warning for unusable cdebootstrap version added

chroot procedure simplified
cryptobox and perl-clearsilver package added to dfsbuild config
init.d-script moved closer to "debian" style
uninitialized config partition does not cause error in boot script anymore
/etc/default/cryptobox completed
initialization of network, stunnel and iptables now depends on /etc/default settings
removed hard-coded dependencies on samba and thttpd

cbox-tree.d/etc/default/cryptobox

@@ -2,9 +2,25 @@
 #
 # $Id$
 #
+# the default setup of the cryptobox is complete inactivity
 
 # set to "1" to turn off the cryptobox - otherwise "0"
-NO_START=0
+NO_START=1
 
 # change the default configuration file if necessary
 #CONF_FILE=/etc/cryptobox/cryptobox.conf
+
+# should the cryptobox skip the network interface configuration?
+# "0" means skip (default) --- "1" causes the cryptobox to configure it
+SKIP_NETWORK_CONFIG=1
+
+# should the cryptobox set some firewall (iptables) rules?
+# if this is turned off, then you have to add the appropriate
+# rules manually (if you need the timeout feature of the cryptobox)
+# default is 0
+EXEC_FIREWALL_RULES=0
+
+# use stunnel for https support?
+# default is 0
+USE_STUNNEL=0
+

cbox-tree.d/etc/init.d/cryptobox

@@ -13,7 +13,13 @@ set -eu
 # startup switch defaults to zero (enabled)
 NO_START=${NO_START:-0}
 # check startup switch
-[ "$NO_START" = "1" ] && echo "CryptoBox is disabled" && exit 0
+if [ "$NO_START" = "1" ]
+	then	[ $# -eq 0 ] && exit 0
+			[ "$1" = "status" ] && exit 1
+			[ "$1" = "stop" ] && exit 0
+			echo "CryptoBox is disabled"
+			exit 0
+  fi
 
 # stop-on-errors
 set -eu
@@ -23,9 +29,9 @@ CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 
 # parse config file
 if [ -e "$CONF_FILE" ]
-	then	echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
+	then	. "$CONF_FILE"
+	else	echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
 			exit 1
-	else	. "$CONF_FILE"
   fi
 
 case "$1" in

cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh

@@ -17,8 +17,13 @@
 
 set -eu
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 ## configuration
 CERT_TEMP=/tmp/stunnel.pem
@@ -54,10 +59,10 @@ function create_partitions()
 {
 	# TODO: allow different layouts
 	# TODO: skip config partition if a configuration is already active
-	local device="$1"
+	local device=$1
 	# first partition size is 1 sector, second goes til end
 	# sfdisk -n doesn't actually write (for testing purpose)
-	echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
+	echo -e "0,1,L \n,,L\n" | "$SFDISK" "$device"
 }
 
 
@@ -105,7 +110,7 @@ function config_get_value()
 function create_config()
 # Parameter: device
 {
-	local device="$1"
+	local device=$1
 	# create the new configuration filesystem if it is not static
 	if is_config_mounted
 	   then log_msg "Using static configuration ..."
@@ -228,6 +233,7 @@ function create_crypto()
 	$MKFS_DATA "$CRYPTMAPPER_DIR/$uuid" | tr '\0101' ' '
 
 	# set user for samba
+	# TODO: rename SAMBA_USER to something like FILE_USER
 	mkdir -p "$MNT_PARENT/$name"
 	mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
 	chown $SAMBA_USER "$MNT_PARENT/$name"
@@ -301,7 +307,7 @@ function get_available_disks()
 {
 	for scan in $SCAN_DEVICES
 		do	for avail in $ALL_PARTITIONS
-			  do	[ "$scan" = "$avail" ] && echo "$a" 
+			  do	[ "$scan" = "$avail" ] && echo "/dev/$avail" 
 			done
 	 done
 }
@@ -319,10 +325,10 @@ function mount_config()
 	# modify all scan_devices to get regular expressions like "^hda[0-9]*$"
 	local scan_regex=$(echo "SCAN_DEVICES" | tr " " "\n" | sed 's/^/^/; s/$/[0-9]*$/')
 	echo "$ALL_PARTITIONS" | grep "$scan_regex" | while read part
-		do	log_msg "Trying to load configuration from $part ..."
+		do	log_msg "Trying to load configuration from /dev/$part ..."
-			if config_mount_test "$part"
+			if config_mount_test "/dev/$part"
 			   then	log_msg "configuraton found on $part"
-					mount "$part" "$CONFIG_DIR"
+					mount "/dev/$part" "$CONFIG_DIR"
 					# copy certificate to /tmp in case of re-initialization
 					# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
 					cp "$CERT_FILE" "$CERT_TEMP"
@@ -351,16 +357,17 @@ function mount_crypto()
 	local device=$1
 	[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
 	is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
-	local uuid=$(get_crypto_uuid $device)
+	local uuid=$(get_crypto_uuid "$device")
-	local name=$(get_crypto_name $device)
+	local name=$(get_crypto_name "$device")
 	# passphrase is read from stdin
 	log_msg "Mounting crypto partition $name ($device)"
 	$CRYPTSETUP luksOpen "$device" "$uuid"
 	[ -e "$MNT_PARENT/$name" ] || mkdir -p "$MNT_PARENT/$name"
 	if mount "$CRYPTMAPPER_DIR/$uuid" "$MNT_PARENT/$name"
-		then	log_msg "Mount succeeded - now starting samba ..."
+		then	true
-			/etc/init.d/samba start
+				# log_msg "Mount succeeded - now starting samba ..."
-			return 0
+				# /etc/init.d/samba start
+				return 0
 		else	log_msg "Mount failed - removing the crypto device $uuid ..."
 			$CRYPTSETUP luksClose "$uuid"
 			return 1
@@ -375,14 +382,14 @@ function umount_crypto()
 	# do not break on error
 	set +e
 	# TODO: do not stop samba - or do it just temporarily
-	if ps -e | grep -q " [sn]mbd$" 
+	#if ps -e | grep -q " [sn]mbd$" 
-		then	log_msg "Stopping samba ..."
+	#	then	log_msg "Stopping samba ..."
-			/etc/init.d/samba stop
+	#		/etc/init.d/samba stop
-			ps -e | grep -q " smbd$" && killall smbd
+	#		ps -e | grep -q " smbd$" && killall smbd
-			ps -e | grep -q " nmbd$" && killall nmbd
+	#		ps -e | grep -q " nmbd$" && killall nmbd
-			ps -e | grep -q " smbd$" && killall -9 smbd
+	#		ps -e | grep -q " smbd$" && killall -9 smbd
-			ps -e | grep -q " nmbd$" && killall -9 nmbd
+	#		ps -e | grep -q " nmbd$" && killall -9 nmbd
-	  fi
+	#  fi
 	local uuid=$(get_crypto_uuid $device)
 	local name=$(get_crypto_name $device)
 	if mountpoint -q "$MNT_PARENT/$name"
@@ -439,46 +446,54 @@ export PATH=/usr/sbin:/usr/bin:/sbin:/bin
 
 
 ACTION=help
-[ $# -gt 0 ] && ACTION="$1" && shift
+[ $# -gt 0 ] && ACTION=$1 && shift
 
 case "$ACTION" in
 	config-up )
 		if mount_config
 		  then	echo "Cryptobox configuration successfully loaded"
-		  else	error_msg 3 "Could not find a configuration partition!"
+		  else	error_msg 0 "Could not find a configuration partition!"
 		 fi
 		;;
 	config-down )
 		umount_config || error_msg 4 "Could not unmount configuration partition"
 		;;
 	network-up )
-		kudzu -s -q --class network
+		if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
-		conf_ip=$(config_get_value "ip")
+			then	conf_ip=$(config_get_value "ip")
-		log_msg "Configured $NET_IFACE for $conf_ip ..."
+					log_msg "Configuring $NET_IFACE for $conf_ip ..."
-		ifconfig $NET_IFACE "$conf_ip"
+					echo "Configuring network interface for $NET_IFACE: $conf_ip"
-		echo "Configured network interface for $NET_IFACE: $conf_ip"
+					ifconfig $NET_IFACE "$conf_ip"
-		log_msg "Starting the firewall ..."
+		  fi
-		"$FIREWALL_SCRIPT" start
+		if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
-		# start stunnel
+			then	log_msg "Starting the firewall ..."
-		if [ -f "$CERT_FILE" ] 
+					"$FIREWALL_SCRIPT" start
-		   then	USE_CERT=$CERT_FILE
+		  fi
-		   else USE_CERT=$CERT_TEMP
+		if [ "${USE_STUNNEL:-0}" = 1 ]
-			$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
+			then	# start stunnel
+					if [ -f "$CERT_FILE" ] 
+					   then	USE_CERT=$CERT_FILE
+					   else USE_CERT=$CERT_TEMP
+							$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
+					  fi
+					log_msg "Starting stunnel ..."
+					stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
+						|| echo "$USE_CERT not found - not starting stunnel"
 		  fi
-		log_msg "Starting stunnel ..."
-		stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
-			|| echo "$USE_CERT not found - not starting stunnel"
-		# this ping allows other hosts to get the IP of
-		# the box, in case of misconfiguration
-		ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
 		;;
 	network-down )
-		log_msg "Stopping the firewall ..."
+		if [ "${EXEC_FIREWALL_RULES:-0}" = 1 ]
-		"$FIREWALL_SCRIPT" stop
+			then	log_msg "Stopping the firewall ..."
-		log_msg "Stopping stunnel ..."
+					"$FIREWALL_SCRIPT" stop
-		killall stunnel
+		  fi
-		log_msg "Shutting the network interface down ..."
+		if [ "${USE_STUNNEL:-0}" = 1 ]
-		ifconfig "$NET_IFACE" down
+			then	log_msg "Stopping stunnel ..."
+					killall stunnel
+		  fi
+		if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
+			then	log_msg "Shutting the network interface down ..."
+					ifconfig "$NET_IFACE" down
+		  fi
 		;;
 	services-up )
 		# the mount point has to be writeable
@@ -487,8 +502,9 @@ case "$ACTION" in
 		;;
 	services-down )
 		umount "$MNT_PARENT"
-		/etc/init.d/samba stop || true
+		# TODO: we should not depend on samba and thttpd
-		/etc/init.d/thttpd stop || true
+		# /etc/init.d/samba stop || true
+		# /etc/init.d/thttpd stop || true
 		true
 		;;
 	crypto-up )
@@ -496,7 +512,7 @@ case "$ACTION" in
 		mount_crypto "$1"
 		;;
 	crypto-down )
-		[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
+		[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
 		umount_crypto "$1"
 		;;
 	init )
@@ -543,7 +559,9 @@ case "$ACTION" in
 	update_ip_address )
 		# reconfigure the network interface to a new IP address
 		# wait for 5 seconds to finish present http requests
-		echo -n "sleep 5; ifconfig $NET_IFACE `config_get_value ip`" | at now
+		if [ "${SKIP_NETWORK_CONFIG:-1}" != 1 ]
+			then	echo -n "sleep 5; ifconfig $NET_IFACE $(config_get_value ip)" | at now
+		  fi
 		;;
 	get_available_disks )
 		get_available_disks
@@ -561,7 +579,7 @@ case "$ACTION" in
 		;;
 	diskinfo )
 		get_available_disks | while read a
-			do	$SFDISK -L -q -l "$a"
+			do	"$SFDISK" -L -q -l "$a"
 		  done
 		;;
 	box-purge )
@@ -588,8 +606,8 @@ case "$ACTION" in
 		echo "  network-down		- disable network interface"
 		echo "  services-up		- run some cryptobox specific daemons"
 		echo "  services-down		- stop some cryptobox specific daemons"
-		echo "  crypto-up		- mount crypto partition and start samba"
+		echo "  crypto-up		- mount crypto partition"
-		echo "  crypto-down		- unmount crypto partition and stop samba"
+		echo "  crypto-down		- unmount crypto partition"
 		echo "  box-init		- initialize cryptobox (ALL data is LOST)"
 		echo "  box-init-fg		- the first part of initialization"
 		echo "  box-init-bg		- the last part of initialization (background)"

cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh

@@ -27,8 +27,13 @@
 
 set -eu
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 
 ############# some functions ##################

cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh

@@ -17,8 +17,13 @@
 
 set -eu
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 RUNTIMEDIR=/opt/dfsruntime/runtimerd
 TUNDEV=$RUNTIMEDIR/dev/net/tun
@@ -37,6 +42,12 @@ SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate"
 function configure_normal()
 # the usual stuff - not optimized for security
 {
+	##### cryptobox settings ######
+	sed -i '/^NO_START=.*$/NO_START=0/'
+	sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/'
+	sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/'
+	sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/'
+	
 	########### boot up ###########
 	# turn off creation of "/etc/nologin" (read-only fs)
 	sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS

cbox-tree.d/usr/lib/cryptobox/devel-features.sh

@@ -17,8 +17,13 @@
 
 set -eu
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 MIRROR_DIR=/tmp/mirror
 MIRROR_ORIG_DIR=/tmp/mirror.orig

cbox-tree.d/usr/lib/cryptobox/firewall.sh

@@ -15,8 +15,13 @@
 
 set -u
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 
 ACTION="help"

cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh

@@ -17,11 +17,16 @@
 
 set -eu
 
+# read the default setting file, if it exists
+[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
+
+# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
+CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
 # parse config file
-. /etc/cryptobox/cryptobox.conf
+. "$CONF_FILE"
 
 
-## vcert values are in openssl.conf
+# vcert values are in OPENSSL_CONF_FILE
 CERTFILE="$1"
 TMP_FILE=/tmp/cryptobox-cert.tmp
 

etc-defaults.d/cbox-dev.conf

@@ -11,23 +11,26 @@
 BUILD_DIR="$ROOT_DIR/_builddir"
 
 # the cryptobox development files
-TEMPLATE_DIR="$ROOT_DIR/live-cd-tree.d"
+CBOX_DEVEL_DIR=$ROOT_DIR/cbox-tree.d
+
+# template for live-cd
+TEMPLATE_DIR=$ROOT_DIR/live-cd-tree.d
 
 # the iso image
-IMAGE_FILE="$BUILD_DIR/cryptobox.iso"
+IMAGE_FILE=$BUILD_DIR/cryptobox.iso
 
 # temporary directory
-TMP_DIR="/tmp/`basename $0`-$$"
+TMP_DIR=/tmp/$(basename $0)-$$
 
 # the virtual harddisk image used for qemu
-HD_IMAGE="/tmp/`basename $0`-testplatte.img"
+HD_IMAGE=/tmp/$(basename $0)-testplatte.img
 
 # mkisofs options (the option "-U" is not clean, but it prevents long
 # filenames from getting mapped)
 MKISOFS_OPTIONS="-allow-multidot -U -D -iso-level 3 -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 1 -boot-info-table -pad -R"
 
 # for burning a CD
-CDWRITER="0,0,0"
+CDWRITER=0,0,0
 
 
 ####################### validation ########################

etc-defaults.d/dfs-cbox.conf

@@ -126,7 +126,7 @@ ramdisk_files = /etc/resolv.conf
 	/var/spool/cron
 
 # Directories to create on live fs
-makedirs = /root/.elinks
+makedirs = 
 
 # Files to delete from live fs
 deletefiles = /etc/rcS.d/*discover 
@@ -145,18 +145,19 @@ deletefiles = /etc/rcS.d/*discover
 #modules = /lib/modules/2.4.27-2-386
 
 # Debs from local fs to unpack on live FS (will not be configured)
-# cryptsetup-luks can not be install regurlarly, because of a weird dpkg error
+# cryptsetup-luks and perl-clearsilver can not be installed regurlarly, because of a weird
-# ("statusoverride ... Debian-exim" - this can probably be fixed, by adding the group
+# dpkg error ("statusoverride ... Debian-exim" - this can probably be fixed, by adding
-#  Debian-exim to the host system)
+# the group Debian-exim to the host system)
 unpackdebs = packages/kernel-image-2.6.12.6_cryptobox0.3_i386.deb
 	packages/cryptsetup-luks_1.0.1-3_i386.deb
+	packages/perl-clearsilver_0.9.13-3.2_all.deb
+	packages/cryptobox_0.3.0-1_all.deb
 
 # Other packages to install besides the list in DEFAULT
 packages = %(allpackages)s
 
 # Debs from local fs to isntall on live fs
-installdebs = packages/cryptobox_0.3.0-1_all.deb
+#installdebs = 
-	packages/perl-clearsilver_0.9.13-3.2_all.deb
 
 # Bootloader (see options under default)
 bootloader = grub-no-emul

scripts/cbox-build.sh

@@ -50,7 +50,10 @@ DFS_CONFIG=$(get_config_file dfs-cbox.conf)
 function run_dfsbuild()
 {
 	[ ! -e "$BUILD_DIR" ] && mkdir -p "$BUILD_DIR" && echo "das BuildDir ($BUILD_DIR) wurde angelegt ..."
-	dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR" 
+	LANG=C dfsbuild -c "$DFS_CONFIG" -w "$BUILD_DIR/" 
+
+	# finish package installation
+	echo "dpkg --configure --prending" | chroot_image
 	
 	# remove iso image of dfsbuild - it is not necessary
 	[ -e "$BUILD_DIR/image.iso" ] && rm "$BUILD_DIR/image.iso"
@@ -97,11 +100,11 @@ function configure_cb()
 		exit 1
 	fi
 
-echo "Copying files to the box ..."
+	echo "Copying files to the box ..."
 		svn export --force "$TEMPLATE_DIR/." "$IMAGE_DIR"
 	
 	echo "Configuring the cryptobox ..."
-		chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh normal
+		echo "/usr/lib/cryptobox/configure-cryptobox.sh normal" | chroot_image
 	
 	# source local configure scripts
 	[ -d "$CUSTOM_CONFIGURE_DIR" ] && \
@@ -144,6 +147,15 @@ while [ $# -gt 0 ]
 		# check if we are in ROOT_DIR - otherwise we will have problems with
 		# relative paths in dfs-box.conf
 		[ "$ROOT_DIR" -ef "$(pwd)" ] || error_die 1 "Sorry: you have to run $0 while you are in '$ROOT_DIR'!"
+		# check for cdebootstrap version (there are problems after 0.3.4)
+		cde_version=$(cdebootstrap --version | head -1 | sed 's/[^0-9]//g')
+		if [ "$cde_version" -gt 034 ]
+			then	echo "BEWARE: There have been problems with cdebootstrap after v0.3.4." >&2
+					echo "	Maybe you should consider downgrading cdebootstrap to sarge/stable," >&2
+					echo "	if you experience problems with dfsbuild." >&2
+					echo "Press return key to continue ..."
+					read
+		  fi
 		run_dfsbuild
 		;;
 	config )
@@ -156,7 +168,7 @@ while [ $# -gt 0 ]
 		create_compressed_iso
 		;;
 	harden )
-		chroot "$IMAGE_DIR" "$CHROOT_START" /usr/lib/cryptobox/configure-cryptobox.sh secure
+		echo "/usr/lib/cryptobox/configure-cryptobox.sh secure" | chroot_image
 		;;
 	burn )
 		blanknburn_cdrw

scripts/cbox-dev.sh

@@ -40,9 +40,9 @@ SSH_HOST=$(grep "^Host " "$SSH_CONFIG_FILE" | head -1 | sed 's/^Host *\(.*\)$/\1
 
 
 # read some cryptobox settings (especially "DEV_FEATURES_SCRIPT")
-if [ -e "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf" ]
+if [ -e "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf" ]
-	then	source "$TEMPLATE_DIR/etc/cryptobox/cryptobox.conf"
+	then	source "$CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf"
-	else	echo "cryptobox.conf ($TEMPLATE_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2
+	else	echo "cryptobox.conf ($CBOX_DEVEL_DIR/etc/cryptobox/cryptobox.conf) does not exist!" >&2
   fi
 
 ####################### functions ######################
@@ -138,16 +138,12 @@ case "$1" in
 	chroot )
 		# chroot may only be called as root
 		[ "$(id -u)" -ne 0 ] && echo "the action 'chroot' may only be called as root!" >&2 && exit 1
-		if [ ! -x "$IMAGE_DIR/$CHROOT_START" ]
+		echo
-		   then	echo "the chroot init script ("$IMAGE_DIR/$CHROOT_START") is not executable"
+		echo "##############################################################################"
-			echo "maybe you should run '`basename $0` cb-config' first"
+		echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #"
-		   else echo
+		echo "##############################################################################"
-		   	echo "##############################################################################"
+		echo
-		   	echo "# BEWARE: you can severly harm your real harddisk in the chroot environment! #"
+		chroot_image
-		   	echo "##############################################################################"
-			echo
-		   	chroot "$IMAGE_DIR" "$CHROOT_START"
-		  fi
 		;;
 	qemu )
 		qemu_boot "$IMAGE_FILE"

scripts/common.sh.inc

@@ -21,6 +21,32 @@ function error_die()
 	exit $1
 }
 
+function chroot_image()
+{
+	MNT_SRC=$IMAGE_DIR/opt/dfsruntime/runtimerd
+	MNT_DST=$IMAGE_DIR/opt/dfsruntime/runtimemnt
+	TMP_DIR=/tmp/cryptobox-chroot-$(basename $0)-$$
+	[ -d "$TMP_DIR" ] && rm -rf "$TMP_DIR"
+
+	cp -a "$MNT_SRC/." "$TMP_DIR"
+	mount --bind "$TMP_DIR" "$MNT_DST"
+
+	[ ! -e "$TMP_DIR/dev/null" ] && mknod "$TMP_DIR/dev/null" c 1 3 && chmod 666 "$TMP_DIR/dev/null"
+	[ ! -e "$TMP_DIR/dev/urandom" ] && mknod "$TMP_DIR/dev/urandom" c 1 9 && chmod 444 "$TMP_DIR/dev/urandom"
+	[ ! -e "$TMP_DIR/dev/console" ] && mknod "$TMP_DIR/dev/console" c 1 5 && chmod 660 "$TMP_DIR/dev/console"
+
+	# remember, if proc was mounted before (e.g. because of a running chroot)
+	local PROC_WAS_MOUNTED=no
+	mount -t proc proc "$IMAGE_DIR/proc" 2>/dev/null || PROC_WAS_MOUNTED=yes
+
+	# default language setting - prevents dpkg error messages
+	# set default terminal (good if you are running in a screen session)
+	LANG=C TERM=linux chroot "$IMAGE_DIR" /bin/bash
+
+	umount "$MNT_DST"
+	[ "$PROC_WAS_MOUNTED" = "no" ] && umount "$IMAGE_DIR/proc"
+	rm -r "$TMP_DIR"
+}
 
 ################### general settings ###################
 

scripts/debian

@@ -19,7 +19,6 @@ source $(dirname $0)/common.sh.inc
 DEB_BUILD_DIR=/tmp/cryptobox-debian-$$
 [ -e "$DEB_BUILD_DIR" ] && rm -rf "$DEB_BUILD_DIR"
 
-DEB_ROOT_DIR=$TEMPLATE_DIR
 DEB_CONTROL_DIR=$ROOT_DIR/DEBIAN
 DEB_PACKAGE_DIR=$ROOT_DIR/packages
 
@@ -30,11 +29,8 @@ ACTION=build
 
 case "$ACTION" in
 	build )
-		# check for uid=0 (necessary for building)
+		svn export "$CBOX_DEVEL_DIR" "$DEB_BUILD_DIR" >/dev/null
-		#[ "$(id -u)" -ne 0 ] && echo "this script ($0) has to be called as root" >&2 && exit 1
-		svn export "$DEB_ROOT_DIR" "$DEB_BUILD_DIR" >/dev/null
 		svn export "$DEB_CONTROL_DIR" "$DEB_BUILD_DIR/DEBIAN" >/dev/null
-		#chown -R root. "$DEB_BUILD_DIR/usr/share/doc/"
 		fakeroot dpkg-deb --build "$DEB_BUILD_DIR" "$DEB_PACKAGE_DIR"
 		rm -rf "$DEB_BUILD_DIR"
 		;;