authorjjj <none@none>2006-06-01 17:01:11 -0700
committerjjj <none@none>2006-06-01 17:01:11 -0700
commit0ea5e3a571e3da934507bdd32924d11659c70704 (patch)
treeba35ba32eeb100c1272139f7cfcc462bdc77e3a4 /usr/src/cmd/svc
parentf4646a6c4cd95d2c0e0e22ab5aaf71e77cc8b2b3 (diff)
PSARC 2004/368 Secure By Default
4875624 *syslogd* turn off UDP listener by default 5004374 Ship with remote services disabled by default 5016956 By default rpcbind should not listen for remote requests 5016975 By default snmpd/dx should not be enabled. 5016998 By default inetd should not listen for remote connections. 5017041 By default sendmail should not listen for remote connections 5046450 Create a greenline profile for Secure by Default installation 6267741 RFE: One-touch knob for outbound-only sendmail 6414308 syslogd could use some lint soap
Diffstat (limited to 'usr/src/cmd/svc')
-rw-r--r--usr/src/cmd/svc/profile/Makefile2
-rw-r--r--usr/src/cmd/svc/profile/generic_limited_net.xml153
-rw-r--r--usr/src/cmd/svc/profile/generic_open.xml70
-rw-r--r--usr/src/cmd/svc/profile/inetd_generic.xml45
-rw-r--r--usr/src/cmd/svc/seed/Makefile24
-rw-r--r--usr/src/cmd/svc/shell/Makefile20
-rw-r--r--usr/src/cmd/svc/shell/netservices.sh312
7 files changed, 510 insertions, 116 deletions
diff --git a/usr/src/cmd/svc/profile/Makefile b/usr/src/cmd/svc/profile/Makefile
index 1c86ca7681..4ceafed84e 100644
--- a/usr/src/cmd/svc/profile/Makefile
+++ b/usr/src/cmd/svc/profile/Makefile
@@ -55,8 +55,6 @@ PROFILESRCS = \
PROFILES = $(PROFILESRCS:%=$(ROOTPROFILE)/%)
install: $(PROFILES)
- $(RM) $(ROOTPROFILE)/generic.xml
- $(LN) -s generic_open.xml $(ROOTPROFILE)/generic.xml
$(RM) $(ROOTPROFILE)/platform.xml
# SUNW,Sun-Fire-V890
$(RM) $(ROOTPROFILE)/platform_SUNW,Sun-Fire-V890.xml
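Review bot: With the `$(RM)`/`$(LN)` pair removed, nothing left in this install target provides `$(ROOTPROFILE)/generic.xml`, so a freshly built proto area has no default profile link unless something outside this Makefile creates it. In this commit the new netservices.sh creates the link at run time with `ln -sf ./$profile /var/svc/profile/generic.xml`, but that only happens when an administrator runs the script, so the initial link presumably comes from packaging or the installer — I cannot see that from here. A one-line comment would save the next reader the search: `# generic.xml is no longer linked here; the netservices script selects the profile at run time`. The install recipe continues past the end of the hunk.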
diff --git a/usr/src/cmd/svc/profile/generic_limited_net.xml b/usr/src/cmd/svc/profile/generic_limited_net.xml
index faa6b56d05..509d46b4c7 100644
--- a/usr/src/cmd/svc/profile/generic_limited_net.xml
+++ b/usr/src/cmd/svc/profile/generic_limited_net.xml
@@ -1,37 +1,35 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
- The purpose of the limited_net profile is to provide a set of active
- services that allow one to connect to the machine via ssh (requires
- sshd,) to be authenticated (requires rpc,) and to access network
- filesystems (requires nfs.) The services which are deactivated here
- are those that are at odds with this goal. Those which are activated
- are explicit requirements for the goal's satisfaction.
+ The purpose of the limited_net profile is to provide a set of
+ active services that allow one to connect to the machine via ssh
+ (requires sshd). The services which are deactivated here are those
+ that are at odds with this goal. Those which are activated are
+ explicit requirements for the goal's satisfaction.
NOTE: Service profiles delivered by this package are not editable,
and their contents will be overwritten by package or patch
@@ -93,20 +91,27 @@
<instance name='default' enabled='true'/>
</service>
<service name='network/nfs/status' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
</service>
<service name='network/nfs/nlockmgr' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
</service>
<service name='network/nfs/client' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
</service>
<service name='network/nfs/server' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
</service>
<service name='network/nfs/rquota' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
+ </service>
+ <service name='network/nfs/cbd' version='1' type='service'>
+ <instance name='default' enabled='false'/>
</service>
+ <service name='network/nfs/mapid' version='1' type='service'>
+ <instance name='default' enabled='false'/>
+ </service>
+
<service name='network/ssh' version='1' type='service'>
<instance name='default' enabled='true'/>
</service>
@@ -132,9 +137,6 @@
<instance name='default' enabled='true' />
</service>
- <!--
- non-default svc.startd(1M) services disabled
- -->
<service name='network/dhcp-server' version='1' type='service'>
<instance name='default' enabled='false' />
</service>
@@ -157,8 +159,27 @@
<instance name='default' enabled='false' />
</service>
+ <service name='application/management/sma' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+ <service name='application/management/seaport' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+ <service name='application/management/snmpdx' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+ <service name='application/management/wbem' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+ <service name='application/print/rfc1179' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='application/print/ipp-listener' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+
<!--
- default inetd(1M) services disabled
+ default inetd(1M) services
-->
<service name='network/finger' version='1' type='service'>
<instance name='default' enabled='false'/>
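Review bot: `application/print/rfc1179` is the one service in this block that stays `enabled='true'` in the limited profile, and nothing in the file says why that is acceptable; the new netservices.sh in this commit rebinds it to `localhost` through `inetadm -m ... bind_addr=`, so the profile by itself does not make the listener loopback-only. The same dependency exists for `network/rpc/cde-calendar-manager`, enabled in the final hunk of this file, which the script switches to the `ticlts` transport. Recording that next to each entry keeps the two mechanisms from drifting apart, e.g. `<!-- kept enabled; netservices binds it to localhost in limited mode -->`.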
@@ -167,26 +188,20 @@
<instance name='default' enabled='false'/>
</service>
<service name='network/login' version='1' type='service'>
- <instance name='rlogin' enabled='false'/>
- <!--
- non-default inetd(1M) instances disabled
- -->
- <instance name='klogin' enabled='false'/>
+ <instance name='rlogin' enabled='false'/>
+ <instance name='klogin' enabled='false'/>
<instance name='eklogin' enabled='false'/>
</service>
<service name='network/shell' version='1' type='service'>
<instance name='default' enabled='false'/>
- <!--
- non-default inetd(1M) instance disabled
- -->
- <instance name='kshell' enabled='false'/>
+ <instance name='kshell' enabled='false'/>
</service>
<service name='network/telnet' version='1' type='service'>
<instance name='default' enabled='false'/>
</service>
<!--
- non-default inetd(1M) services disabled
+ non-default inetd(1M) services
-->
<service name='network/tname' version='1' type='service'>
<instance name='default' enabled='false'/>
@@ -223,6 +238,9 @@
<service name='network/talk' version='1' type='service'>
<instance name='default' enabled='false'/>
</service>
+ <service name='application/x11/xfs' version='1' type='service'>
+ <instance name='default' enabled='false'/>
+ </service>
<!--
default inetd(1M) RPC services enabled
@@ -231,16 +249,7 @@
<instance name='default' enabled='true'/>
</service>
<service name='network/rpc/mdcomm' version='1' type='service'>
- <instance name='default' enabled='true'/>
- </service>
- <service name='network/rpc/meta' version='1' type='service'>
- <instance name='default' enabled='true'/>
- </service>
- <service name='network/rpc/metamed' version='1' type='service'>
- <instance name='default' enabled='true'/>
- </service>
- <service name='network/rpc/metamh' version='1' type='service'>
- <instance name='default' enabled='true'/>
+ <instance name='default' enabled='false'/>
</service>
<service name='network/rpc/smserver' version='1' type='service'>
<instance name='default' enabled='true'/>
@@ -258,6 +267,15 @@
<service name='network/rpc/rusers' version='1' type='service'>
<instance name='default' enabled='false'/>
</service>
+ <service name='network/rpc/meta' version='1' type='service'>
+ <instance name='default' enabled='false'/>
+ </service>
+ <service name='network/rpc/metamed' version='1' type='service'>
+ <instance name='default' enabled='false'/>
+ </service>
+ <service name='network/rpc/metamh' version='1' type='service'>
+ <instance name='default' enabled='false'/>
+ </service>
<!--
non-default inetd(1M) RPC services disabled
@@ -275,4 +293,25 @@
<instance name='default' enabled='false'/>
</service>
+ <!--
+ Enable CDE services.
+ -->
+ <service name='application/cde-printinfo' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='application/graphical-login/cde-login' version='1'
+ type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='network/rpc/cde-calendar-manager' version='1' type='service'>
+ <instance name='default' enabled='true'/>
+ </service>
+
+ <!--
+ Disabled CDE services.
+ -->
+ <service name='network/cde-spc' version='1' type='service'>
+ <instance name='default' enabled='false' />
+ </service>
+
</service_bundle>
diff --git a/usr/src/cmd/svc/profile/generic_open.xml b/usr/src/cmd/svc/profile/generic_open.xml
index d2b826648b..cbd9df9c0f 100644
--- a/usr/src/cmd/svc/profile/generic_open.xml
+++ b/usr/src/cmd/svc/profile/generic_open.xml
@@ -1,28 +1,27 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -100,6 +99,12 @@
<service name='network/nfs/server' version='1' type='service'>
<instance name='default' enabled='true'/>
</service>
+ <service name='network/nfs/cbd' version='1' type='service'>
+ <instance name='default' enabled='true'/>
+ </service>
+ <service name='network/nfs/mapid' version='1' type='service'>
+ <instance name='default' enabled='true'/>
+ </service>
<service name='network/ssh' version='1' type='service'>
<instance name='default' enabled='true'/>
</service>
@@ -122,6 +127,23 @@
<instance name='default' enabled='true' />
</service>
+ <service name='application/management/sma' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='application/management/seaport' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='application/management/snmpdx' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+ <service name='application/management/wbem' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+
+ <service name='application/print/ipp-listener' version='1' type='service'>
+ <instance name='default' enabled='true' />
+ </service>
+
<!--
Enable CDE services.
-->
@@ -133,6 +155,10 @@
<instance name='default' enabled='true' />
</service>
+ <service name='application/x11/xfs' version='1' type='service'>
+ <instance name='default' enabled='true'/>
+ </service>
+
<!--
Include inetd(1M) services profile.
-->
diff --git a/usr/src/cmd/svc/profile/inetd_generic.xml b/usr/src/cmd/svc/profile/inetd_generic.xml
index c667c3d3f5..b5ecbb85be 100644
--- a/usr/src/cmd/svc/profile/inetd_generic.xml
+++ b/usr/src/cmd/svc/profile/inetd_generic.xml
@@ -1,28 +1,27 @@
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
- Copyright 2005 Sun Microsystems, Inc. All rights reserved.
- Use is subject to license terms.
-
- CDDL HEADER START
-
- The contents of this file are subject to the terms of the
- Common Development and Distribution License, Version 1.0 only
- (the "License"). You may not use this file except in compliance
- with the License.
-
- You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
- or http://www.opensolaris.org/os/licensing.
- See the License for the specific language governing permissions
- and limitations under the License.
-
- When distributing Covered Code, include this CDDL HEADER in each
- file and include the License file at usr/src/OPENSOLARIS.LICENSE.
- If applicable, add the following below this CDDL HEADER, with the
- fields enclosed by brackets "[]" replaced with your own identifying
- information: Portions Copyright [yyyy] [name of copyright owner]
-
- CDDL HEADER END
+ CDDL HEADER START
+
+ The contents of this file are subject to the terms of the
+ Common Development and Distribution License (the "License").
+ You may not use this file except in compliance with the License.
+
+ You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ or http://www.opensolaris.org/os/licensing.
+ See the License for the specific language governing permissions
+ and limitations under the License.
+
+ When distributing Covered Code, include this CDDL HEADER in each
+ file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ If applicable, add the following below this CDDL HEADER, with the
+ fields enclosed by brackets "[]" replaced with your own identifying
+ information: Portions Copyright [yyyy] [name of copyright owner]
+
+ CDDL HEADER END
+
+ Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ Use is subject to license terms.
ident "%Z%%M% %I% %E% SMI"
@@ -98,7 +97,7 @@
</service>
<service name='network/rpc/cde-calendar-manager' version='1'
type='service'>
- <instance name='udp' enabled='true' />
+ <instance name='default' enabled='true' />
</service>
</service_bundle>
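Review bot: Renaming the cde-calendar-manager instance from `udp` to `default` changes which instance this profile enables; if a repository on an upgraded system still carries the old `udp` instance, the profile no longer touches it and it keeps whatever state it had — I cannot see the service manifest from this diff, so that needs confirming against it. netservices.sh in this commit also operates only on `$CMSD_FMRI:default`, so a leftover `udp` instance would sit outside its loopback-only switch as well. A short comment noting the rename would help: `<!-- instance renamed from 'udp'; the transport is now selected by netservices -->`.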
diff --git a/usr/src/cmd/svc/seed/Makefile b/usr/src/cmd/svc/seed/Makefile
index 262a2c835c..5d6a2e5a04 100644
--- a/usr/src/cmd/svc/seed/Makefile
+++ b/usr/src/cmd/svc/seed/Makefile
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -19,8 +18,7 @@
#
# CDDL HEADER END
#
-#
-# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
@@ -171,6 +169,22 @@ miniroot.db: common.db $(MINIROOT_DESCRIPTIONS) $(CONFIGD) $(SVCCFG)
SVCCFG_CONFIGD_PATH=$(CONFIGD) \
$(SVCCFG) import $$m; \
done
+ #
+ # Make sure the miniroot's syslogd and rpcbind do not respond
+ # to packets from outside the machine. Since we cannot set property
+ # values by applying a profile yet, we need to set them explicitly
+ # with svccfg commands.
+ #
+ SVCCFG_DTD=../dtd/service_bundle.dtd.1 \
+ SVCCFG_REPOSITORY=$(SRC)/cmd/svc/seed/miniroot.db \
+ SVCCFG_CONFIGD_PATH=$(CONFIGD) \
+ $(SVCCFG) -s svc:/system/system-log \
+ setprop config/log_from_remote = false
+ #
+ SVCCFG_DTD=../dtd/service_bundle.dtd.1 \
+ SVCCFG_REPOSITORY=$(SRC)/cmd/svc/seed/miniroot.db \
+ SVCCFG_CONFIGD_PATH=$(CONFIGD) \
+ $(SVCCFG) -s svc:/network/rpc/bind setprop config/local_only = true
install: install_global install_nonglobal install_miniroot
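Review bot: The two new `setprop` commands give no type for the value (`setprop config/log_from_remote = false`, `setprop config/local_only = true`); svccfg requires a type when the property does not already exist in the repository, so this only works if the imported manifests already define both properties — worth confirming, and cheap to make explicit as `setprop config/log_from_remote = boolean: false` and `setprop config/local_only = boolean: true`, which matches what netservices.sh's set_property does with `boolean: $val`. The `SVCCFG_DTD=... SVCCFG_REPOSITORY=... SVCCFG_CONFIGD_PATH=...` prefix is now repeated for each new command and (as far as the context lines show) for the loop above it, and could be hoisted into one macro. The recipe's target line is outside the hunk.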
diff --git a/usr/src/cmd/svc/shell/Makefile b/usr/src/cmd/svc/shell/Makefile
index b127962cf5..b2ae130142 100644
--- a/usr/src/cmd/svc/shell/Makefile
+++ b/usr/src/cmd/svc/shell/Makefile
@@ -2,9 +2,8 @@
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -19,8 +18,7 @@
#
# CDDL HEADER END
#
-#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
@@ -39,9 +37,17 @@ SRCS = \
SCRIPTS = $(SRCS:%=$(ROOT)/lib/svc/share/%)
-install: $(SCRIPTS)
+PROG = netservices
+$(ROOTUSRSBINPROG) := FILEMODE= 0555
+
+install: all $(SCRIPTS) $(ROOTUSRSBINPROG)
$(ROOT)/lib/svc/share/%: %
$(INS.file)
-all lint clobber clean _msg:
+all: $(PROG)
+
+lint _msg:
+
+clobber clean:
+ $(RM) $(PROG)
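Review bot: The rule that turns `netservices.sh` into the `netservices` program is not in this hunk; `all: $(PROG)` relies on a rule supplied by the makefiles this file includes, which I cannot see from here, so the reader has to infer the `.sh` → program step. A one-line comment beside `PROG = netservices` saying where that rule comes from would make the build self-explanatory, e.g. `# netservices is built from netservices.sh by the shared .sh rule in the included makefiles`. The `$(ROOTUSRSBINPROG) := FILEMODE= 0555` line similarly depends on an install rule outside this hunk.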
diff --git a/usr/src/cmd/svc/shell/netservices.sh b/usr/src/cmd/svc/shell/netservices.sh
new file mode 100644
index 0000000000..162a282737
--- /dev/null
+++ b/usr/src/cmd/svc/shell/netservices.sh
@@ -0,0 +1,312 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+
+# ident "%Z%%M% %I% %E% SMI"
+
+DT_CHANGED=0
+
+LOG_FMRI=svc:/system/system-log
+CMSD_FMRI=svc:/network/rpc/cde-calendar-manager
+INETD_FMRI=svc:/network/inetd
+BIND_FMRI=svc:/network/rpc/bind
+XSERVER_FMRI=svc:/application/x11/x11-server
+SENDMAIL_FMRI=svc:/network/smtp:sendmail
+RFC1179_FMRI=svc:/application/print/rfc1179
+TTDB_FMRI=svc:/network/rpc/cde-ttdbserver
+DTLOGIN_FMRI=svc:/application/graphical-login/cde-login
+WEBCONSOLE_FMRI=svc:/system/webconsole
+SMCWBEM_FMRI=svc:/application/smcwbem
+
+usage()
+{
+ prog=`basename $0`
+ echo "$prog: usage: $prog [ open | limited ]" >&2
+ exit 2
+}
+
+#
+# set_property fmri group property value
+#
+# sets the specified property in the specified property-group, creating
+# the group and or property if necessary.
+#
+set_property()
+{
+ fmri=$1
+ group=$2
+ prop=$3
+ val=$4
+
+ if svcprop -qp $group $fmri; then :; else
+ if svccfg -s $fmri addpg $group application; then :; else
+ echo "Failed to create property group \"$group\" \c"
+ echo "for $fmri."
+ exit 1
+ fi
+ fi
+
+ if svccfg -s $fmri setprop $group/$prop = boolean: $val; then :; else
+ echo "Failed to set property $group/$prop for $fmri"
+ exit 1
+ fi
+}
+
+set_system_log()
+{
+ svcprop -q $LOG_FMRI || return
+ if [ "$1" = "local" ]; then
+ val=false
+ else
+ val=true
+ fi
+
+ set_property $LOG_FMRI config log_from_remote $val
+ svcadm refresh $LOG_FMRI
+}
+
+set_cmsd()
+{
+ svcprop -q $CMSD_FMRI:default || return
+ if [ "$1" = "local" ]; then
+ proto="ticlts"
+ else
+ proto="udp"
+ fi
+
+ inetadm -m $CMSD_FMRI:default proto=$proto
+ svcadm refresh $CMSD_FMRI:default
+}
+
+set_rpcbind()
+{
+ svcprop -q $BIND_FMRI || return
+ if [ "$1" = "local" ]; then
+ val=true
+ else
+ val=false
+ fi
+
+ set_property $BIND_FMRI config local_only $val
+ svcadm refresh $BIND_FMRI
+}
+
+set_xserver() {
+ svcprop -q $XSERVER_FMRI || return
+ if [ "$1" = "local" ]; then
+ val=false
+ else
+ val=true
+ fi
+
+ set_property $XSERVER_FMRI options tcp_listen $val
+ # don't need refresh since x11-server is not an actual service
+}
+
+set_sendmail()
+{
+ svcprop -q $SENDMAIL_FMRI || return
+ if [ "$1" = "local" ]; then
+ val=true
+ else
+ val=false
+ fi
+
+ set_property $SENDMAIL_FMRI config local_only $val
+ svcadm refresh $SENDMAIL_FMRI
+}
+
+set_rfc1179()
+{
+ svcprop -q $RFC1179_FMRI:default || return
+ if [ "$1" = "local" ]; then
+ val=localhost
+ else
+ val=
+ fi
+ inetadm -m $RFC1179_FMRI:default bind_addr="$val" 2>/dev/null
+ svcadm refresh $RFC1179_FMRI:default
+}
+
+set_ttdbserver()
+{
+ svcprop -q $TTDB_FMRI:tcp || return
+ if [ "$1" = "local" ]; then
+ val=ticotsord
+ else
+ val=tcp
+ fi
+ inetadm -m $TTDB_FMRI:tcp proto="$val"
+ svcadm refresh $TTDB_FMRI:tcp
+}
+
+set_dtlogin()
+{
+ svcprop -q $DTLOGIN_FMRI || return
+
+ eval args=`svcprop -p dtlogin/args $DTLOGIN_FMRI`
+
+ if echo $args | egrep -s udpPort
+ then
+ old_port=`echo $args |
+ sed 's/.*-udpPort [ ]*\([0-9][0-9]*\).*/\1/'`
+ new_args=`echo $args |
+ sed 's/\(.*\)-udpPort [0-9][0-9]*\(.*\)/\1\2/'`
+ else
+ old_port=-1
+ new_args=$args
+ fi
+
+ if [ "$1" = "local" ]; then
+ args="$new_args -udpPort 0"
+ DT_CHANGED=1
+ else
+ # remove '-udpPort 0' argument. Leave intact if port != 0.
+ if [ $old_port -eq 0 ]; then
+ args="$new_args"
+ DT_CHANGED=1
+ fi
+ fi
+
+ svccfg -s $DTLOGIN_FMRI setprop dtlogin/args = "\"$args\""
+ svcadm refresh $DTLOGIN_FMRI
+}
+
+set_webconsole() {
+ svcprop -q $WEBCONSOLE_FMRI:console || return
+ if [ "$1" = "local" ]; then
+ val=false
+ else
+ val=true
+ fi
+
+ set_property $WEBCONSOLE_FMRI options tcp_listen $val
+ svcadm refresh $WEBCONSOLE_FMRI
+}
+
+set_smcwbem() {
+ svcprop -q $SMCWBEM_FMRI:default || return
+ if [ "$1" = "local" ]; then
+ val=false
+ else
+ val=true
+ fi
+
+ set_property $SMCWBEM_FMRI options tcp_listen $val
+ svcadm refresh $SMCWBEM_FMRI
+}
+
+if [ $# -ne 1 ]; then
+ usage
+fi
+
+case $1 in
+ "open")
+ profile=generic_open.xml
+ keyword="open"
+ ;;
+ "limited")
+ profile=generic_limited_net.xml
+ keyword="local"
+ ;;
+ *)
+ usage
+ ;;
+esac
+
+if [ ! -f /var/svc/profile/$profile ]; then
+ echo "/var/svc/profile/$profile nonexistent. Exiting."
+ exit 1
+fi
+
+#
+# set services
+#
+set_system_log $keyword
+set_cmsd $keyword
+set_rpcbind $keyword
+set_xserver $keyword
+set_sendmail $keyword
+set_rfc1179 $keyword
+set_ttdbserver $keyword
+set_dtlogin $keyword
+set_webconsole $keyword
+set_smcwbem $keyword
+
+#
+# put the new profile into place, and apply it
+#
+ln -sf ./$profile /var/svc/profile/generic.xml
+svccfg apply /var/svc/profile/generic.xml
+
+#
+# Make the services aware of the new property values
+#
+if [ "`svcprop -p restarter/state $LOG_FMRI:default`" = "online" ]
+then
+ # need restart since refresh won't reread properties
+ echo "restarting syslogd"
+ svcadm restart $LOG_FMRI:default
+fi
+
+if [ "`svcprop -p restarter/state $SENDMAIL_FMRI`" = "online" ]
+then
+ # need restart since refresh won't pick up new command-line
+ echo "restarting sendmail"
+ svcadm restart $SENDMAIL_FMRI
+fi
+
+if [ "`svcprop -p restarter/state $BIND_FMRI:default`" = "online" ]
+then
+ # since inetd won't successfully re-register RPC-services after
+ # rpcbind restarts, we need to stop/start inetd too (and serialize
+ # these state-transitions)
+ svcadm disable -s $INETD_FMRI:default
+ svcadm disable -s $BIND_FMRI:default
+ echo "restarting rpcbind"
+ svcadm enable -s $BIND_FMRI:default
+ echo "restarting inetd"
+ svcadm enable -s $INETD_FMRI:default
+fi
+
+if [ $DT_CHANGED -eq 1 ]; then
+ if [ "`svcprop -p restarter/state $DTLOGIN_FMRI:default`" = "online" ]
+ then
+ r="y"
+ if tty -s ; then
+ printf \
+ "dtlogin needs to be restarted. Restart now? [Y] "
+ read r
+ fi
+ if [ "$r" = "" -o "$r" = "y" -o "$r" = "Y" ]; then
+ # Make sure we survive killing dtlogin...
+ trap "" 15
+ svcadm restart $DTLOGIN_FMRI
+ echo "restarting dtlogin"
+ else
+ printf "dtlogin not restarted. "
+ printf "Restart it to put it in ${keyword}-mode.\n"
+ fi
+ fi
+fi
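Review bot: set_rfc1179 ignores inetadm's exit status and discards its stderr (`inetadm -m $RFC1179_FMRI:default bind_addr="$val" 2>/dev/null`), so in `limited` mode a failed rebind leaves lpd listening on all interfaces while the profile keeps rfc1179 enabled, and the script reports success; the other setters at least exit through set_property or let the error message through. Replacing the line with `inetadm -m $RFC1179_FMRI:default bind_addr="$val" || { echo "Failed to set bind_addr for $RFC1179_FMRI:default" >&2; exit 1; }` keeps the script's fail-fast behaviour, and set_cmsd and set_ttdbserver would benefit from the same check on their `inetadm -m` calls. In set_dtlogin, `eval args=...` runs the repository value through the shell, so word splitting and globbing apply to whatever is stored in dtlogin/args; and if `-udpPort` appears without a numeric argument the first sed does not substitute, `old_port` holds the whole string, and `[ $old_port -eq 0 ]` fails with a test error rather than a clean branch. A short comment on why `eval` is needed there (presumably to unescape svcprop's output — confirm) would help the next reader.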