From 4401e2458f8fb3fd61aa350653fac524cc9efeaa Mon Sep 17 00:00:00 2001
From: asmeron
Date: Wed, 14 May 2025 16:40:09 +0600
Subject: [PATCH] Fix and rewrite AUDITD

---
 ublinux/functions | 14 +-
 ublinux/rc.desktop/all/autoexec | 12 +-
 ublinux/rc.halt.pre/20-grub | 4 +-
 ublinux/rc.halt.pre/25-accounts-sync | 18 +-
 ublinux/rc.local.d/20-pwgr-check | 4 +-
 ublinux/rc.local.d/43-repository | 4 +-
 ublinux/rc.local.d/98-ubpile | 18 +-
 ublinux/rc.network.d/10-network | 4 +-
 ublinux/rc.pamsession.d/01-placeondesktop | 14 +-
 ublinux/rc.post.d/10-brand-backgrounds | 6 +-
 ublinux/rc.post.d/42-access-suid-sgid | 4 +-
 ublinux/rc.post.d/45-disk-quota | 16 +-
 ublinux/rc.post.d/46-cgroup-quota | 11 +-
 ublinux/rc.preinit.d/10-system | 2 +-
 ublinux/rc.preinit.d/20-services | 169 +++++++++++-------
 ublinux/rc.preinit.d/23-realmd | 8 +-
 ublinux/rc.preinit.d/24-logging | 135 +++++++++-----
 ublinux/rc.preinit.d/40-authpam | 3 +-
 ublinux/rc.preinit.d/58-access-login | 2 +-
 ublinux/rc.preinit.d/60-lightdm-settings | 10 +-
 .../rc.preinit.d/80-server-containers-storage | 2 +-
 ublinux/rc.preinit/10-accounts | 66 +++---
 ublinux/scripts/grub-functions | 11 +-
 ublinux/templates/ublinux-data.ini | 41 +++--
 24 files changed, 350 insertions(+), 228 deletions(-)

diff --git a/ublinux/functions b/ublinux/functions
index 1f90c93..8029b39 100755
--- a/ublinux/functions
+++ b/ublinux/functions
@@ -135,7 +135,7 @@ globalconf_convert_pass_plain_to_hash(){
 [[ -n ${HASHPASSWD} ]] || HASHPASSWD=$(/usr/bin/ubconfig --raw --default get users HASHPASSWD)
 [[ -n ${HASHPASSWD} && ${HASHPASSWD} != "(null)" ]] || HASHPASSWD='yescrypt'
 if [[ -n ${PARAM} ]]; then
- [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval ${PARAM%%=*}=${PARAM#*=}
+ [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}"
 else
 SOURCE=${SYSCONF}/users; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
 SOURCE=${SYSCONF}/.users_credential; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
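Review bot: The new guard on the `+` line only constrains the name before `[`; the subscript part `"[".*"]="` accepts anything between the brackets, including `$(...)`, backticks and `${...}`, and once `eval` re-parses the string those substitutions inside the subscript are expanded. An allowlist of the key characters this patch's own examples use would close that, e.g. `[[ ${PARAM} =~ ^[[:alnum:]_]+("="|"["[[:alnum:]_.,:/@-]+"]=") ]]` (constructed; widen it if other keys are in use). The same regex is introduced in the autoexec, 25-accounts-sync, 98-ubpile, 01-placeondesktop, 46-cgroup-quota, 20-services and 23-realmd hunks, so whatever pattern is settled on is best kept in one helper in this file rather than copied eight times. globalconf_convert_pass_plain_to_hash starts and ends outside the hunk.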
@@ -1546,11 +1546,13 @@ ubconfig_exec_system(){
 ;;
 "[${SYSCONF}/logging]"|"[logging]")
 case "${NAME_VAR}" in
- AUDITD\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_auditd "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
+ AUDITD) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_auditd "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 setsid ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_auditd_live & ;;
- JOURNALD\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_journald "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
+ AUDITD\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_auditd "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
+ setsid ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_auditd_live & ;;
+ JOURNALD\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_journald "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 setsid ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_journald_live & ;;
- LOGROTATE\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_logrotate "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
+ LOGROTATE\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_logrotate "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}"
 setsid ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_logrotate_live "${NAME_VAR}" & ;;
 SYSTEMD_COREDUMP\[*\]) ${ROOTFS}/usr/lib/ublinux/rc.preinit.d/24-logging exec_systemd_coredump "${COMMAND_MODE_VAR}" "${NAME_VAR}=${VALUE_VAR}" ;;
 *) NO_FIND_EXCUTE=1 ;;
@@ -1662,8 +1664,8 @@ ubconfig_exec_system(){
 done < <(declare -F | grep "declare -f exec_")
 else
 while [[ $# -gt 0 ]]; do
- [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; }
- shift
+ [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
+ shift
 done
 eval ${FUNCTION#*; }
 fi
diff --git a/ublinux/rc.desktop/all/autoexec b/ublinux/rc.desktop/all/autoexec
index 3f7061e..06edda6 100755
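Review bot: The added `AUDITD)` arm and the re-added `AUDITD\[*\])` arm carry byte-identical bodies, so they can be a single pattern list, `AUDITD|AUDITD\[*\])`, followed by the same two lines. Two copies invite the bodies drifting apart the next time the 24-logging entry points change, and the reader has to diff them to confirm they are the same. ubconfig_exec_system starts and ends outside the hunk.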
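Review bot: `'${1//\'/}'` on the new line silently deletes every single quote from an argument before wrapping it in single quotes for `eval`, so a value that legitimately contains an apostrophe (the sample rule text `machine panic's` in the 24-logging hunk is one, should such a value ever travel through this path) reaches the function altered and nobody is told. `printf %q` yields an eval-safe rendering without dropping characters: `FUNCTION+=" $(printf '%q' "${1}")"`. The same substitution is repeated in the 20-grub, 25-accounts-sync, 20-pwgr-check, 43-repository, 98-ubpile, 10-network, 01-placeondesktop, 42-access-suid-sgid, 10-system, 20-services and 23-realmd hunks, so one shared helper would keep them in step. The `declare -f "${1}"` test still turns any argument that merely equals an existing function name into a call; a comment such as `# bare function names become calls; everything else is passed as a quoted argument` would make that contract explicit. ubconfig_exec_system starts and ends outside the hunk.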
--- a/ublinux/rc.desktop/all/autoexec +++ b/ublinux/rc.desktop/all/autoexec @@ -12,7 +12,11 @@ SOURCE=${SYSCONF}/desktop; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null # ARG1: AUTOEXEC[user-1,@wheel]="xbindkeys;kde:yakuake;gnome:guake;xfce:plank.desktop,xterm;lxde:guake" exec_autoexec_set(){ local PARAM="$@" - [[ -n ${PARAM} ]] && declare -A AUTOEXEC && eval "${PARAM%%=*}='${PARAM#*=}'" + if [[ -n ${PARAM} ]]; then + local AUTOEXEC= + declare -A AUTOEXEC=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" + fi [[ -n ${AUTOEXEC[@]} ]] || return CURRENT_DE=$(detectDE) for ITEM_UNIT in "${!AUTOEXEC[@]}"; do @@ -27,8 +31,8 @@ exec_autoexec_set(){ if [[ -n ${IS_EXEC} ]]; then while read DE_CMD; do FIND_DE=${DE_CMD%%:*} - FIND_CMD=${DE_CMD#*:} - [[ ${FIND_DE} != ${FIND_CMD} && ${FIND_DE} != ${CURRENT_DE} ]] && continue + FIND_CMD=${DE_CMD#*:} + [[ ${FIND_DE} != ${FIND_CMD} && ${FIND_DE} != ${CURRENT_DE} ]] && continue [[ -z ${FIND_CMD} ]] || while read EXEC_CMD; do cd ${HOME} if [[ ${EXEC_CMD} =~ ".desktop"$ ]]; then @@ -40,7 +44,7 @@ exec_autoexec_set(){ fi done < <(echo "${FIND_CMD}" | tr ',' \\n) done < <(echo "${AUTOEXEC[${ITEM_UNIT}]}" | tr ';' \\n) - fi + fi done } diff --git a/ublinux/rc.halt.pre/20-grub b/ublinux/rc.halt.pre/20-grub index 7019419..821a799 100755 --- a/ublinux/rc.halt.pre/20-grub +++ b/ublinux/rc.halt.pre/20-grub @@ -218,8 +218,8 @@ exec_grub_kernel_boot(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.halt.pre/25-accounts-sync b/ublinux/rc.halt.pre/25-accounts-sync index 3818866..4411cfb 100755 --- a/ublinux/rc.halt.pre/25-accounts-sync +++ b/ublinux/rc.halt.pre/25-accounts-sync 
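Review bot: The guard in exec_autoexec_set admits any `NAME=` or `NAME[key]=` form, so `exec_autoexec_set FOO=bar` passes the check and the `eval` assigns something other than the freshly declared `AUTOEXEC`; because that assignment carries no `local`, it lands in the caller's scope as a global (or clobbers a caller's local of the same name). Anchoring the pattern to the one variable this function owns, `[[ ${PARAM} =~ ^AUTOEXEC"[".*"]=" ]]`, keeps the eval from touching anything else. The other functions adopting this guard in the patch (25-accounts-sync, 98-ubpile, 01-placeondesktop, 46-cgroup-quota, 20-services, 23-realmd) each know their own variable name and could pin it the same way. exec_autoexec_set ends outside this hunk.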
@@ -99,9 +99,9 @@ exec_useradd_sync(){ [[ -n ${COMMAND} ]] || COMMAND="set=" local PARAM="$@" if [[ -n ${PARAM} ]]; then - unset USERADD_SYNC - declare -A USERADD_SYNC - [[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local USERADD_SYNC= + declare -A USERADD_SYNC=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi while IFS= read -u3 SELECT_USERADD_SYNC; do if [[ ${SELECT_USERADD_SYNC} == 'shutdown@all' ]]; then @@ -161,9 +161,9 @@ exec_groupadd_sync(){ [[ -n ${COMMAND} ]] || COMMAND="set=" local PARAM="$@" if [[ -n ${PARAM} ]]; then - unset GROUPADD_SYNC - declare -A GROUPADD_SYNC - [[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local GROUPADD_SYNC= + declare -A GROUPADD_SYNC=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi # Если синхронизируем группы по шаблону, то удалим все группы из глобальной конфигурации if [[ ${USERADD_SYNC} =~ 'shutdown' ]]; then @@ -185,7 +185,7 @@ exec_groupadd_sync(){ if [[ "$(declare -p GROUPADD_SYNC 2>/dev/null)" == "declare -A"* ]]; then while IFS= read -u3 SELECT_GROUP; do # В массиве 0 запись игнорируем, т.к. это параметр не ассоциативного массива - if [[ ${SELECT_GROUP} != 0 && ${GROUPADD_SYNC[${SELECT_GROUP}]} =~ 'shutdown' ]]; then + if [[ ${SELECT_GROUP} != 0 && ${GROUPADD_SYNC[${SELECT_GROUP}]} =~ 'shutdown' ]]; then set_ubconfig "${SELECT_GROUP}" fi done 3< <(printf "%s\n" "${!GROUPADD_SYNC[@]}") @@ -206,8 +206,8 @@ exec_groupadd_sync(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.local.d/20-pwgr-check b/ublinux/rc.local.d/20-pwgr-check index 5dda413..2d9c4c2 100755 
--- a/ublinux/rc.local.d/20-pwgr-check +++ b/ublinux/rc.local.d/20-pwgr-check @@ -52,8 +52,8 @@ exec_check_user_group(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.local.d/43-repository b/ublinux/rc.local.d/43-repository index 51d5d05..4cecca8 100755 --- a/ublinux/rc.local.d/43-repository +++ b/ublinux/rc.local.d/43-repository @@ -616,8 +616,8 @@ exec_remove_duplicated_pacman(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.local.d/98-ubpile b/ublinux/rc.local.d/98-ubpile index 882a263..8bf1d06 100755 --- a/ublinux/rc.local.d/98-ubpile +++ b/ublinux/rc.local.d/98-ubpile @@ -49,8 +49,8 @@ exec_01_ubpile_db(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local UBPILE= - declare -A UBPILE - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A UBPILE=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi [[ -n ${UBPILE_DB[0]} ]] && case ${UBPILE_DB[0]} in fs) FILE_STORAGE_DB_TAMPLATE=${PATH_STORAGE_DB_TAMPLATE}/storage.fs.json ;; @@ -126,7 +126,7 @@ exec_02_ubpile(){ clean_db(){ [[ -n ${UBPILE_DB[0]} ]] || local UBPILE_DB="fs" case ${UBPILE_DB[0]} in - fs) + fs) [[ -d ${PATH_UBPILE}/data ]] && rm -rdf ${PATH_UBPILE}/data ;; sqlite) 
@@ -160,8 +160,8 @@ exec_02_ubpile(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local UBPILE= - declare -A UBPILE - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A UBPILE=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ ${#UBPILE[@]} != 0 ]]; then local STRING_ARG_CONF= @@ -254,7 +254,7 @@ exec_03_ubpile_reverse_proxy(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local UBPILE_REVERSE_PROXY= - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ -n ${UBPILE_REVERSE_PROXY} ]]; then if [[ ${UBPILE_REVERSE_PROXY} == @(disable|no) ]]; then @@ -276,7 +276,7 @@ exec_03_ubpile_reverse_proxy(){ elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then [[ -f ${UBPILE_CONF_JSON} ]] && UBPILE_PORT=$(jq '.WebServer.http_port' ${UBPILE_CONF_JSON}) [[ $(declare -p UBPILE 2>/dev/null) =~ "declare -A" && -n ${UBPILE[web_direct_connect]} ]] && { ubconfig remove [server] UBPILE[web_direct_connect]; RESTART_UBPILE=yes; } - [[ $(declare -p UBPILE 2>/dev/null) =~ "declare -A" && -n ${UBPILE[base_app_url]} ]] && { ubconfig remove [server] UBPILE[base_app_url]; RESTART_UBPILE=yes; } + [[ $(declare -p UBPILE 2>/dev/null) =~ "declare -A" && -n ${UBPILE[base_app_url]} ]] && { ubconfig remove [server] UBPILE[base_app_url]; RESTART_UBPILE=yes; } stop_haproxy fi [[ -n ${RESTART_UBPILE} && -n ${APP_UBPILE} ]] && { systemctl --quiet is-active ubpile.service &>/dev/null && systemctl --quiet restart ubpile.service &>/dev/null; message_motd; } 
@@ -312,8 +312,8 @@ message_motd(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.network.d/10-network b/ublinux/rc.network.d/10-network index a85d179..5e80251 100755 --- a/ublinux/rc.network.d/10-network +++ b/ublinux/rc.network.d/10-network @@ -108,8 +108,8 @@ exec_network(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.pamsession.d/01-placeondesktop b/ublinux/rc.pamsession.d/01-placeondesktop index 48fac89..c26c166 100755 --- a/ublinux/rc.pamsession.d/01-placeondesktop +++ b/ublinux/rc.pamsession.d/01-placeondesktop @@ -69,9 +69,9 @@ exec_02_place_on_desktop_init(){ [[ $(declare -p APPDESKTOP_PLACEONDESKTOP_INIT 2>/dev/null) =~ ^"declare -A" ]] || declare -gA APPDESKTOP_PLACEONDESKTOP_INIT local PARAM="$@" if [[ -n ${PARAM} ]]; then - local APPDESKTOP_PLACEONDESKTOP_INIT - declare -A APPDESKTOP_PLACEONDESKTOP_INIT - [[ ${PARAM%%=*} =~ [!\$%\&()*+/\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local APPDESKTOP_PLACEONDESKTOP_INIT= + declare -A APPDESKTOP_PLACEONDESKTOP_INIT=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ ${#APPDESKTOP_PLACEONDESKTOP_INIT[@]} -ne 0 ]]; then local ID_GROUPS= SELECT_USER_HOME= 
@@ -170,9 +170,9 @@ exec_03_place_on_desktop(){ [[ $(declare -p APPDESKTOP_PLACEONDESKTOP 2>/dev/null) =~ ^"declare -A" ]] || declare -gA APPDESKTOP_PLACEONDESKTOP local PARAM="$@" if [[ -n ${PARAM} ]]; then - local APPDESKTOP_PLACEONDESKTOP - declare -A APPDESKTOP_PLACEONDESKTOP - [[ ${PARAM%%=*} =~ [!\$%\&()*+/\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local APPDESKTOP_PLACEONDESKTOP= + declare -A APPDESKTOP_PLACEONDESKTOP=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ ${#APPDESKTOP_PLACEONDESKTOP[@]} -ne 0 ]]; then local ID_GROUPS= SELECT_USER_HOME= @@ -392,7 +392,7 @@ remove_desktop(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } shift done eval ${FUNCTION#*; } diff --git a/ublinux/rc.post.d/10-brand-backgrounds b/ublinux/rc.post.d/10-brand-backgrounds index 4854e18..0b96159 100755 --- a/ublinux/rc.post.d/10-brand-backgrounds +++ b/ublinux/rc.post.d/10-brand-backgrounds @@ -100,11 +100,11 @@ SOURCE=${SYSCONF}/video; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null shadow_level="175" # Степень затенения обоев рабочего стола в %, где 100 - исходная яркость, <100 - светлее, >100 - темнее declare -A MONITORS RESOLUTION= - + # Функция получения всех видеовыходов с максимальными разрешениями -# В теле основном: +# В теле основном: # declare -A MONITORS -# Входной параметр: имя переменной массива +# Входной параметр: имя переменной массива # get_max_resolution "MONITORS" # Выходной параметр: заполненный массив, вида # card0-HDMI-A-1:1920x2000 diff --git a/ublinux/rc.post.d/42-access-suid-sgid b/ublinux/rc.post.d/42-access-suid-sgid index 764d82f..deae2ed 100755 --- a/ublinux/rc.post.d/42-access-suid-sgid +++ b/ublinux/rc.post.d/42-access-suid-sgid 
@@ -53,8 +53,8 @@ exec_access_allowed_sgid(){ # declare -f ${FUNCTION} &>/dev/null && ${FUNCTION} # done while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.post.d/45-disk-quota b/ublinux/rc.post.d/45-disk-quota index 9f8e44d..6213776 100755 --- a/ublinux/rc.post.d/45-disk-quota +++ b/ublinux/rc.post.d/45-disk-quota @@ -39,8 +39,8 @@ SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null #DISK_QUOTA[quota:/dev/sda4]=clean ## Назначение квот на дисковые ресурсы -## Может принимать входящий параметр: -## exec_disk_quota DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0 DISK_QUOTA[usrquota:/dev/sdc2]=enable +## Может принимать входящий параметр: +## exec_disk_quota DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0 DISK_QUOTA[usrquota:/dev/sdc2]=enable exec_disk_quota(){ ## Использовать дисковые квоты на файловые системы enable_quota(){ @@ -58,7 +58,7 @@ exec_disk_quota(){ ## jqfmt=vfsv1 # Включить журналирование. Использовать БД для журналируемых квот V2 #cat /proc/mounts | grep -q "^${PATH_DEVICE}.,*${ATTR_QUOTA}" && return 0 local MOUNT_DEVICE=$(cat /proc/mounts | grep "^${PATH_DEVICE}" | head -1) - if [[ -n ${MOUNT_DEVICE} ]]; then + if [[ -n ${MOUNT_DEVICE} ]]; then if [[ ${ISFS_EXT234_FEATURES} == yes ]]; then if [[ ${MOUNT_DEVICE} =~ ^${PATH_DEVICE}.*,${ATTR_QUOTA} ]]; then return 0 @@ -182,7 +182,7 @@ exec_disk_quota(){ fi else [[ ${MOUNT_DEVICE} =~ ^${PATH_DEVICE}.*,${ATTR_QUOTA} ]] && mount -o remount,noquota ${PATH_DEVICE} &>/dev/null - rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group} + rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group} fi fi else 
@@ -212,7 +212,7 @@ exec_disk_quota(){ KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253) # Построить массив всех из указанных устройств со всеми аттрибутами монтирования для которых существуют квоты for SELECT_DISK_QUOTA in "${!DISK_QUOTA[@]}"; do - ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*} + ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*} IDENT_DEVICE=${SELECT_DISK_QUOTA#*:}; IDENT_DEVICE=${IDENT_DEVICE%:*} [[ ${IDENT_DEVICE} == quota ]] && continue if [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then @@ -247,7 +247,7 @@ exec_disk_quota(){ [[ ${IDENT_DEVICE} == ${UGP_QUOTA} ]] && unset UGP_QUOTA #[[ ${IDENT_DEVICE} == quota ]] && unset IDENT_DEVICE if [[ ${ATTR_QUOTA} == quota && ${IDENT_DEVICE} == quota ]]; then - unset IDENT_DEVICE + unset IDENT_DEVICE elif [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253) PATH_DEVICE_LSBLK=$(grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f1) 
@@ -264,12 +264,12 @@ exec_disk_quota(){ [[ -n ${KNOW_LSBLK} ]] && ISFS_EXT234=$(grep -oE "${PATH_DEVICE} (ext2|ext3|ext4)" <<< ${KNOW_LSBLK}) #" [[ -n ${KNOW_LSBLK} && -z ${ISFS_EXT234} ]] && ISFS_XFS=$(grep -oE "${PATH_DEVICE} xfs" <<< ${KNOW_LSBLK}) # Проверить ФС на поддержку SW|HW режимов квот - [[ -n ${ISFS_EXT234} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_EXT234_FEATURES=yes || ISFS_EXT234_FEATURES=no; } + [[ -n ${ISFS_EXT234} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_EXT234_FEATURES=yes || ISFS_EXT234_FEATURES=no; } # TODO: Уточнить получение атрибутов у ФС XFS [[ -n ${ISFS_XFS} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_XFS_FEATURES=yes || ISFS_XFS_FEATURES=no; } #debug #continue - if [[ ${ALL_VALUE_QUOTA,,} == enable ]]; then + if [[ ${ALL_VALUE_QUOTA,,} == enable ]]; then if [[ -n ${PATH_DEVICE} ]]; then enable_quota ${ROOTFS}/usr/bin/quotaon -${ARG_CMD}vp ${PATH_DEVICE} | grep -qi 'is on (enforced)' || ${ROOTFS}/usr/bin/quotaon -${ARG_CMD} ${PATH_DEVICE} diff --git a/ublinux/rc.post.d/46-cgroup-quota b/ublinux/rc.post.d/46-cgroup-quota index 0e0c7d4..b9f93bb 100755 --- a/ublinux/rc.post.d/46-cgroup-quota +++ b/ublinux/rc.post.d/46-cgroup-quota @@ -25,8 +25,12 @@ get_compat_unit(){ # ARG1: CGROUP_QUOTA[superadmin]=MemoryHigh=500M,MemorySwapMax=100M,CPUQuota=400% exec_cgroup_quota_set(){ ## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup - PARAM="$@" - [[ -n $@ ]] && declare -A CGROUP_QUOTA && eval "${PARAM%%=*}='${PARAM#*=}'" + local PARAM="$@" + if [[ -n ${PARAM} ]]; then + local CGROUP_QUOTA= + declare -A CGROUP_QUOTA=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" + fi if [[ -n ${CGROUP_QUOTA[@]} ]]; then for ITEM_UNIT in "${!CGROUP_QUOTA[@]}"; do get_compat_unit 
@@ -44,7 +48,7 @@ exec_cgroup_quota_set(){ # ARG1: CGROUP_QUOTA[superadmin]= exec_cgroup_quota_remove(){ ## Очистить квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup - PARAM="$@" + local PARAM="$@" [[ -n ${PARAM} ]] && ITEM_UNIT=${PARAM#*[} && ITEM_UNIT=${ITEM_UNIT%%]*} || return 0 [[ -n ${ITEM_UNIT} ]] || return 0 get_compat_unit @@ -53,6 +57,7 @@ exec_cgroup_quota_remove(){ #systemctl revert ${COMPAT_UNIT} /usr/bin/systemctl daemon-reload else + # Напрямую cgroup true fi } diff --git a/ublinux/rc.preinit.d/10-system b/ublinux/rc.preinit.d/10-system index b663812..49f3e83 100755 --- a/ublinux/rc.preinit.d/10-system +++ b/ublinux/rc.preinit.d/10-system @@ -118,7 +118,7 @@ exec_environment(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } shift done eval ${FUNCTION#*; } diff --git a/ublinux/rc.preinit.d/20-services b/ublinux/rc.preinit.d/20-services index 5ce0e74..609f008 100755 --- a/ublinux/rc.preinit.d/20-services +++ b/ublinux/rc.preinit.d/20-services 
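Review bot: Unlike its `_set` counterpart in the previous hunk, exec_cgroup_quota_remove still validates nothing: `ITEM_UNIT` is simply the text between the first `[` and the next `]`, and it is assigned without `local`, so it also survives the call. A guard before `get_compat_unit`, e.g. `[[ ${ITEM_UNIT} =~ ^[[:alnum:]_.@-]+$ ]] || return 0` (constructed; widen to the unit names you accept), would make the two entry points symmetric; since get_compat_unit is called with no arguments it presumably reads ITEM_UNIT through dynamic scope, so a `local` here should not break it, but how the value is consumed downstream is not visible in the hunk. In the following hunk the new `# Напрямую cgroup` comment sits over a bare `true`; wording it `# TODO: direct cgroup2 path not implemented yet` would stop a reader taking the branch for finished code. exec_cgroup_quota_remove's body continues past the hunk.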
@@ -38,12 +38,13 @@ exec_services_enabledisable(){
 # $2 Параметр со значением, пример: SERVICES_ENABLE=pcscd.service,nmb,smb
 # null Если отсутствует $@, то применяем из системной конфигурации SERVICESSTART SERVICESNOSTART SERVICESMASK SERVICESUNMASK
 ISSYSTEMD=$(readlink -fq ${ROOTFS}/usr/bin/init | grep "lib/systemd/systemd$")
- [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && shift
+ [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift
+ [[ -n ${COMMAND} ]] || COMMAND="set="
 local PARAM="$@"
 if [[ -n ${PARAM} ]]; then
- unset SERVICESSTART SERVICESNOSTART SERVICESMASK SERVICESUNMASK
- unset SERVICES_ENABLE SERVICES_DISABLE SERVICES_MASK SERVICES_UNMASK
- eval "${PARAM%%=*}=\${PARAM#*=}"
+ local SERVICESSTART= SERVICESNOSTART= SERVICESMASK= SERVICESUNMASK=
+ local SERVICES_ENABLE= SERVICES_DISABLE= SERVICES_MASK= SERVICES_UNMASK=
+ [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}"
 else
 SERVICESSTART_KERNEL=$(cmdline_value servicesstart)
 SERVICES_ENABLE_KERNEL=$(cmdline_value services_enable)
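Review bot: `COMMAND=$1` on the first `+` line is assigned without `local`, so it outlives the call; a later invocation in the same shell that omits the command word then passes `[[ -n ${COMMAND} ]] || COMMAND="set="` with the previous value still set (a `remove` would carry over) instead of defaulting to `set=`. Declaring `local COMMAND=` immediately before that `[[ $1 == @(...) ]] && COMMAND=$1 && shift` line pins the default per call; exec_services_startstop_live already has the same shape and could get the same line. Whether any caller relies on COMMAND being visible afterwards cannot be determined from the hunk, so check the dispatcher in ublinux/functions (which passes the command as `$1`) before changing it. The switch from `unset` to `local` for the SERVICES* variables now shadows the values sourced from the config instead of clearing them; that is sound per-call isolation but deserves a comment, e.g. `# shadow the sourced config values so an explicit argument wins`. exec_services_enabledisable starts and ends outside the hunk.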
@@ -59,32 +60,59 @@ exec_services_enabledisable(){ mkdir -p proc mount -o rbind /proc proc fi - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ -n ${ISSYSTEMD} ]]; then - ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESUNMASK},${SERVICESSTART},${SERVICES_UNMASK},${SERVICES_ENABLE}" | tr -s '\n') - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ -n ${ISSYSTEMD} ]]; then - ${CMD_CHROOT} /usr/bin/systemctl --quiet enable ${SELECT_SERVICE} - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ -n ${ISSYSTEMD} ]]; then - ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICES_DISABLE}" | tr -s '\n') - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ -n ${ISSYSTEMD} ]]; then - ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} - ${CMD_CHROOT} /usr/bin/systemctl --quiet mask ${SELECT_SERVICE} - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESMASK},${SERVICES_MASK}" | tr -s '\n') - [[ -n ${ROOTFS} ]] && umount proc + if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESUNMASK},${SERVICESSTART},${SERVICES_UNMASK},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet enable ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + 
[[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICES_DISABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} + ${CMD_CHROOT} /usr/bin/systemctl --quiet mask ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESMASK},${SERVICES_MASK}" | tr -s '\n') + elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + true + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESUNMASK},${SERVICESSTART},${SERVICES_UNMASK},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + true + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICES_DISABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESMASK},${SERVICES_MASK}" | tr -s '\n') + fi + [[ -z ${ROOTFS} ]] || umount proc fi } 
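Review bot: In the new `set-=`/`set--=`/`remove` branch, the loops over `${SERVICESUNMASK},${SERVICESSTART},${SERVICES_UNMASK},${SERVICES_ENABLE}` and over `${SERVICESNOSTART},${SERVICES_DISABLE}` execute only `true`, so each still spawns a `tr` pipeline and reads every entry to do nothing. Either drop those two loops or replace each with a one-line comment recording the decision, e.g. `# unmask and nostart entries are deliberately left untouched on removal`, so the next reader does not assume a step was forgotten. The same idle loops reappear in the exec_services_startstop_live hunk that follows. exec_services_enabledisable starts outside the hunk.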
@@ -100,30 +128,49 @@ exec_services_startstop_live(){ [[ -n ${COMMAND} ]] || COMMAND="set=" local PARAM="$@" if [[ -n ${PARAM} ]]; then - unset SERVICESSTART SERVICESNOSTART SERVICESMASK SERVICESUNMASK - unset SERVICES_ENABLE SERVICES_DISABLE SERVICES_MASK SERVICES_UNMASK - [[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local SERVICESSTART= SERVICESNOSTART= SERVICESMASK= SERVICESUNMASK= + local SERVICES_ENABLE= SERVICES_DISABLE= SERVICES_MASK= SERVICES_UNMASK= + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue if [[ -n ${ISSYSTEMD} ]]; then - systemctl --quiet start ${SELECT_SERVICE} + systemctl --quiet start ${SELECT_SERVICE} fi - elif [[ ${COMMAND} == @("set-="|"set--=") ]]; then + done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue if [[ -n ${ISSYSTEMD} ]]; then - systemctl --quiet stop ${SELECT_SERVICE} + systemctl --quiet stop ${SELECT_SERVICE} fi - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') - while IFS= read -ru3 SELECT_SERVICE; do - [[ -n ${SELECT_SERVICE} ]] || continue - if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICES_DISABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue if [[ -n ${ISSYSTEMD} ]]; then - systemctl --quiet stop ${SELECT_SERVICE} + systemctl --quiet stop ${SELECT_SERVICE} fi - fi - done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICESMASK},${SERVICES_DISABLE},${SERVICES_MASK}" | tr -s '\n') + done 3< <(tr 
',; ' '\n' <<< "${SERVICESMASK},${SERVICES_MASK}" | tr -s '\n') + elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + systemctl --quiet stop ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESSTART},${SERVICES_ENABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + true + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESNOSTART},${SERVICES_DISABLE}" | tr -s '\n') + while IFS= read -ru3 SELECT_SERVICE; do + [[ -n ${SELECT_SERVICE} ]] || continue + if [[ -n ${ISSYSTEMD} ]]; then + systemctl --quiet unmask ${SELECT_SERVICE} + fi + done 3< <(tr ',; ' '\n' <<< "${SERVICESMASK},${SERVICES_MASK}" | tr -s '\n') + fi } #Выключил, т.к. не перезапишет параметры по умолчанию @@ -137,9 +184,9 @@ exec_services_startstop_live(){ # [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && shift # local PARAM="$@" # if [[ -n ${PARAM} ]]; then -# unset SERVICE -# declare -A SERVICE -# eval "${PARAM%%=*}=\${PARAM#*=}" +# local SERVICE= +# declare -A SERVICE=() +# [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" # else # SERVICES_ENABLE_KERNEL=$(cmdline_value services_enable) # [[ -z ${SERVICES_ENABLE_KERNEL} ]] || while read -u3 SELECT_SERVICE; do 
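Review bot: In the remove branch of exec_services_startstop_live the `SERVICESMASK` loop now runs `systemctl unmask`, which rewrites unit-file symlinks, while every other action in this function is a transient `start`/`stop`; the remove branch of exec_services_enabledisable in the earlier hunk already unmasks the same list, so a removal routed through both entry points unmasks twice and the "live" function acquires a persistent side effect its name does not suggest. If the intent is to bring a previously masked service back up live, `systemctl start` is the matching action here and the unmask belongs only in enabledisable; otherwise a comment explaining why the live path touches unit files is needed. Whether the two entry points are always called together is inferred from the `exec_*`/`exec_*_live` pairing seen in the ublinux/functions hunk, not shown here. The loop over `${SERVICESNOSTART},${SERVICES_DISABLE}` that executes only `true` has the same problem as in the enabledisable hunk. exec_services_startstop_live starts outside the hunk.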
@@ -162,21 +209,21 @@ exec_services_startstop_live(){ # [[ -n ${SELECT_SERVICE} ]] || continue # if [[ ${SERVICE[${SELECT_SERVICE}]} == @(start|enable|on) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet enable ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet enable ${SELECT_SERVICE} # fi # elif [[ ${SERVICE[${SELECT_SERVICE}]} == @(stop|disable|off) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} # fi # elif [[ ${SERVICE[${SELECT_SERVICE}]} == @(mask) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet mask ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet disable ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet mask ${SELECT_SERVICE} # fi # elif [[ ${SERVICE[${SELECT_SERVICE}]} == @(unmask) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet unmask ${SELECT_SERVICE} # fi # fi # done 3< <(printf "%s\n" "${!SERVICE[@]}") 
@@ -198,17 +245,17 @@ exec_services_startstop_live(){ # local PARAM="$@" # if [[ -n ${PARAM} ]]; then # local SERVICE= -# declare -A SERVICE -# [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" +# declare -A SERVICE=() +# [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" # fi # while read -u3 SELECT_SERVICE; do # if [[ ${SERVICE[${SELECT_SERVICE}]} == @(start|enable|on) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet start ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet start ${SELECT_SERVICE} # fi # elif [[ ${SERVICE[${SELECT_SERVICE}]} == @(stop|disable|off) ]]; then # if [[ -n ${ISSYSTEMD} ]]; then -# echo ${CMD_CHROOT} /usr/bin/systemctl --quiet stop ${SELECT_SERVICE} +# ${CMD_CHROOT} /usr/bin/systemctl --quiet stop ${SELECT_SERVICE} # fi # fi # done 3< <(printf "%s\n" "${!SERVICE[@]}") @@ -227,7 +274,7 @@ exec_services_startstop_live(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } shift done eval ${FUNCTION#*; } diff --git a/ublinux/rc.preinit.d/23-realmd b/ublinux/rc.preinit.d/23-realmd index bf6d607..11e47e7 100755 --- a/ublinux/rc.preinit.d/23-realmd +++ b/ublinux/rc.preinit.d/23-realmd @@ -47,9 +47,9 @@ exec_domain(){ local PARAM="$@" [[ $(declare -p DOMAIN 2>/dev/null) =~ "declare -A" ]] || declare -A DOMAIN if [[ -n ${PARAM} ]]; then - unset DOMAIN - declare -A DOMAIN - [[ ${PARAM%%=*} =~ [!\$%\&()*+,./:\;\<\=\>?\@\^\{|\}~-] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local DOMAIN= + declare -A DOMAIN=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then if [[ -n ${DOMAIN} && ${DOMAIN[client]} == "realmd_sssd" ]]; then 
@@ -99,7 +99,7 @@ domain_configure_live(){
 else
 FUNCTION=
 while [[ $# -gt 0 ]]; do
- [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; }
+ [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
 shift
 done
 eval ${FUNCTION#*; }
diff --git a/ublinux/rc.preinit.d/24-logging b/ublinux/rc.preinit.d/24-logging
index 705bb91..e21a2f2 100755
--- a/ublinux/rc.preinit.d/24-logging
+++ b/ublinux/rc.preinit.d/24-logging
@@ -24,55 +24,106 @@ SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null SOURCE=${SYSCONF}/logging; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null ## Настройка мониторинга и сбора системных событий и записи их в журналы для аудита -## AUDITD=disable|no|none|off # Отключить все созданные правила из конфигурации -## AUDITD[]= -## # Уникальное имя правила -## # Правило +## AUDITD=disable|no|none|off<-># Отключить все созданные правила из конфигурации +## AUDITD[[:]]=[#] +## # Уникальное имя правила +## # Статус правила, модет принимать значения: отсутствовать,enable,disable +## Отстутствует # Правило выключено или только комментарий +## enable # Правило включено +## disable # Правило выключено +## # Правило, без использование символа # +## # Описание правила, начинается с символа # +#AUDITD[comment_1]="#Global settings" +#AUDITD[conf-d:enable]="-D #Remove any existing rules" +#AUDITD[conf-b:enable]="-b 8192 #Buffer Size. Feel free to increase this if the machine panic's" +#AUDITD[conf-f:enable]="-f 1 #Failure Mode. Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)" +#AUDITD[conf-i:disable]="-i #Ignore errors. e.g. 
caused by users or files not found in the local environment" +#AUDITD[comment_1221]="#Self Auditing ---------------------------------------------------------------------" +#AUDITD[comment_32423]="#Audit the audit logs" +#AUDITD[comment_23423]="#Successful and unsuccessful attempts to read information from the audit records" +#AUDITD[fs_auditlog_1]="-w /var/log/audit/ -p wra -k auditlog" +#AUDITD[fs_auditlog_2:disable]="-w /var/audit/ -p wra -k auditlog" #AUDITD[event_chmod]="-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=event_chmod" #AUDITD[passwd_changes]="-w /etc/passwd -p wa -k passwd_changes" exec_auditd(){ [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift [[ -n ${COMMAND} ]] || COMMAND="set=" - FILE_PATTERN_AUDITD_CONF="${ROOTFS}/etc/audit/rules.d/00-ubconfig.rules" local PARAM="$@" - if [[ -n ${PARAM} ]]; then - AUDITD_NAME=${PARAM%%=*} - AUDITD_VAR=${PARAM#*=} + local SERVICE_AUDITD="auditd.service" + local FILE_PATTERN_AUDITD_CONF="${ROOTFS}/etc/audit/rules.d/00-ubconfig.rules" + local SEPARATE_RULES_NAME_COMMENT=": " + local PREFIX_RULES_DISABLE="## " + if [[ ${AUDITD} == @(enable|yes|on) ]]; then + # Только для init + [[ -n ${ROOTFS} ]] && [[ -f ${ROOTFS}/lib/systemd/system/${SERVICE_AUDITD} ]] && [[ ! -e ${ROOTFS}/etc/systemd/system/multi-user.target.wants/${SERVICE_AUDITD} ]] \ + && ln -sf /usr/lib/systemd/system/${SERVICE_AUDITD} ${ROOTFS}/etc/systemd/system/multi-user.target.wants/${SERVICE_AUDITD} + elif [[ ${AUDITD} == @(disable|no|none|off) ]]; then + rm -f "${FILE_PATTERN_AUDITD_CONF}" + [[ -n ${ROOTFS} ]] && [[ -e ${ROOTFS}/etc/systemd/system/multi-user.target.wants/${SERVICE_AUDITD} ]] && rm -f "${ROOTFS}/etc/systemd/system/multi-user.target.wants/${SERVICE_AUDITD}" + return 0 fi [[ -d ${FILE_PATTERN_AUDITD_CONF%/*} ]] || mkdir -p ${FILE_PATTERN_AUDITD_CONF%/*} [[ -f ${FILE_PATTERN_AUDITD_CONF} ]] || true > "${FILE_PATTERN_AUDITD_CONF}" - if [[ -z ${PARAM} ]]; then + if [[ -n ${PARAM} && ! 
${PARAM} =~ ^"AUDITD="('enable'|'yes'|'on')?$ ]]; then + local SOURCE_AUDITD_RULES="${PARAM}" + elif [[ -n ${PARAM} && ${PARAM} =~ ^"AUDITD="('disable'|'no'|'none'|'off')?$ ]]; then + return 0 + else + # Полное перезаполнение правил из конфигурации + SOURCE_AUDITD_RULES=$(grep -E "^[[:blank:]]*AUDITD\[" ${SYSCONF}/logging 2>/dev/null) true > "${FILE_PATTERN_AUDITD_CONF}" - while IFS='=' read -u3 AUDITD_NAME AUDITD_VAR; do - [[ ${AUDITD_NAME} =~ ^.*'['(.*)']' ]] && AUDITD_NAME=${BASH_REMATCH[1]} - [[ ${AUDITD_VAR} =~ ^\"(.*)\"$ ]] && AUDITD_VAR=${BASH_REMATCH[1]} - echo "${AUDITD_VAR}" >> "${FILE_PATTERN_AUDITD_CONF}" - done 3< <(grep -E "^[[:space:]]*AUDITD\[" ${SYSCONF}/logging 2>/dev/null) - elif [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then - [[ ${AUDITD_NAME} =~ ^.*'['(.*)']' ]] && AUDITD_NAME=${BASH_REMATCH[1]} - [[ ${AUDITD_VAR} =~ ^\"(.*)\"$ ]] && AUDITD_VAR=${BASH_REMATCH[1]} - echo "${AUDITD_VAR}" >> "${FILE_PATTERN_AUDITD_CONF}" + fi + if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + # т.к. 
важен порядок, то считываем последовательно из конфигурации + while IFS='=' read -u3 AUDITD_RULE_NAME AUDITD_RULE_VAR; do + [[ ${AUDITD_RULE_NAME} =~ ^[[:blank:]]*'AUDITD['([^:]+)':'?('enable'|'disable'|'yes'|'no'|'none'|'on'|'off')?']' ]] && AUDITD_RULE_NAME=${BASH_REMATCH[1]} && AUDITD_RULE_STATUS=${BASH_REMATCH[2]} + [[ ${AUDITD_RULE_NAME} == @("AUDITD"|"") ]] && return 0 + [[ ${AUDITD_RULE_STATUS} == @(""|disable|no|none|off) ]] && AUDITD_RULE_STATUS="#" || AUDITD_RULE_STATUS= + [[ ${AUDITD_RULE_VAR} =~ ^[\"\']?([^#]*)'#'?([^\"]*)[\'\"]?$ ]] && AUDITD_RULE_VAR=${BASH_REMATCH[1]} && AUDITD_RULE_COMMENT=${BASH_REMATCH[2]} + [[ ${AUDITD_RULE_VAR} =~ ^[[:blank:]]*([^[:blank:]$]*)[[:blank:]]*$ ]] && AUDITD_RULE_VAR=${BASH_REMATCH[1]} + [[ -n ${AUDITD_RULE_COMMENT} ]] && echo "${PREFIX_RULES_DISABLE}${AUDITD_RULE_NAME}${SEPARATE_RULES_NAME_COMMENT}${AUDITD_RULE_COMMENT}" >> "${FILE_PATTERN_AUDITD_CONF}" \ + || echo "${PREFIX_RULES_DISABLE}${AUDITD_RULE_NAME}" >> "${FILE_PATTERN_AUDITD_CONF}" + [[ -n ${AUDITD_RULE_VAR} ]] && echo "${AUDITD_RULE_STATUS}${AUDITD_RULE_VAR}" >> "${FILE_PATTERN_AUDITD_CONF}" + done 3<<<${SOURCE_AUDITD_RULES} elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then - if [[ -n ${AUDITD_NAME} && ${AUDITD_VAR} != "" ]]; then - [[ ${AUDITD_NAME} =~ ^.*'['(.*)']' ]] && AUDITD_NAME=${BASH_REMATCH[1]} - AUDITD_VAR=${AUDITD[${AUDITD_NAME}]} - fi - [[ ${AUDITD_VAR} =~ ^\"(.*)\"$ ]] && AUDITD_VAR=${BASH_REMATCH[1]} - ESC_AUDITD_VAR=$(sed 's/[^a-zA-Z0-9=",_@#%&<> -]/\\&/g' <<< "${AUDITD_VAR}") - sed "/^${ESC_AUDITD_VAR}$/d" -i "${FILE_PATTERN_AUDITD_CONF}" + [[ -f ${FILE_PATTERN_AUDITD_CONF} ]] && while IFS='=' read -u3 AUDITD_RULE_NAME AUDITD_RULE_VAR; do + [[ ${AUDITD_RULE_NAME} =~ ^[[:blank:]]*'AUDITD['([^:]+)':'?('enable'|'disable'|'yes'|'no'|'none'|'on'|'off')?']' ]] && AUDITD_RULE_NAME=${BASH_REMATCH[1]} && AUDITD_RULE_STATUS=${BASH_REMATCH[2]} + # Уазан параметр не массив: AUDITD= + [[ ${AUDITD_RULE_NAME} == @("AUDITD"|"") ]] && return 0 + 
[[ ${AUDITD_RULE_STATUS} == @(""|disable|no|none|off) ]] && AUDITD_RULE_STATUS="#" || AUDITD_RULE_STATUS= + [[ ${AUDITD_RULE_VAR} =~ ^[\"\']?([^#]*)'#'?([^\"]*)[\'\"]?$ ]] && AUDITD_RULE_VAR=${BASH_REMATCH[1]} && AUDITD_RULE_COMMENT=${BASH_REMATCH[2]} + [[ ${AUDITD_RULE_VAR} =~ ^[[:blank:]]*([^[:blank:]$]*)[[:blank:]]*$ ]] && AUDITD_RULE_VAR=${BASH_REMATCH[1]} + if [[ -n ${AUDITD_RULE_COMMENT} ]]; then + sed -E "/^$(ere_quote_sed "${PREFIX_RULES_DISABLE}${AUDITD_RULE_NAME}${SEPARATE_RULES_NAME_COMMENT}${AUDITD_RULE_COMMENT}")[[:blank:]]*$/d" -i "${FILE_PATTERN_AUDITD_CONF}" + else + sed -E "/^$(ere_quote_sed "${PREFIX_RULES_DISABLE}${AUDITD_RULE_NAME}")[[:blank:]]*$/d" -i "${FILE_PATTERN_AUDITD_CONF}" + fi + [[ -n ${AUDITD_RULE_VAR} ]] && sed -E "/^$(ere_quote_sed "${AUDITD_RULE_STATUS}${AUDITD_RULE_VAR}")[[:blank:]]*$/d" -i "${FILE_PATTERN_AUDITD_CONF}" + done 3<<<${SOURCE_AUDITD_RULES} fi } exec_auditd_live(){ [[ -z ${ROOTFS} ]] || return 0 - SERVICE_NAME="auditd.service" - if [[ $(pgrep -fc "exec_audit_live") == 1 ]]; then - if systemctl --quiet is-enabled ${SERVICE_NAME} 2>/dev/null; then - sleep 5 - systemctl --quiet reset-failed ${SERVICE_NAME} - systemctl --quiet restart ${SERVICE_NAME} 2>/dev/null + local SERVICE_AUDIT_RULES="audit-rules.service" + local SERVICE_AUDITD="auditd.service" + if [[ -n ${AUDITD} ]]; then + # Если получен параметр AUDITD на включение или выключение, не массив, то + if [[ ${AUDITD} == @(enable|yes|on) ]]; then + if [[ $(pgrep -fc "exec_auditd_live") == 1 ]]; then + sleep 5 + if systemctl --quiet is-active ${SERVICE_AUDITD} 2>/dev/null; then + systemctl --quiet reset-failed ${SERVICE_AUDITD} 2>/dev/null + systemctl --quiet restart ${SERVICE_AUDITD} 2>/dev/null + fi + ubconfig --quiet --target system set [system] SERVICES_ENABLE++="${SERVICE_AUDITD}" + fi + elif [[ ${AUDITD} == @(disable|no|none|off) ]]; then + pkill ${SERVICE_AUDITD%%.*} + ubconfig --quiet --target system set [system] SERVICES_ENABLE--="${SERVICE_AUDITD}" 
2>/dev/null fi fi + return 0 } ## Настройка журналов @@ -109,8 +160,8 @@ exec_journald(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local JOURNALD= - declare -A JOURNALD - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A JOURNALD=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi [[ ! -f ${FILE_JOURNALD_CONF} ]] && mkdir -p "${FILE_JOURNALD_CONF%/*}" && touch ${FILE_JOURNALD_CONF} [[ $(cat ${FILE_JOURNALD_CONF}) =~ "[Journal]" ]] || echo "[Journal]" > ${FILE_JOURNALD_CONF} @@ -135,8 +186,8 @@ exec_journald_live(){ SERVICE_NAME="systemd-journald.service" if [[ $(pgrep -fc "exec_journald_live") == 1 ]]; then sleep 5 - systemctl reset-failed ${SERVICE_NAME} - systemctl --quiet restart ${SERVICE_NAME} + systemctl reset-failed ${SERVICE_NAME} 2>/dev/null + systemctl --quiet restart ${SERVICE_NAME} 2>/dev/null fi } @@ -167,8 +218,8 @@ exec_systemd_coredump(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local SYSTEMD_COREDUMP= - declare -A SYSTEMD_COREDUMP - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A SYSTEMD_COREDUMP=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi [[ ! -f ${FILE_SYSTEMD_COREDUMP_CONF} ]] && mkdir -p "${FILE_SYSTEMD_COREDUMP_CONF%/*}" && touch ${FILE_SYSTEMD_COREDUMP_CONF} [[ $(cat ${FILE_SYSTEMD_COREDUMP_CONF}) =~ "[Coredump]" ]] || echo "[Coredump]" > ${FILE_SYSTEMD_COREDUMP_CONF} @@ -201,8 +252,8 @@ exec_logrotate(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local LOGROTATE= - declare -A LOGROTATE - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A LOGROTATE=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi [[ -d ${FILE_PATTERN_LOGROTATE_CONF%/*} ]] || mkdir -p ${PATH_LOGROTATE_CONF%/*} if [[ ${COMMAND} == "set=" ]] && [[ ${#LOGROTATE[@]} != 0 ]]; then 
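Review bot: `pkill ${SERVICE_AUDITD%%.*}` in the disable branch of `exec_auditd_live` is a regex substring match on process names, so it also signals anything containing `auditd` (the kernel's `kauditd` thread among them), and it bypasses systemd, so the unit's state goes stale and — more importantly for an audit subsystem — the rules already loaded in the kernel stay active after the rules file is deleted, until `auditctl -D` or a reboot. Prefer `systemctl --quiet stop ${SERVICE_AUDITD} 2>/dev/null || pkill -x ${SERVICE_AUDITD%%.*}` followed by `auditctl -D &>/dev/null` (upstream `auditd.service` sets `RefuseManualStop=yes`, which is presumably why pkill was chosen; `service auditd stop` is the sanctioned path on such systems). In `exec_auditd`, `true > "${FILE_PATTERN_AUDITD_CONF}"` creates the rules file under the caller's umask while the rest of `/etc/audit/rules.d` is conventionally root-only, so add `chmod 0640 "${FILE_PATTERN_AUDITD_CONF}"` right after it. Two smaller points: when a single `AUDITD[name]=rule` is passed, the `set=` branch appends without first deleting an existing entry of the same name (only the full-refill branch truncates), so repeated sets of one key accumulate duplicate rule lines; and the trim regex `^[[:blank:]]*([^[:blank:]$]*)[[:blank:]]*$` only matches single-token rules, so a multi-token rule such as `-b 8192` keeps the blank that preceded its `#` comment.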
@@ -211,7 +262,7 @@ exec_logrotate(){ RULES_LOG="${LOGROTATE[${NAME_FILE}]#*:}" TAB_COUNT='\t' # Вставляем список файлов логов - echo "${FILES_LOG} {" > "${FILE_PATTERN_LOGROTATE_CONF}${NAME_FILE}" + echo "${FILES_LOG} {" > "${FILE_PATTERN_LOGROTATE_CONF}${NAME_FILE}" # Вставляем правила для вращения логов while IFS= read -r SELECT_RULES_LOG; do [[ ${SELECT_RULES_LOG} == "endscript" ]] && TAB_COUNT='\t' @@ -285,8 +336,8 @@ exec_logrotate_live(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/rc.preinit.d/40-authpam b/ublinux/rc.preinit.d/40-authpam index 6ce29fa..7729626 100755 --- a/ublinux/rc.preinit.d/40-authpam +++ b/ublinux/rc.preinit.d/40-authpam @@ -27,7 +27,7 @@ exec_authpam(){ [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && COMMAND=$1 && shift [[ -n ${COMMAND} ]] || COMMAND="set=" [[ $(declare -p AUTHPAM 2>/dev/null) =~ "declare -A" ]] || declare -A AUTHPAM - local PARAM="$@" +# local PARAM="$@" # AUTHSELECT_LIST_ALL=$(${CMD_CHROOT} /usr/bin/authselect list) AUTHPAM_FEATURE=${AUTHPAM[${AUTHPAM[0]}]//,/ }; AUTHPAM_FEATURE=${AUTHPAM_FEATURE//;/ } if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then @@ -41,7 +41,6 @@ exec_authpam(){ ${CMD_CHROOT} /usr/bin/authselect select ${AUTHPAM[0]} ${AUTHPAM_FEATURE} --force --nobackup --quiet fi fi - } diff --git a/ublinux/rc.preinit.d/58-access-login b/ublinux/rc.preinit.d/58-access-login index d963e90..27e347a 100755 --- a/ublinux/rc.preinit.d/58-access-login +++ b/ublinux/rc.preinit.d/58-access-login 
@@ -59,7 +59,7 @@ exec_access_denied_login(){
 else
 FUNCTION=
 while [[ $# -gt 0 ]]; do
- [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; }
+ [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
 shift
 done
 eval ${FUNCTION#*; }
diff --git a/ublinux/rc.preinit.d/60-lightdm-settings b/ublinux/rc.preinit.d/60-lightdm-settings
index 0605a91..11b1811 100755
--- a/ublinux/rc.preinit.d/60-lightdm-settings
+++ b/ublinux/rc.preinit.d/60-lightdm-settings
@@ -41,8 +41,8 @@ exec_lightdm_xdmcp(){
 local PARAM="$@"
 if [[ -n ${PARAM} ]]; then
 local LIGHTDM_XDMCP=
- declare -A LIGHTDM_XDMCP
- [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}"
+ declare -A LIGHTDM_XDMCP=()
+ [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}"
 fi
 FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf"
 FILE_LIGHTDM_XDMCP_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/99-xdmcp-ubconfig.conf"
@@ -84,8 +84,8 @@ exec_lightdm_greeter(){
 local PARAM="$@"
 if [[ -n ${PARAM} ]]; then
 local LIGHTDM_GREETER=
- declare -A LIGHTDM_GREETER
- [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}"
+ declare -A LIGHTDM_GREETER=()
+ [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}"
 fi
 FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf"
 FILE_LIGHTDM_GREETER_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/99-greeter-ubconfig.conf"
@@ -127,7 +127,7 @@ EOF
 else
 FUNCTION=
 while [[ $# -gt 0 ]]; do
- [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; }
+ [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
 shift
 done
 eval ${FUNCTION#*; }
diff --git a/ublinux/rc.preinit.d/80-server-containers-storage b/ublinux/rc.preinit.d/80-server-containers-storage
index ac64615..e7b21c2 100755
--- a/ublinux/rc.preinit.d/80-server-containers-storage
+++ b/ublinux/rc.preinit.d/80-server-containers-storage
@@ -142,7 +142,7 @@ EOF
 else
 FUNCTION=
 while [[ $# -gt 0 ]]; do
- [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; }
+ [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; }
 shift
 done
 eval ${FUNCTION#*; }
diff --git a/ublinux/rc.preinit/10-accounts b/ublinux/rc.preinit/10-accounts
index c56c5f6..1213949 100755
--- a/ublinux/rc.preinit/10-accounts
+++ b/ublinux/rc.preinit/10-accounts
@@ -117,21 +117,24 @@ exec_01_defaultrootpasswd(){ [[ -n ${COMMAND} ]] || local COMMAND="set=" local PARAM="$@" if [[ -n ${PARAM} ]]; then - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi - if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ -n ${DEFAULTROOTPASSWD} && ! ${DEFAULTROOTPASSWD,,} == @(no|none|disable) ]]; then + if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then + [[ ${DEFAULTROOTPASSWD,,} == @(no|none|disable|" ") ]] && DEFAULTROOTPASSWD=" " # Добавить параметр в ${FILE_ROOT_USERS}=.users_credential и удалить параметр DEFAULTROOTPASSWD из '/etc/ublinux/users if [[ -f ${FILE_ROOT_USERS} ]]; then sed "/DEFAULTROOTPASSWD=/d" -i "${FILE_ROOT_USERS}" - echo "DEFAULTROOTPASSWD='${DEFAULTROOTPASSWD}'" >> ${FILE_ROOT_USERS} + [[ -n ${DEFAULTROOTPASSWD} ]] && echo "DEFAULTROOTPASSWD='${DEFAULTROOTPASSWD}'" >> ${FILE_ROOT_USERS} fi [[ -f "${SYSCONF}/users" ]] && sed "/DEFAULTROOTPASSWD=/d" -i "${SYSCONF}/users" - DEFAULTROOTPASSWD=$(return_hash_password hash ${HASHPASSWD} ${DEFAULTROOTPASSWD}) + [[ -n ${DEFAULTROOTPASSWD} ]] && DEFAULTROOTPASSWD=$(return_hash_password hash ${HASHPASSWD} ${DEFAULTROOTPASSWD}) #set_passwd root "${DEFAULTROOTPASSWD}" user_add "root:+:+:+:${DEFAULTROOTPASSWD}:+:+:+:+:+:+:+:+" elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then [[ -f ${FILE_ROOT_USERS} ]] && sed "/DEFAULTROOTPASSWD=/d" -i "${FILE_ROOT_USERS}" [[ -f "${SYSCONF}/users" ]] && sed "/DEFAULTROOTPASSWD=/d" -i "${SYSCONF}/users" + # Если пробел " " пробел, то пароль не будет установлен + user_add "root:+:+:+: :+:+:+:+:+:+:+:+" fi } 
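Review bot: `[[ ${DEFAULTROOTPASSWD,,} == @(no|none|disable|" ") ]] && DEFAULTROOTPASSWD=" "` turns an operator's request to disable the root password into the `' '` sentinel that this commit's own comments describe as "вход без пароля" (login without a password), and `user_add "root:+:+:+: :+:…"` in the `remove` branch does the same when the setting is deleted; before this change those keywords skipped the root password update entirely, so this is a behaviour change in the unsafe direction. What actually reaches `user_add` is also unclear, because the sentinel is expanded unquoted in `return_hash_password hash ${HASHPASSWD} ${DEFAULTROOTPASSWD}`, where word splitting drops a bare space, so the outcome depends on that helper's output for a missing argument (not visible here — confirm). Map the disable keywords to a locked hash and keep it out of the hashing step instead: `[[ ${DEFAULTROOTPASSWD,,} == @(no|none|disable) ]] && DEFAULTROOTPASSWD='!'` and `[[ ${DEFAULTROOTPASSWD} != @(""|" "|"!"|"*") ]] && DEFAULTROOTPASSWD=$(return_hash_password hash "${HASHPASSWD}" "${DEFAULTROOTPASSWD}")`, with `'!'` rather than `' '` in the `remove` branch as well, leaving `' '` as an explicit, separately documented opt-in. The function's opening lines are outside the hunk.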
@@ -142,13 +145,13 @@ exec_02_defaultpasswd(){ [[ -n ${COMMAND} ]] || local COMMAND="set=" local PARAM="$@" if [[ -n ${PARAM} ]]; then - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi - if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ -n ${DEFAULTPASSWD} ]]; then + if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]]; then # Добавить параметр в ${FILE_ROOT_USERS}=.users_credential и удалить параметр DEFAULTROOTPASSWD из '/etc/ublinux/users if [[ -f ${FILE_ROOT_USERS} ]]; then sed "/DEFAULTPASSWD=/d" -i "${FILE_ROOT_USERS}" - echo "DEFAULTPASSWD='${DEFAULTPASSWD}'" >> ${FILE_ROOT_USERS} + [[ -n ${DEFAULTPASSWD} ]] && echo "DEFAULTPASSWD='${DEFAULTPASSWD}'" >> ${FILE_ROOT_USERS} fi [[ -f "${SYSCONF}/users" ]] && sed "/DEFAULTPASSWD=/d" -i "${SYSCONF}/users" elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]]; then @@ -238,8 +241,8 @@ exec_04_groupadd(){ local DATA_SYSUSERS=$(cat ${ROOTFS}/usr/lib/sysusers.d/*.conf ${ROOTFS}/usr/share/ublinux-sysusers/*.sysusers) if [[ -n ${PARAM} ]]; then local GROUPADD= - declare -A GROUPADD - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A GROUPADD=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ ${#GROUPADD[@]} != 0 ]]; then groupadd_local(){ 
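Review bot: `[[ -n ${DEFAULTPASSWD} ]] && echo "DEFAULTPASSWD='${DEFAULTPASSWD}'" >> ${FILE_ROOT_USERS}` writes the value inside single quotes without escaping a `'` in the value, so a `%%`-plaintext password containing an apostrophe produces a line that no longer parses as `KEY='value'`, and if that credential file is read by sourcing it as shell the text after the stray quote is executed as root (how the file is read is not visible in this hunk — confirm). `printf 'DEFAULTPASSWD=%q\n' "${DEFAULTPASSWD}" >> "${FILE_ROOT_USERS}"` emits a form that is always safe to source, and the same one-line change applies to the `DEFAULTROOTPASSWD` writer in this file. Dropping the `-n ${DEFAULTPASSWD}` guard also means `set=` with an empty value now deletes `DEFAULTPASSWD` from both files while accounts whose password field is empty or `x` fall back to `${DEFAULTPASSWD}`; either refuse the empty value or add a comment stating that an empty default is intended, so it does not silently propagate to new accounts.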
@@ -272,8 +275,8 @@ exec_04_groupadd(){ [[ ${SELECT_OPTIONAL} == 'x' ]] && SELECT_OPTIONAL= [[ ${SELECT_OPTIONAL} =~ ('-r'|'--system') ]] && SELECT_GID="system" #[[ ! ${SELECT_OPTIONAL} =~ ('-o'|'--non-unique') && ${DATA_FILE_GROUP} =~ ($'\n'|^)+[^:]*:[^:]*:"${SELECT_GID}": ]] && { >&2 echo "ERROR: '${SELECT_GROUP}' non unique a group ID (GID)"; return 1; } - [[ ${SELECT_PASSWORD} == @(""|"x") ]] && SELECT_PASSWORD= - [[ ${SELECT_PASSWORD} != @(""|'!*'|'!'|'*') ]] && SELECT_PASSWORD=$(return_hash_password hash ${HASHPASSWD} ${SELECT_PASSWORD}) + [[ ${SELECT_PASSWORD} == @(""|" "|"x") ]] && SELECT_PASSWORD= + [[ ${SELECT_PASSWORD} != @(""|" "|'!*'|'!'|'*') ]] && SELECT_PASSWORD=$(return_hash_password hash ${HASHPASSWD} ${SELECT_PASSWORD}) #echo "==> exec_04_groupadd: ${SELECT_GROUP}:${SELECT_USERS}:${SELECT_GID}:${SELECT_OPTIONAL}:${SELECT_ADMINISTRATORS}:${SELECT_PASSWORD}" group_add "${SELECT_GROUP}:${SELECT_GID}:${SELECT_USERS}:${SELECT_PASSWORD}:${SELECT_ADMINISTRATORS}" if [[ -n ${PARAM} && -z ${ROOTFS} ]]; then @@ -322,10 +325,10 @@ exec_05_neededusers(){ [[ $1 == @("set="|"set+="|"set++="|"set-="|"set--="|"remove") ]] && local COMMAND=$1 && shift [[ -n ${COMMAND} ]] || local COMMAND="set=" local PARAM="$@" - local SELECT_USERNAME SELECT_UID SELECT_PASSWORD SELECT_GECOS NULL ADDGROUPS - local ARG_DEFAULTGROUP ARG_SELECT_UID ARG_SELECT_GECOS + local SELECT_USERNAME= SELECT_UID= SELECT_PASSWORD= SELECT_GECOS= NULL= ADDGROUPS= + local ARG_DEFAULTGROUP= ARG_SELECT_UID= ARG_SELECT_GECOS= if [[ -n ${PARAM} ]]; then - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi # Если по умолчанию нет ни одного пользователя, то создаём администратора #[[ -z ${NEEDEDUSERS} ]] && NEEDEDUSERS="${DEFAULTUSER}:${ADMUID}:${DEFAULTPASSWD}:Administrator" 
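Review bot: `SELECT_PASSWORD=$(return_hash_password hash ${HASHPASSWD} ${SELECT_PASSWORD})` expands the password unquoted, so a `%%` plaintext containing blanks, `*` or `?` is word-split and glob-expanded before it is hashed, and the value handed to `group_add` is then a hash of a different string than the one configured, with no error. Quote both arguments: `SELECT_PASSWORD=$(return_hash_password hash "${HASHPASSWD}" "${SELECT_PASSWORD}")`; the same call shape appears in the `exec_06_useradd` hunk of this commit. The new `" "` case is correctly kept out of hashing here, consistent with the other call sites.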
@@ -411,9 +414,10 @@ exec_05_neededusers(){ ## -N, --no-user-group # Не создавать группу с тем же именем что и у пользователя ## -o, --non-unique # Разрешить создание пользователей с повторяющимися (не уникальными) UID, использовать только совместно с параметром ## --badnames # Не проверять имя на несоответствие правилам использования символов -## # Хеш пароля пользователя, если 'x', то 'password=${DEFAULTPASSWD}' +## # Хеш пароля пользователя +## # Если пароль пустой или состоит из символа 'x', то 'password=${DEFAULTPASSWD}' ## # Если user_name=root, то пароль не применяется, а используется password=${DEFAULTROOTPASSWD} -## # Если пароль не задан, поле пустое, то вход без пароля +## # Если пароль состоит из символов ' ' (пробел), то вход без пароля ## # Если пароль состоит из символов '!*' или '!' или '*' или '!!', то аутентификация запрещена ## # Если первый символ '!' , то аутентификация по паролю заблокирована, ## # но другие методы входа, такие как аутентификация на основе ключей или переключение на пользователя, по-прежнему разрешены. @@ -446,8 +450,8 @@ exec_06_useradd(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local USERADD= - declare -A USERADD - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A USERADD=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi # Если в GRUB указан параметр useradd, то создать пользователя [[ -n ${ROOTFS} ]] && while IFS=':' read -u3 SELECT_USERNAME SELECT_UID SELECT_GROUP SELECT_EXTRAGROUP SELECT_PASSWORD NULL; do 
@@ -479,9 +483,9 @@ exec_06_useradd(){ [[ ${SELECT_OPTIONAL} =~ ("--shell "|"-s ")([^' ']*)(' '|$) ]] && SELECT_SHELL="${BASH_REMATCH[2]}" || SELECT_SHELL="+" [[ ${SELECT_OPTIONAL} =~ ("--no-create-home"|"-M") ]] && SELECT_MKHOME= || SELECT_MKHOME="yes" # ----------- - [[ ${SELECT_PASSWORD} == "x" && ${SELECT_USERNAME} != "root" ]] && SELECT_PASSWORD="${DEFAULTPASSWD}" + [[ ${SELECT_PASSWORD} == @(""|"x") && ${SELECT_USERNAME} != "root" ]] && SELECT_PASSWORD="${DEFAULTPASSWD}" [[ ${SELECT_USERNAME} == "root" ]] && SELECT_PASSWORD="${DEFAULTROOTPASSWD}" - [[ ${SELECT_PASSWORD} != @(""|'!*'|'!'|'!!'|'*') ]] && SELECT_PASSWORD="$(return_hash_password hash ${HASHPASSWD} ${SELECT_PASSWORD})" + [[ ${SELECT_PASSWORD} != @(""|" "|'!*'|'!'|'!!'|'*') ]] && SELECT_PASSWORD="$(return_hash_password hash ${HASHPASSWD} ${SELECT_PASSWORD})" # ----------- [[ ${SELECT_GECOS,,} == "x" ]] && SELECT_GECOS= # ----------- @@ -517,7 +521,7 @@ exec_06_useradd(){ elif [[ ${SELECT_OPTIONAL} =~ ("--system"|"-r") ]]; then # Если указан параметр создавать системную группу SELECT_GROUP="system" - else + else if [[ -n ${SELECT_GROUP} && -n ${GROUPADD[${SELECT_GROUP}]} ]]; then # Если группа указана и присутствует в списке групп GROUPADD[.] exec_04_groupadd "GROUPADD[${SELECT_GROUP}]=${GROUPADD[${SELECT_GROUP}]}" @@ -595,7 +599,7 @@ exec_06_useradd(){ eval "${LIST_USERADD_NOUID}" elif [[ ${COMMAND} == @("set-="|"set--="|"remove") ]] && [[ ${#USERADD[@]} -ne 0 ]]; then if [[ ${PARAM%%=*} =~ ^.*'['(.*)']' ]]; then - # Удалим пользователей + # Удалим пользователей local SELECT_USERNAME=${BASH_REMATCH[1]} delete_select_username(){ local SELECT_USERNAME=$1 
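Review bot: `[[ ${SELECT_PASSWORD} == @(""|"x") && ${SELECT_USERNAME} != "root" ]] && SELECT_PASSWORD="${DEFAULTPASSWD}"` now makes an empty password field fall back to `${DEFAULTPASSWD}`, but nothing handles `DEFAULTPASSWD` itself being empty — which this same commit makes possible by letting `exec_02_defaultpasswd` delete it — and an empty value then skips the hashing line via `@(""|" "|…)` and reaches `user_add` as an empty field. Whether that yields a locked or a passwordless account depends on `user_add`, which is outside the hunk; a guard such as `[[ -z ${SELECT_PASSWORD} && ${SELECT_USERNAME} != "root" ]] && SELECT_PASSWORD='!'` placed before the hash line makes the failure mode a locked account either way. The `root` case has the same gap when `DEFAULTROOTPASSWD` is empty.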
@@ -643,9 +647,9 @@ exec_07_usershadow(){ local PARAM="$@" local DATA_FILE_SHADOW=$(< ${FILE_SHADOW}) if [[ -n ${PARAM} ]]; then - local USERSHADOW - declare -A USERSHADOW - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + local USERSHADOW= + declare -A USERSHADOW=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ ${COMMAND} == @("set="|"set+="|"set++=") ]] && [[ ${#USERSHADOW[@]} -ne 0 ]]; then while IFS= read -ru3 SELECT_USERNAME; do @@ -695,10 +699,10 @@ exec_08_user_members(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local USERADD= - declare -A USERADD + declare -A USERADD=() local GROUPADD= - declare -A GROUPADD - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + declare -A GROUPADD=() + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi local SELECT_USERNAME= SELECT_UID= SELECT_GROUP= SELECT_EXTRAGROUP= SELECT_PASSWORD= NULL= # Если в GRUB указан параметр useradd, то создать пользователя @@ -775,7 +779,7 @@ exec_99_dm_hint_password(){ local PARAM="$@" if [[ -n ${PARAM} ]]; then local DM_HINT_PASSWORD= - [[ ${PARAM%%=*} =~ [!\$%\&()*+,/\;\<\=\>?\^\{|\}~] ]] || eval "${PARAM%%=*}=\${PARAM#*=}" + [[ ${PARAM} =~ ^[[:alnum:]_]+("="|"[".*"]=") ]] && eval "${PARAM%%=*}=\${PARAM#*=}" fi if [[ -n ${ROOTFS} ]]; then if grep -q "^$(grep ".*:x:${ADMUID}:" ${ROOTFS}/etc/passwd | cut -d: -f1):${NOSECUREROOTPASSWD}:" ${ROOTFS}/etc/shadow; then @@ -793,7 +797,7 @@ exec_99_dm_hint_password(){ ################ ##### MAIN ##### ################ - + # Если файл подключен как ресурс с функциями, то выйти return 0 2>/dev/null && return 0 #rm -f "${FILE_ROOT_USERS}" 
@@ -804,7 +808,7 @@ exec_99_dm_hint_password(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } shift done eval ${FUNCTION#*; } diff --git a/ublinux/scripts/grub-functions b/ublinux/scripts/grub-functions index 8458d76..62cf04b 100755 --- a/ublinux/scripts/grub-functions +++ b/ublinux/scripts/grub-functions @@ -27,7 +27,7 @@ exec_get_all_menuentry(){ FILE_GRUB_ADDON="${PATH_GRUB}/ublinux/grub_${LANG%_*}_addon.cfg" - if [[ -f ${FILE_GRUB_ADDON} ]]; then + if [[ -f ${FILE_GRUB_ADDON} ]]; then NAME_MENU_GRUB_ADDON=$(sed -En "/${FILE_GRUB_ADDON##*/}/{x;{s/menuentry \"(.*)\" .*/\1/p};d;}; x" ${FILE_GRUB_MAIN}) sed -En "/menuentry/{ /(ISO|Install|Установка)/!{ @@ -37,8 +37,9 @@ exec_get_all_menuentry(){ s/menuentry \"(.*${NAME_DISTRIB}.*${VER_DISTRIB}.*)\" .*/\1/p } }" ${FILE_GRUB_ADDON} + #" fi - + FILE_GRUB_BOOTHDD="${PATH_GRUB}/ublinux/grub_${LANG%_*}_boothdd.cfg" if [[ -f ${FILE_GRUB_BOOTHDD} ]]; then NAME_MENU_GRUB_BOOTHDD=$(sed -En "/${FILE_GRUB_BOOTHDD##*/}/{x;{s/menuentry \"(.*)\" .*/\1/p};d;}; x" ${FILE_GRUB_MAIN}) @@ -49,6 +50,7 @@ exec_get_all_menuentry(){ s/menuentry \"(.*)\" .*/\1/p } }" ${FILE_GRUB_BOOTHDD} + #" fi FILE_GRUB_LOCAL="${PATH_GRUB}/ublinux/grub_local.cfg" @@ -61,6 +63,7 @@ exec_get_all_menuentry(){ s/menuentry \"(.*)\" .*/\1/p } }" ${FILE_GRUB_LOCAL} + #" fi } @@ -84,8 +87,8 @@ exec_get_last_menuentry(){ else FUNCTION= while [[ $# -gt 0 ]]; do - [[ -z ${1} ]] || { declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1}'"; } - shift + [[ -z ${1} ]] || { declare -f "${1}" &>/dev/null && FUNCTION+="; ${1}" || FUNCTION+=" '${1//\'/}'"; } + shift done eval ${FUNCTION#*; } fi diff --git a/ublinux/templates/ublinux-data.ini b/ublinux/templates/ublinux-data.ini index c581aba..f8c0d37 100644 --- a/ublinux/templates/ublinux-data.ini 
+++ b/ublinux/templates/ublinux-data.ini @@ -196,15 +196,19 @@ VERSION= ## Чтобы получить хэш "openssl passwd -6 " | "mkpasswd2 -m sha256crypt " | "mkpasswd2 -m help" ## Пароль для пользователей без паролей или "x" в переменных USERADD или NEEDUSERS, по умолчанию: ublinux ## DEFAULTPASSWD= -## password # Хеш пароля или если первые символы (%%), то пароль хранится в нешифрованном виде -## # Если пароль состоит из символов '!*', то аутентификация запрещена +## # Хеш пароля +## # Если первые символы (%%), то пароль хранится в нешифрованном виде +## # Если пароль состоит из символов '!*', то аутентификация запрещена +## # Если пароль состоит из символов ' ' (пробел), то не использовать пароль ## # Если пароль =DEFAULTROOTPASSWD, то включен первый запуск для настройки системы, ## # отображается подсказка пароля на фоне рабочего стола Lightdm и "[config] firstboot=yes" #DEFAULTPASSWD='$6$E7stRhRS8fCKk7UU$Qoqw62AUaUa5uLIc2KC7WV3MUThhrR8kjXtCODmnKCzKe2zHu1/wmsiWBHZEIk/IQnk/aELQYbUK93OUtrwg60' ## Хеш пароля для пользователя root, по умолчанию: ublinux ## DEFAULTROOTPASSWD= -## password # Хеш пароля или если первые символы (%%), то пароль хранится в нешифрованном виде +## # Хеш пароля +## # Если первые символы (%%), то пароль хранится в нешифрованном виде +## # Если пароль состоит из символов ' ' (пробел), то не использовать пароль #DEFAULTROOTPASSWD='$6$E7stRhRS8fCKk7UU$Qoqw62AUaUa5uLIc2KC7WV3MUThhrR8kjXtCODmnKCzKe2zHu1/wmsiWBHZEIk/IQnk/aELQYbUK93OUtrwg60' ## Default user name is 'superadmin' 
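Review bot: The new template lines document `' '` for `DEFAULTROOTPASSWD` and `DEFAULTPASSWD` as "не использовать пароль" without saying what that means operationally — per the matching comment added in `10-accounts` it is login without a password, i.e. an unauthenticated root (or default user) account wherever password login is allowed. Add a one-line warning beside each, e.g. `## # WARNING: ' ' creates an account with no password at all; use only for isolated debug images`, so nobody reaches for it as a way to "disable" the root password. The commented example hashes are for the documented default `ublinux`, so the same block should remind the reader to replace them before building an image.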
@@ -241,9 +245,10 @@ VERSION= ## -N, --no-user-group # Не создавать группу с тем же именем что и у пользователя ## -o, --non-unique # Разрешить создание пользователей с повторяющимися (не уникальными) UID, использовать только совместно с параметром ## --badnames # Не проверять имя на несоответствие правилам использования символов -## # Хеш пароля пользователя, если 'x', то 'password=${DEFAULTPASSWD}' +## # Хеш пароля пользователя +## # Если пароль пустой или состоит из символа 'x', то 'password=${DEFAULTPASSWD}' ## # Если user_name=root, то пароль не применяется, а используется password=${DEFAULTROOTPASSWD} -## # Если пароль не задан, поле пустое, то вход без пароля +## # Если пароль состоит из символов ' ' (пробел), то вход без пароля ## # Если пароль состоит из символов '!*' или '!' или '*' или '!!', то аутентификация запрещена ## # Если первый символ '!' , то аутентификация по паролю заблокирована, ## # но другие методы входа, такие как аутентификация на основе ключей или переключение на пользователя, по-прежнему разрешены. 
@@ -288,16 +293,17 @@ VERSION= ## USERADD_SYNC[superadmin]=boot,shutdown ## Группы системы /etc/group. Создаст или изменит существующие группы -## GROUPADD[group_name]='group_users:gid:optional:administrators:password|x' -## group_name # Имя группы -## group_users # Пользователи группы, перечисление через запятую, если выбрано 'x' то пусто. Может быть пусто. -## gid # GID группы, если необходимо автоматически рассчитывать, то оставить пустым или 'x' +## GROUPADD[]='::::' +## # Имя группы +## # Пользователи группы, перечисление через запятую, если выбрано 'x' то пусто. Может быть пусто. +## # GID группы, если необходимо автоматически рассчитывать, то оставить пустым или 'x' ## # Если указано 's' или 'system', то свободный gid системной группы -## optional # Дополнительные параметры, например: '--system --non-unique', если выбрано 'x' то пусто +## # Дополнительные параметры, например: '--system --non-unique', если выбрано 'x' то пусто ## -o, --non-unique # Разрешить создание групп с повторяющимися (не уникальными) GID, использовать только совместно с параметром ## -r, --system # Cоздавать системную группу -## administrators # Администраторы группы которые могут менять пароль группы и добавлять членов. Список с разделителем запятая -## password|x # Хеш пароля группа, если выбрано 'x' или пусто, то группа без пароля +## # Администраторы группы которые могут менять пароль группы и добавлять членов. Список с разделителем запятая +## # Хеш пароля группа +## # Если состоит из символа 'x' или пусто, то группа без пароля ## # Если первые символы (%%), то пароль хранится в нешифрованном виде ## # Если первые символы (!*), то аутентификация запрещена ## # Если первый символ (*) или (!), то аутентификация по паролю заблокирована. Но другие методы входа, такие как аутентификация на основе ключей или переключение на пользователя, по-прежнему разрешены 
@@ -314,8 +320,8 @@ VERSION= ## shutdown@ # При завершении работы системы синхронизировать GID группы в системе с глобальной конфигурацией ## GROUPADD_SYNC=shutdown ## -## GROUPADD_SYNC[group_name]='shutdown' -## group_name # Имя группы, необязательное поле. Если не указано, то применяется для всех групп +## GROUPADD_SYNC[]='shutdown' +## # Имя группы, необязательное поле. Если не указано, то применяется для всех групп ## shutdown # При завершении работы системы синхронизировать указанную группу в системе с глобальной конфигурацией ## GROUPADD_SYNC[users]='shutdown' @@ -591,7 +597,9 @@ VERSION= ## Настройка аудита и логгирования ################################################################################ ## Настройка мониторинга и сбора системных событий и записи их в журналы для аудита -## AUDITD=disable|no|none|off # Отключить все созданные правила из конфигурации +## AUDITD=enable|yes|on|disable|no|none|off +## enable|yes|on # Включить управление сервисом auditd.service +## disable|no|none|off # Отключить все созданные правила из конфигурации и не запускать сервис auditd.service ## AUDITD[[:]]=[#] ## # Уникальное имя правила ## # Статус правила, модет принимать значения: отсутствовать,enable,disable @@ -599,7 +607,7 @@ VERSION= ## enable # Правило включено ## disable # Правило выключено ## # Правило, без использование символа # -## # Описание правила, начинается с символа # +## # Описание правила, начинается с символа '#' #AUDITD[comment_1]="#Global settings" #AUDITD[conf-d:enable]="-D #Remove any existing rules" #AUDITD[conf-b:enable]="-b 8192 #Buffer Size. Feel free to increase this if the machine panic's" @@ -613,7 +621,6 @@ VERSION= #AUDITD[event_chmod]="-a always,exit -F arch=x86_64 -S chmod,fchmod,fchmodat -F key=event_chmod" #AUDITD[passwd_changes]="-w /etc/passwd -p wa -k passwd_changes" - ## Настройка журналов ## https://www.freedesktop.org/software/systemd/man/latest/journald.conf.html ## JOURNALD[]=