
new directory layout (trunk, tags and branches)

master
lars 17 years ago
commit
f14351710c
  1. 45
      cryptobox.conf.d/etc/cryptobox/cryptobox.conf
  2. 65
      cryptobox.conf.d/etc/cryptobox/openssl.cnf
  3. 22
      cryptobox.conf.d/etc/rc2.d/S98cryptobox.sh
  4. 25
      cryptobox.conf.d/etc/rc2.d/S99cryptobox-devel-features.sh
  5. 23
      cryptobox.conf.d/etc/rcS.d/S22mount-cb-config.sh
  6. 23
      cryptobox.conf.d/etc/rcS.d/S37cb-network.sh
  7. 237
      cryptobox.conf.d/etc/samba/smb.conf
  8. 1
      cryptobox.conf.d/mnt/crypto/info.txt
  9. 51
      cryptobox.conf.d/scripts/check_smb_idle.sh
  10. 23
      cryptobox.conf.d/scripts/chroot-start.sh
  11. 44
      cryptobox.conf.d/scripts/configure-cryptobox.sh
  12. 362
      cryptobox.conf.d/scripts/cryptobox.sh
  13. 62
      cryptobox.conf.d/scripts/devel-features.sh
  14. 52
      cryptobox.conf.d/scripts/firewall.sh
  15. 32
      cryptobox.conf.d/scripts/make_stunnel_cert.sh
  16. 93
      cryptobox.conf.d/usr/lib/cryptobox/validate.sh
  17. 68
      cryptobox.conf.d/usr/lib/perl5/ClearSilver.pm
  18. 4
      cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/.packlist
  19. 0
      cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/ClearSilver.bs
  20. BIN
      cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/ClearSilver.so
  21. 1
      cryptobox.conf.d/usr/share/cryptobox/defaults/ip
  22. 1
      cryptobox.conf.d/usr/share/cryptobox/defaults/language
  23. 1
      cryptobox.conf.d/usr/share/cryptobox/defaults/timeout
  24. 113
      cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
  25. 23
      cryptobox.conf.d/usr/share/cryptobox/templates/config_form.cs
  26. 5
      cryptobox.conf.d/usr/share/cryptobox/templates/doc.cs
  27. 1
      cryptobox.conf.d/usr/share/cryptobox/templates/error.cs
  28. 21
      cryptobox.conf.d/usr/share/cryptobox/templates/footer.cs
  29. 25
      cryptobox.conf.d/usr/share/cryptobox/templates/header.cs
  30. 37
      cryptobox.conf.d/usr/share/cryptobox/templates/init_form.cs
  31. 1
      cryptobox.conf.d/usr/share/cryptobox/templates/intro.cs
  32. 33
      cryptobox.conf.d/usr/share/cryptobox/templates/macros.cs
  33. 11
      cryptobox.conf.d/usr/share/cryptobox/templates/main.cs
  34. 15
      cryptobox.conf.d/usr/share/cryptobox/templates/mount_form.cs
  35. 22
      cryptobox.conf.d/usr/share/cryptobox/templates/nav.cs
  36. 11
      cryptobox.conf.d/usr/share/cryptobox/templates/show_log.cs
  37. 17
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/README
  38. 12
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/footer
  39. 25
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/header
  40. 1
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/result-error
  41. 1
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/result-ok
  42. 2
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/single_footer
  43. 5
      cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/single_header
  44. 13
      cryptobox.conf.d/usr/share/cryptobox/templates/umount_form.cs
  45. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/000-main/description
  46. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/000-main/input.curl
  47. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/000-main/output
  48. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/010-init_ask/description
  49. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/010-init_ask/input.curl
  50. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/010-init_ask/output
  51. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/020-init_empty_pw/description
  52. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/020-init_empty_pw/input.curl
  53. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/020-init_empty_pw/output
  54. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/030-init_different_pw/description
  55. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/030-init_different_pw/input.curl
  56. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/030-init_different_pw/output
  57. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/040-init_wrong_confirmation/description
  58. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/040-init_wrong_confirmation/input.curl
  59. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/040-init_wrong_confirmation/output
  60. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/050-mount_ask_before_init/description
  61. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/050-mount_ask_before_init/input.curl
  62. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/050-mount_ask_before_init/output
  63. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/060-mount_do_before_init/description
  64. 3
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/060-mount_do_before_init/input.curl
  65. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/060-mount_do_before_init/output
  66. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/070-umount_ask_before_init/description
  67. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/070-umount_ask_before_init/input.curl
  68. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/070-umount_ask_before_init/output
  69. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/080-umount_do_before_init/description
  70. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/080-umount_do_before_init/input.curl
  71. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/080-umount_do_before_init/output
  72. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/090-config_ask_before_init/description
  73. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/090-config_ask_before_init/input.curl
  74. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/090-config_ask_before_init/output
  75. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/100-config_do_before_init/description
  76. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/100-config_do_before_init/input.curl
  77. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/100-config_do_before_init/output
  78. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/110-init_valid/description
  79. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/110-init_valid/input.curl
  80. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/110-init_valid/output
  81. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/120-mount_ask_during_init/description
  82. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/120-mount_ask_during_init/input.curl
  83. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/120-mount_ask_during_init/output
  84. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/130-mount_do_during_init/description
  85. 3
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/130-mount_do_during_init/input.curl
  86. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/130-mount_do_during_init/output
  87. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/140-umount_ask_during_init/description
  88. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/140-umount_ask_during_init/input.curl
  89. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/140-umount_ask_during_init/output
  90. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/150-umount_do_during_init/description
  91. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/150-umount_do_during_init/input.curl
  92. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/150-umount_do_during_init/output
  93. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/160-config_ask_during_init/description
  94. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/160-config_ask_during_init/input.curl
  95. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/160-config_ask_during_init/output
  96. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/170-config_do_during_init/description
  97. 5
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/170-config_do_during_init/input.curl
  98. 7
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/170-config_do_during_init/output
  99. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/180-init_ask_during_init/description
  100. 1
      cryptobox.conf.d/usr/share/cryptobox/test-cases/1-init/180-init_ask_during_init/input.curl

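--- a/cryptobox.conf.d/etc/cryptobox/cryptobox.conf
+++ b/cryptobox.conf.d/etc/cryptobox/cryptobox.conf
@@ -0,0 +1,45 @@
+# this file is directly sourced by some bash scripts
+# so there should be no space around the "="
+LANGUAGE=de
+NET_IFACE=eth0
+SAMBA_USER=nobody
+SCAN_DEVICES="/dev/hda /dev/hdb /dev/hdc /dev/hde /dev/hdf /dev/hdg /dev/scd0 /dev/scd1 /dev/scd2 /dev/scd3"
+# directories
+LANGUAGE_DIR=/usr/share/cryptobox/lang
+TEMPLATE_DIR=/usr/share/cryptobox/templates
+DOC_DIR=/usr/share/doc/cryptobox/html
+CONFIG_DEFAULTS_DIR=/usr/share/cryptobox/defaults
+REPORT_DIR=/var/www/report
+CONFIG_DIR=/mnt/cb-etc
+CRYPTO_DIR=/mnt/crypto
+TEST_CASES_DIR=/usr/share/cryptobox/test-cases
+SUMMARY_TEMPLATE_DIR=/usr/share/cryptobox/templates/test-summary
+# some files
+CB_SCRIPT=/scripts/cryptobox.sh
+VALIDATE_SCRIPT=/usr/lib/cryptobox/validate.sh
+LOG_FILE=/var/log/cryptobox.log
+DEVELOPMENT_MARKER=/DEVELOPMENT_CRYPTOBOX
+CERT_FILE=/mnt/cb-etc/stunnel.pem
+OPENSSL_CONF_FILE=/etc/cryptobox/openssl.cnf
+# crypto settings
+HASH=sha512
+ALGO=aes
+CRYPTMAPPER_DEV=/dev/mapper/cryptobox-data
+# some programs
+SFDISK=/sbin/sfdisk
+WIPE=/usr/bin/wipe
+MKFS_DATA=/sbin/mkfs.ext3
+MKFS_CONFIG=/sbin/mkfs.ext2
+CRYPTSETUP=/sbin/cryptsetup
+# firewall setings
+# do not use multiports (iptables) as the timeout-script depends on
+# single port rules
+# ssh is allowed too, but the server is not started automatically
+ALLOW_TCP_PORTS="22 80 139 443 445"
+ALLOW_UDP_PORTS="137 138"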
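Review bot: `ALLOW_TCP_PORTS="22 80 139 443 445"` opens the plaintext HTTP port on `$NET_IFACE` even though the network-up case of scripts/cryptobox.sh runs `stunnel ... -r localhost:80 -d 443` to put TLS in front of thttpd, so the web interface (presumably where the volume passphrase is submitted) stays reachable without TLS on port 80 and the stunnel can be bypassed. Unless thttpd is separately bound to localhost, dropping the port from the list, `ALLOW_TCP_PORTS="22 139 443 445"`, closes that path, and the comment block above should state that 443 is the only intended web port. `CERT_FILE=/mnt/cb-etc/stunnel.pem` repeats the `CONFIG_DIR` value as a literal, so the two can drift if the config mount point is ever changed; `CERT_FILE=$CONFIG_DIR/stunnel.pem` keeps one definition.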

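--- a/cryptobox.conf.d/etc/cryptobox/openssl.cnf
+++ b/cryptobox.conf.d/etc/cryptobox/openssl.cnf
@@ -0,0 +1,65 @@
+#
+# OpenSSL configuration file.
+#
+# Establish working directory.
+dir = .
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+default_days = 3650
+default_md = md5
+policy = policy_match
+#serial = $dir/serial
+#database = $dir/index.txt
+#new_certs_dir = $dir/newcert
+#certificate = $dir/cacert.pem
+#private_key = $dir/private/cakey.pem
+#preserve = no
+#email_in_dn = no
+#nameopt = default_ca
+#certopt = default_ca
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = match
+commonName = supplied
+emailAddress = optional
+[ req ]
+default_bits = 1024 # Size of keys
+default_keyfile = stunnel.pem # name of generated keys
+default_md = md5 # message digest algorithm
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+# Variable name Prompt string
+#---------------------- ----------------------------------
+0.organizationName = Organization Name (company)
+organizationalUnitName = Organizational Unit Name (department, division)
+emailAddress = Email Address
+emailAddress_max = 40
+localityName = Locality Name (city, district)
+stateOrProvinceName = State or Province Name (full name)
+#countryName = Country Name (2 letter code)
+#countryName_min = 2
+#countryName_max = 2
+#commonName = Common Name (hostname, IP, or your name)
+#commonName_max = 64
+# Default values for the above, for consistency and less typing.
+# Variable name Value
+#------------------------------ ------------------------------
+0.organizationName_default = CryptoBox
+organizationalUnitName_default = s.l.
+localityName_default = Kugelmugel
+stateOrProvinceName_default = Metropolis
+emailAddress_default = info@systemausfall.org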
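Review bot: `default_md = md5` (set in both [CA_default] and [req]) together with `default_bits = 1024` in [req] picks a signature digest and key size that are weak for a certificate that `default_days = 3650` keeps valid for ten years; `default_md = sha256` and `default_bits = 2048` are the drop-in replacements and, since this file is presumably only read through `OPENSSL_CONF_FILE` by scripts/make_stunnel_cert.sh (not in view), the change is local. For a self-signed stunnel certificate the practical exposure of MD5 is limited, but a comment stating that the certificate is self-signed and pinned nowhere would make that trade-off explicit. `dir = .` and the commented `$dir/...` entries are unused by a plain `req` workflow and deserve a one-line comment saying so, or removal.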

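--- a/cryptobox.conf.d/etc/rc2.d/S98cryptobox.sh
+++ b/cryptobox.conf.d/etc/rc2.d/S98cryptobox.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -eu
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+case "$ACTION" in
+start )
+/scripts/cryptobox.sh services-up
+;;
+stop )
+/scripts/cryptobox.sh services-down
+;;
+restart )
+$0 stop
+$0 start
+;;
+* )
+echo "Syntax: `basename $0` { start | stop | restart }"
+;;
+esac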
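Review bot: The `* )` usage branch prints the syntax line and then lets the script exit 0, so an init system calling it with a misspelt action sees success; `exit 1` after the echo makes the failure visible. The `restart )` branch runs `$0 stop` under `set -eu`, so a failed stop (for example when the services are not running yet) aborts the script before `$0 start` is reached; `$0 stop || true` keeps restart usable from a half-stopped state. Both points apply equally to etc/rcS.d/S22mount-cb-config.sh and etc/rcS.d/S37cb-network.sh, which are copies of this script with a different cryptobox.sh action.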

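--- a/cryptobox.conf.d/etc/rc2.d/S99cryptobox-devel-features.sh
+++ b/cryptobox.conf.d/etc/rc2.d/S99cryptobox-devel-features.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# this script looks for the file /DEVELOPMENT_CRYPTOBOX
+# if it exists, the script $DEVEL_SCRIPT be executed - this is
+# ONLY FOR DEVELOPMENT CDs!
+# for production CD the file /DEVELOPMENT_CRYPTOBOX should never exist!
+#
+set -eu
+MARKER=/DEVELOPMENT_CRYPTOBOX
+# return, if it does not exist
+[ ! -e "$MARKER" ] && exit 0
+echo
+echo "#---------------------------------------------------------------#"
+echo "| WARNING: developers features are enabled |"
+echo "| This definitely should NOT happen for production CDs! |"
+echo "| If you are not a developer, then this CD is DANGEROUS, as it |"
+echo "| offers no security at all! |"
+echo "#---------------------------------------------------------------#"
+echo
+/scripts/devel-features.sh "$@"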
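Review bot: `MARKER=/DEVELOPMENT_CRYPTOBOX` duplicates `DEVELOPMENT_MARKER` from etc/cryptobox/cryptobox.conf, so the two can drift and the production-safety check here would silently look at a different path than the rest of the system; sourcing the config and using `MARKER="$DEVELOPMENT_MARKER"` keeps one definition. The header comment mentions `$DEVEL_SCRIPT`, which is not defined anywhere in the file, while the script actually calls `/scripts/devel-features.sh`; the comment should name the real script. It should also state what creates the marker file on a development CD and which build step guarantees it is absent from a production image, since the banner is the only guard visible here.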

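--- a/cryptobox.conf.d/etc/rcS.d/S22mount-cb-config.sh
+++ b/cryptobox.conf.d/etc/rcS.d/S22mount-cb-config.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eu
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+case "$ACTION" in
+start )
+/scripts/cryptobox.sh config-up
+;;
+stop )
+/scripts/cryptobox.sh config-down
+;;
+restart )
+$0 stop
+$0 start
+;;
+* )
+echo "Syntax: `basename $0` { start | stop | restart }"
+echo
+;;
+esac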

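--- a/cryptobox.conf.d/etc/rcS.d/S37cb-network.sh
+++ b/cryptobox.conf.d/etc/rcS.d/S37cb-network.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eu
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+case "$ACTION" in
+start )
+/scripts/cryptobox.sh network-up
+;;
+stop )
+/scripts/cryptobox.sh network-down
+;;
+restart )
+$0 stop
+$0 start
+;;
+* )
+echo "Syntax: `basename $0` { start | stop | restart }"
+echo
+;;
+esac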

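--- a/cryptobox.conf.d/etc/samba/smb.conf
+++ b/cryptobox.conf.d/etc/samba/smb.conf
@@ -0,0 +1,237 @@
+#
+# Sample configuration file for the Samba suite for Debian GNU/Linux.
+#
+#
+# This is the main Samba configuration file. You should read the
+# smb.conf(5) manual page in order to understand the options listed
+# here. Samba has a huge number of configurable options most of which
+# are not shown in this example
+#
+# Any line which starts with a ; (semi-colon) or a # (hash)
+# is a comment and is ignored. In this example we will use a #
+# for commentary and a ; for parts of the config file that you
+# may wish to enable
+#
+# NOTE: Whenever you modify this file you should run the command
+# "testparm" to check that you have not many any basic syntactic
+# errors.
+#
+#======================= Global Settings =======================
+[global]
+## Browsing/Identification ###
+# Change this to the workgroup/NT-domain name your Samba server will part of
+workgroup = CryptoBoxGroup
+# server string is the equivalent of the NT Description field
+server string = %h cryptobox (Samba %v)
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+; wins support = no
+# WINS Server - Tells the NMBD components of Samba to be a WINS Client
+# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
+; wins server = w.x.y.z
+# This will prevent nmbd to search for NetBIOS names through DNS.
+dns proxy = no
+# What naming service and in what order should we use to resolve host names
+# to IP addresses
+; name resolve order = lmhosts host wins bcast
+#### Debugging/Accounting ####
+# This tells Samba to use a separate log file for each machine
+# that connects
+log file = /var/log/samba/log.%m
+# Put a capping on the size of the log files (in Kb).
+max log size = 1000
+# If you want Samba to only log through syslog then set the following
+# parameter to 'yes'.
+; syslog only = no
+# We want Samba to log a minimum amount of information to syslog. Everything
+# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
+# through syslog you should set the following parameter to something higher.
+syslog = 0
+# Do something sensible when Samba crashes: mail the admin a backtrace
+panic action = /usr/share/samba/panic-action %d
+####### Authentication #######
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server. See
+# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
+# package for details.
+security = share
+# You may wish to use password encryption. See the section on
+# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
+encrypt passwords = true
+# If you are using encrypted passwords, Samba will need to know what
+# password database type you are using.
+passdb backend = tdbsam guest
+obey pam restrictions = yes
+guest account = nobody
+; invalid users = root
+# This boolean parameter controls whether Samba attempts to sync the Unix
+# password with the SMB password when the encrypted SMB password in the
+# passdb is changed.
+; unix password sync = no
+# For Unix password sync to work on a Debian GNU/Linux system, the following
+# parameters must be set (thanks to Augustin Luton <aluton@hybrigenics.fr> for
+# sending the correct chat script for the passwd program in Debian Potato).
+passwd program = /usr/bin/passwd %u
+passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
+# This boolean controls whether PAM will be used for password changes
+# when requested by an SMB client instead of the program listed in
+# 'passwd program'. The default is 'no'.
+; pam password change = no
+########## Printing ##########
+# If you want to automatically load your printer list rather
+# than setting them up individually then you'll need this
+; load printers = yes
+# lpr(ng) printing. You may wish to override the location of the
+# printcap file
+; printing = bsd
+; printcap name = /etc/printcap
+# CUPS printing. See also the cupsaddsmb(8) manpage in the
+# cupsys-client package.
+; printing = cups
+; printcap name = cups
+# When using [print$], root is implicitly a 'printer admin', but you can
+# also give this right to other users to add drivers and set printer
+# properties
+; printer admin = @ntadmin
+######## File sharing ########
+# Name mangling options
+preserve case = yes
+short preserve case = yes
+############ Misc ############
+# Using the following line enables you to customise your configuration
+# on a per machine basis. The %m gets replaced with the netbios name
+# of the machine that is connecting
+; include = /home/samba/etc/smb.conf.%m
+# Most people will find that this option gives better performance.
+# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
+# for details
+# You may want to add the following on a Linux system:
+# SO_RCVBUF=8192 SO_SNDBUF=8192
+socket options = TCP_NODELAY
+# The following parameter is useful only if you have the linpopup package
+# installed. The samba maintainer and the linpopup maintainer are
+# working to ease installation and configuration of linpopup and samba.
+; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
+# Domain Master specifies Samba to be the Domain Master Browser. If this
+# machine will be configured as a BDC (a secondary logon server), you
+# must set this to 'no'; otherwise, the default behavior is recommended.
+domain master = no
+local master = no
+preferred master = no
+# Some defaults for winbind (make sure you're not using the ranges
+# for something else.)
+; idmap uid = 10000-20000
+; idmap gid = 10000-20000
+; template shell = /bin/bash
+#======================= Share Definitions =======================
+;[homes]
+; comment = Home Directories
+; browseable = no
+[public]
+comment = public share
+path = /mnt/crypto
+public = yes
+guest ok = yes
+# By default, the home directories are exported read-only. Change next
+# parameter to 'yes' if you want to be able to write to them.
+writable = yes
+# File creation mask is set to 0700 for security reasons. If you want to
+# create files with group=rw permissions, set next parameter to 0775.
+create mask = 0700
+# Directory creation mask is set to 0700 for security reasons. If you want to
+# create dirs. with group=rw permissions, set next parameter to 0775.
+directory mask = 0700
+# Un-comment the following and create the netlogon directory for Domain Logons
+# (you need to configure Samba to act as a domain controller too.)
+;[netlogon]
+; comment = Network Logon Service
+; path = /home/samba/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+;[printers]
+; comment = All Printers
+; browseable = no
+; path = /tmp
+; printable = yes
+; public = no
+; writable = no
+; create mode = 0700
+# Windows clients look for this share name as a source of downloadable
+# printer drivers
+#[print$]
+# comment = Printer Drivers
+# path = /var/lib/samba/printers
+# browseable = yes
+# read only = yes
+# guest ok = no
+# Uncomment to allow remote administration of Windows print drivers.
+# Replace 'ntadmin' with the name of the group your admin users are
+# members of.
+; write list = root, @ntadmin
+# The next two parameters show how to auto-mount a CD-ROM when the
+# cdrom share is accesed. For this to work /etc/fstab must contain
+# an entry like this:
+#
+# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
+#
+# The CD-ROM gets unmounted automatically after the connection to the
+#
+# If you don't want to use auto-mounting/unmounting make sure the CD
+# is mounted on /cdrom
+#
+; preexec = /bin/mount /cdrom
+; postexec = /bin/umount /cdrom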
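Review bot: The `[public]` share exports the decrypted volume `path = /mnt/crypto` with `security = share`, `guest ok = yes` and `writable = yes`, and [global] sets no `hosts allow`, `interfaces` or `bind interfaces only`, so for as long as the volume is mounted every host that reaches ports 139/445 on `$NET_IFACE` (both opened by etc/cryptobox/cryptobox.conf) gets unauthenticated read/write access; the encryption then protects the data only while the box is powered off or the volume is unmounted. If an open guest share is the intended design, the comment block above `[public]` should say so in those words; otherwise a `hosts allow` line restricted to the configured network (constructed example: `hosts allow = 127. 192.168.1.`) or `security = user` with the Samba user is the usual way to narrow it. The file header still describes itself as the Debian sample configuration, and the `encrypt passwords`, `passdb backend` and `passwd chat` settings are, as far as I can tell, without effect under share-level security with guest access; trimming them would make the effective policy readable at a glance.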

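--- a/cryptobox.conf.d/mnt/crypto/info.txt
+++ b/cryptobox.conf.d/mnt/crypto/info.txt
@@ -0,0 +1 @@
+Hallo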

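--- a/cryptobox.conf.d/scripts/check_smb_idle.sh
+++ b/cryptobox.conf.d/scripts/check_smb_idle.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# a simple script to check, if there was smb traffic since the last test
+#
+# you may want to adjust the function "filter_ipt_rules" according to your setup
+#
+# any Parameter are ignored
+#
+# this script has to run as root - as it invokes iptables
+#
+# possible deployment in crontab:
+# smb_timeout.sh && (/etc/init.d/samba stop; umount /mnt/crypto)
+#
+# the iptables rules you need to detect smb traffic could look like the following:
+# iptables -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
+# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+filter_ipt_rules()
+# get the input rules for smb datagram traffic
+{
+iptables -L INPUT -vnx | grep -E "tcp upt:138|udp dpt:139"
+}
+function count_traffic()
+{
+local sum=0
+# fallback if no rules were found
+echo "$sum"
+# extract the number of packets and calculate the sum
+filter_ipt_rules | sed 's/ */ /g' | cut -d " " -f 3 | while read a
+do sum=$((sum+a))
+echo "$sum"
+done | tail -1
+# sorry for the echo-tail-voodoo - i did not know it better :)
+iptables -Z INPUT
+}
+# config test
+[ -z "`filter_ipt_rules`" ] && echo "[`basename $0`]: Could not find a matching iptables rule!" >&2 && exit 1
+# return true if it was idle
+test "`count_traffic`" -eq 0
+exit $?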
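Review bot: `filter_ipt_rules` greps for `"tcp upt:138|udp dpt:139"`, which swaps the protocols named in the header comment (udp 138, tcp 139) and misspells `dpt`, so against the rules firewall.sh installs it matches nothing and the config test at the bottom aborts every run with the "Could not find a matching iptables rule" error. `count_traffic` additionally writes the fallback `echo "$sum"` straight to the caller before the pipeline, so whenever rules are found the function returns two lines ("0" plus the total) and `test "`count_traffic`" -eq 0` fails with a non-integer argument; the fallback and the loop need to feed the same `tail -1`, as below. The column picked by `cut -d " " -f 3` after collapsing spaces depends on iptables' leading padding and looks like the byte counter rather than the packet counter the comment promises — harmless for an idle test, but worth confirming against real `-vnx` output. `function` and `local` are bash features used under `#!/bin/sh`, here and in scripts/cryptobox.sh; `#!/bin/bash` records the actual dependency.
```shell
filter_ipt_rules()
# get the input rules for smb datagram traffic
{
iptables -L INPUT -vnx | grep -E "udp dpt:138|tcp dpt:139"
}
count_traffic()
{
local sum=0
# the fallback line and the running totals go through the same tail,
# so the caller always receives exactly one number
{ echo "$sum"
filter_ipt_rules | sed 's/ */ /g' | cut -d " " -f 3 | while read a
do sum=$((sum+a))
echo "$sum"
done
} | tail -1
iptables -Z INPUT
}
# … unchanged: config test and idle check …
```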

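--- a/cryptobox.conf.d/scripts/chroot-start.sh
+++ b/cryptobox.conf.d/scripts/chroot-start.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -eu
+TMPDIRS="var/run tmp root dev var/log"
+TMPROOT="/opt/dfsruntime/runtimemnt"
+for a in $TMPDIRS
+do mkdir -p "$TMPROOT/$a"
+done
+[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
+[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
+[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
+[ ! -e /proc/mounts ] && mount -t proc proc /proc
+bash
+umount proc
+rm -r "$TMPROOT"
+mkdir "$TMPROOT"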
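Review bot: `umount proc` on the line after `bash` names the mount by its relative source instead of its mount point, so it only works when the script's working directory is `/`; `umount /proc` is what pairs with the `mount -t proc proc /proc` above, and because that mount is conditional on `/proc/mounts` being absent the unmount should be guarded the same way or it tears down a proc the caller had mounted. Under `set -eu` a non-zero status from the interactive `bash` (the status of whatever command the user ran last) aborts the script before the unmount and the `rm -r "$TMPROOT"` cleanup; `bash || true` keeps the cleanup reachable. A header comment should state that this runs inside the build chroot and what the `mknod` lines are for, which the `/opt/dfsruntime` path only implies.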

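--- a/cryptobox.conf.d/scripts/configure-cryptobox.sh
+++ b/cryptobox.conf.d/scripts/configure-cryptobox.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# this script is only called during the making of the cryptobox cd
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+RUNTIMEDIR=/opt/dfsruntime/runtimerd
+TUNDEV=$RUNTIMEDIR/dev/net/tun
+[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
+######### devices ##########
+# create tun device for running under qemu
+if [ ! -e "$TUNDEV" ]
+then mkdir -p `dirname "$TUNDEV"`
+mknod "$TUNDEV" c 10 200
+fi
+######### thttpd ###########
+# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
+sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
+# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
+sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
+######### bashrc ###########
+# remove dfshints from bashrc
+sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
+########## sshd ############
+# allow empty passwords for ssh
+# the daemon is NOT started automatically, so you have to start it
+# manually in case of need - as the root pw is empty and passwd is ro, you
+# have to allow empty passwords for this rare case
+sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
+# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
+sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
+# allow nput of password
+sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
+umount /proc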
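Review bot: The `sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/'`, `UsePAM` and `PasswordAuthentication` edits only rewrite a directive that is already present and uncommented; a stock sshd_config typically ships these lines commented out (`#PermitEmptyPasswords no`), in which case the substitution is a silent no-op and `set -e` cannot notice because sed exits 0 either way, leaving sshd with a different policy than the comments claim. The same applies to the thttpd `chroot` and `user=` substitutions. Each edit should be followed by a check that the intended line now exists, e.g. `grep -q '^PermitEmptyPasswords yes$' /etc/ssh/sshd_config`, or the directive should be appended after deleting any existing variant. The comment on the `user=root` line should also say plainly that every CGI will run as root from then on, since that decision is what the rest of the system's exposure rests on; and `umount /proc` at the end runs unconditionally although the mount above was conditional.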

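--- a/cryptobox.conf.d/scripts/cryptobox.sh
+++ b/cryptobox.conf.d/scripts/cryptobox.sh
@@ -0,0 +1,362 @@
+#!/bin/sh
+#
+# this script does EVERYTHING
+# all other scripts are only frontends :)
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+## configuration
+MARKER="$CONFIG_DIR/cryptobox.marker"
+CERT_TEMP=/tmp/stunnel.pem
+#####
+function error_msg()
+# parameters: ExitCode ErrorMessage
+{
+echo "[`date`] - $2" | tee -a "$LOG_FILE" >&2
+# print the execution stack - not usable with busybox
+#caller | sed 's/^/\t/' >&2
+exit "$1"
+}
+function initial_checks()
+# Parameter: device
+{
+local device="$1"
+[ ! -b "$device" ] && echo "blockdevice $device does not exist" && return 1
+## check if we have an existing configpartition
+## TODO: why this config_mount_test?
+# config_mount_test "$device"
+[ ! -x "$WIPE" ] && echo "$WIPE not found" && return 1
+[ ! -x "$SFDISK" ] && echo "$SFDISK not found" && return 1
+for a in $ALGO $HASH
+do grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
+grep -q "^name *: $a$" /proc/crypto || { echo "$a is not supported by kernel" && return 1; }
+done
+mount | grep -q "^$device[ 1-9] " && echo "$device is mounted" && return 1
+return 0
+}
+function create_partitions()
+# Parameter: device
+{
+local device="$1"
+# first partition size is 1 sector, second goes til end
+# sfdisk -n doesn't actually write (for testing purpose)
+echo -e "0,1,L \n,,L\n" | $SFDISK "$device"
+}
+function config_set_value()
+# parameters: SettingName SettingValue
+{
+mount -o rw,remount "$CONFIG_DIR"
+echo "$2" > "$CONFIG_DIR/$1"
+mount -o ro,remount "$CONFIG_DIR"
+}
+function config_get_value()
+# parameters: SettingName
+{
+# use mounted config, if it exists - otherwise use defaults
+local conf_dir
+if is_config_mounted
+then conf_dir=$CONFIG_DIR
+else conf_dir=$CONFIG_DEFAULTS_DIR
+fi
+[ -z "$1" ] && error_msg 1 "empty setting name"
+[ ! -e "$conf_dir/$1" ] && error_msg 2 "unknown configuration value ($1)"
+cat "$conf_dir/$1"
+}
+function create_config()
+# Parameter: device
+{
+local device="${1}1"
+$MKFS_CONFIG "$device"
+# mount the config partition rw
+mount "$device" "$CONFIG_DIR"
+# create a marker to recognize a cryptobox partition
+date -I >"$MARKER"
+## write (network) interfaces
+cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
+# copy stunnel cert
+cp -p "$CERT_TEMP" "$CERT_FILE"
+# beware: config_set_value remounts the config partition read-only
+config_set_value "device" "$1"
+config_set_value "ip" "$(get_current_ip)"
+# reinitialise configuration
+umount "$CONFIG_DIR"
+mount_config
+}
+function get_current_ip()
+# not necessarily the same as configured (necessary for validation)
+{
+ifconfig $NET_IFACE | grep "inet" | cut -d ":" -f2 | cut -d " " -f1
+}
+function create_crypto()
+# Parameter: device
+{
+local device="$1"
+# flood the crypto partition with noise
+# - not needed -
+#$WIPE -kq -R /dev/urandom "${device}2"
+# passphrase may be passed via command line
+$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+}
+function mkfs_crypto()
+# split from create_crypto to allow background execution via web interface
+{
+$MKFS_DATA "$CRYPTMAPPER_DEV"
+}
+function config_mount_test()
+# Parameter: device
+{
+local device="${1}"
+local STATUS=0
+mount "${device}1" "$CONFIG_DIR" &>/dev/null || true
+is_config_mounted && STATUS=1
+umount "$CONFIG_DIR" &>/dev/null || true
+# return code is the result of this expression
+[ 1 -eq "$STATUS" ] && return 0
+return 1
+}
+function is_config_mounted()
+{
+mount | grep -q " ${CONFIG_DIR} " && [ -f "$MARKER" ]
+}
+function is_crypto_mounted()
+{
+mount | grep -q " ${CRYPTO_DIR} "
+}
+function is_init_running()
+{
+ps -e | grep -q -E "$MKFS_DATA|$WIPE"
+}
+function find_harddisk()
+# look for the harddisk to be partitioned
+{
+local dev=$(
+if is_config_mounted
+then config_get_value "device"
+else for a in $SCAN_DEVICES
+do grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
+done
+fi )
+[ -z "$dev" ] && error_msg 4 "no valid partition for initialisation found!"
+echo -n "$dev"
+}
+function mount_config()
+{
+is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
+local device=$(
+for a in $SCAN_DEVICES
+do echo "Trying to load configuration from $a ..." >&2
+config_mount_test "$a" && echo "$a" && break
+done )
+if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
+then echo "configuraton found on $device" >&2
+config_set_value "device" "$device"
+return 0
+else echo "failed to locate harddisk" >&2
+return 1
+fi
+}
+function mount_crypto()
+{
+is_crypto_mounted && echo "Das Crypto-Dateisystem ist bereits aktiv!"
+local device=`find_harddisk`
+# passphrase is read from stdin
+$CRYPTSETUP -h "$HASH" -c "$ALGO" create "$CRYPTMAPPER_DEV" "${device}2"
+if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+then /etc/init.d/samba start
+else dmsetup remove "$CRYPTMAPPER_DEV"
+return 1
+fi
+}
+function umount_crypto()
+{
+# do not break on error
+set +e
+# thttpd removes PATH for cgis
+/etc/init.d/samba stop
+ps -e | grep -q " samba$" && killall samba
+ps -e | grep -q " samba$" && killall -9 samba
+umount "$CRYPTO_DIR"
+$CRYPTSETUP remove "$CRYPTMAPPER_DEV"
+set -e
+}
+function init_cryptobox_part1()
+# this is only the first part of initialisation that takes no time - good for a smooth web interface
+{
+umount_crypto || true
+umount "$CONFIG_DIR" || true
+local device=`find_harddisk`
+initial_checks "$device" || error_msg 5 "Failure during initialisation - bye, bye"
+create_partitions "$device"
+create_config "$device"
+create_crypto "$device"
+}
+function init_cryptobox_part2()
+# some things to be done in the background
+# these are the final steps of initialisation
+# thuid must be changed at the first time, therfore it needs to be
+# mounted
+{
+mkfs_crypto
+mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
+chown $SAMBA_USER "$CRYPTO_DIR"
+umount_crypto
+}
+function init_cryptobox_complete()
+{
+init_cryptobox_part1
+init_cryptobox_part2
+}
+### main ###
+# set PATH because thttpd removes /sbin and /usr/sbin for cgis
+export PATH=/usr/sbin:/usr/bin:/sbin:/bin
+ACTION=help
+[ $# -gt 0 ] && ACTION="$1"
+case "$ACTION" in
+config-up )
+# die cruft option hilft vielleicht bei dem Fehler "interleaved files not (yet) supported"
+mount -o remount,cruft /
+if mount_config
+then echo "Cryptobox configuration successfully loaded"
+else error_msg 3 "Could not find a configuration partition!"
+fi
+;;
+config-down )
+umount "$CONFIG_DIR"
+;;
+network-up )
+kudzu -s -q --class network
+conf_ip=$(config_get_value "ip")
+ifconfig $NET_IFACE "$conf_ip"
+echo "Configured network interface for $NET_IFACE: $conf_ip"
+/scripts/firewall.sh start
+# start stunnel
+if [ -f "$CERT_FILE" ]
+then USE_CERT=$CERT_FILE
+else USE_CERT=$CERT_TEMP
+/scripts/make_stunnel_cert.sh "$CERT_TEMP" >>"$LOG_FILE" 2>&1
+fi
+stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
+|| echo "$USE_CERT not found - not starting stunnel"
+# this ping allows other hosts to get the IP of
+# the box, in case of misconfiguration
+ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
+;;
+network-down )
+/scripts/firewall.sh stop
+killall stunnel
+ifconfig $NET_IFACE down
+;;
+services-up )
+/etc/init.d/thttpd start
+;;
+services-down )
+/etc/init.d/samba stop
+/etc/init.d/thttpd stop
+;;
+box-init )
+# this is good for commandline only, as it takes a lot of time
+init_cryptobox_complete >>"$LOG_FILE" 2>&1
+;;
+box-init-fg )
+# only partitioning and configuration
+# this is nice for the web interface, as it is fast
+# output redirection does not work, as it prevents cryptsetup from asking
+# for a password
+init_cryptobox_part1 >>"$LOG_FILE" 2>&1
+;;
+box-init-bg )
+# do it in the background to provide a smoother web interface
+# messages and errors get written to $LOG_FILE
+# the 'exec' output redirection does not work, if called by a cgi, so
+# redirect it as usual
+init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1 &
+;;
+is_crypto_mounted )
+is_crypto_mounted
+;;
+is_config_mounted )
+is_config_mounted
+;;
+is_init_running )
+is_init_running
+;;
+crypto-mount )
+mount_crypto
+;;
+crypto-umount )
+umount_crypto
+;;
+set_config )
+[ $# -ne 3 ] && error_msg 7 "'set_config' requires two parameters"
+config_set_value "$2" "$3"
+;;
+get_config )
+[ $# -ne 2 ] && error_msg 6 "'get_config' requires exactly one parameter"
+config_get_value "$2"
+;;
+diskinfo )
+$SFDISK -L -q -l `find_harddisk`
+;;
+get_current_ip )
+get_current_ip
+;;
+* )
+# TODO: update this!
+echo "Syntax: `basename $0` { mount_config | umount_config | init }"
+echo
+;;
+esac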
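Review bot: `mount_crypto` prints `Das Crypto-Dateisystem ist bereits aktiv!` when the volume is already mounted but does not return, so it goes on to run `$CRYPTSETUP ... create` against a mapping that already exists and then tries a second mount; the line should read `is_crypto_mounted && echo "Das Crypto-Dateisystem ist bereits aktiv!" && return 0`. `config_set_value` and `config_get_value` use the setting name from the command line (the `set_config`/`get_config` cases, presumably invoked by the web CGIs) directly as a path component under `$CONFIG_DIR`, and nothing in this file rejects names containing `/` or `..`; a guard at the top of both functions, `case "$1" in ""|*[!a-zA-Z0-9_]*) error_msg 1 "invalid setting name" ;; esac`, confines reads and writes to the intended directory regardless of what usr/lib/cryptobox/validate.sh (not in view) checks. `create_crypto` and `mount_crypto` use plain-mode `cryptsetup create` with `-h sha512`; if I read plain mode correctly the key is the unsalted, single-pass hash of the passphrase and no header is written, so a mistyped passphrase is only detected by the later `mount` failing and offline guessing of weak passphrases is cheap — the LUKS commands would add salted, iterated key derivation and passphrase verification, and the comment above the call should at least record that choice. The `* )` usage text still lists `mount_config | umount_config | init`, none of which is a `case` label; it should be regenerated from the actual actions.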

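--- a/cryptobox.conf.d/scripts/devel-features.sh
+++ b/cryptobox.conf.d/scripts/devel-features.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# this script is part of the boot process of a developer's cryptobox
+#
+# it should really NEVER be executed on a production system
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+MIRROR_DIR=/tmp/mirror
+MIRROR_ORIG_DIR=/tmp/mirror.orig
+WRITE_DIRS="/usr/share/cryptobox /var/www /scripts /usr/lib/cryptobox"
+ACTION="--help"
+[ $# -gt 0 ] && ACTION="$1"
+case "$ACTION" in
+start )
+# start ssh daemon
+/etc/init.d/ssh start
+# copy cryptobox files to tmpfs
+for a in $WRITE_DIRS
+do mkdir -p "$MIRROR_DIR/$a"
+cp -a "$a/." "$MIRROR_DIR/$a"
+mount --bind "$MIRROR_DIR/$a" "$a"
+done
+$0 set_diff_base
+# thttpd needs to be restarted to reopen its files
+/etc/init.d/thttpd restart
+;;
+set_diff_base )
+# the present content of the tmpfs mirror get copied to
+# MIRROR_ORIG_DIR for later diffs
+# whenever you merged a diff, you should call this function
+[ -e "$MIRROR_ORIG_DIR" ] && rm -rf "$MIRROR_ORIG_DIR"
+cp -a "$MIRROR_DIR" "$MIRROR_ORIG_DIR"
+;;
+diff )
+cd "`dirname \"$MIRROR_ORIG_DIR\"`"
+# diff and remove "binary files differ"-warnings (vi-swap-files)
+diff -ruN "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
+;;
+stop )
+/etc/init.d/ssh stop
+for a in $WRITE_DIRS
+do umount "$MIRROR_DIR/$a"
+done
+rm -rf "$MIRROR_DIR"
+;;
+restart )
+$0 stop
+$0 start
+;;
+* )
+echo "Syntax: `basename $0` { start | stop | restart }"
+;;
+esac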
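Review bot: The `stop` branch unmounts the wrong path: `start` bind-mounts `$MIRROR_DIR/$a` onto `$a`, so the mount point is `$a`, and `umount "$MIRROR_DIR/$a"` fails with "not mounted", which under `set -e` aborts the script before the final `rm -rf` ever runs; the loop body should read `do umount "$a"`. Independently, `$MIRROR_DIR` is a fixed, predictable path under world-writable /tmp and `mkdir -p` succeeds silently on a directory somebody else created there first, after which the contents served by thttpd from `/var/www` and the CGI helpers under `/scripts` and `/usr/lib/cryptobox` come from that pre-placed directory; a `mktemp -d` location, or an ownership/permission check on `$MIRROR_DIR` before the copy, would close that on a multi-user development box. The header says the script must never run on a production system, but nothing in the script itself enforces it; consider a guard that refuses to start unless a development marker is present.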

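--- a/cryptobox.conf.d/scripts/firewall.sh
+++ b/cryptobox.conf.d/scripts/firewall.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# set up the firewall of the cryptobox
+#
+set -u
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+ACTION="help"
+[ $# -gt 0 ] && ACTION=$1
+case "$ACTION" in
+start)
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+OFILE=/proc/sys/net/ipv4/tcp_syncookies
+[ -e "$OFILE" ] && echo 1 >"$OFILE"
+iptables -F
+iptables -X
+iptables -Z
+iptables -A INPUT -i lo -j ACCEPT
+for a in $ALLOW_TCP_PORTS
+do iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT
+done
+for a in $ALLOW_UDP_PORTS
+do iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT
+done
+iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT
+;;
+stop)
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -F
+iptables -X
+iptables -Z
+;;
+*)
+echo "usage $0 start | stop"
+;;
+esac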
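Review bot: The INPUT chain has no rule for replies to connections the box opens itself: the policy is DROP and only lo, the listed ports and ICMP are accepted, so any outbound TCP/UDP connection (OUTPUT is ACCEPT) has its answers dropped on the way back. Unless that is intended, add `iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` directly after the lo rule, before the port loops. Setting the DROP policies before `-F` is the right order (no unfiltered window at start), but `stop` flips every policy to ACCEPT while the interface is still up — cryptobox.sh's `network-down` calls `firewall.sh stop` before `ifconfig $NET_IFACE down` — so swapping those two steps in the caller, or having `stop` keep INPUT at DROP, would avoid the brief unfiltered state. Note also that nothing here touches ip6tables; if the kernel has IPv6 enabled the DROP policy does not apply to it.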

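--- a/cryptobox.conf.d/scripts/make_stunnel_cert.sh
+++ b/cryptobox.conf.d/scripts/make_stunnel_cert.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+#
+# this script creates the stunnel certificate for https
+#
+# parameter: "destination file"
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+## vcert values are in openssl.conf
+CERTFILE="$1"
+TMP_FILE=/tmp/cryptobox-cert.tmp
+[ ! -f "$CONF_FILE" ] && echo "`basename $0`: $CONF_FILE not found" && exit 2
+# this command creates the certificate
+# this is required, because the certbuilding asks for 5 returns
+echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
+chmod 600 "$CERTFILE"
+# next step needs a lot of randomdata
+dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
+openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
+rm "$TMP_FILE"
+#ln -sf ${CERTPATH}stunnel.pem ${CERTPATH}`openssl x509 -noout -hash < "${CERTPATH}stunnel.pem"`.0
+## print out cert values
+#openssl x509 -subject -dates -fingerprint -in stunnel.pem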
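Review bot: The private key is written into `$CERTFILE` by `openssl req ... -keyout` under the process umask and only afterwards restricted by `chmod 600`, so with a typical 022 umask the key is world-readable until that line runs; put `umask 077` before the openssl call (it also covers `$TMP_FILE`). `openssl dhparam ... 512` generates 512-bit DH parameters, which are far too small to give the TLS session meaningful forward secrecy — use at least 2048. `$TMP_FILE` is a fixed path under /tmp written as root via `dd of=`, so a pre-placed symlink there is followed, and the seeding is unnecessary anyway because openssl reads /dev/urandom itself; the `dd`/`-rand`/`rm` trio can simply go. The existence check tests `$CONF_FILE` but openssl is handed `$OPENSSL_CONF_FILE`; presumably the check was meant for the file actually used. Finally, `echo -ne` is not portable under `#!/bin/sh` (dash prints the flags literally), `printf '\n\n\n\n\n'` is.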

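--- a/cryptobox.conf.d/usr/lib/cryptobox/validate.sh
+++ b/cryptobox.conf.d/usr/lib/cryptobox/validate.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# do a validation
+#
+# use "--help" for a list of possible actions
+#
+set -eu
+# parse config file
+. /etc/cryptobox/cryptobox.conf
+function error_die()
+{
+echo "$2" >&2
+exit $1
+}
+function do_single()
+# Parameter: "test case dir" "output directory for results"
+{
+local TESTNAME=$(basename $1)
+curl --insecure --silent --output "${2}/${TESTNAME}.html" --config "$1/input.curl"
+[ -e "${2}/${TESTNAME}.html" ] && sed "1,/CBOX-STATUS-begin/d; /CBOX-STATUS-end/,\$d" "${2}/${TESTNAME}.html" >"${2}/${TESTNAME}.status"
+# the diff option "-B" is required, because the status output of
+# the cryptobox.pl script contains some blank lines
+diff -NB "${2}/${TESTNAME}.status" "$1/output" >"${2}/${TESTNAME}.diff" || true
+rm "${2}/${TESTNAME}.status"
+cp "$1/description" "${2}/${TESTNAME}.desc"
+}
+function do_series()
+# parameter: name of the test case
+{
+[ -d "$REPORT_DIR/$1" ] && rm -r "$REPORT_DIR/$1"
+mkdir -p "$REPORT_DIR/$1"
+find "$TEST_CASES_DIR/$1" -type d -maxdepth 1 -mindepth 1 | grep -v "/\.\.*$" | sort | while read a
+do do_single "$a" "$REPORT_DIR/$1"
+done
+create_summary "$REPORT_DIR/$1" >"$REPORT_DIR/$1/summary.html"
+tar czf "$REPORT_DIR/${1}-results.tar.gz" -C "$REPORT_DIR" "$1"
+echo "$REPORT_DIR/${1}-results.tar.gz"
+}
+create_summary()
+# parameter: directory of results
+{
+cat "$SUMMARY_TEMPLATE_DIR/header"
+find "$1" -type f -name \*.desc -maxdepth 1 | sort | while read a
+do TESTNAME=$(basename ${a%.desc})
+TESTDESCRIPTION=$(cat $a)
+sed "s#_TESTNAME_#$TESTNAME#g; s/_TESTDESCRIPTION_/$TESTDESCRIPTION/" "$SUMMARY_TEMPLATE_DIR/single_header"
+local DIFF_FILE=${a%.desc}.diff
+if [ -s "$DIFF_FILE" ]
+then cat "$SUMMARY_TEMPLATE_DIR/result-error"
+cat "$DIFF_FILE"
+else cat "$SUMMARY_TEMPLATE_DIR/result-ok"
+echo "no differences found"
+fi
+cat "$SUMMARY_TEMPLATE_DIR/single_footer"
+rm "$DIFF_FILE" "$a"
+done
+cat "$SUMMARY_TEMPLATE_DIR/footer"
+}
+ACTION="--help"
+[ $# -gt 0 ] && ACTION=$1
+case "$ACTION" in
+list )
+find "$TEST_CASES_DIR" -type d -maxdepth 1 -mindepth 1 | grep -v "/\.\.*$" | sort | while read a
+do echo $(basename "$a")
+done
+;;
+check )
+[ $# -ne 2 ] && error_die 1 "Syntax: $(basename $0) check NAME"
+CASE_DIR="$TEST_CASES_DIR/$2"
+[ ! -d "$CASE_DIR" ] && error_die 2 "the test case was not found ($CASE_DIR)!"
+do_series "$2"
+;;
+* )
+echo "Syntax of $(basename $0)"
+echo -e "\t list \t\t - show a list of available test cases"
+echo -e "\t check NAME \t - execute a test case - if successful the filename of the report is printed"
+echo -e "\t help \t\t - this syntax information"
+echo
+;;
+esac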
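Review bot: `check` validates NAME only by testing that `$TEST_CASES_DIR/$2` is a directory, so a name containing `/` or `..` escapes that directory and is then used verbatim in do_series for `rm -r "$REPORT_DIR/$1"`, `mkdir -p` and `tar` — `check ..` passes the check and removes the parent of `$REPORT_DIR`. Reject such names before use, e.g. `case "$2" in ''|*/*|.*) error_die 3 "invalid test case name";; esac` ahead of the `CASE_DIR=` line. This matters beyond the command line because nav.cs links the script as `/cgi-bin/validate.sh`; how request data reaches its arguments is not visible here, but the script should not depend on that path being safe. Separately, `function` and `local` are bash-isms under `#!/bin/sh`, and in create_summary the description file is spliced into a sed expression (`s/_TESTDESCRIPTION_/$TESTDESCRIPTION/`), so any description containing `/`, `&` or a newline breaks the summary — a placeholder substitution with awk or a character-safe delimiter would be more robust.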

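--- a/cryptobox.conf.d/usr/lib/perl5/ClearSilver.pm
+++ b/cryptobox.conf.d/usr/lib/perl5/ClearSilver.pm
@@ -0,0 +1,68 @@
+package ClearSilver;
+use 5.006;
+use strict;
+use warnings;
+require Exporter;
+require DynaLoader;
+our @ISA = qw(Exporter DynaLoader);
+# Items to export into callers namespace by default. Note: do not export
+# names by default without a very good reason. Use EXPORT_OK instead.
+# Do not simply export all your public functions/methods/constants.
+# This allows declaration use ClearSilver ':all';
+# If you do not need this, moving things directly into @EXPORT or @EXPORT_OK
+# will save memory.
+our %EXPORT_TAGS = ( 'all' => [ qw(
+) ] );
+our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
+our @EXPORT = qw(
+);
+our $VERSION = '0.01';
+bootstrap ClearSilver $VERSION;
+# Preloaded methods go here.
+1;
+__END__
+# Below is stub documentation for your module. You better edit it!
+=head1 NAME
+ClearSilver - Perl extension for blah blah blah
+=head1 SYNOPSIS
+use ClearSilver;
+blah blah blah
+=head1 DESCRIPTION
+Stub documentation for ClearSilver, created by h2xs. It looks like the
+author of the extension was negligent enough to leave the stub
+unedited.
+Blah blah blah.
+=head2 EXPORT
+None by default.
+=head1 AUTHOR
+A. U. Thor, E<lt>a.u.thor@a.galaxy.far.far.awayE<gt>
+=head1 SEE ALSO
+L<perl>.
+=cut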

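--- a/cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/.packlist
+++ b/cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/.packlist
@@ -0,0 +1,4 @@
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/ClearSilver.pm
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/auto/ClearSilver/ClearSilver.bs
+/tmp/clearsilver-perl/local/lib/perl/5.8.7/auto/ClearSilver/ClearSilver.so
+/tmp/clearsilver-perl/local/man/man3/ClearSilver.3pm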

0
cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/ClearSilver.bs

BIN
cryptobox.conf.d/usr/lib/perl5/auto/ClearSilver/ClearSilver.so

Binary file not shown.

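--- a/cryptobox.conf.d/usr/share/cryptobox/defaults/ip
+++ b/cryptobox.conf.d/usr/share/cryptobox/defaults/ip
@@ -0,0 +1 @@
+192.168.0.23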

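--- a/cryptobox.conf.d/usr/share/cryptobox/defaults/language
+++ b/cryptobox.conf.d/usr/share/cryptobox/defaults/language
@@ -0,0 +1 @@
+de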

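--- a/cryptobox.conf.d/usr/share/cryptobox/defaults/timeout
+++ b/cryptobox.conf.d/usr/share/cryptobox/defaults/timeout
@@ -0,0 +1 @@
+30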

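--- a/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
+++ b/cryptobox.conf.d/usr/share/cryptobox/lang/de.hdf
@@ -0,0 +1,113 @@
+Lang {
+Menu {
+}
+Title {
+Init = Initialisierung der CryptoBox
+Mount = Aktivierung der Cryptodaten
+Umount = Deaktivierung der Cryptodaten
+Config = Konfiguration der CryptoBox
+Log = Protokoll der CryptoBox
+}
+Text {
+EnterNewPassword = Das neue Passwort eingeben:
+EnterSamePassword = Das neue Passwort wiederholen:
+InitWarning = Bei der Initialisierung werden ALLE DATEN auf der Festplatte GEL&Ouml;SCHT!
+InitDescription = Schritt ist nur einmalig vor der ersten Nutzung notwendig.<br>F&uuml;r den t&auml;glichen Gebrauch musst du das verschl&uuml;sselte Dateisystem lediglich aktivieren und deaktivieren
+ConfirmInitHint = Um zu best&auml;tigen, dass du weisst, was du tust, tippe hier bitte exakt Folgendes ein:
+ConfirmInit = ja, loesche alle Daten!
+PartitionInfo = Derzeitige Partitionierung der Festplatte:
+IPAddress = Netwerk-Adresse (IP) der CryptoBox:
+TimeOut = Zeitabschaltung des Crypto-Dateisystems (in Minuten):
+EmptyLog = Das Logbuch der CryptoBox ist leer.
+SelectLanguage = Spracheinstellung:
+}
+Button {
+DoInit = CryptoBox initialisieren
+SaveConfig = Speichere Konfiguration
+Update = Aktualisieren
+Mount = CryptoDaten aktivieren
+Umount = CryptoDaten deaktivieren
+}
+Warning {
+InitNotConfirmed {
+Title = Best&auml;tigung schlug fehl
+Text = Der Best&auml;tigungssatz muss exakt eingegeben werden!
+}
+EmptyPassword {
+Title = Ung&uuml;ltige Eingabe
+Text = Das Passwort darf nicht leer sein!
+}
+DifferentPasswords {
+Title = Ungleiche Passworte
+Text = Die beiden Passworte m&uuml;ssen identisch sein, um sicherzustellen, dass dies das gew&uuml;nschte Passwort ist.
+}
+MountFailed {
+Title = Aktivierung schlug fehl
+Text = Das verschl&uuml;sselte Dateisystem konnte nicht aktiviert werden. Wahrscheinlich war das Passwort falsch.
+}
+UmountFailed {
+Title = Deaktivierung schlug fehl
+Text = Das verschl&uuml;sselte Dateisystem konnte nicht abgeschaltet werden. Wahrscheinlich sind noch Dateien ge&ouml;ffnet. Also schlie&szlig;e alle potentiell unsauberen Programme (beispielsweise die weitverbreitete Textverarbeitung). Notfalls ziehe einfach den Stromstecker!
+}
+NotConfigured {
+Title = Keine Konfiguration gefunden
+Text = Die CryptoBox wurde noch nicht eingerichtet.
+}
+InitNotFinished {
+Title = Initalisierung noch nicht abgeschlossen
+Text = Die Initialisierung wird in wenigen Minuten beendet sein. Erst danach ist diese Aktion m&ouml;glich.
+}
+IsMounted {
+Title = Bereits aktiv
+Text = Das verschl&uuml;sselte Dateisystem ist bereits aktiv.
+}
+NotMounted {
+Title = Nicht aktiv
+Text = Das verschl&uuml;sselte Dateisystem ist derzeit nicht aktiv.
+}
+AlreadyConfigured {
+Title = Konfiguration gefunden
+Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gel&ouml;scht!
+}
+}
+Error {
+UnknownAction {
+Title = Unbekannte Aktion
+Text = Du hast eine undefinierte Aktion angefordert. Falls du dies nicht bewusst getan hast, solltest du es deinem Administrator mitteilen, damit er das Problem an die Entwickler der CryptoBox weiterleiten kann.
+}
+MountUnavailableInitRunning {
+Title = Die Initialisierung der CryptoBox l&auml;uft noch ...
+Text = Solange die Einrichtung der Crypto-Partition nicht abgeschlossen ist, kannst du die CryptoBox nicht aktivieren. Versuche es in ein paar Minuten noch einmal</a>.
+}
+MountUnavailableNotInitialized {
+Title = Die CryptoBox wurde noch nicht initialisiert
+Text = Nach dem Abschluss der einmaligen <a href="/cgi-bin/init-cryptobox.pl" title="Initialisierung">Neueinrichtung</a> kannst du die Crypto-Partition nutzen.
+}
+}
+}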

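--- a/cryptobox.conf.d/usr/share/cryptobox/templates/config_form.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/config_form.cs
@@ -0,0 +1,23 @@
+<div id="config">
+<h1><?cs var:Lang.Title.Config ?></h1>
+<form action="<?cs var:ScriptName ?>" method="post"
+enctype="application/x-www-form-urlencoded">
+<table class="form">
+<tr><td><?cs var:Lang.Text.IPAddress ?></td><td>
+<input type="text" size="16" maxsize="15" name="ip"
+value="<?cs var:Data.Config.IP ?>" /></td></tr>
+<tr><td><?cs var:Lang.Text.TimeOut ?></td><td>
+<input type="text" size="16" maxsize="5" name="timeout"
+value="<?cs var:Data.Config.TimeOut ?>" /></td></tr>
+<tr><td><?cs var:Lang.Text.SelectLanguage ?></td><td>
+<select name="language">
+<option value="de">Deutsch</option>
+<option value="en">English</option>
+</select></td></tr>
+<tr><td colspan="2">
+<button type="submit" name="action" value="config_do">
+<?cs var:Lang.Button.SaveConfig ?></button></td></tr>
+</table>
+</form>
+</div>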
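Review bot: `value="<?cs var:Data.Config.IP ?>"` and the TimeOut value are emitted unescaped inside an attribute, and both are values that were previously submitted through this very form and stored via set_config; unless the CGI validates them strictly before storing (not visible here), a stored value containing `"` breaks out of the attribute and becomes markup on every later page load. Emit them through ClearSilver's escaping, e.g. `value="<?cs var:html_escape(Data.Config.IP) ?>"` if this ClearSilver build provides it, and in any case validate the IP and timeout format server-side. Also the `<select name="language">` never marks the stored `Data.Config.Language` as `selected`, so saving the form always resets the language to "de" unless the user re-picks it; and `maxsize` is not an attribute of `<input>`, presumably `maxlength` was meant.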

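--- a/cryptobox.conf.d/usr/share/cryptobox/templates/doc.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/doc.cs
@@ -0,0 +1,5 @@
+<div class="doc">
+<?cs include:DocDir + '/' + Data.Doc.Page ?>
+</div>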
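Review bot: `include:DocDir + '/' + Data.Doc.Page` builds the include path from a value that, going by the `?action=doc` link in nav.cs, is presumably chosen per request; if the CGI copies a request parameter into `Data.Doc.Page` without restricting it, a value such as `../../etc/passwd` makes ClearSilver read and render any file the web server user can open. Whether the perl side restricts it is not visible in this commit; the template should only ever see a name taken from a fixed list of documentation pages, or at minimum one without `/` or leading `.`.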

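--- a/cryptobox.conf.d/usr/share/cryptobox/templates/error.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/error.cs
@@ -0,0 +1 @@
+<?cs call:error(Data.Error) ?>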

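--- a/cryptobox.conf.d/usr/share/cryptobox/templates/footer.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/footer.cs
@@ -0,0 +1,21 @@
+</div><!-- end of 'words' -->
+<div id="footer">
+<a href="https://systemausfall.org/prj/cryptobox" title="Projekt-Seite">CryptoBox-Home</a>&nbsp;&nbsp;Die CryptoBox ist ein Projekt von <a href="https://systemausfall.org/senselab" title="systemausfall.org">sense.lab</a>
+</div>
+</div>
+</div>
+<!-- CBOX-STATUS-begin - necessary for validation - do not touch!
+Data.Config.IP=<?cs var:Data.Config.IP ?>
+Data.Config.Language=<?cs var:Data.Config.Language ?>
+Data.Config.TimeOut=<?cs var:Data.Config.TimeOut ?>
+Data.Status.Config=<?cs var:Data.Status.Config ?>
+Data.Status.InitRunning=<?cs var:Data.Status.InitRunning ?>
+Data.Status.IP=<?cs var:Data.Status.IP ?>
+Data.Status.Mounted=<?cs var:Data.Status.Mounted ?>
+CBOX-STATUS-end -->
+</body>
+</html>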

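--- a/cryptobox.conf.d/usr/share/cryptobox/templates/header.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/header.cs
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>CryptoBox</title>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta http-equiv="pragma" content="no-cache" />
+<meta http-equiv="cache-control" content="no-cache" />
+<meta http-equiv="expires" content="0" />
+<link rel="stylesheet" media="screen" href="/cryptobox.css" type="text/css" />
+</head>
+<body>
+<div id="main">
+<div id="head">
+<h1>Die CryptoBox</h1>
+<h2>und zwar umsonst!</h2>
+</div>
+<div id="content">
+<div id="menu">
+<?cs include:TemplateDir + '/nav.cs' ?>
+</div>
+<div id="words">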
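Review bot: The DOCTYPE pairs the XHTML 1.0 Strict public identifier with the Transitional DTD URL (`xhtml1-transitional.dtd`), so validators flag the document before looking at any content; pick one consistently, e.g. `"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"`. If Strict is the intent, mount_form.cs's `<div align="center">` and `<table border="0">` will also need to move to CSS, since Strict drops those presentational attributes.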

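--- a/cryptobox.conf.d/usr/share/cryptobox/templates/init_form.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/init_form.cs
@@ -0,0 +1,37 @@
+<h1><?cs var:Lang.Title.Init ?></h1>
+<div class="init">
+<form action="<?cs var:ScriptName ?>" method="post" enctype="application/x-www-form-urlencoded">
+<table class="form">
+<!-- TODO: replace colgroup by css? -->
+<colgroup><col align="right" width="50%"/><col align="left" width="50%"/></colgroup>
+<caption style="caption-side:top; text-align:center; font-weight:bold; color:red">
+<?cs var:Lang.Text.InitWarning ?></caption>
+<tr><td colspan="2" style="text-align:center"></td></tr>
+<tr><td align="right"><?cs var:Lang.Text.EnterNewPassword ?></td><td>
+<input type="password" name="password" size="20" tabindex="1" maxlength="40" />
+</td></tr>
+<tr><td align="right"><?cs var:Lang.Text.EnterSamePassword ?> </td><td>
+<input type="password" name="password2" size="20" tabindex="2" maxlength="40" />
+</td></tr>
+<tr><td colspan="2" align="center">
+<?cs var:Lang.Text.ConfirmInitHint ?> <span id="confirmtext"><?cs var:Lang.Text.ConfirmInit ?></span></td></tr>
+<tr><td colspan="2" align="center">
+<input type="text" name="confirm" size="30" tabindex="3" maxlength="50" />
+</td></tr>
+<tr><td colspan="2" align="center" style="padding:3%">
+<button type="submit" name="action" value="init_do"><?cs var:Lang.Button.DoInit ?></button>
+</td></tr>
+</table>
+</form>
+</div>
+<div class="partition_info">
+<hr/>
+<h2><?cs var:Lang.Text.PartitionInfo ?></h2>
+<!-- TODO: CSS! -->
+<p style="margin-left:10%; margin-right:10%; font-family:monospace">
+<?cs var:Data.PartitionInfo ?>
+</p>
+</div>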
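Review bot: The `init_do` POST wipes the whole disk (InitWarning says so) and the only thing it asks for beyond the new password is a confirmation phrase that is a fixed string printed on the same page, so any web page the user happens to visit can submit this form to the box's address in the background and destroy the data — the form carries no per-session token and no authentication is visible anywhere in this commit. A random nonce in a hidden field, checked by the CGI before it acts on `init_do` (and the other `*_do` actions), would close that; the confirm phrase protects against a careless click, not against another origin. Also `maxlength="40"` on both password fields caps the disk passphrase at 40 characters for no visible reason; the encryption backend is not bound by that, so either drop the limit or raise it substantially.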

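--- a/cryptobox.conf.d/usr/share/cryptobox/templates/intro.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/intro.cs
@@ -0,0 +1 @@
+this is the cryptobox!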

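--- a/cryptobox.conf.d/usr/share/cryptobox/templates/macros.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/macros.cs
@@ -0,0 +1,33 @@
+<?cs def:warning(warnname) ?><?cs
+each:item = Lang.Warning ?><?cs
+if:(name(item) == warnname)
+?><div class="warning">
+<h1><?cs var:item.Title ?></h1>
+<p><?cs var:item.Text ?></p></div>
+<?cs
+/if ?><?cs
+/each ?><?cs
+/def ?>
+<?cs def:error(errname) ?><?cs
+each:item = Lang.Error ?><?cs
+if:(name(item) == errname)
+?><div class="error">
+<h1><?cs var:item.Title ?></h1>
+<p><?cs var:item.Text ?></p>
+<?cs
+/if ?><?cs
+/each ?><?cs
+/def ?>
+<?cs def:parseTree(root) ?>
+<!-- the output looks quite ugly and is not very helpful as there are only a few values -->
+<!-- data tree
+<?cs each:item = root ?><?cs
+name:item ?>: <?cs var:item ?><?cs
+each:subitem = item ?> / <?cs name:subitem ?>=<?cs var:subitem ?><?cs /each ?>
+<?cs /each ?>
+-->
+<?cs /def ?>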
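Review bot: The `error` macro opens `<div class="error">` but never closes it — `warning` ends with `</p></div>`, `error` only with `</p>` — so every error page rendered through main.cs has an unbalanced div and is not the well-formed XHTML that header.cs declares. Change that line to `<p><?cs var:item.Text ?></p></div>`. A one-line comment above each macro saying what it looks up (`Lang.Warning.<name>` / `Lang.Error.<name>` and the Title/Text pair it expects) would also help the next person who adds an entry to de.hdf.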

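--- a/cryptobox.conf.d/usr/share/cryptobox/templates/main.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/main.cs
@@ -0,0 +1,11 @@
+<?cs include:TemplateDir + '/macros.cs' ?>
+<?cs include:TemplateDir + '/header.cs' ?>
+<?cs if:Data.Error ?>
+<?cs include:TemplateDir + '/error.cs' ?>
+<?cs else ?>
+<?cs if:Data.Warning ?><?cs call:warning(Data.Warning) ?><?cs /if ?>
+<?cs include:TemplateDir + '/' + Data.Action + '.cs' ?>
+<?cs /if ?>
+<?cs include:TemplateDir + '/footer.cs' ?>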
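Review bot: `include:TemplateDir + '/' + Data.Action + '.cs'` composes the included file from Data.Action, and nav.cs shows actions arriving as `?action=...` query parameters; if the CGI passes that parameter through unchanged, a request with a traversal string as its action makes ClearSilver read and render a file outside TemplateDir (the appended `.cs` narrows the target but does not prevent the traversal). de.hdf defines an `Error.UnknownAction` message, which suggests the perl side does check the action against a known set — if so, a comment here stating that `Data.Action` is guaranteed to be one of the known template names would document the assumption; if not, have the perl side map the request action to a template name rather than reuse the request string.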

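--- a/cryptobox.conf.d/usr/share/cryptobox/templates/mount_form.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/mount_form.cs
@@ -0,0 +1,15 @@
+<h1>Aktivierung des verschl&uuml;sselten Dateisystems</h1>
+<div align="center">
+<table border="0">
+<form action="<?cs var:ScriptName ?>" method="post"
+enctype="application/x-www-form-urlencoded">
+<tr><td align="right">Passwort eingeben: </td><td>
+<input type="password" name="password" size="20" tabindex="0"
+maxlength="40" /></td></tr>
+<tr><td colspan="2" align="center" style="padding:3%">
+<button type="submit" name="action" value="mount_do">Dateisystem aktivieren</button>
+</td></tr>
+</form>
+</table>
+</div>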
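Review bot: The `<form>` is placed directly between `<table>` and the first `<tr>`, which is not valid XHTML and makes browsers guess where the form starts and ends; wrap the table in the form instead, as config_form.cs and init_form.cs do. The heading, label and button text are hard-coded German here while the sibling templates read them from `Lang.*` (de.hdf already defines `Lang.Title.Mount` and `Lang.Button.Mount`), so this page will not follow the language setting the config form offers. As in init_form.cs, `maxlength="40"` on the passphrase field is an arbitrary cap that should match whatever the init form finally allows.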

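--- a/cryptobox.conf.d/usr/share/cryptobox/templates/nav.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/nav.cs
@@ -0,0 +1,22 @@
+<!-- mounting possible? -->
+<?cs if:((Data.Status.Config == 1) && (Data.Status.InitRunning == 0)) ?>
+<?cs if:(Data.Status.Mounted == 1) ?>
+<a href="<?cs var:ScriptName ?>?action=umount_do" title="Deaktivierung des verschl&uuml;sselten Dateisystems">Deaktivierung</a>
+<?cs else ?>
+<a href="<?cs var:ScriptName ?>?action=mount_ask" title="Aktivierung des verschl&uuml;sselten Dateisystems">Aktivierung</a>
+<?cs /if ?>
+<?cs /if ?>
+<!-- already initialized (or at least in progress)? -->
+<?cs if:(Data.Status.Config == 1) ?>
+<a href="<?cs var:ScriptName ?>?action=config_ask" title="Einstellungen">Einstellungen</a>
+<?cs /if ?>
+<a href="<?cs var:ScriptName ?>?action=init_ask" title="Ersteinrichtung">Initialisierung</a>
+<a href="<?cs var:ScriptName ?>?action=show_log" title="Ereignis-Protokoll">Protokoll</a>
+<a href="<?cs var:ScriptName ?>?action=doc" title="Nutzer-Handbuch">Hilfe</a>
+<?cs if:Data.Status.DevelopmentMode ?>
+<a href="/cgi-bin/validate.sh" title="Validation">Test-Sequenzen</a>
+<a href="/report/" title="Validierungsergebnisse">Test-Report</a>
+<?cs /if ?>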
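Review bot: `?action=umount_do` is a plain link, so deactivating the encrypted filesystem is a state change triggered by a GET; an image tag on any page pointing at `<?cs var:ScriptName ?>?action=umount_do`, or simply a prefetching browser or proxy, unmounts it without the user's intent. Make it a small POST form with a submit button, as mount_form.cs and init_form.cs already do for their `*_do` actions, and keep GET for the `*_ask`, `show_log` and `doc` views. The menu labels are hard-coded German while de.hdf already carries `Lang.Button.Mount`/`Lang.Button.Umount` and the `Lang.Menu` block is empty; presumably the labels were meant to live there.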

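--- a/cryptobox.conf.d/usr/share/cryptobox/templates/show_log.cs
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/show_log.cs
@@ -0,0 +1,11 @@
+<div id="log">
+<h1><?cs var:Lang.Title.Log ?></h1>
+<?cs if:Data.Log ?>
+<p class="console"><?cs var:Data.Log ?></p>
+<?cs else ?>
+<p><?cs var:Lang.Text.EmptyLog ?></p>
+<?cs /if ?>
+</div>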
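Review bot: `<?cs var:Data.Log ?>` inserts the log contents into the page without escaping; cryptobox.sh appends the raw stdout/stderr of the init steps to `$LOG_FILE`, so whatever those tools print — including anything derived from user-supplied configuration or device labels — is interpreted as HTML here. If newline-to-`<br>` formatting is the reason for the raw insert, escape first and convert newlines afterwards; otherwise `<?cs var:html_escape(Data.Log) ?>` (if this ClearSilver version has it) inside a `<pre>` gives the same console look safely. Whether the perl side already escapes before filling Data.Log is not visible here, so a comment stating that contract would help either way.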

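--- a/cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/README
+++ b/cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/README
@@ -0,0 +1,17 @@
+every report summary will be constructed this way:
+- header
+- single_header
+- result-ok | result-error
+<the diff>
+- single_footer
+- single_header
+- result-ok | result-error
+<the diff>
+- single_footer
+...
+- footer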

12
cryptobox.conf.d/usr/share/cryptobox/templates/test-summary/footer

@ -0,0 +1,12 @@
</div><!-- end of 'validation' -->
</div><!-- end of 'words' -->