mirror of
https://github.com/Llewellynvdm/Tomb.git
synced 2024-11-22 04:25:12 +00:00
Support for sudo alternatives such as doas
This commit is contained in:
parent
ae21619d04
commit
61386ca646
@ -18,13 +18,25 @@ test_expect_success 'Testing tomb creation: dig, forge and lock' '
|
||||
if test_have_prereq SPHINX ORACLE; then
|
||||
test_export "sphinx_test"
|
||||
test_expect_success 'Testing tomb creation: dig, forge and lock (sphinx password handling)' '
|
||||
tt_dig -s 20 &&
|
||||
tt_forge --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
|
||||
print $(echo $DUMMYPASS | sphinx get $DUMMYUSER $DUMMYHOST) \
|
||||
| gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
|
||||
| hexdump -C &&
|
||||
tt_lock --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST
|
||||
'
|
||||
tt_dig -s 20 &&
|
||||
tt_forge --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST &&
|
||||
print $(echo $DUMMYPASS | sphinx get $DUMMYUSER $DUMMYHOST) \
|
||||
| gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
|
||||
| hexdump -C &&
|
||||
tt_lock --tomb-pwd $DUMMYPASS --sphx-user $DUMMYUSER --sphx-host $DUMMYHOST
|
||||
'
|
||||
fi
|
||||
|
||||
if test_have_prereq DOAS; then
|
||||
test_export "doas_test"
|
||||
test_expect_success 'Testing tomb creation: dig, forge and lock (using doas instead of sudo)' '
|
||||
tt_dig --sudo doas -s 20 &&
|
||||
tt_forge --sudo doas --tomb-pwd $DUMMYPASS &&
|
||||
print $DUMMYPASS \
|
||||
| gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
|
||||
| hexdump -C &&
|
||||
tt_lock --sudo doas --tomb-pwd $DUMMYPASS
|
||||
'
|
||||
fi
|
||||
|
||||
test_done
|
||||
|
@ -52,5 +52,12 @@ if test_have_prereq SPHINX ORACLE; then
|
||||
'
|
||||
fi
|
||||
|
||||
if test_have_prereq DOAS; then
|
||||
test_export "doas_test" # Using already generated tomb
|
||||
test_expect_success 'Testing open with good password (using doas instead of sudo)' '
|
||||
tt_open --sudo doas --tomb-pwd $DUMMYPASS &&
|
||||
tt_close
|
||||
'
|
||||
fi
|
||||
|
||||
test_done
|
||||
|
@ -3,7 +3,7 @@ FROM dyne/devuan:beowulf
|
||||
RUN echo "deb http://deb.devuan.org/merged chimaera main" >> /etc/apt/sources.list
|
||||
RUN apt-get update -y -q --allow-releaseinfo-change
|
||||
RUN apt-get install -y -q -t beowulf zsh cryptsetup gawk libgcrypt20-dev steghide qrencode python python2.7 python3-pip python3-dev libssl-dev make gcc g++ sudo gettext file bsdmainutils
|
||||
RUN apt-get install -y -q -t chimaera libsodium23 libsodium-dev
|
||||
RUN apt-get install -y -q -t chimaera libsodium23 libsodium-dev doas
|
||||
RUN pip3 install setuptools wheel
|
||||
|
||||
COPY . /Tomb/
|
||||
@ -11,6 +11,8 @@ COPY . /Tomb/
|
||||
WORKDIR /Tomb/extras
|
||||
RUN ./install_sphinx.sh
|
||||
|
||||
COPY extras/test/doas.conf /etc/doas.conf
|
||||
|
||||
WORKDIR /Tomb
|
||||
RUN make --directory=extras/kdf-keys
|
||||
RUN make --directory=extras/kdf-keys install
|
||||
|
19
extras/test/doas.conf
Normal file
19
extras/test/doas.conf
Normal file
@ -0,0 +1,19 @@
|
||||
permit nopass root cmd losetup
|
||||
permit nopass root cmd lsblk
|
||||
permit nopass root cmd mkfs.ext3
|
||||
permit nopass root cmd mkfs.ext4
|
||||
permit nopass root cmd mkfs.btrfs
|
||||
permit nopass root cmd touch
|
||||
permit nopass root cmd fsck
|
||||
permit nopass root cmd btrfs
|
||||
permit nopass root cmd tune2fs
|
||||
permit nopass root cmd mkdir
|
||||
permit nopass root cmd mount
|
||||
permit nopass root cmd rmdir
|
||||
permit nopass root cmd chown
|
||||
permit nopass root cmd umount
|
||||
permit nopass root cmd findmnd
|
||||
permit nopass root cmd e2fsck
|
||||
permit nopass root cmd resize2fs
|
||||
permit nopass root cmd lsof
|
||||
permit nopass root cmd kill
|
@ -57,6 +57,7 @@ command -v cloakify > /dev/null && test_set_prereq CLOAKIFY
|
||||
command -v decloakify > /dev/null && test_set_prereq DECLOAKIFY
|
||||
command -v sphinx > /dev/null && test_set_prereq SPHINX
|
||||
command -v oracle > /dev/null && test_set_prereq ORACLE
|
||||
command -v doas > /dev/null && test_set_prereq DOAS
|
||||
|
||||
|
||||
# GnuPG config
|
||||
|
21
tomb
21
tomb
@ -110,16 +110,20 @@ export TEXTDOMAIN=tomb
|
||||
|
||||
# {{{ Safety functions
|
||||
|
||||
# Wrap sudo with a more visible message
|
||||
# Wrap sudo with a more visible message or apply user-supplied alternative to sudo
|
||||
_sudo() {
|
||||
local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges"
|
||||
command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")"
|
||||
msg=${(S)msg//::1*::/$USER}
|
||||
sudo -p "
|
||||
if option_is_set --sudo; then
|
||||
$(option_value --sudo) ${@};
|
||||
else
|
||||
local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges"
|
||||
command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")"
|
||||
msg=${(S)msg//::1*::/$USER}
|
||||
sudo -p "
|
||||
$msg
|
||||
|
||||
" ${@}
|
||||
}
|
||||
fi
|
||||
}
|
||||
|
||||
# Cleanup anything sensitive before exiting.
|
||||
_endgame() {
|
||||
@ -287,7 +291,7 @@ _is_encrypted_block() {
|
||||
lsblk --help | grep -Fq -- --inverse
|
||||
[[ $? -eq 0 ]] && s="--inverse"
|
||||
|
||||
sudo lsblk $s -o type -n $b 2>/dev/null \
|
||||
_sudo lsblk $s -o type -n $b 2>/dev/null \
|
||||
| egrep -q '^crypt$'
|
||||
|
||||
return $?
|
||||
@ -710,6 +714,7 @@ usage() {
|
||||
_print " -g use a GnuPG key to encrypt a tomb key"
|
||||
_print " -r provide GnuPG recipients (separated by comma)"
|
||||
_print " -R provide GnuPG hidden recipients (separated by comma)"
|
||||
_print " --sudo alternative to sudo such as doas (command or absolute path)"
|
||||
|
||||
[[ $SPHINX == 1 ]] && {
|
||||
_print " --sphx-user user associated with the key (for use with pitchforkedsphinx)"
|
||||
@ -3127,7 +3132,7 @@ main() {
|
||||
# can only use the non-abbreviated long-option version like:
|
||||
# -force and NOT -f
|
||||
#
|
||||
main_opts=(q -quiet=q D -debug=D h -help=h v -version=v f -force=f -tmp: U: G: T: -no-color -unsafe g -gpgkey=g)
|
||||
main_opts=(q -quiet=q D -debug=D h -help=h v -version=v f -force=f -tmp: U: G: T: -no-color -unsafe g -gpgkey=g -sudo)
|
||||
subcommands_opts[__default]=""
|
||||
# -o in open and mount is used to pass alternate mount options
|
||||
subcommands_opts[open]="n -nohook=n k: -kdf: o: -ignore-swap -tomb-pwd: r: R: -sphx-host: -sphx-user: p -preserve-ownership=p"
|
||||
|
Loading…
Reference in New Issue
Block a user