Commit 4c6317c6 authored by Natanael Copa

lbu encrypt fixes

parent d1ac4546
......@@ -20,12 +20,17 @@ COMMITED_TDB="$APK_DATA/commited.tdb"
EXCLUDE_LIST=/etc/lbu/exclude
INCLUDE_LIST=/etc/lbu/include
PACKAGES_LIST=/etc/lbu/packages.list
DEFAULT_CIPHER="aes-256-cbc"
MASK="Npugsh"
LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'`
if [ -f /etc/lbu/lbu.conf ]; then
. /etc/lbu/lbu.conf
LBU_CONF=/etc/lbu/lbu.conf
if [ -f "$LBU_CONF" ]; then
. "$LBU_CONF"
fi
retcode=0
......@@ -50,7 +55,7 @@ Common options:
exit 1
}
# verify we have openssl is we want to encrypt
# verify we have openssl if we want to encrypt
check_openssl() {
[ -z "$ENCRYPTION" ] && return 0
OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found"
......@@ -171,8 +176,10 @@ cmd_package() {
local rc=0
local owd="$PWD"
local suff="apkovl.tar.gz"
local tmpdir tmppkg
check_openssl
init_tmpdir tmpdir
[ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION"
......@@ -183,15 +190,18 @@ cmd_package() {
pkg="$PWD/$(hostname).$suff"
fi
tmppkg="$tmpdir/$(basename $pkg)"
# generate the packages.list
cd "$ROOT"
mkdir -p /etc/lbu
echo "#This file is generated by 'lbu package'" > /etc/lbu/packages.list
mkdir -p $(dirname $PACKAGES_LIST)
echo "#This file is generated by 'lbu package' (lbu $VERSION)" \
> $PACKAGES_LIST
for i in $(apk_glob '*') ; do
reqby=$(apk_info -qr $i);
# only add the packages who has no REQUIRED_BY
[ -z "$reqby" ] && echo $i
done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list
done | sed 's/-[0-9].*//' >> $PACKAGES_LIST
# Automatically add list and modified files
currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'`
......@@ -203,22 +213,31 @@ cmd_package() {
# create tar archive
[ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST"
[ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST"
if [ -z "$ENCRYPTION" ]; then
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB"
rc=1
fi
tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c >"$tmppkg"
rc=$?
else
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c \
| $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg"
then
rm -f "$CURRENT_TDB"
rc=1
if [ -n "$VERBOSE" ]; then
echo "Archiving the following files:" >&2
# we dont want to mess the tar output with the
# password prompt. Lets get the tar output first.
tar $excl $incl -c -v $currentlist > /dev/null
rc=$?
fi
if [ $rc -eq 0 ]; then
tar $excl $incl -c $currentlist | gzip -c \
| $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg"
rc=$?
fi
fi
if [ $rc -eq 0 ]; then
[ -z "$DRYRUN" ] && cp "$tmppkg" "$pkg"
else
rm -f "$CURRENT_TDB"
fi
cd "$owd"
return $rc
}
......@@ -250,13 +269,19 @@ Create a backup of config to writeable media.
usage: $PROGRAM commit|ci [-nv] [<media>]
Options:
-d Remove old configuration files.
-d Remove old apk overlay files.
-e Protect configuration with a password.
-n Don't commit, just show what would have been commited.
-v Verbose mode.
The following values for <media> is supported: floppy usb
If <media> is not specified, the environment variable LBU_MEDIA will be used.
Passows protection will use $DEFAULT_CIPHER encryption. Other ciphers can be
used by setting the DEFAULT_CIPHER or ENCRYPTION environment variables.
For possible ciphers, try: openssl -v
The environment varialbes can also be set in $LBU_CONF
"
exit 1
}
......@@ -267,6 +292,9 @@ cmd_commit() {
check_openssl
# turn on verbose mode if dryrun
[ -n "$DRYRUN" ] && VERBOSE="-v"
# find what media to use
if [ "$1" ] ; then
media="$1"
......@@ -277,39 +305,36 @@ cmd_commit() {
# mount media unles its already mounted
mnt=/media/$media
[ -d $mnt ] || usage
[ -d "$mnt" ] || usage
was_mounted=`grep $mnt /proc/mounts`
if [ -z "$was_mounted" ]; then
mount $mnt || die "failed to mount $mnt."
fi
# find the outfile
outfile="$mnt/$(hostname).apkovl.tar.gz"
if [ -n "$ENCRYPTION" ]; then
outfile="$outfile.$ENCRYPTION"
fi
# remove old config files
if [ -n "$DELETEOLDCONFIGS" ] ; then
if [ -n "$DRYRUN" ] ; then
local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null)
if [ -n "$rmfiles" ] ; then
echo "I would have removed:"
local rmfiles=$(ls "$mnt/"*.apkovl.tar.gz* 2>/dev/null)
if [ -n "$rmfiles" ] ; then
if [ -n "$VERBOSE" ]; then
echo "Removing old apk overlay files:" >&2
echo "$rmfiles"
echo "" >&2
fi
else
[ -n "$VERBOSE" ] && echo "Removing old config files"
rm "$mnt/*.apkovl.*" 2>/dev/null
[ -z "$DRYRUN" ] && rm "$mnt/"*.apkovl.tar.gz*
fi
else
lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l )
if [ $lines -gt 1 ] ; then
lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null)
if [ -n "$lines" ] && [ "$lines" != "$outfile" ]; then
# More then one apkovl, this is a security concern
die "More than one apkovl file was found. Please use -d to erase old configs."
fi
fi
# commit files to archive
if [ "$DRYRUN" ] ; then
outfile=/dev/null
VERBOSE="-v"
else
outfile="$mnt/$(hostname).apkovl.tar.gz"
if [ -n "$ENCRYPTION" ]; then
outfile="$outfile.$ENCRYPTION"
[ -z "$was_mounted" ] && umount "$mnt"
[ -n "$VERBOSE" ] && echo "$lines"
die "Found multiple apkovl files. Please use -d to replace them all."
fi
fi
......@@ -320,17 +345,18 @@ cmd_commit() {
die "Problems creating archive. aborting"
fi
# remove obsolete file
# remove obsolete file. some older version of alpine needs this
# to be ble to upgrade
if [ -z "$DRYRUN" ] && [ -f $mnt/packages.list ]; then
echo "Note: Removing packages.list from $(basename $mnt)."
echo " /etc/lbu/packages.list will be used."
echo " $PACKAGES_LIST will be used."
rm -f $mnt/packages.list
fi
# make sure data is written and unmount the media
sync
sleep 1
[ -z "$was_mounted" ] && umount $mnt
[ -z "$was_mounted" ] && umount "$mnt"
# move current to commited.
[ "$DRYRUN" ] || mv "$CURRENT_TDB" "$COMMITED_TDB"
......@@ -476,9 +502,7 @@ while getopts "adehlM:nqrv" opt ; do
;;
d) DELETEOLDCONFIGS="yes"
;;
e) ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded
# to use different cyphers, the lbu_commit code
# does not need to be changed
e) ENCRYPTION="$DEFAULT_CIPHER"
;;
h) usage_$SUBCMD
;;
......
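Review bot: In the encrypted branch of cmd_package, `rc=$?` after `tar $excl $incl -c $currentlist | gzip -c | $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg"` only reports the status of the last stage, so a tar failure (a path in `$currentlist` that is missing or unreadable) leaves a truncated archive with rc=0, which the new `[ -z "$DRYRUN" ] && cp "$tmppkg" "$pkg"` then copies over the previous good overlay. The unencrypted branch (`tar ... | gzip -c >"$tmppkg"` followed by `rc=$?`) has the same gap, and the `-v` listing pass before it is the only place tar's own status is checked. If the target shell supports `set -o pipefail`, enabling it near the top of the script closes both; otherwise record tar's status inside the pipeline and fold it into rc before the cp, as below for the encrypted branch (the unencrypted one follows the same shape). cmd_package begins before this hunk, so the earlier `rc=0` initialisation is not visible here.
```shell
# … unchanged: verbose listing pass …
if [ $rc -eq 0 ]; then
  { tar $excl $incl -c $currentlist; echo $? > "$tmpdir/tar.rc"; } \
    | gzip -c | $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg"
  rc=$?
  # a failed tar must not be reported as a successful backup
  [ "$(cat "$tmpdir/tar.rc")" = "0" ] || rc=1
fi
```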