|
|
|
@ -20,10 +20,10 @@ set -eu
|
|
|
|
|
LIB_DIR=$(dirname "$0")
|
|
|
|
|
LIB_DIR=$(cd "$LIB_DIR"; pwd)
|
|
|
|
|
|
|
|
|
|
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
|
|
|
|
|
test "$(id -u)" -ne 0 && echo "$(basename $0) - only root may call this script" >&2 && exit 100
|
|
|
|
|
|
|
|
|
|
# read the default setting file, if it exists
|
|
|
|
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
|
|
|
test -e /etc/default/cryptobox && . /etc/default/cryptobox
|
|
|
|
|
|
|
|
|
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
|
|
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
|
|
@ -39,14 +39,14 @@ CONFIG_MARKER=cryptobox.marker
|
|
|
|
|
############ some useful functions ###############
|
|
|
|
|
|
|
|
|
|
# check if the given device is part of the SCAN_DEVICE list
|
|
|
|
|
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[0-9]*$" against
|
|
|
|
|
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[^/]*$" against
|
|
|
|
|
# the given device
|
|
|
|
|
# other devices may not be touched
|
|
|
|
|
function is_device_allowed()
|
|
|
|
|
# parameter: device
|
|
|
|
|
{
|
|
|
|
|
for a in $SCAN_DEVICES
|
|
|
|
|
do [[ "$1" =~ "^/dev/${a}[0-9]*$" ]] && return 0
|
|
|
|
|
do echo "$1" | grep -q "^/dev/${a}[^/]*$" && return 0
|
|
|
|
|
done
|
|
|
|
|
return 1
|
|
|
|
|
}
|
|
|
|
@ -59,7 +59,7 @@ function get_device_uuid() {
|
|
|
|
|
# check for luksUUID or ext2/3-uuid
|
|
|
|
|
if is_luks_device "$1"
|
|
|
|
|
then UUID=$("$CRYPTSETUP" luksUUID "$1")
|
|
|
|
|
else [ -x "$BLKID" ] && UUID=$("$BLKID" -s UUID -o value -c /dev/null -w /dev/null "$1" 2>/dev/null)
|
|
|
|
|
else test -x "$BLKID" && UUID=$("$BLKID" -s UUID -o value -c /dev/null -w /dev/null "$1" 2>/dev/null)
|
|
|
|
|
fi
|
|
|
|
|
if test -z "$UUID"
|
|
|
|
|
then get_device_flat_name "$1"
|
|
|
|
@ -84,8 +84,7 @@ function get_device_mnt_name() {
|
|
|
|
|
# every devmapper name should look like a UUID
|
|
|
|
|
function is_uuid_valid() {
|
|
|
|
|
local hex=[0-9a-f]
|
|
|
|
|
# TODO: this is very bash-specific - translate it to grep :)
|
|
|
|
|
[[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]]
|
|
|
|
|
echo "$1" | grep -q "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -120,12 +119,12 @@ function is_luks_device()
|
|
|
|
|
################ main ####################
|
|
|
|
|
|
|
|
|
|
ACTION=unknown
|
|
|
|
|
[ $# -gt 0 ] && ACTION=$1 && shift
|
|
|
|
|
test $# -gt 0 && ACTION=$1 && shift
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
case "$ACTION" in
|
|
|
|
|
partition_disk )
|
|
|
|
|
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 2 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
partition_device "$1" "$2" || \
|
|
|
|
@ -134,7 +133,7 @@ case "$ACTION" in
|
|
|
|
|
mount )
|
|
|
|
|
# parameters: device
|
|
|
|
|
# returns the relative name of the mointpoint for success
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
mnt_name=$(get_device_mnt_name "$1")
|
|
|
|
@ -162,7 +161,7 @@ case "$ACTION" in
|
|
|
|
|
;;
|
|
|
|
|
umount )
|
|
|
|
|
#parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
mnt_name=$(get_device_mnt_name "$1")
|
|
|
|
@ -184,9 +183,9 @@ case "$ACTION" in
|
|
|
|
|
;;
|
|
|
|
|
create_crypto )
|
|
|
|
|
# parameter: device keyfile
|
|
|
|
|
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 2 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
keyfile=$2
|
|
|
|
|
[ -e "$keyfile" ] || error_msg 2 "keyfile ($keyfile) not found"
|
|
|
|
|
test -e "$keyfile" || error_msg 2 "keyfile ($keyfile) not found"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
# read the passphrase from stdin
|
|
|
|
@ -208,31 +207,31 @@ case "$ACTION" in
|
|
|
|
|
error_msg 13 "failed to create the encrypted filesystem"
|
|
|
|
|
"$CRYPTSETUP" --batch-mode luksClose "$name" || \
|
|
|
|
|
error_msg 14 "failed to close the encrypted mapped device"
|
|
|
|
|
) </dev/null &>/dev/null &
|
|
|
|
|
) </dev/null >/dev/null 2>/dev/null &
|
|
|
|
|
true
|
|
|
|
|
;;
|
|
|
|
|
create_plain )
|
|
|
|
|
# parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters for 'create_plain'"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters for 'create_plain'"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
# complete in background
|
|
|
|
|
(
|
|
|
|
|
"$MKFS_DATA" "$1" || \
|
|
|
|
|
error_msg 15 "failed to create the plaintext filesystem"
|
|
|
|
|
) </dev/null &>/dev/null &
|
|
|
|
|
) </dev/null >/dev/null 2>/dev/null &
|
|
|
|
|
true
|
|
|
|
|
;;
|
|
|
|
|
get_device_mnt_name )
|
|
|
|
|
# parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
get_device_mnt_name "$1"
|
|
|
|
|
;;
|
|
|
|
|
get_device_uuid )
|
|
|
|
|
# parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
get_device_uuid "$1"
|
|
|
|
@ -240,7 +239,7 @@ case "$ACTION" in
|
|
|
|
|
is_config_partition )
|
|
|
|
|
# parameter: device
|
|
|
|
|
# returns exitcode 0 if the device contains a configuration
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
is_config=0
|
|
|
|
@ -248,19 +247,19 @@ case "$ACTION" in
|
|
|
|
|
mkdir -p "$tmp_dir"
|
|
|
|
|
# error means "no config partition"
|
|
|
|
|
if mount "$1" "$CONFIG_DIR"
|
|
|
|
|
then [ -e "$CONFIG_DIR/$CONFIG_MARKER" ] && is_config=1
|
|
|
|
|
then test -e "$CONFIG_DIR/$CONFIG_MARKER" && is_config=1
|
|
|
|
|
umount "$CONFIG_DIR" || \
|
|
|
|
|
error_msg 14 "unable to unmount configation partition after probing"
|
|
|
|
|
fi
|
|
|
|
|
rmdir "$tmp_dir" || true
|
|
|
|
|
# return 0 if $device is a config partition
|
|
|
|
|
[ "$is_config" -eq 1 ] && exit 0
|
|
|
|
|
test "$is_config" -eq 1 && exit 0
|
|
|
|
|
exit 1
|
|
|
|
|
;;
|
|
|
|
|
is_crypto_partition )
|
|
|
|
|
# parameter: device
|
|
|
|
|
# returns exitcode 0 if the device contains a luks header
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
is_luks_device "$1"
|
|
|
|
@ -268,14 +267,14 @@ case "$ACTION" in
|
|
|
|
|
is_plain_partition )
|
|
|
|
|
# parameter: device
|
|
|
|
|
# returns exitcode 0 if the device contains a readable filesystem
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
status=0
|
|
|
|
|
tmp_dir=/tmp/$(basename $0)-$$-mnt
|
|
|
|
|
mkdir -p "$tmp_dir"
|
|
|
|
|
if mount -o ro "$1" "$tmp_dir"
|
|
|
|
|
then [ ! -e "$tmp_dir/$CONFIG_MARKER" ] && status=1
|
|
|
|
|
if mount "$1" "$tmp_dir" >/dev/null 2>/dev/null
|
|
|
|
|
then test ! -e "$tmp_dir/$CONFIG_MARKER" && status=1
|
|
|
|
|
umount "$tmp_dir"
|
|
|
|
|
fi
|
|
|
|
|
rmdir "$tmp_dir" || true
|
|
|
|
@ -284,14 +283,14 @@ case "$ACTION" in
|
|
|
|
|
;;
|
|
|
|
|
trash_device )
|
|
|
|
|
# parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null
|
|
|
|
|
;;
|
|
|
|
|
diskinfo )
|
|
|
|
|
# parameter: device
|
|
|
|
|
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
|
|
|
test $# -ne 1 && error_msg 1 "wrong number of parameters"
|
|
|
|
|
is_device_allowed "$1" || \
|
|
|
|
|
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
|
|
|
"$SFDISK" -L -q -l "$1"
|
|
|
|
@ -300,8 +299,8 @@ case "$ACTION" in
|
|
|
|
|
# parameter: none
|
|
|
|
|
ip=
|
|
|
|
|
# TODO: can we avoid to hard-code the filename ($CONFIG_DIR/ip) here?
|
|
|
|
|
[ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip")
|
|
|
|
|
[ -n "$z" ] && ifconfig "$NET_IFACE" "$ip"
|
|
|
|
|
test -e "$CONFIG_DIR/ip" && ip=$(<"$CONFIG_DIR/ip")
|
|
|
|
|
test -n "$z" && ifconfig "$NET_IFACE" "$ip"
|
|
|
|
|
;;
|
|
|
|
|
poweroff )
|
|
|
|
|
# TODO: check configuration setting before
|
|
|
|
@ -334,7 +333,7 @@ case "$ACTION" in
|
|
|
|
|
echo ' reboot'
|
|
|
|
|
echo ' help'
|
|
|
|
|
echo
|
|
|
|
|
[ "$ACTION" == "help" ] && exit 0
|
|
|
|
|
test "$ACTION" = "help" && exit 0
|
|
|
|
|
# return error for any unknown/unspecified action
|
|
|
|
|
exit 1
|
|
|
|
|
;;
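Review bot: In is_device_allowed the new `echo "$1" | grep -q "^/dev/${a}[^/]*$"` test anchors per line rather than on the whole argument, so a device argument containing a newline is accepted as soon as one of its lines matches, and the actions below (the mkfs call, the mounts, the dd in trash_device) then use the full string as root. I would reject unexpected characters before the loop, e.g. `case "$1" in *[!A-Za-z0-9/_-]*) return 1 ;; esac`, and feed grep with `printf '%s\n' "$1"`, because echo treats values such as `-n` specially. is_uuid_valid uses the same echo-to-grep form and has the same line-wise anchoring. The `[^/]*` suffix also accepts any non-slash characters where the old pattern accepted only digits; that looks intended given the updated comment, but is worth confirming against the SCAN_DEVICES entries in use.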
|
|
|
|
|