blob: 8b643f352005e99b909ec31c8da1009e73806a03 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
# Maintainer: Gabor Pali <pali.gabor@gmail.com>
pkgname=baselayout
pkgver=3.2.0
pkgrel=19 # base: 22
pkgdesc="Base dir structure and init scripts (Alpine Linux)"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="all"
license="GPL-2.0-only"
pkggroups="shadow"
options="!fhs !check"
install=
_nbver=6.2
source="crontab
locale.sh
group
inittab
passwd
profile
protocols-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/protocols
services-$_nbver::https://salsa.debian.org/md/netbase/-/raw/v$_nbver/etc/services
"
builddir="$srcdir/build"
prepare() {
default_prepare
mkdir -p "$builddir"
mv "$srcdir"/protocols-$_nbver "$srcdir"/protocols
mv "$srcdir"/services-$_nbver "$srcdir"/services
}
build() {
# generate shadow
awk -F: '{
pw = ":!:"
if ($1 == "root") { pw = "::" }
print($1 pw ":0:::::")
}' "$srcdir"/passwd > shadow
}
package() {
mkdir -p "$pkgdir"
cd "$pkgdir"
install -m 0755 -d \
dev \
dev/pts \
dev/shm \
etc \
etc/conf.d \
etc/crontabs \
etc/init.d \
etc/modprobe.d \
etc/modules-load.d \
etc/network/if-down.d \
etc/network/if-post-down.d \
etc/network/if-pre-up.d \
etc/network/if-up.d \
etc/periodic/15min \
etc/periodic/daily \
etc/periodic/hourly \
etc/periodic/monthly \
etc/periodic/weekly \
etc/profile.d \
etc/sysctl.d \
lib/firmware \
lib/mdev \
lib/modules-load.d \
lib/sysctl.d \
media/etc \
proc \
run \
sbin \
sys \
usr/bin \
usr/lib/modules-load.d \
usr/local/bin \
usr/local/lib \
usr/local/share \
usr/sbin \
usr/share \
usr/share/man \
usr/share/misc \
var/cache \
var/cache/misc \
var/lib \
var/lib/misc \
var/local \
var/lock/subsys \
var/log \
var/opt \
var/spool \
var/spool/cron \
var/mail
ln -s /run var/run
install -d -m 0555 var/empty
install -d -m 0700 "$pkgdir"/root
install -d -m 1777 "$pkgdir"/tmp "$pkgdir"/var/tmp
install -m600 "$srcdir"/crontab "$pkgdir"/etc/crontabs/root
install -m644 \
"$srcdir"/locale.sh \
"$pkgdir"/etc/profile.d/
echo "wifibox" > "$pkgdir"/etc/hostname
cat > "$pkgdir"/etc/hosts <<-EOF
127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
EOF
cat > "$pkgdir"/etc/modules <<-EOF
af_packet
ipv6
EOF
cat > "$pkgdir"/etc/shells <<-EOF
/bin/sh
/bin/ash
EOF
cat > "$pkgdir"/etc/sysctl.conf <<-EOF
net.ipv4.ip_forward=1
EOF
cat > "$pkgdir"/lib/sysctl.d/00-alpine.conf <<-EOF
# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
net.ipv4.tcp_syncookies = 1
# Prevents ip spoofing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Only groups within this id range can use ping.
net.ipv4.ping_group_range=999 59999
# Redirects can potentially be used to maliciously alter hosts
# routing tables.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
# The source routing feature includes some known vulnerabilities.
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# See RFC 1337
net.ipv4.tcp_rfc1337 = 1
## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
# Restarts computer after 120 seconds after kernel panic
kernel.panic = 120
# Users should not be able to create soft or hard links to files
# which they do not own. This mitigates several privilege
# escalation vulnerabilities.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
EOF
cat > "$pkgdir"/etc/fstab <<-EOF
tmpfs /tmp tmpfs size=128K 0 0
config /media/etc 9p trans=virtio,ro,noatime,nodiratime,norelatime 0 0
var /var 9p trans=virtio,rw 0 0
EOF
install -m644 \
"$srcdir"/group \
"$srcdir"/passwd \
"$srcdir"/inittab \
"$srcdir"/profile \
"$srcdir"/protocols \
"$srcdir"/services \
"$pkgdir"/etc/
install -m640 -g shadow "$builddir"/shadow \
"$pkgdir"/etc/
# symlinks
ln -s /dev/null "$pkgdir"/root/.ash_history
ln -s /etc/crontabs "$pkgdir"/var/spool/cron/crontabs
ln -s /proc/mounts "$pkgdir"/etc/mtab
ln -s /var/mail "$pkgdir"/var/spool/mail
}
sha512sums="
6e169c0975a1ad1ad871a863e8ee83f053de9ad0b58d94952efa4c28a8c221445d9e9732ad8b52832a50919c2f39aa965a929b3d5b3f9e62f169e2b2e0813d82 crontab
b2fc9b72846a43a45ba9a8749e581cef34d1915836833b51b7919dfbf4e275b7d55fec4dea7b23df3796380910971a41331e53e8cf0d304834e3da02cc135e5a locale.sh
806b8f23f823a9471846d12fa6b55690b95eedb4c613b82aefaba7ffef23f83e17552befd891a487864f72ef24e395d8611738933f684a85eb4c336cb20994f8 group
7cc3c23062c730ec7a1d7850423d9901047005520da5b347b7b24e5f33a9c9a9129b430557f7f41e565f143624b7f3c47e3f6e4a6a446e75f0ea245c03d70880 inittab
06d12a7b9ca14fe17e412d0f24814620b67d035ae859be7906cbf4782dd69e359a6a555dafb98060b7fb7e4714aaa676c88d9017cded36e6d8398e23369bb290 passwd
b14920eae431d1f15b066e264a94f804540c5dcbf91caef034019d95456c975c0c054672e53369082682dd9454a034f26bd45b312adfc0ab68a0311d97b037ac profile
eadc83e47fcc354ab83fd109bee452bda170886fb684e67faf615930c11480919505f4af60c685b124efc54af0ded9522663132f911eac6622144f8b4c8be695 protocols-6.2
adfae0d2f569c2a2f413b7e27683a007fc8ca689b8c3349672fe0dcb6208c192ede4402eff09c604b7e7b4fd9d8df93b875efa5bdaa6c14ff1d8022a7caad5cd services-6.2
"
|
