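#!/bin/bash
###########################################################################
#
# Copyright (c) 2023 Diality Inc. - All Rights Reserved.
#
# This is in part based on scripts developed by Sunrise Labs Inc.
#
# THIS CODE MAY NOT BE COPIED OR REPRODUCED IN ANY FORM, IN PART OR IN
# WHOLE, WITHOUT THE EXPLICIT PERMISSION OF THE COPYRIGHT OWNER.
#
# @file start.sh
#
# @author (last) Philip Braica
# @date (last) 22-Mar-2023
# @author (original) Philip Braica
# @date (original) 22-Mar-2023
#
############################################################################
# @details
# This file sets up and verifies some of the SOM security.
#
# Expected to run as root: it moves files between home directories,
# changes ownership, sets the immutable attribute and edits group
# membership. There is deliberately no 'set -e': every step is attempted
# and failures are reported, so a partial setup is visible rather than
# silently abandoned half-way.

# Number of problems detected while setting up / verifying security.
# Incremented by the setup and verification steps when something fails.
NUM_PROBLEMS=0

############################################################################
# Debug output (blue prefix).
#
# Globals:
#   None
# Arguments:
#   $1 Message text.
# Outputs:
#   "Dbg: <message>" on stdout, prefix coloured blue.
############################################################################
function debug() {
  # %s keeps the message literal: with 'echo -e' a message containing
  # backslash sequences, or starting with -n/-e, would be reinterpreted.
  printf '\033[0;34mDbg: \033[0m%s\n' "$1"
}

############################################################################
# Info output (green prefix).
#
# Globals:
#   None
# Arguments:
#   $1 Message text.
# Outputs:
#   "Info: <message>" on stdout, prefix coloured green.
############################################################################
function info() {
  # %s keeps the message literal (see debug()).
  printf '\033[0;32mInfo: \033[0m%s\n' "$1"
}

############################################################################
# Warning output (purple prefix).
#
# Globals:
#   None
# Arguments:
#   $1 Message text.
# Outputs:
#   "Warn: <message>" on stdout, prefix coloured purple.
############################################################################
function warn() {
  # %s keeps the message literal (see debug()).
  printf '\033[0;35mWarn: \033[0m%s\n' "$1"
}

############################################################################
# Error output (red prefix).
#
# Globals:
#   None
# Arguments:
#   $1 Message text.
# Outputs:
#   "Error: <message>" on stdout, prefix coloured red.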
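############################################################################
function error() {
  # %s keeps the message literal: with 'echo -e' a message containing
  # backslash sequences, or starting with -n/-e, would be reinterpreted.
  printf '\033[0;31mError: \033[0m%s\n' "$1"
}

############################################################################
# Append a line to a file unless the file already contains a string.
# If $1 is not found in $2 (fixed-string substring match, not a full
# line), append line $3 to the end of $2.
#
# Globals:
#   None
# Arguments:
#   $1 Fixed string to look for (not a regex).
#   $2 File name (created by the append if it does not exist).
#   $3 Line to append.
# Outputs:
#   None
# Returns:
#   0 if the string was already present or the append succeeded.
############################################################################
function appendIfMissing() {
  local needle="$1" target="$2" line="$3"
  # Kept as one command so it can be pasted over a remote shell.
  # '--' stops a needle beginning with '-' being parsed as a grep option;
  # printf '%s' writes the line exactly as given (echo would mangle
  # backslashes and a leading -n/-e).
  grep -qF -- "${needle}" "${target}" || printf '%s\n' "${line}" >> "${target}"
}

############################################################################
# Remove every line of file $2 that contains the string $1.
#
# Globals:
#   None
# Arguments:
#   $1 String to look for; matched literally (regex metacharacters and
#      '/' are escaped before being handed to sed).
#   $2 File name.
# Outputs:
#   None
# Returns:
#   1 without touching anything if $1 or $2 is empty, else sed's status.
############################################################################
function removeIfFound() {
  local needle="$1" target="$2" pattern
  # An empty needle would turn into '//d' and wipe the whole file.
  [[ -n "${needle}" && -n "${target}" ]] || return 1
  # Escape BRE metacharacters and the '/' delimiter so that the needle
  # cannot be misread as a pattern (or break the s/// delimiter).
  pattern=$(printf '%s' "${needle}" | sed 's/[][\\/.*^$]/\\&/g')
  sed -i -e "/${pattern}/d" -- "${target}"
}

############################################################################
# Turn on some ssh security: force PermitRootLogin off and make sure the
# daemon will accept the resulting configuration before restarting it.
#
# Globals:
#   NUM_PROBLEMS (written on failure)
# Arguments:
#   None
# Outputs:
#   Warning / error text on problems.
# Returns:
#   1 if sshd rejects the edited config (sshd is then NOT restarted).
############################################################################
function secureSsh() {
  local fileTarget="/etc/ssh/sshd_config"

  # sshd_config is root-equivalent (PermitRootLogin, AuthorizedKeysCommand,
  # ForceCommand, ...). Keep it writable by root only: granting group
  # write here would let any member of the file's group take over the
  # host. 0644 is the mode sshd expects for this file.
  chmod u=rw,go=r -- "${fileTarget}" || {
    error "chmod of ${fileTarget} failed"
    NUM_PROBLEMS=$((NUM_PROBLEMS + 1))
  }

  # Drop every existing PermitRootLogin line (commented defaults too) and
  # append a single explicit 'no'.
  removeIfFound "PermitRootLogin" "${fileTarget}"
  appendIfMissing "PermitRootLogin" "${fileTarget}" "PermitRootLogin no"

  if command -v sshd >/dev/null 2>&1; then
    # Never restart sshd with a config it rejects: on a remote SOM that is
    # a lock-out.
    if ! sshd -t -f "${fileTarget}"; then
      error "${fileTarget} fails 'sshd -t'; not restarting sshd"
      NUM_PROBLEMS=$((NUM_PROBLEMS + 1))
      return 1
    fi
    # The directive was appended at the end of the file. If the file ends
    # in a Match block, the directive only applies inside that block.
    # 'sshd -T' prints the effective global value, which catches that.
    if ! sshd -T -f "${fileTarget}" 2>/dev/null | grep -qi '^permitrootlogin no$'; then
      warn "PermitRootLogin is not effectively 'no' in ${fileTarget}"
      NUM_PROBLEMS=$((NUM_PROBLEMS + 1))
    fi
  else
    warn "sshd not found in PATH; skipping sshd_config verification"
  fi

  # Restart service on remote.
  # NOTE(review): this restarts a slice rather than sshd.service / ssh.service;
  # confirm it is the unit that actually hosts sshd on this image.
  systemctl restart system-sshd.slice || {
    error "restart of system-sshd.slice failed"
    NUM_PROBLEMS=$((NUM_PROBLEMS + 1))
  }
}

############################################################################
# Move the customers app files to the app users home directories,
# change the owner, and set the immutable attribute.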
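#
# Globals:
#   NUM_PROBLEMS (written on failure)
# Arguments:
#   None
# Outputs:
#   Error text for each step that fails.
############################################################################

############################################################################
# Record a failed step: log it and bump the problem counter.
#
# Globals:
#   NUM_PROBLEMS (written)
# Arguments:
#   $1 Description of what failed.
# Outputs:
#   Error text.
# Returns:
#   Always 1, so it can be used as 'cmd || reportProblem "..."'.
############################################################################
function reportProblem() {
  error "$1"
  NUM_PROBLEMS=$((NUM_PROBLEMS + 1))
  return 1
}

function moveCustomerAppFiles() {
  # '~' is the HOME of the account running this script (presumably root,
  # where the app files were uploaded) -- TODO confirm against the deploy
  # step. Not idempotent: if the target already holds a directory of the
  # same name (e.g. from an earlier run, now immutable), mv nests into it.
  mv -- ~/cloudsync /home/cloud/ || reportProblem "failed to move ~/cloudsync to /home/cloud/"
  mv -- ~/denali /home/denali/   || reportProblem "failed to move ~/denali to /home/denali/"
  mv -- ~/scripts /home/denali/  || reportProblem "failed to move ~/scripts to /home/denali/"

  # Hand each tree to its app user and hide it from everyone else.
  # 'user:group' rather than the deprecated 'user.group' spelling.
  chown -R cloud:cloud -- /home/cloud     || reportProblem "chown of /home/cloud failed"
  chmod -R o-rwx -- /home/cloud           || reportProblem "chmod of /home/cloud failed"
  chown -R denali:denali -- /home/denali  || reportProblem "chown of /home/denali failed"
  chmod -R o-rwx -- /home/denali          || reportProblem "chmod of /home/denali failed"
}

############################################################################
# Set all permissions for our users that are not root.
#
# Globals:
#   NUM_PROBLEMS (written on failure)
# Arguments:
#   None
# Outputs:
#   Error text for each step that fails.
############################################################################
function setPermissionsCustomerAppFiles() {
  local entry

  # Other users get no access to the app trees; the denali binary itself
  # must stay readable and executable by its owner.
  chmod -R o-rwx -- /home/cloud        || reportProblem "chmod of /home/cloud failed"
  chmod -R o-rwx -- /home/denali       || reportProblem "chmod of /home/denali failed"
  chmod u+rx -- /home/denali/denali    || reportProblem "chmod of /home/denali/denali failed"

  # CloudSync configuration: owned by cloud, read-only for the denali
  # group (group owner), invisible to others.
  mkdir -p -- /var/configuration/CloudSync                  || reportProblem "mkdir /var/configuration/CloudSync failed"
  chown -R cloud:denali -- /var/configuration/CloudSync     || reportProblem "chown of /var/configuration/CloudSync failed"
  chmod -R g-w,g+r,o-rwx -- /var/configuration/CloudSync    || reportProblem "chmod of /var/configuration/CloudSync failed"

  # CloudSync area on the SD card: owned by cloud, READ-WRITE for the
  # denali group (unlike the configuration directory above).
  # NOTE(review): if /media/sd-card is not mounted yet, mkdir -p creates
  # this on the root filesystem and a later mount hides it -- confirm the
  # mount happens before this script runs.
  mkdir -p -- /media/sd-card/cloudsync                      || reportProblem "mkdir /media/sd-card/cloudsync failed"
  chown -R cloud:denali -- /media/sd-card/cloudsync         || reportProblem "chown of /media/sd-card/cloudsync failed"
  chmod -R u+rw,g+rw,o-rwx -- /media/sd-card/cloudsync      || reportProblem "chmod of /media/sd-card/cloudsync failed"

  # Log and service directories belong to denali outright. They are not
  # created here, so a missing one is reported instead of passing silently.
  chown -R denali:denali -- /media/sd-card/log              || reportProblem "chown of /media/sd-card/log failed"
  chown -R denali:denali -- /media/sd-card/service          || reportProblem "chown of /media/sd-card/service failed"

  # Make the installed app files immutable. This must stay AFTER every
  # chown/chmod above, because +i blocks those as well. Only non-dot
  # entries are covered; dotfiles such as shell rc files in these homes
  # stay mutable -- TODO confirm that is intended.
  for entry in /home/cloud/* /home/denali/*; do
    [[ -e "${entry}" ]] || continue   # unmatched glob is left as a literal
    chattr -R +i "${entry}" || reportProblem "chattr +i on ${entry} failed"
  done

  # Supplementary groups for the denali app. 'input' grants read access to
  # every /dev/input device (any keyboard, i.e. keystroke capture) and
  # 'tty' to terminal devices; keep this list to what the app really needs.
  usermod -a -G video denali || reportProblem "adding denali to group video failed"
  usermod -a -G input denali || reportProblem "adding denali to group input failed"
  usermod -a -G tty denali   || reportProblem "adding denali to group tty failed"
}

############################################################################
# Entry point: install the app files, apply permissions and report.
#
# Globals:
#   NUM_PROBLEMS (read)
# Arguments:
#   None (any arguments are ignored).
# Outputs:
#   Summary line; error text if any step failed.
# Returns:
#   0 when no problem was recorded, 1 otherwise.
############################################################################
function main() {
  # Move the app files to their home directories and set up the file
  # permissions needed to make them work.
  moveCustomerAppFiles
  setPermissionsCustomerAppFiles

  # Turn off root login by ssh. Currently disabled: until this is
  # re-enabled, PermitRootLogin keeps whatever the image's sshd_config
  # says -- TODO confirm that is acceptable for shipped SOMs.
  # secureSsh

  if (( NUM_PROBLEMS > 0 )); then
    error "${NUM_PROBLEMS} problem(s) while setting up SOM security"
    return 1
  fi
  info "SOM security setup completed without problems"
  return 0
}

# Running the main function; the exit status tells the caller whether
# every step succeeded (0) or at least one problem was reported (1).
main "$@"
exit "$?"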