@ -17,8 +17,13 @@
set -eu
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE = ${ CONF_FILE :- /etc/cryptobox/cryptobox.conf }
# parse config file
. /etc/cryptobox/cryptobox.conf
. " $CONF_FILE "
## configuration
CERT_TEMP = /tmp/stunnel.pem
@ -54,10 +59,10 @@ function create_partitions()
{
# TODO: allow different layouts
# TODO: skip config partition if a configuration is already active
local device = " $1 "
local device = $1
# first partition size is 1 sector, second goes til end
# sfdisk -n doesn't actually write (for testing purpose)
echo -e "0,1,L \n,,L\n" | $SFDISK " $device "
echo -e "0,1,L \n,,L\n" | " $SFDISK " " $device "
}
@ -105,7 +110,7 @@ function config_get_value()
function create_config( )
# Parameter: device
{
local device = " $1 "
local device = $1
# create the new configuration filesystem if it is not static
if is_config_mounted
then log_msg "Using static configuration ..."
@ -228,6 +233,7 @@ function create_crypto()
$MKFS_DATA " $CRYPTMAPPER_DIR / $uuid " | tr '\0101' ' '
# set user for samba
# TODO: rename SAMBA_USER to something like FILE_USER
mkdir -p " $MNT_PARENT / $name "
mount " $CRYPTMAPPER_DIR / $uuid " " $MNT_PARENT / $name "
chown $SAMBA_USER " $MNT_PARENT / $name "
@ -301,7 +307,7 @@ function get_available_disks()
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ " $scan " = " $avail " ] && echo " $a "
do [ " $scan " = " $avail " ] && echo " /dev/ $a vail "
done
done
}
@ -319,10 +325,10 @@ function mount_config()
# modify all scan_devices to get regular expressions like "^hda[0-9]*$"
local scan_regex = $( echo "SCAN_DEVICES" | tr " " "\n" | sed 's/^/^/; s/$/[0-9]*$/' )
echo " $ALL_PARTITIONS " | grep " $scan_regex " | while read part
do log_msg " Trying to load configuration from $part ... "
if config_mount_test " $part "
do log_msg " Trying to load configuration from /dev/ $part ... "
if config_mount_test " /dev/ $part "
then log_msg " configuraton found on $part "
mount " $part " " $CONFIG_DIR "
mount " /dev/ $part " " $CONFIG_DIR "
# copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
cp " $CERT_FILE " " $CERT_TEMP "
@ -351,16 +357,17 @@ function mount_crypto()
local device = $1
[ -z " $device " ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_mounted " $device " && echo "The crypto filesystem is already active!" && return
local uuid = $( get_crypto_uuid $device )
local name = $( get_crypto_name $device )
local uuid = $( get_crypto_uuid " $device " )
local name = $( get_crypto_name " $device " )
# passphrase is read from stdin
log_msg " Mounting crypto partition $name ( $device ) "
$CRYPTSETUP luksOpen " $device " " $uuid "
[ -e " $MNT_PARENT / $name " ] || mkdir -p " $MNT_PARENT / $name "
if mount " $CRYPTMAPPER_DIR / $uuid " " $MNT_PARENT / $name "
then log_msg "Mount succeeded - now starting samba ..."
/etc/init.d/samba start
return 0
then true
# log_msg "Mount succeeded - now starting samba ..."
# /etc/init.d/samba start
return 0
else log_msg " Mount failed - removing the crypto device $uuid ... "
$CRYPTSETUP luksClose " $uuid "
return 1
@ -375,14 +382,14 @@ function umount_crypto()
# do not break on error
set +e
# TODO: do not stop samba - or do it just temporarily
if ps -e | grep -q " [sn]mbd $"
then log_msg "Stopping samba ..."
/etc/init.d/samba stop
ps -e | grep -q " smbd $ " && killall smbd
ps -e | grep -q " nmbd $ " && killall nmbd
ps -e | grep -q " smbd $ " && killall -9 smbd
ps -e | grep -q " nmbd $ " && killall -9 nmbd
fi
#if ps -e | grep -q " [sn]mbd$"
# then log_msg "Stopping samba ..."
# /etc/init.d/samba stop
# ps -e | grep -q " smbd$" && killall smbd
# ps -e | grep -q " nmbd$" && killall nmbd
# ps -e | grep -q " smbd$" && killall -9 smbd
# ps -e | grep -q " nmbd$" && killall -9 nmbd
# fi
local uuid = $( get_crypto_uuid $device )
local name = $( get_crypto_name $device )
if mountpoint -q " $MNT_PARENT / $name "
@ -439,46 +446,54 @@ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
ACTION = help
[ $# -gt 0 ] && ACTION = " $1 " && shift
[ $# -gt 0 ] && ACTION = $1 && shift
case " $ACTION " in
config-up )
if mount_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 3 "Could not find a configuration partition!"
else error_msg 0 "Could not find a configuration partition!"
fi
; ;
config-down )
umount_config || error_msg 4 "Could not unmount configuration partition"
; ;
network-up )
kudzu -s -q --class network
conf_ip = $( config_get_value "ip" )
log_msg " Configured $NET_IFACE for $conf_ip ... "
ifconfig $NET_IFACE " $conf_ip "
echo " Configured network interface for $NET_IFACE : $conf_ip "
log_msg "Starting the firewall ..."
" $FIREWALL_SCRIPT " start
# start stunnel
if [ -f " $CERT_FILE " ]
then USE_CERT = $CERT_FILE
else USE_CERT = $CERT_TEMP
$MAKE_CERT_SCRIPT " $CERT_TEMP " >>" $LOG_FILE " 2>& 1
if [ " ${ SKIP_NETWORK_CONFIG :- 1 } " != 1 ]
then conf_ip = $( config_get_value "ip" )
log_msg " Configuring $NET_IFACE for $conf_ip ... "
echo " Configuring network interface for $NET_IFACE : $conf_ip "
ifconfig $NET_IFACE " $conf_ip "
fi
if [ " ${ EXEC_FIREWALL_RULES :- 0 } " = 1 ]
then log_msg "Starting the firewall ..."
" $FIREWALL_SCRIPT " start
fi
if [ " ${ USE_STUNNEL :- 0 } " = 1 ]
then # start stunnel
if [ -f " $CERT_FILE " ]
then USE_CERT = $CERT_FILE
else USE_CERT = $CERT_TEMP
$MAKE_CERT_SCRIPT " $CERT_TEMP " >>" $LOG_FILE " 2>& 1
fi
log_msg "Starting stunnel ..."
stunnel -p " $USE_CERT " -r localhost:80 -d 443 \
|| echo " $USE_CERT not found - not starting stunnel "
fi
log_msg "Starting stunnel ..."
stunnel -p " $USE_CERT " -r localhost:80 -d 443 \
|| echo " $USE_CERT not found - not starting stunnel "
# this ping allows other hosts to get the IP of
# the box, in case of misconfiguration
ping -b -c 1 $( ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) & >/dev/null
; ;
network-down )
log_msg "Stopping the firewall ..."
" $FIREWALL_SCRIPT " stop
log_msg "Stopping stunnel ..."
killall stunnel
log_msg "Shutting the network interface down ..."
ifconfig " $NET_IFACE " down
if [ " ${ EXEC_FIREWALL_RULES :- 0 } " = 1 ]
then log_msg "Stopping the firewall ..."
" $FIREWALL_SCRIPT " stop
fi
if [ " ${ USE_STUNNEL :- 0 } " = 1 ]
then log_msg "Stopping stunnel ..."
killall stunnel
fi
if [ " ${ SKIP_NETWORK_CONFIG :- 1 } " != 1 ]
then log_msg "Shutting the network interface down ..."
ifconfig " $NET_IFACE " down
fi
; ;
services-up )
# the mount point has to be writeable
@ -487,8 +502,9 @@ case "$ACTION" in
; ;
services-down )
umount " $MNT_PARENT "
/etc/init.d/samba stop || true
/etc/init.d/thttpd stop || true
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
; ;
crypto-up )
@ -496,7 +512,7 @@ case "$ACTION" in
mount_crypto " $1 "
; ;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto- up '"
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto- down '"
umount_crypto " $1 "
; ;
init )
@ -543,7 +559,9 @@ case "$ACTION" in
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
echo -n " sleep 5; ifconfig $NET_IFACE `config_get_value ip` " | at now
if [ " ${ SKIP_NETWORK_CONFIG :- 1 } " != 1 ]
then echo -n " sleep 5; ifconfig $NET_IFACE $( config_get_value ip) " | at now
fi
; ;
get_available_disks )
get_available_disks
@ -561,7 +579,7 @@ case "$ACTION" in
; ;
diskinfo )
get_available_disks | while read a
do $SFDISK -L -q -l " $a "
do " $SFDISK " -L -q -l " $a "
done
; ;
box-purge )
@ -588,8 +606,8 @@ case "$ACTION" in
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo " crypto-up - mount crypto partition and start samba "
echo " crypto-down - unmount crypto partition and stop samba "
echo " crypto-up - mount crypto partition "
echo " crypto-down - unmount crypto partition "
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"