--- /dev/null
+# AIDE conf
+
+database=file:/var/lib/aide/aide.db
+database_out=file:/var/lib/aide/aide.db.new
+
+# Change this to "no" or remove it to not gzip output
+# (only useful on systems with few CPU cycles to spare)
+gzip_dbout=yes
+
+# Here are all the things we can check - these are the default rules
+#
+#p: permissions
+#i: inode
+#n: number of links
+#u: user
+#g: group
+#s: size
+#b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#md5: md5 checksum
+#sha1: sha1 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+#R: p+i+n+u+g+s+m+c+md5
+#L: p+i+n+u+g
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S
+#haval: haval checksum
+#gost: gost checksum
+#crc32: crc32 checksum
+
+# Defines formerly set here have been moved to /etc/default/aide.
+
+# Custom rules
+Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
+ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
+Logs = p+i+n+u+g+S
+Devices = p+i+n+u+g+s+b+c+md5+sha1
+Databases = p+n+u+g
+StaticDir = p+i+n+u+g
+ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
+
+# Next decide what directories/files you want in the database
+
+# Kernel, system map, etc.
+=/boot$ Binlib
+# Binaries
+/bin Binlib
+/sbin Binlib
+/usr/bin Binlib
+/usr/sbin Binlib
+/usr/local/bin Binlib
+/usr/local/sbin Binlib
+/usr/games Binlib
+# Libraries
+/lib Binlib
+/usr/lib Binlib
+/usr/local/lib Binlib
+# Log files
+=/var/log$ StaticDir
+!/var/log/ksymoops
+/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
+/var/log/aide/error.log(.[0-9])?(.gz)? Databases
+/var/log/setuid.changes(.[0-9])?(.gz)? Databases
+!/var/log/aide
+/var/log Logs
+# Devices
+!/dev/pts
+# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
+# you may uncomment this to get rid of them. They're harmless but sometimes
+# annoying.
+#!/dev/cpu/mtrr
+!/dev/xconsole
+/dev Devices
+# Other miscellaneous files
+/var/run$ StaticDir
+!/var/run
+# Test only the directory when dealing with /proc
+/proc$ StaticDir
+!/proc
+
+# You can look through these examples to get further ideas
+
+# MD5 sum files - especially useful with debsums -g
+#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1
+
+# Check crontabs
+#/var/spool/anacron/cron.daily Databases
+#/var/spool/anacron/cron.monthly Databases
+#/var/spool/anacron/cron.weekly Databases
+#/var/spool/cron Databases
+#/var/spool/cron/crontabs Databases
+
+# manpages can be trojaned, especially depending on *roff implementation
+#/usr/man ManPages
+#/usr/share/man ManPages
+#/usr/local/man ManPages
+
+# docs
+#/usr/doc ManPages
+#/usr/share/doc ManPages
+
+# check users' home directories
+#/home Binlib
+
+# check sources for modifications
+#/usr/src L
+#/usr/local/src L
+
+# Check headers for same
+#/usr/include L
+#/usr/local/include L
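Review bot: The `ConfFiles` rule is defined under "Custom rules" but no selection line uses it, and `/etc` does not appear anywhere in the selection list, so edits to account, authentication and service configuration files would not show up in the daily report. Unless another fragment that feeds the generated configuration already covers it, add a line such as `/etc ConfFiles`. The entries under "Check crontabs" are also left commented out; scheduled-job directories are worth enabling for the same reason, since a changed crontab is otherwise invisible to this check.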
--- /dev/null
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you might need to uncomment the query-source
+ // directive below. Previous versions of BIND always asked
+ // questions using port 53, but BIND 8.1 and later use an unprivileged
+ // port by default.
+
+ // query-source address * port 53;
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ auth-nxdomain no; # conform to RFC1035
+
+};
+
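Review bot: The `options` block sets no `allow-recursion` or `allow-query` restriction, so who may use this server as a recursive resolver is left to the installed BIND version's built-in default and to whatever firewall sits in front of it. If the host is reachable from untrusted networks, state the policy explicitly, for example `allow-recursion { localhost; localnets; };`. A short comment next to the commented-out `query-source address * port 53;` line would also help, noting that pinning the source port gives up source-port randomisation, which resolvers rely on to resist cache poisoning.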
--- /dev/null
+#!/bin/bash
+
+PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+LOGDIR="/var/log/aide"
+LOGFILE="aide.log"
+CONFFILE="/var/lib/aide/aide.conf.autogenerated"
+ERRORLOG="error.log"
+ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"`
+
+[ -f /usr/bin/aide ] || exit 0
+
+if [ -f /etc/default/aide ]; then
+ . /etc/default/aide
+fi
+
+DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut --delimiter=: --fields=2`
+FQDN=`hostname -f`
+DATE=`date +"at %Y-%m-%d %H:%M"`
+
+# default values
+
+MAILTO="${MAILTO:-root}"
+DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
+LINES="${LINES:-1000}"
+COMMAND="${COMMAND:-check}"
+
+AIDEARGS="-V4"
+
+if [ ! -f $DATABASE ]; then
+ (
+ echo "Fatal error: The AIDE database does not exist!"
+ echo "This may mean you haven't created it, or it may mean that someone has removed it."
+ ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
+ exit 0
+fi
+
+[ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
+[ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null
+
+aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
+RETVAL=$?
+
+if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then
+ # Bail now because there was no output and QUIETREPORTS is set
+ exit 0
+fi
+
+(cat << EOF;
+This is an automated report generated by the Advanced Intrusion Detection
+Environment on $FQDN ${DATE}.
+
+EOF
+
+# include error log in daily report e-mail
+
+if [ "$RETVAL" != "0" ]; then
+ cat > "$LOGDIR/$ERRORLOG" << EOF;
+
+*****************************************************************************
+* aide returned a non-zero exit value *
+*****************************************************************************
+
+EOF
+ echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
+else
+ touch "$LOGDIR/$ERRORLOG"
+fi
+< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
+rm -f "$ERRORTMP"
+
+if [ -s "$LOGDIR/$ERRORLOG" ]; then
+ errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'`
+ if [ ${errorlines:=0} -gt $LINES ]; then
+ cat << EOF;
+
+****************************************************************************
+* aide has returned many errors. *
+* the error log output has been truncated in this mail *
+****************************************************************************
+
+EOF
+ echo "Error output is $errorlines lines, truncated to $LINES."
+ head -$LINES "$LOGDIR/$ERRORLOG"
+ echo "The full output can be found in $LOGDIR/$ERRORLOG."
+ else
+ echo "Errors produced ($errorlines lines):"
+ cat "$LOGDIR/$ERRORLOG"
+ fi
+else
+ echo "AIDE produced no errors."
+fi
+
+# include de-noised log
+
+if [ -n "$NOISE" ]; then
+ NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"`
+ NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"`
+ sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
+ grep '^\(changed\|removed\|added\):' | \
+ grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2
+
+ if [ -n "$NOISE" ]; then
+ < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP
+ rm -f $NOISETMP2
+ echo "De-Noised output removes everything matching $NOISE."
+ else
+ mv $NOISETMP2 $NOISETMP
+ echo "No noise expression was given."
+ fi
+
+ if [ -s "$NOISETMP" ]; then
+ loglines=`< $NOISETMP wc -l | awk '{ print $1 }'`
+ if [ ${loglines:=0} -gt $LINES ]; then
+ cat << EOF;
+
+****************************************************************************
+* aide has returned long output which has been truncated in this mail *
+****************************************************************************
+
+EOF
+ echo "De-Noised output is $loglines lines, truncated to $LINES."
+ < $NOISETMP head -$LINES
+ echo "The full output can be found in $LOGDIR/$LOGFILE."
+ else
+ echo "De-Noised output of the daily AIDE run ($loglines lines):"
+ cat $NOISETMP
+ fi
+ else
+ echo "AIDE detected no changes after removing noise."
+ fi
+ rm -f $NOISETMP
+ echo "============================================================================"
+fi
+
+# include non-de-noised log
+
+if [ -s "$LOGDIR/$LOGFILE" ]; then
+ loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'`
+ if [ ${loglines:=0} -gt $LINES ]; then
+ cat << EOF;
+
+****************************************************************************
+* aide has returned long output which has been truncated in this mail *
+****************************************************************************
+
+EOF
+ echo "Output is $loglines lines, truncated to $LINES."
+ head -$LINES "$LOGDIR/$LOGFILE"
+ echo "The full output can be found in $LOGDIR/$LOGFILE."
+ else
+ echo "Output of the daily AIDE run ($loglines lines):"
+ cat "$LOGDIR/$LOGFILE"
+ fi
+else
+ echo "AIDE detected no changes."
+fi
+) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
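Review bot: `ERRORTMP` is created before any of the early exits, so the run leaves a stray file in /tmp whenever aide is not installed (`[ -f /usr/bin/aide ] || exit 0`), the database is missing, or the QUIETREPORTS branch bails out. Register the cleanup once, right after the file is created: `trap 'rm -f "$ERRORTMP"' EXIT`. In the same script `$DATABASE`, `$QUIETREPORTS` and the `$NOISETMP`/`$NOISETMP2` paths are expanded unquoted inside `[ ... ]` and as command arguments; `$QUIETREPORTS` comes from the sourced /etc/default/aide and `$DATABASE` is parsed out of the config file, so quote them to keep a value with spaces or glob characters from changing the test. The inner `if [ -n "$NOISE" ]` repeats the outer condition, so its "No noise expression was given." branch can never run.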
--- /dev/null
+# These settings are mainly for the wrapper scripts around aide,
+# such as aideinit and /etc/cron.daily/aide
+
+# This is the email address reports get mailed to
+MAILTO=root
+
+# Set this to suppress mailings when there's nothing to report
+#QUIETREPORTS=1
+
+# This parameter defines which aide command to run from the cron script.
+# Sensible values are "update" and "check".
+# Default is "check", ensuring backwards compatibility.
+# Since "update" does not take any longer, it is recommended to use "update",
+# so that a new database is created every day. The new database needs to be
+# manually copied over the current one, though.
+COMMAND=update
+
+# This parameter defines how many lines to return per e-mail. Output longer
+# than this value will be truncated in the e-mail sent out.
+LINES=1000
+
+# This parameter gives a grep regular expression. If given, all output lines
+# that _don't_ match the regexp are listed first in the script's output. This
+# allows to easily remove noise from the aide report.
+NOISE="(/var/cache/dwww|/var/backups|/var/lib/dwww/html)"
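Review bot: The default `NOISE` value uses extended-regex syntax (`(a|b|c)`), but the daily cron script in this same change splices it into a basic-regex pattern, `grep -v "^\(changed\|removed\|added\):$NOISE"`, where unescaped `(` and `|` are literal characters. As shipped, the filter therefore matches nothing and the "De-Noised" section repeats every change line. Either write the default in basic syntax, `NOISE="\(/var/cache/dwww\|/var/backups\|/var/lib/dwww/html\)"`, or switch that grep to `grep -E -v "^(changed|removed|added):$NOISE"` and keep this value. Because this file is sourced by a root cron job, a comment stating that it must stay writable by root only would also be worth adding.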
--- /dev/null
+# servers to check. (Separate multiple servers with spaces.)
+NTPSERVERS="pool.ntp.org"
+#
+# additional options for ntpdate
+#NTPOPTIONS="-v"
+NTPOPTIONS="-u"
--- /dev/null
+# options to use when starting oidentd as daemon:
+# -m lookup masquaraded connections in /etc/oidentd_masq.users
+# -f forward requests for masquaraded connections to real host
+# -q don't log connections to oidentd
+# see oidentd(8) for detailed list
+OIDENT_OPTIONS="-mf"
+
+# user / group
+OIDENT_USER=nobody
+OIDENT_GROUP=nogroup
+
+# Allow the default router to act as an oidentd proxy? (yes/no)
+# this is needed behind a masquarading router that runs oidentd -f
+# if your identd proxy is not the default router, you have to
+# manually specify it via -P
+OIDENT_BEHIND_PROXY=yes
+
--- /dev/null
+# postgrey startup options, created for Debian
+# (c)2004 Adrian von Bidder <avbidder@fortytwo.ch>
+# Distribute and/or modify at will.
+
+# you may want to set
+# --delay=N how long to greylist, seconds (default: 300)
+# --max-age=N delete old entries after N days (default: 30)
+# see also the postgrey(8) manpage
+
+POSTGREY_OPTS="--inet=127.0.0.1:60000"
--- /dev/null
+# This needs to be uncommented before saslauthd will be run automatically
+# START=yes
+
+# You must specify the authentication mechanisms you wish to use.
+# This defaults to "pam" for PAM support, but may also include
+# "shadow" or "sasldb", like this:
+# MECHANISMS="pam shadow"
+
+MECHANISMS="pam"
--- /dev/null
+# Default location of the slapd.conf file
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER=
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP=
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf)
+SLAPD_PIDFILE=
+
+# Configure if db_recover should be called before starting slapd
+TRY_BDB_RECOVERY=yes
+
+# Configure if the slurpd daemon should be started. Possible values:
+# - yes: Always start slurpd
+# - no: Never start slurpd
+# - auto: Start slurpd if a replica option is found in slapd.conf (default)
+SLURPD_START=auto
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+
+# Additional options to pass to slapd and slurpd
+SLAPD_OPTIONS=""
+SLURPD_OPTIONS=""
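Review bot: `SLAPD_USER=` is left empty, and the comment directly above it says that in that case the server runs as root, so any flaw in slapd's network-facing request handling would be exposed with full privileges. Set `SLAPD_USER` and `SLAPD_GROUP` to a dedicated unprivileged account that owns the database directory and can read the configuration. `SLAPD_SERVICES` is also unset, which leaves the listener at the default the comment describes (plain ldap on port 389); if only local clients are expected, a loopback-only value in the form of the example, `SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"`, narrows the exposure.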
--- /dev/null
+## Dovecot 1.0 configuration file
+
+# Default values are shown after each value, it's not required to uncomment
+# any of the lines. Exception to this are paths, they're just examples
+# with real defaults being based on configure options. The paths listed here
+# are for configure --prefix=/usr --sysconfdir=/etc/dovecot
+# --localstatedir=/var --with-ssldir=/etc/ssl
+
+# Base directory where to store runtime data.
+#base_dir = /var/run/dovecot/
+
+# Protocols we want to be serving:
+# imap imaps pop3 pop3s
+protocols =
+
+# IP or host address where to listen in for connections. It's not currently
+# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.
+# "[::]" listens in all IPv6 interfaces, but may also listen in all IPv4
+# interfaces depending on the operating system. You can specify ports with
+# "host:port".
+#imap_listen = *
+#pop3_listen = *
+
+# IP or host address where to listen in for SSL connections. Defaults
+# to above non-SSL equilevants if not specified.
+#imaps_listen =
+#pop3s_listen =
+
+# Disable SSL/TLS support.
+#ssl_disable = no
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root.
+#ssl_cert_file = /etc/ssl/certs/dovecot.pem
+#ssl_key_file = /etc/ssl/private/dovecot.pem
+
+# SSL parameter file. Master process generates this file for login processes.
+# It contains Diffie Hellman and RSA parameters.
+#ssl_parameters_file = /var/run/dovecot/ssl-parameters.dat
+
+# How often to regenerate the SSL parameters file. Generation is quite CPU
+# intensive operation. The value is in hours, 0 disables regeneration
+# entirely.
+#ssl_parameters_regenerate = 24
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that 127.*.*.* and
+# IPv6 ::1 addresses are considered secure, this setting has no effect if
+# you connect from those addresses.
+#disable_plaintext_auth = yes
+
+# Use this logfile instead of syslog(). /dev/stderr can be used if you want to
+# use stderr for logging (ONLY /dev/stderr - otherwise it is closed).
+#log_path =
+
+# For informational messages, use this logfile instead of the default
+#info_log_path =
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+##
+## Login processes
+##
+
+# Directory where authentication process places authentication UNIX sockets
+# which login needs to be able to connect to. The sockets are created when
+# running as root, so you don't have to worry about permissions. Note that
+# everything in this directory is deleted when Dovecot is started.
+#login_dir = /var/run/dovecot/login
+
+# chroot login process to the login_dir. Only reason not to do this is if you
+# wish to run the whole Dovecot without roots.
+# http://wiki.dovecot.org/Rootless
+#login_chroot = yes
+
+
+##
+## IMAP login process
+##
+
+login = imap
+
+# Executable location.
+#login_executable = /usr/lib/dovecot/imap-login
+
+# User to use for the login process. Create a completely new user for this,
+# and don't use it anywhere else. The user must also belong to a group where
+# only it has access, it's used to control access for authentication process.
+# Note that this user is NOT used to access mails.
+# http://wiki.dovecot.org/UserIds
+#login_user = dovecot
+
+# Set max. process size in megabytes. If you don't use
+# login_process_per_connection you might need to grow this.
+#login_process_size = 32
+
+# Should each login be processed in it's own process (yes), or should one
+# login process be allowed to process multiple connections (no)? Yes is more
+# secure, espcially with SSL/TLS enabled. No is faster since there's no need
+# to create processes all the time.
+#login_process_per_connection = yes
+
+# Number of login processes to create. If login_process_per_user is
+# yes, this is the number of extra processes waiting for users to log in.
+#login_processes_count = 3
+
+# Maximum number of extra login processes to create. The extra process count
+# usually stays at login_processes_count, but when multiple users start logging
+# in at the same time more extra processes are created. To prevent fork-bombing
+# we check only once in a second if new processes should be created - if all
+# of them are used at the time, we double their amount until limit set by this
+# setting is reached. This setting is used only if login_process_per_use is yes.
+#login_max_processes_count = 128
+
+# Maximum number of connections allowed in login state. When this limit is
+# reached, the oldest connections are dropped. If login_process_per_user
+# is no, this is a per-process value, so the absolute maximum number of users
+# logging in actually login_processes_count * max_logging_users.
+#login_max_logging_users = 256
+
+##
+## POP3 login process
+##
+
+# Settings default to same as above, so you don't have to set anything
+# unless you want to override them.
+
+login = pop3
+
+# Exception to above rule being the executable location.
+#login_executable = /usr/lib/dovecot/pop3-login
+
+##
+## Mail processes
+##
+
+# Maximum number of running mail processes. When this limit is reached,
+# new users aren't allowed to log in.
+#max_mail_processes = 1024
+
+# Show more verbose process titles (in ps). Currently shows user name and
+# IP address. Useful for seeing who are actually using the IMAP processes
+# (eg. shared mailboxes or if same uid is used for multiple accounts).
+#verbose_proctitle = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Grant access to these extra groups for mail processes. Typical use would be
+# to give "mail" group write access to /var/mail to be able to create dotlocks.
+mail_extra_groups = mail
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot or auth_chroot variables.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. See
+# /usr/share/doc/dovecot-common/configuration.txt for more information.
+#valid_chroot_dirs =
+
+# Default chroot directory for mail processes. This can be overridden by
+# giving /./ in user's home directory (eg. /home/./user chroots into /home).
+#mail_chroot =
+
+# Default MAIL environment to use when it's not set. By leaving this empty
+# dovecot tries to do some automatic detection as described in
+# /usr/share/doc/dovecot-common/mail-storages.txt. There's a few special
+# variables you can use:
+#
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if user there's no domain
+# %h - home directory
+#
+# You can also limit a width of string by giving the number of max. characters
+# after the '%' character. For example %1u gives the first character of
+# username. Some examples:
+#
+# default_mail_env = maildir:/var/mail/%1u/%u/Maildir
+# default_mail_env = mbox:~/mail/:INBOX=/var/mail/%u
+# default_mail_env = mbox:/var/mail/%d/%n/:INDEX=/var/indexes/%d/%n
+#
+#default_mail_env =
+
+# Space-separated list of fields to cache for all mails. Currently these
+# fields are allowed followed by a list of commands they speed up:
+#
+# Envelope - FETCH ENVELOPE and SEARCH FROM, TO, CC, BCC, SUBJECT,
+# SENTBEFORE, SENTON, SENTSINCE, HEADER MESSAGE-ID,
+# HEADER IN-REPLY-TO
+# Body - FETCH BODY
+# Bodystructure - FETCH BODY, BODYSTRUCTURE
+# MessagePart - FETCH BODY[1.2.3] (ie. body parts), RFC822.SIZE,
+# SEARCH SMALLER, LARGER, also speeds up BODY/BODYSTRUCTURE
+# generation. This is always set with mbox mailboxes, and
+# also default with Maildir.
+#
+# Different IMAP clients work in different ways, that's why Dovecot by default
+# only caches MessagePart which speeds up most operations. Whenever client
+# does something where caching could be used, the field is automatically marked
+# to be cached later. For example after FETCH BODY the BODY will be cached
+# for all new messages. Normally you should leave this alone, unless you know
+# what most of your IMAP clients are. Caching more fields than needed makes
+# the index files larger and generate useless I/O.
+#
+# With maildir there's one extra optimization - if nothing is cached, indexing
+# the maildir becomes much faster since it's not opening any of the mail files.
+# This could be useful if your IMAP clients access only new mails.
+
+#mail_cache_fields = MessagePart
+
+# Space-separated list of fields that Dovecot should never set to be cached.
+# Useful if you want to save disk space at the cost of more I/O when the fields
+# needed.
+#mail_never_cache_fields =
+
+# Workarounds for various client bugs:
+# oe6-fetch-no-newmail:
+# Never send EXISTS/RECENT when replying to FETCH command. Outlook Express
+# seems to think they are FETCH replies and gives user "Message no longer
+# in server" error. Note that OE6 still breaks even with this workaround
+# if synchronization is set to "Headers Only".
+# outlook-idle:
+# Outlook and Outlook Express never abort IDLE command, so if no mail
+# arrives in half a hour, Dovecot closes the connection. This is still
+# fine, except Outlook doesn't connect back so you don't see if new mail
+# arrives.
+# outlook-pop3-no-nuls:
+# Outlook and Outlook Express hang if mails contain NUL characters.
+# This setting replaces them with 0x80 character.
+#client_workarounds =
+
+# Dovecot can notify client of new mail in selected mailbox soon after it's
+# received. This setting specifies the minimum interval in seconds between
+# new mail notifications to client - internally they may be checked more or
+# less often. Setting this to 0 disables the checking.
+# NOTE: Evolution client breaks with this option when it's trying to APPEND.
+#mailbox_check_interval = 0
+
+# Like mailbox_check_interval, but used for IDLE command.
+#mailbox_idle_check_interval = 30
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Maximum allowed length for custom flag name. It's only forced when trying
+# to create new flags.
+#mail_max_flag_length = 50
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+#mail_save_crlf = no
+
+# Use mmap() instead of read() to read mail files. read() seems to be a bit
+# faster with my Linux/x86 and it's better with NFS, so that's the default.
+#mail_read_mmaped = no
+
+# By default LIST command returns all entries in maildir beginning with dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# Copy mail to another folders using hard links. This is much faster than
+# actually copying the file. This is problematic only if something modifies
+# the mail in one folder but doesn't want it modified in the others. I don't
+# know any MUA which would modify mail files directly. IMAP protocol also
+# requires that the mails don't change, so it would be problematic in any case.
+# If you care about performance, enable it.
+#maildir_copy_with_hardlinks = no
+
+# Check if mails' content has been changed by external programs. This slows
+# down things as extra stat() needs to be called for each file. If changes are
+# noticed, the message is treated as a new message, since IMAP protocol
+# specifies that existing messages are immutable.
+#maildir_check_content_changes = no
+
+# Which locking methods to use for locking mbox. There's three available:
+# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+# solution. If you want to use /var/mail/ like directory, the users
+# will need write access to that directory.
+# fcntl : Use this if possible. Works with NFS too if lockd is used.
+# flock : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use both fcntl and flock too; if you do the order they're declared
+# with is important to avoid deadlocks if other MTAs/MUAs are using both fcntl
+# and flock. Some operating systems don't allow using both of them
+# simultaneously, eg. BSDs. If dotlock is used, it's always created first.
+#mbox_locks = dotlock fcntl
+
+# Should we create dotlock file even when we want only a read-lock? Setting
+# this to yes hurts the performance when the mailbox is accessed simultaneously
+# by multiple processes, but it's needed for reliable reading if no other
+# locking methods are available.
+#mbox_read_dotlock = no
+
+# Maximum time in seconds to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 300
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this many seconds.
+#mbox_dotlock_change_timeout = 30
+
+# umask to use for mail files and directories
+#umask = 0077
+
+# Drop all privileges before exec()ing the mail process. This is mostly
+# meant for debugging, otherwise you don't get core dumps. Note that setting
+# this to yes means that log file is opened as the logged in user, which
+# might not work. It could also be a small security risk if you use single UID
+# for multiple users, as the users could ptrace() each others processes then.
+#mail_drop_priv_before_exec = no
+
+##
+## IMAP process
+##
+
+# Executable location
+#imap_executable = /usr/lib/dovecot/imap
+
+# Set max. process size in megabytes. Most of the memory goes to mmap()ing
+# files, so it shouldn't harm much even if this limit is set pretty high.
+#imap_process_size = 256
+
+# Support for dynamically loadable modules.
+#imap_use_modules = no
+#imap_modules = /usr/lib/dovecot/imap
+
+##
+## POP3 process
+##
+
+# Executable location
+#pop3_executable = /usr/lib/dovecot/pop3
+
+# Set max. process size in megabytes. Most of the memory goes to mmap()ing
+# files, so it shouldn't harm much even if this limit is set pretty high.
+#pop3_process_size = 256
+
+# Support for dynamically loadable modules.
+#pop3_use_modules = no
+#pop3_modules = /usr/lib/dovecot/pop3
+
+##
+## Authentication processes
+##
+
+# An Authentication process is a child process used by Dovecot that
+# handles the authentication steps. The steps cover an authentication
+# mechanism (auth_mechanisms, how the client authenticates in the IMAP or
+# POP3 protocol), which password database should be queried (auth_passdb),
+# and which user database should be queried (auth_userdb, to obtain
+# UID, GID, and location of the user's mailbox/home directory).
+#
+# You can have multiple processes, though a typical configuration will
+# have only one. Each time "auth = xx" is seen, a new process
+# definition is started. The point of multiple processes is to be able
+# to set stricter permissions. (See auth_user below.)
+#
+# Just remember that only one Authentication process is asked for the
+# password, so you can't have different passwords accessible through
+# different process definitions (unless they have different
+# auth_mechanisms, and you're ok with having different password for
+# each mechanisms).
+
+# Authentication process name.
+auth = default
+
+# Specifies how the client authenticates in the IMAP protocol.
+# Space separated list of permitted authentication mechanisms:
+# anonymous plain digest-md5 cram-md5
+#
+# anonymous - No authentication required.
+# plain - The password is sent as plain text. All IMAP/POP3 clients
+# support this, and the password can be encrypted by Dovecot to match
+# any of the encryption schemes used in password databases.
+# digest-md5 and cram-md5 - both encrypt the password so it is more
+# secure in transit, but are not well supported by clients, and
+# require that the password database use a matching encryption
+# scheme (or be in plaintext).
+#
+# See auth.txt for more details.
+#
+# If you are using SSL there is less benefit to digest-md5 and
+# cram-md5 as the communication is already encrypted.
+auth_mechanisms = plain
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm =
+
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static".
+# http://wiki.dovecot.org/Authentication
+# http://wiki.dovecot.org/VirtualUsers
+# passwd: /etc/passwd or similiar, using getpwnam()
+# passwd-file <path>: passwd-like file with specified location
+# static uid=<uid> gid=<gid> home=<dir template>: static settings
+# vpopmail: vpopmail library
+# ldap <config path>: LDAP, see /etc/dovecot/dovecot-ldap.conf
+# mysql <config path>: a MySQL database, see /etc/dovecot/dovecot-mysql.conf
+# pgsql <config path>: a PostgreSQL database, see
+# /etc/dovecot/dovecot-pgsql.conf
+auth_userdb = passwd
+
+# Password database specifies only the passwords for users.
+# http://wiki.dovecot.org/Authentication
+# passwd: /etc/passwd or similiar, using getpwnam()
+# shadow: /etc/shadow or similiar, using getspnam()
+# pam [<service> | *]: PAM authentication
+# passwd-file <path>: passwd-like file with specified location
+# vpopmail: vpopmail authentication
+# ldap <config path>: LDAP, see /etc/dovecot/dovecot-ldap.conf
+# mysql <config path>: a MySQL database, see /etc/dovecot/dovecot-mysql.conf
+# pgsql <config path>: a PostgreSQL database, see
+# /etc/dovecot/dovecot-pgsql.conf
+auth_passdb = pam
+
+#auth_executable = /usr/lib/dovecot/dovecot-auth
+
+# Set max. process size in megabytes.
+#auth_process_size = 256
+
+# User to use for the process. This user needs access to only user and
+# password databases, nothing else. Only shadow and pam authentication
+# requires roots, so use something else if possible. Note that passwd
+# authentication with BSDs internally accesses shadow files, which also
+# requires roots. Note that this user is NOT used to access mails.
+# That user is specified by auth_userdb above.
+auth_user = root
+
+# Directory where to chroot the process. Most authentication backends don't
+# work if this is set, and there's no point chrooting if auth_user is root.
+#auth_chroot =
+
+# Number of authentication processes to create
+#auth_count = 1
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# More verbose logging. Useful for figuring out why authentication isn't
+# working.
+#auth_verbose = no
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# digest-md5 authentication process. It requires special MD5 passwords which
+# /etc/shadow and PAM doesn't support, so we never need roots to handle it.
+# Note that the passwd-file is opened before chrooting and dropping root
+# privileges, so it may be 0600-root owned file.
+
+#auth = digest_md5
+#auth_mechanisms = digest-md5
+#auth_realms =
+#auth_userdb = passwd-file /etc/passwd.imap
+#auth_passdb = passwd-file /etc/passwd.imap
+#auth_user = imapauth
+#auth_chroot =
+
+# if you plan to use only passwd-file, you don't need the two auth processes,
+# simply set "auth_methods = plain digest-md5"
--- /dev/null
+#!/bin/bash
+#
+# MySQL daemon start/stop script.
+#
+# Debian version. Based on the original by TcX.
+#
+set -e
+set -u
+${DEBIAN_SCRIPT_DEBUG:+ set -v -x}
+
+test -x /usr/sbin/mysqld || exit 0
+
+SELF=$(cd $(dirname $0); pwd -P)/$(basename $0)
+CONF=/etc/mysql/my.cnf
+MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
+RUNDIR=/var/run/mysqld/
+
+# priority can be overriden and "-s" adds output to stderr
+ERR_LOGGER="logger -p daemon.err -t /etc/init.d/mysql -i"
+
+# Safeguard (relative paths, core dumps..)
+cd /
+umask 077
+export PATH=/bin:/usr/bin
+
+# mysqladmin likes to read /root/.my.cnf. This is usually not what I want
+# as many admins e.g. only store a password without a username there and
+# so break my scripts.
+export HOME=/etc/mysql/
+
+## fetch a particular option from mysql's invocation
+#
+# usage: void mysqld_get_param option
+mysqld_get_param() {
+ /usr/sbin/mysqld --print-defaults \
+ | tr " " "\n" \
+ | grep -- "--$1" \
+ | tail -n 1 \
+ | cut -d= -f2
+}
+
+## Checks if there is a server running and if so if it is accessible.
+#
+# check_alive insists on a pingable server
+# check_dead also fails if there is a lost mysqld in the process list
+#
+# Usage: boolean mysqld_status [check_alive|check_dead] [warn|nowarn]
+mysqld_status () {
+ ping_output=`$MYADMIN ping 2>&1`; ping_alive=$(( ! $? ))
+
+ ps_alive=0
+ pidfile=`mysqld_get_param pid-file`
+ if [ -f "$pidfile" ]; then
+ if ps `cat $pidfile` >/dev/null 2>&1; then ps_alive=1; fi
+ fi
+
+ if [ "$1" = "check_alive" -a $ping_alive = 1 ] ||
+ [ "$1" = "check_dead" -a $ping_alive = 0 -a $ps_alive = 0 ]; then
+ return 0 # EXIT_SUCCESS
+ else
+ if [ "$2" = "warn" ]; then
+ /bin/echo -e "$ps_alive processes alive and '$MYADMIN ping' resulted in\n$ping_output\n" | $ERR_LOGGER -p daemon.debug
+ fi
+ return 1 # EXIT_FAILURE
+ fi
+}
+
+#
+# main()
+#
+
+case "${1:-''}" in
+ 'start')
+ # check for config file
+ if [ ! -r $CONF ]; then
+ /bin/echo -e "\nWARNING: $CONF cannot be read. See README.Debian."
+ fi
+ # check for /var/run/mysqld/ which maybe have only been on a tempfs
+ if [ ! -d $RUNDIR ]; then
+ install --directory --owner=mysql --mode=755 $RUNDIR
+ fi
+ # Start daemon
+ echo -n "Starting MySQL database server: mysqld"
+ if mysqld_status check_alive nowarn; then
+ echo "...already running."
+ else
+ /usr/bin/mysqld_safe > /dev/null 2>&1 &
+ for i in 1 2 3 4 5 6; do
+ sleep 1
+ if mysqld_status check_alive nowarn ; then break; fi
+ done
+ if mysqld_status check_alive warn; then
+ echo "."
+ # Now start mysqlcheck or whatever the admin wants.
+ /etc/mysql/debian-start
+ else
+ echo "...failed."
+ /bin/echo -e "\tPlease take a look at the syslog."
+ fi
+ fi
+
+ if $MYADMIN variables | egrep -q have_bdb.*YES; then
+ /bin/echo "BerkeleyDB is obsolete, see /usr/share/doc/mysql-server/README.Debian.gz" | $ERR_LOGGER -p daemon.info
+ fi
+
+ ;;
+
+ 'stop')
+ # * As a passwordless mysqladmin (e.g. via ~/.my.cnf) must be possible
+ # at least for cron, we can rely on it here, too. (although we have
+ # to specify it explicit as e.g. sudo environments points to the normal
+ # users home and not /root)
+ echo -n "Stopping MySQL database server: mysqld"
+ if ! mysqld_status check_dead nowarn; then
+ set +e
+ shutdown_out=`$MYADMIN shutdown 2>&1`; r=$?
+ set -e
+ if [ "$r" -ne 0 ]; then
+ /bin/echo -e -n "...failed.\n$shutdown_out\nKilling MySQL database server by signal: mysqld"
+ killall -15 mysqld
+ server_down=
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ sleep 1
+ if mysqld_status check_dead nowarn; then server_down=1; break; fi
+ done
+ if test -z "$server_down"; then killall -9 mysqld; fi
+ fi
+ fi
+
+ if ! mysqld_status check_dead warn; then
+ echo "...failed."
+ echo "Please stop MySQL manually and read /usr/share/doc/mysql-server/README.Debian!"
+ exit -1
+ else
+ echo "."
+ fi
+ ;;
+
+ 'restart')
+ set +e; $SELF stop; set -e
+ $SELF start
+ ;;
+
+ 'reload'|'force-reload')
+ echo -n "Reloading MySQL database server: mysqld"
+ $MYADMIN reload
+ echo "."
+ ;;
+
+ 'status')
+ if mysqld_status check_alive nowarn; then
+ $MYADMIN version
+ else
+ echo "MySQL is stopped."
+ fi
+ ;;
+
+ *)
+ echo "Usage: $SELF start|stop|restart|reload|force-reload"
+ exit 1
+ ;;
+esac
+
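Review bot: In mysqld_status the pidfile contents reach `ps` unquoted and unvalidated (`ps` is handed the output of `cat $pidfile`), and that file is presumably written by the mysql account, so a root-run init script is word-splitting data the service user can rewrite. Reading it once and accepting only digits closes that: `pid=$(cat "$pidfile" 2>/dev/null || true)` followed by `case "$pid" in ''|*[!0-9]*) ;; *) if ps -p "$pid" >/dev/null 2>&1; then ps_alive=1; fi ;; esac`. In the stop branch, `killall -15 mysqld` and `killall -9 mysqld` signal every process of that name on the host rather than the instance this script started. `exit -1` in the same branch is not a portable status and is reported as 255; `exit 1` is the conventional value.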
--- /dev/null
+#! /bin/sh
+
+# Kill me on all errors
+set -e
+
+# Stop processing if slapd is not there
+[ -x /usr/sbin/slapd ] || exit 0
+
+# Set default values
+DB_RECOVER_CMD=db4.2_recover
+
+# Source the init script configuration
+if [ -f "/etc/default/slapd" ]; then
+ . /etc/default/slapd
+fi
+
+# Load the default location of the slapd config file
+if [ -z "$SLAPD_CONF" ]; then
+ SLAPD_CONF="/etc/ldap/slapd.conf"
+else
+ SLAPD_OPTIONS="-f $SLAPD_CONF $SLAPD_OPTIONS"
+ SLURPD_OPTIONS="-f $SLAPD_CONF $SLURPD_OPTIONS"
+fi
+
+# Stop processing if the config file is not there
+if [ ! -r "$SLAPD_CONF" ]; then
+ cat <<EOF >&2
+No configuration file was found for slapd at $SLAPD_CONF.
+If you have moved the slapd configuration file please modify
+/etc/default/slapd to reflect this. If you chose to not
+configure slapd during installation then you need to do so
+prior to attempting to start slapd.
+An example slapd.conf is in /usr/share/slapd
+EOF
+ exit 0 # Should this be 1?
+fi
+
+# Figure out some default settings
+# Check wether slurpd should get started
+if [ "$SLURPD_START" != "yes" ] && [ "$SLURPD_START" != "no" ]; then
+ if grep -q '^replica' "$SLAPD_CONF" > /dev/null 2>&1 ; then
+ SLURPD_START=yes
+ else
+ SLURPD_START=no
+ fi
+fi
+
+# Find out the name of slapd's pid file
+if [ -z "$SLAPD_PIDFILE" ]; then
+ SLAPD_PIDFILE=`sed -ne 's/^pidfile[[:space:]]\+\(.\+\)/\1/p' \
+ "$SLAPD_CONF"`
+fi
+
+# XXX: Breaks upgrading if there is no pidfile (invoke-rc.d stop will fail)
+# -- Torsten
+if [ -z "$SLAPD_PIDFILE" ]; then
+ cat <<EOF >&2
+The pidfile for slapd is neither specified in "$SLAPD_CONF" nor
+in /etc/default/slapd. Consequently, slapd will not be started.
+EOF
+ exit 1
+fi
+
+# Pass the user and group to run under to slapd
+if [ "$SLAPD_USER" ]; then
+ SLAPD_OPTIONS="-u $SLAPD_USER $SLAPD_OPTIONS"
+fi
+
+if [ "$SLAPD_GROUP" ]; then
+ SLAPD_OPTIONS="-g $SLAPD_GROUP $SLAPD_OPTIONS"
+fi
+
+# Tell the user that something went wrong and give some hints for
+# resolving the problem.
+report_failure() {
+ if [ -n "$reason" ]; then
+ echo " - failed: "
+ echo "$reason"
+ else
+ echo " - failed."
+ cat <<EOF
+The operation failed but no output was produced. For hints on what went
+wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
+try running the daemon in Debug mode like via "slapd -d 16383" (warning:
+this will create copious output).
+EOF
+
+ if [ -n "$SLURPD_OPTIONS" -o \
+ -n "$SLAPD_OPTIONS" -o \
+ -n "$SLAPD_SERVICES" ]; then
+ cat << EOF
+
+Below, you can find the command line options used by this script to
+run slapd and slurpd. Do not forget to specify those options if you
+want to look to debugging output:
+EOF
+ if [ -z "$SLAPD_SERVICES" ]; then
+ if [ -n "$SLAPD_OPTIONS" ]; then
+ echo " slapd $SLAPD_OPTIONS"
+ fi
+ else
+ echo " slapd -h '$SLAPD_SERVICES' $SLAPD_OPTIONS"
+ fi
+
+ if [ "$SLURPD" = "yes" -a -n "$SLURPD_OPTIONS" ]; then
+ echo " slurpd $SLURPD_OPTIONS"
+ fi
+ fi
+ fi
+}
+
+# Try to recover slapd database
+try_fix_db() {
+ local dbdir failed bdb_envs
+
+ # db4.2-util is just recommended by slapd, so make sure it is
+ # available before trying to use it
+ if ! command -v $DB_RECOVER_CMD >/dev/null 2>&1; then
+ echo -n " ($DB_RECOVER_CMD not found), "
+ return 0
+ fi
+
+ bdb_envs=`find_bdb_envs`
+
+ # We care only about BDB environments
+ if [ -z "$bdb_envs" ]; then
+ return 0
+ fi
+
+ # Make sure there is no slapcat and no slapd running as we might
+ # break the DB in that case
+ if pidof /usr/lib/slapd >/dev/null; then
+ echo -n " (slapd running, no recovery), "
+ return 0
+ fi
+
+ echo -n " running BDB recovery"
+ for dbdir in $bdb_envs; do
+ reason="`$DB_RECOVER_CMD -eh $dbdir 2>&1`" || \
+ db_recover_failed $dbdir
+ done
+ echo -n ","
+}
+
+# Find bdb environment dirs
+find_bdb_envs() {
+ local d
+ for d in `sed -ne 's/^directory[[:space:]]\+"*\([^"]\+\).*/\1/p' \
+ < "$SLAPD_CONF"`; do
+ if [ -d "$d" -a -f "$d/objectClass.bdb" ]; then
+ echo $d
+ fi
+ done
+}
+
+# Inform the user that BDB recovery failed
+db_recover_failed() {
+ local dbdir
+ dbdir="$1"
+
+ reason="`cat <<EOF
+Automatic recovery of the OpenLDAP directory database in
+
+ $dbdir
+
+failed. You will need to perform a manual recovery, possibly from backup.
+The failed command was $DB_RECOVER_CMD -eh $dbdir. Output:
+
+$reason
+EOF`"
+ exit 1
+}
+
+# Start the slapd daemon and capture the error message if any to
+# $reason.
+start_slapd() {
+ echo -n " slapd"
+ if [ -z "$SLAPD_SERVICES" ]; then
+ reason="`start-stop-daemon --start --quiet --oknodo \
+ --pidfile "$SLAPD_PIDFILE" \
+ --exec /usr/sbin/slapd -- $SLAPD_OPTIONS 2>&1`"
+ else
+ reason="`start-stop-daemon --start --quiet --oknodo \
+ --pidfile "$SLAPD_PIDFILE" \
+ --exec /usr/sbin/slapd -- -h "$SLAPD_SERVICES" $SLAPD_OPTIONS 2>&1`"
+ fi
+}
+
+# Start the slurpd daemon and capture the error message if any to
+# $reason.
+start_slurpd() {
+ if [ "$SLURPD_START" != yes ]; then
+ return 0
+ fi
+ echo -n " slurpd"
+ reason="`start-stop-daemon --start --quiet --oknodo \
+ --exec /usr/sbin/slurpd -- $SLURPD_OPTIONS 2>&1`"
+}
+
+# Stop the slapd daemon and capture the error message (if any) to
+# $reason.
+stop_slapd() {
+ echo -n " slapd"
+ reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \
+ --pidfile "$SLAPD_PIDFILE" \
+ --exec /usr/sbin/slapd 2>&1`"
+}
+
+# Stop the slurpd daemon and capture the error message (if any) to
+# $reason.
+stop_slurpd() {
+ if [ "$SLURPD_START" != yes ]; then
+ return 0
+ fi
+ echo -n " slurpd"
+ reason="`start-stop-daemon --stop --quiet --oknodo --retry 10 \
+ --exec /usr/sbin/slurpd 2>&1`"
+}
+
+# Start the OpenLDAP daemons
+start() {
+ echo -n "Starting OpenLDAP:"
+ trap 'report_failure' 0
+ if [ "$TRY_BDB_RECOVERY" = "yes" ]; then
+ try_fix_db
+ fi
+ start_slapd
+ start_slurpd
+ trap "-" 0
+ echo .
+}
+
+# Stop the OpenLDAP daemons
+stop() {
+ echo -n "Stopping OpenLDAP:"
+ trap 'report_failure' 0
+ stop_slurpd
+ stop_slapd
+ trap "-" 0
+ echo .
+}
+
+case "$1" in
+ start)
+ start ;;
+ stop)
+ stop ;;
+ restart|force-reload)
+ stop
+ start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
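Review bot: The guard in try_fix_db that is meant to keep recovery away from a live database tests `pidof /usr/lib/slapd`, while every other reference in this script uses `/usr/sbin/slapd`, and despite its comment it never looks for slapcat. If that path does not match the running daemon, `$DB_RECOVER_CMD -eh` can run against an environment that is still open, which is exactly the corruption case the comment warns about. I would change the test to `if pidof /usr/sbin/slapd >/dev/null || pidof slapcat >/dev/null; then`. Separately, report_failure checks `$SLURPD` where the rest of the script uses `$SLURPD_START`, so the slurpd hint is probably never printed unless /etc/default/slapd happens to set that name.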
--- /dev/null
+Debian GNU/Linux 3.1 \n \l
+
--- /dev/null
+Debian GNU/Linux 3.1 %h
--- /dev/null
+#
+# - This script rotates the normal query-log and the slow-log files.
+# Binary-log rotation is configured in /etc/mysql/debian-log-rotate.conf
+# - All files should be in one block so that only one flush-logs is neccessary.
+# - The error log is obsolete, messages go to syslog now.
+/var/log/mysql.log /var/log/mysql/mysql.log /var/log/mysql.err /var/log/mysql/mysql.err /var/log/mysql/mysql-slow.log {
+ daily
+ rotate 7
+ missingok
+ create 640 mysql adm
+ compress
+ sharedscripts
+ postrotate
+ test -x /usr/bin/mysqladmin || exit 0
+
+ # If this fails, check debian.conf!
+ export HOME=/etc/mysql/my.cnf
+ MYADMIN="/usr/bin/mysqladmin --defaults-file=/etc/mysql/debian.cnf"
+ if [ -z "`$MYADMIN ping 2>/dev/null`" ]; then
+ # Really no mysqld or rather a missing debian-sys-maint user?
+ # If this occurs and is not a error please report a bug.
+ if ps cax | grep -q mysqld; then
+ exit 1
+ fi
+ else
+ $MYADMIN flush-logs
+ fi
+ errlogs=`ls /var/log/mysql.err* /var/log/mysql/mysql.err* 2>/dev/null`
+ if [ -n "$errlogs" ]; then
+ chown root:adm $errlogs
+ chmod 640 $errlogs
+ fi
+ endscript
+}
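Review bot: The tail of the postrotate script runs `chown root:adm $errlogs` and `chmod 640 $errlogs` as root on whatever `ls` returns for the mysql.err* globs, unquoted and without checking the file type. `create 640 mysql adm` suggests the mysql account owns files in that tree; if it can also create entries in /var/log/mysql, a symlink with a matching name would make root change the ownership and mode of the link target. Iterating the glob and skipping anything that is not a regular file avoids both the `ls` parsing and the link following: `for f in /var/log/mysql.err* /var/log/mysql/mysql.err*; do if [ -f "$f" ] && [ ! -L "$f" ]; then chown root:adm "$f"; chmod 640 "$f"; fi; done`. Also, `export HOME=/etc/mysql/my.cnf` points HOME at a file, whereas the init script on this page uses the directory `/etc/mysql/`.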
--- /dev/null
+# /etc/ntp.conf, configuration for ntpd
+
+# ntpd will use syslog() if logfile is not defined
+#logfile /var/log/ntpd
+
+driftfile /var/lib/ntp/ntp.drift
+statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to more than 100 low-stratum NTP servers.
+# Your server will pick a different set every time it starts up.
+# *** Please consider joining the pool! ***
+# *** <http://www.pool.ntp.org/#join> ***
+server pool.ntp.org
+#server pool.ntp.org
+## uncomment for extra reliability
+
+# ... and use the local system clock as a reference if all else fails
+# NOTE: in a local network, set the local stratum of *one* stable server
+# to 10; otherwise your clocks will drift apart if you lose connectivity.
+server 127.127.1.0
+fudge 127.127.1.0 stratum 13
+
+# By default, exchange time with everybody, but don't allow configuration.
+# See /usr/share/doc/ntp-doc/html/accopt.html for details.
+restrict default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1 nomodify
+
+# Clients from this (example!) subnet have unlimited access,
+# but only if cryptographically authenticated
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet,
+# de-comment the next lines. Please do this only if you trust everybody
+# on the network!
+#disable auth
+#broadcastclient
+
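Review bot: Only one upstream source is active (`server pool.ntp.org`) and the second line is left commented out, so apart from the stratum-13 local clock ntpd has nothing to compare that source against and cannot outvote a wrong one. Time feeds log correlation and ticket and certificate validity checks, so I would ship several sources enabled, for example `server 0.pool.ntp.org`, `server 1.pool.ntp.org` and `server 2.pool.ntp.org`. The `restrict default kod notrap nomodify nopeer noquery` line is a sound default; if this ntpd build also listens on IPv6 it would need a matching `restrict -6 default` line, which the file does not have.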
--- /dev/null
+#
+# The PAM configuration file for the Shadow `login' service
+#
+# NOTE: If you use a session module (such as kerberos or NIS+)
+# that retains persistent credentials (like key caches, etc), you
+# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
+# in order for login to stay around until after logout to call
+# pam_close_session() and cleanup.
+#
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+auth requisite pam_securetty.so
+
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
+# This module parses /etc/environment (the standard for setting
+# environ vars) and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+# (Replaces the `ENVIRON_FILE' setting from login.defs)
+auth required pam_env.so
+
+# Standard Un*x authentication. The "nullok" line allows passwordless
+# accounts.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please uncomment and edit /etc/security/group.conf if you
+# wish to use this.
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+# auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+
+# Sets up user limits, please uncomment and read /etc/security/limits.conf
+# to enable this functionality.
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the motd upon succesful login
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
+# can also enable a MAIL environment variable from here, but it
+# is better handled by /etc/login.defs, since userdel also uses
+# it to make sure that removing a user, also removes their mail
+# spool file.
+session optional pam_mail.so standard noenv
+@include common-password
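Review bot: Two comments describe settings this file does not contain. The text above `@include common-auth` says the "nullok" line allows passwordless accounts, but no nullok line is visible here; whether empty passwords are accepted is decided in common-auth, and the comment should say so, e.g. `# Standard Un*x authentication; whether empty passwords are accepted (nullok) is set in common-auth.` The comment above `session required pam_limits.so` says "please uncomment" although the line is already active, so it should read `# Enforces the per-user limits from /etc/security/limits.conf.`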
--- /dev/null
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - an user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open files
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit
+# - maxlogins - max number of logins for this user
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
--- /dev/null
+Alias /squirrelmail /usr/share/squirrelmail
+
+<Directory /usr/share/squirrelmail>
+ php_flag register_globals off
+ Options Indexes FollowSymLinks
+ <IfModule mod_dir.c>
+ DirectoryIndex index.php
+ </IfModule>
+
+ # access to configtest is limited by default to prevent information leak
+ <Files configtest.php>
+ order deny,allow
+ deny from all
+ allow from 127.0.0.1
+ </Files>
+</Directory>
+
+# users will prefer a simple URL like http://webmail.example.com
+#<VirtualHost 1.2.3.4>
+# DocumentRoot /usr/share/squirrelmail
+# ServerName webmail.example.com
+#</VirtualHost>
+
+# redirect to https when available (thanks omen@descolada.dartmouth.edu)
+#
+# Note: There are multiple ways to do this, and which one is suitable for
+# your site's configuration depends. Consult the apache documentation if
+# you're unsure, as this example might not work everywhere.
+#
+#<IfModule mod_rewrite.c>
+# <IfModule mod_ssl.c>
+# <Location /squirrelmail>
+# RewriteEngine on
+# RewriteCond %{HTTPS} !^on$ [NC]
+# RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
+# </Location>
+# </IfModule>
+#</IfModule>
+
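Review bot: `Options Indexes FollowSymLinks` on /usr/share/squirrelmail turns on directory listings for the whole webmail tree, which shows the file names in any directory without an index.php to every visitor. Nothing in this file suggests the application needs listings, so `Options FollowSymLinks` would be the safer line. The HTTPS redirect ships commented out, so by default the login form is served over plain HTTP; a comment near the top saying so, `# NOTE: logins travel in clear text until the HTTPS redirect below is enabled.`, would make that an explicit choice for the admin.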
--- /dev/null
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See sysctl.conf (5) for information.
+#
+#kernel.domainname = example.com
+#net/ipv4/icmp_echo_ignore_broadcasts=1
--- /dev/null
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+#
+# Run standalone? vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=YES
+#
+# Run standalone with IPv6?
+# Like the listen parameter, except vsftpd will listen on an IPv6 socket
+# instead of an IPv4 one. This parameter and the listen parameter are mutually
+# exclusive.
+#listen_ipv6=YES
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+anonymous_enable=YES
+#
+# Uncomment this to allow local users to log in.
+#local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that turning on ascii_download_enable enables malicious remote parties
+# to consume your I/O resources, by issuing the command "SIZE /big/file" in
+# ASCII mode.
+# These ASCII options are split into upload and download because you may wish
+# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
+# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
+# on the client anyway..
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may restrict local users to their home directories. See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+#chroot_local_user=YES
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+#
+# Debian customization
+#
+# Some of vsftpd's settings don't fit the Debian filesystem layout by
+# default. These settings are more Debian-friendly.
+#
+# This option should be the name of a directory which is empty. Also, the
+# directory should not be writable by the ftp user. This directory is used
+# as a secure chroot() jail at times vsftpd does not require filesystem
+# access.
+secure_chroot_dir=/var/run/vsftpd
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/vsftpd.pem
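Review bot: `anonymous_enable=YES` is the one access setting left active while `local_enable` stays commented out, so a fresh install serves anonymous FTP to anyone who can reach the port. Unless a public archive is the intent, I would ship `anonymous_enable=NO` and let the admin opt in. `rsa_cert_file=/etc/ssl/certs/vsftpd.pem` has no effect as written because `ssl_enable` is never set, so once `local_enable` is turned on, passwords would cross the network in clear text. A commented `#ssl_enable=YES` with one line of explanation next to the certificate path would make that visible.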
--- /dev/null
+# Simple configuration file for xinetd
+#
+# Some defaults, and include /etc/xinetd.d/
+
+defaults
+{
+
+
+}
+
+includedir /etc/xinetd.d