From 959adf45fad678bfd7bf3de15033753c95ade2fb Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Thu, 2 Oct 2008 23:02:11 -0700 Subject: Fix Bug 3609 - "show tech-support" does not display open file information for operator level user - add lsof to sudoers file for use by an operator level user --- debian/vyatta-cfg-system.postinst.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 925edcb5..46a7b5c7 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -60,7 +60,7 @@ Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump %operator ALL=NOPASSWD: /sbin/reboot, DATE, IPTABLES, ETHTOOLP, IPFLUSH, \ - PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon + PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, /usr/bin/lsof EOF cat <>/etc/sudoers %users ALL=NOPASSWD: ${bindir}/sudo-users/ -- cgit v1.2.3 From 764d9b48880b321e166dce8941bedd87733cbf7d Mon Sep 17 00:00:00 2001 From: rbalocca Date: Fri, 3 Oct 2008 16:09:42 -0700 Subject: Fix for bug http://bugzilla.vyatta.com/show_bug.cgi?id=3735 --- debian/vyatta-cfg-system.postinst.in | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in index 925edcb5..d2ca0a95 100644 --- a/debian/vyatta-cfg-system.postinst.in +++ b/debian/vyatta-cfg-system.postinst.in @@ -91,6 +91,7 @@ sed -i 's/^set /builtin set /' /etc/bash_completion # for password sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login +[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist # Local Variables: # mode: shell-script -- cgit v1.2.3 From 41a724bb81b713ab86430c34ccbc9171cdd9d4d0 Mon Sep 17 00:00:00 2001 
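Review bot: In debian/vyatta-cfg-system.postinst.in the `%operator` rule now lists `/usr/bin/lsof` with no argument restriction, so every operator can run it as root with any options and no password, not only the invocation that "show tech-support" uses. sudoers allows a command to be followed by the exact arguments permitted; if the tech-support script calls a fixed form, pin it, e.g. `/usr/bin/lsof ""` when it is run without arguments. Root-level lsof also shows the operator role the open files and sockets of every process, which is worth a comment above the rule so the grant is a recorded decision. The heredoc that writes the sudoers text starts outside the hunk.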
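Review bot: The added blacklist line in debian/vyatta-cfg-system.postinst.in never runs grep: inside `[ ... ]` the word `grep` and the pattern are arguments to test, which evaluates as a failed expression (any message hidden by `>&/dev/null`), so the `||` branch fires and appends another `blacklist snd-pcsp` entry each time the postinst executes. grep is also given no file to search. Use grep itself as the condition: `grep -q "blacklist.*snd-pcsp" /etc/modprobe.d/blacklist 2>/dev/null || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist`. The sed just above edits `$rootfsdir/etc/pam.d/login` while this line writes to `/etc/modprobe.d/blacklist` directly; confirm which root is intended.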
From: Mohit Mehta Date: Mon, 6 Oct 2008 17:17:34 -0700 Subject: don't poll resolv files for nameserver changes - it messes up statistics we already make sure that nameservers are re-reread when any change from any configured source of nameservers happen --- scripts/dns-forwarding/vyatta-dns-forwarding.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/dns-forwarding/vyatta-dns-forwarding.pl b/scripts/dns-forwarding/vyatta-dns-forwarding.pl index 38f5ee67..6cdcfaa0 100644 --- a/scripts/dns-forwarding/vyatta-dns-forwarding.pl +++ b/scripts/dns-forwarding/vyatta-dns-forwarding.pl @@ -50,6 +50,7 @@ sub dnsforwarding_get_constants { chomp $date; $output = "#\n# autogenerated by vyatta-dns-forwarding.pl on $date\n#\n"; $output .= "log-facility=/var/log/dnsmasq.log\n"; + $output .= "no-poll\n"; system("rm -f /var/log/dnsmasq.log; touch /var/log/dnsmasq.log"); return $output; } -- cgit v1.2.3 From 7232e04d5d021f60e4cf6463328c165f19d56c6c Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Tue, 7 Oct 2008 17:10:25 +0200 Subject: Change allow-root nodes to boolean These are boolean, not text fields. Only allowed value is true/false --- templates/service/ssh/allow-root/node.def | 8 +++++--- templates/service/telnet/allow-root/node.def | 10 +++++----- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def index 9aa98826..058735ed 100644 --- a/templates/service/ssh/allow-root/node.def +++ b/templates/service/ssh/allow-root/node.def @@ -1,7 +1,6 @@ -type: txt +type: bool default: false help: Enable/disable root login over ssh -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" update: if [ \"$VAR(@)\" == \"true\" ]; then sudo ed - /etc/ssh/sshd_config <<-"EOF" /^PermitRootLogin/s/no/yes/ 
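Review bot: The added `no-poll` line in dnsforwarding_get_constants has no comment recording the invariant it creates: once dnsmasq stops watching the resolv files, a nameserver change reaches it only if the code path that made the change also triggers a re-read. The commit message says every configured source already does this, but nothing at this line tells a maintainer adding a new source that it must do so too, and a missed path would leave forwarding on stale upstream servers. Add a comment above the line, e.g. `# no-poll: dnsmasq does not watch resolv files; every nameserver source must trigger a re-read itself`. The sub begins above the hunk.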
@@ -13,4 +12,7 @@ update: if [ \"$VAR(@)\" == \"true\" ]; then wq EOF fi - /bin/true +comp_help: possible completions: + true Allow root to login over ssh + false Don't allow root to login over ssh(default) + diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def index 347a9476..e01763b6 100644 --- a/templates/service/telnet/allow-root/node.def +++ b/templates/service/telnet/allow-root/node.def @@ -1,9 +1,7 @@ -type: txt +type: bool default: false help: Enable/disable root login -syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" - update: pids=`who -u | awk -F " " '{print $7}'` for i in $pids do @@ -20,7 +18,6 @@ update: pids=`who -u | awk -F " " '{print $7}'` else sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null fi - /bin/true delete: pids=`who -u | awk -F " " '{print $7}'` for i in $pids @@ -33,4 +30,7 @@ delete: pids=`who -u | awk -F " " '{print $7}'` fi done sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null - /bin/true + +comp_help: possible completions: + true Allow root to login via telnet + false Don't allow root to login via telnet(default) -- cgit v1.2.3 From 2d73e504545f05cd7b9a7f561e319d1f21ee8bcc Mon Sep 17 00:00:00 2001 From: slioch Date: Tue, 7 Oct 2008 17:49:01 -0700 Subject: Revert "Change allow-root nodes to boolean" This reverts commit 7232e04d5d021f60e4cf6463328c165f19d56c6c. --- templates/service/ssh/allow-root/node.def | 8 +++----- templates/service/telnet/allow-root/node.def | 10 +++++----- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/templates/service/ssh/allow-root/node.def b/templates/service/ssh/allow-root/node.def index 058735ed..9aa98826 100644 --- a/templates/service/ssh/allow-root/node.def +++ b/templates/service/ssh/allow-root/node.def 
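Review bot: Dropping the trailing `/bin/true` from the `update:` action in templates/service/ssh/allow-root/node.def makes the action's exit status that of the last command inside the `if`, so an `ed` substitution that finds nothing to change would presumably turn into a failed commit. The same removal in templates/service/telnet/allow-root/node.def (hunks at -20,7 and -33,4) leaves `sudo mv -f /etc/securetty.allow-root /etc/securetty` as the final command of `update:` and `delete:`, and that mv fails whenever the backup file does not exist, which looks like the default state where root was never allowed. Make the commands idempotent rather than relying on either outcome, e.g. `[ ! -f /etc/securetty.allow-root ] || sudo mv -f /etc/securetty.allow-root /etc/securetty`. The `if` branches start outside these hunks, so the exact conditions are not visible here.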
@@ -1,6 +1,7 @@ -type: bool +type: txt default: false help: Enable/disable root login over ssh +syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" update: if [ \"$VAR(@)\" == \"true\" ]; then sudo ed - /etc/ssh/sshd_config <<-"EOF" /^PermitRootLogin/s/no/yes/ @@ -12,7 +13,4 @@ update: if [ \"$VAR(@)\" == \"true\" ]; then wq EOF fi -comp_help: possible completions: - true Allow root to login over ssh - false Don't allow root to login over ssh(default) - + /bin/true diff --git a/templates/service/telnet/allow-root/node.def b/templates/service/telnet/allow-root/node.def index e01763b6..347a9476 100644 --- a/templates/service/telnet/allow-root/node.def +++ b/templates/service/telnet/allow-root/node.def @@ -1,7 +1,9 @@ -type: bool +type: txt default: false help: Enable/disable root login +syntax:expression: $VAR(@) in "true", "false" ; "must be true or false" + update: pids=`who -u | awk -F " " '{print $7}'` for i in $pids do @@ -18,6 +20,7 @@ update: pids=`who -u | awk -F " " '{print $7}'` else sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null fi + /bin/true delete: pids=`who -u | awk -F " " '{print $7}'` for i in $pids @@ -30,7 +33,4 @@ delete: pids=`who -u | awk -F " " '{print $7}'` fi done sudo mv -f /etc/securetty.allow-root /etc/securetty >&/dev/null - -comp_help: possible completions: - true Allow root to login via telnet - false Don't allow root to login via telnet(default) + /bin/true -- cgit v1.2.3 From d9ba657ceb39904efa09cbddc73ab38d517f5c7f Mon Sep 17 00:00:00 2001 From: An-Cheng Huang Date: Wed, 8 Oct 2008 14:07:56 -0700 Subject: fix xen grub setup --- scripts/vyatta-grub-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/vyatta-grub-setup b/scripts/vyatta-grub-setup index 1bf47dde..c37bf7a8 100755 --- a/scripts/vyatta-grub-setup +++ b/scripts/vyatta-grub-setup 
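Review bot: The restored `/bin/true` at the end of the `update:` action in templates/service/ssh/allow-root/node.def forces success, so a failed `ed` edit of /etc/ssh/sshd_config is reported as a successful commit; in the disable direction that would leave `PermitRootLogin yes` in effect while the configuration shows `false`. The restored `/bin/true` lines in the telnet template (hunks at -18,6 and -30,7) hide a failed `mv` of /etc/securetty in the same way. Rather than masking the status, check the outcome of the security-relevant path, e.g. follow the edit on the `false` branch with `grep -q '^PermitRootLogin no' /etc/ssh/sshd_config` and let that decide the exit status. The branches themselves lie outside the hunk, so this is inferred from the visible `ed` script and the trailing `/bin/true`.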
@@ -76,7 +76,7 @@ kernel_versions=$(ls $ROOTFSDIR/boot/vmlinuz-* 2> /dev/null | grep -v xen | awk # get xen kernel info xen_kernel_version=$(ls $ROOTFSDIR/boot/vmlinuz*xen 2> /dev/null | awk -F/ '{ print $5 }' | sed 's/vmlinuz//g' | sort -r) -xen_version=$(ls $ROOTFSDIR/boot/xen-* 2> /dev/null | awk -F/ '{ print $5 }' | sort -r) +xen_version=$(ls $ROOTFSDIR/boot/xen-*.gz 2> /dev/null | head -1 | awk -F/ '{ print $5 }' | sort -r) # Figure out whether we are running on the serial or KVM console: if [ "`tty`" == "/dev/ttyS0" ]; then -- cgit v1.2.3 From 5e806c8e42e1b70675916963e14cc0fe5928ec07 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Thu, 9 Oct 2008 16:56:29 +0200 Subject: Set correct mode on configuration mode Set configuration file to be owned by administrator and writable by all admins in configuration mode and visible by public. --- scripts/install-system | 3 ++- scripts/vyatta_net_name | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/install-system b/scripts/install-system index 20b9f6a3..a6bfd127 100644 --- a/scripts/install-system +++ b/scripts/install-system @@ -781,8 +781,9 @@ copy_config () { mkdir -p $rootfsdir$ofrconfdir # create the proper perms on the new config partition + chown vyatta $rootfsdir$ofrconfdir chgrp vyattacfg $rootfsdir$ofrconfdir - chmod 775 $rootfsdir$ofrconfdir + chmod 664 $rootfsdir$ofrconfdir # create our config partition marker touch $rootfsdir$ofrconfdir/.vyatta_config diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index 0a96ebb8..f67c2349 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -57,8 +57,9 @@ done if [ ! -f $BOOTFILE ] ; then cp $DEFAULT_BOOTFILE $BOOTFILE + chown vyatta $BOOTFILE chgrp vyattacfg $BOOTFILE - chmod 660 $BOOTFILE + chmod 664 $BOOTFILE fi shopt -s extglob nullglob -- cgit v1.2.3 From 2e20a0901c98266daec3056b0226d4672942bcad Mon Sep 17 00:00:00 2001 
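Review bot: In the new `xen_version` pipeline in scripts/vyatta-grub-setup, `head -1` runs before `sort -r`, so it keeps the first name in ls order and the reverse sort is left with a single line to work on. If the intent is to prefer the highest version, as the `sort -r` suggests, sort first and truncate afterwards: `... | awk -F/ '{ print $5 }' | sort -r | head -1`. The `awk -F/ '{ print $5 }'` field also depends on how many path components `$ROOTFSDIR` has, which `basename` would not.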
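Review bot: `chmod 664 $rootfsdir$ofrconfdir` in copy_config (scripts/install-system) is applied to a directory, the one created by the `mkdir -p` just above, and 664 clears the search bits, so no non-root user, including the new `vyatta` owner and the `vyattacfg` group, can enter it or reach `.vyatta_config` inside. A directory that owner and group must write to needs the execute bit: `chmod 775 $rootfsdir$ofrconfdir`, or `770` if other accounts should not list the config partition. copy_config starts and continues outside the hunk.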
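Review bot: `chmod 664 $BOOTFILE` in scripts/vyatta_net_name makes the boot configuration readable by every local account, where the previous `660` limited it to the owner and the `vyattacfg` group. A router configuration usually carries password hashes and protocol keys, so the world-read bit exposes them to any role that can log in; the commit message states public visibility as a goal, which makes this a decision to confirm rather than a slip. If the aim is only to give administrators ownership, `chown vyatta $BOOTFILE` with the mode left at `660` achieves that without widening read access.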
From: Stephen Hemminger Date: Fri, 10 Oct 2008 00:39:22 +0200 Subject: Revert "Set correct mode on configuration mode" This reverts commit 5e806c8e42e1b70675916963e14cc0fe5928ec07. There are passwords (like Tcp md5) that should not be displayed to operator. --- scripts/install-system | 3 +-- scripts/vyatta_net_name | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/install-system b/scripts/install-system index a6bfd127..20b9f6a3 100644 --- a/scripts/install-system +++ b/scripts/install-system @@ -781,9 +781,8 @@ copy_config () { mkdir -p $rootfsdir$ofrconfdir # create the proper perms on the new config partition - chown vyatta $rootfsdir$ofrconfdir chgrp vyattacfg $rootfsdir$ofrconfdir - chmod 664 $rootfsdir$ofrconfdir + chmod 775 $rootfsdir$ofrconfdir # create our config partition marker touch $rootfsdir$ofrconfdir/.vyatta_config diff --git a/scripts/vyatta_net_name b/scripts/vyatta_net_name index f67c2349..0a96ebb8 100755 --- a/scripts/vyatta_net_name +++ b/scripts/vyatta_net_name @@ -57,9 +57,8 @@ done if [ ! -f $BOOTFILE ] ; then cp $DEFAULT_BOOTFILE $BOOTFILE - chown vyatta $BOOTFILE chgrp vyattacfg $BOOTFILE - chmod 664 $BOOTFILE + chmod 660 $BOOTFILE fi shopt -s extglob nullglob -- cgit v1.2.3
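Review bot: In scripts/vyatta_net_name the restored sequence creates `$BOOTFILE` with `cp` and only afterwards narrows it with `chgrp` and `chmod 660`, so between those commands the file carries whatever mode the source file and the umask produce. Given the commit message's concern about secrets in the configuration, create the file with its final group and mode in one step, e.g. `install -g vyattacfg -m 660 $DEFAULT_BOOTFILE $BOOTFILE`, or set `umask 007` before the `cp`. The variables are also unquoted, so a path containing whitespace would be split.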