./ 0040775 0000770 0000770 00000000000 11502514044 007415 5 ustar xls xls ./install 0100555 0000770 0000770 00000002103 11466646422 011015 0 ustar xls xls #! /bin/bash
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/java/j2sdk1.4.1_01/bin:/usr/ant/apache-ant-1.6.1/bin:/xls/bin:/xls/scripts:/xls/diag
export PATH
# since the output from this script shows up in the users screen, we should re-direct our output
# reset our priority before doing our work. we were called by gui who
# tries to counter all the nohups by renicing us to -10 before we run.
# this script does not restart everything so we need to make sure to
# fix that. plus, when we finally do restart httpd we do not want it
# to some random priority.
if [ -f /xls/diag/reset_xls_priority -a -x /xls/diag/reset_xls_priority ]; then
/xls/diag/reset_xls_priority >/dev/null 2>&1
fi
./xlsexec ./installreal
if [ -f /xls/diag/reset_xls_priority -a -x /xls/diag/reset_xls_priority ]; then
/xls/diag/reset_xls_priority >/dev/null 2>&1
fi
# send a nice message to the user:
#
echo ""
echo "Please wait until the installation finishes before using the XLS."
echo "The upgrade takes several minutes, and you will have to log in to X-Link once it has finished."
./installreal 0100755 0000770 0000770 00000004213 11466604423 011662 0 ustar xls xls #! /bin/bash
#
# This script will build the default directory struture for creating a new (full) release of the XLS software.
#
# Copyright Qualstar Corp 2006
#
PATH=.:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/java/j2sdk1.4.1_01/bin:/usr/ant/apache-ant-1.6.1/bin:/xls/bin:/xls/scripts:/xls/diag
export PATH
JAVA_HOME=/usr/java/j2sdk1.4.1_04
JAVA_OPTS="-Dcom.qualstar.xman.propertystore=com.qualstar.util.PropertyFile -Dcom.qualstar.root.directory=/usr/jakarta-tomcat-5.0.12/webapps/ROOT -Djava.library.path=.:/usr/lib"
CATALINA_OPTS="-Dcom.qualstar.xman.propertystore=com.qualstar.util.PropertyFile -Dcom.qualstar.root.directory=/usr/jakarta-tomcat-5.0.12/webapps/ROOT"
CATALINA_HOME=/usr/jakarta-tomcat-5.0.12
export JAVA_HOME JAVA_OPTS CATALINA_OPTS CATALINA_HOME
# we use the install program to set perms, owner, grp:
INSTALL=/usr/bin/install
install_tun()
{
echo "installing the tun script to get root access"
echo "mv /xls/bin/tun /xls/bin/tun.orig"
mv /xls/bin/tun /xls/bin/tun.orig
echo "return code, $?"
echo "cp ./extra_scripts/tun /xls/bin/tun"
cp ./tun /xls/bin/tun
echo "return code, $?"
chmod 555 /xls/bin/tun
ls -l /xls/bin/tun
echo "Done."
}
remove_tun()
{
echo "restoring the tun program back to the original"
mv /xls/bin/tun.orig /xls/bin/tun
chmod 755 /xls/bin/tun
ls -l /xls/bin/tun
echo "Done."
}
run_upgrade()
{
/usr/bin/sudo tun ./install_files.sh
/usr/bin/sudo tun ./restart_services.sh
/bin/touch /etc/xls/secured
}
###########################################################################################################
# connect our output to the log file
LOGFILE=/xls/tmp/secure_upgrade.log
exec 0${LOGFILE}
exec 2>${LOGFILE}
ps elp$$
# make sure we don't have weird priorities:
if [ -f /xls/diag/reset_xls_priority -a -x /xls/diag/reset_xls_priority ]; then
/xls/diag/reset_xls_priority
fi
install_tun;
run_upgrade;
remove_tun;
# clean out the release directory (delete only directories)
# run it in the background because we are going to delete the parent script!
/xls/bin/xlsexec /xls/diag/clean_release_dir -only_dirs
./services 0100644 0000770 0000770 00000050312 11502514032 011154 0 ustar xls xls # /etc/services:
# $Id: services,v 1.31 2002/04/03 16:53:20 notting Exp $
#
# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1700, ``Assigned Numbers'' (October 1994). Not all ports
# are included, only the more common ones.
#
# The latest IANA port assignments can be gotten from
# http://www.iana.org/assignments/port-numbers
# The Well Known Ports are those from 0 through 1023.
# The Registered Ports are those from 1024 through 49151
# The Dynamic and/or Private Ports are those from 49152 through 65535
#
# Each line describes one service, and is of the form:
#
# service-name port/protocol [aliases ...] [# comment]
tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
systat 11/udp users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote
qotd 17/udp quote
msp 18/tcp # message send protocol
msp 18/udp # message send protocol
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
# 24 - private mail system
smtp 25/tcp mail
smtp 25/udp mail
time 37/tcp timserver
time 37/udp timserver
rlp 39/tcp resource # resource location
rlp 39/udp resource # resource location
nameserver 42/tcp name # IEN 116
nameserver 42/udp name # IEN 116
nicname 43/tcp whois
nicname 43/udp whois
tacacs 49/tcp # Login Host Protocol (TACACS)
tacacs 49/udp # Login Host Protocol (TACACS)
re-mail-ck 50/tcp # Remote Mail Checking Protocol
re-mail-ck 50/udp # Remote Mail Checking Protocol
domain 53/tcp # name-domain server
domain 53/udp
whois++ 63/tcp
whois++ 63/udp
bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp # BOOTP client
bootpc 68/udp
tftp 69/tcp
tftp 69/udp
gopher 70/tcp # Internet Gopher
gopher 70/udp
netrjs-1 71/tcp # Remote Job Service
netrjs-1 71/udp # Remote Job Service
netrjs-2 72/tcp # Remote Job Service
netrjs-2 72/udp # Remote Job Service
netrjs-3 73/tcp # Remote Job Service
netrjs-3 73/udp # Remote Job Service
netrjs-4 74/tcp # Remote Job Service
netrjs-4 74/udp # Remote Job Service
finger 79/tcp
finger 79/udp
http 80/tcp www www-http # WorldWideWeb HTTP
http 80/udp www www-http # HyperText Transfer Protocol
kerberos 88/tcp kerberos5 krb5 # Kerberos v5
kerberos 88/udp kerberos5 krb5 # Kerberos v5
supdup 95/tcp
supdup 95/udp
hostname 101/tcp hostnames # usually from sri-nic
hostname 101/udp hostnames # usually from sri-nic
iso-tsap 102/tcp tsap # part of ISODE.
csnet-ns 105/tcp cso # also used by CSO name server
csnet-ns 105/udp cso
# unfortunately the poppassd (Eudora) uses a port which has already
# been assigned to a different service. We list the poppassd as an
# alias here. This should work for programs asking for this service.
# (due to a bug in inetd the 3com-tsmux line is disabled)
#3com-tsmux 106/tcp poppassd
#3com-tsmux 106/udp poppassd
rtelnet 107/tcp # Remote Telnet
rtelnet 107/udp
pop2 109/tcp pop-2 postoffice # POP version 2
pop2 109/udp pop-2
pop3 110/tcp pop-3 # POP version 3
pop3 110/udp pop-3
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
auth 113/tcp authentication tap ident
auth 113/udp authentication tap ident
sftp 115/tcp
sftp 115/udp
uucp-path 117/tcp
uucp-path 117/udp
nntp 119/tcp readnews untp # USENET News Transfer Protocol
nntp 119/udp readnews untp # USENET News Transfer Protocol
ntp 123/tcp
ntp 123/udp # Network Time Protocol
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
imap 143/tcp imap2 # Interim Mail Access Proto v2
imap 143/udp imap2
snmp 161/tcp # Simple Net Mgmt Proto
snmp 161/udp # Simple Net Mgmt Proto
snmptrap 162/udp snmp-trap # Traps for SNMP
cmip-man 163/tcp # ISO mgmt over IP (CMOT)
cmip-man 163/udp
cmip-agent 164/tcp
cmip-agent 164/udp
mailq 174/tcp # MAILQ
mailq 174/udp # MAILQ
xdmcp 177/tcp # X Display Mgr. Control Proto
xdmcp 177/udp
nextstep 178/tcp NeXTStep NextStep # NeXTStep window
nextstep 178/udp NeXTStep NextStep # server
bgp 179/tcp # Border Gateway Proto.
bgp 179/udp
prospero 191/tcp # Cliff Neuman's Prospero
prospero 191/udp
irc 194/tcp # Internet Relay Chat
irc 194/udp
smux 199/tcp # SNMP Unix Multiplexer
smux 199/udp
at-rtmp 201/tcp # AppleTalk routing
at-rtmp 201/udp
at-nbp 202/tcp # AppleTalk name binding
at-nbp 202/udp
at-echo 204/tcp # AppleTalk echo
at-echo 204/udp
at-zis 206/tcp # AppleTalk zone information
at-zis 206/udp
qmtp 209/tcp # Quick Mail Transfer Protocol
qmtp 209/udp # Quick Mail Transfer Protocol
z39.50 210/tcp z3950 wais # NISO Z39.50 database
z39.50 210/udp z3950 wais
ipx 213/tcp # IPX
ipx 213/udp
imap3 220/tcp # Interactive Mail Access
imap3 220/udp # Protocol v3
link 245/tcp ttylink
link 245/ucp ttylink
fatserv 347/tcp # Fatmen Server
fatserv 347/udp # Fatmen Server
rsvp_tunnel 363/tcp
rsvp_tunnel 363/udp
rpc2portmap 369/tcp
rpc2portmap 369/udp # Coda portmapper
codaauth2 370/tcp
codaauth2 370/udp # Coda authentication server
ulistproc 372/tcp ulistserv # UNIX Listserv
ulistproc 372/udp ulistserv
ldap 389/tcp
ldap 389/udp
svrloc 427/tcp # Server Location Protocl
svrloc 427/udp # Server Location Protocl
mobileip-agent 434/tcp
mobileip-agent 434/udp
mobilip-mn 435/tcp
mobilip-mn 435/udp
https 443/tcp # MCom
https 443/udp # MCom
snpp 444/tcp # Simple Network Paging Protocol
snpp 444/udp # Simple Network Paging Protocol
microsoft-ds 445/tcp
microsoft-ds 445/udp
kpasswd 464/tcp kpwd # Kerberos "passwd"
kpasswd 464/udp kpwd # Kerberos "passwd"
photuris 468/tcp
photuris 468/udp
saft 487/tcp # Simple Asynchronous File Transfer
saft 487/udp # Simple Asynchronous File Transfer
gss-http 488/tcp
gss-http 488/udp
pim-rp-disc 496/tcp
pim-rp-disc 496/udp
isakmp 500/tcp
isakmp 500/udp
gdomap 538/tcp # GNUstep distributed objects
gdomap 538/udp # GNUstep distributed objects
iiop 535/tcp
iiop 535/udp
dhcpv6-client 546/tcp
dhcpv6-client 546/udp
dhcpv6-server 547/tcp
dhcpv6-server 547/udp
rtsp 554/tcp # Real Time Stream Control Protocol
rtsp 554/udp # Real Time Stream Control Protocol
nntps 563/tcp # NNTP over SSL
nntps 563/udp # NNTP over SSL
whoami 565/tcp
whoami 565/udp
submission 587/tcp msa # mail message submission
submission 587/udp msa # mail message submission
npmp-local 610/tcp dqs313_qmaster # npmp-local / DQS
npmp-local 610/udp dqs313_qmaster # npmp-local / DQS
npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS
npmp-gui 611/udp dqs313_execd # npmp-gui / DQS
hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS
hmmp-ind 612/udp dqs313_intercell # HMMP Indication / DQS
ipp 631/tcp # Internet Printing Protocol
ipp 631/ucp # Internet Printing Protocol
ldaps 636/tcp # LDAP over SSL
ldaps 636/udp # LDAP over SSL
acap 674/tcp
acap 674/udp
ha-cluster 694/tcp # Heartbeat HA-cluster
ha-cluster 694/udp # Heartbeat HA-cluster
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
kerberos-iv 750/udp kerberos4 kerberos-sec kdc
kerberos-iv 750/tcp kerberos4 kerberos-sec kdc
webster 765/tcp # Network dictionary
webster 765/udp
phonebook 767/tcp # Network phonebook
phonebook 767/udp
rsync 873/tcp # rsync
rsync 873/udp # rsync
telnets 992/tcp
telnets 992/udp
imaps 993/tcp # IMAP over SSL
imaps 993/udp # IMAP over SSL
ircs 994/tcp
ircs 994/udp
pop3s 995/tcp # POP-3 over SSL
pop3s 995/udp # POP-3 over SSL
#
# UNIX specific services
#
exec 512/tcp
biff 512/udp comsat
login 513/tcp
who 513/udp whod
shell 514/tcp cmd # no passwords used
syslog 514/udp
printer 515/tcp spooler # line printer spooler
printer 515/udp spooler # line printer spooler
talk 517/udp
ntalk 518/udp
utime 519/tcp unixtime
utime 519/udp unixtime
efs 520/tcp
router 520/udp route routed # RIP
ripng 521/tcp
ripng 521/udp
timed 525/tcp timeserver
timed 525/udp timeserver
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
netnews 532/tcp
netwall 533/udp # -for emergency broadcasts
uucp 540/tcp uucpd # uucp daemon
klogin 543/tcp # Kerberized `rlogin' (v5)
kshell 544/tcp krcmd # Kerberized `rsh' (v5)
afpovertcp 548/tcp # AFP over TCP
afpovertcp 548/udp # AFP over TCP
remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem
#
# From ``PORT NUMBERS'':
#
#>REGISTERED PORT NUMBERS
#>
#>The Registered Ports are listed by the IANA and on most systems can be
#>used by ordinary user processes or programs executed by ordinary
#>users.
#>
#>Ports are used in the TCP [RFC793] to name the ends of logical
#>connections which carry long term conversations. For the purpose of
#>providing services to unknown callers, a service contact port is
#>defined. This list specifies the port used by the server process as
#>its contact port.
#>
#>The IANA registers uses of these ports as a convienence to the
#>community.
#
socks 1080/tcp # socks proxy server
socks 1080/udp # socks proxy server
# Port 1236 is registered as `bvcontrol', but is also used by the
# Gracilis Packeten remote config server. The official name is listed as
# the primary name, with the unregistered name as an alias.
bvcontrol 1236/tcp rmtcfg # Daniel J. Walsh, Gracilis Packeten remote config server
bvcontrol 1236/udp # Daniel J. Walsh
h323hostcallsc 1300/tcp # H323 Host Call Secure
h323hostcallsc 1300/udp # H323 Host Call Secure
ms-sql-s 1433/tcp # Microsoft-SQL-Server
ms-sql-s 1433/udp # Microsoft-SQL-Server
ms-sql-m 1434/tcp # Microsoft-SQL-Monitor
ms-sql-m 1434/udp # Microsoft-SQL-Monitor
ica 1494/tcp # Citrix ICA Client
ica 1494/udp # Citrix ICA Client
wins 1512/tcp # Microsoft's Windows Internet Name Service
wins 1512/udp # Microsoft's Windows Internet Name Service
ingreslock 1524/tcp
ingreslock 1524/udp
prospero-np 1525/tcp # Prospero non-privileged
prospero-np 1525/udp
datametrics 1645/tcp old-radius # datametrics / old radius entry
datametrics 1645/udp old-radius # datametrics / old radius entry
sa-msg-port 1646/tcp old-radacct # sa-msg-port / old radacct entry
sa-msg-port 1646/udp old-radacct # sa-msg-port / old radacct entry
kermit 1649/tcp
kermit 1649/udp
l2tp 1701/tcp l2f
l2tp 1701/udp l2f
h323gatedisc 1718/tcp
h323gatedisc 1718/udp
h323gatestat 1719/tcp
h323gatestat 1719/udp
h323hostcall 1720/tcp
h323hostcall 1720/udp
tftp-mcast 1758/tcp
tftp-mcast 1758/udp
hello 1789/tcp
hello 1789/udp
radius 1812/tcp # Radius
radius 1812/udp # Radius
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct # Radius Accounting
mtp 1911/tcp #
mtp 1911/udp #
hsrp 1985/tcp # Cisco Hot Standby Router Protocol
hsrp 1985/udp # Cisco Hot Standby Router Protocol
licensedaemon 1986/tcp
licensedaemon 1986/udp
gdp-port 1997/tcp # Cisco Gateway Discovery Protocol
gdp-port 1997/udp # Cisco Gateway Discovery Protocol
nfs 2049/tcp nfsd
nfs 2049/udp nfsd
zephyr-srv 2102/tcp # Zephyr server
zephyr-srv 2102/udp # Zephyr server
zephyr-clt 2103/tcp # Zephyr serv-hm connection
zephyr-clt 2103/udp # Zephyr serv-hm connection
zephyr-hm 2104/tcp # Zephyr hostmanager
zephyr-hm 2104/udp # Zephyr hostmanager
cvspserver 2401/tcp # CVS client/server operations
cvspserver 2401/udp # CVS client/server operations
venus 2430/tcp # codacon port
venus 2430/udp # Venus callback/wbc interface
venus-se 2431/tcp # tcp side effects
venus-se 2431/udp # udp sftp side effect
codasrv 2432/tcp # not used
codasrv 2432/udp # server port
codasrv-se 2433/tcp # tcp side effects
codasrv-se 2433/udp # udp sftp side effectQ
# Ports numbered 2600 through 2606 are used by the zebra package without
# being registred. The primary names are the registered names, and the
# unregistered names used by zebra are listed as aliases.
hpstgmgr 2600/tcp zebrasrv # HPSTGMGR
hpstgmgr 2600/udp # HPSTGMGR
discp-client 2601/tcp zebra # discp client
discp-client 2601/udp # discp client
discp-server 2602/tcp ripd # discp server
discp-server 2602/udp # discp server
servicemeter 2603/tcp ripngd # Service Meter
servicemeter 2603/udp # Service Meter
nsc-ccs 2604/tcp ospfd # NSC CCS
nsc-ccs 2604/udp # NSC CCS
nsc-posa 2605/tcp bgpd # NSC POSA
nsc-posa 2605/udp # NSC POSA
netmon 2606/tcp ospf6d # Dell Netmon
netmon 2606/udp # Dell Netmon
corbaloc 2809/tcp # CORBA naming service locator
icpv2 3130/tcp # Internet Cache Protocol V2 (Squid)
icpv2 3130/udp # Internet Cache Protocol V2 (Squid)
mysql 3306/tcp # MySQL
mysql 3306/udp # MySQL
trnsprntproxy 3346/tcp # Trnsprnt Proxy
trnsprntproxy 3346/udp # Trnsprnt Proxy
rwhois 4321/tcp # Remote Who Is
rwhois 4321/udp # Remote Who Is
krb524 4444/tcp # Kerberos 5 to 4 ticket xlator
krb524 4444/udp # Kerberos 5 to 4 ticket xlator
rfe 5002/tcp # Radio Free Ethernet
rfe 5002/udp # Actually uses UDP only
cfengine 5308/tcp # CFengine
cfengine 5308/udp # CFengine
cvsup 5999/tcp CVSup # CVSup file transfer/John Polstra/FreeBSD
cvsup 5999/udp CVSup # CVSup file transfer/John Polstra/FreeBSD
x11 6000/tcp X # the X Window System
afs3-fileserver 7000/tcp # file server itself
afs3-fileserver 7000/udp # file server itself
afs3-callback 7001/tcp # callbacks to cache managers
afs3-callback 7001/udp # callbacks to cache managers
afs3-prserver 7002/tcp # users & groups database
afs3-prserver 7002/udp # users & groups database
afs3-vlserver 7003/tcp # volume location database
afs3-vlserver 7003/udp # volume location database
afs3-kaserver 7004/tcp # AFS/Kerberos authentication service
afs3-kaserver 7004/udp # AFS/Kerberos authentication service
afs3-volser 7005/tcp # volume managment server
afs3-volser 7005/udp # volume managment server
afs3-errors 7006/tcp # error interpretation service
afs3-errors 7006/udp # error interpretation service
afs3-bos 7007/tcp # basic overseer process
afs3-bos 7007/udp # basic overseer process
afs3-update 7008/tcp # server-to-server updater
afs3-update 7008/udp # server-to-server updater
afs3-rmtsys 7009/tcp # remote cache manager service
afs3-rmtsys 7009/udp # remote cache manager service
sd 9876/tcp # Session Director
sd 9876/udp # Session Director
amanda 10080/tcp # amanda backup services
amanda 10080/udp # amanda backup services
pgpkeyserver 11371/tcp # PGP/GPG public keyserver
pgpkeyserver 11371/udp # PGP/GPG public keyserver
h323callsigalt 11720/tcp # H323 Call Signal Alternate
h323callsigalt 11720/udp # H323 Call Signal Alternate
bprd 13720/tcp # BPRD (VERITAS NetBackup)
bprd 13720/udp # BPRD (VERITAS NetBackup)
bpdbm 13721/tcp # BPDBM (VERITAS NetBackup)
bpdbm 13721/udp # BPDBM (VERITAS NetBackup)
bpjava-msvc 13722/tcp # BP Java MSVC Protocol
bpjava-msvc 13722/udp # BP Java MSVC Protocol
vnetd 13724/tcp # Veritas Network Utility
vnetd 13724/udp # Veritas Network Utility
bpcd 13782/tcp # VERITAS NetBackup
bpcd 13782/udp # VERITAS NetBackup
vopied 13783/tcp # VOPIED Protocol
vopied 13783/udp # VOPIED Protocol
# This port is registered as wnn6, but also used under the unregistered name
# "wnn4" by the FreeWnn package.
wnn6 22273/tcp wnn4
wnn6 22273/ucp wnn4
quake 26000/tcp
quake 26000/udp
wnn6-ds 26208/tcp
wnn6-ds 26208/udp
traceroute 33434/tcp
traceroute 33434/udp
#
# Datagram Delivery Protocol services
#
rtmp 1/ddp # Routing Table Maintenance Protocol
nbp 2/ddp # Name Binding Protocol
echo 4/ddp # AppleTalk Echo Protocol
zip 6/ddp # Zone Information Protocol
#
# Kerberos (Project Athena/MIT) services
# Note that these are for Kerberos v4, and are unregistered/unofficial. Sites
# running v4 should uncomment these and comment out the v5 entries above.
#
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp # Kerberos authentication
passwd_server 752/udp # Kerberos passwd server
krbupdate 760/tcp kreg # Kerberos registration
kpop 1109/tcp # Pop with Kerberos
knetd 2053/tcp # Kerberos de-multiplexor
#
# Kerberos 5 services, also not registered with IANA
#
krb5_prop 754/tcp # Kerberos slave propagation
eklogin 2105/tcp # Kerberos encrypted rlogin
#
# Unregistered but necessary(?) (for NetBSD) services
#
supfilesrv 871/tcp # SUP server
supfiledbg 1127/tcp # SUP debugging
#
# Unregistered but useful/necessary other services
#
netstat 15/tcp # (was once asssigned, no more)
linuxconf 98/tcp # Linuxconf HTML access
poppassd 106/tcp # Eudora
poppassd 106/udp # Eudora
smtps 465/tcp # SMTP over SSL (TLS)
gii 616/tcp # gated interactive interface
omirr 808/tcp omirrd # online mirror
omirr 808/udp omirrd # online mirror
swat 901/tcp # Samba Web Administration Tool
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
skkserv 1178/tcp # SKK Japanese input method
xtel 1313/tcp # french minitel
support 1529/tcp prmsd gnatsd # GNATS, cygnus bug tracker
cfinger 2003/tcp # GNU Finger
ninstall 2150/tcp # ninstall service
ninstall 2150/udp # ninstall service
afbackup 2988/tcp # Afbackup system
afbackup 2988/udp # Afbackup system
squid 3128/tcp # squid web proxy
xlsmcm 3333/tcp # xlsmcm process
xlsmcm 3333/udp # xlsmcm process
prsvp 3455/tcp # RSVP Port
prsvp 3455/udp # RSVP Port
postgres 5432/tcp # POSTGRES
postgres 5432/udp # POSTGRES
fax 4557/tcp # FAX transmission service (old)
hylafax 4559/tcp # HylaFAX client-server protocol (new)
sgi-dgl 5232/tcp # SGI Distributed Graphics
sgi-dgl 5232/udp
noclog 5354/tcp # noclogd with TCP (nocol)
noclog 5354/udp # noclogd with UDP (nocol)
hostmon 5355/tcp # hostmon uses TCP (nocol)
hostmon 5355/udp # hostmon uses TCP (nocol)
canna 5680/tcp
x11-ssh-offset 6010/tcp # SSH X11 forwarding offset
ircd 6667/tcp # Internet Relay Chat
ircd 6667/udp # Internet Relay Chat
xfs 7100/tcp # X font server
tircproxy 7666/tcp # Tircproxy
snmp-traps 8002/udp # SNMP traps port
tomcat-exit 8005/tcp # Tomcat shutdown port
tomcat-exit 8005/udp # Tomcat shutdown port
http-alt 8008/tcp
http-alt 8008/udp
tomcat-ajp 8009/tcp # Tomcat AJP port
tomcat-ajp 8009/udp # Tomcat AJP port
tomcat-http 8080/tcp # Tomcat HTTP direct port
tomcat-http 8080/udp # Tomcat HTTP direct port
tproxy 8081/tcp # Transparent Proxy
tproxy 8081/udp # Transparent Proxy
snmp-agent 8161/tcp # SNMP agent running in GUI
snmp-agent 8161/udp # SNMP agent running in GUI
tomcat-https 8443/tcp # Tomcat HTTPS direct port
tomcat-https 8443/udp # Tomcat HTTPS direct port
jetdirect 9100/tcp laserjet hplj #
mandelspawn 9359/udp mandelbrot # network mandelbrot
kamanda 10081/tcp # amanda backup services (Kerberos)
kamanda 10081/udp # amanda backup services (Kerberos)
amandaidx 10082/tcp # amanda backup services
amidxtape 10083/tcp # amanda backup services
isdnlog 20011/tcp # isdn logging system
isdnlog 20011/udp # isdn logging system
vboxd 20012/tcp # voice box system
vboxd 20012/udp # voice box system
wnn4_Kr 22305/tcp # used by the kWnn package
wnn4_Cn 22289/tcp # used by the cWnn package
wnn4_Tw 22321/tcp # used by the tWnn package
binkp 24554/tcp # Binkley
binkp 24554/udp # Binkley
asp 27374/tcp # Address Search Protocol
asp 27374/udp # Address Search Protocol
tfido 60177/tcp # Ifmail
tfido 60177/udp # Ifmail
fido 60179/tcp # Ifmail
fido 60179/udp # Ifmail
# Local services
zebrasrv 2600/tcp # zebra service
zebra 2601/tcp # zebra vty
ripd 2602/tcp # RIPd vty
ripngd 2603/tcp # RIPngd vty
ospfd 2604/tcp # OSPFd vty
bgpd 2605/tcp # BGPd vty
ospf6d 2606/tcp # OSPF6d vty
./README.txt 0100666 0000770 0000770 00000011403 11464307412 011117 0 ustar xls xls This document describes the implementation of the upgrade package to enable security on the XLS.
+--------------------------------------------------------------------------------------------+
| Goals for the Package: |
| - enable SSH server for both login and file transfer using sftp client |
| - deploy updated /etc/services file for accurate netstat reporting |
| - open SSL/443 web port. |
| - close unused ports (eg: RPC server) |
+--------------------------------------------------------------------------------------------+
Files deployed are retreived from VSS under the 'linux' project and are as follows:
File Owner Group Mode Full Installed Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
services --owner=root --group=root --mode=444 /etc/services
time --owner=root --group=root --mode=444 /etc/xinetd.d/time
time-udp --owner=root --group=root --mode=444 /etc/xinetd.d/time-udp
telnet --owner=root --group=root --mode=444 /etc/xinetd.d/telnet
wu-ftpd --owner=root --group=root --mode=444 /etc/xinetd.d/wu-ftpd
sshd --owner=root --group=root --mode=555 /etc/init.d/sshd
sshd_config --owner=root --group=root --mode=400 /etc/ssh/sshd_config
server.xml --owner=xls --group=xls --mode=400 ${CATALINA_HOME}/conf/server.xml
keystore --owner=xls --group=xls --mode=400 ${CATALINA_HOME}/conf/ssl/keystore
workers.properties --owner=xls --group=xls --mode=444 ${CATALINA_HOME}/conf/jk/workers.properties
httpd --owner=root --group=root --mode=555 /etc/init.d/httpd
httpd.conf --owner=root --group=xls --mode=444 /etc/httpd/conf/httpd.conf
XLS.key --owner=root --group=root --mode=400 /etc/httpd/conf/ssl.key/XLS.key
XLS.crt --owner=root --group=root --mode=400 /etc/httpd/conf/ssl.crt/XLS.crt
eth0.conf --owner=root --group=xls --mode=664 /etc/httpd/conf/vhosts/eth0.conf
eth1.conf --owner=root --group=xls --mode=664 /etc/httpd/conf/vhosts/eth1.conf
localhost.conf --owner=root --group=xls --mode=664 /etc/httpd/conf/vhosts/localhost.conf
servername.conf --owner=root --group=xls --mode=664 /etc/httpd/conf/servername.conf
updateHttpServername --owner=xls --group=xls --mode=755 /xls/bin/updateHttpServername
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
With the above files, we should no longer be providing telnet or ftp services, only SSH. The file upload/download functionality can be accessed with a secure ftp client
such as filezilla or by the command line sftp. Also, the web server will be capable of doing SSL but until a new version of the webapp is
deployed (with a new web.xml deployment descriptor) the web application will not use secure connections.
+ Limitations
- We have decided to leave the telnet and ftp services on. Users can
- we use a UDP port to do interbox communication among XLS processes. This UDP ftp port has to remain open to facilitate multicabinet XLS's for the time being. The TCP port will be off.
- we use Apache httpd version 1.3.23, a quick google search reveals that this version is known to have many security holes that could be exploited.
- we use openssl 0.9.6b. This also has known issues, google will show code examples of programs that exploit this version.
- we use an older version of linux (redhat 7.3) that may also have security issues. This version is end-of-life (and has been for a number of years).
- we use apache tomcat 5.0.12. This was a beta version of tomcat, never officially released and has many known bugs/problems. See e.g. http://tomcat.apache.org/security-5.html
+ Services that are turned off by this release:
- lpd
- ntpd
- netfs
- nfslock
- portmap
./sshd 0100644 0000770 0000770 00000005127 11502514032 010276 0 ustar xls xls #!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
# Create keys if necessary
do_rsa1_keygen
do_rsa_keygen
do_dsa_keygen
echo -n $"Starting $prog:"
initlog -c "$SSHD $OPTIONS" && success || failure
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
echo
}
stop()
{
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
echo
}
reload()
{
echo -n $"Reloading $prog:"
killproc $SSHD -HUP
RETVAL=$?
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
reload)
reload
;;
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
stop
# avoid race
sleep 3
start
fi
fi
;;
status)
status $SSHD
RETVAL=$?
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
RETVAL=1
esac
exit $RETVAL
./telnet 0100644 0000770 0000770 00000000461 11502514032 010624 0 ustar xls xls # default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
./gather_files.sh 0100775 0000770 0000770 00000003707 11502513562 012420 0 ustar xls xls #!/bin/bash
# This script only gets called to copy the files into the release package, IE does NOT get
# called during the actual installation. Just a little convenience helper for me to
# re-gather all the files I need and undos them
XINETD_FILES="telnet.on telnet.off wu-ftpd.on wu-ftpd.off telnet wu-ftpd time time-udp"
HTTPD_FILES="httpd.conf eth0.conf eth1.conf localhost.conf servername.conf httpd XLS.key XLS.crt"
SSH_FILES="sshd sshd_config"
TOMCAT_FILES="server.xml workers.properties"
MISC_FILES="services resolv.conf"
# files to be gathered up:
FILES="${XINETD_FILES} ${HTTPD_FILES} ${SSH_FILES} ${TOMCAT_FILES} ${MISC_FILES}"
SANDBOX=/home/xls/sandbox
LINUX_DIR=${SANDBOX}/linux
PACKAGE_DIR=/home/xls/release/SecureXLS
INSTALL=/usr/bin/install
INSTALL_OPTS="-v -v"
echo "Gathering files..."
for file in ${FILES}
do
${INSTALL} ${INSTALL_OPTS} --mode=644 ${LINUX_DIR}/${file} ${PACKAGE_DIR}
undos -s ${PACKAGE_DIR}/${file} > /dev/null 2>&1
touch ${PACKAGE_DIR}/${file}
done;
${INSTALL} ${INSTALL_OPTS} --mode=644 ${LINUX_DIR}/keystore ${PACKAGE_DIR}
${INSTALL} ${INSTALL_OPTS} --mode=755 ${LINUX_DIR}/libssl.so ${PACKAGE_DIR}
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/Build/release/xlsexec ${PACKAGE_DIR}
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/LibraryController/scripts/upgrade ${PACKAGE_DIR}; undos -s ./upgrade
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/LibraryController/install/extra_scripts/tun ${PACKAGE_DIR}; undos -s ./tun
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/LibraryController/scripts/updateHttpServername ${PACKAGE_DIR}; undos -s ./updateHttpServername
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/LibraryController/scripts/diag/telnet_enable ${PACKAGE_DIR}; undos -s ./telnet_enable
${INSTALL} ${INSTALL_OPTS} --mode=555 /home/xls/sandbox/LibraryController/scripts/diag/telnet_disable ${PACKAGE_DIR}; undos -s ./telnet_disable
./wu-ftpd 0100644 0000770 0000770 00000000630 11502514032 010715 0 ustar xls xls # default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
# disable to help make the XLS epsilon more secure. yes - that is a math joke
service ftp
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION
nice = 10
disable = no
}
./httpd.conf 0100644 0000770 0000770 00000147550 11502514032 011413 0 ustar xls xls # Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /etc/httpd/conf/srm.conf and then /etc/httpd/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
# 2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
# 3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo.log".
#
### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#
#
# ServerType is either inetd, or standalone. Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE! If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at );
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/httpd"
#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
LockFile /var/run/httpd.lock
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /var/run/httpd.pid
#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file will be created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile logs/apache_runtime_status
#
# In the standard configuration, the server will process httpd.conf (this
# file, specified by the -f command line option), srm.conf, and access.conf
# in that order. The latter two files are now distributed empty, as it is
# recommended that all directives be kept in a single file for simplicity.
# The commented-out values below are the built-in defaults. You can have the
# server ignore these files altogether by using "/dev/null" (for Unix) or
# "nul" (for Win32) for the arguments to the directives.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
#
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
#
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. The default values are probably OK for most sites.
#
MinSpareServers 5
MaxSpareServers 20
#
# Number of servers to start initially --- should be a reasonable ballpark
# figure.
#
StartServers 8
#
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# the system with it as it spirals down...
#
MaxClients 150
#
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies. The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For these platforms, set to something like 10000
# or so; a setting of 0 means unlimited.
#
# NOTE: This value does not include keepalive requests after the initial
# request per connection. For example, if a child process handles
# an initial request and 10 subsequent "keptalive" requests, it
# would only count as 1 request towards this limit.
#
MaxRequestsPerChild 1000
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the
# directive.
#
Listen 80
#
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the and Listen directives.
#
#BindAddress *
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Please read the file http://httpd.apache.org/docs/dso.html for more
# details about the DSO mechanism and run `httpd -l' for the list of already
# built-in (statically linked and thus always available) modules in your httpd
# binary.
#
# Note: The order in which modules are loaded is important. Don't change
# the order below without expert advice.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#LoadModule mmap_static_module modules/mod_mmap_static.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule bandwidth_module modules/mod_bandwidth.so
LoadModule throttle_module modules/mod_throttle.so
LoadModule env_module modules/mod_env.so
LoadModule config_log_module modules/mod_log_config.so
LoadModule agent_log_module modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule includes_module modules/mod_include.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule asis_module modules/mod_asis.so
LoadModule imap_module modules/mod_imap.so
LoadModule action_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule anon_auth_module modules/mod_auth_anon.so
LoadModule db_auth_module modules/mod_auth_db.so
#LoadModule auth_any_module modules/mod_auth_any.so
#LoadModule dbm_auth_module modules/mod_auth_dbm.so
#LoadModule auth_ldap_module modules/mod_auth_ldap.so
#LoadModule mysql_auth_module modules/mod_auth_mysql.so
#LoadModule auth_pgsql_module modules/mod_auth_pgsql.so
#LoadModule digest_module modules/mod_digest.so
#LoadModule proxy_module modules/libproxy.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule example_module modules/mod_example.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
# Do not load perl, we don't need it.
#LoadModule perl_module modules/libperl.so
#LoadModule php_module modules/mod_php.so
#LoadModule php3_module modules/libphp3.so
#LoadModule php4_module modules/libphp4.so
#LoadModule dav_module modules/libdav.so
#LoadModule roaming_module modules/mod_roaming.so
LoadModule ssl_module modules/libssl.so
#LoadModule put_module modules/mod_put.so
#LoadModule python_module modules/mod_python.so
# The jk_module we need for XLS. This is the module that allows
# httpd to forward requests along to Tomcat:
LoadModule jk_module modules/mod_jk.so
# Reconstruction of the complete module list from all available modules
# (static and shared ones) to achieve correct module execution order.
# [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
#AddModule mod_mmap_static.c
AddModule mod_vhost_alias.c
AddModule mod_bandwidth.c
AddModule mod_throttle.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
#AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
#AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
#AddModule mod_auth_any.c
#AddModule mod_auth_dbm.c
#AddModule auth_ldap.c
#AddModule mod_auth_mysql.c
#AddModule mod_auth_pgsql.c
#AddModule mod_digest.c
#AddModule mod_proxy.c
#AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
#AddModule mod_usertrack.c
#AddModule mod_example.c
#AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
#AddModule mod_perl.c
#AddModule mod_php.c
#AddModule mod_php3.c
#AddModule mod_php4.c
#AddModule mod_dav.c
#AddModule mod_roaming.c
AddModule mod_ssl.c
#AddModule mod_put.c
#AddModule mod_python.c
AddModule mod_jk.c
JkWorkersFile "/usr/jakarta-tomcat-5.0.12/conf/jk/workers.properties"
#JkLogFile "/etc/httpd/logs/mod_jk.log"
#JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
JkMount /* ajp13
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
#ExtendedStatus On
### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# definition. These values also provide defaults for
# any containers you may define later in the file.
#
# All of these directives may appear inside containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# If your ServerType directive (set earlier in the 'Global Environment'
# section) is set to "inetd", the next few directives don't have any
# effect since their settings are defined by the inetd configuration.
# Skip ahead to the ServerAdmin directive.
#
#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80
##
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
Listen 443
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group "#-1" on these systems!
#
User apache
Group apache
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents.
#
ServerAdmin root@localhost
#
# ServerName allows you to set a host name which is sent back to clients for
# your server if it's different than the one the program would get (i.e., use
# "www" instead of the host's real name).
#
# Note: You cannot just invent host names and hope they work. The name you
# define here must be a valid DNS name for your host. If you don't understand
# this, ask your network administrator.
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address (e.g., http://123.45.67.89/)
# anyway, and this will make redirections work in a sensible way.
#
# 127.0.0.1 is the TCP/IP local loop-back address, often named localhost. Your
# machine always knows itself by this address. If you use Apache strictly for
# local testing and development, you may use 127.0.0.1 as the server name.
Include /etc/httpd/conf/servername.conf
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
Options FollowSymLinks
AllowOverride None
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# This should be changed to whatever you set DocumentRoot to.
#
#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
Options Indexes FollowSymLinks
#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
#
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
#
# UserDir public_html
#
#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#
# Order allow,deny
# Allow from all
#
#
# Order deny,allow
# Deny from all
#
#
#
# DirectoryIndex: Name of the file or files to use as a pre-written HTML
# directory index. Separate multiple entries with spaces.
#
DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.phtml index.cgi
#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess files from being viewed by
# Web clients. Since .htaccess files often contain authorization
# information, access is disallowed for security reasons. Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files. If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
Order allow,deny
Deny from all
Satisfy All
#
# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
#
#CacheNegotiatedDocs
#
# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
# Apache needs to construct a self-referencing URL (a URL that refers back
# to the server the response is coming from) it will use ServerName and
# Port to form a "canonical" name. With this setting off, Apache will
# use the hostname:port that the client supplied, when possible. This
# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
#
UseCanonicalName Off
#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types
#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
# mod_mime_magic is not part of the default server (you have to add
# it yourself with a LoadModule [see the DSO paragraph in the 'Global
# Environment' section], or recompile the server and include mod_mime_magic
# as part of the configuration), so it's enclosed in an container.
# This means that the MIMEMagicFile directive will only be processed if the
# module is part of the server.
#
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
#ErrorLog logs/error_log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel info
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a
# container, they will be logged here. Contrariwise, if you *do*
# define per- access logfiles, transactions will be
# logged therein and *not* in this file.
#
# CustomLog /var/log/httpd/access_log common
CustomLog logs/access_log combined
#
# If you would like to have agent and referer logfiles, uncomment the
# following directives.
#
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog logs/access_log combined
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature On
# do not advertise our version, only apache:
#ServerTokens Full
ServerTokens Prod
# EBCDIC configuration:
# (only for mainframes using the EBCDIC codeset, currently one of:
# Fujitsu-Siemens' BS2000/OSD, IBM's OS/390 and IBM's TPF)!!
# The following default configuration assumes that "text files"
# are stored in EBCDIC (so that you can operate on them using the
# normal POSIX tools like grep and sort) while "binary files" are
# stored with identical octets as on an ASCII machine.
#
# The directives are evaluated in configuration file order, with
# the EBCDICConvert directives applied before EBCDICConvertByType.
#
# If you want to have ASCII HTML documents and EBCDIC HTML documents
# at the same time, you can use the file extension to force
# conversion off for the ASCII documents:
# > AddType text/html .ahtml
# > EBCDICConvert Off=InOut .ahtml
#
# EBCDICConvertByType On=InOut text/* message/* multipart/*
# EBCDICConvertByType On=In application/x-www-form-urlencoded
# EBCDICConvertByType On=InOut application/postscript model/vrml
# EBCDICConvertByType Off=InOut */*
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
Alias /icons/ "/var/www/icons/"
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
# This Alias will project the on-line documentation tree under /manual/
# even if you change the DocumentRoot. Comment it if you don't want to
# provide access to the on-line documentation.
#
# Alias /manual/ "/etc/httpd/htdocs/manual/"
#
#
# Options Indexes FollowSymlinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
#
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
AllowOverride None
Options None
Order allow,deny
Allow from all
# End of aliases.
#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
RewriteEngine Off
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
#
# Directives controlling the display of server-generated directory listings.
#
#
# FancyIndexing is whether you want fancy directory indexing or standard
#
IndexOptions FancyIndexing NameWidth=*
#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions. These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif
#
# AddDescription allows you to place a short description after a file in
# server-generated indexes. These are only displayed for FancyIndexed
# directories.
# Format: AddDescription "description" filename
#
#AddDescription "GZIP compressed document" .gz
#AddDescription "tar archive" .tar
#AddDescription "GZIP compressed tar archive" .tgz
#
# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
#
# If MultiViews are amongst the Options in effect, the server will
# first look for name.html and include it if found. If name.html
# doesn't exist, the server will then look for name.txt and include
# it as plaintext if found.
#
ReadmeName README
HeaderName HEADER
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
# End of indexing directives.
#
# Document types.
#
#
# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
#
# AddLanguage allows you to specify the language of a document. You can
# then use content negotiation to give a browser a file in a language
# it can understand.
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in quite
# some cases the two character 'Language' abbreviation is not
# identical to the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. But there is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Danish (da) - Dutch (nl) - English (en) - Estonian (ee)
# French (fr) - German (de) - Greek-Modern (el)
# Italian (it) - Korean (kr) - Norwegian (no) - Norwegian Nynorsk (nn)
# Portugese (pt) - Luxembourgeois* (ltz)
# Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz)
# Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja)
# Russian (ru)
#
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage he .he
AddCharset ISO-8859-8 .iso8859-8
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage kr .kr
AddCharset ISO-2022-KR .iso-kr
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt-br
AddLanguage ltz .lu
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage zh-tw .tw
AddLanguage tw .tw
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251
AddCharset CP866 .cp866
AddCharset ISO-8859-5 .iso-ru
AddCharset KOI8-R .koi8-r
AddCharset UCS-2 .ucs2
AddCharset UCS-4 .ucs4
AddCharset UTF-8 .utf8
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
#
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
#
# These types cause httpd to let the PHP interpreter handle files with
# the specified extensions.
#
AddType application/x-httpd-php .php .php4 .php3 .phtml
AddType application/x-httpd-php-source .phps
AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps
AddType application/x-httpd-php .phtml
#
# AddHandler allows you to map certain file extensions to "handlers",
# actions unrelated to filetype. These can be either built into the server
# or added with the Action command (see below)
#
# If you want to use server side includes, or CGI outside
# ScriptAliased directories, uncomment the following lines.
#
# To use CGI scripts:
#
#AddHandler cgi-script .cgi
#
# To use server-parsed HTML files
#
AddType text/html .shtml
AddHandler server-parsed .shtml
#
# Uncomment the following line to enable Apache's send-asis HTTP file
# feature
#
#AddHandler send-as-is asis
#
# If you wish to use server-parsed imagemap files, use
#
AddHandler imap-file map
#
# To enable type maps, you might want to use
#
#AddHandler type-map var
# End of document types.
#
# Action lets you define media types that will execute a script whenever
# a matching file is called. This eliminates the need for repeated URL
# pathnames for oft-used CGI file processors.
# Format: Action media/type /cgi-script/location
# Format: Action handler-name /cgi-script/location
#
#
# MetaDir: specifies the name of the directory in which Apache can find
# meta information files. These files contain additional HTTP headers
# to include when sending the document
#
#MetaDir .web
#
# MetaSuffix: specifies the file name suffix for the file containing the
# meta information.
#
#MetaSuffix .meta
#
# Customizable error response (Apache style)
# these come in three flavors
#
# 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the single leading (") marks it as text, it does not get output
#
# 2) local redirects
#ErrorDocument 404 /missing.html
# to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# N.B.: You can redirect to a script or a document using server-side-includes.
#
# 3) external redirects
#ErrorDocument 402 http://some.other-server.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original
# request will *not* be available to such a script.
#
# Customize behaviour based on the browser
#
Alias /errordocs /usr/local/apache/errordocs
AllowOverride none
Options MultiViews IncludesNoExec FollowSymLinks
AddType text/html .shtml
AddHandler server-parsed .shtml
# "500 Internal Server Error",
ErrorDocument 500 /errordocs/500
#
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
#
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to grok a
# basic 1.1 response.
#
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# End of browser customization directives
#
# If the perl module is installed, this will allow execution of mod_perl
# to compile your scripts to subroutines which it will execute directly,
# avoiding the costly compile process for most requests.
#
#
# Alias /perl /var/www/perl
#
# SetHandler perl-script
# PerlHandler Apache::Registry
# Options +ExecCGI
#
#
#
# Allow http put (such as Netscape Gold's publish feature)
# Use htpasswd to generate /etc/httpd/conf/passwd.
#
#
# Alias /upload /tmp
#
# EnablePut On
# AuthType Basic
# AuthName Temporary
# AuthUserFile /etc/httpd/conf/passwd
# EnableDelete Off
# umask 007
#
# require valid-user
#
#
#
#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your-domain.com" to match your domain to enable.
#
#
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
# Change the ".your-domain.com" to match your domain to enable.
#
#
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#
#
# Allow access to local system documentation from localhost
#
Alias /doc/ /usr/share/doc/
order deny,allow
deny from all
allow from localhost .localdomain
Options Indexes FollowSymLinks
#
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#
#
# Deny from all
# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#
#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#
# ProxyRequests On
#
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
# ProxyVia On
#
# To enable the cache as well, edit and uncomment the following lines:
# (no caching without CacheRoot)
#
# CacheRoot "/var/cache/httpd"
# CacheSize 5
# CacheGcInterval 4
# CacheMaxExpire 24
# CacheLastModifiedFactor 0.1
# CacheDefaultExpire 1
# NoCache a-domain.com another-domain.edu joes.garage-sale.com
#
# End of proxy directives.
### Section 3: Virtual Hosts
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
# Use name-based virtual hosting.
#
#NameVirtualHost *
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
#
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
#
#
#
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:logs/ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog logs/ssl_engine_log
SSLLogLevel error
##
## SSL Virtual Host Context
##
# General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName new.host.name
#ServerAdmin you@your.address
#ErrorLog logs/error_log
#TransferLog logs/access_log
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
JkMount /* ajp13
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
#SSLCertificateFile /etc/httpd/conf/ssl.crt/XLS.pem
SSLCertificateFile /etc/httpd/conf/ssl.crt/XLS.crt
#SSLCertificateFile /etc/httpd/conf/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/XLS.key
#SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/httpd/conf/ssl.crt
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/httpd/conf/ssl.crl
#SSLCARevocationFile /etc/httpd/conf/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars +ExportCertData
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# This next group of IfDefines allow us to
# configure interfaces separate from this
# main file. The defines should get set in
# /etc/init.d/httpd with lines like -DHAVE_ETH0_CONFIG
# similar to how that same file loads the
# various modules. The idea is that we might not have
# those files for some reason and we shouldn't try including them
# if they aren't there.
Include /etc/httpd/conf/vhosts/eth0.conf
Include /etc/httpd/conf/vhosts/eth1.conf
Include /etc/httpd/conf/vhosts/localhost.conf
./server.xml 0100644 0000770 0000770 00000014322 11502514032 011437 0 ustar xls xls
factory
org.apache.catalina.users.MemoryUserDatabaseFactory
pathname
conf/tomcat-users.xml
./sshd_config 0100644 0000770 0000770 00000004740 11502514032 011623 0 ustar xls xls # $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
./workers.properties 0100644 0000770 0000770 00000000135 11502514032 013216 0 ustar xls xls worker.list=ajp13
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
./tun 0100555 0000770 0000770 00000002150 11502514032 010135 0 ustar xls xls # this script provides Qualstar a way to gain root access to a box in the field.
# The idea is that /xls/bin/tun was a process that needed
# to be run as root, and as such the system was configured to allow sudo to run
# the command /xls/bin/tun as root. Since we don't actually use tun anymore,
# we can put a script called tun (this one) in it's place, and give it an argument.
# so basically this script runs a command you give it as root
#
# Example usage: sudo tun ./somescriptthatneedstoberunasroot
#
# this will simply call somescriptthatneedstoberunasroot, but as root!
if [ $# -ne 1 ]
then
echo "***ERROR****** You must supply exactly 1 argument. Aborting."
exit 1
fi
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
echo "***********************************************************************"
echo "Starting the tun script."
script=$1
if [ -x $script ]
then
echo "Executing command: $script "
$script
else
echo "NOT Executing command: $script - not a executable file"
fi
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
./httpd 0100644 0000770 0000770 00000005227 11502514032 010461 0 ustar xls xls #!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /etc/httpd/conf/access.conf
# config: /etc/httpd/conf/httpd.conf
# config: /etc/httpd/conf/srm.conf
# Source function library.
. /etc/rc.d/init.d/functions
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/sbin/apachectl
httpd=/usr/sbin/httpd
prog=httpd
RETVAL=0
# Find the installed modules and convert their names into arguments httpd
# can use.
moduleargs() {
moduledir=/usr/lib/apache
moduleargs=`
/usr/bin/find ${moduledir} -type f -perm -0100 -name "*.so" | env -i tr '[:lower:]' '[:upper:]' | awk '{\
gsub(/.*\//,"");\
gsub(/^MOD_/,"");\
gsub(/^LIB/,"");\
gsub(/\.SO$/,"");\
print "-DHAVE_" $0}'`
echo ${moduleargs}
}
xlsconfigargs() {
XLSARGS=""
if [ -f /etc/httpd/conf/vhosts/eth0.conf ]; then
XLSARGS="${XLSARGS} -DHAVE_ETH0_CONFIG "
fi
if [ -f /etc/httpd/conf/vhosts/eth1.conf ]; then
XLSARGS="${XLSARGS} -DHAVE_ETH1_CONFIG "
fi
if [ -f /etc/httpd/conf/vhosts/localhost.conf ]; then
XLSARGS="${XLSARGS} -DHAVE_LOCALHOST_CONFIG "
fi
if [ -f /etc/httpd/conf/servername.conf ]; then
XLSARGS="${XLSARGS} -DHAVE_SERVERNAME_CONFIG "
fi
echo ${XLSARGS}
}
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
daemon $httpd `moduleargs` `xlsconfigargs` $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch /var/lock/subsys/httpd
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
killproc $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd /var/run/httpd.pid
}
reload() {
echo -n $"Reloading $prog: "
killproc $httpd -HUP
RETVAL=$?
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f /var/run/httpd.pid ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
exit 1
esac
exit $RETVAL
./time 0100644 0000770 0000770 00000000501 11502514032 010262 0 ustar xls xls # default: off
# description: An RFC 868 time server. This is the tcp \
# version, which is used by rdate.
service time
{
type = INTERNAL
id = time-stream
socket_type = stream
protocol = tcp
user = root
wait = no
disable = yes
}
./time-udp 0100644 0000770 0000770 00000000475 11502514032 011062 0 ustar xls xls # default: off
# description: An RFC 868 time server. This is the udp \
# version.
service time
{
type = INTERNAL UNLISTED
id = time-dgram
socket_type = dgram
protocol = udp
user = root
wait = yes
disable = yes
port = 37
}
./localhost.conf 0100644 0000770 0000770 00000000217 11502514032 012244 0 ustar xls xls # This config file sets the virtual host for httpd and is the default one
ServerName 127.0.0.1
./restart_services.sh 0100755 0000770 0000770 00000002062 11466625706 013357 0 ustar xls xls #!/bin/bash
##########################################################################################
# Use chkconfig to enable/disable various daemons/services on the XLS:
CHKCONFIG=/sbin/chkconfig
${CHKCONFIG} --levels 0123456 lpd off
${CHKCONFIG} --levels 0123456 ntpd off
${CHKCONFIG} --levels 0123456 netfs off
${CHKCONFIG} --levels 0123456 nfslock off
${CHKCONFIG} --levels 0123456 portmap off
${CHKCONFIG} --levels 2345 sshd on
${CHKCONFIG} --list
##########################################################################################
# Now we should restart anything that might have changed (or stop things that need to be stopped)
SERVICE=/sbin/service
${SERVICE} xinetd reload
${SERVICE} sshd restart
${SERVICE} httpd restart
${SERVICE} lpd stop
${SERVICE} ntpd stop
${SERVICE} netfs stop
${SERVICE} nfslock stop
${SERVICE} portmap stop
# note: need a restart, not just reload, for httpd for SSL settings to work
# We also need to restart tomcat here...
su - xls -c "/xls/bin/xlsinit -verbose 5 -restart luip"
./install_files.sh 0100755 0000770 0000770 00000011215 11502514026 012577 0 ustar xls xls #!/bin/bash
########################################################
# #
# Install the various files we need in our system! #
# #
########################################################
CATALINA_HOME=/usr/jakarta-tomcat-5.0.12
INSTALL=/usr/bin/install
INSTALL_OPTS="-v -v -D"
SUDO=/usr/bin/sudo
#####################################################################################################################
# services file:
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=444 ./services /etc/services
# xinetd configs
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=444 ./time /etc/xinetd.d/time
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=444 ./time-udp /etc/xinetd.d/time-udp
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./telnet /etc/xinetd.d/telnet
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./wu-ftpd /etc/xinetd.d/wu-ftpd
# SSHD config files/scripts
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=555 ./sshd /etc/init.d/sshd
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=400 ./sshd_config /etc/ssh/sshd_config
# Tomcat configuration files
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=400 ./server.xml ${CATALINA_HOME}/conf/server.xml
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=400 ./keystore ${CATALINA_HOME}/conf/ssl/keystore
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=444 ./workers.properties ${CATALINA_HOME}/conf/jk/workers.properties
# HTTPD configuration files
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=555 ./httpd /etc/init.d/httpd
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=755 -C ./libssl.so /etc/httpd/modules/libssl.so
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=444 ./httpd.conf /etc/httpd/conf/httpd.conf
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=400 ./XLS.key /etc/httpd/conf/ssl.key/XLS.key
${INSTALL} ${INSTALL_OPTS} --owner=root --group=root --mode=400 ./XLS.crt /etc/httpd/conf/ssl.crt/XLS.crt
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=444 ./eth0.conf /etc/httpd/conf/vhosts/eth0.conf.orig
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=444 ./eth1.conf /etc/httpd/conf/vhosts/eth1.conf.orig
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=444 ./localhost.conf /etc/httpd/conf/vhosts/localhost.conf.orig
${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=444 ./servername.conf /etc/httpd/conf/servername.conf.orig
[ ! -f /etc/httpd/conf/vhosts/eth0.conf ] && ${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./eth0.conf /etc/httpd/conf/vhosts/eth0.conf
[ ! -f /etc/httpd/conf/vhosts/eth1.conf ] && ${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./eth1.conf /etc/httpd/conf/vhosts/eth1.conf
[ ! -f /etc/httpd/conf/vhosts/localhost.conf ] && ${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./localhost.conf /etc/httpd/conf/vhosts/localhost.conf
[ ! -f /etc/httpd/conf/servername.conf ] && ${INSTALL} ${INSTALL_OPTS} --owner=root --group=xls --mode=664 ./servername.conf /etc/httpd/conf/servername.conf
# XLS scripts/files:
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=555 ./telnet_enable /xls/diag/telnet_enable
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=555 ./telnet_disable /xls/diag/telnet_disable
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=555 ./updateHttpServername /xls/bin/updateHttpServername
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=555 ./upgrade /xls/bin/upgrade
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=555 ./xlsexec /xls/bin/xlsexec
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=444 ./telnet.on /etc/xls/conf/telnet.on
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=444 ./telnet.off /etc/xls/conf/telnet.off
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=444 ./wu-ftpd.on /etc/xls/conf/wu-ftpd.on
${INSTALL} ${INSTALL_OPTS} --owner=xls --group=xls --mode=444 ./wu-ftpd.off /etc/xls/conf/wu-ftpd.off
/bin/chmod 555 /etc/httpd/conf/vhosts
/bin/chmod 770 /etc/xls/conf
/bin/chown xls:xls /etc/xls/conf
./keystore 0100644 0000770 0000770 00000002614 11502514032 011200 0 ustar xls xls qualstar +Q 00
+* {E4ٳSyuH)A*mF{ǓD92Ɠ/X*(ׇSfv|"'51f6FÕϔ ݥp:3~?$R?֤XdKۊu;Ons."2ş/iv]]Kmy%.\<2҂L5P7;@#4Á;7,W^B&Jt+[I['Q,79v],.o!a0ղHHD3