--- doc/install/linux/install.pl 2011/03/21 13:32:44 1.4
+++ doc/install/linux/install.pl 2011/03/23 15:01:34 1.5
@@ -72,7 +72,7 @@ if (!open(LOG,">>loncapa_install.log"))
 &mt('Stopping execution.')."\n";
 exit;
 } else {
- print LOG '$Id: install.pl,v 1.4 2011/03/21 13:32:44 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.5 2011/03/23 15:01:34 raeburn Exp $'."\n";
 }
 #
@@ -316,7 +316,7 @@ sub check_required {
 return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow);
 }
 my ($mysqlon,$mysqlsetup,$dbh,$has_pass,$has_lcdb,%recommended,$downloadstatus,
- $filetouse,$production,$testing);
+ $filetouse,$production,$testing,$apachefw,$tostop);
 my $wwwuid = &uid_of_www();
 my $wwwgid = getgrnam('www');
 if (($wwwuid eq '') || ($wwwgid eq '')) {
@@ -344,8 +344,7 @@ sub check_required {
 $recommended{'mysql'} = 1;
 }
 }
- my $tostop;
- $recommended{'firewall'} = &chkfirewall($distro);
+ ($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
 ($recommended{'runlevels'},$tostop) = &chkconfig($distro);
 $recommended{'apache'} = &chkapache($distro,$instdir);
 $recommended{'stopsrvcs'} = &chksrvcs($distro,$tostop);
@@ -353,7 +352,7 @@ sub check_required {
 = &need_download();
 return ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
 \%recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
- $filetouse,$production,$testing);
+ $filetouse,$production,$testing,$apachefw);
 }
 sub check_mysql_running {
@@ -400,6 +399,7 @@ sub chkconfig {
 my $mysqldaemon ='mysqld';
 my $webserver = 'httpd';
 my $cupsdaemon = 'cups';
+ my $ntpdaemon = 'ntpd';
 my @runlevels = qw/3 4 5/;
 my @norunlevels = qw/0 1 6/;
 if ($distro =~ /^(suse|sles)/) {
@@ -416,6 +416,7 @@ sub chkconfig {
 $checker_bin = '/usr/sbin/sysv-rc-conf';
 $mysqldaemon = 'mysql';
 $webserver = 'apache2';
+ $ntpdaemon = 'ntp';
 }
 if (! -x $checker_bin) {
 print &mt('Could not check runlevel status for MySQL or Apache.')."\n";
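Review bot: The message `print &mt('Could not check runlevel status for MySQL or Apache.')` at the end of this hunk is now stale, because `$ntpdaemon` is added to the services chkconfig() inspects; `'Could not check runlevel status for MySQL, Apache or NTP.'` would describe the new behaviour (it is a context line here, so this is a follow-up rather than part of the diff). The Debian/Ubuntu branch sets `$ntpdaemon = 'ntp'`, but the suse/sles branch that starts just above this hunk is left untouched and keeps the `'ntpd'` default from the earlier hunk; on SuSE the init script is normally named `ntp` as well, so that branch probably needs the same assignment — worth confirming on a SLES host. chkconfig() begins and ends outside these hunks.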
@@ -423,7 +424,7 @@ sub chkconfig {
 }
 my $rlstr = join('',@runlevels);
 my $nrlstr = join('',@norunlevels);
- foreach my $type ('apache','mysql','cups') {
+ foreach my $type ('apache','mysql','ntp','cups') {
 my $service;
 if ($type eq 'apache') {
 $service = $webserver;
@@ -431,6 +432,8 @@ sub chkconfig {
 $service = $mysqldaemon;
 } elsif ($type eq 'cups') {
 $service = $cupsdaemon;
+ } elsif ($type eq 'ntp') {
+ $service = $ntpdaemon;
 }
 my $command = $checker_bin.' --list '.$service;
 my $results = `$command`;
@@ -448,7 +451,7 @@ sub chkconfig {
 for (my $rl=0; $rl<=6; $rl++) {
 if ($results =~ /$rl:on/) { $curr_runlevels{$rl}++; }
 }
- if (($type eq 'apache') || ($type eq 'mysql')) {
+ if (($type eq 'apache') || ($type eq 'mysql') || ($type eq 'ntp')) {
 my $warning;
 foreach my $rl (@runlevels) {
 if (!exists($curr_runlevels{$rl})) {
@@ -464,7 +467,7 @@ sub chkconfig {
 }
 if ($tofix) {
 $needfix{$type} = $tofix;
- }
+ }
 }
 if ($distro =~ /^(suse|sles)([\d\.]+)$/) {
 my $name = $1;
@@ -483,19 +486,20 @@ sub chkconfig {
 }
 sub chkfirewall {
+ my ($distro) = @_;
 my $configfirewall = 1;
 my %ports = (
 http => 80,
 https => 443,
 );
+ my %activefw;
 if (&firewall_is_active()) {
 my $iptables = &get_pathto_iptables();
 if ($iptables eq '') {
 print &mt('Firewall not checked as path to iptables not determined.')."\n";
 } else {
- my @fwchains = &get_fw_chains($iptables);
+ my @fwchains = &get_fw_chains($iptables,$distro);
 if (@fwchains) {
- my %activefw;
 foreach my $service ('http','https') {
 foreach my $fwchain (@fwchains) {
 if (&firewall_is_port_open($iptables,$fwchain,$ports{$service})) {
@@ -514,7 +518,7 @@ sub chkfirewall {
 } else {
 print &mt('Firewall not enabled.')."\n";
 }
- return $configfirewall;
+ return ($configfirewall,\%activefw);
 }
 sub chkapache {
@@ -561,7 +565,6 @@ sub chkapache {
 my $diffres = ;
 close(PIPE);
 chomp($diffres);
- print "Diff is ||$diffres||\n";
 unless ($diffres) {
 $fixapache = 0;
 }
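Review bot: `return ($configfirewall,\%activefw);` changes chkfirewall() from a scalar to a two-element list return, and in scalar context that expression yields its last element, so any caller still written as `$x = &chkfirewall($distro)` would silently receive the hashref instead of the configure flag. The only caller visible in this commit (check_required) is switched to a list assignment, but the sub now deserves a header comment stating the contract, e.g. `# Returns (1 if the firewall still needs configuring, \%activefw keyed by service name for ports found open)` — the keys are presumably set in the inner loop, which runs past the end of this hunk. Hoisting `my %activefw` to sub scope is needed here, because the reference is returned on the "no chains found" and "firewall not enabled" paths as well. chkfirewall() ends outside this hunk.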
@@ -774,7 +777,7 @@ sub firewall_is_active {
 }
 sub get_fw_chains {
- my ($iptables) = @_;
+ my ($iptables,$distro) = @_;
 my @fw_chains;
 my $suse_config = "/etc/sysconfig/SuSEfirewall2";
 my $ubuntu_config = "/etc/ufw/ufw.conf";
@@ -784,6 +787,8 @@ sub get_fw_chains {
 my @posschains;
 if (-e $ubuntu_config) {
 @posschains = ('ufw-user-input','INPUT');
+ } elsif ($distro =~ /^debian5/) {
+ @posschains = ('INPUT');
 } else {
 @posschains = ('RH-Firewall-1-INPUT','INPUT');
 if (!-e '/etc/sysconfig/iptables') {
@@ -978,7 +983,7 @@ print "\n".&mt('Checking system status .
 my $dsn = "DBI:mysql:database=mysql";
 my ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,$recommended,
 $dbh,$has_pass,$has_lcdb,$downloadstatus,$filetouse,$production,
- $testing) = &check_required($instdir,$dsn);
+ $testing,$apachefw) = &check_required($instdir,$dsn);
 if ($distro eq '') {
 print "\n".&mt('Linux distribution could not be verified as a supported distribution.')."\n".
 &mt('The following are supported: [_1].',
@@ -1008,7 +1013,8 @@ if (!$gotprereqs) {
 } else {
 ($distro,$gotprereqs,$packagecmd,$updatecmd,$installnow,
 $recommended,$dbh,$has_pass,$has_lcdb,$downloadstatus,
- $filetouse) = &check_required($instdir,$dsn);
+ $filetouse,$production,$testing,$apachefw) =
+ &check_required($instdir,$dsn);
 }
 } else {
 print &mt('Failed to run command to install LONCAPA-prequisites')."\n";
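Review bot: The new `} elsif ($distro =~ /^debian5/) {` in get_fw_chains() tests the freshly added second parameter, which nothing forces a caller to pass; a caller that still supplies only `$iptables` (none is visible in this commit, but callers outside it cannot be ruled out) would emit an "uninitialized value" warning on every run where no ufw config exists. Guarding the test, `} elsif (defined($distro) && $distro =~ /^debian5/) {`, keeps the old single-argument call working. A one-line comment on why Debian 5 is special-cased to `INPUT` alone would also help the next reader, since the ufw and Red Hat branches each name a vendor chain first. get_fw_chains() continues past this hunk.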
@@ -1166,22 +1172,38 @@ if ($callsub{'runlevels'}) {
 if ($callsub{'firewall'}) {
 if ($distro =~ /^(suse|sles)/) {
- print &mt('Use [_1].','yast')."\n";
- } elsif ($distro =~ /^(debian|ubuntu)/) {
- print &mt('Use [_1].','ufw')."\n";
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'yast -- Security and Users -> Firewall -> Interfaces',
+ 'ssh, http, https')."\n";
+ } elsif ($distro =~ /^(debian|ubuntu)(\d+)/) {
+ if (($1 eq 'ubuntu') || ($2 > 5)) {
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'ufw','ssh, http, https')."\n";
+ } else {
+ my $fwadded = &get_iptables_rules($distro,$instdir,$apachefw);
+ if ($fwadded) {
+ print &mt('Enable firewall? ~[Y/n~]');
+ my $enable_iptables = &get_user_selection(1);
+ if ($enable_iptables) {
+ system('/etc/network/if-pre-up.d/iptables');
+ print &mt('Firewall enabled using rules defined in [_1].',
+ '/etc/iptables.loncapa.rules');
+ }
+ }
+ }
 } else {
- print &mt('Use [_1].','setup')."\n";
+ print &mt('Use [_1] to configure the firewall to allow access for [_2].',
+ 'setup -- Firewall confiuration -> Customize',
+ 'ssh, http, https')."\n";
 }
 } else {
- if ($distro =~ /^(suse|sles)/) {
- &print_and_log(&mt('Skipping Firewall configuration.')."\n");
- }
+ &print_and_log(&mt('Skipping Firewall configuration.')."\n");
 }
 if ($callsub{'stopsrvcs'}) {
 &kill_extra_services($distro,$recommended->{'stopsrvcs'});
 } else {
- &print_and_log(&mt('Skipping stopping unnecessary services ([_1] and [_2] daemons).',"'cups'","'sendmail'")."\n");
+ &print_and_log(&mt('Skipping stopping unnecessary service ([_1] daemon).',"'cups'")."\n");
 }
 my ($have_tarball,$updateshown);
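Review bot: `system('/etc/network/if-pre-up.d/iptables');` in the new Debian branch discards its return value, so the following `Firewall enabled using rules defined in [_1]` message is printed even when the script fails or cannot be executed, leaving the user believing the host is filtered when it is not; the rewrite below tests the exit status and reports a failure instead. That message is also the only print in this block without a trailing `."\n"`. The new `setup` text carries a typo in a user-facing string: `'setup -- Firewall confiuration -> Customize'` should read `'setup -- Firewall configuration -> Customize'`. Finally, `^(debian|ubuntu)(\d+)` now requires a version suffix where the removed pattern did not, so a `$distro` string without digits (if one can occur) would fall through to the Red Hat `setup` advice rather than the `ufw` one.
```perl
                if ($enable_iptables) {
                    if (system('/etc/network/if-pre-up.d/iptables') == 0) {
                        print &mt('Firewall enabled using rules defined in [_1].',
                                  '/etc/iptables.loncapa.rules')."\n";
                    } else {
                        print &mt('Error: [_1] exited with status [_2]; firewall rules were not applied.',
                                  '/etc/network/if-pre-up.d/iptables',$? >> 8)."\n";
                    }
                }
```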
@@ -1345,7 +1367,7 @@ END
 # Install patched pwauth
 print_and_log(&mt('Copying pwauth to [_1]',' /usr/local/sbin')."\n");
 if (copy "$dir/pwauth","/usr/local/sbin/pwauth") {
- if (chmod (06755, "/usr/local/sbin/pwauth")) {
+ if (chmod(06755, "/usr/local/sbin/pwauth")) {
 print_and_log(&mt('[_1] copied successfully',"'pwauth'").
 "\n");
 } else {
@@ -1536,7 +1558,7 @@ sub copy_httpd_conf {
 "'/etc/httpd/conf/httpd.conf'")."\n");
 copy "/etc/httpd/conf/httpd.conf","/etc/httpd/conf/httpd.conf.original";
 copy "$instdir/httpd.conf","/etc/httpd/conf/httpd.conf";
- chmod 0444,"/etc/httpd/conf/httpd.conf";
+ chmod(0444,"/etc/httpd/conf/httpd.conf");
 print_and_log("\n");
 }
@@ -1581,7 +1603,7 @@ sub copy_apache2_suseconf {
 copy "/etc/apache2/default-server.conf","/etc/apache2/default-server.conf.original";
 }
 copy "$instdir/default-server.conf","/etc/apache2/default-server.conf";
- chmod 0444,"/etc/apache2/default-server.conf";
+ chmod(0444,"/etc/apache2/default-server.conf");
 # Make symlink for conf directory (included in loncapa_apache.conf)
 my $can_symlink = (eval { symlink('/etc/apache2','/srv/www/conf'); }, $@ eq '');
 if ($can_symlink) {
@@ -1608,7 +1630,7 @@ sub copy_apache2_conf_files {
 copy "/etc/apache2/uid.conf","/etc/apache2/uid.conf.original";
 }
 copy "$instdir/uid.conf","/etc/apache2/uid.conf";
- chmod 0444,"/etc/apache2/uid.conf";
+ chmod(0444,"/etc/apache2/uid.conf");
 }
 ###############################################
@@ -1623,7 +1645,7 @@ sub copy_sysconfig_apache2_file {
 copy "/etc/sysconfig/apache2","/etc/sysconfig/apache2.original";
 }
 copy "$instdir/sysconfig_apache2","/etc/sysconfig/apache2";
- chmod 0444,"/etc/sysconfig/apache2";
+ chmod(0444,"/etc/sysconfig/apache2");
 }
 ###############################################
@@ -1646,7 +1668,68 @@ sub update_SuSEfirewall2_setup {
 copy "/etc/insserv/overrides/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup.original"
 }
 copy "$instdir/SuSEfirewall2_setup","/etc/insserv/overrides/SuSEfirewall2_setup";
- chmod 0444,"/etc/insserv/overrides/SuSEfirewall2_setup";
+ chmod(0444,"/etc/insserv/overrides/SuSEfirewall2_setup");
+}
+
+sub get_iptables_rules {
+ my ($distro,$instdir,$apachefw) = @_;
+ my (@fwchains,@ports);
+ if (&firewall_is_active()) {
+ my $iptables = &get_pathto_iptables();
+ if ($iptables ne '') {
+ @fwchains = &get_fw_chains($iptables,$distro);
+ }
+ }
+ if (ref($apachefw) eq 'HASH') {
+ foreach my $service ('http','https') {
+ unless ($apachefw->{$service}) {
+ push (@ports,$service);
+ }
+ }
+ } else {
+ @ports = ('http','https');
+ }
+ if (@ports == 0) {
+ return;
+ }
+ my $ask_to_enable;
+ if (-e "/etc/iptables.loncapa.rules") {
+ if (open(PIPE, "diff --brief $instdir/debian/iptables.loncapa.rules /etc/iptables.loncapa.rules |")) {
+ my $diffres = ;
+ close(PIPE);
+ chomp($diffres);
+ if ($diffres) {
+ print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+ }
+ } else {
+ print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/iptables.loncapa.rules')."\n";
+ }
+ } else {
+ if (-e "$instdir/debian/iptables.loncapa.rules") {
+ copy "$instdir/debian/iptables.loncapa.rules","/etc/iptables.loncapa.rules";
+ chmod(0600,"/etc/iptables.loncapa.rules");
+ }
+ }
+ if (-e "/etc/iptables.loncapa.rules") {
+ if (-e "/etc/network/if-pre-up.d/iptables") {
+ if (open(PIPE, "diff --brief $instdir/debian/iptables /etc/network/if-pre-up/iptables |")) {
+ my $diffres = ;
+ close(PIPE);
+ chomp($diffres);
+ if ($diffres) {
+ print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+ }
+ } else {
+ print &mt('Error: unable to open [_1] to compare contents with LON-CAPA 
supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
+ }
+ } else {
+ copy "$instdir/debian/iptables","/etc/network/if-pre-up.d/iptables";
+ chmod(0755,"/etc/network/if-pre-up.d/iptables");
+ print_and_log(&mt('Installed script "[_1]" to add iptables rules to block all ports except 22, 80, and 443 when network is enabled during boot.','/etc/network/if-pre-up.d/iptables'));
+ $ask_to_enable = 1;
+ }
+ }
+ return $ask_to_enable;
 }
 sub download_loncapa {
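Review bot: The comparison of the boot script in get_iptables_rules() runs `diff --brief` against `/etc/network/if-pre-up/iptables`, while the `-e` test two lines earlier and both messages use `/etc/network/if-pre-up.d/iptables`; with the wrong path diff only complains on stderr, `$diffres` stays empty and a locally modified script never produces the warning. Both `open(PIPE, "diff --brief $instdir/... |")` calls also interpolate `$instdir` into a shell command through a two-arg piped open, where the list form with a lexical handle avoids the shell and copes with paths containing spaces — the rewrite below applies it to the script check, and the rules-file check at the top of the sub is the same pattern. `@fwchains` is filled from get_fw_chains() but never read afterwards, and neither `copy` return value is checked, so `Installed script "[_1]" ...` is logged and `$ask_to_enable = 1` is set even when the copy failed. As rendered here `my $diffres = ;` has no readline operator, presumably `<PIPE>` lost by the viewer, but the committed file is worth a look. A header comment stating what the sub returns (true only when the boot script was newly installed, nothing otherwise) would also help, since the caller uses that value to decide whether to prompt.
```perl
    if (-e "/etc/iptables.loncapa.rules") {
        if (-e "/etc/network/if-pre-up.d/iptables") {
            if (open(my $pipe, '-|', 'diff', '--brief',
                     "$instdir/debian/iptables", '/etc/network/if-pre-up.d/iptables')) {
                my $diffres = <$pipe>;
                close($pipe);
                chomp($diffres) if defined($diffres);
                if ($diffres) {
                    print &mt('Warning: [_1] exists but differs from LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
                }
            } else {
                print &mt('Error: unable to open [_1] to compare contents with LON-CAPA supplied file.','/etc/network/if-pre-up.d/iptables')."\n";
            }
        } else {
            if (copy("$instdir/debian/iptables","/etc/network/if-pre-up.d/iptables")) {
                chmod(0755,"/etc/network/if-pre-up.d/iptables");
                print_and_log(&mt('Installed script "[_1]" to add iptables rules to block all ports except 22, 80, and 443 when network is enabled during boot.','/etc/network/if-pre-up.d/iptables'));
                $ask_to_enable = 1;
            } else {
                print &mt('Error: unable to copy [_1] to [_2].',"$instdir/debian/iptables",'/etc/network/if-pre-up.d/iptables')."\n";
            }
        }
    }
    return $ask_to_enable;
```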