Diffstat (limited to 'init-sh/lib.sh.usermode')
-rw-r--r--init-sh/lib.sh.usermode385
1 files changed, 385 insertions, 0 deletions
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode
new file mode 100644
index 0000000..6f1f65e
--- /dev/null
+++ b/init-sh/lib.sh.usermode
@@ -0,0 +1,385 @@
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+# Need root access
+if [[ ${UID} != 0 ]]; then
+ echo "You need to be root in order to change secure level."
+ exit 1
+fi
+
+export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ ${answer} != yes && ${answer} != no ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
+AddRules() {
+ string=$1
+ file=$2
+ quiet=$3
+
+ if [[ -z ${string} ]]; then
+ return;
+ fi
+
+ if [[ -z ${quiet} ]]; then
+ echo "Modifying config in ${file}..."
+ fi
+
+ if ! grep -Eqx "^${string}" ${file}; then
+ echo -e "${COMMENT}" >> ${file};
+ echo -e "${string}" >> ${file};
+ fi
+
+ if [[ -z ${3} ]]; then
+ echo -e "done.\n"
+ fi
+}
+
+AddBegRules() {
+ echo "Modifying config in ${2}..."
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ export VAL=$1
+ perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
+
+ echo -e "done.\n"
+}
+
+
+OLD_CleanRules() {
+ file=$1
+ ctrl=0
+
+ if [[ ! -f ${file} ]]; then
+ echo "${file} do not exist... can not clean."
+ return;
+ fi
+
+ echo -en "\t- Cleaning msec appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp ${file} ${tmpfile}
+
+ while read line; do
+ if [[ ${ctrl} == 1 ]]; then
+ ctrl=0
+ continue;
+ fi
+
+ if echo "${line}" | grep -qx "${COMMENT}"; then
+ ctrl=1
+ fi
+
+ if [[ ${ctrl} == 0 ]]; then
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+CleanRules() {
+ echo -en "\t- Cleaning msec appended line in $1 : "
+
+ perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
+
+ echo "done."
+}
+
+CommentUserRules() {
+ file=$1
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ echo -en "\t- Cleaning user appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp -f ${file} ${tmpfile}
+
+ while read line; do
+ if ! echo "${line}" | grep -qE "^#"; then
+ echo "# ${line}"
+ else
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+Syslog() {
+ if [[ ${SYSLOG_WARN} == yes ]]; then
+ /sbin/initlog --string=${1}
+ fi
+}
+
+Ttylog() {
+ if [[ ${TTY_WARN} == yes ]]; then
+ w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
+ echo -e ${1} > /dev/$i
+ done
+ fi
+}
+
+
+LoaderUpdate() {
+
+ # Ask only if we're not inside DrakX.
+ if [[ ! ${DRAKX_PASSWORD+set} ]]; then
+ echo "Do you want a password authentication at boot time ?"
+ echo "Be very carefull,"
+ echo "this will prevent your server to reboot without an operator to enter password".
+ WaitAnswer;
+ if [[ ${answer} == yes ]]; then
+ echo -n "Please enter the password which will be used at boot time : "
+ read password
+ else
+ password=""
+ fi
+
+ if [[ ! -z ${password} ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$password" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $password" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+ fi
+}
+
+# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
+LoaderDrakX() {
+ if [[ -n "${DRAKX_PASSWORD}" ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+
+CleanLoaderRules() {
+ if [[ -f /etc/lilo.conf ]]; then
+ CleanRules /etc/lilo.conf
+ chmod 644 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ CleanRules /boot/grub/menu.lst
+ chmod 644 /boot/grub/menu.lst
+ fi
+
+ if [[ -z ${DRAKX_PASSWORD} ]]; then
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+# If we are currently installing our
+# system with DrakX, we don't ask anything to the user...
+# Instead, DrakX do it and give us a file with some variable.
+if [[ -f /etc/security/msec/security.conf ]]; then
+ . /etc/security/msec/security.conf
+fi
+
+clear
+echo "Preparing to run security script : "
+CleanRules /etc/syslog.conf
+CleanRules /etc/hosts.deny
+CommentUserRules /etc/hosts.deny
+CleanRules /etc/hosts.allow
+CommentUserRules /etc/hosts.allow
+CleanRules /etc/securetty
+CommentUserRules /etc/securetty
+CleanRules /etc/security/msec/security.conf
+CommentUserRules /etc/security/msec/security.conf
+CleanRules /etc/profile
+CleanRules /etc/ld.so.preload
+
+CleanLoaderRules
+LoaderDrakX
+
+CleanRules /etc/logrotate.conf
+CleanRules /etc/rc.d/rc.local
+CleanRules /etc/rc.d/rc.firewall
+CleanRules /etc/crontab
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
+
+echo -e "\nStarting to reconfigure the system : "
+# For all secure level
+echo "Setting spoofing protection : "
+AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
+
+# default group which must exist on the system
+# groupadd already check for their existance...
+groupadd nogroup >& /dev/null
+groupadd audio >& /dev/null
+groupadd xgrp >& /dev/null
+groupadd ntools >& /dev/null
+groupadd ctools >& /dev/null
+
+usermod -G xgrp xfs
+
+/usr/share/msec/grpuser.sh --clean
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
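Review bot: Ttylog never delivers its warning because the loop reads each tty name into `line` but writes to `/dev/$i`, and `i` is not set anywhere in the hunk, so the redirect targets the `/dev` directory itself and fails for every logged-in user; the write should be `echo -e "${1}" > "/dev/${line}"`. AddBegRules has the same kind of slip: its `-f` guard tests `${file}`, which this function never assigns (it is whatever AddRules last left in the global), so the check should read `if [[ ! -f $2 ]]; then`. In LoaderUpdate the boot-loader password is collected with a plain `read password`, which echoes it on the terminal as it is typed; `read -s password; echo` keeps the prompt behaviour without displaying the secret. Separately, AddRules' duplicate check `grep -Eqx "^${string}"` treats the rule text as a regular expression, so a rule string containing regex metacharacters can fail to match its own earlier copy and be appended again on every run; `grep -Fqx -- "${string}" "${file}"` compares it literally.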