Home » Work

All posts in Work

Require client-SSL certificate for certain content.

Posted on: | By: Comments Off

On a kind of “intranet” website, which is secured with username/password combinations and HTTPS I’ve implemented the next feature:

– Authorized users can read everything on the website

– Files with in their filename “classified” requires a valid SSL-Client certificate…

Here is the output of my apache config:

<Directory /usr/sites/ssl-site/intranet/htdocs>
  Options Indexes MultiViews
  AllowOverride Authconfig
  Order allow,deny
  Allow from all
  AuthName “intranet”
  AuthType “Basic”
  AuthUserFile /usr/sites/ssl-site/intranet/etc/users.pwl
  require valid-user
</Directory>

<LocationMatch .*(c|C)(l|L)(a|A)(s|S)(s|S)(i|I)(f|F)(i|I)(e|E)(d|D).+>
  SSLVerifyClient require
  SSLVerifyDepth 1
  SSLOptions +OptRenegotiate
</LocationMatch>

 

I still have to sort out some issues, like directories having a directory with the name “classified” in them.

Read More

Linux SUDO-hack

Posted on: | By: Comments Off

It can happen, you have sudo-access to another account (most of the time it will be access to the root account). But most of the time the NOPASSWD option is not used due to security reasons. But there are moments you want to have sudo-credentials available, think about a script or something else…. I had the same issue, so I found the next “hack” to get the timestamp refreshed every 60 seconds.

(Please note the script will use user “root” but it can be another user, please modify the scripts so it fits your needs).

Step 1)

Create a script in you $HOME/bin with the next content (I call it sudo-hack.sh):

#!/bin/bash 
while [ true ]; 
do 
  sudo -u root /bin/true > /dev/null 2> /dev/null 
  sleep 60 
done 




Step 2)


Get a valid sudo-timestamp:


$ sudo -u root /bin/true
Password:
$


Step 3)


Start sudo-hack.sh in the background:


$ $HOME/bin/sudo-hack.sh &
$


That’s all! 






Read More 


 







Passed – RH423 Red Hat Enterprise Directory Services and Authentication



Posted on:  | By: Comments Off






This week I had the “Red Hat Enterprise Directory Services and Authentication” course and exam in Amsterdam.


In the course we had some very nice stuff, like Red Hat DS and at the end Red Hat Enterprise IPA… all very cool… but today I had the exam (due to the RedHat NDA I am not allowed to say anything about the exam, so I won’t do it)… but a few hours after the exam I received my results… and I passed the exam :-D










Read More 


 







Why is the script slow…



Posted on:  | By: Comments Off








For a project I am working on migrating UNIX applications to Linux. Most of the scripting work supposed to be done in India, and that is where the issues came in. First you have a developer who knows how to work with M$ Technet and never worked with PERL before (at least 80% of the scripts is written in PERL).


First of all I introduced the user Net::LDAP within PERL, because they first did a ldapsearch, put the output into a ASCII file… and with a PERL script they structured the data… and loaded it into a Oracle database… so that was the first improvement.


Next there were several issues, like not good reading or understanding LDAP/PERL at all…


But at a certain moment, they start complaining about the fact that one of the scripts was slow… on the old system the script had a run time of 4 hours… and now it is up to 28 hours(!!!) :-( So they requested me to investigate this.


First I found a ‘main’ kornshell script doing the next thing:




for VAR in a b d e f g i j k m n o p q r s t u v w x y z
do
   for NAME in “‘” a b c d e f g h i j k l m n o p q r s t u v w x y z
   do
     ldap_script.pl $NAME $VAR
   done
done




The content of the ldap_script.pl was something like:




#!/usr/bin/perl
use Net::LDAP;
$ldap = Net::LDAP->new($LDAP_SERVER);
$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die “Cannot connect”;
$LDAP_FILTER=”(&(sn=$ARGV[0]*)(OfficeName=$ARGV[1]*))”;
$mesg = $ldap->search(base=>$LDAP_BASE,
                      filter=>$LDAP_FILTER,
                     ) or die “Cannot connect”;
push(@ENTRIES,$mesg->entries);
$ldap->unbind;




I thought that this costs a lot… loading PERL script, connecting to server, binding to it… et cetera… :-( And this was done in the original script > 2000 times :-|


So… I removed the loop out of the mainscript… and implemented it into the PERL-script, like this:




#!/usr/bin/perl


use Net::LDAP;


$ldap = Net::LDAP->new($LDAP_SERVER);
@LOOP=(“a”,”b”,”c”,”d”,”e”,”f”,”g”,”h”,”i”,”j”,”k”,”l”,”m”,”n”,”o”,
       “p”,”q”,”r”,”s”,”t”,”u”,”v”,”w”,”x”,”y”,”z”, “‘”);



$ldap->bind($LDAP_DN, password=>$LDAP_PASSWD) or die “Cannot connect”;


foreach $LOOP1 (@LOOP)
{
  foreach $LOOP2 (@LOOP)
  {
     $LDAP_FILTER=”(&(sn=$LOOP1*)(OfficeName=$LOOP2*))”;
     $mesg = $ldap->search(base=>$LDAP_BASE,
                           filter=>$LDAP_FILTER,
                          ) or die “Cannot connect”;
     push(@ENTRIES,$mesg->entries);
  }
}


$ldap->unbind;




And this runs within 3 hours!!! And it is flying! :-D


There can be done more performance tuning… but that will be another project!












Read More 


 









Fedora directory server



Posted on:  | By: Comments Off






Yesterday evening I start playing with Fedora Directory Server


So first I setup Fedora Core 8 as a VMWare-instance… But after some playing around, I had the next message:


“Server failed to start !!! Please check errors log for problems”


And guess what… no information at all in the logs :-( So removed the packages and the next directories:


/etc/dirsrv
/etc/sysconfig/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv


So no information… then strace will be your best friend :-D


So I started:


[root@fedora-ds debug]# strace -o ~/debug/setup -ff /usr/sbin/setup-ds.pl


And guess what… I had the error again… So I went to the ~/debug folder on another terminal and did:


[root@fedora-ds debug]# grep “failed” *
setup.31676:read(4, “Server failed to start !!! Pleas”…, 4096) = 64
setup.31676:write(2, “Server failed to start !!! Pleas”…, 64) = 64
setup.31711:write(1, “Server failed to start !!! Pleas”…, 64) = 64
[root@fedora-ds debug]#


When I digged into setup.31711 I found:
read(255, “if test ! -f $STARTPIDFILE ; the”…, 2220) = 663
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
stat64(“/var/run/dirsrv/slapd-fedora-ds.startpid”, 0xbfcd8eb8) = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8-) = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, …}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f7c000
write(1, “Server failed to start !!! Pleas”…, 64) = 64


So this is a nice clue… /var/run/dirsrv… and guess what… the owner of this directory was fedora-ds (a user I set up initially for testing purposes for the Directory Server :-( ) With the comment chown I corrected the owner of this folder… and now service dirsrv start works :-P


Conclusion… strace is your best friend :-D






Read More 


 







Did pass ITIL, LPIC201 and LPIC202



Posted on:  | By: Comments Off







As I wrote before, I did pass RHCE, RHCT and LPIC1. After a few weeks of study I also passed LPIC2 and ITIL :-P


The results for ITIL:




Passing score: 65
Your score…: 67
Grade……..: PASSED


Section Title                          Score
————————————– —–
General                                 66
Service Desk                            66
Incident Management                     25
Problem Management                      80
Change Management                       80
Configuration Management                75
Release Management                     100
Service Level Management                66
Availability Management                  0
Capacity Management                     50
IT Service Continuity Management       100
Financial Management for IT Services   100
Other ITIL Topics                      100
Relationships                           50


During the exam I start mixing up ‘Availability management’ and ‘IT Service Continuity Management’, which resulted into a score of 0 for Availability management :-|


But I also passed LPIC 201 en LPIC 202.


LPIC 201 results:


Required score: 500
Your score….: 750
Status……..: PASS


Section                              Percent Correct
———————————— —————
Linux Kernel                               90%
System startup                             87%
Filesystem                                100%
Hardware                                   75%
File and Service Sharing                   87%
System Maintenance                         83%
System Customization & Automation          66%
Troubleshooting                            50%






LPIC 202 results:




Required score: 500
Your score….: 740
Status……..: PASS


Section                              Percent Correct


———————————— —————
Networking configuration                 85%
Mail & News                              92%
DNS                                      80%
Web Services                            100%
Network Client Management                66%
System Security                          80%
Network Troubleshooting                 100%














Read More 


 







Maintain config-files using subversion



Posted on:  | By: Comments Off








Every sysop might recognize this… I changed a config file some while ago… but what did I change and what is the history of that file. Besides of the changes, I want to have them in a backup :-)


So I decided to setup a config-file repository, where the servers can commit automaticly their changes using SVN over SSH. I use SSH to have no password prompts but certificates. Only the user svn-backup can commit files to the repository. On both server I only checked out the repository-part concerning them.


[root@tank] svn co 
svn+ssh://[email protected]/repos/config-files/tank 
/usr/data/svn-config


And in the crontab for the user root, we have the next entry:




45 * * * */usr/local/backup/svn-backup.sh


And in the svn-backup script we have the next lines:






#!/bin/bash
#
# Subversion script to backup configfiles
#
# Written by Pieter de Rijk <pieter -at- de-rijk.com>


SVN_BACKUP_PATH=”/usr/local/svn-backup”


cp -R /usr/local/etc/ $SVN_BACKUP_PATH/usr/local/etc/ > /dev/null 2> /dev/null
cp -R /etc/ $SVN_BACKUP_PATH/etc/ > /dev/null 2> /dev/null
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/errors
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.jpg
rm -rf $SVN_BACKUP_PATH/usr/local/etc/squid/icons/*.gif
cd $SVN_BACKUP_PATH 
 /usr/local/bin/svn up > /dev/null 2> /dev/null
for files in “`/usr/local/bin/svn status $SVN_BACKUP_PATH | grep ^?`”;
do
   ADD_FILE=`echo $files | awk ‘{ print $2 }’`
   if [ ! -z $ADD_FILE ];
   then
     /usr/local/bin/svn add $ADD_FILE
   fi
done
/usr/local/bin/svn commit -m “[`hostname -s`] Config changes `date`”




And when something change I receive a message :-P


Only users in the wheel group can checkout the repositories, but are not allowed to commit :-D










Read More 


 







make -j 32 bzImage



Posted on:  | By: Comments Off






As I wrote before some vendor promissed me a 16-core machine…. and indeed we received it. Now I have my ‘toy’ placed in the basement. Besides of some trouble putting a modified version of RHEL 4.5 on it, it works fine. At this moment I’ve insta…






Read More