/mandos/trunk

To get this branch, use:
bzr branch http://bzr.recompile.se/loggerhead/mandos/trunk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
#!/bin/sh

# This script will be run by 'mkinitramfs' when it creates the image.
# Its job is to decide which files to install, then install them into
# the staging area, where the initramfs is being created.  This
# happens when a new 'linux-image' package is installed, or when the
# administrator runs 'update-initramfs' by hand to update an initramfs
# image.

# The environment contains at least:
#
#  DESTDIR -- The staging directory where the image is being built.

# No initramfs pre-requirements
PREREQ="cryptroot"

prereqs()
{
	echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
	prereqs
	exit 0
	;;
esac

. /usr/share/initramfs-tools/hook-functions

for d in /usr /usr/local; do
    if [ -d "$d"/lib/mandos ]; then
	prefix="$d"
	break
    fi
done
if [ -z "$prefix" ]; then
    # Mandos not found
    exit 1
fi

for d in /etc/keys/mandos /etc/mandos/keys; do
    if [ -d "$d" ]; then
	keydir="$d"
	break
    fi
done
if [ -z "$keydir" ]; then
    # Mandos key directory not found
    exit 1
fi

set `{ getent passwd _mandos \
    || getent passwd nobody \
    || echo ::65534:65534:::; } \
    | cut --delimiter=: --fields=3,4 --only-delimited \
    --output-delimiter=" "`
mandos_user="$1"
mandos_group="$2"

# The Mandos network client uses the network
auto_add_modules net
# The Mandos network client uses IPv6
force_load ipv6

# These are directories inside the initrd
CONFDIR="/conf/conf.d/mandos"
MANDOSDIR="/lib/mandos"
PLUGINDIR="${MANDOSDIR}/plugins.d"

# Make directories
install --directory --mode=u=rwx,go=rx "${DESTDIR}${CONFDIR}" \
	"${DESTDIR}${MANDOSDIR}"
install --owner=${mandos_user} --group=${mandos_group} --directory \
    --mode=u=rwx "${DESTDIR}${PLUGINDIR}"

# Copy the Mandos plugin runner
copy_exec "$prefix"/lib/mandos/plugin-runner "${MANDOSDIR}"

# Copy the plugins

# Copy the packaged plugins
for file in "$prefix"/lib/mandos/plugins.d/*; do
    base="`basename \"$file\"`"
    # Is this plugin overridden?
    if [ -e "/etc/mandos/plugins.d/$base" ]; then
	continue
    fi
    case "$base" in
	*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
	    : ;;
	"*") echo "W: Mandos client plugin directory is empty." >&2 ;;
	*) copy_exec "$file" "${PLUGINDIR}" ;;
    esac
done

# Copy any user-supplied plugins
for file in /etc/mandos/plugins.d/*; do
    base="`basename \"$file\"`"
    case "$base" in
	*~|.*|\#*\#|*.dpkg-old|*.dpkg-bak|*.dpkg-new|*.dpkg-divert)
	    : ;;
	"*") : ;;
	*) copy_exec "$file" "${PLUGINDIR}" ;;
    esac
done

# GPGME needs /usr/bin/gpg
if [ ! -e "${DESTDIR}/usr/bin/gpg" \
    -a -n "`ls \"${DESTDIR}\"/usr/lib/libgpgme.so* \
		2>/dev/null`" ]; then
    copy_exec /usr/bin/gpg
fi

# Config files
for file in /etc/mandos/plugin-runner.conf; do
    if [ -d "$file" ]; then
	continue
    fi
    cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"
done

if [ ${mandos_user} != 65534 ]; then
    sed --in-place --expression="1i--userid=${mandos_user}" \
	"${DESTDIR}${CONFDIR}/plugin-runner.conf"
fi

if [ ${mandos_group} != 65534 ]; then
    sed --in-place --expression="1i--groupid=${mandos_group}" \
	"${DESTDIR}${CONFDIR}/plugin-runner.conf"
fi

# Key files 
for file in "$keydir"/*; do
    if [ -d "$file" ]; then
	continue
    fi
    cp --archive --sparse=always "$file" "${DESTDIR}${CONFDIR}"
    chown ${mandos_user}:${mandos_group} \
	"${DESTDIR}${CONFDIR}/`basename \"$file\"`"
done

# /lib/mandos/plugin-runner will drop priviliges, but needs access to
# its plugin directory and its config file.  However, since almost all
# files in initrd have been created with umask 027, this opening of
# permissions is needed.
# 
# (The umask is not really intended to affect the files inside the
# initrd; it is intended to affect the initrd.img file itself, since
# it now contains secret key files.  There is, however, no other way
# to set the permission of the initrd.img file without a race
# condition.  This umask is set by "initramfs-tools-hook-conf",
# installed as "/usr/share/initramfs-tools/conf-hooks.d/mandos".)
# 
for full in "${MANDOSDIR}" "${CONFDIR}"; do
    while [ "$full" != "/" ]; do
	chmod a+rX "${DESTDIR}$full"
	full="`dirname \"$full\"`"
    done
done

# Reset some other things to sane permissions which we have
# inadvertently affected with our umask setting.
for dir in / /bin /etc /keyscripts /sbin /scripts /usr /usr/bin; do
    if [ -d "${DESTDIR}$dir" ]; then
	chmod a+rX "${DESTDIR}$dir"
    fi
done
for dir in "${DESTDIR}"/lib* "${DESTDIR}"/usr/lib*; do
    if [ -d "$dir" ]; then
	find "$dir" \! -perm -u+rw,g+r -prune -or -print0 \
	    | xargs --null --no-run-if-empty chmod a+rX
    fi
done