diff --git a/clone-master-clean-up.1 b/clone-master-clean-up.1 index 30be74a..e6e7700 100644 --- a/clone-master-clean-up.1 +++ b/clone-master-clean-up.1 @@ -14,7 +14,7 @@ .\" * GNU General Public License for more details. .\" */ .\" -.TH clone-master-clean-up "1" "May 2017" "" "Clean-Up For Cloning Preparation" +.TH clone-master-clean-up "1" "September 2022" "" "Clean-Up For Cloning Preparation" .SH NAME clone\-master\-clean\-up - Clean up a system for cloning preparation. @@ -77,7 +77,7 @@ The program asks for confirmation before proceeding with cleanup. If you proceed .IP \[bu] SUSE registration, all software repositories. .IP \[bu] -SSH host keys, user SSH keys, user authorized keys, user shell history. +SSH host keys, root user SSH keys, root user authorized keys, root user shell history. .IP \[bu] User mails and user cron jobs. .IP \[bu] diff --git a/clone-master-clean-up.changes b/clone-master-clean-up.changes index c6c23e4..2ce7f3d 100644 --- a/clone-master-clean-up.changes +++ b/clone-master-clean-up.changes 
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Tue Feb 7 12:26:43 UTC 2023 - Peter Varkoly + +- Bump version to 1.11 +- clone-master-clean-up fails when /etc/iscsi/initiatorname.iscsi doesn't exist + The entire section is wrapped in a test for the existence of this file. + (bsc#1207993) + +------------------------------------------------------------------- +Fri Oct 28 11:41:37 UTC 2022 - Peter Varkoly + +- Bump version to 1.10 +- clone-master-clean-up fails if postfix is not installed (bsc#1204835) + Check if the directory does exists. + +------------------------------------------------------------------- +Fri Sep 23 14:49:49 UTC 2022 - Peter Varkoly + +- Bump version to 1.9 +- [clone-master-clean-up] Cleannup initiatorname.iscsi + Remove all no comment files + (bsc#1203024) + +------------------------------------------------------------------- +Thu Sep 22 09:08:16 UTC 2022 - Peter Varkoly + +- Bump version to 1.8 +- clone-master-clean-up fails to remove btrfs snapshots + (bsc#1203651) + +------------------------------------------------------------------- +Tue Aug 30 15:02:45 UTC 2022 - abriel@suse.com + +- Bump version to 1.7 +- CVE-2021-32000: fix some potentially dangerous file system + operations + (bsc#1181050) + ------------------------------------------------------------------- Wed Aug 12 15:44:30 UTC 2020 - abriel@suse.com diff --git a/clone-master-clean-up.sh b/clone-master-clean-up.sh index 6e46e81..d96e5b7 100644 --- a/clone-master-clean-up.sh +++ b/clone-master-clean-up.sh @@ -4,6 +4,7 @@ # Author: Howard Guo set -e +shopt -s nullglob # bsc#1092378 DROP_IN_FILE=/etc/clone-master-clean-up/custom_remove SYSCONF_FILE=/etc/sysconfig/clone-master-clean-up 
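Review bot: The new `shopt -s nullglob` changes the meaning of every glob in the script, but the trailing comment only cites a bug number; the `$(echo /home/*/.ssh/* /home/*/.*_history)` probe added in the next hunk is non-empty for a literal unmatched pattern and so only works with nullglob, and the `for intf in /etc/sysconfig/network/ifcfg-eth*` loop in the network hunk now runs zero times instead of calling grep on the literal pattern. Say so at the option: `shopt -s nullglob # bsc#1092378: unmatched globs expand to nothing; the /home/* probe and the ifcfg-eth* loop rely on this`. It also means the existing `rm -rf /var/spool/mail/*` and `rm -rf /var/spool/cron/{lastrun,tabs}/*` in the postfix hunk can now be invoked with an empty operand list, which GNU rm accepts under `-f` but other implementations reject; a `|| true` on those two lines, matching the `/tmp` removal below them, would make that explicit under `set -e`.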
@@ -16,10 +17,21 @@ trap 'err_exit $LINENO' ERR [ "$UID" != "0" ] && echo 'Please run this program as root user.' && exit 1 -echo 'The script will delete all SSH keys, log data, and more. Type YES and enter to proceed.' +echo -e 'The script will delete root SSH keys, log data, and more.\n' \ + 'WARNING: This should only be used on a pristine system\n' \ + 'WARNING: with no populated /home directories!\n' \ + 'Type YES and enter to proceed.' read -r answer [ "$answer" != "YES" ] && exit 1 +if [ -n "$(echo /home/*/.ssh/* /home/*/.*_history)" ]; then + echo -e 'There seem to be populated /home directories on this system\n' \ + 'Cloning such systems is not recommended.\n' \ + 'Type YES if you still would like to proceed.' + read answer + [ "$answer" != "YES" ] && exit 1 +fi + # source config file if [ -r "$SYSCONF_FILE" ]; then . "$SYSCONF_FILE" 
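Review bot: The second confirmation uses `read answer` without `-r`, unlike the `read -r answer` a few lines above it, so a backslash in the typed reply is interpreted instead of compared literally; use `read -r answer` in the new block as well. Both `echo -e` calls pass each line as a separate argument, and echo joins arguments with a space, so every line after the first is printed with a leading blank; `printf '%s\n' 'The script will delete root SSH keys, log data, and more.' 'WARNING: This should only be used on a pristine system' ...` prints the lines exactly as written. The probe only inspects `.ssh` contents and `*_history` files, so a home directory holding other data is not detected; either the warning text should say "SSH keys or shell history under /home" rather than "populated /home directories", or the check should be widened to match the wording.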
@@ -45,22 +57,33 @@ find /etc/zypp \( -iname 'suse*' -o -iname 'scc*' \) -delete echo "Removing zypper anonymous ID" rm -rf /var/lib/zypp/AnonymousUniqueId -echo 'Removing SSH host keys, user SSH keys, authorized keys, and shell history' -rm -rf /etc/ssh/ssh_host*key* /root/.ssh/* /home/*/.ssh/* /home/*/.*_history &> /dev/null +echo 'Removing SSH host keys, root user SSH keys, authorized keys, and shell history' +rm -rf /etc/ssh/ssh_host*key* /root/.ssh/* &> /dev/null echo 'Removing all mails and cron-jobs' rm -rf /var/spool/mail/* rm -rf /var/spool/cron/{lastrun,tabs}/* echo "Clean up postfix" -rm -rf /var/spool/postfix/{active,corrupt,deferred,hold,maildrop,saved,bounce,defer,flush,incoming,trace}/* +for i in /var/spool/postfix/{active,corrupt,deferred,hold,maildrop,saved,bounce,defer,flush,incoming,trace}; do + if [ -d "$i" ]; then + # descend following symlink and check if it was symlink, if not, recursively delete entries in this directory. 'rm -rf' doesn't follow symlinks. + cd -P "$i" + [ "$i" != "$PWD" ] && continue + info=( $(stat --printf="%u %g" ".") ) + owner=${info[0]} + group=${info[1]} + setpriv --clear-groups --reuid "$owner" --regid "$group" rm -rf ./* + fi +done echo 'Removing all temporary files' rm -rf /tmp/* /tmp/.* /var/tmp/* /var/tmp/.* &> /dev/null || true -echo 'Clearing log files and removing log archives' -find /var/log -type f -exec truncate -s 0 {} \; +echo 'Removing log archives' find /var/log \( -iname '*.old' -o -iname '*.xz' -o -iname '*.gz' \) -delete +echo 'Clearing log files' +find /var/log -type f -exec truncate -s 0 {} \; echo 'Clearing HANA firewall script' rm -rf /etc/hana-firewall.d/generated_hana_firewall_script 
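Review bot: `cd -P "$i"` changes the script's working directory and nothing changes it back, so after the loop the script keeps running from inside the last postfix queue directory it cleaned, and a `[ "$i" != "$PWD" ] && continue` skip leaves the directory silently untouched with no diagnostic. Running the body in a subshell keeps the cwd change local, and `read -r owner group < <(stat --printf='%u %g' .)` avoids the unquoted array assignment `info=( $(stat ...) )`. The privilege drop via `setpriv` to the directory owner is what the changelog describes for CVE-2021-32000 (bsc#1181050) and deserves a comment saying so, since a future reader will otherwise be tempted to replace it with a plain `rm -rf "$i"/*`. If /var/spool/postfix itself were a symlink, every queue directory would fail the `$PWD` comparison and be skipped, which is presumably not intended; logging the skip makes that visible.
```shell
for i in /var/spool/postfix/{active,corrupt,deferred,hold,maildrop,saved,bounce,defer,flush,incoming,trace}; do
  [ -d "$i" ] || continue
  (
    # Resolve symlinks first; if the queue directory is not where we expect it, say so and skip it.
    cd -P "$i"
    if [ "$i" != "$PWD" ]; then
      echo "Skipping $i: resolves to $PWD" >&2
      exit 0
    fi
    read -r owner group < <(stat --printf='%u %g' .)
    # Delete as the directory's owner rather than root (CVE-2021-32000 / bsc#1181050 in the changelog).
    setpriv --clear-groups --reuid "$owner" --regid "$group" rm -rf ./*
  )
done
```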
@@ -119,55 +142,51 @@ echo 'Enabling YaST Firstboot if necessary' if [ "$CMCU_RSNAP" = "yes" ]; then -SNAPPER_CMD="snapper delete" - if [ -d /.snapshots ]; then - echo "Removing all pre/post btrfs snapshots from /.snapshot" - snapshots=$(dbus-send --type=method_call --system --print-reply \ - --dest=org.opensuse.Snapper \ - /org/opensuse/Snapper \ - org.opensuse.Snapper.ListSnapshots string:root \ - 2>/dev/null | awk -- " + if [ -d /.snapshots ]; then + echo "Removing all pre/post btrfs snapshots from /.snapshot" + presnapshots=$(dbus-send --type=method_call --system --print-reply \ + --dest=org.opensuse.Snapper \ + /org/opensuse/Snapper \ + org.opensuse.Snapper.ListSnapshots string:root \ + 2>/dev/null | awk -- " BEGIN {arr=0; cnt=0; u2=0; u4=0; del=0} /array \[/ {arr++} /struct {/ {if (arr==1) cnt++} -/}/ {if(arr==1&&--cnt==0){if(del==1) print id \"|\" lst;del=0;u4=0;u2=0}} +/}/ {if(arr==1&&--cnt==0){if(del==1) print id ;del=0;u4=0;u2=0}} /\]/ {arr--} # Don't delete current snapshot /string "current"/ {if (arr==1 && cnt==1) del=0} # ID: 1st uint32 value of each top struct in top array /uint32/ {if (arr==1 && cnt==1) if (++u4==1)id=\$2; else if (u4==2)lst=\$2} # Type: 1st uint16 value of each top struct in top array -/uint16/ {if (arr==1 && cnt==1){if (++u2==1) {if (\$2==1 || \$2==2){del=1}}}} +/uint16/ {if (arr==1 && cnt==1){if (++u2==1) {if (\$2==1 ){del=1}}}} ") - - # Create chains - OFS=$IFS - IFS=" " - while read line; do - [[ $line =~ ([^\|]+)\|(.*) ]] - last[${BASH_REMATCH[1]}]=${BASH_REMATCH[2]}; - [ -z "${next[${BASH_REMATCH[1]}]}" ] && next[${BASH_REMATCH[1]}]=0 - next[${BASH_REMATCH[2]}]=${BASH_REMATCH[1]} - done <<< $snapshots - IFS=$OFS - # Find end of each chain and work backwards - for i in ${!next[@]}; do - [ -n "${next[$i]}" ] || continue # unpopulated - a=${next[$i]}; unset next[$i]; b=$i - while true; do - if [ $a -eq 0 ] - then - while true; do - unset next[$b]; $SNAPPER_CMD $b - b=${last[$b]} - [ $b -eq 0 ] && break 2 - done - else - b=$a; 
a=${next[$a]}; unset next[$b] - fi - done - done - fi + for i in $presnapshots + do + /usr/bin/snapper delete --sync $i + done + postsnapshots=$(dbus-send --type=method_call --system --print-reply \ + --dest=org.opensuse.Snapper \ + /org/opensuse/Snapper \ + org.opensuse.Snapper.ListSnapshots string:root \ + 2>/dev/null | awk -- " +BEGIN {arr=0; cnt=0; u2=0; u4=0; del=0} +/array \[/ {arr++} +/struct {/ {if (arr==1) cnt++} +/}/ {if(arr==1&&--cnt==0){if(del==1) print id ;del=0;u4=0;u2=0}} +/\]/ {arr--} +# Don't delete current snapshot +/string "current"/ {if (arr==1 && cnt==1) del=0} +# ID: 1st uint32 value of each top struct in top array +/uint32/ {if (arr==1 && cnt==1) if (++u4==1)id=\$2; else if (u4==2)lst=\$2} +# Type: 1st uint16 value of each top struct in top array +/uint16/ {if (arr==1 && cnt==1){if (++u2==1) {if (\$2==2 ){del=1}}}} +") + for i in $postsnapshots + do + /usr/bin/snapper delete --sync $i + done + fi fi if [ "$CMCU_ZYPP_REPOS" = "yes" ]; then @@ -234,7 +253,7 @@ fi rm -rf /tmp/fstab.tmp echo "Clean up network files (except interfaces using dhcp boot protocol)" -# additional files like bondig interfaces or vlans can be found in +# additional files like bondig interfaces or vlans can be found in # /usr/share/clone-master-clean-up/custom_remove.template for intf in /etc/sysconfig/network/ifcfg-eth*; do bprot=$(grep "^BOOTPROTO=" "$intf" | sed "s/^BOOTPROTO=//") @@ -271,5 +290,10 @@ if [ -r "$DROP_IN_FILE" ]; then done < $DROP_IN_FILE fi +if [ -e /etc/iscsi/initiatorname.iscsi ]; then + echo 'Clean up initiatorname.iscsi' + sed -i '/^[^#]/d' /etc/iscsi/initiatorname.iscsi +fi + echo 'Finished. The system is now sparkling clean. Feel free to shut it down and image it.' diff --git a/clone-master-clean-up.spec b/clone-master-clean-up.spec index 38e5863..913e058 100644 --- a/clone-master-clean-up.spec +++ b/clone-master-clean-up.spec 
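Review bot: The dbus-send/awk pipeline is pasted twice and the two copies differ only in the type compared on the `/uint16/` line (`\$2==1` for `presnapshots`, `\$2==2` for `postsnapshots`), so any later fix to the parser has to be made in two places; a small function that takes the type through `awk -v want="$1"` removes the duplication and also lets the awk program be single-quoted so `$2` no longer needs escaping. The `/uint32/` rule still stores `lst=$2`, which nothing reads any more now that the chain logic is gone, and `$i` in `/usr/bin/snapper delete --sync $i` should be quoted even though the ids are numeric. Under the script's `set -e` a single failing `snapper delete --sync` aborts the whole clean-up mid-way, which may be what bsc#1203651 wants but is worth a comment either way. The enclosing `if [ "$CMCU_RSNAP" = "yes" ]` opens in this hunk's context and closes inside it, so the replacement below covers the whole body.
```shell
# Print the ids of root snapshots whose type field equals $1 (this hunk uses 1 for pre and 2 for post),
# skipping the one flagged "current".
snapshot_ids_of_type() {
  dbus-send --type=method_call --system --print-reply \
    --dest=org.opensuse.Snapper \
    /org/opensuse/Snapper \
    org.opensuse.Snapper.ListSnapshots string:root \
    2>/dev/null | awk -v want="$1" -- '
# … unchanged: BEGIN, array/struct counting, the "current" guard and the uint32 id rule …
/uint16/ {if (arr==1 && cnt==1){if (++u2==1) {if ($2==want){del=1}}}}
'
}
for id in $(snapshot_ids_of_type 1) $(snapshot_ids_of_type 2); do
  /usr/bin/snapper delete --sync "$id"
done
```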
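Review bot: The initiatorname.iscsi block tests with `-e`, which is also true for a directory or a symlink, while the `sed -i` that follows only makes sense on a regular file; `if [ -f /etc/iscsi/initiatorname.iscsi ]; then` is the tighter guard. GNU `sed -i` on a symlink replaces the link with a regular file unless `--follow-symlinks` is given, so if that path can be a symlink on some installations the edit should either follow it or skip it deliberately. The `'/^[^#]/d'` expression deletes every non-comment line, not only `InitiatorName=`, and a comment on that line would save the next reader a trip to the changelog: `# drop every non-comment line (InitiatorName= included) so the initiator identity is not cloned (bsc#1203024)`.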
@@ -1,7 +1,7 @@ # # spec file for package clone-master-clean-up # -# Copyright (c) 2017-2020 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: clone-master-clean-up -Version: 1.6 +Version: 1.11 Release: 0 Summary: Tool to clean up a system for cloning preparation License: GPL-2.0-or-later