diff --git a/cbox-tree.d/etc/default/cryptobox b/cbox-tree.d/etc/default/cryptobox index 01b7b9d..49dc265 100644 --- a/cbox-tree.d/etc/default/cryptobox +++ b/cbox-tree.d/etc/default/cryptobox @@ -2,9 +2,25 @@ # # $Id$ # +# the default setup of the cryptobox is complete inactivity # set to "1" to turn off the cryptobox - otherwise "0" -NO_START=0 +NO_START=1 # change the default configuration file if necessary #CONF_FILE=/etc/cryptobox/cryptobox.conf + +# should the cryptobox skip the network interface configuration? +# "0" means skip (default) --- "1" causes the cryptobox to configure it +SKIP_NETWORK_CONFIG=1 + +# should the cryptobox set some firewall (iptables) rules? +# if this is turned off, then you have to add the appropriate +# rules manually (if you need the timeout feature of the cryptobox) +# default is 0 +EXEC_FIREWALL_RULES=0 + +# use stunnel for https support? +# default is 0 +USE_STUNNEL=0 + diff --git a/cbox-tree.d/etc/init.d/cryptobox b/cbox-tree.d/etc/init.d/cryptobox index c411cae..dde464b 100755 --- a/cbox-tree.d/etc/init.d/cryptobox +++ b/cbox-tree.d/etc/init.d/cryptobox @@ -13,7 +13,13 @@ set -eu # startup switch defaults to zero (enabled) NO_START=${NO_START:-0} # check startup switch -[ "$NO_START" = "1" ] && echo "CryptoBox is disabled" && exit 0 +if [ "$NO_START" = "1" ] + then [ $# -eq 0 ] && exit 0 + [ "$1" = "status" ] && exit 1 + [ "$1" = "stop" ] && exit 0 + echo "CryptoBox is disabled" + exit 0 + fi # stop-on-errors set -eu @@ -23,9 +29,9 @@ CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file if [ -e "$CONF_FILE" ] - then echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2 + then . "$CONF_FILE" + else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2 exit 1 - else . "$CONF_FILE" fi case "$1" in diff --git a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh index 2adfd39..ca106ec 100755 
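Review bot: The comment added above `SKIP_NETWORK_CONFIG=1` says `"0" means skip (default)`, but the shipped value is 1, and cbox-manage.sh in this same commit configures the interface only when `"${SKIP_NETWORK_CONFIG:-1}" != 1`, so 1 is the value that skips. An administrator who follows the comment gets the opposite of what they set, on a box whose interface state depends on this switch. I would reword it to `# "1" means skip (default) --- "0" causes the cryptobox to configure it`.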
--- a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh +++ b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh @@ -17,8 +17,13 @@ set -eu +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" ## configuration CERT_TEMP=/tmp/stunnel.pem @@ -54,10 +59,10 @@ function create_partitions() { # TODO: allow different layouts # TODO: skip config partition if a configuration is already active - local device="$1" + local device=$1 # first partition size is 1 sector, second goes til end # sfdisk -n doesn't actually write (for testing purpose) - echo -e "0,1,L \n,,L\n" | $SFDISK "$device" + echo -e "0,1,L \n,,L\n" | "$SFDISK" "$device" } @@ -105,7 +110,7 @@ function config_get_value() function create_config() # Parameter: device { - local device="$1" + local device=$1 # create the new configuration filesystem if it is not static if is_config_mounted then log_msg "Using static configuration ..." @@ -228,6 +233,7 @@ function create_crypto() $MKFS_DATA "$CRYPTMAPPER_DIR/$uuid" | tr '\0101' ' ' # set user for samba + # TODO: rename SAMBA_USER to something like FILE_USER mkdir -p "$MNT_PARENT/$name" mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name" chown $SAMBA_USER "$MNT_PARENT/$name" @@ -301,7 +307,7 @@ function get_available_disks() { for scan in $SCAN_DEVICES do for avail in $ALL_PARTITIONS - do [ "$scan" = "$avail" ] && echo "$a" + do [ "$scan" = "$avail" ] && echo "/dev/$avail" done done } 
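Review bot: `. "$CONF_FILE"` is reached without the existence test that etc/init.d/cryptobox applies to the same variable, so a wrong path in /etc/default/cryptobox ends the script under `set -eu` with only the shell's own error. I would guard it the way the init script does, `[ -r "$CONF_FILE" ] || { echo "$(basename "$0"): configuration file ($CONF_FILE) not found" >&2; exit 1; }`. Both files are executed as shell code, presumably by root, so they should stay writable by root only; a one-line comment saying so above the two `.` lines would help whoever packages them. The same preamble is added verbatim to check_smb_idle.sh, configure-cryptobox.sh, devel-features.sh, firewall.sh and make_stunnel_cert.sh, where the same applies (firewall.sh runs with `set -u` only, so a failed source there would not necessarily stop the script).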
@@ -319,10 +325,10 @@ function mount_config() # modify all scan_devices to get regular expressions like "^hda[0-9]*$" local scan_regex=$(echo "SCAN_DEVICES" | tr " " "\n" | sed 's/^/^/; s/$/[0-9]*$/') echo "$ALL_PARTITIONS" | grep "$scan_regex" | while read part - do log_msg "Trying to load configuration from $part ..." - if config_mount_test "$part" + do log_msg "Trying to load configuration from /dev/$part ..." + if config_mount_test "/dev/$part" then log_msg "configuraton found on $part" - mount "$part" "$CONFIG_DIR" + mount "/dev/$part" "$CONFIG_DIR" # copy certificate to /tmp in case of re-initialization # /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d) cp "$CERT_FILE" "$CERT_TEMP" @@ -351,16 +357,17 @@ function mount_crypto() local device=$1 [ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1 is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return - local uuid=$(get_crypto_uuid $device) - local name=$(get_crypto_name $device) + local uuid=$(get_crypto_uuid "$device") + local name=$(get_crypto_name "$device") # passphrase is read from stdin log_msg "Mounting crypto partition $name ($device)" $CRYPTSETUP luksOpen "$device" "$uuid" [ -e "$MNT_PARENT/$name" ] || mkdir -p "$MNT_PARENT/$name" if mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name" - then log_msg "Mount succeeded - now starting samba ..." - /etc/init.d/samba start - return 0 + then true + # log_msg "Mount succeeded - now starting samba ..." + # /etc/init.d/samba start + return 0 else log_msg "Mount failed - removing the crypto device $uuid ..." $CRYPTSETUP luksClose "$uuid" return 1 
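Review bot: The `scan_regex` line in this hunk pipes the literal string `"SCAN_DEVICES"` through tr and sed, not the variable, so the pattern becomes `^SCAN_DEVICES[0-9]*$` and the grep over `$ALL_PARTITIONS` will presumably never select a partition; the new `/dev/$part` lines are then never reached. It should read `echo "$SCAN_DEVICES"`. While touching the loop, `while read -r part` would keep backslashes intact, and the log line `configuraton found on $part` could use the same `/dev/$part` form as the lines around it. mount_config starts and ends outside the hunk.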
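Review bot: `local uuid=$(get_crypto_uuid "$device")` hides a failing helper, because the status of `local` replaces that of the command substitution and `set -e` never sees it; an empty `uuid` would then be handed to `luksOpen` and used in the mapper path. Declaring first and assigning afterwards keeps the check: `local uuid name`, then `uuid=$(get_crypto_uuid "$device") || return 1` and the same for `name`. The matching two lines in umount_crypto (next hunk) still pass `$device` unquoted and could be brought in line. The `then true` branch now carries two commented-out samba lines that could simply be deleted, leaving `then return 0`.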
@@ -375,14 +382,14 @@ function umount_crypto() # do not break on error set +e # TODO: do not stop samba - or do it just temporarily - if ps -e | grep -q " [sn]mbd$" - then log_msg "Stopping samba ..." - /etc/init.d/samba stop - ps -e | grep -q " smbd$" && killall smbd - ps -e | grep -q " nmbd$" && killall nmbd - ps -e | grep -q " smbd$" && killall -9 smbd - ps -e | grep -q " nmbd$" && killall -9 nmbd - fi + #if ps -e | grep -q " [sn]mbd$" + # then log_msg "Stopping samba ..." + # /etc/init.d/samba stop + # ps -e | grep -q " smbd$" && killall smbd + # ps -e | grep -q " nmbd$" && killall nmbd + # ps -e | grep -q " smbd$" && killall -9 smbd + # ps -e | grep -q " nmbd$" && killall -9 nmbd + # fi local uuid=$(get_crypto_uuid $device) local name=$(get_crypto_name $device) if mountpoint -q "$MNT_PARENT/$name" 
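Review bot: With the samba shutdown commented out, nothing in this function closes files that smbd may still hold on the volume, so the `umount` that follows can fail as busy and the LUKS mapping may stay open after `crypto-down`. The remainder of umount_crypto is outside the hunk, so whether that case is detected and reported cannot be seen here; since `set +e` is in effect at this point, the failure would not stop the script by itself. I would delete the commented block and leave a short note in its place, for example `# samba is no longer stopped here - umount fails while clients hold files open, and the caller must see that failure`.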
@@ -439,46 +446,54 @@ export PATH=/usr/sbin:/usr/bin:/sbin:/bin ACTION=help -[ $# -gt 0 ] && ACTION="$1" && shift +[ $# -gt 0 ] && ACTION=$1 && shift case "$ACTION" in config-up ) if mount_config then echo "Cryptobox configuration successfully loaded" - else error_msg 3 "Could not find a configuration partition!" + else error_msg 0 "Could not find a configuration partition!" fi ;; config-down ) umount_config || error_msg 4 "Could not unmount configuration partition" ;; network-up ) - kudzu -s -q --class network - conf_ip=$(config_get_value "ip") - log_msg "Configured $NET_IFACE for $conf_ip ..." - ifconfig $NET_IFACE "$conf_ip" - echo "Configured network interface for $NET_IFACE: $conf_ip" - log_msg "Starting the firewall ..." - "$FIREWALL_SCRIPT" start - # start stunnel - if [ -f "$CERT_FILE" ] - then USE_CERT=$CERT_FILE - else USE_CERT=$CERT_TEMP - $MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1 + if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ] + then conf_ip=$(config_get_value "ip") + log_msg "Configuring $NET_IFACE for $conf_ip ..." + echo "Configuring network interface for $NET_IFACE: $conf_ip" + ifconfig $NET_IFACE "$conf_ip" + fi + if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ] + then log_msg "Starting the firewall ..." + "$FIREWALL_SCRIPT" start + fi + if [ "${USE_STUNNEL:-0}" = 1 ] + then # start stunnel + if [ -f "$CERT_FILE" ] + then USE_CERT=$CERT_FILE + else USE_CERT=$CERT_TEMP + $MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1 + fi + log_msg "Starting stunnel ..." + stunnel -p "$USE_CERT" -r localhost:80 -d 443 \ + || echo "$USE_CERT not found - not starting stunnel" fi - log_msg "Starting stunnel ..." - stunnel -p "$USE_CERT" -r localhost:80 -d 443 \ - || echo "$USE_CERT not found - not starting stunnel" - # this ping allows other hosts to get the IP of - # the box, in case of misconfiguration - ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null ;; network-down ) - log_msg "Stopping the firewall ..." 
- "$FIREWALL_SCRIPT" stop - log_msg "Stopping stunnel ..." - killall stunnel - log_msg "Shutting the network interface down ..." - ifconfig "$NET_IFACE" down + if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ] + then log_msg "Stopping the firewall ..." + "$FIREWALL_SCRIPT" stop + fi + if [ "${USE_STUNNEL:-0}" = 1 ] + then log_msg "Stopping stunnel ..." + killall stunnel + fi + if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ] + then log_msg "Shutting the network interface down ..." + ifconfig "$NET_IFACE" down + fi ;; services-up ) # the mount point has to be writeable @@ -487,8 +502,9 @@ case "$ACTION" in ;; services-down ) umount "$MNT_PARENT" - /etc/init.d/samba stop || true - /etc/init.d/thttpd stop || true + # TODO: we should not depend on samba and thttpd + # /etc/init.d/samba stop || true + # /etc/init.d/thttpd stop || true true ;; crypto-up ) @@ -496,7 +512,7 @@ case "$ACTION" in mount_crypto "$1" ;; crypto-down ) - [ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'" + [ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'" umount_crypto "$1" ;; init ) @@ -543,7 +559,9 @@ case "$ACTION" in update_ip_address ) # reconfigure the network interface to a new IP address # wait for 5 seconds to finish present http requests - echo -n "sleep 5; ifconfig $NET_IFACE `config_get_value ip`" | at now + if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ] + then echo -n "sleep 5; ifconfig $NET_IFACE $(config_get_value ip)" | at now + fi ;; get_available_disks ) get_available_disks @@ -561,7 +579,7 @@ case "$ACTION" in ;; diskinfo ) get_available_disks | while read a - do $SFDISK -L -q -l "$a" + do "$SFDISK" -L -q -l "$a" done ;; box-purge ) 
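Review bot: In `network-down`, `killall stunnel` returns non-zero when no stunnel process exists, and with `set -eu` active the script stops there, before `ifconfig "$NET_IFACE" down` is reached. That case is expected, since the `network-up` branch explicitly tolerates stunnel failing to start. `killall stunnel || true` (or a log_msg in the `||` branch) keeps the shutdown going so the interface is always taken down. In `network-up`, `ifconfig $NET_IFACE "$conf_ip"` should quote `"$NET_IFACE"` as the `network-down` branch does.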
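Review bot: The corrected message is still passed to `error_msg` without the numeric first argument that the other calls in this diff give it (`error_msg 0 "…"`, `error_msg 4 "…"`), and execution continues to `umount_crypto "$1"` afterwards. The `error_msg 4 … && return 1` line in mount_crypto suggests error_msg returns rather than exits, so a wrong argument count is reported and then ignored, or ends in an unbound `$1` under `set -u`. I would pass a code and stop: `[ $# -ne 1 ] && error_msg <code> "invalid number of parameters for 'crypto-down'" && exit 1`, with `<code>` standing for whichever value error_msg expects here. The `crypto-up` check just above the hunk likely needs the same.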
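Review bot: The job handed to `at` is a shell command line built by pasting `$NET_IFACE` and the stored `ip` value into a string, so anything other than an address in that setting is interpreted by the shell that `at` starts. If the value can be changed through the box's configuration interface, it should be checked before use, e.g. `new_ip=$(config_get_value ip)` followed by `case "$new_ip" in ''|*[!0-9.]*) echo "invalid ip setting" >&2; exit 1;; esac`, and only then written into the job. The same check would suit the `network-up` branch, which passes the value to ifconfig.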
@@ -588,8 +606,8 @@ case "$ACTION" in echo " network-down - disable network interface" echo " services-up - run some cryptobox specific daemons" echo " services-down - stop some cryptobox specific daemons" - echo " crypto-up - mount crypto partition and start samba" - echo " crypto-down - unmount crypto partition and stop samba" + echo " crypto-up - mount crypto partition" + echo " crypto-down - unmount crypto partition" echo " box-init - initialize cryptobox (ALL data is LOST)" echo " box-init-fg - the first part of initialization" echo " box-init-bg - the last part of initialization (background)" diff --git a/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh index 5712ccc..fa3583d 100755 --- a/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh +++ b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh @@ -27,8 +27,13 @@ set -eu +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" ############# some functions ################## diff --git a/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh b/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh index cd4cc5e..34a2036 100755 --- a/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh +++ b/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh @@ -17,8 +17,13 @@ set -eu +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" RUNTIMEDIR=/opt/dfsruntime/runtimerd TUNDEV=$RUNTIMEDIR/dev/net/tun 
@@ -37,6 +42,12 @@ SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate" function configure_normal() # the usual stuff - not optimized for security { + ##### cryptobox settings ###### + sed -i '/^NO_START=.*$/NO_START=0/' + sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/' + sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/' + sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/' + ########### boot up ########### # turn off creation of "/etc/nologin" (read-only fs) sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS diff --git a/cbox-tree.d/usr/lib/cryptobox/devel-features.sh b/cbox-tree.d/usr/lib/cryptobox/devel-features.sh index 0c86c02..f1117a7 100755 --- a/cbox-tree.d/usr/lib/cryptobox/devel-features.sh +++ b/cbox-tree.d/usr/lib/cryptobox/devel-features.sh @@ -17,8 +17,13 @@ set -eu +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" MIRROR_DIR=/tmp/mirror MIRROR_ORIG_DIR=/tmp/mirror.orig diff --git a/cbox-tree.d/usr/lib/cryptobox/firewall.sh b/cbox-tree.d/usr/lib/cryptobox/firewall.sh index 5509dba..1edb172 100755 --- a/cbox-tree.d/usr/lib/cryptobox/firewall.sh +++ b/cbox-tree.d/usr/lib/cryptobox/firewall.sh @@ -15,8 +15,13 @@ set -u +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" ACTION="help" diff --git a/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh b/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh index 8972475..138cde7 100755 --- a/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh 
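Review bot: The four `sed -i` lines added to configure_normal cannot work as written: the expression has no `s` command (`/^NO_START=.*$/NO_START=0/` is parsed as an address followed by `N` and trailing text) and no file is named. Under `set -eu` the first of them would abort the function, so either the image configuration stops here or NO_START, SKIP_NETWORK_CONFIG, EXEC_FIREWALL_RULES and USE_STUNNEL keep their inactive defaults. Following the DELAYLOGIN line just below, each should have the form `sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox`, assuming /etc/default/cryptobox is the file meant. configure_normal continues past the end of the hunk.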
+++ b/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh @@ -17,11 +17,16 @@ set -eu +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file -. /etc/cryptobox/cryptobox.conf +. "$CONF_FILE" -## vcert values are in openssl.conf +# vcert values are in OPENSSL_CONF_FILE CERTFILE="$1" TMP_FILE=/tmp/cryptobox-cert.tmp diff --git a/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz b/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz index b072e75..93d334e 100644 Binary files a/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz and b/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz differ diff --git a/etc-defaults.d/cbox-dev.conf b/etc-defaults.d/cbox-dev.conf index f4e0252..950ef9a 100644 --- a/etc-defaults.d/cbox-dev.conf +++ b/etc-defaults.d/cbox-dev.conf @@ -11,23 +11,26 @@ BUILD_DIR="$ROOT_DIR/_builddir" # the cryptobox development files -TEMPLATE_DIR="$ROOT_DIR/live-cd-tree.d" +CBOX_DEVEL_DIR=$ROOT_DIR/cbox-tree.d + +# template for live-cd +TEMPLATE_DIR=$ROOT_DIR/live-cd-tree.d # the iso image -IMAGE_FILE="$BUILD_DIR/cryptobox.iso" +IMAGE_FILE=$BUILD_DIR/cryptobox.iso # temporary directory -TMP_DIR="/tmp/`basename $0`-$$" +TMP_DIR=/tmp/$(basename $0)-$$ # the virtual harddisk image used for qemu -HD_IMAGE="/tmp/`basename $0`-testplatte.img" +HD_IMAGE=/tmp/$(basename $0)-testplatte.img # mkisofs options (the option "-U" is not clean, but it prevents long # filenames from getting mapped) MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R" # for burning a CD -CDWRITER="0,0,0" +CDWRITER=0,0,0 ####################### validation ######################## diff --git a/etc-defaults.d/dfs-cbox.conf b/etc-defaults.d/dfs-cbox.conf index 0c4d6e8..c84f4e4 100644 --- a/etc-defaults.d/dfs-cbox.conf 
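Review bot: `TMP_FILE=/tmp/cryptobox-cert.tmp` remains a fixed name in a world-writable directory in a script that, judging by its name and the `stunnel -p` call in cbox-manage.sh, produces certificate and key material; a fixed path can be created or linked in advance by another local user. How TMP_FILE is used lies outside the hunk, but `TMP_FILE=$(mktemp /tmp/cryptobox-cert.XXXXXX)` with `trap 'rm -f "$TMP_FILE"' EXIT` removes the concern either way. The same fixed-name pattern appears in `CERT_TEMP=/tmp/stunnel.pem` (cbox-manage.sh) and in the `TMP_DIR` and `HD_IMAGE` lines rewritten in etc-defaults.d/cbox-dev.conf in the next hunk, where `$$` alone does not make the name unpredictable.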
+++ b/etc-defaults.d/dfs-cbox.conf @@ -126,7 +126,7 @@ ramdisk_files = /etc/resolv.conf /var/spool/cron # Directories to create on live fs -makedirs = /root/.elinks +makedirs = # Files to delete from live fs deletefiles = /etc/rcS.d/*discover @@ -145,18 +145,19 @@ deletefiles = /etc/rcS.d/*discover #modules = /lib/modules/2.4.27-2-386 # Debs from local fs to unpack on live FS (will not be configured) -# cryptsetup-luks can not be install regurlarly, because of a weird dpkg error -# ("statusoverride ... Debian-exim" - this can probably be fixed, by adding the group -# Debian-exim to the host system) +# cryptsetup-luks and perl-clearsilver can not be installed regurlarly, because of a weird +# dpkg error ("statusoverride ... Debian-exim" - this can probably be fixed, by adding +# the group Debian-exim to the host system) unpackdebs = packages/kernel-image-2.6.12.6_cryptobox0.3_i386.deb packages/cryptsetup-luks_1.0.1-3_i386.deb + packages/perl-clearsilver_0.9.13-3.2_all.deb + packages/cryptobox_0.3.0-1_all.deb # Other packages to install besides the list in DEFAULT packages = %(allpackages)s # Debs from local fs to isntall on live fs -installdebs = packages/cryptobox_0.3.0-1_all.deb - packages/perl-clearsilver_0.9.13-3.2_all.deb +#installdebs = # Bootloader (see options under default) bootloader = grub-no-emul diff --git a/scripts/cbox-build.sh b/scripts/cbox-build.sh index 0fb2093..bbb8304 100755 --- a/scripts/cbox-build.sh +++ b/scripts/cbox-build.sh @@ -50,7 +50,10 @@ DFS_CONFIG=$(get_config_file dfs-cbox.conf) function run_dfsbuild() { [ ! -e "$BUILD_DIR" ] && mkdir -p "$BUILD_DIR" && echo "das BuildDir ($BUILD_DIR) wurde angelegt ..." - dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR" + LANG=C dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR/" + + # finish package installation + echo "dpkg --configure --prending" | chroot_image # remove iso image of dfsbuild - it is not necessary [ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso" 
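Review bot: `dpkg --configure --prending` is misspelled; the option is `--pending`, so dpkg rejects the command and the packages moved to `unpackdebs` in dfs-cbox.conf (cryptobox, perl-clearsilver) stay unpacked but unconfigured. The line should be `echo "dpkg --configure --pending" | chroot_image`. Because the command is fed to a shell on stdin and chroot_image does not hand the result back, the build carries on without noticing, so checking the status at this call would be worth adding. run_dfsbuild continues past the end of the hunk.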
@@ -97,11 +100,11 @@ function configure_cb() exit 1 fi -echo "Copying files to the box ..." + echo "Copying files to the box ..." svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR" echo "Configuring the cryptobox ..." - chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh normal + echo "/usr/lib/cryptobox/configure-cryptobox.sh normal" | chroot_image # source local configure scripts [ -d "$CUSTOM_CONFIGURE_DIR" ] && \ @@ -144,6 +147,15 @@ while [ $# -gt 0 ] # check if we are in ROOT_DIR - otherwise we will have problems with # relative paths in dfs-box.conf [ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!" + # check for cdebootstrap version (there are problems after 0.3.4) + cde_version=$(cdebootstrap --version | head -1 | sed 's/[^0-9]//g') + if [ "$cde_version" -gt 034 ] + then echo "BEWARE: There have been problems with cdebootstrap after v0.3.4." >&2 + echo " Maybe you should consider downgrading cdebootstrap to sarge/stable," >&2 + echo " if you experience problems with dfsbuild." >&2 + echo "Press return key to continue ..." + read + fi run_dfsbuild ;; config ) @@ -156,7 +168,7 @@ while [ $# -gt 0 ] create_compressed_iso ;; harden ) - chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh secure + echo "/usr/lib/cryptobox/configure-cryptobox.sh secure" | chroot_image ;; burn ) blanknburn_cdrw diff --git a/scripts/cbox-dev.sh b/scripts/cbox-dev.sh index f275d28..c903fa0 100755 --- a/scripts/cbox-dev.sh +++ b/scripts/cbox-dev.sh 
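Review bot: The cdebootstrap check strips every non-digit from the first line of `cdebootstrap --version` and compares the remainder as a number, which misorders versions: 0.4 becomes 04 and is treated as older than 034, and any other digit on that line is folded into the value. If the command is missing, `cde_version` is empty and `[ "" -gt 034 ]` only prints an error. Extracting the version field and using `dpkg --compare-versions "$cde_version" gt 0.3.4` gives a real comparison; the output format of `cdebootstrap --version` is not visible here, so the extraction has to be checked against it. The bare `read` should be `read -r _`, and the prompt should go to stderr like the warning lines before it.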
@@ -40,9 +40,9 @@ SSH_HOST=$(grep "^Host " "$SSH_CONFIG_FILE" | head -1 | sed 's/^Host *\(.*\)$/\1 # read some cryptobox settings (especially "DEV_FEATURES_SCRIPT") -if [ -e "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf" ] - then source "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf" - else echo "cryptobox.conf ($TEMPLATE_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2 +if [ -e "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf" ] + then source "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf" + else echo "cryptobox.conf ($CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2 fi ####################### functions ###################### @@ -138,16 +138,12 @@ case "$1" in chroot ) # chroot may only be called as root [ "$(id -u)" -ne 0 ] && echo "the action 'chroot' may only be called as root!" >&2 && exit 1 - if [ ! -x "$IMAGE_DIR/$CHROOT_START" ] - then echo "the chroot init script ("$IMAGE_DIR/$CHROOT_START") is not executable" - echo "maybe you should run '`basename $0` cb-config' first" - else echo - echo "##############################################################################" - echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #" - echo "##############################################################################" - echo - chroot "$IMAGE_DIR" "$CHROOT_START" - fi + echo + echo "##############################################################################" + echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #" + echo "##############################################################################" + echo + chroot_image ;; qemu ) qemu_boot "$IMAGE_FILE" diff --git a/scripts/common.sh.inc b/scripts/common.sh.inc index 2718762..94036d0 100644 --- a/scripts/common.sh.inc +++ b/scripts/common.sh.inc 
@@ -21,6 +21,32 @@ function error_die() exit $1 } +function chroot_image() +{ + MNT_SRC=$IMAGE_DIR/opt/dfsruntime/runtimerd + MNT_DST=$IMAGE_DIR/opt/dfsruntime/runtimemnt + TMP_DIR=/tmp/cryptobox-chroot-$(basename $0)-$$ + [ -d "$TMP_DIR" ] && rm -rf "$TMP_DIR" + + cp -a "$MNT_SRC/." "$TMP_DIR" + mount --bind "$TMP_DIR" "$MNT_DST" + + [ ! -e "$TMP_DIR/dev/null" ] && mknod "$TMP_DIR/dev/null" c 1 3 && chmod 666 "$TMP_DIR/dev/null" + [ ! -e "$TMP_DIR/dev/urandom" ] && mknod "$TMP_DIR/dev/urandom" c 1 9 && chmod 444 "$TMP_DIR/dev/urandom" + [ ! -e "$TMP_DIR/dev/console" ] && mknod "$TMP_DIR/dev/console" c 1 5 && chmod 660 "$TMP_DIR/dev/console" + + # remember, if proc was mounted before (e.g. because of a running chroot) + local PROC_WAS_MOUNTED=no + mount -t proc proc "$IMAGE_DIR/proc" 2>/dev/null || PROC_WAS_MOUNTED=yes + + # default language setting - prevents dpkg error messages + # set default terminal (good if you are running in a screen session) + LANG=C TERM=linux chroot "$IMAGE_DIR" /bin/bash + + umount "$MNT_DST" + [ "$PROC_WAS_MOUNTED" = "no" ] && umount "$IMAGE_DIR/proc" + rm -r "$TMP_DIR" +} ################### general settings ################### diff --git a/scripts/debian b/scripts/debian index bcfa4bd..95498a8 100644 --- a/scripts/debian +++ b/scripts/debian @@ -19,7 +19,6 @@ source $(dirname $0)/common.sh.inc DEB_BUILD_DIR=/tmp/cryptobox-debian-$$ [ -e "$DEB_BUILD_DIR" ] && rm -rf "$DEB_BUILD_DIR" -DEB_ROOT_DIR=$TEMPLATE_DIR DEB_CONTROL_DIR=$ROOT_DIR/DEBIAN DEB_PACKAGE_DIR=$ROOT_DIR/packages 
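Review bot: chroot_image assigns `MNT_SRC`, `MNT_DST` and `TMP_DIR` without `local`, so each call overwrites the `TMP_DIR` that etc-defaults.d/cbox-dev.conf defines for the calling script, and the function returns the status of the final `rm`, not of the chroot. The callers in cbox-build.sh (`dpkg --configure`, `configure-cryptobox.sh normal` and, for the `harden` action, `configure-cryptobox.sh secure`) therefore cannot tell that a step failed, and an image could be built without the hardening having run. The directory name is predictable and is removed with `rm -rf` if it already exists, which is risky in a function that runs as root; `mktemp -d` avoids both. The console node is created with `c 1 5`, which is the number of /dev/zero, whereas /dev/console is `c 5 1`. The fence shows only the changed lines.

```shell
function chroot_image()
{
	local MNT_SRC=$IMAGE_DIR/opt/dfsruntime/runtimerd
	local MNT_DST=$IMAGE_DIR/opt/dfsruntime/runtimemnt
	local TMP_DIR rc=0
	# mktemp creates a fresh directory with an unpredictable name
	TMP_DIR=$(mktemp -d /tmp/cryptobox-chroot.XXXXXX) || return 1

	# … unchanged: cp -a, mount --bind, mknod for null and urandom …
	[ ! -e "$TMP_DIR/dev/console" ] && mknod "$TMP_DIR/dev/console" c 5 1 && chmod 660 "$TMP_DIR/dev/console"

	# … unchanged: proc mount with PROC_WAS_MOUNTED …

	# keep the status of the commands run inside the chroot for the caller
	LANG=C TERM=linux chroot "$IMAGE_DIR" /bin/bash || rc=$?

	# … unchanged: umount calls, rm -r "$TMP_DIR" …
	return "$rc"
}
```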
@@ -30,11 +29,8 @@ ACTION=build case "$ACTION" in build ) - # check for uid=0 (necessary for building) - #[ "$(id -u)" -ne 0 ] && echo "this script ($0) has to be called as root" >&2 && exit 1 - svn export "$DEB_ROOT_DIR" "$DEB_BUILD_DIR" >/dev/null + svn export "$CBOX_DEVEL_DIR" "$DEB_BUILD_DIR" >/dev/null svn export "$DEB_CONTROL_DIR" "$DEB_BUILD_DIR/DEBIAN" >/dev/null - #chown -R root. "$DEB_BUILD_DIR/usr/share/doc/" fakeroot dpkg-deb --build "$DEB_BUILD_DIR" "$DEB_PACKAGE_DIR" rm -rf "$DEB_BUILD_DIR" ;;