Diffstat (limited to 'setup2hd')
-rw-r--r--setup2hd/SeTfirewall.tpl704
-rw-r--r--setup2hd/SeTpasswd.tpl51
-rw-r--r--setup2hd/SeTuacct.tpl96
-rw-r--r--setup2hd/SeTudiskpart.tpl65
-rw-r--r--setup2hd/SeTumedia.tpl38
-rw-r--r--setup2hd/SeTupass.tpl55
-rw-r--r--setup2hd/rc.firewall.tpl141
-rw-r--r--setup2hd/setup.liveslak.tpl282
-rw-r--r--setup2hd/setup.slackware.tpl164
9 files changed, 1596 insertions, 0 deletions
diff --git a/setup2hd/SeTfirewall.tpl b/setup2hd/SeTfirewall.tpl
new file mode 100644
index 0000000..e2e2687
--- /dev/null
+++ b/setup2hd/SeTfirewall.tpl
@@ -0,0 +1,704 @@
+#!/bin/bash
+
+# ------------------------------------------------------------------------------
+# Configure a basic firewall,
+# by generating a set of iptables rules (ipv4 and ipv6),
+# and saving those to /etc/firewall/ipv4 and /etc/firewall/ipv6 .
+# The accompanying script /etc/rc.d/rc.firewall will restore these configs.
+#
+# This script and rc.firewall are part of liveslak,
+# a project by Eric Hameleers, see https://download.liveslak.org/
+#
+# Iptables ruleset handling courtesy of Easy Firewall Generator for IPTables,
+# Copyright 2002 Timothy Scott Morizot
+# ------------------------------------------------------------------------------
+
+# The script accepts one parameter: the target filesystem:
+DESTDIR="$1"
+
+# This tmp directory is only writable by root:
+TMP=${TMP:-"/var/log/setup/tmp"}
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+# The iptables tools we use:
+IPT="/usr/sbin/iptables"
+IP6T="/usr/sbin/ip6tables"
+IPTS="/usr/sbin/iptables-save"
+IP6TS="/usr/sbin/ip6tables-save"
+IPTR="/usr/sbin/iptables-restore"
+IP6TR="/usr/sbin/ip6tables-restore"
+
+# Localhost Interface
+LO_IFACE="lo"
+LO_IP="127.0.0.1"
+LO_IP6="::1"
+
+# The default gateway device will be our primary candidate to firewall:
+GWDEV=$(/sbin/ip route show |grep ^default |cut -d' ' -f5)
+
+# Generate a list of network devices, minus the default gateway and loopback:
+AVAILDEV=$(ls --indicator-style=none /sys/class/net/ |sed -e "s/${GWDEV}//" -e "s/lo//")
+
+# Store all network interfaces in an associative array:
+declare -A NETDEVARR
+NETDEVARR=( [$GWDEV]=on )
+for INDEV in $AVAILDEV ; do NETDEVARR+=( [$INDEV]=off ) ; done
+unset INDEV
+
+# Store network services in another array:
+declare -A SERVARR=(
+ ['SSH']=off
+ ['RSYNC']=off
+ ['GIT']=off
+ ['HTTP']=off
+ ['HTTPS']=off
+ ['SMTP']=off
+ ['SMPTS']=off
+ ['IMAP']=off
+ ['IMAPS']=off
+ ['NTP']=off
+)
+
+# Store the list of custom ports/port ranges:
+CUSTOM_TCP_LIST=""
+CUSTOM_UDP_LIST=""
+
+# Will we auto-configure a restrictive firewall?
+AUTOCONFIG="YES"
+
+# User pressing ESC will change the default choice in the 1st dialog:
+DEFAULTNO=""
+
+# Loop over the configuration until the user is done:
+MAINSELECT="start"
+while [ "$MAINSELECT" != "done" ]; do
+ if [ "$MAINSELECT" = "start" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CONFIGURE FIREWALL" ${DEFAULTNO} \
+ --yesno "Would you like to protect the system with a basic firewall?\n\n\
+You can either block all external connections,
+or you can expose specific TCP/UDP ports.\n\n\
+DHCP will never be blocked." 11 68
+ if [ $? != 0 ]; then
+ # Not needed.
+ exit 0
+ else
+ DEFAULTNO=""
+ fi
+ MAINSELECT="devices"
+ fi
+
+ if [ "$MAINSELECT" = "devices" ]; then
+ # Populate the network device checklist for the dialog:
+ NETDEVLIST="$(for I in ${!NETDEVARR[@]};do echo $I ${NETDEVARR[$I]};done)"
+ unset I
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "PICK INTERFACES" \
+ --stdout --separate-output \
+ --no-items \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --checklist "\
+Select the network interface(s) exposed to the outside world.\n\
+Your default gateway is pre-selected.\n\
+Un-selected interfaces will accept all incoming traffic." 13 68 5 $NETDEVLIST \
+ > $TMP/SeTnics
+ RETVAL=$?
+ # Zero out the array values and re-enable only the ones we got returned:
+ for INDEV in ${!NETDEVARR[@]} ; do NETDEVARR[$INDEV]=off ; done
+ for INDEV in $(cat $TMP/SeTnics) ; do NETDEVARR[$INDEV]=on ; done
+ unset INDEV
+ case "$RETVAL" in
+ 0) MAINSELECT="autoselect" ;;
+ 3) MAINSELECT="start" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTnics
+ fi
+
+ if [ "$MAINSELECT" = "autoselect" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "ALL CLOSED?" \
+ --yesno "Do you want to block all incoming external connections?\n\
+If 'no', then you will be able to specify ports that need to be open." 7 68
+ RETVAL=$?
+ case "$RETVAL" in
+ 0) AUTOCONFIG="YES"
+ MAINSELECT="done" ;;
+ 1) AUTOCONFIG="NO"
+ MAINSELECT="services" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ fi
+
+ if [ "$MAINSELECT" = "services" ]; then
+ # Populate the services checklist for the dialog:
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "OPEN PORTS" \
+ --stdout --separate-output \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --checklist "\
+Select the service ports you want to remain open for the outside world.\n\
+You can enter more ports or portranges in the next dialog." 19 68 13 \
+SSH 'SSH (port 22)' ${SERVARR['SSH']} \
+RSYNC 'RSYNC (port 873)' ${SERVARR['RSYNC']} \
+GIT 'GIT (port 9418)' ${SERVARR['GIT']} \
+HTTP 'Web Server (HTTP port 80)' ${SERVARR['HTTP']} \
+HTTPS 'Secure Web Server (HTTPS port 443)' ${SERVARR['HTTPS']} \
+SMTP 'Receiving Email (SMTP port 25)' ${SERVARR['SMTP']} \
+SMTPS 'Secure Receiving Email (SMPTS port 587)' ${SERVARR['SMPTS']} \
+IMAP 'IMAP Email Server (IMAP port 143)' ${SERVARR['IMAP']} \
+IMAPS 'Secure IMAP Email Server (IMAPS port 993)' ${SERVARR['IMAPS']} \
+NTP 'Time Server (NTP port 123)' ${SERVARR['NTP']} \
+ > $TMP/SeTservices
+ RETVAL=$?
+ # Zero out the array values and re-enable only the ones we got returned:
+ for INSRV in ${!SERVARR[@]} ; do SERVARR[$INSRV]=off ; done
+ for INSRV in $(cat $TMP/SeTservices) ; do SERVARR[$INSRV]=on ; done
+ unset INSRV
+ case $RETVAL in
+ 0) MAINSELECT="customports" ;;
+ 3) MAINSELECT="autoselect" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTservices
+ fi
+
+ if [ "$MAINSELECT" = "customports" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CUSTOM PORTS" \
+ --stdout \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --form "\
+Enter additional ports or port ranges.\n\
+Port ranges consist of two numbers separated by a colon (example: 3000:3011).\n\
+Separate multiple entries with commas,\n\
+for example: 22,465,3000:3011,6660:6669,7000" \
+13 68 2 \
+"TCP ports/portranges:" 1 1 "$CUSTOM_TCP_LIST" 1 25 40 0 \
+"UDP ports/portranges:" 2 1 "$CUSTOM_UDP_LIST" 2 25 40 0 \
+ > $TMP/SeTcustomports
+ RETVAL=$?
+ CUSTOM_TCP_LIST=$(head -1 $TMP/SeTcustomports)
+ CUSTOM_UDP_LIST=$(tail -1 $TMP/SeTcustomports)
+ case $RETVAL in
+ 0) MAINSELECT="confirm" ;;
+ 3) MAINSELECT="services" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTcustomports
+ fi
+
+ if [ "$MAINSELECT" = "confirm" ]; then
+ # Collect all service ports that need to be remotely accessible.
+ # TCP:
+ TCP_LIST=""
+ if [ "${SERVARR['HTTP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 80"
+ fi
+ if [ "${SERVARR['HTTPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 443"
+ fi
+ if [ "${SERVARR['SMTP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 25"
+ fi
+ if [ "${SERVARR['SMTPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 587"
+ fi
+ if [ "${SERVARR['IMAP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 143"
+ fi
+ if [ "${SERVARR['IMAPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 993"
+ fi
+ if [ "${SERVARR['SSH']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 22"
+ fi
+ if [ "${SERVARR['GIT']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 9418"
+ fi
+ if [ "${SERVARR['RSYNC']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 873"
+ fi
+ TCP_LIST=$(echo $TCP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ # UDP:
+ UDP_LIST=""
+ if [ "${SERVARR['NTP']}" = "on" ]; then
+ UDP_LIST="$UDP_LIST 123"
+ fi
+ if [ "${SERVARR['RSYNC']}" = "on" ]; then
+ UDP_LIST="$UDP_LIST 873"
+ fi
+ UDP_LIST=$(echo $UDP_LIST | sed 's/^ *//g' | tr ' ' ',')
+
+ TCP_LIST=$(echo $TCP_LIST $CUSTOM_TCP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ UDP_LIST=$(echo $UDP_LIST $CUSTOM_UDP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ DEV_LIST=$(for INDEV in ${!NETDEVARR[@]} ; do if [ "${NETDEVARR[$INDEV]}" = "on" ]; then echo -n $INDEV" " ; fi ; done)
+
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CONFIRM CONFIGURATION" \
+ --yes-label "Generate" --no-label "Redo" \
+ --yesno "These are the ports you configured. Are you OK with them?\n\n\
+Press 'Generate' to generate the firewall configuration.\n\
+Else press 'Redo' to re-do the setup.\n\n\
+Firewalled interface(s): $DEV_LIST \n\
+TCP Ports: $TCP_LIST \n\
+UDP Ports: $UDP_LIST" 12 68
+ RETVAL=$?
+ case $RETVAL in
+ 0) MAINSELECT="done" ;;
+ 1) MAINSELECT="devices" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ fi
+
+done
+
+# ------------------------------------------------------------------------------
+# End of configuration, let's get to work.
+# ------------------------------------------------------------------------------
+
+#
+# Flush Any Existing Rules or Chains
+#
+
+${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --infobox "Configuring your firewall ..." 4 68
+
+# Reset Default Policies
+$IPT -P INPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+$IPT -P OUTPUT ACCEPT
+$IPT -t nat -P PREROUTING ACCEPT
+$IPT -t nat -P POSTROUTING ACCEPT
+$IPT -t nat -P OUTPUT ACCEPT
+$IPT -t mangle -P PREROUTING ACCEPT
+$IPT -t mangle -P OUTPUT ACCEPT
+#
+$IP6T -P INPUT ACCEPT
+$IP6T -P FORWARD ACCEPT
+$IP6T -P OUTPUT ACCEPT
+$IP6T -t mangle -P PREROUTING ACCEPT
+$IP6T -t mangle -P OUTPUT ACCEPT
+
+# Flush all rules
+$IPT -F
+$IPT -t nat -F
+$IPT -t mangle -F
+#
+$IP6T -F
+$IP6T -t mangle -F
+
+# Erase all non-default chains
+$IPT -X
+$IPT -t nat -X
+$IPT -t mangle -X
+#
+$IP6T -X
+$IP6T -t mangle -X
+
+#
+# Rules Configuration
+#
+# Filter Table
+#
+
+# Set Policies
+$IPT -P INPUT DROP
+$IPT -P OUTPUT DROP
+$IPT -P FORWARD DROP
+#
+$IP6T -P INPUT DROP
+$IP6T -P OUTPUT DROP
+$IP6T -P FORWARD DROP
+
+#
+# User-Specified Chains
+#
+# Create user chains to reduce the number of rules each packet must traverse.
+#
+
+# Create a chain to filter INVALID packets
+$IPT -N bad_packets
+$IP6T -N bad_packets
+
+# Create another chain to filter bad tcp packets
+$IPT -N bad_tcp_packets
+$IP6T -N bad_tcp_packets
+
+# Create separate chains for icmp, tcp (incoming and outgoing),
+# and incoming udp packets.
+$IPT -N icmp_packets
+$IP6T -N icmp_packets
+
+# Used for UDP packets inbound from the Internet
+$IPT -N udp_inbound
+$IP6T -N udp_inbound
+
+# Used to block outbound UDP services from internal network
+# Default to allow all
+$IPT -N udp_outbound
+$IP6T -N udp_outbound
+
+# Used to allow inbound services if desired
+# Default fail except for established sessions
+$IPT -N tcp_inbound
+$IP6T -N tcp_inbound
+
+# Used to block outbound services from internal network
+# Default to allow all
+$IPT -N tcp_outbound
+$IP6T -N tcp_outbound
+
+#
+# Populate User Chains
+#
+# bad_packets chain
+#
+
+# Drop INVALID packets immediately
+$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
+$IP6T -A bad_packets -p ALL -m state --state INVALID -j DROP
+
+# Then check the tcp packets for additional problems
+$IPT -A bad_packets -p tcp -j bad_tcp_packets
+$IP6T -A bad_packets -p tcp -j bad_tcp_packets
+
+# All good, so return
+$IPT -A bad_packets -p ALL -j RETURN
+$IP6T -A bad_packets -p ALL -j RETURN
+
+# bad_tcp_packets chain
+#
+# All tcp packets will traverse this chain.
+# Every new connection attempt should begin with
+# a syn packet. If it doesn't, it is likely a
+# port scan. This drops packets in state
+# NEW that are not flagged as syn packets.
+$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+$IP6T -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+# All good, so return
+$IPT -A bad_tcp_packets -p tcp -j RETURN
+$IP6T -A bad_tcp_packets -p tcp -j RETURN
+
+# icmp_packets chain
+#
+# This chain is for inbound (from the Internet) icmp packets only.
+# Type 8 (Echo Request) is not accepted by default
+# Enable it if you want remote hosts to be able to reach you.
+# 11 (Time Exceeded) is the only one accepted
+# that would not already be covered by the established
+# connection rule. Applied to INPUT on the external interface.
+#
+# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
+# for more info on ICMP types.
+#
+# Note that the stateful settings allow replies to ICMP packets.
+# These rules allow new packets of the specified types.
+
+# ICMP packets should fit in a Layer 2 frame, thus they should
+# never be fragmented. Fragmented ICMP packets are a typical sign
+# of a denial of service attack.
+$IPT -A icmp_packets --fragment -p icmp -j DROP
+$IP6T -A icmp_packets -p ipv6-icmp -m ipv6header --header frag --soft -j DROP
+
+# Echo - uncomment to allow your system to be pinged.
+# $IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
+# $IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 8 -j ACCEPT
+
+# By default, however, drop pings without logging. Blaster
+# and other worms have infected systems blasting pings.
+# Comment the line below if you want pings logged, but it
+# will likely fill your logs.
+$IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j DROP
+$IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 8 -j DROP
+
+# Time Exceeded
+$IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
+$IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 11 -j ACCEPT
+
+# Not matched, so return so it will be logged
+$IPT -A icmp_packets -p icmp -j RETURN
+$IP6T -A icmp_packets -p ipv6-icmp -j RETURN
+
+# TCP & UDP
+# Identify ports at:
+# http://www.chebucto.ns.ca/~rakerman/port-table.html
+# http://www.iana.org/assignments/port-numbers
+
+# udp_inbound chain
+#
+# This chain describes the inbound UDP packets it will accept.
+# It's applied to INPUT on the external or Internet interface.
+# Note that the stateful settings allow replies.
+# These rules are for new requests.
+# It drops netbios packets (windows) immediately without logging.
+
+# Drop netbios calls
+# Please note that these rules do not really change the way the firewall
+# treats netbios connections. Connections from the localhost and
+# internal interface (if one exists) are accepted by default.
+# Responses from the Internet to requests initiated by or through
+# the firewall are also accepted by default. To get here, the
+# packets would have to be part of a new request received by the
+# Internet interface. You would have to manually add rules to
+# accept these. I added these rules because some network connections,
+# such as those via cable modems, tend to be filled with noise from
+# unprotected Windows machines. These rules drop those packets
+# quickly and without logging them. This prevents them from traversing
+# the whole chain and keeps the log from getting cluttered with
+# chatter from Windows systems.
+$IPT -A udp_inbound -p udp -s 0/0 --dport 137 -j DROP
+$IPT -A udp_inbound -p udp -s 0/0 --dport 138 -j DROP
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 137 -j DROP
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 138 -j DROP
+
+# Ident requests (Port 113) must have a REJECT rule rather than the
+# default DROP rule. This is the minimum requirement to avoid
+# long delays while connecting. Also see the tcp_inbound rule.
+$IPT -A udp_inbound -p udp -s 0/0 --dport 113 -j REJECT
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 113 -j REJECT
+
+# A more sophisticated configuration could accept the ident requests.
+# $IPT -A udp_inbound -p udp -s 0/0 --dport 113 -j ACCEPT
+# $IP6T -A udp_inbound -p udp -s 0/0 --dport 113 -j ACCEPT
+
+# IPv4 only:
+# Allow DHCP client request packets inbound from external network
+$IPT -A udp_inbound -p udp -s 0/0 --source-port 68 --dport 67 \
+ -j ACCEPT
+# Dynamic Address
+# If DHCP, the initial request is a broadcast. The response
+# doesn't exactly match the outbound packet. This explicitly
+# allow the DHCP ports to alleviate this problem.
+# If you receive your dynamic address by a different means, you
+# can probably comment this line.
+$IPT -A udp_inbound -p udp -s 0/0 --source-port 67 --dport 68 \
+ -j ACCEPT
+
+# Open the custom UDP ports if they have been configured:
+if [ -n "$UDP_LIST" ]; then
+ $IPT -A INPUT -p udp -m multiport --dport $UDP_LIST -j ACCEPT
+ $IP6T -A INPUT -p udp -m multiport --dport $UDP_LIST -j ACCEPT
+fi
+
+# Not matched, so return for logging
+$IPT -A udp_inbound -p udp -j RETURN
+$IP6T -A udp_inbound -p udp -j RETURN
+
+# udp_outbound chain
+#
+# This chain is used with a private network to prevent forwarding for
+# UDP requests on specific protocols. Applied to the FORWARD rule from
+# the internal network. Ends with an ACCEPT
+
+
+# No match, so ACCEPT
+$IPT -A udp_outbound -p udp -s 0/0 -j ACCEPT
+$IP6T -A udp_outbound -p udp -s 0/0 -j ACCEPT
+
+# tcp_inbound chain
+#
+# This chain is used to allow inbound connections to the
+# system/gateway. Use with care. It defaults to none.
+# It's applied on INPUT from the external or Internet interface.
+
+# Ident requests (Port 113) must have a REJECT rule rather than the
+# default DROP rule. This is the minimum requirement to avoid
+# long delays while connecting. Also see the tcp_inbound rule.
+$IPT -A tcp_inbound -p tcp -s 0/0 --dport 113 -j REJECT
+$IP6T -A tcp_inbound -p tcp -s 0/0 --dport 113 -j REJECT
+
+# A more sophisticated configuration could accept the ident requests.
+# $IPT -A tcp_inbound -p tcp -s 0/0 --dport 113 -j ACCEPT
+# $IP6T -A tcp_inbound -p tcp -s 0/0 --dport 113 -j ACCEPT
+
+# Open the requested TCP service ports if they have been configured:
+if [ -n "$TCP_LIST" ]; then
+ $IPT -A INPUT -p tcp -m multiport --dport $TCP_LIST -j ACCEPT
+ $IP6T -A INPUT -p tcp -m multiport --dport $TCP_LIST -j ACCEPT
+fi
+
+# Not matched, so return so it will be logged
+$IPT -A tcp_inbound -p tcp -j RETURN
+$IP6T -A tcp_inbound -p tcp -j RETURN
+
+# tcp_outbound chain
+#
+# This chain is used with a private network to prevent forwarding for
+# requests on specific protocols. Applied to the FORWARD rule from
+# the internal network. Ends with an ACCEPT
+
+# No match, so ACCEPT
+$IPT -A tcp_outbound -p tcp -s 0/0 -j ACCEPT
+$IP6T -A tcp_outbound -p tcp -s 0/0 -j ACCEPT
+
+#
+# INPUT Chain
+#
+# Allow all on localhost interface
+$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
+$IP6T -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
+
+# Allow all on other internal interfaces:
+for INDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$INDEV]}" = "off" ] ; then
+ $IPT -A INPUT -p ALL -i $INDEV -j ACCEPT
+ $IP6T -A INPUT -p ALL -i $INDEV -j ACCEPT
+ fi
+done
+unset INDEV
+
+# Drop bad packets
+$IPT -A INPUT -p ALL -j bad_packets
+$IP6T -A INPUT -p ALL -j bad_packets
+
+# DOCSIS compliant cable modems
+# Some DOCSIS compliant cable modems send IGMP multicasts to find
+# connected PCs. The multicast packets have the destination address
+# 224.0.0.1. You can accept them. If you choose to do so,
+# Uncomment the rule to ACCEPT them and comment the rule to DROP
+# them The firewall will drop them here by default to avoid
+# cluttering the log. The firewall will drop all multicasts
+# to the entire subnet (224.0.0.1) by default. To only affect
+# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
+# if they aren't accepted elsewhere, it will only ensure that
+# multicasts on other protocols are logged.
+# Drop them without logging.
+$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
+# The rule to accept the packets.
+# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
+
+# Inbound Internet Packet Rules
+
+for INDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$INDEV]}" = "on" ] ; then
+ # Accept Established Connections
+ $IPT -A INPUT -p ALL -i $INDEV -m state --state ESTABLISHED,RELATED \
+ -j ACCEPT
+ $IP6T -A INPUT -p ALL -i $INDEV -m state --state ESTABLISHED,RELATED \
+ -j ACCEPT
+
+ # Route the rest to the appropriate user chain
+ $IPT -A INPUT -p tcp -i $INDEV -j tcp_inbound
+ $IP6T -A INPUT -p tcp -i $INDEV -j tcp_inbound
+ $IPT -A INPUT -p udp -i $INDEV -j udp_inbound
+ $IP6T -A INPUT -p udp -i $INDEV -j udp_inbound
+ $IPT -A INPUT -p icmp -i $INDEV -j icmp_packets
+ $IP6T -A INPUT -p ipv6-icmp -i $INDEV -j icmp_packets
+ fi
+done
+unset INDEV
+
+# Drop without logging broadcasts that get this far.
+# Cuts down on log clutter.
+# Comment this line if testing new rules that impact
+# broadcast protocols.
+$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
+$IP6T -A INPUT -m pkttype --pkt-type broadcast -j DROP
+
+# Log packets that still don't match
+$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "INPUT packet died: "
+$IP6T -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "INPUT packet ipv6 died: "
+
+#
+# FORWARD Chain
+#
+# Used if forwarding for a private network
+
+#
+# OUTPUT Chain
+#
+# Generally trust the firewall on output
+
+# However, invalid icmp packets need to be dropped
+# to prevent a possible exploit.
+$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
+$IP6T -A OUTPUT -m state -p ipv6-icmp --state INVALID -j DROP
+
+# Localhost
+$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
+$IP6T -A OUTPUT -p ALL -s $LO_IP6 -j ACCEPT
+$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
+$IP6T -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
+
+# Allow all on other internal interfaces:
+for OUTDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$OUTDEV]}" = "off" ] ; then
+ $IPT -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ $IP6T -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ fi
+done
+unset OUTDEV
+
+# To internet
+for OUTDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$OUTDEV]}" = "on" ] ; then
+ $IPT -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ $IP6T -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ fi
+done
+
+# Log packets that still don't match
+$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "OUTPUT packet died: "
+$IP6T -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "OUTPUT packet ipv6 died: "
+
+#
+# nat table
+#
+# The nat table is where network address translation occurs if there
+# is a private network. If the gateway is connected to the Internet
+# with a static IP, snat is used. If the gateway has a dynamic address,
+# masquerade must be used instead. There is more overhead associated
+# with masquerade, so snat is better when it can be used.
+# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
+# Another, POSTROUTING, handles snat and masquerade.
+
+#
+# PREROUTING chain
+#
+
+#
+# POSTROUTING chain
+#
+
+
+#
+# mangle table
+#
+# The mangle table is used to alter packets. It can alter or mangle them in
+# several ways. For the purposes of this generator, we only use its ability
+# to alter the TTL in packets. However, it can be used to set netfilter
+# mark values on specific packets. Those marks could then be used in another
+# table like filter, to limit activities associated with a specific host, for
+# instance. The TOS target can be used to set the Type of Service field in
+# the IP header. Note that the TTL target might not be included in the
+# distribution on your system. If it is not and you require it, you will
+# have to add it. That may require that you build from source.
+
+# Save the firewall configuration so that 'rc.firewall' can load it:
+mkdir -p $DESTDIR/etc/firewall
+${IPTS} > $DESTDIR/etc/firewall/ipv4
+${IP6TS} > $DESTDIR/etc/firewall/ipv6
+
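Review bot: `TCP_LIST` and `UDP_LIST` are only assigned in the `confirm` step and never cleared, so a user who reaches the confirmation, presses 'Redo' and then answers yes to "block all incoming external connections" still gets the earlier ports opened by the `if [ -n "$TCP_LIST" ]` and `if [ -n "$UDP_LIST" ]` blocks; `AUTOCONFIG` is set but never read by the rule generation. Clearing them in the `0)` branch of the `autoselect` case with `TCP_LIST="" ; UDP_LIST=""`, or guarding both blocks with `[ "$AUTOCONFIG" = "NO" ]`, closes that path. The custom port strings from the form also reach `--dport $TCP_LIST` without any check that they contain only digits, commas and colons, and the exit status of the iptables calls is not tested, so a malformed entry silently leaves the saved ruleset without the rule the user confirmed. Separately, the ip6tables rules reuse ICMPv4 type numbers 8 and 11, whereas ICMPv6 echo request is type 128 and time exceeded is type 3, and neighbour discovery (types 133-136) is not accepted on a firewalled interface, which I would expect to break IPv6 there.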
diff --git a/setup2hd/SeTpasswd.tpl b/setup2hd/SeTpasswd.tpl
new file mode 100644
index 0000000..29d9943
--- /dev/null
+++ b/setup2hd/SeTpasswd.tpl
@@ -0,0 +1,51 @@
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+#!/bin/sh
+# Liveslak replacement for Slackware's SeTpassword script.
+
+TMP=/var/log/setup/tmp
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+T_PX="$(cat $TMP/SeTT_PX)"
+
+# Check for root password:
+if [ "$(cat $T_PX/etc/shadow | grep 'root:' | cut -f 2 -d :)" != "" ]; then
+ # Root password has been set, nothing further to be done.
+ exit 0
+fi
+
+# No root password has been set yet, which means no user was created either.
+
+# Set up a user account,
+if [ -r $TMP/SeTlive ]; then
+ # We will only configgure su access when installing a Live OS:
+ SUTEXT="\nYour account will be added to sudoers and suauth."
+else
+ SUTEXT=""
+fi
+${DIALOG} --title "@UDISTRO@ (@LIVEDE@) USER CREATION" \
+ --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --msgbox "You will first get the chance to create your user account, \
+and set its password.${SUTEXT}\n\n\
+After that, you will be asked to set the root password." 11 55
+# This will set UFULLNAME, UACCOUNT and USHELL variables:
+SeTuacct 2>&1 1> $TMP/temppasswd
+if [ $? = 0 ]; then
+ # User filled out the form, so let's get the results for
+ # UFULLNAME, UACCOUNT, UACCTNR and USHELL:
+ source $TMP/temppasswd
+ rm -f $TMP/temppasswd
+ # Set a password for the new account:
+ UPASS=$(SeTupass $UACCOUNT)
+ # Create the account and set the password:
+ chroot ${T_PX} /usr/sbin/useradd -c "$UFULLNAME" -g users -G wheel,audio,cdrom,floppy,plugdev,video,power,netdev,lp,scanner,dialout,games,disk,input -u ${UACCTNR} -d /home/${UACCOUNT} -m -s ${USHELL} ${UACCOUNT}
+ echo "${UACCOUNT}:${UPASS}" | chroot ${T_PX} /usr/sbin/chpasswd
+ unset UPASS
+fi # End user creation
+
+# Finally, set the root password:
+UPASS=$(SeTupass root)
+echo "root:${UPASS}" | chroot ${T_PX} /usr/sbin/chpasswd
+unset UPASS
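Review bot: `source $TMP/temppasswd` executes the text typed into the account form as shell code, because SeTuacct.tpl ends with `echo "UFULLNAME='$UFULLNAME'"` plus unquoted `echo "UACCTNR=$UACCTNR"` and `echo "USHELL=$USHELL"`, and the full name is never checked for quote characters. A full name containing an apostrophe (O'Brien) closes the quoted string early, so at best the script errors out and at worst the remainder of the field is evaluated by the installer's root shell. Emitting the values shell-quoted in SeTuacct.tpl, for example `printf 'UFULLNAME=%q\n' "$UFULLNAME"` for each of the four variables, or reading the four lines back with `read -r` instead of sourcing them, removes that. The `#!/bin/sh` on the fourth line of this file is only a comment there, since the `DIALOG=` assignment precedes it; it should move to line 1, and `source` is a bashism under that interpreter line.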
diff --git a/setup2hd/SeTuacct.tpl b/setup2hd/SeTuacct.tpl
new file mode 100644
index 0000000..f6d6464
--- /dev/null
+++ b/setup2hd/SeTuacct.tpl
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+TMP=/var/log/setup/tmp
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+T_PX="$(cat $TMP/SeTT_PX)"
+
+freeuid() {
+ # Get the first free UIDNumber after 999:
+ local LUIDS=$( cat ${T_PX}/etc/passwd | cut -d: -f3 | sort -n )
+ local LUID=999
+ while true; do
+ LUID=$(( $LUID + 1))
+ if ! echo $LUIDS | grep -F -q -w "$LUID"; then
+ break;
+ fi
+ done
+ echo $LUID
+}
+FREEUID="$(freeuid)"
+
+UFULLNAME=""
+UACCOUNT=""
+UACCTNR="$FREEUID"
+USHELL="/bin/bash"
+UFORM="Fill out your user details:"
+while [ 0 ]; do
+ ${DIALOG} --stdout --ok-label "Submit" --no-cancel \
+ --title "@UDISTRO@ (@LIVEDE@) USER CREATION" \
+ --form "$UFORM" \
+ 11 64 0 \
+ "Full Name:" 1 1 "$UFULLNAME" 1 14 40 0 \
+ "Logonname:" 2 1 "$UACCOUNT" 2 14 32 0 \
+ "UIDNumber:" 3 1 "$UACCTNR" 3 14 12 0 \
+ "Login Shell:" 4 1 "$USHELL" 4 14 12 0 \
+ 2>&1 1> $TMP/tempuacct
+ iii=0
+ declare -a USERATTR
+ while read LINE ; do
+ USERATTR[$iii]="$LINE"
+ iii=$(expr $iii + 1)
+ done < $TMP/tempuacct
+ rm -f $TMP/tempuacct
+ UFULLNAME="${USERATTR[0]}"
+ UACCOUNT="${USERATTR[1]}"
+ UACCTNR="${USERATTR[2]}"
+ USHELL="${USERATTR[3]}"
+ unset USERATTR
+ UINPUT=0
+ # Validate the input:
+ UACC_INVALID1="$(echo ${UACCOUNT:0:1} |tr -d 'a-z_')"
+ UACC_INVALID="$(echo ${UACCOUNT:1} |tr -d 'a-z0-9_-')"
+ if [ -n "$UACC_INVALID1" -o -n "$UACC_INVALID" ]; then
+ # User account contains invalid characters, let's remove them all:
+ UINPUT=1
+ UACCOUNT="$(echo ${UACCOUNT} |tr -cd 'a-z_')"
+ fi
+ if [ -z "$UACCOUNT" -o -z "$UFULLNAME" ]; then
+ # User account or fullname is empty, let's try again:
+ UINPUT=$(expr $UINPUT + 2)
+ fi
+ if chroot ${T_PX} /usr/bin/id -u ${UACCTNR} 1>/dev/null 2>/dev/null ; then
+ # UidNumber is already in use, fall back to sane default:
+ UINPUT=$(expr $UINPUT + 4)
+ UACCTNR=$FREEUID
+ fi
+ if ! grep -q ${USHELL} ${T_PX}/etc/shells ; then
+ # Login shell is invalid, suggest the bash shell again:
+ UINPUT=$(expr $UINPUT + 8)
+ USHELL=/bin/bash
+ fi
+ if [ $UINPUT -eq 0 ]; then
+ break
+ elif [ $UINPUT -eq 1 ]; then
+ UFORM="Please only use valid characters for logonname"
+ elif [ $UINPUT -eq 2 ]; then
+ UFORM="Please enter your logon and full name"
+ elif [ $UINPUT -eq 3 ]; then
+ UFORM="Use valid characters for logonname, and enter full name"
+ elif [ $UINPUT -eq 4 ]; then
+ UFORM="Enter unused number for your account, $FREEUID is a good default"
+ elif [ $UINPUT -eq 8 ]; then
+ UFORM="Please enter a valid shell"
+ else
+ UFORM="Fill all fields, using valid logonname/uidnumber values"
+ fi
+done
+
+echo "UACCOUNT=$UACCOUNT"
+echo "UFULLNAME='$UFULLNAME'"
+echo "UACCTNR=$UACCTNR"
+echo "USHELL=$USHELL"
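Review bot: The UID and shell checks in the validation loop accept values they should reject. `chroot ${T_PX} /usr/bin/id -u ${UACCTNR}` only tests whether such a user exists, so a non-numeric entry that is not an existing account name fails the lookup and is treated as a free UID; a guard such as `case "$UACCTNR" in ''|*[!0-9]*) UINPUT=$(expr $UINPUT + 4) ; UACCTNR=$FREEUID ;; esac` ahead of it would catch that. `grep -q ${USHELL} ${T_PX}/etc/shells` is an unquoted regular-expression substring match, so `sh` or `/bin` passes and an empty field leaves grep with the file name as its pattern; `grep -qxF -- "$USHELL" "${T_PX}/etc/shells"` matches whole lines literally. Both values are later passed to useradd in SeTpasswd.tpl, so they are worth pinning down here.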
diff --git a/setup2hd/SeTudiskpart.tpl b/setup2hd/SeTudiskpart.tpl
new file mode 100644
index 0000000..de671f4
--- /dev/null
+++ b/setup2hd/SeTudiskpart.tpl
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+TMP=/var/log/setup/tmp
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+
+ # If we do not find any useful disks at all, we must bail:
+ if [ -z "$(lsblk -a -o NAME,SIZE,RM,RO,TYPE,MODEL |tr -s '[:blank:]' ' ' |grep '0 *0 *disk' | grep -v '^ram')" ]; then
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "NO HARD DRIVE DETECTED" \
+ --msgbox "This machine appears not to have any hard drives installed.\
+This setup will not work. Please add a hard drive to the computer first." 10 64
+ exit 1
+ fi
+
+ # Generate a list of local hard drives we can write to:
+ rm -f $TMP/tempscript
+ cat <<EOT > $TMP/tempscript
+${DIALOG} --stdout \\
+ --title "SELECT DISK DRIVES" \\
+ --backtitle "Creating Linux, swap and EFI partitions" \\
+ --checklist "Select from available drives.\nA disk partitioning utility \\
+will be presented for any drive you select here:" \\
+ 19 0 9 \\
+EOT
+ lsblk -a -o NAME,SIZE,RM,RO,TYPE,MODEL | \
+ tr -s '[:blank:]' ' ' | grep '0 *0 *disk' | grep -v '^ram' | \
+ while read LINE ; do
+ DISKATTR=($LINE)
+ DISKVENDOR="${DISKATTR[@]:5}"
+ if [ -z "${DISKVENDOR}" ]; then
+ DISKVENDOR="UnknownVendor"
+ fi
+ echo "\"/dev/${DISKATTR[0]}\" \"${DISKATTR[1]}: ${DISKVENDOR}\" off \\" >> $TMP/tempscript
+ done
+ echo '2>&1 1>$TMP/availdisks' >> $TMP/tempscript
+
+ # Loop until the user makes a choice:
+ while [ 0 ]; do
+ source $TMP/tempscript
+ if [ ! $? = 0 ] || [ ! -s $TMP/availdisks ]; then
+ # Canceled the dialog, or did not select anything:
+ rm -f $TMP/availdisks
+ else
+ # We got an answer:
+ for DISKDRIVE in $(cat $TMP/availdisks) ; do
+ # Determine which disk partitioning tool to use:
+ if gdisk -l $DISKDRIVE |tr -s '[:blank:]' ' ' |grep -q "MBR: MBR only" ; then
+ PARTTOOL=cfdisk
+ else
+ PARTTOOL=cgdisk
+ fi
+ # Now let the user create her partitions:
+ $PARTTOOL $DISKDRIVE
+ done
+ break
+ fi
+ done
+ # We should have partitions now, so re-run probe and collect that list:
+ probe -l 2> /dev/null | grep -E 'Linux$' | sort 1> $TMP/SeTplist 2> /dev/null
+
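Review bot: The disk checklist is built by writing text into `$TMP/tempscript` and then running `source $TMP/tempscript`, and the MODEL column from lsblk is placed between double quotes in that text, so a quote, backtick or `$(` in a device-reported model string is interpreted by the shell running setup. `DISKATTR=($LINE)` also word-splits and glob-expands the same line. Passing the entries to dialog as array elements keeps the model string as data and removes the generated script. The sketch below shows the replaced lines, with the result handling left as it is.

```shell
# … unchanged: TMP setup and the "no hard drive" check …
lsblk -a -o NAME,SIZE,RM,RO,TYPE,MODEL | \
  tr -s '[:blank:]' ' ' | grep '0 *0 *disk' | grep -v '^ram' > $TMP/disklist
DISKARGS=()
while read -r NAME SIZE RM RO TYPE MODEL ; do
  # MODEL receives the rest of the line; it is only ever used as data.
  DISKARGS+=( "/dev/${NAME}" "${SIZE}: ${MODEL:-UnknownVendor}" off )
done < $TMP/disklist
rm -f $TMP/disklist

# Inside the selection loop, in place of 'source $TMP/tempscript':
${DIALOG} --stdout \
  --title "SELECT DISK DRIVES" \
  --backtitle "Creating Linux, swap and EFI partitions" \
  --checklist "Select from available drives.\nA disk partitioning utility \
will be presented for any drive you select here:" \
  19 0 9 "${DISKARGS[@]}" \
  2>&1 1>$TMP/availdisks
# … unchanged: $? / availdisks check and the partitioning loop …
```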
diff --git a/setup2hd/SeTumedia.tpl b/setup2hd/SeTumedia.tpl
new file mode 100644
index 0000000..7035fcc
--- /dev/null
+++ b/setup2hd/SeTumedia.tpl
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+TMP=/var/log/setup/tmp
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+
+${DIALOG} --backtitle "Select Slackware installation source." \
+--title "SOURCE MEDIA SELECTION" \
+--default-item '4' --menu \
+"Please select the media from which to install Slackware Linux:" \
+11 70 4 \
+"1" "Install Slackware from NFS (Network File System)" \
+"2" "Install Slackware from FTP/HTTP server" \
+"3" "Install Slackware from Samba share" \
+"4" "Install @UDISTRO@ (@LIVEDE@) Live OS to disk" \
+2> $TMP/media
+if [ ! $? = 0 ]; then
+ rm $TMP/media
+ exit
+fi
+
+SOURCE_MEDIA="`cat $TMP/media`"
+rm -f $TMP/media
+if [ "$SOURCE_MEDIA" = "1" ]; then
+ INSNFS
+elif [ "$SOURCE_MEDIA" = "2" ]; then
+ INSURL
+elif [ "$SOURCE_MEDIA" = "3" ]; then
+ INSSMB
+elif [ "$SOURCE_MEDIA" = "4" ]; then
+ touch $TMP/SeTlive
+ touch $TMP/SeTsource
+fi
+
diff --git a/setup2hd/SeTupass.tpl b/setup2hd/SeTupass.tpl
new file mode 100644
index 0000000..fcc7523
--- /dev/null
+++ b/setup2hd/SeTupass.tpl
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+TMP=/var/log/setup/tmp
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+
+UACCOUNT="$1"
+
+UPASS1=""
+UPASS2=""
+UFORM="Define a new password for user '$UACCOUNT'"
+
+ while [ 0 ]; do
+ if [ "${DIALOG}" == "Xdialog" ]; then
+ ${DIALOG} --stdout --ok-label "Submit" --no-cancel \
+ --title "@UDISTRO@ (@LIVEDE@) USER CREATION" \
+ --left --separator="\n" --password --password \
+ --2inputsbox "$UFORM" 20 40 \
+ "Password: " "$UPASS1" "Repeat password: " "$UPASS2" \
+ 2>&1 1> $TMP/tempupass
+ else
+ ${DIALOG} --stdout --ok-label "Submit" --no-cancel \
+ --title "@UDISTRO@ (@LIVEDE@) USER CREATION" \
+ --insecure --passwordform "$UFORM" 9 64 0 "Password:" \
+ 1 1 "$UPASS1" 1 18 40 0 "Repeat password:" 2 1 "$UPASS2" 2 18 40 0 \
+ 2>&1 1> $TMP/tempupass
+ fi
+
+ iii=0
+ declare -a USERATTR
+ while read LINE ; do
+ USERATTR[$iii]="$LINE"
+ iii=$(expr $iii + 1)
+ done < $TMP/tempupass
+ rm -f $TMP/tempupass
+ UPASS1="${USERATTR[0]}"
+ UPASS2="${USERATTR[1]}"
+ unset USERATTR
+ if [ -z "$UPASS1" ]; then
+ UFORM="Password must not be empty, try again for user '$UACCOUNT'"
+ elif [ "$UPASS1" == "$UPASS2" ]; then
+ break
+ else
+ UFORM="Passwords do not match, try again for user '$UACCOUNT'"
+ fi
+ done
+ echo "${UPASS1}"
+ unset UPASS1
+ unset UPASS2
+ unset USERATTR
+
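Review bot: The loop that collects the two password fields uses a plain `read LINE`, which strips leading and trailing blanks and consumes backslashes, so a password containing either is silently changed before `echo "${UPASS1}"` hands it to the caller; `while IFS= read -r LINE ; do` keeps the typed value intact. The cleartext also passes through `$TMP/tempupass`, which is created under whatever umask is in effect, so a `umask 077` ahead of the dialog call would keep the file from being readable by other accounts on the live system. The shebang says `#!/bin/sh` while the script depends on `declare -a`, arrays and `==`; `#!/bin/bash` would state the real requirement.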
diff --git a/setup2hd/rc.firewall.tpl b/setup2hd/rc.firewall.tpl
new file mode 100644
index 0000000..4019b1a
--- /dev/null
+++ b/setup2hd/rc.firewall.tpl
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# ---------------------------------------------------------------------------
+# Slackware init script for iptables firewall:
+# /etc/rc.d/rc.firewall
+# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
+# ---------------------------------------------------------------------------
+
+# Specify path to the iptables binaries:
+IPT_PATH="/usr/sbin"
+
+# Save location for firewall rules:
+[ ! -d /etc/firewall ] && mkdir /etc/firewall
+
+# Is ipv6 supported on this computer?
+if [ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]; then
+ HAVE_IPV6=0
+else
+ HAVE_IPV6=1
+fi
+
+fwflush() {
+ local IPT=${1:-iptables}
+ # Accept all traffic first:
+ ${IPT_PATH}/${IPT} -P INPUT ACCEPT
+ ${IPT_PATH}/${IPT} -P FORWARD ACCEPT
+ ${IPT_PATH}/${IPT} -P OUTPUT ACCEPT
+ # Flush all iptables chains and rules:
+ ${IPT_PATH}/${IPT} -F
+ # Delete all iptables chains:
+ ${IPT_PATH}/${IPT} -X
+ # Flush all counters:
+ ${IPT_PATH}/${IPT} -Z
+ # Flush/delete all nat and mangle rules:
+ if [ "$IPT" != "ip6tables" ]; then
+ ${IPT_PATH}/${IPT} -t nat -F
+ ${IPT_PATH}/${IPT} -t nat -X
+ fi
+ ${IPT_PATH}/${IPT} -t mangle -F
+ ${IPT_PATH}/${IPT} -t mangle -X
+ ${IPT_PATH}/${IPT} -t raw -F
+ ${IPT_PATH}//${IPT} -t raw -X
+}
+
+basic_protection() {
+ # Basic measures to applied on first start:
+
+ # Turn off packet forwarding in the kernel
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Enable TCP SYN Cookie Protection
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ # Disable ICMP Redirect Acceptance
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Accept only from gateways in the default gateways list
+ echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
+ # Do not send Redirect Messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ # Enable bad error message protection
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Enable broadcast echo protection
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # Disable source-routed packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+ # Do not log spoofed packets, source-routed packets, and redirect packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
+}
+
+fw_start() {
+ echo "Loading firewall rules..."
+ # Apply basic protection in the kernel:
+ basic_protection
+ # Restore firewall rules:
+ if [ -f /etc/firewall/ipv4 ]; then
+ ${IPT_PATH}/iptables-restore < /etc/firewall/ipv4
+ else
+ echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
+ fi
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ if [ -f /etc/firewall/ipv6 ]; then
+ ${IPT_PATH}/ip6tables-restore < /etc/firewall/ipv6
+ else
+ echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
+ fi
+ fi
+}
+
+fw_reload() {
+ fw_flush
+ fw_start
+}
+
+fw_save() {
+ # Save firewall rules:
+ echo "Saving firewall rules..."
+ ${IPT_PATH}/iptables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4
+ ${IPT_PATH}/ip6tables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/ip6tables-save > /etc/firewall/ipv6
+}
+
+fw_flush() {
+ # Flush firewall rules, delete all custom chains and reset counters:
+ # also resetting all policies to ACCEPT:
+ echo "Flushing firewall rules..."
+ fwflush iptables
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ fwflush ip6tables
+ fi
+}
+
+fw_status() {
+ ${IPT_PATH}/iptables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv4 support in the kernel!"
+ ${IPT_PATH}/ip6tables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv6 support in the kernel!"
+}
+
+case "$1" in
+ start)
+ fw_start
+ ;;
+ stop|flush)
+ fw_flush
+ ;;
+ reload)
+ fw_reload
+ ;;
+ save)
+ fw_save
+ ;;
+ status)
+ fw_status
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|save|flush|status"
+ exit 1
+ ;;
+esac
+
+exit 0
+
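Review bot: In `fw_save` the probe `${IPT_PATH}/iptables -Ln` is parsed as `-L` with the chain name `n` rather than as `-L -n`, so it fails on any ruleset that has no chain called `n` and the `iptables-save` behind it never runs; the ip6tables pair has the same problem. `fw_status` already spells it `-L -n`, and for the save path `${IPT_PATH}/iptables -L -n >/dev/null 2>&1 && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4` would do the check without printing the listing. Separately, `fw_reload` calls `fw_flush` first, which sets every policy to ACCEPT and leaves the host unfiltered until `fw_start` completes, and for good if no saved rules exist. Since `iptables-restore` replaces the tables named in the saved file on its own, `fw_reload` could call `fw_start` alone, and a comment on `stop|flush` should say that it leaves the machine open.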
diff --git a/setup2hd/setup.liveslak.tpl b/setup2hd/setup.liveslak.tpl
new file mode 100644
index 0000000..fb6e03e
--- /dev/null
+++ b/setup2hd/setup.liveslak.tpl
@@ -0,0 +1,282 @@
+# This script is sourced from setup2hd.
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+ # Liveslak installation routine:
+ if [ "$MAINSELECT" = "INSTALL" ]; then
+ if [ ! -r $TMP/SeTnative ]; then
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "CANNOT INSTALL SOFTWARE YET" --msgbox "\
+\n\
+Before you can install software, complete the following tasks:\n\
+\n\
+1. Set up your target Linux partition(s).\n\
+\n\
+You may also optionally remap your keyboard and set up your\n\
+swap partition(s). \n\
+\n\
+Press ENTER to return to the main menu." 16 68
+ continue
+ fi
+
+ # --------------------------------------------- #
+ # Slackware Live Edition - install to disk: #
+ # --------------------------------------------- #
+
+ # Buy us some time while we are calculating disk usage:
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "WELCOME TO @UDISTRO@ LIVE (@LIVEDE@)" --infobox \
+ "\nCalculating disk usage, please be patient ..." 5 65
+
+ ACT_MODS=$(ls -rt --indicator-style=none /mnt/live/modules/ |wc -l)
+ TOT_MODS=$(find /mnt/livemedia/@LIVEMAIN@/ -type f -name "*.sxz" |wc -l)
+ DU_LIVE=$(du -s /mnt/live/modules/ 2>/dev/null |tr -s '\t' ' ' |cut -f1 -d' ')
+ PARTFREE=$(df -P -BM $T_PX |tail -1 |tr -s '\t' ' ' |cut -d' ' -f4)
+ PARTFREE=${PARTFREE%M}
+
+ # Warn when it looks we have insufficient room:
+ if [ $PARTFREE -lt $(($DU_LIVE/1024)) ]; then
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "WELCOME TO @UDISTRO@ LIVE (@LIVEDE@)" --yesno \
+ "\nAvailable space: $PARTFREE MB\nRequired space: $(($DU_LIVE/1024))\nIt looks like your hard drive partition is too small.\nDo you want to continue?" 10 65
+ retval=$?
+ if [ $retval = 1 ]; then
+ umount $T_PX
+ exit 1
+ fi
+ else
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "WELCOME TO @UDISTRO@ LIVE (@LIVEDE@)" --msgbox \
+ "\nAvailable space: $PARTFREE MB\nRequired space: $(($DU_LIVE/1024)) MB\nIt looks like you're good to go!" 10 65
+ fi
+
+ # Install the Live OS by rsyncing the readonly overlay to the harddisk:
+ if [ "${DIALOG}" == "Xdialog" ]; then
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "INSTALLING @UDISTRO@ LIVE (@LIVEDE@) TO DISK" --infobox \
+ "\nProcessing ${TOT_MODS} @CDISTRO@ Live modules ($(( $DU_LIVE/1024 )) MB)" 8 80 5000
+ (
+ rsync -HAXa --whole-file --checksum-choice=none --inplace \
+ --info=progress2 --no-inc-recursive \
+ /mnt/liveslakfs/ $T_PX/ ; echo DONE \
+ ) | ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "INSTALLING @UDISTRO@ LIVE (@LIVEDE@) TO DISK" --tailbox \
+ - 8 80
+ else
+ (
+ rsync -HAXa --whole-file --checksum-choice=none --inplace \
+ --info=progress2 --no-inc-recursive \
+ /mnt/liveslakfs/ $T_PX/ ; echo DONE \
+ ) | ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "INSTALLING @UDISTRO@ LIVE (@LIVEDE@) TO DISK" --programbox \
+ "\nProcessing ${TOT_MODS} @CDISTRO@ Live modules ($(( $DU_LIVE/1024 )) MB)" 8 80
+ fi
+
+ #
+ # Live OS Post Install routine. If you want, you can override this routine
+ # by (re-)defining this function "live_post_install()" in a file called
+ # "/usr/share/@LIVEMAIN@/setup2hd.@DISTRO@".
+ #
+
+ live_post_install () {
+ # ---------------------
+ # Set up a user account,
+ ${DIALOG} --title "@UDISTRO@ (@LIVEDE@) USER CREATION" \
+ --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --msgbox "You will first get the chance to create your user account, \
+and set its password.\nYour account will be added to 'sudoers'.\n\n\
+After that, you will be asked to set the root password." 11 55
+ # This will set UFULLNAME, UACCOUNT, UACCTNR and USHELL variables:
+ SeTuacct 2>&1 1> $TMP/uacctresult
+ if [ $? = 0 ]; then
+ # User filled out the form, so let's get the results for
+ # UFULLNAME, UACCOUNT, UACCTNR and USHELL:
+ source $TMP/uacctresult
+ rm -f $TMP/uacctresult
+ # Set a password for the new account:
+ UPASS=$(SeTupass $UACCOUNT)
+ # Create the account and set the password:
+ chroot ${T_PX} /usr/sbin/useradd -c "$UFULLNAME" -g users -G wheel,audio,cdrom,floppy,plugdev,video,power,netdev,lp,scanner,dialout,games,disk,input -u ${UACCTNR} -d /home/${UACCOUNT} -m -s ${USHELL} ${UACCOUNT}
+ echo "${UACCOUNT}:${UPASS}" | chroot ${T_PX} /usr/sbin/chpasswd
+ unset UPASS
+
+ # Configure suauth if we are not on a PAM system
+ # (where this does not work):
+ if [ ! -L ${T_PX}/lib@DIRSUFFIX@/libpam.so.? ]; then
+ cat <<EOT >${T_PX}/etc/suauth
+root:${UACCOUNT}:OWNPASS
+root:ALL EXCEPT GROUP wheel:DENY
+EOT
+ chmod 600 ${T_PX}/etc/suauth
+ fi
+
+ # Configure sudoers:
+ chmod 640 ${T_PX}/etc/sudoers
+ sed -i ${T_PX}/etc/sudoers -e 's/# *\(%wheel\sALL=(ALL)\sALL\)/\1/'
+ chmod 440 ${T_PX}/etc/sudoers
+ fi # End user creation
+ # ---------------------------
+
+ if [ "$(cat $T_PX/etc/shadow | grep 'root:' | cut -f 2 -d :)" = "" ]; then
+ # There is no root password yet:
+ UPASS=$(SeTupass root)
+ echo "root:${UPASS}" | chroot ${T_PX} /usr/sbin/chpasswd
+ unset UPASS
+ fi
+
+ # Add a rc.firewall script:
+ install -D -m0775 -t ${T_PX}/etc/rc.d/ /usr/share/@LIVEMAIN@/rc.firewall
+ # Install a firewall configuration script:
+ install -D -m755 /usr/share/@LIVEMAIN@/SeTfirewall ${T_PX}/usr/sbin/myfwconf
+ # Add a Slackware setup script invoking that 'myfwconf' script:
+ cat <<EOT >${T_PX}/var/log/setup/setup.firewall
+#!/bin/sh
+#BLURB="Configure a basic firewall."
+chroot . usr/sbin/myfwconf
+EOT
+ chmod 0775 ${T_PX}/var/log/setup/setup.firewall
+
+ # Re-use some of the custom configuration from 0099-@DISTRO@_zzzconf-*.sxz
+ # (some of these may not be present but the command will not fail):
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "POST-INSTALL @UDISTRO@ LIVE (@LIVEDE@) DATA" --infobox \
+ "\nCopying Live modifications to hard disk ..." 5 65
+ sleep 1 # It's too fast...
+ # Do not overwrite a custom keymap:
+ if [ ! -f $T_PX/etc/rc.d/rc.keymap ]; then
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /etc/rc.d/rc.keymap
+ fi
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /etc/X11/xinit/xinitrc \
+ /etc/X11/xdm/liveslak-xdm \
+ /etc/X11/xorg.conf.d/30-keyboard.conf \
+ /etc/inittab \
+ /etc/skel \
+ /etc/profile.d/lang.sh \
+ /etc/rc.d/rc.font \
+ /etc/rc.d/rc.gpm \
+ /etc/slackpkg \
+ /etc/vconsole.conf \
+ /var/lib/sddm/state.conf \
+ /var/lib/slackpkg
+ # Point xdm to the custom /etc/X11/xdm/liveslak-xdm/xdm-config:
+ sed -i ${T_PX}/etc/rc.d/rc.4 -e 's,bin/xdm -nodaemon,& -config /etc/X11/xdm/liveslak-xdm/xdm-config,'
+ # If gcc was not installed, create a symlink to cpp pointing to mcpp;
+ # liveslak's XDM theme needs a C preprocessor to calculate screen positions:
+ if [ ! -x ${T_PX}/usr/bin/cpp ]; then
+ ln -s mcpp ${T_PX}/usr/bin/cpp
+ fi
+ # If nvi was not installed, do not use it as a default selection:
+ if [ ! -x ${T_PX}/usr/bin/nvi ] && [ -e ${T_PX}/var/log/setup/setup.vi-ex ];
+ then
+ sed -e 's/default-item "nvi/default-item "elvis/' -i ${T_PX}/var/log/setup/setup.vi-ex
+ fi
+ # Prevent SeTconfig from asking redundant questions later on:
+ sed -i /usr/share/@LIVEMAIN@/SeTconfig \
+ -e '/.\/var\/log\/setup\/$SCRIPT $T_PX $ROOT_DEVICE/i # Skip stuff that was taken care of by liveslak\nif echo $SCRIPT |grep -E "(make-bootdisk|mouse|setconsolefont|xwmconfig)"; then continue; fi'
+
+ # If a user account was created, we restore some of the user customization:
+ if [ -n "${UACCOUNT}" ] && [ -d "${T_PX}/home/${UACCOUNT}" ]; then
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /home/@LIVEUID@/.face \
+ /home/@LIVEUID@/.face.icon \
+ /home/@LIVEUID@/.bashrc \
+ /home/@LIVEUID@/.profile \
+ /home/@LIVEUID@/.screenrc \
+ /home/@LIVEUID@/.xprofile \
+ /home/@LIVEUID@/.xscreensaver
+ fi
+
+ # If the Live OS is real-time capable we need to apply that to the install:
+ if [ "@LIVEDE@" = "DAW" -o "@LIVEDE@" = "STUDIOWARE" ]; then
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /etc/security/limits.d/rt_audio.conf \
+ /etc/initscript \
+ /etc/udev/rules.d/40-timer-permissions.rules \
+ /etc/sysctl.d/daw.conf
+ fi
+
+ # Copy relevant settings for Live DAW:
+ if [ "@LIVEDE@" = "DAW" ]; then
+ LCLIVEDE=$(echo @LIVEDE@ |tr 'A-Z' 'a-z')
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /etc/pulse/daemon.conf \
+ /etc/xdg/menus/applications-merged/liveslak-daw.menu \
+ /usr/share/desktop-directories/liveslak-daw.directory \
+ /usr/share/icons/hicolor/256x256/apps/liveslak-daw.png \
+ /usr/share/applications \
+ /usr/share/wallpapers/${LCLIVEDE} \
+ /usr/share/@LIVEMAIN@/${LCLIVEDE}/background.jpg \
+ /usr/share/sddm/themes/breeze/${LCLIVEDE}_background.jpg \
+ /usr/share/sddm/themes/breeze/theme.conf.user
+
+ # If a user account was created, we restore DAW user customization:
+ if [ -n "${UACCOUNT}" ] && [ -d "${T_PX}/home/${UACCOUNT}" ]; then
+ unsquashfs -n -f -dest $T_PX \
+ /mnt/livemedia/@LIVEMAIN@/system/0099*zzzconf*.sxz \
+ /home/@LIVEUID@/.jackdrc \
+ /home/@LIVEUID@/.config/autostart/qjackctl.desktop \
+ /home/@LIVEUID@/.config/rncbc.org/QjackCtl.conf \
+ /home/@LIVEUID@/.config/kscreenlockerrc \
+ /home/@LIVEUID@/.config/plasmarc
+ fi
+ fi
+
+ # If we restored user customizations and the new user account is
+ # not the same as the live user, sync the files over:
+ if [ "@LIVEUID@" != ${UACCOUNT} ]; then
+ rsync -a $T_PX/home/@LIVEUID@/ $T_PX/home/${UACCOUNT}/
+ rm -rf $T_PX/home/@LIVEUID@
+ # Also change SDDM default user:
+ sed -i ${T_PX}/var/lib/sddm/state.conf -e "s/User=@LIVEUID@/User=${UACCOUNT}/g"
+ fi
+ # Let's ensure the proper ownership:
+ chroot ${T_PX} /usr/bin/chown -R ${UACCTNR} /home/${UACCOUNT}
+
+ # Remove the marker file from the filesystem root:
+ rm -f ${T_PX}/@MARKER@
+
+ cat << EOF > $TMP/tempmsg
+
+ @CDISTRO@ Live Edition (@LIVEDE@) has been installed to your hard drive!
+ We installed the ${ACT_MODS} active modules (out of ${TOT_MODS} available).
+ The following configuration was copied from the Live OS to your harddisk:
+ - console font
+ - default runlevel
+ - keyboard layout
+ - language setting
+ - slackpkg/slackpkg+
+
+EOF
+ ${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
+ --title "POST INSTALL HINTS AND TIPS" --msgbox "`cat $TMP/tempmsg`" \
+ 19 65
+ rm $TMP/tempmsg
+
+ MAINSELECT="CONFIGURE"
+ } # END live_post_install() function
+
+
+ if [ -f /usr/share/@LIVEMAIN@/setup2hd.@DISTRO@ ]; then
+ # If the setup2hd post-configuration file exists, source it.
+ # The file should re-define the live_post_install() function.
+ . /usr/share/@LIVEMAIN@/setup2hd.@DISTRO@
+ fi
+
+ # Now, execute the function - either our own built-in version
+ # or the re-defined function from the custom setup2hd.@DISTRO@ file.
+ live_post_install
+
+ # --------------------------------------------- #
+ # Slackware Live Edition - end install to disk: #
+ # --------------------------------------------- #
+
+ fi
+ # End liveslak installation routine.
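Review bot: The tail of `live_post_install` uses `${UACCOUNT}` and `${UACCTNR}` even when `SeTuacct` returned non-zero and both are empty: `[ "@LIVEUID@" != ${UACCOUNT} ]` then ends in a test error and `chown -R ${UACCTNR} /home/${UACCOUNT}` runs with a missing operand. Wrapping the rsync/rm/sed/chown steps in `if [ -n "${UACCOUNT}" ] && [ -d "${T_PX}/home/${UACCOUNT}" ]; then`, the guard the unsquashfs steps above already use, and quoting the comparison as `"${UACCOUNT}"` keeps that path well-defined. `rm -rf "${T_PX:?}/home/@LIVEUID@"` would also stop the removal from landing on the live system's own /home if `T_PX` is ever empty. Separately, the `useradd -G` list includes `disk`, which typically grants raw read/write access to block devices without any password prompt; unless something in the Live OS needs it, I would drop it and leave disk access to sudo.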
diff --git a/setup2hd/setup.slackware.tpl b/setup2hd/setup.slackware.tpl
new file mode 100644
index 0000000..e1b9fa1
--- /dev/null
+++ b/setup2hd/setup.slackware.tpl
@@ -0,0 +1,164 @@
+# This script is sourced from setup2hd.
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+ # Slackware installation routine as taken from original 'setup':
+ if [ "$MAINSELECT" = "INSTALL" ]; then
+ if [ ! -r $TMP/SeTSERIES -o ! -r $TMP/SeTsource -o ! -r $TMP/SeTnative ]; then
+ ${DIALOG} --title "CANNOT INSTALL SOFTWARE YET" --msgbox "\
+\n\
+Before you can install software, complete the following tasks:\n\
+\n\
+1. Select your source media.\n\
+2. Set up your target Linux partition(s).\n\
+3. Select which software categories to install.\n\
+\n\
+You may also optionally remap your keyboard and set up your\n\
+swap partition(s). \n\
+\n\
+Press ENTER to return to the main menu." 16 68
+ continue
+ fi
+ SERIES="`cat $TMP/SeTSERIES`"
+ SOURCE_DEVICE="`cat $TMP/SeTsource`"
+ IGNORE_TAGFILES=""
+ while [ 0 ]; do
+ ${DIALOG} --title "SELECT PROMPTING MODE" --default-item "terse" --menu \
+ "Now you must select the type of prompts you'd like to see during the \
+installation process. If you have the drive space, the 'full' option \
+is quick, easy, and by far the most foolproof choice. The 'newbie' \
+mode provides the most information but is much more time-consuming \
+(presenting the packages one by one) than the menu-based choices. \
+Otherwise, you can pick packages from menus \
+using 'expert' or 'menu' mode. Which type of prompting would you like \
+to use?" \
+ 20 76 7 \
+ "full" "Install everything (9+ GB of software, RECOMMENDED!)" \
+ "terse" "Like 'full', but display one line per package during install" \
+ "menu" "Choose individual packages from interactive menus" \
+ "expert" "This is actually the same as the \"menu\" option" \
+ "newbie" "Use verbose prompting (the X series takes one year)" \
+ "custom" "Use custom tagfiles in the package directories" \
+ "tagpath" "Use tagfiles in the subdirectories of a custom path" \
+ "help" "Read the prompt mode help file" 2> $TMP/SeTpmode
+ if [ ! $? = 0 ]; then
+ rm -f $TMP/SeTpmode
+ exit
+ fi
+ MODE="`cat $TMP/SeTpmode`"
+ rm -f $TMP/SeTtagext
+ if [ "$MODE" = "help" ]; then
+ ${DIALOG} --title "PROMPT MODE HELP" --exit-label OK --textbox "/usr/lib/setup/PROMPThelp" 19 65
+ fi
+ if [ "$MODE" = "tagpath" ]; then
+ ${DIALOG} --title "PROVIDE A CUSTOM PATH TO YOUR TAGFILES" --inputbox \
+ "If you're installing from CD or DVD, it's impossible to edit the \
+tagfiles that are in the package directories. In this case, you might \
+want to provide a path to your custom tagfiles. As an example, you \
+could create a /tagfiles directory and mount a floppy disk containing \
+the tagfiles on that directory. Then you'd enter '/tagfiles' at the \
+prompt below. The setup program will look for your tagfile in \
+SUBDIRECTORIES of the path you provide, such as /tagfiles/a, \
+/tagfiles/ap, /tagfiles/d, and so on. You only need to provide a \
+subdirectory and tagfile for the first disk of each series to be \
+installed. If a custom tagfile is not found at the path you provide, \
+setup will revert to the default tagfiles. Please enter the path to your \
+custom tagfiles:" \
+ 19 71 2> $TMP/SeTtagpath
+ if [ ! $? = 0 ]; then
+ continue
+ fi
+ if [ -r $TMP/SeTtagpath ]; then
+ if [ "`cat $TMP/SeTtagpath`" = "" ]; then
+ rm -f $TMP/SeTtagpath
+ elif [ ! -d "$(cat $TMP/SeTtagpath)" ]; then
+ ${DIALOG} --title "NOT A VALID DIRECTORY" --msgbox \
+"Sorry, but the $(cat $TMP/SeTtagpath) directory could not be located. \
+Press ENTER to go back to the SELECT PROMPTING MODE menu." \
+7 65
+ rm -f $TMP/SeTtagpath
+ continue
+ fi
+ fi
+ break;
+ fi
+ if [ "$MODE" = "newbie" ]; then
+ ${DIALOG} --infobox "'newbie' prompt mode selected. Using default tagfiles \
+and verbose package prompting." 4 50
+ break;
+ fi
+ if [ "$MODE" = "custom" ]; then
+ ${DIALOG} --title "ENTER CUSTOM EXTENSION" --inputbox "Now, enter the custom \
+extension you have used for your tagfiles. This must be a valid MS-DOS format \
+file extension consisting of a period followed by three characters. For \
+example, I use '.pat'. You might see my tagfiles on your disks. :^)" \
+12 60 2> $TMP/SeTtagext
+ if [ ! $? = 0 ]; then
+ continue
+ fi
+ if [ -r $TMP/SeTtagext ]; then
+ if [ "`cat $TMP/SeTtagext`" = "" ]; then
+ rm -f $TMP/SeTtagext
+ fi
+ fi
+ ${DIALOG} --infobox "'custom' prompt mode selected. Using prompting defaults \
+found in custom tagfiles." 4 50
+ break;
+ fi
+ if [ "$MODE" = "full" ]; then
+ IGNORE_TAGFILES="-ignore_tagfiles"
+ ${DIALOG} --infobox "Full installation mode. Installing all software \
+packages without prompting." 4 45
+ break;
+ fi
+ if [ "$MODE" = "terse" ]; then
+ setterm -background cyan -foreground black -blank 0
+ clear
+ IGNORE_TAGFILES="-ignore_tagfiles"
+ echo
+ echo
+ echo "Full (terse display) installation mode."
+ echo
+ echo "A one-line description will be displayed as each package is installed."
+ echo
+ break;
+ fi
+ if [ "$MODE" = "menu" ]; then
+ ${DIALOG} --infobox "'menu' prompt mode selected. Using interactive menus \
+to choose subsystems of related packages." 4 60
+ break;
+ fi
+ if [ "$MODE" = "expert" ]; then
+ ${DIALOG} --infobox "'expert' prompt mode selected. Using interactive menus \
+to choose packages individually." 4 60
+ break;
+ fi
+ done
+ export MAKETAG;
+ sleep 1
+ # On a new system, make /etc/mtab a symlink to /proc/mounts:
+ if [ ! -r $T_PX/etc/mtab ]; then
+ mkdir -p $T_PX/etc
+ ( cd $T_PX/etc ; ln -sf /proc/mounts mtab )
+ fi
+ # Do the package install:
+ if [ -r $TMP/SeTCDdev ]; then # only try to remount media if it's a CD/DVD
+ slackinstall --device `cat $TMP/SeTCDdev` --promptmode $MODE --srcpath `cat $TMP/SeTDS` --mountpoint /var/log/mount --target $T_PX --series $SERIES
+ elif [ -r $TMP/SeTremotesvr ]; then
+ slackinstall --device noremount --promptmode $MODE --srcpath `cat $TMP/SeTDS` --mountpoint /var/log/mount --target $T_PX --series $SERIES --net `cat $TMP/SeTremotesvr`
+ else
+ slackinstall --device noremount --promptmode $MODE --srcpath `cat $TMP/SeTDS` --mountpoint /var/log/mount --target $T_PX --series $SERIES
+ fi
+ # Run ldconfig on the newly installed system:
+ if [ -x $T_PX/sbin/ldconfig ]; then
+ $T_PX/sbin/ldconfig -r $T_PX
+ fi
+ if [ $MODE = terse ]; then
+ # Let's pause a moment and then restore the terminal settings
+ sleep 1
+ setterm -background black -foreground white -blank 0
+ fi
+ MAINSELECT="CONFIGURE"
+ fi
+ # End Slackware installation routine.
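Review bot: Cancelling the SELECT PROMPTING MODE menu runs `rm -f $TMP/SeTpmode` followed by a bare `exit`, and because this file is sourced from setup2hd that ends the whole installer with status 0 and without touching the target mount. The liveslak routine's abort path does `umount $T_PX` and then `exit 1`; using the same two lines here would make the two routines agree and let a wrapper see the abort. Whether `$T_PX` is still mounted at that point is decided outside this hunk, so it should be checked against setup2hd before changing.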