Changeset a4acd463
- Timestamp: 10/14/2003 04:25:20 PM (21 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: 9dc71fc
- Parents: 27d830e
- Files: 12 edited
basicnet/netprogs/ncpfs/ncpfs-inst.xml
r27d830e ra4acd463 4 4 <para>Install <application><acronym>NCPFS</acronym></application> by running the following commands:</para> 5 5 6 < para><screen><userinput>./configure --prefix=/usr --includedir=/usr/include \6 <screen><userinput>./configure --prefix=/usr --includedir=/usr/include \ 7 7 --mandir=/usr/share/man --datadir=/usr/share && 8 8 make && 9 9 make install && 10 make install-dev</userinput></screen> </para>10 make install-dev</userinput></screen> 11 11 12 12 </sect2> -
basicnet/netprogs/tcpwrappers/tcpwrappers-config.xml
r27d830e ra4acd463 12 12 13 13 <para>Then perform the following edits on the 14 <filename>/etc/inetd.conf</filename> configuration file: 14 <filename>/etc/inetd.conf</filename> configuration file:</para> 15 15 <screen><userinput>finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd</userinput></screen> 16 becomes: 17 <screen><userinput>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</userinput></screen> </para>16 <para>becomes:</para> 17 <screen><userinput>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</userinput></screen> 18 18 19 19 <note><para>The finger server is used as an example here.</para></note> -
basicnet/netutils/traceroute/traceroute-exp.xml
r27d830e ra4acd463 11 11 possible for all users to execute <command>traceroute</command>. For absolute 12 12 security, turn off the <acronym>SUID</acronym> bit in <command>traceroute</command>'s file 13 permissions with the command: 14 <screen><command>chmod 0755 /usr/sbin/traceroute</command></screen> </para>13 permissions with the command:</para> 14 <screen><command>chmod 0755 /usr/sbin/traceroute</command></screen> 15 15 16 16 <para>The risk is that if a security problem such as a buffer overflow were … … 26 26 <acronym>SUID</acronym> root, then you 27 27 should move <filename>traceroute</filename> to <filename>/usr/bin</filename> 28 with the following command: 29 <screen><command>mv /usr/sbin/traceroute /usr/bin</command></screen> </para>28 with the following command:</para> 29 <screen><command>mv /usr/sbin/traceroute /usr/bin</command></screen> 30 30 31 31 <para>This ensures that the binary is in the path for non-root users.</para> -
basicnet/textweb/w3m/w3m-inst.xml
r27d830e ra4acd463 5 5 menu, mouse, cookie, and <acronym>SSL</acronym> support. Other models include:</para> 6 6 7 < para><literallayout>baby - bare minimum7 <literallayout>baby - bare minimum 8 8 little - color and menu support 9 9 mouse - color, menu, and mouse support 10 cookie - color, menu, mouse, and cookie support</literallayout> </para>10 cookie - color, menu, mouse, and cookie support</literallayout> 11 11 12 12 <para>Install <application>w3m</application> by running the following commands:</para> -
gnome/config/config-core.xml
r27d830e ra4acd463 5 5 6 6 <para>Create an <filename>.xinitrc</filename> file to start 7 <application><acronym>GNOME</acronym></application>: 7 <application><acronym>GNOME</acronym></application>:</para> 8 8 <screen><userinput><command>echo "exec gnome-session" >> 9 9 ~/.xinitrc</command></userinput></screen> 10 and ensure all libraries can be found with: 10 <para>and ensure all libraries can be found with:</para> 11 11 <screen><userinput><command>ldconfig</command></userinput></screen> 12 </para>13 12 14 13 <para>At this point you can bring up -
multimedia/cdwriteutils/kernel.xml
r27d830e ra4acd463 29 29 your hardware.</para> 30 30 31 <para>If necessary, recompile the kernel with 31 <para>If necessary, recompile the kernel with</para> 32 32 <screen>make CC=/opt/gcc-2.95.3/bin/gcc dep && 33 33 make CC=/opt/gcc-2.95.3/bin/gcc bzImage && 34 34 make CC=/opt/gcc-2.95.3/bin/gcc modules && 35 35 make CC=/opt/gcc-2.95.3/bin/gcc modules_install</screen> 36 </para>37 36 <para> 38 37 Copy <filename>/usr/src/linux/arch/i386/boot/bzImage</filename> and -
multimedia/cdwriteutils/udftools/udftools-kernel-inst.xml
r27d830e ra4acd463 16 16 UDF write support (DANGEROUS) Y</screen> 17 17 18 <para>If necessary, recompile the kernel with 18 <para>If necessary, recompile the kernel with</para> 19 19 <screen><userinput><command>make CC=/opt/gcc-2.95.3/bin/gcc dep && 20 20 make CC=/opt/gcc-2.95.3/bin/gcc bzImage && 21 21 make CC=/opt/gcc-2.95.3/bin/gcc modules && 22 22 make CC=/opt/gcc-2.95.3/bin/gcc modules_install</command></userinput></screen> 23 </para>24 23 <para> 25 24 Copy <filename>/usr/src/linux/arch/i386/boot/bzImage</filename> and … … 31 30 32 31 <para>If you build packet writer as a module, add the following to 33 <filename>/etc/modules.conf</filename>: 34 <screen><userinput>alias block-major-97 pktcdvd</userinput></screen> </para>32 <filename>/etc/modules.conf</filename>:</para> 33 <screen><userinput>alias block-major-97 pktcdvd</userinput></screen> 35 34 36 35 <para>Finally, create the packet driver device nodes in <filename -
postlfs/config/bootdisk.xml
r27d830e ra4acd463 95 95 instead in any commands that include "rescueimage".</para> 96 96 97 <para>If you can not get your kerneldown to the size needed to allow97 <para>If you can not get your rescueimage down to the size needed to allow 98 98 all you need on the ramdisk image, don't fret. You can always build a 99 99 two diskette set, one boot and one root diskette. The kernel will prompt 100 100 you to insert the root file system diskette. This will allow room for a 101 compressed ramdisk image of 1440 blocks and a kernelof the same101 compressed ramdisk image of 1440 blocks and a rescueimage of the same 102 102 size.</para> 103 103 104 <para>The kernelsize limits given above are likely to vary as104 <para>The rescueimage size limits given above are likely to vary as 105 105 local system-specific configurations change. Use them only as a 106 guideline and not as gospel. The size of the kernelimage as shown by106 guideline and not as gospel. The size of rescueimage as shown by 107 107 <command>ls -sk</command> is only an approximation because of some 108 108 "overhead". On the system used to develop this version of these … … 124 124 <listitem><para>add components to the file system</para></listitem> 125 125 <listitem><para>make the compressed initrd</para></listitem> 126 <listitem><para>join a kernelimage and initrd onto a diskette</para></listitem>126 <listitem><para>join rescueimage and initrd onto a diskette</para></listitem> 127 127 </itemizedlist> 128 128 … … 238 238 to minimize wasting space with unneeded inodes.</para> 239 239 240 <para><emphasis>You must modify this to suit your kernelconfiguration and240 <para><emphasis>You must modify this to suit your rescueimage configuration and 241 241 other needs.</emphasis> For example, you may need 242 242 <acronym>SCSI</acronym> devices and may not need … … 376 376 basic utilities. 
A file system package, like <application><ulink 377 377 url="http://freshmeat.net/projects/e2fsprogs/">e2fsprogs</ulink></application>, or 378 a package for the file system you are using will provide a minimal378 a package for the file system you are using, will provide a minimal 379 379 set of utilities for file system checking and reconstruction. The whole 380 380 package will not be installed, but only certain needed components.</para> … … 438 438 439 439 <para>There are two very useful utilities that any rescue disk should 440 have to help in faster and more accurate recovery. The first is a440 have, to help in faster and more accurate recovery. The first is a 441 441 partitioning utility. The <command>sfdisk</command> program is 442 442 used here because of its small size and great power. Be warned though - … … 523 523 ls -l /tmp/rootfs.gz</command></userinput></screen> 524 524 525 <para><emphasis>Join a kernelimage and initrd onto a diskette</emphasis></para>526 527 <para>Now the kernelimage and initial ramdisk image will be written to525 <para><emphasis>Join rescueimage and initrd onto a diskette</emphasis></para> 526 527 <para>Now the rescueimage and initial ramdisk image will be written to 528 528 the boot diskette. Before doing this, calculate the number of blocks 529 needed for the kernel and for the initrd, individually, by dividing each 529 needed for rescueimage and for <filename>/tmp/rootfs.gz</filename> 530 (the initial ramdisk), individually, by dividing each 530 531 size by 1024 and adding one if there is any remainder. Add these two 531 532 results together. They must total 1,440 or fewer blocks. If they total 532 533 more than this, don't worry too much. Changes to make a two-diskette 533 534 set are presented later. 
Of course, you could reexamine your choices and 534 try to shrink either the kernelor the initial ramdisk image.</para>535 try to shrink either the rescueimage or the initial ramdisk image.</para> 535 536 536 537 <para>To make a single-floppy rescue, using devfs, use the following … … 572 573 Make sure that this number, which may be different for you, matches your 573 574 calculations from above. You need to calculate a "magic number" now 574 that will be inserted into the kernelimage. The value consists of three575 that will be inserted into rescueimage. The value consists of three 575 576 significant parts. Two are discussed here. The third is touched upon 576 577 later.</para> 577 578 578 <para>Bits 0 - 10 will contain the size of the kernelimage, in blocks,579 <para>Bits 0 - 10 will contain the size of rescueimage, in blocks, 579 580 that you calculated above, and which should match the results from the 580 581 dd above. Bit 14 (the 15th bit, which is 2 to the 14th power, or 16,384) 581 582 is a flag that, when set to 1, tells the kernel an initial ramdisk is to 582 583 be loaded. So for the single-floppy rescue diskette, the two numbers 583 16,384 and 481 (or whatever number is right for your kernelsize) are584 16,384 and 481 (or whatever number is right for your rescueimage size) are 584 585 added together to produce a decimal value, like 16865. This value is 585 inserted into the proper place in the kernelimage by the586 inserted into the proper place in rescueimage by the 586 587 <command>rdev</command> command done next.</para> 587 588 588 <para>Insert the "magic number" into the kernelimage and then write the589 root file system right after the kernelon the floppy by executing the589 <para>Insert the "magic number" into rescueimage and then write the 590 root file system right after rescueimage on the floppy by executing the 590 591 following commands, with the proper numbers inserted. 
Notice that the 591 592 <command>seek</command> parameter's number must be the size, in blocks, 592 of your kernelimage. If you use the static <filename class="directory">/dev</filename>593 of your rescueimage. If you use the static <filename class="directory">/dev</filename> 593 594 setup, use <filename>/dev/fd0</filename> in the commands below, instead 594 595 of <filename>/dev/floppy/0</filename>.</para> … … 598 599 599 600 <para>In this command, <command>seek</command> was used to position to 600 the block following the end of the kernel(480+1) and begin writing the601 the block following the end of the rescueimage (480+1) and begin writing the 601 602 root file system to the floppy.</para> 602 603 </sect3> … … 615 616 <para>Modify the above instructions as follows. First a different magic 616 617 number is needed. The 15th bit (bit 14) still needs to be set, but the 617 size of the kernelimage, in blocks, is replaced with a zero. The third618 size of the rescueimage, in blocks, is replaced with a zero. The third 618 619 component, which was not discussed above, is now used. This is the 16th 619 620 bit (bit 15) of the "magic number". When set, it tells the kernel to ask 620 621 the user to insert the "root" floppy. It then loads the initrd image 621 from that diskette. Because the size of the kernelimage was replaced622 from that diskette. Because the size of the rescueimage was replaced 622 623 by zero, the kernel starts loading from the "zero'th" block (the first 623 624 one) on the second diskette.</para> … … 627 628 value tells the kernel to prompt for, and then load, an initial ramdisk 628 629 image from the first block on the inserted floppy. So your first 629 modification is to the command to write the "magic number" to the kernel630 modification is to the command to write the "magic number" to the rescueimage 630 631 image on the diskette.</para> 631 632 -
postlfs/config/compressdoc.xml
r27d830e ra4acd463 457 457 file <filename>/etc/man.conf</filename>, as a 458 458 <envar>MANPATH</envar>=<replaceable>/path</replaceable> section.</para> 459 <para> Example:< screen><userinput>459 <para> Example:</para><screen><userinput> 460 460 ... 461 461 MANPATH=/usr/share/man … … 463 463 MANPATH=/usr/X11R6/man 464 464 MANPATH=/opt/qt/doc/man 465 ...</userinput></screen> </para>465 ...</userinput></screen> 466 466 467 467 <para>Generally, package installation systems do not compress man/info pages, -
postlfs/security/firewalling/busybox.xml
r27d830e ra4acd463 20 20 simple and should still be acceptable from a security standpoint. 21 21 Just add the following lines <emphasis>before</emphasis> the logging-rules 22 into the script. 22 into the script.</para> 23 23 24 24 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen> </para>25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen> 26 26 27 27 <para>If your daemons have to access the web themselves, like squid would need 28 to, you could open OUTPUT generally and restrict INPUT. 28 to, you could open OUTPUT generally and restrict INPUT.</para> 29 29 30 30 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31 iptables -A OUTPUT -j ACCEPT</screen> </para>31 iptables -A OUTPUT -j ACCEPT</screen> 32 32 33 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose … … 44 44 <title>Have a look at the following examples:</title> 45 45 46 <listitem><para>Squid is caching the web: 46 <listitem><para>Squid is caching the web:</para> 47 47 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></ para></listitem>48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 49 49 50 50 <listitem><para>Your caching name server (e.g., dnscache) does its 51 lookups via udp: 51 lookups via udp:</para> 52 52 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></ para></listitem>53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 54 54 55 55 <listitem><para>Alternatively, if you want to be able to ping your box to ensure 56 it's still alive: 56 it's still alive:</para> 57 57 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></ 
para></listitem>58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem> 59 59 60 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are … … 66 66 67 67 <para>To avoid these delays you could reject the requests 68 with a 'tcp-reset': 68 with a 'tcp-reset':</para> 69 69 70 70 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></ para></listitem>71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 72 72 73 73 <listitem><para>To log and drop invalid packets, mostly harmless packets 74 that came in after netfilter's timeout, sometimes scans: 74 that came in after netfilter's timeout, sometimes scans:</para> 75 75 76 76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 77 77 "FIREWALL:INVALID" 78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></ para></listitem>78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem> 79 79 80 80 <listitem><para>Anything coming from the outside should not have a 81 private address, this is a common attack called IP-spoofing: 81 private address, this is a common attack called IP-spoofing:</para> 82 82 83 83 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 84 84 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></ para></listitem>85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem> 86 86 87 87 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 90 90 91 91 <para>Obviously this must be done directly after logging as the very 92 last lines before the packets are dropped by policy: 92 last lines before the packets are dropped by policy:</para> 93 93 94 94 <screen>iptables -A 
INPUT -j REJECT 95 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></ para></listitem>95 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem> 96 96 </itemizedlist> 97 97 <!--</orderedlist>--> -
pst/sgml/docbook-dsssl/docbook-dsssl-config.xml
r27d830e ra4acd463 6 6 <para>The following configuration is necessary in order to utilize 7 7 <application>OpenJade</application> to convert the <acronym>BLFS</acronym> 8 Book from <acronym>XML</acronym> to <acronym>HTML</acronym>: 8 Book from <acronym>XML</acronym> to <acronym>HTML</acronym>:</para> 9 9 <screen><userinput><command>ln -sf <replaceable>[your home directory]</replaceable>/BLFS/BOOK/blfs.dsl \ 10 10 /usr/share/sgml/docbook/dsssl-stylesheets-&docbook-dsssl-version;/html/</command></userinput></screen> 11 </para>12 11 13 12 <para>If you would like to test <application>Docbook <acronym>XML</acronym> -
server/other/cvsserver/cvsserver-inst.xml
r27d830e ra4acd463 39 39 <para>Test access to the <acronym>CVS</acronym> repository from a remote 40 40 machine using a user account that has <command>ssh</command> access to the 41 <acronym>CVS</acronym> server with the following commands: 41 <acronym>CVS</acronym> server with the following commands:</para> 42 42 <note><para>Replace <replaceable>[servername]</replaceable> with the 43 43 <acronym>IP</acronym> address or host name of the <acronym>CVS</acronym> 44 44 repository machine. You will be prompted for the user's shell account password 45 before <acronym>CVS</acronym> checkout can continue.</para></note> </para>45 before <acronym>CVS</acronym> checkout can continue.</para></note> 46 46 47 47
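Review bot: In basicnet/netprogs/tcpwrappers/tcpwrappers-config.xml (new line 16) and gnome/config/config-core.xml (new line 10), splitting the old paragraph leaves "<para>becomes:</para>" and "<para>and ensure all libraries can be found with:</para>" as stand-alone paragraphs that begin in lower case, mid-sentence. Now that each is its own block, reword them as full sentences, for example "The line then becomes:" and "Then ensure all libraries can be found with:".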
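Review bot: In multimedia/cdwriteutils/kernel.xml (new line 31) and multimedia/cdwriteutils/udftools/udftools-kernel-inst.xml (new line 18), "<para>If necessary, recompile the kernel with</para>" now closes as a paragraph with no end punctuation, while the other lead-ins closed in this changeset end in a colon or a full stop. Add a colon before </para>. The two files also mark up the same four make commands differently, a bare <screen> in kernel.xml and <screen><userinput><command> in udftools-kernel-inst.xml; aligning them while these lines are open would keep the rendering consistent.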
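Review bot: In postlfs/config/bootdisk.xml the kernel-to-rescueimage substitution looks over-applied at new line 240: "You must modify this to suit your rescueimage configuration and other needs" goes on to talk about needing SCSI devices, which is a matter of kernel configuration rather than of the image file, so "kernel configuration" should stay there. The name is also written both as "rescueimage" and "the rescueimage" (new lines 586 and 601, for example) and is never marked up, whereas /tmp/rootfs.gz at new line 529 gets <filename>. Wrapping rescueimage in <filename> throughout and dropping the article would make it clear that it is a file name.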
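Review bot: In postlfs/config/compressdoc.xml at new line 459, "<para> Example:</para><screen><userinput>" keeps a stray space after <para> and opens <screen> on the same line as the closing </para>, with a line break immediately after <userinput>, so the verbatim block starts with an empty line. Put <screen> on its own line as the other files in this changeset do, and start the "..." content directly after <userinput>.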
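Review bot: In postlfs/security/firewalling/busybox.xml, the anti-spoofing item at new lines 83-85 does its filtering in the nat table ("iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP" and the two rules after it). The nat table is consulted only for the first packet of a connection and is not intended for filtering, so these drops belong in the filter table, for instance as INPUT rules with the same -i ppp+ and -s matches. The sentence introducing them at new lines 80-81 is also a comma splice; a full stop or semicolon after "private address" would fix it while the paragraph is being closed.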
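Review bot: In server/other/cvsserver/cvsserver-inst.xml, closing the paragraph at new line 41 after "with the following commands:" leaves that lead-in followed directly by the <note> at new lines 42-45 instead of by the commands it announces. Move the <note> above the paragraph or below the command block so the colon leads straight into the commands.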