mirror of
https://github.com/Llewellynvdm/Tomb.git
synced 2024-11-05 21:07:58 +00:00
Jaromil
GitHub
commit
fb5eee002b
15
doc/tomb.1
15
doc/tomb.1
@ -298,13 +298,14 @@ example:
|
||||
.EE
|
||||
|
||||
.B
|
||||
.IP "post-hooks"
|
||||
This hook file gets executed as user by tomb right after opening it;
|
||||
it should be a regular shell script, starting with a shebang. Tomb
|
||||
executes this hook as user (dropping root privileges) and giving it
|
||||
two arguments: "$1" is "open" or "close" depending from the tomb
|
||||
command given, "$2" is the full path to the mountpoint where the tomb
|
||||
is open.
|
||||
.IP "exec-hooks"
|
||||
This hook file gets executed as user by tomb with the first argument
|
||||
determining the step of execution: "open" or "close". The exec-hooks
|
||||
file should be an executable (ELF or shell script) present inside the
|
||||
Tomb. Tomb executes this hook as user supplying two or more arguments,
|
||||
the first being the step, followed by the mountpoint of the tomb and,
|
||||
on close events, its name, loopback device and dev-mapper device
|
||||
paths.
|
||||
|
||||
.SH PRIVILEGE ESCALATION
|
||||
|
||||
|
||||
50
tomb
50
tomb
@ -2065,10 +2065,11 @@ mount_tomb() {
|
||||
|
||||
|
||||
# process bind-hooks (mount -o bind of directories)
|
||||
# and post-hooks (execute on open)
|
||||
{ option_is_set -n } || {
|
||||
# and exec-hooks (execute on open)
|
||||
option_is_set -n || {
|
||||
exec_safe_bind_hooks ${tombmount}
|
||||
exec_safe_post_hooks ${tombmount} open }
|
||||
exec_safe_func_hooks open ${tombmount}
|
||||
}
|
||||
|
||||
return 0
|
||||
}
|
||||
@ -2145,27 +2146,23 @@ exec_safe_bind_hooks() {
|
||||
|
||||
# Execute automated actions configured in the tomb.
|
||||
#
|
||||
# Synopsis: exec_safe_post_hooks /path/to/mounted/tomb [open|close]
|
||||
# Synopsis: exec_safe_func_hooks /path/to/mounted/tomb
|
||||
#
|
||||
# If an executable file named 'post-hooks' is found inside the tomb,
|
||||
# If an executable file named 'exec-hooks' is found inside the tomb,
|
||||
# run it as a user. This might need a dialog for security on what is
|
||||
# being run, however we expect you know well what is inside your tomb.
|
||||
# If you're mounting an untrusted tomb, be safe and use the -n switch
|
||||
# to verify what it would run if you let it. This feature opens the
|
||||
# possibility to make encrypted executables.
|
||||
exec_safe_post_hooks() {
|
||||
local mnt=$1 # First argument is where the tomb is mounted
|
||||
local act=$2 # Either 'open' or 'close'
|
||||
|
||||
exec_safe_func_hooks() {
|
||||
# Only run if post-hooks has the executable bit set
|
||||
[[ -x $mnt/post-hooks ]] || return
|
||||
|
||||
# If the file starts with a shebang, run it.
|
||||
head -n1 $mnt/post-hooks | grep '^#!\s*/'
|
||||
[[ $? == 0 ]] && {
|
||||
_success "Post hooks found, executing as user ::1 user name::." $USERNAME
|
||||
$mnt/post-hooks $act $mnt
|
||||
[[ -x $mnt/exec-hooks ]] && {
|
||||
_success "Exec hook: ::1 exec hook:: ::2 action:: ::3 argument::" \
|
||||
"${mnt}/exec-hooks" "$1" "$2"
|
||||
$mnt/exec-hooks "$1" "$2"
|
||||
return $?
|
||||
}
|
||||
return 0
|
||||
}
|
||||
|
||||
# }}} - Tomb open
|
||||
@ -2629,6 +2626,16 @@ umount_tomb() {
|
||||
_warning "Please specify an existing tomb."
|
||||
return 0 }
|
||||
|
||||
option_is_set -n || {
|
||||
exec_safe_func_hooks \
|
||||
close "$tombmount" "$tombname" "$tombloop" "$mapper"
|
||||
exec_hook_res=$?
|
||||
[[ $exec_hook_res = 0 ]] || {
|
||||
_warning "close exec-hook returns a non-zero error code: ::1 error::" $exec_hook_res
|
||||
_failure "Operation aborted"
|
||||
}
|
||||
}
|
||||
|
||||
[[ -n $SLAM ]] && {
|
||||
_success "Slamming tomb ::1 tomb name:: mounted on ::2 mount point::" \
|
||||
$tombname $tombmount
|
||||
@ -2656,10 +2663,6 @@ umount_tomb() {
|
||||
}
|
||||
done
|
||||
|
||||
# Execute post-hooks for eventual cleanup
|
||||
{ option_is_set -n } || {
|
||||
exec_safe_post_hooks ${tombmount%%/} close }
|
||||
|
||||
_verbose "Performing umount of ::1 mount point::" $tombmount
|
||||
_sudo umount ${tombmount}
|
||||
[[ $? = 0 ]] || { _failure "Tomb is busy, cannot umount!" }
|
||||
@ -2676,9 +2679,10 @@ umount_tomb() {
|
||||
_failure "Error occurred in cryptsetup luksClose ::1 mapper::" $mapper }
|
||||
|
||||
# Normally the loopback device is detached when unused
|
||||
[[ -e "/dev/$tombloop" ]] && _sudo losetup -d "/dev/$tombloop"
|
||||
[[ $? = 0 ]] || {
|
||||
_verbose "/dev/$tombloop was already closed." }
|
||||
[[ -e "/dev/$tombloop" ]] && {
|
||||
_sudo losetup -d "/dev/$tombloop"
|
||||
[[ $? = 0 ]] || _verbose "/dev/$tombloop was already closed."
|
||||
}
|
||||
|
||||
_success "Tomb ::1 tomb name:: closed: your bones will rest in peace." $tombname
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user