diff --git a/cbox-tree.d/etc/cron.d/cryptobox b/cbox-tree.d/etc/cron.d/cryptobox new file mode 100644 index 0000000..67d9661 --- /dev/null +++ b/cbox-tree.d/etc/cron.d/cryptobox @@ -0,0 +1 @@ +* * * * * root [ -e /usr/lib/cryptobox/cbox-manage.sh ] && /usr/lib/cryptobox/check_smb_idle.sh diff --git a/cbox-tree.d/etc/cryptobox/cryptobox.conf b/cbox-tree.d/etc/cryptobox/cryptobox.conf new file mode 100644 index 0000000..342f46f --- /dev/null +++ b/cbox-tree.d/etc/cryptobox/cryptobox.conf @@ -0,0 +1,56 @@ +# this file is directly sourced by some bash scripts +# so there should be no space around the "=" + +LANGUAGE=en +NET_IFACE=eth0 +FILE_USER=cryptobox-data +WEB_USER=www-data +SCAN_DEVICES="sda" +#SCAN_DEVICES="hda hdb hdc hdd hde hdf hdg scd sg sda sdb sdc sdd" + +# set this to "1" to create a dedicated configuration partition (very small) +# this should only be necessary, if your root filesystem is read-only (as for a live-cd) +USE_SEPERATE_CONFIG_PARTITION=0 + +# web interface +HTML_TEMPLATE_DIR=/usr/share/cryptobox/templates +STYLESHEET_URL=/cryptobox-misc/cryptobox.css + +# directories +LANGUAGE_DIR=/usr/share/cryptobox/lang +DOC_DIR=/usr/share/doc/cryptobox/html +CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults +CONFIG_DIR=/var/lib/cryptobox/config +MNT_PARENT=/var/lib/cryptobox/mnt + +# some files +CB_SCRIPT=/usr/lib/cryptobox/cbox-manage.sh +ROOT_PERM_SCRIPT=/usr/lib/cryptobox/cbox-root-actions.sh +DEV_FEATURES_SCRIPT=/usr/lib/cryptobox/devel-features.sh +FIREWALL_SCRIPT=/usr/lib/cryptobox/firewall.sh +MAKE_CERT_SCRIPT=/usr/lib/cryptobox/make_stunnel_cert.sh +LOG_FILE=/var/log/cryptobox.log +CERT_FILE=/var/lib/cryptobox/config/stunnel.pem +OPENSSL_CONF_FILE=/etc/cryptobox/ssl-cert.conf +IDLE_COUNTER_FILE=/tmp/cbox-idle-counter +CONFIG_MARKER=cryptobox.marker + +# crypto settings +# there is no default hash, as this is ignored by luks +DEFAULT_CIPHER=aes-cbc-essiv:sha256 +DEV_MAPPER_DIR=/dev/mapper + +# some programs +SFDISK=/sbin/sfdisk +MKFS_DATA=/sbin/mkfs.ext3 +MKFS_CONFIG=/sbin/mkfs.ext2 +CRYPTSETUP=/sbin/cryptsetup +IPTABLES=/sbin/iptables +IFCONFIG=/sbin/ifconfig + +# firewall setings +# do not use multiports (iptables) as the timeout-script depends on +# single port rules +# ssh is allowed too, but the server is not started automatically +ALLOW_TCP_PORTS="22 80 139 443 445" +ALLOW_UDP_PORTS="137 138" diff --git a/cbox-tree.d/etc/cryptobox/revision b/cbox-tree.d/etc/cryptobox/revision new file mode 100644 index 0000000..31cc7b9 --- /dev/null +++ b/cbox-tree.d/etc/cryptobox/revision @@ -0,0 +1 @@ +$Revision$ diff --git a/cbox-tree.d/etc/cryptobox/ssl-cert.conf b/cbox-tree.d/etc/cryptobox/ssl-cert.conf new file mode 100644 index 0000000..a1a1a63 --- /dev/null +++ b/cbox-tree.d/etc/cryptobox/ssl-cert.conf @@ -0,0 +1,65 @@ +# +# OpenSSL configuration file. +# + +# Establish working directory. + +dir = . + +[ ca ] +default_ca = CA_default + +[ CA_default ] +default_days = 3650 +default_md = md5 +policy = policy_match +#serial = $dir/serial +#database = $dir/index.txt +#new_certs_dir = $dir/newcert +#certificate = $dir/cacert.pem +#private_key = $dir/private/cakey.pem +#preserve = no +#email_in_dn = no +#nameopt = default_ca +#certopt = default_ca + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = match +commonName = supplied +emailAddress = optional + +[ req ] +default_bits = 1024 # Size of keys +default_keyfile = stunnel.pem # name of generated keys +default_md = md5 # message digest algorithm +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +# Variable name Prompt string +#---------------------- ---------------------------------- +0.organizationName = Organization Name (company) +organizationalUnitName = Organizational Unit Name (department, division) +emailAddress = Email Address +emailAddress_max = 40 +localityName = Locality Name (city, district) +stateOrProvinceName = State or Province Name (full name) +#countryName = Country Name (2 letter code) +#countryName_min = 2 +#countryName_max = 2 +#commonName = Common Name (hostname, IP, or your name) +#commonName_max = 64 + +# Default values for the above, for consistency and less typing. +# Variable name Value +#------------------------------ ------------------------------ +0.organizationName_default = CryptoBox +organizationalUnitName_default = s.l. +localityName_default = Kugelmugel +stateOrProvinceName_default = Metropolis +emailAddress_default = info@systemausfall.org + + + diff --git a/cbox-tree.d/etc/default/cryptobox b/cbox-tree.d/etc/default/cryptobox new file mode 100644 index 0000000..49dc265 --- /dev/null +++ b/cbox-tree.d/etc/default/cryptobox @@ -0,0 +1,26 @@ +# boot configuration file for the CryptoBox +# +# $Id$ +# +# the default setup of the cryptobox is complete inactivity + +# set to "1" to turn off the cryptobox - otherwise "0" +NO_START=1 + +# change the default configuration file if necessary +#CONF_FILE=/etc/cryptobox/cryptobox.conf + +# should the cryptobox skip the network interface configuration? +# "0" means skip (default) --- "1" causes the cryptobox to configure it +SKIP_NETWORK_CONFIG=1 + +# should the cryptobox set some firewall (iptables) rules? +# if this is turned off, then you have to add the appropriate +# rules manually (if you need the timeout feature of the cryptobox) +# default is 0 +EXEC_FIREWALL_RULES=0 + +# use stunnel for https support? +# default is 0 +USE_STUNNEL=0 + diff --git a/cbox-tree.d/etc/init.d/cryptobox b/cbox-tree.d/etc/init.d/cryptobox new file mode 100755 index 0000000..9e6c35c --- /dev/null +++ b/cbox-tree.d/etc/init.d/cryptobox @@ -0,0 +1,89 @@ +#!/bin/sh +set -eu +# +# we give some hints for users, sitting in front of the cryptobox waiting for a login prompt +# + +# check if the cryptobox is installed +[ -e "/usr/lib/cryptobox/cbox-manage.sh" ] || exit 0 + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# startup switch defaults to zero (enabled) +NO_START=${NO_START:-0} +# check startup switch +if [ "$NO_START" = "1" ] + then [ $# -eq 0 ] && exit 0 + [ "$1" = "status" ] && exit 1 + [ "$1" = "stop" ] && exit 0 + echo "CryptoBox is disabled by default" + exit 0 + fi + +# stop-on-errors +set -eu + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} + +# parse config file +if [ -e "$CONF_FILE" ] + then . "$CONF_FILE" + else echo "[$(basename $0)] - configuration file ($CONF_FILE) not found!" >&2 + exit 1 + fi + +case "$1" in + start ) + # stop if already running + "$0" status && "$0" stop + # initialize + "$CB_SCRIPT" config-up + "$CB_SCRIPT" network-up + "$CB_SCRIPT" services-up + # check if we are on a developers CryptoBox + # if not give some usage hints + # otherwise give a warning and start the devel features + if [ ! -e "$DEV_FEATURES_SCRIPT" ]; then + echo + echo "How to use the CryptoBox:" + echo " * point a webbrowser from another computer to 'http://$(/usr/lib/cryptobox/cbox-manage.sh get_current_ip)/cryptobox'" + echo " * configure your CryptoBox via a webbrowser" + echo + else + echo + echo "+---------------------------------------------------------------+" + echo "| WARNING: Some CryptoBox development features are enabled |" + echo "| This should definitely NOT happen for a production CD. |" + echo "| as it offers no security at all. |" + echo "| If you don't plan to refine this CD, don't use it! |" + echo "+---------------------------------------------------------------+" + echo + "$DEV_FEATURES_SCRIPT" "$@" + fi + true + ;; + stop ) + # exit if not running + "$0" status || exit 0 + # shut down + "$CB_SCRIPT" services-down + "$CB_SCRIPT" network-down + "$CB_SCRIPT" config-down + ;; + restart | reload | force-reload ) + $0 stop + $0 start + ;; + status ) + if "$CB_SCRIPT" is_config_mounted + then exit 0 + else exit 1 + fi + ;; + * ) + echo "Syntax: $0 { start | stop | restart | reload | force-reload | status }" + ;; + esac + diff --git a/cbox-tree.d/usr/lib/cgi-bin/cryptobox.pl b/cbox-tree.d/usr/lib/cgi-bin/cryptobox.pl new file mode 100755 index 0000000..dd6c545 --- /dev/null +++ b/cbox-tree.d/usr/lib/cgi-bin/cryptobox.pl @@ -0,0 +1,704 @@ +#!/usr/bin/perl +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# the web interface of the CryptoBox +# + + +############################################### + +use strict; +use CGI; +use ClearSilver; +use ConfigFile; + +my $CONFIG_FILE = '/etc/cryptobox/cryptobox.conf'; + +my $pagedata; + +my ($LANGUAGE_DIR, $DEFAULT_LANGUAGE, $HTML_TEMPLATE_DIR, $DOC_DIR); +my ($CB_SCRIPT, $LOG_FILE, $IS_DEVEL, $STYLESHEET_URL); + +&fatal_error ("could not find configuration file ($CONFIG_FILE)") unless (-e $CONFIG_FILE); +my $config = ConfigFile::read_config_file($CONFIG_FILE); + +$CB_SCRIPT = $config->{CB_SCRIPT}; +$LOG_FILE = $config->{LOG_FILE}; +$LANGUAGE_DIR = $config->{LANGUAGE_DIR}; +$DEFAULT_LANGUAGE = $config->{LANGUAGE}; +$HTML_TEMPLATE_DIR = $config->{HTML_TEMPLATE_DIR}; +$DOC_DIR = $config->{DOC_DIR}; +$IS_DEVEL = ( -e $config->{DEV_FEATURES_SCRIPT}); +$STYLESHEET_URL = $config->{STYLESHEET_URL}; + +# TODO: just a quick-and-dirty hack during migration to multiple containers +my $CRYPTO_DEV = `$CB_SCRIPT get_available_disks | cut -f 1 -d " " | tr "\n" "2"`; + +my $query = new CGI; + + +#################### subs ###################### + +# for fatal errors without the chance of clearsilver-rendering +sub fatal_error() +{ + my $message = shift; + + print "Content-Type: text/html\n\n"; + print "CryptoBox\n"; + print "\n"; + print '

' . $message . "

\n"; + print "\n"; + die "[CryptoBox]: $message"; +} + + +sub load_hdf +{ + my $hdf = ClearSilver::HDF->new(); + + my $fname = "$HTML_TEMPLATE_DIR/main.cs"; + &fatal_error ("Template directory is invalid ($fname not found)!") unless (-e "$fname"); + $hdf->setValue("Settings.TemplateDir","$HTML_TEMPLATE_DIR"); + + &fatal_error ("Documentation directory ($DOC_DIR) not found!") unless (-d "$DOC_DIR"); + $hdf->setValue("Settings.DocDir","$DOC_DIR"); + + # if it was requested as directory index (link from index.html), we should + # set a real script name - otherwise links with a query string will break + # ignore POST part of the SCRIPT_NAME (after "&") + (my $script_url = $ENV{'SCRIPT_NAME'}) =~ m/^[^&]*/; + $hdf->setValue("ScriptName", ($ENV{'SCRIPT_NAME'} eq '/')? '/cryptobox' : $script_url ); + + # set stylesheet url + $hdf->setValue("Settings.Stylesheet",$STYLESHEET_URL); + + &load_selected_language($hdf); + + &get_available_languages($hdf); + + return $hdf; +} + + +sub load_selected_language +{ + my $data = shift; + my $config_language; + + # load $DEFAULT_LANGUAGE - this is necessary, if a translation is incomplete + $data->readFile("$LANGUAGE_DIR/$DEFAULT_LANGUAGE" . ".hdf"); + + # load configured language, if it is valid + $config_language = `$CB_SCRIPT get_config language`; + $config_language = $DEFAULT_LANGUAGE unless (&validate_language("$config_language")); + + # check for preferred browser language, if the box was not initialized yet + if ( ! &check_config()) + { + my $prefLang = &get_browser_language(); + # take it, if a supported browser language was found + $config_language = $prefLang unless ($prefLang eq ''); + } + + ######### temporary language setting? ############ + # the default language can be overriden by the language links in the + # upper right of the page + if ($query->param('weblang')) { + my $weblang = $query->param('weblang'); + if (&validate_language($weblang)) { + # load the data + $config_language = "$weblang"; + # add the setting to every link + $data->setValue('Data.PostData.weblang', "$weblang"); + } else { + # no valid language was selected - so you may ignore it + $data->setValue('Data.Warning', 'InvalidLanguage'); + } + } + # import the configured resp. the temporarily selected language + $data->readFile("$LANGUAGE_DIR/$config_language" . ".hdf"); + + ########## select documentation language ########## + if (&validate_doc_language($config_language)) { + # selected web interface language + $data->setValue('Settings.DocLang', "$config_language"); + } elsif (&validate_doc_language($DEFAULT_LANGUAGE)) { + # configured CryptoBox language + $data->setValue('Settings.DocLang', "$DEFAULT_LANGUAGE"); + } else { + # default hardcoded language (english) + $data->setValue('Settings.DocLang', "en"); + } +} + + +sub get_available_languages +# import the names of all available languages +{ + my $data = shift; + my ($file, @files, $hdf, $lang_name); + + opendir(DIR, $LANGUAGE_DIR) or &fatal_error ("Language directory ($LANGUAGE_DIR) not accessible!"); + @files = sort grep { /.*\.hdf$/ } readdir(DIR); + close(DIR); + + foreach $file (@files) { + $hdf = ClearSilver::HDF->new(); + $hdf->readFile("$LANGUAGE_DIR/$file"); + substr($file, -4) = ""; + $lang_name = $hdf->getValue("Lang.Name", "$file"); + $data->setValue("Data.Languages." . "$file", "$lang_name"); + } +} + + +# look for preferred browser language setting +# this code was adapted from Per Cederberg - http://www.percederberg.net/home/perl/select.perl +# it returns an empty string, if no supported language was found +sub get_browser_language +{ + my ($str, @langs, @res); + + # Use language preference settings + if ($ENV{'HTTP_ACCEPT_LANGUAGE'} ne '') + { + @langs = split(/,/, $ENV{'HTTP_ACCEPT_LANGUAGE'}); + foreach (@langs) + { + # get the first part of the language setting + ($str) = ($_ =~ m/([a-z]+)/); + # check, if it supported by the cryptobox + $res[$#res+1] = $str if validate_language($str); + } + } + + # if everything fails - return empty string + $res[0] = "" if ($#res lt 0); + return $res[0]; +} + + +sub log_msg +{ + my $text = shift; + open(LOGFILE,">> $LOG_FILE"); + print LOGFILE "$text"; + close(LOGFILE); +} + + +sub check_ssl +{ + # BEWARE: dirty trick - is there a better way? + # stunnel is not in transparent mode -> that means, it replaces REMOTE_ADDR with + # its own IP (localhost, of course) + return ($ENV{'REMOTE_ADDR'} eq '127.0.0.1'); +} + + +sub check_mounted +{ + return (system("$CB_SCRIPT","is_crypto_mounted",$CRYPTO_DEV) == 0); +} + + +sub check_config +{ + return (system("$CB_SCRIPT","is_config_mounted",$CRYPTO_DEV) == 0); +} + + +sub check_init_running +{ + return (system("$CB_SCRIPT","is_init_running") == 0); +} + + +sub is_harddisk_available +{ + return (system("$CB_SCRIPT","is_harddisk_available") == 0); +} + +sub get_available_disks +# TODO: this is useful for diskselection buttons +{ + return `$CB_SCRIPT get_available_disks`; +} + +sub get_current_ip +# the IP of eth0 - not the configured value of the box (only for validation) +{ + return `$CB_SCRIPT get_current_ip`; +} + + +sub get_admin_pw +# returns the current administration password - empty, if it is not used +{ + return `$CB_SCRIPT get_config admin_pw`; +} + + +sub render +{ + my $pagefile = "$HTML_TEMPLATE_DIR/main.cs"; + print "Content-Type: text/html\n\n"; + + my $cs = ClearSilver::CS->new($pagedata); + $cs->parseFile($pagefile); + + print $cs->render(); +} + + +sub mount_vol +{ + my $pw = shift; + + if (&check_mounted) { + $pagedata->setValue('Data.Warning', 'IsMounted'); + } else { + open(PW_INPUT, "| $CB_SCRIPT crypto-up $CRYPTO_DEV"); + print PW_INPUT $pw; + close(PW_INPUT); + } +} + + +sub umount_vol +{ + if (&check_mounted) { + system("$CB_SCRIPT", "crypto-down",$CRYPTO_DEV); + } else { + $pagedata->setValue('Data.Warning', 'NotMounted'); + } +} + + +sub box_init +{ + my ($crypto_pw, $admin_pw) = @_; + + system("$CB_SCRIPT", "init") || return 1; + + # partitioning, config and initial cryptsetup + # TODO: define the name of the crypto container + open(PW_INPUT, "|$CB_SCRIPT crypto-create '$CRYPTO_DEV' default"); + print PW_INPUT $crypto_pw; + close(PW_INPUT); + + # set administration password + system("$CB_SCRIPT", "set_config", "admin_pw", "$admin_pw"); +} + +sub box_purge +{ + system("$CB_SCRIPT", "box-purge"); +} + +sub system_poweroff +{ + &umount_vol() if (&check_mounted()); + system("$CB_SCRIPT", "poweroff"); +} + + +sub system_reboot +{ + &umount_vol() if (&check_mounted()); + system("$CB_SCRIPT", "reboot"); +} + + +sub validate_ip +{ + my $ip = shift; + my @octets = split /\./, $ip; + return 0 if ($#octets == 4); + # check for values and non-digits + return 0 if (($octets[0] <= 0) || ($octets[0] >= 255) || ($octets[0] =~ /\D/)); + return 0 if (($octets[1] < 0) || ($octets[1] >= 255) || ($octets[1] =~ /\D/)); + return 0 if (($octets[2] < 0) || ($octets[2] >= 255) || ($octets[2] =~ /\D/)); + return 0 if (($octets[3] <= 0) || ($octets[3] >= 255) || ($octets[3] =~ /\D/)); + return 1; +} + + +sub validate_timeout +{ + my $timeout = shift; + return 0 if ($timeout =~ /\D/); + return 1; +} + + +# check for a valid interface language +sub validate_language +{ + my $language = shift; + # check for non-alphanumeric character + return 0 if ($language =~ /\W/); + return 0 if ($language eq ""); + return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf'); + return 1; +} + + +# check for a valid documentation language +sub validate_doc_language +{ + my $language = shift; + # check for non-alphanumeric character + return 0 if ($language =~ /\W/); + return 0 if ($language eq ""); + return 0 if ( ! -e "$DOC_DIR/$language"); + return 1; +} + + +################### main ######################### + + +$pagedata = load_hdf(); + +# BEWARE: there are two kinds of actions: +# * some require a harddisk +# * some do not require a harddisk +# take care, that you put a new action into the appropriate block below + +# first: check for ssl! +if ( ! &check_ssl()) { + $pagedata->setValue('Data.Error', 'NoSSL'); + $pagedata->setValue('Data.Redirect.URL', "https://" . $ENV{'HTTP_HOST'} . $ENV{'SCRIPT_NAME'}); + $pagedata->setValue('Data.Redirect.Delay', "3"); +} elsif ($query->param('action')) { + my $action = $query->param('action'); + #--------------------------------------------------------------# + # here you may define all cases that do not require a harddisk # + # put all other cases below the harddisk check # + #--------------------------------------------------------------# + #################### show_log ####################### + if ($action eq 'show_log') { + $pagedata->setValue('Data.Action', 'show_log'); + ##################### doc ############################ + } elsif ($action eq 'doc') { + if ($query->param('page')) { + $pagedata->setValue('Data.Doc.Page', $query->param('page')); + $pagedata->setValue('Data.Action', 'show_doc'); + } else { + $pagedata->setValue('Data.Doc.Page', 'CryptoBoxUser'); + $pagedata->setValue('Data.Action', 'show_doc'); + } + ##################### poweroff ###################### + } elsif ($action eq 'shutdown_ask') { + $pagedata->setValue('Data.Action', 'form_shutdown'); + ##################### reboot ######################## + } elsif ($action eq 'shutdown_do') { + if ($query->param('type') eq 'reboot') { + &system_reboot(); + $pagedata->setValue('Data.Success', 'ReBoot'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "180"); + } else { + &system_poweroff(); + $pagedata->setValue('Data.Success', 'PowerOff'); + } + $pagedata->setValue('Data.Action', 'empty'); + ##################### check for a harddisk ########################## + # catch this error, to prevent all following actions from execution # + ##################################################################### + } elsif ( ! &is_harddisk_available()) { + $pagedata->setValue('Data.Error', 'NoHardDisk'); + #-------------------------------------------------------# + # here you may define all cases that require a harddisk # + #-------------------------------------------------------# + ################ umount_do ####################### + } elsif ($action eq 'umount_do') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'form_config'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } elsif ( ! &check_mounted()) { + $pagedata->setValue('Data.Warning', 'NotMounted'); + $pagedata->setValue('Data.Action', 'empty'); + } else { + # unmounten + &umount_vol(); + if (&check_mounted()) { + $pagedata->setValue('Data.Warning', 'UmountFailed'); + $pagedata->setValue('Data.Action', 'form_umount'); + } else { + $pagedata->setValue('Data.Success', 'UmountDone'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } + } + ################ mount_do ######################## + } elsif ($action eq 'mount_do') { + # mount requested + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'form_config'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } elsif (&check_mounted()) { + $pagedata->setValue('Data.Warning', 'IsMounted'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } elsif ($query->param('crypto_password') eq '') { + # leeres Passwort + $pagedata->setValue('Data.Warning', 'EmptyCryptoPassword'); + $pagedata->setValue('Data.Action', 'form_mount'); + } else { + # mounten + &mount_vol($query->param('crypto_password')); + if (!&check_mounted()) { + $pagedata->setValue('Data.Warning', 'MountFailed'); + $pagedata->setValue('Data.Action', 'form_mount'); + } else { + $pagedata->setValue('Data.Success', 'MountDone'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } + } + ################## mount_ask ####################### + } elsif ($action eq 'mount_ask') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'form_config'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } elsif (&check_mounted()) { + $pagedata->setValue('Data.Warning', 'IsMounted'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } else { + $pagedata->setValue('Data.Action', 'form_mount'); + } + ################# umount_ask ######################## + } elsif ($action eq 'umount_ask') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif ( ! &check_mounted()) { + $pagedata->setValue('Data.Warning', 'NotMounted'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } else { + $pagedata->setValue('Data.Action', 'form_umount'); + } + ################## init_ask ######################### + } elsif ($action eq 'init_ask') { + if (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'form_config'); + } elsif (&check_config()) { + $pagedata->setValue('Data.Warning', 'AlreadyConfigured'); + $pagedata->setValue('Data.Action', 'form_init'); + } else { + $pagedata->setValue('Data.Action', 'form_init'); + } + #################### init_do ######################## + } elsif ($action eq 'init_do') { + my $current_admin_pw = &get_admin_pw; + if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { + $pagedata->setValue('Data.Warning', 'WrongAdminPassword'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif ($query->param('admin_password') ne $query->param('admin_password2')) { + # different admin-passwords + $pagedata->setValue('Data.Warning', 'DifferentAdminPasswords'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif ($query->param('crypto_password') ne $query->param('crypto_password2')) { + # different crypto-passwords + $pagedata->setValue('Data.Warning', 'DifferentCryptoPasswords'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif ($query->param('crypto_password') eq '') { + # empty password + $pagedata->setValue('Data.Warning', 'EmptyCryptoPassword'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif ($query->param('confirm') ne $pagedata->getValue('Lang.Text.ConfirmInit','')) { + # wrong confirm string + $pagedata->setValue('Data.Warning', 'InitNotConfirmed'); + $pagedata->setValue('Data.Action', 'form_init'); + } else { + # do init + &box_init($query->param('crypto_password'),$query->param('admin_password')); + if (!&check_init_running()) { + $pagedata->setValue('Data.Error', 'InitFailed'); + } else { + $pagedata->setValue('Data.Success', 'InitRunning'); + $pagedata->setValue('Data.Action', 'form_config'); + } + } + #################### config_ask ###################### + } elsif ($action eq 'config_ask') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } else { + $pagedata->setValue('Data.Action', 'form_config'); + } + #################### config_do ####################### + } elsif ($action eq 'config_do') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } else { + my $current_admin_pw = &get_admin_pw; + if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { + $pagedata->setValue('Data.Warning', 'WrongAdminPassword'); + $pagedata->setValue('Data.Action', 'form_config'); + } elsif ( ! &validate_language($query->param('language'))) { + $pagedata->setValue('Data.Warning', 'InvalidLanguage'); + $pagedata->setValue('Data.Action', 'form_config'); + } elsif ( ! &validate_ip($query->param('ip'))) { + $pagedata->setValue('Data.Warning', 'InvalidIP'); + $pagedata->setValue('Data.Action', 'form_config'); + } elsif ( ! &validate_timeout($query->param('timeout'))) { + $pagedata->setValue('Data.Warning', 'InvalidTimeOut'); + $pagedata->setValue('Data.Action', 'form_config'); + } else { + system("$CB_SCRIPT", "set_config", "language", $query->param('language')); + &load_selected_language($pagedata); + system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout')); + # check, if the ip was reconfigured + if ($query->param('ip') ne `$CB_SCRIPT get_config ip`) + { + # set the new value + system("$CB_SCRIPT", "set_config", "ip", $query->param('ip')); + # reconfigure the network interface + system("$CB_SCRIPT", "update_ip_address"); + # redirect to the new address + $pagedata->setValue('Data.Redirect.URL', "https://" . $query->param('ip') . $ENV{'SCRIPT_NAME'}); + $pagedata->setValue('Data.Redirect.Delay', "5"); + # display a warning for the redirection + $pagedata->setValue('Data.Warning', 'IPAddressChanged'); + } + # check for success + if (`$CB_SCRIPT get_config timeout` ne $query->param('timeout')) { + $pagedata->setValue('Data.Warning', 'ConfigTimeOutFailed'); + } elsif (`$CB_SCRIPT get_config ip` ne $query->param('ip')) { + $pagedata->setValue('Data.Warning', 'ConfigIPFailed'); + } elsif (`$CB_SCRIPT get_config language` ne $query->param('language')) { + $pagedata->setValue('Data.Warning', 'ConfigLanguageFailed'); + } else { + $pagedata->setValue('Data.Success', 'ConfigSaved'); + } + $pagedata->setValue('Data.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } + } + #################### status ######################### + } elsif ($action eq 'show_status') { + if ( ! &check_config()) { + $pagedata->setValue('Data.Warning', 'NotInitialized'); + $pagedata->setValue('Data.Action', 'form_init'); + } elsif (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'form_config'); + $pagedata->setValue('Data.Redirect.Delay', "30"); + } else { + $pagedata->setValue('Data.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "60"); + } + ################### box_purge ####################### + # if we find an existing config partition, then check the adminpw + } elsif ($action eq 'do_purge') { + if ( &check_config()) { + my $current_admin_pw = &get_admin_pw; + if ($current_admin_pw ne '' && $current_admin_pw ne $query->param('current_admin_password')) { + $pagedata->setValue('Data.Warning', 'WrongAdminPassword'); + $pagedata->setValue('Data.Action', 'form_config'); + } else { + &box_purge; + $pagedata->setValue('Data.Action', 'form_init'); + } + } + ################### unknown ######################### + } else { + $pagedata->setValue('Data.Error', 'UnknownAction'); + } +#################### default action ########################## +# check for a harddisk again, as this check was skipped +# because there was no action defined +} elsif ( ! &is_harddisk_available()) { + $pagedata->setValue('Data.Error', 'NoHardDisk'); +} else { + if (&check_init_running()) { + $pagedata->setValue('Data.Warning', 'InitNotFinished'); + $pagedata->setValue('Data.Action', 'empty'); + $pagedata->setValue('Data.Redirect.Action', 'form_config'); + $pagedata->setValue('Data.Redirect.Delay', "60"); + } elsif (&check_config()) { + $pagedata->setValue('Data.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Action', 'show_status'); + $pagedata->setValue('Data.Redirect.Delay', "60"); + } else { + $pagedata->setValue('Data.Action', 'form_init'); + } +} + +# check state of the cryptobox +$pagedata->setValue('Data.Status.Config', &check_config() ? 1 : 0); +$pagedata->setValue('Data.Status.InitRunning', &check_init_running() ? 1 : 0); +$pagedata->setValue('Data.Status.Mounted', &check_mounted() ? 1 : 0) if (&check_config()); +my $output = &get_current_ip(); +$pagedata->setValue('Data.Status.IP', "$output"); + +$output = &get_admin_pw(); +$pagedata->setValue('Data.Config.AdminPasswordIsSet', 1) if ($output ne ''); + +$output = `$CB_SCRIPT diskinfo 2>&1 | sed 's#\$#
#'`; +$pagedata->setValue('Data.PartitionInfo',"$output"); + +# preset config settings for clearsilver +$pagedata->setValue('Data.Config.IP', `$CB_SCRIPT get_config ip`); +$pagedata->setValue('Data.Config.TimeOut', `$CB_SCRIPT get_config timeout`); +$pagedata->setValue('Data.Config.Language', `$CB_SCRIPT get_config language`); + +# read log and add html linebreaks +$output = ''; +if (-e "$LOG_FILE") { + open(LOGFILE, "< $LOG_FILE"); + while () { $output .= "$_
" } + close(LOGFILE); +} +$pagedata->setValue('Data.Log',"$output"); + +$pagedata->setValue('Data.Status.DevelopmentMode', 1) if ($IS_DEVEL); + +# save QUERY_STRING (e.g. for weblang-links) +my $querystring = $ENV{'QUERY_STRING'}; +# remove weblang setting +$querystring =~ s/weblang=\w\w&?//; +$pagedata->setValue('Data.QueryString', "$querystring") if ($querystring ne ''); + +&render(); + +exit 0; + diff --git a/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh new file mode 100755 index 0000000..d79b215 --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/cbox-manage.sh @@ -0,0 +1,590 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# this script does EVERYTHING +# all other scripts are only frontends :) +# +# called by: +# - some rc-scripts +# - the web frontend cgi +# + +# TODO: check permissions and owners of config files, directories and scripts before +# running cbox-root-actions.sh + +set -eu + +# define reasonable defaults +USE_STUNNEL=0 +EXEC_FIREWALL_RULES=0 +SKIP_NETWORK_CONFIG=1 +CONF_FILE=/etc/cryptobox/cryptobox.conf + + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# parse config file +. "$CONF_FILE" + +# check for writable log file +[ -w "$LOG_FILE" ] || LOG_FILE=/tmp/$(basename "$LOG_FILE") + +## configuration +CERT_TEMP=/tmp/stunnel.pem + +######## stuff ########## + +ALL_PARTITIONS=$(cat /proc/partitions | sed '1,2d; s/ */ /g; s/^ *//' | cut -d " " -f 4) + +######################### + +function log_msg() +{ + # the log file is not writable during boot - try before writing ... + [ -w "$LOG_FILE" ] || return 0 + echo >>"$LOG_FILE" + echo "##### `date` #####" >>"$LOG_FILE" + echo "$1" >>"$LOG_FILE" +} + + +function error_msg() +# parameters: ExitCode ErrorMessage +{ + echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2 + # print the execution stack - not usable with busybox + # caller | sed 's/^/\t/' >&2 + exit "$1" +} + + +function config_set_value() +# parameters: SettingName [SettingValue] +# read from stdin if SettingValue is not defined +{ + [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config rw + if [ $# -gt 1 ] + then echo -n "$2" > "$CONFIG_DIR/$1" + else cat - >"$CONFIG_DIR/$1" + fi + [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && sudo "$ROOT_PERM_SCRIPT" remount_config ro +} + + +function config_get_value() +# parameters: SettingName +{ + # use mounted config, if it exists - otherwise use defaults + local conf_dir + if is_config_active + then conf_dir=$CONFIG_DIR + else conf_dir=$CONFIG_DEFAULTS_DIR + fi + [ -z "$1" ] && error_msg 1 "empty setting name" + # check for existence - maybe use default values (for old releases without this setting) + if [ ! -e "$conf_dir/$1" ] + then case "$1" in + # you may place default values for older versions here + # for compatibility + * ) + error_msg 2 "unknown configuration value ($1)" + # empty output + ;; + esac + else echo -n $(cat "$conf_dir/$1") + # this removes the trailing line break + fi + # always return without error + true +} + + +function create_config() +# Parameter: device +{ + local device=$1 + unload_config + # create the new configuration filesystem if it is not static + if [ "$USE_SEPERATE_CONFIG_PARTITION" != "1" ] + then log_msg "Using static configuration ..." + else log_msg "Creating config filesystem ..." + sudo "$ROOT_PERM_SCRIPT" create_config "$device" + log_msg "Mounting config partition ..." + sudo "$ROOT_PERM_SCRIPT" mount_config "$device" + sudo "$ROOT_PERM_SCRIPT" remount_config rw + fi + log_msg "Copying configuration defaults ..." + cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR" + + log_msg "Copying temporary certificate file to config filesystem ..." + # beware: the temp file should always be there - even after reboot - see "load_config" + [ "$USE_STUNNEL" = 1 ] && cp -p "$CERT_TEMP" "$CERT_FILE" + + log_msg "Setting inital values ..." + # beware: config_set_value remounts the config partition read-only + config_set_value "ip" "$(get_current_ip)" + # create database of readable names + config_set_value "names.db" "" + # create a marker to recognize a cryptobox partition + # this should be the last step, to prevent a half-initialized state + config_set_value "$CONFIG_MARKER" "$(date -I)" +} + + +function get_current_ip() +# not necessarily the same as configured (necessary for validation) +{ + # filter the output of ifconfig and remove trailing line break + echo -n $("$IFCONFIG" "$NET_IFACE" | grep "inet" | cut -d ":" -f2 | cut -d " " -f1) +} + + +function list_partitions_of_type() +# parameter: { config | crypto | plaindata | unused } +{ + local config= + local crypto= + local plaindata= + local unused= + for a in $ALL_PARTITIONS + do if sudo "$ROOT_PERM_SCRIPT" is_crypto_partition "/dev/$a" + then crypto="$crypto /dev/$a" + elif sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$a" + then config="$config /dev/$a" + elif sudo "$ROOT_PERM_SCRIPT" is_plaindata_partition "/dev/$a" + then plaindata="$plaindata /dev/$a" + else unused="$unused /dev/$a" + fi + done + case "$1" in + config | crypto | plaindata | unused ) + # dirty hack, but it works + eval "echo \$$1" + ;; + * ) + errot_msg "wrong parameter ($1) for list_partition_types in $(basename $0)" + ;; + esac | tr " " "\n" | grep -v '^$' +} + + +function get_crypto_uuid() +# Parameter: DEVICE +{ + sudo "$ROOT_PERM_SCRIPT" get_device_name "$1" +} + + +function get_crypto_name() +# Parameter: DEVICE +# return the readable name of the crypto container, it it is already defined +# if undefined - return the uuid +{ + local uuid=$(get_crypto_uuid "$1") + local dbname=$(config_get_value "names.db" | grep "^$uuid:" | cut -d ":" -f 2-) + if [ -z "$dbname" ] + then echo -n "$uuid" + else echo -n "$dbname" + fi +} + + +function set_crypto_name() +# TODO: the implementation is quite ugly, but it works (tm) +# Parameter: DEVICE NAME +{ + local uuid=$(get_crypto_uuid "$1") + # remove the old setting for this device and every possible entry with the same name + (config_get_value 'names.db' | sed "/^$uuid:/d; /^[^:]*:$2$/d"; echo "$uuid:$2") | config_set_value 'names.db' +} + + +function does_crypto_name_exist() +# Parameter: NAME +{ + config_get_value 'names.db' | grep -q "^[^:]*:$1$" +} + + +function create_crypto() +# Parameter: DEVICE NAME KEYFILE +# keyfile is necessary, to allow background execution via 'at' +# TODO: check if the keyfile is still necessary for sudo -b +{ + local device=$1 + local name=$2 + local keyfile=$3 + # otherwise the web interface will hang + # passphrase may be passed via command line + local key=$(<"$keyfile") + # remove the passphrase-file as soon as possible + dd if=/dev/zero of="$keyfile" bs=512 count=1 2>/dev/null + rm "$keyfile" + + log_msg "Creating crypto partition with the cipher $DEFAULT_CIPHER on $device" + echo "$key" | sudo "$ROOT_PERM_SCRIPT" create_crypto "$device" + + set_crypto_name "$device" "$name" +} + + +function is_config_active() +{ + test -f "$CONFIG_DIR/$CONFIG_MARKER" +} + + +function is_crypto_mounted() +# Parameter: DEVICE +{ + local name=$(get_crypto_uuid "$1") + [ -n "$name" ] && mountpoint -q "$MNT_PARENT/$name" +} + + +function is_init_running() +{ + check_at_command_queue " init" +} + + +# check if a specified command is in an at-queue +# Parameter: a regular expression of the commandline +# Return: the command is part of an at-queue (0) or not (1) +function check_at_command_queue() +{ + # 1) get the available job numbers + # 2) remove empty lines (especially the last one) + # 3) check every associated command for the regexp + at -l | cut -f 1 | while read jobnum + do at -c $jobnum | sed '/^$/d' | tail -1 + done | grep -q "$1" +} + + +function find_harddisk() +# look for the harddisk to be partitioned +{ + local device=$(get_available_disks | head -1) + if [ -z "$device" ] ; then + log_msg "no valid harddisk for initialisation found!" + cat /proc/partitions >>"$LOG_FILE" + # do not return with an error, to avoid a failing of the script ('break on error') + # the caller of this function should handle an empty return string + fi + echo -n "$device" +} + + +function get_available_disks() +# looks which allowed disks are at the moment connected with the cbox +{ + for scan in $SCAN_DEVICES + do for avail in $ALL_PARTITIONS + do [ "$scan" = "$avail" ] && echo "/dev/$avail" + done + done +} + + +function load_config() +{ + unload_config + local status=0 + # look for a configuration partition + [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] && \ + list_partitions_of_type config | while read part && [ "$status" = 0 ] + do log_msg "Trying to load configuration from /dev/$part ..." + if sudo "$ROOT_PERM_SCRIPT" is_config_partition "/dev/$part" + then log_msg "configuraton found on $part" + sudo "$ROOT_PERM_SCRIPT" mount_config "/dev/$part" + status=1 + fi + done + if is_config_active + then # copy certificate to /tmp in case of re-initialization + # /tmp should be writable, so tmpfs has to be mounted before (/etc/rcS.d) + [ "$USE_STUNNEL" = 1 ] && cp "$CERT_FILE" "$CERT_TEMP" + else log_msg "failed to locate config partition" + return 1 + fi + true +} + + +function unload_config() +{ + is_config_active || return + # only try to unmount, if it is not static (the config of a live-cd is always dynamic) + if [ "$USE_SEPERATE_CONFIG_PARTITION" = "1" ] + then sudo "$ROOT_PERM_SCRIPT" umount_config + else true + fi +} + + +function mount_crypto() +# Parameter: DEVICE +{ + local device=$1 + [ -z "$device" ] && error_msg 4 'No valid harddisk found!' && return 1 + is_crypto_mounted "$device" && echo "The crypto filesystem is already active!" && return + # passphrase is read from stdin + log_msg "Mounting a crypto partition from $device" + sudo "$ROOT_PERM_SCRIPT" mount "$device" >>"$LOG_FILE" 2>&1 +} + + +function umount_crypto() +# Parameter: DEVICE +{ + local device=$1 + local uuid=$(get_crypto_uuid $device) + sudo "$ROOT_PERM_SCRIPT" umount "$uuid" +} + + +function box_purge() +# removing just the first bytes from the harddisk should be enough +# every harddisk will be overriden! +{ + # TODO: not ALL harddisks, please! + get_available_disks | while read a + do log_msg "Purging $a ..." + sudo "$ROOT_PERM_SCRIPT" trash_device "$a" + done +} + + +function init_cryptobox() +# this is only the first part of initialisation that takes no time - good for a smooth web interface +{ + local device=$(find_harddisk) + [ -z "$device" ] && log_msg 'No valid harddisk found!' && return 1 + turn_off_all_crypto + unload_config || true + log_msg "Partitioning the device ($device) ..." + sudo "$ROOT_PERM_SCRIPT" partition_disk "$device" "0,1,L \n,,L\n" + log_msg "Initializing config partition on ${device}1 ..." + # TODO: this should not be hard-coded + create_config "${device}1" +} + + +function turn_off_all_crypto() +{ + list_crypto_containers | while read a + do is_crypto_mounted "$a" && umount_crypto "$a" + done +} + + +### main ### + +# set PATH because thttpd removes /sbin and /usr/sbin for cgis +export PATH=/usr/sbin:/usr/bin:/sbin:/bin + + +ACTION=help +[ $# -gt 0 ] && ACTION=$1 && shift + +case "$ACTION" in + config-up ) + if load_config + then echo "Cryptobox configuration successfully loaded" + else error_msg 0 "Could not find a configuration partition!" + fi + ;; + config-down ) + unload_config || error_msg 4 "Could not unmount configuration partition" + ;; + network-up ) + if [ "$SKIP_NETWORK_CONFIG" != 1 ] + then conf_ip=$(config_get_value "ip") + log_msg "Configuring $NET_IFACE for $conf_ip ..." + echo "Configuring network interface for $NET_IFACE: $conf_ip" + "$IFCONFIG" "$NET_IFACE" "$conf_ip" + fi + if [ "$EXEC_FIREWALL_RULES" = 1 ] + then log_msg "Starting the firewall ..." + "$FIREWALL_SCRIPT" start + fi + if [ "$USE_STUNNEL" = 1 ] + then # start stunnel + if [ -f "$CERT_FILE" ] + then USE_CERT=$CERT_FILE + else USE_CERT=$CERT_TEMP + $MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1 + # TODO: this could be dangerous - right? + # this is necessary, to allow www-data to copy the certificate + chown "$WEB_USER" "$CERT_TEMP" + fi + log_msg "Starting stunnel ..." + stunnel -p "$USE_CERT" -r localhost:80 -d 443 \ + || echo "$USE_CERT not found - not starting stunnel" + fi + ;; + network-down ) + if [ "$EXEC_FIREWALL_RULES" = 1 ] + then log_msg "Stopping the firewall ..." + "$FIREWALL_SCRIPT" stop + fi + if [ "$USE_STUNNEL" = 1 ] + then log_msg "Stopping stunnel ..." + # TODO: what about a pid? + killall stunnel 2>/dev/null || true + fi + if [ "$SKIP_NETWORK_CONFIG" != 1 ] + then log_msg "Shutting the network interface down ..." + "$IFCONFIG" "$NET_IFACE" down + fi + ;; + services-up ) + # the mount point has to be writeable + # this action is called as root - so we are allowed to umount + # TODO: do this only for ro-filesystem + # TODO: this way of mounting is evil + if mountpoint -q "$MNT_PARENT" + then true + else mount -t tmpfs tmpfs "$MNT_PARENT" + fi + true + ;; + services-down ) + # this action is called as root - so we are allowed to umount + mountpoint -q "$MNT_PARENT" && umount "$MNT_PARENT" + # TODO: we should not depend on samba and thttpd + # /etc/init.d/samba stop || true + # /etc/init.d/thttpd stop || true + true + ;; + crypto-up ) + [ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-up'" + mount_crypto "$1" + ;; + crypto-down ) + [ $# -ne 1 ] && error_msg "invalid number of parameters for 'crypto-down'" + umount_crypto "$1" + ;; + init ) + init_cryptobox >"$LOG_FILE" 2>&1 + ;; + crypto-create ) + # Parameter: DEVICE NAME + [ $# -ne 2 ] && error_msg "invalid number of parameters for 'crypto-create'" + # do it in the background to provide a smoother web interface + # messages and errors get written to $LOG_FILE + keyfile=/tmp/$(basename "$0")-passphrase-$(basename "$1") + # read the password + cat - >"$keyfile" + # execute it in the background + echo "'$0' crypto-create-bg '$1' '$2' '$keyfile' >'$LOG_FILE' 2>&1" | at now + ;; + crypto-create-bg ) + create_crypto "$@" + ;; + crypto-list ) + list_partitions_of_type crypto + ;; + crypto-list-unused ) + list_partitions_of_type unused + ;; + crypto-name ) + # Parameter: DEVICE + get_crypto_name "$1" + ;; + is_crypto_mounted ) + [ $# -ne 1 ] && error_msg 10 "invalid number of parameters for 'is_crypto_mounted'" + is_crypto_mounted "$1" + ;; + is_config_mounted ) + is_config_active + ;; + is_init_running ) + is_init_running + ;; + is_harddisk_available ) + [ -z "$(find_harddisk)" ] && exit 1 + exit 0 + ;; + update_ip_address ) + # reconfigure the network interface to a new IP address + # wait for 5 seconds to finish present http requests + if [ "$SKIP_NETWORK_CONFIG" != 1 ] + then echo -n "sleep 5; sudo $ROOT_PERM_SCRIPT update_network" | at now + fi + ;; + get_available_disks ) + get_available_disks + ;; + get_current_ip ) + get_current_ip + ;; + set_config ) + [ $# -ne 2 ] && error_msg 7 "'set_config' requires two parameters" + config_set_value "$1" "$2" + ;; + get_config ) + [ $# -ne 1 ] && error_msg 6 "'get_config' requires exactly one parameter" + config_get_value "$1" + ;; + diskinfo ) + get_available_disks | while read a + do sudo "$ROOT_PERM_SCRIPT" diskinfo "$a" + done + ;; + box-purge ) + log_msg "Cleaning the CryptoBox ..." + turn_off_all_crypto + "$0" config-down + box_purge >>"$LOG_FILE" 2>&1 + ;; + poweroff ) + log_msg "Turning off the CryptoBox ..." + turn_off_all_crypto + echo "poweroff" | at now + ;; + reboot ) + log_msg "Rebooting the CryptoBox ..." + turn_off_all_crypto + echo "reboot" | at now + ;; + * ) + echo "Syntax: `basename $0` ACTION [PARAMS]" + echo " config-up - scan for configuration partition and mount it" + echo " config-down - unmount configuration partition" + echo " network-up - enable network interface" + echo " network-down - disable network interface" + echo " services-up - run some cryptobox specific daemons" + echo " services-down - stop some cryptobox specific daemons" + echo " crypto-up - mount crypto partition" + echo " crypto-down - unmount crypto partition" + echo " box-init - initialize cryptobox (ALL data is LOST)" + echo " box-init-fg - the first part of initialization" + echo " box-init-bg - the last part of initialization (background)" + echo " is_crypto_mounted - check, if crypto partition is mounted" + echo " is_config_mounted - check, if configuration partition is mounted" + echo " is_init_running - check, if initialization is ongoing" + echo " is_harddisk_available - check, if there is a usable harddisk" + echo " get_available_disks - shows all connected and allowed disks" + echo " get_current_ip - get the current IP of the network interface" + echo " update_ip_address - update the network interface after reconfiguration" + echo " set_config NAME VALUE - change a configuration setting" + echo " get_config NAME - retrieve a configuration setting" + echo " diskinfo - show the partition table of the harddisk" + echo " box-purge - destroy partitiontable of all harddisks (delete everything)" + echo " poweroff - shutdown the cryptobox" + echo " reboot - reboot the cryptobox" + echo + ;; + esac + +exit 0 + diff --git a/cbox-tree.d/usr/lib/cryptobox/cbox-root-actions.sh b/cbox-tree.d/usr/lib/cryptobox/cbox-root-actions.sh new file mode 100755 index 0000000..0d33271 --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/cbox-root-actions.sh @@ -0,0 +1,330 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# this script is responsible for all dangerous actions, that require root privileges +# every action should be checked at least TWICE a day for open holes :) +# usually will get call via sudo +# +# called by: +# - cbox-manage.sh +# + +set -eu + +[ "$(id -u)" -ne 0 ] && echo "$(basename $0) - only root may call this script" >&2 && exit 100 + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} +# parse config file +. "$CONF_FILE" + + +############ some useful functions ############### + +# check if the given device is part of the SCAN_DEVICE list +# every entry in SCAN_DEVICES is matched as "^/dev/${SCAN_DEVICE}[0-9]*$" against +# the given device +# other devices may not be touched +function is_device_allowed() +# parameter: device +{ + for a in $SCAN_DEVICES + do [[ "$1" =~ "^/dev/${a}[0-9]*$" ]] && return 0 + done + return 1 +} + + +function get_device_name() +# return the uuid of the device +# if there is no uuid, then the device name is "flattened" and returned +# ignore volume-id as it may be non-unique +{ + local UUID= + # check for luksUUID or ext2/3-uuid + if is_luks_device "$1" + then UUID=$("$CRYPTSETUP" luksUUID "$1") + else [ -n "$(which dumpe2fs)" ] && UUID=$(dumpe2fs -h "$1" 2>/dev/null | grep "UUID" | cut -d ":" -f 2 | sed "s/ *//g") + fi + # if there is no valid UUUD, then take the flattened device name + is_uuid_valid "$UUID" || UUID=${1//\//_} + echo "$UUID" +} + + +function is_uuid_valid() +# every devmapper name should look like a UUID +{ + local hex=[0-9a-f] + [[ "$1" =~ "^$hex\{8\}-$hex\{4\}-$hex\{4\}-$hex\{4\}-$hex\{12\}$" ]] +} + + +function error_msg() +# parameter ExitCode ErrorMessage +{ + echo "CBOX-ERROR: [$(basename $0) - $ACTION] - $2" >&2 + exit $1 +} + + +function partition_device() +# parameter: device sfdisk_layout_setup +# e.g.: /dev/hda "0,1,L \n,,L\n" +{ + # TODO: allow different layouts + # TODO: skip config partition if a configuration is already active + # sfdisk -n doesn't actually write (for testing purpose) + if echo -e "$2" | "$SFDISK" -n "$1" + then echo -e "$2" | "$SFDISK" "$1" || return 1 + else return 2 + fi + true +} + + +function is_luks_device() +# parameter: device +{ + "$CRYPTSETUP" isLuks "$1" +} + + +################ main #################### + +ACTION=unknown +[ $# -gt 0 ] && ACTION=$1 && shift + + +case "$ACTION" in + partition_disk ) + [ $# -ne 2 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + partition_device "$1" "$2" || \ + error_msg 2 "failed to create new partition table on device $1" + ;; + mount ) + # parameters: device + # returns the relative name of the mointpoint for success + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + name=$(get_device_name "$1") + mountpoint -q "$MNT_PARENT/$name" && \ + error_msg 5 "a device with the same name ($name) is already mounted" + mkdir -p "$MNT_PARENT/$name" + if is_luks_device "$1" + then "$CRYPTSETUP" luksOpen "$1" "$name" || \ + error_msg 6 "could not open encrypted device $1" + if mount "$DEV_MAPPER_DIR/$name" "$MNT_PARENT/$name" + then true + else "$CRYPTSETUP" luksClose "$name" || true + error_msg 7 "wrong password for $1 supplied" + fi + else mount "$1" "$MNT_PARENT/$name" || \ + error_msg 8 "invalid filesystem on device $1" + fi + # just in case, that there is no ext2/3 filesystem: + # set uid option (will fail silently for ext2/3) + mount -o remount,uid="$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true + # adapt top-level permission to current setup - again: may fail silently + chown "$FILE_USER" "$MNT_PARENT/$name" 2>/dev/null || true + true + ;; + umount ) + #parameter: name (relative mountpoint) + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_uuid_valid "$1" || [[ "$1" =~ "^[_a-z0-9]*$" ]] || \ + error_msg 4 "invalid UUID ($1)" + mountpoint -q "$MNT_PARENT/$1" || \ + error_msg 9 "the device with the UUID ($1) is not mounted" + # try to unmount - continue even on errors + umount "$MNT_PARENT/$1" || \ + error_msg 0 "unmount of device $1 failed - device is busy" + # remove (if necessary) the dev mapping + [ -e "$DEV_MAPPER_DIR/$1" ] && "$CRYPTSETUP" luksClose "$1" || \ + error_msg 11 "could not remove the device mapper for device $1" + # try to remove the mountpoint - a failure is not important + rmdir "$MNT_PARENT/$1" || true + # set exitcode + mountpoint -q "$MNT_PARENT/$1" && exit 1 + exit 0 + ;; + create_crypto ) + # parameter: device + # the passphrase is expected on stdin + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + # read the passphrase from stdin + key=$(cat -) + # the iter-time is in milliseconds - keep it low for fast mounting + echo "$key" | \ + "$CRYPTSETUP" --cipher "$DEFAULT_CIPHER" --iter-time 2000 luksFormat "$1" || \ + error_msg 11 "failed to create the encrypted partition" + name=$(get_device_name "$1") + echo "$key" | "$CRYPTSETUP" luksOpen "$1" "$name" || \ + error_msg 12 "failed to open the encrypted partition" + # silent output from mkfs.ext3 + "$MKFS_DATA" -q "$DEV_MAPPER_DIR/$name" || \ + error_msg 13 "failed to create the encrypted filesystem" + "$CRYPTSETUP" luksClose "$name" || \ + error_msg 14 "failed to close the encrypted mapped device" + ;; + get_device_name ) + # parameter: device + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + get_device_name "$1" + ;; + mount_config ) + # parameter: device + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + [ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \ + error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + mountpoint -q "$CONFIG_DIR" && \ + error_msg 0 "the configuration partition is already mounted" + "$MKFS_CONFIG" -q "$1" || \ + error_msg 20 "failed to create config partition filesystem" + ;; + mount_config ) + # parameter: device + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + [ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \ + error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + mountpoint -q "$CONFIG_DIR" && \ + error_msg 0 "the configuration partition is already mounted" + mount "$1" "$CONFIG_DIR" || \ + error_msg 16 "failed to mount configuration partition" + # chown to fix permissions - may fail for non-ext2/3 filesystems + chown -R "$WEB_USER" "$CONFIG_DIR" || true + mount -o remount,ro "$CONFIG_DIR" || \ + error_msg 18 "failed to remount configuration partition" + true + ;; + remount_config ) + # parameter: { ro | rw } + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + [ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \ + error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)" + [[ "$1" =~ "^r[ow]$" ]] || error_msg 17 "only 'rw' and 'ro' are allowed" + mount -o "remount,$1" "$CONFIG_DIR" || \ + error_msg 18 "failed to remount configuration partition" + true + ;; + umount_config ) + # no parameters + [ $# -ne 0 ] && error_msg 1 "wrong number of parameters" + [ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \ + error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)" + mountpoint -q "$CONFIG_DIR" && umount "$CONFIG_DIR" || \ + error_msg 18 "failed to unmount configuration partition" + ;; + is_config_partition ) + # parameter: device + # returns exitcode 0 if the device contains a configuration + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + [ "$USE_SEPERATE_CONFIG_DIR" != "1" ] && \ + error_msg 19 "I am configured to work without a seperate config partition (see $CONF_FILE)" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + is_config=0 + tmp_dir=/tmp/$(basename $0)-$$-mnt + mkdir -p "$tmp_dir" + # error means "no config partition" + if mount "$1" "$CONFIG_DIR" + then [ -e "$CONFIG_DIR/$CONFIG_MARKER" ] && is_config=1 + umount "$CONFIG_DIR" || \ + error_msg 14 "unable to unmount configation partition after probing" + fi + rmdir "$tmp_dir" || true + # return 0 if $device is a config partition + [ "$is_config" -eq 1 ] && exit 0 + exit 1 + ;; + is_crypto_partition ) + # parameter: device + # returns exitcode 0 if the device contains a luks header + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + is_luks_device "$1" + ;; + is_data_partition ) + # parameter: device + # returns exitcode 0 if the device contains a readable filesystem + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + status=0 + tmp_dir=/tmp/$(basename $0)-$$-mnt + mkdir -p "$tmp_dir" + if mount "$1" "$tmp_dir" + then [ ! -e "$tmp_dir/$CONFIG_MARKER" ] && status=1 + umount "$tmp_dir" + fi + rmdir "$tmp_dir" || true + [ "$status" -eq 1 ] && exit 0 + exit 1 + ;; + trash_device ) + # parameter: device + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null + ;; + diskinfo ) + # parameter: device + [ $# -ne 1 ] && error_msg 1 "wrong number of parameters" + is_device_allowed "$1" || \ + error_msg 3 "this device ($1) is not listed in SCAN_DEVICES (see $CONF_FILE)" + "$SFDISK" -L -q -l "$1" + ;; + update_network ) + # parameter: none + ip= + # TODO: can we avoid to hard-code the filename ($CONFIG_DIR/ip) here? + [ -e "$CONFIG_DIR/ip" ] && ip=$(<"$CONFIG_DIR/ip") + [ -n "$z" ] && ifconfig "$NET_IFACE" "$ip" + ;; + * ) + echo "Syntax: $(basename $0) ACTION PARAMETERS" + echo ' partition_disk $device $disk_layout' + echo ' get_device_name $device' + echo ' create_crypto $device' + echo ' mount $device' + echo ' umount $name' + echo ' create_config $device' + echo ' mount_config $device' + echo ' remount_config { ro | rw }' + echo ' umount_config' + echo ' is_config_partition $device' + echo ' is_plaindata_partition $device' + echo ' is_crypto_partition $device' + echo ' trash_device $device' + echo ' diskinfo $device' + echo ' update_network' + echo ' help' + echo + [ "$ACTION" == "help" ] && exit 0 + # return error for any unknown/unspecified action + exit 1 + ;; + esac + diff --git a/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh new file mode 100755 index 0000000..fa3583d --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/check_smb_idle.sh @@ -0,0 +1,92 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# a simple script to check, if there was no smb traffic for the specified +# number of minutes - then it unmounts the crypto partition +# +# you may want to adjust the function "filter_ipt_rules" according to +# your setup +# +# any Parameter are ignored +# +# this script has to run as root - as it invokes iptables +# +# the iptables rules to detect smb traffic could look like the following: +# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT +# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT +# +# called by: +# - cron (/etc/cron.d/cryptobox) +# + +set -eu + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} +# parse config file +. "$CONF_FILE" + + +############# some functions ################## + +filter_ipt_rules() +# get the input rules for smb datagram traffic +{ + "$IPTABLES" -L INPUT -vnx | grep -E "udp dpt:138|tcp dpt:139" +} + + +function check_for_traffic() +{ + local traffic_yes=0 + # fallback if no rules were found + # extract the number of packets and calculate the sum + filter_ipt_rules | sed 's/ */ /g' | cut -d " " -f 3 | while read a + do [ "$a" -gt 0 ] && echo "$a" + done | grep -q "" && traffic_yes=1 + "$IPTABLES" -Z INPUT + [ "$traffic_yes" = "1" ] +} + + +################### main ###################### + +# TODO: migrate to multi-container-setup +exit 0 + +# break, if crypto partition is not mounted +"$CB_SCRIPT" is_crypto_mounted || exit 0 + +# break, if idle timer is turned off +MAX_IDLE_COUNTER=$("$CB_SCRIPT" get_config timeout) +[ "$MAX_IDLE_COUNTER" -eq 0 ] && exit 0 + +# config test +[ -z "$(filter_ipt_rules)" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >>"$LOG_FILE" && exit 1 + +# read current idle counter +if [ -e "$IDLE_COUNTER_FILE" ] + then current_count=$(<$IDLE_COUNTER_FILE) + else current_count=0 + fi + +# update counter +if check_for_traffic + then echo 0 + else echo $((current_count + 1)) + fi >"$IDLE_COUNTER_FILE" + +# unmount crypto partition, if the threshold was reached +if [ "$(<$IDLE_COUNTER_FILE)" -ge "$MAX_IDLE_COUNTER" ] + then "$CB_SCRIPT" crypto-down >>"$LOG_FILE" 2>&1 + echo "0" >"$IDLE_COUNTER_FILE" + fi diff --git a/cbox-tree.d/usr/lib/cryptobox/chroot-start.sh b/cbox-tree.d/usr/lib/cryptobox/chroot-start.sh new file mode 100755 index 0000000..5ac37ed --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/chroot-start.sh @@ -0,0 +1,55 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# FOR DEVELOPMENT ONLY! +# +# this script is used to prepare a chroot session for testing or configuring +# +# called by: +# - cbox-build.sh +# +# parameter: [commandline] +# +# if "commandline" is empty, "bash" will be used +# + +set -eu + +MNT_SRC=/opt/dfsruntime/runtimerd +MNT_DST=/opt/dfsruntime/runtimemnt +# the directory /tmp/ can not be used, as it is still a broken link, too +TMP_DIR="/tmp-`basename $0`-$$" + + +cp -a "$MNT_SRC/." "$TMP_DIR" +mount -n --bind "$TMP_DIR" "$MNT_DST" + +[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null" +[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom" +[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console" + +# remember, if proc was mounted before (e.g. because of a running chroot) +PROC_WAS_MOUNTED=no +mount -n -t proc proc /proc 2>/dev/null || PROC_WAS_MOUNTED=yes + +# default language setting - prevents dpkg error messages +export LANG=C + +# set default terminal (good if you are running in a screen session) +export TERM=linux + +# execute parameters as commandline +if [ $# -gt 0 ] + then "$@" + else bash + fi + +umount -n "$MNT_DST" +[ "$PROC_WAS_MOUNTED" = "no" ] && umount -n proc +rm -r "$TMP_DIR" diff --git a/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh b/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh new file mode 100755 index 0000000..34a2036 --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/configure-cryptobox.sh @@ -0,0 +1,145 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# this script is part of the building process of the cryptobox +# the "normal" action is necessary for every cryptobox (development & release) +# the "secure" action is mandatory for every release CD +# +# called by: +# - cbox-build.sh after copying custom files and before creating the iso image +# + +set -eu + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} +# parse config file +. "$CONF_FILE" + +RUNTIMEDIR=/opt/dfsruntime/runtimerd +TUNDEV=$RUNTIMEDIR/dev/net/tun + +REMOVE_PACKAGES="strace + nvi nano vim vim-common + unzip tar zip gzip bzip2 + aptitude tasksel + ssh elinks curl wget netkit-inetd telnet + exim4-daemon-light exim4-config exim4-base + ppp pppconfig pppoe pppoeconf" + +# remove rc symlinks for these services +SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate" + +function configure_normal() +# the usual stuff - not optimized for security +{ + ##### cryptobox settings ###### + sed -i '/^NO_START=.*$/NO_START=0/' + sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/' + sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/' + sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/' + + ########### boot up ########### + # turn off creation of "/etc/nologin" (read-only fs) + sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS + # turn off modifying /etc/motd (read-only fs) + sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS + + ######### devices ########## + # create tun device for running under qemu + if [ ! -e "$TUNDEV" ] + then mkdir -p `dirname "$TUNDEV"` + mknod "$TUNDEV" c 10 200 + fi + + ######### thttpd ########### + # change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run + sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf + # change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...) + sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf + + # the thttpd documentations says "nosymlinkcheck" instead of + # "nosymlink" - TODO: "nosymlink" breaks "/cryptobox" URL!!! + #sed -i "/symlink/d" /etc/thttpd/thttpd.conf + #echo "nosymlink" >>/etc/thttpd/thttpd.conf + + ########## sshd ############ + if [ -e "/etc/ssh" ]; then + # allow empty passwords for ssh + # the daemon is NOT started automatically, so you have to start it + # manually in case of need - as the root pw is empty and passwd is ro, you + # have to allow empty passwords for this rare case + sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config + # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour) + sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config + # allow nput of password + sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config + fi + + # remove symlinks for unwanted services + for a in $SERVICES_OFF; do + # echo "Turning off service $a ..." + find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b + do rm "$b" + done + done + + return 0 +} + + +function configure_secure() +# remove everything that could weaken security +# configure_normal should be called too! +{ + # disable keyboard login + sed -i '/getty/d' /etc/inittab + + # remove unnecessary packages + dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true + + # remove the development features script + [ -e "$DEV_FEATURES_SCRIPT" ] && rm -f "$DEV_FEATURES_SCRIPT" + + # maybe an authorized_keys file was created - but it is not dangerous, + # as the openssh package was removed anyway + [ -d /root/.ssh ] && rm -rf /root/.ssh + + ############## clean up ################ + # remove deb-files, that were left by dfsbuild + test -d /opt/packages && rm -r /opt/packages + # remove packages and package lists + rm -fr /var/cache/apt/ + + return 0 +} + + +################ main #################### + + +ACTION=help +[ $# -gt 0 ] && ACTION=$1 + +case "$ACTION" in + normal ) + configure_normal + ;; + secure ) + configure_secure + ;; + * ) + echo "Syntax: `basename $0` { normal | secure }" + echo + ;; + esac + diff --git a/cbox-tree.d/usr/lib/cryptobox/firewall.sh b/cbox-tree.d/usr/lib/cryptobox/firewall.sh new file mode 100755 index 0000000..1edb172 --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/firewall.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# set up the firewall of the cryptobox +# +# called by: +# - cbox-manage.sh during network-up +# + +set -u + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} +# parse config file +. "$CONF_FILE" + + +ACTION="help" +[ $# -gt 0 ] && ACTION=$1 + +case "$ACTION" in + start) + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT ACCEPT + + OFILE=/proc/sys/net/ipv4/tcp_syncookies + [ -e "$OFILE" ] && echo 1 >"$OFILE" + + iptables -F + iptables -X + iptables -Z + + iptables -A INPUT -i lo -j ACCEPT + + for a in $ALLOW_TCP_PORTS + do iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT + done + + for a in $ALLOW_UDP_PORTS + do iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT + done + + iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT + ;; + stop) + iptables -P INPUT ACCEPT + iptables -P FORWARD ACCEPT + iptables -P OUTPUT ACCEPT + iptables -F + iptables -X + iptables -Z + ;; + *) + echo "usage $0 start | stop" + ;; +esac + diff --git a/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh b/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh new file mode 100755 index 0000000..138cde7 --- /dev/null +++ b/cbox-tree.d/usr/lib/cryptobox/make_stunnel_cert.sh @@ -0,0 +1,47 @@ +#!/bin/sh +# +# Copyright (c) 02005 sense.lab +# +# License: This script is distributed under the terms of version 2 +# of the GNU GPL. See the LICENSE file included with the package. +# +# $Id$ +# +# this script creates the stunnel certificate for https +# +# parameter: "destination file" +# +# called by: +# - cbox-manage.sh during network-up if no certificate was found on the config partition +# + +set -eu + +# read the default setting file, if it exists +[ -e /etc/default/cryptobox ] && . /etc/default/cryptobox + +# set CONF_FILE to default value, if not configured in /etc/default/cryptobox +CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} +# parse config file +. "$CONF_FILE" + + +# vcert values are in OPENSSL_CONF_FILE +CERTFILE="$1" +TMP_FILE=/tmp/cryptobox-cert.tmp + +[ ! -f "$OPENSSL_CONF_FILE" ] && echo "`basename $0`: $OPENSSL_CONF_FILE not found" && exit 2 +# this command creates the certificate +# this is required, because the certbuilding asks for 5 returns +echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE" +chmod 600 "$CERTFILE" + +# next step needs a lot of randomdata +dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024 +openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE" +rm "$TMP_FILE" + +#ln -sf ${CERTPATH}stunnel.pem ${CERTPATH}`openssl x509 -noout -hash < "${CERTPATH}stunnel.pem"`.0 + +## print out cert values +#openssl x509 -subject -dates -fingerprint -in stunnel.pem diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/admin_pw b/cbox-tree.d/usr/share/cryptobox/defaults/admin_pw new file mode 100644 index 0000000..e69de29 diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/ip b/cbox-tree.d/usr/share/cryptobox/defaults/ip new file mode 100644 index 0000000..1cad3c7 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/ip @@ -0,0 +1 @@ +192.168.0.23 diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/language b/cbox-tree.d/usr/share/cryptobox/defaults/language new file mode 100644 index 0000000..c574d07 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/language @@ -0,0 +1 @@ +en diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/names.db b/cbox-tree.d/usr/share/cryptobox/defaults/names.db new file mode 100644 index 0000000..e69de29 diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/timeout b/cbox-tree.d/usr/share/cryptobox/defaults/timeout new file mode 100644 index 0000000..64bb6b7 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/timeout @@ -0,0 +1 @@ +30 diff --git a/cbox-tree.d/usr/share/cryptobox/defaults/version b/cbox-tree.d/usr/share/cryptobox/defaults/version new file mode 100644 index 0000000..be58634 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/defaults/version @@ -0,0 +1 @@ +0.3 diff --git a/cbox-tree.d/usr/share/cryptobox/lang/README b/cbox-tree.d/usr/share/cryptobox/lang/README new file mode 100644 index 0000000..8edf0b0 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/lang/README @@ -0,0 +1,28 @@ +$Id$ + +You may want to translate the CryptoBox into another language? +Most welcome! + +Existing translation can be found in the .hdf files. There are three +easy steps, that won't take longer than one hour to go through: + +1.) Download one .hdf in your preferred language (e.g. en.hdf if you're a native english speaker). + +2.) Start to change the text behind the equal sign line for line. + +3.) Send us your changed .hdf file. That's it - thank you! + + +Hints: +We are available via mail (cryptobox@systemausfall.org) for any questions. Don't worry to ask us if +something is vague. We prefer "utf" encoded hdf-files. If you don't +know what udf means - just don't care, send us your file and +everything else will be fine. You don't have to translate the whole +file, some minor parts are enough to send back. The community will do +the rest. ;) + +Again, thanks for your help! We do the Cryptobox things in our +freetime for fun and to provide an open source solution for this +special purpose. By helping us, you're taking part in this +development. + diff --git a/cbox-tree.d/usr/share/cryptobox/lang/TODO b/cbox-tree.d/usr/share/cryptobox/lang/TODO new file mode 100644 index 0000000..8afaa30 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/lang/TODO @@ -0,0 +1,16 @@ +$Id$ + +Here are some minor fixes that have to be done. Thanks a lot for your +help! + + +################################ slovenian ################################## + +- SuccessMessage.InitRunning contains only the first sentence +- SuccessMessage.ReBoot: add a hint for automatic redirection (3rd sentence) +- EmptyCryptoPassword: change 'Text' accordingly to English string. + +Below are some smaller changes in English sentences. Someone may change it accordingly. +- MountFailed: add 'Pleasy try again' to the end of the string. +- UmountFailed: changed 'Also close all unclean programs' to 'Close all unclean programs'. +- InitRunning: changed 'You may configure it now. You may activate the encrypted filesystem in a few minutes.' to 'You may configure it now and activate the encrypted filesystem in a few minutes.' diff --git a/cbox-tree.d/usr/share/cryptobox/lang/de.hdf b/cbox-tree.d/usr/share/cryptobox/lang/de.hdf new file mode 100644 index 0000000..fcf9bc4 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/lang/de.hdf @@ -0,0 +1,215 @@ +Lang { + + Name = deutsch + + Status = $Id$ + + Title { + Top = Die CryptoBox + Slogan = ... und 1984 war gestern! + Init = Initialisierung der CryptoBox + Mount = Aktivierung der Crypto-Daten + Umount = Deaktivierung der Crypto-Daten + Config = Konfiguration der CryptoBox + Log = Protokoll der CryptoBox + ShutDown = System + Status = Status der CryptoBox + } + + + Text { + EnterCurrentCryptoPassword = Das Crypto-Passwort eingeben: + EnterNewCryptoPassword = Das neue Crypto-Passwort eingeben: + EnterSameCryptoPassword = Das Crypto-Passwort wiederholen: + EnterCurrentAdminPassword = Das aktuelle Admin-Passwort eingeben: + EnterNewAdminPassword = Das neue Admin-Passwort eingeben: + EnterSameAdminPassword = Das neue Admin-Passwort wiederholen: + InitWarning = Bei der Initialisierung werden ALLE DATEN auf der Festplatte GELÖSCHT! + ConfirmInitHint = Um zu bestätigen, dass du weisst, was du tust, tippe hier bitte exakt Folgendes ein: + ConfirmInit = Ja, loesche alle Daten! + PartitionInfo = Derzeitige Partitionierung der Festplatte: + IPAddress = Netzwerk-Adresse (IP) der CryptoBox: + TimeOut = Zeitabschaltung des Crypto-Dateisystems (in Minuten): + EmptyLog = Das Logbuch der CryptoBox ist leer. + SelectLanguage = Spracheinstellung: + RedirectNote = Klicke hier, falls dein Browser die automatische Weiterleitung nicht unterstützt. + ProjectHomePage = Projekt-Seite + ProjectNote = Die CryptoBox ist ein Projekt von + DoUmount = Deaktivierung des verschlüsselten Dateisystems + DoMount = Aktivierung des verschlüsselten Dateisystems + Configuration = Einstellungen + CryptoIsActive = Die Crypto-Daten sind verfügbar. + CryptoIsDown = Die Crypto-Daten sind vor jedem Zugriff geschützt. + } + + + Button { + DoInit = CryptoBox initialisieren + SaveConfig = Speichere Konfiguration + Update = Aktualisieren + Mount = Crypto-Daten aktivieren + Umount = Crypto-Daten deaktivieren + Config = Einstellungen + PowerOff = ausschalten + ReBoot = neu starten + Protocol = Protokoll + Documentation = Handbuch + Status = Status + } + + + WarningMessage { + InitNotConfirmed { + Title = Bestätigung schlug fehl + Text = Der Bestätigungssatz muss exakt eingegeben werden! + } + + EmptyCryptoPassword { + Title = Ungültiges Crypto-Passwort + Text = Du musst ein Crypto-Passwort eingeben! + } + + DifferentCryptoPasswords { + Title = Ungleiche Crypto-Passworte + Text = Die beiden Passworte müssen identisch sein, um Eingabefehler zu verhindern. + } + + DifferentAdminPasswords { + Title = Ungleiche Administrations-Passworte + Text = Die beiden Passworte müssen identisch sein, um Eingabefehler zu verhindern. + } + + WrongAdminPassword { + Title = Falsches Administrations-Passwort + Text = Das eingegebene Administrations-Passwort ist falsch. Versuche es noch einmal. + } + + MountFailed { + Title = Aktivierung schlug fehl + Text = Das verschlüsselte Dateisystem konnte nicht aktiviert werden. Wahrscheinlich war das Passwort falsch. Versuche es noch einmal. + } + + UmountFailed { + Title = Deaktivierung schlug fehl + Text = Das verschlüsselte Dateisystem konnte nicht abgeschaltet werden. Wahrscheinlich sind noch Dateien geöffnet. Schließe alle potentiell unsauberen Programme (beispielsweise die weitverbreitete Textverarbeitung). Notfalls einfach die CryptoBox ausschalten! + } + + NotInitialized { + Title = Keine Konfiguration gefunden + Text = Die CryptoBox wurde noch nicht eingerichtet. + } + + InitNotFinished { + Title = Initalisierung noch nicht abgeschlossen + Text = Die Initialisierung wird in wenigen Minuten beendet sein. Erst danach ist diese Aktion möglich. + } + + IsMounted { + Title = Bereits aktiv + Text = Das verschlüsselte Dateisystem ist bereits aktiv. + } + + NotMounted { + Title = Nicht aktiv + Text = Das verschlüsselte Dateisystem ist derzeit nicht aktiv. + } + + AlreadyConfigured { + Title = Konfiguration gefunden + Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gelöscht! + } + + InvalidLanguage { + Title = Ungültige Sprache + Text = Die ausgewählte Sprache ist nicht verfügbar! + } + + InvalidIP { + Title = Ungültige IP + Text = Die ausgewählte Netzwerkadresse ist nicht gültig! + } + + InvalidTimeOut { + Title = Ungültige Zeitabschaltung + Text = Der ausgewählte Wert der Zeitabschaltung ist nicht gültig! + } + + ConfigTimeOutFailed { + Title = Fehler beim Ändern der Zeitabschaltung + Text = Der Wert der Zeitabschaltung konnte nicht geändert werden! + } + + ConfigLanguageFailed { + Title = Fehler beim Ändern der Spracheinstellung + Text = Die Spracheinstellung konnte nicht geändert werden! + } + + ConfigIPFailed { + Title = Fehler beim Ändern der Netzwerkadresse + Text = Die Netzwerkadresse konnte nicht geändert werden! + } + + IPAddressChanged { + Title = Änderung der Netzwerk-Adresse + Text = Die Netzwerk-Adresse der CryptoBox wurde verändert. In wenigen Sekunden werden sie zu der neuen Adresse umgeleitet. + } + } + + + SuccessMessage { + InitRunning { + Title = Initialisierung läuft + Text = Die Initialisierung der CryptoBox wird im Hintergrund abgeschlossen. Du kannst die CryptoBox nun konfigurieren und das verschlüsselte Dateisystem in ein paar Minuten aktivieren. + } + + ConfigSaved { + Title = Konfiguration gespeichert + Text = Die neuen Einstellungen der CryptoBox wurden übernommem. + } + + MountDone { + Title = Crypto-Daten aktiviert + Text = Das verschlüsselte Dateisystem ist nun verfügbar. + } + + UmountDone { + Title = Crypto-Daten deaktiviert + Text = Das verschlüsselte Dateisystem ist nun vor jedem Zugriff geschützt. + } + + PowerOff { + Title = Abschaltung + Text = Die CryptoBox wird gerade heruntergefahren. In wenigen Sekunden kannst du sie ausschalten (falls dies nicht automatisch geschieht). + } + + ReBoot { + Title = Neustart + Text = Die CryptoBox wird gerade neu gestartet. In wenigen Sekunden ist sie wieder verfügbar. Bitte warte solange - du wirst automatisch weitergeleitet. + } + } + + + ErrorMessage { + + UnknownAction { + Title = Unbekannte Aktion + Text = Du hast eine undefinierte Aktion angefordert. + } + + NoSSL { + Title = Unverschlüsselte Verbindung + Text = Die CryptoBox akzeptiert nur verschlüsselte Verbindungen (https). So bleibt das Passwort vor neugierigen Augen geschützt. In wenigen Sekunden wird eine verschlüsselte Verbindung hergestellt. + } + + InitFailed { + Title = Initialisierung fehlgeschlagen + Text = Sende bitte den Inhalt des Protokolls (siehe oben) an die Entwickler der CryptoBox (cryptobox@systemausfall.org). + } + + NoHardDisk { + Title = Keine Festplatte + Text = Es wurde kein Datenträger gefunden, der zur Speicherung der verschlüsselten Daten geeignet ist. Prüfe bitte, ob beim Anschalten des Computers eine Festplatte vom BIOS erkannt wurde. + } + } + +} diff --git a/cbox-tree.d/usr/share/cryptobox/lang/en.hdf b/cbox-tree.d/usr/share/cryptobox/lang/en.hdf new file mode 100644 index 0000000..5236178 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/lang/en.hdf @@ -0,0 +1,215 @@ +Lang { + + Name = english + + Status = $Id$ + + Title { + Top = The CryptoBox + Slogan = Privacy for the rest of us. + Init = CryptoBox initialization + Mount = Activation of encrypted data + Umount = Deactivation of encrypted data + Config = CryptoBox configuration + Log = CryptoBox logfiles + ShutDown = System + Status = Status + } + + + Text { + EnterCurrentCryptoPassword = Enter the crypto password: + EnterNewCryptoPassword = Enter the new crypto password: + EnterSameCryptoPassword = Repeat the new crypto password: + EnterCurrentAdminPassword = Enter the current administration password: + EnterNewAdminPassword = Enter the new administration password: + EnterSameAdminPassword = Repeat the new administration password: + InitWarning = During the process of initialization ALL DATA on the hard drive WILL BE DELETED! + ConfirmInitHint = To confirm that you know what you are doing, please enter exactly the following sequence: + ConfirmInit = Yes, delete all data! + PartitionInfo = Current partioning of the hard drive: + IPAddress = Network address (IP) of the CryptoBox: + TimeOut = Timeout for deactivation of the encrypted filesystem (in minutes): + EmptyLog = The logfiles of the CryptoBox are empty. + SelectLanguage = Language preferences: + RedirectNote = Click here if your browser does not support automatic redirection. + ProjectHomePage = Website of project + ProjectNote = The CryptoBox is a project of + DoUmount = Deactivation of the encrypted filesystem + DoMount = Activation of the encrypted filesystem + Configuration = Configuration + CryptoIsActive = The encrypted data is accessible. + CryptoIsDown = The encrypted data is protected from any access. + } + + + Button { + DoInit = Initialize CryptoBox + SaveConfig = Save configuration + Update = Refresh + Mount = Activate encrypted filesystem + Umount = Deactivate encrypted filesystem + Config = Configuration + PowerOff = Shutdown + ReBoot = Reboot + Protocol = Logfiles + Documentation = Manual + Status = Status + } + + + WarningMessage { + InitNotConfirmed { + Title = Confirmation failed + Text = The sentence has to be entered exactly as shown! + } + + EmptyCryptoPassword { + Title = Invalid crypto password + Text = You have to enter a crypto password! + } + + DifferentCryptoPasswords { + Title = Crypto passwords do not match + Text = Both entered passwords have to be identical to ensure this is the desired password. + } + + DifferentAdminPasswords { + Title = Administration passwords do not match + Text = Both entered passwords have to be identical to ensure this is the desired password. + } + + WrongAdminPassword { + Title = Wrong Administration password + Text = The entered administration password is wrong. Please try again. + } + + MountFailed { + Title = Activation failed + Text = The encrypted filesystem could not be activated. Probably the given password was wrong. Please try again. + } + + UmountFailed { + Title = Deactivation failed + Text = The encrypted filesystem could not be activated. Probably some files are still in use. Close all unclean programs (for example that widely used word processor). In case of need just shut down the CryptoBox! + } + + NotInitialized { + Title = No configuration found + Text = The CryptoBox has not yet been configured. + } + + InitNotFinished { + Title = Initialization not yet completed + Text = Initialization will be completed in a few minutes. After completed initialization this action will become available. + } + + IsMounted { + Title = Already active + Text = The encrypted filesystem has already been activated. + } + + NotMounted { + Title = Inactive + Text = The encrypted filesystem is currently not active. + } + + AlreadyConfigured { + Title = Configuration found + Text = The CryptoBox has already been configured. If you initialize again, all data will be deleted! + } + + InvalidLanguage { + Title = Invalid language + Text = The selected language is not available! + } + + InvalidIP { + Title = Invalid IP address + Text = The selected network address is not valid! + } + + InvalidTimeOut { + Title = Invalid timeout + Text = The selected timeout is not valid! + } + + ConfigTimeOutFailed { + Title = Error during change of timeout + Text = The timeout value could not be changed! + } + + ConfigLanguageFailed { + Title = Error during change of language preferences + Text = The language preferences could not be changed! + } + + ConfigIPFailed { + Title = Error during change of network address + Text = The network address could not be changed! + } + + IPAddressChanged { + Title = Change of network address + Text = The network address has been changed. In a few seconds you will get redirected to the new address. + } + } + + + SuccessMessage { + InitRunning { + Title = Initialization running + Text = The initialization will be completed in background. You may configure it now and activate the encrypted filesystem in a few minutes. + } + + ConfigSaved { + Title = Configuration saved + Text = The new settings have been accepted. + } + + MountDone { + Title = Encrypted filesystem activated + Text = The encrypted filesystem is now available. + } + + UmountDone { + Title = Encrypted filesystem deactivated + Text = The encrypted filesystem is now secured from all forms of access. + } + + PowerOff { + Title = Shutdown + Text = The CryptoBox is currently going to halt. In a few seconds you can power it off (in case this does not happen automatically). + } + + ReBoot { + Title = Reboot + Text = The CryptoBox is currently rebooting. In a few seconds it will be available again. Please wait - you will get redirected, when the reboot has finished. + } + } + + + ErrorMessage { + + UnknownAction { + Title = Unknown action + Text = You have requested an undefined action. + } + + NoSSL { + Title = Unencrypted connection + Text = The CryptoBox only accepts encrypted connections (https), so the password is safe from curious eyes. The encrypted connection will be established in a few seconds. + } + + InitFailed { + Title = Initialization failed + Text = Please send the logfiles (see above) to the developers of the CryptoBox (cryptobox@systemausfall.org). + } + + NoHardDisk { + Title = No hard drive + Text = No hard drive suitable for saving the encrypted filesystem found. Please ensure the BIOS detected the hard drive during power-on of the comuter. + } + } + +} diff --git a/cbox-tree.d/usr/share/cryptobox/lang/si.hdf b/cbox-tree.d/usr/share/cryptobox/lang/si.hdf new file mode 100644 index 0000000..2ec7a35 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/lang/si.hdf @@ -0,0 +1,215 @@ +Lang { + + Name = slovenščina + + Status = $Id$ + + Title { + Top = The CryptoBox + Slogan = Privatnost v vsako vas! + Init = CryptoBox zagon + Mount = Aktivacija kriptiranih podatkov + Umount = Deaktivacija kriptiranih podatkov + Config = CryptoBox konfiguracija + Log = CryptoBox dnevnik + ShutDown = Ugasni + Status = Stanje + } + + + Text { + EnterCurrentCryptoPassword = Vpišite geslo: + EnterNewCryptoPassword = Vpišite novo geslo: + EnterSameCryptoPassword = Ponovite novo geslo: + EnterCurrentAdminPassword = Vnesite trenutno obstoječe geslo administratorja/ke: + EnterNewAdminPassword = Vnesite novo geslo administratorja/ke: + EnterSameAdminPassword = Ponovite novo geslo administratorja/ke: + InitWarning = Med incializacijo bodo VSI PODATKI z vašega trdega diska IZBRISANI! + ConfirmInitHint = Vsled potrditve vaših dejanj vpišite naslednje besedilo: + ConfirmInit = Da, zbirši vse podatke! + PartitionInfo = trenutna porazdelitev trdega diska: + IPAddress = IP CryptoBoxa: + TimeOut = Čas preklica deaktivacije kriptiranega datotečnega sistema:(v minutah) + EmptyLog = Dnevnik CryptoBoxa je prazen. + SelectLanguage = Jezikovne nastavitve: + RedirectNote = Kliknite če vaš iskalnik ne podpira avtomatične preusmeritve. + ProjectHomePage = Spletna stran projekta + ProjectNote = CryptoBox je projekt + DoUmount = Deaktivacija kriptiranega datotečnega sistema + DoMount = Aktivacija kriptiranega datotečnega sistema + Configuration = Konfiguracija + CryptoIsActive = Kriptirani podatki so dostopni. + CryptoIsDown = Kriptirani podatki soso zaèiteni pred kakr nimkoli dostopom. + } + + + Button { + DoInit = Zagon CryptoBoxa + SaveConfig = Shrani konfiguracijo + Update = Osveži + Mount = Aktivacija kriptiranega datotečnega sistema + Umount = Deaktivacija kriptiranega datotečnega sistema + Config = Konfiguracija + PowerOff = Ugasni + ReBoot = Ponovni zagon + Protocol = Dnevnik + Documentation = Priročnik + Status = Stanje + } + + + WarningMessage { + InitNotConfirmed { + Title = Potrditev ni uspela + Text = Besedilo mora biti vpisano natanko kot je prikazano! + } + + EmptyCryptoPassword { + Title = Nepravilno geslo + Text = Geslo ne sme biti prazno! + } + + DifferentCryptoPasswords { + Title = Gesli se ne ujemata! + Text = Obe vnešeni gesli morata biti identični, v zagotovilo, da je vpisano željeno geslo. + } + + DifferentAdminPasswords { + Title = Administracijski gesli se ne ujemata + Text = Obe vnešeni gesli morata biti identični, v zagotovilo da je vpisano željeno geslo. + } + + WrongAdminPassword { + Title = Napačno administracijsko geslo! + Text = Vnešeno administracijsko geslo je nepravilno. Prosimo poskusite znova! + } + + MountFailed { + Title = Aktivacija ni uspela + Text = Kriptiran datotečni sistem se ni aktiviral.Po vsej verjetnosti je bilo geslo napačno. + } + + UmountFailed { + Title = Deaktivacija ni uspela + Text = Kriptiran datotečni sistem se ni aktiviral.Datoteke so morda v uporabi. Zaprite vse programe. (naprimer ta nadvse razširjen urejevalnik besedil). V primeru nuje ugasnite CryptoBox! + } + + NotInitialized { + Title = Konfiguracija ni najdena + Text = CryptoBox še ni bil konfiguriran. + } + + InitNotFinished { + Title = Zagon še ni dovršen + Text = Zagon bo dovršen v nekaj minutah. Po končanem zagonu bo ta možnost omogočena. + } + + IsMounted { + Title = Že aktivno + Text = Kriptiran datotečni sistem je že aktiviran. + } + + NotMounted { + Title = Onemogočeno + Text = Kriptiran datotečni sistem trenutno ni aktiven. + } + + AlreadyConfigured { + Title = Konfiguracija uspela + Text = CryptoBox je đe bil konfiguriran. Če ponovno zaženete bodo vsi podatki izbrisani! + } + + InvalidLanguage { + Title = Nepravilna izbira jezika + Text = Izbrani jezik ni na voljo! + } + + InvalidIP { + Title = Napačen IP naslov + Text = Izbran omrežni naslov ni veljaven! + } + + InvalidTimeOut { + Title = Nepravilen čas preklica + Text = Izbran čas preklica ni veljaven! + } + + ConfigTimeOutFailed { + Title = Napaka med spremembo časa preklica + Text = Časa preklica ne morete spremeniti! + } + + ConfigLanguageFailed { + Title = Napaka med spremembo jezikovnih nastavitev + Text = Spreminjanje jezikovnih nastavitev ni mogoče. + } + + ConfigIPFailed { + Title = Napaka med spreminjanjem omrežnega naslova. + Text = Spreminjanje omrežnega naslova ni mogoče. + } + + IPAddressChanged { + Title = Sprememba omrežnega naslova + Text = Omrežni naslov je spremenjen. V nekaj sekundah boste preusmerjeni na nov naslov. + } + } + + + SuccessMessage { + InitRunning { + Title = Zagon poteka + Text = Zagon bo dokončan v ozadju. + } + + ConfigSaved { + Title = Konfiguracija spravljena + Text = Nove nastavitve so sprejete. + } + + MountDone { + Title = Kriptiran datotečni sistem aktiviran + Text = Kriptiran datotečni sistem je na voljo. + } + + UmountDone { + Title = Kriptiran datotečni sistem deaktiviran. + Text = Kriptiran datotečni sistem je varovan pred vstopom. + } + + PowerOff { + Title = Ugasni + Text = CryptoBox se zaustavlja. V nekaj sekundah ga lahko izklopite.(v kolikor se to ne zgodi avtomatično). + } + + ReBoot { + Title = Ponovni zagon + Text = CryptoBox se zaganja. V nekaj sekundah bo zopet na voljo. + } + } + + + ErrorMessage { + + UnknownAction { + Title = Neznan zahtevek + Text = Podali ste nedefiniran zahtevek. + } + + NoSSL { + Title = Nekriptirana povezava + Text = CryptoBox sprejme le kriptirane povezave (https), da je geslo zaščiteno pred radovednimi očmi. V nekaj sekundah bo kriptirana povezava vzpostavljena. + } + + InitFailed { + Title = Zagon ni uspel + Text = Prosim pošljite dnevnik (poglejte zgoraj) razvijalcem CryptoBoxa (cryptobox@systemausfall.org). + } + + NoHardDisk { + Title = Ni trdega diska + Text = Primeren trdi disk za shranjenje kriptiranega datotečnega sistema ni zaznan. Poskrbite da bo med zagonom BIOS zaznal trdi disk. + } + } + +} diff --git a/cbox-tree.d/usr/share/cryptobox/templates/empty.cs b/cbox-tree.d/usr/share/cryptobox/templates/empty.cs new file mode 100644 index 0000000..8db0381 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/empty.cs @@ -0,0 +1,3 @@ + + + diff --git a/cbox-tree.d/usr/share/cryptobox/templates/error.cs b/cbox-tree.d/usr/share/cryptobox/templates/error.cs new file mode 100644 index 0000000..ac56d9a --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/error.cs @@ -0,0 +1,3 @@ + + + diff --git a/cbox-tree.d/usr/share/cryptobox/templates/footer.cs b/cbox-tree.d/usr/share/cryptobox/templates/footer.cs new file mode 100644 index 0000000..afb8a6b --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/footer.cs @@ -0,0 +1,35 @@ + + + +

+ + + + + + + + + + + + + + + diff --git a/cbox-tree.d/usr/share/cryptobox/templates/form_config.cs b/cbox-tree.d/usr/share/cryptobox/templates/form_config.cs new file mode 100644 index 0000000..fcc7ee4 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/form_config.cs @@ -0,0 +1,31 @@ + + +
+

+ + + +


+

+ + +


+

+ +


+

+ +


+

+ + + + + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/form_init.cs b/cbox-tree.d/usr/share/cryptobox/templates/form_init.cs new file mode 100644 index 0000000..1e22803 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/form_init.cs @@ -0,0 +1,34 @@ + + +

+ +
+ + +

+ +


+

+ +


+

+


+

+


+

+


+

+


+

+ + + +
+ +
+ +
+

+

+
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/form_mount.cs b/cbox-tree.d/usr/share/cryptobox/templates/form_mount.cs new file mode 100644 index 0000000..a55dc00 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/form_mount.cs @@ -0,0 +1,15 @@ + + +

+ +
+ + +

+

+ + + + + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/form_shutdown.cs b/cbox-tree.d/usr/share/cryptobox/templates/form_shutdown.cs new file mode 100644 index 0000000..3a27662 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/form_shutdown.cs @@ -0,0 +1,19 @@ + + +

+ +
+ + + + + + +   + + + + + + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/form_umount.cs b/cbox-tree.d/usr/share/cryptobox/templates/form_umount.cs new file mode 100644 index 0000000..f11b963 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/form_umount.cs @@ -0,0 +1,12 @@ + + +

+ +
+ + + + + + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/header.cs b/cbox-tree.d/usr/share/cryptobox/templates/header.cs new file mode 100644 index 0000000..e87dcf8 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/header.cs @@ -0,0 +1,47 @@ + + + + + + + CryptoBox + + + + + + + + + + +
+ +
+ +
+ +
+ +
+ +
+ +

+

+
+ +
+ + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/macros.cs b/cbox-tree.d/usr/share/cryptobox/templates/macros.cs new file mode 100644 index 0000000..c58624f --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/macros.cs @@ -0,0 +1,93 @@ + + +
+

+

+ + + +
+

+

+ + + +
+

+

+ + + + + + + + + + + + + +
+ diff --git a/cbox-tree.d/usr/share/cryptobox/templates/main.cs b/cbox-tree.d/usr/share/cryptobox/templates/main.cs new file mode 100644 index 0000000..d93cc61 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/main.cs @@ -0,0 +1,16 @@ + + + + + + + + + + + + + + + + diff --git a/cbox-tree.d/usr/share/cryptobox/templates/nav.cs b/cbox-tree.d/usr/share/cryptobox/templates/nav.cs new file mode 100644 index 0000000..5528d7a --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/nav.cs @@ -0,0 +1,22 @@ + + + + + + + + + + + + + + + + + + + + + + diff --git a/cbox-tree.d/usr/share/cryptobox/templates/show_doc.cs b/cbox-tree.d/usr/share/cryptobox/templates/show_doc.cs new file mode 100644 index 0000000..20146db --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/show_doc.cs @@ -0,0 +1,7 @@ + + +
+ + + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/show_log.cs b/cbox-tree.d/usr/share/cryptobox/templates/show_log.cs new file mode 100644 index 0000000..3544b63 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/show_log.cs @@ -0,0 +1,13 @@ + + +
+ +

+ + +

+ +

+ + +
diff --git a/cbox-tree.d/usr/share/cryptobox/templates/show_status.cs b/cbox-tree.d/usr/share/cryptobox/templates/show_status.cs new file mode 100644 index 0000000..00e2ab4 --- /dev/null +++ b/cbox-tree.d/usr/share/cryptobox/templates/show_status.cs @@ -0,0 +1,5 @@ + + +

+

+

diff --git a/cbox-tree.d/usr/share/doc/cryptobox/README b/cbox-tree.d/usr/share/doc/cryptobox/README new file mode 100644 index 0000000..7161412 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/README @@ -0,0 +1,24 @@ +$Id$ +CryptoBox version 0.3 + +1) Documentation +The documentation is available at https://systemausfall.org/trac/cryptobox/wiki/CryptoBoxUser + +2) Building a LiveCD +try: "scripts/cbox-build.sh release" +or look at the developer's documentation: https://systemausfall.org/trac/cryptobox/wiki/CryptoBoxDev + +3) Bug reporting +Use our issue tracker at https://systemausfall.org/trac/cryptobox/newticket + +4) Licence +All scripts are GPL code (v2.0 or above). +The documentation is licenced under "Creative Commons 2.5 share-alike" (http://creativecommons.org/licenses/by-sa/2.5/). + +5) Contributors +Clavdia Horvat, Tadej Brce & Dušan Rebolj - slovenian translation + +6) Contact +email: cryptobox@systemausfall.org + +The CryptoBox project is mainly driven by sense.lab (https://systemausfall.org/senselab). diff --git a/cbox-tree.d/usr/share/doc/cryptobox/README.Debian b/cbox-tree.d/usr/share/doc/cryptobox/README.Debian new file mode 100644 index 0000000..72c1a65 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/README.Debian @@ -0,0 +1,18 @@ +CryptoBox for Debian - installation notes + +1) additional dependencies +you need the following packages, which are not (yet) part of the main debian distribution: + * cryptsetup_luks - http://luks.endorphin.org/masses + * clearsilver for perl (>=0.9.14) - http://www.clearsilver.net/downloads/ + + +2) cgi-bin +If you do not use thttpd as your webserver, you should add the cgi-bin path to +your script directory. For apache this would be something like the following: +(file /etc/apache???/conf.d/cryptobox) +Alias /cryptobox-misc /var/www/cryptobox-misc +ScriptAlias /cryptobox /usr/lib/cgi-bin/cryptobox.pl + + +-- Lars Kruse Sun, 4 Dec 2005 21:05:45 +0100 + diff --git a/cbox-tree.d/usr/share/doc/cryptobox/changelog.Debian.gz b/cbox-tree.d/usr/share/doc/cryptobox/changelog.Debian.gz new file mode 100644 index 0000000..938ac74 Binary files /dev/null and b/cbox-tree.d/usr/share/doc/cryptobox/changelog.Debian.gz differ diff --git a/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz b/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz new file mode 100644 index 0000000..93d334e Binary files /dev/null and b/cbox-tree.d/usr/share/doc/cryptobox/changelog.gz differ diff --git a/cbox-tree.d/usr/share/doc/cryptobox/copyright b/cbox-tree.d/usr/share/doc/cryptobox/copyright new file mode 100644 index 0000000..5441f59 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/copyright @@ -0,0 +1,18 @@ +Copyright (c) 02005 sense.lab + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation, version 2. + +This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details. + +You should have received a copy of the GNU General Public License with +your Debian GNU/Linux system, in /usr/share/common-licenses/GPL, or with the +Debian GNU/Linux hello source package as the file COPYING. If not, +write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, +Boston, MA 02110-1301 USA + +$Id$ diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBox.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBox.html new file mode 100644 index 0000000..76e4f40 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBox.html @@ -0,0 +1,93 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Neuigkeiten
    2. +
  2. Überblick
    3. +
  3. Download
    4. +
  4. Spezifikation
    5. +
  5. Dokumentation
    6. +
  6. Entwicklung
    7. +
  7. Mitwirkende
    8. +
  8. Rechtliches
    9. +
  9. Kommentare
    10. +
+
+ +

+

Die CryptoBox

+

+English version +

+

Neuigkeiten

+

+Das erste Release der CryptoBox ist unter https://codecoop.org/projects/cryptobox/ verfügbar. +

+

Überblick

+

+Die CryptoBox ist eine Live-CD mit der sich jeder alte Rechner in Sekundenschnelle in einen verschlüsselnden Server umwandeln lässt. Damit kannst du sensible Daten speichern, ohne dass du etwas über Kryptografie wissen musst. +

+

Download

+

Spezifikation

+ +
SystemDebian GNU/Linux-basierte Live-CD +
benötigter Computer"ausrangierter" PC (i386 ab p1 mind. 32MB RAM) +
unterstützte Clients*nix; *bsd; Windows; Mac OS +
interner Fileserversamba (Netzwerkfreigaben) +
Benutzerschnittstelleper Browser bedienbares Web-Interface +
VerschlüsselungAES via device-mapper +
+

+Das Web-Interface der CryptoBox ünterstützt derzeit folgende Sprachen: +

+
  • deutsch +
  • englisch +
  • slowenisch +

+Du kannst gern weitere Übersetzungen in andere Sprachen hinzufügen (idealerweise utf-encodiert). +

+

Dokumentation

+

+Das Nutzerhandbuch ist unter CryptoBoxUser verfügbar. +

+

Entwicklung

+

+Beteilige dich an der Entwicklung der CryptoBox und werde reich und schön! ;)
+Nee im Ernst, wir freuen uns über jeden partizipierenden Menschen. Du wirst in einem entspannten Team reichlich Erfahrungen sammeln, eine nützliche Sache voranbringen und - wer weiß - vielleicht macht dich das auch schön. Schreib eine Mail an cryptobox[at]systemausfall.org und hab Spaß. +

+

+Probleme und Anregungen kannst du in unserer Fehlerdatenbank melden. +

+

+Die englischsprachige Entwickler-Doku findest du unter CryptoBoxDev. +

+

+Die Quell-Daten kannst du hier begutachten. +

+

+Für allgemeine Fragen, schreibe eine Email an cryptobox[at]systemausfall.org. +

+

Mitwirkende

+

+

  • Clavdia Horvat, Tadej Brce & Dušan Rebolj - slovenian translation +
  • http://codecoop.org - webspace +
+

+

Rechtliches

+
  1. Alle Skripte unterliegen der GPL - sie sind also quasi vollständig frei. +
  2. Die Dokumentation unterliegt einer Creative Commons-Lizenz, damit wird die Möglichkeit der freien Verbreitung des gesammelten Wissens gewährleistet. +
  3. Wir übernehmen keinerlei Haftung für eventuelle Folgen, die durch die Nutzung einer CryptoBox entstehen könnten. +
+

Kommentare

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDev.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDev.html new file mode 100644 index 0000000..33fc754 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDev.html @@ -0,0 +1,107 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Preparations for developers
    2. +
    1. Software requirements
      2. +
      1. Packages
        2. +
      2. Kernel
        3. +
    2. Get the source
      3. +
    3. First build
      4. +
    4. Finished
      5. +
    5. Comments
      6. +
    +
  2. Development workflow
    3. +
    1. Preparations
      2. +
    2. Create a CryptoBox-LiveCD
      3. +
      1. Build the base system
        2. +
      2. Configure the base image
        3. +
      3. Remove development features
        4. +
      4. Create an iso image
        5. +
      5. Burn the CD
        6. +
    3. Test the CryptoBox-LiveCD
      4. +
      1. Chroot: quick & dirty tests
        2. +
      2. Qemu: nearly complete emulation
        3. +
    4. Debugging and merging
      5. +
      1. Development on a running system
        2. +
      2. Uploading a new release
        3. +
    5. Comments
      6. +
    +
  3. Custom builds of the CryptoBox
    4. +
    1. Overview
      2. +
    2. Settings
      3. +
      1. dfsbuild settings
        2. +
      2. CryptoBox development configuration
        3. +
      3. SSH connection
        4. +
      4. qemu network configuration
        5. +
    3. Comments
      4. +
    +
  4. Custom configuration of the CryptoBox
    5. +
    1. Overview
      2. +
    2. Locations
      3. +
    3. Examples
      4. +
    4. Comments
      5. +
    +
  5. Validation of the CryptoBox
    6. +
    1. Overview
      2. +
    2. Validate
      3. +
    3. How to create a test
      4. +
    4. Comments
      5. +
    +
  6. Details of the CryptoBox
    7. +
    1. dfsbuild
      2. +
    2. the kernel
      3. +
    3. qemu
      4. +
    4. alternative LiveCDs
      5. +
    5. Comments
      6. +
    +
  7. Known problems
    8. +
    1. qemu
      2. +
      1. interleaved files not (yet) supported
        2. +
      2. smbd: segfault
        3. +
    2. Comments
      3. +
    +
+
+ +

+

+Navigation: ( CryptoBox/de, CryptoBox/en) + +

+
+

Development documentation

+

+The following pages are written for developers only.
+Users of the CryptoBox should read CryptoBoxUser instead. +

+

Source

+

+You may browse the source code. +

+

Contact

+

+We are waiting for your emails to cryptobox[at]systemausfall.org. +

+

Bug reports

+

+Please use our issue tracker, if you discover problems: https://systemausfall.org/trac/cryptobox/newticket +

+
+
+ + + diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevBackground.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevBackground.html new file mode 100644 index 0000000..57a5809 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevBackground.html @@ -0,0 +1,61 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. dfsbuild
    2. +
  2. the kernel
    3. +
  3. qemu
    4. +
  4. alternative LiveCDs
    5. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Details of the CryptoBox

+

dfsbuild

+

+The base system of the CryptoBox Live-CD is created by dfsbuild. +

+

+It is recommended to use some kind of caching tool for the retrieval of the debian packages (e.g.: apt-cacher, apt-proxy or approx). This saves a lot of bandwidth and time. +

+

+The documentation for dfsbuild is sparse. But it is quite unlikely, that you will get in direct contact with it, as it is wrapped by cbox-build. However the following links may help you for specific problems: +

+

the kernel

+

+The linux kernel for the CryptoBox is compiled statically. If you want to change it, you could follow this steps: +

+
  1. get the sources: apt-get install kernel-tree-2.6.11 (or the version of your choice) +
  2. copy the exisiting config file kernel/config-2.6.11 as .config into your kernel source directory +
  3. build the debian kernel package make-kpkg --revision=1.dfs --rootcmd=fakeroot kernel_image +
  4. change the kernel in the unpackdebs setting in dfs-cbox.conf (see CryptoBoxDevCustomBuild for details) +

qemu

+

+Qemu is a portable system emulator. It is a convenient tool to ease the development workflow, as you do not need to burn LiveCDs for testing. +

+

alternative LiveCDs

+

+We tried some other LiveCDs before we decided to use dfsbuild. The following pages describe their advantages and disadvantages as the base system for the CryptoBox: +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomBuild.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomBuild.html new file mode 100644 index 0000000..6607d93 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomBuild.html @@ -0,0 +1,85 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Settings
    3. +
    1. dfsbuild settings
      2. +
    2. CryptoBox development configuration
      3. +
    3. SSH connection
      4. +
    4. qemu network configuration
      5. +
  3. Comments
    4. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevBackground, CryptoBoxDevPreparation, CryptoBoxDevWorkFlow) + +

+
+

Custom builds of the CryptoBox

+

Overview

+

+The following sections are useful, if you want to change the default settings of your personal CryptoBox development environment. +

+

+You should have completed the steps described in CryptoBoxDevPreparation. +

+

Settings

+

dfsbuild settings

+

+All settings for dfsbuild can be found in etc-defaults.d/dfs-cbox.conf. +

+

+If you want to change any of them, you should do the following: +

+
  1. copy etc-defaults.d/dfs-cbox.conf file to etc-local.d/ +
  2. change etc-local.d/dfs-cbox.conf according to your needs +

+This allows you to use your own (personal) settings, without interfering with files under version control. +

+

CryptoBox development configuration

+

+Some settings regarding the building, configuring and validating of the CryptoBox can be found in etc-defaults.d/cbox-dev.conf. +

+

+If you want to change any of them, you should do the following: +

+
  1. copy etc-defaults.d/cbox-dev.conf file to etc-local.d/ +
  2. change etc-local.d/cbox-dev.conf according to your needs +

SSH connection

+

+The file ssh_config is used to establish a connection to a running CryptoBox system. +

+

+It can be necessary to change these settings, if: +

+
  • you do not want to use the default IP for the CryptoBox +
  • or the CryptoBox is not within your local network. +

+If you want to change some settings, you should do the following: +

+
  1. copy etc-defaults.d/ssh_config file to etc-local.d/ +
  2. change etc-local.d/ssh_config according to your needs +

qemu network configuration

+

+The file etc-defauolts.d/qemu-ifup is used for the CryptoBox emulation with qemu. See man qemu for details. +

+

+If you want to change some settings, you should do the following: +

+
  1. copy etc-defaults.d/qemu-ifup file to etc-local.d/ +
  2. change etc-local.d/qemu-ifup according to your needs +
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomConfigure.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomConfigure.html new file mode 100644 index 0000000..9b93359 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevCustomConfigure.html @@ -0,0 +1,60 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Locations
    3. +
  3. Examples
    4. +
  4. Comments
    5. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Custom configuration of the CryptoBox

+

Overview

+

+You may change nearly every aspect of the CryptoBox by using the custom configuration hook directory. +

+

+Any script inside of this directory will be executed after the default configuration procedure (see CryptoBoxDevWorkFlow). +

+

+The order of execution is defined by the names of the scripts (alphabetically). +

+

Locations

+

+Some example customization scripts can be found in configure-examples.d/. +

+

+You may put your scripts into configure-local.d/. They will be sourced by cbox-build.sh. +

+

Examples

+

+The examples in configure-examples.d/ can be copied to configure-local.d/ and adjusted to your needs. +

+ +
set_default_ipchange the default IP address of the CryptoBox +
set_default_languageset the default language +
set_default_timeoutset the default idle time for automatic unmounting +
set_hostnamechange the default hostname +
set_root_pwchange the password of root (only useful for a development CryptoBox) +
import_authorized_keysupload a ssh key for passwordless access to a development CryptoBox +
set_scan_deviceswhere to look for usable harddisks +
+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevKnownProblems.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevKnownProblems.html new file mode 100644 index 0000000..787bc2f --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevKnownProblems.html @@ -0,0 +1,39 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. qemu
    2. +
    1. interleaved files not (yet) supported
      2. +
    2. smbd: segfault
      3. +
  2. Comments
    3. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Known problems

+

qemu

+

interleaved files not (yet) supported

+

+You should update qemu to version 0.7 or higher. +

+

smbd: segfault

+

+This happens under certain circumstances. We do not know a solution for this problem. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevPreparation.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevPreparation.html new file mode 100644 index 0000000..64be90c --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevPreparation.html @@ -0,0 +1,77 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Software requirements
    2. +
    1. Packages
      2. +
    2. Kernel
      3. +
  2. Get the source
    3. +
  3. First build
    4. +
  4. Finished
    5. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevCustomBuild, CryptoBoxDevWorkFlow) + +

+
+

Preparations for developers

+

Software requirements

+

Packages

+

+We use Debian as our development environment. This was a natural choice, as the CryptoBox-LiveCD is also based on Debian. Other distributions should work too, of course - your mileage may vary. +

+

+required: +

+

+recommended: +

+

Kernel

+

+If you want to use qemu to test your CryptoBox in a virtual environment, then you will need the tun/tap kernel feature. +

+
CONFIG_TUN=m
+

Get the source

+

+Download the latest release from our subversion-Repository: +

+
svn checkout https://svn.systemausfall.org/svn/cryptobox/trunk
+

First build

+

+run scripts/cbox-build.sh release as root - hopefully, there should be no errors :) +

+

+Hint: This step will fail, if you did not install apt-cacher. See CryptoBoxDevCustomBuild for details on how to change the build-configuration settings (in this case: mirror in dfs-cbox.conf). +

+

Finished

+

+Now you can start to pariticipate in the development of the CryptoBox or simply customize your own CryptoBox-LiveCD. +

+

+See CryptoBoxDevWorkFlow for details of how to use the developer's tools of the CryptoBox. +

+

+CryptoBoxDevCustomBuild shows some examples for local customizations of the CryptoBox. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevValidation.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevValidation.html new file mode 100644 index 0000000..9276cd0 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevValidation.html @@ -0,0 +1,78 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Validate
    3. +
  3. How to create a test
    4. +
  4. Comments
    5. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Validation of the CryptoBox

+

Overview

+

+The validation feature helps you to check the programming logic of the CryptoBox. A lot of test cases are defined to verify as many functions of the CryptoBox as possible. +

+

+The requests are processed with curl. +

+

+The received web page is saved to allow a later design review or css debugging. +

+

+The current state of the CryptoBox is represented by ten single values (e.g.: box is configured, IP of the box, current language setting, ...), which are invisibly a part of each html page (as comments). The returned status of every request is compared to the predicted value of the test case. +

+

+Similar test cases are pooled into test groups (e.g.: initialization, configuration and mounting). +

+

Validate

+

+Run scripts/validate.sh] to conduct all tests of all groups. See scripts/validate.sh help for other actions. +

+

+The results will be saved in validation/report. +

+

+In addition to every single retrieved page, a html page called summary-?.html is created, which contains the state checks of all tests in a group. +

+

How to create a test

+

+All test cases can be found in validation/test-cases. +

+

+Every test consists of the following files: +

+ +
input.curlthe configuration file for the curl request +
outputthe predicted state of the CryptoBox after the call +
descriptiona short description of the test (will be used for the summary) +
delay[optional] time to wait after this test +
+

+Use the existing test cases as templates for new tests. +

+

+Read validation/test-cases/README for details. +

+

+Every logical path of the web interface CGI should be validated by a test case. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevWorkFlow.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevWorkFlow.html new file mode 100644 index 0000000..85f73ec --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxDevWorkFlow.html @@ -0,0 +1,151 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Preparations
    2. +
  2. Create a CryptoBox-LiveCD
    3. +
    1. Build the base system
      2. +
    2. Configure the base image
      3. +
    3. Remove development features
      4. +
    4. Create an iso image
      5. +
    5. Burn the CD
      6. +
  3. Test the CryptoBox-LiveCD
    4. +
    1. Chroot: quick & dirty tests
      2. +
    2. Qemu: nearly complete emulation
      3. +
  4. Debugging and merging
    5. +
    1. Development on a running system
      2. +
    2. Uploading a new release
      3. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevCustomConfigure, CryptoBoxDevPreparation) + +

+
+

Development workflow

+

Preparations

+

+You should have completed the steps described in CryptoBoxDevPreparation. +

+

Create a CryptoBox-LiveCD

+

+The following steps can be executed in the order of their appearance. +

+

+Usually there is no need to repeat the whole process, after you changed some parts of the CryptoBox. Especially the first step (building of the base system with dfsbuild) may usually be skipped. +

+

+Every step of the building process must be executed as root. +

+

Build the base system

+

+Run scripts/cbox-build.sh dfsbuild to create the base system for the LiveCD. +

+

+The result can be found in _builddir/cd1/image. +

+

+If you do not want to use the apt-cacher to save bandwidth and time, then you should modify the mirror-setting in dfs-cbox.conf (see CryptoBoxDevCustomBuild for details). +

+

Configure the base image

+

+Run scripts/cbox-build.sh config to copy the CryptoBox-specific files to the base image. +

+

+TODO: link to cbox-build.sh-manpage +

+

Remove development features

+

+The original base system, that was created by dfsbuild contains a lot packages and some scripts, that are only useful during development. You should remove them, as they cause severe security implications. +

+

+To reduce the CryptoBox-LiveCD to the usable minimum for operational use, you should run scripts/cbox-build.sh harden. +

+

Create an iso image

+

+To burn a CryptoBox-LiveCD, you need an bootable iso9660-image. +

+

+Create the iso image with scripts/cbox-build.sh iso. The resulting file can be found at _builddir/cd1/cryptobox.iso. +

+

Burn the CD

+

+Do it manually: +

+
cdrecord -v dev=0,0,0 _builddir/cryptobox.iso
+

+(change the dev setting according to your setup). +

+

+Let the script do it for you: scripts/cbox-build.sh burn (maybe you have to change the CDWRITER setting in cbox-dev.conf - see CryptoBoxDevCustomBuild). +

+

+Of course, it is not wise to use CD-R media. CD-RW consume less resources. +

+

Test the CryptoBox-LiveCD

+

+This section is only useful for developers, who want to improve or change the CryptoBox system. +

+

Chroot: quick & dirty tests

+

+If you modified the perl- or shell-scripts of the CryptoBox, then you can check for syntax errors by running them in a chroot environment. Be careful: you have access to all ressources of your computer, while you are working within a chroot environment - so you can easily repartition your real disk ... +

+

+To start a chroot environment, you can execute scripts/cbox-dev.sh chroot. +

+

+For more intensive tests, you may use qemu (see below) or burn real LiveCDs - of course this would take much more time. +

+

Qemu: nearly complete emulation

+

+The processor emulator qemu allows you test the CryptoBox in a virtual environment, that is completely separated from your real computer's resources. It is the tool of choice, if you do nat have a real computer around for testing. +

+

+Beware - there are some problems, when using qemu: +

+
  • smbd does not start (segfault) +
  • ??? +

+To start a qemu emulation of the iso image, you may type: +

+
scripts/cbox-dev.sh qemu
+

Debugging and merging

+

+This section is only useful for developers, who want to develop on a running CryptoBox system (emulated or real). +

+

+You may access the CryptoBox directly or you can use ssh to open a remote session: +

+
./cbox-dev.sh ssh
+

Development on a running system

+

+When you run an emulation or test a real LiveCD, you may encounter problems and bugs. To test your fixes for these problems, it is convenient, to change the running test system. Afterwards you can merge these changes to your local development copy. +

+

+Type scripts/cbox-dev.sh diff to see the changes, you made on the running CryptoBox system. +

+

+Type scripts/cbox-dev.sh merge to merge these changes to your local working copy. +

+

Uploading a new release

+

+Alternatively you may also upload a new version of your local working copy to the running CryptoBox system. +

+

+Type scripts/cbox-dev.sh upload - beware: all recent changes you made to the running CryptoBox system, are lost. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUser.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUser.html new file mode 100644 index 0000000..17ebd31 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUser.html @@ -0,0 +1,59 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Wie geht es los
    2. +
    1. Erste Schritte
      2. +
    2. Hinweise / Fallstricke
      3. +
    3. Kommentare
      4. +
    +
  2. Die Konfiguration deiner CryptoBox
    3. +
    1. Überblick
      2. +
    2. Vorwort
      3. +
    3. Initialisierung
      4. +
    4. Konfiguration
      5. +
    5. Hinweise / Fallstricke
      6. +
    6. Kommentare
      7. +
    +
  3. Tägliche Nutzung
    4. +
    1. Aktivieren des verschlüsselten Dateisystems
      2. +
    2. Zugriff auf die verschlüsselten Daten
      3. +
    3. Abschalten des verschlüsselten Dateisystems
      4. +
    4. Abschaltung der CryptoBox
      5. +
    5. Notfall-Abschaltung
      6. +
    6. Fragen und Antworten
      7. +
    7. Kommentare
      8. +
    +
+
+ +

+

+Navigation: ( CryptoBox/de) + +

+
+

Nutzerhandbuch

+

+Die folgenden Seiten beschreiben die Nutzung der CryptoBox. +

+

+Die online-Version dieses Handbuchs ist ein Wiki. Das bedeutet, dass du diese Seiten verändern kannst. Falls du also Fragen oder Anregungen hast, schreibe bitte deine Anmerkungen in den Kommentar-Abschnitt am Ende der jeweiligen Seite. Die Entwickler werden deine Fragen beantworten und das Handbuch schnellstmöglich aktualisieren. Auf diese Art und Weise kannst du die Nutzbarkeit der CryptoBox für alle Nutzer verbessern! +

+
  1. CryptoBoxUserGettingStarted -- die Vorbereitung der Hardware +
  2. CryptoBoxUserConfiguration -- die Einrichtung deines neuen verschlüsselten Dateiservers +
  3. CryptoBoxUserDailyUse -- die tägliche Nutzung der CryptoBox +

+Die online-Version dieses Handbuchs befindet sich unter https://systemausfall.org/trac/cryptobox/wiki/CryptoBoxUser/de. +

+
+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserConfiguration.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserConfiguration.html new file mode 100644 index 0000000..fccc749 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserConfiguration.html @@ -0,0 +1,109 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Überblick
    2. +
  2. Vorwort
    3. +
  3. Initialisierung
    4. +
  4. Konfiguration
    5. +
  5. Hinweise / Fallstricke
    6. +
  6. Kommentare
    7. +
+
+ +

+

+Navigation: ( CryptoBoxUser/de) + +

+
+

Die Konfiguration deiner CryptoBox

+

Überblick

+

+Alle Funktionen der CryptoBox können durch das komfortable Web-Interface bedient werden. Zur Erst-Einrichtung der CryptoBox folge einfach den folgenden Schritten. +

+

+Falls du in Eile bist, kannst du das Vorwort überspringen. +

+

+Die Initialisierung erklärt die Einrichtung der Festplatte. Dieser Schritt ist nur bei der ersten Einrichtung oder nach einem Festplattenwechsel notwendig. +

+

+Im Konfigurations-Abschnitt werden die verfügbaren Einstellungen der CryptoBox beschrieben. Hier kannst du beispielsweise die Sprache des Web-Interfaces oder die Netzwerkadresse deiner CryptoBox einstellen. +

+

+Vergiss nicht, auch den Hinweise/Fallstricke-Abschnitt zu lesen. +

+

Vorwort

+

+Du bist den Anweisungen aus CryptoBoxUserGettingStarted gefolgt und sitzt nun vor deinem Arbeits-Rechner. Nun kannst du in deinem Web-Browser das Web-Interface der CryptoBox ansteuern: https://192.168.0.23. +

+

+Bevor du Daten auf deiner CryptoBox speichern kannst, muss die Festplatte mit einem verschlüsselten Dateisystem versehen werden. Das klingt kompliziert, ist jedoch mit einem Klick erledigt. :) +

+

Initialisierung

+

+Klicke auf Initialisierung in der Menü-Zeile. +

+

+Jetzt wirst du zur Eingabe zweier Passworte aufgefordert (jeweils mit Wiederholung - zum Training deiner Tipp-Fertigkeiten ;)). +

+

+de_init.png +

+
  • Das erste Passwort ist das Administrations-Password. +
    • Es schützt die Konfiguration deiner CryptoBox. +
    • Dies ist notwendig, um zu verhindern, dass jemand unerlaubt die Daten auf deiner CryptoBox durch eine erneute Initialisierung löscht. +
    • Wahrscheinlich wirst du dieses Passwort nie wieder benötigen. +
    • Du kannst das Administrations-Passwort leer lassen - dies wird jedoch nicht empfohlen. +
  • Das Crypto-Passwort ist wesentlich wichtiger, da es der einzige Schutz der Daten auf der verschlüsselten Festplatte ist. Wähle es mit Sorgfalt! +
    • Du benötigst es, um auf deine Daten zuzugreifen. +
    • Ein sicheres Passwort sollte aus mindestens 15 Zeichen (einschließlich Ziffern und Sonderzeichen) bestehen. Die Sicherheit deiner Daten steht und fällt mit der Qualität dieses Passworts. +
  • Um dich daran zu erinnern, dass dieser Schritt die Festplatte der CryptoBox komplett löschen wird, musst du den angezeigten roten Warnhinweis im letzten Formularfeld eingeben. +
  • Nun kannst du die Initialisierung durch einen Klick auf Initialisiere die CryptoBox abschließen. +

+Das war es dann auch schon. Kryptographie war wohl nie einfacher zu verwenden, oder? ;) +

+

+Der Initialisierungsvorgang läuft nun im Hintergrund ab und wird nach wenigen Minuten (abhängig von der Größe deiner Festplatte) abgeschlossen. +

+

Konfiguration

+

+Im Gegensatz zur Initialisierung, die nur einmal durchgeführt werden muss, kannst du die Konfiguration jederzeit deinen Wünschen anpassen. Dazu klickst du einfach auf Konfiguration in der Menü-Zeile des Web-Interfaces. Nun wird dir ein Formular mit vier Feldern präsentiert: +

+

+de_config.png +

+
  • Falls du ein Administrator-Passwort während der Initialisierung festgelegt hast, musst du es nun eingeben. Andernfalls wird dieses Formularfeld nicht angezeigt. +
  • Du kannst die voreingestellte Netzwerk-Adresse (IP) verändern, falls sie nicht zu deiner Netzwerk-Struktur passt. +
  • Die Zeitabschaltung sorgt dafür, dass nach einer festgelegten Dauer von Inaktivität (in Minuten), das Crypto-Dateisystem deaktiviert wird (damit sind deine Daten wieder geschützt). Laufende Dateiübertragungen werden dadurch natürlich nicht gestört. +
    • Es ist ratsam, eine kurze Abschalt-Zeit einzustellen (wenige Minuten). +
    • Der Wert 0 deaktiviert die automatische Abschaltung. +
  • Die Sprache ist der Standard für alle Nutzer des CryptoBox-Web-Interfaces. Sie kann individuell durch die Sprach-Links am rechten oberen Bildschirmrand überschrieben werden. +

+Speichere deine neuen Einstellungen durch einen Klick auf Speichere Konfiguration. +

+

+Das ist alles - deine CryptoBox ist jetzt bereit für die tägliche Nutzung! +

+

Hinweise / Fallstricke

+
  • Alle Daten auf der Festplatte in der CryptoBox werden bei der Initialisierung gelöscht. +
  • Die Passworte müssen jeweils zweimal eingegeben werden, um die Gefahr von Tipp-Fehlern zu vermindern. +
  • Das optionale Administrations-Passwort ist nur für die Konfiguration oder eine erneute Initialisierung erforderlich. +
  • Das Crypto-Passwort beschützt deine sensiblen Daten. +
  • Falls die CryptoBox nicht über die Adresse 192.168.0.23 erreichbar ist, musst du die Netzwerk-Adresse deines Arbeits-Rechners für die Dauer der Initialisierung der CryptoBox vorübergehend ändern. +

+zurück zu CryptoBoxUser +

+
+

Kommentare

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserDailyUse.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserDailyUse.html new file mode 100644 index 0000000..7647341 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserDailyUse.html @@ -0,0 +1,124 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Aktivieren des verschlüsselten Dateisystems
    2. +
  2. Zugriff auf die verschlüsselten Daten
    3. +
  3. Abschalten des verschlüsselten Dateisystems
    4. +
  4. Abschaltung der CryptoBox
    5. +
  5. Notfall-Abschaltung
    6. +
  6. Fragen und Antworten
    7. +
  7. Kommentare
    8. +
+
+ +

+

+Navigation: ( CryptoBoxUser/de, CryptoBoxUserConfiguration/de) + +

+
+

Tägliche Nutzung

+

Aktivieren des verschlüsselten Dateisystems

+

+Du kannst dein verschlüsseltes Dateisystem mit folgenden Schritten aktivieren: +

+
  • Wähle mit deinem Web-Browser die Adresse deiner CryptoBox an. Die Voreinstellung ist https://192.168.0.23. +
  • Klicke auf Aktivieren der Crypto-Daten. Daraufhin erscheint ein Formular zur Eingabe des Crypto-Passworts. +
  • Gib dein Crypto-Passwort ein und klicke auf die darunterliegende Schaltfläche. +

+de_mount.png +

+

+Nun ist das verschlüsselte Dateisystem verfügbar. Um es zu nutzen, suche in deiner Netzwerkumgebung nach der Netzwerk-Adresse deiner CryptoBox (Voreinstellung: 192.168.0.23). Nun kannst du das Netzlaufwerk wie üblich verwenden. +

+

Zugriff auf die verschlüsselten Daten

+

Linux - Kommandozeile

+

+Um als normaler Nutzer auf die Crypto-Partition zuzugreifen, solltest du folgende Zeile zur /etc/fstab hinzufügen: +

+
//192.168.0.23/public   /mnt/    smbfs   defaults,noexec,noauto,user,guest      0       0
+

+Nun kannst du die Crypto-Partition nach /mnt mounten: +

+
mount /mnt/
+

+bzw. unmounten: +

+
smbumount /mnt
+

Windows

+

+Starte den Windows Explorer und wähle im Menü unter Extras die Option Netzlaufwerke verbinden aus. +

+

+de_w98_network_drive.png +

+

+Trage unter Pfad die Adresse des Verzeichnisse der CryptoBox ein, auf das du zugreifen willst (Standard: \\192.168.0.23\public). Soll die Verbindung beim jedem Start von Windows wiederhergestellt werden, aktiviere Verbindung beim Start wiederherstellen. +

+

+Nun kannst du auf das verschlüsselte Dateisystem wie jedes andere Laufwerk benutzen. +

+

Abschalten des verschlüsselten Dateisystems

+

+Du kannst das verschlüsselte Dateisystem abschalten, indem du in der Menü-Zeile des Web-Interfaces der CryptoBox auf Deaktivierung der Crypto-Daten klickst. +

+

+Deine Daten sind nun wieder vor jedem Zugriff geschützt. +

+

Abschaltung der CryptoBox

+

+Klicke auf System in der Menü-Zeile des Web-Interfaces. Nun kannst du zwischen Abschaltung und Neustart wählen. Die Abschaltung dauert einige Sekunden. +

+

+Falls dein CryptoBox-Rechner relativ neu ist (ungefähr ab Baujahr 02000), wird er sich nun selbständig abschalten. Andernfalls musst du dies per Hand tun. +

+

Notfall-Abschaltung

+

+Falls du deine Daten wirklich schnell vor neugierigen Augen schützen musst, dann ziehe einfach den Stecker der CryptoBox. Dies ist nicht besonders sauber und kann (in sehr seltenen Ausnahmefällen) geöffnete Dateien beschädigen. Es ist jedoch die schnellste Methode zur Sicherung deiner Daten vor unbefugtem Zugriff. +

+

+zurück zu CryptoBoxUser +

+
+

Fragen und Antworten

+

Windows: Netzlaufwerk kann nicht verbunden werden

+

+de_w98_not_logged_in.png +

+

+Erscheint diese Fehlermeldung, hast du dich beim Start von Windows nicht angemeldet bzw. das Anmeldefenster mit der Taste Esc (Escape) verschwinden lassen. Klicke auf Start und Abmelden und melde dich neu an - sobald das Anmeldefenster erscheint, klicke auf OK: +

+

+de_w98_login.png +

+

Linux: only root can unmount //192.168.0.23/public

+

+Das Unmounten der Crypto-Partition mit umount funktioniert nicht. +

+

+Lösung: Verwende stattdessen: +

+
smbumount /mnt
+

Linux: Operation not permitted / smbmnt failed: 1

+

+Der Versuch die Partition als normaler Nutzer zu mounten schlägt fehl: +

+
cannot mount on /mnt/: Operation not permitted
+smbmnt failed: 1
+

+Lösung: Das Mount-Verzeichnis muss dem selben Nutzer gehören, der den mount-Befehl ausführt (bspw. phil): +

+
chown phil. /mnt
+
+

Kommentare

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserGettingStarted.html b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserGettingStarted.html new file mode 100644 index 0000000..3c74e14 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/de/CryptoBoxUserGettingStarted.html @@ -0,0 +1,57 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Erste Schritte
    2. +
  2. Hinweise / Fallstricke
    3. +
  3. Kommentare
    4. +
+
+ +

+

+Navigation: ( CryptoBoxUser/de, CryptoBoxUserConfiguration/de) + +

+
+

Wie geht es los

+

Erste Schritte

+

+Die CryptoBox ist schnell aufgebaut: +

+
  1. Du brauchst einen alten Computer (mindestens 100MHZ, 48MB RAM) (Faustregel: nach 1996 gekauft). Dazu eine passende Netzwerkkarte, ein CD-ROM Laufwerk und eine riesige Festplatte. +
    • Die Festplatte muss nicht riesig sein, je nachdem was du speichern willst, reicht auch 'ne kleine ;) +
    • Du brauchst keinen Monitor, keine Tastatur und keine Maus, um die CryptoBox zu benutzen (bzw. nur für die Erst-Einrichtung). +
    • Du kannst natürlich einen schnelleren Rechner verwenden - der unbedeutende Performance-Zuwachs wird jedoch wohl nicht durch den erhöhten Energiebedarf gerechtfertigt. +
  2. Lade die aktuellste Version der CryptoBox als iso-image herunter und brenne dieses auf einen CD-Rohling. +
  3. Konfiguriere den PC, so dass er vom CD Laufwerk bootet. Dazu solltest du im BIOS als "boot device" "CD-ROM" einstellen. +
  4. Pack die frisch gebrannte CryptoBox CD ins Laufwerk und starte den Computer. +

+Wenn der Computer jetzt von der CD startet, hast du alle Anforderungen erfüllt. +

+

+Du kannst nun zu deinem Arbeits-Rechner in demselben Netzwerk gehen und "https://192.168.0.23" ansurfen. Dort sollte die CryptoBox-Konfigurationsseite erscheinen. Ist doch kinderleicht, oder? +

+

+Die weiteren Schritte werden unter CryptoBoxUserConfiguration beschrieben. +

+

Hinweise / Fallstricke

+
  • Eventuell musst du für die Einrichtung der CryptoBox kurzzeitig deine Netzwerkaddresse (IP) ändern. Falls du nicht weißt, wie und warum, dann frage jemanden um Rat ... (wahrscheinlich klappt es aber ohne Änderungen) +
  • Falls du eine neue Festplatte kaufen willst, beachte, dass alte PCs nicht mit modernen Festplattengrößen klarkommen. +
  • Einige alte PCs können nicht vom CD-ROM-Laufwerk booten. +
  • Falls dir der Begriff "BIOS" nichts sagt, bitte Menschen um Hilfe, bevor du was veränderst ;) +
  • Vergiss nicht, den CryptoBox-Rechner ans Netzwerk anzuschliessen! +
  • Du brauchst einen Monitor und eine Tastatur für die Konfiguration des BIOS. +
+

Kommentare

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBox.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBox.html new file mode 100644 index 0000000..c87150c --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBox.html @@ -0,0 +1,89 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. News
    2. +
  2. Overview
    3. +
  3. Download
    4. +
  4. Specs
    5. +
  5. Documentation
    6. +
  6. Development
    7. +
  7. Acknowledgements
    8. +
  8. Legal stuff
    9. +
  9. Comments
    10. +
+
+ +

+

The CryptoBox

+

+deutsche Version +

+

News

+

+The first release of the CryptoBox is available at https://codecoop.org/projects/cryptobox/ +

+

Overview

+

+The CryptoBox is a Debian/Linux based live-cd. This CD boots up, starting a secure fileserver. Even non-technical users are able to store their data on its encrypted harddisk. There is no special knowledge about cryptography or servers required at all. +

+

Download

+

Specs

+ +
systemDebian/Linux based Live-CD +
needed hardware "outdated" PC (i386 p1-100 32MB RAM minimum) +
supported clients*nix; *bsd; Windows; Mac OS +
fileserversamba (network shares) +
userinterfacefully remote controlled via webbrowser +
encryptionAES via device-mapper +
+

+The web interface of the CryptoBox supports the following languages: +

+
  • English +
  • German +
  • Slovenian +

+Feel free to contribute a translation for another language (preferably utf-encoded). +

+

Documentation

+

+The user documentation has its home at CryptoBoxUser. +

+

Development

+

+Take a look at the developer's documentation at CryptoBoxDev. +

+

+Report bugs to https://systemausfall.org/trac/cryptobox/newticket. +

+

+Browse the source code. +

+

+Anything else? Write us an email: cryptobox[at]systemausfall.org +

+

Acknowledgements

+

+

  • Clavdia Horvat, Tadej Brce & Dušan Rebolj - slovenian translation +
  • http://codecoop.org - webspace +
+

+

Legal stuff

+
  1. All scripts are GPL licensed +
  2. The documentation is licensed under a Creative Commons License +
  3. We do not take any warranty for the functionality or usability of the CryptoBox. +
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDev.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDev.html new file mode 100644 index 0000000..ced5e8a --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDev.html @@ -0,0 +1,107 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Preparations for developers
    2. +
    1. Software requirements
      2. +
      1. Packages
        2. +
      2. Kernel
        3. +
    2. Get the source
      3. +
    3. First build
      4. +
    4. Finished
      5. +
    5. Comments
      6. +
    +
  2. Development workflow
    3. +
    1. Preparations
      2. +
    2. Create a CryptoBox-LiveCD
      3. +
      1. Build the base system
        2. +
      2. Configure the base image
        3. +
      3. Remove development features
        4. +
      4. Create an iso image
        5. +
      5. Burn the CD
        6. +
    3. Test the CryptoBox-LiveCD
      4. +
      1. Chroot: quick & dirty tests
        2. +
      2. Qemu: nearly complete emulation
        3. +
    4. Debugging and merging
      5. +
      1. Development on a running system
        2. +
      2. Uploading a new release
        3. +
    5. Comments
      6. +
    +
  3. Custom builds of the CryptoBox
    4. +
    1. Overview
      2. +
    2. Settings
      3. +
      1. dfsbuild settings
        2. +
      2. CryptoBox development configuration
        3. +
      3. SSH connection
        4. +
      4. qemu network configuration
        5. +
    3. Comments
      4. +
    +
  4. Custom configuration of the CryptoBox
    5. +
    1. Overview
      2. +
    2. Locations
      3. +
    3. Examples
      4. +
    4. Comments
      5. +
    +
  5. Validation of the CryptoBox
    6. +
    1. Overview
      2. +
    2. Validate
      3. +
    3. How to create a test
      4. +
    4. Comments
      5. +
    +
  6. Details of the CryptoBox
    7. +
    1. dfsbuild
      2. +
    2. the kernel
      3. +
    3. qemu
      4. +
    4. alternative LiveCDs
      5. +
    5. Comments
      6. +
    +
  7. Known problems
    8. +
    1. qemu
      2. +
      1. interleaved files not (yet) supported
        2. +
      2. smbd: segfault
        3. +
    2. Comments
      3. +
    +
+
+ +

+

+Navigation: ( CryptoBox/de, CryptoBox/en) + +

+
+

Development documentation

+

+The following pages are written for developers only.
+Users of the CryptoBox should read CryptoBoxUser instead. +

+

Source

+

+You may browse the source code. +

+

Contact

+

+We are waiting for your emails to cryptobox[at]systemausfall.org. +

+

Bug reports

+

+Please use our issue tracker, if you discover problems: https://systemausfall.org/trac/cryptobox/newticket +

+
+
+ + + diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevBackground.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevBackground.html new file mode 100644 index 0000000..3e12ac3 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevBackground.html @@ -0,0 +1,61 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. dfsbuild
    2. +
  2. the kernel
    3. +
  3. qemu
    4. +
  4. alternative LiveCDs
    5. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Details of the CryptoBox

+

dfsbuild

+

+The base system of the CryptoBox Live-CD is created by dfsbuild. +

+

+It is recommended to use some kind of caching tool for the retrieval of the debian packages (e.g.: apt-cacher, apt-proxy or approx). This saves a lot of bandwidth and time. +

+

+The documentation for dfsbuild is sparse. But it is quite unlikely, that you will get in direct contact with it, as it is wrapped by cbox-build. However the following links may help you for specific problems: +

+

the kernel

+

+The linux kernel for the CryptoBox is compiled statically. If you want to change it, you could follow this steps: +

+
  1. get the sources: apt-get install kernel-tree-2.6.11 (or the version of your choice) +
  2. copy the exisiting config file kernel/config-2.6.11 as .config into your kernel source directory +
  3. build the debian kernel package make-kpkg --revision=1.dfs --rootcmd=fakeroot kernel_image +
  4. change the kernel in the unpackdebs setting in dfs-cbox.conf (see CryptoBoxDevCustomBuild for details) +

qemu

+

+Qemu is a portable system emulator. It is a convenient tool to ease the development workflow, as you do not need to burn LiveCDs for testing. +

+

alternative LiveCDs

+

+We tried some other LiveCDs before we decided to use dfsbuild. The following pages describe their advantages and disadvantages as the base system for the CryptoBox: +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomBuild.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomBuild.html new file mode 100644 index 0000000..b975168 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomBuild.html @@ -0,0 +1,85 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Settings
    3. +
    1. dfsbuild settings
      2. +
    2. CryptoBox development configuration
      3. +
    3. SSH connection
      4. +
    4. qemu network configuration
      5. +
  3. Comments
    4. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevBackground, CryptoBoxDevPreparation, CryptoBoxDevWorkFlow) + +

+
+

Custom builds of the CryptoBox

+

Overview

+

+The following sections are useful, if you want to change the default settings of your personal CryptoBox development environment. +

+

+You should have completed the steps described in CryptoBoxDevPreparation. +

+

Settings

+

dfsbuild settings

+

+All settings for dfsbuild can be found in etc-defaults.d/dfs-cbox.conf. +

+

+If you want to change any of them, you should do the following: +

+
  1. copy etc-defaults.d/dfs-cbox.conf file to etc-local.d/ +
  2. change etc-local.d/dfs-cbox.conf according to your needs +

+This allows you to use your own (personal) settings, without interfering with files under version control. +

+

CryptoBox development configuration

+

+Some settings regarding the building, configuring and validating of the CryptoBox can be found in etc-defaults.d/cbox-dev.conf. +

+

+If you want to change any of them, you should do the following: +

+
  1. copy etc-defaults.d/cbox-dev.conf file to etc-local.d/ +
  2. change etc-local.d/cbox-dev.conf according to your needs +

SSH connection

+

+The file ssh_config is used to establish a connection to a running CryptoBox system. +

+

+It can be necessary to change these settings, if: +

+
  • you do not want to use the default IP for the CryptoBox +
  • or the CryptoBox is not within your local network. +

+If you want to change some settings, you should do the following: +

+
  1. copy etc-defaults.d/ssh_config file to etc-local.d/ +
  2. change etc-local.d/ssh_config according to your needs +

qemu network configuration

+

+The file etc-defauolts.d/qemu-ifup is used for the CryptoBox emulation with qemu. See man qemu for details. +

+

+If you want to change some settings, you should do the following: +

+
  1. copy etc-defaults.d/qemu-ifup file to etc-local.d/ +
  2. change etc-local.d/qemu-ifup according to your needs +
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomConfigure.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomConfigure.html new file mode 100644 index 0000000..c823caf --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevCustomConfigure.html @@ -0,0 +1,60 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Locations
    3. +
  3. Examples
    4. +
  4. Comments
    5. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Custom configuration of the CryptoBox

+

Overview

+

+You may change nearly every aspect of the CryptoBox by using the custom configuration hook directory. +

+

+Any script inside of this directory will be executed after the default configuration procedure (see CryptoBoxDevWorkFlow). +

+

+The order of execution is defined by the names of the scripts (alphabetically). +

+

Locations

+

+Some example customization scripts can be found in configure-examples.d/. +

+

+You may put your scripts into configure-local.d/. They will be sourced by cbox-build.sh. +

+

Examples

+

+The examples in configure-examples.d/ can be copied to configure-local.d/ and adjusted to your needs. +

+ +
set_default_ipchange the default IP address of the CryptoBox +
set_default_languageset the default language +
set_default_timeoutset the default idle time for automatic unmounting +
set_hostnamechange the default hostname +
set_root_pwchange the password of root (only useful for a development CryptoBox) +
import_authorized_keysupload a ssh key for passwordless access to a development CryptoBox +
set_scan_deviceswhere to look for usable harddisks +
+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevKnownProblems.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevKnownProblems.html new file mode 100644 index 0000000..abe55bd --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevKnownProblems.html @@ -0,0 +1,39 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. qemu
    2. +
    1. interleaved files not (yet) supported
      2. +
    2. smbd: segfault
      3. +
  2. Comments
    3. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Known problems

+

qemu

+

interleaved files not (yet) supported

+

+You should update qemu to version 0.7 or higher. +

+

smbd: segfault

+

+This happens under certain circumstances. We do not know a solution for this problem. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevPreparation.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevPreparation.html new file mode 100644 index 0000000..e8a78d7 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevPreparation.html @@ -0,0 +1,77 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Software requirements
    2. +
    1. Packages
      2. +
    2. Kernel
      3. +
  2. Get the source
    3. +
  3. First build
    4. +
  4. Finished
    5. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevCustomBuild, CryptoBoxDevWorkFlow) + +

+
+

Preparations for developers

+

Software requirements

+

Packages

+

+We use Debian as our development environment. This was a natural choice, as the CryptoBox-LiveCD is also based on Debian. Other distributions should work too, of course - your mileage may vary. +

+

+required: +

+

+recommended: +

+

Kernel

+

+If you want to use qemu to test your CryptoBox in a virtual environment, then you will need the tun/tap kernel feature. +

+
CONFIG_TUN=m
+

Get the source

+

+Download the latest release from our subversion-Repository: +

+
svn checkout https://svn.systemausfall.org/svn/cryptobox/trunk
+

First build

+

+run scripts/cbox-build.sh release as root - hopefully, there should be no errors :) +

+

+Hint: This step will fail, if you did not install apt-cacher. See CryptoBoxDevCustomBuild for details on how to change the build-configuration settings (in this case: mirror in dfs-cbox.conf). +

+

Finished

+

+Now you can start to pariticipate in the development of the CryptoBox or simply customize your own CryptoBox-LiveCD. +

+

+See CryptoBoxDevWorkFlow for details of how to use the developer's tools of the CryptoBox. +

+

+CryptoBoxDevCustomBuild shows some examples for local customizations of the CryptoBox. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevValidation.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevValidation.html new file mode 100644 index 0000000..2511b22 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevValidation.html @@ -0,0 +1,78 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Validate
    3. +
  3. How to create a test
    4. +
  4. Comments
    5. +
+
+ +

+

+Navigation: ( CryptoBoxDev) + +

+
+

Validation of the CryptoBox

+

Overview

+

+The validation feature helps you to check the programming logic of the CryptoBox. A lot of test cases are defined to verify as many functions of the CryptoBox as possible. +

+

+The requests are processed with curl. +

+

+The received web page is saved to allow a later design review or css debugging. +

+

+The current state of the CryptoBox is represented by ten single values (e.g.: box is configured, IP of the box, current language setting, ...), which are invisibly a part of each html page (as comments). The returned status of every request is compared to the predicted value of the test case. +

+

+Similar test cases are pooled into test groups (e.g.: initialization, configuration and mounting). +

+

Validate

+

+Run scripts/validate.sh] to conduct all tests of all groups. See scripts/validate.sh help for other actions. +

+

+The results will be saved in validation/report. +

+

+In addition to every single retrieved page, a html page called summary-?.html is created, which contains the state checks of all tests in a group. +

+

How to create a test

+

+All test cases can be found in validation/test-cases. +

+

+Every test consists of the following files: +

+ +
input.curlthe configuration file for the curl request +
outputthe predicted state of the CryptoBox after the call +
descriptiona short description of the test (will be used for the summary) +
delay[optional] time to wait after this test +
+

+Use the existing test cases as templates for new tests. +

+

+Read validation/test-cases/README for details. +

+

+Every logical path of the web interface CGI should be validated by a test case. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevWorkFlow.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevWorkFlow.html new file mode 100644 index 0000000..f3c3825 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxDevWorkFlow.html @@ -0,0 +1,151 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Preparations
    2. +
  2. Create a CryptoBox-LiveCD
    3. +
    1. Build the base system
      2. +
    2. Configure the base image
      3. +
    3. Remove development features
      4. +
    4. Create an iso image
      5. +
    5. Burn the CD
      6. +
  3. Test the CryptoBox-LiveCD
    4. +
    1. Chroot: quick & dirty tests
      2. +
    2. Qemu: nearly complete emulation
      3. +
  4. Debugging and merging
    5. +
    1. Development on a running system
      2. +
    2. Uploading a new release
      3. +
  5. Comments
    6. +
+
+ +

+

+Navigation: ( CryptoBoxDev, CryptoBoxDevCustomConfigure, CryptoBoxDevPreparation) + +

+
+

Development workflow

+

Preparations

+

+You should have completed the steps described in CryptoBoxDevPreparation. +

+

Create a CryptoBox-LiveCD

+

+The following steps can be executed in the order of their appearance. +

+

+Usually there is no need to repeat the whole process, after you changed some parts of the CryptoBox. Especially the first step (building of the base system with dfsbuild) may usually be skipped. +

+

+Every step of the building process must be executed as root. +

+

Build the base system

+

+Run scripts/cbox-build.sh dfsbuild to create the base system for the LiveCD. +

+

+The result can be found in _builddir/cd1/image. +

+

+If you do not want to use the apt-cacher to save bandwidth and time, then you should modify the mirror-setting in dfs-cbox.conf (see CryptoBoxDevCustomBuild for details). +

+

Configure the base image

+

+Run scripts/cbox-build.sh config to copy the CryptoBox-specific files to the base image. +

+

+TODO: link to cbox-build.sh-manpage +

+

Remove development features

+

+The original base system, that was created by dfsbuild contains a lot packages and some scripts, that are only useful during development. You should remove them, as they cause severe security implications. +

+

+To reduce the CryptoBox-LiveCD to the usable minimum for operational use, you should run scripts/cbox-build.sh harden. +

+

Create an iso image

+

+To burn a CryptoBox-LiveCD, you need an bootable iso9660-image. +

+

+Create the iso image with scripts/cbox-build.sh iso. The resulting file can be found at _builddir/cd1/cryptobox.iso. +

+

Burn the CD

+

+Do it manually: +

+
cdrecord -v dev=0,0,0 _builddir/cryptobox.iso
+

+(change the dev setting according to your setup). +

+

+Let the script do it for you: scripts/cbox-build.sh burn (maybe you have to change the CDWRITER setting in cbox-dev.conf - see CryptoBoxDevCustomBuild). +

+

+Of course, it is not wise to use CD-R media. CD-RW consume less resources. +

+

Test the CryptoBox-LiveCD

+

+This section is only useful for developers, who want to improve or change the CryptoBox system. +

+

Chroot: quick & dirty tests

+

+If you modified the perl- or shell-scripts of the CryptoBox, then you can check for syntax errors by running them in a chroot environment. Be careful: you have access to all ressources of your computer, while you are working within a chroot environment - so you can easily repartition your real disk ... +

+

+To start a chroot environment, you can execute scripts/cbox-dev.sh chroot. +

+

+For more intensive tests, you may use qemu (see below) or burn real LiveCDs - of course this would take much more time. +

+

Qemu: nearly complete emulation

+

+The processor emulator qemu allows you test the CryptoBox in a virtual environment, that is completely separated from your real computer's resources. It is the tool of choice, if you do nat have a real computer around for testing. +

+

+Beware - there are some problems, when using qemu: +

+
  • smbd does not start (segfault) +
  • ??? +

+To start a qemu emulation of the iso image, you may type: +

+
scripts/cbox-dev.sh qemu
+

Debugging and merging

+

+This section is only useful for developers, who want to develop on a running CryptoBox system (emulated or real). +

+

+You may access the CryptoBox directly or you can use ssh to open a remote session: +

+
./cbox-dev.sh ssh
+

Development on a running system

+

+When you run an emulation or test a real LiveCD, you may encounter problems and bugs. To test your fixes for these problems, it is convenient, to change the running test system. Afterwards you can merge these changes to your local development copy. +

+

+Type scripts/cbox-dev.sh diff to see the changes, you made on the running CryptoBox system. +

+

+Type scripts/cbox-dev.sh merge to merge these changes to your local working copy. +

+

Uploading a new release

+

+Alternatively you may also upload a new version of your local working copy to the running CryptoBox system. +

+

+Type scripts/cbox-dev.sh upload - beware: all recent changes you made to the running CryptoBox system, are lost. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUser.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUser.html new file mode 100644 index 0000000..a7e95d7 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUser.html @@ -0,0 +1,60 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Getting started
    2. +
    1. First Steps
      2. +
    2. Hints / Caveats
      3. +
    3. Comments
      4. +
    +
  2. Configuration of your CryptoBox
    3. +
    1. Overview
      2. +
    2. Foreword
      3. +
    3. Initialization
      4. +
    4. Configuration
      5. +
    5. Hints / Caveats
      6. +
    6. Comments
      7. +
    +
  3. Daily use of the CryptoBox
    4. +
    1. Activate your encrypted filesystem
      2. +
    2. Use your encrypted data
      3. +
    3. Deactivate your encrypted filesystem
      4. +
    4. Shut down your CryptoBox
      5. +
    5. In case of emergency
      6. +
    6. Questions and Answers
      7. +
    7. Comments
      8. +
    +
+
+ +

+

+Navigation: ( CryptoBox/en, CryptoBoxUser) + +

+
+

User Documentation

+

+The following pages describe the easy use of the CryptoBox. +

+

+The online version of this manual is a wiki, which means you can edit the pages. So if you have a question or you perceive a description as unclear, please post it on the bottom of the relevant page. The developers will answer your questions and update the manual as fast as possible. This way you can contribute in making the CryptoBox a better experience for everyone! +

+
  1. CryptoBoxUserGettingStarted -- first steps to get the Cryptobox up and running +
  2. CryptoBoxUserConfiguration -- configure the details of your new encrypted fileserver +
  3. CryptoBoxUserDailyUse -- daily use of your CryptoBox +

+The online version of this manual can be found at https://systemausfall.org/trac/cryptobox/wiki/CryptoBoxUser/en. +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserConfiguration.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserConfiguration.html new file mode 100644 index 0000000..88236ba --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserConfiguration.html @@ -0,0 +1,103 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Overview
    2. +
  2. Foreword
    3. +
  3. Initialization
    4. +
  4. Configuration
    5. +
  5. Hints / Caveats
    6. +
  6. Comments
    7. +
+
+ +

+

+Navigation: ( CryptoBoxUser/en, CryptoBoxUserConfiguration) + +

+
+

Configuration of your CryptoBox

+

Overview

+

+All parts of administration of the CryptoBox are done through a comfortable web interface. If this is the first time you use the CryptoBox, just follow the steps below. +

+

+You can safely ignore the Foreword if you are in a hurry. +

+

+Initialization describes the process of integrating a new harddisk. You usually have to perform this steps if you start with a new CryptoBox or after replacing the harddisk. +

+

+In the Configuration section, you can configure the CryptoBox according to your personal needs, e.g. change your desired language for the web interface or change the IP address of the CryptoBox. +

+

+Do not forget to read the Hints / Caveats section too. +

+

Foreword

+

+Okay, you finished the CryptoBoxUserGettingStarted and are now sitting in front of a computer that is connected via network with your CryptoBox. You point a browser to "https://192.168.0.23" and the CryptoBox interface appears. +

+

+Before you can save data on your CryptoBox, its harddisk has to be formatted with a cryptographic filesystem. Sounds complicated but don't be scared - it's really a "one click" thing. :) +

+

Initialization

+

+Click on Initialize CryptoBox in the title bar. +

+

+Now you are promted to enter two passwords twice (because we want to train your typing skills ;). +

+
  • The first password is the administration password. +
    • It is used to protect the configuration of the CryptoBox. +
    • This is necessary to make sure, that no one without your permission can destroy your data by re-initializing the CryptoBox. +
    • Chances are good, that you will only need it once. +
    • You may leave it empty, but this is not recommended. +
  • The crypto password is the more important password, protecting the data on your harddisk. Choose it wisely! +
    • You will need it, whenever you want to access your encrypted data. +
    • For a secure password consider a length of at least 15 characters including digits and special characters. The security of your encrypted data stands or falls with a good password. +
  • To avoid mistakes and to remind you on what you're going to do, you have to type the displayed red phrase into the last field. +
  • Now you can complete the initialization by clicking on the Initialize !CryptoBox button at the bottom of the form. +

+That's all. Wasn't it a real "one click" thing? Cryptography has never been easier to use. ;) +

+

+The initialization process takes place in the background and will be completed after a few minutes, depending on your harddisk's size. +

+

Configuration

+

+While the initialization is usually done only once, the configuration can be changed at any time you want. You can reach it by clicking at Configuration in the menu bar of the website. Now you see a form with four fields: +

+
  • If you defined a administration passwort during Initialization, you have to enter it first. Otherwise this field does not appear. +
  • If the default network address (IP) doesn't fit into your network infrastructure, you can change it in the second field. +
  • The timeout defines the amount of time (in minutes) after that the CryptoBox deactivates the access to the encrypted data. If you e.g. copy a file on the box, it starts counting at zero, so down-/uploads won't be interrupted. +
  • It's good choice to enter a small number (few minutes). +
  • A timeout of 0 turns off the automatic deactivation - this is not recommended. +
  • At language preferences you can select the default language for the CryptoBox interface. +

+Complete your changes by clicking on Save configuration. +

+

+That's all - your CryptoBox is now ready for daily use! +

+

Hints / Caveats

+
  • All data on the CryptoBox harddisk will be erased during Initialization. +
  • All passwords have to be typed twice to reduce the chance of a typo. +
  • The optional adminstration password is necessary for configuration only. +
  • The crypto password protects your beloved data. +
  • If the cryptobox is not reachable by browsing to 192.168.0.23, you may have to adjust the network settings of your computer for initialization of the CryptoBox. +

+back to CryptoBoxUser +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserDailyUse.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserDailyUse.html new file mode 100644 index 0000000..1f2b0c8 --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserDailyUse.html @@ -0,0 +1,114 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. Activate your encrypted filesystem
    2. +
  2. Use your encrypted data
    3. +
  3. Deactivate your encrypted filesystem
    4. +
  4. Shut down your CryptoBox
    5. +
  5. In case of emergency
    6. +
  6. Questions and Answers
    7. +
  7. Comments
    8. +
+
+ +

+

+Navigation: ( CryptoBoxUser/en, CryptoBoxUserConfiguration/en, CryptoBoxUserDailyUse) + +

+
+

Daily use of the CryptoBox

+

Activate your encrypted filesystem

+

+You can activate your encrypted filesystem by doing following these steps: +

+
  • Point your web browser at the address of your CryptoBox. The default is https://192.168.0.23. +
  • Click on Activation of encrypted data. A new page asking for your crypto password appears. +
  • Enter your crypto password and click on the button below labeled activate encrypted filesystem. +

+Now the filesystem is accessible. To use it, search for a computer in your network neighborhood. When asked for the name, enter the above IP address (default: 192.168.0.23). Now you can use it like any other network resource. +

+

Use your encrypted data

+

Linux - command line

+

+To use the encrypted data partition with regular user rights add the line below to your /etc/fstab: +

+
//192.168.0.23/public   /mnt/    smbfs   defaults,noexec,noauto,user,guest      0       0
+

+Now you can mount the encrypted data partition to /mnt: +

+
mount /mnt
+

+resp. unmount: +

+
smbumount /mnt
+

Windows

+

+Run the the Windows Explorer and choose Map network drive in the Extras menu: +

+
  • select a drive of your choice +
  • enter \\192.168.0.23\public (default setting) as target +

+Now you can use your encrypted data like any other network resource. +

+

Deactivate your encrypted filesystem

+

+You can deactivate the encrypted filesystem by clicking at Deactivation of encrypted data in the web interface of your CryptoBox. +

+

+Your data is now protected again. +

+

Shut down your CryptoBox

+

+Click at the Shutdown link in the menu of the web interface. There you can choose poweroff or reboot. The shutdown takes some seconds. +

+

+If the hardware of your CryptoBox is quite recent, it will power-off automatically. Otherwise you have to do it manually. +

+

In case of emergency

+

+If you have to protect the drive really fast, just power-off the CryptoBox machine instantly by pulling the plug or pushing the power button. This is not very clean and can (in very rare circumstances) corrupt open files, but it is the fasted method to secure your data. +

+

+back to CryptoBoxUser +

+
+

Questions and Answers

+

Windows: network drive cannot be mapped

+

+This error message may appear, if you did not login during the booting of you windows machine (or you closed the login dialog by pressing ESC). +

+

+Solution: Choose Logout in the Start menu and login again. +

+

Linux: only root can unmount //192.168.0.23/public

+

+You can't unmount the partition with umount. +

+

+Solution: Use smbumount instead: +

+
smbumount /mnt
+

Linux: Operation not permitted / smbmnt failed: 1

+

+The attempt to mount the partition as a regular user ends up with: +

+
cannot mount on /mnt/: Operation not permitted
+smbmnt failed: 1
+

+Solution: Set the directory's owner to the same user that mounts the share (e.g. phil): +

+
chown phil. /mnt
+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserGettingStarted.html b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserGettingStarted.html new file mode 100644 index 0000000..0ee4f8e --- /dev/null +++ b/cbox-tree.d/usr/share/doc/cryptobox/html/en/CryptoBoxUserGettingStarted.html @@ -0,0 +1,64 @@ + + + + + +
+

+

+

Table of Contents

+
    +
  1. First Steps
    2. +
  2. Hints / Caveats
    3. +
  3. Comments
    4. +
+
+ +

+

+Navigation: ( CryptoBoxUser/en, CryptoBoxUserConfiguration/en, CryptoBoxUserGettingStarted) + +

+
+

Getting started

+

First Steps

+

+Getting the CryptoBox started doesn't take much: +

+
  1. You need an old Computer (at least 100MHz, 48MB RAM) (rule of thumb: bought at least after 1996). This PC needs a network card, a CD-ROM drive and a huge harddisk. +
    • Well the disk doesn't need to be huge, it should just suit your filestorage needs ;) +
    • You don't need a monitor or a keyboard to use your CryptoBox (with one exception, see below). +
    • Of course, you may use a faster computer, but they usually consume much more energy and do not provide signifcant advantages. +
  2. Then download the latest version of the CryptoBox as an iso-image and burn this image onto a CD. +
  3. Configure your PC, so it can boot from the CD. Therefore you have to enter the BIOS and configure the CD-ROM as boot device. +
  4. Insert the shiny new CryptoBox CD you've just burned and start the computer. +

+ +If it now boots from the CD, you accomplished all of the requirements. +

+

+Now you can just go to your current desktop computer and point your browser to https://192.168.0.23 where the CryptoBox interface should be displayed. Easy - isn't it? +

+

+For further steps go to CryptoBoxUserConfiguration. +

+

Hints / Caveats

+

+ +

+
  • Maybe you need to change the network address (IP) of your PC to configure the CryptoBox for the first time. Ask someone for help, if you don't know how and why ... +
  • If you're going to buy a new harddisk keep in mind that very old hardware can't handle current disk sizes! +
  • Some old PCs are not able to boot from CD. +
  • If you don't know what a BIOS is, better ask someone, before you try to change something. ;) +
  • Don't forget to connect your PC to your local area network! +
  • To configure the BIOS, you need a keyboard and a monitor. But this has to be done only once. +

+back to CryptoBoxUser +

+
+

Comments

+

+ +

+
diff --git a/cbox-tree.d/var/www/cryptobox-misc/antlogo100px.png b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px.png new file mode 100644 index 0000000..454709d Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_green.png b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_green.png new file mode 100644 index 0000000..fd1d2d9 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_green.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_red.png b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_red.png new file mode 100644 index 0000000..18e33d4 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/antlogo100px_red.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/backg.gif b/cbox-tree.d/var/www/cryptobox-misc/backg.gif new file mode 100644 index 0000000..8e37ccc Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/backg.gif differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/cryptobox.css b/cbox-tree.d/var/www/cryptobox-misc/cryptobox.css new file mode 100644 index 0000000..e12c610 --- /dev/null +++ b/cbox-tree.d/var/www/cryptobox-misc/cryptobox.css @@ -0,0 +1,391 @@ +body { + background-image: url(backg.gif); + background-position: top center; + background-attachment: fixed; + background-repeat: no-repeat; + text-align: center; + margin: 0; + padding: 0; + font-family: verdana, lucida, arial, helvetica, sans-serif; + } + +#main { + background: none; + width: 600px; + padding: 0px; + margin-left: auto; + margin-right: auto; + } + +#main h1, h2, h3 { + font-family: sans-serif, arial; + font-weight: normal; + letter-spacing: 0.05em; + color: #acacac; + font-variant: small-caps; + padding: 0 1em; + text-align: left; + } + +#main h1 { + font-size: 2em; + } + +#main h2 { + font-size: 1.5em; + } + +#main h3 { + font-size: 1.2em; + } + +#head { + width: 600px; + height: 120px; + margin: 0; + padding: 0; + background-image: url(antlogo100px.png); + background-position: top right; + background-attachment: scroll; + background-repeat: no-repeat; + } + +#head_green { + width: 600px; + height: 120px; + margin: 0; + padding: 0; + background-image: url(antlogo100px_green.png); + background-position: top right; + background-attachment: scroll; + background-repeat: no-repeat; + } + +#head_red { + width: 600px; + height: 120px; + margin: 0; + padding: 0; + background-image: url(antlogo100px_red.png); + background-position: top right; + background-attachment: scroll; + background-repeat: no-repeat; + } +#development { + font-weight: bold; +} + + +#content { + margin: 0; + padding: 0; + width: 600px; + font-size: 0.9em; + min-height: 300px; + } + +#content a { + line-height: 1.2em; + color: black; + text-decoration: none; + font-weight: bold; + font-size: 0.9em; + } + +#content a:hover { + text-decoration: underline; + } + +#content a:visited { + color: #acacac; + } + +#content p { + font-size: 0.9em; + padding: 0 1em; + text-align: justify; + } + +#menu { + text-align: center; + border-top: 1px solid #5e5e5e; + border-bottom: 1px solid #5e5e5e; + background-color: #ACE149; + } + +#menu a:link, #menu a:visited { + color: #5e5e5e; + margin: 5px; + text-decoration: none; + border: none; + padding: 4px; + font-size: 0.8em; + } + +#menu a:hover { + color: #8e8e8e; + } + +#words { + width: 565px; + padding: 1.1em 0em 1.1em 1.1em; + margin-top: 0; + } + +#words h1{ + font-size: 1.8em; + } + +#words h2{ + font-size: 1.4em; + } + +#words ol, #words ul { + font-size: 0.9em; + } + +#words ol li { + padding: 0 1em; + line-height: 1.7em; + } + +#words ul li { + padding: 0 1em; + line-height: 1.7em; + list-style-image: url(list.gif); + } + +#footer { + clear: both; + text-align: center; + border-top: 1px solid #5e5e5e; + border-bottom: 1px solid #5e5e5e; + background-color: #ACE149; + font-size: 0.8em; + color: #5e5e5e; + } + +#footer a:link, #footer a:visited { + color: #5e5e5e; + margin: 5px; + text-decoration: none; + border: none; + padding: 4px; + } + +#footer a:hover { + text-decoration: underline; + } + +#confirmtext span { + color: red; + font-weight: bold; + } + + +/* -------=-=-=- warnings, errors and success messages-=-=-=-------- */ + +#words div.warning,div.error,div.success { + margin-top: 20px; + margin-bottom: 20px; + padding-top: 10px; + padding-bottom: 15px; + color: #707070; + } + +#words .warning,.error,.success { + border: 1px dashed #808080; + text-align: center; + color: #5e5e5e; + text-decoration: none; + font-weight: bold; + font-size: 0.9em; + padding-left: 40px; + padding-right: 40px; + } + +#words .warning { + background-color: #f5f5f5; + } + +#words .error { + background-color: #f5f5f5; + } + +#words .success { +/* nice green color - but no one likes it right? + background-color: #90EE90; */ + } + +#words div.warning,div.error,div.success h1,h2 { + color: #808080; + } + +#words .warning,.error,.success a { + color: #5e5e5e; + text-decoration: none; + font-weight: bold; + font-size: 0.9em; +} + +#words .note { + text-align: center; + color: #F48659; + font-style: italic; + } + +/* ----------------------=-=-=- Forms -=-=-=--------------------- */ +/* pretty forms and buttons */ +input { + border: 1px solid #BFBFBF; + color: #949494; + background-color: white; + padding: 2px 5px 1px 5px; + font-size: 1em; + } + +input:hover { + border: 1px solid #ACE149; + color: #7DA721; + background-color: white; + font-size: 1em; + } + +textarea { + font-family: arial, verdana, helvetica, sans-serif; + font-size: 1.1em; + border: 1px solid #BFBFBF; + color: #949494; + padding: 2px 5px 1px 5px; + width: 450px; + } + +textarea:hover { + color: #7DA721; + background-color: white; + border: 1px solid #ACE149; + } + +button { + color: #5e5e5e; + background-color: #ACE149; + border: 1px solid #5e5e5e; + font-size: 0.8em; + font-weight: bold; + cursor: pointer; + } + +button:hover { + color: #5e5e5e; + background-color: #D0F0A0; + border: 1px solid #ACE149; + font-size: 0.8em; + font-weight: bold; + cursor: pointer; + } + +#words form label { + min-width: 20em; + } + +#words form p { + text-align: center; + } + +/* ------------=-=-=- language selection -=-=-=------------- */ + +#lang { + position: absolute; + float: right; + right: 5px; + top: 5px; + text-align: right; + } + +#lang a { + color: #acacac; + font-family: verdana, lucida, arial, helvetica, sans-serif; + font-size: smaller; + } + +#lang a:hover { + color: #707070; + } + + +/* ------------=-=-=- documentation -=-=-=------------- */ + +#doc ol,ul li { + text-align: left; + margin-left: 20px; + } + +#doc dl dt { + text-align: left; + margin-left: 20px; + font-style: italic; + } + +#doc h1 { + padding-top: 25px; +} + +#doc h2 { + padding-top: 20px; +} + +#doc h3 { + padding-top: 10px; + } + +/* ------------=-=-=- special things -=-=-=------------- */ + +#partition_info p, #log p.console { + margin-left: 10%; + margin-right: 10%; + font-family: monospace + text-align: left; + } + +/* ---------=-=-=-=- onscreen help -=-=-=-=--------- */ +/* not active anymore */ + +#words a.popup { + line-height: inherit; + color: inherit; + background-color: inherit; + text-decoration: inherit; + font-weight: inherit; + font-size: inherit; + } + +#words a.popup:hover { + text-decoration: inherit; + } + +#words a.popup span { + display: none; + position: fixed; + bottom: 10px; + left: 9%; + width: 80%; + background: #f0f0f0; + padding: 10px; + border-color: #e0e0e0; + border-width: 2px; + border-style: solid; + margin: 0; + } + +#words a.popup:hover span { + display: inline; + } + +#words a.popup span p { + text-align: left; + } + +#words a.popup span h3 { + color: #909090; + margin-top: 0px; + } diff --git a/cbox-tree.d/var/www/cryptobox-misc/list.gif b/cbox-tree.d/var/www/cryptobox-misc/list.gif new file mode 100644 index 0000000..fe15cc9 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/list.gif differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_config.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_config.png new file mode 100644 index 0000000..3dc3228 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_config.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_init.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_init.png new file mode 100644 index 0000000..abb7b2a Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_init.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_mount.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_mount.png new file mode 100644 index 0000000..37920b2 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_mount.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_login.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_login.png new file mode 100644 index 0000000..f7cef41 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_login.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_network_drive.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_network_drive.png new file mode 100644 index 0000000..da72c6f Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_network_drive.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_not_logged_in.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_not_logged_in.png new file mode 100644 index 0000000..33a6766 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/de_w98_not_logged_in.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_config.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_config.png new file mode 100644 index 0000000..e74b416 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_config.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_mount.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_mount.png new file mode 100644 index 0000000..eca7049 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_mount.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_login.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_login.png new file mode 100644 index 0000000..9ff45fb Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_login.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_network_drive.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_network_drive.png new file mode 100644 index 0000000..d1e89d7 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_network_drive.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_not_logged_in.png b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_not_logged_in.png new file mode 100644 index 0000000..adb129a Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/screenshots/en_w98_not_logged_in.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/smile.png b/cbox-tree.d/var/www/cryptobox-misc/smile.png new file mode 100644 index 0000000..b51b3ff Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/smile.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/smile4.png b/cbox-tree.d/var/www/cryptobox-misc/smile4.png new file mode 100644 index 0000000..f8f5b52 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/smile4.png differ diff --git a/cbox-tree.d/var/www/cryptobox-misc/somerights20.gif b/cbox-tree.d/var/www/cryptobox-misc/somerights20.gif new file mode 100644 index 0000000..0860fa9 Binary files /dev/null and b/cbox-tree.d/var/www/cryptobox-misc/somerights20.gif differ