#!/bin/sh
#
# this script is part of the building process of the cryptobox
#
# called by:
#	- cbox-build.sh after copying custom files and before creating the iso image
#

set -eu

# parse config file
. /etc/cryptobox/cryptobox.conf

RUNTIMEDIR=/opt/dfsruntime/runtimerd
TUNDEV=$RUNTIMEDIR/dev/net/tun

SECURITY_REMOVE_PACKAGES="ssh strace telnet unzip tar zip wget ppp pppconfig nvi nano gzip curl bzip2 aptitude tasksel pppoe pppoeconf elinks"


function configure_normal()
# the usual stuff - not optimized for security
{
	######### devices ##########
	# create tun device for running under qemu
	if [ ! -e "$TUNDEV" ]
		then	mkdir -p `dirname "$TUNDEV"`
			mknod "$TUNDEV" c 10 200
	  fi

	######### thttpd ###########
	# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
	sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
	# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
	sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf

	######### bashrc ###########
	# remove dfshints from bashrc
	sed -i "/^dfshints$/d" "$RUNTIMEDIR/root/.bashrc"

	########### TERM ###########
	# set a usable default
	sed -i '/^export TERM=/d' "$RUNTIMEDIR/root/.profile"
	echo 'export TERM=vt100' >>"$RUNTIMEDIR/root/.profile"

	########## sshd ############
	if [ -e "/etc/ssh" ]; then
	    # allow empty passwords for ssh
	    #  the daemon is NOT started automatically, so you have to start it
	    #  manually in case of need - as the root pw is empty and passwd is ro, you
	    #  have to allow empty passwords for this rare case
	    sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
	    # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
	    sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
	    # allow nput of password
	    sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
	  fi
}


function configure_secure()
# remove everything that could weaken security
# configure_normal should be called too!
{
	# disable keyboard login
	sed -i '/getty/d' /etc/inittab
	
	# remove unnecessary packages
	dpkg --force-all -P $SECURITY_REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed."

	# remove the development features script
	rm -f "$DEV_FEATURES_SCRIPT"

	# maybe an authorized_keys file was created - but it is not dangerous,
	# as the openssh package was removed anyway
	rm -rf /root/.ssh
}


################ main ####################


ACTION=help
[ $# -gt 0 ] && ACTION=$1

case "$ACTION" in
	normal )
		configure_normal
		;;
	secure )
		configure_secure
		;;
	* )
		echo "Syntax: `basename $0` { normal | secure }"
		echo
		;;
  esac