commit
fb5eee002b
15
doc/tomb.1
15
doc/tomb.1
@ -298,13 +298,14 @@ example:
|
|||||||
.EE
|
.EE
|
||||||
|
|
||||||
.B
|
.B
|
||||||
.IP "post-hooks"
|
.IP "exec-hooks"
|
||||||
This hook file gets executed as user by tomb right after opening it;
|
This hook file gets executed as user by tomb with the first argument
|
||||||
it should be a regular shell script, starting with a shebang. Tomb
|
determining the step of execution: "open" or "close". The exec-hooks
|
||||||
executes this hook as user (dropping root privileges) and giving it
|
file should be an executable (ELF or shell script) present inside the
|
||||||
two arguments: "$1" is "open" or "close" depending from the tomb
|
Tomb. Tomb executes this hook as user supplying two or more arguments,
|
||||||
command given, "$2" is the full path to the mountpoint where the tomb
|
the first being the step, followed by the mountpoint of the tomb and,
|
||||||
is open.
|
on close events, its name, loopback device and dev-mapper device
|
||||||
|
paths.
|
||||||
|
|
||||||
.SH PRIVILEGE ESCALATION
|
.SH PRIVILEGE ESCALATION
|
||||||
|
|
||||||
|
50
tomb
50
tomb
@ -2065,10 +2065,11 @@ mount_tomb() {
|
|||||||
|
|
||||||
|
|
||||||
# process bind-hooks (mount -o bind of directories)
|
# process bind-hooks (mount -o bind of directories)
|
||||||
# and post-hooks (execute on open)
|
# and exec-hooks (execute on open)
|
||||||
{ option_is_set -n } || {
|
option_is_set -n || {
|
||||||
exec_safe_bind_hooks ${tombmount}
|
exec_safe_bind_hooks ${tombmount}
|
||||||
exec_safe_post_hooks ${tombmount} open }
|
exec_safe_func_hooks open ${tombmount}
|
||||||
|
}
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
@ -2145,27 +2146,23 @@ exec_safe_bind_hooks() {
|
|||||||
|
|
||||||
# Execute automated actions configured in the tomb.
|
# Execute automated actions configured in the tomb.
|
||||||
#
|
#
|
||||||
# Synopsis: exec_safe_post_hooks /path/to/mounted/tomb [open|close]
|
# Synopsis: exec_safe_func_hooks /path/to/mounted/tomb
|
||||||
#
|
#
|
||||||
# If an executable file named 'post-hooks' is found inside the tomb,
|
# If an executable file named 'exec-hooks' is found inside the tomb,
|
||||||
# run it as a user. This might need a dialog for security on what is
|
# run it as a user. This might need a dialog for security on what is
|
||||||
# being run, however we expect you know well what is inside your tomb.
|
# being run, however we expect you know well what is inside your tomb.
|
||||||
# If you're mounting an untrusted tomb, be safe and use the -n switch
|
# If you're mounting an untrusted tomb, be safe and use the -n switch
|
||||||
# to verify what it would run if you let it. This feature opens the
|
# to verify what it would run if you let it. This feature opens the
|
||||||
# possibility to make encrypted executables.
|
# possibility to make encrypted executables.
|
||||||
exec_safe_post_hooks() {
|
exec_safe_func_hooks() {
|
||||||
local mnt=$1 # First argument is where the tomb is mounted
|
|
||||||
local act=$2 # Either 'open' or 'close'
|
|
||||||
|
|
||||||
# Only run if post-hooks has the executable bit set
|
# Only run if post-hooks has the executable bit set
|
||||||
[[ -x $mnt/post-hooks ]] || return
|
[[ -x $mnt/exec-hooks ]] && {
|
||||||
|
_success "Exec hook: ::1 exec hook:: ::2 action:: ::3 argument::" \
|
||||||
# If the file starts with a shebang, run it.
|
"${mnt}/exec-hooks" "$1" "$2"
|
||||||
head -n1 $mnt/post-hooks | grep '^#!\s*/'
|
$mnt/exec-hooks "$1" "$2"
|
||||||
[[ $? == 0 ]] && {
|
return $?
|
||||||
_success "Post hooks found, executing as user ::1 user name::." $USERNAME
|
|
||||||
$mnt/post-hooks $act $mnt
|
|
||||||
}
|
}
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
# }}} - Tomb open
|
# }}} - Tomb open
|
||||||
@ -2629,6 +2626,16 @@ umount_tomb() {
|
|||||||
_warning "Please specify an existing tomb."
|
_warning "Please specify an existing tomb."
|
||||||
return 0 }
|
return 0 }
|
||||||
|
|
||||||
|
option_is_set -n || {
|
||||||
|
exec_safe_func_hooks \
|
||||||
|
close "$tombmount" "$tombname" "$tombloop" "$mapper"
|
||||||
|
exec_hook_res=$?
|
||||||
|
[[ $exec_hook_res = 0 ]] || {
|
||||||
|
_warning "close exec-hook returns a non-zero error code: ::1 error::" $exec_hook_res
|
||||||
|
_failure "Operation aborted"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
[[ -n $SLAM ]] && {
|
[[ -n $SLAM ]] && {
|
||||||
_success "Slamming tomb ::1 tomb name:: mounted on ::2 mount point::" \
|
_success "Slamming tomb ::1 tomb name:: mounted on ::2 mount point::" \
|
||||||
$tombname $tombmount
|
$tombname $tombmount
|
||||||
@ -2656,10 +2663,6 @@ umount_tomb() {
|
|||||||
}
|
}
|
||||||
done
|
done
|
||||||
|
|
||||||
# Execute post-hooks for eventual cleanup
|
|
||||||
{ option_is_set -n } || {
|
|
||||||
exec_safe_post_hooks ${tombmount%%/} close }
|
|
||||||
|
|
||||||
_verbose "Performing umount of ::1 mount point::" $tombmount
|
_verbose "Performing umount of ::1 mount point::" $tombmount
|
||||||
_sudo umount ${tombmount}
|
_sudo umount ${tombmount}
|
||||||
[[ $? = 0 ]] || { _failure "Tomb is busy, cannot umount!" }
|
[[ $? = 0 ]] || { _failure "Tomb is busy, cannot umount!" }
|
||||||
@ -2676,9 +2679,10 @@ umount_tomb() {
|
|||||||
_failure "Error occurred in cryptsetup luksClose ::1 mapper::" $mapper }
|
_failure "Error occurred in cryptsetup luksClose ::1 mapper::" $mapper }
|
||||||
|
|
||||||
# Normally the loopback device is detached when unused
|
# Normally the loopback device is detached when unused
|
||||||
[[ -e "/dev/$tombloop" ]] && _sudo losetup -d "/dev/$tombloop"
|
[[ -e "/dev/$tombloop" ]] && {
|
||||||
[[ $? = 0 ]] || {
|
_sudo losetup -d "/dev/$tombloop"
|
||||||
_verbose "/dev/$tombloop was already closed." }
|
[[ $? = 0 ]] || _verbose "/dev/$tombloop was already closed."
|
||||||
|
}
|
||||||
|
|
||||||
_success "Tomb ::1 tomb name:: closed: your bones will rest in peace." $tombname
|
_success "Tomb ::1 tomb name:: closed: your bones will rest in peace." $tombname
|
||||||
|
|
||||||
|
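Review bot: In the new `exec_safe_func_hooks`, `$mnt` is no longer assigned: the `local mnt=$1` line is gone and both callers now pass the action first. Unless `mnt` is set in an enclosing scope not shown here, `[[ -x $mnt/exec-hooks ]]` tests `/exec-hooks` at the filesystem root instead of a file inside the tomb. The function also forwards only `"$1" "$2"`, so the name, loop device and mapper that `umount_tomb` passes on close never reach the hook, contrary to the updated man page. I would open the body with `local act=$1 mnt=$2` and run the hook as `"$mnt/exec-hooks" "$@"`, and update the stale `post-hooks` comment and the Synopsis line to the new argument order. Separately, in the `umount_tomb` hunk a non-zero hook exit now reaches `_failure "Operation aborted"` ahead of the `$SLAM` branch, so a failing hook stored inside the tomb appears able to keep the volume from being closed; consider warning and continuing, at least when slamming.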