free
/
freedombone
Seguir 1
Destacar 0
Cuchillo 0
Código Incidencias 0 Peticiones pull 0 Lanzamientos 0 Wiki Activity
Explorar el Código

Fixing gpg backups

Bob Mottram hace 7 años
padre
b277b5e570
commit
0aee39ae8a
Se han modificado 3 ficheros con 45 adiciones y 16 borrados
Dividir vista Mostrar estadísticas de diff
  1. 1
    1
      src/freedombone-adduser
  2. 7
    2
      src/freedombone-base-email
  3. 37
    13
      src/freedombone-utils-backup

+ 1
- 1
src/freedombone-adduser Ver fichero 

@@ -143,7 +143,7 @@ echo 'Subkey-Length: 4096' >> /home/$ADD_USERNAME/gpg-genkey.conf
143 143 
 echo "Name-Real:  $ADD_USERNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
144 144 
 echo "Name-Email: $ADD_USERNAME@$HOSTNAME" >> /home/$ADD_USERNAME/gpg-genkey.conf
145 145 
 echo 'Expire-Date: 0' >> /home/$ADD_USERNAME/gpg-genkey.conf
146 
-echo "Passphrase: ''" >> /home/$ADD_USERNAME/gpg-genkey.conf
146 
+echo "Passphrase: $NEW_USER_PASSWORD" >> /home/$ADD_USERNAME/gpg-genkey.conf
147 147 
 chown $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/gpg-genkey.conf
148 148 
 su -m root -c "gpg --homedir /home/$ADD_USERNAME/.gnupg --batch --full-gen-key /home/$ADD_USERNAME/gpg-genkey.conf" - $ADD_USERNAME
149 149 
 chown -R $ADD_USERNAME:$ADD_USERNAME /home/$ADD_USERNAME/.gnupg

+ 7
- 2
src/freedombone-base-email Ver fichero 

@@ -1480,6 +1480,7 @@ function configure_imap_client_certs {
1480 1480 
 }
1481 1481
1482 1482 
 function create_gpg_subkey {
1483 
+    # Note: currently not used
1483 1484 
     if [ ! -d /etc/exim4 ]; then
1484 1485 
         return
1485 1486 
     fi
 
@@ -1508,7 +1509,7 @@ function create_gpg_subkey {
1508 1509 
     echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
1509 1510 
     echo "Name-Comment: $GPG_KEY_USAGE" >> /home/$MY_USERNAME/gpg-genkey.conf
1510 1511 
     echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
1511 
-    echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
1512 
+    echo "Passphrase: $PROJECT_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
1512 1513 
     chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
1513 1514 
     su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
1514 1515 
     chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
 
@@ -1624,7 +1625,11 @@ function configure_gpg {
1624 1625 
         echo "Name-Real:  $MY_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
1625 1626 
         echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
1626 1627 
         echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
1627 
-        echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
1628 
+        if [ -f $IMAGE_PASSWORD_FILE ]; then
1629 
+            echo "Passphrase: $(printf `cat $IMAGE_PASSWORD_FILE`)" >> /home/$MY_USERNAME/gpg-genkey.conf
1630 
+        else
1631 
+            echo "Passphrase: $PROJECT_NAME" >> /home/$MY_USERNAME/gpg-genkey.conf
1632 
+        fi
1628 1633 
         chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
1629 1634 
         echo $'Generating a new GPG key'
1630 1635 
         su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME

+ 37
- 13
src/freedombone-utils-backup Ver fichero 

@@ -31,6 +31,9 @@
31 31 
 # whether a given site is being suspended during backup
32 32 
 SUSPENDED_SITE=
33 33
34 
+# Dummy password used for the backup key
35 
+BACKUP_DUMMY_PASSWORD='backup'
36 
+
34 37 
 function suspend_site {
35 38 
     # suspends a given website
36 39 
     SUSPENDED_SITE="$1"
 
@@ -48,6 +51,22 @@ function restart_site {
48 51 
     SUSPENDED_SITE=
49 52 
 }
50 53
54 
+function backup_create_password {
55 
+    BACKUP_PASSWORD_FILE=$(mktemp /tmp/fileXXXXX)
56 
+    # Note: this doesn't need to be secure, it's just a way of
57 
+    # getting around the forced interactivity of the gpg agent
58 
+    echo -n "$BACKUP_DUMMY_PASSWORD" > $BACKUP_PASSWORD_FILE
59 
+}
60 
+
61 
+function backup_remove_password {
62 
+    if [ ! $BACKUP_PASSWORD_FILE ]; then
63 
+        return
64 
+    fi
65 
+    if [ -f $BACKUP_PASSWORD_FILE ]; then
66 
+        shred -zu $BACKUP_PASSWORD_FILE
67 
+    fi
68 
+}
69 
+
51 70 
 function configure_backup_key {
52 71 
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
53 72 
         return
 
@@ -59,6 +78,8 @@ function configure_backup_key {
59 78 
         return
60 79 
     fi
61 80
81 
+    backup_create_password
82 
+
62 83 
     # Generate a GPG key for backups
63 84 
     BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
64 85 
     if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
 
@@ -70,16 +91,16 @@ function configure_backup_key {
70 91 
         echo "Name-Email: $MY_EMAIL_ADDRESS" >> /home/$MY_USERNAME/gpg-genkey.conf
71 92 
         echo "Name-Comment: backup key" >> /home/$MY_USERNAME/gpg-genkey.conf
72 93 
         echo 'Expire-Date: 0' >> /home/$MY_USERNAME/gpg-genkey.conf
73 
-        echo "Passphrase: ''" >> /home/$MY_USERNAME/gpg-genkey.conf
74 94 
         chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/gpg-genkey.conf
75 95 
         echo $'Backup key does not exist. Creating it.'
76 
-        su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
96 
+        su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --passphrase-fd $BACKUP_PASSWORD_FILE --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - $MY_USERNAME
77 97 
         chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
78 98
79 99 
         shred -zu /home/$MY_USERNAME/gpg-genkey.conf
80 100 
         echo $'Checking that the Backup key was created'
81 101 
         BACKUP_KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_NAME (backup key)")
82 102 
         if [[ $BACKUP_KEY_EXISTS == "no" ]]; then
103 
+            backup_remove_password
83 104 
             echo $'Backup key could not be created'
84 105 
             exit 43382
85 106 
         fi
 
@@ -89,12 +110,14 @@ function configure_backup_key {
89 110 
     echo "Backup key: $MY_BACKUP_KEY_ID"
90 111 
     MY_BACKUP_KEY=/home/$MY_USERNAME/backup_key
91 112 
     su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_public.asc --armor --export $MY_BACKUP_KEY_ID" - $MY_USERNAME
92 
-    su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
113 
+    su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --output ${MY_BACKUP_KEY}_private.asc --armor --passphrase-fd $BACKUP_PASSWORD_FILE --export-secret-key $MY_BACKUP_KEY_ID" - $MY_USERNAME
93 114 
     if [ ! -f ${MY_BACKUP_KEY}_public.asc ]; then
115 
+        backup_remove_password
94 116 
         echo 'Public backup key could not be exported'
95 117 
         exit 36829
96 118 
     fi
97 119 
     if [ ! -f ${MY_BACKUP_KEY}_private.asc ]; then
120 
+        backup_remove_password
98 121 
         echo 'Private backup key could not be exported'
99 122 
         exit 29235
100 123 
     fi
 
@@ -105,6 +128,7 @@ function configure_backup_key {
105 128
106 129 
     shred -zu ${MY_BACKUP_KEY}_public.asc
107 130 
     shred -zu ${MY_BACKUP_KEY}_private.asc
131 
+    backup_remove_password
108 132
109 133 
     mark_completed $FUNCNAME
110 134 
 }
 
@@ -258,10 +282,10 @@ function backup_directory_to_usb {
258 282 
             mkdir -p $USB_MOUNT/backup/${2}
259 283 
         fi
260 284 
         set_obnam_client_name
261 
-        obnam force-lock -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
262 
-        obnam backup -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
285 
+        echo "$BACKUP_DUMMY_PASSWORD" | obnam force-lock -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
286 
+        echo "$BACKUP_DUMMY_PASSWORD" | obnam backup -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
263 287 
         if [[ $ENABLE_BACKUP_VERIFICATION == "yes" ]]; then
264 
-            obnam verify -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
288 
+            echo "$BACKUP_DUMMY_PASSWORD" | obnam verify -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID ${1}
265 289 
             if [ ! "$?" = "0" ]; then
266 290 
                 umount $USB_MOUNT
267 291 
                 rm -rf $USB_MOUNT
 
@@ -274,7 +298,7 @@ function backup_directory_to_usb {
274 298 
                 exit 683252
275 299 
             fi
276 300 
         fi
277 
-        obnam forget --keep=30d -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID
301 
+        echo "$BACKUP_DUMMY_PASSWORD" | obnam forget --keep=30d -r $USB_MOUNT/backup/${2} --encrypt-with $MY_BACKUP_KEY_ID
278 302 
         if [ ! "$?" = "0" ]; then
279 303 
             umount $USB_MOUNT
280 304 
             rm -rf $USB_MOUNT
 
@@ -308,7 +332,7 @@ function restore_directory_from_usb {
308 332 
         mkdir ${1}
309 333 
     fi
310 334 
     set_obnam_client_name
311 
-    obnam restore -r $USB_MOUNT/backup/${2} --to ${1}
335 
+    echo "$BACKUP_DUMMY_PASSWORD" | obnam restore -r $USB_MOUNT/backup/${2} --to ${1}
312 336 
 }
313 337
314 338 
 function restore_directory_from_friend {
 
@@ -326,7 +350,7 @@ function restore_directory_from_friend {
326 350 
         mkdir ${1}
327 351 
     fi
328 352 
     set_obnam_client_name
329 
-    obnam restore -r $SERVER_DIRECTORY/backup/${2} --to ${1}
353 
+    echo "$BACKUP_DUMMY_PASSWORD" | obnam restore -r $SERVER_DIRECTORY/backup/${2} --to ${1}
330 354 
 }
331 355
332 356 
 function backup_database_to_usb {
 
@@ -365,10 +389,10 @@ function backup_directory_to_friend {
365 389 
         mkdir -p $SERVER_DIRECTORY/backup/${2}
366 390 
     fi
367 391 
     set_obnam_client_name
368 
-    obnam force-lock -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
369 
-    obnam backup -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
392 
+    echo "$BACKUP_DUMMY_PASSWORD" | obnam force-lock -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
393 
+    echo "$BACKUP_DUMMY_PASSWORD" | obnam backup -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
370 394 
     if [[ $ENABLE_VERIFICATION == "yes" ]]; then
371 
-        obnam verify -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
395 
+        echo "$BACKUP_DUMMY_PASSWORD" | obnam verify -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID} ${1}
372 396 
         if [ ! "$?" = "0" ]; then
373 397 
             if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
374 398 
                 shred -zu /root/temp${2}/*
 
@@ -381,7 +405,7 @@ function backup_directory_to_friend {
381 405 
             exit 953
382 406 
         fi
383 407 
     fi
384 
-    obnam forget --keep=30d -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID}
408 
+    echo "$BACKUP_DUMMY_PASSWORD" | obnam forget --keep=30d -r $SERVER_DIRECTORY/backup/${2} --encrypt-with ${ADMIN_BACKUP_KEY_ID}
385 409 
     if [ ! "$?" = "0" ]; then
386 410 
         if [[ ${1} == "/root/temp"* || ${1} == *"tempbackup" ]]; then
387 411 
             shred -zu /root/temp${2}/*