1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
#!/bin/bash
prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@
# remove init of daemons that we start/stop
for init in ntp ssh snmpd openhpid vyatta-keepalived ipvsadm dnsmasq ddclient; do
update-rc.d -f ${init} remove >/dev/null
done
case `grep '^RULES_FILE=' /lib/udev/write_net_rules` in
*z25_persistent-net.rules* )
vyatta_net_rules=z24_vyatta-net.rules;;
*70-persistent-net.rules* )
vyatta_net_rules=69-vyatta-net.rules;;
* )
vyatta_net_rules=21-vyatta-net.rules;;
esac
ln -sf ../vyatta-net.rules /etc/udev/rules.d/$vyatta_net_rules
if [ "$sysconfdir" != "/etc" ]; then
touch /etc/sudoers
cp -p /etc/sudoers /etc/sudoers.bak
# for "admin" level
sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
fi
# cleanup any old entries from previous versions
sed -i /etc/sudoers \
-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
-e '/sudo-users/d' \
-e '/env_keep+=VYATTA/d' || true
# Add Vyatta entries
cat <<"EOF" >>/etc/sudoers
### BEGIN VYATTA
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*
Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
/sbin/iptables -L -vn,\
/sbin/iptables -L * -vn,\
/sbin/iptables -t * -L -vn, \
/sbin/iptables -Z *,\
/sbin/iptables -Z -t nat
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
/sbin/ip route flush cache *,\
/sbin/ip neigh flush to *, \
/sbin/ip neigh flush dev *, \
/sbin/ip -f inet6 route flush cache, \
/sbin/ip -f inet6 route flush cache *,\
/sbin/ip -f inet6 neigh flush to *, \
/sbin/ip -f inet6 neigh flush dev *
Cmnd_Alias ETHTOOL = /usr/sbin/ethtool -p *, \
/usr/sbin/ethtool -S *, \
/usr/sbin/ethtool -a *, \
/usr/sbin/ethtool -c *, \
/usr/sbin/ethtool -i *
Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, \
PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
/usr/bin/lsof, /usr/sbin/conntrack
EOF
cat <<EOF >>/etc/sudoers
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF
# set up blacklists
for f in blacklist.DSA-1024 blacklist.RSA-2048; do
if [ -r "/etc/ssh/$f" ]; then
l=$(head -1 $sysconfdir/$f)
if ! grep -q "$l" /etc/ssh/$f; then
tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
mv $tmp /etc/ssh/$f
fi
else
cp $sysconfdir/$f /etc/ssh/$f
fi
done
fi
# update crontab for logrotate
grep -v logrotate /etc/crontab>/etc/crontab.$$
echo "*/10 * * * * root /usr/sbin/logrotate /etc/logrotate.conf" >> /etc/crontab.$$
rm /etc/crontab
mv /etc/crontab.$$ /etc/crontab
crontab /etc/crontab
# create needed directories
mkdir -p /var/log/{user,vrrpd}
touch /etc/environment
if [ ! -f /etc/bash_completion ]; then
echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi
sed -i 's/^set /builtin set /' /etc/bash_completion
/usr/sbin/dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null
# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
[ grep "blacklist.*snd-pcsp" >&/dev/null ] || echo "blacklist snd-pcsp" >>/etc/modprobe.d/blacklist
#
# Ask mdadm to call our own event handling daemon
#
if [ -e /etc/default/mdadm ]; then
sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
fi
# --following is added to resolve issues related to bug 3567 on upgrade from hollywood to islavista--
# back-up existing /etc/syslog.conf file in hollywood which might be broken
# and replace it with the default syslog.conf in islavista. when system restarts
# after upgrade, whatever is configured in CLI will be written to syslog.conf
#
cp -p /etc/syslog.conf /etc/syslog.conf.bak
cp -f /opt/vyatta/etc/syslog.conf /etc/syslog.conf
# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient
# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End:
|