"secure" build now works; moved /usr/lib/cryptobox-cd to /usr/share/cryptonas-live; removed some obsolete files; added gettext to

development build

config/chroot_local-hooks/50cnas-config-chroot.sh

@@ -16,24 +16,30 @@
 
 set -eu
 
+#FIXME: no longer using dfs:
 RUNTIMEDIR=/opt/dfsruntime/runtimerd
 TUNDEV=$RUNTIMEDIR/dev/net/tun
 
 REMOVE_PACKAGES="strace
 	nvi nano vim vim-common vim-tiny
-	unzip zip aptitude tasksel locate
-	ssh elinks curl wget netkit-inetd telnet
+	unzip zip locate
+	ssh elinks curl netkit-inetd telnet
 	exim4-daemon-light exim4-config exim4-base
-	ppp pppconfig pppoe pppoeconf iptables
+	ppp pppconfig pppoe pppoeconf
 	subversion w3m wget lynx less screen
-    info iptables man-db manpages
+    info man-db manpages
     openssh-server openssh-client"
 
+# Removing these packages would be better for security, but
+# breaks the build:
+#aptitude tasksel wget iptables
+#TODO: evaluate whether to remove other packages under Debian Live
+
 # remove rc symlinks for these services
 SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
 
 #We run in a chroot environment, so source files accordingly.
-. /usr/lib/cryptobox-cd/etc-scoreboard
+. /usr/share/cryptonas-live/etc-scoreboard
 
 function configure_normal()
 # the usual stuff - not optimized for security
@@ -145,8 +151,12 @@ function configure_secure()
 	# remove doc files
 	# remove man pages
 	# some vim files stay behind?
-	rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate 
-	rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man
+
+	# Need to keep these files for live-helper to complete successfully
+	# rm -rf /var/cache/apt /var/lib/apt /var/cache/debconf /opt/packages
+
+	rm -rf /var/cache/bootstrap /var/cache/locate
+	rm -rf /usr/share/man /usr/share/vim /var/cache/man
 	# remove docs except for the cryptobox's
 	ls /usr/share/doc | while read dname
 	  do	test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
@@ -161,7 +171,7 @@ function configure_secure()
 	 done
 
 	# change some dir permissions
-	chmod 660 /var/cache/cryptobox-server/settings/
+	chmod 770 /var/cache/cryptobox-server/settings/
 
 	return 0
 }

config/chroot_local-includes/etc/cbox-dev.conf

@@ -1,54 +0,0 @@
-# some local settings for cbox-build.sh and validate.sh
-#
-# previously defined settings:
-#	- ROOT_DIR
-#
-
-
-####################### cbox-build ########################
-
-# the build directory (will be ERASED without warning)
-BUILD_DIR="$ROOT_DIR/_builddir"
-
-# the cryptobox development files
-CBOX_DEVEL_DIR=$ROOT_DIR/cbox-tree.d
-
-# template for live-cd
-TEMPLATE_DIR=$ROOT_DIR/live-cd-tree.d
-
-# the iso image
-IMAGE_FILE=$BUILD_DIR/cryptobox.iso
-
-# temporary directory
-TMP_DIR=/tmp/$(basename $0)-$$
-
-# the virtual harddisk image used for qemu
-HD_IMAGE=/tmp/$(basename $0)-testplatte.img
-
-# mkisofs options (the option "-U" is not clean, but it prevents long
-# filenames from getting mapped)
-# TODO: this may prevent windows user from reading the documentation
-MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
-
-# for burning a CD
-CDWRITER=0,0,0
-
-
-####################### validation ########################
-
-# language of validation (select web interface language)
-VALIDATE_LANGUAGE=en
-
-# directory of the test-cases
-VALIDATE_TEST_CASES_DIR=$ROOT_DIR/validation/test-cases
-
-# override these settings if the CryptoBox uses a non-default IP
-VALIDATE_HOST_IP_DEFAULT=192.168.0.23
-VALIDATE_HOST_IP_CHANGED=192.168.0.24
-
-# destination directories for the results
-VALIDATE_REPORT_DIR=/tmp/cryptobox-validation-$$
-VALIDATE_REPORT_DIR=$ROOT_DIR/validation/report
-VALIDATE_SUMMARY_TEMPLATE_DIR=$ROOT_DIR/validation/templates
-
-

config/chroot_local-includes/etc/dfs-cbox.conf

@@ -1,236 +0,0 @@
-# arch-tag: Default configuration file
-# Copyright (c) 2004 John Goerzen
-
-[DEFAULT]
-######################################################################
-# Overall settings, set defaults for all archs
-######################################################################
-
-# Name of generated disc & hostname
-# BEWARE: hostname does not work - you have to set the hostname manually at the end of this file
-name = CryptoBox
-
-# Version of generated disc
-version = 0.3.4
-
-# Person that built it
-builder = sense.lab
-
-# Repositories to mirror.  Details about each one are configured below.
-dlrepos = stable
-
-# Repository to build the CD with.  Must be in above list.
-suite = stable
-
-# Whether or not to use zftree compression on ISO image
-compress = no
-
-# Files to never compress if the above is yes
-# If a dir is given, that dir and everything below is not compressed
-dontcompress = /boot
-	/etc/*boot*
-	/opt/dfsruntime/initrd.dfs
-
-# Location of dfsbuild support files
-libdir = /usr/lib/dfsbuild
-
-# Location of docs for CD
-docdir = /usr/share/doc/dfsbuild
-
-# Bootloader to place on CD.  Choices are:
-# grub-hd              GRUB with ElTorito hard disk emulation (not working yet)
-# grub-no-emul         "raw" ElTorito image
-# aboot                Alpha SRM bootloader
-# yaboot               PowerPC bootloader
-# (usually set in arch area)
-#bootloader = grub-no-emul
-
-
-# Packages to install on live FS, on all archs, besides base system
-allpackages =	
-		util-linux
-		grub
-		parted
-		dmsetup
-		perl
-		tar 
-		bash 
-		coreutils 
-		module-init-tools 
-		ifupdown 
-		busybox
-		usbutils 
-		pciutils 
-		discover 
-		hdparm 
-		binutils
-		debconf 
-		sysutils 
-		stunnel4
-		samba
-		hashalot
-		python-clearsilver
-		python-cherrypy
-		python-configobj
-		python-central
-		super
-		dosfstools
-		cryptsetup
-		python-m2crypto
-		# support for file systems
-		e2tools 
-		e2fsprogs
-		xfsprogs
-		hfsutils
-		jfsutils
-		## ntfs-3g is not in etch
-		#ntfs-3g
-		# TODO: remove the following packages for the final version
-		subversion
-		strace
-		ssh
-		vim
-		nano 
-		less 
-		lynx
-		w3m
-		screen
-		elinks
-
-
-# select a mirror for the repository (apt-cacher, apt-proxy, no caching) by
-# uncommenting the line of your choice
-# (1) apt-cacher (default)
-mirror = http://127.0.0.1/apt-cacher/ftp.debian.org/debian
-# (2) apt-proxy
-#mirror = http://127.0.0.1:9999/debian
-# (3) no caching proxy for apt
-#mirror = http://ftp.debian.org/debian
-
-
-# Files to place on the ramdisk
-ramdisk_files = /etc/resolv.conf
-	/etc/lvm*
-	/tmp
-	/var/tmp
-	/dev
-	/var/lib/dhcp
-	/var/lib/samba
-	/var/log
-	/var/cache/samba
-	/var/lock
-	/var/run
-	/var/state
-	/etc/mtab
-	/root
-	/etc/network
-	/var/lib/misc
-	/var/lib/urandom
-	#/etc/hotplug/.run
-	/var/spool/cron
-
-# Directories to create on live fs
-makedirs = 
-
-# Files to delete from live fs
-deletefiles = /etc/rcS.d/*discover 
-	/etc/rcS.d/*lvm
-	/var/log/dpkg.log
-	/var/log/bootstrap.log
-
-preparescripts =
-	../scripts/prepare_target.sh
-
-cleanupscripts =
-	../scripts/cleanup_target.sh
-
-######################################################################
-# Arch settings: i386
-######################################################################
-
-[i386]
-# Name of any kernel images to install directly from your current filesystem
-#kernels = /boot/vmlinuz-2.4.27-2-386
-
-# Modules to copy from host filesystem
-#modules = /lib/modules/2.4.27-2-386
-
-# Debs from local fs to unpack on live FS (will not be configured)
-unpackdebs =
-	../packages/linux-image-2.6.20_cryptobox0.3.3_i386.deb
-
-# Other packages to install besides the list in DEFAULT
-packages = %(allpackages)s
-
-# Debs from local fs to install on live fs
-## fetch newest ntfs-3g from debian backports
-installdebs = 
-	../packages/cryptobox-server.deb
-	../packages/ntfs-3g_1%3a1.516-1~bpo.1_i386.deb
-
-# Bootloader (see options under default)
-bootloader = grub-no-emul
-
-# Extra lines for grub config
-grubconfig = timeout 0
-	password -md5 this_invalid_hash_protects_grub_config
-
-#####################################################################
-# Repository configuration
-######################################################################
-
-# Repositories to download
-[repo testing]
-suite = testing
-
-[repo amd64]
-suite = unstable
-# Override default mirror
-#mirror = http://debian-amd64.alioth.debian.org/pure64/
-# Override default arch
-arch = amd64
-
-######################################################################
-# Text to add to existing files
-######################################################################
-
-[appendfiles]
-
-/etc/network/interfaces =
-	auto lo eth0
-	iface lo inet loopback
-	iface eth0 inet static
-		address 192.168.0.23
-		netmask 255.255.255.0
-
-# /etc/modules =
-
-/etc/profile = export TERM=vt100
-
-######################################################################
-# Files to create or truncate
-######################################################################
-
-[createfiles]
-/etc/hostname = CryptoBox
-
-/etc/syslog.conf = *.*	/dev/tty8
-	*.info	/dev/tty7
-
-/etc/hosts = 127.0.0.1 localhost
-
-/etc/kernel-img.conf = do_initrd = Yes
-
-# exit the samba startup script during install immediately - otherwise
-# there would be /proc problems - it will get replaced later via
-# live-cd-tree.d/usr/lib/cryptobox-cd/configure-cryptobox.sh
-/etc/default/samba = exit
-
-######################################################################
-# Symlinks to create (from = to format)
-######################################################################
-
-# this does not work anymore
-#[symlinks]
-#/etc/mtab = /proc/mounts
-

config/chroot_local-includes/etc/init.d/qemu-ifup

@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# this is the qemu-ifup script that should be run at qemu's boot
+#
+
+# determine the interface to the outside
+IF_WORLD=`/sbin/route -n | grep " UG " | sed "s/  */ /g" | cut -d " " -f 8 | head -1`
+# nothing found? - sorry!
+[ -z "$IF_WORLD" ] && IF_WORLD=eth0
+
+
+if [ "$UID" -ne 0 ] 
+	then	sudo $0 $*
+		exit 0
+  fi
+
+echo "Laufe als root ..."
+
+IPT=/sbin/iptables
+[ ! -x $IPT ] && IPT=/usr/sbin/iptables
+
+IPT_RULES="	FORWARD -i tun0 -o $IF_WORLD -j ACCEPT
+		FORWARD -i $IF_WORLD -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+		POSTROUTING -t nat -o $IF_WORLD -j MASQUERADE
+		INPUT -i tun0 -j ACCEPT
+		OUTPUT -o tun0 -j ACCEPT"
+
+aktiviere_forward()
+{
+	echo "$IPT_RULES" | while read a
+		do	$IPT -A $a
+	  done
+	echo 1 >/proc/sys/net/ipv4/ip_forward
+}
+
+deaktiviere_forward()
+{
+	echo "$IPT_RULES" | while read a
+		do	$IPT -D $a
+	  done
+	echo 0 >/proc/sys/net/ipv4/ip_forward
+}
+
+case "$1" in
+	stop )
+		deaktiviere_forward
+		#/etc/init.d/dhcp stop
+		;;
+	* )
+		/sbin/ifconfig $1 192.168.0.1
+		#/etc/init.d/dhcp start
+		aktiviere_forward
+		;;
+  esac
+

config/chroot_local-includes/usr/share/initramfs-tools/scripts/casper-bottom/90cnas_setup_etc

@@ -57,7 +57,7 @@ esac
 
 log_begin_msg "$DESCRIPTION"
 
-. ${CNAS_ROOT_DIR}/usr/lib/cryptobox-cd/etc-scoreboard
+. ${CNAS_ROOT_DIR}/usr/share/cryptonas-live/etc-scoreboard
 
 # "/" must be writeable only by root, or else some CryptoNAS
 # scripts will refuse to run for security reasons.
@@ -70,18 +70,30 @@ test -e ${CNAS_ROOT_DIR}/etc/fstab && sed -i '#/var/cache/cryptobox-server/mnt#d
 # add new line
 echo "tmpfs	/var/cache/cryptobox-server/mnt	tmpfs	defaults	0	0" >> ${CNAS_ROOT_DIR}/etc/fstab
 
-#Set up /etc/modules with user-provided contents
-MODULES="$CNAS_ROOT_DIR/$CNAS_SCOREBOARD_DIR/etc.d/modules"
-if [ -f "$MODULES"  ]
+#Set up /etc/modules with user-provided contents ('K' stands for "kernel")
+_CNAS_KMODULES="$CNAS_ROOT_DIR/$CNAS_SCOREBOARD_DIR/etc.d/modules"
+# if $CNAS_KMODULES is not null then use that file as /etc/modules
+if [ -n "$CNAS_KMODULES" ]
     then
-    cp $MODULES ${CNAS_ROOT_DIR}/etc/modules
+    _CNAS_KMODULES="${CNAS_KMODULES}"
+fi
+
+if [ -f "$_CNAS_KMODULES"  ]
+    then
+    cp $_CNAS_KMODULES ${CNAS_ROOT_DIR}/etc/modules
 fi
 
 #Set up /etc/network/interfaces with user-provided contents
-INTERFACES="$CNAS_ROOT_DIR/$CNAS_SCOREBOARD_DIR/etc.d/network/interfaces"
-if [ -f "$INTERFACES" ]
+_CNAS_INTERFACES="$CNAS_ROOT_DIR/$CNAS_SCOREBOARD_DIR/etc.d/network/interfaces"
+# if $CNAS_INTERFACES is not null then use that file as /etc/network/interfaces
+if [ -n "$CNAS_INTERFACES" ]
     then
-    cp $INTERFACES ${CNAS_ROOT_DIR}/etc/network/interfaces
+    _CNAS_INTERFACES="${CNAS_INTERFACES}"
+fi
+
+if [ -f "$CNAS_INTERFACES" ]
+    then
+    cp $_CNAS_INTERFACES ${CNAS_ROOT_DIR}/etc/network/interfaces
 fi
 
 #"hard" and "secure" are synonyms, so test for both of them

config/chroot_local-packageslists/cryptonas-devel

@@ -12,3 +12,4 @@ sysklogd
 w3m
 screen
 elinks
+gettext

config/cnas-active-settings

@@ -40,14 +40,15 @@ _CNAS_STAGE=".stage/chroot_cnas-scoreboard"
 #the settings scoreboard file, update it.
 _CNAS_FIND="find config -regextype posix-extended -maxdepth 1 -type f -newer ${_CNAS_STAGE} -true " 
 
-#FIXME: refine regexp, try remembering during a rebuild...?
-# -regex '[^~]+' "
-# \( -name 'common -o -name 'bootstrap' -o -name 'chroot' -o -name 'binary' -o -name 'source' -o -name 'cnas-default-settings' -o -name 'cnas-custom-settings' -o -name 'cnas-active-settings' \) "
-#echo ${_CNAS_FIND}
-#_CNAS_FOUND=`${_CNAS_FIND}`
 
+_CNAS_SCOREBOARD="config/chroot_local-includes/usr/share/cryptonas-live/etc-scoreboard"
+
+#supporting unnecessary synonyms complicates change control
+if [ "$CNAS_HARDNESS" == "hard" ] || [ "$CNAS_HARDNESS" == "normal" ]
+    then
+    echo "warning: \$CNAS_HARDNESS settings `hard' and `normal' deprecated; use `secure' or `devel' instead"
+fi
 
-_CNAS_SCOREBOARD="config/chroot_local-includes/usr/lib/cryptobox-cd/etc-scoreboard"
 
 #Only run the scoreboard hack if the ".stage" directory exists
 if [ -d ${_CNAS_STAGE_DIR} ] 
@@ -57,9 +58,19 @@ then
 #If the stage file does not exist or the "find" found something
 if [ ! -f "${_CNAS_STAGE}" ] || [ -n "`${_CNAS_FIND}`" ]
     then
+    #Add explanatory banner to scoreboard file
+    cat > ${_CNAS_SCOREBOARD} <<EOF
+#/usr/share/cryptonas-live/etc-scoreboard
+# This file is used by the CryptoNAS Live system to pass
+# configuration settings within the build system and to
+# the Debian Live runtime. It should NOT be checked in to
+# the CryptoNAS project's SVN repository.
+
+EOF
+
     #Update the scoreboard file from the current shell vars
     echo "CryptoNAS: updating scoreboard file..."
-    set | grep -e "^CNAS_" > ${_CNAS_SCOREBOARD}
+    set | grep -e "^CNAS_" >> ${_CNAS_SCOREBOARD}
     
     #If we updated the scoreboard, touch the .stage/... 
     #file we use for time stamping.

config/cnas-default-settings

@@ -152,20 +152,34 @@ LH_SOURCE="disabled"
 #CNAS_MAKEDIRS=""
 
 
-# $LH_BINARY_IMAGES: set image type
-# (Default: usb-hdd)
-# Valid choices are:
-# "iso" for CD-ROM builds
-# "usb-hdd" for other block devices
-# "net" for netboot
-# "tar" for ???
-LH_BINARY_IMAGES="usb-hdd"
-
-
 CNAS_ROOT_FS="/root"
 CNAS_HARDNESS="devel"
 
-CNAS_SCOREBOARD_DIR="/usr/lib/cryptobox-cd"
+CNAS_SCOREBOARD_DIR="/usr/share/cryptonas-live"
+
+
+# remove rc symlinks for these services
+CNAS_SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
+
+# This part only applies if CNAS_HARDNESS is set to "secure":
+#CNAS_REMOVE_PACKAGES="strace \
+#	nvi nano vim vim-common vim-tiny \
+#	unzip zip aptitude tasksel locate \
+#	ssh elinks curl wget netkit-inetd telnet \
+#	exim4-daemon-light exim4-config exim4-base \
+#	ppp pppconfig pppoe pppoeconf iptables \
+#	subversion w3m wget lynx less screen \
+#    info iptables man-db manpages \
+#    openssh-server openssh-client"
+
+
+#CNAS_REMOVE_PACKAGES="strace nvi nano vim vim-common vim-tiny unzip zip aptitude tasksel locate ssh elinks curl wget netkit-inetd telnet exim4-daemon-light exim4-config exim4-base ppp pppconfig pppoe pppoeconf iptables subversion w3m wget lynx less screen info iptables man-db manpages openssh-server openssh-client"
+
+# config/chroot_local-includes/usr/lib/cryptobox-cd/etc.d/modules and
+# config/chroot_local-includes/usr/lib/cryptobox-cd/etc.d/network/interfaces
+# will now be used at boot time if they exist. The developer can specify 
+# alternative files using the $CNAS_KMODULES and $CNAS_INTERFACES
+# variables.
 
 #FIXME: add to etc.d/network/interfaces
 #\tauto lo eth0