|
|
|
@ -14,34 +14,76 @@ set -eu
|
|
|
|
|
RUNTIMEDIR=/opt/dfsruntime/runtimerd
|
|
|
|
|
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
|
|
|
|
|
|
|
|
|
[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
|
|
|
|
|
|
|
|
|
|
######### devices ##########
|
|
|
|
|
# create tun device for running under qemu
|
|
|
|
|
if [ ! -e "$TUNDEV" ]
|
|
|
|
|
then mkdir -p `dirname "$TUNDEV"`
|
|
|
|
|
mknod "$TUNDEV" c 10 200
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
######### thttpd ###########
|
|
|
|
|
# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
|
|
|
|
|
sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
|
|
|
|
|
# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
|
|
|
|
|
sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
|
|
|
|
|
|
|
|
|
|
######### bashrc ###########
|
|
|
|
|
# remove dfshints from bashrc
|
|
|
|
|
sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
|
|
|
|
|
|
|
|
|
|
########## sshd ############
|
|
|
|
|
# allow empty passwords for ssh
|
|
|
|
|
# the daemon is NOT started automatically, so you have to start it
|
|
|
|
|
# manually in case of need - as the root pw is empty and passwd is ro, you
|
|
|
|
|
# have to allow empty passwords for this rare case
|
|
|
|
|
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
|
|
|
|
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
|
|
|
|
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
|
|
|
|
# allow nput of password
|
|
|
|
|
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
|
|
|
|
|
|
|
|
|
umount /proc
|
|
|
|
|
SECURITY_REMOVE_PACKAGES="ssh strace telnet unzip tar zip wget ppp pppconfig nvi nano gzip curl bzip2 aptitude tasksel pppoe pppoeconf"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function configure_normal()
|
|
|
|
|
# the usual stuff - not optimized for security
|
|
|
|
|
{
|
|
|
|
|
######### devices ##########
|
|
|
|
|
# create tun device for running under qemu
|
|
|
|
|
if [ ! -e "$TUNDEV" ]
|
|
|
|
|
then mkdir -p `dirname "$TUNDEV"`
|
|
|
|
|
mknod "$TUNDEV" c 10 200
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
######### thttpd ###########
|
|
|
|
|
# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
|
|
|
|
|
sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
|
|
|
|
|
# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
|
|
|
|
|
sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
|
|
|
|
|
|
|
|
|
|
######### bashrc ###########
|
|
|
|
|
# remove dfshints from bashrc
|
|
|
|
|
sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
|
|
|
|
|
|
|
|
|
|
if [ -e "/etc/ssh" ]; then
|
|
|
|
|
########## sshd ############
|
|
|
|
|
# allow empty passwords for ssh
|
|
|
|
|
# the daemon is NOT started automatically, so you have to start it
|
|
|
|
|
# manually in case of need - as the root pw is empty and passwd is ro, you
|
|
|
|
|
# have to allow empty passwords for this rare case
|
|
|
|
|
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
|
|
|
|
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
|
|
|
|
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
|
|
|
|
# allow nput of password
|
|
|
|
|
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function configure_secure()
|
|
|
|
|
# remove everything that could weaken security
|
|
|
|
|
# configure_normal should be called too!
|
|
|
|
|
{
|
|
|
|
|
# disable keyboard login
|
|
|
|
|
sed -i '/getty/d' /etc/inittab
|
|
|
|
|
|
|
|
|
|
# remove unnecessary packages
|
|
|
|
|
dpkg --force-all -P $SECURITY_REMOVE_PACKAGES
|
|
|
|
|
|
|
|
|
|
# remove development files
|
|
|
|
|
rm -f "$DEVELOPMENT_MARKER"
|
|
|
|
|
rm -f "$DEV_FEATURES_SCRIPT"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
################ main ####################
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ACTION=help
|
|
|
|
|
[ $# -gt 0 ] && ACTION=$1
|
|
|
|
|
|
|
|
|
|
case "$ACTION" in
|
|
|
|
|
normal )
|
|
|
|
|
configure_normal
|
|
|
|
|
;;
|
|
|
|
|
secure )
|
|
|
|
|
configure_secure
|
|
|
|
|
;;
|
|
|
|
|
* )
|
|
|
|
|
echo "Syntax: `basename $0` { normal | secure }"
|
|
|
|
|
echo
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|