From: Valentin Vidic Date: Tue, 18 Dec 2007 14:05:24 +0000 (+0100) Subject: Added config files. Fixed packages lists. X-Git-Tag: debian/4.0.1~96 X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=commitdiff_plain;h=039bb4c83072ff6930f464a4ed00c1c97099a3ca;p=carnet-upgrade.git Added config files. Fixed packages lists. --- diff --git a/usr/share/carnet-upgrade/files/etc/aide/aide.conf b/usr/share/carnet-upgrade/files/etc/aide/aide.conf new file mode 100644 index 0000000..8316278 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/aide/aide.conf @@ -0,0 +1,115 @@ +# AIDE conf + +database=file:/var/lib/aide/aide.db +database_out=file:/var/lib/aide/aide.db.new + +# Change this to "no" or remove it to not gzip output +# (only useful on systems with few CPU cycles to spare) +gzip_dbout=yes + +# Here are all the things we can check - these are the default rules +# +#p: permissions +#i: inode +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#md5: md5 checksum +#sha1: sha1 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum +#R: p+i+n+u+g+s+m+c+md5 +#L: p+i+n+u+g +#E: Empty group +#>: Growing logfile p+u+g+i+n+S +#haval: haval checksum +#gost: gost checksum +#crc32: crc32 checksum + +# Defines formerly set here have been moved to /etc/default/aide. + +# Custom rules +Binlib = p+i+n+u+g+s+b+m+c+md5+sha1 +ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1 +Logs = p+i+n+u+g+S +Devices = p+i+n+u+g+s+b+c+md5+sha1 +Databases = p+n+u+g +StaticDir = p+i+n+u+g +ManPages = p+i+n+u+g+s+b+m+c+md5+sha1 + +# Next decide what directories/files you want in the database + +# Kernel, system map, etc. +=/boot$ Binlib +# Binaries +/bin Binlib +/sbin Binlib +/usr/bin Binlib +/usr/sbin Binlib +/usr/local/bin Binlib +/usr/local/sbin Binlib +/usr/games Binlib +# Libraries +/lib Binlib +/usr/lib Binlib +/usr/local/lib Binlib +# Log files +=/var/log$ StaticDir +!/var/log/ksymoops +/var/log/aide/aide.log(.[0-9])?(.gz)? Databases +/var/log/aide/error.log(.[0-9])?(.gz)? Databases +/var/log/setuid.changes(.[0-9])?(.gz)? Databases +!/var/log/aide +/var/log Logs +# Devices +!/dev/pts +# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, +# you may uncomment this to get rid of them. They're harmless but sometimes +# annoying. +#!/dev/cpu/mtrr +!/dev/xconsole +/dev Devices +# Other miscellaneous files +/var/run$ StaticDir +!/var/run +# Test only the directory when dealing with /proc +/proc$ StaticDir +!/proc + +# You can look through these examples to get further ideas + +# MD5 sum files - especially useful with debsums -g +#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 + +# Check crontabs +#/var/spool/anacron/cron.daily Databases +#/var/spool/anacron/cron.monthly Databases +#/var/spool/anacron/cron.weekly Databases +#/var/spool/cron Databases +#/var/spool/cron/crontabs Databases + +# manpages can be trojaned, especially depending on *roff implementation +#/usr/man ManPages +#/usr/share/man ManPages +#/usr/local/man ManPages + +# docs +#/usr/doc ManPages +#/usr/share/doc ManPages + +# check users' home directories +#/home Binlib + +# check sources for modifications +#/usr/src L +#/usr/local/src L + +# Check headers for same +#/usr/include L +#/usr/local/include L diff --git a/usr/share/carnet-upgrade/files/etc/bind/named.conf.options b/usr/share/carnet-upgrade/files/etc/bind/named.conf.options new file mode 100644 index 0000000..813193d --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/bind/named.conf.options @@ -0,0 +1,24 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you might need to uncomment the query-source + // directive below. Previous versions of BIND always asked + // questions using port 53, but BIND 8.1 and later use an unprivileged + // port by default. + + // query-source address * port 53; + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + auth-nxdomain no; # conform to RFC1035 + +}; + diff --git a/usr/share/carnet-upgrade/files/etc/cron.daily/aide b/usr/share/carnet-upgrade/files/etc/cron.daily/aide new file mode 100755 index 0000000..e5fa178 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/cron.daily/aide @@ -0,0 +1,157 @@ +#!/bin/bash + +PATH="/sbin:/usr/sbin:/bin:/usr/bin" +LOGDIR="/var/log/aide" +LOGFILE="aide.log" +CONFFILE="/var/lib/aide/aide.conf.autogenerated" +ERRORLOG="error.log" +ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"` + +[ -f /usr/bin/aide ] || exit 0 + +if [ -f /etc/default/aide ]; then + . /etc/default/aide +fi + +DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut --delimiter=: --fields=2` +FQDN=`hostname -f` +DATE=`date +"at %Y-%m-%d %H:%M"` + +# default values + +MAILTO="${MAILTO:-root}" +DATABASE="${DATABASE:-/var/lib/aide/aide.db}" +LINES="${LINES:-1000}" +COMMAND="${COMMAND:-check}" + +AIDEARGS="-V4" + +if [ ! -f $DATABASE ]; then + ( + echo "Fatal error: The AIDE database does not exist!" + echo "This may mean you haven't created it, or it may mean that someone has removed it." + ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO + exit 0 +fi + +[ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null +[ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null + +aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP" +RETVAL=$? + +if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then + # Bail now because there was no output and QUIETREPORTS is set + exit 0 +fi + +(cat << EOF; +This is an automated report generated by the Advanced Intrusion Detection +Environment on $FQDN ${DATE}. + +EOF + +# include error log in daily report e-mail + +if [ "$RETVAL" != "0" ]; then + cat > "$LOGDIR/$ERRORLOG" << EOF; + +***************************************************************************** +* aide returned a non-zero exit value * +***************************************************************************** + +EOF + echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG" +else + touch "$LOGDIR/$ERRORLOG" +fi +< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG" +rm -f "$ERRORTMP" + +if [ -s "$LOGDIR/$ERRORLOG" ]; then + errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'` + if [ ${errorlines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned many errors. * +* the error log output has been truncated in this mail * +**************************************************************************** + +EOF + echo "Error output is $errorlines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$ERRORLOG" + echo "The full output can be found in $LOGDIR/$ERRORLOG." + else + echo "Errors produced ($errorlines lines):" + cat "$LOGDIR/$ERRORLOG" + fi +else + echo "AIDE produced no errors." +fi + +# include de-noised log + +if [ -n "$NOISE" ]; then + NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"` + NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"` + sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \ + grep '^\(changed\|removed\|added\):' | \ + grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2 + + if [ -n "$NOISE" ]; then + < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP + rm -f $NOISETMP2 + echo "De-Noised output removes everything matching $NOISE." + else + mv $NOISETMP2 $NOISETMP + echo "No noise expression was given." + fi + + if [ -s "$NOISETMP" ]; then + loglines=`< $NOISETMP wc -l | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "De-Noised output is $loglines lines, truncated to $LINES." + < $NOISETMP head -$LINES + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "De-Noised output of the daily AIDE run ($loglines lines):" + cat $NOISETMP + fi + else + echo "AIDE detected no changes after removing noise." + fi + rm -f $NOISETMP + echo "============================================================================" +fi + +# include non-de-noised log + +if [ -s "$LOGDIR/$LOGFILE" ]; then + loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "Output is $loglines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$LOGFILE" + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "Output of the daily AIDE run ($loglines lines):" + cat "$LOGDIR/$LOGFILE" + fi +else + echo "AIDE detected no changes." +fi +) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO diff --git a/usr/share/carnet-upgrade/files/etc/default/aide b/usr/share/carnet-upgrade/files/etc/default/aide new file mode 100644 index 0000000..773751d --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/aide @@ -0,0 +1,25 @@ +# These settings are mainly for the wrapper scripts around aide, +# such as aideinit and /etc/cron.daily/aide + +# This is the email address reports get mailed to +MAILTO=root + +# Set this to suppress mailings when there's nothing to report +#QUIETREPORTS=1 + +# This parameter defines which aide command to run from the cron script. +# Sensible values are "update" and "check". +# Default is "check", ensuring backwards compatibility. +# Since "update" does not take any longer, it is recommended to use "update", +# so that a new database is created every day. The new database needs to be +# manually copied over the current one, though. +COMMAND=update + +# This parameter defines how many lines to return per e-mail. Output longer +# than this value will be truncated in the e-mail sent out. +LINES=1000 + +# This parameter gives a grep regular expression. If given, all output lines +# that _don't_ match the regexp are listed first in the script's output. This +# allows to easily remove noise from the aide report. +NOISE="(/var/cache/dwww|/var/backups|/var/lib/dwww/html)" diff --git a/usr/share/carnet-upgrade/files/etc/default/ntpdate b/usr/share/carnet-upgrade/files/etc/default/ntpdate new file mode 100644 index 0000000..80d8608 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/ntpdate @@ -0,0 +1,6 @@ +# servers to check. (Separate multiple servers with spaces.) +NTPSERVERS="pool.ntp.org" +# +# additional options for ntpdate +#NTPOPTIONS="-v" +NTPOPTIONS="-u" diff --git a/usr/share/carnet-upgrade/files/etc/default/oidentd b/usr/share/carnet-upgrade/files/etc/default/oidentd new file mode 100644 index 0000000..d0904de --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/oidentd @@ -0,0 +1,17 @@ +# options to use when starting oidentd as daemon: +# -m lookup masquaraded connections in /etc/oidentd_masq.users +# -f forward requests for masquaraded connections to real host +# -q don't log connections to oidentd +# see oidentd(8) for detailed list +OIDENT_OPTIONS="-mf" + +# user / group +OIDENT_USER=nobody +OIDENT_GROUP=nogroup + +# Allow the default router to act as an oidentd proxy? (yes/no) +# this is needed behind a masquarading router that runs oidentd -f +# if your identd proxy is not the default router, you have to +# manually specify it via -P +OIDENT_BEHIND_PROXY=yes + diff --git a/usr/share/carnet-upgrade/files/etc/default/postgrey b/usr/share/carnet-upgrade/files/etc/default/postgrey new file mode 100644 index 0000000..07ba6bc --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/postgrey @@ -0,0 +1,10 @@ +# postgrey startup options, created for Debian +# (c)2004 Adrian von Bidder +# Distribute and/or modify at will. + +# you may want to set +# --delay=N how long to greylist, seconds (default: 300) +# --max-age=N delete old entries after N days (default: 30) +# see also the postgrey(8) manpage + +POSTGREY_OPTS="--inet=127.0.0.1:60000" diff --git a/usr/share/carnet-upgrade/files/etc/default/saslauthd b/usr/share/carnet-upgrade/files/etc/default/saslauthd new file mode 100644 index 0000000..fb83a6c --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/saslauthd @@ -0,0 +1,9 @@ +# This needs to be uncommented before saslauthd will be run automatically +# START=yes + +# You must specify the authentication mechanisms you wish to use. +# This defaults to "pam" for PAM support, but may also include +# "shadow" or "sasldb", like this: +# MECHANISMS="pam shadow" + +MECHANISMS="pam" diff --git a/usr/share/carnet-upgrade/files/etc/default/slapd b/usr/share/carnet-upgrade/files/etc/default/slapd new file mode 100644 index 0000000..fe7568e --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/default/slapd @@ -0,0 +1,33 @@ +# Default location of the slapd.conf file +SLAPD_CONF= + +# System account to run the slapd server under. If empty the server +# will run as root. +SLAPD_USER= + +# System group to run the slapd server under. If empty the server will +# run in the primary group of its user. +SLAPD_GROUP= + +# Path to the pid file of the slapd server. If not set the init.d script +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf) +SLAPD_PIDFILE= + +# Configure if db_recover should be called before starting slapd +TRY_BDB_RECOVERY=yes + +# Configure if the slurpd daemon should be started. Possible values: +# - yes: Always start slurpd +# - no: Never start slurpd +# - auto: Start slurpd if a replica option is found in slapd.conf (default) +SLURPD_START=auto + +# slapd normally serves ldap only on all TCP-ports 389. slapd can also +# service requests on TCP-port 636 (ldaps) and requests via unix +# sockets. +# Example usage: +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" + +# Additional options to pass to slapd and slurpd +SLAPD_OPTIONS="" +SLURPD_OPTIONS="" diff --git a/usr/share/carnet-upgrade/files/etc/dovecot/dovecot.conf b/usr/share/carnet-upgrade/files/etc/dovecot/dovecot.conf new file mode 100644 index 0000000..98a46f6 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/dovecot/dovecot.conf @@ -0,0 +1,500 @@ +## Dovecot 1.0 configuration file + +# Default values are shown after each value, it's not required to uncomment +# any of the lines. Exception to this are paths, they're just examples +# with real defaults being based on configure options. The paths listed here +# are for configure --prefix=/usr --sysconfdir=/etc/dovecot +# --localstatedir=/var --with-ssldir=/etc/ssl + +# Base directory where to store runtime data. +#base_dir = /var/run/dovecot/ + +# Protocols we want to be serving: +# imap imaps pop3 pop3s +protocols = + +# IP or host address where to listen in for connections. It's not currently +# possible to specify multiple addresses. "*" listens in all IPv4 interfaces. +# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4 +# interfaces depending on the operating system. You can specify ports with +# "host:port". +#imap_listen = * +#pop3_listen = * + +# IP or host address where to listen in for SSL connections. Defaults +# to above non-SSL equilevants if not specified. +#imaps_listen = +#pop3s_listen = + +# Disable SSL/TLS support. +#ssl_disable = no + +# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before +# dropping root privileges, so keep the key file unreadable by anyone but +# root. +#ssl_cert_file = /etc/ssl/certs/dovecot.pem +#ssl_key_file = /etc/ssl/private/dovecot.pem + +# SSL parameter file. Master process generates this file for login processes. +# It contains Diffie Hellman and RSA parameters. +#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat + +# How often to regenerate the SSL parameters file. Generation is quite CPU +# intensive operation. The value is in hours, 0 disables regeneration +# entirely. +#ssl_parameters_regenerate = 24 + +# Disable LOGIN command and all other plaintext authentications unless +# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and +# IPv6 ::1 addresses are considered secure, this setting has no effect if +# you connect from those addresses. +#disable_plaintext_auth = yes + +# Use this logfile instead of syslog(). /dev/stderr can be used if you want to +# use stderr for logging (ONLY /dev/stderr - otherwise it is closed). +#log_path = + +# For informational messages, use this logfile instead of the default +#info_log_path = + +# Prefix for each line written to log file. % codes are in strftime(3) +# format. +#log_timestamp = "%b %d %H:%M:%S " + +## +## Login processes +## + +# Directory where authentication process places authentication UNIX sockets +# which login needs to be able to connect to. The sockets are created when +# running as root, so you don't have to worry about permissions. Note that +# everything in this directory is deleted when Dovecot is started. +#login_dir = /var/run/dovecot/login + +# chroot login process to the login_dir. Only reason not to do this is if you +# wish to run the whole Dovecot without roots. +# http://wiki.dovecot.org/Rootless +#login_chroot = yes + + +## +## IMAP login process +## + +login = imap + +# Executable location. +#login_executable = /usr/lib/dovecot/imap-login + +# User to use for the login process. Create a completely new user for this, +# and don't use it anywhere else. The user must also belong to a group where +# only it has access, it's used to control access for authentication process. +# Note that this user is NOT used to access mails. +# http://wiki.dovecot.org/UserIds +#login_user = dovecot + +# Set max. process size in megabytes. If you don't use +# login_process_per_connection you might need to grow this. +#login_process_size = 32 + +# Should each login be processed in it's own process (yes), or should one +# login process be allowed to process multiple connections (no)? Yes is more +# secure, espcially with SSL/TLS enabled. No is faster since there's no need +# to create processes all the time. +#login_process_per_connection = yes + +# Number of login processes to create. If login_process_per_user is +# yes, this is the number of extra processes waiting for users to log in. +#login_processes_count = 3 + +# Maximum number of extra login processes to create. The extra process count +# usually stays at login_processes_count, but when multiple users start logging +# in at the same time more extra processes are created. To prevent fork-bombing +# we check only once in a second if new processes should be created - if all +# of them are used at the time, we double their amount until limit set by this +# setting is reached. This setting is used only if login_process_per_use is yes. +#login_max_processes_count = 128 + +# Maximum number of connections allowed in login state. When this limit is +# reached, the oldest connections are dropped. If login_process_per_user +# is no, this is a per-process value, so the absolute maximum number of users +# logging in actually login_processes_count * max_logging_users. +#login_max_logging_users = 256 + +## +## POP3 login process +## + +# Settings default to same as above, so you don't have to set anything +# unless you want to override them. + +login = pop3 + +# Exception to above rule being the executable location. +#login_executable = /usr/lib/dovecot/pop3-login + +## +## Mail processes +## + +# Maximum number of running mail processes. When this limit is reached, +# new users aren't allowed to log in. +#max_mail_processes = 1024 + +# Show more verbose process titles (in ps). Currently shows user name and +# IP address. Useful for seeing who are actually using the IMAP processes +# (eg. shared mailboxes or if same uid is used for multiple accounts). +#verbose_proctitle = no + +# Show protocol level SSL errors. +#verbose_ssl = no + +# Valid UID range for users, defaults to 500 and above. This is mostly +# to make sure that users can't log in as daemons or other system users. +# Note that denying root logins is hardcoded to dovecot binary and can't +# be done even if first_valid_uid is set to 0. +#first_valid_uid = 500 +#last_valid_uid = 0 + +# Valid GID range for users, defaults to non-root/wheel. Users having +# non-valid GID as primary group ID aren't allowed to log in. If user +# belongs to supplementary groups with non-valid GIDs, those groups are +# not set. +#first_valid_gid = 1 +#last_valid_gid = 0 + +# Grant access to these extra groups for mail processes. Typical use would be +# to give "mail" group write access to /var/mail to be able to create dotlocks. +mail_extra_groups = mail + +# ':' separated list of directories under which chrooting is allowed for mail +# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too). +# This setting doesn't affect login_chroot or auth_chroot variables. +# WARNING: Never add directories here which local users can modify, that +# may lead to root exploit. Usually this should be done only if you don't +# allow shell access for users. See +# /usr/share/doc/dovecot-common/configuration.txt for more information. +#valid_chroot_dirs = + +# Default chroot directory for mail processes. This can be overridden by +# giving /./ in user's home directory (eg. /home/./user chroots into /home). +#mail_chroot = + +# Default MAIL environment to use when it's not set. By leaving this empty +# dovecot tries to do some automatic detection as described in +# /usr/share/doc/dovecot-common/mail-storages.txt. There's a few special +# variables you can use: +# +# %u - username +# %n - user part in user@domain, same as %u if there's no domain +# %d - domain part in user@domain, empty if user there's no domain +# %h - home directory +# +# You can also limit a width of string by giving the number of max. characters +# after the '%' character. For example %1u gives the first character of +# username. Some examples: +# +# default_mail_env = maildir:/var/mail/%1u/%u/Maildir +# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u +# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n +# +#default_mail_env = + +# Space-separated list of fields to cache for all mails. Currently these +# fields are allowed followed by a list of commands they speed up: +# +# Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT, +# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID, +# HEADER IN-REPLY-TO +# Body - FETCH BODY +# Bodystructure - FETCH BODY, BODYSTRUCTURE +# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE, +# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE +# generation. This is always set with mbox mailboxes, and +# also default with Maildir. +# +# Different IMAP clients work in different ways, that's why Dovecot by default +# only caches MessagePart which speeds up most operations. Whenever client +# does something where caching could be used, the field is automatically marked +# to be cached later. For example after FETCH BODY the BODY will be cached +# for all new messages. Normally you should leave this alone, unless you know +# what most of your IMAP clients are. Caching more fields than needed makes +# the index files larger and generate useless I/O. +# +# With maildir there's one extra optimization - if nothing is cached, indexing +# the maildir becomes much faster since it's not opening any of the mail files. +# This could be useful if your IMAP clients access only new mails. + +#mail_cache_fields = MessagePart + +# Space-separated list of fields that Dovecot should never set to be cached. +# Useful if you want to save disk space at the cost of more I/O when the fields +# needed. +#mail_never_cache_fields = + +# Workarounds for various client bugs: +# oe6-fetch-no-newmail: +# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express +# seems to think they are FETCH replies and gives user "Message no longer +# in server" error. Note that OE6 still breaks even with this workaround +# if synchronization is set to "Headers Only". +# outlook-idle: +# Outlook and Outlook Express never abort IDLE command, so if no mail +# arrives in half a hour, Dovecot closes the connection. This is still +# fine, except Outlook doesn't connect back so you don't see if new mail +# arrives. +# outlook-pop3-no-nuls: +# Outlook and Outlook Express hang if mails contain NUL characters. +# This setting replaces them with 0x80 character. +#client_workarounds = + +# Dovecot can notify client of new mail in selected mailbox soon after it's +# received. This setting specifies the minimum interval in seconds between +# new mail notifications to client - internally they may be checked more or +# less often. Setting this to 0 disables the checking. +# NOTE: Evolution client breaks with this option when it's trying to APPEND. +#mailbox_check_interval = 0 + +# Like mailbox_check_interval, but used for IDLE command. +#mailbox_idle_check_interval = 30 + +# Allow full filesystem access to clients. There's no access checks other than +# what the operating system does for the active UID/GID. It works with both +# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/ +# or ~user/. +#mail_full_filesystem_access = no + +# Maximum allowed length for custom flag name. It's only forced when trying +# to create new flags. +#mail_max_flag_length = 50 + +# Save mails with CR+LF instead of plain LF. This makes sending those mails +# take less CPU, especially with sendfile() syscall with Linux and FreeBSD. +# But it also creates a bit more disk I/O which may just make it slower. +#mail_save_crlf = no + +# Use mmap() instead of read() to read mail files. read() seems to be a bit +# faster with my Linux/x86 and it's better with NFS, so that's the default. +#mail_read_mmaped = no + +# By default LIST command returns all entries in maildir beginning with dot. +# Enabling this option makes Dovecot return only entries which are directories. +# This is done by stat()ing each entry, so it causes more disk I/O. +# (For systems setting struct dirent->d_type, this check is free and it's +# done always regardless of this setting) +#maildir_stat_dirs = no + +# Copy mail to another folders using hard links. This is much faster than +# actually copying the file. This is problematic only if something modifies +# the mail in one folder but doesn't want it modified in the others. I don't +# know any MUA which would modify mail files directly. IMAP protocol also +# requires that the mails don't change, so it would be problematic in any case. +# If you care about performance, enable it. +#maildir_copy_with_hardlinks = no + +# Check if mails' content has been changed by external programs. This slows +# down things as extra stat() needs to be called for each file. If changes are +# noticed, the message is treated as a new message, since IMAP protocol +# specifies that existing messages are immutable. +#maildir_check_content_changes = no + +# Which locking methods to use for locking mbox. There's three available: +# dotlock: Create .lock file. This is the oldest and most NFS-safe +# solution. If you want to use /var/mail/ like directory, the users +# will need write access to that directory. +# fcntl : Use this if possible. Works with NFS too if lockd is used. +# flock : May not exist in all systems. Doesn't work with NFS. +# +# You can use both fcntl and flock too; if you do the order they're declared +# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl +# and flock. Some operating systems don't allow using both of them +# simultaneously, eg. BSDs. If dotlock is used, it's always created first. +#mbox_locks = dotlock fcntl + +# Should we create dotlock file even when we want only a read-lock? Setting +# this to yes hurts the performance when the mailbox is accessed simultaneously +# by multiple processes, but it's needed for reliable reading if no other +# locking methods are available. +#mbox_read_dotlock = no + +# Maximum time in seconds to wait for lock (all of them) before aborting. +#mbox_lock_timeout = 300 + +# If dotlock exists but the mailbox isn't modified in any way, override the +# lock file after this many seconds. +#mbox_dotlock_change_timeout = 30 + +# umask to use for mail files and directories +#umask = 0077 + +# Drop all privileges before exec()ing the mail process. This is mostly +# meant for debugging, otherwise you don't get core dumps. Note that setting +# this to yes means that log file is opened as the logged in user, which +# might not work. It could also be a small security risk if you use single UID +# for multiple users, as the users could ptrace() each others processes then. +#mail_drop_priv_before_exec = no + +## +## IMAP process +## + +# Executable location +#imap_executable = /usr/lib/dovecot/imap + +# Set max. process size in megabytes. Most of the memory goes to mmap()ing +# files, so it shouldn't harm much even if this limit is set pretty high. +#imap_process_size = 256 + +# Support for dynamically loadable modules. +#imap_use_modules = no +#imap_modules = /usr/lib/dovecot/imap + +## +## POP3 process +## + +# Executable location +#pop3_executable = /usr/lib/dovecot/pop3 + +# Set max. process size in megabytes. Most of the memory goes to mmap()ing +# files, so it shouldn't harm much even if this limit is set pretty high. +#pop3_process_size = 256 + +# Support for dynamically loadable modules. +#pop3_use_modules = no +#pop3_modules = /usr/lib/dovecot/pop3 + +## +## Authentication processes +## + +# An Authentication process is a child process used by Dovecot that +# handles the authentication steps. The steps cover an authentication +# mechanism (auth_mechanisms, how the client authenticates in the IMAP or +# POP3 protocol), which password database should be queried (auth_passdb), +# and which user database should be queried (auth_userdb, to obtain +# UID, GID, and location of the user's mailbox/home directory). +# +# You can have multiple processes, though a typical configuration will +# have only one. Each time "auth = xx" is seen, a new process +# definition is started. The point of multiple processes is to be able +# to set stricter permissions. (See auth_user below.) +# +# Just remember that only one Authentication process is asked for the +# password, so you can't have different passwords accessible through +# different process definitions (unless they have different +# auth_mechanisms, and you're ok with having different password for +# each mechanisms). + +# Authentication process name. +auth = default + +# Specifies how the client authenticates in the IMAP protocol. +# Space separated list of permitted authentication mechanisms: +# anonymous plain digest-md5 cram-md5 +# +# anonymous - No authentication required. +# plain - The password is sent as plain text. All IMAP/POP3 clients +# support this, and the password can be encrypted by Dovecot to match +# any of the encryption schemes used in password databases. +# digest-md5 and cram-md5 - both encrypt the password so it is more +# secure in transit, but are not well supported by clients, and +# require that the password database use a matching encryption +# scheme (or be in plaintext). +# +# See auth.txt for more details. +# +# If you are using SSL there is less benefit to digest-md5 and +# cram-md5 as the communication is already encrypted. +auth_mechanisms = plain + +# Space separated list of realms for SASL authentication mechanisms that need +# them. You can leave it empty if you don't want to support multiple realms. +# Many clients simply use the first one listed here, so keep the default realm +# first. +#auth_realms = + +# Default realm/domain to use if none was specified. This is used for both +# SASL realms and appending @domain to username in plaintext logins. +#auth_default_realm = + +# User database specifies where mails are located and what user/group IDs +# own them. For single-UID configuration use "static". +# http://wiki.dovecot.org/Authentication +# http://wiki.dovecot.org/VirtualUsers +# passwd: /etc/passwd or similiar, using getpwnam() +# passwd-file : passwd-like file with specified location +# static uid= gid= home=: static settings +# vpopmail: vpopmail library +# ldap : LDAP, see /etc/dovecot/dovecot-ldap.conf +# mysql : a MySQL database, see /etc/dovecot/dovecot-mysql.conf +# pgsql : a PostgreSQL database, see +# /etc/dovecot/dovecot-pgsql.conf +auth_userdb = passwd + +# Password database specifies only the passwords for users. +# http://wiki.dovecot.org/Authentication +# passwd: /etc/passwd or similiar, using getpwnam() +# shadow: /etc/shadow or similiar, using getspnam() +# pam [ | *]: PAM authentication +# passwd-file : passwd-like file with specified location +# vpopmail: vpopmail authentication +# ldap : LDAP, see /etc/dovecot/dovecot-ldap.conf +# mysql : a MySQL database, see /etc/dovecot/dovecot-mysql.conf +# pgsql : a PostgreSQL database, see +# /etc/dovecot/dovecot-pgsql.conf +auth_passdb = pam + +#auth_executable = /usr/lib/dovecot/dovecot-auth + +# Set max. process size in megabytes. +#auth_process_size = 256 + +# User to use for the process. This user needs access to only user and +# password databases, nothing else. Only shadow and pam authentication +# requires roots, so use something else if possible. Note that passwd +# authentication with BSDs internally accesses shadow files, which also +# requires roots. Note that this user is NOT used to access mails. +# That user is specified by auth_userdb above. +auth_user = root + +# Directory where to chroot the process. Most authentication backends don't +# work if this is set, and there's no point chrooting if auth_user is root. +#auth_chroot = + +# Number of authentication processes to create +#auth_count = 1 + +# List of allowed characters in username. If the user-given username contains +# a character not listed in here, the login automatically fails. This is just +# an extra check to make sure user can't exploit any potential quote escaping +# vulnerabilities with SQL/LDAP databases. If you want to allow all characters, +# set this value to empty. +#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@ + +# Username to use for users logging in with ANONYMOUS SASL mechanism +#auth_anonymous_username = anonymous + +# More verbose logging. Useful for figuring out why authentication isn't +# working. +#auth_verbose = no + +# Even more verbose logging for debugging purposes. Shows for example SQL +# queries. +#auth_debug = no + +# digest-md5 authentication process. It requires special MD5 passwords which +# /etc/shadow and PAM doesn't support, so we never need roots to handle it. +# Note that the passwd-file is opened before chrooting and dropping root +# privileges, so it may be 0600-root owned file. + +#auth = digest_md5 +#auth_mechanisms = digest-md5 +#auth_realms = +#auth_userdb = passwd-file /etc/passwd.imap +#auth_passdb = passwd-file /etc/passwd.imap +#auth_user = imapauth +#auth_chroot = + +# if you plan to use only passwd-file, you don't need the two auth processes, +# simply set "auth_methods = plain digest-md5" diff --git a/usr/share/carnet-upgrade/files/etc/init.d/mysql b/usr/share/carnet-upgrade/files/etc/init.d/mysql new file mode 100755 index 0000000..3f41118 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/init.d/mysql @@ -0,0 +1,163 @@ +#!/bin/bash +# +# MySQL daemon start/stop script. +# +# Debian version. Based on the original by TcX. +# +set -e +set -u +${DEBIAN_SCRIPT_DEBUG:+ set -v -x} + +test -x /usr/sbin/mysqld || exit 0 + +SELF=$(cd $(dirname $0); pwd -P)/$(basename $0) +CONF=/etc/mysql/my.cnf +MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" +RUNDIR=/var/run/mysqld/ + +# priority can be overriden and "-s" adds output to stderr +ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i" + +# Safeguard (relative paths, core dumps..) +cd / +umask 077 +export PATH=/bin:/usr/bin + +# mysqladmin likes to read /root/.my.cnf. This is usually not what I want +# as many admins e.g. only store a password without a username there and +# so break my scripts. +export HOME=/etc/mysql/ + +## fetch a particular option from mysql's invocation +# +# usage: void mysqld_get_param option +mysqld_get_param() { + /usr/sbin/mysqld --print-defaults \ + | tr " " "\n" \ + | grep -- "--$1" \ + | tail -n 1 \ + | cut -d= -f2 +} + +## Checks if there is a server running and if so if it is accessible. +# +# check_alive insists on a pingable server +# check_dead also fails if there is a lost mysqld in the process list +# +# Usage: boolean mysqld_status [check_alive|check_dead] [warn|nowarn] +mysqld_status () { + ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? )) + + ps_alive=0 + pidfile=`mysqld_get_param pid-file` + if [ -f "$pidfile" ]; then + if ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi + fi + + if [ "$1" = "check_alive" -a $ping_alive = 1 ] || + [ "$1" = "check_dead" -a $ping_alive = 0 -a $ps_alive = 0 ]; then + return 0 # EXIT_SUCCESS + else + if [ "$2" = "warn" ]; then + /bin/echo -e "$ps_alive processes alive and '$MYADMIN ping' resulted in\n$ping_output\n" | $ERR_LOGGER -p daemon.debug + fi + return 1 # EXIT_FAILURE + fi +} + +# +# main() +# + +case "${1:-''}" in + 'start') + # check for config file + if [ ! -r $CONF ]; then + /bin/echo -e "\nWARNING: $CONF cannot be read. See README.Debian." + fi + # check for /var/run/mysqld/ which maybe have only been on a tempfs + if [ ! -d $RUNDIR ]; then + install --directory --owner=mysql --mode=755 $RUNDIR + fi + # Start daemon + echo -n "Starting MySQL database server: mysqld" + if mysqld_status check_alive nowarn; then + echo "...already running." + else + /usr/bin/mysqld_safe > /dev/null 2>&1 & + for i in 1 2 3 4 5 6; do + sleep 1 + if mysqld_status check_alive nowarn ; then break; fi + done + if mysqld_status check_alive warn; then + echo "." + # Now start mysqlcheck or whatever the admin wants. + /etc/mysql/debian-start + else + echo "...failed." + /bin/echo -e "\tPlease take a look at the syslog." + fi + fi + + if $MYADMIN variables | egrep -q have_bdb.*YES; then + /bin/echo "BerkeleyDB is obsolete, see /usr/share/doc/mysql-server/README.Debian.gz" | $ERR_LOGGER -p daemon.info + fi + + ;; + + 'stop') + # * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible + # at least for cron, we can rely on it here, too. (although we have + # to specify it explicit as e.g. sudo environments points to the normal + # users home and not /root) + echo -n "Stopping MySQL database server: mysqld" + if ! mysqld_status check_dead nowarn; then + set +e + shutdown_out=`$MYADMIN shutdown 2>&1`; r=$? + set -e + if [ "$r" -ne 0 ]; then + /bin/echo -e -n "...failed.\n$shutdown_out\nKilling MySQL database server by signal: mysqld" + killall -15 mysqld + server_down= + for i in 1 2 3 4 5 6 7 8 9 10; do + sleep 1 + if mysqld_status check_dead nowarn; then server_down=1; break; fi + done + if test -z "$server_down"; then killall -9 mysqld; fi + fi + fi + + if ! mysqld_status check_dead warn; then + echo "...failed." + echo "Please stop MySQL manually and read /usr/share/doc/mysql-server/README.Debian!" + exit -1 + else + echo "." + fi + ;; + + 'restart') + set +e; $SELF stop; set -e + $SELF start + ;; + + 'reload'|'force-reload') + echo -n "Reloading MySQL database server: mysqld" + $MYADMIN reload + echo "." + ;; + + 'status') + if mysqld_status check_alive nowarn; then + $MYADMIN version + else + echo "MySQL is stopped." + fi + ;; + + *) + echo "Usage: $SELF start|stop|restart|reload|force-reload" + exit 1 + ;; +esac + diff --git a/usr/share/carnet-upgrade/files/etc/init.d/slapd b/usr/share/carnet-upgrade/files/etc/init.d/slapd new file mode 100755 index 0000000..53b18fc --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/init.d/slapd @@ -0,0 +1,256 @@ +#! /bin/sh + +# Kill me on all errors +set -e + +# Stop processing if slapd is not there +[ -x /usr/sbin/slapd ] || exit 0 + +# Set default values +DB_RECOVER_CMD=db4.2_recover + +# Source the init script configuration +if [ -f "/etc/default/slapd" ]; then + . /etc/default/slapd +fi + +# Load the default location of the slapd config file +if [ -z "$SLAPD_CONF" ]; then + SLAPD_CONF="/etc/ldap/slapd.conf" +else + SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS" + SLURPD_OPTIONS="-f $SLAPD_CONF $SLURPD_OPTIONS" +fi + +# Stop processing if the config file is not there +if [ ! -r "$SLAPD_CONF" ]; then + cat <&2 +No configuration file was found for slapd at $SLAPD_CONF. +If you have moved the slapd configuration file please modify +/etc/default/slapd to reflect this. If you chose to not +configure slapd during installation then you need to do so +prior to attempting to start slapd. +An example slapd.conf is in /usr/share/slapd +EOF + exit 0 # Should this be 1? +fi + +# Figure out some default settings +# Check wether slurpd should get started +if [ "$SLURPD_START" != "yes" ] && [ "$SLURPD_START" != "no" ]; then + if grep -q '^replica' "$SLAPD_CONF" > /dev/null 2>&1 ; then + SLURPD_START=yes + else + SLURPD_START=no + fi +fi + +# Find out the name of slapd's pid file +if [ -z "$SLAPD_PIDFILE" ]; then + SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \ + "$SLAPD_CONF"` +fi + +# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail) +# -- Torsten +if [ -z "$SLAPD_PIDFILE" ]; then + cat <&2 +The pidfile for slapd is neither specified in "$SLAPD_CONF" nor +in /etc/default/slapd. Consequently, slapd will not be started. +EOF + exit 1 +fi + +# Pass the user and group to run under to slapd +if [ "$SLAPD_USER" ]; then + SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS" +fi + +if [ "$SLAPD_GROUP" ]; then + SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS" +fi + +# Tell the user that something went wrong and give some hints for +# resolving the problem. +report_failure() { + if [ -n "$reason" ]; then + echo " - failed: " + echo "$reason" + else + echo " - failed." + cat </dev/null 2>&1; then + echo -n " ($DB_RECOVER_CMD not found), " + return 0 + fi + + bdb_envs=`find_bdb_envs` + + # We care only about BDB environments + if [ -z "$bdb_envs" ]; then + return 0 + fi + + # Make sure there is no slapcat and no slapd running as we might + # break the DB in that case + if pidof /usr/lib/slapd >/dev/null; then + echo -n " (slapd running, no recovery), " + return 0 + fi + + echo -n " running BDB recovery" + for dbdir in $bdb_envs; do + reason="`$DB_RECOVER_CMD -eh $dbdir 2>&1`" || \ + db_recover_failed $dbdir + done + echo -n "," +} + +# Find bdb environment dirs +find_bdb_envs() { + local d + for d in `sed -ne 's/^directory[[:space:]]\+"*\([^"]\+\).*/\1/p' \ + < "$SLAPD_CONF"`; do + if [ -d "$d" -a -f "$d/objectClass.bdb" ]; then + echo $d + fi + done +} + +# Inform the user that BDB recovery failed +db_recover_failed() { + local dbdir + dbdir="$1" + + reason="`cat <&1`" + else + reason="`start-stop-daemon --start --quiet --oknodo \ + --pidfile "$SLAPD_PIDFILE" \ + --exec /usr/sbin/slapd -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`" + fi +} + +# Start the slurpd daemon and capture the error message if any to +# $reason. +start_slurpd() { + if [ "$SLURPD_START" != yes ]; then + return 0 + fi + echo -n " slurpd" + reason="`start-stop-daemon --start --quiet --oknodo \ + --exec /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1`" +} + +# Stop the slapd daemon and capture the error message (if any) to +# $reason. +stop_slapd() { + echo -n " slapd" + reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --pidfile "$SLAPD_PIDFILE" \ + --exec /usr/sbin/slapd 2>&1`" +} + +# Stop the slurpd daemon and capture the error message (if any) to +# $reason. +stop_slurpd() { + if [ "$SLURPD_START" != yes ]; then + return 0 + fi + echo -n " slurpd" + reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \ + --exec /usr/sbin/slurpd 2>&1`" +} + +# Start the OpenLDAP daemons +start() { + echo -n "Starting OpenLDAP:" + trap 'report_failure' 0 + if [ "$TRY_BDB_RECOVERY" = "yes" ]; then + try_fix_db + fi + start_slapd + start_slurpd + trap "-" 0 + echo . +} + +# Stop the OpenLDAP daemons +stop() { + echo -n "Stopping OpenLDAP:" + trap 'report_failure' 0 + stop_slurpd + stop_slapd + trap "-" 0 + echo . +} + +case "$1" in + start) + start ;; + stop) + stop ;; + restart|force-reload) + stop + start + ;; + *) + echo "Usage: $0 {start|stop|restart|force-reload}" + exit 1 + ;; +esac diff --git a/usr/share/carnet-upgrade/files/etc/issue b/usr/share/carnet-upgrade/files/etc/issue new file mode 100644 index 0000000..0117bcc --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/issue @@ -0,0 +1,2 @@ +Debian GNU/Linux 3.1 \n \l + diff --git a/usr/share/carnet-upgrade/files/etc/issue.net b/usr/share/carnet-upgrade/files/etc/issue.net new file mode 100644 index 0000000..fb3f9e3 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/issue.net @@ -0,0 +1 @@ +Debian GNU/Linux 3.1 %h diff --git a/usr/share/carnet-upgrade/files/etc/logrotate.d/mysql-server b/usr/share/carnet-upgrade/files/etc/logrotate.d/mysql-server new file mode 100644 index 0000000..6d0f02d --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/logrotate.d/mysql-server @@ -0,0 +1,34 @@ +# +# - This script rotates the normal query-log and the slow-log files. +# Binary-log rotation is configured in /etc/mysql/debian-log-rotate.conf +# - All files should be in one block so that only one flush-logs is neccessary. +# - The error log is obsolete, messages go to syslog now. +/var/log/mysql.log /var/log/mysql/mysql.log /var/log/mysql.err /var/log/mysql/mysql.err /var/log/mysql/mysql-slow.log { + daily + rotate 7 + missingok + create 640 mysql adm + compress + sharedscripts + postrotate + test -x /usr/bin/mysqladmin || exit 0 + + # If this fails, check debian.conf! + export HOME=/etc/mysql/my.cnf + MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf" + if [ -z "`$MYADMIN ping 2>/dev/null`" ]; then + # Really no mysqld or rather a missing debian-sys-maint user? + # If this occurs and is not a error please report a bug. + if ps cax | grep -q mysqld; then + exit 1 + fi + else + $MYADMIN flush-logs + fi + errlogs=`ls /var/log/mysql.err* /var/log/mysql/mysql.err* 2>/dev/null` + if [ -n "$errlogs" ]; then + chown root:adm $errlogs + chmod 640 $errlogs + fi + endscript +} diff --git a/usr/share/carnet-upgrade/files/etc/ntp.conf b/usr/share/carnet-upgrade/files/etc/ntp.conf new file mode 100644 index 0000000..de35125 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/ntp.conf @@ -0,0 +1,52 @@ +# /etc/ntp.conf, configuration for ntpd + +# ntpd will use syslog() if logfile is not defined +#logfile /var/log/ntpd + +driftfile /var/lib/ntp/ntp.drift +statsdir /var/log/ntpstats/ + +statistics loopstats peerstats clockstats +filegen loopstats file loopstats type day enable +filegen peerstats file peerstats type day enable +filegen clockstats file clockstats type day enable + + +# You do need to talk to an NTP server or two (or three). +#server ntp.your-provider.example + +# pool.ntp.org maps to more than 100 low-stratum NTP servers. +# Your server will pick a different set every time it starts up. +# *** Please consider joining the pool! *** +# *** *** +server pool.ntp.org +#server pool.ntp.org +## uncomment for extra reliability + +# ... and use the local system clock as a reference if all else fails +# NOTE: in a local network, set the local stratum of *one* stable server +# to 10; otherwise your clocks will drift apart if you lose connectivity. +server 127.127.1.0 +fudge 127.127.1.0 stratum 13 + +# By default, exchange time with everybody, but don't allow configuration. +# See /usr/share/doc/ntp-doc/html/accopt.html for details. +restrict default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 nomodify + +# Clients from this (example!) subnet have unlimited access, +# but only if cryptographically authenticated +#restrict 192.168.123.0 mask 255.255.255.0 notrust + +# If you want to provide time to your local subnet, change the next line. +# (Again, the address is an example only.) +#broadcast 192.168.123.255 + +# If you want to listen to time broadcasts on your local subnet, +# de-comment the next lines. Please do this only if you trust everybody +# on the network! +#disable auth +#broadcastclient + diff --git a/usr/share/carnet-upgrade/files/etc/pam.d/login b/usr/share/carnet-upgrade/files/etc/pam.d/login new file mode 100644 index 0000000..95e049d --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/pam.d/login @@ -0,0 +1,75 @@ +# +# The PAM configuration file for the Shadow `login' service +# +# NOTE: If you use a session module (such as kerberos or NIS+) +# that retains persistent credentials (like key caches, etc), you +# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs +# in order for login to stay around until after logout to call +# pam_close_session() and cleanup. +# + +# Outputs an issue file prior to each login prompt (Replaces the +# ISSUE_FILE option from login.defs). Uncomment for use +# auth required pam_issue.so issue=/etc/issue + +# Disallows root logins except on tty's listed in /etc/securetty +# (Replaces the `CONSOLE' setting from login.defs) +auth requisite pam_securetty.so + +# Disallows other than root logins when /etc/nologin exists +# (Replaces the `NOLOGINS_FILE' option from login.defs) +auth requisite pam_nologin.so + +# This module parses /etc/environment (the standard for setting +# environ vars) and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# (Replaces the `ENVIRON_FILE' setting from login.defs) +auth required pam_env.so + +# Standard Un*x authentication. The "nullok" line allows passwordless +# accounts. +@include common-auth + +# This allows certain extra groups to be granted to a user +# based on things like time of day, tty, service, and user. +# Please uncomment and edit /etc/security/group.conf if you +# wish to use this. +# (Replaces the `CONSOLE_GROUPS' option in login.defs) +# auth optional pam_group.so + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on logins. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# Uncomment and edit /etc/security/access.conf if you need to +# set access limits. +# (Replaces /etc/login.access file) +# account required pam_access.so + +# Standard Un*x account and session +@include common-account +@include common-session + +# Sets up user limits, please uncomment and read /etc/security/limits.conf +# to enable this functionality. +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# Prints the last login info upon succesful login +# (Replaces the `LASTLOG_ENAB' option from login.defs) +session optional pam_lastlog.so + +# Prints the motd upon succesful login +# (Replaces the `MOTD_FILE' option in login.defs) +session optional pam_motd.so + +# Prints the status of the user's mailbox upon succesful login +# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You +# can also enable a MAIL environment variable from here, but it +# is better handled by /etc/login.defs, since userdel also uses +# it to make sure that removing a user, also removes their mail +# spool file. +session optional pam_mail.so standard noenv +@include common-password diff --git a/usr/share/carnet-upgrade/files/etc/security/limits.conf b/usr/share/carnet-upgrade/files/etc/security/limits.conf new file mode 100644 index 0000000..ccb4e10 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/security/limits.conf @@ -0,0 +1,45 @@ +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - an user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open files +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit +# - maxlogins - max number of logins for this user +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# +# +# + +#* soft core 0 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#@student - maxlogins 4 + +# End of file diff --git a/usr/share/carnet-upgrade/files/etc/squirrelmail/apache.conf b/usr/share/carnet-upgrade/files/etc/squirrelmail/apache.conf new file mode 100644 index 0000000..6c055b1 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/squirrelmail/apache.conf @@ -0,0 +1,39 @@ +Alias /squirrelmail /usr/share/squirrelmail + + + php_flag register_globals off + Options Indexes FollowSymLinks + + DirectoryIndex index.php + + + # access to configtest is limited by default to prevent information leak + + order deny,allow + deny from all + allow from 127.0.0.1 + + + +# users will prefer a simple URL like http://webmail.example.com +# +# DocumentRoot /usr/share/squirrelmail +# ServerName webmail.example.com +# + +# redirect to https when available (thanks omen@descolada.dartmouth.edu) +# +# Note: There are multiple ways to do this, and which one is suitable for +# your site's configuration depends. Consult the apache documentation if +# you're unsure, as this example might not work everywhere. +# +# +# +# +# RewriteEngine on +# RewriteCond %{HTTPS} !^on$ [NC] +# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L] +# +# +# + diff --git a/usr/share/carnet-upgrade/files/etc/sysctl.conf b/usr/share/carnet-upgrade/files/etc/sysctl.conf new file mode 100644 index 0000000..3ee7e4d --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/sysctl.conf @@ -0,0 +1,6 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See sysctl.conf (5) for information. +# +#kernel.domainname = example.com +#net/ipv4/icmp_echo_ignore_broadcasts=1 diff --git a/usr/share/carnet-upgrade/files/etc/vsftpd.conf b/usr/share/carnet-upgrade/files/etc/vsftpd.conf new file mode 100644 index 0000000..ad86434 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/vsftpd.conf @@ -0,0 +1,139 @@ +# Example config file /etc/vsftpd.conf +# +# The default compiled in settings are fairly paranoid. This sample file +# loosens things up a bit, to make the ftp daemon more usable. +# Please see vsftpd.conf.5 for all compiled in defaults. +# +# READ THIS: This example file is NOT an exhaustive list of vsftpd options. +# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's +# capabilities. +# +# +# Run standalone? vsftpd can run either from an inetd or as a standalone +# daemon started from an initscript. +listen=YES +# +# Run standalone with IPv6? +# Like the listen parameter, except vsftpd will listen on an IPv6 socket +# instead of an IPv4 one. This parameter and the listen parameter are mutually +# exclusive. +#listen_ipv6=YES +# +# Allow anonymous FTP? (Beware - allowed by default if you comment this out). +anonymous_enable=YES +# +# Uncomment this to allow local users to log in. +#local_enable=YES +# +# Uncomment this to enable any form of FTP write command. +#write_enable=YES +# +# Default umask for local users is 077. You may wish to change this to 022, +# if your users expect that (022 is used by most other ftpd's) +#local_umask=022 +# +# Uncomment this to allow the anonymous FTP user to upload files. This only +# has an effect if the above global write enable is activated. Also, you will +# obviously need to create a directory writable by the FTP user. +#anon_upload_enable=YES +# +# Uncomment this if you want the anonymous FTP user to be able to create +# new directories. +#anon_mkdir_write_enable=YES +# +# Activate directory messages - messages given to remote users when they +# go into a certain directory. +dirmessage_enable=YES +# +# Activate logging of uploads/downloads. +xferlog_enable=YES +# +# Make sure PORT transfer connections originate from port 20 (ftp-data). +connect_from_port_20=YES +# +# If you want, you can arrange for uploaded anonymous files to be owned by +# a different user. Note! Using "root" for uploaded files is not +# recommended! +#chown_uploads=YES +#chown_username=whoever +# +# You may override where the log file goes if you like. The default is shown +# below. +#xferlog_file=/var/log/vsftpd.log +# +# If you want, you can have your log file in standard ftpd xferlog format +#xferlog_std_format=YES +# +# You may change the default value for timing out an idle session. +#idle_session_timeout=600 +# +# You may change the default value for timing out a data connection. +#data_connection_timeout=120 +# +# It is recommended that you define on your system a unique user which the +# ftp server can use as a totally isolated and unprivileged user. +#nopriv_user=ftpsecure +# +# Enable this and the server will recognise asynchronous ABOR requests. Not +# recommended for security (the code is non-trivial). Not enabling it, +# however, may confuse older FTP clients. +#async_abor_enable=YES +# +# By default the server will pretend to allow ASCII mode but in fact ignore +# the request. Turn on the below options to have the server actually do ASCII +# mangling on files when in ASCII mode. +# Beware that turning on ascii_download_enable enables malicious remote parties +# to consume your I/O resources, by issuing the command "SIZE /big/file" in +# ASCII mode. +# These ASCII options are split into upload and download because you may wish +# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking), +# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be +# on the client anyway.. +#ascii_upload_enable=YES +#ascii_download_enable=YES +# +# You may fully customise the login banner string: +#ftpd_banner=Welcome to blah FTP service. +# +# You may specify a file of disallowed anonymous e-mail addresses. Apparently +# useful for combatting certain DoS attacks. +#deny_email_enable=YES +# (default follows) +#banned_email_file=/etc/vsftpd.banned_emails +# +# You may restrict local users to their home directories. See the FAQ for +# the possible risks in this before using chroot_local_user or +# chroot_list_enable below. +#chroot_local_user=YES +# +# You may specify an explicit list of local users to chroot() to their home +# directory. If chroot_local_user is YES, then this list becomes a list of +# users to NOT chroot(). +#chroot_list_enable=YES +# (default follows) +#chroot_list_file=/etc/vsftpd.chroot_list +# +# You may activate the "-R" option to the builtin ls. This is disabled by +# default to avoid remote users being able to cause excessive I/O on large +# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume +# the presence of the "-R" option, so there is a strong case for enabling it. +#ls_recurse_enable=YES +# +# +# Debian customization +# +# Some of vsftpd's settings don't fit the Debian filesystem layout by +# default. These settings are more Debian-friendly. +# +# This option should be the name of a directory which is empty. Also, the +# directory should not be writable by the ftp user. This directory is used +# as a secure chroot() jail at times vsftpd does not require filesystem +# access. +secure_chroot_dir=/var/run/vsftpd +# +# This string is the name of the PAM service vsftpd will use. +pam_service_name=vsftpd +# +# This option specifies the location of the RSA certificate to use for SSL +# encrypted connections. +rsa_cert_file=/etc/ssl/certs/vsftpd.pem diff --git a/usr/share/carnet-upgrade/files/etc/xinetd.conf b/usr/share/carnet-upgrade/files/etc/xinetd.conf new file mode 100644 index 0000000..9e6ea25 --- /dev/null +++ b/usr/share/carnet-upgrade/files/etc/xinetd.conf @@ -0,0 +1,11 @@ +# Simple configuration file for xinetd +# +# Some defaults, and include /etc/xinetd.d/ + +defaults +{ + + +} + +includedir /etc/xinetd.d