summaryrefslogtreecommitdiff
path: root/debian/vyatta-cfg-system.postinst.in
blob: 1f0b133ea05c980b7c783663525bd65b921cdd9b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#!/bin/bash

prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

# remove init of daemons that are controlled by Vyatta configuration process
for init in ntp ssh snmpd openhpid \
            vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd
do
  update-rc.d -f ${init} remove >/dev/null
done

# remove extra call to clock setup only need one. this speeds up boot 
# Mystery: why does Debian do it twice?
if [ -L /etc/rcS.d/S08hwclockfirst.sh -a -L /etc/rcS.d/S11hwclock.sh ]; then
    rm /etc/rcS.d/S11hwclock.sh
fi

# Udev package asks for user 'tss' early in boot process.
#  Want to avoid going out to remote services to look for this local user
if ! grep -q '^tss' /etc/passwd; then
    adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
fi

# Make sure root account can not be used for login by turning off password
usermod -p ! root

case `grep '^RULES_FILE=' /lib/udev/write_net_rules` in
*z25_persistent-net.rules* )
	vyatta_net_rules=z24_vyatta-net.rules;;
*70-persistent-net.rules* )
	vyatta_net_rules=69-vyatta-net.rules;;
* )
	vyatta_net_rules=21-vyatta-net.rules;;
esac

ln -sf ../vyatta-net.rules /etc/udev/rules.d/$vyatta_net_rules

if [ "$sysconfdir" != "/etc" ]; then
    touch /etc/sudoers
    cp -p /etc/sudoers /etc/sudoers.bak

    # enable ssh banner
    sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
    # make sure PermitRoot is off
    sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config

    # for "admin" level
    sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
    if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
	echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
    fi

    # cleanup any old entries from previous versions
    sed -i /etc/sudoers \
	-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
	-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
	-e '/sudo-users/d' \
	-e '/env_keep+=VYATTA/d' || true

    # Add Vyatta entries
    cat <<"EOF" >>/etc/sudoers
### BEGIN VYATTA 
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*

Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
		      /sbin/iptables -L -vn,\
                      /sbin/iptables -L * -vn,\
		      /sbin/iptables -t * -L *, \
                      /sbin/iptables -Z *,\
		      /sbin/iptables -Z -t nat, \
                      /sbin/iptables -t * -Z *
Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
                       /sbin/ip6tables -t * -L *
Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
                       /usr/sbin/conntrack -G *, \
		       /usr/sbin/conntrack -E *
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
		     /sbin/ip route flush cache *,\
		     /sbin/ip neigh flush to *, \
		     /sbin/ip neigh flush dev *, \
                     /sbin/ip -f inet6 route flush cache, \
		     /sbin/ip -f inet6 route flush cache *,\
		     /sbin/ip -f inet6 neigh flush to *, \
		     /sbin/ip -f inet6 neigh flush dev * 
Cmnd_Alias ETHTOOL = /usr/sbin/ethtool -p *, \
                     /usr/sbin/ethtool -S *, \
                     /usr/sbin/ethtool -a *, \
                     /usr/sbin/ethtool -c *, \
                     /usr/sbin/ethtool -i *
Cmnd_Alias DISK    = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
Cmnd_Alias DATE    = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
Cmnd_Alias HWINFO   = /usr/bin/lspci
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                        DISK, CONNTRACK, IP6TABLES
EOF
    cat <<EOF >>/etc/sudoers
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF

    # set up blacklists
    for f in blacklist.DSA-1024 blacklist.RSA-2048; do
        if [ -r "/etc/ssh/$f" ]; then
            l=$(head -1 $sysconfdir/$f)
            if ! grep -q "$l" /etc/ssh/$f; then
                tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
                cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
                mv $tmp /etc/ssh/$f
            fi
        else
            cp $sysconfdir/$f /etc/ssh/$f
        fi
    done

    # purge off ancient devfs stuff from /etc/securetty
    cp $sysconfdir/securetty /etc/securetty

    for f in issue issue.net; do
	if [ ! -e /etc/$f.old ]; then
            cp $sysconfdir/$f /etc/$f
        fi
    done

    # Install pamradius config (should come with radius client eventually)
    cp $sysconfdir/pam_radius.cfg /usr/share/pam-configs/radius

    cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
fi

# create needed directories
mkdir -p /var/log/user

touch /etc/environment

if [ ! -f /etc/bash_completion ]; then
  echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
  echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi

sed -i 's/^set /builtin set /' /etc/bash_completion

dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null

# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login

# Change default shell for new accounts
sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf

# Do not allow users to change full name field (controlled by Vyatta config)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs

# Only allow root to use passwd command
if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
    sed -i -e '/^@include/i \
password	requisite pam_succeed_if.so user = root
' /etc/pam.d/passwd
fi

# Block pc speaker driver to keep system quiet
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist

#
# Ask mdadm to call our own event handling daemon
#
if [ -e /etc/default/mdadm ]; then
    sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
fi

# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista--
# back-up existing /etc/syslog.conf file in hollywood which might be broken
# and replace it with the default syslog.conf in islavista. when system restarts 
# after upgrade, whatever is configured in CLI will be written to syslog.conf
# 

cp -p /etc/syslog.conf /etc/syslog.conf.bak
cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf

# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: