#!/bin/sh # # Copyright (c) 02005 sense.lab # # License: This script is distributed under the terms of version 2 # of the GNU GPL. See the LICENSE file included with the package. # # $Id$ # # this script is part of the building process of the cryptobox # the "normal" action is necessary for every cryptobox (development & release) # the "secure" action is mandatory for every release CD # # 2008-06-21 Adapted by James Crofts for use with "live-helper" # set -eu #this script runs in chroot, so RUNTIMEDIR is the null string RUNTIMEDIR="" TUNDEV=$RUNTIMEDIR/dev/net/tun REMOVE_PACKAGES="strace nvi nano vim vim-common vim-tiny unzip zip locate ssh elinks curl netkit-inetd telnet exim4-daemon-light exim4-config exim4-base ppp pppconfig pppoe pppoeconf subversion w3m wget lynx less screen info man-db manpages openssh-server openssh-client" # Removing these packages would be better for security, but # breaks the build: #aptitude tasksel wget iptables #TODO: evaluate whether to remove other packages under Debian Live # remove rc symlinks for these services SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate" #We run in a chroot environment, so source files accordingly. . /usr/share/cryptonas-live/etc-scoreboard function configure_normal() # the usual stuff - not optimized for security { ##### cryptobox settings ###### # start during bootup sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server # listen to port 80 by default sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server # use a separate configuration partition sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf # all plugins are enabled (especially: "encrypted_webinterface") sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf # change the selection of devices, that can be used as the crypto harddisk sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf ############ samba ############ # enable samba startup (disabled before via cbox-build.sh) echo 'RUN_MODE="daemons"' >/etc/default/samba # install the samba hook script cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba chmod +x /etc/cryptobox-server/events.d/samba ############ dir perms ######## # For security reasons, many CryptoNAS scripts will refuse # to run if their parent directories have unsafe permissions. # The files in config/chroot_local-includes are, by default, # owned by the user who did the SVN checkout. Therefore # reset the important directories there to being owned by root. # Debian Policy specifies that local users and package-created # users have different uid ranges, so the set of files with # unrecognized uid's should be the same as the set of files added # by "config/chroot_local-includes/". # Note that we are doing this at build time, not run time! # Only fix files that are neither setuid nor setgid: find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+ ############ webdav ############ #TODO: FIXME: configure port; add webdav link in web frontend #this mkdir may be redundant with the DAV event script (TODO) #mkdir -p /var/cache/cryptobox-server/settings/misc/apache2_dav.conf.d #sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2 #cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav #chmod +x /etc/cryptobox-server/events.d/apache2_dav # CryptoNAS's apache2_dav.conf should already be in /etc/apache2/conf.d # in SVN. #Tell apache2 NOT to listen on non-DAV ports #echo "#Leave 80 and 443 open for CryptoNAS's use" > /etc/apache2/ports.conf #echo "Listen 8080" >> /etc/apache2/ports.conf ########### boot up ########### # turn off creation of "/etc/nologin" (read-only fs) sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS # turn off modifying /etc/motd (read-only fs) sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS ######### shutdown ######### # Remove the prompt to eject CD rm -f /etc/rc0.d/*casper rm -f /etc/rc6.d/*casper ######### devices ########## # create tun device for running under qemu if [ ! -e "$TUNDEV" ] then mkdir -p `dirname "$TUNDEV"` mknod "$TUNDEV" c 10 200 fi ########## sshd ############ if [ -e "/etc/ssh" ]; then # allow empty passwords for ssh # the daemon is NOT started automatically, so you have to start it # manually in case of need - as the root pw is empty and passwd is ro, you # have to allow empty passwords for this rare case sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour) sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config # allow input of password sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config fi # remove symlinks for unwanted services for a in $SERVICES_OFF; do # echo "Turning off service $a ..." find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b do rm "$b" done done return 0 } function configure_secure() # remove everything that could weaken security # configure_normal should be called too! { # disable keyboard login sed -i '/getty/d' /etc/inittab # remove unnecessary packages dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true # maybe an authorized_keys file was created - but it is not dangerous, # as the openssh package was removed anyway [ -d /root/.ssh ] && rm -rf /root/.ssh # disable root account passwd -l root ############## clean up ################ # remove deb-files, that were left by dfsbuild # remove packages and package lists # remove locale files # remove doc files # remove man pages # some vim files stay behind? # Need to keep these files for live-helper to complete successfully # rm -rf /var/cache/apt /var/lib/apt /var/cache/debconf /opt/packages rm -rf /var/cache/bootstrap /var/cache/locate rm -rf /usr/share/man /usr/share/vim /var/cache/man # remove docs except for the cryptobox's ls /usr/share/doc | while read dname do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname" done # remove all locale files and symlinks except for the cryptobox's (find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname do rm "$fname" done # remove all empty locale directories find /usr/share/locale -type d | while read dname do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname" done # change some dir permissions chmod 770 /var/cache/cryptobox-server/settings/ # remove developer-specific script(s) rm -f /usr/share/cryptonas-live/devel-features.sh rm -f /etc/init.d/*devel-features rm -f /etc/rcS.d/*devel-features rm -f /etc/rc3.d/*devel-features return 0 } ################ main #################### # Allow this script to be run either manually by the # developer using live-helper's "interactive chroot" # mode or automatically by "lh_build". ACTION="$CNAS_HARDNESS" [ $# -gt 0 ] && ACTION=$1 case "$ACTION" in normal|devel) configure_normal ;; secure|hard) configure_normal configure_secure ;; * ) echo "`basename $0`:warning: CryptoNAS security level\ not specified; defaulting to \"secure\"" configure_normal configure_secure ;; esac #FIXME: Not ideal to unconditionally return "SUCCESS" exit 0