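#!/bin/sh
# $Id: postinstall,v 3.77 2000/11/17 17:24:40 chouanar Exp $
#
#
# Author: Jean Chouanard
#
# *******************************************************************************************
#
# Copyright (c) 2000 Xerox Corporation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
#
# Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# Neither name of the Xerox, PARC, nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE XEROX CORPORATION OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# *******************************************************************************************
#
# Overview: postinstall step of the SECclean package. In order, it
#   - disables the startup scripts listed in $RC/$NRC and rewires the ones in
#     $RCCONF (plus rpc, and syslog on 5.8) to /etc/yassp.conf,
#   - saves the files listed in $SD/$SA and replaces the $SA ones with the
#     package's copies, keeping the package database in sync
#     (installf/removef),
#   - picks the OS-release and architecture specific files,
#   - runs the OS clean-up copied to $CLEANUPDIR.
# Exit status: 3 if closing $LPKG with removef fails, 2 if the final
# installf -f fails.
#
# The helpers called below (Disable_Init, RCconfized_*, Create_RCconf,
# Save_and_move_file, Install_file, Install_RC_file) are not defined in this
# file; presumably they come from cleanlib.sh. PKGSAV, PKGINST and BASEDIR
# are expected from the packaging environment, and CLEANUPDIR/SECBCK from one
# of the two sourced files - TODO confirm.
#
# The script relies on an echo that interprets "\n" and "\c" and uses
# backticks, so it must keep running under the system /bin/sh.
#
#
# Read the packages Utilities
#
. /opt/local/sbin/cleanlib.sh
#
# NOTE(review): TEMPO is a predictable, PID-based name under /tmp and is not
# referenced again in this script. If a cleanlib.sh helper writes to it as
# root, confirm the file is created safely (not following a pre-planted link).
TEMPO=/tmp/SECclean-tmp.$$
OS=`uname -r`

#
# Get the value of SA SD RC defined by the preinstall script and stored
#
. $PKGSAV/.PROC_Init_Var

############################################################################
#
# Now let's get real: The following lists of files are the files we want to
# remove/disable/modify. Each list should be exhaustive : the procedure will
# pass the files if it doesn't exist.
#
############################################################################

echo "The postinstall script is silently running. It may take a while"
echo "on slow machine. Just be patient"

# Restrict /var/cron to root and record the new mode in the package database;
# SUNWcsr is remembered in LPKG so that it gets closed with removef -f below.
chmod 0700 /var/cron
installf -c none SUNWcsr /var/cron d 0700 root sys
LPKG="SUNWcsr"

############################################################################
#
# Lets turn off the startup files
#
############################################################################
echo "\nDisabling Startup files: \c"
# $RC and $NRC are deliberately unquoted: they hold whitespace-separated lists.
for i in $RC $NRC
do
    echo "$i \c"
    Disable_Init $i
done

rm -f /var/SECclean_tmp/YASSP.conf
echo "\n\nModifying Startup files to use /etc/yassp.conf: \c"
for i in $RCCONF
do
    echo "$i \c"
    RCconfized_Init /etc/init.d/$i
done
#
# rpc is a special case as we do more
#
if [ -r /etc/init.d/rpc ] ; then
    echo "rpc \c"
    RCconfized_rpc /etc/init.d/rpc
fi

echo "\n\n\nCreating your default /etc/yassp.conf"
Create_RCconf

############################################################################
#
# Save the files we want to delete or replace
#
############################################################################
echo "\n\nSaving files: \c"
cp -p /etc/init.d/inetsvc /etc/init.d/inetsvc.SUN_Before_YASSP
cp -p /etc/init.d/inetinit /etc/init.d/inetinit.SUN_Before_YASSP
if [ -f /etc/init.d/network ] ; then
    cp -p /etc/init.d/network /etc/init.d/network.SUN_Before_YASSP
fi

for i in $SD $SA /etc/init.d/inetsvc /etc/init.d/inetinit /etc/init.d/network
do
    echo "$i \c"
    Save_and_move_file $i
done

#
# Specific for Solaris 8: the syslog startup script is modified so that
# syslogd runs without listening to the network by default.
#
# "${OS}" is quoted so that an empty value (failed uname) makes the test
# false instead of raising a test(1) syntax error.
if [ "${OS}" = "5.8" ] ; then
    echo "\n\nEnabling syslogd to run without listening to the network by default"
    RCconfized_syslogd /etc/init.d/syslog
fi

############################################################################
# Now lets close the package we have touched
############################################################################
echo "\n\nClosing the package we touched: \c"
for i in $LPKG
do
    echo "$i \c"
    removef -f $i || exit 3
done

############################################################################
# /etc/passwd file has a special attention: we don't want
# it to be missing! :-)
############################################################################
# Keep a copy of the current /etc/passwd in the package save area.
mkdir -p $PKGSAV/etc 1>/dev/null 2>&1
cp -p /etc/passwd $PKGSAV/etc/passwd
chgrp sys $PKGSAV/etc/passwd
# FILESAV="/etc/passwd $FILESAV"
#
# passwd must be manually done
#
# cp ${BASEDIR}/etc/SECclean_passwd /etc/passwd
# rm -f ${BASEDIR}/etc/SECclean_passwd
# /usr/sbin/removef $PKGINST ${BASEDIR}/etc/SECclean_passwd 1>/dev/null 2>&1
# chown root /etc/passwd
# chgrp sys /etc/passwd
# chmod 0644 /etc/passwd

#
# Deal with the binaries, arch dependent
#
ARCH=`uname -p`
echo "\n\nChoosing architecture dependent binaries:"
for i in /usr/sbin/noshell /opt/local/bin/md5
do
    # Promote the variant matching this processor type to the generic name.
    if [ -x "${i}_${ARCH}" ] ; then
        mv "${i}_${ARCH}" "${i}"
        echo "${i}_${ARCH} -> $i "
    fi
done

############################################################################
# We must now delete the files from the SECclean pkg
#
############################################################################
echo "\n\nUpdating SECclean package DB: \c"
for i in $SA /etc/shells
do
    echo "$i \c"
    DIRN=`dirname $i`
    FILEN=`basename $i`
    # Record fields 2, 4, 5 and 6 of the contents entry of the packaged copy
    # (presumably file type, mode, owner and group) before unregistering it.
    MODE=`grep "^${DIRN}/${PKGINST}_${FILEN} " /var/sadm/install/contents | awk '{print $2 " " $4 " " $5 " " $6}'`
    echo "$i ${MODE}" >> $PKGSAV/.${PKGINST}_REC
    /usr/sbin/removef $PKGINST ${BASEDIR}${DIRN}/${PKGINST}_${FILEN} 1>/dev/null 2>&1
done

# Unregister every OS-release specific startup script shipped by the package.
for f in inetsvc_5.6 inetsvc_5.7 inetsvc_5.8 \
         inetinit_5.6 inetinit_5.7 inetinit_5.8 network_5.8
do
    echo "/etc/init.d/${f} \c"
    /usr/sbin/removef $PKGINST ${BASEDIR}/etc/init.d/${f} 1>/dev/null 2>&1
done

#
# Deal with the binaries, arch dependent
#
for i in /usr/sbin/noshell /opt/local/bin/md5
do
    rm -f ${BASEDIR}${i}_sparc 1>/dev/null 2>&1
    rm -f ${BASEDIR}${i}_i386 1>/dev/null 2>&1
    echo "${i}_sparc \c"
    /usr/sbin/removef $PKGINST ${i}_sparc 1>/dev/null 2>&1
    echo "${i}_i386 \c"
    /usr/sbin/removef $PKGINST ${i}_i386 1>/dev/null 2>&1
done
#
echo "\n\nClosing SECclean DB"
/usr/sbin/removef -f $PKGINST

############################################################################
# Now, we can overwrite the files with the SECclean distribution files.
# We keep an original copy under the $PKGSAV directory so that postremove
# will be able to see if any modif has been done to the files
# if yes, it will backup them during the postremove phase
# MUST correspond to the $SA variable
#
############################################################################
echo "\nReplacing: \c"
for i in $SA
do
    echo "$i \c"
    Install_file $i
done

#
# Special case for the /etc/shells file: we install it *only*
# if it doesn't already exist
#
if [ -f /etc/shells ] ; then
    rm -f /etc/${PKGINST}_shells
else
    echo "/etc/shells \c"
    Install_file /etc/shells
fi

echo "\n\nChoosing the right startup files: /etc/init.d/inetsvc /etc/init.d/inetinit \c"
if [ -f "/etc/init.d/network_${OS}" ] ; then
    echo "/etc/init.d/network \c"
fi
echo "for your OS: Solaris $OS"

# NOTE(review): only the 5.6, 5.7 and 5.8 variants are referenced in this
# script. On any other release these mv calls fail and nothing checks it, so
# the Install_RC_file calls below would run without a replacement script.
mv "/etc/init.d/inetinit_${OS}" /etc/init.d/${PKGINST}_inetinit
mv "/etc/init.d/inetsvc_${OS}" /etc/init.d/${PKGINST}_inetsvc
if [ -f "/etc/init.d/network_${OS}" ] ; then
    mv "/etc/init.d/network_${OS}" /etc/init.d/${PKGINST}_network
fi

echo "\nReplacing Special startup files: /etc/init.d/inetsvc /etc/init.d/inetinit \c"
if [ -f /etc/init.d/${PKGINST}_network ] ; then
    echo "/etc/init.d/network \c"
fi
echo "and creating the symlink"

Install_RC_file etc/init.d/inetsvc /etc/rc0.d/K42inetsvc /etc/rc1.d/K42inetsvc /etc/rc2.d/S72inetsvc /etc/rcS.d/K42inetsvc
Install_RC_file etc/init.d/inetinit /etc/rc0.d/K43inet /etc/rc1.d/K43inet /etc/rc2.d/S69inet /etc/rcS.d/K43inet
if [ -f /etc/init.d/${PKGINST}_network ] ; then
    Install_RC_file etc/init.d/network /etc/rcS.d/S30network.sh
fi

rm -f /etc/init.d/inetinit_5.[678] /etc/init.d/inetsvc_5.[678] /etc/init.d/network_5.8 1>/dev/null 2>&1

#
# Register the architecture dependent binaries
#
echo "\n\nRegistrating binaries : \c"
if [ -x /usr/sbin/noshell ] ; then
    /usr/sbin/installf -c none $PKGINST /usr/sbin/noshell f 0755 root root 1>/dev/null 2>&1
    echo "/usr/sbin/noshell \c"
fi
if [ -x /opt/local/bin/md5 ] ; then
    /usr/sbin/installf -c none $PKGINST /opt/local/bin/md5 f 0755 root root 1>/dev/null 2>&1
    echo "/opt/local/bin/md5 \c"
fi
echo "for your architecture: $ARCH"

#
# And then, close
#
echo "\nClosing again SECclean DB"
/usr/sbin/installf -f $PKGINST || exit 2

#
# Specific for Solaris 8, as the file system changed, priority paging is not needed
# in the /etc/system file and should be removed.
#
if [ "${OS}" = "5.8" ] ; then
    echo "tuning /etc/system to comment out priority_paging"
    rm -f /var/SECclean_tmp/system
    # Only overwrite /etc/system when sed succeeded and left a non-empty
    # result. Without this check, a failed redirection or sed (missing
    # directory, full file system) let the cat below truncate /etc/system.
    # NOTE(review): fixed path; this assumes /var/SECclean_tmp is a directory
    # only root can write to, created earlier in the install - confirm.
    if sed -e 's/set priority_paging=1/* NOT NEEDED ON Solaris 8: set priority_paging=1/' /etc/system > /var/SECclean_tmp/system \
        && [ -s /var/SECclean_tmp/system ] ; then
        cat /var/SECclean_tmp/system > /etc/system
    else
        echo "WARNING: could not rewrite /etc/system, file left unchanged" >&2
    fi
    rm -f /var/SECclean_tmp/system
fi

#
# Create the logs files
#
# NOTE(review): files that do not exist yet are created here with the umask
# inherited from the installer; "umask 077" is only set further down. Confirm
# the resulting modes are the intended ones for these logs.
touch /var/log/kernlog /var/log/userlog /var/log/maillog /var/log/daemonlog /var/log/lprlog /var/log/newslog /var/log/cronlog /var/log/local0log /var/log/local2log /var/log/local5log /var/log/alertlog

echo "\n\n"
/opt/local/sbin/clean_passwd doit

#
# Last part: doing the clean-up and fix-modes
#
umask 077
# The package database lock file is moved aside while the clean-up runs and
# put back afterwards.
mv /var/sadm/install/.lockfile /var/sadm/install/.lockfile-SECclean

if [ -z "${CLEANUPDIR}" ] ; then
    # With an empty CLEANUPDIR the commands below would test, copy to and
    # execute paths at the file-system root (/install.sh) as root.
    echo "CLEANUPDIR is not set: skipping the OS Clean-up" >&2
elif [ -x "${CLEANUPDIR}/install.sh" -a -f "${CLEANUPDIR}/clean_up.log" ] ; then
    echo "Skiping clean-up as it was already done"
else
    #
    # Be sure the directory do not exist
    #
    timestamp="`date +%Y.%m.%d-%H.%M.%S`"
    if mv -f "${CLEANUPDIR}" "${CLEANUPDIR}.Before_${timestamp}" 1>/dev/null 2>&1 ; then
        echo "Renamed the old ${CLEANUPDIR} as ${CLEANUPDIR}.Before_${timestamp}"
    fi
    cp -rp /opt/local/bin/clean-up "${CLEANUPDIR}"
    echo "Doing the OS Clean-up"
    /bin/sh "${CLEANUPDIR}/install.sh"
fi
mv /var/sadm/install/.lockfile-SECclean /var/sadm/install/.lockfile

if [ -x /usr/lib/makewhatis ] ; then
    echo "Running /usr/lib/makewhatis /opt/local/man"
    /usr/lib/makewhatis /opt/local/man
fi

echo "\n\n ======================================================"
echo " SECclean installation has finished."
echo " Changes to the file-system and package database are documented in:"
echo " /var/sadm/clean-up/clean_up.log"
echo " All changed or replaced files are archived in"
echo " ${SECBCK}"
echo " If crontabs for the users:"
echo " lp adm uucp root"
echo " exists, they have been deleted. Please, re-enable manually the entries needed"
echo " Backup for the crontab files are under:"
echo " ${SECBCK}/var/spool/cron/crontabs/"
echo " To finish hardening, this host must be rebooted."
echo " However, you should first check that /etc/yassp.conf is configured"
echo " to your requirements. See also yassp(1) and yassp.conf(4)."
echo "\n ======================================================"
echo ""

# **********************************************************
# $Log: postinstall,v $
# Revision 3.77 2000/11/17 17:24:40 chouanar
# md5 moved from sbin to bin
#
# Revision 3.76 2000/11/17 16:33:50 chouanar
# Grammar
#
# Revision 3.75 2000/11/17 07:32:28 chouanar
# *** empty log message ***
#
# Revision 3.74 2000/11/17 06:42:53 chouanar
# *** empty log message ***
#
# Revision 3.73 2000/11/16 23:05:46 chouanar
# *** empty log message ***
#
# Revision 3.72 2000/11/16 23:05:02 chouanar
# *** empty log message ***
#
# Revision 3.71 2000/11/16 20:56:03 chouanar
# md5 binary was not registered correctly
#
# Revision 3.70 2000/11/16 20:20:55 chouanar
# rpc startup script
#
# Revision 3.69 2000/11/14 23:34:15 chouanar
# *** empty log message ***
#
# Revision 3.68 2000/11/14 23:25:26 chouanar
# *** empty log message ***
#
# Revision 3.67 2000/11/14 17:38:49 chouanar
# *** empty log message ***
#
# Revision 3.66 2000/11/12 00:47:51 chouanar
# *** empty log message ***
#
# Revision 3.65 2000/11/11 01:22:32 chouanar
# *** empty log message ***
#
# Revision 3.64 2000/11/10 22:26:55 chouanar
# *** empty log message ***
#
# Revision 3.63 2000/11/10 21:31:37 chouanar
# syslog startup script pkg unregistration
#
# Revision 3.62 2000/11/10 17:55:48 chouanar
# syslog startup script again
#
# Revision 3.61 2000/11/10 00:47:47 chouanar
# add save_and_move of syslog startup script
#
# Revision 3.60 2000/11/08 00:09:48 chouanar
# add the special case for syslogd on Solaris 8 to run it without listening to the network by default
# add binaries (noshell and md5) for i386 and sparc and handle it correctly
#
# Revision 3.59 2000/07/20 20:46:11 chouanar
# typo
#
# Revision 3.58 2000/07/18 23:50:13 chouanar
# license
#
# Revision 3.57 2000/07/18 23:05:16 chouanar
# On Solaris 8, no priority_paging should be used in /etc/system
#
# Revision 3.56 2000/07/07 23:23:08 chouanar
# corrected the bug reported by Paolo Pugliese for replaced files:
# the type of the file was always 'f' (file)
# We must save the pkg info associated with the file ${PKGINST}_file and use it when we do
# the installf of the file.
#
# move the echo msg of what's needed to be done at the end of the installation
#
# Revision 3.55 2000/07/06 17:04:43 chouanar
# corrected the /var/sadm/install/.lockfile move before running fix-mode
#
# Revision 3.54 2000/07/04 22:54:19 chouanar
# typo
# reported by Sweth Chandramouli
#
# Revision 3.53 2000/07/04 17:51:53 chouanar
# license
#
# Revision 3.52 2000/06/26 18:39:19 chouanar
# change the log message at the end
#
# Revision 3.51 2000/06/26 15:12:13 chouanar
# test that makewhatis exist and is executable before running it
#
# Revision 3.50 2000/06/26 14:55:41 chouanar
# always run the makewhatis
#
# Revision 3.49 2000/06/26 14:54:10 chouanar
# add a makewhatis if the index exist
#
# Revision 3.48 2000/06/26 05:50:38 chouanar
# typo in last checkin
#
# Revision 3.47 2000/06/26 05:18:43 chouanar
# typo on the test to see if cleanup was already installed
# do not be verbose about the files saved on the pkg save directory as the pre-install backed-up all of them in user space
#
# Revision 3.46 2000/06/26 03:27:48 chouanar
# - copy in $CLEANUPDIR the OS clean-up (fix-modes + OS dependents
# package DB correction) and execute them now that it is part of
# SECclean
#
# Revision 3.45 2000/06/23 20:57:18 chouanar
# We must treat /etc/shells as an exception as we don't want to overwrite it
# It will be installed *only* if it doesn't already exist.
#
# Revision 3.44 2000/06/23 17:38:40 chouanar
# Move the variable def (NRC RCCONF SD SA) to the preinstall script so it can do the pre-backup
#
# Revision 3.43 2000/06/14 05:37:16 chouanar
# corrected /etc/default/passwd (Repported by Susan Ng )
#
# Revision 3.42 2000/05/30 23:05:49 chouanar
# add /etc/.login
#
# Revision 3.41 2000/05/25 17:01:23 chouanar
# rc.conf -> yassp.conf
#
# Revision 3.40 2000/05/23 21:00:06 chouanar
# Install_RC_file etc/init.d/network only if /etc/init.d/${PKGINST}_network exist! (i.e. SOlaris 8)
#
# Revision 3.39 2000/05/22 18:56:30 chouanar
# corrected the installf for /usr/sbin/noshell
#
# Revision 3.38 2000/05/22 05:14:43 chouanar
# add no_shell depending on the architecture
#
# Revision 3.37 2000/05/21 17:13:15 chouanar
# We keep the sys crontab is it does exist
#
# Revision 3.36 2000/05/19 23:42:24 chouanar
# init.wbem is the name of the startup script for cimomboot, not cimomboot
#
# Revision 3.35 2000/05/19 23:38:34 chouanar
# add the 'touch' on the logs files used by the default syslog.conf
#
# Revision 3.34 2000/05/19 21:51:16 chouanar
# add the replacement of /etc/syslog.conf
#
# Revision 3.33 2000/05/19 21:08:52 chouanar
# Add Solaris 8 support
#
# Revision 3.32 2000/05/16 20:18:10 chouanar
# Add the correct removal for the etc/init.d/inet[inet|svc]_5.[678]
#
# Revision 3.31 2000/05/10 00:06:53 chouanar
# removed some duplicate on the startup script.
#
# Revision 3.30 2000/04/20 23:07:25 chouanar
# add some 2.8 startup files to be disable
#
# Revision 3.29 2000/04/12 04:47:49 chouanar
# *** empty log message ***
#
# Revision 3.28 2000/04/12 04:47:05 chouanar
# y
#
# Revision 3.27 2000/04/12 04:43:37 chouanar
# *** empty log message ***
#
# Revision 3.26 2000/04/12 03:59:18 chouanar
# *** empty log message ***
#
# Revision 3.25 2000/04/11 22:47:36 chouanar
# corrected the installf for /var/cron
#
# Revision 3.24 2000/04/11 22:16:07 chouanar
# rpc is sed-ed only, as we need to modify the keyserv call too
#
# Revision 3.23 2000/04/11 20:32:46 chouanar
# add the chmod of /var/cron
#
# Revision 3.22 2000/04/11 00:39:16 chouanar
# *** empty log message ***
#
# Revision 3.21 2000/04/11 00:38:41 chouanar
# *** empty log message ***
#
# Revision 3.20 2000/04/11 00:38:06 chouanar
# add etc/skel/local.profile and etc/skel/local.cshrc
#
# Revision 3.19 2000/04/10 23:36:09 chouanar
# add /etc/default/sys-suspend
#
# Revision 3.18 2000/03/16 02:56:40 chouanar
# echo output correction (path missing)
#
# Revision 3.17 2000/03/16 02:25:35 chouanar
# Move *all* startup file to be managed by yassp.conf
#
# Revision 3.16 2000/03/16 01:38:13 chouanar
# typos
#
# Revision 3.15 2000/03/15 21:55:17 chouanar
# unresgister properly the inet[svc|init]_5.[67]
#
# Revision 3.14 2000/03/15 21:51:19 chouanar
# New inetsvc and inetinit which are system dependent
#
# Revision 3.13 2000/03/15 06:55:29 chouanar
# add /etc/default/password wich will reset the required length to 8 chars for any passwords.
#
# Revision 3.12 2000/03/08 05:57:13 chouanar
# autofs was in RC and RCCONF
#
# Revision 3.11 2000/03/07 00:20:33 chouanar
# add the new scheme for managine the startup files through rc.conf and be much more verbose
#
# Revision 3.10 2000/03/05 20:52:25 chouanar
# add /etc/motd replacement
#
# Revision 3.9 2000/02/19 18:42:29 chouanar
# add devfsadm (new to 2.7 HW release)
#
# Revision 3.8 1999/12/23 01:52:53 chouanar
# the installf for the passwd file was not correct
#
# Revision 3.7 1999/08/12 20:17:29 chouanar
# echoing a warming to ask people to be patient :-)
#
# Revision 3.6 1999/07/30 15:52:17 chouanar
# typo
#
# Revision 3.5 1999/07/19 18:17:06 chouanar
# Various small correction and add /etc/dfs/dfstab to be removed
#
# Revision 3.4 1999/03/19 05:53:24 chouanar
# /etc/SECclean_passwd was left behind
#
# Revision 3.3 1999/03/16 06:45:09 chouanar
# correction for the restore of passwd and inet[svc|init] PKGinfo
#
# Revision 3.2 1999/03/15 21:20:21 chouanar
# Correction for the SECclean RC files not removed from SECclean
#
# Revision 3.1 1999/03/15 05:28:57 chouanar
# First version with the new PARCpkgu
#
# Revision 3.0 1999/03/14 23:16:04 chouanar
# new SECclean, Compatible 2.[67], using the new PARCpkgu
#
#
#
# ############################################################################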