IRCNow

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
openbsd:shell [2019/11/26 17:39]
jrmu
openbsd:shell [2020/05/19 00:27] (current)
jrmu
Line 17: Line 17:
         }         }
 </​code>​ </​code>​
 +
 +Update: hiding logs was causing problems
 +
 +We also hide logs in /var/logs and /​var/​www/​logs
  
 Packages installed: Packages installed:
  
 <​code>​ <​code>​
 +ImageMagick-6.9.10.62 image processing tools
 +alpine-2.21p3 ​      UW e-mail client
 +anthy-9100hp2 ​      ​japanese input method
 +antiword-0.37p0 ​    ​converts MSWord Documents to ASCII Text and PostScript
 +apr-1.6.5p0 ​        ​Apache Portable Runtime
 +apr-util-1.6.1p2 ​   companion library to APR
 +argon2-20171227 ​    C implementation of Argon2 - password hashing function
 +aspell-0.60.6.1p10 ​ spell checker designed to eventually replace Ispell
 +bash-5.0.11 ​        GNU Bourne Again Shell
 +boehm-gc-7.6.0p3 ​   garbage collection and memory leak detection for C and C++
 +boost-1.66.0p7 ​     free peer-reviewed portable C++ source libraries
 +bzip2-1.0.8 ​        ​block-sorting file compressor, unencumbered
 +cmake-3.15.3v0 ​     portable build system
 +coreutils-8.31p1 ​   file, shell and text manipulation utilities
 curl-7.66.0 ​        get files from FTP, Gopher, HTTP or HTTPS servers curl-7.66.0 ​        get files from FTP, Gopher, HTTP or HTTPS servers
-intel-firmware-20191115v0 microcode ​update ​binaries ​for Intel CPUs+cvsps-2.1p2         ​generate patchsets from CVS repositories 
 +cyrus-sasl-2.1.27p1 RFC 2222 SASL (Simple Authentication and Security Layer) 
 +db-4.6.21p7v0 ​      ​Berkeley DB package, revision 4 
 +desktop-file-utils-0.24p0 utilities for dot.desktop entries 
 +djvulibre-3.5.27p6 ​ view, decode and encode DjVu files 
 +docx2txt-1.4p0 ​     command line converter from Microsoft docx to ASCII text 
 +elvis-2.2.0p5-no_x11 clone of the ex/vi text editor 
 +emacs-26.3-no_x11 ​  GNU editor: extensible, customizable,​ self-documenting 
 +fdm-2.0 ​            ​fetch,​ filter and deliver mail 
 +fetchmail-6.3.26p3 ​ mail retrieval utility for POP2, POP3, KPOP, IMAP and more 
 +fftw3-3.3.8p1 ​      C routines for computing the Discrete Fourier Transform 
 +fftw3-common-3.3.8p1 common files for the fftw3 packages 
 +figlet-2.2.5 ​       generates ASCII banner art 
 +gawk-5.0.0p0 ​       GNU awk 
 +gdk-pixbuf-2.38.2 ​  ​graphic library for gtk+2 
 +geomyidae-0.34 ​     Gopher protocol daemon 
 +gettext-runtime-0.20.1p0 GNU gettext runtime libraries and programs 
 +giflib-5.1.6 ​       tools and library routines for working with GIF images 
 +git-2.23.0 ​         GIT - Tree History Storage Tool 
 +glib2-2.60.7 ​       general-purpose utility library 
 +gmake-4.2.1p4 ​      GNU make 
 +gnupg-1.4.23p3 ​     GNU privacy guard - a free PGP replacement 
 +gnupg-2.2.12p0 ​     GNU privacy guard - a free PGP replacement 
 +got-0.17 ​           game of trees version control system 
 +groff-1.22.4p0 ​     GNU troff typesetter 
 +gtk-update-icon-cache-3.24.12 gtk+ icon theme caching utility 
 +hicolor-icon-theme-0.17 fallback theme of the icon theme specification 
 +icu4c-64.2p0 ​       International Components ​for Unicode 
 +ii-1.7p3 ​           minimalist IRC client
 irssi-1.2.2 ​        ​modular IRC client with many features irssi-1.2.2 ​        ​modular IRC client with many features
 +jasper-2.0.14 ​      ​reference implementation of JPEG-2000
 +jbigkit-2.1 ​        ​lossless image compression library, with lightweight version
 +jpeg-2.0.3v0 ​       SIMD-accelerated JPEG codec replacement of libjpeg
 +jq-1.6p0 ​           lightweight and flexible command-line JSON processor
 +jsoncpp-1.8.4p2 ​    JSON parsing C++ API
 +lcms2-2.9p0 ​        color management library
 +ledger-3.1.1p4 ​     command line double-entry accounting ledger
 +libarchive-3.4.0 ​   multi-format archive and compression library
 +libb2-0.98.1v0 ​     library providing BLAKE2b, BLAKE2s, BLAKE2bp, BLAKE2sp
 +libffi-3.2.1p5 ​     Foreign Function Interface
 +libiconv-1.16p0 ​    ​character set conversion library
 +libidn2-2.3.0 ​      ​implementation of IDNA2008 internationalized domain names
 +libraw-0.19.5 ​      ​library for reading RAW files
 +libtasn1-4.14 ​      ​Abstract Syntax Notation One structure parser library
 +libunbound-1.9.4 ​   validating DNS resolver library
 +libunistring-0.9.7 ​ manipulate Unicode strings
 +libuv-1.30.1 ​       multi-platform library for asynchronous I/O
 +libwebp-1.0.3 ​      ​Google WebP image format conversion tool
 +libxml-2.9.9 ​       XML parsing library
 +links-1.03p0 ​       text browser, displays while downloading
 +lua-5.3.5 ​          ​powerful,​ light-weight programming language (version 5.3.5)
 +lynx-2.8.9rel1p0 ​   text web browser
 +lz4-1.9.2 ​          fast BSD-licensed data compression
 +mariadb-client-10.3.20v1 multithreaded SQL database (client)
 +mariadb-server-10.3.20v1 multithreaded SQL database (server)
 +mawk-1.3.4.20171017 fast POSIX-compliant awk
 +mcabber-1.1.0p4 ​    ​console jabber client
 +mercurial-5.0.2 ​    fast, lightweight source control management
 +multitail-6.4.2p0 ​  ​multi-window tail(1) utility
 mutt-1.12.2v3-sasl ​ tty-based e-mail client mutt-1.12.2v3-sasl ​ tty-based e-mail client
 +nano-4.4 ​           simple editor, inspired by Pico
 +neovim-0.3.8 ​       continuation and extension of Vim
 +newsboat-2.15p0 ​    ​RSS/​Atom feed reader for text terminals
 +nghttp2-1.39.2 ​     library for HTTP/2
 +ngircd-25 ​          ​lightweight irc server
 +node-10.16.3 ​       V8 JavaScript for clients and servers
 nvi-2.1.3p2 ​        ex/vi text editor with wide character support nvi-2.1.3p2 ​        ex/vi text editor with wide character support
 +oath-toolkit-2.6.2p1 toolkit for OATH/HOTP and TOTP
 +openjp2-2.3.1 ​      ​open-source JPEG 2000 codec library
 +p11-kit-0.23.18.1 ​  ​library for loading and enumerating PKCS#11 modules
 +pcre-8.41p2 ​        ​perl-compatible regular expression library
 php-7.3.12 ​         server-side HTML-embedded scripting language php-7.3.12 ​         server-side HTML-embedded scripting language
 +pico-5.09p20 ​       UW text editor
 +pkglocatedb-1.5 ​    ​database of packages for use with locate(1)
 +png-1.6.37 ​         library for manipulating PNG images
 +profanity-0.7.1 ​    ​console based XMPP client
 +py-pip-19.1.1 ​      tool for installing Python packages
 +py3-neovim-0.3.2p0 ​ Python plugin support for Neovim
 +py3-pip-19.1.1 ​     tool for installing Python packages
 python-2.7.16p1 ​    ​interpreted object-oriented programming language python-2.7.16p1 ​    ​interpreted object-oriented programming language
 python-3.7.4 ​       interpreted object-oriented programming language python-3.7.4 ​       interpreted object-oriented programming language
 quirks-3.182 ​       exceptions to pkg_add rules quirks-3.182 ​       exceptions to pkg_add rules
 +rhash-1.3.5p0 ​      ​utility and library for computing hash sums
 +rsync-3.1.3 ​        ​mirroring/​synchronization over low bandwidth links
 +ruby-2.6.5 ​         object oriented script language with threads
 +rust-1.38.0 ​        ​compiler for Rust Language
 +sacc-1.00 ​          ​simple console gopher client
 +screen-4.6.2 ​       multi-screen window manager
 +shared-mime-info-1.10p5 shared mime database for desktops
 +sic-1.2p1 ​          ​simple irc client
 +slrn-1.0.2p2 ​       SLang-based newsreader
 +sqlite3-3.29.0 ​     embedded SQL implementation
 +subversion-1.12.2 ​  ​subversion revision control system
 +tcsh-6.20.00p1 ​     extended C-shell with many useful features
 +tiff-4.0.10 ​        tools and library routines for working with TIFF images
 +tree-0.62 ​          print ascii formatted tree of a directory structure
 +trn-4.0.77p2 ​       threaded newsreader
 +uim-1.8.8p0 ​        ​multilingual input method library
 +uim-chewing-0.1.0p2 chewing input method for uim
 +unzip-6.0p12 ​       extract, list & test files in a ZIP archive
 vim-8.1.2061-no_x11 vi clone, many additional features vim-8.1.2061-no_x11 vi clone, many additional features
 +w3m-0.5.3p8 ​        ​pager/​text-based web browser
 +weechat-2.6 ​        fast, light and extensible chat client
 +wget-1.20.3p1 ​      ​retrieve files from the web via HTTP, HTTPS and FTP
 +xlsx2csv-20150318p1 convert XLSX files to CSV
 +xz-5.2.4 ​           LZMA compression and decompression tools
 +zh-fonts-kc-1.05p2 ​ extra chinese fonts
 +zh-libchewing-0.5.1p0 intelligent phonetic input method library
 +zip-3.0p1 ​          ​create/​update ZIP files compatible with PKZip(tm)
 +zstd-1.4.3 ​         zstandard fast real-time compression algorithm
 +</​code>​
 +
 +To set the user's default prompt to  "​username$ ", stick this into /​etc/​profile:​
 +
 +<​code>​
 +export PS1="​`whoami`$ "
 +</​code>​
 +
 +<​code>​
 +             # chmod -R o-rx /var/log
 +             # chmod o-rx /​var/​run/​utmp
 +             # chmod o-r /​var/​log/​wtmp*
 </​code>​ </​code>​
  
Line 42: Line 173:
 # chmod 750 /var/log # chmod 750 /var/log
 # chmod o-rx /var/log/* # chmod o-rx /var/log/*
 +# chmod -R o-rx /etc/mail
 </​code>​ </​code>​
  
Line 57: Line 189:
 # ln -s /​var/​www/​htdocs/​username /​home/​username/​htdocs # ln -s /​var/​www/​htdocs/​username /​home/​username/​htdocs
 # chown username:​username /​var/​www/​htdocs/​username /​home/​username/​htdocs # chown username:​username /​var/​www/​htdocs/​username /​home/​username/​htdocs
 +# edquota username
 </​code>​ </​code>​
  
Line 66: Line 199:
                 request strip 1                  request strip 1 
         }         }
 +</​code>​
 +
 +In nsd zone files, create 1 subdomain per user so users get: username.shell.ircnow.org
 +
 +any new suid binary'​s with 
 +<​code>​
 +             # find / -perm -4000
 +</​code>​
 +
 +Check /etc/groups to make sure that no user is a member of wheel. This will prevent them from su to root even if they know the password.
 +
 +In /​etc/​ssh/​sshd_config,​ turn off X11 forwarding
 +
 +Create symlinks for users so they don't complain:
 +
 +<​code>​
 +ln -s /​usr/​local/​bin/​tclsh8.6 /​usr/​local/​bin/​tclsh
 +ln -s /​usr/​local/​bin/​python3.7 /​usr/​local/​bin/​python
 +</​code>​
 +
 +You will want to have /​var/​www/​etc/​resolv.conf to allow DNS lookup inside the chroot:
 +
 +<​code>​
 +# mkdir /​var/​www/​etc/​
 +# cp /​etc/​resolv.conf /​var/​www/​etc/​
 +# chown -R www:daemon /​var/​www/​etc
 </​code>​ </​code>​