217 lines
7.5 KiB
Bash
Executable file
217 lines
7.5 KiB
Bash
Executable file
#!/bin/sh
|
|
#
|
|
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
|
|
#
|
|
# License: This script is distributed under the terms of version 2
|
|
# of the GNU GPL. See the LICENSE file included with the package.
|
|
#
|
|
# $Id$
|
|
#
|
|
# this script is part of the building process of the cryptobox
|
|
# the "normal" action is necessary for every cryptobox (development & release)
|
|
# the "secure" action is mandatory for every release CD
|
|
#
|
|
# 2008-06-21 Adapted by James Crofts for use with "live-helper"
|
|
#
|
|
|
|
set -eu
|
|
|
|
#this script runs in chroot, so RUNTIMEDIR is the null string
|
|
RUNTIMEDIR=""
|
|
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
|
|
|
REMOVE_PACKAGES="strace
|
|
nvi nano vim vim-common vim-tiny
|
|
unzip zip locate
|
|
ssh elinks curl netkit-inetd telnet
|
|
exim4-daemon-light exim4-config exim4-base
|
|
ppp pppconfig pppoe pppoeconf
|
|
subversion w3m wget lynx less screen
|
|
info man-db manpages
|
|
openssh-server openssh-client"
|
|
|
|
# Removing these packages would be better for security, but
|
|
# breaks the build:
|
|
#aptitude tasksel wget iptables
|
|
#TODO: evaluate whether to remove other packages under Debian Live
|
|
|
|
# remove rc symlinks for these services
|
|
SERVICES_OFF="ssh setserial nviboot mountnfs ntpdate"
|
|
|
|
#We run in a chroot environment, so source files accordingly.
|
|
. /usr/share/cryptonas-live/etc-scoreboard
|
|
|
|
function configure_normal()
|
|
# the usual stuff - not optimized for security
|
|
{
|
|
##### cryptobox settings ######
|
|
# start during bootup
|
|
sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/cryptobox-server
|
|
# listen to port 80 by default
|
|
sed -i 's/^PORT=.*$/PORT=80/' /etc/default/cryptobox-server
|
|
# use a separate configuration partition
|
|
sed -i 's/^UseConfigPartition.*$/UseConfigPartition = 1/' /etc/cryptobox-server/cryptobox.conf
|
|
# all plugins are enabled (especially: "encrypted_webinterface")
|
|
sed -i 's#^DisabledPlugins.*$#DisabledPlugins = #' /etc/cryptobox-server/cryptobox.conf
|
|
# change the selection of devices, that can be used as the crypto harddisk
|
|
sed -i 's#^AllowedDevices.*$#AllowedDevices = /dev/#' /etc/cryptobox-server/cryptobox.conf
|
|
|
|
############ samba ############
|
|
# enable samba startup (disabled before via cbox-build.sh)
|
|
echo 'RUN_MODE="daemons"' >/etc/default/samba
|
|
# install the samba hook script
|
|
cp /usr/share/doc/cryptobox-server/event-scripts/samba /etc/cryptobox-server/events.d/samba
|
|
chmod +x /etc/cryptobox-server/events.d/samba
|
|
|
|
############ dir perms ########
|
|
# For security reasons, many CryptoNAS scripts will refuse
|
|
# to run if their parent directories have unsafe permissions.
|
|
# The files in config/chroot_local-includes are, by default,
|
|
# owned by the user who did the SVN checkout. Therefore
|
|
# reset the important directories there to being owned by root.
|
|
# Debian Policy specifies that local users and package-created
|
|
# users have different uid ranges, so the set of files with
|
|
# unrecognized uid's should be the same as the set of files added
|
|
# by "config/chroot_local-includes/".
|
|
# Note that we are doing this at build time, not run time!
|
|
# Only fix files that are neither setuid nor setgid:
|
|
find / -xdev -nouser ! -perm -4000 ! -perm -2000 -execdir chown root:root '{}' \+
|
|
|
|
############ webdav ############
|
|
#TODO: FIXME: configure port; add webdav link in web frontend
|
|
#this mkdir may be redundant with the DAV event script (TODO)
|
|
mkdir -p /var/cache/cryptobox-server/settings/misc/apache2_dav.conf.d
|
|
sed -i 's/^NO_START=.*$/NO_START=0/' /etc/default/apache2
|
|
cp /usr/share/doc/cryptobox-server/event-scripts/apache2_dav /etc/cryptobox-server/events.d/apache2_dav
|
|
chmod +x /etc/cryptobox-server/events.d/apache2_dav
|
|
# CryptoNAS's apache2_dav.conf should already be in /etc/apache2/conf.d
|
|
# in SVN.
|
|
|
|
#Tell apache2 NOT to listen on non-DAV ports
|
|
echo "#Leave 80 and 443 open for CryptoNAS's use" > /etc/apache2/ports.conf
|
|
echo "Listen 8080" >> /etc/apache2/ports.conf
|
|
|
|
########### boot up ###########
|
|
# turn off creation of "/etc/nologin" (read-only fs)
|
|
sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS
|
|
# turn off modifying /etc/motd (read-only fs)
|
|
sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS
|
|
|
|
######### shutdown #########
|
|
# Remove the prompt to eject CD
|
|
rm -f /etc/rc0.d/*casper
|
|
rm -f /etc/rc6.d/*casper
|
|
|
|
######### devices ##########
|
|
# create tun device for running under qemu
|
|
if [ ! -e "$TUNDEV" ]
|
|
then mkdir -p `dirname "$TUNDEV"`
|
|
mknod "$TUNDEV" c 10 200
|
|
fi
|
|
|
|
########## sshd ############
|
|
if [ -e "/etc/ssh" ]; then
|
|
# allow empty passwords for ssh
|
|
# the daemon is NOT started automatically, so you have to start it
|
|
# manually in case of need - as the root pw is empty and passwd is ro, you
|
|
# have to allow empty passwords for this rare case
|
|
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
|
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
|
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
|
# allow input of password
|
|
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
|
fi
|
|
|
|
# remove symlinks for unwanted services
|
|
for a in $SERVICES_OFF; do
|
|
# echo "Turning off service $a ..."
|
|
find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b
|
|
do rm "$b"
|
|
done
|
|
done
|
|
|
|
return 0
|
|
}
|
|
|
|
|
|
function configure_secure()
|
|
# remove everything that could weaken security
|
|
# configure_normal should be called too!
|
|
{
|
|
# disable keyboard login
|
|
sed -i '/getty/d' /etc/inittab
|
|
|
|
# remove unnecessary packages
|
|
dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true
|
|
|
|
# maybe an authorized_keys file was created - but it is not dangerous,
|
|
# as the openssh package was removed anyway
|
|
[ -d /root/.ssh ] && rm -rf /root/.ssh
|
|
|
|
# disable root account
|
|
passwd -l root
|
|
|
|
############## clean up ################
|
|
# remove deb-files, that were left by dfsbuild
|
|
# remove packages and package lists
|
|
# remove locale files
|
|
# remove doc files
|
|
# remove man pages
|
|
# some vim files stay behind?
|
|
|
|
# Need to keep these files for live-helper to complete successfully
|
|
# rm -rf /var/cache/apt /var/lib/apt /var/cache/debconf /opt/packages
|
|
|
|
rm -rf /var/cache/bootstrap /var/cache/locate
|
|
rm -rf /usr/share/man /usr/share/vim /var/cache/man
|
|
# remove docs except for the cryptobox's
|
|
ls /usr/share/doc | while read dname
|
|
do test "$dname" == "cryptobox-server" || rm -rf "/usr/share/doc/$dname"
|
|
done
|
|
# remove all locale files and symlinks except for the cryptobox's
|
|
(find /usr/share/locale -type f; find /usr/share/locale -type l) | grep -v "cryptobox-server" | while read fname
|
|
do rm "$fname"
|
|
done
|
|
# remove all empty locale directories
|
|
find /usr/share/locale -type d | while read dname
|
|
do test -d "$dname" && rmdir --ignore-fail-on-non-empty --parents "$dname"
|
|
done
|
|
|
|
# change some dir permissions
|
|
chmod 770 /var/cache/cryptobox-server/settings/
|
|
|
|
# remove developer-specific script(s)
|
|
rm -f /usr/share/cryptonas-live/devel-features.sh
|
|
rm -f /etc/init.d/*devel-features
|
|
rm -f /etc/rcS.d/*devel-features
|
|
rm -f /etc/rc3.d/*devel-features
|
|
|
|
return 0
|
|
}
|
|
|
|
|
|
################ main ####################
|
|
# Allow this script to be run either manually by the
|
|
# developer using live-helper's "interactive chroot"
|
|
# mode or automatically by "lh_build".
|
|
ACTION="$CNAS_HARDNESS"
|
|
[ $# -gt 0 ] && ACTION=$1
|
|
|
|
case "$ACTION" in
|
|
normal|devel)
|
|
configure_normal
|
|
;;
|
|
secure|hard)
|
|
configure_normal
|
|
configure_secure
|
|
;;
|
|
* )
|
|
echo "`basename $0`:warning: CryptoNAS security level\
|
|
not specified; defaulting to \"secure\""
|
|
configure_normal
|
|
configure_secure
|
|
;;
|
|
esac
|
|
|
|
#FIXME: Not ideal to unconditionally return "SUCCESS"
|
|
exit 0
|