#!/bin/bash

# Installation layout; the @...@ placeholders are filled in by configure.
prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

# remove init of daemons that we start/stop: these services are driven by
# the Vyatta configuration rather than by the distribution's runlevel links
managed_daemons=(ntp ssh snmpd openhpid vyatta-keepalived ipvsadm dnsmasq ddclient)
for init in "${managed_daemons[@]}"; do
  update-rc.d -f "$init" remove >/dev/null
done

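# Choose the file name for our udev network-rules symlink according to the
# persistent-net rules file this system's write_net_rules writes to
# (presumably so that the Vyatta rules sort just before it and are applied
# first -- confirm against the udev setup).  A missing write_net_rules or a
# missing RULES_FILE line falls through to the default name instead of
# printing a grep error.
rules_file_line=$(grep '^RULES_FILE=' /lib/udev/write_net_rules 2>/dev/null)
case "$rules_file_line" in
  *z25_persistent-net.rules*)
    vyatta_net_rules=z24_vyatta-net.rules
    ;;
  *70-persistent-net.rules*)
    vyatta_net_rules=69-vyatta-net.rules
    ;;
  *)
    vyatta_net_rules=21-vyatta-net.rules
    ;;
esac

ln -sf ../vyatta-net.rules "/etc/udev/rules.d/$vyatta_net_rules"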

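#######################################
# Install the Vyatta sudoers policy.
# Enables passwordless sudo for the "sudo" group (the "admin" level),
# strips entries left behind by earlier package versions, appends the
# operator/users entries, and finally checks that the result still parses:
# a sudoers file that sudo rejects disables sudo for every user.
# Globals:   bindir (read)
# Outputs:   warning on stderr if the generated file fails the visudo check
# Returns:   0
#######################################
install_vyatta_sudoers() {
    # sudo expects /etc/sudoers to be root-owned and mode 0440; a file
    # created here would otherwise just inherit the umask
    if [ ! -e /etc/sudoers ]; then
        touch /etc/sudoers
        chmod 0440 /etc/sudoers
    fi
    cp -p /etc/sudoers /etc/sudoers.bak

    # for "admin" level: members of the "sudo" group get unrestricted root
    # without a password, so membership of that group is equivalent to root
    sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
    if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
        printf '\n%%sudo ALL=NOPASSWD: ALL\n' >> /etc/sudoers
    fi

    # cleanup any old entries from previous versions; "|| true" keeps going
    # when none of the ranges is present
    sed -i /etc/sudoers \
        -e '/### BEGIN VYATTA/,/### END VYATTA/d' \
        -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
        -e '/sudo-users/d' \
        -e '/env_keep+=VYATTA/d' || true

    # Add Vyatta entries.  When reviewing this policy keep in mind that in
    # sudoers a "*" in a command spec matches any string, including further
    # options, so each wildcarded entry permits any argument list for that
    # tool, and that the capture tools run as root with unrestricted
    # arguments; keep the operator list to what the operator role needs.
    cat <<"EOF" >>/etc/sudoers
### BEGIN VYATTA 
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*

Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
		      /sbin/iptables -L -vn,\
                      /sbin/iptables -L * -vn,\
		      /sbin/iptables -t * -L -vn, \
                      /sbin/iptables -Z *,\
		      /sbin/iptables -Z -t nat
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
		     /sbin/ip route flush cache *,\
		     /sbin/ip neigh flush to *, \
		     /sbin/ip neigh flush dev *
Cmnd_Alias ETHTOOLP = /usr/sbin/ethtool -p *
Cmnd_Alias DATE    = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff
Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOLP, IPFLUSH, \
			PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, /usr/bin/lsof
EOF
    # The trailing "/" makes this a directory entry: every executable in
    # $bindir/sudo-users/ becomes runnable as root by the "users" group, so
    # that directory must stay writable by root only.
    cat <<EOF >>/etc/sudoers
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF

    # Roll back rather than leave a sudoers file that sudo will refuse
    if command -v visudo >/dev/null 2>&1 \
        && ! visudo -c -f /etc/sudoers >/dev/null 2>&1; then
        printf 'warning: generated /etc/sudoers failed the visudo check; restoring backup\n' >&2
        cp -p /etc/sudoers.bak /etc/sudoers
    fi
}

#######################################
# Merge the shipped ssh key blacklists into /etc/ssh.
# For each list the first line of the shipped file serves as a marker: if
# /etc/ssh already contains it the merge has been done; otherwise both
# files are sorted together into a new file that replaces the old one.
# A list missing from /etc/ssh is simply copied there.
# Globals:   sysconfdir (read)
# Outputs:   warning on stderr if a temp file cannot be created
# Returns:   0
#######################################
merge_ssh_blacklists() {
    local f marker tmp target
    for f in blacklist.DSA-1024 blacklist.RSA-2048; do
        target="/etc/ssh/$f"
        if [ ! -r "$target" ]; then
            cp -- "$sysconfdir/$f" "$target"
            continue
        fi
        marker=$(head -1 -- "$sysconfdir/$f")
        # -F: the marker is a literal line, not a regular expression
        if grep -qF -- "$marker" "$target"; then
            continue
        fi
        # Build the merged list beside the target so the final mv is a
        # rename rather than a copy out of /tmp, and carry the target's
        # mode over: mktemp creates the file 0600, which would otherwise
        # leave the installed list unreadable to non-root users (ssh
        # clients presumably consult it as well -- verify).
        tmp=$(mktemp "$target.XXXXXXXXXX") || {
            printf 'warning: cannot create temp file for %s\n' "$target" >&2
            continue
        }
        sort -- "$target" "$sysconfdir/$f" > "$tmp"
        chmod --reference="$target" "$tmp"
        mv -f -- "$tmp" "$target"
    done
}

#######################################
# Block portmap (rpc) access from other hosts through tcp wrappers, unless
# /etc/hosts.deny already carries a portmap entry.
# Globals:   none
# Returns:   0
#######################################
deny_external_rpc() {
    # -s: a missing hosts.deny counts as "no entry" rather than an error
    if grep -qs '^portmap' /etc/hosts.deny; then
        return 0
    fi
    cat <<-EOF >>/etc/hosts.deny
	# Disable rpc access from other hosts
	portmap: ALL
	EOF
}

# Presumably a sysconfdir other than /etc marks a real Vyatta install, and a
# plain "/etc" build is a layout where these system files must be left alone
# -- confirm.
if [ "$sysconfdir" != "/etc" ]; then
    install_vyatta_sudoers
    merge_ssh_blacklists
    deny_external_rpc
fi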


# update crontab for logrotate
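# update crontab for logrotate: replace any existing logrotate entry with
# ours.  The new file is assembled beside /etc/crontab and moved into place
# with a single rename, so there is never a moment without a system crontab
# (the previous rm-then-mv left one) and the temp name is not predictable.
crontab_tmp=$(mktemp /etc/crontab.XXXXXXXXXX) || exit 1
grep -v logrotate /etc/crontab > "$crontab_tmp"
printf '%s\n' '*/10 *	* * *	root	/usr/sbin/logrotate /etc/logrotate.conf' >> "$crontab_tmp"
# mktemp creates files 0600; the system crontab is normally world-readable
chmod 0644 "$crontab_tmp"
mv -f -- "$crontab_tmp" /etc/crontab
# NOTE(review): this loads /etc/crontab (which carries a user column) as
# root's per-user crontab; cron reads /etc/crontab on its own, so the line
# looks redundant at best -- confirm before removing it.
crontab /etc/crontab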

# create needed directories
# create needed directories
mkdir -p /var/log/{user,vrrpd}

touch /etc/environment

# Seed a minimal /etc/bash_completion when the system has none, so that
# the two Vyatta completion scripts are still loaded by interactive shells
if [ ! -f /etc/bash_completion ]; then
  {
    printf 'source %s\n' /etc/bash_completion.d/10vyatta-op
    printf 'source %s\n' /etc/bash_completion.d/20vyatta-cfg
  } > /etc/bash_completion
fi

# Make bash_completion call the "set" builtin explicitly (presumably because
# the Vyatta CLI shadows "set" with its own command -- confirm)
sed -i 's/^set /builtin set /' /etc/bash_completion

# Re-run openssh-server's package configuration non-interactively, remove
# any key files it set aside with a .broken suffix (presumably keys rejected
# by the package's blacklist check -- confirm), and drop the ssh init links
# again: reconfiguring the package may re-create the ones removed at the
# top of this script.
/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null

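# Fix up PAM configuration for login so that invalid users are prompted
# for password: a "requisite" pam_securetty ends the stack as soon as it
# fails, whereas "required" lets the remaining modules (and the password
# prompt) run before the failure is reported.
# NOTE(review): rootfsdir is never assigned in this script, so the target is
# /etc/pam.d/login unless the environment provides it -- confirm the intent.
pam_login="${rootfsdir:-}/etc/pam.d/login"
if [ -f "$pam_login" ]; then
  sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' "$pam_login"
fi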

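# Keep the PC-speaker driver from loading, adding the entry only once: the
# check must actually run grep against the blacklist file ("[ grep ... ]"
# is a malformed test that always fails, which appended a duplicate line on
# every install).  -s: a missing file counts as "no match", not an error.
# NOTE(review): newer modprobe reads only /etc/modprobe.d/*.conf, so this
# unsuffixed file may be ignored on current systems -- verify.
grep -qs 'blacklist.*snd-pcsp' /etc/modprobe.d/blacklist \
  || printf '%s\n' 'blacklist snd-pcsp' >>/etc/modprobe.d/blacklist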

#
# Ask mdadm to call our own event handling daemon
#
# Replaces the whole DAEMON_OPTIONS= line in mdadm's defaults file so the
# monitor logs to syslog and (presumably) hands array events to the Vyatta
# handler -- confirm against mdadm's --program semantics.  Only done when
# the defaults file exists, i.e. when mdadm appears to be installed.  "+"
# is used as the sed delimiter because the replacement contains "/".
if [ -e /etc/default/mdadm ]; then
    sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
fi

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: