From 22b1e03e3b042e1899ef31d9759f88c87a3ab58e Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 15:30:52 -0700 Subject: add ssh key blacklists --- debian/vyatta-cfg-system.postinst.in | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 6e5fa735..26ae9a02 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -66,6 +66,20 @@ EOF %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF + + # set up blacklists + for f in blacklist.DSA-1024 blacklist.RSA-2048; do + if [ -r "/etc/ssh/$f" ]; then + l=$(head -1 $sysconfdir/$f) + if ! grep -q "$l" /etc/ssh/$f; then + tmp=$(mktemp /tmp/bl.XXXXXXXXXX) + cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp + mv $tmp /etc/ssh/$f + fi + else + cp $sysconfdir/$f /etc/ssh/$f + fi + done fi # update crontab for logrotate @@ -87,6 +101,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion +/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server + # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login -- cgit v1.2.3 From aed20563b004d8c274b8a3f72d161cf75bcf4e4c Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Mon, 13 Oct 2008 19:09:57 -0700 Subject: remove unused files --- debian/vyatta-cfg-system.postinst.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 26ae9a02..53fa062c 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in 
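Review bot: The merge test `if ! grep -q "$l" /etc/ssh/$f` looks only for the first line of the shipped blacklist, so once that one fingerprint is present (a partial earlier merge, an overlapping upstream file) any further fingerprints in an updated blacklist are never added, and the rest of the loop leaves `$sysconfdir/$f`, `$tmp` and `/etc/ssh/$f` unquoted. `mktemp` also creates `$tmp` with mode 0600, so after the `mv` the merged blacklist is readable by root only; whether other readers depend on the previous mode is not visible here. A simpler, idempotent merge is to always `sort -u` both files and rewrite only when the result differs, writing through the existing file so its mode is kept. The enclosing `if` block begins before the hunk.
```shell
if [ -r "/etc/ssh/$f" ]; then
    tmp=$(mktemp /tmp/bl.XXXXXXXXXX) || exit 1
    sort -u "/etc/ssh/$f" "$sysconfdir/$f" >"$tmp"
    # rewrite in place only when the merge adds entries, keeping the file's mode
    if ! cmp -s "$tmp" "/etc/ssh/$f"; then
        cat "$tmp" >"/etc/ssh/$f"
    fi
    rm -f -- "$tmp"
else
    # … unchanged: copy the shipped blacklist into place …
fi
```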
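Review bot: `/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server` runs unconditionally and its exit status is ignored, so if openssh-server is not yet configured when this postinst runs (dpkg guarantees that ordering only for a declared dependency) the call fails silently and nothing records it. The line also carries no comment saying why it is needed; presumably it is meant to regenerate host keys after the blacklists above are installed, which is worth stating next to it. I would guard it as `if [ "$1" = configure ] && dpkg-query -W -f '${Status}' openssh-server 2>/dev/null | grep -q 'ok installed'; then /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server || echo 'warning: dpkg-reconfigure openssh-server failed' >&2; fi`.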
@@ -102,6 +102,8 @@ fi sed -i 's/^set /builtin set /' /etc/bash_completion /usr/sbin/dpkg-reconfigure -f noninteractive openssh-server +rm -f /etc/ssh/*.broken +update-rc.d -f ssh remove >/dev/null # Fix up PAM configuration for login so that invalid users are prompted # for password -- cgit v1.2.3 From 6a2393d8053ab9ff9651a6f9c3b243cced7e4439 Mon Sep 17 00:00:00 2001 From: Bob Gilligan Date: Tue, 14 Oct 2008 13:54:35 -0700 Subject: Bugfix: 3744 When a new member is added to a RAID group that holds the root filesystem, we need to re-install grub so that the new disk will be bootable. But this can only be done after the RAID set has completed rebuilding. Added mechanism that uses the event notification infrastructure of "mdadm" to trigger the re-installation of grub after the rebuild completes. --- debian/vyatta-cfg-system.postinst.in | 7 +++ scripts/vyatta-raid-event | 104 +++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+) create mode 100644 scripts/vyatta-raid-event (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 53fa062c..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -111,6 +111,13 @@ sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $root [ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist +# +# Ask mdadm to call our own event handling daemon +# +if [ -e /etc/default/mdadm ]; then + sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm +fi + # Local Variables: # mode: shell-script # sh-indentation: 4 diff --git a/scripts/vyatta-raid-event b/scripts/vyatta-raid-event new file mode 100644 index 00000000..f279a57d --- /dev/null +++ b/scripts/vyatta-raid-event 
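Review bot: `update-rc.d -f ssh remove >/dev/null` disables the distribution's ssh init script at boot, a service-visibility change that the commit subject "remove unused files" does not describe and the hunk does not comment, so a reader cannot tell from here what starts sshd afterwards. Add a comment naming the mechanism that is expected to start sshd instead, and report failure rather than discarding the output: `update-rc.d -f ssh remove >/dev/null || echo 'warning: could not remove ssh rc links' >&2`. `rm -f /etc/ssh/*.broken` is fine as written; with no match the literal pattern is passed to `rm -f`, which ignores it.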
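Review bot: The `sed` only rewrites an existing `DAEMON_OPTIONS=` line; if /etc/default/mdadm has the option commented out or absent, nothing is set and vyatta-raid-event is never invoked, with no indication anywhere. After the sed add a fallback: `grep -q '^DAEMON_OPTIONS=' /etc/default/mdadm || echo 'DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"' >>/etc/default/mdadm`. The substitution also discards any options an administrator had set, and the running mdadm monitor presumably keeps its old options until it is restarted, which the hunk does not do. Unrelated to this change, the context line `[ grep "blacklist.*snd-pcsp" >&/dev/null ]` above it never runs grep (it is a two-argument `test`), so its `||` branch appends the blacklist entry on every run.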
@@ -0,0 +1,104 @@
+#!/bin/bash
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006, 2007 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Bob Gilligan
+# Date: 2008
+# Description: A script to handle events from the Linux Software RAID
+# subsystem.
+#
+# **** End License ****
+#
+# This script is called by the "mdadm" daemon running in "monitor" mode
+# whenever an event occurs in in the RAID subsytem. The script is called
+# with two or three arguments: The first argument is always the name of
+# the event, e.g. "RebuildFinished". The second argument is the name of
+# the RAID set device that the event pertains to, e.g. "/dev/md0". The
+# third argument is provided for some events, and gives the name of the
+# RAID set member that the event pertains to, e.g. "/dev/sda2".
+#
+# See the mdadm(8) man page for more details on the events that it provides.
+#
+
+# Script will be called with 2 or 3 arguments, depending on the event
+if [ $# -lt 2 ]; then
+ logger -t "RAID" -p local0.warning "vyatta-raid-event: Error: Not enough args: $*"
+ # We can't do anything if we don't know event and RAID device it
+ # pertains to.
+ exit 1
+fi
+if [ $# -gt 3 ]; then
+ logger -t "RAID" -p local0.warning "vyatta-raid-event: Warning: too many args: $*"
+ # Be Robust: Try to complete task with args we know about
+fi
+
+event=$1
+raid_set=$2
+
+case $event in
+
+ RebuildFinished)
+ logger -t "RAID" -p local0.warning "event ${event} ${raid_set}"
+
+ # We need to update grub at the time that a resync completes
+ # on the root filesystem so that the new member disk will be
+ # bootable.
+ mounted_on=`mount | grep "^${raid_set}" | awk '{ print $3 }'`
+ if [ "$mounted_on" = "/" ]; then
+ raid_set_dev=${raid_set##*/}
+ if [ -e /sys/block/${raid_set_dev}/md/degraded ]; then
+ degraded=`cat /sys/block/${raid_set_dev}/md/degraded`
+ else
+ degraded=0
+ fi
+ if [ $degraded -eq 0 ]; then
+ drive=${member_to_add%%[0-9]*}
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} holds root filesystem. Updating grub."
+ touch /tmp/raid-grub-install-log
+ grub-install --no-floppy --recheck --root-directory=/ ${raid_set} \
+ >> /tmp/raid-grub-install-log 2>&1
+ if [ $? -ne 0 ]; then
+ logger -t "RAID" -p local0.warning \
+ "grub-installed failed for $raid_set"
+ fi
+ else
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} is still degraded. No action taken."
+ fi
+ else
+ logger -t "RAID" -p local0.warning \
+ "RAID set ${raid_set} does not hold root filesystem. No action taken"
+ fi
+ ;;
+
+ DeviceDisappeared | RebuildStarted | Rebuild?? | NewArray | \
+ DegradedArray | MoveSpare | SparesMissing | TestMessage)
+ logger -t "RAID" -p local0.warning \
+ "event ${event} ${raid_set}: No action taken"
+ ;;
+
+ Fail | FailSpare | SpareActive)
+ member=$3
+ logger -t "RAID" -p local0.warning \
+ "event ${event} ${raid_set} ${member}: No action taken"
+ ;;
+
+ *)
+ logger -t "RAID" -p local0.warning \
+ "event ${event} unknown. No action taken"
+ ;;
+
+ esac
-- cgit v1.2.3
From 25438666015dc5ea9695f5172b0f4925c3ae2d9a Mon Sep 17 00:00:00 2001
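Review bot: `drive=${member_to_add%%[0-9]*}` reads a variable that is never assigned anywhere in the script, so `drive` is always empty and is never used; drop the line, or derive `member_to_add` from `$3` if the grub step is meant to target the new member. The root check `mount | grep "^${raid_set}"` is a prefix match, so `/dev/md0` would also match `/dev/md01` or a partition of it; compare the whole field instead: `mounted_on=$(mount | awk -v dev="$raid_set" '$1 == dev { print $3 }')`. Writing root's `grub-install` output to the fixed path `/tmp/raid-grub-install-log` in a world-writable directory lets an unprivileged local user pre-create that name and have root append to a file they chose; keep the log under a root-only directory such as /var/log, or pipe the output through `logger`. Several other expansions (`$*`, `$degraded`, `${raid_set}`) are unquoted, which matters little for mdadm-supplied device names but is worth fixing while here.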
From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:30:57 -0700 Subject: Block remote access to rpc-bind port Use hosts.deny to block access to portmapper Bugfix 3767 --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..498e431f 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,8 +80,17 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done + + # block external rpc access + if ! grep -q "^portmap" /etc/hosts.deny + then cat <<-EOF >>/etc/hosts.deny + # Disable rpc access from other hosts + portmap: ALL + EOF + fi fi + # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 From 540cf454c6f7a5595a0fce42906f2656dc10cc9f Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Wed, 15 Oct 2008 13:47:03 -0700 Subject: Revert "Block remote access to rpc-bind port" This change isn't needed. This reverts commit 25438666015dc5ea9695f5172b0f4925c3ae2d9a. --- debian/vyatta-cfg-system.postinst.in | 9 --------- 1 file changed, 9 deletions(-) (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 498e431f..21d7ff32 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -80,17 +80,8 @@ EOF cp $sysconfdir/$f /etc/ssh/$f fi done - - # block external rpc access - if ! grep -q "^portmap" /etc/hosts.deny - then cat <<-EOF >>/etc/hosts.deny - # Disable rpc access from other hosts - portmap: ALL - EOF - fi fi - # update crontab for logrotate grep -v logrotate /etc/crontab>/etc/crontab.$$ echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$ -- cgit v1.2.3 
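Review bot: `portmap: ALL` in hosts.deny, as far as I can tell, also rejects connections from 127.0.0.1 unless hosts.allow already lists them, so local RPC clients would be refused along with remote ones; if this is reinstated (the following commit reverts it) it needs a matching `portmap: 127.0.0.1` in /etc/hosts.allow, or the rule should read `portmap: ALL EXCEPT 127.0.0.1`. The heredoc uses `<<-EOF`, which strips leading tabs only; with the whitespace collapsed here I cannot tell whether the body and the closing `EOF` are tab-indented, and if they are space-indented the terminator is not recognised and the rest of the postinst is swallowed into the heredoc. The enclosing `if` block begins before the hunk.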
From 556580381ed0008c463aa0dd109f839f140f3443 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Wed, 22 Oct 2008 02:01:03 -0700 Subject: Fix Bug 3567 Debug messages are not logged by default on upgraded system - copy over default islavista syslog.conf during upgrade from hollywood --- debian/vyatta-cfg-system.postinst.in | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'debian/vyatta-cfg-system.postinst.in') diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 21d7ff32..e9541dbe 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -118,6 +118,15 @@ if [ -e /etc/default/mdadm ]; then sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm fi +# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista-- +# back-up existing /etc/syslog.conf file in hollywood which might be broken +# and replace it with the default syslog.conf in islavista. when system restarts +# after upgrade, whatever is configured in CLI will be written to syslog.conf +# + +cp -p /etc/syslog.conf /etc/syslog.conf.bak +cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf + # Local Variables: # mode: shell-script # sh-indentation: 4 -- cgit v1.2.3
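Review bot: The two `cp` lines run on every invocation of this postinst (fresh install, reinstall, reconfigure, every later upgrade), not only on the hollywood-to-islavista upgrade the comment describes, so each run clobbers the current /etc/syslog.conf and overwrites the previous .bak with it. Gate it on the maintainer-script arguments: `if [ "$1" = configure ] && [ -n "$2" ] && dpkg --compare-versions "$2" lt "<FIRST_ISLAVISTA_VERSION>"; then … fi`, with the placeholder replaced by the first islavista package version. Since `cp -p` fails when /etc/syslog.conf is absent, the backup copy is also worth guarding with `[ -f /etc/syslog.conf ] &&`.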