TCLUG Archive
Re: [TCLUG:22116] Sealing the lid.
Alright, so you grab the latest patch and follow the instructions. I'm
not going to repeat stuff. ;) On to Debian implementation specifics.
lidsadm has changed from the howtos though, and the whole package
suffers from English-is-my-second-languagitis. :P Maybe I should
volunteer to fix that. ;) To make a directory/file read only you use:
lidsadm -A -o /path/or/file -j READ
Looks a bit like ipchains... Protect these paths:
/boot (I put vmlinuz in /boot. If you've got it in root, protect
/vmlinuz. Heck, protecting / might not be a bad idea...)
/lib
/sbin
/bin
/usr/sbin
/usr/bin
/usr/lib
/etc/init.d
The docs say to protect /etc itself, but Debian puts stuff in subdirs so
you should probably protect all of them too; I haven't seen anything for
making all subdirs inherit. I was slapping this up late at night so I was
too lazy to mess with it, but anyway protecting /etc/init.d makes lids
happily let your init scripts run during startup because they're
protected. Now, Debian doesn't have an rc.local. I have to write a SysV
init script, whee. Put a script in /etc/init.d that looks something like
this:
#!/bin/bash
# Remove subsys lock file when stopping
if [ "$1" = "stop" ]
then
    rm -f /var/run/local
    exit 0
fi
if [ "$1" = "start" ]
then
    # Lock file already present: we have been started once, nothing to do
    if [ -f /var/run/local ]
    then
        exit 0
    fi
    # Create lock file
    touch /var/run/local
    /usr/bin/setterm -blank 0 >/dev/console
    echo "Starting distributed.net client..." >/dev/console
    # dnetc runs out of its own directory, output goes to tty9
    cd /usr/local/sbin/dnetc/
    ./dnetc >/dev/tty9 2>&1 &
    cd /
    echo "Waiting a bit before we seal the lid..."
    # Stupid race conditions
    sleep 10
    echo -n "Sealing the lid"
    # Seal the kernel: from here on lids enforces the rules and module loading is off
    /sbin/lidsadm -I
    echo .
fi
The last bit is the interesting bit that seals the lid. I was getting a
kernel oops without the sleep. Go fig. ;P
Add this local script to the end of startup with:
update-rc.d local defaults 99
Now with any luck it'll start up with no complaints from lids. If you
look at how I have dnetc installed, I also had to protect
/usr/local/sbin/dnetc/dnetc to make lids happy...
I don't understand how APPEND works on directories; it doesn't seem to
inherit to the files in the dir, basically doesn't seem to do anything.
What would be nice is if you could set /var/log APPEND, then give write
access only to logrotate... Right now my logs are unprotected. I suppose
you have to add a rule for every file, which is icky. ;P
It also appears I'm not logging the new 'security' loglevel added by
lids/openwall. Have to fix that...
Also had a problem with something trying to load the serial module. Now
that I think of it, I have a getty running null modem for PPP to my
Atari, triggering the loading of serial after the lid had been shut,
which disables module loading. I fixed it by adding serial to
/etc/modules. Should probably protect that file...
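Added example (mine, not code from the post above): since a rule on a directory doesn't inherit to its subdirectories or files, the lidsadm rule syntax quoted above ("lidsadm -A -o PATH -j READ") lends itself to a little generator that emits one rule per path. It covers the read-only list from the post, walks /etc so each subdirectory gets its own READ rule, and emits one APPEND rule per log file, which is the per-file approach the post supposes is needed for /var/log. It only prints the commands by default; the LIDS_APPLY variable, the find-based expansion and the script name are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Turns the post's rule
# syntax ("lidsadm -A -o PATH -j READ") into a generator that emits one rule
# per path, because a rule on a directory does not inherit to the
# subdirectories or files below it. Dry run by default: commands are only
# printed. LIDS_APPLY=1 (assumed variable name) runs them via /sbin/lidsadm.

# Paths the post lists as read-only.
READ_ONLY_PATHS="/boot /lib /sbin /bin /usr/sbin /usr/bin /usr/lib /etc/init.d"

LIDS_APPLY="${LIDS_APPLY:-0}"

# run_rule PATH ACTION: print one rule, or apply it when LIDS_APPLY=1.
run_rule() {
    if [ "$LIDS_APPLY" = "1" ]; then
        /sbin/lidsadm -A -o "$1" -j "$2"
    else
        printf 'lidsadm -A -o %s -j %s\n' "$1" "$2"
    fi
}

# read_rules: one READ rule per path in READ_ONLY_PATHS.
read_rules() {
    for p in $READ_ONLY_PATHS; do
        run_rule "$p" READ
    done
}

# subdir_read_rules DIR: a READ rule for DIR and for every subdirectory
# below it (Debian keeps configuration in /etc subdirectories, which a
# rule on /etc alone does not cover).
subdir_read_rules() {
    find "$1" -type d | sort | while read -r d; do
        run_rule "$d" READ
    done
}

# per_file_append_rules DIR: one APPEND rule per regular file under DIR
# (e.g. /var/log), the per-file approach the post supposes is needed.
per_file_append_rules() {
    find "$1" -type f | sort | while read -r f; do
        run_rule "$f" APPEND
    done
}

# main: the whole rule set for the post's layout.
# Usage: sh lids-rules.sh run            (print the commands)
#        LIDS_APPLY=1 sh lids-rules.sh run (apply them)
main() {
    read_rules
    subdir_read_rules /etc
    per_file_append_rules /var/log
}

case "${1:-}" in
    run) main ;;
esac
```

Run it once without LIDS_APPLY and read through the list before applying; anything that must still be writable after the lid is sealed (the /var/run/local lock file from the init script, for instance) shouldn't be in it.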