cryptonas
/
cryptonas
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

moved to a volume based web interface

Browse Source 
initialization now uses a single volume (no partitioning)
SCAN_DEVICES now define only the allowed prefix ("hd" -> all harddisks)
DEBUG_LEVEL added
check for https improved
master
lars 17 years ago
parent 49a5f739a5
commit 5fb9108640
34 changed files with 1289 additions and 785 deletions
Show Stats Download Patch File Download Diff File

508
bin/cbox-manage.sh
Unescape Escape View File

@ -20,24 +20,24 @@
set -eu
# define reasonable defaults
USE_STUNNEL=0
EXEC_FIREWALL_RULES=0
SKIP_NETWORK_CONFIG=1
# default location of config file
CONF_FILE=/etc/cryptobox/cryptobox.conf
LIB_DIR=$(dirname "$0")
CONFIG_DIR=~/config
# to determine a nice default partition name
DEVICE_NAME_PREFIX="Disk #"
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
[ ! -e "$CONF_FILE" ] && error_msg 1 "Could not find the configuration file: $CONF_FILE"
[ ! -e "$CONF_FILE" ] && echo "Could not find the configuration file: $CONF_FILE" >&2 && exit 1
# parse config file
source "$CONF_FILE"
[ ! -e "$CONF_FILE" ] && error_msg 1 "Could not find the distribution specific configuration file: $CONF_FILE"
[ ! -e "$CONF_FILE" ] && echo "Could not find the distribution specific configuration file: $CONF_FILE" >&2 && exit 1
# parse the distribution specific file
source "$DISTRIBUTION_CONF"
@ -45,21 +45,26 @@ source "$DISTRIBUTION_CONF"
# check for writable log file
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE")
# retrieve configuration directory
CONFIG_DIR="$(getent passwd '$CRYPTOBOX_USER' | cut -d ':' -f 6)/config"
CONFIG_MARKER=cryptobox.marker
## configuration
CERT_TEMP=/tmp/stunnel.pem
ROOT_PERM_SCRIPT=$(dirname "$0")/cryptobox_root_wrapper
ROOT_PERM_SCRIPT="$LIB_DIR/cryptobox_root_wrapper"
# ROOT_PERM_SCRIPT needs the MNT_PARENT setting
export MNT_PARENT="$(cd ~; pwd)/mnt"
######## stuff ##########
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
# all partitions with a trailing number
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4 | grep '[0-9]$')
#########################
function log_msg()
{
# the log file is not writable during boot - try before writing ...
# the log file is (maybe) not writable during boot - try
# before writing ...
[ -w "$LOG_FILE" ] || return 0
echo >>"$LOG_FILE"
echo "##### `date` #####" >>"$LOG_FILE"
@ -70,6 +75,8 @@ function log_msg()
function error_msg()
# parameters: ExitCode ErrorMessage
{
local all=$@
test $# -ne 2 && error_msg 1 "*** invalid call of error_msg *** $all"
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
# print the execution stack - not usable with busybox
# caller | sed 's/^/\t/' >&2
@ -77,16 +84,30 @@ function error_msg()
}
# Parameter: device
function is_device_allowed() {
# check for invalid characters and exit if one is found
local device=$(echo "$1" | sed 's#[^a-zA-Z0-9_\-\./]##g')
test "$1" = "$device" || return 1
# remove leading "/dev/"
device=$(echo "$device" | sed 's#^/dev/##')
# return for empty name
test -z "$device" && return 1
for a in $ALL_PARTITIONS
do echo "$device" | grep -q "^$a.*" && return 0
done
# no matching device found - exit with error
return 1
}
function config_set_value()
# parameters: SettingName [SettingValue]
# read from stdin if SettingValue is not defined
{
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config rw
if [ $# -gt 1 ]
then echo -n "$2" > "$CONFIG_DIR/$1"
then echo "$2" > "$CONFIG_DIR/$1"
else cat - >"$CONFIG_DIR/$1"
fi
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config ro
}
@ -95,66 +116,22 @@ function config_get_value()
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_active
then conf_dir=$CONFIG_DIR
else conf_dir=$CONFIG_DEFAULTS_DIR
fi
[ -z "$1" ] && error_msg 1 "empty setting name"
# check for existence - maybe use default values (for old releases without this setting)
if [ ! -e "$conf_dir/$1" ]
then case "$1" in
test -z "$1" && error_msg 1 "empty setting name"
# check for existence - maybe use default values (even for old
# releases that did not contain this setting)
if test -e "$CONFIG_DIR/$1"
then cat "$CONFIG_DIR/$1"
elif test -e "$CONFIG_DEFAULTS_DIR/$1"
then cat "$CONFIG_DEFAULTS_DIR/$1"
else case "$1" in
# you may place default values for older versions here
# for compatibility
* )
error_msg 2 "unknown configuration value ($1)"
# empty output
;;
esac
else echo -n $(cat "$conf_dir/$1")
# this removes the trailing line break
fi
# always return without error
true
}
function create_config()
# Parameter: device
{
local device=$1
unload_config
# create the new configuration filesystem if it is not static
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
"$ROOT_PERM_SCRIPT" create_config "$device"
log_msg "Mounting config partition ..."
"$ROOT_PERM_SCRIPT" mount_config "$device"
"$ROOT_PERM_SCRIPT" remount_config rw
fi
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" "$(get_current_ip)"
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value "$CONFIG_MARKER" "$(date -I)"
}
function get_current_ip()
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
fi
return 0
}
@ -176,45 +153,73 @@ function list_partitions_of_type()
fi
done
case "$1" in
config | crypto | plaindata | unused )
# dirty hack, but it works
eval "echo \$$1"
config )
echo "$config"
;;
crypto )
echo "$crypto"
;;
plaindata )
echo "$plaindata"
;;
unused )
echo "$unused"
;;
* )
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)"
error_msg 11 "wrong parameter ($1) for list_partition_types in $(basename $0)"
;;
esac | tr " " "\n" | grep -v '^$'
return 0
}
function get_crypto_uuid()
# Parameter: DEVICE
{
"$ROOT_PERM_SCRIPT" get_device_name "$1"
function get_device_mnt_name() {
"$ROOT_PERM_SCRIPT" get_device_mnt_name "$1"
}
function get_crypto_name()
# Parameter: DEVICE
# return the readable name of the crypto container, it it is already defined
function get_device_uuid() {
"$ROOT_PERM_SCRIPT" get_device_uuid "$1"
}
# Parameter: DEVICE
# return the readable name of the crypto container, if it is already defined
# if undefined - return the uuid
{
local uuid=$(get_crypto_uuid "$1")
function get_device_name() {
local uuid=$(get_device_uuid "$1")
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
if [ -z "$dbname" ]
then echo -n "$uuid"
else echo -n "$dbname"
fi
# return dbname if it exists
test -n "$dbname" && echo "$dbname" && return 0
# find a nice name for the new partition
local counter=1
local test_name
local test_uuid
local test_result
# try to find a name with the defined "prefix" followed by a number ...
while true
do test_name="$DEVICE_NAME_PREFIX$counter"
if config_get_value "names.db" | grep -q ":$test_name$"
then counter=$((counter+1))
else # save it for next time
set_device_name "$1" "$test_name"
echo "$test_name"
return 0
fi
done
}
function set_crypto_name()
function set_device_name()
# TODO: the implementation is quite ugly, but it works (tm)
# Parameter: DEVICE NAME
{
local uuid=$(get_crypto_uuid "$1")
local uuid=$(get_device_uuid "$1")
# remove the old setting for this device and every possible entry with the same name
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db'
local new_config=$(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2")
echo "$new_config" | config_set_value "names.db"
}
@ -252,45 +257,11 @@ function is_config_active()
}
function is_crypto_mounted()
function is_mounted()
# Parameter: DEVICE
{
local name=$(get_crypto_uuid "$1")
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name"
}
function is_init_running()
{
check_at_command_queue " init"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue()
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q "$1"
}
function find_harddisk()
# look for the harddisk to be partitioned
{
local device=$(get_available_disks | head -1)
if [ -z "$device" ] ; then
log_msg "no valid harddisk for initialisation found!"
cat /proc/partitions >>"$LOG_FILE"
# do not return with an error, to avoid a failing of the script ('break on error')
# the caller of this function should handle an empty return string
fi
echo -n "$device"
local name=$(get_device_mnt_name "$1")
test -n "$name" && mountpoint -q "$MNT_PARENT/$name"
}
@ -299,67 +270,29 @@ function get_available_disks()
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
do echo "$avail" | grep -q "^$scan[0-9]*" && echo "/dev/$avail"
done
done
return 0
}
function load_config()
{
unload_config
local status=0
# look for a configuration partition
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
list_partitions_of_type config | while read part && [ "$status" = 0 ]
do log_msg "Trying to load configuration from /dev/$part ..."
if "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
then log_msg "configuraton found on $part"
"$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
status=1
fi
done
if is_config_active
then # copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
else log_msg "failed to locate config partition"
return 1
fi
true
}
function unload_config()
{
is_config_active || return
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
then "$ROOT_PERM_SCRIPT" umount_config
else true
fi
}
function mount_crypto()
# Parameter: DEVICE
{
local device=$1
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
[ -z "$device" ] && error_msg 4 'No valid harddisk found!'
is_mounted "$device" && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg "Mounting a crypto partition from $device"
"$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
}
function umount_crypto()
# Parameter: DEVICE
{
local device=$1
local uuid=$(get_crypto_uuid $device)
"$ROOT_PERM_SCRIPT" umount "$uuid"
function umount_partition() {
# Parameter: device
local container=$(get_device_name "$1")
"$ROOT_PERM_SCRIPT" umount "$1"
}
@ -375,27 +308,9 @@ function box_purge()
done
}
function init_cryptobox()
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device=$(find_harddisk)
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1
turn_off_all_crypto
unload_config || true
log_msg "Partitioning the device ($device) ..."
"$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
log_msg "Initializing config partition on ${device}1 ..."
# TODO: this should not be hard-coded
create_config "${device}1"
}
function turn_off_all_crypto()
{
list_crypto_containers | while read a
do is_crypto_mounted "$a" && umount_crypto "$a"
done
function turn_off_all_containers() {
"$ROOT_PERM_SCRIPT" create_plain "$1"
}
@ -409,137 +324,68 @@ ACTION=help
[ $# -gt 0 ] && ACTION=$1 && shift
case "$ACTION" in
config-up )
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
;;
config-down )
unload_config || error_msg 4 "Could not unmount configuration partition"
;;
network-up )
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then conf_ip=$(config_get_value "ip")
log_msg "Configuring $NET_IFACE for $conf_ip ..."
echo "Configuring network interface for $NET_IFACE: $conf_ip"
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
fi
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
fi
if [ "$USE_STUNNEL" = 1 ]
then # start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown "$WEB_USER" "$CERT_TEMP"
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|| echo "$USE_CERT not found - not starting stunnel"
fi
;;
network-down )
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
fi
if [ "$USE_STUNNEL" = 1 ]
then log_msg "Stopping stunnel ..."
# TODO: what about a pid?
killall stunnel 2>/dev/null || true
fi
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then log_msg "Shutting the network interface down ..."
"$IFCONFIG" "$NET_IFACE" down
fi
;;
services-up )
# the mount point has to be writeable
# this action is called as root - so we are allowed to umount
# TODO: do this only for ro-filesystem
# TODO: this way of mounting is evil
if mountpoint -q "$MNT_PARENT"
then true
else mount -t tmpfs tmpfs "$MNT_PARENT"
fi
true
;;
services-down )
# this action is called as root - so we are allowed to umount
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
;;
crypto-up )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-up'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
mount_crypto "$1"
;;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
umount_crypto "$1"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-down'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
umount_partition "$1"
;;
init )
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
;;
crypto-create )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1")
# read the password
cat - >"$keyfile"
# execute it in the background
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now
;;
crypto-create-bg )
create_crypto "$@"
;;
crypto-list )
list_partitions_of_type crypto
list_container )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'list_container'"
case "$1" in
config | unused | plaindata | crypto )
list_partitions_of_type "$1"
;;
* )
return 1
;;
esac
return 0
;;
crypto-list-unused )
list_partitions_of_type unused
;;
crypto-name )
get_device_name )
# Parameter: DEVICE
get_crypto_name "$1"
;;
is_crypto_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
is_crypto_mounted "$1"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'get_device_name'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
get_device_name "$1"
;;
is_config_mounted )
is_config_active
set_device_name )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg 10 "invalid number of parameters for 'set_device_name'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
set_device_name "$1" "$2"
;;
is_init_running )
is_init_running
device_init )
# Parameter: DEVICE [KEYFILE]
test $# -lt 1 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
test $# -gt 2 && error_msg 10 "invalid number of parameters for 'device_init' ($@)"
if test $# -eq 2
then test -z "$2" -o ! -e "$2" && error_msg 11 "invalid keyfile ($2) given for 'device_init'"
fi
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
if test $# -eq 2
then "$ROOT_PERM_SCRIPT" create_crypto "$1" "$2"
else TODO "$1"
fi
true
;;
is_harddisk_available )
[ -z "$(find_harddisk)" ] && exit 1
exit 0
is_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_mounted'"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
is_mounted "$1"
;;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then echo -n "sleep 5; \"$ROOT_PERM_SCRIPT\" update_network" | at now
fi
check_config)
is_config_active
;;
get_available_disks )
get_available_disks
;;
get_current_ip )
get_current_ip
;;
set_config )
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value "$1" "$2"
@ -548,53 +394,59 @@ case "$ACTION" in
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value "$1"
;;
get_capacity_info )
[ $# -ne 1 ] && error_msg 6 "'get_capacity_info' requires exactly one parameter"
is_device_allowed "$1" || error_msg 12 "invalid device: $1"
is_mounted "$1" || error_msg 13 "the device is not mounted: $1"
name=$(get_device_mnt_name "$1")
df -h "$MNT_PARENT/$name" | tail -1
;;
diskinfo )
get_available_disks | while read a
do "$ROOT_PERM_SCRIPT" diskinfo "$a"
done
done 2>/dev/null
;;
box-purge )
log_msg "Cleaning the CryptoBox ..."
turn_off_all_crypto
turn_off_all_containers
"$0" config-down
box_purge >>"$LOG_FILE" 2>&1
;;
poweroff )
log_msg "Turning off the CryptoBox ..."
turn_off_all_crypto
echo "poweroff" | at now
log_msg "Shutting down the Cryptobox ..."
turn_off_all_containers
"$ROOT_PERM_SCRIPT" poweroff
;;
reboot )
log_msg "Rebooting the CryptoBox ..."
turn_off_all_crypto
echo "reboot" | at now
log_msg "Rebooting the Cryptobox ..."
turn_off_all_containers
"$ROOT_PERM_SCRIPT" reboot
;;
umount_all )
log_msg "Unmounting all volumes ..."
turn_off_all_containers
;;
* )
echo "Syntax: `basename $0` ACTION [PARAMS]"
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo "[$(basename $0)] - unknown action: $ACTION" >&2
echo "Syntax: $(basename $0) ACTION [PARAMS]"
echo " crypto-up - mount crypto partition"
echo " crypto-down - unmount crypto partition"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_available_disks - shows all connected and allowed disks"
echo " crypto-create - a wrapper for 'crypto-create-bg'"
echo " crypto-create-bg - create encrypted blockdevice and run mkfs"
echo " is_mounted - check, if crypto partition is mounted"
echo " check_config - check, if the configuration is usable"
echo " get_available_disks - shows all accessible disks"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " get_device_name DEVICE - retrieve the human readable name of a partition"
echo " set_device_name DEVICE - set the human readable name of a partition"
echo " device_init DEVICE KEYFILE - initialize the filesystem of a partition (the keyfile just contains the passphrase)"
echo " get_capacity_info - print the output of 'df' for the (mounted) partition"
echo " diskinfo - show the partition table of the harddisk"
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
echo " poweroff - shutdown the cryptobox"
echo " reboot - reboot the cryptobox"
echo " box-purge - destroy the partition tables of all harddisks (delete everything)"
echo " poweroff - turn off the computer"
echo " reboot - reboot the computer"
echo
;;
esac

196
bin/cbox-root-actions.sh
Unescape Escape View File

@ -17,6 +17,9 @@
set -eu
LIB_DIR=$(dirname "$0")
LIB_DIR=$(cd "$LIB_DIR"; pwd)
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
# read the default setting file, if it exists
@ -29,6 +32,9 @@ source "$CONF_FILE"
# parse distribution specific file
source "$DISTRIBUTION_CONF"
CB_SCRIPT="$LIB_DIR/cbox-manage.sh"
CONFIG_MARKER=cryptobox.marker
############ some useful functions ###############
@ -46,43 +52,54 @@ function is_device_allowed()
}
function get_device_name()
# return the uuid of the device
# if there is no uuid, then the device name is "flattened" and returned
# return the uuid of the partition (if possible)
# this only works for luks or ext2/3 partitions
# ignore volume-id as it may be non-unique
{
local UUID=
function get_device_uuid() {
local UUID
# check for luksUUID or ext2/3-uuid
if is_luks_device "$1"
then UUID=$("$CRYPTSETUP" luksUUID "$1")
else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g")
else [ -x "$DUMPE2FS" ] && UUID=$("$DUMPE2FS" -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ //g")
fi
# if there is no valid UUUD, then take the flattened device name
is_uuid_valid "$UUID" || UUID=${1//\//_}
echo "$UUID"
if test -z "$UUID"
then get_device_flat_name "$1"
else echo "$UUID"
fi
return 0
}
# the device name is "flattened"
function get_device_flat_name() {
echo "$1" | sed 's#/#_#g'
}
# the basename of the mountpoint for this device - should be somehow human_readable
function get_device_mnt_name() {
"$CB_SCRIPT" get_device_name "$1"
}
function is_uuid_valid()
# every devmapper name should look like a UUID
{
function is_uuid_valid() {
local hex=[0-9a-f]
# TODO: this is very bash-specific - translate it to grep :)
[[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]]
}
function error_msg()
# parameter ExitCode ErrorMessage
{
function error_msg() {
echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2
exit $1
}
function partition_device()
# parameter: device sfdisk_layout_setup
# e.g.: /dev/hda "0,1,L \n,,L\n"
{
function partition_device() {
# TODO: allow different layouts
# TODO: skip config partition if a configuration is already active
# sfdisk -n doesn't actually write (for testing purpose)
@ -97,7 +114,7 @@ function partition_device()
function is_luks_device()
# parameter: device
{
"$CRYPTSETUP" isLuks "$1"
"$CRYPTSETUP" isLuks "$1" 2>/dev/null
}
@ -121,19 +138,19 @@ case "$ACTION" in
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
name=$(get_device_name "$1")
mountpoint -q "$MNT_PARENT/$name" && \
error_msg 5 "a device with the same name ($name) is already mounted"
mkdir -p "$MNT_PARENT/$name"
mnt_name=$(get_device_mnt_name "$1")
mountpoint -q "$MNT_PARENT/$mnt_name" && \
error_msg 5 "a device with the same name ($mnt_name) is already mounted"
mkdir -p "$MNT_PARENT/$mnt_name"
if is_luks_device "$1"
then "$CRYPTSETUP" luksOpen "$1" "$name" || \
then "$CRYPTSETUP" luksOpen "$1" "$mnt_name" || \
error_msg 6 "could not open encrypted device $1"
if mount "$DEV_MAPPER_DIR/$name" "$MNT_PARENT/$name"
if mount "$DEV_MAPPER_DIR/$mnt_name" "$MNT_PARENT/$mnt_name"
then true
else "$CRYPTSETUP" luksClose "$name" || true
else "$CRYPTSETUP" luksClose "$mnt_name" || true
error_msg 7 "wrong password for $1 supplied"
fi
else mount "$1" "$MNT_PARENT/$name" || \
else mount "$1" "$MNT_PARENT/$mnt_name" || \
error_msg 8 "invalid filesystem on device $1"
fi
# just in case, that there is no ext2/3 filesystem:
@ -145,105 +162,86 @@ case "$ACTION" in
true
;;
umount )
#parameter: name (relative mountpoint)
#parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_uuid_valid "$1" || [[ "$1" =~ "^[_a-z0-9]*$" ]] || \
error_msg 4 "invalid UUID ($1)"
mountpoint -q "$MNT_PARENT/$1" || \
error_msg 9 "the device with the UUID ($1) is not mounted"
# try to unmount - continue even on errors
umount "$MNT_PARENT/$1" || \
error_msg 0 "unmount of device $1 failed - device is busy"
# remove (if necessary) the dev mapping
[ -e "$DEV_MAPPER_DIR/$1" ] && "$CRYPTSETUP" luksClose "$1" || \
error_msg 11 "could not remove the device mapper for device $1"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mnt_name=$(get_device_mnt_name "$1")
mountpoint -q "$MNT_PARENT/$mnt_name" || \
error_msg 9 "the device ($1) is not mounted as '$mnt_name'"
# try to unmount - do it in lazy mode
umount -l "$MNT_PARENT/$mnt_name"
# TODO: check, what happens, if there are open files - does the device gets mapping removed?
# remove (if necessary) the device mapping
if test -e "$DEV_MAPPER_DIR/$mnt_name"
then "$CRYPTSETUP" luksClose "$mnt_name" || \
error_msg 11 "could not remove the device mapper ($mnt_name) for device $1"
fi
# try to remove the mountpoint - a failure is not important
rmdir "$MNT_PARENT/$1" || true
rmdir "$MNT_PARENT/$mnt_name" || true
# set exitcode
mountpoint -q "$MNT_PARENT/$1" && exit 1
exit 0
mountpoint -q "$MNT_PARENT/$mnt_name" && exit 1
true
;;
create_crypto )
# parameter: device
# the passphrase is expected on stdin
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
# parameter: device keyfile
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
keyfile=$2
[ -e "$keyfile" ] || error_msg 2 "keyfile ($keyfile) not found"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
# read the passphrase from stdin
key=$(cat -)
# the iter-time is in milliseconds - keep it low for fast mounting
echo "$key" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
cat "$keyfile" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 --batch-mode luksFormat "$1" || \
error_msg 11 "failed to create the encrypted partition"
name=$(get_device_name "$1")
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
name=$(get_device_mnt_name "$1")
cat "$keyfile" | "$CRYPTSETUP" --batch-mode luksOpen "$1" "$name" || \
error_msg 12 "failed to open the encrypted partition"
# silent output from mkfs.ext3
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
error_msg 13 "failed to create the encrypted filesystem"
"$CRYPTSETUP" luksClose "$name" || \
error_msg 14 "failed to close the encrypted mapped device"
# trash the passphrase in keyfile
echo "0123456789abcdefghijklmnopqrstuvwxyz" > "$keyfile"
# the disk cache surely prevents the previous line from being written, but we do it anyway ...
echo "zyxwvutsrqponmlkjihgfedcba9876543210" > "$keyfile"
rm "$keyfile"
# complete in background
( # silent output from mkfs.ext3
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
error_msg 13 "failed to create the encrypted filesystem"
"$CRYPTSETUP" --batch-mode luksClose "$name" || \
error_msg 14 "failed to close the encrypted mapped device"
) </dev/null &>/dev/null &
true
;;
get_device_name )
create_plain )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters for 'create_plain'"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
get_device_name "$1"
# complete in background
( # silent output from mkfs.ext3
"$MKFS_DATA" -q "$1" || \
error_msg 15 "failed to create the plaintext filesystem"
) </dev/null &>/dev/null &
true
;;
mount_config )
get_device_mnt_name )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
"$MKFS_CONFIG" -q "$1" || \
error_msg 20 "failed to create config partition filesystem"
get_device_mnt_name "$1"
;;
mount_config )
get_device_uuid )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
mount "$1" "$CONFIG_DIR" || \
error_msg 16 "failed to mount configuration partition"
# chown to fix permissions - may fail for non-ext2/3 filesystems
chown -R "$WEB_USER" "$CONFIG_DIR" || true
mount -o remount,ro "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
remount_config )
# parameter: { ro | rw }
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
[[ "$1" =~ "^r[ow]$" ]] || error_msg 17 "only 'rw' and 'ro' are allowed"
mount -o "remount,$1" "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
umount_config )
# no parameters
[ $# -ne 0 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && umount "$CONFIG_DIR" || \
error_msg 18 "failed to unmount configuration partition"
get_device_uuid "$1"
;;
is_config_partition )
# parameter: device
# returns exitcode 0 if the device contains a configuration
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
is_config=0
@ -306,10 +304,20 @@ case "$ACTION" in
[ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip")
[ -n "$z" ] && ifconfig "$NET_IFACE" "$ip"
;;
poweroff )
# TODO: check configuration setting before
"$POWEROFF"
;;
reboot )
# TODO: check configuration setting before
"$REBOOT"
;;
* )
echo "[$(basename $0)] - unknown action: $ACTION" >&2
echo "Syntax: $(basename $0) ACTION PARAMETERS"
echo ' partition_disk $device $disk_layout'
echo ' get_device_name $device'
echo ' get_device_uuid $device'
echo ' create_crypto $device'
echo ' mount $device'
echo ' umount $name'
@ -323,6 +331,8 @@ case "$ACTION" in
echo ' trash_device $device'
echo ' diskinfo $device'
echo ' update_network'
echo ' poweroff'
echo ' reboot'
echo ' help'
echo
[ "$ACTION" == "help" ] && exit 0

485
bin/cryptobox.pl
Unescape Escape View File

@ -19,24 +19,36 @@ use ClearSilver;
use ConfigFile;
use English;
use CGI::Carp;
use IO::File;
use POSIX;
use constant CRYPTOBOX_VERSION => 0.3;
# debug levels
use constant DEBUG_NONE => 0;
use constant DEBUG_ERROR => 1;
use constant DEBUG_WARN => 2;
use constant DEBUG_INFO => 3;
# drop privileges
$UID = $EUID;
$GID = $EGID;
# necessary for suid perl scripts (see 'man perlsec' for details)
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf';
my $pagedata;
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR);
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL);
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL, $DEBUG_LEVEL);
# get the directory of the cryptobox scripts/binaries and untaint it
$CB_SCRIPT = $0;
$CB_SCRIPT =~ m/^(.*)\/[^\/]*$/;
$CB_SCRIPT = "$1/cbox-manage.sh";
$CB_SCRIPT = ($1)? "$1/cbox-manage.sh" : './cbox-manage.sh';
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE);
my $config = ConfigFile::read_config_file($CONFIG_FILE);
@ -48,20 +60,18 @@ $HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR};
$DOC_DIR = $config->{DOC_DIR};
$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
$STYLESHEET_URL = $config->{STYLESHEET_URL};
# TODO: just a quick-and-dirty hack during migration to multiple containers
my $CRYPTO_DEV = &get_available_disks();
$CRYPTO_DEV =~ m/^([\w\/_\-\.]*)$/;
$CRYPTO_DEV = "${1}2";
if (defined($config->{DEBUG_LEVEL})) {
$DEBUG_LEVEL = $config->{DEBUG_LEVEL};
} else {
$DEBUG_LEVEL = DEBUG_ERROR; # default debug level
}
my $query = new CGI;
#################### subs ######################
# for fatal errors without the chance of clearsilver-rendering
sub fatal_error()
{
sub fatal_error() {
my $message = shift;
print "Content-Type: text/html\n\n";
@ -73,8 +83,14 @@ sub fatal_error()
}
sub load_hdf
{
sub debug_msg() {
my ($level, $message) = @_;
return 0 unless ($level >= $DEBUG_LEVEL);
warn "[cryptobox]: $message";
}
sub load_hdf {
my $hdf = ClearSilver::HDF->new();
my $fname = "$HTML_TEMPLATE_DIR/main.cs";
@ -101,8 +117,7 @@ sub load_hdf
}
sub load_selected_language
{
sub load_selected_language {
my $data = shift;
my $config_language;
@ -110,7 +125,7 @@ sub load_selected_language
$data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf");
# load configured language, if it is valid
$config_language = &exec_cb_script("get_config","language");
$config_language = &get_cbox_config("language");
$config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language"));
# check for preferred browser language, if the box was not initialized yet
@ -130,6 +145,9 @@ sub load_selected_language
# load the data
$config_language = "$weblang";
# add the setting to every link
# how it should be done now ...
$data->setValue('Settings.LinkAttrs.weblang', "$weblang");
# old way of doing this ... (TODO: to be removed)
$data->setValue('Data.PostData.weblang', "$weblang");
} else {
# no valid language was selected - so you may ignore it
@ -153,9 +171,8 @@ sub load_selected_language
}
sub get_available_languages
# import the names of all available languages
{
sub get_available_languages {
my $data = shift;
my ($file, @files, $hdf, $lang_name);
@ -176,8 +193,7 @@ sub get_available_languages
# look for preferred browser language setting
# this code was adapted from Per Cederberg - http://www.percederberg.net/home/perl/select.perl
# it returns an empty string, if no supported language was found
sub get_browser_language
{
sub get_browser_language {
my ($str, @langs, @res);
# Use language preference settings
@ -199,8 +215,7 @@ sub get_browser_language
}
sub log_msg
{
sub log_msg {
my $text = shift;
open(LOGFILE,">> $LOG_FILE");
print LOGFILE "$text";
@ -208,28 +223,28 @@ sub log_msg
}
sub check_ssl
{
sub check_ssl {
# check, if we are behind a proxy with ssl (e.g. pound)
return (0==0) if ($ENV{'HTTP_FRONT_END_HTTPS'} =~ m/^on$/i);
# environment variable set (e.g. via apache directive "SetEnv HTTPS On")
return (0==0) if ($ENV{'HTTPS'} =~ m/^on$/i);
# port 80 -> not encrypted
return (0==1) if ($ENV{'SERVER_PORT'} = 80);
return (0==1) if ($ENV{'SERVER_PORT'} == 80);
# other ports -> maybe ok - we accept it
return (0==0);
}
sub check_mounted
{
return (system($CB_SCRIPT,"is_crypto_mounted",$CRYPTO_DEV) == 0);
# check, if the given device is mounted/used somehow
# Paramter: device
sub check_mounted {
my ($dev) = @_;
return (system($CB_SCRIPT,"is_mounted",$dev) == 0);
}
sub check_config
{
return (system($CB_SCRIPT,"is_config_mounted") == 0);
sub check_config {
return (system($CB_SCRIPT,"check_config") == 0);
}
@ -243,50 +258,65 @@ sub exec_cb_script {
exit 0;
} else {
# parent
@result = <PROG_OUT>;
close PROG_OUT or warn "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?";
# only read lines containing at least one non-whitespace character
@result = grep /\S/, <PROG_OUT>;
foreach (@result) { chomp; }
unless (close PROG_OUT) {
&debug_msg(DEBUG_WARN, "error while running $CB_SCRIPT (params:" . join(" ",@params) . "): $?");
return undef;
}
}
if (wantarray) {
return @result;
} else {
} elsif (@result > 0) {
return join('',@result);
} else {
return "";
}
}
sub check_init_running
{
return (system($CB_SCRIPT,"is_init_running") == 0);
sub check_init_running {
# TODO: improve this
return (0==1);
}
sub is_harddisk_available
{
return (system($CB_SCRIPT,"is_harddisk_available") == 0);
sub is_harddisk_available {
my @all_disks = &exec_cb_script("get_available_disks");
return @all_disks > 0;
}
sub get_available_disks
# TODO: this is useful for diskselection buttons
{
return &exec_cb_script("get_available_disks");
sub get_available_disks {
my @all_disks = &exec_cb_script("get_available_disks");
my ($disk, @return_disks);
foreach $disk (@all_disks) {
$disk =~ m#^([/\._\-\w]*)$#;
push @return_disks, $1 if ($1);
}
return @return_disks;
}
sub get_current_ip
# the IP of eth0 - not the configured value of the box (only for validation)
{
return &exec_cb_script("get_current_ip");
sub get_disk_name {
my ($dev) = @_;
my $disk_name = &exec_cb_script("get_device_name", $dev);
return $disk_name;
}
sub get_admin_pw
# returns the current administration password - empty, if it is not used
{
return &exec_cb_script("get_config","admin_pw");
# return the value of a configuration setting (timeout, language, ip, ...)
# Parameter: setting_name
sub get_cbox_config {
my ($setting) = @_;
# tell the exec function, that we want a scalar instead of an array
my $scalar = &exec_cb_script("get_config",$setting);
return $scalar;
}
sub render
{
sub render {
my $pagefile = "$HTML_TEMPLATE_DIR/main.cs";
print "Content-Type: text/html\n\n";
@ -297,68 +327,82 @@ sub render
}
sub mount_vol
{
my $pw = shift;
# mount an encrypted volume
# Parameter: device password
sub mount_vol {
my ($device, $pw) = @_;
if (&check_mounted) {
if (&check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'IsMounted');
} else {
open(PW_INPUT, "| $CB_SCRIPT crypto-up $CRYPTO_DEV");
open(PW_INPUT, "| $CB_SCRIPT crypto-up $device");
print PW_INPUT $pw;
close(PW_INPUT);
}
}
sub umount_vol
{
if (&check_mounted) {
system($CB_SCRIPT, "crypto-down",$CRYPTO_DEV);
# unmount a volume
# Parameter: device
sub umount_vol {
my ($device) = @_;
if (&check_mounted($device)) {
system($CB_SCRIPT, "crypto-down",$device);
} else {
$pagedata->setValue('Data.Warning', 'NotMounted');
}
}
sub box_init
{
my ($crypto_pw, $admin_pw) = @_;
system($CB_SCRIPT, "init") || return 1;
# Parameter: device passphrase
# ignore passphrase (or leave it empty) to create a plaintext volume
sub volume_init {
my ($device, $crypto_pw) = @_;
my $result;
# only for encrypted volumes:
# write passphrase to a file - necessary as perl in secured mode does not allow
# the 'open(FH, "|/bin/prog ....")' call because of possible shell expansion - stupid 'open' :(
if ($crypto_pw) {
my ($fh, $temp_file);
# generate a temporary filename (as suggested by the Perl Cookbook)
do { $temp_file = POSIX::tmpnam() }
# TODO: reduce the file mask to the minimum - maybe 0600 would be a good choice
until $fh = IO::File->new($temp_file, O_RDWR|O_CREAT|O_EXCL);
close $fh;
unless (open(TMP, ">$temp_file")) {
&debug_msg(DEBUG_ERROR, "could not open a temporary file");
return (1==0);
}
print TMP $crypto_pw;
close TMP;
$result = &exec_cb_script("device_init", $device, $temp_file);
unlink ($temp_file) if (-e $temp_file);
} else {
$result = &exec_cb_script("device_init", $device);
}
# just to be sure, that the file does not get left behind
# usually the script should overwrite and remove it
return defined($result);
}
# partitioning, config and initial cryptsetup
# TODO: define the name of the crypto container
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default");
print PW_INPUT $crypto_pw;
close(PW_INPUT);
# set administration password
$admin_pw =~ m/^(.*)$/;
system($CB_SCRIPT, "set_config", "admin_pw", $1);
sub box_purge {
&exec_cb_script("box-purge");
}
sub box_purge
{
system($CB_SCRIPT, "box-purge");
}
sub system_poweroff
{
&umount_vol() if (&check_mounted());
system($CB_SCRIPT, "poweroff");
sub system_poweroff {
&exec_cb_script("poweroff");
}
sub system_reboot
{
&umount_vol() if (&check_mounted());
system($CB_SCRIPT, "reboot");
sub system_reboot {
&exec_cb_script("reboot");
}
sub validate_ip
{
sub validate_ip {
my $ip = shift;
my @octets = split /\./, $ip;
return 0 if ($#octets == 4);
@ -371,8 +415,7 @@ sub validate_ip
}
sub validate_timeout
{
sub validate_timeout {
my $timeout = shift;
return 0 if ($timeout =~ /\D/);
return 1;
@ -380,8 +423,7 @@ sub validate_timeout
# check for a valid interface language
sub validate_language
{
sub validate_language {
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
@ -392,8 +434,7 @@ sub validate_language
# check for a valid documentation language
sub validate_doc_language
{
sub validate_doc_language {
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
@ -409,6 +450,14 @@ sub validate_doc_language
$pagedata = load_hdf();
my $current_admin_pw;
my $action = $query->param('action');
$action =~ m#^([\w\._\-]*)$#;
$action = ($1)? $1 : '';
my $device = $query->param('device');
$device =~ m#^([/_\-\w\.]*)$#;
$device = ($1)? $1 : '';
# BEWARE: there are two kinds of actions:
# * some require a harddisk
# * some do not require a harddisk
@ -423,7 +472,6 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Redirect.URL', "https://" . $hostname . $ENV{'SCRIPT_NAME'});
$pagedata->setValue('Data.Redirect.Delay', "3");
} elsif ($query->param('action')) {
my $action = $query->param('action');
#--------------------------------------------------------------#
# here you may define all cases that do not require a harddisk #
# put all other cases below the harddisk check #
@ -441,8 +489,8 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'show_doc');
}
##################### poweroff ######################
} elsif ($action eq 'shutdown_ask') {
$pagedata->setValue('Data.Action', 'form_shutdown');
} elsif ($action eq 'system_ask') {
$pagedata->setValue('Data.Action', 'form_system');
##################### reboot ########################
} elsif ($action eq 'shutdown_do') {
if ($query->param('type') eq 'reboot') {
@ -465,7 +513,11 @@ if ( ! &check_ssl()) {
#-------------------------------------------------------#
################ umount_do #######################
} elsif ($action eq 'umount_do') {
if ( ! &check_config()) {
if ($device eq '') {
&debug_msg(DEBUG_INFO, "invalid device: " . $query->param('device'));
$pagedata->setValue('Data.Warning', 'InvalidDevice');
$pagedata->setValue('Data.Action', 'emptu');
} elsif ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
@ -473,26 +525,27 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif ( ! &check_mounted()) {
} elsif ( ! &check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'NotMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Action', 'show_volume');
} else {
# unmounten
&umount_vol();
if (&check_mounted()) {
&umount_vol($device);
if (&check_mounted($device)) {
$pagedata->setValue('Data.Warning', 'UmountFailed');
$pagedata->setValue('Data.Action', 'form_umount');
$pagedata->setValue('Data.Action', 'show_volume');
} else {
$pagedata->setValue('Data.Success', 'UmountDone');
$pagedata->setValue('Data.Action', 'empty');