path: root/debian/vyatta-cfg-system.postinst.in

#!/bin/bash

prefix=@prefix@
exec_prefix=@exec_prefix@
sysconfdir=@sysconfdir@
bindir=@bindir@
sbindir=@sbindir@

# remove init of daemons that are controlled by Vyatta configuration process
for init in ntp ssh snmpd openhpid logd \
            ipvsadm dnsmasq ddclient radvd hostapd conntrackd
do
  update-rc.d -f ${init} remove >/dev/null
done

# remove extra call to clock setup only need one. this speeds up boot 
# Mystery: why does Debian do it twice?
if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then
    rm /etc/rcS.d/S*hwclock.sh
fi

# Udev package asks for user 'tss' early in boot process.
#  Want to avoid going out to remote services to look for this local user
if ! grep -q '^tss' /etc/passwd; then
    adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
fi

# Remove leftover udev files from earlier release
if [ -d /etc/udev/rules.d/ ]; then
    rm -f /etc/udev/rules.d/*vyatta-net.rules
fi

# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files
rm -f /etc/logrotate.d/rsyslog

# Force screenblanker to be off, it can be enabled later if desired
if [ -f /etc/console-tools/config ]; then
    sed -i -e '/^POWERDOWN/s/=.*$/=0/' \
	   -e '/^BLANK_TIME/s/=.*$/=0/' \
	   -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config
fi

if [ "$sysconfdir" != "/etc" ]; then
    touch /etc/sudoers
    cp -p /etc/sudoers /etc/sudoers.bak

    # enable ssh banner
    sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
    # make sure PermitRoot is off
    sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
    # make sure PasswordAuthentication is on
    sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config
    sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config

    # add HostKeys for protocol version 1
    if ! grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then
	echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config
	echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config
    fi

    # add UseDNS line
    sed -i '/^UseDNS/d' /etc/ssh/sshd_config
    echo 'UseDNS yes' >>/etc/ssh/sshd_config

    # cleanup any old entries in /etc/sudoers from previous versions
    sed -i /etc/sudoers \
	-e '/### BEGIN VYATTA/,/### END VYATTA/d' \
	-e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
	-e '/sudo-users/d' \
	-e '/env_keep+=VYATTA/d' || true

    # Turn off Debian default for %sudo
    sed -i -e '/^%sudo/d' /etc/sudoers || true

    # Add Vyatta entries for sudoers
    cp $sysconfdir/sudoers /etc/sudoers.d/vyatta
    chmod 0440 /etc/sudoers.d/vyatta

    # set up blacklists
    for f in blacklist.DSA-1024 blacklist.RSA-2048; do
        if [ -r "/etc/ssh/$f" ]; then
            l=$(head -1 $sysconfdir/$f)
            if ! grep -q "$l" /etc/ssh/$f; then
                tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
                cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
                mv $tmp /etc/ssh/$f
            fi
        else
            cp $sysconfdir/$f /etc/ssh/$f
        fi
    done

    # purge off ancient devfs stuff from /etc/securetty
    cp $sysconfdir/securetty /etc/securetty

    for f in issue issue.net; do
	if [ ! -e /etc/$f.old ]; then
            cp $sysconfdir/$f /etc/$f
        fi
    done

    cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf

     # Set file capabilities
    sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \
    while read capability path; do 
       touch -c $path
       setcap $capability $path
    done

    # Install pam_cap config
    cp $sysconfdir/capability.conf /etc/security/capability.conf

    # Install our own version of rsyslog.conf without
    # default targets
    mv /etc/rsyslog.conf /etc/rsyslog.conf.orig
    cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf

    # Install own version of cpufrequtils config
    cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils
fi

# create needed directories
mkdir -p /var/log/user
mkdir -p /var/core
mkdir -p /opt/vyatta/etc/config/auth
mkdir -p /opt/vyatta/etc/config/scripts
mkdir -p /opt/vyatta/etc/config/user-data
mkdir -p /opt/vyatta/etc/config/support
chown -R root:vyattacfg /opt/vyatta/etc/config
chmod -R 775 /opt/vyatta/etc/config

# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above
if [ ! -x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then
    touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
    chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
    cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
#!/bin/sh
# This script is called from /etc/rc.local on boot after the Vyatta
# configuration is fully applied. Any modifications done to work around
# unfixed bugs and implement enhancements which are not complete in the Vyatta
# system can be placed here.
EOF
fi

# call vyatta-postconfig-bootup.script from /etc/rc.local
if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \
    /etc/rc.local
then
    cat <<EOF >>/etc/rc.local
# Do not remove the following call to vyatta-postconfig-bootup.script.
# Any boot time workarounds should be put in script below so that they
# get preserved for the new image during image upgrade.
POSTCONFIG=/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
[ -x \$POSTCONFIG ] && \$POSTCONFIG
EOF
    sh -c "sed -i -e '/exit 0/d' /etc/rc.local"
    cat <<EOF >>/etc/rc.local
exit 0
EOF
fi

touch /etc/environment

if [ ! -f /etc/bash_completion ]; then
  echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
  echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi

sed -i 's/^set /builtin set /' /etc/bash_completion

dpkg-reconfigure -f noninteractive openssh-server
rm -f /etc/ssh/*.broken
update-rc.d -f ssh remove >/dev/null

# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login

# Change default shell for new accounts
sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf

# Do not allow users to change full name field (controlled by Vyatta config)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs

# Only allow root to use passwd command
if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
    sed -i -e '/^@include/i \
password	requisite pam_succeed_if.so user = root
' /etc/pam.d/passwd
fi

# Ask mdadm to call our own event handling daemon
# Don't start mdadm daemon when running on livecd
if [ -e /etc/default/mdadm ]; then
    sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
    sed -i 's/^START_DAEMON.*$/START_DAEMON=false/' /etc/default/mdadm
fi

# Disable reboot on ctrl-alt-delete
sed -i -e '/^ca/s/\/sbin\/shutdown .*$/\/bin\/echo "Ctrl\-Alt\-Del disabled."/' /etc/inittab

# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient

# remove old init that should have been cleaned up during upgrade but isn't
if [ -f /etc/init.d/vyatta-ofr ]; then
    update-rc.d -f /etc/init.d/vyatta-ofr remove
    rm -f /etc/init.d/vyatta-ofr
fi

# comply with Squeeze version of modprobe
# remove old versions of files during upgrade
for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6
do
  if [ -f /etc/modprobe.d/${modprobe} ]; then
      mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf
  fi
done

# add vyatta-config-reboot-params to start at boot up
update-rc.d vyatta-config-reboot-params start 20 S

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: