From ea7e1179bc78209f4c4d67612f3262e4001a45c8 Mon Sep 17 00:00:00 2001
From: Hugo Villeneuve
Date: Fri, 14 Aug 2015 14:13:01 -0400
Subject: [PATCH] Replace getdate by ntpd

---
 config/dependencies | 2 +-
 config/packages-list | 3 +-
 stage3/hv-install-1 | 3 +-
 stage3/misc/hvgetdate | 2 -
 stage3/misc/ntpd | 2 +
 stage3/misc/ntpd-update-leap | 2 +
 stage3/packages-update | 3 +-
 .../common/libcap-2.24-fix-pam-location.patch | 14 ++++++
 .../common/libcap-2.24-no-libattr.patch | 12 +++++
 .../common/libcap-2.24-no-static.patch | 12 +++++
 stage3/pkg/getdate_rfc868 | 37 ---------------
 stage3/pkg/libcap | 19 ++++++++
 stage3/pkg/ntp | 47 +++++++++++++++++++
 13 files changed, 115 insertions(+), 43 deletions(-)
 delete mode 100644 stage3/misc/hvgetdate
 create mode 100644 stage3/misc/ntpd
 create mode 100644 stage3/misc/ntpd-update-leap
 create mode 100644 stage3/patches/common/libcap-2.24-fix-pam-location.patch
 create mode 100644 stage3/patches/common/libcap-2.24-no-libattr.patch
 create mode 100644 stage3/patches/common/libcap-2.24-no-static.patch
 delete mode 100644 stage3/pkg/getdate_rfc868
 create mode 100644 stage3/pkg/libcap
 create mode 100644 stage3/pkg/ntp

diff --git a/config/dependencies b/config/dependencies
index 7bc403c..cfb9e96 100644
--- a/config/dependencies
+++ b/config/dependencies
@@ -80,7 +80,7 @@ ${GIT}: ${OPENSSL} ${EXPAT} ${ZLIB} ${PERL} ${CURL}
 ${NMAP}: ${OPENSSL} ${PCRE} ${LIBPCAP}
-${GETDATE}: ${FCRON}
+${NTP}: ${FCRON} ${LIBCAP}
 ${SGML_DTD3}: ${SGML_COMMON}
 ${SGML_DTD4}: ${SGML_COMMON} ${UNZIP}
diff --git a/config/packages-list b/config/packages-list
index c57f2e9..94d156a 100644
--- a/config/packages-list
+++ b/config/packages-list
@@ -118,7 +118,6 @@ GDBM="gdbm-1.11"
 GDK_PIXBUF="gdk-pixbuf-2.31.1"
 GEDA_GAF="geda-gaf-1.8.2"
 GEGL="gegl-0.2.0"
-GETDATE="getdate_rfc868-1.2"
 GETTEXT="gettext-0.18.2.1"
 GHOSTSCRIPT="ghostscript-9.15"
 GHOSTSCRIPT_FONTS_STD="ghostscript-fonts-std-8.11"
@@ -245,6 +244,7 @@ LIBNOTIFY="libnotify-0.5.2"
 LIBOGG="libogg-1.3.2"
 LIBOIL="liboil-0.3.17"
 LIBOPENJPEG="openjpeg-1.5.2"
+LIBCAP="libcap-2.24"
 LIBPCAP="libpcap-1.3.0"
 LIBPIPELINE="libpipeline-1.4.0"
 LIBPNG="libpng-1.6.15"
@@ -309,6 +309,7 @@ NFS_UTILS="nfs-utils-1.3.1"
 NMAP="nmap-6.01"
 NSPR="nspr-4.10.7"
 NSS="nss-3.17.3"
+NTP="ntp-4.2.8p3"
 OPENJADE="openjade-1.3.2"
 OPENLDAP="openldap-2.4.23"
diff --git a/stage3/hv-install-1 b/stage3/hv-install-1
index 063a340..098db0c 100755
--- a/stage3/hv-install-1
+++ b/stage3/hv-install-1
@@ -69,7 +69,8 @@ ipkg ${BIND} "--localstatedir=/var \
 ipkg ${IPTABLES}
 ipkg ${CURL}
 ipkg ${RSYNC}
-ipkg -m noac ${GETDATE}
+ipkg -m noac ${LIBCAP}
+ipkg ${NTP}
 ipkg -m acnb ${LIBARCHIVE} "--disable-static"
 ipkg -m acnb ${CMAKE}
diff --git a/stage3/misc/hvgetdate b/stage3/misc/hvgetdate
deleted file mode 100644
index ebefa04..0000000
--- a/stage3/misc/hvgetdate
+++ /dev/null
@@ -1,2 +0,0 @@
-# Run after five minutes of execution the first time, then run every hours
-@mail(false),first(5) 6h /usr/local/bin/hvgetdate
diff --git a/stage3/misc/ntpd b/stage3/misc/ntpd
new file mode 100644
index 0000000..ea74f42
--- /dev/null
+++ b/stage3/misc/ntpd
@@ -0,0 +1,2 @@
+# Run after 5 minutes of execution the first time, then every day
+@mail(false),first(15) 24h /usr/sbin/ntpd
diff --git a/stage3/misc/ntpd-update-leap b/stage3/misc/ntpd-update-leap
new file mode 100644
index 0000000..f7cf84b
--- /dev/null
+++ b/stage3/misc/ntpd-update-leap
@@ -0,0 +1,2 @@
+# Run after 15 minutes of execution the first time, then run every 3 weeks
+@mail(false),first(15) 3w /usr/sbin/update-leap
diff --git a/stage3/packages-update b/stage3/packages-update
index 8275cdf..6c06894 100755
--- a/stage3/packages-update
+++ b/stage3/packages-update
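Review bot: The new stage3/misc/ntpd entry `@mail(false),first(15) 24h /usr/sbin/ntpd` starts ntpd without `-q`, so the first run forks a persistent daemon and every later 24h run launches a second instance while the first is presumably still running (it would fail to bind port 123 or collide on the pidfile rather than resynchronise anything). If the intent is the one-shot behaviour the removed hvgetdate job had, the entry should read `@mail(false),first(15) 24h /usr/sbin/ntpd -q -g`; if ntpd is meant to run continuously, it belongs in a boot script and the periodic schedule should go. The comment above that line also says `5 minutes` while `first(15)` waits 15; the sibling ntpd-update-leap entry has the matching `15 minutes` wording. Whether some boot script elsewhere already starts ntpd is not visible from this patch.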
@@ -48,7 +48,8 @@ fpkg -e "tar.gz" -v 0 ${BIND} "ftp://ftp.isc.org/isc/bind9"
 fpkg ${IPTABLES} "http://www.netfilter.org/projects/iptables/files"
 fpkg ${CURL} "http://curl.haxx.se/download"
 fpkg -e "tar.gz" ${RSYNC} "http://samba.org/ftp/rsync/src"
-fpkg -m hv ${GETDATE}
+fpkg -e "tar.xz" ${LIBCAP} "https://www.kernel.org/pub/linux/libs/security/linux-privs/libcap2"
+fpkg -e "tar.gz" ${NTP} "https://www.eecis.udel.edu/~ntp/ntp_spool/ntp$(get_pkg_ver1 ${NTP})/ntp-$(get_pkg_ver2 ${NTP})"
 fpkg -e "tar.gz" ${LIBARCHIVE} "http://www.libarchive.org/downloads"
 fpkg -e "tar.gz" -s "v" -v 2 ${CMAKE} "http://www.cmake.org/files"
diff --git a/stage3/patches/common/libcap-2.24-fix-pam-location.patch b/stage3/patches/common/libcap-2.24-fix-pam-location.patch
new file mode 100644
index 0000000..c2c9193
--- /dev/null
+++ b/stage3/patches/common/libcap-2.24-fix-pam-location.patch
@@ -0,0 +1,14 @@
+diff -Naur libcap-2.24.orig/pam_cap/Makefile libcap-2.24.new1/pam_cap/Makefile
+--- libcap-2.24.orig/pam_cap/Makefile 2013-12-15 23:46:28.000000000 -0500
++++ libcap-2.24.new1/pam_cap/Makefile 2015-08-14 13:01:09.814055382 -0400
+@@ -13,8 +13,8 @@
+ $(MAKE) testcompile
+
+ install: all
+- mkdir -p -m 0755 $(LIBDIR)/security
+- install -m 0755 pam_cap.so $(LIBDIR)/security
++ mkdir -p -m 0755 $(PAM_LIBDIR)/security
++ install -m 0755 pam_cap.so $(PAM_LIBDIR)/security
+
+ pam_cap.so: pam_cap.o
+ $(LD) $(LDFLAGS) -o pam_cap.so $< $(LDLIBS)
diff --git a/stage3/patches/common/libcap-2.24-no-libattr.patch b/stage3/patches/common/libcap-2.24-no-libattr.patch
new file mode 100644
index 0000000..ea95fd7
--- /dev/null
+++ b/stage3/patches/common/libcap-2.24-no-libattr.patch
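Review bot: Both new fpkg lines fetch over HTTPS, but nothing in this hunk records a checksum or signature for the libcap and ntp tarballs, and the ipkg lines in stage3/hv-install-1 unpack whatever was downloaded; if fpkg does not verify archives elsewhere, keeping the expected hash (or the upstream .sig) next to each URL would make the build reproducible and catch a swapped mirror. The ntp URL is also built from `get_pkg_ver1`/`get_pkg_ver2`, which are defined outside this patch; a short comment giving the directory those helpers are expected to yield for `NTP="ntp-4.2.8p3"` would spare the next reader from tracing them. The function containing these lines starts and ends outside the hunk.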
@@ -0,0 +1,12 @@
+diff -Naur libcap-2.24.orig/Make.Rules libcap-2.24.new3/Make.Rules
+--- libcap-2.24.orig/Make.Rules 2014-01-05 20:16:21.000000000 -0500
++++ libcap-2.24.new3/Make.Rules 2015-08-14 13:20:32.908143950 -0400
+@@ -69,7 +69,7 @@
+ PAM_CAP := $(shell if [ -f /usr/include/security/pam_modules.h ]; then echo yes ; else echo no ; fi)
+ INDENT := $(shell if [ -n "$(which indent 2>/dev/null)" ]; then echo "| indent -kr" ; fi)
+ DYNAMIC := $(shell if [ ! -d "$(topdir)/.git" ]; then echo yes; fi)
+-LIBATTR := yes
++LIBATTR := no
+
+ # When installing setcap, set its inheritable bit to be able to place
+ # capabilities on files. It can be used in conjunction with pam_cap
diff --git a/stage3/patches/common/libcap-2.24-no-static.patch b/stage3/patches/common/libcap-2.24-no-static.patch
new file mode 100644
index 0000000..56f3c31
--- /dev/null
+++ b/stage3/patches/common/libcap-2.24-no-static.patch
@@ -0,0 +1,12 @@
+diff -Naur libcap-2.24.orig/libcap/Makefile libcap-2.24.new2/libcap/Makefile
+--- libcap-2.24.orig/libcap/Makefile 2014-01-05 19:55:03.000000000 -0500
++++ libcap-2.24.new2/libcap/Makefile 2015-08-14 13:05:13.663073951 -0400
+@@ -74,7 +74,7 @@
+ mkdir -p -m 0755 $(INCDIR)/sys
+ install -m 0644 include/sys/capability.h $(INCDIR)/sys
+ mkdir -p -m 0755 $(LIBDIR)
+- install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
++# install -m 0644 $(STALIBNAME) $(LIBDIR)/$(STALIBNAME)
+ install -m 0644 $(MINLIBNAME) $(LIBDIR)/$(MINLIBNAME)
+ ln -sf $(MINLIBNAME) $(LIBDIR)/$(MAJLIBNAME)
+ ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME)
diff --git a/stage3/pkg/getdate_rfc868 b/stage3/pkg/getdate_rfc868
deleted file mode 100644
index 9731327..0000000
--- a/stage3/pkg/getdate_rfc868
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-hvbuild_post()
-{
- make installman
-
- cat > /usr/local/bin/hvgetdate << EOF
-#!/bin/sh
-
-# Time server informations:
-# US VA: nist1.aol-va.truetime.com (205.188.185.33)
-# Location: AOL Time Warner facility, Dulles, Virginia
-# Synchronization: Lockclock Algorithm and ACTS dial-up, GPS-stabilized oscillator for short-term stabilization
-# Service Area: Eastern US
-# Access Policy: Open access for up to 20 queries per hour (one-day average) from any one address, others by arrangement
-# Contact: Judah Levine, jlevine@boulder.nist.gov, 303 492 7785
-NTP_HOST1=205.188.185.33
-
-#CA time.nrc.ca (132.246.168.148)
-#Location: National Research Council of Canada, Ottawa, Ontario, Canada
-#Geographic Coordinates: 45:27N, 75:37W
-#Synchronization: NTP V3 secondary (stratum 2), PC/Linux
-#Service Area: Canada
-#Access Policy: open access
-#Contact: time@nrc.ca
-#Note: time is an alias and the IP address may change; please use DNS.
-NTP_HOST2=132.246.168.148
-
-echo -n "Synchronizing kernel time via NTP server:"
-getdate -adjust 1 600 \${NTP_HOST1} \${NTP_HOST2}
-exit 0
-EOF
- chmod 755 /usr/local/bin/hvgetdate
-
- # Adding fcrontab entry
- install -v -m644 ${SCRDIR}/misc/hvgetdate /etc/fcron/fcron.d
-}
diff --git a/stage3/pkg/libcap b/stage3/pkg/libcap
new file mode 100644
index 0000000..7b7b42b
--- /dev/null
+++ b/stage3/pkg/libcap
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+hvbuild()
+{
+ ${HVMAKE}
+
+ # RAISE_SETFCAP=no:
+ # This parameter skips trying to use setcap on itself. This avoids an
+ # installation error if the kernel or file system do not support extended
+ # capabilities.
+ ${HVMAKE} prefix=/usr \
+ SBINDIR=/sbin \
+ PAM_LIBDIR=/lib \
+ RAISE_SETFCAP=no install
+
+ chmod -v 755 /usr/lib/libcap.so
+ mv -v /usr/lib/libcap.so.* /lib
+ ln -sfv ../../lib/libcap.so.2 /usr/lib/libcap.so
+}
diff --git a/stage3/pkg/ntp b/stage3/pkg/ntp
new file mode 100644
index 0000000..f7b9384
--- /dev/null
+++ b/stage3/pkg/ntp
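Review bot: The last three lines of hvbuild in stage3/pkg/libcap relocate the shared library without saying why; `mv -v /usr/lib/libcap.so.* /lib` followed by `ln -sfv ../../lib/libcap.so.2 /usr/lib/libcap.so` leaves the real objects under /lib, presumably so that the tools installed with `SBINDIR=/sbin` can load it before /usr is available, and a comment such as `# Keep the shared object in /lib so /sbin tools linked against it work before /usr is mounted` would record that intent. Note also that `chmod -v 755 /usr/lib/libcap.so` is applied to the symlink the upstream Makefile installs (`ln -sf $(MAJLIBNAME) $(LIBDIR)/$(LIBNAME)` in the no-static patch), so chmod follows it to the versioned file; stating that in the comment avoids a reader assuming the line targets the link. The `RAISE_SETFCAP=no` comment already sets a good example for the rest of the block.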
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+hvconfig_pre()
+{
+ groupadd --system -f ntp
+ hv_useradd --system -c Network_Time_Protocol -g ntp -s /bin/false \
+ -d /var/lib/ntp ntp
+
+ CONFIGURE_OPTS+=" \
+ --bindir=/usr/sbin \
+ --enable-linuxcaps \
+ --with-lineeditlibs=readline"
+}
+
+hvbuild_post()
+{
+ install -v -o ntp -g ntp -d /var/lib/ntp
+
+cat > /etc/ntp.conf << "EOF"
+# Local router
+server 192.168.1.1
+
+# North America
+#server 0.north-america.pool.ntp.org
+
+driftfile /var/lib/ntp/ntp.drift
+pidfile /var/run/ntpd.pid
+
+leapfile /etc/ntp.leapseconds
+
+# Security session
+restrict default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+
+restrict 127.0.0.1
+restrict ::1
+
+# Denying access to NTP's monlist functionality, used for querying traffic
+# stats but also exploited in a denial-of-service attack.
+disable monitor
+
+EOF
+
+ # Adding fcrontab entries to run ntpd and leap seconds update script
+ # periodically:
+ install -v -m644 ${SCRDIR}/misc/ntpd* /etc/fcron/fcron.d
+}
-- 
2.20.1
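Review bot: hvconfig_pre creates a dedicated `ntp` user and group and configures with `--enable-linuxcaps`, but the fcron entry this file installs from stage3/misc/ntpd starts bare `/usr/sbin/ntpd`, and nothing visible in the patch passes `-u ntp:ntp`; without that option ntpd keeps running as root and the unprivileged account and the capability support are unused, so the entry should become `/usr/sbin/ntpd -u ntp:ntp ...` or the note should say where that is done. The generated ntp.conf is otherwise sound for a client: default `restrict ... nomodify notrap nopeer noquery`, unrestricted access only from loopback, and `disable monitor`. Two smaller points: `leapfile /etc/ntp.leapseconds` names a file nothing here installs, and the ntpd-update-leap job that would create it only runs 15 minutes after boot, so the first ntpd runs will presumably complain until it exists; and the heading `# Security session` reads as a typo for `# Security section`.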