
rc.{local,securelevel,shutdown} become examples. If versions of them

are created in /etc, they are executed (they used to be sourced) to
avoid polluting the rc variable space.  The powerdown= and securelevel=
features are removed; they are likely only used by 2 people.  The
securelevel is now always raised; this is the only sensible default.
ok ajacoutot
OPENBSD_5_6
deraadt 10 years ago
parent
commit
68f7c0883b
7 changed files with 37 additions and 56 deletions
  1. +12
    -13
      src/etc/Makefile
  2. +4
    -4
      src/etc/changelist
  3. +1
    -1
      src/etc/examples/rc.local
  4. +14
    -0
      src/etc/examples/rc.securelevel
  5. +1
    -5
      src/etc/examples/rc.shutdown
  6. +5
    -11
      src/etc/rc
  7. +0
    -22
      src/etc/rc.securelevel

+ 12
- 13
src/etc/Makefile View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.370 2014/07/13 13:53:36 rpe Exp $
# $OpenBSD: Makefile,v 1.371 2014/07/14 09:04:02 deraadt Exp $
TZDIR= /usr/share/zoneinfo TZDIR= /usr/share/zoneinfo
LOCALTIME= Canada/Mountain LOCALTIME= Canada/Mountain
@ -30,25 +30,24 @@ kernels: bootblocks ${ALL_KERNELS}
# -rw-r--r-- # -rw-r--r--
BINOWN= root BINOWN= root
BINGRP= wheel BINGRP= wheel
BIN1= changelist csh.cshrc csh.login csh.logout daily \
BIN1= changelist csh.cshrc csh.login csh.logout daily dhclient.conf \
etc.${MACHINE}/disktab etc.${MACHINE}/login.conf \
ftpusers gettytab group hosts ksh.kshrc locate.rc \ ftpusers gettytab group hosts ksh.kshrc locate.rc \
man.conf monthly motd myname netstart networks \
newsyslog.conf protocols rc rc.conf rc.local \
rc.securelevel rc.shutdown rpc services shells syslog.conf \
weekly etc.${MACHINE}/login.conf etc.${MACHINE}/disktab \
dhclient.conf mailer.conf moduli pf.os mixerctl.conf
mailer.conf man.conf mixerctl.conf moduli monthly motd \
myname netstart networks newsyslog.conf pf.os protocols \
rc rc.conf rpc services shells syslog.conf weekly
.if ${MACHINE} != "aviion"
BIN1+= wsconsctl.conf
.endif
EXAMPLES=chio.conf dhcpd.conf exports ftpchroot hosts.lpd ifstated.conf \ EXAMPLES=chio.conf dhcpd.conf exports ftpchroot hosts.lpd ifstated.conf \
inetd.conf mrouted.conf ntpd.conf printcap rbootd.conf remote \ inetd.conf mrouted.conf ntpd.conf printcap rbootd.conf remote \
sensorsd.conf sensorsd.conf
EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \ EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \
ldapd.conf ldpd.conf ospf6d.conf ospfd.conf relayd.conf ripd.conf \
sasyncd.conf snmpd.conf ypldap.conf
.if ${MACHINE} != "aviion"
BIN1+= wsconsctl.conf
.endif
ldapd.conf ldpd.conf ospf6d.conf ospfd.conf rc.local \
rc.securelevel rc.shutdown relayd.conf ripd.conf \
sasyncd.conf snmpd.conf ypldap.conf
# -rw-rw-r-- # -rw-rw-r--
BIN2= motd BIN2= motd


+ 4
- 4
src/etc/changelist View File

@ -1,4 +1,4 @@
# $OpenBSD: changelist,v 1.92 2014/07/13 13:53:36 rpe Exp $
# $OpenBSD: changelist,v 1.93 2014/07/14 09:04:02 deraadt Exp $
# #
# List of files which the security script backs up and checks # List of files which the security script backs up and checks
# for modifications. # for modifications.
@ -110,9 +110,9 @@
/etc/rc.conf /etc/rc.conf
/etc/rc.conf.local /etc/rc.conf.local
/etc/rc.d/rc.subr /etc/rc.d/rc.subr
/etc/rc.local
/etc/rc.securelevel
/etc/rc.shutdown
+/etc/rc.local
+/etc/rc.securelevel
+/etc/rc.shutdown
+/etc/relayd.conf +/etc/relayd.conf
+/etc/remote +/etc/remote
/etc/resolv.conf /etc/resolv.conf


src/etc/rc.local → src/etc/examples/rc.local View File

@ -1,4 +1,4 @@
# $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
# $OpenBSD: rc.local,v 1.1 2014/07/14 09:04:02 deraadt Exp $
# Site-specific startup actions, daemons, and other things which # Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode. For actions # can be done AFTER your system goes into securemode. For actions

+ 14
- 0
src/etc/examples/rc.securelevel View File

@ -0,0 +1,14 @@
# $OpenBSD: rc.securelevel,v 1.1 2014/07/14 09:04:02 deraadt Exp $
#
# site-specific startup actions, daemons, and other things which
# can be done BEFORE your system goes into securemode. For actions
# which should be done AFTER your system has gone into securemode
# please see /etc/rc.local
echo -n 'starting pre-securelevel daemons:'
#
# Place local actions here.
#
echo '.'
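Review bot: The header comment of this new example does not say that rc now runs the file with `sh /etc/rc.securelevel` instead of sourcing it, so someone carrying over an old file may still expect a `securelevel=` assignment here to take effect. I would add a line such as `# This file is executed by rc(8), not sourced; variables set here (e.g. securelevel=) are not seen by rc.` The same sentence would fit the rc.shutdown example, where `powerdown=` is likewise no longer read.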

src/etc/rc.shutdown → src/etc/examples/rc.shutdown View File

@ -1,10 +1,6 @@
# $OpenBSD: rc.shutdown,v 1.12 2011/04/22 06:08:14 ajacoutot Exp $
# $OpenBSD: rc.shutdown,v 1.1 2014/07/14 09:04:02 deraadt Exp $
# #
# If it exists, this script is run at system-shutdown by reboot(8), # If it exists, this script is run at system-shutdown by reboot(8),
# halt(8). If the architecture supports keyboard requested halting, # halt(8). If the architecture supports keyboard requested halting,
# it is also run by init(8) when such an event happens. # it is also run by init(8) when such an event happens.
# #
powerdown=NO # set to YES for powerdown
# Add your local shutdown actions here.

+ 5
- 11
src/etc/rc View File

@ -1,4 +1,4 @@
# $OpenBSD: rc,v 1.430 2014/07/14 03:45:55 deraadt Exp $
# $OpenBSD: rc,v 1.431 2014/07/14 09:04:02 deraadt Exp $
# System startup script run by init on autoboot # System startup script run by init on autoboot
# or after single-user. # or after single-user.
@ -283,7 +283,7 @@ if [ X"$1" = X"shutdown" ]; then
fi fi
echo /etc/rc.shutdown in progress... echo /etc/rc.shutdown in progress...
[ -f /etc/rc.shutdown ] && . /etc/rc.shutdown
[ -f /etc/rc.shutdown ] && sh /etc/rc.shutdown
echo /etc/rc.shutdown complete. echo /etc/rc.shutdown complete.
else else
echo single user: not running shutdown scripts echo single user: not running shutdown scripts
@ -296,9 +296,6 @@ if [ X"$1" = X"shutdown" ]; then
esac esac
done done
if [ X"${powerdown}" = X"YES" ]; then
exit 2
fi
exit 0 exit 0
fi fi
@ -460,11 +457,8 @@ echo clearing /tmp
setup_X_sockets setup_X_sockets
[ -f /etc/rc.securelevel ] && . /etc/rc.securelevel
if [ X"${securelevel}" != X"" ]; then
echo -n 'setting kernel security level: '
sysctl kern.securelevel=${securelevel}
fi
[ -f /etc/rc.securelevel ] && sh /etc/rc.securelevel
sysctl kern.securelevel=1
# patch /etc/motd # patch /etc/motd
if [ ! -f /etc/motd ]; then if [ ! -f /etc/motd ]; then
@ -537,7 +531,7 @@ if [ -n "${pkg_scripts}" ]; then
echo '.' echo '.'
fi fi
[ -f /etc/rc.local ] && . /etc/rc.local
[ -f /etc/rc.local ] && sh /etc/rc.local
ifconfig -g carp -carpdemote 128 # disable carp interlock ifconfig -g carp -carpdemote 128 # disable carp interlock
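Review bot: At the rc.securelevel step the level is now fixed by `sysctl kern.securelevel=1`, so a host whose existing /etc/rc.securelevel set `securelevel=2` will come up at level 1 after this change without any message. A leftover `powerdown=YES` in /etc/rc.shutdown is dropped just as silently, because the files now run in a child `sh` and rc never sees their variables. A comment above the sysctl line would make the new contract visible, for example `# always raised to 1 here; sites needing level 2 should run sysctl kern.securelevel=2 from /etc/rc.local`. The removed `echo -n 'setting kernel security level: '` also leaves the sysctl output unlabelled on the console, which may be worth keeping for boot-log readability. The enclosing blocks of all four hunks start and end outside the lines shown.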


+ 0
- 22
src/etc/rc.securelevel View File

@ -1,22 +0,0 @@
# $OpenBSD: rc.securelevel,v 1.16 2004/07/06 04:05:03 deraadt Exp $
#
# site-specific startup actions, daemons, and other things which
# can be done BEFORE your system goes into securemode. For actions
# which should be done AFTER your system has gone into securemode
# please see /etc/rc.local
# This is the desired security level
# XXX
# XXX it is not really acceptable to put this value in a configuration
# XXX file, because locking it down requires immutability on about
# XXX 5 files instead of 2 (the kernel and init)
# XXX
securelevel=1
echo -n 'starting pre-securelevel daemons:'
#
# Place local actions here.
#
echo '.'
