mirror of
https://github.com/Llewellynvdm/Tomb.git
synced 2024-11-22 20:45:13 +00:00
1523 lines
42 KiB
Bash
Executable File
1523 lines
42 KiB
Bash
Executable File
#!/bin/zsh
|
|
#
|
|
# Tomb, the Crypto Undertaker
|
|
#
|
|
# a tool to easily operate file encryption of private and secret data
|
|
#
|
|
# {{{ Copyleft (C) 2007-2011 Denis Roio <jaromil@dyne.org>
|
|
#
|
|
# This source code is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This source code is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
# Please refer to the GNU Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Public License along with
|
|
# this source code; if not, write to:
|
|
# Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
# }}}
|
|
# {{{ GLOBAL VARIABLES
|
|
VERSION=1.2
|
|
DATE=Nov/2011
|
|
TOMBEXEC=$0
|
|
TOMBOPENEXEC="tomb-open"
|
|
typeset -a OLDARGS
|
|
for arg in ${argv}; do OLDARGS+=($arg); done
|
|
STEGHIDE=1
|
|
MKTEMP=1
|
|
MOUNTOPTS="rw,noatime,nodev"
|
|
|
|
#declare global variables
|
|
QUIET=0
|
|
DEBUG=0
|
|
typeset -A global_opts
|
|
typeset -A opts
|
|
|
|
# Set a sensible PATH
|
|
PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
|
[[ "$TOMBEXEC" =~ "^/usr/local" ]] && PATH="/usr/local/bin:/usr/local/sbin:$PATH"
|
|
|
|
# PATH=/usr/bin:/usr/sbin:/bin:/sbin
|
|
# }}}
|
|
# {{{ HELPER FUNCTIONS
|
|
# {{{ - Standard output message routines
|
|
# it's always useful to wrap them, in case we change behaviour later
|
|
notice() { if [[ $QUIET == 0 ]]; then print "$fg_bold[green][*]$fg_no_bold[white] $1" >&2; fi }
|
|
error() { if [[ $QUIET == 0 ]]; then print "$fg[red][!]$fg[white] $1" >&2; fi }
|
|
func() { if [[ $DEBUG == 1 ]]; then print "$fg[blue][D]$fg[white] $1" >&2; fi }
|
|
act() {
|
|
if [[ $QUIET == 0 ]]; then
|
|
if [ "$1" = "-n" ]; then
|
|
print -n "$fg_bold[white] . $fg_no_bold[white] $2" >&2;
|
|
else
|
|
print "$fg_bold[white] . $fg_no_bold[white] $1" >&2;
|
|
fi
|
|
fi
|
|
}
|
|
# }}}
|
|
# {{{ - CHECK BINARY DEPENDENCIES
|
|
check_bin() {
|
|
# which dd command to use
|
|
which dcfldd > /dev/null
|
|
if [ $? = 0 ]; then
|
|
DD="dcfldd"
|
|
else
|
|
DD=dd
|
|
fi
|
|
|
|
# which wipe command to use
|
|
which wipe > /dev/null
|
|
if [ $? = 0 ]; then
|
|
WIPE=(wipe -f -s)
|
|
else
|
|
WIPE=(rm -f)
|
|
fi
|
|
|
|
# check for filesystem creation progs
|
|
which mkfs.ext4 > /dev/null
|
|
if [ $? = 0 ]; then
|
|
MKFS=(mkfs.ext4 -q -F -j -L)
|
|
else
|
|
MKFS=(mkfs.ext3 -q -F -j -L)
|
|
fi
|
|
|
|
# check for sudo
|
|
which sudo > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "Cannot find sudo. Please install it"
|
|
exit 1
|
|
fi
|
|
|
|
# check for steghide
|
|
which steghide > /dev/null
|
|
if [ $? != 0 ]; then
|
|
STEGHIDE=0
|
|
fi
|
|
|
|
which cryptsetup > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "Cannot find cryptsetup. Please install it."
|
|
exit 1
|
|
fi
|
|
|
|
which pinentry > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "Cannot find pinentry. Please install it."
|
|
exit 1
|
|
fi
|
|
|
|
which mktemp > /dev/null
|
|
if [ $?! = 0 ]; then
|
|
MKTEMP=0
|
|
fi
|
|
|
|
# check for tomb-open script
|
|
if [ "$0" = "./tomb" ]; then
|
|
TOMBOPENEXEC="./tomb-open"
|
|
elif [ "$0" != "tomb" ]; then
|
|
TOMBOPENEXEC="`dirname $0`/tomb-open"
|
|
fi
|
|
}
|
|
# }}}
|
|
# {{{ - "SAFE" FUNCTIONS
|
|
# {{{ - Create a directory with caution
|
|
safe_dir() {
|
|
which mktemp &> /dev/null
|
|
if [[ $? = 0 ]]; then
|
|
mktemp -d /dev/shm/$1.$$.XXXXXXX
|
|
return
|
|
fi
|
|
dir="/dev/shm/$1.$$.$RANDOM.$RANDOM"
|
|
(umask 077 && mkdir "$dir") || print "-1"
|
|
print "$dir"
|
|
}
|
|
# }}}
|
|
# {{{ - Create a file with caution
|
|
safe_file() {
|
|
local tmpdir tmpfile
|
|
|
|
if [ "$MKTEMP" = "1" ]; then
|
|
mktemp -u /dev/shm/$1.$$.XXXXXXX
|
|
# this return needs to output ONLY the file
|
|
else
|
|
tmpfile="/dev/shm/$1.$$.$RANDOM.$RANDOM"
|
|
print $tmpfile
|
|
fi
|
|
}
|
|
# }}}
|
|
# {{{ - Check if swap is activated
|
|
check_swap() {
|
|
# Return 0 if NO swap is used, 1 if swap is used
|
|
# TODO: it should return 2 if swap is used, but encrypted
|
|
nlines=$(wc -l /proc/swaps|cut -f1 -d ' ')
|
|
if [[ $nlines -gt 1 ]]; then
|
|
r=1
|
|
else
|
|
#and return 2
|
|
r=0
|
|
fi
|
|
if [[ $1 == out ]]; then
|
|
echo $r;
|
|
fi
|
|
return $r;
|
|
}
|
|
# }}}
|
|
# {{{ - Ask user for a password
|
|
# we use pinentry now
|
|
# comes from gpg project and is much more secure
|
|
# it also conveniently uses the right toolkit
|
|
ask_password() {
|
|
|
|
# pinentry has no custom icon setting
|
|
# so we need to temporary modify the gtk theme
|
|
if [ -r /usr/local/share/themes/tomb/gtk-2.0-key/gtkrc ]; then
|
|
GTK2_RC=/usr/local/share/themes/tomb/gtk-2.0-key/gtkrc
|
|
elif [ -r /usr/share/themes/tomb/gtk-2.0-key/gtkrc ]; then
|
|
GTK2_RC=/usr/share/themes/tomb/gtk-2.0-key/gtkrc
|
|
fi
|
|
|
|
title="Insert tomb password"
|
|
if [ $2 ]; then title="$2"; fi
|
|
|
|
cat <<EOF | GTK2_RC_FILES=${GTK2_RC} pinentry 2>/dev/null | awk '/^D / { sub(/^D /, ""); print }'
|
|
OPTION ttyname=$TTY
|
|
OPTION lc-ctype=$LANG
|
|
SETTITLE $title
|
|
SETDESC $1
|
|
SETPROMPT Password:
|
|
GETPIN
|
|
EOF
|
|
|
|
}
|
|
# }}}
|
|
# {{{ - Drop privileges
|
|
exec_as_user() {
|
|
if ! [ $SUDO_USER ]; then
|
|
exec $@[@]
|
|
return $?
|
|
fi
|
|
|
|
func "exec_as_user '$SUDO_USER': ${(f)@}"
|
|
sudo -u $SUDO_USER "${@[@]}"
|
|
return $?
|
|
}
|
|
# }}}
|
|
# {{{ - Escalate privileges
|
|
check_priv() {
|
|
if [ $UID != 0 ]; then
|
|
func "Using sudo for root execution of 'tomb ${(f)OLDARGS}'"
|
|
# check if sudo has a timestamp active
|
|
sudok=false
|
|
sudo -n ${TOMBEXEC} &> /dev/null
|
|
if [ $? != 0 ]; then # if not then ask a password
|
|
cat <<EOF | pinentry 2>/dev/null | awk '/^D / { sub(/^D /, ""); print }' | sudo -S -v
|
|
OPTION ttyname=$TTY
|
|
OPTION lc-ctype=$LANG
|
|
SETTITLE Super user privileges required
|
|
SETDESC Sudo execution of Tomb ${OLDARGS[@]}
|
|
SETPROMPT Insert your USER password:
|
|
GETPIN
|
|
EOF
|
|
fi
|
|
sudo "${TOMBEXEC}" "${(@)OLDARGS}"
|
|
exit $?
|
|
fi # are we root already
|
|
return 0
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# {{{ - TOMB USAGE
|
|
usage() {
|
|
cat <<EOF
|
|
Tomb $VERSION - a strong and gentle undertaker for your secrets
|
|
|
|
Copyright (C) 2007-2011 Dyne.org Foundation, License GNU GPL v3+
|
|
This is free software: you are free to change and redistribute it
|
|
The latest Tomb sourcecode is published on <http://tomb.dyne.org>
|
|
|
|
Syntax: tomb [options] command [file] [place]
|
|
|
|
Commands:
|
|
|
|
create create a new tomb FILE and its keys
|
|
open open an existing tomb FILE on PLACE
|
|
list list all open tombs or the one called FILE
|
|
close close the open tomb called FILE (or all)
|
|
slam close tomb FILE and kill all pids using it
|
|
passwd change the password of a tomb key FILE
|
|
EOF
|
|
if [ "$STEGHIDE" = 1 ]; then
|
|
cat <<EOF
|
|
bury hide a tomb key FILE inside a jpeg PLACE
|
|
exhume extract a tomb key FILE from a jpeg PLACE
|
|
EOF
|
|
fi
|
|
cat <<EOF
|
|
|
|
Options:
|
|
|
|
-s size of the tomb file when creating one (in MB)
|
|
-k path to the key to use for opening a tomb
|
|
-n don't process the hooks found in tomb
|
|
-o mount options used to open (default: rw,noatime,nodev)
|
|
|
|
-h print this help
|
|
-v version information for this tool
|
|
-q run quietly without printing informations
|
|
-D print debugging information at runtime
|
|
|
|
For more informations on Tomb read the manual: man tomb
|
|
Please report bugs on <http://bugs.dyne.org>.
|
|
EOF
|
|
}
|
|
# }}}
|
|
# {{{ - I18N FUNCTIONS
|
|
generate_translatable_strings() {
|
|
cat <<EOF
|
|
# Tomb - The Crypto Undertaker.
|
|
# Copyright (C) 2007-2011 Dyne.org Foundation
|
|
# Denis Roio <jaromil@dyne.org>, 2011.
|
|
#
|
|
#, fuzzy
|
|
msgid ""
|
|
msgstr ""
|
|
"Project-Id-Version: Tomb $VERSION\n"
|
|
"PO-Revision-Date: `date`\n"
|
|
"Last-Translator: Denis Roio <jaromil@dyne.org>\n"
|
|
"Language-Team: Tomb developers <crypto@lists.dyne.org>\n"
|
|
"MIME-Version: 1.0\n"
|
|
"Content-Type: text/plain; charset=CHARSET\n"
|
|
"Content-Transfer-Encoding: 8bit\n"
|
|
|
|
#
|
|
#: commandline help
|
|
#
|
|
|
|
msgid ""
|
|
EOF
|
|
|
|
usage | awk '
|
|
{ print "\"" $0 "\"" }'
|
|
cat <<EOF
|
|
msgstr ""
|
|
|
|
#
|
|
# tomb internal messages
|
|
#
|
|
|
|
EOF
|
|
|
|
cat $TOMBEXEC | awk '
|
|
/notice ".*"$/ { sub( /notice/ , "");
|
|
print "#: notice"; print "msgid " $0; print "msgstr \"\"\n" }
|
|
|
|
/act ".*"$/ { sub( /act/ , "");
|
|
print "#: act"; print "msgid " $0; print "msgstr \"\"\n" }
|
|
'
|
|
}
|
|
# }}}
|
|
# {{{ - HELPERS FOR KEYS
|
|
# {{{ - Encode Key
|
|
encode_key() {
|
|
tombkey=$CMD2
|
|
imagefile=$CMD3
|
|
|
|
file $tombkey | grep PGP > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "encode failed: $tombkey is not a tomb key"
|
|
return 1
|
|
fi
|
|
file $imagefile | grep JPEG > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "encode failed: $imagefile is not a jpeg image"
|
|
return 1
|
|
fi
|
|
|
|
notice "Encoding key $tombkey inside image $imagefile"
|
|
act "please choose a password for the encoding"
|
|
|
|
# here user is prompted for key password
|
|
for c in 1 2 3; do
|
|
# 3 tries to write two times a matching password
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Steg password for ${tombkey}"`
|
|
tombpasstmp=$tombpass
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Steg password for ${tombkey} (again)"`
|
|
if [ "$tombpasstmp" = "$tombpass" ]; then
|
|
break;
|
|
fi
|
|
unset tombpasstmp
|
|
unset tombpass
|
|
done
|
|
|
|
if [ -z $tombpass ]; then
|
|
error "passwords don't match, aborting operation."
|
|
return 1
|
|
fi
|
|
|
|
awk '
|
|
/^-----/ {next}
|
|
/^Version/ {next}
|
|
{print $0}' ${tombkey} \
|
|
| steghide embed --embedfile - --coverfile ${imagefile} \
|
|
-p ${tombpass} -z 9 -e serpent cbc
|
|
if [ $? != 0 ]; then
|
|
error "encoding error: steghide reports problems"
|
|
res=1
|
|
else
|
|
notice "tomb key encoded succesfully into image ${imagefile}"
|
|
res=0
|
|
fi
|
|
|
|
unset tombpass
|
|
|
|
return $res
|
|
}
|
|
# }}}
|
|
# {{{ - Decode Key
|
|
decode_key() {
|
|
tombname=$CMD2
|
|
imagefile=$CMD3
|
|
res=1
|
|
|
|
file $imagefile | grep JPEG > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "encode failed: $imagefile is not a jpeg image"
|
|
return 1
|
|
fi
|
|
|
|
keyfile=${tombname%%\.*}.tomb.key
|
|
if [[ -e "$keyfile" ]]; then
|
|
error "Key file $keyfile already exist."
|
|
return 1
|
|
fi
|
|
notice "Trying to exhume a key out of image $imagefile"
|
|
for c in 1 2 3; do
|
|
if [ $c = 1 ]; then
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Steg password for ${keyfile}"`
|
|
else
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Steg password for $keyfile (retry $c)"`
|
|
fi
|
|
steghide extract -sf ${imagefile} -p ${tombpass} -xf - \
|
|
| awk '
|
|
BEGIN {
|
|
print "-----BEGIN PGP MESSAGE-----"
|
|
}
|
|
{ print $0 }
|
|
END {
|
|
print "-----END PGP MESSAGE-----"
|
|
}' > ${keyfile}
|
|
|
|
if [ "`cat ${keyfile} | wc -l`" != "3" ]; then
|
|
act "${keyfile} succesfully decoded"
|
|
res=0
|
|
break;
|
|
fi
|
|
done
|
|
|
|
unset tombpass
|
|
|
|
if [ $res != 0 ]; then
|
|
error "nothing found."
|
|
fi
|
|
|
|
return $res
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# {{{ - HOOK HELPERS
|
|
# {{{ - Execute Bind Hooks
|
|
exec_safe_bind_hooks() {
|
|
if [[ -n ${(k)opts[-o]} ]]; then
|
|
MOUNTOPTS=${opts[-o]}
|
|
fi
|
|
local MOUNTPOINT="${1}"
|
|
local ME=${SUDO_USER:-$(whoami)}
|
|
local HOME=$(awk -v a="$ME" -F ':' '{if ($1 == a) print $6}' /etc/passwd 2>/dev/null)
|
|
if [ $? -ne 0 ]; then
|
|
error "how pitiful! A tomb, and no HOME"
|
|
return 1
|
|
fi
|
|
if [ -z "$MOUNTPOINT" -o ! -d "$MOUNTPOINT" ]; then
|
|
error "cannot exec bind hooks without a mounted tomb."
|
|
return 1
|
|
fi
|
|
if ! [ -r "$MOUNTPOINT/bind-hooks" ]; then
|
|
func "bind-hooks not found in $MOUNTPOINT"
|
|
return 1
|
|
fi
|
|
typeset -al mounted
|
|
typeset -Al maps
|
|
maps=($(<"$MOUNTPOINT/bind-hooks"))
|
|
for dir in ${(k)maps}; do
|
|
if [ "${dir[1]}" = "/" -o "${dir[1,2]}" = ".." ]; then
|
|
error "bind-hooks map format: local/to/tomb local/to/\$HOME"
|
|
continue
|
|
fi
|
|
if [ "${${maps[$dir]}[1]}" = "/" -o "${${maps[$dir]}[1,2]}" = ".." ]; then
|
|
error "bind-hooks map format: local/to/tomb local/to/\$HOME. Rolling back"
|
|
for dir in ${mounted}; do umount $dir; done
|
|
return 1
|
|
fi
|
|
if [ ! -r "$HOME/${maps[$dir]}" ]; then
|
|
error "bind-hook target not existent, skipping $HOME/${maps[$dir]}"
|
|
elif [ ! -r "$MOUNTPOINT/$dir" ]; then
|
|
error "bind-hook source not found in tomb, skipping ${MOUNTPOINT}/${dir}"
|
|
else
|
|
mount -o bind,$MOUNTOPTS $MOUNTPOINT/$dir $HOME/${maps[$dir]}
|
|
mounted+=("$HOME/${maps[$dir]}")
|
|
fi
|
|
done
|
|
}
|
|
# }}}
|
|
# {{{ - POST-MOUNT HOOKS
|
|
exec_safe_post_hooks() {
|
|
local mnt=$1 # first argument is where the tomb is mounted
|
|
local ME=${SUDO_USER:-$(whoami)}
|
|
if ! [ -x ${mnt}/post-hooks ]; then return; fi
|
|
# if 'post-hooks' is found inside the tomb, check it: if it is an
|
|
# executable, launch it as a user this might need a dialog for
|
|
# security on what is being run, however we expect you know well
|
|
# what is inside your tomb. this feature opens the possibility to
|
|
# make encrypted executables.
|
|
cat ${mnt}/post-hooks | head -n1 | grep '^#!/'
|
|
if [ $? = 0 ]; then
|
|
act "post hooks found, executing as user $SUDO_USER"
|
|
exec_as_user ${mnt}/post-hooks $2
|
|
fi
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# }}}
|
|
# {{{ TOMB SUB-COMMANDS
|
|
# {{{ - Create
|
|
create_tomb() {
|
|
if ! option_is_set --ignore-swap && [[ `check_swap out` == 1 ]]; then
|
|
error "You have swap activated; use --ignore-swap if you want to skip this check"
|
|
act "Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk."
|
|
act "However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check"
|
|
act "You seem to be using `tail -n +2 /proc/swaps|wc -l` swaps:"
|
|
tail -n +2 /proc/swaps
|
|
exit 1
|
|
fi
|
|
if ! [ ${CMD2} ]; then
|
|
error "no tomb name specified for creation"
|
|
return 1
|
|
fi
|
|
|
|
tombfile=`basename ${CMD2}`
|
|
tombdir=`dirname ${CMD2}`
|
|
# make sure the file has a .tomb extension
|
|
tombname=${tombfile%%\.*}
|
|
tombfile=${tombname}.tomb
|
|
tombsize=$opts[-s]
|
|
|
|
if [[ $tombsize != <-> ]]; then
|
|
error "Size is not an integer"
|
|
return 1
|
|
fi
|
|
|
|
if [ -e ${tombdir}/${tombfile} ]; then
|
|
error "tomb exists already. I'm not digging here:"
|
|
ls -lh ${tombdir}/${tombfile}
|
|
return 1
|
|
fi
|
|
|
|
if option_is_set -k; then
|
|
tombkey="`option_value -k`.tomb.key"
|
|
else
|
|
tombkey="${tombdir}/${tombfile}.key"
|
|
fi
|
|
|
|
if [ -e "${tombkey}" ]; then
|
|
error "tomb key already exists. Quitting."
|
|
ls -lh ${tombkey}
|
|
return 1
|
|
fi
|
|
|
|
notice "Creating a new tomb in ${tombdir}/${tombfile}"
|
|
|
|
if [ -z $tombsize ]; then
|
|
act "No size specified, summoning the Tomb Undertaker to guide us in the creation."
|
|
"$TOMBOPENEXEC" &
|
|
wait $!
|
|
return 0
|
|
fi
|
|
|
|
tombsize_4k=`expr $tombsize \* 1024 / 4`
|
|
act "Generating ${tombfile} of ${tombsize}Mb (${tombsize_4k} blocks of 4Kb)"
|
|
$DD if=/dev/urandom bs=4k count=${tombsize_4k} of=${tombdir}/${tombfile}
|
|
|
|
if [ $? = 0 -a -e ${tombdir}/${tombfile} ]; then
|
|
act "OK: `ls -lh ${tombdir}/${tombfile}`"
|
|
else
|
|
error "Error creating the tomb ${tombdir}/${tombfile}, operation aborted."
|
|
exit 1
|
|
fi
|
|
|
|
nstloop=`losetup -f` # get the number for next loopback device
|
|
losetup -f ${tombdir}/${tombfile} # allocates the next loopback for our file
|
|
|
|
# create the keyfile in tmpfs so that we leave less traces in RAM
|
|
keytmp=`safe_dir tomb`
|
|
if [ "$keytmp" = "-1" ]; then
|
|
error "error creating temp dir"
|
|
exit 1
|
|
fi
|
|
#rm -f $keytmp
|
|
# ?????? creo, cancello e ricreo ??????
|
|
#mkdir -p $keytmp
|
|
mount tmpfs "${keytmp}" -t tmpfs -o size=1m
|
|
if [ $? != 0 ]; then
|
|
error "cannot mount tmpfs filesystem in volatile memory"
|
|
error "operation aborted."
|
|
losetup -d $nstloop
|
|
rm -r "${keytmp}"
|
|
exit 1
|
|
fi
|
|
act "Generating secret key..."
|
|
act "this operation takes time, keep using this computer on other tasks,"
|
|
act "once done you will be asked to choose a password for your tomb."
|
|
act "To make it faster you can move the mouse around"
|
|
touch ${keytmp}/tomb.tmp
|
|
chmod 0600 ${keytmp}/tomb.tmp
|
|
if [[ $DD = "dcfldd" ]]; then
|
|
$DD bs=1 count=256 if=/dev/random of=${keytmp}/tomb.tmp statusinterval=1
|
|
else
|
|
$DD bs=1 count=256 if=/dev/random of=${keytmp}/tomb.tmp
|
|
fi
|
|
if ! [ -r ${keytmp}/tomb.tmp ]; then
|
|
error "cannot generate encryption key, operation aborted."
|
|
umount ${keytmp}
|
|
losetup -d $nstloop
|
|
rm -r $keytmp
|
|
exit 1
|
|
fi
|
|
|
|
notice "Setup your secret key file ${tombkey}"
|
|
|
|
# here user is prompted for key password
|
|
for c in 1 2 3; do
|
|
# 3 tries to write two times a matching password
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname}"`
|
|
tombpasstmp=$tombpass
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Secure key for ${tombname} (again)"`
|
|
if [ "$tombpasstmp" = "$tombpass" ]; then
|
|
break;
|
|
fi
|
|
unset tombpasstmp
|
|
unset tombpass
|
|
done
|
|
|
|
if [ -z $tombpass ]; then
|
|
error "passwords don't match, aborting operation"
|
|
umount ${keytmp}
|
|
losetup -d $nstloop
|
|
rm -r $keytmp
|
|
exit 1
|
|
fi
|
|
|
|
|
|
gpg \
|
|
--openpgp --batch --no-options --no-tty --passphrase-fd 0 2>/dev/null \
|
|
-o "${tombkey}" -c -a ${keytmp}/tomb.tmp <<< ${tombpass}
|
|
|
|
# if [ $? != 0 ]; then
|
|
# error "setting password failed: gnupg returns 2"
|
|
# umount ${keytmp}
|
|
# losetup -d $nstloop
|
|
# rm -r $keytmp
|
|
# exit 1
|
|
# fi
|
|
|
|
act "formatting Luks mapped device"
|
|
# we use aes-cbc-essiv with sha256
|
|
# for security, performance and compatibility
|
|
cryptsetup --batch-mode \
|
|
--cipher aes-cbc-essiv:sha256 --key-size 256 \
|
|
luksFormat ${nstloop} ${keytmp}/tomb.tmp
|
|
|
|
if ! [ $? = 0 ]; then
|
|
act "operation aborted."
|
|
exit 0
|
|
fi
|
|
|
|
cryptsetup --key-file ${keytmp}/tomb.tmp --cipher aes luksOpen ${nstloop} tomb.tmp
|
|
${WIPE[@]} ${keytmp}/tomb.tmp
|
|
umount ${keytmp}
|
|
rm -r ${keytmp}
|
|
|
|
# cryptsetup luksDump ${nstloop}
|
|
|
|
act "formatting your Tomb with Ext3/Ext4 filesystem"
|
|
${MKFS} ${tombname} /dev/mapper/tomb.tmp
|
|
|
|
if [ $? != 0 ]; then
|
|
error "Tomb format returns error"
|
|
error "your tomb ${tombfile} maybe corrupt"
|
|
fi
|
|
|
|
sync
|
|
|
|
cryptsetup luksClose tomb.tmp
|
|
losetup -d ${nstloop}
|
|
|
|
# set permissions on the tomb
|
|
ME=${SUDO_USER:-$(whoami)}
|
|
chmod 0600 "${tombdir}/${tombfile}"
|
|
chown $(id -u $ME):$(id -g $ME) "${tombdir}/${tombfile}"
|
|
|
|
act "done creating $tombname encrypted storage (using Luks dm-crypt AES/SHA256)"
|
|
notice "Your tomb is ready in ${tombdir}/${tombfile} and secured with key ${tombkey}"
|
|
|
|
}
|
|
# }}}
|
|
# {{{ - Open
|
|
mount_tomb() {
|
|
notice "Commanded to open tomb $CMD2"
|
|
if ! option_is_set --ignore-swap && [[ `check_swap out` == 1 ]]; then
|
|
error "You have swap activated; use --ignore-swap if you want to skip this check"
|
|
act "Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk."
|
|
act "However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check"
|
|
act "You seem to be using `tail -n +2 /proc/swaps|wc -l` swaps:"
|
|
tail -n +2 /proc/swaps
|
|
exit 1
|
|
fi
|
|
if ! [ ${CMD2} ]; then
|
|
error "no tomb name specified for creation"
|
|
return 1
|
|
fi
|
|
|
|
# set up variables to be used
|
|
# the full path is made with $tombdir/$tombfile
|
|
local tombkey
|
|
local tombfile
|
|
local tombdir
|
|
local tombname
|
|
tombfile=`basename ${CMD2}`
|
|
tombdir=`dirname ${CMD2}`
|
|
# check file type (if its a Luks fs)
|
|
file ${tombdir}/${tombfile} | grep -i 'luks encrypted file' 2>&1 >/dev/null
|
|
if [ $? != 0 ]; then
|
|
error "$CMD2 is not a valid tomb file, operation aborted"
|
|
return 1
|
|
fi
|
|
tombname=${tombfile%%\.*}
|
|
func "tomb found: ${tombdir}/${tombfile}"
|
|
|
|
if option_is_set -k ; then
|
|
if [[ "`option_value -k`" == "-" ]]; then
|
|
# take key from stdin
|
|
local tombkeydir
|
|
tombkeydir=`safe_dir`
|
|
cat > ${tombkeydir}/stdin.tmp
|
|
tombkey=${tombkeydir}/stdin.tmp
|
|
else
|
|
# take key from a file
|
|
tombkey=`option_value -k`
|
|
fi
|
|
else
|
|
# guess key as lying besides the tomb
|
|
tombkey=${tombdir}/${tombfile}.key
|
|
fi
|
|
if ! [ -r ${tombkey} ]; then
|
|
error "key file not found: ${tombkey}"
|
|
error "operation aborted."
|
|
return 1
|
|
fi
|
|
|
|
if ! [ $CMD3 ]; then
|
|
tombmount=/media/${tombfile}
|
|
act "mountpoint not specified, using default: $tombmount"
|
|
elif ! [ -x $CMD3 ]; then
|
|
error "mountpoint $CMD3 doesn't exist, operation aborted."
|
|
return 1
|
|
else
|
|
tombmount=${CMD3}
|
|
fi
|
|
|
|
# check if its already open
|
|
mount -l | grep "${tombfile}.*\[$tombname\]$" 2>&1 > /dev/null
|
|
if [ $? = 0 ]; then
|
|
error "$tombname is already open on $tombmount"
|
|
act "here below its status is reported:"
|
|
list_tombs ${tombname}
|
|
return 1
|
|
fi
|
|
|
|
notice "mounting $tombfile on mountpoint $tombmount"
|
|
|
|
# we need root from here on
|
|
mkdir -p $tombmount
|
|
|
|
nstloop=`losetup -f`
|
|
if [ $? = 255 ]; then
|
|
error "too many tomb opened. Please close any of them to open another tomb"
|
|
exit 1
|
|
fi
|
|
losetup -f ${tombdir}/${tombfile}
|
|
|
|
act "check for a valid LUKS encrypted device"
|
|
cryptsetup isLuks ${nstloop}
|
|
if [ $? != 0 ]; then
|
|
# is it a LUKS encrypted nest? see cryptsetup(1)
|
|
error "$tombfile is not a valid Luks encrypted storage file"
|
|
$norm || rmdir $tombmount 2>/dev/null
|
|
return 1
|
|
fi
|
|
|
|
# save date of mount in minutes since 1970
|
|
mapdate=`date +%s`
|
|
|
|
mapper="tomb.${tombname}.${mapdate}.`basename $nstloop`"
|
|
keyname=`basename $tombkey | cut -d. -f1`
|
|
|
|
notice "Password is required for key ${keyname}"
|
|
for c in 1 2 3; do
|
|
if [ $c = 1 ]; then
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Open tomb ${keyname}"`
|
|
else
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Open tomb $keyname (retry $c)"`
|
|
fi
|
|
(gpg --batch --passphrase-fd 0 --no-tty --no-options \
|
|
-d "${tombkey}" 2> /dev/null <<< ${tombpass} ) \
|
|
| cryptsetup --key-file - luksOpen ${nstloop} ${mapper}
|
|
unset tombpass
|
|
|
|
# if key was from stdin delete temp file and dir
|
|
if [ $tombkeydir ]; then
|
|
${WIPE[@]} ${tombkey}
|
|
rmdir $tombkeydir
|
|
fi
|
|
|
|
if [ -r /dev/mapper/${mapper} ]; then
|
|
break; # password was correct
|
|
fi
|
|
done
|
|
|
|
if ! [ -r /dev/mapper/${mapper} ]; then
|
|
error "failure mounting the encrypted file"
|
|
losetup -d ${nstloop}
|
|
$norm || rmdir ${tombmount} 2>/dev/null
|
|
return 1
|
|
fi
|
|
|
|
act "encrypted storage filesystem check"
|
|
fsck -p -C0 /dev/mapper/${mapper}
|
|
func "tomb engraved as $tombname"
|
|
tune2fs -L ${tombname} /dev/mapper/${mapper} > /dev/null
|
|
|
|
mount -o $MOUNTOPTS /dev/mapper/${mapper} ${tombmount}
|
|
|
|
# Ensure the user can write the disk - 10x Hellekin :)
|
|
ME=${SUDO_USER:-$(whoami)}
|
|
chmod 0750 ${tombmount}
|
|
chown $(id -u $ME):$(id -g $ME) ${tombmount}
|
|
|
|
notice "encrypted storage $tombfile succesfully mounted on $tombmount"
|
|
if ! option_is_set -n ; then
|
|
exec_safe_bind_hooks ${tombmount}
|
|
exec_safe_post_hooks ${tombmount} open
|
|
fi
|
|
return 0
|
|
}
|
|
# }}}
|
|
# {{{ - Close
|
|
# {{{ - Slam the door
|
|
# Kill all processes using the tomb
|
|
slam_tomb() {
|
|
# $1 = tomb mount point
|
|
for s in INT TERM HUP KILL; do
|
|
fuser -s -m "$1" || return 0
|
|
fuser -s -m "$1" -k -M -$s && { option_is_set -f || sleep 3 }
|
|
done
|
|
return 1
|
|
}
|
|
# }}}
|
|
# {{{ - Unmount Tomb
|
|
umount_tomb() {
|
|
local tombs how_many_tombs
|
|
local pathmap mapper tombname tombmount loopdev
|
|
local ans pidk pname
|
|
|
|
if ! [ $1 ]; then
|
|
tombs=`find /dev/mapper -name 'tomb.*'`
|
|
how_many_tombs=`wc -w <<< "$tombs"`
|
|
if [[ "$how_many_tombs" == "0" ]]; then
|
|
error "There is no open tomb to be closed"
|
|
return 1
|
|
elif [[ "$how_many_tombs" == "1" ]]; then
|
|
#mapper=`find /dev/mapper -name 'tomb.*'`
|
|
func "closing mapper $tombs"
|
|
umount_tomb ${tombs}
|
|
return 1
|
|
else
|
|
error "Too many tombs mounted, please specify which to unmount:"
|
|
ls /dev/mapper/tomb.*
|
|
error "or issue the command 'tomb close all' to clos'em all."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
if [ "$1" = "all" ]; then
|
|
tombs=`find /dev/mapper -name 'tomb.*'`
|
|
if ! [ $tombs ]; then
|
|
notice "Tombs are all closed, cemetery is quiet."
|
|
return 0
|
|
fi
|
|
for t in ${(f)tombs}; do
|
|
umount_tomb ${t}
|
|
done
|
|
return 0
|
|
fi
|
|
|
|
# tomb close argument deduction
|
|
pathmap=`dirname "$1"`
|
|
|
|
if [ "${pathmap}" = "/dev/mapper" ]; then
|
|
mapper="$1" # argument is the mapper (or none which autofills mapper)
|
|
tombname="`print $mapper | cut -d. -f2`"
|
|
tombmount=`mount -l | \
|
|
awk -vtomb="[$tombname]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $3 } '`
|
|
elif [ "$pathmap" = "." ]; then
|
|
tombname="$1" # argument is the name
|
|
mapper=`mount -l | \
|
|
awk -vtomb="[$tombname]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $1 } '`
|
|
tombmount=`mount -l | \
|
|
awk -vtomb="[$tombname]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $3 } '`
|
|
else
|
|
tombmount="$1" # argument should be the mount
|
|
mapper=`mount | awk -vmnt="$tombmount" '/^\/dev\/mapper\/tomb/ { if($3==mnt) print $1 }'`
|
|
tombname="`print $mapper | cut -d. -f2`"
|
|
fi
|
|
|
|
# avoid block when the same tomb is mounted, take only the first
|
|
for tm in ${(f)tombmount}; do tombmount=${tm}; break; done
|
|
|
|
func "tomb close argument: $1"
|
|
func "name:\t$tombname"
|
|
func "mount:\t$tombmount"
|
|
func "mapper:\t$mapper"
|
|
|
|
if ! [ -e "$mapper" ]; then
|
|
error "Tomb not found: $1"
|
|
error "Please specify an existing tomb."
|
|
return 0
|
|
fi
|
|
|
|
if [ $SLAM ]; then
|
|
notice "Slamming tomb $tombname mounted on $tombmount"
|
|
act "Kill all processes busy inside the tomb"
|
|
slam_tomb "$tombmount"
|
|
if [[ $? == 1 ]]; then
|
|
error "Cannot slam the tomb $tombname"
|
|
return 1
|
|
fi
|
|
else
|
|
notice "Closing tomb $tombname mounted on $tombmount"
|
|
fi
|
|
|
|
# check if there are binded dirs and close them
|
|
tombmount_esc=`sed 's:\/:\\\/:g' <<< $tombmount `
|
|
unbind=`mount | awk "/^$tombmount_esc.*bind/"' { print $3 }'`
|
|
for b in ${(f)unbind}; do
|
|
hook="`basename $b`"
|
|
act "closing tomb hook: $hook"
|
|
umount $b
|
|
if [[ $? != 0 ]]; then
|
|
if [ $SLAM ]; then
|
|
notice "Slamming tomb: killing all processes using this hook"
|
|
slam_tomb "$b"
|
|
if [[ $? == 1 ]]; then
|
|
error "Cannot slam the tomb $b"
|
|
return 1
|
|
fi
|
|
umount $b
|
|
else
|
|
error "Tomb hook is busy, cannot close tomb."
|
|
return 1
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# Execute post-hooks for eventual cleanup
|
|
if ! option_is_set -n ; then
|
|
exec_safe_post_hooks ${tombmount%%/} close
|
|
fi
|
|
|
|
if [ $tombmount ]; then # tomb is actively mounted
|
|
func "performing umount of $tombmount"
|
|
umount ${tombmount}
|
|
if ! [ $? = 0 ]; then
|
|
error "Tomb is busy, cannot umount!"
|
|
else
|
|
# this means we used a "default" mount point
|
|
if [ "${tombmount}" = "/media/${tombname}.tomb" ]; then
|
|
rmdir ${tombmount}
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
cryptsetup luksClose $mapper
|
|
if ! [ $? = 0 ]; then
|
|
error "error occurred in cryptsetup luksClose ${mapper}"
|
|
return 1
|
|
fi
|
|
|
|
loopdev=`cut -d '.' -f4 <<< "$mapper"`
|
|
losetup -d "/dev/$loopdev"
|
|
|
|
# kill the status tray widget if still present
|
|
# this makes the widget disappear when closing tomb from cli
|
|
awkmapper=`sed 's:\/:\\\/:g' <<< $mapper`
|
|
statustray_pid=`ps ax | awk "/tomb-status $awkmapper/"' {print $1} '`
|
|
if [ ${statustray_pid} ]; then
|
|
kill ${statustray_pid}
|
|
fi
|
|
|
|
notice "Tomb $tombname closed: your bones will rest in peace."
|
|
return 0
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# {{{ - Change Password
|
|
# change tomb key password
|
|
change_passwd() {
|
|
if ! option_is_set --ignore-swap && [[ `check_swap out` == 1 ]]; then
|
|
error "You have swap activated; use --ignore-swap if you want to skip this check"
|
|
act "Using encryption with swap activated is very bad, because some files, or even your secret key, could be written on hard disk."
|
|
act "However, it could be that your swap is encrypted. If this is case, this is ok. Then, use --ignore-swap to skip this check"
|
|
act "You seem to be using `tail -n +2 /proc/swaps|wc -l` swaps:"
|
|
tail -n +2 /proc/swaps
|
|
return 1
|
|
fi
|
|
local keyfile="${1}"
|
|
|
|
# check the keyfile
|
|
if ! [ -r $keyfile ]; then
|
|
error "key not found: $keyfile"
|
|
return 1
|
|
fi
|
|
|
|
file $keyfile | grep PGP > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "file doesn't seems to be a tomb key: $keyfile"
|
|
error "operation aborted."
|
|
return 1
|
|
fi
|
|
|
|
local tmpnewkey tmpoldkey c tombpass tombpasstmp
|
|
|
|
tmpnewkey=`safe_file tomb`
|
|
tmpoldkey=`safe_file tomb`
|
|
|
|
notice "Changing password for $keyfile"
|
|
keyname=`basename $keyfile`
|
|
for c in 1 2 3; do
|
|
if [ $c = 1 ]; then
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type old password for ${keyname}" "Change tomb key password"`
|
|
else
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type old password for ${keyname} (retry $c)" "Change tomb key password"`
|
|
fi
|
|
gpg --batch --no-options --no-tty --passphrase-fd 0 -o "${tmpoldkey}" -d $keyfile <<< "$tombpass" &> /dev/null
|
|
if [ $? = 0 ]; then
|
|
tombpass="ok"
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ "$tombpass" != "ok" ]; then
|
|
error "You typed an Invalid old password. Operation aborted."
|
|
# /dev/null because the file cannot exists
|
|
${WIPE[@]} "${tmpnewkey}" 2> /dev/null
|
|
${WIPE[@]} "${tmpoldkey}" 2> /dev/null
|
|
return 1
|
|
fi
|
|
|
|
for c in 1 2 3; do
|
|
# 3 tries to write two times a matching password
|
|
if [ $c = 1 ]; then
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type the new password for ${keyname}" "Change tomb key password"`
|
|
else
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type the new password for ${keyname} (retry $c)" "Change tomb key password"`
|
|
fi
|
|
tombpasstmp=$tombpass
|
|
tombpass=`exec_as_user ${TOMBEXEC} askpass "Type the new password again" "Change tomb key password"`
|
|
if [ "$tombpasstmp" = "$tombpass" ]; then
|
|
break;
|
|
fi
|
|
unset tombpasstmp
|
|
unset tombpass
|
|
done
|
|
|
|
if [ -z $tombpass ]; then
|
|
error "You mistyped the new password. Operation aborted."
|
|
# /dev/null because the file cannot exists
|
|
${WIPE[@]} "${tmpnewkey}" 2> /dev/null
|
|
${WIPE[@]} "${tmpoldkey}" 2> /dev/null
|
|
return 1
|
|
fi
|
|
|
|
gpg \
|
|
--openpgp --batch --no-options --no-tty --passphrase-fd 0 \
|
|
-o "${tmpnewkey}" -c -a ${tmpoldkey} <<< ${tombpass}
|
|
|
|
if [ $? != 0 ]; then
|
|
error "Cannot change your key passphrase"
|
|
# /dev/null because the file cannot exists
|
|
${WIPE[@]} "${tmpnewkey}" 2> /dev/null
|
|
${WIPE[@]} "${tmpoldkey}" 2> /dev/null
|
|
return 1
|
|
fi
|
|
|
|
# wipe the previous, original, key
|
|
${WIPE[@]} "${keyfile}"
|
|
# copy the new key as the original keyfile name
|
|
cp "${tmpnewkey}" "${keyfile}"
|
|
|
|
act "Cleaning environment"
|
|
# wipe all temp file
|
|
${WIPE[@]} "${tmpnewkey}"
|
|
${WIPE[@]} "${tmpoldkey}"
|
|
|
|
notice "Your passphrase was successfully updated."
|
|
|
|
return 0
|
|
}
|
|
# }}}
|
|
# {{{ - List
|
|
# list all tombs mounted in a readable format
|
|
list_tombs() {
|
|
if [ $1 ]; then
|
|
# list a specific tomb
|
|
mounted_tombs=`mount -l |
|
|
awk -vtomb="[$1]" '/^\/dev\/mapper\/tomb/ { if($7==tomb) print $1 ";" $3 ";" $5 ";" $6 ";" $7 }'`
|
|
else
|
|
# list all open tombs
|
|
mounted_tombs=`mount -l |
|
|
awk '/^\/dev\/mapper\/tomb/ { print $1 ";" $3 ";" $5 ";" $6 ";" $7 }'`
|
|
fi
|
|
# 1 = full mapper path
|
|
# 2 = mountpont
|
|
# 3 = filesystem
|
|
# 4 = mount options
|
|
# 5 = name
|
|
|
|
if ! [ $mounted_tombs ]; then
|
|
if [ $1 ]; then
|
|
error "There seems to be no open tomb engraved as [${1}]"
|
|
else
|
|
error "I can't see any open tomb, may they all rest in peace."
|
|
fi
|
|
exit 1
|
|
fi
|
|
|
|
for t in ${(f)mounted_tombs}; do
|
|
mapper=`basename ${t[(ws:;:)1]}`
|
|
tombname=${t[(ws:;:)5]}
|
|
tombmount=${t[(ws:;:)2]}
|
|
tombfs=${t[(ws:;:)3]}
|
|
tombfsopts=${t[(ws:;:)4]}
|
|
|
|
# calculate tomb size
|
|
ts=`df -hP /dev/mapper/$mapper |
|
|
awk "/mapper/"' { print $2 ";" $3 ";" $4 ";" $5 }'`
|
|
tombtot=${ts[(ws:;:)1]}
|
|
tombused=${ts[(ws:;:)2]}
|
|
tombavail=${ts[(ws:;:)3]}
|
|
tombpercent=${ts[(ws:;:)4]}
|
|
tombp=${tombpercent%%%}
|
|
tombsince=`date --date=@${mapper[(ws:.:)3]} +%c`
|
|
|
|
# breaking up such strings is good for translation
|
|
print -n "$fg[green]$tombname"
|
|
print -n "$fg[white] open on "
|
|
print -n "$fg_bold[white]$tombmount"
|
|
print -n "$fg_no_bold[white] using "
|
|
print "$fg_bold[white]$tombfs $tombfsopts"
|
|
|
|
print -n "$fg_no_bold[green]$tombname"
|
|
print -n "$fg_no_bold[white] open since "
|
|
print "$fg_bold[white]$tombsince$fg_no_bold[white]"
|
|
|
|
print -n "$fg_no_bold[green]$tombname"
|
|
print -n "$fg[white] size "
|
|
print -n "$fg_bold[white]$tombtot"
|
|
print -n "$fg_no_bold[white] of which "
|
|
print -n "$fg_bold[white]$tombused"
|
|
print -n "$fg_no_bold[white] used: "
|
|
print -n "$fg_bold[white]$tombavail"
|
|
print -n "$fg_no_bold[white] free ("
|
|
print -n "$fg_bold[white]$tombpercent"
|
|
print "$fg_no_bold[white] full)"
|
|
|
|
if [[ ${tombp} -ge 90 ]]; then
|
|
print -n "$fg_no_bold[green]$tombname"
|
|
print "$fg_bold[red] Your tomb is almost full!"
|
|
fi
|
|
|
|
# now check hooks
|
|
mtomb=`sed 's:\/:\\\/:g' <<< $tombmount`
|
|
mounted_hooks=`mount | awk "/^$mtomb/"' {print $1 ";" $3}'`
|
|
for h in ${(f)mounted_hooks}; do
|
|
print -n "$fg_no_bold[green]$tombname"
|
|
print -n "$fg_no_bold[white] hooks "
|
|
print -n "$fg_bold[white]`basename ${h[(ws:;:)1]}`"
|
|
print -n "$fg_no_bold[white] on "
|
|
print "$fg_bold[white]${h[(ws:;:)2]}$fg_no_bold[white]"
|
|
done
|
|
done
|
|
}
|
|
# }}}
|
|
# {{{ - Status
|
|
launch_status() {
|
|
# calculates the correct arguments to launch tomb-status tray
|
|
# applet; it takes the tomb name as an argument and can be
|
|
# launched after a successful tomb mount.
|
|
|
|
which tomb-status > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "Cannot find tomb-status binary, operation aborted."
|
|
return 1
|
|
fi
|
|
|
|
if ! [ $DISPLAY ]; then
|
|
error "No active X display found, operation aborted."
|
|
error "Status launches a graphical tray applet, you need X running."
|
|
return 1
|
|
fi
|
|
|
|
# check argument. use single tomb mounted if no argument
|
|
# abort if more than one tomb is mounted.
|
|
if ! [ $1 ]; then
|
|
tombs=`find /dev/mapper -name 'tomb.*'`
|
|
how_many_tombs=`wc -w <<< "$tombs"`
|
|
if [[ "$how_many_tombs" == "0" ]]; then
|
|
error "There is no open tomb, status cannot be launched"
|
|
return 1
|
|
elif [[ "$how_many_tombs" == "1" ]]; then
|
|
#mapper=`find /dev/mapper -name 'tomb.*'`
|
|
tombname=`find /dev/mapper -name "tomb.*"`
|
|
tombname=`basename $tombname | cut -d. -f2`
|
|
notice "launching status for tomb $tombname"
|
|
else
|
|
error "Too many tombs mounted, please specify which one"
|
|
list_tombs
|
|
return 0
|
|
fi
|
|
else
|
|
# name was specified on command line
|
|
tombname=$1
|
|
ls /dev/mapper | grep "^tomb.${tombname}.*" > /dev/null
|
|
if [ $? != 0 ]; then
|
|
error "Cannot find any tomb named $tombname being open, operation aborted."
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
# finally we launch
|
|
tombmap=`mount -l | awk "/\[${tombname}\]$/"' { print $1 } '`
|
|
tombmount=`mount -l | awk "/\[${tombname}\]$/"' { print $3 } '`
|
|
tomb-status $tombmap $tombname $tombmount &!
|
|
return 0
|
|
}
|
|
# }}}
|
|
# {{{ - Install GUI
|
|
# install mime-types, bells and whistles for the desktop
|
|
# see http://developers.sun.com/solaris/articles/integrating_gnome.html
|
|
# and freedesktop specs
|
|
install_tomb() {
|
|
|
|
# TODO: distro package deps (for binary)
|
|
# debian: zsh, cryptsetup, sudo
|
|
act "updating mimetypes..."
|
|
cat <<EOF > /tmp/dyne-tomb.xml
|
|
<?xml version="1.0"?>
|
|
<mime-info xmlns='http://www.freedesktop.org/standards/shared-mime-info'>
|
|
<mime-type type="application/x-tomb-volume">
|
|
<comment>Tomb encrypted volume</comment>
|
|
<glob pattern="*.tomb"/>
|
|
</mime-type>
|
|
<mime-type type="application/x-tomb-key">
|
|
<comment>Tomb crypto key</comment>
|
|
<glob pattern="*.tomb.key"/>
|
|
</mime-type>
|
|
</mime-info>
|
|
EOF
|
|
xdg-mime install /tmp/dyne-tomb.xml
|
|
xdg-icon-resource install --context mimetypes --size 32 monmort.xpm monmort
|
|
xdg-icon-resource install --size 32 monmort.xpm dyne-monmort
|
|
|
|
rm /tmp/dyne-tomb.xml
|
|
|
|
act "updating desktop..."
|
|
cat <<EOF > /usr/share/applications/tomb.desktop
|
|
[Desktop Entry]
|
|
Version=1.0
|
|
Type=Application
|
|
Name=Tomb crypto undertaker
|
|
GenericName=Crypto undertaker
|
|
Comment=Keep your bones safe
|
|
Exec="${TOMBOPENEXEC}" %U
|
|
TryExec=tomb-open
|
|
Icon=monmort.xpm
|
|
Terminal=true
|
|
Categories=Utility;Security;Archiving;Filesystem;
|
|
MimeType=application/x-tomb-volume;
|
|
X-AppInstall-Package=tomb
|
|
EOF
|
|
update-desktop-database
|
|
|
|
act "updating menus..."
|
|
cat <<EOF > /etc/menu/tomb
|
|
?package(tomb):command="tomb" icon="/usr/share/pixmaps/monmort.xpm" needs="text" \
|
|
section="Applications/Accessories" title="Tomb" hints="Crypto" \
|
|
hotkey="Tomb"
|
|
EOF
|
|
update-menus
|
|
|
|
act "updating mime info..."
|
|
cat <<EOF > /usr/share/mime-info/tomb.keys
|
|
# actions for encrypted tomb storage
|
|
application/x-tomb-volume:
|
|
open="${TOMBOPENEXEC}" %f
|
|
view=tomb-open %f
|
|
icon-filename=monmort.xpm
|
|
short_list_application_ids_for_novice_user_level=tomb
|
|
EOF
|
|
cat <<EOF > /usr/share/mime-info/tomb.mime
|
|
# mime type for encrypted tomb storage
|
|
application/x-tomb-volume
|
|
ext: tomb
|
|
|
|
application/x-tomb-key
|
|
ext: tomb.key
|
|
EOF
|
|
cat <<EOF > /usr/lib/mime/packages/tomb
|
|
application/x-tomb-volume; tomb-open '%s'; priority=8
|
|
EOF
|
|
update-mime
|
|
|
|
act "updating application entry..."
|
|
|
|
cat <<EOF > /usr/share/application-registry/tomb.applications
|
|
tomb
|
|
command=tomb-open
|
|
name=Tomb - Crypto Undertaker
|
|
can_open_multiple_files=false
|
|
expects_uris=false
|
|
requires_terminal=true
|
|
mime-types=application/x-tomb-volume,application/x-tomb-key
|
|
EOF
|
|
act "Tomb is now installed."
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# {{{ OPTION PARSING
|
|
# {{{ - Check an option
|
|
option_is_set() {
|
|
#First argument, the option (something like "-s")
|
|
#Second (optional) argument: if it's "out", command will print it out 'set'/'unset'
|
|
# This is useful for if conditions
|
|
#Return 0 if is set, 1 otherwise
|
|
[[ -n ${(k)opts[$1]} ]];
|
|
r=$?
|
|
if [[ $2 == out ]]; then
|
|
if [[ $r == 0 ]]; then
|
|
echo 'set'
|
|
else
|
|
echo 'unset'
|
|
fi
|
|
fi
|
|
return $r;
|
|
}
|
|
# }}}
|
|
# {{{ - Get an option value
|
|
option_value() {
|
|
#First argument, the option (something like "-s")
|
|
<<< ${opts[$1]}
|
|
}
|
|
# }}}
|
|
# }}}
|
|
# {{{ MAIN COMMAND
|
|
main() {
|
|
local -A subcommands_opts
|
|
### Options configuration
|
|
#Hi, dear developer! Are you trying to add a new subcommand, or to add some options?
|
|
#Well, keep in mind that:
|
|
# 1. An option CAN'T have differente meanings/behaviour in different subcommands.
|
|
# For example, "-s" means "size" and accept an argument. If you are tempted to add
|
|
# an option "-s" (that means, for example "silent", and doesn't accept an argument)
|
|
# DON'T DO IT!
|
|
# There are two reasons for that:
|
|
# I. usability; user expect that "-s" is "size
|
|
# II. Option parsing WILL EXPLODE if you do this kind of bad things
|
|
# (it will say "option defined more than once, and he's right")
|
|
main_opts=(q -quiet=q D -debug=D h -help=h v -version=v -no-color)
|
|
subcommands_opts[__default]=""
|
|
subcommands_opts[open]="n -nohook=n k: -key=k o: -mount-options=o -ignore-swap"
|
|
subcommands_opts[mount]=${subcommands_opts[open]}
|
|
subcommands_opts[create]="s: -size=s -ignore-swap k: -key=k"
|
|
subcommands_opts[passwd]="-ignore-swap"
|
|
subcommands_opts[close]=""
|
|
subcommands_opts[help]=""
|
|
subcommands_opts[slam]=""
|
|
subcommands_opts[list]=""
|
|
subcommands_opts[help]=""
|
|
subcommands_opts[bury]=""
|
|
subcommands_opts[exhume]=""
|
|
subcommands_opts[decompose]=""
|
|
subcommands_opts[recompose]=""
|
|
subcommands_opts[install]=""
|
|
subcommands_opts[askpass]=""
|
|
subcommands_opts[mktemp]=""
|
|
subcommands_opts[source]=""
|
|
subcommands_opts[status]=""
|
|
### Detect subcommand
|
|
local -aU every_opts #every_opts behave like a set; that is, an array with unique elements
|
|
for optspec in $subcommands_opts$main_opts; do
|
|
for opt in ${=optspec}; do
|
|
every_opts+=${opt}
|
|
done
|
|
done
|
|
local -a oldstar
|
|
oldstar=($argv)
|
|
zparseopts -M -E -D -Adiscardme ${every_opts}
|
|
unset discardme
|
|
subcommand=$1
|
|
if [[ -z $subcommand ]]; then
|
|
subcommand="__default"
|
|
fi
|
|
if [[ -z ${(k)subcommands_opts[$subcommand]} ]]; then #there's no such subcommand
|
|
error "Subcommand '$subcommand' doesn't exist"
|
|
exit 127
|
|
fi
|
|
argv=(${oldstar})
|
|
unset oldstar
|
|
|
|
### Parsing global + command-specific options
|
|
# zsh magic: ${=string} will split to multiple arguments when spaces occur
|
|
set -A cmd_opts ${main_opts} ${=subcommands_opts[$subcommand]}
|
|
# if there is no option, we don't need parsing
|
|
if [[ -n $cmd_opts ]]; then
|
|
zparseopts -M -E -D -Aopts ${cmd_opts}
|
|
if [[ $? != 0 ]]; then
|
|
error "Some error occurred during option processing. See \"tomb help\" for more info"
|
|
exit 127
|
|
fi
|
|
fi
|
|
#build PARAM (array of arguments) and check if there are unrecognized options
|
|
ok=0
|
|
PARAM=()
|
|
for arg in $*; do
|
|
if [[ $arg == '--' || $arg == '-' ]]; then
|
|
ok=1
|
|
continue #it shouldnt be appended to PARAM
|
|
elif [[ $arg[1] == '-' ]]; then
|
|
if [[ $ok == 0 ]]; then
|
|
error "unrecognized option $arg"
|
|
exit 127
|
|
fi
|
|
fi
|
|
PARAM+=$arg
|
|
done
|
|
#first parameter actually is the subcommand: delete it and shift
|
|
if [[ $subcommand != '__default' ]]; then
|
|
PARAM[1]=()
|
|
shift
|
|
fi
|
|
### End parsing command-specific options
|
|
|
|
if ! option_is_set --no-color; then
|
|
autoload colors; colors
|
|
fi
|
|
|
|
### Set global options (useless, but for code retro-compatibility)
|
|
for opt in ${(k)global_opts}; do
|
|
if [[ $opt == '-q' ]]; then
|
|
QUIET=1
|
|
elif [[ $opt == '-D' ]]; then
|
|
DEBUG=1
|
|
fi
|
|
done
|
|
|
|
CMD=$subcommand
|
|
CMD2=$PARAM[1]
|
|
CMD3=$PARAM[2]
|
|
|
|
func "Tomb command: $CMD $CMD2 $CMD3"
|
|
|
|
case "$subcommand" in
|
|
create)
|
|
check_priv
|
|
create_tomb
|
|
;;
|
|
mount|open)
|
|
check_priv
|
|
mount_tomb
|
|
;;
|
|
umount|close|slam)
|
|
check_priv
|
|
[ "$subcommand" = "slam" ] && SLAM=1
|
|
umount_tomb ${CMD2}
|
|
;;
|
|
passwd)
|
|
check_priv
|
|
change_passwd ${CMD2}
|
|
;;
|
|
list)
|
|
list_tombs ${CMD2}
|
|
;;
|
|
status)
|
|
launch_status ${CMD2}
|
|
;;
|
|
help)
|
|
usage
|
|
;;
|
|
bury)
|
|
if [ "$STEGHIDE" = 0 ]; then
|
|
error "steghide not installed. Cannot bury your key"
|
|
return 1
|
|
fi
|
|
encode_key ${CMD2} ${CMD3}
|
|
;;
|
|
exhume)
|
|
if [ "$STEGHIDE" = 0 ]; then
|
|
error "steghide not installed. Cannot exhume your key"
|
|
return 1
|
|
fi
|
|
decode_key ${CMD2}
|
|
;;
|
|
# internal commands useful to developers
|
|
'source') return 0 ;;
|
|
install) check_priv ; install_tomb ;;
|
|
askpass) ask_password ${CMD2} ${CMD3} ;;
|
|
mktemp) safe_dir ${CMD2} ;;
|
|
translate) generate_translatable_strings ;;
|
|
__default)
|
|
if option_is_set -v; then
|
|
echo Tomb - $VERSION
|
|
else
|
|
usage
|
|
fi
|
|
;;
|
|
*)
|
|
error "command \"$CMD\" not recognized"
|
|
act "try -h for help"
|
|
return 1
|
|
;;
|
|
esac
|
|
return $?
|
|
}
|
|
# }}}
|
|
# {{{ RUNTIME
|
|
check_bin
|
|
main $@
|
|
if [[ $? != 0 ]]; then #this "if" seems useless, but avoid source tomb source from exiting
|
|
exit $?
|
|
fi
|
|
# }}}
|