killallthehumansd
#!/usr/bin/env perl
#
# notes:
# gpg --passphrase-file only reads the first line so we xor the keyfile with 0x0a to remove newlines
use warnings;
use strict;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use POE qw/Wheel::FollowTail/;
# Paths and state shared by every sub below.  They are file-scoped
# lexicals, so the subs close over them rather than taking arguments.
my $killdir          = '/etc/killallthehumans';   # config dir that holds the gpg key
my $gpgkey           = "$killdir/humans.key";     # passphrase file handed to gpg -c / -d
my $ramfs            = '/mnt/ramfs';              # ramfs mount; receives the decrypted copy
my $mntpoint         = '/mnt/shadow';             # where /dev/<dev> gets mounted
my $shadow           = "$mntpoint/shadow.gpg";    # encrypted shadow on the mounted device
my $shadow_decrypted = "$ramfs/shadow";           # decrypted copy written by gpg -d
my $shadow_original  = '/etc/shadow';             # replaced by a symlink during setup
my $file             = '/var/log/syslog';         # log that is tailed for device names
my $setup            = 'FALSE';                   # set to 'TRUE' after do_setup has run
# the same handler serves both termination signals
$SIG{INT} = $SIG{TERM} = \&_cleanup;
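# Wipe the decrypted shadow from the ramfs and tear down both mounts that
# do_mounts creates.  The original only unmounted $ramfs, so every device
# insertion stacked a fresh mount of /dev/<dev> on top of $mntpoint.
# Errors are reported but not fatal: either mount may legitimately be
# absent (first run, device already pulled).
sub do_cleanup {
    # Shred only when the file exists instead of hiding errors with a shell
    # redirect: the original's "&> /dev/null" is a bash-ism, and the /bin/sh
    # that a one-string system() uses parses "&" as "run in background".
    if (-e $shadow_decrypted) {
        system('shred', '-u', '-n', '1', $shadow_decrypted) == 0
            or warn "shred $shadow_decrypted failed: exit " . ($? >> 8) . "\n";
    }
    # unmount the ramfs first (it held the plaintext), then the device
    for my $mnt ($ramfs, $mntpoint) {
        system('umount', $mnt) == 0
            or warn "umount $mnt failed: exit " . ($? >> 8) . "\n";
    }
    return;
}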
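# Mount the ramfs that will hold the decrypted shadow and the partition
# /dev/$dev that carries the encrypted one.
#
# $dev is the partition name captured from syslog by got_line.  The
# original read a lexical $dev that is only declared inside got_line, so
# it could not compile under strict; the name is now passed explicitly.
# It is re-validated here (defence in depth, and because "&do_mounts;"
# from an old caller would forward POE's arguments) and handed to mount in
# list form so no shell ever sees it.
#
# Returns true if both mounts succeeded, false otherwise.
sub do_mounts {
    my ($dev) = @_;
    if (!defined $dev or $dev !~ /\A sd[a-z][0-9]+ \z/xms) {
        warn "do_mounts: refusing to mount an invalid device name\n";
        return 0;
    }
    my $ok = 1;
    if (system('mount', '-t', 'ramfs', '-o', 'size=1m', 'ramfs', $ramfs) != 0) {
        warn "mount ramfs on $ramfs failed: exit " . ($? >> 8) . "\n";
        $ok = 0;
    }
    if (system('mount', '-t', 'auto', "/dev/$dev", $mntpoint) != 0) {
        warn "mount /dev/$dev on $mntpoint failed: exit " . ($? >> 8) . "\n";
        $ok = 0;
    }
    return $ok;
}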
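# One-time initialisation, run by got_line on the first device it sees:
# create the directories and the gpg key file, then — if $shadow_original
# is not yet a symlink — mount the device, encrypt the shadow file onto it,
# shred the plaintext original and replace it with a symlink.
#
# $dev is the partition name captured from syslog (only forwarded to
# do_mounts).  $setup is switched to "TRUE" only when every step
# succeeded, so a failed attempt is retried on the next matching line
# instead of being skipped forever.
sub do_setup {
    my ($dev) = @_;
    # make sure directories exist (the original lacked the semicolons here)
    for my $dir ($ramfs, $mntpoint, $killdir) {
        next if -d $dir;
        if (!mkdir $dir) {
            warn "mkdir $dir: $!\n";
            return;
        }
    }
    # create keyfile if it does not exist (format: see _write_keyfile)
    if (!-f $gpgkey) {
        _write_keyfile($gpgkey) or return;
    }
    # check if shadow file is a symlink, and if not:
    ## set up mounts
    ## encrypt shadow file to $shadow
    ## shred original shadow file
    ## create symlink to $shadow
    if (!-l $shadow_original) {
        do_mounts($dev);
        # gpg accepts the input as a file argument, so the list form of
        # system() works and no shell redirect is needed
        my $rc = system('gpg', '-c', '-q', '--batch', '--cipher-algo', 'AES256',
                        '-o', $shadow, '--passphrase-file', $gpgkey,
                        $shadow_original);
        # Never destroy the only copy of the shadow file unless the
        # ciphertext really exists: a failed encrypt would otherwise lock
        # every account out of the machine.
        if ($rc != 0 or !-s $shadow) {
            warn "gpg -c of $shadow_original failed (exit " . ($? >> 8)
               . "); original left untouched\n";
            return;
        }
        # The original shredded $shadow_decrypted here, which does not
        # exist yet; the step described above — and the symlink that
        # follows, which needs the path free — is to shred the original.
        if (system('shred', '-u', '-n', '1', $shadow_original) != 0) {
            warn "shred $shadow_original failed: exit " . ($? >> 8) . "\n";
            return;
        }
        # NOTE(review): the link target is the encrypted blob $shadow, while
        # got_line decrypts into $shadow_decrypted — confirm which of the two
        # $shadow_original is meant to resolve to.
        if (!symlink $shadow, $shadow_original) {
            warn "symlink $shadow_original -> $shadow: $!\n";
            return;
        }
    }
    # switch setup flag to TRUE
    $setup = "TRUE";
    return;
}

# Create the gpg passphrase file at $path from 64 bytes of /dev/urandom.
#
# gpg --passphrase-file reads only the first line.  The original tried to
# keep newlines out by XOR-ing each byte with 0x0a, but "$_ ^ 0x0a" with a
# numeric right-hand side is a *numeric* XOR in Perl, which turns every
# non-digit byte into the string "10" and destroys almost all of the
# entropy; and even a correct byte-wise XOR would merely turn 0x00 bytes
# into newlines.  The key is therefore stored hex-encoded: every byte
# becomes two [0-9a-f] characters, so neither a newline nor a NUL can ever
# truncate the passphrase, and the 64 random bytes are kept in full.
#
# The file is created with O_EXCL and mode 0400 so that it is never
# written through a pre-planted symlink and is unreadable to other users
# from the first byte on; no temporary file is needed, so nothing has to
# be shredded afterwards.  Returns 1 on success, 0 (after a warning) on
# any failure.
sub _write_keyfile {
    my ($path) = @_;
    open my $rand_fh, '<:raw', '/dev/urandom' or do {
        warn "open /dev/urandom: $!\n";
        return 0;
    };
    my $raw = '';
    my $got = read $rand_fh, $raw, 64;
    close $rand_fh;
    if (!defined $got or $got != 64) {
        warn "short read from /dev/urandom\n";
        return 0;
    }
    my $key_fh;
    if (!sysopen $key_fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0400) {
        warn "create $path: $!\n";
        return 0;
    }
    binmode $key_fh;
    print {$key_fh} unpack('H*', $raw);
    # buffered write errors only surface at close
    if (!close $key_fh) {
        warn "close $path: $!\n";
        return 0;
    }
    # set keyfile to immutable to try preventing modification/removal
    system('chattr', '+i', $path) == 0
        or warn "chattr +i $path failed: exit " . ($? >> 8) . "\n";
    return 1;
}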
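# Tail $file; for every line that names an sdXN partition, run setup once,
# then (re)mount the device and decrypt the shadow file into the ramfs.
# The helpers now receive the device name as an argument instead of
# reading a lexical that was only in scope inside got_line, and they are
# called as plain functions rather than with "&name;" (which forwards the
# caller's @_).  The unused "args => [$file]" was dropped: _start never
# read it.
POE::Session->create(
    inline_states => {
        _start => sub {
            $_[HEAP]->{wheel} = POE::Wheel::FollowTail->new(
                Filename   => $file,
                InputEvent => 'got_line',
                ErrorEvent => 'got_error',
            );
        },
        got_line => sub {
            my ($line) = $_[ARG0];
            # NOTE(review): this matches any syslog line that mentions an
            # sdXN name, not only insertion events, so a chatty kernel log
            # re-runs the remount/decrypt cycle; tightening the pattern is
            # a policy decision for the maintainer.
            return if $line !~ /(?<dev>sd[a-z][0-9]+)/;
            my $dev = $+{dev};
            print "${line}\n";
            # XXX: make sure everything is setup for the first time
            if ($setup eq "FALSE") {
                do_setup($dev);
                # setup reports failure by leaving the flag alone; try again
                # on the next matching line rather than decrypting blind
                return if $setup ne "TRUE";
            }
            # XXX: now we need to clean up and unmount old ramfs if it exists
            do_cleanup();
            # XXX: make new ramfs and mount
            do_mounts($dev);
            # without the ciphertext on the mounted device there is nothing
            # to decrypt (mount failed or wrong device)
            if (!-e $shadow) {
                warn "$shadow not present after mounting /dev/$dev; skipping decrypt\n";
                return;
            }
            # XXX: once device is mounted do a decrypt and write data out to ramfs
            # (input passed as a file argument so no shell is involved)
            my $rc = system('gpg', '-d', '-q', '--batch', '--cipher-algo', 'AES256',
                            '-o', $shadow_decrypted, '--passphrase-file', $gpgkey,
                            $shadow);
            warn "gpg -d of $shadow failed: exit " . ($? >> 8) . "\n" if $rc != 0;
            return;
        },
        got_error => sub {
            my ($line) = $_[ARG0];
            warn "${line}\n";
            return;
        },
    },
);
POE::Kernel->run();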
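# SIGINT/SIGTERM handler.  Wipe the decrypted shadow and unmount before
# exiting: the original printed its farewell and exited, which left the
# plaintext copy sitting in the ramfs after the daemon was gone.
sub _cleanup {
    print "KILL ALL THE ... wait, me?\n";
    do_cleanup();
    exit 0;
}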
exit 0;   # reached once POE::Kernel->run() returns