Weekly Changes – 06/12/2021
This release covers 2 weeks of changes rather than the usual 1, so it appears somewhat larger than normal. Having said that, there are no individual changes which we expect to have a particularly big impact. Here are all the details…
lightdm and trimspaces
The DICE desktop login manager – lightdm – on Ubuntu Focal now has the PAM trimspaces module enabled. This ensures that any whitespace characters in the username field are automatically removed; see the previous blog entry for more details.
RFE server
The RFE server, used in Informatics to allow remote edits of various configuration data, has gained support for a principal-to-username mapping file which allows authorisation of principals as usernames. The package has also gained support for Ubuntu but this has not yet been thoroughly tested.
apacheconf Ubuntu support
The expected user and group for the apache service on Ubuntu have been fixed and the systemd services are now correctly configured. Also, some resource defaults for the apacheconf component have been updated to support Ubuntu. At this stage various parts of the configuration remain incomplete; in particular, the default list of modules is empty, which prevents the daemon from starting. The component code still needs to be updated to support the configuration of the /etc/apache2/envvars file; see bug#1289 for details.
apache and cron
By default on DICE web servers the apache user is now blocked from creating cron and atd jobs. This is for security reasons, to prevent an attacker installing a crontab after a successful compromise of a web service. A local survey suggests that running cron jobs as the apache user is rare; when required it can be re-enabled by defining the DICE_OPTIONS_CRON_ALLOW_APACHE macro prior to including the apacheconf headers in a profile. This strategy has been used by attackers for a long time; recently it has been abused in a novel way by the CronRAT malware.
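As an added example (not part of the original post and not DICE's own tooling), the shell function below checks whether an account such as apache may submit cron or at jobs. It assumes the block is enforced through the standard cron.allow/cron.deny and at.allow/at.deny files, which the post does not state; the helper names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not DICE code. Assumption: access is governed by the standard
# cron.allow/cron.deny and at.allow/at.deny files; the post does not say which
# mechanism DICE uses. job_access and listed are hypothetical helper names.

# listed FILE USER: succeeds if USER appears as a whole line in FILE.
listed() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# job_access KIND USER [ETC_DIR]: prints "allowed" or "denied".
# KIND is "cron" or "at"; ETC_DIR defaults to /etc (overridable for testing).
job_access() {
    kind=$1 user=$2 etc=${3:-/etc}
    allow="$etc/$kind.allow" deny="$etc/$kind.deny"

    # The superuser can always submit jobs.
    if [ "$user" = root ]; then echo allowed; return; fi

    if [ -f "$allow" ]; then
        # An allow file is an allow-list and takes precedence over any deny file.
        if listed "$allow" "$user"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        if listed "$deny" "$user"; then echo denied; else echo allowed; fi
    elif [ "$kind" = at ]; then
        # With neither file present, at(1) permits only the superuser.
        echo denied
    else
        # With neither file present, Debian/Ubuntu cron permits every user
        # (assumed here; other cron builds may restrict this to root).
        echo allowed
    fi
}

# Constructed sample: a throwaway directory in which "apache" is denied both.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
printf 'apache\n' > "$sample/cron.deny"
printf 'apache\n' > "$sample/at.deny"
for kind in cron at; do
    for user in apache alice root; do
        echo "$kind $user: $(job_access "$kind" "$user" "$sample")"
    done
done
```

Calling job_access without the third argument evaluates the live files under /etc on the machine being audited.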
Systemd service presets
The systemd component on Ubuntu has gained support for configuring service presets. There is now also a macro – LCFG_SYSTEMD_PRESET – which makes it easy to specify presets. An example of how to configure service presets is given in our Systemd cookbook.
resolv.conf and Ubuntu
The resolv.conf file on Ubuntu has gained a default sortlist. This matches more closely how we have it configured on SL7, and avoids addresses on certain local unrouted networks being sorted higher than routed addresses. This should fix some issues we have seen with accessing services, such as rfe, from Ubuntu client machines. We still need to consider tweaking this further to completely match SL7.
avahi daemon
The avahi-daemon service will now only be enabled by default for desktop systems on Ubuntu. This matches the avahi-daemon package only being included in the lcfg_ubu2004_desktop.pkgs package list as standard.
DICE KVM shutdown policy
It is now possible to easily configure the guest VM policy for shutdown of a DICE KVM server. The default policy remains suspend, but it can now be changed to shutdown by defining the DICE_OPTIONS_KVM_SERVER_GUEST_SHUTDOWN macro ahead of including the dice/options/kvm-server.h header in a profile.
Tartarus report
The crontabs reports have been enhanced. They now report which files are managed or unmanaged and which might have been locally modified. They also report any which are for users who no longer exist or whose accounts have expired.
New Software
The a2ps and enscript packages have been added for DICE Ubuntu desktops.
An LCFG_OPTIONS_WORKRAVE option has been added which can be used to include workrave – a Repetitive Strain Injury prevention tool – and all of its dependencies. That option can be enabled by adding the option name to the profile.pkgcppopts resource, for example:
!profile.pkgcppopts mADD(LCFG_OPTIONS_WORKRAVE)