fixed some ssl detection stuff

disabled 'help' plugin for now
enabled some ownership checks in CryptoBoxRootActions
documentation updates for proxy and ssl configurations

MANIFEST.in

@@ -1,6 +1,4 @@
-include README
-include README.samba
-include README.davfs
+include README*
 include LICENSE
 include changelog
 include copyright

README.proxy

@@ -1,4 +1,10 @@
-= apache in front of the cryptobox-server (cherrypy) =
+Running the CryptoBox behind a proxy
+
+This describes how to setup the CryptoBox webserver behind a apache or lighttpd
+as proxy webservers.
+
+
+-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
 
 The following section describes how to configure an apache2 webserver for
 forwarding requests to the cherrypy server of the CryptoBox.
@@ -37,29 +43,16 @@ forwarding requests to the cherrypy server of the CryptoBox.
 
 -----
 
-= lighttpd in front of the cryptobox-server (cherrypy) =
+-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
 
 In this section we do the same as above, but with lighttpd.
 
 Your lighttpd config should contain something like this:
 
-	# default document-root
-	server.document-root = "/usr/share/cryptobox-server/www-data/"
-
-	# TCP port
-	server.port = 443
-
 	# selecting modules
-	server.modules = ( "mod_access",
-					"mod_scgi",
-					"mod_accesslog",
-                    "mod_rewrite",
-                    "mod_staticfile" )
+	server.modules = ( "mod_scgi" )
 
-	ssl.engine = "enable"
-	ssl.pemfile = "/etc/lighttpd/server.pem"
-
-	scgi.server = ( "/" =>
+	scgi.server = ( "/cryptobox" =>
 		((  "host" => "127.0.0.1",
 			"port" => 8080,
 			"check-local" => "disable"

README.ssl

@@ -1,13 +1,51 @@
-= https for the CryptoBox =
+Encrypting the communication with the CryptoBox webserver with SSL
 
-To secure your http connection from the box to your browser, 
-you may use "stunnel".
+This file describes how to encrypt your connection to the CryptoBox webserver.
+This is highly recommended as the encryption password for your data could be
+exposed to intruders in your local network otherwise.
 
-Please take a look into the "start_stunnel.sh" script. You may use it
-to create a certificate and dig a tunnel.
+There are two ways for setting up a SSL connection:
+	- run the CryptoBox webserver behind an ssl-enabled webserver 
+	- use stunnel to provide an SSL socket
 
-In the case, that you already have a certificate just run this
-command:
 
-	stunnel -p $YOUR_CERT -r localhost:80 -d 443
+1) CryptoBox behind an ssl-enabled webserver
+	Read the documentation of your favourite webserver to learn how to enable
+	ssl encryption.
+
+	The CryptoBox webserver cannot detect whether the connection is encrypted
+	or not  since it is behind the proxy webserver. Thus you have to tell the
+	CryptoBox whether the connection is encrypted or not.
+
+	for apache2:
+		1) enable the 'headers' module (for debian: "a2enmod headers")
+		2) add this line to your ssl-enabled virtualhost:
+			RequestHeader set X-SSL-Request 1
+		3) restart your webserver
+	
+	for lighthttpd:
+		TODO
+
+
+2) CryptoBox behind stunnel
+	If you do not have an ssl certificate yet, then you should create it first.
+	Please take a look into the "start_stunnel.sh" script. You may use it
+	to create a certificate and dig a tunnel.
+
+	In case, that you already have a certificate just run this command:
+
+		stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
+	
+	Maybe you should add this to your bootup scripts.
+
+
+3) Problems with SSL detection?
+	If the CryptoBox continues to complain about the unencrypted connection, even
+	if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
+	one of the following things:
+		- set the request header value "X-SSL-Request" to "1" (one)
+		- set the environment setting "HTTPS" to a non-empty value during the
+		  startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
+		  would be the right place for this.
+		- let the CryptoBox webserver listen to port 443
 

bin/CryptoBoxRootActions

@@ -55,8 +55,6 @@ EVENT_MARKER = '_event_scripts_'
 
 def checkIfFileIsSafe(fname):
 	"""check if the file and its parents are only writeable for root"""
-	#FIXME: for now we may skip this test - but users will not like it this way :)
-	return True
 	props = os.stat(fname)
 	## check if it is owned by non-root
 	if props.st_uid != 0: return False
@@ -74,15 +72,14 @@ def	checkIfPluginIsValid(plugin):
 	import imp
 	try:
 		x = imp.load_source("cbox_plugin",plugin)
-	#TODO: no wildcard catches, please!
-	except Exception:
+	except (SyntaxError, IOError):
 		return False
 	try:
 		if getattr(x, "PLUGIN_TYPE") == "cryptobox":
 			return True
 		else:
 			return False
-	except Exception:
+	except AttributeError:
 		return False
 
 

conf-examples/start_stunnel.sh

@@ -39,3 +39,4 @@ rm "$TMP_FILE"
 #openssl x509 -subject -dates -fingerprint -in stunnel.pem
 
 stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}
+

debian/changelog

@@ -1,3 +1,11 @@
+cryptobox (0.2.57-1) unstable; urgency=low
+
+  * added some documentation
+  * fixed ssl issue
+  * turn on some ownership checks of CryptoBoxRootActions
+
+ -- Lars Kruse <devel@sumpfralle.de>  Thu, 14 Dec 2006 00:36:26 +0100
+
 cryptobox (0.2.56-1) unstable; urgency=low
 
   * added inline help texts

debian/cryptobox-server.default

@@ -14,3 +14,7 @@ PORT=8080
 # some more server options (rarely necessary)
 #SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
 
+# if the CryptoBox keeps complaining about a non-encrypted connection, then
+# you can override this warning by uncommenting the following line:
+#export HTTPS=1
+

debian/cryptobox-server.docs

@@ -1,6 +1,8 @@
 README
 README.samba
 README.davfs
+README.ssl
+README.proxy
 copyright
 changelog
 doc/html

plugins/help/help.py

@@ -29,7 +29,9 @@ class help(cryptobox.plugins.base.CryptoBoxPlugin):
 	"""The help feature of the CryptoBox.
 	"""
 
-	plugin_capabilities = [ "system" ]
+	#plugin_capabilities = [ "system" ]
+	#TODO: enable this plugin as soon as the user documentation is ready again
+	plugin_capabilities = [ ]
 	plugin_visibility = [ "menu" ]
 	request_auth = False
 	rank = 80

plugins/plugin_manager/plugin_list.cs

@@ -107,8 +107,8 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
 		<th></th>
 		<th></th>
 	</tr>
-<?cs # count non-volume plugins ?><?cs set: all_count = #0
-	?><?cs each:x = Settings.PluginList ?><?cs if: !x.Types.volume ?><?cs
+<?cs # count system plugins ?><?cs set: all_count = #0
+	?><?cs each:x = Settings.PluginList ?><?cs if: x.Types.system ?><?cs
 		set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
 	<tr>
 		<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
@@ -119,7 +119,7 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
 	</tr>
 <?cs set:run_counter = 0 ?><?cs
 loop:index = #0, #100, #1 ?><?cs
-each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && !x.Types.volume
+each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.system
 	?><?cs set: run_counter = run_counter + 1 ?><tr>
 		<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
 		<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>

src/cryptobox/web/sites.py

@@ -415,6 +415,8 @@ class WebInterfaceSites:
 		if cherrypy.request.headers.has_key("X-SSL-Request") \
 				and (cherrypy.request.headers["X-SSL-Request"] == "1"):
 			return True
+		## plaintext connection
+		return False
 
 
 	def __set_web_lang(self, value):