Replace getdate by ntpd
authorHugo Villeneuve <hugo@hugovil.com>
Fri, 14 Aug 2015 18:13:01 +0000 (14:13 -0400)
committerHugo Villeneuve <hugo@hugovil.com>
Fri, 14 Aug 2015 21:19:44 +0000 (17:19 -0400)
13 files changed:
config/dependencies
config/packages-list
stage3/hv-install-1
stage3/misc/hvgetdate [deleted file]
stage3/misc/ntpd [new file with mode: 0644]
stage3/misc/ntpd-update-leap [new file with mode: 0644]
stage3/packages-update
stage3/patches/common/libcap-2.24-fix-pam-location.patch [new file with mode: 0644]
stage3/patches/common/libcap-2.24-no-libattr.patch [new file with mode: 0644]
stage3/patches/common/libcap-2.24-no-static.patch [new file with mode: 0644]
stage3/pkg/getdate_rfc868 [deleted file]
stage3/pkg/libcap [new file with mode: 0644]
stage3/pkg/ntp [new file with mode: 0644]

index 7bc403c..cfb9e96 100644 (file)
@@ -80,7 +80,7 @@ ${GIT}: ${OPENSSL} ${EXPAT} ${ZLIB} ${PERL} ${CURL}
 
 ${NMAP}: ${OPENSSL} ${PCRE} ${LIBPCAP}
 
-${GETDATE}: ${FCRON}
+${NTP}: ${FCRON} ${LIBCAP}
 
 ${SGML_DTD3}: ${SGML_COMMON}
 ${SGML_DTD4}: ${SGML_COMMON} ${UNZIP}
index c57f2e9..94d156a 100644 (file)
@@ -118,7 +118,6 @@ GDBM="gdbm-1.11"
 GDK_PIXBUF="gdk-pixbuf-2.31.1"
 GEDA_GAF="geda-gaf-1.8.2"
 GEGL="gegl-0.2.0"
-GETDATE="getdate_rfc868-1.2"
 GETTEXT="gettext-0.18.2.1"
 GHOSTSCRIPT="ghostscript-9.15"
 GHOSTSCRIPT_FONTS_STD="ghostscript-fonts-std-8.11"
@@ -245,6 +244,7 @@ LIBNOTIFY="libnotify-0.5.2"
 LIBOGG="libogg-1.3.2"
 LIBOIL="liboil-0.3.17"
 LIBOPENJPEG="openjpeg-1.5.2"
+LIBCAP="libcap-2.24"
 LIBPCAP="libpcap-1.3.0"
 LIBPIPELINE="libpipeline-1.4.0"
 LIBPNG="libpng-1.6.15"
@@ -309,6 +309,7 @@ NFS_UTILS="nfs-utils-1.3.1"
 NMAP="nmap-6.01"
 NSPR="nspr-4.10.7"
 NSS="nss-3.17.3"
+NTP="ntp-4.2.8p3"
 
 OPENJADE="openjade-1.3.2"
 OPENLDAP="openldap-2.4.23"
index 063a340..098db0c 100755 (executable)
@@ -69,7 +69,8 @@ ipkg ${BIND} "--localstatedir=/var \
 ipkg ${IPTABLES}
 ipkg ${CURL}
 ipkg ${RSYNC}
-ipkg -m noac ${GETDATE}
+ipkg -m noac ${LIBCAP}
+ipkg ${NTP}
 
 ipkg -m acnb ${LIBARCHIVE} "--disable-static"
 ipkg -m acnb ${CMAKE}
diff --git a/stage3/misc/hvgetdate b/stage3/misc/hvgetdate
deleted file mode 100644 (file)
index ebefa04..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-# Run after five minutes of execution the first time, then run every hours
-@mail(false),first(5) 6h /usr/local/bin/hvgetdate
diff --git a/stage3/misc/ntpd b/stage3/misc/ntpd
new file mode 100644 (file)
index 0000000..ea74f42
--- /dev/null
@@ -0,0 +1,2 @@
+# Run after 5 minutes of execution the first time, then every day
+@mail(false),first(15) 24h /usr/sbin/ntpd
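Review bot: The comment and the schedule disagree: the text says the first run is after 5 minutes but the entry uses `first(15)`, so one of them should change (`first(5)` if the comment states the intent). The bigger issue is that `/usr/sbin/ntpd` with no arguments starts a persistent daemon, so re-running it every 24h from fcron will, as far as I can tell, either fail because a daemon already holds port 123 or leave duplicate daemons, whereas the getdate job this replaces was a one-shot adjustment. If a one-shot is intended, `@mail(false),first(15) 24h /usr/sbin/ntpd -q -g -u ntp:ntp` sets the clock and exits, and `-u ntp:ntp` drops root to the ntp account that stage3/pkg/ntp creates and builds `--enable-linuxcaps` for; as written ntpd keeps running as root. If a long-lived daemon is intended instead, it belongs in the boot scripts rather than in an fcron entry. Whether `-g` (allow a large first step) is wanted depends on how wrong the clock can be at boot on this hardware; confirm.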
diff --git a/stage3/misc/ntpd-update-leap b/stage3/misc/ntpd-update-leap
new file mode 100644 (file)
index 0000000..f7cf84b
--- /dev/null
@@ -0,0 +1,2 @@
+# Run after 15 minutes of execution the first time, then run every 3 weeks
+@mail(false),first(15) 3w /usr/sbin/update-leap
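Review bot: `update-leap` fetches the leap-seconds list from the network and writes it over the `leapfile` path, and this entry runs it as root with no options, so the source URL and transport are whatever the 4.2.8p3 script defaults to; confirm that default is HTTPS and, if the script offers a source override, pin one explicitly rather than relying on the default. The job fires 15 minutes after start, the same moment as the ntpd entry, so ntpd's first run will see no `/etc/ntp.leapseconds` yet (presumably only a warning, but worth stating). Suggest the comment read `# Refresh /etc/ntp.leapseconds (the leapfile named in ntp.conf); downloads from the network as root, first 15 min after start, then every 3 weeks`.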
index 8275cdf..6c06894 100755 (executable)
@@ -48,7 +48,8 @@ fpkg -e "tar.gz" -v 0 ${BIND} "ftp://ftp.isc.org/isc/bind9"
 fpkg ${IPTABLES} "http://www.netfilter.org/projects/iptables/files"
 fpkg ${CURL} "http://curl.haxx.se/download"
 fpkg -e "tar.gz" ${RSYNC} "http://samba.org/ftp/rsync/src"
-fpkg -m hv ${GETDATE}
+fpkg -e "tar.xz" ${LIBCAP} "https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2"
+fpkg -e "tar.gz" ${NTP} "https://www.eecis.udel.edu/~ntp/ntp_spool/ntp$(get_pkg_ver1 ${NTP})/ntp-$(get_pkg_ver2 ${NTP})"
 
 fpkg -e "tar.gz" ${LIBARCHIVE} "http://www.libarchive.org/downloads"
 fpkg -e "tar.gz" -s "v" -v 2 ${CMAKE} "http://www.cmake.org/files"
diff --git a/stage3/patches/common/libcap-2.24-fix-pam-location.patch b/stage3/patches/common/libcap-2.24-fix-pam-location.patch
new file mode 100644 (file)
index 0000000..c2c9193
--- /dev/null
@@ -0,0 +1,14 @@
+diff -Naur libcap-2.24.orig/pam_cap/Makefile libcap-2.24.new1/pam_cap/Makefile
+--- libcap-2.24.orig/pam_cap/Makefile  2013-12-15 23:46:28.000000000 -0500
++++ libcap-2.24.new1/pam_cap/Makefile  2015-08-14 13:01:09.814055382 -0400
+@@ -13,8 +13,8 @@
+       $(MAKE) testcompile
+ install: all
+-      mkdir -p -m 0755 $(LIBDIR)/security
+-      install -m 0755 pam_cap.so $(LIBDIR)/security
++      mkdir -p -m 0755 $(PAM_LIBDIR)/security
++      install -m 0755 pam_cap.so $(PAM_LIBDIR)/security
+ pam_cap.so: pam_cap.o
+       $(LD) $(LDFLAGS) -o pam_cap.so $< $(LDLIBS)
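Review bot: The patch replaces `$(LIBDIR)` with `$(PAM_LIBDIR)` but defines no default for it, so a build that does not pass `PAM_LIBDIR=...` on the make command line expands it to empty and runs `mkdir -p -m 0755 /security`, installing pam_cap.so into `/security` at the filesystem root. stage3/pkg/libcap does pass `PAM_LIBDIR=/lib`, but the patch should stand on its own: add `PAM_LIBDIR ?= $(LIBDIR)` alongside the other install-path variables (in Make.Rules, or at the top of pam_cap/Makefile) so the fallback is upstream's behaviour. A line of free text above the `diff` header saying why the patch exists, e.g. `Install pam_cap.so under $(PAM_LIBDIR)/security (/lib/security here) instead of $(LIBDIR)/security`, would help the next maintainer; patch files tolerate prose before the first `diff` line.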
diff --git a/stage3/patches/common/libcap-2.24-no-libattr.patch b/stage3/patches/common/libcap-2.24-no-libattr.patch
new file mode 100644 (file)
index 0000000..ea95fd7
--- /dev/null
@@ -0,0 +1,12 @@
+diff -Naur libcap-2.24.orig/Make.Rules libcap-2.24.new3/Make.Rules
+--- libcap-2.24.orig/Make.Rules        2014-01-05 20:16:21.000000000 -0500
++++ libcap-2.24.new3/Make.Rules        2015-08-14 13:20:32.908143950 -0400
+@@ -69,7 +69,7 @@
+ PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
+ INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
+ DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
+-LIBATTR := yes
++LIBATTR := no
+ # When installing setcap, set its inheritable bit to be able to place
+ # capabilities on files. It can be used in conjunction with pam_cap
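Review bot: This flips `LIBATTR` to `no` with no explanation, and in libcap 2.24 that switch, as far as I recall, gates the cap_file.c build (cap_get_file/cap_set_file) and with it the getcap/setcap programs, not merely an `-lattr` link flag; the result may be a libcap without file-capability support, so check what `make install` actually produces. If that is acceptable here (ntpd's `--enable-linuxcaps` only needs the process-capability calls), record it in a header above the `diff` line, e.g. `libattr is not part of this build; in libcap 2.24 this also drops file-capability (cap_file) support`. If setcap is wanted, adding libattr to config/packages-list is the alternative to this patch.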
diff --git a/stage3/patches/common/libcap-2.24-no-static.patch b/stage3/patches/common/libcap-2.24-no-static.patch
new file mode 100644 (file)
index 0000000..56f3c31
--- /dev/null
@@ -0,0 +1,12 @@
+diff -Naur libcap-2.24.orig/libcap/Makefile libcap-2.24.new2/libcap/Makefile
+--- libcap-2.24.orig/libcap/Makefile   2014-01-05 19:55:03.000000000 -0500
++++ libcap-2.24.new2/libcap/Makefile   2015-08-14 13:05:13.663073951 -0400
+@@ -74,7 +74,7 @@
+       mkdir -p -m 0755 $(INCDIR)/sys
+       install -m 0644 include/sys/capability.h $(INCDIR)/sys
+       mkdir -p -m 0755 $(LIBDIR)
+-      install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
++#     install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
+       install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME)
+       ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME)
+       ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME)
diff --git a/stage3/pkg/getdate_rfc868 b/stage3/pkg/getdate_rfc868
deleted file mode 100644 (file)
index 9731327..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-hvbuild_post()
-{
-    make installman
-
-    cat > /usr/local/bin/hvgetdate << EOF
-#!/bin/sh
-
-# Time server informations:
-# US VA: nist1.aol-va.truetime.com (205.188.185.33)
-# Location: AOL Time Warner facility, Dulles, Virginia
-# Synchronization: Lockclock Algorithm and ACTS dial-up, GPS-stabilized oscillator for short-term stabilization
-# Service Area: Eastern US
-# Access Policy: Open access for up to 20 queries per hour (one-day average) from any one address, others by arrangement
-# Contact: Judah Levine, jlevine@boulder.nist.gov, 303 492 7785
-NTP_HOST1=205.188.185.33
-
-#CA time.nrc.ca (132.246.168.148)
-#Location: National Research Council of Canada, Ottawa, Ontario, Canada
-#Geographic Coordinates: 45:27N, 75:37W
-#Synchronization: NTP V3 secondary (stratum 2), PC/Linux
-#Service Area: Canada
-#Access Policy: open access
-#Contact: time@nrc.ca
-#Note: time is an alias and the IP address may change; please use DNS.
-NTP_HOST2=132.246.168.148
-
-echo -n "Synchronizing kernel time via NTP server:"
-getdate -adjust 1 600 \${NTP_HOST1} \${NTP_HOST2}
-exit 0
-EOF
-    chmod 755 /usr/local/bin/hvgetdate
-
-    # Adding fcrontab entry
-    install -v -m644 ${SCRDIR}/misc/hvgetdate /etc/fcron/fcron.d
-}
diff --git a/stage3/pkg/libcap b/stage3/pkg/libcap
new file mode 100644 (file)
index 0000000..7b7b42b
--- /dev/null
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+hvbuild()
+{
+    ${HVMAKE}
+
+    # RAISE_SETFCAP=no:
+    #   This parameter skips trying to use setcap on itself. This avoids an
+    #   installation error if the kernel or file system do not support extended
+    #   capabilities.
+    ${HVMAKE} prefix=/usr \
+              SBINDIR=/sbin \
+              PAM_LIBDIR=/lib \
+              RAISE_SETFCAP=no install
+
+    chmod -v 755 /usr/lib/libcap.so
+    mv -v /usr/lib/libcap.so.* /lib
+    ln -sfv ../../lib/libcap.so.2 /usr/lib/libcap.so
+}
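Review bot: The three post-install lines carry no comment and the first is non-obvious: after `make install`, `/usr/lib/libcap.so` is a symlink chain to the versioned library (per the libcap/Makefile shown in the no-static patch), so `chmod 755` follows it and changes the mode of the real `libcap.so.2.24`; the versioned files are then moved to `/lib` and the unversioned link re-pointed there. Suggest a comment above `chmod`: `# Move the runtime library to /lib so it is available before /usr is mounted, with the 755 mode of the other shared objects there; /usr/lib/libcap.so remains as the link-time symlink.` The `../../lib/libcap.so.2` target hard-codes the soname major, which is fine for 2.24 but should be revisited when ${LIBCAP} changes major version.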
diff --git a/stage3/pkg/ntp b/stage3/pkg/ntp
new file mode 100644 (file)
index 0000000..f7b9384
--- /dev/null
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+hvconfig_pre()
+{
+    groupadd --system -f ntp
+    hv_useradd --system -c Network_Time_Protocol -g ntp -s /bin/false \
+               -d /var/lib/ntp ntp
+
+    CONFIGURE_OPTS+=" \
+        --bindir=/usr/sbin \
+        --enable-linuxcaps \
+        --with-lineeditlibs=readline"
+}
+
+hvbuild_post()
+{
+    install -v -o ntp -g ntp -d /var/lib/ntp
+
+cat > /etc/ntp.conf << "EOF"
+# Local router
+server 192.168.1.1
+
+# North America
+#server 0.north-america.pool.ntp.org
+
+driftfile /var/lib/ntp/ntp.drift
+pidfile   /var/run/ntpd.pid
+
+leapfile  /etc/ntp.leapseconds
+
+# Security session
+restrict    default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+
+restrict 127.0.0.1
+restrict ::1
+
+# Denying access to NTP's monlist functionality, used for querying traffic
+# stats but also exploited in a denial-of-service attack.
+disable monitor
+
+EOF
+
+    # Adding fcrontab entries to run ntpd and leap seconds update script
+    # periodically:
+    install -v -m644 ${SCRDIR}/misc/ntpd* /etc/fcron/fcron.d
+}
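Review bot: The generated ntp.conf trusts a single hard-coded, unauthenticated source, `server 192.168.1.1`, with the pool line commented out, so the clock follows whatever answers at that address and never syncs if the router has no NTP service; anyone able to impersonate the router on the LAN can set the system time, which in turn affects certificate-validity checks. At minimum add `iburst` for a fast first sync and keep a second source as fallback: `server 192.168.1.1 iburst` / `server 0.north-america.pool.ntp.org iburst`. The `restrict default nomodify notrap nopeer noquery` lines are good, and `disable monitor` is redundant with `noquery` but harmless; the comment `# Security session` should read `# Security section`. Note also that `/var/lib/ntp` is created for the ntp user here, but nothing in this commit starts ntpd with `-u ntp:ntp`, so the account and `--enable-linuxcaps` go unused until the fcron invocation passes it.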