/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to initramfs-tools-hook

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
initramfs-tools-hook

initramfs-tools-hook-conf

mandos-client.xml

mandos-clients.conf.xml

mandos-keygen

mandos.conf

mandos.conf.xml

mandos.xml

network-protocol.txt

plugins.d/password-prompt.xml

plugins.d/password-request.xml

files renamed:
clients.conf => mandos-clients.conf

mandos-client.c => plugbasedclient.c

plugins.d/password-request.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

initramfs-tools-hook

#!/bin/sh

# This is an example hook script. It will be run by 'mkinitramfs'

# when it creates the image. It's job is to decide which files to

# install, then install them into the staging area, where the

# initramfs is being created. This happens when a new 'linux-image'

# package is installed, or when the administrator runs 'mkinitramfs'

# by hand to update an initramfs image.

# TODO: What about the case where you install something that should be

# added to the initramfs, but the linux-image it relates to has

# already been installed previously? Does this happen often

# enough that it needs to be handled? How can it be handled?

# * Think about the 'usplash'. The initramfs will need to be

# updated if a theme change or update is desired. Maybe it

# should not be totally automatic, but offered on upgrade

# predicated on a user response to a debconf question? That

# issue needs to be explored and a solution specified.

# * Do not assume that any needed subdirectories have been created

# yet, but don't bail out if they are already there.

# * All of the standard system tools are available, of course, since

# this hook is running in the real system, not the initramfs.

# * TODO: ... ? Anything else to tell them in this bullet-list?

# The environment contains at least:

# CONFDIR -- usually /etc/mkinitramfs, can be set on mkinitramfs

# command line.

# DESTDIR -- The staging directory where we are building the image.

# TODO: Decide what environment variables are meaningful and defined

# in this context, then document them as part of the interface.

# TODO: May need a version_compare function for comparison of VERSION?

# List the soft prerequisites here. This is a space separated list of

# names, of scripts that are in the same directory as this one, that

# must be run before this one can be.

PREREQ="cryptroot"

prereqs()

{

echo "$PREREQ"

}

case $1 in

# get pre-requisites

prereqs)

prereqs

exit 0

;;

esac

# You can do anything you need to from here on.

# Source the optional 'hook-functions' scriptlet, if you need the

# functions defined within it. Read it to see what is available to

# you. It contains functions for copying dynamically linked program

# binaries, and kernel modules into the DESTDIR.

. /usr/share/initramfs-tools/hook-functions

auto_add_modules net

# force_load tg3

force_load ipv6

CONFDIR="/conf/conf.d/mandos"

DESTCONFDIR="${DESTDIR}${CONFDIR}"

mkdir --parents "${DESTCONFDIR}"

PLUGINDIR="${CONFDIR}/plugins.d"

mkdir --parents "${DESTDIR}${PLUGINDIR}"

# We don't need to copy_exec mandos-client, hooks/cryptroot will do

# that. That will not copy the plugins, however, so we do that here.

# The standard plugins

for file in /usr/lib/mandos/plugins.d/*; do

base="`basename \"$file\"`"

# Is this plugin overridden?

if [ -e "/etc/mandos/plugins.d/$base" ]; then

continue

case "$base" in

*~|.*|\#*\#|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;

*) copy_exec "$file" "${PLUGINDIR}";;

esac

100

done

101

102

# Any user-supplied plugins

103

for file in /etc/mandos/plugins.d/*; do

104

base="`basename \"$file\"`"

105

case "$base" in

106

*~|.*|*.dpkg-old|*.dpkg-new|*.dpkg-divert) : ;;

107

*) copy_exec "$file" "${PLUGINDIR}";;

108

esac

109

done

110

111

# GPGME needs /usr/bin/gpg

112

if [ -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* 2>/dev/null`" ]; then

113

copy_exec /usr/bin/gpg

114

115

116

# Key files

117

for file in /etc/mandos/*; do

118

if [ -d "$file" ]; then

119

continue

120

121

cp --archive --sparse=always "$file" "${DESTCONFDIR}"

122

done

123

# Create key ring files

124

gpg --no-random-seed-file --quiet --batch --no-tty \

125

--no-default-keyring --no-options --homedir "${DESTCONFDIR}" \

126

--no-permission-warning --import-options import-minimal \

127

--import "${DESTCONFDIR}/seckey.txt"

128

chown nobody "${DESTCONFDIR}/secring.gpg"

129

130

# /keyscripts/mandos-client will drop priviliges, but needs access to

131

# its plugin directory. However, since almost all files in initrd

132

# have been created with umask 027, this opening of permissions is needed.

133

134

# (The umask is not really intended to affect the files inside the

135

# initrd, but the initrd.img file itself, since it now contains secret

136

# key files. There is, however, no other way to set the permission of

137

# the initrd.img file without a race condition. This umask is set by

138

# "/usr/share/initramfs-tools/conf-hooks.d/mandos".)

139

140

full="${PLUGINDIR}"

141

while [ "$full" != "/" ]; do

142

chmod a+rX "${DESTDIR}$full"

143

full="`dirname \"$full\"`"

144

done

145

for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do

146

chmod a+rX "${DESTDIR}$dir"

147

done

148

for dir in /lib /usr/lib; do

149

chmod --recursive a+rX "${DESTDIR}$dir"

150

done

Older »