#!/bin/sh
# Paths of the OpenSSL request config, the server's private key and
# certificate, and the marker recording that OMI generated the certificate.
cnffile="/etc/opt/omi/ssl/ssl.cnf"
keyfile="/etc/opt/omi/ssl/omikey.pem"
certfile="/etc/opt/omi/ssl/omi.pem"
omicertmarkerfile="/etc/opt/omi/ssl/.omi_cert_marker"
# Name of the openssl binary; switched to "openssl1" further down when the
# SUSE 11 probe succeeds.
OPENSSL_PATH=openssl
# Detects a SUSE 11 host that also provides an "openssl1" binary.
# Globals:  VERSION (written)
# Returns:  0 when /etc/SuSE-release reports version 11 and `which openssl1`
#           succeeds; 1 in every other case.
is_suse11_platform_with_openssl1() {
  [ -f /etc/SuSE-release ] || return 1

  # awk prints the third field of the matching "VERSION = 11" line.
  VERSION=$(grep "VERSION = 11" /etc/SuSE-release | awk 'FS=":"{print $3}')
  [ -n "$VERSION" ] || return 1

  which openssl1 >/dev/null 2>&1
  # $? still refers to `which` here; $VERSION stays unquoted as before.
  if [ $? -eq 0 -a $VERSION -eq 11 ]; then
    return 0
  fi
  return 1
}
# Use the "openssl1" binary when the SUSE 11 probe reports it is available.
if is_suse11_platform_with_openssl1; then
  OPENSSL_PATH="openssl1"
fi
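# Writes the OpenSSL request configuration used for the self-signed cert.
# Globals:   cnffile (read) - path of the config file, overwritten
# Arguments: $1 - short host name, written as the first CN
#            $2 - long host name, written as the second CN
# Returns:   exit status of the write
# Both arguments are copied verbatim into the file, so callers must pass
# values they trust (this script passes names obtained from the local host).
WriteSSLconfig() {
  # Generate ssl.cnf. The target is quoted so that a path containing spaces
  # or glob characters is not split or expanded by the shell.
  cat > "$cnffile" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = $1
CN = $2
EOF
}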
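# Creates a new 2048-bit RSA key and a self-signed certificate valid for
# 3650 days, using the request configuration in $cnffile.
# Globals:  OPENSSL_PATH, cnffile, keyfile, certfile (read)
# Returns:  exit status of the openssl command
GenerateKeyCert() {
  # -nodes stores the private key unencrypted, so the files are created
  # under a restrictive umask rather than relying only on a later chmod.
  # The subshell keeps the umask change from leaking into the caller.
  #
  # The certificate is signed with SHA-256 instead of SHA-1: SHA-1 is no
  # longer collision resistant and newer TLS stacks may refuse such
  # certificates.
  (
    umask 077
    "$OPENSSL_PATH" req -x509 -sha256 -newkey rsa:2048 -days 3650 -nodes \
      -config "$cnffile" -keyout "$keyfile" -out "$certfile"
  )
}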
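# Carries the sslciphersuite and httpsport settings over from a previous
# OMI / SCX configuration into /etc/opt/omi/conf/omiserver.conf.
# Globals:  HTTPSPORT (written)
# Returns:  status of the last command run
#
# Changes against the earlier version of this function:
#   - nothing is appended when the previous file has no cipher-suite line
#     (an empty line used to be appended), and several matching lines are
#     no longer folded into one;
#   - $HTTPSPORT is quoted when passed to omiconfigeditor;
#   - omiserver.conf is replaced only when omiconfigeditor produced output,
#     so a failed run no longer overwrites the config with an empty file.
HandleConfigFiles() {
  local conf prev candidate cipher
  conf=/etc/opt/omi/conf/omiserver.conf

  # Only the first previous configuration file that exists is consulted,
  # for both settings, in the same order as before.
  prev=""
  for candidate in \
    /etc/opt/omi/conf/omiserver.conf.rpmsave \
    /etc/opt/omi/conf/omiserver.conf.pkgsave \
    /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave \
    /etc/opt/microsoft/scx/conf/omiserver.conf \
    /etc/opt/microsoft/scx/conf/cimserver_current.conf; do
    if [ -f "$candidate" ]; then
      prev=$candidate
      break
    fi
  done

  # if there is no sslCipherSuite defined in omiserver.conf, check the
  # previous omiserver/cimserver OM conf files for an sslCipherSuite defined
  if ! grep -i "sslciphersuite" "$conf" 1> /dev/null 2> /dev/null && [ -n "$prev" ]; then
    if [ "$prev" = /etc/opt/microsoft/scx/conf/cimserver_current.conf ]; then
      # cimserver spells the key in camel case; omiserver.conf uses lower case
      cipher=$(grep sslCipherSuite "$prev" | sed "s@sslCipherSuite@sslciphersuite@")
    else
      cipher=$(grep sslciphersuite "$prev")
    fi
    if [ -n "$cipher" ]; then
      printf '%s\n' "$cipher" >> "$conf"
    fi
  fi

  # If omiserver.conf carries httpsport=0, look for a port in the previous files
  if grep -q '^httpsport=0$' "$conf" 1> /dev/null 2> /dev/null; then
    HTTPSPORT=""
    if [ -n "$prev" ]; then
      HTTPSPORT=$(grep '^httpsport=' "$prev" | cut -d= -f2)
    fi

    # If we found an HTTPSPORT from previous configuration, then restore it now
    if [ -n "$HTTPSPORT" ]; then
      # omiconfigeditor requires SSL linkage to be set up properly on Linux
      # If the file to set these up exists, run it
      if [ -f /opt/omi/bin/support/installssllinks ]; then
        /opt/omi/bin/support/installssllinks
      fi

      echo "Restoring OMI HTTPSPORT to $HTTPSPORT ..."
      /opt/omi/bin/omiconfigeditor httpsport -s "$HTTPSPORT" < "$conf" > "${conf}_temp"
      # NOTE(review): omiconfigeditor's exit status convention is not visible
      # here, so only the presence of output is checked - confirm and tighten.
      if [ -s "${conf}_temp" ]; then
        mv "${conf}_temp" "$conf"
      else
        echo "omiconfigeditor produced no output; leaving $conf unchanged" 1>&2
        rm -f "${conf}_temp"
      fi
    fi
  fi
}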
# Handle upgrade from older SCX configurations. This needs to be in OMI since
# certain installers (Debian) will delete unused configuration files before
# %Pre / %Post see the light of day. For OMI config, do it before SCX install.
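HandleConfigFiles

# Generate the server key and self-signed certificate unless both exist.
# NOTE(review): when an existing key is reused, its mode is not re-applied
# in this branch - confirm the key is not left readable by other users.
if [ -f "$keyfile" ] && [ -f "$certfile" ]; then
  echo
  echo "************************************************************"
  echo "* Warning: The certificate and keyfile were not generated *"
  echo "* since they already exist. *"
  echo "************************************************************"
else
  hostname=$(hostname)
  longhostname=""

  # Try to get the FQDN with fallbacks:

  ##
  ## First try hostname -f (this will fail on some Linux systems)
  ##
  hn=$(hostname -f 2> /dev/null)
  if [ "$?" = "0" ]; then
    longhostname=$hn
  fi

  ##
  ## Attempt to obtain the domain name from /etc/resolv.conf
  ##
  if [ -z "$longhostname" ] && [ -f "/etc/resolv.conf" ]; then
    domain=$(grep '^domain' /etc/resolv.conf | awk '{print $2}')
    if [ -n "$domain" ]; then
      longhostname="$hostname.$domain"
    fi
  fi

  ##
  ## Attempt to obtain long hostname with 'nslookup' command
  ##
  if [ -z "$longhostname" ] && [ -n "$(which nslookup 2> /dev/null)" ]; then
    # The host name is quoted and matched as a fixed string, so characters
    # such as "." are not interpreted as a regular expression.
    lhs=$(nslookup "$hostname" | grep '^Name:' | awk '{print $2}' | grep -F -- "$hostname")
    if [ -n "$lhs" ]; then
      longhostname=$lhs
    fi
  fi

  if [ -z "$longhostname" ]; then
    longhostname="$hostname"
  fi

  WriteSSLconfig "$hostname" "$longhostname"

  # When the FQDN is not RFC compliant, openssl fails to generate a certificate.
  # We will try a fallback for the FQDN.
  GenerateKeyCert
  if [ $? -ne 0 ]; then
    echo "Error generating ssl keys. Now trying fallback FQDN : localhost.local" 1>&2
    WriteSSLconfig localhost localhost.local
    GenerateKeyCert
  fi

  if [ -f "$keyfile" ] && [ -f "$certfile" ]; then
    # Private key: owner only. Certificate: world readable.
    chmod 600 "$keyfile"
    chmod 644 "$certfile"
  else
    echo "Unexpected error : $keyfile or $certfile were not generated by $OPENSSL_PATH" 1>&2
    echo "Fully qualified domain name likely not RFC compliant" 1>&2
    exit 1
  fi

  # Generate a marker that exists to prove that the cert in this directory
  # was generated by omi (as opposed to OM's cert which will overwrite OMI's
  # cert when OM is installed)
  touch "$omicertmarkerfile"
fi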
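# Builds the PAM lines for the "omi" service on systems that use a single
# /etc/pam.conf, and stores them in $omi_conf.
# Globals:  omi_conf, sshd_conf, other_conf (written)
# Outputs:  a notice when the custom configuration file is used
# Returns:  0 on success (omi_conf is left untouched when an "other"
#           service entry exists), 1 when a file could not be read or parsed
GetNewPAMConfig_file() {
  #
  # See if we have special marker file to use for PAM
  # For ease in customer debugging, return bad config if file is bad
  #
  # NOTE(review): this file is installed verbatim as the PAM policy for omi;
  # confirm it can only be written by root.
  if [ -f /etc/opt/omi/conf/pam.conf ]; then
    # PAM configuration file found; use that
    omi_conf=$(cat /etc/opt/omi/conf/pam.conf)
    if [ $? -ne 0 ]; then
      # We had some sort of problem reading file
      # STDERR should have output; just return failure
      return 1
    fi
    echo "Used custom PAM configuration from /etc/opt/omi/conf/pam.conf"
    return 0
  fi

  #
  # Get configuration for sshd, service modules types auth and account
  #
  sshd_conf=$(grep -E "^[# ]*sshd[ ]+(auth|account)" /etc/pam.conf)
  if [ $? -ne 0 ]; then
    # No match found
    # sshd not explicitly configured.
    # Check to see if "other" is configured
    other_conf=$(grep -E "^[# ]*other[ ]+(auth|account)" /etc/pam.conf)
    if [ $? -eq 0 ]; then
      # "other" was found - use that (do not write any sort of new PAM configuration)
      return 0
    fi

    # Use passwd
    if [ -e "/etc/debian_version" ]; then
      # NOTE(review): nullok_secure can admit accounts with an empty password;
      # confirm that is acceptable for a remote management service.
      sshd_conf=$(printf "omi auth required pam_env.so\nomi auth required pam_unix.so nullok_secure\nomi account required pam_unix.so\nomi session required pam_limits.so")
    elif [ ! -e "/etc/sysconfig/networking" ] && [ ! -e "/etc/sysconfig/network-scripts" ]; then
      # The second test used to read [ ! -e"..."] (no spaces), which made
      # `[` fail with "missing ]" so that this branch could never be taken.
      sshd_conf=$(printf "omi auth include common-auth\nomi auth required pam_nologin.so\nomi account include common-account")
    else
      sshd_conf=$(printf "omi auth include system-auth\nomi account required pam_nologin.so\nomi account include system-auth")
    fi
  fi

  #
  # Substitute sshd with omi.
  #
  omi_conf=$(echo "$sshd_conf" | sed "s/sshd/omi/g")
  if [ $? -ne 0 ]; then
    echo "can't parse /etc/pam.conf"
    return 1
  fi
}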
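# Builds the PAM lines for the "omi" service on systems that use the
# /etc/pam.d directory, and stores them in $omi_conf.
# Globals:  omi_conf, sshd_conf (written)
# Outputs:  a notice when the custom configuration file is used
# Returns:  0 on success, 1 when the custom file could not be read
GetNewPAMConfig_dir() {
  #
  # See if we have special marker file to use for PAM
  # For ease in customer debugging, return bad config if file is bad
  #
  # NOTE(review): this file is installed verbatim as the PAM policy for omi;
  # confirm it can only be written by root.
  if [ -f /etc/opt/omi/conf/pam.conf ]; then
    # PAM configuration file found; use that
    omi_conf=$(cat /etc/opt/omi/conf/pam.conf)
    if [ $? -ne 0 ]; then
      # We had some sort of problem reading file
      # STDERR should have output; just return failure
      return 1
    fi
    echo "Used custom PAM configuration from /etc/opt/omi/conf/pam.conf"
    return 0
  fi

  #
  # Get configuration for sshd, service modules types auth and account
  #
  sshd_conf=$(grep -E "(auth|account)" /etc/pam.d/sshd 2> /dev/null)
  if [ $? -ne 0 ]; then
    # No match found
    # sshd not explicitly configured.
    # Use passwd
    if [ -e "/etc/debian_version" ]; then
      # NOTE(review): nullok_secure can admit accounts with an empty password;
      # confirm that is acceptable for a remote management service.
      sshd_conf=$(printf "auth required pam_env.so\n auth required pam_unix.so nullok_secure\n account required pam_unix.so\n session required pam_limits.so")
    elif [ ! -e "/etc/sysconfig/networking" ] && [ ! -e "/etc/sysconfig/network-scripts" ]; then
      # The second test used to read [ ! -e"..."] (no spaces), which made
      # `[` fail with "missing ]" so that this branch could never be taken.
      sshd_conf=$(printf "auth include common-auth\n auth required pam_nologin.so\n account include common-account")
    else
      sshd_conf=$(printf "auth include system-auth\n account required pam_nologin.so\n account include system-auth")
    fi
  fi

  # The sshd policy (or the fallback above) is reused unchanged for omi.
  omi_conf=$sshd_conf
}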
#
#
# ConfigurePAM
#
#
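# Adds an "omi" section to /etc/pam.conf unless one is already present.
# Globals:  omi_conf (read; set by GetNewPAMConfig_file)
# Returns:  0 when omi is configured or nothing had to be written,
#           1 when the new configuration could not be built or written
ConfigurePAM_file() {
  #
  # First check if omi is already configured in pam.conf
  #
  grep -s "^[# ]*omi" /etc/pam.conf > /dev/null 2>&1
  if [ $? -eq 0 ]; then
    # Match found
    # Looks like omi is already configured
    echo "omi already configured"
    return 0
  fi

  # Stop when the new configuration could not be produced, rather than
  # continuing with whatever $omi_conf happens to hold.
  GetNewPAMConfig_file || return 1

  #
  # Only update pam.conf if we are returning some new configuration
  if [ -n "$omi_conf" ]; then
    # Write the final configuration to pam.conf
    #
    # copy file first and modify this copy, so in case of low disk space we
    # preserve the original file. -p keeps the mode and ownership of
    # /etc/pam.conf on the copy that later replaces it.
    # $omi_conf is passed as an argument, not as part of the printf format,
    # so a "%" or backslash in the PAM lines is written literally.
    cp -p /etc/pam.conf /etc/pam.conf.omi-copy \
      && printf '# The configuration of omi is generated by the omi installer.\n%s\n# End of section generated by the omi installer.\n' "$omi_conf" >> /etc/pam.conf.omi-copy
    if [ $? -ne 0 ]; then
      echo "can't update file /etc/pam.conf.omi-copy"
      rm -f /etc/pam.conf.omi-copy
      return 1
    fi

    # verify that complete file was written
    grep "# End of section generated by the omi installer." /etc/pam.conf.omi-copy > /dev/null 2>&1
    if [ $? -ne 0 ]; then
      echo "can't update file /etc/pam.conf.omi-copy"
      rm -f /etc/pam.conf.omi-copy
      return 1
    fi

    # use move to substitute original file with verified copy
    mv /etc/pam.conf.omi-copy /etc/pam.conf
    if [ $? -ne 0 ]; then
      echo "can't replace /etc/pam.conf"
      return 1
    fi
  fi
}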
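# Creates /etc/pam.d/omi unless it already exists.
# Globals:  omi_conf (read; set by GetNewPAMConfig_dir)
# Returns:  0 when omi is configured, 1 when the configuration could not
#           be built or the file could not be created
ConfigurePAM_dir() {
  #
  # First check if omi is already configured
  #
  if [ -f /etc/pam.d/omi ]; then
    # Match found
    # Looks like omi is already configured
    echo "omi already configured"
    return 0
  fi

  # Do not install a header-only policy file when no configuration could be
  # produced: later runs would report "omi already configured" and never
  # repair it.
  GetNewPAMConfig_dir || return 1
  if [ -z "$omi_conf" ]; then
    echo "can't create /etc/pam.d/omi"
    return 1
  fi

  # The first line is written as "#%%PAM-1.0", byte for byte as before;
  # GetCurrentPAMConfig_dir filters on that exact text.
  printf '%s\n%s\n%s\n' \
    '#%%PAM-1.0' \
    '# The configuration of omi is generated by the omi installer.' \
    "$omi_conf" > /etc/pam.d/omi
  if [ $? -ne 0 ]; then
    echo "can't create /etc/pam.d/omi"
    return 1
  fi
}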
# Registers omi with PAM, using whichever layout the host has: a non-empty
# /etc/pam.conf takes precedence over the /etc/pam.d directory.
# Returns:  1 when neither layout is found; 0 otherwise. The status of the
#           layout-specific helper is not propagated.
ConfigurePAM() {
  if [ -s /etc/pam.conf ]; then
    ConfigurePAM_file
    return 0
  fi

  if [ -d /etc/pam.d ]; then
    ConfigurePAM_dir
    return 0
  fi

  # No pam configuration.
  echo "PAM does not seem to be configured."
  echo "Checked both /etc/pam.conf and /etc/pam.d."
  return 1
}
# Stores the omi lines currently present in /etc/pam.conf in
# $omi_current_conf.
# Globals:  omi_current_conf (written)
GetCurrentPAMConfig_file() {
  # NOTE(review): inside a bracket expression "\t" matches a backslash or the
  # letter t, not a tab; the pattern is kept exactly as it was.
  omi_current_conf=$(grep "^[#\t]*omi" /etc/pam.conf)
}
# Stores the contents of /etc/pam.d/omi, minus the two header lines written
# by the installer, in $omi_current_conf.
# Globals:  omi_current_conf (written)
GetCurrentPAMConfig_dir() {
  omi_current_conf=$(
    cat /etc/pam.d/omi \
      | grep -v "#%%PAM-1.0" \
      | grep -v "# The configuration of omi is generated by the omi installer."
  )
}
#
#
# UnconfigurePAM
#
#
# Removes the omi section from /etc/pam.conf.
# Globals:  pam_configuration (written)
# Returns:  0 when the file was rewritten or the filter produced no output,
#           1 when the temporary copy could not be written or moved
UnconfigurePAM_file() {
# Configured with single file
#
# Get all lines except omi configuration
#
pam_configuration=`grep -v "^[# ]*omi" /etc/pam.conf | grep -v "# The configuration of omi is generated by the omi installer." | grep -v "# End of section generated by the omi installer."`
# $? is the status of the last grep in the pipeline: it is non-zero when no
# line survives the filters.
# NOTE(review): that is not the same as "omi not configured" - a pam.conf
# holding only omi lines also ends up here and is left unchanged; confirm.
if [ $? -ne 0 ]; then
# omi not configured in PAM
return 0
fi
#
# Write it back (to the copy first)
#
# cp -p creates the temporary file with the mode and ownership of
# /etc/pam.conf; its content is then overwritten with the filtered lines.
# NOTE(review): the result of cp itself is not checked.
cp -p /etc/pam.conf /etc/pam.conf.tmp
echo "$pam_configuration" > /etc/pam.conf.tmp
if [ $? -ne 0 ]; then
echo "can't write to /etc/pam.conf.tmp"
return 1
fi
# Replace the original with the filtered copy.
mv /etc/pam.conf.tmp /etc/pam.conf
if [ $? -ne 0 ]; then
echo "can't replace /etc/pam.conf"
return 1
fi
}
# Removes /etc/pam.d/omi when it exists (directory-based PAM layout).
# Returns:  0 in every case
UnconfigurePAM_dir() {
  # Nothing to do when omi has no service file.
  [ -f /etc/pam.d/omi ] || return 0
  rm -f /etc/pam.d/omi
  return 0
}
# Removes omi from PAM, using whichever layout the host has: a non-empty
# /etc/pam.conf takes precedence over the /etc/pam.d directory.
# Returns:  status of the layout-specific helper, or 0 when neither layout
#           is present
UnconfigurePAM() {
  if [ -s /etc/pam.conf ]; then
    UnconfigurePAM_file
    return
  fi

  [ -d /etc/pam.d ] || return 0
  UnconfigurePAM_dir
}
ConfigurePAM

# Log and run directories and the TLS private key belong to the omi account.
chown omi:omi /var/opt/omi/log /var/opt/omi/run /etc/opt/omi/ssl/omikey.pem

# Credential directory: owned by omi, read/search for the owner only.
chown omi:omi /etc/opt/omi/creds
chmod 500 /etc/opt/omi/creds

# Credential files; all output is discarded (presumably because they may
# not exist on every host - confirm).
chown omi:omi /etc/opt/omi/creds/omi.keytab /etc/opt/omi/.creds /etc/opt/omi/.creds/ntlm >/dev/null 2>&1

# Socket directory: owned by omi, no access for group or others.
chown omi:omi /etc/opt/omi/conf/sockets
chmod 700 /etc/opt/omi/conf/sockets

# Fix potential permissions issue on /etc/opt/omi directory
chown root:root /etc/opt/omi

# Various distributions have different paths for systemd unit files ...
SYSTEMD_UNIT_DIR=""
# Finds the directory that holds systemd unit files.
# Globals:  SYSTEMD_UNIT_DIR (written), i (written)
# Returns:  0 with SYSTEMD_UNIT_DIR set when systemd is running and a unit
#           directory exists; 1 when /run/systemd/system is absent.
#           Exits the script with status 1 when systemd is running but no
#           unit directory is found.
ResolveSystemdPaths()
{
  local UNIT_DIR_LIST="/usr/lib/systemd/system /lib/systemd/system"

  # Not a systemd host: nothing to resolve.
  [ -d /run/systemd/system ] || return 1

  # Find systemd unit directory; the first candidate that exists wins.
  for i in ${UNIT_DIR_LIST}; do
    [ -d $i ] || continue
    SYSTEMD_UNIT_DIR=${i}
    return 0
  done

  # Didn't find unit directory, that's fatal
  echo "FATAL: Unable to resolve systemd unit directory!" 1>&2
  exit 1
}
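# Stops a service and removes its registration from systemd, upstart or
# SysV init, whichever is found.
# Globals:   SERVICE (written), SYSTEMD_UNIT_DIR (read)
# Arguments: $1 - service name
# Returns:   0 immediately when /etc/.omi_disable_service_control exists.
#            Exits the script with status 1 when no name is given or no
#            known service controller is available.
#
# Changes against the earlier version of this function:
#   - the upstart job file is removed from /etc/init (the path that is
#     tested) instead of /usr/init;
#   - the systemd unit is only touched when a unit directory was resolved,
#     so an empty SYSTEMD_UNIT_DIR can no longer address "/<name>.service";
#   - expansions are quoted.
RemoveGenericService() {
  if [ -f /etc/.omi_disable_service_control ]; then
    return 0
  fi

  SERVICE=$1
  if [ -z "$SERVICE" ]; then
    echo "FATAL: RemoveGenericService requires parameter (service name)" 1>&2
    exit 1
  fi

  # Stop the service in case it's running
  ResolveSystemdPaths

  # Does systemd install on this system
  if [ -d /run/systemd/system ]; then
    # Do we have a systemd unit file?
    if [ -f "${SYSTEMD_UNIT_DIR}/${SERVICE}.service" ]; then
      /bin/systemctl stop "${SERVICE}"
    fi
  fi

  if [ -f "/etc/init/${SERVICE}.conf" ]; then
    # The upstart job name is fixed to omid, as before.
    initctl stop omid
  fi

  if [ -f "/etc/init.d/${SERVICE}" ]; then
    if [ -x /bin/systemctl ]; then
      /bin/systemctl stop "${SERVICE}"
    elif [ -x /sbin/service ]; then
      /sbin/service "${SERVICE}" stop
    elif [ -x /usr/sbin/service ]; then
      /usr/sbin/service "${SERVICE}" stop
    elif [ -x /usr/sbin/invoke-rc.d ]; then
      /usr/sbin/invoke-rc.d "${SERVICE}" stop
    else
      echo "Unrecognized service controller to stop ${SERVICE} service" 1>&2
      exit 1
    fi
  fi

  # Registered as a systemd service?
  #
  # Note: We've never deployed systemd unit files automatically in the %Files
  # section. Thus, for systemd services, it's safe to remove the file.
  if [ -n "${SYSTEMD_UNIT_DIR}" ] && [ -f "${SYSTEMD_UNIT_DIR}/${SERVICE}.service" ]; then
    echo "Unconfiguring ${SERVICE} (systemd) service ..."
    /bin/systemctl disable "${SERVICE}"
    rm -f "${SYSTEMD_UNIT_DIR}/${SERVICE}.service"
    /bin/systemctl daemon-reload
  fi

  if [ -f /etc/init/omid.conf ]; then
    echo "Unconfiguring omid (upstart) service ..."
    rm -f /etc/init/omid.conf
    initctl reload-configuration
  fi

  if [ -f "/etc/init.d/${SERVICE}" ]; then
    echo "Unconfiguring ${SERVICE} service ..."
    if [ -f /usr/sbin/update-rc.d ]; then
      /usr/sbin/update-rc.d -f "${SERVICE}" remove
    elif [ -x /usr/lib/lsb/remove_initd ]; then
      /usr/lib/lsb/remove_initd "/etc/init.d/${SERVICE}"
    elif [ -x /sbin/chkconfig ]; then
      chkconfig --del "${SERVICE}" > /dev/null
    else
      echo "Unrecognized Service Controller to unregister ${SERVICE} Service."
      exit 1
    fi
  fi
}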
# Stops OMI through its service_control helper.
# Returns:  exit status of service_control
StopOmiService() {
  /opt/omi/bin/service_control stop
  return $?
}
# Unregisters the omid service and deletes its init.d and upstart files.
# Returns:  0 when /etc/.omi_disable_service_control exists; otherwise the
#           status of the last test-and-remove line.
RemoveOmiService() {
  # Service control disabled by marker file: leave everything in place.
  [ ! -f /etc/.omi_disable_service_control ] || return 0

  RemoveGenericService omid

  [ -f /etc/init.d/omid ] && rm /etc/init.d/omid
  [ -f /etc/init/omid.conf ] && rm /etc/init/omid.conf
}
# Registers omid with the host's service manager (systemd, upstart or SysV
# init) and then starts it through service_control.
# Globals:  SYSTEMD_UNIT_DIR (read; set by ResolveSystemdPaths)
# Exits the script with status 1 when no SysV registration tool is found.
ConfigureOmiService() {
# If the marker file /etc/.omi_disable_service_control exists,
# OMI will not be configured with service manager. This may be used in a container
# environment, where service manager does not work reliably.
if [ ! -f /etc/.omi_disable_service_control ]; then
echo "Configuring OMI service ..."
if [ -d /run/systemd/system ]; then
# systemd
# ResolveSystemdPaths exits the script when no unit directory is found, so
# SYSTEMD_UNIT_DIR is set when the copy below runs.
ResolveSystemdPaths
cp /opt/omi/bin/support/omid.systemd ${SYSTEMD_UNIT_DIR}/omid.service
/bin/systemctl daemon-reload
/bin/systemctl enable omid
# The last operand is non-empty only when `/sbin/initctl list` succeeds.
elif [ -x /sbin/initctl -a -f /etc/init/networking.conf -a ! -z "$(/sbin/initctl list >/dev/null 2>&1 && echo $?)" ]; then
# If we have /sbin/initctl, we have upstart.
# Note that the upstart script requires networking,
# so only use upstart if networking is controlled by upstart (not the case in RedHat 6)
cp /opt/omi/bin/support/omid.upstart /etc/init/omid.conf
# initctl registers it with upstart
initctl reload-configuration
else
# SysV init: install the script, then register it with the first tool found.
cp /opt/omi/bin/support/omid.initd /etc/init.d/omid
# NOTE(review): the tools are tested by absolute path but update-rc.d and
# chkconfig are then run through PATH - confirm PATH is trusted here.
if [ -x /usr/sbin/update-rc.d ]; then
update-rc.d omid defaults > /dev/null
elif [ -x /usr/lib/lsb/install_initd ]; then
/usr/lib/lsb/install_initd /etc/init.d/omid
elif [ -x /sbin/chkconfig ]; then
chkconfig --add omid > /dev/null
else
echo "Unrecognized Service Controller to configure OMI Service."
exit 1
fi
fi
fi
# Runs whether or not the marker file exists.
/opt/omi/bin/service_control start
}
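# Installs /etc/cron.d/omilogrotate, which runs logrotate for the OMI logs
# every 15 minutes as root.
# Globals:  cronid, crondid (written)
# Outputs:  progress messages and warnings on stdout
# Returns:  early, without creating the job, when neither cron nor crond is
#           found by `which`
ConfigureCronForLogRotate()
{
  echo "Checking if cron is installed..."
  # warn the user that cron has to be installed if it is missing
  which cron >/dev/null 2>&1
  if [ $? -ne 0 ]; then
    which crond >/dev/null 2>&1
    if [ $? -ne 0 ]; then
      echo "WARNING: LogRotate can't be enabled, please install cron at first!"
      return
    fi
  fi

  echo "Checking if cron/crond service is started..."
  # warn the user that the cron/crond service has to be started if it is not
  # running. The pids used to be captured after stdout had been sent to
  # /dev/null and the test required both to be non-empty, so the warning
  # could never be printed; it now fires when neither daemon has a pid.
  cronid=$(pidof cron 2>/dev/null)
  crondid=$(pidof crond 2>/dev/null)
  if [ -z "$cronid" ] && [ -z "$crondid" ]; then
    echo "WARNING: LogRotate can be enabled, but please start cron/crond service!"
  fi

  echo "Set up a cron job to OMI logrotate every 15 minutes"
  # create the cron file if it doesn't exist
  if [ ! -f /etc/cron.d/omilogrotate ]; then
    (echo "*/15 * * * * root /usr/sbin/logrotate /etc/logrotate.d/omi --state /var/opt/omi/log/omi-logrotate.status >/dev/null 2>&1" > /etc/cron.d/omilogrotate) > /dev/null 2>&1
  fi
}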
# Fix permissions for new directories: group omiusers, mode 775.
# NOTE(review): 775 makes these directories writable by every member of
# omiusers; confirm that membership is limited to accounts trusted to add
# files there.
chgrp omiusers /opt/omi/lib /etc/opt/omi/conf/omiregister /var/opt/omi/omiusers
chmod 775 /opt/omi/lib /etc/opt/omi/conf/omiregister /var/opt/omi/omiusers

# Keytab helpers: read/execute for the owner only.
chmod 500 /opt/omi/bin/support/ktstrip /opt/omi/bin/support/config_keytab_update.sh

# Be certain that SSL linkages exist for OMI utilities
/opt/omi/bin/support/installssllinks

# Set up the cron job to update the omi.keytab (drop any old entry first)
/opt/omi/bin/support/config_keytab_update.sh --unconfigure
/opt/omi/bin/support/config_keytab_update.sh --configure

ConfigureCronForLogRotate
# Special handling for Red Hat 5, which does not have the SELinux "open" permission.
# Returns 0 when the system is Red Hat 5, 1 otherwise.
# Reports whether lsb_release identifies the host as RedHat release "5".
# Globals:  distro, distro_version (written)
# Returns:  0 for a match, 1 otherwise (including when lsb_release is absent)
is_redhat5() {
  [ -e /usr/bin/lsb_release ] || return 1

  distro=$(lsb_release -i | grep RedHat)
  [ -n "${distro}" ] || return 1

  # Only the exact string "5" counts as a match.
  distro_version=$(lsb_release -r | awk 'FS=":"{print $2}')
  if [ "${distro_version}" = "5" ]; then
    return 0
  fi
  return 1
}
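# Install the OMI SELinux policy modules when semodule is present, then
# register and start the service.
# NOTE(review): both error paths below leave the script with status 0 before
# ConfigureOmiService runs, so the package installs "successfully" with the
# service neither registered nor started - confirm this is intended.
if [ -e /usr/sbin/semodule ]; then
  echo "System appears to have SELinux installed, attempting to install selinux policy module for logrotate"
  echo " Trying /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp ..."
  sestatus=$(sestatus | grep status | awk '{print $3}')
  if [ -e /usr/bin/dpkg-deb ] && [ "$sestatus" = "disabled" ]; then
    echo "INFO: omi-logrotate selinux policy module has not yet installed due to selinux is disabled."
    echo "When enabling selinux, load omi-logrotate module manually with following commands for logrotate feature to work properly for omi logs."
    # The printed command used to reference $SEPKG_DIR_OMI, which this script
    # never sets, so the path shown to the administrator was wrong. It now
    # shows the path this script itself installs from.
    echo "/usr/sbin/semodule -i /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp >/dev/null 2>&1"
    echo "/sbin/restorecon -R /var/opt/omi/log/ > /dev/null 2>&1"
  else
    /usr/sbin/semodule -i /usr/share/selinux/packages/omi-selinux/omi-logrotate.pp >/dev/null 2>&1
    if [ $? -ne 0 ]; then
      echo "ERROR: omi-logrotate selinux policy module versions could not be installed"
      exit 0
    fi

    is_redhat5
    if [ $? -eq 0 ]; then
      echo " Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.el5.pp ..."
      /usr/sbin/semodule -i /usr/share/selinux/packages/omi-selinux/omi-selinux.el5.pp >/dev/null 2>&1
    else
      echo " Trying /usr/share/selinux/packages/omi-selinux/omi-selinux.pp ..."
      /usr/sbin/semodule -i /usr/share/selinux/packages/omi-selinux/omi-selinux.pp >/dev/null 2>&1
    fi
    # $? is the status of whichever semodule call ran in the branch above.
    if [ $? -ne 0 ]; then
      echo "ERROR: omi-selinux selinux policy module versions could not be installed"
      exit 0
    fi

    echo " Labeling omi log files ..."
    /sbin/restorecon -R /var/opt/omi/log/ > /dev/null 2>&1
  fi
fi

ConfigureOmiService
exit 0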