system: tighten serial handling around /etc/ttys

845b96d4 · Franco Fichtner · 0273d265 · 845b96d4 · 845b96d4 · 845b96d4
Commit 845b96d4 authored Jun 22, 2016 by Franco Fichtner
5 changed files
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1782,11 +1782,6 @@ function system_reboot($sync = false)
    }
 }
-function system_console_configure()
-{
-    setup_serial_port();
-}
 function system_setup_sysctl()
 {
    activate_sysctls();
@@ -1926,7 +1921,7 @@ function load_thermal_module()
    }
 }
-function setup_serial_port($sync = true)
+function system_console_configure()
 {
    global $config;
@@ -1936,8 +1931,8 @@ function setup_serial_port($sync = true)
    // ** serial console - write out /boot.config
    if ($serial_enabled) {
        file_put_contents('/boot.config', "-S{$serialspeed} -D\n");
-    } elseif (file_exists('/boot.config')) {
+    } else {
-        unlink('/boot.config');
+        @unlink('/boot.config');
    }
    // ** console settings in /boot/loader.conf
@@ -1970,14 +1965,10 @@ function setup_serial_port($sync = true)
    @file_put_contents('/boot/loader.conf', $new_loader_conf);
    // ** setup /etc/ttys
+    $etc_ttys_lines = explode("\n", file_get_contents('/etc/ttys'));
-    // minimize chances of /etc/ttys corruption, keep a copy of the original ttys file
+    $fd = fopen('/etc/ttys', 'w');
-    if (!file_exists('/etc/ttys.opnsense') || filesize('/etc/ttys.opnsense') < 100) {
+    $on_off_secure = $serial_enabled ? 'onifconsole secure' : 'off secure';
-        copy('/etc/ttys', '/etc/ttys.opnsense');
+    $terminal_type = 'cons25'; /* XXX standard is 'xterm' for virtual, 'vt100' for serial */
-    }
-    $fd = fopen("/etc/ttys", "w");
-    $on_off = $serial_enabled ? 'on' : 'off';
    if (isset($config['system']['disableconsolemenu'])) {
        $console_type = 'Pc';
        $serial_type = 'std.' . $serialspeed;
@@ -1985,24 +1976,28 @@ function setup_serial_port($sync = true)
        $console_type = 'al.Pc';
        $serial_type = 'al.' . $serialspeed;
    }
-    foreach(explode("\n", file_get_contents("/etc/ttys.opnsense")) as $tty) {
+    foreach ($etc_ttys_lines as $tty) {
-        if (stristr($tty, "ttyv0")) {
+        if (strpos($tty, 'ttyv0') === 0) {
-            fwrite($fd, "ttyv0  \"/usr/libexec/getty {$console_type}\"  cons25  on  secure\n");
+            /* first virtual terminal */
-        } elseif (stristr($tty, "ttyu0")) {
+            fwrite($fd, "ttyv0\t\"/usr/libexec/getty {$console_type}\"\t\t{$terminal_type}\ton  secure\n");
-            fwrite($fd, "ttyu0  \"/usr/libexec/getty {$serial_type}\"  cons25  {$on_off}  secure\n");
+            continue;
-        } elseif (!empty($tty)) {
+        }
+        foreach (array('ttyu0', 'ttyu1', 'ttyu2', 'ttyu3') as $serialport) {
+            if (strpos($tty, $serialport) === 0) {
+                /* each serial terminal */
+                fwrite($fd, "{$serialport}\t\"/usr/libexec/getty {$serial_type}\"\t{$terminal_type}\t{$on_off_secure}\n");
+                /* skip to next line in outer loop */
+                continue 2;
+            }
+        }
+        if (!empty($tty)) {
+            /* all other lines stay the same */
            fwrite($fd, $tty . "\n");
        }
    }
    fclose($fd);
-    if ($sync) {
-        reload_ttys();
-    }
-}
-function reload_ttys()
-{
    /* force init(8) to reload /etc/ttys */
    exec('/bin/kill -HUP 1');
 }
@@ -2015,7 +2010,6 @@ function reset_factory_defaults($sync = true)
 {
    mwexec('/bin/rm -r /conf/*');
    disable_security_checks();
-    setup_serial_port(false);
    /* as we go through a special case directly reboot */
    $shutdown_cmd = '/sbin/shutdown -or now';

--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -153,6 +153,9 @@ set_device_perms();
 unmute_kernel_msgs();
 echo "done.\n";
+/* configure console menu */
+system_console_configure();
 /* Display live system's early boot options */
 if (is_install_media()) {
    rescue_detect_keypress();
@@ -275,9 +278,6 @@ echo "done.\n";
 /* start load balancer daemon */
 relayd_configure();
-/* configure console menu */
-system_console_configure();
 /* start DHCP service */
 services_dhcpd_configure();
@@ -305,9 +305,6 @@ $ipsec_dynamic_hosts = ipsec_configure();
 /* start SNMP service */
 services_snmpd_configure();
-/* lock down console if necessary */
-reload_ttys();
 /* load graphing functions */
 enable_rrd_graphing();

--- a/src/etc/rc.recover
+++ b/src/etc/rc.recover
@@ -109,6 +109,59 @@ $etc_shells = <<<EOF
 EOF;
+$etc_ttys = <<<EOF
+#
+# \$FreeBSD$
+#	@(#)ttys	5.1 (Berkeley) 4/17/89
+#
+# This file specifies various information about terminals on the system.
+# It is used by several different programs.  Common entries for the
+# various columns include:
+#
+# name  The name of the terminal device.
+#
+# getty The program to start running on the terminal.  Typically a
+#       getty program, as the name implies.  Other common entries
+#       include none, when no getty is needed, and xdm, to start the
+#       X Window System.
+#
+# type The initial terminal type for this port.  For hardwired
+#      terminal lines, this will contain the type of terminal used.
+#      For virtual consoles, the correct type is typically xterm.
+#      Other common values include dialup for incoming modem ports, and
+#      unknown when the terminal type cannot be predetermined.
+#
+# status Must be on or off.  If on, init will run the getty program on
+#        the specified port.  If the word "secure" appears, this tty
+#        allows root login.
+#
+# name	getty				type	status		comments
+#
+# If console is marked "insecure", then init will ask for the root password
+# when going to single-user mode.
+console	none				unknown	off secure
+#
+ttyv0	"/usr/libexec/getty Pc"		xterm	on  secure
+# Virtual terminals
+ttyv1	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv2	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv3	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv4	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv5	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv6	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv7	"/usr/libexec/getty Pc"		xterm	on  secure
+ttyv8	"/usr/local/bin/xdm -nodaemon"	xterm	off secure
+# Serial terminals
+# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
+ttyu0	"/usr/libexec/getty 3wire"	vt100	onifconsole secure
+ttyu1	"/usr/libexec/getty 3wire"	vt100	onifconsole secure
+ttyu2	"/usr/libexec/getty 3wire"	vt100	onifconsole secure
+ttyu3	"/usr/libexec/getty 3wire"	vt100	onifconsole secure
+# Dumb console
+dcons	"/usr/libexec/getty std.9600"	vt100	off secure
+EOF;
 function recover_ports()
 {
 	$actions = array(
@@ -151,7 +204,7 @@ function recover_rebuild()
 	passthru('/bin/sync');
 }
-function recover_base($etc_group, $etc_master_passwd, $etc_shells)
+function recover_base($etc_group, $etc_master_passwd, $etc_shells, $etc_ttys)
 {
 	echo "===> Restoring /etc/group\n";
 	file_put_contents('/etc/group', $etc_group);
@@ -162,6 +215,9 @@ function recover_base($etc_group, $etc_master_passwd, $etc_shells)
 	echo "===> Restoring /etc/shells\n";
 	file_put_contents('/etc/shells', $etc_shells);
+	echo "===> Restoring /etc/ttys\n";
+	file_put_contents('/etc/ttys', $etc_ttys);
 	recover_rebuild();
 }
@@ -175,13 +231,13 @@ $stage = isset($argv[1]) ? $argv[1] : 'both';
 switch ($stage) {
 	case 'base':
-		recover_base($etc_group, $etc_master_passwd, $etc_shells);
+		recover_base($etc_group, $etc_master_passwd, $etc_shells, $etc_ttys);
 		break;
 	case 'pkg':
 		recover_pkg();
 		break;
 	default:
-		recover_base($etc_group, $etc_master_passwd, $etc_shells);
+		recover_base($etc_group, $etc_master_passwd, $etc_shells, $etc_ttys);
 		recover_pkg();
 		break;
 }
--- a/src/www/diag_backup.php
+++ b/src/www/diag_backup.php
@@ -442,7 +442,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                        convert_config();
                        $savemsg = gettext("The m0n0wall configuration has been restored and upgraded to OPNsense.");
                    }
-                    setup_serial_port();
                } else {
                    $input_errors[] = gettext("The configuration could not be restored.");
                }

--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -231,7 +231,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $savemsg .= sprintf("<br />" . gettext("One moment...redirecting to %s in 20 seconds."), $url);
        }
-        setup_serial_port();
+        system_console_configure();
        system_hosts_generate();
        // Restart DNS in case dns rebinding toggled
@@ -506,7 +506,7 @@ include("head.inc");
                  <td><a id="help_for_enableserial" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Serial Terminal"); ?></td>
                  <td width="78%">
                    <input name="enableserial" type="checkbox" id="enableserial" value="yes" <?=!empty($pconfig['enableserial']) ? "checked=\"checked\"" : "";?> />
-                    <strong><?=gettext("Enables the first serial port with 115200/8/N/1 by default, or another speed selectable below."); ?></strong>
+                    <strong><?=gettext("Enable serial ports with 115200/8/N/1 by default, or another speed selectable below."); ?></strong>
                    <div class="hidden" for="help_for_enableserial">
                      <?=gettext("Note: This will redirect the console output and messages to the serial port. You can still access the console menu from the internal video card/keyboard. A null modem serial cable or adapter is required to use the serial console."); ?>
                    </div>