Alright, so you grab the latest patch and follow the instructions. I'm
not going to repeat stuff. ;) On to debian implementation specifics.

lidsadm has changed from the howtos though, and the whole package
suffers from english-is-my-second-languagitis. :P Maybe I should
volunteer to fix that. ;) To make a directory/file read only you use:

lidsadm -A -o /path/or/file -j READ

Looks a bit like ipchains... Protect these paths:

/boot  (I put vmlinuz in /boot. If you've got it in root, protect
/vmlinuz. Heck, protecting / might not be a bad idea...)
/lib
/sbin
/bin
/usr/sbin
/usr/bin
/usr/lib
/etc/init.d

The docs say to protect /etc itself, but debian puts stuff in subdirs so
you should probably protect all of them too; I haven't seen anything for
making all subdirs inherit. I was slapping this up late at night so was
too lazy to mess with it, but anyway protecting /etc/init.d makes lids
happily let your init scripts run during startup because they're
protected. Now, debian doesn't have an rc.local. I have to write a sysv
init script, whee. Put a script in /etc/init.d that looks something like
this:

#!/bin/bash
# Remove subsys lock file when stopping
if [ "$1" = "stop" ]
then
    rm -f /var/run/local
    exit 0
fi

if [ "$1" = "start" ]
then
    # Lock file already there: we've run once this boot, don't start twice
    if [ -f /var/run/local ]
    then
        exit 0
    fi
    # Create lock file
    touch /var/run/local

    # Keep the console from blanking
    /usr/bin/setterm -blank 0 >/dev/console

    echo "Starting distributed.net client..." >/dev/console
    cd /usr/local/sbin/dnetc/
    ./dnetc >/dev/tty9 2>&1 &
    cd /

    echo "Waiting a bit before we seal the lid..."
    # Stupid race conditions
    sleep 10
    echo -n "Sealing the lid"
    # Seal the lid: from here on lids enforces its rules and module
    # loading is disabled, so everything that needs to load must be up
    /sbin/lidsadm -I
    echo .
fi

The last bit is the interesting bit that seals the lid. I was getting a
kernel oops without the sleep. Go fig. ;P

Add this local script to the end of startup with:

update-rc.d local defaults 99

Now with any luck it'll start up with no complaints from lids. If you
look how I have dnetc installed, I also had to protect
/usr/local/sbin/dnetc/dnetc to make lids happy...

I don't understand how APPEND works on directories, it doesn't seem to
inherit to the files in the dir, basically doesn't seem to do anything.
What would be nice is if you could set /var/log APPEND, then give write
access only to logrotate... Right now my logs are unprotected. I suppose
you have to add a rule for every file, which is icky. ;P
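Since neither the /etc subdir problem above nor the per-file APPEND on
/var/log gets any inheritance, here is a small generator (added example,
not part of the original post or of lids) that prints one lidsadm rule per
directory and regular file under a tree so the list can be reviewed before
it goes in the init script. It assumes the `lidsadm -A -o PATH -j ACTION`
form shown earlier; the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example: emit one lidsadm rule per entry under a tree, because the
# post reports that a rule on a directory does not inherit to its contents.
# Rules are printed, not executed, so they can be checked first.

# gen_rules ROOT ACTION
# Prints `lidsadm -A -o <entry> -j <ACTION>` for ROOT and every directory
# or regular file below it. Symlinks are skipped (-P): a rule on a link
# would not protect whatever it points at. Output is sorted for stable diffs.
gen_rules() {
    root=$1
    action=$2
    [ -d "$root" ] || { echo "gen_rules: $root is not a directory" >&2; return 1; }
    find -P "$root" \( -type d -o -type f \) -print | sort |
    while IFS= read -r entry; do
        # Paths are printed bare; quote them yourself if any contain spaces
        printf 'lidsadm -A -o %s -j %s\n' "$entry" "$action"
    done
}

# count_rules ROOT ACTION: how many rules the tree needs (to judge the "icky")
count_rules() {
    gen_rules "$1" "$2" | wc -l | tr -d ' '
}

# demo_tree: build a constructed layout like the one the post complains
# about (nested /etc and /var/log, plus a dangling symlink that must be
# skipped) in a temp dir and print its path.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/init.d" "$t/etc/network" "$t/var/log/apache"
    : > "$t/etc/init.d/local"
    : > "$t/var/log/syslog"
    : > "$t/var/log/apache/access.log"
    ln -s /nonexistent "$t/etc/dangling"
    echo "$t"
}

# Usage: T=$(demo_tree); gen_rules "$T/etc" READ; gen_rules "$T/var/log" APPEND
```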

It also appears I'm not logging the new 'security' loglevel added by
lids/openwall. Have to fix that...

Also had a problem with something trying to load the serial module. Now
that I think of it I have a getty running null modem for PPP to my
Atari, which triggered the loading of serial after the lid had been shut,
and that disables module loading. I fixed it by adding serial to
/etc/modules. Should probably protect that file...
