e "$CRYPTMAPPER_DEV" ]
then log_msg "Removing dev-mapper ..."
$CRYPTSETUP remove $(basename $CRYPTMAPPER_DEV)
fi
set -e
}
function init_cryptobox_part1()
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device=$(find_harddisk)
[ -z "$device" ] && log_msg 'no valid harddisk found!' && return 1
(
log_msg "Initializing crypto partition on $device ..."
umount_crypto || true
mount | grep -q " $CONFIG_DIR " && umount "$CONFIG_DIR" || true
initial_checks "$device" || return 1
create_partitions "$device"
create_config "$device"
) >>"$LOG_FILE" 2>&1
# the output of create_crypto may NOT be redirected - this would prevent cryptsetup from
# reading the passphrase from stdin
log_msg "Creating the crypto partition ..."
create_crypto "$device"
}
function init_cryptobox_part2()
# some things to be done in the background
# these are the final steps of initialisation
# the uid must be changed initially, therfore it needs to be mounted
{
mkfs_crypto
mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
chown $SAMBA_USER "$CRYPTO_DIR"
umount_crypto
}
function init_cryptobox_complete()
{
init_cryptobox_part1
init_cryptobox_part2
}
### main ###
# set PATH because thttpd removes /sbin and /usr/sbin for cgis
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
ACTION=help
[ $# -gt 0 ] && ACTION="$1"
case "$ACTION" in
config-up )
if mount_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 3 "Could not find a configuration partition!"
fi
;;
config-down )
umount "$CONFIG_DIR" || error_msg 4 "Could not unmount configuration partition"
;;
network-up )
kudzu -s -q --class network
conf_ip=$(config_get_value "ip")
ifconfig $NET_IFACE "$conf_ip"
log_msg "Configured $NET_IFACE for $conf_ip ..."
echo "Configured network interface for $NET_IFACE: $conf_ip"
log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
# start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|| echo "$USE_CERT not found - not starting stunnel"
# this ping allows other hosts to get the IP of
# the box, in case of misconfiguration
ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
;;
network-down )
log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
log_msg "Stopping stunnel ..."
killall stunnel
log_msg "Shutting the network interface down ..."
ifconfig $NET_IFACE down
;;
services-up )
# is something special necessary?
;;
services-down )
/etc/init.d/samba stop
/etc/init.d/thttpd stop
;;
crypto-up )
mount_crypto
;;
crypto-down )
umount_crypto
;;
box-init )
# do complete initialization
"$0" box-init-fg
# the background part will recall itself as an at-command
"$0" box-init-bg
;;
box-init-fg )
# only partitioning and configuration
# this is nice for the web interface, as it is fast
# output redirection does not work, as it prevents cryptsetup from asking
# for a password
init_cryptobox_part1
;;
box-init-bg )
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
# make sure, that this is always called via 'at':
if check_at_command_queue " box-init-bg"
then init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1
else echo -n "'$0' box-init-bg" | at now
fi
;;
is_crypto_mounted )
is_crypto_mounted
;;
is_config_mounted )
is_config_mounted
;;
is_init_running )
is_init_running
;;
is_harddisk_available )
[ -z "$(find_harddisk)" ] && exit 1
exit 0
;;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
echo -n "sleep 5; ifconfig $NET_IFACE `config_get_value ip`" | at now
;;
get_current_ip )
get_current_ip
;;
set_config )
[ $# -ne 3 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value "$2" "$3"
;;
get_config )
[ $# -ne 2 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value "$2"
;;
diskinfo )
$SFDISK -L -q -l `find_harddisk`
;;
poweroff )
is_crypto_mounted && umount_crypto
log_msg "Turning off the CryptoBox ..."
echo "poweroff" | at now
;;
reboot )
is_crypto_mounted && umount_crypto
log_msg "Rebooting the CryptoBox ..."
echo "reboot" | at now
;;
clean )
# only for development
log_msg "Cleaning the CryptoBox ..."
device=$(find_harddisk)
$0 crypto-down
$0 config-down
# TODO: test this!
echo -e ";\n;\n;\n;\n" | $SFDISK "$device"
;;
* )
echo "Syntax: `basename $0` ACTION [PARAMS]"
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo " crypto-up - mount crypto partition and start samba"
echo " crypto-down - unmount crypto partition and stop samba"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " diskinfo - show the partition table of the harddisk"
echo " poweroff - shutdown the cryptobox"
echo " clean - remove all partitions [only for development]"
echo " reboot - reboot the cryptobox"
echo
;;
esac