config_do and init_do check administration password

setting of administration password is no part of initialization anymore

cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh

@@ -283,10 +283,6 @@ function init_cryptobox_part1()
 		create_partitions "$device"
 		create_config "$device"
 	) >>"$LOG_FILE" 2>&1
-	# read the admin-pw from the first line of input
-	local admin_pw
-	read admin_pw
-	config_set_value admin_pw "$admin_pw"
 	# the output of create_crypto may NOT be redirected - this would prevent cryptsetup from
 	# reading the passphrase from stdin
 	log_msg "Creating the crypto partition ..."

cbox-tree.d/usr/share/cryptobox/lang/de.hdf

@@ -17,6 +17,7 @@ Lang {
 	Text {
 		EnterNewCryptoPassword	= Das neue Crypto-Passwort eingeben:
 		EnterSameCryptoPassword	= Das Crypto-Passwort wiederholen:
+		EnterAdminPassword	= Das Admin-Passwort eingeben:
 		EnterNewAdminPassword	= Das neue Admin-Passwort eingeben:
 		EnterSameAdminPassword	= Das Admin-Passwort wiederholen:
 		InitWarning		= Bei der Initialisierung werden ALLE DATEN auf der Festplatte GELÖSCHT!
@@ -70,6 +71,11 @@ Lang {
 			Text	= Die beiden Passworte müssen identisch sein, um sicherzustellen, dass dies das gewünschte Passwort ist.
 		}
 
+		WrongAdminPassword {
+			Title	= Falsches Administratons-Passwort
+			Text	= Das eingegebene Administrations-Passwort ist falsch. Versuchen sie es noch einmal.
+		}
+
 		MountFailed {
 			Title	= Aktivierung schlug fehl
 			Text	= Das verschlüsselte Dateisystem konnte nicht aktiviert werden. Wahrscheinlich war das Passwort falsch.
@@ -80,7 +86,7 @@ Lang {
 			Text	= Das verschlüsselte Dateisystem konnte nicht abgeschaltet werden. Wahrscheinlich sind noch Dateien geöffnet. Also schließen sie alle potentiell unsauberen Programme (beispielsweise die weitverbreitete Textverarbeitung). Notfalls einfach die CryptoBox herunterfahren!
 		}
 
-		NotConfigured {
+		NotInitialized {
 			Title	= Keine Konfiguration gefunden
 			Text	= Die CryptoBox wurde noch nicht eingerichtet.
 		}

cbox-tree.d/usr/share/cryptobox/templates/config_form.cs

@@ -3,6 +3,11 @@
 
     <form action="<?cs call:getSelfURL('','') ?>" method="post"
 	    enctype="application/x-www-form-urlencoded">
+	
+	<?cs if:Data.Config.AdminPasswordIsSet ?>
+			<p><label for="admin_password"><?cs call:help_popUp(Lang.Text.EnterAdminPassword,"prove_admin_pw") ?></label><br/>
+				<input type="password" id="admin_password" name="admin_password" size="20" tabindex="1" maxlength="40" /> </p>
+	<?cs /if ?>
 
 	<p><label for="ip"><?cs call:help_popUp(Lang.Text.IPAddress,'set_ip_address') ?></label><br/>
 		<input type="text" id="ip" size="16" maxsize="15" name="ip"

cbox-tree.d/usr/share/cryptobox/templates/init_form.cs

@@ -4,10 +4,15 @@
 	<form action="<?cs call:getSelfURL('','') ?>" method="post" enctype="application/x-www-form-urlencoded">
 
 		<p class="note"><?cs var:Lang.Text.InitWarning ?></p>
-		<p><label for="admin_password"><?cs call:help_popUp(Lang.Text.EnterNewAdminPassword,"admin_pw") ?></label><br/>
-			<input type="password" id="admin_password" name="admin_password" size="20" tabindex="1" maxlength="40" /> </p>
-		<p><label for="admin_password2"><?cs call:help_popUp(Lang.Text.EnterSameAdminPassword,"admin_pw_repeat") ?></label><br/>
-			<input type="password" id="admin_password2" name="admin_password2" size="20" tabindex="1" maxlength="40" /></p>
+		<?cs if:Data.Config.AdminPasswordIsSet ?>
+			<p><label for="admin_password"><?cs call:help_popUp(Lang.Text.EnterAdminPassword,"prove_admin_pw") ?></label><br/>
+				<input type="password" id="admin_password" name="admin_password" size="20" tabindex="1" maxlength="40" /> </p>
+		<?cs else ?>
+			<p><label for="admin_password"><?cs call:help_popUp(Lang.Text.EnterNewAdminPassword,"new_admin_pw") ?></label><br/>
+				<input type="password" id="admin_password" name="admin_password" size="20" tabindex="1" maxlength="40" /> </p>
+			<p><label for="admin_password2"><?cs call:help_popUp(Lang.Text.EnterSameAdminPassword,"new_admin_pw_repeat") ?></label><br/>
+				<input type="password" id="admin_password2" name="admin_password2" size="20" tabindex="1" maxlength="40" /></p>
+		<?cs /if ?>
 		<p><label for="crypto_password"><?cs call:help_popUp(Lang.Text.EnterNewCryptoPassword,"crypto_pw") ?></label><br/>
 			<input type="password" id="crypto_password" name="crypto_password" size="20" tabindex="1" maxlength="40" /></p>
 		<p><label for="crypto_password2"><?cs call:help_popUp(Lang.Text.EnterSameCryptoPassword,'crypto_pw_repeat') ?></label><br/>

cbox-tree.d/usr/share/doc/cryptobox/html/en/hints/prove_admin_pw.html

@@ -0,0 +1,3 @@
+<h3>Administration password of the CryptoBox</h3>
+<p>Enter the administration password of the CryptoBox.</p>
+<p>This ensures, that only authorized people may re-initialize and re-configure the CryptoBox.</p>

cbox-tree.d/var/www/cgi-bin/cryptobox.pl

@@ -30,7 +30,7 @@ $IS_DEV = ( -e $config->{DEV_FEATURES_SCRIPT});
 
 #################### subs ######################
 
-sub load_hdf()
+sub load_hdf
 {
 	my $hdf = ClearSilver::HDF->new();
 
@@ -55,7 +55,7 @@ sub load_hdf()
 }
 
 
-sub load_language_data()
+sub load_language_data
 # import the specified language data
 # every call overrides previously loaded values
 # it is sufficient to call it somewhere before "render"
@@ -68,7 +68,7 @@ sub load_language_data()
 }
 
 
-sub get_available_languages()
+sub get_available_languages
 # import the names of all available languages
 {
 	my $data = shift;
@@ -88,7 +88,7 @@ sub get_available_languages()
 }
 
 
-sub log_msg()
+sub log_msg
 {
 	my $text = shift;
 	open(LOGFILE,">> $LOG_FILE");
@@ -137,7 +137,14 @@ sub get_current_ip
 }
 
 
-sub render()
+sub get_admin_pw
+# returns the current administration password - empty, if it is not used
+{
+	return `$CB_SCRIPT get_config admin_pw`;
+}
+
+
+sub render
 {
 	$pagedata->setValue("PageName","$pagename");
 	my $pagefile = "$TEMPLATE_DIR/main.cs";
@@ -181,30 +188,32 @@ sub box_init
 
 	# partitioning, config and initial cryptsetup
 	open(PW_INPUT, "|$CB_SCRIPT box-init-fg");
-	print PW_INPUT "$admin_pw";
-	print PW_INPUT "$crypto_pw";
+	print PW_INPUT $crypto_pw;
 	close(PW_INPUT);
 
+	# set administration password
+	system("$CB_SCRIPT", "set_config", "admin_pw", "$admin_pw");
+
 	# wipe and mkfs takes some time - it will be done in the background
 	system("$CB_SCRIPT", "box-init-bg");
 }
 
 
-sub system_poweroff()
+sub system_poweroff
 {
 	&umount_vol() if (&check_mounted());
 	system("$CB_SCRIPT", "poweroff");
 }
 
 
-sub system_reboot()
+sub system_reboot
 {
 	&umount_vol() if (&check_mounted());
 	system("$CB_SCRIPT", "reboot");
 }
 
 
-sub validate_ip()
+sub validate_ip
 {
 	my $ip = shift;
 	my @octets = split /\./, $ip;
@@ -218,7 +227,7 @@ sub validate_ip()
 }
 
 
-sub validate_timeout()
+sub validate_timeout
 {
 	my $timeout = shift;
 	return 0 if ($timeout =~ /\D/);
@@ -227,7 +236,7 @@ sub validate_timeout()
 
 
 # check for a valid interface language
-sub validate_language()
+sub validate_language
 {
 	my $language = shift;
 	# check for non-alphanumeric character
@@ -239,7 +248,7 @@ sub validate_language()
 
 
 # check for a valid documentation language
-sub validate_doc_language()
+sub validate_doc_language
 {
 	my $language = shift;
 	# check for non-alphanumeric character
@@ -298,7 +307,7 @@ if ( ! &check_ssl()) {
 	################ umount_do #######################
 	if ($action eq 'umount_do') {
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} elsif (&check_init_running()) {
 			$pagedata->setValue('Data.Warning', 'InitNotFinished');
@@ -321,7 +330,7 @@ if ( ! &check_ssl()) {
 	} elsif ($action eq 'mount_do') {
 		# mount requested
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} elsif (&check_init_running()) {
 			$pagedata->setValue('Data.Warning', 'InitNotFinished');
@@ -347,7 +356,7 @@ if ( ! &check_ssl()) {
 	################## mount_ask #######################
 	} elsif ($action eq 'mount_ask') {
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} elsif (&check_init_running()) {
 			$pagedata->setValue('Data.Warning', 'InitNotFinished');
@@ -361,7 +370,7 @@ if ( ! &check_ssl()) {
 	################# umount_ask ########################
 	} elsif ($action eq 'umount_ask') {
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} elsif ( ! &check_mounted()) {
 			$pagedata->setValue('Data.Warning', 'NotMounted');
@@ -382,7 +391,11 @@ if ( ! &check_ssl()) {
 		}
 	#################### init_do ########################
 	} elsif ($action eq 'init_do') {
-		if ($query->param('admin_password') ne $query->param('admin_password2')) {
+		my $admin_pw = &get_admin_pw;
+		if ($admin_pw ne '' && $admin_pw ne $query->param('admin_password'))
+			$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
+			$pagedata->setValue('Data.Action', 'init_form');
+		} elsif ($query->param('admin_password') ne $query->param('admin_password2')) {
 			# different admin-passwords
 			$pagedata->setValue('Data.Warning', 'DifferentAdminPasswords');
 			$pagedata->setValue('Data.Action', 'init_form');
@@ -411,7 +424,7 @@ if ( ! &check_ssl()) {
 	#################### config_ask ######################
 	} elsif ($action eq 'config_ask') {
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} else {
 			$pagedata->setValue('Data.Action', 'config_form');
@@ -419,46 +432,49 @@ if ( ! &check_ssl()) {
 	#################### config_do #######################
 	} elsif ($action eq 'config_do') {
 		if ( ! &check_config()) {
-			$pagedata->setValue('Data.Warning', 'NotConfigured');
+			$pagedata->setValue('Data.Warning', 'NotInitialized');
 			$pagedata->setValue('Data.Action', 'init_form');
 		} else {
-			if ( ! &validate_language($query->param('language'))) {
-			$pagedata->setValue('Data.Warning', 'InvalidLanguage');
-			$pagedata->setValue('Data.Action', 'config_form');
+			my $admin_pw = &get_admin_pw;
+			if ( $admin_pw ne '' && $admin_pw ne $query->param('admin_password'))
+				$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
+				$pagedata->setValue('Data.Action', 'config_form');
+			} elsif ( ! &validate_language($query->param('language'))) {
+				$pagedata->setValue('Data.Warning', 'InvalidLanguage');
+				$pagedata->setValue('Data.Action', 'config_form');
 			} elsif ( ! &validate_ip($query->param('ip'))) {
-			$pagedata->setValue('Data.Warning', 'InvalidIP');
-			$pagedata->setValue('Data.Action', 'config_form');
+				$pagedata->setValue('Data.Warning', 'InvalidIP');
+				$pagedata->setValue('Data.Action', 'config_form');
 			} elsif ( ! &validate_timeout($query->param('timeout'))) {
-			$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
-			$pagedata->setValue('Data.Action', 'config_form');
-			} else {
-			system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
-			system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
-			# check, if the ip was reconfigured
-			if ($query->param('ip') ne `$CB_SCRIPT get_config ip`)
-			{
-				# set the new value
-				system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
-				# reconfigure the network interface
-				system("$CB_SCRIPT", "update_ip_address");
-				# redirect to the new address
-				$pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'});
-				$pagedata->setValue('Data.Redirect.Delay', "5");
-				# display a warning for the redirection
-				$pagedata->setValue('Data.Warning', 'IPAddressChanged');
-			}
-
-			# check for success
-			if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) {
-				$pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed');
-			} elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) {
-				$pagedata->setValue('Data.Warning', 'ConfigIPFailed');
-			} elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) {
-				$pagedata->setValue('Data.Warning', 'ConfigLanguageFailed');
+				$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
+				$pagedata->setValue('Data.Action', 'config_form');
 			} else {
-				$pagedata->setValue('Data.Success', 'ConfigSaved');
-			}
-			$pagedata->setValue('Data.Action', 'intro');
+				system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
+				system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
+				# check, if the ip was reconfigured
+				if ($query->param('ip') ne `$CB_SCRIPT get_config ip`)
+				{
+					# set the new value
+					system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
+					# reconfigure the network interface
+					system("$CB_SCRIPT", "update_ip_address");
+					# redirect to the new address
+					$pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'});
+					$pagedata->setValue('Data.Redirect.Delay', "5");
+					# display a warning for the redirection
+					$pagedata->setValue('Data.Warning', 'IPAddressChanged');
+				}
+				# check for success
+				if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) {
+					$pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed');
+				} elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) {
+					$pagedata->setValue('Data.Warning', 'ConfigIPFailed');
+				} elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) {
+					$pagedata->setValue('Data.Warning', 'ConfigLanguageFailed');
+				} else {
+					$pagedata->setValue('Data.Success', 'ConfigSaved');
+				}
+				$pagedata->setValue('Data.Action', 'intro');
 			}
 		}
 	#################### show_log #######################
@@ -502,6 +518,9 @@ $pagedata->setValue('Data.Status.Mounted', &check_mounted() ? 1 : 0);
 my $output = &get_current_ip();
 $pagedata->setValue('Data.Status.IP', "$output");
 
+$output = &get_admin_pw();
+$pagedata->setValue('Data.Config.AdminPasswordIsSet', 1) if ($output ne '');
+
 $output = `$CB_SCRIPT diskinfo 2>&1 | sed 's#\$#<br/>#'`;
 $pagedata->setValue('Data.PartitionInfo',"$output");