Custom Search
|
|
Custom Search
|
==============tcp_wrapper=================
# tcp_wrapper install:
patch -Np1 -i ../tcp_wrappers-7.6-shared_lib_plus_plus-1.patch
sed -i -e "s,^extern char \*malloc();,/* & */," scaffold.c
make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux
make install
##old school:
the fix for dsys_errlist_defined in Makefile:
# at 'linux', make it say:
NETGROUP= TLI= EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER" all
$make REAL_DAEMON_DIR=/usr/sbin linux
$install --strip tcpd[etc] /usr/sbin/
$cp *.8 /usr/man/man8 [*.5 *.3]
$cp -i *.h /usr/include/
$cp libwrap.a /usr/lib/
==============================openssl===================================
# openssl:
./config --prefix=/usr --openssldir=/etc/ssl shared &&
make MANDIR=/usr/share/man
make MANDIR=/usr/share/man install
cp -r -v -i certs /etc/ssl
# file: /etc/ssl/openssl.cnf
==============================openssh=============================
privsep:
# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
configure supports the following options to change the default
privsep user and chroot directory:
--with-privsep-path=xxx Path for privilege separation chroot
--with-privsep-user=user Specify non-privileged user for privilege separation
To link against the static library, execute the following command:
sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-privsep-path=/etc/ssh/privsep
--with-tcp-wrappers --with-md5-passwords --with-ipv4-default --libexecdir=/usr/sbin
make &&
make install
To generate a host key, run "make host-key". Alternately you can do so
manually using the following commands:
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
copy/save the key fingerprints:
$> ssh-keygen -l
>/etc/ssh/ssh_host_[rsa|dsa]_key
=========================bind==============================
must have a user named bin
useradd -g named -c 'Named' -d /bind -s /bin/false named
make: clean depend all install
----
named-named-bootconf-named-xfer-ndc
install --strip to /bind/usr/sbin/
-----
chrooted: /bind/
----mkdir dev etc lib sbin usr/sbin usr/local var/named var/run var/log var/lock
----Copy named.conf && localtime from /etc.
----add user & group named && chroot him in the passwd file- shell=/bin/false
named:x:501:501::/bind/./:/bin/false
useradd -m -g named -c 'Named' -s /bin/false named
----Create the /bind/etc/group file with named GID as the only entry && chmod 444 /bind/etc/group
----Copy all zone databases and files from /var/named/ to /bind/var/named/
----cd /bind/dev && mknod ./null c 1 3 && chmod 666 null
----ldd /usr/sbin/named & ndc & named-xfer && copy named + libs to chrooted directory
linux-gate.so.1 | //www.uwsg.iu.edu/hypermail/linux/kernel/0306.2/0674.html
?------------# cp -p /lib/libc*.so /bind/lib
?------------# cp -p /lib/ld*.so /bind/lib
----copy /usr/local/bind /bind/usr/local/ || mkdir /bind/usr/local/bind/ && copy src/{include,lib} there
----cp /etc/ld.so.conf to /bind/etc/ && add /usr/local/bind/lib to it ;
cp /sbin/ldconfig to /bind/sbin && run:$ chroot /bind /sbin/ldconfig
---add -a /bind/dev/log to the syslog startup line in init.d : loadproc syslogd -m 10 -a /bind/dev/log
------
permissions:
----chmod 1770 named/ && named/pz;
----chown root.named named/ && named/pz
slave files owned by named.named, master files by root.root
----chmod 550 named/ && named/pz
----chmod 444 zonefiles
----chown root.named named/ && named/pz
root name servers file(root.hints)must be world-readable or bind-8.3.1 goes into an endless(?) loop
>$dig @a.root-servers.net. . ns > root.hints
startup:
----/bind/usr/sbin/named -u named -g named -t /named/
# ndc -c /bind/var/run/ndc [options] [command]
*or patch the source *or use S22Bind
---------upgrade--------
make: clean depend all install
chattr -i /bin/* && so forth
make install &&
cp ndc && named* to /bind/usr/sbin/
--copy /usr/local/bind /bind/usr/local/
--$dig @a.root-servers.net. . ns > root.hints
S22bind start
------------------- TSIG -----------
$dnskeygen -H 128 -h -n kevinstsig.
--/etc/named.conf:
allow-transfer { 192.168.0.88 ; } ;
key kevinstsig. {
algorithm hmac-md5 ;
secret "jhdfIuYFNFJKkhkkdsfUuM==" ;
} ;
server 192.168.0.88 {
keys { "kevinstsig." ;
} ;
} ;
========= net-tools ===================
patch -Np1 -i ../net-tools-1.60-gcc34-3.patch &&
patch -Np1 -i ../net-tools-1.60-kernel_headers-2.patch &&
patch -Np1 -i ../net-tools-1.60-mii_ioctl-1.patch &&
yes "" | make config &&
sed -i -e 's|HAVE_IP_TOOLS 0|HAVE_IP_TOOLS 1|g' \
-e 's|HAVE_MII 0|HAVE_MII 1|g' config.h &&
sed -i -e 's|# HAVE_IP_TOOLS=0|HAVE_IP_TOOLS=1|g' \
-e 's|# HAVE_MII=0|HAVE_MII=1|g' config.make &&
make &&
make update
ifconfig eth0:1 216.146.10.14 netmask 255.255.254.0
route add -host 216.146.10.14 dev eth0:1
============************* mail *************==============
------------Procmail--------------
groupadd mail
useradd -g mail -c 'Mail' -d /var/spool/mail -s /bin/false mail
touch /usr/sbin/sendmail
make LOCKINGTEST=/tmp install
make install-suid
$> cp /oldroot/bin/mail /bin/mail
$> chmod 755 /bin/mail
$> chown root.mail /bin/mail
==================== berkeleyDB ====================
change to the build_unix directory:
../dist/configure --prefix=/usr --enable-compat185 --enable-cxx
make LIBSO_LIBS="-lpthread" LIBXSO_LIBS="-lpthread"
make docdir=/usr/share/doc/db-4.3.28 install
chown -R root:root /usr/share/doc/db-4.3.27
find /usr/share/doc/db-4.3.28/ -type d -exec chmod 555 {} \;
====================sendmail==============================
1. edit sendmail/srvrsmtp.c
2. cd sendmail/ -> sh Build
3. mkdir/var/spool/mqueue; mkdir /etc/mail; -> cd cf/cf -> sh Build sendmail.cf
4. cd ../../sendmail - > sh Build install-set-user-id
5. cd ../ -> {makemap vacation} && $sh Build install-strip {makemap vacation}
6. cd smrsh -> notes below
--------------------
sendmail/srvrsmtp.c :
MAXBADCOMMANDS 25 unknown commands
MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR
MAXHELOCOMMANDS 3 HELO, EHLO
MAXVRFYCOMMANDS 6 VRFY, EXPN
MAXETRNCOMMANDS 8 ETRN
Setting a value to 0 disables the check.
------------------------
# sendmail.mc:
FEATURE(access_db)dnl
FEATURE(virtusertable)dnl
FEATURE(genericstable)dnl
FEATURE(always_add_domain)dnl
FEATURE(blacklist_recipients)dnl
FEATURE(smrsh)dnl
FEATURE(`nouucp',`reject')dnl
HACK(use_ip)dnl
HACK(check_rcpt4)dnl
MAILER(local)dnl
MAILER(smtp)dnl
--------------------------
touch: /etc/mail/local-host-names - add all of our domains
touch: /etc/mail/ : relay-domains - access - virtusertable - genericstable - LocalIP
mkdir /var/spool/mqueue/.hoststat
----------
SMRSH:
$sh Build LDOPTS=-static install-strip
$chmod 511 /usr/sbin/smrsh
search for Mprog in sendmail.cf, make sure it says /usr/sbin/smrsh and not /bin/sh
----mkdir /usr/adm/sm.bin && ln -s /usr/bin/procmail && ln -s /usr/bin/vacation
------------
recompile any makemap files (makemap hash /etc/mail/access < /etc/mail/access)
chmod 775 /var/spool/mail
chmod 755 /var/spool/mqueue
chmod 755 /var/spool/mqueue/.hoststat
chown root.mail mail & mqueue
cat >> /etc/mail/service.switch
hosts: files dns
aliases: files
----
$>/usr/sbin/sendmail -bd -q45m
=========================qpop======================
default installs to /usr/local/sbin/popper
.configure --prefix=/usr
--disable-check-pw-max /* password expiration check */
--disable-old-spool-loc /* check for way old spools */
--enable-auth-file=/etc/mail/popallow
--enable-log-login
--enable-nonauth-file=/etc/mail/popdeny
--enable-shy
--enable-server-mode [ or -S in inetd.conf ]
--enable-uw-kludge for UW imap
--enable-specialauth /* for shadow passwords */
--without-pam
--enable-auto-delete -- automatically and unconditionally deletes messages that
have been downloaded using the RETR command (the normal command for accessing messages).
#edit config.h after running./configure.
#define POP_MAILDIR "/var/spool/mail"
make
make install
edit /etc/inetd.conf -- /usr/sbin/popper popper -s
add pop3 to /etc/services
mkdir /var/spool/popauth
touch /etc/mail/ -- popauthk pophash.tmp accesshash popdeny popallow ipchain hosts
echo "local0.debug /var/log/pop" >> /etc/syslog.conf
[inetd.conf]
-F When updating the spool at the end of a session, this option instructs
Qpopper to rename the temporary file to the spool instead of copying it. This reduces I/O
at session end by a third, but is likely to break programs such as biff or the shell's mail
check feature. It is safest to only enable this option when users do not have shell access to the mail server.
-s = Enables statistics logging.
-S = Enables server mode by default.
-c = downcase user name
-R = Disables the reverse lookups on client IP addresses.
pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -R -s -f /etc/qpopper.config
======================wu-ftpd===========================
patch -p0 -i ../connect-dos.patch && etc
wu-ftpd won't work with newer Bison; install bison-1.35.tar.bz2 --- or ---
edit src/ftpcmd.y and replace all instances of ={ with {, i.e. in vi:
:%s/=.{/ {/gc /* the space there is a TAB on your keyboard, Skippy */
(http://lists.gnu.org/archive/html/help-bison/2004-04/msg00020.html)
mkdir /etc/ftpd/
mv ftpstuff.tar.gz to /etc/ftpd/; fix perms and etc.
./configure --with-etc-dir=/etc/ftpd --enable-numericuid --enable-pam --disable-anonymous
make && make install
chmod 555 /usr/sbin/{in.ftpd,ftpshut,ckconfig,ftprestart,privatepw}
chmod 555 /usr/bin/{ftpwho,ftpcount}
---------
add -a to wu-ftpd in inetd.conf and add to ftpaccess: guestgroup chrooteduser
copy ftpd message files to /apache/htdocs/etc/ftpd/ && chmod 444 *.msg
apache chrooted perms:
chmod -R 111 etc/ && chmod 444 etc/*.msg == group passwd ld.so.cache [*.msg]
chmod -R 111 bin/ == ls
chmod -R 555 lib/ == ld-linux.so.2 libc.so.6 (ldd /bin/ls)
* make sure all are chattr'ed senseless and marked noretrieve in ftpaccess *
$cat >> /etc/shells
/bin/bash
/bin/ftponly
EOF
johnny:x:1065:1065::/apache/htdocs/phonybaloneyplasticbanana.com/./:/bin/ftponly
============================inetutils=======================
./configure --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc
make
$cp -i inetd /usr/sbin/
$chmod 555 /usr/sbin/inetd
//www.linuxfromscratch.org/blfs/view/stable/basicnet/inetutils.html
============================apache=======================
http://httpd.apache.org/docs/2.0/programs/configure.html
2.0:configure --prefix=/apache && make && make install
*** ldd /apache/bin/httpd and make sure all libs are found ***
edit include/httpd.h && DYNAMIC_MODULE_LIMIT 0
--enable-speling=shared --enable-rewrite=shared
------------
/* HARD_SERVER_LIMIT define in src/include/httpd.h. */
./configure --enable-module=speling --enable-module=setenvif --disable-module=all
conf:
ServerSignature Whatever
ServerTokens Prod == restrict info for HEAD requests
chmod 511 /apache/bin/httpd
---
Order allow,deny
Deny from all
Satisfy All
---
http://httpd.apache.org/docs/2.0/misc/perf-tuning.html
control the MaxClients setting so that your server does not spawn so many children it starts
swapping. This procedure for doing this is simple: determine the size of your average Apache
process, by looking at your process list via a tool such as top, and divide this into your total
available memory, leaving some room for other processes
For highest performance, and no symlink protection, set FollowSymLinks everywhere, and
never set SymLinksIfOwnerMatch
----
If you have no intention of using dynamically loaded modules (if you're tuning your server for
every last ounce of performance) then you should add -DDYNAMIC_MODULE_LIMIT=0 when
building your server. This will save RAM that's allocated only for supporting dynamically loaded modules.
/*none=include/httpd.h && DYNAMIC_MODULE_LIMIT 0*/
---
simulate 10 users concurrently. Each simulated user makes 10 requests.
% ./ab -n 10000 -c 1000 server.brent.com/index.html
------
UseCanonicalName DNS, which is intended for use with mass IP-based virtual hosting
IndexOptions IgnoreClient == This option causes mod_autoindex to ignore all query variables
from the client, including sort order
----------------------------------------------------
! /apache/bin/httpd -l /* Statically compiled modules */
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c /* MPM default */
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
http://httpd.apache.org/docs-2.0/mod/
----------------------------------------------------
# apache mod_ssl
# in mod_ssl configure, since openssl is already installed, use --with-ssl with no path
unzip mod_ssl*gz and apache*gz
cd mod* && ./configure --with-apache=../apache* --with-ssl --prefix=/apache
cd ../apache* && ./configure --enable-modules=ssl --prefix=/apache
make && make certificate TYPE=test && make install
$> /apache/bin/httpd -DSSL
--------------
Try out Apache without SSL (only HTTP protocol possible)
$ /path/to/apache/bin/apachectl start ALL
$ netscape http:/// ALL
$ /path/to/apache/bin/apachectl stop ALL
Try out Apache with SSL (both HTTP and HTTPS protocol possible):
$ /path/to/apache/bin/apachectl startssl ALL
$ netscape http:/// ALL
$ netscape https:/// ALL
$ /path/to/apache/bin/apachectl stop ALL
====================== iptables========================
edit Makefile for everything
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install
make install-devel
$chown root.root /usr/src/iptables-1.3.1
$ cd /usr/src/iptables-1.3.1
$ cp include/iptables.h /usr/include
$ cp include/iptables_common.h /usr/include
$ mkdir /usr/include/libiptc
$ cp include/libiptc/libiptc.h /usr/include/libiptc
$ cp include/libiptc/ipt_kernel_headers.h /usr/include/libiptc
$ cp iptables.o /usr/local/lib
iptables.o is needed above to compile programs to get rule information from netfilter.
---
# ipchains
the docs say:
You should be able to simply type "make all", then (as root) "make
install"; this will put the ipchains binary in /sbin/ipchains
--
#define LOG_EMERG 0 /* system is unusable */
#define LOG_ALERT 1 /* action must be taken immediately */
#define LOG_CRIT 2 /* critical conditions */
#define LOG_ERR 3 /* error conditions */
#define LOG_WARNING 4 /* warning conditions */
#define LOG_NOTICE 5 /* normal but significant condition */
#define LOG_INFO 6 /* informational */
#define LOG_DEBUG 7 /* debug-level messages */
sysklogd.conf : loadproc klogd -c 4
==========================kernel==========================
/* default color: drivers/char/console.c , line 2427, def_color to the bold_white code */
2.5.5 == drivers/char/vt.c -- line 2422
2.6.11.7 == drivers/char/vt.c -- line 2526
white on blue
def_color = 0x17;
ulcolor = 0x1f;
halfcolor = 0x18;
make mrproper
make menuconfig
/* Allocate 3rd-level pagetables = yes */
/* Enable seccomp to safely compute untrusted bytecode = no */
/* timer frequency = 100HZ */
/* deadline I/O is the only scheduler for you, Ace */
/* no legacy (BSD) PTY support */
/* CONFIG_AUDIT - not for LIDS */
/* http://kernel.xc.net/ */
make bzImage
make modules
make modules_install
depmod -a
/* When you rebuild your kernel, depmod can be critical, as well. Using the depmod -a command
after the make modules_install task will create the above-mentioned information file. This is then
available to the depmod -A command in /etc/rc.d/rc.sysinit. It's a good way to assure that
everything necessary for your loadable modules is available. It's an equally good way to avoid
module errors at boot.*/
/* kernel 2.6.8 will freeze if you [ $>grep -r sometext / ] unless you do "Backward-compatible /proc/pci" */
---------------
# patch order: lids - openwall
/* the reject is openwall's "Restricted proc" option, not enabled by default */
/* no rejects using 2.4.21 */
bzcat ../patch-2.4.18-pre8-mjc.bz2 | patch -p1 -E --dry-run
-------------------------------------lids---------------------------------------------
*read the docs before compiling a kernel*
*/ mismatched kernel? edit linux/include/linux/version.h */
$ lidsconf -P to set the password
**** change something, sport? ************************************
# lidsconf -U to update the ACLs to correct the inode value
# lidsconf -C will compile all the acls
# lidsadm -S -- +RELOAD_CONF
**************************************************************************
When a LIDS enabled kernel boots the system is in BOOT state. After the system has finished
booting you need to switch the system to POSTBOOT state using 'lidsadm -I'.
install a lidsboot.sh, or at minimum do: lidsconf -Z to clear the current rules
you must reconfigurate lids.conf, lids.cap (with lidsconf)
and lids.pw (with lidsconf -P) *before* you reboot the system!
nail down the lid as the last thing before you get a prompt
in /etc/init.d/syslog: loadproc /usr/sbin/klogd -c 4 (man 8 klogd)
boot a lids kernel without lids being active: lilo: linux security=0
----------------
#openwall
cd /usr/src/linux
patch -p1 < PATCH-FILE
where PATCH-FILE is the full path and name of the linux-*-ow*.diff file.
If desired, edit /etc/fstab to specify the group id for accessing /proc ( default gid is 0 0
Also, make sure you have no extra procfs mount commands in the startup
scripts, as these might override your fstab settings
===============ext3===============
tune2fs -j /dev/
====================logcheck================================
edit systems/linux/logcheck.sh & Makefile for paths
'make linux'
----
edit systems/linux/logcheck.sh
files = /usr/local/etc/logcheck.* /usr/local/bin/logtail lids-secured rm
01 * * * * /bin/sh /usr/local/etc/logcheck.sh
logcheck.hacking:
attackalert
Oversized
cookies
Null
interrupt
reset
suspect
short
permitted
invalid
broadcast
=====================portsentry===========================
edit portsentry_config.h - change log facility to LOG_LOCAL1
make linux
make install
syslog.conf: local1.* \t\t\t /var/log/portsentry && add LOCAL1.none
cd /var/log && touch portsentry && lsattr +a portsentry
conf files: /usr/local/psionic/portsentry
start: /usr/local/psionic/portsentry/portsentry -atcp
============================quota=========================
3.07 don't compile,bubba
1. re-enable /etc/mtab = init.d/mountfs -n flags
2. edit warnquota.c for default email text
$ ./configure --prefix=/usr --enable-rpc=no --enable-rpcsetquota=no
$ make
$ make install
#in startup scripts after the fs's are mounted:
echo "Checking quotas. This may take some time."
/sbin/quotacheck -F vfsold -vna
echo " Done."
echo "Turning on quota."
/sbin/quotaon -avm
# add a quotaoff in...oh, lets say init.d/sendsignals
#fstab:
/dev/hda2 /usr ext2 defaults,usrquota 1 1
#LIDS just refuses to accept quotacheck trying to mount on /var, so...
# in startup use /sbin/quotacheck -avM or -avm
# -M -- force checking in read-write mode
# -m -- don't try to remount filesystem read-only
#add a twice-daily crontab check:
07 05,17 * * * /usr/sbin/warnquota -F vfsold
$edquota -t -- grace period
$repquota -a
$setquota -F vfsold kevin 5 5 5 5 /var
#5's = block-soft&hard && inode-soft&hard
$warnquota -F vfsold
/etc/quotatab for warnquota
# colon ':' is used to specify the start of the substituted text
# pipe '|' is used to specify a line break
# For instance if you would like to have warnquota tell the user their
# 'mailspool' is full instead of '/dev/hdb1' is full, use the following
# example.
# /dev/hdb1:mailspool
==========================tripwire==============================
ln -s /usr/sbin/sendmail /usr/lib/sendmail
ln -s /usr/bin/vi /bin/vi
./install-sh
--
/etc/tripwire
/var/lib/tripwire
'a clear-text version of the configuration file is
in /etc/tripwire/twcfg.txt...burn before reading
============================gpm==============================
./configure --prefix=/usr --sysconfdir=/etc
open special.c and change OPEN_MAX to FOPEN_MAX
open Makefile and search for "SUBDIRS". Remove "doc" from the subdirs so this line looks like:
SUBDIRS = contrib
make
make install
install manpages manually
# *or*
copy /usr/sbin/gpm && /etc/sysconfig/mouse && mknod
===============================gnupg===============================
./configure --prefix=/usr --sysconfdir=/etc --disable-nls
make
make install
-
The ~/.gnupg directory will be created if it does not exist. Your first
action should be to create a key pair: "gpg --gen-key".
To avoid swapping out of sensitive data, you can install "gpg" as
suid root. If you don't do so, you may want to add the option
"no-secmem-warning" to ~/.gnupg/options
================================man-info-pod================================
The Info system can sometimes get out of step with the Info manuals installed on the
system. If the /usr/share/info/dir file ever needs to be recreated:
cd /usr/share/info
rm dir
for f in *
do install-info $f dir 2>/dev/null
done
$ for f in /usr/share/man/man1/*.1; do /usr/bin/man2html -r -p -M /www.fiveanddime.net/ $f > $f.html ; done
-r = relative links
-p set path separator to / from ?mark
$ pod2html --htmlroot= --recurse
/usr/lib/perl5/5.8.6/pod/*.pod
Note
To disable Select Graphic Rendition (SGR) escape sequences, edit the man.conf file and
add the -c switch to the NROFF variable.
================================cron================================
minutes (0-59)
hour (0-23)
day of the month (1-31)
month (1-12)
day of the week (0-6), starting with 0 as Sunday
===========================boot floppy===========================
GRUB boot floppy
[root@mydesk root]# mkfs -t ext2 -c /dev/fd0u1440
[root@mydesk root]# umount /dev/fd0
[root@mydesk root]# umount /dev/fd0u1440
[root@mydesk root]# mkdir /mnt/test
[root@mydesk root]# mount /dev/fd0u1440 /mnt/test
[root@mydesk root]# mkdir -p /mnt/test/boot/grub
[root@mydesk root]# cp /boot/grub/stage1 /mnt/test/boot/grub
[root@mydesk root]# cp /boot/grub/stage2 /mnt/test/boot/grub
[root@mydesk root]# chmod a-w /mnt/test/boot/grub/stage2umount /dev/fd0u1440
[root@mydesk root]# grub
grub> root (fd0)
grub> setup (fd0)
grub> quit
dd if=/boot/grub/stage1 of=/dev/fd0 bs=512 count=1
dd if=/boot/grub/stage2 of=/dev/fd0 bs=512 seek=1
menu.1st:
root (hd0,0) kernel /lfs4 root=/dev/hda5 vga=5
GRUB boot floppy with the menu interface:
$ mke2fs /dev/fd0
$ mount /mnt/floppy
$ cp /boot/grub/stage1 stage2 menu.1st /mnt/floppy/boot/grub/
$ umount /mnt/floppy
/usr/sbin/grub --batch --device-map=/dev/null < root (hd0,0)
grub> kernel /lids1
grub> boot
grub setup:
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
If you want to view the menu without rebooting:
grub --config-file \(hd0,0\)/boot/grub/menu.lst
SATA:
root (hd0,0)
kernel /boot/lfs1b root=/dev/sda1
===========================stripping================================
Before performing the stripping, take special care to ensure that none of the binaries that
are about to be stripped are running. If unsure whether the user entered chroot with the
command given in Section 6.3, "Entering the Chroot Environment," first exit from chroot:
logout Then reenter it with:
chroot $LFS /tools/bin/env -i \
HOME=/root TERM=$TERM PS1='\u:\w\$ ' \
PATH=/bin:/usr/bin:/sbin:/usr/sbin \
/tools/bin/bash --login Now the binaries and libraries can be safely stripped:
/tools/bin/find /{,usr/}{bin,lib,sbin} -type f \
-exec /tools/bin/strip --strip-debug '{}' ';'
===========================squirrelmail= OUT OF DATE ===============================
------------------ imapd:-----------------
edit src/osdep/unix/env_unix.c for LOG_LOCAL2 && edit /etc/syslog.conf
make slx #linux mit shadowpw's
/* you can edit src/osdep/unix/Makefile for the ssldir, but it doesn't seem to help...nor does 'make sslnone slx'...this is for RC7
$install --strip imapd/imapd /usr/sbin/imapd
imap stream tcp nowait root /usr/local/etc/imapd imapd
imap 143/tcp #/etc/services
lids: CAP_SETGID
------------------ php:-----------------
default path: /usr/local/lib/php/
1) ./configure --enable-track-vars --enable-force-cgi-redirect --with-gettext --with-config-file-path=/etc --with-layout=GNU --with-gnu-ld
2) make
3) make install-pear
4) cp php.ini-recommended to /etc/php.ini
5) copy php to /apache/cgi-bin/
6) useradd phpu && chown /apache/cgi-bin/php
7) apache:
AddType application/php4script .php
Action application/php4script /cgi-bin/php
DirectoryIndex index.php
touch /apache/logs/php_log
should not work in the DocumentRoot:
php.ini changes:
safe_mode = On
open_basedir = /apache
expose_php = Off
error_log = /apache/logs/php_log /* && chown nobody.nobody */
register_globals = On
%%%%doc_root = /apache
%%%%safe_mode_exec_dir = /apache
upload_tmp_dir = /apache/tmp
%%%%untested! allow_url_fopen = Off (default is On)
session.save_path = /apache/tmp
$>chattr +i /etc/php.ini
------------------squirrelmail:-----------------
unpack in /apache/htdocs/mail
mkdir && chown nobody.nobody && chmod 700 /apache/tmp
mv sm's data/ to /apache/data
$chown nobody.nobody /apache/data
$chmod -R 730 /apache/data
$ mkdir /apache/attachments
$ chgrp -R nobody /apache/attachments
$ chmod 730 /apache/attachments
cd /apache/htdocs/mail/config && conf.pl
---
when it's working:
chmod -R 400 /apache/htdocs/mail
chmod -R u+X /apache/htdocs/mail
>$groupadd newaccount && useradd newaccount
>$mkdir -p && chmod 700 /home/newaccount/webmail
============================syslog===============================
LOG_EMERG
system is unusable
LOG_ALERT
action must be taken immediately
LOG_CRIT
critical conditions
LOG_ERR
error conditions
LOG_WARNING
warning conditions
LOG_NOTICE
normal, but significant, condition
LOG_INFO
informational message
LOG_DEBUG
debug-level message
============================mounts===============================
** check noatime **
defaults: rw,suid,dev,exec,auto,nouser,async
/boot defaults,nodev,noexec,nosuid,ro
/lib defaults,nodev,nosuid,ro
/usr defaults,ro,nodev
/var defaults,nodev,nosuid,noexec
/tmp defaults,nodev,nosuid,noexec
/home defaults,nosuid,nodev,noexec
/mnt/floppy defaults,users,nodev,nosuid,noexec
/mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec
$ mount -o remount /boot
============================ntpdate===============================
ntpdate -s tick.greyware.com ntp5.tamu.edu
---
$>date 072307142002 (month-day-hour-minute-year)
$>hwclock --adjust
$>hwclock --systohc == system time to cmos
=============================user and group add==============================
cd /etc && touch gshadow && chmod 600 gshadow
1. groupadd newname
2. useradd -m -g newname -c 'Name Here' -s /bin/false newname
3. passwd newname
4. /etc/mail/popallow::/etc/mail/virtuser&&genericstable::mailboxbackup
5. lidsconf -U
6. $setquota -F vfsold kevin 6000 12500 500 1100 /home && /var
===========================LIDS after a change================================
# lidsconf -U to update the ACLs to correct the inode value
# lidsconf -C will compile all the acls
# lidsadm -S -- +RELOAD_CONF
==========================file editing and system management in bash=================================
chattr +i /bin /sbin /usr/bin /usr/sbin /etc
dos2unix $cat dosfile|tr -d "\015" > unixfile
find /usr/lib/whatever -type f -name '*.ext' -exec chmod 444 {} \;
find /usr/include/{asm,linux} -type d -exec chmod 755 {} \;
find /usr/include/{asm,linux} -type f -exec chmod 644 {} \;
ln -sf System.map-lids1 System.map
perl -p -i -e 's/text/replacementtext/g' file
sed -i 's@"BINDIR"@/bin@g' gzexe.in
sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure
grep "R:PASS" check.log | wc -l
bzip2 -1c < /dev/hde > tivo.img.bz2
bzip2 -dc < tivo.img.bz2 > /dev/hde
cat file |grep -v remove this > file
tar cjf /tmp/rfc.tar.bz2 /hdc7/htdocs/fad/pod/
cat access_log |awk '{print $1}' |sort |uniq -c |sort -rn > awked.txt [hits by domain]
sed -i '/^TARGETS/s@arpd@@g' misc/Makefile
sed -i 's@Sending processes@& started by init@g' src/init.c
for i in man? man??; do \
install -d -m 755 /usr/share/man/"$i"; \
install -m 644 "$i"/* /usr/share/man/"$i"; \
done
//www.linuxfromscratch.org/blfs/view/svn
find directory/ -name "*.html" |wc -l
----------------------
host name changes:
resolv
bind {etc/named.conf, pz}
hosts
apache conf
sysconfig/network-devices
ifc.sh
===========================================================
Thanks for registering brent kevin krkosska, your LFS ID is: 315
//www.linuxfromscratch.org/cgi-bin/lfscounter.cgi
===========================================================
|
Custom Search
|