Home » Linux/Unix/BSD

All posts in Linux/Unix/BSD

Require client-SSL certificate for certain content.

Posted on: | By: Comments Off

On a kind of “intranet” website, which is secured with username/password combinations and HTTPS I’ve implemented the next feature:

– Authorized users can read everything on the website

– Files with in their filename “classified” requires a valid SSL-Client certificate…

Here is the output of my apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
  Options Indexes MultiViews
  AllowOverride Authconfig
  Order allow,deny
  Allow from all
  AuthName “intranet”
  AuthType “Basic”
  AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
  require valid-user
</Directory>

<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLOptions +OptRenegotiate
</LocationMatch>

 

I still have to sort out some issues, like directories having a directory with the name “classified” in them.

Read More

“Easy share” IMAP folders with Courier-imap

Posted on: | By: Comments Off

Recently I got a iPhone, but I have multiple mails coming into my mailbox (private/business/sysop). I use maildrop to put them into the right folders. I want share my business (sub)folder(s) with my special iPhone-account… but how could we do that… (please note you should have admin-privileges)

Step 1 – Create new user and put the “source” mailbox user in the right group

Create a iPhone user on your server (in my case user is iphone) and add the user (in my case pieter) to the iphone group (created during the creation of the iphone user).

Step 2 – Set permissions correct of the source mailbox

Make sure the world can access ~pieter/Maildir, set this by entering:

[ root@server ~]# chmod o+x ~pieter/Maildir

New we also have to set the grouppermissions correct of the source sub-folders:

[ root@server ~]# chown -R pieter:iphone ~pieter/Maildir/.Business*

Set groupbit and grouppermissions on the folders you want to share:

[ root@server ~]# find ~pieter/Maildir/.Business* -type d -exec chmod 2770 {} ;

Set the grouppermissions on the current messages”

[ root@server ~]# find ~pieter/Maildir/.Business* -type f -exec chmod  0660 {} ;

Step 3 – Setup the functional account and mailstructure

Become that user (can be done via sudo).
[ pieter@server ~]$ sudo su – iphone
Password: ****
[ iphone@server ~]$

Create the maildir structure:

[ iphone@server ~]$ maildirmake ~/Maildir

Remove the cur, new and tmp folders:

[ iphone@server ~]$ rm -rf ~/Maildir/[cnt]*

Now link them to the source:

[ iphone@server ~]$ for x in cur new tmp; do ln -s /home/pieter/Maildir/.Business/$x ~iphone/Maildir/$x; done

Step 4 – Share the subfolders as well

[ iphone@server ~]$ cd ~/Maildir
[ iphone@server Maildir]$ maildirmake .Archive
[ iphone@server Maildir]$ rm -rf ~/.Archive/[cnt]*
[ iphone@server Maildir]$ for x in cur new tmp; do ln -s /home/pieter/Maildir/.Business.Archive/$x ~iphone/Maildir/.Archive/$x; done

Perform step 4 for al the other subfolders you would like to share ;-) (Please note that you’ve to set the permissions in step 2 as well). This was done on a FreeBSD6.3 system, I don’t know what the impact might be on Linux systems with SELinux… nor I don’t know what the impact might be of the chmod o+x on Maildir… we wil investigate. Initially I did a chown pieter:iphone on the source maildir… but my imap-server refused connection due to wrong gid.

Also keep in mind to put in your procmail/maildrop filter a umask of 007!

But… conclusion… it works cool.

Read More

I guess I did something wrong…

Posted on: | By: Comments Off

Last Friday I was playing around with one of my FreeBSD production servers. On that server I’ve a number of users for e-mail and other services.I was playing around as root, because I wanted to update/install some new stuff. But at a certain momen…

Read More

Linux SUDO-hack

Posted on: | By: Comments Off

It can happen, you have sudo-access to another account (most of the time it will be access to the root account). But most of the time the NOPASSWD option is not used due to security reasons. But there are moments you want to have sudo-credentials available, think about a script or something else…. I had the same issue, so I found the next “hack” to get the timestamp refreshed every 60 seconds.

(Please note the script will use user “root” but it can be another user, please modify the scripts so it fits your needs).

Step 1)

Create a script in you $HOME/bin with the next content (I call it sudo-hack.sh):

#!/bin/bash 
while [ true ]; 
do 
  sudo -u root /bin/true > /dev/null 2> /dev/null 
  sleep 60 
done 




Step 2)


Get a valid sudo-timestamp:


$ sudo -u root /bin/true
Password:
$


Step 3)


Start sudo-hack.sh in the background:


$ $HOME/bin/sudo-hack.sh &
$


That’s all! 

		

		
	

		
			Read More		
	


	 






	

		
Passed – RH423 Red Hat Enterprise Directory Services and Authentication
		


	Posted on:  | By: Comments Off

	


	
			

			
This week I had the “Red Hat Enterprise Directory Services and Authentication” course and exam in Amsterdam.


In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA… all very cool… but today I had the exam (due to the RedHat NDA I am not allowed to say anything about the exam, so I won’t do it)… but a few hours after the exam I received my results… and I passed the exam :-D





		

		
	

		
			Read More		
	


	 






	

		
Why is the script slow…
		


	Posted on:  | By: Comments Off

	


	
			

			


For a project I am working on migrating UNIX applications to Linux. Most of the scripting work supposed to be done in India, and that is where the issues came in. First you have a developer who knows how to work with M$ Technet and never worked with PERL before (at least 80% of the scripts is written in PERL).


First of all I introduced the user Net::LDAP within PERL, because they first did a ldapsearch, put the output into a ASCII file… and with a PERL script they structured the data… and loaded it into a Oracle database… so that was the first improvement.


Next there were several issues, like not good reading or understanding LDAP/PERL at all…


But at a certain moment, they start complaining about the fact that one of the scripts was slow… on the old system the script had a run time of 4 hours… and now it is up to 28 hours(!!!) :-( So they requested me to investigate this.


First I found a ‘main’ kornshell script doing the next thing:




for VAR in a b d e f g i j k m n o p q r s t u v w x y z
do
   for NAME in “‘” a b c d e f g h i j k l m n o p q r s t u v w x y z
   do
     ldap_script.pl $NAME $VAR
   done
done




The content of the ldap_script.pl was something like:




#!/usr/bin/perl
use Net::LDAP;
$ldap = Net::LDAP->new($LDAP_SERVER);
$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die “Cannot connect”;
$LDAP_FILTER=”(&(sn=$ARGV[0]*)(OfficeName=$ARGV[1]*))”;
$mesg = $ldap->search(base=>$LDAP_BASE,
                                               filter=>$LDAP_FILTER,
                     ) or die “Cannot connect”;
push(@ENTRIES,$mesg->entries);
$ldap->unbind;




I thought that this costs a lot… loading PERL script, connecting to server, binding to it… et cetera… :-( And this was done in the original script > 2000 times :-|


So… I removed the loop out of the mainscript… and implemented it into the PERL-script, like this:




#!/usr/bin/perl


use Net::LDAP;


$ldap = Net::LDAP->new($LDAP_SERVER);
@LOOP=(“a”,”b”,”c”,”d”,”e”,”f”,”g”,”h”,”i”,”j”,”k”,”l”,”m”,”n”,”o”,
       “p”,”q”,”r”,”s”,”t”,”u”,”v”,”w”,”x”,”y”,”z”, “‘”);



$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die “Cannot connect”;


foreach $LOOP1 (@LOOP)
{
  foreach $LOOP2 (@LOOP)
  {
        $LDAP_FILTER=”(&(sn=$LOOP1*)(OfficeName=$LOOP2*))”;
     $mesg = $ldap->search(base=>$LDAP_BASE,
                           filter=>$LDAP_FILTER,
                          ) or die “Cannot connect”;
     push(@ENTRIES,$mesg->entries);
  }
}


$ldap->unbind;




And this runs within 3 hours!!! And it is flying! :-D


There can be done more performance tuning… but that will be another project!







		

		
	

		
			Read More		
	


	 










	

		
Fedora directory server
		


	Posted on:  | By: Comments Off

	


	
			

			
Yesterday evening I start playing with Fedora Directory Server


So first I setup Fedora Core 8 as a VMWare-instance… But after some playing around, I had the next message:


“Server failed to start !!! Please check errors log for problems”


And guess what… no information at all in the logs :-( So removed the packages and the next directories:


/etc/dirsrv
/etc/sysconfig/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv


So no information… then strace will be your best friend :-D


So I started:


[root@fedora-ds debug]# strace -o ~/debug/setup -ff /usr/sbin/setup-ds.pl


And guess what… I had the error again… So I went to the ~/debug folder on another terminal and did:


[root@fedora-ds debug]# grep “failed” *
setup.31676:read(4, “Server failed to start !!! Pleas”…, 4096) = 64
setup.31676:write(2, “Server failed to start !!! Pleas”…, 64) = 64
setup.31711:write(1, “Server failed to start !!! Pleas”…, 64) = 64
[root@fedora-ds debug]#


When I digged into setup.31711 I found:
read(255, “if test ! -f $STARTPIDFILE ; the”…, 2220) = 663
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
stat64(“/var/run/dirsrv/slapd-fedora-ds.startpid”, 0xbfcd8eb8) = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8-) = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, …}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f7c000
write(1, “Server failed to start !!! Pleas”…, 64) = 64


So this is a nice clue… /var/run/dirsrv… and guess what… the owner of this directory was fedora-ds (a user I set up initially for testing purposes for the Directory Server :-( ) With the comment chown I corrected the owner of this folder… and now service dirsrv start works :-P


Conclusion… strace is your best friend :-D

		

		
	

		
			Read More		
	


	 






	

		
Gentoo Firefox phones home
		


	Posted on:  | By: Comments Off

	


	
			

			


Some while ago, I submitted a bug to the Gentoo Bug-trac. I had trouble with Firefox 2.0.0.2 when switching from non-proxy to a proxy-network.


http://bugs.gentoo.org/show_bug.cgi?id=169155


I found that when starting firefox (note: not firefox-bin) the proces wants to connect to www.gentoo.org :-(


Now someone found the issue:




I have the same problem with mozilla-firefox-2.0.0.13.
Firefox tries to connect to the page mentioned in
/usr/lib/mozilla-firefox/defaults/pref/all-gentoo.js:
pref("browser.startup.homepage",           "http://www.gentoo.org/");
If DNS or the page itself is unreachable firefox waits until the request
timeouts.


I haven’t test it yet… but it might solve the issue… ;-)

		

		
	

		
			Read More