From 87af175764666e7f17424b79cace30b79d8f9e87 Mon Sep 17 00:00:00 2001
From: lars <lars@systemausfall.org>
Date: Thu, 14 Dec 2006 00:23:10 +0000
Subject: [PATCH] fixed some ssl detection stuff disabled 'help' plugin for now
 enabled some ownership checks in CryptoBoxRootActions documentation updates
 for proxy and ssl configurations

---
 MANIFEST.in                                 |  4 +-
 README.proxy                                | 27 ++++-------
 README.ssl                                  | 54 ++++++++++++++++++---
 bin/CryptoBoxRootActions                    |  7 +--
 {scripts => conf-examples}/start_stunnel.sh |  1 +
 debian/changelog                            |  8 +++
 debian/cryptobox-server.default             |  4 ++
 debian/cryptobox-server.docs                |  2 +
 plugins/help/help.py                        |  4 +-
 plugins/plugin_manager/plugin_list.cs       |  6 +--
 src/cryptobox/web/sites.py                  |  2 +
 11 files changed, 82 insertions(+), 37 deletions(-)
 rename {scripts => conf-examples}/start_stunnel.sh (99%)

diff --git a/MANIFEST.in b/MANIFEST.in
index b8640f5..5eb8cfe 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,6 +1,4 @@
-include README
-include README.samba
-include README.davfs
+include README*
 include LICENSE
 include changelog
 include copyright
diff --git a/README.proxy b/README.proxy
index 707e294..d71c420 100644
--- a/README.proxy
+++ b/README.proxy
@@ -1,4 +1,10 @@
-= apache in front of the cryptobox-server (cherrypy) =
+Running the CryptoBox behind a proxy
+
+This describes how to setup the CryptoBox webserver behind a apache or lighttpd
+as proxy webservers.
+
+
+-=-=-=- apache in front of the cryptobox-server (cherrypy) -=-=-=-
 
 The following section describes how to configure an apache2 webserver for
 forwarding requests to the cherrypy server of the CryptoBox.
@@ -37,29 +43,16 @@ forwarding requests to the cherrypy server of the CryptoBox.
 
 -----
 
-= lighttpd in front of the cryptobox-server (cherrypy) =
+-=-=-=- lighttpd in front of the cryptobox-server (cherrypy) -=-=-=-
 
 In this section we do the same as above, but with lighttpd.
 
 Your lighttpd config should contain something like this:
 
-	# default document-root
-	server.document-root = "/usr/share/cryptobox-server/www-data/"
-
-	# TCP port
-	server.port = 443
-
 	# selecting modules
-	server.modules = ( "mod_access",
-					"mod_scgi",
-					"mod_accesslog",
-                    "mod_rewrite",
-                    "mod_staticfile" )
+	server.modules = ( "mod_scgi" )
 
-	ssl.engine = "enable"
-	ssl.pemfile = "/etc/lighttpd/server.pem"
-
-	scgi.server = ( "/" =>
+	scgi.server = ( "/cryptobox" =>
 		((  "host" => "127.0.0.1",
 			"port" => 8080,
 			"check-local" => "disable"
diff --git a/README.ssl b/README.ssl
index 19d43e3..b263334 100644
--- a/README.ssl
+++ b/README.ssl
@@ -1,13 +1,51 @@
-= https for the CryptoBox =
+Encrypting the communication with the CryptoBox webserver with SSL
 
-To secure your http connection from the box to your browser, 
-you may use "stunnel".
+This file describes how to encrypt your connection to the CryptoBox webserver.
+This is highly recommended as the encryption password for your data could be
+exposed to intruders in your local network otherwise.
 
-Please take a look into the "start_stunnel.sh" script. You may use it
-to create a certificate and dig a tunnel.
+There are two ways for setting up a SSL connection:
+	- run the CryptoBox webserver behind an ssl-enabled webserver 
+	- use stunnel to provide an SSL socket
 
-In the case, that you already have a certificate just run this
-command:
 
-	stunnel -p $YOUR_CERT -r localhost:80 -d 443
+1) CryptoBox behind an ssl-enabled webserver
+	Read the documentation of your favourite webserver to learn how to enable
+	ssl encryption.
+
+	The CryptoBox webserver cannot detect whether the connection is encrypted
+	or not  since it is behind the proxy webserver. Thus you have to tell the
+	CryptoBox whether the connection is encrypted or not.
+
+	for apache2:
+		1) enable the 'headers' module (for debian: "a2enmod headers")
+		2) add this line to your ssl-enabled virtualhost:
+			RequestHeader set X-SSL-Request 1
+		3) restart your webserver
+	
+	for lighthttpd:
+		TODO
+
+
+2) CryptoBox behind stunnel
+	If you do not have an ssl certificate yet, then you should create it first.
+	Please take a look into the "start_stunnel.sh" script. You may use it
+	to create a certificate and dig a tunnel.
+
+	In case, that you already have a certificate just run this command:
+
+		stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
+	
+	Maybe you should add this to your bootup scripts.
+
+
+3) Problems with SSL detection?
+	If the CryptoBox continues to complain about the unencrypted connection, even
+	if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
+	one of the following things:
+		- set the request header value "X-SSL-Request" to "1" (one)
+		- set the environment setting "HTTPS" to a non-empty value during the
+		  startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
+		  would be the right place for this.
+		- let the CryptoBox webserver listen to port 443
 
diff --git a/bin/CryptoBoxRootActions b/bin/CryptoBoxRootActions
index 6781de1..22664d3 100755
--- a/bin/CryptoBoxRootActions
+++ b/bin/CryptoBoxRootActions
@@ -55,8 +55,6 @@ EVENT_MARKER = '_event_scripts_'
 
 def checkIfFileIsSafe(fname):
 	"""check if the file and its parents are only writeable for root"""
-	#FIXME: for now we may skip this test - but users will not like it this way :)
-	return True
 	props = os.stat(fname)
 	## check if it is owned by non-root
 	if props.st_uid != 0: return False
@@ -74,15 +72,14 @@ def	checkIfPluginIsValid(plugin):
 	import imp
 	try:
 		x = imp.load_source("cbox_plugin",plugin)
-	#TODO: no wildcard catches, please!
-	except Exception:
+	except (SyntaxError, IOError):
 		return False
 	try:
 		if getattr(x, "PLUGIN_TYPE") == "cryptobox":
 			return True
 		else:
 			return False
-	except Exception:
+	except AttributeError:
 		return False
 
 
diff --git a/scripts/start_stunnel.sh b/conf-examples/start_stunnel.sh
similarity index 99%
rename from scripts/start_stunnel.sh
rename to conf-examples/start_stunnel.sh
index 50774cf..a5cf0a5 100755
--- a/scripts/start_stunnel.sh
+++ b/conf-examples/start_stunnel.sh
@@ -39,3 +39,4 @@ rm "$TMP_FILE"
 #openssl x509 -subject -dates -fingerprint -in stunnel.pem
 
 stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}
+
diff --git a/debian/changelog b/debian/changelog
index f001d21..78e6633 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cryptobox (0.2.57-1) unstable; urgency=low
+
+  * added some documentation
+  * fixed ssl issue
+  * turn on some ownership checks of CryptoBoxRootActions
+
+ -- Lars Kruse <devel@sumpfralle.de>  Thu, 14 Dec 2006 00:36:26 +0100
+
 cryptobox (0.2.56-1) unstable; urgency=low
 
   * added inline help texts
diff --git a/debian/cryptobox-server.default b/debian/cryptobox-server.default
index d4bea5a..4e40894 100644
--- a/debian/cryptobox-server.default
+++ b/debian/cryptobox-server.default
@@ -14,3 +14,7 @@ PORT=8080
 # some more server options (rarely necessary)
 #SERVER_OPTS="--host localhost --datadir=/usr/share/cryptobox-server/html"
 
+# if the CryptoBox keeps complaining about a non-encrypted connection, then
+# you can override this warning by uncommenting the following line:
+#export HTTPS=1
+
diff --git a/debian/cryptobox-server.docs b/debian/cryptobox-server.docs
index fffb547..3285b8a 100644
--- a/debian/cryptobox-server.docs
+++ b/debian/cryptobox-server.docs
@@ -1,6 +1,8 @@
 README
 README.samba
 README.davfs
+README.ssl
+README.proxy
 copyright
 changelog
 doc/html
diff --git a/plugins/help/help.py b/plugins/help/help.py
index fedd067..dd6800e 100644
--- a/plugins/help/help.py
+++ b/plugins/help/help.py
@@ -29,7 +29,9 @@ class help(cryptobox.plugins.base.CryptoBoxPlugin):
 	"""The help feature of the CryptoBox.
 	"""
 
-	plugin_capabilities = [ "system" ]
+	#plugin_capabilities = [ "system" ]
+	#TODO: enable this plugin as soon as the user documentation is ready again
+	plugin_capabilities = [ ]
 	plugin_visibility = [ "menu" ]
 	request_auth = False
 	rank = 80
diff --git a/plugins/plugin_manager/plugin_list.cs b/plugins/plugin_manager/plugin_list.cs
index 35c922b..daea4f3 100644
--- a/plugins/plugin_manager/plugin_list.cs
+++ b/plugins/plugin_manager/plugin_list.cs
@@ -107,8 +107,8 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
 		<th></th>
 		<th></th>
 	</tr>
-<?cs # count non-volume plugins ?><?cs set: all_count = #0
-	?><?cs each:x = Settings.PluginList ?><?cs if: !x.Types.volume ?><?cs
+<?cs # count system plugins ?><?cs set: all_count = #0
+	?><?cs each:x = Settings.PluginList ?><?cs if: x.Types.system ?><?cs
 		set: all_count = all_count + 1 ?><?cs /if ?><?cs /each ?>
 	<tr>
 		<th><?cs var:html_escape(Lang.Plugins.plugin_manager.Text.PluginName) ?></th>
@@ -119,7 +119,7 @@ each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.volume
 	</tr>
 <?cs set:run_counter = 0 ?><?cs
 loop:index = #0, #100, #1 ?><?cs
-each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && !x.Types.volume
+each:x = Settings.PluginList ?><?cs if:(x.Rank == index) && x.Types.system
 	?><?cs set: run_counter = run_counter + 1 ?><tr>
 		<td style="text-align:left"><a name="<?cs var:html_escape(name(x)) ?>"><?cs var:html_escape(x.Name) ?></a></td>
 		<td><input type="checkbox" name="<?cs var:name(x) ?>_visible_menu" <?cs if:x.Visible.menu ?>checked="checked"<?cs /if ?> /></td>
diff --git a/src/cryptobox/web/sites.py b/src/cryptobox/web/sites.py
index a16513b..df21a8b 100644
--- a/src/cryptobox/web/sites.py
+++ b/src/cryptobox/web/sites.py
@@ -415,6 +415,8 @@ class WebInterfaceSites:
 		if cherrypy.request.headers.has_key("X-SSL-Request") \
 				and (cherrypy.request.headers["X-SSL-Request"] == "1"):
 			return True
+		## plaintext connection
+		return False
 
 
 	def __set_web_lang(self, value):