Ensure that there is a security repo

This commit is contained in:
Bob Mottram 2014-09-22 14:48:38 +01:00
parent aa340480e9
commit 04e4d301eb
1 changed files with 31 additions and 18 deletions


@ -52,6 +52,11 @@ SSH_PORT=2222
KERNEL_VERSION="v3.15.10-bone7" KERNEL_VERSION="v3.15.10-bone7"
USE_HWRNG="yes" USE_HWRNG="yes"
# The Debian package repository to use.
DEBIAN_REPO="ftp.de.debian.org"
DEBIAN_VERSION="jessie"
# Directory where source code is downloaded and compiled # Directory where source code is downloaded and compiled
INSTALL_DIR=/root/build INSTALL_DIR=/root/build
@ -98,21 +103,29 @@ function remove_proprietary_repos {
echo 'remove_proprietary_repos' >> $COMPLETION_FILE echo 'remove_proprietary_repos' >> $COMPLETION_FILE
} }
function https_repos { function change_debian_repos {
# The lack of https repos by default is I think a significant security if grep -Fxq "change_debian_repos" $COMPLETION_FILE; then
# problem, potentially allowing an adversary to modify package downloads,
# checksums or gpg public keys in transit and also to know what is installed
# on your system
# See http://forums.debian.net/viewtopic.php?f=10&t=74444
# https://wiki.debian.org/SecureApt
if grep -Fxq "https_repos" $COMPLETION_FILE; then
return return
fi fi
apt-get -y update rm -rf /var/lib/apt/lists/*
# Since at the present time this does not work it's commented out apt-get clean
#apt-get -y --force-yes install apt-transport-https sed -i "s/ftp.us.debian.org/$DEBIAN_REPO/g" /etc/apt/sources.list
#sed -i 's/http:/https:/g' /etc/apt/sources.list
echo 'https_repos' >> $COMPLETION_FILE # ensure that there is a security repo
if ! grep -q "security" /etc/apt/sources.list; then
if grep -q "jessie" /etc/apt/sources.list; then
echo "deb http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list
echo "#deb-src http://security.debian.org/ jessie/updates main contrib" >> /etc/apt/sources.list
else
if grep -q "wheezy" /etc/apt/sources.list; then
echo "deb http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list
echo "#deb-src http://security.debian.org/ wheezy/updates main contrib" >> /etc/apt/sources.list
fi
fi
fi
apt-get update
echo 'change_debian_repos' >> $COMPLETION_FILE
} }
function initial_setup { function initial_setup {
@ -137,8 +150,8 @@ function enable_backports {
if grep -Fxq "enable_backports" $COMPLETION_FILE; then if grep -Fxq "enable_backports" $COMPLETION_FILE; then
return return
fi fi
if ! grep -Fxq "deb http://ftp.us.debian.org/debian jessie-backports main" /etc/apt/sources.list; then if ! grep -Fxq "deb https://$DEBIAN_REPO/debian jessie-backports main" /etc/apt/sources.list; then
echo "deb http://ftp.us.debian.org/debian jessie-backports main" >> /etc/apt/sources.list echo "deb https://$DEBIAN_REPO/debian jessie-backports main" >> /etc/apt/sources.list
fi fi
echo 'enable_backports' >> $COMPLETION_FILE echo 'enable_backports' >> $COMPLETION_FILE
} }
@ -573,7 +586,7 @@ function configure_email {
return return
fi fi
apt-get -y remove postfix apt-get -y remove postfix
apt-get -y install exim4-daemon-heavy sasl2-bin swaks libnet-ssleay-perl procmail apt-get -y install exim4 sasl2-bin swaks libnet-ssleay-perl procmail
echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf echo 'dc_eximconfig_configtype="internet"' > /etc/exim4/update-exim4.conf.conf
echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf echo "dc_other_hostnames='$DOMAIN_NAME'" >> /etc/exim4/update-exim4.conf.conf
echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf echo "dc_local_interfaces=''" >> /etc/exim4/update-exim4.conf.conf
@ -965,12 +978,12 @@ configure_firewall_for_dns
configure_firewall_for_ftp configure_firewall_for_ftp
configure_firewall_for_web configure_firewall_for_web
remove_proprietary_repos remove_proprietary_repos
https_repos change_debian_repos
enable_backports
configure_dns configure_dns
initial_setup initial_setup
install_editor install_editor
change_login_message change_login_message
enable_backports
update_the_kernel update_the_kernel
enable_zram enable_zram
random_number_generator random_number_generator
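Review bot: The backports line in enable_backports (the `@ -137,8 +150,8` hunk) now points at `https://$DEBIAN_REPO`, but nothing on the new side installs `apt-transport-https`, which apt on jessie needs before it can fetch an https source; the only mention of that package was the commented-out install in the deleted `https_repos` function. Unless it is installed somewhere outside this diff, the first `apt-get update` after enable_backports has run will fail on the https method, so add `apt-get -y install apt-transport-https` to change_debian_repos right after its own `apt-get update` (the mirror is still reached over http at that point, so that step succeeds). change_debian_repos also hard-codes `jessie` and `wheezy` in its grep and echo lines while the `DEBIAN_VERSION="jessie"` added in the first hunk is never read; `echo "deb http://security.debian.org/ $DEBIAN_VERSION/updates main contrib" >> /etc/apt/sources.list` would keep the two in step and make the backports suite parameterisable the same way. Finally, `grep -q "security" /etc/apt/sources.list` is satisfied by a commented-out or unrelated line containing that word, so a tighter test such as `grep -q "^deb .*security.debian.org" /etc/apt/sources.list` would avoid silently skipping the security repo.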