Diffstat (limited to 'init-sh')
-rwxr-xr-xinit-sh/custom.sh1
-rwxr-xr-xinit-sh/level0.sh14
-rwxr-xr-xinit-sh/level1.sh15
-rwxr-xr-xinit-sh/level2.sh17
-rwxr-xr-xinit-sh/level3.sh12
-rwxr-xr-xinit-sh/level4.sh13
-rwxr-xr-xinit-sh/level5.sh13
-rw-r--r--init-sh/lib.sh88
-rw-r--r--init-sh/lib.sh.usermode385
9 files changed, 496 insertions, 62 deletions
diff --git a/init-sh/custom.sh b/init-sh/custom.sh
index d597255..aed9d57 100755
--- a/init-sh/custom.sh
+++ b/init-sh/custom.sh
@@ -184,6 +184,7 @@ echo "Do you want security report to be done by mail ?"
WaitAnswer; clear
if [[ ${answer} == yes ]]; then
AddRules "MAIL_WARN=yes" /etc/security/msec/security.conf
+ AddRules "MAIL_USER=root" /etc/security/msec/security.conf
else
AddRules "MAIL_WARN=no" /etc/security/msec/security.conf
fi
diff --git a/init-sh/level0.sh b/init-sh/level0.sh
index 9f4f4ee..4329773 100755
--- a/init-sh/level0.sh
+++ b/init-sh/level0.sh
@@ -72,19 +72,15 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from everywhere :"
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xdm/Xsession quiet
-AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet
# Group
echo "Adding system users to specific groups :"
/usr/share/msec/grpuser.sh --refresh
echo -e "done.\n"
+AllowAutologin
+
# Boot on a shell / authorize ctrl-alt-del
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
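Review bot: The trailing `quiet` on the new `AddBegRules "/usr/X11R6/bin/xhost +" /etc/X11/xinit.d/msec quiet` line looks like a no-op: the `AddBegRules` added in this commit's lib.sh.usermode (which I assume mirrors the one in lib.sh) reads only `$1` and `$2` and prints `Modifying config in ${2}...` unconditionally, whereas `AddRules` honours `$3`. Either drop the third word here or give `AddBegRules` the same `if [[ -z ${3} ]]; then` guard that `AddRules` uses around its messages. If the intent is that the xinit.d hook is silent at level 0 only, a one-line comment saying so would stop the next reader from "fixing" it.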
diff --git a/init-sh/level1.sh b/init-sh/level1.sh
index 172c29b..ac72a91 100755
--- a/init-sh/level1.sh
+++ b/init-sh/level1.sh
@@ -72,8 +72,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
# Group
echo "Adding system users to specific groups :"
@@ -81,12 +80,8 @@ echo "Adding system users to specific groups :"
grpconv
echo -e "done.\n"
+AllowAutologin
+
# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+AllowUserList
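Review bot: The `AllowReboot` call does only half of what the removed block did: the old pipeline also rewrote `/bin/bash --login` to `/sbin/mingetty tty1` in `/etc/inittab`, but the `AllowReboot` added to lib.sh in this commit performs only the ctrlaltdel substitution, so the kept comment `# Do not boot on a shell` no longer describes the code beneath it. If the installed inittab still carries a `/bin/bash --login` entry, levels 1, 2 and 3 now leave it in place, while only `ForbidReboot` (levels 4 and 5) retains the mingetty rewrite. The same applies to the second level2.sh hunk and the level3.sh hunk below. Moving the mingetty `sed` out of `ForbidReboot` into a separate helper (say `ForbidShellOnBoot`) that both the Allow and Forbid paths call would restore the previous behaviour and make the comment true again.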
diff --git a/init-sh/level2.sh b/init-sh/level2.sh
index eb2641a..3ffe407 100755
--- a/init-sh/level2.sh
+++ b/init-sh/level2.sh
@@ -73,8 +73,7 @@ AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Xserver
echo "Allowing users to connect X server from localhost :"
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xdm/Xsession
-AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit/xinitrc
+AddBegRules "/usr/X11R6/bin/xhost + localhost" /etc/X11/xinit.d/msec
# group
echo "Adding system users to specifics groups :"
@@ -82,14 +81,8 @@ echo "Adding system users to specifics groups :"
grpconv
echo -e "done.\n"
-# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+AllowAutologin
+# Do not boot on a shell
+AllowReboot
+AllowUserList
diff --git a/init-sh/level3.sh b/init-sh/level3.sh
index 74f72a6..e2808f9 100755
--- a/init-sh/level3.sh
+++ b/init-sh/level3.sh
@@ -79,15 +79,11 @@ AddRules "PATH=\$PATH:/usr/X11R6/bin:/usr/games" /etc/zprofile quiet
AddRules "export PATH SECURE_LEVEL" /etc/zprofile
# Do not boot on a shell
-echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+AllowReboot
+ForbidAutologin
# Group were modified in lib.sh...
grpconv
+
+AllowUserList
diff --git a/init-sh/level4.sh b/init-sh/level4.sh
index c23d576..b0dded8 100755
--- a/init-sh/level4.sh
+++ b/init-sh/level4.sh
@@ -115,14 +115,9 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
fi
# Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
+ForbidReboot
+
+ForbidAutologin
# Group were modified in lib.sh...
grpconv
@@ -132,3 +127,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/level5.sh b/init-sh/level5.sh
index a58f2df..13b02bb 100755
--- a/init-sh/level5.sh
+++ b/init-sh/level5.sh
@@ -132,15 +132,8 @@ if [[ -f /lib/libsafe.so.1.3 ]]; then
fi
# Do not boot on a shell
-echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
-tmpfile=`mktemp /tmp/secure.XXXXXX`
-cp /etc/inittab ${tmpfile}
-cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
-rm -f ${tmpfile}
-echo "done."
-
+ForbidReboot
+ForbidAutologin
echo
echo "You are now running your system in security level 5,"
@@ -171,3 +164,5 @@ grpconv
+
+ForbidUserList
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
index 2c7009c..1be738a 100644
--- a/init-sh/lib.sh
+++ b/init-sh/lib.sh
@@ -222,6 +222,81 @@ CleanLoaderRules() {
fi
}
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Forbid console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ rm -f ${pamfile} 2>&1 > /dev/null
+ done
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+ echo -n "Allow console users to reboot/shutdown : "
+ for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
+ touch -f ${pamfile}
+ done
+ echo "done."
+}
+
# If we are currently installing our
# system with DrakX, we don't ask anything to the user...
# Instead, DrakX do it and give us a file with some variable.
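Review bot: Both `AllowReboot` and `ForbidReboot` redirect the sed pipeline straight into `/etc/inittab`; the shell truncates that file when the pipeline starts, and since the backtick `mktemp` and the `cp` are unchecked, a failure of either leaves an empty inittab right before `telinit u` runs. Writing to a scratch file and replacing the target only on success keeps the edit atomic: `sed ... < "${tmpfile}" > "${tmpfile}.new" && mv -f "${tmpfile}.new" /etc/inittab`. In `ForbidReboot` the redirection order `rm -f ${pamfile} 2>&1 > /dev/null` sends stderr to the terminal and only stdout to /dev/null; `>/dev/null 2>&1` is what was intended. `AllowAutologin`/`ForbidAutologin` replace `/etc/sysconfig/autologin` via `mv -f ${file}.new ${file}`, which gives the file the umask-default mode and owner instead of the original's; redirecting the result back over the original (`cat ${file}.new > ${file}`) or `cp -p` would preserve them.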
@@ -250,8 +325,13 @@ CleanRules /etc/logrotate.conf
CleanRules /etc/rc.d/rc.local
CleanRules /etc/rc.d/rc.firewall
CleanRules /etc/crontab
-CleanRules /etc/X11/xdm/Xsession
-CleanRules /etc/X11/xinit/xinitrc
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
echo -e "\nStarting to reconfigure the system : "
# For all secure level
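Review bot: The new `else` branch creates `/etc/X11/xinit.d/msec` with `touch` and `chmod 755` but checks neither call, and never verifies that `/etc/X11/xinit.d/` exists; on a host without that directory both commands fail silently and the `AddBegRules ... /etc/X11/xinit.d/msec` calls in the level scripts then have no file to prepend to. A guard such as `[[ -d /etc/X11/xinit.d ]] || mkdir -p /etc/X11/xinit.d` before the `touch`, or at least `touch /etc/X11/xinit.d/msec || echo "cannot create /etc/X11/xinit.d/msec" >&2`, would surface the failure. Since this script is presumably run by every X session, a short comment stating that it is intentionally world-readable and executable, and written only by msec, would help the next reader.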
@@ -266,10 +346,6 @@ groupadd xgrp >& /dev/null
groupadd ntools >& /dev/null
groupadd ctools >& /dev/null
-#Fix the big security hole introduced in cooker
-userdel mandrake >& /dev/null
-groupdel mandrake >& /dev/null
-
usermod -G xgrp xfs
/usr/share/msec/grpuser.sh --clean
diff --git a/init-sh/lib.sh.usermode b/init-sh/lib.sh.usermode
new file mode 100644
index 0000000..6f1f65e
--- /dev/null
+++ b/init-sh/lib.sh.usermode
@@ -0,0 +1,385 @@
+#
+# Security level implementation...
+# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
+#
+
+# Need root access
+if [[ ${UID} != 0 ]]; then
+ echo "You need to be root in order to change secure level."
+ exit 1
+fi
+
+export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
+
+WaitAnswer() {
+ answer="nothing"
+
+ while [[ ${answer} != yes && ${answer} != no ]]; do
+ echo -n "yes/no : "
+ read answer
+ done
+}
+
+AddRules() {
+ string=$1
+ file=$2
+ quiet=$3
+
+ if [[ -z ${string} ]]; then
+ return;
+ fi
+
+ if [[ -z ${quiet} ]]; then
+ echo "Modifying config in ${file}..."
+ fi
+
+ if ! grep -Eqx "^${string}" ${file}; then
+ echo -e "${COMMENT}" >> ${file};
+ echo -e "${string}" >> ${file};
+ fi
+
+ if [[ -z ${3} ]]; then
+ echo -e "done.\n"
+ fi
+}
+
+AddBegRules() {
+ echo "Modifying config in ${2}..."
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ export VAL=$1
+ perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
+
+ echo -e "done.\n"
+}
+
+
+OLD_CleanRules() {
+ file=$1
+ ctrl=0
+
+ if [[ ! -f ${file} ]]; then
+ echo "${file} do not exist... can not clean."
+ return;
+ fi
+
+ echo -en "\t- Cleaning msec appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp ${file} ${tmpfile}
+
+ while read line; do
+ if [[ ${ctrl} == 1 ]]; then
+ ctrl=0
+ continue;
+ fi
+
+ if echo "${line}" | grep -qx "${COMMENT}"; then
+ ctrl=1
+ fi
+
+ if [[ ${ctrl} == 0 ]]; then
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+CleanRules() {
+ echo -en "\t- Cleaning msec appended line in $1 : "
+
+ perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
+
+ echo "done."
+}
+
+CommentUserRules() {
+ file=$1
+
+ if [[ ! -f ${file} ]]; then
+ return;
+ fi
+
+ echo -en "\t- Cleaning user appended line in ${file} : "
+
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp -f ${file} ${tmpfile}
+
+ while read line; do
+ if ! echo "${line}" | grep -qE "^#"; then
+ echo "# ${line}"
+ else
+ echo "${line}"
+ fi
+ done < ${tmpfile} > ${file}
+
+ rm -f ${tmpfile}
+
+ echo "done."
+}
+
+Syslog() {
+ if [[ ${SYSLOG_WARN} == yes ]]; then
+ /sbin/initlog --string=${1}
+ fi
+}
+
+Ttylog() {
+ if [[ ${TTY_WARN} == yes ]]; then
+ w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
+ echo -e ${1} > /dev/$i
+ done
+ fi
+}
+
+
+LoaderUpdate() {
+
+ # Ask only if we're not inside DrakX.
+ if [[ ! ${DRAKX_PASSWORD+set} ]]; then
+ echo "Do you want a password authentication at boot time ?"
+ echo "Be very carefull,"
+ echo "this will prevent your server to reboot without an operator to enter password".
+ WaitAnswer;
+ if [[ ${answer} == yes ]]; then
+ echo -n "Please enter the password which will be used at boot time : "
+ read password
+ else
+ password=""
+ fi
+
+ if [[ ! -z ${password} ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$password" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $password" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+ fi
+}
+
+# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
+LoaderDrakX() {
+ if [[ -n "${DRAKX_PASSWORD}" ]]; then
+ if [[ -f /etc/lilo.conf ]]; then
+ AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
+ chmod 600 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
+ chmod 600 /boot/grub/menu.lst
+ fi
+
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+
+CleanLoaderRules() {
+ if [[ -f /etc/lilo.conf ]]; then
+ CleanRules /etc/lilo.conf
+ chmod 644 /etc/lilo.conf
+ fi
+ if [[ -f /boot/grub/menu.lst ]]; then
+ CleanRules /boot/grub/menu.lst
+ chmod 644 /boot/grub/menu.lst
+ fi
+
+ if [[ -z ${DRAKX_PASSWORD} ]]; then
+ loader=`/usr/sbin/detectloader`
+ case "${loader}" in
+ "LILO")
+ /sbin/lilo
+ ;;
+ "GRUB")
+ ;;
+ esac
+ fi
+}
+
+AllowAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ grep -v AUTOLOGIN < ${file} > ${file}.new
+ echo "AUTOLOGIN=yes" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidAutologin() {
+ file=/etc/sysconfig/autologin
+ if [[ -f ${file} ]]; then
+ cat ${file} | grep -v AUTOLOGIN > ${file}.new
+ echo "AUTOLOGIN=no" >> ${file}.new
+ mv -f ${file}.new ${file}
+ fi
+}
+
+ForbidUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=false/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
+ fi
+}
+
+AllowUserList() {
+ file=/usr/share/config/kdmrc
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^UserView=.*$/UserView=true/' ${file}
+ fi
+
+ file=/etc/X11/gdm/gdm.conf
+ if [[ -f ${file} ]]; then
+ perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
+ fi
+}
+
+ForbidReboot() {
+ echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+AllowReboot() {
+ echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
+ tmpfile=`mktemp /tmp/secure.XXXXXX`
+ cp /etc/inittab ${tmpfile}
+ cat ${tmpfile} | \
+ sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
+ rm -f ${tmpfile}
+ [ -z "$DURING_INSTALL" ] && telinit u
+ echo "done."
+}
+
+# If we are currently installing our
+# system with DrakX, we don't ask anything to the user...
+# Instead, DrakX do it and give us a file with some variable.
+if [[ -f /etc/security/msec/security.conf ]]; then
+ . /etc/security/msec/security.conf
+fi
+
+clear
+echo "Preparing to run security script : "
+CleanRules /etc/syslog.conf
+CleanRules /etc/hosts.deny
+CommentUserRules /etc/hosts.deny
+CleanRules /etc/hosts.allow
+CommentUserRules /etc/hosts.allow
+CleanRules /etc/securetty
+CommentUserRules /etc/securetty
+CleanRules /etc/security/msec/security.conf
+CommentUserRules /etc/security/msec/security.conf
+CleanRules /etc/profile
+CleanRules /etc/ld.so.preload
+
+CleanLoaderRules
+LoaderDrakX
+
+CleanRules /etc/logrotate.conf
+CleanRules /etc/rc.d/rc.local
+CleanRules /etc/rc.d/rc.firewall
+CleanRules /etc/crontab
+
+if [[ -f /etc/X11/xinit.d/msec ]]; then
+ CleanRules /etc/X11/xinit.d/msec
+else
+ touch /etc/X11/xinit.d/msec
+ chmod 755 /etc/X11/xinit.d/msec
+fi
+
+echo -e "\nStarting to reconfigure the system : "
+# For all secure level
+echo "Setting spoofing protection : "
+AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
+
+# default group which must exist on the system
+# groupadd already check for their existance...
+groupadd nogroup >& /dev/null
+groupadd audio >& /dev/null
+groupadd xgrp >& /dev/null
+groupadd ntools >& /dev/null
+groupadd ctools >& /dev/null
+
+usermod -G xgrp xfs
+
+/usr/share/msec/grpuser.sh --clean
+echo
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
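Review bot: `AddBegRules` guards on `${file}` (`if [[ ! -f ${file} ]]; then`) instead of its own `$2`, so whether it returns early depends on whatever the global `file` was last set to by `AddRules`, `AllowAutologin` or `ForbidUserList`, and `perl -pi` can then be invoked on a path that does not exist; the test should read `if [[ ! -f ${2} ]]; then`. In `Ttylog` the loop reads each TTY into `line` but writes to `/dev/$i`, so the warning never reaches the intended terminal; `echo -e ${1} > /dev/${line}` is what the surrounding code expects. In `LoaderUpdate`, `read password` echoes the boot-loader password to the terminal (`read -s password` avoids that), and `AddBegRules "password=$password"` then hands it to perl on the command line, where it is briefly visible in the process list; that limitation deserves a comment at the call site. The file also ends in some forty empty `+` lines that should be trimmed.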