Browse Source

moved to a volume based web interface

initialization now uses a single volume (no partitioning)
SCAN_DEVICES now define only the allowed prefix ("hd" -> all harddisks)
DEBUG_LEVEL added
check for https improved
master
lars 16 years ago
parent
commit
5fb9108640
  1. 508
      bin/cbox-manage.sh
  2. 196
      bin/cbox-root-actions.sh
  3. 485
      bin/cryptobox.pl
  4. 5
      bin/init-script.sh
  5. 191
      bin/ro-system.sh
  6. 17
      conf-examples/cryptobox.conf
  7. 3
      conf-examples/distributions/gnu_linux
  8. 4
      debian/control
  9. 4
      debian/prerm
  10. 8
      lang/de.hdf
  11. 58
      lang/en.hdf
  12. 26
      scripts/check_languages.sh
  13. 4
      templates/empty.cs
  14. 2
      templates/error.cs
  15. 13
      templates/footer.cs
  16. 23
      templates/form_config.cs
  17. 20
      templates/form_init.cs
  18. 33
      templates/form_init_partition.cs
  19. 44
      templates/form_mount.cs
  20. 19
      templates/form_shutdown.cs
  21. 29
      templates/form_system.cs
  22. 41
      templates/form_umount.cs
  23. 17
      templates/header.cs
  24. 139
      templates/macros.cs
  25. 4
      templates/main.cs
  26. 36
      templates/nav.cs
  27. 2
      templates/show_doc.cs
  28. 2
      templates/show_log.cs
  29. 29
      templates/show_status.cs
  30. 64
      templates/show_volume.cs
  31. 15
      templates/show_volumes.cs
  32. 33
      www-data/cryptobox.css
  33. BIN
      www-data/disc_green.png
  34. BIN
      www-data/disc_red.png

508
bin/cbox-manage.sh

@ -20,24 +20,24 @@
set -eu
# define reasonable defaults
USE_STUNNEL=0
EXEC_FIREWALL_RULES=0
SKIP_NETWORK_CONFIG=1
# default location of config file
CONF_FILE=/etc/cryptobox/cryptobox.conf
LIB_DIR=$(dirname "$0")
CONFIG_DIR=~/config
# to determine a nice default partition name
DEVICE_NAME_PREFIX="Disk #"
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
[ ! -e "$CONF_FILE" ] && error_msg 1 "Could not find the configuration file: $CONF_FILE"
[ ! -e "$CONF_FILE" ] && echo "Could not find the configuration file: $CONF_FILE" >&2 && exit 1
# parse config file
source "$CONF_FILE"
[ ! -e "$CONF_FILE" ] && error_msg 1 "Could not find the distribution specific configuration file: $CONF_FILE"
[ ! -e "$CONF_FILE" ] && echo "Could not find the distribution specific configuration file: $CONF_FILE" >&2 && exit 1
# parse the distribution specific file
source "$DISTRIBUTION_CONF"
@ -45,21 +45,26 @@ source "$DISTRIBUTION_CONF"
# check for writable log file
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE")
# retrieve configuration directory
CONFIG_DIR="$(getent passwd '$CRYPTOBOX_USER' | cut -d ':' -f 6)/config"
CONFIG_MARKER=cryptobox.marker
## configuration
CERT_TEMP=/tmp/stunnel.pem
ROOT_PERM_SCRIPT=$(dirname "$0")/cryptobox_root_wrapper
ROOT_PERM_SCRIPT="$LIB_DIR/cryptobox_root_wrapper"
# ROOT_PERM_SCRIPT needs the MNT_PARENT setting
export MNT_PARENT="$(cd ~; pwd)/mnt"
######## stuff ##########
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
# all partitions with a trailing number
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4 | grep '[0-9]$')
#########################
function log_msg()
{
# the log file is not writable during boot - try before writing ...
# the log file is (maybe) not writable during boot - try
# before writing ...
[ -w "$LOG_FILE" ] || return 0
echo >>"$LOG_FILE"
echo "##### `date` #####" >>"$LOG_FILE"
@ -70,6 +75,8 @@ function log_msg()
function error_msg()
# parameters: ExitCode ErrorMessage
{
local all=$@
test $# -ne 2 && error_msg 1 "*** invalid call of error_msg *** $all"
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
# print the execution stack - not usable with busybox
# caller | sed 's/^/\t/' >&2
@ -77,16 +84,30 @@ function error_msg()
}
# Parameter: device
function is_device_allowed() {
# check for invalid characters and exit if one is found
local device=$(echo "$1" | sed 's#[^a-zA-Z0-9_\-\./]##g')
test "$1" = "$device" || return 1
# remove leading "/dev/"
device=$(echo "$device" | sed 's#^/dev/##')
# return for empty name
test -z "$device" && return 1
for a in $ALL_PARTITIONS
do echo "$device" | grep -q "^$a.*" && return 0
done
# no matching device found - exit with error
return 1
}
function config_set_value()
# parameters: SettingName [SettingValue]
# read from stdin if SettingValue is not defined
{
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config rw
if [ $# -gt 1 ]
then echo -n "$2" > "$CONFIG_DIR/$1"
then echo "$2" > "$CONFIG_DIR/$1"
else cat - >"$CONFIG_DIR/$1"
fi
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config ro
}
@ -95,66 +116,22 @@ function config_get_value()
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_active
then conf_dir=$CONFIG_DIR
else conf_dir=$CONFIG_DEFAULTS_DIR
fi
[ -z "$1" ] && error_msg 1 "empty setting name"
# check for existence - maybe use default values (for old releases without this setting)
if [ ! -e "$conf_dir/$1" ]
then case "$1" in
test -z "$1" && error_msg 1 "empty setting name"
# check for existence - maybe use default values (even for old
# releases that did not contain this setting)
if test -e "$CONFIG_DIR/$1"
then cat "$CONFIG_DIR/$1"
elif test -e "$CONFIG_DEFAULTS_DIR/$1"
then cat "$CONFIG_DEFAULTS_DIR/$1"
else case "$1" in
# you may place default values for older versions here
# for compatibility
* )
error_msg 2 "unknown configuration value ($1)"
# empty output
;;
esac
else echo -n $(cat "$conf_dir/$1")
# this removes the trailing line break
fi
# always return without error
true
}
function create_config()
# Parameter: device
{
local device=$1
unload_config
# create the new configuration filesystem if it is not static
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
"$ROOT_PERM_SCRIPT" create_config "$device"
log_msg "Mounting config partition ..."
"$ROOT_PERM_SCRIPT" mount_config "$device"
"$ROOT_PERM_SCRIPT" remount_config rw
fi
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" "$(get_current_ip)"
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value "$CONFIG_MARKER" "$(date -I)"
}
function get_current_ip()
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
fi
return 0
}
@ -176,45 +153,73 @@ function list_partitions_of_type()
fi
done
case "$1" in
config | crypto | plaindata | unused )
# dirty hack, but it works
eval "echo \$$1"
config )
echo "$config"
;;
crypto )
echo "$crypto"
;;
plaindata )
echo "$plaindata"
;;
unused )
echo "$unused"
;;
* )
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)"
error_msg 11 "wrong parameter ($1) for list_partition_types in $(basename $0)"
;;
esac | tr " " "\n" | grep -v '^$'
return 0
}
function get_crypto_uuid()
# Parameter: DEVICE
{
"$ROOT_PERM_SCRIPT" get_device_name "$1"
function get_device_mnt_name() {
"$ROOT_PERM_SCRIPT" get_device_mnt_name "$1"
}
function get_crypto_name()
# Parameter: DEVICE
# return the readable name of the crypto container, it it is already defined
function get_device_uuid() {
"$ROOT_PERM_SCRIPT" get_device_uuid "$1"
}
# Parameter: DEVICE
# return the readable name of the crypto container, if it is already defined
# if undefined - return the uuid
{
local uuid=$(get_crypto_uuid "$1")
function get_device_name() {
local uuid=$(get_device_uuid "$1")
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
if [ -z "$dbname" ]
then echo -n "$uuid"
else echo -n "$dbname"
fi
# return dbname if it exists
test -n "$dbname" && echo "$dbname" && return 0
# find a nice name for the new partition
local counter=1
local test_name
local test_uuid
local test_result
# try to find a name with the defined "prefix" followed by a number ...
while true
do test_name="$DEVICE_NAME_PREFIX$counter"
if config_get_value "names.db" | grep -q ":$test_name$"
then counter=$((counter+1))
else # save it for next time
set_device_name "$1" "$test_name"
echo "$test_name"
return 0
fi
done
}
function set_crypto_name()
function set_device_name()
# TODO: the implementation is quite ugly, but it works (tm)
# Parameter: DEVICE NAME
{
local uuid=$(get_crypto_uuid "$1")
local uuid=$(get_device_uuid "$1")
# remove the old setting for this device and every possible entry with the same name
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db'
local new_config=$(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2")
echo "$new_config" | config_set_value "names.db"
}
@ -252,45 +257,11 @@ function is_config_active()
}
function is_crypto_mounted()
function is_mounted()
# Parameter: DEVICE
{
local name=$(get_crypto_uuid "$1")
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name"
}
function is_init_running()
{
check_at_command_queue " init"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue()
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q "$1"
}
function find_harddisk()
# look for the harddisk to be partitioned
{
local device=$(get_available_disks | head -1)
if [ -z "$device" ] ; then
log_msg "no valid harddisk for initialisation found!"
cat /proc/partitions >>"$LOG_FILE"
# do not return with an error, to avoid a failing of the script ('break on error')
# the caller of this function should handle an empty return string
fi
echo -n "$device"
local name=$(get_device_mnt_name "$1")
test -n "$name" && mountpoint -q "$MNT_PARENT/$name"
}
@ -299,67 +270,29 @@ function get_available_disks()
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
do echo "$avail" | grep -q "^$scan[0-9]*" && echo "/dev/$avail"
done
done
return 0
}
function load_config()
{
unload_config
local status=0
# look for a configuration partition
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
list_partitions_of_type config | while read part && [ "$status" = 0 ]
do log_msg "Trying to load configuration from /dev/$part ..."
if "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
then log_msg "configuraton found on $part"
"$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
status=1
fi
done
if is_config_active
then # copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
else log_msg "failed to locate config partition"
return 1
fi
true
}
function unload_config()
{
is_config_active || return
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
then "$ROOT_PERM_SCRIPT" umount_config
else true
fi
}
function mount_crypto()
# Parameter: DEVICE
{
local device=$1
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
[ -z "$device" ] && error_msg 4 'No valid harddisk found!'
is_mounted "$device" && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg "Mounting a crypto partition from $device"
"$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
}
function umount_crypto()
# Parameter: DEVICE
{
local device=$1
local uuid=$(get_crypto_uuid $device)
"$ROOT_PERM_SCRIPT" umount "$uuid"
function umount_partition() {
# Parameter: device
local container=$(get_device_name "$1")
"$ROOT_PERM_SCRIPT" umount "$1"
}
@ -375,27 +308,9 @@ function box_purge()
done
}
function init_cryptobox()
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device=$(find_harddisk)
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1
turn_off_all_crypto
unload_config || true
log_msg "Partitioning the device ($device) ..."
"$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
log_msg "Initializing config partition on ${device}1 ..."
# TODO: this should not be hard-coded
create_config "${device}1"
}
function turn_off_all_crypto()
{
list_crypto_containers | while read a
do is_crypto_mounted "$a" && umount_crypto "$a"
done
function turn_off_all_containers() {
"$ROOT_PERM_SCRIPT" create_plain "$1"
}
@ -409,137 +324,68 @@ ACTION=help
[ $# -gt 0 ] && ACTION=$1 && shift
case "$ACTION" in
config-up )
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
;;
config-down )
unload_config || error_msg 4 "Could not unmount configuration partition"
;;
network-up )
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then conf_ip=$(config_get_value "ip")
log_msg "Configuring $NET_IFACE for $conf_ip ..."
echo "Configuring network interface for $NET_IFACE: $conf_ip"
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
fi
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
fi
if [ "$USE_STUNNEL" = 1 ]
then # start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown "$WEB_USER" "$CERT_TEMP"
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|| echo "$USE_CERT not found - not starting stunnel"
fi
;;
network-down )
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
fi
if [ "$USE_STUNNEL" = 1 ]
then log_msg "Stopping stunnel ..."
# TODO: what about a pid?
killall stunnel 2>/dev/null || true
fi
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then log_msg "Shutting the network interface down ..."
"$IFCONFIG" "$NET_IFACE" down
fi
;;
services-up )
# the mount point has to be writeable
# this action is called as root - so we are allowed to umount
# TODO: do this only for ro-filesystem
# TODO: this way of mounting is evil
if mountpoint -q "$MNT_PARENT"
then true
else mount -t tmpfs tmpfs "$MNT_PARENT"
fi
true
;;
services-down )
# this action is called as root - so we are allowed to umount
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
;;
crypto-up )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-up'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
mount_crypto "$1"
;;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
umount_crypto "$1"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-down'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
umount_partition "$1"
;;
init )
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
;;
crypto-create )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1")
# read the password
cat - >"$keyfile"
# execute it in the background
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now
;;
crypto-create-bg )
create_crypto "$@"
;;
crypto-list )
list_partitions_of_type crypto
list_container )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'list_container'"
case "$1" in
config | unused | plaindata | crypto )
list_partitions_of_type "$1"
;;
* )
return 1
;;
esac
return 0
;;
crypto-list-unused )
list_partitions_of_type unused
;;
crypto-name )
get_device_name )
# Parameter: DEVICE
get_crypto_name "$1"
;;
is_crypto_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
is_crypto_mounted "$1"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'get_device_name'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
get_device_name "$1"
;;
is_config_mounted )
is_config_active
set_device_name )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg 10 "invalid number of parameters for 'set_device_name'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
set_device_name "$1" "$2"
;;
is_init_running )
is_init_running
device_init )
# Parameter: DEVICE [KEYFILE]
test $# -lt 1 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
test $# -gt 2 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
if test $# -eq 2
then test -z "$2" -o ! -e "$2" && error_msg 11 "invalid keyfile ($2) given for 'device_init'"
fi
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
if test $# -eq 2
then "$ROOT_PERM_SCRIPT" create_crypto "$1" "$2"
else TODO "$1"
fi
true
;;
is_harddisk_available )
[ -z "$(find_harddisk)" ] && exit 1
exit 0
is_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_mounted'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
is_mounted "$1"
;;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then echo -n "sleep 5; \"$ROOT_PERM_SCRIPT\" update_network" | at now
fi
check_config)
is_config_active
;;
get_available_disks )
get_available_disks
;;
get_current_ip )
get_current_ip
;;
set_config )
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value "$1" "$2"
@ -548,53 +394,59 @@ case "$ACTION" in
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value "$1"
;;
get_capacity_info )
[ $# -ne 1 ] && error_msg 6 "'get_capacity_info' requires exactly one parameter"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
is_mounted "$1" || error_msg 13 "the device is not mounted: $1"
name=$(get_device_mnt_name "$1")
df -h "$MNT_PARENT/$name" | tail -1
;;
diskinfo )
get_available_disks | while read a
do "$ROOT_PERM_SCRIPT" diskinfo "$a"
done
done 2>/dev/null
;;
box-purge )
log_msg "Cleaning the CryptoBox ..."
turn_off_all_crypto
turn_off_all_containers
"$0" config-down
box_purge >>"$LOG_FILE" 2>&1
;;
poweroff )
log_msg "Turning off the CryptoBox ..."
turn_off_all_crypto
echo "poweroff" | at now
log_msg "Shutting down the Cryptobox ..."
turn_off_all_containers
"$ROOT_PERM_SCRIPT" poweroff
;;
reboot )
log_msg "Rebooting the CryptoBox ..."
turn_off_all_crypto
echo "reboot" | at now
log_msg "Rebooting the Cryptobox ..."
turn_off_all_containers
"$ROOT_PERM_SCRIPT" reboot
;;
umount_all )
log_msg "Unmounting all volumes ..."
turn_off_all_containers
;;
* )
echo "Syntax: `basename $0` ACTION [PARAMS]"
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo "[$(basename $0)] - unknown action: $ACTION" >&2
echo "Syntax: $(basename $0) ACTION [PARAMS]"
echo " crypto-up - mount crypto partition"
echo " crypto-down - unmount crypto partition"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_available_disks - shows all connected and allowed disks"
echo " crypto-create - a wrapper for 'crypto-create-bg'"
echo " crypto-create-bg - create encrypted blockdevice and run mkfs"
echo " is_mounted - check, if crypto partition is mounted"
echo " check_config - check, if the configuration is usable"
echo " get_available_disks - shows all accessible disks"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " get_device_name DEVICE - retrieve the human readable name of a partition"
echo " set_device_name DEVICE - set the human readable name of a partition"
echo " device_init DEVICE KEYFILE - initialize the filesystem of a partition (the keyfile just contains the passphrase)"
echo " get_capacity_info - print the output of 'df' for the (mounted) partition"
echo " diskinfo - show the partition table of the harddisk"
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
echo " poweroff - shutdown the cryptobox"
echo " reboot - reboot the cryptobox"
echo " box-purge - destroy the partition tables of all harddisks (delete everything)"
echo " poweroff - turn off the computer"
echo " reboot - reboot the computer"
echo
;;
esac

196
bin/cbox-root-actions.sh

@ -17,6 +17,9 @@
set -eu
LIB_DIR=$(dirname "$0")
LIB_DIR=$(cd "$LIB_DIR"; pwd)
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
# read the default setting file, if it exists
@ -29,6 +32,9 @@ source "$CONF_FILE"
# parse distribution specific file
source "$DISTRIBUTION_CONF"
CB_SCRIPT="$LIB_DIR/cbox-manage.sh"
CONFIG_MARKER=cryptobox.marker
############ some useful functions ###############
@ -46,43 +52,54 @@ function is_device_allowed()
}
function get_device_name()
# return the uuid of the device
# if there is no uuid, then the device name is "flattened" and returned
# return the uuid of the partition (if possible)
# this only works for luks or ext2/3 partitions
# ignore volume-id as it may be non-unique
{
local UUID=
function get_device_uuid() {
local UUID
# check for luksUUID or ext2/3-uuid
if is_luks_device "$1"
then UUID=$("$CRYPTSETUP" luksUUID "$1")
else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g")
else [ -x "$DUMPE2FS" ] && UUID=$("$DUMPE2FS" -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ //g")
fi
# if there is no valid UUUD, then take the flattened device name
is_uuid_valid "$UUID" || UUID=${1//\//_}
echo "$UUID"
if test -z "$UUID"
then get_device_flat_name "$1"
else echo "$UUID"
fi
return 0
}
# the device name is "flattened"
function get_device_flat_name() {
echo "$1" | sed 's#/#_#g'
}
# the basename of the mountpoint for this device - should be somehow human_readable
function get_device_mnt_name() {
"$CB_SCRIPT" get_device_name "$1"
}
function is_uuid_valid()
# every devmapper name should look like a UUID
{
function is_uuid_valid() {
local hex=[0-9a-f]
# TODO: this is very bash-specific - translate it to grep :)
[[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]]
}
function error_msg()
# parameter ExitCode ErrorMessage
{
function error_msg() {
echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2
exit $1
}
function partition_device()
# parameter: device sfdisk_layout_setup
# e.g.: /dev/hda "0,1,L \n,,L\n"
{
function partition_device() {
# TODO: allow different layouts
# TODO: skip config partition if a configuration is already active
# sfdisk -n doesn't actually write (for testing purpose)
@ -97,7 +114,7 @@ function partition_device()
function is_luks_device()
# parameter: device
{
"$CRYPTSETUP" isLuks "$1"
"$CRYPTSETUP" isLuks "$1" 2>/dev/null
}
@ -121,19 +138,19 @@ case "$ACTION" in
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
name=$(get_device_name "$1")
mountpoint -q "$MNT_PARENT/$name" && \
error_msg 5 "a device with the same name ($name) is already mounted"
mkdir -p "$MNT_PARENT/$name"
mnt_name=$(get_device_mnt_name "$1")
mountpoint -q "$MNT_PARENT/$mnt_name" && \
error_msg 5 "a device with the same name ($mnt_name) is already mounted"
mkdir -p "$MNT_PARENT/$mnt_name"
if is_luks_device "$1"
then "$CRYPTSETUP" luksOpen "$1" "$name" || \
then "$CRYPTSETUP" luksOpen "$1" "$mnt_name" || \
error_msg 6 "could not open encrypted device $1"
if mount "$DEV_MAPPER_DIR/$name" "$MNT_PARENT/$name"
if mount "$DEV_MAPPER_DIR/$mnt_name" "$MNT_PARENT/$mnt_name"
then true
else "$CRYPTSETUP" luksClose "$name" || true
else "$CRYPTSETUP" luksClose "$mnt_name" || true
error_msg 7 "wrong password for $1 supplied"
fi
else mount "$1" "$MNT_PARENT/$name" || \
else mount "$1" "$MNT_PARENT/$mnt_name" || \
error_msg 8 "invalid filesystem on device $1"
fi
# just in case, that there is no ext2/3 filesystem:
@ -145,105 +162,86 @@ case "$ACTION" in
true
;;
umount )
#parameter: name (relative mountpoint)
#parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_uuid_valid "$1" || [[ "$1" =~ "^[_a-z0-9]*$" ]] || \
error_msg 4 "invalid UUID ($1)"
mountpoint -q "$MNT_PARENT/$1" || \
error_msg 9 "the device with the UUID ($1) is not mounted"
# try to unmount - continue even on errors
umount "$MNT_PARENT/$1" || \
error_msg 0 "unmount of device $1 failed - device is busy"
# remove (if necessary) the dev mapping
[ -e "$DEV_MAPPER_DIR/$1" ] && "$CRYPTSETUP" luksClose "$1" || \
error_msg 11 "could not remove the device mapper for device $1"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mnt_name=$(get_device_mnt_name "$1")
mountpoint -q "$MNT_PARENT/$mnt_name" || \
error_msg 9 "the device ($1) is not mounted as '$mnt_name'"
# try to unmount - do it in lazy mode
umount -l "$MNT_PARENT/$mnt_name"
# TODO: check, what happens, if there are open files - does the device gets mapping removed?
# remove (if necessary) the device mapping
if test -e "$DEV_MAPPER_DIR/$mnt_name"
then "$CRYPTSETUP" luksClose "$mnt_name" || \
error_msg 11 "could not remove the device mapper ($mnt_name) for device $1"
fi
# try to remove the mountpoint - a failure is not important
rmdir "$MNT_PARENT/$1" || true
rmdir "$MNT_PARENT/$mnt_name" || true
# set exitcode
mountpoint -q "$MNT_PARENT/$1" && exit 1
exit 0
mountpoint -q "$MNT_PARENT/$mnt_name" && exit 1
true
;;
create_crypto )
# parameter: device
# the passphrase is expected on stdin
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
# parameter: device keyfile
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
keyfile=$2
[ -e "$keyfile" ] || error_msg 2 "keyfile ($keyfile) not found"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
# read the passphrase from stdin
key=$(cat -)
# the iter-time is in milliseconds - keep it low for fast mounting
echo "$key" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
cat "$keyfile" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 --batch-mode luksFormat "$1" || \
error_msg 11 "failed to create the encrypted partition"
name=$(get_device_name "$1")
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
name=$(get_device_mnt_name "$1")
cat "$keyfile" | "$CRYPTSETUP" --batch-mode luksOpen "$1" "$name" || \
error_msg 12 "failed to open the encrypted partition"
# silent output from mkfs.ext3
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
error_msg 13 "failed to create the encrypted filesystem"
"$CRYPTSETUP" luksClose "$name" || \
error_msg 14 "failed to close the encrypted mapped device"
# trash the passphrase in keyfile
echo "0123456789abcdefghijklmnopqrstuvwxyz" > "$keyfile"
# the disk cache surely prevents the previous line from being written, but we do it anyway ...
echo "zyxwvutsrqponmlkjihgfedcba9876543210" > "$keyfile"
rm "$keyfile"
# complete in background
( # silent output from mkfs.ext3
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
error_msg 13 "failed to create the encrypted filesystem"
"$CRYPTSETUP" --batch-mode luksClose "$name" || \
error_msg 14 "failed to close the encrypted mapped device"
) </dev/null &>/dev/null &
true
;;
get_device_name )
create_plain )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters for 'create_plain'"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
get_device_name "$1"
# complete in background
( # silent output from mkfs.ext3
"$MKFS_DATA" -q "$1" || \
error_msg 15 "failed to create the plaintext filesystem"
) </dev/null &>/dev/null &
true
;;
mount_config )
get_device_mnt_name )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
"$MKFS_CONFIG" -q "$1" || \
error_msg 20 "failed to create config partition filesystem"
get_device_mnt_name "$1"
;;
mount_config )
get_device_uuid )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
mount "$1" "$CONFIG_DIR" || \
error_msg 16 "failed to mount configuration partition"
# chown to fix permissions - may fail for non-ext2/3 filesystems
chown -R "$WEB_USER" "$CONFIG_DIR" || true
mount -o remount,ro "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
remount_config )
# parameter: { ro | rw }
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
[[ "$1" =~ "^r[ow]$" ]] || error_msg 17 "only 'rw' and 'ro' are allowed"
mount -o "remount,$1" "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
umount_config )
# no parameters
[ $# -ne 0 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && umount "$CONFIG_DIR" || \
error_msg 18 "failed to unmount configuration partition"
get_device_uuid "$1"
;;
is_config_partition )
# parameter: device
# returns exitcode 0 if the device contains a configuration
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
is_config=0
@ -306,10 +304,20 @@ case "$ACTION" in
[ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip")
[ -n "$z" ] && ifconfig "$NET_IFACE" "$ip"
;;
poweroff )
# TODO: check configuration setting before
"$POWEROFF"
;;
reboot )
# TODO: check configuration setting before
"$REBOOT"
;;
* )
echo "[$(basename $0)] - unknown action: $ACTION" >&2
echo "Syntax: $(basename $0) ACTION PARAMETERS"
echo ' partition_disk $device $disk_layout'
echo ' get_device_name $device'
echo ' get_device_uuid $device'
echo ' create_crypto $device'
echo ' mount $device'
echo ' umount $name'
@ -323,6 +331,8 @@ case "$ACTION" in
echo ' trash_device $device'
echo ' diskinfo $device'
echo ' update_network'
echo ' poweroff'
echo ' reboot'
echo ' help'
echo
[ "$ACTION" == "help" ] && exit 0

485
bin/cryptobox.pl

@ -19,24 +19,36 @@ use ClearSilver;
use ConfigFile;
use English;
use CGI::Carp;
use IO::File;
use POSIX;
use constant CRYPTOBOX_VERSION => 0.3;
# debug levels
use constant DEBUG_NONE => 0;
use constant DEBUG_ERROR => 1;
use constant DEBUG_WARN => 2;
use constant DEBUG_INFO => 3;
# drop privileges
$UID = $EUID;
$GID = $EGID;
# necessary for suid perl scripts (see 'man perlsec' for details)
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf';
my $pagedata;
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR);
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL);
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL, $DEBUG_LEVEL);
# get the directory of the cryptobox scripts/binaries and untaint it
$CB_SCRIPT = $0;
$CB_SCRIPT =~ m/^(.*)\/[^\/]*$/;
$CB_SCRIPT = "$1/cbox-manage.sh";
$CB_SCRIPT = ($1)? "$1/cbox-manage.sh" : './cbox-manage.sh';
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE);
my $config = ConfigFile::read_config_file($CONFIG_FILE);
@ -48,20 +60,18 @@ $HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR};
$DOC_DIR = $config->{DOC_DIR};
$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
$STYLESHEET_URL = $config->{STYLESHEET_URL};
# TODO: just a quick-and-dirty hack during migration to multiple containers
my $CRYPTO_DEV = &get_available_disks();
$CRYPTO_DEV =~ m/^([\w\/_\-\.]*)$/;
$CRYPTO_DEV = "${1}2";
if (defined($config->{DEBUG_LEVEL})) {
$DEBUG_LEVEL = $config->{DEBUG_LEVEL};
} else {
$DEBUG_LEVEL = DEBUG_ERROR; # default debug level
}
my $query = new CGI;
#################### subs ######################
# for fatal errors without the chance of clearsilver-rendering
sub fatal_error()
{
sub fatal_error() {
my $message = shift;
print "Content-Type: text/html\n\n";
@ -73,8 +83,14 @@ sub fatal_error()
}
sub load_hdf
{
sub debug_msg() {
my ($level, $message) = @_;
return 0 unless ($level >= $DEBUG_LEVEL);
warn "[cryptobox]: $message";
}
sub load_hdf {
my $hdf = ClearSilver::HDF->new();
my $fname = "$HTML_TEMPLATE_DIR/main.cs";
@ -101,8 +117,7 @@ sub load_hdf
}
sub load_selected_language
{
sub load_selected_language {
my $data = shift;
my $config_language;
@ -110,7 +125,7 @@ sub load_selected_language
$data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf");
# load configured language, if it is valid
$config_language = &exec_cb_script("get_config","language");
$config_language = &get_cbox_config("language");
$config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language"));
# check for preferred browser language, if the box was not initialized yet
@ -130,6 +145,9 @@ sub load_selected_language
# load the data
$config_language = "$weblang";
# add the setting to every link
# how it should be done now ...
$data->setValue('Settings.LinkAttrs.weblang', "$weblang");
# old way of doing this ... (TODO: to be removed)
$data->setValue('Data.PostData.weblang', "$weblang");
} else {
# no valid language was selected - so you may ignore it
@ -153,9 +171,8 @@ sub load_selected_language
}
sub get_available_languages
# import the names of all available languages
{
sub get_available_languages {
my $data = shift;
my ($file, @files, $hdf, $lang_name);
@ -176,8 +193,7 @@ sub get_available_languages
# look for preferred browser language setting
# this code was adapted from Per Cederberg - http://www.percederberg.net/home/perl/select.perl
# it returns an empty string, if no supported language was found
sub get_browser_language
{
sub get_browser_language {
my ($str, @langs, @res);
# Use language preference settings
@ -199,8 +215,7 @@ sub get_browser_language
}
sub log_msg
{
sub log_msg {
my $text = shift;
open(LOGFILE,">> $LOG_FILE");
print LOGFILE "$text";
@ -208,28 +223,28 @@ sub log_msg
}
sub check_ssl
{
sub check_ssl {
# check, if we are behind a proxy with ssl (e.g. pound)
return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
# port 80 -> not encrypted
return (0==1) if ($ENV{'SERVER_PORT'} = 80);
return (0==1) if ($ENV{'SERVER_PORT'} == 80);
# other ports -> maybe ok - we accept it
return (0==0);
}
sub check_mounted
{
return (system($CB_SCRIPT,"is_crypto_mounted",$CRYPTO_DEV) == 0);
# check, if the given device is mounted/used somehow
# Paramter: device
sub check_mounted {
my ($dev) = @_;
return (system($CB_SCRIPT,"is_mounted",$dev) == 0);
}
sub check_config
{
return (system($CB_SCRIPT,"is_config_mounted") == 0);
sub check_config {
return (system($CB_SCRIPT,"check_config") == 0);
}
@ -243,50 +258,65 @@ sub exec_cb_script {
exit 0;
} else {
# parent
@result = <PROG_OUT>;
close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
# only read lines containing at least one non-whitespace character
@result = grep /\S/, <PROG_OUT>;
foreach (@result) { chomp; }
unless (close PROG_OUT) {
&debug_msg(DEBUG_WARN, "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?");
return undef;
}
}
if (wantarray) {
return @result;
} else {
} elsif (@result > 0) {
return join('',@result);
} else {
return "";
}
}
sub check_init_running
{
return (system($CB_SCRIPT,"is_init_running") == 0);
sub check_init_running {
# TODO: improve this
return (0==1);
}
sub is_harddisk_available
{
return (system($CB_SCRIPT,"is_harddisk_available") == 0);
sub is_harddisk_available {
my @all_disks = &exec_cb_script("get_available_disks");
return @all_disks > 0;
}
sub get_available_disks
# TODO: this is useful for diskselection buttons
{
return &exec_cb_script("get_available_disks");
sub get_available_disks {
my @all_disks = &exec_cb_script("get_available_disks");
my ($disk, @return_disks);
foreach $disk (@all_disks) {
$disk =~ m#^([/\._\-\w]*)$#;
push @return_disks, $1 if ($1);
}
return @return_disks;
}
sub get_current_ip
# the IP of eth0 - not the configured value of the box (only for validation)
{
return &exec_cb_script("get_current_ip");
sub get_disk_name {
my ($dev) = @_;
my $disk_name = &exec_cb_script("get_device_name", $dev);
return $disk_name;
}
sub get_admin_pw
# returns the current administration password - empty, if it is not used
{
return &exec_cb_script("get_config","admin_pw");
# return the value of a configuration setting (timeout, language, ip, ...)
# Parameter: setting_name
sub get_cbox_config {
my ($setting) = @_;
# tell the exec function, that we want a scalar instead of an array
my $scalar = &exec_cb_script("get_config",$setting);
return $scalar;
}
sub render
{
sub render {
my $pagefile = "$HTML_TEMPLATE_DIR/main.cs";
print "Content-Type: text/html\n\n";
@ -297,68 +327,82 @@ sub render
}
sub mount_vol
{
my $pw = shift;
# mount an encrypted volume
# Parameter: device password
sub mount_vol {
my ($device, $pw) = @_;
if (&check_mounted) {
if (&check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'IsMounted');
} else {
open(PW_INPUT, "| $CB_SCRIPT crypto-up $CRYPTO_DEV");
open(PW_INPUT, "| $CB_SCRIPT crypto-up $device");
print PW_INPUT $pw;
close(PW_INPUT);
}
}
sub umount_vol
{
if (&check_mounted) {
system($CB_SCRIPT, "crypto-down",$CRYPTO_DEV);
# unmount a volume
# Parameter: device
sub umount_vol {
my ($device) = @_;
if (&check_mounted($device)) {
system($CB_SCRIPT, "crypto-down",$device);
} else {
$pagedata->setValue('Data.Warning', 'NotMounted');
}
}
sub box_init
{
my ($crypto_pw, $admin_pw) = @_;
system($CB_SCRIPT, "init") || return 1;
# Parameter: device passphrase
# ignore passphrase (or leave it empty) to create a plaintext volume
sub volume_init {
my ($device, $crypto_pw) = @_;
my $result;
# only for encrypted volumes:
# write passphrase to a file - necessary as perl in secured mode does not allow
# the 'open(FH, "|/bin/prog ....")' call because of possible shell expansion - stupid 'open' :(
if ($crypto_pw) {
my ($fh, $temp_file);
# generate a temporary filename (as suggested by the Perl Cookbook)
do { $temp_file = POSIX::tmpnam() }
# TODO: reduce the file mask to the minimum - maybe 0600 would be a good choice
until $fh = IO::File->new($temp_file, O_RDWR|O_CREAT|O_EXCL);
close $fh;
unless (open(TMP, ">$temp_file")) {
&debug_msg(DEBUG_ERROR, "could not open a temporary file");
return (1==0);
}
print TMP $crypto_pw;
close TMP;
$result = &exec_cb_script("device_init", $device, $temp_file);
unlink ($temp_file) if (-e $temp_file);
} else {
$result = &exec_cb_script("device_init", $device);
}
# just to be sure, that the file does not get left behind
# usually the script should overwrite and remove it
return defined($result);
}
# partitioning, config and initial cryptsetup
# TODO: define the name of the crypto container
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default");
print PW_INPUT $crypto_pw;
close(PW_INPUT);
# set administration password
$admin_pw =~ m/^(.*)$/;
system($CB_SCRIPT, "set_config", "admin_pw", $1);
sub box_purge {
&exec_cb_script("box-purge");
}
sub box_purge
{
system($CB_SCRIPT, "box-purge");
}
sub system_poweroff
{
&umount_vol() if (&check_mounted());
system($CB_SCRIPT, "poweroff");
sub system_poweroff {
&exec_cb_script("poweroff");
}
sub system_reboot
{
&umount_vol() if (&check_mounted());
system($CB_SCRIPT, "reboot");
sub system_reboot {
&exec_cb_script("reboot");
}
sub validate_ip
{
sub validate_ip {
my $ip = shift;
my @octets = split /\./, $ip;
return 0 if ($#octets == 4);
@ -371,8 +415,7 @@ sub validate_ip
}
sub validate_timeout
{
sub validate_timeout {
my $timeout = shift;
return 0 if ($timeout =~ /\D/);
return 1;
@ -380,8 +423,7 @@ sub validate_timeout
# check for a valid interface language
sub validate_language
{
sub validate_language {
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
@ -392,8 +434,7 @@ sub validate_language
# check for a valid documentation language
sub validate_doc_language
{
sub validate_doc_language {
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
@ -409,6 +450,14 @@ sub validate_doc_language
$pagedata = load_hdf();
my $current_admin_pw;
my $action = $query->param('action');
$action =~ m#^([\w\._\-]*)$#;
$action = ($1)? $1 : '';
my $device = $query->param('device');
$device =~ m#^([/_\-\w\.]*)$#;
$device = ($1)? $1 : '';
# BEWARE: there are two kinds of actions:
# * some require a harddisk
# * some do not require a harddisk
@ -423,7 +472,6 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
$pagedata->setValue('Data.Redirect.Delay', "3");
} elsif ($query->param('action')) {
my $action = $query->param('action');
#--------------------------------------------------------------#
# here you may define all cases that do not require a harddisk #
# put all other cases below the harddisk check #
@ -441,8 +489,8 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'show_doc');
}
##################### poweroff ######################
} elsif ($action eq 'shutdown_ask') {
$pagedata->setValue('Data.Action', 'form_shutdown');
} elsif ($action eq 'system_ask') {
$pagedata->setValue('Data.Action', 'form_system');
##################### reboot ########################
} elsif ($action eq 'shutdown_do') {
if ($query->param('type') eq 'reboot') {
@ -465,7 +513,11 @@ if ( ! &check_ssl()) {
#-------------------------------------------------------#
################ umount_do #######################
} elsif ($action eq 'umount_do') {
if ( ! &check_config()) {
if ($device eq '') {
&debug_msg(DEBUG_INFO, "invalid device: " . $query->param('device'));
$pagedata->setValue('Data.Warning', 'InvalidDevice');
$pagedata->setValue('Data.Action', 'emptu');
} elsif ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
@ -473,26 +525,27 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif ( ! &check_mounted()) {
} elsif ( ! &check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'NotMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Action', 'show_volume');
} else {
# unmounten
&umount_vol();
if (&check_mounted()) {
&umount_vol($device);
if (&check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'UmountFailed');
$pagedata->setValue('Data.Action', 'form_umount');
$pagedata->setValue('Data.Action', 'show_volume');
} else {
$pagedata->setValue('Data.Success', 'UmountDone');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
#$pagedata->setValue('Data.Success', 'UmountDone');
$pagedata->setValue('Data.Action', 'show_volume');
}
}
################ mount_do ########################
} elsif ($action eq 'mount_do') {
# mount requested
if ( ! &check_config()) {
if ($device eq '') {
&debug_msg(DEBUG_INFO, "invalid device: " . $query->param('device'));
$pagedata->setValue('Data.Warning', 'InvalidDevice');
$pagedata->setValue('Data.Action', 'empty');
} elsif ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
@ -500,26 +553,22 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif (&check_mounted()) {
} elsif (&check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'IsMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
$pagedata->setValue('Data.Action', 'show_volume');
} elsif ($query->param('crypto_password') eq '') {
# leeres Passwort
$pagedata->setValue('Data.Warning', 'EmptyCryptoPassword');
$pagedata->setValue('Data.Action', 'form_mount')