diff --git a/ublinux/rc.halt.pre/76-save-rootcopy b/ublinux/rc.halt.pre/76-save-rootcopy
new file mode 100755
index 0000000..5b0525f
--- /dev/null
+++ b/ublinux/rc.halt.pre/76-save-rootcopy
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/save; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+PATH_CHANGES="/memory/changes"
+NAME_ROOTCOPY="rootcopy"
+
+exec_save_rootcopy(){
+## При перезагрузке/выключении, сохранить/перезаписать указанные каталоги/файлы , кроме в /ublinux-data/rootcopy/
+ if [[ -n ${SAVE_ROOTCOPY_INCLUDE} || -n ${SAVE_ROOTCOPY_CHANGES} ]]; then
+ PATH_ROOTCOPY=$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type d -name "${NAME_ROOTCOPY}" | head -1)
+ [[ -n ${PATH_ROOTCOPY} ]] || PATH_ROOTCOPY="$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type f -name "ublinux-data*.sgn" | head -1)"
+ [[ -n ${PATH_ROOTCOPY} ]] && PATH_ROOTCOPY="${PATH_ROOTCOPY%/*}/${NAME_ROOTCOPY}" || exit 0
+
+ [[ -e ${PATH_ROOTCOPY} ]] || install -dm0755 -o root -g root "${PATH_ROOTCOPY}"
+ if [[ -w ${PATH_ROOTCOPY} ]]; then
+ if [[ -n ${SAVE_ROOTCOPY_EXCLUDE} ]]; then
+ while read -r SELECT_EXCLUDE; do
+ ROOTCOPY_EXCLUDE+=",'${SELECT_EXCLUDE}'"
+ done <<< ${SAVE_ROOTCOPY_EXCLUDE//,/$'\n'}
+ fi
+ cd ${ROOTFS}/${PATH_CHANGES}
+ [[ -n ${SAVE_ROOTCOPY_CHANGES} ]] && while read -r SELECT_CHANGES; do
+ [[ -e ${SELECT_CHANGES#/*} ]] \
+ && eval rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${SELECT_CHANGES#/*} ${PATH_ROOTCOPY}
+ # --dry-run --verbose --quiet
+ done <<< ${SAVE_ROOTCOPY_CHANGES//,/$'\n'}
+ [[ -n ${SAVE_ROOTCOPY_INCLUDE} ]] && while read -r SELECT_INCLUDE; do
+ [[ -e ${ROOTFS}/${SELECT_INCLUDE} ]] \
+ && eval rsync 
--quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${ROOTFS}/${SELECT_INCLUDE} ${PATH_ROOTCOPY} + # --dry-run --verbose --quiet + done <<< ${SAVE_ROOTCOPY_INCLUDE//,/$'\n'} + fi + + fi +} + +################ +##### MAIN ##### +################ + + [[ ${SYSTEMBOOT_STATEMODE} == "changes" ]] && exit 0 + exec_save_rootcopy $@ diff --git a/ublinux/rc.post.d/23-publicdir b/ublinux/rc.post.d/23-publicdir index 08cc7ce..b28816d 100755 --- a/ublinux/rc.post.d/23-publicdir +++ b/ublinux/rc.post.d/23-publicdir @@ -1,14 +1,8 @@ #!/bin/bash -# -# Initial script for Live operating system -# This script are launching before starting init from linux-live script. -# Current dir allways must be set to root (/) -# All system path must be relative, except initrd dirs ENABLED=yes [ "$ENABLED" != "yes" ] && exit 0 -#PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin DEBUGMODE=no . /usr/lib/ublinux/functions diff --git a/ublinux/rc.post.d/42-access-suid-sgid b/ublinux/rc.post.d/42-access-suid-sgid new file mode 100755 index 0000000..e66317c --- /dev/null +++ b/ublinux/rc.post.d/42-access-suid-sgid 
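Review bot: The two `eval rsync … --exclude={''${ROOTCOPY_EXCLUDE}} … ${PATH_ROOTCOPY}` lines in `exec_save_rootcopy` re-parse values taken from the `save` config (SAVE_ROOTCOPY_EXCLUDE/CHANGES/INCLUDE) as shell text, so an entry containing whitespace, quotes or `$` is split or interpreted instead of being handed to rsync, and when no excludes are configured the brace expression stays literal (`--exclude={}`). Collecting the excludes in an array removes the eval and the quoting problem at once. The preceding `cd ${ROOTFS}/${PATH_CHANGES}` is unchecked; if it fails, the `--delete --delete-excluded` run could operate relative to whatever the current directory happens to be, so it should be `cd "${ROOTFS}/${PATH_CHANGES}" || return 1`. The rewrite below covers the SAVE_ROOTCOPY_CHANGES loop; the SAVE_ROOTCOPY_INCLUDE loop needs the same substitution.
```shell
  local -a RSYNC_EXCLUDE=()
  if [[ -n ${SAVE_ROOTCOPY_EXCLUDE} ]]; then
    while read -r SELECT_EXCLUDE; do
      RSYNC_EXCLUDE+=(--exclude="${SELECT_EXCLUDE}")
    done <<< "${SAVE_ROOTCOPY_EXCLUDE//,/$'\n'}"
  fi
  cd "${ROOTFS}/${PATH_CHANGES}" || return 1
  [[ -n ${SAVE_ROOTCOPY_CHANGES} ]] && while read -r SELECT_CHANGES; do
    [[ -e ${SELECT_CHANGES#/*} ]] \
      && rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded "${RSYNC_EXCLUDE[@]}" -- "${SELECT_CHANGES#/*}" "${PATH_ROOTCOPY}"
  done <<< "${SAVE_ROOTCOPY_CHANGES//,/$'\n'}"
  # … unchanged: SAVE_ROOTCOPY_INCLUDE loop (apply the same array form) …
```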
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+SELF_NAME="42-access-suid-sgid"
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_suid(){
+## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
+ if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
+ for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
+ EXCLUDE_SUID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
+ [[ ${PATH_WORK_SUID} == 0 ]] && PATH_WORK_SUID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+ find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod --quiet u-s {} +
+# find ${PATH_WORK_SUID} -type f -perm /u=s $(printf " -name %s " ${EXCLUDE_SUID})
+ done
+ fi
+}
+exec_access_allowed_sgid(){
+## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
+ if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
+ for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
+ EXCLUDE_SGID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
+ [[ ${PATH_WORK_SGID} == 0 ]] && PATH_WORK_SGID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+ find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! 
-name %s " ${EXCLUDE_SGID}) -exec chmod --quiet g-s {} +
+ done
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+# Возможность подключить как source из любого скрипта и вызов встроенных функций
+
+ if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
+ while read -r FUNCTION; do
+ $"${FUNCTION##* }"
+ done < <(declare -F | grep "declare -f exec_")
+ elif [[ ${0##*/} == ${SELF_NAME} ]]; then
+# for FUNCTION in $@; do
+# declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+# done
+ while [[ $# -gt 0 ]]; do
+ declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+ done
+ eval ${FUNCTION#*; }
+ else
+ true
+ fi
diff --git a/ublinux/rc.post.d/43-access-interpreter b/ublinux/rc.post.d/43-access-interpreter
new file mode 100755
index 0000000..5860c8f
--- /dev/null
+++ b/ublinux/rc.post.d/43-access-interpreter
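Review bot: The allowlist in `exec_access_allowed_suid` is applied as `! -name` per word of the ACCESS_ALLOWED_SUID value, so an entry is matched on basename only and is interpreted as a find glob: any file carrying an allowed name keeps its SUID bit wherever it sits in the searched trees (including `${ROOTFS}/home`), and a configured `*` would allowlist everything. If the entries are (or can be made) full paths, `! -path "${ROOTFS}${ENTRY}"` keeps the allowlist anchored to the binaries it names; otherwise the basename semantics deserve a comment above the `find` so the config author knows what is being compared. `exec_access_allowed_sgid` has the same construction. The `tr [[:space:]],\; $'\n'` argument is unquoted and is a glob to the shell — `tr '[[:space:]],;' '\n'`. In MAIN, `eval ${FUNCTION#*; }` executes the script's positional arguments as shell; presumably intended for the internal dispatch, but a comment such as `# arguments are function names joined into a command line and eval'd — internal use only` would make that contract explicit.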
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_interpreter(){
+## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
+ if [[ -n ${ACCESS_DENIED_INTERPRETER[@]} ]]; then
+ for PATH_WORK_INTERPRETER in "${!ACCESS_DENIED_INTERPRETER[@]}"; do
+ DENIED_INTERPRETER=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_DENIED_INTERPRETER[${PATH_WORK_INTERPRETER}]})
+ [[ ${DENIED_INTERPRETER,,} == "all" ]] && DENIED_INTERPRETER="gbr3,python,python2,python3,perl,perl6,php,ruby,node,awk,gawk"
+ [[ ${PATH_WORK_INTERPRETER} == 0 ]] && PATH_WORK_INTERPRETER="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+ LIST_INTERPRETER=$(printf " -name %s -o" ${DENIED_INTERPRETER})
+ find ${PATH_WORK_INTERPRETER} -type f -perm /g=x \( ${LIST_INTERPRETER%-o*} \) -exec chmod --quiet o-x {} +
+ done
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ exec_access_denied_interpreter $@
\ No newline at end of file
diff --git a/ublinux/rc.post.d/44-mountattr b/ublinux/rc.post.d/44-mountattr
new file mode 100755
index 0000000..ed59bca
--- /dev/null
+++ b/ublinux/rc.post.d/44-mountattr
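Review bot: The `all` shortcut in `exec_access_denied_interpreter` is a no-op: DENIED_INTERPRETER has already been turned into newline-separated words by `tr` when it is replaced with a comma-separated literal, and the following unquoted `printf " -name %s -o" ${DENIED_INTERPRETER}` splits on whitespace only, so find receives a single `-name gbr3,python,…,gawk` predicate that matches nothing. Either keep the literal whitespace-separated, `DENIED_INTERPRETER="gbr3 python python2 python3 perl perl6 php ruby node awk gawk"`, or run it through the same `tr` as the configured value. Two weaker points, hedged because they depend on the target layout: `-type f` never matches a symlink, so where `/usr/bin/python3` is a link to a versioned binary neither the link nor its target (not in the list) is changed; and `chmod o-x` leaves group-execute in place although the file was selected with `-perm /g=x`. A header comment stating that this only strips other-execute from the listed basenames would set expectations for whoever enables it.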
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_mount_attr(){
+## Отключить пользовательские nosuid nodev noexec на смонтированные цели
+ if [[ -n ${MOUNT_ATTR[@]} ]]; then
+ for ALL_PATH_WORK_ATTR in "${!MOUNT_ATTR[@]}"; do
+ tr [[:space:]],\; $'\n' <<< ${ALL_PATH_WORK_ATTR} | while read PATH_WORK_ATTR; do
+ WORK_ATTR=$(tr \; , <<< ${MOUNT_ATTR[${ALL_PATH_WORK_ATTR}]})
+ mount -o remount,${WORK_ATTR} ${PATH_WORK_ATTR}
+ done
+ done
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ exec_mount_attr $@
\ No newline at end of file
diff --git a/ublinux/rc.post.d/45-disk-quota b/ublinux/rc.post.d/45-disk-quota
new file mode 100755
index 0000000..682f67e
--- /dev/null
+++ b/ublinux/rc.post.d/45-disk-quota
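Review bot: `mount -o remount,${WORK_ATTR} ${PATH_WORK_ATTR}` in `exec_mount_attr` ignores its exit status and passes both operands unquoted, so a failed remount (mistyped key, target not mounted) goes unreported while the rest of the policy is applied; since this function changes mount hardening flags, a failure should at least be logged: `mount -o "remount,${WORK_ATTR}" -- "${PATH_WORK_ATTR}" || echo "ERROR: remount of '${PATH_WORK_ATTR}' with '${WORK_ATTR}' failed" >&2`. The inner `while read PATH_WORK_ATTR` lacks `-r`, unlike the other read loops in this change. The header comment says the function disables nosuid/nodev/noexec, but the code applies whatever option string the MOUNT_ATTR value holds; `## Remount each path listed in the MOUNT_ATTR key with the mount options given as its value` describes what it does.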
@@ -0,0 +1,242 @@ +#!/bin/bash + +ENABLED=yes +[ "$ENABLED" != "yes" ] && exit 0 +DEBUGMODE=no + +unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=. +SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 +SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 +debug_mode "$0" "$@" + +SYSCONF="${ROOTFS}/${SYSCONF}" +SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null +SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null + +#declare -A DISK_QUOTA +#DISK_QUOTA[usrquota:/dev/sdc1]=enable +#DISK_QUOTA[usrquota:/dev/sdc1]=disable +#DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:7M:8M:0:0:86400:86400 +#DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0 +#DISK_QUOTA[usrquota:/mnt/MyExt4]=user-1,user-2:5M:6M:0:0 +#DISK_QUOTA[usrquota:/dev/sdc1]=:0:0:0:0:604800:604800 +#DISK_QUOTA[grpquota:/dev/sdc1]=enable +#DISK_QUOTA[grpquota:/dev/sdc1]=users:5M:6M:0:0:604800:604800 +#DISK_QUOTA[grpquota:/mnt/MyExt4]=users:5M:6M:0:0:604800:604800 +#DISK_QUOTA[prjquota:/tmp/5/dir23]=3,MyPN-3:3M:4M:10:20:3600:3600 +#DISK_QUOTA[prjquota:/mnt/MyExt4/test1]=1,PN-1:2M:3M:0:0:3600:3600 +#DISK_QUOTA[prjquota:/mnt/MyExt4/test2]=2,PN-2:3M:4M:10:12:3600:3600 +#DISK_QUOTA[quota]=disable +#DISK_QUOTA[quota]=enable + +## Назначение квот на дисковые ресурсы +## Может принимать входящий параметр: +## exec_disk_quota DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0 DISK_QUOTA[usrquota:/dev/sdc2]=enable +exec_disk_quota(){ +## Использовать дисковые квоты на файловые системы + enable_quota(){ + # Включить поддержку квоты + ## Варианты опций mount для квотирования: + ## noquota # Отключить простые квоты на пользователя и группу + ## quota # Включить простые квоты на пользователя и группу + ## usrquota # Включить простые квоты на пользователя + ## grpquota # Включить простые квоты на группу + ## prjquota # Включить квоты на проект + ## usrjquota=aquota.user # Включить 
журналируемые квоты на пользователя + ## grpjquota=aquota.group # Включить журналируемые квоты на группу + ## jqfmt=vfsold # Использовать БД для простых квот V1 + ## jqfmt=vfsv0 # Выключить журналирование. Использовать БД для журналируемых квот V2 + ## jqfmt=vfsv1 # Включить журналирование. Использовать БД для журналируемых квот V2 + cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && return 0 + MOUNT_DISK_ATTR[${PATH_DEVICE}]=${MOUNT_DISK_ATTR[${PATH_DEVICE}]#,*} + if cat /proc/mounts | grep -q "${PATH_DEVICE}"; then + if [[ ${ISFS_EXT234_FEATURES} == no && ! ${PATH_DEVICE} =~ ^/dev/loop* ]] && umount --quiet ${PATH_DEVICE} 2>/dev/null; then + ${ROOTFS}/usr/bin/tune2fs -Q ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} && ISFS_EXT234_FEATURES=yes + mount --all + mount -o ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} ${MOUNT_POINT} + rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group} + elif [[ ${ISFS_EXT234_FEATURES} == yes ]]; then + mount -o remount,${ATTR_QUOTA} ${PATH_DEVICE} + [[ ${ATTR_QUOTA} == usrquota ]] && rm -f ${MOUNT_POINT}/{aquota.user,quota.user} + [[ ${ATTR_QUOTA} == grpquota ]] && rm -f ${MOUNT_POINT}/{aquota.group,quota.group} + elif [[ ${ISFS_EXT234_FEATURES} == no && ${ATTR_QUOTA} != prjquota ]]; then + mount -o remount,${ATTR_QUOTA} ${PATH_DEVICE} + #${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null + [[ ${ATTR_QUOTA} == @(usrquota|quota) && ! -f ${MOUNT_POINT}/aquota.user ]] && quotacheck -${ARG_CMD}cm ${PATH_DEVICE} + [[ ${ATTR_QUOTA} == grpquota && ! -f ${MOUNT_POINT}/aquota.group ]] && quotacheck -${ARG_CMD}cm ${PATH_DEVICE} + ${ROOTFS}/usr/bin/quotacheck -${ARG_CMD} ${PATH_DEVICE} + fi + else + [[ -n ${ISFS_EXT234} && ${ISFS_EXT234_FEATURES} == no ]] && ${ROOTFS}/usr/bin/tune2fs -Q ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} #2>/dev/null + echo "ERROR: Device '${PATH_DEVICE}' not mounted." 
+ fi + [[ -z ${ROOTFS} ]] && ubconfig --target system set config SERVICESSTART+=,systemd-quotacheck \ + || chroot . ubconfig --target system set config SERVICESSTART+=,systemd-quotacheck + } + disable_quota(){ + # Отключить поддержку квот + cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" || return 0 + ${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null + if [[ ${ATTR_QUOTA} == quota ]]; then + [[ -z ${ROOTFS} ]] && ubconfig --target system set config SERVICESSTART-=,systemd-quotacheck \ + || chroot . ubconfig --target system set config SERVICESSTART-=,systemd-quotacheck + cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && mount -o remount,noquota ${PATH_DEVICE} + fi + } + set_quota(){ + # Установить квоту + QUOTA_LIMITS=$(cut -d: -f1,2,3,4 <<< ${ALL_VALUE_QUOTA} | tr : ' ') + QUOTA_GRACE=$(cut -d: -f5,6 <<< ${ALL_VALUE_QUOTA} | tr : ' ') + #${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} #2>/dev/null + [[ -n ${QUOTA_GRACE} ]] && setquota -${ARG_CMD}t ${QUOTA_GRACE} ${MOUNT_POINT} + if [[ ${ATTR_QUOTA} == @(usrquota|grpquota) && -n ${UGP_QUOTA} ]]; then + tr , '\n' <<< ${UGP_QUOTA} | while read SELECT_UG_QUOTA; do + ${ROOTFS}/usr/bin/setquota -${ARG_CMD} ${SELECT_UG_QUOTA} ${QUOTA_LIMITS} ${PATH_DEVICE} + done + elif [[ ${ATTR_QUOTA} == prjquota && -n ${UGP_QUOTA} ]]; then + ID_PROJECT=${UGP_QUOTA%%,*} + NAME_PROJECT=${UGP_QUOTA#*,} + [[ ${ID_PROJECT,,} == auto ]] && ID_PROJECT=${RANDOM} + sed "\|^${ID_PROJECT}:.*|d; \|.*:${PATH_PRJ}$|d" -i /etc/projects + echo "${ID_PROJECT}:${PATH_PRJ}" >> /etc/projects + sed "/.*:${ID_PROJECT}$/d" -i /etc/projid + if [[ -n ${NAME_PROJECT} ]]; then + sed "/^${NAME_PROJECT}:.*/d" -i /etc/projid + echo "${NAME_PROJECT}:${ID_PROJECT}" >> /etc/projid + fi + if [[ -n ${ISFS_EXT234} || -n ${ISFS_XFS} || -n ${ISFS_BTRFS} ]]; then + ${ROOTFS}/usr/bin/chattr -p ${ID_PROJECT} ${PATH_PRJ} + ${ROOTFS}/usr/bin/chattr +P ${PATH_PRJ} + fi + ${ROOTFS}/usr/bin/setquota -${ARG_CMD} ${ID_PROJECT} 
${QUOTA_LIMITS} ${PATH_DEVICE} + fi + } + clean_quota(){ + # Очистить данные квот + #disable_quota + if cat /proc/mounts | grep -q ${PATH_DEVICE}; then + ${ROOTFS}/usr/bin/quotaoff -ugP ${PATH_DEVICE} 2>/dev/null + cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && mount -o remount,noquota ${PATH_DEVICE} + rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group} + if [[ ${ISFS_EXT234_FEATURES} == yes ]] && umount --quiet ${PATH_DEVICE} 2>/dev/null; then + ${ROOTFS}/usr/bin/tune2fs -Q ^usrquota,^grpquota,^prjquota ${PATH_DEVICE} 2>/dev/null + #${ROOTFS}/usr/bin/tune2fs -Q quota,project ${PATH_DEVICE} 2>/dev/null + mount --all + mount ${PATH_DEVICE} ${MOUNT_POINT} + fi + else + if [[ ${ISFS_EXT234_FEATURES} == yes ]]; then + ${ROOTFS}/usr/bin/tune2fs -Q ^quota,^project ${PATH_DEVICE} 2>/dev/null + #${ROOTFS}/usr/bin/tune2fs -Q quota,project ${PATH_DEVICE} 2>/dev/null + fi + fi + } + debug(){ + echo "--------------------------" + echo "ATTR_QUOTA=${ATTR_QUOTA}" + echo "UGP_QUOTA=${UGP_QUOTA}" + echo "ALL_VALUE_QUOTA=${ALL_VALUE_QUOTA}" + echo "IDENT_DEVICE=${IDENT_DEVICE}" + echo "PATH_DEVICE_LSBLK=${PATH_DEVICE_LSBLK}" + echo "PATH_DEVICE=${PATH_DEVICE}" + echo "MOUNT_POINT=${MOUNT_POINT}" + echo "PATH_PRJ=${PATH_PRJ}" + echo "ISFS_EXT234=${ISFS_EXT234}" + echo "ISFS_EXT234_FEATURES=${ISFS_EXT234_FEATURES}" + } + # Если заданы входящие параметр имя переменной со значением, то применяются параметры как основной DISK_QUOTA + [[ -n $@ ]] && declare -A DISK_QUOTA && eval $@ + if [[ -n ${DISK_QUOTA[@]} ]]; then + local -A MOUNT_DISK_ATTR + KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253) + for SELECT_DISK_QUOTA in "${!DISK_QUOTA[@]}"; do + ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*} + IDENT_DEVICE=${SELECT_DISK_QUOTA#*:} + [[ ${IDENT_DEVICE} == quota ]] && continue + if [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then + 
PATH_DEVICE_LSBLK=$(grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f1) + [[ -n ${PATH_DEVICE_LSBLK} ]] && PATH_DEVICE=${PATH_DEVICE_LSBLK} || PATH_DEVICE=${IDENT_DEVICE} + elif [[ ${ATTR_QUOTA} == prjquota && -n ${IDENT_DEVICE} ]]; then + PATH_PRJ=${SELECT_DISK_QUOTA#*:} + [[ -d ${PATH_PRJ} ]] || continue + PATH_DEVICE=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE --target ${PATH_PRJ}) + [[ -n ${PATH_DEVICE} ]] || PATH_DEVICE=${IDENT_DEVICE} + fi + MOUNT_DISK_ATTR[${PATH_DEVICE}]+=",${ATTR_QUOTA}" + done + for SELECT_DISK_QUOTA in "${!DISK_QUOTA[@]}"; do + local ISFS_EXT234 MOUNT_POINT PATH_PRJ + local ISFS_EXT234_FEATURES # Данные квот храняться в служебных данных файловой системы + ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*} + case ${ATTR_QUOTA} in + quota) ARG_CMD="ugP"; ARG_TUNE2FS=" quota inode:" ;; + usrquota) ARG_CMD="u"; ARG_TUNE2FS="User quota inode:" ;; + grpquota) ARG_CMD="g"; ARG_TUNE2FS="Group quota inode:" ;; + prjquota) ARG_CMD="P"; ARG_TUNE2FS="Project quota inode:" ;; + *) exit 1 ;; + esac + UGP_QUOTA=${DISK_QUOTA[${SELECT_DISK_QUOTA}]%%:*} + ALL_VALUE_QUOTA="${DISK_QUOTA[${SELECT_DISK_QUOTA}]#*:}" + IDENT_DEVICE=${SELECT_DISK_QUOTA#*:} + [[ ${IDENT_DEVICE} == quota ]] && unset IDENT_DEVICE + if [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then + KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253) + PATH_DEVICE_LSBLK=$(grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f1) + [[ -n ${PATH_DEVICE_LSBLK} ]] && PATH_DEVICE=${PATH_DEVICE_LSBLK} || PATH_DEVICE=${IDENT_DEVICE} + MOUNT_POINT=$(grep "${PATH_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f7) + elif [[ ${ATTR_QUOTA} == prjquota && -n ${IDENT_DEVICE} ]]; then + PATH_PRJ=${SELECT_DISK_QUOTA#*:} + [[ -d ${PATH_PRJ} ]] || { echo "ERROR: The specified project directory '${PATH_PRJ}' does not exist." 
&& continue; } + KNOW_LSBLK=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE,FSTYPE,TARGET --target ${PATH_PRJ} | xargs) + PATH_DEVICE=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE --target ${PATH_PRJ}) + [[ -n ${PATH_DEVICE} ]] || PATH_DEVICE=${IDENT_DEVICE} + MOUNT_POINT=$("${ROOTFS}"/usr/bin/findmnt -n -o TARGET --target ${PATH_PRJ}) + fi + [[ -n ${KNOW_LSBLK} ]] && ISFS_EXT234=$(grep -oE "${PATH_DEVICE} (ext2|ext3|ext4)" <<< ${KNOW_LSBLK}) #" + [[ -n ${KNOW_LSBLK} && -z ${ISFS_EXT234} ]] && ISFS_XFS=$(grep -oE "${PATH_DEVICE} xfs" <<< ${KNOW_LSBLK}) + # Проверить ФС на поддержку SW|HW режимов квот + [[ -n ${ISFS_EXT234} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_EXT234_FEATURES=yes || ISFS_EXT234_FEATURES=no; } + # TODO: Уточнить получение атрибутов у ФС XFS + [[ -n ${ISFS_XFS} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_XFS_FEATURES=yes || ISFS_XFS_FEATURES=no; } +#debug + if [[ ${UGP_QUOTA,,} == enable ]]; then + if [[ -n ${PATH_DEVICE} ]]; then + enable_quota + ${ROOTFS}/usr/bin/quotaon -${ARG_CMD}vp ${PATH_DEVICE} | grep -qi 'is on (enforced)' || ${ROOTFS}/usr/bin/quotaon -${ARG_CMD} ${PATH_DEVICE} + else + ${ROOTFS}/usr/bin/quotaoff -augP 2>/dev/null + ${ROOTFS}/usr/bin/quotacheck -aug 2>/dev/null + ${ROOTFS}/usr/bin/quotaon -augP 2>/dev/null + #${ROOTFS}/usr/bin/ubconfig set config SERVICESSTART+=,quotaon.service + fi + + elif [[ ${UGP_QUOTA,,} == disable ]]; then + if [[ -n ${PATH_DEVICE} ]]; then + disable_quota + else + disable_quota + ${ROOTFS}/usr/bin/quotaoff -augP 2>/dev/null + #${ROOTFS}/usr/bin/ubconfig set config SERVICESSTART-=,quotaon.service + fi + elif [[ ${UGP_QUOTA,,} == clean ]]; then + [[ -n ${PATH_DEVICE} ]] && clean_quota + elif [[ ${ALL_VALUE_QUOTA} =~ .*:.*:.*:.* ]]; then + if [[ -n ${PATH_DEVICE} ]]; then + enable_quota + [[ ${ATTR_QUOTA} == prjquota && ${ISFS_EXT234_FEATURES} == no ]] && { echo "ERROR: Project '${UGP_QUOTA}' quota feature not enabled. 
Cannot enable project quota enforcement." && continue; }
+ [[ ${ATTR_QUOTA} == prjquota && ${ISFS_XFS_FEATURES} == no ]] && { echo "ERROR: Project '${UGP_QUOTA}' quota feature not enabled. Cannot enable project quota enforcement." && continue; }
+ if [[ -n ${MOUNT_POINT} ]]; then
+ set_quota
+ ${ROOTFS}/usr/bin/quotaon -${ARG_CMD}vp ${PATH_DEVICE} | grep -qi 'is on (enforced)' || ${ROOTFS}/usr/bin/quotaon -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null || echo "ERROR: Quota '${ATTR_QUOTA}' not enabled on device '${PATH_DEVICE}'"
+ fi
+ fi
+ fi
+ done
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ exec_disk_quota $@
diff --git a/ublinux/rc.post.d/46-cgroup-quota b/ublinux/rc.post.d/46-cgroup-quota
new file mode 100755
index 0000000..f2cd7ba
--- /dev/null
+++ b/ublinux/rc.post.d/46-cgroup-quota
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_cgroup_quota(){
+## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
+ #systemctl set-property --runtime user-1001.slice MemoryHigh=200M MemorySwapMax=300M CPUQuota=100%
+ true
+}
+
+################
+##### MAIN #####
+################
+
+ exec_cgroup_quota $@
diff --git a/ublinux/rc.preinit.d/56-openssl-gost b/ublinux/rc.preinit.d/56-openssl-gost
new file mode 100755
index 0000000..d6fb74d
--- /dev/null
+++ b/ublinux/rc.preinit.d/56-openssl-gost
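Review bot: The mount-state checks in `enable_quota`, `disable_quota` and `clean_quota` use `cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}"`, an unanchored substring match: `/dev/sdc1` also matches `/dev/sdc10`, and ATTR_QUOTA=`quota` matches a line whose options contain `usrquota` or `grpquota`, so `enable_quota` can return early believing the requested mode is already active and `disable_quota` can act on the wrong device. Comparing the device field and the option list exactly fixes this, e.g. `awk -v dev="${PATH_DEVICE}" -v opt="${ATTR_QUOTA}" '$1 == dev && ("," $4 ",") ~ ("," opt ",") {f=1} END {exit !f}' /proc/mounts`; the `grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK}` lookups have the same prefix problem. In `set_quota`, `ID_PROJECT=${RANDOM}` for `auto` is not checked against /etc/projects before `sed "\|^${ID_PROJECT}:.*|d"` removes any existing entry with that id, so a collision silently reassigns another project's quota, and those edits target `/etc/projects` and `/etc/projid` rather than `${ROOTFS}/etc/…` like the rest of the function. `[[ -n $@ ]] && declare -A DISK_QUOTA && eval $@` evaluates the script's arguments as shell; a comment that this entry point is for the documented `exec_disk_quota DISK_QUOTA[...]=...` form from trusted callers only would make that explicit.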
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_openssl_gost(){
+## Настройка OpenSSL ГОСТ
+ FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
+ FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
+ TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
+ TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
+
+ if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
+ # Enable GOST
+ grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
+ grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
+ elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
+ ## Disable GOST
+ sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
+ sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ exec_openssl_gost $@
+ 
\ No newline at end of file
diff --git a/ublinux/rc.preinit.d/56-security b/ublinux/rc.preinit.d/56-security
deleted file mode 100755
index 9c91d7b..0000000
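Review bot: `FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"` and the gost.cnf path beneath it carry a doubled `/etc//etc/` prefix, which reads as a typo for `${ROOTFS}/etc/ssl/openssl.cnf`; if the layout is intentional a comment should say so, because as written the enable branch creates or appends to a file under `/etc/etc/ssl/` and the real OpenSSL configuration is never touched. The `grep -q "${TXT_ENABLE_GOST_CONF}"` guard also matches a commented-out `#openssl_conf = openssl_gost`, in which case GOST is silently not enabled; `grep -q "^${TXT_ENABLE_GOST_CONF}"` anchors it. The disable branch builds a sed address range from the first and last non-blank lines of gost.cnf, so a `/` or other regex metacharacter in either line breaks the expression. `PATH=.:/:/usr/bin:…` places the current directory first in the search path; the header says cwd is always `/`, and stating that dependency next to the assignment (it is the assumption that makes the leading `.` safe) would help the next maintainer.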
--- a/ublinux/rc.preinit.d/56-security
+++ /dev/null
@@ -1,170 +0,0 @@ -#!/bin/bash -# -# Initial script for Live operating system -# This script are launching before starting init from linux-live script. -# Current dir allways must be set to root (/) -# All system path must be relative, except initrd dirs - -ENABLED=yes -[ "$ENABLED" != "yes" ] && exit 0 -DEBUGMODE=no - -SELF_NAME="56-security" -PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin - -unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=. -SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 -SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 -debug_mode "$0" "$@" - -SYSCONF="${ROOTFS}/${SYSCONF}" -SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null -SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null - -exec_openssl_gost(){ -## Настройка OpenSSL ГОСТ - FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf" - FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf" - TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")" - TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost" - - if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then - # Enable GOST - grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}" - grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}" - elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then - ## Disable GOST - sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}" - sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}" - fi -} -exec_access_denied_vtx11(){ - FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf" - FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf" - 
FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf" - if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then - mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*} - cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}" - Section "ServerFlags" - Option "DontVTSwitch" "true" - EndSection -EOF - if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then - mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*} - cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}" - [Login] - NAutoVTs=0 - ReserveVT=0 -EOF - fi - if [[ -d ${ROOTFS}/etc/lightdm ]]; then - mkdir -p ${FILE_LIGHTDM_CONF%/*} - cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}" - [LightDM] - logind-check-graphical=true -EOF - fi - elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then - rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}" - fi -} -exec_access_allowed_login(){ -## Управление доступом в систему, правила разрешения - FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf" - rm -f "${FILE_ACCESS_CONF}" - if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then - [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*} - tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do - echo "+:${RULE}" >> "${FILE_ACCESS_CONF}" - done - fi -} -exec_access_denied_login(){ -## Управление доступом в систему, правила блокировки - FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf" - rm -f "${FILE_ACCESS_CONF}" - if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then - [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*} - tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do - echo "-:${RULE}" >> "${FILE_ACCESS_CONF}" - done - fi -} -exec_access_allowed_suid(){ -## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID - if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then - for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do 
- EXCLUDE_SUID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]}) - find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod u-s {} + - done - fi -} -exec_access_allowed_sgid(){ -## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID - if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then - for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do - EXCLUDE_SGID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]}) - find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod g-s {} + - done - fi -} -exec_access_allowed_interpreter(){ -## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме - true -} -exec_mount_attr(){ -## Отключить пользовательские nosuid nodev noexec на смонтированные цели - true -} -exec_mount_quota(){ -## Использовать дисковые квоты на файловые системы - true -} -exec_cgroup_quota(){ -## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup - true -} -exec_polkit(){ -## Настрока polkit правил - rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-* - if [[ -n ${POLKIT[@]} ]]; then - for RULES in "${!POLKIT[@]}"; do - RULES_GROUP= - RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules" - RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]}) - for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do - RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") " - done - cat >> ${RULES_FILE} </dev/null && ${FUNCTION} - done - else - true - fi diff --git a/ublinux/rc.preinit.d/57-access-denied-vtx11 b/ublinux/rc.preinit.d/57-access-denied-vtx11 new file mode 100755 index 0000000..3052bc1 --- /dev/null +++ b/ublinux/rc.preinit.d/57-access-denied-vtx11 
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_vtx11(){
+## Отключить виртуальные терминалы и запретить переключение на них из X11
+ FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
+ FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
+ FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
+ if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
+ mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
+ cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
+ Section "ServerFlags"
+ Option "DontVTSwitch" "true"
+ EndSection
+EOF
+ if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
+ mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
+ cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
+ [Login]
+ NAutoVTs=0
+ ReserveVT=0
+EOF
+ fi
+ if [[ -d ${ROOTFS}/etc/lightdm ]]; then
+ mkdir -p ${FILE_LIGHTDM_CONF%/*}
+ cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
+ [LightDM]
+ logind-check-graphical=true
+EOF
+ fi
+ elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
+ rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ exec_access_denied_vtx11 $@
diff --git a/ublinux/rc.preinit.d/58-access-login b/ublinux/rc.preinit.d/58-access-login
new file mode 100755
index 0000000..6c71a04
--- /dev/null
+++ b/ublinux/rc.preinit.d/58-access-login
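Review bot: `PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin` puts the current directory and the root of the filesystem ahead of `/usr/bin`, so every unqualified tool exec_access_denied_vtx11 runs during early boot (`mkdir`, `sed`, `cat`, `readlink`, `grep`, `rm`) is resolved against the top of the rootfs being assembled before the real binary is found; a file carrying one of those names at that location would run in place of the tool with this script's privileges, and the rootcopy persistence described in the config commentary of this commit (the whole rootcopy directory is copied into the root at boot) is one way such a file could get there. I would drop `.` and `/` from the lookup, `PATH=/usr/bin:/usr/local/bin:/usr/local/sbin`, or at the very least append them last, and call anything that genuinely lives in the current directory by an explicit `./` path; the same PATH line is repeated in 58-access-login and 59-polkit in this commit. Whether the launcher already sanitises the rootfs top before rc.preinit.d runs, and in which order rootcopy and these scripts are applied, is not visible here.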
@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_login(){
+## Управление доступом в систему, правила разрешения
+ FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
+ rm -f "${FILE_ACCESS_CONF}"
+ if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
+ [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+ tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
+ echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
+ done
+ fi
+}
+exec_access_denied_login(){
+## Управление доступом в систему, правила блокировки
+ FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
+ rm -f "${FILE_ACCESS_CONF}"
+ if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
+ [[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+ tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
+ echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
+ done
+ fi
+}
+
+################
+##### MAIN #####
+################
+
+ if [[ -z $@ ]]; then
+ while read -r FUNCTION; do
+ $"${FUNCTION##* }"
+ done < <(declare -F | grep "declare -f exec_")
+ else
+# for FUNCTION in $@; do
+# declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+# done
+ while [[ $# -gt 0 ]]; do
+ declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+ done
+ eval ${FUNCTION#*; }
+ fi
diff --git a/ublinux/rc.preinit.d/59-polkit b/ublinux/rc.preinit.d/59-polkit
new file mode 100755
index 0000000..737edee
--- /dev/null
+++ b/ublinux/rc.preinit.d/59-polkit
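Review bot: The `-:${RULE}` and `+:${RULE}` lines written by exec_access_denied_login and exec_access_allowed_login are only well-formed pam_access rules when the operator's value already carries the origins field (`permission:users:origins`); a value such as `ACCESS_DENIED_LOGIN=guest` produces `-:guest`, which pam_access reports as a bad field count and skips, so the intended lockout silently never takes effect. I would normalise each entry before writing it, `[[ -n ${RULE} ]] || continue` and `[[ ${RULE} == *:* ]] || RULE="${RULE}:ALL"`, and read with `while IFS= read -r RULE` so backslashes and surrounding whitespace reach the file as given. A header comment should also state that `+:` rules grant nothing on their own, since pam_access allows access when no rule matches, so an allow-list only works together with a trailing deny such as `ACCESS_DENIED_LOGIN=ALL:ALL`, which this script leaves entirely to the operator. Whether the PAM stack of the target system actually consults /etc/security/access.d is not visible in this commit.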
@@ -0,0 +1,56 @@ +#!/bin/bash +# +# Initial script for Live operating system +# This script are launching before starting init from linux-live script. +# Current dir allways must be set to root (/) +# All system path must be relative, except initrd dirs + +ENABLED=yes +[ "$ENABLED" != "yes" ] && exit 0 +DEBUGMODE=no + +PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin + +unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=. +SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 +SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0 +debug_mode "$0" "$@" + +SYSCONF="${ROOTFS}/${SYSCONF}" +SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null +SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null + +exec_polkit(){ +## Настрока polkit правил + rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-* + if [[ -n ${POLKIT[@]} ]]; then + for RULES in "${!POLKIT[@]}"; do + RULES_GROUP= + RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules" + RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]}) + for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do + RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") " + done + cat >> ${RULES_FILE} < и , кроме в /ublinux-data/rootcopy/ +## Примечание: При загрузке весь каталог /ublinux-data/rootcopy копируется в корень. В режиме песочницы потребляет свободное ОЗУ. В режиме сохранения заменяет файлы в корне. 
+## SAVE_ROOTCOPY_INCLUDE= # Каталоги и файлы которые будут сохранены в rootcopy +## SAVE_ROOTCOPY_CHANGES= # Каталоги и файлы изменений которые будут сохранены в rootcopy +## SAVE_ROOTCOPY_EXCLUDE= # Каталоги и файлы которые будут исключены из сохраенния в rootcopy +#SAVE_ROOTCOPY_CHANGES="/etc" +#SAVE_ROOTCOPY_INCLUDE="/etc/pacman.d/gnupg,/etc/NetworkManager/system-connections" +#SAVE_ROOTCOPY_EXCLUDE="/etc/ublinux" + ## TODO -#SELECT_SAVE_ROOTCOPY_WHITELIST="" -#SELECT_SAVE_ROOTCOPY_BLACKLIST="" -#SELECT_SAVE_MODULE_WHITELIST="" -#SELECT_SAVE_MODULE_BLACKLIST="" +## Работает только в режимах песочницы. Не работает в режиме полного сохранения. +## При перезагрузке/выключении, сохранять указанные каталоги/файлы и , кроме в модуль /ublinux-data/modules/zz-save-module.ubm +## Примечание: При загрузке подключается последним модулем. Не потребляет свободное ОЗУ. Требует больше времени при перезагрузки/выключении, т.к. создаёт модуль. +#SAVE_MODULE_CHANGES="/etc" +#SAVE_MODULE_INCLUDE="/etc/pacman.d/gnupg,/etc/NetworkManager/system-connections" +#SAVE_MODULE_EXCLUDE="/etc/ublinux" ################################################################################ ## Настройка сети 
@@ -491,15 +503,21 @@ NSSWITCHWINBIND=yes ## MOUNT_ATTR[/tmp,/dev/shm]=nosuid,nodev,noexec ## Использовать дисковые квоты на файловые системы ext2,ext3,ext4,jfs,xfs,vfs,nfs,... +## Внимание: для квот на группу, необходимо что-бы указанная группа была основной у пользователей. +## Альтернатива для проектов, через дополнительную группу projgrp: groupadd projgrp; mkdir /home/projects; chgrp projgrp /home/projects; chmod g+s /home/projects ## DISK_QUOTA[:]= +## DISK_QUOTA[:]=:0:0:0:0:: ## DISK_QUOTA[:]=::::[::] ## DISK_QUOTA[:]=::::[::] ## DISK_QUOTA[prjquota:]=,::::[::] +## DISK_QUOTA[quota:]=clean +## DISK_QUOTA[quota]= ## # Тип квоты, может принимать значения: ## usrquota # Квоты на пользователя ## grpquota # Квоты на группу ## prjquota # Квоты на проект/каталог -## # Простое включение/отключение дисковой квоты, без указания дополнительных условий +## # Простое включение/отключение дисковой квоты, без указания дополнительных условий, +## # если не указан , то для всех устройств ## # Уникальный идентификатор устройства, из возможных представленных: ## PATH # Путь до устройства /dev/device ## LABEL # МЕТКА файловой системы @@ -507,6 +525,7 @@ NSSWITCHWINBIND=yes ## UUID # UUID файловой системы ## PARTUUID # UUID раздела ## MOUNTPOINT # Путь куда примонтировано устройство +## clean # Очистить базу данных квот, отключить поддержку ^quota ^project у EXT234 ## # Путь до каталога ## # Перечень пользователей разделённых , ## # Перечень групп разделённых , 
@@ -523,10 +542,12 @@ NSSWITCHWINBIND=yes ## DISK_QUOTA[usrquota:/dev/sda3]=enable ## DISK_QUOTA[usrquota:/dev/sda3]=disable ## DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:100M:150M:100:150 +## DISK_QUOTA[usrquota:/dev/sdc1]=:0:0:0:0:86400:86400 ## DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:100M:150M:100:150:86400:86400 ## DISK_QUOTA[grpquota:/dev/sdc1]=users,users@domain.com:1G:1500M:0:0:604800:604800 ## DISK_QUOTA[prjquota:/mnt/data/project1]=AUTO:5G:6G:0:0:604800:604800 ## DISK_QUOTA[prjquota:/mnt/data/project2]=1,MyProjectName:500M:600M:0:0:604800:604800 +## DISK_QUOTA[quota]=enable ## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup. man 5 systemd.resource-control ## CGROUP_QUOTA[unit|user]=property_1=value,property_2=value,property_n=value