This issue affects all products which use the Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

All versions prior to those listed as updates for this issue are vulnerable to some degree.

My infected OS version is CentOS-6 and bash version 4.1.2

[root@host75 ~]# lsb_release -a
lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.4 (Final)
Release: 6.4
Codename: Final

[root@host75 ~]# bash --version
bash --version
GNU bash, version 4.1.2(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Diagnostic Steps:

To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

hmm, I got infected!

[root@host75 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

You are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If your system is vulnerable, update to the most recent version of the Bash package by running the following command:

$ yum update bash

Will this fix my bash?

[root@host75 ~]# yum update bash
Loaded plugins: fastestmirror, security, tmprepo
Loading mirror speeds from cached hostfile
epel/metalink | 15 kB 00:00
* base: centos.eecs.wsu.edu
* epel: mirrors.kernel.org
* extras: centos.chi.host-engine.com
* updates: mirror.raystedman.net
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.3 MB 00:05
extras | 3.3 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 5.3 MB 00:04
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-14.el6 will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================
Package Arch Version Repository Size
================================================================================================================================================
Updating:
bash x86_64 4.1.2-15.el6_5.1 updates 905 k

Transaction Summary
================================================================================================================================================
Upgrade 1 Package(s)

Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.1.x86_64.rpm | 905 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : bash-4.1.2-15.el6_5.1.x86_64 1/2
Cleanup : bash-4.1.2-14.el6.x86_64 2/2
Verifying : bash-4.1.2-15.el6_5.1.x86_64 1/2
Verifying : bash-4.1.2-14.el6.x86_64 2/2

Updated:
bash.x86_64 0:4.1.2-15.el6_5.1

Complete!

Test whether the update patched your bash:

[root@host75 ~]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
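
The diagnostic above, wrapped as an added example (not part of the original post) that classifies the probe output for every bash binary it finds, since `yum update bash` only replaces the packaged one. The candidate paths and the `not-imported` label are assumptions of this sketch; later bash builds import functions only from specially named variables, so they print just the test line with no warning.

```sh
#!/bin/sh
# Added example: classify the result of the diagnostic probe from the post.

# Probe value from the post. Single quotes keep the current shell from
# ever evaluating it; it is only handed to the bash under test via env.
PROBE='() { :;}; echo vulnerable'

# classify_probe_output TEXT
# TEXT is the combined stdout+stderr of the probe command.
classify_probe_output() {
    cpo_out=$1
    if printf '%s\n' "$cpo_out" | grep -qx 'vulnerable'; then
        # Code after the function body was executed on import.
        echo vulnerable
    elif printf '%s\n' "$cpo_out" | grep -q 'ignoring function definition attempt'; then
        # Patched parser rejected the trailing code, as in the post.
        echo patched
    elif printf '%s\n' "$cpo_out" | grep -qx 'this is a test'; then
        # Variable was treated as plain data: no import attempt at all.
        echo not-imported
    else
        echo unknown
    fi
}

# check_bash PATH
# Runs the probe against one bash binary and prints its classification.
check_bash() {
    cb_bin=$1
    [ -x "$cb_bin" ] || { echo missing; return 0; }
    cb_out=$(env x="$PROBE" "$cb_bin" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$cb_out"
}

# scan_bash_binaries
# Candidate paths are assumptions; add any locally built shells.
scan_bash_binaries() {
    for sb_bin in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$sb_bin" ] || continue
        printf '%s\t%s\n' "$sb_bin" "$(check_bash "$sb_bin")"
    done
    return 0
}

scan_bash_binaries
```

Any line reporting `vulnerable` after the update points to a second bash installation that the package manager does not own.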

How does this impact systems:
See the appropriate remediation article for specifics.

Functions written in Bash itself do not need to be changed, even if they are exported with “export -f”. Bash will transparently apply the appropriate naming when exporting, and reverse the process when importing function definitions.

Ref:
http://www.bbc.com/news/technology-29361794
https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability
https://access.redhat.com/articles/1200223
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://lists.gnu.org/archive/html/bug-bash/2014-09/threads.html
https://rhn.redhat.com/errata/RHSA-2014-1306.html


Introduction-
To access virtual disks, a virtual machine uses virtual SCSI controllers. Each virtual disk that a virtual machine can access through one of the virtual SCSI controllers resides in the VMFS datastore, NFS-based datastore, or on a raw disk. The choice of SCSI controller does not affect whether your virtual disk is an IDE or SCSI disk.

The following virtual SCSI controllers are commonly used…

A) BusLogic
– This was one of the first emulated vSCSI controllers available in the VMware platform.
– No updates and considered as legacy or for backward compatibility…

B) LSI Logic Parallel
– This was the other emulated vSCSI controller available originally in the VMware platform.
– Most operating systems had a driver that supported a queue depth of 32 and it became a very common choice, if not the default
– Default for Windows 2003/Vista and Linux

C) LSI Logic SAS
– This is an evolution of the parallel driver to support a new future facing standard.
– It began to grow in popularity when Microsoft required its use for MSCS within Windows 2008 or newer.
– Default for Windows 2008 or newer
– Linux guests SCSI disk hotplug works better with LSI Logic SAS
– Personally I use this

D) VMware Paravirtual (aka PVSCSI)
– This vSCSI controller is virtualization aware and was designed to support very high throughput with minimal processing cost and is therefore the most efficient driver.
– In the past, there were issues if it was used with virtual machines that didn’t do a lot of IOPS, but that was resolved in vSphere 4.1.

* PVSCSI and LSI Logic Parallel/SAS are essentially the same when it comes to overall performance capability.
* Total of 4 vSCSI adapters are supported per virtual machine.  To provide the best performance, one should also distribute virtual disk across as many vSCSI adapters as possible
* Why not IDE? – IDE adapter completes one command at a time while SCSI can queue commands. So SCSI adapter is better optimized for parallel performance. Also Maximum of 4 IDE Devices per VM (includes CDROM) but SCSI allows 60 devices.

Thank You,
Arun


Difference between (Extended) ext2/3 and ext4 File System

* Ext2
-It was introduced in 1993. Developed by Remy Card.
-ext2 stands for second extended file system.
-This was developed to overcome the limitation of the original ext file system.
-ext2 does not have journaling feature.
-ext2 is recommended for flash drives, usb drives etc
-Maximum individual file size can be from 16GB to 2TB (depends on block size)
-Overall ext2 FS size can be from 2TB to 32TB

* Ext3
-It was introduced in 2001. Developed by Stephen Tweedie.
-ext3 stands for third extended file system.
-The main benefit of ext3 is that it allows journaling.
-Journaling has a dedicated area in the file system, where all the changes are tracked. When the system crashes, file system corruption chances are less because of journaling.
-Maximum individual file size can be from 16GB to 2TB
-Overall ext3 FS size can be from 2TB to 32TB
-There are three types of journaling available in ext3 file system.
1) Journal – both Metadata and Content are saved in the journal.
2) Ordered – Only metadata is saved in the journal. Metadata are journaled only after writing the content to disk. This is the default.
3) Writeback – Only metadata is saved in the journal. Metadata might be journaled either before or after the content is written to the disk.
-You can convert a ext2 file system to ext3 file system directly (without backup/restore).

* Ext4
-It was introduced in 2008.
-Ext4 stands for fourth extended file system.
-Starting from Linux Kernel 2.6.19 ext4 was available.
-Maximum individual file size can be from 16 GB to 16TB
-Overall maximum ext4 FS size is 1024PB (petabyte), 1PB = 1024TB (terabyte)
-Directory can contain a maximum of 64,000 subdirectories (as opposed to 32,000 in ext3)
-You can also mount an existing ext3 FS as ext4 fs (without having to upgrade it)
-ext4 default inode size is 256 bytes (in ext3 inode size is 128 bytes).
-Several other new features are introduced in ext4: multiblock allocation, delayed allocation, journal checksum, fast fsck, etc. All you need to know is that these new features have improved the performance and reliability of the filesystem when compared to ext3.
-In ext4, you also have the option of turning the journaling feature “off”.
-Faster file system checking as Unallocated blocks are skipped during FS checking
-Improved timestamps- Up to the nanosecond. Which will defer the year 2038 problem
-Online Defragmentation

What are Extents?
-Ext3 uses a block mapping scheme (block 4Kb); a bigger file needs a huge block map, which leads to slower handling.
-Ext4 introduces the concept of Extents. An extent is basically a “Bunch of blocks”.
Basically it says “the data is in the next N blocks”, i.e. one extent, instead of mapping each individual block separately.
-Ext4 will support up to 128Mb extents. This improves performance and also helps in reducing fragmentation.

Multiblock Allocation-
-Ext3 uses a block allocator that decides which free blocks will be used to write the data. But this allocator can only allocate one block at a time.
-Ext4 will support multi-block allocation, which allocates many blocks in a single call and avoids a lot of overhead.

Thank you,
Arun Bagul

Posted on 23-01-2013
Filed Under (Debian & Ubuntu, Nagios Monitoring, Redhat & Fedora) by Arun Bagul

Introduction-

Nagios Check_mk Multisite (plugin) allows users to view/manage distributed nagios using a single Web based Interface. However, by default it doesn’t support access to pnp4nagios graphs (hosts/services from remote nagios) using the (single) Multisite URL.

* To access PNP4nagios graphs of hosts/services from remote nagios using the (single) Multisite URL, we need to add an Apache Proxy redirect setting.

1] multisite.mk Conf file-

This is my “check_mk/multisite.mk” conf file. (from Primary multisite Server (prod), SITE1 and SITE2 are two remote nagios)

OMD[prod]:~$ cat etc/check_mk/multisite.mk

….
sites = {
    # Primary site
    "local" : {
        "alias" : "PROD"
    },
    # Remote site
    "SITE1": {
        "alias": "SITE1",
        "socket": "tcp:192.168.1.10:6557",
        "url_prefix": "/SITE1/",
        "nagios_url": "/SITE1/nagios",
        "nagios_cgi_url": "/SITE1/nagios/cgi-bin",
        "pnp_url": "/SITE1/pnp4nagios",
    },
    # Remote site
    "SITE2": {
        "alias": "SITE2",
        "socket": "tcp:192.168.2.10:6557",
        "url_prefix": "/SITE2/",
        "nagios_url": "/SITE2/nagios",
        "nagios_cgi_url": "/SITE2/nagios/cgi-bin",
        "pnp_url": "/SITE2/pnp4nagios",
    },
}
….
…..
OMD[prod]:~$

2] Apache Proxy Redirect for PNP4nagios –

OMD[prod]:~# cat /etc/httpd/conf.d/multisite_proxy.conf
#SITE1
<Location /SITE1/>
RewriteEngine On
RewriteRule ^/.+/SITE1/(.*) http://192.168.1.10/SITE1/$1 [P]
</Location>

#SITE2
<Location /SITE2/>
RewriteEngine On
RewriteRule ^/.+/SITE2/(.*) http://192.168.2.10/SITE2/$1 [P]
</Location>

OMD[prod]:~#

That’s it! Now you can access pnp4nagios graphs from remote nagios hosts/services using the single Multisite URL.

Thank you,
Arun Bagul

Posted on 13-02-2012
Filed Under (Debian & Ubuntu, UNIX/Linux) by Arun Bagul

Introduction –
Packages generally contain all of the files necessary to implement a set of related commands or features. There are two types of Debian packages:
1) Binary packages, which contain executables, configuration files, man/info pages, copyright information, and other documentation.
These packages are distributed in a Debian-specific archive format; they are usually distinguished by having a ‘.deb’ file extension.
Binary packages can be unpacked using the Debian utility dpkg (possibly via a frontend like aptitude).

2) Source packages, which consist of a .dsc file describing the source package (including the names of the following files), a .orig.tar.gz file that contains the original unmodified source in gzip-compressed tar format and usually a .diff.gz file that contains the Debian-specific changes to the original source. The utility dpkg-source packs and unpacks Debian source archives.
Installation of software by the package system uses “dependencies” which are carefully designed by the package maintainers.  These dependencies are documented in the control file associated with each package.

Step 1) Install a few deb packages as prerequisites –

arunb@laptop:~# apt-get install fakeroot build-essential

Step 2) Create directory where you will be putting your build data –

arunb@laptop:~# mkdir /var/create-deb-pkg/
arunb@laptop:~# chown arunb:arunb /var/create-deb-pkg/

Step 3) extract source and manually compile your software –

I compiled my software ie openlsm as shown below…

# cd /var/src/
tar xvfz openlsm-0.99-r51.tar.gz
cd openlsm-0.99-r51/
./configure --prefix=/usr/local/openlsm --with-mysql=/usr/bin/mysql_config --enable-internal-pcre --with-geoip=/usr --with-ldap=/usr
make
make install

Step 4) Create directory structure for creating deb package and copy build code/data –

arunb@laptop:~$ cd  /var/create-deb-pkg/

arunb@laptop:/var/create-deb-pkg$ mkdir openlsm-0.99-r51
arunb@laptop:/var/create-deb-pkg$ mkdir -p openlsm-0.99-r51/usr/local/
arunb@laptop:/var/create-deb-pkg$ mkdir openlsm-0.99-r51/DEBIAN/

** copying my build code here

arunb@laptop:/var/create-deb-pkg$ cp -fr /usr/local/openlsm/  openlsm-0.99-r51/usr/local/

arunb@laptop:/var/create-deb-pkg$ ll openlsm-0.99-r51/
drwxr-xr-x 2 arunb arunb 4096 2012-01-19 16:34 DEBIAN/
drwxr-xr-x 3 arunb arunb 4096 2012-01-19 16:31 usr/

Step 5) Define/Create deb package control files in DEBIAN directory –

arunb@laptop:/var/create-deb-pkg$ ll openlsm-0.99-r51/DEBIAN/
-rw-r--r-- 1 arunb arunb   179 2012-01-19 16:34 changelog
-rw-r--r-- 1 arunb arunb   139 2012-01-19 16:34 conffiles
-rw-r--r-- 1 arunb arunb   419 2012-01-19 16:34 control
-rw-r--r-- 1 arunb arunb 17696 2012-01-19 16:34 md5sums
-rwxr-xr-x 1 arunb arunb   535 2012-01-19 16:34 postinst
-rwxr-xr-x 1 arunb arunb   227 2012-01-19 16:34 postrm
-rwxr-xr-x 1 arunb arunb   303 2012-01-19 16:34 preinst
-rw-r--r-- 1 arunb arunb     0 2012-01-19 16:34 rules

* DEBIAN/rules – file is empty

* DEBIAN/changelog file –

arunb@laptop:/var/create-deb-pkg$ cat openlsm-0.99-r51/DEBIAN/changelog
openlsm (0.99) stable; urgency=low

  * openlsm web server for admin panel
    + 0.99 released – Jun 2009

 -- Arun Bagul <arunbagul@indiangnu.org>  Tue, 01 Jun 2009 01:31:52 -0530
arunb@laptop:/var/create-deb-pkg$

* DEBIAN/control file –

arunb@laptop:/var/create-deb-pkg$ cat openlsm-0.99-r51/DEBIAN/control
Package: openlsm
Version: 0.99-r51
Architecture: i386
Maintainer: Arun Bagul <arunbagul@indiangnu.org>
Provides: httpd, httpd-cgi
Section: httpd
Priority: optional
Homepage: http://openlsm.sourceforge.net/
Description: openlsm is web-based control panel for Unix/Linux systems
 openlsm is web-based control panel for Unix/Linux systems
 and Web Hosting! openlsm handles all aspects of administration in its interface.

* DEBIAN/postinst file (perform after installing package) –

arunb@laptop:/var/create-deb-pkg$
arunb@laptop:/var/create-deb-pkg$ cat openlsm-0.99-r51/DEBIAN/postinst
#!/bin/sh

set -e
SOFT="openlsm"
echo "Copying pam.d/openlsm and init.d/openlsm file"
cp -fv /usr/local/${SOFT}/etc/pam.d/openlsm   /etc/pam.d/openlsm
cp -fv /usr/local/${SOFT}/etc/init.d/openlsm  /etc/init.d/openlsm
test -f /etc/init.d/openlsm && chmod 755 /etc/init.d/openlsm

update-rc.d openlsm defaults

echo "Changing permission of '/usr/local/openlsm/'"
chown openlsm:openlsm -R /usr/local/openlsm/
echo "Please run this cmd to generate Certificate for openlsm ~ '/usr/local/openlsm/bin/openlsm-create-certificate'"
exit 0

* DEBIAN/postrm file (take action before removing package) –

arunb@laptop:/var/create-deb-pkg$ cat openlsm-0.99-r51/DEBIAN/postrm
#! /bin/sh

set -e

echo "postrm step -"

update-rc.d -f openlsm remove
rm -vf /etc/init.d/openlsm /etc/pam.d/openlsm
echo "Deleting user & group - 'openlsm'..."
userdel openlsm
getent group openlsm && groupdel openlsm

exit 0
arunb@laptop:/var/create-deb-pkg$

* DEBIAN/md5sums –

arunb@laptop:/var/create-deb-pkg$ head openlsm-0.99-r51/DEBIAN/md5sums
2129ba0e98dd77e8879e0912abe432a3  /usr/local/openlsm/sbin/openlsm-worker
a1dbdafadefd74bac29c8fd229dd1c01  /usr/local/openlsm/bin/openlsm-panic
e57e75853b52caf9569c922b7c404129  /usr/local/openlsm/bin/openlsm-tweak
..

arunb@laptop:/var/create-deb-pkg$

* DEBIAN/conffiles file –

arunb@laptop:/var/create-deb-pkg$ cat openlsm-0.99-r51/DEBIAN/conffiles
/usr/local/openlsm/etc/openlsm/openlsm.conf
/usr/local/openlsm/etc/openlsm/openlsm.conf.perf_sample
arunb@laptop:/var/create-deb-pkg$

Step 6) Create deb package now –

arunb@techops-i-arunb:/var/create-deb-pkg$ ls -l
drwxr-xr-x 4 arunb arunb 4096 2012-01-19 16:43 openlsm-0.99-r51

* creating deb package now…

arunb@techops-i-arunb:/var/create-deb-pkg$ fakeroot dpkg-deb --build openlsm-0.99-r51/
dpkg-deb: building package `openlsm' in `openlsm-0.99-r51.deb'.

arunb@techops-i-arunb:/var/create-deb-pkg$ ls -l
drwxr-xr-x 4 arunb arunb    4096 2012-01-19 16:43 openlsm-0.99-r51
-rw-r--r-- 1 arunb arunb 3491738 2012-01-19 16:52 openlsm-0.99-r51.deb

* rename your package if required like arch etc

arunb@techops-i-arunb:/var/create-deb-pkg$ mv openlsm-0.99-r51.deb openlsm-0.99-r51_i386.deb

arunb@techops-i-arunb:/var/create-deb-pkg$ ls -l
drwxr-xr-x  4 arunb arunb    4096 2012-01-19 16:43 openlsm-0.99-r51/
-rw-r--r--  1 arunb arunb 3491738 2012-01-19 16:52 openlsm-0.99-r51_i386.deb
arunb@techops-i-arunb:/var/create-deb-pkg$

* That’s it, enjoy Debian/Ubuntu!

Thank you,
Arun Bagul


Introduction –

For some people (like me) the new default Unity desktop in Ubuntu doesn’t look easy to operate.  However the Ubuntu is trying to differentiate itself with a distinctive to improve user experience (Ubuntu is rocking!!). Ubuntu 11.04, is using Unity as its default desktop interface instead of the classic GNOME.

If you’re running Ubuntu 11.4 and don’t like to use Unity, you can switch back to the old classic GNOME interface as shown below.

It’s actually pretty simple  to choose between Unity and the classic GNOME user interface…

[1] During login time, Go to your logon screen, select the user you want to log in as.
– At the bottom task bar you can choose between different modes. Select “Ubuntu Classic”.
– Log in as normal.

* Another way to change theme is..

[2] Go to your (click on) “logout” button on top panel, select the “System Settings”..

– This will open “Control Center” then click on “Login Screen” setting tool.
– Where you can choose different themes. Select “Ubuntu Classic”.
NOTE- Please unlock before changing the setting ie provide your password

That’s it.

Regards,
Arun


Hello Everyone,
In day-to-day system admin activities, you often get stuck connecting to a remote server because of an unsupported timeout setting. Here is the perfect solution for that: ‘hatools’. Thanks ‘MARKUS WINAND’. You can find this tool at http://www.fatalmind.com/software/hatools/

This tool will help you to manage your application and code with a specific timeout and lock, so you can be assured and go to sleep  😀

Download hatools from www.fatalmind.com (http://www.fatalmind.com/software/hatools/hatools-2.14.tar.bz2)

[root@testbed ~]# wget http://www.fatalmind.com/software/hatools/hatools-2.14.tar.bz2

[root@testbed ~]# tar xjvf hatools-2.14.tar.bz2 && cd hatools-2.14

The installation should be very seamless by just doing (Find the doc ‘README’)

[root@testbed hatools-2.14]# ./configure
[root@testbed hatools-2.14]#  make && make install

Now test the hatimerun command

[root@testbed ~]# hatimerun -h
usage: hatimerun [-a] [-e exitcode] [-k signame] -t secs command [args]
hatimerun [-l|-h|-?]
Options:
-a           Async mode. Starts hatimerun in the background
-e exitcode  Changes the exitcode returned by hatimerun on fail
-k signame   Specifies the signal witch will be sent to the process group
if a timeout occures
-t secs      Specifies the timeout in seconds
-l           Print list of available signals on this platform and exit.

Version:
V2.00
Copyright (c) 2001,2003,2005-2007 by Markus Winand <mws@fatalmind.com>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

[root@testbed ~]# hatimerun -k TERM -t 15 -t 1 ssh testbed140 uptime
04:36:23 up  3:24,  0 users,  load average: 0.51, 0.40, 0.31

Check with wrong or any ssh port blocked server and get timeout watch. 🙂

Here I have written a small script for testing purposes; you can change and use it as you want.

#!/bin/bash

# To check and debug, run this script in the following way:
# bash -x <script name> <servername> <cmd>

server=$1   # server name or IP
cmd=$2      # command
sec=15      # timeout in seconds; change as per your need

# Quote the variables so empty or multi-word arguments are tested correctly
test -z "$server" && echo "server not found" && echo "Usage: $0 {servername} {command}" && exit 1
test -z "$cmd" && echo "command not found" && echo "Usage: $0 {servername} {command}" && exit 1
echo "connecting to $server, timewait set for connection is $sec Sec......."

hatimerun -k TERM -t "$sec" -t 1 ssh "$server" "$cmd"
if [ $? != 0 ] ; then
    echo "$server connection timeout ..."
fi

-Ravi

Aug
18

Introduction –

In this article we will setup SFTP using rssh with chroot ….

A] How to configure rssh + chroot for SFTP

Step 1) Install RSSH Shell ~

* Ubuntu –

root@me:/home/arunb# apt-get install scponly rssh coreutils17

* Redhat/CentOS

[root@arun.me chroot]# yum install  rssh
[root@arun.me chroot]# rpm -qa | grep rssh
rssh-2.3.2-1.2.el5.rf
[root@arun.me chroot]#

Step 2) Your Chroot Setting –

[root@arun.me ~]# cat /etc/rssh.conf
# This is the default rssh config file

logfacility = LOG_USER
###### arun ########
allowsftp
# set the default umask
umask = 022
chrootpath ="/home/chroot"
###### end ########

Step 3) Create user ~

[root@arun.me ~]# mkdir /home/chroot/
[root@arun.me ~]# useradd -d /home/chroot/home/sftp_test -s /usr/bin/rssh sftp_test
[root@arun.me ~]# passwd sftp_test

* Now add following line in “/etc/rssh.conf” file…

user ="sftp_test:022:00010:/home/chroot/sftp_test"

*** [root@arun.me ~]# tail /etc/passwd

sftp_test:x:503:503::/home/chroot/home/sftp_test:/usr/bin/rssh

Step 4) Allow the chroot to log via syslogd ~

Add the following entry in file “/etc/sysconfig/syslog” and restart syslogd

SYSLOGD_OPTIONS="-m 0 -a /home/chroot/dev/log -a /dev/log"

[root@arun.me ~]# /etc/init.d/syslog restart

Step 5) Now setup Chroot ENV –

[root@arun.me ~]# /var/src/arun_rssh_mkchroot.sh /home/chroot/

[root@arun.me ~]# cd /home/chroot/

[root@arun.me chroot]# mknod --mode=600 dev/console c 5 1
[root@arun.me chroot]# mknod --mode=666 dev/null c 1 3

[root@arun.me chroot]# /var/src/arun_shared_lib.sh  usr/libexec/openssh/sftp-server

[root@arun.me chroot]# cp /lib/libnss_files.so.2 lib/libnss_files.so.2
[root@arun.me chroot]# cp /lib64/libnss_files.so.2 lib64/libnss_files.so.2

Step 6) Test now ~

arunb@me:~$ sftp sftp_test@192.168.0.1
Connecting to 192.168.0.1…
sftp_test@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_test
sftp> ls
arun manoj mayur ravi
sftp>

sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp>

Step 7) Process for New user ~

a) [root@arun.me chroot]# useradd -d /home/chroot/home/sftp_tmp -s /usr/bin/rssh sftp_tmp
[root@arun.me chroot]# passwd sftp_tmp

b) Add line in file “/etc/rssh.conf”

user ="sftp_tmp:022:00010:/home/chroot"

c) Copy user entry from /etc/{passwd,group,shadow} files TO CHROOT {passwd,group,shadow} files ~

NOTE ~ be careful…

[root@arun.me chroot]# grep sftp_tmp /etc/passwd >> /home/chroot/etc/passwd
[root@arun.me chroot]# grep sftp_tmp /etc/group >> /home/chroot/etc/group
[root@arun.me chroot]# grep sftp_tmp /etc/shadow >> /home/chroot/etc/shadow

[root@arun.me ~]# cat /home/chroot/etc/{passwd,group,shadow}

sftp_tmp:x:504:504::/home/chroot/home/sftp_tmp:/usr/bin/rssh
bin:x:1:bin,daemon
daemon:x:2:bin,daemon
sftp_test:x:503:
sftp_tmp:x:504:
bin:*:14797:0:99999:7:::
daemon:*:14797:0:99999:7:::
sftp_test:$1$Ei5oj.yu$P5FDHHI1POxIIv5562BIm/:14798:0:99999:7:::
sftp_tmp:$1$wZ6Qk3R/$ANRx5MkBA91pjzE/Dr3vK.:14798:0:99999:7:::
[root@arun.me chroot]#

Step 8) Test it now from other linux host

bagul@me:~$ sftp sftp_tmp@192.168.0.1
Connecting to 192.168.0.1…
sftp_tmp@192.168.0.1’s password:
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp> ls
sftp> ls
1 2 3 a b c
sftp> pwd
Remote working directory: /home/sftp_tmp
sftp>
sftp>
sftp> ls /
/dev /etc /home /lib /lib64 /usr
sftp> cd /etc
sftp> pwd
Remote working directory: /etc
sftp> ls
group ld.so.cache ld.so.conf localtime nsswitch.conf passwd shadow
sftp>
sftp> get 1
Fetching /home/sftp_tmp/1 to 1
/home/sftp_tmp/1 100% 14 0.0KB/s 00:00
sftp> mkdir arun
sftp> ls
1 2 3 a arun b c
sftp> version
SFTP protocol version 3
sftp> rm c
Removing /home/sftp_tmp/c
sftp>

Step 9) What is required for CHROOT ~

[root@arun.me chroot]# pwd
/home/chroot
[root@arun.me chroot]# ll
drwxr-xr-x 2 root root 4096 Jul 8 07:50 dev
drwxr-xr-x 2 root root 4096 Jul 8 07:50 etc
drwxr-xr-x 4 root root 4096 Jul 8 07:51 home
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib
drwxr-xr-x 2 root root 4096 Jul 8 07:28 lib64
drwxr-xr-x 5 root root 4096 Jul 8 07:05 usr
[root@arun.me chroot]# ll -ld /home/
drwxr-xr-x 6 root root 4096 Jul 8 08:00 /home/
[root@arun.me chroot]# ll dev/
crw------- 1 root root 5, 1 Jul 8 07:13 console
srw-rw-rw- 1 root root 0 Jul 8 07:50 log
crw-rw-rw- 1 root root 1, 3 Jul 8 07:14 null
[root@arun.me chroot]# ll etc/
-rw-r--r-- 1 root root 74 Jul 8 07:55 group
-rw-r--r-- 1 root root 81321 Jul 8 07:05 ld.so.cache
-rw-r--r-- 1 root root 28 Jul 8 07:05 ld.so.conf
-rw-r--r-- 1 root root 3519 Jul 8 07:16 localtime
-rw-r--r-- 1 root root 1696 Jul 8 07:16 nsswitch.conf
-rw-r--r-- 1 root root 192 Jul 8 07:55 passwd
-r-------- 1 root root 180 Jul 8 07:55 shadow
[root@arun.me chroot]# ll lib
-rwxr-xr-x 1 root root 46680 Jul 8 07:28 libnss_files-2.5.so
lrwxrwxrwx 1 root root 19 Jul 8 07:05 libnss_files.so.2 -> libnss_files-2.5.so
[root@arun.me chroot]# ll lib64
-rwxr-xr-x 1 root root 139416 Jul 8 07:10 ld-linux-x86-64.so.2
-rwxr-xr-x 1 root root 10000 Jul 8 07:18 libcom_err.so.2
-rwxr-xr-x 1 root root 1366176 Jul 8 07:18 libcrypto.so.6
-rwxr-xr-x 1 root root 48600 Jul 8 07:18 libcrypt.so.1
-rwxr-xr-x 1 root root 1717800 Jul 8 07:18 libc.so.6
-rwxr-xr-x 1 root root 23360 Jul 8 07:18 libdl.so.2
-rwxr-xr-x 1 root root 9472 Jul 8 07:18 libkeyutils.so.1
-rwxr-xr-x 1 root root 114352 Jul 8 07:18 libnsl.so.1
-rwxr-xr-x 1 root root 53880 Jul 8 07:28 libnss_files.so.2
-rwxr-xr-x 1 root root 145824 Jul 8 07:18 libpthread.so.0
-rwxr-xr-x 1 root root 92736 Jul 8 07:18 libresolv.so.2
-rwxr-xr-x 1 root root 95464 Jul 8 07:18 libselinux.so.1
-rwxr-xr-x 1 root root 247496 Jul 8 07:18 libsepol.so.1
-rwxr-xr-x 1 root root 18152 Jul 8 07:18 libutil.so.1
[root@arun.me chroot]# ll usr/
drwxr-xr-x 2 root root 4096 Jul 8 07:05 bin
drwxr-xr-x 2 root root 4096 Jul 8 07:05 lib64
drwxr-xr-x 3 root root 4096 Jul 8 07:05 libexec
[root@arun.me chroot]# ll usr/bin
-rwxr-xr-x 1 root root 33265 Jul 8 07:05 rssh
-rwxr-xr-x 1 root root 53384 Jul 8 07:05 scp
[root@arun.me chroot]# ll usr/lib64
-rwxr-xr-x 1 root root 190976 Jul 8 07:18 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 153464 Jul 8 07:18 libk5crypto.so.3
-rwxr-xr-x 1 root root 613896 Jul 8 07:18 libkrb5.so.3
-rwxr-xr-x 1 root root 35728 Jul 8 07:18 libkrb5support.so.0
-rwxr-xr-x 1 root root 229272 Jul 8 07:18 libnspr4.so
-rwxr-xr-x 1 root root 1221496 Jul 8 07:18 libnss3.so
-rwxr-xr-x 1 root root 119696 Jul 8 07:18 libnssutil3.so
-rwxr-xr-x 1 root root 17736 Jul 8 07:18 libplc4.so
-rwxr-xr-x 1 root root 13800 Jul 8 07:18 libplds4.so
-rwxr-xr-x 1 root root 85608 Jul 8 07:18 libz.so.1
[root@arun.me chroot]# ll usr/libexec
drwxr-xr-x 2 root root 4096 Jul 8 07:05 openssh
-rwsr-xr-x 1 root root 69892 Jul 8 07:05 rssh_chroot_helper
[root@arun.me chroot]# ll usr/libexec/openssh
total 56
-rwxr-xr-x 1 root root 53080 Jul 8 07:05 sftp-server
[root@arun.me chroot]#
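
A check of a chroot tree against the permissions shown in the Step 9 listing, as an added example that is not part of the original post: top-level directories owned by root and not group- or world-writable, `etc/shadow` readable by its owner only, and no setuid/setgid file other than `usr/libexec/rssh_chroot_helper`. The function name, the finding messages and the optional owner argument are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: audit an rssh chroot tree against the Step 9 listing.

# audit_chroot ROOT [OWNER]
# Prints one finding per line. Returns 0 when clean, 1 when anything is off.
# OWNER defaults to root, as in the listing; a numeric uid is accepted.
audit_chroot() {
    ac_root=${1%/}
    ac_owner=${2:-root}
    ac_out=$(
        # The chroot root and its top-level directories belong to OWNER.
        find "$ac_root" -maxdepth 1 -type d ! -user "$ac_owner" |
            sed "s|^|wrong owner (want $ac_owner): |"

        # None of them may be writable by group or others, otherwise a
        # confined user could replace etc/, lib/ or usr/ contents.
        find "$ac_root" -maxdepth 1 -type d \( -perm -020 -o -perm -002 \) |
            sed 's|^|group/world-writable directory: |'

        # The copied shadow file holds password hashes: owner-only.
        if [ -e "$ac_root/etc/shadow" ]; then
            find "$ac_root/etc/shadow" \( -perm -040 -o -perm -004 \) |
                sed 's|^|shadow readable beyond owner: |'
        fi

        # The listing shows exactly one setuid binary inside the chroot.
        find "$ac_root" -type f \( -perm -4000 -o -perm -2000 \) \
            ! -path "$ac_root/usr/libexec/rssh_chroot_helper" |
            sed 's|^|unexpected setuid/setgid file: |'
    )
    [ -z "$ac_out" ] && return 0
    printf '%s\n' "$ac_out"
    return 1
}

# Run against the chroot path used in the post when it exists on this host.
if [ -d /home/chroot ]; then
    audit_chroot /home/chroot || true
fi
```

Re-run it after each Step 7 user addition, since appending to the chroot's passwd, group and shadow files is where modes are most likely to drift.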

Thank you,
Arun Bagul

Posted on 20-05-2010
Filed Under (Debian & Ubuntu, General information) by Arun Bagul

Introduction –

Xsplash is the theme which you will see during ubuntu booting process!

Step 1] Go to the directory – “/usr/share/images/xsplash”

root@me:~# cd /usr/share/images/xsplash
root@me:/usr/share/images/xsplash#

*** Take backup of original theme –

root@me:/usr/share/images/xsplash# cp -fr /usr/share/images/xsplash/ /usr/share/images/xsplash-original

Step 2] Download Xsplash themes –

URL – “http://gnome-look.org/content/show.php/Fusion-GX-v00+%5B200911-21%5D?content=115833” OR “http://espiralx.org/05-Compartir/09-Gnome.html”

Step 3] Copy this theme files to /usr/share/images/xsplash/ directory and check the xsplash using ‘xsplash’ command.

root@me:~# xsplash

Thank you,
Arun Bagul

Posted on 19-04-2010

Introduction ~ GRUB is a perfect boot loader for Linux/Unix systems! GRUB-2 supports several features that are important for every system admin.

* Platform support – GRUB 2 is intended to work across a wider range of architectures.
* Partition tables – GRUB-2 supports MBR partitioning scheme and GUID Partition Table (GPT).
* RAID and LVM – GRUB now supports both redundant array of independent disks (RAID) and Logical Volume Manager (LVM).
* File system support – GRUB 2 supports some additional non-Linux file systems, such as Apple’s Hierarchical File System Plus, NTFS  and  ZFS file systems…

* Configuring GRUB 2 –

GRUB 2 configuration file is different from legacy GRUB….

The default location for the GRUB 2 configuration file is /boot/grub/grub.cfg

* Sample GRUB 2 configuration file

root@me:~# cat /boot/grub/grub.cfg

set timeout=10
set default=0

menuentry "Ubuntu, Linux 2.6.31-20-generic" {
    set quiet=1
    insmod ext2
    set root=(hd0,6)
    search --no-floppy --fs-uuid --set 7699852c-2a04-4da2-82e8-a69969f16bf2
    linux /boot/vmlinuz-2.6.31-20-generic root=UUID=7699852c-2a04-4da2-82e8-a69969f16bf2 ro quiet splash
    initrd /boot/initrd.img-2.6.31-20-generic
}

Thanks,
Arun Bagul
