authorStephen Hemminger <stephen.hemminger@vyatta.com>2008-10-02 19:18:05 +0200
committerStephen Hemminger <stephen.hemminger@vyatta.com>2008-10-02 19:18:05 +0200
commit2e57bf9a4220a1c99cdb87136fad1b83d14cc454 (patch)
tree936ceb033be8fdcbb82f97a34bec3bad661db2d8
parent73f0546e5f5c8d9bd367771ae0012797114ca340 (diff)
parent21031c67393d26a814298a8755d4bea43b0834de (diff)
Fix overlapping edits of standalone_pw_reset
Put in new code to set password, rather than reset it to default. Although resetting passwd to default sounds good from a usability point of view, it is a potential security hole when system is rebooted. Instead, allow user to choose new passwd.
-rw-r--r--Makefile.am2
-rw-r--r--debian/vyatta-cfg-system.postinst.in5
-rw-r--r--scripts/dns-forwarding/vyatta-dns-forwarding.pl4
-rw-r--r--[-rwxr-xr-x]scripts/install-system53
-rwxr-xr-xscripts/standalone_root_pw_reset6
-rwxr-xr-xscripts/system/vyatta_update_login.pl4
-rwxr-xr-xscripts/vyatta-grub-setup (renamed from scripts/grub-setup)63
-rw-r--r--sysconf/vyatta-sysctl.conf3
-rw-r--r--templates/interfaces/bridge/node.def4
-rw-r--r--templates/interfaces/tunnel/node.def3
10 files changed, 100 insertions, 47 deletions
diff --git a/Makefile.am b/Makefile.am
index 27152ff0..9e66286c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,7 +15,7 @@ bin_SCRIPTS += scripts/vyatta-functions
sbin_SCRIPTS += scripts/init-floppy
sbin_SCRIPTS += scripts/rl-system.init
sbin_SCRIPTS += scripts/install-system
-sbin_SCRIPTS += scripts/grub-setup
+sbin_SCRIPTS += scripts/vyatta-grub-setup
sbin_SCRIPTS += scripts/quick-install
sbin_SCRIPTS += scripts/standalone_root_pw_reset
sbin_SCRIPTS += scripts/vyatta-passwd-sync
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 2cb0643c..925edcb5 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -87,6 +87,11 @@ fi
sed -i 's/^set /builtin set /' /etc/bash_completion
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+
# Local Variables:
# mode: shell-script
# sh-indentation: 4
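Review bot: The new pam_securetty sed runs blind: nothing confirms that `$rootfsdir/etc/pam.d/login` exists or that the `requisite` line was actually rewritten, so a reformatted pam.d/login leaves the old behaviour in place without any signal, and if `$rootfsdir` were empty (its definition is outside this hunk) the edit would land on the host's own /etc/pam.d/login. Quote the path and check the outcome, e.g. `sed -i '...' "$rootfsdir/etc/pam.d/login"` followed by `grep -q 'required[[:space:]]*pam_securetty.so' "$rootfsdir/etc/pam.d/login" || echo "warning: pam_securetty still requisite in $rootfsdir/etc/pam.d/login" >&2`. The comment would also help a future maintainer if it recorded the reason rather than only the effect: `# 'requisite' ends the login as soon as pam_securetty fails, which exposes the outcome before a password is asked for; 'required' keeps prompting and rejects at the end of the stack.`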
diff --git a/scripts/dns-forwarding/vyatta-dns-forwarding.pl b/scripts/dns-forwarding/vyatta-dns-forwarding.pl
index 4a011b6a..38f5ee67 100644
--- a/scripts/dns-forwarding/vyatta-dns-forwarding.pl
+++ b/scripts/dns-forwarding/vyatta-dns-forwarding.pl
@@ -119,7 +119,7 @@ sub dnsforwarding_get_values {
if (@use_dhcp_nameservers != 0) {
$use_dnsmasq_conf = 1;
foreach my $interface (@use_dhcp_nameservers) {
- my $dhcp_nameserver_count=`grep nameserver /etc/resolv.conf.dhclient-new-$interface | wc -l`;
+ my $dhcp_nameserver_count=`grep nameserver /etc/resolv.conf.dhclient-new-$interface 2>/dev/null | wc -l`;
if ($dhcp_nameserver_count > 0) {
my @dhcp_nameservers = `grep nameserver /etc/resolv.conf.dhclient-new-$interface`;
for my $each_nameserver (@dhcp_nameservers) {
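Review bot: The added `2>/dev/null` only silences grep when the per-interface file is missing; the count is still produced by interpolating `$interface` into a backtick command string, so a shell stays in the path and any unusual character in the interface name would be interpreted by it before grep ever runs. Reading the file from Perl removes both issues — a missing file becomes a failed `open` that yields zero, and no shell is spawned — and the second backtick at the bottom of this hunk can then reuse the lines already read instead of running grep again. `check_nameserver` in the next hunk has the same shape and can use the same `open`/`grep` form on /etc/resolv.conf. dnsforwarding_get_values starts and ends outside this hunk.
```perl
    foreach my $interface (@use_dhcp_nameservers) {
        # Read the dhclient file in Perl: no shell command string, and a
        # missing file simply yields an empty list instead of a grep error.
        my @dhcp_resolv_lines = ();
        if (open my $fh, '<', "/etc/resolv.conf.dhclient-new-$interface") {
            @dhcp_resolv_lines = <$fh>;
            close $fh;
        }
        my $dhcp_nameserver_count = grep { /nameserver/ } @dhcp_resolv_lines;
        if ($dhcp_nameserver_count > 0) {
            my @dhcp_nameservers = grep { /nameserver/ } @dhcp_resolv_lines;
            # … unchanged: per-nameserver loop …
```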
@@ -149,7 +149,7 @@ sub dnsforwarding_write_file {
sub check_nameserver {
- my $cmd = `grep nameserver /etc/resolv.conf|wc -l`;
+ my $cmd = `grep nameserver /etc/resolv.conf 2>/dev/null | wc -l`;
return $cmd;
}
diff --git a/scripts/install-system b/scripts/install-system
index 8f4592f9..d06695e0 100755..100644
--- a/scripts/install-system
+++ b/scripts/install-system
@@ -206,6 +206,24 @@ probe_drives () {
}
+warn_of_dire_consequences () {
+ # Give the user a requisite warning that we are about to nuke their drive
+ response=''
+ while [ -z $response ]
+ do
+ echo "This will destroy all data on /dev/$INSTALL_DRIVE."
+ echo -n "Continue? (Yes/No) [No]: "
+ response=$(get_response "No" "Yes No Y N")
+
+ if [ "$response" == "no" ] || [ "$response" == "n" ]; then
+ echo "Ok then. Exiting..."
+ exit 1
+ fi
+ done
+}
+
+
+
check_for_old_raid () {
# First, trigger construction of previously configured RAID groups
echo -n "Looking for pre-existing RAID groups..."
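Review bot: `while [ -z $response ]` in warn_of_dire_consequences leaves `$response` unquoted, so the loop only works because a one-argument `[ -z ]` happens to evaluate true; a multi-word value would instead make `[` fail with a syntax error. Quote it, and since the comparisons below use bash's `==`, either keep that consistently or switch to POSIX `=`: `while [ -z "$response" ]` and `if [ "$response" = "no" ] || [ "$response" = "n" ]; then`. Whether get_response lower-cases the answer (the `"no"`/`"n"` comparisons assume it does) cannot be checked here; its definition is outside this hunk. The block removed from setup_method_auto further down carried the same unquoted test, so fixing it here fixes both call sites.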
@@ -264,6 +282,9 @@ check_for_old_raid () {
fi
echo "Using RAID partition $INSTALL_DRIVE"
+
+ warn_of_dire_consequences
+
ROOT_PARTITION=$INSTALL_DRIVE
# make sure we aren't working on a mounted part
@@ -417,12 +438,16 @@ select_drive () {
display="$display $drive\t$size"MB"\n"
done
- # Display the drives and ask the user which one to install to
- echo -e "$display"
- echo
- echo -n "$1 [$INSTALL_DRIVE]:"
+ while true
+ do
+ # Display the drives and ask the user which one to install to
+ echo -e "$display"
+ echo
+ echo -n "$1 [$INSTALL_DRIVE]:"
+ response=$(get_response "$INSTALL_DRIVE" "$drives") && break
+ done
+ INSTALL_DRIVE="$response"
- INSTALL_DRIVE=$(get_response "$INSTALL_DRIVE" "$drives")
echo
# Assume no dma if the disk is smaller than 10G (such as a CF drive)
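Review bot: The new `while true` loop in select_drive exits only when get_response succeeds, so if get_response also returns non-zero on end-of-input (its definition is outside this hunk) an installer run whose stdin is closed will redisplay the drive list forever instead of failing as the old single call did. A bounded retry, e.g. `for attempt in 1 2 3; do … && break; done` followed by `[ -n "$response" ] || exit 1`, keeps the re-prompt for a bad answer while still terminating. select_drive's body starts outside this hunk.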
@@ -891,12 +916,12 @@ install_grub () {
fi
fi
- # if union install tell grub-setup
+ # if union install tell vyatta-grub-setup
if eval "$UNION"; then
version=$(egrep -i version /opt/vyatta/etc/version | awk '{ print $3 }')
grub_args="-u $version"
fi
- if /opt/vyatta/sbin/grub-setup $grub_args "$ROOT_PARTITION" "$grub_options" /mnt/rootfs >>$INSTALL_LOG
+ if /opt/vyatta/sbin/vyatta-grub-setup $grub_args "$ROOT_PARTITION" "$grub_options" /mnt/rootfs >>$INSTALL_LOG
then
echo "OK"
else
@@ -991,19 +1016,7 @@ setup_method_auto() {
fi
done
- # Give the user a requisite warning that we are about to nuke their drive
- response=''
- while [ -z $response ]
- do
- echo "This will destroy all data on /dev/$INSTALL_DRIVE."
- echo -n "Continue? (Yes/No) [No]: "
- response=$(get_response "No" "Yes No Y N")
-
- if [ "$response" == "no" ] || [ "$response" == "n" ]; then
- echo "Ok then. Exiting..."
- exit 1
- fi
- done
+ warn_of_dire_consequences
echo
diff --git a/scripts/standalone_root_pw_reset b/scripts/standalone_root_pw_reset
index eae5754e..f08bf7d6 100755
--- a/scripts/standalone_root_pw_reset
+++ b/scripts/standalone_root_pw_reset
@@ -14,7 +14,7 @@
# All Rights Reserved.
#
# Author: Bob Gilligan <gilligan@vyatta.com>
-# Description: Standalone script to reset the root passwd to factory default
+# Description: Standalone script to set the root passwd to new value
# value. Note: This script can ONLY be run as a standalone
# init program by grub.
#
@@ -92,9 +92,7 @@ fi
echo "Saving backup copy of config.boot..."
cp $CF ${CF}.before_pwrecovery
-echo "Reseting the root password..."
-
-change_password root
+echo "Setting the root password..."
echo $(date "+%b%e %T") $(hostname) "Root password changed" \
| tee -a /var/log/auth.log >>/var/log/messages
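Review bot: After this hunk the script prints `Setting the root password...` and immediately writes `Root password changed` to auth.log and messages, but the call that actually changed the password (`change_password root`) is removed and nothing in the hunk replaces it; if the new password-setting step lives elsewhere in the file, the audit entry should be tied to its result rather than emitted unconditionally. Wrap the existing echo/tee in `if <password-setting step>; then … else … fi` (the step's name is a placeholder here, since it is not visible in this hunk) and log a distinct `Root password change FAILED` line on the else branch so the audit trail reflects what happened. `$CF` on the `cp` line above is also unquoted.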
diff --git a/scripts/system/vyatta_update_login.pl b/scripts/system/vyatta_update_login.pl
index bd103c57..dbe4e338 100755
--- a/scripts/system/vyatta_update_login.pl
+++ b/scripts/system/vyatta_update_login.pl
@@ -53,8 +53,8 @@ my %reasons = (
# Map of level to additional groups
my %level_map = (
- 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', ],
- 'operator' => [ 'quaggavty', 'operator', 'adm', ],
+ 'admin' => [ 'quaggavty', 'vyattacfg', 'sudo', 'adm', 'dip', ],
+ 'operator' => [ 'quaggavty', 'operator', 'adm', 'dip', ],
);
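Review bot: `dip` is added to both entries of `%level_map` without a comment saying why, and the commit message does not mention it; since `operator` is the less privileged level, widening its group membership deserves a recorded reason so it is not removed or further extended by accident. Add a line above the map such as `# 'dip' is granted to both levels so that <reason — TODO confirm, presumably bringing up dial/PPP links> works for operators as well as admins.` Where these group lists are applied is outside this hunk.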
# we have some users
diff --git a/scripts/grub-setup b/scripts/vyatta-grub-setup
index 70da564e..1bf47dde 100755
--- a/scripts/grub-setup
+++ b/scripts/vyatta-grub-setup
@@ -71,26 +71,26 @@ serial_console="console=tty0 console=ttyS0,9600"
#
vga_logo="vga=785"
- # get list of kernels, except Xen
- kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r)
+# get list of kernels, except Xen
+kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r)
- # get xen kernel info
- xen_kernel_version=$(ls $ROOTFSDIR/boot/vmlinuz*xen 2> /dev/null | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r)
- xen_version=$(ls $ROOTFSDIR/boot/xen-* 2> /dev/null | awk -F/ '{ print $5 }' | sort -r)
+# get xen kernel info
+xen_kernel_version=$(ls $ROOTFSDIR/boot/vmlinuz*xen 2> /dev/null | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r)
+xen_version=$(ls $ROOTFSDIR/boot/xen-* 2> /dev/null | awk -F/ '{ print $5 }' | sort -r)
- # Figure out whether we are running on the serial or KVM console:
- if [ "`tty`" == "/dev/ttyS0" ]; then
+# Figure out whether we are running on the serial or KVM console:
+if [ "`tty`" == "/dev/ttyS0" ]; then
# Since user is running on serial console, make that the default.
default_console=1
- else
+else
# Since user is running on KVM console, make that the default
default_console=0
- fi
+fi
- if eval "$UNION"; then
+if eval "$UNION"; then
GRUB_OPTIONS="boot=live live-media-path=/boot/$livedir module=$livedir quiet persistent noautologin nonetworking nouser hostname=vyatta"
union_kernel_versions=$(ls $ROOTFSDIR/boot/$livedir/vmlinuz-* 2> /dev/null | grep -v xen | awk -F/ '{ print $6 }' | sed 's/vmlinuz//g' | sort -r)
- else
+else
# Read UUID off of filesystem and use it to tell GRUB where to mount drive
# This allows device to move around and grub will still find it
uuid=$(dumpe2fs -h /dev/${ROOT_PARTITION} 2>/dev/null | awk '/^Filesystem UUID/ {print $3}')
@@ -102,7 +102,37 @@ vga_logo="vga=785"
else
GRUB_OPTIONS="$GRUB_OPTIONS root=UUID=$uuid ro"
fi
- fi
+fi
+
+# Check for diagnostic partition residing in first partition of drive
+# holding the root partition.
+
+diag_drive_number=""
+
+if [ ${ROOT_PARTITION:0:2} = "md" ]; then
+ # Select the first disk in the RAID group to look for diag partition on
+ root_disks=`echo /sys/block/$ROOT_PARTITION/slaves/*`
+ root_disk=`echo ${root_disks} | awk '{ print $1 }'`
+ root_disk=${root_disk##*/}
+ root_disk=${root_disk:0:${#root_disk}-1}
+else
+ # Shave off the partition number to get the disk name
+ root_disk=${ROOT_PARTITION:0:${#ROOT_PARTITION}-1}
+fi
+
+# If the root partition is not occupying the first partition, then we
+# can look for a diag partition there.
+if [ "$ROOT_PARTITION" != "${root_disk}1" ]; then
+ first_part_fstype=`fdisk -l /dev/$root_disk | grep ^/dev/${root_disk}1 | awk '{ print $6 }'`
+
+ if [ "$first_part_fstype" = "FAT16" -o "$first_part_fstype" = "Dell" ]; then
+ # Translate the Linux drive letter (e.g. the "a" in "/dev/sda") into
+ # a drive number that grub uses. i.e. "a" = 0, "b" = 1, etc.
+ diag_drive_letter=${root_disk:2:1}
+ diag_drive_number=`echo $diag_drive_letter | od -t u1 -N 1 | awk '{ print $2 }'`
+ let diag_drive_number-=97
+ fi
+fi
(
# create the grub.cfg file for grub
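Review bot: The diag-partition detection derives the disk name by dropping exactly one trailing character (`root_disk=${ROOT_PARTITION:0:${#ROOT_PARTITION}-1}` and the matching line in the md branch), so a root partition numbered 10 or higher produces a name such as `sda1`, and the later `${root_disk}1` comparison and `fdisk -l /dev/$root_disk` call go wrong; stripping the whole numeric suffix, `root_disk=${ROOT_PARTITION%%[0-9]*}` and `root_disk=${root_disk%%[0-9]*}`, is no longer than the current form. `diag_drive_letter=${root_disk:2:1}` likewise assumes a three-character `sdX`/`hdX` name. The fdisk parse reads column `$6`, which is the System name only for partitions without the bootable flag — with a `*` in the Boot column the fields shift by one, so a bootable FAT16 diagnostics partition would be missed; matching on the Id field, or using a tool with fixed output such as `blkid -o value -s TYPE`, would be more robust. `[ ${ROOT_PARTITION:0:2} = "md" ]` should also quote its left operand in case the variable is empty.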
@@ -208,6 +238,15 @@ vga_logo="vga=785"
echo -e "\tlinux /boot/vmlinuz $GRUB_OPTIONS $serial_console init=$pass_reset"
echo -e "\tinitrd /boot/initrd.img"
echo -e "}"
+
+ if [ -n "$diag_drive_number" ]; then
+ echo
+ echo -e "menuentry \"Diagnostics\" {"
+ echo -e "\tchainloader (hd$diag_drive_number,1)+1"
+ echo -e "}"
+ fi
+
+
) >"$ROOTFSDIR"/boot/grub/grub.cfg
( [ -s /boot/grub/menu.lst ] &&
diff --git a/sysconf/vyatta-sysctl.conf b/sysconf/vyatta-sysctl.conf
index fae11945..a021c42a 100644
--- a/sysconf/vyatta-sysctl.conf
+++ b/sysconf/vyatta-sysctl.conf
@@ -22,8 +22,5 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
# Send ICMP responses with primary address of exiting interface
net.ipv4.icmp_errors_use_inbound_ifaddr=1
-# Turn off SACK since it causes problems with MD5 due to lack of options space
-net.ipv4.tcp_sack=0
-
# Enable packet forwarding for IPv6
net.ipv6.conf.all.forwarding=1
diff --git a/templates/interfaces/bridge/node.def b/templates/interfaces/bridge/node.def
index 0dc3670c..641d369d 100644
--- a/templates/interfaces/bridge/node.def
+++ b/templates/interfaces/bridge/node.def
@@ -2,7 +2,7 @@ tag:
type: txt
help: Set bridge interface
-syntax:expression: $VAR(@) in "br0", "br1", "br2", "br3", "br4", "br5", "br6", "br7", "br8", "br9" ; "Must be (br0 - br9)"
+syntax:expression: pattern $VAR(@) "^br[0-9]+$" ; "Must be (br0 - br999)"
create: sudo brctl addbr $VAR(@)
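Review bot: The new `pattern` check accepts any run of digits after `br`, so names like `br1000` or `br0007` pass while the message still promises `br0 - br999`; either bound the repetition — `"^br[0-9]{1,3}$"` if the pattern engine supports counted repetition, otherwise `"^br([0-9]|[1-9][0-9]|[1-9][0-9][0-9])$"` — or make the message say what the pattern actually allows. Keep both anchors in any case: the same value is interpolated unquoted into `sudo brctl addbr $VAR(@)` on the create: line and into the `grep $VAR(@)` of the delete: action below, so this pattern is the only thing keeping shell metacharacters out of those commands. The tunnel template's new `"^tun[0-9]+$"` at the end of this commit has the same mismatch with its `tun0-tun999` message (its hunk may be cut off by the end of the page).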
@@ -13,4 +13,4 @@ delete: if [ -n "`/usr/sbin/brctl show | grep $VAR(@) | grep eth`" ]; then
sudo ip link set $VAR(@) down;
sudo brctl delbr $VAR(@);
-comp_help: "Enter bridge interface name (br0 - br9)"
+comp_help: "Enter bridge interface name (br0 - br999)"
diff --git a/templates/interfaces/tunnel/node.def b/templates/interfaces/tunnel/node.def
index d152dbe5..89ee200c 100644
--- a/templates/interfaces/tunnel/node.def
+++ b/templates/interfaces/tunnel/node.def
@@ -2,7 +2,8 @@ tag:
type: txt
help: Set tunnel interface
-syntax:expression: exec "echo $VAR(@) | grep \"tun[0-9][0-9]\\{0,2\\}\$\" > /dev/null "; "tunnel must be (tun0-tun999)"
+syntax:expression: pattern $VAR(@) "^tun[0-9]+$" \
+ ; "tunnel must be (tun0-tun999)"
commit:expression: $VAR(./local-ip/) != "" ; \
"Must configure the tunnel local-ip for $VAR(@)"