|
|
|
@ -19,6 +19,16 @@ CERT_TEMP=/tmp/stunnel.pem
|
|
|
|
|
|
|
|
|
|
#####
|
|
|
|
|
|
|
|
|
|
log_msg()
|
|
|
|
|
{
|
|
|
|
|
# the log file is not writable during boot - try before writing ...
|
|
|
|
|
[ -w "$LOG_FILE" ] || return 0
|
|
|
|
|
echo >>"$LOG_FILE"
|
|
|
|
|
echo "################ `date` ####################" >>"$LOG_FILE"
|
|
|
|
|
echo "$1" >>"$LOG_FILE"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function error_msg()
|
|
|
|
|
# parameters: ExitCode ErrorMessage
|
|
|
|
|
{
|
|
|
|
@ -33,17 +43,17 @@ function initial_checks()
|
|
|
|
|
# Parameter: device
|
|
|
|
|
{
|
|
|
|
|
local device="$1"
|
|
|
|
|
[ ! -b "$device" ] && echo "blockdevice $device does not exist" && return 1
|
|
|
|
|
[ ! -b "$device" ] && log_msg "blockdevice $device does not exist" && return 1
|
|
|
|
|
## check if we have an existing configpartition
|
|
|
|
|
## TODO: why this config_mount_test?
|
|
|
|
|
# config_mount_test "$device"
|
|
|
|
|
[ ! -x "$WIPE" ] && echo "$WIPE not found" && return 1
|
|
|
|
|
[ ! -x "$SFDISK" ] && echo "$SFDISK not found" && return 1
|
|
|
|
|
[ ! -x "$WIPE" ] && log_msg "$WIPE not found" && return 1
|
|
|
|
|
[ ! -x "$SFDISK" ] && log_msg "$SFDISK not found" && return 1
|
|
|
|
|
for a in $ALGO $HASH
|
|
|
|
|
do grep -q "^name *: $a$" /proc/crypto || modprobe "$a"
|
|
|
|
|
grep -q "^name *: $a$" /proc/crypto || { echo "$a is not supported by kernel" && return 1; }
|
|
|
|
|
grep -q "^name *: $a$" /proc/crypto || { log_msg "$a is not supported by kernel" && return 1; }
|
|
|
|
|
done
|
|
|
|
|
mount | grep -q "^$device[ 1-9] " && echo "$device is mounted" && return 1
|
|
|
|
|
log_msg "inital checks successful"
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -86,24 +96,29 @@ function create_config()
|
|
|
|
|
# Parameter: device
|
|
|
|
|
{
|
|
|
|
|
local device="${1}1"
|
|
|
|
|
log_msg "Creating config filesystem ..."
|
|
|
|
|
$MKFS_CONFIG "$device"
|
|
|
|
|
# mount the config partition rw
|
|
|
|
|
log_msg "Mounting config partition ..."
|
|
|
|
|
mount "$device" "$CONFIG_DIR"
|
|
|
|
|
# create a marker to recognize a cryptobox partition
|
|
|
|
|
date -I >"$CONFIG_MARKER"
|
|
|
|
|
## write (network) interfaces
|
|
|
|
|
log_msg "Copying configuration defaults ..."
|
|
|
|
|
cp -a "$CONFIG_DEFAULTS_DIR/." "$CONFIG_DIR"
|
|
|
|
|
|
|
|
|
|
# copy stunnel cert
|
|
|
|
|
log_msg "Copying temporary cerificate file to config filesystem ..."
|
|
|
|
|
cp -p "$CERT_TEMP" "$CERT_FILE"
|
|
|
|
|
|
|
|
|
|
log_msg "Setting inital values ..."
|
|
|
|
|
# beware: config_set_value remounts the config partition read-only
|
|
|
|
|
config_set_value "device" "$1"
|
|
|
|
|
|
|
|
|
|
config_set_value "ip" "$(get_current_ip)"
|
|
|
|
|
|
|
|
|
|
# reinitialise configuration
|
|
|
|
|
log_msg "Unmounting config partition ..."
|
|
|
|
|
umount "$CONFIG_DIR"
|
|
|
|
|
log_msg "Reload configuration ..."
|
|
|
|
|
mount_config
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -164,6 +179,8 @@ function is_crypto_mounted()
|
|
|
|
|
function is_init_running()
|
|
|
|
|
{
|
|
|
|
|
ps -e | grep -q -E "$MKFS_DATA|$WIPE"
|
|
|
|
|
# this line is good for the "at" stuff - see cryptobox.pl
|
|
|
|
|
[ -n "`at -l`" ]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -177,7 +194,7 @@ function find_harddisk()
|
|
|
|
|
do grep -q " `basename $a`$" /proc/partitions && echo "$a" && break
|
|
|
|
|
done
|
|
|
|
|
fi )
|
|
|
|
|
[ -z "$dev" ] && echo "no valid partition for initialisation found!" >>"$ERROR_LOG"
|
|
|
|
|
[ -z "$dev" ] && echo "no valid partition for initialisation found!" >>"$LOG_FILE"
|
|
|
|
|
echo -n "$dev"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -187,14 +204,14 @@ function mount_config()
|
|
|
|
|
is_config_mounted && error_msg 3 "configuration directory ($CONFIG_DIR) is already mounted!"
|
|
|
|
|
local device=$(
|
|
|
|
|
for a in $SCAN_DEVICES
|
|
|
|
|
do echo "Trying to load configuration from $a ..." >&2
|
|
|
|
|
do log_msg "Trying to load configuration from $a ..."
|
|
|
|
|
config_mount_test "$a" && echo "$a" && break
|
|
|
|
|
done )
|
|
|
|
|
if [ -n "$device" ] && mount "${device}1" "$CONFIG_DIR"
|
|
|
|
|
then echo "configuraton found on $device" >&2
|
|
|
|
|
then log_msg "configuraton found on $device"
|
|
|
|
|
config_set_value "device" "$device"
|
|
|
|
|
return 0
|
|
|
|
|
else echo "failed to locate harddisk" >&2
|
|
|
|
|
else log_msg "failed to locate harddisk"
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
@ -206,10 +223,13 @@ function mount_crypto()
|
|
|
|
|
local device=`find_harddisk`
|
|
|
|
|
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
|
|
|
|
|
# passphrase is read from stdin
|
|
|
|
|
log_msg "Mounting crypto partition ..."
|
|
|
|
|
$CRYPTSETUP -h "$HASH" -c "$ALGO" create "`basename $CRYPTMAPPER_DEV`" "${device}2"
|
|
|
|
|
if mount "$CRYPTMAPPER_DEV" "$CRYPTO_DIR"
|
|
|
|
|
then /etc/init.d/samba start
|
|
|
|
|
else dmsetup remove $(basename $CRYPTMAPPER_DEV)
|
|
|
|
|
then log_msg "Mount succeded - now starting samba ..."
|
|
|
|
|
/etc/init.d/samba start
|
|
|
|
|
else log_msg "Mount failed - removing dev-mapper ..."
|
|
|
|
|
dmsetup remove $(basename $CRYPTMAPPER_DEV)
|
|
|
|
|
return 1
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
@ -219,13 +239,22 @@ function umount_crypto()
|
|
|
|
|
{
|
|
|
|
|
# do not break on error
|
|
|
|
|
set +e
|
|
|
|
|
/etc/init.d/samba stop
|
|
|
|
|
ps -e | grep -q " smbd$" && killall smbd
|
|
|
|
|
ps -e | grep -q " nmbd$" && killall nmbd
|
|
|
|
|
ps -e | grep -q " smbd$" && killall -9 smbd
|
|
|
|
|
ps -e | grep -q " nmbd$" && killall -9 nmbd
|
|
|
|
|
umount "$CRYPTO_DIR"
|
|
|
|
|
$CRYPTSETUP remove $(basename $CRYPTMAPPER_DEV)
|
|
|
|
|
if ps -e | grep -q " [sn]mbd$"
|
|
|
|
|
then log_msg "Stopping samba ..."
|
|
|
|
|
/etc/init.d/samba stop
|
|
|
|
|
ps -e | grep -q " smbd$" && killall smbd
|
|
|
|
|
ps -e | grep -q " nmbd$" && killall nmbd
|
|
|
|
|
ps -e | grep -q " smbd$" && killall -9 smbd
|
|
|
|
|
ps -e | grep -q " nmbd$" && killall -9 nmbd
|
|
|
|
|
fi
|
|
|
|
|
if mount | grep -q " $CRYPTO_DIR "
|
|
|
|
|
then log_msg "Unmounting crypto partition ..."
|
|
|
|
|
umount "$CRYPTO_DIR"
|
|
|
|
|
fi
|
|
|
|
|
if [ -e "$CRYPTMAPPER_DEV" ]
|
|
|
|
|
then log_msg "Removing dev-mapper ..."
|
|
|
|
|
$CRYPTSETUP remove $(basename $CRYPTMAPPER_DEV)
|
|
|
|
|
fi
|
|
|
|
|
set -e
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -233,13 +262,19 @@ function umount_crypto()
|
|
|
|
|
function init_cryptobox_part1()
|
|
|
|
|
# this is only the first part of initialisation that takes no time - good for a smooth web interface
|
|
|
|
|
{
|
|
|
|
|
umount_crypto || true
|
|
|
|
|
umount "$CONFIG_DIR" || true
|
|
|
|
|
local device=`find_harddisk`
|
|
|
|
|
[ -z "$device" ] && error_msg 4 'no valid harddisk found!'
|
|
|
|
|
initial_checks "$device" || error_msg 5 "Failure during initialisation - bye, bye"
|
|
|
|
|
create_partitions "$device"
|
|
|
|
|
create_config "$device"
|
|
|
|
|
[ -z "$device" ] && log_msg 'no valid harddisk found!' && return 1
|
|
|
|
|
(
|
|
|
|
|
log_msg "Initializing crypto partition on $device ..."
|
|
|
|
|
umount_crypto || true
|
|
|
|
|
mount | grep -q " $CONFIG_DIR " && umount "$CONFIG_DIR" || true
|
|
|
|
|
initial_checks "$device" || return 1
|
|
|
|
|
create_partitions "$device"
|
|
|
|
|
create_config "$device"
|
|
|
|
|
) >>"$LOG_FILE" 2>&1
|
|
|
|
|
# the output of create_crypto may NOT be redirected - this would prevent cryptsetup from
|
|
|
|
|
# reading the passphrase from stdin
|
|
|
|
|
log_msg "Creating the crypto partition ..."
|
|
|
|
|
create_crypto "$device"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -282,13 +317,15 @@ case "$ACTION" in
|
|
|
|
|
fi
|
|
|
|
|
;;
|
|
|
|
|
config-down )
|
|
|
|
|
umount "$CONFIG_DIR"
|
|
|
|
|
mount | grep -q " $CONFIG_DIR" && umount "$CONFIG_DIR"
|
|
|
|
|
;;
|
|
|
|
|
network-up )
|
|
|
|
|
kudzu -s -q --class network
|
|
|
|
|
conf_ip=$(config_get_value "ip")
|
|
|
|
|
ifconfig $NET_IFACE "$conf_ip"
|
|
|
|
|
log_msg "Configured $NET_IFACE for $conf_ip ..."
|
|
|
|
|
echo "Configured network interface for $NET_IFACE: $conf_ip"
|
|
|
|
|
log_msg "Starting the firewall ..."
|
|
|
|
|
$FIREWALL_SCRIPT start
|
|
|
|
|
# start stunnel
|
|
|
|
|
if [ -f "$CERT_FILE" ]
|
|
|
|
@ -296,6 +333,7 @@ case "$ACTION" in
|
|
|
|
|
else USE_CERT=$CERT_TEMP
|
|
|
|
|
$MAKE_CERT_SCRIPT "$CERT_TEMP" >>"$LOG_FILE" 2>&1
|
|
|
|
|
fi
|
|
|
|
|
log_msg "Starting stunnel ..."
|
|
|
|
|
stunnel -p "$USE_CERT" -r localhost:80 -d 443 \
|
|
|
|
|
|| echo "$USE_CERT not found - not starting stunnel"
|
|
|
|
|
# this ping allows other hosts to get the IP of
|
|
|
|
@ -303,8 +341,11 @@ case "$ACTION" in
|
|
|
|
|
ping -b -c 1 $(ifconfig $NET_IFACE | grep Bcast | cut -d ":" -f 3 | cut -d " " -f 1) &>/dev/null
|
|
|
|
|
;;
|
|
|
|
|
network-down )
|
|
|
|
|
log_msg "Stopping the firewall ..."
|
|
|
|
|
$FIREWALL_SCRIPT stop
|
|
|
|
|
log_msg "Stopping stunnel ..."
|
|
|
|
|
killall stunnel
|
|
|
|
|
log_msg "Shutting the network interface down ..."
|
|
|
|
|
ifconfig $NET_IFACE down
|
|
|
|
|
;;
|
|
|
|
|
services-up )
|
|
|
|
@ -323,14 +364,12 @@ case "$ACTION" in
|
|
|
|
|
# this is nice for the web interface, as it is fast
|
|
|
|
|
# output redirection does not work, as it prevents cryptsetup from asking
|
|
|
|
|
# for a password
|
|
|
|
|
init_cryptobox_part1 >>"$LOG_FILE" 2>&1
|
|
|
|
|
init_cryptobox_part1
|
|
|
|
|
;;
|
|
|
|
|
box-init-bg )
|
|
|
|
|
# do it in the background to provide a smoother web interface
|
|
|
|
|
# messages and errors get written to $LOG_FILE
|
|
|
|
|
# the 'exec' output redirection does not work, if called by a cgi, so
|
|
|
|
|
# redirect it as usual
|
|
|
|
|
init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1 &
|
|
|
|
|
init_cryptobox_part2 </dev/null >>"$LOG_FILE" 2>&1
|
|
|
|
|
;;
|
|
|
|
|
is_crypto_mounted )
|
|
|
|
|
is_crypto_mounted
|
|
|
|
|