# Maintainer: Gabor Pali <pali.gabor@gmail.com>
# Package metadata for a local fork of Alpine's alpine-baselayout (the
# "base:" notes record which upstream version/release this tracks, so the
# two can be compared when rebasing).
pkgname=baselayout # base: alpine-baselayout, alpine-baselayout-data
pkgver=3.4.3
pkgrel=1 # base: 1
pkgdesc="Base dir structure and init scripts"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="noarch"
license="GPL-2.0-only"
# package() installs the generated /etc/shadow with "-g shadow"; listing
# the group here lets abuild create it in the build environment so that
# chgrp succeeds. The group presumably also has to exist on the target
# (i.e. be present in the shipped "group" file) -- verify.
pkggroups="shadow"
# !fhs: this layout deliberately creates non-FHS paths (e.g. /media/etc),
# so abuild's FHS check is disabled. !check: there is no test suite.
options="!fhs !check"
install=
# netbase release from which /etc/protocols and /etc/services are taken.
_nbver=6.4
# Two inputs are fetched over https from salsa.debian.org; they are pinned
# by the sha512sums block at the end of this file, so bumping _nbver means
# regenerating the checksums (abuild checksum) and reviewing the new content.
source="crontab
20locale.sh
group
inittab
passwd
profile
protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols
services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services
"
builddir="$srcdir/build"
# Standard abuild prepare step plus renaming of the fetched netbase files.
# The downloads are saved under versioned names (see source=); package()
# expects them as plain "protocols" and "services" in $srcdir.
prepare() {
	default_prepare
	mkdir -p "$builddir"
	local table
	for table in protocols services; do
		mv "$srcdir/$table-$_nbver" "$srcdir/$table"
	done
}
# Derive /etc/shadow from the shipped passwd file.
#
# Every account is locked ("!" in the password field) except root, whose
# password field is left EMPTY. An empty field is not a locked account:
# login programs that honour it (busybox login, for one, as far as I
# recall -- verify) will let root in without a password until one is set.
# Upstream Alpine relies on the installer to set it; an image built from
# this package must be treated as unauthenticated until that happens.
#
# Output field layout (shadow(5)):
#   name:password:lastchg:min:max:warn:inactive:expire:flag
# lastchg is left blank (password aging disabled) and min is 0.
build() {
	awk -F: '
		$1 == "root" { print $1 ":::0:::::"; next }
		             { print $1 ":!::0:::::" }
	' "$srcdir"/passwd > shadow
}
# Lay out the filesystem skeleton under $pkgdir and install the shipped
# configuration. Nothing here processes untrusted input; the review-relevant
# points are file permissions, the sysctl defaults, and where the files
# written at runtime (resolv.conf, hostname) actually live.
package() {
mkdir -p "$pkgdir"
# Every relative path below is relative to the package root.
cd "$pkgdir"
# Directory skeleton, all 0755; directories needing other modes follow.
install -m 0755 -d \
dev \
dev/pts \
dev/shm \
etc \
etc/conf.d \
etc/crontabs \
etc/init.d \
etc/modprobe.d \
etc/modules-load.d \
etc/network/if-down.d \
etc/network/if-post-down.d \
etc/network/if-pre-up.d \
etc/network/if-up.d \
etc/periodic/15min \
etc/periodic/daily \
etc/periodic/hourly \
etc/periodic/monthly \
etc/periodic/weekly \
etc/profile.d \
etc/sysctl.d \
lib/firmware \
lib/mdev \
lib/modules-load.d \
lib/sysctl.d \
media/etc \
proc \
run \
sbin \
sys \
usr/bin \
usr/lib/modules-load.d \
usr/local/bin \
usr/local/lib \
usr/local/share \
usr/sbin \
usr/share \
usr/share/man \
usr/share/misc \
var/cache \
var/cache/misc \
var/lib \
var/lib/misc \
var/local \
var/lock/subsys \
var/log \
var/opt \
var/spool \
var/spool/cron \
var/mail
# /var/run is the legacy name for /run.
ln -s /run var/run
# var/empty is read-only (0555), root's home is private (0700), and the
# two scratch directories are world-writable with the sticky bit (1777).
install -d -m 0555 var/empty
install -d -m 0700 "$pkgdir"/root
install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp
# root's crontab is 0600: only root can read the scheduled commands.
install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root
install -m644 \
"$srcdir"/20locale.sh \
"$pkgdir"/etc/profile.d/
# Static hosts file: both loopback addresses map to localhost.
cat > "$pkgdir"/etc/hosts <<-EOF
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
EOF
# Kernel modules to load at boot (consumed by the modules service, presumably).
cat > "$pkgdir"/etc/modules <<-EOF
af_packet
ipv6
EOF
# Valid login shells.
cat > "$pkgdir"/etc/shells <<-EOF
/bin/sh
/bin/ash
EOF
# /etc/sysctl.conf turns this host into a router: IPv4 and IPv6 forwarding
# are enabled for all interfaces. Anyone reusing this layout for a
# non-router host should drop the three forwarding lines.
# NOTE(review): the value 2 for the IPv6 "forwarding" keys is the special
# value documented for accept_ra, not obviously for forwarding itself --
# confirm the intended semantics against the kernel's ip-sysctl docs.
# The eth0/wlan0 use_tempaddr keys only exist if those interfaces do;
# sysctl may report them as missing otherwise.
cat > "$pkgdir"/etc/sysctl.conf <<-EOF
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 2
net.ipv6.conf.default.forwarding = 2
# Enable IPv6 Privacy Extensions
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.wlan0.use_tempaddr = 2
EOF
# Vendor hardening defaults: SYN cookies, reverse-path filtering, no ICMP
# redirects or source routing, RFC 1337 TIME-WAIT protection, and
# protected_{hard,sym}links. Keys that also appear in /etc/sysctl.conf
# above (use_tempaddr) are presumably overridden by that file, which
# "sysctl --system" normally reads last -- verify the ordering on the target.
cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF
# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
net.ipv4.tcp_syncookies = 1
# Prevents ip spoofing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Only groups within this id range can use ping.
net.ipv4.ping_group_range=999 59999
# Redirects can potentially be used to maliciously alter hosts
# routing tables.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
# The source routing feature includes some known vulnerabilities.
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# See RFC 1337
net.ipv4.tcp_rfc1337 = 1
## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
# Restarts computer after 120 seconds after kernel panic
kernel.panic = 120
# Users should not be able to create soft or hard links to files
# which they do not own. This mitigates several privilege
# escalation vulnerabilities.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
EOF
# Mounts: /tmp is a tiny (128K) world-writable tmpfs that also backs
# /etc/resolv.conf (symlink below); /media/etc is a read-only virtio-9p
# share from the host; /var is a read-write 9p share. Neither writable
# mount carries nosuid/nodev/noexec -- worth adding on /tmp (and possibly
# /var) if untrusted local users are a possibility. Integrity of the
# 9p-backed paths rests entirely on the host side.
cat > "$pkgdir"/etc/fstab <<-EOF
tmpfs /tmp tmpfs size=128K 0 0
config /media/etc 9p trans=virtio,ro,noatime,nodiratime,norelatime 0 0
var /var 9p trans=virtio,rw 0 0
EOF
# Minimal nsswitch.conf for resolver libraries that consult it (musl does not).
cat > "$pkgdir"/etc/nsswitch.conf <<-EOF
# musl itself does not support NSS, however some third-party DNS
# implementations use the nsswitch.conf file to determine what
# policy to follow.
# Editing this file is not recommended.
hosts: files dns
EOF
# World-readable (0644) configuration files from the source tree.
install -m644 \
"$srcdir"/group \
"$srcdir"/passwd \
"$srcdir"/inittab \
"$srcdir"/profile \
"$srcdir"/protocols \
"$srcdir"/services \
"$pkgdir"/etc/
# The generated shadow file (see build()) is 0640 root:shadow, so only
# root and members of "shadow" can read password hashes once any are set.
install -m640 -g shadow "$builddir"/shadow \
"$pkgdir"/etc/
# symlinks
# root's shell history goes to /dev/null, so secrets typed on the
# command line are never persisted.
ln -s /dev/null "$pkgdir"/root/.ash_history
ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs
ln -s /proc/mounts "$pkgdir"/etc/mtab
ln -s /var/mail "$pkgdir"/var/spool/mail
# NOTE(review): /etc/resolv.conf resolves into /tmp, which is mode 1777.
# fs.protected_symlinks (set above) does not cover this -- the link itself
# lives in /etc -- so an unprivileged local user who creates
# /tmp/resolv.conf before whatever writes it (presumably a DHCP hook; not
# visible here) ends up owning the system's resolver configuration.
# Acceptable for a single-user VM; otherwise point the link at a
# root-owned directory, or set fs.protected_regular so a root writer
# refuses to reuse a user-owned file there.
ln -s /tmp/resolv.conf "$pkgdir"/etc/resolv.conf
# The hostname is supplied by the host via the read-only config share.
ln -s /media/etc/hostname "$pkgdir"/etc/hostname
}
# Integrity pins for every entry in source=, including the two files fetched
# from salsa.debian.org; abuild refuses to build when a file does not match.
# Regenerate with "abuild checksum" only after reviewing the new content.
sha512sums="
6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82 crontab
b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a 20locale.sh
0b786df3a610e84ae98cbef8dc74998404a048c4a48d7acf57eafb04fb481b4b7f8a80c065f1ca10cced22c89243cc6e81b0ad46d5ca4a194d63ce49969cce09 group
7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
b3508f9dc77e7eeb761c2d72b5f1003d09dbeaef1cd2d6b7ac47fb5c770cad507c89713d70d5ab0b645378e486cab2e130e9862cbfd2eea783b1808d4ca075f5 passwd
4eb857ed59c2edb257636d2bf196989e514a273e9701e9f076c9ae8c1589b4898269180569960acf072c0981ec7ea54014fd230f014401d6bb92314285d1e6aa profile
3a00083bcdf5a9e884c9d07877d52311e3d99e79cbee656e236ba06e08ba0dddb7ba76494fdc9dd1a826c48e197a790a69e6bb458e9df64832d6b5e904e9fd15 protocols-6.4
47b0f3ee73af2d259bd206a026204be0ea25531a895a0b035a904b38fe5407bc3dd2beab7f8fcb3d760587e6159702ebdb9cbc4f508942befdf7f10c10c87888 services-6.4
"