-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 41 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postrm | 3 | ||||
-rwxr-xr-x | scripts/install-system | 35 | ||||
-rwxr-xr-x | scripts/standalone_root_pw_reset | 41 | ||||
-rw-r--r-- | sysconf/syslog.conf | 16 | ||||
-rw-r--r-- | templates/system/package/repository/node.def | 15 | ||||
-rw-r--r-- | templates/system/package/repository/node.tag/password/node.def | 8 | ||||
-rw-r--r-- | templates/system/package/repository/node.tag/url/node.def | 4 | ||||
-rw-r--r-- | templates/system/package/repository/node.tag/username/node.def | 8 |
9 files changed, 119 insertions, 52 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 0852319e..b21437a5 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -23,16 +23,28 @@ esac
 ln -sf ../vyatta-net.rules /etc/udev/rules.d/$vyatta_net_rules
 if [ "$sysconfdir" != "/etc" ]; then
- # for "admin" level (FIXME)
+ cp -p /etc/sudoers /etc/sudoers.bak
+
+ # for "admin" level
 sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
 if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
 echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
 fi
- # Allow operator to do a limited number of commands without password
- if ! grep -q '^%operator ALL=NOPASSWD:' /etc/sudoers; then
- cat <<"EOF" >>/etc/sudoers
-### BEGIN VYATTA OPERATOR COMMANDS
+ # cleanup any old entries from previous versions
+ ed - /etc/sudoers <<EOF
+/### BEGIN VYATTA/,/### END VYATTA/d
+/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d
+g/sudo-users/d
+g/env_keep+=VYATTA/d
+wq
+EOF
+ # Add Vyatta entries
+ cat <<"EOF" >>/etc/sudoers
+### BEGIN VYATTA
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
 Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
 /sbin/iptables -L -vn,\
 /sbin/iptables -L * -vn,\
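Review bot: The rewritten sudoers block is never validated before it takes effect: `ed` and two `cat` appends edit `/etc/sudoers` in place, and a malformed result (a non-matching `EOF`, an unexpected character in the unquoted `${bindir}` heredoc of the next hunk) leaves every sudo call on the system failing until fixed by hand, even though the hunk now takes a backup. Run `visudo -c -f /etc/sudoers || cp -p /etc/sudoers.bak /etc/sudoers` after the last append. On the policy itself, spanning this hunk and `@@ -46,21 +58,14 @@`: `%users ALL=NOPASSWD: ${bindir}/sudo-users/` gives password-less root for every executable in that directory, so the postinst should assert the directory is root-owned and not group/world-writable, and `Defaults env_keep+=VYATTA_*` deserves a comment naming the variables the sudo-users scripts consume, since each one becomes root-controlled input. The `ed` lines `g/sudo-users/d` and `g/env_keep+=VYATTA/d` also delete any administrator-added line containing those strings, which is broader than the "old entries from previous versions" the comment describes.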
@@ -46,21 +58,14 @@ Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
 Cmnd_Alias ETHTOOLP = /usr/sbin/ethtool -p *
 Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
 Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff
+Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
 %operator ALL=NOPASSWD: /sbin/reboot, DATE, IPTABLES, ETHTOOLP, IPFLUSH, \
- PPPOE_CMDS, /usr/bin/tshark, /usr/sbin/wanpipemon
-### END VYATTA OPERATOR COMMANDS
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon
+EOF
+ cat <<EOF >>/etc/sudoers
+%users ALL=NOPASSWD: ${bindir}/sudo-users/
+### END VYATTA
 EOF
- fi
-
- # for "users" level (FIXME)
- if ! grep -q "^%users ALL=NOPASSWD: ${bindir}/sudo-users/" /etc/sudoers; then
- echo -e "\n%users ALL=NOPASSWD: ${bindir}/sudo-users/" >> /etc/sudoers
- fi
-
- # keep env vars
- if ! grep -q 'env_keep+=VYATTA_*' /etc/sudoers ; then
- echo "Defaults env_keep+=VYATTA_*" >> /etc/sudoers
- fi
 fi
 # update crontab for logrotate
diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm
index d668f55d..46ec1aaa 100644
--- a/debian/vyatta-cfg-system.postrm
+++ b/debian/vyatta-cfg-system.postrm
@@ -2,6 +2,9 @@
 if [ "$1" = "purge" ]; then
 rm -f /etc/udev/rules.d/*vyatta-net.rules
+
+ sed -i '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers
+
 fi
 # Local Variables:
diff --git a/scripts/install-system b/scripts/install-system
index 71233ccb..d6ea9b74 100755
--- a/scripts/install-system
+++ b/scripts/install-system
@@ -229,7 +229,7 @@ select_drive () {
 # Assume no dma if the disk is smaller than 10G (such as a CF drive)
 size=$(get_drive_size $INSTALL_DRIVE)
- if [ $size -lt 11000 ]
+ if [[ $size -lt 11000 && ! $GRUB_OPTIONS =~ 'ide=nodma' ]]
 then
 GRUB_OPTIONS="$GRUB_OPTIONS ide=nodma"
 fi
@@ -309,6 +309,9 @@ rename_old_config() {
 check_config_partition() {
 lpart=$1
+ # Cleanup from possible partial last run
+ rm -fr /mnt/config
+
 # Look to see if this is a config partition
 mkdir -p /mnt/tmp
 output=$(mount /dev/$lpart /mnt/tmp 2>&1)
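Review bot: The purge removes only the `### BEGIN VYATTA`/`### END VYATTA` block, but the postinst in this commit also uncomments or appends `%sudo ALL=NOPASSWD: ALL` outside those markers, so password-less sudo for the sudo group survives a purge of the package. Either move that line inside the markers in the postinst so this one `sed` covers it, or revert it here with a targeted `sed -i 's/^%sudo ALL=NOPASSWD: ALL/# %sudo ALL=NOPASSWD: ALL/' /etc/sudoers`; in both cases follow the edit with `visudo -c -f /etc/sudoers` so a purge cannot leave sudo unusable. The `sed -i` also runs unconditionally, so guard it with `[ -f /etc/sudoers ]` to keep the maintainer script from failing on a system where sudo has already been removed.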
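Review bot: `rm -fr /mnt/config` runs before anything checks whether `/mnt/config` is still a mount point left by the partial run the comment mentions; if it is, the recursive delete walks into the mounted config partition instead of clearing a stale directory. Guard it, e.g. `umount /mnt/config 2>/dev/null; rm -fr /mnt/config`, or test with `mountpoint -q /mnt/config` first — that a previous run can leave it mounted is inferred, since whatever mounts `/mnt/config` and the rest of check_config_partition are outside the hunk. A comment such as `# a previous run may have left /mnt/config mounted; unmount before removing` would record why the guard is there.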
@@ -476,7 +479,15 @@ install_root_filesystem () {
 output=$(umount /mnt/squashfs)
 # create the fstab
- echo -e "/dev/$ROOT_PARTITION\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab
+ local rootdev="/dev/$ROOT_PARTITION";
+ uuid=$(dumpe2fs -h $rootdev 2>/dev/null | awk '/^Filesystem UUID/ {print $3}')
+ if [ -z "$uuid" ]
+ then
+ echo "Unable to read filesystem UUID. Exiting."
+ exit 1
+ else
+ echo -e "UUID=$uuid\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab
+ fi
 #setup the hostname file
 cp /etc/hostname $rootfsdir/etc/
@@ -517,16 +528,19 @@ copy_config () {
 if [ -z "$config" ]; then
 config="$fdconfdir/config.boot"
 else
- config="$config\n$fdconfdir/config.boot"
+ config="$config $fdconfdir/config.boot"
 fi
 fi
 if [ -n "$config" ]; then
 echo "I found the following configuration files"
- echo -e "$config"
- default=$(echo -e $config| head -1)
+ for file in $config
+ do
+ echo $file
+ done
+
+ default=$(echo -e $config | awk '{ print $1 }')
- resp=''
 while [ -z "$configfile" ]
 do
 echo -n "Which one should I copy to $INSTALL_DRIVE? [$default]: "
@@ -553,7 +567,7 @@ change_password() {
 local user=$1
 local pwd
 read pwd
- local epwd=$(mkpasswd -H md5 $pwd | sed 's:/:\\/':)
+ local epwd=$(mkpasswd -H md5 $pwd | sed 's:/:\\/:g')
 sed -i \
 -e "/ user $user {/,/}/s/encrypted-password:.*\$/encrypted-password: \"$epwd\"/" \
@@ -629,9 +643,10 @@ install_grub () {
 # This allows device to move around and grub will still find it
 local rootdev="/dev/$ROOT_PARTITION";
 uuid=$(dumpe2fs -h $rootdev 2>/dev/null | awk '/^Filesystem UUID/ {print $3}')
- if [ -z $uuid ]
+ if [ -z "$uuid" ]
 then
- GRUB_ROOT="root=$rootdev ro"
+ echo "Unable to read filesystem UUID. Exiting."
+ exit 1
 else
 GRUB_ROOT="root=UUID=$uuid ro"
 fi
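Review bot: The new UUID lookup (`uuid=$(dumpe2fs -h $rootdev 2>/dev/null | awk ...)`) duplicates the one already in install_grub (`@@ -629,9 +643,10 @@`), both silence dumpe2fs's stderr so "Unable to read filesystem UUID. Exiting." tells the operator neither the device nor the cause, and both `exit 1` from inside a function with the target filesystem still mounted; `$rootdev` is unquoted and `uuid` is assigned without `local` in both. Factor the lookup into one helper that names the device, lets the dumpe2fs diagnostic through, and returns non-zero, then call it from both functions as `uuid=$(fs_uuid "/dev/$ROOT_PARTITION") || exit 1`. Both function bodies start and end outside the hunks.
```shell
# Print the ext filesystem UUID of device $1 on stdout.
# Returns 1 (with a diagnostic on stderr) when it cannot be read.
fs_uuid() {
  local dev=$1 uuid
  uuid=$(dumpe2fs -h "$dev" | awk '/^Filesystem UUID/ {print $3}')
  if [ -z "$uuid" ]; then
    echo "Unable to read filesystem UUID of $dev" >&2
    return 1
  fi
  echo "$uuid"
}
# … unchanged: install_root_filesystem up to the fstab creation …
  # create the fstab
  uuid=$(fs_uuid "/dev/$ROOT_PARTITION") || exit 1
  echo -e "UUID=$uuid\t/\text3\tdefaults\t0 1" >> $rootfsdir/etc/fstab
```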
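Review bot: Switching the separator from `\n` to a space and iterating with `for file in $config` makes the candidate list depend on word-splitting: a path containing a space (or glob characters, since `$config` is unquoted) is printed and offered as two candidates, and `echo $file` and `default=$(echo -e $config | awk '{ print $1 }')` carry the same weakness. The file already uses bash, so holding the candidates in an array — `config+=("$fdconfdir/config.boot")`, `printf '%s\n' "${config[@]}"`, `default=${config[0]}` — is the robust form, though the `-z`/`-n` tests would then need `${#config[@]}`; at minimum take the default with `default=${config%% *}` instead of spawning echo and awk. The `while` loop whose `resp=''` was removed continues outside the hunk.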
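Review bot: The only change here is the sed `g` flag, but the line still hands the freshly typed password to mkpasswd as an argument (`mkpasswd -H md5 $pwd`), where it is visible to every local user in the process list for the life of the call and is word-split because it is unquoted; the `read pwd` two lines above also echoes it to the terminal and interprets backslashes. Prefer `read -r -s pwd` and feed the password on stdin, `epwd=$(printf '%s' "$pwd" | mkpasswd -H md5 -s | sed 's:/:\\/:g')`, splitting `local epwd` from the assignment so a mkpasswd failure is not masked into an empty hash written into config.boot. MD5-crypt is what the line asks for; where the target's mkpasswd supports `-m sha-512`, that is the stronger choice. The rest of change_password is outside the hunk.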
@@ -716,7 +731,7 @@ install_grub () {
 echo
 echo -e "menuentry \"Root password reset to factory (Serial console)\" {"
- echo -e "\tkernel /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $SERIAL_CONSOLE init=$PWRESET"
+ echo -e "\tlinux /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $SERIAL_CONSOLE init=$PWRESET"
 echo -e "\tinitrd /boot/initrd.img"
 echo -e "}"
 ) >"$rootfsdir/boot/grub/grub.cfg"
diff --git a/scripts/standalone_root_pw_reset b/scripts/standalone_root_pw_reset
index 0dc65fd2..b173f22d 100755
--- a/scripts/standalone_root_pw_reset
+++ b/scripts/standalone_root_pw_reset
@@ -24,7 +24,7 @@ CF=/opt/vyatta/etc/config/config.boot
 echo "Standalone root password recovery tool."
-
+echo
 #
 # Check to see if we are running in standalone mode. We'll
 # know that we are if our pid is 1.
@@ -38,12 +38,8 @@ fi
 # OK, now we know we are running in standalone mode. Talk to the
 # user.
 #
-echo "Do you wish to reset the reset the root password to its"
-echo -n "factory setting value of \"vyatta\"? (Yes/No) [No]: "
-
-#
-# Parse the user's response
-#
+echo "Do you wish to reset the root password"
+echo -n "to the original default value (vyatta)? (Yes/No) [No]: "
 read response
 response=${response:0:1}
@@ -55,26 +51,39 @@ if [ "$response" != "y" -a "$response" != "Y" ]; then
 /sbin/reboot -f
 fi
+ echo "Starting process to reset the root password..."
 echo "Re-mounting root filesystem read/write..."
 mount -o remount,rw /
-echo "Mounting the config filesystem..."
-mount /opt/vyatta/etc/config/
+# Leftover from V3.0
+if grep -q /opt/vyatta/etc/config /etc/fstab
+then
+ echo "Mounting the config filesystem..."
+ mount /opt/vyatta/etc/config/
+fi
 echo "Saving backup copy of config.boot..."
 cp $CF ${CF}.before_pwrecovery
 echo "Reseting the root password..."
-sed -i -e "/^.* user root {/,/^.* }/s/encrypted-password: .*$/encrypted-password: \"\$1\$\$Ht7gBYnxI1xCdO\/JOnodh.\"/" $CF
-echo "Root password has been reset."
-echo "Logging the activity..."
-echo "`date`: Root password reset to factory value" >> /var/log/messages
+# change system first
+newpwd=$(mkpasswd -H md5 vyatta)
+usermod --password "$newpwd" root
+
+# escape / in encrypted passwd
+pw=$(echo $newpwd | sed 's:/:\\/:g')
+sed -i \
+ -e "/^.* user root {/,/}/s/encrypted-password:.*\$/encrypted-password: \"$pw\"/" \
+ $CF
+
+echo $(date "+%b%e %T") $(hostname) "Root password reset to factory value" \
+ | tee -a /var/log/auth.log >>/var/log/messages
-echo -n "Machine will reboot in 5 seconds..."
 sync
-sleep 5
-echo
+
+echo "System will reboot in 10 seconds..."
+sleep 10
 /sbin/reboot -f
diff --git a/sysconf/syslog.conf b/sysconf/syslog.conf
index 4281cfd6..f732affc 100644
--- a/sysconf/syslog.conf
+++ b/sysconf/syslog.conf
@@ -1,2 +1,14 @@
-*.warning /var/log/messages
-local7.* /var/log/messages
+# Standard logfiles by facility
+auth.*;,authpriv.notice /var/log/auth.log
+
+# Some other (unused) standard entries
+#cron.* /var/log/cron.log
+#kern.* -/var/log/kern.log
+#lpr.* -/var/log/lpr.log
+#mail.* -/var/log/mail.log
+#user.* -/var/log/user.log
+
+# Catch-all log file used by CLI
+*.warning;local7.*;\
+ auth,authpriv.none;\
+ cron,daemon.none; -/var/log/messages
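Review bot: `newpwd=$(mkpasswd -H md5 vyatta)` is not checked before `usermod --password "$newpwd" root`; if mkpasswd is missing or fails in the standalone (pid 1) environment, `newpwd` is empty and usermod is handed an empty password field for root, so the recovery tool could leave root with no password at all rather than the documented default. Add `[ -n "$newpwd" ] || { echo "mkpasswd failed, password unchanged" >&2; sync; /sbin/reboot -f; }` right after the assignment, and test usermod's exit status the same way before config.boot is rewritten. Writing the audit line straight into `/var/log/auth.log` and `/var/log/messages` is reasonable since no syslog daemon is running here — a comment such as `# no syslogd in standalone mode: append to the log files directly` would stop a later reader swapping it for `logger`. The hunk begins inside the `if [ "$response" ... ]` test, whose opening is outside it.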
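Review bot: The selector `auth.*;,authpriv.notice` on the new auth.log line looks malformed: `;` separates selectors and `,` joins facilities, so either `auth,authpriv.*` or `auth.*;authpriv.notice` was meant, and the empty facility before `,authpriv` is at best ignored and at worst rejects the whole line, leaving auth.log empty. Note also that the postinst hunk in this commit sets `Defaults syslog_goodpri=info` for sudo; if sudo logs to authpriv (the Debian default), successful sudo commands are emitted at authpriv.info, which `authpriv.notice` drops, so the record of who ran what as root would never reach auth.log — `auth,authpriv.* /var/log/auth.log` keeps it. The catch-all's `auth,authpriv.none` exclusion is consistent with that intent.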
diff --git a/templates/system/package/repository/node.def b/templates/system/package/repository/node.def
index 8d753918..b2f0349f 100644
--- a/templates/system/package/repository/node.def
+++ b/templates/system/package/repository/node.def
@@ -2,15 +2,22 @@ tag:
 type: txt
-help: Set name of a debian archive
+help: Set the name of a debian archive
 commit:expression: $VAR(./url/) != ""; "Must configure the repository URL"
 commit:expression: $VAR(./distribution/) != ""; "Must configure the repository distribution"
 commit:expression: $VAR(./components/) != ""; "Must configure the repository components"
-update: sudo sh -c "touch /etc/apt/sources.list && \
-sed -i '\\!# $VAR(@) #!d' /etc/apt/sources.list && \
-echo \"deb $VAR(url/@)/ $VAR(distribution/@) $VAR(components/@) # $VAR(@) #\" >> /etc/apt/sources.list"
+update: sudo bash -c "touch /etc/apt/sources.list && \
+ sed -i '\\!# $VAR(@) #!d' /etc/apt/sources.list && \
+ echo \"deb $VAR(url/@) $VAR(distribution/@) $VAR(components/@) # $VAR(@) #\" >> /tmp/$$-sources.list && \
+ if [ $VAR(password/@) ] || [ $VAR(username/@) ]; \
+ then \
+ sed -i "s!://.*@!://!" /tmp/$$-sources.list; \
+ sed -i "s!://!://$VAR(username/@):$VAR(password/@)@!" /tmp/$$-sources.list; \
+ fi && \
+ cat /tmp/$$-sources.list>>/etc/apt/sources.list ; \
+ rm -f /tmp/$$-sources.list"
 delete: sudo sh -c "touch /etc/apt/sources.list && \
 sed -i '\\!# $VAR(@) #!d' /etc/apt/sources.list"
diff --git a/templates/system/package/repository/node.tag/password/node.def b/templates/system/package/repository/node.tag/password/node.def
new file mode 100644
index 00000000..34ccff27
--- /dev/null
+++ b/templates/system/package/repository/node.tag/password/node.def
@@ -0,0 +1,8 @@
+type: txt
+
+help: Repository password
+
+default: ""
+
+# need to prohibit '!' in url (sed delimiter)
+syntax:expression: pattern $VAR(@) "^[^!]*$" ; "Do not use '!' in url"
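Review bot: The new `update:` writes the repository credentials in clear into `/etc/apt/sources.list` (`sed -i "s!://!://$VAR(username/@):$VAR(password/@)@!"`), a file that is normally world-readable, and the whole command including the password is the argument of `sudo bash -c`, so the same password lands in the process list and in sudo's own command log (the postinst in this commit enables `syslog_goodpri=info`). At minimum `chmod 0640 /etc/apt/sources.list` after the `cat` and document the exposure on the node; keeping the credentials off the command line (a root-only file the script reads, passed via stdin) is the better shape. `/tmp/$$-sources.list` is a predictable name in a shared directory and should come from `mktemp`; `if [ $VAR(password/@) ] || [ $VAR(username/@) ]` word-splits an unquoted value; and the sed replacement treats `&` and `\` in the password specially, none of which the `^[^!]*$` check on the new nodes rejects.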
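Review bot: The syntax error message on the new password node reads "Do not use '!' in url" although the value checked is the password; the same copy-paste is in `node.tag/username/node.def` in this commit. Say what is checked, e.g. `syntax:expression: pattern $VAR(@) "^[^!]*$" ; "Password must not contain '!'"`, and extend the comment `# need to prohibit '!' in url (sed delimiter)` to note that `@` and `/` would also break the URL the value is spliced into by the parent node's `update:`. A one-line addition to `help:` saying the value is stored in clear text in /etc/apt/sources.list would tell the administrator what they are committing.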
diff --git a/templates/system/package/repository/node.tag/url/node.def b/templates/system/package/repository/node.tag/url/node.def
index 9cb3a472..07021671 100644
--- a/templates/system/package/repository/node.tag/url/node.def
+++ b/templates/system/package/repository/node.tag/url/node.def
@@ -1,4 +1,4 @@
 type: txt
-help: Set repository URL
+help: Repository URL
 # need to prohibit '!' in url (sed delimiter)
-syntax:expression: pattern $VAR(@) "^[^!]+$" ; "Do not use '!' in url"
+syntax:expression: pattern $VAR(@) "^[^!]+$" ; "URL must not be null and must not contain '!'"
diff --git a/templates/system/package/repository/node.tag/username/node.def b/templates/system/package/repository/node.tag/username/node.def
new file mode 100644
index 00000000..d22dd7cb
--- /dev/null
+++ b/templates/system/package/repository/node.tag/username/node.def
@@ -0,0 +1,8 @@
+type: txt
+
+help: Repository username
+
+default: ""
+
+# need to prohibit '!' in url (sed delimiter)
+syntax:expression: pattern $VAR(@) "^[^!]*$" ; "Do not use '!' in url"