path: root/debian/vyatta-cfg-system.postinst.in
Diffstat (limited to 'debian/vyatta-cfg-system.postinst.in')
-rw-r--r--debian/vyatta-cfg-system.postinst.in269
1 files changed, 269 insertions, 0 deletions
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
new file mode 100644
index 0000000..4e07288
--- /dev/null
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -0,0 +1,269 @@
+#!/bin/bash
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+sysconfdir=@sysconfdir@
+bindir=@bindir@
+sbindir=@sbindir@
+
+# remove init of daemons that are controlled by Vyatta configuration process
+for init in ntp ssh snmpd openhpid logd \
+ ipvsadm dnsmasq ddclient radvd hostapd conntrackd
+do
+ update-rc.d -f ${init} remove >/dev/null
+done
+
+# remove extra call to clock setup only need one. this speeds up boot
+# Mystery: why does Debian do it twice?
+if [ -L /etc/rcS.d/S*hwclockfirst.sh -a -L /etc/rcS.d/S*hwclock.sh ]; then
+ rm /etc/rcS.d/S*hwclock.sh
+fi
+
+# Udev package asks for user 'tss' early in boot process.
+# Want to avoid going out to remote services to look for this local user
+if ! grep -q '^tss' /etc/passwd; then
+ adduser --system --group --shell /usr/sbin/nologin --home /var/lib/tpm tss
+fi
+
+# Remove leftover udev files from earlier release
+if [ -d /etc/udev/rules.d/ ]; then
+ rm -f /etc/udev/rules.d/*vyatta-net.rules
+fi
+
+# Remove rsyslog logrotate since it has hardcoded assumptions about syslog files
+rm -f /etc/logrotate.d/rsyslog
+
+# Force screenblanker to be off, it can be enabled later if desired
+if [ -f /etc/console-tools/config ]; then
+ sed -i -e '/^POWERDOWN/s/=.*$/=0/' \
+ -e '/^BLANK_TIME/s/=.*$/=0/' \
+ -e '/^BLANK_DPMS/s/=.*$/=off/' /etc/console-tools/config
+fi
+
+if [ "$sysconfdir" != "/etc" ]; then
+ touch /etc/sudoers
+ cp -p /etc/sudoers /etc/sudoers.bak
+
+ # enable ssh banner
+ sed -i 's/^#Banner/Banner/' /etc/ssh/sshd_config
+ # make sure PermitRoot is off
+ sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
+ # make sure PasswordAuthentication is on
+ sed -i 's/^#PasswordAuthentication/PasswordAuthentication/' /etc/ssh/sshd_config
+ sed -i '/^PasswordAuthentication/s/no/yes/' /etc/ssh/sshd_config
+
+ # add HostKeys for protocol version 1
+ if ! grep -q '^HostKey /etc/ssh/ssh_host_key' /etc/ssh/sshd_config; then
+ echo '# HostKey for protocol version 1' >> /etc/ssh/sshd_config
+ echo 'HostKey /etc/ssh/ssh_host_key' >> /etc/ssh/sshd_config
+ fi
+
+ # add UseDNS line
+ sed -i '/^UseDNS/d' /etc/ssh/sshd_config
+ echo 'UseDNS yes' >>/etc/ssh/sshd_config
+
+ # for "admin" level
+ sed -i 's/^# %sudo ALL=NOPASSWD: ALL/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
+ if ! grep -q '^%sudo ALL=NOPASSWD: ALL' /etc/sudoers; then
+ echo -e "\n%sudo ALL=NOPASSWD: ALL" >> /etc/sudoers
+ fi
+
+ # cleanup any old entries from previous versions
+ sed -i /etc/sudoers \
+ -e '/### BEGIN VYATTA/,/### END VYATTA/d' \
+ -e '/Cmnd_Alias IPTABLE/,/PPPOE_CMDS/d' \
+ -e '/sudo-users/d' \
+ -e '/env_keep+=VYATTA/d' || true
+
+ # Add Vyatta entries
+ cat <<"EOF" >>/etc/sudoers
+### BEGIN VYATTA
+Defaults syslog_goodpri=info
+Defaults env_keep+=VYATTA_*
+
+Cmnd_Alias IPTABLES = /sbin/iptables --list -n,\
+ /sbin/iptables -L -vn,\
+ /sbin/iptables -L * -vn,\
+ /sbin/iptables -t * -L *, \
+ /sbin/iptables -Z *,\
+ /sbin/iptables -Z -t nat, \
+ /sbin/iptables -t * -Z *
+Cmnd_Alias IP6TABLES = /sbin/ip6tables -t * -Z *, \
+ /sbin/ip6tables -t * -L *
+Cmnd_Alias CONNTRACK = /usr/sbin/conntrack -L *, \
+ /usr/sbin/conntrack -G *, \
+ /usr/sbin/conntrack -E *
+Cmnd_Alias IPFLUSH = /sbin/ip route flush cache, \
+ /sbin/ip route flush cache *,\
+ /sbin/ip neigh flush to *, \
+ /sbin/ip neigh flush dev *, \
+ /sbin/ip -f inet6 route flush cache, \
+ /sbin/ip -f inet6 route flush cache *,\
+ /sbin/ip -f inet6 neigh flush to *, \
+ /sbin/ip -f inet6 neigh flush dev *
+Cmnd_Alias ETHTOOL = /sbin/ethtool -p *, \
+ /sbin/ethtool -S *, \
+ /sbin/ethtool -a *, \
+ /sbin/ethtool -c *, \
+ /sbin/ethtool -i *
+Cmnd_Alias DISK = /usr/bin/lsof, /sbin/fdisk -l *, /sbin/sfdisk -d *
+Cmnd_Alias DATE = /bin/date, /usr/sbin/ntpdate
+Cmnd_Alias PPPOE_CMDS = /sbin/pppd, /sbin/poff, /usr/sbin/pppstats
+Cmnd_Alias PCAPTURE = /usr/bin/tshark, /usr/bin/tcpdump
+Cmnd_Alias HWINFO = /usr/bin/lspci
+%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
+ PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
+ DISK, CONNTRACK, IP6TABLES
+EOF
+ cat <<EOF >>/etc/sudoers
+%users ALL=NOPASSWD: ${bindir}/sudo-users/
+### END VYATTA
+EOF
+
+ # set up blacklists
+ for f in blacklist.DSA-1024 blacklist.RSA-2048; do
+ if [ -r "/etc/ssh/$f" ]; then
+ l=$(head -1 $sysconfdir/$f)
+ if ! grep -q "$l" /etc/ssh/$f; then
+ tmp=$(mktemp /tmp/bl.XXXXXXXXXX)
+ cat /etc/ssh/$f $sysconfdir/$f | sort >$tmp
+ mv $tmp /etc/ssh/$f
+ fi
+ else
+ cp $sysconfdir/$f /etc/ssh/$f
+ fi
+ done
+
+ # purge off ancient devfs stuff from /etc/securetty
+ cp $sysconfdir/securetty /etc/securetty
+
+ for f in issue issue.net; do
+ if [ ! -e /etc/$f.old ]; then
+ cp $sysconfdir/$f /etc/$f
+ fi
+ done
+
+ cp $sysconfdir/vyatta-sysctl.conf /etc/sysctl.d/30-vyatta-router.conf
+
+ # Set file capabilities
+ sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' < $sysconfdir/filecaps | \
+ while read capability path; do
+ touch -c $path
+ setcap $capability $path
+ done
+
+ # Install pam_cap config
+ cp $sysconfdir/capability.conf /etc/security/capability.conf
+
+ # Install our own version of rsyslog.conf without
+ # default targets
+ mv /etc/rsyslog.conf /etc/rsyslog.conf.orig
+ cp $sysconfdir/rsyslog.conf /etc/rsyslog.conf
+
+ # Install own version of cpufrequtils config
+ cp $sysconfdir/cpufrequtils /etc/default/cpufrequtils
+fi
+
+# create needed directories
+mkdir -p /var/log/user
+mkdir -p /var/core
+mkdir -p /opt/vyatta/etc/config/auth
+mkdir -p /opt/vyatta/etc/config/scripts
+mkdir -p /opt/vyatta/etc/config/user-data
+mkdir -p /opt/vyatta/etc/config/support
+chown -R root.vyattacfg /opt/vyatta/etc/config
+chmod -R 775 /opt/vyatta/etc/config
+
+# create /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+# this should be after 'mkdir -p /opt/vyatta/etc/config/scripts' above
+if [ ! -x /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script ]; then
+ touch /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+ chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+ cat <<EOF >>/opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+#!/bin/sh
+# This script is called from /etc/rc.local on boot after the Vyatta
+# configuration is fully applied. Any modifications done to work around
+# unfixed bugs and implement enhancements which are not complete in the Vyatta
+# system can be placed here.
+EOF
+fi
+
+# call vyatta-postconfig-bootup.script from /etc/rc.local
+if ! grep -q /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script \
+ /etc/rc.local
+then
+ cat <<EOF >>/etc/rc.local
+# Do not remove the following call to vyatta-postconfig-bootup.script.
+# Any boot time workarounds should be put in script below so that they
+# get preserved for the new image during image upgrade.
+sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script
+EOF
+ sh -c "sed -i -e '/exit 0/d' /etc/rc.local"
+ cat <<EOF >>/etc/rc.local
+exit 0
+EOF
+fi
+
+touch /etc/environment
+
+if [ ! -f /etc/bash_completion ]; then
+ echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
+ echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
+fi
+
+sed -i 's/^set /builtin set /' /etc/bash_completion
+
+dpkg-reconfigure -f noninteractive openssh-server
+rm -f /etc/ssh/*.broken
+update-rc.d -f ssh remove >/dev/null
+
+# Fix up PAM configuration for login so that invalid users are prompted
+# for password
+sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login
+
+# Change default shell for new accounts
+sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf
+
+# Do not allow users to change full name field (controlled by Vyatta config)
+sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs
+
+# Only allow root to use passwd command
+if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
+ sed -i -e '/^@include/i \
+password requisite pam_succeed_if.so user = root
+' /etc/pam.d/passwd
+fi
+
+#
+# Ask mdadm to call our own event handling daemon
+#
+if [ -e /etc/default/mdadm ]; then
+ sed -i 's+^DAEMON_OPTIONS=.*$+DAEMON_OPTIONS="--syslog --program /opt/vyatta/sbin/vyatta-raid-event"+' /etc/default/mdadm
+fi
+
+# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
+# this logs unnecessary messages trying to start ddclient
+rm -f /etc/ppp/ip-up.d/ddclient
+
+# remove old init that should have been cleaned up during upgrade but isn't
+if [ -f /etc/init.d/vyatta-ofr ]; then
+ update-rc.d -f /etc/init.d/vyatta-ofr remove
+ rm -f /etc/init.d/vyatta-ofr
+fi
+
+# comply with Squeeze version of modprobe
+# remove old versions of files during upgrade
+for modprobe in vyatta_blacklist_ipv6 vyatta_disable_ipv6
+do
+ if [ -f /etc/modprobe.d/${modprobe} ]; then
+ mv -f /etc/modprobe.d/${modprobe} /etc/modprobe.d/${modprobe}.conf
+ fi
+done
+
+# add vyatta-config-reboot-params to start at boot up
+update-rc.d vyatta-config-reboot-params defaults
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 4
+# End:
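Review bot: The script that `/etc/rc.local` executes as root via `sudo /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script` lives in a tree this postinst makes group-writable with `chown -R root.vyattacfg` and `chmod -R 775`, and because that `chmod -R` runs unconditionally before the `[ ! -x … ]` guard, a re-run of the postinst (e.g. on upgrade) leaves an already-existing script at 775 instead of the 755 that is applied only on first creation. Any vyattacfg member can therefore edit or replace a file run as root at every boot; whether that is a real escalation depends on whether vyattacfg membership already equals the `%sudo ALL=NOPASSWD: ALL` grant, which this diff does not show. At minimum move the mode reset out of the creation branch so it runs every time, e.g. `chmod 755 /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script` placed after the `chmod -R 775` line, and consider `chown root:root` plus `chmod 755` on the `scripts` directory itself if non-admins are not meant to author boot-time root code. Separately, the `%operator` NOPASSWD rule grants `/usr/bin/tcpdump` and `/usr/bin/tshark` with no argument restriction, and both accept `-w` (tcpdump also `-z`), which lets an operator write files or run commands as root; pinning them to read-only capture arguments or a wrapper would be worth a follow-up. The `sed -i … $rootfsdir/etc/pam.d/login` line only works because `$rootfsdir` is never set and expands to empty, so either drop it or define it explicitly.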