Archive for July, 2010

Favorite poem – 17

July 27, 2010

It is the hour when from the boughs
The nightingale’s high note is heard;
It is the hour when lovers’ vows
Seem sweet in every whisper’d word;
And gentle winds, and waters near,
Make music to the lonely ear,
Each flower the dews have lightly wet,
And in the sky the stars are met,
And on the wave is deeper blue,
And on the leaf a browner hue
And in the heaven that clear obscure,
So softly dark, and darkly pure,
Which follows the decline of day,
As twilight melts beneath the moon away.

– G. G. BYRON.


sftp without shell access

July 15, 2010

OpenSSH 4.8 was the first version of the famous daemon to ship with built-in chroot support (the ChrootDirectory directive) and an in-process SFTP server (internal-sftp). Confining SFTP-only users to a chroot and forcing internal-sftp, so that no shell is ever started for them, is a clean way to give a few users secure access to exchange files without giving them a login on the box.

1. Edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config).

Replace the line "Subsystem sftp /usr/lib/openssh/sftp-server" with:

Subsystem sftp internal-sftp

UsePAM yes

Match User user1
# The following two directives force user1 to become chrooted
# and only have sftp available.  No other chroot setup is required.
ChrootDirectory /sftp-upload
ForceCommand internal-sftp
# For additional paranoia, disallow all types of port forwardings.
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no

Two things to keep in mind: everything after a Match line applies only to the matching connections (until the next Match or the end of the file), so put the block at the end of sshd_config; and sshd refuses to chroot unless /sftp-upload and every directory above it are owned by root and writable by nobody else, which is why the user gets a writable subdirectory inside the chroot rather than the chroot itself.

2. Now add a user as follows. The home directory is interpreted inside the chroot, so user1 lands in /sftp-upload/user1 after login; the shell is never started because of ForceCommand, so /bin/false is fine:

useradd -d /user1 -s /bin/false user1

3. Create the user's writable directory inside the chroot (create /sftp-upload first, as root, if it does not exist yet). The chroot directory itself stays owned by root with mode 755; only the subdirectory belongs to user1:

cd /sftp-upload
mkdir user1
chown -R user1:user1 user1/

4. Check the configuration with sshd -t, then restart or reload your sshd daemon (kill -HUP <sshd pid>).
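The ownership and mode rule from step 3 is the usual reason a fresh chroot setup fails at login. The script below is an added example, not code from the original post: it walks from / down to the intended ChrootDirectory and reports any component that is not owned by the expected uid or is group- or world-writable, which is exactly what sshd checks before it chroots. It assumes the post's layout (/sftp-upload); the optional OWNER_UID argument is an assumption added so the check can be exercised on a scratch tree that is not root-owned, and in production it stays at the default of 0.

```shell
#!/bin/sh
# Added example, not from the original post: check a ChrootDirectory before
# restarting sshd. sshd refuses to chroot ("bad ownership or modes for chroot
# directory") unless every component of the path, from / down, is owned by
# root and writable by nobody else. That is why the post gives user1 the
# subdirectory /sftp-upload/user1 instead of the chroot itself.
# The optional OWNER_UID argument (default 0) is an assumption added so the
# check can run against a scratch tree that is not root-owned.
set -u

# check_dir DIR OWNER_UID: print one line per violation, return 1 if any.
check_dir() {
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    set -- "$1" "$2" $(ls -ldn "$1")
    dir=$1; want=$2; mode=$3; uid=$5
    bad=0
    if [ "$uid" != "$want" ]; then
        echo "$dir: owned by uid $uid, expected $want"; bad=1
    fi
    case $mode in
        ?????w*|????????w*)   # group (char 6) or other (char 9) write bit set
            echo "$dir: group- or world-writable ($mode)"; bad=1 ;;
    esac
    return $bad
}

# check_chroot_path DIR [OWNER_UID]: check / and every component down to DIR.
check_chroot_path() {
    target=$1; want=${2:-0}; rc=0
    check_dir / "$want" || rc=1
    oldifs=$IFS; IFS=/
    set -- $target
    IFS=$oldifs
    path=""
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        check_dir "$path" "$want" || rc=1
    done
    return $rc
}

# Usage: sh check-chroot.sh /sftp-upload
if [ $# -ge 1 ]; then
    if check_chroot_path "$1"; then
        echo "$1: acceptable as ChrootDirectory; now run sshd -t and reload sshd"
    else
        exit 1
    fi
fi
```

Run it as any user before reloading sshd; a clean result plus a passing sshd -t means the Match block will actually take effect. Note that user1's own directory is not checked on purpose: it sits below the chroot and is meant to be writable by user1.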

Non-standard: only restrict shell access

You want to allow a user to place files or folders in his/her home directory through an sftp client or WinSCP, but you don't want to give any kind of shell access. Here is a simple trick to restrict this.

Just change his login shell to /usr/local/libexec/sftp-server (Solaris) or /usr/lib/openssh/sftp-server (Linux).

This is not a chroot: the user can still read anything the Unix permissions allow, and can still request port forwarding unless it is disabled in sshd_config. So if you want to restrict access to your sensitive data, also remove the read (r) and execute (x) permissions for others on those files and folders. On an sshd new enough to support it, prefer the Match/ForceCommand internal-sftp setup above.

Redirecting port 80 traffic to port 8080

July 15, 2010

I open ports 80 and 443 on my firewall. My Tomcat installation listens on ports 8080 and 8443, but binding Tomcat to port 80 or 443 itself would require root privileges (ports below 1024 are privileged). The simple solution is to redirect any request arriving on port 80 to port 8080 with a NAT rule. Here is the trick:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
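The post mentions both port pairs, and a rule added with -A every time the script runs piles up duplicates. The script below is an added example, not from the original post: it installs the 80 to 8080 and 443 to 8443 REDIRECTs, skipping any rule that is already present. It assumes eth0 is the public interface and an iptables that supports the -C (check) option; the IPTABLES and IFACE variables are assumptions added so either can be overridden.

```shell
#!/bin/sh
# Added example, not from the original post: install both REDIRECT rules
# (80 -> 8080 and 443 -> 8443) without duplicating them on re-runs.
# Assumes eth0 is the public interface and an iptables with the -C (check)
# option; override IPTABLES/IFACE in the environment to change either.
set -eu

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"

# rule_spec PUBLIC_PORT TOMCAT_PORT: the match/target part of one rule.
rule_spec() {
    printf '%s' "-i $IFACE -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# add_redirect PUBLIC_PORT TOMCAT_PORT: append the rule to nat/PREROUTING
# unless an identical rule is already present (-C returns 0 if it is).
add_redirect() {
    spec=$(rule_spec "$1" "$2")
    # $spec is deliberately unquoted so it splits into separate arguments
    if "$IPTABLES" -t nat -C PREROUTING $spec 2>/dev/null; then
        echo "port $1 -> $2: rule already present"
    else
        "$IPTABLES" -t nat -A PREROUTING $spec
    fi
}

# Usage (as root): sh redirect.sh apply
if [ "${1:-}" = apply ]; then
    add_redirect 80 8080
    add_redirect 443 8443
fi
```

Three caveats a practitioner will hit: PREROUTING only rewrites packets that arrive on eth0, so a connection from the box itself to localhost:80 is untouched (it would need the same REDIRECT in the nat OUTPUT chain); Tomcat's 8080 and 8443 remain directly reachable on the host, so the firewall must keep blocking them from outside; and the rules are gone after a reboot unless saved with iptables-save.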

Adding new HDD on Solaris

July 4, 2010

Solaris 10 x86 Disk Controller Table (s0-s7 are the eight slices of each disk)

IDE

/dev/rdsk/c0d0s0-s7    Primary IDE Master
/dev/rdsk/c0d1s0-s7    Primary IDE Slave
/dev/rdsk/c1d0s0-s7    Secondary IDE Master
/dev/rdsk/c1d1s0-s7    Secondary IDE Slave

SCSI

/dev/rdsk/c0t0d0s0-s7  First SCSI controller, target 0, disk drive
/dev/rdsk/c0t1d0s0-s7  First SCSI controller, target 1, disk drive
/dev/rdsk/c0t2d0s0-s7  First SCSI controller, target 2, disk drive
/dev/rdsk/c0t3d0s0-s7  First SCSI controller, target 3, disk drive
/dev/rdsk/c0t4d0s0-s7  First SCSI controller, target 4, disk drive
/dev/rdsk/c0t5d0s0-s7  First SCSI controller, target 5, disk drive
/dev/rdsk/c0t6d0s0-s7  First SCSI controller, target 6, disk drive
/dev/rdsk/c0t7d0s0-s7  First SCSI controller, target 7, disk drive

After installing the new disk, log in as root.

# drvconfig ( configure the /devices directory )
# disks ( create /dev entries for hard disks attached to the system )
# format
Searching for disks...done

AVAILABLE DISK SELECTIONS:
0. c0d0
/pci@0,0/pci-ide@7,1/ide@0/cmdk@0,0
1. c1t6d0
/pci@0,0/pci9004,8178@f/sd@6,0
Specify disk (enter its number): (select your new drive by its number)

AVAILABLE DRIVE TYPES:
0. other
1. default
Specify disk type (enter its number): (select one)

format> fdisk
No fdisk table exists. The default partition for the disk is:

a 100% "SOLARIS System" partition

Type "y" to accept the default partition, otherwise type "n" to edit the
partition table.
y

WARNING: Solaris fdisk partition changed - Please relabel the disk

If you answer "n" instead, fdisk asks you to build the partition yourself (the answers used here are 1, 100 and n):

format> fdisk

Select the partition type to create:
1=SOLARIS    2=UNIX       3=PCIXOS     4=Other
5=DOS12      6=DOS16      7=DOSEXT     8=DOSBIG
9=DOS16LBA   A=x86 Boot   B=Diagnostic C=FAT32
D=FAT32LBA   E=DOSEXTLBA  0=Exit? 1

Specify the percentage of disk to use for this partition
(or type "c" to specify the size in cylinders). 100

Should this become the active partition? If yes, it will be activated
each time the computer is reset or turned on.
Please type "y" or "n". n

WARNING: Solaris fdisk partition changed - Please relabel the disk

format> partition

PARTITION MENU:
0 - change '0' partition
1 - change '1' partition
2 - change '2' partition
3 - change '3' partition
4 - change '4' partition
5 - change '5' partition
6 - change '6' partition
7 - change '7' partition
select - select a predefined table
modify - modify a predefined partition table
name - name the current table
print - display the current table
label - write partition map and label to the disk
!<cmd> - execute <cmd>, then return
quit
partition> print
Current partition table (cyl):
Total disk cylinders available: 25229 + 2 (reserved cylinders)
partition> 0 (edit slice 0: answer the prompts for its tag, flags, starting cylinder and size)

partition> print

partition> label
Ready to label disk, continue? y

partition> quit
format> label

Ready to label disk, continue? y
format> quit

# newfs /dev/rdsk/c0t1d0s2
# mkdir /new-disk1

Use the device name of the disk you selected in format and the slice you actually sized in the partition menu (slice 0 above); slice 2 conventionally spans the whole disk and is best left alone. Now mount it manually (mount /dev/dsk/c0t1d0s2 /new-disk1) and add the entry to /etc/vfstab. Note the full path: plain ">> vfstab" would create a file in the current directory and the mount would silently not come back after a reboot.

# echo "/dev/dsk/c0t1d0s2 /dev/rdsk/c0t1d0s2 /new-disk1 ufs 1 yes -" >> /etc/vfstab
# touch /reconfigure
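Appending to vfstab with a bare echo is easy to get wrong: the wrong file, a duplicate entry, a typo in the slice name, or slice 2 by accident. The script below is an added example, not from the original post, that builds the vfstab line for a UFS slice and refuses those cases before writing. It assumes Solaris device naming (cXtYdZsN or cXdZsN) and a UFS filesystem; VFSTAB and DEV_ROOT are assumptions added so the functions can be exercised against a scratch copy rather than the live /etc/vfstab.

```shell
#!/bin/sh
# Added example, not from the original post: append a UFS slice to /etc/vfstab
# with the checks the bare "echo ... >> vfstab" skips: the target is the real
# /etc/vfstab (not a vfstab in the current directory), the device node
# exists, slice 2 is refused because it conventionally covers the whole disk,
# and an existing entry for the slice or mount point is not duplicated.
# VFSTAB and DEV_ROOT are assumptions so the functions can run on a scratch
# copy; leave them at the defaults on a real system.
set -eu

VFSTAB="${VFSTAB:-/etc/vfstab}"
DEV_ROOT="${DEV_ROOT:-/dev}"

# vfstab_entry SLICE MOUNTPOINT: one vfstab line; the fields are device to
# mount, device to fsck, mount point, FS type, fsck pass, mount at boot, options.
vfstab_entry() {
    printf '%s\t%s\t%s\tufs\t1\tyes\t-\n' \
        "$DEV_ROOT/dsk/$1" "$DEV_ROOT/rdsk/$1" "$2"
}

# add_vfstab_entry SLICE MOUNTPOINT: validate, then append. Returns 1 and
# writes nothing on any refusal.
add_vfstab_entry() {
    slice=$1; mnt=$2
    case $slice in
        c[0-9]*d[0-9]*s[0-7]) ;;
        *) echo "bad slice name: $slice" >&2; return 1 ;;
    esac
    if [ "${slice##*s}" = 2 ]; then
        echo "refusing $slice: slice 2 is the whole-disk backup slice" >&2; return 1
    fi
    if [ ! -e "$DEV_ROOT/rdsk/$slice" ]; then
        echo "no such device: $DEV_ROOT/rdsk/$slice" >&2; return 1
    fi
    if grep -q "^$DEV_ROOT/dsk/$slice[[:space:]]" "$VFSTAB" ||
       grep -q "[[:space:]]$mnt[[:space:]]" "$VFSTAB"; then
        echo "$slice or $mnt is already listed in $VFSTAB" >&2; return 1
    fi
    vfstab_entry "$slice" "$mnt" >> "$VFSTAB"
}

# Usage (as root, after newfs and mkdir): sh add-vfstab.sh c1t6d0s0 /new-disk1
if [ $# -eq 2 ]; then
    add_vfstab_entry "$1" "$2"
fi
```

After the entry is in, mount /new-disk1 (with just the mount point as argument) is a cheap way to confirm that vfstab parses the new line before you rely on it at the next boot.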

expressions in shell scripting

July 4, 2010

Testing exit status

The $? variable holds the exit status of the previously executed command (the most recently completed foreground process).

The following example shows a simple test:

myhome ~> if [ $? -eq 0 ]
More input> then echo 'That was a good job!'
More input> fi
That was a good job!

myhome ~>

The following example demonstrates that the command tested by if may be any UNIX command that returns an exit status, and that the if construct itself again returns an exit status of zero:

myhome ~> if ! grep -q "^$USER:" /etc/passwd
More input> then echo "your user account is not managed locally"; fi
your user account is not managed locally

myhome ~> echo $?
0

myhome ~>

The same result can be obtained as follows:

myhome ~> grep -q "^$USER:" /etc/passwd

myhome ~> if [ $? -ne 0 ] ; then echo "not a local account" ; fi
not a local account

myhome ~>

Numeric comparisons

The examples below use numerical comparisons:

myhome ~> num=$(wc -l < work.txt)

myhome ~> echo $num
201

myhome ~> if [ "$num" -gt "150" ]
More input> then echo ; echo "you've worked hard enough for today."
More input> echo ; fi

you've worked hard enough for today.

myhome ~>

Reading the file from standard input matters here: wc -l work.txt would print "201 work.txt", which is not a valid integer for the -gt comparison.

This script is executed by cron every Sunday. If the week number is even, it reminds you to put out the garbage cans:

#!/bin/bash

# Calculate the week number using the date command.
# The 10# prefix forces decimal: weeks 08 and 09 would otherwise be
# rejected by $(( )) as invalid octal numbers.

WEEKOFFSET=$(( 10#$(date +"%V") % 2 ))

# Test if we have a remainder. If not, this is an even week so send a message.
# Else, do nothing.

if [ "$WEEKOFFSET" -eq 0 ]; then
echo "Sunday evening, put out the garbage cans." | mail -s "Garbage cans out" your@your_domain.org
fi

String comparisons

An example of comparing strings for testing the user ID:

if [ "$(whoami)" != 'root' ]; then
echo "You have no permission to run $0 as non-root user."
exit 1
fi

With Bash, you can shorten this type of construct. The compact equivalent of the above test is as follows; note the braces, because with parentheses the exit would only leave a subshell and the script would carry on as the unprivileged user:

[ "$(whoami)" != 'root' ] && { echo "you are using a non-privileged account"; exit 1; }

Similar to the “&&” expression which indicates what to do if the test proves true, “||” specifies what to do if the test is false.

Shell patterns (globs) may also be used in comparisons inside [[ ]]; for a true regular expression, use the =~ operator instead of ==:

myhome ~> gender="female"

myhome ~> if [[ "$gender" == f* ]]
More input> then echo "Pleasure to meet you, Madame."; fi
Pleasure to meet you, Madame.

myhome ~>
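The exit-status, numeric and string tests in this section are the building blocks of most admin scripts, and each of the interactive one-liners above has a trap in it when copied into a real script. The block below is an added example, not part of the guide text: the same checks as reusable functions, with the traps closed. PASSWD_FILE and the sample passwd lines in the test are assumptions added so the functions can be exercised without touching /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the guide text above: the exit-status, numeric and
# string tests from this section as reusable functions, avoiding the traps the
# one-liners fall into: an unanchored, unquoted grep that matches substrings;
# "wc -l FILE" printing "201 work.txt" instead of a number; "exit 1" inside
# ( ... ) leaving only a subshell; and a week number such as "08" being
# rejected as invalid octal by $(( )).
# PASSWD_FILE is an assumption so the lookup can be pointed at a test copy.
set -u

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# is_local_account NAME: exit status 0 if NAME has an entry in PASSWD_FILE.
# Anchoring on "^NAME:" keeps "bob" from matching "bobby" or a GECOS field.
is_local_account() {
    grep -q "^$1:" "$PASSWD_FILE"
}

# week_offset [WEEK]: prints 0 for an even ISO week, 1 for an odd one.
# The leading zero is stripped first; "08" would otherwise be read as octal
# (in bash, $(( 10#$week )) is the other way to force decimal).
week_offset() {
    week=${1:-$(date +%V)}
    week=${week#0}
    echo $(( week % 2 ))
}

# count_gt FILE N: exit status 0 if FILE has more than N lines. Reading the
# file from stdin makes wc print only the count, and the arithmetic
# expansion strips the leading spaces some wc implementations add.
count_gt() {
    n=$(wc -l < "$1")
    n=$((n + 0))
    [ "$n" -gt "$2" ]
}

# require_root: the compact && form, but with { } rather than ( ) so the
# failure really reaches the caller. Use "require_root || exit 1" at top level.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "You have no permission to run $0 as non-root user." >&2; return 1; }
}
```

The functions return status rather than calling exit, so a caller decides what a failure means; that is also what makes them testable, since a test can assert on the status of is_local_account or count_gt directly.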