Archive for the ‘ Linux ’ Category

Using Access Control List for web-development

Who doesn’t know that situation? You’re implementing a feature (e.g.: a file upload :-P) in whatever language you like and when you test it it fails because the web server has no permissions whatsoever to write to that directory. Bummer!

There are quite a few different ways to handle that: chmod 777, chown -R webServer, run the web server as you, suEXEC… but they all bring their own bunch of problems with them (which I won’t pursue in-depth now). Imho, the most elegant solution is Access Control Lists (ACLs). With ACLs you get everything you need and, when done properly, they will render permission problems a thing of the past.

The following commands do basically the same thing, just on two different operating systems. They grant the web-server user (_www/www-data) and me (pubmem) all rights in the directory foo and its subdirectories, and set default ACL rights that future files/directories will inherit. The last commands (ls and getfacl respectively) allow you to review the ACLs set. For further information regarding the flags RTM. 😉

OS X (10.6):

chmod -R +a 'pubmem allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
chmod -R +a '_www allow read,write,delete,add_file,add_subdirectory,file_inherit,directory_inherit' foo
ls -led foo

Ubuntu 10.04:

setfacl -R -m u:www-data:rwx,d:u:www-data:rwx,u:pubmem:rwx,d:u:pubmem:rwx foo
getfacl foo
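When reviewing the getfacl output, keep in mind that named-user entries are capped by the ACL mask, and a later chmod of the group bits rewrites that mask. The following is an added example (not from the original post) that computes the effective rights of a user from getfacl output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Effective rights of a named user = its ACL entry AND the mask entry.

# Usage: getfacl foo | acl_effective www-data
acl_effective() {
    awk -F: -v user="$1" '
        function cap(perm, m,    i, out) {
            out = ""
            for (i = 1; i <= 3; i++)
                out = out (substr(m, i, 1) == "-" ? "-" : substr(perm, i, 1))
            return out
        }
        {
            sub(/[ \t]*#.*/, "")    # drop comment lines and "#effective:" notes
            if ($0 == "") next
            off = ($1 == "default") ? 1 : 0
            scope = off ? "default" : "access"
            if ($(1 + off) == "mask") mask[scope] = $(3 + off)
            if ($(1 + off) == "user" && $(2 + off) == user) entry[scope] = $(3 + off)
        }
        END {
            n = split("access default", scopes, " ")
            for (i = 1; i <= n; i++) {
                s = scopes[i]
                if (!(s in entry)) { print s ":missing"; continue }
                print s ":" cap(entry[s], (s in mask) ? mask[s] : "rwx")
            }
        }'
}

# Constructed sample: getfacl output for foo after someone ran "chmod 755 foo",
# which rewrote the access mask to r-x but left the default ACL untouched.
sample_getfacl() {
    cat <<'EOF'
# file: foo
# owner: pubmem
# group: pubmem
user::rwx
user:www-data:rwx    #effective:r-x
user:pubmem:rwx      #effective:r-x
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
EOF
}

sample_getfacl | acl_effective www-data
```

For the sample, www-data can no longer write to foo itself although its entry still reads rwx; re-running the setfacl command above recalculates the mask.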


Setting up Gitweb with Gitolite on Ubuntu 10.04 (Lucid Lynx)

As gitosis’s development seems to be no more (last release almost 3 years ago, last commit 1,5 years ago), I switched to gitolite for my repository and user management some time ago (maybe I’ll cover the switch in another post later on). But until yesterday, something was missing for me: I forgot to reconfigure gitweb! 😛

The reconfiguration was pretty straightforward. First add the apache user to the git group, which is the group owner of the gitolite repositories:

# -a appends; without it, -G replaces all of www-data's supplementary groups
sudo usermod -a -G git www-data

Restart apache so that the change is applied.

Then change gitolite’s default umask to 0027 in .gitolite.rc:

# $REPO_UMASK = 0077;         # gets you 'rwx------'
$REPO_UMASK = 0027;       # gets you 'rwxr-x---'
# $REPO_UMASK = 0022;       # gets you 'rwxr-xr-x'

For existing repositories you need to change the rights from 700 to 750, so gitweb can read the repositories as well (740 obviously can’t work with a umask of 0027! Thx Dude! ;)):

sudo chmod -R 750 /path/to/repositories/
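Note that chmod -R 750 also sets the execute bit on every regular file in the repositories. The following is an added example (not from the original post) that applies the same "group may read, other gets nothing" policy with symbolic modes and then lists anything that still violates it; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths below are constructed.

# Same policy as REPO_UMASK 0027 for an existing tree: group may read, other gets
# nothing. Capital X grants execute/search only to directories and to files that
# already carry an execute bit (hooks), unlike a blanket "chmod -R 750".
fix_repo_perms() {
    chmod -R g=rX,o= "$1"
}

# List entries that break the policy: any bit for "other", no group read,
# or a directory the group cannot enter.
audit_repo_perms() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \
        -o ! -perm -040 -o \( -type d ! -perm -010 \) \) -print
}

# Constructed demo tree mimicking a repository created under umask 0077.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/foo.git/hooks" "$root/foo.git/objects"
    : > "$root/foo.git/objects/pack"
    printf '#!/bin/sh\n' > "$root/foo.git/hooks/update"
    chmod 700 "$root" "$root/foo.git" "$root/foo.git/hooks" \
        "$root/foo.git/objects" "$root/foo.git/hooks/update"
    chmod 400 "$root/foo.git/objects/pack"
    echo "before: $(audit_repo_perms "$root" | wc -l) entries violate the policy"
    fix_repo_perms "$root"
    echo "after:  $(audit_repo_perms "$root" | wc -l) entries violate the policy"
    ls -l "$root/foo.git/objects/pack" "$root/foo.git/hooks/update"
    rm -rf "$root"
}

demo
```

Running audit_repo_perms against the real repository path from cron is a cheap way to notice a repository that was created or pushed to under a different umask.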

And the final step is to change the gitweb configuration to point to the gitolite installation:

# path to git projects (.git)
$projectroot = "/srv/git/repositories";

# directory to use for temp files
$git_temp = "/tmp";

# target of the home link on top of all pages
#$home_link = $my_uri || "/";

# html text to include at home page
$home_text = "indextext.html";

# file with project list; by default, simply scan the projectroot dir.
#$projects_list = $projectroot;
$projects_list = "/srv/git/projects.list";

# By default, gitweb will happily let people browse any repository
# they guess the name of. This may or may not be what you want.
# I prefer to set these, to allow exactly the repositories in
# projects.list to be browsed.
$export_ok = "";
$strict_export = "true";

# stylesheet to use
$stylesheet = "/gitweb/gitweb.css";

# logo to use
$logo = "/gitweb/git-logo.png";

# the 'favicon'
$favicon = "/gitweb/git-favicon.png";

You need to make sure that gitweb’s $projects_list variable has the same value as the $PROJECTS_LIST variable in gitolite.rc!

And all that’s missing now is a gitweb’bed repository! For this you need to grant the gitweb user read access, in gitolite.conf, to the repository you want to show up.

repo foo
  R = gitweb

Save the change, commit it and push it! That’s all folks!


Setup Samba Shares on Ubuntu Server 10.04

First install Samba (all commands should be preceded with sudo, but for the sake of readability it is omitted):

johndoe@server:~$ apt-get install samba

Then modify the config file in /etc/samba/smb.conf by changing the workgroup to yours (workgroup = YOUR_WORKGROUP) and uncommenting security = user.

Now create a share:

[SHARE_NAME]
comment = A comment about this share
path = /PATH/TO/SHARE
valid users = USER
hide files = /lost+found/
read only = No
browsable = Yes
writable = Yes

All options are explained in the smb.conf(5) man page.

I think a samba user does not necessarily need a UNIX account, but I usually create one to chown dedicated shares.

johndoe@server:~$ adduser --no-create-home --disabled-login USER
# usermod -p expects an already-hashed password; passwd prompts for it and hashes it
johndoe@server:~$ passwd USER

According to Google, UNIX and Samba passwords should stay in sync, but that didn’t work out for me. So set the user password again:

johndoe@server:~$ smbpasswd -a USER

Now restart the server (service smbd restart) and point the Explorer to your machine’s IP. That’s all folks. 😉


Append apache to www user on Mac OS X 10.6

As a vivid user of Gentoo Prefix I normally don’t mind getting my hands dirty. 😉
But from time to time, when I install or update apache, I forget to change Gentoo’s default “apache” user to OS X’s “www”. And then I wonder why apache does not start anymore. 😦

But thanks to a colleague of mine and dscl, the Directory Service (aka Apple’s LDAP implementation) command line utility integrated in 10.6, this will come to an end:

# Add apache to the system default web-server user
sudo dscl . -append /Users/www RecordName apache

# And don't forget the group
sudo dscl . -append /Groups/www RecordName apache

# It succeeds without feedback, so better check it ^^
sudo dscl . -read /Users/www
sudo dscl . -read /Groups/www

Awesome! Now I don’t have to alter httpd.conf, watch dispatch-conf closely after upgrading apache or alter some obscure webapp-config files anymore because they can’t find the apache user! 😉

References

  • man(8) dscl

How to resize LVM logical volumes with ext4 as filesystem

Ever been in the situation where you needed to save some important files to a server and you’re greeted with “Not enough space left on device”-kind messages? No? Well, as that happened too often to me for my liking, I decided to do it right this time when I set up my home server and use logical volume manager (LVM) straight from the start. So basically, all I had to do was to shrink a filesystem that had free space in it and its partition (logical volume (LV) to be precise) afterwards and then to resize the logical volume/filesystem where I needed the space.

As all the necessary tools are available normally on a system with LVM support, I could dive right in: Follow me…

Add uptime to Ubuntu Server 10.04 MotD

Imho, uptime is as important as the usual information provided by the default motd:
System load, Memory usage, Swap usage, Processes, Users logged in.

To have it included create the following file and save it as /etc/update-motd.d/60-uptime-info:

#!/bin/bash

###
# Appends the uptime to the motd
###

echo
echo -n "  Uptime: "
/usr/bin/uptime

On your next login uptime will be seamlessly integrated in the motd. 😉

Upgrade Ubuntu 10.04 (Lucid) Server Kernel to 2.6.35

I really wanted to stay on the LTS side of life lucid, but Linux 2.6.35 got released two days ago and damned, it brings some good stuff with it, above all “Transparent spreading of incoming network traffic load across CPUs” and some power improvements. Perfect for an environmental-friendly low-power home server… 😉

The installation procedure is as simple as well-known[1]:

sudo add-apt-repository ppa:kernel-ppa/ppa
sudo apt-get update
sudo apt-get install linux-lts-backport-maverick

And that’s that…
As usual, GRUB2 gets updated at the end, so a reboot is all that is between you and this shiny new kernel full of awesomeness.

[UPDATE-292125Bsep10]
Fixed the package name to reflect the package name change. 😉

[UPDATE-301526Bjul11]
No need for the ppa anymore, the package is in the main lucid/lucid-updates repository.
All there is left to install it is

sudo apt-get install linux-image-server-lts-backport-maverick

[1] add-apt-repository is not installed by default on lucid; you find it in the python-software-properties package.