Initial parts of the OpenWRT subsystem skeleton

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/capabilities/ntpd.json

@@ -0,0 +1,22 @@
+{
+	"bounding": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"effective": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"ambient": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"permitted": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	],
+	"inheritable": [
+		"CAP_NET_BIND_SERVICE",
+		"CAP_SYS_TIME"
+	]
+}

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/init.d/cron

@@ -0,0 +1,41 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2011 OpenWrt.org
+
+START=50
+
+USE_PROCD=1
+PROG=/usr/sbin/crond
+
+validate_cron_section() {
+	uci_validate_section system system "${1}" \
+		'cronloglevel:uinteger'
+}
+
+start_service() {
+	[ -z "$(ls /etc/crontabs/)" ] && return 1
+
+	loglevel="$(uci_get "system.@system[0].cronloglevel")"
+
+	[ -z "${loglevel}" ] || {
+		/sbin/validate_data uinteger "${loglevel}" 2>/dev/null
+		[ "$?" -eq 0 ] || {
+			echo "validation failed"
+			return 1
+		}
+	}
+
+	mkdir -p /var/spool/cron
+	ln -s /etc/crontabs /var/spool/cron/ 2>/dev/null
+
+	procd_open_instance
+	procd_set_param command "$PROG" -f -c /etc/crontabs -l "${loglevel:-5}"
+	for crontab in /etc/crontabs/*; do
+		 procd_set_param file "$crontab"
+	done
+	procd_set_param respawn
+	procd_close_instance
+}
+
+service_triggers() {
+	procd_add_validation validate_cron_section
+}

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/init.d/sysntpd

@@ -0,0 +1,130 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2011 OpenWrt.org
+
+START=98
+
+USE_PROCD=1
+PROG=/usr/sbin/ntpd
+HOTPLUG_SCRIPT=/usr/sbin/ntpd-hotplug
+
+get_dhcp_ntp_servers() {
+	local interfaces="$1"
+	local filter="*"
+	local interface ntpservers ntpserver
+
+	for interface in $interfaces; do
+		[ "$filter" = "*" ] && filter="@.interface='$interface'" || filter="$filter,@.interface='$interface'"
+	done
+
+	ntpservers=$(ubus call network.interface dump | jsonfilter -e "@.interface[$filter]['data']['ntpserver']")
+
+	for ntpserver in $ntpservers; do
+		local duplicate=0
+		local entry
+		for entry in $server; do
+			[ "$ntpserver" = "$entry" ] && duplicate=1
+		done
+		[ "$duplicate" = 0 ] && server="$server $ntpserver"
+	done
+}
+
+validate_ntp_section() {
+	uci_load_validate system timeserver "$1" "$2" \
+		'dhcp_interface:list(string)' \
+		'enable_server:bool:0' \
+		'enabled:bool:1' \
+		'interface:string' \
+		'server:list(host)' \
+		'use_dhcp:bool:1'
+}
+
+start_ntpd_instance() {
+	local peer
+
+	[ "$2" = 0 ] || {
+		echo "validation failed"
+		return 1
+	}
+
+	[ $enabled = 0 ] && return
+
+	[ $use_dhcp = 1 ] && get_dhcp_ntp_servers "$dhcp_interface"
+
+	[ -z "$server" -a "$enable_server" = "0" ] && return
+
+	procd_open_instance
+	procd_set_param command "$PROG" -n -N
+	if [ "$enable_server" = "1" ]; then
+		procd_append_param command -l
+		[ -n "$interface" ] && {
+			local ifname
+
+			network_get_device ifname "$interface" || \
+				ifname="$interface"
+			procd_append_param command -I "$ifname"
+			procd_append_param netdev "$ifname"
+		}
+	fi
+	[ -x "$HOTPLUG_SCRIPT" ] && procd_append_param command -S "$HOTPLUG_SCRIPT"
+	for peer in $server; do
+		procd_append_param command -p $peer
+	done
+	procd_set_param respawn
+	#[ -x /sbin/ujail -a -e /etc/capabilities/ntpd.json ] && {
+	#	procd_add_jail ntpd ubus
+	#	procd_add_jail_mount "$HOTPLUG_SCRIPT"
+	#	procd_add_jail_mount "/usr/share/libubox/jshn.sh"
+	#	procd_add_jail_mount "/usr/bin/env"
+	#	procd_add_jail_mount "/usr/bin/jshn"
+	#	procd_add_jail_mount "/bin/ubus"
+	#	procd_set_param capabilities /etc/capabilities/ntpd.json
+	#	procd_set_param user ntp
+	#	procd_set_param group ntp
+	#	procd_set_param no_new_privs 1
+	#}
+	procd_close_instance
+}
+
+start_service() {
+	. /lib/functions/network.sh
+	validate_ntp_section ntp start_ntpd_instance
+}
+
+service_triggers() {
+	local script name use_dhcp enable_server interface
+
+	script=$(readlink -f "$initscript")
+	name=$(basename ${script:-$initscript})
+
+	procd_add_config_trigger "config.change" "system" /etc/init.d/$name reload
+
+	config_load system
+	config_get use_dhcp ntp use_dhcp 1
+
+	[ $use_dhcp = 1 ] && {
+		local dhcp_interface
+		config_get dhcp_interface ntp dhcp_interface
+
+		if [ -n "$dhcp_interface" ]; then
+			for n in $dhcp_interface; do
+				procd_add_interface_trigger "interface.*" $n /etc/init.d/$name reload
+			done
+		else
+			procd_add_raw_trigger "interface.*" 1000 /etc/init.d/$name reload
+		fi
+	}
+
+	config_get_bool enable_server ntp enable_server 0
+	config_get interface ntp interface
+
+	[ $enable_server -eq 1 ] && [ -n "$interface" ] && {
+		local ifname
+
+		network_get_device ifname "$interface" || \
+			ifname="$interface"
+		procd_add_interface_trigger "interface.*" "$ifname" \
+			/etc/init.d/"$name" reload
+	}
+
+	procd_add_validation validate_ntp_section
+}

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/opkg.conf

@@ -0,0 +1,5 @@
+dest root /
+dest ram /tmp
+lists_dir ext /var/opkg-lists
+option overlay_root /overlay
+option check_signature

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/opkg/customfeeds.conf

@@ -0,0 +1,3 @@
+# add your custom package feeds here
+#
+# src/gz example_feed_name http://www.example.com/path/to/files

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.conf

@@ -0,0 +1,15 @@
+# ---------------------------------------------------------------------------#
+# /etc/pam.conf								     #
+# ---------------------------------------------------------------------------#
+#
+# NOTE
+# ----
+#
+# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
+# PAM service modules. This file is used only if that directory does not exist.
+# ---------------------------------------------------------------------------#
+
+# Format:
+# serv.	module	   ctrl	      module [path]	...[args..]		     #
+# name	type	   flag							     #
+

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/common-account

@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/common-auth

@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=1 default=ignore]	login_pw.so
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/common-password

@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=1 default=ignore]	pam_unix.so obscure sha512
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+
+# end of pam-auth-update config

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/common-session

@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required			pam_unix.so 
+# end of pam-auth-update config

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/common-session-noninteractive

@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required			pam_unix.so 
+# end of pam-auth-update config

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/pam.d/other

@@ -0,0 +1,16 @@
+#
+# /etc/pam.d/other - specify the PAM fallback behaviour
+#
+# Note that this file is used for any unspecified service; for example
+#if /etc/pam.d/cron  specifies no session modules but cron calls
+#pam_open_session, the session module out of /etc/pam.d/other is
+#used.  If you really want nothing to happen then use pam_permit.so or
+#pam_deny.so as appropriate.
+
+# We fall back to the system default in /etc/pam.d/common-*
+# 
+
+auth       include      common-auth
+account    include      common-account
+password   include      common-password
+session    include      common-session

opkg-feed/installer/openwrt-sdxlemur-skel/data/etc/uci-defaults/20_migrate-feeds

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+[ -f /etc/opkg.conf ] && grep -q "src\/" /etc/opkg.conf || exit 0
+
+echo -e "# Old feeds from previous image\n# Uncomment to reenable\n" >> /etc/opkg/customfeeds.conf
+sed -n "s/.*\(src\/.*\)/# \1/p" /etc/opkg.conf >> /etc/opkg/customfeeds.conf
+sed -i "/.*src\/.*/d" /etc/opkg.conf
+
+exit 0