1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
|
#!/bin/bash
prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@
# remove init of daemons that are controlled by Vyatta configuration process
for init in ntp ssh snmpd openhpid logd \
vyatta-keepalived ipvsadm dnsmasq ddclient radvd hostapd conntrackd
do
update-rc.d -f ${init} remove >/dev/null
done
# remove extra call to clock setup only need one. this speeds up boot
# Mystery: why does Debian do it twice?
if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then
rm /etc/rcS.d/S*hwclock.sh
fi
# Udev package asks for user 'tss' early in boot process.
# Want to avoid going out to remote services to look for this local user
if ! grep -q '^tss' /etc/passwd; then
adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
fi
# Remove leftover udev files from earlier release
if [ -d /etc/udev/rules.d/ ]; then
rm -f /etc/udev/rules.d/*vyatta-net.rules
fi
# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files
rm -f /etc/logrotate.d/rsyslog
# Force screenblanker to be off, it can be enabled later if desired
if [ -f /etc/console-tools/config ]; then
sed -i -e '/^POWERDOWN/s/=.*$/=0/' \
-e '/^BLANK_TIME/s/=.*$/=0/' \
-e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config
fi
if [ "$sysconfdir" != "/etc" ]; then
touch /etc/sudoers
cp -p /etc/sudoers /etc/sudoers.bak
# enable ssh banner
sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
# make sure PermitRoot is off
sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
# make sure PasswordAuthentication is on
sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config
sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
# add HostKeys for protocol version 1
if ! grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then
echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config
echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config
fi
# add UseDNS line
sed -i '/^UseDNS/d' /etc/ssh/sshd_config
echo 'UseDNS yes' >>/etc/ssh/sshd_config
# for "admin" level
sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
fi
# cleanup any old entries from previous versions
sed -i /etc/sudoers \
-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
-e '/sudo-users/d' \
-e '/env_keep+=VYATTA/d' || true
# Add Vyatta entries
cat <<"EOF" >>/etc/sudoers
### BEGIN VYATTA
Defaults syslog_goodpri=info
Defaults env_keep+=VYATTA_*
Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
/sbin/iptables -L -vn,\
/sbin/iptables -L * -vn,\
/sbin/iptables -t * -L *, \
/sbin/iptables -Z *,\
/sbin/iptables -Z -t nat, \
/sbin/iptables -t * -Z *
Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
/sbin/ip6tables -t * -L *
Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
/usr/sbin/conntrack -G *, \
/usr/sbin/conntrack -E *
Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
/sbin/ip route flush cache *,\
/sbin/ip neigh flush to *, \
/sbin/ip neigh flush dev *, \
/sbin/ip -f inet6 route flush cache, \
/sbin/ip -f inet6 route flush cache *,\
/sbin/ip -f inet6 neigh flush to *, \
/sbin/ip -f inet6 neigh flush dev *
Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
/sbin/ethtool -S *, \
/sbin/ethtool -a *, \
/sbin/ethtool -c *, \
/sbin/ethtool -i *
Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
Cmnd_Alias HWINFO = /usr/bin/lspci
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
DISK, CONNTRACK, IP6TABLES
EOF
cat <<EOF >>/etc/sudoers
%users ALL=NOPASSWD: ${bindir}/sudo-users/
### END VYATTA
EOF
# set up blacklists
for f in blacklist.DSA-1024 blacklist.RSA-2048; do
if [ -r "/etc/ssh/$f" ]; then
l=$(head -1 $sysconfdir/$f)
if ! grep -q "$l" /etc/ssh/$f; then
tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
mv $tmp /etc/ssh/$f
fi
else
cp $sysconfdir/$f /etc/ssh/$f
fi
done
# purge off ancient devfs stuff from /etc/securetty
cp $sysconfdir/securetty /etc/securetty
for f in issue issue.net; do
if [ ! -e /etc/$f.old ]; then
cp $sysconfdir/$f /etc/$f
fi
done
cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
# Set file capabilities
sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \
while read capability path; do
touch -c $path
setcap $capability $path
done
# Install pam_cap config
cp $sysconfdir/capability.conf /etc/security/capability.conf
# Install our own version of rsyslog.conf without
# default targets
mv /etc/rsyslog.conf /etc/rsyslog.conf.orig
cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf
# Install own version of cpufrequtils config
cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils
fi
# create needed directories
mkdir -p /var/log/user
mkdir -p /var/core
mkdir -p /opt/vyatta/etc/config/auth
mkdir -p /opt/vyatta/etc/config/scripts
mkdir -p /opt/vyatta/etc/config/user-data
# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above
if [ ! -x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then
touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
#!/bin/sh
# This script is called from /etc/rc.local on boot after the Vyatta
# configuration is fully applied. Any modifications done to work around
# unfixed bugs and implement enhancements which are not complete in the Vyatta
# system can be placed here.
EOF
fi
# call vyatta-postconfig-bootup.script from /etc/rc.local
if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \
/etc/rc.local
then
cat <<EOF >>/etc/rc.local
# Do not remove the following call to vyatta-postconfig-bootup.script.
# Any boot time workarounds should be put in script below so that they
# get preserved for the new image during image upgrade.
sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
EOF
sh -c "sed -i -e '/exit 0/d' /etc/rc.local"
cat <<EOF >>/etc/rc.local
exit 0
EOF
fi
touch /etc/environment
if [ ! -f /etc/bash_completion ]; then
echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi
sed -i 's/^set /builtin set /' /etc/bash_completion
dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null
# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
# Change default shell for new accounts
sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
# Do not allow users to change full name field (controlled by Vyatta config)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
# Only allow root to use passwd command
if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
sed -i -e '/^@include/i \
password requisite pam_succeed_if.so user = root
' /etc/pam.d/passwd
fi
#
# Ask mdadm to call our own event handling daemon
#
if [ -e /etc/default/mdadm ]; then
sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
fi
# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient
# remove old init that should have been cleaned up during upgrade but isn't
if [ -f /etc/init.d/vyatta-ofr ]; then
update-rc.d -f /etc/init.d/vyatta-ofr remove
rm -f /etc/init.d/vyatta-ofr
fi
# comply with Squeeze version of modprobe
# remove old versions of files during upgrade
for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6
do
if [ -f /etc/modprobe.d/${modprobe} ]; then
mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf
fi
done
# add vyatta-config-reboot-params to start at boot up
update-rc.d vyatta-config-reboot-params defaults
# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End:
|