==============tcp_wrapper================= # tcp_wrapper install: patch -Np1 -i ../tcp_wrappers-7.6-shared_lib_plus_plus-1.patch sed -i -e "s,^extern char \*malloc();,/* & */," scaffold.c make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux make install ##old school: the fix for dsys_errlist_defined in Makefile: # at 'linux', make it say: NETGROUP= TLI= EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER" all $make REAL_DAEMON_DIR=/usr/sbin linux $install --strip tcpd[etc] /usr/sbin/ $cp *.8 /usr/man/man8 [*.5 *.3] $cp -i *.h /usr/include/ $cp libwrap.a /usr/lib/ ==============================openssl=================================== # openssl: ./config --prefix=/usr --openssldir=/etc/ssl shared && make MANDIR=/usr/share/man make MANDIR=/usr/share/man install cp -r -v -i certs /etc/ssl # file: /etc/ssl/openssl.cnf ==============================openssh============================= privsep: # mkdir /var/empty # chown root:sys /var/empty # chmod 755 /var/empty # groupadd sshd # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd /var/empty should not contain any files. configure supports the following options to change the default privsep user and chroot directory: --with-privsep-path=xxx Path for privilege separation chroot --with-privsep-user=user Specify non-privileged user for privilege separation To link against the static library, execute the following command: sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-privsep-path=/etc/ssh/privsep --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --libexecdir=/usr/sbin make && make install To generate a host key, run "make host-key". 
Alternately you can do so manually using the following commands: ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" copy/save the key fingerprints: $> ssh-keygen -l >/etc/ssh/ssh_host_[rsa|dsa]_key =========================bind============================== must have a user named bin useradd -g named -c 'Named' -d /bind -s /bin/false named make: clean depend all install ---- named-named-bootconf-named-xfer-ndc install --strip to /bind/usr/sbin/ ----- chrooted: /bind/ ----mkdir dev etc lib sbin usr/sbin usr/local var/named var/run var/log var/lock ----Copy named.conf && localtime from /etc. ----add user & group named && chroot him in the passwd file- shell=/bin/false named:x:501:501::/bind/./:/bin/false useradd -m -g named -c 'Named' -s /bin/false named ----Create the /bind/etc/group file with named GID as the only entry && chmod 444 /bind/etc/group ----Copy all zone databases and files from /var/named/ to /bind/var/named/ ----cd /bind/dev && mknod ./null c 1 3 && chmod 666 null ----ldd /usr/sbin/named & ndc & named-xfer && copy named + libs to chrooted directory linux-gate.so.1 | //www.uwsg.iu.edu/hypermail/linux/kernel/0306.2/0674.html ?------------# cp -p /lib/libc*.so /bind/lib ?------------# cp -p /lib/ld*.so /bind/lib ----copy /usr/local/bind /bind/usr/local/ || mkdir /bind/usr/local/bind/ && copy src/{include,lib} there ----cp /etc/ld.so.conf to /bind/etc/ && add /usr/local/bind/lib to it ; cp /sbin/ldconfig to /bind/sbin && run:$ chroot /bind /sbin/ldconfig ---add -a /bind/dev/log to the syslog startup line in init.d : loadproc syslogd -m 10 -a /bind/dev/log ------ permissions:----chmod 1770 named/ && named/pz; ----chown root.named named/ && named/pz slave files owned by named.named, master files by root.root ----chmod 550 named/ && named/pz ----chmod 444 zonefiles ----chown root.named named/ && named/pz root name servers file(root.hints)must be 
world-readable or bind-8.3.1 goes into an endless(?) loop >$dig @a.root-servers.net. . ns > root.hints startup: ----/bind/usr/sbin/named -u named -g named -t /named/ # ndc -c /bind/var/run/ndc [options] [command] *or patch the source *or use S22Bind ---------upgrade-------- make: clean depend all install chattr -i /bin/* && so forth make install && cp ndc && named* to /bind/usr/sbin/ --copy /usr/local/bind /bind/usr/local/ --$dig @a.root-servers.net. . ns > root.hints S22bind start ------------------- TSIG ----------- $dnskeygen -H 128 -h -n kevinstsig. --/etc/named.conf: allow-transfer { 192.168.0.88 ; } ; key kevinstsig. { algorithm hmac-md5 ; secret "jhdfIuYFNFJKkhkkdsfUuM==" ; } ; server 192.168.0.88 { keys { "kevinstsig." ; } ; } ; ========= net-tools =================== patch -Np1 -i ../net-tools-1.60-gcc34-3.patch && patch -Np1 -i ../net-tools-1.60-kernel_headers-2.patch && patch -Np1 -i ../net-tools-1.60-mii_ioctl-1.patch && yes "" | make config && sed -i -e 's|HAVE_IP_TOOLS 0|HAVE_IP_TOOLS 1|g' \ -e 's|HAVE_MII 0|HAVE_MII 1|g' config.h && sed -i -e 's|# HAVE_IP_TOOLS=0|HAVE_IP_TOOLS=1|g' \ -e 's|# HAVE_MII=0|HAVE_MII=1|g' config.make && make && make update ifconfig eth0:1 216.146.10.14 netmask 255.255.254.0 route add -host 216.146.10.14 dev eth0:1 ============************* mail *************============== ------------Procmail-------------- groupadd mail useradd -g mail -c 'Mail' -d /var/spool/mail -s /bin/false mail touch /usr/sbin/sendmail make LOCKINGTEST=/tmp install make install-suid $> cp /oldroot/bin/mail /bin/mail $> chmod 755 /bin/mail $> chown root.mail /bin/mail ==================== berkeleyDB ==================== change to the build_unix directory: ../dist/configure --prefix=/usr --enable-compat185 --enable-cxx make LIBSO_LIBS="-lpthread" LIBXSO_LIBS="-lpthread" make docdir=/usr/share/doc/db-4.3.28 install chown -R root:root /usr/share/doc/db-4.3.27 find /usr/share/doc/db-4.3.28/ -type d -exec chmod 555 {} \; 
====================sendmail============================== 1. edit sendmail/srvrsmtp.c 2. cd sendmail/ -> sh Build 3. mkdir/var/spool/mqueue; mkdir /etc/mail; -> cd cf/cf -> sh Build sendmail.cf 4. cd ../../sendmail - > sh Build install-set-user-id 5. cd ../ -> {makemap vacation} && $sh Build install-strip {makemap vacation} 6. cd smrsh -> notes below -------------------- sendmail/srvrsmtp.c : MAXBADCOMMANDS 25 unknown commands MAXNOOPCOMMANDS 20 NOOP, VERB, ONEX, XUSR MAXHELOCOMMANDS 3 HELO, EHLO MAXVRFYCOMMANDS 6 VRFY, EXPN MAXETRNCOMMANDS 8 ETRN Setting a value to 0 disables the check. ------------------------ # sendmail.mc: FEATURE(access_db)dnl FEATURE(virtusertable)dnl FEATURE(genericstable)dnl FEATURE(always_add_domain)dnl FEATURE(blacklist_recipients)dnl FEATURE(smrsh)dnl FEATURE(`nouucp',`reject')dnl HACK(use_ip)dnl HACK(check_rcpt4)dnl MAILER(local)dnl MAILER(smtp)dnl -------------------------- touch: /etc/mail/local-host-names - add all of our domains touch: /etc/mail/ : relay-domains - access - virtusertable - genericstable - LocalIP mkdir /var/spool/mqueue/.hoststat ---------- SMRSH: $sh Build LDOPTS=-static install-strip $chmod 511 /usr/sbin/smrsh search for Mprog in sendmail.cf, make sure it says /usr/sbin/smrsh and not /bin/sh ----mkdir /usr/adm/sm.bin && ln -s /usr/bin/procmail && ln -s /usr/bin/vacation ------------ recompile any makemap files (makemap hash /etc/mail/access < /etc/mail/access) chmod 775 /var/spool/mail chmod 755 /var/spool/mqueue chmod 755 /var/spool/mqueue/.hoststat chown root.mail mail & mqueue cat >> /etc/mail/service.switch hosts: files dns aliases: files ---- $>/usr/sbin/sendmail -bd -q45m =========================qpop====================== default installs to /usr/local/sbin/popper .configure --prefix=/usr --disable-check-pw-max /* password expiration check */ --disable-old-spool-loc /* check for way old spools */ --enable-auth-file=/etc/mail/popallow --enable-log-login --enable-nonauth-file=/etc/mail/popdeny --enable-shy 
--enable-server-mode [ or -S in inetd.conf ] --enable-uw-kludge for UW imap --enable-specialauth /* for shadow passwords */ --without-pam --enable-auto-delete -- automatically and unconditionally deletes messages that have been downloaded using the RETR command (the normal command for accessing messages). #edit config.h after running./configure. #define POP_MAILDIR "/var/spool/mail" make make install edit /etc/inetd.conf -- /usr/sbin/popper popper -s add pop3 to /etc/services mkdir /var/spool/popauth touch /etc/mail/ -- popauthk pophash.tmp accesshash popdeny popallow ipchain hosts echo "local0.debug /var/log/pop" >> /etc/syslog.conf [inetd.conf] -F When updating the spool at the end of a session, this option instructs Qpopper to rename the temporary file to the spool instead of copying it. This reduces I/O at session end by a third, but is likely to break programs such as biff or the shell's mail check feature. It is safest to only enable this option when users do not have shell access to the mail server. -s = Enables statistics logging. -S = Enables server mode by default. -c = downcase user name -R = Disables the reverse lookups on client IP addresses. pop3 stream tcp nowait root /usr/local/sbin/popper qpopper -R -s -f /etc/qpopper.config ======================wu-ftpd=========================== patch -p0 -i ../connect-dos.patch && etc wu-ftpd won't work with newer Bison; install bison-1.35.tar.bz2 --- or --- edit src/ftpcmd.y and replace all instances of ={ with {, i.e. in vi: :%s/=.{/ {/gc /* the space there is a TAB on your keyboard, Skippy */ (http://lists.gnu.org/archive/html/help-bison/2004-04/msg00020.html) mkdir /etc/ftpd/ mv ftpstuff.tar.gz to /etc/ftpd/; fix perms and etc. 
./configure --with-etc-dir=/etc/ftpd --enable-numericuid --enable-pam --disable-anonymous make && make install chmod 555 /usr/sbin/{in.ftpd,ftpshut,ckconfig,ftprestart,privatepw} chmod 555 /usr/bin/{ftpwho,ftpcount} --------- add -a to wu-ftpd in inetd.conf and add to ftpaccess: guestgroup chrooteduser copy ftpd message files to /apache/htdocs/etc/ftpd/ && chmod 444 *.msg apache chrooted perms: chmod -R 111 etc/ && chmod 444 etc/*.msg == group passwd ld.so.cache [*.msg] chmod -R 111 bin/ == ls chmod -R 555 lib/ == ld-linux.so.2 libc.so.6 (ldd /bin/ls) * make sure all are chattr'ed senseless and marked noretrieve in ftpaccess * $cat >> /etc/shells /bin/bash /bin/ftponly EOF johnny:x:1065:1065::/apache/htdocs/phonybaloneyplasticbanana.com/./:/bin/ftponly ============================inetutils======================= ./configure --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc make $cp -i inetd /usr/sbin/ $chmod 555 /usr/sbin/inetd //www.linuxfromscratch.org/blfs/view/stable/basicnet/inetutils.html ============================apache======================= http://httpd.apache.org/docs/2.0/programs/configure.html 2.0:configure --prefix=/apache && make && make install *** ldd /apache/bin/httpd and make sure all libs are found *** edit include/httpd.h && DYNAMIC_MODULE_LIMIT 0 --enable-speling=shared --enable-rewrite=shared ------------ /* HARD_SERVER_LIMIT define in src/include/httpd.h. */ ./configure --enable-module=speling --enable-module=setenvif --disable-module=all conf: ServerSignature Whatever ServerTokens Prod == restrict info for HEAD requests chmod 511 /apache/bin/httpd --- AllowOverride None Order Deny,Allow Deny from all --- UserDir disabled root ---- Order allow,deny Deny from all Satisfy All --- http://httpd.apache.org/docs/2.0/misc/perf-tuning.html control the MaxClients setting so that your server does not spawn so many children it starts swapping. 
The procedure for doing this is simple: determine the size of your average Apache process, by looking at your process list via a tool such as top, and divide this into your total available memory, leaving some room for other processes. For highest performance, and no symlink protection, set FollowSymLinks everywhere, and never set SymLinksIfOwnerMatch ---- If you have no intention of using dynamically loaded modules (if you're tuning your server for every last ounce of performance) then you should add -DDYNAMIC_MODULE_LIMIT=0 when building your server. This will save RAM that's allocated only for supporting dynamically loaded modules. /*none=include/httpd.h && DYNAMIC_MODULE_LIMIT 0*/ --- simulate 10 users concurrently. Each simulated user makes 10 requests. % ./ab -n 10000 -c 1000 server.brent.com/index.html ------ UseCanonicalName DNS, which is intended for use with mass IP-based virtual hosting IndexOptions IgnoreClient == This option causes mod_autoindex to ignore all query variables from the client, including sort order ---------------------------------------------------- !
/apache/bin/httpd -l /* Statically compiled modules */ Compiled in modules: core.c mod_access.c mod_auth.c mod_include.c mod_log_config.c mod_env.c mod_setenvif.c prefork.c /* MPM default */ http_core.c mod_mime.c mod_status.c mod_autoindex.c mod_asis.c mod_cgi.c mod_negotiation.c mod_dir.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_so.c http://httpd.apache.org/docs-2.0/mod/ ---------------------------------------------------- # apache mod_ssl # in mod_ssl configure, since openssl is already installed, use --with-ssl with no path unzip mod_ssl*gz and apache*gz cd mod* && ./configure --with-apache=../apache* --with-ssl --prefix=/apache cd ../apache* && ./configure --enable-modules=ssl --prefix=/apache make && make certificate TYPE=test && make install $> /apache/bin/httpd -DSSL -------------- Try out Apache without SSL (only HTTP protocol possible) $ /path/to/apache/bin/apachectl start ALL $ netscape http:/// ALL $ /path/to/apache/bin/apachectl stop ALL Try out Apache with SSL (both HTTP and HTTPS protocol possible): $ /path/to/apache/bin/apachectl startssl ALL $ netscape http:// / ALL $ netscape https:// / ALL $ /path/to/apache/bin/apachectl stop ALL ====================== iptables======================== edit Makefile for everything make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install make install-devel $chown root.root /usr/src/iptables-1.3.1 $ cd /usr/src/iptables-1.3.1 $ cp include/iptables.h /usr/include $ cp include/iptables_common.h /usr/include $ mkdir /usr/include/libiptc $ cp include/libiptc/libiptc.h /usr/include/libiptc $ cp include/libiptc/ipt_kernel_headers.h /usr/include/libiptc $ cp iptables.o /usr/local/lib iptables.o is needed above to compile programs to get rule information from netfilter. 
--- # ipchains the docs say: You should be able to simply type "make all", then (as root) "make install"; this will put the ipchains binary in /sbin/ipchains -- #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but significant condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */ sysklogd.conf : loadproc klogd -c 4 ==========================kernel========================== /* default color: drivers/char/console.c , line 2427, def_color to the bold_white code */ 2.5.5 == drivers/char/vt.c -- line 2422 2.6.11.7 == drivers/char/vt.c -- line 2526 white on blue def_color = 0x17; ulcolor = 0x1f; halfcolor = 0x18; make mrproper make menuconfig /* Allocate 3rd-level pagetables = yes */ /* Enable seccomp to safely compute untrusted bytecode = no */ /* timer frequency = 100HZ */ /* deadline I/O is the only scheduler for you, Ace */ /* no legacy (BSD) PTY support */ /* CONFIG_AUDIT - not for LIDS */ /* http://kernel.xc.net/ */ make bzImage make modules make modules_install depmod -a /* When you rebuild your kernel, depmod can be critical, as well. Using the depmod -a command after the make modules_install task will create the above-mentioned information file. This is then available to the depmod -A command in /etc/rc.d/rc.sysinit. It's a good way to assure that everything necessary for your loadable modules is available. 
It's an equally good way to avoid module errors at boot.*/ /* kernel 2.6.8 will freeze if you [ $>grep -r sometext / ] unless you do "Backward-compatible /proc/pci" */ --------------- # patch order: lids - openwall /* the reject is openwall's "Restricted proc" option, not enabled by default */ /* no rejects using 2.4.21 */ bzcat ../patch-2.4.18-pre8-mjc.bz2 | patch -p1 -E --dry-run -------------------------------------lids--------------------------------------------- *read the docs before compiling a kernel* */ mismatched kernel? edit linux/include/linux/version.h */ $ lidsconf -P to set the password **** change something, sport? ************************************ # lidsconf -U to update the ACLs to correct the inode value # lidsconf -C will compile all the acls # lidsadm -S -- +RELOAD_CONF ************************************************************************** When a LIDS enabled kernel boots the system is in BOOT state. After the system has finished booting you need to switch the system to POSTBOOT state using 'lidsadm -I'. install a lidsboot.sh, or at minimum do: lidsconf -Z to clear the current rules you must reconfigurate lids.conf, lids.cap (with lidsconf) and lids.pw (with lidsconf -P) *before* you reboot the system! nail down the lid as the last thing before you get a prompt in /etc/init.d/syslog: loadproc /usr/sbin/klogd -c 4 (man 8 klogd) boot a lids kernel without lids being active: lilo: linux security=0 ---------------- #openwall cd /usr/src/linux patch -p1 < PATCH-FILE where PATCH-FILE is the full path and name of the linux-*-ow*.diff file. 
If desired, edit /etc/fstab to specify the group id for accessing /proc ( default gid is 0 0 Also, make sure you have no extra procfs mount commands in the startup scripts, as these might override your fstab settings ===============ext3=============== tune2fs -j /dev/ ====================logcheck================================ edit systems/linux/logcheck.sh & Makefile for paths 'make linux' ---- edit systems/linux/logcheck.sh files = /usr/local/etc/logcheck.* /usr/local/bin/logtail lids-secured rm 01 * * * * /bin/sh /usr/local/etc/logcheck.sh logcheck.hacking: attackalert Oversized cookies Null interrupt reset suspect short permitted invalid broadcast =====================portsentry=========================== edit portsentry_config.h - change log facility to LOG_LOCAL1 make linux make install syslog.conf: local1.* \t\t\t /var/log/portsentry && add LOCAL1.none cd /var/log && touch portsentry && lsattr +a portsentry conf files: /usr/local/psionic/portsentry start: /usr/local/psionic/portsentry/portsentry -atcp ============================quota========================= 3.07 don't compile,bubba 1. re-enable /etc/mtab = init.d/mountfs -n flags 2. edit warnquota.c for default email text $ ./configure --prefix=/usr --enable-rpc=no --enable-rpcsetquota=no $ make $ make install #in startup scripts after the fs's are mounted: echo "Checking quotas. This may take some time." /sbin/quotacheck -F vfsold -vna echo " Done." echo "Turning on quota." /sbin/quotaon -avm # add a quotaoff in...oh, lets say init.d/sendsignals #fstab: /dev/hda2 /usr ext2 defaults,usrquota 1 1 #LIDS just refuses to accept quotacheck trying to mount on /var, so... 
# in startup use /sbin/quotacheck -avM or -avm # -M -- force checking in read-write mode # -m -- don't try to remount filesystem read-only #add a twice-daily crontab check: 07 05,17 * * * /usr/sbin/warnquota -F vfsold $edquota -t -- grace period $repquota -a $setquota -F vfsold kevin 5 5 5 5 /var #5's = block-soft&hard && inode-soft&hard $warnquota -F vfsold /etc/quotatab for warnquota # colon ':' is used to specify the start of the substituted text # pipe '|' is used to specify a line break # For instance if you would like to have warnquota tell the user their # 'mailspool' is full instead of '/dev/hdb1' is full, use the following # example. # /dev/hdb1:mailspool ==========================tripwire============================== ln -s /usr/sbin/sendmail /usr/lib/sendmail ln -s /usr/bin/vi /bin/vi ./install-sh -- /etc/tripwire /var/lib/tripwire 'a clear-text version of the configuration file is in /etc/tripwire/twcfg.txt...burn before reading ============================gpm============================== ./configure --prefix=/usr --sysconfdir=/etc open special.c and change OPEN_MAX to FOPEN_MAX open Makefile and search for "SUBDIRS". Remove "doc" from the subdirs so this line looks like: SUBDIRS = contrib make make install install manpages manually # *or* copy /usr/sbin/gpm && /etc/sysconfig/mouse && mknod ===============================gnupg=============================== ./configure --prefix=/usr --sysconfdir=/etc --disable-nls make make install - The ~/.gnupg directory will be created if it does not exist. Your first action should be to create a key pair: "gpg --gen-key". To avoid swapping out of sensitive data, you can install "gpg" as suid root. If you don't do so, you may want to add the option "no-secmem-warning" to ~/.gnupg/options ================================man-info-pod================================ The Info system can sometimes get out of step with the Info manuals installed on the system. 
If the /usr/share/info/dir file ever needs to be recreated: cd /usr/share/info rm dir for f in * do install-info $f dir 2>/dev/null done $ for f in /usr/share/man/man1/*.1; do /usr/bin/man2html -r -p -M /www.fiveanddime.net/ $f > $f.html ; done -r = relative links -p set path separator to / from ?mark $ pod2html --htmlroot= --outfile= --recurse /usr/lib/perl5/5.8.6/pod/*.pod Note: To disable Select Graphic Rendition (SGR) escape sequences, edit the man.conf file and add the -c switch to the NROFF variable. ================================cron================================ minutes (0-59) hour (0-23) day of the month (1-31) month (1-12) day of the week (0-6), starting with 0 as Sunday ===========================boot floppy=========================== GRUB boot floppy [root@mydesk root]# mkfs -t ext2 -c /dev/fd0u1440 [root@mydesk root]# umount /dev/fd0 [root@mydesk root]# umount /dev/fd0u1440 [root@mydesk root]# mkdir /mnt/test [root@mydesk root]# mount /dev/fd0u1440 /mnt/test [root@mydesk root]# mkdir -p /mnt/test/boot/grub [root@mydesk root]# cp /boot/grub/stage1 /mnt/test/boot/grub [root@mydesk root]# cp /boot/grub/stage2 /mnt/test/boot/grub [root@mydesk root]# chmod a-w /mnt/test/boot/grub/stage2 [root@mydesk root]# umount /dev/fd0u1440 [root@mydesk root]# grub grub> root (fd0) grub> setup (fd0) grub> quit dd if=/boot/grub/stage1 of=/dev/fd0 bs=512 count=1 dd if=/boot/grub/stage2 of=/dev/fd0 bs=512 seek=1 menu.lst: root (hd0,0) kernel /lfs4 root=/dev/hda5 vga=5 GRUB boot floppy with the menu interface: $ mke2fs /dev/fd0 $ mount /mnt/floppy $ cp /boot/grub/stage1 stage2 menu.lst /mnt/floppy/boot/grub/ $ umount /mnt/floppy /usr/sbin/grub --batch --device-map=/dev/null < root (hd0,0) grub> kernel /lids1 grub> boot grub setup: grub> root (hd0,0) grub> setup (hd0) grub> quit If you want to view the menu without rebooting: grub --config-file \(hd0,0\)/boot/grub/menu.lst SATA: root (hd0,0) kernel /boot/lfs1b root=/dev/sda1 ===========================stripping================================
Before performing the stripping, take special care to ensure that none of the binaries that are about to be stripped are running. If unsure whether the user entered chroot with the command given in Section 6.3, "Entering the Chroot Environment," first exit from chroot: logout Then reenter it with: chroot $LFS /tools/bin/env -i \ HOME=/root TERM=$TERM PS1='\u:\w\$ ' \ PATH=/bin:/usr/bin:/sbin:/usr/sbin \ /tools/bin/bash --login Now the binaries and libraries can be safely stripped: /tools/bin/find /{,usr/}{bin,lib,sbin} -type f \ -exec /tools/bin/strip --strip-debug '{}' ';' ===========================squirrelmail= OUT OF DATE =============================== ------------------ imapd:----------------- edit src/osdep/unix/env_unix.c for LOG_LOCAL2 && edit /etc/syslog.conf make slx #linux with shadow passwords /* you can edit src/osdep/unix/Makefile for the ssldir, but it doesn't seem to help...nor does 'make sslnone slx'...this is for RC7 $install --strip imapd/imapd /usr/sbin/imapd imap stream tcp nowait root /usr/local/etc/imapd imapd imap 143/tcp #/etc/services lids: CAP_SETGID ------------------ php:----------------- default path: /usr/local/lib/php/ 1) ./configure --enable-track-vars --enable-force-cgi-redirect --with-gettext --with-config-file-path=/etc --with-layout=GNU --with-gnu-ld 2) make 3) make install-pear 4) cp php.ini-recommended to /etc/php.ini 5) copy php to /apache/cgi-bin/ 6) useradd phpu && chown /apache/cgi-bin/php 7) apache: AddType application/php4script .php Action application/php4script /cgi-bin/php DirectoryIndex index.php touch /apache/logs/php_log should not work in the DocumentRoot: php.ini changes: safe_mode = On open_basedir = /apache expose_php = Off error_log = /apache/logs/php_log /* && chown nobody.nobody */ register_globals = On %%%%doc_root = /apache %%%%safe_mode_exec_dir = /apache upload_tmp_dir = /apache/tmp %%%%untested!
allow_url_fopen = Off (default is On) session.save_path = /apache/tmp $>chattr +i /etc/php.ini ------------------squirrelmail:----------------- unpack in /apache/htdocs/mail mkdir && chown nobody.nobody && chmod 700 /apache/tmp mv sm's data/ to /apache/data $chown nobody.nobody /apache/data $chmod -R 730 /apache/data $ mkdir /apache/attachments $ chgrp -R nobody /apache/attachments $ chmod 730 /apache/attachments cd /apache/htdocs/mail/config && conf.pl --- when it's working: chmod -R 400 /apache/htdocs/mail chmod -R u+X /apache/htdocs/mail >$groupadd newaccount && useradd newaccount >$mkdir -p && chmod 700 /home/newaccount/webmail ============================syslog=============================== LOG_EMERG system is unusable LOG_ALERT action must be taken immediately LOG_CRIT critical conditions LOG_ERR error conditions LOG_WARNING warning conditions LOG_NOTICE normal, but significant, condition LOG_INFO informational message LOG_DEBUG debug-level message ============================mounts=============================== ** check noatime ** defaults: rw,suid,dev,exec,auto,nouser,async /boot defaults,nodev,noexec,nosuid,ro /lib defaults,nodev,nosuid,ro /usr defaults,ro,nodev /var defaults,nodev,nosuid,noexec /tmp defaults,nodev,nosuid,noexec /home defaults,nosuid,nodev,noexec /mnt/floppy defaults,users,nodev,nosuid,noexec /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec $ mount -o remount /boot ============================ntpdate=============================== ntpdate -s tick.greyware.com ntp5.tamu.edu --- $>date 072307142002 (month-day-hour-minute-year) $>hwclock --adjust $>hwclock --systohc == system time to cmos =============================user and group add============================== cd /etc && touch gshadow && chmod 600 gshadow 1. groupadd newname 2. useradd -m -g newname -c 'Name Here' -s /bin/false newname 3. passwd newname 4. /etc/mail/popallow::/etc/mail/virtuser&&genericstable::mailboxbackup 5. lidsconf -U 6. 
$setquota -F vfsold kevin 6000 12500 500 1100 /home && /var ===========================LIDS after a change================================ # lidsconf -U to update the ACLs to correct the inode value # lidsconf -C will compile all the acls # lidsadm -S -- +RELOAD_CONF ==========================file editing and system management in bash================================= chattr +i /bin /sbin /usr/bin /usr/sbin /etc dos2unix $cat dosfile|tr -d "\015" > unixfile find /usr/lib/whatever -type f -name '*.ext' -exec chmod 444 {} \; find /usr/include/{asm,linux} -type d -exec chmod 755 {} \; find /usr/include/{asm,linux} -type f -exec chmod 644 {} \; ln -sf System.map-lids1 System.map perl -p -i -e 's/text/replacementtext/g' file sed -i 's@"BINDIR"@/bin@g' gzexe.in sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure grep "R:PASS" check.log | wc -l bzip2 -1c < /dev/hde > tivo.img.bz2 bzip2 -dc < tivo.img.bz2 > /dev/hde cat file |grep -v remove this > file tar cjf /tmp/rfc.tar.bz2 /hdc7/htdocs/fad/pod/ cat access_log |awk '{print $1}' |sort |uniq -c |sort -rn > awked.txt [hits by domain] sed -i '/^TARGETS/s@arpd@@g' misc/Makefile sed -i 's@Sending processes@& started by init@g' src/init.c for i in man? man??; do \ install -d -m 755 /usr/share/man/"$i"; \ install -m 644 "$i"/* /usr/share/man/"$i"; \ done //www.linuxfromscratch.org/blfs/view/svn find directory/ -name "*.html" |wc -l ---------------------- host name changes: resolv bind {etc/named.conf, pz} hosts apache conf sysconfig/network-devices ifc.sh =========================================================== Thanks for registering brent kevin krkosska, your LFS ID is: 315 //www.linuxfromscratch.org/cgi-bin/lfscounter.cgi ===========================================================