Diffstat (limited to 'init-sh/lib.sh')
-rw-r--r-- | init-sh/lib.sh | 410 |
1 files changed, 0 insertions, 410 deletions
diff --git a/init-sh/lib.sh b/init-sh/lib.sh
deleted file mode 100644
index 17b007f..0000000
--- a/init-sh/lib.sh
+++ /dev/null
@@ -1,410 +0,0 @@
-#
-# Security level implementation...
-# Writen by Vandoorselaere Yoann <yoann@mandrakesoft.com>
-#
-
-# Need root access
-if [[ ${UID} != 0 ]]; then
- echo "You need to be root in order to change secure level."
- exit 1
-fi
-
-export COMMENT="# Mandrake-Security : if you remove this comment, remove the next line too."
-
-WaitAnswer() {
- answer="nothing"
-
- while [[ ${answer} != yes && ${answer} != no ]]; do
- echo -n "yes/no : "
- read answer
- done
-}
-
-AddRules() {
- string=$1
- file=$2
- quiet=$3
-
- if [[ -z ${string} ]]; then
- return;
- fi
-
- if [[ -z ${quiet} ]]; then
- echo "Modifying config in ${file}..."
- fi
-
- if ! grep -qEx "^${string}" ${file}; then
- echo -e "${COMMENT}" >> ${file};
- echo -e "${string}" >> ${file};
- fi
-
- if [[ -z ${3} ]]; then
- echo -e "done.\n"
- fi
-}
-
-AddBegRules() {
- echo "Modifying config in ${2}..."
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- export VAL=$1
- perl -pi -e '/^#/ or /^$/ or $m++ or print "$ENV{COMMENT}\n$ENV{VAL}\n"' $2
-
- echo -e "done.\n"
-}
-
-
-OLD_CleanRules() {
- file=$1
- ctrl=0
-
- if [[ ! -f ${file} ]]; then
- echo "${file} do not exist... can not clean."
- return;
- fi
-
- echo -en "\t- Cleaning msec appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp ${file} ${tmpfile}
-
- while read line; do
- if [[ ${ctrl} == 1 ]]; then
- ctrl=0
- continue;
- fi
-
- if echo "${line}" | grep -qx "${COMMENT}"; then
- ctrl=1
- fi
-
- if [[ ${ctrl} == 0 ]]; then
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-CleanRules() {
- echo -en "\t- Cleaning msec appended line in $1 : "
-
- perl -ni -e '$_ eq "$ENV{COMMENT}\n" ... // or print' $1
-
- echo "done."
-}
-
-CommentUserRules() {
- file=$1
-
- if [[ ! -f ${file} ]]; then
- return;
- fi
-
- echo -en "\t- Cleaning user appended line in ${file} : "
-
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp -f ${file} ${tmpfile}
-
- while read line; do
- if ! echo "${line}" | grep -qE "^#"; then
- echo "# ${line}"
- else
- echo "${line}"
- fi
- done < ${tmpfile} > ${file}
-
- rm -f ${tmpfile}
-
- echo "done."
-}
-
-Syslog() {
- if [[ ${SYSLOG_WARN} == yes ]]; then
- /sbin/initlog --string=${1}
- fi
-}
-
-Ttylog() {
- if [[ ${TTY_WARN} == yes ]]; then
- w | grep -v "load\|TTY" | awk '{print $2}' | while read line; do
- echo -e ${1} > /dev/$i
- done
- fi
-}
-
-
-LoaderUpdate() {
-
- # Ask only if we're not inside DrakX.
- if [[ ! ${DRAKX_PASSWORD+set} ]]; then
- echo "Do you want a password authentication at boot time ?"
- echo "Be very carefull,"
- echo "this will prevent your server to reboot without an operator to enter password".
- WaitAnswer;
- if [[ ${answer} == yes ]]; then
- echo -n "Please enter the password which will be used at boot time : "
- read password
- else
- password=""
- fi
-
- if [[ ! -z ${password} ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$password" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $password" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
- fi
-}
-
-# Do something only if DRAKX_PASSWORD set ( we're in DrakX )
-LoaderDrakX() {
- if [[ -n "${DRAKX_PASSWORD}" ]]; then
- if [[ -f /etc/lilo.conf ]]; then
- AddBegRules "password=$DRAKX_PASSWORD" /etc/lilo.conf
- chmod 600 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- AddBegRules "password $DRAKX_PASSWORD" /boot/grub/menu.lst
- chmod 600 /boot/grub/menu.lst
- fi
-
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-
-CleanLoaderRules() {
- if [[ -f /etc/lilo.conf ]]; then
- CleanRules /etc/lilo.conf
- chmod 644 /etc/lilo.conf
- fi
- if [[ -f /boot/grub/menu.lst ]]; then
- CleanRules /boot/grub/menu.lst
- chmod 644 /boot/grub/menu.lst
- fi
-
- if [[ -z ${DRAKX_PASSWORD} ]]; then
- loader=`/usr/sbin/detectloader`
- case "${loader}" in
- "LILO")
- /sbin/lilo
- ;;
- "GRUB")
- ;;
- esac
- fi
-}
-
-AllowAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- grep -v AUTOLOGIN < ${file} > ${file}.new
- echo "AUTOLOGIN=yes" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidAutologin() {
- file=/etc/sysconfig/autologin
- if [[ -f ${file} ]]; then
- cat ${file} | grep -v AUTOLOGIN > ${file}.new
- echo "AUTOLOGIN=no" >> ${file}.new
- mv -f ${file}.new ${file}
- fi
-}
-
-ForbidUserList() {
- file=/usr/share/config/kdm/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^ShowUsers=.*$/ShowUsers=None/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=0/' ${file}
- fi
-}
-
-AllowUserList() {
- file=/usr/share/config/kdm/kdmrc
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^ShowUsers=.*$/ShowUsers=All/' ${file}
- fi
-
- file=/etc/X11/gdm/gdm.conf
- if [[ -f ${file} ]]; then
- perl -pi -e 's/^Browser=.*$/Browser=1/' ${file}
- fi
-}
-
-ForbidReboot() {
- echo -n "Setting up inittab to deny any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/\/bin\/bash --login/\/sbin\/mingetty tty1/' | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
- echo -n "Forbid console users to reboot/shutdown : "
- for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
- rm -f ${pamfile} 2>&1 > /dev/null
- done
- echo "done."
-}
-
-AllowReboot() {
- echo -n "Setting up inittab to authorize any user to issue ctrl-alt-del : "
- tmpfile=`mktemp /tmp/secure.XXXXXX`
- cp /etc/inittab ${tmpfile}
- cat ${tmpfile} | \
- sed s'/ca::ctrlaltdel:\/sbin\/shutdown -a -t3 -r now/ca::ctrlaltdel:\/sbin\/shutdown -t3 -r now/' > /etc/inittab
- rm -f ${tmpfile}
- [ -z "$DURING_INSTALL" ] && telinit u
- echo "done."
- echo -n "Allow console users to reboot/shutdown : "
- for pamfile in /etc/security/console.apps/{shutdown,poweroff,reboot,halt} ; do
- touch -f ${pamfile}
- done
- echo "done."
-}
-
-RootSshLogin () {
- echo -n "Setting up the root ssh login : "
- if [[ $1 == 4 || $1 == 5 || $1 == snf ]]; then
- /bin/sed 's/PermitRootLogin yes/PermitRootLogin no/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- else
- sed 's/PermitRootLogin no/PermitRootLogin yes/' < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new
- mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
- chmod 0600 /etc/ssh/sshd_config
- fi
-}
-
-LoadSysctl () {
- /sbin/sysctl -e -p /etc/sysctl.conf
- service network restart
-}
-
-RemoveIssue () {
- if [ -f /etc/issue ]; then
- mv -f /etc/issue /etc/issue.msec
- fi
-}
-
-RemoveIssueNet () {
- if [ -f /etc/issue.net ]; then
- mv -f /etc/issue.net /etc/issue.net.msec
- fi
-}
-
-RestoreIssues () {
- if [ ! -f /etc/issue.net -a -f /etc/issue.net.msec ]; then
- mv -f /etc/issue.net.msec /etc/issue.net
- fi
-
- if [ ! -f /etc/issue -a -f /etc/issue.msec ]; then
- mv -f /etc/issue.msec /etc/issue
- fi
-}
-
-# If we are currently installing our
-# system with DrakX, we don't ask anything to the user...
-# Instead, DrakX does it and gives us a file with some variables.
-if [[ -f /etc/security/msec/security.conf ]]; then
- . /etc/security/msec/security.conf
-fi
-
-clear
-echo "Preparing to run security script : "
-CleanRules /etc/syslog.conf
-CleanRules /etc/hosts.deny
-CommentUserRules /etc/hosts.deny
-CleanRules /etc/hosts.allow
-CommentUserRules /etc/hosts.allow
-CleanRules /etc/securetty
-CommentUserRules /etc/securetty
-CleanRules /etc/security/msec/security.conf
-CommentUserRules /etc/security/msec/security.conf
-touch /etc/ld.so.preload
-CleanRules /etc/ld.so.preload
-CleanRules /etc/host.conf
-CleanRules /etc/sysctl.conf
-
-CleanLoaderRules
-LoaderDrakX
-
-CleanRules /etc/logrotate.conf
-CleanRules /etc/rc.d/rc.local
-CleanRules /etc/rc.d/rc.firewall
-CleanRules /etc/crontab
-CleanRules /etc/profile
-CleanRules /etc/zprofile
-
-RestoreIssues
-
-if [[ -f /etc/X11/xinit.d/msec ]]; then
- CleanRules /etc/X11/xinit.d/msec
-else
- touch /etc/X11/xinit.d/msec
- chmod 755 /etc/X11/xinit.d/msec
-fi
-
-if [[ -f /etc/sysconfig/msec ]]; then
- CleanRules /etc/sysconfig/msec
-fi
-
-if [[ -f /etc/profile.d/msec.sh && -f /etc/profile.d/msec.csh ]]; then
- CleanRules /etc/profile.d/msec.sh
- CleanRules /etc/profile.d/msec.csh
-else
- chmod 755 /etc/profile.d/msec.sh
- chmod 755 /etc/profile.d/msec.csh
-fi
-
-echo -e "\nStarting to reconfigure the system : "
-# For all secure level
-echo "Setting spoofing protection : "
-AddRules "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" /etc/rc.d/rc.firewall
-
-# default groups which must exist on the system
-# groupadd already checks for their existance...
-groupadd nogroup >& /dev/null
-groupadd -g 26 xgrp >& /dev/null
-groupadd -g 33 ntools >& /dev/null
-groupadd -g 34 ctools >& /dev/null
-groupadd -g 81 audio >& /dev/null
-
-usermod -G xgrp xfs
-
-/usr/share/msec/grpuser.sh --clean
-echo |