diff options
| -rw-r--r-- | Makefile.am | 1 | ||||
| -rwxr-xr-x | scripts/install-system | 67 | ||||
| -rwxr-xr-x | scripts/vyatta-passwd-sync | 280 |
3 files changed, 339 insertions, 9 deletions
diff --git a/Makefile.am b/Makefile.am index 3ad950a8..c50c8560 100644 --- a/Makefile.am +++ b/Makefile.am @@ -16,6 +16,7 @@ sbin_SCRIPTS += scripts/rl-system.init sbin_SCRIPTS += scripts/install-system sbin_SCRIPTS += scripts/quick-install sbin_SCRIPTS += scripts/standalone_root_pw_reset +sbin_SCRIPTS += scripts/vyatta-passwd-sync sbin_SCRIPTS += scripts/system/vyatta_update_login.pl sbin_SCRIPTS += scripts/system/vyatta_update_logrotate.pl sbin_SCRIPTS += scripts/system/vyatta_update_resolv.pl diff --git a/scripts/install-system b/scripts/install-system index d11aca78..1259af3b 100755 --- a/scripts/install-system +++ b/scripts/install-system @@ -69,6 +69,13 @@ SPID=$$ # Path to standalone root password reset script PWRESET=/opt/vyatta/sbin/standalone_root_pw_reset +# Grub options +GRUB_OPTIONS="quiet" + +# Output to both console (last device is /dev/console) +VTY_CONSOLE="console=ttyS0,9600 console=tty0" +SERIAL_CONSOLE="console=tty0 console=ttyS0,9600" + # trap signals so we can kill runaway progress indicators trap 'progress_indicator stop; exit 1' 1 trap 'progress_indicator stop; exit 1' 2 @@ -95,7 +102,7 @@ get_response () { # get the response from the user read myresponse - myresponse=$(echo "$myresponse" | awk '{ printf (tolower($0)) }') + myresponse=$(echo "$myresponse" | tr [:upper:] [:lower:]) # Check to see if the user accepts the default if [ -z "$myresponse" ]; then @@ -157,6 +164,7 @@ get_drive_size () { echo $lsize } + # Probe hardrives not shown in /proc/partitions by default probe_drives () { # find IDE drives. Not all drives show up in /proc/partitions for @@ -209,7 +217,7 @@ select_drive () { size=$(get_drive_size $INSTALL_DRIVE) if [ $size -lt 11000 ] then - ISCF="ide=nodma" + GRUB_OPTIONS="$GRUB_OPTIONS ide=nodma" fi } @@ -527,6 +535,30 @@ copy_config () { fi } +change_password() { + local user=$1 + local pwd + read pwd + local epwd=$(mkpasswd -H md5 $pwd) + + sed -i \ + -e "/ user $user {/,/}/s/encrypted-password:.*\$/encrypted-password: \"$epwd\"/" \ + $rootfsdir$ofrconfdir/config.boot +} + +system_setup () { + echo -n "Would you like to set the passwords for system users (Yes/No) [Yes]: " + local response=$(get_response "Yes" "Yes No Y N") + + if [ "$response" == "yes" ] || [ "$response" == "y" ]; then + echo -n 'System adminstrator (root) password: ' + change_password root + echo -n 'Router adminstrator (vyatta) password: ' + change_password vyatta + fi +} + + # setup grub on the boot sector of a user queried drive install_grub () { orig_install_drive="$INSTALL_DRIVE" @@ -579,6 +611,17 @@ install_grub () { DEFAULT_CONSOLE="0" fi + # Read UUID off of filesystem and use it to tell GRUB where to mount drive + # This allows device to move around and grub will still find it + local rootdev="/dev/$ROOT_PARTITION"; + uuid=$(dumpe2fs -h $rootdev 2>/dev/null | awk '/^Filesystem UUID/ {print $3}') + if [ -z $uuid ] + then + GRUB_ROOT="root=$rootdev ro" + else + GRUB_ROOT="root=UUID=$uuid ro" + fi + ( # create the grub.cfg file for grub # The "default=" line selects which boot option will be used by default. @@ -606,7 +649,7 @@ install_grub () { if [ -f "/boot/vmlinuz" ]; then # Set first system boot option. Make KVM the default console in this one. echo -e "menuentry \"Vyatta OFR (KVM console)\" {" - echo -en "\tlinux /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0 \n" + echo -e "\tlinux /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $VTY_CONSOLE" echo -e "\tinitrd /boot/initrd.img" echo -e "}" @@ -614,7 +657,7 @@ install_grub () { # console in this one. echo echo -e "menuentry \"Vyatta OFR (Serial console)\" {" - echo -en "\tlinux /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=tty0 console=ttyS0,9600 \n" + echo -e "\tlinux /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $SERIAL_CONSOLE" echo -e "\tinitrd /boot/initrd.img" echo -e "}" fi @@ -626,7 +669,7 @@ install_grub () { echo echo -e "menuentry \"Vyatta Xen linux$xversion dom0\" {" echo -e "\tmultiboot /boot/$xen_version " - echo -en "\tmodule /boot/vmlinuz$xversion root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0 \n" + echo -e "\tmodule /boot/vmlinuz$xversion $GRUB_ROOT $GRUB_OPTIONS $VTY_CONSOLE" echo -e "\tmodule /boot/initrd.img$xversion" echo -e "}" done @@ -637,12 +680,12 @@ install_grub () { for kversion in $kernel_versions; do echo echo -e "menuentry \"Vyatta OFR linux$kversion (KVM console)\" {" - echo -en "\tlinux /boot/vmlinuz$kversion root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0 \n" + echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_ROOT $GRUB_OPTIONS $VTY_CONSOLE" echo -e "\tinitrd /boot/initrd.img$kversion" echo -e "}" echo echo -e "menuentry \"Vyatta OFR linux$kversion (Serial console)\" {" - echo -en "\tlinux /boot/vmlinuz$kversion root=/dev/$ROOT_PARTITION $ISCF console=tty0 console=ttyS0,9600 \n" + echo -e "\tlinux /boot/vmlinuz$kversion $GRUB_ROOT $GRUB_OPTIONS $SERIAL_CONSOLE" echo -e "\tinitrd /boot/initrd.img$kversion" echo -e "}" done @@ -653,13 +696,13 @@ install_grub () { echo echo -e "menuentry \"Root password reset to factory (KVM console)\" {" - echo -e "\tlinux /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=ttyS0,9600 console=tty0 init=$PWRESET" + echo -e "\tlinux /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $VTY_CONSOLE init=$PWRESET" echo -e "\tinitrd /boot/initrd.img" echo -e "}" echo echo -e "menuentry \"Root password reset to factory (Serial console)\" {" - echo -e "\tkernel /boot/vmlinuz root=/dev/$ROOT_PARTITION $ISCF console=tty0 console=ttyS0,9600 init=$PWRESET" + echo -e "\tkernel /boot/vmlinuz $GRUB_ROOT $GRUB_OPTIONS $SERIAL_CONSOLE init=$PWRESET" echo -e "\tinitrd /boot/initrd.img" echo -e "}" ) >"$rootfsdir/boot/grub/grub.cfg" @@ -937,6 +980,12 @@ install_root_filesystem "$ROOT_PARTITION" # Copy the config files copy_config "$CONFIG_PARTITION" +# Modify config to match system +# Assume user wants to keep password from old config +if [ ! -d /mnt/config ]; then + system_setup +fi + # check for xen part images in /var/xen setup_xen_partition_images diff --git a/scripts/vyatta-passwd-sync b/scripts/vyatta-passwd-sync new file mode 100755 index 00000000..29748b67 --- /dev/null +++ b/scripts/vyatta-passwd-sync @@ -0,0 +1,280 @@ +#! /usr/bin/perl +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2008 Vyatta, Inc. +# All Rights Reserved. +# **** End License **** + +use lib "/opt/vyatta/share/perl5/"; +use VyattaConfig; +use strict; +use Getopt::Long; + +my ( $resync, $verbose, $force, $check ); + +GetOptions( + "verbose" => \$verbose, + "resync" => \$resync, + "force" => \$force, + "check" => \$check, +); + +# +# These should move to VyattaConfig.pm?? +# + +sub add_node { + my ( $config, $level ) = @_; + $level =~ s/\//%2F/g; + $level =~ s/\s+/\//g; + + my $path = + $config->{_new_config_dir_base} + . $config->{_current_dir_level} . '/' + . $level; + if ( !-d $path ) { + mkdir $path or die "Can't make directory $path : $!\n"; + } +} + +sub set_node { + my ( $config, $level, $val ) = @_; + $level =~ s/\//%2F/g; + $level =~ s/\s+/\//g; + my $path = + $config->{_new_config_dir_base} + . $config->{_current_dir_level} . '/' + . $level; + + if ( !-d $path ) { + system("mkdir -p $path"); + } + + my $fname = $path . '/node.val'; + + open my $output, '>', $fname + or die "Can't open $fname: $!\n"; + print $output "$val\n"; + close $output; +} + +sub delete_node { + my ( $config, $level ) = @_; + $level =~ s/\//%2F/g; + $level =~ s/\s+/\//g; + my $path = + $config->{_new_config_dir_base} + . $config->{_current_dir_level} . '/' + . $level; + if ( -d $path ) { + system("rm -fr $path"); + } +} + +my $members; +( undef, undef, undef, $members ) = getgrnam('operator'); +my @operators = split( / /, $members ); + +( undef, undef, undef, $members ) = getgrnam('vyattacfg'); +my @admins = split( / /, $members ); + +sub get_user_level { + my $name = shift; + + return 'admin' if ( $name eq 'root' ); + + foreach my $id (@admins) { + return 'admin' if ( $id eq $name ); + } + + foreach my $id (@operators) { + return 'operator' if ( $id eq $name ); + } + + # If level indetermined returns undef +} + +my @field_names = + ( 'encrypted password', 'full name', 'home directory', 'level' ); + +sub system_vyatta_users { + my %users = (); + setpwent(); + while ( + my ( $name, $passwd, $uid, $gid, undef, $comment, undef, $home, $shell ) + = getpwent() ) + { + if ( $name eq 'root' || $shell eq '/bin/vbash' ) { + $users{$name} = [ $passwd, $comment, $home, get_user_level($name) ]; + } + } + endpwent(); + + return %users; +} + +sub listOrigUsers { + my $config = new VyattaConfig; + my %users = (); + + foreach my $name ( $config->listOrigNodes('system login user') ) { + $config->setLevel("system login user $name"); + + my $passwd = + $config->returnOrigValue('authentication encrypted-password'); + my $comment = $config->returnOrigValue('full-name'); + my $home = $config->returnOrigValue('home-directory'); + my $level = $config->returnOrigValue('level'); + $level = 'admin' if ( !defined $level ); + + $users{$name} = [ $passwd, $comment, $home, $level ]; + } + + return %users; +} + +sub check_config { + my %pwdusers = system_vyatta_users(); + my %vtyusers = listOrigUsers(); + my $exit_code = 0; + + if ($verbose) { + printf "System users: %s\n", join( ', ', keys %pwdusers ); + printf "Configured users: %s\n", join( ', ', keys %vtyusers ); + } + + while ( my ( $user, $fields ) = each(%vtyusers) ) { + my @pwd_fields = @{ $pwdusers{$user} }; + my @cfg_fields = @$fields; + + if (@pwd_fields) { + for ( my $i = 0 ; $i <= $#pwd_fields ; $i++ ) { + if ( $pwd_fields[$i] ne $cfg_fields[$i] ) { + printf "%s: %s mismatch: '%s' != '%s'\n", $user, + $field_names[$i], $pwd_fields[$i], $cfg_fields[$i]; + $exit_code = 1; + } + } + delete $pwdusers{$user}; + } + else { + print "$user: does not exist in system\n"; + $exit_code = 1; + } + } + + foreach my $user ( keys %pwdusers ) { + print "$user: does not exist in vyatta configuration\n"; + $exit_code = 1; + } + + exit $exit_code; +} + +sub listUsers { + my $config = new VyattaConfig; + my %users = (); + + foreach my $name ( $config->listOrigNodes('system login user') ) { + $config->setLevel("system login user $name"); + + my $passwd = + $config->returnOrigValue('authentication encrypted-password'); + my $comment = $config->returnOrigValue('full-name'); + my $home = $config->returnOrigValue('home-directory'); + my $level = $config->returnOrigValue('level'); + $level = 'admin' if ( !defined $level ); + + $users{$name} = [ $passwd, $comment, $home, $level ]; + } + + return %users; +} + +sub resync_config { + my %system_users = system_vyatta_users(); + my %vyatta_users = listUsers(); + my $config = new VyattaConfig; + + $config->setLevel('system login user'); + + foreach my $user ( keys %vyatta_users ) { + if ( !defined $system_users{$user} ) { + if ($force) { + print "Deleting user: $user\n" if ($verbose); + del_node( $config, $user ); + } + else { + print "user: $user does not exist in passwd file\n"; + } + } + } + + foreach my $user ( keys %system_users ) { + my ( $passwd, $comment, $home, $level ) = @{ $system_users{$user} }; + + if ( !defined $level ) { + print "user $user: could not determine level (incorrect groups)\n"; + next; + } + + my $existing = $vyatta_users{$user}; + if ( !defined $existing ) { + if ($force) { + print "Adding $user\n" if ($verbose); + add_node( $config, $user ); + } + else { + print "user: $user does not exist in vyatta config\n"; + next; + } + } + else { + my ( $opasswd, $ocomment, $ohome, $olevel ) = @{$existing}; + if ( $opasswd eq $passwd + && $ocomment eq $comment + && $ohome eq $home + && $olevel eq $level ) { + print "$user: no change\n" if ($verbose); + next; + } + else { + print "$user: fields don't match\n" if ($verbose); + } + } + + if ( $comment ne '' ) { + set_node( $config, "$user full-name", $comment ); + } + + set_node( $config, "$user authentication encrypted-password", $passwd ); + set_node( $config, "$user level", $level ); + set_node( $config, "$user home-directory", $home ); + } +} + +if ($check) { + check_config(); + exit 0; +} + +if ($resync) { + resync_config(); + exit 0; +} + +print <<EOF; +usage: vyatta-passwd-sync.pl [--verbose ] [--force ] --resync + vyatta-passwd-sync.pl [--verbose ] --check +EOF + +exit 1; |