scripts moved to usr/lib/cryptobox

cryptobox.conf.d/usr/lib/cryptobox/check_smb_idle.sh

@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# a simple script to check, if there was smb traffic since the last test
+#
+# you may want to adjust the function "filter_ipt_rules" according to your setup
+#
+# any Parameter are ignored
+# 
+# this script has to run as root - as it invokes iptables
+#
+# possible deployment in crontab:
+#   smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
+#
+# the iptables rules you need to detect smb traffic could look like the following:
+#   iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
+#   iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+filter_ipt_rules()
+# get the input rules for smb datagram traffic
+{
+	iptables -L INPUT -vnx | grep -E "tcp upt:138|udp dpt:139"
+}
+
+
+function count_traffic()
+{
+	local sum=0
+	# fallback if no rules were found
+	echo "$sum"
+	# extract the number of packets and calculate the sum
+	filter_ipt_rules | sed 's/  */ /g' | cut -d " " -f 3 | while read a
+		do	sum=$((sum+a))
+			echo "$sum"
+	  done | tail -1
+	# sorry for the echo-tail-voodoo - i did not know it better :)
+	iptables -Z INPUT
+}
+
+# config test
+[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
+
+# return true if it was idle
+test "`count_traffic`" -eq 0
+exit $?

cryptobox.conf.d/usr/lib/cryptobox/chroot-start.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -eu
+
+TMPDIRS="var/run tmp root dev var/log"
+TMPROOT="/opt/dfsruntime/runtimemnt"
+
+
+for a in $TMPDIRS
+	do	mkdir -p "$TMPROOT/$a"
+  done
+
+[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
+[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
+[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
+
+[ ! -e /proc/mounts ] && mount -t proc proc /proc
+
+bash
+
+umount proc
+rm -r "$TMPROOT"
+mkdir "$TMPROOT"

cryptobox.conf.d/usr/lib/cryptobox/configure-cryptobox.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# this script is only called during the making of the cryptobox cd
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+RUNTIMEDIR=/opt/dfsruntime/runtimerd
+TUNDEV=$RUNTIMEDIR/dev/net/tun
+
+[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
+
+######### devices ##########
+# create tun device for running under qemu
+if [ ! -e "$TUNDEV" ]
+	then	mkdir -p `dirname "$TUNDEV"`
+		mknod "$TUNDEV" c 10 200
+  fi
+
+######### thttpd ###########
+# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
+sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
+# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
+sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
+
+######### bashrc ###########
+# remove dfshints from bashrc
+sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
+
+########## sshd ############
+# allow empty passwords for ssh
+#  the daemon is NOT started automatically, so you have to start it
+#  manually in case of need - as the root pw is empty and passwd is ro, you
+#  have to allow empty passwords for this rare case
+sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
+# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
+sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
+# allow nput of password
+sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
+
+umount /proc

cryptobox.conf.d/usr/lib/cryptobox/cryptobox.sh

@@ -0,0 +1,362 @@
+#!/bin/sh
+#
+# this script does EVERYTHING
+# all other scripts are only frontends :)
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+## configuration
+MARKER="$CONFIG_DIR/cryptobox.marker"
+CERT_TEMP=/tmp/stunnel.pem
+
+#####
+
+function error_msg()
+# parameters: ExitCode ErrorMessage
+{
+	echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
+	# print the execution stack - not usable with busybox
+	#caller | sed 's/^/\t/' >&2
+	exit "$1"
+}
+
+
+function initial_checks()
+# Parameter: device
+{
+	local device="$1"
+	[ ! -b "$device" ] && echo "blockdevice $device does not exist" && return 1
+	## check if we have an existing configpartition
+	## TODO: why this config_mount_test?
+	# config_mount_test "$device"
+	[ ! -x "$WIPE" ] && echo "$WIPE not found" && return 1
+	[ ! -x "$SFDISK" ] && echo "$SFDISK not found" && return 1
+	for a in $ALGO $HASH
+		do	grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
+			grep -q "^name *: $a$" /proc/crypto || { echo "$a is not supported by kernel" && return 1; }
+	  done
+	mount | grep -q "^$device[ 1-9] " && echo "$device is mounted" && return 1
+	return 0
+}
+
+
+function create_partitions()
+# Parameter: device
+{
+	local device="$1"
+	# first partition size is 1 sector, second goes til end
+	# sfdisk -n doesn't actually write (for testing purpose)
+	echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
+}
+
+
+function config_set_value()
+# parameters: SettingName SettingValue
+{
+	mount -o rw,remount "$CONFIG_DIR"
+	echo "$2" > "$CONFIG_DIR/$1"
+	mount -o ro,remount "$CONFIG_DIR"
+}
+
+
+function config_get_value()
+# parameters: SettingName
+{
+	# use mounted config, if it exists - otherwise use defaults
+	local conf_dir
+	if is_config_mounted
+		then	conf_dir=$CONFIG_DIR
+		else	conf_dir=$CONFIG_DEFAULTS_DIR
+	  fi
+	[ -z "$1" ] && error_msg 1 "empty setting name"
+	[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
+	cat "$conf_dir/$1"
+}
+
+
+function create_config()
+# Parameter: device
+{
+	local device="${1}1"
+	$MKFS_CONFIG "$device"
+	# mount the config partition rw
+	mount "$device" "$CONFIG_DIR"
+	# create a marker to recognize a cryptobox partition
+	date -I >"$MARKER" 
+	## write (network) interfaces 
+	cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
+
+	# copy stunnel cert
+	cp -p "$CERT_TEMP" "$CERT_FILE"
+
+	# beware: config_set_value remounts the config partition read-only
+	config_set_value "device" "$1"
+
+	config_set_value "ip" "$(get_current_ip)"
+
+	# reinitialise configuration
+	umount "$CONFIG_DIR"
+	mount_config
+}
+
+
+function get_current_ip()
+# not necessarily the same as configured (necessary for validation)
+{
+	ifconfig $NET_IFACE | grep "inet" | cut -d ":" -f2 | cut -d " " -f1
+}
+
+
+function create_crypto()
+# Parameter: device
+{
+	local device="$1"
+	# flood the crypto partition with noise
+	# - not needed -
+	#$WIPE -kq -R /dev/urandom "${device}2"
+
+	# passphrase may be passed via command line
+	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+}
+
+
+function mkfs_crypto()
+# split from create_crypto to allow background execution via web interface
+{
+	$MKFS_DATA "$CRYPTMAPPER_DEV"
+}
+
+
+function config_mount_test()
+# Parameter: device
+{
+	local device="${1}"
+	local STATUS=0
+	mount "${device}1" "$CONFIG_DIR" &>/dev/null || true
+	is_config_mounted && STATUS=1
+	umount "$CONFIG_DIR" &>/dev/null || true
+	# return code is the result of this expression
+	[ 1 -eq "$STATUS" ] && return 0
+	return 1
+}
+
+
+function is_config_mounted()
+{
+	mount | grep -q " ${CONFIG_DIR} " && [ -f "$MARKER" ]
+}
+
+
+function is_crypto_mounted()
+{
+	mount | grep -q " ${CRYPTO_DIR} "
+}
+
+
+function is_init_running()
+{
+	ps -e | grep -q -E "$MKFS_DATA|$WIPE"
+}
+
+
+function find_harddisk()
+# look for the harddisk to be partitioned
+{
+	local dev=$(
+		if is_config_mounted
+		  then	config_get_value "device"
+		  else	for a in $SCAN_DEVICES
+			do	grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
+			    done
+		fi )
+	[ -z "$dev" ] && error_msg 4 "no valid partition for initialisation found!"
+	echo -n "$dev"
+}
+
+
+function mount_config()
+{
+	is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
+	local device=$(
+	    for a in $SCAN_DEVICES
+		do	echo "Trying to load configuration from $a ..." >&2
+			config_mount_test "$a" && echo "$a" && break
+		  done )
+	if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
+		then	echo "configuraton found on $device" >&2
+			config_set_value "device" "$device"
+			return 0
+		else	echo "failed to locate harddisk" >&2
+			return 1
+	fi
+}
+
+
+function mount_crypto()
+{
+	is_crypto_mounted && echo "Das Crypto-Dateisystem ist bereits aktiv!"
+	local device=`find_harddisk`
+	# passphrase is read from stdin
+	$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+	if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+		then	/etc/init.d/samba start
+		else	dmsetup remove "$CRYPTMAPPER_DEV"
+			return 1
+	fi
+}
+
+
+function umount_crypto()
+{
+	# do not break on error
+	set +e
+	# thttpd removes PATH for cgis
+	/etc/init.d/samba stop
+	ps -e | grep -q " samba$" && killall samba
+	ps -e | grep -q " samba$" && killall -9 samba
+	umount "$CRYPTO_DIR"
+	$CRYPTSETUP remove "$CRYPTMAPPER_DEV"
+	set -e
+}
+
+		
+function init_cryptobox_part1()
+# this is only the first part of initialisation that takes no time - good for a smooth web interface
+{
+	umount_crypto || true
+	umount "$CONFIG_DIR" || true
+	local device=`find_harddisk`
+	initial_checks "$device" || error_msg 5 "Failure during initialisation - bye, bye"
+	create_partitions "$device"
+	create_config "$device"
+	create_crypto "$device"
+}
+
+
+function init_cryptobox_part2()
+# some things to be done in the background
+# these are the final steps of initialisation
+# thuid must be changed at the first time, therfore it needs to be
+# mounted
+{
+	mkfs_crypto
+	mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+	chown $SAMBA_USER "$CRYPTO_DIR"
+	umount_crypto
+}
+
+
+function init_cryptobox_complete()
+{
+	init_cryptobox_part1
+	init_cryptobox_part2
+}
+
+### main ###
+
+# set PATH because thttpd removes /sbin and /usr/sbin for cgis
+export PATH=/usr/sbin:/usr/bin:/sbin:/bin
+
+
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	config-up )
+		# die cruft option hilft vielleicht bei dem Fehler "interleaved files not (yet) supported"
+		mount -o remount,cruft /
+		if mount_config
+		  then	echo "Cryptobox configuration successfully loaded"
+		  else	error_msg 3 "Could not find a configuration partition!"
+		 fi
+		;;
+	config-down )
+		umount "$CONFIG_DIR"
+		;;
+	network-up )
+		kudzu -s -q --class network
+		conf_ip=$(config_get_value "ip")
+		ifconfig $NET_IFACE "$conf_ip"
+		echo "Configured network interface for $NET_IFACE: $conf_ip"
+		/scripts/firewall.sh start
+		# start stunnel
+		if [ -f "$CERT_FILE" ] 
+		   then	USE_CERT=$CERT_FILE
+		   else USE_CERT=$CERT_TEMP
+			/scripts/make_stunnel_cert.sh "$CERT_TEMP" >>"$LOG_FILE" 2>&1
+		  fi
+		stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
+			|| echo "$USE_CERT not found - not starting stunnel"
+		# this ping allows other hosts to get the IP of
+		# the box, in case of misconfiguration
+		ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
+		;;
+	network-down )
+		/scripts/firewall.sh stop
+		killall stunnel
+		ifconfig $NET_IFACE down
+		;;
+	services-up )
+		/etc/init.d/thttpd start
+		;;
+	services-down )
+		/etc/init.d/samba stop
+		/etc/init.d/thttpd stop
+		;;
+	box-init )
+		# this is good for commandline only, as it takes a lot of time
+		init_cryptobox_complete >>"$LOG_FILE" 2>&1
+		;;
+	box-init-fg )
+		# only partitioning and configuration
+		# this is nice for the web interface, as it is fast
+		# output redirection does not work, as it prevents cryptsetup from asking
+		# for a password
+		init_cryptobox_part1 >>"$LOG_FILE" 2>&1
+		;;
+	box-init-bg )
+		# do it in the background to provide a smoother web interface
+		# messages and errors get written to $LOG_FILE
+		# the 'exec' output redirection does not work, if called by a cgi, so
+		# redirect it as usual
+		init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1 &
+		;;
+	is_crypto_mounted )
+		is_crypto_mounted
+		;;
+	is_config_mounted )
+		is_config_mounted
+		;;
+	is_init_running )
+		is_init_running
+		;;
+	crypto-mount )
+		mount_crypto
+		;;
+	crypto-umount )
+		umount_crypto
+		;;
+	set_config )
+		[ $# -ne 3 ] && error_msg 7 "'set_config' requires two parameters"
+		config_set_value "$2" "$3"
+		;;
+	get_config )
+		[ $# -ne 2 ] && error_msg 6 "'get_config' requires exactly one parameter"
+		config_get_value "$2"
+		;;
+	diskinfo )
+		$SFDISK -L -q -l `find_harddisk`
+		;;
+	get_current_ip )
+		get_current_ip
+		;;
+	* )
+		# TODO: update this!
+		echo "Syntax: `basename $0` { mount_config | umount_config | init }"
+		echo
+		;;
+  esac

cryptobox.conf.d/usr/lib/cryptobox/devel-features.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# this script is part of the boot process of a developer's cryptobox
+#
+# it should really NEVER be executed on a production system
+# 
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+MIRROR_DIR=/tmp/mirror
+MIRROR_ORIG_DIR=/tmp/mirror.orig
+WRITE_DIRS="/usr/share/cryptobox /var/www /scripts /usr/lib/cryptobox"
+
+ACTION="--help"
+[ $# -gt 0 ] && ACTION="$1"
+
+case "$ACTION" in
+	start )
+		# start ssh daemon
+		/etc/init.d/ssh start
+
+		# copy cryptobox files to tmpfs
+		for a in $WRITE_DIRS
+			do	mkdir -p "$MIRROR_DIR/$a"
+				cp -a "$a/." "$MIRROR_DIR/$a"
+				mount --bind "$MIRROR_DIR/$a" "$a"
+		  done
+		$0 set_diff_base
+
+		# thttpd needs to be restarted to reopen its files
+		/etc/init.d/thttpd restart
+		;;
+	set_diff_base )
+		# the present content of the tmpfs mirror get copied to
+		# MIRROR_ORIG_DIR for later diffs
+		# whenever you merged a diff, you should call this function
+		[ -e "$MIRROR_ORIG_DIR" ] && rm -rf "$MIRROR_ORIG_DIR"
+		cp -a "$MIRROR_DIR" "$MIRROR_ORIG_DIR"
+		;;
+	diff )
+		cd "`dirname \"$MIRROR_ORIG_DIR\"`" 
+		# diff and remove "binary files differ"-warnings (vi-swap-files)
+		diff -ruN "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
+		;;
+	stop )
+		/etc/init.d/ssh stop
+		for a in $WRITE_DIRS
+			do	umount "$MIRROR_DIR/$a"
+		  done
+		rm -rf "$MIRROR_DIR"
+		;;
+	restart )
+		$0 stop
+		$0 start
+		;;
+	* )
+		echo "Syntax: `basename $0` { start | stop | restart }"
+		;;
+  esac

cryptobox.conf.d/usr/lib/cryptobox/firewall.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# set up the firewall of the cryptobox
+#
+
+set -u
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+ACTION="help"
+[ $# -gt 0 ] && ACTION=$1
+
+case "$ACTION" in 
+	start)
+		iptables -P INPUT DROP
+		iptables -P FORWARD DROP
+		iptables -P OUTPUT ACCEPT
+
+		OFILE=/proc/sys/net/ipv4/tcp_syncookies
+		[ -e "$OFILE" ] && echo 1 >"$OFILE"
+
+		iptables -F
+		iptables -X 
+		iptables -Z
+
+		iptables -A INPUT -i lo -j ACCEPT
+
+		for a in $ALLOW_TCP_PORTS
+		    do	iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT
+		  done
+		
+		for a in $ALLOW_UDP_PORTS
+		    do	iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT
+		  done
+		
+		iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT
+	;;
+	stop)
+		iptables -P INPUT ACCEPT
+		iptables -P FORWARD ACCEPT
+		iptables -P OUTPUT ACCEPT
+		iptables -F
+		iptables -X 
+		iptables -Z
+	;;
+	*)
+		echo "usage $0 start | stop"
+	;;
+esac
+

cryptobox.conf.d/usr/lib/cryptobox/make_stunnel_cert.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# this script creates the stunnel certificate for https
+#
+# parameter: "destination file"
+#
+
+set -eu
+
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+
+
+## vcert values are in openssl.conf
+CERTFILE="$1"
+TMP_FILE=/tmp/cryptobox-cert.tmp
+
+[ ! -f "$CONF_FILE" ] && echo "`basename $0`: $CONF_FILE not found" && exit 2
+# this command creates the certificate
+# this is required, because the certbuilding asks for 5 returns
+echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
+chmod 600 "$CERTFILE"
+
+# next step needs a lot of randomdata
+dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
+openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
+rm "$TMP_FILE"
+
+#ln -sf ${CERTPATH}stunnel.pem ${CERTPATH}`openssl x509 -noout -hash < "${CERTPATH}stunnel.pem"`.0
+
+## print out cert values
+#openssl x509 -subject -dates -fingerprint -in stunnel.pem