/mandos/release

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/release
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
1
#!/bin/sh -e
2
# 
3
# This script will run in the initrd environment at boot and edit
4
# /conf/conf.d/cryptroot to set /lib/mandos/plugin-runner as keyscript
5
# when no other keyscript is set, before cryptsetup.
6
# 
7
8
# This script should be installed as
237.2.65 by Teddy Hogeborn
* Makefile (install-client-nokey): Move "initramfs-tools-script" from
9
# "/usr/share/initramfs-tools/scripts/init-premount/mandos" which will
10
# eventually be "/scripts/init-premount/mandos" in the initrd.img
11
# file.
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
12
237.2.65 by Teddy Hogeborn
* Makefile (install-client-nokey): Move "initramfs-tools-script" from
13
PREREQ="udev"
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
14
prereqs()
15
{
237.2.55 by Teddy Hogeborn
* Makefile (run-server): Use "--no-dbus" unconditionally.
16
    echo "$PREREQ"
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
17
}
18
19
case $1 in
20
prereqs)
237.2.55 by Teddy Hogeborn
* Makefile (run-server): Use "--no-dbus" unconditionally.
21
	prereqs
22
	exit 0
23
	;;
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
24
esac
25
237.2.67 by Teddy Hogeborn
Four new interrelated features:
26
. /scripts/functions
27
237.2.32 by Teddy Hogeborn
* debian/watch: New file.
28
for param in `cat /proc/cmdline`; do
29
    case "$param" in
237.2.67 by Teddy Hogeborn
Four new interrelated features:
30
        ip=*) IPOPTS="${param#ip=}" ;;
31
        mandos=*)
32
            # Split option line on commas
33
            old_ifs="$IFS"
34
            IFS="$IFS,"
35
            for mpar in ${param#mandos=}; do
36
                IFS="$old_ifs"
37
                case "$mpar" in
38
                    off) exit 0 ;;
39
		    connect) connect="" ;;
40
                    connect:*) connect="${mpar#connect:}" ;;
41
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
42
                esac
43
            done
44
	    unset mpar
45
            IFS="$old_ifs"
46
            unset old_ifs
47
            ;;
237.2.32 by Teddy Hogeborn
* debian/watch: New file.
48
    esac
49
done
237.2.67 by Teddy Hogeborn
Four new interrelated features:
50
unset param
237.2.32 by Teddy Hogeborn
* debian/watch: New file.
51
178 by Teddy Hogeborn
* initramfs-tools-script: Fix permissions of "/tmp" in initrd.
52
chmod a=rwxt /tmp
53
237.2.55 by Teddy Hogeborn
* Makefile (run-server): Use "--no-dbus" unconditionally.
54
test -r /conf/conf.d/cryptroot
55
test -w /conf/conf.d
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
56
237.2.67 by Teddy Hogeborn
Four new interrelated features:
57
# Get DEVICE from /conf/initramfs.conf and other files
58
. /conf/initramfs.conf
59
for conf in /conf/conf.d/*; do
60
    [ -f ${conf} ] && . ${conf}
61
done
62
if [ -e /conf/param.conf ]; then
63
    . /conf/param.conf
64
fi
65
66
# Override DEVICE from sixth field of ip= kernel option, if passed
67
case "$IPOPTS" in
68
    *:*:*:*:*:*)		# At least six fields
69
        # Remove the first five fields
70
	device="${IPOPTS#*:*:*:*:*:}"
71
        # Remove all fields except the first one
72
	DEVICE="${device%%:*}"
73
	;;
74
esac
75
76
# Add device setting (if any) to plugin-runner.conf
77
if [ "${DEVICE+set}" = set ]; then
78
    # Did we get the device from an ip= option?
79
    if [ "${device+set}" = set ]; then
80
	# Let ip= option override local config; append:
81
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
82
	
83
	--options-for=mandos-client:--interface=${DEVICE}
84
EOF
85
    else
86
        # Prepend device setting so any later options would override:
87
	sed -i -e \
88
	    '1i--options-for=mandos-client:--interface='"${DEVICE}" \
89
	    /conf/conf.d/mandos/plugin-runner.conf
90
    fi
91
fi
92
unset device
93
94
# If we are connecting directly, run "configure_networking" (from
95
# /scripts/functions); it needs IPOPTS and DEVICE
96
if [ "${connect+set}" = set ]; then
97
    configure_networking
98
    if [ -n "$connect" ]; then
99
	cat <<-EOF >>/conf/conf.d/mandos/plugin-runner.conf
100
	
101
	--options-for=mandos-client:--connect=${connect}
102
EOF
103
    fi
104
fi
105
74 by Teddy Hogeborn
* Makefile (PREFIX, CONFDIR): New.
106
# Do not replace cryptroot file unless we need to.
107
replace_cryptroot=no
108
109
# Our keyscript
110
mandos=/lib/mandos/plugin-runner
111
112
# parse /conf/conf.d/cryptroot.  Format:
113
# target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
114
exec 3>/conf/conf.d/cryptroot.mandos
115
while read options; do
116
    newopts=""
117
    # Split option line on commas
118
    old_ifs="$IFS"
119
    IFS="$IFS,"
120
    for opt in $options; do
121
	# Find the keyscript option, if any
122
	case "$opt" in
123
	    keyscript=*)
124
		keyscript="${opt#keyscript=}"
125
		newopts="$newopts,$opt"
126
		;;
127
	    "") : ;;
128
	    *)
129
		newopts="$newopts,$opt"
130
		;;
131
	esac
132
    done
133
    IFS="$old_ifs"
134
    unset old_ifs
135
    # If there was no keyscript option, add one.
136
    if [ -z "$keyscript" ]; then
137
	replace_cryptroot=yes
138
	newopts="$newopts,keyscript=$mandos"
139
    fi
140
    newopts="${newopts#,}"
141
    echo "$newopts" >&3
142
done < /conf/conf.d/cryptroot
143
exec 3>&-
144
145
# If we need to, replace the old cryptroot file with the new file.
146
if [ "$replace_cryptroot" = yes ]; then
147
    mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
148
    mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
149
else
150
    rm /conf/conf.d/cryptroot.mandos
151
fi
237.7.32 by Teddy Hogeborn
* Makefile (plugins.d/mandos-client): Bug fix: Put $^ before all
152
153
## Work around Debian bug #633582: <http://bugs.debian.org/633582>
154
# First determine the mandos user and group ID
155
mandos_user="65534"
156
mandos_group="65534"
157
while read line; do
158
    line="${line%%#*}"
159
    TEMP=`getopt --quiet --longoptions userid:,groupid: -- $line`
160
    eval set -- "$TEMP"
161
    while true; do
162
	case "$1" in
163
	    --userid) mandos_user="$2"; shift 2;;
164
	    --groupid) mandos_group="$2"; shift 2;;
165
	    --) shift; break;;
166
	esac
167
    done
168
done < /conf/conf.d/mandos/plugin-runner.conf
169
chown "${mandos_user}:${mandos_group}" \
170
    /lib/mandos/plugins.d \
171
    /conf/conf.d/mandos/pubkey.txt \
172
    /conf/conf.d/mandos/seckey.txt