cryptonas-livecd/config/chroot_local-includes/usr/lib/cryptobox-cd/configure-cryptobox.sh

180 lines
5.9 KiB
Bash
Raw Normal View History

#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# this script is part of the building process of the cryptobox
# the "normal" action is necessary for every cryptobox (development & release)
# the "secure" action is mandatory for every release CD
#
# called by:
# - cbox-build.sh after copying custom files and before creating the iso image
#
set -eu
RUNTIMEDIR=/opt/dfsruntime/runtimerd
TUNDEV=$RUNTIMEDIR/dev/net/tun
ADD_GROUPS="floppy cdrom tape video plugdev"
REMOVE_PACKAGES="strace
nvi nano vim vim-common vim-tiny
unzip zip aptitude tasksel locate
ssh elinks curl wget netkit-inetd telnet
exim4-daemon-light exim4-config exim4-base
ppp pppconfig pppoe pppoeconf iptables
subversion w3m wget lynx less screen
info iptables man-db manpages
openssh-server openssh-client"
# remove rc symlinks for these services
SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
function configure_normal()
# the usual stuff - not optimized for security
{
##### cryptobox settings ######
# start during bootup
sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server
# listen to port 80 by default
sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server
# use a separate configuration partition
sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf
# all plugins are enabled (especially: "encrypted_webinterface")
sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf
# change the selection of devices, that can be used as the crypto harddisk
sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf
# add the cryptobox user to some more groups
for new_group in $ADD_GROUPS
do adduser cryptobox "$new_group"
done
############ samba ############
# enable samba startup (disabled before via cbox-build.sh)
echo 'RUN_MODE="daemons"' >/etc/default/samba
# install the samba hook script
cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba
chmod +x /etc/cryptobox-server/events.d/samba
############ webdav ############
#TODO: add apache2 packages; configure port; add webdav link in web frontend
sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2
cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav
chmod +x /etc/cryptobox-server/events.d/apache2_dav
########### boot up ###########
# turn off creation of "/etc/nologin" (read-only fs)
sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
# turn off modifying /etc/motd (read-only fs)
sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
# default runlevel (out of some strange reason, runlevel 2 is not working)
sed -i 's/^id:.*$/id:3:initdefault:/' /etc/inittab
# add tmpfs entry for mount parent
# remove old line, if fstab exists
test -e /etc/fstab && sed -i '#/var/cache/cryptobox-server/mnt#d' /etc/fstab
# add new line
echo "tmpfs /var/cache/cryptobox-server/mnt tmpfs defaults 0 0" >>/etc/fstab
######### devices ##########
# create tun device for running under qemu
if [ ! -e "$TUNDEV" ]
then mkdir -p `dirname "$TUNDEV"`
mknod "$TUNDEV" c 10 200
fi
########## sshd ############
if [ -e "/etc/ssh" ]; then
# allow empty passwords for ssh
# the daemon is NOT started automatically, so you have to start it
# manually in case of need - as the root pw is empty and passwd is ro, you
# have to allow empty passwords for this rare case
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
# allow input of password
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
fi
# remove symlinks for unwanted services
for a in $SERVICES_OFF; do
# echo "Turning off service $a ..."
find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
do rm "$b"
done
done
return 0
}
function configure_secure()
# remove everything that could weaken security
# configure_normal should be called too!
{
# disable keyboard login
sed -i '/getty/d' /etc/inittab
# remove unnecessary packages
dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
# maybe an authorized_keys file was created - but it is not dangerous,
# as the openssh package was removed anyway
[ -d /root/.ssh ] && rm -rf /root/.ssh
# disable root account
passwd -l root
############## clean up ################
# remove deb-files, that were left by dfsbuild
# remove packages and package lists
# remove locale files
# remove doc files
# remove man pages
# some vim files stay behind?
rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate
rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man
# remove docs except for the cryptobox's
ls /usr/share/doc | while read dname
do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
done
# remove all locale files and symlinks except for the cryptobox's
(find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname
do rm "$fname"
done
# remove all empty locale directories
find /usr/share/locale -type d | while read dname
do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname"
done
# change some dir permissions
chmod 660 /var/cache/cryptobox-server/settings/
return 0
}
################ main ####################
ACTION=help
[ $# -gt 0 ] && ACTION=$1
case "$ACTION" in
normal )
configure_normal
;;
secure )
configure_secure
;;
* )
echo "Syntax: `basename $0` { normal | secure }"
echo
;;
esac