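#!/bin/bash
#
# Post-installation setup for the Vyatta config system: disables the init
# scripts of daemons Vyatta manages itself, installs the udev network rules
# link, adds the Vyatta sudoers entries, merges the SSH blacklists, installs
# the logrotate cron entry and fixes up bash completion, sshd and PAM.
#
# The @name@ tokens are build-time placeholders (presumably filled in by
# configure); nothing here runs until they have been substituted.
prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

# remove init of daemons that we start/stop
for init in ntp ssh snmpd openhpid vyatta-keepalived ipvsadm dnsmasq ddclient; do
    update-rc.d -f "$init" remove >/dev/null
done

# Pick the udev rules file name so it sorts just before the persistent-net
# rules file used by this udev version (default when it cannot be detected).
# stderr is dropped so a missing write_net_rules just falls through to '*'.
case $(grep '^RULES_FILE=' /lib/udev/write_net_rules 2>/dev/null) in
    *z25_persistent-net.rules* )
        vyatta_net_rules=z24_vyatta-net.rules;;
    *70-persistent-net.rules* )
        vyatta_net_rules=69-vyatta-net.rules;;
    * )
        vyatta_net_rules=21-vyatta-net.rules;;
esac
ln -sf ../vyatta-net.rules "/etc/udev/rules.d/$vyatta_net_rules"

if [ "$sysconfdir" != "/etc" ]; then
    # sudo refuses a sudoers file that is not mode 0440, so when the file is
    # missing create it with that mode instead of relying on touch + umask.
    if [ ! -e /etc/sudoers ]; then
        install -m 0440 -o root -g root /dev/null /etc/sudoers
    fi
    cp -p /etc/sudoers /etc/sudoers.bak

    # for "admin" level
    sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
    if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
        # printf rather than echo -e; the line holds a '%' so it must not be
        # the format string.
        printf '\n%s\n' '%sudo ALL=NOPASSWD: ALL' >> /etc/sudoers
    fi

    # cleanup any old entries from previous versions
    sed -i /etc/sudoers \
        -e '/### BEGIN VYATTA/,/### END VYATTA/d' \
        -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
        -e '/sudo-users/d' \
        -e '/env_keep+=VYATTA/d' || true

    # Add Vyatta entries (quoted delimiter: no expansion of the '*' globs)
    cat <<'EOF' >>/etc/sudoers
### BEGIN VYATTA
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*
Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
/sbin/iptables -L -vn,\
/sbin/iptables -L * -vn,\
/sbin/iptables -t * -L -vn, \
/sbin/iptables -Z *,\
/sbin/iptables -Z -t nat
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
/sbin/ip route flush cache *,\
/sbin/ip neigh flush to *, \
/sbin/ip neigh flush dev *
Cmnd_Alias ETHTOOLP = /usr/sbin/ethtool -p *
Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff
Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOLP, IPFLUSH, \
PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, /usr/bin/lsof
EOF
    # unquoted delimiter: ${bindir} is expanded here
    cat <<EOF >>/etc/sudoers
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF

    # A syntactically broken sudoers locks everyone out of sudo, so validate
    # the edited file and fall back to the backup instead of leaving it.
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f /etc/sudoers; then
        printf '%s\n' "postinst: /etc/sudoers failed validation, restoring backup" >&2
        cp -p /etc/sudoers.bak /etc/sudoers
        exit 1
    fi

    # set up blacklists: install the shipped list, or merge it into an
    # existing one when its first line is not already present there.
    for f in blacklist.DSA-1024 blacklist.RSA-2048; do
        src="$sysconfdir/$f"
        dst="/etc/ssh/$f"
        if [ -r "$dst" ]; then
            l=$(head -n 1 -- "$src")
            # the first line is literal text, not a regex, hence -F
            if ! grep -qF -- "$l" "$dst"; then
                # sort reads all its input before opening -o, so merging in
                # place is safe and keeps the existing file's owner and mode
                # (a mktemp + mv replacement would leave a 0600 file).
                sort -o "$dst" -- "$dst" "$src"
            fi
        else
            cp -- "$src" "$dst"
        fi
    done
fi

# update crontab for logrotate: rebuild /etc/crontab without any existing
# logrotate line, append ours, then replace it atomically. The temp file
# lives next to the target so the final mv stays on one filesystem.
newcron=$(mktemp /etc/crontab.XXXXXX) || exit 1
grep -v logrotate /etc/crontab > "$newcron"
printf '%s\n' "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> "$newcron"
chmod 0644 "$newcron"
mv -f -- "$newcron" /etc/crontab
# NOTE(review): this loads the system crontab (which has a user column) as
# root's per-user crontab, whose format has no such column; kept as in the
# original, but confirm it is intended.
crontab /etc/crontab

# create needed directories
mkdir -p /var/log/{user,vrrpd}
touch /etc/environment

if [ ! -f /etc/bash_completion ]; then
    printf '%s\n' "source /etc/bash_completion.d/10vyatta-op" \
                  "source /etc/bash_completion.d/20vyatta-cfg" > /etc/bash_completion
fi
sed -i 's/^set /builtin set /' /etc/bash_completion

/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server

# Fix up PAM configuration for login so that invalid users are prompted
# for password
# rootfsdir is not set anywhere in this script, so this edits the live
# /etc/pam.d/login; the expansion is kept for callers that export it.
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' "${rootfsdir:-}/etc/pam.d/login"

# The previous `[ grep ... ]` form was a malformed test that always failed,
# so the blacklist line was appended on every run. -s hides a missing file.
if ! grep -qs 'blacklist.*snd-pcsp' /etc/modprobe.d/blacklist; then
    printf '%s\n' "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
fi

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: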