Daemons now start up correctly on their own.
Volumes can now be mounted, unmounted, and accessed using CIFS, including encrypted volumes. Streamlined build customization capability, including addition of "scoreboard" file. Added live-helper scripts to the repository.
This commit is contained in:
parent
443dd1f163
commit
13e8c341a1
13 changed files with 584 additions and 40 deletions
182
config/chroot_local-hooks/50cnas-config-chroot.sh
Executable file
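--- a/config/chroot_local-hooks/50cnas-config-chroot.sh
+++ b/config/chroot_local-hooks/50cnas-config-chroot.sh
@@ -0,0 +1,182 @@
+#!/bin/sh
+#
+# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
+#
+# License: This script is distributed under the terms of version 2
+# of the GNU GPL. See the LICENSE file included with the package.
+#
+# $Id$
+#
+# this script is part of the building process of the cryptobox
+# the "normal" action is necessary for every cryptobox (development & release)
+# the "secure" action is mandatory for every release CD
+#
+# 2008-06-21 Adapted by James Crofts for use with "live-helper"
+#
+
+set -eu
+
+RUNTIMEDIR=/opt/dfsruntime/runtimerd
+TUNDEV=$RUNTIMEDIR/dev/net/tun
+
+REMOVE_PACKAGES="strace
+nvi nano vim vim-common vim-tiny
+unzip zip aptitude tasksel locate
+ssh elinks curl wget netkit-inetd telnet
+exim4-daemon-light exim4-config exim4-base
+ppp pppconfig pppoe pppoeconf iptables
+subversion w3m wget lynx less screen
+info iptables man-db manpages
+openssh-server openssh-client"
+
+# remove rc symlinks for these services
+SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
+
+#We run in a chroot environment, so source files accordingly.
+. /usr/lib/cryptobox-cd/etc-scoreboard
+
+function configure_normal()
+# the usual stuff - not optimized for security
+{
+##### cryptobox settings ######
+# start during bootup
+sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server
+# listen to port 80 by default
+sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server
+# use a separate configuration partition
+sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf
+# all plugins are enabled (especially: "encrypted_webinterface")
+sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf
+# change the selection of devices, that can be used as the crypto harddisk
+sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf
+
+############ samba ############
+# enable samba startup (disabled before via cbox-build.sh)
+echo 'RUN_MODE="daemons"' >/etc/default/samba
+# install the samba hook script
+cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba
+chmod +x /etc/cryptobox-server/events.d/samba
+chown root:root /etc
+
+
+############ webdav ############
+#TODO: FIXME: add apache2 packages; configure port; add webdav link in web frontend
+# sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2
+# cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav
+# chmod +x /etc/cryptobox-server/events.d/apache2_dav
+
+
+########### boot up ###########
+# turn off creation of "/etc/nologin" (read-only fs)
+sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
+# turn off modifying /etc/motd (read-only fs)
+sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
+
+######### shutdown #########
+# Remove the prompt to eject CD
+rm -r /etc/rc0.d/*casper
+rm -r /etc/rc6.d/*casper
+
+######### devices ##########
+# create tun device for running under qemu
+if [ ! -e "$TUNDEV" ]
+then mkdir -p `dirname "$TUNDEV"`
+mknod "$TUNDEV" c 10 200
+fi
+
+########## sshd ############
+if [ -e "/etc/ssh" ]; then
+# allow empty passwords for ssh
+# the daemon is NOT started automatically, so you have to start it
+# manually in case of need - as the root pw is empty and passwd is ro, you
+# have to allow empty passwords for this rare case
+sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
+# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
+sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
+# allow input of password
+sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
+fi
+
+# remove symlinks for unwanted services
+for a in $SERVICES_OFF; do
+# echo "Turning off service $a ..."
+find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
+do rm "$b"
+done
+done
+
+return 0
+}
+
+
+function configure_secure()
+# remove everything that could weaken security
+# configure_normal should be called too!
+{
+# disable keyboard login
+sed -i '/getty/d' /etc/inittab
+
+# remove unnecessary packages
+dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
+
+# maybe an authorized_keys file was created - but it is not dangerous,
+# as the openssh package was removed anyway
+[ -d /root/.ssh ] && rm -rf /root/.ssh
+
+# disable root account
+passwd -l root
+
+############## clean up ################
+# remove deb-files, that were left by dfsbuild
+# remove packages and package lists
+# remove locale files
+# remove doc files
+# remove man pages
+# some vim files stay behind?
+rm -rf /opt/packages /var/cache/bootstrap /var/cache/apt/ /var/cache/locate
+rm -rf /usr/share/man /usr/share/vim /var/lib/apt /var/cache/debconf /var/cache/man
+# remove docs except for the cryptobox's
+ls /usr/share/doc | while read dname
+do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
+done
+# remove all locale files and symlinks except for the cryptobox's
+(find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname
+do rm "$fname"
+done
+# remove all empty locale directories
+find /usr/share/locale -type d | while read dname
+do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname"
+done
+
+# change some dir permissions
+chmod 660 /var/cache/cryptobox-server/settings/
+
+return 0
+}
+
+
+################ main ####################
+# Allow this script to be run either manually by the
+# developer using live-helper's "interactive chroot"
+# mode or automatically by "lh_build".
+ACTION="$CNAS_HARDNESS"
+[ $# -gt 0 ] && ACTION=$1
+
+case "$ACTION" in
+normal|devel)
+configure_normal
+;;
+secure|hard)
+configure_normal
+configure_secure
+;;
+* )
+echo "`basename $0`:warning: CryptoNAS security level\
+not specified; defaulting to \"secure\""
+configure_normal
+configure_secure
+;;
+esac
+
+#FIXME: Not ideal to unconditionally return "SUCCESS"
+exit 0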
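Review bot: configure_secure relies on `dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true` to undo the sshd weakening that configure_normal applied (PermitEmptyPasswords yes, UsePAM no, PasswordAuthentication yes), but the pipeline's status is grep's, not dpkg's, and `|| true` discards even that, so a failed purge would leave a release image with an sshd_config that accepts an empty root password and nothing in the hook notices. I would assert the outcome after the purge instead of trusting the command: `dpkg-query -W openssh-server >/dev/null 2>&1 && { echo "openssh-server still present" >&2; exit 1; }` and `[ ! -e /etc/ssh/sshd_config ] || { echo "sshd_config still present" >&2; exit 1; }`. Two smaller points: the file is `#!/bin/sh` but uses the `function` keyword and `test ... ==`, which a POSIX sh such as dash rejects, so either the shebang should become `#!/bin/bash` or those bashisms should be dropped; and `chmod 660 /var/cache/cryptobox-server/settings/` clears the execute bit on a directory, which blocks traversal into it, so unless that is intended `chmod 770` (or `700`) seems to be what was meant.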