ONLamp.com    
 Published on ONLamp.com (http://www.onlamp.com/)


FreeBSD Basics Interesting New Ports

by Dru Lavigne, author of BSD Hacks
03/25/2004

For those faithful readers who were starting to wonder when the next article in this column would appear, I'm back. BSD Hacks is finally finished.

In today's article, I'd like to demonstrate some useful utilities that recently arrived in the ports collection. I usually discover these from FreshPorts, which keeps statistics on which ports have been added in the last 24 hours, 48 hours, week, fortnight, and month.

Pruning Installed Ports

However, I first learned about sysutils/pkg_cutleaves from Richard Bejtlich's weblog. Richard has the uncanny ability to keep abreast of my three favorite subjects: FreeBSD, the ports collection, and security.

If you use portupgrade to keep your ports up-to-date, consider adding pkg_cutleaves to your repertoire. This interactive Perl script searches your ports database for "leaves," or software that isn't a dependency of any other installed program. This gives you the opportunity to clean your drive of those orphaned programs you no longer use, or that were only dependencies of software you've since uninstalled.

Once you've built the port from /usr/ports/sysutils/pkg_cutleaves, take a minute to read man pkg_cutleaves. Then, as the superuser:

# pkg_cutleaves
Package 1 of 73:
AbiWord2-2.0.5 - An open-source, cross-platform WYSIWYG word processor
AbiWord2-2.0.5 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? k
** Keeping AbiWord2-2.0.5.

On this particular system, I have 250 installed ports, of which 73 are entirely independent. pkg_cutleaves will show each of these and will pause while I decide to keep or remove the port. I've chosen to keep AbiWord2, as well as the next 6 XFree86-related ports.

Package 8 of 73:
apache-ant-1.6.1 - Java- and XML-based build tool, conceptually similar to make
apache-ant-1.6.1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking apache-ant-1.6.1 for removal.

However, I've chosen to delete apache-ant since I have a vague memory of it being a dependency of some application I uninstalled long ago. I'll carry on until I've made a decision on each of the 73 ports. Once I'm finished, pkg_delete will carry out the requested deletions. In this example, I've chosen to delete 25 ports:

Package 73 of 73:
zip-2.3_1 - Create/update ZIP files compatible with pkzip
zip-2.3_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? k
** Keeping zip-2.3_1.

Deleting apache-ant-1.6.1 (package 1 of 25).
--->  Deinstalling 'apache-ant-1.6.1'
[Updating the pkgdb <format:bdb1_btree> in /var/db/pkg ... - 250 packages found (-1 +0) (...) done]

When these deletions complete, pkg_cutleaves reprocesses the ports database to see if any of those deletions resulted in new leaf packages:

Go on with new leaf packages ((y)es/[no])? y

This process will continue until I've dealt with all leaves. At that point it will provide a summary of the uninstalled packages:

Didn't find any new leaves, exiting.
** Deinstalled packages:
apache-ant-1.6.1
<snip>
** Number of deinstalled packages: 53

The next time you run pkg_cutleaves, it will ask you again about the ports you chose to keep. In my example, that would be AbiWord2 and those XFree86 ports. If you know you want to keep these and find it irritating to confirm this every time, create a file called /usr/local/etc/pkg_leaves.exclude containing the names of those ports you wish to keep:

AbiWord2
XFree86

Remember to include the -x (exclude) switch:

# pkg_cutleaves -x

This tells pkg_cutleaves to read your exclude file. For those occasions when you don't want it to read your exclude file, don't include that switch.
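To make the "leaf" idea concrete, here is an added example (my own illustration, not code from the pkg_cutleaves port) that computes leaves from a constructed dependency table instead of the real /var/db/pkg records. Each line of the table names an installed package followed by the packages it depends on; the package names and the exclude list are made-up sample values. It also shows why pkg_cutleaves asks to "go on with new leaf packages": once apache-ant is gone, the jdk it pulled in is no longer needed by anything.

```shell
#!/bin/sh
# Added example: a stand-alone illustration of leaf detection using a
# constructed dependency table (a stand-in for the /var/db/pkg records
# that pkg_cutleaves reads). One line per installed package, followed by
# the packages it depends on.
SAMPLE_DEPS='AbiWord2-2.0.5 libxml2-2.6.7 expat-1.95.7
apache-ant-1.6.1 jdk-1.4.2
jdk-1.4.2
libxml2-2.6.7
expat-1.95.7
zip-2.3_1'

# Exclude list in the spirit of /usr/local/etc/pkg_leaves.exclude: a
# package whose name starts with one of these words is never offered for
# deletion (constructed, space separated).
SAMPLE_EXCLUDE='AbiWord2'

# leaves: read the dependency table on stdin and print every package that
# no other installed package depends on, one per line, sorted.
leaves() {
    awk '
        { pkgs[$1] = 1; for (i = 2; i <= NF; i++) needed[$i] = 1 }
        END { for (p in pkgs) if (!(p in needed)) print p }
    ' | LC_ALL=C sort
}

# apply_exclude WORDS: drop leaves (stdin) whose name begins with one of WORDS.
apply_exclude() {
    awk -v ex_list="$1" '
        BEGIN { n = split(ex_list, ex, " ") }
        { for (i = 1; i <= n; i++) if (index($1, ex[i]) == 1) next; print }
    '
}

# remove_pkg PKG: drop PKG's line from the table on stdin, which is what
# pkg_delete does to the database; packages only PKG needed become new leaves.
remove_pkg() {
    awk -v pkg="$1" '$1 != pkg'
}

# Pass 1: the leaves the script would ask about (minus the excluded ones).
echo "Leaves before any deletion:"
printf '%s\n' "$SAMPLE_DEPS" | leaves | apply_exclude "$SAMPLE_EXCLUDE"

# Pass 2: after deleting apache-ant, jdk is no longer needed by anything,
# so pkg_cutleaves would offer it on the next round.
echo "Leaves after removing apache-ant-1.6.1:"
printf '%s\n' "$SAMPLE_DEPS" | remove_pkg apache-ant-1.6.1 | leaves | apply_exclude "$SAMPLE_EXCLUDE"
```

The exclude match is a prefix match on the package name, which is why a bare "AbiWord2" in the list covers AbiWord2-2.0.5 and any later version.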


Improving Your Fortunes

The next new port is for those of you who enjoy BOFH humor. If that strikes your funny bone, you can add BOFH-style fortunes to your system by installing /usr/ports/misc/fortune-mod-bofh.

Once installed, try a random fortune:

% fortune /usr/local/share/games/fortune/bofh
BOFH excuse #419:

overflow error in /dev/null

If you'd like these fortunes to appear randomly with the rest of your fortunes, copy them into the system fortune directory as the superuser:

# cp /usr/local/share/games/fortune/bofh* /usr/share/games/fortune/

Once you've copied over the BOFH files, you can specify you'd like a BOFH fortune by typing:

% fortune bofh

This is many keystrokes shorter than the previous incantation.

Finally, if you're a Futurama fan, repeat the above for the /usr/ports/misc/fortune-mod-futurama port:

# cd /usr/ports/misc/fortune-mod-futurama
# make install clean
# cp /usr/local/share/games/fortune/futurama* /usr/share/games/fortune/
# exit
% fortune futurama
Fry: I want to see the edge of the universe.
Amy: Ooh, that sounds cool.
Zoidberg: It's funny. You live in the universe but you
  never do these things 'til someone comes to visit.

It's funny that this fortune made me wistful for a Douglas Adams fortune. A quick Google search revealed that there is indeed a fortune-hitchhiker project. Download fortune-hitchhiker.tgz, then:

# tar xzvf fortune-hitchhiker.tgz
# cp fortune-hitchhiker/hitchhiker* /usr/share/games/fortune
# exit
% fortune hitchhiker
"'You know,' said Arthur, 'it's at times like this, when
I'm trapped in a Vogon airlock with a man from Betelgeuse,
and about to die from asphyxiation in deep space that I
really wish I'd listened to what my mother told me when I
was young.'
'Why, what did she tell you?'
'I don't know, I didn't listen.'"

  -- Arthur coping with certain death as best as he could.

Perhaps another Hitchhiker fan will add this to the ports collection so it will show up in the new section at FreshPorts.

Making Subjects and Verbs Agree

The next port intrigued me as it's named after one of my favorite childhood literary characters:

# cd /usr/ports/textproc/queequeg
# make install clean

This will install the qq Python script, which can run against any text, LaTeX, or HTML file, like so:

% qq filename

The Queequeg project is still in its beta stages. Its goal is to help the non-native English writer match a singular or plural noun to the correct verb conjugation. At this point, the project developers are still working on filtering out false positives, so the resulting output may still be too frustrating for those who lack a solid command of English grammar. However, if English grammar is your forte and you have some time to donate, this project is looking for beta testers. If it matures, it will be an excellent tool for developers whose first language isn't English to easily create manpages in natural English.

Hardening Your System's Security

The final port I'd like to demonstrate is found in /usr/ports/security/lockdown. I was originally skeptical since this port is a script designed to harden or increase the security of a FreeBSD system. I tend to shy away from such promises, as hardening a system definitely doesn't fit into the one-size-fits-all category.

However, Daniel Blankensteiner has done an excellent job in creating a totally configurable script that allows you to apply a set of custom configurations. An administrator could easily create a separate configuration file suited to each of his systems. Not only is the configuration file easy to apply, it also supplies a concrete record of the changes applied to a newly installed or upgraded system.

Once you've installed the port, familiarize yourself with man lockdown -- it summarizes the various configuration options contained within the script configuration file.

Then:

# cp /usr/local/etc/lockdown.conf.sample /usr/local/etc/lockdown.conf

Note: If you're planning on making configuration files for multiple systems, include the hostname of the system in the name of the copied over configuration file. This way, you can store multiple configuration files in a central location. When you actually use the lockdown utility, you can use the desired configuration file by specifying its name with the -f switch.

Open the copied-over file in your favorite editor. You'll find that this file is very well commented, with many sample hardening changes to get you started. For example, here's a section on tightening up /etc/fstab to mount your partitions securely:

####################
# Mounting options #
####################
# If the mount point exists, mount it with the specified options.
# Please remember that /tmp has to be executable to "make world"
# and if you need to jail a process in a partition, don't mount it with "nodev"

mount /tmp       rw,noexec,nosuid,nodev,nosymfollow
mount /var/tmp   rw,noexec,nosuid,nodev,nosymfollow
mount /home      rw,noexec,nosuid,nodev
mount /usr/home  rw,noexec,nosuid,nodev
mount /var       rw,nosuid,nodev
mount /var/mail  rw,noexec,nodev,nosuid

If these mount options are new to you, see the -o section of man mount. You'll also find the FreeBSD Security How-To very useful when determining which options are suited to your environment.

The next section allows you to set your /etc/rc.conf options and gives some ideas to get you started. See man rc.conf for each possible option.

########################
# /etc/rc.conf options #
########################
# This will just add some options to /etc/rc.conf
rc_conf enable_sendmail="NONE"
rc_conf kern_securelevel_enable="YES"
rc_conf portmap_enable="NO"
rc_conf inetd_enable="NO"
rc_conf kern_securelevel="3"
rc_conf clear_tmp_enable="YES"
#rc_conf update_motd="NO"
rc_conf syslogd_flags="-ss"          # Comment this if this is a 
                                     # log server (or change it)
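Since the configuration file doubles as a record of what a system should look like, it is useful to be able to audit a box against it later. The following added example (my own code, not part of the lockdown port) reads the "mount" and "rc_conf" lines of a lockdown.conf-style file and compares them with /etc/fstab and /etc/rc.conf, reporting missing mount options and rc.conf settings that are absent or differ. All three input files here are constructed samples written to a temporary directory; point the functions at /etc/fstab and /etc/rc.conf to check a real system. It assumes the directive syntax shown above (mount POINT OPTIONS and rc_conf KEY="VALUE") and ignores trailing comments on rc.conf lines.

```shell
#!/bin/sh
# Added example, not part of the lockdown port: check fstab and rc.conf
# against the "mount" and "rc_conf" lines of a lockdown.conf-style policy.
# All inputs below are constructed samples.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/lockdown.conf" <<'EOF'
# Mounting options (same syntax as the sample lockdown.conf)
mount /tmp       rw,noexec,nosuid,nodev,nosymfollow
mount /var       rw,nosuid,nodev
mount /usr/home  rw,noexec,nosuid,nodev
rc_conf inetd_enable="NO"
rc_conf kern_securelevel="3"
rc_conf clear_tmp_enable="YES"
EOF

# Constructed fstab: /tmp is already tightened, /var is not; /usr/home is
# not a separate partition on this box and so is skipped, as lockdown does.
cat > "$WORK/fstab" <<'EOF'
# Device        Mountpoint   FStype  Options                            Dump  Pass#
/dev/ad0s1b     none         swap    sw                                 0     0
/dev/ad0s1a     /            ufs     rw                                 1     1
/dev/ad0s1d     /tmp         ufs     rw,noexec,nosuid,nodev,nosymfollow 2     2
/dev/ad0s1e     /var         ufs     rw                                 2     2
EOF

# Constructed rc.conf: inetd is off, securelevel is 1 rather than 3, and
# clear_tmp_enable is absent.
cat > "$WORK/rc.conf" <<'EOF'
sshd_enable="YES"
inetd_enable="NO"
kern_securelevel="1"
EOF

# audit_mounts POLICY FSTAB: for every policy mount point that exists in
# fstab, print "<mountpoint> missing <option>" for each option not set.
audit_mounts() {
    awk '
        FNR == NR { if ($1 == "mount") want[$2] = $3; next }
        /^#/ || NF < 4 { next }
        ($2 in want) {
            opts = "," $4 ","
            m = split(want[$2], req, ",")
            for (i = 1; i <= m; i++)
                if (index(opts, "," req[i] ",") == 0) print $2, "missing", req[i]
        }
    ' "$1" "$2"
}

# audit_rc_conf POLICY RCCONF: compare each rc_conf KEY="VALUE" in the
# policy with the last assignment of KEY in rc.conf (later lines win, just
# as they do when sh sources rc.conf). Output is sorted for stable reading.
audit_rc_conf() {
    awk '
        FNR == NR {
            if ($1 == "rc_conf") { split($2, kv, "="); want[kv[1]] = kv[2] }
            next
        }
        /^#/ || !/=/ { next }
        { split($0, kv, "="); have[kv[1]] = kv[2] }
        END {
            for (k in want)
                if (!(k in have)) print k, "not set, want", want[k]
                else if (have[k] != want[k]) print k, "is", have[k], "want", want[k]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

echo "fstab options missing from policy mount points:"
audit_mounts "$WORK/lockdown.conf" "$WORK/fstab"
echo "rc.conf settings that differ from the policy:"
audit_rc_conf "$WORK/lockdown.conf" "$WORK/rc.conf"
```

Note that this compares /etc/fstab, not the options currently in effect; after editing fstab, a remount (or reboot) is still needed, and mount will show what the running system actually has.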

The next section allows you to create a stealth server:

##################
# Stealth server #
##################
# If this is a log server, firewall or gateway you can put it into 
# stealth mode. 
# This is NOT recommended for normal server use.
# Note: For a stealthier server you should also block some icmp request
# like:
# Echo, Time and Netmask requests
#rc_conf tcp_drop_synfin="YES"
#sysctl net.inet.tcp.blackhole=2
#sysctl net.inet.udp.blackhole=1
#kern 	options	IPSTEALTH
#kern 	options	TCP_DROP_SYNFIN

Securing FreeBSD discussed these options and many of those that follow in greater detail.

The next section allows you to set various networking configurations:

######################
# Networking options #
######################
rc_conf icmp_drop_redirect="YES"
rc_conf icmp_log_redirect="YES"
rc_conf log_in_vain="YES"
kern 	options	RANDOM_IP_ID
openssh AllowGroups wheel
openssh Protocol 2

set_warning "
Warning
I blah blah blah blah
and then some"

Those last options configure SSH. See Configuring SSH for more details.

Next, you have the opportunity to customize /etc/login.conf:

#######################
# Login Class options #
#######################
login_class default minpasswordlen=8
login_class default mixpasswordcase=true
login_class default uname=077
# Encryption of passwords
auth_conf crypt_default=blf
login_class default passwd_format=blf

Then, /etc/ttys:

##############
# Root Login #
##############
allow_direct_root_login NO               # Set tty* in /etc/ttys to
                                         # insecure
password_protect_singleuser_mode YES     # Set console to insecure
                                         # in /etc/ttys

There are user-specific options:

#####################
# Restrict the user #
#####################
allow_cron NO
allow_at NO
sysctl security.bsd.see_other_uids=0     # Use kern.ps_showallprocs
                                         # for 4.X

As well as kernel options:

##################
# Kernel options #
##################
kern options	SC_NO_HISTORY           # Don't keep history, so
                                        # there can't be scrolled
kern options	SC_DISABLE_REBOOT       # Disable ctrl+alt+del
#kern options	SC_DISABLE_DDBKEY       # Uncomment if using the
                                        # kernel debugger

Finally, there is an entire section for permissions and file flags:

#################################
# Restrict access to suid files #
#################################
# If you want /somefile to have:
#	Permissions 0000
#	User root
#	Group wheel
#	Flags uappnd and schg
# Just write:
# file /somefile p: 0000 u: root g: wheel f: uappnd,schg
file /bin/rcp p: disable
file /sbin/mksnap_ffs p: noWorld 
file /sbin/ping p: noWorld
<snip long list of files>

################################
# Restrict access to gid files #
################################
file /usr/bin/fstat p: noWorld
file /usr/bin/netstat p: noWorld
file /usr/bin/vmstat p: noWorld
file /usr/bin/wall p: noWorld
file /usr/bin/write p: noWorld
file /usr/bin/lpq p: noWorld
file /usr/bin/lpr p: noWorld
file /usr/bin/lprm p: noWorld
file /usr/libexec/sendmail/sendmail p: noWorld
file /usr/sbin/trpt p: noWorld
file /usr/sbin/lpc p: noWorld

########################################
# Restrict access to information files #
########################################
# if you change permissions on files also listed in /etc/newsyslog.conf, 
# Lockdown will also adjust /etc/newsyslog.conf accordingly
file /sbin/sysctl p: noWorld
file /usr/bin/uname p: noWorld
file /sbin/kldstat p: noWorld
#file /usr/bin/netstat p: noWorld		#Uncomment if using 4.X
file /sbin/route p: noWorld
<snip long list of files>
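The file section is the part most likely to drift after a "make installworld" resets binaries to their default modes, so here is an added example (my own code, not part of the lockdown port) that reads the "file PATH p: noWorld" entries from a lockdown.conf-style file and reports any listed file that still grants some permission to "other". Reading noWorld as "no permission bits for other" is this example's assumption about the directive; the files it checks are constructed in a temporary directory with deliberately mixed modes, and passing / as the root would audit the real system instead.

```shell
#!/bin/sh
# Added example, not part of the lockdown port: audit "p: noWorld" entries.
# Assumption: noWorld means no r, w or x bit for "other". The policy file
# and the files it names are constructed here so the check runs anywhere.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/root/sbin" "$WORK/root/usr/bin"
: > "$WORK/root/sbin/ping";       chmod 0555 "$WORK/root/sbin/ping"       # still world-executable
: > "$WORK/root/usr/bin/netstat"; chmod 0550 "$WORK/root/usr/bin/netstat" # already restricted
: > "$WORK/root/usr/bin/fstat";   chmod 0554 "$WORK/root/usr/bin/fstat"   # world-readable

cat > "$WORK/lockdown.conf" <<'EOF'
# Restrict access to suid / gid files (same syntax as the sample lockdown.conf)
file /sbin/ping p: noWorld
file /usr/bin/netstat p: noWorld
file /usr/bin/fstat p: noWorld
file /usr/bin/missing p: noWorld
EOF

# other_bits FILE: print the "other" rwx triplet from ls -l, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# audit_noworld POLICY ROOT: for each "p: noWorld" entry, look the path up
# under ROOT (use / for the live system) and print "<path> other=<bits>"
# when any bit for other is set; paths that do not exist are reported too.
audit_noworld() {
    awk '$1 == "file" && $3 == "p:" && $4 == "noWorld" { print $2 }' "$1" |
    while read -r path; do
        target="$2$path"
        if [ ! -e "$target" ]; then
            echo "$path: not found"
        else
            bits=$(other_bits "$target")
            [ "$bits" = "---" ] || echo "$path other=$bits"
        fi
    done
}

audit_noworld "$WORK/lockdown.conf" "$WORK/root"
```

Run periodically (or after an upgrade), a report like this tells you which entries need lockdown re-applied rather than making you trust that the modes have survived.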

I was very pleased with the comprehensiveness of the configuration file and how easy it is to make my own changes. If you wish to suggest additional sections to the file, Daniel is open to suggestions. See his site for contact information.

Conclusion

I'm open to suggestions for future articles you'd like to see in this series. Drop me a line if there is a port or a feature of FreeBSD that you'd like to see demonstrated.

Finally, if you live in North America, mark May 13-16 on your calendar and see if you can find a way to make it to Ottawa, Ontario, Canada. Yes, BSDCan is fast approaching and there is an amazing lineup of presenters. Here's your chance to meet with other FreeBSD users and to put faces to those names you see at the FreeBSD site and on the mailing lists. I'll be manning the registration desk and look forward to seeing you there. We'll also try to have copies of BSD Hacks available.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.



Copyright © 2009 O'Reilly Media, Inc.