mirror of
https://github.com/Llewellynvdm/Tomb.git
synced 2025-01-22 22:48:24 +00:00
Sudo loopback improve (#435)
* small improvements to loopback setup and --sudo * support reading hostname from file also tolerate not finding the hostname (fill localhost) address #428 * cleanup and support sup,sud,pkexec
This commit is contained in:
parent
5a5eb6ddcf
commit
03c93ef976
87
tomb
87
tomb
@ -113,9 +113,35 @@ export TEXTDOMAIN=tomb
|
||||
|
||||
# Wrap sudo with a more visible message or apply user-supplied alternative to sudo
|
||||
_sudo() {
|
||||
_verbose "Enter password for user ::1 user:: to gain superuser privileges" $USER
|
||||
_verbose "Using ::1 exec:: for privilege escalation" $SUDO
|
||||
${=SUDO} ${@}
|
||||
if option_is_set --sudo; then
|
||||
pescmd=`option_value --sudo`
|
||||
case `basename $pescmd` in
|
||||
"doas"|"sup"|"sud"|"pkexec")
|
||||
command -v $pescmd > /dev/null || _failure "$pescmd executable not found"
|
||||
_verbose "Super user execution using $pescmd"
|
||||
${pescmd} ${@}
|
||||
return $?
|
||||
;;
|
||||
"skip"|"none")
|
||||
_verbose "Super user execution skipped (SUID caller)"
|
||||
${@}
|
||||
return $?
|
||||
;;
|
||||
*)
|
||||
_failure "Super user execution not supported: ::1 sudo::" "`option_value --sudo`"
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges"
|
||||
command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")"
|
||||
msg=${(S)msg//::1*::/$USER}
|
||||
sudo -p "
|
||||
$msg
|
||||
|
||||
" ${@}
|
||||
return $?
|
||||
fi
|
||||
}
|
||||
|
||||
# Cleanup anything sensitive before exiting.
|
||||
@ -557,7 +583,7 @@ is_valid_tomb() {
|
||||
|
||||
# Tomb file may be a LUKS FS (or we are creating it)
|
||||
[[ "`file $1`" =~ "luks encrypted file" ]] || {
|
||||
_warning "File is not yet a tomb: ::1 tomb file::" $1 }
|
||||
_message "File is not yet a tomb: ::1 tomb file::" $1 }
|
||||
|
||||
# We set global variables
|
||||
typeset -g TOMBPATH TOMBDIR TOMBFILE TOMBNAME TOMBMAPPER
|
||||
@ -581,8 +607,8 @@ is_valid_tomb() {
|
||||
|
||||
# checks if Tomb already mounted (or we cannot alter it)
|
||||
local maphash=`realpath $TOMBPATH | sha256sum -z`
|
||||
local nextloop=`_sudo losetup -f`
|
||||
TOMBMAPPER="tomb.$TOMBNAME.${maphash[(w)1]}.`basename $nextloop`"
|
||||
lo_mount # fills TOMBLOOP with next loop
|
||||
TOMBMAPPER="tomb.$TOMBNAME.${maphash[(w)1]}.`basename $TOMBLOOP`"
|
||||
local mounted_tombs=(`list_tomb_mounts`)
|
||||
local usedmapper
|
||||
for t in ${mounted_tombs}; do
|
||||
@ -604,7 +630,7 @@ lo_mount() {
|
||||
tpath="$1"
|
||||
|
||||
# check if we have support for loop mounting
|
||||
TOMBLOOP=`_sudo losetup -f`
|
||||
TOMBLOOP=`losetup -f`
|
||||
[[ $? = 0 ]] || {
|
||||
_warning "Loop mount of volumes is not possible on this machine, this error"
|
||||
_warning "often occurs on VPS and kernels that don't provide the loop module."
|
||||
@ -612,9 +638,14 @@ lo_mount() {
|
||||
_failure "Operation aborted."
|
||||
}
|
||||
|
||||
_sudo losetup -f "$tpath" # allocates the next loopback for our file
|
||||
[[ "$tpath" == "" ]] && return 0
|
||||
|
||||
|
||||
# allocates the next loopback for our file
|
||||
_sudo losetup -f "$tpath" || _failure "Loopback mount failed: ::1 path:: on ::2 loop::" "$tpath" $TOMBLOOP
|
||||
|
||||
TOMBLOOPDEVS+=("$TOMBLOOP") # add to array of lodevs used
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@ -702,7 +733,7 @@ usage() {
|
||||
_print " -g use a GnuPG key to encrypt a tomb key"
|
||||
_print " -r provide GnuPG recipients (separated by comma)"
|
||||
_print " -R provide GnuPG hidden recipients (separated by comma)"
|
||||
_print " --sudo alternative to sudo such as doas (command or absolute path)"
|
||||
_print " --sudo super user exec alternative to sudo (doas or none)"
|
||||
|
||||
[[ $SPHINX == 1 ]] && {
|
||||
_print " --sphx-user user associated with the key (for use with pitchforkedsphinx)"
|
||||
@ -2023,11 +2054,10 @@ lock_tomb_with_key() {
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
# TODO: check validity, only ext3 or 4 or btrfs support
|
||||
_success "Selected filesystem type $filesystem."
|
||||
}
|
||||
|
||||
lo_mount $TOMBPATH
|
||||
lo_mount "$TOMBPATH"
|
||||
|
||||
_verbose "Loop mounted on ::1 mount point::" $TOMBLOOP
|
||||
|
||||
@ -2114,7 +2144,7 @@ change_tomb_key() {
|
||||
|
||||
is_valid_tomb $tombpath
|
||||
|
||||
lo_mount $TOMBPATH
|
||||
lo_mount "$TOMBPATH"
|
||||
|
||||
_sudo cryptsetup isLuks ${TOMBLOOP}
|
||||
# is it a LUKS encrypted nest? we check one more time
|
||||
@ -2236,7 +2266,7 @@ mount_tomb() {
|
||||
_failure "Mountpoint already in use: ::1 mount point::" "$tombmount"
|
||||
done
|
||||
|
||||
lo_mount $TOMBPATH
|
||||
lo_mount "$TOMBPATH"
|
||||
|
||||
_sudo cryptsetup isLuks ${TOMBLOOP} || {
|
||||
# is it a LUKS encrypted nest? see cryptsetup(1)
|
||||
@ -2360,7 +2390,13 @@ mount_tomb() {
|
||||
_update_control_file "${tombmount}/.uid" $_UID
|
||||
_update_control_file "${tombmount}/.tty" $_TTY
|
||||
# also the hostname
|
||||
_update_control_file "${tombmount}/.host" `hostname`
|
||||
if command -v hostname >/dev/null; then
|
||||
_update_control_file "${tombmount}/.host" `hostname`
|
||||
elif [[ -r /etc/hostname ]]; then
|
||||
_update_control_file "${tombmount}/.host" $(_cat /etc/hostname)
|
||||
else
|
||||
_update_control_file "${tombmount}/.host" localhost
|
||||
fi
|
||||
# and the "last time opened" information
|
||||
# in minutes since 1970, this is printed at next open
|
||||
_update_control_file "${tombmount}/.last" `date +%s`
|
||||
@ -3255,27 +3291,8 @@ main() {
|
||||
option_is_set --tmp && TMPDIR=$(option_value --tmp)
|
||||
|
||||
option_is_set --sudo && {
|
||||
local _opt=`option_value --sudo`
|
||||
case $_opt in
|
||||
"sudo") # the worst default ever
|
||||
SUDO=sudo
|
||||
;;
|
||||
"doas") # openbsd
|
||||
SUDO=doas
|
||||
;;
|
||||
"pkexec") # policykit
|
||||
SUDO=pkexec
|
||||
;;
|
||||
"sup") # https://sup.dyne.org
|
||||
SUDO=sup
|
||||
;;
|
||||
"sud") # https://sud.dyne.org
|
||||
SUDO=sud
|
||||
;;
|
||||
*)
|
||||
_failure "Invalid privilege escalation tool: ::1 exec::" $_opt
|
||||
;;
|
||||
esac
|
||||
local _opt=`basename $(option_value --sudo)`
|
||||
_message "Privilege escalation tool configured: ::1 exec::" $_opt
|
||||
}
|
||||
|
||||
# When we run as root, we remember the original uid:gid to set
|
||||
|
Loading…
x
Reference in New Issue
Block a user