#!/bin/bash prefix=@prefix@ exec_prefix=@exec_prefix@ sysconfdir=@sysconfdir@ bindir=@bindir@ sbindir=@sbindir@ # remove init of daemons that are controlled by Vyatta configuration process for init in ntp ssh snmpd openhpid logd \ ipvsadm dnsmasq ddclient radvd hostapd conntrackd do update-rc.d -f ${init} remove >/dev/null done # remove extra call to clock setup only need one. this speeds up boot # Mystery: why does Debian do it twice? if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then rm /etc/rcS.d/S*hwclock.sh fi # Udev package asks for user 'tss' early in boot process. # Want to avoid going out to remote services to look for this local user if ! grep -q '^tss' /etc/passwd; then adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss fi # Remove leftover udev files from earlier release if [ -d /etc/udev/rules.d/ ]; then rm -f /etc/udev/rules.d/*vyatta-net.rules fi # Remove rsyslog logrotate since it has hardcoded assumptions about syslog files rm -f /etc/logrotate.d/rsyslog # Force screenblanker to be off, it can be enabled later if desired if [ -f /etc/console-tools/config ]; then sed -i -e '/^POWERDOWN/s/=.*$/=0/' \ -e '/^BLANK_TIME/s/=.*$/=0/' \ -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config fi if [ "$sysconfdir" != "/etc" ]; then touch /etc/sudoers cp -p /etc/sudoers /etc/sudoers.bak # enable ssh banner sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config # make sure PermitRoot is off sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config # make sure PasswordAuthentication is on sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config # add HostKeys for protocol version 1 if ! grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config fi # add UseDNS line sed -i '/^UseDNS/d' /etc/ssh/sshd_config echo 'UseDNS yes' >>/etc/ssh/sshd_config # for "admin" level sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers fi # cleanup any old entries from previous versions sed -i /etc/sudoers \ -e '/### BEGIN VYATTA/,/### END VYATTA/d' \ -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \ -e '/sudo-users/d' \ -e '/env_keep+=VYATTA/d' || true # Add Vyatta entries cat <<"EOF" >>/etc/sudoers ### BEGIN VYATTA Defaults syslog_goodpri=info Defaults env_keep+=VYATTA_* Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ /sbin/iptables -L -vn,\ /sbin/iptables -L * -vn,\ /sbin/iptables -t * -L *, \ /sbin/iptables -Z *,\ /sbin/iptables -Z -t nat, \ /sbin/iptables -t * -Z * Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ /sbin/ip6tables -t * -L * Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ /usr/sbin/conntrack -G *, \ /usr/sbin/conntrack -E * Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ /sbin/ip route flush cache *,\ /sbin/ip neigh flush to *, \ /sbin/ip neigh flush dev *, \ /sbin/ip -f inet6 route flush cache, \ /sbin/ip -f inet6 route flush cache *,\ /sbin/ip -f inet6 neigh flush to *, \ /sbin/ip -f inet6 neigh flush dev * Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ /sbin/ethtool -S *, \ /sbin/ethtool -a *, \ /sbin/ethtool -c *, \ /sbin/ethtool -i * Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump Cmnd_Alias HWINFO = /usr/bin/lspci Cmnd_Alias FORCE_CLUSTER = /usr/share/heartbeat/hb_takeover, \ /usr/share/heartbeat/hb_standby %operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ DISK, CONNTRACK, IP6TABLES, FORCE_CLUSTER EOF cat <>/etc/sudoers %users ALL=NOPASSWD: ${bindir}/sudo-users/ ### END VYATTA EOF # set up blacklists for f in blacklist.DSA-1024 blacklist.RSA-2048; do if [ -r "/etc/ssh/$f" ]; then l=$(head -1 $sysconfdir/$f) if ! grep -q "$l" /etc/ssh/$f; then tmp=$(mktemp /tmp/bl.XXXXXXXXXX) cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp mv $tmp /etc/ssh/$f fi else cp $sysconfdir/$f /etc/ssh/$f fi done # purge off ancient devfs stuff from /etc/securetty cp $sysconfdir/securetty /etc/securetty for f in issue issue.net; do if [ ! -e /etc/$f.old ]; then cp $sysconfdir/$f /etc/$f fi done cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf # Set file capabilities sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \ while read capability path; do touch -c $path setcap $capability $path done # Install pam_cap config cp $sysconfdir/capability.conf /etc/security/capability.conf # Install our own version of rsyslog.conf without # default targets mv /etc/rsyslog.conf /etc/rsyslog.conf.orig cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf # Install own version of cpufrequtils config cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils fi # create needed directories mkdir -p /var/log/user mkdir -p /var/core mkdir -p /opt/vyatta/etc/config/auth mkdir -p /opt/vyatta/etc/config/scripts mkdir -p /opt/vyatta/etc/config/user-data mkdir -p /opt/vyatta/etc/config/support chown -R root.vyattacfg /opt/vyatta/etc/config chmod -R 775 /opt/vyatta/etc/config # create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script # this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above if [ ! -x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script cat <>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script #!/bin/sh # This script is called from /etc/rc.local on boot after the Vyatta # configuration is fully applied. Any modifications done to work around # unfixed bugs and implement enhancements which are not complete in the Vyatta # system can be placed here. EOF fi # call vyatta-postconfig-bootup.script from /etc/rc.local if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \ /etc/rc.local then cat <>/etc/rc.local # Do not remove the following call to vyatta-postconfig-bootup.script. # Any boot time workarounds should be put in script below so that they # get preserved for the new image during image upgrade. sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script EOF sh -c "sed -i -e '/exit 0/d' /etc/rc.local" cat <>/etc/rc.local exit 0 EOF fi touch /etc/environment if [ ! -f /etc/bash_completion ]; then echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion fi sed -i 's/^set /builtin set /' /etc/bash_completion dpkg-reconfigure -f noninteractive openssh-server rm -f /etc/ssh/*.broken update-rc.d -f ssh remove >/dev/null # Fix up PAM configuration for login so that invalid users are prompted # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login # Change default shell for new accounts sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf # Do not allow users to change full name field (controlled by Vyatta config) sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs # Only allow root to use passwd command if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then sed -i -e '/^@include/i \ password requisite pam_succeed_if.so user = root ' /etc/pam.d/passwd fi # # Ask mdadm to call our own event handling daemon # if [ -e /etc/default/mdadm ]; then sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm fi # remove unnecessary ddclient script in /etc/ppp/ip-up.d/ # this logs unnecessary messages trying to start ddclient rm -f /etc/ppp/ip-up.d/ddclient # remove old init that should have been cleaned up during upgrade but isn't if [ -f /etc/init.d/vyatta-ofr ]; then update-rc.d -f /etc/init.d/vyatta-ofr remove rm -f /etc/init.d/vyatta-ofr fi # comply with Squeeze version of modprobe # remove old versions of files during upgrade for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6 do if [ -f /etc/modprobe.d/${modprobe} ]; then mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf fi done # add vyatta-config-reboot-params to start at boot up update-rc.d vyatta-config-reboot-params defaults # Local Variables: # mode: shell-script # sh-indentation: 4 # End: