moving around
This commit is contained in:
parent
e73d969053
commit
4142e11913
|
@ -1,590 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# this script does EVERYTHING
|
|
||||||
# all other scripts are only frontends :)
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - some rc-scripts
|
|
||||||
# - the web frontend cgi
|
|
||||||
#
|
|
||||||
|
|
||||||
# TODO: check permissions and owners of config files, directories and scripts before
|
|
||||||
# running cbox-root-actions.sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
# define reasonable defaults
|
|
||||||
USE_STUNNEL=0
|
|
||||||
EXEC_FIREWALL_RULES=0
|
|
||||||
SKIP_NETWORK_CONFIG=1
|
|
||||||
CONF_FILE=/etc/cryptobox/cryptobox.conf
|
|
||||||
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
# check for writable log file
|
|
||||||
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE")
|
|
||||||
|
|
||||||
## configuration
|
|
||||||
CERT_TEMP=/tmp/stunnel.pem
|
|
||||||
|
|
||||||
######## stuff ##########
|
|
||||||
|
|
||||||
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
|
|
||||||
|
|
||||||
#########################
|
|
||||||
|
|
||||||
function log_msg()
|
|
||||||
{
|
|
||||||
# the log file is not writable during boot - try before writing ...
|
|
||||||
[ -w "$LOG_FILE" ] || return 0
|
|
||||||
echo >>"$LOG_FILE"
|
|
||||||
echo "##### `date` #####" >>"$LOG_FILE"
|
|
||||||
echo "$1" >>"$LOG_FILE"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function error_msg()
|
|
||||||
# parameters: ExitCode ErrorMessage
|
|
||||||
{
|
|
||||||
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
|
|
||||||
# print the execution stack - not usable with busybox
|
|
||||||
# caller | sed 's/^/\t/' >&2
|
|
||||||
exit "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function config_set_value()
|
|
||||||
# parameters: SettingName [SettingValue]
|
|
||||||
# read from stdin if SettingValue is not defined
|
|
||||||
{
|
|
||||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw
|
|
||||||
if [ $# -gt 1 ]
|
|
||||||
then echo -n "$2" > "$CONFIG_DIR/$1"
|
|
||||||
else cat - >"$CONFIG_DIR/$1"
|
|
||||||
fi
|
|
||||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function config_get_value()
|
|
||||||
# parameters: SettingName
|
|
||||||
{
|
|
||||||
# use mounted config, if it exists - otherwise use defaults
|
|
||||||
local conf_dir
|
|
||||||
if is_config_active
|
|
||||||
then conf_dir=$CONFIG_DIR
|
|
||||||
else conf_dir=$CONFIG_DEFAULTS_DIR
|
|
||||||
fi
|
|
||||||
[ -z "$1" ] && error_msg 1 "empty setting name"
|
|
||||||
# check for existence - maybe use default values (for old releases without this setting)
|
|
||||||
if [ ! -e "$conf_dir/$1" ]
|
|
||||||
then case "$1" in
|
|
||||||
# you may place default values for older versions here
|
|
||||||
# for compatibility
|
|
||||||
* )
|
|
||||||
error_msg 2 "unknown configuration value ($1)"
|
|
||||||
# empty output
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
else echo -n $(cat "$conf_dir/$1")
|
|
||||||
# this removes the trailing line break
|
|
||||||
fi
|
|
||||||
# always return without error
|
|
||||||
true
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function create_config()
|
|
||||||
# Parameter: device
|
|
||||||
{
|
|
||||||
local device=$1
|
|
||||||
unload_config
|
|
||||||
# create the new configuration filesystem if it is not static
|
|
||||||
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
|
|
||||||
then log_msg "Using static configuration ..."
|
|
||||||
else log_msg "Creating config filesystem ..."
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
|
|
||||||
log_msg "Mounting config partition ..."
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" remount_config rw
|
|
||||||
fi
|
|
||||||
log_msg "Copying configuration defaults ..."
|
|
||||||
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
|
|
||||||
|
|
||||||
log_msg "Copying temporary certificate file to config filesystem ..."
|
|
||||||
# beware: the temp file should always be there - even after reboot - see "load_config"
|
|
||||||
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
|
|
||||||
|
|
||||||
log_msg "Setting inital values ..."
|
|
||||||
# beware: config_set_value remounts the config partition read-only
|
|
||||||
config_set_value "ip" "$(get_current_ip)"
|
|
||||||
# create database of readable names
|
|
||||||
config_set_value "names.db" ""
|
|
||||||
# create a marker to recognize a cryptobox partition
|
|
||||||
# this should be the last step, to prevent a half-initialized state
|
|
||||||
config_set_value "$CONFIG_MARKER" "$(date -I)"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function get_current_ip()
|
|
||||||
# not necessarily the same as configured (necessary for validation)
|
|
||||||
{
|
|
||||||
# filter the output of ifconfig and remove trailing line break
|
|
||||||
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function list_partitions_of_type()
|
|
||||||
# parameter: { config | crypto | plaindata | unused }
|
|
||||||
{
|
|
||||||
local config=
|
|
||||||
local crypto=
|
|
||||||
local plaindata=
|
|
||||||
local unused=
|
|
||||||
for a in $ALL_PARTITIONS
|
|
||||||
do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
|
|
||||||
then crypto="$crypto /dev/$a"
|
|
||||||
elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
|
|
||||||
then config="$config /dev/$a"
|
|
||||||
elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
|
|
||||||
then plaindata="$plaindata /dev/$a"
|
|
||||||
else unused="$unused /dev/$a"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
case "$1" in
|
|
||||||
config | crypto | plaindata | unused )
|
|
||||||
# dirty hack, but it works
|
|
||||||
eval "echo \$$1"
|
|
||||||
;;
|
|
||||||
* )
|
|
||||||
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)"
|
|
||||||
;;
|
|
||||||
esac | tr " " "\n" | grep -v '^$'
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function get_crypto_uuid()
|
|
||||||
# Parameter: DEVICE
|
|
||||||
{
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" get_device_name "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function get_crypto_name()
|
|
||||||
# Parameter: DEVICE
|
|
||||||
# return the readable name of the crypto container, it it is already defined
|
|
||||||
# if undefined - return the uuid
|
|
||||||
{
|
|
||||||
local uuid=$(get_crypto_uuid "$1")
|
|
||||||
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
|
|
||||||
if [ -z "$dbname" ]
|
|
||||||
then echo -n "$uuid"
|
|
||||||
else echo -n "$dbname"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function set_crypto_name()
|
|
||||||
# TODO: the implementation is quite ugly, but it works (tm)
|
|
||||||
# Parameter: DEVICE NAME
|
|
||||||
{
|
|
||||||
local uuid=$(get_crypto_uuid "$1")
|
|
||||||
# remove the old setting for this device and every possible entry with the same name
|
|
||||||
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db'
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function does_crypto_name_exist()
|
|
||||||
# Parameter: NAME
|
|
||||||
{
|
|
||||||
config_get_value 'names.db' | grep -q "^[^:]*:$1$"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function create_crypto()
|
|
||||||
# Parameter: DEVICE NAME KEYFILE
|
|
||||||
# keyfile is necessary, to allow background execution via 'at'
|
|
||||||
# TODO: check if the keyfile is still necessary for sudo -b
|
|
||||||
{
|
|
||||||
local device=$1
|
|
||||||
local name=$2
|
|
||||||
local keyfile=$3
|
|
||||||
# otherwise the web interface will hang
|
|
||||||
# passphrase may be passed via command line
|
|
||||||
local key=$(<"$keyfile")
|
|
||||||
# remove the passphrase-file as soon as possible
|
|
||||||
dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null
|
|
||||||
rm "$keyfile"
|
|
||||||
|
|
||||||
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device"
|
|
||||||
echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device"
|
|
||||||
|
|
||||||
set_crypto_name "$device" "$name"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function is_config_active()
|
|
||||||
{
|
|
||||||
test -f "$CONFIG_DIR/$CONFIG_MARKER"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function is_crypto_mounted()
|
|
||||||
# Parameter: DEVICE
|
|
||||||
{
|
|
||||||
local name=$(get_crypto_uuid "$1")
|
|
||||||
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function is_init_running()
|
|
||||||
{
|
|
||||||
check_at_command_queue " init"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# check if a specified command is in an at-queue
|
|
||||||
# Parameter: a regular expression of the commandline
|
|
||||||
# Return: the command is part of an at-queue (0) or not (1)
|
|
||||||
function check_at_command_queue()
|
|
||||||
{
|
|
||||||
# 1) get the available job numbers
|
|
||||||
# 2) remove empty lines (especially the last one)
|
|
||||||
# 3) check every associated command for the regexp
|
|
||||||
at -l | cut -f 1 | while read jobnum
|
|
||||||
do at -c $jobnum | sed '/^$/d' | tail -1
|
|
||||||
done | grep -q "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function find_harddisk()
|
|
||||||
# look for the harddisk to be partitioned
|
|
||||||
{
|
|
||||||
local device=$(get_available_disks | head -1)
|
|
||||||
if [ -z "$device" ] ; then
|
|
||||||
log_msg "no valid harddisk for initialisation found!"
|
|
||||||
cat /proc/partitions >>"$LOG_FILE"
|
|
||||||
# do not return with an error, to avoid a failing of the script ('break on error')
|
|
||||||
# the caller of this function should handle an empty return string
|
|
||||||
fi
|
|
||||||
echo -n "$device"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function get_available_disks()
|
|
||||||
# looks which allowed disks are at the moment connected with the cbox
|
|
||||||
{
|
|
||||||
for scan in $SCAN_DEVICES
|
|
||||||
do for avail in $ALL_PARTITIONS
|
|
||||||
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
|
|
||||||
done
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function load_config()
|
|
||||||
{
|
|
||||||
unload_config
|
|
||||||
local status=0
|
|
||||||
# look for a configuration partition
|
|
||||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
|
|
||||||
list_partitions_of_type config | while read part && [ "$status" = 0 ]
|
|
||||||
do log_msg "Trying to load configuration from /dev/$part ..."
|
|
||||||
if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
|
|
||||||
then log_msg "configuraton found on $part"
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
|
|
||||||
status=1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if is_config_active
|
|
||||||
then # copy certificate to /tmp in case of re-initialization
|
|
||||||
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
|
|
||||||
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
|
|
||||||
else log_msg "failed to locate config partition"
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
true
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function unload_config()
|
|
||||||
{
|
|
||||||
is_config_active || return
|
|
||||||
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
|
|
||||||
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
|
|
||||||
then sudo "$ROOT_PERM_SCRIPT" umount_config
|
|
||||||
else true
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function mount_crypto()
|
|
||||||
# Parameter: DEVICE
|
|
||||||
{
|
|
||||||
local device=$1
|
|
||||||
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
|
|
||||||
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
|
||||||
# passphrase is read from stdin
|
|
||||||
log_msg "Mounting a crypto partition from $device"
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function umount_crypto()
|
|
||||||
# Parameter: DEVICE
|
|
||||||
{
|
|
||||||
local device=$1
|
|
||||||
local uuid=$(get_crypto_uuid $device)
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" umount "$uuid"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function box_purge()
|
|
||||||
# removing just the first bytes from the harddisk should be enough
|
|
||||||
# every harddisk will be overriden!
|
|
||||||
{
|
|
||||||
# TODO: not ALL harddisks, please!
|
|
||||||
get_available_disks | while read a
|
|
||||||
do log_msg "Purging $a ..."
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function init_cryptobox()
|
|
||||||
# this is only the first part of initialisation that takes no time - good for a smooth web interface
|
|
||||||
{
|
|
||||||
local device=$(find_harddisk)
|
|
||||||
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1
|
|
||||||
turn_off_all_crypto
|
|
||||||
unload_config || true
|
|
||||||
log_msg "Partitioning the device ($device) ..."
|
|
||||||
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
|
|
||||||
log_msg "Initializing config partition on ${device}1 ..."
|
|
||||||
# TODO: this should not be hard-coded
|
|
||||||
create_config "${device}1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function turn_off_all_crypto()
|
|
||||||
{
|
|
||||||
list_crypto_containers | while read a
|
|
||||||
do is_crypto_mounted "$a" && umount_crypto "$a"
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
### main ###
|
|
||||||
|
|
||||||
# set PATH because thttpd removes /sbin and /usr/sbin for cgis
|
|
||||||
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
|
|
||||||
|
|
||||||
|
|
||||||
ACTION=help
|
|
||||||
[ $# -gt 0 ] && ACTION=$1 && shift
|
|
||||||
|
|
||||||
case "$ACTION" in
|
|
||||||
config-up )
|
|
||||||
if load_config
|
|
||||||
then echo "Cryptobox configuration successfully loaded"
|
|
||||||
else error_msg 0 "Could not find a configuration partition!"
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
config-down )
|
|
||||||
unload_config || error_msg 4 "Could not unmount configuration partition"
|
|
||||||
;;
|
|
||||||
network-up )
|
|
||||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
|
||||||
then conf_ip=$(config_get_value "ip")
|
|
||||||
log_msg "Configuring $NET_IFACE for $conf_ip ..."
|
|
||||||
echo "Configuring network interface for $NET_IFACE: $conf_ip"
|
|
||||||
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
|
|
||||||
fi
|
|
||||||
if [ "$EXEC_FIREWALL_RULES" = 1 ]
|
|
||||||
then log_msg "Starting the firewall ..."
|
|
||||||
"$FIREWALL_SCRIPT" start
|
|
||||||
fi
|
|
||||||
if [ "$USE_STUNNEL" = 1 ]
|
|
||||||
then # start stunnel
|
|
||||||
if [ -f "$CERT_FILE" ]
|
|
||||||
then USE_CERT=$CERT_FILE
|
|
||||||
else USE_CERT=$CERT_TEMP
|
|
||||||
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
|
||||||
# TODO: this could be dangerous - right?
|
|
||||||
# this is necessary, to allow www-data to copy the certificate
|
|
||||||
chown "$WEB_USER" "$CERT_TEMP"
|
|
||||||
fi
|
|
||||||
log_msg "Starting stunnel ..."
|
|
||||||
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
|
||||||
|| echo "$USE_CERT not found - not starting stunnel"
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
network-down )
|
|
||||||
if [ "$EXEC_FIREWALL_RULES" = 1 ]
|
|
||||||
then log_msg "Stopping the firewall ..."
|
|
||||||
"$FIREWALL_SCRIPT" stop
|
|
||||||
fi
|
|
||||||
if [ "$USE_STUNNEL" = 1 ]
|
|
||||||
then log_msg "Stopping stunnel ..."
|
|
||||||
# TODO: what about a pid?
|
|
||||||
killall stunnel 2>/dev/null || true
|
|
||||||
fi
|
|
||||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
|
||||||
then log_msg "Shutting the network interface down ..."
|
|
||||||
"$IFCONFIG" "$NET_IFACE" down
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
services-up )
|
|
||||||
# the mount point has to be writeable
|
|
||||||
# this action is called as root - so we are allowed to umount
|
|
||||||
# TODO: do this only for ro-filesystem
|
|
||||||
# TODO: this way of mounting is evil
|
|
||||||
if mountpoint -q "$MNT_PARENT"
|
|
||||||
then true
|
|
||||||
else mount -t tmpfs tmpfs "$MNT_PARENT"
|
|
||||||
fi
|
|
||||||
true
|
|
||||||
;;
|
|
||||||
services-down )
|
|
||||||
# this action is called as root - so we are allowed to umount
|
|
||||||
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
|
|
||||||
# TODO: we should not depend on samba and thttpd
|
|
||||||
# /etc/init.d/samba stop || true
|
|
||||||
# /etc/init.d/thttpd stop || true
|
|
||||||
true
|
|
||||||
;;
|
|
||||||
crypto-up )
|
|
||||||
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
|
|
||||||
mount_crypto "$1"
|
|
||||||
;;
|
|
||||||
crypto-down )
|
|
||||||
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
|
|
||||||
umount_crypto "$1"
|
|
||||||
;;
|
|
||||||
init )
|
|
||||||
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
|
|
||||||
;;
|
|
||||||
crypto-create )
|
|
||||||
# Parameter: DEVICE NAME
|
|
||||||
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
|
|
||||||
# do it in the background to provide a smoother web interface
|
|
||||||
# messages and errors get written to $LOG_FILE
|
|
||||||
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1")
|
|
||||||
# read the password
|
|
||||||
cat - >"$keyfile"
|
|
||||||
# execute it in the background
|
|
||||||
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now
|
|
||||||
;;
|
|
||||||
crypto-create-bg )
|
|
||||||
create_crypto "$@"
|
|
||||||
;;
|
|
||||||
crypto-list )
|
|
||||||
list_partitions_of_type crypto
|
|
||||||
;;
|
|
||||||
crypto-list-unused )
|
|
||||||
list_partitions_of_type unused
|
|
||||||
;;
|
|
||||||
crypto-name )
|
|
||||||
# Parameter: DEVICE
|
|
||||||
get_crypto_name "$1"
|
|
||||||
;;
|
|
||||||
is_crypto_mounted )
|
|
||||||
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
|
|
||||||
is_crypto_mounted "$1"
|
|
||||||
;;
|
|
||||||
is_config_mounted )
|
|
||||||
is_config_active
|
|
||||||
;;
|
|
||||||
is_init_running )
|
|
||||||
is_init_running
|
|
||||||
;;
|
|
||||||
is_harddisk_available )
|
|
||||||
[ -z "$(find_harddisk)" ] && exit 1
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
update_ip_address )
|
|
||||||
# reconfigure the network interface to a new IP address
|
|
||||||
# wait for 5 seconds to finish present http requests
|
|
||||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
|
||||||
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
get_available_disks )
|
|
||||||
get_available_disks
|
|
||||||
;;
|
|
||||||
get_current_ip )
|
|
||||||
get_current_ip
|
|
||||||
;;
|
|
||||||
set_config )
|
|
||||||
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
|
|
||||||
config_set_value "$1" "$2"
|
|
||||||
;;
|
|
||||||
get_config )
|
|
||||||
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
|
|
||||||
config_get_value "$1"
|
|
||||||
;;
|
|
||||||
diskinfo )
|
|
||||||
get_available_disks | while read a
|
|
||||||
do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a"
|
|
||||||
done
|
|
||||||
;;
|
|
||||||
box-purge )
|
|
||||||
log_msg "Cleaning the CryptoBox ..."
|
|
||||||
turn_off_all_crypto
|
|
||||||
"$0" config-down
|
|
||||||
box_purge >>"$LOG_FILE" 2>&1
|
|
||||||
;;
|
|
||||||
poweroff )
|
|
||||||
log_msg "Turning off the CryptoBox ..."
|
|
||||||
turn_off_all_crypto
|
|
||||||
echo "poweroff" | at now
|
|
||||||
;;
|
|
||||||
reboot )
|
|
||||||
log_msg "Rebooting the CryptoBox ..."
|
|
||||||
turn_off_all_crypto
|
|
||||||
echo "reboot" | at now
|
|
||||||
;;
|
|
||||||
* )
|
|
||||||
echo "Syntax: `basename $0` ACTION [PARAMS]"
|
|
||||||
echo " config-up - scan for configuration partition and mount it"
|
|
||||||
echo " config-down - unmount configuration partition"
|
|
||||||
echo " network-up - enable network interface"
|
|
||||||
echo " network-down - disable network interface"
|
|
||||||
echo " services-up - run some cryptobox specific daemons"
|
|
||||||
echo " services-down - stop some cryptobox specific daemons"
|
|
||||||
echo " crypto-up - mount crypto partition"
|
|
||||||
echo " crypto-down - unmount crypto partition"
|
|
||||||
echo " box-init - initialize cryptobox (ALL data is LOST)"
|
|
||||||
echo " box-init-fg - the first part of initialization"
|
|
||||||
echo " box-init-bg - the last part of initialization (background)"
|
|
||||||
echo " is_crypto_mounted - check, if crypto partition is mounted"
|
|
||||||
echo " is_config_mounted - check, if configuration partition is mounted"
|
|
||||||
echo " is_init_running - check, if initialization is ongoing"
|
|
||||||
echo " is_harddisk_available - check, if there is a usable harddisk"
|
|
||||||
echo " get_available_disks - shows all connected and allowed disks"
|
|
||||||
echo " get_current_ip - get the current IP of the network interface"
|
|
||||||
echo " update_ip_address - update the network interface after reconfiguration"
|
|
||||||
echo " set_config NAME VALUE - change a configuration setting"
|
|
||||||
echo " get_config NAME - retrieve a configuration setting"
|
|
||||||
echo " diskinfo - show the partition table of the harddisk"
|
|
||||||
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
|
|
||||||
echo " poweroff - shutdown the cryptobox"
|
|
||||||
echo " reboot - reboot the cryptobox"
|
|
||||||
echo
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
|
|
|
@ -1,330 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# this script is responsible for all dangerous actions, that require root privileges
|
|
||||||
# every action should be checked at least TWICE a day for open holes :)
|
|
||||||
# usually will get call via sudo
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cbox-manage.sh
|
|
||||||
#
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
||||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
|
|
||||||
############ some useful functions ###############
|
|
||||||
|
|
||||||
# check if the given device is part of the SCAN_DEVICE list
|
|
||||||
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[0-9]*$" against
|
|
||||||
# the given device
|
|
||||||
# other devices may not be touched
|
|
||||||
function is_device_allowed()
|
|
||||||
# parameter: device
|
|
||||||
{
|
|
||||||
for a in $SCAN_DEVICES
|
|
||||||
do [[ "$1" =~ "^/dev/${a}[0-9]*$" ]] && return 0
|
|
||||||
done
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function get_device_name()
|
|
||||||
# return the uuid of the device
|
|
||||||
# if there is no uuid, then the device name is "flattened" and returned
|
|
||||||
# ignore volume-id as it may be non-unique
|
|
||||||
{
|
|
||||||
local UUID=
|
|
||||||
# check for luksUUID or ext2/3-uuid
|
|
||||||
if is_luks_device "$1"
|
|
||||||
then UUID=$("$CRYPTSETUP" luksUUID "$1")
|
|
||||||
else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g")
|
|
||||||
fi
|
|
||||||
# if there is no valid UUUD, then take the flattened device name
|
|
||||||
is_uuid_valid "$UUID" || UUID=${1//\//_}
|
|
||||||
echo "$UUID"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function is_uuid_valid()
|
|
||||||
# every devmapper name should look like a UUID
|
|
||||||
{
|
|
||||||
local hex=[0-9a-f]
|
|
||||||
[[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]]
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function error_msg()
|
|
||||||
# parameter ExitCode ErrorMessage
|
|
||||||
{
|
|
||||||
echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2
|
|
||||||
exit $1
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function partition_device()
|
|
||||||
# parameter: device sfdisk_layout_setup
|
|
||||||
# e.g.: /dev/hda "0,1,L \n,,L\n"
|
|
||||||
{
|
|
||||||
# TODO: allow different layouts
|
|
||||||
# TODO: skip config partition if a configuration is already active
|
|
||||||
# sfdisk -n doesn't actually write (for testing purpose)
|
|
||||||
if echo -e "$2" | "$SFDISK" -n "$1"
|
|
||||||
then echo -e "$2" | "$SFDISK" "$1" || return 1
|
|
||||||
else return 2
|
|
||||||
fi
|
|
||||||
true
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function is_luks_device()
|
|
||||||
# parameter: device
|
|
||||||
{
|
|
||||||
"$CRYPTSETUP" isLuks "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
################ main ####################
|
|
||||||
|
|
||||||
ACTION=unknown
|
|
||||||
[ $# -gt 0 ] && ACTION=$1 && shift
|
|
||||||
|
|
||||||
|
|
||||||
case "$ACTION" in
|
|
||||||
partition_disk )
|
|
||||||
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
partition_device "$1" "$2" || \
|
|
||||||
error_msg 2 "failed to create new partition table on device $1"
|
|
||||||
;;
|
|
||||||
mount )
|
|
||||||
# parameters: device
|
|
||||||
# returns the relative name of the mointpoint for success
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
name=$(get_device_name "$1")
|
|
||||||
mountpoint -q "$MNT_PARENT/$name" && \
|
|
||||||
error_msg 5 "a device with the same name ($name) is already mounted"
|
|
||||||
mkdir -p "$MNT_PARENT/$name"
|
|
||||||
if is_luks_device "$1"
|
|
||||||
then "$CRYPTSETUP" luksOpen "$1" "$name" || \
|
|
||||||
error_msg 6 "could not open encrypted device $1"
|
|
||||||
if mount "$DEV_MAPPER_DIR/$name" "$MNT_PARENT/$name"
|
|
||||||
then true
|
|
||||||
else "$CRYPTSETUP" luksClose "$name" || true
|
|
||||||
error_msg 7 "wrong password for $1 supplied"
|
|
||||||
fi
|
|
||||||
else mount "$1" "$MNT_PARENT/$name" || \
|
|
||||||
error_msg 8 "invalid filesystem on device $1"
|
|
||||||
fi
|
|
||||||
# just in case, that there is no ext2/3 filesystem:
|
|
||||||
# set uid option (will fail silently for ext2/3)
|
|
||||||
mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
|
||||||
# adapt top-level permission to current setup - again: may fail silently
|
|
||||||
chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
|
|
||||||
true
|
|
||||||
;;
|
|
||||||
umount )
|
|
||||||
#parameter: name (relative mountpoint)
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_uuid_valid "$1" || [[ "$1" =~ "^[_a-z0-9]*$" ]] || \
|
|
||||||
error_msg 4 "invalid UUID ($1)"
|
|
||||||
mountpoint -q "$MNT_PARENT/$1" || \
|
|
||||||
error_msg 9 "the device with the UUID ($1) is not mounted"
|
|
||||||
# try to unmount - continue even on errors
|
|
||||||
umount "$MNT_PARENT/$1" || \
|
|
||||||
error_msg 0 "unmount of device $1 failed - device is busy"
|
|
||||||
# remove (if necessary) the dev mapping
|
|
||||||
[ -e "$DEV_MAPPER_DIR/$1" ] && "$CRYPTSETUP" luksClose "$1" || \
|
|
||||||
error_msg 11 "could not remove the device mapper for device $1"
|
|
||||||
# try to remove the mountpoint - a failure is not important
|
|
||||||
rmdir "$MNT_PARENT/$1" || true
|
|
||||||
# set exitcode
|
|
||||||
mountpoint -q "$MNT_PARENT/$1" && exit 1
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
create_crypto )
|
|
||||||
# parameter: device
|
|
||||||
# the passphrase is expected on stdin
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
# read the passphrase from stdin
|
|
||||||
key=$(cat -)
|
|
||||||
# the iter-time is in milliseconds - keep it low for fast mounting
|
|
||||||
echo "$key" | \
|
|
||||||
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
|
|
||||||
error_msg 11 "failed to create the encrypted partition"
|
|
||||||
name=$(get_device_name "$1")
|
|
||||||
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
|
|
||||||
error_msg 12 "failed to open the encrypted partition"
|
|
||||||
# silent output from mkfs.ext3
|
|
||||||
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
|
|
||||||
error_msg 13 "failed to create the encrypted filesystem"
|
|
||||||
"$CRYPTSETUP" luksClose "$name" || \
|
|
||||||
error_msg 14 "failed to close the encrypted mapped device"
|
|
||||||
;;
|
|
||||||
get_device_name )
|
|
||||||
# parameter: device
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
get_device_name "$1"
|
|
||||||
;;
|
|
||||||
mount_config )
|
|
||||||
# parameter: device
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
|
||||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
mountpoint -q "$CONFIG_DIR" && \
|
|
||||||
error_msg 0 "the configuration partition is already mounted"
|
|
||||||
"$MKFS_CONFIG" -q "$1" || \
|
|
||||||
error_msg 20 "failed to create config partition filesystem"
|
|
||||||
;;
|
|
||||||
mount_config )
|
|
||||||
# parameter: device
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
|
||||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
mountpoint -q "$CONFIG_DIR" && \
|
|
||||||
error_msg 0 "the configuration partition is already mounted"
|
|
||||||
mount "$1" "$CONFIG_DIR" || \
|
|
||||||
error_msg 16 "failed to mount configuration partition"
|
|
||||||
# chown to fix permissions - may fail for non-ext2/3 filesystems
|
|
||||||
chown -R "$WEB_USER" "$CONFIG_DIR" || true
|
|
||||||
mount -o remount,ro "$CONFIG_DIR" || \
|
|
||||||
error_msg 18 "failed to remount configuration partition"
|
|
||||||
true
|
|
||||||
;;
|
|
||||||
remount_config )
|
|
||||||
# parameter: { ro | rw }
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
|
||||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
|
||||||
[[ "$1" =~ "^r[ow]$" ]] || error_msg 17 "only 'rw' and 'ro' are allowed"
|
|
||||||
mount -o "remount,$1" "$CONFIG_DIR" || \
|
|
||||||
error_msg 18 "failed to remount configuration partition"
|
|
||||||
true
|
|
||||||
;;
|
|
||||||
umount_config )
|
|
||||||
# no parameters
|
|
||||||
[ $# -ne 0 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
|
||||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
|
||||||
mountpoint -q "$CONFIG_DIR" && umount "$CONFIG_DIR" || \
|
|
||||||
error_msg 18 "failed to unmount configuration partition"
|
|
||||||
;;
|
|
||||||
is_config_partition )
|
|
||||||
# parameter: device
|
|
||||||
# returns exitcode 0 if the device contains a configuration
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
|
|
||||||
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
is_config=0
|
|
||||||
tmp_dir=/tmp/$(basename $0)-$$-mnt
|
|
||||||
mkdir -p "$tmp_dir"
|
|
||||||
# error means "no config partition"
|
|
||||||
if mount "$1" "$CONFIG_DIR"
|
|
||||||
then [ -e "$CONFIG_DIR/$CONFIG_MARKER" ] && is_config=1
|
|
||||||
umount "$CONFIG_DIR" || \
|
|
||||||
error_msg 14 "unable to unmount configation partition after probing"
|
|
||||||
fi
|
|
||||||
rmdir "$tmp_dir" || true
|
|
||||||
# return 0 if $device is a config partition
|
|
||||||
[ "$is_config" -eq 1 ] && exit 0
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
is_crypto_partition )
|
|
||||||
# parameter: device
|
|
||||||
# returns exitcode 0 if the device contains a luks header
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
is_luks_device "$1"
|
|
||||||
;;
|
|
||||||
is_data_partition )
|
|
||||||
# parameter: device
|
|
||||||
# returns exitcode 0 if the device contains a readable filesystem
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
status=0
|
|
||||||
tmp_dir=/tmp/$(basename $0)-$$-mnt
|
|
||||||
mkdir -p "$tmp_dir"
|
|
||||||
if mount "$1" "$tmp_dir"
|
|
||||||
then [ ! -e "$tmp_dir/$CONFIG_MARKER" ] && status=1
|
|
||||||
umount "$tmp_dir"
|
|
||||||
fi
|
|
||||||
rmdir "$tmp_dir" || true
|
|
||||||
[ "$status" -eq 1 ] && exit 0
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
trash_device )
|
|
||||||
# parameter: device
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null
|
|
||||||
;;
|
|
||||||
diskinfo )
|
|
||||||
# parameter: device
|
|
||||||
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
|
|
||||||
is_device_allowed "$1" || \
|
|
||||||
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
|
|
||||||
"$SFDISK" -L -q -l "$1"
|
|
||||||
;;
|
|
||||||
update_network )
|
|
||||||
# parameter: none
|
|
||||||
ip=
|
|
||||||
# TODO: can we avoid to hard-code the filename ($CONFIG_DIR/ip) here?
|
|
||||||
[ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip")
|
|
||||||
[ -n "$z" ] && ifconfig "$NET_IFACE" "$ip"
|
|
||||||
;;
|
|
||||||
* )
|
|
||||||
echo "Syntax: $(basename $0) ACTION PARAMETERS"
|
|
||||||
echo ' partition_disk $device $disk_layout'
|
|
||||||
echo ' get_device_name $device'
|
|
||||||
echo ' create_crypto $device'
|
|
||||||
echo ' mount $device'
|
|
||||||
echo ' umount $name'
|
|
||||||
echo ' create_config $device'
|
|
||||||
echo ' mount_config $device'
|
|
||||||
echo ' remount_config { ro | rw }'
|
|
||||||
echo ' umount_config'
|
|
||||||
echo ' is_config_partition $device'
|
|
||||||
echo ' is_plaindata_partition $device'
|
|
||||||
echo ' is_crypto_partition $device'
|
|
||||||
echo ' trash_device $device'
|
|
||||||
echo ' diskinfo $device'
|
|
||||||
echo ' update_network'
|
|
||||||
echo ' help'
|
|
||||||
echo
|
|
||||||
[ "$ACTION" == "help" ] && exit 0
|
|
||||||
# return error for any unknown/unspecified action
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
|
@ -1,92 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# a simple script to check, if there was no smb traffic for the specified
|
|
||||||
# number of minutes - then it unmounts the crypto partition
|
|
||||||
#
|
|
||||||
# you may want to adjust the function "filter_ipt_rules" according to
|
|
||||||
# your setup
|
|
||||||
#
|
|
||||||
# any Parameter are ignored
|
|
||||||
#
|
|
||||||
# this script has to run as root - as it invokes iptables
|
|
||||||
#
|
|
||||||
# the iptables rules to detect smb traffic could look like the following:
|
|
||||||
# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
|
|
||||||
# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cron (/etc/cron.d/cryptobox)
|
|
||||||
#
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
||||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
|
|
||||||
############# some functions ##################
|
|
||||||
|
|
||||||
filter_ipt_rules()
|
|
||||||
# get the input rules for smb datagram traffic
|
|
||||||
{
|
|
||||||
"$IPTABLES" -L INPUT -vnx | grep -E "udp dpt:138|tcp dpt:139"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function check_for_traffic()
|
|
||||||
{
|
|
||||||
local traffic_yes=0
|
|
||||||
# fallback if no rules were found
|
|
||||||
# extract the number of packets and calculate the sum
|
|
||||||
filter_ipt_rules | sed 's/ */ /g' | cut -d " " -f 3 | while read a
|
|
||||||
do [ "$a" -gt 0 ] && echo "$a"
|
|
||||||
done | grep -q "" && traffic_yes=1
|
|
||||||
"$IPTABLES" -Z INPUT
|
|
||||||
[ "$traffic_yes" = "1" ]
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
################### main ######################
|
|
||||||
|
|
||||||
# TODO: migrate to multi-container-setup
|
|
||||||
exit 0
|
|
||||||
|
|
||||||
# break, if crypto partition is not mounted
|
|
||||||
"$CB_SCRIPT" is_crypto_mounted || exit 0
|
|
||||||
|
|
||||||
# break, if idle timer is turned off
|
|
||||||
MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout)
|
|
||||||
[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0
|
|
||||||
|
|
||||||
# config test
|
|
||||||
[ -z "$(filter_ipt_rules)" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1
|
|
||||||
|
|
||||||
# read current idle counter
|
|
||||||
if [ -e "$IDLE_COUNTER_FILE" ]
|
|
||||||
then current_count=$(<$IDLE_COUNTER_FILE)
|
|
||||||
else current_count=0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# update counter
|
|
||||||
if check_for_traffic
|
|
||||||
then echo 0
|
|
||||||
else echo $((current_count + 1))
|
|
||||||
fi >"$IDLE_COUNTER_FILE"
|
|
||||||
|
|
||||||
# unmount crypto partition, if the threshold was reached
|
|
||||||
if [ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ]
|
|
||||||
then "$CB_SCRIPT" crypto-down >>"$LOG_FILE" 2>&1
|
|
||||||
echo "0" >"$IDLE_COUNTER_FILE"
|
|
||||||
fi
|
|
|
@ -1,55 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# FOR DEVELOPMENT ONLY!
|
|
||||||
#
|
|
||||||
# this script is used to prepare a chroot session for testing or configuring
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cbox-build.sh
|
|
||||||
#
|
|
||||||
# parameter: [commandline]
|
|
||||||
#
|
|
||||||
# if "commandline" is empty, "bash" will be used
|
|
||||||
#
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
MNT_SRC=/opt/dfsruntime/runtimerd
|
|
||||||
MNT_DST=/opt/dfsruntime/runtimemnt
|
|
||||||
# the directory /tmp/ can not be used, as it is still a broken link, too
|
|
||||||
TMP_DIR="/tmp-`basename $0`-$$"
|
|
||||||
|
|
||||||
|
|
||||||
cp -a "$MNT_SRC/." "$TMP_DIR"
|
|
||||||
mount -n --bind "$TMP_DIR" "$MNT_DST"
|
|
||||||
|
|
||||||
[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
|
|
||||||
[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
|
|
||||||
[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
|
|
||||||
|
|
||||||
# remember, if proc was mounted before (e.g. because of a running chroot)
|
|
||||||
PROC_WAS_MOUNTED=no
|
|
||||||
mount -n -t proc proc /proc 2>/dev/null || PROC_WAS_MOUNTED=yes
|
|
||||||
|
|
||||||
# default language setting - prevents dpkg error messages
|
|
||||||
export LANG=C
|
|
||||||
|
|
||||||
# set default terminal (good if you are running in a screen session)
|
|
||||||
export TERM=linux
|
|
||||||
|
|
||||||
# execute parameters as commandline
|
|
||||||
if [ $# -gt 0 ]
|
|
||||||
then "$@"
|
|
||||||
else bash
|
|
||||||
fi
|
|
||||||
|
|
||||||
umount -n "$MNT_DST"
|
|
||||||
[ "$PROC_WAS_MOUNTED" = "no" ] && umount -n proc
|
|
||||||
rm -r "$TMP_DIR"
|
|
|
@ -1,145 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# this script is part of the building process of the cryptobox
|
|
||||||
# the "normal" action is necessary for every cryptobox (development & release)
|
|
||||||
# the "secure" action is mandatory for every release CD
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cbox-build.sh after copying custom files and before creating the iso image
|
|
||||||
#
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
||||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
RUNTIMEDIR=/opt/dfsruntime/runtimerd
|
|
||||||
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
|
||||||
|
|
||||||
REMOVE_PACKAGES="strace
|
|
||||||
nvi nano vim vim-common
|
|
||||||
unzip tar zip gzip bzip2
|
|
||||||
aptitude tasksel
|
|
||||||
ssh elinks curl wget netkit-inetd telnet
|
|
||||||
exim4-daemon-light exim4-config exim4-base
|
|
||||||
ppp pppconfig pppoe pppoeconf"
|
|
||||||
|
|
||||||
# remove rc symlinks for these services
|
|
||||||
SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate"
|
|
||||||
|
|
||||||
function configure_normal()
|
|
||||||
# the usual stuff - not optimized for security
|
|
||||||
{
|
|
||||||
##### cryptobox settings ######
|
|
||||||
sed -i '/^NO_START=.*$/NO_START=0/'
|
|
||||||
sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/'
|
|
||||||
sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/'
|
|
||||||
sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/'
|
|
||||||
|
|
||||||
########### boot up ###########
|
|
||||||
# turn off creation of "/etc/nologin" (read-only fs)
|
|
||||||
sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
|
|
||||||
# turn off modifying /etc/motd (read-only fs)
|
|
||||||
sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
|
|
||||||
|
|
||||||
######### devices ##########
|
|
||||||
# create tun device for running under qemu
|
|
||||||
if [ ! -e "$TUNDEV" ]
|
|
||||||
then mkdir -p `dirname "$TUNDEV"`
|
|
||||||
mknod "$TUNDEV" c 10 200
|
|
||||||
fi
|
|
||||||
|
|
||||||
######### thttpd ###########
|
|
||||||
# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
|
|
||||||
sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
|
|
||||||
# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
|
|
||||||
sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
|
|
||||||
|
|
||||||
# the thttpd documentations says "nosymlinkcheck" instead of
|
|
||||||
# "nosymlink" - TODO: "nosymlink" breaks "/cryptobox" URL!!!
|
|
||||||
#sed -i "/symlink/d" /etc/thttpd/thttpd.conf
|
|
||||||
#echo "nosymlink" >>/etc/thttpd/thttpd.conf
|
|
||||||
|
|
||||||
########## sshd ############
|
|
||||||
if [ -e "/etc/ssh" ]; then
|
|
||||||
# allow empty passwords for ssh
|
|
||||||
# the daemon is NOT started automatically, so you have to start it
|
|
||||||
# manually in case of need - as the root pw is empty and passwd is ro, you
|
|
||||||
# have to allow empty passwords for this rare case
|
|
||||||
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
|
||||||
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
|
||||||
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
|
||||||
# allow nput of password
|
|
||||||
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
|
||||||
fi
|
|
||||||
|
|
||||||
# remove symlinks for unwanted services
|
|
||||||
for a in $SERVICES_OFF; do
|
|
||||||
# echo "Turning off service $a ..."
|
|
||||||
find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
|
|
||||||
do rm "$b"
|
|
||||||
done
|
|
||||||
done
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function configure_secure()
|
|
||||||
# remove everything that could weaken security
|
|
||||||
# configure_normal should be called too!
|
|
||||||
{
|
|
||||||
# disable keyboard login
|
|
||||||
sed -i '/getty/d' /etc/inittab
|
|
||||||
|
|
||||||
# remove unnecessary packages
|
|
||||||
dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
|
|
||||||
|
|
||||||
# remove the development features script
|
|
||||||
[ -e "$DEV_FEATURES_SCRIPT" ] && rm -f "$DEV_FEATURES_SCRIPT"
|
|
||||||
|
|
||||||
# maybe an authorized_keys file was created - but it is not dangerous,
|
|
||||||
# as the openssh package was removed anyway
|
|
||||||
[ -d /root/.ssh ] && rm -rf /root/.ssh
|
|
||||||
|
|
||||||
############## clean up ################
|
|
||||||
# remove deb-files, that were left by dfsbuild
|
|
||||||
test -d /opt/packages && rm -r /opt/packages
|
|
||||||
# remove packages and package lists
|
|
||||||
rm -fr /var/cache/apt/
|
|
||||||
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
################ main ####################
|
|
||||||
|
|
||||||
|
|
||||||
ACTION=help
|
|
||||||
[ $# -gt 0 ] && ACTION=$1
|
|
||||||
|
|
||||||
case "$ACTION" in
|
|
||||||
normal )
|
|
||||||
configure_normal
|
|
||||||
;;
|
|
||||||
secure )
|
|
||||||
configure_secure
|
|
||||||
;;
|
|
||||||
* )
|
|
||||||
echo "Syntax: `basename $0` { normal | secure }"
|
|
||||||
echo
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
|
@ -1,67 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# set up the firewall of the cryptobox
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cbox-manage.sh during network-up
|
|
||||||
#
|
|
||||||
|
|
||||||
set -u
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
||||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
|
|
||||||
ACTION="help"
|
|
||||||
[ $# -gt 0 ] && ACTION=$1
|
|
||||||
|
|
||||||
case "$ACTION" in
|
|
||||||
start)
|
|
||||||
iptables -P INPUT DROP
|
|
||||||
iptables -P FORWARD DROP
|
|
||||||
iptables -P OUTPUT ACCEPT
|
|
||||||
|
|
||||||
OFILE=/proc/sys/net/ipv4/tcp_syncookies
|
|
||||||
[ -e "$OFILE" ] && echo 1 >"$OFILE"
|
|
||||||
|
|
||||||
iptables -F
|
|
||||||
iptables -X
|
|
||||||
iptables -Z
|
|
||||||
|
|
||||||
iptables -A INPUT -i lo -j ACCEPT
|
|
||||||
|
|
||||||
for a in $ALLOW_TCP_PORTS
|
|
||||||
do iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
for a in $ALLOW_UDP_PORTS
|
|
||||||
do iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT
|
|
||||||
done
|
|
||||||
|
|
||||||
iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT
|
|
||||||
;;
|
|
||||||
stop)
|
|
||||||
iptables -P INPUT ACCEPT
|
|
||||||
iptables -P FORWARD ACCEPT
|
|
||||||
iptables -P OUTPUT ACCEPT
|
|
||||||
iptables -F
|
|
||||||
iptables -X
|
|
||||||
iptables -Z
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "usage $0 start | stop"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
||||||
#
|
|
||||||
# License: This script is distributed under the terms of version 2
|
|
||||||
# of the GNU GPL. See the LICENSE file included with the package.
|
|
||||||
#
|
|
||||||
# $Id$
|
|
||||||
#
|
|
||||||
# this script creates the stunnel certificate for https
|
|
||||||
#
|
|
||||||
# parameter: "destination file"
|
|
||||||
#
|
|
||||||
# called by:
|
|
||||||
# - cbox-manage.sh during network-up if no certificate was found on the config partition
|
|
||||||
#
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
# read the default setting file, if it exists
|
|
||||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
|
||||||
|
|
||||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
|
||||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
|
||||||
# parse config file
|
|
||||||
. "$CONF_FILE"
|
|
||||||
|
|
||||||
|
|
||||||
# vcert values are in OPENSSL_CONF_FILE
|
|
||||||
CERTFILE="$1"
|
|
||||||
TMP_FILE=/tmp/cryptobox-cert.tmp
|
|
||||||
|
|
||||||
[ ! -f "$OPENSSL_CONF_FILE" ] && echo "`basename $0`: $OPENSSL_CONF_FILE not found" && exit 2
|
|
||||||
# this command creates the certificate
|
|
||||||
# this is required, because the certbuilding asks for 5 returns
|
|
||||||
echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
|
|
||||||
chmod 600 "$CERTFILE"
|
|
||||||
|
|
||||||
# next step needs a lot of randomdata
|
|
||||||
dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
|
|
||||||
openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
|
|
||||||
rm "$TMP_FILE"
|
|
||||||
|
|
||||||
#ln -sf ${CERTPATH}stunnel.pem ${CERTPATH}`openssl x509 -noout -hash < "${CERTPATH}stunnel.pem"`.0
|
|
||||||
|
|
||||||
## print out cert values
|
|
||||||
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
|
|
|
@ -1,6 +0,0 @@
|
||||||
by scp or webdav - the last one is the better choice
|
|
||||||
|
|
||||||
1) webdav
|
|
||||||
apt-get install davfs2
|
|
||||||
modprobe coda
|
|
||||||
mount -t davfs https://upload.codecoop.org/groups/cryptobox/ /mnt/ttt
|
|
|
@ -1,5 +0,0 @@
|
||||||
developer requirements:
|
|
||||||
- dfsbuild
|
|
||||||
- wget
|
|
||||||
- curl
|
|
||||||
- (qemu)
|
|
|
@ -1,26 +0,0 @@
|
||||||
as there is no debian-package for the perl bindings of clearsilver, you have to add it manually to the tree of the cbox-tree
|
|
||||||
|
|
||||||
1) download
|
|
||||||
- get it from: http://www.clearsilver.net/downloads
|
|
||||||
- unpack (tar xzf . ...)
|
|
||||||
|
|
||||||
|
|
||||||
2) configuration
|
|
||||||
./configure --disable-python --disable-ruby --disable-csharp --disable-apache --disable-java --disable-compression --enable-perl --enable-gettext --prefix=/tmp/clearsilver-perl
|
|
||||||
|
|
||||||
|
|
||||||
3) fix a problem in scripts/document.py
|
|
||||||
change the first line to "#!/usr/bin/env python"
|
|
||||||
|
|
||||||
|
|
||||||
4) build it
|
|
||||||
- make
|
|
||||||
- make install
|
|
||||||
|
|
||||||
|
|
||||||
5) cp to the cbox
|
|
||||||
cp -a /tmp/clearsilver-perl/local/lib/perl/5.8.7/. cryptobox.conf.d/usr/lib/perl5
|
|
||||||
rm cryptobox.conf.d/usr/lib/perl5/perllocal.pod
|
|
||||||
|
|
||||||
6) dependencies
|
|
||||||
add python-clearsilver to the box (dfsbuild.conf)
|
|
|
@ -1,23 +0,0 @@
|
||||||
Hints for building and integrating a new kernel into the cryptobox:
|
|
||||||
|
|
||||||
1) get the source
|
|
||||||
download it from http://kernel.org (at least 2.6.11)
|
|
||||||
|
|
||||||
2) configure
|
|
||||||
- copy the current kernel config from the cryptobox/trunk/kernel
|
|
||||||
directory to the kernel source directory as ".config" (the .config
|
|
||||||
can also be found in the current kernel-image-cryptoboxX.Y.deb packagefile)
|
|
||||||
- make menuconfig
|
|
||||||
- make-kpkg --rootcmd fakeroot --revision=cryptoboxY.X kernel_image
|
|
||||||
(replace "Y.X" by the current cryptobox release)
|
|
||||||
|
|
||||||
3) integrating
|
|
||||||
- copy the debian kernel package (see above) and the config file to cryptobox/trunk/kernel
|
|
||||||
- change the "unpackdebs" setting in cryptobox/trunk/etc-default.d/dfs-cbox.conf
|
|
||||||
- add the new kernel package and the config file to the repository (svn add)
|
|
||||||
|
|
||||||
4) afterwork
|
|
||||||
- run "cryptobox/trunk/scripts/cbox-build.sh dfsbuild" to create a fresh base system
|
|
||||||
including the new kernel
|
|
||||||
- test the box with your new kernel
|
|
||||||
- enjoy it! :)
|
|
|
@ -1,26 +0,0 @@
|
||||||
1) set current version
|
|
||||||
- README
|
|
||||||
- cbox-tree.d/usr/share/cryptobox/templates/footer.cs
|
|
||||||
- cover/cover_[en|de].[swx|pdf]
|
|
||||||
- etc/defaults.d/dfs-cbox.conf (version setting)
|
|
||||||
|
|
||||||
2) build image
|
|
||||||
- 'scripts/cbox-build.sh release'
|
|
||||||
|
|
||||||
4) release notes
|
|
||||||
- https://systemausfall.org/trac/wiki/ReleaseNotes
|
|
||||||
- update CHANGELOG
|
|
||||||
|
|
||||||
3) upload to codecoop
|
|
||||||
- type "scp $FILE $USERNAME@shell.codecoop.org:."
|
|
||||||
- upload a dummy file with the same name via upload-web-interface to codecoop
|
|
||||||
- ask Jan Kanzleiter <idfx_at_codecoop.org> to replace the dummy with the the scp-file
|
|
||||||
- upload the checksumfile created by "md5sum cryptobox_vY.X.iso >cryptobox_vY.X.iso.md5sum"
|
|
||||||
- add release notes and changelog
|
|
||||||
- upload cover_[en|de].pdf
|
|
||||||
|
|
||||||
4) release announcement
|
|
||||||
- http://codecoop.org
|
|
||||||
- http://distrowatch.com
|
|
||||||
- http://livedistro.org
|
|
||||||
- http://linuxlinks.com
|
|
|
@ -1,7 +0,0 @@
|
||||||
# sample startup file for running the cryptobox in a user-mode-linux environment
|
|
||||||
#
|
|
||||||
# it does not work, as the dfsbuild-cd-image is not being recognized during boot
|
|
||||||
#
|
|
||||||
# just as a reminder ...
|
|
||||||
#
|
|
||||||
kernel/uml-kernel-2.6.12.3-cryptobox dfscd=/dev/ubd1 ubd1r=_builddir/cd1/image.iso ubd0=_builddir/cd1/image-working/opt/dfsruntime/initrd.dfs con=null con0=fd:0,fd:1
|
|
|
@ -1,27 +0,0 @@
|
||||||
some useful macros:
|
|
||||||
* [[TOC]] - at the beginning of the document
|
|
||||||
* [[AutoNav]] - below [[TOC]], followed by a line with "----"
|
|
||||||
* [[AddComment]] - at the end of the page (below "----")
|
|
||||||
* [[WikiInclude($PAGENAME)]] - include another wiki page
|
|
||||||
* [[redirect(wiki:$PAGENAME)]] - redirect to another page (useful to redirect to default lang)
|
|
||||||
* [[Image(file/trunk/cbox-tree.d/var/www/cryptobox-img/screenshots/$NAME)]] - beware: you may use "wiki" or "ticket" instead of "file" - very unusual syntax
|
|
||||||
* [[FootNote(Text)]] - creates a reference to a footnote - the list of footnotes is expanded by "[[FootNote]]"
|
|
||||||
|
|
||||||
special things:
|
|
||||||
* the first level heading ("= TEXT =") is considered as the page title - only lower level headings will be a part of the table of contents
|
|
||||||
* links like "CryptoBoxUser/de" are not recogniced - use "[wiki:CryptoBoxUser/de CryptoBoxUser]" instead
|
|
||||||
* for a deeper level of items or enumerations, you have to add two(!) additional spaces in front of the symbol ("*" or "1.") - this is obviously strange ...
|
|
||||||
|
|
||||||
default page layout:
|
|
||||||
[[TOC]]
|
|
||||||
[[AutoNav]]
|
|
||||||
----
|
|
||||||
|
|
||||||
= Title =
|
|
||||||
|
|
||||||
== Heading ... ==
|
|
||||||
...
|
|
||||||
|
|
||||||
----
|
|
||||||
== Comments ==
|
|
||||||
[[AddComment]]
|
|
File diff suppressed because it is too large
Load diff
Binary file not shown.
|
@ -1,6 +0,0 @@
|
||||||
BEWARE: the uml kernel does not work correctly - see ../hints/starting_uml.txt for details
|
|
||||||
|
|
||||||
see hints/kernel-build.txt for details on how to build and include a new kernel
|
|
||||||
|
|
||||||
cryptsetup-luks is not yet officially available for debian
|
|
||||||
Source: http://einsteinmg.dyndns.org/debian/unstable/
|
|
Binary file not shown.
Binary file not shown.
|
@ -1,59 +0,0 @@
|
||||||
# how to build the perl-clearsilver package:
|
|
||||||
# apt-get source clearsilver
|
|
||||||
# cat THIS_FILE | patch -p0
|
|
||||||
# cd clearsilver-*
|
|
||||||
# debian/rules binary
|
|
||||||
diff -ruN clearsilver-0.9.13.orig/debian/control clearsilver-0.9.13/debian/control
|
|
||||||
--- clearsilver-0.9.13.orig/debian/control 2005-11-30 23:09:24.000000000 +0100
|
|
||||||
+++ clearsilver-0.9.13/debian/control 2005-11-30 23:38:10.000000000 +0100
|
|
||||||
@@ -39,3 +39,13 @@
|
|
||||||
This Debian package is an empty dummy package that always depends on
|
|
||||||
a package built for Debian's default Python version.
|
|
||||||
|
|
||||||
+Package: perl-clearsilver
|
|
||||||
+Architecture: all
|
|
||||||
+Section: perl
|
|
||||||
+Priority: optional
|
|
||||||
+Depends: perl (>= 5.6)
|
|
||||||
+Description: perl bindings for clearsilver
|
|
||||||
+ Clearsilver is a fast, powerful, and language-neutral HTML template system.
|
|
||||||
+ In both static content sites and dynamic HTML applications, it
|
|
||||||
+ provides a separation between presentation code and application logic which
|
|
||||||
+ makes working with your project easier.
|
|
||||||
diff -ruN clearsilver-0.9.13.orig/debian/rules clearsilver-0.9.13/debian/rules
|
|
||||||
--- clearsilver-0.9.13.orig/debian/rules 2005-11-30 23:09:24.000000000 +0100
|
|
||||||
+++ clearsilver-0.9.13/debian/rules 2005-11-30 23:49:57.000000000 +0100
|
|
||||||
@@ -9,7 +9,7 @@
|
|
||||||
include /usr/share/cdbs/1/rules/simple-patchsys.mk
|
|
||||||
|
|
||||||
DEB_CONFIGURE_EXTRA_FLAGS := --with-python=/usr/bin/python2.3 \
|
|
||||||
- --disable-perl \
|
|
||||||
+ --with-perl=/usr/bin/perl \
|
|
||||||
--disable-ruby \
|
|
||||||
--disable-csharp \
|
|
||||||
--disable-apache \
|
|
||||||
@@ -18,6 +18,7 @@
|
|
||||||
CFLAGS += -fPIC
|
|
||||||
|
|
||||||
DEB_MAKE_INSTALL_TARGET := install DESTDIR=$(CURDIR)/debian/tmp
|
|
||||||
+DEB_SHLIBDEPS_INCLUDE_perl-clearsilver := debian/perl-clearsilver/usr/lib/perl5
|
|
||||||
DEB_SHLIBDEPS_INCLUDE_python2.3-clearsilver := debian/python2.3-clearsilver/usr/lib/python2.3/site-packages
|
|
||||||
|
|
||||||
build/python2.3-clearsilver::
|
|
||||||
@@ -27,3 +28,16 @@
|
|
||||||
|
|
||||||
binary-post-install/python2.3-clearsilver::
|
|
||||||
dh_movefiles --package=python2.3-clearsilver usr/lib/python2.3
|
|
||||||
+
|
|
||||||
+build/perl-clearsilver::
|
|
||||||
+ install -d debian/tmp/usr/lib/perl5
|
|
||||||
+ install -d debian/tmp/usr/lib/perl5/auto/ClearSilver
|
|
||||||
+ install -m644 $(DEB_BUILDDIR)/perl/ClearSilver.pm \
|
|
||||||
+ debian/tmp/usr/lib/perl5/ClearSilver.pm
|
|
||||||
+ install -m755 $(DEB_BUILDDIR)/perl/blib/arch/auto/ClearSilver/ClearSilver.so \
|
|
||||||
+ debian/tmp/usr/lib/perl5/auto/ClearSilver/ClearSilver.so
|
|
||||||
+ install -m644 $(DEB_BUILDDIR)/perl/ClearSilver.bs \
|
|
||||||
+ debian/tmp/usr/lib/perl5/auto/ClearSilver/ClearSilver.bs
|
|
||||||
+
|
|
||||||
+binary-post-install/perl-clearsilver::
|
|
||||||
+ dh_movefiles --package=perl-clearsilver usr/lib/perl5
|
|
Binary file not shown.
|
@ -1,17 +0,0 @@
|
||||||
every report summary will be constructed this way:
|
|
||||||
|
|
||||||
- header
|
|
||||||
|
|
||||||
- single_header
|
|
||||||
- result-ok | result-error
|
|
||||||
<the diff>
|
|
||||||
- single_footer
|
|
||||||
|
|
||||||
- single_header
|
|
||||||
- result-ok | result-error
|
|
||||||
<the diff>
|
|
||||||
- single_footer
|
|
||||||
|
|
||||||
...
|
|
||||||
|
|
||||||
- footer
|
|
|
@ -1,12 +0,0 @@
|
||||||
</div><!-- end of 'validation' -->
|
|
||||||
|
|
||||||
</div><!-- end of 'words' -->
|
|
||||||
|
|
||||||
<div id="footer">
|
|
||||||
<a href="https://systemausfall.org/prj/cryptobox" title="Projekt-Seite">CryptoBox-Home</a> Die CryptoBox ist ein Projekt von <a href="https://systemausfall.org/senselab" title="systemausfall.org">sense.lab</a>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
</div>
|
|
||||||
</div>
|
|
||||||
</body>
|
|
||||||
</html>
|
|
|
@ -1,25 +0,0 @@
|
||||||
<?xml version="1.0" encoding="utf-8"?>
|
|
||||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
||||||
<head>
|
|
||||||
<title>CryptoBox</title>
|
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
||||||
<meta http-equiv="pragma" content="no-cache" />
|
|
||||||
<meta http-equiv="cache-control" content="no-cache" />
|
|
||||||
<meta http-equiv="expires" content="0" />
|
|
||||||
<link rel="stylesheet" media="screen" href="cryptobox.css" type="text/css" />
|
|
||||||
</head>
|
|
||||||
<body>
|
|
||||||
|
|
||||||
<div id="main">
|
|
||||||
<div id="head">
|
|
||||||
<h1>Die CryptoBox</h1>
|
|
||||||
<h2>und zwar richtig!</h2>
|
|
||||||
</div>
|
|
||||||
|
|
||||||
<div id="content">
|
|
||||||
|
|
||||||
<div id="words">
|
|
||||||
|
|
||||||
<div id="validation">
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
<p class="error">
|
|
|
@ -1 +0,0 @@
|
||||||
<p class="valid">
|
|
|
@ -1,2 +0,0 @@
|
||||||
</p>
|
|
||||||
</div>
|
|
|
@ -1,5 +0,0 @@
|
||||||
<div class="single_case">
|
|
||||||
|
|
||||||
<h1><a href="_TESTSERIES_/_TESTNAME_.html" title="retrieved page">/_TESTNAME_</a></h1>
|
|
||||||
<h2>_TESTDESCRIPTION_</h2>
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
purge the box
|
|
|
@ -1,4 +0,0 @@
|
||||||
url https://_HOST_IP_DEFAULT_/cryptobox
|
|
||||||
data weblang=_IFACE_LANG_
|
|
||||||
data action=do_purge
|
|
||||||
data current_admin_password=
|
|
|
@ -1,7 +0,0 @@
|
||||||
Data.Config.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Config.Language=en
|
|
||||||
Data.Config.TimeOut=30
|
|
||||||
Data.Status.Config=0
|
|
||||||
Data.Status.InitRunning=0
|
|
||||||
Data.Status.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Status.Mounted=0
|
|
|
@ -1 +0,0 @@
|
||||||
displays the warning for a non-ssl connection
|
|
|
@ -1,2 +0,0 @@
|
||||||
url http://_HOST_IP_DEFAULT_/cryptobox
|
|
||||||
data weblang=_IFACE_LANG_
|
|
|
@ -1,7 +0,0 @@
|
||||||
Data.Config.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Config.Language=en
|
|
||||||
Data.Config.TimeOut=30
|
|
||||||
Data.Status.Config=0
|
|
||||||
Data.Status.InitRunning=0
|
|
||||||
Data.Status.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Status.Mounted=0
|
|
|
@ -1 +0,0 @@
|
||||||
displays thttpd's error-404-page
|
|
|
@ -1,2 +0,0 @@
|
||||||
url https://_HOST_IP_DEFAULT_/croptyfox
|
|
||||||
data weblang=_IFACE_LANG_
|
|
|
@ -1 +0,0 @@
|
||||||
try root directory index
|
|
|
@ -1,2 +0,0 @@
|
||||||
url https://_HOST_IP_DEFAULT_
|
|
||||||
data weblang=_IFACE_LANG_
|
|
|
@ -1,7 +0,0 @@
|
||||||
Data.Config.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Config.Language=en
|
|
||||||
Data.Config.TimeOut=30
|
|
||||||
Data.Status.Config=0
|
|
||||||
Data.Status.InitRunning=0
|
|
||||||
Data.Status.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Status.Mounted=0
|
|
|
@ -1 +0,0 @@
|
||||||
display the init form
|
|
|
@ -1,3 +0,0 @@
|
||||||
url https://_HOST_IP_DEFAULT_/cryptobox
|
|
||||||
data action=init_ask
|
|
||||||
data weblang=_IFACE_LANG_
|
|
|
@ -1,7 +0,0 @@
|
||||||
Data.Config.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Config.Language=en
|
|
||||||
Data.Config.TimeOut=30
|
|
||||||
Data.Status.Config=0
|
|
||||||
Data.Status.InitRunning=0
|
|
||||||
Data.Status.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Status.Mounted=0
|
|
|
@ -1 +0,0 @@
|
||||||
try initialisation with empty passwords
|
|
|
@ -1,6 +0,0 @@
|
||||||
url https://_HOST_IP_DEFAULT_/cryptobox
|
|
||||||
data action=init_do
|
|
||||||
data crypto_password=
|
|
||||||
data crypto_password2=
|
|
||||||
data confirm=_CONFIRM_TEXT_
|
|
||||||
data weblang=_IFACE_LANG_
|
|
|
@ -1,7 +0,0 @@
|
||||||
Data.Config.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Config.Language=en
|
|
||||||
Data.Config.TimeOut=30
|
|
||||||
Data.Status.Config=0
|
|
||||||
Data.Status.InitRunning=0
|
|
||||||
Data.Status.IP=_HOST_IP_DEFAULT_
|
|
||||||
Data.Status.Mounted=0
|
|
|
@ -1 +0,0 @@
|
||||||
try initialisation with different passwords
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue