/mandos/trunk : revision 13

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk

« back to all changes in this revision

Viewing changes to initramfs-tools-hook

Committer: Björn Påhlsson
Date: 2008-07-20 02:52:20 UTC
Revision ID: belorn@braxen-20080720025220-r5u0388uy9iu23h6

Added following support:
Pluginbased client handler
rewritten Mandos client
Avahi instead of udp server discovery
openpgp encrypted key support
Passprompt stand alone application for direct console input
Added logging for Mandos server

files added:
ca.pem

cert.pem

client-cert.pem

client-key.pem

crl.pem

key.pem

plugins.d/Makefile

files removed:
.bzr-builddeb

.bzr-builddeb/default.conf

.bzrignore

COPYING

DBUS-API

INSTALL

NEWS

README

common.ent

dbus-mandos.conf

debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/mandos-client.README.Debian

debian/mandos-client.dirs

debian/mandos-client.docs

debian/mandos-client.links

debian/mandos-client.lintian-overrides

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.README.Debian

debian/mandos.dirs

debian/mandos.docs

debian/mandos.lintian-overrides

debian/mandos.postinst

debian/mandos.prerm

debian/po

debian/rules

debian/source

debian/source/format

debian/source/local-options

debian/watch

default-mandos

init.d-mandos

initramfs-tools-hook

initramfs-tools-hook-conf

initramfs-tools-script

intro.xml

legalnotice.xml

mandos-clients.conf.xml

mandos-ctl

mandos-ctl.xml

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.xml

network-hooks.d

network-hooks.d/bridge

network-hooks.d/bridge.conf

overview.xml

plugin-runner.conf

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/askpass-fifo.xml

plugins.d/mandos-client.xml

plugins.d/password-prompt.xml

plugins.d/plymouth.c

plugins.d/plymouth.xml

plugins.d/splashy.c

plugins.d/splashy.xml

plugins.d/usplash.c

plugins.d/usplash.xml

files renamed:
clients.conf => mandos-clients.conf

plugin-runner.c => plugbasedclient.c

plugins.d/mandos-client.c => plugins.d/mandosclient.c

plugins.d/password-prompt.c => plugins.d/passprompt.c

mandos => server.py

files modified:
Makefile

TODO

Show diffs side-by-side

added added

removed removed

initramfs-tools-hook

#!/bin/sh

# This script will be run by 'mkinitramfs' when it creates the image.

# Its job is to decide which files to install, then install them into

# the staging area, where the initramfs is being created. This

# happens when a new 'linux-image' package is installed, or when the

# administrator runs 'update-initramfs' by hand to update an initramfs

# image.

# The environment contains at least:

# DESTDIR -- The staging directory where the image is being built.

# No initramfs pre-requirements

PREREQ="cryptroot"

prereqs()

{

echo "$PREREQ"

}

case $1 in

# get pre-requisites

prereqs)

prereqs

exit 0

;;

esac

. /usr/share/initramfs-tools/hook-functions

for d in /usr /usr/local; do

if [ -d "$d"/lib/mandos ]; then

prefix="$d"

break

done

if [ -z "$prefix" ]; then

# Mandos not found

exit 1

for d in /etc/keys/mandos /etc/mandos/keys; do

if [ -d "$d" ]; then

keydir="$d"

break

done

if [ -z "$keydir" ]; then

# Mandos key directory not found

exit 1

set `{ getent passwd _mandos \

|| getent passwd nobody \

|| echo ::65534:65534:::; } \

| cut --delimiter=: --fields=3,4 --only-delimited \

--output-delimiter=" "`

mandos_user="$1"

mandos_group="$2"

# The Mandos network client uses the network

auto_add_modules net

# The Mandos network client uses IPv6

force_load ipv6

# These are directories inside the initrd

CONFDIR="/conf/conf.d/mandos"

MANDOSDIR="/lib/mandos"

PLUGINDIR="${MANDOSDIR}/plugins.d"

HOOKDIR="${MANDOSDIR}/network-hooks.d"

# Make directories

install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \

"${DESTDIR}${MANDOSDIR}" "${DESTDIR}${HOOKDIR}"

install --owner=${mandos_user} --group=${mandos_group} --directory \

--mode=u=rwx "${DESTDIR}${PLUGINDIR}"

# Copy the Mandos plugin runner

copy_exec "$prefix"/lib/mandos/plugin-runner "${MANDOSDIR}"

# Copy the plugins

# Copy the packaged plugins

for file in "$prefix"/lib/mandos/plugins.d/*; do

base="`basename \"$file\"`"

# Is this plugin overridden?

if [ -e "/etc/mandos/plugins.d/$base" ]; then

continue

case "$base" in

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

: ;;

"*") echo "W: Mandos client plugin directory is empty." >&2 ;;

*) copy_exec "$file" "${PLUGINDIR}" ;;

esac

done

# Copy any user-supplied plugins

100

for file in /etc/mandos/plugins.d/*; do

101

base="`basename \"$file\"`"

102

case "$base" in

103

*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)

104

: ;;

105

"*") : ;;

106

*) copy_exec "$file" "${PLUGINDIR}" ;;

107

esac

108

done

109

110

# Copy network hooks

111

for hook in /etc/mandos/network-hooks.d/*; do

112

case "`basename \"$hook\"`" in

113

"*") continue ;;

114

*[!A-Za-z0-9_.-]*) continue ;;

115

*) test -d "$hook" || copy_exec "$hook" "${HOOKDIR}" ;;

116

esac

117

if [ -x "$hook" ]; then

118

# Copy any files needed by the network hook

119

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=files \

120

VERBOSITY=0 "$hook" files | while read file target; do

121

if [ -z "${target}" ]; then

122

copy_exec "$file"

123

else

124

copy_exec "$file" "$target"

125

126

done

127

# Copy and load any modules needed by the network hook

128

MANDOSNETHOOKDIR=/etc/mandos/network-hooks.d MODE=modules \

129

VERBOSITY=0 "$hook" modules | while read module; do

130

if [ -z "${target}" ]; then

131

force_load "$module"

132

133

done

134

135

done

136

137

# GPGME needs /usr/bin/gpg

138

if [ ! -e "${DESTDIR}/usr/bin/gpg" \

139

-a -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* \

140

2>/dev/null`" ]; then

141

copy_exec /usr/bin/gpg

142

143

144

# Config files

145

for file in /etc/mandos/plugin-runner.conf; do

146

if [ -d "$file" ]; then

147

continue

148

149

cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"

150

done

151

152

if [ ${mandos_user} != 65534 ]; then

153

sed --in-place --expression="1i--userid=${mandos_user}" \

154

"${DESTDIR}${CONFDIR}/plugin-runner.conf"

155

156

157

if [ ${mandos_group} != 65534 ]; then

158

sed --in-place --expression="1i--groupid=${mandos_group}" \

159

"${DESTDIR}${CONFDIR}/plugin-runner.conf"

160

161

162

# Key files

163

for file in "$keydir"/*; do

164

if [ -d "$file" ]; then

165

continue

166

167

cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"

168

chown ${mandos_user}:${mandos_group} \

169

"${DESTDIR}${CONFDIR}/`basename \"$file\"`"

170

done

171

172

# /lib/mandos/plugin-runner will drop priviliges, but needs access to

173

# its plugin directory and its config file. However, since almost all

174

# files in initrd have been created with umask 027, this opening of

175

# permissions is needed.

176

177

# (The umask is not really intended to affect the files inside the

178

# initrd; it is intended to affect the initrd.img file itself, since

179

# it now contains secret key files. There is, however, no other way

180

# to set the permission of the initrd.img file without a race

181

# condition. This umask is set by "initramfs-tools-hook-conf",

182

# installed as "/usr/share/initramfs-tools/conf-hooks.d/mandos".)

183

184

for full in "${MANDOSDIR}" "${CONFDIR}"; do

185

while [ "$full" != "/" ]; do

186

chmod a+rX "${DESTDIR}$full"

187

full="`dirname \"$full\"`"

188

done

189

done

190

191

# Reset some other things to sane permissions which we have

192

# inadvertently affected with our umask setting.

193

for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do

194

if [ -d "${DESTDIR}$dir" ]; then

195

chmod a+rX "${DESTDIR}$dir"

196

197

done

198

for dir in "${DESTDIR}"/lib* "${DESTDIR}"/usr/lib*; do

199

if [ -d "$dir" ]; then

200

find "$dir" \! -perm -u+rw,g+r -prune -or -print0 \

201

| xargs --null --no-run-if-empty chmod a+rX

202

203

done

Older »