From 845b96d41fbb764334411c2b52bd33fb7d0d14d0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 22 Jun 2016 17:47:03 +0200
Subject: [PATCH] system: tighten serial handling around /etc/ttys
---
 src/etc/inc/system.inc | 54 ++++++++++++---------------
 src/etc/rc.bootup | 9 ++---
 src/etc/rc.recover | 62 +++++++++++++++++++++++++++++--
 src/www/diag_backup.php | 1 -
 src/www/system_advanced_admin.php | 4 +-
 5 files changed, 88 insertions(+), 42 deletions(-)
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index e9a8a7d75..a0dde6218 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1782,11 +1782,6 @@ function system_reboot($sync = false)
 }
 }
-function system_console_configure()
-{
- setup_serial_port();
-}
-
 function system_setup_sysctl()
 {
 activate_sysctls();
@@ -1926,7 +1921,7 @@ function load_thermal_module()
 }
 }
-function setup_serial_port($sync = true)
+function system_console_configure()
 {
 global $config;
@@ -1936,8 +1931,8 @@ function setup_serial_port($sync = true)
 // ** serial console - write out /boot.config
 if ($serial_enabled) {
 file_put_contents('/boot.config', "-S{$serialspeed} -D\n");
- } elseif (file_exists('/boot.config')) {
- unlink('/boot.config');
+ } else {
+ @unlink('/boot.config');
 }
 // ** console settings in /boot/loader.conf
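Review bot: The `@unlink('/boot.config')` added in the `@@ -1936,8 +1931,8 @@` hunk suppresses every failure, not only the file being absent, so when removal fails the `-S… -D` serial flags stay in `/boot.config` while the configuration says serial is off. Keeping the existence test and reporting the failure avoids that silent mismatch: `} elseif (file_exists('/boot.config') && !unlink('/boot.config')) {` with a log line naming the file in the branch. The `file_put_contents('/boot.config', …)` just above it is context here and is equally unchecked. The function body starts and ends outside this hunk.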
@@ -1970,14 +1965,10 @@ function setup_serial_port($sync = true)
 @file_put_contents('/boot/loader.conf', $new_loader_conf);
 // ** setup /etc/ttys
-
- // minimize chances of /etc/ttys corruption, keep a copy of the original ttys file
- if (!file_exists('/etc/ttys.opnsense') || filesize('/etc/ttys.opnsense') < 100) {
- copy('/etc/ttys', '/etc/ttys.opnsense');
- }
-
- $fd = fopen("/etc/ttys", "w");
- $on_off = $serial_enabled ? 'on' : 'off';
+ $etc_ttys_lines = explode("\n", file_get_contents('/etc/ttys'));
+ $fd = fopen('/etc/ttys', 'w');
+ $on_off_secure = $serial_enabled ? 'onifconsole secure' : 'off secure';
+ $terminal_type = 'cons25'; /* XXX standard is 'xterm' for virtual, 'vt100' for serial */
 if (isset($config['system']['disableconsolemenu'])) {
 $console_type = 'Pc';
 $serial_type = 'std.' . $serialspeed;
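Review bot: `/etc/ttys` is read with `file_get_contents()` and then truncated by `fopen('/etc/ttys', 'w')` with neither result checked, so a failed read or an interruption before the `fclose()` in the next hunk leaves an empty or partial terminal table. That file decides which lines run getty and which accept root logins, and the `/etc/ttys.opnsense` copy dropped here was the only guard against corrupting it. Validating the read and writing to a temporary file that is renamed over `/etc/ttys` keeps the old table intact on any failure. The rewrite loop and `fclose()` sit in the following hunk and stay as they are apart from the target path.

```php
    // ** setup /etc/ttys
    $etc_ttys = file_get_contents('/etc/ttys');
    if ($etc_ttys === false || trim($etc_ttys) === '') {
        /* keep the existing table rather than truncating it */
        syslog(LOG_ERR, 'cannot read /etc/ttys, console terminals left unchanged');
        return;
    }
    $etc_ttys_lines = explode("\n", $etc_ttys);
    $etc_ttys_tmp = '/etc/ttys.tmp'; /* temporary name constructed for this example */
    $fd = fopen($etc_ttys_tmp, 'w');
    if ($fd === false) {
        syslog(LOG_ERR, 'cannot write ' . $etc_ttys_tmp . ', console terminals left unchanged');
        return;
    }
    // … unchanged: $on_off_secure, $terminal_type, getty types and the rewrite loop …
    fclose($fd);
    /* carry over the mode of the file being replaced */
    chmod($etc_ttys_tmp, fileperms('/etc/ttys') & 0777);
    /* rename() inside /etc swaps the table in one step */
    rename($etc_ttys_tmp, '/etc/ttys');
```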
@@ -1985,24 +1976,28 @@ function setup_serial_port($sync = true)
 $console_type = 'al.Pc';
 $serial_type = 'al.' . $serialspeed;
 }
- foreach(explode("\n", file_get_contents("/etc/ttys.opnsense")) as $tty) {
- if (stristr($tty, "ttyv0")) {
- fwrite($fd, "ttyv0 \"/usr/libexec/getty {$console_type}\" cons25 on secure\n");
- } elseif (stristr($tty, "ttyu0")) {
- fwrite($fd, "ttyu0 \"/usr/libexec/getty {$serial_type}\" cons25 {$on_off} secure\n");
- } elseif (!empty($tty)) {
+ foreach ($etc_ttys_lines as $tty) {
+ if (strpos($tty, 'ttyv0') === 0) {
+ /* first virtual terminal */
+ fwrite($fd, "ttyv0\t\"/usr/libexec/getty {$console_type}\"\t\t{$terminal_type}\ton secure\n");
+ continue;
+ }
+ foreach (array('ttyu0', 'ttyu1', 'ttyu2', 'ttyu3') as $serialport) {
+ if (strpos($tty, $serialport) === 0) {
+ /* each serial terminal */
+ fwrite($fd, "{$serialport}\t\"/usr/libexec/getty {$serial_type}\"\t{$terminal_type}\t{$on_off_secure}\n");
+ /* skip to next line in outer loop */
+ continue 2;
+ }
+ }
+
+ if (!empty($tty)) {
+ /* all other lines stay the same */
 fwrite($fd, $tty . "\n");
 }
 }
 fclose($fd);
- if ($sync) {
- reload_ttys();
- }
-}
-
-function reload_ttys()
-{
 /* force init(8) to reload /etc/ttys */
 exec('/bin/kill -HUP 1');
 }
@@ -2015,7 +2010,6 @@ function reset_factory_defaults($sync = true)
 {
 mwexec('/bin/rm -r /conf/*');
 disable_security_checks();
- setup_serial_port(false);
 /* as we go through a special case directly reboot */
 $shutdown_cmd = '/sbin/shutdown -or now';
diff --git a/src/etc/rc.bootup b/src/etc/rc.bootup
index b767e2508..012ca5d4f 100755
--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -153,6 +153,9 @@ set_device_perms();
 unmute_kernel_msgs();
 echo "done.\n";
+/* configure console menu */
+system_console_configure();
+
 /* Display live system's early boot options */
 if (is_install_media()) {
 rescue_detect_keypress();
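Review bot: `$on_off_secure` (assigned in the previous hunk) and the `al.`/`std.` getty type are now written to four serial lines in the `@@ -1985,24 +1976,28 @@` hunk instead of one, and nothing in the code says what that grants: in ttys(5) `secure` permits root logins on the line, and `onifconsole` starts getty only on the line that is the active console. A comment at the assignment would record that, e.g. `/* 'secure' allows root login; 'onifconsole' limits getty to the serial port acting as console */`. Separately, `strpos($tty, $serialport) === 0` is a prefix test, so a line for a longer device name such as `ttyu10` (constructed example) would be rewritten as `ttyu1`; matching the name plus the following whitespace, `preg_match('/^' . $serialport . '\s/', $tty)`, avoids that. `$serialspeed` reaches the getty type from outside the hunk, so its validation cannot be checked here.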
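Review bot: The comment `/* configure console menu */` in rc.bootup's `@@ -153,6 +153,9 @@` hunk undersells a call that, per system.inc in this same patch, rewrites `/boot.config`, `/boot/loader.conf` and `/etc/ttys` and sends HUP to init. With the end-of-boot `reload_ttys()` removed in a later hunk, this early call appears to be the only point at which console lock-down is applied during boot, so a configuration change made later in rc.bootup would not be reflected until the function runs again. I would say so in the comment: `/* apply serial/console settings (boot.config, loader.conf, ttys) and HUP init; must run after config is loaded */`. Whether `$config` is already populated at this point is not visible in the hunk.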
@@ -275,9 +278,6 @@ echo "done.\n"; /* start load balancer daemon */ relayd_configure(); -/* configure console menu */ -system_console_configure(); - /* start DHCP service */ services_dhcpd_configure(); @@ -305,9 +305,6 @@ $ipsec_dynamic_hosts = ipsec_configure(); /* start SNMP service */ services_snmpd_configure(); -/* lock down console if necessary */ -reload_ttys(); - /* load graphing functions */ enable_rrd_graphing(); diff --git a/src/etc/rc.recover b/src/etc/rc.recover index f4fbd5710..519f74066 100755 --- a/src/etc/rc.recover +++ b/src/etc/rc.recover @@ -109,6 +109,59 @@ $etc_shells = << Restoring /etc/group\n"; file_put_contents('/etc/group', $etc_group); @@ -162,6 +215,9 @@ function recover_base($etc_group, $etc_master_passwd, $etc_shells) echo "===> Restoring /etc/shells\n"; file_put_contents('/etc/shells', $etc_shells); + echo "===> Restoring /etc/ttys\n"; + file_put_contents('/etc/ttys', $etc_ttys); + recover_rebuild(); } @@ -175,13 +231,13 @@ $stage = isset($argv[1]) ? $argv[1] : 'both'; switch ($stage) { case 'base': - recover_base($etc_group, $etc_master_passwd, $etc_shells); + recover_base($etc_group, $etc_master_passwd, $etc_shells, $etc_ttys); break; case 'pkg': recover_pkg(); break; default: - recover_base($etc_group, $etc_master_passwd, $etc_shells); + recover_base($etc_group, $etc_master_passwd, $etc_shells, $etc_ttys); recover_pkg(); break; } diff --git a/src/www/diag_backup.php b/src/www/diag_backup.php index f5d168703..63f3a9699 100644 --- a/src/www/diag_backup.php +++ b/src/www/diag_backup.php @@ -442,7 +442,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { convert_config(); $savemsg = gettext("The m0n0wall configuration has been restored and upgraded to OPNsense."); } - setup_serial_port(); } else { $input_errors[] = gettext("The configuration could not be restored."); } diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php index f83911f47..63fcfbb57 100644 --- a/src/www/system_advanced_admin.php 
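Review bot: In rc.recover's `@@ -162,6 +215,9 @@` hunk the result of `file_put_contents('/etc/ttys', $etc_ttys)` is ignored, so the script prints `===> Restoring /etc/ttys` and carries on even when nothing was written, and `system_console_configure()` later rewrites whatever is left in place. A check such as `if (file_put_contents('/etc/ttys', $etc_ttys) === false) { echo "===> Failed to restore /etc/ttys\n"; }` would surface that; the neighbouring group and shells writes follow the same unchecked pattern. The hunk header still shows `recover_base()` with three parameters while the call sites in the next hunk pass four, and the signature change itself is not visible on this page. The `$etc_ttys` template text is also missing from the page, so the `on`/`secure` defaults it restores could not be reviewed.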
+++ b/src/www/system_advanced_admin.php @@ -231,7 +231,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $savemsg .= sprintf("
" . gettext("One moment...redirecting to %s in 20 seconds."), $url); } - setup_serial_port(); + system_console_configure(); system_hosts_generate(); // Restart DNS in case dns rebinding toggled @@ -506,7 +506,7 @@ include("head.inc"); /> - +