warning for unusable cdebootstrap version added
chroot procedure simplified cryptobox and perl-clearsilver package added to dfsbuild config init.d-script moved closer to "debian" style uninitialized config partition does not cause error in boot script anymore /etc/default/cryptobox completed initialization of network, stunnel and iptables now depends on /etc/default settings removed hard-coded dependencies on samba and thttpd
This commit is contained in:
parent
8d19f7a1b5
commit
da3774d537
|
@ -2,9 +2,25 @@
|
||||||
#
|
#
|
||||||
# $Id$
|
# $Id$
|
||||||
#
|
#
|
||||||
|
# the default setup of the cryptobox is complete inactivity
|
||||||
|
|
||||||
# set to "1" to turn off the cryptobox - otherwise "0"
|
# set to "1" to turn off the cryptobox - otherwise "0"
|
||||||
NO_START=0
|
NO_START=1
|
||||||
|
|
||||||
# change the default configuration file if necessary
|
# change the default configuration file if necessary
|
||||||
#CONF_FILE=/etc/cryptobox/cryptobox.conf
|
#CONF_FILE=/etc/cryptobox/cryptobox.conf
|
||||||
|
|
||||||
|
# should the cryptobox skip the network interface configuration?
|
||||||
|
# "0" means skip (default) --- "1" causes the cryptobox to configure it
|
||||||
|
SKIP_NETWORK_CONFIG=1
|
||||||
|
|
||||||
|
# should the cryptobox set some firewall (iptables) rules?
|
||||||
|
# if this is turned off, then you have to add the appropriate
|
||||||
|
# rules manually (if you need the timeout feature of the cryptobox)
|
||||||
|
# default is 0
|
||||||
|
EXEC_FIREWALL_RULES=0
|
||||||
|
|
||||||
|
# use stunnel for https support?
|
||||||
|
# default is 0
|
||||||
|
USE_STUNNEL=0
|
||||||
|
|
||||||
|
|
|
@ -13,7 +13,13 @@ set -eu
|
||||||
# startup switch defaults to zero (enabled)
|
# startup switch defaults to zero (enabled)
|
||||||
NO_START=${NO_START:-0}
|
NO_START=${NO_START:-0}
|
||||||
# check startup switch
|
# check startup switch
|
||||||
[ "$NO_START" = "1" ] && echo "CryptoBox is disabled" && exit 0
|
if [ "$NO_START" = "1" ]
|
||||||
|
then [ $# -eq 0 ] && exit 0
|
||||||
|
[ "$1" = "status" ] && exit 1
|
||||||
|
[ "$1" = "stop" ] && exit 0
|
||||||
|
echo "CryptoBox is disabled"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
# stop-on-errors
|
# stop-on-errors
|
||||||
set -eu
|
set -eu
|
||||||
|
@ -23,9 +29,9 @@ CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
|
|
||||||
# parse config file
|
# parse config file
|
||||||
if [ -e "$CONF_FILE" ]
|
if [ -e "$CONF_FILE" ]
|
||||||
then echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
|
then . "$CONF_FILE"
|
||||||
|
else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
|
||||||
exit 1
|
exit 1
|
||||||
else . "$CONF_FILE"
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
|
|
|
@ -17,8 +17,13 @@
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
## configuration
|
## configuration
|
||||||
CERT_TEMP=/tmp/stunnel.pem
|
CERT_TEMP=/tmp/stunnel.pem
|
||||||
|
@ -54,10 +59,10 @@ function create_partitions()
|
||||||
{
|
{
|
||||||
# TODO: allow different layouts
|
# TODO: allow different layouts
|
||||||
# TODO: skip config partition if a configuration is already active
|
# TODO: skip config partition if a configuration is already active
|
||||||
local device="$1"
|
local device=$1
|
||||||
# first partition size is 1 sector, second goes til end
|
# first partition size is 1 sector, second goes til end
|
||||||
# sfdisk -n doesn't actually write (for testing purpose)
|
# sfdisk -n doesn't actually write (for testing purpose)
|
||||||
echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
|
echo -e "0,1,L \n,,L\n" | "$SFDISK" "$device"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -105,7 +110,7 @@ function config_get_value()
|
||||||
function create_config()
|
function create_config()
|
||||||
# Parameter: device
|
# Parameter: device
|
||||||
{
|
{
|
||||||
local device="$1"
|
local device=$1
|
||||||
# create the new configuration filesystem if it is not static
|
# create the new configuration filesystem if it is not static
|
||||||
if is_config_mounted
|
if is_config_mounted
|
||||||
then log_msg "Using static configuration ..."
|
then log_msg "Using static configuration ..."
|
||||||
|
@ -228,6 +233,7 @@ function create_crypto()
|
||||||
$MKFS_DATA "$CRYPTMAPPER_DIR/$uuid" | tr '\0101' ' '
|
$MKFS_DATA "$CRYPTMAPPER_DIR/$uuid" | tr '\0101' ' '
|
||||||
|
|
||||||
# set user for samba
|
# set user for samba
|
||||||
|
# TODO: rename SAMBA_USER to something like FILE_USER
|
||||||
mkdir -p "$MNT_PARENT/$name"
|
mkdir -p "$MNT_PARENT/$name"
|
||||||
mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
|
mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
|
||||||
chown $SAMBA_USER "$MNT_PARENT/$name"
|
chown $SAMBA_USER "$MNT_PARENT/$name"
|
||||||
|
@ -301,7 +307,7 @@ function get_available_disks()
|
||||||
{
|
{
|
||||||
for scan in $SCAN_DEVICES
|
for scan in $SCAN_DEVICES
|
||||||
do for avail in $ALL_PARTITIONS
|
do for avail in $ALL_PARTITIONS
|
||||||
do [ "$scan" = "$avail" ] && echo "$a"
|
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
@ -319,10 +325,10 @@ function mount_config()
|
||||||
# modify all scan_devices to get regular expressions like "^hda[0-9]*$"
|
# modify all scan_devices to get regular expressions like "^hda[0-9]*$"
|
||||||
local scan_regex=$(echo "SCAN_DEVICES" | tr " " "\n" | sed 's/^/^/; s/$/[0-9]*$/')
|
local scan_regex=$(echo "SCAN_DEVICES" | tr " " "\n" | sed 's/^/^/; s/$/[0-9]*$/')
|
||||||
echo "$ALL_PARTITIONS" | grep "$scan_regex" | while read part
|
echo "$ALL_PARTITIONS" | grep "$scan_regex" | while read part
|
||||||
do log_msg "Trying to load configuration from $part ..."
|
do log_msg "Trying to load configuration from /dev/$part ..."
|
||||||
if config_mount_test "$part"
|
if config_mount_test "/dev/$part"
|
||||||
then log_msg "configuraton found on $part"
|
then log_msg "configuraton found on $part"
|
||||||
mount "$part" "$CONFIG_DIR"
|
mount "/dev/$part" "$CONFIG_DIR"
|
||||||
# copy certificate to /tmp in case of re-initialization
|
# copy certificate to /tmp in case of re-initialization
|
||||||
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
|
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
|
||||||
cp "$CERT_FILE" "$CERT_TEMP"
|
cp "$CERT_FILE" "$CERT_TEMP"
|
||||||
|
@ -351,16 +357,17 @@ function mount_crypto()
|
||||||
local device=$1
|
local device=$1
|
||||||
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
|
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
|
||||||
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
|
||||||
local uuid=$(get_crypto_uuid $device)
|
local uuid=$(get_crypto_uuid "$device")
|
||||||
local name=$(get_crypto_name $device)
|
local name=$(get_crypto_name "$device")
|
||||||
# passphrase is read from stdin
|
# passphrase is read from stdin
|
||||||
log_msg "Mounting crypto partition $name ($device)"
|
log_msg "Mounting crypto partition $name ($device)"
|
||||||
$CRYPTSETUP luksOpen "$device" "$uuid"
|
$CRYPTSETUP luksOpen "$device" "$uuid"
|
||||||
[ -e "$MNT_PARENT/$name" ] || mkdir -p "$MNT_PARENT/$name"
|
[ -e "$MNT_PARENT/$name" ] || mkdir -p "$MNT_PARENT/$name"
|
||||||
if mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
|
if mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
|
||||||
then log_msg "Mount succeeded - now starting samba ..."
|
then true
|
||||||
/etc/init.d/samba start
|
# log_msg "Mount succeeded - now starting samba ..."
|
||||||
return 0
|
# /etc/init.d/samba start
|
||||||
|
return 0
|
||||||
else log_msg "Mount failed - removing the crypto device $uuid ..."
|
else log_msg "Mount failed - removing the crypto device $uuid ..."
|
||||||
$CRYPTSETUP luksClose "$uuid"
|
$CRYPTSETUP luksClose "$uuid"
|
||||||
return 1
|
return 1
|
||||||
|
@ -375,14 +382,14 @@ function umount_crypto()
|
||||||
# do not break on error
|
# do not break on error
|
||||||
set +e
|
set +e
|
||||||
# TODO: do not stop samba - or do it just temporarily
|
# TODO: do not stop samba - or do it just temporarily
|
||||||
if ps -e | grep -q " [sn]mbd$"
|
#if ps -e | grep -q " [sn]mbd$"
|
||||||
then log_msg "Stopping samba ..."
|
# then log_msg "Stopping samba ..."
|
||||||
/etc/init.d/samba stop
|
# /etc/init.d/samba stop
|
||||||
ps -e | grep -q " smbd$" && killall smbd
|
# ps -e | grep -q " smbd$" && killall smbd
|
||||||
ps -e | grep -q " nmbd$" && killall nmbd
|
# ps -e | grep -q " nmbd$" && killall nmbd
|
||||||
ps -e | grep -q " smbd$" && killall -9 smbd
|
# ps -e | grep -q " smbd$" && killall -9 smbd
|
||||||
ps -e | grep -q " nmbd$" && killall -9 nmbd
|
# ps -e | grep -q " nmbd$" && killall -9 nmbd
|
||||||
fi
|
# fi
|
||||||
local uuid=$(get_crypto_uuid $device)
|
local uuid=$(get_crypto_uuid $device)
|
||||||
local name=$(get_crypto_name $device)
|
local name=$(get_crypto_name $device)
|
||||||
if mountpoint -q "$MNT_PARENT/$name"
|
if mountpoint -q "$MNT_PARENT/$name"
|
||||||
|
@ -439,46 +446,54 @@ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
|
|
||||||
|
|
||||||
ACTION=help
|
ACTION=help
|
||||||
[ $# -gt 0 ] && ACTION="$1" && shift
|
[ $# -gt 0 ] && ACTION=$1 && shift
|
||||||
|
|
||||||
case "$ACTION" in
|
case "$ACTION" in
|
||||||
config-up )
|
config-up )
|
||||||
if mount_config
|
if mount_config
|
||||||
then echo "Cryptobox configuration successfully loaded"
|
then echo "Cryptobox configuration successfully loaded"
|
||||||
else error_msg 3 "Could not find a configuration partition!"
|
else error_msg 0 "Could not find a configuration partition!"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
config-down )
|
config-down )
|
||||||
umount_config || error_msg 4 "Could not unmount configuration partition"
|
umount_config || error_msg 4 "Could not unmount configuration partition"
|
||||||
;;
|
;;
|
||||||
network-up )
|
network-up )
|
||||||
kudzu -s -q --class network
|
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||||
conf_ip=$(config_get_value "ip")
|
then conf_ip=$(config_get_value "ip")
|
||||||
log_msg "Configured $NET_IFACE for $conf_ip ..."
|
log_msg "Configuring $NET_IFACE for $conf_ip ..."
|
||||||
ifconfig $NET_IFACE "$conf_ip"
|
echo "Configuring network interface for $NET_IFACE: $conf_ip"
|
||||||
echo "Configured network interface for $NET_IFACE: $conf_ip"
|
ifconfig $NET_IFACE "$conf_ip"
|
||||||
log_msg "Starting the firewall ..."
|
fi
|
||||||
"$FIREWALL_SCRIPT" start
|
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
|
||||||
# start stunnel
|
then log_msg "Starting the firewall ..."
|
||||||
if [ -f "$CERT_FILE" ]
|
"$FIREWALL_SCRIPT" start
|
||||||
then USE_CERT=$CERT_FILE
|
fi
|
||||||
else USE_CERT=$CERT_TEMP
|
if [ "${USE_STUNNEL:-0}" = 1 ]
|
||||||
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
then # start stunnel
|
||||||
|
if [ -f "$CERT_FILE" ]
|
||||||
|
then USE_CERT=$CERT_FILE
|
||||||
|
else USE_CERT=$CERT_TEMP
|
||||||
|
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
||||||
|
fi
|
||||||
|
log_msg "Starting stunnel ..."
|
||||||
|
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
||||||
|
|| echo "$USE_CERT not found - not starting stunnel"
|
||||||
fi
|
fi
|
||||||
log_msg "Starting stunnel ..."
|
|
||||||
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
|
||||||
|| echo "$USE_CERT not found - not starting stunnel"
|
|
||||||
# this ping allows other hosts to get the IP of
|
|
||||||
# the box, in case of misconfiguration
|
|
||||||
ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
|
|
||||||
;;
|
;;
|
||||||
network-down )
|
network-down )
|
||||||
log_msg "Stopping the firewall ..."
|
if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
|
||||||
"$FIREWALL_SCRIPT" stop
|
then log_msg "Stopping the firewall ..."
|
||||||
log_msg "Stopping stunnel ..."
|
"$FIREWALL_SCRIPT" stop
|
||||||
killall stunnel
|
fi
|
||||||
log_msg "Shutting the network interface down ..."
|
if [ "${USE_STUNNEL:-0}" = 1 ]
|
||||||
ifconfig "$NET_IFACE" down
|
then log_msg "Stopping stunnel ..."
|
||||||
|
killall stunnel
|
||||||
|
fi
|
||||||
|
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||||
|
then log_msg "Shutting the network interface down ..."
|
||||||
|
ifconfig "$NET_IFACE" down
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
services-up )
|
services-up )
|
||||||
# the mount point has to be writeable
|
# the mount point has to be writeable
|
||||||
|
@ -487,8 +502,9 @@ case "$ACTION" in
|
||||||
;;
|
;;
|
||||||
services-down )
|
services-down )
|
||||||
umount "$MNT_PARENT"
|
umount "$MNT_PARENT"
|
||||||
/etc/init.d/samba stop || true
|
# TODO: we should not depend on samba and thttpd
|
||||||
/etc/init.d/thttpd stop || true
|
# /etc/init.d/samba stop || true
|
||||||
|
# /etc/init.d/thttpd stop || true
|
||||||
true
|
true
|
||||||
;;
|
;;
|
||||||
crypto-up )
|
crypto-up )
|
||||||
|
@ -496,7 +512,7 @@ case "$ACTION" in
|
||||||
mount_crypto "$1"
|
mount_crypto "$1"
|
||||||
;;
|
;;
|
||||||
crypto-down )
|
crypto-down )
|
||||||
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
|
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
|
||||||
umount_crypto "$1"
|
umount_crypto "$1"
|
||||||
;;
|
;;
|
||||||
init )
|
init )
|
||||||
|
@ -543,7 +559,9 @@ case "$ACTION" in
|
||||||
update_ip_address )
|
update_ip_address )
|
||||||
# reconfigure the network interface to a new IP address
|
# reconfigure the network interface to a new IP address
|
||||||
# wait for 5 seconds to finish present http requests
|
# wait for 5 seconds to finish present http requests
|
||||||
echo -n "sleep 5; ifconfig $NET_IFACE `config_get_value ip`" | at now
|
if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
|
||||||
|
then echo -n "sleep 5; ifconfig $NET_IFACE $(config_get_value ip)" | at now
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
get_available_disks )
|
get_available_disks )
|
||||||
get_available_disks
|
get_available_disks
|
||||||
|
@ -561,7 +579,7 @@ case "$ACTION" in
|
||||||
;;
|
;;
|
||||||
diskinfo )
|
diskinfo )
|
||||||
get_available_disks | while read a
|
get_available_disks | while read a
|
||||||
do $SFDISK -L -q -l "$a"
|
do "$SFDISK" -L -q -l "$a"
|
||||||
done
|
done
|
||||||
;;
|
;;
|
||||||
box-purge )
|
box-purge )
|
||||||
|
@ -588,8 +606,8 @@ case "$ACTION" in
|
||||||
echo " network-down - disable network interface"
|
echo " network-down - disable network interface"
|
||||||
echo " services-up - run some cryptobox specific daemons"
|
echo " services-up - run some cryptobox specific daemons"
|
||||||
echo " services-down - stop some cryptobox specific daemons"
|
echo " services-down - stop some cryptobox specific daemons"
|
||||||
echo " crypto-up - mount crypto partition and start samba"
|
echo " crypto-up - mount crypto partition"
|
||||||
echo " crypto-down - unmount crypto partition and stop samba"
|
echo " crypto-down - unmount crypto partition"
|
||||||
echo " box-init - initialize cryptobox (ALL data is LOST)"
|
echo " box-init - initialize cryptobox (ALL data is LOST)"
|
||||||
echo " box-init-fg - the first part of initialization"
|
echo " box-init-fg - the first part of initialization"
|
||||||
echo " box-init-bg - the last part of initialization (background)"
|
echo " box-init-bg - the last part of initialization (background)"
|
||||||
|
|
|
@ -27,8 +27,13 @@
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
|
|
||||||
############# some functions ##################
|
############# some functions ##################
|
||||||
|
|
|
@ -17,8 +17,13 @@
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
RUNTIMEDIR=/opt/dfsruntime/runtimerd
|
RUNTIMEDIR=/opt/dfsruntime/runtimerd
|
||||||
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
||||||
|
@ -37,6 +42,12 @@ SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate"
|
||||||
function configure_normal()
|
function configure_normal()
|
||||||
# the usual stuff - not optimized for security
|
# the usual stuff - not optimized for security
|
||||||
{
|
{
|
||||||
|
##### cryptobox settings ######
|
||||||
|
sed -i '/^NO_START=.*$/NO_START=0/'
|
||||||
|
sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/'
|
||||||
|
sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/'
|
||||||
|
sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/'
|
||||||
|
|
||||||
########### boot up ###########
|
########### boot up ###########
|
||||||
# turn off creation of "/etc/nologin" (read-only fs)
|
# turn off creation of "/etc/nologin" (read-only fs)
|
||||||
sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
|
sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
|
||||||
|
|
|
@ -17,8 +17,13 @@
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
MIRROR_DIR=/tmp/mirror
|
MIRROR_DIR=/tmp/mirror
|
||||||
MIRROR_ORIG_DIR=/tmp/mirror.orig
|
MIRROR_ORIG_DIR=/tmp/mirror.orig
|
||||||
|
|
|
@ -15,8 +15,13 @@
|
||||||
|
|
||||||
set -u
|
set -u
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
|
|
||||||
ACTION="help"
|
ACTION="help"
|
||||||
|
|
|
@ -17,11 +17,16 @@
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
|
# read the default setting file, if it exists
|
||||||
|
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
|
||||||
|
|
||||||
|
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
|
||||||
|
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
|
||||||
# parse config file
|
# parse config file
|
||||||
. /etc/cryptobox/cryptobox.conf
|
. "$CONF_FILE"
|
||||||
|
|
||||||
|
|
||||||
## vcert values are in openssl.conf
|
# vcert values are in OPENSSL_CONF_FILE
|
||||||
CERTFILE="$1"
|
CERTFILE="$1"
|
||||||
TMP_FILE=/tmp/cryptobox-cert.tmp
|
TMP_FILE=/tmp/cryptobox-cert.tmp
|
||||||
|
|
||||||
|
|
Binary file not shown.
|
@ -11,23 +11,26 @@
|
||||||
BUILD_DIR="$ROOT_DIR/_builddir"
|
BUILD_DIR="$ROOT_DIR/_builddir"
|
||||||
|
|
||||||
# the cryptobox development files
|
# the cryptobox development files
|
||||||
TEMPLATE_DIR="$ROOT_DIR/live-cd-tree.d"
|
CBOX_DEVEL_DIR=$ROOT_DIR/cbox-tree.d
|
||||||
|
|
||||||
|
# template for live-cd
|
||||||
|
TEMPLATE_DIR=$ROOT_DIR/live-cd-tree.d
|
||||||
|
|
||||||
# the iso image
|
# the iso image
|
||||||
IMAGE_FILE="$BUILD_DIR/cryptobox.iso"
|
IMAGE_FILE=$BUILD_DIR/cryptobox.iso
|
||||||
|
|
||||||
# temporary directory
|
# temporary directory
|
||||||
TMP_DIR="/tmp/`basename $0`-$$"
|
TMP_DIR=/tmp/$(basename $0)-$$
|
||||||
|
|
||||||
# the virtual harddisk image used for qemu
|
# the virtual harddisk image used for qemu
|
||||||
HD_IMAGE="/tmp/`basename $0`-testplatte.img"
|
HD_IMAGE=/tmp/$(basename $0)-testplatte.img
|
||||||
|
|
||||||
# mkisofs options (the option "-U" is not clean, but it prevents long
|
# mkisofs options (the option "-U" is not clean, but it prevents long
|
||||||
# filenames from getting mapped)
|
# filenames from getting mapped)
|
||||||
MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
|
MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
|
||||||
|
|
||||||
# for burning a CD
|
# for burning a CD
|
||||||
CDWRITER="0,0,0"
|
CDWRITER=0,0,0
|
||||||
|
|
||||||
|
|
||||||
####################### validation ########################
|
####################### validation ########################
|
||||||
|
|
|
@ -126,7 +126,7 @@ ramdisk_files = /etc/resolv.conf
|
||||||
/var/spool/cron
|
/var/spool/cron
|
||||||
|
|
||||||
# Directories to create on live fs
|
# Directories to create on live fs
|
||||||
makedirs = /root/.elinks
|
makedirs =
|
||||||
|
|
||||||
# Files to delete from live fs
|
# Files to delete from live fs
|
||||||
deletefiles = /etc/rcS.d/*discover
|
deletefiles = /etc/rcS.d/*discover
|
||||||
|
@ -145,18 +145,19 @@ deletefiles = /etc/rcS.d/*discover
|
||||||
#modules = /lib/modules/2.4.27-2-386
|
#modules = /lib/modules/2.4.27-2-386
|
||||||
|
|
||||||
# Debs from local fs to unpack on live FS (will not be configured)
|
# Debs from local fs to unpack on live FS (will not be configured)
|
||||||
# cryptsetup-luks can not be install regurlarly, because of a weird dpkg error
|
# cryptsetup-luks and perl-clearsilver can not be installed regurlarly, because of a weird
|
||||||
# ("statusoverride ... Debian-exim" - this can probably be fixed, by adding the group
|
# dpkg error ("statusoverride ... Debian-exim" - this can probably be fixed, by adding
|
||||||
# Debian-exim to the host system)
|
# the group Debian-exim to the host system)
|
||||||
unpackdebs = packages/kernel-image-2.6.12.6_cryptobox0.3_i386.deb
|
unpackdebs = packages/kernel-image-2.6.12.6_cryptobox0.3_i386.deb
|
||||||
packages/cryptsetup-luks_1.0.1-3_i386.deb
|
packages/cryptsetup-luks_1.0.1-3_i386.deb
|
||||||
|
packages/perl-clearsilver_0.9.13-3.2_all.deb
|
||||||
|
packages/cryptobox_0.3.0-1_all.deb
|
||||||
|
|
||||||
# Other packages to install besides the list in DEFAULT
|
# Other packages to install besides the list in DEFAULT
|
||||||
packages = %(allpackages)s
|
packages = %(allpackages)s
|
||||||
|
|
||||||
# Debs from local fs to isntall on live fs
|
# Debs from local fs to isntall on live fs
|
||||||
installdebs = packages/cryptobox_0.3.0-1_all.deb
|
#installdebs =
|
||||||
packages/perl-clearsilver_0.9.13-3.2_all.deb
|
|
||||||
|
|
||||||
# Bootloader (see options under default)
|
# Bootloader (see options under default)
|
||||||
bootloader = grub-no-emul
|
bootloader = grub-no-emul
|
||||||
|
|
|
@ -50,7 +50,10 @@ DFS_CONFIG=$(get_config_file dfs-cbox.conf)
|
||||||
function run_dfsbuild()
|
function run_dfsbuild()
|
||||||
{
|
{
|
||||||
[ ! -e "$BUILD_DIR" ] && mkdir -p "$BUILD_DIR" && echo "das BuildDir ($BUILD_DIR) wurde angelegt ..."
|
[ ! -e "$BUILD_DIR" ] && mkdir -p "$BUILD_DIR" && echo "das BuildDir ($BUILD_DIR) wurde angelegt ..."
|
||||||
dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR"
|
LANG=C dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR/"
|
||||||
|
|
||||||
|
# finish package installation
|
||||||
|
echo "dpkg --configure --prending" | chroot_image
|
||||||
|
|
||||||
# remove iso image of dfsbuild - it is not necessary
|
# remove iso image of dfsbuild - it is not necessary
|
||||||
[ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso"
|
[ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso"
|
||||||
|
@ -97,11 +100,11 @@ function configure_cb()
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "Copying files to the box ..."
|
echo "Copying files to the box ..."
|
||||||
svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR"
|
svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR"
|
||||||
|
|
||||||
echo "Configuring the cryptobox ..."
|
echo "Configuring the cryptobox ..."
|
||||||
chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh normal
|
echo "/usr/lib/cryptobox/configure-cryptobox.sh normal" | chroot_image
|
||||||
|
|
||||||
# source local configure scripts
|
# source local configure scripts
|
||||||
[ -d "$CUSTOM_CONFIGURE_DIR" ] && \
|
[ -d "$CUSTOM_CONFIGURE_DIR" ] && \
|
||||||
|
@ -144,6 +147,15 @@ while [ $# -gt 0 ]
|
||||||
# check if we are in ROOT_DIR - otherwise we will have problems with
|
# check if we are in ROOT_DIR - otherwise we will have problems with
|
||||||
# relative paths in dfs-box.conf
|
# relative paths in dfs-box.conf
|
||||||
[ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!"
|
[ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!"
|
||||||
|
# check for cdebootstrap version (there are problems after 0.3.4)
|
||||||
|
cde_version=$(cdebootstrap --version | head -1 | sed 's/[^0-9]//g')
|
||||||
|
if [ "$cde_version" -gt 034 ]
|
||||||
|
then echo "BEWARE: There have been problems with cdebootstrap after v0.3.4." >&2
|
||||||
|
echo " Maybe you should consider downgrading cdebootstrap to sarge/stable," >&2
|
||||||
|
echo " if you experience problems with dfsbuild." >&2
|
||||||
|
echo "Press return key to continue ..."
|
||||||
|
read
|
||||||
|
fi
|
||||||
run_dfsbuild
|
run_dfsbuild
|
||||||
;;
|
;;
|
||||||
config )
|
config )
|
||||||
|
@ -156,7 +168,7 @@ while [ $# -gt 0 ]
|
||||||
create_compressed_iso
|
create_compressed_iso
|
||||||
;;
|
;;
|
||||||
harden )
|
harden )
|
||||||
chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh secure
|
echo "/usr/lib/cryptobox/configure-cryptobox.sh secure" | chroot_image
|
||||||
;;
|
;;
|
||||||
burn )
|
burn )
|
||||||
blanknburn_cdrw
|
blanknburn_cdrw
|
||||||
|
|
|
@ -40,9 +40,9 @@ SSH_HOST=$(grep "^Host " "$SSH_CONFIG_FILE" | head -1 | sed 's/^Host *\(.*\)$/\1
|
||||||
|
|
||||||
|
|
||||||
# read some cryptobox settings (especially "DEV_FEATURES_SCRIPT")
|
# read some cryptobox settings (especially "DEV_FEATURES_SCRIPT")
|
||||||
if [ -e "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf" ]
|
if [ -e "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf" ]
|
||||||
then source "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf"
|
then source "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf"
|
||||||
else echo "cryptobox.conf ($TEMPLATE_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2
|
else echo "cryptobox.conf ($CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2
|
||||||
fi
|
fi
|
||||||
|
|
||||||
####################### functions ######################
|
####################### functions ######################
|
||||||
|
@ -138,16 +138,12 @@ case "$1" in
|
||||||
chroot )
|
chroot )
|
||||||
# chroot may only be called as root
|
# chroot may only be called as root
|
||||||
[ "$(id -u)" -ne 0 ] && echo "the action 'chroot' may only be called as root!" >&2 && exit 1
|
[ "$(id -u)" -ne 0 ] && echo "the action 'chroot' may only be called as root!" >&2 && exit 1
|
||||||
if [ ! -x "$IMAGE_DIR/$CHROOT_START" ]
|
echo
|
||||||
then echo "the chroot init script ("$IMAGE_DIR/$CHROOT_START") is not executable"
|
echo "##############################################################################"
|
||||||
echo "maybe you should run '`basename $0` cb-config' first"
|
echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #"
|
||||||
else echo
|
echo "##############################################################################"
|
||||||
echo "##############################################################################"
|
echo
|
||||||
echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #"
|
chroot_image
|
||||||
echo "##############################################################################"
|
|
||||||
echo
|
|
||||||
chroot "$IMAGE_DIR" "$CHROOT_START"
|
|
||||||
fi
|
|
||||||
;;
|
;;
|
||||||
qemu )
|
qemu )
|
||||||
qemu_boot "$IMAGE_FILE"
|
qemu_boot "$IMAGE_FILE"
|
||||||
|
|
|
@ -21,6 +21,32 @@ function error_die()
|
||||||
exit $1
|
exit $1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function chroot_image()
|
||||||
|
{
|
||||||
|
MNT_SRC=$IMAGE_DIR/opt/dfsruntime/runtimerd
|
||||||
|
MNT_DST=$IMAGE_DIR/opt/dfsruntime/runtimemnt
|
||||||
|
TMP_DIR=/tmp/cryptobox-chroot-$(basename $0)-$$
|
||||||
|
[ -d "$TMP_DIR" ] && rm -rf "$TMP_DIR"
|
||||||
|
|
||||||
|
cp -a "$MNT_SRC/." "$TMP_DIR"
|
||||||
|
mount --bind "$TMP_DIR" "$MNT_DST"
|
||||||
|
|
||||||
|
[ ! -e "$TMP_DIR/dev/null" ] && mknod "$TMP_DIR/dev/null" c 1 3 && chmod 666 "$TMP_DIR/dev/null"
|
||||||
|
[ ! -e "$TMP_DIR/dev/urandom" ] && mknod "$TMP_DIR/dev/urandom" c 1 9 && chmod 444 "$TMP_DIR/dev/urandom"
|
||||||
|
[ ! -e "$TMP_DIR/dev/console" ] && mknod "$TMP_DIR/dev/console" c 1 5 && chmod 660 "$TMP_DIR/dev/console"
|
||||||
|
|
||||||
|
# remember, if proc was mounted before (e.g. because of a running chroot)
|
||||||
|
local PROC_WAS_MOUNTED=no
|
||||||
|
mount -t proc proc "$IMAGE_DIR/proc" 2>/dev/null || PROC_WAS_MOUNTED=yes
|
||||||
|
|
||||||
|
# default language setting - prevents dpkg error messages
|
||||||
|
# set default terminal (good if you are running in a screen session)
|
||||||
|
LANG=C TERM=linux chroot "$IMAGE_DIR" /bin/bash
|
||||||
|
|
||||||
|
umount "$MNT_DST"
|
||||||
|
[ "$PROC_WAS_MOUNTED" = "no" ] && umount "$IMAGE_DIR/proc"
|
||||||
|
rm -r "$TMP_DIR"
|
||||||
|
}
|
||||||
|
|
||||||
################### general settings ###################
|
################### general settings ###################
|
||||||
|
|
||||||
|
|
|
@ -19,7 +19,6 @@ source $(dirname $0)/common.sh.inc
|
||||||
DEB_BUILD_DIR=/tmp/cryptobox-debian-$$
|
DEB_BUILD_DIR=/tmp/cryptobox-debian-$$
|
||||||
[ -e "$DEB_BUILD_DIR" ] && rm -rf "$DEB_BUILD_DIR"
|
[ -e "$DEB_BUILD_DIR" ] && rm -rf "$DEB_BUILD_DIR"
|
||||||
|
|
||||||
DEB_ROOT_DIR=$TEMPLATE_DIR
|
|
||||||
DEB_CONTROL_DIR=$ROOT_DIR/DEBIAN
|
DEB_CONTROL_DIR=$ROOT_DIR/DEBIAN
|
||||||
DEB_PACKAGE_DIR=$ROOT_DIR/packages
|
DEB_PACKAGE_DIR=$ROOT_DIR/packages
|
||||||
|
|
||||||
|
@ -30,11 +29,8 @@ ACTION=build
|
||||||
|
|
||||||
case "$ACTION" in
|
case "$ACTION" in
|
||||||
build )
|
build )
|
||||||
# check for uid=0 (necessary for building)
|
svn export "$CBOX_DEVEL_DIR" "$DEB_BUILD_DIR" >/dev/null
|
||||||
#[ "$(id -u)" -ne 0 ] && echo "this script ($0) has to be called as root" >&2 && exit 1
|
|
||||||
svn export "$DEB_ROOT_DIR" "$DEB_BUILD_DIR" >/dev/null
|
|
||||||
svn export "$DEB_CONTROL_DIR" "$DEB_BUILD_DIR/DEBIAN" >/dev/null
|
svn export "$DEB_CONTROL_DIR" "$DEB_BUILD_DIR/DEBIAN" >/dev/null
|
||||||
#chown -R root. "$DEB_BUILD_DIR/usr/share/doc/"
|
|
||||||
fakeroot dpkg-deb --build "$DEB_BUILD_DIR" "$DEB_PACKAGE_DIR"
|
fakeroot dpkg-deb --build "$DEB_BUILD_DIR" "$DEB_PACKAGE_DIR"
|
||||||
rm -rf "$DEB_BUILD_DIR"
|
rm -rf "$DEB_BUILD_DIR"
|
||||||
;;
|
;;
|
||||||
|
|
Loading…
Reference in a new issue