From: deraadt Date: Mon, 14 Jul 2014 09:04:02 +0000 (+0000) Subject: rc.{local,securelevel,shutdown} become examples. If versions of them X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e6e1e0799a3fc0c129c95f72dfc955a50f57d021;p=openbsd rc.{local,securelevel,shutdown} become examples. If versions of them are created in /etc, they are executed (they used to be sourced) to avoid polluting the rc variable space. The powerdown= and securelevel= features are removed; they are likely only used by 2 people. the secureleve is now always raised; this is the only sensible default. ok ajacoutot --- diff --git a/etc/Makefile b/etc/Makefile index 2b070cc78d9..66099feca34 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.370 2014/07/13 13:53:36 rpe Exp $ +# $OpenBSD: Makefile,v 1.371 2014/07/14 09:04:02 deraadt Exp $ TZDIR= /usr/share/zoneinfo LOCALTIME= Canada/Mountain 
@@ -30,25 +30,24 @@ kernels: bootblocks ${ALL_KERNELS} # -rw-r--r-- BINOWN= root BINGRP= wheel -BIN1= changelist csh.cshrc csh.login csh.logout daily \ +BIN1= changelist csh.cshrc csh.login csh.logout daily dhclient.conf \ + etc.${MACHINE}/disktab etc.${MACHINE}/login.conf \ ftpusers gettytab group hosts ksh.kshrc locate.rc \ - man.conf monthly motd myname netstart networks \ - newsyslog.conf protocols rc rc.conf rc.local \ - rc.securelevel rc.shutdown rpc services shells syslog.conf \ - weekly etc.${MACHINE}/login.conf etc.${MACHINE}/disktab \ - dhclient.conf mailer.conf moduli pf.os mixerctl.conf + mailer.conf man.conf mixerctl.conf moduli monthly motd \ + myname netstart networks newsyslog.conf pf.os protocols \ + rc rc.conf rpc services shells syslog.conf weekly +.if ${MACHINE} != "aviion" +BIN1+= wsconsctl.conf +.endif EXAMPLES=chio.conf dhcpd.conf exports ftpchroot hosts.lpd ifstated.conf \ inetd.conf mrouted.conf ntpd.conf printcap rbootd.conf remote \ sensorsd.conf EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \ - ldapd.conf ldpd.conf ospf6d.conf ospfd.conf relayd.conf ripd.conf \ - sasyncd.conf snmpd.conf ypldap.conf - -.if ${MACHINE} != "aviion" -BIN1+= wsconsctl.conf -.endif + ldapd.conf ldpd.conf ospf6d.conf ospfd.conf rc.local \ + rc.securelevel rc.shutdown relayd.conf ripd.conf \ + sasyncd.conf snmpd.conf ypldap.conf # -rw-rw-r-- BIN2= motd diff --git a/etc/changelist b/etc/changelist index d6b7afd6db9..32330e93ee6 100644 --- a/etc/changelist +++ b/etc/changelist @@ -1,4 +1,4 @@ -# $OpenBSD: changelist,v 1.92 2014/07/13 13:53:36 rpe Exp $ +# $OpenBSD: changelist,v 1.93 2014/07/14 09:04:02 deraadt Exp $ # # List of files which the security script backs up and checks # for modifications. @@ -110,9 +110,9 @@ /etc/rc.conf /etc/rc.conf.local /etc/rc.d/rc.subr -/etc/rc.local -/etc/rc.securelevel -/etc/rc.shutdown ++/etc/rc.local ++/etc/rc.securelevel ++/etc/rc.shutdown +/etc/relayd.conf +/etc/remote /etc/resolv.conf 
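Review bot: The three entries come back with a leading `+` (`+/etc/rc.local`, `+/etc/rc.securelevel`, `+/etc/rc.shutdown`), and the commit message does not mention this change in how they are tracked. If the `+` has its usual changelist(5) meaning, security(8) will report only that these files changed and will no longer show a diff. The daily mail then stops showing what was added to a script that runs as root at boot or shutdown. That is consistent with the move to `EXAMPLES_600` in etc/Makefile, presumably because the files may now hold secrets, but it deserves a line in the log such as `changelist: rc.local, rc.securelevel and rc.shutdown are now tracked by checksum only`. The list continues outside the hunk.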
diff --git a/etc/examples/rc.local b/etc/examples/rc.local new file mode 100644 index 00000000000..5da81e278e7 --- /dev/null +++ b/etc/examples/rc.local @@ -0,0 +1,6 @@ +# $OpenBSD: rc.local,v 1.1 2014/07/14 09:04:02 deraadt Exp $ + +# Site-specific startup actions, daemons, and other things which +# can be done AFTER your system goes into securemode. For actions +# which should be done BEFORE your system has gone into securemode +# please see /etc/rc.securelevel. diff --git a/etc/examples/rc.securelevel b/etc/examples/rc.securelevel new file mode 100644 index 00000000000..70e678a857c --- /dev/null +++ b/etc/examples/rc.securelevel @@ -0,0 +1,14 @@ +# $OpenBSD: rc.securelevel,v 1.1 2014/07/14 09:04:02 deraadt Exp $ +# +# site-specific startup actions, daemons, and other things which +# can be done BEFORE your system goes into securemode. For actions +# which should be done AFTER your system has gone into securemode +# please see /etc/rc.local + +echo -n 'starting pre-securelevel daemons:' + +# +# Place local actions here. +# + +echo '.' diff --git a/etc/examples/rc.shutdown b/etc/examples/rc.shutdown new file mode 100644 index 00000000000..fb615f89423 --- /dev/null +++ b/etc/examples/rc.shutdown @@ -0,0 +1,6 @@ +# $OpenBSD: rc.shutdown,v 1.1 2014/07/14 09:04:02 deraadt Exp $ +# +# If it exists, this script is run at system-shutdown by reboot(8), +# halt(8). If the architecture supports keyboard requested halting, +# it is also run by init(8) when such an event happens. +# diff --git a/etc/rc b/etc/rc index e65e9fa56ca..20be0ffba2a 100644 --- a/etc/rc +++ b/etc/rc @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.430 2014/07/14 03:45:55 deraadt Exp $ +# $OpenBSD: rc,v 1.431 2014/07/14 09:04:02 deraadt Exp $ # System startup script run by init on autoboot # or after single-user. 
@@ -283,7 +283,7 @@ if [ X"$1" = X"shutdown" ]; then fi echo /etc/rc.shutdown in progress... - [ -f /etc/rc.shutdown ] && . /etc/rc.shutdown + [ -f /etc/rc.shutdown ] && sh /etc/rc.shutdown echo /etc/rc.shutdown complete. else echo single user: not running shutdown scripts @@ -296,9 +296,6 @@ if [ X"$1" = X"shutdown" ]; then esac done - if [ X"${powerdown}" = X"YES" ]; then - exit 2 - fi exit 0 fi @@ -460,11 +457,8 @@ echo clearing /tmp setup_X_sockets -[ -f /etc/rc.securelevel ] && . /etc/rc.securelevel -if [ X"${securelevel}" != X"" ]; then - echo -n 'setting kernel security level: ' - sysctl kern.securelevel=${securelevel} -fi +[ -f /etc/rc.securelevel ] && sh /etc/rc.securelevel +sysctl kern.securelevel=1 # patch /etc/motd if [ ! -f /etc/motd ]; then @@ -537,7 +531,7 @@ if [ -n "${pkg_scripts}" ]; then echo '.' fi -[ -f /etc/rc.local ] && . /etc/rc.local +[ -f /etc/rc.local ] && sh /etc/rc.local ifconfig -g carp -carpdemote 128 # disable carp interlock diff --git a/etc/rc.local b/etc/rc.local deleted file mode 100644 index 944b7b4e023..00000000000 --- a/etc/rc.local +++ /dev/null @@ -1,6 +0,0 @@ -# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $ - -# Site-specific startup actions, daemons, and other things which -# can be done AFTER your system goes into securemode. For actions -# which should be done BEFORE your system has gone into securemode -# please see /etc/rc.securelevel. diff --git a/etc/rc.securelevel b/etc/rc.securelevel deleted file mode 100644 index fa3ce362ad3..00000000000 --- a/etc/rc.securelevel +++ /dev/null 
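Review bot: No comment at `[ -f /etc/rc.shutdown ] && sh /etc/rc.shutdown` says that the site script no longer shares rc's shell; the same applies to `sh /etc/rc.securelevel` in the -460 hunk and `sh /etc/rc.local` in the -537 hunk. A script carried over from an older install that calls a function or reads a variable defined in rc will now fail inside the child. Its exit status is not checked on these lines, so nothing in the boot or shutdown output would show the failure. I would add `# run as a separate sh: rc's variables and functions are not visible, and nothing set in the script reaches rc` above each call. The enclosing `if` block starts and ends outside the hunk.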
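Review bot: A `securelevel=` assignment left in an existing /etc/rc.securelevel is now ignored without any message, because the script runs in a child `sh` and the next line is the hard-coded `sysctl kern.securelevel=1`. A host that had set `securelevel=2` there would come up at level 1 after the upgrade, which is a weaker posture than the administrator configured. To keep level 2 the script would have to call `sysctl kern.securelevel=2` itself, after which the `=1` call would presumably be refused and print an error. The removed `echo -n 'setting kernel security level: '` also leaves the sysctl output unlabelled on the console. I would keep that label and add `# always raised to 1; a site that needs a higher level must set it from /etc/rc.securelevel itself` above the sysctl line.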
@@ -1,22 +0,0 @@
-# $OpenBSD: rc.securelevel,v 1.16 2004/07/06 04:05:03 deraadt Exp $
-#
-# site-specific startup actions, daemons, and other things which
-# can be done BEFORE your system goes into securemode. For actions
-# which should be done AFTER your system has gone into securemode
-# please see /etc/rc.local
-
-# This is the desired security level
-# XXX
-# XXX it is not really acceptable to put this value in a configuration
-# XXX file, because locking it down requires immutability on about
-# XXX 5 files instead of 2 (the kernel and init)
-# XXX
-securelevel=1
-
-echo -n 'starting pre-securelevel daemons:'
-
-#
-# Place local actions here.
-#
-
-echo '.'
diff --git a/etc/rc.shutdown b/etc/rc.shutdown
deleted file mode 100644
index 9976eb04e26..00000000000
--- a/etc/rc.shutdown
+++ /dev/null
@@ -1,10 +0,0 @@
-# $OpenBSD: rc.shutdown,v 1.12 2011/04/22 06:08:14 ajacoutot Exp $
-#
-# If it exists, this script is run at system-shutdown by reboot(8),
-# halt(8). If the architecture supports keyboard requested halting,
-# it is also run by init(8) when such an event happens.
-#
-
-powerdown=NO # set to YES for powerdown
-
-# Add your local shutdown actions here.