mirror of
https://github.com/FirebirdSQL/firebird.git
synced 2025-01-24 10:43:03 +01:00
384 lines
9.6 KiB
Bash
384 lines
9.6 KiB
Bash
#! /bin/sh
|
|
|
|
|
|
#------------------------------------------------------------------------
|
|
# Prompt for response, store result in Answer
|
|
|
|
Answer=""
|
|
|
|
AskQuestion() {
|
|
Test=$1
|
|
DefaultAns=$2
|
|
echo -n "${1}"
|
|
Answer="$DefaultAns"
|
|
read Answer
|
|
}
|
|
|
|
#------------------------------------------------------------------------
|
|
# add a service line in the (usually) /etc/services or /etc/inetd.conf file
|
|
# Here there are three cases, not found => add service line,
|
|
# found & different => ask user to check
|
|
# found & same => do nothing
|
|
#
|
|
|
|
replaceLineInFile() {
|
|
FileName=$1
|
|
newLine=$2
|
|
oldLine=$3
|
|
|
|
if [ -z "$oldLine" ]
|
|
then
|
|
echo "$newLine" >> $FileName
|
|
|
|
elif [ "$oldLine" != "$newLine" ]
|
|
then
|
|
echo ""
|
|
echo "--- Warning ----------------------------------------------"
|
|
echo ""
|
|
echo " In file $FileName found line: "
|
|
echo " $oldLine"
|
|
echo " Which differs from the expected line:"
|
|
echo " $newLine"
|
|
echo ""
|
|
|
|
# AskQuestion "Press return to update file or ^C to abort install"
|
|
|
|
cat $FileName | grep -v "$oldLine" > ${FileName}.tmp
|
|
mv ${FileName}.tmp $FileName
|
|
echo "$newLine" >> $FileName
|
|
echo "Updated."
|
|
|
|
fi
|
|
}
|
|
|
|
#------------------------------------------------------------------------
|
|
# remove line from config file if it exists in it.
|
|
|
|
removeLineFromFile() {
|
|
FileName=$1
|
|
oldLine=$2
|
|
|
|
if [ -f $FileName ]
|
|
then
|
|
if [ ! -z "$oldLine" ]
|
|
then
|
|
cat $FileName | grep -v "$oldLine" > ${FileName}.tmp
|
|
mv ${FileName}.tmp $FileName
|
|
echo "Updated."
|
|
fi
|
|
fi
|
|
}
|
|
|
|
|
|
|
|
#------------------------------------------------------------------------
|
|
# changeInitPassword
|
|
|
|
|
|
changeInitPassword() {
|
|
|
|
NewPasswd=$1
|
|
|
|
InitFile=/etc/rc.d/init.d/firebird
|
|
if [ -f $InitFile ]
|
|
then
|
|
ed $InitFile <<EOF
|
|
/ISC_PASSWORD/s/ISC_PASSWORD:=.*\}/ISC_PASSWORD:=$NewPasswd\}/g
|
|
w
|
|
q
|
|
EOF
|
|
chmod u=rwx,g=rx,o= $InitFile
|
|
|
|
fi
|
|
}
|
|
|
|
#------------------------------------------------------------------------
|
|
# Unable to generate the password for the rpm, so put out a message
|
|
# instead
|
|
|
|
|
|
keepOrigDBAPassword() {
|
|
|
|
NewPasswd='masterkey'
|
|
echo "Firebird initial install password " > $DBAPasswordFile
|
|
echo "for user SYSDBA is : $NewPasswd" >> $DBAPasswordFile
|
|
|
|
echo "for install on `hostname` at time `date`" >> $DBAPasswordFile
|
|
echo "You should change this password at the earliest oportunity" >> $DBAPasswordFile
|
|
echo ""
|
|
|
|
echo "(For superserver you will also want to check the password in the" >> $DBAPasswordFile
|
|
echo "daemon init routine in the file /etc/rc.d/init.d/firebird)" >> $DBAPasswordFile
|
|
echo "" >> $DBAPasswordFile
|
|
echo "Your should password can be changed to a more suitable one using the" >> $DBAPasswordFile
|
|
echo "/usr/local/firebird/bin/gsec program as show below:" >> $DBAPasswordFile
|
|
echo "" >> $DBAPasswordFile
|
|
echo ">cd /usr/local/firebird" >> $DBAPasswordFile
|
|
echo ">bin/gsec -user sysdba -password <password>" >> $DBAPasswordFile
|
|
echo "GSEC>modify sysdba -pw <newpassword>" >> $DBAPasswordFile
|
|
echo "GSEC>quit" >> $DBAPasswordFile
|
|
|
|
chmod u=r,go= $DBAPasswordFile
|
|
|
|
}
|
|
|
|
#------------------------------------------------------------------------
|
|
# Generate new sysdba password
|
|
|
|
generateNewDBAPassword() {
|
|
|
|
# openssl generates random data.
|
|
if [ -f /usr/bin/openssl ]
|
|
then
|
|
NewPasswd=`openssl rand -base64 10 | cut -c1-8`
|
|
fi
|
|
|
|
# mkpasswd is a bit of a hassle, but check to see if it's there
|
|
if [ -z "$NewPasswd" ]
|
|
then
|
|
if [ -f /usr/bin/mkpasswd ]
|
|
then
|
|
NewPasswd=`/usr/bin/mkpasswd -l 8`
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$NewPasswd" ]
|
|
then
|
|
keepOrigDBAPassword
|
|
return
|
|
fi
|
|
|
|
NewPasswd=`echo $NewPasswd | awk '{ for(i=1; i<=8; i++) {x = substr($1, i, 1); if (x == "/") x = "_"; printf "%c", x }; print ""}'`
|
|
|
|
echo "Firebird generated password " > $DBAPasswordFile
|
|
echo "for user SYSDBA is : $NewPasswd" >> $DBAPasswordFile
|
|
echo "generated on `hostname` at time `date`" >> $DBAPasswordFile
|
|
echo "(For superserver you will also want to check the password in the" >> $DBAPasswordFile
|
|
echo "daemon init routine in the file /etc/rc.d/init.d/firebird)" >> $DBAPasswordFile
|
|
echo "" >> $DBAPasswordFile
|
|
echo "Your password can be changed to a more suitable one using the" >> $DBAPasswordFile
|
|
echo "@prefix@/bin/changeDBAPassword.sh script" >> $DBAPasswordFile
|
|
echo "" >> $DBAPasswordFile
|
|
chmod u=r,go= $DBAPasswordFile
|
|
|
|
echo ""
|
|
echo Running gsec to modify SYSDBA password
|
|
$IBBin/gsec -user sysdba -password masterkey <<EOF
|
|
modify sysdba -pw $NewPasswd
|
|
EOF
|
|
echo ""
|
|
echo Running ed to modify /etc/init.d/firebird
|
|
|
|
changeInitPassword "$NewPasswd"
|
|
}
|
|
|
|
|
|
|
|
#------------------------------------------------------------------------
|
|
# Change sysdba password - this routine is interactive and is only
|
|
# used in the install shell script not the rpm one.
|
|
|
|
|
|
askUserForNewDBAPassword() {
|
|
|
|
NewPasswd=""
|
|
|
|
echo ""
|
|
while [ -z "$NewPasswd" ]
|
|
do
|
|
AskQuestion "Please enter new password for SYSDBA user: "
|
|
NewPasswd=$Answer
|
|
if [ ! -z "$NewPasswd" ]
|
|
then
|
|
$IBBin/gsec -user sysdba -password masterkey <<EOF
|
|
modify sysdba -pw $NewPasswd
|
|
EOF
|
|
echo ""
|
|
|
|
changeInitPassword "$NewPasswd"
|
|
|
|
fi
|
|
|
|
done
|
|
}
|
|
|
|
|
|
#------------------------------------------------------------------------
|
|
# Change sysdba password - this routine is interactive and is only
|
|
# used in the install shell script not the rpm one.
|
|
|
|
# On some systems the mkpasswd program doesn't appear and on others
|
|
# there is another mkpasswd which does a different operation. So if
|
|
# the specific one isn't available then keep the original password.
|
|
|
|
|
|
changeDBAPassword() {
|
|
|
|
if [ -z "$InteractiveInstall" ]
|
|
then
|
|
generateNewDBAPassword
|
|
else
|
|
askUserForNewDBAPassword
|
|
fi
|
|
}
|
|
|
|
#------------------------------------------------------------------------
|
|
# For security reasons most files in firebird installation are
|
|
# root-owned and world-readable(executable) only (including firebird).
|
|
|
|
# For some files RunUser (firebird) must have write access -
|
|
# lock and log are such.
|
|
|
|
|
|
MakeFileFirebirdWritable() {
|
|
FileName=$1
|
|
chown $RunUser.$RunUser $FileName
|
|
chmod 0644 $FileName
|
|
}
|
|
|
|
|
|
#------------------------------------------------------------------------
|
|
# Add new user and group
|
|
|
|
|
|
addFirebirdUser() {
|
|
|
|
testStr=`grep firebird /etc/group`
|
|
|
|
if [ -z "$testStr" ]
|
|
then
|
|
groupadd -g 84 -o -r firebird
|
|
fi
|
|
|
|
testStr=`grep firebird /etc/passwd`
|
|
if [ -z "$testStr" ]
|
|
then
|
|
useradd -o -r -M -d $IBRootDir -s /bin/false \
|
|
-c "Firebird Database Administrator" -g firebird -u 84 firebird
|
|
|
|
# >/dev/null 2>&1
|
|
fi
|
|
}
|
|
|
|
|
|
#= Main Post ===============================================================
|
|
|
|
# Make sure the links are in place
|
|
if [ ! -L /usr/local/firebird -a ! -d /usr/local/firebird ]
|
|
then
|
|
# Main link and...
|
|
ln -s $RPM_INSTALL_PREFIX/interbase /usr/local/firebird
|
|
fi
|
|
|
|
|
|
IBRootDir=/usr/local/firebird
|
|
export IBRootDir
|
|
IBBin=$IBRootDir/bin
|
|
export IBBin
|
|
# RunUser=root
|
|
RunUser=firebird
|
|
export RunUser
|
|
DBAPasswordFile=$IBRootDir/SYSDBA.password
|
|
export DBAPasswordFile
|
|
|
|
|
|
# Update /etc/services
|
|
FileName=/etc/services
|
|
newLine="gds_db 3050/tcp # InterBase Database Remote Protocol"
|
|
oldLine=`grep "^gds_db" $FileName`
|
|
|
|
replaceLineInFile "$FileName" "$newLine" "$oldLine"
|
|
|
|
|
|
|
|
|
|
# remove any gds_db line in the /etc/inetd.conf
|
|
FileName=/etc/inetd.conf
|
|
if [ -f $FileName ]
|
|
then
|
|
oldLine=`grep "^gds_db" $FileName`
|
|
|
|
removeLineFromFile "$FileName" "$oldLine"
|
|
fi
|
|
|
|
|
|
# Get inetd to reread new init files.
|
|
|
|
if [ -f /var/run/inetd.pid ]
|
|
then
|
|
kill -HUP `cat /var/run/inetd.pid`
|
|
fi
|
|
|
|
|
|
# Update ownership of files
|
|
if [ $RunUser = firebird ]
|
|
then
|
|
# Prepare firebird user
|
|
addFirebirdUser
|
|
fi
|
|
|
|
# For security reasons initially force all root:root non-writable
|
|
chown -R root.root $IBRootDir
|
|
chmod -R uga-w $IBRootDir
|
|
|
|
# Prepare bin
|
|
cd $IBBin
|
|
|
|
# Create the fbmgr shell script.
|
|
cat > fbmgr <<EOF
|
|
#!/bin/sh
|
|
INTERBASE=$IBRootDir
|
|
export INTERBASE
|
|
exec \$INTERBASE/bin/fbmgr.bin \$@
|
|
EOF
|
|
|
|
# Everyone may execute clients
|
|
chmod 0555 *
|
|
|
|
# Shell scripts changing security attributes are for root only
|
|
chmod 0500 *.sh
|
|
|
|
# These two should only be executed by firebird user.
|
|
#fbservices=fbguard fbserver
|
|
#chown $RunUser.$RunUser $fbservices
|
|
#chmod 0544 $fbservices
|
|
|
|
|
|
# Lock files
|
|
|
|
cd $IBRootDir
|
|
|
|
for i in isc_init1 isc_lock1 isc_event1 isc_guard1
|
|
do
|
|
FileName=$i.`hostname`
|
|
touch $FileName
|
|
MakeFileFirebirdWritable $FileName
|
|
done
|
|
|
|
touch firebird.log
|
|
MakeFileFirebirdWritable firebird.log
|
|
|
|
# Security database
|
|
# Nobody besides firebird permitted to even read this file
|
|
chown $RunUser.$RunUser security.fdb
|
|
chmod 0600 security.fdb
|
|
|
|
# make examples writable by firebird
|
|
for i in examples/*.fdb
|
|
do
|
|
MakeFileFirebirdWritable $i
|
|
done
|
|
|
|
|
|
# prepair to chkconfig ...
|
|
chmod ug+rx,o= /etc/rc.d/init.d/firebird
|
|
|
|
# This will start it at runlevel defined within the firebird file itself.
|
|
/sbin/chkconfig --add firebird
|
|
|
|
# start the db server so we can change the password
|
|
(cd /etc/rc.d/init.d; ./firebird start; sleep 1)
|
|
|
|
# Change sysdba password
|
|
changeDBAPassword
|