1 #!/bin/ksh -p
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License, Version 1.0 only
7 # (the "License"). You may not use this file except in compliance
8 # with the License.
9 #
10 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
11 # or http://www.opensolaris.org/os/licensing.
12 # See the License for the specific language governing permissions
13 # and limitations under the License.
14 #
15 # When distributing Covered Code, include this CDDL HEADER in each
16 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
17 # If applicable, add the following below this CDDL HEADER, with the
18 # fields enclosed by brackets "[]" replaced with your own identifying
19 # information: Portions Copyright [yyyy] [name of copyright owner]
20 #
21 # CDDL HEADER END
22 #
23 #
24 # Copyright 2011-2012 OmniTI Computer Consulting, Inc. All rights reserved.
25 # Use is subject to license terms.
26 # Copyright 2015 Nexenta Systems, Inc. All rights reserved.
27
28 # system-unconfigure: removes system-specific configuration, preparing the
29 # newly-cloned zone for use. It is similar to sys-unconfig, but designed
30 # only for use with zone cloning.
31
# Absolute path to sed; the functions below rely on it (including its -i
# in-place mode), so do not let PATH decide which sed is run.
SED="/usr/bin/sed"
33
# bomb MESSAGE...
#   Print MESSAGE between two rule lines on stdout and terminate the whole
#   script with status 1. Used as the "|| bomb ..." fallback after any step
#   that must not fail silently.
bomb() {
	typeset rule="======================================================"
	echo "$rule"
	echo "$*"
	echo "$rule"
	exit 1
}
40
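# Command line: -R <zone root> names the cloned zone's root directory.
while getopts "R:" opt; do
	case $opt in
	R)
		ALTROOT=$OPTARG
		if [[ -z "$ALTROOT" ]]; then
			bomb "Missing argument to option -R"
		fi
		;;
	*)
		# getopts has already printed its own diagnostic for an unknown
		# flag or a -R without an argument; do not carry on with a
		# half-parsed command line.
		bomb "Usage: $0 -R <zone root>"
		;;
	esac
done
shift $((OPTIND - 1))

# Every function below rewrites files under $ALTROOT/etc and $ALTROOT/var
# with rm/mv (including /etc/shadow and /etc/vfstab). With ALTROOT unset or
# "/" those paths collapse onto the running system, so refuse to proceed
# without a real, non-root target directory.
if [[ -z "$ALTROOT" ]]; then
	bomb "Option -R <zone root> is required"
fi
if [[ ! -d "$ALTROOT" ]]; then
	bomb "Zone root $ALTROOT is not a directory"
fi
# Canonicalise so that "/", "//", "/." and symlinks to / are all caught.
ALTROOT=$(cd "$ALTROOT" && pwd -P) || bomb "Cannot access zone root $ALTROOT"
if [[ "$ALTROOT" == "/" ]]; then
	bomb "Refusing to unconfigure the running system (-R /)"
fi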
52
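# blank_root_pw
#   Rewrite root's password field in $ALTROOT/etc/shadow. Only the second
#   field of the "root:" line is touched; every other line is copied as-is.
#   Bombs if the shadow file is missing or the rewrite fails.
blank_root_pw() {
	typeset shadow="$ALTROOT/etc/shadow"
	typeset staged="$shadow.blankroot"

	echo "--- Setting root's password to blank"
	# Without this check a missing shadow file would leave sed with empty
	# input and the mv below would install an EMPTY shadow file.
	[[ -f "$shadow" ]] || bomb "Missing $shadow"
	# The replacement is a fixed SHA-256 crypt string ($5$, salt kr1VgdIt).
	# Presumably it is the hash of the empty password, as the message says
	# (verify); either way every clone ends up with the identical hash and
	# salt until a real password is set.
	$SED -e 's%^root:[^:]*:%root:$5$kr1VgdIt$OUiUAyZCDogH/uaxH71rMeQxvpDEY2yX.x0ZQRnmeb9:%' "$shadow" > "$staged" || \
	    bomb "Failed to rewrite $shadow"
	# The shell creates $staged under the caller's umask (typically 0644);
	# tighten it before it becomes the live shadow file.
	chmod 0400 "$staged" || bomb "Failed to set mode on $staged"
	mv "$staged" "$shadow" || \
	    bomb "Failed to place modified $shadow"
}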
59
# clear_logs
#   Delete rotated copies of the system log and syslog under $ALTROOT and
#   truncate the live files to zero length.
clear_logs() {
	typeset logfile

	echo "--- Emptying log files"
	# Rotated copies go away entirely; the live files are truncated in place
	# so an existing file keeps its owner and mode.
	rm -f "$ALTROOT"/var/adm/messages.* "$ALTROOT"/var/log/syslog.*
	for logfile in "$ALTROOT/var/adm/messages" "$ALTROOT/var/log/syslog"; do
		: > "$logfile"
	done
	# NOTE(review): only these two logs are cleared; login accounting
	# (e.g. /var/adm/wtmpx, lastlog) and sulog/authlog, if present in the
	# image, are left as they were in the source zone -- confirm that is
	# intended.
}
67
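# disable_ldap
#   Remove the LDAP client state carried over from the source zone and mark
#   svc:/network/ldap/client:default disabled in the image's SMF repository.
#   Best effort: a missing or failing svccfg is reported on stderr but never
#   aborts the unconfigure. Always returns 0.
disable_ldap() {
	echo "--- Disabling any LDAP configuration"
	# Cached lookups, the client profile and the credential file (which can
	# hold the proxy bind password) must not carry into the clone.
	rm -f "$ALTROOT/var/ldap/ldap_client_cache"
	rm -f "$ALTROOT/var/ldap/ldap_client_cred"
	rm -f "$ALTROOT/var/ldap/ldap_client_file"
	rm -f "$ALTROOT/var/ldap/cachemgr.log"
	# Trickery to twiddle service configs in the altroot
	# This was helpful: http://alexeremin.blogspot.com/2008/12/preparing-small-miniroot-with-zfs-and.html
	ROOTDIR=$ALTROOT
	SVCCFG_DTD=${ROOTDIR}/usr/share/lib/xml/dtd/service_bundle.dtd.1
	SVCCFG_REPOSITORY=${ROOTDIR}/etc/svc/repository.db
	SVCCFG=${ROOTDIR}/usr/sbin/svccfg
	export ROOTDIR SVCCFG_DTD SVCCFG_REPOSITORY SVCCFG
	# NOTE(review): this executes the svccfg binary that lives INSIDE the
	# image being cloned, with this script's privileges (it also rewrites
	# /etc/shadow, so presumably root in the global zone). If the source
	# zone's /usr is writable from within that zone, a tampered svccfg there
	# would run here. Confirm whether the global zone's /usr/sbin/svccfg,
	# pointed at the image via SVCCFG_REPOSITORY, is an acceptable
	# alternative.
	if [[ ! -x "$SVCCFG" ]]; then
		echo "------ $SVCCFG not found or not executable; LDAP client service left as-is" >&2
		return 0
	fi
	# Report rather than swallow a failure: the service would otherwise come
	# up in the clone still pointing at the source zone's directory server.
	$SVCCFG -s "network/ldap/client:default" setprop general/enabled=false || \
	    echo "------ Could not disable network/ldap/client:default in $SVCCFG_REPOSITORY" >&2
	return 0
}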
84
# reset_hosts
#   Replace $ALTROOT/etc/inet/hosts with a stock loopback-only table so no
#   source-zone addresses survive the clone. Does nothing when the image has
#   no hosts file. The new file is staged next to the old one, given mode
#   0644 and moved into place; bombs if that final move fails.
reset_hosts() {
	typeset hosts="$ALTROOT/etc/inet/hosts"
	typeset staged="$hosts.reset"

	[[ -f "$hosts" ]] || return 0
	echo "--- Resetting hosts file"
	cat > "$staged" <<'EOF'
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost loghost
EOF
	# Staged file is created under the umask; pin the mode before it goes live.
	chmod 0644 "$staged"
	mv "$staged" "$hosts" || \
	    bomb "Failed to reset $hosts"
}
121
# reset_init_default
#   Force the TZ= line in $ALTROOT/etc/default/init to UTC, in place. Lines
#   that do not start with "TZ" are untouched, and a file without any TZ line
#   is left as it is (sed only substitutes on matching lines). Bombs if sed
#   fails, e.g. because the file is missing.
reset_init_default() {
	typeset initdefault="$ALTROOT/etc/default/init"

	echo "--- Resetting init defaults"
	$SED -i -e 's/^TZ.*/TZ=UTC/' "$initdefault" || \
	    bomb "Failed to reset TZ in $initdefault"
}
127
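# reset_networking
#   Strip the source zone's network identity from the image: delete the
#   per-interface, routing, naming and netmask files under $ALTROOT/etc and
#   truncate (not delete) every ipadm and dladm persistent config file so
#   the tools still find their files but no addresses or links survive.
#   Bombs if a config file cannot be truncated.
reset_networking() {
	typeset file

	echo "--- Removing network configuration files"
	rm -f "$ALTROOT"/etc/hostname.*
	rm -f "$ALTROOT/etc/defaultdomain"
	rm -f "$ALTROOT/etc/defaultrouter"
	rm -f "$ALTROOT/etc/nodename"
	rm -f "$ALTROOT/etc/resolv.conf"
	rm -f "$ALTROOT/etc/inet/netmasks"
	rm -f "$ALTROOT/etc/inet/static_routes"
	for file in "$ALTROOT"/etc/ipadm/*.conf "$ALTROOT"/etc/dladm/*.conf; do
		# An unmatched glob is left as a literal pattern; -f skips it.
		if [[ -f "$file" ]]; then
			# $file already carries the $ALTROOT prefix; the old message
			# printed "$ALTROOT/$file" and so named a path that does not exist.
			cp /dev/null "$file" || \
			    bomb "Failed to blank $file"
		fi
	done
}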
144
# reset_nsswitch
#   Install a stock files-only nsswitch.conf in the image so the clone does
#   not keep resolving names, users or groups through the source zone's
#   directory service. Staged beside the target, chmod 0644, then moved into
#   place; bombs if the move fails.
reset_nsswitch() {
	typeset nsswitch="$ALTROOT/etc/nsswitch.conf"
	typeset staged="$nsswitch.reset"

	echo "--- Resetting nsswitch.conf"
	cat > "$staged" <<'EOF'
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# /etc/nsswitch.conf:
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd: files
group: files
hosts: files
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
printers: user files

auth_attr: files
prof_attr: files
project: files

tnrhtp: files
tnrhdb: files
EOF
	# Staged file is created under the umask; pin the mode before it goes live.
	chmod 0644 "$staged"
	mv "$staged" "$nsswitch" || \
	    bomb "Failed to reset $nsswitch"
}
207
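# reset_ssh_config
#   Give the clone its own SSH identity and policy:
#     - force "PermitRootLogin no" in $ALTROOT/etc/ssh/sshd_config, adding
#       the directive when the image has none;
#     - retire every ssh_host_*_key(.pub) found in the image and generate
#       fresh RSA (2048-bit) and DSA host keys, plus a fresh key of each
#       other type that was present, so no host key is shared with the
#       source zone.
#   Bombs if sshd_config is missing, cannot be edited, or any key cannot be
#   regenerated.
reset_ssh_config() {
	typeset sshd_config="$ALTROOT/etc/ssh/sshd_config"
	typeset keydir="$ALTROOT/etc/ssh"
	typeset keyfile algo extra_algos=""

	echo "--- Resetting ssh configs"
	echo "------ Resetting PermitRootLogin to no"
	[[ -f "$sshd_config" ]] || bomb "Missing $sshd_config"
	if grep -q '^PermitRootLogin' "$sshd_config"; then
		$SED -i -e 's%^PermitRootLogin.*$%PermitRootLogin no%' "$sshd_config" || \
		    bomb "Failed to update PermitRootLogin in $sshd_config"
	else
		# The substitution above only rewrites an existing, uncommented
		# directive. With none present the clone would run on whatever
		# the daemon's built-in default is, so append one explicitly.
		echo "PermitRootLogin no" >> "$sshd_config" || \
		    bomb "Failed to update PermitRootLogin in $sshd_config"
	fi

	echo "------ Generating new ssh host keys"
	# Retire every host key in the image, not only rsa/dsa: any key left
	# behind is shared by the clone and its source, so either could be
	# impersonated to clients that have pinned it.
	for keyfile in "$keydir"/ssh_host_*_key; do
		[[ -f "$keyfile" ]] || continue
		algo=${keyfile##*/ssh_host_}
		algo=${algo%_key}
		mv "$keyfile" "$keyfile.old" || bomb "Failed to retire $keyfile"
		[[ -f "$keyfile.pub" ]] && mv "$keyfile.pub" "$keyfile.pub.old"
		case "$algo" in
		rsa|dsa) ;;
		*) extra_algos="$extra_algos $algo" ;;
		esac
	done
	/usr/bin/ssh-keygen -q -t rsa -b 2048 -N '' -C root@unknown -f "$keydir/ssh_host_rsa_key" || \
	    bomb "Failed to create new RSA host key $keydir/ssh_host_rsa_key"
	# NOTE(review): DSA host keys are fixed at 1024 bits and recent OpenSSH
	# releases disable them by default; kept because the image's sshd may
	# still list the key -- confirm against its HostKey lines.
	/usr/bin/ssh-keygen -q -t dsa -N '' -C root@unknown -f "$keydir/ssh_host_dsa_key" || \
	    bomb "Failed to create new DSA host key $keydir/ssh_host_dsa_key"
	# Regenerate any other type that was present with the same type, so the
	# HostKey paths in sshd_config keep pointing at a usable, clone-specific
	# key instead of at nothing.
	for algo in $extra_algos; do
		/usr/bin/ssh-keygen -q -t "$algo" -N '' -C root@unknown -f "$keydir/ssh_host_${algo}_key" || \
		    bomb "Failed to create new $algo host key $keydir/ssh_host_${algo}_key"
	done
	rm -f "$keydir"/ssh_host_*.old || \
	    bomb "Failed to remove old key files"
}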
225
# reset_vfstab
#   Replace $ALTROOT/etc/vfstab with the minimal pseudo-filesystem table a
#   zone boots with, discarding any mounts the source zone had added.
#   Staged beside the target, chmod 0644, then moved into place; bombs if
#   the move fails.
reset_vfstab() {
	typeset vfstab="$ALTROOT/etc/vfstab"
	typeset staged="$vfstab.reset"

	echo "--- Resetting vfstab"
	cat > "$staged" <<'EOF'
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
#
/devices - /devices devfs - no -
/proc - /proc proc - no -
ctfs - /system/contract ctfs - no -
objfs - /system/object objfs - no -
sharefs - /etc/dfs/sharetab sharefs - no -
fd - /dev/fd fd - no -
swap - /tmp tmpfs - yes -
EOF
	# Staged file is created under the umask; pin the mode before it goes live.
	chmod 0644 "$staged"
	mv "$staged" "$vfstab" || \
	    bomb "Failed to reset $vfstab"
}
244
# main
#   Run every unconfigure step against $ALTROOT in the same fixed order as
#   before. Each step bombs (exit 1) on its own fatal error, so a failure
#   stops the sequence at that step.
main() {
	reset_hosts
	reset_vfstab
	reset_networking
	reset_init_default
	blank_root_pw
	clear_logs
	disable_ldap
	reset_ssh_config
}

main "$@"