Commit d1ac4546 authored by Natanael Copa's avatar Natanael Copa

preliminary support for encrypted configs - thanks to Alexander Povslavski

parent 831a7a5a
V=1.0
V=1.1
P=alpine-conf
PV=$(P)-$(V)
APKF=$(PV).apk
......@@ -20,9 +20,11 @@ SBIN_FILES=albootstrap\
setup-sendbug\
setup-webconf\
update-conf
ETC_LBU_FILES=lbu.conf
EXTRA_DIST=Makefile README
DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(EXTRA_DIST)
DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(ETC_LBU_FILES) $(EXTRA_DIST)
DESC="Alpine configuration scripts"
WWW="http://alpinelinux.org/alpine-conf"
......@@ -59,6 +61,8 @@ install:
install -m 755 $(SBIN_FILES) $(DESTDIR)/$(PREFIX)/sbin
install -m 755 -d $(DESTDIR)/$(PREFIX)/lib
install -m 755 $(LIB_FILES) $(DESTDIR)/$(PREFIX)/lib
install -m 755 -d $(DESTDIR)/etc/lbu
install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu
uninstall:
for i in $(SBIN_FILES); do \
......
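Review bot: `install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu` in the install hunk gives lbu.conf the execute bit, although it is a configuration file that the lbu script sources (`. /etc/lbu/lbu.conf` in the same commit) rather than runs; the line should read `install -m 644 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu`, and the mode chosen for `$(SBIN_FILES)` should not be copied here. Because the file is sourced by a script that presumably runs as root (it mounts media), anything written into it executes with root privileges, so a root-owned, non-executable, non-group/world-writable mode is the only sensible one. Note also that `install` overwrites an existing /etc/lbu/lbu.conf on every reinstall, silently discarding local settings; if that is unintended, guard the copy with `[ -e $(DESTDIR)/etc/lbu/lbu.conf ] || install -m 644 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu`. The install target's remaining lines are outside this view.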
......@@ -9,7 +9,7 @@ PREFIX=
# this one is from apk-tools
. $PREFIX/lib/apk/libutil.sh
VERSION=0.9
VERSION=1.1
[ "$SFIC" ] && SFIC="$SFIC -i d"
# globals
......@@ -24,6 +24,10 @@ MASK="Npugsh"
LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'`
if [ -f /etc/lbu/lbu.conf ]; then
. /etc/lbu/lbu.conf
fi
retcode=0
usage() {
echo "$PROGRAM $VERSION"
......@@ -46,18 +50,16 @@ Common options:
exit 1
}
# verify we have openssl is we want to encrypt
check_openssl() {
[ -z "$ENCRYPTION" ] && return 0
OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found"
#gen_temp_tdb() {
# # generate temp tdb
# local opwd="$PWD"
# rm -f "$TMP_TDB"
# cd "$ROOT"
# $SFIC -R --add "$TMP_TDB" $LBUDIRS
# cd "$opwd"
#}
$OPENSSL list-cipher-commands | grep "^$ENCRYPTION$" > /dev/null \
|| die "Cipher $ENCRYPTION is not supported"
}
gen_current_tdb() {
# [ -f "$TMP_TDB" ] || gen_temp_tdb
# generate current tdb
rm -f "$CURRENT_TDB"
$SFIC -R -t --mask "$MASK" --old "$APK_DEFAULT_TDB" $LBUDIRS \
......@@ -98,7 +100,7 @@ list_delete() {
}
#
# lbu_include - add/remove files to include list
#
......@@ -123,7 +125,7 @@ cmd_include() {
show_include
return
fi
[ $# -lt 1 ] && usage_include
if [ "$REMOVE" ] ; then
list_delete "$INCLUDE_LIST" "$@"
......@@ -158,7 +160,7 @@ be created in the specified directory.
If <filename> is specified, and is not a direcotry, a package with the
specified name willbe created.
If <dirname> nor <filename> is not specified, a package named
If <dirname> nor <filename> is not specified, a package named
<hostname>.apkovl.tar.gz will be created in current work directory.
"
exit 1
......@@ -168,12 +170,17 @@ cmd_package() {
local pkg="$1"
local rc=0
local owd="$PWD"
local suff="apkovl.tar.gz"
check_openssl
[ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION"
# find filename
if [ -d "$pkg" ] ; then
pkg="$pkg/$(hostname).apkovl.tar.gz"
pkg="$pkg/$(hostname).$suff"
elif [ -z "$pkg" ]; then
pkg="$PWD/$(hostname).apkovl.tar.gz"
pkg="$PWD/$(hostname).$suff"
fi
# generate the packages.list
......@@ -185,20 +192,32 @@ cmd_package() {
# only add the packages who has no REQUIRED_BY
[ -z "$reqby" ] && echo $i
done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list
# Automatically add list and modified files
currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'`
# we generate a tmpcurrent before we commit to avoid race condition
rm -f "$CURRENT_TDB"
$SFIC --add "$CURRENT_TDB" $currentlist
# create tar archive
[ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST"
[ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST"
if ! tar $VERBOSE $excl $incl -c $currentlist | gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB"
rc=1
if [ -z "$ENCRYPTION" ]; then
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB"
rc=1
fi
else
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c \
| $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg"
then
rm -f "$CURRENT_TDB"
rc=1
fi
fi
cd "$owd"
return $rc
......@@ -231,6 +250,8 @@ Create a backup of config to writeable media.
usage: $PROGRAM commit|ci [-nv] [<media>]
Options:
-d Remove old configuration files.
-e Protect configuration with a password.
-n Don't commit, just show what would have been commited.
-v Verbose mode.
......@@ -241,9 +262,11 @@ If <media> is not specified, the environment variable LBU_MEDIA will be used.
}
cmd_commit() {
local media mnt was_mounted statuslist tmplist currentlist
local incl excl outfile
local media mnt was_mounted statuslist tmplist currentlist
local incl excl outfile ovls lines
check_openssl
# find what media to use
if [ "$1" ] ; then
media="$1"
......@@ -260,12 +283,34 @@ cmd_commit() {
mount $mnt || die "failed to mount $mnt."
fi
if [ -n "$DELETEOLDCONFIGS" ] ; then
if [ -n "$DRYRUN" ] ; then
local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null)
if [ -n "$rmfiles" ] ; then
echo "I would have removed:"
echo "$rmfiles"
fi
else
[ -n "$VERBOSE" ] && echo "Removing old config files"
rm "$mnt/*.apkovl.*" 2>/dev/null
fi
else
lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l )
if [ $lines -gt 1 ] ; then
# More then one apkovl, this is a security concern
die "More than one apkovl file was found. Please use -d to erase old configs."
fi
fi
# commit files to archive
if [ "$DRYRUN" ] ; then
outfile=/dev/null
VERBOSE="-v"
else
outfile="$mnt/$(hostname).apkovl.tar.gz"
if [ -n "$ENCRYPTION" ]; then
outfile="$outfile.$ENCRYPTION"
fi
fi
# create package
......@@ -315,7 +360,7 @@ cmd_exclude() {
show_exclude
return
fi
[ $# -lt 1 ] && usage_exclude
if [ "$REMOVE" ] ; then
list_delete "$EXCLUDE_LIST" "$@"
......@@ -329,7 +374,7 @@ show_exclude() {
if [ -f "$EXCLUDE_LIST" ] ; then
[ "$VERBOSE" ] && echo "Exclude files:"
cat "$EXCLUDE_LIST"
fi
fi
}
#---------------------------------------------------------------------------
......@@ -356,7 +401,7 @@ cmd_status() {
# genereate temp tdb
#gen_temp_tdb
if [ -f "$COMMITED_TDB" ] && [ -z "$USE_DEFAULT" ]; then
# generate current tdb
gen_current_tdb
......@@ -383,7 +428,7 @@ cmd_status() {
usage_update() {
echo "$PROGRAM $VERSION
Update the commited database without commit to media.
usage: $PROGRAM update|up [-v] <file> ...
Options:
......@@ -424,11 +469,17 @@ case "$cmd" in
esac
# parse common args
while getopts "ahlM:nqrv" opt ; do
while getopts "adehlM:nqrv" opt ; do
case "$opt" in
a) [ $SUBCMD = status ] || usage_$SUBCMD
USE_DEFAULT="-a"
;;
d) DELETEOLDCONFIGS="yes"
;;
e) ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded
# to use different cyphers, the lbu_commit code
# does not need to be changed
;;
h) usage_$SUBCMD
;;
l) LIST="-l"
......@@ -448,8 +499,8 @@ while getopts "ahlM:nqrv" opt ; do
esac
done
shift `expr $OPTIND - 1`
cmd_$SUBCMD "$@"
cmd_$SUBCMD "$@"
# cleanup
rm -f "$CURRENT_TDB"
exit $retcode
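Review bot: The new `-d` branch in cmd_commit never removes anything, because the glob in `rm "$mnt/*.apkovl.*" 2>/dev/null` (and in the `ls` of the dry-run branch just above it) sits inside the double quotes, so the shell hands rm the literal name `*.apkovl.*` and the resulting "No such file" error is hidden by the stderr redirect; the `ls -1 "$mnt"/*.apkovl.tar.gz*` in the else branch quotes only `$mnt` and is the correct form. Change the two lines to `local rmfiles=$(ls "$mnt"/*.apkovl.* 2>/dev/null)` and `rm -f "$mnt"/*.apkovl.* 2>/dev/null`. As it stands, the old (possibly unencrypted) overlay remains on the media next to the new encrypted one, which is exactly the condition the "more than one apkovl file" check was added to refuse, but that check only runs when -d is not given, so the caller gets no warning. Separately, `$OPENSSL enc "-$ENCRYPTION" -salt` with a password uses OpenSSL's legacy EVP_BytesToKey derivation and CBC with no integrity tag, so anyone with write access to the media can alter the ciphertext undetected; since the commit calls this preliminary, a comment at the `e)` case recording that the format is confidentiality-only and that the boot-side decryptor (not in this commit) must match the hardcoded cipher would help whoever picks this up. cmd_commit continues past the hunk.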