Attachment #7456 for bug #39700





		# Don't change it on a configured system
		if [ ! -e /var/univention-join/joined ]; then
			/usr/sbin/univention-system-activation restrict-root
			ucr set --force auth/gdm/user/root=no \
							auth/kdm/user/root=no \
							auth/login/user/root=no \
							auth/other/user/root=no \
							auth/sshd/user/root=no

			# disallow su
			ucr set --force auth/su/restrict=yes \
							auth/su/user/root=no
		fi
		;;


Lines 1-5 Link Here

(-)debian/univention-system-activation.install (-1 / +1 lines)
1	scripts/univention-system-activation usr/sbin	1	scripts/univention-system-activation usr/sbin
2	src/* usr/share/pyshared/univention/system_activation	2	src/* usr/share/pyshared/univention/system_activation
3	www usr/share/univention-system-activation	3	www usr/share/univention-system-activation
4	conffiles/etc/sudoers.d/univention-system-activation etc/sudoers.d	4	conffiles/etc/sudoers.d/univention-system-activation etc/sudoers.d
5	conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation usr/lib/univention-system-setup/appliance-hooks.d	5	conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation usr/lib/univention-system-setup/appliance-hooks.d




# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.

function allow_root_login() {
	ucr unset --force auth/gdm/user/root \
		auth/kdm/user/root \
		auth/login/user/root \
		auth/other/user/root \
		auth/sshd/user/root

	# reset su restrictions
	ucr unset --force auth/su/restrict \
		auth/su/user/root

	# set to the default values, these values are not set
	# during the pam installation, because they were set
	# in the force layer
	ucr set auth/gdm/user/root?yes \
		auth/kdm/user/root?yes \
		auth/login/user/root?yes \
		auth/other/user/root?yes \
		auth/sshd/user/root?yes
}

function restrict_root_login() {
	# disallow root login
	ucr set --force auth/gdm/user/root=no \
		auth/kdm/user/root=no \
		auth/login/user/root=no \
		auth/other/user/root=no \
		auth/sshd/user/root=no

	# disallow su
	ucr set --force auth/su/restrict=yes \
		auth/su/user/root=no
}

if [ $# -eq 0 -o "$1" = "-h" -o "$1" = "--help" ]; then
	echo
	echo "When started, deactivates all access to the UCS and enforces the"

	# disable sites
	a2dissite ${active_sites[@]}

	restrict_root_login

	# enable system activation site configuration and reload apache
	a2ensite univention-system-activation
	/etc/init.d/apache2 reload

	# unset previously stored sites
	ucr unset apache2/system_activation/sites

	allow_root_login
	ucr unset --force auth/gdm/user/root \
					auth/kdm/user/root \
					auth/login/user/root \
					auth/other/user/root \
					auth/sshd/user/root

	# reset su restrictions
	ucr unset --force auth/su/restrict \
					auth/su/user/root

	# set to the default values, these values are not set
	# during the pam installation, because they were set
	# in the force layer
	ucr set auth/gdm/user/root?yes \
				auth/kdm/user/root?yes \
				auth/login/user/root?yes \
				auth/other/user/root?yes \
				auth/sshd/user/root?yes

	# apache reload as last step
	/etc/init.d/apache2 reload
elif [ "$ACTION" == "allow-root" ]; then
	allow_root_login
elif [ "$ACTION" == "restrict-root" ]; then
	restrict_root_login
else
	echo
	echo "ERROR: Unknown action given"
	echo
	exit 1
fi


Lines 33-40 Link Here

(-)conffiles/usr/lib/univention-system-setup/appliance-hooks.d/96_enable_system_activation (-2 / +9 lines)
33	/usr/bin/univention-ldapsearch -LLL '(&(objectClass=univentionLicense)(univentionLicenseKeyID=*))' dn \| grep -q 'dn:'	33	/usr/bin/univention-ldapsearch -LLL '(&(objectClass=univentionLicense)(univentionLicenseKeyID=*))' dn \| grep -q 'dn:'
34	}	34	}
35		35
36	if ! has_activated_license; then	36	role="$(ucr get server/role)"
		37	if [ "$role" == "domaincontroller_master" ]; then
37	/usr/sbin/univention-system-activation start	38	/usr/sbin/univention-system-activation start
		39	elif has_activated_license; then
		40	# Installing an App Appliance as non DC Master without activated license in the domain
		41	# is restricted by system-setup and not handled here
		42
		43	# lift root restrictions set by univention-system-activation.postinst on non DC Master
		44	# roles because system-activation is not started there
		45	/usr/sbin/univention-system-activation allow-root
38	fi	46	fi
39
40	exit 0	47	exit 0

Return to bug 39700

Lines 39-54 Link Here

(-)debian/univention-system-activation.postinst (-10 / +1 lines)
39		39
40	# Don't change it on a configured system	40	# Don't change it on a configured system
41	if [ ! -e /var/univention-join/joined ]; then	41	if [ ! -e /var/univention-join/joined ]; then
42	# disallow root login	42	/usr/sbin/univention-system-activation restrict-root
43	ucr set --force auth/gdm/user/root=no \
44	auth/kdm/user/root=no \
45	auth/login/user/root=no \
46	auth/other/user/root=no \
47	auth/sshd/user/root=no
48
49	# disallow su
50	ucr set --force auth/su/restrict=yes \
51	auth/su/user/root=no
52	fi	43	fi
53	;;	44	;;
54		45

Lines 29-34 Link Here

(-)scripts/univention-system-activation (-20 / +41 lines)
29	# /usr/share/common-licenses/AGPL-3; if not, see	29	# /usr/share/common-licenses/AGPL-3; if not, see
30	# <http://www.gnu.org/licenses/>.	30	# <http://www.gnu.org/licenses/>.
31		31
		32	function allow_root_login() {
		33	ucr unset --force auth/gdm/user/root \
		34	auth/kdm/user/root \
		35	auth/login/user/root \
		36	auth/other/user/root \
		37	auth/sshd/user/root
		38
		39	# reset su restrictions
		40	ucr unset --force auth/su/restrict \
		41	auth/su/user/root
		42
		43	# set to the default values, these values are not set
		44	# during the pam installation, because they were set
		45	# in the force layer
		46	ucr set auth/gdm/user/root?yes \
		47	auth/kdm/user/root?yes \
		48	auth/login/user/root?yes \
		49	auth/other/user/root?yes \
		50	auth/sshd/user/root?yes
		51	}
		52
		53	function restrict_root_login() {
		54	# disallow root login
		55	ucr set --force auth/gdm/user/root=no \
		56	auth/kdm/user/root=no \
		57	auth/login/user/root=no \
		58	auth/other/user/root=no \
		59	auth/sshd/user/root=no
		60
		61	# disallow su
		62	ucr set --force auth/su/restrict=yes \
		63	auth/su/user/root=no
		64	}
		65
32	if [ $# -eq 0 -o "$1" = "-h" -o "$1" = "--help" ]; then	66	if [ $# -eq 0 -o "$1" = "-h" -o "$1" = "--help" ]; then
33	echo	67	echo
34	echo "When started, deactivates all access to the UCS and enforces the"	68	echo "When started, deactivates all access to the UCS and enforces the"
Lines 62-67 Link Here
62	# disable sites	96	# disable sites
63	a2dissite ${active_sites[@]}	97	a2dissite ${active_sites[@]}
64		98
		99	restrict_root_login
		100
65	# enable system activation site configuration and reload apache	101	# enable system activation site configuration and reload apache
66	a2ensite univention-system-activation	102	a2ensite univention-system-activation
67	/etc/init.d/apache2 reload	103	/etc/init.d/apache2 reload
Lines 84-115 Link Here
84	# unset previously stored sites	120	# unset previously stored sites
85	ucr unset apache2/system_activation/sites	121	ucr unset apache2/system_activation/sites
86		122
87	# allow root login again	123	allow_root_login
88	ucr unset --force auth/gdm/user/root \
89	auth/kdm/user/root \
90	auth/login/user/root \
91	auth/other/user/root \
92	auth/sshd/user/root
93		124
94	# reset su restrictions
95	ucr unset --force auth/su/restrict \
96	auth/su/user/root
97
98	# set to the default values, these values are not set
99	# during the pam installation, because they were set
100	# in the force layer
101	ucr set auth/gdm/user/root?yes \
102	auth/kdm/user/root?yes \
103	auth/login/user/root?yes \
104	auth/other/user/root?yes \
105	auth/sshd/user/root?yes
106
107	# apache reload as last step	125	# apache reload as last step
108	/etc/init.d/apache2 reload	126	/etc/init.d/apache2 reload
		127	elif [ "$ACTION" == "allow-root" ]; then
		128	allow_root_login
		129	elif [ "$ACTION" == "restrict-root" ]; then
		130	restrict_root_login
109	else	131	else
110	echo	132	echo
111	echo "ERROR: Unknown action given"	133	echo "ERROR: Unknown action given"
112	echo	134	echo
113	exit 1	135	exit 1
114	fi	136	fi
115