mirror of
https://github.com/Llewellynvdm/Tomb.git
synced 2025-01-10 17:24:41 +00:00
fixed chown of user permissions on tombs and added optional cipher (xts-plain etc.)
This commit is contained in:
Jaromil
parent
c46596987c
commit
957e820c29
46
src/tomb
46
src/tomb
@ -35,6 +35,9 @@ MOUNTOPTS="rw,noatime,nodev"
|
|||||||
|
|
||||||
typeset -A global_opts
|
typeset -A global_opts
|
||||||
typeset -A opts
|
typeset -A opts
|
||||||
|
typeset -h username
|
||||||
|
typeset -h _uid
|
||||||
|
typeset -h _gid
|
||||||
|
|
||||||
# Set a sensible PATH
|
# Set a sensible PATH
|
||||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
@ -281,6 +284,8 @@ exec_as_user() {
|
|||||||
# }}}
|
# }}}
|
||||||
# {{{ - Escalate privileges
|
# {{{ - Escalate privileges
|
||||||
check_priv() {
|
check_priv() {
|
||||||
|
# save original user
|
||||||
|
username=$USER
|
||||||
if [ $UID != 0 ]; then
|
if [ $UID != 0 ]; then
|
||||||
xxx "Using sudo for root execution of 'tomb ${(f)OLDARGS}'"
|
xxx "Using sudo for root execution of 'tomb ${(f)OLDARGS}'"
|
||||||
# check if sudo has a timestamp active
|
# check if sudo has a timestamp active
|
||||||
@ -296,7 +301,7 @@ SETPROMPT Insert your USER password:
|
|||||||
GETPIN
|
GETPIN
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
sudo "${TOMBEXEC}" "${(@)OLDARGS}"
|
sudo "${TOMBEXEC}" "${(@)OLDARGS}" -U ${UID} -G ${GID}
|
||||||
exit $?
|
exit $?
|
||||||
fi # are we root already
|
fi # are we root already
|
||||||
return 0
|
return 0
|
||||||
@ -612,6 +617,11 @@ exec_safe_post_hooks() {
|
|||||||
|
|
||||||
create_tomb() {
|
create_tomb() {
|
||||||
_message "Commanded to create tomb $1"
|
_message "Commanded to create tomb $1"
|
||||||
|
|
||||||
|
# running as root, remembering the uid:gid
|
||||||
|
if option_is_set -U; then _uid="`option_value -U`"; fi
|
||||||
|
if option_is_set -G; then _gid="`option_value -G`"; fi
|
||||||
|
|
||||||
if ! option_is_set -f; then check_swap; fi
|
if ! option_is_set -f; then check_swap; fi
|
||||||
|
|
||||||
if ! [ $1 ]; then
|
if ! [ $1 ]; then
|
||||||
@ -619,6 +629,12 @@ create_tomb() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if ! [ $2 ]; then
|
||||||
|
create_cipher=aes-cbc-essiv
|
||||||
|
else
|
||||||
|
create_cipher=${2}
|
||||||
|
fi
|
||||||
|
|
||||||
tombfile=`basename $1`
|
tombfile=`basename $1`
|
||||||
tombdir=`dirname $1`
|
tombdir=`dirname $1`
|
||||||
# make sure the file has a .tomb extension
|
# make sure the file has a .tomb extension
|
||||||
@ -732,6 +748,8 @@ create_tomb() {
|
|||||||
-o "${tombkey}" -c -a ${keytmp}/tomb.tmp <<< ${tombpass}
|
-o "${tombkey}" -c -a ${keytmp}/tomb.tmp <<< ${tombpass}
|
||||||
|
|
||||||
unset tombpass
|
unset tombpass
|
||||||
|
chown ${_uid}:${_gid} ${tombkey}
|
||||||
|
chmod 0600 ${tombkey}
|
||||||
|
|
||||||
# if [ $? != 0 ]; then
|
# if [ $? != 0 ]; then
|
||||||
# _warning "setting password failed: gnupg returns 2"
|
# _warning "setting password failed: gnupg returns 2"
|
||||||
@ -746,14 +764,18 @@ create_tomb() {
|
|||||||
# for security, performance and compatibility
|
# for security, performance and compatibility
|
||||||
# XXX: More for compatibility then, because xts-plain is better nowadays.
|
# XXX: More for compatibility then, because xts-plain is better nowadays.
|
||||||
cryptsetup --batch-mode \
|
cryptsetup --batch-mode \
|
||||||
--cipher aes-cbc-essiv:sha256 --key-size 256 \
|
--cipher ${create_cipher}:sha256 --key-size 256 \
|
||||||
luksFormat ${nstloop} ${keytmp}/tomb.tmp
|
luksFormat ${nstloop} ${keytmp}/tomb.tmp
|
||||||
|
|
||||||
if ! [ $? = 0 ]; then
|
if ! [ $? = 0 ]; then
|
||||||
|
umount ${keytmp}
|
||||||
|
losetup -d $nstloop
|
||||||
|
rm -r $keytmp
|
||||||
|
rm ${tombdir}/${tombfile}
|
||||||
die "operation aborted." 0
|
die "operation aborted." 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cryptsetup --key-file ${keytmp}/tomb.tmp --cipher aes luksOpen ${nstloop} tomb.tmp
|
cryptsetup --key-file ${keytmp}/tomb.tmp --cipher ${create_cipher}:sha256 luksOpen ${nstloop} tomb.tmp
|
||||||
${=WIPE} ${keytmp}/tomb.tmp
|
${=WIPE} ${keytmp}/tomb.tmp
|
||||||
umount ${keytmp}
|
umount ${keytmp}
|
||||||
rm -r ${keytmp}
|
rm -r ${keytmp}
|
||||||
@ -774,11 +796,10 @@ create_tomb() {
|
|||||||
losetup -d ${nstloop}
|
losetup -d ${nstloop}
|
||||||
|
|
||||||
# set permissions on the tomb
|
# set permissions on the tomb
|
||||||
ME=${SUDO_USER:-$(whoami)}
|
chown ${_uid}:${_gid} "${tombdir}/${tombfile}"
|
||||||
chmod 0600 "${tombdir}/${tombfile}"
|
chmod 0600 "${tombdir}/${tombfile}"
|
||||||
chown $(id -u $ME):$(id -g $ME) "${tombdir}/${tombfile}"
|
|
||||||
|
|
||||||
_message "done creating $tombname encrypted storage (using Luks dm-crypt AES/SHA256)"
|
_message "done creating $tombname encrypted storage (using Luks dm-crypt ${create_cipher}:sha256)"
|
||||||
_success "Your tomb is ready in ${tombdir}/${tombfile} and secured with key ${tombkey}"
|
_success "Your tomb is ready in ${tombdir}/${tombfile} and secured with key ${tombkey}"
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -789,6 +810,7 @@ create_tomb() {
|
|||||||
# $1 = tombfile $2(optional) = mountpoint
|
# $1 = tombfile $2(optional) = mountpoint
|
||||||
mount_tomb() {
|
mount_tomb() {
|
||||||
_message "Commanded to open tomb $1"
|
_message "Commanded to open tomb $1"
|
||||||
|
|
||||||
if ! option_is_set -f; then check_swap; fi
|
if ! option_is_set -f; then check_swap; fi
|
||||||
|
|
||||||
if ! [ ${1} ]; then
|
if ! [ ${1} ]; then
|
||||||
@ -796,6 +818,10 @@ mount_tomb() {
|
|||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# running as root, remembering the uid:gid
|
||||||
|
if option_is_set -U; then _uid="`option_value -U`"; fi
|
||||||
|
if option_is_set -G; then _gid="`option_value -G`"; fi
|
||||||
|
|
||||||
# set up variables to be used
|
# set up variables to be used
|
||||||
# the full path is made with $tombdir/$tombfile
|
# the full path is made with $tombdir/$tombfile
|
||||||
|
|
||||||
@ -938,10 +964,8 @@ mount_tomb() {
|
|||||||
|
|
||||||
mount -o $MOUNTOPTS /dev/mapper/${mapper} ${tombmount}
|
mount -o $MOUNTOPTS /dev/mapper/${mapper} ${tombmount}
|
||||||
|
|
||||||
# Ensure the user can write the disk - 10x Hellekin :)
|
chown ${_uid}:${_gid} ${tombmount}
|
||||||
ME=${SUDO_USER:-$(whoami)}
|
|
||||||
chmod 0750 ${tombmount}
|
chmod 0750 ${tombmount}
|
||||||
chown $(id -u $ME):$(id -g $ME) ${tombmount}
|
|
||||||
|
|
||||||
_success "Success opening $tombfile on $tombmount"
|
_success "Success opening $tombfile on $tombmount"
|
||||||
if ! option_is_set -n ; then
|
if ! option_is_set -n ; then
|
||||||
@ -1647,7 +1671,7 @@ main() {
|
|||||||
subcommands_opts[__default]=""
|
subcommands_opts[__default]=""
|
||||||
subcommands_opts[open]="f n -nohook=n k: -key=k o: -mount-options=o"
|
subcommands_opts[open]="f n -nohook=n k: -key=k o: -mount-options=o"
|
||||||
subcommands_opts[mount]=${subcommands_opts[open]}
|
subcommands_opts[mount]=${subcommands_opts[open]}
|
||||||
subcommands_opts[create]="f s: -size=s -force k: -key=k"
|
subcommands_opts[create]="f s: -size=s -force k: -key=k U: -uid=U G: -gid=G"
|
||||||
subcommands_opts[passwd]="f"
|
subcommands_opts[passwd]="f"
|
||||||
subcommands_opts[close]=""
|
subcommands_opts[close]=""
|
||||||
subcommands_opts[help]=""
|
subcommands_opts[help]=""
|
||||||
@ -1744,7 +1768,7 @@ main() {
|
|||||||
case "$subcommand" in
|
case "$subcommand" in
|
||||||
create)
|
create)
|
||||||
check_priv
|
check_priv
|
||||||
create_tomb $PARAM[1]
|
create_tomb ${=PARAM}
|
||||||
;;
|
;;
|
||||||
mount|open)
|
mount|open)
|
||||||
check_priv
|
check_priv
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user