Fixed "scripts/cbox-dev.sh diff" (must run devel-features.sh manually first); cleaned up some pre-0.4 files

2008-09-13 00:00:58 +00:00 · 2008-09-13 00:00:58 +00:00 · 52d19f4ffe
commit 52d19f4ffe
parent 9d4f3d4f1e
17 changed files with 54 additions and 963 deletions
--- a/config/chroot_local-hooks/50cnas-config-chroot.sh
+++ b/config/chroot_local-hooks/50cnas-config-chroot.sh
@ -16,8 +16,8 @@

 set -eu

-#FIXME: no longer using dfs:
-RUNTIMEDIR=/opt/dfsruntime/runtimerd
+#this script runs in chroot, so RUNTIMEDIR is the null string
+RUNTIMEDIR=""
 TUNDEV=$RUNTIMEDIR/dev/net/tun

 REMOVE_PACKAGES="strace
@ -75,7 +75,7 @@ function configure_normal()
 	# by "config/chroot_local-includes/".
 	# Note that we are doing this at build time, not run time!
 	# Only fix files that are neither setuid nor setgid:
-	chown root:root `find / -xdev -nouser ! -perm -4000 ! -perm -2000`
+	find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+

 	############ webdav ############
    #TODO: FIXME: configure port; add webdav link in web frontend
--- a/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh
+++ b/config/chroot_local-includes/usr/share/cryptonas-live/chroot-start.sh
@ -1,56 +0,0 @@
-#!/bin/sh
-#
-#  Copyright (c) 02005-02006 sense.lab <senselab@systemausfall.org>
-#
-#  License:  This script is distributed under the terms of version 2
-#            of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# FOR DEVELOPMENT ONLY!
-#
-# this script is used to prepare a chroot session for testing or configuring
-#
-# called by:
-#	- cbox-build.sh
-#
-# parameter: [commandline]
-#
-# if "commandline" is empty, "bash" will be used
-#
-
-set -eu
-
-MNT_SRC=/opt/dfsruntime/runtimerd
-MNT_DST=/opt/dfsruntime/runtimemnt
-# the directory /tmp/ can not be used, as it is still a broken link, too
-TMP_DIR="/tmp-`basename $0`-$$"
-
-
-cp -a "$MNT_SRC/." "$TMP_DIR"
-mount -n --bind "$TMP_DIR" "$MNT_DST"
-
-[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
-[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
-[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
-
-# remember, if proc was mounted before (e.g. because of a running chroot)
-PROC_WAS_MOUNTED=no
-mount -n -t proc proc /proc 2>/dev/null || PROC_WAS_MOUNTED=yes
-
-# default language setting - prevents dpkg error messages
-export LANG=C
-
-# set default terminal (good if you are running in a screen session)
-export TERM=linux
-
-# execute parameters as commandline
-if [ $# -gt 0 ]
-	then	"$@"
-	else	bash
-  fi
-
-umount -l -n "$MNT_DST"
-[ "$PROC_WAS_MOUNTED" = "no" ] && umount -l -n proc
-rm -r "$TMP_DIR"
-
--- a/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh
+++ b/config/chroot_local-includes/usr/share/cryptonas-live/configure-cryptobox.sh
@ -1,181 +0,0 @@
-#!/bin/sh
-#
-#  Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
-#
-#  License:  This script is distributed under the terms of version 2
-#            of the GNU GPL. See the LICENSE file included with the package.
-#
-# $Id$
-#
-# this script is part of the building process of the cryptobox
-# the "normal" action is necessary for every cryptobox (development & release)
-# the "secure" action is mandatory for every release CD
-#
-# called by:
-#	- cbox-build.sh after copying custom files and before creating the iso image
-#
-
-set -eu
-
-RUNTIMEDIR=/opt/dfsruntime/runtimerd
-TUNDEV=$RUNTIMEDIR/dev/net/tun
-ADD_GROUPS="floppy cdrom tape video plugdev"
-
-REMOVE_PACKAGES="strace
-	nvi nano vim vim-common vim-tiny
-	unzip zip aptitude tasksel locate
-	ssh elinks curl wget netkit-inetd telnet
-	exim4-daemon-light exim4-config exim4-base
-	ppp pppconfig pppoe pppoeconf iptables
-	subversion w3m wget lynx less screen
-    info iptables man-db manpages
-    openssh-server openssh-client"
-
-# remove rc symlinks for these services
-SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
-
-function configure_normal()
-# the usual stuff - not optimized for security
-{
-	##### cryptobox settings ######
-	# start during bootup
-	sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server
-	# listen to port 80 by default
-	sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server
-	# use a separate configuration partition
-	sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf
-	# all plugins are enabled (especially: "encrypted_webinterface")
-	sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf
-	# change the selection of devices, that can be used as the crypto harddisk
-	sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf
-	# add the cryptobox user to some more groups
-	for new_group in $ADD_GROUPS
-	  do	adduser cryptobox "$new_group"
-	 done
-
-	############ samba ############
-	# enable samba startup (disabled before via cbox-build.sh)
-	echo 'RUN_MODE="daemons"' >/etc/default/samba
-	# install the samba hook script
-	cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba 
-	chmod +x /etc/cryptobox-server/events.d/samba
-
-
-	############ webdav ############
-    #TODO: add apache2 packages; configure port; add webdav link in web frontend
-
-#This breaks the build until apache2 is integrated into the package list
-#	sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2
-#	cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav
-#	chmod +x /etc/cryptobox-server/events.d/apache2_dav
-	
-	########### boot up ###########
-	# turn off creation of "/etc/nologin" (read-only fs)
-	sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
-	# turn off modifying /etc/motd (read-only fs)
-	sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
-	# default runlevel (out of some strange reason, runlevel 2 is not working)
-	sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab
-	# add tmpfs entry for mount parent
-	# remove old line, if fstab exists
-	test -e /etc/fstab && sed -i '#/var/cache/cryptobox-server/mnt#d' /etc/fstab
-	# add new line
-	echo "tmpfs	/var/cache/cryptobox-server/mnt	tmpfs	defaults	0	0" >>/etc/fstab
-	
-	######### devices ##########
-	# create tun device for running under qemu
-	if [ ! -e "$TUNDEV" ]
-		then	mkdir -p `dirname "$TUNDEV"`
-			mknod "$TUNDEV" c 10 200
-	  fi
-
-	########## sshd ############
-	if [ -e "/etc/ssh" ]; then
-	    # allow empty passwords for ssh
-	    #  the daemon is NOT started automatically, so you have to start it
-	    #  manually in case of need - as the root pw is empty and passwd is ro, you
-	    #  have to allow empty passwords for this rare case
-	    sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
-	    # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
-	    sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
-	    # allow input of password
-	    sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
-	  fi
-
-	# remove symlinks for unwanted services
-	for a in $SERVICES_OFF; do
-	  # echo "Turning off service $a ..."
-	  find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
-	    do	rm "$b"
-	   done
-	 done
-
-	return 0
-}
-
-
-function configure_secure()
-# remove everything that could weaken security
-# configure_normal should be called too!
-{
-	# disable keyboard login
-	sed -i '/getty/d' /etc/inittab
-
-	# remove unnecessary packages
-	dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
-
-	# maybe an authorized_keys file was created - but it is not dangerous,
-	# as the openssh package was removed anyway
-	[ -d /root/.ssh ] && rm -rf /root/.ssh
-
-	# disable root account
-	passwd -l root
-
-	############## clean up ################
-	# remove deb-files, that were left by dfsbuild
-	# remove packages and package lists
-	# remove locale files
-	# remove doc files
-	# remove man pages
-	# some vim files stay behind?
-	rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate 
-	rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man
-	# remove docs except for the cryptobox's
-	ls /usr/share/doc | while read dname
-	  do	test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
-	 done
-	# remove all locale files and symlinks except for the cryptobox's
-	(find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname
-	  do	rm "$fname"
-	 done
-	# remove all empty locale directories
-	find /usr/share/locale -type d | while read dname
-	  do	test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname"
-	 done
-
-	# change some dir permissions
-	chmod 660 /var/cache/cryptobox-server/settings/
-
-	return 0
-}
-
-
-################ main ####################
-
-
-ACTION=help
-[ $# -gt 0 ] && ACTION=$1
-
-case "$ACTION" in
-	normal )
-		configure_normal
-		;;
-	secure )
-		configure_secure
-		;;
-	* )
-		echo "Syntax: `basename $0` { normal | secure }"
-		echo
-		;;
-  esac
-
--- a/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh
+++ b/config/chroot_local-includes/usr/share/cryptonas-live/devel-features.sh
@ -11,8 +11,9 @@
 #
 # it should really NEVER be found on a release CD
 # 
+##NOT currently called automatically in deb-live version
 # called by:
-#	- /etc/rc2.d/S99cb-devel-features
+#	- /etc/init.d/S99cnas-devel-features
 #

 set -eu
@ -20,14 +21,9 @@ set -eu
 # read the default setting file, if it exists
 [ -e /etc/default/cryptobox ] && . /etc/default/cryptobox

-# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
-CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
-# parse config file
-. "$CONF_FILE"
-
 MIRROR_DIR=/tmp/mirror
 MIRROR_ORIG_DIR=/tmp/mirror.orig
-WRITE_DIRS="/usr/share/cryptobox /var/www /usr/lib/cryptobox"
+WRITE_DIRS="/var/www /usr/share/cryptobox-server /usr/share/cryptonas-live"

 ACTION="--help"
 [ $# -gt 0 ] && ACTION="$1"
@ -67,8 +63,9 @@ case "$ACTION" in
 		;;
 	stop )
 		[ -x /etc/init.d/ssh ] && /etc/init.d/ssh stop
+#TODO: devel-features.sh stop appears to be broken on deb-live version
 		for a in $WRITE_DIRS
-			do	umount "$MIRROR_DIR/$a"
+			do	umount "$MIRROR_DIR/$a" "$a"
 		  done
 		rm -rf "$MIRROR_DIR"
 		;;
--- a/config/cnas-default-settings
+++ b/config/cnas-default-settings
@ -44,8 +44,14 @@ LH_APT_SECURE="enabled"

 #-----bootstrap-----
 # $LH_MIRROR_BOOTSTRAP: set mirror to bootstrap from
-# (Default: http://ftp.us.debian.org/debian/)
+#
+# (1) apt-cacher (default)
 LH_MIRROR_BOOTSTRAP="http://127.0.0.1:3142/apt-cacher/ftp.debian.org/debian/"
+# (2) apt-proxy
+#LH_MIRROR_BOOTSTRAP="http://127.0.0.1:9999/debian"
+# (3) no caching proxy for apt
+#LH_MIRROR_BOOTSTRAP="http://ftp.us.debian.org/debian/"
+

 # $LH_MIRROR_CHROOT: set mirror to fetch packages from
 # (Default: http://ftp.us.debian.org/debian/)
@ -144,7 +150,7 @@ LH_SOURCE="disabled"
 # runtime via the scoreboard file.
 ###############################################################

-#CNAS_DELETEFILES="/etc/rcS.d/*discover \
+#deletefiles (at build time, from old dfsbuild config)="/etc/rcS.d/*discover \
 #/etc/rcS.d/*lvm \
 #/var/log/dpkg.log \
 #/var/log/bootstrap.log"
@ -184,12 +190,7 @@ CNAS_SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
 CNAS_INTERFACES="$CNAS_SCOREBOARD_DIR/etc.d/network/interfaces"

 CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules"
-#FIXME: add to etc.d/network/interfaces
-#\tauto lo eth0
-#\tiface lo inet loopback
-#\tiface eth0 inet static
-#\t\taddress 192.168.0.23
-#\t\tnetmask 255.255.255.0
+

 # $LH_ENCRYPTION: set encryption type/key size
 # Encryption of the Debian Live media is broken under Etch. It may
@ -197,3 +198,12 @@ CNAS_KMODULES="$CNAS_SCOREBOARD_DIR/etc.d/modules"
 # in casper or initramfs-tools.
 #LH_ENCRYPTION="aes256"

+
+# More stuff from dfsbuild live-cd implementation to figure out:
+#/etc/profile = export TERM=vt100
+
+#
+#/etc/syslog.conf = *.*	/dev/tty8
+#	*.info	/dev/tty7
+
+#/etc/kernel-img.conf = do_initrd = Yes