diff --git a/.etckeeper b/.etckeeper
index 62361b13..c8c76e07 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -2,6 +2,7 @@
mkdir -p './X11/xkb'
mkdir -p './apparmor.d/force-complain'
+mkdir -p './apt/auth.conf.d'
mkdir -p './apt/preferences.d'
mkdir -p './apt/trusted.gpg.d'
mkdir -p './avahi/services'
@@ -110,6 +111,7 @@ maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
maybe chmod 0644 'apt/apt.conf.d/20listchanges'
maybe chmod 0644 'apt/apt.conf.d/50raspi'
maybe chmod 0644 'apt/apt.conf.d/70debconf'
+maybe chmod 0755 'apt/auth.conf.d'
maybe chmod 0644 'apt/listchanges.conf'
maybe chmod 0755 'apt/preferences.d'
maybe chmod 0644 'apt/sources.list'
@@ -481,6 +483,8 @@ maybe chmod 0644 'emacs/site-start.d/50cmake-data.el'
maybe chmod 0644 'emacs/site-start.d/50figlet.el'
maybe chmod 0644 'email-addresses'
maybe chmod 0644 'environment'
+maybe chmod 0755 'environment.d'
+maybe chmod 0644 'environment.d/90qt-a11y.conf'
maybe chmod 0755 'etckeeper'
maybe chmod 0755 'etckeeper/commit.d'
maybe chmod 0755 'etckeeper/commit.d/10vcs-test'
@@ -4024,6 +4028,7 @@ maybe chmod 0644 'systemd/logind.conf'
maybe chmod 0755 'systemd/network'
maybe chmod 0644 'systemd/networkd.conf'
maybe chmod 0644 'systemd/resolved.conf'
+maybe chmod 0644 'systemd/sleep.conf'
maybe chmod 0755 'systemd/system'
maybe chmod 0644 'systemd/system.conf'
maybe chmod 0644 'systemd/system/autologin@.service'
@@ -4097,6 +4102,7 @@ maybe chmod 0755 'wpa_supplicant/action_wpa.sh'
maybe chmod 0755 'wpa_supplicant/functions.sh'
maybe chmod 0755 'wpa_supplicant/ifupdown.sh'
maybe chmod 0600 'wpa_supplicant/wpa_supplicant.conf'
+maybe chmod 0644 'xattr.conf'
maybe chmod 0755 'xdg'
maybe chmod 0755 'xdg/autostart'
maybe chmod 0644 'xdg/autostart/at-spi-dbus-bus.desktop'
diff --git a/apparmor.d/usr.sbin.named b/apparmor.d/usr.sbin.named
index 87d528fa..9e6deb84 100644
--- a/apparmor.d/usr.sbin.named
+++ b/apparmor.d/usr.sbin.named
@@ -22,6 +22,9 @@
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
+ # Database file used by allow-new-zones
+ /var/cache/bind/_default.nzd-lock rwk,
+
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
@@ -68,6 +71,15 @@
# dynamic updates
/var/tmp/DNS_* rw,
+ # dyndb backends
+ /usr/lib/bind/*.so rm,
+
+ # Samba DLZ
+ /var/lib/samba/private/dns.keytab r,
+ /var/lib/samba/private/named.conf r,
+ /var/lib/samba/private/dns/** rwk,
+ /etc/smb.conf r,
+
# Site-specific additions and overrides. See local/README for details.
#include
}
diff --git a/apt/apt.conf.d/01autoremove-kernels b/apt/apt.conf.d/01autoremove-kernels
index 233625a3..e939c0ab 100644
--- a/apt/apt.conf.d/01autoremove-kernels
+++ b/apt/apt.conf.d/01autoremove-kernels
@@ -1,35 +1,20 @@
// DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal
APT::NeverAutoRemove
{
- "^linux-image-4\.14\.79-v7\+$";
"^linux-image-4\.14\.98-v7\+$";
- "^linux-headers-4\.14\.79-v7\+$";
"^linux-headers-4\.14\.98-v7\+$";
- "^linux-image-extra-4\.14\.79-v7\+$";
"^linux-image-extra-4\.14\.98-v7\+$";
- "^linux-modules-4\.14\.79-v7\+$";
"^linux-modules-4\.14\.98-v7\+$";
- "^linux-modules-extra-4\.14\.79-v7\+$";
"^linux-modules-extra-4\.14\.98-v7\+$";
- "^linux-signed-image-4\.14\.79-v7\+$";
"^linux-signed-image-4\.14\.98-v7\+$";
- "^kfreebsd-image-4\.14\.79-v7\+$";
"^kfreebsd-image-4\.14\.98-v7\+$";
- "^kfreebsd-headers-4\.14\.79-v7\+$";
"^kfreebsd-headers-4\.14\.98-v7\+$";
- "^gnumach-image-4\.14\.79-v7\+$";
"^gnumach-image-4\.14\.98-v7\+$";
- "^.*-modules-4\.14\.79-v7\+$";
"^.*-modules-4\.14\.98-v7\+$";
- "^.*-kernel-4\.14\.79-v7\+$";
"^.*-kernel-4\.14\.98-v7\+$";
- "^linux-backports-modules-.*-4\.14\.79-v7\+$";
"^linux-backports-modules-.*-4\.14\.98-v7\+$";
- "^linux-modules-.*-4\.14\.79-v7\+$";
"^linux-modules-.*-4\.14\.98-v7\+$";
- "^linux-tools-4\.14\.79-v7\+$";
"^linux-tools-4\.14\.98-v7\+$";
- "^linux-cloud-tools-4\.14\.79-v7\+$";
"^linux-cloud-tools-4\.14\.98-v7\+$";
};
/* Debug information:
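Review bot: The Samba DLZ block reads `/etc/smb.conf r,`, but Debian's samba packages install their configuration as /etc/samba/smb.conf, so if DLZ is enabled on this host that read would be denied and show up only as a DENIED entry in the audit log; either add `/etc/samba/smb.conf r,` next to it or leave the block out if Samba DLZ is not used here. `/usr/lib/bind/*.so rm,` lets named map any shared object under that directory, which is acceptable only while the directory stays writable by root alone, and a one-line comment stating that assumption would help the next reader. The `/var/lib/samba/private/dns/** rwk,` rule grants write and lock on the whole subtree, which the DLZ database presumably needs but is wider than the single-file rules around it. The profile block enclosing both hunks starts and ends outside them.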
@@ -39,12 +24,11 @@ APT::NeverAutoRemove
# list of different kernel versions:
# Installing kernel: (4.14.98-v7+)
-# Running kernel: ignored (4.14.79-v7+)
+# Running kernel: ignored (4.14.98-v7+)
# Last kernel:
# Previous kernel:
# Kernel versions list to keep:
# Kernel packages (version part) to protect:
-4\.14\.79-v7\+
4\.14\.98-v7\+
*/
diff --git a/console-setup/cached_UTF-8_del.kmap.gz b/console-setup/cached_UTF-8_del.kmap.gz
index d56272d1..311fca37 100644
Binary files a/console-setup/cached_UTF-8_del.kmap.gz and b/console-setup/cached_UTF-8_del.kmap.gz differ
diff --git a/cron.daily/dpkg b/cron.daily/dpkg
index 0a6b05e1..62da8172 100755
--- a/cron.daily/dpkg
+++ b/cron.daily/dpkg
@@ -9,16 +9,16 @@ if cd /var/backups ; then
dbchanged=no
dbfiles="arch status diversions statoverride"
for db in $dbfiles ; do
- if ! cmp -s dpkg.${db}.0 $dbdir/$db ; then
+ if ! cmp -s "dpkg.${db}.0" "$dbdir/$db"; then
dbchanged=yes
break;
fi
done
if [ "$dbchanged" = "yes" ] ; then
for db in $dbfiles ; do
- [ -e $dbdir/$db ] || continue
- cp -p $dbdir/$db dpkg.$db
- savelog -c 7 dpkg.$db >/dev/null
+ [ -e "$dbdir/$db" ] || continue
+ cp -p "$dbdir/$db" "dpkg.$db"
+ savelog -c 7 "dpkg.$db" >/dev/null
done
fi
diff --git a/cron.daily/man-db b/cron.daily/man-db
index 942a22ce..1342bc68 100755
--- a/cron.daily/man-db
+++ b/cron.daily/man-db
@@ -22,7 +22,7 @@ if ! [ -d /var/cache/man ]; then
fi
# expunge old catman pages which have not been read in a week
-if [ ! -d /run/systemd/system ] && [ -d /var/cache/man ]; then
+if [ -d /var/cache/man ]; then
cd /
start-stop-daemon --start --pidfile /dev/null --startas /bin/sh \
--oknodo --chuid man $iosched_idle -- -c \
diff --git a/environment.d/90qt-a11y.conf b/environment.d/90qt-a11y.conf
new file mode 100644
index 00000000..46a63b29
--- /dev/null
+++ b/environment.d/90qt-a11y.conf
@@ -0,0 +1 @@
+QT_ACCESSIBILITY=1
diff --git a/init.d/ssh b/init.d/ssh
index f2500088..620af70e 100755
--- a/init.d/ssh
+++ b/init.d/ssh
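Review bot: Dropping the `[ ! -d /run/systemd/system ]` test in cron.daily/man-db means the catman expunge now runs from cron on systemd hosts too; that guard presumably existed so the cron job would not duplicate a man-db systemd timer, so confirm that no timer unit on this host still performs the same expunge, otherwise the cleanup runs twice a day. The unprivileged `--chuid man` invocation is unchanged, which is the property that matters for this job. `$iosched_idle` is set outside the hunk and is unquoted on purpose so its options are word-split; the `if` body continues past the hunk.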
@@ -80,7 +80,7 @@ case "$1" in
check_for_no_start
check_dev_null
log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -88,7 +88,7 @@ case "$1" in
;;
stop)
log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true
- if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid; then
+ if start-stop-daemon --stop --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd; then
log_end_msg 0 || true
else
log_end_msg 1 || true
@@ -110,10 +110,10 @@ case "$1" in
check_privsep_dir
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
- start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid
+ start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd
check_for_no_start log_end_msg
check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
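Review bot: The new `--chuid 0:0` on the start lines (this hunk, the restart hunk below, and the one continued on the next line) reads as a no-op to anyone who knows the script already runs as root, so a later cleanup could drop it; its presumable purpose is to make start-stop-daemon reinitialise the group list so sshd does not inherit the invoking administrator's supplementary groups. Add a comment above the first `if start-stop-daemon --start`, for example `# --chuid 0:0 resets the group list so sshd does not inherit the caller's supplementary groups`, or the actual rationale if it differs. The `--exec /usr/sbin/sshd` added to the stop lines makes start-stop-daemon refuse to signal a pid-file process that is not sshd, a worthwhile guard against a stale /run/sshd.pid, and is worth the same one-line comment. The `case` statement enclosing these hunks starts and ends outside them.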
@@ -125,13 +125,13 @@ case "$1" in
check_config
log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true
RET=0
- start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid || RET="$?"
+ start-stop-daemon --stop --quiet --retry 30 --pidfile /run/sshd.pid --exec /usr/sbin/sshd || RET="$?"
case $RET in
0)
# old daemon stopped
check_for_no_start log_end_msg
check_dev_null log_end_msg
- if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
+ if start-stop-daemon --start --quiet --oknodo --chuid 0:0 --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
log_end_msg 0 || true
else
log_end_msg 1 || true
diff --git a/init.d/sysstat b/init.d/sysstat
index a4a9fabc..34209a54 100755
--- a/init.d/sysstat
+++ b/init.d/sysstat
@@ -20,6 +20,15 @@ DESC="the system activity data collector"
test -f "$DAEMON" || exit 0
umask 022
+# our configuration file
+DEFAULT=/etc/default/sysstat
+
+# default setting...
+ENABLED="false"
+
+# ...overridden in the configuration file
+test -r "$DEFAULT" && . "$DEFAULT"
+
set -e
status=0
diff --git a/rsyslog.conf b/rsyslog.conf
index cc009195..655d7029 100644
--- a/rsyslog.conf
+++ b/rsyslog.conf
@@ -1,7 +1,7 @@
-# /etc/rsyslog.conf Configuration file for rsyslog.
+# /etc/rsyslog.conf configuration file for rsyslog
#
-# For more information see
-# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+# For more information install rsyslog-doc and see
+# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#################
diff --git a/security/access.conf b/security/access.conf
index 74c5fbe8..47b6b84c 100644
--- a/security/access.conf
+++ b/security/access.conf
@@ -18,7 +18,7 @@
# pam_access with X applications that provide PAM_TTY values that are
# the display variable like "host:0".]
#
-# permission : users : origins
+# permission:users:origins
#
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
@@ -79,44 +79,44 @@
##############################################################################
#
# User "root" should be allowed to get access via cron .. tty5 tty6.
-#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#+:root:cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
#
# User "root" should be allowed to get access from hosts with ip addresses.
-#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
-#+ : root : 127.0.0.1
+#+:root:192.168.200.1 192.168.200.4 192.168.200.9
+#+:root:127.0.0.1
#
# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
-#+ : root : 192.168.201.
+#+:root:192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
-#+ : root : .foo.bar.org
+#+:root:.foo.bar.org
#
# User "root" should be denied to get access from all other sources.
-#- : root : ALL
+#-:root:ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
-#+ : @nis_group foo : ALL
+#+:@nis_group foo:ALL
#
# User "john" should get access from ipv4 net/mask
-#+ : john : 127.0.0.0/24
+#+:john:127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
-#+ : john : ::ffff:127.0.0.0/127
+#+:john:::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
-#+ : john : 2001:4ca0:0:101::1
+#+:john:2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
-#+ : john : 2001:4ca0:0:101:0:0:0:1
+#+:john:2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
-#+ : john : 2001:4ca0:0:101::/64
+#+:john:2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
-#- : ALL : ALL
+#-:ALL:ALL
diff --git a/security/limits.conf b/security/limits.conf
index 7ced0530..1aec6525 100644
--- a/security/limits.conf
+++ b/security/limits.conf
@@ -24,7 +24,7 @@
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
-# - nofile - max number of open files
+# - nofile - max number of open file descriptors
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
diff --git a/services b/services
index ded48c29..fa7ae245 100644
--- a/services
+++ b/services
@@ -37,15 +37,9 @@ nameserver 42/tcp name # IEN 116
whois 43/tcp nicname
tacacs 49/tcp # Login Host Protocol (TACACS)
tacacs 49/udp
-re-mail-ck 50/tcp # Remote Mail Checking Protocol
-re-mail-ck 50/udp
domain 53/tcp # Domain Name Server
domain 53/udp
-tacacs-ds 65/tcp # TACACS-Database Service
-tacacs-ds 65/udp
-bootps 67/tcp # BOOTP server
bootps 67/udp
-bootpc 68/tcp # BOOTP client
bootpc 68/udp
tftp 69/udp
gopher 70/tcp # Internet Gopher
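Review bot: The /etc/services removals in this hunk and the ones continued on the next line drop the tcp entries for names such as `bootps`, `bootpc`, `tacacs-ds` and `ntp`, so any local firewall rule, monitoring check or script that resolves one of those names together with the tcp protocol will now fail the lookup instead of resolving to the old port; grep the host's own rules and scripts for the removed names before relying on this version of the file. Port 465 also changes its primary name from `urd` to `submissions`, with `urd` kept as an alias, so tools that print a service name for that port will show the new name. These are package-delivered data changes; the host-specific references are what needs checking.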
@@ -54,27 +48,17 @@ http 80/tcp www # WorldWideWeb HTTP
link 87/tcp ttylink
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
-supdup 95/tcp
-hostnames 101/tcp hostname # usually from sri-nic
iso-tsap 102/tcp tsap # part of ISODE
acr-nema 104/tcp dicom # Digital Imag. & Comm. 300
-acr-nema 104/udp dicom
-csnet-ns 105/tcp cso-ns # also used by CSO name server
-csnet-ns 105/udp cso-ns
-rtelnet 107/tcp # Remote Telnet
-rtelnet 107/udp
pop3 110/tcp pop-3 # POP version 3
sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
auth 113/tcp authentication tap ident
sftp 115/tcp
nntp 119/tcp readnews untp # USENET News Transfer Protocol
-ntp 123/tcp
ntp 123/udp # Network Time Protocol
-pwdgen 129/tcp # PWDGEN service
-pwdgen 129/udp
-loc-srv 135/tcp epmap # Location Service
-loc-srv 135/udp epmap
+epmap 135/tcp loc-srv # DCE endpoint resolution
+epmap 135/udp loc-srv
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
@@ -144,7 +128,7 @@ microsoft-ds 445/tcp # Microsoft Naked CIFS
microsoft-ds 445/udp
kpasswd 464/tcp
kpasswd 464/udp
-urd 465/tcp ssmtp smtps # URL Rendesvous Directory for SSM
+submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]
saft 487/tcp # Simple Asynchronous File Transfer
saft 487/udp
isakmp 500/tcp # IPsec - Internet Security Association
@@ -209,6 +193,8 @@ kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
#
webster 765/tcp # Network dictionary
webster 765/udp
+domain-s 853/tcp # DNS over TLS [RFC7858]
+domain-s 853/udp # DNS over DTLS [RFC8094]
rsync 873/tcp
ftps-data 989/tcp # FTP over SSL (data)
ftps 990/tcp
@@ -500,7 +486,6 @@ supfiledbg 1127/tcp # SUP debugging
#
# Services added for the Debian GNU/Linux distribution
#
-linuxconf 98/tcp # LinuxConf
poppassd 106/tcp # Eudora
poppassd 106/udp
moira-db 775/tcp moira_db # Moira database
diff --git a/ssl/openssl.cnf b/ssl/openssl.cnf
index d155d1ed..a6fed92a 100644
--- a/ssl/openssl.cnf
+++ b/ssl/openssl.cnf
@@ -21,7 +21,7 @@ openssl_conf = default_conf
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
-# extensions =
+# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -118,7 +118,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
# input_password = secret
# output_password = secret
-# This sets a mask for permitted string types. There are several options.
+# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
diff --git a/systemd/sleep.conf b/systemd/sleep.conf
new file mode 100644
index 00000000..dc2ed37f
--- /dev/null
+++ b/systemd/sleep.conf
@@ -0,0 +1,25 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See systemd-sleep.conf(5) for details
+[Sleep]
+#AllowSuspend=yes
+#AllowHibernation=yes
+#AllowSuspendThenHibernate=yes
+#AllowHybridSleep=yes
+#SuspendMode=
+#SuspendState=mem standby freeze
+#HibernateMode=platform shutdown
+#HibernateState=disk
+#HybridSleepMode=suspend platform shutdown
+#HybridSleepState=disk
+#HibernateDelaySec=180min
diff --git a/xattr.conf b/xattr.conf
new file mode 100644
index 00000000..dcbc12c2
--- /dev/null
+++ b/xattr.conf
@@ -0,0 +1,21 @@
+# /etc/xattr.conf
+#
+# Format:
+#
+#
+# Actions:
+# permissions - copy when trying to preserve permissions.
+# skip - do not copy.
+system.nfs4_acl permissions
+system.nfs4acl permissions
+system.posix_acl_access permissions
+system.posix_acl_default permissions
+trusted.SGI_ACL_DEFAULT skip # xfs specific
+trusted.SGI_ACL_FILE skip # xfs specific
+trusted.SGI_CAP_FILE skip # xfs specific
+trusted.SGI_DMI_* skip # xfs specific
+trusted.SGI_MAC_FILE skip # xfs specific
+xfsroot.* skip # xfs specific; obsolete
+user.Beagle.* skip # ignore Beagle index data
+security.evm skip # may only be written by kernel
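Review bot: The header comment documents the `permissions` and `skip` actions but says nothing about an attribute that matches no pattern, which is the first question a reader of this file will have (security.selinux and security.capability, for instance, appear nowhere in it); presumably such attributes are copied unconditionally, so a line under Actions such as `# Attributes matching no pattern are always copied.` would make the policy explicit, once confirmed against the attr documentation. The `security.evm skip` entry is the one with a security consequence and its comment is adequate: the value is kernel-computed, so copying it between files would only produce a stale integrity value on the destination.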