parent
25aae11576
commit
33a8c4a1bb
@ -0,0 +1,15 @@
|
||||
include README*
|
||||
include LICENSE
|
||||
include changelog
|
||||
include copyright
|
||||
graft man
|
||||
graft scripts
|
||||
graft doc
|
||||
graft conf-examples
|
||||
graft event-scripts
|
||||
graft www-data
|
||||
graft templates
|
||||
graft lang
|
||||
graft plugins
|
||||
graft intl
|
||||
prune package.exclude
|
@ -0,0 +1,177 @@
|
||||
********************************************
|
||||
* CryptoBox v0.2.99 *
|
||||
********************************************
|
||||
|
||||
$Id$
|
||||
|
||||
This file describes the webserver CryptoBox.
|
||||
The CryptoBox enables you to control the plaintext or encrypted harddisks of
|
||||
your server via a webinterface.
|
||||
Read on if you want to install the CryptoBox-server package on your computer.
|
||||
|
||||
For more information, see the website:
|
||||
http://cryptobox.org
|
||||
|
||||
Table of contents:
|
||||
1) Requirements
|
||||
2) Installation
|
||||
3) Setup
|
||||
4) Usage
|
||||
5) Development
|
||||
6) Acknowledgements
|
||||
7) Licence
|
||||
|
||||
--------------------------------------------
|
||||
|
||||
1) Requirements
|
||||
- Linux 2.6
|
||||
- super (to selectively gain root privileges)
|
||||
- Python 2.4
|
||||
- some python packages:
|
||||
clearsilver 0.10 for python
|
||||
python-configobj 4.x
|
||||
cherrypy 2.x
|
||||
|
||||
|
||||
2) Installation
|
||||
For Debian, Ubuntu and other derivates you should use the debian package:
|
||||
see http://systemausfall.org/toolforge/debian/
|
||||
|
||||
Please follow the /usr/share/doc/cryptobox-server/README.Debian for
|
||||
any special steps regarding Debian.
|
||||
|
||||
There are currently no official rpm packages of the CryptoBox.
|
||||
|
||||
For source installation follow these steps:
|
||||
Get the source:
|
||||
http://cryptobox.org/download
|
||||
|
||||
Extract tarball and change to the new directory:
|
||||
tar xzf cryptobox-0.?.?.tar.gz
|
||||
|
||||
Install the program:
|
||||
python setup.by install
|
||||
|
||||
The installed files can be found in your local python installation directory.
|
||||
The default location should be:
|
||||
/usr/lib/python2.4/site-packages/cryptobox
|
||||
|
||||
Adapt the directories given in /etc/cryptobox-server/cryptobox.conf to your
|
||||
local installation. The paths below /usr/share should be below your python
|
||||
directoy instead (see above) - sorry for this inconvenience!
|
||||
|
||||
The CryptoBox webserver daemon that is given in /etc/init.d/cryptobox-server
|
||||
may have to be changed to /usr/bin instead of /usr/sbin.
|
||||
|
||||
As some actions of the cryptobox require root privileges, you have to add the
|
||||
following line to /etc/super.tab:
|
||||
CryptoBoxRootActions /usr/bin/CryptoBoxRootActions cryptobox
|
||||
The script /usr/bin/CryptoBoxRootActions is used to execute all actions
|
||||
requiring root privileges. Please check it to make sure, that your system will
|
||||
not get compromised.
|
||||
|
||||
|
||||
3) Setup
|
||||
|
||||
a) Start at bootup
|
||||
Set NO_START in /etc/default/cryptobox-server to "0".
|
||||
The CryptoBox webserver will get started by its runlevel control script
|
||||
after bootup.
|
||||
|
||||
b) Define managed devices
|
||||
You may restrict which blockdevices should be accessible to the CryptoBox.
|
||||
Simply set [Main]->AllowedDevices in /etc/cryptobox-server/cryptobox.conf
|
||||
to a comma separated list of device prefixes: e.g. /dev/sd gives access to
|
||||
all SCSI devices, while /dev/hda3 restricts it to this single partition.
|
||||
The user executing the webserver (by default: 'cryptobox') must have write
|
||||
access to these devices. Usually the cryptobox user is member of the 'disk'
|
||||
group. This gives control over most devices.
|
||||
Be careful with this setting, as you may expose important data to public
|
||||
read and write access.
|
||||
|
||||
c) Listening port and interface
|
||||
By default, the CryptoBox webserver listens to tcp port 8080 on all network
|
||||
interfaces. You can change this setting in /etc/default/cryptobox-server.
|
||||
Also take a look at your firewall settings.
|
||||
|
||||
d) Disable plugins
|
||||
The CryptoBox contains a lot of plugins. As some of them could expose
|
||||
unwanted features to your users, you should carefully select which plugins
|
||||
to disable.
|
||||
Quite likely candidates for disabling are:
|
||||
- shutdown: poweroff or reboot the computer
|
||||
- network: change IP, gateway or dns settings of the server
|
||||
- partition: partition blockdevices
|
||||
- volume_format_fs: format a disk/partition (plaintext/encrypted)
|
||||
Take a look at /usr/share/cryptobox-server/plugins for the list of
|
||||
other plugins.
|
||||
The setting [Main]->DisabledPlugins in /etc/cryptobox-server/cryptobox.conf
|
||||
is a comma separated list of plugin names. Capitalization is important!
|
||||
|
||||
e) Separate configuration partition
|
||||
The CryptoBox webserver requires a writeable directory for proper
|
||||
operation. If your root filesystem is not writeable (e.g. booting from a
|
||||
cdrom, read-only mounted flash memory, ...) you may use a seperated
|
||||
partition to store runtime settings. The CryptoBox will automatically
|
||||
creates it, when you use partition one of your disks with its interface.
|
||||
The setting [Main]->UseConfigPartition (see
|
||||
/etc/cryptobox-server/cryptobox.conf) defines, whether you want to use a
|
||||
separate partition (value "1") or if you want to store your runtime
|
||||
settings in the root filesystem (typically below
|
||||
/var/cache/cryptobox-server).
|
||||
|
||||
f) Samba/WebDAV/NFS/??? integration (aka. event script handling)
|
||||
The CryptoBox allows you to add event handling scripts for most of the
|
||||
interesting events: bootup/shutdown of the webserver and mount/umount
|
||||
of single volumes.
|
||||
If you want to automatically publish your mounted volumes with samba
|
||||
or similar fileservers, then you should take a closer look at the
|
||||
example scripts for samba and apache-webdav in
|
||||
/usr/share/doc/cryptobox-server/event-scripts.
|
||||
You may also just publish the mount directory of the CryptoBox. This
|
||||
will expose all mounted volumes very easily. Review the configuration
|
||||
file for the setting [Locations]->MountParentDir.
|
||||
|
||||
g) Take a close look at the configuration file to check all other options
|
||||
before you start the CryptoBox webserver.
|
||||
|
||||
|
||||
4) Usage
|
||||
Use your favourite web browser to go to http://localhost:8080 and browse the
|
||||
webinterface of the CryptoBox.
|
||||
Some parts of the interface are restricted to administrative access. The
|
||||
default access combination is the user 'admin' and the password 'admin'. Please
|
||||
change this setting immediately.
|
||||
The plugin 'user_manager' allows you to add users and to change passwords.
|
||||
The plugin 'plugin_manager' lets you configure, which plugins require
|
||||
administrative authentication.
|
||||
|
||||
The user manual (available via the 'help' plugin) should give you exhaustive
|
||||
usage information.
|
||||
The current version of the online manual is available at:
|
||||
https://systemausfall.org/trac/cryptobox/wiki/CryptoBoxUser
|
||||
|
||||
|
||||
5) Development
|
||||
bug reports: please use our issue tracker
|
||||
https://systemausfall.org/trac/cryptobox/newticket
|
||||
|
||||
email:
|
||||
cryptobox@systemausfall.org
|
||||
|
||||
The CryptoBox project is mainly driven by sense.lab (http://senselab.org).
|
||||
|
||||
|
||||
6) Acknowledgements
|
||||
Besides the core development team, these people helped a lot:
|
||||
Clavdia Horvat, Tadej Brce & Duลกan Rebolj - slovenian translation
|
||||
rike - french translation
|
||||
|
||||
We also want to thank the numerous developers of the Free Software, the
|
||||
CryptoBox depends on and that was used in development.
|
||||
|
||||
|
||||
7) Licence
|
||||
All scripts are GPL code (v2.0 or above).
|
||||
The documentation is licenced under "Creative Commons 2.5 share-alike" (http://creativecommons.org/licenses/by-sa/2.5/).
|
||||
|
@ -0,0 +1,47 @@
|
||||
Integration of apach2 as a (Web)DAV server into the CryptoBox
|
||||
|
||||
This file describes how to expose the volumes that are managed by the CryptoBox
|
||||
through WebDAV shares.
|
||||
Apache2 including the dav_fs module is the most common server for the WebDAV
|
||||
filesystem. The following description will focus on this server.
|
||||
|
||||
First you have to install apache2 and the dav_fs module.
|
||||
Use your favourite package manager to install them.
|
||||
(Note for debian: the dav_fs module is part of the apache2-common package.
|
||||
Just activate the module via 'a2enmod dav_fs'.)
|
||||
|
||||
There are two different ways to do use dav shares:
|
||||
|
||||
|
||||
A) one share for all volumes together
|
||||
|
||||
Just create a file with the following lines to your /etc/apache2/conf.d directory:
|
||||
Alias "/cryptobox" "/var/cache/cryptobox-server/mnt"
|
||||
<Location "/cryptobox">
|
||||
Dav filesystem
|
||||
</Location>
|
||||
|
||||
Reload the new apache2 configuration by calling:
|
||||
invoke-rc.d apache2 reload
|
||||
|
||||
|
||||
|
||||
B) one share for each volume
|
||||
|
||||
Copy the example event script
|
||||
/usr/share/doc/cryptobox-server/event-script/apache2_dav to
|
||||
/etc/cryptobox-server/events.d/apache2_dav. This event handler will add and remove
|
||||
shares whenever a volume is mounted or unmounted via the CryptoBox webinterface.
|
||||
|
||||
Copy the file /usr/share/doc/cryptobox-server/conf-examples/apache2_dav.conf to
|
||||
/etc/apache2/conf.d/apache2_dav.
|
||||
|
||||
Create a directory for the apache share config files:
|
||||
mkdir -p /var/cache/cryptobox-server/apache2_dav.conf.d
|
||||
|
||||
Chown it to the cryptobox user:
|
||||
chown cryptobox /var/cache/cryptobox-server/apache2_dav.conf.d
|
||||
|
||||
Reload the new apache2 configuration by calling:
|
||||
invoke-rc.d apache2 reload
|
||||
|
@ -0,0 +1,61 @@
|
||||
Running the CryptoBox behind a proxy
|
||||
|
||||
This describes how to setup the CryptoBox webserver behind a apache or lighttpd
|
||||
as proxy webservers.
|
||||
|
||||
|
||||
-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||
|
||||
The following section describes how to configure an apache2 webserver for
|
||||
forwarding requests to the cherrypy server of the CryptoBox.
|
||||
|
||||
|
||||
1) Required modules
|
||||
- proxy
|
||||
- header
|
||||
Both module should be part of usual default installations of apache2.
|
||||
Activate these modules. For debian you should run: a2enmod MOD_NAME
|
||||
|
||||
|
||||
2) Configuration directives
|
||||
The following example should help you to create your own proxy configuration
|
||||
for apache2.
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
<Proxy *>
|
||||
Order Deny,Allow
|
||||
Allow from all
|
||||
</Proxy>
|
||||
|
||||
<Location /cryptobox/>
|
||||
ProxyPass http://localhost:8080/
|
||||
ProxyPassReverse http://localhost:8080/
|
||||
RequestHeader set CryptoBox-Location /cryptobox
|
||||
</Location>
|
||||
|
||||
Now you should to a restart of apache2.
|
||||
|
||||
|
||||
3) Testing
|
||||
Now you should point your webserver to the proxy host and check if
|
||||
the CryptoBox layout ist working properly.
|
||||
|
||||
-----
|
||||
|
||||
-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
|
||||
|
||||
In this section we do the same as above, but with lighttpd.
|
||||
|
||||
Your lighttpd config should contain something like this:
|
||||
|
||||
# selecting modules
|
||||
server.modules = ( "mod_scgi" )
|
||||
|
||||
scgi.server = ( "/cryptobox" =>
|
||||
(( "host" => "127.0.0.1",
|
||||
"port" => 8080,
|
||||
"check-local" => "disable"
|
||||
))
|
||||
)
|
||||
|
@ -0,0 +1,31 @@
|
||||
Integration of samba into the CryptoBox
|
||||
|
||||
This file describes how to expose the volumes that are managed by the CryptoBox
|
||||
through samba shares.
|
||||
|
||||
There are two different ways to do this:
|
||||
|
||||
|
||||
A) one share for all volumes together
|
||||
|
||||
Just add the following lines to your /etc/samba/smb.conf:
|
||||
[cryptobox]
|
||||
path = /var/cache/cryptobox-server/mnt
|
||||
browseable = yes
|
||||
read only = no
|
||||
guest ok = yes
|
||||
|
||||
Reload the new samba configuration by calling:
|
||||
invoke-rc.d samba reload
|
||||
|
||||
|
||||
B) one share for each volume
|
||||
|
||||
Copy the example event script /usr/share/doc/cryptobox-server/event-scripts/samba
|
||||
to /etc/cryptobox-server/events.d/samba and make sure it is executable
|
||||
by root. This event handler will add and remove shares whenever a volume is mounted
|
||||
or unmounted via the CryptoBox webinterface.
|
||||
|
||||
Add the following line to your /etc/samba/smb.conf:
|
||||
include = /var/cache/cryptobox-server/settings/misc/samba-include.conf
|
||||
|
@ -0,0 +1,57 @@
|
||||
Encrypting the communication with the CryptoBox webserver with SSL
|
||||
|
||||
This file describes how to encrypt your connection to the CryptoBox webserver.
|
||||
This is highly recommended as the encryption password for your data could be
|
||||
exposed to intruders in your local network otherwise.
|
||||
|
||||
There are two ways for setting up a SSL connection:
|
||||
- run the CryptoBox webserver behind an ssl-enabled webserver
|
||||
- use stunnel to provide an SSL socket
|
||||
|
||||
|
||||
1) CryptoBox behind an ssl-enabled webserver
|
||||
Read the documentation of your favourite webserver to learn how to enable
|
||||
ssl encryption.
|
||||
|
||||
The CryptoBox webserver cannot detect whether the connection is encrypted
|
||||
or not since it is behind the proxy webserver. Thus you have to tell the
|
||||
CryptoBox whether the connection is encrypted or not.
|
||||
|
||||
for apache2:
|
||||
1) enable the 'headers' module (for debian: "a2enmod headers")
|
||||
2) add this line to your ssl-enabled virtualhost:
|
||||
RequestHeader set X-SSL-Request 1
|
||||
3) restart your webserver
|
||||
|
||||
for lighthttpd:
|
||||
TODO
|
||||
|
||||
|
||||
2) CryptoBox behind stunnel
|
||||
You may want to tunnel the traffic between the cryptobox-server
|
||||
and your browser. "stunnel" is an excellent candidate for this job.
|
||||
|
||||
If you do not have an ssl certificate yet, then you should create
|
||||
one first. On Debian: "apt-get install ssl-cert" and run the following
|
||||
command (replace the <NAMES>; a default CERT_CONF is shipped with the
|
||||
cryptobox-server package):
|
||||
|
||||
make-ssl-cert <CERT_CONF> <CERT_FILE_NAME>
|
||||
|
||||
In case, that you already have a certificate just run this command:
|
||||
|
||||
stunnel -p <CERT_FILE_NAME> -r localhost:80 -d 443
|
||||
|
||||
And maybe you want to add the last command to your bootup scripts.
|
||||
|
||||
|
||||
3) Problems with SSL detection?
|
||||
If the CryptoBox continues to complain about the unencrypted connection, even
|
||||
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
|
||||
one of the following things:
|
||||
- set the request header value "X-SSL-Request" to "1" (one)
|
||||
- set the environment setting "HTTPS" to a non-empty value during the
|
||||
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
|
||||
would be the right place for this.
|
||||
- let the CryptoBox webserver listen to port 443
|
||||
|
@ -0,0 +1,37 @@
|
||||
# Makefile to compile the binary suid-wrapper for cryptobox
|
||||
#
|
||||
# LIB_DIR should be defined in the higher level Makefile
|
||||
#
|
||||
|
||||
HEADER_FILE = cryptobox_wrapper.h
|
||||
SRC_FILE = cryptobox_wrapper.c
|
||||
CGI_SUID_FILE = cryptobox_cgi_wrapper
|
||||
ROOT_SUID_FILE = cryptobox_root_wrapper
|
||||
|
||||
CGI_FILENAME = cryptobox.pl
|
||||
ROOT_SCRIPT_FILENAME = cbox-root-actions.sh
|
||||
# fall back to default, if not overwritten
|
||||
LIB_DIR = /usr/local/lib/cryptobox
|
||||
|
||||
|
||||
# _always_ recompile (in case of a changed LIB_DIR)
|
||||
.PHONY: build clean $(CGI_SUID_FILE) $(ROOT_SUID_FILE)
|
||||
|
||||
build: $(CGI_SUID_FILE) $(ROOT_SUID_FILE)
|
||||
|
||||
|
||||
$(CGI_SUID_FILE): $(SRC_FILE)
|
||||
@echo '#define EXEC_PATH "$(LIB_DIR)/$(CGI_FILENAME)"' >$(HEADER_FILE)
|
||||
$(CC) -o $(CGI_SUID_FILE) $(SRC_FILE)
|
||||
-rm $(HEADER_FILE)
|
||||
|
||||
|
||||
$(ROOT_SUID_FILE): $(SRC_FILE)
|
||||
@echo '#define EXEC_PATH "$(LIB_DIR)/$(ROOT_SCRIPT_FILENAME)"' >$(HEADER_FILE)
|
||||
$(CC) -o $(ROOT_SUID_FILE) $(SRC_FILE)
|
||||
-rm $(HEADER_FILE)
|
||||
|
||||
|
||||
clean:
|
||||
-rm -f $(CGI_SUID_FILE) $(ROOT_SUID_FILE) $(HEADER_FILE)
|
||||
|
@ -0,0 +1,474 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
||||
#
|
||||
# License: This script is distributed under the terms of version 2
|
||||
# of the GNU GPL. See the LICENSE file included with the package.
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
# this script does EVERYTHING
|
||||
# all other scripts are only frontends :)
|
||||
#
|
||||
# called by:
|
||||
# - some rc-scripts
|
||||
# - the web frontend cgi
|
||||
#
|
||||
|
||||
# TODO: check permissions and owners of config files, directories and scripts before
|
||||
# running cbox-root-actions.sh
|
||||
|
||||
set -eu
|
||||
|
||||
|
||||
# default location of config file
|
||||
CONF_FILE=/etc/cryptobox/cryptobox.conf
|
||||
|
||||
LIB_DIR=$(dirname "$0")
|
||||
|
||||
# to determine a nice default partition name
|
||||
DEVICE_NAME_PREFIX="Disk #"
|
||||
|
||||
# read the default setting file, if it exists
|
||||
test -e /etc/default/cryptobox && . /etc/default/cryptobox
|
||||
|
||||
test ! -e "$CONF_FILE" && echo "Could not find the configuration file: $CONF_FILE" >&2 && exit 1
|
||||
|
||||
# parse config file
|
||||
. "$CONF_FILE"
|
||||
|
||||
test ! -e "$CONF_FILE" && echo "Could not find the distribution specific configuration file: $CONF_FILE" >&2 && exit 1
|
||||
|
||||
# parse the distribution specific file
|
||||
. "$DISTRIBUTION_CONF"
|
||||
|
||||
# check for writable log file
|
||||
test -w "$LOG_FILE" || LOG_FILE=/tmp/$(basename "$LOG_FILE")
|
||||
|
||||
# retrieve configuration directory
|
||||
CONFIG_DIR="$(getent passwd $CRYPTOBOX_USER | cut -d ':' -f 6)/config"
|
||||
CONFIG_MARKER=cryptobox.marker
|
||||
|
||||
## configuration
|
||||
ROOT_PERM_SCRIPT="$LIB_DIR/cryptobox_root_wrapper"
|
||||
# ROOT_PERM_SCRIPT needs the MNT_PARENT setting
|
||||
export MNT_PARENT="$(cd ~; pwd)/mnt"
|
||||
|
||||
######## stuff ##########
|
||||
|
||||
# all partitions with a trailing number
|
||||
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4 | grep '[0-9]$')
|
||||
|
||||
#########################
|
||||
|
||||
function log_msg()
|
||||
{
|
||||
# the log file is (maybe) not writable during boot - try
|
||||
# before writing ...
|
||||
test -w "$LOG_FILE" || return 0
|
||||
echo >>"$LOG_FILE"
|
||||
echo "##### `date` #####" >>"$LOG_FILE"
|
||||
echo "$1" >>"$LOG_FILE"
|
||||
}
|
||||
|
||||
|
||||
function error_msg()
|
||||
# parameters: ExitCode ErrorMessage
|
||||
{
|
||||
local all=$@
|
||||
test $# -ne 2 && error_msg 1 "*** invalid call of error_msg *** $all"
|
||||
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
|
||||
# print the execution stack - not usable with busybox
|
||||
# caller | sed 's/^/\t/' >&2
|
||||
exit "$1"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: device
|
||||
function is_device_allowed() {
|
||||
# check for invalid characters and exit if one is found
|
||||
local device=$(echo "$1" | sed 's#[^a-zA-Z0-9_\-\./]##g')
|
||||
test "$1" = "$device" || return 1
|
||||
# remove leading "/dev/"
|
||||
device=$(echo "$device" | sed 's#^/dev/##')
|
||||
# return for empty name
|
||||
test -z "$device" && return 1
|
||||
for a in $ALL_PARTITIONS
|
||||
do echo "$device" | grep -q "^$a.*" && return 0
|
||||
done
|
||||
# no matching device found - exit with error
|
||||
return 1
|
||||
}
|
||||
|
||||
function config_set_value()
|
||||
# parameters: SettingName [SettingValue]
|
||||
# read from stdin if SettingValue is not defined
|
||||
{
|
||||
if test $# -gt 1
|
||||
then echo "$2" > "$CONFIG_DIR/$1"
|
||||
else cat - >"$CONFIG_DIR/$1"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function config_get_value()
|
||||
# parameters: SettingName
|
||||
{
|
||||
# use mounted config, if it exists - otherwise use defaults
|
||||
local conf_dir
|
||||
test -z "$1" && error_msg 1 "empty setting name"
|
||||
# check for existence - maybe use default values (even for old
|
||||
# releases that did not contain this setting)
|
||||
if test -e "$CONFIG_DIR/$1"
|
||||
then cat "$CONFIG_DIR/$1"
|
||||
elif test -e "$CONFIG_DEFAULTS_DIR/$1"
|
||||
then cat "$CONFIG_DEFAULTS_DIR/$1"
|
||||
else case "$1" in
|
||||
# you may place default values for older versions here
|
||||
# for compatibility
|
||||
* )
|
||||
error_msg 2 "unknown configuration value ($1)"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
function list_partitions_of_type()
|
||||
# parameter: { config | crypto | plaindata | unused }
|
||||
{
|
||||
local config=
|
||||
local crypto=
|
||||
local plaindata=
|
||||
local unused=
|
||||
for a in $ALL_PARTITIONS
|
||||
do if "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
|
||||
then crypto="$crypto /dev/$a"
|
||||
elif "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
|
||||
then config="$config /dev/$a"
|
||||
elif "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
|
||||
then plaindata="$plaindata /dev/$a"
|
||||
else unused="$unused /dev/$a"
|
||||
fi
|
||||
done
|
||||
case "$1" in
|
||||
config )
|
||||
echo "$config"
|
||||
;;
|
||||
crypto )
|
||||
echo "$crypto"
|
||||
;;
|
||||
plaindata )
|
||||
echo "$plaindata"
|
||||
;;
|
||||
unused )
|
||||
echo "$unused"
|
||||
;;
|
||||
* )
|
||||
error_msg 11 "wrong parameter ($1) for list_partition_types in $(basename $0)"
|
||||
;;
|
||||
esac | tr " " "\n" | grep -v '^$'
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function get_device_mnt_name() {
|
||||
"$ROOT_PERM_SCRIPT" get_device_mnt_name "$1"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function get_device_uuid() {
|
||||
"$ROOT_PERM_SCRIPT" get_device_uuid "$1"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
# return the readable name of the crypto container, if it is already defined
|
||||
# if undefined - return the uuid
|
||||
function get_device_name() {
|
||||
local uuid=$(get_device_uuid "$1")
|
||||
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
|
||||
# return dbname if it exists
|
||||
test -n "$dbname" && echo "$dbname" && return 0
|
||||
# find a nice name for the new partition
|
||||
local counter=1
|
||||
local test_name
|
||||
local test_uuid
|
||||
local test_result
|
||||
# try to find a name with the defined "prefix" followed by a number ...
|
||||
while true
|
||||
do test_name="$DEVICE_NAME_PREFIX$counter"
|
||||
if config_get_value "names.db" | grep -q ":$test_name$"
|
||||
then counter=$((counter+1))
|
||||
else # save it for next time
|
||||
set_device_name "$1" "$test_name"
|
||||
echo "$test_name"
|
||||
return 0
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
function set_device_name()
|
||||
# TODO: the implementation is quite ugly, but it works (tm)
|
||||
# Parameter: DEVICE NAME
|
||||
{
|
||||
local uuid=$(get_device_uuid "$1")
|
||||
# remove the old setting for this device and every possible entry with the same name
|
||||
local new_config=$(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2")
|
||||
echo "$new_config" | config_set_value "names.db"
|
||||
}
|
||||
|
||||
|
||||
function does_crypto_name_exist()
|
||||
# Parameter: NAME
|
||||
{
|
||||
config_get_value 'names.db' | grep -q "^[^:]*:$1$"
|
||||
}
|
||||
|
||||
|
||||
function create_crypto()
|
||||
# Parameter: DEVICE NAME KEYFILE
|
||||
# keyfile is necessary, to allow background execution via 'at'
|
||||
{
|
||||
local device=$1
|
||||
local name=$2
|
||||
local keyfile=$3
|
||||
# otherwise the web interface will hang
|
||||
# passphrase may be passed via command line
|
||||
local key=$(<"$keyfile")
|
||||
# remove the passphrase-file as soon as possible
|
||||
dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null
|
||||
rm "$keyfile"
|
||||
|
||||
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device"
|
||||
echo "$key" | "$ROOT_PERM_SCRIPT" create_crypto "$device"
|
||||
|
||||
set_crypto_name "$device" "$name"
|
||||
}
|
||||
|
||||
|
||||
function is_config_active() {
|
||||
test -f "$CONFIG_DIR/$CONFIG_MARKER"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function is_mounted() {
|
||||
local name=$(get_device_mnt_name "$1")
|
||||
test -n "$name" && mountpoint -q "$MNT_PARENT/$name"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function is_plain() {
|
||||
"$ROOT_PERM_SCRIPT" is_plain_partition "$1"
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function is_encrypted() {
|
||||
"$ROOT_PERM_SCRIPT" is_crypto_partition "$1"
|
||||
}
|
||||
|
||||
|
||||
# list which allowed disks are at the moment connected with the cbox
|
||||
function get_available_disks() {
|
||||
for scan in $SCAN_DEVICES
|
||||
do for avail in $ALL_PARTITIONS
|
||||
do echo "$avail" | grep -q "^$scan[^/]*" && echo "/dev/$avail"
|
||||
done
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
# Parameter: DEVICE
|
||||
function mount_crypto() {
|
||||
local device=$1
|
||||
test -z "$device" && error_msg 4 'No valid harddisk found!'
|
||||
is_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
||||
# passphrase is read from stdin
|
||||
log_msg "Mounting a crypto partition from $device"
|
||||
"$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
|
||||
}
|
||||
|
||||
|
||||
function umount_partition() {
|
||||
# Parameter: device
|
||||
local container=$(get_device_name "$1")
|
||||
"$ROOT_PERM_SCRIPT" umount "$1"
|
||||
}
|
||||
|
||||
|
||||
function box_purge()
|
||||
# removing just the first bytes from the harddisk should be enough
|
||||
# every harddisk will be overriden!
|
||||
# this feature is only useful for validation
|
||||
{
|
||||
# TODO: not ALL harddisks, please!
|
||||
get_available_disks | while read a
|
||||
do log_msg "Purging $a ..."
|
||||
"$ROOT_PERM_SCRIPT" trash_device "$a"
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
function turn_off_all_containers() {
|
||||
# TODO - needs to be implemented
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
### main ###
|
||||
|
||||
# set PATH because thttpd removes /sbin and /usr/sbin for cgis
|
||||
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
|
||||
|
||||
|
||||
ACTION=help
|
||||
test $# -gt 0 && ACTION=$1 && shift
|
||||
|
||||
case "$ACTION" in
|
||||
crypto-up )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'crypto-up'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
mount_crypto "$1"
|
||||
;;
|
||||
crypto-down )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'crypto-down'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
umount_partition "$1"
|
||||
;;
|
||||
init )
|
||||
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
|
||||
;;
|
||||
list_container )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'list_container'"
|
||||
case "$1" in
|
||||
config | unused | plaindata | crypto )
|
||||
list_partitions_of_type "$1"
|
||||
;;
|
||||
* )
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
return 0
|
||||
;;
|
||||
get_device_name )
|
||||
# Parameter: DEVICE
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'get_device_name'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
get_device_name "$1"
|
||||
;;
|
||||
set_device_name )
|
||||
# Parameter: DEVICE NAME
|
||||
test $# -ne 2 && error_msg 10 "invalid number of parameters for 'set_device_name'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
set_device_name "$1" "$2"
|
||||
;;
|
||||
device_init )
|
||||
# Parameter: DEVICE [KEYFILE]
|
||||
test $# -lt 1 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
|
||||
test $# -gt 2 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
|
||||
if test $# -eq 2
|
||||
then test -z "$2" -o ! -e "$2" && error_msg 11 "invalid keyfile ($2) given for 'device_init'"
|
||||
fi
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
if test $# -eq 2
|
||||
then "$ROOT_PERM_SCRIPT" create_crypto "$1" "$2"
|
||||
else "$ROOT_PERM_SCRIPT" create_plain "$1"
|
||||
fi
|
||||
true
|
||||
;;
|
||||
is_mounted )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'is_mounted'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
is_mounted "$1"
|
||||
;;
|
||||
is_encrypted )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'is_encrypted'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
is_encrypted "$1"
|
||||
;;
|
||||
is_plain )
|
||||
test $# -ne 1 && error_msg 10 "invalid number of parameters for 'is_plain'"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
is_plain "$1"
|
||||
;;
|
||||
check_config)
|
||||
is_config_active
|
||||
;;
|
||||
get_available_disks )
|
||||
get_available_disks
|
||||
;;
|
||||
set_config )
|
||||
test $# -ne 2 && error_msg 7 "'set_config' requires two parameters"
|
||||
config_set_value "$1" "$2"
|
||||
;;
|
||||
get_config )
|
||||
test $# -ne 1 && error_msg 6 "'get_config' requires exactly one parameter"
|
||||
config_get_value "$1"
|
||||
;;
|
||||
get_capacity_info )
|
||||
test $# -ne 1 && error_msg 6 "'get_capacity_info' requires exactly one parameter"
|
||||
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
|
||||
is_mounted "$1" || error_msg 13 "the device is not mounted: $1"
|
||||
name=$(get_device_mnt_name "$1")
|
||||
df -h "$MNT_PARENT/$name" | tail -1
|
||||
;;
|
||||
diskinfo )
|
||||
get_available_disks | while read a
|
||||
do "$ROOT_PERM_SCRIPT" diskinfo "$a"
|
||||
done 2>/dev/null
|
||||
;;
|
||||
box-purge )
|
||||
log_msg "Cleaning the CryptoBox ..."
|
||||
turn_off_all_containers
|
||||
"$0" config-down
|
||||
box_purge >>"$LOG_FILE" 2>&1
|
||||
;;
|
||||
poweroff )
|
||||
log_msg "Shutting down the Cryptobox ..."
|
||||
turn_off_all_containers
|
||||
"$ROOT_PERM_SCRIPT" poweroff
|
||||
;;
|
||||
reboot )
|
||||
log_msg "Rebooting the Cryptobox ..."
|
||||
turn_off_all_containers
|
||||
"$ROOT_PERM_SCRIPT" reboot
|
||||
;;
|
||||
umount_all )
|
||||
log_msg "Unmounting all volumes ..."
|
||||
turn_off_all_containers
|
||||
;;
|
||||
* )
|
||||
echo "[$(basename $0)] - unknown action: $ACTION" >&2
|
||||
echo "Syntax: $(basename $0) ACTION [PARAMS]"
|
||||
echo " crypto-up - mount crypto partition"
|
||||
echo " crypto-down - unmount crypto partition"
|
||||
echo " crypto-create - a wrapper for 'crypto-create-bg'"
|
||||
echo " crypto-create-bg - create encrypted blockdevice and run mkfs"
|
||||
echo " is_mounted - check, if crypto partition is mounted"
|
||||
echo " check_config - check, if the configuration is usable"
|
||||
echo " get_available_disks - shows all accessible disks"
|
||||
echo " get_current_ip - get the current IP of the network interface"
|
||||
echo " set_config NAME VALUE - change a configuration setting"
|
||||
echo " get_config NAME - retrieve a configuration setting"
|
||||
echo " get_device_name DEVICE - retrieve the human readable name of a partition"
|
||||
echo " set_device_name DEVICE - set the human readable name of a partition"
|
||||
echo " device_init DEVICE KEYFILE - initialize the filesystem of a partition (the keyfile just contains the passphrase)"
|
||||
echo " get_capacity_info - print the output of 'df' for the (mounted) partition"
|
||||
echo " diskinfo - show the partition table of the harddisk"
|
||||
echo " box-purge - destroy the partition tables of all harddisks (delete everything)"
|
||||
echo " poweroff - turn off the computer"
|
||||
echo " reboot - reboot the computer"
|
||||
echo
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
|
@ -0,0 +1,341 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
||||
#
|
||||
# License: This script is distributed under the terms of version 2
|
||||
# of the GNU GPL. See the LICENSE file included with the package.
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
# this script is responsible for all dangerous actions, that require root privileges
|
||||
# every action should be checked at least TWICE a day for open holes :)
|
||||
# usually will get call via sudo
|
||||
#
|
||||
# called by:
|
||||
# - cbox-manage.sh
|
||||
#
|
||||
|
||||
set -eu
|
||||
|
||||
LIB_DIR=$(dirname "$0")
|
||||
LIB_DIR=$(cd "$LIB_DIR"; pwd)
|
||||
|
||||
test "$(id -u)" -ne 0 && echo "$(basename $0) - only root may call this script" >&2 && exit 100
|
||||
|
||||
# read the default setting file, if it exists
|
||||
test -e /etc/default/cryptobox && . /etc/default/cryptobox
|
||||
|
||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||
# parse config file
|
||||
. "$CONF_FILE"
|
||||
# parse distribution specific file
|
||||
. "$DISTRIBUTION_CONF"
|
||||
|
||||
CB_SCRIPT="$LIB_DIR/cbox-manage.sh"
|
||||
CONFIG_MARKER=cryptobox.marker
|
||||
|
||||
|
||||
############ some useful functions ###############
|
||||
|
||||
# check if the given device is part of the SCAN_DEVICE list
|
||||
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[^/]*$" against
|
||||
# the given device
|
||||
# other devices may not be touched
|
||||
function is_device_allowed()
|
||||
# parameter: device
|
||||
{
|
||||
for a in $SCAN_DEVICES
|
||||
do echo "$1" | grep -q "^/dev/${a}[^/]*$" && return 0
|
||||
done
|
||||
return 1
|
||||
}
|
||||
|
||||
|
||||
# return the uuid of the partition (if possible)
|
||||
# this works at least for luks, ext2/3 and vfat partitions
|
||||
function get_device_uuid() {
|
||||
local UUID
|
||||
# check for luksUUID or ext2/3-uuid
|
||||
if is_luks_device "$1"
|
||||
then UUID=$("$CRYPTSETUP" luksUUID "$1")
|
||||
else test -x "$BLKID" && UUID=$("$BLKID" -s UUID -o value -c /dev/null -w /dev/null "$1" 2>/dev/null)
|
||||
fi
|
||||
if test -z "$UUID"
|
||||
then get_device_flat_name "$1"
|
||||
else echo "$UUID"
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
|
||||
# the device name is "flattened"
|
||||
function get_device_flat_name() {
|
||||
echo "$1" | sed 's#/#_#g'
|
||||
}
|
||||
|
||||
|
||||
# the basename of the mountpoint for this device - should be somehow human_readable
|
||||
function get_device_mnt_name() {
|
||||
"$CB_SCRIPT" get_device_name "$1"
|
||||
}
|
||||
|
||||
|
||||
# every devmapper name should look like a UUID
|
||||
function is_uuid_valid() {
|
||||
local hex=[0-9a-f]
|
||||
echo "$1" | grep -q "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$"
|
||||
}
|
||||
|
||||
|
||||
# parameter ExitCode ErrorMessage
|
||||
function error_msg() {
|
||||
echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2
|
||||
exit $1
|
||||
}
|
||||
|
||||
|
||||
# parameter: device sfdisk_layout_setup
|
||||
# e.g.: /dev/hda "0,1,L \n,,L\n"
|
||||
function partition_device() {
|
||||
# TODO: allow different layouts
|
||||
# TODO: skip config partition if a configuration is already active
|
||||
# sfdisk -n doesn't actually write (for testing purpose)
|
||||
if echo -e "$2" | "$SFDISK" -n "$1"
|
||||
then echo -e "$2" | "$SFDISK" "$1" || return 1
|
||||
else return 2
|
||||
fi
|
||||
true
|
||||
}
|
||||
|
||||
|
||||
function is_luks_device()
|
||||
# parameter: device
|
||||
{
|
||||
"$CRYPTSETUP" isLuks "$1" 2>/dev/null
|
||||
}
|
||||
|
||||
|
||||
################ main ####################
|
||||
|
||||
ACTION=unknown
|
||||
test $# -gt 0 && ACTION=$1 && shift
|
||||
|
||||
|
||||
case "$ACTION" in
|
||||
partition_disk )
|
||||
test $# -ne 2 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
partition_device "$1" "$2" || \
|
||||
error_msg 2 "failed to create new partition table on device $1"
|
||||
;;
|
||||
mount )
|
||||
# parameters: device
|
||||
# returns the relative name of the mointpoint for success
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
mnt_name=$(get_device_mnt_name "$1")
|
||||
mountpoint -q "$MNT_PARENT/$mnt_name" && \
|
||||
error_msg 5 "a device with the same name ($mnt_name) is already mounted"
|
||||
mkdir -p "$MNT_PARENT/$mnt_name"
|
||||
if is_luks_device "$1"
|
||||
then "$CRYPTSETUP" luksOpen "$1" "$mnt_name" || \
|
||||
error_msg 6 "could not open encrypted device $1"
|
||||
if mount "$DEV_MAPPER_DIR/$mnt_name" "$MNT_PARENT/$mnt_name"
|
||||
then true
|
||||
else "$CRYPTSETUP" luksClose "$mnt_name" || true
|
||||
error_msg 7 "wrong password for $1 supplied"
|
||||
fi
|
||||
else mount "$1" "$MNT_PARENT/$mnt_name" || \
|
||||
error_msg 8 "invalid filesystem on device $1"
|
||||
fi
|
||||
# just in case, that there is no ext2/3 filesystem:
|
||||
# set uid option (will fail silently for ext2/3)
|
||||
# TODO: there is no FILE_USER setting anymore - do we still need it?
|
||||
#mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
# adapt top-level permission to current setup - again: may fail silently
|
||||
#chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
||||
true
|
||||
;;
|
||||
umount )
|
||||
#parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
mnt_name=$(get_device_mnt_name "$1")
|
||||
mountpoint -q "$MNT_PARENT/$mnt_name" || \
|
||||
error_msg 9 "the device ($1) is not mounted as '$mnt_name'"
|
||||
# try to unmount - do it in lazy mode
|
||||
umount -l "$MNT_PARENT/$mnt_name"
|
||||
# TODO: check, what happens, if there are open files - does the device gets mapping removed?
|
||||
# remove (if necessary) the device mapping
|
||||
if test -e "$DEV_MAPPER_DIR/$mnt_name"
|
||||
then "$CRYPTSETUP" luksClose "$mnt_name" || \
|
||||
error_msg 11 "could not remove the device mapper ($mnt_name) for device $1"
|
||||
fi
|
||||
# try to remove the mountpoint - a failure is not important
|
||||
rmdir "$MNT_PARENT/$mnt_name" || true
|
||||
# set exitcode
|
||||
mountpoint -q "$MNT_PARENT/$mnt_name" && exit 1
|
||||
true
|
||||
;;
|
||||
create_crypto )
|
||||
# parameter: device keyfile
|
||||
test $# -ne 2 && error_msg 1 "wrong number of parameters"
|
||||
keyfile=$2
|
||||
test -e "$keyfile" || error_msg 2 "keyfile ($keyfile) not found"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
# read the passphrase from stdin
|
||||
# the iter-time is in milliseconds - keep it low for fast mounting
|
||||
cat "$keyfile" | \
|
||||
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 --batch-mode luksFormat "$1" || \
|
||||
error_msg 11 "failed to create the encrypted partition"
|
||||
name=$(get_device_mnt_name "$1")
|
||||
cat "$keyfile" | "$CRYPTSETUP" --batch-mode luksOpen "$1" "$name" || \
|
||||
error_msg 12 "failed to open the encrypted partition"
|
||||
# trash the passphrase in keyfile
|
||||
echo "0123456789abcdefghijklmnopqrstuvwxyz" > "$keyfile"
|
||||
# the disk cache surely prevents the previous line from being written, but we do it anyway ...
|
||||
echo "zyxwvutsrqponmlkjihgfedcba9876543210" > "$keyfile"
|
||||
rm "$keyfile"
|
||||
# complete in background
|
||||
(
|
||||
"$MKFS_DATA" "$DEV_MAPPER_DIR/$name" || \
|
||||
error_msg 13 "failed to create the encrypted filesystem"
|
||||
"$CRYPTSETUP" --batch-mode luksClose "$name" || \
|
||||
error_msg 14 "failed to close the encrypted mapped device"
|
||||
) </dev/null >/dev/null 2>/dev/null &
|
||||
true
|
||||
;;
|
||||
create_plain )
|
||||
# parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters for 'create_plain'"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
# complete in background
|
||||
(
|
||||
"$MKFS_DATA" "$1" || \
|
||||
error_msg 15 "failed to create the plaintext filesystem"
|
||||
) </dev/null >/dev/null 2>/dev/null &
|
||||
true
|
||||
;;
|
||||
get_device_mnt_name )
|
||||
# parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
get_device_mnt_name "$1"
|
||||
;;
|
||||
get_device_uuid )
|
||||
# parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
get_device_uuid "$1"
|
||||
;;
|
||||
is_config_partition )
|
||||
# parameter: device
|
||||
# returns exitcode 0 if the device contains a configuration
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
is_config=0
|
||||
tmp_dir=/tmp/$(basename $0)-$$-mnt
|
||||
mkdir -p "$tmp_dir"
|
||||
# error means "no config partition"
|
||||
if mount "$1" "$CONFIG_DIR"
|
||||
then test -e "$CONFIG_DIR/$CONFIG_MARKER" && is_config=1
|
||||
umount "$CONFIG_DIR" || \
|
||||
error_msg 14 "unable to unmount configation partition after probing"
|
||||
fi
|
||||
rmdir "$tmp_dir" || true
|
||||
# return 0 if $device is a config partition
|
||||
test "$is_config" -eq 1 && exit 0
|
||||
exit 1
|
||||
;;
|
||||
is_crypto_partition )
|
||||
# parameter: device
|
||||
# returns exitcode 0 if the device contains a luks header
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
is_luks_device "$1"
|
||||
;;
|
||||
is_plain_partition )
|
||||
# parameter: device
|
||||
# returns exitcode 0 if the device contains a readable filesystem
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
status=0
|
||||
tmp_dir=/tmp/$(basename $0)-$$-mnt
|
||||
mkdir -p "$tmp_dir"
|
||||
if mount "$1" "$tmp_dir" >/dev/null 2>/dev/null
|
||||
then test ! -e "$tmp_dir/$CONFIG_MARKER" && status=1
|
||||
umount "$tmp_dir"
|
||||
fi
|
||||
rmdir "$tmp_dir" || true
|
||||
test "$status" -eq 1 && exit 0
|
||||
exit 1
|
||||
;;
|
||||
trash_device )
|
||||
# parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null
|
||||
;;
|
||||
diskinfo )
|
||||
# parameter: device
|
||||
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
"$SFDISK" -L -q -l "$1"
|
||||
;;
|
||||
update_network )
|
||||
# parameter: none
|
||||
ip=
|
||||
# TODO: can we avoid to hard-code the filename ($CONFIG_DIR/ip) here?
|
||||
test -e "$CONFIG_DIR/ip" && ip=$(<"$CONFIG_DIR/ip")
|
||||
test -n "$z" && ifconfig "$NET_IFACE" "$ip"
|
||||
;;
|
||||
poweroff )
|
||||
# TODO: check configuration setting before
|
||||
"$POWEROFF"
|
||||
;;
|
||||
reboot )
|
||||
# TODO: check configuration setting before
|
||||
"$REBOOT"
|
||||
;;
|
||||
* )
|
||||
echo "[$(basename $0)] - unknown action: $ACTION" >&2
|
||||
echo "Syntax: $(basename $0) ACTION PARAMETERS"
|
||||
echo ' partition_disk $device $disk_layout'
|
||||
echo ' get_device_name $device'
|
||||
echo ' get_device_uuid $device'
|
||||
echo ' create_crypto $device'
|
||||
echo ' mount $device'
|
||||
echo ' umount $name'
|
||||
echo ' create_config $device'
|
||||
echo ' mount_config $device'
|
||||
echo ' remount_config { ro | rw }'
|
||||
echo ' umount_config'
|
||||
echo ' is_config_partition $device'
|
||||
echo ' is_plain_partition $device'
|
||||
echo ' is_crypto_partition $device'
|
||||
echo ' trash_device $device'
|
||||
echo ' diskinfo $device'
|
||||
echo ' update_network'
|
||||
echo ' poweroff'
|
||||
echo ' reboot'
|
||||
echo ' help'
|
||||
echo
|
||||
test "$ACTION" = "help" && exit 0
|
||||
# return error for any unknown/unspecified action
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
@ -0,0 +1,946 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
||||
#
|
||||
# License: This script is distributed under the terms of version 2
|
||||
# of the GNU GPL. See the LICENSE file included with the package.
|
||||
#
|
||||
# $Id$
|
||||
#
|
||||
# the web interface of the CryptoBox
|
||||
#
|
||||
|
||||
|
||||
###############################################
|
||||
|
||||
use strict;
|
||||
use CGI;
|
||||
use ClearSilver;
|
||||
use ConfigFile;
|
||||
use English;
|
||||
use CGI::Carp;
|
||||
use IO::File;
|
||||
use POSIX;
|
||||
|
||||
use constant CRYPTOBOX_VERSION => 0.3;
|
||||
|
||||
# debug levels
|
||||
use constant DEBUG_NONE => 0;
|
||||
use constant DEBUG_ERROR => 1;
|
||||
use constant DEBUG_WARN => 2;
|
||||
use constant DEBUG_INFO => 3;
|
||||
|
||||
# drop privileges
|
||||
$UID = $EUID;
|
||||
$GID = $EGID;
|
||||
|
||||
# necessary for suid perl scripts (see 'man perlsec' for details)
|
||||
$ENV{'PATH'} = '/bin:/usr/bin';
|
||||
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
|
||||
|
||||
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf';
|
||||
|
||||
my $pagedata;
|
||||
|
||||
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR);
|
||||
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL, $DEBUG_LEVEL);
|
||||
|
||||
# get the directory of the cryptobox scripts/binaries and untaint it
|
||||
$CB_SCRIPT = $0;
|
||||
$CB_SCRIPT =~ m/^(.*)\/[^\/]*$/;
|
||||
$CB_SCRIPT = ($1)? "$1/cbox-manage.sh" : './cbox-manage.sh';
|
||||
|
||||
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE);
|
||||
my $config = ConfigFile::read_config_file($CONFIG_FILE);
|
||||
|
||||
$LOG_FILE = $config->{LOG_FILE};
|
||||
$LANGUAGE_DIR = $config->{LANGUAGE_DIR};
|
||||
$DEFAULT_LANGUAGE = $config->{LANGUAGE};
|
||||
$HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR};
|
||||
$DOC_DIR = $config->{DOC_DIR};
|
||||
$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
|
||||
$STYLESHEET_URL = $config->{STYLESHEET_URL};
|
||||