cryptonas
/
cryptonas
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

moving ...

Browse Source
master
lars 17 years ago
parent 8153ebd010
commit 8e98fbdf83
20 changed files with 926 additions and 1223 deletions
Show Stats Download Patch File Download Diff File

1
COPYRIGHT
Unescape Escape View File

@ -1 +0,0 @@
cbox-tree.d/usr/share/doc/cryptobox/copyright

590
bin/cbox-manage.sh
Unescape Escape View File

@ -0,0 +1,590 @@
#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# this script does EVERYTHING
# all other scripts are only frontends :)
#
# called by:
# - some rc-scripts
# - the web frontend cgi
#
# TODO: check permissions and owners of config files, directories and scripts before
# running cbox-root-actions.sh
set -eu
# define reasonable defaults
USE_STUNNEL=0
EXEC_FIREWALL_RULES=0
SKIP_NETWORK_CONFIG=1
CONF_FILE=/etc/cryptobox/cryptobox.conf
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# parse config file
. "$CONF_FILE"
# check for writable log file
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE")
## configuration
CERT_TEMP=/tmp/stunnel.pem
######## stuff ##########
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
#########################
function log_msg()
{
# the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0
echo >>"$LOG_FILE"
echo "##### `date` #####" >>"$LOG_FILE"
echo "$1" >>"$LOG_FILE"
}
function error_msg()
# parameters: ExitCode ErrorMessage
{
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
# print the execution stack - not usable with busybox
# caller | sed 's/^/\t/' >&2
exit "$1"
}
function config_set_value()
# parameters: SettingName [SettingValue]
# read from stdin if SettingValue is not defined
{
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw
if [ $# -gt 1 ]
then echo -n "$2" > "$CONFIG_DIR/$1"
else cat - >"$CONFIG_DIR/$1"
fi
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro
}
function config_get_value()
# parameters: SettingName
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_active
then conf_dir=$CONFIG_DIR
else conf_dir=$CONFIG_DEFAULTS_DIR
fi
[ -z "$1" ] && error_msg 1 "empty setting name"
# check for existence - maybe use default values (for old releases without this setting)
if [ ! -e "$conf_dir/$1" ]
then case "$1" in
# you may place default values for older versions here
# for compatibility
* )
error_msg 2 "unknown configuration value ($1)"
# empty output
;;
esac
else echo -n $(cat "$conf_dir/$1")
# this removes the trailing line break
fi
# always return without error
true
}
function create_config()
# Parameter: device
{
local device=$1
unload_config
# create the new configuration filesystem if it is not static
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
log_msg "Mounting config partition ..."
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
sudo "$ROOT_PERM_SCRIPT" remount_config rw
fi
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" "$(get_current_ip)"
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value "$CONFIG_MARKER" "$(date -I)"
}
function get_current_ip()
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
}
function list_partitions_of_type()
# parameter: { config | crypto | plaindata | unused }
{
local config=
local crypto=
local plaindata=
local unused=
for a in $ALL_PARTITIONS
do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
then crypto="$crypto /dev/$a"
elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
then config="$config /dev/$a"
elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
then plaindata="$plaindata /dev/$a"
else unused="$unused /dev/$a"
fi
done
case "$1" in
config | crypto | plaindata | unused )
# dirty hack, but it works
eval "echo \$$1"
;;
* )
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)"
;;
esac | tr " " "\n" | grep -v '^$'
}
function get_crypto_uuid()
# Parameter: DEVICE
{
sudo "$ROOT_PERM_SCRIPT" get_device_name "$1"
}
function get_crypto_name()
# Parameter: DEVICE
# return the readable name of the crypto container, it it is already defined
# if undefined - return the uuid
{
local uuid=$(get_crypto_uuid "$1")
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
if [ -z "$dbname" ]
then echo -n "$uuid"
else echo -n "$dbname"
fi
}
function set_crypto_name()
# TODO: the implementation is quite ugly, but it works (tm)
# Parameter: DEVICE NAME
{
local uuid=$(get_crypto_uuid "$1")
# remove the old setting for this device and every possible entry with the same name
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db'
}
function does_crypto_name_exist()
# Parameter: NAME
{
config_get_value 'names.db' | grep -q "^[^:]*:$1$"
}
function create_crypto()
# Parameter: DEVICE NAME KEYFILE
# keyfile is necessary, to allow background execution via 'at'
# TODO: check if the keyfile is still necessary for sudo -b
{
local device=$1
local name=$2
local keyfile=$3
# otherwise the web interface will hang
# passphrase may be passed via command line
local key=$(<"$keyfile")
# remove the passphrase-file as soon as possible
dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null
rm "$keyfile"
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device"
echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device"
set_crypto_name "$device" "$name"
}
function is_config_active()
{
test -f "$CONFIG_DIR/$CONFIG_MARKER"
}
function is_crypto_mounted()
# Parameter: DEVICE
{
local name=$(get_crypto_uuid "$1")
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name"
}
function is_init_running()
{
check_at_command_queue " init"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue()
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q "$1"
}
function find_harddisk()
# look for the harddisk to be partitioned
{
local device=$(get_available_disks | head -1)
if [ -z "$device" ] ; then
log_msg "no valid harddisk for initialisation found!"
cat /proc/partitions >>"$LOG_FILE"
# do not return with an error, to avoid a failing of the script ('break on error')
# the caller of this function should handle an empty return string
fi
echo -n "$device"
}
function get_available_disks()
# looks which allowed disks are at the moment connected with the cbox
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
done
done
}
function load_config()
{
unload_config
local status=0
# look for a configuration partition
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
list_partitions_of_type config | while read part && [ "$status" = 0 ]
do log_msg "Trying to load configuration from /dev/$part ..."
if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
then log_msg "configuraton found on $part"
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
status=1
fi
done
if is_config_active
then # copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
else log_msg "failed to locate config partition"
return 1
fi
true
}
function unload_config()
{
is_config_active || return
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
then sudo "$ROOT_PERM_SCRIPT" umount_config
else true
fi
}
function mount_crypto()
# Parameter: DEVICE
{
local device=$1
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg "Mounting a crypto partition from $device"
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
}
function umount_crypto()
# Parameter: DEVICE
{
local device=$1
local uuid=$(get_crypto_uuid $device)
sudo "$ROOT_PERM_SCRIPT" umount "$uuid"
}
function box_purge()
# removing just the first bytes from the harddisk should be enough
# every harddisk will be overriden!
{
# TODO: not ALL harddisks, please!
get_available_disks | while read a
do log_msg "Purging $a ..."
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
done
}
function init_cryptobox()
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device=$(find_harddisk)
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1
turn_off_all_crypto
unload_config || true
log_msg "Partitioning the device ($device) ..."
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
log_msg "Initializing config partition on ${device}1 ..."
# TODO: this should not be hard-coded
create_config "${device}1"
}
function turn_off_all_crypto()
{
list_crypto_containers | while read a
do is_crypto_mounted "$a" && umount_crypto "$a"
done
}
### main ###
# set PATH because thttpd removes /sbin and /usr/sbin for cgis
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
ACTION=help
[ $# -gt 0 ] && ACTION=$1 && shift
case "$ACTION" in
config-up )
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
;;
config-down )
unload_config || error_msg 4 "Could not unmount configuration partition"
;;
network-up )
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then conf_ip=$(config_get_value "ip")
log_msg "Configuring $NET_IFACE for $conf_ip ..."
echo "Configuring network interface for $NET_IFACE: $conf_ip"
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
fi
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
fi
if [ "$USE_STUNNEL" = 1 ]
then # start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown "$WEB_USER" "$CERT_TEMP"
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|| echo "$USE_CERT not found - not starting stunnel"
fi
;;
network-down )
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
fi
if [ "$USE_STUNNEL" = 1 ]
then log_msg "Stopping stunnel ..."
# TODO: what about a pid?
killall stunnel 2>/dev/null || true
fi
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then log_msg "Shutting the network interface down ..."
"$IFCONFIG" "$NET_IFACE" down
fi
;;
services-up )
# the mount point has to be writeable
# this action is called as root - so we are allowed to umount
# TODO: do this only for ro-filesystem
# TODO: this way of mounting is evil
if mountpoint -q "$MNT_PARENT"
then true
else mount -t tmpfs tmpfs "$MNT_PARENT"
fi
true
;;
services-down )
# this action is called as root - so we are allowed to umount
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
;;
crypto-up )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
mount_crypto "$1"
;;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
umount_crypto "$1"
;;
init )
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
;;
crypto-create )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1")
# read the password
cat - >"$keyfile"
# execute it in the background
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now
;;
crypto-create-bg )
create_crypto "$@"
;;
crypto-list )
list_partitions_of_type crypto
;;
crypto-list-unused )
list_partitions_of_type unused
;;
crypto-name )
# Parameter: DEVICE
get_crypto_name "$1"
;;
is_crypto_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
is_crypto_mounted "$1"
;;
is_config_mounted )
is_config_active
;;
is_init_running )
is_init_running
;;
is_harddisk_available )
[ -z "$(find_harddisk)" ] && exit 1
exit 0
;;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
fi
;;
get_available_disks )
get_available_disks
;;
get_current_ip )
get_current_ip
;;
set_config )
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value "$1" "$2"
;;
get_config )
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value "$1"
;;
diskinfo )
get_available_disks | while read a
do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a"
done
;;
box-purge )
log_msg "Cleaning the CryptoBox ..."
turn_off_all_crypto
"$0" config-down
box_purge >>"$LOG_FILE" 2>&1
;;
poweroff )
log_msg "Turning off the CryptoBox ..."
turn_off_all_crypto
echo "poweroff" | at now
;;
reboot )
log_msg "Rebooting the CryptoBox ..."
turn_off_all_crypto
echo "reboot" | at now
;;
* )
echo "Syntax: `basename $0` ACTION [PARAMS]"
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo " crypto-up - mount crypto partition"
echo " crypto-down - unmount crypto partition"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_available_disks - shows all connected and allowed disks"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " diskinfo - show the partition table of the harddisk"
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
echo " poweroff - shutdown the cryptobox"
echo " reboot - reboot the cryptobox"
echo
;;
esac
exit 0

330
bin/cbox-root-actions.sh
Unescape Escape View File

@ -0,0 +1,330 @@
#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# this script is responsible for all dangerous actions, that require root privileges
# every action should be checked at least TWICE a day for open holes :)
# usually will get call via sudo
#
# called by:
# - cbox-manage.sh
#
set -eu
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
. "$CONF_FILE"
############ some useful functions ###############
# check if the given device is part of the SCAN_DEVICE list
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[0-9]*$" against
# the given device
# other devices may not be touched
function is_device_allowed()
# parameter: device
{
for a in $SCAN_DEVICES
do [[ "$1" =~ "^/dev/${a}[0-9]*$" ]] && return 0
done
return 1
}
function get_device_name()
# return the uuid of the device
# if there is no uuid, then the device name is "flattened" and returned
# ignore volume-id as it may be non-unique
{
local UUID=
# check for luksUUID or ext2/3-uuid
if is_luks_device "$1"
then UUID=$("$CRYPTSETUP" luksUUID "$1")
else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g")
fi
# if there is no valid UUUD, then take the flattened device name
is_uuid_valid "$UUID" || UUID=${1//\//_}
echo "$UUID"
}
function is_uuid_valid()
# every devmapper name should look like a UUID
{
local hex=[0-9a-f]
[[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]]
}
function error_msg()
# parameter ExitCode ErrorMessage
{
echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2
exit $1
}
function partition_device()
# parameter: device sfdisk_layout_setup
# e.g.: /dev/hda "0,1,L \n,,L\n"
{
# TODO: allow different layouts
# TODO: skip config partition if a configuration is already active
# sfdisk -n doesn't actually write (for testing purpose)
if echo -e "$2" | "$SFDISK" -n "$1"
then echo -e "$2" | "$SFDISK" "$1" || return 1
else return 2
fi
true
}
function is_luks_device()
# parameter: device
{
"$CRYPTSETUP" isLuks "$1"
}
################ main ####################
ACTION=unknown
[ $# -gt 0 ] && ACTION=$1 && shift
case "$ACTION" in
partition_disk )
[ $# -ne 2 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
partition_device "$1" "$2" || \
error_msg 2 "failed to create new partition table on device $1"
;;
mount )
# parameters: device
# returns the relative name of the mointpoint for success
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
name=$(get_device_name "$1")
mountpoint -q "$MNT_PARENT/$name" && \
error_msg 5 "a device with the same name ($name) is already mounted"
mkdir -p "$MNT_PARENT/$name"
if is_luks_device "$1"
then "$CRYPTSETUP" luksOpen "$1" "$name" || \
error_msg 6 "could not open encrypted device $1"
if mount "$DEV_MAPPER_DIR/$name" "$MNT_PARENT/$name"
then true
else "$CRYPTSETUP" luksClose "$name" || true
error_msg 7 "wrong password for $1 supplied"
fi
else mount "$1" "$MNT_PARENT/$name" || \
error_msg 8 "invalid filesystem on device $1"
fi
# just in case, that there is no ext2/3 filesystem:
# set uid option (will fail silently for ext2/3)
mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
# adapt top-level permission to current setup - again: may fail silently
chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true
true
;;
umount )
#parameter: name (relative mountpoint)
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_uuid_valid "$1" || [[ "$1" =~ "^[_a-z0-9]*$" ]] || \
error_msg 4 "invalid UUID ($1)"
mountpoint -q "$MNT_PARENT/$1" || \
error_msg 9 "the device with the UUID ($1) is not mounted"
# try to unmount - continue even on errors
umount "$MNT_PARENT/$1" || \
error_msg 0 "unmount of device $1 failed - device is busy"
# remove (if necessary) the dev mapping
[ -e "$DEV_MAPPER_DIR/$1" ] && "$CRYPTSETUP" luksClose "$1" || \
error_msg 11 "could not remove the device mapper for device $1"
# try to remove the mountpoint - a failure is not important
rmdir "$MNT_PARENT/$1" || true
# set exitcode
mountpoint -q "$MNT_PARENT/$1" && exit 1
exit 0
;;
create_crypto )
# parameter: device
# the passphrase is expected on stdin
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
# read the passphrase from stdin
key=$(cat -)
# the iter-time is in milliseconds - keep it low for fast mounting
echo "$key" | \
"$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \
error_msg 11 "failed to create the encrypted partition"
name=$(get_device_name "$1")
echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \
error_msg 12 "failed to open the encrypted partition"
# silent output from mkfs.ext3
"$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \
error_msg 13 "failed to create the encrypted filesystem"
"$CRYPTSETUP" luksClose "$name" || \
error_msg 14 "failed to close the encrypted mapped device"
;;
get_device_name )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
get_device_name "$1"
;;
mount_config )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
"$MKFS_CONFIG" -q "$1" || \
error_msg 20 "failed to create config partition filesystem"
;;
mount_config )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && \
error_msg 0 "the configuration partition is already mounted"
mount "$1" "$CONFIG_DIR" || \
error_msg 16 "failed to mount configuration partition"
# chown to fix permissions - may fail for non-ext2/3 filesystems
chown -R "$WEB_USER" "$CONFIG_DIR" || true
mount -o remount,ro "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
remount_config )
# parameter: { ro | rw }
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
[[ "$1" =~ "^r[ow]$" ]] || error_msg 17 "only 'rw' and 'ro' are allowed"
mount -o "remount,$1" "$CONFIG_DIR" || \
error_msg 18 "failed to remount configuration partition"
true
;;
umount_config )
# no parameters
[ $# -ne 0 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
mountpoint -q "$CONFIG_DIR" && umount "$CONFIG_DIR" || \
error_msg 18 "failed to unmount configuration partition"
;;
is_config_partition )
# parameter: device
# returns exitcode 0 if the device contains a configuration
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
[ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \
error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
is_config=0
tmp_dir=/tmp/$(basename $0)-$$-mnt
mkdir -p "$tmp_dir"
# error means "no config partition"
if mount "$1" "$CONFIG_DIR"
then [ -e "$CONFIG_DIR/$CONFIG_MARKER" ] && is_config=1
umount "$CONFIG_DIR" || \
error_msg 14 "unable to unmount configation partition after probing"
fi
rmdir "$tmp_dir" || true
# return 0 if $device is a config partition
[ "$is_config" -eq 1 ] && exit 0
exit 1
;;
is_crypto_partition )
# parameter: device
# returns exitcode 0 if the device contains a luks header
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
is_luks_device "$1"
;;
is_data_partition )
# parameter: device
# returns exitcode 0 if the device contains a readable filesystem
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
status=0
tmp_dir=/tmp/$(basename $0)-$$-mnt
mkdir -p "$tmp_dir"
if mount "$1" "$tmp_dir"
then [ ! -e "$tmp_dir/$CONFIG_MARKER" ] && status=1
umount "$tmp_dir"
fi
rmdir "$tmp_dir" || true
[ "$status" -eq 1 ] && exit 0
exit 1
;;
trash_device )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null
;;
diskinfo )
# parameter: device
[ $# -ne 1 ] && error_msg 1 "wrong number of parameters"
is_device_allowed "$1" || \
error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)"
"$SFDISK" -L -q -l "$1"
;;
update_network )
# parameter: none
ip=
# TODO: can we avoid to hard-code the filename ($CONFIG_DIR/ip) here?
[ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip")
[ -n "$z" ] && ifconfig "$NET_IFACE" "$ip"
;;
* )
echo "Syntax: $(basename $0) ACTION PARAMETERS"
echo ' partition_disk $device $disk_layout'
echo ' get_device_name $device'
echo ' create_crypto $device'
echo ' mount $device'
echo ' umount $name'
echo ' create_config $device'
echo ' mount_config $device'
echo ' remount_config { ro | rw }'
echo ' umount_config'
echo ' is_config_partition $device'
echo ' is_plaindata_partition $device'
echo ' is_crypto_partition $device'
echo ' trash_device $device'
echo ' diskinfo $device'
echo ' update_network'
echo ' help'
echo
[ "$ACTION" == "help" ] && exit 0
# return error for any unknown/unspecified action
exit 1
;;
esac

0
cgi/cryptobox.pl → bin/cryptobox.pl
Unescape Escape View File

1
changelog.gz
Unescape Escape View File

@ -1 +0,0 @@
link cbox-tree.d/usr/share/doc/cryptobox/changelog.gz

0
etc/cryptobox/cryptobox.conf → conf-examples/cryptobox.conf
Unescape Escape View File

0
etc/default/cryptobox → conf-examples/defaults-cryptobox.conf
Unescape Escape View File

BIN
cover/antlogo-big.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
cover/antlogo-big.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 52 KiB

BIN
cover/antlogo-small.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.0 KiB

1048
cover/cover_de.pdf
View File

File diff suppressed because it is too large Load Diff

BIN
cover/cover_de.sxw
View File

Binary file not shown.

BIN
cover/cover_en.pdf
View File

Binary file not shown.

BIN
cover/cover_en.sxw
View File

Binary file not shown.

6
debian/README.Debian vendored
Unescape Escape View File

@ -0,0 +1,6 @@
CryptoBox for Debian - installation notes
be aware of two things:
1) you need cryptsetup with luks support (for now only in unstable)
2) the debian perl-clearsilver package is broken (at least until April 02006)

18
doc/README.Debian
Unescape Escape View File

@ -1,18 +0,0 @@
CryptoBox for Debian - installation notes
1) additional dependencies
you need the following packages, which are not (yet) part of the main debian distribution:
* cryptsetup_luks - http://luks.endorphin.org/masses
* clearsilver for perl (>=0.9.14) - http://www.clearsilver.net/downloads/
2) cgi-bin
If you do not use thttpd as your webserver, you should add the cgi-bin path to
your script directory. For apache this would be something like the following:
(file /etc/apache???/conf.d/cryptobox)
Alias /cryptobox-misc /var/www/cryptobox-misc
ScriptAlias /cryptobox /usr/lib/cgi-bin/cryptobox.pl
-- Lars Kruse <devel@sumpfralle.de> Sun, 4 Dec 2005 21:05:45 +0100

1
etc/cryptobox/revision
Unescape Escape View File

@ -1 +0,0 @@
$Revision$

65
etc/cryptobox/ssl-cert.conf
Unescape Escape View File

@ -1,65 +0,0 @@
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 3650
default_md = md5
policy = policy_match
#serial = $dir/serial
#database = $dir/index.txt
#new_certs_dir = $dir/newcert
#certificate = $dir/cacert.pem
#private_key = $dir/private/cakey.pem
#preserve = no
#email_in_dn = no
#nameopt = default_ca
#certopt = default_ca
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = stunnel.pem # name of generated keys
default_md = md5 # message digest algorithm
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
#countryName = Country Name (2 letter code)
#countryName_min = 2
#countryName_max = 2
#commonName = Common Name (hostname, IP, or your name)
#commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = CryptoBox
organizationalUnitName_default = s.l.
localityName_default = Kugelmugel
stateOrProvinceName_default = Metropolis
emailAddress_default = info@systemausfall.org

89
etc/init.d/cryptobox
Unescape Escape View File

@ -1,89 +0,0 @@
#!/bin/sh
set -eu
#
# we give some hints for users, sitting in front of the cryptobox waiting for a login prompt
#
# check if the cryptobox is installed
[ -e "/usr/lib/cryptobox/cbox-manage.sh" ] || exit 0
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# startup switch defaults to zero (enabled)
NO_START=${NO_START:-0}
# check startup switch
if [ "$NO_START" = "1" ]
then [ $# -eq 0 ] && exit 0
[ "$1" = "status" ] && exit 1
[ "$1" = "stop" ] && exit 0
echo "CryptoBox is disabled by default"
exit 0
fi
# stop-on-errors
set -eu
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
if [ -e "$CONF_FILE" ]
then . "$CONF_FILE"
else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
exit 1
fi
case "$1" in
start )
# stop if already running
"$0" status && "$0" stop
# initialize
"$CB_SCRIPT" config-up
"$CB_SCRIPT" network-up
"$CB_SCRIPT" services-up
# check if we are on a developers CryptoBox
# if not give some usage hints
# otherwise give a warning and start the devel features
if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then
echo
echo "How to use the CryptoBox:"
echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)/cryptobox'"
echo " * configure your CryptoBox via a webbrowser"
echo
else
echo
echo "+---------------------------------------------------------------+"
echo "| WARNING: Some CryptoBox development features are enabled |"
echo "| This should definitely NOT happen for a production CD. |"
echo "| as it offers no security at all. |"
echo "| If you don't plan to refine this CD, don't use it! |"
echo "+---------------------------------------------------------------+"
echo
"$DEV_FEATURES_SCRIPT" "$@"
fi
true
;;
stop )
# exit if not running
"$0" status || exit 0
# shut down
"$CB_SCRIPT" services-down
"$CB_SCRIPT" network-down
"$CB_SCRIPT" config-down
;;
restart | reload | force-reload )
$0 stop
$0 start
;;
status )
if "$CB_SCRIPT" is_config_mounted
then exit 0
else exit 1
fi
;;
* )
echo "Syntax: $0 { start | stop | restart | reload | force-reload | status }"
;;
esac

0
etc/cron.d/cryptobox → stuff/cron-cryptobox
Unescape Escape View File

Write Preview
Loading…
Cancel
Save