diff options
author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-07-08 01:41:26 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2011-07-08 01:41:26 +0000 |
commit | 6c058775e6ba954c0b3d060c5093b065f9ce9bd3 (patch) | |
tree | ae766d21dc824d5e178506773e96c383e73560fd | |
parent | 62712b29ab9f059a0abe54994957896da2316375 (diff) |
Move various bits of key generation in rc into one function, which we
can run surprisingly early. Move the X socket directory creation code
into a function too.
robert liked it
-rw-r--r-- | etc/rc | 69 |
1 files changed, 68 insertions, 1 deletions
@@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.372 2011/07/08 00:54:04 ajacoutot Exp $ +# $OpenBSD: rc,v 1.373 2011/07/08 01:41:25 deraadt Exp $ # System startup script run by init on autoboot # or after single-user. @@ -153,6 +153,69 @@ start_daemon() done } +make_keys() +{ + if [ X"${named_flags}" != X"NO" ]; then + if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then + echo -n "rndc-confgen: generating shared secret... " + if rndc-confgen -a -t /var/named >/dev/null 2>&1; then + chmod 0640 /var/named/etc/rndc.key \ + >/dev/null 2>&1 + echo done. + else + echo failed. + fi + fi + fi + + if [ ! -f /etc/isakmpd/private/local.key ]; then + echo -n "openssl: generating isakmpd/iked RSA key... " + if openssl genrsa -out /etc/isakmpd/private/local.key 2048 \ + >/dev/null 2>&1; then + chmod 600 /etc/isakmpd/private/local.key + openssl rsa -out /etc/isakmpd/local.pub -in \ + /etc/isakmpd/private/local.key -pubout \ + >/dev/null 2>&1 + echo done. + else + echo failed. + fi + fi + + if [ ! -f /etc/iked/private/local.key ]; then + # Just copy the generated isakmpd key + cp /etc/isakmpd/private/local.key /etc/iked/private/local.key + chmod 600 /etc/iked/private/local.key + cp /etc/isakmpd/local.pub /etc/iked/local.pub + fi + + ssh-keygen -A +} + +# create Unix sockets directories for X if needed and make sure they have +# correct permissions +setup_X_sockets() +{ + if [ -d /usr/X11R6/lib ]; then + for d in /tmp/.X11-unix /tmp/.ICE-unix ; do + if [ -d $d ]; then + if [ `ls -ld $d | cut -d' ' -f4` \ + != root ]; then + chown root $d + fi + if [ `ls -ld $d | cut -d' ' -f1` \ + != drwxrwxrwt ]; then + chmod 1777 $d + fi + elif [ -e $d ]; then + echo "Error: $d exists and isn't a directory." + else + mkdir -m 1777 $d + fi + done + fi +} + # End subroutines stty status '^T' @@ -351,6 +414,8 @@ rm -f /var/spool/uucp/STST/* # save a copy of the boot messages dmesg >/var/run/dmesg.boot +make_keys + echo -n 'starting system logger: ' start_daemon syslogd echo '.' @@ -490,6 +555,8 @@ if [ -d /usr/X11R6/lib ]; then done fi +setup_X_sockets + [ -f /etc/rc.securelevel ] && . /etc/rc.securelevel if [ X"${securelevel}" != X"" ]; then echo -n 'setting kernel security level: ' |