author | Eugeni Dodonov <eugeni@mandriva.org> | 2010-02-08 14:06:58 +0000 |
---|---|---|
committer | Eugeni Dodonov <eugeni@mandriva.org> | 2010-02-08 14:06:58 +0000 |
commit | 066ecb8ae35048888b2b6e54fc97f68b8462aff7 (patch) | |
tree | d7c185ef832bd036d96201660a2597aa36e36a54 /init-sh | |
parent | d8b966e8f70b17cb1ec2eb3943416653f3e6c121 (diff) | |
moved upgrade script to the right place
Diffstat (limited to 'init-sh')
-rwxr-xr-x | init-sh/upgrade.sh | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/init-sh/upgrade.sh b/init-sh/upgrade.sh
new file mode 100755
index 0000000..065174d
--- /dev/null
+++ b/init-sh/upgrade.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+#
+# This script upgrades msec configuration files from previous versions
+# to the up-to-date format
+#
+
+if [ "`whoami`" != "root" ]; then
+ echo 'msec: sorry, you must be root !'
+ exit 1
+fi
+
+# upgrade from 2009.0 or previous versions
+
+# manage spelling change
+ for i in /etc/security/msec/level.local /etc/security/msec/security.conf /var/lib/msec/security.conf; do
+ if [ -f $i ]; then
+ perl -pi -e 's/CHECK_WRITEABLE/CHECK_WRITABLE/g;s/CHECK_SUID_GROUP/CHECK_SGID/g' $i
+ fi
+done
+for ext in today yesterday diff; do
+ if [ -f /var/log/security/writeable.$ext ]; then
+ mv -f /var/log/security/writeable.$ext /var/log/security/writable.$ext
+ fi
+ if [ -f /var/log/security/suid_group.$ext ]; then
+ mv -f /var/log/security/suid_group.$ext /var/log/security/sgid.$ext
+ fi
+done
+
+# find secure level
+SL=$SECURE_LEVEL
+[ ! -r /etc/sysconfig/msec ] || SL=`sed -n 's/SECURE_LEVEL=//p' < /etc/sysconfig/msec` || :
+
+# upgrade from old style msec or rerun the new msec
+if grep -q "# Mandrake-Security : if you remove this comment" /etc/profile; then
+ [ -z "$SL" -a -r /etc/profile.d/msec.sh ] && SL=`sed -n 's/.*SECURE_LEVEL=//p' < /etc/profile.d/msec.sh` || :
+ /usr/share/msec/cleanold.sh || :
+fi
+
+# remove the old way of doing the daily cron
+rm -f /etc/cron.d/msec
+
+# upgrading old config files
+if [ -n "$SL" ]; then
+ # old msec installation, pre 2009.1
+ # grab old configuration
+ OLDCONFIG=`mktemp /etc/security/msec/upgrade.XXXXXX`
+ [ -s /var/lib/msec/security.conf ] && cat /var/lib/msec/security.conf >> $OLDCONFIG
+ [ -s /etc/security/msec/security.conf ] && cat /etc/security/msec/security.conf >> $OLDCONFIG
+ if [ "$SL" -gt 3 ]; then
+ NEWLEVEL="secure"
+ elif [ "$SL" -gt 1 ]; then
+ NEWLEVEL="standard"
+ else
+ NEWLEVEL="none"
+ fi
+ if [ ! -s /etc/security/msec/security.conf ]; then
+ cp -f /etc/security/msec/level.$NEWLEVEL /etc/security/msec/security.conf
+ fi
+ if [ ! -s /etc/security/msec/perms.conf ]; then
+ cp -f /etc/security/msec/perm.$NEWLEVEL /etc/security/msec/perms.conf
+ fi
+
+ if [ -f /etc/sysconfig/msec ]; then
+ cat /etc/sysconfig/msec | grep -v SECURE_LEVEL > /etc/security/shell
+ fi
+
+ # upgrading old configuration
+ if [ -s "$OLDCONFIG" ]; then
+ cat ${OLDCONFIG} | sort | uniq >> /etc/security/msec/security.conf
+ fi
+ rm -f $OLDCONFIG
+fi
+
+# fixing spelling
+if [ -f /etc/security/msec/security.conf ]; then
+ # without-password config setting
+ sed -i -e 's/without_password/without-password/g' /etc/security/msec/security.conf
+ # level name changes
+ sed -i -e 's/=default$/=standard/g' /etc/security/msec/security.conf
+ # variable name changes
+ sed -i -e 's/RPM_CHECK=/CHECK_RPM=/g' -e 's/CHKROOTKIT_CHECK=/CHECK_CHKROOTKIT=/g' /etc/security/msec/security.conf
+ # fixing WIN_PARTS_UMASK upgrade parameters
+ sed -i -e 's/\(WIN_PARTS_UMASK\)=no/\1=0/g' /etc/security/msec/security.conf
+ # serverlink changes
+ sed -i -e 's/\(CREATE_SERVER_LINK\)=standard/\1=no/g' \
+ -e 's/\(CREATE_SERVER_LINK\)=secure/\1=remote/g' \
+ /etc/security/msec/security.conf
+ # CHECK_RPM split into CHECK_RPM_PACKAGES and CHECK_RPM_INTEGRITY
+ sed -i -e 's/CHECK_RPM=\(.*\)/CHECK_RPM_PACKAGES=\1\nCHECK_RPM_INTEGRITY=\1/g' /etc/security/msec/security.conf
+ # starting with 2010.1, each check can have a different periodicity
+ # therefore, for the enabled tests we define their periodicity to 'daily'
+ # to have the same behavior as on previous versions
+ sed -i -e 's/\(CHECK_.*\)=yes/\1=daily/g' /etc/security/msec/security.conf
+ # removing duplicated entries
+ TEMPFILE=`mktemp /etc/security/msec/upgrade.XXXXXX`
+ cat /etc/security/msec/security.conf | sort | uniq > $TEMPFILE 2>/dev/null && mv -f $TEMPFILE /etc/security/msec/security.conf
+ test -f $TEMPFILE && rm -f $TEMPFILE
+fi
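Review bot: The level mapping in the `if [ -n "$SL" ]` block fails open, because `$SL` is whatever `sed` extracted from `/etc/sysconfig/msec` or `/etc/profile.d/msec.sh`, or the inherited `$SECURE_LEVEL` environment variable. If that value is quoted, spans several lines, or is otherwise non-numeric, both `[ "$SL" -gt 3 ]` and `[ "$SL" -gt 1 ]` error out and the `else` branch sets `NEWLEVEL="none"`, the least restrictive level. That level is then copied into `security.conf` and `perms.conf` whenever those files are empty or missing. I would validate the value right after the `-n` test and fall back to a non-permissive default, e.g. `case "$SL" in *[!0-9]*) echo "msec: unexpected SECURE_LEVEL '$SL', using standard" >&2; SL=2;; esac`. Separately, `sort | uniq` removes only identical lines, so two different values for the same key from the merged old configs both survive; it would help to document which one is meant to win.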