From 52d19f4ffe3d29d2f88297f8327c8157a46ed52c Mon Sep 17 00:00:00 2001 From: frisco <> Date: Sat, 13 Sep 2008 00:00:58 +0000 Subject: [PATCH] Fixed "scripts/cbox-dev.sh diff" (must run devel-features.sh manually first); cleaned up some pre-0.4 files --- README.devel | 3 +- .../50cnas-config-chroot.sh | 6 +- .../usr/share/cryptonas-live/chroot-start.sh | 56 ----- .../cryptonas-live/configure-cryptobox.sh | 181 ------------- .../share/cryptonas-live/devel-features.sh | 13 +- config/cnas-default-settings | 26 +- configure-examples.d/README | 32 +-- configure-examples.d/import_authorized_keys | 19 -- configure-examples.d/set_hostname | 4 - etc-defaults.d/cbox-dev.conf | 18 -- etc-defaults.d/dfs-cbox.conf | 236 ----------------- etc-defaults.d/ssh-options.default | 17 -- etc-defaults.d/ssh_config | 7 +- rm-tmps.sh | 2 +- scripts/cbox-build.sh | 237 ------------------ scripts/cbox-dev.sh | 13 +- scripts/validate.sh | 147 ----------- 17 files changed, 54 insertions(+), 963 deletions(-) delete mode 100755 config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh delete mode 100755 config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh delete mode 100644 configure-examples.d/import_authorized_keys delete mode 100644 configure-examples.d/set_hostname delete mode 100644 etc-defaults.d/dfs-cbox.conf delete mode 100644 etc-defaults.d/ssh-options.default delete mode 100755 scripts/cbox-build.sh delete mode 100755 scripts/validate.sh diff --git a/README.devel b/README.devel index 2903701..15124c9 100644 --- a/README.devel +++ b/README.devel @@ -32,6 +32,7 @@ will now be used at boot time if they exist. The developer can specify alternative files using the $CNAS_KMODULES and $CNAS_INTERFACES variables. +`scripts/cbox-dev.sh diff' works now. Source Code Info ---------------- 
@@ -65,7 +66,7 @@ stream music check filesystems periodically make drive identification more user-friendly (not just "/dev/foo") "install to hard disk or similar device" function (not high priority) - +for release live cd, set an invalid hash to disable misusing the syslinux bootloader Short term goals: diff --git a/config/chroot_local-hooks/50cnas-config-chroot.sh b/config/chroot_local-hooks/50cnas-config-chroot.sh index 9121604..d14f7a8 100755 --- a/config/chroot_local-hooks/50cnas-config-chroot.sh +++ b/config/chroot_local-hooks/50cnas-config-chroot.sh @@ -16,8 +16,8 @@ set -eu -#FIXME: no longer using dfs: -RUNTIMEDIR=/opt/dfsruntime/runtimerd +#this script runs in chroot, so RUNTIMEDIR is the null string +RUNTIMEDIR="" TUNDEV=$RUNTIMEDIR/dev/net/tun REMOVE_PACKAGES="strace @@ -75,7 +75,7 @@ function configure_normal() # by "config/chroot_local-includes/". # Note that we are doing this at build time, not run time! # Only fix files that are neither setuid nor setgid: - chown root:root `find / -xdev -nouser ! -perm -4000 ! -perm -2000` + find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+ ############ webdav ############ #TODO: FIXME: configure port; add webdav link in web frontend diff --git a/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh b/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh deleted file mode 100755 index 626672f..0000000 --- a/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh +++ /dev/null 
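Review bot: In the new `find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+` line of configure_normal, chown is run without `-h`, so an orphaned-uid symlink selected by `-nouser` (find tests the link itself, not its target) would re-own whatever the link points to instead of the link; `-execdir chown -h root:root '{}' \+` fixes the link and leaves the target untouched. The `! -perm -4000 ! -perm -2000` exclusion is the right guard, since handing a stray setuid or setgid file to root would be worse than leaving it unowned, and a comment saying so would help the next reader: `# never re-own a stray setuid/setgid file to root - leave it for a human to inspect`. One behavioural difference worth knowing: when nothing matches, the old backtick form ran `chown root:root` with no operand and failed under `set -eu`, whereas the `-exec ... +` form runs nothing. The body of configure_normal continues outside the hunk.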
@@ -1,56 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 02005-02006 sense.lab -# -# License: This script is distributed under the terms of version 2 -# of the GNU GPL. See the LICENSE file included with the package. -# -# $Id$ -# -# FOR DEVELOPMENT ONLY! -# -# this script is used to prepare a chroot session for testing or configuring -# -# called by: -# - cbox-build.sh -# -# parameter: [commandline] -# -# if "commandline" is empty, "bash" will be used -# - -set -eu - -MNT_SRC=/opt/dfsruntime/runtimerd -MNT_DST=/opt/dfsruntime/runtimemnt -# the directory /tmp/ can not be used, as it is still a broken link, too -TMP_DIR="/tmp-`basename $0`-$$" - - -cp -a "$MNT_SRC/." "$TMP_DIR" -mount -n --bind "$TMP_DIR" "$MNT_DST" - -[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null" -[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom" -[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console" - -# remember, if proc was mounted before (e.g. because of a running chroot) -PROC_WAS_MOUNTED=no -mount -n -t proc proc /proc 2>/dev/null || PROC_WAS_MOUNTED=yes - -# default language setting - prevents dpkg error messages -export LANG=C - -# set default terminal (good if you are running in a screen session) -export TERM=linux - -# execute parameters as commandline -if [ $# -gt 0 ] - then "$@" - else bash - fi - -umount -l -n "$MNT_DST" -[ "$PROC_WAS_MOUNTED" = "no" ] && umount -l -n proc -rm -r "$TMP_DIR" - diff --git a/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh b/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh deleted file mode 100755 index bc8c42c..0000000 --- a/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh +++ /dev/null 
@@ -1,181 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 02005 sense.lab -# -# License: This script is distributed under the terms of version 2 -# of the GNU GPL. See the LICENSE file included with the package. -# -# $Id$ -# -# this script is part of the building process of the cryptobox -# the "normal" action is necessary for every cryptobox (development & release) -# the "secure" action is mandatory for every release CD -# -# called by: -# - cbox-build.sh after copying custom files and before creating the iso image -# - -set -eu - -RUNTIMEDIR=/opt/dfsruntime/runtimerd -TUNDEV=$RUNTIMEDIR/dev/net/tun -ADD_GROUPS="floppy cdrom tape video plugdev" - -REMOVE_PACKAGES="strace - nvi nano vim vim-common vim-tiny - unzip zip aptitude tasksel locate - ssh elinks curl wget netkit-inetd telnet - exim4-daemon-light exim4-config exim4-base - ppp pppconfig pppoe pppoeconf iptables - subversion w3m wget lynx less screen - info iptables man-db manpages - openssh-server openssh-client" - -# remove rc symlinks for these services -SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate" - -function configure_normal() -# the usual stuff - not optimized for security -{ - ##### cryptobox settings ###### - # start during bootup - sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server - # listen to port 80 by default - sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server - # use a separate configuration partition - sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf - # all plugins are enabled (especially: "encrypted_webinterface") - sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf - # change the selection of devices, that can be used as the crypto harddisk - sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf - # add the cryptobox user to some more groups - for new_group in $ADD_GROUPS - do adduser cryptobox "$new_group" - done - - ############ samba 
############ - # enable samba startup (disabled before via cbox-build.sh) - echo 'RUN_MODE="daemons"' >/etc/default/samba - # install the samba hook script - cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba - chmod +x /etc/cryptobox-server/events.d/samba - - - ############ webdav ############ - #TODO: add apache2 packages; configure port; add webdav link in web frontend - -#This breaks the build until apache2 is integrated into the package list -# sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2 -# cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav -# chmod +x /etc/cryptobox-server/events.d/apache2_dav - - ########### boot up ########### - # turn off creation of "/etc/nologin" (read-only fs) - sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS - # turn off modifying /etc/motd (read-only fs) - sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS - # default runlevel (out of some strange reason, runlevel 2 is not working) - sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab - # add tmpfs entry for mount parent - # remove old line, if fstab exists - test -e /etc/fstab && sed -i '#/var/cache/cryptobox-server/mnt#d' /etc/fstab - # add new line - echo "tmpfs /var/cache/cryptobox-server/mnt tmpfs defaults 0 0" >>/etc/fstab - - ######### devices ########## - # create tun device for running under qemu - if [ ! 
-e "$TUNDEV" ] - then mkdir -p `dirname "$TUNDEV"` - mknod "$TUNDEV" c 10 200 - fi - - ########## sshd ############ - if [ -e "/etc/ssh" ]; then - # allow empty passwords for ssh - # the daemon is NOT started automatically, so you have to start it - # manually in case of need - as the root pw is empty and passwd is ro, you - # have to allow empty passwords for this rare case - sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config - # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour) - sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config - # allow input of password - sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config - fi - - # remove symlinks for unwanted services - for a in $SERVICES_OFF; do - # echo "Turning off service $a ..." - find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b - do rm "$b" - done - done - - return 0 -} - - -function configure_secure() -# remove everything that could weaken security -# configure_normal should be called too! -{ - # disable keyboard login - sed -i '/getty/d' /etc/inittab - - # remove unnecessary packages - dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true - - # maybe an authorized_keys file was created - but it is not dangerous, - # as the openssh package was removed anyway - [ -d /root/.ssh ] && rm -rf /root/.ssh - - # disable root account - passwd -l root - - ############## clean up ################ - # remove deb-files, that were left by dfsbuild - # remove packages and package lists - # remove locale files - # remove doc files - # remove man pages - # some vim files stay behind? 
- rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate - rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man - # remove docs except for the cryptobox's - ls /usr/share/doc | while read dname - do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname" - done - # remove all locale files and symlinks except for the cryptobox's - (find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname - do rm "$fname" - done - # remove all empty locale directories - find /usr/share/locale -type d | while read dname - do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname" - done - - # change some dir permissions - chmod 660 /var/cache/cryptobox-server/settings/ - - return 0 -} - - -################ main #################### - - -ACTION=help -[ $# -gt 0 ] && ACTION=$1 - -case "$ACTION" in - normal ) - configure_normal - ;; - secure ) - configure_secure - ;; - * ) - echo "Syntax: `basename $0` { normal | secure }" - echo - ;; - esac - diff --git a/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh b/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh index c3dd82c..50db234 100755 --- a/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh +++ b/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh @@ -11,8 +11,9 @@ # # it should really NEVER be found on a release CD # +##NOT currently called automatically in deb-live version # called by: -# - /etc/rc2.d/S99cb-devel-features +# - /etc/init.d/S99cnas-devel-features # set -eu 
@@ -20,14 +21,9 @@ set -eu # read the default setting file, if it exists [ -e /etc/default/cryptobox ] && . /etc/default/cryptobox -# set CONF_FILE to default value, if not configured in /etc/default/cryptobox -CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} -# parse config file -. "$CONF_FILE" - MIRROR_DIR=/tmp/mirror MIRROR_ORIG_DIR=/tmp/mirror.orig -WRITE_DIRS="/usr/share/cryptobox /var/www /usr/lib/cryptobox" +WRITE_DIRS="/var/www /usr/share/cryptobox-server /usr/share/cryptonas-live" ACTION="--help" [ $# -gt 0 ] && ACTION="$1" @@ -67,8 +63,9 @@ case "$ACTION" in ;; stop ) [ -x /etc/init.d/ssh ] && /etc/init.d/ssh stop +#TODO: devel-features.sh stop appears to be broken on deb-live version for a in $WRITE_DIRS - do umount "$MIRROR_DIR/$a" + do umount "$MIRROR_DIR/$a" "$a" done rm -rf "$MIRROR_DIR" ;; diff --git a/config/cnas-default-settings b/config/cnas-default-settings index a1e213d..3044061 100644 --- a/config/cnas-default-settings +++ b/config/cnas-default-settings @@ -44,8 +44,14 @@ LH_APT_SECURE="enabled" #-----bootstrap----- # $LH_MIRROR_BOOTSTRAP: set mirror to bootstrap from -# (Default: http://ftp.us.debian.org/debian/) +# +# (1) apt-cacher (default) LH_MIRROR_BOOTSTRAP="http://127.0.0.1:3142/apt-cacher/ftp.debian.org/debian/" +# (2) apt-proxy +#LH_MIRROR_BOOTSTRAP="http://127.0.0.1:9999/debian" +# (3) no caching proxy for apt +#LH_MIRROR_BOOTSTRAP="http://ftp.us.debian.org/debian/" + # $LH_MIRROR_CHROOT: set mirror to fetch packages from # (Default: http://ftp.us.debian.org/debian/) @@ -144,7 +150,7 @@ LH_SOURCE="disabled" # runtime via the scoreboard file. ############################################################### -#CNAS_DELETEFILES="/etc/rcS.d/*discover \ +#deletefiles (at build time, from old dfsbuild config)="/etc/rcS.d/*discover \ #/etc/rcS.d/*lvm \ #/var/log/dpkg.log \ #/var/log/bootstrap.log" 
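Review bot: The new `umount "$MIRROR_DIR/$a" "$a"` in the `stop` branch runs under `set -eu`, so the first mount point that refuses to detach aborts the loop and skips the `rm -rf "$MIRROR_DIR"` that follows, leaving the remaining writable overlays mounted; that is likely the breakage the added TODO describes. Unmounting each point in its own checked command keeps the teardown going: `umount "$a" || echo "warning: $a still mounted" >&2` followed by `umount "$MIRROR_DIR/$a" || echo "warning: $MIRROR_DIR/$a still mounted" >&2`. The `start` branch that creates these mounts is outside the hunk, so the mount layout and the best unmount order are inferred from the stop side. Since the header says this script must never be on a release CD and `stop` also stops sshd, presumably `start` enables it, which is worth stating in a comment next to the `/etc/init.d/ssh stop` line.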
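Review bot: All three `LH_MIRROR_BOOTSTRAP` choices added in this hunk are plain http, the default going through a local apt-cacher on 127.0.0.1:3142, so the integrity of every package in the image rests on signature verification rather than on the transport. The context line `LH_APT_SECURE="enabled"` appears to govern apt inside the chroot, but the bootstrap stage is performed by debootstrap, whose Release-file verification depends on a keyring being supplied to it; whether this live-helper version does so is not visible here. A one-line comment above the setting would make the dependency explicit: `# all mirrors are plain http: package integrity relies on apt/debootstrap signature checks, keep LH_APT_SECURE enabled`.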
@@ -184,12 +190,7 @@ CNAS_SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate" CNAS_INTERFACES="$CNAS_SCOREBOARD_DIR/etc.d/network/interfaces" CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules" -#FIXME: add to etc.d/network/interfaces -#\tauto lo eth0 -#\tiface lo inet loopback -#\tiface eth0 inet static -#\t\taddress 192.168.0.23 -#\t\tnetmask 255.255.255.0 + # $LH_ENCRYPTION: set encryption type/key size # Encryption of the Debian Live media is broken under Etch. It may @@ -197,3 +198,12 @@ CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules" # in casper or initramfs-tools. #LH_ENCRYPTION="aes256" + +# More stuff from dfsbuild live-cd implementation to figure out: +#/etc/profile = export TERM=vt100 + +# +#/etc/syslog.conf = *.* /dev/tty8 +# *.info /dev/tty7 + +#/etc/kernel-img.conf = do_initrd = Yes diff --git a/configure-examples.d/README b/configure-examples.d/README index 2f75cec..2f4917f 100644 --- a/configure-examples.d/README +++ b/configure-examples.d/README 
@@ -1,30 +1,20 @@ +#Note: these files have NOT been tested with CryptoNAS 0.4 or later. +#They *may* work if added to config/chroot_local-includes/etc/init.d/ +#and symbolic links created from /etc/rcS.d/*. + 1) Overview -the files in this directory are examples for specific hook scripts to change the -configuration of the box - -2) How to use these scripts -Copy the scripts, you would like to use into 'configure-local.d'. -They will be sourced in alphabetic order AFTER the default configuration of the -cryptobox. - -3) The examples +the files in this directory are examples for specific hook scripts +to change the configuration of the box set_root_pw - - replace the empty root password (the default) with a choosen password + - replace the disabled root password (the default) with + a choosen password - useful if your development cryptobox: - is located in an insecure environment - or your development team is geographically distributed, so the cryptobox for testing has to be publicly available -import_authorized_keys - - create a new rsa key (etc-local.d/id_rsa) and copy the public - key to the image directory - - this is useful, if you secured the development cryptobox with a - password (see 'set_root_pw') - -set_hostname - - change the default hostname ("cryptobox") - -set_scan_devices - - change the default selection of devices, that can be used as the crypto harddisk +set_allowed_devices + - change the default selection of devices that can be used + as the crypto harddisk diff --git a/configure-examples.d/import_authorized_keys b/configure-examples.d/import_authorized_keys deleted file mode 100644 index 17cba07..0000000 --- a/configure-examples.d/import_authorized_keys +++ /dev/null 
@@ -1,19 +0,0 @@ -# import a public rsa key into the cryptobox for ssh authentication -# -# see README in configure-examples.d for details -# - -SSH_KEY_FILE="$LOCALCONF_DIR/id_rsa" - -# create a rsa key if it does not yet exist -if [ ! -e "$SSH_KEY_FILE" ] - then echo "Creating ssh key ($SSH_KEY_FILE) ..." - mkdir -p $(dirname "$SSH_KEY_FILE") - ssh-keygen -t rsa -b 1024 -N '' -q -f "$SSH_KEY_FILE" - fi - -# copy new public ssh key to ~/.ssh/authorized_keys on cryptobox -echo "Copying local public ssh key file to the box ..." -mkdir -p "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh" -cp "${SSH_KEY_FILE}.pub" "$IMAGE_DIR/opt/dfsbuild/runtimerd/root/.ssh/authorized_keys" - diff --git a/configure-examples.d/set_hostname b/configure-examples.d/set_hostname deleted file mode 100644 index 35233c1..0000000 --- a/configure-examples.d/set_hostname +++ /dev/null @@ -1,4 +0,0 @@ -# change the hostname (default value: "cryptobox") - -echo "cryptobox" >"$IMAGE_DIR"/etc/hostname - diff --git a/etc-defaults.d/cbox-dev.conf b/etc-defaults.d/cbox-dev.conf index 0cb115b..97750ca 100644 --- a/etc-defaults.d/cbox-dev.conf +++ b/etc-defaults.d/cbox-dev.conf @@ -34,21 +34,3 @@ MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito CDWRITER=0,0,0 -####################### validation ######################## - -# language of validation (select web interface language) -VALIDATE_LANGUAGE=en - -# directory of the test-cases -VALIDATE_TEST_CASES_DIR=$ROOT_DIR/validation/test-cases - -# override these settings if the CryptoBox uses a non-default IP -VALIDATE_HOST_IP_DEFAULT=192.168.0.23 -VALIDATE_HOST_IP_CHANGED=192.168.0.24 - -# destination directories for the results -VALIDATE_REPORT_DIR=/tmp/cryptobox-validation-$$ -VALIDATE_REPORT_DIR=$ROOT_DIR/validation/report -VALIDATE_SUMMARY_TEMPLATE_DIR=$ROOT_DIR/validation/templates - - diff --git a/etc-defaults.d/dfs-cbox.conf b/etc-defaults.d/dfs-cbox.conf deleted file mode 100644 index 23bad8b..0000000 
--- a/etc-defaults.d/dfs-cbox.conf
+++ /dev/null
@@ -1,236 +0,0 @@ -# arch-tag: Default configuration file -# Copyright (c) 2004 John Goerzen - -[DEFAULT] -###################################################################### -# Overall settings, set defaults for all archs -###################################################################### - -# Name of generated disc & hostname -# BEWARE: hostname does not work - you have to set the hostname manually at the end of this file -name = CryptoBox - -# Version of generated disc -version = 0.3.4 - -# Person that built it -builder = sense.lab - -# Repositories to mirror. Details about each one are configured below. -dlrepos = stable - -# Repository to build the CD with. Must be in above list. -suite = stable - -# Whether or not to use zftree compression on ISO image -compress = no - -# Files to never compress if the above is yes -# If a dir is given, that dir and everything below is not compressed -dontcompress = /boot - /etc/*boot* - /opt/dfsruntime/initrd.dfs - -# Location of dfsbuild support files -libdir = /usr/lib/dfsbuild - -# Location of docs for CD -docdir = /usr/share/doc/dfsbuild - -# Bootloader to place on CD. 
Choices are: -# grub-hd GRUB with ElTorito hard disk emulation (not working yet) -# grub-no-emul "raw" ElTorito image -# aboot Alpha SRM bootloader -# yaboot PowerPC bootloader -# (usually set in arch area) -#bootloader = grub-no-emul - - -# Packages to install on live FS, on all archs, besides base system -allpackages = - util-linux - grub - parted - dmsetup - perl - tar - bash - coreutils - module-init-tools - ifupdown - busybox - usbutils - pciutils - discover - hdparm - binutils - debconf - sysutils - stunnel4 - samba - hashalot - python-clearsilver - python-cherrypy - python-configobj - python-central - super - dosfstools - cryptsetup - python-m2crypto - # support for file systems - e2tools - e2fsprogs - xfsprogs - hfsutils - jfsutils - ## ntfs-3g is not in etch - #ntfs-3g - # TODO: remove the following packages for the final version - subversion - strace - ssh - vim - nano - less - lynx - w3m - screen - elinks - - -# select a mirror for the repository (apt-cacher, apt-proxy, no caching) by -# uncommenting the line of your choice -# (1) apt-cacher (default) -mirror = http://127.0.0.1/apt-cacher/ftp.debian.org/debian -# (2) apt-proxy -#mirror = http://127.0.0.1:9999/debian -# (3) no caching proxy for apt -#mirror = http://ftp.debian.org/debian - - -# Files to place on the ramdisk -ramdisk_files = /etc/resolv.conf - /etc/lvm* - /tmp - /var/tmp - /dev - /var/lib/dhcp - /var/lib/samba - /var/log - /var/cache/samba - /var/lock - /var/run - /var/state - /etc/mtab - /root - /etc/network - /var/lib/misc - /var/lib/urandom - #/etc/hotplug/.run - /var/spool/cron - -# Directories to create on live fs -makedirs = - -# Files to delete from live fs -deletefiles = /etc/rcS.d/*discover - /etc/rcS.d/*lvm - /var/log/dpkg.log - /var/log/bootstrap.log - -preparescripts = - ../scripts/prepare_target.sh - -cleanupscripts = - ../scripts/cleanup_target.sh - -###################################################################### -# Arch settings: i386 
-###################################################################### - -[i386] -# Name of any kernel images to install directly from your current filesystem -#kernels = /boot/vmlinuz-2.4.27-2-386 - -# Modules to copy from host filesystem -#modules = /lib/modules/2.4.27-2-386 - -# Debs from local fs to unpack on live FS (will not be configured) -unpackdebs = - ../packages/linux-image-2.6.20_cryptobox0.3.3_i386.deb - -# Other packages to install besides the list in DEFAULT -packages = %(allpackages)s - -# Debs from local fs to install on live fs -## fetch newest ntfs-3g from debian backports -installdebs = - ../packages/cryptobox-server.deb - ../packages/ntfs-3g_1%3a1.516-1~bpo.1_i386.deb - -# Bootloader (see options under default) -bootloader = grub-no-emul - -# Extra lines for grub config -grubconfig = timeout 0 - password -md5 this_invalid_hash_protects_grub_config - -##################################################################### -# Repository configuration -###################################################################### - -# Repositories to download -[repo testing] -suite = testing - -[repo amd64] -suite = unstable -# Override default mirror -#mirror = http://debian-amd64.alioth.debian.org/pure64/ -# Override default arch -arch = amd64 - -###################################################################### -# Text to add to existing files -###################################################################### - -[appendfiles] - -/etc/network/interfaces = - auto lo eth0 - iface lo inet loopback - iface eth0 inet static - address 192.168.0.23 - netmask 255.255.255.0 - -# /etc/modules = - -/etc/profile = export TERM=vt100 - -###################################################################### -# Files to create or truncate -###################################################################### - -[createfiles] -/etc/hostname = CryptoBox - -/etc/syslog.conf = *.* /dev/tty8 - *.info /dev/tty7 - -/etc/hosts = 127.0.0.1 localhost - 
-/etc/kernel-img.conf = do_initrd = Yes - -# exit the samba startup script during install immediately - otherwise -# there would be /proc problems - it will get replaced later via -# live-cd-tree.d/usr/lib/cryptobox-cd/configure-cryptobox.sh -/etc/default/samba = exit - -###################################################################### -# Symlinks to create (from = to format) -###################################################################### - -# this does not work anymore -#[symlinks] -#/etc/mtab = /proc/mounts - diff --git a/etc-defaults.d/ssh-options.default b/etc-defaults.d/ssh-options.default deleted file mode 100644 index de831bd..0000000 --- a/etc-defaults.d/ssh-options.default +++ /dev/null @@ -1,17 +0,0 @@ -Host cryptobox - -# change this part according to your needs -HostName 192.168.0.23 -Port 22 - -# maybe you want to use rsa authentication? -# see misc/custom-configure.s/README for examples -#IdentityFile local.conf.d/id_rsa - -# this should be valid for everyone -User root -CheckHostIP no -StrictHostKeyChecking no - -# nice for frequently changing server key due to a rebuild of the base system -UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts diff --git a/etc-defaults.d/ssh_config b/etc-defaults.d/ssh_config index 4e78e56..b4288c0 100644 --- a/etc-defaults.d/ssh_config +++ b/etc-defaults.d/ssh_config @@ -1,4 +1,9 @@ -Host cryptobox +## ssh_config +## This configuration file is intended to be supplied to the ssh client on the +## developer's *local* console system (using the -F option) when using ssh +## to connect to a CryptoNAS Live "devel build" system. + +Host cryptonas # change this part according to your needs HostName 192.168.0.23 diff --git a/rm-tmps.sh b/rm-tmps.sh index 002091a..62d62cd 100755 --- a/rm-tmps.sh +++ b/rm-tmps.sh 
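Review bot: The new header comment in etc-defaults.d/ssh_config explains that the file is passed to the developer's local ssh client with `-F`, but says nothing about what the options below it do; if the file carries the same settings as the `ssh-options.default` deleted in this commit (`StrictHostKeyChecking no`, `CheckHostIP no`, `UserKnownHostsFile /tmp/cryptobox-ssh-known_hosts`, `User root`), every connection skips host-key verification and stores keys under a predictable path in a world-writable directory. The remaining options are outside the hunk, so this is inferred from the deleted twin. Two more header lines would make the trade-off explicit: `## WARNING: host-key checking is disabled below because dev images regenerate their keys;` and `## never reuse this file for a real host.`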
@@ -7,4 +7,4 @@ #If you want to build the disk image, use "lh_build" as documented at # http://devel.cryptobox.org/wiki/DebianLiveBuild -find config -type f -name \*~ -exec rm --verbose -f '{}' \; +find config -type f -name \*~ -execdir rm --verbose -f '{}' \; diff --git a/scripts/cbox-build.sh b/scripts/cbox-build.sh deleted file mode 100755 index aadb289..0000000 --- a/scripts/cbox-build.sh +++ /dev/null 
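Review bot: The switch to `-execdir` in rm-tmps.sh is a sound hardening, since the command then runs inside the file's own directory and the race where a path component is swapped during traversal is closed, but the per-file `\;` invocation remains and `-execdir` refuses to run at all when `$PATH` contains a relative entry. Because the script only deletes editor backup files, `find config -type f -name '*~' -print -delete` gives the same verbose listing with no forks and no dependence on `$PATH`. Either form leaves a file whose name begins with `-` safe, as `find` passes `./name` under `-execdir` and `-delete` takes no argument at all.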
@@ -1,237 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 02005-02006 sense.lab -# -# License: This script is distributed under the terms of version 2 -# of the GNU GPL. See the LICENSE file included with the package. -# -# $Id$ -# -# managing our work at the cryptobox -# -# usual workflow: -# dfsbuild - create the image directory with dfsbuild -# config - apply cryptobox specific changes to the image directory -# harden - remove unnecessary packages and disable developer features -# iso - create the iso image -# isoz - create a compressed iso image -# burn - burns the image on a cd-rw -# -# final action: -# release - the same as "dfsbuild config harden isoz" -# -# -# problems of this script: -# - has to run as root -# - 'harden' is strangely integrated -# -# you may run this script with multiple arguments, e.g.: -# cb-build.sh dfsbuild config isoz -# -# the action "release" does what it says :) -# (all developer's features like sshd, writable templates and -# the test-suite are deactivated, some packages get removed) -# - -set -ue - -# include common functions and settings -source "$(dirname $0)/common.sh.inc" - - -################### some settings ###################### - -# dfsbuild config -DFS_CONFIG=$(get_config_file dfs-cbox.conf) - -# debian package of cryptobox-server -DEB_PACKAGE=$ROOT_DIR/packages/cryptobox-server.deb - - -####################### functions ###################### - -# samba fails to install if /proc/ is empty -# we force samba to skip startup during configuring -function workaround_samba_proc() -{ - # let dfsbuild start first - sleep 15 - local DEFAULT_DIR=$IMAGE_DIR/etc/default - mkdir -p "$DEFAULT_DIR" - echo "exit" >"$DEFAULT_DIR/samba" -} - - -function run_dfsbuild() -{ - # we need a secret gpg key for apt-move/reprepro(?) 
- very strange - # see: http://lists.debian.org/debian-user/2005/09/msg03288.html - if test -z "$(gpg --list-secret-keys 2>/dev/null)" - then echo "*************************************************************" - echo "* Sorry - for some strange reason you/root need a secret *" - echo "* gpg key without a passphrase! *" - echo "* Please create a key first: 'gpg --gen-key' *" - echo "*************************************************************" - exit 1 - fi >&2 - if [ -e "$BUILD_DIR" ] - then ## umount all other directories below - mount | cut -d " " -f 3- | sed "s/ type .*$//" | grep "$IMAGE_DIR" | while read mdir - do umount "$mdir" - done - echo "removing the build directory ($BUILD_DIR) to guarantee a clean build ..." - rm -r "$BUILD_DIR" - fi - - workaround_samba_proc & - - # build the target directory - LANG=C dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR/" - - # remove iso image of dfsbuild - it is not necessary - [ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso" - - # finish package installation - echo "dpkg --configure --pending" | chroot_image -} - - -function create_uncompressed_iso() -{ - # check for a mounted procfs - mount | grep -q " $IMAGE_DIR/proc " && umount "$IMAGE_DIR/proc" - echo "Creating the iso ..." - mkisofs $MKISOFS_OPTIONS -o "$IMAGE_FILE" "$IMAGE_DIR" -} - - -function create_compressed_iso() -{ - # check for a mounted procfs - mount | grep -q " $IMAGE_DIR/proc " && umount "$IMAGE_DIR/proc" - echo "Creating the compressed iso ..." - [ -e "$IMAGEZ_DIR" ] && rm -r "$IMAGEZ_DIR" - mkdir "$IMAGEZ_DIR" - for a in $(ls "$IMAGE_DIR") - do if echo "$UNCOMPRESSED_ITEMS" | grep -q -w "$a" - then echo " Copying uncompressed item: $a ..." - cp -a "$IMAGE_DIR/$a" "$IMAGEZ_DIR" - else if [ -h "$IMAGE_DIR/$a" ] - then echo " Copying link: $a ..." - cp -a "$IMAGE_DIR/$a" "$IMAGEZ_DIR" - else echo " Compressing item: $a ..." 
- mkzftree "$IMAGE_DIR/$a" "$IMAGEZ_DIR/$a" - fi - fi - done - mkisofs -z $MKISOFS_OPTIONS -o "$IMAGEZ_FILE" "$IMAGEZ_DIR" -} - - -function configure_cb() -{ - if [ ! -e "$IMAGE_DIR" ]; then - echo -e "Directory \"$IMAGE_DIR\" not found!" - echo -e "Did you run \"$0 dfsbuild\"?" - exit 1 - fi - - echo "Copying files to the box ..." - svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR" - - echo "Configuring the cryptobox ..." - echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh normal" | chroot_image - - # source local configure scripts - [ -d "$CUSTOM_CONFIGURE_DIR" ] && \ - find "$CUSTOM_CONFIGURE_DIR" -xtype f | sort | while read file - do echo "Sourcing custom configure script $(basename $file) ..." - # execute it in its own environment (to be safe) - # 'source' implicitly imports all current settings - # indent these lines to improve the output - ( source "$file" ) 2>&1 | sed 's/^/\t/' - done -} - - -function install_package() -{ - ## first disable automatic startup to avoid conflicts with local servers - local conf_file=$IMAGE_DIR/etc/default/cryptobox-server - test -e "$conf_file" && sed -i 's/^NO_START=.*$/NO_START=1/' "$conf_file" - local chroot_deb_file=/cryptobox-server.deb - cp "$DEB_PACKAGE" "$IMAGE_DIR$chroot_deb_file" - echo "dpkg -i $chroot_deb_file" | chroot_image - rm "$IMAGE_DIR$chroot_deb_file" -} - - -function blanknburn_cdrw() -{ - cdrecord -v dev=$CDWRITER blank=fast - if [ -e "$IMAGEZ_FILE" ]; then - cdrecord -v dev=$CDWRITER $IMAGEZ_FILE - elif [ -e "IMAGE_FILE" ]; then - cdrecord -v dev=$CDWRITER $IMAGE_FILE - else - echo "can't find CryptoBox image to burn" && exit 1 - fi -} - - -################ do it! ###################### - -[ $# -eq 0 ] && echo "[`basename $0`] - no arguments supplied - maybe you want to use '--help'" - -# initialize local directories (easier for users) -for a in $LOCALCONF_DIR $CUSTOM_CONFIGURE_DIR - do [ ! -e "$a" ] && mkdir "$a" && chown --reference=. 
"$a" -done - -# check for uid=0 (necessary for all operations) -[ "$(id -u)" -ne 0 ] && echo "this script ($0) has to be called as root" >&2 && exit 1 - -while [ $# -gt 0 ] - do case "$1" in - dfsbuild ) - # check if we are in ROOT_DIR - otherwise we will have problems with - # relative paths in dfs-box.conf - [ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!" - run_dfsbuild - ;; - config ) - install_package - configure_cb normal - ;; - iso ) - create_uncompressed_iso - ;; - isoz ) - create_compressed_iso - ;; - harden ) - echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh normal" | chroot_image - echo "/usr/lib/cryptobox-cd/configure-cryptobox.sh secure" | chroot_image - ;; - burn ) - blanknburn_cdrw - ;; - release ) - "$0" dfsbuild config harden isoz - md5sum $IMAGEZ_FILE > ${IMAGEZ_FILE}.md5sum - sha1sum $IMAGEZ_FILE > ${IMAGEZ_FILE}.sha1sum - ;; - help|--help ) - echo "Syntax: `basename $0` ( release | dfsbuild | config | harden | iso | isoz | burn | help )" - echo " (you may specify more than one action)" - echo - ;; - * ) - echo -e "unknown action: $1" - echo - $0 help - exit 1 - ;; - esac - shift - done diff --git a/scripts/cbox-dev.sh b/scripts/cbox-dev.sh index 1c57b2d..c76bc41 100755 --- a/scripts/cbox-dev.sh +++ b/scripts/cbox-dev.sh @@ -21,6 +21,12 @@ # problems of this script: # - chroot has to run as root # +# jwc 9/08: started modifications to work with CryptoNAS Live + +#Note: It appears to have been a long time since this script was maintained. +#(For example, where *was* $DEV_FEATURES_SCRIPT defined previously?) +#It may work or it may fail. +DEV_FEATURES_SCRIPT="/usr/share/cryptonas-live/devel-features.sh" set -ue 
@@ -61,7 +67,7 @@ function upload2box() # of course, only the directories that are mapped to tmpfs can # be updated this way { - local DIRS="var/www usr/share/cryptobox usr/lib/cryptobox" + local DIRS="var/www usr/share/cryptobox-server usr/share/cryptonas-live" echo "Uploading the following dirs: $DIRS " [ -e "$TMP_DIR" ] || mkdir -p "$TMP_DIR" for a in $DIRS @@ -137,14 +143,11 @@ case "$1" in qemu ) qemu_boot "$IMAGE_FILE" ;; - qemuz ) - qemu_boot "$IMAGEZ_FILE" - ;; ssh ) ssh -F "$SSH_CONFIG_FILE" "$SSH_HOST" ;; help|--help ) - echo "Syntax: `basename $0` ( qemu | qemuz | chroot | upload | diff | merge | ssh | help )" + echo "Syntax: `basename $0` ( qemu | chroot | upload | diff | merge | ssh | help )" echo ;; * ) diff --git a/scripts/validate.sh b/scripts/validate.sh deleted file mode 100755 index fee79a3..0000000 --- a/scripts/validate.sh +++ /dev/null 
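Review bot: `DIRS` in `upload2box` is a space-separated string consumed by the unquoted `for a in $DIRS`, so the loop depends on word splitting and would silently misbehave if an entry ever contained whitespace or glob characters; a bash array states the list directly: `local -a dirs=(var/www usr/share/cryptobox-server usr/share/cryptonas-live)`, `echo "Uploading the following dirs: ${dirs[*]} "`, `for a in "${dirs[@]}"`. The loop body and the remainder of `upload2box` lie outside the hunk, so any other use of `DIRS` there would need the same rename. It would also help to note in a comment that `usr/share/cryptonas-live` appears to hold the developer-features script referenced elsewhere in this commit, so this dev-only upload now pushes that script onto the running box's tmpfs alongside the web frontend.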
@@ -1,147 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 02005 sense.lab -# -# License: This script is distributed under the terms of version 2 -# of the GNU GPL. See the LICENSE file included with the package. -# -# $Id$ -# -# do a validation -# -# use "--help" for a list of possible actions -# - -set -eu - -# include common functions and settings -source $(dirname $0)/common.sh.inc - -# extract confirmation text from language file -confirmtext=$(grep "\" "$TEMPLATE_DIR/usr/share/cryptobox/lang/${VALIDATE_LANGUAGE}.hdf" | sed 's/[^=]*=[^a-zA-Z]*\(.*\)$/\1/; s/ /%20/g; s/!/%21/g; s/,/%2C/g') - -##################### some functions ######################## - -function do_single() -# Parameter: "test case dir" "output directory for results" -{ - local TESTNAME=$(basename $1) - # replace IPs and ports in the curl-file by local settings - cat "$1/input.curl" | substitute_constants | curl --insecure --silent --output "${2}/${TESTNAME}.html" --config - - # remove possible refresh-redirect - sed -i 's/]*>//g' "${2}/${TESTNAME}.html" - # there is no status in certain cases - e.g. 
for error 404 - if [ -e "${2}/${TESTNAME}.html" ] - then sed "1,/CBOX-STATUS-begin/d; /CBOX-STATUS-end/,\$d" "${2}/${TESTNAME}.html" >"${2}/${TESTNAME}.status" - # the diff option "-B" is required, because the status output of - # the cryptobox.pl script contains some blank lines - cat "$1/output" | substitute_constants | diff -NB - "${2}/${TESTNAME}.status" | sed 's//\>/g' >"${2}/${TESTNAME}.diff" || true - rm "${2}/${TESTNAME}.status" - fi - cp "$1/description" "${2}/${TESTNAME}.desc" - # sleep, if a file called 'delay' exists - [ -e "$1/delay" ] && sleep "$(<$1/delay)" - true -} - - -function do_series() -# parameter: name of the test case -{ - [ -d "$VALIDATE_REPORT_DIR/$1" ] && rm -r "$VALIDATE_REPORT_DIR/$1" - mkdir -p "$VALIDATE_REPORT_DIR/$1" - find "$VALIDATE_TEST_CASES_DIR/$1" -maxdepth 1 -mindepth 1 -type d | grep -v "/\.[^/]*$" | sort | while read a - do do_single "$a" "$VALIDATE_REPORT_DIR/$1" - done - create_summary "$1" >"$VALIDATE_REPORT_DIR/summary-$1.html" -} - - -function create_summary() -# parameter: name of test series -{ - cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/header" - find "$VALIDATE_REPORT_DIR/$1" -maxdepth 1 -type f -name \*.desc | sort | while read a - do TESTNAME=$(basename ${a%.desc}) - TESTDESCRIPTION=$(cat $a) - sed "s#_TESTSERIES_#$1#g; s#_TESTNAME_#$TESTNAME#g; s/_TESTDESCRIPTION_/$TESTDESCRIPTION/" "$VALIDATE_SUMMARY_TEMPLATE_DIR/single_header" - local DIFF_FILE=${a%.desc}.diff - if [ -s "$DIFF_FILE" ] - then cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/result-error" - sed 's#$#
#' "$DIFF_FILE" - else cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/result-ok" - echo "no differences found" - # remove empty diff - [ -e "$DIFF_FILE" ] && rm "$DIFF_FILE" - fi - cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/single_footer" - # remove description file - rm "$a" - done - cat "$VALIDATE_SUMMARY_TEMPLATE_DIR/footer" -} - - -function import_style() -# get the stylesheet file and images -# change the stylesheet link -{ - [ -d "$VALIDATE_REPORT_DIR/cryptobox-misc" ] && rm -r "$VALIDATE_REPORT_DIR/cryptobox-misc" - mkdir -p "$VALIDATE_REPORT_DIR/cryptobox-misc" - wget -q -O "$VALIDATE_REPORT_DIR/cryptobox-misc/cryptobox.css" http://$VALIDATE_HOST_IP_DEFAULT/cryptobox-misc/cryptobox.css - # extract image file names - grep "url(" "$VALIDATE_REPORT_DIR/cryptobox.css" | sed 's#^.*url(\(.*\)).*$#\1#' | while read a - do wget -q -O "$VALIDATE_REPORT_DIR/cryptobox-misc/$a" "http://$VALIDATE_HOST_IP_DEFAULT/cryptobox-misc/$a" - done - - # change the stylesheet link in every html file in REPORT_DIR - find "$VALIDATE_REPORT_DIR" -type f -name \*.html | while read a - do sed -i '/stylesheet/s#href=\"/cryptobox-misc/cryptobox.css\"#href=\"../cryptobox-misc/cryptobox.css\"#g' "$a" - done -} - - -function substitute_constants() -{ - sed "s/_HOST_IP_DEFAULT_/$VALIDATE_HOST_IP_DEFAULT/g; \ - s/_HOST_IP_CHANGED_/$VALIDATE_HOST_IP_CHANGED/g; \ - s/_IFACE_LANG_/$VALIDATE_LANGUAGE/g; - s/_CONFIRM_TEXT_/$confirmtext/g" -} - -##################### main ########################### - -# do all checks, if nothing is specified -ACTION="check_all" -[ $# -gt 0 ] && ACTION=$1 - -case "$ACTION" in - list ) - find "$VALIDATE_TEST_CASES_DIR" -maxdepth 1 -mindepth 1 -type d | grep -v "/\.[^/]*$" | sort | while read a - do echo $(basename "$a") - done - ;; - check ) - [ $# -ne 2 ] && error_die 1 "Syntax: $(basename $0) check NAME" - case_dir="$VALIDATE_TEST_CASES_DIR/$2" - [ ! -d "$case_dir" ] && error_die 2 "the test case was not found ($case_dir)!" 
- do_series "$2" - import_style - ;; - check_all ) - # default action - "$0" list | sort | while read a - do echo -n "Validating $a ..." - "$0" check "$a" - echo - done - ;; - * ) - echo "Syntax of $(basename $0)" - echo -e "\t check_all \t - execute all test cases [default]" - echo -e "\t check NAME \t - execute a test case" - echo -e "\t list \t\t - show a list of available test cases" - echo -e "\t help \t\t - this syntax information" - echo - ;; - esac