summaryrefslogtreecommitdiff
path: root/debian/vyos-1x.postinst
blob: 837fcf995fd07fc78f942c77525922b0887ef6ce (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
#!/bin/bash

# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true

# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
        --gecos "salt minion user" --shell /bin/vbash minion
    adduser --quiet minion frrvty
    adduser --quiet minion sudo
    adduser --quiet minion adm
    adduser --quiet minion dip
    adduser --quiet minion disk
    adduser --quiet minion users
    adduser --quiet minion frr
fi

# OpenVPN should get its own user
if ! grep -q '^openvpn' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi

# Enable 2FA/MFA support for SSH and local logins
for file in /etc/pam.d/sshd /etc/pam.d/login
do
    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
    grep -qF -- "pam_google_authenticator.so" $file || \
    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
done

# We need to have a group for RADIUS service users to use it inside PAM rules
if ! grep -q '^radius' /etc/group; then
    addgroup --firstgid 1000 --quiet radius
fi

# Remove TACACS user added by base package - we use our own UID range and group
# assignments - see below
if grep -q '^tacacs' /etc/passwd; then
    if [ $(id -u tacacs0) -ge 1000 ]; then
        level=0
        vyos_group=vyattaop
        while [ $level -lt 16 ]; do
            userdel tacacs${level} || true
            rm -rf /home/tacacs${level} || true
            level=$(( level+1 ))
        done 2>&1
    fi
fi

# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
    # Add the tacacs group and all 16 possible tacacs privilege-level users to
    # the password file, home directories, etc. The accounts are not enabled
    # for local login, since they are only used to provide uid/gid/homedir for
    # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
    # is also added to the sudo group, and vyattacfg group rather than vyattaop
    # (used for tacacs0-14).
    level=0
    vyos_group=vyattaop
    while [ $level -lt 16 ]; do
        adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
            --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
            --shell /bin/vbash tacacs${level}
        adduser --quiet tacacs${level} frrvty
        adduser --quiet tacacs${level} adm
        adduser --quiet tacacs${level} dip
        adduser --quiet tacacs${level} users
        adduser --quiet tacacs${level} aaa
        if [ $level -lt 15 ]; then
            adduser --quiet tacacs${level} vyattaop
            adduser --quiet tacacs${level} operator
        else
            adduser --quiet tacacs${level} vyattacfg
            adduser --quiet tacacs${level} sudo
            adduser --quiet tacacs${level} disk
            adduser --quiet tacacs${level} frr
        fi
        level=$(( level+1 ))
    done 2>&1 | grep -v 'User tacacs${level} already exists'
fi

# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
        --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
        --shell /sbin/radius_shell radius_user
    adduser --quiet radius_user frrvty
    adduser --quiet radius_user vyattaop
    adduser --quiet radius_user operator
    adduser --quiet radius_user adm
    adduser --quiet radius_user dip
    adduser --quiet radius_user users
fi

# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
        --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
        --shell /sbin/radius_shell radius_priv_user
    adduser --quiet radius_priv_user frrvty
    adduser --quiet radius_priv_user vyattacfg
    adduser --quiet radius_priv_user sudo
    adduser --quiet radius_priv_user adm
    adduser --quiet radius_priv_user dip
    adduser --quiet radius_priv_user disk
    adduser --quiet radius_priv_user users
    adduser --quiet radius_priv_user frr
fi

# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
    addgroup --quiet --system hostsd
fi

# add dhcpd user for dhcp-server
if ! grep -q '^dhcpd' /etc/passwd; then
    adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
    adduser --quiet dhcpd hostsd
fi

# ensure the proxy user has a proper shell
chsh -s /bin/sh proxy

# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
if [ ! -x $PRECONFIG_SCRIPT ]; then
    mkdir -p $(dirname $PRECONFIG_SCRIPT)
    touch $PRECONFIG_SCRIPT
    chmod 755 $PRECONFIG_SCRIPT
    cat <<EOF >>$PRECONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time before VyOS configuration is applied.
# Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.

EOF
fi

# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
    mkdir -p $(dirname $POSTCONFIG_SCRIPT)
    touch $POSTCONFIG_SCRIPT
    chmod 755 $POSTCONFIG_SCRIPT
    cat <<EOF >>$POSTCONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

EOF
fi

# symlink destination is deleted during ISO assembly - this generates some noise
# when the system boots: systemd-sysv-generator[1881]: stat() failed on
# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
# the file.
if [ -L /etc/init.d/README ]; then
    rm -f /etc/init.d/README
fi

# Remove unwanted daemon files from /etc
# conntackd
# pmacct
# fastnetmon
# ntp
DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
        /etc/default/pmacctd /etc/pmacct
        /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
        /etc/ntp.conf /etc/default/ssh
        /etc/powerdns /etc/default/pdns-recursor
        /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
    if [ -e ${tmp} ]; then
        rm -rf ${tmp}
    fi
done

# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog

# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
if test -f /etc/pam.d/frr; then
    if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
        sed -i -re 's/rootok/permit/' /etc/pam.d/frr
    fi
fi

# Enable Cloud-init pre-configuration service
systemctl enable vyos-config-cloud-init.service

# Generate API GraphQL schema
/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py

# Update XML cache
python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py