@ -20,24 +20,24 @@
set -eu
# define reasonable defaults
USE_STUNNEL = 0
EXEC_FIREWALL_RULES = 0
SKIP_NETWORK_CONFIG = 1
# default location of config file
CONF_FILE = /etc/cryptobox/cryptobox.conf
LIB_DIR = $( dirname " $0 " )
CONFIG_DIR = ~/config
# to determine a nice default partition name
DEVICE_NAME_PREFIX = "Disk #"
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
[ ! -e " $CONF_FILE " ] && error_msg 1 " Could not find the configuration file: $CONF_FILE "
[ ! -e " $CONF_FILE " ] && echo " Could not find the configuration file: $CONF_FILE " >& 2 && exit 1
# parse config file
source " $CONF_FILE "
[ ! -e " $CONF_FILE " ] && error_msg 1 " Could not find the distribution specific configuration file: $CONF_FILE "
[ ! -e " $CONF_FILE " ] && echo " Could not find the distribution specific configuration file: $CONF_FILE " >& 2 && exit 1
# parse the distribution specific file
source " $DISTRIBUTION_CONF "
@ -45,21 +45,26 @@ source "$DISTRIBUTION_CONF"
# check for writable log file
[ -w " $LOG_FILE " ] || LOG_FILE = /tmp/$( basename " $LOG_FILE " )
# retrieve configuration directory
CONFIG_DIR = " $( getent passwd '$CRYPTOBOX_USER' | cut -d ':' -f 6) /config "
CONFIG_MARKER = cryptobox.marker
## configuration
CERT_TEMP = /tmp/stunnel.pem
ROOT_PERM_SCRIPT = $( dirname " $0 " ) /cryptobox_root_wrapper
ROOT_PERM_SCRIPT = " $LIB_DIR /cryptobox_root_wrapper "
# ROOT_PERM_SCRIPT needs the MNT_PARENT setting
export MNT_PARENT = " $( cd ~; pwd ) /mnt "
######## stuff ##########
ALL_PARTITIONS = $( cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
# all partitions with a trailing number
ALL_PARTITIONS = $( cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4 | grep '[0-9]$' )
#########################
function log_msg( )
{
# the log file is not writable during boot - try before writing ...
# the log file is (maybe) not writable during boot - try
# before writing ...
[ -w " $LOG_FILE " ] || return 0
echo >>" $LOG_FILE "
echo "##### `date` #####" >>" $LOG_FILE "
@ -70,6 +75,8 @@ function log_msg()
function error_msg( )
# parameters: ExitCode ErrorMessage
{
local all = $@
test $# -ne 2 && error_msg 1 " *** invalid call of error_msg *** $all "
echo " [`date`] - $2 " | tee -a " $LOG_FILE " >& 2
# print the execution stack - not usable with busybox
# caller | sed 's/^/\t/' >&2
@ -77,16 +84,30 @@ function error_msg()
}
# Parameter: device
function is_device_allowed( ) {
# check for invalid characters and exit if one is found
local device = $( echo " $1 " | sed 's#[^a-zA-Z0-9_\-\./]##g' )
test " $1 " = " $device " || return 1
# remove leading "/dev/"
device = $( echo " $device " | sed 's#^/dev/##' )
# return for empty name
test -z " $device " && return 1
for a in $ALL_PARTITIONS
do echo " $device " | grep -q " ^ $a .* " && return 0
done
# no matching device found - exit with error
return 1
}
function config_set_value( )
# parameters: SettingName [SettingValue]
# read from stdin if SettingValue is not defined
{
[ " $USE_SEPERATE_CONFIG_PARTITION " = "1" ] && " $ROOT_PERM_SCRIPT " remount_config rw
if [ $# -gt 1 ]
then echo -n " $2 " > " $CONFIG_DIR / $1 "
then echo " $2 " > " $CONFIG_DIR / $1 "
else cat - >" $CONFIG_DIR / $1 "
fi
[ " $USE_SEPERATE_CONFIG_PARTITION " = "1" ] && " $ROOT_PERM_SCRIPT " remount_config ro
}
@ -95,66 +116,22 @@ function config_get_value()
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_active
then conf_dir = $CONFIG_DIR
else conf_dir = $CONFIG_DEFAULTS_DIR
fi
[ -z " $1 " ] && error_msg 1 "empty setting name "
# check for existence - maybe use default values (for old releases without this setting)
if [ ! -e " $conf_dir / $1 " ]
then case " $1 " in
test -z " $1 " && error_msg 1 "empty setting name"
# check for existence - maybe use default values (even for old
# releases that did not contain this setting)
if test -e " $CONFIG_DIR / $1 "
then cat " $CONFIG_DIR / $1 "
elif test -e " $CONFIG_DEFAULTS_DIR / $1 "
then cat " $CONFIG_DEFAULTS_DIR / $1 "
else case " $1 " in
# you may place default values for older versions here
# for compatibility
* )
error_msg 2 " unknown configuration value ( $1 ) "
# empty output
; ;
esac
else echo -n $( cat " $conf_dir / $1 " )
# this removes the trailing line break
fi
# always return without error
true
}
function create_config( )
# Parameter: device
{
local device = $1
unload_config
# create the new configuration filesystem if it is not static
if [ " $USE_SEPERATE_CONFIG_PARTITION " != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
" $ROOT_PERM_SCRIPT " create_config " $device "
log_msg "Mounting config partition ..."
" $ROOT_PERM_SCRIPT " mount_config " $device "
" $ROOT_PERM_SCRIPT " remount_config rw
fi
log_msg "Copying configuration defaults ..."
cp -a " $CONFIG_DEFAULTS_DIR /. " " $CONFIG_DIR "
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
[ " $USE_STUNNEL " = 1 ] && cp -p " $CERT_TEMP " " $CERT_FILE "
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" " $( get_current_ip) "
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value " $CONFIG_MARKER " " $( date -I) "
}
function get_current_ip( )
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $( " $IFCONFIG " " $NET_IFACE " | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
fi
return 0
}
@ -176,45 +153,73 @@ function list_partitions_of_type()
fi
done
case " $1 " in
config | crypto | plaindata | unused )
# dirty hack, but it works
eval " echo \$ $1 "
config )
echo " $config "
; ;
crypto )
echo " $crypto "
; ;
plaindata )
echo " $plaindata "
; ;
unused )
echo " $unused "
; ;
* )
errot_msg " wrong parameter ( $1 ) for list_partition_types in $( basename $0 ) "
error_msg 11 " wrong parameter ( $1 ) for list_partition_types in $( basename $0 ) "
; ;
esac | tr " " "\n" | grep -v '^$'
return 0
}
function get_crypto_uuid( )
# Parameter: DEVICE
{
" $ROOT_PERM_SCRIPT " get_device_name " $1 "
function get_device_mnt_name( ) {
" $ROOT_PERM_SCRIPT " get_device_mnt_ name " $1 "
}
function get_crypto_name( )
# Parameter: DEVICE
# return the readable name of the crypto container, it it is already defined
function get_device_uuid( ) {
" $ROOT_PERM_SCRIPT " get_device_uuid " $1 "
}
# Parameter: DEVICE
# return the readable name of the crypto container, if it is already defined
# if undefined - return the uuid
{
local uuid = $( get_crypto_uuid " $1 " )
function get_device_name( ) {
local uuid = $( get_device _uuid " $1 " )
local dbname = $( config_get_value "names.db" | grep " ^ $uuid : " | cut -d ":" -f 2-)
if [ -z " $dbname " ]
then echo -n " $uuid "
else echo -n " $dbname "
fi
# return dbname if it exists
test -n " $dbname " && echo " $dbname " && return 0
# find a nice name for the new partition
local counter = 1
local test_name
local test_uuid
local test_result
# try to find a name with the defined "prefix" followed by a number ...
while true
do test_name = " $DEVICE_NAME_PREFIX $counter "
if config_get_value "names.db" | grep -q " : $test_name $"
then counter = $(( counter+1))
else # save it for next time
set_device_name " $1 " " $test_name "
echo " $test_name "
return 0
fi
done
}
function set_crypto_name( )
function set_device _name( )
# TODO: the implementation is quite ugly, but it works (tm)
# Parameter: DEVICE NAME
{
local uuid = $( get_crypto_uuid " $1 " )
local uuid = $( get_device _uuid " $1 " )
# remove the old setting for this device and every possible entry with the same name
( config_get_value 'names.db' | sed " /^ $uuid :/d; /^[^:]*: $2 $/d " ; echo " $uuid : $2 " ) | config_set_value 'names.db'
local new_config = $( config_get_value 'names.db' | sed " /^ $uuid :/d; /^[^:]*: $2 $/d " ; echo " $uuid : $2 " )
echo " $new_config " | config_set_value "names.db"
}
@ -252,45 +257,11 @@ function is_config_active()
}
function is_crypto_ mounted( )
function is_mounted( )
# Parameter: DEVICE
{
local name = $( get_crypto_uuid " $1 " )
[ -n " $name " ] && mountpoint -q " $MNT_PARENT / $name "
}
function is_init_running( )
{
check_at_command_queue " init"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue( )
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q " $1 "
}
function find_harddisk( )
# look for the harddisk to be partitioned
{
local device = $( get_available_disks | head -1)
if [ -z " $device " ] ; then
log_msg "no valid harddisk for initialisation found!"
cat /proc/partitions >>" $LOG_FILE "
# do not return with an error, to avoid a failing of the script ('break on error')
# the caller of this function should handle an empty return string
fi
echo -n " $device "
local name = $( get_device_mnt_name " $1 " )
test -n " $name " && mountpoint -q " $MNT_PARENT / $name "
}
@ -299,67 +270,29 @@ function get_available_disks()
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ " $scan " = " $avail " ] && echo " /dev/ $avail "
do echo " $avail " | grep -q " ^ $scan [0-9]* " && echo " /dev/ $avail "
done
done
return 0
}
function load_config( )
{
unload_config
local status = 0
# look for a configuration partition
[ " $USE_SEPERATE_CONFIG_PARTITION " = "1" ] && \
list_partitions_of_type config | while read part && [ " $status " = 0 ]
do log_msg " Trying to load configuration from /dev/ $part ... "
if " $ROOT_PERM_SCRIPT " is_config_partition " /dev/ $part "
then log_msg " configuraton found on $part "
" $ROOT_PERM_SCRIPT " mount_config " /dev/ $part "
status = 1
fi
done
if is_config_active
then # copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
[ " $USE_STUNNEL " = 1 ] && cp " $CERT_FILE " " $CERT_TEMP "
else log_msg "failed to locate config partition"
return 1
fi
true
}
function unload_config( )
{
is_config_active || return
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
if [ " $USE_SEPERATE_CONFIG_PARTITION " = "1" ]
then " $ROOT_PERM_SCRIPT " umount_config
else true
fi
}
function mount_crypto( )
# Parameter: DEVICE
{
local device = $1
[ -z " $device " ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_ mounted " $device " && echo "The crypto filesystem is already active!" && return
[ -z " $device " ] && error_msg 4 'No valid harddisk found!'
is_mounted " $device " && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg " Mounting a crypto partition from $device "
" $ROOT_PERM_SCRIPT " mount " $device " >>" $LOG_FILE " 2>& 1
}
function umount_crypto( )
# Parameter: DEVICE
{
local device = $1
local uuid = $( get_crypto_uuid $device )
" $ROOT_PERM_SCRIPT " umount " $uuid "
function umount_partition( ) {
# Parameter: device
local container = $( get_device_name " $1 " )
" $ROOT_PERM_SCRIPT " umount " $1 "
}
@ -375,27 +308,9 @@ function box_purge()
done
}
function init_cryptobox( )
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device = $( find_harddisk)
[ -z " $device " ] && log_msg 'No valid harddisk found!' && return 1
turn_off_all_crypto
unload_config || true
log_msg " Partitioning the device ( $device ) ... "
" $ROOT_PERM_SCRIPT " partition_disk " $device " "0,1,L \n,,L\n"
log_msg " Initializing config partition on ${ device } 1 ... "
# TODO: this should not be hard-coded
create_config " ${ device } 1 "
}
function turn_off_all_crypto( )
{
list_crypto_containers | while read a
do is_crypto_mounted " $a " && umount_crypto " $a "
done
function turn_off_all_containers( ) {
" $ROOT_PERM_SCRIPT " create_plain " $1 "
}
@ -409,137 +324,68 @@ ACTION=help
[ $# -gt 0 ] && ACTION = $1 && shift
case " $ACTION " in
config-up )
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
; ;
config-down )
unload_config || error_msg 4 "Could not unmount configuration partition"
; ;
network-up )
if [ " $SKIP_NETWORK_CONFIG " != 1 ]
then conf_ip = $( config_get_value "ip" )
log_msg " Configuring $NET_IFACE for $conf_ip ... "
echo " Configuring network interface for $NET_IFACE : $conf_ip "
" $IFCONFIG " " $NET_IFACE " " $conf_ip "
fi
if [ " $EXEC_FIREWALL_RULES " = 1 ]
then log_msg "Starting the firewall ..."
" $FIREWALL_SCRIPT " start
fi
if [ " $USE_STUNNEL " = 1 ]
then # start stunnel
if [ -f " $CERT_FILE " ]
then USE_CERT = $CERT_FILE
else USE_CERT = $CERT_TEMP
$MAKE_CERT_SCRIPT " $CERT_TEMP " >>" $LOG_FILE " 2>& 1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown " $WEB_USER " " $CERT_TEMP "
fi
log_msg "Starting stunnel ..."
stunnel -p " $USE_CERT " -r localhost:80 -d 443 \
|| echo " $USE_CERT not found - not starting stunnel "
fi
; ;
network-down )
if [ " $EXEC_FIREWALL_RULES " = 1 ]
then log_msg "Stopping the firewall ..."
" $FIREWALL_SCRIPT " stop
fi
if [ " $USE_STUNNEL " = 1 ]
then log_msg "Stopping stunnel ..."
# TODO: what about a pid?
killall stunnel 2>/dev/null || true
fi
if [ " $SKIP_NETWORK_CONFIG " != 1 ]
then log_msg "Shutting the network interface down ..."
" $IFCONFIG " " $NET_IFACE " down
fi
; ;
services-up )
# the mount point has to be writeable
# this action is called as root - so we are allowed to umount
# TODO: do this only for ro-filesystem
# TODO: this way of mounting is evil
if mountpoint -q " $MNT_PARENT "
then true
else mount -t tmpfs tmpfs " $MNT_PARENT "
fi
true
; ;
services-down )
# this action is called as root - so we are allowed to umount
mountpoint -q " $MNT_PARENT " && umount " $MNT_PARENT "
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
; ;
crypto-up )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-up'"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
mount_crypto " $1 "
; ;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
umount_crypto " $1 "
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'crypto-down'"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
umount_partition " $1 "
; ;
init )
init_cryptobox </dev/null >>" $LOG_FILE " 2>& 1
; ;
crypto-create )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
keyfile = /tmp/$( basename " $0 " ) -passphrase-$( basename " $1 " )
# read the password
cat - >" $keyfile "
# execute it in the background
echo " ' $0 ' crypto-create-bg ' $1 ' ' $2 ' ' $keyfile ' </dev/null >>' $LOG_FILE ' 2>&1 " | at now
; ;
crypto-create-bg )
create_crypto " $@ "
; ;
crypto-list )
list_partitions_of_type crypto
list_container )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'list_container'"
case " $1 " in
config | unused | plaindata | crypto )
list_partitions_of_type " $1 "
; ;
* )
return 1
; ;
esac
return 0
; ;
crypto-list-unused )
list_partitions_of_type unused
; ;
crypto-name )
get_device_name )
# Parameter: DEVICE
get_crypto_name " $1 "
; ;
is_crypto_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
is_crypto_mounted " $1 "
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'get_device_name'"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
get_device_name " $1 "
; ;
is_config_mounted )
is_config_active
set_device_name )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg 10 "invalid number of parameters for 'set_device_name'"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
set_device_name " $1 " " $2 "
; ;
is_init_running )
is_init_running
device_init )
# Parameter: DEVICE [KEYFILE]
test $# -lt 1 && error_msg 10 " invalid number of parameters for 'device_init' ( $@ ) "
test $# -gt 2 && error_msg 10 " invalid number of parameters for 'device_init' ( $@ ) "
if test $# -eq 2
then test -z " $2 " -o ! -e " $2 " && error_msg 11 " invalid keyfile ( $2 ) given for 'device_init' "
fi
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
if test $# -eq 2
then " $ROOT_PERM_SCRIPT " create_crypto " $1 " " $2 "
else TODO " $1 "
fi
true
; ;
is_harddisk_available )
[ -z " $( find_harddisk) " ] && exit 1
exit 0
is_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_mounted'"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
is_mounted " $1 "
; ;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ " $SKIP_NETWORK_CONFIG " != 1 ]
then echo -n " sleep 5; \" $ROOT_PERM_SCRIPT \" update_network " | at now
fi
check_config)
is_config_active
; ;
get_available_disks )
get_available_disks
; ;
get_current_ip )
get_current_ip
; ;
set_config )
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value " $1 " " $2 "
@ -548,53 +394,59 @@ case "$ACTION" in
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value " $1 "
; ;
get_capacity_info )
[ $# -ne 1 ] && error_msg 6 "'get_capacity_info' requires exactly one parameter"
is_device_allowed " $1 " || error_msg 12 " invalid device: $1 "
is_mounted " $1 " || error_msg 13 " the device is not mounted: $1 "
name = $( get_device_mnt_name " $1 " )
df -h " $MNT_PARENT / $name " | tail -1
; ;
diskinfo )
get_available_disks | while read a
do " $ROOT_PERM_SCRIPT " diskinfo " $a "
done
done 2>/dev/null
; ;
box-purge )
log_msg "Cleaning the CryptoBox ..."
turn_off_all_crypto
turn_off_all_containers
" $0 " config-down
box_purge >>" $LOG_FILE " 2>& 1
; ;
poweroff )
log_msg " Turning off the CryptoB ox ..."
turn_off_all_crypto
echo "poweroff" | at now
log_msg " Shutting down the Cryptob ox ..."
turn_off_all_containers
" $ROOT_PERM_SCRIPT " poweroff
; ;
reboot )
log_msg "Rebooting the CryptoBox ..."
turn_off_all_crypto
echo "reboot" | at now
log_msg "Rebooting the Cryptobox ..."
turn_off_all_containers
" $ROOT_PERM_SCRIPT " reboot
; ;
umount_all )
log_msg "Unmounting all volumes ..."
turn_off_all_containers
; ;
* )
echo " Syntax: `basename $0 ` ACTION [PARAMS] "
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo " [ $( basename $0 ) ] - unknown action: $ACTION " >& 2
echo " Syntax: $( basename $0 ) ACTION [PARAMS] "
echo " crypto-up - mount crypto partition"
echo " crypto-down - unmount crypto partition"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_available_disks - shows all connected and allowed disks"
echo " crypto-create - a wrapper for 'crypto-create-bg'"
echo " crypto-create-bg - create encrypted blockdevice and run mkfs"
echo " is_mounted - check, if crypto partition is mounted"
echo " check_config - check, if the configuration is usable"
echo " get_available_disks - shows all accessible disks"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " get_device_name DEVICE - retrieve the human readable name of a partition"
echo " set_device_name DEVICE - set the human readable name of a partition"
echo " device_init DEVICE KEYFILE - initialize the filesystem of a partition (the keyfile just contains the passphrase)"
echo " get_capacity_info - print the output of 'df' for the (mounted) partition"
echo " diskinfo - show the partition table of the harddisk"
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
echo " poweroff - shutdown the cryptobox"
echo " reboot - reboot the cryptobox"
echo " box-purge - destroy the partition tables of all harddisks (delete everything)"
echo " poweroff - turn off the computer "
echo " reboot - reboot the computer "
echo
; ;
esac