Archives

All posts for the month May, 2012

Run cron script faster than one minute

Posted by phatdee on May 31, 2012
Posted in: Cronjobs. Tagged: , , . Leave a Comment

Sure, while running anything faster than one minute probably isn’t needed as it’s probably a bandaid related item that probably should be fixed correctly. But I just ran into a situation today where I said fuck it, I need a bandaid.

Needed a quick solution to basically chmod -R 777 a particular directory used for log shipping. But had to be far faster than every one minute which is the fastest that cron offers with * * * * * . Again this is not the most elegant solution and really don’t recommend chmod -R 777 in most situations, but there are those times..and well this was one of those times… 😉

create new file called bandaid.sh
#!/bin/bash

while [ 1 -eq 1 ]; do chmod -fR 777 /logsfromhell ; sleep 1; done

chmod 755 the bandaid.sh; ./bandaid.sh &

OR add a little insurance to the deal..add this script to cron

#!/bin/bash

CHECKME=ps -ef | grep -v grep |grep '[b]andaid\.sh'
if [ “$CHECKME” ]
then
echo “bandaid hasn’t lost it’s sticky..”
else
/root/scripts/bandaid.sh
fi

chmod 755 checker.sh
* * * * * /root/scripts/checker.sh > /dev/null 2>&1

Moving CVS to a new machine

Posted by phatdee on May 23, 2012
Posted in: CVS. Tagged: , . Leave a Comment

Moving a CVS repository to a new machine
thursday, 09 april 2009 14:03
Firstly, thanks to Hannes for his help with this. Without him I would have had to do a whole lot more reading and make a whole lot more mistakes.

Background to this is that the server Nevada was getting old and we wanted to shift it to the new server, Taormina. Note: The methods outlined below require each user to have an account created on the new machine, which is fine for me cos there were only 4 of us. If its a large scale deployment hunt out Hannes and pay him to do it, and while you are at it switch to svn.

Firstly create the directory on the new machine & rsync all the existing content across. The -p flag in rsync is important cos it pulls the permissions across.
TAORMINA:/var/lib # mkdir cvsroot
TAORMINA:/var/lib # cd cvsroot
TAORMINA:/var/lib/cvsroot # rsync -rp 192.168.0.54:/var/lib/cvsroot .
root@ 192.168.0.54’s password:
TAORMINA:/var/lib/cvsroot #
Next make the contents of the directory writeable by the people who should have CVS access. Following the advice of cvsbook.redbean.com I created a cvs group and added the relevant users to it. Following the advice of Hannes I set the contents of the directory setgid cvs so that any new files created in that directory will be owned by the same group that owns the directory (ok rsync -p should have done this but it can’t hurt to make sure).
TAORMINA:/var/lib/cvsroot # chgrp -R cvs .
TAORMINA:/var/lib/cvsroot # find -type d -print0 | xargs -0 chmod g+s
TAORMINA:/var/lib/cvsroot # ls -ld .
drwxrwsr-x 52 root cvs 1456 2009-04-09 10:58 .
TAORMINA:/var/lib/cvsroot #
Now edit the .bashrc of each user to add/alter the CVSROOT and CVS_RSH directories.
export CVSROOT=:ext:cianer@taormina:/var/lib/cvsroot
export CVS_RSH=ssh
Finally try to write to the cvs directory to ensure the permissions are set up properly. If so do a test checkout:
cianer@TAORMINA:/var/lib/cvsroot> touch testfile
cianer@TAORMINA:/var/lib/cvsroot> rm testfile
cianer@TAORMINA:/var/lib/cvsroot> exit
logout
Connection to taormina closed.
cianer@Feegle:~/cvs_test$ cvs co ixp400_xscale_sw
Password:
cvs checkout: Updating ixp400_xscale_sw
U ixp400_xscale_sw/Makefile
U ixp400_xscale_sw/ixp425_eth.c
…….

Other things that might be useful:

To prevent having to type your password each time create trusted keys for the server.
To switch your checkout to the new CVS repository run a variant of this script from the high-level checkout directory (the example below is designed to switch me from the local repository at /var/lib/cvsroot to the remote repository created on taormina at /var/lib/cvsroot):
find * | grep Root | xargs sed -i ‘s/\/var/:ext:cianer\@taormina:\/var/’
Note: After you run the above script you will need to make sure your CVSROOT is updated, otherwise will you get the following error:
cianer@Feegle:~/temp$ cvs status
cvs [status aborted]: cannot exec : No such file or directory
cvs [status aborted]: end of file from server (consult above messages if any)

CVS AD authentication

Posted by phatdee on May 21, 2012
Posted in: Authentication. Tagged: , , , , , . Leave a Comment

4
down vote
This is going to be rather long, but let’s do it anyway. First of all, yes this can be done. I can’t supply much in the way of configuring CVS, but I can provide all you need to make a linux server authenticate users against Active Directory.
It all starts with /etc/nsswitch.conf. Here is the relevant section:
passwd: files ldap compat
shadow: files ldap compat
group: files ldap compat

Now, depending on what distro you are using, you will need to install some ldap packages. Under Redhat/Fedora/CentOS this would be nss_ldap, under Debian/Ubuntu and the likes, you will need libnss-ldap and libpam-ldap. I would also recommend some ldap-utils for debugging.

With the above your name services will attempt to use LDAP, so now you need to configure the various LDAP packages to use your AD server. The search base should be base cn=Users,dc=aminocom,dc=com and the bind DN should be binddn cn=LDAPsearch,cn=Users,dc=aminocom,dc=com. You will need to define a specific User to allow browsing of the AD. We have created a user named LDAPSearch, and put its credentials into a separate file named .secret. Read the documentation of these packages for more detail. Furthermore I would recommend a soft bind policy and the following attribute mappings:

# Services for UNIX 3.5 mappings
nss_base_passwd cn=Users,dc=aminocom,dc=com?sub
nss_base_shadow cn=Users,dc=aminocom,dc=com?sub
nss_base_group cn=Users,dc=aminocom,dc=com?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos name
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
pam_groupdn cn=nixUsers,cn=Users,dc=aminocom,dc=com
pam_password ad
All of this assumes that you have the Windows Services for Unix installed on your domain controller. In AD you will need to configure a primary Unix group (in our case called nixUsers) and add every CVS user into that group.
You should probably be able to use AD directly (i.e. without the Windows Services for Unix), but that will require different attribute mappings. You might have to experiment a bit there.

Now we get to the PAM configuration. Under Debian there are basically 4 files that need modifications:

1.) common-account:

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid

2.) common-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >=500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

3.) common-session:

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

4.) common-password

password sufficient pam_unix.so md5 shadow nullok try_first_pass
password sufficient pam_ldap.so
password required pam_deny.so
Under Redhat (and derivatives) all the necessary changes should go into the relevant sections in /etc/pam.d/system-auth and /etc/pam.d/system-auth-ac.

The above will allow users to log in with AD credentials. However, this does NOT automatically create a home directory for them (unless you do some more scripting around that) and it does not allow them to change their passwords through linux. This can be done, too, but it requires modification of their workstations (if they use Linux). Any more questions re the above, just ask.

We use this on many of our servers, works like a charm.

link|improve this answer

CVS and LDAP authentication howto

Posted by phatdee on May 21, 2012
Posted in: Authentication. Tagged: , , , . 5 comments

2.9.4.1 Setting up the server for password authentication

First of all, you probably want to tighten the permissions on the $CVSROOT and $CVSROOT/CVSROOT directories. See Password authentication security, for more details.

On the server side, the file /etc/inetd.conf needs to be edited so inetd knows to run the command cvs pserver when it receives a connection on the right port. By default, the port number is 2401; it would be different if your client were compiled with CVS_AUTH_PORT defined to something else, though. This can also be specified in the CVSROOT variable (see Remote repositories) or overridden with the CVS_CLIENT_PORT environment variable (see Environment variables).

If your inetd allows raw port numbers in /etc/inetd.conf, then the following (all on a single line in inetd.conf) should be sufficient:

2401 stream tcp nowait root /usr/local/bin/cvs
cvs -f –allow-root=/usr/cvsroot pserver
(You could also use the -T' option to specify a temporary directory.)

The –allow-root’ option specifies the allowable cvsroot directory. Clients which attempt to use a different cvsroot directory will not be allowed to connect. If there is more than one cvsroot directory which you want to allow, repeat the option. (Unfortunately, many versions of inetd have very small limits on the number of arguments and/or the total length of the command. The usual solution to this problem is to have inetd run a shell script which then invokes cvs with the necessary arguments.)

If your inetd wants a symbolic service name instead of a raw port number, then put this in /etc/services:

cvspserver 2401/tcp
and put cvspserver instead of 2401 in inetd.conf.

If your system uses xinetd instead of inetd, the procedure is slightly different. Create a file called /etc/xinetd.d/cvspserver containing the following:

service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
wait = no
user = root
passenv = PATH
server = /usr/local/bin/cvs
server_args = -f –allow-root=/usr/cvsroot pserver
}
(If cvspserver is defined in /etc/services, you can omit the port line.)

Once the above is taken care of, restart your inetd, or do whatever is necessary to force it to reread its initialization files.

If you are having trouble setting this up, see Connection.

Because the client stores and transmits passwords in cleartext (almost—see Password authentication security, for details), a separate cvs password file is generally used, so people don’t compromise their regular passwords when they access the repository. This file is $CVSROOT/CVSROOT/passwd (see Intro administrative files). It uses a colon-separated format, similar to /etc/passwd on Unix systems, except that it has fewer fields: cvs username, optional password, and an optional system username for cvs to run as if authentication succeeds. Here is an example passwd file with five entries:

anonymous:
bach:ULtgRLXo7NRxs
spwang:1sOp854gDF3DY
melissa:tGX1fS8sun6rY:pubcvs
qproj:XR4EZcEs0szik:pubcvs
(The passwords are encrypted according to the standard Unix crypt() function, so it is possible to paste in passwords directly from regular Unix /etc/passwd files.)

The first line in the example will grant access to any cvs client attempting to authenticate as user anonymous, no matter what password they use, including an empty password. (This is typical for sites granting anonymous read-only access; for information on how to do the “read-only” part, see Read-only access.)

The second and third lines will grant access to bach and spwang if they supply their respective plaintext passwords.

The fourth line will grant access to melissa, if she supplies the correct password, but her cvs operations will actually run on the server side under the system user pubcvs. Thus, there need not be any system user named melissa, but there must be one named pubcvs.

The fifth line shows that system user identities can be shared: any client who successfully authenticates as qproj will actually run as pubcvs, just as melissa does. That way you could create a single, shared system user for each project in your repository, and give each developer their own line in the $CVSROOT/CVSROOT/passwd file. The cvs username on each line would be different, but the system username would be the same. The reason to have different cvs usernames is that cvs will log their actions under those names: when melissa commits a change to a project, the checkin is recorded in the project’s history under the name melissa, not pubcvs. And the reason to have them share a system username is so that you can arrange permissions in the relevant area of the repository such that only that account has write-permission there.

If the system-user field is present, all password-authenticated cvs commands run as that user; if no system user is specified, cvs simply takes the cvs username as the system username and runs commands as that user. In either case, if there is no such user on the system, then the cvs operation will fail (regardless of whether the client supplied a valid password).

The password and system-user fields can both be omitted (and if the system-user field is omitted, then also omit the colon that would have separated it from the encrypted password). For example, this would be a valid $CVSROOT/CVSROOT/passwd file:

anonymous::pubcvs
fish:rKa5jzULzmhOo:kfogel
sussman:1sOp854gDF3DY
When the password field is omitted or empty, then the client’s authentication attempt will succeed with any password, including the empty string. However, the colon after the cvs username is always necessary, even if the password is empty.

cvs can also fall back to use system authentication. When authenticating a password, the server first checks for the user in the $CVSROOT/CVSROOT/passwd file. If it finds the user, it will use that entry for authentication as described above. But if it does not find the user, or if the cvs passwd file does not exist, then the server can try to authenticate the username and password using the operating system’s user-lookup routines (this “fallback” behavior can be disabled by setting SystemAuth=no in the cvs config file, see config).

The default fallback behavior is to look in /etc/passwd for this system user unless your system has PAM (Pluggable Authentication Modules) and your cvs server executable was configured to use it at compile time (using ./configure –enable-pam – see the INSTALL file for more). In this case, PAM will be consulted instead. This means that cvs can be configured to use any password authentication source PAM can be configured to use (possibilities include a simple UNIX password, NIS, LDAP, and others) in its global configuration file (usually /etc/pam.conf or possibly /etc/pam.d/cvs). See your PAM documentation for more details on PAM configuration.

Note that PAM is an experimental feature in cvs and feedback is encouraged. Please send a mail to one of the cvs mailing lists (info-cvs@gnu.org or bug-cvs@gnu.org) if you use the cvs PAM support.

WARNING: Using PAM gives the system administrator much more flexibility about how cvs users are authenticated but no more security than other methods. See below for more.

CVS needs an “auth”, “account” and “session” module in the PAM configuration file. A typical PAM configuration would therefore have the following lines in /etc/pam.conf to emulate the standard cvs system /etc/passwd authentication:

cvs auth required pam_unix.so
cvs account required pam_unix.so
cvs session required pam_unix.so
The the equivalent /etc/pam.d/cvs would contain

auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
Some systems require a full path to the module so that pam_unix.so (Linux) would become something like /usr/lib/security/$ISA/pam_unix.so.1 (Sun Solaris). See the contrib/pam subdirectory of the cvs source distribution for further example configurations.

The PAM service name given above as “cvs” is just the service name in the default configuration and can be set using ./configure –with-hardcoded-pam-service-name= before compiling. cvs can also be configured to use whatever name it is invoked as as its PAM service name using ./configure –without-hardcoded-pam-service-name, but this feature should not be used if you may not have control of the name cvs will be invoked as.

Be aware, also, that falling back to system authentication might be a security risk: cvs operations would then be authenticated with that user’s regular login password, and the password flies across the network in plaintext. See Password authentication security for more on this. This may be more of a problem with PAM authentication because it is likely that the source of the system password is some central authentication service like LDAP which is also used to authenticate other services.

On the other hand, PAM makes it very easy to change your password regularly. If they are given the option of a one-password system for all of their activities, users are often more willing to change their password on a regular basis.

In the non-PAM configuration where the password is stored in the CVSROOT/passwd file, it is difficult to change passwords on a regular basis since only administrative users (or in some cases processes that act as an administrative user) are typically given access to modify this file. Either there needs to be some hand-crafted web page or set-uid program to update the file, or the update needs to be done by submitting a request to an administrator to perform the duty by hand. In the first case, having to remember to update a separate password on a periodic basis can be difficult. In the second case, the manual nature of the change will typically mean that the password will not be changed unless it is absolutely necessary.

Note that PAM administrators should probably avoid configuring one-time-passwords (OTP) for cvs authentication/authorization. If OTPs are desired, the administrator may wish to encourage the use of one of the other Client/Server access methods. See the section on see Remote repositories for a list of other methods.

Right now, the only way to put a password in the cvs passwd file is to paste it there from somewhere else. Someday, there may be a cvs passwd command.

Unlike many of the files in $CVSROOT/CVSROOT, it is normal to edit the passwd file in-place, rather than via cvs. This is because of the possible security risks of having the passwd file checked out to people’s working copies. If you do want to include the passwd file in checkouts of $CVSROOT/CVSROOT, see checkoutlist.

Howto migrate CVS without losing HISTORY file

Posted by phatdee on May 21, 2012
Posted in: CVS. Tagged: . Leave a Comment

How to move CVS repository without losing history?
Log into the CVS repository server
Go to the cvs root dir
tar the whole cvs root dir using the following command tar -zcvf tarfileName .
copy this tar file to the new cvs repository server under the appropriate directory

BEFORE YOU UN-TAR..

On the new server, what I did was just created a new directory on where you wanted  cvs repo to live…then performed a cvs -d init in that directory.  This was of course, after I updated (if needed) inet.d cvs server_args to this location.

Once it inits, you will have a new CVSROOT directory.  Just move this CVSROOT directory to say /tmp.   Then you can either just delete everything again in this directory.  Then un-tar from the previous box…delete the OLD CVSROOT directory or rename/move it.   Move the new CVSROOT directory back.  If you wanted to also keep the old history file, then you can move that from the old CVSROOT to the new one.    Restarted inetd.    That’s it…