Bug#973401: initscripts: TMPTIME=0 should mkfs for separate filesystem
Nigel Horne
njh at bandsman.co.uk
Thu Oct 29 12:58:35 GMT 2020
Package: initscripts
Version: 2.96-5
Severity: wishlist
Dear Maintainer,
If TMPTIME is set to 0 (all files are removed regardless of age)
and /tmp is mounted as a separate filesystem on disk, why not simply
run mkfs on the filesystem before mounting it? As well as clearing out
fluff more quickly, it will also put the filesystem into a pristine state.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.8.0-1-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages initscripts depends on:
ii lsb-base 11.1.0
ii sysv-rc 2.96-5
Versions of packages initscripts recommends:
ii e2fsprogs 1.45.6-1
ii psmisc 23.3-1
initscripts suggests no packages.
-- Configuration Files:
/etc/default/rcS changed:
TMPTIME=14
FSCKFIX=yes
/etc/init.d/rc.local changed:
# Fixed search path for every command this init script runs.
PATH='/sbin:/usr/sbin:/bin:/usr/bin'
# Load the rcS defaults (expected to provide VERBOSE, read by do_start and
# do_stop) and the LSB helpers log_begin_msg/log_end_msg, in that order.
. /lib/init/vars.sh
. /lib/lsb/init-functions
# Run "/etc/rc.local start" when that file exists and is executable, and
# return its exit status. When it is absent or not executable nothing is run
# and the function falls out of the if with status 0. Progress messages are
# emitted via the LSB log helpers unless VERBOSE is exactly "no".
do_start() {
  if [ -x /etc/rc.local ]; then
    if [ "$VERBOSE" != no ]; then
      log_begin_msg "Running local boot scripts (/etc/rc.local)"
    fi
    /etc/rc.local start
    # ES is intentionally a script-level variable, as in the stock script.
    ES=$?
    if [ "$VERBOSE" != no ]; then
      log_end_msg "$ES"
    fi
    return "$ES"
  fi
}
# Run "/etc/rc.local stop" when that file exists and is executable, and
# return its exit status; otherwise do nothing (status 0). Mirrors do_start,
# including the VERBOSE-gated LSB log messages.
do_stop() {
  if [ -x /etc/rc.local ]; then
    if [ "$VERBOSE" != no ]; then
      log_begin_msg "Stopping local boot scripts (/etc/rc.local)"
    fi
    /etc/rc.local stop
    # ES is intentionally a script-level variable, as in the stock script.
    ES=$?
    if [ "$VERBOSE" != no ]; then
      log_end_msg "$ES"
    fi
    return "$ES"
  fi
}
# Dispatch on the init action. Only start and stop are meaningful for
# rc.local; the LSB restart/reload/force-reload actions and anything
# unrecognised are refused with exit status 3 and a message on stderr.
case "$1" in
  start)
    do_start
    ;;
  stop)
    do_stop
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
  *)
    echo "Usage: $0 start|stop" >&2
    exit 3
    ;;
esac
/etc/rc.local changed:
# Action to run: "start" when the script is invoked with no arguments,
# otherwise the first argument verbatim (an explicitly empty $1 stays empty).
arg=${1-start}
# Route outbound HTTP/FTP from the services launched below through the local
# proxy on 127.0.0.1:3128; localhost bypasses the proxy.
export http_proxy=http://127.0.0.1:3128
export no_proxy=localhost
export ftp_proxy=http://127.0.0.1:3128
# Dispatch on the action selected above. The start arm configures the
# firewall, creates scratch directories under /tmp and /var/run and launches
# the site's daemons; the stop arm does mail-queue housekeeping before
# shutdown. No "set -e" is visible in this file, so individual command
# failures do not stop the sequence.
case "$arg" in
# An empty action is treated like start ("no arguments" is already mapped
# to start above).
start|"")
echo "Starting local services..."
# hidepid=2: /proc/<pid> entries of other users' processes are hidden from
# unprivileged users.
mount -o remount,rw,hidepid=2 /proc
if [ ! -d /var/run/clamav ]; then
mkdir /var/run/clamav
chown -R clamav:clamav /var/run/clamav
fi
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/sbin/clamd&
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/freshclam --quiet&
# This host routes for the internal network: enable IPv4 forwarding and
# masquerade everything leaving on eth1 (the modem side, see below).
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# http://lists.netfilter.org/pipermail/netfilter/2002-May/034048.html
# eth1 is connected to the modem, eth0 to the internal network
## SYN-FLOODING PROTECTION
# Inbound SYNs on eth1 are rate-limited to 1/s (burst 4); the excess is
# dropped in the syn-flood chain.
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
# Limit max connections per IP address
# Per-source cap (mask 32) of 15 concurrent connections; the excess gets a
# TCP RST rather than a silent drop.
iptables -A INPUT -i eth1 -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Allow 160 new connections per second before limit of 150 new
# connects per second is applied
# NOTE(review): this ACCEPTs RELATED/ESTABLISHED traffic only while under the
# rate limit; packets above it simply fall through to the rules that follow.
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
## FRAGMENTS
# Log fragments just to see if we get any, and deny them too.
# iptables -A INPUT -i eth1 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
# iptables -A INPUT -i eth1 -f -j DROP
## SPOOFING
# Refuse spoofed packets pretending to be from your IP address.
# 192.168.1.0/24 is the LAN (same net as the eth0 anti-spoof rule further down).
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
# Refuse packets claiming to be from a Class C private network.
# iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source
# address.
# iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i eth1 -s 240.0.0.0/4 -j DROP
# Refuse packets claiming to be to the loopback interface.
iptables -A INPUT -i eth1 -d 127.0.0.1/27 -j DROP
# Refuse broadcast address packets.
# iptables -A INPUT -i eth1 -d 192.168.1.31 -j DROP
# Block spoofed traffic on LAN
# NOTE(review): this LOG rule has no "-m limit", so a burst of spoofed LAN
# packets can flood syslog; the commented LOGGING block further down shows
# the rate-limited form.
iptables -A INPUT -i eth0 ! -s 192.168.1.0/24 -j LOG --log-prefix "SPOOFED PKT "
iptables -A INPUT -i eth0 ! -s 192.168.1.0/24 -j DROP
# Allow LAN traffic
# iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
# Allow all loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Known attackers
# Static per-address blocklist; entries never expire and carry no provenance.
iptables -A INPUT -s 115.239.228.14 -j DROP
iptables -A INPUT -s 62.210.113.184 -j DROP
iptables -A INPUT -s 60.173.14.210 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Source-specific allow rules on the external interface.
iptables -A INPUT -i eth1 -s 130.14.0.0/16 -j ACCEPT
iptables -A INPUT -i eth1 -s 108.28.231.36 -j ACCEPT
iptables -A INPUT -i eth1 -s 72.83.250.144 -j ACCEPT
# NOTE(review): no chain name follows -A on the next line (the next token is
# -i), so this is not a valid rule and iptables rejects it; because nothing
# aborts on error, the inbound SMTP allow is silently never installed. Going
# by the surrounding rules the chain is presumably INPUT -- confirm, then
# use: iptables -A INPUT -i eth1 -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
iptables -A -i eth1 -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
# Log dropped packets
# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix 'IPTables packet dropped: ' --log-level 7
# iptables -A LOGGING -j DROP
# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix 'iptables denied: ' --log-level 6 -i eth1
# ip6tables -A INPUT -j LOG --log-prefix "IPv6 "
# ip6tables -A FORWARD -j LOG --log-prefix "IPv6 "
# ip6tables -A FORWARD -j LOG ! -i lo
# Purge CPAN build trees and single-character author-id directories for root
# and njh, in the background.
rm -rf ~root/.cpan/build/* ~root/.cpan/sources/authors/id/?&
rm -rf ~njh/.cpan/build/* ~njh/.cpan/sources/authors/id/?&
# No -f: prints an error when there are no lock files (harmless here).
rm /usr/local/test-smoke/*.lck
# /etc/init.d/spf-milter-python stop
# killall /usr/bin/spfmilter.py
# mkdir without -p: fails (non-fatally) if the directory already exists, and a
# fresh directory gets umask-derived permissions.
mkdir /tmp/unofficial-dbs
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/sbin/update_sanesecurity</dev/null>/dev/null 2>&1&
rm /usr/unofficial-dbs/configs/last*
# /usr/local/sbin/clamav-unofficial-sigs.sh -c /usr/local/etc/clamav-unofficial-sigs.conf</dev/null>/dev/null 2>&1 &
# Background signature/rule updates; their exit status is not checked.
sa-update&
nikto -update&
# /usr/sbin/fwsnort --update-rules
# /usr/sbin/fwsnort
# /var/lib/fwsnort/fwsnort.sh&
# These are needed for psad
# Unthrottled LOG of all eth1 traffic except one source; psad reads the
# resulting syslog lines. Expect significant log volume.
/sbin/iptables -A INPUT -j LOG -i eth1 \! -s 173.79.63.100
/sbin/iptables -A FORWARD -j LOG -i eth1 \! -s 173.79.63.100
# Drop incoming traffic from AWS
# -I inserts at the head of INPUT, so these are evaluated before every rule
# appended above.
/sbin/iptables -I INPUT -s 54.184.0.0/14 -j DROP
/sbin/iptables -I INPUT -s 54.216.0.0/14 -j DROP
/sbin/iptables -I INPUT -s 54.220.0.0/15 -j DROP
/sbin/iptables -I INPUT -s 54.208.0.0/13 -j DROP
/sbin/iptables -I INPUT -s 54.176.0.0/12 -j DROP
(psad -sig-update && psad -H)>/dev/null 2>&1 &
# [ -d /tmp/cpan ] || (mkdir /tmp/cpan && chmod 777 /tmp/cpan)
# World-writable scratch directories and files under the shared /tmp, created
# by root. NOTE(review): "[ -d ]" follows symlinks, so a pre-existing entry
# at any of these fixed names (including a symlink) is accepted as-is, and
# ">/tmp/phishes" below truncates whatever that name currently resolves to
# before making it mode 666. Safer: keep them in a root-owned directory
# outside /tmp (or per-service dirs under /var/run with tight ownership) and
# make sure fs.protected_symlinks is enabled.
[ -d /tmp/viruses ] || (mkdir /tmp/viruses && chmod 777 /tmp/viruses)
[ -d /tmp/descriptions-cache ] || (mkdir /tmp/descriptions-cache && chmod 777 /tmp/descriptions-cache)
[ -d /var/tmp/descriptions-cache ] || (mkdir /var/tmp/descriptions-cache && chmod 777 /var/tmp/descriptions-cache)
>/tmp/phishes && chmod 666 /tmp/phishes
# Remove stale pid and socket files from the previous run.
rm -f /var/run/tomek /var/run/cpan /var/run/blacklist /var/run/spf-milter-python/spfmilter.pid /var/run/mailermailer.sock
rm -f /var/cache/http-cache-transparent/*.tmp*&
# /usr/local/etc/cpan /tmp/cpan local:/var/run/cpan&
# Site-local daemons, started in the background on their unix sockets.
/usr/local/etc/tomek local:/var/run/tomek&
# /usr/local/etc/mailermailermilter&
# /usr/local/etc/blacklist -f /var/log/syslog/local/mail/mail.info local:/var/run/blacklist&
# /usr/local/etc/usermilter local:/var/run/usermilter&
# /usr/local/etc/cmilter local:/var/run/cmilter&
# /usr/local/etc/dupmilter local:/var/run/dupmilter&
# /usr/local/sbin/sshmonitor>>/var/log/auth.log 2>&1&
# /etc/init.d/breakinguard start 2>&1&
# ~njh/bin/pop3-clear>/dev/null 2>&1&
pyzord&
# ~njh/bin/phpbb_albanian 2>&1>/dev/null&
~njh/bin/travellite&
# ~njh/bin/spamcop_remove_unreported 2>&1 | mail -s remove_unreported njh 2> /dev/null&
# Spamassassin load balance
if [ ! -d /var/run/pen ]; then
mkdir /var/run/pen
fi
# pen listens on 10782 and balances across localhost and packard on 10783.
pen 10782 -r -p /var/run/pen/spamass-milter localhost:10783 packard:10783&
# curl -o /usr/local/share/clamav/mbl.ndb http://www.malware.com.br/cgi/submit?action=list_clamav_ext&
# chown -R clamav:clamav /tmp/unofficial-dbs /usr/unofficial-dbs&
# Fresh, world-writable spambot database owned by www-data; the same /tmp
# symlink caveat as above applies to the truncation.
> /tmp/spambot.db
chown www-data:www-data /tmp/spambot*
chmod 666 /tmp/spambot*
# mkdir -p /var/run/clamav /var/run/spf-milter-python
# mkdir -p is idempotent, unlike the guarded mkdir at the top of this arm.
mkdir -p /var/run/clamav /var/run/spf-milter-python
chown -R clamav:clamav /var/run/clamav
# chown -R spf-milter-python /var/run/spf-milter-python
# /etc/init.d/spf-milter-python start&
# Flush writes and pause before the service restarts below.
sync
sleep 5
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/sbin/clamav-milter --max-children=2 --broadcast=eth1 -eq --server=packard:localhost -P --pidfile=/var/run/clamav/clamav-milter.pid --blacklist-time=60 --dont-blacklist=212.159.0.0/19,84.92.0.0/15,217.154.105.2,212.159.7.187,217.157.23.243,212.159.7.186,212.159.14.131 --black-hole-mode local:/var/run/clamav/clamav.sock -W /usr/local/share/clamav/milter-whitelist --report-phish-false-positive=nigel_horne at hotmail.com&
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/sbin/Oclamav-milter --max-children=2 --broadcast=eth1 -eq --server=packard:localhost -P --pidfile=/var/run/clamav/clamav-milter.pid --blacklist-time=60 --dont-blacklist=212.159.0.0/19,84.92.0.0/15,217.154.105.2,212.159.7.187,217.157.23.243,212.159.7.186,212.159.14.131 local:/var/run/clamav/clamav.sock -W /usr/local/share/clamav/milter-whitelist --report-phish-false-positive=nigel_horne at hotmail.com&
# LD_LIBRARY_PATH=/usr/local/lib /usr/local/sbin/clamav-milter&
# finger postmaster at autoturn.force9.net 2>&1>>/var/log/ppp/autoturn&
# nice ionice -c 3 /usr/local/bin/usbbackup&
# NOTE(review): the mailbox password on the next line is passed in cleartext
# on the command line, so it is readable by every local user via the process
# list and is now also part of this public bug report. Move the credential
# out of argv (a mode-0600 file read by the tool, or a file sourced into the
# environment) and rotate it, since it has been disclosed.
nice /usr/local/sbin/fetchyahoo --username=nigel_horne --password=handsoff --spool=/var/mail/spam --folder=Spam --allmsgs --delete&
# One-shot, non-daemonised puppet run against the site's master, in the background.
puppet agent --server gateway.bandsman.co.uk --no-daemonize --verbose --onetime&
# watchdog -s does this
# /usr/local/etc/update&
# Bounce the web/mail/IDS services: stops run sequentially, starts and
# restarts are backgrounded (puppetmaster is stopped but not started again here).
service dovecot stop
service puppetmaster stop
service apache2 stop
service portsentry stop
sync
service dovecot start&
service apache2 start&
service portsentry start&
service dupmilter restart&
service blacklist-milter restart&
# Test-harness parallelism for the smoke-test jobs (their launchers are
# currently commented out below).
export HARNESS_OPTIONS=j3:c
export TEST_JOBS=3
# nice su - njh -c /usr/local/bin/minismokeboxd&
# su - njh -c /usr/local/bin/smokeboxd&
# See /etc/init.d/metabase-relayd
# http_proxy= nice /usr/local/bin/metabase-relayd >>/var/log/metabase-relay.log 2>&1 &
;;
stop)
echo "Stopping local services..."
# Shutdown-time mail housekeeping, mostly in the background.
~spam/bin/spam-bounce&
/usr/local/bin/li -r0l /var/spool/mqueue>/dev/null&
# NOTE(review): find | xargs without -print0/-0 mis-handles whitespace in
# names, and the match is not limited to regular files. Prefer:
# find /var/spool/mqueue -type f -mtime +3 -print0 | xargs -0 rm -f -- &
find /var/spool/mqueue -mtime +3|xargs rm -f&
# ~njh/bin/sendcpan&
/usr/local/bin/freshclam --submit-stats --quiet -l /var/log/clamav/freshclam.log>/dev/null 2>&1&
# pkill's status gates the &&: sendmail is restarted only when a process was
# actually signalled.
pkill sendmail && /etc/init.d/sendmail restart
# ~njh/bin/pop3-bounce>>/tmp/pop3log 2>&1 &
# killall finger 2>&1>/dev/null
# finger postmaster at autoturn.force9.net 2>&1>>/var/log/ppp/autoturn&
# njh/bin/spamcop>/dev/null 2>&1 &
# ~njh/bin/phpbb_albanian 2>&1>/dev/null&
# /usr/local/sbin/sortoutrc>/dev/null 2>&1&
sync
sleep 5
killall clsniffer&
# ~njh/bin/pop3-clear>/dev/null 2>&1&
# perl /usr/local/sbin/sendmail-milter-spf.pl -k
;;
# restart re-invokes this script for stop, then start.
restart)
$0 stop
$0 start
;;
# reload is treated as start.
reload)
$0 start
;;
# NOTE(review): the usage text advertises "status", but no status arm exists,
# so "status" reaches this default and exits 1. The final arm has no ";;",
# which is legal before esac.
*)
echo "Usage: $0 {start|stop|restart|reload|status}" 1>&2
logger "$0: bad args $1"
exit 1
esac
# Handled actions always exit 0, regardless of individual command failures above.
exit 0
-- no debconf information