Core of Metadistros-based distributions

Author: Sergio González González

HispaLinux, Spain

Abstract

Topics to be covered at the first Metadistros developers' meeting concerning the metadistros core. The core is understood here as everything comprising the base system, the extended system, and the packages that will form the basis of the console and/or graphical environment.


Table of contents

1. Introduction
2. Kernel for metadistros
2.1. Configuration differences
2.2. Kernel for desktop systems
2.3. Kernel for servers
2.4. Common patches
3. Divisions of the metadistros core
3.1. metadistros-nucleo-sb
3.2. metadistros-nucleo-se
3.3. metadistros-nucleo-i18n-es
4. Proposed changes to the default Debian configuration
4.1. Using shadow passwords and md5 passwords
4.2. Localizing the system for Spanish with euro support (eurocastellanizar)
4.3. Removing non-essential services from /etc/inetd.conf
4.4. Possible options for /etc/fstab
4.5. /etc/apt/apt.conf
4.6. /etc/console-tools/config
4.7. /etc/dpkg/dselect.cfg
4.8. /etc/network/
4.9. PAM
4.10. /etc/security/limits.conf
4.11. /etc/ssh/
4.12. /etc/group
4.13. /etc/hosts.allow
4.14. /etc/hosts.deny
4.15. /etc/inittab
4.16. /etc/issue, /etc/issue.net and /etc/motd
4.17. /etc/sysctl.conf
5. BlueSock proposals
5.1. BlueSock partitioner
5.2. Use of XML for different parts of the distribution
6. Differences between installation via Debootstrap and the traditional installation
7. About this document

1. Introduction

This document shows the state of the metadistros core as of 12 April 2003, together with the proposals for its development. The aim is simply to discuss and reach the agreements needed to continue its development.

Before continuing, we must distinguish between the metadistros core, as a distribution, and the core of the operating system, which we will call the kernel:

Note

The metadistros core consists of a Base System (SBM) (which matches the Debian base system), an Extended System (SEM), and the packages that will form the basis of a console-based environment or a graphical system.

Note

The core of the operating system, from here on the kernel, is currently none other than Linux. This does not rule out other kernels, different from Linux, being integrated into metadistros in the future. The kernel would be part of the SBM.

A diagram of everything described above can be seen in the proposed structure for metadistros:

[Figure: Structure of metadistros]

2. Kernel for metadistros

Two kernels are currently available: one for desktop systems and one for servers. Both are based on Linux 2.4.20; what sets them apart is the patches applied and their configuration. The details follow.

2.1. Configuration differences

The kernel configuration varies depending on whether it is intended for servers or for desktop environments. The main differences are that desktop systems will not have multiprocessor support and that the grsecurity configuration is less restrictive than for servers.

Below is the output of the command:

# diff -u 2.4.20.metadistros-servidor.conf 2.4.20.metadistros-usuario.conf

where 2.4.20.metadistros-servidor.conf is the file holding the configuration for server kernels and 2.4.20.metadistros-usuario.conf is the configuration for desktop kernels.


--- 2.4.20.metadistros-servidor.conf	2003-04-13 20:33:54.000000000 +0200
+++ 2.4.20.metadistros-usuario.conf	2003-04-13 20:38:44.000000000 +0200
@@ -20,6 +20,8 @@
 #
 # Processor type and features
 #
+CONFIG_LOLAT=y
+CONFIG_LOLAT_SYSCTL=y
 CONFIG_M386=y
 # CONFIG_M486 is not set
 # CONFIG_M586 is not set
@@ -55,16 +57,18 @@
 # CONFIG_HIGHMEM is not set
 CONFIG_MATH_EMULATION=y
 CONFIG_MTRR=y
-CONFIG_SMP=y
-# CONFIG_MULTIQUAD is not set
+# CONFIG_SMP is not set
+CONFIG_PREEMPT=y
+CONFIG_X86_UP_APIC=y
+# CONFIG_X86_UP_IOAPIC is not set
+CONFIG_X86_LOCAL_APIC=y
 # CONFIG_X86_TSC_DISABLE is not set
 
 #
 # General setup
 #
+CONFIG_HZ=500
 CONFIG_NET=y
-CONFIG_X86_IO_APIC=y
-CONFIG_X86_LOCAL_APIC=y
 CONFIG_PCI=y
 # CONFIG_PCI_GOBIOS is not set
 # CONFIG_PCI_GODIRECT is not set
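Review bot: with CONFIG_SMP unset, the desktop side of this hunk drops CONFIG_X86_IO_APIC and leaves CONFIG_X86_UP_IOAPIC unset while still setting CONFIG_X86_UP_APIC=y, and CONFIG_PREEMPT=y and CONFIG_HZ=500 appear only on this side. The text above the diff mentions only the loss of multiprocessor support, so the IO-APIC, preemption and timer-frequency choices should be listed there as deliberate desktop differences, each with the patch that provides it.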
@@ -92,7 +96,6 @@
 CONFIG_HOTPLUG_PCI=m
 CONFIG_HOTPLUG_PCI_COMPAQ=m
 # CONFIG_HOTPLUG_PCI_COMPAQ_NVRAM is not set
-CONFIG_HOTPLUG_PCI_IBM=m
 # CONFIG_HOTPLUG_PCI_ACPI is not set
 CONFIG_SYSVIPC=y
 CONFIG_BSD_PROCESS_ACCT=y
@@ -103,7 +106,6 @@
 CONFIG_BINFMT_ELF=y
 CONFIG_BINFMT_MISC=m
 CONFIG_PM=y
-# CONFIG_ACPI is not set
 CONFIG_APM=m
 # CONFIG_APM_IGNORE_USER_SUSPEND is not set
 CONFIG_APM_DO_ENABLE=y
@@ -114,6 +116,11 @@
 # CONFIG_APM_REAL_MODE_POWER_OFF is not set
 
 #
+# ACPI Support
+#
+# CONFIG_ACPI is not set
+
+#
 # Memory Technology Devices (MTD)
 #
 # CONFIG_MTD is not set
@@ -176,6 +183,7 @@
 CONFIG_CISS_SCSI_TAPE=y
 CONFIG_BLK_DEV_DAC960=m
 CONFIG_BLK_DEV_UMEM=m
+# CONFIG_CDROM_PKTCDVD is not set
 CONFIG_BLK_DEV_LOOP=m
 CONFIG_BLK_DEV_NBD=m
 CONFIG_BLK_DEV_RAM=y
@@ -406,7 +414,7 @@
 CONFIG_IPSEC_ALG_BLOWFISH=m
 CONFIG_IPSEC_ALG_CAST=m
 CONFIG_IPSEC_ALG_CRYPTOAPI=m
-# CONFIG_IPSEC_ALG_NON_LIBRE is not set
+CONFIG_IPSEC_ALG_NON_LIBRE=y
 CONFIG_IPSEC_ALG_NULL=m
 CONFIG_IPSEC_ALG_SERPENT=m
 CONFIG_IPSEC_ALG_TWOFISH=m
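Review bot: CONFIG_IPSEC_ALG_NON_LIBRE=y is switched on only for the desktop kernel and nothing in the document explains why. Since the option name points at algorithms under non-free terms, document which algorithms it pulls in and whether a Debian-based distribution can redistribute them, or leave it unset as in the server configuration.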
@@ -512,7 +520,6 @@
 CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_SR_EXTRA_DEVS=2
 CONFIG_CHR_DEV_SG=m
-# CONFIG_SCSI_DEBUG_QUEUES is not set
 # CONFIG_SCSI_MULTI_LUN is not set
 CONFIG_SCSI_CONSTANTS=y
 # CONFIG_SCSI_LOGGING is not set
@@ -779,7 +786,7 @@
 CONFIG_NS83820=m
 CONFIG_HAMACHI=m
 CONFIG_YELLOWFIN=m
-CONFIG_SK98LIN=m
+# CONFIG_SK98LIN is not set
 CONFIG_TIGON3=m
 CONFIG_FDDI=y
 CONFIG_DEFXX=m
@@ -1266,7 +1273,7 @@
 CONFIG_INTEL_RNG=m
 CONFIG_AMD_PM768=m
 CONFIG_NVRAM=m
-CONFIG_RTC=y
+CONFIG_RTC=m
 CONFIG_DTLK=m
 CONFIG_R3964=m
 CONFIG_APPLICOM=m
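Review bot: CONFIG_RTC goes from y to m here, but the server file sets CONFIG_RTC=y a second time inside its Address Space Protection block (the "-CONFIG_RTC=y" line removed in the @@ -1831 hunk). A symbol that appears twice in one configuration file is easy to misread; drop the duplicate from the server file, and if the built-in RTC there is needed by the grsecurity options next to it, say so in the text.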
@@ -1380,6 +1387,7 @@
 CONFIG_REISERFS_FS=y
 # CONFIG_REISERFS_CHECK is not set
 # CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_SUPERMOUNT is not set
 CONFIG_ADFS_FS=m
 CONFIG_ADFS_FS_RW=y
 CONFIG_AFFS_FS=m
@@ -1550,8 +1558,9 @@
 CONFIG_FB_PM3=m
 CONFIG_FB_CYBER2000=m
 CONFIG_FB_VESA=y
+CONFIG_LPP=y
 CONFIG_FB_VGA16=m
-CONFIG_FB_HGA=m
+# CONFIG_FB_HGA is not set
 CONFIG_VIDEO_SELECT=y
 CONFIG_FB_MATROX=m
 CONFIG_FB_MATROX_MILLENIUM=y
@@ -1574,6 +1583,7 @@
 CONFIG_FB_VOODOO1=m
 CONFIG_FB_TRIDENT=m
 # CONFIG_FB_VIRTUAL is not set
+# CONFIG_FBCON_SPLASHSCREEN is not set
 CONFIG_FBCON_ADVANCED=y
 CONFIG_FBCON_MFB=m
 CONFIG_FBCON_CFB2=y
@@ -1809,9 +1819,6 @@
 CONFIG_MAGIC_SYSRQ=y
 # CONFIG_DEBUG_SPINLOCK is not set
 # CONFIG_FRAME_POINTER is not set
-# CONFIG_KDB is not set
-# CONFIG_KDB_MODULES is not set
-# CONFIG_KALLSYMS is not set
 
 #
 # Library routines
@@ -1831,22 +1838,12 @@
 #
 # Address Space Protection
 #
-CONFIG_GRKERNSEC_PAX_NOEXEC=y
-CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
-CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
-CONFIG_GRKERNSEC_PAX_EMUTRAMP=y
-CONFIG_GRKERNSEC_PAX_EMUSIGRT=y
-CONFIG_GRKERNSEC_PAX_MPROTECT=y
-CONFIG_GRKERNSEC_PAX_NOELFRELOCS=y
-CONFIG_GRKERNSEC_PAX_ASLR=y
-CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
-CONFIG_GRKERNSEC_PAX_RANDMMAP=y
-CONFIG_GRKERNSEC_PAX_RANDEXEC=y
-CONFIG_GRKERNSEC_KMEM=y
-CONFIG_GRKERNSEC_IO=y
-CONFIG_RTC=y
-CONFIG_GRKERNSEC_PROC_MEMMAP=y
-CONFIG_GRKERNSEC_HIDESYM=y
+# CONFIG_GRKERNSEC_PAX_NOEXEC is not set
+# CONFIG_GRKERNSEC_PAX_ASLR is not set
+# CONFIG_GRKERNSEC_KMEM is not set
+# CONFIG_GRKERNSEC_IO is not set
+# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
+# CONFIG_GRKERNSEC_HIDESYM is not set
 
 #
 # ACL options
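Review bot: in the Address Space Protection block the desktop side unsets every option (PAX_NOEXEC, PAX_ASLR, KMEM, IO, PROC_MEMMAP, HIDESYM), which goes further than the "less restrictive" grsecurity configuration the text announces. State for each option which desktop software it conflicts with and keep any option that has no known conflict; address randomization (CONFIG_GRKERNSEC_PAX_ASLR) and symbol hiding (CONFIG_GRKERNSEC_HIDESYM) are the first candidates to check.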
@@ -1861,49 +1858,33 @@
 CONFIG_GRKERNSEC_PROC=y
 # CONFIG_GRKERNSEC_PROC_USER is not set
 CONFIG_GRKERNSEC_PROC_USERGROUP=y
-CONFIG_GRKERNSEC_PROC_GID=2000
+CONFIG_GRKERNSEC_PROC_GID=2001
 CONFIG_GRKERNSEC_PROC_ADD=y
 CONFIG_GRKERNSEC_LINK=y
 CONFIG_GRKERNSEC_FIFO=y
-CONFIG_GRKERNSEC_CHROOT=y
-CONFIG_GRKERNSEC_CHROOT_MOUNT=y
-CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
-CONFIG_GRKERNSEC_CHROOT_PIVOT=y
-CONFIG_GRKERNSEC_CHROOT_CHDIR=y
-CONFIG_GRKERNSEC_CHROOT_CHMOD=y
-CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
-CONFIG_GRKERNSEC_CHROOT_MKNOD=y
-CONFIG_GRKERNSEC_CHROOT_SHMAT=y
-CONFIG_GRKERNSEC_CHROOT_UNIX=y
-CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
-CONFIG_GRKERNSEC_CHROOT_NICE=y
-CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
-CONFIG_GRKERNSEC_CHROOT_CAPS=y
+# CONFIG_GRKERNSEC_CHROOT is not set
 
 #
 # Kernel Auditing
 #
-CONFIG_GRKERNSEC_AUDIT_GROUP=y
-CONFIG_GRKERNSEC_AUDIT_GID=2007
-CONFIG_GRKERNSEC_EXECLOG=y
-CONFIG_GRKERNSEC_RESLOG=y
-CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
-CONFIG_GRKERNSEC_AUDIT_CHDIR=y
-CONFIG_GRKERNSEC_AUDIT_MOUNT=y
-CONFIG_GRKERNSEC_AUDIT_IPC=y
-CONFIG_GRKERNSEC_SIGNAL=y
-CONFIG_GRKERNSEC_FORKFAIL=y
-CONFIG_GRKERNSEC_TIME=y
+# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
+# CONFIG_GRKERNSEC_EXECLOG is not set
+# CONFIG_GRKERNSEC_RESLOG is not set
+# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
+# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
+# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
+# CONFIG_GRKERNSEC_AUDIT_IPC is not set
+# CONFIG_GRKERNSEC_SIGNAL is not set
+# CONFIG_GRKERNSEC_FORKFAIL is not set
+# CONFIG_GRKERNSEC_TIME is not set
 
 #
 # Executable Protections
 #
-CONFIG_GRKERNSEC_EXECVE=y
+# CONFIG_GRKERNSEC_EXECVE is not set
 CONFIG_GRKERNSEC_DMESG=y
 CONFIG_GRKERNSEC_RANDPID=y
-CONFIG_GRKERNSEC_TPE=y
-CONFIG_GRKERNSEC_TPE_ALL=y
-CONFIG_GRKERNSEC_TPE_GID=2005
+# CONFIG_GRKERNSEC_TPE is not set
 
 #
 # Network Protections
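Review bot: CONFIG_GRKERNSEC_PROC_GID changes from 2000 to 2001 on the desktop side, but the /etc/group proposal in section 4.12 defines only gid 2000 (privileged), so on a desktop install the gid named by CONFIG_GRKERNSEC_PROC_USERGROUP would have no group behind it; keep 2000 in both configurations or add the 2001 group to section 4.12. The same hunk also unsets all chroot restrictions, every Kernel Auditing option and TPE without a stated reason; the text should say which of these are dropped for desktop compatibility and which simply were not reviewed.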
@@ -1914,13 +1895,7 @@
 CONFIG_GRKERNSEC_RANDSRC=y
 CONFIG_GRKERNSEC_RANDRPC=y
 CONFIG_GRKERNSEC_RANDPING=y
-CONFIG_GRKERNSEC_SOCKET=y
-CONFIG_GRKERNSEC_SOCKET_ALL=y
-CONFIG_GRKERNSEC_SOCKET_ALL_GID=2004
-CONFIG_GRKERNSEC_SOCKET_CLIENT=y
-CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003
-CONFIG_GRKERNSEC_SOCKET_SERVER=y
-CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002
+# CONFIG_GRKERNSEC_SOCKET is not set
 
 #
 # Sysctl support
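Review bot: the gids on the removed (server) lines of this hunk do not line up with the group list in section 4.12: CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003 has no group at all, CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002 lands on the group called trustedpath, and the groups socketclient (2005) and socketserver (2006) correspond to TPE_GID=2005 and to nothing respectively. Either renumber the options in the server configuration or correct the group list so that each restriction applies to the group its name suggests.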

2.2. Kernel for desktop systems

This kernel has been patched to improve system responsiveness, with an emphasis on desktop use. Special care has also been taken over its visual features, given the audience it is aimed at.

To achieve this, the following patches have been used:

2.2.1. Con Kolivas patches

These patches aim to improve system responsiveness, especially on desktop systems. The list of patches, taken from Con Kolivas's kernel page, is shown below (for more information on a particular patch, visit its home page):

2.2.2. Boot Splash

A patch that provides a graphical boot while the Linux kernel loads. Its features are:

  • Nice graphics (JPEG)

  • Antialiased text (TrueType)

  • Animations (MNG)

  • Progress bar

  • Shows the boot messages above or below the graphic (“verbose” and “silent” modes).

  • Highly configurable graphically

The following images show the two modes of this patch: “verbose” and “silent”.

[Figure: “verbose” mode of the Boot Splash patch]

[Figure: “silent” mode of the Boot Splash patch]

2.2.3. Linux Progress Patch

This patch displays a full-screen image showing a progress bar for the system boot, together with additional information as text. LPP hides the boot messages printed by the kernel, so that the user is not confused by them.

Example images are shown below:

[Figure: Linux Progress Patch examples]

2.3. Kernel for servers

The server kernel has no specific patches, so please refer to the common patches section.

2.4. Common patches

Apart from the patches already mentioned, both kernels share the following patches:

2.4.1. Netfilter patch-o-matic-20030107

Released on 7 January 2003, this patch contains bug fixes and new features for netfilter (the new packet-filtering subsystem included since the 2.4.* series of the Linux kernel). It is intended for versions >= 2.4.18. More information about the patch is available on the netfilter page.

The following list shows the fixes applied by this patch:

  • ipt_multiport-invfix.patch:

    fixes the multiport match, when it is used in combination with the invert (!) flag.

  • ipt_ULOG-mac_len-fix.patch:

    fixes the multiport match, when it is used in combination with the invert (!) flag.

  • 01_ip_conntrack_proto_tcp-lockfix.patch:

    Fix a locking bug in ip_conntrack_proto_tcp.

  • 02_newnat-udp-helper.patch:

    • make ip_nat_resize_packet() more generic (TCP and UDP)

    • add ip_nat_mangle_udp_packet() function similar to ip_nat_mangle_tcp_packet()

    This patch is necessary for UDP nat helpers (like Amanda protocol)

  • 03_REJECT-fwspotting-phrack60-fix.patch:

    ipt_REJECT sends unreachables in response to UDP packets with invalid checksums, thereby exposing the existence of a firewall (as described in phrack #60, "broken crc firewall spotting" (or something like this), www.phrack.com).

    The patch makes ipt_REJECT verify UDP checksums if set.

  • 04_ftp-conntrack-msg-fix.patch:

    As 2.4.20 came out with newnat included, there were several reports on excessive logging of reused FTP expectations.

    A tcpdump (thanks to jpiszcz) proved that such log entries can easily be triggered when a client tries to download/list non-existent entries in active mode and then wants to download other files as well.

    The patch fixes the problem by separating the two possible cases: when the conntrack helper is registered with the reuse flag enabled, then the logging is converted to debugging (not enabled by default), otherwise the logging is kept to notify the admin on the violation of the given protocol.

  • 05_ECN-tcpchecksum-littleendian-fix.patch:

    The 2.4.20 kernel included the new iptables 'ECN' target, enabling a selective ECN disable mechanism. Unfortunately there was a bug in the incremental TCP checksum update, resulting in broken TCP checksums on little endian machines.

    This patch fixes the Bug.

2.4.2. XFS file system

Adds support for SGI's journaling file system, XFS. For more information, see the home page: http://linux-xfs.sgi.com/projects/xfs/

2.4.3. Grsecurity

This patch adds new security features to the kernel, as well as ACLs that are independent of the file system in use. A list of the features of this patch can be seen here. For more information, visit the project's home page.

2.4.4. Linux System Hardware Monitoring

Patches that add support for the temperature sensors distributed around the computer. The project's home page has more information.

2.4.5. Loopback device with encryption support

Patch needed to add file system encryption support to the Linux kernel's 'loopback' device. The modified 'loopback' device intercepts the read/write requests of the encrypted file system and decrypts/encrypts them.

The patch can be obtained from http://www.kernel.org/pub/linux/kernel/people/hvr/testing/

2.4.6. GNU/Linux CryptoAPI

Patch that bundles the 'CryptoAPI' package and the packages that use 'CryptoAPI', such as 'cryptoloop' and 'IPsec'. The patch used can be obtained from http://www.kernel.org/pub/linux/kernel/people/hvr/testing/

The version of 'CryptoAPI' used in the metadistros kernel is '0.1.0-pre4'.

Some uses of 'CryptoAPI' are:

  • Encryption of all physical storage media, for example the individual partitions, the swap space and CD-ROM images.

  • Encryption of network traffic, for example IPsec or another kind of network encryption.

For more information about these patches, visit the home page of the 'CryptoAPI' project.

To see the IPsec implementation used, visit http://ringstrom.mine.nu/ipsec_tunnel/

Note

Spain places no restrictions on distributing and using this patch. If you intend to use this distribution in other countries, first find out about any restrictions your country may have. To do so, visit http://www.kerneli.org/go/countryInfo.php

2.4.7. Linux FreeS/WAN

An implementation of IPSEC and IKE for Linux. The patch was taken from the 'kernel-patch-freeswan-ext' package in the Debian development version (Sid). For more information about the 'deb' package, read the README.Debian that accompanies it.

The main goal of the FreeS/WAN project is to make the Internet more secure and private. For more information about the project and its main features and objectives, visit http://www.freeswan.org/

2.4.8. Advanced Linux Sound Architecture - ALSA

ALSA aims to create a modular sound system for Linux while keeping full compatibility with OSS/Lite. Some of its features are:

  • Efficient support for all kinds of interfaces, from consumer sound cards to professional multichannel cards.

  • Fully modular sound drivers.

  • SMP and thread-safe design.

  • User-space library (alsa-lib), which simplifies application programming and provides a high level of functionality.

  • Support for the OSS API (provides binary compatibility for the great majority of programs written for OSS).

For more information, visit the project's home page: http://www.alsa-project.org/

2.4.9. Nvidia drivers

Drivers for graphics cards with the TNT, TNT2, TNT Ultra, GeForce series, nForce and Quadro chips. For more information: http://www.nvidia.com/

2.4.10. Cloop

Loopback with compression.

2.4.11. Extraversion

Adds, as the kernel's extra version string, the word metadistros-servidor for the server kernel, or the word metadistros-usuario otherwise.

This patch also enlarges the size of the data passed to the kernel as boot parameters (from 256 to 512 characters). This is needed because of the large number of parameters that can be passed to a distribution such as those generated by metadistros.

3. Divisions of the metadistros core

The following list shows the metapackages proposed for the core of metadistros-based distributions:

  • metadistros-nucleo-sb (metadistros-nucleo-kernel)

  • metadistros-nucleo-se

  • metadistros-nucleo-i18n (metadistros-nucleo-i18n-es)

  • metadistros-nucleo-extra

  • metadistros-nucleo-conf

  • metadistros-nucleo-console

  • metadistros-nucleo-x11

3.1. metadistros-nucleo-sb

Contents of the debian/control file.

Source: metadistros-nucleo-sb
Section: misc
Priority: optional
Maintainer: Sergio González González <sergio.gonzalez@hispalinux.es>
Standards-Version: 3.2.1

Package: metadistros-nucleo-sb
Architecture: any
Depends: ${shlibs:Depends}, metadistros-nucleo-kernel, adduser, apt, apt-utils, at,
 base-config, base-files, base-passwd, bash, bsdmainutils, bsdutils, console-common,
 console-data, console-tools, console-tools-libs, cpio, cron, debconf, debianutils,
 dhcp-client, diff, dpkg, e2fsprogs, ed, exim, fdutils, fileutils, findutils, gettext-base,
 grep, groff-base, gzip, hostname, ifupdown, info, ipchains, iptables, klogd, libc6,
 libcap1, libdb2, libdb3, libgdbmg1, libident, libldap2, liblockfile1, libncurses5,
 libnewt0, libpam-modules, libpam-runtime, libpam0g, libpcap0, libpcre3, libpopt0,
 libreadline4, libsasl7, libstdc++2.10-glibc2.2, libwrap0, lilo, login, logrotate,
 mailx, makedev, man-db, manpages, mawk, mbr, modconf, modutils, mount, nano, ncurses-base,
 ncurses-bin, net-tools, netbase, netkit-inetd, netkit-ping, nvi, passwd, pciutils,
 pcmcia-cs, perl-base, ppp, pppconfig, pppoe, pppoeconf, procps, psmisc, sed, setserial,
 shellutils, slang1, sysklogd, syslinux, sysvinit, tar, tasksel, tcpd,
 textutils, util-linux, whiptail
Description: Sistema Base de Metadistros (SBM)
 Metapaquete que tiene como dependencias los archivos que
 conforman el sistema base de metadistros. Este coincide
 con el sistema base de Debian.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

3.2. metadistros-nucleo-se

Contents of the debian/control file.

Source: metadistros-nucleo-se
Section: misc
Priority: optional
Maintainer: Sergio González González <sergio.gonzalez@hispalinux.es>
Standards-Version: 3.2.1

Package: metadistros-nucleo-se
Architecture: any
Depends: ${shlibs:Depends}, metadistros-nucleo-sb, metadistros-nucleo-i18n, bc,
 biff, bind9-host, dc, dnsutils, doc-debian, doc-linux-text, file, finger,
 gnupg, gnupg-doc, less, libdns5, libisc4, liblwres1, libssl0.9.6, lsof,
 lynx-ssl, manpages-dev, mime-support, mpack, mtools, mutt, patch, procmail,
 python, python-newt, python2.1, reportbug, sharutils, ssh, strace, texinfo,
 time, util-linux-locales, vacation, whois, zlib1g, attr, binutils, bzip2,
 cloop-utils, dmapi, eject, ext2resize, gpart, hotplug, hotplug-utils, hwdata,
 kudzu, kudzu-vesa, libattr1, libbz2-1.0, libparted1.4, lvm-common, lvm10,
 mdadm, mdetect, nparted, parted, reiserfsprogs, sudo, usbutils, vim,
 libgpmg1, xfsdump, xfsprogs, telnet-ssl, ftp-ssl, raidtools2, dvhtool, locales
Conflicts: ftp, telnet
Description: Sistema Extendido de Metadistros (SEM)
 Metapaquete que tiene como dependencias los archivos que
 conforman el sistema extendido de metadistros.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

3.3. metadistros-nucleo-i18n-es

Contents of the debian/control file.

Source: metadistros-nucleo-i18n-es
Section: misc
Priority: optional
Maintainer: Sergio González González <sergio.gonzalez@hispalinux.es>
Standards-Version: 3.2.1

Package: metadistros-nucleo-i18n-es
Architecture: any
Provides: metadistros-nucleo-i18n
Depends: ${shlibs:Depends}, manpages-es, manpages-es-extra, user-euro-es
Description: Internacionalización (i18n) española (es) para metadistros
 Metapaquete que tiene como dependencias programas y
 documentación para usuarios hispano parlantes.
 .
 Metadistros es un proyecto de HispaLinux que pretende crear una
 infraestructura para poder crear distribuciones basadas en Debian
 personalizadas de una manera fácil. Para más información:
 .
 http://metadistros.hispalinux.es/

4. Proposed changes to the default Debian configuration

Important

The changes shown below have to be discussed and improved by the metadistros developers:

4.1. Using shadow passwords and md5 passwords

Every metadistros-based system should have shadow passwords and md5-hashed passwords enabled.

To enable shadow passwords, if the official Debian installation has not already done so, run: pwconv, grpconv and finally shadowconfig on

To use md5 passwords, add the word md5 to the following line in the files /etc/pam.d/login and /etc/pam.d/passwd:

password   required   pam_unix.so nullok obscure min=4 max=8

4.2. Localizing the system for Spanish with euro support (eurocastellanizar)

If the distribution is aimed at Spanish-speaking users, run the eurocastellanizar script. Once that is done, add the following locales to the file '/etc/locale.gen' and run locale-gen.

ca_ES.ISO-8859-1
ca_ES.ISO-8859-15@euro
es_ES.ISO-8859-1
es_ES.ISO-8859-15@euro
eu_ES.ISO-8859-1
eu_ES.ISO-8859-15@euro
gl_ES.ISO-8859-1
gl_ES.ISO-8859-15@euro

4.3. Removing non-essential services from /etc/inetd.conf

Remove the “discard”, “daytime” and “time” services from the configuration file of the inetd super-server (using update-inetd); if necessary, replace inetd with xinetd.

4.4. Possible options for /etc/fstab

Some options that I find useful for /etc/fstab:

# /etc/fstab: static file system information.
#
# <file system>                         <mount point> <type>    <options>                                <dump> <pass>
/dev/ide/host0/bus0/target0/lun0/part5  /           reiserfs    rw,nosuid,dev,exec,auto,nouser,async     0 0
/dev/ide/host0/bus0/target0/lun0/part1  /boot       reiserfs    ro,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/root                         /root       reiserfs    rw,nosuid,nodev,exec,auto,nouser,async   0 0
/dev/disco/home                         /home       reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/tmp                          /tmp        reiserfs    rw,nosuid,nodev,exec,auto,nouser,async   0 0
/dev/disco/usr                          /usr        reiserfs    ro,nosuid,nodev,exec,auto,nouser,async   0 0
/dev/disco/var                          /var        reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/log                          /var/log    reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/spool                        /var/spool  reiserfs    rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/sandisco/setuid                    /mnt/setuid reiserfs    ro,suid,nodev,exec,auto,nouser,async     0 0

/dev/ide/host0/bus0/target0/lun0/part2  none    swap            sw,pri=1                0       0

proc                                    /proc   proc            defaults                0       0
/dev/floppy/0                           /floppy auto            rw,nosuid,nodev,noexec,auto,user,async   0 0
/dev/ide/host0/bus1/target0/lun0/cd     /cdrom  iso9660         ro,nosuid,nodev,noexec,auto,user,async   0 0

4.5. /etc/apt/apt.conf

If the /etc/fstab options above have been applied, it is advisable to add the following to /etc/apt/apt.conf, so that dpkg can write to and execute from the restricted file systems while it runs.

DPkg
{
    Pre-Invoke  { "mount /     -o remount,rw" };
    Pre-Invoke  { "mount /usr  -o remount,rw" };
    Pre-Invoke  { "mount /boot -o remount,rw" };
    Pre-Invoke  { "mount /tmp  -o remount,exec" };
    Pre-Invoke  { "mount /var  -o remount,exec" };
    Post-Invoke { "mount /     -o remount,ro" };
    Post-Invoke { "mount /usr  -o remount,ro" };
    Post-Invoke { "mount /boot -o remount,ro" };
    Post-Invoke { "mount /tmp  -o remount,noexec" };
    Post-Invoke { "mount /var  -o remount,noexec" };
};
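
Added example (not part of the original document): a Python check, covering sections 4.4 and 4.5 together, that compares the state each Post-Invoke hook leaves a file system in with the options /etc/fstab declares for it, and lists any Pre-Invoke relaxation that no Post-Invoke hook undoes. The function names are this example's own; the sample data is copied from the two sections, with the fstab options written without embedded spaces.

```python
import re

# fstab entries from section 4.4 for the mount points the hooks touch.
FSTAB = """\
/dev/ide/host0/bus0/target0/lun0/part5  /      reiserfs  rw,nosuid,dev,exec,auto,nouser,async      0 0
/dev/ide/host0/bus0/target0/lun0/part1  /boot  reiserfs  ro,nosuid,nodev,noexec,auto,nouser,async  0 0
/dev/disco/tmp                          /tmp   reiserfs  rw,nosuid,nodev,exec,auto,nouser,async    0 0
/dev/disco/usr                          /usr   reiserfs  ro,nosuid,nodev,exec,auto,nouser,async    0 0
/dev/disco/var                          /var   reiserfs  rw,nosuid,nodev,noexec,auto,nouser,async  0 0
"""

# DPkg hooks from section 4.5.
APT_CONF = """\
DPkg
{
    Pre-Invoke  { "mount /     -o remount,rw" };
    Pre-Invoke  { "mount /usr  -o remount,rw" };
    Pre-Invoke  { "mount /boot -o remount,rw" };
    Pre-Invoke  { "mount /tmp  -o remount,exec" };
    Pre-Invoke  { "mount /var  -o remount,exec" };
    Post-Invoke { "mount /     -o remount,ro" };
    Post-Invoke { "mount /usr  -o remount,ro" };
    Post-Invoke { "mount /boot -o remount,ro" };
    Post-Invoke { "mount /tmp  -o remount,noexec" };
    Post-Invoke { "mount /var  -o remount,noexec" };
};
"""

# Each mount option and the option that undoes it.
OPPOSITE = {"ro": "rw", "rw": "ro", "exec": "noexec", "noexec": "exec",
            "suid": "nosuid", "nosuid": "suid", "dev": "nodev", "nodev": "dev"}

HOOK = re.compile(
    r'(Pre|Post)-Invoke\s*\{\s*"mount\s+(\S+)\s+-o\s+remount,([\w,]+)"\s*\}')


def parse_fstab(text):
    """Return {mount_point: set(options)}; comments and short lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table


def parse_hooks(text):
    """Return [(phase, mount_point, [options])] for every remount hook found."""
    return [(phase, mnt, opts.split(","))
            for phase, mnt, opts in HOOK.findall(text)]


def resting_state_mismatches(fstab_text, apt_text):
    """List (mount_point, declared_in_fstab, left_by_hook) where a Post-Invoke
    hook leaves the file system in a state that contradicts fstab."""
    fstab = parse_fstab(fstab_text)
    found = []
    for phase, mnt, opts in parse_hooks(apt_text):
        if phase != "Post":
            continue
        declared = fstab.get(mnt)
        if declared is None:          # hook targets something fstab never mounts
            found.append((mnt, None, ",".join(opts)))
            continue
        for opt in opts:
            if OPPOSITE.get(opt) in declared:
                found.append((mnt, OPPOSITE[opt], opt))
    return found


def unreverted_hooks(apt_text):
    """List (mount_point, option) set by a Pre-Invoke hook that no Post-Invoke
    hook reverses, i.e. a restriction that stays lifted after dpkg exits."""
    hooks = parse_hooks(apt_text)
    reverted = {(mnt, opt) for phase, mnt, opts in hooks
                if phase == "Post" for opt in opts}
    return [(mnt, opt) for phase, mnt, opts in hooks if phase == "Pre"
            for opt in opts if (mnt, OPPOSITE.get(opt)) not in reverted]


if __name__ == "__main__":
    for mnt, declared, left in resting_state_mismatches(FSTAB, APT_CONF):
        print(f"{mnt}: fstab declares {declared}, Post-Invoke leaves {left}")
    for mnt, opt in unreverted_hooks(APT_CONF):
        print(f"{mnt}: '{opt}' from Pre-Invoke is never reverted")
```

On the sample data it reports / (declared rw, left ro) and /tmp (declared exec, left noexec); every Pre-Invoke change has a matching Post-Invoke.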

4.6. /etc/console-tools/config

We add euro support on the console.

#
# Euro support -> €
#
SCREEN_FONT=lat0-sun16
APP_CHARSET_MAP=iso15
#
#DO_VCSTIME=yes
#
# Forget this one unless you _know_ it is necessary for your font:
#
# Euro support -> €
#
SCREEN_FONT_vc1=lat0-sun16
SCREEN_FONT_vc2=lat0-sun16
SCREEN_FONT_vc3=lat0-sun16
SCREEN_FONT_vc4=lat0-sun16
SCREEN_FONT_vc5=lat0-sun16
SCREEN_FONT_vc6=lat0-sun16

4.7. /etc/dpkg/dselect.cfg

Add the word 'expert' to /etc/dpkg/dselect.cfg.

4.8. /etc/network/

Add the file 'interface-secure', with the following contents:

#!/bin/sh
# Script-name: /etc/network/interface-secure
# Modifies some default behaviour in order to secure against
# some TCP/IP spoofing & attacks
#
# Contributed by Dariusz Puchalak
#
# broadcast echo protection enabled
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

  echo 0 > /proc/sys/net/ipv4/ip_forward     # ip forwarding disabled
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP syn cookie protection enabled

# Log packets with impossible addresses
# but be careful with this on heavy loaded web servers
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# defragging protection always enabled
  echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# bad error message protection enabled
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# now ip spoofing protection
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done

# and finally some more things:
# Disable ICMP Redirect Acceptance
  for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
  done

  for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
  done

# Disable Source Routed Packets
  for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
  done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
  for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > "$f"
  done

Note

For interfaces configured via DHCP, do the following:

Create a new file called '/etc/network/interfaces-arranque', in which the following line has to be added to the configuration of the Internet-facing network card, for example:

pre-up /etc/network/interface-secure

Once this is done, edit the file '/etc/network/interfaces' and add the following to the definition of a network interface:

pre-up /etc/network/interface-secure

up /etc/init.d/rc_firewall start

where rc_firewall is the firewall.

Finally, modify the file '/etc/init.d/networking' so that, at boot, it calls /etc/network/interfaces-arranque instead of /etc/network/interfaces.

Note

For interfaces with fixed addresses, do the following:

Add the following line to the file '/etc/network/interfaces':

pre-up /etc/network/interface-secure

4.9. PAM

Comments on the default PAM configuration:

  • Add the groups 'wheel' and 'nosu'. The first holds the users who are allowed to use 'su'; users who are not allowed to use it are added to 'nosu'.

  • chfn, chsh and cron: remove the 'nullok' entry

  • login

    * Uncomment the lines:

        auth       required   pam_issue.so issue=/etc/issue
        auth       optional   pam_group.so
        account    requisite  pam_time.so
        account  required       pam_access.so
        session    required   pam_limits.so

    * Remove the 'nullok' entries

    * Comment out the line:

        # password   required   pam_unix.so nullok obscure min=4 max=8 md5

    * Uncomment and modify the following lines so that they read:

        password required       pam_cracklib.so retry=3 minlen=8 difok=4
        password required       pam_unix.so use_authtok md5

  • other

    * Comment out or delete the default lines and add the following:

        auth     required       pam_securetty.so
        auth     required       pam_unix_auth.so
        auth     required       pam_warn.so
        auth     required       pam_deny.so
        account  required       pam_unix_acct.so
        account  required       pam_warn.so
        account  required       pam_deny.so
        password required       pam_unix_passwd.so
        password required       pam_warn.so
        password required       pam_deny.so
        session  required       pam_unix_session.so
        session  required       pam_warn.so
        session  required       pam_deny.so

  • passwd

    * Comment out the line:

        password   required   pam_unix.so nullok obscure min=4 max=8 md5

    * Uncomment and modify the last two lines so that they read:

        password required       pam_cracklib.so retry=3 minlen=8 difok=4
        password required       pam_unix.so use_authtok md5

    * Remove the 'nullok' entries

  • ssh

    * Comment out the line:

        password   required     pam_unix.so

    * Uncomment and modify the last two lines so that they read:

        password required       pam_cracklib.so retry=3 minlen=8 difok=4
        password required       pam_unix.so use_authtok md5

  • su

    * Uncomment and modify the lines:

        auth       required   pam_wheel.so group=wheel debug
        auth       required   pam_wheel.so deny group=nosu
        account    requisite  pam_time.so
        session    required   pam_limits.so

4.10. /etc/security/limits.conf

Proposed configuration:

*               hard    core            0
*               soft    nofile          100
*               hard    rss             10000
*               hard    nproc           150
*               soft    fsize           50000
www-data        soft    nofile          100000
@usuarios       hard    core            0
@usuarios       hard    rss             2000
@usuarios       hard    nproc           15
@usuarios       hard    cpu             2
@usuarios       hard    nofile          30
@usuarios       hard    fsize           10000
@usuarios       hard    memlock         5000
@usuarios       hard    data            1000
@usuarios       hard    maxlogins       4
@usuarios       hard    priority        17

If we have a user on our system, we could add:

#nombreusuario          soft    fsize           3000000
nombreusuario          hard    nofile          10000000

4.11. /etc/ssh/

Proposed configuration for these files:

  • ssh_config: add the following:

    Host *
      Protocol 2
      Ciphers   blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
      Compression yes
      HostKeyAlgorithms ssh-dss,ssh-rsa
  • sshd_config: add the following:

    AllowGroups ssh
    Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour

4.12. /etc/group

If the grsecurity patch is installed and we use the configuration of the metadistros kernels, the following groups would have to be added:

privileged:x:2000:
trustedpath:x:2002:
socketall:x:2004:
socketclient:x:2005:
socketserver:x:2006:
auditar:x:2007:

Warning

The group names are only a guide; what matters is that the “gid” values match those that were set in the grsecurity configuration when the kernel was compiled.

4.13. /etc/hosts.allow

Add “sshd: ALL” if necessary.

4.14. /etc/hosts.deny

Proposed lines to add to this file:

# Deny all hosts with a suspicious name
ALL: PARANOID

# Deny all hosts
ALL:ALL

4.15. /etc/inittab

Comment out the line:

#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

4.16. /etc/issue, /etc/issue.net y /etc/motd

Add whatever information is considered appropriate...

4.17. /etc/sysctl.conf

Proposed options:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#
#

##
# Enable low-latency
#

# kernel.lowlatency=1



####################################
# Improving web server performance #
####################################


#
# Maximum number of open files
#

fs/file-max=150000


#
# Increase the number of entries in the connection table
#

net/ipv4/ip_conntrack_max=524288


#
# Increase the backlog queue
#

net/ipv4/tcp_max_syn_backlog=4096


##############################
# Buffer Overflow Protection #
##############################

# _______________________
# Read-only kernel memory
#
# 	root will not be able to modify the contents of
#	kernel memory.  If module support is removed in addition to enabling
#	this option, the ability of an attacker to insert foreign code into
#	a running kernel is removed.
#

# kernel/grsecurity/read_only_kmem=1


# _______________________
# Fixed mmap restrictions
#
#	If you say Y here, it will be impossible for an attacker to bypass the
#	PaX buffer overflow protection by mmaping an executable memory region
#	with a specific address set.
#

# kernel/grsecurity/mmap_fixed_restrict=1



##########################
# Filesystem protections #
##########################


# ____________________
# Linking restrictions
#
#	/tmp race exploits will be prevented, since users
#	will no longer be able to follow symlinks owned by other users in
#	world-writeable +t directories (i.e. /tmp), unless the owner of the
#	symlink is the owner of the directory. users will also not be
#	able to hardlink to files they do not own.
#

kernel/grsecurity/linking_restrictions=1


# _________________
# FIFO restrictions
#
#	Users will not be able to write to FIFOs they don't
#	own in world-writeable +t directories (i.e. /tmp), unless the owner of
#	the FIFO is the same owner of the directory it's held in.
#

kernel/grsecurity/fifo_restrictions=1


# _______________________
# Secure file descriptors
#
#	set*id binaries will be protected from data spoofing
#	attacks (eg. making a program read /etc/shadow).  The patches do this
#	by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
#	for set*id binaries that are open and run by a user that is not the owner
#	of the file.
#

# kernel/grsecurity/secure_fds=1


# ________________________
# Chroot jail restrictions
#
#
#	* Restricted signals
#
#		Processes inside a chroot will not be able to send
#		signals outside of the chroot.  The only signals allowed are null
#		signals which perform no action, and the parent process sending
#		a certain signal to its child.
#

##kernel/grsecurity/chroot_restrict_sigs=1

#
#	* Deny mounts
#
#		Processes inside a chroot will not be able to
#		mount or remount filesystems.
#

kernel/grsecurity/chroot_deny_mount=1

#
#	* Deny double-chroots
#
#		Processes inside a chroot will not be able to chroot
#		again.  This is a widely used method of breaking out of a chroot jail
#		and should not be allowed.
#

kernel/grsecurity/chroot_deny_chroot=1

#
#	* Enforce chdir("/") on all chroots
#
#		The current working directory of all newly-chrooted
#		applications will be set to the root directory of the chroot.
#		The man page on chroot(2) states:
#		Note that this call does not change  the  current  working
#		directory,  so  that `.' can be outside the tree rooted at
#		`/'.  In particular, the  super-user  can  escape  from  a
#		`chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
#
#		It is recommended that you say Y here, since it's not known to break
#		any software.
#

#kernel/grsecurity/chroot_deny_chdir=1

#
#	* Deny (f)chmod +s
#
#		Processes inside a chroot will not be able to chmod
#		or fchmod files to make them have suid or sgid bits.  This protects
#		against another published method of breaking a chroot.
#

kernel/grsecurity/chroot_deny_chmod=1

#
#	* Deny mknod
#
#		Processes inside a chroot will not be allowed to
#		mknod.  The problem with using mknod inside a chroot is that it
#		would allow an attacker to create a device entry that is the same
#		as one on the physical root of your system, which could range from
#		anything from the console device to a device for your harddrive (which
#		they could then use to wipe the drive or steal data).  It is recommended
#		that you say Y here, unless you run into software incompatibilities.
#

kernel/grsecurity/chroot_deny_mknod=1

#
#	* Deny ptraces
#
#		Processes inside a chroot will not be able to ptrace
#		other processes.  Ptracing a process allows one to attach and alter the
#		flow of execution for the process.  It is strongly recommended that you
#		say Y here.
#

##kernel/grsecurity/chroot_deny_ptrace=1

#
#	* Restrict priority changes
#
#		Processes inside a chroot will not be able to raise
#		the priority of processes in the chroot, or alter the priority of
#		processes outside the chroot.  This provides more security than simply
#		removing CAP_SYS_NICE from the process' capability set.
#

kernel/grsecurity/chroot_restrict_nice=1


# _____________________________________
# Capability restrictions within chroot
#
#	The capabilities on all root processes within a
#	chroot jail will be lowered to stop module insertion, raw i/o,
#	system and net admin tasks, transferring capabilities, and
#	tty configuration tasks.  This is left an option because it breaks
#	some apps.  Disable this if your chrooted apps are having
#	problems performing those kinds of tasks.
#

kernel/grsecurity/chroot_caps=1


# _____________________
# Secure keymap loading
#
#	KDSKBENT and KDSKBSENT ioctl calls being
#	called by unprivileged users will be denied. If you answer N,
#	everyone with access to the console will be able to modify keyboard
#	bindings.
#

# kernel/grsecurity/secure_kbmap=1



####################
# Security Logging #
####################


# _________________________
# Single group for auditing
#
#	the exec, chdir, (un)mount, and ipc logging features
#	will only operate on a group you specify.  This option is recommended
#	if you only want to watch certain users instead of having a large
#	amount of logs from the entire system.
#

kernel/grsecurity/audit_group=1



#
#	* GID for auditing
#			
#		Here you can choose the GID that will be the target of
#		kernel auditing. Remember to add the users you want to log
#		to the GID specified here. If the sysctl option is
#		enabled, whatever you choose here won't matter. You'll have to
#		specify the GID in your bootup script by echoing the GID to
#		the proper /proc entry.  View the help on the sysctl option for
#		more information.
#

kernel/grsecurity/audit_gid=2007


# ____________
# Exec logging
#
#	All execve() calls will be logged (since the
#	other exec*() calls are frontends to execve(), all execution
#	will be logged).  Useful for shell-servers that like to keep track
#	of their users.
#
#	WARNING: This option when enabled will produce a LOT of logs, especially
#	on an active system.
#

kernel/grsecurity/exec_logging=0


# _______________________
# Log execs within chroot
#
#	All executions inside a chroot jail will be logged
#	to syslog.
#

kernel/grsecurity/chroot_execlog=1


# _____________
# Chdir logging
#
#	All chdir() calls will be logged.
#

kernel/grsecurity/audit_chdir=0


# _________________
# (Un)Mount logging
#
#	All mounts and unmounts will be logged.
#

kernel/grsecurity/audit_mount=1


# ___________
# IPC logging
#
#	creation and removal of message queues, semaphores,
#	and shared memory will be logged.
#

kernel/grsecurity/audit_ipc=1


# ______________
# Ptrace logging
#
#	All successful ptraces will be logged. Ptraces are
#	special operations performed when programs like strace or gdb are run.
#	They have also been the focus of some kernel vulnerabilities.
#

###kernel/grsecurity/audit_ptrace=1


# ______________
# Signal logging
#
#	Certain important signals will be logged, such as
#	SIGSEGV, which will as a result inform you of when an error in a program
#	occurred, which in some cases could mean a possible exploit attempt.
#

kernel/grsecurity/signal_logging=0


# ____________________
# Fork failure logging
#
#	All failed fork() attempts will be logged.
#	This could suggest a fork bomb, or someone attempting to overstep
#	their process limit.
#

kernel/grsecurity/forkfail_logging=1


# ____________________________
# Set*id logging for all users
#
#	All set*id() calls will be logged.  Such information
#	could be useful when detecting a possible intrusion attempt.  This
#	option can produce a lot of logs on an active system.
#

# kernel/grsecurity/suid_logging=0


# ___________________
# Time change logging
#
#	Any changes of the system clock will be logged.
#

kernel/grsecurity/timechange_logging=0



##########################
# Executable Protections #
##########################


# _____________________
# Exec process limiting
#
#	Users with a resource limit on processes will
#	have the value checked during execve() calls.  The current system
#	only checks the system limit during fork() calls.
#

kernel/grsecurity/execve_limiting=1


# ___________________________
# Dmesg(8) restriction
#
#	Non-root users will not be able to use dmesg(8)
#	to view up to the last 4kb of messages in the kernel's log buffer.
#

kernel/grsecurity/dmesg=1


# _______________
# Randomized PIDs
#
#	All PIDs created on the system will be
#	pseudo-randomly generated.  This is extremely effective along
#	with the /proc restrictions to disallow an attacker from guessing
#	pids of daemons, etc.  PIDs are also used in some cases as part
#	of a naming system for temporary files, so this option would keep
#	those filenames from being predicted as well.  We also use code
#	to make sure that PID numbers aren't reused too soon.
#

kernel/grsecurity/rand_pids=1


# _____________________________
# Limit uid/gid changes to root
#
#	You will be able to choose from three options that
#	will allow you to restrict access to the root account by console
#	type.  These options should only be enabled if you are sure of what
#	you're doing.  Also note that they only apply to processes that have
#	ttys, which generally involves some kind of user-interaction.  The
#	options are basically in place to keep users on a system who have a
#	(stolen) password for root from using it unless their console
#	credentials match.
#


#
#	* Deny physical consoles (tty)
#
#		Access to root from physical consoles will be
#		denied. This is only recommended for rare cases where you will
#		never need to be physically at the machine.
#

# kernel/grsecurity/deny_phys_root=0

#
#	* Deny serial consoles (ttyS)
#
#		Access to root from serial consoles will be
#		denied. Most people can say Y here, since most don't use serial
#		devices for their console access.  If you are unsure, say N.

# kernel/grsecurity/deny_serial_root=1

#
#	* Deny pseudo consoles (pty)
#
#		Access to root from pseudo consoles will be
#		denied. Pseudo consoles include consoles from telnet, ssh, or any other
#		kind of interactive shell initiated from the network.  Pseudo consoles
#		also include any terminals you use in XFree86.  If you will only be
#		accessing the machine for root access from the physical console, you
#		can say Y here.  Only say Y here if you're sure of what you're doing.

# kernel/grsecurity/deny_pseudo_root=0


# ____________________
# Fork-bomb protection
#
#	You will be able to configure a group to add to users
#	on your system that you want to be unable to fork-bomb the system.
#	You will be able to specify a maximum process limit for the user and
#	set a rate limit for all forks under their uid. (Fork-bombing is a
#	tactic used by attackers that can be enacted in two ways, (1) loading
#	up thousands of processes until the system can't take any more (this
#	method can be stopped outside of the kernel with PAM, however we place
#	protection for it in the kernel to be more complete and reduce overhead),
#	and (2), by forking processes at a rapid rate, and then killing them
#	off, which cannot be protected against in the same way as tactic 1)
#	The rate limit is specified in forks allowed per second.  Set this
#	limit low enough to stop tactic 2, but high enough to allow for
#	normal operation.  The protection will kill the offending process.
#

# kernel/grsecurity/fork_bomb_prot=1

#
#	* GID for restricted users
#
#		Here you can choose the GID to enable fork-bomb protection for.
#		Remember to add the users you want protection enabled for to the GID
#		specified here.  If the sysctl option is enabled, whatever you choose
#		here won't matter. You'll have to specify the GID in your bootup
#		script by echoing the GID to the proper /proc entry.  View the help
#		on the sysctl option for more information.
#

# kernel/grsecurity/fork_bomb_gid=2001

#
#	* Forks allowed per second
#
#		Here you can specify the maximum number of forks allowed per second.
#		You don't want to set this value too low, or else you'll hinder
#		normal operation of your system.  The default value should be fine for
#		most users.
#

# kernel/grsecurity/fork_bomb_sec=40

#
#	* Maximum processes allowed
#
#	Here you can configure the maximum number of processes users in the
#	fork-bomb protected group can run.  I would not recommend setting a
#	value lower than 8, since some programs like man(1) spawn up to 8
#	processes to run.  The default value should be fine for most purposes.
#

# kernel/grsecurity/fork_bomb_max=20


# ______________________
# Trusted path execution
#
#	You will be able to choose a gid to add to the
#	supplementary groups of users you want to mark as "untrusted."
#	These users will not be able to execute any files that are not in
#	root-owned directories writeable only by root.
#
kernel/grsecurity/tpe=1

#
#	* Glibc protection
#
#		All non-root users will not be able to execute
#		any files while glibc specific environment variables such as
#		LD_PRELOAD are set, which could be used to evade the trusted path
#		execution protection.  It also protects against evasion through
#		/lib/ld-2.*  It is recommended you say Y here also.
#

###kernel/grsecurity/tpe_glibc=1

#
#	* Partially restrict non-root users
#
#		All other non-root users will only be allowed to
#		execute files in directories they own that are not group or
#		world-writeable, or in directories owned by root and writeable only by
#		root.
#

kernel/grsecurity/tpe_restrict_all=1

#
#		- GID for untrusted users:
#
#			Here you can choose the GID to enable trusted path protection for.
#			Remember to add the users you want protection enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/tpe_gid=2002


# _________________
# Restricted ptrace
#
#	No one but root will be able to ptrace processes.
#	Tracing syscalls inside the kernel will also be disabled.  All allowed
#	ptraces will be logged when this option is enabled.
#

# kernel/grsecurity/restrict_ptrace=1

#
#	* Allow ptrace for group
#
#	You will be able to choose a GID of whose users
#	will be able to ptrace.
#

# kernel/grsecurity/allow_ptrace_group=1

#
#		- GID for ptrace
#
#			Here you can choose the GID of whose users will be able to ptrace.
#			Remember to add the users you want ptrace enabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

# kernel/grsecurity/ptrace_gid=2003



#######################
# Network Protections #
#######################


# _________________
# Randomized IP IDs
#
#	All the id field on all outgoing packets
#	will be randomized.  This hinders os fingerprinters and
#	keeps your machine from being used as a bounce for an untraceable
#	portscan.  Ids are used for fragmented packets, fragments belonging
#	to the same packet have the same id.  By default linux only
#	increments the id value on each packet sent to an individual host.
#	We use a port of the OpenBSD random ip id code to achieve the
#	randomness, while keeping the possibility of id duplicates to
#	near none.
#

kernel/grsecurity/rand_ip_ids=1


# ___________________________
# Randomized TCP source ports
#
#	Situations where a source port is generated on the
#	fly for the TCP protocol (ie. with connect() ) will be altered so that
#	the source port is generated at random, instead of a simple incrementing
#	algorithm.
#

kernel/grsecurity/rand_tcp_src_ports=1

# ___________________________
# Randomized RPC XIDs
#
#	The method of determining XIDs for RPC requests will
#	be randomized, instead of using linux's default behavior of simply
#	incrementing the XID.
#

kernel/grsecurity/rand_rpc=1


# ________________
# Altered Ping IDs
#
#	The way Linux handles echo replies will be changed
#	so that the reply uses an ID equal to the ID of the echo request.
#	This will help in confusing OS detection.
#

kernel/grsecurity/altered_pings=1


# ______________
# Randomized TTL
#
#	Your TTL (time to live) for packets will be set at
#	random, with a base level you specify, to further confuse OS detection.
#

# kernel/grsecurity/rand_ttl=1


#
#	* TTL starting point:
#
#		Here you can choose a base TTL for the randomization.  The default value
#		for this setting is the Linux default TTL.  Most users will want to
#		leave this setting as-is.  The higher you set the base level (note that
#		you can't set it above 255) the more hops your packets will live.
#		If the sysctl option is enabled, whatever you choose here won't matter.
#		You'll have to specify the threshold in your bootup script by echoing
#		the threshold to the proper /proc entry.  View the help on the sysctl
#		option for more information.
#

#kernel/grsecurity/rand_ttl_thresh=64


# ___________________________
# Enhanced network randomness
#
#	The functions controlling the randomness
#	of the Linux IP stack will be enhanced to decrease the chances
#	of being able to predict certain packets that require some
#	amount of randomness.
#

### kernel/grsecurity/rand_net=1


# ___________________
# Socket restrictions
#
#	You will be able to choose from several options.
#	If you assign a GID on your system and add it to the supplementary
#	groups of users you want to restrict socket access to, this patch
#	will perform up to three things, based on the option(s) you choose.


#
#	* Deny any sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine or run server
#		applications from your machine.
#

kernel/grsecurity/socket_all=1

#
#		- GID to deny all sockets for:
#
#			Here you can choose the GID to disable socket access for. Remember to
#			add the users you want socket access disabled for to the GID
#			specified here.  If the sysctl option is enabled, whatever you choose
#			here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_all_gid=2004

#
#	* Deny client sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to connect to other hosts from your machine, but will be
#		able to run servers.  If this option is enabled, all users in the group
#		you specify will have to use passive mode when initiating ftp transfers
#		from the shell on your machine.
#

kernel/grsecurity/socket_client=1

#
#		- GID to deny client sockets for:
#
#			Here you can choose the GID to disable client socket access for.
#			Remember to add the users you want client socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_client_gid=2005

#
#	* Deny server sockets to group
#
#		You will be able to choose a GID of whose users will
#		be unable to run server applications from your machine.
#

kernel/grsecurity/socket_server=1

#
#		- GID to deny server sockets for:
#
#			Here you can choose the GID to disable server socket access for.
#			Remember to add the users you want server socket access disabled for to
#			the GID specified here.  If the sysctl option is enabled, whatever you
#			choose here won't matter. You'll have to specify the GID in your bootup
#			script by echoing the GID to the proper /proc entry.  View the help
#			on the sysctl option for more information.
#

kernel/grsecurity/socket_server_gid=2006


# __________________
# Stealth networking
#
#	You will enable several enhancements that will
#	improve your system's protection against portscans.
#	Enabling these options and filtering all open ports should make
#	your machine very hard to detect, while not interfering with (most)
#	normal operation.  All the stealth options break RFC, so there's always the
#	possibility that it might affect how certain network applications react
#	to your system.

#
#	* Do not send RSTs on unserved TCP
#
#		Your machine will not send RSTs (connection resets)
#		on unserved TCP ports.  This will slow down portscanners a great deal,
#		since it has the same effect as dropping all packets to unserved TCP
#		ports.  It will also force clients connecting to a non-open port to
#		time out instead of immediately stating "connection refused."
#

# kernel/grsecurity/stealth_rst=0

#
#	* Do not reply to UDP with ICMP unreachables
#
#		Your machine will not reply with ICMP unreachable
#		packets (type 3) on UDP ports not waiting for data.  This hinders
#		portscanners from scanning your UDP ports.  Enabling the UDP stealth
#		options is known to slow down SSH connection times, and may also
#		interfere with other protocols as well.  Packets travelling across the
#		local loopback interface will not be tampered with.
#

# kernel/grsecurity/stealth_udp=0

#
#	* Do not process ICMP packets
#
#		Your machine will drop all ICMP packets but
#		echo-reply (Which allows you to ping from your machine, while not
#		allowing your machine to be pinged).  Since ICMP packets can be spoofed
#		and are commonly used in Denial of Service attacks, it is recommended
#		that you say Y here.  Theoretically, it is possible that this option
#		could hinder your ability to connect to certain hosts since it also
#		blocks "packet too large" icmp messages, though in reality this
#		occurrence is rare.  Packets travelling across the local loopback
#		interface will not be tampered with.
#

# kernel/grsecurity/stealth_icmp=0

#
#	* Do not reply to IGMP requests
#
#		Your machine will drop all IGMP packets.  IGMP
#		stands for Internet Group Management Protocol.  Most users should
#		enable this option, unless you are actually connected to a multicast
#		network, which IGMP is used for.
#

# kernel/grsecurity/stealth_igmp=1

#
#	* Drop packets with illegitimate flags
#
#		Your machine will drop packets with TCP flags that
#		are never used in normal communication.  Such packets are used in
#		"stealth" scans, and should not be allowed.  It is recommended that
#		you say Y here.
#

# kernel/grsecurity/stealth_flags=0


###################
# Network Logging #
###################


# __________________________________
# Log requests to unserved TCP ports
#
#	Your machine will log requests to unserved TCP ports.
#

### kernel/grsecurity/stealth_rst_log=0

# __________________________________
# Log requests to unserved UDP ports
#
#	Your machine will log packets to UDP ports on your
#	system that are not waiting for data. Packets travelling across the
#	local loopback interface will not be logged.
#

### kernel/grsecurity/stealth_udp_log=0

# ________________
# Log ICMP packets
#
#	Your machine will log all ICMP packets but
#	echo-reply.  Packets travelling across the local loopback interface
#	will not be logged.
#

### kernel/grsecurity/stealth_icmp_log=0

# ___________________________________
# Log packets with illegitimate flags
#
#	Your machine will log packets with TCP flags that
#	are never used in normal communication.  Such packets are used in
#	"stealth" scans, and should not be allowed.
#

### kernel/grsecurity/stealth_flags_log=0



##############################
# Miscellaneous Enhancements #
##############################

# ___________________
# BSD-style coredumps
#
#	Linux will use a style similar to BSD for
#	coredumps, core.processname.  Not a security feature, just
#	a useful one.
#

# kernel/grsecurity/coredump=1



##################
# Sysctl support #
##################

# ______________
# Sysctl support
#
#	You will be able to change the options that
#	grsecurity runs with at bootup, without having to recompile your
#	kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
#	to enable (1) or disable (0) various features.  All the sysctl entries
#	are mutable until the "grsec_lock" entry is set to a non-zero value.
#	All features are disabled by default. Please note that this option could
#	reduce the effectiveness of the added security of this patch if an ACL
#	system is not put in place.  Your init scripts should be read-only, and
#	root should not have access to adding modules or performing raw i/o
#	operations.  All options should be set at startup, and the grsec_lock
#	entry should be set to a non-zero value after all the options are set.
#	*THIS IS EXTREMELY IMPORTANT*
#

kernel/grsecurity/grsec_lock=0
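
Sections 4.12 and 4.17 have to agree on the GIDs, and the comment above asks for grsec_lock to be set to a non-zero value after every other option. The following Python check is an added example, not part of the original document; the function names are hypothetical and the sample inputs are constructed from the values proposed in those two sections.

```python
PREFIX = "kernel.grsecurity."

# Which on/off entry each *_gid entry belongs to, as laid out in 4.17.
TOGGLE_FOR_GID = {
    "audit_gid": "audit_group",
    "tpe_gid": "tpe",
    "socket_all_gid": "socket_all",
    "socket_client_gid": "socket_client",
    "socket_server_gid": "socket_server",
    "fork_bomb_gid": "fork_bomb_prot",
    "ptrace_gid": "allow_ptrace_group",
}

# Constructed inputs: the active GID-related lines proposed for
# /etc/sysctl.conf and the groups proposed for /etc/group.
SYSCTL_CONF = """\
kernel/grsecurity/audit_group=1
kernel/grsecurity/audit_gid=2007
# kernel/grsecurity/fork_bomb_gid=2001
kernel/grsecurity/tpe=1
kernel/grsecurity/tpe_gid=2002
kernel/grsecurity/socket_all=1
kernel/grsecurity/socket_all_gid=2004
kernel/grsecurity/socket_client=1
kernel/grsecurity/socket_client_gid=2005
kernel/grsecurity/socket_server=1
kernel/grsecurity/socket_server_gid=2006
kernel/grsecurity/grsec_lock=0
"""
GROUP_FILE = """\
root:x:0:
privileged:x:2000:
trustedpath:x:2002:
socketall:x:2004:
socketclient:x:2005:
socketserver:x:2006:
auditar:x:2007:
"""


def parse_sysctl(text):
    """Return active grsecurity entries as (name, value), in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().replace("/", ".")   # both separators are accepted
        if key.startswith(PREFIX):
            entries.append((key[len(PREFIX):], value.strip()))
    return entries


def parse_groups(text):
    """Return {gid: group name} from /etc/group style text."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[int(fields[2])] = fields[0]
    return groups


def audit(sysctl_text, group_text):
    """Return a list of findings; an empty list means the files agree."""
    entries = parse_sysctl(sysctl_text)
    values = dict(entries)
    groups = parse_groups(group_text)
    findings = []

    for key, value in entries:
        if not key.endswith("_gid"):
            continue
        if not value.isdigit():
            findings.append(f"{key}: '{value}' is not a numeric GID")
        elif int(value) not in groups:
            findings.append(f"{key}={value}: no group with that GID in /etc/group")
        toggle = TOGGLE_FOR_GID.get(key)
        if toggle and values.get(toggle) != "1":
            findings.append(f"{key} is set but {toggle} is not enabled")

    # Entries are mutable until grsec_lock is non-zero, so it must come last.
    locked_at = next((i for i, (k, v) in enumerate(entries)
                      if k == "grsec_lock" and v.isdigit() and int(v) != 0), None)
    if locked_at is None:
        findings.append("grsec_lock is 0 or missing: entries stay mutable after boot")
    else:
        late = [k for k, _ in entries[locked_at + 1:]]
        if late:
            findings.append("set after grsec_lock, so it will not apply: "
                            + ", ".join(late))
    return findings


if __name__ == "__main__":
    for finding in audit(SYSCTL_CONF, GROUP_FILE):
        print(finding)
```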

5. BlueSock proposals

BlueSock is a Spanish company that is building a distribution called BSLinux, based on Debian GNU/Linux. The company has developed a very powerful installation system that uses XML at a low level. All of the development is being done under the GPL licence.

5.1. BlueSock partitioner

The part of the development that is, a priori, of interest to metadistros is its partitioning tool. It is based on the parted program and uses XML internally. Because of the way the tool is designed, it can modify the partition table of machines over the network, not only that of the machine it is running on.

The images below show the Qt-based frontend that this partitioning tool uses in the BSLinux distribution.

BlueSock partitioner - image 1 -

BlueSock partitioner - image 2 -

BlueSock partitioner - image 3 -

5.2. Use of XML for different parts of the distribution

Another interesting feature of this distribution is its use of XML for different parts of the system, such as configuration files, installation system files, etc.

The examples shown below are files taken from BSLinux 1.0 Personal as of 6 February 2003. They show how XML can be put to use for these tasks.

5.2.1. installation_locate.xml

Configuration of the system's “localization”. The file is named installation_locate.xml.

<countries>

<!-- we order the country by language, but this is just a way, not mean
to be strict, just to look for the country name faster later -->
<!-- English speaking countries -->
<country>
	<name>England</name>
	<language>English</language>
	<keyboard-layout>U.S English</keyboard-layout>
	<GMT></GMT>
</country>

<country>
	<name>United States</name>
	<language>English</language>
	<keyboard-layout>U.S English</keyboard-layout>
	<GMT></GMT>
</country>

<country>
	<name>Spain</name>
	<language>Español</language>
	<keyboard-layout>Spain (es)</keyboard-layout>
	<GMT></GMT>
</country>

<country>
	<name>Japan</name>

	<language>日本語</language>
	<keyboard-layout>Japan (jp)</keyboard-layout>
	<GMT></GMT>
</country>

<language>
	<name>English</name>
	<encoding>iso-8859-1</encoding>
	<dir></dir>
</language>

<language>
	<name>Español</name>
	<encoding>iso-8859-1</encoding>
	<dir></dir>
</language>

<language>
	<name>日本語</name>
	<encoding>iso-2202</encoding>
	<dir></dir>
</language>

</countries>

5.2.2. configurerConfig.xml

File generated by the CoolBlue configurer. The file is named configurerConfig.xml.

<?xml version = '1.0' encoding = 'UTF-8' ?>
<AUTOMATICALLY_GENERATED_XML>
	<version>0.1</version>
	<global>
		<distro>
			<name>BSLinux</name>
			<version>1.0</version>
			<codenamed>kenny</codenamed>
			<date>??-??-2002</date>
		</distro>
		<paths>
			<source>
				<base>/target/</base>
				<lists>var/lib/apt/lists/</lists>
				<packages>var/cache/apt/archives/</packages>
			</source>
			<target>
				<base>/target/</base>
				<dpkg>var/lib/dpkg/</dpkg>
			</target>
		</paths>
		<architecture>i386</architecture>
		<suite>kenny/</suite>
	</global>
	<fstab>
		<header>#
# Automatically generated by configurer from CoolBlue.
#
# /etc/fstab: static file system information.
#
# &lt;file system&gt;	&lt;mount point&gt;	&lt;type&gt;	&lt;options&gt;		&lt;dump&gt;	&lt;pass&gt;</header>
		<filesystems>
			<filesystem>
				<name>reiserfs</name>
				<options>
					<option>defaults</option>
				</options>
			</filesystem>
			<filesystem>
				<name>ext3</name>
				<options>
					<option>errors=remount-ro</option>
				</options>
			</filesystem>
			<filesystem>
				<name>ext2</name>
				<options>
					<option>errors=remount-ro</option>
				</options>
			</filesystem>
			<filesystem>
				<name>linux-swap</name>
				<options>
					<option>pri=1</option>
				</options>
			</filesystem>
			<filesystem>
				<name>xfs</name>
				<options>
					<option>defaults</option>
				</options>
			</filesystem>
			<filesystem>
				<name>ntfs</name>
				<options>
					<option>ro</option>
					<option>noauto</option>
					<option>user</option>
					<option>umask=022</option>
				</options>
			</filesystem>
			<filesystem>
				<name>nfs</name>
				<options>
					<option>rw</option>
					<option>rsize=8192</option>
					<option>wsize=8192</option>
					<option>nolock</option>
				</options>
			</filesystem>
			<filesystem>
				<name>proc</name>
				<options>
					<option>defaults</option>
				</options>
			</filesystem>
			<filesystem>
				<name>devpts</name>
				<options>
					<option>defaults</option>
				</options>
			</filesystem>
			<filesystem>
				<name>usbdevfs</name>
				<options>
					<option>noauto</option>
				</options>
			</filesystem>
		</filesystems>
		<devices>
			<device>
				<name>cdrom</name>
				<options>
					<option>ro</option>
					<option>noauto</option>
					<option>user</option>
					<option>exec</option>
				</options>
			</device>
			<device>
				<name>dvd</name>
				<options>
					<option>ro</option>
					<option>noauto</option>
					<option>user</option>
					<option>exec</option>
				</options>
			</device>
			<device>
				<name>floppy</name>
				<options>
					<option>noauto</option>
					<option>user</option>
					<option>sync</option>
				</options>
			</device>
			<device>
				<name>tape</name>
			</device>
			<device>
				<name>zip</name>
			</device>
		</devices>
	</fstab>
	<lilo>
		<sections>
			<section name="header">
				<doc># /etc/lilo.conf - See: `lilo(8)&apos; and `lilo.conf(5)&apos;,
# ---------------       `install-mbr(8)&apos;, `/usr/share/doc/lilo/&apos;,
#                       and `/usr/share/doc/mbr/&apos;.

# +---------------------------------------------------------------+
# |                        !! Reminder !!                         |
# |                                                               |
# | Don&apos;t forget to run `lilo&apos; after you make changes to this     |
# | conffile, `/boot/bootmess.txt&apos;, or install a new kernel.  The |
# | computer will most likely fail to boot if a kernel-image      |
# | post-install script or you don&apos;t remember to run `lilo&apos;.      |
# |                                                               |
# +---------------------------------------------------------------+
</doc>
			</section>
			<section name="lba32">
				<doc># Support LBA for large hard disks.
#
</doc>
			</section>
			<section name="boot">
				<doc># Specifies the boot device.  This is where Lilo installs its boot
# block.  It can be either a partition, or the raw device, in which
# case it installs in the MBR, and will overwrite the current MBR.
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="message">
				<doc># You can put a customized boot message up if you like.  If you use
# `prompt&apos;, and this computer may need to reboot unattended, you
# must specify a `timeout&apos;, or it will sit there forever waiting
# for a keypress.  `single-key&apos; goes with the `alias&apos; lines in the
# `image&apos; configurations below.  eg: You can press `1&apos; to boot
# `Linux&apos;, `2&apos; to boot `LinuxOLD&apos;, if you uncomment the `alias&apos;.
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="root">
				<doc># Specifies the device that should be mounted as root. (`/&apos;)
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="compact">
				<doc># Enable map compaction:
# Tries to merge read requests for adjacent sectors into a single
# read request. This drastically reduces load time and keeps the
# map smaller.  Using `compact&apos; is especially recommended when
# booting from a floppy disk.  It is disabled here by default
# because it doesn&apos;t always work.
#
</doc>
			</section>
			<section name="install">
				<doc># Installs the specified file as the new boot sector
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="map">
				<doc># Specifies the location of the map file
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="password">
				<doc># You can set a password here, and uncomment the `restricted&apos; lines
# in the image definitions below to make it so that a password must
# be typed to boot anything but a default configuration.  If a
# command line is given, other than one specified by an `append&apos;
# statement in `lilo.conf&apos;, the password will be required, but a
# standard default boot will not require one.
#
# This will, for instance, prevent anyone with access to the
# console from booting with something like `Linux init=/bin/sh&apos;,
# and thus becoming `root&apos; without proper authorization.
#
# Note that if you really need this type of security, you will
# likely also want to use `install-mbr&apos; to reconfigure the MBR
# program, as well as set up your BIOS to disallow booting from
# removable disk or CD-ROM, then put a password on getting into the
# BIOS configuration as well.  Please RTFM `install-mbr(8)&apos;.
#
</doc>
				<value>tatercounter2000</value>
			</section>
			<section name="timeout">
				<doc># Specifies the number of deciseconds (0.1 seconds) LILO should
# wait before booting the first image.
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="vga">
				<doc># Specifies the VGA text mode at boot time. (normal, extended, ask, &lt;mode&gt;) p.e.:
#  vga=ask
#  vga=9
#  vga=normal
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="append">
				<doc># Kernel command line options that apply to all installed images go
# here.  See: The `boot-prompt-HOWTO&apos; and `kernel-parameters.txt&apos; in
# the Linux kernel `Documentation&apos; directory.
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="default">
				<doc># Boot up Linux by default.
#
</doc>
				<value>@BS@</value>
			</section>
			<section name="other">
				<doc># If you have another OS on this machine to boot, you can uncomment the
# following lines, changing the device name on the `other&apos; line to
# where your other OS&apos; partition is.
#
</doc>
			</section>
		</sections>
	</lilo>
	<initrd>
		<ram>
			<device>/dev/ram4</device>
			<size>5000</size>
			<bs>1024</bs>
			<nbpi>1024</nbpi>
			<path>/tmp/initrd</path>
		</ram>
		<bin>/usr/share/coolblue/resources/initrd/bin.tar.gz</bin>
		<devices>/usr/share/coolblue/resources/initrd/devices.tar.gz</devices>
	</initrd>
</AUTOMATICALLY_GENERATED_XML>

5.2.3. downloadConfig.xml

This file shows how the information about the Debian sources for APT-GET and the packages to install is stored. It is named downloadConfig.xml.

<?xml version = '1.0' encoding = 'UTF-8' ?>
<AUTOMATICALLY_GENERATED_XML>
	<version>0.1</version>
	<global>
		<distro>
			<name>BSLinux</name>
			<version>1.0</version>
			<codenamed>kenny</codenamed>
			<date>??-??-2002</date>
		</distro>
		<source useAllSources="yes" retriesNum="3">
			<dists>dists/</dists>
			<pool>pool/</pool>
			<mirrors>
				<mirror>file://mnt/cdrom/</mirror>
				<mirror>file://usr/BSLINUX/workstation/CD_0/</mirror>
				<mirror>file://mnt/floppy/</mirror>
				<mirror>http://www.bluesock.net/</mirror>
				<mirror>http://ftp.bluesock.net/</mirror>
				<mirror>ftp://ftp.bluesock.net/pub/</mirror>
				<mirror>http://www.debian.org/bslinuxFlavour/</mirror>
			</mirrors>
		</source>
		<target>
			<base>/target/</base>
			<lists>var/lib/apt/lists/</lists>
			<packages>var/cache/apt/archives/</packages>
		</target>
		<architecture>i386</architecture>
		<suite>kenny/</suite>
		<mainIndices>Release</mainIndices>
		<packages>
			<required>
				<package>
					<name>base-files</name>
				</package>
				<package>
					<name>base-passwd</name>
				</package>
				<package>
					<name>bash</name>
				</package>
				<package>
					<name>bsdutils</name>
				</package>
				<package>
					<name>debconf</name>
				</package>
				<package>
					<name>debianutils</name>
				</package>
				<package>
					<name>diff</name>
				</package>
				<package>
					<name>dpkg</name>
				</package>
				<package>
					<name>e2fsprogs</name>
				</package>
				<package>
					<name>fileutils</name>
				</package>
				<package>
					<name>findutils</name>
				</package>
				<package>
					<name>grep</name>
				</package>
				<package>
					<name>gzip</name>
				</package>
				<package>
					<name>hostname</name>
				</package>
				<package>
					<name>libcap1</name>
				</package>
				<package>
					<name>libc6</name>
				</package>
				<package>
					<name>libdb2</name>
				</package>
				<package>
					<name>libdb3</name>
				</package>
				<package>
					<name>libgdbmg1</name>
				</package>
				<package>
					<name>libncurses5</name>
				</package>
				<package>
					<name>libnewt0</name>
				</package>
				<package>
					<name>libpam-modules</name>
				</package>
				<package>
					<name>libpam-runtime</name>
				</package>
				<package>
					<name>libpam0g</name>
				</package>
				<package>
					<name>libperl5.6</name>
				</package>
				<package>
					<name>libpopt0</name>
				</package>
				<package>
					<name>libreadline4</name>
				</package>
				<package>
					<name>libstdc++2.10-glibc2.2</name>
				</package>
				<package>
					<name>login</name>
				</package>
				<package>
					<name>makedev</name>
				</package>
				<package>
					<name>mawk</name>
				</package>
				<package>
					<name>modutils</name>
				</package>
				<package>
					<name>mount</name>
				</package>
				<package>
					<name>ncurses-base</name>
				</package>
				<package>
					<name>ncurses-bin</name>
				</package>
				<package>
					<name>passwd</name>
				</package>
				<package>
					<name>perl-base</name>
				</package>
				<package>
					<name>procps</name>
				</package>
				<package>
					<name>sed</name>
				</package>
				<package>
					<name>shellutils</name>
				</package>
				<package>
					<name>slang1</name>
				</package>
				<package>
					<name>sysvinit</name>
				</package>
				<package>
					<name>tar</name>
				</package>
				<package>
					<name>textutils</name>
				</package>
				<package>
					<name>util-linux</name>
				</package>
				<package>
					<name>whiptail</name>
				</package>
			</required>
			<base>
				<package>
					<name>adduser</name>
				</package>
				<package>
					<name>apt</name>
				</package>
				<package>
					<name>apt-utils</name>
				</package>
				<package>
					<name>at</name>
				</package>
				<package>
					<name>base-config</name>
				</package>
				<package>
					<name>bsdmainutils</name>
				</package>
				<package>
					<name>console-common</name>
				</package>
				<package>
					<name>console-tools</name>
				</package>
				<package>
					<name>console-tools-libs</name>
				</package>
				<package>
					<name>console-data</name>
				</package>
				<package>
					<name>cpio</name>
				</package>
				<package>
					<name>cron</name>
				</package>
				<package>
					<name>dhcp-client</name>
				</package>
				<package>
					<name>ed</name>
				</package>
				<package>
					<name>exim</name>
				</package>
				<package>
					<name>fdutils</name>
				</package>
				<package>
					<name>gettext-base</name>
				</package>
				<package>
					<name>groff-base</name>
				</package>
				<package>
					<name>ifupdown</name>
				</package>
				<package>
					<name>info</name>
				</package>
				<package>
					<name>klogd</name>
				</package>
				<package>
					<name>libident</name>
				</package>
				<package>
					<name>libldap2</name>
				</package>
				<package>
					<name>liblockfile1</name>
				</package>
				<package>
					<name>libpcre3</name>
				</package>
				<package>
					<name>libsasl7</name>
				</package>
				<package>
					<name>libwrap0</name>
				</package>
				<package>
					<name>logrotate</name>
				</package>
				<package>
					<name>mailx</name>
				</package>
				<package>
					<name>man-db</name>
				</package>
				<package>
					<name>manpages</name>
				</package>
				<package>
					<name>modconf</name>
				</package>
				<package>
					<name>nano</name>
				</package>
				<package>
					<name>net-tools</name>
				</package>
				<package>
					<name>netbase</name>
				</package>
				<package>
					<name>netkit-inetd</name>
				</package>
				<package>
					<name>netkit-ping</name>
				</package>
				<package>
					<name>nvi</name>
				</package>
				<package>
					<name>ppp</name>
				</package>
				<package>
					<name>pppconfig</name>
				</package>
				<package>
					<name>pppoe</name>
				</package>
				<package>
					<name>pppoeconf</name>
				</package>
				<package>
					<name>libpcap0</name>
				</package>
				<package>
					<name>sysklogd</name>
				</package>
				<package>
					<name>tasksel</name>
				</package>
				<package>
					<name>tcpd</name>
				</package>
				<package>
					<name>telnet</name>
				</package>
			</base>
			<architectures>
				<alpha>
					<required>
						<without>
							<package>
								<name>libc6</name>
							</package>
						</without>
						<with>
							<package>
								<name>libc6.1</name>
							</package>
						</with>
					</required>
					<base>
						<with>
							<package>
								<name>setserial</name>
							</package>
							<package>
								<name>aboot</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<name>bslinux</name>
							<version>2.4.18</version>
						</kernel>
						<ipfwtools>
							<package>
								<name>ipchains</name>
							</package>
							<package>
								<name>iptables</name>
							</package>
						</ipfwtools>
						<additonal/>
					</bs>
				</alpha>
				<arm>
					<base>
						<with>
							<package>
								<name>setserial</name>
							</package>
							<package>
								<name>libgpmg1</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<name>bslinux</name>
							<version>2.4.18</version>
						</kernel>
						<ipfwtools>
							<package>
								<name>ipchains</name>
							</package>
							<package>
								<name>iptables</name>
							</package>
						</ipfwtools>
						<additonal/>
					</bs>
				</arm>
				<i386>
					<required>
						<without>
							<package>
								<name>libperl5.6</name>
							</package>
						</without>
						<with>
							<package>
								<name>mbr</name>
							</package>
						</with>
					</required>
					<base>
						<with>
							<package>
								<name>lilo</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
							<package>
								<name>setserial</name>
							</package>
							<package>
								<name>syslinux</name>
							</package>
							<package>
								<name>psmisc</name>
							</package>
							<package>
								<name>pcmcia-cs</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<name>bslinux</name>
							<version>2.4.18</version>
						</kernel>
						<with>
							<package>
								<name>ipchains</name>
							</package>
							<package>
								<name>iptables</name>
							</package>
						</with>
					</bs>
				</i386>
				<ia64>
					<required>
						<without>
							<package>
								<name>libc6</name>
							</package>
						</without>
						<with>
							<package>
								<name>libc6.1</name>
							</package>
							<package>
								<name>gcc-2.96-base</name>
							</package>
						</with>
					</required>
					<base>
						<with>
							<package>
								<name>elilo</name>
							</package>
							<package>
								<name>efibootmgr</name>
							</package>
							<package>
								<name>dosfstools</name>
							</package>
							<package>
								<name>libparted1.4</name>
							</package>
							<package>
								<name>parted</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-ia64-2.4.18</name>
							</package>
						</kernel>
					</bs>
				</ia64>
				<m68k>
					<base>
						<with>
							<package>
								<name>atari-bootstrap</name>
							</package>
							<package>
								<name>atari-fdisk</name>
							</package>
							<package>
								<name>amiga-fdisk</name>
							</package>
							<package>
								<name>eject</name>
							</package>
							<package>
								<name>mac-fdisk</name>
							</package>
							<package>
								<name>pmac-fdisk-cross</name>
							</package>
							<package>
								<name>setserial</name>
							</package>
							<package>
								<name>vmelilo</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
						<ipfwtool>
							<package>
								<name>ipchains</name>
							</package>
						</ipfwtool>
					</bs>
				</m68k>
				<powerpc>
					<base>
						<with>
							<package>
								<name>quik</name>
							</package>
							<package>
								<name>mac-fdisk</name>
							</package>
							<package>
								<name>amiga-fdisk</name>
							</package>
							<package>
								<name>psmisc</name>
							</package>
							<package>
								<name>powerpc-utils</name>
							</package>
							<package>
								<name>setserial</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
							<package>
								<name>hfsutils</name>
							</package>
							<package>
								<name>yaboot</name>
							</package>
							<package>
								<name>pcmcia-cs</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
						<ipfwtool>
							<package>
								<name>ipchains</name>
							</package>
							<package>
								<name>iptables</name>
							</package>
						</ipfwtool>
					</bs>
				</powerpc>
				<sparc>
					<base>
						<with>
							<package>
								<name>silo</name>
							</package>
							<package>
								<name>eject</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
							<package>
								<name>sparc-utils</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
						<ipfwtool>
							<package>
								<name>ipchains</name>
							</package>
							<package>
								<name>iptables</name>
							</package>
						</ipfwtool>
					</bs>
				</sparc>
				<mips>
					<base>
						<with>
							<package>
								<name>dvhtool</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
							<package>
								<name>setserial</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
					</bs>
				</mips>
				<mipsel>
					<base>
						<with>
							<package>
								<name>delo</name>
							</package>
							<package>
								<name>pciutils</name>
							</package>
							<package>
								<name>setserial</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
					</bs>
				</mipsel>
				<hppa>
					<required>
						<without>
							<package>
								<name>libstdc++2.10-glibc2.2</name>
							</package>
						</without>
					</required>
					<base>
						<with>
							<package>
								<name>palo</name>
							</package>
							<package>
								<name>libstdc++3</name>
							</package>
							<package>
								<name>gcc-3.0-base</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
					</bs>
				</hppa>
				<s390_s390x>
					<base>
						<without>
							<package>
								<name>console-tools</name>
							</package>
							<package>
								<name>console-tools-libs</name>
							</package>
							<package>
								<name>fdutils</name>
							</package>
							<package>
								<name>ppp</name>
							</package>
							<package>
								<name>pppconfig</name>
							</package>
							<package>
								<name>pppoe</name>
							</package>
							<package>
								<name>pppoeconf</name>
							</package>
						</without>
						<with>
							<package>
								<name>s390-tools</name>
							</package>
							<package>
								<name>telnetd</name>
							</package>
						</with>
					</base>
					<bs>
						<kernel>
							<package>
								<name>bslinux-2.4.18</name>
							</package>
						</kernel>
					</bs>
				</s390_s390x>
			</architectures>
		</packages>
	</global>
</AUTOMATICALLY_GENERATED_XML>
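The per-architecture `<with>` and `<without>` blocks of downloadConfig.xml only take effect once they are applied to the common `<required>` and `<base>` lists. The following added example (not part of CoolBlue or of the original document) resolves the effective package set for one architecture, which is the list to review when auditing what an installation pulls in. The merge semantics, the `name-version` kernel naming and the function names are assumptions, and the XML is a constructed, trimmed sample in the layout shown above.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample in the downloadConfig.xml layout (not the real file).
SAMPLE = """<AUTOMATICALLY_GENERATED_XML>
  <global>
    <architecture>i386</architecture>
    <packages>
      <required>
        <package><name>libc6</name></package>
        <package><name>libperl5.6</name></package>
        <package><name>perl-base</name></package>
      </required>
      <base>
        <package><name>apt</name></package>
        <package><name>ppp</name></package>
        <package><name>telnet</name></package>
      </base>
      <architectures>
        <i386>
          <required>
            <without><package><name>libperl5.6</name></package></without>
            <with><package><name>mbr</name></package></with>
          </required>
          <base><with><package><name>lilo</name></package></with></base>
          <bs>
            <kernel><name>bslinux</name><version>2.4.18</version></kernel>
            <with><package><name>iptables</name></package></with>
          </bs>
        </i386>
        <s390_s390x>
          <base>
            <without><package><name>ppp</name></package></without>
            <with><package><name>telnetd</name></package></with>
          </base>
          <bs><kernel><package><name>bslinux-2.4.18</name></package></kernel></bs>
        </s390_s390x>
      </architectures>
    </packages>
  </global>
</AUTOMATICALLY_GENERATED_XML>"""


def _names(node):
    """Package names directly under node, in document order."""
    if node is None:
        return []
    return [n.text.strip() for n in node.findall("package/name") if n.text]


def _arch_node(packages, arch):
    """Find the override element; a tag such as s390_s390x serves both names."""
    archs = packages.find("architectures")
    for child in (archs if archs is not None else []):
        if arch in child.tag.split("_"):
            return child
    # A mistyped architecture must not silently fall back to the generic lists.
    raise ValueError(f"no <architectures> entry for {arch!r}")


def _kernel(bs):
    """The page uses two shapes: <kernel><package>... or <kernel><name>/<version>."""
    kernel = bs.find("kernel") if bs is not None else None
    if kernel is None:
        return []
    packaged = _names(kernel)
    if packaged:
        return packaged
    name, version = kernel.findtext("name"), kernel.findtext("version")
    # Assumption: name and version join into a package name as "name-version".
    return [f"{name.strip()}-{version.strip()}"] if name and version else []


def resolve_packages(xml_text, arch=None):
    """Return {'required': [...], 'base': [...], 'bs': [...]} for one architecture.

    ElementTree is not hardened against entity expansion, so only feed it
    files the installer generated itself.
    """
    root = ET.fromstring(xml_text)
    packages = root.find("global/packages")
    if packages is None:
        raise ValueError("missing <global>/<packages>")
    arch = arch or (root.findtext("global/architecture") or "").strip()
    node = _arch_node(packages, arch)
    resolved = {}
    for group in ("required", "base"):
        selected = _names(packages.find(group))
        override = node.find(group)
        if override is not None:
            dropped = set(_names(override.find("without")))
            selected = [p for p in selected if p not in dropped]
            selected += [p for p in _names(override.find("with")) if p not in selected]
        resolved[group] = selected
    bs = node.find("bs")
    extras = _kernel(bs)
    if bs is not None:
        # The page spells the firewall-tool container three different ways.
        for tag in ("with", "ipfwtools", "ipfwtool"):
            extras += [p for p in _names(bs.find(tag)) if p not in extras]
    resolved["bs"] = extras
    return resolved
```

Run against the full file, the s390 result makes visible that this architecture adds `telnetd` to the base set while dropping the PPP packages.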

5.2.4. installConfig.xml

Another example of how XML can be used; this time the file is named installConfig.xml.

<?xml version = '1.0' encoding = 'UTF-8' ?>
<AUTOMATICALLY_GENERATED_XML>
	<version>0.1</version>
	<global>
		<distro>
			<name>BSLinux</name>
			<version>1.0</version>
			<codenamed>kenny</codenamed>
			<date>??-??-2002</date>
		</distro>
		<paths>
			<source>
				<base>/target/</base>
				<lists>var/lib/apt/lists/</lists>
				<packages>var/cache/apt/archives/</packages>
			</source>
			<target>
				<base>/target/</base>
				<dpkg>var/lib/dpkg/</dpkg>
			</target>
		</paths>
		<architecture>i386</architecture>
		<suite>kenny/</suite>
	</global>
	<process>
		<setup>
			<etc/>
			<proc/>
			<devices>/usr/lib/debootstrap/devices.tar.gz</devices>
		</setup>
	</process>
</AUTOMATICALLY_GENERATED_XML>

5.2.5. installation.xml

Installation configuration file. Its name is installation.xml.

<?xml version = '1.0' encoding = 'UTF-8' ?>
<AUTOMATICALLY_GENERATED_XML>
	<version>0.1</version>
	<installation-type>install</installation-type>
	<language>English</language>
	<country>USA</country>
	<keyboard-layout>us</keyboard-layout>
	<GMT>Madrid</GMT>
	<licenses>
		<free>true</free>
		<non-free>true</non-free>
		<crypto>false</crypto>
		<bsl>true</bsl>
	</licenses>
	<modules>
		<section name="IDE">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/ide/</path>
			<module>ataraid.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/</path>
			<module>*.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/aacraid/</path>
			<module>*.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/pcmcia/</path>
			<module>*.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/qla2x00-emc/</path>
			<module>*.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/sym53c8xx_2/</path>
			<module>*.o</module>
		</section>
		<section name="scsi">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/scsi/aic7xxx/</path>
			<module>*.o</module>
		</section>
		<section name="IDE">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/usb/</path>
			<module>usb-ohci.o</module>
		</section>
		<section name="IDE">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/usb/</path>
			<module>usb-uhci.o</module>
		</section>
		<section name="IDE">
			<path>/lib/modules/2.4.18-64GB-SMP/kernel/drivers/usb/</path>
			<module>*.o</module>
		</section>
	</modules>
</AUTOMATICALLY_GENERATED_XML>

6. Differences between the Debootstrap installation and the traditional one

The following is the output of running this command:

# diff -urN woody-debootstrap woody-discos

Note

woody-debootstrap is a directory containing a Woody installation obtained with the debootstrap application.

Note

woody-discos is a directory containing a Woody installation obtained by the traditional method, that is, installed from floppy disks.

diff -urN woody-debootstrap/boot/config-2.4.18-bf2.4 woody-discos/boot/config-2.4.18-bf2.4
--- woody-debootstrap/boot/config-2.4.18-bf2.4	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/boot/config-2.4.18-bf2.4	2003-04-07 05:54:30.000000000 +0200
@@ -0,0 +1,799 @@

diff -urN woody-debootstrap/boot/System.map-2.4.18-bf2.4 woody-discos/boot/System.map-2.4.18-bf2.4
--- woody-debootstrap/boot/System.map-2.4.18-bf2.4	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/boot/System.map-2.4.18-bf2.4	2003-04-07 05:54:30.000000000 +0200
@@ -0,0 +1,19371 @@

diff -urN woody-debootstrap/etc/adjtime woody-discos/etc/adjtime
--- woody-debootstrap/etc/adjtime	2003-04-13 04:39:00.000000000 +0200
+++ woody-discos/etc/adjtime	2003-04-07 04:39:20.000000000 +0200
@@ -1,3 +1,3 @@
-0.000000 1012000000 0.000000
-1012000000
-UTC
+0.000000 1049683160 0.000000
+1049683160
+LOCAL

diff -urN woody-debootstrap/etc/aliases woody-discos/etc/aliases
--- woody-debootstrap/etc/aliases	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/aliases	2003-04-07 04:39:11.000000000 +0200
@@ -0,0 +1,40 @@
+# This is the aliases file - it says who gets mail for whom.
+# It was originally generated by `eximconfig', part of the exim package
+# distributed with Debian, but it may edited by the mail system administrator.
+# This file originally generated by eximconfig at Mon Apr  7 04:39:10 CEST 2003
+# See exim info section for details of the things that can be configured here.
+
+postmaster: root
+root: metadistros
+
+daemon: root
+bin: root
+sys: root
+sync: root
+games: root
+man: root
+lp: root
+mail: root
+news: root
+uucp: root
+proxy: root
+postgres: root
+www-data: root
+backup: root
+operator: root
+list: root
+irc: root
+gnats: root
+nobody: root
+
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+mailer-daemon: postmaster
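Review bot: The `root: metadistros` line routes all system mail to the account created during the traditional install, and the debootstrap tree has no /etc/aliases at all, so the metadistros installer has to generate this file and should take the recipient from its own configuration instead of a fixed name. `news: root` also appears twice in the added file (once in the system-account block and once in the role block); one of the two can go.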
diff -urN woody-debootstrap/etc/default/rcS woody-discos/etc/default/rcS
--- woody-debootstrap/etc/default/rcS	2003-04-13 04:39:51.000000000 +0200
+++ woody-discos/etc/default/rcS	2003-04-07 06:37:33.000000000 +0200
@@ -10,7 +10,7 @@
 # before system startup is complete (as soon as inetd is started)
 DELAYLOGIN=yes
 # Set UTC=yes if your system clock is set to UTC (GMT), and UTC=no if not.
-UTC=yes
+UTC=no
 # Set VERBOSE to "no" if you would like a more quiet bootup.
 VERBOSE=yes
 # Set EDITMOTD to "no" if you don't want /etc/motd to be editted automatically
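Review bot: `UTC=yes` versus `UTC=no` here, together with `UTC` versus `LOCAL` in the /etc/adjtime hunk, means the hardware-clock convention depends on which install method was used. The installer should make this an explicit choice and write both files in the same step so that rcS and adjtime can never disagree, since a mismatch shifts every timestamp written to the logs.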
diff -urN woody-debootstrap/etc/exim/exim.conf woody-discos/etc/exim/exim.conf
--- woody-debootstrap/etc/exim/exim.conf	2003-04-13 04:40:05.000000000 +0200
+++ woody-discos/etc/exim/exim.conf	2003-04-07 04:39:11.000000000 +0200
@@ -0,0 +1,453 @@

             ***** not configured with debootstrap ****

diff -urN woody-debootstrap/etc/fstab woody-discos/etc/fstab
--- woody-debootstrap/etc/fstab	2003-04-13 04:38:56.000000000 +0200
+++ woody-discos/etc/fstab	2003-04-07 06:21:42.000000000 +0200
@@ -1 +1,8 @@
-# UNCONFIGURED FSTAB FOR BASE SYSTEM
+# /etc/fstab: Información estática del sistema de ficheros.
+#
+# <Sis. ficheros>	<Punto montaje>	<Tipo>	<Opciones>		<volcado>	<pasada>
+/dev/hda18	/		ext2	errors=remount-ro	0	1
+/dev/sda2	none		swap	sw			0	0
+proc		/proc		proc	defaults		0	0
+/dev/fd0	/floppy		auto	user,noauto		0	0
+/dev/cdrom	/cdrom		iso9660	ro,user,noauto		0	0
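Review bot: The debootstrap side contains only the `# UNCONFIGURED FSTAB FOR BASE SYSTEM` placeholder, so a system built that way has no usable fstab until the installer writes one. The device names on the added side (`/dev/hda18`, `/dev/sda2`) belong to this particular machine and should come from the partitioning step, not from a template; the mount options for `/floppy` and `/cdrom` are the part worth carrying over.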
diff -urN woody-debootstrap/etc/group woody-discos/etc/group
--- woody-debootstrap/etc/group	2003-04-13 04:39:00.000000000 +0200
+++ woody-discos/etc/group	2003-04-07 04:38:29.000000000 +0200
@@ -1,37 +1,38 @@
-root:*:0:
-daemon:*:1:
-bin:*:2:
-sys:*:3:
-adm:*:4:
-tty:*:5:
-disk:*:6:
-lp:*:7:lp
-mail:*:8:
-news:*:9:
-uucp:*:10:
-proxy:*:13:
-kmem:*:15:
-dialout:*:20:
-fax:*:21:
-voice:*:22:
-cdrom:*:24:
-floppy:*:25:
-tape:*:26:
-sudo:*:27:
-audio:*:29:
-dip:*:30:
-postgres:*:32:
-www-data:*:33:
-backup:*:34:
-operator:*:37:
-list:*:38:
-irc:*:39:
-src:*:40:
-gnats:*:41:
-shadow:*:42:
-utmp:*:43:
-video:*:44:
-staff:*:50:
-games:*:60:
-users:*:100:
-nogroup:*:65534:
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:lp
+mail:x:8:
+news:x:9:
+uucp:x:10:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+postgres:x:32:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
+metadistros:x:1000:
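Review bot: The password field changes from `*` to `x` on every line, and /etc/gshadow exists only on the woody-discos side, so shadow group passwords were enabled by the traditional installer and not by debootstrap. The metadistros install needs its own step that enables shadow passwords on the debootstrap tree. The extra `metadistros:x:1000:` line is the group of the user created during installation and should not be treated as part of the base group file.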
diff -urN woody-debootstrap/etc/group- woody-discos/etc/group-
--- woody-debootstrap/etc/group-	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/group-	2003-04-07 04:37:49.000000000 +0200
@@ -0,0 +1,37 @@
+root:x:0:
+daemon:x:1:
+bin:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:lp
+mail:x:8:
+news:x:9:
+uucp:x:10:
+proxy:x:13:
+kmem:x:15:
+dialout:x:20:
+fax:x:21:
+voice:x:22:
+cdrom:x:24:
+floppy:x:25:
+tape:x:26:
+sudo:x:27:
+audio:x:29:
+dip:x:30:
+postgres:x:32:
+www-data:x:33:
+backup:x:34:
+operator:x:37:
+list:x:38:
+irc:x:39:
+src:x:40:
+gnats:x:41:
+shadow:x:42:
+utmp:x:43:
+video:x:44:
+staff:x:50:
+games:x:60:
+users:x:100:
+nogroup:x:65534:
diff -urN woody-debootstrap/etc/gshadow woody-discos/etc/gshadow
--- woody-debootstrap/etc/gshadow	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/gshadow	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,38 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::lp
+mail:*::
+news:*::
+uucp:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+postgres:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
+metadistros:!::
diff -urN woody-debootstrap/etc/gshadow- woody-discos/etc/gshadow-
--- woody-debootstrap/etc/gshadow-	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/gshadow-	2003-04-07 04:37:49.000000000 +0200
@@ -0,0 +1,37 @@
+root:*::
+daemon:*::
+bin:*::
+sys:*::
+adm:*::
+tty:*::
+disk:*::
+lp:*::lp
+mail:*::
+news:*::
+uucp:*::
+proxy:*::
+kmem:*::
+dialout:*::
+fax:*::
+voice:*::
+cdrom:*::
+floppy:*::
+tape:*::
+sudo:*::
+audio:*::
+dip:*::
+postgres:*::
+www-data:*::
+backup:*::
+operator:*::
+list:*::
+irc:*::
+src:*::
+gnats:*::
+shadow:*::
+utmp:*::
+video:*::
+staff:*::
+games:*::
+users:*::
+nogroup:*::
diff -urN woody-debootstrap/etc/hostname woody-discos/etc/hostname
--- woody-debootstrap/etc/hostname	2002-06-30 23:52:13.000000000 +0200
+++ woody-discos/etc/hostname	2003-04-07 06:02:29.000000000 +0200
@@ -1 +1 @@
-todoscsi
+debian
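Review bot: The removed `todoscsi` line comes from a file dated 2002-06-30 in the header, older than the rest of the debootstrap tree (2003-04-13), so that hostname appears to have been inherited rather than set for this system. The installer should always rewrite /etc/hostname, and generate /etc/hosts and /etc/mailname (both absent on the debootstrap side) from the same value so the three files stay consistent.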
diff -urN woody-debootstrap/etc/hosts woody-discos/etc/hosts
--- woody-debootstrap/etc/hosts	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/hosts	2003-04-07 06:21:39.000000000 +0200
@@ -0,0 +1,11 @@
+127.0.0.1	debian	localhost
+
+# The following lines are desirable for IPv6 capable hosts
+# (added automatically by netbase upgrade)
+
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
Los ficheros binarios woody-debootstrap/etc/ioctl.save y woody-discos/etc/ioctl.save son distintos
Los ficheros binarios woody-debootstrap/etc/localtime y woody-discos/etc/localtime son distintos
diff -urN woody-debootstrap/etc/mailname woody-discos/etc/mailname
--- woody-debootstrap/etc/mailname	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/mailname	2003-04-07 04:39:11.000000000 +0200
@@ -0,0 +1 @@
+debian
diff -urN woody-debootstrap/etc/modules woody-discos/etc/modules
--- woody-debootstrap/etc/modules	2003-04-13 04:40:02.000000000 +0200
+++ woody-discos/etc/modules	2003-04-07 06:01:55.000000000 +0200
@@ -4,3 +4,8 @@
 # to be loaded at boot time, one per line.  Comments begin with
 # a "#", and everything on the line after them are ignored.

+input
+usbkbd
+keybdev
+isa-pnp
+ne
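Review bot: The added module list (`usbkbd`, `isa-pnp`, `ne`, and `options ne io=0x300` in the modutils hunks) describes the hardware of the test machine. These entries should be produced by hardware detection at install time and kept out of any default /etc/modules shipped with the distribution.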
diff -urN woody-debootstrap/etc/modules.conf woody-discos/etc/modules.conf
--- woody-debootstrap/etc/modules.conf	2003-04-13 04:41:05.000000000 +0200
+++ woody-discos/etc/modules.conf	2003-04-07 06:21:40.000000000 +0200
@@ -72,6 +72,11 @@
 
 ### update-modules: end processing /etc/modutils/aliases
 
+### update-modules: start processing /etc/modutils/ne
+options ne io=0x300
+
+### update-modules: end processing /etc/modutils/ne
+
 ### update-modules: start processing /etc/modutils/paths
 # This file contains a list of paths that modprobe should scan,
 # beside the once that are compiled into the modutils tools
diff -urN woody-debootstrap/etc/modules.conf.old woody-discos/etc/modules.conf.old
--- woody-debootstrap/etc/modules.conf.old	2003-04-13 04:41:05.000000000 +0200
+++ woody-discos/etc/modules.conf.old	2003-04-07 06:21:40.000000000 +0200
@@ -72,6 +72,11 @@
 
 ### update-modules: end processing /etc/modutils/aliases
 
+### update-modules: start processing /etc/modutils/ne
+options ne io=0x300
+
+### update-modules: end processing /etc/modutils/ne
+
 ### update-modules: start processing /etc/modutils/paths
 # This file contains a list of paths that modprobe should scan,
 # beside the once that are compiled into the modutils tools
diff -urN woody-debootstrap/etc/modutils/ne woody-discos/etc/modutils/ne
--- woody-debootstrap/etc/modutils/ne	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/modutils/ne	2003-04-07 06:01:54.000000000 +0200
@@ -0,0 +1 @@
+options ne io=0x300
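
Review bot: "options ne io=0x300" hard-codes an ISA I/O port, and this file is what update-modules copied into the modules.conf and modules.conf.old stanzas shown above. It should only be written when the installer has detected or been told about that card; shipping it by default makes every target probe port 0x300 at boot.
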
diff -urN woody-debootstrap/etc/motd woody-discos/etc/motd
--- woody-debootstrap/etc/motd	2002-02-08 16:42:00.000000000 +0100
+++ woody-discos/etc/motd	2003-04-07 06:37:11.000000000 +0200
@@ -1,4 +1,4 @@
-
+Linux debian 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 unknown
 
 Most of the programs included with the Debian GNU/Linux system are
 freely redistributable; the exact distribution terms for each program
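
Review bot: The new first line of /etc/motd is a static copy of a kernel identification string ("Linux debian 2.4.18-bf2.4 ... i686 unknown"), so it reflects the kernel that was running when the tree was captured rather than a configuration choice. It goes stale after a kernel change and tells every user who logs in the exact kernel build; for the comparison it should be ignored, and a shipped image should start with the empty first line of the debootstrap side.
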
diff -urN woody-debootstrap/etc/mtab woody-discos/etc/mtab
--- woody-debootstrap/etc/mtab	2003-04-13 04:41:07.000000000 +0200
+++ woody-discos/etc/mtab	2003-04-07 04:39:26.000000000 +0200
@@ -1 +1,2 @@
+/dev/hda18 / ext2 rw,errors=remount-ro 0 0
 proc /proc proc rw 0 0
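
Review bot: /etc/mtab is runtime state, and the added "/dev/hda18 / ext2 rw,errors=remount-ro" entry records the root partition of the machine the traditional install was captured from. Exclude the file from the comparison and never copy it into an image, since a stale mtab misreports what is mounted on the target.
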
diff -urN woody-debootstrap/etc/network/interfaces woody-discos/etc/network/interfaces
--- woody-debootstrap/etc/network/interfaces	2003-04-13 04:40:59.000000000 +0200
+++ woody-discos/etc/network/interfaces	2003-04-07 06:02:29.000000000 +0200
@@ -1,2 +1,9 @@
-# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
-# /usr/share/doc/ifupdown/examples for more information.
+# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
+
+# The loopback interface
+auto lo
+iface lo inet loopback
+
+# The first network card - this entry was created during the Debian installation
+auto eth1
+iface eth1 inet dhcp
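
Review bot: The comment says "The first network card" but the stanza configures eth1, not eth0, so on a machine with a single card "auto eth1" / "iface eth1 inet dhcp" brings nothing up. If this is to become a default, the interface name should come from detection at install time, and bringing an interface up by DHCP automatically at boot should be an explicit decision rather than something inherited from this one install.
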
diff -urN woody-debootstrap/etc/network/interfaces.dpkg-old woody-discos/etc/network/interfaces.dpkg-old
--- woody-debootstrap/etc/network/interfaces.dpkg-old	2003-04-13 04:40:18.000000000 +0200
+++ woody-discos/etc/network/interfaces.dpkg-old	1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
-# /usr/share/doc/ifupdown/examples for more information.
diff -urN woody-debootstrap/etc/pam.d/login woody-discos/etc/pam.d/login
--- woody-debootstrap/etc/pam.d/login	2002-04-07 17:59:14.000000000 +0200
+++ woody-discos/etc/pam.d/login	2003-04-07 04:37:37.000000000 +0200
@@ -87,7 +87,7 @@
 # login.defs. Also the "min" and "max" options enforce the length of the
 # new password.
 
-password   required   pam_unix.so nullok obscure min=4 max=8
+password   required   pam_unix.so nullok obscure min=4 max=8 md5
 
 # Alternate strength checking for password. Note that this
 # requires the libpam-cracklib package to be installed.
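
Review bot: Adding "md5" leaves "max=8" on the same line, and the comment directly above says min and max enforce the length of the new password, so new passwords stay capped at 8 characters even though lifting that limit is one of the reasons to enable md5. Suggest dropping "max=8" and raising "min=4" in the same change.
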
diff -urN woody-debootstrap/etc/pam.d/other woody-discos/etc/pam.d/other
--- woody-debootstrap/etc/pam.d/other	2001-05-16 21:20:25.000000000 +0200
+++ woody-discos/etc/pam.d/other	2003-04-07 04:37:37.000000000 +0200
@@ -9,5 +9,5 @@
 
 auth     required       pam_unix.so
 account  required       pam_unix.so
-password required       pam_unix.so
+password required       pam_unix.so md5
 session  required       pam_unix.so
diff -urN woody-debootstrap/etc/pam.d/passwd woody-discos/etc/pam.d/passwd
--- woody-debootstrap/etc/pam.d/passwd	2002-04-07 17:59:12.000000000 +0200
+++ woody-discos/etc/pam.d/passwd	2003-04-07 04:37:37.000000000 +0200
@@ -16,7 +16,7 @@
 # login.defs. Also the "min" and "max" options enforce the length of the
 # new password.
 
-password   required   pam_unix.so nullok obscure min=4 max=8
+password   required   pam_unix.so nullok obscure min=4 max=8 md5
 
 # Alternate strength checking for password. Note that this
 # requires the libpam-cracklib package to be installed.
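
Review bot: "nullok" is kept on the changed line, which tells pam_unix to accept accounts whose password field is blank. Given that the debootstrap side of the /etc/passwd diff has root with an empty password field, this deserves an explicit decision: suggest removing "nullok" here and in /etc/pam.d/login once the installer guarantees every account has a password or is locked.
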
diff -urN woody-debootstrap/etc/passwd woody-discos/etc/passwd
--- woody-debootstrap/etc/passwd	2003-04-13 04:39:00.000000000 +0200
+++ woody-discos/etc/passwd	2003-04-07 04:38:29.000000000 +0200
@@ -1,20 +1,21 @@
-root::0:0:root:/root:/bin/bash
-daemon:*:1:1:daemon:/usr/sbin:/bin/sh
-bin:*:2:2:bin:/bin:/bin/sh
-sys:*:3:3:sys:/dev:/bin/sh
-sync:*:4:100:sync:/bin:/bin/sync
-games:*:5:100:games:/usr/games:/bin/sh
-man:*:6:100:man:/var/cache/man:/bin/sh
-lp:*:7:7:lp:/var/spool/lpd:/bin/sh
-mail:*:8:8:mail:/var/mail:/bin/sh
-news:*:9:9:news:/var/spool/news:/bin/sh
-uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
-proxy:*:13:13:proxy:/bin:/bin/sh
-postgres:*:31:32:postgres:/var/lib/postgres:/bin/sh
-www-data:*:33:33:www-data:/var/www:/bin/sh
-backup:*:34:34:backup:/var/backups:/bin/sh
-operator:*:37:37:Operator:/var:/bin/sh
-list:*:38:38:SmartList:/var/list:/bin/sh
-irc:*:39:39:ircd:/var:/bin/sh
-gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
-nobody:*:65534:65534:nobody:/home:/bin/sh
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+games:x:5:100:games:/usr/games:/bin/sh
+man:x:6:100:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+operator:x:37:37:Operator:/var:/bin/sh
+list:x:38:38:SmartList:/var/list:/bin/sh
+irc:x:39:39:ircd:/var:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/home:/bin/sh
+metadistros:x:1000:1000:Usuario genérico para Metadistros,,,:/home/metadistros:/bin/bash
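
Review bot: An image built from the debootstrap side needs an explicit step that enables shadow passwords and sets or locks the root password, because the removed line "root::0:0:root:/root:/bin/bash" has an empty password field and that tree has no /etc/shadow. The added generic "metadistros" account (UID 1000, /bin/bash) raises the same question: if it ships in every image it must not ship with a password shared by all installations.
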
diff -urN woody-debootstrap/etc/passwd- woody-discos/etc/passwd-
--- woody-debootstrap/etc/passwd-	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/passwd-	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,21 @@
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+bin:x:2:2:bin:/bin:/bin/sh
+sys:x:3:3:sys:/dev:/bin/sh
+sync:x:4:100:sync:/bin:/bin/sync
+games:x:5:100:games:/usr/games:/bin/sh
+man:x:6:100:man:/var/cache/man:/bin/sh
+lp:x:7:7:lp:/var/spool/lpd:/bin/sh
+mail:x:8:8:mail:/var/mail:/bin/sh
+news:x:9:9:news:/var/spool/news:/bin/sh
+uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
+proxy:x:13:13:proxy:/bin:/bin/sh
+postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh
+www-data:x:33:33:www-data:/var/www:/bin/sh
+backup:x:34:34:backup:/var/backups:/bin/sh
+operator:x:37:37:Operator:/var:/bin/sh
+list:x:38:38:SmartList:/var/list:/bin/sh
+irc:x:39:39:ircd:/var:/bin/sh
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
+nobody:x:65534:65534:nobody:/home:/bin/sh
+metadistros:x:1000:1000::/home/metadistros:/bin/bash
diff -urN woody-debootstrap/etc/ppp/options.ttyXX woody-discos/etc/ppp/options.ttyXX
--- woody-debootstrap/etc/ppp/options.ttyXX	2003-04-13 04:41:04.000000000 +0200
+++ woody-discos/etc/ppp/options.ttyXX	2003-04-07 06:21:39.000000000 +0200
@@ -8,7 +8,7 @@
 # the IP address or name of your host, while the second is the IP address
 # or name of the remote machine.
 
-todoscsi:remotepeername
+(none):remotepeername
 # 192.168.0.1:192.168.0.2
 
 # You may also put additional settings in each file, just like in the
diff -urN woody-debootstrap/etc/ppp/pap-secrets woody-discos/etc/ppp/pap-secrets
--- woody-debootstrap/etc/ppp/pap-secrets	2003-04-13 04:41:04.000000000 +0200
+++ woody-discos/etc/ppp/pap-secrets	2003-04-07 06:21:39.000000000 +0200
@@ -19,15 +19,15 @@
 # INBOUND connections
 
 # Every regular user can use PPP and has to use passwords from /etc/passwd
-*	todoscsi	""	*
+*	(none)	""	*
 
 # UserIDs that cannot use PPP at all. Check your /etc/passwd and add any
 # other accounts that should not be able to use pppd!
-guest	todoscsi	"*"	-
-master	todoscsi	"*"	-
-root	todoscsi	"*"	-
-support	todoscsi	"*"	-
-stats	todoscsi	"*"	-
+guest	(none)	"*"	-
+master	(none)	"*"	-
+root	(none)	"*"	-
+support	(none)	"*"	-
+stats	(none)	"*"	-
 
 # OUTBOUND connections
 
@@ -38,4 +38,4 @@
 # If you have different providers with different passwords then you better
 # remove the following line.
 
-todoscsi	*	password
+(none)	*	password
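
Review bot: "(none)" in place of the hostname, here and in the inbound entries of the previous hunk, indicates the file was generated before the hostname was set (the /etc/hostname hunk shows "debian"). As a result the lines that deny PPP to guest, master, root, support and stats are keyed to a server name the machine does not use. Regenerate pap-secrets and options.ttyXX after the hostname is configured, or have the build substitute the real name.
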
diff -urN woody-debootstrap/etc/resolv.conf woody-discos/etc/resolv.conf
--- woody-debootstrap/etc/resolv.conf	2003-04-13 00:39:20.000000000 +0200
+++ woody-discos/etc/resolv.conf	2003-04-07 06:37:10.000000000 +0200
@@ -2,3 +2,4 @@
 nameserver 192.168.3.2
 nameserver 212.22.34.7
 nameserver 212.22.34.2
+nameserver 212.22.34.68
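
Review bot: The added fourth "nameserver" line has no effect, because the glibc resolver uses at most three nameserver entries and ignores the rest. More importantly, all four addresses (including the private 192.168.3.2) belong to the network the install was done on and should not be in a distributable image, where targets would send DNS queries to servers they may not reach or should not trust. Ship an empty resolv.conf and let DHCP or the installer fill it.
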
diff -urN woody-debootstrap/etc/serial.conf woody-discos/etc/serial.conf
--- woody-debootstrap/etc/serial.conf	2001-11-07 14:47:36.000000000 +0100
+++ woody-discos/etc/serial.conf	2003-04-07 04:39:21.000000000 +0200
@@ -1,3 +1,4 @@
+###PORT STATE GENERATED USING AUTOSAVE-ONCE###

                  [...]

@@ -86,3 +78,5 @@
 #
 #/dev/ttyS16 set_multiport port1 0x107 mask1 0xff match1 0
 #/dev/ttyS16 set_multiport port2 0x147 mask2 0xff match2 0
+/dev/ttyS0 uart 16550A port 0x03f8 irq 4 baud_base 115200 spd_normal skip_test
+/dev/ttyS1 uart 16550A port 0x02f8 irq 3 baud_base 115200 spd_normal skip_test
diff -urN woody-debootstrap/etc/.serial.conf.old woody-discos/etc/.serial.conf.old
--- woody-debootstrap/etc/.serial.conf.old	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/.serial.conf.old	2001-11-07 14:47:36.000000000 +0100
@@ -0,0 +1,88 @@

            *** in the debootstrap installation, the file is empty ***

diff -urN woody-debootstrap/etc/shadow woody-discos/etc/shadow
--- woody-debootstrap/etc/shadow	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/shadow	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,21 @@
+root:$1$TDro75Ks$4R.rAZ4eHtmw6/I1pFjpD.:12149:0:99999:7:::
+daemon:*:12149:0:99999:7:::
+bin:*:12149:0:99999:7:::
+sys:*:12149:0:99999:7:::
+sync:*:12149:0:99999:7:::
+games:*:12149:0:99999:7:::
+man:*:12149:0:99999:7:::
+lp:*:12149:0:99999:7:::
+mail:*:12149:0:99999:7:::
+news:*:12149:0:99999:7:::
+uucp:*:12149:0:99999:7:::
+proxy:*:12149:0:99999:7:::
+postgres:*:12149:0:99999:7:::
+www-data:*:12149:0:99999:7:::
+backup:*:12149:0:99999:7:::
+operator:*:12149:0:99999:7:::
+list:*:12149:0:99999:7:::
+irc:*:12149:0:99999:7:::
+gnats:*:12149:0:99999:7:::
+nobody:*:12149:0:99999:7:::
+metadistros:$1$1QyTrYp5$U9UBDKJ69/RLvq6EBkRTC.:12149:0:99999:7:::
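
Review bot: The "root" and "metadistros" lines carry real "$1$" (md5-crypt) password hashes from the install, and they are now part of a published document. Treat both passwords as exposed: change them on any system that used them, and replace the hash fields in this listing with a placeholder. A shipped image should have these accounts locked or forced to set a password at first boot rather than carrying a shared hash.
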
diff -urN woody-debootstrap/etc/shadow- woody-discos/etc/shadow-
--- woody-debootstrap/etc/shadow-	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/shadow-	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,21 @@
+root:$1$TDro75Ks$4R.rAZ4eHtmw6/I1pFjpD.:12149:0:99999:7:::
+daemon:*:12149:0:99999:7:::
+bin:*:12149:0:99999:7:::
+sys:*:12149:0:99999:7:::
+sync:*:12149:0:99999:7:::
+games:*:12149:0:99999:7:::
+man:*:12149:0:99999:7:::
+lp:*:12149:0:99999:7:::
+mail:*:12149:0:99999:7:::
+news:*:12149:0:99999:7:::
+uucp:*:12149:0:99999:7:::
+proxy:*:12149:0:99999:7:::
+postgres:*:12149:0:99999:7:::
+www-data:*:12149:0:99999:7:::
+backup:*:12149:0:99999:7:::
+operator:*:12149:0:99999:7:::
+list:*:12149:0:99999:7:::
+irc:*:12149:0:99999:7:::
+gnats:*:12149:0:99999:7:::
+nobody:*:12149:0:99999:7:::
+metadistros:*:12149:0:99999:7:::
diff -urN woody-debootstrap/etc/timezone woody-discos/etc/timezone
--- woody-debootstrap/etc/timezone	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/etc/timezone	2003-04-07 06:37:33.000000000 +0200
@@ -0,0 +1 @@
+Europe/Madrid
diff -urN woody-debootstrap/home/metadistros/.bash_profile woody-discos/home/metadistros/.bash_profile
--- woody-debootstrap/home/metadistros/.bash_profile	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/home/metadistros/.bash_profile	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,23 @@

            ** in the debootstrap installation, there are no users **

diff -urN woody-debootstrap/home/metadistros/.bashrc woody-discos/home/metadistros/.bashrc
--- woody-debootstrap/home/metadistros/.bashrc	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/home/metadistros/.bashrc	2003-04-07 04:38:29.000000000 +0200
@@ -0,0 +1,39 @@

            ** in the debootstrap installation, there are no users **

diff -urN woody-debootstrap/lib/modules/2.4.18-bf2.4/modules.dep woody-discos/lib/modules/2.4.18-bf2.4/modules.dep
--- woody-debootstrap/lib/modules/2.4.18-bf2.4/modules.dep	1970-01-01 01:00:00.000000000 +0100
+++ woody-discos/lib/modules/2.4.18-bf2.4/modules.dep	2003-04-07 06:37:05.000000000 +0200
@@ -0,0 +1,1274 @@

                  ***** debootstrap has no kernel ******

diff -urN woody-debootstrap/var/cache/debconf/config.dat woody-discos/var/cache/debconf/config.dat
--- woody-debootstrap/var/cache/debconf/config.dat	2003-04-13 04:41:03.000000000 +0200
+++ woody-discos/var/cache/debconf/config.dat	2003-04-07 04:39:13.000000000 +0200
@@ -5,7 +5,9 @@
 
 Name: apt-setup/another
 Template: apt-setup/another
+Value: false
 Owners: base-config
+Flags: seen

 Name: apt-setup/baddir
 Template: apt-setup/baddir
@@ -45,6 +47,7 @@
 
 Name: apt-setup/distribution
 Template: apt-setup/distribution
+Value: woody
 Owners: base-config
 
 Name: apt-setup/hostname
@@ -77,7 +80,9 @@
 
 Name: apt-setup/security-updates
 Template: apt-setup/security-updates
+Value: false
 Owners: base-config
+Flags: seen
 
 Name: apt-setup/security-updates-failed
 Template: apt-setup/security-updates-failed
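
Review bot: "apt-setup/security-updates" is recorded as "Value: false" with "Flags: seen", so the traditional install declined the security archive and the question will not be asked again. For the metadistros default this answer should be true, or the build should verify afterwards that sources.list contains a security entry.
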
@@ -85,7 +90,11 @@
 
 Name: apt-setup/uri_type
 Template: apt-setup/uri_type
+Value: edit sources list by hand
 Owners: base-config
+Flags: seen
+Variables:
+ note = 
 
 Name: base-config/install-problem
 Template: base-config/install-problem
@@ -93,7 +102,9 @@

 Name: base-config/intro
 Template: base-config/intro
+Value: 
 Owners: base-config
+Flags: seen
 
 Name: base-config/login
 Template: base-config/login
@@ -101,11 +112,15 @@
 
 Name: base-config/login-with-tty
 Template: base-config/login-with-tty
+Value: 
 Owners: base-config
+Flags: seen
 
 Name: base-config/remove-pcmcia
 Template: base-config/remove-pcmcia
+Value: false
 Owners: base-config
+Flags: seen
 
 Name: base-config/retry-ppp
 Template: base-config/retry-ppp
@@ -113,11 +128,15 @@
 
 Name: base-config/run-dselect
 Template: base-config/run-dselect
+Value: false
 Owners: base-config
+Flags: seen
 
 Name: base-config/run-tasksel
 Template: base-config/run-tasksel
+Value: false
 Owners: base-config
+Flags: seen
 
 Name: base-config/stop-ppp
 Template: base-config/stop-ppp
@@ -125,7 +144,9 @@
 
 Name: base-config/use-ppp
 Template: base-config/use-ppp
+Value: false
 Owners: base-config
+Flags: seen
 
 Name: bsdmainutils/calendar_config_moved
 Template: bsdmainutils/calendar_config_moved
@@ -1016,6 +1037,74 @@
 Template: netkit-inetd/inetd-dos-services
 Owners: netkit-inetd
 
+Name: passwd/make-user
+Template: passwd/make-user
+Value: true
+Owners: passwd
+Flags: seen
+
+Name: passwd/md5
+Template: passwd/md5
+Value: true
+Owners: passwd
+Flags: seen
+
+Name: passwd/password-empty
+Template: passwd/password-empty
+Owners: passwd
+
+Name: passwd/password-mismatch
+Template: passwd/password-mismatch
+Value: 
+Owners: passwd
+Flags: seen
+
+Name: passwd/root-password
+Template: passwd/root-password
+Value: 
+Owners: passwd
+Flags: seen
+
+Name: passwd/root-password-again
+Template: passwd/root-password-again
+Value: 
+Owners: passwd
+Flags: seen
+
+Name: passwd/shadow
+Template: passwd/shadow
+Value: true
+Owners: passwd
+Flags: seen
+
+Name: passwd/user-fullname
+Template: passwd/user-fullname
+Value: Usuario genérico para Metadistros
+Owners: passwd
+Flags: seen
+
+Name: passwd/user-password
+Template: passwd/user-password
+Value: 
+Owners: passwd
+Flags: seen
+
+Name: passwd/user-password-again
+Template: passwd/user-password-again
+Value: 
+Owners: passwd
+Flags: seen
+
+Name: passwd/username
+Template: passwd/username
+Value: metadistros
+Owners: passwd
+Flags: seen
+
+Name: passwd/username-bad
+Template: passwd/username-bad
+Owners: passwd
+
 Name: pcmcia-cs/abort_msg
 Template: pcmcia-cs/abort_msg
 Owners: pcmcia-cs
@@ -1090,20 +1179,39 @@
 Name: tzconfig/change_timezone
 Template: tzconfig/change_timezone
 Owners: base-config
+Variables:
+ timezone = UTC
 
 Name: tzconfig/geographic_area
 Template: tzconfig/geographic_area
+Value: Europe
 Owners: base-config
+Flags: seen
 
 Name: tzconfig/gmt
 Template: tzconfig/gmt
+Value: false
 Owners: base-config
+Flags: seen
+Variables:
+ hwtime = Mon Apr 7 04:37:21 2003
 
 Name: tzconfig/select_zone
 Template: tzconfig/select_zone
 Owners: base-config
 
+Name: tzconfig/select_zone/Europe
+Template: tzconfig/select_zone
+Value: Madrid
+Flags: seen
+Variables:
+ choices = Amsterdam, Andorra, Athens, Belfast, Belgrade, Berlin, Bratislava, Brussels, Bucharest, Budapest, Chisinau, Copenhagen, Dublin, Gibraltar, Helsinki, Istanbul, Kaliningrad, Kiev, Lisbon, Ljubljana, London, Luxembourg, Madrid, Malta, Minsk, Monaco, Moscow, Nicosia, Oslo, Paris, Prague, Riga, Rome, Samara, San_Marino, Sarajevo, Simferopol, Skopje, Sofia, Stockholm, Tallinn, Tirane, Tiraspol, Uzhgorod, Vaduz, Vatican, Vienna, Vilnius, Warsaw, Zagreb, Zaporozhye, Zurich
+
 Name: tzconfig/verify_choices
 Template: tzconfig/verify_choices
 Owners: base-config
+Variables:
+ timezone = Europe/Madrid
+ tzdate = Mon Apr 7 04:37:34 CEST 2003
+ utdate = Mon Apr 7 02:37:34 UTC 2003

diff -urN woody-debootstrap/var/cache/debconf/config.dat-old woody-discos/var/cache/debconf/config.dat-old
--- woody-debootstrap/var/cache/debconf/config.dat-old	2003-04-13 04:41:01.000000000 +0200
+++ woody-discos/var/cache/debconf/config.dat-old	2003-04-07 04:38:52.000000000 +0200
@@ -5,7 +5,9 @@
 
         [...]
 
diff -urN woody-debootstrap/var/cache/debconf/templates.dat woody-discos/var/cache/debconf/templates.dat
--- woody-debootstrap/var/cache/debconf/templates.dat	2003-04-13 04:41:04.000000000 +0200
+++ woody-discos/var/cache/debconf/templates.dat	2003-04-07 04:38:29.000000000 +0200
@@ -1653,6 +1653,82 @@
 Type: boolean
 Owners: netkit-inetd/inetd-dos-services
 
+Name: passwd/make-user
+Default: true
+Description: Shall I create a normal user account now?
+Extended_description: It's a bad idea to use the root account for normal day-to-day activities, such as the reading of electronic mail, because even a small mistake can result in disaster. Now you may create a normal user account to use for those day-to-day tasks.\n\nNote that you may create it later (as well as any additional account) by typing 'adduser <username>' as root, where <username> is an user name, like 'imurdock' or 'rms'.
+Type: boolean
+Owners: passwd/make-user
+
+Name: passwd/md5
+Default: false
+Description: Shall I enable md5 passwords?
+Extended_description: Md5 passwords are more secure and allow for passwords longer than 8 characters to be used. However, they can cause compatibility problems if you are using NIS or sharing password files with older systems.
+Type: boolean
+Owners: passwd/md5
+
+Name: passwd/password-empty
+Description: Empty password was entered.
+Extended_description: You seem to have entered nothing for the password. That is not secure! Please try again.
+Type: note
+Owners: passwd/password-empty
+
+Name: passwd/password-mismatch
+Description: Password input error.
+Extended_description: The two passwords you entered were not the same. Please try again.
+Type: note
+Owners: passwd/password-mismatch
+
+Name: passwd/root-password
+Description: Enter a password for root:
+Extended_description: Before proceeding, you need to set a password for 'root', the system administrative account. The root password shouldn't be easy to guess, and it shouldn't be a word found in the dictionary, or a word that could be easily associated with you, like your middle name. A good password will contain a mixture of letters, numbers and punctuation and will be changed at regular intervals. The root password is changed by running the 'passwd' program as root.\n\nWhy such caution? The root account doesn't have the restrictions that normal user accounts have. A malicious or unqualified user with root access can have disastrous results.\n\nNote that you will not be able to see the password as you type it.
+Type: password
+Owners: passwd/root-password
+
+Name: passwd/root-password-again
+Description: Re-enter password to verify:
+Extended_description: Please enter the same root password again to verify you have typed it correctly.
+Type: password
+Owners: passwd/root-password-again
+
+Name: passwd/shadow
+Default: true
+Description: Shall I enable shadow passwords?
+Extended_description: Shadow passwords make your system more secure because nobody is able to view even encrypted passwords. Passwords are stored in a separate file that can only be read by special programs. We recommend the use of shadow passwords. However, if you're going to use NIS you could run into trouble.
+Type: boolean
+Owners: passwd/shadow
+
+Name: passwd/user-fullname
+Default: Debian User
+Description: Enter a full name for the new user:
+Extended_description: Enter the full name of the new user. Your full name is a good choice.
+Type: string
+Owners: passwd/user-fullname
+
+Name: passwd/user-password
+Description: Enter a password for the new user:
+Extended_description: A good password will contain a mixture of letters, numbers and punctuation and will be changed at regular intervals.
+Type: password
+Owners: passwd/user-password
+
+Name: passwd/user-password-again
+Description: Re-enter password to verify:
+Extended_description: Please enter the same user password again to verify you have typed it correctly.
+Type: password
+Owners: passwd/user-password-again
+
+Name: passwd/username
+Description: Enter a username for your account:
+Extended_description: Select a username for the new account. Your first name is a reasonable choice.\n\nThe username should start with a lower-case letter, which can be followed by any combination of numbers and more lower-case letters.
+Type: string
+Owners: passwd/username
+
+Name: passwd/username-bad
+Description: Invalid username entered.
+Extended_description: The user name you entered is invalid. Note that usernames must start with a lower-case letter, which can be followed by any combination of numbers and more lower-case letters.
+Type: note
+Owners: passwd/username-bad
+
 Name: pcmcia-cs/abort_msg
 Description: PCMCIA support has not been stopped; aborting the installation.
 Description-da: PCMCIA-understttelsen er ikke stoppet. Afbryder installationen.
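
Review bot: "passwd/md5" is declared with "Default: false" while "passwd/shadow" has "Default: true", so an unattended install that accepts the defaults ends up with shadow passwords but without md5, which does not match the "md5" option this diff adds to pam.d/login, pam.d/passwd and pam.d/other. If md5 is to be the metadistros default, preseed passwd/md5 to true rather than relying on someone answering the question.
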
@@ -1985,7 +2061,7 @@
 Extended_description-pt_br: Cidades representam o fuso horário no qual estão localizadas, sendo assim você pode escolher qualquer cidade em seu fuso horário.
 Extended_description-sv: Städer representerar tidszonen i vilka de är belägna, så du kan välja vilken stad som helst i din tidszon.
 Type: select
-Owners: tzconfig/select_zone
+Owners: tzconfig/select_zone, tzconfig/select_zone/Europe

 Name: tzconfig/verify_choices
 Description: Are you happy with your choices?
diff -urN woody-debootstrap/var/cache/debconf/templates.dat-old woody-discos/var/cache/debconf/templates.dat-old
--- woody-debootstrap/var/cache/debconf/templates.dat-old	2003-04-13 04:41:01.000000000 +0200
+++ woody-discos/var/cache/debconf/templates.dat-old	2003-04-07 04:37:34.000000000 +0200
@@ -1524,6 +1524,116 @@

           [...]

diff -urN woody-debootstrap/var/lib/dpkg/available woody-discos/var/lib/dpkg/available
--- woody-debootstrap/var/lib/dpkg/available	2003-04-13 04:41:07.000000000 +0200
+++ woody-discos/var/lib/dpkg/available	2003-04-07 04:38:45.000000000 +0200
@@ -1,1951 +0,0 @@

diff -urN woody-debootstrap/var/lib/dpkg/available-old woody-discos/var/lib/dpkg/available-old
--- woody-debootstrap/var/lib/dpkg/available-old	2003-04-13 04:40:30.000000000 +0200
+++ woody-discos/var/lib/dpkg/available-old	2003-04-07 06:21:41.000000000 +0200
@@ -477,22 +477,6 @@

7. About this document

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, version 1.1 or any later version published by the Free Software Foundation. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html