anti
f2b3393669
Replaces LICENSE (GPLv3 -> AGPLv3) and prepends `SPDX-License-Identifier: AGPL-3.0-or-later` to every source file across decnet/, decnet_web/, tests/, scripts/, and tools/. Rationale: closes the GPLv3 ASP loophole so any party operating a modified DECNET as a network service must offer their modified source. Personal copyright (Samuel Paschuan) + inbound=outbound contributions make a future unilateral relicense infeasible. - LICENSE: full AGPL-3.0 text (gnu.org/licenses/agpl-3.0.txt) - COPYRIGHT: project copyright notice - tools/add_spdx_headers.py: idempotent header injector (shebang- and PEP 263-aware) Touches 1565 source files (.py, .ts, .tsx, .js, .jsx, .css, .sh). No behavior change; comments only.
69 lines
2.3 KiB
Bash
69 lines
2.3 KiB
Bash
#!/bin/bash
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
set -e
|
|
|
|
# Configure root password (default: admin)
|
|
ROOT_PASSWORD="${TELNET_ROOT_PASSWORD:-admin}"
|
|
echo "root:${ROOT_PASSWORD}" | chpasswd
|
|
|
|
# Non-root user — gives the decoy a realistic "telnet user@host"
|
|
# surface so enumeration scripts that only try common usernames find
|
|
# a plausible second account, AND so post-login `su -` privesc flows
|
|
# through the existing PAM auth-helper. Login shell is the sessrec
|
|
# wrapper so the user's pty session is recorded in the same shape
|
|
# as root's. TELNET_USER blank disables the second account; the
|
|
# compose fragment defaults TELNET_USER to "ubuntu" so this branch
|
|
# is the live path on fresh deploys.
|
|
TELNET_USER="${TELNET_USER:-}"
|
|
TELNET_USER_PASSWORD="${TELNET_USER_PASSWORD:-admin}"
|
|
if [ -n "${TELNET_USER}" ] && [ "${TELNET_USER}" != "root" ]; then
|
|
if ! id -u "${TELNET_USER}" >/dev/null 2>&1; then
|
|
useradd -m -s /usr/libexec/login-session "${TELNET_USER}"
|
|
fi
|
|
echo "${TELNET_USER}:${TELNET_USER_PASSWORD}" | chpasswd
|
|
fi
|
|
|
|
# Optional: override hostname inside container
|
|
if [ -n "$TELNET_HOSTNAME" ]; then
|
|
echo "$TELNET_HOSTNAME" > /etc/hostname
|
|
hostname "$TELNET_HOSTNAME"
|
|
fi
|
|
|
|
# Fake bash history so the box looks used
|
|
if [ ! -f /root/.bash_history ]; then
|
|
cat > /root/.bash_history <<'HIST'
|
|
apt update && apt upgrade -y
|
|
systemctl status mysql
|
|
tail -f /var/log/syslog
|
|
df -h
|
|
ps aux
|
|
cd /root/scripts
|
|
bash backup.sh
|
|
crontab -e
|
|
ls /root/backups
|
|
cat /root/.env
|
|
HIST
|
|
fi
|
|
|
|
# sessrec needs the transcripts dir on the quarantine mount + a service
|
|
# discriminant file (busybox /bin/login strips env, so we can't rely on
|
|
# SESSREC_SERVICE env var here like the SSH template does).
|
|
mkdir -p /var/lib/systemd/coredump/transcripts
|
|
chmod 750 /var/lib/systemd/coredump/transcripts
|
|
echo "telnet" > /etc/sessrec.service
|
|
|
|
# Logging pipeline: named pipe → rsyslogd (RFC 5424) → stdout.
|
|
# Cloak the pipe path and the relay `cat` so `ps aux` / `ls /run` don't
|
|
# betray the honeypot — see ssh/entrypoint.sh for the same pattern.
|
|
mkdir -p /run/systemd/journal
|
|
rm -f /run/systemd/journal/syslog-relay
|
|
mkfifo /run/systemd/journal/syslog-relay
|
|
|
|
bash -c 'exec -a "systemd-journal-fwd" cat /run/systemd/journal/syslog-relay' &
|
|
|
|
# Start rsyslog
|
|
rsyslogd
|
|
|
|
# busybox telnetd: foreground mode, real /bin/login for PAM auth logging
|
|
exec busybox telnetd -F -l /bin/login -p 23
|