153 changed files with 0 additions and 10805 deletions
@ -1 +0,0 @@ |
|||
* * * * * root [ -e /usr/lib/cryptobox/cbox-manage.sh ] && /usr/lib/cryptobox/check_smb_idle.sh |
|||
@ -1,56 +0,0 @@ |
|||
# this file is directly sourced by some bash scripts |
|||
# so there should be no space around the "=" |
|||
|
|||
LANGUAGE=en |
|||
NET_IFACE=eth0 |
|||
FILE_USER=cryptobox-data |
|||
WEB_USER=www-data |
|||
SCAN_DEVICES="sda" |
|||
#SCAN_DEVICES="hda hdb hdc hdd hde hdf hdg scd sg sda sdb sdc sdd" |
|||
|
|||
# set this to "1" to create a dedicated configuration partition (very small) |
|||
# this should only be necessary, if your root filesystem is read-only (as for a live-cd) |
|||
USE_SEPERATE_CONFIG_PARTITION=0 |
|||
|
|||
# web interface |
|||
HTML_TEMPLATE_DIR=/usr/share/cryptobox/templates |
|||
STYLESHEET_URL=/cryptobox-misc/cryptobox.css |
|||
|
|||
# directories |
|||
LANGUAGE_DIR=/usr/share/cryptobox/lang |
|||
DOC_DIR=/usr/share/doc/cryptobox/html |
|||
CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults |
|||
CONFIG_DIR=/var/lib/cryptobox/config |
|||
MNT_PARENT=/var/lib/cryptobox/mnt |
|||
|
|||
# some files |
|||
CB_SCRIPT=/usr/lib/cryptobox/cbox-manage.sh |
|||
ROOT_PERM_SCRIPT=/usr/lib/cryptobox/cbox-root-actions.sh |
|||
DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh |
|||
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh |
|||
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh |
|||
LOG_FILE=/var/log/cryptobox.log |
|||
CERT_FILE=/var/lib/cryptobox/config/stunnel.pem |
|||
OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf |
|||
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter |
|||
CONFIG_MARKER=cryptobox.marker |
|||
|
|||
# crypto settings |
|||
# there is no default hash, as this is ignored by luks |
|||
DEFAULT_CIPHER=aes-cbc-essiv:sha256 |
|||
DEV_MAPPER_DIR=/dev/mapper |
|||
|
|||
# some programs |
|||
SFDISK=/sbin/sfdisk |
|||
MKFS_DATA=/sbin/mkfs.ext3 |
|||
MKFS_CONFIG=/sbin/mkfs.ext2 |
|||
CRYPTSETUP=/sbin/cryptsetup |
|||
IPTABLES=/sbin/iptables |
|||
IFCONFIG=/sbin/ifconfig |
|||
|
|||
# firewall setings |
|||
# do not use multiports (iptables) as the timeout-script depends on |
|||
# single port rules |
|||
# ssh is allowed too, but the server is not started automatically |
|||
ALLOW_TCP_PORTS="22 80 139 443 445" |
|||
ALLOW_UDP_PORTS="137 138" |
|||
@ -1 +0,0 @@ |
|||
$Revision$ |
|||
@ -1,65 +0,0 @@ |
|||
# |
|||
# OpenSSL configuration file. |
|||
# |
|||
|
|||
# Establish working directory. |
|||
|
|||
dir = . |
|||
|
|||
[ ca ] |
|||
default_ca = CA_default |
|||
|
|||
[ CA_default ] |
|||
default_days = 3650 |
|||
default_md = md5 |
|||
policy = policy_match |
|||
#serial = $dir/serial |
|||
#database = $dir/index.txt |
|||
#new_certs_dir = $dir/newcert |
|||
#certificate = $dir/cacert.pem |
|||
#private_key = $dir/private/cakey.pem |
|||
#preserve = no |
|||
#email_in_dn = no |
|||
#nameopt = default_ca |
|||
#certopt = default_ca |
|||
|
|||
[ policy_match ] |
|||
countryName = match |
|||
stateOrProvinceName = match |
|||
organizationName = match |
|||
organizationalUnitName = match |
|||
commonName = supplied |
|||
emailAddress = optional |
|||
|
|||
[ req ] |
|||
default_bits = 1024 # Size of keys |
|||
default_keyfile = stunnel.pem # name of generated keys |
|||
default_md = md5 # message digest algorithm |
|||
distinguished_name = req_distinguished_name |
|||
|
|||
[ req_distinguished_name ] |
|||
# Variable name Prompt string |
|||
#---------------------- ---------------------------------- |
|||
0.organizationName = Organization Name (company) |
|||
organizationalUnitName = Organizational Unit Name (department, division) |
|||
emailAddress = Email Address |
|||
emailAddress_max = 40 |
|||
localityName = Locality Name (city, district) |
|||
stateOrProvinceName = State or Province Name (full name) |
|||
#countryName = Country Name (2 letter code) |
|||
#countryName_min = 2 |
|||
#countryName_max = 2 |
|||
#commonName = Common Name (hostname, IP, or your name) |
|||
#commonName_max = 64 |
|||
|
|||
# Default values for the above, for consistency and less typing. |
|||
# Variable name Value |
|||
#------------------------------ ------------------------------ |
|||
0.organizationName_default = CryptoBox |
|||
organizationalUnitName_default = s.l. |
|||
localityName_default = Kugelmugel |
|||
stateOrProvinceName_default = Metropolis |
|||
emailAddress_default = info@systemausfall.org |
|||
|
|||
|
|||
|
|||
@ -1,26 +0,0 @@ |
|||
# boot configuration file for the CryptoBox |
|||
# |
|||
# $Id$ |
|||
# |
|||
# the default setup of the cryptobox is complete inactivity |
|||
|
|||
# set to "1" to turn off the cryptobox - otherwise "0" |
|||
NO_START=1 |
|||
|
|||
# change the default configuration file if necessary |
|||
#CONF_FILE=/etc/cryptobox/cryptobox.conf |
|||
|
|||
# should the cryptobox skip the network interface configuration? |
|||
# "0" means skip (default) --- "1" causes the cryptobox to configure it |
|||
SKIP_NETWORK_CONFIG=1 |
|||
|
|||
# should the cryptobox set some firewall (iptables) rules? |
|||
# if this is turned off, then you have to add the appropriate |
|||
# rules manually (if you need the timeout feature of the cryptobox) |
|||
# default is 0 |
|||
EXEC_FIREWALL_RULES=0 |
|||
|
|||
# use stunnel for https support? |
|||
# default is 0 |
|||
USE_STUNNEL=0 |
|||
|
|||
@ -1,89 +0,0 @@ |
|||
#!/bin/sh |
|||
set -eu |
|||
# |
|||
# we give some hints for users, sitting in front of the cryptobox waiting for a login prompt |
|||
# |
|||
|
|||
# check if the cryptobox is installed |
|||
[ -e "/usr/lib/cryptobox/cbox-manage.sh" ] || exit 0 |
|||
|
|||
# read the default setting file, if it exists |
|||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox |
|||
|
|||
# startup switch defaults to zero (enabled) |
|||
NO_START=${NO_START:-0} |
|||
# check startup switch |
|||
if [ "$NO_START" = "1" ] |
|||
then [ $# -eq 0 ] && exit 0 |
|||
[ "$1" = "status" ] && exit 1 |
|||
[ "$1" = "stop" ] && exit 0 |
|||
echo "CryptoBox is disabled by default" |
|||
exit 0 |
|||
fi |
|||
|
|||
# stop-on-errors |
|||
set -eu |
|||
|
|||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox |
|||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} |
|||
|
|||
# parse config file |
|||
if [ -e "$CONF_FILE" ] |
|||
then . "$CONF_FILE" |
|||
else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2 |
|||
exit 1 |
|||
fi |
|||
|
|||
case "$1" in |
|||
start ) |
|||
# stop if already running |
|||
"$0" status && "$0" stop |
|||
# initialize |
|||
"$CB_SCRIPT" config-up |
|||
"$CB_SCRIPT" network-up |
|||
"$CB_SCRIPT" services-up |
|||
# check if we are on a developers CryptoBox |
|||
# if not give some usage hints |
|||
# otherwise give a warning and start the devel features |
|||
if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then |
|||
echo |
|||
echo "How to use the CryptoBox:" |
|||
echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)/cryptobox'" |
|||
echo " * configure your CryptoBox via a webbrowser" |
|||
echo |
|||
else |
|||
echo |
|||
echo "+---------------------------------------------------------------+" |
|||
echo "| WARNING: Some CryptoBox development features are enabled |" |
|||
echo "| This should definitely NOT happen for a production CD. |" |
|||
echo "| as it offers no security at all. |" |
|||
echo "| If you don't plan to refine this CD, don't use it! |" |
|||
echo "+---------------------------------------------------------------+" |
|||
echo |
|||
"$DEV_FEATURES_SCRIPT" "$@" |
|||
fi |
|||
true |
|||
;; |
|||
stop ) |
|||
# exit if not running |
|||
"$0" status || exit 0 |
|||
# shut down |
|||
"$CB_SCRIPT" services-down |
|||
"$CB_SCRIPT" network-down |
|||
"$CB_SCRIPT" config-down |
|||
;; |
|||
restart | reload | force-reload ) |
|||
$0 stop |
|||
$0 start |
|||
;; |
|||
status ) |
|||
if "$CB_SCRIPT" is_config_mounted |
|||
then exit 0 |
|||
else exit 1 |
|||
fi |
|||
;; |
|||
* ) |
|||
echo "Syntax: $0 { start | stop | restart | reload | force-reload | status }" |
|||
;; |
|||
esac |
|||
|
|||
@ -1,704 +0,0 @@ |
|||
#!/usr/bin/perl |
|||
# |
|||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org> |
|||
# |
|||
# License: This script is distributed under the terms of version 2 |
|||
# of the GNU GPL. See the LICENSE file included with the package. |
|||
# |
|||
# $Id$ |
|||
# |
|||
# the web interface of the CryptoBox |
|||
# |
|||
|
|||
|
|||
############################################### |
|||
|
|||
use strict; |
|||
use CGI; |
|||
use ClearSilver; |
|||
use ConfigFile; |
|||
|
|||
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf'; |
|||
|
|||
my $pagedata; |
|||
|
|||
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR); |
|||
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL); |
|||
|
|||
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE); |
|||
my $config = ConfigFile::read_config_file($CONFIG_FILE); |
|||
|
|||
$CB_SCRIPT = $config->{CB_SCRIPT}; |
|||
$LOG_FILE = $config->{LOG_FILE}; |
|||
$LANGUAGE_DIR = $config->{LANGUAGE_DIR}; |
|||
$DEFAULT_LANGUAGE = $config->{LANGUAGE}; |
|||
$HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR}; |
|||
$DOC_DIR = $config->{DOC_DIR}; |
|||
$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT}); |
|||
$STYLESHEET_URL = $config->{STYLESHEET_URL}; |
|||
|
|||
# TODO: just a quick-and-dirty hack during migration to multiple containers |
|||
my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`; |
|||
|
|||
my $query = new CGI; |
|||
|
|||
|
|||
#################### subs ###################### |
|||
|
|||
# for fatal errors without the chance of clearsilver-rendering |
|||
sub fatal_error() |
|||
{ |
|||
my $message = shift; |
|||
|
|||
print "Content-Type: text/html\n\n"; |
|||
print "<html><head><title>CryptoBox</title></head>\n"; |
|||
print "<body>\n"; |
|||
print '<h1 align="center">' . $message . "</h1>\n"; |
|||
print "</body></html>\n"; |
|||
die "[CryptoBox]: $message"; |
|||
} |
|||
|
|||
|
|||
sub load_hdf |
|||
{ |
|||
my $hdf = ClearSilver::HDF->new(); |
|||
|
|||
my $fname = "$HTML_TEMPLATE_DIR/main.cs"; |
|||
&fatal_error ("Template directory is invalid ($fname not found)!") unless (-e "$fname"); |
|||
$hdf->setValue("Settings.TemplateDir","$HTML_TEMPLATE_DIR"); |
|||
|
|||
&fatal_error ("Documentation directory ($DOC_DIR) not found!") unless (-d "$DOC_DIR"); |
|||
$hdf->setValue("Settings.DocDir","$DOC_DIR"); |
|||
|
|||
# if it was requested as directory index (link from index.html), we should |
|||
# set a real script name - otherwise links with a query string will break |
|||
# ignore POST part of the SCRIPT_NAME (after "&") |
|||
(my $script_url = $ENV{'SCRIPT_NAME'}) =~ m/^[^&]*/; |
|||
$hdf->setValue("ScriptName", ($ENV{'SCRIPT_NAME'} eq '/')? '/cryptobox' : $script_url ); |
|||
|
|||
# set stylesheet url |
|||
$hdf->setValue("Settings.Stylesheet",$STYLESHEET_URL); |
|||
|
|||
&load_selected_language($hdf); |
|||
|
|||
&get_available_languages($hdf); |
|||
|
|||
return $hdf; |
|||
} |
|||
|
|||
|
|||
sub load_selected_language |
|||
{ |
|||
my $data = shift; |
|||
my $config_language; |
|||
|
|||
# load $DEFAULT_LANGUAGE - this is necessary, if a translation is incomplete |
|||
$data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf"); |
|||
|
|||
# load configured language, if it is valid |
|||
$config_language = `$CB_SCRIPT get_config language`; |
|||
$config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language")); |
|||
|
|||
# check for preferred browser language, if the box was not initialized yet |
|||
if ( ! &check_config()) |
|||
{ |
|||
my $prefLang = &get_browser_language(); |
|||
# take it, if a supported browser language was found |
|||
$config_language = $prefLang unless ($prefLang eq ''); |
|||
} |
|||
|
|||
######### temporary language setting? ############ |
|||
# the default language can be overriden by the language links in the |
|||
# upper right of the page |
|||
if ($query->param('weblang')) { |
|||
my $weblang = $query->param('weblang'); |
|||
if (&validate_language($weblang)) { |
|||
# load the data |
|||
$config_language = "$weblang"; |
|||
# add the setting to every link |
|||
$data->setValue('Data.PostData.weblang', "$weblang"); |
|||
} else { |
|||
# no valid language was selected - so you may ignore it |
|||
$data->setValue('Data.Warning', 'InvalidLanguage'); |
|||
} |
|||
} |
|||
# import the configured resp. the temporarily selected language |
|||
$data->readFile("$LANGUAGE_DIR/$config_language" . ".hdf"); |
|||
|
|||
########## select documentation language ########## |
|||
if (&validate_doc_language($config_language)) { |
|||
# selected web interface language |
|||
$data->setValue('Settings.DocLang', "$config_language"); |
|||
} elsif (&validate_doc_language($DEFAULT_LANGUAGE)) { |
|||
# configured CryptoBox language |
|||
$data->setValue('Settings.DocLang', "$DEFAULT_LANGUAGE"); |
|||
} else { |
|||
# default hardcoded language (english) |
|||
$data->setValue('Settings.DocLang', "en"); |
|||
} |
|||
} |
|||
|
|||
|
|||
sub get_available_languages |
|||
# import the names of all available languages |
|||
{ |
|||
my $data = shift; |
|||
my ($file, @files, $hdf, $lang_name); |
|||
|
|||
opendir(DIR, $LANGUAGE_DIR) or &fatal_error ("Language directory ($LANGUAGE_DIR) not accessible!"); |
|||
@files = sort grep { /.*\.hdf$/ } readdir(DIR); |
|||
close(DIR); |
|||
|
|||
foreach $file (@files) { |
|||
$hdf = ClearSilver::HDF->new(); |
|||
$hdf->readFile("$LANGUAGE_DIR/$file"); |
|||
substr($file, -4) = ""; |
|||
$lang_name = $hdf->getValue("Lang.Name", "$file"); |
|||
$data->setValue("Data.Languages." . "$file", "$lang_name"); |
|||
} |
|||
} |
|||
|
|||
|
|||
# look for preferred browser language setting |
|||
# this code was adapted from Per Cederberg - http://www.percederberg.net/home/perl/select.perl |
|||
# it returns an empty string, if no supported language was found |
|||
sub get_browser_language |
|||
{ |
|||
my ($str, @langs, @res); |
|||
|
|||
# Use language preference settings |
|||
if ($ENV{'HTTP_ACCEPT_LANGUAGE'} ne '') |
|||
{ |
|||
@langs = split(/,/, $ENV{'HTTP_ACCEPT_LANGUAGE'}); |
|||
foreach (@langs) |
|||
{ |
|||
# get the first part of the language setting |
|||
($str) = ($_ =~ m/([a-z]+)/); |
|||
# check, if it supported by the cryptobox |
|||
$res[$#res+1] = $str if validate_language($str); |
|||
} |
|||
} |
|||
|
|||
# if everything fails - return empty string |
|||
$res[0] = "" if ($#res lt 0); |
|||
return $res[0]; |
|||
} |
|||
|
|||
|
|||
sub log_msg |
|||
{ |
|||
my $text = shift; |
|||
open(LOGFILE,">> $LOG_FILE"); |
|||
print LOGFILE "$text"; |
|||
close(LOGFILE); |
|||
} |
|||
|
|||
|
|||
sub check_ssl |
|||
{ |
|||
# BEWARE: dirty trick - is there a better way? |
|||
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with |
|||
# its own IP (localhost, of course) |
|||
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1'); |
|||
} |
|||
|
|||
|
|||
sub check_mounted |
|||
{ |
|||
return (system("$CB_SCRIPT","is_crypto_mounted",$CRYPTO_DEV) == 0); |
|||
} |
|||
|
|||
|
|||
sub check_config |
|||
{ |
|||
return (system("$CB_SCRIPT","is_config_mounted",$CRYPTO_DEV) == 0); |
|||
} |
|||
|
|||
|
|||
sub check_init_running |
|||
{ |
|||
return (system("$CB_SCRIPT","is_init_running") == 0); |
|||
} |
|||
|
|||
|
|||
sub is_harddisk_available |
|||
{ |
|||
return (system("$CB_SCRIPT","is_harddisk_available") == 0); |
|||
} |
|||
|
|||
sub get_available_disks |
|||
# TODO: this is useful for diskselection buttons |
|||
{ |
|||
return `$CB_SCRIPT get_available_disks`; |
|||
} |
|||
|
|||
sub get_current_ip |
|||
# the IP of eth0 - not the configured value of the box (only for validation) |
|||
{ |
|||
return `$CB_SCRIPT get_current_ip`; |
|||
} |
|||
|
|||
|
|||
sub get_admin_pw |
|||
# returns the current administration password - empty, if it is not used |
|||
{ |
|||
return `$CB_SCRIPT get_config admin_pw`; |
|||
} |
|||
|
|||
|
|||
sub render |
|||
{ |
|||
my $pagefile = "$HTML_TEMPLATE_DIR/main.cs"; |
|||
print "Content-Type: text/html\n\n"; |
|||
|
|||
my $cs = ClearSilver::CS->new($pagedata); |
|||
$cs->parseFile($pagefile); |
|||
|
|||
print $cs->render(); |
|||
} |
|||
|
|||
|
|||
sub mount_vol |
|||
{ |
|||
my $pw = shift; |
|||
|
|||
if (&check_mounted) { |
|||
$pagedata->setValue('Data.Warning', 'IsMounted'); |
|||
} else { |
|||
open(PW_INPUT, "| $CB_SCRIPT crypto-up $CRYPTO_DEV"); |
|||
print PW_INPUT $pw; |
|||
close(PW_INPUT); |
|||
} |
|||
} |
|||
|
|||
|
|||
sub umount_vol |
|||
{ |
|||
if (&check_mounted) { |
|||
system("$CB_SCRIPT", "crypto-down",$CRYPTO_DEV); |
|||
} else { |
|||
$pagedata->setValue('Data.Warning', 'NotMounted'); |
|||
} |
|||
} |
|||
|
|||
|
|||
sub box_init |
|||
{ |
|||
my ($crypto_pw, $admin_pw) = @_; |
|||
|
|||
system("$CB_SCRIPT", "init") || return 1; |
|||
|
|||
# partitioning, config and initial cryptsetup |
|||
# TODO: define the name of the crypto container |
|||
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default"); |
|||
print PW_INPUT $crypto_pw; |
|||
close(PW_INPUT); |
|||
|
|||
# set administration password |
|||
system("$CB_SCRIPT", "set_config", "admin_pw", "$admin_pw"); |
|||
} |
|||
|
|||
sub box_purge |
|||
{ |
|||
system("$CB_SCRIPT", "box-purge"); |
|||
} |
|||
|
|||
sub system_poweroff |
|||
{ |
|||
&umount_vol() if (&check_mounted()); |
|||
system("$CB_SCRIPT", "poweroff"); |
|||
} |
|||
|
|||
|
|||
sub system_reboot |
|||
{ |
|||
&umount_vol() if (&check_mounted()); |
|||
system("$CB_SCRIPT", "reboot"); |
|||
} |
|||
|
|||
|
|||
sub validate_ip |
|||
{ |
|||
my $ip = shift; |
|||
my @octets = split /\./, $ip; |
|||
return 0 if ($#octets == 4); |
|||
# check for values and non-digits |
|||
return 0 if (($octets[0] <= 0) || ($octets[0] >= 255) || ($octets[0] =~ /\D/)); |
|||
return 0 if (($octets[1] < 0) || ($octets[1] >= 255) || ($octets[1] =~ /\D/)); |
|||
return 0 if (($octets[2] < 0) || ($octets[2] >= 255) || ($octets[2] =~ /\D/)); |
|||
return 0 if (($octets[3] <= 0) || ($octets[3] >= 255) || ($octets[3] =~ /\D/)); |
|||
return 1; |
|||
} |
|||
|
|||
|
|||
sub validate_timeout |
|||
{ |
|||
my $timeout = shift; |
|||
return 0 if ($timeout =~ /\D/); |
|||
return 1; |
|||
} |
|||
|
|||
|
|||
# check for a valid interface language |
|||
sub validate_language |
|||
{ |
|||
my $language = shift; |
|||
# check for non-alphanumeric character |
|||
return 0 if ($language =~ /\W/); |
|||
return 0 if ($language eq ""); |
|||
return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf'); |
|||
return 1; |
|||
} |
|||
|
|||
|
|||
# check for a valid documentation language |
|||
sub validate_doc_language |
|||
{ |
|||
my $language = shift; |
|||
# check for non-alphanumeric character |
|||
return 0 if ($language =~ /\W/); |
|||
return 0 if ($language eq ""); |
|||
return 0 if ( ! -e "$DOC_DIR/$language"); |
|||
return 1; |
|||
} |
|||
|
|||
|
|||
################### main ######################### |
|||
|
|||
|
|||
$pagedata = load_hdf(); |
|||
|
|||
# BEWARE: there are two kinds of actions: |
|||
# * some require a harddisk |
|||
# * some do not require a harddisk |
|||
# take care, that you put a new action into the appropriate block below |
|||
|
|||
# first: check for ssl! |
|||
if ( ! &check_ssl()) { |
|||
$pagedata->setValue('Data.Error', 'NoSSL'); |
|||
$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'}); |
|||
$pagedata->setValue('Data.Redirect.Delay', "3"); |
|||
} elsif ($query->param('action')) { |
|||
my $action = $query->param('action'); |
|||
#--------------------------------------------------------------# |
|||
# here you may define all cases that do not require a harddisk # |
|||
# put all other cases below the harddisk check # |
|||
#--------------------------------------------------------------# |
|||
#################### show_log ####################### |
|||
if ($action eq 'show_log') { |
|||
$pagedata->setValue('Data.Action', 'show_log'); |
|||
##################### doc ############################ |
|||
} elsif ($action eq 'doc') { |
|||
if ($query->param('page')) { |
|||
$pagedata->setValue('Data.Doc.Page', $query->param('page')); |
|||
$pagedata->setValue('Data.Action', 'show_doc'); |
|||
} else { |
|||
$pagedata->setValue('Data.Doc.Page', 'CryptoBoxUser'); |
|||
$pagedata->setValue('Data.Action', 'show_doc'); |
|||
} |
|||
##################### poweroff ###################### |
|||
} elsif ($action eq 'shutdown_ask') { |
|||
$pagedata->setValue('Data.Action', 'form_shutdown'); |
|||
##################### reboot ######################## |
|||
} elsif ($action eq 'shutdown_do') { |
|||
if ($query->param('type') eq 'reboot') { |
|||
&system_reboot(); |
|||
$pagedata->setValue('Data.Success', 'ReBoot'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "180"); |
|||
} else { |
|||
&system_poweroff(); |
|||
$pagedata->setValue('Data.Success', 'PowerOff'); |
|||
} |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
##################### check for a harddisk ########################## |
|||
# catch this error, to prevent all following actions from execution # |
|||
##################################################################### |
|||
} elsif ( ! &is_harddisk_available()) { |
|||
$pagedata->setValue('Data.Error', 'NoHardDisk'); |
|||
#-------------------------------------------------------# |
|||
# here you may define all cases that require a harddisk # |
|||
#-------------------------------------------------------# |
|||
################ umount_do ####################### |
|||
} elsif ($action eq 'umount_do') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} elsif ( ! &check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'NotMounted'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
} else { |
|||
# unmounten |
|||
&umount_vol(); |
|||
if (&check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'UmountFailed'); |
|||
$pagedata->setValue('Data.Action', 'form_umount'); |
|||
} else { |
|||
$pagedata->setValue('Data.Success', 'UmountDone'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} |
|||
} |
|||
################ mount_do ######################## |
|||
} elsif ($action eq 'mount_do') { |
|||
# mount requested |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} elsif (&check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'IsMounted'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} elsif ($query->param('crypto_password') eq '') { |
|||
# leeres Passwort |
|||
$pagedata->setValue('Data.Warning', 'EmptyCryptoPassword'); |
|||
$pagedata->setValue('Data.Action', 'form_mount'); |
|||
} else { |
|||
# mounten |
|||
&mount_vol($query->param('crypto_password')); |
|||
if (!&check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'MountFailed'); |
|||
$pagedata->setValue('Data.Action', 'form_mount'); |
|||
} else { |
|||
$pagedata->setValue('Data.Success', 'MountDone'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} |
|||
} |
|||
################## mount_ask ####################### |
|||
} elsif ($action eq 'mount_ask') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} elsif (&check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'IsMounted'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'form_mount'); |
|||
} |
|||
################# umount_ask ######################## |
|||
} elsif ($action eq 'umount_ask') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif ( ! &check_mounted()) { |
|||
$pagedata->setValue('Data.Warning', 'NotMounted'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'form_umount'); |
|||
} |
|||
################## init_ask ######################### |
|||
} elsif ($action eq 'init_ask') { |
|||
if (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} elsif (&check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'AlreadyConfigured'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} |
|||
#################### init_do ######################## |
|||
} elsif ($action eq 'init_do') { |
|||
my $current_admin_pw = &get_admin_pw; |
|||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { |
|||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif ($query->param('admin_password') ne $query->param('admin_password2')) { |
|||
# different admin-passwords |
|||
$pagedata->setValue('Data.Warning', 'DifferentAdminPasswords'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif ($query->param('crypto_password') ne $query->param('crypto_password2')) { |
|||
# different crypto-passwords |
|||
$pagedata->setValue('Data.Warning', 'DifferentCryptoPasswords'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif ($query->param('crypto_password') eq '') { |
|||
# empty password |
|||
$pagedata->setValue('Data.Warning', 'EmptyCryptoPassword'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif ($query->param('confirm') ne $pagedata->getValue('Lang.Text.ConfirmInit','')) { |
|||
# wrong confirm string |
|||
$pagedata->setValue('Data.Warning', 'InitNotConfirmed'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} else { |
|||
# do init |
|||
&box_init($query->param('crypto_password'),$query->param('admin_password')); |
|||
if (!&check_init_running()) { |
|||
$pagedata->setValue('Data.Error', 'InitFailed'); |
|||
} else { |
|||
$pagedata->setValue('Data.Success', 'InitRunning'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} |
|||
} |
|||
#################### config_ask ###################### |
|||
} elsif ($action eq 'config_ask') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} |
|||
#################### config_do ####################### |
|||
} elsif ($action eq 'config_do') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} else { |
|||
my $current_admin_pw = &get_admin_pw; |
|||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { |
|||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} elsif ( ! &validate_language($query->param('language'))) { |
|||
$pagedata->setValue('Data.Warning', 'InvalidLanguage'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} elsif ( ! &validate_ip($query->param('ip'))) { |
|||
$pagedata->setValue('Data.Warning', 'InvalidIP'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} elsif ( ! &validate_timeout($query->param('timeout'))) { |
|||
$pagedata->setValue('Data.Warning', 'InvalidTimeOut'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} else { |
|||
system("$CB_SCRIPT", "set_config", "language", $query->param('language')); |
|||
&load_selected_language($pagedata); |
|||
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout')); |
|||
# check, if the ip was reconfigured |
|||
if ($query->param('ip') ne `$CB_SCRIPT get_config ip`) |
|||
{ |
|||
# set the new value |
|||
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip')); |
|||
# reconfigure the network interface |
|||
system("$CB_SCRIPT", "update_ip_address"); |
|||
# redirect to the new address |
|||
$pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'}); |
|||
$pagedata->setValue('Data.Redirect.Delay', "5"); |
|||
# display a warning for the redirection |
|||
$pagedata->setValue('Data.Warning', 'IPAddressChanged'); |
|||
} |
|||
# check for success |
|||
if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) { |
|||
$pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed'); |
|||
} elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) { |
|||
$pagedata->setValue('Data.Warning', 'ConfigIPFailed'); |
|||
} elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) { |
|||
$pagedata->setValue('Data.Warning', 'ConfigLanguageFailed'); |
|||
} else { |
|||
$pagedata->setValue('Data.Success', 'ConfigSaved'); |
|||
} |
|||
$pagedata->setValue('Data.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} |
|||
} |
|||
#################### status ######################### |
|||
} elsif ($action eq 'show_status') { |
|||
if ( ! &check_config()) { |
|||
$pagedata->setValue('Data.Warning', 'NotInitialized'); |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} elsif (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "30"); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "60"); |
|||
} |
|||
################### box_purge ####################### |
|||
# if we find an existing config partition, then check the adminpw |
|||
} elsif ($action eq 'do_purge') { |
|||
if ( &check_config()) { |
|||
my $current_admin_pw = &get_admin_pw; |
|||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { |
|||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword'); |
|||
$pagedata->setValue('Data.Action', 'form_config'); |
|||
} else { |
|||
&box_purge; |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} |
|||
} |
|||
################### unknown ######################### |
|||
} else { |
|||
$pagedata->setValue('Data.Error', 'UnknownAction'); |
|||
} |
|||
#################### default action ########################## |
|||
# check for a harddisk again, as this check was skipped |
|||
# because there was no action defined |
|||
} elsif ( ! &is_harddisk_available()) { |
|||
$pagedata->setValue('Data.Error', 'NoHardDisk'); |
|||
} else { |
|||
if (&check_init_running()) { |
|||
$pagedata->setValue('Data.Warning', 'InitNotFinished'); |
|||
$pagedata->setValue('Data.Action', 'empty'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'form_config'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "60"); |
|||
} elsif (&check_config()) { |
|||
$pagedata->setValue('Data.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Action', 'show_status'); |
|||
$pagedata->setValue('Data.Redirect.Delay', "60"); |
|||
} else { |
|||
$pagedata->setValue('Data.Action', 'form_init'); |
|||
} |
|||
} |
|||
|
|||
# check state of the cryptobox |
|||
$pagedata->setValue('Data.Status.Config', &check_config() ? 1 : 0); |
|||
$pagedata->setValue('Data.Status.InitRunning', &check_init_running() ? 1 : 0); |
|||
$pagedata->setValue('Data.Status.Mounted', &check_mounted() ? 1 : 0) if (&check_config()); |
|||
my $output = &get_current_ip(); |
|||
$pagedata->setValue('Data.Status.IP', "$output"); |
|||
|
|||
$output = &get_admin_pw(); |
|||
$pagedata->setValue('Data.Config.AdminPasswordIsSet', 1) if ($output ne ''); |
|||
|
|||
$output = `$CB_SCRIPT diskinfo 2>&1 | sed 's#\$#<br/>#'`; |
|||
$pagedata->setValue('Data.PartitionInfo',"$output"); |
|||
|
|||
# preset config settings for clearsilver |
|||
$pagedata->setValue('Data.Config.IP', `$CB_SCRIPT get_config ip`); |
|||
$pagedata->setValue('Data.Config.TimeOut', `$CB_SCRIPT get_config timeout`); |
|||
$pagedata->setValue('Data.Config.Language', `$CB_SCRIPT get_config language`); |
|||
|
|||
# read log and add html linebreaks |
|||
$output = ''; |
|||
if (-e "$LOG_FILE") { |
|||
open(LOGFILE, "< $LOG_FILE"); |
|||
while (<LOGFILE>) { $output .= "$_<br/>" } |
|||
close(LOGFILE); |
|||
} |
|||
$pagedata->setValue('Data.Log',"$output"); |
|||
|
|||
$pagedata->setValue('Data.Status.DevelopmentMode', 1) if ($IS_DEVEL); |
|||
|
|||
# save QUERY_STRING (e.g. for weblang-links) |
|||
my $querystring = $ENV{'QUERY_STRING'}; |
|||
# remove weblang setting |
|||
$querystring =~ s/weblang=\w\w&?//; |
|||
$pagedata->setValue('Data.QueryString', "$querystring") if ($querystring ne ''); |
|||
|
|||
&render(); |
|||
|
|||
exit 0; |
|||
|
|||
@ -1,590 +0,0 @@ |
|||
#!/bin/sh |
|||
# |
|||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org> |
|||
# |
|||
# License: This script is distributed under the terms of version 2 |
|||
# of the GNU GPL. See the LICENSE file included with the package. |
|||
# |
|||
# $Id$ |
|||
# |
|||
# this script does EVERYTHING |
|||
# all other scripts are only frontends :) |
|||
# |
|||
# called by: |
|||
# - some rc-scripts |
|||
# - the web frontend cgi |
|||
# |
|||
|
|||
# TODO: check permissions and owners of config files, directories and scripts before |
|||
# running cbox-root-actions.sh |
|||
|
|||
set -eu |
|||
|
|||
# define reasonable defaults |
|||
USE_STUNNEL=0 |
|||
EXEC_FIREWALL_RULES=0 |
|||
SKIP_NETWORK_CONFIG=1 |
|||
CONF_FILE=/etc/cryptobox/cryptobox.conf |
|||
|
|||
|
|||
# read the default setting file, if it exists |
|||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox |
|||
|
|||
# parse config file |
|||
. "$CONF_FILE" |
|||
|
|||
# check for writable log file |
|||
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE") |
|||
|
|||
## configuration |
|||
CERT_TEMP=/tmp/stunnel.pem |
|||
|
|||
######## stuff ########## |
|||
|
|||
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4) |
|||
|
|||
######################### |
|||
|
|||
function log_msg() |
|||
{ |
|||
# the log file is not writable during boot - try before writing ... |
|||
[ -w "$LOG_FILE" ] || return 0 |
|||
echo >>"$LOG_FILE" |
|||
echo "##### `date` #####" >>"$LOG_FILE" |
|||
echo "$1" >>"$LOG_FILE" |
|||
} |
|||
|
|||
|
|||
function error_msg() |
|||
# parameters: ExitCode ErrorMessage |
|||
{ |
|||
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2 |
|||
# print the execution stack - not usable with busybox |
|||
# caller | sed 's/^/\t/' >&2 |
|||
exit "$1" |
|||
} |
|||
|
|||
|
|||
function config_set_value() |
|||
# parameters: SettingName [SettingValue] |
|||
# read from stdin if SettingValue is not defined |
|||
{ |
|||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw |
|||
if [ $# -gt 1 ] |
|||
then echo -n "$2" > "$CONFIG_DIR/$1" |
|||
else cat - >"$CONFIG_DIR/$1" |
|||
fi |
|||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro |
|||
} |
|||
|
|||
|
|||
function config_get_value() |
|||
# parameters: SettingName |
|||
{ |
|||
# use mounted config, if it exists - otherwise use defaults |
|||
local conf_dir |
|||
if is_config_active |
|||
then conf_dir=$CONFIG_DIR |
|||
else conf_dir=$CONFIG_DEFAULTS_DIR |
|||
fi |
|||
[ -z "$1" ] && error_msg 1 "empty setting name" |
|||
# check for existence - maybe use default values (for old releases without this setting) |
|||
if [ ! -e "$conf_dir/$1" ] |
|||
then case "$1" in |
|||
# you may place default values for older versions here |
|||
# for compatibility |
|||
* ) |
|||
error_msg 2 "unknown configuration value ($1)" |
|||
# empty output |
|||
;; |
|||
esac |
|||
else echo -n $(cat "$conf_dir/$1") |
|||
# this removes the trailing line break |
|||
fi |
|||
# always return without error |
|||
true |
|||
} |
|||
|
|||
|
|||
function create_config() |
|||
# Parameter: device |
|||
{ |
|||
local device=$1 |
|||
unload_config |
|||
# create the new configuration filesystem if it is not static |
|||
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ] |
|||
then log_msg "Using static configuration ..." |
|||
else log_msg "Creating config filesystem ..." |
|||
sudo "$ROOT_PERM_SCRIPT" create_config "$device" |
|||
log_msg "Mounting config partition ..." |
|||
sudo "$ROOT_PERM_SCRIPT" mount_config "$device" |
|||
sudo "$ROOT_PERM_SCRIPT" remount_config rw |
|||
fi |
|||
log_msg "Copying configuration defaults ..." |
|||
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR" |
|||
|
|||
log_msg "Copying temporary certificate file to config filesystem ..." |
|||
# beware: the temp file should always be there - even after reboot - see "load_config" |
|||
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE" |
|||
|
|||
log_msg "Setting inital values ..." |
|||
# beware: config_set_value remounts the config partition read-only |
|||
config_set_value "ip" "$(get_current_ip)" |
|||
# create database of readable names |
|||
config_set_value "names.db" "" |
|||
# create a marker to recognize a cryptobox partition |
|||
# this should be the last step, to prevent a half-initialized state |
|||
config_set_value "$CONFIG_MARKER" "$(date -I)" |
|||
} |
|||
|
|||
|
|||
function get_current_ip() |
|||
# not necessarily the same as configured (necessary for validation) |
|||
{ |
|||
# filter the output of ifconfig and remove trailing line break |
|||
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1) |
|||
} |
|||
|
|||
|
|||
function list_partitions_of_type() |
|||
# parameter: { config | crypto | plaindata | unused } |
|||
{ |
|||
local config= |
|||
local crypto= |
|||
local plaindata= |
|||
local unused= |
|||
for a in $ALL_PARTITIONS |
|||
do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a" |
|||
then crypto="$crypto /dev/$a" |
|||
elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a" |
|||
then config="$config /dev/$a" |
|||
elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a" |
|||
then plaindata="$plaindata /dev/$a" |
|||
else unused="$unused /dev/$a" |
|||
fi |
|||
done |
|||
case "$1" in |
|||
config | crypto | plaindata | unused ) |
|||
# dirty hack, but it works |
|||
eval "echo \$$1" |
|||
;; |
|||
* ) |
|||
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)" |
|||
;; |
|||
esac | tr " " "\n" | grep -v '^$' |
|||
} |
|||
|
|||
|
|||
function get_crypto_uuid() |
|||
# Parameter: DEVICE |
|||
{ |
|||
sudo "$ROOT_PERM_SCRIPT" get_device_name "$1" |
|||
} |
|||
|
|||
|
|||
function get_crypto_name() |
|||
# Parameter: DEVICE |
|||
# return the readable name of the crypto container, it it is already defined |
|||
# if undefined - return the uuid |
|||
{ |
|||
local uuid=$(get_crypto_uuid "$1") |
|||
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-) |
|||
if [ -z "$dbname" ] |
|||
then echo -n "$uuid" |
|||
else echo -n "$dbname" |
|||
fi |
|||
} |
|||
|
|||
|
|||
function set_crypto_name() |
|||
# TODO: the implementation is quite ugly, but it works (tm) |
|||
# Parameter: DEVICE NAME |
|||
{ |
|||
local uuid=$(get_crypto_uuid "$1") |
|||
# remove the old setting for this device and every possible entry with the same name |
|||
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db' |
|||
} |
|||
|
|||
|
|||
function does_crypto_name_exist() |
|||
# Parameter: NAME |
|||
{ |
|||
config_get_value 'names.db' | grep -q "^[^:]*:$1$" |
|||
} |
|||
|
|||
|
|||
function create_crypto() |
|||
# Parameter: DEVICE NAME KEYFILE |
|||
# keyfile is necessary, to allow background execution via 'at' |
|||
# TODO: check if the keyfile is still necessary for sudo -b |
|||
{ |
|||
local device=$1 |
|||
local name=$2 |
|||
local keyfile=$3 |
|||
# otherwise the web interface will hang |
|||
# passphrase may be passed via command line |
|||
local key=$(<"$keyfile") |
|||
# remove the passphrase-file as soon as possible |
|||
dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null |
|||
rm "$keyfile" |
|||
|
|||
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device" |
|||
echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device" |
|||
|
|||
set_crypto_name "$device" "$name" |
|||
} |
|||
|
|||
|
|||
function is_config_active() |
|||
{ |
|||
test -f "$CONFIG_DIR/$CONFIG_MARKER" |
|||
} |
|||
|
|||
|
|||
function is_crypto_mounted() |
|||
# Parameter: DEVICE |
|||
{ |
|||
local name=$(get_crypto_uuid "$1") |
|||
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name" |
|||
} |
|||
|
|||
|
|||
function is_init_running() |
|||
{ |
|||
check_at_command_queue " init" |
|||
} |
|||
|
|||
|
|||
# check if a specified command is in an at-queue |
|||
# Parameter: a regular expression of the commandline |
|||
# Return: the command is part of an at-queue (0) or not (1) |
|||
function check_at_command_queue() |
|||
{ |
|||
# 1) get the available job numbers |
|||
# 2) remove empty lines (especially the last one) |
|||
# 3) check every associated command for the regexp |
|||
at -l | cut -f 1 | while read jobnum |
|||
do at -c $jobnum | sed '/^$/d' | tail -1 |
|||
done | grep -q "$1" |
|||
} |
|||
|
|||
|
|||
function find_harddisk() |
|||
# look for the harddisk to be partitioned |
|||
{ |
|||
local device=$(get_available_disks | head -1) |
|||
if [ -z "$device" ] ; then |
|||
log_msg "no valid harddisk for initialisation found!" |
|||
cat /proc/partitions >>"$LOG_FILE" |
|||
# do not return with an error, to avoid a failing of the script ('break on error') |
|||
# the caller of this function should handle an empty return string |
|||
fi |
|||
echo -n "$device" |
|||
} |
|||
|
|||
|
|||
function get_available_disks() |
|||
# looks which allowed disks are at the moment connected with the cbox |
|||
{ |
|||
for scan in $SCAN_DEVICES |
|||
do for avail in $ALL_PARTITIONS |
|||
do [ "$scan" = "$avail" ] && echo "/dev/$avail" |
|||
done |
|||
done |
|||
} |
|||
|
|||
|
|||
function load_config() |
|||
{ |
|||
unload_config |
|||
local status=0 |
|||
# look for a configuration partition |
|||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \ |
|||
list_partitions_of_type config | while read part && [ "$status" = 0 ] |
|||
do log_msg "Trying to load configuration from /dev/$part ..." |
|||
if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part" |
|||
then log_msg "configuraton found on $part" |
|||
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part" |
|||
status=1 |
|||
fi |
|||
done |
|||
if is_config_active |
|||
then # copy certificate to /tmp in case of re-initialization |
|||
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d) |
|||
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP" |
|||
else log_msg "failed to locate config partition" |
|||
return 1 |
|||
fi |
|||
true |
|||
} |
|||
|
|||
|
|||
function unload_config() |
|||
{ |
|||
is_config_active || return |
|||
# only try to unmount, if it is not static (the config of a live-cd is always dynamic) |
|||
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] |
|||
then sudo "$ROOT_PERM_SCRIPT" umount_config |
|||
else true |
|||
fi |
|||
} |
|||
|
|||
|
|||
function mount_crypto() |
|||
# Parameter: DEVICE |
|||
{ |
|||
local device=$1 |
|||
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1 |
|||
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return |
|||
# passphrase is read from stdin |
|||
log_msg "Mounting a crypto partition from $device" |
|||
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1 |
|||
} |
|||
|
|||
|
|||
function umount_crypto() |
|||
# Parameter: DEVICE |
|||
{ |
|||
local device=$1 |
|||
local uuid=$(get_crypto_uuid $device) |
|||
sudo "$ROOT_PERM_SCRIPT" umount "$uuid" |
|||
} |
|||
|
|||
|
|||
function box_purge() |
|||
# removing just the first bytes from the harddisk should be enough |
|||
# every harddisk will be overriden! |
|||
{ |
|||
# TODO: not ALL harddisks, please! |
|||
get_available_disks | while read a |
|||
do log_msg "Purging $a ..." |
|||
sudo "$ROOT_PERM_SCRIPT" trash_device "$a" |
|||
done |
|||
} |
|||
|
|||
|
|||
function init_cryptobox() |
|||
# this is only the first part of initialisation that takes no time - good for a smooth web interface |
|||
{ |
|||
local device=$(find_harddisk) |
|||
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1 |
|||
turn_off_all_crypto |
|||
unload_config || true |
|||
log_msg "Partitioning the device ($device) ..." |
|||
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n" |
|||
log_msg "Initializing config partition on ${device}1 ..." |
|||
# TODO: this should not be hard-coded |
|||
create_config "${device}1" |
|||
} |
|||
|
|||
|
|||
function turn_off_all_crypto() |
|||
{ |
|||
list_crypto_containers | while read a |
|||
do is_crypto_mounted "$a" && umount_crypto "$a" |
|||
done |
|||
} |
|||
|
|||
|
|||
### main ### |
|||
|
|||
# set PATH because thttpd removes /sbin and /usr/sbin for cgis |
|||
export PATH=/usr/sbin:/usr/bin:/sbin:/bin |
|||
|
|||
|
|||
ACTION=help |
|||
[ $# -gt 0 ] && ACTION=$1 && shift |
|||
|
|||
case "$ACTION" in |
|||
config-up ) |
|||
if load_config |
|||
then echo "Cryptobox configuration successfully loaded" |
|||
else error_msg 0 "Could not find a configuration partition!" |
|||
fi |
|||
;; |
|||
config-down ) |
|||
unload_config || error_msg 4 "Could not unmount configuration partition" |
|||
;; |
|||
network-up ) |
|||
if [ "$SKIP_NETWORK_CONFIG" != 1 ] |
|||
then conf_ip=$(config_get_value "ip") |
|||
log_msg "Configuring $NET_IFACE for $conf_ip ..." |
|||
echo "Configuring network interface for $NET_IFACE: $conf_ip" |
|||
"$IFCONFIG" "$NET_IFACE" "$conf_ip" |
|||
fi |
|||
if [ "$EXEC_FIREWALL_RULES" = 1 ] |
|||
then log_msg "Starting the firewall ..." |
|||
"$FIREWALL_SCRIPT" start |
|||
fi |
|||
if [ "$USE_STUNNEL" = 1 ] |
|||
then # start stunnel |
|||
if [ -f "$CERT_FILE" ] |
|||
then USE_CERT=$CERT_FILE |
|||
else USE_CERT=$CERT_TEMP |
|||
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1 |
|||
# TODO: this could be dangerous - right? |
|||
# this is necessary, to allow www-data to copy the certificate |
|||
chown "$WEB_USER" "$CERT_TEMP" |
|||
fi |
|||
log_msg "Starting stunnel ..." |
|||
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \ |
|||
|| echo "$USE_CERT not found - not starting stunnel" |
|||
fi |
|||
;; |
|||
network-down ) |
|||
if [ "$EXEC_FIREWALL_RULES" = 1 ] |
|||
then log_msg "Stopping the firewall ..." |
|||
"$FIREWALL_SCRIPT" stop |
|||
fi |
|||
if [ "$USE_STUNNEL" = 1 ] |
|||
then log_msg "Stopping stunnel ..." |
|||
# TODO: what about a pid? |
|||
killall stunnel 2>/dev/null || true |
|||
fi |
|||
if [ "$SKIP_NETWORK_CONFIG" != 1 ] |
|||
then log_msg "Shutting the network interface down ..." |
|||
"$IFCONFIG" "$NET_IFACE" down |
|||
fi |
|||
;; |
|||
services-up ) |
|||
# the mount point has to be writeable |
|||
# this action is called as root - so we are allowed to umount |
|||
# TODO: do this only for ro-filesystem |
|||
# TODO: this way of mounting is evil |
|||
if mountpoint -q "$MNT_PARENT" |
|||
then true |
|||
else mount -t tmpfs tmpfs "$MNT_PARENT" |
|||
fi |
|||
true |
|||
;; |
|||
services-down ) |
|||
# this action is called as root - so we are allowed to umount |
|||
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT" |
|||
# TODO: we should not depend on samba and thttpd |
|||
# /etc/init.d/samba stop || true |
|||
# /etc/init.d/thttpd stop || true |
|||
true |
|||
;; |
|||
crypto-up ) |
|||
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'" |
|||
mount_crypto "$1" |
|||
;; |
|||
crypto-down ) |
|||
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'" |
|||
umount_crypto "$1" |
|||
;; |
|||
init ) |
|||
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1 |
|||
;; |
|||
crypto-create ) |
|||
# Parameter: DEVICE NAME |
|||
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'" |
|||
# do it in the background to provide a smoother web interface |
|||
# messages and errors get written to $LOG_FILE |
|||
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1") |
|||
# read the password |
|||
cat - >"$keyfile" |
|||
# execute it in the background |
|||
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now |
|||
;; |
|||
crypto-create-bg ) |
|||
create_crypto "$@" |
|||
;; |
|||
crypto-list ) |
|||
list_partitions_of_type crypto |
|||
;; |
|||
crypto-list-unused ) |
|||
list_partitions_of_type unused |
|||
;; |
|||
crypto-name ) |
|||
# Parameter: DEVICE |
|||
get_crypto_name "$1" |
|||
;; |
|||
is_crypto_mounted ) |
|||
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'" |
|||
is_crypto_mounted "$1" |
|||
;; |
|||
is_config_mounted ) |
|||
is_config_active |
|||
;; |
|||
is_init_running ) |
|||
is_init_running |
|||
;; |
|||
is_harddisk_available ) |
|||
[ -z "$(find_harddisk)" ] && exit 1 |
|||
exit 0 |
|||
;; |
|||
update_ip_address ) |
|||
# reconfigure the network interface to a new IP address |
|||
# wait for 5 seconds to finish present http requests |
|||
if [ "$SKIP_NETWORK_CONFIG" != 1 ] |
|||
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now |
|||
fi |
|||
;; |
|||
get_available_disks ) |
|||
get_available_disks |
|||
;; |
|||
get_current_ip ) |
|||
get_current_ip |
|||
;; |
|||
set_config ) |
|||
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters" |
|||
config_set_value "$1" "$2" |
|||
;; |
|||
get_config ) |
|||
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter" |
|||
config_get_value "$1" |
|||
;; |
|||
diskinfo ) |
|||
get_available_disks | while read a |
|||
do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a" |
|||
done |
|||
;; |
|||
box-purge ) |
|||
log_msg "Cleaning the CryptoBox ..." |
|||
turn_off_all_crypto |
|||
"$0" config-down |
|||
box_purge >>"$LOG_FILE" 2>&1 |
|||
;; |
|||
poweroff ) |
|||
log_msg "Turning off the CryptoBox ..." |
|||
turn_off_all_crypto |
|||
echo "poweroff" | at now |
|||
;; |
|||
reboot ) |
|||
log_msg "Rebooting the CryptoBox ..." |
|||
turn_off_all_crypto |
|||
echo "reboot" | at now |
|||
;; |
|||
* ) |
|||
echo "Syntax: `basename $0` ACTION [PARAMS]" |
|||
echo " config-up - scan for configuration partition and mount it" |
|||
echo " config-down - unmount configuration partition" |
|||
echo " network-up - enable network interface" |
|||
echo " network-down - disable network interface" |
|||
echo " services-up - run some cryptobox specific daemons" |
|||
echo " services-down - stop some cryptobox specific daemons" |
|||
echo " crypto-up - mount crypto partition" |
|||
echo " crypto-down - unmount crypto partition" |
|||
echo " box-init - initialize cryptobox (ALL data is LOST)" |
|||
echo " box-init-fg - the first part of initialization" |
|||
echo " box-init-bg - the last part of initialization (background)" |
|||
echo " is_crypto_mounted - check, if crypto partition is mounted" |
|||
echo " is_config_mounted - check, if configuration partition is mounted" |
|||
echo " is_init_running - check, if initialization is ongoing" |
|||
echo " is_harddisk_available - check, if there is a usable harddisk" |
|||
echo " get_available_disks - shows all connected and allowed disks" |
|||
echo " get_current_ip - get the current IP of the network interface" |
|||
echo " update_ip_address - update the network interface after reconfiguration" |
|||
echo " set_config NAME VALUE - change a configuration setting" |
|||
echo " get_config NAME - retrieve a configuration setting" |
|||
echo " diskinfo - show the partition table of the harddisk" |
|||
echo " box-purge - destroy partitiontable of all harddisks (delete everything)" |
|||
echo " poweroff - shutdown the cryptobox" |
|||
echo " reboot - reboot the cryptobox" |
|||
echo |
|||
;; |
|||
esac |
|||
|
|||
exit 0 |
|||
|
|||
@ -1,330 +0,0 @@ |
|||
#!/bin/sh |
|||
# |
|||
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org> |
|||
# |
|||
# License: This script is distributed under the terms of version 2 |
|||
# of the GNU GPL. See the LICENSE file included with the package. |
|||
# |
|||
# $Id$ |
|||
# |
|||
# this script is responsible for all dangerous actions, that require root privileges |
|||
# every action should be checked at least TWICE a day for open holes :) |
|||
# usually will get call via sudo |
|||
# |
|||
# called by: |
|||
# - cbox-manage.sh |
|||
# |
|||
|
|||
set -eu |
|||
|
|||
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100 |
|||
|
|||
# read the default setting file, if it exists |
|||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox |
|||
|
|||