#!/bin/sh -e
#
# Mandos initramfs-tools boot script.  It runs inside the initrd, before
# cryptsetup, and rewrites /conf/conf.d/cryptroot so that every entry
# that has no keyscript of its own uses /lib/mandos/plugin-runner as its
# keyscript.
#
# Install it as
# "/usr/share/initramfs-tools/scripts/init-premount/mandos"; inside the
# initrd.img it ends up as "/scripts/init-premount/mandos".
#
# The "-e" on the shebang line makes any unchecked failing command abort
# the script.  It is lost if the script is started as an argument to sh
# instead of being executed directly.

# initramfs-tools ordering: this script runs only after the "udev" script.
PREREQ=udev
# Print the prerequisite list (PREREQ) on stdout.  initramfs-tools asks
# for it by invoking this script with "prereqs" as its first argument,
# which is handled right below.
prereqs() {
    echo "${PREREQ}"
}
# When called with "prereqs" as the first argument, only report the
# dependencies and stop; nothing below must run in that mode.
if [ "$1" = prereqs ]; then
    prereqs
    exit 0
fi
# Pull in the initramfs-tools shell helpers; log_warning_msg and
# configure_networking, both used further down, come from here.
. /scripts/functions
# Parse the kernel command line.  Two options matter here:
#   ip=...       kept verbatim in IPOPTS; its interface field is used
#                further down
#   mandos=...   comma-separated list of mandos options:
#                  off          - stop here and leave cryptroot untouched
#                  connect      - configure networking in the initrd
#                  connect:ADDR - as above, and pass ADDR on to
#                                 mandos-client as --connect
# Word splitting of the command line is intentional (unquoted).
# NOTE(review): the unquoted expansion is also subject to pathname
# globbing; a bootloader-supplied word containing "*" or "?" that
# happens to match a file name would be rewritten.
for param in $(cat /proc/cmdline); do
    case "$param" in
        mandos=*)
            # Split the option list on commas.  The loop list is expanded
            # once with the extended IFS, so IFS can be restored on the
            # first iteration without affecting the split.
            old_ifs="$IFS"
            IFS="$IFS,"
            for mpar in ${param#mandos=}; do
                IFS="$old_ifs"
                case "$mpar" in
                    off) exit 0 ;;
                    connect:*) connect="${mpar#connect:}" ;;
                    connect) connect="" ;;
                    *) log_warning_msg "$0: Bad option ${mpar}" ;;
                esac
            done
            IFS="$old_ifs"
            unset mpar old_ifs
            ;;
        ip=*)
            IPOPTS="${param#ip=}"
            ;;
    esac
done
unset param
# The initrd's /tmp must be world-writable with the sticky bit set
# (rwx for everyone, files removable only by their owner).
# NOTE(review): presumably for the unprivileged mandos user that the
# chown at the end of this script hands the plugins to - confirm.
chmod a=rwxt /tmp

# Preconditions; with "sh -e" a failing test aborts the script here
# rather than later, half way through rewriting cryptroot.
[ -r /conf/conf.d/cryptroot ]
[ -w /conf/conf.d ]
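# Get DEVICE from /conf/initramfs.conf and other files.  Every regular
# file under /conf/conf.d is executed as shell code, so only trusted
# initrd content may live there.  /conf/param.conf is read last, so a
# DEVICE set there wins over the others.
. /conf/initramfs.conf
for conf in /conf/conf.d/*; do
    # Quoted: a file name containing whitespace or glob characters must
    # not be split or re-expanded between the test and the source.
    [ -f "$conf" ] && . "$conf"
done
if [ -e /conf/param.conf ]; then
    . /conf/param.conf
fi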
# Override DEVICE from the sixth colon-separated field of the ip= kernel
# option, if one with at least six fields was passed.
case "$IPOPTS" in
    *:*:*:*:*:*)
        # Drop the first five fields, then keep only the first of what
        # remains.  "device" is left set on purpose: further down it
        # marks that DEVICE came from ip= rather than from a config file.
        device="${IPOPTS#*:*:*:*:*:}"
        DEVICE="${device%%:*}"
        ;;
esac
# Add the device setting (if any) to plugin-runner.conf.
if [ -n "${DEVICE+set}" ] && [ -n "${device+set}" ]; then
    # DEVICE came from an ip= option, which takes precedence over the
    # local config: append it, since later options override earlier ones.
    # The leading empty line presumably guards against a config file
    # lacking a final newline.
    printf '\n%s\n' "--options-for=mandos-client:--interface=${DEVICE}" \
        >>/conf/conf.d/mandos/plugin-runner.conf
elif [ -n "${DEVICE+set}" ]; then
    # DEVICE came from the config files: put it first, so any later
    # option in plugin-runner.conf can still override it.
    # NOTE(review): sed "1i" inserts before line 1 and so adds nothing to
    # an empty file, and DEVICE is spliced unescaped into the sed script.
    sed -i -e \
        '1i--options-for=mandos-client:--interface='"${DEVICE}" \
        /conf/conf.d/mandos/plugin-runner.conf
fi
unset device
# Connecting directly: bring the network up here with
# configure_networking (from /scripts/functions), which reads IPOPTS and
# DEVICE, and hand a non-empty connect address on to mandos-client.
if [ -n "${connect+set}" ]; then
    configure_networking
    if [ -n "$connect" ]; then
        printf '\n%s\n' "--options-for=mandos-client:--connect=${connect}" \
            >>/conf/conf.d/mandos/plugin-runner.conf
    fi
fi
# Only replace the cryptroot file if an entry actually had to be changed;
# the parse loop below flips this to "yes" when that happens.
replace_cryptroot=no

# The keyscript to add to entries that have none.
mandos=/lib/mandos/plugin-runner
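# Parse /conf/conf.d/cryptroot, one entry per line, in the format
#   target=sda2_crypt,source=/dev/sda2,key=none,keyscript=/foo/bar/baz
# and write a copy to cryptroot.mandos in which every entry lacking a
# keyscript option gets "keyscript=$mandos" appended.  replace_cryptroot
# is set to "yes" as soon as one entry is changed.
exec 3>/conf/conf.d/cryptroot.mandos
# "-r" keeps backslashes literal; the "|| [ -n ... ]" clause still
# processes a final line that has no trailing newline instead of silently
# dropping that entry from the rewritten file.
while read -r options || [ -n "$options" ]; do
    # An empty line is copied through as is: appending a keyscript to it
    # would fabricate an entry with neither target nor source.
    if [ -z "$options" ]; then
        printf '\n' >&3
        continue
    fi
    newopts=""
    # Reset per line: a keyscript found on one entry must not suppress
    # the default for the entries that follow it.
    keyscript=""
    # Split the entry on commas (word splitting of $options is intended).
    old_ifs="$IFS"
    IFS="$IFS,"
    for opt in $options; do
        case "$opt" in
            keyscript=*)
                keyscript="${opt#keyscript=}"
                newopts="$newopts,$opt"
                ;;
            "") : ;;   # empty field from ",,": drop it
            *)
                newopts="$newopts,$opt"
                ;;
        esac
    done
    IFS="$old_ifs"
    unset old_ifs
    # No keyscript option on this entry: add ours and remember that the
    # file now differs from the original.
    if [ -z "$keyscript" ]; then
        replace_cryptroot=yes
        newopts="$newopts,keyscript=$mandos"
    fi
    newopts="${newopts#,}"
    # printf rather than echo: dash's echo interprets backslash sequences.
    printf '%s\n' "$newopts" >&3
done < /conf/conf.d/cryptroot
exec 3>&-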
# Swap in the rewritten cryptroot only when an entry changed; otherwise
# just drop the scratch copy.  The original is kept as
# cryptroot.mandos-old.
case "$replace_cryptroot" in
    yes)
        mv /conf/conf.d/cryptroot /conf/conf.d/cryptroot.mandos-old
        mv /conf/conf.d/cryptroot.mandos /conf/conf.d/cryptroot
        ;;
    *)
        rm /conf/conf.d/cryptroot.mandos
        ;;
esac
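## Work around Debian bug #633582: <http://bugs.debian.org/633582>
# First determine the mandos user and group ID from any --userid /
# --groupid options in plugin-runner.conf; default to 65534
# (conventionally nobody/nogroup).
mandos_user="65534"
mandos_group="65534"
while read -r line || [ -n "$line" ]; do
    # Strip comments.  $line is deliberately left unquoted below so that
    # getopt sees one argument per word.
    # NOTE(review): that unquoted expansion is also globbed; a config
    # word containing "*" or "?" that matches a file name would be
    # rewritten before getopt sees it.
    line="${line%%#*}"
    # An explicit (empty) short-option string is required: without
    # --options, getopt(1) takes the first word after "--" as that string
    # instead of as an option to parse.  Options getopt does not know
    # (for instance the --options-for lines this script appends above)
    # make it exit non-zero while still printing the recognised ones, so
    # the exit status is ignored here rather than letting "sh -e" abort
    # the boot.
    TEMP=$(getopt --quiet --options "" --longoptions userid:,groupid: -- $line) || :
    # getopt shell-quotes its output; that quoting is what makes this
    # eval of config-file content safe.
    eval set -- "$TEMP"
    while true; do
        case "$1" in
            --userid) mandos_user="$2"; shift 2;;
            --groupid) mandos_group="$2"; shift 2;;
            --) shift; break;;
            # Anything else (e.g. getopt missing, TEMP empty) would loop
            # forever without this arm.
            *) break;;
        esac
    done
done < /conf/conf.d/mandos/plugin-runner.conf
# Hand the plugin directory and the key files to that user and group.
chown "${mandos_user}:${mandos_group}" \
    /lib/mandos/plugins.d \
    /conf/conf.d/mandos/pubkey.txt \
    /conf/conf.d/mandos/seckey.txt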