
Merge branch 'stretch' of https://github.com/bashrc/freedombone

Bob Mottram 7 gadus atpakaļ
vecāks
revīzija
85e9e38dc5

+ 0
- 1
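--- a/Makefile
+++ b/Makefile
@@ -27,7 +27,6 @@ install:
 	cp img/backgrounds/${APP}_*.png ${DESTDIR}${PREFIX}/share
 	cp img/avatars/* ${DESTDIR}/usr/share/${APP}/avatars
 	cp src/* ${DESTDIR}${PREFIX}/bin
-#	cp src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
 	cp src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
 	cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
 	cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends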

+ 6
- 0
src/freedombone-app-ghost Parādīt failu

@@ -200,6 +200,9 @@ function upgrade_ghost {
200 200
     ghost_replace_services
201 201
     ghost_remove_offsite_links
202 202
 
203
+    if [ -f /usr/local/bin/ghost ]; then
204
+        chown root:root /usr/local/bin/ghost
205
+    fi
203 206
     chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs
204 207
     systemctl restart ghost
205 208
 }
@@ -526,6 +529,9 @@ function install_ghost {
526 529
     function_check add_ddns_domain
527 530
     add_ddns_domain $GHOST_DOMAIN_NAME
528 531
 
532
+    if [ -f /usr/local/bin/ghost ]; then
533
+        chown root:root /usr/local/bin/ghost
534
+    fi
529 535
     chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs
530 536
     set_completion_param "ghost domain" "$GHOST_DOMAIN_NAME"
531 537
     if ! grep -q "ghost version:" ${COMPLETION_FILE}; then
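Review bot: The new guard in upgrade_ghost and install_ghost only resets the owner of /usr/local/bin/ghost; its mode bits are left untouched, so a group- or world-writable launcher would still be executable and now root-owned after this runs. If the intent is to keep the launcher from being altered by the service account, pair the chown with `chmod go-w /usr/local/bin/ghost` in the same branch. The same three lines appear in both hunks; a small helper called from both would keep them in sync. Both enclosing functions start outside their hunks.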

+ 3
- 1
src/freedombone-app-gnusocial Parādīt failu

@@ -570,7 +570,9 @@ function remove_gnusocial {
570 570
     sed -i '/gnusocial/d' $COMPLETION_FILE
571 571
     remove_backup_database_local gnusocial
572 572
 
573
-    sed -i '/gnusocial-firewall/d' /etc/crontab
573
+    if grep -q 'gnusocial-firewall' /etc/crontab; then
574
+        sed -i '/gnusocial-firewall/d' /etc/crontab
575
+    fi
574 576
 
575 577
     function_check remove_ddns_domain
576 578
     remove_ddns_domain $GNUSOCIAL_DOMAIN_NAME

+ 14
- 4
src/freedombone-app-kanboard Parādīt failu

@@ -48,13 +48,23 @@ kanboard_variables=(ONION_ONLY
48 48
                     MY_USERNAME)
49 49
 
50 50
 function logging_on_kanboard {
51
-    kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
52
-    sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');|g" $kanboard_configfile
51
+    read_config_param KANBOARD_DOMAIN_NAME
52
+    if [ $KANBOARD_DOMAIN_NAME ]; then
53
+        kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
54
+        if [ -f $kanboard_configfile ]; then
55
+            sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');|g" $kanboard_configfile
56
+        fi
57
+    fi
53 58
 }
54 59
 
55 60
 function logging_off_kanboard {
56
-    kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
57
-    sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', '/dev/null');|g" $kanboard_configfile
61
+    read_config_param KANBOARD_DOMAIN_NAME
62
+    if [ $KANBOARD_DOMAIN_NAME ]; then
63
+        kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
64
+        if [ -f $kanboard_configfile ]; then
65
+            sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', '/dev/null');|g" $kanboard_configfile
66
+        fi
67
+    fi
58 68
 }
59 69
 
60 70
 function remove_user_kanboard {
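Review bot: `if [ $KANBOARD_DOMAIN_NAME ]` and `if [ -f $kanboard_configfile ]` in logging_on_kanboard and logging_off_kanboard expand the variables unquoted, so a value containing whitespace or glob characters changes the shape of the test instead of simply failing it. Use `if [ -n "$KANBOARD_DOMAIN_NAME" ]; then` and `if [ -f "$kanboard_configfile" ]; then`, and quote the file argument to sed the same way. The two functions differ only in the replacement text for LOG_FILE; a shared helper taking that value as its argument would avoid maintaining the config lookup twice.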

+ 12
- 2
src/freedombone-app-keyserver Parādīt failu

@@ -66,7 +66,7 @@ function keyserver_watchdog {
66 66
     read_config_param KEYSERVER_DOMAIN_NAME
67 67
 
68 68
     # check database size hourly
69
-    keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog
69
+    keyserver_watchdog_script=/tmp/keyserver-watchdog
70 70
     echo '#!/bin/bash' > $keyserver_watchdog_script
71 71
     echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script
72 72
     echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script
@@ -80,8 +80,18 @@ function keyserver_watchdog {
80 80
     echo "    echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
81 81
     echo '  fi' >> $keyserver_watchdog_script
82 82
     echo 'fi' >> $keyserver_watchdog_script
83
-
84 83
     chmod +x $keyserver_watchdog_script
84
+
85
+    if [ ! -f /etc/cron.hourly/keyserver-watchdog ]; then
86
+        cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
87
+    else
88
+        HASH1=$(sha256sum $keyserver_watchdog_script | awk -F ' ' '{print $1}')
89
+        HASH2=$(sha256sum /etc/cron.hourly/keyserver-watchdog | awk -F ' ' '{print $1}')
90
+        if [[ "$HASH1" != "$HASH2" ]]; then
91
+            cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
92
+        fi
93
+    fi
94
+    rm $keyserver_watchdog_script
85 95
 }
86 96
 
87 97
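Review bot: keyserver_watchdog now assembles the cron script as root at the fixed, predictable path /tmp/keyserver-watchdog, and `echo '#!/bin/bash' > $keyserver_watchdog_script` truncates whatever that name resolves to; in a shared /tmp a file pre-created by a less privileged user at that name stays writable by that user between the echo lines and the cp, so content of their choosing can end up in /etc/cron.hourly, and where fs.protected_symlinks is not in force a planted symlink additionally redirects the root write elsewhere. Create the scratch file with `keyserver_watchdog_script=$(mktemp /tmp/keyserver-watchdog.XXXXXX)` (exclusive create, mode 0600) or write it under a root-only directory such as /root or /var/lib. refresh_gpg_keys in src/freedombone-base-email makes the same move to /tmp/update-gpg-keys and needs the same treatment. The second hunk's hash-compare-then-cp is sound; note that cp keeps an existing destination's mode, while a freshly created /etc/cron.hourly/keyserver-watchdog inherits the scratch file's mode, so the `chmod +x` must stay ahead of the copy as it does here.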
 

+ 0
- 5
src/freedombone-app-koel Parādīt failu

@@ -466,16 +466,11 @@ function remove_koel {
466 466
     drop_database koel
467 467
     function_check remove_onion_service
468 468
     remove_onion_service koel ${KOEL_ONION_PORT}
469
-    if grep -q "koel" /etc/crontab; then
470
-        sed -i "/koel/d" /etc/crontab
471
-    fi
472 469
     remove_app koel
473 470
     remove_completion_param install_koel
474 471
     sed -i '/koel/d' $COMPLETION_FILE
475 472
     remove_backup_database_local koel
476 473
 
477
-    sed -i '/koel-firewall/d' /etc/crontab
478
-
479 474
     function_check remove_ddns_domain
480 475
     remove_ddns_domain $KOEL_DOMAIN_NAME
481 476
 }

+ 12
- 17
src/freedombone-app-nextcloud Parādīt failu

@@ -183,16 +183,20 @@ function configure_interactive_nextcloud {
183 183
     echo -n ''
184 184
 }
185 185
 
186
+function upgrade_nextcloud_base {
187
+    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
188
+    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
189
+    cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
190
+    sudo -u www-data ./occ maintenance:repair
191
+    sudo -u www-data ./occ files:cleanup
192
+    sudo -u www-data ./occ files:scan --all
193
+    sudo -u www-data ./occ maintenance:mode --off
194
+}
195
+
186 196
 function upgrade_nextcloud {
187 197
     CURR_NEXTCLOUD_COMMIT=$(get_completion_param "nextcloud commit")
188 198
     if [[ "$CURR_NEXTCLOUD_COMMIT" == "$NEXTCLOUD_COMMIT" ]]; then
189
-        chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
190
-        chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
191
-        cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
192
-        sudo -u www-data ./occ maintenance:repair
193
-        sudo -u www-data ./occ files:cleanup
194
-        sudo -u www-data ./occ files:scan --all
195
-        sudo -u www-data ./occ maintenance:mode --off
199
+        upgrade_nextcloud_base
196 200
         return
197 201
     fi
198 202
 
@@ -204,13 +208,7 @@ function upgrade_nextcloud {
204 208
     function_check set_repo_commit
205 209
     set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO
206 210
 
207
-    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
208
-    chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
209
-    cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
210
-    sudo -u www-data ./occ maintenance:repair
211
-    sudo -u www-data ./occ files:cleanup
212
-    sudo -u www-data ./occ files:scan --all
213
-    sudo -u www-data ./occ maintenance:mode --off
211
+    upgrade_nextcloud_base
214 212
 }
215 213
 
216 214
 
@@ -374,9 +372,6 @@ function remove_nextcloud {
374 372
     drop_database nextcloud
375 373
     function_check remove_onion_service
376 374
     remove_onion_service nextcloud ${NEXTCLOUD_ONION_PORT}
377
-    if grep -q "nextcloud" /etc/crontab; then
378
-        sed -i "/nextcloud/d" /etc/crontab
379
-    fi
380 375
     remove_app nextcloud
381 376
     remove_completion_param install_nextcloud
382 377
     sed -i '/nextcloud/d' $COMPLETION_FILE
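Review bot: upgrade_nextcloud_base runs `cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs` without checking that it succeeded, so if the directory is missing or the variable is empty the following `sudo -u www-data ./occ …` lines execute relative to the caller's working directory, and the shell stays wherever it was afterwards. Use `cd "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" || return 1` and quote the same variable in the two chown lines. A one-line header comment saying the function resets ownership and runs the occ repair/scan steps shared by both upgrade paths would help, since the name alone does not say that.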

+ 29
- 25
src/freedombone-app-xmpp Parādīt failu

@@ -65,19 +65,23 @@ function logging_on_xmpp {
65 65
             mkdir /var/log/prosody
66 66
             chown root:adm /var/log/prosody
67 67
         fi
68
-        sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua
69
-        sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua
70
-        sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua
68
+        if ! grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
69
+            sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua
70
+            sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua
71
+            sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua
72
+        fi
71 73
     fi
72 74
 }
73 75
 
74 76
 function logging_off_xmpp {
75 77
     if [ -d /etc/prosody ]; then
76
-        sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
77
-        sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
78
-        sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
79
-        $REMOVE_FILES_COMMAND /var/log/prosody/*
80
-        rm -rf /var/log/prosody
78
+        if grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
79
+            sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
80
+            sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
81
+            sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
82
+            $REMOVE_FILES_COMMAND /var/log/prosody/*
83
+            rm -rf /var/log/prosody
84
+        fi
81 85
     fi
82 86
 }
83 87
 
@@ -90,12 +94,14 @@ function xmpp_add_onion_address {
90 94
     if [ ${#onion_address} -eq 0 ]; then
91 95
         return
92 96
     fi
93
-    if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
94
-        sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua
95
-    else
96
-        sed -i "/onions_map = {/a  [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua
97
+    if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua; then
98
+        if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
99
+            sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua
100
+        else
101
+            sed -i "/onions_map = {/a  [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua
102
+        fi
103
+        systemctl restart prosody
97 104
     fi
98
-    systemctl restart prosody
99 105
 }
100 106
 
101 107
 function xmpp_add_onion_address_interactive {
@@ -132,14 +138,19 @@ function xmpp_remove_onion_address {
132 138
     if [ ${#domain_name} -eq 0 ]; then
133 139
         return
134 140
     fi
141
+    xmpp_changed=
135 142
     if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
136 143
         sed -i "/[\"${domain_name}\"]/d" /etc/prosody/prosody.cfg.lua
144
+        xmpp_changed=1
137 145
     fi
138 146
 
139 147
     if grep -q "= \"${domain_name}\";" /etc/prosody/prosody.cfg.lua; then
140 148
         sed -i "/= \"${domain_name}\";/d" /etc/prosody/prosody.cfg.lua
149
+        xmpp_changed=1
150
+    fi
151
+    if [ $xmpp_changed ]; then
152
+        systemctl restart prosody
141 153
     fi
142
-    systemctl restart prosody
143 154
 }
144 155
 
145 156
 function xmpp_remove_onion_address_interactive {
@@ -355,16 +366,6 @@ function update_prosody_modules {
355 366
         fi
356 367
     fi
357 368
 
358
-    # change to using pep rather than profile modules
359
-    if grep -q '"pep"' /etc/prosody/prosody.cfg.lua; then
360
-        # This strange dance seems to fix occasional breakage of PEP
361
-        # Is there a better solution?
362
-        sed -i 's|"pep"|"profile"|g' /etc/prosody/prosody.cfg.lua
363
-        systemctl restart prosody
364
-        sleep 4
365
-        sed -i 's|"profile"|"pep"|g' /etc/prosody/prosody.cfg.lua
366
-        systemctl restart prosody
367
-    fi
368 369
     if ! grep -q '"vcard"' /etc/prosody/prosody.cfg.lua; then
369 370
         systemctl stop prosody
370 371
         sed -i '/"pep"/a "vcard";' /etc/prosody/prosody.cfg.lua
@@ -374,7 +375,10 @@ function update_prosody_modules {
374 375
 
375 376
 function upgrade_xmpp {
376 377
     if [ -d /etc/letsencrypt ]; then
377
-        usermod -a -G ssl-cert prosody
378
+        prosody_groups=$(groups prosody)
379
+        if [[ "$prosody_groups" != *'ssl-cert'* ]]; then
380
+            usermod -a -G ssl-cert prosody
381
+        fi
378 382
     fi
379 383
     function_check update_prosody_modules
380 384
     update_prosody_modules
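Review bot: In xmpp_add_onion_address the new guard `if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua` lacks the `-q` every other grep in this file uses, so the matching line is printed to the terminal whenever the address is already present, and the address is interpreted as a regular expression in which the `.` of `.onion` matches any character. `if ! grep -qF -- "${onion_address}" /etc/prosody/prosody.cfg.lua; then` fixes both. In xmpp_remove_onion_address the `xmpp_changed` flag works, but `if [ -n "$xmpp_changed" ]; then` states the intent more plainly than the bare `[ $xmpp_changed ]`. xmpp_add_onion_address starts before its hunk.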

+ 65
- 9
src/freedombone-base-email Parādīt failu

@@ -326,11 +326,26 @@ function encrypt_all_email {
326 326
     fi
327 327
 
328 328
     if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then
329
-        cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
329
+        if [ ! -f /usr/bin/encmaildir ]; then
330
+            cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
331
+        else
332
+            HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}')
333
+            HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}')
334
+            if [[ "$HASH1" != "$HASH2" ]]; then
335
+                cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
336
+            fi
337
+        fi
330 338
     else
331
-        cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
339
+        if [ ! -f /usr/bin/encmaildir ]; then
340
+            cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
341
+        else
342
+            HASH1=$(sha256sum /usr/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}')
343
+            HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}')
344
+            if [[ "$HASH1" != "$HASH2" ]]; then
345
+                cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
346
+            fi
347
+        fi
332 348
     fi
333
-    chmod +x /usr/bin/encmaildir
334 349
 
335 350
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
336 351
         return
@@ -497,16 +512,35 @@ function email_archiving {
497 512
 
498 513
     # ensure that the mail archive script is up to date
499 514
     if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then
500
-        cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
515
+        if [ ! -f /etc/cron.daily/archivemail ]; then
516
+            cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
517
+            chmod +x /etc/cron.daily/archivemail
518
+        else
519
+            HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')
520
+            HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}')
521
+            if [[ "$HASH1" != "$HASH2" ]]; then
522
+                cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
523
+                chmod +x /etc/cron.daily/archivemail
524
+            fi
525
+        fi
501 526
     else
502 527
         if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then
503
-            cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
528
+            if [ ! -f /etc/cron.daily/archivemail ]; then
529
+                cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
530
+                chmod +x /etc/cron.daily/archivemail
531
+            else
532
+                HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')
533
+                HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}')
534
+                if [[ "$HASH1" != "$HASH2" ]]; then
535
+                    cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
536
+                    chmod +x /etc/cron.daily/archivemail
537
+                fi
538
+            fi
504 539
         else
505 540
             echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed."
506 541
             exit 62379
507 542
         fi
508 543
     fi
509
-    chmod +x /etc/cron.daily/archivemail
510 544
 
511 545
     # update to the next commit
512 546
     function_check set_repo_commit
@@ -526,7 +560,15 @@ function email_archiving {
526 560
     git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT
527 561
     set_completion_param "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT"
528 562
 
529
-    cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
563
+    if [ ! -f /usr/bin/cleanup-maildir ]; then
564
+        cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
565
+    else
566
+        HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}')
567
+        HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
568
+        if [[ "$HASH1" != "$HASH2" ]]; then
569
+            cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
570
+        fi
571
+    fi
530 572
 
531 573
     mark_completed $FUNCNAME
532 574
 }
@@ -1621,7 +1663,7 @@ function configure_gpg {
1621 1663
 }
1622 1664
 
1623 1665
 function refresh_gpg_keys {
1624
-    REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys
1666
+    REFRESH_GPG_KEYS_SCRIPT=/tmp/update-gpg-keys
1625 1667
     echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT
1626 1668
     echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT
1627 1669
     echo "    /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT
@@ -1631,6 +1673,18 @@ function refresh_gpg_keys {
1631 1673
     echo 'exit 0' >> $REFRESH_GPG_KEYS_SCRIPT
1632 1674
     chmod +x $REFRESH_GPG_KEYS_SCRIPT
1633 1675
 
1676
+    if [ ! -f /usr/bin/update-gpg-keys ]; then
1677
+        cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys
1678
+    else
1679
+        HASH1=$(sha256sum $REFRESH_GPG_KEYS_SCRIPT | awk -F ' ' '{print $1}')
1680
+        HASH2=$(sha256sum /usr/bin/update-gpg-keys | awk -F ' ' '{print $1}')
1681
+        if [[ "$HASH1" != "$HASH2" ]]; then
1682
+            cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys
1683
+        fi
1684
+        rm $REFRESH_GPG_KEYS_SCRIPT
1685
+    fi
1686
+
1687
+    REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys
1634 1688
     if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then
1635 1689
         sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab
1636 1690
     fi
@@ -1639,7 +1693,9 @@ function refresh_gpg_keys {
1639 1693
         echo "$GPG_REFRESH_TIME            */$REFRESH_GPG_KEYS_HOURS *   *   *   root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab
1640 1694
         systemctl restart cron
1641 1695
     else
1642
-        sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab
1696
+        if ! grep "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then
1697
+            sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab
1698
+        fi
1643 1699
     fi
1644 1700
 }
1645 1701
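Review bot: In email_archiving the branch taken when only /usr/bin/${PROJECT_NAME}-archive-mail exists computes HASH1 from, and copies from, /usr/local/bin/${PROJECT_NAME}-archive-mail, which the enclosing `else` has just established is absent: HASH1 is empty, the comparison always differs, and the cp fails. Those two lines should read `HASH1=$(sha256sum /usr/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')` and `cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail`. In encrypt_all_email the unconditional `chmod +x /usr/bin/encmaildir` was dropped with no replacement, unlike email_archiving which re-adds it after each cp; a freshly created /usr/bin/encmaildir inherits the source file's mode, so keep the chmod after the copies. In refresh_gpg_keys the `rm $REFRESH_GPG_KEYS_SCRIPT` sits inside the else branch only, leaving the scratch file behind on a first install; move it after the closing fi. The six near-identical hash-compare-then-copy blocks in this file and in keyserver_watchdog would collapse into one helper such as `copy_if_changed src dst`, which would also have prevented the path slip.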
 

+ 15
- 1
src/freedombone-base-tripwire Parādīt failu

@@ -58,7 +58,7 @@ function install_tripwire {
58 58
     debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false"
59 59
     debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false"
60 60
 
61
-    apt-get -yq install tripwire
61
+    apt-get -yq install tripwire qrencode
62 62
     apt-get -yq autoremove
63 63
     cd /etc/tripwire
64 64
 
@@ -105,6 +105,11 @@ function install_tripwire {
105 105
     if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
106 106
         sed -i '\|/etc\t\t->.*|a\    !/etc/tripwire ;' /etc/tripwire/twpol.txt
107 107
     fi
108
+    # Ignore /etc/freedombone
109
+    if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then
110
+        sed -i '\|/etc\t\t->.*|a\    !/etc/freedombone ;' /etc/tripwire/twpol.txt
111
+    fi
112
+    # Ignore /etc/pihole
108 113
     if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then
109 114
         sed -i '\|/etc\t\t->.*|a\    !/etc/pihole ;' /etc/tripwire/twpol.txt
110 115
     fi
@@ -115,6 +120,15 @@ function install_tripwire {
115 120
     if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
116 121
         sed -i '\|/etc\t\t->.*|a\    !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
117 122
     fi
123
+    # ignore global node modules
124
+    if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
125
+        sed -i '\|/etc\t\t->.*|a\    !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
126
+    fi
127
+
128
+    # Not much is in /usr/local/bin other than project commands and avoiding it removes
129
+    # problems with updates. This is a tradeoff, but not by much.
130
+    sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt
131
+
118 132
     # Avoid logging the changed database
119 133
     sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
120 134
     # site key name
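Review bot: The added `sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt` removes every /usr/local/bin entry from the policy, so the project's own root-run commands and the scripts this same commit copies out of that directory fall outside integrity checking; the comment records the trade-off, but that directory is precisely where tampering with this system would be most valuable, so the cost is larger than "not by much" suggests. Consider keeping the entries and instead re-initialising the database after an upgrade, which the verification-code flow added to the control panel already supports, or narrowing the exclusion to the specific files that churn. The new `!/etc/freedombone` exclusion likewise hides the project's configuration directory from tripwire; if it holds anything that should not change silently, say so in the comment. install_tripwire starts before the first hunk and continues after the last.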

+ 1
- 1
src/freedombone-client Parādīt failu

@@ -96,7 +96,7 @@ function refresh_gpg_keys {
96 96
     fi
97 97
     sudo cp /etc/crontab ~/temp_crontab
98 98
     sudo chown $CURR_USER:$CURR_GROUP ~/temp_crontab
99
-    if ! grep -q "gpg --refresh-keys" ~/temp_crontab; then
99
+    if ! grep -q 'gpg --refresh-keys' ~/temp_crontab; then
100 100
         echo "0            */$REFRESH_GPG_KEYS_HOURS *   *   *   $CURR_USER /usr/bin/gpg --refresh-keys > /dev/null" >> ~/temp_crontab
101 101
         sudo cp ~/temp_crontab /etc/crontab
102 102
         sudo chown root:root /etc/crontab

+ 63
- 34
src/freedombone-controlpanel Parādīt failu

@@ -1268,6 +1268,21 @@ function security_settings {
1268 1268
     any_key
1269 1269
 }
1270 1270
 
1271
+function show_tripwire_verification_code {
1272
+    if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then
1273
+        return
1274
+    fi
1275
+    clear
1276
+    echo ''
1277
+    echo $'Tripwire Verification Code'
1278
+    echo ''
1279
+    DBHASH=$(sha512sum  /var/lib/tripwire/${HOSTNAME}.twd)
1280
+    echo "$DBHASH" | qrencode -t UTF8
1281
+    echo ''
1282
+    echo "$DBHASH"
1283
+    echo ''
1284
+}
1285
+
1271 1286
 function reset_tripwire {
1272 1287
     if [ ! -f /usr/bin/reset-tripwire ]; then
1273 1288
         echo $'Missing /usr/bin/reset-tripwire'
@@ -1280,6 +1295,10 @@ function reset_tripwire {
1280 1295
         return
1281 1296
     fi
1282 1297
     clear
1298
+    echo $'Turing off logging...'
1299
+    ${PROJECT_NAME}-logging off
1300
+    echo $'Locking down permissions...'
1301
+    lockdown_permissions
1283 1302
     echo $'Creating configuration...'
1284 1303
     echo '
1285 1304
 
@@ -1298,7 +1317,14 @@ function reset_tripwire {
1298 1317
 
1299 1318
                 ' | reset-tripwire
1300 1319
     echo ''
1301
-    echo $'Tripwire is now reset'
1320
+    if [ -f /var/lib/tripwire/${HOSTNAME}.twd ]; then
1321
+        show_tripwire_verification_code
1322
+        echo $'Tripwire is now reset. Take a note of the above hash, or record'
1323
+        echo $'the QR code using a mobile device. This will enable you to independently'
1324
+        echo $'verify the integrity of the tripwire.'
1325
+    else
1326
+        echo $'ERROR: tripwire database was not created'
1327
+    fi
1302 1328
     any_key
1303 1329
 }
1304 1330
 
@@ -2122,27 +2148,28 @@ function menu_top_level {
2122 2148
         trap "rm -f $data" 0 1 2 5 15
2123 2149
         dialog --backtitle $"Freedombone Control Panel" \
2124 2150
                --title $"Control Panel" \
2125
-               --radiolist $"Choose an operation:" 28 70 20 \
2151
+               --radiolist $"Choose an operation:" 29 70 21 \
2126 2152
                1 $"About this system" off \
2127 2153
                2 $"Passwords" off \
2128 2154
                3 $"Backup and Restore" off \
2129 2155
                4 $"Show Firewall" off \
2130
-               5 $"Reset Tripwire" off \
2131
-               6 $"App Settings" off \
2132
-               7 $"Add/Remove Apps" off \
2133
-               8 $"Logging on/off" off \
2134
-               9 $"Ping enable/disable" off \
2135
-               10 $"Manage Users" off \
2136
-               11 $"Email Menu" off \
2137
-               12 $"Domain or User Blocking" off \
2138
-               13 $"Security Settings" off \
2139
-               14 $"Change the name of this system" off \
2140
-               15 $"Set a static local IP address" off \
2141
-               16 $"Wifi menu" off \
2142
-               17 $"Check for updates" off \
2143
-               18 $"Power off the system" off \
2144
-               19 $"Restart the system" off \
2145
-               20 $"Exit" on 2> $data
2156
+               5 $"Verify Tripwire Code" off \
2157
+               6 $"Reset Tripwire" off \
2158
+               7 $"App Settings" off \
2159
+               8 $"Add/Remove Apps" off \
2160
+               9 $"Logging on/off" off \
2161
+               10 $"Ping enable/disable" off \
2162
+               11 $"Manage Users" off \
2163
+               12 $"Email Menu" off \
2164
+               13 $"Domain or User Blocking" off \
2165
+               14 $"Security Settings" off \
2166
+               15 $"Change the name of this system" off \
2167
+               16 $"Set a static local IP address" off \
2168
+               17 $"Wifi menu" off \
2169
+               18 $"Check for updates" off \
2170
+               19 $"Power off the system" off \
2171
+               20 $"Restart the system" off \
2172
+               21 $"Exit" on 2> $data
2146 2173
         sel=$?
2147 2174
         case $sel in
2148 2175
             1) exit 1;;
@@ -2154,26 +2181,28 @@ function menu_top_level {
2154 2181
             2) view_or_change_passwords;;
2155 2182
             3) menu_backup_restore;;
2156 2183
             4) show_firewall;;
2157
-            5) reset_tripwire;;
2158
-            6) menu_app_settings;;
2159
-            7) /usr/local/bin/addremove
2184
+            5) show_tripwire_verification_code
2185
+               any_key;;
2186
+            6) reset_tripwire;;
2187
+            7) menu_app_settings;;
2188
+            8) /usr/local/bin/addremove
2160 2189
                if [ ! "$?" = "0" ]; then
2161 2190
                    any_key
2162 2191
                fi
2163 2192
                ;;
2164
-            8) logging_on_off;;
2165
-            9) ping_enable_disable;;
2166
-            10) menu_users;;
2167
-            11) menu_email;;
2168
-            12) domain_blocking;;
2169
-            13) security_settings;;
2170
-            14) change_system_name;;
2171
-            15) set_static_IP;;
2172
-            16) menu_wifi;;
2173
-            17) check_for_updates;;
2174
-            18) shut_down_system;;
2175
-            19) restart_system;;
2176
-            20) break;;
2193
+            9) logging_on_off;;
2194
+            10) ping_enable_disable;;
2195
+            11) menu_users;;
2196
+            12) menu_email;;
2197
+            13) domain_blocking;;
2198
+            14) security_settings;;
2199
+            15) change_system_name;;
2200
+            16) set_static_IP;;
2201
+            17) menu_wifi;;
2202
+            18) check_for_updates;;
2203
+            19) shut_down_system;;
2204
+            20) restart_system;;
2205
+            21) break;;
2177 2206
         esac
2178 2207
     done
2179 2208
 }
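Review bot: show_tripwire_verification_code returns silently when /var/lib/tripwire/${HOSTNAME}.twd is missing, so choosing the new menu entry 5 clears nothing and drops straight into any_key with no explanation; print something before returning, e.g. `echo $'No tripwire database found. Reset tripwire first.'`. The new line in reset_tripwire has a typo in a user-facing string and should read `echo $'Turning off logging...'`. A short comment above show_tripwire_verification_code saying the code is the sha512 of the tripwire database file, meant to be recorded out of band and compared later, would make the "Verify Tripwire Code" entry self-explanatory. reset_tripwire now calls lockdown_permissions, which is defined outside this file.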

+ 1
- 1
src/freedombone-image-customise Parādīt failu

@@ -1074,7 +1074,7 @@ function image_setup_utils {
1074 1074
     chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
1075 1075
     chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged
1076 1076
     chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib
1077
-    chroot "$rootdir" apt-get -yq install fail2ban vim-common python3 unattended-upgrades
1077
+    chroot "$rootdir" apt-get -yq install vim-common python3 unattended-upgrades
1078 1078
 
1079 1079
     # Tor and ssh over tor
1080 1080
     chroot "$rootdir" apt-get -yq install tor connect-proxy
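Review bot: fail2ban is dropped from the image package list, and the logging script in this same commit removes its fail2ban handling, so unless it is installed from somewhere not shown here the image no longer bans repeated ssh or web login failures. If that is intended, a one-line comment on the install line (or a sentence in the commit message) naming what replaces it would save the next reader from re-adding it; if it is not, the package should stay.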

+ 14
- 12
src/freedombone-logging Parādīt failu

@@ -40,6 +40,14 @@ WEBSERVER_LOG_LEVEL='warn'
40 40
 # Also the shred command can be very slow on Beaglebone Black
41 41
 REMOVE_FILES_COMMAND='rm -rf'
42 42
 
43
+source /usr/local/bin/${PROJECT_NAME}-vars
44
+
45
+UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
46
+for f in $UTILS_FILES
47
+do
48
+    source $f
49
+done
50
+
43 51
 APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
44 52
 for f in $APP_FILES
45 53
 do
@@ -83,6 +91,9 @@ function turn_logging_off {
83 91
 }
84 92
 
85 93
 function turn_off_rsys_logging {
94
+    if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then
95
+        return
96
+    fi
86 97
     sed -i 's|mail,news.none.*|mail,news.none      /dev/null|g' /etc/rsyslog.conf
87 98
     sed -i 's|auth,authpriv.\*.*|auth,authpriv.\*         /dev/null|g' /etc/rsyslog.conf
88 99
     sed -i 's|mail.info.*|mail.info            /dev/null|g' /etc/rsyslog.conf
@@ -106,6 +117,9 @@ function turn_off_rsys_logging {
106 117
 }
107 118
 
108 119
 function turn_on_rsys_logging {
120
+    if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then
121
+        return
122
+    fi
109 123
     sed -i 's|mail,news.none.*|mail,news.none      -/var/log/messages|g' /etc/rsyslog.conf
110 124
     sed -i 's|auth,authpriv.\*.*|auth,authpriv.\*         /var/log/auth.log|g' /etc/rsyslog.conf
111 125
     sed -i 's|mail.info.*|mail.info            -/var/log/mail.info|g' /etc/rsyslog.conf
@@ -127,10 +141,6 @@ fi
127 141
 if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then
128 142
     turn_logging_on
129 143
 
130
-    if [ -f /etc/fail2ban/fail2ban.conf ]; then
131
-        sed -i 's|loglevel.*|loglevel = 3|g' /etc/fail2ban/fail2ban.conf
132
-        sed -i 's|logtarget.*|logtarget = /var/log/fail2ban.log|g' /etc/fail2ban/fail2ban.conf
133
-    fi
134 144
     if [ -d /etc/tor ]; then
135 145
         if [ ! -d /var/log/tor ]; then
136 146
             mkdir /var/log/tor
@@ -238,11 +248,6 @@ else
238 248
             sed -i 's|log_error =.*|log_error = /dev/null|g' /etc/mysql/my.cnf
239 249
         fi
240 250
     fi
241
-    if [ -f /etc/fail2ban/fail2ban.conf ]; then
242
-        sed -i 's|loglevel.*|loglevel = 1|g' /etc/fail2ban/fail2ban.conf
243
-        sed -i 's|logtarget.*|logtarget = /dev/null|g' /etc/fail2ban/fail2ban.conf
244
-        $REMOVE_FILES_COMMAND /var/log/fail2ban.*
245
-    fi
246 251
     turn_off_rsys_logging
247 252
 fi
248 253
 
@@ -286,9 +291,6 @@ fi
286 291
 if [ -d /var/www/radicale ]; then
287 292
     systemctl restart radicale
288 293
 fi
289
-if [ -d /etc/fail2ban ]; then
290
-    systemctl restart fail2ban
291
-fi
292 294
 if [ -d /etc/matrix ]; then
293 295
     systemctl restart matrix
294 296
 fi
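Review bot: The new `for f in $UTILS_FILES` loop sources whatever the glob expands to, and when nothing matches, the unexpanded pattern string itself is passed to `source`, which fails; the existing APP_FILES loop has the same shape and presumably always has matches. Guard each iteration with `[ -f "$f" ] && source "$f"` or enable `shopt -s nullglob` before the loops. The early returns added to turn_off_rsys_logging and turn_on_rsys_logging make the sed rewrites idempotent; a one-line comment on each, such as `# presence of auth.log in rsyslog.conf is the marker for "logging on"`, would explain why that line is the sentinel.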

+ 2
- 18
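--- a/src/freedombone-upgrade
+++ b/src/freedombone-upgrade
@@ -13,7 +13,7 @@
 # License
 # =======
 #
-# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
+# Copyright (C) 2015-2017 Bob Mottram <bob@freedombone.net>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
@@ -65,15 +65,7 @@ if grep -q "cat /root/dbpass" /usr/bin/backupdatabases; then
     sed -i "s|cat /root/dbpass|freedombone-pass -u root -a mariadb|g" /usr/bin/backupdatabases
 fi
 
-update-ca-certificates
-
-# remove any keyserver log files
-if [ -d /var/lib/sks/DB ]; then
-    cd /var/lib/sks/DB
-    systemctl stop sks
-    db_archive -d
-    systemctl start sks
-fi
+#update-ca-certificates
 
 if [ ! -d $PROJECT_DIR ]; then
     git_clone $PROJECT_REPO $PROJECT_DIR
@@ -97,11 +89,9 @@ if [ -d $PROJECT_DIR ]; then
 
         ${PROJECT_NAME} -c $CONFIGURATION_FILE
         if [ ! "$?" = "0" ]; then
-            lockdown_permissions
             exit 453536
         fi
 
-        lockdown_permissions
         defrag_filesystem
     fi
 fi
@@ -109,10 +99,4 @@ fi
 # If logging was left on then turn it off
 ${PROJECT_NAME}-logging off
 
-if [ -f /usr/bin/reset-tripwire ]; then
-    echo '
-
-' | reset-tripwire
-fi
-
 # deliberately there is no 'exit 0' here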
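Review bot: The commented-out `#update-ca-certificates` left in the second hunk is dead code; either remove the line or replace it with a comment saying why the CA bundle refresh was dropped from the upgrade path. With both `lockdown_permissions` calls removed in the third hunk, the permission hardening it applies is no longer re-asserted after `${PROJECT_NAME} -c` runs; if the install path now does that itself, a one-line comment at the former call site would make the intent clear, otherwise the call on the success branch seems worth keeping. The surrounding `if [ -d $PROJECT_DIR ]` block starts outside the hunk.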

+ 24
- 12
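--- a/src/freedombone-utils-cron
+++ b/src/freedombone-utils-cron
@@ -78,18 +78,30 @@ function randomize_cron {
 }
 
 function schedule_stig_tests {
-    echo '#!/bin/bash' > /etc/cron.daily/stig_tests
-    echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> /etc/cron.daily/stig_tests
-    echo "pkill ${PROJECT_NAME}-tests" >> /etc/cron.daily/stig_tests
-    echo 'rm -rf /tmp/*' >> /etc/cron.daily/stig_tests
-    echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> /etc/cron.daily/stig_tests
-    echo 'if [ ! "$?" = "0" ]; then' >> /etc/cron.daily/stig_tests
-    echo "    echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> /etc/cron.daily/stig_tests
-    echo 'fi' >> /etc/cron.daily/stig_tests
-    echo 'if [ -f /tmp/daily-stig-tests ]; then' >> /etc/cron.daily/stig_tests
-    echo '  rm /tmp/daily-stig-tests' >> /etc/cron.daily/stig_tests
-    echo 'fi' >> /etc/cron.daily/stig_tests
-    chmod +x /etc/cron.daily/stig_tests
+    stig_tests_script=/tmp/stig_tests_script
+    echo '#!/bin/bash' > $stig_tests_script
+    echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> $stig_tests_script
+    echo "pkill ${PROJECT_NAME}-tests" >> $stig_tests_script
+    echo 'rm -rf /tmp/*' >> $stig_tests_script
+    echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> $stig_tests_script
+    echo 'if [ ! "$?" = "0" ]; then' >> $stig_tests_script
+    echo "    echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> $stig_tests_script
+    echo 'fi' >> $stig_tests_script
+    echo 'if [ -f /tmp/daily-stig-tests ]; then' >> $stig_tests_script
+    echo '  rm /tmp/daily-stig-tests' >> $stig_tests_script
+    echo 'fi' >> $stig_tests_script
+    chmod +x $stig_tests_script
+
+    if [ ! -f /etc/cron.daily/stig_tests ]; then
+        cp $stig_tests_script /etc/cron.daily/stig_tests
+    else
+        HASH1=$(sha256sum $stig_tests_script | awk -F ' ' '{print $1}')
+        HASH2=$(sha256sum /etc/cron.daily/stig_tests | awk -F ' ' '{print $1}')
+        if [[ "$HASH1" != "$HASH2" ]]; then
+            cp $stig_tests_script /etc/cron.daily/stig_tests
+        fi
+    fi
+    rm $stig_tests_script
 }
 
 # NOTE: deliberately there is no "exit 0"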
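Review bot: `stig_tests_script=/tmp/stig_tests_script` stages a root-owned cron script under a fixed, predictable name in a world-writable directory, and `>` truncates an existing file rather than replacing it, so a file already present there under another local user's ownership keeps that ownership while root writes into it and then copies it to /etc/cron.daily, where it runs as root every day. Create the staging file with a private, unpredictable name instead, `stig_tests_script=$(mktemp)`, which also creates it with mode 0600; the same fixed-name staging is introduced in src/freedombone-utils-web for `/tmp/renewals_letsencrypt` and `/tmp/renewals_retry_letsencrypt`. `HASH1`/`HASH2` are assigned without `local` and so leak into the caller's scope; `local HASH1 HASH2` at the top of the function would contain them.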

+ 5
- 1
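--- a/src/freedombone-utils-filesystem
+++ b/src/freedombone-utils-filesystem
@@ -124,7 +124,11 @@ function defrag_filesystem {
 }
 
 function optimise_filesystem {
-    sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' /etc/fstab
+    if grep -q "btrfs" /etc/fstab; then
+        if ! grep -q "btrfs defaults,subvol=@,compress=lzo,ssd" /etc/fstab; then
+            sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' /etc/fstab
+        fi
+    fi
 }
 
 # NOTE: deliberately no exit 0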
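Review bot: The inner guard `grep -q "btrfs defaults,subvol=@,compress=lzo,ssd"` short-circuits as soon as any one fstab entry already carries the options, so a second `btrfs subvol=@` entry in the same file would never be rewritten. Since the sed is already a no-op when its pattern is absent, the simpler and complete check is to test for the text being replaced, `if grep -q 'btrfs subvol=@' /etc/fstab; then`, which also makes the outer `grep -q "btrfs"` unnecessary. A brief comment on why `compress=lzo,ssd` is applied to every matching entry regardless of the underlying device would help the next reader.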

+ 5
- 2
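--- a/src/freedombone-utils-firewall
+++ b/src/freedombone-utils-firewall
@@ -90,10 +90,13 @@ function firewall_block_bad_ip_ranges {
 function global_rate_limit {
     if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
         echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
+        sysctl -p -q
     else
-        sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
+        if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then
+            sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
+            sysctl -p -q
+        fi
     fi
-    sysctl -p -q
 }
 
 function enable_ipv6 {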
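Review bot: The new guard `grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999"` is an unanchored substring match, so a commented-out copy of the line (`#net.ipv4.tcp_challenge_ack_limit = 999999999`) satisfies it and both the sed and `sysctl -p -q` are skipped while the running kernel keeps its default. Anchor the test to an active line: `if ! grep -q '^net.ipv4.tcp_challenge_ack_limit = 999999999$' /etc/sysctl.conf; then`. The outer `grep -q "tcp_challenge_ack_limit"` has the same looseness but is unchanged by this commit.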

+ 21
- 3
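--- a/src/freedombone-utils-git
+++ b/src/freedombone-utils-git
@@ -95,13 +95,31 @@ function set_repo_commit {
             chown -R www-data:www-data $repo_dir
         fi
         if [[ $repo_dir == *"gpgit" ]]; then
-            cp gpgit.pl /usr/bin/gpgit.pl
+            if [ ! -f /usr/bin/gpgit.pl ]; then
+                cp gpgit.pl /usr/bin/gpgit.pl
+            else
+                HASH1=$(sha256sum gpgit.pl | awk -F ' ' '{print $1}')
+                HASH2=$(sha256sum /usr/bin/gpgit.pl | awk -F ' ' '{print $1}')
+                if [[ "$HASH1" != "$HASH2" ]]; then
+                    cp gpgit.pl /usr/bin/gpgit.pl
+                fi
+            fi
         fi
         if [[ $repo_dir == *"cleanup-maildir" ]]; then
-            cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
+            if [ ! -f /usr/bin/cleanup-maildir ]; then
+                cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
+            else
+                HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}')
+                HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
+                if [[ "$HASH1" != "$HASH2" ]]; then
+                    cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
+                fi
+            fi
         fi
         if [[ $repo_dir == *"nginx_ensite" ]]; then
-            make install
+            if [ ! -f /usr/local/bin/nginx_ensite ]; then
+                make install
+            fi
         fi
         if [[ $repo_dir == *"inadyn" ]]; then
             ./configure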
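Review bot: The `nginx_ensite` branch now runs `make install` only when `/usr/local/bin/nginx_ensite` is absent, so once set_repo_commit has moved the checkout to a newer commit the installed copy is never refreshed; this is inconsistent with the sha256 compare-and-copy the same hunk applies to gpgit.pl and cleanup-maildir. Either compare the checkout's script against the installed file the same way, or drop the guard and let `make install` run whenever the commit changes. `HASH1`/`HASH2` are assigned without `local` and leak into the caller's scope; `local HASH1 HASH2` near the top of set_repo_commit, whose start is outside the hunk, would contain them.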

+ 100
- 26
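--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -145,30 +145,47 @@ function separate_tmp_filesystem {
 }
 
 function proc_filesystem_settings {
-    sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab
+    if ! grep -q "proc proc defaults,nodev,nosuid " /etc/fstab; then
+       sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab
+    fi
 }
 
 function remove_bluetooth {
-    rmmod -f bnep
-    rmmod -f bluetooth
+    bluetooth_changed=
+    bnep_exists=$(lsmod | grep bnep)
+    if [[ "$bnep_exists" == "bnep"* ]]; then
+        rmmod -f bnep
+        bluetooth_changed=1
+    fi
+    bluetooth_exists=$(lsmod | grep bluetooth)
+    if [[ "$bluetooth_exists" == "bluetooth"* ]]; then
+        rmmod -f bluetooth
+        bluetooth_changed=1
+    fi
     if [ -f /etc/default/bluetooth ]; then
         if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
             sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
         else
             echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
         fi
+        bluetooth_changed=1
     fi
     if ! grep -q 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
         echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
+        bluetooth_changed=1
     fi
     if ! grep -q 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
         echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
+        bluetooth_changed=1
     fi
     if ! grep -q 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
         echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
+        bluetooth_changed=1
+    fi
+    if [ $bluetooth_changed ]; then
+        update-initramfs -u -k `uname -r` -v
+        update-rc.d bluetooth remove
     fi
-    update-initramfs -u -k `uname -r` -v
-    update-rc.d bluetooth remove
 }
 
 function running_as_root {
@@ -201,11 +218,17 @@ function install_backports_kernel {
     architecture_type=$(uname -a)
 
     if [[ "$architecture_type" == *"amd64"* ]]; then
-        apt-get -yq install linux-image-amd64
+        package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null)
+        if [ ! $package_installed ]; then
+            apt-get -yq install linux-image-amd64
+        fi
     fi
 }
 
 function turn_off_rsys_logging {
+    if grep -q '/dev/null' /etc/rsyslog.conf; then
+        return
+    fi
     sed -i 's|mail,news.none.*|mail,news.none      /dev/null|g' /etc/rsyslog.conf
     sed -i 's|auth,authpriv.\*.*|auth,authpriv.\*         /dev/null|g' /etc/rsyslog.conf
     sed -i 's|mail.info.*|mail.info            /dev/null|g' /etc/rsyslog.conf
@@ -265,7 +288,7 @@ function initial_setup {
 
 function setup_grub {
     if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
-        if ! grep -q 'iframes=0' /etc/default/grub; then
+        if ! grep -q 'ifnames=0' /etc/default/grub; then
             sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub
             update-grub
         fi
@@ -377,7 +400,9 @@ function mark_admin_user_account {
 }
 
 function remove_instructions_from_motd {
-    sed -i '/## /d' /etc/motd
+    if grep -q "## " /etc/motd; then
+        sed -i '/## /d' /etc/motd
+    fi
 }
 
 function remove_default_user {
@@ -430,7 +455,10 @@ function remove_management_engine_interface {
 }
 
 function set_login_umask {
-    sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
+    logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#')
+    if [[ "$logindefs_umask" != *'077' ]]; then
+        sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
+    fi
 }
 
 function disable_deferred_execution {
@@ -451,13 +479,13 @@ function set_max_login_tries {
     if ! grep -q ' deny=' /etc/pam.d/common-auth; then
         sed -i "/pam_deny.so/a auth    required\t\t\tpam_tally.so    onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
     else
-        sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
+        if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then
+            sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
+        fi
     fi
 
-    if ! grep -q ' deny=' /etc/pam.d/common-account; then
+    if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then
         sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
-    else
-        sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account
     fi
 }
 
@@ -466,14 +494,18 @@ function limit_user_logins {
     if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then
         echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
     else
-        sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
+        if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then
+            sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
+        fi
     fi
 
     # Max logins for each user
     if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then
         echo '* hard maxlogins 2' >> /etc/security/limits.conf
     else
-        sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
+        if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then
+            sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
+        fi
     fi
 }
 
@@ -493,7 +525,10 @@ function set_sticky_bits {
 }
 
 function disable_ctrl_alt_del {
-    ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+    ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target)
+    if [[ "$ctrl_alt_del" !=  *'/dev/null' ]]; then
+        ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
+    fi
 }
 
 function lockdown_permissions {
@@ -599,10 +634,12 @@ function lockdown_permissions {
 }
 
 function disable_core_dumps {
-    if ! grep -q '* hard core 0' /etc/security/limits.conf; then
+    if ! grep -q '* hard core' /etc/security/limits.conf; then
         echo '* hard core 0' >> /etc/security/limits.conf
     else
-        sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
+        if ! grep -q '* hard core 0' /etc/security/limits.conf; then
+            sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
+        fi
     fi
 }
 
@@ -614,7 +651,9 @@ function dummy_nologin_command {
 }
 
 function disable_null_passwords {
-    sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
+    if grep -q ' nullok_secure' /etc/pam.d/common-auth; then
+        sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
+    fi
 }
 
 function create_usb_canary {
@@ -665,12 +704,45 @@ function setup_firewall {
 
 function setup_powerline {
     if [ -f ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
-        cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
-        cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+        if [ ! -f ~/.powerline.bash ]; then
+            cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
+        else
+            HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
+            HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
+            if [[ "$HASH1" != "$HASH2" ]]; then
+                cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
+            fi
+        fi
+        if [ ! -f /etc/skel/.powerline.bash ]; then
+            cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+        else
+            HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
+            HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
+            if [[ "$HASH1" != "$HASH2" ]]; then
+                cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+            fi
+        fi
     else
         if [ -f /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
-            cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
-            cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+            if [ ! -f ~/.powerline.bash ]; then
+                cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
+            else
+                HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
+                HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
+                if [[ "$HASH1" != "$HASH2" ]]; then
+                    cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
+                fi
+            fi
+
+            if [ ! -f /etc/skel/.powerline.bash ]; then
+                cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+            else
+                HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
+                HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
+                if [[ "$HASH1" != "$HASH2" ]]; then
+                    cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
+                fi
+            fi
         fi
     fi
     if ! grep -q "powerline" ~/.bashrc; then
@@ -687,9 +759,11 @@ function setup_powerline {
 
 function congestion_control {
     # see /proc/sys/net/ipv4/tcp_congestion_control
-    echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf
-    echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf
-    sysctl --system
+    if [ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]; then
+        echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf
+        echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf
+        sysctl --system
+    fi
 }
 
 function setup_utils {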
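Review bot: In remove_bluetooth, `bluetooth_changed=1` is set unconditionally whenever `/etc/default/bluetooth` exists, even when it already reads `BLUETOOTH_ENABLED=0`, so `update-initramfs -u -k ... -v` and `update-rc.d bluetooth remove` still run on every invocation on any host with that file and the idempotence the hunk is aiming for is lost; the flag should only be set when the file is actually edited (rewritten below). In install_backports_kernel, `dpkg-query -W -f='${Package}\n'` also prints the name for a package that was removed but still has config files, so `if [ ! $package_installed ]` can skip a needed install; `-f='${Status}'` compared against `install ok installed` is the reliable test. setup_powerline repeats the same sha256 compare-and-copy four times, and `HASH1`/`HASH2` are not `local`; a small `copy_if_changed src dst` helper would make the intent readable and contain the variables.
```shell
    if [ -f /etc/default/bluetooth ]; then
        if ! grep -q '^BLUETOOTH_ENABLED=0$' /etc/default/bluetooth; then
            if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
                sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
            else
                echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
            fi
            bluetooth_changed=1
        fi
    fi
    # … unchanged: modprobe blacklist entries and the final update-initramfs block …
```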

+ 1
- 1
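--- a/src/freedombone-utils-ssh
+++ b/src/freedombone-utils-ssh
@@ -121,7 +121,7 @@ function configure_ssh {
     sed -i 's|#UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config
     sed -i 's|UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config
 
-    apt-get -yq install fail2ban vim-common
+    apt-get -yq install vim-common
 
     function_check configure_firewall_for_ssh
     configure_firewall_for_ssh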
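Review bot: Dropping `fail2ban` from the `apt-get -yq install` line, together with the removal of its logging configuration and restart elsewhere in this commit, leaves hosts that were installed earlier with fail2ban present but no longer managed, and new installs without a login-failure rate limiter on sshd unless the pam_tally rules in set_max_login_tries are meant to cover that. A one-line comment above the install stating what replaces fail2ban, or a matching `apt-get -yq remove fail2ban` on the upgrade path, would make the change complete. configure_ssh starts and ends outside the hunk.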

+ 10
- 1
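--- a/src/freedombone-utils-upgrade
+++ b/src/freedombone-utils-upgrade
@@ -32,7 +32,16 @@
 UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade"
 
 function create_upgrade_script {
-    cp $(which ${PROJECT_NAME}-upgrade) /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+    upgrade_command_file=$(which ${PROJECT_NAME}-upgrade)
+    if [ ! -f /etc/cron.weekly/$UPGRADE_SCRIPT_NAME ]; then
+        cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+    else
+        HASH1=$(sha256sum $upgrade_command_file | awk -F ' ' '{print $1}')
+        HASH2=$(sha256sum /etc/cron.weekly/$UPGRADE_SCRIPT_NAME | awk -F ' ' '{print $1}')
+        if [[ "$HASH1" != "$HASH2" ]]; then
+            cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
+        fi
+    fi
 
     if [[ $(is_completed $FUNCNAME) == "1" ]]; then
         return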
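Review bot: `upgrade_command_file=$(which ${PROJECT_NAME}-upgrade)` is never checked, so when the command is not on PATH the variable is empty, `cp` runs with no source argument, and in the else branch `sha256sum` fails and `HASH1` is empty, which then forces a `cp` that also fails; guard it first with `if [ ! -f "$upgrade_command_file" ]; then return; fi`, ideally with a message on stderr. The copy now happens before the unchanged `is_completed $FUNCNAME` early return, so the cron script is re-compared on every call, which may be intended but deserves a comment. `HASH1`/`HASH2` are not `local` and leak into the caller's scope.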

+ 41
- 6
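--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -318,8 +318,8 @@ function letsencrypt_renewals {
         return
     fi
 
-    renewals_script=/etc/cron.monthly/letsencrypt
-    renewals_retry_script=/etc/cron.daily/letsencrypt
+    renewals_script=/tmp/renewals_letsencrypt
+    renewals_retry_script=/tmp/renewals_retry_letsencrypt
     renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
     renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
 
@@ -361,6 +361,17 @@ function letsencrypt_renewals {
     echo 'fi' >> $renewals_script
     chmod +x $renewals_script
 
+    if [ ! -f /etc/cron.monthly/letsencrypt ]; then
+        cp $renewals_script /etc/cron.monthly/letsencrypt
+    else
+        HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')
+        HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')
+        if [[ "$HASH1" != "$HASH2" ]]; then
+            cp $renewals_script /etc/cron.monthly/letsencrypt
+        fi
+    fi
+    rm $renewals_script
+
     # a secondary script keeps trying to renew after a failure
     echo '#!/bin/bash' > $renewals_retry_script
     echo '' >> $renewals_retry_script
@@ -398,6 +409,17 @@ function letsencrypt_renewals {
     echo '    fi' >> $renewals_retry_script
     echo 'fi' >> $renewals_retry_script
     chmod +x $renewals_retry_script
+
+    if [ ! -f /etc/cron.daily/letsencrypt ]; then
+        cp $renewals_retry_script /etc/cron.daily/letsencrypt
+    else
+        HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')
+        HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')
+        if [[ "$HASH1" != "$HASH2" ]]; then
+            cp $renewals_retry_script /etc/cron.daily/letsencrypt
+        fi
+    fi
+    rm $renewals_retry_script
 }
 
 function configure_php {
@@ -425,6 +447,11 @@ function install_dynamicdns {
         return
     fi
 
+    CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")
+    if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then
+        return
+    fi
+
     # update to the next commit
     function_check set_repo_commit
     set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
@@ -762,11 +789,19 @@ function update_default_domain {
             cp /etc/ssl/certs/xmpp* /etc/prosody/certs
             if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
                 usermod -a -G ssl-cert prosody
-                sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
-                sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
+                if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+                    sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
+                fi
+                if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then
+                    sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
+                fi
 
-                sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua
-                sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua
+                if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then
+                    sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua
+                fi
+                if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then
+                    sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua
+                fi
             fi
 
             if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then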
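Review bot: The new prosody guards in the last hunk sit inside `if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then`, an unchanged context line that tests a non-empty string rather than a file and is therefore always true, so the cert paths get rewritten to a key and certificate that may not exist; the line wants `-f`, i.e. `if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then`. In letsencrypt_renewals, `/tmp/renewals_letsencrypt` and `/tmp/renewals_retry_letsencrypt` are fixed, predictable names in a world-writable directory that root writes with `>` and then copies into /etc/cron.monthly and /etc/cron.daily; a pre-existing file there under another user's ownership would keep that ownership while being filled and later installed as a root cron job, so each should be created with `$(mktemp)` instead. The early return added to install_dynamicdns deserves a comment such as `# already at the requested inadyn commit, nothing to rebuild`, since `INADYN_COMMIT` is defined outside the hunk.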

+ 5
- 2
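--- a/src/freedombone-utils-wifi
+++ b/src/freedombone-utils-wifi
@@ -49,8 +49,11 @@ function default_network_config {
 # device names get assigned random names. This is a hacky workaround.
 # Also adding net.ifnames=0 to kernel options on bootloader may work.
 function enable_predictable_device_names {
-    ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
-    update-initramfs -u
+    test_predictable=$(ls -la /etc/udev/rules.d/80-net-setup-link.rules)
+    if [[ "$test_predictable" != *"/dev/null" ]]; then
+        ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
+        update-initramfs -u
+    fi
 }
 
 function wifi_is_running {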
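Review bot: `ls -la` on a path that does not exist yet prints an error to stderr on every first run, and when the rules file exists as anything other than a symlink to /dev/null the unguarded `ln -s` fails while `update-initramfs -u` still runs for nothing. `readlink` gives the link target directly: `if [[ "$(readlink /etc/udev/rules.d/80-net-setup-link.rules 2>/dev/null)" != "/dev/null" ]]; then`, paired with `ln -sf` so a stale regular file is replaced. disable_ctrl_alt_del in src/freedombone-utils-setup uses the same `ls -l` string-match pattern and would benefit from the same change.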

+ 36
- 36
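--- a/tests/check-cmd-owner.sh
+++ b/tests/check-cmd-owner.sh
@@ -2,61 +2,61 @@
 
 if [ -d "/bin" ];then
 
-        COUNT=$(find -L /bin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /bin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/bin" ];then
 
-        COUNT=$(find -L /usr/bin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/bin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/local/bin" ];then
 
-        COUNT=$(find -L /usr/local/bin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/local/bin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/sbin" ];then
 
-        COUNT=$(find -L /sbin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /sbin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/sbin" ];then
 
-        COUNT=$(find -L /usr/sbin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/sbin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi
 if [ -d "/usr/local/sbin" ];then
 
-        COUNT=$(find -L /usr/local/sbin  \! -user root  -exec ls -l {} \; |wc -l)
+    COUNT=$(find -L /usr/local/sbin  \! -user root  -exec ls -l {} \; |wc -l)
 
-        if [ $COUNT -eq 0 ];then
-                :
-        else
-                exit 1
-        fi
+    if [ $COUNT -eq 0 ];then
+        :
+    else
+        exit 1
+    fi
 fi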

+ 7
- 1
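--- a/tests/output.sh
+++ b/tests/output.sh
@@ -495,7 +495,13 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
                   printf '\n######################\n\nSTIG-ID:RHEL-06-000047\n\nVulnerability Discussion: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.\n\nFix text: System executables are stored in the following directories by default:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:\n\n#chmod go-w [FILE]\n\n######################\n\n' >> $LOG
               fi
               ;;
-    V-38472)  if [ "$3" = "en" ]; then
+    V-38472)  find -L /bin  \! -user root  -exec ls -l {} \;
+              find -L /usr/bin  \! -user root  -exec ls -l {} \;
+              find -L /usr/local/bin  \! -user root  -exec ls -l {} \;
+              find -L /sbin  \! -user root  -exec ls -l {} \;
+              find -L /usr/sbin  \! -user root  -exec ls -l {} \;
+              find -L /usr/local/sbin  \! -user root  -exec ls -l {} \;
+              if [ "$3" = "en" ]; then
                   log_msg $2 'All system command files must be owned by root.'
               else
                   log_msg $2 '所有系统命令文件的属主必须为root用户。'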
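Review bot: The six `find -L ... \! -user root -exec ls -l {} \;` lines added to the `V-38472` case write their listing to stdout, whereas the sibling case above routes its diagnostic text into the report with `>> $LOG`; if the listing of non-root-owned binaries is meant to accompany the finding it should be appended the same way, and if it is only for interactive runs a comment saying so would prevent the next reader from "fixing" it. A single `find -L /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin \! -user root -ls` would also replace the six invocations and the per-file `ls` spawns. The case body continues past the end of the hunk.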