debian/vyatta-cfg-system.postinst.in


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

#!/bin/bash

prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

# remove extra call to clock setup only need one. this speeds up boot
# Mystery: why does Debian do it twice?
if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then
    rm /etc/rcS.d/S*hwclock.sh
fi

# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files
rm -f /etc/logrotate.d/rsyslog

# Force screenblanker to be off, it can be enabled later if desired
if [ -f /etc/console-tools/config ]; then
    sed -i -e '/^POWERDOWN/s/=.*$/=0/' \
	   -e '/^BLANK_TIME/s/=.*$/=0/' \
	   -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config
fi

if [ "$sysconfdir" != "/etc" ]; then
    touch /etc/sudoers
    cp -p /etc/sudoers /etc/sudoers.bak

    # cleanup any old entries in /etc/sudoers from previous versions
    sed -i /etc/sudoers \
	-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
	-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
	-e '/sudo-users/d' \
	-e '/env_keep+=VYATTA/d' || true

    # Turn off Debian default for %sudo
    sed -i -e '/^%sudo/d' /etc/sudoers || true

    # Add Vyatta entries for sudoers
    cp $sysconfdir/sudoers /etc/sudoers.d/vyatta
    chmod 0440 /etc/sudoers.d/vyatta

    # purge off ancient devfs stuff from /etc/securetty
    cp $sysconfdir/securetty /etc/securetty

    # Set file capabilities
    sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \
    while read capability path; do
       touch -c $path
       setcap $capability $path
    done

    # Install pam_cap config
    cp $sysconfdir/capability.conf /etc/security/capability.conf

    # Install our own version of rsyslog.conf without
    # default targets
    mv /etc/rsyslog.conf /etc/rsyslog.conf.orig
    cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf
fi

# create needed directories
mkdir -p /var/log/user
mkdir -p /var/core
mkdir -p /opt/vyatta/etc/config/auth
mkdir -p /opt/vyatta/etc/config/scripts
mkdir -p /opt/vyatta/etc/config/user-data
mkdir -p /opt/vyatta/etc/config/support
chown -R root:vyattacfg /opt/vyatta/etc/config
chmod -R 775 /opt/vyatta/etc/config
mkdir -p /opt/vyatta/etc/logrotate
mkdir -p /opt/vyatta/etc/netdevice.d

# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above
if [ ! -x /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script ]; then
    touch /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
    chmod 755 /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
    cat <<EOF >>/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

EOF
fi

touch /etc/environment

if [ ! -f /etc/bash_completion ]; then
  echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
  echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi

sed -i 's/^set /builtin set /' /etc/bash_completion

dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null

# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login

# Change default shell for new accounts
sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf

# Do not allow users to change full name field (controlled by Vyatta config)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs

# Only allow root to use passwd command
if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
    sed -i -e '/^@include/i \
password	requisite pam_succeed_if.so user = root
' /etc/pam.d/passwd
fi

# Ask mdadm to call our own event handling daemon
# Don't start mdadm daemon when running on livecd
if [ -e /etc/default/mdadm ]; then
    sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
    sed -i 's/^START_DAEMON.*$/START_DAEMON=false/' /etc/default/mdadm
fi

# Disable reboot on ctrl-alt-delete
ln -sf /dev/null /lib/systemd/system/ctrl-alt-del.target

# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient

# remove old init that should have been cleaned up during upgrade but isn't
if [ -f /etc/init.d/vyatta-ofr ]; then
    update-rc.d -f /etc/init.d/vyatta-ofr remove
    rm -f /etc/init.d/vyatta-ofr
fi

# comply with Squeeze version of modprobe
# remove old versions of files during upgrade
for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6
do
  if [ -f /etc/modprobe.d/${modprobe} ]; then
      mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf
  fi
done

# add vyatta-config-reboot-params to start at boot up
update-rc.d vyatta-config-reboot-params start 20 S

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: