Browse Source

moving the cryptobox tree back to its place :)

master
lars 16 years ago
parent
commit
e73d969053
  1. 1
      cbox-tree.d/etc/cron.d/cryptobox
  2. 56
      cbox-tree.d/etc/cryptobox/cryptobox.conf
  3. 1
      cbox-tree.d/etc/cryptobox/revision
  4. 65
      cbox-tree.d/etc/cryptobox/ssl-cert.conf
  5. 26
      cbox-tree.d/etc/default/cryptobox
  6. 89
      cbox-tree.d/etc/init.d/cryptobox
  7. 704
      cbox-tree.d/usr/lib/cgi-bin/cryptobox.pl
  8. 590
      cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh
  9. 330
      cbox-tree.d/usr/lib/cryptobox/cbox-root-actions.sh
  10. 92
      cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh
  11. 55
      cbox-tree.d/usr/lib/cryptobox/chroot-start.sh
  12. 145
      cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh
  13. 67
      cbox-tree.d/usr/lib/cryptobox/firewall.sh
  14. 47
      cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh
  15. 0
      cbox-tree.d/usr/share/cryptobox/defaults/admin_pw
  16. 1
      cbox-tree.d/usr/share/cryptobox/defaults/ip
  17. 1
      cbox-tree.d/usr/share/cryptobox/defaults/language
  18. 0
      cbox-tree.d/usr/share/cryptobox/defaults/names.db
  19. 1
      cbox-tree.d/usr/share/cryptobox/defaults/timeout
  20. 1
      cbox-tree.d/usr/share/cryptobox/defaults/version
  21. 28
      cbox-tree.d/usr/share/cryptobox/lang/README
  22. 16
      cbox-tree.d/usr/share/cryptobox/lang/TODO
  23. 215
      cbox-tree.d/usr/share/cryptobox/lang/de.hdf
  24. 215
      cbox-tree.d/usr/share/cryptobox/lang/en.hdf
  25. 215
      cbox-tree.d/usr/share/cryptobox/lang/si.hdf
  26. 3
      cbox-tree.d/usr/share/cryptobox/templates/empty.cs
  27. 3
      cbox-tree.d/usr/share/cryptobox/templates/error.cs
  28. 35
      cbox-tree.d/usr/share/cryptobox/templates/footer.cs
  29. 31
      cbox-tree.d/usr/share/cryptobox/templates/form_config.cs
  30. 34
      cbox-tree.d/usr/share/cryptobox/templates/form_init.cs
  31. 15
      cbox-tree.d/usr/share/cryptobox/templates/form_mount.cs
  32. 19
      cbox-tree.d/usr/share/cryptobox/templates/form_shutdown.cs
  33. 12
      cbox-tree.d/usr/share/cryptobox/templates/form_umount.cs
  34. 47
      cbox-tree.d/usr/share/cryptobox/templates/header.cs
  35. 93
      cbox-tree.d/usr/share/cryptobox/templates/macros.cs
  36. 16
      cbox-tree.d/usr/share/cryptobox/templates/main.cs
  37. 22
      cbox-tree.d/usr/share/cryptobox/templates/nav.cs
  38. 7
      cbox-tree.d/usr/share/cryptobox/templates/show_doc.cs
  39. 13
      cbox-tree.d/usr/share/cryptobox/templates/show_log.cs
  40. 5
      cbox-tree.d/usr/share/cryptobox/templates/show_status.cs
  41. 24
      cbox-tree.d/usr/share/doc/cryptobox/README
  42. 18
      cbox-tree.d/usr/share/doc/cryptobox/README.Debian
  43. BIN
      cbox-tree.d/usr/share/doc/cryptobox/changelog.Debian.gz
  44. BIN
      cbox-tree.d/usr/share/doc/cryptobox/changelog.gz
  45. 18
      cbox-tree.d/usr/share/doc/cryptobox/copyright
  46. 93
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBox.html
  47. 107
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDev.html
  48. 61
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevBackground.html
  49. 85
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomBuild.html
  50. 60
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomConfigure.html
  51. 39
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevKnownProblems.html
  52. 77
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevPreparation.html
  53. 78
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevValidation.html
  54. 151
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevWorkFlow.html
  55. 59
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUser.html
  56. 109
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserConfiguration.html
  57. 124
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserDailyUse.html
  58. 57
      cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserGettingStarted.html
  59. 89
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBox.html
  60. 107
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDev.html
  61. 61
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevBackground.html
  62. 85
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomBuild.html
  63. 60
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomConfigure.html
  64. 39
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevKnownProblems.html
  65. 77
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevPreparation.html
  66. 78
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevValidation.html
  67. 151
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevWorkFlow.html
  68. 60
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUser.html
  69. 103
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserConfiguration.html
  70. 114
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserDailyUse.html
  71. 64
      cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserGettingStarted.html
  72. BIN
      cbox-tree.d/var/www/cryptobox-misc/antlogo100px.png
  73. BIN
      cbox-tree.d/var/www/cryptobox-misc/antlogo100px_green.png
  74. BIN
      cbox-tree.d/var/www/cryptobox-misc/antlogo100px_red.png
  75. BIN
      cbox-tree.d/var/www/cryptobox-misc/backg.gif
  76. 391
      cbox-tree.d/var/www/cryptobox-misc/cryptobox.css
  77. BIN
      cbox-tree.d/var/www/cryptobox-misc/list.gif
  78. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_config.png
  79. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_init.png
  80. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_mount.png
  81. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_login.png
  82. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_network_drive.png
  83. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_not_logged_in.png
  84. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/en_config.png
  85. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/en_mount.png
  86. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_login.png
  87. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_network_drive.png
  88. BIN
      cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_not_logged_in.png
  89. BIN
      cbox-tree.d/var/www/cryptobox-misc/smile.png
  90. BIN
      cbox-tree.d/var/www/cryptobox-misc/smile4.png
  91. BIN
      cbox-tree.d/var/www/cryptobox-misc/somerights20.gif

1
cbox-tree.d/etc/cron.d/cryptobox

@ -0,0 +1 @@
* * * * * root [ -e /usr/lib/cryptobox/cbox-manage.sh ] && /usr/lib/cryptobox/check_smb_idle.sh

56
cbox-tree.d/etc/cryptobox/cryptobox.conf

@ -0,0 +1,56 @@
# this file is directly sourced by some bash scripts
# so there should be no space around the "="
LANGUAGE=en
NET_IFACE=eth0
FILE_USER=cryptobox-data
WEB_USER=www-data
SCAN_DEVICES="sda"
#SCAN_DEVICES="hda hdb hdc hdd hde hdf hdg scd sg sda sdb sdc sdd"
# set this to "1" to create a dedicated configuration partition (very small)
# this should only be necessary, if your root filesystem is read-only (as for a live-cd)
USE_SEPERATE_CONFIG_PARTITION=0
# web interface
HTML_TEMPLATE_DIR=/usr/share/cryptobox/templates
STYLESHEET_URL=/cryptobox-misc/cryptobox.css
# directories
LANGUAGE_DIR=/usr/share/cryptobox/lang
DOC_DIR=/usr/share/doc/cryptobox/html
CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults
CONFIG_DIR=/var/lib/cryptobox/config
MNT_PARENT=/var/lib/cryptobox/mnt
# some files
CB_SCRIPT=/usr/lib/cryptobox/cbox-manage.sh
ROOT_PERM_SCRIPT=/usr/lib/cryptobox/cbox-root-actions.sh
DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh
FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh
MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh
LOG_FILE=/var/log/cryptobox.log
CERT_FILE=/var/lib/cryptobox/config/stunnel.pem
OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf
IDLE_COUNTER_FILE=/tmp/cbox-idle-counter
CONFIG_MARKER=cryptobox.marker
# crypto settings
# there is no default hash, as this is ignored by luks
DEFAULT_CIPHER=aes-cbc-essiv:sha256
DEV_MAPPER_DIR=/dev/mapper
# some programs
SFDISK=/sbin/sfdisk
MKFS_DATA=/sbin/mkfs.ext3
MKFS_CONFIG=/sbin/mkfs.ext2
CRYPTSETUP=/sbin/cryptsetup
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
# firewall setings
# do not use multiports (iptables) as the timeout-script depends on
# single port rules
# ssh is allowed too, but the server is not started automatically
ALLOW_TCP_PORTS="22 80 139 443 445"
ALLOW_UDP_PORTS="137 138"

1
cbox-tree.d/etc/cryptobox/revision

@ -0,0 +1 @@
$Revision$

65
cbox-tree.d/etc/cryptobox/ssl-cert.conf

@ -0,0 +1,65 @@
#
# OpenSSL configuration file.
#
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
default_days = 3650
default_md = md5
policy = policy_match
#serial = $dir/serial
#database = $dir/index.txt
#new_certs_dir = $dir/newcert
#certificate = $dir/cacert.pem
#private_key = $dir/private/cakey.pem
#preserve = no
#email_in_dn = no
#nameopt = default_ca
#certopt = default_ca
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = stunnel.pem # name of generated keys
default_md = md5 # message digest algorithm
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
#countryName = Country Name (2 letter code)
#countryName_min = 2
#countryName_max = 2
#commonName = Common Name (hostname, IP, or your name)
#commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = CryptoBox
organizationalUnitName_default = s.l.
localityName_default = Kugelmugel
stateOrProvinceName_default = Metropolis
emailAddress_default = info@systemausfall.org

26
cbox-tree.d/etc/default/cryptobox

@ -0,0 +1,26 @@
# boot configuration file for the CryptoBox
#
# $Id$
#
# the default setup of the cryptobox is complete inactivity
# set to "1" to turn off the cryptobox - otherwise "0"
NO_START=1
# change the default configuration file if necessary
#CONF_FILE=/etc/cryptobox/cryptobox.conf
# should the cryptobox skip the network interface configuration?
# "0" means skip (default) --- "1" causes the cryptobox to configure it
SKIP_NETWORK_CONFIG=1
# should the cryptobox set some firewall (iptables) rules?
# if this is turned off, then you have to add the appropriate
# rules manually (if you need the timeout feature of the cryptobox)
# default is 0
EXEC_FIREWALL_RULES=0
# use stunnel for https support?
# default is 0
USE_STUNNEL=0

89
cbox-tree.d/etc/init.d/cryptobox

@ -0,0 +1,89 @@
#!/bin/sh
set -eu
#
# we give some hints for users, sitting in front of the cryptobox waiting for a login prompt
#
# check if the cryptobox is installed
[ -e "/usr/lib/cryptobox/cbox-manage.sh" ] || exit 0
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# startup switch defaults to zero (enabled)
NO_START=${NO_START:-0}
# check startup switch
if [ "$NO_START" = "1" ]
then [ $# -eq 0 ] && exit 0
[ "$1" = "status" ] && exit 1
[ "$1" = "stop" ] && exit 0
echo "CryptoBox is disabled by default"
exit 0
fi
# stop-on-errors
set -eu
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
if [ -e "$CONF_FILE" ]
then . "$CONF_FILE"
else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2
exit 1
fi
case "$1" in
start )
# stop if already running
"$0" status && "$0" stop
# initialize
"$CB_SCRIPT" config-up
"$CB_SCRIPT" network-up
"$CB_SCRIPT" services-up
# check if we are on a developers CryptoBox
# if not give some usage hints
# otherwise give a warning and start the devel features
if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then
echo
echo "How to use the CryptoBox:"
echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)/cryptobox'"
echo " * configure your CryptoBox via a webbrowser"
echo
else
echo
echo "+---------------------------------------------------------------+"
echo "| WARNING: Some CryptoBox development features are enabled |"
echo "| This should definitely NOT happen for a production CD. |"
echo "| as it offers no security at all. |"
echo "| If you don't plan to refine this CD, don't use it! |"
echo "+---------------------------------------------------------------+"
echo
"$DEV_FEATURES_SCRIPT" "$@"
fi
true
;;
stop )
# exit if not running
"$0" status || exit 0
# shut down
"$CB_SCRIPT" services-down
"$CB_SCRIPT" network-down
"$CB_SCRIPT" config-down
;;
restart | reload | force-reload )
$0 stop
$0 start
;;
status )
if "$CB_SCRIPT" is_config_mounted
then exit 0
else exit 1
fi
;;
* )
echo "Syntax: $0 { start | stop | restart | reload | force-reload | status }"
;;
esac

704
cbox-tree.d/usr/lib/cgi-bin/cryptobox.pl

@ -0,0 +1,704 @@
#!/usr/bin/perl
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# the web interface of the CryptoBox
#
###############################################
use strict;
use CGI;
use ClearSilver;
use ConfigFile;
my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf';
my $pagedata;
my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR);
my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL);
&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE);
my $config = ConfigFile::read_config_file($CONFIG_FILE);
$CB_SCRIPT = $config->{CB_SCRIPT};
$LOG_FILE = $config->{LOG_FILE};
$LANGUAGE_DIR = $config->{LANGUAGE_DIR};
$DEFAULT_LANGUAGE = $config->{LANGUAGE};
$HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR};
$DOC_DIR = $config->{DOC_DIR};
$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT});
$STYLESHEET_URL = $config->{STYLESHEET_URL};
# TODO: just a quick-and-dirty hack during migration to multiple containers
my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`;
my $query = new CGI;
#################### subs ######################
# for fatal errors without the chance of clearsilver-rendering
sub fatal_error()
{
my $message = shift;
print "Content-Type: text/html\n\n";
print "<html><head><title>CryptoBox</title></head>\n";
print "<body>\n";
print '<h1 align="center">' . $message . "</h1>\n";
print "</body></html>\n";
die "[CryptoBox]: $message";
}
sub load_hdf
{
my $hdf = ClearSilver::HDF->new();
my $fname = "$HTML_TEMPLATE_DIR/main.cs";
&fatal_error ("Template directory is invalid ($fname not found)!") unless (-e "$fname");
$hdf->setValue("Settings.TemplateDir","$HTML_TEMPLATE_DIR");
&fatal_error ("Documentation directory ($DOC_DIR) not found!") unless (-d "$DOC_DIR");
$hdf->setValue("Settings.DocDir","$DOC_DIR");
# if it was requested as directory index (link from index.html), we should
# set a real script name - otherwise links with a query string will break
# ignore POST part of the SCRIPT_NAME (after "&")
(my $script_url = $ENV{'SCRIPT_NAME'}) =~ m/^[^&]*/;
$hdf->setValue("ScriptName", ($ENV{'SCRIPT_NAME'} eq '/')? '/cryptobox' : $script_url );
# set stylesheet url
$hdf->setValue("Settings.Stylesheet",$STYLESHEET_URL);
&load_selected_language($hdf);
&get_available_languages($hdf);
return $hdf;
}
sub load_selected_language
{
my $data = shift;
my $config_language;
# load $DEFAULT_LANGUAGE - this is necessary, if a translation is incomplete
$data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf");
# load configured language, if it is valid
$config_language = `$CB_SCRIPT get_config language`;
$config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language"));
# check for preferred browser language, if the box was not initialized yet
if ( ! &check_config())
{
my $prefLang = &get_browser_language();
# take it, if a supported browser language was found
$config_language = $prefLang unless ($prefLang eq '');
}
######### temporary language setting? ############
# the default language can be overriden by the language links in the
# upper right of the page
if ($query->param('weblang')) {
my $weblang = $query->param('weblang');
if (&validate_language($weblang)) {
# load the data
$config_language = "$weblang";
# add the setting to every link
$data->setValue('Data.PostData.weblang', "$weblang");
} else {
# no valid language was selected - so you may ignore it
$data->setValue('Data.Warning', 'InvalidLanguage');
}
}
# import the configured resp. the temporarily selected language
$data->readFile("$LANGUAGE_DIR/$config_language" . ".hdf");
########## select documentation language ##########
if (&validate_doc_language($config_language)) {
# selected web interface language
$data->setValue('Settings.DocLang', "$config_language");
} elsif (&validate_doc_language($DEFAULT_LANGUAGE)) {
# configured CryptoBox language
$data->setValue('Settings.DocLang', "$DEFAULT_LANGUAGE");
} else {
# default hardcoded language (english)
$data->setValue('Settings.DocLang', "en");
}
}
sub get_available_languages
# import the names of all available languages
{
my $data = shift;
my ($file, @files, $hdf, $lang_name);
opendir(DIR, $LANGUAGE_DIR) or &fatal_error ("Language directory ($LANGUAGE_DIR) not accessible!");
@files = sort grep { /.*\.hdf$/ } readdir(DIR);
close(DIR);
foreach $file (@files) {
$hdf = ClearSilver::HDF->new();
$hdf->readFile("$LANGUAGE_DIR/$file");
substr($file, -4) = "";
$lang_name = $hdf->getValue("Lang.Name", "$file");
$data->setValue("Data.Languages." . "$file", "$lang_name");
}
}
# look for preferred browser language setting
# this code was adapted from Per Cederberg - http://www.percederberg.net/home/perl/select.perl
# it returns an empty string, if no supported language was found
sub get_browser_language
{
my ($str, @langs, @res);
# Use language preference settings
if ($ENV{'HTTP_ACCEPT_LANGUAGE'} ne '')
{
@langs = split(/,/, $ENV{'HTTP_ACCEPT_LANGUAGE'});
foreach (@langs)
{
# get the first part of the language setting
($str) = ($_ =~ m/([a-z]+)/);
# check, if it supported by the cryptobox
$res[$#res+1] = $str if validate_language($str);
}
}
# if everything fails - return empty string
$res[0] = "" if ($#res lt 0);
return $res[0];
}
sub log_msg
{
my $text = shift;
open(LOGFILE,">> $LOG_FILE");
print LOGFILE "$text";
close(LOGFILE);
}
sub check_ssl
{
# BEWARE: dirty trick - is there a better way?
# stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with
# its own IP (localhost, of course)
return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1');
}
sub check_mounted
{
return (system("$CB_SCRIPT","is_crypto_mounted",$CRYPTO_DEV) == 0);
}
sub check_config
{
return (system("$CB_SCRIPT","is_config_mounted",$CRYPTO_DEV) == 0);
}
sub check_init_running
{
return (system("$CB_SCRIPT","is_init_running") == 0);
}
sub is_harddisk_available
{
return (system("$CB_SCRIPT","is_harddisk_available") == 0);
}
sub get_available_disks
# TODO: this is useful for diskselection buttons
{
return `$CB_SCRIPT get_available_disks`;
}
sub get_current_ip
# the IP of eth0 - not the configured value of the box (only for validation)
{
return `$CB_SCRIPT get_current_ip`;
}
sub get_admin_pw
# returns the current administration password - empty, if it is not used
{
return `$CB_SCRIPT get_config admin_pw`;
}
sub render
{
my $pagefile = "$HTML_TEMPLATE_DIR/main.cs";
print "Content-Type: text/html\n\n";
my $cs = ClearSilver::CS->new($pagedata);
$cs->parseFile($pagefile);
print $cs->render();
}
sub mount_vol
{
my $pw = shift;
if (&check_mounted) {
$pagedata->setValue('Data.Warning', 'IsMounted');
} else {
open(PW_INPUT, "| $CB_SCRIPT crypto-up $CRYPTO_DEV");
print PW_INPUT $pw;
close(PW_INPUT);
}
}
sub umount_vol
{
if (&check_mounted) {
system("$CB_SCRIPT", "crypto-down",$CRYPTO_DEV);
} else {
$pagedata->setValue('Data.Warning', 'NotMounted');
}
}
sub box_init
{
my ($crypto_pw, $admin_pw) = @_;
system("$CB_SCRIPT", "init") || return 1;
# partitioning, config and initial cryptsetup
# TODO: define the name of the crypto container
open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default");
print PW_INPUT $crypto_pw;
close(PW_INPUT);
# set administration password
system("$CB_SCRIPT", "set_config", "admin_pw", "$admin_pw");
}
sub box_purge
{
system("$CB_SCRIPT", "box-purge");
}
sub system_poweroff
{
&umount_vol() if (&check_mounted());
system("$CB_SCRIPT", "poweroff");
}
sub system_reboot
{
&umount_vol() if (&check_mounted());
system("$CB_SCRIPT", "reboot");
}
sub validate_ip
{
my $ip = shift;
my @octets = split /\./, $ip;
return 0 if ($#octets == 4);
# check for values and non-digits
return 0 if (($octets[0] <= 0) || ($octets[0] >= 255) || ($octets[0] =~ /\D/));
return 0 if (($octets[1] < 0) || ($octets[1] >= 255) || ($octets[1] =~ /\D/));
return 0 if (($octets[2] < 0) || ($octets[2] >= 255) || ($octets[2] =~ /\D/));
return 0 if (($octets[3] <= 0) || ($octets[3] >= 255) || ($octets[3] =~ /\D/));
return 1;
}
sub validate_timeout
{
my $timeout = shift;
return 0 if ($timeout =~ /\D/);
return 1;
}
# check for a valid interface language
sub validate_language
{
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
return 0 if ($language eq "");
return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf');
return 1;
}
# check for a valid documentation language
sub validate_doc_language
{
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language =~ /\W/);
return 0 if ($language eq "");
return 0 if ( ! -e "$DOC_DIR/$language");
return 1;
}
################### main #########################
$pagedata = load_hdf();
# BEWARE: there are two kinds of actions:
# * some require a harddisk
# * some do not require a harddisk
# take care, that you put a new action into the appropriate block below
# first: check for ssl!
if ( ! &check_ssl()) {
$pagedata->setValue('Data.Error', 'NoSSL');
$pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'});
$pagedata->setValue('Data.Redirect.Delay', "3");
} elsif ($query->param('action')) {
my $action = $query->param('action');
#--------------------------------------------------------------#
# here you may define all cases that do not require a harddisk #
# put all other cases below the harddisk check #
#--------------------------------------------------------------#
#################### show_log #######################
if ($action eq 'show_log') {
$pagedata->setValue('Data.Action', 'show_log');
##################### doc ############################
} elsif ($action eq 'doc') {
if ($query->param('page')) {
$pagedata->setValue('Data.Doc.Page', $query->param('page'));
$pagedata->setValue('Data.Action', 'show_doc');
} else {
$pagedata->setValue('Data.Doc.Page', 'CryptoBoxUser');
$pagedata->setValue('Data.Action', 'show_doc');
}
##################### poweroff ######################
} elsif ($action eq 'shutdown_ask') {
$pagedata->setValue('Data.Action', 'form_shutdown');
##################### reboot ########################
} elsif ($action eq 'shutdown_do') {
if ($query->param('type') eq 'reboot') {
&system_reboot();
$pagedata->setValue('Data.Success', 'ReBoot');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "180");
} else {
&system_poweroff();
$pagedata->setValue('Data.Success', 'PowerOff');
}
$pagedata->setValue('Data.Action', 'empty');
##################### check for a harddisk ##########################
# catch this error, to prevent all following actions from execution #
#####################################################################
} elsif ( ! &is_harddisk_available()) {
$pagedata->setValue('Data.Error', 'NoHardDisk');
#-------------------------------------------------------#
# here you may define all cases that require a harddisk #
#-------------------------------------------------------#
################ umount_do #######################
} elsif ($action eq 'umount_do') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif ( ! &check_mounted()) {
$pagedata->setValue('Data.Warning', 'NotMounted');
$pagedata->setValue('Data.Action', 'empty');
} else {
# unmounten
&umount_vol();
if (&check_mounted()) {
$pagedata->setValue('Data.Warning', 'UmountFailed');
$pagedata->setValue('Data.Action', 'form_umount');
} else {
$pagedata->setValue('Data.Success', 'UmountDone');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
################ mount_do ########################
} elsif ($action eq 'mount_do') {
# mount requested
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif (&check_mounted()) {
$pagedata->setValue('Data.Warning', 'IsMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif ($query->param('crypto_password') eq '') {
# leeres Passwort
$pagedata->setValue('Data.Warning', 'EmptyCryptoPassword');
$pagedata->setValue('Data.Action', 'form_mount');
} else {
# mounten
&mount_vol($query->param('crypto_password'));
if (!&check_mounted()) {
$pagedata->setValue('Data.Warning', 'MountFailed');
$pagedata->setValue('Data.Action', 'form_mount');
} else {
$pagedata->setValue('Data.Success', 'MountDone');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
################## mount_ask #######################
} elsif ($action eq 'mount_ask') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} elsif (&check_mounted()) {
$pagedata->setValue('Data.Warning', 'IsMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'form_mount');
}
################# umount_ask ########################
} elsif ($action eq 'umount_ask') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif ( ! &check_mounted()) {
$pagedata->setValue('Data.Warning', 'NotMounted');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'form_umount');
}
################## init_ask #########################
} elsif ($action eq 'init_ask') {
if (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'form_config');
} elsif (&check_config()) {
$pagedata->setValue('Data.Warning', 'AlreadyConfigured');
$pagedata->setValue('Data.Action', 'form_init');
} else {
$pagedata->setValue('Data.Action', 'form_init');
}
#################### init_do ########################
} elsif ($action eq 'init_do') {
my $current_admin_pw = &get_admin_pw;
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
$pagedata->setValue('Data.Action', 'form_init');
} elsif ($query->param('admin_password') ne $query->param('admin_password2')) {
# different admin-passwords
$pagedata->setValue('Data.Warning', 'DifferentAdminPasswords');
$pagedata->setValue('Data.Action', 'form_init');
} elsif ($query->param('crypto_password') ne $query->param('crypto_password2')) {
# different crypto-passwords
$pagedata->setValue('Data.Warning', 'DifferentCryptoPasswords');
$pagedata->setValue('Data.Action', 'form_init');
} elsif ($query->param('crypto_password') eq '') {
# empty password
$pagedata->setValue('Data.Warning', 'EmptyCryptoPassword');
$pagedata->setValue('Data.Action', 'form_init');
} elsif ($query->param('confirm') ne $pagedata->getValue('Lang.Text.ConfirmInit','')) {
# wrong confirm string
$pagedata->setValue('Data.Warning', 'InitNotConfirmed');
$pagedata->setValue('Data.Action', 'form_init');
} else {
# do init
&box_init($query->param('crypto_password'),$query->param('admin_password'));
if (!&check_init_running()) {
$pagedata->setValue('Data.Error', 'InitFailed');
} else {
$pagedata->setValue('Data.Success', 'InitRunning');
$pagedata->setValue('Data.Action', 'form_config');
}
}
#################### config_ask ######################
} elsif ($action eq 'config_ask') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} else {
$pagedata->setValue('Data.Action', 'form_config');
}
#################### config_do #######################
} elsif ($action eq 'config_do') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} else {
my $current_admin_pw = &get_admin_pw;
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
$pagedata->setValue('Data.Action', 'form_config');
} elsif ( ! &validate_language($query->param('language'))) {
$pagedata->setValue('Data.Warning', 'InvalidLanguage');
$pagedata->setValue('Data.Action', 'form_config');
} elsif ( ! &validate_ip($query->param('ip'))) {
$pagedata->setValue('Data.Warning', 'InvalidIP');
$pagedata->setValue('Data.Action', 'form_config');
} elsif ( ! &validate_timeout($query->param('timeout'))) {
$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
$pagedata->setValue('Data.Action', 'form_config');
} else {
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
&load_selected_language($pagedata);
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
# check, if the ip was reconfigured
if ($query->param('ip') ne `$CB_SCRIPT get_config ip`)
{
# set the new value
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
# reconfigure the network interface
system("$CB_SCRIPT", "update_ip_address");
# redirect to the new address
$pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'});
$pagedata->setValue('Data.Redirect.Delay', "5");
# display a warning for the redirection
$pagedata->setValue('Data.Warning', 'IPAddressChanged');
}
# check for success
if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) {
$pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed');
} elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) {
$pagedata->setValue('Data.Warning', 'ConfigIPFailed');
} elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) {
$pagedata->setValue('Data.Warning', 'ConfigLanguageFailed');
} else {
$pagedata->setValue('Data.Success', 'ConfigSaved');
}
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "30");
}
}
#################### status #########################
} elsif ($action eq 'show_status') {
if ( ! &check_config()) {
$pagedata->setValue('Data.Warning', 'NotInitialized');
$pagedata->setValue('Data.Action', 'form_init');
} elsif (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "30");
} else {
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "60");
}
################### box_purge #######################
# if we find an existing config partition, then check the adminpw
} elsif ($action eq 'do_purge') {
if ( &check_config()) {
my $current_admin_pw = &get_admin_pw;
if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) {
$pagedata->setValue('Data.Warning', 'WrongAdminPassword');
$pagedata->setValue('Data.Action', 'form_config');
} else {
&box_purge;
$pagedata->setValue('Data.Action', 'form_init');
}
}
################### unknown #########################
} else {
$pagedata->setValue('Data.Error', 'UnknownAction');
}
#################### default action ##########################
# check for a harddisk again, as this check was skipped
# because there was no action defined
} elsif ( ! &is_harddisk_available()) {
$pagedata->setValue('Data.Error', 'NoHardDisk');
} else {
if (&check_init_running()) {
$pagedata->setValue('Data.Warning', 'InitNotFinished');
$pagedata->setValue('Data.Action', 'empty');
$pagedata->setValue('Data.Redirect.Action', 'form_config');
$pagedata->setValue('Data.Redirect.Delay', "60");
} elsif (&check_config()) {
$pagedata->setValue('Data.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Action', 'show_status');
$pagedata->setValue('Data.Redirect.Delay', "60");
} else {
$pagedata->setValue('Data.Action', 'form_init');
}
}
# check state of the cryptobox
$pagedata->setValue('Data.Status.Config', &check_config() ? 1 : 0);
$pagedata->setValue('Data.Status.InitRunning', &check_init_running() ? 1 : 0);
$pagedata->setValue('Data.Status.Mounted', &check_mounted() ? 1 : 0) if (&check_config());
my $output = &get_current_ip();
$pagedata->setValue('Data.Status.IP', "$output");
$output = &get_admin_pw();
$pagedata->setValue('Data.Config.AdminPasswordIsSet', 1) if ($output ne '');
$output = `$CB_SCRIPT diskinfo 2>&1 | sed 's#\$#<br/>#'`;
$pagedata->setValue('Data.PartitionInfo',"$output");
# preset config settings for clearsilver
$pagedata->setValue('Data.Config.IP', `$CB_SCRIPT get_config ip`);
$pagedata->setValue('Data.Config.TimeOut', `$CB_SCRIPT get_config timeout`);
$pagedata->setValue('Data.Config.Language', `$CB_SCRIPT get_config language`);
# read log and add html linebreaks
$output = '';
if (-e "$LOG_FILE") {
open(LOGFILE, "< $LOG_FILE");
while (<LOGFILE>) { $output .= "$_<br/>" }
close(LOGFILE);
}
$pagedata->setValue('Data.Log',"$output");
$pagedata->setValue('Data.Status.DevelopmentMode', 1) if ($IS_DEVEL);
# save QUERY_STRING (e.g. for weblang-links)
my $querystring = $ENV{'QUERY_STRING'};
# remove weblang setting
$querystring =~ s/weblang=\w\w&?//;
$pagedata->setValue('Data.QueryString', "$querystring") if ($querystring ne '');
&render();
exit 0;

590
cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh

@ -0,0 +1,590 @@
#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# this script does EVERYTHING
# all other scripts are only frontends :)
#
# called by:
# - some rc-scripts
# - the web frontend cgi
#
# TODO: check permissions and owners of config files, directories and scripts before
# running cbox-root-actions.sh
set -eu
# define reasonable defaults
USE_STUNNEL=0
EXEC_FIREWALL_RULES=0
SKIP_NETWORK_CONFIG=1
CONF_FILE=/etc/cryptobox/cryptobox.conf
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# parse config file
. "$CONF_FILE"
# check for writable log file
[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE")
## configuration
CERT_TEMP=/tmp/stunnel.pem
######## stuff ##########
ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4)
#########################
function log_msg()
{
# the log file is not writable during boot - try before writing ...
[ -w "$LOG_FILE" ] || return 0
echo >>"$LOG_FILE"
echo "##### `date` #####" >>"$LOG_FILE"
echo "$1" >>"$LOG_FILE"
}
function error_msg()
# parameters: ExitCode ErrorMessage
{
echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
# print the execution stack - not usable with busybox
# caller | sed 's/^/\t/' >&2
exit "$1"
}
function config_set_value()
# parameters: SettingName [SettingValue]
# read from stdin if SettingValue is not defined
{
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw
if [ $# -gt 1 ]
then echo -n "$2" > "$CONFIG_DIR/$1"
else cat - >"$CONFIG_DIR/$1"
fi
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro
}
function config_get_value()
# parameters: SettingName
{
# use mounted config, if it exists - otherwise use defaults
local conf_dir
if is_config_active
then conf_dir=$CONFIG_DIR
else conf_dir=$CONFIG_DEFAULTS_DIR
fi
[ -z "$1" ] && error_msg 1 "empty setting name"
# check for existence - maybe use default values (for old releases without this setting)
if [ ! -e "$conf_dir/$1" ]
then case "$1" in
# you may place default values for older versions here
# for compatibility
* )
error_msg 2 "unknown configuration value ($1)"
# empty output
;;
esac
else echo -n $(cat "$conf_dir/$1")
# this removes the trailing line break
fi
# always return without error
true
}
function create_config()
# Parameter: device
{
local device=$1
unload_config
# create the new configuration filesystem if it is not static
if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ]
then log_msg "Using static configuration ..."
else log_msg "Creating config filesystem ..."
sudo "$ROOT_PERM_SCRIPT" create_config "$device"
log_msg "Mounting config partition ..."
sudo "$ROOT_PERM_SCRIPT" mount_config "$device"
sudo "$ROOT_PERM_SCRIPT" remount_config rw
fi
log_msg "Copying configuration defaults ..."
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
log_msg "Copying temporary certificate file to config filesystem ..."
# beware: the temp file should always be there - even after reboot - see "load_config"
[ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE"
log_msg "Setting inital values ..."
# beware: config_set_value remounts the config partition read-only
config_set_value "ip" "$(get_current_ip)"
# create database of readable names
config_set_value "names.db" ""
# create a marker to recognize a cryptobox partition
# this should be the last step, to prevent a half-initialized state
config_set_value "$CONFIG_MARKER" "$(date -I)"
}
function get_current_ip()
# not necessarily the same as configured (necessary for validation)
{
# filter the output of ifconfig and remove trailing line break
echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1)
}
function list_partitions_of_type()
# parameter: { config | crypto | plaindata | unused }
{
local config=
local crypto=
local plaindata=
local unused=
for a in $ALL_PARTITIONS
do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a"
then crypto="$crypto /dev/$a"
elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a"
then config="$config /dev/$a"
elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a"
then plaindata="$plaindata /dev/$a"
else unused="$unused /dev/$a"
fi
done
case "$1" in
config | crypto | plaindata | unused )
# dirty hack, but it works
eval "echo \$$1"
;;
* )
errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)"
;;
esac | tr " " "\n" | grep -v '^$'
}
function get_crypto_uuid()
# Parameter: DEVICE
{
sudo "$ROOT_PERM_SCRIPT" get_device_name "$1"
}
function get_crypto_name()
# Parameter: DEVICE
# return the readable name of the crypto container, it it is already defined
# if undefined - return the uuid
{
local uuid=$(get_crypto_uuid "$1")
local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-)
if [ -z "$dbname" ]
then echo -n "$uuid"
else echo -n "$dbname"
fi
}
function set_crypto_name()
# TODO: the implementation is quite ugly, but it works (tm)
# Parameter: DEVICE NAME
{
local uuid=$(get_crypto_uuid "$1")
# remove the old setting for this device and every possible entry with the same name
(config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db'
}
function does_crypto_name_exist()
# Parameter: NAME
{
config_get_value 'names.db' | grep -q "^[^:]*:$1$"
}
function create_crypto()
# Parameter: DEVICE NAME KEYFILE
# keyfile is necessary, to allow background execution via 'at'
# TODO: check if the keyfile is still necessary for sudo -b
{
local device=$1
local name=$2
local keyfile=$3
# otherwise the web interface will hang
# passphrase may be passed via command line
local key=$(<"$keyfile")
# remove the passphrase-file as soon as possible
dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null
rm "$keyfile"
log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device"
echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device"
set_crypto_name "$device" "$name"
}
function is_config_active()
{
test -f "$CONFIG_DIR/$CONFIG_MARKER"
}
function is_crypto_mounted()
# Parameter: DEVICE
{
local name=$(get_crypto_uuid "$1")
[ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name"
}
function is_init_running()
{
check_at_command_queue " init"
}
# check if a specified command is in an at-queue
# Parameter: a regular expression of the commandline
# Return: the command is part of an at-queue (0) or not (1)
function check_at_command_queue()
{
# 1) get the available job numbers
# 2) remove empty lines (especially the last one)
# 3) check every associated command for the regexp
at -l | cut -f 1 | while read jobnum
do at -c $jobnum | sed '/^$/d' | tail -1
done | grep -q "$1"
}
function find_harddisk()
# look for the harddisk to be partitioned
{
local device=$(get_available_disks | head -1)
if [ -z "$device" ] ; then
log_msg "no valid harddisk for initialisation found!"
cat /proc/partitions >>"$LOG_FILE"
# do not return with an error, to avoid a failing of the script ('break on error')
# the caller of this function should handle an empty return string
fi
echo -n "$device"
}
function get_available_disks()
# looks which allowed disks are at the moment connected with the cbox
{
for scan in $SCAN_DEVICES
do for avail in $ALL_PARTITIONS
do [ "$scan" = "$avail" ] && echo "/dev/$avail"
done
done
}
function load_config()
{
unload_config
local status=0
# look for a configuration partition
[ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \
list_partitions_of_type config | while read part && [ "$status" = 0 ]
do log_msg "Trying to load configuration from /dev/$part ..."
if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part"
then log_msg "configuraton found on $part"
sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part"
status=1
fi
done
if is_config_active
then # copy certificate to /tmp in case of re-initialization
# /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d)
[ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP"
else log_msg "failed to locate config partition"
return 1
fi
true
}
function unload_config()
{
is_config_active || return
# only try to unmount, if it is not static (the config of a live-cd is always dynamic)
if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ]
then sudo "$ROOT_PERM_SCRIPT" umount_config
else true
fi
}
function mount_crypto()
# Parameter: DEVICE
{
local device=$1
[ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1
is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return
# passphrase is read from stdin
log_msg "Mounting a crypto partition from $device"
sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1
}
function umount_crypto()
# Parameter: DEVICE
{
local device=$1
local uuid=$(get_crypto_uuid $device)
sudo "$ROOT_PERM_SCRIPT" umount "$uuid"
}
function box_purge()
# removing just the first bytes from the harddisk should be enough
# every harddisk will be overriden!
{
# TODO: not ALL harddisks, please!
get_available_disks | while read a
do log_msg "Purging $a ..."
sudo "$ROOT_PERM_SCRIPT" trash_device "$a"
done
}
function init_cryptobox()
# this is only the first part of initialisation that takes no time - good for a smooth web interface
{
local device=$(find_harddisk)
[ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1
turn_off_all_crypto
unload_config || true
log_msg "Partitioning the device ($device) ..."
sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n"
log_msg "Initializing config partition on ${device}1 ..."
# TODO: this should not be hard-coded
create_config "${device}1"
}
function turn_off_all_crypto()
{
list_crypto_containers | while read a
do is_crypto_mounted "$a" && umount_crypto "$a"
done
}
### main ###
# set PATH because thttpd removes /sbin and /usr/sbin for cgis
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
ACTION=help
[ $# -gt 0 ] && ACTION=$1 && shift
case "$ACTION" in
config-up )
if load_config
then echo "Cryptobox configuration successfully loaded"
else error_msg 0 "Could not find a configuration partition!"
fi
;;
config-down )
unload_config || error_msg 4 "Could not unmount configuration partition"
;;
network-up )
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then conf_ip=$(config_get_value "ip")
log_msg "Configuring $NET_IFACE for $conf_ip ..."
echo "Configuring network interface for $NET_IFACE: $conf_ip"
"$IFCONFIG" "$NET_IFACE" "$conf_ip"
fi
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Starting the firewall ..."
"$FIREWALL_SCRIPT" start
fi
if [ "$USE_STUNNEL" = 1 ]
then # start stunnel
if [ -f "$CERT_FILE" ]
then USE_CERT=$CERT_FILE
else USE_CERT=$CERT_TEMP
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
# TODO: this could be dangerous - right?
# this is necessary, to allow www-data to copy the certificate
chown "$WEB_USER" "$CERT_TEMP"
fi
log_msg "Starting stunnel ..."
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|| echo "$USE_CERT not found - not starting stunnel"
fi
;;
network-down )
if [ "$EXEC_FIREWALL_RULES" = 1 ]
then log_msg "Stopping the firewall ..."
"$FIREWALL_SCRIPT" stop
fi
if [ "$USE_STUNNEL" = 1 ]
then log_msg "Stopping stunnel ..."
# TODO: what about a pid?
killall stunnel 2>/dev/null || true
fi
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then log_msg "Shutting the network interface down ..."
"$IFCONFIG" "$NET_IFACE" down
fi
;;
services-up )
# the mount point has to be writeable
# this action is called as root - so we are allowed to umount
# TODO: do this only for ro-filesystem
# TODO: this way of mounting is evil
if mountpoint -q "$MNT_PARENT"
then true
else mount -t tmpfs tmpfs "$MNT_PARENT"
fi
true
;;
services-down )
# this action is called as root - so we are allowed to umount
mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT"
# TODO: we should not depend on samba and thttpd
# /etc/init.d/samba stop || true
# /etc/init.d/thttpd stop || true
true
;;
crypto-up )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'"
mount_crypto "$1"
;;
crypto-down )
[ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'"
umount_crypto "$1"
;;
init )
init_cryptobox </dev/null >>"$LOG_FILE" 2>&1
;;
crypto-create )
# Parameter: DEVICE NAME
[ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'"
# do it in the background to provide a smoother web interface
# messages and errors get written to $LOG_FILE
keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1")
# read the password
cat - >"$keyfile"
# execute it in the background
echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' </dev/null >>'$LOG_FILE' 2>&1" | at now
;;
crypto-create-bg )
create_crypto "$@"
;;
crypto-list )
list_partitions_of_type crypto
;;
crypto-list-unused )
list_partitions_of_type unused
;;
crypto-name )
# Parameter: DEVICE
get_crypto_name "$1"
;;
is_crypto_mounted )
[ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'"
is_crypto_mounted "$1"
;;
is_config_mounted )
is_config_active
;;
is_init_running )
is_init_running
;;
is_harddisk_available )
[ -z "$(find_harddisk)" ] && exit 1
exit 0
;;
update_ip_address )
# reconfigure the network interface to a new IP address
# wait for 5 seconds to finish present http requests
if [ "$SKIP_NETWORK_CONFIG" != 1 ]
then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now
fi
;;
get_available_disks )
get_available_disks
;;
get_current_ip )
get_current_ip
;;
set_config )
[ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters"
config_set_value "$1" "$2"
;;
get_config )
[ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter"
config_get_value "$1"
;;
diskinfo )
get_available_disks | while read a
do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a"
done
;;
box-purge )
log_msg "Cleaning the CryptoBox ..."
turn_off_all_crypto
"$0" config-down
box_purge >>"$LOG_FILE" 2>&1
;;
poweroff )
log_msg "Turning off the CryptoBox ..."
turn_off_all_crypto
echo "poweroff" | at now
;;
reboot )
log_msg "Rebooting the CryptoBox ..."
turn_off_all_crypto
echo "reboot" | at now
;;
* )
echo "Syntax: `basename $0` ACTION [PARAMS]"
echo " config-up - scan for configuration partition and mount it"
echo " config-down - unmount configuration partition"
echo " network-up - enable network interface"
echo " network-down - disable network interface"
echo " services-up - run some cryptobox specific daemons"
echo " services-down - stop some cryptobox specific daemons"
echo " crypto-up - mount crypto partition"
echo " crypto-down - unmount crypto partition"
echo " box-init - initialize cryptobox (ALL data is LOST)"
echo " box-init-fg - the first part of initialization"
echo " box-init-bg - the last part of initialization (background)"
echo " is_crypto_mounted - check, if crypto partition is mounted"
echo " is_config_mounted - check, if configuration partition is mounted"
echo " is_init_running - check, if initialization is ongoing"
echo " is_harddisk_available - check, if there is a usable harddisk"
echo " get_available_disks - shows all connected and allowed disks"
echo " get_current_ip - get the current IP of the network interface"
echo " update_ip_address - update the network interface after reconfiguration"
echo " set_config NAME VALUE - change a configuration setting"
echo " get_config NAME - retrieve a configuration setting"
echo " diskinfo - show the partition table of the harddisk"
echo " box-purge - destroy partitiontable of all harddisks (delete everything)"
echo " poweroff - shutdown the cryptobox"
echo " reboot - reboot the cryptobox"
echo
;;
esac
exit 0

330
cbox-tree.d/usr/lib/cryptobox/cbox-root-actions.sh

@ -0,0 +1,330 @@
#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# this script is responsible for all dangerous actions, that require root privileges
# every action should be checked at least TWICE a day for open holes :)
# usually will get call via sudo
#
# called by:
# - cbox-manage.sh
#
set -eu
[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100
# read the default setting file, if it exists
[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox
# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}
# parse config file
. "$CONF_FILE"
############ some useful functions ###############
# check if the given device is part of the SCAN_DEVICE list
# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[0-9]*$" against
# the given device
# other devices may not be touched
function is_device_allowed()
# parameter: device
{
for a in $SCAN_DEVICES
do [[ "$1" =~ "^/dev/${a}[0-9]*$" ]] && return 0
done
return 1
}
function get_device_name()
# return the uuid of the device
# if there is no uuid, then the device name is "flattened" and returned
# ignore volume-id as it may be non-unique
{
local UUID=
# check for luksUUID or ext2/3-uuid
if is_luks_device "$1"
then UUID=$("$CRYPTSETUP" luksUUID "$1")
else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g")
fi
# if there is no valid UUUD, then take the flattened device name
is_uuid_valid "$UUID" || UUID=${1//\//_}
echo "$UUID"