Support for sudo alternatives such as doas
This commit is contained in:
parent
ae21619d04
commit
61386ca646
@ -27,4 +27,16 @@ if test_have_prereq SPHINX ORACLE; then
|
|||||||
'
|
'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test_have_prereq DOAS; then
|
||||||
|
test_export "doas_test"
|
||||||
|
test_expect_success 'Testing tomb creation: dig, forge and lock (using doas instead of sudo)' '
|
||||||
|
tt_dig --sudo doas -s 20 &&
|
||||||
|
tt_forge --sudo doas --tomb-pwd $DUMMYPASS &&
|
||||||
|
print $DUMMYPASS \
|
||||||
|
| gpg --batch --passphrase-fd 0 --no-tty --no-options -d $tomb_key \
|
||||||
|
| hexdump -C &&
|
||||||
|
tt_lock --sudo doas --tomb-pwd $DUMMYPASS
|
||||||
|
'
|
||||||
|
fi
|
||||||
|
|
||||||
test_done
|
test_done
|
||||||
|
@ -52,5 +52,12 @@ if test_have_prereq SPHINX ORACLE; then
|
|||||||
'
|
'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test_have_prereq DOAS; then
|
||||||
|
test_export "doas_test" # Using already generated tomb
|
||||||
|
test_expect_success 'Testing open with good password (using doas instead of sudo)' '
|
||||||
|
tt_open --sudo doas --tomb-pwd $DUMMYPASS &&
|
||||||
|
tt_close
|
||||||
|
'
|
||||||
|
fi
|
||||||
|
|
||||||
test_done
|
test_done
|
||||||
|
@ -3,7 +3,7 @@ FROM dyne/devuan:beowulf
|
|||||||
RUN echo "deb http://deb.devuan.org/merged chimaera main" >> /etc/apt/sources.list
|
RUN echo "deb http://deb.devuan.org/merged chimaera main" >> /etc/apt/sources.list
|
||||||
RUN apt-get update -y -q --allow-releaseinfo-change
|
RUN apt-get update -y -q --allow-releaseinfo-change
|
||||||
RUN apt-get install -y -q -t beowulf zsh cryptsetup gawk libgcrypt20-dev steghide qrencode python python2.7 python3-pip python3-dev libssl-dev make gcc g++ sudo gettext file bsdmainutils
|
RUN apt-get install -y -q -t beowulf zsh cryptsetup gawk libgcrypt20-dev steghide qrencode python python2.7 python3-pip python3-dev libssl-dev make gcc g++ sudo gettext file bsdmainutils
|
||||||
RUN apt-get install -y -q -t chimaera libsodium23 libsodium-dev
|
RUN apt-get install -y -q -t chimaera libsodium23 libsodium-dev doas
|
||||||
RUN pip3 install setuptools wheel
|
RUN pip3 install setuptools wheel
|
||||||
|
|
||||||
COPY . /Tomb/
|
COPY . /Tomb/
|
||||||
@ -11,6 +11,8 @@ COPY . /Tomb/
|
|||||||
WORKDIR /Tomb/extras
|
WORKDIR /Tomb/extras
|
||||||
RUN ./install_sphinx.sh
|
RUN ./install_sphinx.sh
|
||||||
|
|
||||||
|
COPY extras/test/doas.conf /etc/doas.conf
|
||||||
|
|
||||||
WORKDIR /Tomb
|
WORKDIR /Tomb
|
||||||
RUN make --directory=extras/kdf-keys
|
RUN make --directory=extras/kdf-keys
|
||||||
RUN make --directory=extras/kdf-keys install
|
RUN make --directory=extras/kdf-keys install
|
||||||
|
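Review bot: `COPY extras/test/doas.conf /etc/doas.conf` takes the file's mode from the build context, and doas refuses to run when its configuration is group- or world-writable or not owned by root, so a checkout made under a permissive umask would make every DOAS-gated test fail at run time instead of at image build. Pinning the mode in the image keeps the fixture deterministic: `COPY --chmod=0600 extras/test/doas.conf /etc/doas.conf` with BuildKit, or a following `RUN chmod 0600 /etc/doas.conf`. Root ownership is already what COPY gives by default, so only the mode needs fixing.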
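--- /dev/null
+++ b/extras/test/doas.conf
@@ -0,0 +1,19 @@
+permit nopass root cmd losetup
+permit nopass root cmd lsblk
+permit nopass root cmd mkfs.ext3
+permit nopass root cmd mkfs.ext4
+permit nopass root cmd mkfs.btrfs
+permit nopass root cmd touch
+permit nopass root cmd fsck
+permit nopass root cmd btrfs
+permit nopass root cmd tune2fs
+permit nopass root cmd mkdir
+permit nopass root cmd mount
+permit nopass root cmd rmdir
+permit nopass root cmd chown
+permit nopass root cmd umount
+permit nopass root cmd findmnd
+permit nopass root cmd e2fsck
+permit nopass root cmd resize2fs
+permit nopass root cmd lsof
+permit nopass root cmd kill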
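Review bot: `permit nopass root cmd findmnd` names a command that does not exist; it looks like a typo for util-linux `findmnt`, in which case doas denies that call and the test exercising it fails — please confirm against the command tomb actually invokes and correct the rule. Every rule grants passwordless root for a command with no `args` restriction, and doas compares `cmd` against the command string as typed rather than a verified path, so entries such as `mount`, `chown` and `kill` amount to unrestricted root; that is acceptable for a throwaway test container but the file should say so. Suggest a header so the fixture is never copied onto a real host: `# Test-container policy for Tomb's doas-based tests: passwordless root for` / `# the helpers tomb runs through _sudo. Not for use on a real system.`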
@ -57,6 +57,7 @@ command -v cloakify > /dev/null && test_set_prereq CLOAKIFY
|
|||||||
command -v decloakify > /dev/null && test_set_prereq DECLOAKIFY
|
command -v decloakify > /dev/null && test_set_prereq DECLOAKIFY
|
||||||
command -v sphinx > /dev/null && test_set_prereq SPHINX
|
command -v sphinx > /dev/null && test_set_prereq SPHINX
|
||||||
command -v oracle > /dev/null && test_set_prereq ORACLE
|
command -v oracle > /dev/null && test_set_prereq ORACLE
|
||||||
|
command -v doas > /dev/null && test_set_prereq DOAS
|
||||||
|
|
||||||
|
|
||||||
# GnuPG config
|
# GnuPG config
|
||||||
|
11
tomb
11
tomb
@ -110,8 +110,11 @@ export TEXTDOMAIN=tomb
|
|||||||
|
|
||||||
# {{{ Safety functions
|
# {{{ Safety functions
|
||||||
|
|
||||||
# Wrap sudo with a more visible message
|
# Wrap sudo with a more visible message or apply user-supplied alternative to sudo
|
||||||
_sudo() {
|
_sudo() {
|
||||||
|
if option_is_set --sudo; then
|
||||||
|
$(option_value --sudo) ${@};
|
||||||
|
else
|
||||||
local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges"
|
local msg="[sudo] Enter password for user ::1 user:: to gain superuser privileges"
|
||||||
command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")"
|
command -v gettext 1>/dev/null 2>/dev/null && msg="$(gettext -s "$msg")"
|
||||||
msg=${(S)msg//::1*::/$USER}
|
msg=${(S)msg//::1*::/$USER}
|
||||||
@ -119,6 +122,7 @@ _sudo() {
|
|||||||
$msg
|
$msg
|
||||||
|
|
||||||
" ${@}
|
" ${@}
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# Cleanup anything sensitive before exiting.
|
# Cleanup anything sensitive before exiting.
|
||||||
@ -287,7 +291,7 @@ _is_encrypted_block() {
|
|||||||
lsblk --help | grep -Fq -- --inverse
|
lsblk --help | grep -Fq -- --inverse
|
||||||
[[ $? -eq 0 ]] && s="--inverse"
|
[[ $? -eq 0 ]] && s="--inverse"
|
||||||
|
|
||||||
sudo lsblk $s -o type -n $b 2>/dev/null \
|
_sudo lsblk $s -o type -n $b 2>/dev/null \
|
||||||
| egrep -q '^crypt$'
|
| egrep -q '^crypt$'
|
||||||
|
|
||||||
return $?
|
return $?
|
||||||
@ -710,6 +714,7 @@ usage() {
|
|||||||
_print " -g use a GnuPG key to encrypt a tomb key"
|
_print " -g use a GnuPG key to encrypt a tomb key"
|
||||||
_print " -r provide GnuPG recipients (separated by comma)"
|
_print " -r provide GnuPG recipients (separated by comma)"
|
||||||
_print " -R provide GnuPG hidden recipients (separated by comma)"
|
_print " -R provide GnuPG hidden recipients (separated by comma)"
|
||||||
|
_print " --sudo alternative to sudo such as doas (command or absolute path)"
|
||||||
|
|
||||||
[[ $SPHINX == 1 ]] && {
|
[[ $SPHINX == 1 ]] && {
|
||||||
_print " --sphx-user user associated with the key (for use with pitchforkedsphinx)"
|
_print " --sphx-user user associated with the key (for use with pitchforkedsphinx)"
|
||||||
@ -3127,7 +3132,7 @@ main() {
|
|||||||
# can only use the non-abbreviated long-option version like:
|
# can only use the non-abbreviated long-option version like:
|
||||||
# -force and NOT -f
|
# -force and NOT -f
|
||||||
#
|
#
|
||||||
main_opts=(q -quiet=q D -debug=D h -help=h v -version=v f -force=f -tmp: U: G: T: -no-color -unsafe g -gpgkey=g)
|
main_opts=(q -quiet=q D -debug=D h -help=h v -version=v f -force=f -tmp: U: G: T: -no-color -unsafe g -gpgkey=g -sudo)
|
||||||
subcommands_opts[__default]=""
|
subcommands_opts[__default]=""
|
||||||
# -o in open and mount is used to pass alternate mount options
|
# -o in open and mount is used to pass alternate mount options
|
||||||
subcommands_opts[open]="n -nohook=n k: -kdf: o: -ignore-swap -tomb-pwd: r: R: -sphx-host: -sphx-user: p -preserve-ownership=p"
|
subcommands_opts[open]="n -nohook=n k: -kdf: o: -ignore-swap -tomb-pwd: r: R: -sphx-host: -sphx-user: p -preserve-ownership=p"
|
||||||
|
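Review bot: In `main_opts` the new `-sudo` entry has no trailing `:`, while every option in the same array that takes a value is spelled with one (`-tmp:`, `U:`, `G:`, `T:`); as written `--sudo` looks like a valueless flag, so `option_value --sudo` inside `_sudo()` would presumably come back empty and the `doas` in `tt_dig --sudo doas` would be left over as a positional argument — please confirm against the option parser, and if so change the entry to `-sudo:`. In the new branch of `_sudo()` the supplied command is executed without any check, so a misspelled or uninstalled helper surfaces as a bare `command not found` from the shell at the first privileged step; checking it up front with `command -v` and failing through tomb's usual fatal-error path gives a clearer message. The usage line should also note that the value is run exactly as given on the user's command line and is word-split, so an absolute path without spaces or a plain command name is expected; that is the same trust boundary as the user's own shell, so this is a documentation point rather than a privilege concern. `_sudo()` and `main()` both begin and end outside their hunks.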