#!/bin/sh # # Copyright (c) 02005 sense.lab # # License: This script is distributed under the terms of version 2 # of the GNU GPL. See the LICENSE file included with the package. # # $Id$ # # this script is part of the building process of the cryptobox # the "normal" action is necessary for every cryptobox (development & release) # the "secure" action is mandatory for every release CD # # called by: # - cbox-build.sh after copying custom files and before creating the iso image # set -eu # read the default setting file, if it exists [ -e /etc/default/cryptobox ] && . /etc/default/cryptobox # set CONF_FILE to default value, if not configured in /etc/default/cryptobox CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf} # parse config file . "$CONF_FILE" RUNTIMEDIR=/opt/dfsruntime/runtimerd TUNDEV=$RUNTIMEDIR/dev/net/tun REMOVE_PACKAGES="strace nvi nano vim vim-common unzip tar zip gzip bzip2 aptitude tasksel ssh elinks curl wget netkit-inetd telnet exim4-daemon-light exim4-config exim4-base ppp pppconfig pppoe pppoeconf" # remove rc symlinks for these services SERVICES_OFF="ssh samba setserial nviboot mountnfs ntpdate" function configure_normal() # the usual stuff - not optimized for security { ##### cryptobox settings ###### sed -i '/^NO_START=.*$/NO_START=0/' sed -i '/^SKIP_NETWORK_CONFIG=.*$/SKIP_NETWORK_CONFIG=0/' sed -i '/^EXEC_FIREWALL_RULES=.*$/EXEC_FIREWALL_RULES=1/' sed -i '/^USE_STUNNEL=.*$/USE_STUNNEL=1/' ########### boot up ########### # turn off creation of "/etc/nologin" (read-only fs) sed -i '/^DELAYLOGIN=/s/^DELAYLOGIN=.*$/DELAYLOGIN=no/' /etc/default/rcS # turn off modifying /etc/motd (read-only fs) sed -i '/^EDITMOTD=/s/^EDITMOTD=.*$/EDITMOTD=no/' /etc/default/rcS ######### devices ########## # create tun device for running under qemu if [ ! -e "$TUNDEV" ] then mkdir -p `dirname "$TUNDEV"` mknod "$TUNDEV" c 10 200 fi ######### thttpd ########### # change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf # change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...) sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf # the thttpd documentations says "nosymlinkcheck" instead of # "nosymlink" - TODO: "nosymlink" breaks "/cryptobox" URL!!! #sed -i "/symlink/d" /etc/thttpd/thttpd.conf #echo "nosymlink" >>/etc/thttpd/thttpd.conf ########## sshd ############ if [ -e "/etc/ssh" ]; then # allow empty passwords for ssh # the daemon is NOT started automatically, so you have to start it # manually in case of need - as the root pw is empty and passwd is ro, you # have to allow empty passwords for this rare case sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour) sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config # allow nput of password sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config fi # remove symlinks for unwanted services for a in $SERVICES_OFF; do # echo "Turning off service $a ..." find /etc/rc?.d/ -type l -name "[SK][0-9][0-9]$a" | while read b do rm "$b" done done return 0 } function configure_secure() # remove everything that could weaken security # configure_normal should be called too! { # disable keyboard login sed -i '/getty/d' /etc/inittab # remove unnecessary packages dpkg --force-all -P $REMOVE_PACKAGES 2>&1 | grep -v "which isn't installed." || true # remove the development features script [ -e "$DEV_FEATURES_SCRIPT" ] && rm -f "$DEV_FEATURES_SCRIPT" # maybe an authorized_keys file was created - but it is not dangerous, # as the openssh package was removed anyway [ -d /root/.ssh ] && rm -rf /root/.ssh ############## clean up ################ # remove deb-files, that were left by dfsbuild test -d /opt/packages && rm -r /opt/packages # remove packages and package lists rm -fr /var/cache/apt/ return 0 } ################ main #################### ACTION=help [ $# -gt 0 ] && ACTION=$1 case "$ACTION" in normal ) configure_normal ;; secure ) configure_secure ;; * ) echo "Syntax: `basename $0` { normal | secure }" echo ;; esac