Commit d1ac4546 authored by Natanael Copa's avatar Natanael Copa

preliminary support for encrypted configs - thanks to Alexander Povslavski

parent 831a7a5a
V=1.0
V=1.1
P=alpine-conf
PV=$(P)-$(V)
APKF=$(PV).apk
......@@ -20,9 +20,11 @@ SBIN_FILES=albootstrap\
setup-sendbug\
setup-webconf\
update-conf
ETC_LBU_FILES=lbu.conf
EXTRA_DIST=Makefile README
DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(EXTRA_DIST)
DIST_FILES=$(LIB_FILES) $(SBIN_FILES) $(ETC_LBU_FILES) $(EXTRA_DIST)
DESC="Alpine configuration scripts"
WWW="http://alpinelinux.org/alpine-conf"
......@@ -59,6 +61,8 @@ install:
install -m 755 $(SBIN_FILES) $(DESTDIR)/$(PREFIX)/sbin
install -m 755 -d $(DESTDIR)/$(PREFIX)/lib
install -m 755 $(LIB_FILES) $(DESTDIR)/$(PREFIX)/lib
install -m 755 -d $(DESTDIR)/etc/lbu
install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu
uninstall:
for i in $(SBIN_FILES); do \
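Review bot: `install -m 755 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu` installs a configuration file with the executable bit set; lbu.conf is sourced by the script (`. /etc/lbu/lbu.conf` in the second file), not executed, so `install -m 644 $(ETC_LBU_FILES) $(DESTDIR)/etc/lbu` is the appropriate mode while the `-d` directory line keeps 755. The hard-coded `/etc/lbu` also bypasses `$(PREFIX)`; that may be intended since the script reads the file at a fixed path, but a `SYSCONFDIR ?= /etc` knob used by both the Makefile and the script would keep the two from drifting apart. The install recipe begins before this hunk.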
......@@ -9,7 +9,7 @@ PREFIX=
# this one is from apk-tools
. $PREFIX/lib/apk/libutil.sh
VERSION=0.9
VERSION=1.1
[ "$SFIC" ] && SFIC="$SFIC -i d"
# globals
......@@ -24,6 +24,10 @@ MASK="Npugsh"
LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'`
if [ -f /etc/lbu/lbu.conf ]; then
. /etc/lbu/lbu.conf
fi
retcode=0
usage() {
echo "$PROGRAM $VERSION"
......@@ -46,18 +50,16 @@ Common options:
exit 1
}
# verify we have openssl is we want to encrypt
check_openssl() {
[ -z "$ENCRYPTION" ] && return 0
OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found"
#gen_temp_tdb() {
# # generate temp tdb
# local opwd="$PWD"
# rm -f "$TMP_TDB"
# cd "$ROOT"
# $SFIC -R --add "$TMP_TDB" $LBUDIRS
# cd "$opwd"
#}
$OPENSSL list-cipher-commands | grep "^$ENCRYPTION$" > /dev/null \
|| die "Cipher $ENCRYPTION is not supported"
}
gen_current_tdb() {
# [ -f "$TMP_TDB" ] || gen_temp_tdb
# generate current tdb
rm -f "$CURRENT_TDB"
$SFIC -R -t --mask "$MASK" --old "$APK_DEFAULT_TDB" $LBUDIRS \
......@@ -168,12 +170,17 @@ cmd_package() {
local pkg="$1"
local rc=0
local owd="$PWD"
local suff="apkovl.tar.gz"
check_openssl
[ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION"
# find filename
if [ -d "$pkg" ] ; then
pkg="$pkg/$(hostname).apkovl.tar.gz"
pkg="$pkg/$(hostname).$suff"
elif [ -z "$pkg" ]; then
pkg="$PWD/$(hostname).apkovl.tar.gz"
pkg="$PWD/$(hostname).$suff"
fi
# generate the packages.list
......@@ -196,10 +203,22 @@ cmd_package() {
# create tar archive
[ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST"
[ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST"
if ! tar $VERBOSE $excl $incl -c $currentlist | gzip -c >"$pkg" ; then
if [ -z "$ENCRYPTION" ]; then
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c >"$pkg" ; then
rm -f "$CURRENT_TDB"
rc=1
fi
else
if ! tar $VERBOSE $excl $incl -c $currentlist \
| gzip -c \
| $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg"
then
rm -f "$CURRENT_TDB"
rc=1
fi
fi
cd "$owd"
return $rc
}
......@@ -231,6 +250,8 @@ Create a backup of config to writeable media.
usage: $PROGRAM commit|ci [-nv] [<media>]
Options:
-d Remove old configuration files.
-e Protect configuration with a password.
-n Don't commit, just show what would have been commited.
-v Verbose mode.
......@@ -242,7 +263,9 @@ If <media> is not specified, the environment variable LBU_MEDIA will be used.
cmd_commit() {
local media mnt was_mounted statuslist tmplist currentlist
local incl excl outfile
local incl excl outfile ovls lines
check_openssl
# find what media to use
if [ "$1" ] ; then
......@@ -260,12 +283,34 @@ cmd_commit() {
mount $mnt || die "failed to mount $mnt."
fi
if [ -n "$DELETEOLDCONFIGS" ] ; then
if [ -n "$DRYRUN" ] ; then
local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null)
if [ -n "$rmfiles" ] ; then
echo "I would have removed:"
echo "$rmfiles"
fi
else
[ -n "$VERBOSE" ] && echo "Removing old config files"
rm "$mnt/*.apkovl.*" 2>/dev/null
fi
else
lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l )
if [ $lines -gt 1 ] ; then
# More then one apkovl, this is a security concern
die "More than one apkovl file was found. Please use -d to erase old configs."
fi
fi
# commit files to archive
if [ "$DRYRUN" ] ; then
outfile=/dev/null
VERBOSE="-v"
else
outfile="$mnt/$(hostname).apkovl.tar.gz"
if [ -n "$ENCRYPTION" ]; then
outfile="$outfile.$ENCRYPTION"
fi
fi
# create package
......@@ -424,11 +469,17 @@ case "$cmd" in
esac
# parse common args
while getopts "ahlM:nqrv" opt ; do
while getopts "adehlM:nqrv" opt ; do
case "$opt" in
a) [ $SUBCMD = status ] || usage_$SUBCMD
USE_DEFAULT="-a"
;;
d) DELETEOLDCONFIGS="yes"
;;
e) ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded
# to use different cyphers, the lbu_commit code
# does not need to be changed
;;
h) usage_$SUBCMD
;;
l) LIST="-l"
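Review bot: The `-d` cleanup in cmd_commit never matches anything because the glob is inside the quotes: `ls "$mnt/*.apkovl.*"` and `rm "$mnt/*.apkovl.*"` look for a file literally named `*.apkovl.*`, and the `2>/dev/null` hides the failure, so old overlays (including unencrypted ones) stay on the media next to the new file — the situation the `More than one apkovl file` check in the other branch is meant to prevent. Move the glob outside the quotes as the count line already does: `local rmfiles=$(ls "$mnt"/*.apkovl.* 2>/dev/null)` and `rm "$mnt"/*.apkovl.* 2>/dev/null`. The commit usage text still advertises `commit|ci [-nv]`; it should read `[-denv]` now that both options are parsed, and the `-e` help line could state that `openssl enc` in CBC mode provides confidentiality only, with no integrity check, so a tampered archive is not guaranteed to be detected when restored. cmd_commit continues outside the hunk.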