From 72a704d2e2b06bfedc4f1ee841814f983fc34baa Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sun, 30 Jun 2024 07:35:25 +0200 Subject: T6527: add legacy Vyatta interpreter files still in use --- debian/control | 46 ++++++++++++++++++++++++++++++++++------- debian/rules | 4 ++++ debian/vyos-1x.install | 2 ++ debian/vyos-1x.postinst | 55 +++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 100 insertions(+), 7 deletions(-) (limited to 'debian') diff --git a/debian/control b/debian/control index 883e08649..189a959b0 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,6 @@ Build-Depends: iproute2, libvyosconfig0 (>= 0.0.7), libzmq3-dev, - procps, python3 (>= 3.10), # For QA pylint, @@ -38,14 +37,24 @@ Standards-Version: 3.9.6 Package: vyos-1x Architecture: amd64 arm64 Pre-Depends: + libpam-runtime [amd64], libnss-tacplus [amd64], libpam-tacplus [amd64], libpam-radius-auth [amd64] Depends: ## Fundamentals ${python3:Depends} (>= 3.10), + dialog, libvyosconfig0, + libpam-cap, + bash-completion, + ipvsadm, + udev, + less, + at, + rsync, vyatta-bash, + vyatta-biosdevname, vyatta-cfg, vyos-http-api-tools, vyos-utils, @@ -72,6 +81,7 @@ Depends: python3-zmq, ## End of Python libraries ## Basic System services and utilities + coreutils, sudo, systemd, bsdmainutils, @@ -84,7 +94,6 @@ Depends: # ipaddrcheck is widely used in IP value validators ipaddrcheck, ethtool, - fdisk, lm-sensors, procps, netplug, @@ -97,6 +106,14 @@ Depends: grc, ## End of System services and utilities ## For the installer + fdisk, + gdisk, + mdadm, + efibootmgr, + libefivar1, + dosfstools, + grub-efi-amd64-bin [amd64], + grub-efi-arm64-bin [arm64], # Image signature verification tool minisign, # Live filesystem tools @@ -105,6 +122,7 @@ Depends: ## End installer auditd, iputils-arping, + iputils-ping, isc-dhcp-client, # For "vpn pptp", "vpn l2tp", "vpn sstp", "service ipoe-server" accel-ppp, 
@@ -143,7 +161,7 @@ Depends: sstp-client, # End "interfaces sstpc" # For "protocols *" - frr (>= 7.5), + frr (>= 9.1), frr-pythontools, frr-rpki-rtrlib, frr-snmp, @@ -179,9 +197,12 @@ Depends: # For "service router-advert" radvd, # End "service route-advert" -# For "high-availability reverse-proxy" +# For "load-balancing reverse-proxy" haproxy, -# End "high-availability reverse-proxy" +# End "load-balancing reverse-proxy" +# For "load-balancing wan" + vyatta-wanloadbalance, +# End "load-balancing wan" # For "service dhcp-relay" isc-dhcp-relay, # For "service dhcp-server" @@ -235,6 +256,9 @@ Depends: # For "high-availability vrrp" keepalived (>=2.0.5), # End "high-availability-vrrp" +# For "system console" + util-linux, +# End "system console" # For "system task-scheduler" cron, # End "system task-scheduler" @@ -267,7 +291,7 @@ Depends: # For "system conntrack modules rtsp" nat-rtsp, # End "system conntrack modules rtsp" -# For "system ntp" +# For "service ntp" chrony, # End "system ntp" # For "vpn openconnect" @@ -276,7 +300,13 @@ Depends: # For "system flow-accounting" pmacct (>= 1.6.0), # End "system flow-accounting" -# For container +# For "system syslog" + rsyslog, +# End "system syslog" +# For "system option keyboard-layout" + kbd, +# End "system option keyboard-layout" +# For "container" podman, netavark, aardvark-dns, @@ -314,6 +344,8 @@ Depends: ndisc6, # For "run monitor bandwidth" bmon, +# For "run format disk" + parted, # End Operational mode ## TPM tools cryptsetup, diff --git a/debian/rules b/debian/rules index 9da40465f..df1d9e7f3 100755 --- a/debian/rules +++ b/debian/rules @@ -103,6 +103,10 @@ override_dh_auto_install: mkdir -p $(DIR)/etc cp -r src/etc/* $(DIR)/etc + # Install legacy Vyatta files + mkdir -p $(DIR)/opt + cp -r src/opt/* $(DIR)/opt + # Install PAM configuration snippets mkdir -p $(DIR)/usr/share/pam-configs cp -r src/pam-configs/* $(DIR)/usr/share/pam-configs 
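Review bot: In the `@@ -267,7 +291,7 @@` hunk the opening marker becomes `# For "service ntp"`, but the closing marker two lines below still reads `# End "system ntp"`, so the pair no longer matches. Change the closing line to `# End "service ntp"` so that anyone searching the file for the CLI path finds both ends of the chrony block.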
diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index b3978d38a..7171911dc 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -1,4 +1,6 @@
+etc/bash_completion.d
 etc/commit
+etc/default
 etc/dhcp
 etc/ipsec.d
 etc/logrotate.d
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 78e895d6e..26b81db6f 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -120,6 +120,61 @@ fi # ensure the proxy user has a proper shell chsh -s /bin/sh proxy +# Set file capabilities +setcap cap_net_admin=pe /sbin/ethtool +setcap cap_net_admin=pe /sbin/tc +setcap cap_net_admin=pe /bin/ip +setcap cap_net_admin=pe /sbin/xtables-legacy-multi +setcap cap_net_admin=pe /sbin/xtables-nft-multi +setcap cap_net_admin=pe /usr/sbin/conntrack +setcap cap_net_admin=pe /usr/sbin/arp +setcap cap_net_raw=pe /usr/bin/tcpdump +setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl +setcap cap_sys_module=pe /bin/kmod +setcap cap_sys_time=pe /bin/date + +# create needed directories +mkdir -p /var/log/user +mkdir -p /var/core +mkdir -p /opt/vyatta/etc/config/auth +mkdir -p /opt/vyatta/etc/config/scripts +mkdir -p /opt/vyatta/etc/config/user-data +mkdir -p /opt/vyatta/etc/config/support +chown -R root:vyattacfg /opt/vyatta/etc/config +chmod -R 775 /opt/vyatta/etc/config +mkdir -p /opt/vyatta/etc/logrotate +mkdir -p /opt/vyatta/etc/netdevice.d + +touch /etc/environment + +if [ ! -f /etc/bash_completion ]; then + echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion + echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion +fi + +sed -i 's/^set /builtin set /' /etc/bash_completion + +# Fix up PAM configuration for login so that invalid users are prompted +# for password +sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login + +# Change default shell for new accounts +sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf + +# Do not allow users to change full name field (controlled by vyos-1x) +sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs + +# Only allow root to use passwd command +if ! 
grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then + sed -i -e '/^@include/i \ +password requisite pam_succeed_if.so user = root +' /etc/pam.d/passwd +fi + +# remove unnecessary ddclient script in /etc/ppp/ip-up.d/ +# this logs unnecessary messages trying to start ddclient +rm -f /etc/ppp/ip-up.d/ddclient + # create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script if [ ! -x $PRECONFIG_SCRIPT ]; then -- cgit v1.2.3
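Review bot: The `setcap … =pe` lines grant each capability to every account that can execute the binary, not only to configuration users, and `cap_sys_module` on `/bin/kmod` and `cap_sys_admin` on `/sbin/sysctl` are close to root-equivalent. Since this commit also adds `libpam-cap` to Depends, consider inheritable-only file capabilities such as `setcap cap_sys_module=ei /bin/kmod` with the per-user grant made through pam_cap, or restrict execute permission on these binaries to an admin group. `chmod -R 775 /opt/vyatta/etc/config` leaves everything under `config/auth` world-readable and is re-applied whenever this part of the postinst runs; if that directory holds key material, follow it with a tighter mode such as `chmod 770 /opt/vyatta/etc/config/auth`. `sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:'` reads as a sed label definition rather than an address, so the default shell is probably never changed; a custom-delimiter address needs a leading backslash, `'\:^DSHELL:s:/bin/bash:/bin/vbash:'`. `$rootfsdir` in the `pam.d/login` line is not assigned anywhere in this hunk, and the script continues outside it, so confirm it is defined or drop the prefix.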