Makefile created
debian installer improved; binary suid wrappers added
parent
6579b05754
commit
d0d27ea05e
19 changed files with 355 additions and 120 deletions
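--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,60 @@
+#
+# Makefile for the cryptobox web-interface
+#
+# Copyright (c) 02006 senselab
+#
+
+CRYPTOBOX_ROOT = .
+
+PREFIX = /usr/local
+SHARE_DIR = $(PREFIX)/share/cryptobox
+LIB_DIR = $(PREFIX)/lib/cryptobox
+DOC_DIR = $(PREFIX)/share/doc/cryptobox
+BUILD_DIR = build_dir
+INSTALL = install
+
+.PHONY: install clean build
+
+build:
+$(INSTALL) -d -m 755 $(BUILD_DIR)/etc
+$(INSTALL) -c -m 644 conf-examples/cryptobox.conf $(BUILD_DIR)/etc/
+@sed -i 's#^HTML_TEMPLATE_DIR=.*$$#HTML_TEMPLATE_DIR=$(SHARE_DIR)/templates#' $(BUILD_DIR)/etc/cryptobox.conf
+@sed -i 's#^LANGUAGE_DIR=.*$$#LANGUAGE_DIR=$(SHARE_DIR)/lang#' $(BUILD_DIR)/etc/cryptobox.conf
+@sed -i 's#^DOC_DIR=.*$$#DOC_DIR=$(DOC_DIR)/html#' $(BUILD_DIR)/etc/cryptobox.conf
+@sed -i 's#^CONFIG_DEFAULTS_DIR=.*$$#CONFIG_DEFAULTS_DIR=$(SHARE_DIR)/defaults#' $(BUILD_DIR)/etc/cryptobox.conf
+
+# compile the suid wrapper
+$(MAKE) -C bin LIB_DIR=$(LIB_DIR)
+@touch $(BUILD_DIR)-stamp
+
+
+install: $(BUILD_DIR)-stamp
+$(INSTALL) -d -m 755 $(LIB_DIR)
+$(INSTALL) -c -m 755 bin/cbox-manage.sh $(LIB_DIR)
+$(INSTALL) -c -m 755 bin/cbox-root-actions.sh $(LIB_DIR)
+$(INSTALL) -c -m 755 bin/cryptobox.pl $(LIB_DIR)
+$(INSTALL) -c -m 755 bin/cryptobox_cgi_wrapper $(LIB_DIR)
+$(INSTALL) -c -m 4755 bin/cryptobox_root_wrapper $(LIB_DIR)
+$(INSTALL) -d -m 755 $(SHARE_DIR)/lang
+$(INSTALL) -c -m 644 lang/* $(SHARE_DIR)/lang/
+$(INSTALL) -d -m 755 $(SHARE_DIR)/templates
+$(INSTALL) -c -m 644 templates/*.cs $(SHARE_DIR)/templates
+$(INSTALL) -d -m 755 $(SHARE_DIR)/defaults
+$(INSTALL) -c -m 644 conf-examples/default-settings/* $(SHARE_DIR)/defaults/
+$(INSTALL) -d -m 755 $(SHARE_DIR)/html
+$(INSTALL) -c -m 644 www-data/*.css $(SHARE_DIR)/html/
+$(INSTALL) -c -m 644 www-data/*.png $(SHARE_DIR)/html/
+$(INSTALL) -c -m 644 www-data/*.gif $(SHARE_DIR)/html/
+$(INSTALL) -d -m 755 $(SHARE_DIR)/html/screenshots
+$(INSTALL) -c -m 644 www-data/screenshots/*.png $(SHARE_DIR)/html/screenshots/
+$(INSTALL) -d -m 755 $(DOC_DIR)/html/en
+$(INSTALL) -d -m 755 $(DOC_DIR)/html/de
+$(INSTALL) -c -m 644 doc/html/en/* $(DOC_DIR)/html/en/
+$(INSTALL) -c -m 644 doc/html/de/* $(DOC_DIR)/html/de/
+
+
+clean:
+$(MAKE) -C bin clean
+-rm -rf $(BUILD_DIR)
+-rm -f $(BUILD_DIR)-stamp
+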
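Review bot: The `install` target places `bin/cryptobox_root_wrapper` with `-m 4755`, so after a plain `make install` as root every local account can start the setuid wrapper; only the Debian postinst on this page narrows it to `4750` with group `$CRYPTOBOX_USER`. Install it restrictively here as well: mode `4750` together with `-g` set to the cryptobox group (a new Makefile variable), so the tighter setting does not depend on the packaging. Separately, `install` depends on `$(BUILD_DIR)-stamp`, but that file is only touched as a side effect of the phony `build` target, so `make install` on a clean tree has no rule to produce it; a real `$(BUILD_DIR)-stamp:` rule that `build` depends on would fix that.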
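--- a/bin/Makefile
+++ b/bin/Makefile
@@ -0,0 +1,37 @@
+# Makefile to compile the binary suid-wrapper for cryptobox
+#
+# LIB_DIR should be defined in the higher level Makefile
+#
+
+HEADER_FILE = cryptobox_wrapper.h
+SRC_FILE = cryptobox_wrapper.c
+CGI_SUID_FILE = cryptobox_cgi_wrapper
+ROOT_SUID_FILE = cryptobox_root_wrapper
+
+CGI_FILENAME = cryptobox.pl
+ROOT_SCRIPT_FILENAME = cbox-root-actions.sh
+# fall back to default, if not overwritten
+LIB_DIR = /usr/local/lib/cryptobox
+
+
+# _always_ recompile (in case of a changed LIB_DIR)
+.PHONY: build clean $(CGI_SUID_FILE) $(ROOT_SUID_FILE)
+
+build: $(CGI_SUID_FILE) $(ROOT_SUID_FILE)
+
+
+$(CGI_SUID_FILE): $(SRC_FILE)
+$(NOECHO) echo '#define EXEC_PATH "$(LIB_DIR)/$(CGI_FILENAME)"' >$(HEADER_FILE)
+$(CC) -o $(CGI_SUID_FILE) $(SRC_FILE)
+-rm $(HEADER_FILE)
+
+
+$(ROOT_SUID_FILE): $(SRC_FILE)
+$(NOECHO) echo '#define EXEC_PATH "$(LIB_DIR)/$(ROOT_SCRIPT_FILENAME)"' >$(HEADER_FILE)
+$(CC) -o $(ROOT_SUID_FILE) $(SRC_FILE)
+-rm $(HEADER_FILE)
+
+
+clean:
+-rm -f $(CGI_SUID_FILE) $(ROOT_SUID_FILE) $(HEADER_FILE)
+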
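Review bot: Both wrapper rules write and then delete the same `$(HEADER_FILE)`, so under `make -j` the two recipes can interleave and a wrapper may be compiled against the other rule's `EXEC_PATH`; for the setuid-root binary that means the exec target is not guaranteed to be `cbox-root-actions.sh`. Pass the path per rule on the compiler command line instead of through a shared file, e.g. `$(CC) $(CFLAGS) -DEXEC_PATH='"$(LIB_DIR)/$(ROOT_SCRIPT_FILENAME)"' -o $@ $(SRC_FILE)` (dropping the `#include "cryptobox_wrapper.h"` from the C file), or at least add `.NOTPARALLEL:`. `$(NOECHO)` is not defined in either Makefile shown on this page, so it expands to nothing; `@` is probably what was meant. A failed compile also leaves the generated header behind, because the `-rm` line is never reached.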
|
@ -26,6 +26,8 @@ EXEC_FIREWALL_RULES=0
|
|||
SKIP_NETWORK_CONFIG=1
|
||||
CONF_FILE=/etc/cryptobox/cryptobox.conf
|
||||
|
||||
LIB_DIR=$(dirname "$0")
|
||||
CONFIG_DIR=~/config
|
||||
|
||||
# read the default setting file, if it exists
|
||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||
|
@ -38,6 +40,9 @@ CONF_FILE=/etc/cryptobox/cryptobox.conf
|
|||
|
||||
## configuration
|
||||
CERT_TEMP=/tmp/stunnel.pem
|
||||
ROOT_PERM_SCRIPT=$(dirname "$0")/cryptobox_root_wrapper
|
||||
# ROOT_PERM_SCRIPT needs the MNT_PARENT setting
|
||||
export MNT_PARENT="$(cd ~; pwd)/mnt"
|
||||
|
||||
######## stuff ##########
|
||||
|
||||
|
@ -69,12 +74,12 @@ function config_set_value()
|
|||
# parameters: SettingName [SettingValue]
|
||||
# read from stdin if SettingValue is not defined
|
||||
{
|
||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw
|
||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config rw
|
||||
if [ $# -gt 1 ]
|
||||
then echo -n "$2" > "$CONFIG_DIR/$1"
|
||||
else cat - >"$CONFIG_DIR/$1"
|
||||
fi
|
||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro
|
||||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && "$ROOT_PERM_SCRIPT" remount_config ro
|
||||
}
|
||||
|
||||
|
||||
|
@ -115,10 +120,10 @@ function create_config()
|
|||
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
|
||||
then log_msg "Using static configuration ..."
|
||||
else log_msg "Creating config filesystem ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
|
||||
"$ROOT_PERM_SCRIPT" create_config "$device"
|
||||
log_msg "Mounting config partition ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
|
||||
sudo "$ROOT_PERM_SCRIPT" remount_config rw
|
||||
"$ROOT_PERM_SCRIPT" mount_config "$device"
|
||||
"$ROOT_PERM_SCRIPT" remount_config rw
|
||||
fi
|
||||
log_msg "Copying configuration defaults ..."
|
||||
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
|
||||
|
@ -154,11 +159,11 @@ function list_partitions_of_type()
|
|||
local plaindata=
|
||||
local unused=
|
||||
for a in $ALL_PARTITIONS
|
||||
do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
|
||||
do if "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
|
||||
then crypto="$crypto /dev/$a"
|
||||
elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
|
||||
elif "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
|
||||
then config="$config /dev/$a"
|
||||
elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
|
||||
elif "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
|
||||
then plaindata="$plaindata /dev/$a"
|
||||
else unused="$unused /dev/$a"
|
||||
fi
|
||||
|
@ -178,7 +183,7 @@ function list_partitions_of_type()
|
|||
function get_crypto_uuid()
|
||||
# Parameter: DEVICE
|
||||
{
|
||||
sudo "$ROOT_PERM_SCRIPT" get_device_name "$1"
|
||||
"$ROOT_PERM_SCRIPT" get_device_name "$1"
|
||||
}
|
||||
|
||||
|
||||
|
@ -216,7 +221,6 @@ function does_crypto_name_exist()
|
|||
function create_crypto()
|
||||
# Parameter: DEVICE NAME KEYFILE
|
||||
# keyfile is necessary, to allow background execution via 'at'
|
||||
# TODO: check if the keyfile is still necessary for sudo -b
|
||||
{
|
||||
local device=$1
|
||||
local name=$2
|
||||
|
@ -229,7 +233,7 @@ function create_crypto()
|
|||
rm "$keyfile"
|
||||
|
||||
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device"
|
||||
echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device"
|
||||
echo "$key" | "$ROOT_PERM_SCRIPT" create_crypto "$device"
|
||||
|
||||
set_crypto_name "$device" "$name"
|
||||
}
|
||||
|
@ -302,9 +306,9 @@ function load_config()
|
|||
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
|
||||
list_partitions_of_type config | while read part && [ "$status" = 0 ]
|
||||
do log_msg "Trying to load configuration from /dev/$part ..."
|
||||
if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
|
||||
if "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
|
||||
then log_msg "configuraton found on $part"
|
||||
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
|
||||
"$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
|
||||
status=1
|
||||
fi
|
||||
done
|
||||
|
@ -324,7 +328,7 @@ function unload_config()
|
|||
is_config_active || return
|
||||
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
|
||||
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
|
||||
then sudo "$ROOT_PERM_SCRIPT" umount_config
|
||||
then "$ROOT_PERM_SCRIPT" umount_config
|
||||
else true
|
||||
fi
|
||||
}
|
||||
|
@ -338,7 +342,7 @@ function mount_crypto()
|
|||
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
||||
# passphrase is read from stdin
|
||||
log_msg "Mounting a crypto partition from $device"
|
||||
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
|
||||
"$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
|
||||
}
|
||||
|
||||
|
||||
|
@ -347,7 +351,7 @@ function umount_crypto()
|
|||
{
|
||||
local device=$1
|
||||
local uuid=$(get_crypto_uuid $device)
|
||||
sudo "$ROOT_PERM_SCRIPT" umount "$uuid"
|
||||
"$ROOT_PERM_SCRIPT" umount "$uuid"
|
||||
}
|
||||
|
||||
|
||||
|
@ -358,7 +362,7 @@ function box_purge()
|
|||
# TODO: not ALL harddisks, please!
|
||||
get_available_disks | while read a
|
||||
do log_msg "Purging $a ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
|
||||
"$ROOT_PERM_SCRIPT" trash_device "$a"
|
||||
done
|
||||
}
|
||||
|
||||
|
@ -371,7 +375,7 @@ function init_cryptobox()
|
|||
turn_off_all_crypto
|
||||
unload_config || true
|
||||
log_msg "Partitioning the device ($device) ..."
|
||||
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
|
||||
"$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
|
||||
log_msg "Initializing config partition on ${device}1 ..."
|
||||
# TODO: this should not be hard-coded
|
||||
create_config "${device}1"
|
||||
|
@ -518,7 +522,7 @@ case "$ACTION" in
|
|||
# reconfigure the network interface to a new IP address
|
||||
# wait for 5 seconds to finish present http requests
|
||||
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
|
||||
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
|
||||
then echo -n "sleep 5; \"$ROOT_PERM_SCRIPT\" update_network" | at now
|
||||
fi
|
||||
;;
|
||||
get_available_disks )
|
||||
|
@ -537,7 +541,7 @@ case "$ACTION" in
|
|||
;;
|
||||
diskinfo )
|
||||
get_available_disks | while read a
|
||||
do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a"
|
||||
do "$ROOT_PERM_SCRIPT" diskinfo "$a"
|
||||
done
|
||||
;;
|
||||
box-purge )
|
||||
|
|
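Review bot: `export MNT_PARENT="$(cd ~; pwd)/mnt"` hands the mount parent to the privileged helper through the environment, and with `sudo` removed from every call nothing between this script and `cryptobox_root_wrapper` filters that environment (the wrapper added in this commit calls `execv()`, which passes it on unchanged). How cbox-root-actions.sh uses `MNT_PARENT` is not visible on this page, but a root-side script should take such a path from a root-owned source, for example `/etc/cryptobox/cryptobox.conf`, not from its caller. If the export stays, record the trust boundary next to it with a comment such as `# untrusted on the root side: cbox-root-actions.sh must validate MNT_PARENT`. The file header and most of the function bodies lie outside the hunks shown.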
|
@ -17,6 +17,13 @@ use strict;
|
|||
use CGI;
|
||||
use ClearSilver;
|
||||
use ConfigFile;
|
||||
use English;
|
||||
|
||||
# drop privileges
|
||||
$UID = $EUID;
|
||||
$GID = $EGID;
|
||||
|
||||
$ENV{'PATH'} = '/bin:/usr/bin';
|
||||
|
||||
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf';
|
||||
|
||||
|
@ -25,10 +32,14 @@ my $pagedata;
|
|||
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR);
|
||||
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL);
|
||||
|
||||
# get the directory of the cryptobox scripts/binaries and untaint it
|
||||
$CB_SCRIPT = $0;
|
||||
$CB_SCRIPT =~ m/^(.*)\/[^\/]*$/;
|
||||
$CB_SCRIPT = "$1/cbox-manage.sh";
|
||||
|
||||
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE);
|
||||
my $config = ConfigFile::read_config_file($CONFIG_FILE);
|
||||
|
||||
$CB_SCRIPT = $config->{CB_SCRIPT};
|
||||
$LOG_FILE = $config->{LOG_FILE};
|
||||
$LANGUAGE_DIR = $config->{LANGUAGE_DIR};
|
||||
$DEFAULT_LANGUAGE = $config->{LANGUAGE};
|
||||
|
@ -38,7 +49,9 @@ $IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
|
|||
$STYLESHEET_URL = $config->{STYLESHEET_URL};
|
||||
|
||||
# TODO: just a quick-and-dirty hack during migration to multiple containers
|
||||
my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`;
|
||||
my $CRYPTO_DEV = &get_available_disks();
|
||||
$CRYPTO_DEV =~ m/^([\w\/_\-\.]*)$/;
|
||||
$CRYPTO_DEV = "${1}2";
|
||||
|
||||
my $query = new CGI;
|
||||
|
||||
|
@ -96,7 +109,7 @@ sub load_selected_language
|
|||
$data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf");
|
||||
|
||||
# load configured language, if it is valid
|
||||
$config_language = `$CB_SCRIPT get_config language`;
|
||||
$config_language = &exec_cb_script("get_config","language");
|
||||
$config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language"));
|
||||
|
||||
# check for preferred browser language, if the box was not initialized yet
|
||||
|
@ -199,50 +212,72 @@ sub check_ssl
|
|||
# BEWARE: dirty trick - is there a better way?
|
||||
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
|
||||
# its own IP (localhost, of course)
|
||||
# TODO: this does not work with a native ssl webserver
|
||||
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
|
||||
}
|
||||
|
||||
|
||||
sub check_mounted
|
||||
{
|
||||
return (system("$CB_SCRIPT","is_crypto_mounted",$CRYPTO_DEV) == 0);
|
||||
return (system($CB_SCRIPT,"is_crypto_mounted",$CRYPTO_DEV) == 0);
|
||||
}
|
||||
|
||||
|
||||
sub check_config
|
||||
{
|
||||
return (system("$CB_SCRIPT","is_config_mounted",$CRYPTO_DEV) == 0);
|
||||
return (system($CB_SCRIPT,"is_config_mounted") == 0);
|
||||
}
|
||||
|
||||
|
||||
sub exec_cb_script {
|
||||
my (@params) = @_;
|
||||
my ($pid, @result);
|
||||
&fatal_error("unable to fork process") unless defined($pid = open(PROG_OUT, "-|"));
|
||||
if (!$pid) {
|
||||
# child
|
||||
exec($CB_SCRIPT, @params) or &fatal_error("failed to execute $CB_SCRIPT!");
|
||||
exit 0;
|
||||
} else {
|
||||
# parent
|
||||
@result = <PROG_OUT>;
|
||||
close PROG_OUT or warn "error while running $CB_SCRIPT: $?";
|
||||
}
|
||||
if (wantarray) {
|
||||
return @result;
|
||||
} else {
|
||||
return join('',@result);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
sub check_init_running
|
||||
{
|
||||
return (system("$CB_SCRIPT","is_init_running") == 0);
|
||||
return (system($CB_SCRIPT,"is_init_running") == 0);
|
||||
}
|
||||
|
||||
|
||||
sub is_harddisk_available
|
||||
{
|
||||
return (system("$CB_SCRIPT","is_harddisk_available") == 0);
|
||||
return (system($CB_SCRIPT,"is_harddisk_available") == 0);
|
||||
}
|
||||
|
||||
sub get_available_disks
|
||||
# TODO: this is useful for diskselection buttons
|
||||
{
|
||||
return `$CB_SCRIPT get_available_disks`;
|
||||
return &exec_cb_script("get_available_disks");
|
||||
}
|
||||
|
||||
sub get_current_ip
|
||||
# the IP of eth0 - not the configured value of the box (only for validation)
|
||||
{
|
||||
return `$CB_SCRIPT get_current_ip`;
|
||||
return &exec_cb_script("get_current_ip");
|
||||
}
|
||||
|
||||
|
||||
sub get_admin_pw
|
||||
# returns the current administration password - empty, if it is not used
|
||||
{
|
||||
return `$CB_SCRIPT get_config admin_pw`;
|
||||
return &exec_cb_script("get_config","admin_pw");
|
||||
}
|
||||
|
||||
|
||||
|
@ -275,7 +310,7 @@ sub mount_vol
|
|||
sub umount_vol
|
||||
{
|
||||
if (&check_mounted) {
|
||||
system("$CB_SCRIPT", "crypto-down",$CRYPTO_DEV);
|
||||
system($CB_SCRIPT, "crypto-down",$CRYPTO_DEV);
|
||||
} else {
|
||||
$pagedata->setValue('Data.Warning', 'NotMounted');
|
||||
}
|
||||
|
@ -286,7 +321,7 @@ sub box_init
|
|||
{
|
||||
my ($crypto_pw, $admin_pw) = @_;
|
||||
|
||||
system("$CB_SCRIPT", "init") || return 1;
|
||||
system($CB_SCRIPT, "init") || return 1;
|
||||
|
||||
# partitioning, config and initial cryptsetup
|
||||
# TODO: define the name of the crypto container
|
||||
|
@ -295,25 +330,26 @@ sub box_init
|
|||
close(PW_INPUT);
|
||||
|
||||
# set administration password
|
||||
system("$CB_SCRIPT", "set_config", "admin_pw", "$admin_pw");
|
||||
$admin_pw =~ m/^(.*)$/;
|
||||
system($CB_SCRIPT, "set_config", "admin_pw", $1);
|
||||
}
|
||||
|
||||
sub box_purge
|
||||
{
|
||||
system("$CB_SCRIPT", "box-purge");
|
||||
system($CB_SCRIPT, "box-purge");
|
||||
}
|
||||
|
||||
sub system_poweroff
|
||||
{
|
||||
&umount_vol() if (&check_mounted());
|
||||
system("$CB_SCRIPT", "poweroff");
|
||||
system($CB_SCRIPT, "poweroff");
|
||||
}
|
||||
|
||||
|
||||
sub system_reboot
|
||||
{
|
||||
&umount_vol() if (&check_mounted());
|
||||
system("$CB_SCRIPT", "reboot");
|
||||
system($CB_SCRIPT, "reboot");
|
||||
}
|
||||
|
||||
|
||||
|
@ -367,6 +403,7 @@ sub validate_doc_language
|
|||
|
||||
|
||||
$pagedata = load_hdf();
|
||||
my $current_admin_pw;
|
||||
|
||||
# BEWARE: there are two kinds of actions:
|
||||
# * some require a harddisk
|
||||
|
@ -522,7 +559,7 @@ if ( ! &check_ssl()) {
|
|||
}
|
||||
#################### init_do ########################
|
||||
} elsif ($action eq 'init_do') {
|
||||
my $current_admin_pw = &get_admin_pw;
|
||||
$current_admin_pw = &get_admin_pw;
|
||||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
|
||||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
|
||||
$pagedata->setValue('Data.Action', 'form_init');
|
||||
|
@ -566,7 +603,7 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Warning', 'NotInitialized');
|
||||
$pagedata->setValue('Data.Action', 'form_init');
|
||||
} else {
|
||||
my $current_admin_pw = &get_admin_pw;
|
||||
$current_admin_pw = &get_admin_pw;
|
||||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
|
||||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
|
||||
$pagedata->setValue('Data.Action', 'form_config');
|
||||
|
@ -580,16 +617,16 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
|
||||
$pagedata->setValue('Data.Action', 'form_config');
|
||||
} else {
|
||||
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
|
||||
system($CB_SCRIPT, "set_config", "language", $query->param('language'));
|
||||
&load_selected_language($pagedata);
|
||||
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
|
||||
system($CB_SCRIPT, "set_config", "timeout", $query->param('timeout'));
|
||||
# check, if the ip was reconfigured
|
||||
if ($query->param('ip') ne `$CB_SCRIPT get_config ip`)
|
||||
if ($query->param('ip') ne &exec_cb_script("get_config","ip"))
|
||||
{
|
||||
# set the new value
|
||||
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
|
||||
system($CB_SCRIPT, "set_config", "ip", $query->param('ip'));
|
||||
# reconfigure the network interface
|
||||
system("$CB_SCRIPT", "update_ip_address");
|
||||
system($CB_SCRIPT, "update_ip_address");
|
||||
# redirect to the new address
|
||||
$pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'});
|
||||
$pagedata->setValue('Data.Redirect.Delay', "5");
|
||||
|
@ -597,11 +634,11 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Warning', 'IPAddressChanged');
|
||||
}
|
||||
# check for success
|
||||
if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) {
|
||||
if (&exec_cb_script("get_config","timeout") ne $query->param('timeout')) {
|
||||
$pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed');
|
||||
} elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) {
|
||||
} elsif (&exec_cb_script("get_config","ip") ne $query->param('ip')) {
|
||||
$pagedata->setValue('Data.Warning', 'ConfigIPFailed');
|
||||
} elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) {
|
||||
} elsif (&exec_cb_script("get_config","language") ne $query->param('language')) {
|
||||
$pagedata->setValue('Data.Warning', 'ConfigLanguageFailed');
|
||||
} else {
|
||||
$pagedata->setValue('Data.Success', 'ConfigSaved');
|
||||
|
@ -630,7 +667,7 @@ if ( ! &check_ssl()) {
|
|||
# if we find an existing config partition, then check the adminpw
|
||||
} elsif ($action eq 'do_purge') {
|
||||
if ( &check_config()) {
|
||||
my $current_admin_pw = &get_admin_pw;
|
||||
$current_admin_pw = &get_admin_pw;
|
||||
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
|
||||
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
|
||||
$pagedata->setValue('Data.Action', 'form_config');
|
||||
|
@ -673,13 +710,13 @@ $pagedata->setValue('Data.Status.IP', "$output");
|
|||
$output = &get_admin_pw();
|
||||
$pagedata->setValue('Data.Config.AdminPasswordIsSet', 1) if ($output ne '');
|
||||
|
||||
$output = `$CB_SCRIPT diskinfo 2>&1 | sed 's#\$#<br/>#'`;
|
||||
$output = join ("<br/>", &exec_cb_script("diskinfo"));
|
||||
$pagedata->setValue('Data.PartitionInfo',"$output");
|
||||
|
||||
# preset config settings for clearsilver
|
||||
$pagedata->setValue('Data.Config.IP', `$CB_SCRIPT get_config ip`);
|
||||
$pagedata->setValue('Data.Config.TimeOut', `$CB_SCRIPT get_config timeout`);
|
||||
$pagedata->setValue('Data.Config.Language', `$CB_SCRIPT get_config language`);
|
||||
$pagedata->setValue('Data.Config.IP', &exec_cb_script("get_config","ip"));
|
||||
$pagedata->setValue('Data.Config.TimeOut', &exec_cb_script("get_config","timeout"));
|
||||
$pagedata->setValue('Data.Config.Language', &exec_cb_script("get_config","language"));
|
||||
|
||||
# read log and add html linebreaks
|
||||
$output = '';
|
||||
|
|
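Review bot: The untaint steps use `$1` without checking that the match succeeded: in `box_init`, `$admin_pw =~ m/^(.*)$/;` does not match a value with an embedded newline, and `system($CB_SCRIPT, "set_config", "admin_pw", $1)` then passes a stale or undefined capture as the new password. The same unchecked pattern is used for `$CB_SCRIPT` (derived from `$0`) and for `$CRYPTO_DEV` near the top of the file. Guard each one, e.g. `if ($admin_pw =~ m/\A([^\n]*)\z/) { system($CB_SCRIPT, "set_config", "admin_pw", $1); }` with an error path in the `else`. Note also that `(.*)` accepts any single-line value, so it switches taint checking off without validating anything. The comment `# drop privileges` above `$UID = $EUID; $GID = $EGID;` would be more accurate as `# make the effective (wrapper) ids the real ids as well`; `box_init` and several other subs start or end outside the hunks.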
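--- a/bin/cryptobox_wrapper.c
+++ b/bin/cryptobox_wrapper.c
@@ -0,0 +1,21 @@
+/* $Id$ */
+
+// define the location of your cryptobox.pl file in this header file
+#include "cryptobox_wrapper.h"
+
+#include <stdio.h>
+#include <unistd.h>
+
+/* C wrapper to allow cryptobox to run under a different uid */
+/* Copyright (C) 02006, senselab, All Rights Reserved */
+/* See the LICENSE file in this distribution for copyright information */
+
+int main(int argc, char *argv[]) {
+
+// necessary for mount action of the root-script
+setreuid(geteuid(), -1);
+
+argv[0] = EXEC_PATH;
+execv(EXEC_PATH, argv);
+
+}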
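Review bot: `main` ignores the results of both `setreuid()` and `execv()`: if the uid change fails the target is still executed, and if the exec fails the wrapper ends without an error message or a defined failure status. The fence below checks both and rejects an empty `argv`. The caller's environment also reaches `EXEC_PATH` unchanged; because this one source builds the CGI wrapper (which needs the CGI variables) and the root wrapper (which, per cbox-manage.sh, is handed `MNT_PARENT`), the root build should move to `execve()` with a short fixed variable list instead of inheriting everything.

```c
int main(int argc, char *argv[]) {

	if (argc < 1)
		return 1;

	// necessary for mount action of the root-script
	if (setreuid(geteuid(), -1) != 0) {
		perror("setreuid");
		return 1;
	}

	argv[0] = EXEC_PATH;
	execv(EXEC_PATH, argv);

	// only reached when execv() failed
	perror(EXEC_PATH);
	return 1;
}
```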
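--- a/bin/init-script.sh
+++ b/bin/init-script.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+#
+# runlevel script of the cryptobox package
+#
+# Copyright (c) 02006, senselab
+#
+# see LICENSE file in this package for details
+#
+
+# check if the cryptobox is installed
+[ -e "/usr/lib/cryptobox/cbox-manage.sh" ] || exit 0
+
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# startup switch defaults to zero (enabled)
+NO_START=${NO_START:-0}
+
+if [ "$NO_START" = "1" ]
+then [ $# -eq 0 ] && exit 0
+[ "$1" = "status" ] && exit 1
+[ "$1" = "stop" ] && exit 0
+echo "CryptoBox is disabled by default"
+exit 0
+fi
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
+
+# parse config file
+if [ -e "$CONF_FILE" ]
+then . "$CONF_FILE"
+else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
+exit 1
+fi
+
+case "$1" in
+start )
+# nothing to be done
+;;
+stop )
+# unmount all active containers
+ls ~$CRYPTOBOX_USER/mnt/ | while read mnt_dir
+do grep -q " ~$CRYPTOBOX_USER/mnt/$mnt_dir " /proc/mounts || continue
+"$LIB_DIR/cbox-manage.sh" crypto-down "$mnt_dir"
+done
+;;
+restart )
+"$0" stop
+"$0" start
+;
+* )
+echo "invalid action specified - try { start | stop | restart }" >&2
+exit 1
+;;
+esac
+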
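Review bot: In the `stop` branch `~$CRYPTOBOX_USER/mnt/` is never expanded to the user's home directory, because tilde expansion is applied before parameter expansion; `ls` and the `grep` on /proc/mounts therefore see a literal `~cryptobox/...` path and no encrypted container is unmounted at shutdown. The fence resolves the home directory with `getent` first and stops if the user is unknown. The `restart )` branch is closed with a single `;` where `;;` is required, which is a syntax error for the whole `case`. `LIB_DIR` is not set in this script or in the cryptobox.conf lines shown on this page, while the install check at the top hard-codes `/usr/lib/cryptobox`; one of the two should be used consistently.

```shell
	stop )
		# unmount all active containers
		cbox_home=$(getent passwd "$CRYPTOBOX_USER" | cut -d: -f6)
		[ -n "$cbox_home" ] || { echo "unknown user '$CRYPTOBOX_USER'" >&2; exit 1; }
		for mnt_path in "$cbox_home"/mnt/*
		  do	[ -d "$mnt_path" ] || continue
			grep -q " $mnt_path " /proc/mounts || continue
			"$LIB_DIR/cbox-manage.sh" crypto-down "${mnt_path##*/}"
		  done
		;;
	restart )
		"$0" stop
		"$0" start
		;;
	# … unchanged: default branch and esac …
```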
|
@ -4,7 +4,7 @@
|
|||
LANGUAGE=en
|
||||
NET_IFACE=eth0
|
||||
FILE_USER=cryptobox-data
|
||||
WEB_USER=www-data
|
||||
CRYPTOBOX_USER=cryptobox
|
||||
SCAN_DEVICES="sda"
|
||||
#SCAN_DEVICES="hda hdb hdc hdd hde hdf hdg scd sg sda sdb sdc sdd"
|
||||
|
||||
|
@ -20,19 +20,9 @@ STYLESHEET_URL=/cryptobox-misc/cryptobox.css
|
|||
LANGUAGE_DIR=/usr/share/cryptobox/lang
|
||||
DOC_DIR=/usr/share/doc/cryptobox/html
|
||||
CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults
|
||||
CONFIG_DIR=/var/lib/cryptobox/config
|
||||
MNT_PARENT=/var/lib/cryptobox/mnt
|
||||
|
||||
# some files
|
||||
CB_SCRIPT=/usr/lib/cryptobox/cbox-manage.sh
|
||||
ROOT_PERM_SCRIPT=/usr/lib/cryptobox/cbox-root-actions.sh
|
||||
DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh
|
||||
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh
|
||||
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
|
||||
LOG_FILE=/var/log/cryptobox.log
|
||||
CERT_FILE=/var/lib/cryptobox/config/stunnel.pem
|
||||
OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf
|
||||
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
|
||||
CONFIG_MARKER=cryptobox.marker
|
||||
|
||||
# crypto settings
|
||||
|
@ -45,12 +35,5 @@ SFDISK=/sbin/sfdisk
|
|||
MKFS_DATA=/sbin/mkfs.ext3
|
||||
MKFS_CONFIG=/sbin/mkfs.ext2
|
||||
CRYPTSETUP=/sbin/cryptsetup
|
||||
IPTABLES=/sbin/iptables
|
||||
IFCONFIG=/sbin/ifconfig
|
||||
|
||||
# firewall setings
|
||||
# do not use multiports (iptables) as the timeout-script depends on
|
||||
# single port rules
|
||||
# ssh is allowed too, but the server is not started automatically
|
||||
ALLOW_TCP_PORTS="22 80 139 443 445"
|
||||
ALLOW_UDP_PORTS="137 138"
|
||||
|
|
|
@ -10,17 +10,3 @@ NO_START=1
|
|||
# change the default configuration file if necessary
|
||||
#CONF_FILE=/etc/cryptobox/cryptobox.conf
|
||||
|
||||
# should the cryptobox skip the network interface configuration?
|
||||
# "0" means skip (default) --- "1" causes the cryptobox to configure it
|
||||
SKIP_NETWORK_CONFIG=1
|
||||
|
||||
# should the cryptobox set some firewall (iptables) rules?
|
||||
# if this is turned off, then you have to add the appropriate
|
||||
# rules manually (if you need the timeout feature of the cryptobox)
|
||||
# default is 0
|
||||
EXEC_FIREWALL_RULES=0
|
||||
|
||||
# use stunnel for https support?
|
||||
# default is 0
|
||||
USE_STUNNEL=0
|
||||
|
||||
|
|
4
debian/conffiles
vendored
4
debian/conffiles
vendored
|
@ -1,6 +1,2 @@
|
|||
/etc/cryptobox/cryptobox.conf
|
||||
/etc/cryptobox/ssl-cert.conf
|
||||
/etc/cryptobox/revision
|
||||
/etc/default/cryptobox
|
||||
/etc/cron.d/cryptobox
|
||||
/etc/init.d/cryptobox
|
||||
|
|
2
debian/control
vendored
2
debian/control
vendored
|
@ -2,7 +2,7 @@ Source: cryptobox
|
|||
Section: admin
|
||||
Priority: extra
|
||||
Maintainer: sense.lab <senselab@systemausfall.org>
|
||||
Build-Depends: debhelper (>>3.0.0), dpatch
|
||||
Build-Depends: debhelper (>>3.0.0), dpatch, gcc (>=2.95)
|
||||
Standards-Version: 3.6.2
|
||||
|
||||
Package: cryptobox
|
||||
|
|
4
debian/dirs
vendored
4
debian/dirs
vendored
|
@ -1,2 +1,4 @@
|
|||
etc/cryptobox
|
||||
usr/share/cryptobox
|
||||
etc/default
|
||||
etc/init.d
|
||||
usr/lib/cgi-bin
|
||||
|
|
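--- a/debian/links
+++ b/debian/links
@@ -0,0 +1 @@
+/usr/share/cryptobox/html /var/www/cryptobox-misc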
44
debian/postinst
vendored
44
debian/postinst
vendored
|
@ -7,30 +7,40 @@
|
|||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||
|
||||
# parse config file
|
||||
if [ -e "$CONF_FILE" ]
|
||||
if test -e "$CONF_FILE"
|
||||
then . "$CONF_FILE"
|
||||
# create mount and config directories with appropriate permissions
|
||||
[ ! -e "$MNT_PARENT" ] && mkdir -p "$MNT_PARENT"
|
||||
[ ! -e "$CONFIG_DIR" ] && mkdir -p "$CONFIG_DIR" && \
|
||||
chown "$WEB_USER" "$CONFIG_DIR" && chmod 700 "$CONFIG_DIR"
|
||||
[ ! -e "$LOG_FILE" ] && touch "$LOG_FILE" && chown "$WEB_USER" "$LOG_FILE"
|
||||
test ! -e "$LOG_FILE" && touch "$LOG_FILE" && chown "$CRYPTOBOX_USER" "$LOG_FILE"
|
||||
fi
|
||||
|
||||
if getent passwd "$CRYPTOBOX_USER" &>/dev/null
|
||||
then # do nothing - the user already exists
|
||||
true
|
||||
else # create cryptobox user
|
||||
echo "Creating new user '$CRYPTOBOX_USER' ..."
|
||||
USER_HOME=/var/lib/cryptobox
|
||||
adduser --system --group --home "$USER_HOME" cryptobox
|
||||
# add the user to the group "plugdev" (necessary for pmount)
|
||||
adduser cryptobox plugdev
|
||||
cp -r "$CONFIG_DEFAULTS_DIR" "$USER_HOME/config"
|
||||
mkdir "$USER_HOME/mnt"
|
||||
chown -R ${CRYPTOBOX_USER}: "$USER_HOME"
|
||||
# only members of the cryptobox group may access the user directory
|
||||
chmod 750 "$USER_HOME"
|
||||
# no one may look into the config directory (protect init passwords)
|
||||
chmod 700 "$USER_HOME/config"
|
||||
fi
|
||||
|
||||
# set permissions for suid wrappers
|
||||
chown root:$CRYPTOBOX_USER "/usr/lib/cryptobox/cryptobox_root_wrapper"
|
||||
chmod 4750 "/usr/lib/cryptobox/cryptobox_root_wrapper"
|
||||
chown $CRYPTOBOX_USER: "/usr/lib/cgi-bin/cryptobox"
|
||||
chmod 6755 "/usr/lib/cgi-bin/cryptobox"
|
||||
|
||||
# add the cryptobox startup script to /etc/rc?.d
|
||||
update-rc.d cryptobox defaults 98
|
||||
update-rc.d cryptobox defaults
|
||||
|
||||
invoke-rc.d cryptobox restart
|
||||
|
||||
if grep -q "cryptobox package.*HEADER" /etc/sudoers
|
||||
then true
|
||||
else echo "Adding a new (disabled) entry to /etc/sudoers"
|
||||
cat >>/etc/sudoers <<-EOF
|
||||
######### Automatically inserted by cryptobox package - do not remove - HEADER ######
|
||||
# read /usr/share/doc/cryptobox/SECURITY carefully before enabling the following line
|
||||
#www-data ALL=NOPASSWD:/usr/lib/cryptobox/cbox-root-actions.sh
|
||||
######### Automatically inserted by cryptobox package - do not remove - FOOTER ######
|
||||
EOF
|
||||
fi
|
||||
|
||||
true
|
||||
|
||||
|
|
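Review bot: The ownership block uses `$CRYPTOBOX_USER` unquoted and without checking that it is set: it only gets a value when `$CONF_FILE` exists and defines it, and with an empty value `chown $CRYPTOBOX_USER: "/usr/lib/cgi-bin/cryptobox"` changes nothing, after which `chmod 6755` makes the CGI wrapper setuid for whoever owns the file in the package (presumably root). Fail early instead, e.g. `: "${CRYPTOBOX_USER:?CRYPTOBOX_USER is not set in $CONF_FILE}"` before the `getent` test, and quote the later uses. The user-creation branch also hard-codes `cryptobox` in both `adduser` calls while testing and chowning with the variable, so a non-default name is never created. The script's first six lines, including the interpreter line, are outside the hunk.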
15
debian/postrm
vendored
15
debian/postrm
vendored
|
@ -3,16 +3,11 @@
|
|||
# remove symlinks in /etc/rc?.d
|
||||
[ "$1" = "purge" ] && update-rc.d cryptobox remove
|
||||
|
||||
if [ "$1" = "purge" ] && grep -q "cryptobox package.*HEADER" /etc/sudoers
|
||||
then echo "Removing entry from /etc/sudoers"
|
||||
sed -i "/cryptobox package.*HEADER/,/cryptobox package.*FOOTER/d" /etc/sudoers
|
||||
echo "Removing mount and config directories (/var/lib/cryptobox) ..."
|
||||
rmdir /var/lib/cryptobox/mnt || echo " mount directory not empty - skipped" >&2
|
||||
mountpoint -q /var/lib/cryptobox/config || rm -rf /var/lib/cryptobox/config || \
|
||||
echo " failed to remove config directory - skipped" >&2
|
||||
rmdir /var/lib/cryptobox || \
|
||||
echo " the cryptobox directory (/var/lib/cryptobox) has not been removed" >&2
|
||||
fi
|
||||
if test "$1" = "purge" && getent passwd cryptobox &>/dev/null \
|
||||
&& test "$(cd ~cryptobox;pwd)" = /var/lib/cryptobox
|
||||
then echo "Removing user 'cryptobox' ..."
|
||||
userdel -r cryptobox
|
||||
fi
|
||||
|
||||
# return without error
|
||||
true
|
||||
|
|
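Review bot: `getent passwd cryptobox &>/dev/null` relies on a bash-only redirection; if this maintainer script runs under a POSIX `/bin/sh` (the interpreter line is outside the hunk, and debian/prerm on this page uses `#!/bin/sh`), the `&` ends the list and runs it in the background, so the `"$1" = "purge"` and `getent` tests no longer gate the `then` branch and `userdel -r cryptobox` can run on a plain remove. Use the portable form `>/dev/null 2>&1` here and in the `getent passwd "$CRYPTOBOX_USER" &>/dev/null` test in debian/postinst.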
14
debian/prerm
vendored
14
debian/prerm
vendored
|
@ -1,5 +1,19 @@
|
|||
#!/bin/sh
|
||||
|
||||
# read the default setting file, if it exists
|
||||
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||
|
||||
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||
|
||||
# parse config file
|
||||
if test -e "$CONF_FILE"
|
||||
then . "$CONF_FILE"
|
||||
else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
invoke-rc.d cryptobox stop
|
||||
|
||||
true
|
||||
|
||||
|
|
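Review bot: The `else` branch of the config check exits with status 1 when `$CONF_FILE` is missing, which makes the prerm fail and blocks removal of the package on exactly the systems where the configuration is already gone. Nothing read from the file is used afterwards (the script only runs `invoke-rc.d cryptobox stop`), so the config block can be dropped, or the branch reduced to a warning without `exit 1`. Sourcing `/etc/default/cryptobox` and the conf file also executes their content as root during removal, which deserves a comment if the block stays.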
12
debian/rules
vendored
12
debian/rules
vendored
|
@ -15,6 +15,7 @@ export DH_COMPAT=4
|
|||
# necessary for dpatch
|
||||
.NOTPARALLEL:
|
||||
|
||||
DEB_BUILD_DIR=$(CURDIR)/debian/cryptobox
|
||||
|
||||
configure: configure-stamp
|
||||
configure-stamp: patch
|
||||
|
@ -27,7 +28,7 @@ build: build-stamp
|
|||
|
||||
build-stamp: configure-stamp
|
||||
dh_testdir
|
||||
# PUT SOMETHING HERE
|
||||
$(MAKE) build PREFIX=/usr
|
||||
touch build-stamp
|
||||
|
||||
clean: clean-patched unpatch
|
||||
|
@ -35,7 +36,7 @@ clean: clean-patched unpatch
|
|||
clean-patched:
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
# PUT SOMETHING HERE
|
||||
$(MAKE) clean
|
||||
rm -f build-stamp configure-stamp
|
||||
dh_clean
|
||||
|
||||
|
@ -53,8 +54,11 @@ install: build
|
|||
dh_testroot
|
||||
dh_clean -k
|
||||
dh_installdirs
|
||||
|
||||
# PUT SOMETHING HERE
|
||||
$(MAKE) install PREFIX=$(DEB_BUILD_DIR)/usr
|
||||
install -c -m 644 build_dir/etc/cryptobox.conf $(DEB_BUILD_DIR)/etc/cryptobox/
|
||||
install -c -m 644 conf-examples/defaults-cryptobox.conf $(DEB_BUILD_DIR)/etc/default/cryptobox
|
||||
install -c -m 755 bin/init-script.sh $(DEB_BUILD_DIR)/etc/init.d/cryptobox
|
||||
install -c -m 755 bin/cryptobox_cgi_wrapper $(DEB_BUILD_DIR)/usr/lib/cgi-bin/cryptobox
|
||||
|
||||
|
||||
# Build architecture-independent files here.
|
||||
|
|
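--- a/doc/changelog
+++ b/doc/changelog
@@ -0,0 +1,28 @@
+Version 0.3 - 01/??/02006
+* uses cryptsetup-luks instead of cryptsetup
+* bugfix: add /dev/hdd to device scan
+* support for usb, scsi and firewire cdrom drive
+* seperated cryptobox package
+
+Version 0.2.1 - 10/22/02005
+* fixed a critical bug in the initialisation process
+* default cipher changed to "aes-cbc-essiv:sha256" (more secure)
+* the boot menue (grub) is now protected
+* support for usb and firewire harddisks
+* new kernel: Linux 2.6.12.6
+* minor language improvements
+
+Version 0.2 - 10/04/02005
+* first public release
+* fully configurable via web interface
+* AES encryption via device-mapper
+* Samba v3.0.14a-3
+* Linux 2.6.11
+* based on Debian GNU/Linux 3.1
+* documentation languages:
+* English
+* German
+* interface languages:
+* English
+* German
+* Slovenian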
Binary file not shown.
BIN
doc/changelog.gz
BIN
doc/changelog.gz
Binary file not shown.