-rw-r--r-- | debian/vyatta-cfg-system.postinst.in | 269 | ||||
-rw-r--r-- | debian/vyatta-cfg-system.postrm | 12 |
2 files changed, 0 insertions, 281 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
deleted file mode 100644
index 4e07288..0000000
--- a/debian/vyatta-cfg-system.postinst.in
+++ /dev/null
@@ -1,269 +0,0 @@ -#!/bin/bash - -prefix=@prefix@ -exec_prefix=@exec_prefix@ -sysconfdir=@sysconfdir@ -bindir=@bindir@ -sbindir=@sbindir@ - -# remove init of daemons that are controlled by Vyatta configuration process -for init in ntp ssh snmpd openhpid logd \ - ipvsadm dnsmasq ddclient radvd hostapd conntrackd -do - update-rc.d -f ${init} remove >/dev/null -done - -# remove extra call to clock setup only need one. this speeds up boot -# Mystery: why does Debian do it twice? -if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then - rm /etc/rcS.d/S*hwclock.sh -fi - -# Udev package asks for user 'tss' early in boot process. -# Want to avoid going out to remote services to look for this local user -if ! grep -q '^tss' /etc/passwd; then - adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss -fi - -# Remove leftover udev files from earlier release -if [ -d /etc/udev/rules.d/ ]; then - rm -f /etc/udev/rules.d/*vyatta-net.rules -fi - -# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files -rm -f /etc/logrotate.d/rsyslog - -# Force screenblanker to be off, it can be enabled later if desired -if [ -f /etc/console-tools/config ]; then - sed -i -e '/^POWERDOWN/s/=.*$/=0/' \ - -e '/^BLANK_TIME/s/=.*$/=0/' \ - -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config -fi - -if [ "$sysconfdir" != "/etc" ]; then - touch /etc/sudoers - cp -p /etc/sudoers /etc/sudoers.bak - - # enable ssh banner - sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config - # make sure PermitRoot is off - sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config - # make sure PasswordAuthentication is on - sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config - sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config - - # add HostKeys for protocol version 1 - if ! 
grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then - echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config - echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config - fi - - # add UseDNS line - sed -i '/^UseDNS/d' /etc/ssh/sshd_config - echo 'UseDNS yes' >>/etc/ssh/sshd_config - - # for "admin" level - sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers - if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then - echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers - fi - - # cleanup any old entries from previous versions - sed -i /etc/sudoers \ - -e '/### BEGIN VYATTA/,/### END VYATTA/d' \ - -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \ - -e '/sudo-users/d' \ - -e '/env_keep+=VYATTA/d' || true - - # Add Vyatta entries - cat <<"EOF" >>/etc/sudoers -### BEGIN VYATTA -Defaults syslog_goodpri=info -Defaults env_keep+=VYATTA_* - -Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\ - /sbin/iptables -L -vn,\ - /sbin/iptables -L * -vn,\ - /sbin/iptables -t * -L *, \ - /sbin/iptables -Z *,\ - /sbin/iptables -Z -t nat, \ - /sbin/iptables -t * -Z * -Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \ - /sbin/ip6tables -t * -L * -Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \ - /usr/sbin/conntrack -G *, \ - /usr/sbin/conntrack -E * -Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \ - /sbin/ip route flush cache *,\ - /sbin/ip neigh flush to *, \ - /sbin/ip neigh flush dev *, \ - /sbin/ip -f inet6 route flush cache, \ - /sbin/ip -f inet6 route flush cache *,\ - /sbin/ip -f inet6 neigh flush to *, \ - /sbin/ip -f inet6 neigh flush dev * -Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \ - /sbin/ethtool -S *, \ - /sbin/ethtool -a *, \ - /sbin/ethtool -c *, \ - /sbin/ethtool -i * -Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d * -Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate -Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats -Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump -Cmnd_Alias 
HWINFO = /usr/bin/lspci -%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \ - PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \ - DISK, CONNTRACK, IP6TABLES -EOF - cat <<EOF >>/etc/sudoers -%users ALL=NOPASSWD: ${bindir}/sudo-users/ -### END VYATTA -EOF - - # set up blacklists - for f in blacklist.DSA-1024 blacklist.RSA-2048; do - if [ -r "/etc/ssh/$f" ]; then - l=$(head -1 $sysconfdir/$f) - if ! grep -q "$l" /etc/ssh/$f; then - tmp=$(mktemp /tmp/bl.XXXXXXXXXX) - cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp - mv $tmp /etc/ssh/$f - fi - else - cp $sysconfdir/$f /etc/ssh/$f - fi - done - - # purge off ancient devfs stuff from /etc/securetty - cp $sysconfdir/securetty /etc/securetty - - for f in issue issue.net; do - if [ ! -e /etc/$f.old ]; then - cp $sysconfdir/$f /etc/$f - fi - done - - cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf - - # Set file capabilities - sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \ - while read capability path; do - touch -c $path - setcap $capability $path - done - - # Install pam_cap config - cp $sysconfdir/capability.conf /etc/security/capability.conf - - # Install our own version of rsyslog.conf without - # default targets - mv /etc/rsyslog.conf /etc/rsyslog.conf.orig - cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf - - # Install own version of cpufrequtils config - cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils -fi - -# create needed directories -mkdir -p /var/log/user -mkdir -p /var/core -mkdir -p /opt/vyatta/etc/config/auth -mkdir -p /opt/vyatta/etc/config/scripts -mkdir -p /opt/vyatta/etc/config/user-data -mkdir -p /opt/vyatta/etc/config/support -chown -R root.vyattacfg /opt/vyatta/etc/config -chmod -R 775 /opt/vyatta/etc/config - -# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script -# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above -if [ ! 
-x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then - touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script - chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script - cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script -#!/bin/sh -# This script is called from /etc/rc.local on boot after the Vyatta -# configuration is fully applied. Any modifications done to work around -# unfixed bugs and implement enhancements which are not complete in the Vyatta -# system can be placed here. -EOF -fi - -# call vyatta-postconfig-bootup.script from /etc/rc.local -if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \ - /etc/rc.local -then - cat <<EOF >>/etc/rc.local -# Do not remove the following call to vyatta-postconfig-bootup.script. -# Any boot time workarounds should be put in script below so that they -# get preserved for the new image during image upgrade. -sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script -EOF - sh -c "sed -i -e '/exit 0/d' /etc/rc.local" - cat <<EOF >>/etc/rc.local -exit 0 -EOF -fi - -touch /etc/environment - -if [ ! -f /etc/bash_completion ]; then - echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion - echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion -fi - -sed -i 's/^set /builtin set /' /etc/bash_completion - -dpkg-reconfigure -f noninteractive openssh-server -rm -f /etc/ssh/*.broken -update-rc.d -f ssh remove >/dev/null - -# Fix up PAM configuration for login so that invalid users are prompted -# for password -sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login - -# Change default shell for new accounts -sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf - -# Do not allow users to change full name field (controlled by Vyatta config) -sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs - -# Only allow root to use passwd command -if ! 
grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then - sed -i -e '/^@include/i \ -password requisite pam_succeed_if.so user = root -' /etc/pam.d/passwd -fi - -# -# Ask mdadm to call our own event handling daemon -# -if [ -e /etc/default/mdadm ]; then - sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm -fi - -# remove unnecessary ddclient script in /etc/ppp/ip-up.d/ -# this logs unnecessary messages trying to start ddclient -rm -f /etc/ppp/ip-up.d/ddclient - -# remove old init that should have been cleaned up during upgrade but isn't -if [ -f /etc/init.d/vyatta-ofr ]; then - update-rc.d -f /etc/init.d/vyatta-ofr remove - rm -f /etc/init.d/vyatta-ofr -fi - -# comply with Squeeze version of modprobe -# remove old versions of files during upgrade -for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6 -do - if [ -f /etc/modprobe.d/${modprobe} ]; then - mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf - fi -done - -# add vyatta-config-reboot-params to start at boot up -update-rc.d vyatta-config-reboot-params defaults - -# Local Variables: -# mode: shell-script -# sh-indentation: 4 -# End: diff --git a/debian/vyatta-cfg-system.postrm b/debian/vyatta-cfg-system.postrm deleted file mode 100644 index 413780b..0000000 --- a/debian/vyatta-cfg-system.postrm +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -if [ "$1" = "purge" ]; then - sed -i -e '/### BEGIN VYATTA/,/### END VYATTA/d' /etc/sudoers - sed -i -e 'g/^password/d' /etc/pam.d/password - update-rc.d vyatta-config-reboot-params remove -fi - -# Local Variables: -# mode: shell-script -# sh-indentation: 4 -# End: |