Commit d1ac4546 authored by Natanael Copa's avatar Natanael Copa

preliminary support for encrypted configs - thanks to Alexander Povslavski

parent 831a7a5a
V=1.0 V=1.1
P=alpine-conf P=alpine-conf
PV=$(P)-$(V) PV=$(P)-$(V)
APKF=$(PV).apk APKF=$(PV).apk
...@@ -20,9 +20,11 @@ SBIN_FILES=albootstrap\ ...@@ -20,9 +20,11 @@ SBIN_FILES=albootstrap\
setup-sendbug\ setup-sendbug\
setup-webconf\ setup-webconf\
update-conf update-conf
ETC_LBU_FILES=lbu.conf
EXTRA_DIST=Makefile README EXTRA_DIST=Makefile README
DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(EXTRA_DIST) DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(ETC_LBU_FILES) $(EXTRA_DIST)
DESC="Alpine configuration scripts" DESC="Alpine configuration scripts"
WWW="http://alpinelinux.org/alpine-conf" WWW="http://alpinelinux.org/alpine-conf"
...@@ -59,6 +61,8 @@ install: ...@@ -59,6 +61,8 @@ install:
install -m 755 $(SBIN_FILES) $(DESTDIR)/$(PREFIX)/sbin install -m 755 $(SBIN_FILES) $(DESTDIR)/$(PREFIX)/sbin
install -m 755 -d $(DESTDIR)/$(PREFIX)/lib install -m 755 -d $(DESTDIR)/$(PREFIX)/lib
install -m 755 $(LIB_FILES) $(DESTDIR)/$(PREFIX)/lib install -m 755 $(LIB_FILES) $(DESTDIR)/$(PREFIX)/lib
install -m 755 -d $(DESTDIR)/etc/lbu
install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu
uninstall: uninstall:
for i in $(SBIN_FILES); do \ for i in $(SBIN_FILES); do \
......
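Review bot: `install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu` installs lbu.conf, a configuration file that the lbu hunk below merely sources, with the execute bit set; a file under /etc that is data for another program should be `install -m 644 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu`. Because lbu reads this file with `.` (so it can set ENCRYPTION and anything else), anyone able to write it can inject shell into lbu; keeping it a plain root-owned 644 file rather than an executable makes that trust boundary visible and avoids it being picked up as a script. The rest of the install target and the directory creation for /etc/lbu lie outside this hunk.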
...@@ -9,7 +9,7 @@ PREFIX= ...@@ -9,7 +9,7 @@ PREFIX=
# this one is from apk-tools # this one is from apk-tools
. $PREFIX/lib/apk/libutil.sh . $PREFIX/lib/apk/libutil.sh
VERSION=0.9 VERSION=1.1
[ "$SFIC" ] && SFIC="$SFIC -i d" [ "$SFIC" ] && SFIC="$SFIC -i d"
# globals # globals
...@@ -24,6 +24,10 @@ MASK="Npugsh" ...@@ -24,6 +24,10 @@ MASK="Npugsh"
LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'` LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'`
if [ -f /etc/lbu/lbu.conf ]; then
. /etc/lbu/lbu.conf
fi
retcode=0 retcode=0
usage() { usage() {
echo "$PROGRAM $VERSION" echo "$PROGRAM $VERSION"
...@@ -46,18 +50,16 @@ Common options: ...@@ -46,18 +50,16 @@ Common options:
exit 1 exit 1
} }
# verify we have openssl is we want to encrypt
check_openssl() {
[ -z "$ENCRYPTION" ] && return 0
OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found"
#gen_temp_tdb() { $OPENSSL list-cipher-commands | grep "^$ENCRYPTION$" > /dev/null \
# # generate temp tdb || die "Cipher $ENCRYPTION is not supported"
# local opwd="$PWD" }
# rm -f "$TMP_TDB"
# cd "$ROOT"
# $SFIC -R --add "$TMP_TDB" $LBUDIRS
# cd "$opwd"
#}
gen_current_tdb() { gen_current_tdb() {
# [ -f "$TMP_TDB" ] || gen_temp_tdb
# generate current tdb # generate current tdb
rm -f "$CURRENT_TDB" rm -f "$CURRENT_TDB"
$SFIC -R -t --mask "$MASK" --old "$APK_DEFAULT_TDB" $LBUDIRS \ $SFIC -R -t --mask "$MASK" --old "$APK_DEFAULT_TDB" $LBUDIRS \
...@@ -98,7 +100,7 @@ list_delete() { ...@@ -98,7 +100,7 @@ list_delete() {
} }
# #
# lbu_include - add/remove files to include list # lbu_include - add/remove files to include list
# #
...@@ -123,7 +125,7 @@ cmd_include() { ...@@ -123,7 +125,7 @@ cmd_include() {
show_include show_include
return return
fi fi
[ $# -lt 1 ] && usage_include [ $# -lt 1 ] && usage_include
if [ "$REMOVE" ] ; then if [ "$REMOVE" ] ; then
list_delete "$INCLUDE_LIST" "$@" list_delete "$INCLUDE_LIST" "$@"
...@@ -158,7 +160,7 @@ be created in the specified directory. ...@@ -158,7 +160,7 @@ be created in the specified directory.
If <filename> is specified, and is not a direcotry, a package with the If <filename> is specified, and is not a direcotry, a package with the
specified name willbe created. specified name willbe created.
If <dirname> nor <filename> is not specified, a package named If <dirname> nor <filename> is not specified, a package named
<hostname>.apkovl.tar.gz will be created in current work directory. <hostname>.apkovl.tar.gz will be created in current work directory.
" "
exit 1 exit 1
...@@ -168,12 +170,17 @@ cmd_package() { ...@@ -168,12 +170,17 @@ cmd_package() {
local pkg="$1" local pkg="$1"
local rc=0 local rc=0
local owd="$PWD" local owd="$PWD"
local suff="apkovl.tar.gz"
check_openssl
[ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION"
# find filename # find filename
if [ -d "$pkg" ] ; then if [ -d "$pkg" ] ; then
pkg="$pkg/$(hostname).apkovl.tar.gz" pkg="$pkg/$(hostname).$suff"
elif [ -z "$pkg" ]; then elif [ -z "$pkg" ]; then
pkg="$PWD/$(hostname).apkovl.tar.gz" pkg="$PWD/$(hostname).$suff"
fi fi
# generate the packages.list # generate the packages.list
...@@ -185,20 +192,32 @@ cmd_package() { ...@@ -185,20 +192,32 @@ cmd_package() {
# only add the packages who has no REQUIRED_BY # only add the packages who has no REQUIRED_BY
[ -z "$reqby" ] && echo $i [ -z "$reqby" ] && echo $i
done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list
# Automatically add list and modified files # Automatically add list and modified files
currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'` currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'`
# we generate a tmpcurrent before we commit to avoid race condition # we generate a tmpcurrent before we commit to avoid race condition
rm -f "$CURRENT_TDB" rm -f "$CURRENT_TDB"
$SFIC --add "$CURRENT_TDB" $currentlist $SFIC --add "$CURRENT_TDB" $currentlist
# create tar archive # create tar archive
[ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST" [ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST"
[ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST" [ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST"
if ! tar $VERBOSE $excl $incl -c $currentlist | gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB" if [ -z "$ENCRYPTION" ]; then
rc=1 if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB"
rc=1
fi
else
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c \
| $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg"
then
rm -f "$CURRENT_TDB"
rc=1
fi
fi fi
cd "$owd" cd "$owd"
return $rc return $rc
...@@ -231,6 +250,8 @@ Create a backup of config to writeable media. ...@@ -231,6 +250,8 @@ Create a backup of config to writeable media.
usage: $PROGRAM commit|ci [-nv] [<media>] usage: $PROGRAM commit|ci [-nv] [<media>]
Options: Options:
-d Remove old configuration files.
-e Protect configuration with a password.
-n Don't commit, just show what would have been commited. -n Don't commit, just show what would have been commited.
-v Verbose mode. -v Verbose mode.
...@@ -241,9 +262,11 @@ If <media> is not specified, the environment variable LBU_MEDIA will be used. ...@@ -241,9 +262,11 @@ If <media> is not specified, the environment variable LBU_MEDIA will be used.
} }
cmd_commit() { cmd_commit() {
local media mnt was_mounted statuslist tmplist currentlist local media mnt was_mounted statuslist tmplist currentlist
local incl excl outfile local incl excl outfile ovls lines
check_openssl
# find what media to use # find what media to use
if [ "$1" ] ; then if [ "$1" ] ; then
media="$1" media="$1"
...@@ -260,12 +283,34 @@ cmd_commit() { ...@@ -260,12 +283,34 @@ cmd_commit() {
mount $mnt || die "failed to mount $mnt." mount $mnt || die "failed to mount $mnt."
fi fi
if [ -n "$DELETEOLDCONFIGS" ] ; then
if [ -n "$DRYRUN" ] ; then
local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null)
if [ -n "$rmfiles" ] ; then
echo "I would have removed:"
echo "$rmfiles"
fi
else
[ -n "$VERBOSE" ] && echo "Removing old config files"
rm "$mnt/*.apkovl.*" 2>/dev/null
fi
else
lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l )
if [ $lines -gt 1 ] ; then
# More then one apkovl, this is a security concern
die "More than one apkovl file was found. Please use -d to erase old configs."
fi
fi
# commit files to archive # commit files to archive
if [ "$DRYRUN" ] ; then if [ "$DRYRUN" ] ; then
outfile=/dev/null outfile=/dev/null
VERBOSE="-v" VERBOSE="-v"
else else
outfile="$mnt/$(hostname).apkovl.tar.gz" outfile="$mnt/$(hostname).apkovl.tar.gz"
if [ -n "$ENCRYPTION" ]; then
outfile="$outfile.$ENCRYPTION"
fi
fi fi
# create package # create package
...@@ -315,7 +360,7 @@ cmd_exclude() { ...@@ -315,7 +360,7 @@ cmd_exclude() {
show_exclude show_exclude
return return
fi fi
[ $# -lt 1 ] && usage_exclude [ $# -lt 1 ] && usage_exclude
if [ "$REMOVE" ] ; then if [ "$REMOVE" ] ; then
list_delete "$EXCLUDE_LIST" "$@" list_delete "$EXCLUDE_LIST" "$@"
...@@ -329,7 +374,7 @@ show_exclude() { ...@@ -329,7 +374,7 @@ show_exclude() {
if [ -f "$EXCLUDE_LIST" ] ; then if [ -f "$EXCLUDE_LIST" ] ; then
[ "$VERBOSE" ] && echo "Exclude files:" [ "$VERBOSE" ] && echo "Exclude files:"
cat "$EXCLUDE_LIST" cat "$EXCLUDE_LIST"
fi fi
} }
#--------------------------------------------------------------------------- #---------------------------------------------------------------------------
...@@ -356,7 +401,7 @@ cmd_status() { ...@@ -356,7 +401,7 @@ cmd_status() {
# genereate temp tdb # genereate temp tdb
#gen_temp_tdb #gen_temp_tdb
if [ -f "$COMMITED_TDB" ] && [ -z "$USE_DEFAULT" ]; then if [ -f "$COMMITED_TDB" ] && [ -z "$USE_DEFAULT" ]; then
# generate current tdb # generate current tdb
gen_current_tdb gen_current_tdb
...@@ -383,7 +428,7 @@ cmd_status() { ...@@ -383,7 +428,7 @@ cmd_status() {
usage_update() { usage_update() {
echo "$PROGRAM $VERSION echo "$PROGRAM $VERSION
Update the commited database without commit to media. Update the commited database without commit to media.
usage: $PROGRAM update|up [-v] <file> ... usage: $PROGRAM update|up [-v] <file> ...
Options: Options:
...@@ -424,11 +469,17 @@ case "$cmd" in ...@@ -424,11 +469,17 @@ case "$cmd" in
esac esac
# parse common args # parse common args
while getopts "ahlM:nqrv" opt ; do while getopts "adehlM:nqrv" opt ; do
case "$opt" in case "$opt" in
a) [ $SUBCMD = status ] || usage_$SUBCMD a) [ $SUBCMD = status ] || usage_$SUBCMD
USE_DEFAULT="-a" USE_DEFAULT="-a"
;; ;;
d) DELETEOLDCONFIGS="yes"
;;
e) ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded
# to use different cyphers, the lbu_commit code
# does not need to be changed
;;
h) usage_$SUBCMD h) usage_$SUBCMD
;; ;;
l) LIST="-l" l) LIST="-l"
...@@ -448,8 +499,8 @@ while getopts "ahlM:nqrv" opt ; do ...@@ -448,8 +499,8 @@ while getopts "ahlM:nqrv" opt ; do
esac esac
done done
shift `expr $OPTIND - 1` shift `expr $OPTIND - 1`
cmd_$SUBCMD "$@" cmd_$SUBCMD "$@"
# cleanup # cleanup
rm -f "$CURRENT_TDB" rm -f "$CURRENT_TDB"
exit $retcode exit $retcode
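Review bot: The new `-d` branch in cmd_commit never removes anything: `rm "$mnt/*.apkovl.*"` and `ls "$mnt/*.apkovl.*"` quote the glob, so the shell hands over the literal name `*.apkovl.*`, the resulting error is hidden by `2>/dev/null`, and the stale overlays stay on the media — while the "more than one apkovl" check that the same hunk labels a security concern is skipped whenever -d is given. Keep the glob outside the quotes as that check already does: `rm -f -- "$mnt"/*.apkovl.* 2>/dev/null` and `rmfiles=$(ls "$mnt"/*.apkovl.* 2>/dev/null)`; the count check matches `*.apkovl.tar.gz*` while the delete matches `*.apkovl.*`, and the two should use one pattern so -d removes exactly what the check would have rejected. In check_openssl, `grep "^$ENCRYPTION$"` treats a value that may come from the sourced /etc/lbu/lbu.conf as a regex; `grep -x -F -- "$ENCRYPTION"` compares it literally. Separately, `$OPENSSL enc "-$ENCRYPTION" -salt` with no `-pass` relies on OpenSSL's password-derived key and gives no integrity protection, so a tampered `.aes-256-cbc` overlay will decrypt to garbage that is still piped into tar; the -e help text should say the archive is protected for confidentiality only.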