fixed a couple of bugs
This commit is contained in:
parent
e616b2d316
commit
0d9534c8aa
10 changed files with 99 additions and 46 deletions
|
@ -1,5 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
# read the default setting file, if it exists
|
||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||
|
||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||
|
||||
# parse config file
|
||||
if [ -e "$CONF_FILE" ]
|
||||
then . "$CONF_FILE"
|
||||
# create mount and config directories with appropriate permissions
|
||||
[ ! -e "$MNT_PARENT" ] && mkdir -p "$MNT_PARENT" && \
|
||||
chown "$WEB_USER" "$MNT_PARENT" && chmod 700 "$MNT_PARENT"
|
||||
[ ! -e "$CONFIG_DIR" ] && mkdir -p "$CONFIG_DIR" && \
|
||||
chown "$WEB_USER" "$CONFIG_DIR" && chmod 700 "$CONFIG_DIR"
|
||||
[ ! -e "$LOG_FILE" ] && touch "$LOG_FILE" && chown "$WEB_USER" "$LOG_FILE"
|
||||
fi
|
||||
|
||||
|
||||
# add the cryptobox startup script to /etc/rc?.d
|
||||
update-rc.d cryptobox defaults 98
|
||||
|
||||
|
|
|
@ -6,6 +6,12 @@
|
|||
if [ "$1" = "purge" ] && grep -q "cryptobox package.*HEADER" /etc/sudoers
|
||||
then echo "Removing entry from /etc/sudoers"
|
||||
sed -i "/cryptobox package.*HEADER/,/cryptobox package.*FOOTER/d" /etc/sudoers
|
||||
echo "Removing mount and config directories (/var/lib/cryptobox) ..."
|
||||
rmdir /var/lib/cryptobox/mnt || echo " mount directory not empty - skipped" >&2
|
||||
mountpoint -q /var/lib/cryptobox/config || rm -rf /var/lib/cryptobox/config || \
|
||||
echo " failed to remove config directory - skipped" >&2
|
||||
rmdir /var/lib/cryptobox || \
|
||||
echo " the cryptobox directory (/var/lib/cryptobox) has not been removed" >&2
|
||||
fi
|
||||
|
||||
# return without error
|
||||
|
|
|
@ -29,7 +29,7 @@ DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh
|
|||
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh
|
||||
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
|
||||
LOG_FILE=/var/log/cryptobox.log
|
||||
CERT_FILE=/mnt/cb-etc/stunnel.pem
|
||||
CERT_FILE=/var/lib/cryptobox/config/stunnel.pem
|
||||
OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf
|
||||
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
|
||||
CONFIG_MARKER=cryptobox.marker
|
||||
|
@ -37,7 +37,7 @@ CONFIG_MARKER=cryptobox.marker
|
|||
# crypto settings
|
||||
# there is no default hash, as this is ignored by luks
|
||||
DEFAULT_CIPHER=aes-cbc-essiv:sha256
|
||||
CRYPTMAPPER_DIR=/dev/mapper
|
||||
DEV_MAPPER_DIR=/dev/mapper
|
||||
|
||||
# some programs
|
||||
SFDISK=/sbin/sfdisk
|
||||
|
|
|
@ -47,8 +47,7 @@ case "$1" in
|
|||
# otherwise give a warning and start the devel features
|
||||
if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then
|
||||
echo
|
||||
echo "Hints for usage:"
|
||||
echo " * for some reasons you can not login here :)"
|
||||
echo "How to use the CryptoBox:"
|
||||
echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)'"
|
||||
echo " * configure your CryptoBox via a webbrowser"
|
||||
echo
|
||||
|
|
|
@ -38,7 +38,7 @@ $IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
|
|||
$STYLESHEET_URL = $config->{STYLESHEET_URL};
|
||||
|
||||
# TODO: just a quick-and-dirty hack during migration to multiple containers
|
||||
my $CRYPTO_DEV = "`$CB_SCRIPT get_config device`2";
|
||||
my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`;
|
||||
|
||||
my $query = new CGI;
|
||||
|
||||
|
@ -286,11 +286,11 @@ sub box_init
|
|||
{
|
||||
my ($crypto_pw, $admin_pw) = @_;
|
||||
|
||||
system("$CB_SCRIPT", "init");
|
||||
system("$CB_SCRIPT", "init") || return 1;
|
||||
|
||||
# partitioning, config and initial cryptsetup
|
||||
# TODO: define the name of the crypto container
|
||||
# TODO: split init and create_crypto
|
||||
open(PW_INPUT, "|$CB_SCRIPT crypto-create",$CRYPTO_DEV,"default");
|
||||
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default");
|
||||
print PW_INPUT $crypto_pw;
|
||||
close(PW_INPUT);
|
||||
|
||||
|
@ -404,7 +404,7 @@ if ( ! &check_ssl()) {
|
|||
if ($query->param('type') eq 'reboot') {
|
||||
&system_reboot();
|
||||
$pagedata->setValue('Data.Success', 'ReBoot');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "180");
|
||||
} else {
|
||||
&system_poweroff();
|
||||
|
@ -441,7 +441,7 @@ if ( ! &check_ssl()) {
|
|||
} else {
|
||||
$pagedata->setValue('Data.Success', 'UmountDone');
|
||||
$pagedata->setValue('Data.Action', 'empty');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
}
|
||||
}
|
||||
|
@ -459,7 +459,7 @@ if ( ! &check_ssl()) {
|
|||
} elsif (&check_mounted()) {
|
||||
$pagedata->setValue('Data.Warning', 'IsMounted');
|
||||
$pagedata->setValue('Data.Action', 'empty');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
} elsif ($query->param('crypto_password') eq '') {
|
||||
# leeres Passwort
|
||||
|
@ -474,7 +474,7 @@ if ( ! &check_ssl()) {
|
|||
} else {
|
||||
$pagedata->setValue('Data.Success', 'MountDone');
|
||||
$pagedata->setValue('Data.Action', 'empty');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
}
|
||||
}
|
||||
|
@ -491,7 +491,7 @@ if ( ! &check_ssl()) {
|
|||
} elsif (&check_mounted()) {
|
||||
$pagedata->setValue('Data.Warning', 'IsMounted');
|
||||
$pagedata->setValue('Data.Action', 'empty');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
} else {
|
||||
$pagedata->setValue('Data.Action', 'form_mount');
|
||||
|
@ -504,7 +504,7 @@ if ( ! &check_ssl()) {
|
|||
} elsif ( ! &check_mounted()) {
|
||||
$pagedata->setValue('Data.Warning', 'NotMounted');
|
||||
$pagedata->setValue('Data.Action', 'empty');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
} else {
|
||||
$pagedata->setValue('Data.Action', 'form_umount');
|
||||
|
@ -606,8 +606,8 @@ if ( ! &check_ssl()) {
|
|||
} else {
|
||||
$pagedata->setValue('Data.Success', 'ConfigSaved');
|
||||
}
|
||||
$pagedata->setValue('Data.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
}
|
||||
}
|
||||
|
@ -622,8 +622,8 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "30");
|
||||
} else {
|
||||
$pagedata->setValue('Data.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "60");
|
||||
}
|
||||
################### box_purge #######################
|
||||
|
@ -655,8 +655,8 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "60");
|
||||
} elsif (&check_config()) {
|
||||
$pagedata->setValue('Data.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'show_status');
|
||||
$pagedata->setValue('Data.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Action', 'status');
|
||||
$pagedata->setValue('Data.Redirect.Delay', "60");
|
||||
} else {
|
||||
$pagedata->setValue('Data.Action', 'form_init');
|
||||
|
|
|
@ -20,11 +20,16 @@
|
|||
|
||||
set -eu
|
||||
|
||||
# define reasonable defaults
|
||||
USE_STUNNEL=0
|
||||
EXEC_FIREWALL_RULES=0
|
||||
SKIP_NETWORK_CONFIG=1
|
||||
CONF_FILE=/etc/cryptobox/cryptobox.conf
|
||||
|
||||
|
||||
# read the default setting file, if it exists
|
||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||
|
||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||
# parse config file
|
||||
. "$CONF_FILE"
|
||||
|
||||
|
@ -106,7 +111,7 @@ function create_config()
|
|||
{
|
||||
local device=$1
|
||||
# create the new configuration filesystem if it is not static
|
||||
if is_config_active
|
||||
if is_config_active || [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
|
||||
then log_msg "Using static configuration ..."
|
||||
else log_msg "Creating config filesystem ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
|
||||
|
@ -114,20 +119,21 @@ function create_config()
|
|||
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
|
||||
sudo "$ROOT_PERM_SCRIPT" remount_config rw
|
||||
fi
|
||||
# create a marker to recognize a cryptobox partition
|
||||
date -I >"$CONFIG_DIR/$CONFIG_MARKER"
|
||||
log_msg "Copying configuration defaults ..."
|
||||
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
|
||||
|
||||
log_msg "Copying temporary certificate file to config filesystem ..."
|
||||
# beware: the temp file should always be there - even after reboot - see "load_config"
|
||||
cp -p "$CERT_TEMP" "$CERT_FILE"
|
||||
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
|
||||
|
||||
log_msg "Setting inital values ..."
|
||||
# beware: config_set_value remounts the config partition read-only
|
||||
config_set_value "ip" "$(get_current_ip)"
|
||||
# create database of readable names
|
||||
config_set_value "names.db" ""
|
||||
# create a marker to recognize a cryptobox partition
|
||||
# this should be the last step, to prevent a half-initialized state
|
||||
config_set_value "$CONFIG_MARKER" "$(date -I)"
|
||||
}
|
||||
|
||||
|
||||
|
@ -308,7 +314,7 @@ function load_config()
|
|||
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
|
||||
# copy certificate to /tmp in case of re-initialization
|
||||
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
|
||||
cp "$CERT_FILE" "$CERT_TEMP"
|
||||
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
@ -336,7 +342,7 @@ function mount_crypto()
|
|||
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
||||
# passphrase is read from stdin
|
||||
log_msg "Mounting a crypto partition from $device"
|
||||
sudo "$ROOT_PERM_SCRIPT" mount "$device"
|
||||
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
|
||||
}
|
||||
|
||||
|
||||
|
@ -351,11 +357,12 @@ function umount_crypto()
|
|||
|
||||
function box_purge()
|
||||
# removing just the first bytes from the harddisk should be enough
|
||||
# every harddisk will be overriden!
|
||||
{
|
||||
# TODO: not ALL harddisks, please!
|
||||
get_available_disks | while read a
|
||||
do log_msg "Purging $a ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
|
||||
log_msg " "
|
||||
sudo "$ROOT_PERM_SCRIPT" trash_device "$a" >>"$LOG_FILE" 2>&1
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -368,7 +375,7 @@ function init_cryptobox()
|
|||
turn_off_all_crypto
|
||||
is_config_active && umount_config || true
|
||||
log_msg "Partitioning the device ($device) ..."
|
||||
create_partitions "$device"
|
||||
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
|
||||
log_msg "Initializing config partition on ${device}1 ..."
|
||||
# TODO: this should not be hard-coded
|
||||
create_config "${device}1"
|
||||
|
@ -394,31 +401,37 @@ ACTION=help
|
|||
|
||||
case "$ACTION" in
|
||||
config-up )
|
||||
if mount_config
|
||||
if load_config
|
||||
then echo "Cryptobox configuration successfully loaded"
|
||||
else error_msg 0 "Could not find a configuration partition!"
|
||||
fi
|
||||
;;
|
||||
config-down )
|
||||
umount_config || error_msg 4 "Could not unmount configuration partition"
|
||||
if is_config_active && [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
|
||||
then umount_config || error_msg 4 "Could not unmount configuration partition"
|
||||
else true
|
||||
fi
|
||||
;;
|
||||
network-up )
|
||||
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||
if [ "$SKIP_NETWORK_CONFIG}" != 1 ]
|
||||
then conf_ip=$(config_get_value "ip")
|
||||
log_msg "Configuring $NET_IFACE for $conf_ip ..."
|
||||
echo "Configuring network interface for $NET_IFACE: $conf_ip"
|
||||
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
|
||||
fi
|
||||
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
|
||||
if [ "$EXEC_FIREWALL_RULES" = 1 ]
|
||||
then log_msg "Starting the firewall ..."
|
||||
"$FIREWALL_SCRIPT" start
|
||||
fi
|
||||
if [ "${USE_STUNNEL:-0}" = 1 ]
|
||||
if [ "$USE_STUNNEL" = 1 ]
|
||||
then # start stunnel
|
||||
if [ -f "$CERT_FILE" ]
|
||||
then USE_CERT=$CERT_FILE
|
||||
else USE_CERT=$CERT_TEMP
|
||||
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
||||
# TODO: this could be dangerous - right?
|
||||
# this is necessary, to allow www-data to copy the certificate
|
||||
chown "$WEB_USER" "$CERT_TEMP"
|
||||
fi
|
||||
log_msg "Starting stunnel ..."
|
||||
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
||||
|
@ -426,15 +439,15 @@ case "$ACTION" in
|
|||
fi
|
||||
;;
|
||||
network-down )
|
||||
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
|
||||
if [ "$EXEC_FIREWALL_RULES" = 1 ]
|
||||
then log_msg "Stopping the firewall ..."
|
||||
"$FIREWALL_SCRIPT" stop
|
||||
fi
|
||||
if [ "${USE_STUNNEL:-0}" = 1 ]
|
||||
if [ "$USE_STUNNEL" = 1 ]
|
||||
then log_msg "Stopping stunnel ..."
|
||||
killall stunnel
|
||||
fi
|
||||
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
||||
then log_msg "Shutting the network interface down ..."
|
||||
"$IFCONFIG" "$NET_IFACE" down
|
||||
fi
|
||||
|
@ -505,7 +518,7 @@ case "$ACTION" in
|
|||
update_ip_address )
|
||||
# reconfigure the network interface to a new IP address
|
||||
# wait for 5 seconds to finish present http requests
|
||||
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
||||
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
|
||||
fi
|
||||
;;
|
||||
|
@ -573,3 +586,6 @@ case "$ACTION" in
|
|||
echo
|
||||
;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
|
||||
|
|
|
@ -84,8 +84,11 @@ function partition_device()
|
|||
# TODO: allow different layouts
|
||||
# TODO: skip config partition if a configuration is already active
|
||||
# sfdisk -n doesn't actually write (for testing purpose)
|
||||
echo -e "$2" | "$SFDISK" -n "$1" && \
|
||||
echo -e "$2" | "$SFDISK" "$1"
|
||||
if echo -e "$2" | "$SFDISK" -n "$1"
|
||||
then echo -e "$2" | "$SFDISK" "$1" || return 1
|
||||
else return 2
|
||||
fi
|
||||
true
|
||||
}
|
||||
|
||||
|
||||
|
@ -165,9 +168,9 @@ case "$ACTION" in
|
|||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
# read the passphrase from stdin
|
||||
key=$(cat -)
|
||||
# the iter-time is in milliseconds
|
||||
# the iter-time is in milliseconds - keep it low for fast mounting
|
||||
echo "$key" | \
|
||||
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 50000 luksFormat "$1" || \
|
||||
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
|
||||
error_msg 11 "failed to create the encrypted partition"
|
||||
name=$(get_device_name "$1")
|
||||
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
|
||||
|
@ -185,6 +188,18 @@ case "$ACTION" in
|
|||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
get_device_name "$1"
|
||||
;;
|
||||
mount_config )
|
||||
# parameter: device
|
||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
||||
is_device_allowed "$1" || \
|
||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
||||
mountpoint -q "$CONFIG_DIR" && \
|
||||
error_msg 0 "the configuration partition is already mounted"
|
||||
"$MKFS_CONFIG" -q "$1" || \
|
||||
error_msg 20 "failed to create config partition filesystem"
|
||||
;;
|
||||
mount_config )
|
||||
# parameter: device
|
||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
DO NOT REMOVE THIS FILE - it is a placeholder for the debian installer
|
|
@ -1 +0,0 @@
|
|||
DO NOT REMOVE THIS FILE - it is a placeholder for the debian installer
|
|
@ -344,6 +344,7 @@ button:hover {
|
|||
margin-left: 10%;
|
||||
margin-right: 10%;
|
||||
font-family: monospace
|
||||
text-align: left;
|
||||
}
|
||||
|
||||
/* ---------=-=-=-=- onscreen help -=-=-=-=--------- */
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue