Changeset f586237


Timestamp:
06/05/2016 05:57:10 AM (5 years ago)
Author:
DJ Lucas <dj@…>
Branches:
10.0, 10.1, 11.0, 7.10, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, ken/refactor-virt, lazarus, nosym, perl-modules, qt5new, trunk, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
422bd2c
Parents:
eb3dbe3
Message:

[Systemd merge] - Complete changes for Chapter 4.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17446 af4574ff-66df-0310-9fd7-8a98e5e911e0

Files:
2 deleted
20 edited

  • general.ent

    reb3dbe3 rf586237  
    11<!-- $LastChangedBy$ $Date$ -->
    22
    3 <!ENTITY day          "04">                   <!-- Always 2 digits -->
     3<!ENTITY day          "05">                   <!-- Always 2 digits -->
    44<!ENTITY month        "06">                   <!-- Always 2 digits -->
    55<!ENTITY year         "2016">
     
    77<!ENTITY copyholder   "The BLFS Development Team">
    88<!ENTITY version      "&year;-&month;-&day;">
    9 <!ENTITY releasedate  "June 4th &year;">
     9<!ENTITY releasedate  "June 5th &year;">
    1010<!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
    1111<!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
    12 <!ENTITY lfs-version  "development">          <!-- x.y|development] -->
     12<!ENTITY lfs-version  "development">          <!-- x.y|development -->
     13<!ENTITY lfs-versiond "systemd">              <!-- x.y-systemd|systemd -->
    1314<!ENTITY last-commit  "$Date$"> <!-- Automatic update -->
    1415<!ENTITY lfs-domainname       "linuxfromscratch.org">
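Review bot: the new lfs-versiond entity is hard-wired to "systemd" while lfs-version is "development", and its own comment says the release form is "x.y-systemd"; both entities now have to be bumped together at release time, so a reminder next to blfs-version (which already documents the svn|release switch) would keep one from being missed. The stray "]" removed from the lfs-version comment is a good catch.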
     
    3536
    3637<!ENTITY lfs-root             "../../../../lfs/view/&lfs-version;">
     38<!ENTITY lfs-rootd            "../../../../lfs/view/&lfs-versiond;">
    3739<!ENTITY lfs-dev              "../../../../lfs/view/development">
    3840<!ENTITY kernel               "http://www.kernel.org/pub/">
  • general/genlib/genlib.xml

    reb3dbe3 rf586237  
    6363  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gmime.xml"/>
    6464  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gobject-introspection.xml"/>
    65 
    66   <!-- systemd only -->
    67   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="grantlee.xml"/>
    68 
    6965  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="gsl.xml"/>
    7066  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="icu.xml"/>
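Review bot: dropping the grantlee include (and, per the "2 deleted" count, the page itself) leaves the build broken if any remaining page still carries `<xref linkend="grantlee"/>`; grep the tree for `linkend="grantlee"` and `linkend="strigi"` before committing the removals, since a dangling linkend only shows up as an xsltproc error at render time.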
  • general/sysutils/dbus.xml

    reb3dbe3 rf586237  
    668668        A list of the installed files, along with their short
    669669        descriptions can be found at
    670         <ulink url="&lfs-root;/chapter06/dbus.html#contents-dbus"/>.
     670        <phrase revision="sysv">
     671        <ulink url="&lfs-root;/chapter06/dbus.html#contents-dbus"/></phrase>
     672        <phrase revision="systemd">
     673        <ulink url="&lfs-rootd;/chapter06/dbus.html#contents-dbus"/></phrase>.
    671674      </para>
    672675
  • general/sysutils/sysutils.xml

    reb3dbe3 rf586237  
    5454  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="redland.xml"/>
    5555  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sg3_utils.xml"/>
    56 
    57   <!-- systemd only --> 
    58   <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="strigi.xml"/>
    59 
    6056  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="sysstat.xml"/>
    6157
  • introduction/welcome/changelog.xml

    reb3dbe3 rf586237  
    4444
    4545-->
     46    <listitem>
     47      <para>June 5th, 2016</para>
     48      <itemizedlist>
     49        <listitem revision="systemd">
     50          <para>[dj] - Removed grantlee and strigi packages.</para>
     51        </listitem>
     52        <listitem revision="sysv">
     53          <para>[dj] - Only install the Linux-PAM module when rebuilding
     54          libcap for Linux-PAM.</para>
     55        </listitem>
     56      </itemizedlist>
     57    </listitem>
     58
    4659    <listitem>
    4760      <para>June 4th, 2016</para>
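Review bot: the `revision="sysv"` on the libcap entry hides it from the systemd rendering, but the libcap.xml change in this same changeset has no revision conditionals and applies to both books; drop the attribute so systemd readers also see that only the PAM module is built now.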
  • postlfs/security/cyrus-sasl.xml

    reb3dbe3 rf586237  
    269269
    270270    <sect3 id="cyrus-sasl-init">
    271       <title>Init Script</title>
    272 
    273       <para>
     271      <title><phrase revision="sysv">Init Script</phrase>
     272             <phrase revision="systemd">Systemd Unit</phrase></title>
     273
     274      <para revision="sysv">
    274275        If you need to run the <command>saslauthd</command> daemon at system
    275276        startup, install the <filename>/etc/rc.d/init.d/saslauthd</filename>
    276         init script included in the <xref linkend="bootscripts" revision="sysv"/>
    277         <xref linkend="systemd-units" revision="systemd"/>
    278         package using the following command:
     277        init script included in the
     278        <xref linkend="bootscripts"/> package using the following command:
     279      </para>
     280
     281      <para revision="systemd">
     282        If you need to run the <command>saslauthd</command> daemon at system
     283        startup, install the <filename>saslauthd.service</filename> unit
     284        included in the <xref linkend="systemd-units"/> package using the
     285        following command:
    279286      </para>
    280287
     
    287294      <note>
    288295        <para>
    289           You'll need to modify /etc/sysconfig/saslauthd and replace the
    290           <option><replaceable>AUTHMECH</replaceable></option> parameter
    291           with your desired authentication mechanism.
     296          You'll need to modify
     297          <filename revision="sysv">/etc/sysconfig/saslauthd</filename>
     298          <filename revision="systemd">/etc/default/saslauthd</filename>
     299          and modify the
     300          <option revision="sysv">AUTHMECH</option>
     301          <option revision="systemd">MECHANISM</option>
     302          parameter with your desired authentication mechanism.
    292303        </para>
    293304      </note>
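Review bot: "You'll need to modify ... and modify the ... parameter" repeats the verb; "edit ... and set the ... parameter" reads better. It is also worth confirming that the saslauthd unit in systemd-units really sources /etc/default/saslauthd with a MECHANISM variable, since both the path and the key differ from the sysv names and a reader following the systemd text has nothing else to go on.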
  • postlfs/security/firewalling.xml

    reb3dbe3 rf586237  
    141141    </caution>
    142142
    143     <para>The firewall configuration script installed in the iptables section
    144     differs from the standard configuration script. It only has two of
    145     the standard targets: start and status. The other targets are clear
    146     and lock. For instance if you issue:</para>
    147 
    148 <screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
    149 
    150     <para>the firewall will be restarted just as it is upon system startup.
    151     The status target will present a list of all currently implemented
    152     rules. The clear target turns off all firewall rules and the lock
    153     target will block all packets in and out of the computer with the
     143    <para revision="sysv">The firewall configuration script installed in the
     144    iptables section differs from the standard configuration script. It only
     145    has two of the standard targets: start and status. The other targets are
     146    clear and lock. For instance if you issue:</para>
     147
     148<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
     149
     150    <para revision="sysv">the firewall will be restarted just as it is upon
     151    system startup. The status target will present a list of all currently
     152    implemented rules. The clear target turns off all firewall rules and the
     153    lock target will block all packets in and out of the computer with the
    154154    exception of the loopback interface.</para>
    155155
    156     <para>The main startup firewall is located in the file
     156    <para revision="sysv">The main startup firewall is located in the file
    157157    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
    158158    three different approaches that can be used for a system.</para>
     159
     160    <para revision="systemd">The main startup firewall is located in the file
     161    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
     162    provide three different approaches that can be used for a system.</para>
    159163
    160164    <note>
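Review bot: with the start/status/clear/lock description now `revision="sysv"` only, the systemd rendering jumps from the caution straight to "The main startup firewall is located in /etc/systemd/scripts/iptables" with nothing equivalent to the sysv paragraphs; add a `revision="systemd"` paragraph saying how the unit is driven (that iptables.service runs the script at boot, and what, if anything, replaces the status, clear and lock targets), otherwise systemd readers have no idea how to inspect or disable the rules.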
     
    178182      to the Linux 2.6 kernels.</para>
    179183
    180 <screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
     184<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
    181185<literal>#!/bin/sh
    182186
     
    253257EOF
    254258chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
     259
     260
     261<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
     262
     263cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
     264<literal>#!/bin/sh
     265
     266# Begin /etc/systemd/scripts/iptables
     267
     268# Insert connection-tracking modules
     269# (not needed if built into the kernel)
     270modprobe nf_conntrack
     271modprobe xt_LOG
     272
     273# Enable broadcast echo Protection
     274echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     275
     276# Disable Source Routed Packets
     277echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     278echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
     279
     280# Enable TCP SYN Cookie Protection
     281echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     282
     283# Disable ICMP Redirect Acceptance
     284echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects
     285
     286# Do not send Redirect Messages
     287echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
     288echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     289
     290# Drop Spoofed Packets coming in on an interface, where responses
     291# would result in the reply going out a different interface.
     292echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
     293echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     294
     295# Log packets with impossible addresses.
     296echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     297echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
     298
     299# be verbose on dynamic ip-addresses  (not needed in case of static IP)
     300echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     301
     302# disable Explicit Congestion Notification
     303# too many routers are still ignorant
     304echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     305
     306# Set a known state
     307iptables -P INPUT   DROP
     308iptables -P FORWARD DROP
     309iptables -P OUTPUT  DROP
     310
     311# These lines are here in case rules are already in place and the
     312# script is ever rerun on the fly. We want to remove all rules and
     313# pre-existing user defined chains before we implement new rules.
     314iptables -F
     315iptables -X
     316iptables -Z
     317
     318iptables -t nat -F
     319
     320# Allow local-only connections
     321iptables -A INPUT  -i lo -j ACCEPT
     322
     323# Free output on any interface to any ip for any service
     324# (equal to -P ACCEPT)
     325iptables -A OUTPUT -j ACCEPT
     326
     327# Permit answers on already established connections
     328# and permit new connections related to established ones
     329# (e.g. port mode ftp)
     330iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     331
     332# Log everything else. What's Windows' latest exploitable vulnerability?
     333iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
     334
     335# End /etc/systemd/scripts/iptables</literal>
     336EOF
     337chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
    255338
    256339      <para>This script is quite simple, it drops all traffic coming
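Review bot: `echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects` only sets the default for interfaces created later, so any interface already up when the script runs keeps accepting ICMP redirects; pair it with conf/all/accept_redirects as the other sysctls in this script do (the second script makes the opposite omission and sets only all). The catch-all `iptables -A INPUT -j LOG` rule has no rate limit, so a flood of unsolicited packets becomes a log flood; prefix it with `-m limit --limit 5/min --limit-burst 10` or similar. The "Windows" quip in that rule's comment adds nothing and could go from both copies.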
     
    284367      a worm via a buffer-overflow).</para>
    285368
    286 <screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
     369<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
    287370<literal>#!/bin/sh
    288371
     
    374457EOF
    375458chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
     459
     460<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts
     461
     462cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
     463<literal>#!/bin/sh
     464
     465# Begin /etc/systemd/scripts/iptables
     466
     467echo
     468echo "You're using the example configuration for a setup of a firewall"
     469echo "from Beyond Linux From Scratch."
     470echo "This example is far from being complete, it is only meant"
     471echo "to be a reference."
     472echo "Firewall security is a complex issue, that exceeds the scope"
     473echo "of the configuration rules below."
     474
     475echo "You can find additional information"
     476echo "about firewalls in Chapter 4 of the BLFS book."
     477echo "http://www.&lfs-domainname;/blfs"
     478echo
     479
     480# Insert iptables modules (not needed if built into the kernel).
     481
     482modprobe nf_conntrack
     483modprobe nf_conntrack_ftp
     484modprobe xt_conntrack
     485modprobe xt_LOG
     486modprobe xt_state
     487
     488# Enable broadcast echo Protection
     489echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
     490
     491# Disable Source Routed Packets
     492echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
     493
     494# Enable TCP SYN Cookie Protection
     495echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
     496
     497# Disable ICMP Redirect Acceptance
     498echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
     499
     500# Don't send Redirect Messages
     501echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
     502
     503# Drop Spoofed Packets coming in on an interface where responses
     504# would result in the reply going out a different interface.
     505echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
     506
     507# Log packets with impossible addresses.
     508echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
     509
     510# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
     511echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
     512
     513# Disable Explicit Congestion Notification
     514# Too many routers are still ignorant
     515echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
     516
     517# Set a known state
     518iptables -P INPUT   DROP
     519iptables -P FORWARD DROP
     520iptables -P OUTPUT  DROP
     521
     522# These lines are here in case rules are already in place and the
     523# script is ever rerun on the fly. We want to remove all rules and
     524# pre-existing user defined chains before we implement new rules.
     525iptables -F
     526iptables -X
     527iptables -Z
     528
     529iptables -t nat -F
     530
     531# Allow local connections
     532iptables -A INPUT  -i lo -j ACCEPT
     533iptables -A OUTPUT -o lo -j ACCEPT
     534
     535# Allow forwarding if the initiated on the intranet
     536iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
     537iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT
     538
     539# Do masquerading
     540# (not needed if intranet is not using private ip-addresses)
     541iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
     542
     543# Log everything for debugging
     544# (last of all rules, but before policy rules)
     545iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
     546iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
     547iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
     548
     549# Enable IP Forwarding
     550echo 1 &gt; /proc/sys/net/ipv4/ip_forward
     551
     552# End /etc/systemd/scripts/iptables</literal>
     553EOF
     554chmod 700 /etc/systemd/scripts/iptables</userinput></screen>
    376555
    377556      <para>With this script your intranet should be reasonably secure
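Review bot: `modprobe xt_state` is unnecessary here, the rules use `-m conntrack --ctstate` throughout and never `-m state`, so xt_conntrack already covers them. The sysctl block sets rp_filter only on conf/default and accept_redirects only on conf/all, leaving whichever interfaces are already up untouched for one of the two; set both all and default for each, as the first script does for rp_filter. Minor: "Allow forwarding if the initiated on the intranet" should read "if initiated on the intranet". Since this script is a copy of the sysv one with only the path changed, the two copies will drift unless the rule body is shared (an entity or an xi:include of a common fragment).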
  • postlfs/security/gnutls.xml

    reb3dbe3 rf586237  
    147147      To test the results, issue: <command>make check</command>.  If a prior
    148148      version of <application>GnuTLS</application> (or the same version but
    149       without all the recommended dependencies) has been installed, some
     149      without all of the recommended dependencies) has been installed, some
    150150      tests may fail. If <filename>/usr/lib/libgnutls.so</filename> and the
    151151      target of that symlink are moved or renamed so that they cannot be found,
  • postlfs/security/haveged.xml

    reb3dbe3 rf586237  
    105105
    106106    <sect3  id="haveged-init">
    107       <title>Boot Script</title>
     107      <title><phrase revision="sysv">Boot Script</phrase>
     108             <phrase revision="systemd">Systemd Unit</phrase></title>
    108109
    109       <para>
     110      <para revision="sysv">
    110111        If you want the <application>Haveged</application> daemon to
    111112        start automatically when the system is booted, install the
    112113        <filename>/etc/rc.d/init.d/haveged</filename> init script included
    113         in the <xref linkend="bootscripts" revision="sysv"/>
    114         <xref linkend="systemd-units" revision="systemd"/> package.
     114        in the <xref linkend="bootscripts"/> package (as the
     115        <systemitem class="username">root</systemitem> user):
     116      </para>
     117
     118      <para revision="systemd">
     119        If you want the <application>Haveged</application> daemon to
     120        start automatically when the system is booted, install the
     121        <filename>haveged.service</filename> unit included in the
     122        <xref linkend="systemd-units"/> package (as the
     123        <systemitem class="username">root</systemitem> user):
    115124      </para>
    116125
  • postlfs/security/iptables.xml

    reb3dbe3 rf586237  
    163163    <para>
    164164      <parameter>--disable-nftables</parameter>: This switch disables building
    165       nftables compat.
     165      nftables compat. Omit this switch if you have installed nftables.
    166166    </para>
    167167
     
    199199
    200200    <sect3  id="iptables-init">
    201       <title>Boot Script</title>
    202 
    203       <para>
     201      <title><phrase revision="sysv">Boot Script</phrase>
     202             <phrase revision="systemd">Systemd Unit</phrase></title>
     203
     204      <para revision="sysv">
    204205        To set up the iptables firewall at boot, install the
    205206        <filename>/etc/rc.d/init.d/iptables</filename> init script included
    206         in the <xref linkend="bootscripts" revision="sysv"/>
    207         <xref linkend="systemd-units" revision="systemd"/> package.
     207        in the <xref linkend="bootscripts"/> package.
     208      </para>
     209
     210      <para revision="systemd">
     211        To set up the iptables firewall at boot, install the
     212        <filename>iptables.service</filename> unit included in the
     213        <xref linkend="systemd-units"/> package.
    208214      </para>
    209215
  • postlfs/security/libcap.xml

    reb3dbe3 rf586237  
    3030    <title>Introduction to libcap with PAM</title>
    3131
    32     <para>The <application>libcap</application> package was installed in
    33     LFS, but if PAM support is desired, it needs to be reinstalled after
    34     PAM is built.</para>
     32    <para>The <application>libcap</application> package was installed in
     33    LFS, but if <application>Linux-PAM</application> support is desired,
     34    the PAM module must be built (after installation of
     35    <application>Linux-PAM</application>).</para>
    3536
    3637    &lfs79_checked;&gcc6_checked;
     
    6162
    6263    <bridgehead renderas="sect4">Required</bridgehead>
    63     <para role="required"><xref linkend="linux-pam"/></para>
     64    <para role="required">
     65      <xref linkend="linux-pam"/>
     66    </para>
    6467
    6568    <para condition="html" role="usernotes">User Notes:
     
    7477    commands:</para>
    7578
    76 <screen><userinput>sed -i 's:LIBDIR:PAM_&amp;:g' pam_cap/Makefile &amp;&amp;
    77 make</userinput></screen>
     79<screen><userinput>make -C pam_cap</userinput></screen>
    7880
    7981    <para>This package does not come with a test suite.</para>
    8082
    81     <para>
    82       If you want to disable installing the static library, use this sed:
    83     </para>
    84 
    85 <screen><userinput>sed -i '/install.*STALIBNAME/ s/^/#/' libcap/Makefile</userinput></screen>
    86 
    8783    <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
    8884
    89 <screen role="root"><userinput>make prefix=/usr \
    90      SBINDIR=/sbin \
    91      PAM_LIBDIR=/lib \
    92      RAISE_SETFCAP=no install</userinput></screen>
    93 
    94    <para>
    95      Still as the <systemitem class="username">root</systemitem> user,
    96      clean up some library locations and permissions:
    97    </para>
    98 
    99 <screen role="root"><userinput>chmod -v 755 /usr/lib/libcap.so &amp;&amp;
    100 mv -v /usr/lib/libcap.so.* /lib &amp;&amp;
    101 ln -sfv ../../lib/libcap.so.2 /usr/lib/libcap.so</userinput></screen>
    102 
    103   </sect2>
    104 
    105   <sect2 role="commands">
    106     <title>Command Explanations</title>
    107 
    108     <para>
    109       <command>sed -i '...'</command>, <parameter>PAM_LIBDIR=/lib</parameter>:
    110       These correct PAM module install location.
    111     </para>
    112 
    113     <para><parameter>RAISE_SETFCAP=no</parameter>: This parameter skips trying
    114     to use <application>setcap</application> on itself.  This avoids an installation
    115     error if the kernel or file system do not support extended capabilities.</para>
     85<screen role="root"><userinput>install -v -m755 pam_cap/pam_cap.so /lib/security &amp;&amp;
     86install -v -m644 pam_cap/capability.conf /etc/security</userinput></screen>
    11687
    11788  </sect2>
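Review bot: `make -C pam_cap` no longer builds libcap itself, so pam_cap.so is compiled against the tarball's headers but linked against whatever libcap the LFS system already has; the text should state that the unpacked tarball must be the same version as the libcap installed in LFS. The install lines also assume /lib/security and /etc/security exist, which holds only because Linux-PAM is listed as required; a one-line reminder is cheap. Deleting the Command Explanations section is right, since the sed, PAM_LIBDIR and RAISE_SETFCAP are all gone.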
     
    12293    <segmentedlist>
    12394      <segtitle>Installed Programs</segtitle>
    124       <segtitle>Installed Libraries</segtitle>
     95      <segtitle>Installed Library</segtitle>
    12596      <segtitle>Installed Directories</segtitle>
    12697
    12798      <seglistitem>
    128         <seg>capsh, getcap, getpcaps, and setcap</seg>
    129         <seg>libcap.{so,a} and pam_cap.so</seg>
     99        <seg>None</seg>
     100        <seg>pam_cap.so</seg>
    130101        <seg>None</seg>
    131102      </seglistitem>
    132103    </segmentedlist>
    133104
    134     <variablelist>
    135       <bridgehead renderas="sect3">Short Descriptions</bridgehead>
    136       <?dbfo list-presentation="list"?>
    137       <?dbhtml list-presentation="table"?>
    138 
    139       <varlistentry id="capsh">
    140         <term><command>capsh</command></term>
    141         <listitem>
    142           <para>is a shell wrapper to explore and constrain capability support.</para>
    143           <indexterm zone="libcap-pam capsh">
    144             <primary sortas="b-capsh">capsh</primary>
    145           </indexterm>
    146         </listitem>
    147       </varlistentry>
    148 
    149       <varlistentry id="getcap">
    150         <term><command>getcap</command></term>
    151         <listitem>
    152           <para>examines file capabilities.</para>
    153           <indexterm zone="libcap-pam getcap">
    154             <primary sortas="b-getcap">getcap</primary>
    155           </indexterm>
    156         </listitem>
    157       </varlistentry>
    158 
    159       <varlistentry id="getpcaps">
    160         <term><command>getpcaps</command></term>
    161         <listitem>
    162           <para>displays the capabilities on the queried process(es).</para>
    163           <indexterm zone="libcap-pam getpcaps">
    164             <primary sortas="b-getpcaps">getpcaps</primary>
    165           </indexterm>
    166         </listitem>
    167       </varlistentry>
    168 
    169       <varlistentry id="setcap">
    170         <term><command>setcap</command></term>
    171         <listitem>
    172           <para>sets file file capabilities.</para>
    173           <indexterm zone="libcap-pam setcap">
    174             <primary sortas="b-setcap">setcap</primary>
    175           </indexterm>
    176         </listitem>
    177       </varlistentry>
    178 
    179       <varlistentry id="libcap-lib">
    180         <term><filename class='libraryfile'>libcap.{so,a}</filename></term>
    181         <listitem>
    182           <para>contains the <application>libcap</application> API functions.</para>
    183           <indexterm zone="libcap-pam libcap-lib">
    184             <primary sortas="c-libcap">libcap.{so,a}</primary>
    185           </indexterm>
    186         </listitem>
    187       </varlistentry>
    188 
    189     </variablelist>
    190 
    191105  </sect2>
    192106
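Review bot: the segmented list still advertises pam_cap.so as an installed library, but the whole Short Descriptions variablelist is removed with it, so the page no longer describes anything it installs; keep a `<varlistentry>` for pam_cap.so (the PAM module that grants inheritable capabilities according to /etc/security/capability.conf) and mention capability.conf, which the install step copies into /etc/security, in the Installed Files list.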
  • postlfs/security/linux-pam.xml

    reb3dbe3 rf586237  
    377377        <para>
    378378          You should now reinstall the <xref linkend="shadow"/>
    379           package.
     379          <phrase revision="sysv">package.</phrase>
     380          <phrase revision="systemd"> and <xref linkend="systemd"/>
     381          packages.</phrase>
    380382        </para>
    381383      </important>
  • postlfs/security/mitkrb.xml

    reb3dbe3 rf586237  
    445445
    446446    <sect3 id="mitkrb-init">
    447       <title>Init Script</title>
    448 
    449       <para>
     447      <title><phrase revision="sysv">Init Script</phrase>
     448             <phrase revision="systemd">Systemd Unit</phrase></title>
     449
     450      <para revision="sysv">
    450451        If you want to start <application>Kerberos</application> services
    451452        at boot, install the <filename>/etc/rc.d/init.d/krb5</filename> init
    452         script included in the <xref linkend="bootscripts" revision="sysv"/>
    453         <xref linkend="systemd-units" revision="systemd"/> package using
     453        script included in the <xref linkend="bootscripts"/> package using
    454454        the following command:
     455      </para>
     456
     457      <para revision="systemd">
     458        If you want to start <application>Kerberos</application> services
     459        at boot, install the <filename>krb5.service</filename> unit included in
     460        the <xref linkend="systemd-units"/> package using the following command:
    455461      </para>
    456462
  • postlfs/security/openssh.xml

    reb3dbe3 rf586237  
    111111    <title>Installation of OpenSSH</title>
    112112
     113    <warning revision="systemd">
     114    <para>
     115      If reinstalling over an <application>SSH</application> connection to
     116      enable <xref linkend="linux-pam"/> support, be certain to temporarily set
     117      <option>PermitRootLogin</option> to <parameter>yes</parameter> in
     118      <filename>/etc/ssh/sshd_config</filename> until you complete
     119      reinstallation of <xref linkend="systemd"/>, or you may find that you are
     120      unable to login to the system remotely.
     121    </para>
     122    </warning>
     123
    113124    <para>
    114125      <application>OpenSSH</application> runs as two processes when connecting
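Review bot: the warning tells the reader to set PermitRootLogin to yes but never to revert it, and a forgotten `yes` is exactly the setting that later turns a guessed password into a root shell; say explicitly to change it back once systemd is rebuilt, and prefer `PermitRootLogin prohibit-password` (OpenSSH 7.0 and later, key-only root) so the temporary window never allows password logins as root. It would also help to say why remote logins fail in the meantime, so the reader knows when it is safe to revert.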
     
    289300
    290301      <para>
    291         If you added <application>LinuxPAM</application> support and you want
     302        If you added <application>Linux-PAM</application> support and you want
    292303        ssh to use it then you will need to add a configuration file for
    293304        <application>sshd</application> and enable use of
    294305        <application>LinuxPAM</application>. Note, ssh only uses PAM to check
    295306        passwords, if you've disabled password logins these commands are not
    296         needed. If you want to use PAM issue the following commands as the
     307        needed. If you want to use PAM, issue the following commands as the
    297308        <systemitem class='username'>root</systemitem> user:
    298309      </para>
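Review bot: "enable use of LinuxPAM" two lines below the edited line still has the old spelling; change it to Linux-PAM as well so the paragraph is consistent.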
     
    310321
    311322    <sect3  id="openssh-init">
    312       <title>Boot Script</title>
    313 
    314       <para>
     323      <title><phrase revision="sysv">Boot Script</phrase>
     324             <phrase revision="systemd">Systemd Unit</phrase></title>
     325
     326      <para revision="sysv">
    315327        To start the SSH server at system boot, install the
    316328        <filename>/etc/rc.d/init.d/sshd</filename> init script included
    317         in the <xref linkend="bootscripts" revision="sysv"/>
    318         <xref linkend="systemd-units" revision="systemd"/> package.
     329        in the <xref linkend="bootscripts"/> package.
     330      </para>
     331
     332      <para revision="systemd">
     333        To start the SSH server at system boot, install the
     334        <filename>sshd.service</filename> unit included in the
     335        <xref linkend="systemd-units"/> package.
    319336      </para>
    320337
  • postlfs/security/openssl.xml

    reb3dbe3 rf586237  
    207207        providing functions to other programs such as
    208208        <application>OpenSSH</application> and web browsers do not need to worry
    209         about additional configuration. This is an advanced topic and so those
     209        about additional configuration. This is an advanced topic and those
    210210        who do need it would normally be expected to either know how to properly
    211211        update <filename>/etc/ssl/openssl.cnf</filename> or be able to find out
  • postlfs/security/p11-kit.xml

    reb3dbe3 rf586237  
    120120    <para>
    121121      <option>--with-hash-impl=freebl</option>: Use this switch if you want to
    122       use Freebl library from <application>NSS</application> for SHA1 and MD5
    123       hashing.
     122      use the Freebl library from <application>NSS</application> for SHA1 and
     123      MD5 hashing.
    124124    </para>
    125125
  • postlfs/security/polkit.xml

    reb3dbe3 rf586237  
    8181    </para>
    8282
     83    <bridgehead renderas="sect4" revision="systemd">Recommended</bridgehead>
     84    <para role="recommended" revision="systemd">
     85      <xref linkend="linux-pam"/>
     86    </para>
     87
     88    <note revision="systemd">
     89      <para>
     90        Since <command>systemd-logind</command> uses PAM to register user
     91        sessions, it is a good idea to build <application>Polkit</application>
     92        with PAM support so <command>systemd-logind</command> can track
     93        <application>Polkit</application> sessions.
     94      </para>
     95    </note>
     96
     97
    8398    <bridgehead renderas="sect4">Optional (Required if building GNOME)</bridgehead>
    8499    <para role="optional">
     
    90105      <xref linkend="DocBook"/>,
    91106      <xref linkend="docbook-xsl"/>,
    92       <xref linkend="gtk-doc"/>,
    93       <xref linkend="libxslt"/> and
    94       <xref linkend="linux-pam"/>
     107      <xref linkend="gtk-doc"/>, <phrase revision="systemd">and </phrase>
     108      <xref linkend="libxslt"/><phrase revision="sysv">, and
     109      <xref linkend="linux-pam"/></phrase>
     110    </para>
     111
     112    <bridgehead renderas="sect4" revision="systemd">Required Runtime Dependencies</bridgehead>
     113    <para role="required" revision="systemd">
     114      <xref linkend="systemd"/>
    95115    </para>
    96116
    97117    <note>
    98118      <para>
    99         If <xref linkend="libxslt"/> is installed, then <xref linkend="DocBook"/>
    100         and <xref linkend="docbook-xsl"/> are required. If you have installed
    101         <xref linkend="libxslt"/>, but you do not want to install any of the
    102         DocBook packages mentioned, you will need to use
    103         <option>--disable-man-pages</option> in the instructions below.
     119        If <xref linkend="libxslt"/> is installed,
     120        then <xref linkend="DocBook"/> and <xref linkend="docbook-xsl"/> are
     121        required. If you have installed <xref linkend="libxslt"/>, but you do
     122        not want to install any of the DocBook packages mentioned, you will
     123        need to use <option>--disable-man-pages</option> in the instructions
     124        below.
    104125      </para>
    105126    </note>
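Review bot: lines 119-124 only reflow the existing note paragraph from 99-103 without changing a word, which buries the real content changes in this hunk (the new "Required Runtime Dependencies" block at 112-114 and the revision-specific phrases at 107-109); keep whitespace-only reflows out of a content commit, or split them into their own. The phrase construction at 107-109 renders "gtk-doc, and libxslt" for systemd and "gtk-doc, libxslt, and linux-pam" for sysv, which is the intended result.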
     
    124145        -g polkitd -s /bin/false polkitd</userinput></screen>
    125146
     147    <note revision="systemd">
     148      <para>
     149        When building <application>Polkit</application> with
     150        <application>systemd</application> logind support, the
     151        <command>configure</command> script explicitly checks if
     152        system is booted using <application>systemd</application>.
     153        This can cause problems if building the package in chroot,
     154        where the <command>configure</command> would fail to
     155        detect <application>systemd</application>. To workaround
     156        the problem, simply run the following command:
     157      </para>
     158
     159<screen><userinput>sed -i "s:/sys/fs/cgroup/systemd/:/sys:g" configure</userinput></screen>
     160    </note>
     161
    126162    <para>
    127163      Install <application>Polkit</application> by running the following
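Review bot: the sed on line 159 does not make configure detect systemd inside the chroot; it rewrites the test path /sys/fs/cgroup/systemd/ to /sys, which exists on every system, so the check simply always passes. The note should say that it bypasses the check rather than fixes detection, so readers understand the resulting build assumes a systemd-booted host at runtime. Grammar on 151-156: "checks if system is booted" should be "checks if the system is booted", "building the package in chroot" should be "in a chroot", and "To workaround the problem" should be "To work around the problem".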
     
    129165    </para>
    130166
    131 <screen><userinput>./configure --prefix=/usr                \
     167<screen revision="sysv"><userinput>./configure --prefix=/usr                \
    132168            --sysconfdir=/etc            \
    133169            --localstatedir=/var         \
     
    137173make</userinput></screen>
    138174
     175<screen revision="systemd"><userinput>./configure --prefix=/usr        \
     176            --sysconfdir=/etc    \
     177            --localstatedir=/var \
     178            --disable-static     &amp;&amp;
     179make</userinput></screen>
     180
    139181    <para>
    140182      To test the results, issue: <command>make check</command>.
     
    156198    <title>Command Explanations</title>
    157199
    158     <para>
     200    <para revision="sysv">
    159201      <parameter>--enable-libsystemd-login=no</parameter>: This parameter fixes
    160202      building without <application>systemd</application>, which is not part
     
    163205    </para>
    164206
    165     <para>
     207    <para revision="sysv">
    166208      <parameter>--with-authfw=shadow</parameter>: This parameter configures the
    167209      package to use the <application>Shadow</application> rather than the
    168       <application>Linux PAM</application> Authentication framework. Remove it
    169       if you would like to use <application>Linux PAM</application>.
     210      <application>Linux-PAM</application> Authentication framework. Remove it
     211      if you would like to use <application>Linux-PAM</application>.
     212    </para>
     213
     214    <para revision="systemd">
     215      <option>--with-authfw=shadow</option>: This switch enables the
     216      package to use the <application>Shadow</application> rather than the
     217      <application>Linux PAM</application> Authentication framework. Use it
     218      if you have not installed <application>Linux PAM</application>.
    170219    </para>
    171220
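Review bot: the sysv paragraph at 210-211 is changed from "Linux PAM" to "Linux-PAM", but the new systemd paragraph at 217-218 still says "Linux PAM"; pick one spelling for the whole file (the sudo.xml hunk in this same changeset uses "Linux-PAM"). In the same paragraphs, "Authentication framework" should be lower-case "authentication framework", and at 215 "This switch enables the package to use" reads better as "configures the package to use", matching the wording at 208-209.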
  • postlfs/security/shadow.xml

    reb3dbe3 rf586237  
    459459done</userinput></screen>
    460460
     461        <para revision="systemd">Because the installation of
     462        <application>systemd</application> is not yet complete, you will need
     463        to remove the <filename>/run/nologin</filename> file before testing the
     464        installation. Execute the following command as the
     465        <systemitem class="username">root</systemitem> user:</para>
     466
     467<screen role="root" revision="systemd"><userinput>rm -f /run/nologin</userinput></screen>
     468
    461469        <warning>
    462470          <para>
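Review bot: the rationale at 461-462 ("Because the installation of systemd is not yet complete") is confusing on a BLFS page, where systemd was installed during LFS; if the point is that /run/nologin is still present because the system has not yet been booted normally (for example when building from the LFS chroot), say that explicitly. Because /run/nologin is the marker that blocks every non-root login, readers on a fully booted system should be told whether this step applies to them before they remove it, and the sentence should limit the removal to the test run.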
     
    532540    <para>
    533541      A list of the installed files, along with their short descriptions can be
    534       found at <ulink url="http://www.linuxfromscratch.org/lfs/view/&lfs-version;/chapter06/shadow.html#contents-shadow"/>.
     542      found at
     543      <phrase revision="sysv">
     544      <ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/></phrase>
     545      <phrase revision="systemd">
     546      <ulink url="&lfs-rootd;/chapter06/shadow.html#contents-shadow"/></phrase>.
    535547    </para>
    536548
  • postlfs/security/stunnel.xml

    reb3dbe3 rf586237  
    150150<screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>
    151151
     152    <para revision="systemd">
     153      Install the included systemd unit by running the following command as the
     154      <systemitem class="username">root</systemitem> user:
     155    </para>
     156
     157<screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system</userinput></screen>
     158
    152159    <para>If you do not already have a signed SSL Certificate and Private Key,
    153160    create the <filename>stunnel.pem</filename> file in the
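Review bot: line 157 installs tools/stunnel.service into /lib/systemd/system, but nothing here says that the unit is only enabled later (the stunnel-init section runs systemctl enable stunnel) or which configuration file the unit expects, whereas the sysv path /etc/rc.d/init.d/stunnel is spelled out in that later section; add a short pointer to the stunnel-init section so the two steps read as one procedure. The 644 mode is correct for a unit file.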
     
    255262
    256263    <sect3  id="stunnel-init">
    257       <title>Boot Script</title>
    258 
    259       <para>To automatically start the <command>stunnel</command> daemon
    260       when the system is booted, install the
     264      <title><phrase revision="sysv">Boot Script</phrase>
     265             <phrase revision="systemd">Systemd Unit</phrase></title>
     266
     267      <para revision="sysv">To automatically start the
     268      <command>stunnel</command> daemon when the system is booted, install the
    261269      <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
    262       <xref linkend="bootscripts" revision="sysv"/>
    263       <xref linkend="systemd-units" revision="systemd"/> package.</para>
     270      <xref linkend="bootscripts"/> package.</para>
     271
     272      <para revision="systemd">To start the <command>stunnel</command>
     273      daemon at boot, enalbe the previously installed
     274      <application>systemd</application> unit by running the following command
     275     as the <systemitem class="username">root</systemitem> user:</para>
    264276
    265277      <indexterm zone="stunnel stunnel-init">
     
    267279      </indexterm>
    268280
    269 <screen role="root"><userinput>make install-stunnel</userinput></screen>
     281<screen role="root" revision="sysv"><userinput>make install-stunnel</userinput></screen>
     282
     283<screen role="root" revision="systemd"><userinput>systemctl enable stunnel</userinput></screen>
    270284
    271285    </sect3>
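Review bot: typo on line 273, "enalbe" should be "enable". Line 275 is indented with five spaces where the surrounding lines use six. The title at 264-265 now holds two phrases while the indexterm at 277-279 stays shared between revisions, which is fine for indexing; the sysv paragraph at 267-270 correctly drops the old revision="systemd" xref from 263 now that the systemd branch enables the unit installed earlier.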
  • postlfs/security/sudo.xml

    reb3dbe3 rf586237  
    159159
    160160    <para>
    161       <option>--without-pam</option>: Avoids building <application>PAM</application>
    162       support when <application>PAM</application> is installed on the system.
     161      <option>--without-pam</option>: This switch avoids building
     162      <application>Linux-PAM</application> support when
     163      <application>Linux-PAM</application> is installed on the system.
    163164    </para>
    164165
     
    175176
    176177    <para>
    177       <command>ln -sfv libsudo_util...</command>: works around a bug in the
     178      <command>ln -sfv libsudo_util...</command>: Works around a bug in the
    178179      installation process, which links to the previously installed
    179180      version (if there is one) instead of the new one.