diff --git a/.java/.systemPrefs/.system.lock b/.java/.systemPrefs/.system.lock new file mode 100644 index 0000000..e69de29 diff --git a/.java/.systemPrefs/.systemRootModFile b/.java/.systemPrefs/.systemRootModFile new file mode 100644 index 0000000..e69de29 diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..d1bccae --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015 Hashbang Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..b113803 --- /dev/null +++ b/README.md 
@@ -0,0 +1,94 @@ +# shell-etc # + + + +## About ## + +This is the '/etc' directory of the #! shell servers. +Git management is handled via [etckeeper](http://etckeeper.branchable.com/) + +New servers added to the pool will also have this configuration to give users an equal experience. + +## Requirements ## + + * Debian 7+ + +## Contribution ## + +Making changes to this repo will require a running #! [shell server](https://github.com/hashbang/shell-server). + +An easy way to set this up locally is by running our latest shell-server +[Docker image](https://hub.docker.com/r/hashbang/shell-server/). + +A command like the following can get you going with a local development server: + +``` +docker run -d \ + -v /sys/fs/cgroup:/sys/fs/cgroup:ro \ + -v $PWD:/etc-git \ + -v $HOME/.gitconfig:/root/.gitconfig:ro \ + --name shell-server \ + --cap-add SYS_ADMIN \ + hashbang/shell-server +``` + +From here you can enter this environment with: + +``` +docker exec -it shell-server bash +``` + +In this environment you can make updates and install packages with ```apt-get```. +Changes will automatically be committed and pushed to your working shell-etc +checkout by etckeeper. Assuming you chose to mount your .gitconfig above, the +changes should be attributed correctly as you. + +Any changes made to /etc without apt-get will need to be committed/pushed in +place, which should be reflected in your local checkout as well. + +When you are ready to contribute your changes upstream, please push to a branch +or a fork and make a pull request. + +Note: the above workflow is only suitable for making very basic changes like +new package installations etc. If you want to do something more complex that +requires interaction with a user database, etc, please consider using our +end-to-end local development setup, documented here: [hashbang/hashbang](https://github.com/hashbang/hashbang) + +### GPG signing ### + +If you prefer to GPG sign your commits, a couple of options exist. 
+ +#### Manual #### + +You can manually sign your most recent commit before pushing with: + +``` +git commit -S --amend +``` + +#### Automatic #### + +Assuming you use git auto-signing and have ssh-agents set up properly, +you can opt to expose your gpg/ssh sockets by adding the following arguments +to your docker run command: + +``` +... + -v $HOME/.gitconfig:/root/.gitconfig:ro \ + -v $HOME/.gnupg:/root/.gnupg \ + -v $SSH_AUTH_SOCK:/root/.ssh-agent \ + -e SSH_AUTH_SOCK=/root/.ssh-agent \ +... +``` + +## Notes ## + + Use at your own risk. You may be eaten by a grue. + + Questions/Comments? + + Talk to us via: + + [Email](mailto://team@hashbang.sh) | + [IRC](ircs://irc.hashbang.sh:6697/#!) | + [Github](http://github.com/hashbang/) diff --git a/aliases b/aliases new file mode 100644 index 0000000..92fa913 --- /dev/null +++ b/aliases @@ -0,0 +1,3 @@ +# See man 5 aliases for format +postmaster: root +root: root@hashbang.sh diff --git a/apt/apt.conf.d/00CDMountPoint b/apt/apt.conf.d/00CDMountPoint new file mode 100644 index 0000000..6a2c664 --- /dev/null +++ b/apt/apt.conf.d/00CDMountPoint @@ -0,0 +1,4 @@ +Acquire::cdrom { + mount "/media/cdrom"; +}; +Dir::Media::MountPath "/media/cdrom"; diff --git a/apt/apt.conf.d/00InstallRecommends b/apt/apt.conf.d/00InstallRecommends new file mode 100644 index 0000000..b781f7f --- /dev/null +++ b/apt/apt.conf.d/00InstallRecommends @@ -0,0 +1,3 @@ +APT::Install-Recommends "false"; +APT::Install-Suggests "false"; + diff --git a/apt/apt.conf.d/00trustcdrom b/apt/apt.conf.d/00trustcdrom new file mode 100644 index 0000000..c7588cb --- /dev/null +++ b/apt/apt.conf.d/00trustcdrom @@ -0,0 +1 @@ +APT::Authentication::TrustCDROM "true"; diff --git a/apt/apt.conf.d/05etckeeper b/apt/apt.conf.d/05etckeeper new file mode 100644 index 0000000..5e690a2 --- /dev/null +++ b/apt/apt.conf.d/05etckeeper 
@@ -0,0 +1,5 @@
+DPkg::Pre-Invoke { "if [ -x /usr/bin/etckeeper ]; then etckeeper pre-install; fi"; };
+DPkg::Post-Invoke { "if [ -x /usr/bin/etckeeper ]; then etckeeper post-install; fi"; };
+
+RPM::Pre-Invoke { "if [ -x /usr/bin/etckeeper ]; then etckeeper pre-install; fi"; };
+RPM::Post-Invoke { "if [ -x /usr/bin/etckeeper ]; then etckeeper post-install; fi"; };
diff --git a/apt/preferences b/apt/preferences
new file mode 100644
index 0000000..8086fdb
--- /dev/null
+++ b/apt/preferences
@@ -0,0 +1,14 @@
+# Give jessie priority over everything
+Package: *
+Pin: release n=jessie
+Pin-Priority: 900
+
+# Give backports priority over stretch
+Package: *
+Pin: release n=jessie-backports
+Pin-Priority: 800
+
+# Never silently install from testing
+Package: *
+Pin: release n=stretch
+Pin-Priority: -1
diff --git a/apt/preferences.d/.keep b/apt/preferences.d/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/apt/preferences.d/ansible b/apt/preferences.d/ansible
new file mode 100644
index 0000000..e6f4d9a
--- /dev/null
+++ b/apt/preferences.d/ansible
@@ -0,0 +1,3 @@
+Package: ansible ieee-data python-netaddr
+Pin: release n=jessie-backports
+Pin-Priority: 990
diff --git a/apt/preferences.d/firejail b/apt/preferences.d/firejail
new file mode 100644
index 0000000..b3b8401
--- /dev/null
+++ b/apt/preferences.d/firejail
@@ -0,0 +1,3 @@
+Package: firejail
+Pin: release n=stretch
+Pin-Priority: 990
diff --git a/apt/preferences.d/gnupg b/apt/preferences.d/gnupg
new file mode 100644
index 0000000..375e437
--- /dev/null
+++ b/apt/preferences.d/gnupg
@@ -0,0 +1,3 @@
+Package: gnupg gnupg2 gnupg-agent libassuan0 libgcrypt20 libgpg-error0 libksba8 libnpth0 signing-party
+Pin: release n=stretch
+Pin-Priority: 990
diff --git a/apt/preferences.d/kernel b/apt/preferences.d/kernel
new file mode 100644
index 0000000..9e873db
--- /dev/null
+++ b/apt/preferences.d/kernel
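Review bot: The gnupg pin pulls shared libraries (libgcrypt20, libgpg-error0, libassuan0, libksba8, libnpth0) from stretch at priority 990 while apt/preferences pins stretch at -1 for everything else, and unlike the mosh pin there is no comment saying why. Mixing a newer release's core libraries into jessie is a partial upgrade that is hard to undo and that other jessie packages linked against libgcrypt20 may follow, so the reason should be recorded in the file, e.g. `# gnupg2 from stretch needed for <REASON>; the libs listed are its runtime dependencies`. The firejail and kernel pins lack a justification comment as well.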
@@ -0,0 +1,3 @@
+Package: linux-base linux-image-amd64 linux-image-*-amd64
+Pin: release n=jessie-backports
+Pin-Priority: 990
diff --git a/apt/preferences.d/mosh b/apt/preferences.d/mosh
new file mode 100644
index 0000000..03a05c9
--- /dev/null
+++ b/apt/preferences.d/mosh
@@ -0,0 +1,4 @@
+# v1.2.5 (jessie-backports) is required for mouse support
+Package: mosh
+Pin: release n=jessie-backports
+Pin-Priority: 990
diff --git a/apt/preferences.d/openntpd b/apt/preferences.d/openntpd
new file mode 100644
index 0000000..9aa9510
--- /dev/null
+++ b/apt/preferences.d/openntpd
@@ -0,0 +1,3 @@
+Package: openntpd
+Pin: release n=jessie-backports
+Pin-Priority: 990
diff --git a/apt/preferences.d/unbound b/apt/preferences.d/unbound
new file mode 100644
index 0000000..efb711f
--- /dev/null
+++ b/apt/preferences.d/unbound
@@ -0,0 +1,3 @@
+Package: libunbound2 libunbound-dev unbound* python-unbound
+Pin: release n=jessie-backports
+Pin-Priority: 990
diff --git a/apt/sources.list b/apt/sources.list
new file mode 100644
index 0000000..97c54de
--- /dev/null
+++ b/apt/sources.list
@@ -0,0 +1,16 @@
+deb http://deb.debian.org/debian/ jessie main contrib non-free
+deb-src http://deb.debian.org/debian/ jessie main contrib non-free
+
+deb http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+deb-src http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+
+# Backports. Must be enabled per-package using a pin
+deb http://deb.debian.org/debian/ jessie-backports main contrib non-free
+deb-src http://deb.debian.org/debian/ jessie-backports main contrib non-free
+
+# Newer releases. Use with care and pin.
+deb http://deb.debian.org/debian/ stretch main contrib non-free
+deb-src http://deb.debian.org/debian/ stretch main contrib non-free
+
+deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+deb-src http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
diff --git a/apt/sources.list.d/tor.list b/apt/sources.list.d/tor.list new file mode 100644 index 0000000..5b54fd7 --- /dev/null +++ b/apt/sources.list.d/tor.list @@ -0,0 +1 @@ +deb https://deb.torproject.org/torproject.org jessie main diff --git a/apt/sources.list.d/weechat.list b/apt/sources.list.d/weechat.list new file mode 100644 index 0000000..973a27b --- /dev/null +++ b/apt/sources.list.d/weechat.list @@ -0,0 +1,2 @@ +deb https://weechat.org/debian jessie main +deb-src https://weechat.org/debian jessie main diff --git a/apt/trusted.gpg b/apt/trusted.gpg new file mode 100644 index 0000000..e69de29 diff --git a/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg b/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg new file mode 100644 index 0000000..7f064b8 Binary files /dev/null and b/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg b/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg new file mode 100644 index 0000000..fa4047c Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg b/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg new file mode 100644 index 0000000..c454a76 Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg b/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg new file mode 100644 index 0000000..dcb5524 Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg differ diff --git a/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg b/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg new file mode 100644 index 0000000..7dc19c5 Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg differ 
diff --git a/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg b/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
new file mode 100644
index 0000000..79542e0
Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg differ
diff --git a/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg b/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
new file mode 100644
index 0000000..2c3f78f
Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg differ
diff --git a/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg b/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
new file mode 100644
index 0000000..a23f2fe
Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg differ
diff --git a/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg b/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
new file mode 100644
index 0000000..b8699b3
Binary files /dev/null and b/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg differ
diff --git a/apt/trusted.gpg.d/weechat.gpg b/apt/trusted.gpg.d/weechat.gpg
new file mode 100644
index 0000000..32ea2bf
Binary files /dev/null and b/apt/trusted.gpg.d/weechat.gpg differ
diff --git a/cron.daily/clean-lurkers b/cron.daily/clean-lurkers
new file mode 100755
index 0000000..c9107d5
--- /dev/null
+++ b/cron.daily/clean-lurkers
@@ -0,0 +1,13 @@
+#!/bin/sh
+# See https://xkcd.com/686/ -- Admin mourning
+
+DAYS=30
+
+for range in 1000-59999 65536-4294967293; do
+ for user in $(lastlog -b "$DAYS" -t "$((DAYS + 2))" -u "$range" | \
+ tail -n +2 | cut -d' ' -f1); do
+ if [ ! -f "/home/${user}/.keep-account" ]; then
+ loginctl terminate-user "$user"
+ fi
+ done
+done
diff --git a/cron.daily/etckeeper b/cron.daily/etckeeper
new file mode 100755
index 0000000..5255691
--- /dev/null
+++ b/cron.daily/etckeeper
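Review bot: The opt-out check in clean-lurkers hard-codes `/home/${user}/.keep-account`, so an account whose home directory lives anywhere else can never opt out and has its sessions terminated even though it created the marker. Resolve the home from the passwd database instead, `home=$(getent passwd "$user" | cut -d: -f6)` and then test `"$home/.keep-account"`. Nothing is logged when a user is hit; a `logger -t clean-lurkers "terminated sessions of $user (no login for $DAYS days)"` next to the `loginctl` call would make each daily run auditable afterwards. The header comment should also state that only logind sessions are ended and the account itself is kept, since the xkcd reference reads as if accounts were removed.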
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+if [ -x /usr/bin/etckeeper ] && [ -e /etc/etckeeper/etckeeper.conf ]; then
+ . /etc/etckeeper/etckeeper.conf
+ if [ "$AVOID_DAILY_AUTOCOMMITS" != "1" ]; then
+ # avoid autocommit if an install run is in progress
+ lockfile=/var/cache/etckeeper/packagelist.pre-install
+ if [ -e "$lockfile" ] && [ -n "$(find "$lockfile" -mtime +1)" ]; then
+ rm -f "$lockfile" # stale
+ fi
+ if [ ! -e "$lockfile" ]; then
+ AVOID_SPECIAL_FILE_WARNING=1
+ export AVOID_SPECIAL_FILE_WARNING
+ if etckeeper unclean; then
+ etckeeper commit "daily autocommit" >/dev/null
+ fi
+ fi
+ fi
+fi
diff --git a/cron.daily/passwd b/cron.daily/passwd
new file mode 100755
index 0000000..4778bf0
--- /dev/null
+++ b/cron.daily/passwd
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd /var/backups || exit 0
+
+for FILE in passwd group shadow gshadow; do
+ test -f /etc/$FILE || continue
+ cmp -s $FILE.bak /etc/$FILE && continue
+ cp -p /etc/$FILE $FILE.bak && chmod 600 $FILE.bak
+done
diff --git a/crontab b/crontab
new file mode 100644
index 0000000..9d060fb
--- /dev/null
+++ b/crontab
@@ -0,0 +1,18 @@
+# /etc/crontab: system-wide crontab
+# Unlike any other crontab you don't have to run the `crontab'
+# command to install the new version when you edit this file
+# and files in /etc/cron.d. These files also have username fields,
+# that none of the other crontabs do.
+
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# m h dom mon dow user command
+17 * * * * root cd / && run-parts --report /etc/cron.hourly
+25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
+47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
+52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
+
+32 7 * * 7 root update-command-not-found
+#
+#*/3 * * * * root /etc/cron.hourly/udev.sh
diff --git a/default/ferm b/default/ferm new file mode 100644 index 0000000..3b64bd1 --- /dev/null +++ b/default/ferm @@ -0,0 +1,13 @@ +# configuration for /etc/init.d/ferm + +# use iptables-restore for fast firewall initialization? +FAST=yes + +# cache the output of ferm --lines in /var/cache/ferm? +CACHE=yes + +# additional paramaters for ferm (like --def '=bar') +OPTIONS= + +# Enable the ferm init script? (i.e. run on bootup) +ENABLED="yes" diff --git a/default/haveged b/default/haveged new file mode 100644 index 0000000..000e38e --- /dev/null +++ b/default/haveged @@ -0,0 +1,5 @@ +# Configuration file for haveged + +# Options to pass to haveged: +# -w sets low entropy watermark (in bits) +DAEMON_ARGS="-w 2048" diff --git a/default/locale b/default/locale new file mode 100644 index 0000000..be3e730 --- /dev/null +++ b/default/locale @@ -0,0 +1,2 @@ +# Created by cloud-init v. 0.7.6 on Mon, 11 May 2015 19:43:00 +0000 +LANG="en_US.UTF-8" diff --git a/default/rcS b/default/rcS new file mode 100644 index 0000000..6508e99 --- /dev/null +++ b/default/rcS @@ -0,0 +1,24 @@ +# +# /etc/default/rcS +# +# Default settings for the scripts in /etc/rcS.d/ +# +# For information about these variables see the rcS(5) manual page. +# +# This file belongs to the "initscripts" package. + +# delete files in /tmp during boot older than x days. +# '0' means always, -1 or 'infinite' disables the feature +#TMPTIME=0 + +# spawn sulogin during boot, continue normal boot if not used in 30 seconds +#SULOGIN=no + +# do not allow users to log in until the boot has completed +#DELAYLOGIN=no + +# be more verbose during the boot process +#VERBOSE=no + +# automatically repair filesystems with inconsistencies during boot +FSCKFIX=yes diff --git a/default/useradd b/default/useradd new file mode 100644 index 0000000..4e27ca4 --- /dev/null +++ b/default/useradd 
@@ -0,0 +1,37 @@
+# Default values for useradd(8)
+#
+# The SHELL variable specifies the default login shell on your
+# system.
+# Similar to DHSELL in adduser. However, we use "sh" here because
+# useradd is a low level utility and should be as general
+# as possible
+SHELL=/bin/bash
+#
+# The default group for users
+# 100=users on Debian systems
+# Same as USERS_GID in adduser
+# This argument is used when the -n flag is specified.
+# The default behavior (when -n and -g are not specified) is to create a
+# primary user group with the same name as the user being added to the
+# system.
+# GROUP=100
+#
+# The default home directory. Same as DHOME for adduser
+# HOME=/home
+#
+# The number of days after a password expires until the account
+# is permanently disabled
+# INACTIVE=-1
+#
+# The default expire date
+# EXPIRE=
+#
+# The SKEL variable specifies the directory containing "skeletal" user
+# files; in other words, files such as a sample .profile that will be
+# copied to the new user's home directory when it is created.
+# SKEL=/etc/skel
+#
+# Defines whether the mail spool should be created while
+# creating the account
+# CREATE_MAIL_SPOOL=yes
+
diff --git a/environment b/environment
new file mode 100644
index 0000000..761bde9
--- /dev/null
+++ b/environment
@@ -0,0 +1 @@
+MAIL=~/Mail
diff --git a/ferm/ferm.conf b/ferm/ferm.conf
new file mode 100644
index 0000000..dcd3148
--- /dev/null
+++ b/ferm/ferm.conf
@@ -0,0 +1,29 @@
+# -*- shell-script -*-
+#
+# Configuration file for ferm(1).
+#
+
+table filter {
+ chain INPUT {
+ policy ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+
+ # connection tracking
+ mod state state INVALID DROP;
+
+ # Feathercoin mining pool
+ daddr (176.31.126.191 188.165.223.132) REJECT;
+
+ # bitcoinshell.mooo.com
+ daddr (92.222.41.125) REJECT;
+
+ # Bitcoin-related protocols
+ proto (udp tcp) dport (8082 8332 8333 50002) REJECT;
+ }
+}
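Review bot: The comment block above `SHELL=/bin/bash` still says `we use "sh" here because useradd is a low level utility`, but the value this file sets is `/bin/bash`, so the comment now contradicts the setting it documents. Replace it with a comment that records the deliberate choice, e.g. `# Login shell for accounts created with useradd(8): bash rather than Debian's /bin/sh default`. While there, `DHSELL` in the same block is a typo for `DSHELL`.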
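Review bot: The OUTPUT rejects in ferm.conf only take effect for IPv4: `table filter { … }` without a `domain` keyword is emitted in ferm's default `ip` domain, so the same ports (8082 8332 8333 50002) remain reachable over IPv6 on a host that has it. The port-based rule can be made dual-stack by declaring it as `domain (ip ip6) table filter { chain OUTPUT { proto (udp tcp) dport (8082 8332 8333 50002) REJECT; } }`, keeping the IPv4 `daddr` rules in the existing ip-only table. The hard-coded pool addresses would also benefit from a comment giving the date they were last verified, since such addresses change.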
diff --git a/firejail/0ad.profile b/firejail/0ad.profile new file mode 100644 index 0000000..1e7c068 --- /dev/null +++ b/firejail/0ad.profile @@ -0,0 +1,31 @@ +# Firejail profile for 0ad. +noblacklist ~/.cache/0ad +noblacklist ~/.config/0ad +noblacklist ~/.local/share/0ad +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelists +mkdir ~/.cache/0ad +whitelist ~/.cache/0ad + +mkdir ~/.config/0ad +whitelist ~/.config/0ad + +mkdir ~/.local/share/0ad +whitelist ~/.local/share/0ad + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-dev +private-tmp diff --git a/firejail/7z.profile b/firejail/7z.profile new file mode 100644 index 0000000..3191265 --- /dev/null +++ b/firejail/7z.profile @@ -0,0 +1,14 @@ +# 7zip crompression tool profile +quiet +ignore noroot + +include /etc/firejail/default.profile + +blacklist /tmp/.X11-unix + +tracelog +net none +shell none +private-dev +nosound +no3d diff --git a/firejail/Cryptocat.profile b/firejail/Cryptocat.profile new file mode 100644 index 0000000..b61b88f --- /dev/null +++ b/firejail/Cryptocat.profile @@ -0,0 +1,20 @@ +# Firejail profile for Cryptocat +noblacklist ${HOME}/.config/Cryptocat + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-dev +private-tmp diff --git a/firejail/Cyberfox.profile b/firejail/Cyberfox.profile new file mode 100644 index 0000000..1f74606 --- /dev/null +++ b/firejail/Cyberfox.profile @@ -0,0 +1,3 @@ +# Firejail profile for Cyberfox (based on Mozilla Firefox) + +include /etc/firejail/cyberfox.profile 
diff --git a/firejail/FossaMail.profile b/firejail/FossaMail.profile new file mode 100644 index 0000000..0da2354 --- /dev/null +++ b/firejail/FossaMail.profile @@ -0,0 +1,2 @@ +# Firejail profile for FossaMail +include /etc/firejail/fossamail.profile diff --git a/firejail/Mathematica.profile b/firejail/Mathematica.profile new file mode 100644 index 0000000..e719f07 --- /dev/null +++ b/firejail/Mathematica.profile @@ -0,0 +1,20 @@ +# Mathematica profile +noblacklist ${HOME}/.Mathematica +noblacklist ${HOME}/.Wolfram Research + +mkdir ~/.Mathematica +whitelist ~/.Mathematica +mkdir ~/.Wolfram Research +whitelist ~/.Wolfram Research +whitelist ~/Documents/Wolfram Mathematica +include /etc/firejail/whitelist-common.inc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +seccomp diff --git a/firejail/Telegram.profile b/firejail/Telegram.profile new file mode 100644 index 0000000..2e0f978 --- /dev/null +++ b/firejail/Telegram.profile @@ -0,0 +1,2 @@ +# Telegram IRC profile +include /etc/firejail/telegram.profile diff --git a/firejail/VirtualBox.profile b/firejail/VirtualBox.profile new file mode 100644 index 0000000..ff0a4b6 --- /dev/null +++ b/firejail/VirtualBox.profile @@ -0,0 +1 @@ +include /etc/firejail/virtualbox.profile diff --git a/firejail/Wire.profile b/firejail/Wire.profile new file mode 100644 index 0000000..bd9645c --- /dev/null +++ b/firejail/Wire.profile @@ -0,0 +1,3 @@ +# wire messenger profile + +include /etc/firejail/wire.profile diff --git a/firejail/abrowser.profile b/firejail/abrowser.profile new file mode 100644 index 0000000..f25bbd9 --- /dev/null +++ b/firejail/abrowser.profile 
@@ -0,0 +1,49 @@ +# Firejail profile for Abrowser +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.mozilla +whitelist ~/.mozilla +mkdir ~/.cache/mozilla/abrowser +whitelist ~/.cache/mozilla/abrowser +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki + +# lastpass, keepass +# for keepass we additionally need to whitelist our .kdbx password database +whitelist ~/.keepass +whitelist ~/.config/keepass +whitelist ~/.config/KeePass +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +include /etc/firejail/whitelist-common.inc + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/firejail/amarok.profile b/firejail/amarok.profile new file mode 100644 index 0000000..8d5b35d --- /dev/null +++ b/firejail/amarok.profile @@ -0,0 +1,19 @@ +# amarok profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +#seccomp +protocol unix,inet,inet6 + +#private-bin amarok +private-dev +private-tmp +#private-etc none diff --git a/firejail/ark.profile b/firejail/ark.profile new file mode 100644 index 0000000..61b4c6f 
--- /dev/null +++ b/firejail/ark.profile @@ -0,0 +1,23 @@ +# ark profile +noblacklist ~/.config/arkrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/firejail/atom-beta.profile b/firejail/atom-beta.profile new file mode 100644 index 0000000..fa0b316 --- /dev/null +++ b/firejail/atom-beta.profile @@ -0,0 +1,20 @@ +# Firejail profile for Atom Beta. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-dev +private-tmp diff --git a/firejail/atom.profile b/firejail/atom.profile new file mode 100644 index 0000000..61930d5 --- /dev/null +++ b/firejail/atom.profile @@ -0,0 +1,20 @@ +# Firejail profile for Atom. +noblacklist ~/.atom +noblacklist ~/.config/Atom + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-dev +private-tmp diff --git a/firejail/atool.profile b/firejail/atool.profile new file mode 100644 index 0000000..578a88f --- /dev/null +++ b/firejail/atool.profile 
@@ -0,0 +1,27 @@ +# atool profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +no3d +shell none +tracelog + +blacklist /tmp/.X11-unix + +# private-bin atool +private-tmp +private-dev +private-etc none + + diff --git a/firejail/atril.profile b/firejail/atril.profile new file mode 100644 index 0000000..fbcca0c --- /dev/null +++ b/firejail/atril.profile @@ -0,0 +1,21 @@ +# Atril profile +noblacklist ~/.config/atril +noblacklist ~/.local/share +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin atril, atril-previewer, atril-thumbnailer +private-dev +private-tmp diff --git a/firejail/audacious.profile b/firejail/audacious.profile new file mode 100644 index 0000000..e527521 --- /dev/null +++ b/firejail/audacious.profile @@ -0,0 +1,11 @@ +# Audacious media player profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/audacity.profile b/firejail/audacity.profile new file mode 100644 index 0000000..827fa43 --- /dev/null +++ b/firejail/audacity.profile 
@@ -0,0 +1,21 @@ +# Audacity profile +noblacklist ~/.audacity-data + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix +seccomp +shell none +tracelog + +private-bin audacity +private-dev +private-tmp diff --git a/firejail/aweather.profile b/firejail/aweather.profile new file mode 100644 index 0000000..fa8654f --- /dev/null +++ b/firejail/aweather.profile @@ -0,0 +1,25 @@ +# Firejail profile for aweather. +noblacklist ~/.config/aweather +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelist +mkdir ~/.config/aweather +whitelist ~/.config/aweather + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin aweather +private-dev +private-tmp diff --git a/firejail/bitlbee.profile b/firejail/bitlbee.profile new file mode 100644 index 0000000..87d2e84 --- /dev/null +++ b/firejail/bitlbee.profile @@ -0,0 +1,14 @@ +# BitlBee instant messaging profile +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +netfilter +nonewprivs +private +private-dev +protocol unix,inet,inet6 +seccomp +nosound +read-write /var/lib/bitlbee diff --git a/firejail/bleachbit.profile b/firejail/bleachbit.profile new file mode 100644 index 0000000..0a71db9 --- /dev/null +++ b/firejail/bleachbit.profile 
@@ -0,0 +1,21 @@ +# bleachbit profile +include /etc/firejail/disable-common.inc +# include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/firejail/bless.profile b/firejail/bless.profile new file mode 100644 index 0000000..752edad --- /dev/null +++ b/firejail/bless.profile @@ -0,0 +1,20 @@ +# +#Profile for bless +# + +#No Blacklist Paths +noblacklist ${HOME}/.config/bless + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/brasero.profile b/firejail/brasero.profile new file mode 100644 index 0000000..66de6fa --- /dev/null +++ b/firejail/brasero.profile @@ -0,0 +1,23 @@ +# brasero profile +noblacklist ~/.config/brasero + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin brasero +# private-tmp +# private-dev +# private-etc fonts diff --git a/firejail/brave.profile b/firejail/brave.profile new file mode 100644 index 0000000..21ea7f9 --- /dev/null +++ b/firejail/brave.profile 
@@ -0,0 +1,17 @@ +# Profile for Brave browser +noblacklist ~/.config/brave +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp + +whitelist ${DOWNLOADS} + +mkdir ~/.config/brave +whitelist ~/.config/brave diff --git a/firejail/cherrytree.profile b/firejail/cherrytree.profile new file mode 100644 index 0000000..139dec8 --- /dev/null +++ b/firejail/cherrytree.profile @@ -0,0 +1,18 @@ +# cherrytree note taking application +noblacklist /usr/bin/python2* +noblacklist /usr/lib/python3* +noblacklist ${HOME}/.config/cherrytree +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +seccomp +protocol unix,inet,inet6,netlink +tracelog diff --git a/firejail/chromium-browser.profile b/firejail/chromium-browser.profile new file mode 100644 index 0000000..d989b73 --- /dev/null +++ b/firejail/chromium-browser.profile @@ -0,0 +1,2 @@ +# Chromium browser profile +include /etc/firejail/chromium.profile diff --git a/firejail/chromium.profile b/firejail/chromium.profile new file mode 100644 index 0000000..7610d9b --- /dev/null +++ b/firejail/chromium.profile 
@@ -0,0 +1,32 @@ +# Chromium browser profile +noblacklist ~/.config/chromium +noblacklist ~/.cache/chromium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +# chromium is distributed with a perl script on Arch +# include /etc/firejail/disable-devel.inc +# + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/chromium +whitelist ~/.config/chromium +mkdir ~/.cache/chromium +whitelist ~/.cache/chromium +mkdir ~/.pki +whitelist ~/.pki + +# lastpass, keepass +# for keepass we additionally need to whitelist our .kdbx password database +whitelist ~/.keepass +whitelist ~/.config/keepass +whitelist ~/.config/KeePass +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +# specific to Arch +whitelist ~/.config/chromium-flags.conf + +include /etc/firejail/whitelist-common.inc diff --git a/firejail/claws-mail.profile b/firejail/claws-mail.profile new file mode 100644 index 0000000..8921bb2 --- /dev/null +++ b/firejail/claws-mail.profile @@ -0,0 +1,23 @@ +# claws-mail profile +noblacklist ~/.claws-mail +noblacklist ~/.signature +noblacklist ~/.gnupg + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-dev +private-tmp + diff --git a/firejail/clementine.profile b/firejail/clementine.profile new file mode 100644 index 0000000..5ce0853 --- /dev/null +++ b/firejail/clementine.profile @@ -0,0 +1,11 @@ +# Clementine media player profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/cmus.profile b/firejail/cmus.profile new file mode 100644 index 0000000..2e2a694 --- /dev/null 
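Review bot: chromium.profile carries none of `caps.drop all`, `nonewprivs`, `noroot` or `seccomp`, while cyberfox.profile, brave.profile and dillo.profile in the same commit enable all four; if this is deliberate because Chromium's own sandbox (setuid helper or user namespaces) breaks under them, the profile should say so next to `netfilter`, e.g. `# no caps.drop/nonewprivs/noroot/seccomp: chromium's internal sandbox needs them`. The `whitelist ~/.keepass`, `~/.config/keepass` and `~/.lastpass` lines also hand the browser read-write access to password databases that disable-passwdmgr.inc hides from everything else; that is presumably a plugin-integration trade-off and deserves a comment stating it. If any of the four options turn out to be compatible on Debian, `nonewprivs` is the one to add first.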
+++ b/firejail/cmus.profile @@ -0,0 +1,18 @@ +# cmus profile +noblacklist ${HOME}/.config/cmus + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-bin cmus +private-etc group +shell none diff --git a/firejail/conkeror.profile b/firejail/conkeror.profile new file mode 100644 index 0000000..e82eeec --- /dev/null +++ b/firejail/conkeror.profile @@ -0,0 +1,24 @@ +# Firejail profile for Conkeror web browser profile +noblacklist ${HOME}/.conkeror.mozdev.org +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +whitelist ~/.conkeror.mozdev.org +whitelist ~/Downloads +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.lastpass +whitelist ~/.gtkrc-2.0 +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.conkerorrc +include /etc/firejail/whitelist-common.inc diff --git a/firejail/corebird.profile b/firejail/corebird.profile new file mode 100644 index 0000000..6fb8219 --- /dev/null +++ b/firejail/corebird.profile @@ -0,0 +1,11 @@ +# Firejail corebird profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/cpio.profile b/firejail/cpio.profile new file mode 100644 index 0000000..cf89acd --- /dev/null +++ b/firejail/cpio.profile 
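Review bot: corebird.profile is the only profile in this group without `nonewprivs`; cmus.profile and conkeror.profile on this same line both set it next to `noroot`. Without it, a setuid or file-capability binary still reachable inside the sandbox can raise privileges within the `noroot` user namespace, and the profile drifts from the baseline every other profile here follows. Suggested: add `nonewprivs` between `netfilter` and `noroot`.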
@@ -0,0 +1,22 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+no3d
+
+blacklist /tmp/.X11-unix
+
diff --git a/firejail/cryptocat.profile b/firejail/cryptocat.profile
new file mode 100644
index 0000000..0d392b2
--- /dev/null
+++ b/firejail/cryptocat.profile
@@ -0,0 +1 @@
+include /etc/Cryptocat.profile
diff --git a/firejail/cyberfox.profile b/firejail/cyberfox.profile
new file mode 100644
index 0000000..f722915
--- /dev/null
+++ b/firejail/cyberfox.profile
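Review bot: `net none` appears twice in cpio.profile (once after `caps.drop all`, again after `tracelog`); the second copy is harmless but should go. More importantly the profile sets neither `nonewprivs` nor `noroot`, which every other profile in this commit enables, and an archive tool fed untrusted input is exactly where those matter. Suggested: drop the duplicate and add `nonewprivs` and `noroot` directly under `caps.drop all`.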
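Review bot: cryptocat.profile includes `/etc/Cryptocat.profile`, a path outside the `/etc/firejail/` directory that every other include in this commit uses and that this commit does not add, so `firejail cryptocat` will most likely fail to load its profile (or fall back to default.profile) rather than apply the intended restrictions. Suggested: `include /etc/firejail/Cryptocat.profile`, and confirm that file actually exists in the tree.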
@@ -0,0 +1,49 @@ +# Firejail profile for Cyberfox (based on Mozilla Firefox) +noblacklist ~/.8pecxstudios +noblacklist ~/.cache/8pecxstudios +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.8pecxstudios +whitelist ~/.8pecxstudios +mkdir ~/.cache/8pecxstudios +whitelist ~/.cache/8pecxstudios +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki + +# lastpass, keepass +# for keepass we additionally need to whitelist our .kdbx password database +whitelist ~/.keepass +whitelist ~/.config/keepass +whitelist ~/.config/KeePass +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +include /etc/firejail/whitelist-common.inc + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/firejail/deadbeef.profile b/firejail/deadbeef.profile new file mode 100644 index 0000000..04abd0a --- /dev/null +++ b/firejail/deadbeef.profile @@ -0,0 +1,13 @@ +# DeaDBeeF media player profile +noblacklist ${HOME}/.config/deadbeef + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp 
diff --git a/firejail/default.profile b/firejail/default.profile new file mode 100644 index 0000000..6033213 --- /dev/null +++ b/firejail/default.profile @@ -0,0 +1,24 @@ +################################ +# Generic GUI application profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +# +# depending on you usage, you can enable some of the commands below: +# +# nogroups +# shell none +# private-bin program +# private-etc none +# private-dev +# private-tmp + diff --git a/firejail/deluge.profile b/firejail/deluge.profile new file mode 100644 index 0000000..c6ddec3 --- /dev/null +++ b/firejail/deluge.profile @@ -0,0 +1,20 @@ +# deluge bittorrernt client profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +# deluge is using python on Debian +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp + +shell none +#private-bin deluge,sh,python,uname +private-dev +private-tmp + diff --git a/firejail/dillo.profile b/firejail/dillo.profile new file mode 100644 index 0000000..1087879 --- /dev/null +++ b/firejail/dillo.profile @@ -0,0 +1,22 @@ +# Firejail profile for Dillo web browser +noblacklist ~/.dillo +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.dillo +whitelist ~/.dillo +mkdir ~/.fltk +whitelist ~/.fltk + +include /etc/firejail/whitelist-common.inc 
diff --git a/firejail/disable-common.inc b/firejail/disable-common.inc
new file mode 100644
index 0000000..5a281a9
--- /dev/null
+++ b/firejail/disable-common.inc
@@ -0,0 +1,225 @@ +# Local customizations come here +include /etc/firejail/disable-common.local + +# History files in $HOME +blacklist-nolog ${HOME}/.history +blacklist-nolog ${HOME}/.*_history +blacklist-nolog ${HOME}/.bash_history +blacklist ${HOME}/.local/share/systemd +blacklist-nolog ${HOME}/.adobe +blacklist-nolog ${HOME}/.macromedia +read-only ${HOME}/.local/share/applications + +# X11 session autostart +blacklist ${HOME}/.xinitrc +blacklist ${HOME}/.xprofile +blacklist ${HOME}/.config/autostart +blacklist /etc/xdg/autostart +blacklist ${HOME}/.kde4/Autostart +blacklist ${HOME}/.kde4/share/autostart +blacklist ${HOME}/.kde/Autostart +blacklist ${HOME}/.kde/share/autostart +blacklist ${HOME}/.config/plasma-workspace/shutdown +blacklist ${HOME}/.config/plasma-workspace/env +blacklist ${HOME}/.config/lxsession/LXDE/autostart +blacklist ${HOME}/.fluxbox/startup +blacklist ${HOME}/.config/openbox/autostart +blacklist ${HOME}/.config/openbox/environment +blacklist ${HOME}/.gnomerc +blacklist /etc/X11/Xsession.d/ +# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs + +# VirtualBox +blacklist ${HOME}/.VirtualBox +blacklist ${HOME}/VirtualBox VMs +blacklist ${HOME}/.config/VirtualBox + +# VeraCrypt +blacklist ${PATH}/veracrypt +blacklist ${PATH}/veracrypt-uninstall.sh +blacklist /usr/share/veracrypt +blacklist /usr/share/applications/veracrypt.* +blacklist /usr/share/pixmaps/veracrypt.* +blacklist ${HOME}/.VeraCrypt + +# TrueCrypt +blacklist ${PATH}/truecrypt +blacklist ${PATH}/truecrypt-uninstall.sh +blacklist /usr/share/truecrypt +blacklist /usr/share/applications/truecrypt.* +blacklist /usr/share/pixmaps/truecrypt.* +blacklist ${HOME}/.TrueCrypt + +# zuluCrypt +blacklist ${HOME}/.zuluCrypt +blacklist ${HOME}/.zuluCrypt-socket +blacklist ${PATH}/zuluCrypt-cli +blacklist ${PATH}/zuluMount-cli + +# var +blacklist /var/spool/cron +blacklist /var/spool/anacron +blacklist /var/mail +blacklist /var/run/acpid.socket +blacklist 
/var/run/minissdpd.sock +blacklist /var/run/rpcbind.sock +blacklist /var/run/mysqld/mysqld.sock +blacklist /var/run/mysql/mysqld.sock +blacklist /var/lib/mysqld/mysql.sock +blacklist /var/lib/mysql/mysql.sock +blacklist /var/run/docker.sock + +# etc +blacklist /etc/cron* +blacklist /etc/profile.d +blacklist /etc/rc.local +blacklist /etc/anacrontab + +# General startup files +read-only ${HOME}/.xinitrc +read-only ${HOME}/.xserverrc +read-only ${HOME}/.profile + +# Shell startup files +read-only ${HOME}/.antigen +read-only ${HOME}/.bash_login +read-only ${HOME}/.bashrc +read-only ${HOME}/.bash_aliases +read-only ${HOME}/.bash_profile +read-only ${HOME}/.bash_logout +read-only ${HOME}/.zsh.d +read-only ${HOME}/.zshenv +read-only ${HOME}/.zshrc +read-only ${HOME}/.zshrc.local +read-only ${HOME}/.zlogin +read-only ${HOME}/.zprofile +read-only ${HOME}/.zlogout +read-only ${HOME}/.zsh_files +read-only ${HOME}/.tcshrc +read-only ${HOME}/.cshrc +read-only ${HOME}/.csh_files +read-only ${HOME}/.profile + +# Initialization files that allow arbitrary command execution +read-only ${HOME}/.caffrc +read-only ${HOME}/.dotfiles +read-only ${HOME}/dotfiles +read-only ${HOME}/.mailcap +read-only ${HOME}/.muttrc +read-only ${HOME}/.mutt/muttrc +read-only ${HOME}/.msmtprc +read-only ${HOME}/.exrc +read-only ${HOME}/_exrc +read-only ${HOME}/.vimrc +read-only ${HOME}/_vimrc +read-only ${HOME}/.gvimrc +read-only ${HOME}/_gvimrc +read-only ${HOME}/.vim +read-only ${HOME}/.emacs +read-only ${HOME}/.emacs.d +read-only ${HOME}/.nano +read-only ${HOME}/.tmux.conf +read-only ${HOME}/.iscreenrc +read-only ${HOME}/.reportbugrc +read-only ${HOME}/.xmonad +read-only ${HOME}/.xscreensaver + +# The user ~/bin directory can override commands such as ls +read-only ${HOME}/bin + +# top secret +blacklist ${HOME}/.ecryptfs +blacklist ${HOME}/.Private +blacklist ${HOME}/.ssh +blacklist ${HOME}/.cert +blacklist ${HOME}/.gnome2/keyrings +blacklist ${HOME}/.kde4/share/apps/kwallet +blacklist 
${HOME}/.kde/share/apps/kwallet +blacklist ${HOME}/.local/share/kwalletd +blacklist ${HOME}/.config/keybase +blacklist ${HOME}/.netrc +blacklist ${HOME}/.gnupg +blacklist ${HOME}/.caff +blacklist ${HOME}/.smbcredentials +blacklist ${HOME}/*.kdbx +blacklist ${HOME}/*.kdb +blacklist ${HOME}/*.key +blacklist ${HOME}/.muttrc +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.msmtprc +blacklist /etc/shadow +blacklist /etc/gshadow +blacklist /etc/passwd- +blacklist /etc/group- +blacklist /etc/shadow- +blacklist /etc/gshadow- +blacklist /etc/passwd+ +blacklist /etc/group+ +blacklist /etc/shadow+ +blacklist /etc/gshadow+ +blacklist /etc/ssh +blacklist /var/backup +blacklist /home/.ecryptfs + +# system directories +blacklist /sbin +blacklist /usr/sbin +blacklist /usr/local/sbin + +# system management +blacklist ${PATH}/umount +blacklist ${PATH}/mount +blacklist ${PATH}/fusermount +blacklist ${PATH}/ntfs-3g +blacklist ${PATH}/at +blacklist ${PATH}/su +blacklist ${PATH}/sudo +blacklist ${PATH}/xinput +blacklist ${PATH}/evtest +blacklist ${PATH}/xev +blacklist ${PATH}/strace +blacklist ${PATH}/nc +blacklist ${PATH}/ncat +blacklist ${PATH}/gpasswd +blacklist ${PATH}/newgidmap +blacklist ${PATH}/newgrp +blacklist ${PATH}/newuidmap +blacklist ${PATH}/pkexec +blacklist ${PATH}/sg +blacklist ${PATH}/crontab +blacklist ${PATH}/ksu +blacklist ${PATH}/chsh +blacklist ${PATH}/chfn +blacklist ${PATH}/chage +blacklist ${PATH}/expiry +blacklist ${PATH}/unix_chkpwd +blacklist ${PATH}/procmail +blacklist ${PATH}/mount.ecryptfs_private + +# other SUID binaries +blacklist /usr/lib/virtualbox +blacklist /usr/lib64/virtualbox + +# prevent lxterminal connecting to an existing lxterminal session +blacklist /tmp/.lxterminal-socket* + +# disable terminals running as server resulting in sandbox escape +blacklist ${PATH}/gnome-terminal +blacklist ${PATH}/gnome-terminal.wrapper +blacklist ${PATH}/xfce4-terminal +blacklist ${PATH}/xfce4-terminal.wrapper +blacklist ${PATH}/mate-terminal +blacklist 
${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
+#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
+#blacklist ${PATH}/konsole
+
+# kernel files
+blacklist /vmlinuz*
+blacklist /initrd*
diff --git a/firejail/disable-common.local b/firejail/disable-common.local
new file mode 100644
index 0000000..2d50b34
--- /dev/null
+++ b/firejail/disable-common.local
@@ -0,0 +1,7 @@
+# This file is meant for local customizations of disable-common.inc
+
+# Make directories that can override $PATH or libs read-only
+read-only ${HOME}/.gem
+read-only ${HOME}/.local
+read-only ${HOME}/.luarocks
+read-only ${HOME}/.npm-packages
diff --git a/firejail/disable-devel.local b/firejail/disable-devel.local
new file mode 100644
index 0000000..580420b
--- /dev/null
+++ b/firejail/disable-devel.local
@@ -0,0 +1 @@
+# This file is meant for local customizations of disable-devel.inc
diff --git a/firejail/disable-passwdmgr.inc b/firejail/disable-passwdmgr.inc
new file mode 100644
index 0000000..7d129b2
--- /dev/null
+++ b/firejail/disable-passwdmgr.inc
@@ -0,0 +1,13 @@
+# Local customizations come here
+include /etc/firejail/disable-passwdmgr.local
+
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.keepass
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+blacklist ${HOME}/.config/keepass
+blacklist ${HOME}/.config/KeePass
+
diff --git a/firejail/disable-passwdmgr.local b/firejail/disable-passwdmgr.local
new file mode 100644
index 0000000..b4dd1da
--- /dev/null
+++ b/firejail/disable-passwdmgr.local
@@ -0,0 +1 @@
+# This file is meant for local customizations of disable-passwdmgr.inc
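Review bot: the `# top secret` block of disable-common.inc hides `${HOME}/.gnome2/keyrings` and the KDE wallets but not `${HOME}/.local/share/keyrings`, where current GNOME Keyring stores the login keyring, and the startup section covers `.config/autostart` and the shell rc files but not `${HOME}/.config/systemd/user`, `${HOME}/.forward` or `${HOME}/.procmailrc`, each of which a sandboxed process could write to get a command run outside the sandbox later (`.forward` only if the MTA on these hosts honours it, which on a shell server it usually does). Suggested additions: `blacklist ${HOME}/.local/share/keyrings`, `blacklist ${HOME}/.config/systemd`, `read-only ${HOME}/.forward`. Minor: `read-only ${HOME}/.profile` is listed twice, and `${HOME}/.muttrc`, `.mutt/muttrc` and `.msmtprc` appear both as `read-only` and as `blacklist`, where the blacklist already makes the read-only entry moot.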
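Review bot: `read-only ${HOME}/.local` in disable-common.local covers `~/.local/share` as well as `~/.local/bin`, so profiles in this commit that `noblacklist` or `whitelist` paths under `~/.local/share` (dolphin, epiphany, and the disable-programs entries they re-enable) will find those directories unwritable, since as far as I can tell `noblacklist` lifts blacklists but not read-only mounts. If the goal is only to stop PATH and library overrides, narrow it to `read-only ${HOME}/.local/bin` and `read-only ${HOME}/.local/lib`, and keep `.gem`, `.luarocks` and `.npm-packages` as they are.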
diff --git a/firejail/disable-programs.inc b/firejail/disable-programs.inc
new file mode 100644
index 0000000..96bf146
--- /dev/null
+++ b/firejail/disable-programs.inc
@@ -0,0 +1,274 @@ +# Local customizations come here +include /etc/firejail/disable-programs.local + +blacklist ${HOME}/.*coin +blacklist ${HOME}/.8pecxstudios +blacklist ${HOME}/.Atom +blacklist ${HOME}/.FBReader +blacklist ${HOME}/.LuminanceHDR +blacklist ${HOME}/.Mathematica +blacklist ${HOME}/.Natron +blacklist ${HOME}/.Skype +blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.VirtualBox +blacklist ${HOME}/.Wolfram Research +blacklist ${HOME}/.arduino15 +blacklist ${HOME}/.atom +blacklist ${HOME}/.audacity-data +blacklist ${HOME}/.bcast5 +blacklist ${HOME}/.cache/0ad +blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/Franz +blacklist ${HOME}/.cache/INRIA +blacklist ${HOME}/.cache/QuiteRss +blacklist ${HOME}/.cache/champlain +blacklist ${HOME}/.cache/chromium +blacklist ${HOME}/.cache/qupzilla +blacklist ${HOME}/.cache/chromium-dev +blacklist ${HOME}/.cache/darktable +blacklist ${HOME}/.cache/epiphany +blacklist ${HOME}/.cache/evolution +blacklist ${HOME}/.cache/gajim +blacklist ${HOME}/.cache/google-chrome +blacklist ${HOME}/.cache/google-chrome-beta +blacklist ${HOME}/.cache/google-chrome-unstable +blacklist ${HOME}/.cache/icedove +blacklist ${HOME}/.cache/inox +blacklist ${HOME}/.cache/libgweather +blacklist ${HOME}/.cache/midori +blacklist ${HOME}/.cache/mozilla +blacklist ${HOME}/.cache/mutt +blacklist ${HOME}/.cache/netsurf +blacklist ${HOME}/.cache/opera +blacklist ${HOME}/.cache/opera-beta +blacklist ${HOME}/.cache/org.gnome.Books +blacklist ${HOME}/.cache/qutebrowser +blacklist ${HOME}/.cache/simple-scan +blacklist ${HOME}/.cache/slimjet +blacklist ${HOME}/.cache/spotify +blacklist ${HOME}/.cache/telepathy +blacklist ${HOME}/.cache/thunderbird +blacklist ${HOME}/.cache/torbrowser +blacklist ${HOME}/.cache/transmission +blacklist ${HOME}/.cache/vivaldi +blacklist ${HOME}/.cache/wesnoth +blacklist ${HOME}/.cache/xreader +blacklist ${HOME}/.claws-mail +blacklist ${HOME}/.config/0ad +blacklist ${HOME}/.config/Atom +blacklist 
${HOME}/.config/Brackets +blacklist ${HOME}/.config/Cryptocat +blacklist ${HOME}/.config/Franz +blacklist ${HOME}/.config/Gitter +blacklist ${HOME}/.config/Google +blacklist ${HOME}/.config/Gpredict +blacklist ${HOME}/.config/INRIA +blacklist ${HOME}/.config/Luminance +blacklist ${HOME}/.config/Meltytech +blacklist ${HOME}/.config/Mumble +blacklist ${HOME}/.config/QuiteRss +blacklist ${HOME}/.config/QuiteRssrc +blacklist ${HOME}/.config/Slack +blacklist ${HOME}/.config/VirtualBox +blacklist ${HOME}/.config/Wire +blacklist ${HOME}/.config/ardour4 +blacklist ${HOME}/.config/ardour5 +blacklist ${HOME}/.config/arkrc +blacklist ${HOME}/.config/atril +blacklist ${HOME}/.config/autostart +blacklist ${HOME}/.config/autostart/dropbox.desktop +blacklist ${HOME}/.config/aweather +blacklist ${HOME}/.config/blender +blacklist ${HOME}/.config/bless +blacklist ${HOME}/.config/brasero +blacklist ${HOME}/.config/brave +blacklist ${HOME}/.config/cherrytree +blacklist ${HOME}/.config/chromium +blacklist ${HOME}/.config/qupzilla +blacklist ${HOME}/.config/chromium-dev +blacklist ${HOME}/.config/chromium-flags.conf +blacklist ${HOME}/.config/cmus +blacklist ${HOME}/.config/darktable +blacklist ${HOME}/.config/deadbeef +blacklist ${HOME}/.config/dolphinrc +blacklist ${HOME}/.config/dragonplayerrc +blacklist ${HOME}/.config/enchant +blacklist ${HOME}/.config/eog +blacklist ${HOME}/.config/epiphany +blacklist ${HOME}/.config/evince +blacklist ${HOME}/.config/evolution +blacklist ${HOME}/.config/filezilla +blacklist ${HOME}/.config/flowblade +blacklist ${HOME}/.config/gajim +blacklist ${HOME}/.config/gedit +blacklist ${HOME}/.config/google-chrome +blacklist ${HOME}/.config/google-chrome-beta +blacklist ${HOME}/.config/google-chrome-unstable +blacklist ${HOME}/.config/gthumb +blacklist ${HOME}/.config/hexchat +blacklist ${HOME}/.config/inox +blacklist ${HOME}/.config/jd-gui.cfg +blacklist ${HOME}/.config/katepartrc +blacklist ${HOME}/.config/katerc +blacklist ${HOME}/.config/kateschemarc 
+blacklist ${HOME}/.config/katesyntaxhighlightingrc +blacklist ${HOME}/.config/katevirc +blacklist ${HOME}/.config/libreoffice +blacklist ${HOME}/.config/mate/eom +blacklist ${HOME}/.config/midori +blacklist ${HOME}/.config/mpv +blacklist ${HOME}/.config/mupen64plus +blacklist ${HOME}/.config/nautilus +blacklist ${HOME}/.config/netsurf +blacklist ${HOME}/.config/opera +blacklist ${HOME}/.config/opera-beta +blacklist ${HOME}/.config/pix +blacklist ${HOME}/.config/pluma +blacklist ${HOME}/.config/psi+ +blacklist ${HOME}/.config/qpdfview +blacklist ${HOME}/.config/qutebrowser +blacklist ${HOME}/.config/ranger +blacklist ${HOME}/.config/redshift.conf +blacklist ${HOME}/.config/skypeforlinux +blacklist ${HOME}/.config/slimjet +blacklist ${HOME}/.config/spotify +blacklist ${HOME}/.config/stellarium +blacklist ${HOME}/.config/synfig +blacklist ${HOME}/.config/telepathy-account-widgets +blacklist ${HOME}/.config/torbrowser +blacklist ${HOME}/.config/totem +blacklist ${HOME}/.config/tox +blacklist ${HOME}/.config/transmission +blacklist ${HOME}/.config/uGet +blacklist ${HOME}/.config/vivaldi +blacklist ${HOME}/.config/vlc +blacklist ${HOME}/.config/wesnoth +blacklist ${HOME}/.config/wire +blacklist ${HOME}/.config/wireshark +blacklist ${HOME}/.config/xchat +blacklist ${HOME}/.config/xed +blacklist ${HOME}/.config/xfburn +blacklist ${HOME}/.config/xplayer +blacklist ${HOME}/.config/xreader +blacklist ${HOME}/.config/xviewer +blacklist ${HOME}/.config/zathura +blacklist ${HOME}/.config/zoomus.conf +blacklist ${HOME}/.conkeror.mozdev.org +blacklist ${HOME}/.dillo +blacklist ${HOME}/.dosbox +blacklist ${HOME}/.dropbox-dist +blacklist ${HOME}/.electrum* +blacklist ${HOME}/.elinks +blacklist ${HOME}/.emacs +blacklist ${HOME}/.emacs.d +blacklist ${HOME}/.filezilla +blacklist ${HOME}/.flowblade +blacklist ${HOME}/.fltk +blacklist ${HOME}/.gimp* +blacklist ${HOME}/.git-credential-cache +blacklist ${HOME}/.gitconfig +blacklist ${HOME}/.googleearth/Cache/ +blacklist 
${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/myplaces.backup.kml +blacklist ${HOME}/.googleearth/myplaces.kml +blacklist ${HOME}/.guayadeque +blacklist ${HOME}/.hedgewars +blacklist ${HOME}/.icedove +blacklist ${HOME}/.inkscape +blacklist ${HOME}/.jitsi +blacklist ${HOME}/.kde/share/apps/gwenview +blacklist ${HOME}/.kde/share/apps/okular +blacklist ${HOME}/.kde/share/config/gwenviewrc +blacklist ${HOME}/.kde/share/config/okularpartrc +blacklist ${HOME}/.kde/share/config/okularrc +blacklist ${HOME}/.killingfloor +blacklist ${HOME}/.linphone-history.db +blacklist ${HOME}/.linphonerc +blacklist ${HOME}/.lmmsrc.xml +blacklist ${HOME}/.local/.share/maps-places.json +blacklist ${HOME}/.local/lib/python2.7/site-packages +blacklist ${HOME}/.local/share/0ad +blacklist ${HOME}/.local/share/3909/PapersPlease +blacklist ${HOME}/.local/share/Empathy +blacklist ${HOME}/.local/share/Mumble +blacklist ${HOME}/.local/share/QuiteRss +blacklist ${HOME}/.local/share/Ricochet +blacklist ${HOME}/.local/share/Steam +blacklist ${HOME}/.local/share/SuperHexagon +blacklist ${HOME}/.local/share/Terraria +blacklist ${HOME}/.local/share/TpLogger +blacklist ${HOME}/.local/share/aspyr-media +blacklist ${HOME}/.local/share/cdprojektred +blacklist ${HOME}/.local/share/data/Mumble +blacklist ${HOME}/.local/share/dolphin +blacklist ${HOME}/.local/share/epiphany +blacklist ${HOME}/.local/share/evolution +blacklist ${HOME}/.local/share/feral-interactive +blacklist ${HOME}/.local/share/gajim +blacklist ${HOME}/.local/share/gnome-2048 +blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/gnome-music +blacklist ${HOME}/.local/share/gnome-photos +blacklist ${HOME}/.local/share/kate +blacklist ${HOME}/.local/share/lollypop +blacklist ${HOME}/.local/share/multimc5 +blacklist ${HOME}/.local/share/mupen64plus +blacklist ${HOME}/.local/share/pix +blacklist ${HOME}/.local/share/psi+ +blacklist ${HOME}/.local/share/qpdfview +blacklist ${HOME}/.local/share/spotify +blacklist 
${HOME}/.local/share/steam +blacklist ${HOME}/.local/share/telepathy +blacklist ${HOME}/.local/share/torbrowser +blacklist ${HOME}/.local/share/totem +blacklist ${HOME}/.local/share/vpltd +blacklist ${HOME}/.local/share/vulkan +blacklist ${HOME}/.local/share/wesnoth +blacklist ${HOME}/.local/share/xplayer +blacklist ${HOME}/.local/share/xreader +blacklist ${HOME}/.local/share/zathura +blacklist ${HOME}/.lv2 +blacklist ${HOME}/.mcabber +blacklist ${HOME}/.mcabberrc +blacklist ${HOME}/.mozilla +blacklist ${HOME}/.mozilla/seamonkey +blacklist ${HOME}/.mpdconf +blacklist ${HOME}/.msmtprc +blacklist ${HOME}/.multimc5 +blacklist ${HOME}/.mutt +blacklist ${HOME}/.mutt/muttrc +blacklist ${HOME}/.muttrc +blacklist ${HOME}/.nv +blacklist ${HOME}/.openshot +blacklist ${HOME}/.openshot_qt +blacklist ${HOME}/.opera +blacklist ${HOME}/.opera-beta +blacklist ${HOME}/.pki +blacklist ${HOME}/.purple +blacklist ${HOME}/.qemu-launcher +blacklist ${HOME}/.remmina +blacklist ${HOME}/.retroshare +blacklist ${HOME}/.scribus +blacklist ${HOME}/.steam +blacklist ${HOME}/.steampath +blacklist ${HOME}/.steampid +blacklist ${HOME}/.stellarium +blacklist ${HOME}/.subversion +blacklist ${HOME}/.sword +blacklist ${HOME}/.sylpheed-2.0 +blacklist ${HOME}/.synfig +blacklist ${HOME}/.tconn +blacklist ${HOME}/.thunderbird +blacklist ${HOME}/.ts3client +blacklist ${HOME}/.vst +blacklist ${HOME}/.w3m +blacklist ${HOME}/.warzone2100-3.1 +blacklist ${HOME}/.weechat +blacklist ${HOME}/.wine +blacklist ${HOME}/.wine64 +blacklist ${HOME}/.xiphos +blacklist ${HOME}/.xonotic +blacklist ${HOME}/.xpdfrc +blacklist ${HOME}/.zoom +blacklist ${HOME}/wallet.dat +blacklist /tmp/ssh-* diff --git a/firejail/disable-programs.local b/firejail/disable-programs.local new file mode 100644 index 0000000..12932c7 --- /dev/null +++ b/firejail/disable-programs.local @@ -0,0 +1 @@ +# This file is meant for local customizations of disable-programs.inc 
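Review bot: disable-programs.inc hides `.gitconfig`, `.git-credential-cache` and `/tmp/ssh-*` but no cloud or container credential stores; `${HOME}/.aws`, `${HOME}/.docker` (config.json holds registry tokens), `${HOME}/.kube` and `${HOME}/.config/gcloud` are as sensitive on a shared shell server as the SSH keys disable-common already hides. Suggested: `blacklist ${HOME}/.aws`, `blacklist ${HOME}/.docker`, `blacklist ${HOME}/.kube`, plus gcloud, assuming users keep such files on these hosts. Minor: `${HOME}/.local/.share/maps-places.json` looks like a typo for `.local/share`, and `${HOME}/.mozilla/seamonkey` is redundant with the `${HOME}/.mozilla` entry directly above it.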
diff --git a/firejail/display.profile b/firejail/display.profile
new file mode 100644
index 0000000..ec041bf
--- /dev/null
+++ b/firejail/display.profile
@@ -0,0 +1,23 @@
+# display (ImageMagick tool) image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+x11 xorg
+
+private-bin display
+private-tmp
+private-dev
+private-etc none
+
diff --git a/firejail/dnscrypt-proxy.profile b/firejail/dnscrypt-proxy.profile
new file mode 100644
index 0000000..926b8bf
--- /dev/null
+++ b/firejail/dnscrypt-proxy.profile
@@ -0,0 +1,14 @@
+# security profile for dnscrypt-proxy
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private
+private-dev
+nosound
+no3d
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+
diff --git a/firejail/dnsmasq.profile b/firejail/dnsmasq.profile
new file mode 100644
index 0000000..3bd43f1
--- /dev/null
+++ b/firejail/dnsmasq.profile
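Review bot: dnscrypt-proxy.profile relies on a hand-written `seccomp.drop` list but sets no capability bound and no `nonewprivs`, so a proxy started as root to bind port 53 keeps every capability inside the sandbox; `caps.keep net_bind_service,setgid,setuid` would let it bind and drop to its own user while discarding the rest, assuming the daemon needs nothing more on these hosts. `nonewprivs` costs nothing here unless the daemon execs a setuid helper. The drop list also names `perf_event_open` twice, so the trailing copy can go.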
@@ -0,0 +1,17 @@ +# dnsmasq profile +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +caps +netfilter +nonewprivs +private +private-dev +nosound +no3d +protocol unix,inet,inet6,netlink +seccomp diff --git a/firejail/dolphin.profile b/firejail/dolphin.profile new file mode 100644 index 0000000..09a86f8 --- /dev/null +++ b/firejail/dolphin.profile @@ -0,0 +1,27 @@ +# dolphin profile + +# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 + +noblacklist ~/.config/dolphinrc +noblacklist ~/.local/share/dolphin + +include /etc/firejail/disable-common.inc +# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files +#include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/firejail/dosbox.profile b/firejail/dosbox.profile new file mode 100644 index 0000000..45fbb71 --- /dev/null +++ b/firejail/dosbox.profile @@ -0,0 +1,21 @@ +# Firejail profile for dosbox +noblacklist ~/.dosbox + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin dosbox +private-dev +private-tmp diff --git a/firejail/dragon.profile b/firejail/dragon.profile new file mode 100644 index 0000000..09cb738 --- /dev/null +++ b/firejail/dragon.profile 
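Review bot: dnsmasq.profile uses bare `caps`, which keeps the full capability set, although dnsmasq only needs to bind privileged ports, use raw sockets for DHCP and switch to its own user; `caps.keep net_bind_service,net_admin,net_raw,setgid,setuid` (trimmed to what the local configuration actually uses) would match the least-privilege stance of the other profiles. `noroot` is absent, presumably because the daemon starts as root, which is worth stating in a comment so it is not added by a later cleanup.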
@@ -0,0 +1,22 @@ +# dragon player profile +noblacklist ~/.config/dragonplayerrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix,inet,inet6 + +private-bin dragon +private-dev +private-tmp +# private-etc + diff --git a/firejail/dropbox.profile b/firejail/dropbox.profile new file mode 100644 index 0000000..40efd62 --- /dev/null +++ b/firejail/dropbox.profile @@ -0,0 +1,21 @@ +# dropbox profile +noblacklist ~/.config/autostart +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +mkdir ~/Dropbox +whitelist ~/Dropbox +mkdir ~/.dropbox +whitelist ~/.dropbox +mkdir ~/.dropbox-dist +whitelist ~/.dropbox-dist + +mkfile ~/.config/autostart/dropbox.desktop +whitelist ~/.config/autostart/dropbox.desktop diff --git a/firejail/elinks.profile b/firejail/elinks.profile new file mode 100644 index 0000000..ade15f2 --- /dev/null +++ b/firejail/elinks.profile @@ -0,0 +1,27 @@ +# elinks profile +noblacklist ~/.elinks + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +no3d +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +blacklist /tmp/.X11-unix + +# private-bin elinks +private-tmp +private-dev +# private-etc none + diff --git a/firejail/emacs.profile b/firejail/emacs.profile new file mode 100644 index 0000000..2b9c580 --- /dev/null +++ b/firejail/emacs.profile 
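Review bot: dropbox.profile re-exposes `~/.config/autostart` read-write (`noblacklist ~/.config/autostart`, `mkfile` and `whitelist ~/.config/autostart/dropbox.desktop`), so a compromised Dropbox process could rewrite the `Exec=` line of that .desktop file and have an arbitrary command run unsandboxed at the next login, which is exactly the persistence path disable-common.inc blacklists for every other program. Unless the client has to rewrite the file (it likely only reads or creates it), add `read-only ~/.config/autostart/dropbox.desktop` after the whitelist. The bare `caps` line also keeps all capabilities; Dropbox runs as an ordinary user, so `caps.drop all` as in the sibling profiles should work.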
@@ -0,0 +1,16 @@
+# emacs profile
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/empathy.profile b/firejail/empathy.profile
new file mode 100644
index 0000000..2a0a638
--- /dev/null
+++ b/firejail/empathy.profile
@@ -0,0 +1,12 @@
+# Empathy instant messaging profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/enchant.profile b/firejail/enchant.profile
new file mode 100644
index 0000000..cf82889
--- /dev/null
+++ b/firejail/enchant.profile
@@ -0,0 +1,23 @@
+# enchant profile
+noblacklist ~/.config/enchant
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin enchant
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/firejail/eog.profile b/firejail/eog.profile
new file mode 100644
index 0000000..d463f3a
--- /dev/null
+++ b/firejail/eog.profile
@@ -0,0 +1,22 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp
diff --git a/firejail/eom.profile b/firejail/eom.profile
new file mode 100644
index 0000000..dfcea82
--- /dev/null
+++ b/firejail/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev
+private-tmp
diff --git a/firejail/epiphany.profile b/firejail/epiphany.profile
new file mode 100644
index 0000000..0e898f0
--- /dev/null
+++ b/firejail/epiphany.profile
@@ -0,0 +1,23 @@
+# Epiphany browser profile
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${DOWNLOADS}
+mkdir ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.local/share/epiphany
+mkdir ${HOME}/.config/epiphany
+whitelist ${HOME}/.config/epiphany
+mkdir ${HOME}/.cache/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/evince.profile b/firejail/evince.profile
new file mode 100644
index 0000000..1ec3849
--- /dev/null
+++ b/firejail/evince.profile
@@ -0,0 +1,25 @@
+# evince pdf reader profile
+noblacklist ~/.config/evince
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+#net none - creates some problems on some distributions
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
+private-etc fonts
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp
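Review bot: epiphany.profile stops at `caps.drop all`, `netfilter`, `nonewprivs`, `protocol unix,inet,inet6` and `seccomp`, omitting the `noroot`, `nogroups`, `shell none`, `private-dev` and `private-tmp` lines that the other browser and viewer profiles in this commit (firefox, eom, evince) carry. A web browser is the most exposed program class in the set, so the gap is worth closing or explaining; `noroot` and `private-tmp` at least look safe to add after `seccomp`, with any known breakage recorded in a comment the way evince.profile does for its disabled `#net none` line.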
diff --git a/firejail/evolution.profile b/firejail/evolution.profile
new file mode 100644
index 0000000..1707e56
--- /dev/null
+++ b/firejail/evolution.profile
@@ -0,0 +1,28 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+
+noblacklist /var/spool/mail
+noblacklist /var/mail
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
diff --git a/firejail/exiftool.profile b/firejail/exiftool.profile
new file mode 100644
index 0000000..1cae8c0
--- /dev/null
+++ b/firejail/exiftool.profile
@@ -0,0 +1,31 @@
+# exiftool profile
+noblacklist /usr/bin/perl
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+# private-bin exiftool,perl
+private-tmp
+private-dev
+private-etc none
+
+
diff --git a/firejail/fbreader.profile b/firejail/fbreader.profile
new file mode 100644
index 0000000..ec098d5
--- /dev/null
+++ b/firejail/fbreader.profile
@@ -0,0 +1,20 @@
+# fbreader ebook reader profile
+noblacklist ${HOME}/.FBReader
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin fbreader,FBReader
+private-dev
+private-tmp
diff --git a/firejail/feh.profile b/firejail/feh.profile
new file mode 100644
index 0000000..2812eff
--- /dev/null
+++ b/firejail/feh.profile
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin feh
+private-dev
+private-etc feh
+private-tmp
\ No newline at end of file
diff --git a/firejail/file-roller.profile b/firejail/file-roller.profile
new file mode 100644
index 0000000..6116389
--- /dev/null
+++ b/firejail/file-roller.profile
@@ -0,0 +1,21 @@
+# file-roller profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin file-roller
+# private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/file.profile b/firejail/file.profile
new file mode 100644
index 0000000..d145fe1
--- /dev/null
+++ b/firejail/file.profile
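Review bot: file-roller.profile leaves networking available (`netfilter`, `protocol unix`) for a tool whose job is opening untrusted archives, whereas feh.profile and exiftool.profile in this same commit add `net none` for comparable local-only programs. Unless file-roller is expected to reach network shares through gvfs on these hosts, a `net none` line after `netfilter` removes the network as an exfiltration channel for a malicious archive; if it is needed, a comment in the style of evince.profile's `#net none - creates some problems on some distributions` would record the decision. `# private-tmp` is also disabled here without a stated reason, so a short note on why would help the next maintainer.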
@@ -0,0 +1,26 @@
+# file profile
+quiet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+hostname file
+netfilter
+net none
+no3d
+nogroups
+nonewprivs
+#noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+blacklist /tmp/.X11-unix
+
+private-dev
+private-bin file
+private-etc magic.mgc,magic,localtime
diff --git a/firejail/filezilla.profile b/firejail/filezilla.profile
new file mode 100644
index 0000000..a40fcee
--- /dev/null
+++ b/firejail/filezilla.profile
@@ -0,0 +1,20 @@
+# FileZilla ftp profile
+noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.config/filezilla
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+private-dev
+private-tmp
diff --git a/firejail/firefox-esr.profile b/firejail/firefox-esr.profile
new file mode 100644
index 0000000..d2fde9a
--- /dev/null
+++ b/firejail/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile
diff --git a/firejail/firefox.profile b/firejail/firefox.profile
new file mode 100644
index 0000000..c3a9b2a
--- /dev/null
+++ b/firejail/firefox.profile
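Review bot: `#noroot` in file.profile is commented out with no explanation, unlike evince.profile in this commit where the disabled `#net none` line carries its reason; since `file` is run on untrusted input and every sibling profile here enables `noroot`, the disabled line reads as an oversight rather than a decision. Either restore `noroot` or keep it disabled with the observed breakage recorded inline, e.g. `#noroot - <reason seen when enabled>` (placeholder). The rest of the profile (`net none`, `x11 none`, `private-bin file`, `private-etc magic.mgc,magic,localtime`) is tight and consistent with exiftool.profile.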
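Review bot: The line `private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp` in filezilla.profile ships a shell and a full Python interpreter into the private bin, so the restriction no longer limits what code the process can execute and mainly keeps the tree small; `shell none` only stops firejail from wrapping the command in a shell, it does not affect `sh` once it is inside the sandbox. If `sh` and `python` are required by specific FileZilla helpers, a comment naming the feature that needs them would let a later reviewer judge whether they can be dropped. The profile also omits `nogroups`, which most of the sibling profiles in this commit set.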
@@ -0,0 +1,58 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+noblacklist ~/.config/qpdfview
+noblacklist ~/.local/share/qpdfview
+noblacklist ~/.kde/share/apps/okular
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+whitelist ~/.config/qpdfview
+whitelist ~/.local/share/qpdfview
+whitelist ~/.kde/share/apps/okular
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-bin firefox,which,sh,dbus-launch,dbus-send,env
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
diff --git a/firejail/firejail-default b/firejail/firejail-default
new file mode 100644
index 0000000..1b0eb76
--- /dev/null
+++ b/firejail/firejail-default
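Review bot: The `whitelist ~/.keepass`, `whitelist ~/.config/keepass`, `whitelist ~/.config/KeePass`, `whitelist ~/.lastpass` and `whitelist ~/.config/lastpass` lines expose the user's password-manager stores to the browser process unconditionally, not only when the matching extension is in use, so a compromised renderer gets read/write access to the .kdbx database the comment refers to. Shipping those five lines commented out, with the comment telling users to enable them when they rely on the integration, keeps the default closed; `read-only` on those directories would be a middle ground if the extensions only read the database. The same block appears in flashpeak-slimjet.profile and google-chrome-beta.profile later in this commit and the same change applies there. The `private-etc` line is labelled experimental and left disabled, which is fine, but a note on what broke when it was tried would save the next person the experiment.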
@@ -0,0 +1,154 @@
+#########################################
+# Generic Firejail AppArmor profile
+#########################################
+
+##########
+# A simple PID declaration based on Ubuntu's @{pid}
+# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
+# We don't know if this definition is available outside Debian and Ubuntu, so
+# we declare our own here.
+##########
+@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
+
+profile firejail-default {
+
+##########
+# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
+# functionality.
+##########
+#dbus,
+
+##########
+# Mask /proc and /sys information leakage. The configuration here is barely
+# enough to run "top" or "ps aux".
+##########
+/ r,
+/[^proc,^sys]** mrwlk,
+/{,var/}run/ r,
+/{,var/}run/** r,
+/{,var/}run/user/**/dconf/ rw,
+/{,var/}run/user/**/dconf/user rw,
+/{,var/}run/user/**/pulse/ rw,
+/{,var/}run/user/**/pulse/** rw,
+/{,var/}run/firejail/mnt/fslogger r,
+/{,var/}run/firejail/appimage r,
+/{,var/}run/firejail/appimage/** r,
+/{,var/}run/firejail/appimage/** ix,
+/{run,dev}/shm/ r,
+/{run,dev}/shm/** rmwk,
+
+/proc/ r,
+/proc/meminfo r,
+/proc/cpuinfo r,
+/proc/filesystems r,
+/proc/uptime r,
+/proc/loadavg r,
+/proc/stat r,
+
+/proc/@{PID}/ r,
+/proc/@{PID}/fd/ r,
+/proc/@{PID}/task/ r,
+/proc/@{PID}/cmdline r,
+/proc/@{PID}/comm r,
+/proc/@{PID}/stat r,
+/proc/@{PID}/statm r,
+/proc/@{PID}/status r,
+/proc/@{PID}/task/@{PID}/stat r,
+/proc/sys/kernel/pid_max r,
+/proc/sys/kernel/shmmax r,
+/proc/sys/vm/overcommit_memory r,
+/proc/sys/vm/overcommit_ratio r,
+
+/sys/ r,
+/sys/bus/ r,
+/sys/bus/** r,
+/sys/class/ r,
+/sys/class/** r,
+/sys/devices/ r,
+/sys/devices/** r,
+
+/proc/@{PID}/maps r,
+/proc/@{PID}/mounts r,
+/proc/@{PID}/mountinfo r,
+/proc/@{PID}/oom_score_adj r,
+
+##########
+# Allow running programs only from well-known system directories. If you need
+# to run programs from your home directory, uncomment /home line.
+##########
+/lib/** ix,
+/lib64/** ix,
+/bin/** ix,
+/sbin/** ix,
+/usr/bin/** ix,
+/usr/sbin/** ix,
+/usr/local/** ix,
+/usr/lib/** ix,
+/usr/games/** ix,
+/opt/ r,
+/opt/** r,
+/opt/** ix,
+#/home/** ix,
+
+##########
+# Allow all networking functionality, and control it from Firejail.
+##########
+network inet,
+network inet6,
+network unix,
+network netlink,
+network raw,
+
+##########
+# There is no equivalent in Firejail for filtering signals.
+##########
+signal,
+
+##########
+# We let Firejail deal with capabilities.
+##########
+capability chown,
+capability dac_override,
+capability dac_read_search,
+capability fowner,
+capability fsetid,
+capability kill,
+capability setgid,
+capability setuid,
+capability setpcap,
+capability linux_immutable,
+capability net_bind_service,
+capability net_broadcast,
+capability net_admin,
+capability net_raw,
+capability ipc_lock,
+capability ipc_owner,
+capability sys_module,
+capability sys_rawio,
+capability sys_chroot,
+capability sys_ptrace,
+capability sys_pacct,
+capability sys_admin,
+capability sys_boot,
+capability sys_nice,
+capability sys_resource,
+capability sys_time,
+capability sys_tty_config,
+capability mknod,
+capability lease,
+capability audit_write,
+capability audit_control,
+capability setfcap,
+capability mac_override,
+capability mac_admin,
+
+##########
+# We let Firejail deal with mount/umount functionality.
+##########
+mount,
+remount,
+umount,
+pivot_root,
+
+}
+
diff --git a/firejail/firejail.config b/firejail/firejail.config
new file mode 100644
index 0000000..993582a
--- /dev/null
+++ b/firejail/firejail.config
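Review bot: The capability block under "We let Firejail deal with capabilities" grants `capability mac_admin,`, `capability mac_override,` and `capability sys_module,` to every confined process, and this same commit ships profiles that keep the full set (`caps` in dnsmasq.profile and dropbox.profile) rather than `caps.drop all`; in that combination the AppArmor layer no longer constrains a process that could alter MAC policy or load modules. Removing at least those three lines costs nothing for ordinary desktop programs and lets the two layers fail independently. Separately, `/[^proc,^sys]** mrwlk,` is a negated character class in AppArmor globbing rather than a string exclusion: it excludes every top-level name beginning with p, r, o, c, s or y (so /root, /run, /opt and /srv along with /proc and /sys), which is presumably why /opt and /run get their own rules below; a one-line comment stating that would save the next reader from re-deriving it.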
@@ -0,0 +1,84 @@
+# This is Firejail system-wide configuration file, see firejail-config(5) for
+# more information. The file contains keyword-argument pairs, one per line.
+# Most features are enabled by default. Use 'yes' or 'no' as configuration
+# values.
+
+# Enable or disable bind support, default enabled.
+# bind yes
+
+# Enable or disable chroot support, default enabled.
+# chroot yes
+
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
+# Enable or disable file transfer support, default enabled.
+# file-transfer yes
+
+# Enable Firejail green prompt in terminal, default disabled
+# firejail-prompt no
+
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+force-nonewprivs yes
+
+# Enable or disable networking features, default enabled.
+# network yes
+
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
+# Enable or disable restricted network support, default disabled. If enabled,
+# networking features should also be enabled (network yes).
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
+restricted-network yes
+
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
+# Enable or disable seccomp support, default enabled.
+# seccomp yes
+
+# Enable or disable user namespace support, default enabled.
+# userns yes
+
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
+# Enable or disable X11 sandboxing support, default enabled.
+x11 no
+
+# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+# a full list of resolutions available on your specific setup.
+# xephyr-screen 640x480
+# xephyr-screen 800x600
+# xephyr-screen 1024x768
+# xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
diff --git a/firejail/flashpeak-slimjet.profile b/firejail/flashpeak-slimjet.profile
new file mode 100644
index 0000000..3c23ff6
--- /dev/null
+++ b/firejail/flashpeak-slimjet.profile
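Review bot: `x11 no` switches off firejail's X11 sandboxing support system-wide, while file.profile earlier in this commit relies on an `x11 none` line; it is worth confirming that the profile line is still honoured, or at least rejected loudly, rather than silently ignored once the feature is disabled, since the `blacklist /tmp/.X11-unix` in that profile is then the control that actually holds. `force-nonewprivs yes` and `restricted-network yes` are the right settings for a shared multi-user host; a short comment above `x11 no` stating the reason (for example, no X server on these machines) would document the intent the way the surrounding defaults are documented.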
@@ -0,0 +1,40 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+# firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/flowblade.profile b/firejail/flowblade.profile
new file mode 100644
index 0000000..12afdb0
--- /dev/null
+++ b/firejail/flowblade.profile
@@ -0,0 +1,13 @@
+# FlowBlade profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail/fossamail.profile b/firejail/fossamail.profile
new file mode 100644
index 0000000..a0dc8ae
--- /dev/null
+++ b/firejail/fossamail.profile
@@ -0,0 +1,15 @@
+# Firejail profile for FossaMail
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.fossamail
+mkdir ~/.fossamail
+whitelist ~/.fossamail
+
+noblacklist ~/.cache/fossamail
+mkdir ~/.cache/fossamail
+whitelist ~/.cache/fossamail
+
+include /etc/firejail/firefox.profile
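Review bot: The header of flashpeak-slimjet.profile documents running the browser with `--no-sandbox`, so the firejail profile is the only isolation around the renderer, yet the option block stops at `seccomp` and has none of the `private-dev`, `private-tmp`, `shell none` or `nogroups` lines that firefox.profile in the same commit applies. With the internal sandbox off, adding at least `private-dev` and `private-tmp` after `include /etc/firejail/whitelist-common.inc`, as firefox.profile does, narrows what a compromised renderer can reach. If any of those are known to break SlimJet, a comment in the header alongside the existing `--no-sandbox` explanation would record it.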
diff --git a/firejail/franz.profile b/firejail/franz.profile
new file mode 100644
index 0000000..0b3be55
--- /dev/null
+++ b/firejail/franz.profile
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+#tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/gajim.profile b/firejail/gajim.profile
new file mode 100644
index 0000000..eb60f85
--- /dev/null
+++ b/firejail/gajim.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Gajim
+noblacklist ${HOME}/.cache/gajim
+noblacklist ${HOME}/.local/share/gajim
+noblacklist ${HOME}/.config/gajim
+
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.local/share/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/Downloads
+
+# Allow the local python 2.7 site packages, in case any plugins are using these
+mkdir ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.local/lib/python2.7/site-packages/
+read-only ${HOME}/.local/lib/python2.7/site-packages/
+
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/Downloads
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin python2.7 gajim
+#private-etc fonts
+private-dev
+#private-tmp
diff --git a/firejail/gedit.profile b/firejail/gedit.profile
new file mode 100644
index 0000000..a25286b
--- /dev/null
+++ b/firejail/gedit.profile
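Review bot: `mkdir ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` in gajim.profile hard-code the directory name, whereas the other profiles in this commit (firefox, epiphany, franz, flashpeak-slimjet) use `whitelist ${DOWNLOADS}`, which follows the user's configured download directory; on a localized or relocated setup the hard-coded form silently creates an unused `~/Downloads` while the real download folder stays blocked. Replacing the pair with `whitelist ${DOWNLOADS}` brings it in line with the rest of the set. The `read-only` on the python2.7 site-packages whitelist is a good touch, since it keeps the sandboxed process from planting code that the next unsandboxed Python run would import; the existing comment could say so in a few words.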
@@ -0,0 +1,26 @@
+# gedit profile
+
+# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
+
+noblacklist ~/.config/gedit
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gedit
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gimp.profile b/firejail/gimp.profile
new file mode 100644
index 0000000..cb441fc
--- /dev/null
+++ b/firejail/gimp.profile
@@ -0,0 +1,20 @@
+# gimp
+noblacklist ${HOME}/.gimp*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+
+noexec ${HOME}
+noexec /tmp
+
+private-dev
+private-tmp
diff --git a/firejail/git.profile b/firejail/git.profile
new file mode 100644
index 0000000..80e534e
--- /dev/null
+++ b/firejail/git.profile
@@ -0,0 +1,28 @@
+# git profile
+quiet
+noblacklist ~/.gitconfig
+noblacklist ~/.ssh
+noblacklist ~/.gnupg
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.viminfo
+noblacklist ~/.vim
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+no3d
+protocol unix,inet,inet6
+seccomp
+shell none
+
+blacklist /tmp/.X11-unix
+
+private-dev
diff --git a/firejail/gitter.profile b/firejail/gitter.profile
new file mode 100644
index 0000000..f43f5f1
--- /dev/null
+++ b/firejail/gitter.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev
+private-tmp
diff --git a/firejail/gjs.profile b/firejail/gjs.profile
new file mode 100644
index 0000000..8d71728
--- /dev/null
+++ b/firejail/gjs.profile
@@ -0,0 +1,28 @@
+# gjs (gnome javascript bindings) profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+noblacklist ~/.config/libreoffice
+noblacklist ~/.local/share/gnome-photos
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gnome-2048.profile b/firejail/gnome-2048.profile
new file mode 100644
index 0000000..f9982da
--- /dev/null
+++ b/firejail/gnome-2048.profile
@@ -0,0 +1,25 @@
+#
+#Profile for gnome-2048
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/gnome-2048
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/gnome-2048
+whitelist ${HOME}/.local/share/gnome-2048
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/gnome-books.profile b/firejail/gnome-books.profile
new file mode 100644
index 0000000..10b06e1
--- /dev/null
+++ b/firejail/gnome-books.profile
@@ -0,0 +1,26 @@
+# gnome-books profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/org.gnome.Books
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-books
+private-tmp
+private-dev
+private-etc fonts
diff --git a/firejail/gnome-calculator.profile b/firejail/gnome-calculator.profile
new file mode 100644
index 0000000..49e0681
--- /dev/null
+++ b/firejail/gnome-calculator.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-calculator
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/gnome-chess.profile b/firejail/gnome-chess.profile
new file mode 100644
index 0000000..4db485e
--- /dev/null
+++ b/firejail/gnome-chess.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gnome-chess
+noblacklist ~/.local/share/gnome-chess
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin fairymax,gnome-chess,hoichess
+private-dev
+private-etc fonts,gnome-chess
+private-tmp
diff --git a/firejail/gnome-clocks.profile b/firejail/gnome-clocks.profile
new file mode 100644
index 0000000..6cccf9d
--- /dev/null
+++ b/firejail/gnome-clocks.profile
@@ -0,0 +1,21 @@
+# gnome-clocks profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-clocks
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gnome-contacts.profile b/firejail/gnome-contacts.profile
new file mode 100644
index 0000000..9dc25b2
--- /dev/null
+++ b/firejail/gnome-contacts.profile
@@ -0,0 +1,19 @@
+#
+#Profile for gnome-contacts
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/gnome-documents.profile b/firejail/gnome-documents.profile
new file mode 100644
index 0000000..c5def7a
--- /dev/null
+++ b/firejail/gnome-documents.profile
@@ -0,0 +1,24 @@
+# gnome-documents profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev
diff --git a/firejail/gnome-maps.profile b/firejail/gnome-maps.profile
new file mode 100644
index 0000000..f145150
--- /dev/null
+++ b/firejail/gnome-maps.profile
@@ -0,0 +1,24 @@
+# gnome-maps profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-maps
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gnome-mplayer.profile b/firejail/gnome-mplayer.profile
new file mode 100644
index 0000000..488c7e0
--- /dev/null
+++ b/firejail/gnome-mplayer.profile
@@ -0,0 +1,17 @@
+# GNOME MPlayer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin gnome-mplayer,mplayer
+private-dev
+private-tmp
diff --git a/firejail/gnome-music.profile b/firejail/gnome-music.profile
new file mode 100644
index 0000000..4a8adeb
--- /dev/null
+++ b/firejail/gnome-music.profile
@@ -0,0 +1,22 @@
+# gnome-music profile
+noblacklist ~/.local/share/gnome-music
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gnome-music,python3
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gnome-photos.profile b/firejail/gnome-photos.profile
new file mode 100644
index 0000000..8f9d60c
--- /dev/null
+++ b/firejail/gnome-photos.profile
@@ -0,0 +1,26 @@
+# gnome-photos profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.local/share/gnome-photos
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-photos
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/gnome-weather.profile b/firejail/gnome-weather.profile
new file mode 100644
index 0000000..9f93b8f
--- /dev/null
+++ b/firejail/gnome-weather.profile
@@ -0,0 +1,26 @@
+# gnome-weather profile
+
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+
+noblacklist ~/.cache/libgweather
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gjs gnome-weather
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/goobox.profile b/firejail/goobox.profile
new file mode 100644
index 0000000..8990943
--- /dev/null
+++ b/firejail/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/firejail/google-chrome-beta.profile b/firejail/google-chrome-beta.profile
new file mode 100644
index 0000000..3d48396
--- /dev/null
+++ b/firejail/google-chrome-beta.profile
@@ -0,0 +1,28 @@
+# Google Chrome beta browser profile
+noblacklist ~/.config/google-chrome-beta
+noblacklist ~/.cache/google-chrome-beta
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome-beta
+whitelist ~/.config/google-chrome-beta
+mkdir ~/.cache/google-chrome-beta
+whitelist ~/.cache/google-chrome-beta
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail/google-chrome-stable.profile b/firejail/google-chrome-stable.profile
new file mode 100644
index 0000000..78c8ca6
--- /dev/null
+++ b/firejail/google-chrome-stable.profile
@@ -0,0 +1,2 @@
+# Google Chrome browser profile
+include /etc/firejail/google-chrome.profile
diff --git a/firejail/google-chrome-unstable.profile b/firejail/google-chrome-unstable.profile
new file mode 100644
index 0000000..0189ce4
--- /dev/null
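Review bot: google-chrome-beta.profile has no `caps.drop all`, `nonewprivs`, `noroot` or `seccomp`, while every non-browser profile in this commit carries all four, and the only comment in the file explains the missing disable-devel include. Presumably this is because Chrome's own multi-process sandbox needs capabilities and privilege transitions that these options forbid, but that reasoning belongs in the file, e.g. `# no caps.drop/nonewprivs/seccomp: Chrome's own sandbox needs them - TODO confirm`. The same gap is in google-chrome-unstable, google-chrome and inox. The password-manager whitelists (`~/.keepass`, `~/.config/keepass`, `~/.lastpass`, ...) also give the browser access to the password store, read-write if whitelisted paths are mounted read-write by default as I believe they are; the existing comment says what they are for, and a one-line `# trade-off: the browser sandbox can read and modify the password database` would make the cost visible to anyone copying this profile.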
+++ b/firejail/google-chrome-unstable.profile
@@ -0,0 +1,28 @@
+# Google Chrome unstable browser profile
+noblacklist ~/.config/google-chrome-unstable
+noblacklist ~/.cache/google-chrome-unstable
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome-unstable
+whitelist ~/.config/google-chrome-unstable
+mkdir ~/.cache/google-chrome-unstable
+whitelist ~/.cache/google-chrome-unstable
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail/google-chrome.profile b/firejail/google-chrome.profile
new file mode 100644
index 0000000..3083c2a
--- /dev/null
+++ b/firejail/google-chrome.profile
@@ -0,0 +1,28 @@
+# Google Chrome browser profile
+noblacklist ~/.config/google-chrome
+noblacklist ~/.cache/google-chrome
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome
+whitelist ~/.config/google-chrome
+mkdir ~/.cache/google-chrome
+whitelist ~/.cache/google-chrome
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail/google-play-music-desktop-player.profile b/firejail/google-play-music-desktop-player.profile
new file mode 100644
index 0000000..b4cf8d9
--- /dev/null
+++ b/firejail/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/firejail/gpa.profile b/firejail/gpa.profile
new file mode 100644
index 0000000..9da750f
--- /dev/null
+++ b/firejail/gpa.profile
@@ -0,0 +1,21 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-dev
diff --git a/firejail/gpg-agent.profile b/firejail/gpg-agent.profile
new file mode 100644
index 0000000..f587f0d
--- /dev/null
+++ b/firejail/gpg-agent.profile
@@ -0,0 +1,24 @@
+# gpg-agent profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+# private-bin gpg-agent,gpg
+private-dev
diff --git a/firejail/gpg.profile b/firejail/gpg.profile
new file mode 100644
index 0000000..963ff5e
--- /dev/null
+++ b/firejail/gpg.profile
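Review bot: the paths in `noblacklist ~/.config/Google Play Music Desktop Player` and the matching `whitelist` line at the end of google-play-music-desktop-player.profile contain spaces, and I am not certain the profile parser accepts them unquoted; a path that is silently truncated at the first space leaves the real directory blacklisted and the whitelist pointing at a non-existent `~/.config/Google`. Please verify on a host (the player should keep its settings across a sandboxed restart) and, if it works, add `# path contains spaces; parser tested with firejail <version placeholder>` so nobody "fixes" it later. The profile also lacks `nogroups`, `shell none` and `tracelog` compared with gpa on the same line, with no comment explaining the difference.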
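Review bot: gpg-agent.profile blacklists `/tmp/.X11-unix`, yet gpg-agent is the process that spawns pinentry; with a GTK or Qt pinentry that socket is how the passphrase dialog reaches the display, so on X11 desktops this line likely degrades to a curses pinentry or a failed unlock, which is worth a test on a Jessie host. If the X socket must stay hidden, a comment such as `# X11 socket hidden: expect a tty/curses pinentry` tells users what to expect. Separately, the agent itself talks only over its unix socket (keyserver traffic goes through dirmngr in gpg 2.1 and later, if I remember correctly), so `protocol unix` may be sufficient here, whereas gpa and gpg have a clearer case for inet.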
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+# private-bin gpg,gpg-agent
+private-dev
diff --git a/firejail/gpredict.profile b/firejail/gpredict.profile
new file mode 100644
index 0000000..801304c
--- /dev/null
+++ b/firejail/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-etc fonts,resolv.conf
+private-dev
+private-tmp
diff --git a/firejail/gtar.profile b/firejail/gtar.profile
new file mode 100644
index 0000000..2f675cd
--- /dev/null
+++ b/firejail/gtar.profile
@@ -0,0 +1,3 @@
+# gtar profile
+quiet
+include /etc/firejail/tar.profile
diff --git a/firejail/gthumb.profile b/firejail/gthumb.profile
new file mode 100644
index 0000000..055d789
--- /dev/null
+++ b/firejail/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+private-dev
+private-tmp
\ No newline at end of file
diff --git a/firejail/guayadeque.profile b/firejail/guayadeque.profile
new file mode 100644
index 0000000..0c6ad00
--- /dev/null
+++ b/firejail/guayadeque.profile
@@ -0,0 +1,19 @@
+noblacklist ${HOME}/.guayadeque
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin guayadeque
+private-dev
+private-tmp
diff --git a/firejail/gwenview.profile b/firejail/gwenview.profile
new file mode 100644
index 0000000..c866c9e
--- /dev/null
+++ b/firejail/gwenview.profile
@@ -0,0 +1,22 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+
+private-dev
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
diff --git a/firejail/gzip.profile b/firejail/gzip.profile
new file mode 100644
index 0000000..feb27c1
--- /dev/null
+++ b/firejail/gzip.profile
@@ -0,0 +1,14 @@
+# gzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+blacklist /tmp/.X11-unix
+
+net none
+no3d
+nosound
+shell none
+tracelog
+
+private-dev
diff --git a/firejail/hedgewars.profile b/firejail/hedgewars.profile
new file mode 100644
index 0000000..7910b7e
--- /dev/null
+++ b/firejail/hedgewars.profile
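Review bot: guayadeque.profile is the only profile in this commit without a header comment; every other file opens with a one-liner naming the program. Add `# guayadeque music player profile` as the first line so the directory stays greppable and the file matches its neighbours. The `netlink` entry in `protocol unix,inet,inet6,netlink` is also unexplained here, whereas the other media players in the set (gnome-mplayer, mpv) get by with `unix,inet,inet6`; if the player needs it, a short comment would help.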
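Review bot: `ignore noroot` in gzip.profile (and in less.profile later in this diff) switches off the user-namespace root isolation that default.profile would otherwise apply, and neither file says why. If the reason is that these filters are routinely invoked from root shells or by package tooling where the extra namespace breaks things, write it down: `# ignore noroot: gzip is run from root contexts where the user namespace fails - TODO confirm`. Without the comment the line looks like a weakening someone should revert.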
@@ -0,0 +1,22 @@
+# whitelist profile for Hedgewars (game)
+noblacklist ${HOME}/.hedgewars
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+seccomp
+tracelog
+
+private-dev
+private-tmp
+
+mkdir ~/.hedgewars
+whitelist ~/.hedgewars
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/hexchat.profile b/firejail/hexchat.profile
new file mode 100644
index 0000000..5cefe45
--- /dev/null
+++ b/firejail/hexchat.profile
@@ -0,0 +1,28 @@
+# HexChat instant messaging profile
+# Currently in testing (may not work for all users)
+noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp
diff --git a/firejail/highlight.profile b/firejail/highlight.profile
new file mode 100644
index 0000000..4bab183
--- /dev/null
+++ b/firejail/highlight.profile
@@ -0,0 +1,28 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+private-bin highlight
+# private-etc none
+private-tmp
+private-dev
+
+
+
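Review bot: hexchat.profile is the only whitelist-style profile in this commit without `include /etc/firejail/disable-passwdmgr.inc`; hedgewars, mumble and multimc5 all include it alongside whitelist-common.inc. Because whitelist-common.inc presumably reduces the visible home directory to the whitelisted paths, the practical exposure is small, but the include costs nothing and an IRC client that loads plugins and scripts is exactly the process that should not see a password store. Either add the line after the disable-devel include or note why it was left out, the way the `#debug note:` line explains the private-bin caveat.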
diff --git a/firejail/icecat.profile b/firejail/icecat.profile
new file mode 100644
index 0000000..038afc8
--- /dev/null
+++ b/firejail/icecat.profile
@@ -0,0 +1,50 @@
+# Firejail profile for GNU Icecat
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
diff --git a/firejail/icedove.profile b/firejail/icedove.profile
new file mode 100644
index 0000000..310684b
--- /dev/null
+++ b/firejail/icedove.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.icedove
+mkdir ~/.icedove
+whitelist ~/.icedove
+
+noblacklist ~/.cache/icedove
+mkdir ~/.cache/icedove
+whitelist ~/.cache/icedove
+
+# allow browsers
+ignore private-tmp
+include /etc/firejail/firefox.profile
+#include /etc/firejail/chromium.profile - chromium runs as suid!
+
diff --git a/firejail/iceweasel.profile b/firejail/iceweasel.profile
new file mode 100644
index 0000000..e9b3284
--- /dev/null
+++ b/firejail/iceweasel.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/firefox.profile
diff --git a/firejail/img2txt.profile b/firejail/img2txt.profile
new file mode 100644
index 0000000..d55a31c
--- /dev/null
+++ b/firejail/img2txt.profile
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+
diff --git a/firejail/inkscape.profile b/firejail/inkscape.profile
new file mode 100644
index 0000000..a0e86b6
--- /dev/null
+++ b/firejail/inkscape.profile
@@ -0,0 +1,20 @@
+# inkscape
+noblacklist ${HOME}/.inkscape
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+
+noexec ${HOME}
+noexec /tmp
+
+private-dev
+private-tmp
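Review bot: `ignore private-tmp` in icedove.profile overrides whatever firefox.profile sets, and the `# allow browsers` comment above explains the include but not why /tmp has to be shared; a line such as `# ignore private-tmp: attachments and links handed to the browser are staged in /tmp - TODO confirm` would record the reason. The profile also whitelists `~/.gnupg` (creating it via `mkdir` when absent), which gives the mail client the whole keyring including secret keys; that is what mail signing needs, but it deserves a comment because it is the one directory here whose compromise outlives the sandbox. Since firefox.profile is included wholesale, every whitelist it carries applies to the mail client too, which I cannot check from this diff; if it contains the password-manager whitelists seen in the browser profiles of this commit, that is worth an explicit `ignore` or a comment.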
diff --git a/firejail/inox.profile b/firejail/inox.profile
new file mode 100644
index 0000000..6f6d140
--- /dev/null
+++ b/firejail/inox.profile
@@ -0,0 +1,25 @@
+# Inox browser profile
+noblacklist ~/.config/inox
+noblacklist ~/.cache/inox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/inox
+whitelist ~/.config/inox
+mkdir ~/.cache/inox
+whitelist ~/.cache/inox
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/jd-gui.profile b/firejail/jd-gui.profile
new file mode 100644
index 0000000..1d6eb41
--- /dev/null
+++ b/firejail/jd-gui.profile
@@ -0,0 +1,19 @@
+#
+#Profile for jd-gui
+#
+
+noblacklist ${HOME}/.config/jd-gui.cfg
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/jitsi.profile b/firejail/jitsi.profile
new file mode 100644
index 0000000..046499a
--- /dev/null
+++ b/firejail/jitsi.profile
@@ -0,0 +1,17 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
diff --git a/firejail/k3b.profile b/firejail/k3b.profile
new file mode 100644
index 0000000..8a5fff0
--- /dev/null
+++ b/firejail/k3b.profile
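Review bot: jd-gui.profile grants `protocol unix,inet,inet6` plus `netfilter` to a Java decompiler that, as far as I know, has no need to open network sockets; a tool whose job is to parse untrusted .jar/.class files is a good candidate for `net none` and `protocol unix`, as mupen64plus and mediainfo do in this commit. If the network is needed (update check, loading jars by URL), a comment saying so keeps the next reviewer from tightening it by accident. The profile also lacks `nogroups`, `shell none` and `tracelog` compared with jitsi on the same line.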
@@ -0,0 +1,21 @@
+# k3b profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix
+
+# private-bin
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/firejail/kate.profile b/firejail/kate.profile
new file mode 100644
index 0000000..4b07ea6
--- /dev/null
+++ b/firejail/kate.profile
@@ -0,0 +1,28 @@
+# kate profile
+noblacklist ~/.local/share/kate
+noblacklist ~/.config/katerc
+noblacklist ~/.config/katepartrc
+noblacklist ~/.config/kateschemarc
+noblacklist ~/.config/katesyntaxhighlightingrc
+noblacklist ~/.config/katevirc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin kate
+private-tmp
+private-dev
+# private-etc fonts
diff --git a/firejail/keepass.profile b/firejail/keepass.profile
new file mode 100644
index 0000000..18a5f4e
--- /dev/null
+++ b/firejail/keepass.profile
@@ -0,0 +1,21 @@
+# keepass password manager profile
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev
diff --git a/firejail/keepass2.profile b/firejail/keepass2.profile
new file mode 100644
index 0000000..9daa014
--- /dev/null
+++ b/firejail/keepass2.profile
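Review bot: kate.profile leaves `#include /etc/firejail/disable-devel.inc` commented out with no reason, while every other editor-like profile here includes it; the likely reason (an editor that shells out to compilers and interpreters for its build and tool plugins) belongs next to the line, e.g. `# disable-devel left out: kate's build/terminal plugins need the toolchain`. Without it the line looks like an oversight and someone will re-enable it and break the editor.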
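Review bot: keepass.profile allows `protocol unix,inet,inet6` while keepassx.profile, the other password manager in this commit, is limited to `protocol unix`. KeePass 2 under mono can check for updates and load plugins over the network, so inet may be intentional, but for the process that holds the decrypted password database this should be an explicit decision: either add `# inet: KeePass update check / plugins - TODO confirm needed` or tighten to `protocol unix` and `net none`. A `tracelog` line, present in most of the set, is also missing here and in keepassx.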
@@ -0,0 +1,5 @@
+# keepass password manager profile
+#noblacklist ${HOME}/.config/KeePass
+#noblacklist ${HOME}/.keepass
+
+include /etc/firejail/keepass.profile
diff --git a/firejail/keepassx.profile b/firejail/keepassx.profile
new file mode 100644
index 0000000..d862177
--- /dev/null
+++ b/firejail/keepassx.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev
diff --git a/firejail/keepassx2.profile b/firejail/keepassx2.profile
new file mode 100644
index 0000000..d862177
--- /dev/null
+++ b/firejail/keepassx2.profile
@@ -0,0 +1,22 @@
+# keepassx password manager profile
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev
diff --git a/firejail/kmail.profile b/firejail/kmail.profile
new file mode 100644
index 0000000..410ff36
--- /dev/null
+++ b/firejail/kmail.profile
@@ -0,0 +1,19 @@
+# kmail profile
+noblacklist ${HOME}/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+# private-tmp
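Review bot: keepass2.profile comments out its own `noblacklist ${HOME}/.config/KeePass` and then includes keepass.profile, which only un-blacklists the lowercase `~/.config/keepass`; the browser profiles in this commit whitelist both spellings, which suggests `~/.config/KeePass` is the real KeePass 2 location. If disable-programs.inc blacklists that path (I cannot see it here), KeePass 2 starts without its configuration; either uncomment the line or add `# KeePass 2 config is covered by keepass.profile's noblacklist` once that has been verified. keepassx2.profile is a byte-for-byte copy of keepassx.profile (both are blob d862177); following the keepass2 pattern, a one-line `include /etc/firejail/keepassx.profile` stops the two from drifting apart.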
diff --git a/firejail/konversation.profile b/firejail/konversation.profile
new file mode 100644
index 0000000..c00b91c
--- /dev/null
+++ b/firejail/konversation.profile
@@ -0,0 +1,14 @@
+# Firejail konversation profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+noroot
+seccomp
+protocol unix,inet,inet6
+
+private-tmp
diff --git a/firejail/less.profile b/firejail/less.profile
new file mode 100644
index 0000000..c01dfc4
--- /dev/null
+++ b/firejail/less.profile
@@ -0,0 +1,14 @@
+# less profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+net none
+nosound
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+private-dev
diff --git a/firejail/libreoffice.profile b/firejail/libreoffice.profile
new file mode 100644
index 0000000..d6aceb7
--- /dev/null
+++ b/firejail/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+# whitelist /tmp/.X11-unix/
diff --git a/firejail/localc.profile b/firejail/localc.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/lodraw.profile b/firejail/lodraw.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/lodraw.profile
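Review bot: konversation.profile is the only seccomp profile in this commit without `nonewprivs`; every other profile pairs `seccomp` with it so that a setuid helper started from the sandbox cannot regain privileges, and nothing here says why konversation should differ. Add `nonewprivs` after `nogroups` (and, as for its siblings, `shell none` and `tracelog`), or record the reason in a comment. lxterminal.profile later in this diff has the same gap.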
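Review bot: `noblacklist /usr/local/sbin` in libreoffice.profile re-exposes part of what disable-common.inc hides, for an office suite with no obvious reason to run anything from a sbin directory, and the line carries no explanation. If some package places the soffice wrapper there, say so: `# noblacklist /usr/local/sbin: the soffice wrapper lives there on <distro placeholder> - TODO confirm`; otherwise drop it. The trailing `# whitelist /tmp/.X11-unix/` is likewise unexplained and is the opposite of what every other profile in the set does with that socket.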
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/loffice.profile b/firejail/loffice.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/lofromtemplate.profile b/firejail/lofromtemplate.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/loimpress.profile b/firejail/loimpress.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/lollypop.profile b/firejail/lollypop.profile
new file mode 100644
index 0000000..41a662b
--- /dev/null
+++ b/firejail/lollypop.profile
@@ -0,0 +1,20 @@
+#
+#Profile for lollypop
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/lollypop
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/lomath.profile b/firejail/lomath.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/loweb.profile b/firejail/loweb.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/lowriter.profile b/firejail/lowriter.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail/luminance-hdr.profile b/firejail/luminance-hdr.profile
new file mode 100644
index 0000000..76e864e
--- /dev/null
+++ b/firejail/luminance-hdr.profile
@@ -0,0 +1,23 @@
+# luminance-hdr
+noblacklist ${HOME}/.config/Luminance
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+noexec ${HOME}
+noexec /tmp
+
+private-tmp
+private-dev
diff --git a/firejail/lxterminal.profile b/firejail/lxterminal.profile
new file mode 100644
index 0000000..12765c2
--- /dev/null
+++ b/firejail/lxterminal.profile
@@ -0,0 +1,10 @@
+# lxterminal (LXDE) profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+protocol unix,inet,inet6
+seccomp
+#noroot - somehow this breaks on Debian Jessie!
diff --git a/firejail/lynx.profile b/firejail/lynx.profile
new file mode 100644
index 0000000..3e8d721
--- /dev/null
+++ b/firejail/lynx.profile
@@ -0,0 +1,25 @@
+# lynx profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+no3d
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+# private-bin lynx
+private-tmp
+private-dev
+# private-etc none
+
diff --git a/firejail/mathematica.profile b/firejail/mathematica.profile
new file mode 100644
index 0000000..9410054
--- /dev/null
+++ b/firejail/mathematica.profile
@@ -0,0 +1,2 @@
+# Mathematica profile
+include /etc/firejail/Mathematica.profile
diff --git a/firejail/mcabber.profile b/firejail/mcabber.profile
new file mode 100644
index 0000000..48b46db
--- /dev/null
+++ b/firejail/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound
diff --git a/firejail/mediainfo.profile b/firejail/mediainfo.profile
new file mode 100644
index 0000000..65d12c4
--- /dev/null
+++ b/firejail/mediainfo.profile
@@ -0,0 +1,29 @@
+# mediainfo profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+no3d
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+private-bin mediainfo
+private-tmp
+private-dev
+private-etc none
+
+
+
+
diff --git a/firejail/midori.profile b/firejail/midori.profile
new file mode 100644
index 0000000..046c45d
--- /dev/null
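Review bot: `private-etc null` in mcabber.profile is not the spelling used elsewhere in this commit (mediainfo.profile writes `private-etc none`), and whichever form the parser accepts, the result is an /etc without resolv.conf, nsswitch.conf, hosts or the TLS trust store, which an XMPP client cannot work with: it can neither resolve its server nor verify its certificate. gpredict.profile on an earlier line shows the working pattern for a networked program, `private-etc fonts,resolv.conf`; mcabber will likely also want `hosts,nsswitch.conf` and the system CA directory (`ssl` on Debian). Please confirm the profile was exercised against a real server before merging, and note the verified list in a comment next to the line.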
+++ b/firejail/midori.profile
@@ -0,0 +1,13 @@
+# Midori browser profile
+noblacklist ${HOME}/.config/midori
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
+
diff --git a/firejail/mpv.profile b/firejail/mpv.profile
new file mode 100644
index 0000000..80f8de5
--- /dev/null
+++ b/firejail/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7
diff --git a/firejail/multimc5.profile b/firejail/multimc5.profile
new file mode 100644
index 0000000..cc310f2
--- /dev/null
+++ b/firejail/multimc5.profile
@@ -0,0 +1,27 @@
+#
+#Profile for multimc5
+#
+
+#No Blacklist Paths
+noblacklist ${HOME}/.local/share/multimc5
+noblacklist ${HOME}/.multimc5
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Whitelist Paths
+mkdir ${HOME}/.local/share/multimc5
+whitelist ${HOME}/.local/share/multimc5
+mkdir ${HOME}/.multimc5
+whitelist ${HOME}/.multimc5
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
diff --git a/firejail/mumble.profile b/firejail/mumble.profile
new file mode 100644
index 0000000..ddd7082
--- /dev/null
+++ b/firejail/mumble.profile
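Review bot: `private-bin mpv,youtube-dl,python2.7` under `# to test` in mpv.profile is likely to fail the youtube-dl case: youtube-dl is a script whose shebang is commonly `#!/usr/bin/env python`, so the private bin needs `env` and a `python` name, not only `python2.7`, and disable-devel.inc is included above, so whether the interpreter is reachable at all depends on what that include hides. Either test it and extend the list to `private-bin mpv,youtube-dl,env,python,python2.7`, or comment the line out until it has been verified, as the `# to test` marker already implies.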
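Review bot: multimc5.profile ends at `protocol unix,inet,inet6` and never sets `seccomp`, making it the only full profile in this commit without a syscall filter; `nonewprivs` and `caps.drop all` are present, so the omission looks accidental rather than a JVM-compatibility decision. Add `seccomp` after the protocol line, or if the launcher misbehaves under the default filter, leave a comment in the style of midori's `# noroot - ...` line. `shell none`, `nogroups` and `tracelog` are also missing relative to mumble on the next line.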
@@ -0,0 +1,26 @@
+# mumble profile
+noblacklist ${HOME}/.config/Mumble
+noblacklist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/Mumble
+mkdir ${HOME}/.local/share/data/Mumble
+whitelist ${HOME}/.config/Mumble
+whitelist ${HOME}/.local/share/data/Mumble
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin mumble
+private-tmp
diff --git a/firejail/mupdf.profile b/firejail/mupdf.profile
new file mode 100644
index 0000000..7f9261d
--- /dev/null
+++ b/firejail/mupdf.profile
@@ -0,0 +1,30 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-etc fonts
+
+# mupdf will never write anything
+read-only ${HOME}
+
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm
diff --git a/firejail/mupen64plus.profile b/firejail/mupen64plus.profile
new file mode 100644
index 0000000..acb13e6
--- /dev/null
+++ b/firejail/mupen64plus.profile
@@ -0,0 +1,20 @@
+# mupen64plus profile
+# manually whitelist ROM files
+noblacklist ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.local/share/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus/
+mkdir ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.config/mupen64plus/
+
+caps.drop all
+net none
+nonewprivs
+noroot
+seccomp
diff --git a/firejail/mutt.profile b/firejail/mutt.profile
new file mode 100644
index 0000000..34dd247
--- /dev/null
+++ b/firejail/mutt.profile
@@ -0,0 +1,56 @@
+# mutt email client profile
+read-only ~/
+
+# In case GnuPG is called
+read-write ~/.gnupg
+
+# Allow write access to mailboxes
+read-write ~/Mail
+read-write ~/sent
+read-write ~/postponed
+
+noblacklist ~/.muttrc
+noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
+noblacklist ~/.mailcap
+noblacklist ~/.gnupg
+noblacklist ~/.mail
+noblacklist ~/.Mail
+noblacklist ~/mail
+noblacklist ~/Mail
+noblacklist ~/sent
+noblacklist ~/postponed
+noblacklist ~/.cache/mutt
+noblacklist ~/.w3m
+noblacklist ~/.elinks
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.signature
+noblacklist ~/.bogofilter
+noblacklist ~/.msmtprc
+
+# Allow executing /usr/sbin/sendmail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+no3d
+protocol unix,inet,inet6
+seccomp
+shell none
+
+blacklist /tmp/.X11-unix
+
+private-dev
diff --git a/firejail/nautilus.profile b/firejail/nautilus.profile
new file mode 100644
index 0000000..264ee0b
--- /dev/null
+++ b/firejail/nautilus.profile
@@ -0,0 +1,26 @@
+# nautilus profile
+
+# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
+
+noblacklist ~/.config/nautilus
+
+include /etc/firejail/disable-common.inc
+# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
+#include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin nautilus
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/firejail/netsurf.profile b/firejail/netsurf.profile
new file mode 100644
index 0000000..644a160
--- /dev/null
+++ b/firejail/netsurf.profile
@@ -0,0 +1,30 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/odt2txt.profile b/firejail/odt2txt.profile
new file mode 100644
index 0000000..c4e28f7
--- /dev/null
+++ b/firejail/odt2txt.profile
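Review bot: The header of netsurf.profile reads `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, which is left over from the profile it was copied from; every directive below it refers to netsurf. Change the first line to `# Firejail profile for NetSurf web browser` so the file describes itself.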
@@ -0,0 +1,27 @@
+# odt2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+private-bin odt2txt
+private-tmp
+private-dev
+private-etc none
+
+read-only ${HOME}
diff --git a/firejail/okular.profile b/firejail/okular.profile
new file mode 100644
index 0000000..22e223c
--- /dev/null
+++ b/firejail/okular.profile
@@ -0,0 +1,25 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+read-only ~/.kde/share/config/kdeglobals
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin okular,kbuildsycoca4,kbuildsycoca5
+# private-etc X11
+private-dev
+private-tmp
diff --git a/firejail/openbox.profile b/firejail/openbox.profile
new file mode 100644
index 0000000..f812768
--- /dev/null
+++ b/firejail/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/openshot.profile b/firejail/openshot.profile
new file mode 100644
index 0000000..f12bd7d
--- /dev/null
+++ b/firejail/openshot.profile
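Review bot: openbox.profile sets `caps.drop all`, `noroot` and `seccomp` but not `nonewprivs`, and its own header says every application started from OpenBox inherits this profile; `nonewprivs` is the directive that stops setuid/setgid binaries and file capabilities from raising privileges on exec, and the other profiles in this commit pair it with `caps.drop all`. psi-plus, qupzilla and skypeforlinux later in the commit omit it as well. Unless the omission is deliberate, add `nonewprivs` after `netfilter` in each of them.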
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail/opera-beta.profile b/firejail/opera-beta.profile
new file mode 100644
index 0000000..4cdb0a9
--- /dev/null
+++ b/firejail/opera-beta.profile
@@ -0,0 +1,25 @@
+# Opera-beta browser profile
+noblacklist ~/.config/opera-beta
+noblacklist ~/.cache/opera-beta
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/opera-beta
+whitelist ~/.config/opera-beta
+mkdir ~/.cache/opera-beta
+whitelist ~/.cache/opera-beta
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail/opera.profile b/firejail/opera.profile
new file mode 100644
index 0000000..a337ccc
--- /dev/null
+++ b/firejail/opera.profile
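Review bot: opera-beta.profile applies only `netfilter` on top of the disable-*/whitelist includes and has no `caps.drop all`, `nonewprivs`, `noroot`, `seccomp` or `protocol` line, while every other browser profile in this commit (netsurf, palemoon, qutebrowser, seamonkey) carries all of them; opera.profile in the next hunk has the same shape. If those directives were dropped because the browser does not start under them, a comment after `netfilter` should say so. Otherwise add at least `caps.drop all`, `noroot` and `seccomp` after `netfilter`, and consider `nonewprivs` and a `protocol` line as in netsurf.profile.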
@@ -0,0 +1,28 @@
+# Opera browser profile
+noblacklist ~/.config/opera
+noblacklist ~/.cache/opera
+noblacklist ~/.opera
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/opera
+whitelist ~/.config/opera
+mkdir ~/.cache/opera
+whitelist ~/.cache/opera
+mkdir ~/.opera
+whitelist ~/.opera
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail/palemoon.profile b/firejail/palemoon.profile
new file mode 100644
index 0000000..1476369
--- /dev/null
+++ b/firejail/palemoon.profile
@@ -0,0 +1,57 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+private-tmp
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/firejail/parole.profile b/firejail/parole.profile
new file mode 100644
index 0000000..1440a9e
--- /dev/null
+++ b/firejail/parole.profile
@@ -0,0 +1,16 @@
+# Profile for Parole, the default XFCE4 media player
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-etc passwd,group,fonts
+private-bin parole,dbus-launch
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
diff --git a/firejail/pdfsam.profile b/firejail/pdfsam.profile
new file mode 100644
index 0000000..6e50f37
--- /dev/null
+++ b/firejail/pdfsam.profile
@@ -0,0 +1,17 @@
+#
+#Profile for pdfsam
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/pdftotext.profile b/firejail/pdftotext.profile
new file mode 100644
index 0000000..fe9e9e3
--- /dev/null
+++ b/firejail/pdftotext.profile
@@ -0,0 +1,25 @@
+# pdftotext profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+no3d
+shell none
+tracelog
+
+blacklist /tmp/.X11-unix
+
+private-bin pdftotext
+private-tmp
+private-dev
+private-etc none
diff --git a/firejail/pidgin.profile b/firejail/pidgin.profile
new file mode 100644
index 0000000..8507061
--- /dev/null
+++ b/firejail/pidgin.profile
@@ -0,0 +1,21 @@
+# Pidgin profile
+noblacklist ${HOME}/.purple
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin pidgin
+private-dev
+private-tmp
diff --git a/firejail/pithos.profile b/firejail/pithos.profile
new file mode 100644
index 0000000..8270b8b
--- /dev/null
+++ b/firejail/pithos.profile
@@ -0,0 +1,19 @@
+#
+#Profile for pithos
+#
+
+#Blacklist Paths
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+include /etc/firejail/whitelist-common.inc
+
+#Options
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/pix.profile b/firejail/pix.profile
new file mode 100644
index 0000000..dc8192b
--- /dev/null
+++ b/firejail/pix.profile
@@ -0,0 +1,22 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+private-dev
+private-tmp
\ No newline at end of file
diff --git a/firejail/pluma.profile b/firejail/pluma.profile
new file mode 100644
index 0000000..895cc23
--- /dev/null
+++ b/firejail/pluma.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Xed
+noblacklist ${HOME}/.config/pluma
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+net none
+nogroups
+nonewprivs
+noroot
+nosound
+seccomp
+shell none
+tracelog
+
+private-bin pluma
+private-dev
+private-tmp
diff --git a/firejail/polari.profile b/firejail/polari.profile
new file mode 100644
index 0000000..ac9530c
--- /dev/null
+++ b/firejail/polari.profile
@@ -0,0 +1,25 @@
+# Polari IRC profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+mkdir ${HOME}/.local/share/Empathy
+whitelist ${HOME}/.local/share/Empathy
+mkdir ${HOME}/.local/share/telepathy
+whitelist ${HOME}/.local/share/telepathy
+mkdir ${HOME}/.local/share/TpLogger
+whitelist ${HOME}/.local/share/TpLogger
+mkdir ${HOME}/.config/telepathy-account-widgets
+whitelist ${HOME}/.config/telepathy-account-widgets
+mkdir ${HOME}/.cache/telepathy
+whitelist ${HOME}/.cache/telepathy
+mkdir ${HOME}/.purple
+whitelist ${HOME}/.purple
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/psi-plus.profile b/firejail/psi-plus.profile
new file mode 100644
index 0000000..e4e69b9
--- /dev/null
+++ b/firejail/psi-plus.profile
@@ -0,0 +1,22 @@
+# Firejail profile for Psi+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
+
+include /etc/firejail/whitelist-common.inc
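Review bot: The header of pluma.profile says `# Firejail profile for Xed` although everything below it (`noblacklist ${HOME}/.config/pluma`, `private-bin pluma`) is about Pluma, so the file misdescribes itself to anyone grepping the profile directory. Change the first line to `# Firejail profile for Pluma`.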
diff --git a/firejail/qbittorrent.profile b/firejail/qbittorrent.profile
new file mode 100644
index 0000000..89e0e4c
--- /dev/null
+++ b/firejail/qbittorrent.profile
@@ -0,0 +1,19 @@
+# qbittorrent bittorrent profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+# there are some problems with "Open destination folder", see bug #536
+#shell none
+#private-bin qbittorrent
+private-dev
+private-tmp
diff --git a/firejail/qemu-launcher.profile b/firejail/qemu-launcher.profile
new file mode 100644
index 0000000..f9c8e63
--- /dev/null
+++ b/firejail/qemu-launcher.profile
@@ -0,0 +1,19 @@
+# qemu-launcher profile
+noblacklist ~/.qemu-launcher
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
+
diff --git a/firejail/qemu-system-x86_64.profile b/firejail/qemu-system-x86_64.profile
new file mode 100644
index 0000000..65e1e44
--- /dev/null
+++ b/firejail/qemu-system-x86_64.profile
@@ -0,0 +1,17 @@
+# qemu profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
+
diff --git a/firejail/qpdfview.profile b/firejail/qpdfview.profile
new file mode 100644
index 0000000..06c0db2
--- /dev/null
+++ b/firejail/qpdfview.profile
@@ -0,0 +1,22 @@
+# qpdfview profile
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.local/share/qpdfview
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin qpdfview
+private-dev
+private-tmp
diff --git a/firejail/qtox.profile b/firejail/qtox.profile
new file mode 100644
index 0000000..81d8aa1
--- /dev/null
+++ b/firejail/qtox.profile
@@ -0,0 +1,23 @@
+# qTox instant messaging profile
+noblacklist ${HOME}/.config/tox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox
+private-tmp
diff --git a/firejail/quassel.profile b/firejail/quassel.profile
new file mode 100644
index 0000000..f92dfeb
--- /dev/null
+++ b/firejail/quassel.profile
@@ -0,0 +1,11 @@
+# Quassel IRC profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/quiterss.profile b/firejail/quiterss.profile
new file mode 100644
index 0000000..47ab776
--- /dev/null
+++ b/firejail/quiterss.profile
@@ -0,0 +1,36 @@
+noblacklist ${HOME}/.cache/QuiteRss
+noblacklist ${HOME}/.config/QuiteRss
+noblacklist ${HOME}/.config/QuiteRssrc
+noblacklist ${HOME}/.local/share/QuiteRss
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${HOME}/quiterssfeeds.opml
+mkdir ~/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRssrc
+mkdir ~/.local/share/data
+mkdir ~/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/data/QuiteRss
+mkdir ~/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin quiterss
+private-dev
+#private-etc X11,ssl
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/qupzilla.profile b/firejail/qupzilla.profile
new file mode 100644
index 0000000..387ddef
--- /dev/null
+++ b/firejail/qupzilla.profile
@@ -0,0 +1,22 @@
+# Firejail profile for Qupzilla web browser
+noblacklist ${HOME}/.config/qupzilla
+noblacklist ${HOME}/.cache/qupzilla
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+tracelog
+noroot
+whitelist ${DOWNLOADS}
+whitelist ~/.config/qupzilla
+whitelist ~/.cache/qupzilla
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
+
diff --git a/firejail/qutebrowser.profile b/firejail/qutebrowser.profile
new file mode 100644
index 0000000..dcacd4f
--- /dev/null
+++ b/firejail/qutebrowser.profile
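Review bot: quiterss.profile is the only profile in this commit that starts without a description line; its first line is `noblacklist ${HOME}/.cache/QuiteRss`. Add `# QuiteRSS feed reader profile` as the first line so it matches the other files and is self-describing when listed.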
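Review bot: qupzilla.profile includes `/etc/firejail/disable-mgmt.inc` and `/etc/firejail/disable-secret.inc`, names that occur nowhere else in this commit, instead of the `disable-programs.inc`/`disable-passwdmgr.inc` pair every other profile here uses next to `disable-common.inc`. If those two files are not present in this /etc/firejail tree the includes fail when the profile is loaded (not verified from this diff), so either confirm they exist or replace the two lines with `include /etc/firejail/disable-programs.inc` and `include /etc/firejail/disable-passwdmgr.inc`.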
@@ -0,0 +1,23 @@
+# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+noblacklist ~/.config/qutebrowser
+noblacklist ~/.cache/qutebrowser
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/qutebrowser
+whitelist ~/.config/qutebrowser
+mkdir ~/.cache/qutebrowser
+whitelist ~/.cache/qutebrowser
+mkdir ~/.local/share/qutebrowser
+whitelist ~/.local/share/qutebrowser
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/ranger.profile b/firejail/ranger.profile
new file mode 100644
index 0000000..3538f3e
--- /dev/null
+++ b/firejail/ranger.profile
@@ -0,0 +1,24 @@
+# ranger file manager profile
+noblacklist /usr/bin/perl
+#noblacklist /usr/bin/cpan*
+noblacklist /usr/share/perl*
+noblacklist /usr/lib/perl*
+noblacklist ~/.config/ranger
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+nosound
+
+private-tmp
+private-dev
diff --git a/firejail/rhythmbox.profile b/firejail/rhythmbox.profile
new file mode 100644
index 0000000..e5e1924
--- /dev/null
+++ b/firejail/rhythmbox.profile
@@ -0,0 +1,19 @@
+# Rhythmbox media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin rhythmbox
+private-dev
+private-tmp
diff --git a/firejail/rtorrent.profile b/firejail/rtorrent.profile
new file mode 100644
index 0000000..55bfcd7
--- /dev/null
+++ b/firejail/rtorrent.profile
@@ -0,0 +1,18 @@
+# rtorrent bittorrent profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin rtorrent
+private-dev
+private-tmp
\ No newline at end of file
diff --git a/firejail/seamonkey-bin.profile b/firejail/seamonkey-bin.profile
new file mode 100644
index 0000000..fff8c12
--- /dev/null
+++ b/firejail/seamonkey-bin.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Seamonkey based off Mozilla Firefox
+include /etc/firejail/seamonkey.profile
+
diff --git a/firejail/seamonkey.profile b/firejail/seamonkey.profile
new file mode 100644
index 0000000..5d817ac
--- /dev/null
+++ b/firejail/seamonkey.profile
@@ -0,0 +1,49 @@
+# Firejail profile for Seamoneky based off Mozilla Firefox
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla/seamonkey
+whitelist ~/.mozilla/seamonkey
+mkdir ~/.cache/mozilla/seamonkey
+whitelist ~/.cache/mozilla/seamonkey
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.lastpass
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepass
+# for keepass we additionally need to whitelist our .kdbx password database
+whitelist ~/.keepass
+whitelist ~/.config/keepass
+whitelist ~/.config/KeePass
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/firejail/server.profile b/firejail/server.profile
new file mode 100644
index 0000000..b8a34fe
--- /dev/null
+++ b/firejail/server.profile
@@ -0,0 +1,17 @@
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+blacklist /tmp/.X11-unix
+
+no3d
+nosound
+seccomp
+
+private
+private-dev
+private-tmp
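Review bot: The header of seamonkey.profile spells the product `Seamoneky`, while seamonkey-bin.profile in the previous hunk spells it `Seamonkey`. Change the first line to `# Firejail profile for Seamonkey based off Mozilla Firefox` so the two files agree.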
diff --git a/firejail/simple-scan.profile b/firejail/simple-scan.profile
new file mode 100644
index 0000000..0308948
--- /dev/null
+++ b/firejail/simple-scan.profile
@@ -0,0 +1,23 @@
+# simple-scan profile
+noblacklist ~/.cache/simple-scan
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+#seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin simple-scan
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/firejail/skanlite.profile b/firejail/skanlite.profile
new file mode 100644
index 0000000..667b775
--- /dev/null
+++ b/firejail/skanlite.profile
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+# protocol unix,inet,inet6
+
+# private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/firejail/skype.profile b/firejail/skype.profile
new file mode 100644
index 0000000..9cbcd51
--- /dev/null
+++ b/firejail/skype.profile
@@ -0,0 +1,12 @@
+# Skype profile
+noblacklist ${HOME}/.Skype
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/skypeforlinux.profile b/firejail/skypeforlinux.profile
new file mode 100644
index 0000000..3f0a274
--- /dev/null
+++ b/firejail/skypeforlinux.profile
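Review bot: In simple-scan.profile the syscall filter is disabled with a bare `#seccomp` and no reason, unlike nautilus and qbittorrent earlier in this commit, which say why a line is commented out; skanlite in the next hunk does the same with `# protocol unix,inet,inet6`. Without a reason nobody can later tell whether it is safe to re-enable. A one-line note such as `# seccomp disabled: <what breaks — to be confirmed>` on that line would preserve the rationale.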
@@ -0,0 +1,11 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink
diff --git a/firejail/slack.profile b/firejail/slack.profile
new file mode 100644
index 0000000..a85a28f
--- /dev/null
+++ b/firejail/slack.profile
@@ -0,0 +1,31 @@
+# Firejail profile for Slack
+noblacklist ${HOME}/.config/Slack
+noblacklist ${HOME}/Downloads
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+blacklist /var
+
+caps.drop all
+name slack
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin slack
+private-dev
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+private-tmp
+
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail/snap.profile b/firejail/snap.profile
new file mode 100644
index 0000000..e2ada3a
--- /dev/null
+++ b/firejail/snap.profile
@@ -0,0 +1,12 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+
diff --git a/firejail/soffice.profile b/firejail/soffice.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
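Review bot: slack.profile hard-codes the download directory as `${HOME}/Downloads` in both `noblacklist ${HOME}/Downloads` and `whitelist ${HOME}/Downloads`, whereas every other profile in this commit (netsurf, opera, psi-plus, qtox, snap) uses `whitelist ${DOWNLOADS}`, which firejail resolves from the user's configured downloads directory. For a user whose downloads folder is named or located differently, the hard-coded path whitelists nothing useful. Replacing both lines with `noblacklist ${DOWNLOADS}` and `whitelist ${DOWNLOADS}` keeps the profile consistent with the rest of the set.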
diff --git a/firejail/spotify.profile b/firejail/spotify.profile
new file mode 100644
index 0000000..6dbcc03
--- /dev/null
+++ b/firejail/spotify.profile
@@ -0,0 +1,43 @@
+# Spotify media player profile
+noblacklist ${HOME}/.config/spotify
+noblacklist ${HOME}/.cache/spotify
+noblacklist ${HOME}/.local/share/spotify
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+# Whitelist the folders needed by Spotify
+mkdir ${HOME}/.config/spotify
+whitelist ${HOME}/.config/spotify
+mkdir ${HOME}/.local/share/spotify
+whitelist ${HOME}/.local/share/spotify
+mkdir ${HOME}/.cache/spotify
+whitelist ${HOME}/.cache/spotify
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin spotify
+private-etc fonts,machine-id,pulse,resolv.conf
+private-dev
+private-tmp
+
+blacklist ${HOME}/.Xauthority
+blacklist ${HOME}/.bashrc
+blacklist /boot
+blacklist /lost+found
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /root
+blacklist /sbin
+blacklist /srv
+blacklist /sys
+blacklist /var
diff --git a/firejail/ssh-agent.profile b/firejail/ssh-agent.profile
new file mode 100644
index 0000000..bea3a60
--- /dev/null
+++ b/firejail/ssh-agent.profile
@@ -0,0 +1,19 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+no3d
+protocol unix,inet,inet6
+seccomp
+
+blacklist /tmp/.X11-unix
diff --git a/firejail/ssh.profile b/firejail/ssh.profile
new file mode 100644
index 0000000..b7a8ed2
--- /dev/null
+++ b/firejail/ssh.profile
@@ -0,0 +1,16 @@
+# ssh client
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+noblacklist /etc/ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail/start-tor-browser.profile b/firejail/start-tor-browser.profile
new file mode 100644
index 0000000..ee19cee
--- /dev/null
+++ b/firejail/start-tor-browser.profile
@@ -0,0 +1,20 @@
+# Firejail profile for the Tor Brower Bundle
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
+private-etc fonts
+private-dev
+private-tmp
diff --git a/firejail/steam.profile b/firejail/steam.profile
new file mode 100644
index 0000000..5dc5e80
--- /dev/null
+++ b/firejail/steam.profile
@@ -0,0 +1,14 @@
+# Steam profile (applies to games/apps launched from Steam as well)
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/steam
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail/stellarium.profile b/firejail/stellarium.profile
new file mode 100644
index 0000000..d57c9e5
--- /dev/null
+++ b/firejail/stellarium.profile
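Review bot: The `private-bin` list in start-tor-browser.profile names `sed` twice (`...bash,grep,sed,tail,...,mkdir,ln,sed,cp,...`); the duplicate is harmless but reads as if a different tool was meant in the second slot, and the header above it also misspells the product as `Tor Brower Bundle`. Drop the second `sed` and fix the header: `# Firejail profile for the Tor Browser Bundle` and `private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,cp,rm,getconf`.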
@@ -0,0 +1,28 @@ +# Firejail profile for Stellarium. +noblacklist ~/.stellarium +noblacklist ~/.config/stellarium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin stellarium +private-dev +private-tmp diff --git a/firejail/strings.profile b/firejail/strings.profile new file mode 100644 index 0000000..2bbab13 --- /dev/null +++ b/firejail/strings.profile @@ -0,0 +1,12 @@ +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile + +net none +nosound +shell none +tracelog +private-dev +no3d +blacklist /tmp/.X11-unix diff --git a/firejail/synfigstudio.profile b/firejail/synfigstudio.profile new file mode 100644 index 0000000..69b2a0d --- /dev/null +++ b/firejail/synfigstudio.profile @@ -0,0 +1,19 @@ +# synfigstudio +noblacklist ${HOME}/.config/synfig +noblacklist ${HOME}/.synfig +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp + +noexec ${HOME} +noexec /tmp + +private-dev +private-tmp diff --git a/firejail/tar.profile b/firejail/tar.profile new file mode 100644 index 0000000..3addb02 --- /dev/null +++ b/firejail/tar.profile @@ -0,0 +1,18 @@ +# tar profile +quiet +ignore noroot +include /etc/firejail/default.profile + +blacklist /tmp/.X11-unix + +hostname tar +net none +no3d +nosound +shell none +tracelog + +# support compressed archives +private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-dev +private-etc passwd,group,localtime 
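Review bot: `ignore noroot` in tar.profile cancels the `noroot` that `/etc/firejail/default.profile` presumably sets (the `ignore` is pointless otherwise), and nothing says why; for tar the plausible reason is that an extraction run as root must keep uid 0 to restore ownership, which deserves a comment: `# ignore noroot: tar run as root must keep uid 0 to restore file ownership`. The same line is copied into strings.profile in this hunk, where strings has no such need, so it should be dropped there. `sh` in `private-bin` is presumably there so `--use-compress-program`/`--to-command` keep working, which is also worth one word so it is not removed as surplus.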
diff --git a/firejail/telegram.profile b/firejail/telegram.profile new file mode 100644 index 0000000..7615c8e --- /dev/null +++ b/firejail/telegram.profile @@ -0,0 +1,12 @@ +# Telegram IRC profile +noblacklist ${HOME}/.TelegramDesktop +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/thunderbird.profile b/firejail/thunderbird.profile new file mode 100644 index 0000000..568343b --- /dev/null +++ b/firejail/thunderbird.profile @@ -0,0 +1,21 @@ +# Firejail profile for Mozilla Thunderbird +# Users have thunderbird set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories + +noblacklist ~/.gnupg +mkdir ~/.gnupg +whitelist ~/.gnupg + +noblacklist ~/.thunderbird +mkdir ~/.thunderbird +whitelist ~/.thunderbird + +noblacklist ~/.cache/thunderbird +mkdir ~/.cache/thunderbird +whitelist ~/.cache/thunderbird + +# allow browsers +ignore private-tmp +include /etc/firejail/firefox.profile +#include /etc/firejail/chromium.profile - chromium runs as suid! + diff --git a/firejail/totem.profile b/firejail/totem.profile new file mode 100644 index 0000000..252b469 --- /dev/null +++ b/firejail/totem.profile @@ -0,0 +1,15 @@ +# Totem media player profile +noblacklist ~/.config/totem +noblacklist ~/.local/share/totem + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +netfilter +protocol unix,inet,inet6 +seccomp diff --git a/firejail/tracker.profile b/firejail/tracker.profile new file mode 100644 index 0000000..7f4f371 --- /dev/null +++ b/firejail/tracker.profile 
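Review bot: telegram.profile's header `# Telegram IRC profile` mislabels the program — Telegram Desktop is not an IRC client — and the profile omits `include /etc/firejail/disable-passwdmgr.inc`, which the comparable messenger profile in this series (wire.profile) includes. Unless Telegram is known to need a password-store path, add `include /etc/firejail/disable-passwdmgr.inc` after the other includes and change the comment to `# Telegram Desktop messenger profile`.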
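Review bot: `whitelist ~/.gnupg` in thunderbird.profile makes the user's whole keyring, secret keys included, visible to everything in the jail — and because the profile deliberately lets a browser start inside the same sandbox (`ignore private-tmp`, `include /etc/firejail/firefox.profile`, per the "open a browser by clicking a link" comment), a browser compromise from a mail link reaches those keys. If Enigmail is the reason, state it and the trade-off in the profile: `# ~/.gnupg whitelisted for Enigmail; a browser opened from a link shares this jail and can read it`. The comment `# We are not allowed to blacklist browser-specific directories` should also say where that constraint comes from (presumably firefox.profile's own noblacklist/whitelist lines) so a reader can check it.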
@@ -0,0 +1,27 @@ +# tracker profile + +# Tracker is started by systemd on most systems. Therefore it is not firejailed by default + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +no3d +protocol unix +seccomp +netfilter +shell none +tracelog + +blacklist /tmp/.X11-unix + +# private-bin tracker +# private-tmp +# private-dev +# private-etc fonts diff --git a/firejail/transmission-cli.profile b/firejail/transmission-cli.profile new file mode 100644 index 0000000..6cbc341 --- /dev/null +++ b/firejail/transmission-cli.profile @@ -0,0 +1,23 @@ +# transmission-cli bittorrent profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +#private-bin transmission-cli +private-tmp +private-dev +private-etc none diff --git a/firejail/transmission-gtk.profile b/firejail/transmission-gtk.profile new file mode 100644 index 0000000..fa54ea8 --- /dev/null +++ b/firejail/transmission-gtk.profile @@ -0,0 +1,22 @@ +# transmission-gtk bittorrent profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin transmission-gtk +private-dev +private-tmp 
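Review bot: `private-etc none` in transmission-cli.profile builds an /etc holding only the entries listed, and unless `none` is a keyword firejail recognises (I cannot confirm it is) it names a non-existent file, so the jail has no `resolv.conf`, `hosts` or `ssl` directory and tracker lookups over DNS/HTTPS will presumably fail unless the sandbox is started with `--dns`. If an empty /etc is really the intent, say so and how name resolution is meant to work; otherwise `private-etc resolv.conf,hosts,ssl,ca-certificates` is the usual minimum for a network client. The commented-out `#private-bin transmission-cli` also needs its reason recorded, e.g. `# private-bin disabled: breaks transmission-cli — TODO record why`.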
diff --git a/firejail/transmission-qt.profile b/firejail/transmission-qt.profile new file mode 100644 index 0000000..100fadc --- /dev/null +++ b/firejail/transmission-qt.profile @@ -0,0 +1,22 @@ +# transmission-qt bittorrent profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin transmission-qt +private-dev +private-tmp diff --git a/firejail/transmission-show.profile b/firejail/transmission-show.profile new file mode 100644 index 0000000..5e5284b --- /dev/null +++ b/firejail/transmission-show.profile @@ -0,0 +1,24 @@ +# transmission-show profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +net none +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +# private-bin +private-tmp +private-dev +private-etc none diff --git a/firejail/uget-gtk.profile b/firejail/uget-gtk.profile new file mode 100644 index 0000000..3ba28f7 --- /dev/null +++ b/firejail/uget-gtk.profile @@ -0,0 +1,24 @@ +# uGet profile +noblacklist ${HOME}/.config/uGet + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none + +private-bin uget-gtk +private-dev +private-tmp + +whitelist ${DOWNLOADS} +mkdir ~/.config/uGet +whitelist ~/.config/uGet +include /etc/firejail/whitelist-common.inc 
diff --git a/firejail/unbound.profile b/firejail/unbound.profile new file mode 100644 index 0000000..5e2cb5f --- /dev/null +++ b/firejail/unbound.profile @@ -0,0 +1,13 @@ +# security profile for unbound (https://unbound.net) +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +private +private-dev +nosound +seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open + diff --git a/firejail/unrar.profile b/firejail/unrar.profile new file mode 100644 index 0000000..bde6f4e --- /dev/null +++ b/firejail/unrar.profile @@ -0,0 +1,18 @@ +# unrar profile +quiet +ignore noroot +include /etc/firejail/default.profile + +blacklist /tmp/.X11-unix + +hostname unrar +net none +no3d +nosound +shell none +tracelog + +private-bin unrar +private-dev +private-etc passwd,group,localtime +private-tmp diff --git a/firejail/unzip.profile b/firejail/unzip.profile new file mode 100644 index 0000000..8c10d11 --- /dev/null +++ b/firejail/unzip.profile @@ -0,0 +1,16 @@ +# unzip profile +quiet +ignore noroot +include /etc/firejail/default.profile +blacklist /tmp/.X11-unix + +hostname unzip +net none +no3d +nosound +shell none +tracelog + +private-bin unzip +private-dev +private-etc passwd,group,localtime diff --git a/firejail/uudeview.profile b/firejail/uudeview.profile new file mode 100644 index 0000000..d5b750a --- /dev/null +++ b/firejail/uudeview.profile 
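Review bot: unbound.profile drops no capabilities and sets neither `noroot` nor `nonewprivs`, so a daemon that is presumably started as root keeps full root inside the jail; if its only root-time needs are binding port 53 and switching to its own user (plus chroot if configured), `caps.keep net_bind_service,setuid,setgid,sys_chroot` together with `nonewprivs` would be the least-privilege form — verify against how unbound is launched here. The `seccomp.drop` list is a hand-maintained deny-list that will not pick up syscalls later added to firejail's default filter, and it lists `perf_event_open` twice; unless a syscall in the default filter is known to be needed, plain `seccomp` is simpler. Whichever is kept, the reason belongs in the profile: `# custom seccomp list: unbound needs <syscall>, which the default filter blocks`.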
@@ -0,0 +1,15 @@ +# uudeview profile +quiet +ignore noroot +include /etc/firejail/default.profile + +blacklist /etc + +hostname uudeview +net none +nosound +shell none +tracelog + +private-bin uudeview +private-dev diff --git a/firejail/vim.profile b/firejail/vim.profile new file mode 100644 index 0000000..b161fcb --- /dev/null +++ b/firejail/vim.profile @@ -0,0 +1,16 @@ +# vim profile +noblacklist ~/.vim +noblacklist ~/.vimrc +noblacklist ~/.viminfo + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/virtualbox.profile b/firejail/virtualbox.profile new file mode 100644 index 0000000..1e765b8 --- /dev/null +++ b/firejail/virtualbox.profile @@ -0,0 +1,22 @@ +# virtualbox profile +noblacklist ${HOME}/.VirtualBox +noblacklist ${HOME}/VirtualBox VMs +noblacklist ${HOME}/.config/VirtualBox + +mkdir ~/VirtualBox VMs +whitelist ~/VirtualBox VMs +mkdir ~/.config/VirtualBox +whitelist ~/.config/VirtualBox + +# noblacklist /usr/bin/virtualbox +noblacklist /usr/lib/virtualbox +noblacklist /usr/lib64/virtualbox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/whitelist-common.inc + +caps.drop all +netfilter + + diff --git a/firejail/vivaldi-beta.profile b/firejail/vivaldi-beta.profile new file mode 100644 index 0000000..5426c4a --- /dev/null +++ b/firejail/vivaldi-beta.profile @@ -0,0 +1,2 @@ +# Vivaldi Beta browser profile +include /etc/firejail/vivaldi.profile diff --git a/firejail/vivaldi.profile b/firejail/vivaldi.profile new file mode 100644 index 0000000..b3a0960 --- /dev/null +++ b/firejail/vivaldi.profile 
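Review bot: virtualbox.profile is the only profile in this series that sets none of `seccomp`, `nonewprivs`, `noroot` or `protocol` (it keeps just `caps.drop all` and `netfilter`), and nothing explains the gap. If the reason is that the VirtualBox frontends are installed setuid root and need that for their hardening, record it so nobody "fixes" the profile into a broken one: `# no nonewprivs/noroot/seccomp: VirtualBox frontends are setuid root — TODO confirm on this install`. The commented `# noblacklist /usr/bin/virtualbox` likewise needs a word on why it is off, and the space in `VirtualBox VMs` should be checked against this firejail version's profile parser.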
@@ -0,0 +1,23 @@ +# Vivaldi browser profile +noblacklist ~/.config/vivaldi +noblacklist ~/.cache/vivaldi +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +netfilter + +whitelist ${DOWNLOADS} +mkdir ~/.config/vivaldi +whitelist ~/.config/vivaldi +mkdir ~/.cache/vivaldi +whitelist ~/.cache/vivaldi +include /etc/firejail/whitelist-common.inc + +# lastpass, keepass +# for keepass we additionally need to whitelist our .kdbx password database +whitelist ~/.keepass +whitelist ~/.config/keepass +whitelist ~/.config/KeePass +whitelist ~/.lastpass +whitelist ~/.config/lastpass diff --git a/firejail/vlc.profile b/firejail/vlc.profile new file mode 100644 index 0000000..2fd763f --- /dev/null +++ b/firejail/vlc.profile @@ -0,0 +1,20 @@ +# VLC media player profile +noblacklist ${HOME}/.config/vlc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc +private-dev +private-tmp diff --git a/firejail/w3m.profile b/firejail/w3m.profile new file mode 100644 index 0000000..7ee91bb --- /dev/null +++ b/firejail/w3m.profile @@ -0,0 +1,26 @@ +# w3m profile +noblacklist ~/.w3m + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +no3d +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +blacklist /tmp/.X11-unix + +# private-bin w3m +private-tmp +private-dev +private-etc none diff --git a/firejail/warzone2100.profile b/firejail/warzone2100.profile new file mode 100644 index 0000000..7c7efad --- /dev/null +++ b/firejail/warzone2100.profile 
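Review bot: vivaldi.profile explicitly whitelists `~/.keepass`, `~/.config/keepass`, `~/.config/KeePass`, `~/.lastpass` and `~/.config/lastpass`, which hands the user's password database to the browser sandbox; the `# lastpass, keepass` comment implies browser-extension integration is the reason, and that should be opt-in through a local include (the file already shows the `whitelist-common.local` pattern) rather than on for every account. The profile also has none of `caps.drop all`, `nonewprivs`, `noroot` or `seccomp` that the other profiles here set; if that is because Chromium-derived browsers rely on their own sandbox, a comment (`# no seccomp/caps.drop: Chromium's own sandbox needs them — TODO confirm`) would stop it reading as an omission.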
@@ -0,0 +1,26 @@ +# Firejail profile for warzone2100 +# Currently supports warzone2100-3.1 +noblacklist ~/.warzone2100-3.1 +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelist +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 + +# Call these options +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin warzone2100 +private-dev +private-tmp diff --git a/firejail/weechat-curses.profile b/firejail/weechat-curses.profile new file mode 100644 index 0000000..4a92f0b --- /dev/null +++ b/firejail/weechat-curses.profile @@ -0,0 +1,2 @@ +# Weechat IRC profile (Debian) +include /etc/firejail/weechat.profile diff --git a/firejail/weechat.profile b/firejail/weechat.profile new file mode 100644 index 0000000..405151f --- /dev/null +++ b/firejail/weechat.profile @@ -0,0 +1,19 @@ +# Weechat IRC profile +whitelist ${HOME}/.dotfiles/weechat +noblacklist ${HOME}/.dotfiles/weechat +whitelist ${HOME}/.weechat +noblacklist ${HOME}/.weechat + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +# no private-bin support for various reasons: +# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, +# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins diff --git a/firejail/wesnoth.profile b/firejail/wesnoth.profile new file mode 100644 index 0000000..bb489dd --- /dev/null +++ b/firejail/wesnoth.profile 
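Review bot: weechat.profile, like xchat.profile later in this series, omits `include /etc/firejail/disable-passwdmgr.inc` (and `disable-devel.inc`), while its trailing comment lists `exec`, `perl`, `python`, `ruby` and `relay` among the plugins loaded — i.e. arbitrary scripts, a command-execution plugin and a network listener run inside this jail. Unless weechat is known to need a password-store path, add `include /etc/firejail/disable-passwdmgr.inc` next to the other includes. The `whitelist`/`noblacklist` pairs at the top are in the reverse order of every other profile here (whitelist first); harmless if firejail collects both before applying them, but worth normalising so the order is not read as meaningful.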
@@ -0,0 +1,26 @@ +# Whitelist-based profile for "Battle for Wesnoth" (game). +noblacklist ${HOME}/.config/wesnoth +noblacklist ${HOME}/.cache/wesnoth +noblacklist ${HOME}/.local/share/wesnoth + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-dev +private-tmp + +mkdir ${HOME}/.local/share/wesnoth +mkdir ${HOME}/.config/wesnoth +mkdir ${HOME}/.cache/wesnoth +whitelist ${HOME}/.local/share/wesnoth +whitelist ${HOME}/.config/wesnoth +whitelist ${HOME}/.cache/wesnoth +include /etc/firejail/whitelist-common.inc diff --git a/firejail/wget.profile b/firejail/wget.profile new file mode 100644 index 0000000..ff4b92b --- /dev/null +++ b/firejail/wget.profile @@ -0,0 +1,24 @@ +# wget profile +quiet +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +nosound +no3d +protocol unix,inet,inet6 +seccomp +shell none + +blacklist /tmp/.X11-unix + +# private-bin wget +# private-etc resolv.conf +private-dev +private-tmp + diff --git a/firejail/whitelist-common.inc b/firejail/whitelist-common.inc new file mode 100644 index 0000000..cf77971 --- /dev/null +++ b/firejail/whitelist-common.inc 
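Review bot: The commented-out `# private-bin wget` and `# private-etc resolv.conf` in wget.profile carry no reason, and the second is a trap: `private-etc` keeps only the listed entries, so enabling it as written would hide `/etc/ssl` (the CA store on Debian) and `/etc/wgetrc`, and HTTPS downloads would fail certificate verification. Either note that (`# private-etc resolv.conf,hosts,ssl,ca-certificates,wgetrc would be the minimum — untested`) or remove the misleading line. wget downloads untrusted content into the caller's cwd with all of home visible; that is the same trade-off the other CLI profiles make, and a one-line comment stating the choice would help.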
@@ -0,0 +1,41 @@ +# Local customizations come here +include /etc/firejail/whitelist-common.local + +# common whitelist for all profiles + +whitelist ~/.XCompose +whitelist ~/.config/mimeapps.list +whitelist ~/.icons +whitelist ~/.config/user-dirs.dirs +read-only ~/.config/user-dirs.dirs +whitelist ~/.asoundrc +whitelist ~/.config/Trolltech.conf + +# fonts +whitelist ~/.fonts +whitelist ~/.fonts.d +whitelist ~/.fontconfig +whitelist ~/.fonts.conf +whitelist ~/.fonts.conf.d +whitelist ~/.local/share/fonts +whitelist ~/.config/fontconfig +whitelist ~/.cache/fontconfig + +# gtk +whitelist ~/.gtkrc +whitelist ~/.gtkrc-2.0 +whitelist ~/.config/gtk-2.0 +whitelist ~/.config/gtk-3.0 +whitelist ~/.themes +whitelist ~/.kde/share/config/gtkrc +whitelist ~/.kde/share/config/gtkrc-2.0 + +# dconf +mkdir ~/.config/dconf +whitelist ~/.config/dconf + +# qt/kde +whitelist ~/.config/kdeglobals +whitelist ~/.kde/share/config/oxygenrc +whitelist ~/.kde/share/config/kdeglobals +whitelist ~/.kde/share/icons diff --git a/firejail/whitelist-common.local b/firejail/whitelist-common.local new file mode 100644 index 0000000..7194622 --- /dev/null +++ b/firejail/whitelist-common.local @@ -0,0 +1 @@ +# This file is meant for local customizations of whitelist-common.inc diff --git a/firejail/wine.profile b/firejail/wine.profile new file mode 100644 index 0000000..18e5346 --- /dev/null +++ b/firejail/wine.profile @@ -0,0 +1,14 @@ +# wine profile +noblacklist ${HOME}/.steam +noblacklist ${HOME}/.local/share/steam +noblacklist ${HOME}/.wine + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +seccomp diff --git a/firejail/wire.profile b/firejail/wire.profile new file mode 100644 index 0000000..ec8ed87 --- /dev/null +++ b/firejail/wire.profile 
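Review bot: wine.profile runs the most untrusted code of any profile in this series — arbitrary Windows binaries — yet is among the loosest: no `include /etc/firejail/disable-passwdmgr.inc`, no `protocol` line, no `private-dev`/`private-tmp`, no `nosound`/`shell none`. At minimum add `include /etc/firejail/disable-passwdmgr.inc` and `protocol unix,inet,inet6` (plus `netlink` if Wine's networking needs it — verify), which is what steam.profile in this diff already sets for a similar workload. The `noblacklist` of `${HOME}/.steam` and `${HOME}/.local/share/steam` should say why Wine needs Steam's directories, presumably `# Steam games run through wine keep their data under ~/.steam`.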
@@ -0,0 +1,23 @@ +# wire messenger profile +noblacklist ~/.config/Wire +noblacklist ~/.config/wire + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +private-tmp +private-dev + +# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. +# To use wire with firejail run "firejail /opt/Wire/wire" diff --git a/firejail/wireshark.profile b/firejail/wireshark.profile new file mode 100644 index 0000000..898fc78 --- /dev/null +++ b/firejail/wireshark.profile @@ -0,0 +1,22 @@ +# Firejail profile for +noblacklist ${HOME}/.config/wireshark + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin wireshark +private-dev +private-tmp diff --git a/firejail/xchat.profile b/firejail/xchat.profile new file mode 100644 index 0000000..1f2865c --- /dev/null +++ b/firejail/xchat.profile @@ -0,0 +1,14 @@ +# XChat IRC profile +noblacklist ${HOME}/.config/xchat + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +# private-bin requires perl, python, etc. diff --git a/firejail/xed.profile b/firejail/xed.profile new file mode 100644 index 0000000..051710a --- /dev/null +++ b/firejail/xed.profile 
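Review bot: wireshark.profile's header `# Firejail profile for` is cut off, and the profile is silent on the first thing a user will hit: live capture. With `caps.drop all`, `noroot` and `nonewprivs`, a setuid or setcap `dumpcap` cannot obtain CAP_NET_RAW/CAP_NET_ADMIN, and `private-bin wireshark` does not even include `dumpcap`, so under this profile Wireshark can presumably only open saved captures. State that up front: `# Firejail profile for Wireshark — saved captures only; live capture (dumpcap) cannot work under caps.drop all/nonewprivs`, and if live capture is wanted, run dumpcap outside the jail and open the file inside.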
@@ -0,0 +1,21 @@ +# Firejail profile for Xed +noblacklist ${HOME}/.config/xed + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nogroups +nonewprivs +noroot +nosound +seccomp +shell none +tracelog + +private-bin xed +private-dev +private-tmp diff --git a/firejail/xfburn.profile b/firejail/xfburn.profile new file mode 100644 index 0000000..1dd24aa --- /dev/null +++ b/firejail/xfburn.profile @@ -0,0 +1,23 @@ +# xfburn profile +noblacklist ~/.config/xfburn + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin xfburn +# private-tmp +# private-dev +# private-etc fonts diff --git a/firejail/xiphos.profile b/firejail/xiphos.profile new file mode 100644 index 0000000..b7fb6ec --- /dev/null +++ b/firejail/xiphos.profile @@ -0,0 +1,30 @@ +# Firejail profile for xiphos +noblacklist ~/.sword +noblacklist ~/.xiphos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +blacklist ~/.bashrc +blacklist ~/.Xauthority + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin xiphos +private-etc fonts,resolv.conf,sword +private-dev +private-tmp + +whitelist ${HOME}/.sword +whitelist ${HOME}/.xiphos diff --git a/firejail/xonotic-glx.profile b/firejail/xonotic-glx.profile new file mode 100644 index 0000000..b255ffd --- /dev/null +++ b/firejail/xonotic-glx.profile @@ -0,0 +1,5 @@ +# +#Profile for xonotic:xonotic-glx +# + +include /etc/firejail/xonotic.profile 
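Review bot: xfburn.profile ends with four commented-out hardening lines (`# private-bin xfburn`, `# private-tmp`, `# private-dev`, `# private-etc fonts`) and no word on why they are off; for a disc burner the likely blocker is `private-dev`, which would hide the optical drive (`/dev/sr*`). Record that so the lines are not re-enabled blindly: `# private-dev disabled: would hide /dev/sr* (the burner) — TODO confirm; private-bin/private-tmp/private-etc untested`.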
diff --git a/firejail/xonotic-sdl.profile b/firejail/xonotic-sdl.profile new file mode 100644 index 0000000..7836673 --- /dev/null +++ b/firejail/xonotic-sdl.profile @@ -0,0 +1,5 @@ +# +#Profile for xonotic:xonotic-sdl +# + +include /etc/firejail/xonotic.profile diff --git a/firejail/xonotic.profile b/firejail/xonotic.profile new file mode 100644 index 0000000..75d6496 --- /dev/null +++ b/firejail/xonotic.profile @@ -0,0 +1,25 @@ +# +#Profile for xonotic +# + +#No Blacklist Paths +noblacklist ${HOME}/.xonotic + +#Blacklist Paths +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +#Whitelist Paths +mkdir ${HOME}/.xonotic +whitelist ${HOME}/.xonotic +include /etc/firejail/whitelist-common.inc + +#Options +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail/xpdf.profile b/firejail/xpdf.profile new file mode 100644 index 0000000..7ea368b --- /dev/null +++ b/firejail/xpdf.profile @@ -0,0 +1,18 @@ +################################ +# xpdf application profile +################################ +noblacklist ${HOME}/.xpdfrc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +net none +nonewprivs +noroot +protocol unix +shell none +seccomp + +private-dev +private-tmp diff --git a/firejail/xplayer.profile b/firejail/xplayer.profile new file mode 100644 index 0000000..191d2f6 --- /dev/null +++ b/firejail/xplayer.profile 
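Review bot: xpdf.profile parses untrusted PDFs yet is looser than the other document-viewer profiles in this series (xreader, zathura, xviewer): it omits `include /etc/firejail/disable-devel.inc`, `nosound`, `nogroups`, `tracelog` and `private-bin xpdf`, and leaves the whole home directory writable by a parser bug. `net none` and `protocol unix` are the right calls and already rule out network exfiltration, so the remaining gap is home; add `include /etc/firejail/disable-devel.inc` and `private-bin xpdf` at least, and consider the `read-only ~/` approach zathura.profile uses if saving from xpdf is not needed. The `noblacklist ${HOME}/.xpdfrc` line implies one of the includes blacklists it; a comment saying which would make the line self-explanatory.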
@@ -0,0 +1,22 @@ +# Xplayer profile +noblacklist ~/.config/xplayer +noblacklist ~/.local/share/xplayer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer +private-dev +private-tmp diff --git a/firejail/xpra.profile b/firejail/xpra.profile new file mode 100644 index 0000000..32be90b --- /dev/null +++ b/firejail/xpra.profile @@ -0,0 +1,23 @@ +# xpra profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix,inet,inet6 + +# blacklist /tmp/.X11-unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/firejail/xreader.profile b/firejail/xreader.profile new file mode 100644 index 0000000..d2a000b --- /dev/null +++ b/firejail/xreader.profile @@ -0,0 +1,23 @@ +# Xreader profile +noblacklist ~/.config/xreader +noblacklist ~/.cache/xreader +noblacklist ~/.local/share + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin xreader, xreader-previewer, xreader-thumbnailer +private-dev +private-tmp diff --git a/firejail/xviewer.profile b/firejail/xviewer.profile new file mode 100644 index 0000000..ca380b4 --- /dev/null +++ b/firejail/xviewer.profile 
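Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` in xreader.profile has spaces after the commas, unlike every other `private-bin` list in this series; if firejail splits on `,` without trimming, the last two names become ` xreader-previewer` and ` xreader-thumbnailer`, which do not exist, and the previewer and thumbnailer silently vanish from the jail — drop the spaces: `private-bin xreader,xreader-previewer,xreader-thumbnailer`. Separately, `noblacklist ~/.local/share` re-exposes the whole directory rather than `~/.local/share/xreader`, which (depending on how noblacklist matches subpaths) may undo the disable-programs entries for other applications' data; narrow it to `noblacklist ~/.local/share/xreader` and verify xreader still starts.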
@@ -0,0 +1,21 @@ +# xviewer profile +noblacklist ~/.config/xviewer + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-dev +private-bin xviewer +private-tmp diff --git a/firejail/xz.profile b/firejail/xz.profile new file mode 100644 index 0000000..5b29f73 --- /dev/null +++ b/firejail/xz.profile @@ -0,0 +1,3 @@ +# xz profile +quiet +include /etc/firejail/cpio.profile diff --git a/firejail/xzdec.profile b/firejail/xzdec.profile new file mode 100644 index 0000000..6164e32 --- /dev/null +++ b/firejail/xzdec.profile @@ -0,0 +1,14 @@ +# xzdec profile +quiet +ignore noroot +include /etc/firejail/default.profile + +blacklist /tmp/.X11-unix + +net none +no3d +nosound +shell none +tracelog + +private-dev diff --git a/firejail/zathura.profile b/firejail/zathura.profile new file mode 100644 index 0000000..6c93a24 --- /dev/null +++ b/firejail/zathura.profile @@ -0,0 +1,26 @@ +# zathura document viewer profile +noblacklist ~/.config/zathura +noblacklist ~/.local/share/zathura +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +net none +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +private-bin zathura +private-dev +private-etc fonts +private-tmp + +read-only ~/ +read-write ~/.local/share/zathura/ diff --git a/firejail/zoom.profile b/firejail/zoom.profile new file mode 100644 index 0000000..4c08868 --- /dev/null +++ b/firejail/zoom.profile 
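Review bot: zathura.profile combines `netfilter` with `net none`; with no interfaces left in the network namespace there is nothing for `netfilter` to filter, so keep `net none` (this is a document viewer) and drop `netfilter` so the intent is unambiguous. `read-only ~/` followed by `read-write ~/.local/share/zathura/` is a good pattern, but unlike the whitelist profiles there is no `mkdir ~/.local/share/zathura` first, so on a fresh account the read-write mount presumably has nothing to attach to; add `mkdir ~/.local/share/zathura` before the `read-write` line.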
@@ -0,0 +1,22 @@ +# Firejail profile for zoom.us +noblacklist ~/.config/zoomus.conf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + + +# Whitelists + +mkdir ~/.zoom +whitelist ~/.zoom + + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +private-tmp diff --git a/fstab.sample b/fstab.sample new file mode 100644 index 0000000..9465498 --- /dev/null +++ b/fstab.sample @@ -0,0 +1,6 @@ +# +/dev/xvda1 / ext3 errors=remount-ro,noatime,barrier=0 0 1 +/dev/xvda2 /home ext4 defaults,nosuid,nodev,usrquota 0 2 +proc /proc proc defaults,hidepid=2 0 0 +udev /dev devtmpfs defaults,nosuid,noatime 0 0 +devpts /dev/pts devpts defaults,newinstance,ptmxmode=0666 0 0 diff --git a/gemrc b/gemrc new file mode 100644 index 0000000..e3c25e1 --- /dev/null +++ b/gemrc @@ -0,0 +1 @@ +gem: --user-install --bindir ~/.gem/bin diff --git a/gnupg/README.md b/gnupg/README.md new file mode 100644 index 0000000..5b1f640 --- /dev/null +++ b/gnupg/README.md @@ -0,0 +1,23 @@ +# #! role keyrings + +This folder contains OpenPGP keyrings that correspond to +roles in Hashbang. The only current role is “admins”, +and the keyring is used to check signatures on data that is +fetched from Git. + + + +## Creating and updating keyrings + +Each keyring is a OpenPGP binary file, and keys should be +exported with options `export-minimal` and `export-clean`. + +For instance, the `hashbang-admins.gpg` keyring can be +generated as follows, from the list of keys in the `pass(1)` +password database: + + export GNUPGHOME=$(mktemp -d); + cat ~/.password-store/Hashbang/.gpg-id | cut -d' ' -f1 | \ + xargs gpg --keyserver pgp.mit.edu --recv-key + gpg --export > hashbang-admins.gpg + unzer GNUPGHOME diff --git a/gnupg/hashbang-admins.gpg b/gnupg/hashbang-admins.gpg new file mode 100644 index 0000000..0556122 Binary files /dev/null and b/gnupg/hashbang-admins.gpg differ 
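Review bot: zoom.profile's `whitelist ~/.zoom` switches the home directory into whitelist mode, which hides everything else in `~` — including the `~/.config/zoomus.conf` that the `noblacklist` on the first line is trying to keep, so that line has no effect as written. Add `whitelist ~/.config/zoomus.conf` next to `whitelist ~/.zoom` (and `include /etc/firejail/whitelist-common.inc`, as the other whitelist profiles in this diff do) or drop the `noblacklist`. The profile also lacks `include /etc/firejail/disable-passwdmgr.inc`, `private-dev` and `shell none`, all of which the comparable wire.profile sets.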
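Review bot: `barrier=0` on the root filesystem in fstab.sample disables journal write barriers, so after a power loss or hypervisor crash the ext3 journal can be committed out of order and leave the root filesystem inconsistent — and with `errors=remount-ro` that means an unplanned read-only root. Unless the Xen block backend behind `xvda` is known to honour write ordering without barriers, drop `barrier=0`; the cost of barriers is generally small on current kernels. `hidepid=2` on /proc is the right default for a multi-user shell host, but it has no `gid=` exemption, so monitoring run by an unprivileged group (the `group` file in this diff defines `glances`) cannot see other users' processes — add `gid=<monitoring gid>` if that is needed, and use the bare `#` first line to record these choices.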
diff --git a/group b/group new file mode 100644 index 0000000..6522fd5 --- /dev/null +++ b/group @@ -0,0 +1,66 @@ +root:x:0: +daemon:x:1: +bin:x:2: +sys:x:3: +adm:x:4: +tty:x:5: +disk:x:6: +lp:x:7: +mail:x:8: +news:x:9: +uucp:x:10: +man:x:12: +proxy:x:13: +kmem:x:15: +dialout:x:20: +fax:x:21: +voice:x:22: +cdrom:x:24: +floppy:x:25: +tape:x:26: +sudo:x:27: +audio:x:29: +dip:x:30: +www-data:x:33: +backup:x:34: +operator:x:37: +list:x:38: +irc:x:39: +src:x:40: +gnats:x:41: +shadow:x:42: +utmp:x:43: +video:x:44: +sasl:x:45: +plugdev:x:46: +staff:x:50: +games:x:60: +users:x:100: +nogroup:x:65534: +input:x:101: +systemd-journal:x:102: +systemd-timesync:x:103: +systemd-network:x:104: +systemd-resolve:x:105: +systemd-bus-proxy:x:106: +crontab:x:107: +netdev:x:108: +Debian-exim:x:109: +messagebus:x:110: +mlocate:x:111: +ssh:x:112: +ssl-cert:x:114: +postfix:x:115: +postdrop:x:116: +nslcd:x:117: +utempter:x:118: +glances:x:119: +oident:x:113: +bitlbee:x:120: +_cvsadmin:x:121: +redis:x:122: +epmd:x:123: +kvm:x:124: +unbound:x:125: +debian-tor:x:127: +ntpd:x:126: diff --git a/hashbang/welcome b/hashbang/welcome new file mode 100755 index 0000000..41c54b8 --- /dev/null +++ b/hashbang/welcome @@ -0,0 +1,11 @@ +#!/bin/sh + +cat /etc/hashbang/welcome.pre + +if [ -n "$TMUX" ]; then + sed "s/\\\$USER/${USER}/" /etc/hashbang/welcome.tmux +else + sed "s/\\\$USER/${USER}/" /etc/hashbang/welcome.notmux +fi + +cat /etc/hashbang/welcome.post diff --git a/hashbang/welcome.notmux b/hashbang/welcome.notmux new file mode 100644 index 0000000..030e417 --- /dev/null +++ b/hashbang/welcome.notmux @@ -0,0 +1,11 @@ + Things to explore: + + * You can start 'tmux' to enter a tmux session. + Help will be displayed when tmux is started. + + * You can resume a detached tmux session at any time. + Use 'tmux attach' to resume your tmux session. + + * Your Hashbang email address is $USER@hashbang.sh + The `mutt` email client is preconfigured for you. + 
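Review bot: hashbang/welcome substitutes the `$USER` environment variable straight into a sed replacement (`sed "s/\\\$USER/${USER}/"`); `USER` is whatever the caller's environment says, so a value containing `/`, `&` or `\` either aborts sed or alters the output. The output only reaches the caller's own terminal, so this is robustness rather than privilege, but the fix is cheap: take the name from `name=$(id -un)` and escape it with `name=$(printf '%s' "$name" | sed 's/[\/&\\]/\\&/g')` before the substitution. A one-line header comment saying the script prints the login MOTD and expects `welcome.pre`/`welcome.post` alongside it would also help, since the file has none.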
diff --git a/hashbang/welcome.post b/hashbang/welcome.post new file mode 100644 index 0000000..32ccd9c --- /dev/null +++ b/hashbang/welcome.post @@ -0,0 +1,8 @@ + * To learn more about us and our offerings type: man hashbang + + Like what we're doing? Consider donating to expand our efforts. + * Bitcoin - [ 1DtTvCLiUMhs21QcETQzLyiqxoopUjqBSU ] + * Google Wallet - [ donate@hashbang.sh ] + * PayPal - [ http://goo.gl/aSQWy0 ] + + Community shell servers generously sponsored by: (http://atlantic.net) diff --git a/hashbang/welcome.pre b/hashbang/welcome.pre new file mode 100644 index 0000000..bea2afd --- /dev/null +++ b/hashbang/welcome.pre @@ -0,0 +1,7 @@ + _ _ __ + _| || |_ | | Welcome to #!. This network has three rules: +|_ __ _|| | + _| || |_ | | 1. When people need help, teach. Don't do it for them +|_ __ _||__| 2. Don't use our resources for closed source projects + |_||_| (__) 3. Be excellent to each other + diff --git a/hashbang/welcome.tmux b/hashbang/welcome.tmux new file mode 100644 index 0000000..37b7e34 --- /dev/null +++ b/hashbang/welcome.tmux @@ -0,0 +1,14 @@ + Things to explore: + + * You are in a 'tmux' session. There are three tabs below. + Navigate with + a tab number. + + * You are already in our IRC channel in "tab 1" + Type + 1 to reach it and chat with us. + + * Your Hashbang email address is: $USER@hashbang.sh + Type + 2 to check your emails in mutt + + * You can detach from this tmux session with + + You can also re-attach outside of tmux with 'tmux attach' + diff --git a/locale.gen b/locale.gen new file mode 100644 index 0000000..e9dfebc --- /dev/null +++ b/locale.gen 
@@ -0,0 +1,478 @@ +# This file lists locales that you wish to have built. You can find a list +# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add +# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change +# this file, you need to rerun locale-gen. + + +# aa_DJ ISO-8859-1 +# aa_DJ.UTF-8 UTF-8 +# aa_ER UTF-8 +# aa_ER@saaho UTF-8 +# aa_ET UTF-8 +# af_ZA ISO-8859-1 +# af_ZA.UTF-8 UTF-8 +# am_ET UTF-8 +# an_ES ISO-8859-15 +# an_ES.UTF-8 UTF-8 +# ar_AE ISO-8859-6 +# ar_AE.UTF-8 UTF-8 +# ar_BH ISO-8859-6 +# ar_BH.UTF-8 UTF-8 +# ar_DZ ISO-8859-6 +# ar_DZ.UTF-8 UTF-8 +# ar_EG ISO-8859-6 +# ar_EG.UTF-8 UTF-8 +# ar_IN UTF-8 +# ar_IQ ISO-8859-6 +# ar_IQ.UTF-8 UTF-8 +# ar_JO ISO-8859-6 +# ar_JO.UTF-8 UTF-8 +# ar_KW ISO-8859-6 +# ar_KW.UTF-8 UTF-8 +# ar_LB ISO-8859-6 +# ar_LB.UTF-8 UTF-8 +# ar_LY ISO-8859-6 +# ar_LY.UTF-8 UTF-8 +# ar_MA ISO-8859-6 +# ar_MA.UTF-8 UTF-8 +# ar_OM ISO-8859-6 +# ar_OM.UTF-8 UTF-8 +# ar_QA ISO-8859-6 +# ar_QA.UTF-8 UTF-8 +# ar_SA ISO-8859-6 +# ar_SA.UTF-8 UTF-8 +# ar_SD ISO-8859-6 +# ar_SD.UTF-8 UTF-8 +# ar_SY ISO-8859-6 +# ar_SY.UTF-8 UTF-8 +# ar_TN ISO-8859-6 +# ar_TN.UTF-8 UTF-8 +# ar_YE ISO-8859-6 +# ar_YE.UTF-8 UTF-8 +# as_IN UTF-8 +# ast_ES ISO-8859-15 +# ast_ES.UTF-8 UTF-8 +# ayc_PE UTF-8 +# az_AZ UTF-8 +# be_BY CP1251 +# be_BY.UTF-8 UTF-8 +# be_BY@latin UTF-8 +# bem_ZM UTF-8 +# ber_DZ UTF-8 +# ber_MA UTF-8 +# bg_BG CP1251 +# bg_BG.UTF-8 UTF-8 +# bho_IN UTF-8 +# bn_BD UTF-8 +# bn_IN UTF-8 +# bo_CN UTF-8 +# bo_IN UTF-8 +# br_FR ISO-8859-1 +# br_FR.UTF-8 UTF-8 +# br_FR@euro ISO-8859-15 +# brx_IN UTF-8 +# bs_BA ISO-8859-2 +# bs_BA.UTF-8 UTF-8 +# byn_ER UTF-8 +# ca_AD ISO-8859-15 +# ca_AD.UTF-8 UTF-8 +# ca_ES ISO-8859-1 +# ca_ES.UTF-8 UTF-8 +# ca_ES.UTF-8@valencia UTF-8 +# ca_ES@euro ISO-8859-15 +# ca_ES@valencia ISO-8859-15 +# ca_FR ISO-8859-15 +# ca_FR.UTF-8 UTF-8 +# ca_IT ISO-8859-15 +# ca_IT.UTF-8 UTF-8 +# crh_UA UTF-8 +# cs_CZ ISO-8859-2 +# cs_CZ.UTF-8 UTF-8 +# csb_PL UTF-8 +# cv_RU UTF-8 +# cy_GB 
ISO-8859-14 +# cy_GB.UTF-8 UTF-8 +# da_DK ISO-8859-1 +# da_DK.UTF-8 UTF-8 +# de_AT ISO-8859-1 +# de_AT.UTF-8 UTF-8 +# de_AT@euro ISO-8859-15 +# de_BE ISO-8859-1 +# de_BE.UTF-8 UTF-8 +# de_BE@euro ISO-8859-15 +# de_CH ISO-8859-1 +# de_CH.UTF-8 UTF-8 +# de_DE ISO-8859-1 +# de_DE.UTF-8 UTF-8 +# de_DE@euro ISO-8859-15 +# de_LI.UTF-8 UTF-8 +# de_LU ISO-8859-1 +# de_LU.UTF-8 UTF-8 +# de_LU@euro ISO-8859-15 +# doi_IN UTF-8 +# dv_MV UTF-8 +# dz_BT UTF-8 +# el_CY ISO-8859-7 +# el_CY.UTF-8 UTF-8 +# el_GR ISO-8859-7 +# el_GR.UTF-8 UTF-8 +# en_AG UTF-8 +# en_AU ISO-8859-1 +# en_AU.UTF-8 UTF-8 +# en_BW ISO-8859-1 +# en_BW.UTF-8 UTF-8 +# en_CA ISO-8859-1 +# en_CA.UTF-8 UTF-8 +# en_DK ISO-8859-1 +# en_DK.ISO-8859-15 ISO-8859-15 +# en_DK.UTF-8 UTF-8 +# en_GB ISO-8859-1 +# en_GB.ISO-8859-15 ISO-8859-15 +# en_GB.UTF-8 UTF-8 +# en_HK ISO-8859-1 +# en_HK.UTF-8 UTF-8 +# en_IE ISO-8859-1 +# en_IE.UTF-8 UTF-8 +# en_IE@euro ISO-8859-15 +# en_IN UTF-8 +# en_NG UTF-8 +# en_NZ ISO-8859-1 +# en_NZ.UTF-8 UTF-8 +# en_PH ISO-8859-1 +# en_PH.UTF-8 UTF-8 +# en_SG ISO-8859-1 +# en_SG.UTF-8 UTF-8 +# en_US ISO-8859-1 +# en_US.ISO-8859-15 ISO-8859-15 +en_US.UTF-8 UTF-8 +# en_ZA ISO-8859-1 +# en_ZA.UTF-8 UTF-8 +# en_ZM UTF-8 +# en_ZW ISO-8859-1 +# en_ZW.UTF-8 UTF-8 +# eo ISO-8859-3 +# eo.UTF-8 UTF-8 +# es_AR ISO-8859-1 +# es_AR.UTF-8 UTF-8 +# es_BO ISO-8859-1 +# es_BO.UTF-8 UTF-8 +# es_CL ISO-8859-1 +# es_CL.UTF-8 UTF-8 +# es_CO ISO-8859-1 +# es_CO.UTF-8 UTF-8 +# es_CR ISO-8859-1 +# es_CR.UTF-8 UTF-8 +# es_CU UTF-8 +# es_DO ISO-8859-1 +# es_DO.UTF-8 UTF-8 +# es_EC ISO-8859-1 +# es_EC.UTF-8 UTF-8 +# es_ES ISO-8859-1 +# es_ES.UTF-8 UTF-8 +# es_ES@euro ISO-8859-15 +# es_GT ISO-8859-1 +# es_GT.UTF-8 UTF-8 +# es_HN ISO-8859-1 +# es_HN.UTF-8 UTF-8 +# es_MX ISO-8859-1 +# es_MX.UTF-8 UTF-8 +# es_NI ISO-8859-1 +# es_NI.UTF-8 UTF-8 +# es_PA ISO-8859-1 +# es_PA.UTF-8 UTF-8 +# es_PE ISO-8859-1 +# es_PE.UTF-8 UTF-8 +# es_PR ISO-8859-1 +# es_PR.UTF-8 UTF-8 +# es_PY ISO-8859-1 +# es_PY.UTF-8 UTF-8 +# es_SV ISO-8859-1 
+# es_SV.UTF-8 UTF-8 +# es_US ISO-8859-1 +# es_US.UTF-8 UTF-8 +# es_UY ISO-8859-1 +# es_UY.UTF-8 UTF-8 +# es_VE ISO-8859-1 +# es_VE.UTF-8 UTF-8 +# et_EE ISO-8859-1 +# et_EE.ISO-8859-15 ISO-8859-15 +# et_EE.UTF-8 UTF-8 +# eu_ES ISO-8859-1 +# eu_ES.UTF-8 UTF-8 +# eu_ES@euro ISO-8859-15 +# eu_FR ISO-8859-1 +# eu_FR.UTF-8 UTF-8 +# eu_FR@euro ISO-8859-15 +# fa_IR UTF-8 +# ff_SN UTF-8 +# fi_FI ISO-8859-1 +# fi_FI.UTF-8 UTF-8 +# fi_FI@euro ISO-8859-15 +# fil_PH UTF-8 +# fo_FO ISO-8859-1 +# fo_FO.UTF-8 UTF-8 +# fr_BE ISO-8859-1 +# fr_BE.UTF-8 UTF-8 +# fr_BE@euro ISO-8859-15 +# fr_CA ISO-8859-1 +# fr_CA.UTF-8 UTF-8 +# fr_CH ISO-8859-1 +# fr_CH.UTF-8 UTF-8 +# fr_FR ISO-8859-1 +# fr_FR.UTF-8 UTF-8 +# fr_FR@euro ISO-8859-15 +# fr_LU ISO-8859-1 +# fr_LU.UTF-8 UTF-8 +# fr_LU@euro ISO-8859-15 +# fur_IT UTF-8 +# fy_DE UTF-8 +# fy_NL UTF-8 +# ga_IE ISO-8859-1 +# ga_IE.UTF-8 UTF-8 +# ga_IE@euro ISO-8859-15 +# gd_GB ISO-8859-15 +# gd_GB.UTF-8 UTF-8 +# gez_ER UTF-8 +# gez_ER@abegede UTF-8 +# gez_ET UTF-8 +# gez_ET@abegede UTF-8 +# gl_ES ISO-8859-1 +# gl_ES.UTF-8 UTF-8 +# gl_ES@euro ISO-8859-15 +# gu_IN UTF-8 +# gv_GB ISO-8859-1 +# gv_GB.UTF-8 UTF-8 +# ha_NG UTF-8 +# he_IL ISO-8859-8 +# he_IL.UTF-8 UTF-8 +# hi_IN UTF-8 +# hne_IN UTF-8 +# hr_HR ISO-8859-2 +# hr_HR.UTF-8 UTF-8 +# hsb_DE ISO-8859-2 +# hsb_DE.UTF-8 UTF-8 +# ht_HT UTF-8 +# hu_HU ISO-8859-2 +# hu_HU.UTF-8 UTF-8 +# hy_AM UTF-8 +# hy_AM.ARMSCII-8 ARMSCII-8 +# ia_FR UTF-8 +# id_ID ISO-8859-1 +# id_ID.UTF-8 UTF-8 +# ig_NG UTF-8 +# ik_CA UTF-8 +# is_IS ISO-8859-1 +# is_IS.UTF-8 UTF-8 +# it_CH ISO-8859-1 +# it_CH.UTF-8 UTF-8 +# it_IT ISO-8859-1 +# it_IT.UTF-8 UTF-8 +# it_IT@euro ISO-8859-15 +# iu_CA UTF-8 +# iw_IL ISO-8859-8 +# iw_IL.UTF-8 UTF-8 +# ja_JP.EUC-JP EUC-JP +# ja_JP.UTF-8 UTF-8 +# ka_GE GEORGIAN-PS +# ka_GE.UTF-8 UTF-8 +# kk_KZ PT154 +# kk_KZ RK1048 +# kk_KZ.UTF-8 UTF-8 +# kl_GL ISO-8859-1 +# kl_GL.UTF-8 UTF-8 +# km_KH UTF-8 +# kn_IN UTF-8 +# ko_KR.EUC-KR EUC-KR +# ko_KR.UTF-8 UTF-8 +# kok_IN UTF-8 +# ks_IN UTF-8 +# 
ks_IN@devanagari UTF-8 +# ku_TR ISO-8859-9 +# ku_TR.UTF-8 UTF-8 +# kw_GB ISO-8859-1 +# kw_GB.UTF-8 UTF-8 +# ky_KG UTF-8 +# lb_LU UTF-8 +# lg_UG ISO-8859-10 +# lg_UG.UTF-8 UTF-8 +# li_BE UTF-8 +# li_NL UTF-8 +# lij_IT UTF-8 +# lo_LA UTF-8 +# lt_LT ISO-8859-13 +# lt_LT.UTF-8 UTF-8 +# lv_LV ISO-8859-13 +# lv_LV.UTF-8 UTF-8 +# mag_IN UTF-8 +# mai_IN UTF-8 +# mg_MG ISO-8859-15 +# mg_MG.UTF-8 UTF-8 +# mhr_RU UTF-8 +# mi_NZ ISO-8859-13 +# mi_NZ.UTF-8 UTF-8 +# mk_MK ISO-8859-5 +# mk_MK.UTF-8 UTF-8 +# ml_IN UTF-8 +# mn_MN UTF-8 +# mni_IN UTF-8 +# mr_IN UTF-8 +# ms_MY ISO-8859-1 +# ms_MY.UTF-8 UTF-8 +# mt_MT ISO-8859-3 +# mt_MT.UTF-8 UTF-8 +# my_MM UTF-8 +# nan_TW@latin UTF-8 +# nb_NO ISO-8859-1 +# nb_NO.UTF-8 UTF-8 +# nds_DE UTF-8 +# nds_NL UTF-8 +# ne_NP UTF-8 +# nhn_MX UTF-8 +# niu_NU UTF-8 +# niu_NZ UTF-8 +# nl_AW UTF-8 +# nl_BE ISO-8859-1 +# nl_BE.UTF-8 UTF-8 +# nl_BE@euro ISO-8859-15 +# nl_NL ISO-8859-1 +# nl_NL.UTF-8 UTF-8 +# nl_NL@euro ISO-8859-15 +# nn_NO ISO-8859-1 +# nn_NO.UTF-8 UTF-8 +# nr_ZA UTF-8 +# nso_ZA UTF-8 +# oc_FR ISO-8859-1 +# oc_FR.UTF-8 UTF-8 +# om_ET UTF-8 +# om_KE ISO-8859-1 +# om_KE.UTF-8 UTF-8 +# or_IN UTF-8 +# os_RU UTF-8 +# pa_IN UTF-8 +# pa_PK UTF-8 +# pap_AN UTF-8 +# pl_PL ISO-8859-2 +# pl_PL.UTF-8 UTF-8 +# ps_AF UTF-8 +# pt_BR ISO-8859-1 +# pt_BR.UTF-8 UTF-8 +# pt_PT ISO-8859-1 +# pt_PT.UTF-8 UTF-8 +# pt_PT@euro ISO-8859-15 +# ro_RO ISO-8859-2 +# ro_RO.UTF-8 UTF-8 +# ru_RU ISO-8859-5 +# ru_RU.CP1251 CP1251 +# ru_RU.KOI8-R KOI8-R +# ru_RU.UTF-8 UTF-8 +# ru_UA KOI8-U +# ru_UA.UTF-8 UTF-8 +# rw_RW UTF-8 +# sa_IN UTF-8 +# sat_IN UTF-8 +# sc_IT UTF-8 +# sd_IN UTF-8 +# sd_IN@devanagari UTF-8 +# se_NO UTF-8 +# shs_CA UTF-8 +# si_LK UTF-8 +# sid_ET UTF-8 +# sk_SK ISO-8859-2 +# sk_SK.UTF-8 UTF-8 +# sl_SI ISO-8859-2 +# sl_SI.UTF-8 UTF-8 +# so_DJ ISO-8859-1 +# so_DJ.UTF-8 UTF-8 +# so_ET UTF-8 +# so_KE ISO-8859-1 +# so_KE.UTF-8 UTF-8 +# so_SO ISO-8859-1 +# so_SO.UTF-8 UTF-8 +# sq_AL ISO-8859-1 +# sq_AL.UTF-8 UTF-8 +# sq_MK UTF-8 +# sr_ME UTF-8 +# sr_RS 
UTF-8 +# sr_RS@latin UTF-8 +# ss_ZA UTF-8 +# st_ZA ISO-8859-1 +# st_ZA.UTF-8 UTF-8 +# sv_FI ISO-8859-1 +# sv_FI.UTF-8 UTF-8 +# sv_FI@euro ISO-8859-15 +# sv_SE ISO-8859-1 +# sv_SE.ISO-8859-15 ISO-8859-15 +# sv_SE.UTF-8 UTF-8 +# sw_KE UTF-8 +# sw_TZ UTF-8 +# szl_PL UTF-8 +# ta_IN UTF-8 +# ta_LK UTF-8 +# te_IN UTF-8 +# tg_TJ KOI8-T +# tg_TJ.UTF-8 UTF-8 +# th_TH TIS-620 +# th_TH.UTF-8 UTF-8 +# ti_ER UTF-8 +# ti_ET UTF-8 +# tig_ER UTF-8 +# tk_TM UTF-8 +# tl_PH ISO-8859-1 +# tl_PH.UTF-8 UTF-8 +# tn_ZA UTF-8 +# tr_CY ISO-8859-9 +# tr_CY.UTF-8 UTF-8 +# tr_TR ISO-8859-9 +# tr_TR.UTF-8 UTF-8 +# ts_ZA UTF-8 +# tt_RU UTF-8 +# tt_RU@iqtelif UTF-8 +# ug_CN UTF-8 +# uk_UA KOI8-U +# uk_UA.UTF-8 UTF-8 +# unm_US UTF-8 +# ur_IN UTF-8 +# ur_PK UTF-8 +# uz_UZ ISO-8859-1 +# uz_UZ.UTF-8 UTF-8 +# uz_UZ@cyrillic UTF-8 +# ve_ZA UTF-8 +# vi_VN UTF-8 +# wa_BE ISO-8859-1 +# wa_BE.UTF-8 UTF-8 +# wa_BE@euro ISO-8859-15 +# wae_CH UTF-8 +# wal_ET UTF-8 +# wo_SN UTF-8 +# xh_ZA ISO-8859-1 +# xh_ZA.UTF-8 UTF-8 +# yi_US CP1255 +# yi_US.UTF-8 UTF-8 +# yo_NG UTF-8 +# yue_HK UTF-8 +# zh_CN GB2312 +# zh_CN.GB18030 GB18030 +# zh_CN.GBK GBK +# zh_CN.UTF-8 UTF-8 +# zh_HK BIG5-HKSCS +# zh_HK.UTF-8 UTF-8 +# zh_SG GB2312 +# zh_SG.GBK GBK +# zh_SG.UTF-8 UTF-8 +# zh_TW BIG5 +# zh_TW.EUC-TW EUC-TW +# zh_TW.UTF-8 UTF-8 +# zu_ZA ISO-8859-1 +# zu_ZA.UTF-8 UTF-8 +# en_US.UTF-8 UTF-8 +# ak_GH UTF-8 +# anp_IN UTF-8 +# ar_SS UTF-8 +# cmn_TW UTF-8 +# hak_TW UTF-8 +# lzh_TW UTF-8 +# nan_TW UTF-8 +# pap_AW UTF-8 +# pap_CW UTF-8 +# quz_PE UTF-8 +# the_NP UTF-8 diff --git a/localtime b/localtime new file mode 100644 index 0000000..5583f5b Binary files /dev/null and b/localtime differ diff --git a/login.defs b/login.defs new file mode 100644 index 0000000..afef90a --- /dev/null +++ b/login.defs 
@@ -0,0 +1,340 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. 
+# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. 
+# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 027 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. 
+# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user´s group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. 
+# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. 
+# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR + + + diff --git a/logrotate.conf b/logrotate.conf new file mode 100644 index 0000000..27630af --- /dev/null +++ b/logrotate.conf @@ -0,0 +1,32 @@ +# see "man logrotate" for details +# rotate log files weekly +weekly + +# keep 4 weeks worth of backlogs +rotate 4 + +# create new (empty) log files after rotating old ones +create + +# uncomment this if you want your log files compressed +#compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# no packages own wtmp, or btmp -- we'll rotate them here +/var/log/wtmp { + missingok + monthly + create 0660 root utmp + rotate 1 +} + +/var/log/btmp { + missingok + monthly + create 0660 root utmp + rotate 1 +} + +# system-specific logs may be configured here 
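Review bot: `ENCRYPT_METHOD SHA512` is set but `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` remain commented out, so hashes written by the shadow tools use the libc default of 5000 rounds named in the comment above them; on a shared shell host, where /etc/shadow is the asset a local privilege escalation would go after, a higher work factor is cheap hardening. The file's own note says to keep this consistent with the PAM configuration, so the same value should go into pam_unix's `rounds=` option under /etc/pam.d, otherwise passwords set through PAM and through chpasswd/useradd end up with different strengths. A pair such as `SHA_CRYPT_MIN_ROUNDS 65536` and `SHA_CRYPT_MAX_ROUNDS 65536` (a constructed value inside the documented 1000-999999999 range) would do. Separately, `LOG_OK_LOGINS no` on a multi-user host discards the successful-login records that help an incident investigation; sshd and PAM log logins elsewhere, so this may be a deliberate noise-reduction choice, but a one-line comment saying so would make that clear.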
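Review bot: The wtmp stanza recreates the file with `create 0660 root utmp`, which, if I recall Debian's stock logrotate.conf correctly, is tighter than its 0664 and means unprivileged users can no longer read it with `last`; on a shared shell server hiding other users' login times and source addresses is a reasonable privacy choice, but nothing in the file says it is intentional. A comment on that stanza, `# 0660 rather than Debian's 0664: keep other users' login records (last) private on a shared host`, would stop the next maintainer from restoring the wider mode. The btmp stanza is right as written: failed-login records can contain passwords mistyped into the username field, so 0660 is the correct mode there.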
diff --git a/luarocks/config-5.1.lua b/luarocks/config-5.1.lua new file mode 100644 index 0000000..9a6fbb7 --- /dev/null +++ b/luarocks/config-5.1.lua @@ -0,0 +1,5 @@ +variables = { + LUA_INTERPRETER = "/usr/bin/lua5.1"; + LUA_INCDIR = "/usr/include/lua5.1"; +} +rocks_subdir = "/lib/luarocks/rocks-5.1" diff --git a/luarocks/config-5.2.lua b/luarocks/config-5.2.lua new file mode 100644 index 0000000..cbb0afa --- /dev/null +++ b/luarocks/config-5.2.lua @@ -0,0 +1,7 @@ +export_lua_path = "export LUA_PATH_5_2='%s'"; +export_lua_cpath = "export LUA_CPATH_5_2='%s'"; +variables = { + LUA_INTERPRETER = "/usr/bin/lua5.2"; + LUA_INCDIR = "/usr/include/lua5.2"; +} +rocks_subdir = "/lib/luarocks/rocks-5.2" diff --git a/luarocks/config-5.3.lua b/luarocks/config-5.3.lua new file mode 100644 index 0000000..0d4d15a --- /dev/null +++ b/luarocks/config-5.3.lua @@ -0,0 +1,7 @@ +export_lua_path = "export LUA_PATH_5_3='%s'"; +export_lua_cpath = "export LUA_CPATH_5_3='%s'"; +variables = { + LUA_INTERPRETER = "/usr/bin/lua5.3"; + LUA_INCDIR = "/usr/include/lua5.3"; +} +rocks_subdir = "/lib/luarocks/rocks-5.3" diff --git a/mailname b/mailname new file mode 100644 index 0000000..acd6707 --- /dev/null +++ b/mailname @@ -0,0 +1 @@ +hashbang.sh diff --git a/man/man7/hashbang.7 b/man/man7/hashbang.7 index 307ce43..acc2629 100644 --- a/man/man7/hashbang.7 +++ b/man/man7/hashbang.7 @@ -29,8 +29,10 @@ that has your private key. echo the foo file to the console .SH AVAILABLE SOFTWARE +.SS Account Management +hashbangctl - An account management program which can update your ssh keys, account name, and default shell. .SS Compilers / Interpreters / Programming Languages -perl - A high-level, general-purpose dynamic programming language. Commonly +perl - A high-level, general-purpose dynamic programming language. Commonly referred to as "the duct tape of the internet." python - A high-level, general-purpose programming language that emphasizes 
@@ -38,14 +40,14 @@ code readability. ruby - A dynamic, object-oriented general-purpose programming language. -haskell - A standardized, general-purpose programming language with non-strict +haskell [ghc] - A standardized, general-purpose programming language with non-strict semantics and strong static typing. lua - A lightweight multi-paradigm programming language designed as a scripting language. clojure - A general-purpose programming language with an emphasis on functional -programming. It is a dialect of the Lisp programming language. +programming. It is a dialect of the Lisp programming language. go - A statically-typed language developed at Google with syntax loosely derived from C with garbage collection. @@ -64,8 +66,6 @@ various other programming languages. smlnj -(Standard ML of New Jersey) a compiler and programming environment for Standard ML - -spidermonkey - JavaScript engine maintained by the Mozilla Foundation. .SS Text Editors vim - A popular vi clone and the IDE of choice of most of the #! regulars. Ships by default on all operating systems that matter. @@ -83,20 +83,9 @@ pico - (Pine Composer) a text editor originally integrated with the pine e-mail client and designed at the Office of Computing and Communications at the University of Washington. -e3 - A full-featured text editor with choosable syntax including Pico, Emacs, -and VI. - -ne - (nice editor) A text editor created at the University of Milan intended to -be an alternative to VI for beginners. - mcedit - Internal text editor for the Midnight Commander file manager. zile - An Emacs like text editor that is less resource intensive. - -mg - (originally MicroGnuEmacs) An editor similar to Emacs with a smaller -memory footprint and faster speed. - -jed - A text editor that makes use of the S-Lang library. .SS Password Management pass - A shell based password manager. .SS Cryptography / Hashing 
@@ -111,13 +100,7 @@ md5sum - Calculates and verifies 128-bit MD5 hashes as described in RFC 1321. shasum - Calculates and verifies SHA hashes. bcrypt - A key derivation function for passwords based on the Blowfish cipher. - -ccrypt - A utility for the secure encryption and decryption of files and -streams. .SS Time Management -calcurse - A calendar and scheduling application used to keep track of events, -appointments, and everyday tasks. - calendar - Checks current directory or CALENDAR_DIR environment variable for a file named calendar and displays appointments and reminders. @@ -125,15 +108,13 @@ remind - A sophisticated reminder service. wyrd - A text-based front-end to the Remind program. -taskwarrior - a CLI time and task management tool. - tudu - A command-line tool to manage TODO lists hierarchically. .SS Shells bash - (Bourne Again Shell) The standard shell on most Linux and unix-like -systems which is a GNU replacement for the Unix Bourne shell. A linux classic +systems which is a GNU replacement for the Unix Bourne shell. A linux classic brah. -zsh - (Z Shell) An extension of the Bourne shell extended with features from +zsh - (Z Shell) An extension of the Bourne shell extended with features from ksh and tcsh. fish - (Friendly Interactive Shell) An attempt to make a more interactive, 
@@ -142,35 +123,23 @@ user-friendly shell. ksh - (Korn Shell) A shell backwards compatible with the Bourne shell but also includes many features of the C shell. .SS Email -mutt - A text-based email client. "All mail clients suck. This one just sucks +mutt - A text-based email client. "All mail clients suck. This one just sucks less." - -alpine - (Alternatively Licensed Program for Internet News and Email) A -text-based email client developed at the University of Washington. - -slrn - A text-based news client that uses the S-Lang library. - -offlineimap - An IMAP synchronization utility software, capable of -synchronizing mail on IMAP server with local Maildir folder or another server. - -mu - A set of tools that enable you to quickly find e-mails you are looking -for in Maildir. .SS Math -ledger - A double-entry accounting system accessed from the command line. units - Unit conversion utility. + dc - A reverse-polish desk calculator which supports arbitrary-precision arithmetic. + qalc - A small simple to use command-line calculator. + bc - An arbitrary precision calculator language + .SS Chat / IM weechat-curses - Wee Enhanced Environment for Chat (Curses version) irssi - A text-based IRC client written in the C programming language. -centerim - A text based menu and window-driven instant messaging interface that -supports ICQ, Yahoo!, AIM, MSN, IRC, XMPP, LiveJournal, and Gadu-Gadu -protocols. - finch - A console-based instant messaging client based on the libpurple library. 
@@ -195,33 +164,7 @@ channel. If you are interested in using Google Talk follow this guide http://wiki.bitlbee.org/HowtoGtalk .RE -barnowl - A curses-based instant messaging client forked from the ktools owl -project that supports Zephyr, AIM, Jabber, IRC, and Twitter. - -pork - An ncurses-based AOL instant messenger and IRC client. - -scrollz - An advanced ircII-based IRC client. - -ii - A minimalistic FIFO and filesystem based IRC client. - -sic - A fast, simple IRC client that reads from standard input and prints -server output to standard output. - -erc - An IRC client integrated into GNU Emacs. -.SS News Reader -newsbeuter - A text-based news aggregator that supports RSS and Atom. - -rsstail - An RSS news reader which works similar to the tail command. - -canto - An ncurses RSS reader built to be flexible on top of python. - -rawdog - (RSS Aggregator Without Delusions Of Grandeur) An RSS aggregator that -uses the Python feedparser module to retrieve articles from feeds in RSS, Atom -and other formats. .SS Web Browsing -links - A menu-driven text mode web browser with ncurses interface supporting colors, table -rendering and background downloading. - elinks - Similar to links, but also supports Form Input, Password Management, and Tabbed Browsing 
@@ -231,19 +174,7 @@ w3m - A text based web browser and pager. html2text - Reads an HTML document and outputs plain text characters. .SS Database -sqlite3 - A relational database management system contained in a C programming -library. - -mariadb - A fork of the MySQL relational database management system led by the -original developer of MySQL. - -postgresql - An Object-relational database management system that emphasises -extensibility and standards-compliance. - -mongodb - A document-oriented NoSQL database that uses JSON-like documents with -dynamic schemas. - -redis - A networked, in-memory, key-value data store with optional durability +redis [redis-*] - A networked, in-memory, key-value data store with optional durability written in ANSI C. .SS File Management mc - (Midnight Commander) A text-based file manager similar to Norton @@ -255,20 +186,17 @@ transfer files between hosts. rsync - A file synchronization and file transfer program that minimizes network data transfer by using a form of delta encoding called the rsync algorithm. -rsynccrypto - A utility that encrypts a file or directory structure that is -rsync friendly. - duplicity - A software suite that provides encrypted, digitally signed, versioned, remote backups of files. -vifm - An ncurses based file manager with vi like keybindings. - ranger - A text-based file manager written in Python. du - (disc usage) Estimates file space usage on a filesystem. ncdu - A simple ncurses disk usage analyzer. +stow - A symlink manager. Helpful for managing several locally-installed things. + find - Used to search the filesystem for a particular file. locate - Searches a prebuilt database for files on a filesystem. 
@@ -286,45 +214,20 @@ p7zip - A program for compressing and uncompressing 7-zip compressed files. tar - Utility used for compressing and uncompressing tar files. -dar - (disc archive) A command-line archiving tool intended as a replacement -for tar. - gzip - An application used to create gzip compressed files. zpaq - A program for creating journaling or append-only compression files. .SS Network -iptraf - A console-based network statistics utility. - -nethogs - A tool for monitoring processes by bandwidth usage. - -slurm - (Simple Linux Utility for Resource Management) A job scheduler used on -supercomputers and computer clusters. +iperf - A bandwidth measurement utility. nmap - (Network Mapper) A security scanner used to discover hosts and services on a computer network. -ngrep - (Network Grep) A network packet analyzer that relies upon the pcap -library and GNU regex. - -tcpdump - A common packet analyzer that allows the user to intercept and -display TCP/IP and other packets being transmitted or received over the -network. - -trickle - A portable lightweight userspace bandwidth shaper. - -ifstat - A tool for reporting network interface bandwidth. - -iftop - Displays bandwidth usage on an interface. - mtr - (Matt's TraceRoute) Combines the functionality of the traceroute and ping programs in a single network diagnostic tool. telnet - Used to communicate with another host using the telnet protocol. -netpipes - (Network Protocol Independent Performance Evaluator) Uses a series -of ping-pong tests over a range of message sizes to provide a complete measure -of the performance of a network. - ssh - A client used to connect to a host using the Secure Shell protocol. siege - A multi-threaded http load testing and benchmarking utility. 
@@ -335,9 +238,7 @@ connections to other hosts. curl - A tool used to transfer data from or to a server using HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE). -rtorrent - A BitTorrent client for ncurses using the libtorrent library. - -aria2 - A utility for downloading files via HTTP(S), FTP, BitTorrent, and +aria2 [aria2c] - A utility for downloading files via HTTP(S), FTP, BitTorrent, and Metalink. ipcalc - A program that calculates IP information for a host. @@ -350,27 +251,17 @@ the command line. ssh-copy-id - A script that uses SSH to copy a public key to a remote machine's authorized_keys. - -zeromq - A high-performance asynchronous messaging library aimed at use in a -scalable distributed or concurrent application. - -rabbitmq - A message broker that implements the Advanced Message Queuing -Protocol (AMQP) .SS Image Tools -optipng - Attempts to optimize PNG files by reducing their size to a minimum -without losing any information. +imagemagick [convert, mogrify, ...] - A software suits used to create, edit, and compose bitmap images. -imagemagick - A software suits used to create, edit, and compose bitmap images. - -gd - A perl interface for the gd graphics library. .SS Code Management cvs - (Concurrent Versions System) A revision control system using client-server architecture. -svn - (Subversion) A software versioning and revision control system +svn - (Subversion) A software versioning and revision control system maintained by apache and designed as a successor to CVS -mercurial - A distributed revision control system designed for high +mercurial [hg] - A distributed revision control system designed for high performance, scalability, and decentralization. git - A distributed version control system with an emphasis on speed, data 
@@ -384,15 +275,13 @@ diff - Compares files line by line. vimdiff - Edits 2 - 4 versions of a file with vim while showing differences. -vimpager - Allows vim to be used as a pager for things like man pages. - -hub - A command-line wrapper for git. - ctags - A programming tool that generates an index file of names found in source and header files of various programming languages. cmake - Software for managing the build process of software using a compiler-independent method. + +shellcheck - Linter for shell scripts .SS Games/Toys zangband - A dungeon-crawling roguelike game derived from Angband and based on 
@@ -403,55 +292,26 @@ nethack - A roguelike game descended from the game Hack and Rogue. slashem - (Super Lotsa Added Stuff Hack - Extended Magic) is a variant of the roguelike game NetHack that offers extra features, monsters, and items. -cmatrix - CMatrix simulates the display from "The Matrix". - frotz - An interpreter for Infocom games and other z-machine games. -bsdgames - A collection of text games from BSD systems. - -bb - An ASCII-art demo that uses AAlib - -sl - Displays a choo-choo when peopl mistype the 'ls' command. +bsdgames [adventure, ...] - A collection of text games from BSD systems. bastet - (Bastard Tetris) A Tetris clone. -greed - A puzzle game with numbers. - gnugo - Open source implementation of the game Go. gnuchess - Chess - -moon-buggy - Drive a buggy across the moon. - -typespeed - Tests typing speed and gets your fingers' CPS. -.SS MUSH/MOO/MUD Clients - -tinyfugue - A MUD client sucessor to TinyTalk. - -tintin++ - A mud client on unix that succeeds TINTIN (The kIckiN Ticking -dIkumud clieNt") - -kbtin - Another heavily extended clone of the TinTin++ MUD client. - -pennmush - A successor to TinyMud. .SS System Management Utilities -bonnie++ - A filesystem benchmarking tool aimed at performing a number of -simple tests of hard drive and file system performance. - htop - An interactive system-monitor process-viewer. -dstat - A versatile tool for generating system resource statistics. - -iotop - A simple top-like tool for monitoring I/O. - -sysdig - System-level exploration and troubleshooting tool. - strace - Application for tracing system calls and signals. -cpulimit - A program that attempts to limit the cpu usage of a process. - cgroups - (Control Groups) A kernel feature to limit, account, and isolate resource usage of process groups. + +command-not-found - (Debian) Suggest a package when the user calls a command +that could not be found. 
+ .SS Window/Session Managers tmux - An Application used to multiplex several virtual consoles, allowing a @@ -460,18 +320,12 @@ user to access multiple separate terminal sessions inside a single terminal. screen - Application used to multiplex several virtual consoles, allowing a user to access multiple separate terminal sessions in a single terminal. -dtach - A program that emulates the detach feature of screen. - byobu - An enhancement for the terminal multiplexers Screen or Tmux that can be used to provide on screen notification or status as well as tabbed multi-window management. - .SS Misc. / Unsorted (Sort these!) pv - Monitors the progress of data through a pipe. -ttyrec - Records the TTY output of a text-mode program together with timestamps -and then replaying it. - tsung - Used to stress test HTTP, WebDAV, LDAP, MySQL, PostgreSQL, SOAP, and XMPP servers. @@ -480,15 +334,8 @@ xargs - Used to build and execute command lines from standard input. parallel - Shell tool for executing jobs in parallel using one or more computers. -tpp - (Text Presentation Program) an ncurses-based presentation tool. - -ack - A grep-like text finder. - ag - A significantly faster replacement to ACK with a built in VCS. -repl - Wraps a non-interactive command in an interactive read-eval-print-loop -prompt. - watch - Executes a program periodically, showing the output fullscreen. libev - A high-performance event loop for C. 
@@ -496,15 +343,12 @@ libev - A high-performance event loop for C. libevent - Provides a mechanism to execute a callback function when a specific event occurs on a file descriptor or after a timeout has been reached. -lame - An MP3 encoder. - cowsay - Generates ASCII pictures of a cow with a message. dos2unix - Converts line breaks in a text file from DOS format to Unix format. unix2dos - Converts line breaks in a text file from Unix format to DOS format. .SH HISTORY - 2004 - lrvick secured free-for-all usage of a dedicated server, hosted at "The Planet" datacenter in Austin, TX, in exchange for providing free system administration services to an educational web application provider. He @@ -578,10 +422,10 @@ expanding our free community offerings to the general public. .SH You can help! -Fork, make changes, and submit Github Pull Requests Here: +Fork, make changes, and submit Github Pull Requests here: -https://github.com/hashbang/shell-server +https://github.com/hashbang/shell-etc This man file can be updated here: -https://github.com/hashbang/shell-server/blob/master/usr/local/man/man7/hashbang.7 +https://github.com/hashbang/shell-etc/blob/master/man/man7/hashbang.7 diff --git a/manpath.config b/manpath.config new file mode 100644 index 0000000..5c067f9 --- /dev/null +++ b/manpath.config 
@@ -0,0 +1,133 @@
+# manpath.config
+#
+# This file is used by the man-db package to configure the man and cat paths.
+# It is also used to provide a manpath for those without one by examining
+# their PATH environment variable. For details see the manpath(5) man page.
+#
+# Lines beginning with `#' are comments and are ignored. Any combination of
+# tabs or spaces may be used as `whitespace' separators.
+#
+# There are three mappings allowed in this file:
+# --------------------------------------------------------
+# MANDATORY_MANPATH manpath_element
+# MANPATH_MAP path_element manpath_element
+# MANDB_MAP global_manpath [relative_catpath]
+#---------------------------------------------------------
+# every automatically generated MANPATH includes these fields
+#
+#MANDATORY_MANPATH /usr/src/pvm3/man
+#
+MANDATORY_MANPATH /usr/man
+MANDATORY_MANPATH /usr/share/man
+MANDATORY_MANPATH /usr/local/share/man
+MANDATORY_MANPATH /etc/man
+#---------------------------------------------------------
+# set up PATH to MANPATH mapping
+# ie. what man tree holds man pages for what binary directory.
+#
+# *PATH* -> *MANPATH*
+#
+MANPATH_MAP /bin /usr/share/man
+MANPATH_MAP /usr/bin /usr/share/man
+MANPATH_MAP /sbin /usr/share/man
+MANPATH_MAP /usr/sbin /usr/share/man
+MANPATH_MAP /usr/local/bin /usr/local/man
+MANPATH_MAP /usr/local/bin /usr/local/share/man
+MANPATH_MAP /usr/local/sbin /usr/local/man
+MANPATH_MAP /usr/local/sbin /usr/local/share/man
+MANPATH_MAP /usr/X11R6/bin /usr/X11R6/man
+MANPATH_MAP /usr/bin/X11 /usr/X11R6/man
+MANPATH_MAP /usr/games /usr/share/man
+MANPATH_MAP /opt/bin /opt/man
+MANPATH_MAP /opt/sbin /opt/man
+#---------------------------------------------------------
+# For a manpath element to be treated as a system manpath (as most of those
+# above should normally be), it must be mentioned below. Each line may have
+# an optional extra string indicating the catpath associated with the
+# manpath. 
If no catpath string is used, the catpath will default to the
+# given manpath.
+#
+# You *must* provide all system manpaths, including manpaths for alternate
+# operating systems, locale specific manpaths, and combinations of both, if
+# they exist, otherwise the permissions of the user running man/mandb will
+# be used to manipulate the manual pages. Also, mandb will not initialise
+# the database cache for any manpaths not mentioned below unless explicitly
+# requested to do so.
+#
+# In a per-user configuration file, this directive only controls the
+# location of catpaths and the creation of database caches; it has no effect
+# on privileges.
+#
+# Any manpaths that are subdirectories of other manpaths must be mentioned
+# *before* the containing manpath. E.g. /usr/man/preformat must be listed
+# before /usr/man.
+#
+# *MANPATH* -> *CATPATH*
+#
+MANDB_MAP /usr/man /var/cache/man/fsstnd
+MANDB_MAP /usr/share/man /var/cache/man
+MANDB_MAP /usr/local/man /var/cache/man/oldlocal
+MANDB_MAP /usr/local/share/man /var/cache/man/local
+MANDB_MAP /usr/X11R6/man /var/cache/man/X11R6
+MANDB_MAP /opt/man /var/cache/man/opt
+MANDB_MAP /etc/man /var/cache/man/etc
+#
+#---------------------------------------------------------
+# Program definitions. These are commented out by default as the value
+# of the definition is already the default. To change: uncomment a
+# definition and modify it.
+#
+#DEFINE pager pager -s
+#DEFINE cat cat
+#DEFINE tr tr '\255\267\264\327' '\055\157\047\170'
+#DEFINE grep grep
+#DEFINE troff groff -mandoc
+#DEFINE nroff nroff -mandoc
+#DEFINE eqn eqn
+#DEFINE neqn neqn
+#DEFINE tbl tbl
+#DEFINE col col
+#DEFINE vgrind vgrind
+#DEFINE refer refer
+#DEFINE grap grap
+#DEFINE pic pic -S
+#
+#DEFINE compressor gzip -c7
+#---------------------------------------------------------
+# Misc definitions: same as program definitions above.
+#
+#DEFINE whatis_grep_flags -i
+#DEFINE apropos_grep_flags -iEw
+#DEFINE apropos_regex_grep_flags -iE
+#---------------------------------------------------------
+# Section names. Manual sections will be searched in the order listed here;
+# the default is 1, n, l, 8, 3, 0, 2, 5, 4, 9, 6, 7. Multiple SECTION
+# directives may be given for clarity, and will be concatenated together in
+# the expected way.
+# If a particular extension is not in this list (say, 1mh), it will be
+# displayed with the rest of the section it belongs to. The effect of this
+# is that you only need to explicitly list extensions if you want to force a
+# particular order. Sections with extensions should usually be adjacent to
+# their main section (e.g. "1 1mh 8 ...").
+#
+SECTION 1 n l 8 3 2 3posix 3pm 3perl 5 4 9 6 7
+#
+#---------------------------------------------------------
+# Range of terminal widths permitted when displaying cat pages. If the
+# terminal falls outside this range, cat pages will not be created (if
+# missing) or displayed.
+#
+#MINCATWIDTH 80
+#MAXCATWIDTH 80
+#
+# If CATWIDTH is set to a non-zero number, cat pages will always be
+# formatted for a terminal of the given width, regardless of the width of
+# the terminal actually being used. This should generally be within the
+# range set by MINCATWIDTH and MAXCATWIDTH.
+#
+#CATWIDTH 0
+#
+#---------------------------------------------------------
+# Flags.
+# NOCACHE keeps man from creating cat pages.
+#NOCACHE
diff --git a/msmtprc b/msmtprc
new file mode 100644
index 0000000..ef8839b
--- /dev/null
+++ b/msmtprc
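Review bot: The `/etc/man` entries (`MANDATORY_MANPATH /etc/man` earlier in this hunk and `MANDB_MAP /etc/man /var/cache/man/etc`) appear to be the only lines that differ from the stock man-db manpath.config the rest of the file reproduces, and nothing marks them as a local change. A comment next to each, e.g. `# hashbang: /etc/man holds the man pages shipped with this repo (man/man7/hashbang.7)`, would keep a future conffile merge or a reviewer diffing against the package default from dropping them. That /etc/man is where the repo's `man/` directory lands is inferred from the updated hashbang.7 link in this commit rather than shown in this hunk.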
@@ -0,0 +1,25 @@
+# Global defaults
+defaults
+aliases /etc/aliases
+logfile ~/.msmtp.log
+
+# Hashbang account
+# Required for msmtp to function as sendmail
+account hashbang.sh
+host mail.hashbang.sh
+
+# Sender address
+auto_from on
+maildomain hashbang.sh
+
+# TLS configuration
+tls on
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+
+# Syslog logging with facility LOG_MAIL instead of the default LOG_USER.
+# Only applies to the #! account
+syslog LOG_MAIL
+
+
+# Make hashbang the default account
+account default : hashbang.sh
diff --git a/network/interfaces.example b/network/interfaces.example
new file mode 100644
index 0000000..c562750
--- /dev/null
+++ b/network/interfaces.example
@@ -0,0 +1,37 @@
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# The primary network interface
+# The networks 192.0.2.0/24 (TEST-NET-1) and 203.0.113.0/24 (TEST-NET-3)
+# are reserved for documentation, per RFC5737
+auto eth0
+iface eth0 inet static
+ address 192.0.2.42
+ netmask 255.255.255.0
+ gateway 192.0.2.254
+
+# Assuming that native IPv6 is available:
+iface eth0 inet6 static
+ address 2001:DB8:f00d:b1a::10ca1
+ netmask 64
+
+# Otherwise, using a Hurricane Electrics tunnel:
+auto he-ipv6
+iface he-ipv6 inet6 v4tunnel
+ # Our IPv6 address for routing
+ address 2001:DB8:f00d:b1a::2
+ gateway 2001:DB8:f00d:b1a::1
+ netmask 64
+ # The tunnel endpoints
+ endpoint 203.0.113.226
+ local 192.0.2.42
+ ttl 255
+ # Sad hack
+ up ip a add dev $IFACE 2001:DB8:f00:b1a::/64
+ down ip a del dev $IFACE 2001:DB8:f00:b1a::/64
diff --git a/npmrc b/npmrc
new file mode 100644
index 0000000..dc3f6fb
--- /dev/null
+++ b/npmrc
@@ -0,0 +1 @@
+prefix = ${HOME}/.npm-packages
diff --git a/nslcd.conf b/nslcd.conf
new file mode 100644
index 0000000..8abbbaf
--- /dev/null
+++ b/nslcd.conf
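Review bot: The `up`/`down` lines at the end of the he-ipv6 stanza in network/interfaces.example add `2001:DB8:f00:b1a::/64`, whose third hextet (`f00`) differs from the `f00d` used by every other address in the file, so a reader cannot tell whether this is a second, separately routed /64 or a typo for the tunnel's own prefix. The `# Sad hack` comment should state which it is and why the prefix cannot be expressed with the stanza's `address`/`netmask`, e.g. `# Additional routed /64 from the tunnel broker; added by hand because the stanza only carries one address`. Since the file is an example built on documentation prefixes, the exact values matter less than the two lines agreeing with the stated intent.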
@@ -0,0 +1,32 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri ldaps://ldap.hashbang.sh/
+
+# The search base that will be used for all queries.
+base dc=hashbang,dc=sh
+
+# The LDAP protocol version to use.
+#ldap_version 3
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert never
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+
+# The search scope.
+#scope sub
+
diff --git a/nsswitch.conf b/nsswitch.conf
new file mode 100644
index 0000000..9b5d09c
--- /dev/null
+++ b/nsswitch.conf
@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: compat sss
+group: compat sss
+shadow: compat sss
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files sss
+ethers: db files
+rpc: db files
+
+netgroup: nis sss
+sudoers: files
diff --git a/oidentd.conf b/oidentd.conf
new file mode 100644
index 0000000..134f37f
--- /dev/null
+++ b/oidentd.conf
@@ -0,0 +1,10 @@
+default {
+ default {
+ deny spoof_all
+ deny spoof_privport
+ deny hide
+ deny random
+ allow numeric
+ deny random_numeric
+ }
+}
diff --git a/packages.txt b/packages.txt
new file mode 100644
index 0000000..552771b
--- /dev/null
+++ b/packages.txt
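Review bot: `tls_reqcert never` in nslcd.conf disables verification of the LDAP server's certificate, so the `ldaps://ldap.hashbang.sh/` connection that carries account lookups is encrypted but not authenticated, and the `tls_cacertfile /etc/ssl/certs/ca-certificates.crt` line right below it has no effect. Anyone able to sit between the host and the directory could answer as the LDAP server, which for a file that feeds passwd/group/shadow data is the wrong trade-off; the fix is the single line `tls_reqcert demand`, and if the directory uses a private CA, point `tls_cacertfile` at that CA bundle rather than relaxing the check. How much traffic actually reaches nslcd is not fully visible here: the nsswitch.conf hunk in this same commit routes passwd/group/shadow through `sss`, not `ldap`, so the nslcd path may be used only by PAM or other configuration outside this diff.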
@@ -0,0 +1,1222 @@ +acl install +acpi install +acpi-support-base install +acpid install +adduser install +aglfn install +ansible install +apt install +apt-file install +apt-transport-https install +apt-utils install +aptitude install +aptitude-common install +aria2 install +aspell install +aspell-en install +at install +atool install +auditd install +autoconf install +automake install +autopoint install +autotools-dev install +base-files install +base-passwd install +bash install +bash-completion install +bastet install +bc install +bcrypt install +bind9-host install +binfmt-support install +binutils install +bitlbee install +bitlbee-common install +bsdgames install +bsdmainutils install +bsdutils install +build-essential install +busybox install +byobu install +bzip2 install +ca-certificates install +cgroup-tools install +checkpolicy install +cloc install +cloud-initramfs-dyn-netconf install +cloud-initramfs-growroot install +cloud-utils install +cmake install +cmake-data install +command-not-found install +console-setup install +console-setup-linux install +coreutils install +cowsay install +cpio install +cpp install +cpp-4.9 install +cracklib-runtime install +cron install +curl install +cvs install +dash install +dbus install +dbus-x11 install +dc install +dconf-gsettings-backend:amd64 install +dconf-service install +dctrl-tools install +deb.torproject.org-keyring install +debconf install +debconf-i18n install +debconf-utils install +debhelper install +debian-archive-keyring install +debian-keyring install +debianutils install +debsums install +devscripts install +dh-lua install +dh-python install +dictionaries-common install +diffutils install +discover install +discover-data install +distro-info install +distro-info-data install +dmidecode install +dmsetup install +dns-root-data install +dnsutils install +docutils-common install +dos2unix install +dpkg install +dpkg-dev install +duplicity install +e2fslibs:amd64 install +e2fsprogs install +eject install 
+elinks install +elinks-data install +emacs-nox install +emacs24-bin-common install +emacs24-common install +emacs24-common-non-dfsg install +emacs24-nox install +emacsen-common install +encfs install +erlang-asn1 install +erlang-base install +erlang-crypto install +erlang-inets install +erlang-mnesia install +erlang-os-mon install +erlang-public-key install +erlang-runtime-tools install +erlang-snmp install +erlang-ssl install +etckeeper install +euca2ools install +exuberant-ctags install +fakeroot install +ferm install +figlet install +file install +findutils install +firejail install +fish install +fish-common install +fontconfig install +fontconfig-config install +fonts-dejavu-core install +fonts-droid install +fonts-lyx install +frotz install +fuse install +g++ install +g++-4.9 install +gawk install +gcc install +gcc-4.8-base:amd64 install +gcc-4.9 install +gcc-4.9-base:amd64 install +gcc-5-base:amd64 install +gcc-6-base:amd64 install +gconf-service install +gconf2 install +gconf2-common install +gdb install +geoip-database install +gettext install +gettext-base install +gforth install +gforth-common install +gforth-lib:amd64 install +ghc install +gir1.2-glib-2.0:amd64 install +git install +git-email install +git-man install +glances install +glib-networking:amd64 install +glib-networking-common install +glib-networking-services install +gnuchess install +gnugo install +gnupg install +gnupg-agent install +gnupg2 install +gnuplot-data install +gnuplot-nox install +gnuplot-tex install +golang-go install +golang-go-linux-amd64 install +golang-src install +gpgv install +grep install +groff-base install +grub-common install +grub-pc install +grub-pc-bin install +grub2-common install +gsettings-desktop-schemas install +gsfonts install +gstreamer0.10-gconf:amd64 install +gstreamer0.10-nice:amd64 install +gstreamer0.10-plugins-base:amd64 install +gstreamer0.10-plugins-good:amd64 install +guile-2.0 install +guile-2.0-dev install +guile-2.0-libs:amd64 install +gyp 
install +gzip install +haveged install +hddtemp install +hicolor-icon-theme install +hostname install +html2text install +htop install +httpie install +iamerican install +ibritish install +ieee-data install +ienglish-common install +ifupdown install +imagemagick install +imagemagick-6.q16 install +imagemagick-common install +info install +init install +init-system-helpers install +initramfs-tools install +initscripts install +insserv install +install-info install +installation-report install +intltool-debian install +iotop install +ipcalc install +iperf install +iproute install +iproute2 install +iptables install +iputils-ping install +ipxe-qemu install +irssi install +isc-dhcp-client install +isc-dhcp-common install +iso-codes install +ispell install +java-common install +javascript-common install +joe install +john install +john-data install +jq install +kbd install +kexec-tools install +keyboard-configuration install +klibc-utils install +kmod install +krb5-locales install +ksh install +laptop-detect install +ldap-utils install +ldnsutils install +less install +lftp install +libaa1:amd64 install +libacl1:amd64 install +libaio1:amd64 install +libalgorithm-diff-perl install +libalgorithm-diff-xs-perl install +libalgorithm-merge-perl install +libapol4:amd64 install +libapparmor1:amd64 install +libappconfig-perl install +libapr1:amd64 install +libaprutil1:amd64 install +libapt-inst1.5:amd64 install +libapt-pkg-perl install +libapt-pkg4.12:amd64 install +libarchive13:amd64 install +libasan1:amd64 install +libasm4-java install +libasn1-8-heimdal:amd64 install +libasound2:amd64 install +libasound2-data install +libaspell15:amd64 install +libasprintf-dev:amd64 install +libasprintf0c2:amd64 install +libass5:amd64 install +libassuan0:amd64 install +libasyncns0:amd64 install +libatk1.0-0:amd64 install +libatk1.0-data install +libatomic1:amd64 install +libattr1:amd64 install +libaudit-common install +libaudit1:amd64 install +libauparse0:amd64 install +libavahi-client3:amd64 
install +libavahi-common-data:amd64 install +libavahi-common3:amd64 install +libavahi-glib1:amd64 install +libavc1394-0:amd64 install +libbasicobjects0:amd64 install +libbind9-90 install +libblas-common install +libblas3 install +libblkid1:amd64 install +libbluetooth3:amd64 install +libboost-filesystem1.55.0:amd64 install +libboost-iostreams1.55.0:amd64 install +libboost-program-options1.55.0:amd64 install +libboost-serialization1.55.0:amd64 install +libboost-system1.55.0:amd64 install +libboost-thread1.55.0:amd64 install +libbrlapi0.6:amd64 install +libbsd-dev:amd64 install +libbsd0:amd64 install +libbz2-1.0:amd64 install +libc-ares-dev:amd64 install +libc-ares2:amd64 install +libc-bin install +libc-dev-bin install +libc6:amd64 install +libc6-dev:amd64 install +libcaca0:amd64 install +libcairo-gobject2:amd64 install +libcairo2:amd64 install +libcap-ng-utils install +libcap-ng0:amd64 install +libcap2:amd64 install +libcap2-bin install +libcdaudio1 install +libcdparanoia0:amd64 install +libcgroup1:amd64 install +libcilkrts5:amd64 install +libclass-method-modifiers-perl install +libclass-methodmaker-perl install +libcln6 install +libcloog-isl4:amd64 install +libcollection4:amd64 install +libcomerr2:amd64 install +libconfig-file-perl install +libconvert-binhex-perl install +libcrack2:amd64 install +libcroco3:amd64 install +libcryptsetup4:amd64 install +libcups2:amd64 install +libcupsfilters1:amd64 install +libcupsimage2:amd64 install +libcurl3:amd64 install +libcurl3-gnutls:amd64 install +libcwidget3:amd64 install +libdata-perl-perl install +libdatrie1:amd64 install +libdb5.3:amd64 install +libdbus-1-3:amd64 install +libdbus-glib-1-2:amd64 install +libdc1394-22:amd64 install +libdca0:amd64 install +libdconf1:amd64 install +libdebconfclient0:amd64 install +libdevel-globaldestruction-perl install +libdevmapper1.02.1:amd64 install +libdhash1:amd64 install +libdigest-hmac-perl install +libdirac-encoder0:amd64 install +libdirectfb-1.2-9:amd64 install +libdiscover2 install 
+libdns-export100 install +libdns100 install +libdpkg-perl install +libdrm2:amd64 install +libdv4:amd64 install +libdvdnav4:amd64 install +libdvdread4:amd64 install +libedit2:amd64 install +libee0 install +libelfg0:amd64 install +libenca0:amd64 install +libept1.4.12:amd64 install +liberror-perl install +libestr0 install +libev4 install +libevent-2.0-5:amd64 install +libevent-core-2.0-5:amd64 install +libevent-extra-2.0-5:amd64 install +libevent-openssl-2.0-5:amd64 install +libevent-pthreads-2.0-5:amd64 install +libexpat1:amd64 install +libexpat1-dev:amd64 install +libexporter-tiny-perl install +libfaad2:amd64 install +libfakeroot:amd64 install +libfdt1:amd64 install +libffcall1 install +libffi-dev:amd64 install +libffi6:amd64 install +libfftw3-double3:amd64 install +libfile-fcntllock-perl install +libfile-find-rule-perl install +libfile-fnmatch-perl install +libflac8:amd64 install +libflite1:amd64 install +libfontconfig1:amd64 install +libfreetype6:amd64 install +libfribidi0:amd64 install +libfsplib0 install +libfuse2:amd64 install +libgadu3 install +libgc-dev:amd64 install +libgc1c2:amd64 install +libgcc-4.9-dev:amd64 install +libgcc1:amd64 install +libgconf-2-4:amd64 install +libgcrypt20:amd64 install +libgd3:amd64 install +libgdbm3:amd64 install +libgdk-pixbuf2.0-0:amd64 install +libgdk-pixbuf2.0-common install +libgeoip1:amd64 install +libgettextpo-dev:amd64 install +libgettextpo0:amd64 install +libgfortran3:amd64 install +libgirepository-1.0-1:amd64 install +libgl1-mesa-glx:amd64 install +libglapi-mesa:amd64 install +libglib2.0-0:amd64 install +libglib2.0-data install +libgme0 install +libgmp-dev:amd64 install +libgmp10:amd64 install +libgmpxx4ldbl:amd64 install +libgnupg-interface-perl install +libgnutls-deb0-28:amd64 install +libgnutls-openssl27:amd64 install +libgomp1:amd64 install +libgpg-error0:amd64 install +libgpgme11:amd64 install +libgpm2:amd64 install +libgraphite2-3:amd64 install +libgsasl7 install +libgsm1:amd64 install +libgssapi-krb5-2:amd64 
install +libgssapi3-heimdal:amd64 install +libgssdp-1.0-3 install +libgstreamer-plugins-bad0.10-0:amd64 install +libgstreamer-plugins-base0.10-0:amd64 install +libgstreamer0.10-0:amd64 install +libgtk2.0-0:amd64 install +libgtk2.0-bin install +libgtk2.0-common install +libgudev-1.0-0:amd64 install +libgumbo-dev:amd64 install +libgumbo1:amd64 install +libgupnp-1.0-4 install +libgupnp-igd-1.0-4:amd64 install +libharfbuzz0b:amd64 install +libhavege1:amd64 install +libhcrypto4-heimdal:amd64 install +libheimbase1-heimdal:amd64 install +libheimntlm0-heimdal:amd64 install +libhogweed2:amd64 install +libhx509-5-heimdal:amd64 install +libicu52:amd64 install +libidn11:amd64 install +libiec61883-0:amd64 install +libijs-0.35:amd64 install +libilmbase6:amd64 install +libimage-exiftool-perl install +libimport-into-perl install +libini-config5:amd64 install +libio-socket-inet6-perl install +libio-socket-ssl-perl install +libipa-hbac0 install +libirs-export91 install +libisc-export95 install +libisc95 install +libisccc90 install +libisccfg-export90 install +libisccfg90 install +libiscsi2:amd64 install +libisl10:amd64 install +libitm1:amd64 install +libjack-jackd2-0:amd64 install +libjasper1:amd64 install +libjbig0:amd64 install +libjbig2dec0 install +libjemalloc1 install +libjpeg62-turbo:amd64 install +libjs-jquery install +libjs-jquery-ui install +libjs-node-uuid install +libjs-sphinxdoc install +libjs-underscore install +libjson-c2:amd64 install +libjsr166y-java install +libk5crypto3:amd64 install +libkate1 install +libkeyutils1:amd64 install +libklibc install +libkmod2:amd64 install +libkrb5-26-heimdal:amd64 install +libkrb5-3:amd64 install +libkrb5support0:amd64 install +libksba8:amd64 install +liblapack3 install +liblcms2-2:amd64 install +libldap-2.4-2:amd64 install +libldap2-dev:amd64 install +libldb1:amd64 install +libldns1 install +liblinear1:amd64 install +liblist-moreutils-perl install +liblocale-gettext-perl install +liblockfile-bin install +liblockfile1:amd64 install 
+liblogging-stdlog0:amd64 install +liblognorm1:amd64 install +liblqr-1-0:amd64 install +liblsan0:amd64 install +libltdl-dev:amd64 install +libltdl7:amd64 install +liblua5.1-0:amd64 install +liblua5.1-0-dev:amd64 install +liblua5.2-0:amd64 install +liblua5.2-dev:amd64 install +liblua5.3-0:amd64 install +liblua5.3-dev:amd64 install +libluajit-5.1-common install +liblwres90 install +liblzma5:amd64 install +liblzo2-2:amd64 install +libmagic1:amd64 install +libmagickcore-6.q16-2:amd64 install +libmagickwand-6.q16-2:amd64 install +libmail-sendmail-perl install +libmailtools-perl install +libmd0:amd64 install +libmeanwhile1 install +libmhash2:amd64 install +libmime-tools-perl install +libmimic0 install +libmms0:amd64 install +libmng1:amd64 install +libmnl0:amd64 install +libmodplug1 install +libmodule-runtime-perl install +libmoo-perl install +libmoox-handlesvia-perl install +libmoox-late-perl install +libmount1:amd64 install +libmpc3:amd64 install +libmpcdec6:amd64 install +libmpdec2:amd64 install +libmpfr4:amd64 install +libmysqlclient18:amd64 install +libncurses5:amd64 install +libncurses5-dev:amd64 install +libncursesw5:amd64 install +libncursesw5-dev:amd64 install +libnet-dns-perl install +libnet-idn-encode-perl install +libnet-ip-perl install +libnet-smtp-ssl-perl install +libnet-ssleay-perl install +libnetfilter-acct1:amd64 install +libnetpbm10 install +libnettle4:amd64 install +libnewt0.52:amd64 install +libnfnetlink0:amd64 install +libnice10:amd64 install +libnl-3-200:amd64 install +libnl-route-3-200:amd64 install +libnpth0:amd64 install +libnspr4:amd64 install +libnss-ldapd:amd64 install +libnss-sss:amd64 install +libnss3:amd64 install +libntdb1:amd64 install +libntlm0:amd64 install +libnumber-compare-perl install +libofa0 install +libogg0:amd64 install +libonig2:amd64 install +libopenal-data install +libopenal1:amd64 install +libopenexr6:amd64 install +libopus0:amd64 install +liborc-0.4-0:amd64 install +libp11-kit0:amd64 install +libpam-ldapd:amd64 install 
+libpam-modules:amd64 install +libpam-modules-bin install +libpam-pwquality:amd64 install +libpam-runtime install +libpam-sss:amd64 install +libpam-systemd:amd64 install +libpam0g:amd64 install +libpango-1.0-0:amd64 install +libpango1.0-0:amd64 install +libpangocairo-1.0-0:amd64 install +libpangoft2-1.0-0:amd64 install +libpangox-1.0-0:amd64 install +libpangoxft-1.0-0:amd64 install +libpaper1:amd64 install +libparams-classify-perl install +libparted2:amd64 install +libpath-utils1:amd64 install +libpcap0.8:amd64 install +libpci3:amd64 install +libpcre3:amd64 install +libpcre3-dev:amd64 install +libpcrecpp0:amd64 install +libpcsclite1:amd64 install +libperl4-corelibs-perl install +libperl5.20 install +libpipeline1:amd64 install +libpixman-1-0:amd64 install +libpng12-0:amd64 install +libpolkit-agent-1-0:amd64 install +libpolkit-backend-1-0:amd64 install +libpolkit-gobject-1-0:amd64 install +libpopt0:amd64 install +libprocps3:amd64 install +libprotobuf-c1 install +libprotobuf9:amd64 install +libproxy1:amd64 install +libpsl0:amd64 install +libpwquality-common install +libpwquality1:amd64 install +libpython-dev:amd64 install +libpython-stdlib:amd64 install +libpython2.7:amd64 install +libpython2.7-dev:amd64 install +libpython2.7-minimal:amd64 install +libpython2.7-stdlib:amd64 install +libpython3-dev:amd64 install +libpython3-stdlib:amd64 install +libpython3.4:amd64 install +libpython3.4-dev:amd64 install +libpython3.4-minimal:amd64 install +libpython3.4-stdlib:amd64 install +libqalculate5:amd64 install +libqalculate5-data install +libqdbm14 install +libqpol1:amd64 install +libqt4-network:amd64 install +libqt4-xml:amd64 install +libqtcore4:amd64 install +libqtdbus4:amd64 install +libquadmath0:amd64 install +librados2 install +libraptor2-0:amd64 install +librasqal3:amd64 install +libraw1394-11:amd64 install +librbd1 install +librdf0:amd64 install +libreadline-dev:amd64 install +libreadline6:amd64 install +libreadline6-dev:amd64 install +libref-array1:amd64 install 
+libregexp-assemble-perl install +libregexp-common-perl install +librlog5 install +libroken18-heimdal:amd64 install +librole-tiny-perl install +librsvg2-2:amd64 install +librsync1:amd64 install +librtmp1:amd64 install +libruby2.1:amd64 install +libsamplerate0:amd64 install +libsasl2-2:amd64 install +libsasl2-dev install +libsasl2-modules:amd64 install +libsasl2-modules-db:amd64 install +libsasl2-modules-gssapi-mit:amd64 install +libschroedinger-1.0-0:amd64 install +libsctp1:amd64 install +libseccomp2:amd64 install +libselinux1:amd64 install +libsemanage-common install +libsemanage1:amd64 install +libsensors4:amd64 install +libsepol1:amd64 install +libserf-1-1:amd64 install +libshout3:amd64 install +libsigc++-2.0-0c2a:amd64 install +libsigsegv2:amd64 install +libslang2:amd64 install +libslv2-9 install +libsmartcols1:amd64 install +libsndfile1:amd64 install +libsocket6-perl install +libsoundtouch0:amd64 install +libsoup-gnome2.4-1:amd64 install +libsoup2.4-1:amd64 install +libspandsp2:amd64 install +libspeex1:amd64 install +libspice-server1:amd64 install +libsqlite3-0:amd64 install +libss2:amd64 install +libssh2-1:amd64 install +libssl-dev:amd64 install +libssl-doc install +libssl1.0.0:amd64 install +libsss-idmap0 install +libsss-sudo install +libstdc++-4.9-dev:amd64 install +libstdc++6:amd64 install +libstrictures-perl install +libsub-exporter-progressive-perl install +libsvn1:amd64 install +libsys-hostname-long-perl install +libsystemd0:amd64 install +libtag1-vanilla:amd64 install +libtag1c2a:amd64 install +libtalloc2:amd64 install +libtasn1-6:amd64 install +libtcl8.5:amd64 install +libtcl8.6:amd64 install +libtdb1:amd64 install +libtemplate-perl install +libterm-readkey-perl install +libtevent0:amd64 install +libtext-charwidth-perl install +libtext-glob-perl install +libtext-iconv-perl install +libtext-template-perl install +libtext-wrapi18n-perl install +libthai-data install +libthai0:amd64 install +libtheora0:amd64 install +libtiff5:amd64 install 
+libtimedate-perl install +libtinfo-dev:amd64 install +libtinfo5:amd64 install +libtokyocabinet9:amd64 install +libtool install +libtool-bin install +libtorrent14:amd64 install +libtre5:amd64 install +libtsan0:amd64 install +libtype-tiny-perl install +libubsan0:amd64 install +libudev1:amd64 install +libunbound2:amd64 install +libunistring0:amd64 install +liburi-perl install +libusb-0.1-4:amd64 install +libusb-1.0-0:amd64 install +libusbredirparser1:amd64 install +libustr-1.0-1:amd64 install +libutempter0 install +libuuid1:amd64 install +libv4l-0:amd64 install +libv4lconvert0:amd64 install +libv8-3.14-dev install +libv8-3.14.5 install +libval14:amd64 install +libvdeplug2 install +libvisual-0.4-0:amd64 install +libvo-aacenc0:amd64 install +libvo-amrwbenc0:amd64 install +libvorbis0a:amd64 install +libvorbisenc2:amd64 install +libvpx1:amd64 install +libwavpack1:amd64 install +libwbclient0:amd64 install +libwildmidi-config install +libwildmidi1:amd64 install +libwind0-heimdal:amd64 install +libwmf0.2-7:amd64 install +libwrap0:amd64 install +libx11-6:amd64 install +libx11-data install +libx11-xcb1:amd64 install +libxapian22 install +libxau6:amd64 install +libxcb-dri2-0:amd64 install +libxcb-dri3-0:amd64 install +libxcb-glx0:amd64 install +libxcb-present0:amd64 install +libxcb-render0:amd64 install +libxcb-shm0:amd64 install +libxcb-sync1:amd64 install +libxcb1:amd64 install +libxcomposite1:amd64 install +libxcursor1:amd64 install +libxdamage1:amd64 install +libxdmcp6:amd64 install +libxen-4.4:amd64 install +libxenstore3.0:amd64 install +libxext6:amd64 install +libxfixes3:amd64 install +libxft2:amd64 install +libxi6:amd64 install +libxinerama1:amd64 install +libxml2:amd64 install +libxml2-dev:amd64 install +libxmlrpc-core-c3 install +libxmuu1:amd64 install +libxpm4:amd64 install +libxrandr2:amd64 install +libxrender1:amd64 install +libxshmfence1:amd64 install +libxslt1-dev:amd64 install +libxslt1.1:amd64 install +libxtables10 install +libxv1:amd64 install 
+libxvidcore4:amd64 install +libxxf86vm1:amd64 install +libyajl2:amd64 install +libyaml-0-2:amd64 install +libzephyr4:amd64 install +libzvbi-common install +libzvbi0:amd64 install +linux-base install +linux-image-3.16.0-4-amd64 install +linux-image-4.9.0-0.bpo.3-amd64 install +linux-image-amd64 install +linux-libc-dev:amd64 install +lm-sensors install +locales install +locales-all install +locate install +login install +logrotate install +lsb-base install +lsb-release install +lsof install +ltrace install +lua5.1 install +lua5.2 install +lua5.3 install +luajit install +luarocks install +lynx install +lynx-cur install +m4 install +make install +man-db install +manpages install +manpages-dev install +mat install +mawk install +mc install +mc-data install +mime-support install +mosh install +mount install +msmtp install +mtr install +multiarch-support install +mutt install +mutt-patched install +mysql-common install +nano install +ncdu install +ncurses-base install +ncurses-bin install +ncurses-doc install +ncurses-term install +net-tools install +netbase install +netcat-traditional install +nethack-common install +nethack-console install +nfacct install +nmap install +node-abbrev install +node-ansi install +node-ansi-color-table install +node-archy install +node-async install +node-block-stream install +node-combined-stream install +node-cookie-jar install +node-delayed-stream install +node-forever-agent install +node-form-data install +node-fstream install +node-fstream-ignore install +node-github-url-from-git install +node-glob install +node-graceful-fs install +node-gyp install +node-inherits install +node-ini install +node-json-stringify-safe install +node-lockfile install +node-lru-cache install +node-mime install +node-minimatch install +node-mkdirp install +node-mute-stream install +node-node-uuid install +node-nopt install +node-normalize-package-data install +node-npmlog install +node-once install +node-osenv install +node-qs install +node-read install 
+node-read-package-json install +node-request install +node-retry install +node-rimraf install +node-semver install +node-sha install +node-sigmund install +node-slide install +node-tar install +node-tunnel-agent install +node-underscore install +node-which install +nodejs install +nodejs-dev install +nodejs-legacy install +npm install +nscd install +nslcd install +nslcd-utils install +oidentd install +openbios-ppc install +openbios-sparc install +openhackware install +openntpd install +openssh-blacklist install +openssh-blacklist-extra install +openssh-client install +openssh-server install +openssh-sftp-server install +openssl install +os-prober install +p7zip install +pandoc install +pandoc-data install +parallel install +parted install +pass install +passwd install +patch install +pciutils install +pep8 install +perl install +perl-base install +perl-modules install +php5-cgi install +php5-cli install +php5-common install +php5-curl install +php5-fpm install +php5-json install +php5-mysql install +php5-sqlite install +pidgin-data install +pinentry-curses install +pkg-config install +po-debconf install +policykit-1 install +poppler-data install +postfix install +procmail install +procps install +psmisc install +pv install +pwgen install +pyflakes install +python install +python-apt install +python-apt-common install +python-audit install +python-backports.ssl-match-hostname install +python-boto install +python-cffi install +python-characteristic install +python-chardet install +python-chardet-whl install +python-cheetah install +python-colorama install +python-colorama-whl install +python-configobj install +python-crypto install +python-cryptography install +python-dateutil install +python-debian install +python-debianbts install +python-decorator install +python-defusedxml install +python-dev install +python-distlib install +python-distlib-whl install +python-distro-info install +python-docutils install +python-ecdsa install +python-flake8 install +python-gdbm 
install +python-geoip install +python-gi install +python-hachoir-core install +python-hachoir-parser install +python-html5lib install +python-html5lib-whl install +python-httplib2 install +python-ipy install +python-jinja2 install +python-json-pointer install +python-jsonpatch install +python-ldap install +python-lockfile install +python-lxml install +python-markupsafe install +python-matplotlib-data install +python-mccabe install +python-minimal install +python-mock install +python-mutagen install +python-ndg-httpsclient install +python-netaddr install +python-networkx install +python-newt install +python-nose install +python-numpy install +python-oauth install +python-openssl install +python-paramiko install +python-pdfrw install +python-pip install +python-pip-whl install +python-pkg-resources install +python-ply install +python-potr install +python-prettytable install +python-pyasn1 install +python-pyasn1-modules install +python-pycparser install +python-pygments install +python-pyparsing install +python-reportbug install +python-reportlab install +python-reportlab-accel:amd64 install +python-requestbuilder install +python-requests install +python-requests-whl install +python-roman install +python-serial install +python-service-identity install +python-setuptools install +python-setuptools-whl install +python-six install +python-six-whl install +python-soappy install +python-software-properties install +python-sss install +python-stevedore install +python-support install +python-talloc install +python-torctl install +python-tox install +python-twisted install +python-twisted-bin install +python-twisted-conch install +python-twisted-core install +python-twisted-lore install +python-twisted-mail install +python-twisted-names install +python-twisted-news install +python-twisted-runner install +python-twisted-web install +python-twisted-words install +python-tz install +python-urllib3 install +python-urllib3-whl install +python-virtualenv install +python-websocket 
install +python-wheel install +python-wstools install +python-yaml install +python-zope.interface install +python2.7 install +python2.7-dev install +python2.7-minimal install +python3 install +python3-apt install +python3-bottle install +python3-chardet install +python3-colorama install +python3-crypto install +python3-decorator install +python3-dev install +python3-distlib install +python3-html5lib install +python3-jinja2 install +python3-markupsafe install +python3-minimal install +python3-numpy install +python3-pip install +python3-pkg-resources install +python3-psutil install +python3-py install +python3-pyasn1 install +python3-pysnmp4 install +python3-requests install +python3-scipy install +python3-setuptools install +python3-six install +python3-urllib3 install +python3-venv install +python3-virtualenv install +python3-wheel install +python3.4 install +python3.4-dev install +python3.4-minimal install +python3.4-venv install +qalc install +qemu-slof install +qemu-system-common install +qemu-user install +qemu-utils install +qprint install +qtcore4-l10n install +ranger install +readline-common install +redis-server install +redis-tools install +remind install +reportbug install +reptyr install +resolvconf install +rsync install +rsyslog install +rtorrent install +ruby install +ruby2.1 install +rubygems-integration install +samba-libs:amd64 install +sbcl install +screen install +seabios install +sed install +sensible-utils install +sgml-base install +shared-mime-info install +shellcheck install +siege install +signing-party install +silversearcher-ag install +silversearcher-ag-el install +slashem install +slashem-common install +socat install +ssh install +ssl-cert install +sssd install +sssd-ad install +sssd-ad-common install +sssd-common install +sssd-ipa install +sssd-krb5 install +sssd-krb5-common install +sssd-ldap install +sssd-proxy install +sssd-tools install +startpar install +stow install +strace install +subversion install +sudo install +swaks 
install +sysstat install +systemd install +systemd-sysv install +sysv-rc install +sysvinit install +sysvinit-utils install +tar install +task-english install +tasksel install +tasksel-data install +tcl8.5 install +tcpd install +telnet install +tig install +tmux install +toilet install +toilet-fonts install +topgit install +tor install +tor-arm install +torsocks install +traceroute install +tree install +tudu install +tzdata install +tzdata-java install +ucf install +udev install +unattended-upgrades install +unbound install +unbound-anchor install +units install +unzip install +urlview install +usbutils install +util-linux install +util-linux-locales install +vim-common install +vim-nox install +vim-runtime install +vim-tiny install +virtualenv install +virtualenv-clone install +virtualenvwrapper install +w3m install +wamerican install +weechat install +weechat-core install +weechat-curses install +weechat-plugins install +wget install +whiptail install +whois install +wyrd install +xauth install +xdg-user-dirs install +xkb-data install +xml-core install +xz-utils install +zangband-data install +zile install +zip install +zlib1g:amd64 install +zlib1g-dev:amd64 install +znc install +zpaq install +zsh install +zsh-common install
diff --git a/pam.d/atd b/pam.d/atd
new file mode 100644
index 0000000..c1964f3
--- /dev/null
+++ b/pam.d/atd
@@ -0,0 +1,10 @@
+#
+# The PAM configuration file for the at daemon
+#
+
+auth required pam_env.so
+@include common-auth
+@include common-account
+session required pam_loginuid.so
+session substack common-session-noninteractive
+session required pam_limits.so
diff --git a/pam.d/chpasswd b/pam.d/chpasswd
new file mode 100644
index 0000000..da2adcc
--- /dev/null
+++ b/pam.d/chpasswd
@@ -0,0 +1,5 @@
+# The PAM configuration file for the Shadow 'chpasswd' service
+#
+
+@include common-password
+
diff --git a/pam.d/chsh b/pam.d/chsh
new file mode 100644
index 0000000..f2c2621
--- /dev/null
+++ b/pam.d/chsh
@@ -0,0 +1,3 @@
+# Allow anyone in the users group to chsh
+
+auth sufficient pam_wheel.so trust group=users use_uid
\ No newline at end of file
diff --git a/pam.d/common-account b/pam.d/common-account
new file mode 100644
index 0000000..03df104
--- /dev/null
+++ b/pam.d/common-account
@@ -0,0 +1,22 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
+account sufficient pam_sss.so
+account sufficient pam_unix.so
+account sufficient pam_localuser.so
+account required pam_deny.so
diff --git a/pam.d/common-auth b/pam.d/common-auth
new file mode 100644
index 0000000..76f2e92
--- /dev/null
+++ b/pam.d/common-auth
@@ -0,0 +1,13 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+
+auth sufficient pam_sss.so
+auth sufficient pam_unix.so use_first_pass
+auth required pam_deny.so
diff --git a/pam.d/common-password b/pam.d/common-password
new file mode 100644
index 0000000..a5528aa
--- /dev/null
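Review bot: `auth sufficient pam_wheel.so trust group=users use_uid` is the entire policy for chsh: with `trust`, any process running as a member of `users` changes the login shell without ever entering a password, and because pam_wheel fails non-members and nothing else is stacked, everyone outside that group — root included, if chsh runs this stack for root too — cannot use chsh at all. If passwordless chsh for `users` is intended, keep the checks the other services still get: `auth sufficient pam_rootok.so` ahead of it and `@include common-account` after it, so /etc/nologin and account expiry are honoured here as they are in atd and sudo. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.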
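Review bot: `account sufficient pam_localuser.so` placed right after `account sufficient pam_unix.so` makes the /etc/shadow expiry check advisory: `sufficient` ignores a module failure, so a local account that pam_unix rejects (expired via `chage -E`, say) falls through to pam_localuser, which succeeds for any name present in /etc/passwd. The same shape cuts the other way for directory users — a failure from pam_sss is equally ignored, and I would expect pam_unix to return success for an NSS-visible user that has no shadow entry, which would let an account disabled in the directory through; worth confirming against your sssd setup. Explicit controls make a hard failure end the stack while unknown users still fall through: `account [default=bad success=done user_unknown=ignore] pam_sss.so` and `account [success=done new_authtok_reqd=done user_unknown=ignore default=bad] pam_unix.so`.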
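Review bot: `auth sufficient pam_unix.so use_first_pass` can only succeed if an earlier module left a password on the stack, and pam_sss puts the password it prompts for on the stack only when given `forward_pass`; as written, a user sssd does not know (root, or any /etc/shadow account) reaches pam_unix with no token and ends at pam_deny. Change the first line to `auth sufficient pam_sss.so forward_pass`. If every human account comes from sssd and root never authenticates by password this is latent rather than live, but it turns the pam_unix fallback into dead configuration, and `login`, `sudo` and `sshd` in this commit all include this stack, so it deserves a check with a local test account.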
+++ b/pam.d/common-password
@@ -0,0 +1,21 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+password requisite pam_pwquality.so retry=3
+password sufficient pam_sss.so use_authtok
+password sufficient pam_unix.so obscure use_authtok try_first_pass sha512
+password requisite pam_deny.so
diff --git a/pam.d/common-session b/pam.d/common-session
new file mode 100644
index 0000000..ec47e30
--- /dev/null
+++ b/pam.d/common-session
@@ -0,0 +1,14 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+
+session substack common-session-noninteractive
+
+session optional pam_mkhomedir.so
+session optional pam_systemd.so
+session optional pam_umask.so usergroups
diff --git a/pam.d/common-session-noninteractive b/pam.d/common-session-noninteractive
new file mode 100644
index 0000000..e7e76b6
--- /dev/null
+++ b/pam.d/common-session-noninteractive
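Review bot: `session optional pam_mkhomedir.so` runs with the module's default umask of 0022, so on a shared shell server every automatically created home directory is world-readable and world-searchable from its first login, exposing each new user's dotfiles to every other user on the host. Pass a restrictive mask explicitly: `session optional pam_mkhomedir.so umask=0077` (or `0027` if group access is wanted). The `pam_umask.so usergroups` line below it sets the session's file-creation mask only and has no effect on the mode pam_mkhomedir applies to the directory it creates; existing home directories are likewise unaffected by the change.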
@@ -0,0 +1,20 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+
+# Environment setup
+session required pam_env.so
+
+# User restrictions
+session required pam_namespace.so unmnt_remnt
+session required pam_limits.so
+
+# Passwd database handling
+session sufficient pam_sss.so
+session sufficient pam_unix.so
+session required pam_deny.so
diff --git a/pam.d/cron b/pam.d/cron
new file mode 100644
index 0000000..38b8c91
--- /dev/null
+++ b/pam.d/cron
@@ -0,0 +1,21 @@
+# The PAM configuration file for the cron daemon
+
+@include common-auth
+
+# Sets the loginuid process attribute
+session required pam_loginuid.so
+
+# Read environment variables from pam_env's default files, /etc/environment
+# and /etc/security/pam_env.conf.
+session required pam_env.so
+
+# In addition, read system locale information
+session required pam_env.so envfile=/etc/default/locale
+
+@include common-account
+session substack common-session-noninteractive
+
+# Sets up user limits, please define limits for cron tasks
+# through /etc/security/limits.conf
+session required pam_limits.so
+
diff --git a/pam.d/login b/pam.d/login
new file mode 100644
index 0000000..69009b0
--- /dev/null
+++ b/pam.d/login
@@ -0,0 +1,107 @@
+#
+# The PAM configuration file for the Shadow `login' service
+#
+
+# Enforce a minimal delay in case of failure (in microseconds).
+# (Replaces the `FAIL_DELAY' setting from login.defs)
+# Note that other modules may require another minimal delay. (for example,
+# to disable any delay, you should add the nodelay option to pam_unix)
+auth optional pam_faildelay.so delay=3000000
+
+# Outputs an issue file prior to each login prompt (Replaces the
+# ISSUE_FILE option from login.defs). Uncomment for use
+# auth required pam_issue.so issue=/etc/issue
+
+# Disallows root logins except on tty's listed in /etc/securetty
+# (Replaces the `CONSOLE' setting from login.defs)
+#
+# With the default control of this module:
+# [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
+# root will not be prompted for a password on insecure lines.
+# if an invalid username is entered, a password is prompted (but login
+# will eventually be rejected)
+#
+# You can change it to a "requisite" module if you think root may mis-type
+# her login and should not be prompted for a password in that case. But
+# this will leave the system as vulnerable to user enumeration attacks.
+#
+# You can change it to a "required" module if you think it permits to
+# guess valid user names of your system (invalid user names are considered
+# as possibly being root on insecure lines), but root passwords may be
+# communicated over insecure lines.
+auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without out this it is possible
+# that a module could execute code in the wrong domain.
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Standard Un*x authentication.
+@include common-auth
+
+# This allows certain extra groups to be granted to a user
+# based on things like time of day, tty, service, and user.
+# Please edit /etc/security/group.conf to fit your needs
+# (Replaces the `CONSOLE_GROUPS' option in login.defs)
+auth optional pam_group.so
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on logins.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# Uncomment and edit /etc/security/access.conf if you need to
+# set access limits.
+# (Replaces /etc/login.access file)
+# account required pam_access.so
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# Prints the last login info upon succesful login
+# (Replaces the `LASTLOG_ENAB' option from login.defs)
+session optional pam_lastlog.so
+
+# Prints the message of the day upon succesful login.
+# (Replaces the `MOTD_FILE' option in login.defs)
+session optional pam_exec.so type=open_session stdout /bin/uname -snrvm
+session optional pam_motd.so
+
+# Prints the status of the user's mailbox upon succesful login
+# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
+#
+# This also defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+session optional pam_mail.so dir=~/Mail standard
+
+# Sets the loginuid process attribute
+session required pam_loginuid.so
+
+# Standard Un*x account and session
+@include common-account
+@include common-session
+@include common-password
+
+# SELinux needs to intervene at login time to ensure that the process
+# starts in the proper default security context. Only sessions which are
+# intended to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+# When the module is present, "required" would be sufficient (When SELinux
+# is disabled, this returns success.)
diff --git a/pam.d/passwd b/pam.d/passwd
new file mode 100644
index 0000000..5872e7b
--- /dev/null
+++ b/pam.d/passwd
@@ -0,0 +1,6 @@
+#
+# The PAM configuration file for the Shadow `passwd' service
+#
+
+@include common-password
+
diff --git a/pam.d/sshd b/pam.d/sshd
new file mode 100644
index 0000000..a58d3ab
--- /dev/null
+++ b/pam.d/sshd
@@ -0,0 +1,52 @@
+# PAM configuration for the Secure Shell service
+
+# Standard Un*x authentication.
+@include common-auth
+
+# Uncomment and edit /etc/security/access.conf if you need to set complex
+# access limits that are hard to express in sshd_config.
+# account required pam_access.so
+
+# Standard Un*x authorization.
+@include common-account
+
+# SELinux needs to be the first session rule. This ensures that any
+# lingering context has been cleared. Without this it is possible that a
+# module could execute code in the wrong domain.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
+
+# Set the loginuid process attribute.
+session required pam_loginuid.so
+
+# Create a new session keyring.
+session optional pam_keyinit.so force revoke
+
+# Standard Un*x session setup and teardown.
+@include common-session
+
+# Print the message of the day upon successful login.
+# This includes a dynamically generated part from /run/motd.dynamic
+# and a static (admin-editable) part from /etc/motd.
+session optional pam_motd.so motd=/run/motd.dynamic
+session optional pam_motd.so noupdate
+
+# Print the status of the user's mailbox upon successful login.
+session optional pam_mail.so dir=~/Mail standard noenv # [1]
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+# Read environment variables from /etc/environment and
+# /etc/security/pam_env.conf.
+session required pam_env.so # [1]
+# In Debian 4.0 (etch), locale-related environment variables were moved to
+# /etc/default/locale, so read that as well.
+session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
+# Standard Un*x password updating.
+@include common-password
diff --git a/pam.d/sudo b/pam.d/sudo
new file mode 100644
index 0000000..a30da2c
--- /dev/null
+++ b/pam.d/sudo
@@ -0,0 +1,5 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+session substack common-session-noninteractive
diff --git a/pam.d/systemd-user b/pam.d/systemd-user
new file mode 100644
index 0000000..88d4e0b
--- /dev/null
+++ b/pam.d/systemd-user
@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+# Used by systemd when launching systemd user instances.
+
+@include common-account
+session substack common-session-noninteractive
+
+session optional pam_systemd.so
+
+auth required pam_deny.so
+password required pam_deny.so
diff --git a/passwd b/passwd
new file mode 100644
index 0000000..3c7bc3c
--- /dev/null
+++ b/passwd
@@ -0,0 +1,36 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
+systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
+systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
+systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
+Debian-exim:x:104:109::/var/spool/exim4:/bin/false
+messagebus:x:105:110::/var/run/dbus:/bin/false
+statd:x:106:65534::/var/lib/nfs:/bin/false
+sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
+postfix:x:109:115::/var/spool/postfix:/bin/false
+nslcd:x:110:117:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
+glances:x:111:119::/var/lib/glances:/bin/false
+oident:x:108:113::/:/bin/false
+bitlbee:x:112:120::/var/lib/bitlbee/:/bin/false
+redis:x:113:122::/var/lib/redis:/bin/false
+epmd:x:114:123::/var/run/epmd:/bin/false
+unbound:x:115:125::/var/lib/unbound:/bin/false
+debian-tor:x:117:127::/var/lib/tor:/bin/false
+ntpd:x:116:126::/var/run/openntpd:/bin/false
diff --git a/postfix/dynamicmaps.cf b/postfix/dynamicmaps.cf
new file mode 100644
index 0000000..d953c54
--- /dev/null
+++ b/postfix/dynamicmaps.cf
@@ -0,0 +1,7 @@
+# Postfix dynamic maps configuration file.
+#
+#type location of .so file open function (mkmap func)
+#==== ================================ ============= ============
+tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
+sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
+ldap /usr/lib/postfix/dict_ldap.so dict_ldap_open
diff --git a/postfix/main.cf b/postfix/main.cf
new file mode 100644
index 0000000..e5982e8
--- /dev/null
+++ b/postfix/main.cf
@@ -0,0 +1,37 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+
+# We serve mail for hashbang.sh only
+mydomain = hashbang.sh
+myorigin = $mydomain
+mydestination = $myhostname
+alias_maps = hash:/etc/aliases
+
+# Relay settings
+relayhost = mail.$mydomain
+smtp_tls_security_level = fingerprint
+smtp_tls_fingerprint_digest = sha1
+smtp_tls_fingerprint_cert_match = 73:E7:EC:E1:53:7F:D6:09:C9:3A:B3:62:84:64:7B:1D:D3:85:DF:D6
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
+smtp_tls_exclude_ciphers = NULL, MD5, DES, RC4
+smtp_tls_mandatory_ciphers = high
+
+# TLS Settings
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# Delivery configuration
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+message_size_limit = 52428800
+recipient_delimiter = +
+
+# Access restrictions
+authorized_flush_users = root
+authorized_mailq_users = root
diff --git a/postfix/master.cf b/postfix/master.cf
new file mode 100644
index 0000000..04cd2cf
--- /dev/null
+++ b/postfix/master.cf
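Review bot: `smtp_tls_fingerprint_digest = sha1` pins trust in `mail.hashbang.sh` to a SHA-1 certificate fingerprint; SHA-1 is no longer an acceptable digest for a trust anchor, and a certificate-fingerprint pin also breaks at every renewal, so switch to `smtp_tls_fingerprint_digest = sha256`, record the relay's current SHA-256 fingerprint, and consider pinning the public key rather than the certificate so reissuance does not stop outbound mail. Nothing in this file sets `inet_interfaces`, `mynetworks` or `smtpd_relay_restrictions`, so whether port 25 is reachable from outside and who may relay rests on Postfix version defaults I cannot see from here; for a host that only hands mail to a relay, `inet_interfaces = loopback-only` plus an explicit `mynetworks = 127.0.0.0/8 [::1]/128` states the intent. `smtpd_use_tls = yes` is the legacy spelling; `smtpd_tls_security_level = may` is the current one, and the snakeoil certificate it serves is suitable for opportunistic TLS only.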
@@ -0,0 +1,124 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +#tlsproxy unix - - - - 0 tlsproxy +#submission inet n - - - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup unix n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - - 1000? 
1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +relay unix - - - - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + diff --git a/profile b/profile new file mode 100644 index 0000000..7d37302 --- /dev/null +++ b/profile 
@@ -0,0 +1,36 @@ +# /etc/profile: system-wide .profile file for the Bourne shell (sh(1)) +# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...). + +if [ "`id -u`" -eq 0 ]; then + PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +else + PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games" +fi +export PATH + +if [ "$PS1" ]; then + if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then + # The file bash.bashrc already sets the default PS1. + # PS1='\h:\w\$ ' + if [ -f /etc/bash.bashrc ]; then + . /etc/bash.bashrc + fi + else + if [ "`id -u`" -eq 0 ]; then + PS1='# ' + else + PS1='$ ' + fi + fi +fi + +if [ -d /etc/profile.d ]; then + for i in /etc/profile.d/*.sh; do + if [ -r $i ]; then + . $i + fi + done + unset i +fi + +umask 077 diff --git a/profile.d/Z97-byobu.sh b/profile.d/Z97-byobu.sh new file mode 100644 index 0000000..cfb003e --- /dev/null +++ b/profile.d/Z97-byobu.sh 
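Review bot: `if [ -r $i ]` and `. $i` in the /etc/profile.d loop leave `$i` unquoted; the glob only matches paths under /etc/profile.d so this is a style point, but `[ -r "$i" ]` and `. "$i"` keep the loop correct if a drop-in name ever contains whitespace. `umask 077` at the end is a deliberate tightening over Debian's stock profile and deserves a comment, e.g. `# Private-by-default files on a shared host; users may relax this in their own rc files`.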
@@ -0,0 +1,34 @@ +# Z97-byobu.sh - allow any user to opt into auto-launching byobu +# Copyright (C) 2011 Canonical Ltd. +# +# Authors: Dustin Kirkland +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, version 3 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Allow any user to opt into auto-launching byobu by setting LC_BYOBU=1 +# Apologies for borrowing the LC_BYOBU namespace, but: +# a) it's reasonable to assume that no one else is using LC_BYOBU +# b) LC_* is sent and receieved by most /etc/ssh/ssh*_config +if [ -n "$LC_BYOBU" ] && [ "$LC_BYOBU" -gt 0 ] && [ -r "/usr/bin/byobu-launch" ]; then + . /usr/bin/byobu-launch +elif [ "$LC_TERMTYPE" = "byobu" ] && [ -r "/usr/bin/byobu-launch" ]; then + . /usr/bin/byobu-launch +elif [ "$LC_TERMTYPE" = "byobu-screen" ] && [ -r "/usr/bin/byobu-launch" ]; then + export BYOBU_BACKEND="screen" + . /usr/bin/byobu-launch +elif [ "$LC_TERMTYPE" = "byobu-tmux" ] && [ -r "/usr/bin/byobu-launch" ]; then + export BYOBU_BACKEND="tmux" + . /usr/bin/byobu-launch +fi + +# vi: syntax=sh ts=4 noexpandtab diff --git a/profile.d/bash_completion.sh b/profile.d/bash_completion.sh new file mode 100644 index 0000000..0df14b5 --- /dev/null +++ b/profile.d/bash_completion.sh 
@@ -0,0 +1,16 @@ +# Check for interactive bash and that we haven't already been sourced. +if [ -n "$BASH_VERSION" -a -n "$PS1" -a -z "$BASH_COMPLETION_COMPAT_DIR" ]; then + +# Check for recent enough version of bash. +bash=${BASH_VERSION%.*}; bmajor=${bash%.*}; bminor=${bash#*.} +if [ $bmajor -gt 4 ] || [ $bmajor -eq 4 -a $bminor -ge 1 ]; then + [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \ + . "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" + if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then + # Source completion code. + . /usr/share/bash-completion/bash_completion + fi +fi +unset bash bmajor bminor + +fi diff --git a/profile.d/dotfiles.sh b/profile.d/dotfiles.sh new file mode 100644 index 0000000..8108734 --- /dev/null +++ b/profile.d/dotfiles.sh @@ -0,0 +1,68 @@ +### +# check if the dotfiles must be recreated +### + +# Check both ~/.dotfiles and ~/.bash_profile as we +# don't want to run if the user has “old style” dotfiles. +if [ -d ~/.dotfiles ] || [ -f ~/.bash_profile ]; then + return +fi + +### +# pre-clone +### + +# Prepare GnuPG homedir +export GNUPGHOME=$(mktemp -d --tmpdir gpg.XXXXXX) +trap "rm -rf -- '${GNUPGHOME}'; unset GNUPGHOME" EXIT + +cat > "${GNUPGHOME}/gpg.conf" <&2 <&2 + rm -rf ~/.dotfiles + return +fi + +rm -rf -- "${GNUPGHOME}" +unset GNUPGHOME +trap - EXIT + +### +# stowing +### + +cd ~/.dotfiles +stow bash git gnupg hashbang ssh tmux weechat zsh +cd + +### +# Make sure a proper maildir is in place +### + +mkdir -p ~/Mail/{cur,new,tmp} + +### +# Edit the welcome message +### + +sed -i "s/{date}/$(date '+%a, %-d %b %Y %T %Z')/g" Mail/new/msg.welcome +sed -i "s/{username}/$(whoami)/g" Mail/new/msg.welcome diff --git a/profile.d/go.sh b/profile.d/go.sh new file mode 100644 index 0000000..5a83330 --- /dev/null +++ b/profile.d/go.sh @@ -0,0 +1,3 @@ +# https://github.com/golang/go/wiki/GOPATH +export GOPATH="/usr/share/gocode:$HOME/.local/gocode" +export PATH="$GOPATH/bin:$PATH" 
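Review bot: On the failure branch of dotfiles.sh (`rm -rf ~/.dotfiles` followed by `return`) the script returns from the sourced profile without undoing the `export GNUPGHOME=...` and the EXIT trap, so the login shell keeps a throwaway `GNUPGHOME` for the whole session and every gpg invocation in it reads the temporary config; mirror the success path before that `return` with `rm -rf -- "${GNUPGHOME}"; unset GNUPGHOME; trap - EXIT`. Later, `cd ~/.dotfiles` is not checked before `stow ...`, so if the directory is missing stow runs against the home directory; `cd ~/.dotfiles || return` guards it. The verification block between the `gpg.conf` heredoc and the failure branch is lost in this rendering, so the exact condition that leads to that `return` is inferred rather than visible.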
diff --git a/profile.d/local_path.sh b/profile.d/local_path.sh new file mode 100644 index 0000000..b65f405 --- /dev/null +++ b/profile.d/local_path.sh @@ -0,0 +1 @@ +export PATH="$HOME/.local/bin:$PATH" diff --git a/profile.d/luarocks_aliases.sh b/profile.d/luarocks_aliases.sh new file mode 100644 index 0000000..79147d5 --- /dev/null +++ b/profile.d/luarocks_aliases.sh @@ -0,0 +1,8 @@ +#!/bin/sh +alias luarocks-5.1="lua5.1 /usr/bin/luarocks --local" +alias luarocks-5.2="lua5.2 /usr/bin/luarocks --local" +alias luarocks-5.3="lua5.3 /usr/bin/luarocks --local" +# Need to do 5.1 last, as it adds to LUA_PATH, which would be picked up by the other commands +eval `lua5.3 /usr/bin/luarocks --bin path` +eval `lua5.2 /usr/bin/luarocks --bin path` +eval `lua5.1 /usr/bin/luarocks --bin path` diff --git a/profile.d/npm.sh b/profile.d/npm.sh new file mode 100644 index 0000000..094a07e --- /dev/null +++ b/profile.d/npm.sh @@ -0,0 +1,24 @@ +export PATH="$HOME/.npm-packages/bin:$PATH" # man 1 sh +export NODE_PATH="$HOME/.npm-packages/lib/node_modules" # man 1 node +export NPM_CONFIG_PREFIX="$HOME/.npm-packages" # man 7 npm-config + # NOT man 1 or man 3 +export N_PREFIX="$HOME/.npm-packages" # installs under ~/.npm-packages/n + +install_node_version() { + mv "$HOME/.npm-packages" "$HOME/.npm-packages-$(node -v)" + echo "The previous versions of your NPM packages have moved. They are now" + echo "accessible at: $HOME/.npm-packages-$(node -v)" + command npm install -g npm + command npm install -g n + n "$1" + command npm install yarn +} + +npm() { + echo "Use yarn instead!" >&2 + if ! command -v yarn >/dev/null; then + echo 'Run `install_node_version latest` to update Node and install Yarn' >&2 + echo 'You can also specify an alias, such as `lts`, `latest`, etc.' >&2 + fi + return 1 +} diff --git a/profile.d/nvm.sh b/profile.d/nvm.sh new file mode 100644 index 0000000..311809b --- /dev/null +++ b/profile.d/nvm.sh 
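Review bot: `command npm install yarn` in `install_node_version` has no `-g`, so yarn lands in `./node_modules` of whatever directory the user happens to be in rather than under `$NPM_CONFIG_PREFIX/bin`, and the `npm()` wrapper's `command -v yarn` test keeps failing afterwards; it should be `command npm install -g yarn`. The preceding `mv "$HOME/.npm-packages" "$HOME/.npm-packages-$(node -v)"` also runs when `node` is not on PATH, in which case the substitution is empty and the directory is renamed to `.npm-packages-`; a guard such as `command -v node >/dev/null || return 1` before the move keeps the rename meaningful.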
@@ -0,0 +1,9 @@ +export NVM_DIR="$HOME/.nvm" + +install_nvm() { + git clone https://github.com/creationix/nvm "$NVM_DIR" + git -C "$NVM_DIR" checkout $(git -C "$NVM_DIR" describe --abbrev=0 --tags --match "v[0-9]*" origin) + . "$NVM_DIR/nvm.sh" +} + +[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh" diff --git a/profile.d/user_ruby_bin_directory.sh b/profile.d/user_ruby_bin_directory.sh new file mode 100644 index 0000000..f189279 --- /dev/null +++ b/profile.d/user_ruby_bin_directory.sh @@ -0,0 +1 @@ +export PATH="$HOME/.gem/bin:$PATH" diff --git a/profile.d/wall.sh b/profile.d/wall.sh new file mode 100644 index 0000000..f6589cd --- /dev/null +++ b/profile.d/wall.sh @@ -0,0 +1,3 @@ +# By default, refuse to receive wall(1) messages from unprivileged users +# Set `mesg y` in your config if this is the desired behaviour. +mesg n diff --git a/profile.d/z_manpath.sh b/profile.d/z_manpath.sh new file mode 100644 index 0000000..2702b49 --- /dev/null +++ b/profile.d/z_manpath.sh @@ -0,0 +1 @@ +export MANPATH="${MANPATH:-$(manpath)}" diff --git a/rc2.d/K01nscd b/rc2.d/K01nscd new file mode 120000 index 0000000..721f15f --- /dev/null +++ b/rc2.d/K01nscd @@ -0,0 +1 @@ +../init.d/nscd \ No newline at end of file diff --git a/rc2.d/K01nslcd b/rc2.d/K01nslcd new file mode 120000 index 0000000..6e1cfb5 --- /dev/null +++ b/rc2.d/K01nslcd @@ -0,0 +1 @@ +../init.d/nslcd \ No newline at end of file diff --git a/rc2.d/S01motd b/rc2.d/S01motd new file mode 120000 index 0000000..7ebe0f5 --- /dev/null +++ b/rc2.d/S01motd @@ -0,0 +1 @@ +../init.d/motd \ No newline at end of file diff --git a/rc2.d/S02ssh b/rc2.d/S02ssh new file mode 120000 index 0000000..70e14ad --- /dev/null +++ b/rc2.d/S02ssh @@ -0,0 +1 @@ +../init.d/ssh \ No newline at end of file diff --git a/rc2.d/S03cron b/rc2.d/S03cron new file mode 120000 index 0000000..b7a1f29 --- /dev/null +++ b/rc2.d/S03cron @@ -0,0 +1 @@ +../init.d/cron \ No newline at end of file 
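Review bot: `install_nvm` checks out whatever `git describe` returns through an unquoted substitution and then sources `$NVM_DIR/nvm.sh` without checking that the clone or the checkout succeeded, so a failed clone or an empty describe result still ends in sourcing whatever is in `$NVM_DIR`; `git clone https://github.com/creationix/nvm "$NVM_DIR" || return 1`, `tag=$(git -C "$NVM_DIR" describe --abbrev=0 --tags --match "v[0-9]*" origin) || return 1` and `git -C "$NVM_DIR" checkout "$tag" || return 1` make each step fail closed. Because this code executes inside the user's login shell, a comment stating that the tag is not verified (and pointing to `git verify-tag` if upstream signs its tags) would document the trust boundary.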
diff --git a/rc2.d/S03postfix b/rc2.d/S03postfix new file mode 120000 index 0000000..81e743c --- /dev/null +++ b/rc2.d/S03postfix @@ -0,0 +1 @@ +../init.d/postfix \ No newline at end of file diff --git a/rc2.d/S03rsync b/rc2.d/S03rsync new file mode 120000 index 0000000..3f11f90 --- /dev/null +++ b/rc2.d/S03rsync @@ -0,0 +1 @@ +../init.d/rsync \ No newline at end of file diff --git a/rc2.d/S03sssd b/rc2.d/S03sssd new file mode 120000 index 0000000..affe96e --- /dev/null +++ b/rc2.d/S03sssd @@ -0,0 +1 @@ +../init.d/sssd \ No newline at end of file diff --git a/rc2.d/S04rc.local b/rc2.d/S04rc.local new file mode 120000 index 0000000..fb4ee0a --- /dev/null +++ b/rc2.d/S04rc.local @@ -0,0 +1 @@ +../init.d/rc.local \ No newline at end of file diff --git a/rc3.d/K01nscd b/rc3.d/K01nscd new file mode 120000 index 0000000..721f15f --- /dev/null +++ b/rc3.d/K01nscd @@ -0,0 +1 @@ +../init.d/nscd \ No newline at end of file diff --git a/rc3.d/K01nslcd b/rc3.d/K01nslcd new file mode 120000 index 0000000..6e1cfb5 --- /dev/null +++ b/rc3.d/K01nslcd @@ -0,0 +1 @@ +../init.d/nslcd \ No newline at end of file diff --git a/rc3.d/S01motd b/rc3.d/S01motd new file mode 120000 index 0000000..7ebe0f5 --- /dev/null +++ b/rc3.d/S01motd @@ -0,0 +1 @@ +../init.d/motd \ No newline at end of file diff --git a/rc3.d/S02ssh b/rc3.d/S02ssh new file mode 120000 index 0000000..70e14ad --- /dev/null +++ b/rc3.d/S02ssh @@ -0,0 +1 @@ +../init.d/ssh \ No newline at end of file diff --git a/rc3.d/S03cron b/rc3.d/S03cron new file mode 120000 index 0000000..b7a1f29 --- /dev/null +++ b/rc3.d/S03cron @@ -0,0 +1 @@ +../init.d/cron \ No newline at end of file diff --git a/rc3.d/S03postfix b/rc3.d/S03postfix new file mode 120000 index 0000000..81e743c --- /dev/null +++ b/rc3.d/S03postfix @@ -0,0 +1 @@ +../init.d/postfix \ No newline at end of file diff --git a/rc3.d/S03rsync b/rc3.d/S03rsync new file mode 120000 index 0000000..3f11f90 --- /dev/null +++ b/rc3.d/S03rsync 
@@ -0,0 +1 @@ +../init.d/rsync \ No newline at end of file diff --git a/rc3.d/S03sssd b/rc3.d/S03sssd new file mode 120000 index 0000000..affe96e --- /dev/null +++ b/rc3.d/S03sssd @@ -0,0 +1 @@ +../init.d/sssd \ No newline at end of file diff --git a/rc3.d/S04rc.local b/rc3.d/S04rc.local new file mode 120000 index 0000000..fb4ee0a --- /dev/null +++ b/rc3.d/S04rc.local @@ -0,0 +1 @@ +../init.d/rc.local \ No newline at end of file diff --git a/rc4.d/K01nscd b/rc4.d/K01nscd new file mode 120000 index 0000000..721f15f --- /dev/null +++ b/rc4.d/K01nscd @@ -0,0 +1 @@ +../init.d/nscd \ No newline at end of file diff --git a/rc4.d/K01nslcd b/rc4.d/K01nslcd new file mode 120000 index 0000000..6e1cfb5 --- /dev/null +++ b/rc4.d/K01nslcd @@ -0,0 +1 @@ +../init.d/nslcd \ No newline at end of file diff --git a/rc4.d/S01motd b/rc4.d/S01motd new file mode 120000 index 0000000..7ebe0f5 --- /dev/null +++ b/rc4.d/S01motd @@ -0,0 +1 @@ +../init.d/motd \ No newline at end of file diff --git a/rc4.d/S02ssh b/rc4.d/S02ssh new file mode 120000 index 0000000..70e14ad --- /dev/null +++ b/rc4.d/S02ssh @@ -0,0 +1 @@ +../init.d/ssh \ No newline at end of file diff --git a/rc4.d/S03cron b/rc4.d/S03cron new file mode 120000 index 0000000..b7a1f29 --- /dev/null +++ b/rc4.d/S03cron @@ -0,0 +1 @@ +../init.d/cron \ No newline at end of file diff --git a/rc4.d/S03postfix b/rc4.d/S03postfix new file mode 120000 index 0000000..81e743c --- /dev/null +++ b/rc4.d/S03postfix @@ -0,0 +1 @@ +../init.d/postfix \ No newline at end of file diff --git a/rc4.d/S03rsync b/rc4.d/S03rsync new file mode 120000 index 0000000..3f11f90 --- /dev/null +++ b/rc4.d/S03rsync @@ -0,0 +1 @@ +../init.d/rsync \ No newline at end of file diff --git a/rc4.d/S03sssd b/rc4.d/S03sssd new file mode 120000 index 0000000..affe96e --- /dev/null +++ b/rc4.d/S03sssd @@ -0,0 +1 @@ +../init.d/sssd \ No newline at end of file diff --git a/rc4.d/S04rc.local b/rc4.d/S04rc.local new file mode 120000 index 0000000..fb4ee0a --- /dev/null 
+++ b/rc4.d/S04rc.local @@ -0,0 +1 @@ +../init.d/rc.local \ No newline at end of file diff --git a/rc5.d/K01nscd b/rc5.d/K01nscd new file mode 120000 index 0000000..721f15f --- /dev/null +++ b/rc5.d/K01nscd @@ -0,0 +1 @@ +../init.d/nscd \ No newline at end of file diff --git a/rc5.d/K01nslcd b/rc5.d/K01nslcd new file mode 120000 index 0000000..6e1cfb5 --- /dev/null +++ b/rc5.d/K01nslcd @@ -0,0 +1 @@ +../init.d/nslcd \ No newline at end of file diff --git a/rc5.d/S01motd b/rc5.d/S01motd new file mode 120000 index 0000000..7ebe0f5 --- /dev/null +++ b/rc5.d/S01motd @@ -0,0 +1 @@ +../init.d/motd \ No newline at end of file diff --git a/rc5.d/S02ssh b/rc5.d/S02ssh new file mode 120000 index 0000000..70e14ad --- /dev/null +++ b/rc5.d/S02ssh @@ -0,0 +1 @@ +../init.d/ssh \ No newline at end of file diff --git a/rc5.d/S03cron b/rc5.d/S03cron new file mode 120000 index 0000000..b7a1f29 --- /dev/null +++ b/rc5.d/S03cron @@ -0,0 +1 @@ +../init.d/cron \ No newline at end of file diff --git a/rc5.d/S03postfix b/rc5.d/S03postfix new file mode 120000 index 0000000..81e743c --- /dev/null +++ b/rc5.d/S03postfix @@ -0,0 +1 @@ +../init.d/postfix \ No newline at end of file diff --git a/rc5.d/S03rsync b/rc5.d/S03rsync new file mode 120000 index 0000000..3f11f90 --- /dev/null +++ b/rc5.d/S03rsync @@ -0,0 +1 @@ +../init.d/rsync \ No newline at end of file diff --git a/rc5.d/S03sssd b/rc5.d/S03sssd new file mode 120000 index 0000000..affe96e --- /dev/null +++ b/rc5.d/S03sssd @@ -0,0 +1 @@ +../init.d/sssd \ No newline at end of file diff --git a/rc5.d/S04rc.local b/rc5.d/S04rc.local new file mode 120000 index 0000000..fb4ee0a --- /dev/null +++ b/rc5.d/S04rc.local @@ -0,0 +1 @@ +../init.d/rc.local \ No newline at end of file diff --git a/resolvconf/resolv.conf.d/base b/resolvconf/resolv.conf.d/base new file mode 100644 index 0000000..bbc8559 --- /dev/null +++ b/resolvconf/resolv.conf.d/base @@ -0,0 +1 @@ +nameserver 127.0.0.1 
diff --git a/resolvconf/resolv.conf.d/tail b/resolvconf/resolv.conf.d/tail new file mode 100644 index 0000000..6f6d913 --- /dev/null +++ b/resolvconf/resolv.conf.d/tail @@ -0,0 +1 @@ +domain hashbang.sh diff --git a/rsyslog.conf b/rsyslog.conf new file mode 100644 index 0000000..17ffe62 --- /dev/null +++ b/rsyslog.conf 
@@ -0,0 +1,121 @@ +# /etc/rsyslog.conf Configuration file for rsyslog. +# +# For more information see +# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html + + +################# +#### MODULES #### +################# + +$ModLoad imuxsock # provides support for local system logging +$ModLoad imklog # provides kernel logging support +#$ModLoad immark # provides --MARK-- message capability + +# provides UDP syslog reception +#$ModLoad imudp +#$UDPServerRun 514 + +# provides TCP syslog reception +#$ModLoad imtcp +#$InputTCPServerRun 514 + + +########################### +#### GLOBAL DIRECTIVES #### +########################### + +# +# Use traditional timestamp format. +# To enable high precision timestamps, comment out the following line. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + +# +# Set the default permissions for all log files. +# +$FileOwner root +$FileGroup adm +$FileCreateMode 0640 +$DirCreateMode 0755 +$Umask 0022 + +# +# Where to place spool and state files +# +$WorkDirectory /var/spool/rsyslog + +# +# Include all config files in /etc/rsyslog.d/ +# +$IncludeConfig /etc/rsyslog.d/*.conf + + +############### +#### RULES #### +############### + +# +# First some standard log files. Log by facility. +# +#auth,authpriv.* /var/log/auth.log +#*.*;auth,authpriv.none -/var/log/syslog +#cron.* /var/log/cron.log +#daemon.* -/var/log/daemon.log +#kern.* -/var/log/kern.log +#lpr.* -/var/log/lpr.log +#mail.* -/var/log/mail.log +#user.* -/var/log/user.log + +# +# Logging for the mail system. Split it up so that +# it is easy to write scripts to parse these files. +# +#mail.info -/var/log/mail.info +#mail.warn -/var/log/mail.warn +#mail.err /var/log/mail.err + +# +# Logging for INN news system. +# +#news.crit /var/log/news/news.crit +#news.err /var/log/news/news.err +#news.notice -/var/log/news/news.notice + +# +# Some "catch-all" log files. 
+# +#*.=debug;\ +# auth,authpriv.none;\ +# news.none;mail.none -/var/log/debug +#*.=info;*.=notice;*.=warn;\ +# auth,authpriv.none;\ +# cron,daemon.none;\ +# mail,news.none -/var/log/messages + +# +# Emergencies are sent to everybody logged in. +# +*.emerg :omusrmsg:* + +# +# I like to have messages displayed on the console, but only on a virtual +# console I usually leave idle. +# +#daemon,mail.*;\ +# news.=crit;news.=err;news.=notice;\ +# *.=debug;*.=info;\ +# *.=notice;*.=warn /dev/tty8 + +# The named pipe /dev/xconsole is for the `xconsole' utility. To use it, +# you must invoke `xconsole' with the `-file' option: +# +# $ xconsole -file /dev/xconsole [...] +# +# NOTE: adjust the list below, or you'll go crazy if you have a reasonably +# busy site.. +# +daemon.*;mail.*;\ + news.err;\ + *.=debug;*.=info;\ + *.=notice;*.=warn |/dev/xconsole diff --git a/security/group.conf b/security/group.conf new file mode 100644 index 0000000..7c07a26 --- /dev/null +++ b/security/group.conf 
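Review bot: Every facility rule that writes under /var/log (`auth,authpriv.*`, `*.*;auth,authpriv.none`, `daemon.*`, `mail.*`, …) is commented out, so this file on its own only sends `*.emerg` to logged-in users and pipes a selection to `/dev/xconsole`; unless a drop-in pulled in by `$IncludeConfig /etc/rsyslog.d/*.conf` writes or forwards those facilities, authentication and daemon events have no persistent destination. A comment next to the commented block naming where they actually go, e.g. `# Persistent/forwarded log destinations live in /etc/rsyslog.d/<drop-in>.conf`, would make that intent reviewable. The `|/dev/xconsole` rule also presumes the named pipe exists; if nothing creates it, rsyslog may report errors at startup.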
@@ -0,0 +1,106 @@ +# +# This is the configuration file for the pam_group module. +# + +# +# *** Please note that giving group membership on a session basis is +# *** NOT inherently secure. If a user can create an executable that +# *** is setgid a group that they are infrequently given membership +# *** of, they can basically obtain group membership any time they +# *** like. Example: games are allowed between the hours of 6pm and 6am +# *** user joe logs in at 7pm writes a small C-program toplay.c that +# *** invokes their favorite shell, compiles it and does +# *** "chgrp play toplay; chmod g+s toplay". They are basically able +# *** to play games any time... You have been warned. AGM +# + +# +# The syntax of the lines is as follows: +# +# services;ttys;users;times;groups +# +# white space is ignored and lines maybe extended with '\\n' (escaped +# newlines). From reading these comments, it is clear that +# text following a '#' is ignored to the end of the line. +# +# the combination of individual users/terminals etc is a logic list +# namely individual tokens that are optionally prefixed with '!' (logical +# not) and separated with '&' (logical and) and '|' (logical or). +# +# services +# is a logic list of PAM service names that the rule applies to. +# +# ttys +# is a logic list of terminal names that this rule applies to. +# +# users +# is a logic list of users or a netgroup of users to whom this +# rule applies. +# +# NB. For these items the simple wildcard '*' may be used only once. +# With netgroups no wildcards or logic operators are allowed. +# +# times +# It is used to indicate "when" these groups are to be given to the +# user. The format here is a logic list of day/time-range +# entries the days are specified by a sequence of two character +# entries, MoTuSa for example is Monday Tuesday and Saturday. Note +# that repeated days are unset MoMo = no day, and MoWk = all weekdays +# bar Monday. 
The two character combinations accepted are +# +# Mo Tu We Th Fr Sa Su Wk Wd Al +# +# the last two being week-end days and all 7 days of the week +# respectively. As a final example, AlFr means all days except Friday. +# +# Each day/time-range can be prefixed with a '!' to indicate "anything +# but" +# +# The time-range part is two 24-hour times HHMM separated by a hyphen +# indicating the start and finish time (if the finish time is smaller +# than the start time it is deemed to apply on the following day). +# +# groups +# The (comma or space separated) list of groups that the user +# inherits membership of. These groups are added if the previous +# fields are satisfied by the user's request +# +# For a rule to be active, ALL of service+ttys+users must be satisfied +# by the applying process. +# + +# +# Note, to get this to work as it is currently typed you need +# +# 1. to run an application as root +# 2. add the following groups to the /etc/group file: +# floppy, play, sound +# + +# +# Here is a simple example: running 'xsh' on tty* (any ttyXXX device), +# the user 'us' is given access to the floppy (through membership of +# the floppy group) +# + +#xsh;tty*&!ttyp*;us;Al0000-2400;floppy + +# +# another example: running 'xsh' on tty* (any ttyXXX device), +# the user 'sword' is given access to games (through membership of +# the sound and play group) after work hours. +# + +#xsh; tty* ;sword;!Wk0900-1800;sound, play +#xsh; tty* ;*;Al0900-1800;floppy + +# +# yet another example: any member of the group 'admin' running +# 'xsh' on tty*, is granted access (at any time) to the group 'plugdev' +# + +#xsh; tty* ;%admin;Al0000-2400;plugdev + +# +# End of group.conf file +# diff --git a/security/limits.conf b/security/limits.conf new file mode 100644 index 0000000..8fe6da9 --- /dev/null +++ b/security/limits.conf 
@@ -0,0 +1,48 @@ +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open files +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# +1000:65535 soft nproc 150 +1000:65535 hard nproc 200 +1000:65535 soft nofile 4096 +1000:65535 hard nofile 10240 diff --git a/security/namespace.conf b/security/namespace.conf new file mode 100644 index 0000000..d47e358 --- /dev/null +++ b/security/namespace.conf 
@@ -0,0 +1,26 @@ +# /etc/security/namespace.conf +# +# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information. +# +# /tmp, /var/tmp and /run/lock are polyinstantiated on a per-user basis, +# resulting in each user having a different, private directory mounted +# at those locations. +# +# Note that instance directories do not have to reside inside the +# polyinstantiated directory. In the examples below, instances of /tmp +# will be created in /tmp-inst directory, where as instances of /var/tmp +# and users home directories will reside within the directories that +# are being polyinstantiated. +# +# Instance parent directories must exist for the polyinstantiation +# mechanism to work. By default, they should be created with the mode +# of 000. pam_namespace module will enforce this mode unless it +# is explicitly called with an argument to ignore the mode of the +# instance parent. System administrators should use this argument with +# caution, as it will reduce security and isolation achieved by +# polyinstantiation. +# +#/dev /dev/inst/ user root +/tmp /tmp/inst/ user root +/var/tmp /var/tmp/inst/ user root +/run/lock /run/lock/inst/ user root diff --git a/security/namespace.init b/security/namespace.init new file mode 100755 index 0000000..433a938 --- /dev/null +++ b/security/namespace.init 
@@ -0,0 +1,44 @@ +#!/bin/sh -e +# It receives polydir path as $1, the instance path as $2, +# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3, +# and user name in $4. + +if [ "$1" = "/dev" ]; then + # If we are creating /dev + if [ "$3" = 1 ]; then + # Major and minor number for devices come from + # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/devices.txt + mknod -m 666 /dev/null char 1 3 + mknod -m 666 /dev/zero char 1 5 + mknod -m 666 /dev/full char 1 7 + mknod -m 666 /dev/random char 1 8 + mknod -m 666 /dev/urandom char 1 9 + mknod -m 666 /dev/fuse char 10 229 + + mknod -m 666 /dev/tty char 5 0 + chown root:tty /dev/tty + + # Create devpts mountpoint + mkdir -m 755 /dev/pts + + # Create the shm directory + mkdir -m 1777 /dev/shm + + # Mandatory symlinks + ln -s /proc/self/fd /dev/fd + ln -s fd/0 /dev/stdin + ln -s fd/1 /dev/stdout + ln -s fd/2 /dev/stderr + ln -s null /dev/X0R + + # Recommended symlinks + ln -s /run/systemd/journal/dev-log /dev/log + fi + + mount -o gid=5,mode=620,ptmxmode=0666 \ + -t devpts devpts /dev/pts + + ln -sf pts/ptmx /dev/ptmx +fi + +exit 0 diff --git a/security/opasswd b/security/opasswd new file mode 100644 index 0000000..e69de29 diff --git a/shells b/shells new file mode 100644 index 0000000..c710454 --- /dev/null +++ b/shells @@ -0,0 +1,11 @@ +# /etc/shells: valid login shells +/bin/sh +/bin/dash +/bin/bash +/bin/rbash +/usr/bin/tmux +/usr/bin/screen +/bin/zsh +/usr/bin/zsh +/bin/ksh93 +/usr/bin/fish diff --git a/skel/Mail/new/msg.welcome b/skel/Mail/new/msg.welcome new file mode 100644 index 0000000..0925b2c --- /dev/null +++ b/skel/Mail/new/msg.welcome 
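Review bot: The whole `if [ "$1" = "/dev" ]` branch appears to be dead with the namespace.conf in this same change, where the `/dev` line is commented out, so the device-node creation (including `mknod -m 666 /dev/fuse` and the `gid=5,mode=620` devpts mount) will not run unless `/dev` is enabled there; a header comment saying so, e.g. `# The /dev branch below is only reached once /dev is polyinstantiated in namespace.conf`, keeps the two files in step. If that line is ever uncommented, `ln -s null /dev/X0R` deserves a comment of its own, since its purpose is not obvious from the script.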
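Review bot: `/usr/bin/tmux` and `/usr/bin/screen` are listed in /etc/shells as valid login shells, which lets users select them with chsh(1) and makes any service that consults /etc/shells treat them as legitimate shells; this is presumably deliberate on a shell host, but the file should say so, e.g. `# tmux/screen are intentionally allowed as login shells so users can chsh(1) straight into a multiplexer`.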
@@ -0,0 +1,26 @@
+From: noreply@hashbang.sh
+X-Original-To: {username}@hashbang.sh
+Delivered-To: {username}@hashbang.sh
+MIME-Version: 1.0
+From: The Local Bot
+Date: {date}
+Subject: Press Enter to open this!
+To: {username} <{username}@hashbang.sh>
+Content-Type: text/plain
+
+Hey! Welcome to #!
+
+Hashbang (The name of the #! symbol) is a community-run online "hackerspace" based off of the core principle of "Teach. Learn. Make things do." We are a community dedicated to helping, teaching, and providing people with resources for educational and productive services. With this in mind, Hashbang (while being called an online hackerspace) does not support nor does it encourage the engagement of illegal or otherwise disruptive activities that may have a negative impact on the resources of other users.
+
+The name of hashbang is based off of the symbol '#!', found at the start of a shell script. This symbol instructs the operating system what program is required to "do" something with the code. Hashbang runs the same way. We try to instruct our users on the tools and skills required to -do- whatever they want for themselves. Likewise if you want something done, -do- it yourself. Don't know how? Ask. We're here to help new people get used to a Linux/Unix environment and to start them off with making software, learning how the terminal and services work... or perhaps helping talk through a challenging work problem someone faces at a major tech company. We welcome all skill levels and backgrounds.
+
+Software is almost never complete, and there might always be something off. Being a community-run service, hashbang encourages users to find bugs within the software and attempt to fix them. Most of our repositories are stored online on GitHub (https://github.com/hashbang) and are easily accessible. If you have any questions about any of our offerings, or just want to chat, you can switch to the first window (ctrl-B then 1) and talk to a number of other users in real time.
+
+Thank you for taking the time to read this welcome message, and welcome to #!
+
+To find out more try 'man hashbang' on one of the terminal tabs [ c ]
+
+Currently, the ~/Public folder isn't exposed over HTTP by default;
+however, users can use the `SimpleHTTPServer.service` systemd unit file (in `~/.config/systemd/user`, modify it to set port) or a `@reboot` crontab entry to run `python3 -m http.server ` to provide a webserver exposing it.
+
+This message will self-destruct in 10 seconds.
diff --git a/skel/Public/index.html b/skel/Public/index.html
new file mode 100644
index 0000000..3e101e0
--- /dev/null
+++ b/skel/Public/index.html
@@ -0,0 +1 @@
+Welcome to your #! personal site of things. Edit me!
diff --git a/ssh/ssh_config b/ssh/ssh_config
new file mode 100644
index 0000000..1ece023
--- /dev/null
+++ b/ssh/ssh_config
@@ -0,0 +1,56 @@
+
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for some commonly used options. For a comprehensive
+# list of available options, their meanings and defaults, please see the
+# ssh_config(5) man page.
+
+Host *
+# ForwardAgent no
+# ForwardX11 no
+# ForwardX11Trusted yes
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# HostbasedAuthentication no
+# GSSAPIAuthentication no
+# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
+# BatchMode no
+# CheckHostIP yes
+# AddressFamily any
+# ConnectTimeout 0
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# Port 22
+# Protocol 2,1
+# Cipher 3des
+# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
+# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
+# EscapeChar ~
+# Tunnel no
+# TunnelDevice any:any
+# PermitLocalCommand no
+# VisualHostKey no
+# ProxyCommand ssh -q -W %h:%p gateway.example.com
+# RekeyLimit 1G 1h
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
+ GSSAPIDelegateCredentials no
+
+UseRoaming no
diff --git a/ssh/sshd_config b/ssh/sshd_config
new file mode 100644
index 0000000..b645b3e
--- /dev/null
+++ b/ssh/sshd_config
@@ -0,0 +1,100 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation sandbox
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+
+AuthorizedKeysFile none
+AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
+AuthorizedKeysCommandUser nobody
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+# When using -R with `ssh` client, allow binding to other interfaces when
+# specified. Default is loopback only.
+GatewayPorts clientspecified
+
+
+# Honor authorized_keys and ignore LDAP for root.
+Match User root
+ AuthorizedKeysFile .ssh/authorized_keys
+ AuthorizedKeysCommand /bin/true
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
new file mode 100644
index 0000000..06dfdc2
--- /dev/null
+++ b/sssd/sssd.conf
@@ -0,0 +1,24 @@
+[sssd]
+domains = HASHBANG
+services = nss, pam, ssh
+config_file_version = 2
+
+[nss]
+
+
+[domain/HASHBANG]
+enumerate = TRUE
+id_provider = ldap
+access_provider = ldap
+ldap_uri = ldaps://ldap.hashbang.sh
+ldap_search_base = dc=hashbang,dc=sh
+ldap_tls_reqcert = demand
+ldap_user_search_base = ou=People,dc=hashbang,dc=sh
+ldap_user_ssh_public_key = sshPublicKey
+ldap_pwd_policy = none
+ldap_access_order = host
+ldap_user_authorized_host = host
+cache_credentials = true
+
+[pam]
+id_provider = proxy
diff --git a/sudoers b/sudoers
new file mode 100644
index 0000000..2e2e018
--- /dev/null
+++ b/sudoers
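Review bot: No `KexAlgorithms`, `Ciphers` or `MACs` lines are set, so sshd accepts its compiled-in defaults, which depending on the exact OpenSSH version still include SHA-1/MD5 MACs and, on older releases, CBC ciphers (the client config in this same commit shows that legacy set as its commented defaults). On a public multi-user host pinning the modern set is a cheap fix: `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`, `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`, `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com` (all available in the OpenSSH 6.5+ that the ed25519 HostKey line implies). The closing `Match User root` block is only meaningful because `PermitRootLogin without-password` is set earlier; a comment there pointing at that directive would stop the two drifting apart.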
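Review bot: `id_provider = proxy` is placed under `[pam]`, but id_provider is a `[domain/…]` option, so here it is presumably ignored by sssd (and would contradict the `id_provider = ldap` already set in `[domain/HASHBANG]` if it were honored); drop it or move the intended setting into the domain section. The domain sets `ldap_tls_reqcert = demand` with no `ldap_tls_cacert`, so certificate validation of ldap.hashbang.sh rests on the system-wide CA path being correct — a one-line comment naming the CA that is expected to sign that certificate would make the dependency visible.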
@@ -0,0 +1,29 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults env_reset
+Defaults mail_badpass
+Defaults !requiretty
+Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Defaults !tty_tickets
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
diff --git a/sudoers.d/README b/sudoers.d/README
new file mode 100644
index 0000000..b5ed892
--- /dev/null
+++ b/sudoers.d/README
@@ -0,0 +1,21 @@
+#
+# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
+# installation of the package now includes the directive:
+#
+# #includedir /etc/sudoers.d
+#
+# This will cause sudo to read and parse any files in the /etc/sudoers.d
+# directory that do not end in '~' or contain a '.' character.
+#
+# Note that there must be at least one file in the sudoers.d directory (this
+# one will do), and all files in this directory should be mode 0440.
+#
+# Note also, that because sudoers contents can vary widely, no attempt is
+# made to add this directive to existing sudoers files on upgrade. Feel free
+# to add the above directive to the end of your /etc/sudoers file to enable
+# this functionality for existing installations if you wish!
+#
+# Finally, please note that using the visudo command is the recommended way
+# to update sudoers content, since it protects against many failure modes.
+# See the man page for visudo for more information.
+#
diff --git a/sudoers.d/hashbangctl b/sudoers.d/hashbangctl
new file mode 100644
index 0000000..4f8918c
--- /dev/null
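Review bot: `Defaults !tty_tickets` makes a cached sudo authentication valid for every session of that user rather than only the terminal it was typed on, so on a shared shell host any process running under that user (a cron job, a compromised program) can run sudo without a password for the rest of the timeout window. Unless something here depends on it, removing that line, or writing `Defaults tty_tickets` explicitly, restores the per-terminal default; `Defaults !requiretty` by contrast only states sudo's upstream default and is harmless, but a comment saying it exists for non-interactive hashbangctl calls would explain why it is spelled out.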
+++ b/sudoers.d/hashbangctl
@@ -0,0 +1,3 @@
+# Allow all users to call hashbangctl(1) without
+# password.
+ALL ALL = NOEXEC: NOPASSWD: /usr/local/bin/hashbangctl
diff --git a/sysctl.conf b/sysctl.conf
new file mode 100644
index 0000000..3921cc5
--- /dev/null
+++ b/sysctl.conf
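Review bot: The rule lets every user run hashbangctl as root (no runas list, so sudo's default applies) with arbitrary arguments and no password, which means all input validation now lives inside hashbangctl itself; the comment should say so, and if the tool only takes a fixed set of subcommands the rule should enumerate them instead of leaving argv open. `NOEXEC` is also only a mitigation: it applies to dynamically linked programs that honor the preload mechanism, so it does not by itself guarantee hashbangctl cannot start other programs. A comment such as `# NOEXEC is best-effort; hashbangctl must validate every argument it is given` records both caveats for the next maintainer.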
@@ -0,0 +1,69 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+net.ipv4.conf.eth0.arp_notify = 1
+vm.swappiness = 60
+
+# Use CoDel (controlled delay) to avoid bufferbloat
+net.core.default_qdisc = fq_codel
+
+# Forbid unprivileged (~ CAP_SYS_ADMIN) processes to
+# instrument the kernel with perf_event_open(2)
+kernel.perf_event_paranoid = 2
diff --git a/sysctl.d/10-dmsg.conf b/sysctl.d/10-dmsg.conf
new file mode 100644
index 0000000..fd707af
--- /dev/null
+++ b/sysctl.d/10-dmsg.conf
@@ -0,0 +1 @@
+kernel.dmesg_restrict = 1
diff --git a/sysctl.d/99-sysctl.conf b/sysctl.d/99-sysctl.conf
new file mode 120000
index 0000000..2b0036b
--- /dev/null
+++ b/sysctl.d/99-sysctl.conf
@@ -0,0 +1 @@
+../sysctl.conf
\ No newline at end of file
diff --git a/systemd/journald.conf b/systemd/journald.conf
new file mode 100644
index 0000000..f5381ac
--- /dev/null
+++ b/systemd/journald.conf
@@ -0,0 +1,13 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# See journald.conf(5) for details
+
+[Journal]
+MaxLevelStore=notice
+MaxRetentionSec=1month
+SystemMaxUse=1G
diff --git a/systemd/system/crontab.target b/systemd/system/crontab.target
new file mode 100644
index 0000000..fb03aab
--- /dev/null
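Review bot: Every anti-redirect and anti-spoofing knob that this file's own comment block recommends is still commented out (`accept_redirects`, `send_redirects`, `accept_source_route`, `log_martians`, and `tcp_syncookies` above), so of the network hardening only rp_filter is actually applied on these internet-facing hosts. The usual baseline for a public shell server is to enable them, e.g. `net.ipv4.conf.all.accept_redirects = 0`, `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.all.log_martians = 1`, with the IPv6 counterparts already listed alongside. `net.ipv4.conf.eth0.arp_notify = 1` is tied to a single interface name and presumably errors out on any host whose NIC is named differently; a comment stating which hosts it targets would help.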
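Review bot: `MaxLevelStore=notice` drops every message below notice priority from the journal, which includes the info-level lines sshd emits under the `LogLevel INFO` set in this commit's sshd_config — the successful-login records among them — so the persistent journal would lack the authentication trail an incident responder needs, unless a separate syslog daemon on these hosts retains them (journald's forwarding is not governed by this setting). `MaxLevelStore=info` keeps that trail; the `MaxRetentionSec` and `SystemMaxUse` limits already present are the right place to bound volume instead.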
+++ b/systemd/system/crontab.target
@@ -0,0 +1,7 @@
+[Install]
+WantedBy=multi-user.target
+
+[Unit]
+Description=Simulates cron, limited to /etc/cron.*
+Requires=crontab@hour.timer crontab@day.timer
+Requires=crontab@week.timer crontab@month.timer
diff --git a/systemd/system/crontab@.service b/systemd/system/crontab@.service
new file mode 100644
index 0000000..0b42f9a
--- /dev/null
+++ b/systemd/system/crontab@.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=%Ily job for /etc/cron.%Ily
+RefuseManualStart=yes
+RefuseManualStop=yes
+ConditionDirectoryNotEmpty=/etc/cron.%Ily
+
+[Service]
+Type=oneshot
+IgnoreSIGPIPE=no
+WorkingDirectory=/
+ExecStart=/bin/run-parts --report /etc/cron.%Ily
diff --git a/systemd/system/crontab@.timer b/systemd/system/crontab@.timer
new file mode 100644
index 0000000..a61c7f9
--- /dev/null
+++ b/systemd/system/crontab@.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=%Ily timer simulating /etc/cron.%Ily
+PartOf=crontab.target
+RefuseManualStart=yes
+RefuseManualStop=yes
+
+[Timer]
+OnCalendar=1 %I
+Persistent=yes
diff --git a/systemd/system/crontab@day.service b/systemd/system/crontab@day.service
new file mode 100644
index 0000000..d2fa350
--- /dev/null
+++ b/systemd/system/crontab@day.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily job for /etc/cron.daily
+RefuseManualStart=yes
+RefuseManualStop=yes
+ConditionDirectoryNotEmpty=/etc/cron.daily
+
+[Service]
+Type=oneshot
+IgnoreSIGPIPE=no
+WorkingDirectory=/
+ExecStart=/bin/run-parts --report /etc/cron.daily
diff --git a/systemd/system/multi-user.target.wants/crontab.target b/systemd/system/multi-user.target.wants/crontab.target
new file mode 120000
index 0000000..b986a0a
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/crontab.target
@@ -0,0 +1 @@
+../crontab.target
\ No newline at end of file
diff --git a/timezone b/timezone
new file mode 100644
index 0000000..7f39493
--- /dev/null
+++ b/timezone
@@ -0,0 +1 @@
+Etc/UTC
diff --git a/tmpfiles.d/namespaces b/tmpfiles.d/namespaces
new file mode 100644
index 0000000..ad3b4dd
--- /dev/null
+++ b/tmpfiles.d/namespaces
@@ -0,0 +1,5 @@
+#Type Path Mode UID GID Age Argument
+d /dev/inst 0000 root root - -
+d /tmp/inst 0000 root root - -
+d /var/tmp/inst 0000 root root - -
+d /run/lock/inst 0000 root root - -
diff --git a/tor/torsocks.conf b/tor/torsocks.conf
new file mode 100644
index 0000000..016f0dd
--- /dev/null
+++ b/tor/torsocks.conf
@@ -0,0 +1,30 @@
+# This is the configuration for libtorsocks (transparent socks) for use
+# with tor, which is providing a socks server on port 9050 by default.
+#
+# Lines beginning with # and blank lines are ignored
+# Much more documentation than provided in these comments can be found in
+#
+# torsocks.conf(5), torsocks(1) and torsocks(8) manpages.
+
+# Default Tor address and port. By default, Tor will listen on localhost for
+# any SOCKS connection and relay the traffic on the Tor network.
+TorAddress 127.0.0.1
+TorPort 9050
+
+# Tor hidden sites do not have real IP addresses. This specifies what range of
+# IP addresses will be handed to the application as "cookies" for .onion names.
+# Of course, you should pick a block of addresses which you aren't going to
+# ever need to actually connect to. This is similar to the MapAddress feature
+# of the main tor daemon.
+OnionAddrRange 127.42.42.0/24
+
+# SOCKS5 Username and Password. This is used to isolate the torsocks connection
+# circuit from other streams in Tor. Use with option IsolateSOCKSAuth (on by
+# default) in tor(1). TORSOCKS_USERNAME and TORSOCKS_PASSWORD environment
+# variable overrides these options.
+#SOCKS5Username
+#SOCKS5Password
+
+# Set Torsocks to accept inbound connections. If set to 1, listen() and
+# accept() will be allowed to be used with non localhost address. (Default: 0)
+AllowInbound 1
diff --git a/unbound/unbound.conf.d/debian.conf b/unbound/unbound.conf.d/debian.conf
new file mode 100644
index 0000000..ab4c93e
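Review bot: `AllowInbound 1` departs from the default of 0 that the comment right above it documents, letting every torsocks-wrapped program listen() and accept() on non-loopback addresses, which removes one of torsocks' leak protections for all users of these hosts. A one-line comment above it stating why inbound connections are needed here (and by which use case) would keep the next maintainer from either reverting it or assuming the stricter default still holds.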
--- /dev/null
+++ b/unbound/unbound.conf.d/debian.conf
@@ -0,0 +1,3 @@
+server:
+ # Use DNS root hints from the dns-root-data Debian package
+ root-hints: "/usr/share/dns/root.hints"
diff --git a/unbound/unbound.conf.d/harden.conf b/unbound/unbound.conf.d/harden.conf
new file mode 100644
index 0000000..a52fead
--- /dev/null
+++ b/unbound/unbound.conf.d/harden.conf
@@ -0,0 +1,23 @@
+server:
+ # Do not expose information about the running deamon
+ hide-identity: yes
+ hide-version: yes
+
+ # Harden against ridiculously-short buffer sizes (potential DoS vector)
+ # This is against spec, but we aren't a public resolver.
+ harden-short-bufsize: yes
+
+ # Harden against abnormaly large queries (same reasoning)
+ harden-large-queries: yes
+
+ # Return NXDOMAIN for queries under a terminal known (and DNSSEC-validated)
+ # to be NXDOMAIN. Improves caching and avoids certain attacks
+ harden-below-nxdomain: yes
+
+ # Use 0x20-encoded random nonces for authenticating queries.
+ # Implementation of draft-dns-0x20, makes DNS poisoning harder
+ use-caps-for-id: yes
+
+ # Minimises queries sent upstream
+ # Avoids information disclosure to root/TLD DNS servers & improves caching
+ qname-minimisation: yes
diff --git a/unbound/unbound.conf.d/prefetch.conf b/unbound/unbound.conf.d/prefetch.conf
new file mode 100644
index 0000000..88725e4
--- /dev/null
+++ b/unbound/unbound.conf.d/prefetch.conf
@@ -0,0 +1,4 @@
+server:
+ # Prefetch popular domains before the cache expires
+ prefetch: yes
+ prefetch-key: yes
\ No newline at end of file
diff --git a/w3m/mailcap b/w3m/mailcap
new file mode 100644
index 0000000..21603a6
--- /dev/null
+++ b/w3m/mailcap
@@ -0,0 +1 @@
+application/xhtml+xml; cat %s; x-htmloutput
diff --git a/zsh/zprofile b/zsh/zprofile
new file mode 100644
index 0000000..4fd82ad
--- /dev/null
+++ b/zsh/zprofile
@@ -0,0 +1,9 @@
+# /etc/zsh/zprofile: system-wide .zprofile file for zsh(1).
+#
+# This file is sourced only for login shells (i.e. shells
+# invoked with "-" as the first character of argv[0], and
+# shells invoked with the -l flag.)
+#
+# Global Order: zshenv, zprofile, zshrc, zlogin
+umask 077
+emulate sh -c 'source /etc/profile'