fixed a couple of bugs

lars 2005-12-13 02:27:33 +00:00
parent e616b2d316
commit 0d9534c8aa
10 changed files with 99 additions and 46 deletions


@ -1,5 +1,23 @@
#!/bin/sh
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
if [ -e "$CONF_FILE" ]
then . "$CONF_FILE"
# create mount and config directories with appropriate permissions
[ ! -e "$MNT_PARENT" ] && mkdir -p "$MNT_PARENT" && \
chown "$WEB_USER" "$MNT_PARENT" && chmod 700 "$MNT_PARENT"
[ ! -e "$CONFIG_DIR" ] && mkdir -p "$CONFIG_DIR" && \
chown "$WEB_USER" "$CONFIG_DIR" && chmod 700 "$CONFIG_DIR"
[ ! -e "$LOG_FILE" ] && touch "$LOG_FILE" && chown "$WEB_USER" "$LOG_FILE"
fi
# add the cryptobox startup script to /etc/rc?.d
update-rc.d cryptobox defaults 98
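Review bot: Owner and mode are only applied when the directory is created here, so a pre-existing `$MNT_PARENT` or `$CONFIG_DIR` keeps whatever owner and permissions it already had, and `$LOG_FILE` gets a `chown` but no `chmod`, leaving its mode to the installer's umask. Other parts of this commit append the privileged helper's output to that log (`>>"$LOG_FILE" 2>&1`), so I would set the mode explicitly, e.g. `touch "$LOG_FILE" && chown "$WEB_USER" "$LOG_FILE" && chmod 600 "$LOG_FILE"`. For the two directories, run the `chown`/`chmod 700` pair whether or not `mkdir -p` had to create anything. The block also assumes the sourced `$CONF_FILE` defines all four variables; an empty one just makes `mkdir -p ""` fail without a message.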


@ -6,6 +6,12 @@
if [ "$1" = "purge" ] && grep -q "cryptobox package.*HEADER" /etc/sudoers
then echo "Removing entry from /etc/sudoers"
sed -i "/cryptobox package.*HEADER/,/cryptobox package.*FOOTER/d" /etc/sudoers
echo "Removing mount and config directories (/var/lib/cryptobox) ..."
rmdir /var/lib/cryptobox/mnt || echo " mount directory not empty - skipped" >&2
mountpoint -q /var/lib/cryptobox/config || rm -rf /var/lib/cryptobox/config || \
echo " failed to remove config directory - skipped" >&2
rmdir /var/lib/cryptobox || \
echo " the cryptobox directory (/var/lib/cryptobox) has not been removed" >&2
fi
# return without error
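Review bot: The new directory cleanup sits inside the branch guarded by `grep -q "cryptobox package.*HEADER" /etc/sudoers`, so a purge on a system where the sudoers entry is already gone (or was never added) leaves /var/lib/cryptobox and the certificate under config/ behind. I would move it into its own `if [ "$1" = "purge" ]` block. The paths are also hard-coded, while the install script creates `$MNT_PARENT` and `$CONFIG_DIR` from the configuration file, so a relocated directory is never cleaned up. When config/ is still a mountpoint the `mountpoint -q ... || rm -rf ...` chain prints nothing, and only the final `rmdir` reports that something was left.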


@ -29,7 +29,7 @@ DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
LOG_FILE=/var/log/cryptobox.log
CERT_FILE=/mnt/cb-etc/stunnel.pem
CERT_FILE=/var/lib/cryptobox/config/stunnel.pem
OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
CONFIG_MARKER=cryptobox.marker
@ -37,7 +37,7 @@ CONFIG_MARKER=cryptobox.marker
# crypto settings
# there is no default hash, as this is ignored by luks
DEFAULT_CIPHER=aes-cbc-essiv:sha256
CRYPTMAPPER_DIR=/dev/mapper
DEV_MAPPER_DIR=/dev/mapper
# some programs
SFDISK=/sbin/sfdisk


@ -47,8 +47,7 @@ case "$1" in
# otherwise give a warning and start the devel features
if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then
echo
echo "Hints for usage:"
echo " * for some reasons you can not login here :)"
echo "How to use the CryptoBox:"
echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)'"
echo " * configure your CryptoBox via a webbrowser"
echo


@ -38,7 +38,7 @@ $IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
$STYLESHEET_URL = $config->{STYLESHEET_URL};
# TODO: just a quick-and-dirty hack during migration to multiple containers
my $CRYPTO_DEV = "`$CB_SCRIPT get_config device`2";
my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`;
my $query = new CGI;
@ -286,11 +286,11 @@ sub box_init
{
my ($crypto_pw, $admin_pw) = @_;
system("$CB_SCRIPT", "init");
system("$CB_SCRIPT", "init") || return 1;
# partitioning, config and initial cryptsetup
# TODO: define the name of the crypto container
# TODO: split init and create_crypto
open(PW_INPUT, "|$CB_SCRIPT crypto-create",$CRYPTO_DEV,"default");
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default");
print PW_INPUT $crypto_pw;
close(PW_INPUT);
@ -404,7 +404,7 @@ if ( ! &check_ssl()) {
if ($query->param('type') eq 'reboot') {
&system_reboot();
$pagedata->setValue('Data.Success', 'ReBoot');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "180");
} else {
&system_poweroff();
@ -441,7 +441,7 @@ if ( ! &check_ssl()) {
} else {
$pagedata->setValue('Data.Success', 'UmountDone');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
@ -459,7 +459,7 @@ if ( ! &check_ssl()) {
} elsif (&check_mounted()) {
$pagedata->setValue('Data.Warning', 'IsMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif ($query->param('crypto_password') eq '') {
# leeres Passwort
@ -474,7 +474,7 @@ if ( ! &check_ssl()) {
} else {
$pagedata->setValue('Data.Success', 'MountDone');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
@ -491,7 +491,7 @@ if ( ! &check_ssl()) {
} elsif (&check_mounted()) {
$pagedata->setValue('Data.Warning', 'IsMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'form_mount');
@ -504,7 +504,7 @@ if ( ! &check_ssl()) {
} elsif ( ! &check_mounted()) {
$pagedata->setValue('Data.Warning', 'NotMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'form_umount');
@ -606,8 +606,8 @@ if ( ! &check_ssl()) {
} else {
$pagedata->setValue('Data.Success', 'ConfigSaved');
}
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Action', 'status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
@ -622,8 +622,8 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Action', 'status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "60");
}
################### box_purge #######################
@ -655,8 +655,8 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "60");
} elsif (&check_config()) {
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Action', 'status');
$pagedata->setValue('Data.Redirect.Action', 'status');
$pagedata->setValue('Data.Redirect.Delay', "60");
} else {
$pagedata->setValue('Data.Action', 'form_init');
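Review bot: In the box_init hunk, `system("$CB_SCRIPT", "init") || return 1;` is inverted: `system` returns the exit status, which is 0 (false) on success, so the sub returns early after a successful init and carries on to crypto-create after a failed one. `system($CB_SCRIPT, "init") == 0 or return 1;` expresses the intent, assuming 1 is what the callers treat as failure, which is not visible here. The rewritten `open` now builds a shell command line with `$CRYPTO_DEV` interpolated between single quotes, and that value is the unchecked output of the backtick pipeline in the first hunk, where `tr "\n" "2"` glues the names together if more than one disk is listed. The list form avoids the shell and lets the failure be checked: `open(PW_INPUT, "|-", $CB_SCRIPT, "crypto-create", $CRYPTO_DEV, "default") or return 1;`, with the result of `close(PW_INPUT)` checked too, since it carries the child's exit status. box_init continues past the end of the hunk.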


@ -20,11 +20,16 @@
set -eu
# define reasonable defaults
USE_STUNNEL=0
EXEC_FIREWALL_RULES=0
SKIP_NETWORK_CONFIG=1
CONF_FILE=/etc/cryptobox/cryptobox.conf
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
. "$CONF_FILE"
@ -106,7 +111,7 @@ function create_config()
{
local device=$1
# create the new configuration filesystem if it is not static
if is_config_active
if is_config_active || [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
@ -114,20 +119,21 @@ function create_config()
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
sudo "$ROOT_PERM_SCRIPT" remount_config rw
fi
# create a marker to recognize a cryptobox partition
date -I >"$CONFIG_DIR/$CONFIG_MARKER"
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
cp -p "$CERT_TEMP" "$CERT_FILE"
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" "$(get_current_ip)"
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value "$CONFIG_MARKER" "$(date -I)"
}
@ -308,7 +314,7 @@ function load_config()
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
# copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
cp "$CERT_FILE" "$CERT_TEMP"
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
return
fi
done
@ -336,7 +342,7 @@ function mount_crypto()
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg "Mounting a crypto partition from $device"
sudo "$ROOT_PERM_SCRIPT" mount "$device"
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
}
@ -351,11 +357,12 @@ function umount_crypto()
function box_purge()
# removing just the first bytes from the harddisk should be enough
# every harddisk will be overriden!
{
# TODO: not ALL harddisks, please!
get_available_disks | while read a
do log_msg "Purging $a ..."
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
log_msg " "
sudo "$ROOT_PERM_SCRIPT" trash_device "$a" >>"$LOG_FILE" 2>&1
done
}
@ -368,7 +375,7 @@ function init_cryptobox()
turn_off_all_crypto
is_config_active && umount_config || true
log_msg "Partitioning the device ($device) ..."
create_partitions "$device"
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
log_msg "Initializing config partition on ${device}1 ..."
# TODO: this should not be hard-coded
create_config "${device}1"
@ -394,31 +401,37 @@ ACTION=help
case "$ACTION" in
config-up )
if mount_config
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
;;
config-down )
umount_config || error_msg 4 "Could not unmount configuration partition"
if is_config_active && [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
then umount_config || error_msg 4 "Could not unmount configuration partition"
else true
fi
;;
network-up )
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
if [ "$SKIP_NETWORK_CONFIG}" != 1 ]
then conf_ip=$(config_get_value "ip")
log_msg "Configuring $NET_IFACE for $conf_ip ..."
echo "Configuring network interface for $NET_IFACE: $conf_ip"
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
fi
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
fi
if [ "${USE_STUNNEL:-0}" = 1 ]
if [ "$USE_STUNNEL" = 1 ]
then # start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown "$WEB_USER" "$CERT_TEMP"
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
@ -426,15 +439,15 @@ case "$ACTION" in
fi
;;
network-down )
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
fi
if [ "${USE_STUNNEL:-0}" = 1 ]
if [ "$USE_STUNNEL" = 1 ]
then log_msg "Stopping stunnel ..."
killall stunnel
fi
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then log_msg "Shutting the network interface down ..."
"$IFCONFIG" "$NET_IFACE" down
fi
@ -505,7 +518,7 @@ case "$ACTION" in
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
fi
;;
@ -573,3 +586,6 @@ case "$ACTION" in
echo
;;
esac
exit 0
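Review bot: In the network-up branch the new test reads `[ "$SKIP_NETWORK_CONFIG}" != 1 ]`; the stray `}` is appended to the value, so the comparison is always true and the interface is reconfigured even when SKIP_NETWORK_CONFIG=1. It should be `if [ "$SKIP_NETWORK_CONFIG" != 1 ]`, as the network-down and update_ip_address branches already have it. In the same branch, `chown "$WEB_USER" "$CERT_TEMP"` hands the freshly generated stunnel certificate file to the web user, which the TODO above it already questions. If that file also holds the private key (not visible here), anything running as the web user can read the key that protects the TLS front end, so letting the privileged helper do the copy would avoid the ownership change. The case statement starts and ends outside the hunk.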


@ -84,8 +84,11 @@ function partition_device()
# TODO: allow different layouts
# TODO: skip config partition if a configuration is already active
# sfdisk -n doesn't actually write (for testing purpose)
echo -e "$2" | "$SFDISK" -n "$1" && \
echo -e "$2" | "$SFDISK" "$1"
if echo -e "$2" | "$SFDISK" -n "$1"
then echo -e "$2" | "$SFDISK" "$1" || return 1
else return 2
fi
true
}
@ -165,9 +168,9 @@ case "$ACTION" in
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
# read the passphrase from stdin
key=$(cat -)
# the iter-time is in milliseconds
# the iter-time is in milliseconds - keep it low for fast mounting
echo "$key" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 50000 luksFormat "$1" || \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
error_msg 11 "failed to create the encrypted partition"
name=$(get_device_name "$1")
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
@ -185,6 +188,18 @@ case "$ACTION" in
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
get_device_name "$1"
;;
mount_config )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
"$MKFS_CONFIG" -q "$1" || \
error_msg 20 "failed to create config partition filesystem"
;;
mount_config )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
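Review bot: The added case branch is labelled `mount_config )` but its body runs `"$MKFS_CONFIG" -q "$1"`, and it sits in front of the existing `mount_config )` branch. `case` takes the first matching pattern, so once the guards pass, a mount_config request creates a new filesystem on the device and the real mount branch is unreachable, while the `create_config` action that the management script calls has no handler in the visible lines. The label should be `create_config )`. The guard also tests `$USE_SEPERATE_CONFIG_DIR`, whereas the management script tests `$USE_SEPERATE_CONFIG_PARTITION`; one of the two names is presumably wrong, and an unset name compares as empty here, so the branch would always stop at error 19. The case statement starts and ends outside the hunk.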


@ -1 +0,0 @@
DO NOT REMOVE THIS FILE - it is a placeholder for the debian installer


@ -1 +0,0 @@
DO NOT REMOVE THIS FILE - it is a placeholder for the debian installer


@ -344,6 +344,7 @@ button:hover {
margin-left: 10%;
margin-right: 10%;
font-family: monospace
text-align: left;
}
/* ---------=-=-=-=- onscreen help -=-=-=-=--------- */
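Review bot: The line `font-family: monospace` has no terminating semicolon, so with `text-align: left;` directly after it the two lines parse as a single invalid font-family declaration and both are dropped by the browser. Add the semicolon, `font-family: monospace;`, so that the alignment rule takes effect. The rule's selector is outside the hunk.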