Fixed "scripts/cbox-dev.sh diff" (must run devel-features.sh manually first); cleaned up some pre-0.4 files

frisco 14 years ago
parent 9d4f3d4f1e
commit 52d19f4ffe
  1. 3
      README.devel
  2. 6
      config/chroot_local-hooks/50cnas-config-chroot.sh
  3. 56
      config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh
  4. 181
      config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh
  5. 13
      config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh
  6. 26
      config/cnas-default-settings
  7. 32
      configure-examples.d/README
  8. 19
      configure-examples.d/import_authorized_keys
  9. 4
      configure-examples.d/set_hostname
  10. 18
      etc-defaults.d/cbox-dev.conf
  11. 236
      etc-defaults.d/dfs-cbox.conf
  12. 17
      etc-defaults.d/ssh-options.default
  13. 7
      etc-defaults.d/ssh_config
  14. 2
      rm-tmps.sh
  15. 237
      scripts/cbox-build.sh
  16. 13
      scripts/cbox-dev.sh
  17. 147
      scripts/validate.sh

@ -32,6 +32,7 @@ will now be used at boot time if they exist. The developer can specify
alternative files using the $CNAS_KMODULES and $CNAS_INTERFACES
variables.
`scripts/cbox-dev.sh diff' works now.
Source Code Info
----------------
@ -65,7 +66,7 @@ stream music
check filesystems periodically
make drive identification more user-friendly (not just "/dev/foo")
"install to hard disk or similar device" function (not high priority)
for release live cd, set an invalid hash to disable misusing the syslinux bootloader
Short term goals:

@ -16,8 +16,8 @@
set -eu
#FIXME: no longer using dfs:
RUNTIMEDIR=/opt/dfsruntime/runtimerd
#this script runs in chroot, so RUNTIMEDIR is the null string
RUNTIMEDIR=""
TUNDEV=$RUNTIMEDIR/dev/net/tun
REMOVE_PACKAGES="strace
@ -75,7 +75,7 @@ function configure_normal()
# by "config/chroot_local-includes/".
# Note that we are doing this at build time, not run time!
# Only fix files that are neither setuid nor setgid:
chown root:root `find / -xdev -nouser ! -perm -4000 ! -perm -2000`
find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+
############ webdav ############
#TODO: FIXME: configure port; add webdav link in web frontend
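Review bot: The `-nouser` predicate on the new `find` line selects only files whose owner UID has no passwd entry; a file with a valid owner but a group that no longer exists (`-nogroup`) keeps its dangling GID, even though `chown root:root` would fix both fields at once. If the intent of this build-time step is to leave no orphaned ownership on the image, the selection should be `find / -xdev \( -nouser -o -nogroup \) ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+`; if only owner orphans are meant, a comment saying so would stop the next reader from "fixing" it. The function configure_normal that contains this line starts outside the hunk.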

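--- a/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh
+++ b/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh
@@ -1,56 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 02005-02006 sense.lab <senselab@systemausfall.org>
-#
-# License: This script is distributed under the terms of version 2
-# of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# FOR DEVELOPMENT ONLY!
-#
-# this script is used to prepare a chroot session for testing or configuring
-#
-# called by:
-# - cbox-build.sh
-#
-# parameter: [commandline]
-#
-# if "commandline" is empty, "bash" will be used
-#
-set -eu
-MNT_SRC=/opt/dfsruntime/runtimerd
-MNT_DST=/opt/dfsruntime/runtimemnt
-# the directory /tmp/ can not be used, as it is still a broken link, too
-TMP_DIR="/tmp-`basename $0`-$$"
-cp -a "$MNT_SRC/." "$TMP_DIR"
-mount -n --bind "$TMP_DIR" "$MNT_DST"
-[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
-[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
-[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
-# remember, if proc was mounted before (e.g. because of a running chroot)
-PROC_WAS_MOUNTED=no
-mount -n -t proc proc /proc 2>/dev/null || PROC_WAS_MOUNTED=yes
-# default language setting - prevents dpkg error messages
-export LANG=C
-# set default terminal (good if you are running in a screen session)
-export TERM=linux
-# execute parameters as commandline
-if [ $# -gt 0 ]
-then "$@"
-else bash
-fi
-umount -l -n "$MNT_DST"
-[ "$PROC_WAS_MOUNTED" = "no" ] && umount -l -n proc
-rm -r "$TMP_DIR"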

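--- a/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh
+++ b/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh
@@ -1,181 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
-#
-# License: This script is distributed under the terms of version 2
-# of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# this script is part of the building process of the cryptobox
-# the "normal" action is necessary for every cryptobox (development & release)
-# the "secure" action is mandatory for every release CD
-#
-# called by:
-# - cbox-build.sh after copying custom files and before creating the iso image
-#
-set -eu
-RUNTIMEDIR=/opt/dfsruntime/runtimerd
-TUNDEV=$RUNTIMEDIR/dev/net/tun
-ADD_GROUPS="floppy cdrom tape video plugdev"
-REMOVE_PACKAGES="strace
-nvi nano vim vim-common vim-tiny
-unzip zip aptitude tasksel locate
-ssh elinks curl wget netkit-inetd telnet
-exim4-daemon-light exim4-config exim4-base
-ppp pppconfig pppoe pppoeconf iptables
-subversion w3m wget lynx less screen
-info iptables man-db manpages
-openssh-server openssh-client"
-# remove rc symlinks for these services
-SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
-function configure_normal()
-# the usual stuff - not optimized for security
-{
-##### cryptobox settings ######
-# start during bootup
-sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server
-# listen to port 80 by default
-sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server
-# use a separate configuration partition
-sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf
-# all plugins are enabled (especially: "encrypted_webinterface")
-sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf
-# change the selection of devices, that can be used as the crypto harddisk
-sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf
-# add the cryptobox user to some more groups
-for new_group in $ADD_GROUPS
-do adduser cryptobox "$new_group"
-done
-############ samba ############
-# enable samba startup (disabled before via cbox-build.sh)
-echo 'RUN_MODE="daemons"' >/etc/default/samba
-# install the samba hook script
-cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba
-chmod +x /etc/cryptobox-server/events.d/samba
-############ webdav ############
-#TODO: add apache2 packages; configure port; add webdav link in web frontend
-#This breaks the build until apache2 is integrated into the package list
-# sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2
-# cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav
-# chmod +x /etc/cryptobox-server/events.d/apache2_dav
-########### boot up ###########
-# turn off creation of "/etc/nologin" (read-only fs)
-sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
-# turn off modifying /etc/motd (read-only fs)
-sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
-# default runlevel (out of some strange reason, runlevel 2 is not working)
-sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab
-# add tmpfs entry for mount parent
-# remove old line, if fstab exists
-test -e /etc/fstab && sed -i '#/var/cache/cryptobox-server/mnt#d' /etc/fstab
-# add new line
-echo "tmpfs /var/cache/cryptobox-server/mnt tmpfs defaults 0 0" >>/etc/fstab
-######### devices ##########
-# create tun device for running under qemu
-if [ ! -e "$TUNDEV" ]
-then mkdir -p `dirname "$TUNDEV"`
-mknod "$TUNDEV" c 10 200
-fi
-########## sshd ############
-if [ -e "/etc/ssh" ]; then
-# allow empty passwords for ssh
-# the daemon is NOT started automatically, so you have to start it
-# manually in case of need - as the root pw is empty and passwd is ro, you
-# have to allow empty passwords for this rare case
-sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
-# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
-sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
-# allow input of password
-sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
-fi
-# remove symlinks for unwanted services
-for a in $SERVICES_OFF; do
-# echo "Turning off service $a ..."
-find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
-do rm "$b"
-done
-done
-return 0
-}
-function configure_secure()
-# remove everything that could weaken security
-# configure_normal should be called too!
-{
-# disable keyboard login
-sed -i '/getty/d' /etc/inittab
-# remove unnecessary packages
-dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
-# maybe an authorized_keys file was created - but it is not dangerous,
-# as the openssh package was removed anyway
-[ -d /root/.ssh ] && rm -rf /root/.ssh
-# disable root account
-passwd -l root
-############## clean up ################
-# remove deb-files, that were left by dfsbuild
-# remove packages and package lists
-# remove locale files
-# remove doc files
-# remove man pages
-# some vim files stay behind?
-rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate
-rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man
-# remove docs except for the cryptobox's
-ls /usr/share/doc | while read dname
-do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
-done
-# remove all locale files and symlinks except for the cryptobox's
-(find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname
-do rm "$fname"
-done
-# remove all empty locale directories
-find /usr/share/locale -type d | while read dname
-do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname"
-done
-# change some dir permissions
-chmod 660 /var/cache/cryptobox-server/settings/
-return 0
-}
-################ main ####################
-ACTION=help
-[ $# -gt 0 ] && ACTION=$1
-case "$ACTION" in
-normal )
-configure_normal
-;;
-secure )
-configure_secure
-;;
-* )
-echo "Syntax: `basename $0` { normal | secure }"
-echo
-;;
-esac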

@ -11,8 +11,9 @@
#
# it should really NEVER be found on a release CD
#
##NOT currently called automatically in deb-live version
# called by:
# - /etc/rc2.d/S99cb-devel-features
# - /etc/init.d/S99cnas-devel-features
#
set -eu
@ -20,14 +21,9 @@ set -eu
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
. "$CONF_FILE"
MIRROR_DIR=/tmp/mirror
MIRROR_ORIG_DIR=/tmp/mirror.orig
WRITE_DIRS="/usr/share/cryptobox /var/www /usr/lib/cryptobox"
WRITE_DIRS="/var/www /usr/share/cryptobox-server /usr/share/cryptonas-live"
ACTION="--help"
[ $# -gt 0 ] && ACTION="$1"
@ -67,8 +63,9 @@ case "$ACTION" in
;;
stop )
[ -x /etc/init.d/ssh ] && /etc/init.d/ssh stop
#TODO: devel-features.sh stop appears to be broken on deb-live version
for a in $WRITE_DIRS
do umount "$MIRROR_DIR/$a"
do umount "$MIRROR_DIR/$a" "$a"
done
rm -rf "$MIRROR_DIR"
;;
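Review bot: In the `stop` branch, the new `umount "$MIRROR_DIR/$a" "$a"` runs under the `set -eu` visible in the first hunk of this file, so the first directory that fails to unmount (for example when `start` was never run) aborts the loop and the script exits before `rm -rf "$MIRROR_DIR"`, leaving the remaining mounts in place; should that `set -e` ever be relaxed, the same `rm -rf` would then recurse into still-mounted copies of the `$WRITE_DIRS` trees. Reporting each failed umount explicitly and removing the mirror only when every directory came down cleanly keeps both cases safe, and `${MIRROR_DIR:?}` guards the removal against an empty variable. The `#TODO` about `stop` being broken may describe this same failure mode, but that is inferred. The enclosing `case` starts outside the hunk.
```shell
stop )
  # … unchanged: stopping sshd …
  failed=0
  for a in $WRITE_DIRS
  do umount "$MIRROR_DIR/$a" "$a" || { echo "warning: could not unmount $a" >&2; failed=1; }
  done
  # never remove the mirror while a live directory may still be mounted under it
  if [ "$failed" -eq 0 ]; then rm -rf -- "${MIRROR_DIR:?}"; fi
  ;;
```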

@ -44,8 +44,14 @@ LH_APT_SECURE="enabled"
#-----bootstrap-----
# $LH_MIRROR_BOOTSTRAP: set mirror to bootstrap from
# (Default: http://ftp.us.debian.org/debian/)
#
# (1) apt-cacher (default)
LH_MIRROR_BOOTSTRAP="http://127.0.0.1:3142/apt-cacher/ftp.debian.org/debian/"
# (2) apt-proxy
#LH_MIRROR_BOOTSTRAP="http://127.0.0.1:9999/debian"
# (3) no caching proxy for apt
#LH_MIRROR_BOOTSTRAP="http://ftp.us.debian.org/debian/"
# $LH_MIRROR_CHROOT: set mirror to fetch packages from
# (Default: http://ftp.us.debian.org/debian/)
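Review bot: The comment block above the new `LH_MIRROR_BOOTSTRAP` still says `(Default: http://ftp.us.debian.org/debian/)` while option (1) directly below it is labelled `(default)` and points at `http://127.0.0.1:3142/apt-cacher/...`, so a reader cannot tell which default applies; presumably the first is live-helper's built-in value and the second this project's choice. Rewording the header to `# (live-helper default: http://ftp.us.debian.org/debian/; this config defaults to the local apt-cacher, option 1 below)` removes the ambiguity, and a one-line note that the build requires apt-cacher to be listening on 127.0.0.1:3142 would save the first failed build. Since the proxy URL is plain http, it is worth stating next to it that package signatures are still verified because `LH_APT_SECURE="enabled"` is set above in this file.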
@ -144,7 +150,7 @@ LH_SOURCE="disabled"
# runtime via the scoreboard file.
###############################################################
#CNAS_DELETEFILES="/etc/rcS.d/*discover \
#deletefiles (at build time, from old dfsbuild config)="/etc/rcS.d/*discover \
#/etc/rcS.d/*lvm \
#/var/log/dpkg.log \
#/var/log/bootstrap.log"
@ -184,12 +190,7 @@ CNAS_SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
CNAS_INTERFACES="$CNAS_SCOREBOARD_DIR/etc.d/network/interfaces"
CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules"
#FIXME: add to etc.d/network/interfaces
#\tauto lo eth0
#\tiface lo inet loopback
#\tiface eth0 inet static
#\t\taddress 192.168.0.23
#\t\tnetmask 255.255.255.0
# $LH_ENCRYPTION: set encryption type/key size
# Encryption of the Debian Live media is broken under Etch. It may
@ -197,3 +198,12 @@ CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules"
# in casper or initramfs-tools.
#LH_ENCRYPTION="aes256"
# More stuff from dfsbuild live-cd implementation to figure out:
#/etc/profile = export TERM=vt100
#
#/etc/syslog.conf = *.* /dev/tty8
# *.info /dev/tty7
#/etc/kernel-img.conf = do_initrd = Yes

@ -1,30 +1,20 @@
1) Overview
the files in this directory are examples for specific hook scripts to change the
configuration of the box
2) How to use these scripts
Copy the scripts, you would like to use into 'configure-local.d'.
They will be sourced in alphabetic order AFTER the default configuration of the
cryptobox.
#Note: these files have NOT been tested with CryptoNAS 0.4 or later.
#They *may* work if added to config/chroot_local-includes/etc/init.d/
#and symbolic links created from /etc/rcS.d/*.
3) The examples
1) Overview
the files in this directory are examples for specific hook scripts
to change the configuration of the box
set_root_pw
- replace the empty root password (the default) with a choosen password
- replace the disabled root password (the default) with
a choosen password
- useful if your development cryptobox:
- is located in an insecure environment
- or your development team is geographically distributed, so the
cryptobox for testing has to be publicly available
import_authorized_keys
- create a new rsa key (etc-local.d/id_rsa) and copy the public
key to the image directory
- this is useful, if you secured the development cryptobox with a
password (see 'set_root_pw')
set_hostname
- change the default hostname ("cryptobox")
set_scan_devices
- change the default selection of devices, that can be used as the crypto harddisk
set_allowed_devices
- change the default selection of devices that can be used
as the crypto harddisk

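--- a/configure-examples.d/import_authorized_keys
+++ b/configure-examples.d/import_authorized_keys
@@ -1,19 +0,0 @@
-# import a public rsa key into the cryptobox for ssh authentication
-#
-# see README in configure-examples.d for details
-#
-SSH_KEY_FILE="$LOCALCONF_DIR/id_rsa"
-# create a rsa key if it does not yet exist
-if [ ! -e "$SSH_KEY_FILE" ]
-then echo "Creating ssh key ($SSH_KEY_FILE) ..."
-mkdir -p $(dirname "$SSH_KEY_FILE")
-ssh-keygen -t rsa -b 1024 -N '' -q -f "$SSH_KEY_FILE"
-fi
-# copy new public ssh key to ~/.ssh/authorized_keys on cryptobox
-echo "Copying local public ssh key file to the box ..."
-mkdir -p "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh"
-cp "${SSH_KEY_FILE}.pub" "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh/authorized_keys"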

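--- a/configure-examples.d/set_hostname
+++ b/configure-examples.d/set_hostname
@@ -1,4 +0,0 @@
-# change the hostname (default value: "cryptobox")
-echo "cryptobox" >"$IMAGE_DIR"/etc/hostname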

@ -34,21 +34,3 @@ MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito
CDWRITER=0,0,0
####################### validation ########################
# language of validation (select web interface language)
VALIDATE_LANGUAGE=en
# directory of the test-cases
VALIDATE_TEST_CASES_DIR=$ROOT_DIR/validation/test-cases
# override these settings if the CryptoBox uses a non-default IP
VALIDATE_HOST_IP_DEFAULT=192.168.0.23
VALIDATE_HOST_IP_CHANGED=192.168.0.24
# destination directories for the results
VALIDATE_REPORT_DIR=/tmp/cryptobox-validation-$$
VALIDATE_REPORT_DIR=$ROOT_DIR/validation/report
VALIDATE_SUMMARY_TEMPLATE_DIR=$ROOT_DIR/validation/templates

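--- a/etc-defaults.d/dfs-cbox.conf
+++ b/etc-defaults.d/dfs-cbox.conf
@@ -1,236 +0,0 @@
-# arch-tag: Default configuration file
-# Copyright (c) 2004 John Goerzen
-[DEFAULT]
-######################################################################
-# Overall settings, set defaults for all archs
-######################################################################
-# Name of generated disc & hostname
-# BEWARE: hostname does not work - you have to set the hostname manually at the end of this file
-name = CryptoBox
-# Version of generated disc
-version = 0.3.4
-# Person that built it
-builder = sense.lab
-# Repositories to mirror. Details about each one are configured below.
-dlrepos = stable
-# Repository to build the CD with. Must be in above list.
-suite = stable
-# Whether or not to use zftree compression on ISO image
-compress = no
-# Files to never compress if the above is yes
-# If a dir is given, that dir and everything below is not compressed
-dontcompress = /boot
-/etc/*boot*
-/opt/dfsruntime/initrd.dfs
-# Location of dfsbuild support files
-libdir = /usr/lib/dfsbuild
-# Location of docs for CD
-docdir = /usr/share/doc/dfsbuild
-# Bootloader to place on CD. Choices are:
-# grub-hd GRUB with ElTorito hard disk emulation (not working yet)
-# grub-no-emul "raw" ElTorito image
-# aboot Alpha SRM bootloader
-# yaboot PowerPC bootloader
-# (usually set in arch area)
-#bootloader = grub-no-emul
-# Packages to install on live FS, on all archs, besides base system
-allpackages =
-util-linux
-grub
-parted
-dmsetup
-perl
-tar
-bash
-coreutils
-module-init-tools
-ifupdown
-busybox
-usbutils
-pciutils
-discover
-hdparm
-binutils
-debconf
-sysutils
-stunnel4
-samba
-hashalot
-python-clearsilver
-python-cherrypy
-python-configobj
-python-central
-super
-dosfstools
-cryptsetup
-python-m2crypto
-# support for file systems
-e2tools
-e2fsprogs
-xfsprogs
-hfsutils
-jfsutils
-## ntfs-3g is not in etch
-#ntfs-3g
-# TODO: remove the following packages for the final version
-subversion
-strace
-ssh
-vim
-nano
-less
-lynx
-w3m
-screen
-elinks
-# select a mirror for the repository (apt-cacher, apt-proxy, no caching) by
-# uncommenting the line of your choice
-# (1) apt-cacher (default)
-mirror = http://127.0.0.1/apt-cacher/ftp.debian.org/debian
-# (2) apt-proxy
-#mirror = http://127.0.0.1:9999/debian
-# (3) no caching proxy for apt
-#mirror = http://ftp.debian.org/debian
-# Files to place on the ramdisk
-ramdisk_files = /etc/resolv.conf
-/etc/lvm*
-/tmp
-/var/tmp
-/dev
-/var/lib/dhcp
-/var/lib/samba
-/var/log
-/var/cache/samba
-/var/lock
-/var/run
-/var/state
-/etc/mtab
-/root
-/etc/network
-/var/lib/misc
-/var/lib/urandom
-#/etc/hotplug/.run
-/var/spool/cron
-# Directories to create on live fs
-makedirs =
-# Files to delete from live fs
-deletefiles = /etc/rcS.d/*discover
-/etc/rcS.d/*lvm
-/var/log/dpkg.log
-/var/log/bootstrap.log
-preparescripts =
-../scripts/prepare_target.sh
-cleanupscripts =
-../scripts/cleanup_target.sh
-######################################################################
-# Arch settings: i386
-######################################################################
-[i386]
-# Name of any kernel images to install directly from your current filesystem
-#kernels = /boot/vmlinuz-2.4.27-2-386
-# Modules to copy from host filesystem
-#modules = /lib/modules/2.4.27-2-386
-# Debs from local fs to unpack on live FS (will not be configured)
-unpackdebs =
-../packages/linux-image-2.6.20_cryptobox0.3.3_i386.deb
-# Other packages to install besides the list in DEFAULT
-packages = %(allpackages)s
-# Debs from local fs to install on live fs
-## fetch newest ntfs-3g from debian backports
-installdebs =
-../packages/cryptobox-server.deb
-../packages/ntfs-3g_1%3a1.516-1~bpo.1_i386.deb
-# Bootloader (see options under default)
-bootloader = grub-no-emul
-# Extra lines for grub config
-grubconfig = timeout 0
-password -md5 this_invalid_hash_protects_grub_config
-#####################################################################
-# Repository configuration
-######################################################################
-# Repositories to download
-[repo testing]
-suite = testing
-[repo amd64]
-suite = unstable
-# Override default mirror
-#mirror = http://debian-amd64.alioth.debian.org/pure64/
-# Override default arch
-arch = amd64
-######################################################################
-# Text to add to existing files
-######################################################################
-[appendfiles]
-/etc/network/interfaces =
-auto lo eth0
-iface lo inet loopback
-iface eth0 inet static
-address 192.168.0.23
-netmask 255.255.255.0
-# /etc/modules =
-/etc/profile = export TERM=vt100
-######################################################################
-# Files to create or truncate
-######################################################################
-[createfiles]
-/etc/hostname = CryptoBox
-/etc/syslog.conf = *.* /dev/tty8
-*.info /dev/tty7
-/etc/hosts = 127.0.0.1 localhost
-/etc/kernel-img.conf = do_initrd = Yes
-# exit the samba startup script during install immediately - otherwise
-# there would be /proc problems - it will get replaced later via
-# live-cd-tree.d/usr/lib/cryptobox-cd/configure-cryptobox.sh
-/etc/default/samba = exit
-######################################################################
-# Symlinks to create (from = to format)
-######################################################################
-# this does not work anymore
-#[symlinks]
-#/etc/mtab = /proc/mounts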

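--- a/etc-defaults.d/ssh-options.default
+++ b/etc-defaults.d/ssh-options.default
@@ -1,17 +0,0 @@
-Host cryptobox
-# change this part according to your needs
-HostName 192.168.0.23
-Port 22
-# maybe you want to use rsa authentication?
-# see misc/custom-configure.s/README for examples
-#IdentityFile local.conf.d/id_rsa
-# this should be valid for everyone
-User root
-CheckHostIP no
-StrictHostKeyChecking no
-# nice for frequently changing server key due to a rebuild of the base system
-UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts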

@ -1,4 +1,9 @@
Host cryptobox
## ssh_config
## This configuration file is intended to be supplied to the ssh client on the
## developer's *local* console system (using the -F option) when using ssh
## to connect to a CryptoNAS Live "devel build" system.
Host cryptonas
# change this part according to your needs
HostName 192.168.0.23

@ -7,4 +7,4 @@
#If you want to build the disk image, use "lh_build" as documented at
# http://devel.cryptobox.org/wiki/DebianLiveBuild
find config -type f -name \*~ -exec rm --verbose -f '{}' \;
find config -type f -name \*~ -execdir rm --verbose -f '{}' \;
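Review bot: The switch to `-execdir` is a real improvement (each match is handed to `rm` as `./name`, so a backup file whose name starts with `-` can no longer be taken for an option), but nothing on the line says so, and the unquoted `\*~` reads less clearly than a quoted pattern; `find config -type f -name '*~' -execdir rm --verbose -f '{}' \;` preceded by `# -execdir: matches are passed as ./name, so no file name can be parsed as an rm option` makes the intent explicit. Note that GNU `-execdir` refuses to run when `$PATH` contains a relative entry, which can surprise a developer invoking this from an unusual environment; if that bites, `find config -type f -name '*~' -delete -print` gives the same result without spawning `rm` at all.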

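--- a/scripts/cbox-build.sh
+++ b/scripts/cbox-build.sh
@@ -1,237 +0,0 @@
-#!/bin/bash
-#
-# Copyright (c) 02005-02006 sense.lab <devel@senselab.org.org>
-#
-# License: This script is distributed under the terms of version 2
-# of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# managing our work at the cryptobox
-#
-# usual workflow:
-# dfsbuild - create the image directory with dfsbuild
-# config - apply cryptobox specific changes to the image directory
-# harden - remove unnecessary packages and disable developer features
-# iso - create the iso image
-# isoz - create a compressed iso image
-# burn - burns the image on a cd-rw
-#
-# final action:
-# release - the same as "dfsbuild config harden isoz"
-#
-#
-# problems of this script:
-# - has to run as root
-# - 'harden' is strangely integrated
-#
-# you may run this script with multiple arguments, e.g.:
-# cb-build.sh dfsbuild config isoz
-#
-# the action "release" does what it says :)
-# (all developer's features like sshd, writable templates and
-# the test-suite are deactivated, some packages get removed)
-#
-set -ue
-# include common functions and settings
-source "$(dirname $0)/common.sh.inc"
-################### some settings ######################
-# dfsbuild config
-DFS_CONFIG=$(get_config_file dfs-cbox.conf)
-# debian package of cryptobox-server
-DEB_PACKAGE=$ROOT_DIR/packages/cryptobox-server.deb
-####################### functions ######################
-# samba fails to install if /proc/ is empty
-# we force samba to skip startup during configuring
-function workaround_samba_proc()
-{
-# let dfsbuild start first
-sleep 15
-local DEFAULT_DIR=$IMAGE_DIR/etc/default
-mkdir -p "$DEFAULT_DIR"
-echo "exit" >"$DEFAULT_DIR/samba"
-}
-function run_dfsbuild()
-{
-# we need a secret gpg key for apt-move/reprepro(?) - very strange
-# see: http://lists.debian.org/debian-user/2005/09/msg03288.html
-if test -z "$(gpg --list-secret-keys 2>/dev/null)"
-then echo "*************************************************************"
-echo "* Sorry - for some strange reason you/root need a secret *"
-echo "* gpg key without a passphrase! *"
-echo "* Please create a key first: 'gpg --gen-key' *"
-echo "*************************************************************"
-exit 1
-fi >&2
-if [ -e "$BUILD_DIR" ]
-then ## umount all other directories below
-mount | cut -d " " -f 3- | sed "s/ type .*$//" | grep "$IMAGE_DIR" | while read mdir
-do umount "$mdir"
-done
-echo "removing the build directory ($BUILD_DIR) to guarantee a clean build ..."
-rm -r "$BUILD_DIR"
-fi
-workaround_samba_proc &
-# build the target directory
-LANG=C dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR/"
-# remove iso image of dfsbuild - it is not necessary
-[ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso"
-# finish package installation
-echo "dpkg --configure --pending" | chroot_image
-}
-function create_uncompressed_iso()
-{
-# check for a mounted procfs
-mount | grep -q " $IMAGE_DIR/proc " && umount "$IMAGE_DIR/proc"
-echo "Creating the iso ..."
-mkisofs $MKISOFS_OPTIONS -o "$IMAGE_FILE" "$IMAGE_DIR"
-}
-function create_compressed_iso()
-{
-# check for a mounted procfs
-mount | grep -q " $IMAGE_DIR/proc " && umount "$IMAGE_DIR/proc"
-echo "Creating the compressed iso ..."
-[ -e "$IMAGEZ_DIR" ] && rm -r "$IMAGEZ_DIR"
-mkdir "$IMAGEZ_DIR"
-for a in $(ls "$IMAGE_DIR")
-do if echo "$UNCOMPRESSED_ITEMS" | grep -q -w "$a"
-then echo " Copying uncompressed item: $a ..."
-cp -a "$IMAGE_DIR/$a" "$IMAGEZ_DIR"
-else if [ -h "$IMAGE_DIR/$a" ]
-then echo " Copying link: $a ..."
-cp -a "$IMAGE_DIR/$a" "$IMAGEZ_DIR"
-else echo " Compressing item: $a ..."
-mkzftree "$IMAGE_DIR/$a" "$IMAGEZ_DIR/$a"
-fi
-fi
-done
-mkisofs -z $MKISOFS_OPTIONS -o "$IMAGEZ_FILE" "$IMAGEZ_DIR"
-}
-function configure_cb()
-{
-if [ ! -e "$IMAGE_DIR" ]; then
-echo -e "Directory \"$IMAGE_DIR\" not found!"
-echo -e "Did you run \"$0 dfsbuild\"?"
-exit 1
-fi
-echo "Copying files to the box ..."
-svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR"
-echo "Configuring the cryptobox ..."
-echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh normal" | chroot_image
-# source local configure scripts
-[ -d "$CUSTOM_CONFIGURE_DIR" ] && \
-find "$CUSTOM_CONFIGURE_DIR" -xtype f | sort | while read file
-do echo "Sourcing custom configure script $(basename $file) ..."
-# execute it in its own environment (to be safe)
-# 'source' implicitly imports all current settings
-# indent these lines to improve the output
-( source "$file" ) 2>&1 | sed 's/^/\t/'
-done
-}
-function install_package()
-{
-## first disable automatic startup to avoid conflicts with local servers
-local conf_file=$IMAGE_DIR/etc/default/cryptobox-server
-test -e "$conf_file" && sed -i 's/^NO_START=.*$/NO_START=1/' "$conf_file"
-local chroot_deb_file=/cryptobox-server.deb
-cp "$DEB_PACKAGE" "$IMAGE_DIR$chroot_deb_file"
-echo "dpkg -i $chroot_deb_file" | chroot_image
-rm "$IMAGE_DIR$chroot_deb_file"
-}
-function blanknburn_cdrw()
-{
-cdrecord -v dev=$CDWRITER blank=fast
-if [ -e "$IMAGEZ_FILE" ]; then
-cdrecord -v dev=$CDWRITER $IMAGEZ_FILE
-elif [ -e "IMAGE_FILE" ]; then
-cdrecord -v dev=$CDWRITER $IMAGE_FILE
-else
-echo "can't find CryptoBox image to burn" && exit 1
-fi
-}
-################ do it! ######################
-[ $# -eq 0 ] && echo "[`basename $0`] - no arguments supplied - maybe you want to use '--help'"
-# initialize local directories (easier for users)
-for a in $LOCALCONF_DIR $CUSTOM_CONFIGURE_DIR
-do [ ! -e "$a" ] && mkdir "$a" && chown --reference=. "$a"
-done
-# check for uid=0 (necessary for all operations)
-[ "$(id -u)" -ne 0 ] && echo "this script ($0) has to be called as root" >&2 && exit 1
-while [ $# -gt 0 ]
-do case "$1" in
-dfsbuild )
-# check if we are in ROOT_DIR - otherwise we will have problems with
-# relative paths in dfs-box.conf
-[ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!"
-run_dfsbuild
-;;
-config )
-install_package
-configure_cb normal
-;;
-iso )
-create_uncompressed_iso
-;;
-isoz )
-create_compressed_iso
-;;
-harden )
-echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh normal" | chroot_image
-echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh secure" | chroot_image
-;;
-burn )
-blanknburn_cdrw
-;;
-release )
-"$0" dfsbuild config harden isoz
-md5sum $IMAGEZ_FILE > ${IMAGEZ_FILE}.md5sum
-sha1sum $IMAGEZ_FILE > ${IMAGEZ_FILE}.sha1sum
-;;
-help|--help )
-echo "Syntax: `basename $0` ( release | dfsbuild | config | harden | iso | isoz | burn | help )"
-echo " (you may specify more than one action)"
-echo
-;;
-* )
-echo -e "unknown action: $1"
-echo
-$0 help
-exit 1
-;;
-esac
-shift
-done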

@ -21,6 +21,12 @@
# problems of this script:
# - chroot has to run as root
#
# jwc 9/08: started modifications to work with CryptoNAS Live
#Note: It appears to have been a long time since this script was maintained.
#(For example, where *was* $DEV_FEATURES_SCRIPT defined previously?)
#It may work or it may fail.
DEV_FEATURES_SCRIPT="/usr/share/cryptonas-live/devel-features.sh"
set -ue
@ -61,7 +67,7 @@ function upload2box()
# of course, only the directories that are mapped to tmpfs can
# be updated this way
{
local DIRS="var/www usr/share/cryptobox usr/lib/cryptobox"
local DIRS="var/www usr/share/cryptobox-server usr/share/cryptonas-live"
echo "Uploading the following dirs: $DIRS "
[ -e "$TMP_DIR" ] || mkdir -p "$TMP_DIR"
for a in $DIRS
@ -137,14 +143,11 @@ case "$1" in
qemu )
qemu_boot "$IMAGE_FILE"
;;
qemuz )
qemu_boot "$IMAGEZ_FILE"
;;
ssh )
ssh -F "$SSH_CONFIG_FILE" "$SSH_HOST"
;;
help|--help )
echo "Syntax: `basename $0` ( qemu | qemuz | chroot | upload | diff | merge | ssh | help )"
echo "Syntax: `basename $0` ( qemu | chroot | upload | diff | merge | ssh | help )"
echo
;;
* )
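Review bot: The updated usage line `echo "Syntax: ... ( qemu | chroot | upload | diff | merge | ssh | help )"` still gives no hint that `devel-features.sh` has to be started on the box before `diff` works, which is exactly the precondition the commit message states; since `$DEV_FEATURES_SCRIPT` is now defined in this file's first hunk, the help branch is the natural place to say so, e.g. `echo " (run $DEV_FEATURES_SCRIPT start on the box before 'diff')"`. The `#Note:` lines added at the top of the file record an open question (where `$DEV_FEATURES_SCRIPT` used to come from) rather than a fact, so marking them `# TODO(jwc):` keeps them findable instead of reading like documentation. The `case "$1"` this branch belongs to starts outside the hunk.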

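--- a/scripts/validate.sh
+++ b/scripts/validate.sh
@@ -1,147 +0,0 @@
-#!/bin/sh
-#
-# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
-#
-# License: This script is distributed under the terms of version 2
-# of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# do a validation
-#
-# use "--help" for a list of possible actions
-#
-set -eu
-# include common functions and settings
-source $(dirname $0)/common.sh.inc
-# extract confirmation text from language file
-confirmtext=$(grep "\<ConfirmInit\>" "$TEMPLATE_DIR/usr/share/cryptobox/lang/${VALIDATE_LANGUAGE}.hdf" | sed 's/[^=]*=[^a-zA-Z]*\(.*\)$/\1/; s/ /%20/g; s/!/%21/g; s/,/%2C/g')
-##################### some functions ########################
-function do_single()
-# Parameter: "test case dir" "output directory for results"
-{
-local TESTNAME=$(basename $1)
-# replace IPs and ports in the curl-file by local settings
-cat "$1/input.curl" | substitute_constants | curl --insecure --silent --output "${2}/${TESTNAME}.html" --config -
-# remove possible refresh-redirect
-sed -i 's/<meta http-equiv="refresh"[^>]*>//g' "${2}/${TESTNAME}.html"
-# there is no status in certain cases - e.g. for error 404
-if [ -e "${2}/${TESTNAME}.html" ]
-then sed "1,/CBOX-STATUS-begin/d; /CBOX-STATUS-end/,\$d" "${2}/${TESTNAME}.html" >"${2}/${TESTNAME}.status"
-# the diff option "-B" is required, because the status output of
-# the cryptobox.pl script contains some blank lines
-cat "$1/output" | substitute_constants | diff -NB - "${2}/${TESTNAME}.status" | sed 's/</\&lt;/g; s/>/\&gt;/g' >"${2}/${TESTNAME}.diff" || true
-rm "${2}/${TESTNAME}.status"
-fi
-cp "$1/description" "${2}/${TESTNAME}.desc"
-# sleep, if a file called 'delay' exists
-[ -e "$1/delay" ] && sleep "$(<$1/delay)"
-true
-}
-function do_series()
-# parameter: name of the test case
-{
-[ -d "$VALIDATE_REPORT_DIR/$1" ] && rm -r "$VALIDATE_REPORT_DIR/$1"
-mkdir -p "$VALIDATE_REPORT_DIR/$1"
-find "$VALIDATE_TEST_CASES_DIR/$1" -maxdepth 1 -mindepth 1 -type d | grep -v "/\.[^/]*$" | sort | while read a
-do do_single "$a" "$VALIDATE_REPORT_DIR/$1"
-done
-create_summary "$1" >"$VALIDATE_REPORT_DIR/summary-$1.html"
-}
-function create_summary()
-# parameter: name of test series
-{
-cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/header"
-find "$VALIDATE_REPORT_DIR/$1" -maxdepth 1 -type f -name \*.desc | sort | while read a
-do TESTNAME=$(basename ${a%.desc})
-TESTDESCRIPTION=$(cat $a)
-sed "s#_TESTSERIES_#$1#g; s#_TESTNAME_#$TESTNAME#g; s/_TESTDESCRIPTION_/$TESTDESCRIPTION/" "$VALIDATE_SUMMARY_TEMPLATE_DIR/single_header"
-local DIFF_FILE=${a%.desc}.diff
-if [ -s "$DIFF_FILE" ]
-then cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/result-error"
-sed 's#$#<br/>#' "$DIFF_FILE"
-else cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/result-ok"
-echo "no differences found"
-# remove empty diff
-[ -e "$DIFF_FILE" ] && rm "$DIFF_FILE"
-fi
-cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/single_footer"
-# remove description file
-rm "$a"
-done
-cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/footer"
-}
-function import_style()
-# get the stylesheet file and images
-# change the stylesheet link
-{
-[ -d "$VALIDATE_REPORT_DIR/cryptobox-misc" ] && rm -r "$VALIDATE_REPORT_DIR/cryptobox-misc"
-mkdir -p "$VALIDATE_REPORT_DIR/cryptobox-misc"
-wget -q -O "$VALIDATE_REPORT_DIR/cryptobox-misc/cryptobox.css" http://$VALIDATE_HOST_IP_DEFAULT/cryptobox-misc/cryptobox.css
-# extract image file names
-grep "url(" "$VALIDATE_REPORT_DIR/cryptobox.css" | sed 's#^.*url(\(.*\)).*$#\1#' | while read a
-do wget -q -O "$VALIDATE_REPORT_DIR/cryptobox-misc/$a" "http://$VALIDATE_HOST_IP_DEFAULT/cryptobox-misc/$a"
-done
-# change the stylesheet link in every html file in REPORT_DIR
-find "$VALIDATE_REPORT_DIR" -type f -name \*.html | while read a
-do sed -i '/stylesheet/s#href=\"/cryptobox-misc/cryptobox.css\"#href=\"../cryptobox-misc/cryptobox.css\"#g' "$a"
-done
-}
-function substitute_constants()
-{
-sed "s/_HOST_IP_DEFAULT_/$VALIDATE_HOST_IP_DEFAULT/g; \
-s/_HOST_IP_CHANGED_/$VALIDATE_HOST_IP_CHANGED/g; \
-s/_IFACE_LANG_/$VALIDATE_LANGUAGE/g;
-s/_CONFIRM_TEXT_/$confirmtext/g"
-}
-##################### main ###########################
-# do all checks, if nothing is specified
-ACTION="check_all"
-[ $# -gt 0 ] && ACTION=$1
-case "$ACTION" in
-list )
-find "$VALIDATE_TEST_CASES_DIR" -maxdepth 1 -mindepth 1 -type d | grep -v "/\.[^/]*$" | sort | while read a
-do echo $(basename "$a")
-done
-;;
-check )
-[ $# -ne 2 ] && error_die 1 "Syntax: $(basename $0) check NAME"
-case_dir="$VALIDATE_TEST_CASES_DIR/$2"
-[ ! -d "$case_dir" ] && error_die 2 "the test case was not found ($case_dir)!"
-do_series "$2"
-import_style
-;;
-check_all )
-# default action
-"$0" list | sort | while read a
-do echo -n "Validating $a ..."
-"$0" check "$a"
-echo
-done
-;;
-* )
-echo "Syntax of $(basename $0)"
-echo -e "\t check_all \t - execute all test cases [default]"
-echo -e "\t check NAME \t - execute a test case"
-echo -e "\t list \t\t - show a list of available test cases"
-echo -e "\t help \t\t - this syntax information"
-echo
-;;
-esac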