parent
31a4319541
commit
b5d4225b9e
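--- /dev/null
+++ b/<path-not-shown-1>
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/save; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+PATH_CHANGES="/memory/changes"
+NAME_ROOTCOPY="rootcopy"
+
+exec_save_rootcopy(){
+## При перезагрузке/выключении, сохранить/перезаписать указанные каталоги/файлы <SAVE_ROOTCOPY_INCLUDE>, кроме <SAVE_ROOTCOPY_EXCLUDE> в /ublinux-data/rootcopy/
+if [[ -n ${SAVE_ROOTCOPY_INCLUDE} || -n ${SAVE_ROOTCOPY_CHANGES} ]]; then
+PATH_ROOTCOPY=$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type d -name "${NAME_ROOTCOPY}" | head -1)
+[[ -n ${PATH_ROOTCOPY} ]] || PATH_ROOTCOPY="$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type f -name "ublinux-data*.sgn" | head -1)"
+[[ -n ${PATH_ROOTCOPY} ]] && PATH_ROOTCOPY="${PATH_ROOTCOPY%/*}/${NAME_ROOTCOPY}" || exit 0
+
+[[ -e ${PATH_ROOTCOPY} ]] || install -dm0755 -o root -g root "${PATH_ROOTCOPY}"
+if [[ -w ${PATH_ROOTCOPY} ]]; then
+if [[ -n ${SAVE_ROOTCOPY_EXCLUDE} ]]; then
+while read -r SELECT_EXCLUDE; do
+ROOTCOPY_EXCLUDE+=",'${SELECT_EXCLUDE}'"
+done <<< ${SAVE_ROOTCOPY_EXCLUDE//,/$'\n'}
+fi
+cd ${ROOTFS}/${PATH_CHANGES}
+[[ -n ${SAVE_ROOTCOPY_CHANGES} ]] && while read -r SELECT_CHANGES; do
+[[ -e ${SELECT_CHANGES#/*} ]] \
+&& eval rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${SELECT_CHANGES#/*} ${PATH_ROOTCOPY}
+# --dry-run --verbose --quiet
+done <<< ${SAVE_ROOTCOPY_CHANGES//,/$'\n'}
+[[ -n ${SAVE_ROOTCOPY_INCLUDE} ]] && while read -r SELECT_INCLUDE; do
+[[ -e ${ROOTFS}/${SELECT_INCLUDE} ]] \
+&& eval rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${ROOTFS}/${SELECT_INCLUDE} ${PATH_ROOTCOPY}
+# --dry-run --verbose --quiet
+done <<< ${SAVE_ROOTCOPY_INCLUDE//,/$'\n'}
+fi
+
+fi
+}
+
+################
+##### MAIN #####
+################
+
+[[ ${SYSTEMBOOT_STATEMODE} == "changes" ]] && exit 0
+exec_save_rootcopy $@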
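Review bot: The two `eval rsync …` lines in `exec_save_rootcopy` assemble a root-run command line from config text (`SAVE_ROOTCOPY_EXCLUDE`, `SAVE_ROOTCOPY_CHANGES`, `SAVE_ROOTCOPY_INCLUDE`, `PATH_ROOTCOPY`) with no quoting, so an exclude entry containing a single quote, or a path containing whitespace, a glob or `;`, is re-parsed by the shell instead of reaching rsync as one argument; the `eval` exists only to brace-expand `--exclude={''${ROOTCOPY_EXCLUDE}}`, which an array of `--exclude=` options does without it. The `cd ${ROOTFS}/${PATH_CHANGES}` above the loops is also unchecked, and with `--relative --delete` a failed `cd` makes the copy run from whatever the current directory happens to be. The rewrite below collects excludes into an array, checks the `cd`, quotes every path and drops `eval`; the `SAVE_ROOTCOPY_INCLUDE` loop takes the same substitution.
```shell
ROOTCOPY_EXCLUDE=()
if [[ -n ${SAVE_ROOTCOPY_EXCLUDE} ]]; then
while read -r SELECT_EXCLUDE; do
# one --exclude= per entry; passed as a separate word, never re-parsed
ROOTCOPY_EXCLUDE+=("--exclude=${SELECT_EXCLUDE}")
done <<< "${SAVE_ROOTCOPY_EXCLUDE//,/$'\n'}"
fi
cd "${ROOTFS}/${PATH_CHANGES}" || return 1
RSYNC_OPTS=(--quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded)
[[ -n ${SAVE_ROOTCOPY_CHANGES} ]] && while read -r SELECT_CHANGES; do
[[ -e ${SELECT_CHANGES#/*} ]] \
&& rsync "${RSYNC_OPTS[@]}" "${ROOTCOPY_EXCLUDE[@]}" "${SELECT_CHANGES#/*}" "${PATH_ROOTCOPY}"
done <<< "${SAVE_ROOTCOPY_CHANGES//,/$'\n'}"
# … unchanged: SAVE_ROOTCOPY_INCLUDE loop, with the same rsync call shape …
```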
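--- /dev/null
+++ b/<path-not-shown-2>
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+SELF_NAME="42-access-suid-sgid"
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_suid(){
+## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
+if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
+for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
+EXCLUDE_SUID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
+[[ ${PATH_WORK_SUID} == 0 ]] && PATH_WORK_SUID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod --quiet u-s {} +
+# find ${PATH_WORK_SUID} -type f -perm /u=s $(printf " -name %s " ${EXCLUDE_SUID})
+done
+fi
+}
+exec_access_allowed_sgid(){
+## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
+if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
+for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
+EXCLUDE_SGID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
+[[ ${PATH_WORK_SGID} == 0 ]] && PATH_WORK_SGID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod --quiet g-s {} +
+done
+fi
+}
+
+################
+##### MAIN #####
+################
+
+# Возможность подключить как source из любого скрипта и вызов встроенных функций
+
+if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
+while read -r FUNCTION; do
+$"${FUNCTION##* }"
+done < <(declare -F | grep "declare -f exec_")
+elif [[ ${0##*/} == ${SELF_NAME} ]]; then
+# for FUNCTION in $@; do
+# declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+# done
+while [[ $# -gt 0 ]]; do
+declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+done
+eval ${FUNCTION#*; }
+else
+true
+fi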
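Review bot: The argument-dispatch branch (`while [[ $# -gt 0 ]] … eval ${FUNCTION#*; }`) concatenates every argv word that is not a function name into a string that is then `eval`ed, so any unrecognised word is executed as shell code by this root-run script rather than handed to a function as an argument; the commented-out `for` loop above it, which only invoked defined functions, was the safer shape. The same dispatch block is added in the login-rules file further down (the section whose MAIN starts with `if [[ -z $@ ]]`), and the fix below applies there too. Building each "function args…" group as an array and invoking it only when its head is a defined function keeps the calling convention without `eval`. Separately, `! -name %s` in `exec_access_allowed_suid`/`_sgid` exempts by basename anywhere under the searched roots, `${ROOTFS}/home` included, which is looser than a full-path match — worth a comment if that is intended.
```shell
elif [[ ${0##*/} == ${SELF_NAME} ]]; then
CALL=()
flush_call() {
# run the pending group only when its first word is a defined function
[[ -n ${CALL[0]} ]] && declare -f "${CALL[0]}" &>/dev/null && "${CALL[@]}"
CALL=()
}
while [[ $# -gt 0 ]]; do
declare -f "$1" &>/dev/null && flush_call
CALL+=("$1"); shift
done
flush_call
else
```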
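--- /dev/null
+++ b/<path-not-shown-3>
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_interpreter(){
+## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
+if [[ -n ${ACCESS_DENIED_INTERPRETER[@]} ]]; then
+for PATH_WORK_INTERPRETER in "${!ACCESS_DENIED_INTERPRETER[@]}"; do
+DENIED_INTERPRETER=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_DENIED_INTERPRETER[${PATH_WORK_INTERPRETER}]})
+[[ ${DENIED_INTERPRETER,,} == "all" ]] && DENIED_INTERPRETER="gbr3,python,python2,python3,perl,perl6,php,ruby,node,awk,gawk"
+[[ ${PATH_WORK_INTERPRETER} == 0 ]] && PATH_WORK_INTERPRETER="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+LIST_INTERPRETER=$(printf " -name %s -o" ${DENIED_INTERPRETER})
+find ${PATH_WORK_INTERPRETER} -type f -perm /g=x \( ${LIST_INTERPRETER%-o*} \) -exec chmod --quiet o-x {} +
+done
+fi
+}
+
+################
+##### MAIN #####
+################
+
+exec_access_denied_interpreter $@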
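Review bot: The `all` expansion in `exec_access_denied_interpreter` is a no-op: `tr` has already turned the configured separators into newlines on the line above, but the substituted default list `"gbr3,python,…,gawk"` is comma-separated, so `printf " -name %s -o" ${DENIED_INTERPRETER}` word-splits on whitespace only (unless the sourced `functions` file changes IFS) and produces a single `-name gbr3,python,…` test that matches no file — nothing is chmodded and the script exits 0. Writing the default list with the separator the later expansion expects fixes it: `[[ ${DENIED_INTERPRETER,,} == "all" ]] && DENIED_INTERPRETER="gbr3 python python2 python3 perl perl6 php ruby node awk gawk"`. The `find` also selects on `-perm /g=x` while the action is `chmod o-x`; if the intent is "files others can execute", the test looks like it should be `-perm /o=x` — confirm.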
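--- /dev/null
+++ b/<path-not-shown-4>
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_mount_attr(){
+## Отключить пользовательские nosuid nodev noexec на смонтированные цели
+if [[ -n ${MOUNT_ATTR[@]} ]]; then
+for ALL_PATH_WORK_ATTR in "${!MOUNT_ATTR[@]}"; do
+tr [[:space:]],\; $'\n' <<< ${ALL_PATH_WORK_ATTR} | while read PATH_WORK_ATTR; do
+WORK_ATTR=$(tr \; , <<< ${MOUNT_ATTR[${ALL_PATH_WORK_ATTR}]})
+mount -o remount,${WORK_ATTR} ${PATH_WORK_ATTR}
+done
+done
+fi
+}
+
+################
+##### MAIN #####
+################
+
+exec_mount_attr $@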
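Review bot: `mount -o remount,${WORK_ATTR} ${PATH_WORK_ATTR}` in `exec_mount_attr` has no result check, and because the `while` sits on the right side of a `tr … |` pipeline its status is discarded as well, so a remount that fails (wrong target, unsupported option) leaves that mount's options unchanged while the script still exits 0. Both expansions are unquoted, so an option list or mount point containing whitespace is split into extra arguments, and `read` without `-r` alters any backslash in the configured path. Suggest `mount -o "remount,${WORK_ATTR}" -- "${PATH_WORK_ATTR}" || printf 'exec_mount_attr: remount of %s with %s failed\n' "${PATH_WORK_ATTR}" "${WORK_ATTR}" >&2` and `while read -r PATH_WORK_ATTR; do`.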
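--- /dev/null
+++ b/<path-not-shown-5>
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_cgroup_quota(){
+## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
+#systemctl set-property --runtime user-1001.slice MemoryHigh=200M MemorySwapMax=300M CPUQuota=100%
+true
+}
+
+################
+##### MAIN #####
+################
+
+exec_cgroup_quota $@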
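Review bot: `exec_cgroup_quota` is a stub that returns success, so whatever runs this file sees the resource-quota step as completed although nothing is applied, and nothing in the file says so. Make that explicit with a comment above `true`, e.g. `## TODO: not implemented — no cgroup limits are applied; returns 0 so the boot sequence continues`, and mark the commented `systemctl set-property … user-1001.slice …` line as an example so the sample slice name is not mistaken for configuration.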
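--- /dev/null
+++ b/<path-not-shown-6>
@@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_openssl_gost(){
+## Настройка OpenSSL ГОСТ
+FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
+FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
+TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
+TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
+
+if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
+# Enable GOST
+grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
+grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
+elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
+## Disable GOST
+sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
+sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
+fi
+}
+
+################
+##### MAIN #####
+################
+
+exec_openssl_gost $@
+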
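Review bot: `exec_openssl_gost` reads `gost.cnf` with `sed` at the top and never checks that it or `openssl.cnf` exists; when `gost.cnf` is missing or empty, `TXT_OPENSSL_GOST_CONF` is empty, the enable branch's `grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}"` matches trivially so the GOST section is never appended, and the disable branch's range `sed "/…/,/…/d"` runs with empty addresses — in every case the script exits 0. A guard after the assignments, `[[ -f ${FILE_OPENSSL_CONF} && -s ${FILE_OPENSSL_GOST_CONF} ]] || { printf 'exec_openssl_gost: openssl.cnf or gost.cnf missing\n' >&2; return 1; }`, makes the failure visible. Both paths also contain `/etc//etc/ssl/…`, which resolves to `<ROOTFS>/etc/etc/ssl/…`; this looks like a typo for `${ROOTFS}/etc/ssl/…` (it is carried over unchanged from the deleted file), so confirm the layout before relying on it.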
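--- a/<path-not-shown-7>
+++ /dev/null
@@ -1,170 +0,0 @@
-#!/bin/bash
-#
-# Initial script for Live operating system
-# This script are launching before starting init from linux-live script.
-# Current dir allways must be set to root (/)
-# All system path must be relative, except initrd dirs
-
-ENABLED=yes
-[ "$ENABLED" != "yes" ] && exit 0
-DEBUGMODE=no
-
-SELF_NAME="56-security"
-PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
-SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
-SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
-debug_mode "$0" "$@"
-
-SYSCONF="${ROOTFS}/${SYSCONF}"
-SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
-SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
-
-exec_openssl_gost(){
-## Настройка OpenSSL ГОСТ
-FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
-FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
-TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
-TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
-
-if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
-# Enable GOST
-grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
-grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
-elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
-## Disable GOST
-sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
-sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
-fi
-}
-exec_access_denied_vtx11(){
-FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
-FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
-FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
-if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
-mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
-cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
-Section "ServerFlags"
-Option "DontVTSwitch" "true"
-EndSection
-EOF
-if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
-mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
-cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
-[Login]
-NAutoVTs=0
-ReserveVT=0
-EOF
-fi
-if [[ -d ${ROOTFS}/etc/lightdm ]]; then
-mkdir -p ${FILE_LIGHTDM_CONF%/*}
-cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
-[LightDM]
-logind-check-graphical=true
-EOF
-fi
-elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
-rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
-fi
-}
-exec_access_allowed_login(){
-## Управление доступом в систему, правила разрешения
-FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
-rm -f "${FILE_ACCESS_CONF}"
-if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
-[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
-tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
-echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
-done
-fi
-}
-exec_access_denied_login(){
-## Управление доступом в систему, правила блокировки
-FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
-rm -f "${FILE_ACCESS_CONF}"
-if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
-[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
-tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
-echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
-done
-fi
-}
-exec_access_allowed_suid(){
-## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
-if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
-for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
-EXCLUDE_SUID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
-find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod u-s {} +
-done
-fi
-}
-exec_access_allowed_sgid(){
-## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
-if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
-for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
-EXCLUDE_SGID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
-find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod g-s {} +
-done
-fi
-}
-exec_access_allowed_interpreter(){
-## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
-true
-}
-exec_mount_attr(){
-## Отключить пользовательские nosuid nodev noexec на смонтированные цели
-true
-}
-exec_mount_quota(){
-## Использовать дисковые квоты на файловые системы
-true
-}
-exec_cgroup_quota(){
-## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
-true
-}
-exec_polkit(){
-## Настрока polkit правил
-rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
-if [[ -n ${POLKIT[@]} ]]; then
-for RULES in "${!POLKIT[@]}"; do
-RULES_GROUP=
-RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
-RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
-for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
-RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
-done
-cat >> ${RULES_FILE} <<EOF
-polkit.addRule(function(action, subject) {
-if (action.id.indexOf("${RULES}") == 0
-&& subject.active == true
-&& subject.local == true
-${RULES_GROUP}
-)
-{
-return polkit.Result.${RULES_RESULT^^};
-}
-});
-
-EOF
-done
-#touch ${ROOTFS}/etc/polkit-1/rules.d
-fi
-}
-
-################
-##### MAIN #####
-################
-
-if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
-while read -r FUNCTION; do
-$"${FUNCTION##* }"
-done < <(declare -F | grep "declare -f exec_")
-elif [[ ${0##*/} == ${SELF_NAME} ]]; then
-for FUNCTION in $@; do
-declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
-done
-else
-true
-fi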
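--- /dev/null
+++ b/<path-not-shown-8>
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_vtx11(){
+## Отключить виртуальные терминалы и запретить переключение на них из X11
+FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
+FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
+FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
+if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
+mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
+cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
+Section "ServerFlags"
+Option "DontVTSwitch" "true"
+EndSection
+EOF
+if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
+mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
+cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
+[Login]
+NAutoVTs=0
+ReserveVT=0
+EOF
+fi
+if [[ -d ${ROOTFS}/etc/lightdm ]]; then
+mkdir -p ${FILE_LIGHTDM_CONF%/*}
+cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
+[LightDM]
+logind-check-graphical=true
+EOF
+fi
+elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
+rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
+fi
+}
+
+################
+##### MAIN #####
+################
+
+exec_access_denied_vtx11 $@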
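Review bot: In the enable branch of `exec_access_denied_vtx11` each `mkdir -p ${FILE_…%/*}` is unquoted and unchecked, so if the directory cannot be created the following `cat <<-EOF … > "${FILE_…}"` fails, the drop-in that disables VT switching is not written, and the script still exits 0 — the lockout silently does not apply. Suggest `mkdir -p "${FILE_XORGDONTVTSWITCH_CONF%/*}" || return 1` and the same for the logind and lightdm directories. The `<<-EOF` heredocs depend on tab indentation that the rendered view does not preserve, so whether the trailing `sed 's/^\s*\t*//'` is still needed cannot be judged from here.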
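--- /dev/null
+++ b/<path-not-shown-9>
@@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_login(){
+## Управление доступом в систему, правила разрешения
+FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
+rm -f "${FILE_ACCESS_CONF}"
+if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
+[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
+echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
+done
+fi
+}
+exec_access_denied_login(){
+## Управление доступом в систему, правила блокировки
+FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
+rm -f "${FILE_ACCESS_CONF}"
+if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
+[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
+echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
+done
+fi
+}
+
+################
+##### MAIN #####
+################
+
+if [[ -z $@ ]]; then
+while read -r FUNCTION; do
+$"${FUNCTION##* }"
+done < <(declare -F | grep "declare -f exec_")
+else
+# for FUNCTION in $@; do
+# declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+# done
+while [[ $# -gt 0 ]]; do
+declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+done
+eval ${FUNCTION#*; }
+fi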
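Review bot: `exec_access_allowed_login` and `exec_access_denied_login` write `+:${RULE}` / `-:${RULE}` into a pam_access drop-in, but nothing documents that each comma-separated item of `ACCESS_ALLOWED_LOGIN` / `ACCESS_DENIED_LOGIN` must already carry the `users:origins` part of an access.conf line, so a value without a `:` yields an entry with a missing field that the reader of this script cannot anticipate. Add a comment above each `tr , $'\n'` loop, e.g. `## each item must be "<users or groups>:<origins>"; only the permission field is prepended here`, and use `read -r RULE` so a backslash in a rule is written as given.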
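--- /dev/null
+++ b/<path-not-shown-10>
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_polkit(){
+## Настрока polkit правил
+rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
+if [[ -n ${POLKIT[@]} ]]; then
+for RULES in "${!POLKIT[@]}"; do
+RULES_GROUP=
+RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
+RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
+for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
+RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
+done
+cat >> ${RULES_FILE} <<EOF
+polkit.addRule(function(action, subject) {
+if (action.id.indexOf("${RULES}") == 0
+&& subject.active == true
+&& subject.local == true
+${RULES_GROUP}
+)
+{
+return polkit.Result.${RULES_RESULT^^};
+}
+});
+
+EOF
+done
+#touch ${ROOTFS}/etc/polkit-1/rules.d
+fi
+}
+
+################
+##### MAIN #####
+################
+
+exec_polkit $@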
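Review bot: `exec_polkit` interpolates `${RULES}`, `${GROUP}` and `${RULES_RESULT^^}` verbatim into the JavaScript it writes to `rules.d`, with no check on their shape; a quote, parenthesis or `//` in any of them changes or breaks the generated rule, and an unknown result word produces a `polkit.Result.<X>` that is not one of polkit's constants, so the authorization decision for that action id is no longer what the config intended. Since the file is regenerated at every run and consumed by polkitd, each token should be restricted to the plain identifier characters the format needs, and a rule whose input fails the check should be skipped with a message rather than written. The rewrite below adds those checks around the existing loop; the `RULES_FILE`/`RULES_RESULT` assignments and the heredoc are unchanged. Note also that when no group is given the rule matches every active local subject, which with a `yes` result is a broad grant — a comment above the `for GROUP` loop saying so would help the config author.
```shell
for RULES in "${!POLKIT[@]}"; do
RULES_GROUP=
# tokens go verbatim into JavaScript: allow only identifier characters
if [[ ${RULES} != +([A-Za-z0-9._-]) ]]; then
printf 'exec_polkit: skipping rule with invalid action id: %s\n' "${RULES}" >&2
continue
fi
# … unchanged: RULES_FILE and RULES_RESULT assignments …
if [[ ${RULES_RESULT^^} != @(YES|NO|NOT_HANDLED|AUTH_SELF|AUTH_SELF_KEEP|AUTH_ADMIN|AUTH_ADMIN_KEEP) ]]; then
printf 'exec_polkit: skipping %s: unknown result %s\n' "${RULES}" "${RULES_RESULT}" >&2
continue
fi
for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
if [[ ${GROUP} != +([A-Za-z0-9._-]) ]]; then
printf 'exec_polkit: skipping %s: invalid group name %s\n' "${RULES}" "${GROUP}" >&2
continue 2
fi
RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
done
# … unchanged: heredoc that appends the rule to ${RULES_FILE} …
done
```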