diff options
Diffstat (limited to 'init-sh/lib.sh.usermode')
| -rw-r--r-- | init-sh/lib.sh.usermode | 385 |
1 files changed, 385 insertions, 0 deletions
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode new file mode 100644 index 0000000..6f1f65e --- /dev/null +++ b/init-sh/lib.sh.usermode @@ -0,0 +1,385 @@ +# +# Security level implementation... +# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com> +# + +# Need root access +if [[ ${UID} != 0 ]]; then + echo "You need to be root in order to change secure level." + exit 1 +fi + +export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too." + +WaitAnswer() { + answer="nothing" + + while [[ ${answer} != yes && ${answer} != no ]]; do + echo -n "yes/no : " + read answer + done +} + +AddRules() { + string=$1 + file=$2 + quiet=$3 + + if [[ -z ${string} ]]; then + return; + fi + + if [[ -z ${quiet} ]]; then + echo "Modifying config in ${file}..." + fi + + if ! grep -Eqx "^${string}" ${file}; then + echo -e "${COMMENT}" >> ${file}; + echo -e "${string}" >> ${file}; + fi + + if [[ -z ${3} ]]; then + echo -e "done.\n" + fi +} + +AddBegRules() { + echo "Modifying config in ${2}..." + + if [[ ! -f ${file} ]]; then + return; + fi + + export VAL=$1 + perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2 + + echo -e "done.\n" +} + + +OLD_CleanRules() { + file=$1 + ctrl=0 + + if [[ ! -f ${file} ]]; then + echo "${file} do not exist... can not clean." + return; + fi + + echo -en "\t- Cleaning msec appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp ${file} ${tmpfile} + + while read line; do + if [[ ${ctrl} == 1 ]]; then + ctrl=0 + continue; + fi + + if echo "${line}" | grep -qx "${COMMENT}"; then + ctrl=1 + fi + + if [[ ${ctrl} == 0 ]]; then + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +CleanRules() { + echo -en "\t- Cleaning msec appended line in $1 : " + + perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1 + + echo "done." +} + +CommentUserRules() { + file=$1 + + if [[ ! -f ${file} ]]; then + return; + fi + + echo -en "\t- Cleaning user appended line in ${file} : " + + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp -f ${file} ${tmpfile} + + while read line; do + if ! echo "${line}" | grep -qE "^#"; then + echo "# ${line}" + else + echo "${line}" + fi + done < ${tmpfile} > ${file} + + rm -f ${tmpfile} + + echo "done." +} + +Syslog() { + if [[ ${SYSLOG_WARN} == yes ]]; then + /sbin/initlog --string=${1} + fi +} + +Ttylog() { + if [[ ${TTY_WARN} == yes ]]; then + w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do + echo -e ${1} > /dev/$i + done + fi +} + + +LoaderUpdate() { + + # Ask only if we're not inside DrakX. + if [[ ! ${DRAKX_PASSWORD+set} ]]; then + echo "Do you want a password authentication at boot time ?" + echo "Be very carefull," + echo "this will prevent your server to reboot without an operator to enter password". + WaitAnswer; + if [[ ${answer} == yes ]]; then + echo -n "Please enter the password which will be used at boot time : " + read password + else + password="" + fi + + if [[ ! -z ${password} ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$password" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $password" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi + fi +} + +# Do something only if DRAKX_PASSWORD set ( we're in DrakX ) +LoaderDrakX() { + if [[ -n "${DRAKX_PASSWORD}" ]]; then + if [[ -f /etc/lilo.conf ]]; then + AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf + chmod 600 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst + chmod 600 /boot/grub/menu.lst + fi + + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + + +CleanLoaderRules() { + if [[ -f /etc/lilo.conf ]]; then + CleanRules /etc/lilo.conf + chmod 644 /etc/lilo.conf + fi + if [[ -f /boot/grub/menu.lst ]]; then + CleanRules /boot/grub/menu.lst + chmod 644 /boot/grub/menu.lst + fi + + if [[ -z ${DRAKX_PASSWORD} ]]; then + loader=`/usr/sbin/detectloader` + case "${loader}" in + "LILO") + /sbin/lilo + ;; + "GRUB") + ;; + esac + fi +} + +AllowAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + grep -v AUTOLOGIN < ${file} > ${file}.new + echo "AUTOLOGIN=yes" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidAutologin() { + file=/etc/sysconfig/autologin + if [[ -f ${file} ]]; then + cat ${file} | grep -v AUTOLOGIN > ${file}.new + echo "AUTOLOGIN=no" >> ${file}.new + mv -f ${file}.new ${file} + fi +} + +ForbidUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=false/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=0/' ${file} + fi +} + +AllowUserList() { + file=/usr/share/config/kdmrc + if [[ -f ${file} ]]; then + perl -pi -e 's/^UserView=.*$/UserView=true/' ${file} + fi + + file=/etc/X11/gdm/gdm.conf + if [[ -f ${file} ]]; then + perl -pi -e 's/^Browser=.*$/Browser=1/' ${file} + fi +} + +ForbidReboot() { + echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +AllowReboot() { + echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : " + tmpfile=`mktemp /tmp/secure.XXXXXX` + cp /etc/inittab ${tmpfile} + cat ${tmpfile} | \ + sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab + rm -f ${tmpfile} + [ -z "$DURING_INSTALL" ] && telinit u + echo "done." +} + +# If we are currently installing our +# system with DrakX, we don't ask anything to the user... +# Instead, DrakX do it and give us a file with some variable. +if [[ -f /etc/security/msec/security.conf ]]; then + . /etc/security/msec/security.conf +fi + +clear +echo "Preparing to run security script : " +CleanRules /etc/syslog.conf +CleanRules /etc/hosts.deny +CommentUserRules /etc/hosts.deny +CleanRules /etc/hosts.allow +CommentUserRules /etc/hosts.allow +CleanRules /etc/securetty +CommentUserRules /etc/securetty +CleanRules /etc/security/msec/security.conf +CommentUserRules /etc/security/msec/security.conf +CleanRules /etc/profile +CleanRules /etc/ld.so.preload + +CleanLoaderRules +LoaderDrakX + +CleanRules /etc/logrotate.conf +CleanRules /etc/rc.d/rc.local +CleanRules /etc/rc.d/rc.firewall +CleanRules /etc/crontab + +if [[ -f /etc/X11/xinit.d/msec ]]; then + CleanRules /etc/X11/xinit.d/msec +else + touch /etc/X11/xinit.d/msec + chmod 755 /etc/X11/xinit.d/msec +fi + +echo -e "\nStarting to reconfigure the system : " +# For all secure level +echo "Setting spoofing protection : " +AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall + +# default group which must exist on the system +# groupadd already check for their existance... +groupadd nogroup >& /dev/null +groupadd audio >& /dev/null +groupadd xgrp >& /dev/null +groupadd ntools >& /dev/null +groupadd ctools >& /dev/null + +usermod -G xgrp xfs + +/usr/share/msec/grpuser.sh --clean +echo + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + |