From 4c6317c699e81251974c14c8ca452471db7f83e1 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Mon, 15 Oct 2007 13:23:07 +0000 Subject: lbu encrypt fixes --- lbu | 118 +++++++++++++++++++++++++++++++++++++++++--------------------------- 1 file changed, 71 insertions(+), 47 deletions(-) diff --git a/lbu b/lbu index 78089a2..f10caa8 100644 --- a/lbu +++ b/lbu @@ -20,12 +20,17 @@ COMMITED_TDB="$APK_DATA/commited.tdb" EXCLUDE_LIST=/etc/lbu/exclude INCLUDE_LIST=/etc/lbu/include +PACKAGES_LIST=/etc/lbu/packages.list + +DEFAULT_CIPHER="aes-256-cbc" + MASK="Npugsh" LBUDIRS=`echo "$APK_LBUDIRS" | sed 's/:/ /g'` -if [ -f /etc/lbu/lbu.conf ]; then - . /etc/lbu/lbu.conf +LBU_CONF=/etc/lbu/lbu.conf +if [ -f "$LBU_CONF" ]; then + . "$LBU_CONF" fi retcode=0 @@ -50,7 +55,7 @@ Common options: exit 1 } -# verify we have openssl is we want to encrypt +# verify we have openssl if we want to encrypt check_openssl() { [ -z "$ENCRYPTION" ] && return 0 OPENSSL=$(which openssl 2>/dev/null) || die "openssl was not found" @@ -171,8 +176,10 @@ cmd_package() { local rc=0 local owd="$PWD" local suff="apkovl.tar.gz" + local tmpdir tmppkg check_openssl + init_tmpdir tmpdir [ -n "$ENCRYPTION" ] && suff="$suff.$ENCRYPTION" @@ -183,15 +190,18 @@ cmd_package() { pkg="$PWD/$(hostname).$suff" fi + tmppkg="$tmpdir/$(basename $pkg)" + # generate the packages.list cd "$ROOT" - mkdir -p /etc/lbu - echo "#This file is generated by 'lbu package'" > /etc/lbu/packages.list + mkdir -p $(dirname $PACKAGES_LIST) + echo "#This file is generated by 'lbu package' (lbu $VERSION)" \ + > $PACKAGES_LIST for i in $(apk_glob '*') ; do reqby=$(apk_info -qr $i); # only add the packages who has no REQUIRED_BY [ -z "$reqby" ] && echo $i - done | sed 's/-[0-9].*//' >> /etc/lbu/packages.list + done | sed 's/-[0-9].*//' >> $PACKAGES_LIST # Automatically add list and modified files currentlist=`VERBOSE="" USE_DEFAULT="-a" cmd_status -a | grep -v ^D | awk '{print $2}'` 
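Review bot: In the `@@ -20,12 +20,17 @@` hunk, `DEFAULT_CIPHER="aes-256-cbc"` is assigned unconditionally, so a `DEFAULT_CIPHER` exported in the environment is overwritten before anything reads it; only a value set in `$LBU_CONF`, which is sourced afterwards, takes effect. The help text added later in this commit tells users the environment variable works. Assigning it as a default keeps both paths working: `DEFAULT_CIPHER="${DEFAULT_CIPHER:-aes-256-cbc}"`. Because `$LBU_CONF` is sourced as shell code and now also selects the cipher, a comment next to `LBU_CONF=` stating that the file is expected to be root-owned and not writable by others would be worth adding.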
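Review bot: In the `@@ -171,8 +176,10 @@` hunk, `init_tmpdir tmpdir` now decides where the overlay archive is staged, but the helper's definition is not part of this diff, so its guarantees cannot be checked here. The staged file is a copy of the system configuration, and it is unencrypted whenever `-e` is not given. The directory therefore needs an unpredictable name, owner-only permissions and removal on every exit path. If the helper already does this, a comment at the call such as `# tmpdir is private (0700) and removed on exit by init_tmpdir` would record it; if not, that is the place to fix it. cmd_package's body starts and ends outside the hunk.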
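Review bot: In the `@@ -183,15 +190,18 @@` hunk, the new lines leave several expansions unquoted: `$(basename $pkg)`, `$(dirname $PACKAGES_LIST)` and both `> $PACKAGES_LIST` / `>> $PACKAGES_LIST` redirections. `$pkg` is built from `$PWD` or a caller-supplied path earlier in the function, so a path containing whitespace or glob characters is split before `basename` sees it and the staged name no longer matches the target. Suggested forms are `tmppkg="$tmpdir/$(basename "$pkg")"`, `mkdir -p "$(dirname "$PACKAGES_LIST")"` and `> "$PACKAGES_LIST"`. The function continues outside the hunk.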
@@ -203,22 +213,31 @@ cmd_package() { # create tar archive [ -f "$EXCLUDE_LIST" ] && excl="-X $EXCLUDE_LIST" [ -f "$INCLUDE_LIST" ] && incl="-T $INCLUDE_LIST" - if [ -z "$ENCRYPTION" ]; then - if ! tar $VERBOSE $excl $incl -c $currentlist \ - | gzip -c >"$pkg" ; then - rm -f "$CURRENT_TDB" - rc=1 - fi + tar $VERBOSE $excl $incl -c $currentlist \ + | gzip -c >"$tmppkg" + rc=$? else - if ! tar $VERBOSE $excl $incl -c $currentlist \ - | gzip -c \ - | $OPENSSL enc "-$ENCRYPTION" -salt > "$pkg" - then - rm -f "$CURRENT_TDB" - rc=1 + if [ -n "$VERBOSE" ]; then + echo "Archiving the following files:" >&2 + # we dont want to mess the tar output with the + # password prompt. Lets get the tar output first. + tar $excl $incl -c -v $currentlist > /dev/null + rc=$? + fi + if [ $rc -eq 0 ]; then + tar $excl $incl -c $currentlist | gzip -c \ + | $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg" + rc=$? fi fi + + if [ $rc -eq 0 ]; then + [ -z "$DRYRUN" ] && cp "$tmppkg" "$pkg" + else + rm -f "$CURRENT_TDB" + fi + cd "$owd" return $rc } @@ -250,13 +269,19 @@ Create a backup of config to writeable media. usage: $PROGRAM commit|ci [-nv] [] Options: - -d Remove old configuration files. + -d Remove old apk overlay files. -e Protect configuration with a password. -n Don't commit, just show what would have been commited. -v Verbose mode. The following values for is supported: floppy usb If is not specified, the environment variable LBU_MEDIA will be used. + +Passows protection will use $DEFAULT_CIPHER encryption. Other ciphers can be +used by setting the DEFAULT_CIPHER or ENCRYPTION environment variables. +For possible ciphers, try: openssl -v + +The environment varialbes can also be set in $LBU_CONF " exit 1 } @@ -267,6 +292,9 @@ cmd_commit() { check_openssl + # turn on verbose mode if dryrun + [ -n "$DRYRUN" ] && VERBOSE="-v" + # find what media to use if [ "$1" ] ; then media="$1" 
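Review bot: In the `@@ -203,22 +213,31 @@` hunk, `rc=$?` after `tar … | gzip -c` and after `tar … | gzip -c | $OPENSSL enc …` records only the status of the last pipeline stage. A `tar` failure (unreadable file, bad include list) therefore still yields `rc=0` and the incomplete archive is copied over `$pkg`, unless the script runs under a shell with `pipefail` enabled, which the diff does not show. The staging file introduced by this commit makes this easy to close: write tar's own exit status to a file in `$tmpdir` and fold it into `rc` before the `cp`. Separately, `openssl enc` with a CBC cipher provides confidentiality only, so nothing here lets a later restore detect a modified archive. cmd_package starts outside the hunk.

```shell
	# … unchanged: excl/incl setup …
	tar_rc="$tmpdir/tar.rc"
	if [ -z "$ENCRYPTION" ]; then
		{ tar $VERBOSE $excl $incl -c $currentlist; echo $? > "$tar_rc"; } \
			| gzip -c >"$tmppkg"
		rc=$?
	else
		# … unchanged: verbose listing pass …
		if [ $rc -eq 0 ]; then
			{ tar $excl $incl -c $currentlist; echo $? > "$tar_rc"; } \
				| gzip -c \
				| $OPENSSL enc "-$ENCRYPTION" -salt > "$tmppkg"
			rc=$?
		fi
	fi
	# a pipeline reports only its last stage; fold tar's own status back in
	[ "$(cat "$tar_rc" 2>/dev/null)" = "0" ] || rc=1
```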
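Review bot: In the `@@ -250,13 +269,19 @@` hunk, the added help text has two typos in user-facing output: "Passows protection" should read "Password protection" and "environment varialbes" should read "environment variables". The hint `For possible ciphers, try: openssl -v` appears to rely on openssl printing its command list when given an unrecognised argument. Naming an explicit listing command would be more robust, but the right one depends on the openssl version shipped, so confirm it before changing the text.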
@@ -277,39 +305,36 @@ cmd_commit() { # mount media unles its already mounted mnt=/media/$media - [ -d $mnt ] || usage + [ -d "$mnt" ] || usage was_mounted=`grep $mnt /proc/mounts` if [ -z "$was_mounted" ]; then mount $mnt || die "failed to mount $mnt." fi + # find the outfile + outfile="$mnt/$(hostname).apkovl.tar.gz" + if [ -n "$ENCRYPTION" ]; then + outfile="$outfile.$ENCRYPTION" + fi + + # remove old config files if [ -n "$DELETEOLDCONFIGS" ] ; then - if [ -n "$DRYRUN" ] ; then - local rmfiles=$(ls "$mnt/*.apkovl.*" 2>/dev/null) - if [ -n "$rmfiles" ] ; then - echo "I would have removed:" + local rmfiles=$(ls "$mnt/"*.apkovl.tar.gz* 2>/dev/null) + if [ -n "$rmfiles" ] ; then + if [ -n "$VERBOSE" ]; then + echo "Removing old apk overlay files:" >&2 echo "$rmfiles" + echo "" >&2 fi - else - [ -n "$VERBOSE" ] && echo "Removing old config files" - rm "$mnt/*.apkovl.*" 2>/dev/null + [ -z "$DRYRUN" ] && rm "$mnt/"*.apkovl.tar.gz* fi else - lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null | wc -l ) - if [ $lines -gt 1 ] ; then + lines=$(ls -1 "$mnt"/*.apkovl.tar.gz* 2>/dev/null) + if [ -n "$lines" ] && [ "$lines" != "$outfile" ]; then # More then one apkovl, this is a security concern - die "More than one apkovl file was found. Please use -d to erase old configs." - fi - fi - - # commit files to archive - if [ "$DRYRUN" ] ; then - outfile=/dev/null - VERBOSE="-v" - else - outfile="$mnt/$(hostname).apkovl.tar.gz" - if [ -n "$ENCRYPTION" ]; then - outfile="$outfile.$ENCRYPTION" + [ -z "$was_mounted" ] && umount "$mnt" + [ -n "$VERBOSE" ] && echo "$lines" + die "Found multiple apkovl files. Please use -d to replace them all." fi fi 
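Review bot: In the `-d` branch of the `@@ -277,39 +305,36 @@` hunk, `[ -z "$DRYRUN" ] && rm "$mnt/"*.apkovl.tar.gz*` deletes the existing overlays before the new archive is produced. The packaging step and its "Problems creating archive" check appear to follow later in cmd_commit, outside this hunk. A failed tar, a mistyped password confirmation or full media would then leave the device with no overlay at all. Deferring the removal until the new file is in place and skipping that file avoids this: `for f in "$mnt/"*.apkovl.tar.gz*; do [ "$f" = "$outfile" ] || rm -f "$f"; done`. In the other branch, the `"$lines" != "$outfile"` test also fires when exactly one differently named overlay exists, for example a plaintext one when committing encrypted. Refusing in that case is the safe outcome, but the "Found multiple apkovl files" message should say so.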
@@ -320,17 +345,18 @@ cmd_commit() { die "Problems creating archive. aborting" fi - # remove obsolete file + # remove obsolete file. some older version of alpine needs this + # to be ble to upgrade if [ -z "$DRYRUN" ] && [ -f $mnt/packages.list ]; then echo "Note: Removing packages.list from $(basename $mnt)." - echo " /etc/lbu/packages.list will be used." + echo " $PACKAGES_LIST will be used." rm -f $mnt/packages.list fi # make sure data is written and unmount the media sync sleep 1 - [ -z "$was_mounted" ] && umount $mnt + [ -z "$was_mounted" ] && umount "$mnt" # move current to commited. [ "$DRYRUN" ] || mv "$CURRENT_TDB" "$COMMITED_TDB" @@ -476,9 +502,7 @@ while getopts "adehlM:nqrv" opt ; do ;; d) DELETEOLDCONFIGS="yes" ;; - e) ENCRYPTION="aes-256-cbc" #hardcoded cyper for ssl, this can be expanded - # to use different cyphers, the lbu_commit code - # does not need to be changed + e) ENCRYPTION="$DEFAULT_CIPHER" ;; h) usage_$SUBCMD ;; -- cgit v1.2.3
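Review bot: In the `@@ -320,17 +345,18 @@` hunk, the reworded comment contains a typo ("to be ble to upgrade"). I would write it as `# remove obsolete file; some older versions of Alpine need this` / `# to be able to upgrade`. The hunk quotes `umount "$mnt"`, but the surrounding `[ -f $mnt/packages.list ]`, `$(basename $mnt)` and `rm -f $mnt/packages.list` stay unquoted, and quoting them the same way would keep the block consistent. cmd_commit starts outside the hunk.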
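Review bot: In the `@@ -476,9 +502,7 @@` hunk, `e) ENCRYPTION="$DEFAULT_CIPHER"` turns `-e` into a silent no-op whenever `DEFAULT_CIPHER` is empty, for instance after `DEFAULT_CIPHER=` in the sourced config. The rest of the script treats an empty `ENCRYPTION` as "encryption off" (`[ -z "$ENCRYPTION" ] && return 0` in check_openssl), so the user asks for password protection and gets a plaintext archive with no warning. The option should fail closed: `e) ENCRYPTION="$DEFAULT_CIPHER"; [ -n "$ENCRYPTION" ] || die "no cipher configured for -e"`. The getopts loop continues outside the hunk.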