


Notes for installation of server software
For use on a Linux From Scratch (//www.linuxfromscratch.org/) 6.x PC





==============tcp_wrapper=================
# tcp_wrapper install:
patch -Np1 -i ../tcp_wrappers-7.6-shared_lib_plus_plus-1.patch
sed -i -e "s,^extern char \*malloc();,/* & */," scaffold.c 
make REAL_DAEMON_DIR=/usr/sbin STYLE=-DPROCESS_OPTIONS linux
make install

##old school:
the fix for dsys_errlist_defined in Makefile:
# at 'linux', make it say:
NETGROUP= TLI= EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DBROKEN_SO_LINGER" all
$make REAL_DAEMON_DIR=/usr/sbin linux
$install --strip tcpd[etc] /usr/sbin/
$cp *.8 /usr/man/man8 [*.5 *.3]
$cp -i *.h /usr/include/
$cp libwrap.a /usr/lib/




==============================openssl===================================
# openssl:
  ./config --prefix=/usr --openssldir=/etc/ssl shared &&
make MANDIR=/usr/share/man
make MANDIR=/usr/share/man install

cp -r -v -i certs /etc/ssl
 # file: /etc/ssl/openssl.cnf 





==============================openssh=============================
privsep:
	# mkdir /var/empty
	# chown root:sys /var/empty
	# chmod 755 /var/empty
	# groupadd sshd
	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
/var/empty should not contain any files.
configure supports the following options to change the default
privsep user and chroot directory:
  --with-privsep-path=xxx Path for privilege separation chroot
  --with-privsep-user=user Specify non-privileged user for privilege separation

To link against the static library, execute the following command: 
sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-privsep-path=/etc/ssh/privsep \
    --with-tcp-wrappers --with-md5-passwords --with-ipv4-default --libexecdir=/usr/sbin &&
    make &&
    make install

To generate a host key, run "make host-key". Alternately you can do so
	manually using the following commands: 
    		ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
   		 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    		ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
copy/save the key fingerprints:
$> ssh-keygen -l
>/etc/ssh/ssh_host_[rsa|dsa]_key







=========================bind==============================
must have a user named bin
 useradd -g named -c 'Named' -d /bind -s /bin/false named

make: clean depend all install
----
named-named-bootconf-named-xfer-ndc
install --strip to /bind/usr/sbin/

-----
chrooted: /bind/
----mkdir dev etc lib sbin usr/sbin usr/local var/named var/run var/log var/lock
----Copy named.conf && localtime from /etc.
----add user & group named && chroot him in the passwd file- shell=/bin/false
		named:x:501:501::/bind/./:/bin/false
	useradd -m -g named -c 'Named' -s /bin/false named
----Create the /bind/etc/group file with named GID as the only entry && chmod 444 /bind/etc/group
----Copy all zone databases and files from /var/named/ to /bind/var/named/
----cd  /bind/dev && mknod ./null c 1 3 && chmod 666 null
----ldd /usr/sbin/named & ndc & named-xfer && copy named + libs to chrooted directory
			linux-gate.so.1 | //www.uwsg.iu.edu/hypermail/linux/kernel/0306.2/0674.html
?------------# cp -p /lib/libc*.so /bind/lib
?------------# cp -p /lib/ld*.so /bind/lib
----copy /usr/local/bind /bind/usr/local/ || mkdir /bind/usr/local/bind/ && copy src/{include,lib} there
----cp /etc/ld.so.conf to /bind/etc/ && add /usr/local/bind/lib to it ;
  cp /sbin/ldconfig to /bind/sbin && run:$ chroot /bind /sbin/ldconfig
---add -a /bind/dev/log to the syslog startup line in init.d : loadproc syslogd -m 10 -a /bind/dev/log
------
permissions: 

	----chmod 1770 named/ && named/pz;              
	----chown root.named named/ && named/pz
	slave files owned by named.named, master files by root.root


	----chmod 550 named/ && named/pz
	----chmod 444 zonefiles
	----chown root.named named/ && named/pz

root name servers file (root.hints) must be world-readable or bind-8.3.1 goes into an endless(?) loop
>$dig @a.root-servers.net. . ns > root.hints
startup:
----/bind/usr/sbin/named -u named -g named -t /named/
# ndc -c /bind/var/run/ndc [options] [command] 
*or patch the source *or use S22Bind
---------upgrade--------
make: clean depend all install
chattr -i /bin/* && so forth
make install && 
cp ndc && named* to /bind/usr/sbin/
--copy /usr/local/bind /bind/usr/local/
--$dig @a.root-servers.net. . ns > root.hints
S22bind start
------------------- TSIG -----------
$dnskeygen -H 128 -h -n kevinstsig.
--/etc/named.conf:
allow-transfer { 192.168.0.88 ; } ;
key kevinstsig. {
	algorithm hmac-md5 ;
	secret "jhdfIuYFNFJKkhkkdsfUuM==" ;
} ;
server 192.168.0.88 {
keys { "kevinstsig." ;
} ;
} ;





========= net-tools ===================
patch -Np1 -i ../net-tools-1.60-gcc34-3.patch &&
patch -Np1 -i ../net-tools-1.60-kernel_headers-2.patch &&
patch -Np1 -i ../net-tools-1.60-mii_ioctl-1.patch &&
yes "" | make config &&
sed -i -e 's|HAVE_IP_TOOLS 0|HAVE_IP_TOOLS 1|g' \
       -e 's|HAVE_MII 0|HAVE_MII 1|g' config.h &&
sed -i -e 's|# HAVE_IP_TOOLS=0|HAVE_IP_TOOLS=1|g' \
       -e 's|# HAVE_MII=0|HAVE_MII=1|g' config.make &&
make &&
make update

ifconfig eth0:1 216.146.10.14 netmask 255.255.254.0
route add -host 216.146.10.14 dev eth0:1




============************* mail *************==============

------------Procmail--------------
groupadd mail
 useradd -g mail -c 'Mail' -d /var/spool/mail -s /bin/false mail
    touch /usr/sbin/sendmail
    make LOCKINGTEST=/tmp install
    make install-suid
$> cp /oldroot/bin/mail /bin/mail
$> chmod 755 /bin/mail
$> chown root.mail /bin/mail


==================== berkeleyDB ====================
change to the build_unix directory: 
../dist/configure --prefix=/usr --enable-compat185 --enable-cxx 
make LIBSO_LIBS="-lpthread" LIBXSO_LIBS="-lpthread"
make docdir=/usr/share/doc/db-4.3.28 install
chown -R root:root /usr/share/doc/db-4.3.28
find /usr/share/doc/db-4.3.28/ -type d -exec chmod 555 {} \;

====================sendmail==============================
1.	edit sendmail/srvrsmtp.c
2.	cd sendmail/ -> sh Build
3.	mkdir /var/spool/mqueue; mkdir /etc/mail; -> cd cf/cf -> sh Build sendmail.cf
4.	cd ../../sendmail - > sh Build install-set-user-id
5.	cd ../ -> {makemap vacation} && $sh Build install-strip {makemap vacation}
6.	cd smrsh -> notes below
--------------------
sendmail/srvrsmtp.c :
		    MAXBADCOMMANDS	25	unknown commands
		    MAXNOOPCOMMANDS	20	NOOP, VERB, ONEX, XUSR
		    MAXHELOCOMMANDS	3	HELO, EHLO
		    MAXVRFYCOMMANDS	6	VRFY, EXPN
		    MAXETRNCOMMANDS	8	ETRN
		Setting a value to 0 disables the check.  
------------------------
#   sendmail.mc:
FEATURE(access_db)dnl
FEATURE(virtusertable)dnl
FEATURE(genericstable)dnl
FEATURE(always_add_domain)dnl
FEATURE(blacklist_recipients)dnl
FEATURE(smrsh)dnl
FEATURE(`nouucp',`reject')dnl
HACK(use_ip)dnl
HACK(check_rcpt4)dnl
MAILER(local)dnl
MAILER(smtp)dnl
--------------------------
 touch: /etc/mail/local-host-names - add all of our domains
 touch: /etc/mail/    :   relay-domains - access - virtusertable - genericstable - LocalIP
 mkdir /var/spool/mqueue/.hoststat   
----------
SMRSH:
$sh Build LDOPTS=-static install-strip
$chmod 511 /usr/sbin/smrsh
search for Mprog in sendmail.cf, make sure it says /usr/sbin/smrsh and not /bin/sh
 ----mkdir /usr/adm/sm.bin && ln -s /usr/bin/procmail &&  ln -s /usr/bin/vacation
------------
recompile any makemap files (makemap hash /etc/mail/access < /etc/mail/access)
chmod 775 /var/spool/mail
chmod 755 /var/spool/mqueue
chmod 755 /var/spool/mqueue/.hoststat
chown root.mail mail & mqueue

cat >> /etc/mail/service.switch
hosts: files dns
aliases: files
----
$>/usr/sbin/sendmail -bd -q45m




=========================qpop======================
default installs to /usr/local/sbin/popper
./configure --prefix=/usr 
 --disable-check-pw-max  /* password expiration check */
--disable-old-spool-loc		/* check for way old spools */
--enable-auth-file=/etc/mail/popallow
--enable-log-login
--enable-nonauth-file=/etc/mail/popdeny
--enable-shy
--enable-server-mode [ or -S in inetd.conf ]
--enable-uw-kludge  for UW imap
--enable-specialauth   /* for shadow passwords */
--without-pam
--enable-auto-delete -- automatically and unconditionally deletes messages that 
	have been downloaded using the RETR command (the normal command for accessing messages).
  #edit config.h after running ./configure.
#define POP_MAILDIR "/var/spool/mail"

make
make install
edit /etc/inetd.conf -- /usr/sbin/popper popper -s
add pop3 to /etc/services
mkdir /var/spool/popauth
touch /etc/mail/ -- popauthk pophash.tmp accesshash popdeny popallow ipchain hosts
echo "local0.debug /var/log/pop" >>  /etc/syslog.conf 

[inetd.conf]
 -F When updating the spool at the end of a session, this option instructs 
Qpopper to rename the temporary file to the spool instead of copying it. This reduces I/O 
at session end by a third, but is likely to break programs such as biff or the shell's mail 
check feature. It is safest to only enable this option when users do not have shell access to the mail server.
-s = Enables statistics logging.
-S = Enables server mode by default.
-c = downcase user name
-R = Disables the reverse lookups on client IP addresses.
pop3 stream tcp nowait root    /usr/local/sbin/popper qpopper -R -s -f /etc/qpopper.config










======================wu-ftpd===========================
patch -p0 -i ../connect-dos.patch && etc
	wu-ftpd won't work with newer Bison; install bison-1.35.tar.bz2  --- or ---
	edit src/ftpcmd.y and replace all instances of ={ with {, i.e. in vi:
:%s/=.{/   {/gc    /* the space there is a TAB on your keyboard, Skippy */
		(http://lists.gnu.org/archive/html/help-bison/2004-04/msg00020.html)
mkdir /etc/ftpd/
mv ftpstuff.tar.gz to /etc/ftpd/; fix perms and etc.
./configure --with-etc-dir=/etc/ftpd --enable-numericuid --enable-pam --disable-anonymous
make && make install
chmod 555 /usr/sbin/{in.ftpd,ftpshut,ckconfig,ftprestart,privatepw}
chmod 555 /usr/bin/{ftpwho,ftpcount}
---------
add -a to wu-ftpd in inetd.conf and add to ftpaccess: guestgroup  chrooteduser  
copy ftpd message files to /apache/htdocs/etc/ftpd/ && chmod 444 *.msg
apache chrooted perms:
chmod -R 111 etc/ && chmod 444 etc/*.msg    ==    group passwd ld.so.cache [*.msg]
chmod -R 111 bin/                                       ==     ls
chmod -R 555 lib/ 					==     ld-linux.so.2 libc.so.6  (ldd /bin/ls)
 * make sure all are chattr'ed senseless and marked noretrieve in ftpaccess *
$cat >> /etc/shells
/bin/bash
/bin/ftponly
EOF
johnny:x:1065:1065::/apache/htdocs/phonybaloneyplasticbanana.com/./:/bin/ftponly







============================inetutils=======================
./configure --prefix=/usr --libexecdir=/usr/sbin --sysconfdir=/etc
make
$cp -i inetd /usr/sbin/
$chmod 555 /usr/sbin/inetd
//www.linuxfromscratch.org/blfs/view/stable/basicnet/inetutils.html






============================apache=======================
http://httpd.apache.org/docs/2.0/programs/configure.html
2.0:configure --prefix=/apache && make && make install
	*** ldd /apache/bin/httpd and make sure all libs are found ***
 edit include/httpd.h && DYNAMIC_MODULE_LIMIT 0
 --enable-speling=shared --enable-rewrite=shared 
------------
/* HARD_SERVER_LIMIT define in src/include/httpd.h. */
./configure --enable-module=speling --enable-module=setenvif --disable-module=all

conf:
ServerSignature Whatever
ServerTokens Prod == restrict info for HEAD requests
chmod 511 /apache/bin/httpd
---

     AllowOverride None
     Order Deny,Allow
     Deny from all
 
---
UserDir disabled root 
----

Order allow,deny
Deny from all
Satisfy All

---
http://httpd.apache.org/docs/2.0/misc/perf-tuning.html
control the MaxClients setting so that your server does not spawn so many children it starts 
swapping. This procedure for doing this is simple: determine the size of your average Apache 
process, by looking at your process list via a tool such as top, and divide this into your total 
available memory, leaving some room for other processes
For highest performance, and no symlink protection, set FollowSymLinks everywhere, and 
never set SymLinksIfOwnerMatch
----
If you have no intention of using dynamically loaded modules (if you're tuning your server for 
every last ounce of performance) then you should add -DDYNAMIC_MODULE_LIMIT=0 when 
building your server. This will save RAM that's allocated only for supporting dynamically loaded modules.
/*none=include/httpd.h && DYNAMIC_MODULE_LIMIT 0*/
---
simulate 10 users concurrently. Each simulated user makes 10 requests.
  % ./ab -n 10000 -c 1000 server.brent.com/index.html
------
UseCanonicalName DNS, which is intended for use with mass IP-based virtual hosting 
IndexOptions IgnoreClient == This option causes mod_autoindex to ignore all query variables 
from the client, including sort order 
----------------------------------------------------
!  /apache/bin/httpd -l		 /* Statically compiled modules */
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c			/* MPM default */
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c
http://httpd.apache.org/docs-2.0/mod/
----------------------------------------------------
# apache mod_ssl
# in mod_ssl configure, since openssl is already installed, use --with-ssl with no path
unzip mod_ssl*gz and apache*gz 
cd mod* && ./configure --with-apache=../apache* --with-ssl --prefix=/apache
cd ../apache* && ./configure --enable-modules=ssl --prefix=/apache 
make && make certificate TYPE=test && make install
$> /apache/bin/httpd -DSSL
--------------
   Try out Apache without SSL (only HTTP protocol possible)
     $ /path/to/apache/bin/apachectl start                                 ALL
     $ netscape http:///                                  ALL
     $ /path/to/apache/bin/apachectl stop                                  ALL
   Try out Apache with SSL (both HTTP and HTTPS protocol possible):
     $ /path/to/apache/bin/apachectl startssl                              ALL
     $ netscape http:///                       ALL
     $ netscape https:///                     ALL
     $ /path/to/apache/bin/apachectl stop                                  ALL








====================== iptables========================
edit Makefile for everything
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install
make install-devel
$chown root.root /usr/src/iptables-1.3.1
$ cd /usr/src/iptables-1.3.1
$ cp include/iptables.h /usr/include
$ cp include/iptables_common.h /usr/include
$ mkdir /usr/include/libiptc
$ cp include/libiptc/libiptc.h /usr/include/libiptc
$ cp include/libiptc/ipt_kernel_headers.h /usr/include/libiptc
$ cp iptables.o /usr/local/lib
iptables.o is needed above to compile programs to get rule information from netfilter. 
---
# ipchains
the docs say:
You should be able to simply type "make all", then (as root) "make
install"; this will put the ipchains binary in /sbin/ipchains
--
#define LOG_EMERG       0       /* system is unusable */
#define LOG_ALERT       1       /* action must be taken immediately */
#define LOG_CRIT        2       /* critical conditions */
#define LOG_ERR         3       /* error conditions */
#define LOG_WARNING     4       /* warning conditions */
#define LOG_NOTICE      5       /* normal but significant condition */
#define LOG_INFO        6       /* informational */
#define LOG_DEBUG       7       /* debug-level messages */
sysklogd.conf : loadproc klogd -c 4









==========================kernel==========================
/* default color: drivers/char/console.c , line 2427, def_color to the bold_white code */
2.5.5 == drivers/char/vt.c -- line 2422
2.6.11.7 == drivers/char/vt.c -- line 2526
white on blue 
        def_color       = 0x17;  
        ulcolor         = 0x1f;   
        halfcolor       = 0x18;   
make mrproper
make menuconfig
		/* Allocate 3rd-level pagetables = yes */
		/* Enable seccomp to safely compute untrusted bytecode = no */
		/* timer frequency = 100HZ */
		/* deadline I/O is the only scheduler for you, Ace */
		/* no legacy (BSD) PTY support */
		/* CONFIG_AUDIT - not for LIDS */
		/* http://kernel.xc.net/ */
make bzImage
make modules
make modules_install
depmod -a
/* When you rebuild your kernel, depmod can be critical, as well. Using the depmod -a command
 after the make modules_install task will create the above-mentioned information file. This is then
 available to the depmod -A command in /etc/rc.d/rc.sysinit. It's a good way to assure that 
everything necessary for your loadable modules is available. It's an equally good way to avoid 
module errors at boot.*/
/*  kernel 2.6.8 will freeze if you [ $>grep -r sometext / ] unless you do "Backward-compatible /proc/pci" */
---------------
# patch order: lids - openwall
	/* the reject is openwall's "Restricted proc" option, not enabled by default */
       /* no rejects using 2.4.21 */
bzcat ../patch-2.4.18-pre8-mjc.bz2 | patch -p1 -E --dry-run
-------------------------------------lids---------------------------------------------
*read the docs before compiling a kernel*
*/ mismatched kernel? edit linux/include/linux/version.h */
$ lidsconf -P to set the password

**** change something, sport? ************************************
# lidsconf -U to update the ACLs to correct the inode value
# lidsconf -C will compile all the acls
# lidsadm -S -- +RELOAD_CONF
**************************************************************************
When a LIDS enabled kernel boots the system is in BOOT state. After the system has finished 
booting you need to switch the system to POSTBOOT state using 'lidsadm -I'.

install a lidsboot.sh, or at minimum do: lidsconf -Z to clear the current rules
you must reconfigure lids.conf, lids.cap (with lidsconf)
      and lids.pw (with lidsconf -P) *before* you reboot the system!

nail down the lid as the last thing before you get a prompt
in /etc/init.d/syslog: loadproc /usr/sbin/klogd -c 4 (man 8 klogd)
boot a lids kernel without lids being active:  lilo: linux security=0



----------------
#openwall
	cd /usr/src/linux
	patch -p1 < PATCH-FILE
where PATCH-FILE is the full path and name of the linux-*-ow*.diff file.
If desired, edit /etc/fstab to specify the group id for accessing /proc (default gid is 0).
Also, make sure you have no extra procfs mount commands in the startup
scripts, as these might override your fstab settings





===============ext3===============
tune2fs -j /dev/





====================logcheck================================
edit systems/linux/logcheck.sh & Makefile for paths
'make linux'
----
edit systems/linux/logcheck.sh 
files   =   /usr/local/etc/logcheck.*   /usr/local/bin/logtail   lids-secured rm
01 * * * * /bin/sh /usr/local/etc/logcheck.sh
logcheck.hacking:
attackalert
Oversized
cookies
Null
interrupt
reset
suspect
short
permitted
invalid
broadcast






=====================portsentry===========================
edit portsentry_config.h - change log facility to LOG_LOCAL1
make linux
make install
syslog.conf:            local1.*    \t\t\t   /var/log/portsentry && add LOCAL1.none
cd /var/log && touch portsentry && chattr +a portsentry
conf files: /usr/local/psionic/portsentry
start: /usr/local/psionic/portsentry/portsentry -atcp










============================quota=========================
3.07 don't compile,bubba
1. re-enable /etc/mtab = init.d/mountfs -n flags
2. edit warnquota.c for default email text
$ ./configure --prefix=/usr --enable-rpc=no --enable-rpcsetquota=no
  $ make
  $ make install

#in startup scripts after the fs's are mounted:
                 echo "Checking quotas. This may take some time."
                 /sbin/quotacheck -F vfsold -vna
                 echo " Done."
                  echo "Turning on quota."
                  /sbin/quotaon -avm
# add a quotaoff in...oh, lets say init.d/sendsignals

#fstab:
  /dev/hda2       /usr    ext2    defaults,usrquota       1       1

#LIDS just refuses to accept quotacheck trying to mount  on /var, so...
# in startup use /sbin/quotacheck -avM or -avm
# -M -- force checking in read-write mode
# -m -- don't try to remount filesystem read-only

#add a twice-daily crontab check:
07 05,17 * * * /usr/sbin/warnquota -F vfsold

$edquota -t -- grace period
$repquota -a
$setquota -F vfsold kevin 5 5 5 5 /var
#5's = block-soft&hard && inode-soft&hard

$warnquota -F vfsold
/etc/quotatab for warnquota
# colon ':' is used to specify the start of the substituted text
# pipe  '|' is used to specify a line break
# For instance if you would like to have warnquota tell the user their
# 'mailspool' is full instead of '/dev/hdb1' is full, use the following
# example.
# /dev/hdb1:mailspool






==========================tripwire==============================
ln -s /usr/sbin/sendmail /usr/lib/sendmail
ln -s /usr/bin/vi /bin/vi
./install-sh
--
/etc/tripwire
/var/lib/tripwire
'a clear-text version of the configuration file is 
       in /etc/tripwire/twcfg.txt...burn before reading









============================gpm==============================
./configure --prefix=/usr --sysconfdir=/etc
open special.c and change  OPEN_MAX to FOPEN_MAX
open Makefile and search for "SUBDIRS". Remove "doc" from the subdirs so this line looks like:
SUBDIRS = contrib
make
make install
install manpages manually
# *or*
copy /usr/sbin/gpm && /etc/sysconfig/mouse && mknod








===============================gnupg===============================
./configure --prefix=/usr --sysconfdir=/etc --disable-nls
make
make install
-
The ~/.gnupg directory will be created if it does not exist.  Your first
action should be to create a key pair: "gpg --gen-key".
To avoid swapping out of sensitive data, you can install "gpg" as
       suid root.  If you don't do so, you may want to add the option
       "no-secmem-warning" to ~/.gnupg/options




================================man-info-pod================================
The Info system can sometimes get out of step with the Info manuals installed on the 
system. If the /usr/share/info/dir file ever needs to be recreated: 
cd /usr/share/info
rm dir
for f in *
do install-info $f dir 2>/dev/null
done

$ for f in /usr/share/man/man1/*.1; do /usr/bin/man2html -r -p -M /www.fiveanddime.net/ $f > $f.html ; done 
-r = relative links
-p set path separator to / from ?mark

 $ pod2html --htmlroot= --outfile= --recurse
/usr/lib/perl5/5.8.6/pod/*.pod

Note 
To disable Select Graphic Rendition (SGR) escape sequences, edit the man.conf file and 
add the -c switch to the NROFF variable. 





================================cron================================
minutes (0-59)
hour (0-23)
day of the month (1-31)
month (1-12)
day of the week (0-6), starting with 0 as Sunday




===========================boot floppy===========================
GRUB boot floppy
[root@mydesk root]# mkfs -t ext2 -c /dev/fd0u1440
[root@mydesk root]# umount /dev/fd0
[root@mydesk root]# umount /dev/fd0u1440
[root@mydesk root]# mkdir /mnt/test
[root@mydesk root]# mount /dev/fd0u1440 /mnt/test
[root@mydesk root]# mkdir -p /mnt/test/boot/grub
[root@mydesk root]# cp /boot/grub/stage1 /mnt/test/boot/grub
[root@mydesk root]# cp /boot/grub/stage2 /mnt/test/boot/grub
[root@mydesk root]# chmod a-w /mnt/test/boot/grub/stage2
[root@mydesk root]# umount /dev/fd0u1440
[root@mydesk root]# grub
grub> root (fd0)
grub> setup (fd0)
grub> quit

dd if=/boot/grub/stage1 of=/dev/fd0 bs=512 count=1
dd if=/boot/grub/stage2 of=/dev/fd0 bs=512 seek=1

menu.lst:
root (hd0,0) kernel /lfs4 root=/dev/hda5 vga=5

GRUB boot floppy with the menu interface:
$ mke2fs /dev/fd0
$ mount /mnt/floppy 
$ cp /boot/grub/stage1 stage2 menu.lst /mnt/floppy/boot/grub/
$ umount /mnt/floppy 

/usr/sbin/grub --batch --device-map=/dev/null < root (hd0,0)
grub> kernel /lids1
grub> boot

grub setup:
grub> root (hd0,0)
grub> setup (hd0)
grub> quit

If you want to view the menu without rebooting:
grub --config-file \(hd0,0\)/boot/grub/menu.lst

SATA:
root (hd0,0)
kernel /boot/lfs1b root=/dev/sda1





===========================stripping================================
Before performing the stripping, take special care to ensure that none of the binaries that 
are about to be stripped are running. If unsure whether the user entered chroot with the 
command given in Section 6.3, "Entering the Chroot Environment," first exit from chroot: 

logout

Then reenter it with:

chroot $LFS /tools/bin/env -i \
    HOME=/root TERM=$TERM PS1='\u:\w\$ ' \
    PATH=/bin:/usr/bin:/sbin:/usr/sbin \
    /tools/bin/bash --login

Now the binaries and libraries can be safely stripped:

/tools/bin/find /{,usr/}{bin,lib,sbin} -type f \
   -exec /tools/bin/strip --strip-debug '{}' ';'







===========================squirrelmail= OUT OF DATE ===============================
------------------ imapd:-----------------
edit src/osdep/unix/env_unix.c for LOG_LOCAL2 && edit /etc/syslog.conf
make slx  #linux mit shadowpw's
/* you can edit src/osdep/unix/Makefile for the ssldir, but it doesn't seem to help...nor does 'make sslnone slx'...this is for RC7
$install --strip imapd/imapd /usr/sbin/imapd
imap	stream	tcp	nowait	root	/usr/local/etc/imapd	imapd
imap		143/tcp    #/etc/services
lids: CAP_SETGID
------------------ php:-----------------
default path: /usr/local/lib/php/
1) ./configure --enable-track-vars --enable-force-cgi-redirect --with-gettext --with-config-file-path=/etc --with-layout=GNU --with-gnu-ld
2) make
3) make install-pear
4) cp php.ini-recommended to /etc/php.ini
5) copy php to /apache/cgi-bin/
6) useradd phpu && chown /apache/cgi-bin/php
7) apache:
    AddType application/php4script .php
    Action application/php4script /cgi-bin/php
       DirectoryIndex index.php
touch /apache/logs/php_log
should not work in the DocumentRoot: 
php.ini changes:
safe_mode = On
open_basedir = /apache
expose_php = Off
error_log = /apache/logs/php_log /* && chown nobody.nobody */
register_globals = On
%%%%doc_root = /apache
%%%%safe_mode_exec_dir = /apache
upload_tmp_dir = /apache/tmp
%%%%untested!  allow_url_fopen = Off (default is On)
session.save_path = /apache/tmp
$>chattr +i /etc/php.ini
------------------squirrelmail:-----------------
unpack in /apache/htdocs/mail
    mkdir && chown nobody.nobody && chmod 700 /apache/tmp
mv sm's data/ to /apache/data
$chown nobody.nobody /apache/data
$chmod -R 730 /apache/data
    $ mkdir /apache/attachments
    $ chgrp -R nobody /apache/attachments
    $ chmod 730 /apache/attachments
cd /apache/htdocs/mail/config && conf.pl
---
when it's working:
	chmod -R 400 /apache/htdocs/mail
	chmod -R u+X /apache/htdocs/mail
>$groupadd newaccount && useradd newaccount
>$mkdir -p && chmod 700 /home/newaccount/webmail 










============================syslog===============================
LOG_EMERG 
system is unusable 
LOG_ALERT 
action must be taken immediately 
LOG_CRIT 
critical conditions 
LOG_ERR 
error conditions 
LOG_WARNING 
warning conditions 
LOG_NOTICE 
normal, but significant, condition 
LOG_INFO 
informational message 
LOG_DEBUG 
debug-level message




============================mounts===============================
   ** check noatime **
defaults: rw,suid,dev,exec,auto,nouser,async 
/boot		defaults,nodev,noexec,nosuid,ro
/lib			defaults,nodev,nosuid,ro
/usr                  defaults,ro,nodev   
/var                  defaults,nodev,nosuid,noexec
/tmp                 defaults,nodev,nosuid,noexec  
/home              defaults,nosuid,nodev,noexec 
/mnt/floppy      defaults,users,nodev,nosuid,noexec     
/mnt/cdrom      iso9660 ro,users,nodev,nosuid,noexec  

$ mount -o remount /boot



============================ntpdate===============================
ntpdate -s tick.greyware.com ntp5.tamu.edu
---
$>date 072307142002 (month-day-hour-minute-year)
$>hwclock --adjust
$>hwclock --systohc == system time to cmos   



=============================user and group add==============================
cd /etc && touch gshadow && chmod 600 gshadow
1. groupadd newname
2. useradd -m -g newname -c 'Name Here' -s /bin/false newname
3. passwd newname
4. /etc/mail/popallow::/etc/mail/virtuser&&genericstable::mailboxbackup
5. lidsconf -U
6. $setquota -F vfsold kevin 6000 12500 500 1100 /home && /var



===========================LIDS after a change================================
# lidsconf -U to update the ACLs to correct the inode value
# lidsconf -C will compile all the acls
# lidsadm -S -- +RELOAD_CONF



==========================file editing and system management in bash=================================
chattr +i /bin      /sbin        /usr/bin         /usr/sbin          /etc
dos2unix $cat dosfile|tr -d "\015" > unixfile
find /usr/lib/whatever -type f -name '*.ext' -exec chmod 444 {} \;
find /usr/include/{asm,linux} -type d -exec chmod 755 {} \;
find /usr/include/{asm,linux} -type f -exec chmod 644 {} \;
ln -sf System.map-lids1 System.map
perl -p -i -e 's/text/replacementtext/g' file
sed -i 's@"BINDIR"@/bin@g' gzexe.in
sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" configure
grep "R:PASS" check.log | wc -l
bzip2 -1c < /dev/hde > tivo.img.bz2
bzip2 -dc < tivo.img.bz2 > /dev/hde
cat file |grep -v remove this > file
tar cjf /tmp/rfc.tar.bz2 /hdc7/htdocs/fad/pod/
cat access_log |awk '{print $1}' |sort |uniq -c |sort -rn > awked.txt [hits by domain]
sed -i '/^TARGETS/s@arpd@@g' misc/Makefile
sed -i 's@Sending processes@& started by init@g' src/init.c
	for i in man? man??; do \
		install -d -m 755 /usr/share/man/"$i"; \
		install -m 644 "$i"/* /usr/share/man/"$i"; \
	done
//www.linuxfromscratch.org/blfs/view/svn
find directory/ -name "*.html" |wc -l

----------------------
host name changes:
resolv
bind {etc/named.conf, pz}
hosts
apache conf
sysconfig/network-devices
ifc.sh


===========================================================
Thanks for registering brent kevin krkosska, your LFS ID is: 315
//www.linuxfromscratch.org/cgi-bin/lfscounter.cgi
===========================================================







www.fiveanddime.net







