Keeping Linux Users In A MySQL Database With libpam-mysql On Ubuntu August 27, 2010

Posted by idimmu in linux, ubuntu.
I want to have a set of users on my Ubuntu 10.04 Lucid Lynx box managed by MySQL rather than LDAP for a change, which means delving into the sexy world that is libpam-mysql!

As ever, the first thing we need is packages! When installing mysql-server, set a strong root MySQL password. Since we're about to keep user accounts in MySQL, the database becomes part of the login path: whoever can write to the user table can add accounts, and whoever can read the password column gets the hashes, so everything around it needs to be locked down tight!


apt-get install mysql-server libpam-mysql libnss-mysql


Configuring MySQL

We then need to authenticate to MySQL as root


mysql -u root -p


and create a database and some tables!


CREATE DATABASE nss_mysql;
USE nss_mysql;

CREATE TABLE groups (
group_id int(11) NOT NULL auto_increment primary key,
group_name varchar(30) DEFAULT '' NOT NULL,
status char(1) DEFAULT 'A',
group_password varchar(64) DEFAULT 'x' NOT NULL,
gid int(11) NOT NULL,
UNIQUE KEY (group_name),
UNIQUE KEY (gid)
);

CREATE TABLE user (
user_id int(11) NOT NULL auto_increment primary key,
user_name varchar(50) DEFAULT '' NOT NULL,
realname varchar(32) DEFAULT '' NOT NULL,
shell varchar(20) DEFAULT '/bin/sh' NOT NULL,
password varchar(128) DEFAULT '' NOT NULL,
status char(1) DEFAULT 'N' NOT NULL,
uid int(11) NOT NULL,
gid int(11) DEFAULT '65534' NOT NULL,
homedir varchar(32) DEFAULT '/nonexistent' NOT NULL,
lastchange int(11) NOT NULL default '0',
min int(11) NOT NULL default '0',
max int(11) NOT NULL default '99999',
warn int(11) NOT NULL default '7',
inact int(11) NOT NULL default '-1',
expire int(11) NOT NULL default '-1',
UNIQUE KEY (user_name),
UNIQUE KEY (uid)
);

CREATE TABLE user_group (
user_id int(11) DEFAULT '0' NOT NULL,
group_id int(11) DEFAULT '0' NOT NULL
);

A few points about the schema: the password column is wide enough for any crypt(3) hash format (an MD5 crypt hash is 34 characters, SHA-512 crypt over 100; MySQL's default non-strict mode would silently truncate a hash that doesn't fit, leaving a password that can never verify). The shadow aging columns (lastchange, min, max, warn, inact, expire) mean exactly what they do in /etc/shadow, as day counts since the Unix epoch, so max defaults to 99999 ("never expires") rather than 0, which would expire every password after a day. The homedir default is a harmless path rather than a copy of the shell default. The unique keys stop a second row with an existing name or uid (a duplicate uid 0, say) being added by accident or by a sloppy web front end.


Now set up two MySQL accounts: nss, which can only read the columns that /etc/passwd and /etc/group expose anyway, and nss-shadow, which can also read the password hashes and aging fields and update the password column. The nss password will end up in a world-readable file, so make it unique to this job; that is acceptable precisely because the account is never granted the password column, so a local user who reads it learns nothing /etc/passwd doesn't already tell them. Two details: GRANT ... IDENTIFIED BY on an account that already exists resets its password, so every GRANT for the same account must carry the same password (or none after the first); and qualifying the tables with the database name means the grants don't depend on the USE above.


GRANT SELECT (user_name, user_id, uid, gid, realname, shell, homedir, status) ON nss_mysql.user TO 'nss'@'localhost' IDENTIFIED BY 'buttercup';
GRANT SELECT (group_name, group_id, gid, group_password, status) ON nss_mysql.groups TO 'nss'@'localhost';
GRANT SELECT (user_id, group_id) ON nss_mysql.user_group TO 'nss'@'localhost';
GRANT SELECT (user_name, password, user_id, uid, gid, realname, shell, homedir, status, lastchange, min, max, warn, inact, expire) ON nss_mysql.user TO 'nss-shadow'@'localhost' IDENTIFIED BY 'bunnyface';
GRANT UPDATE (password) ON nss_mysql.user TO 'nss-shadow'@'localhost';
FLUSH PRIVILEGES;

pam_mysql's password change is a single UPDATE of the password column, so that is the only UPDATE privilege the nss-shadow account needs; in particular it must not be able to rewrite uid or gid. pam_mysql does not touch lastchange, so if you rely on password aging you will have to update that column yourself when a password changes.


Configuring NSS
NSS (Name Service Switch) provides a common method through which system database requests (users, groups, shadow entries and so on) are resolved, and the sources it consults are pluggable modules. By default Ubuntu uses the compat module, which reads /etc/passwd, /etc/group and /etc/shadow; we're going to tell it to also consult the mysql module.

Edit /etc/nsswitch.conf and look for the lines


passwd: compat
group: compat
shadow: compat


and reconfigure it to also use mysql like so


passwd: compat mysql
group: compat mysql
shadow: compat mysql


Now edit the two configuration files with the MySQL usernames and passwords. /etc/nss-mysql.conf is read by every process that looks up a user or group and gets the nss credentials; /etc/nss-mysql-root.conf is read for shadow lookups, which only root-owned processes such as sshd, login and passwd perform, and gets the nss-shadow credentials.


/etc/nss-mysql.conf
/etc/nss-mysql-root.conf


Now make the nss-shadow file readable only by root, as it holds the credentials that can read and change password hashes:


chmod 600 /etc/nss-mysql-root.conf


Do not do that to /etc/nss-mysql.conf: every process that resolves a user or group name has to be able to read it, which is exactly why it only carries the read-only nss credentials.

Configuring PAM
PAM (Pluggable Authentication Modules) handles all the different ways you can authenticate to the system. We need to tell it that MySQL can handle authentication too!

In /etc/pam.d we must edit a series of files. On Ubuntu these are generated by pam-auth-update, so keep a copy of the originals; pam-auth-update will notice the local changes the next time it runs:

common-auth

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_mysql.so user=nss-shadow passwd=bunnyface db=nss_mysql table=user usercolumn=user_name passwdcolumn=password crypt=1
auth requisite pam_deny.so
auth required pam_permit.so

crypt=1 tells pam_mysql to verify with crypt(3), comparing crypt(password, stored_hash) with the stored hash, so any crypt format works as long as the column is wide enough to hold it. Note that because sshd, login and su run as root, pam_unix already sees the MySQL shadow entry through nss-mysql-root.conf and in practice authenticates MySQL users before pam_mysql is reached; the pam_mysql line is the fallback that talks to the database directly.


common-account

account sufficient pam_unix.so
account optional pam_mysql.so user=nss passwd=buttercup db=nss_mysql table=user usercolumn=user_name
account requisite pam_deny.so
account required pam_permit.so

With pam_unix first and sufficient, it is pam_unix (reading the MySQL shadow entry through nss-mysql, including the aging columns) that passes MySQL users; optional means pam_mysql's own result is ignored, so that line is effectively inert here. If you want pam_mysql to be the decider instead, make it sufficient.


common-session

session sufficient pam_unix.so
session required pam_mysql.so user=nss passwd=buttercup db=nss_mysql table=user usercolumn=user_name
session requisite pam_deny.so
session required pam_permit.so

Nothing after a requisite pam_deny.so line can ever run, so don't leave the stock file's trailing pam_unix.so line underneath it.


common-password

password sufficient pam_unix.so nullok obscure sha512
password sufficient pam_mysql.so nullok user=nss-shadow passwd=bunnyface db=nss_mysql table=user usercolumn=user_name passwdcolumn=password crypt=1 statcolumn=status
password requisite pam_deny.so
password required pam_permit.so

sha512 is the hash pam_unix uses by default on 10.04 for local users (MySQL users get whatever crypt format pam_mysql generates); the old min=/max= options are not how a length policy is set (pam_unix uses minlen=), and debug just fills syslog, so none of those belong here. pam_mysql's statcolumn is intended for its own numeric status flags rather than the 'A'/'N' letters the nss tables use, so don't expect it to disable accounts without checking the pam_mysql README for the values it expects.


Now lock the files down so they are only root readable, as they contain the nss-shadow credentials


chmod 600 /etc/pam.d/common-*


Be aware that any PAM client which runs without root privileges (screen lockers, daemons that drop privileges before authenticating) can no longer read its stack and will fail. pam_mysql's config_file= option, which moves the database settings into a separate root-only file, is the cleaner way to keep the credentials out of the world-readable pam.d files.


Creating A User
We're going to create a user and a group called minty! Create a minty.sql file for the user (the column lists make it obvious which value lands where):


INSERT INTO nss_mysql.groups (group_id, group_name, status, group_password, gid)
VALUES (100, 'minty', 'A', 'x', 1002);
INSERT INTO nss_mysql.user (user_id, user_name, realname, shell, password, status, uid, gid, homedir, lastchange, min, max, warn, inact, expire)
VALUES (100, 'minty', 'Minty', '/bin/bash', '', 'A', 1002, 1002, '/home/minty', FLOOR(UNIX_TIMESTAMP() / 86400), 0, 99999, 7, -1, -1);
INSERT INTO nss_mysql.user_group (user_id, group_id) VALUES (100, 100);

lastchange is days since the epoch, which is what chage and /etc/shadow use and what FLOOR(UNIX_TIMESTAMP() / 86400) gives you; max=99999 means the password doesn't expire. Don't write '' into the integer columns: MySQL's default non-strict mode silently turns that into 0, and max=0 makes pam_unix's account check demand a new password from the second day onwards. The shell is /bin/bash so that the ssh login below gets a prompt; an account that should authenticate but never get a shell gets /bin/false instead.


Then import the sql file


mysql -u root -p < minty.sql
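As an added example (mine, not code from the post): once nss-mysql serves the row above as minty's shadow entry, pam_unix's account check interprets the aging columns exactly as it would the fields of /etc/shadow. This Python mirrors the decision logic of pam_unix's check_shadow_expiry() so you can see what the values you insert will do. The rows are constructed; "today" is the post's date, 27 August 2010, as a day count; the result names are pam_unix's return codes.

```python
# Added example (not the post's code): pam_unix's shadow aging rules applied to
# rows shaped like the user table above. Every value is a day count since the
# Unix epoch, the same convention as /etc/shadow and chage(1).
from dataclasses import dataclass
from datetime import date

PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"


def days_since_epoch(d):
    """The number MySQL's FLOOR(UNIX_TIMESTAMP()/86400) yields for a date."""
    return (d - date(1970, 1, 1)).days


TODAY = days_since_epoch(date(2010, 8, 27))  # the post's date: 14848


@dataclass
class ShadowRow:
    user_name: str
    lastchange: int  # day of the last password change; 0 forces a change at next login
    min: int         # days that must pass before the password may be changed again
    max: int         # days after lastchange at which the password expires; -1 = never
    warn: int        # days before expiry during which the user is warned
    inact: int       # grace days after expiry before the password is unusable; -1 = none
    expire: int      # day on which the account itself expires; -1 = never


def check_shadow_expiry(row, today):
    """Mirror of check_shadow_expiry() in pam_unix: returns (status, days_left)."""
    days_left = -1
    if row.expire != -1 and today >= row.expire:
        return PAM_ACCT_EXPIRED, days_left
    if row.lastchange == 0:
        return PAM_NEW_AUTHTOK_REQD, 0
    if today < row.lastchange:
        # pam_unix only logs "password changed in future" and lets the login
        # through, so a bogus far-future lastchange silently disables aging.
        return PAM_SUCCESS, days_left
    age = today - row.lastchange
    if (row.max != -1 and row.inact != -1
            and age > row.max and age > row.inact and age > row.max + row.inact):
        return PAM_AUTHTOK_EXPIRED, row.lastchange + row.max - today
    if row.max != -1 and age > row.max:
        return PAM_NEW_AUTHTOK_REQD, days_left
    if row.max != -1 and row.warn != -1 and age > row.max - row.warn:
        days_left = row.lastchange + row.max - today
    if row.min != -1 and age < row.min:
        # "changed too recently": only matters when a password change is attempted
        return PAM_AUTHTOK_ERR, days_left
    return PAM_SUCCESS, days_left


def account_status(row, today=TODAY):
    """What the account stage reports for a login; pam_unix maps AUTHTOK_ERR to success there."""
    status, days_left = check_shadow_expiry(row, today)
    if status == PAM_AUTHTOK_ERR:
        status = PAM_SUCCESS
    return status, days_left


# Constructed rows. "schema_default" has max=0 (what you get if the column
# defaults to 0 or '' is inserted into it); "fixed" has 99999, which is what
# /etc/shadow means by "never expires".
ROWS = {
    "minty_schema_default": ShadowRow("minty", TODAY - 1, 0, 0, 7, -1, -1),
    "minty_fixed": ShadowRow("minty", TODAY - 1, 0, 99999, 7, -1, -1),
    "in_warning_window": ShadowRow("bob", TODAY - 95, 0, 99, 7, -1, -1),
    "expired_past_grace": ShadowRow("carol", TODAY - 200, 0, 90, 7, 30, -1),
    "account_expired": ShadowRow("dave", TODAY - 1, 0, 99999, 7, -1, TODAY - 10),
    "bogus_future_lastchange": ShadowRow("eve", 41406, 0, 0, 7, -1, -1),
}


def evaluate_all(today=TODAY):
    """Account-stage result for every constructed row."""
    return {name: account_status(row, today) for name, row in ROWS.items()}


if __name__ == "__main__":
    for name, (status, days_left) in evaluate_all().items():
        print(f"{name:26} {status:22} days_left={days_left}")
```

The two minty rows differ only in max, and that is the difference between a login that works and one that is immediately forced into a password change. The last row shows why lastchange must be a real day count: a value in the far future is not rejected, it just switches aging off.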


Create the home directory and make sure only minty can get into it


root@crisps:~# cp -a /etc/skel /home/minty
root@crisps:~# chown -R minty:minty /home/minty
root@crisps:~# chmod 700 /home/minty


(If you'd rather have home directories appear on first login, pam_mkhomedir.so in the session stack does this; it has to sit before the pam_unix line that ends the stack.)


Set the password. This goes through common-password: pam_unix has no /etc/shadow entry for minty to rewrite, so pam_mysql does the update and stores a crypt(3) hash in the password column.


passwd minty
(New) Password:
Retype (New) Password:
passwd: password updated successfully


SSH into the server ;)


Chill:~ idimmu$ ssh minty@crisps
Warning: Permanently added 'crisps,192.168.0.111' (RSA) to the list of known hosts.
minty@crisps's password:
Last login: Fri Aug 27 10:14:05 2010 from 192.168.0.110
minty@crisps:~$


et voila, libpam-mysql based user management on a Linux Ubuntu box! Next up to write a web interface to manage all that :)

Disk Quotas On Ubuntu August 26, 2010

Posted by idimmu in linux, ubuntu.
I've recently needed to add disk usage quotas to a server in order to limit how much data users can store so as not to affect the quality of service for other users.

Linux has a facility called quota which can help you do this.

Ubuntu provides some packaged tools which let you manage quotas

apt-get install quota

To enable quotas on a partition, first edit its /etc/fstab entry and append usrquota to the mount options (add grpquota as well if you want per-group limits), so the kernel knows to account for that filesystem. Keep the rest of the line as it is, in particular the fsck pass number at the end; only the options field changes, e.g.

/dev/sda1 / ext4 defaults,usrquota 0 1

The quota database files live in the root of the partition in question. They used to be created by hand:

sudo touch /quota.user /quota.group
sudo chmod 600 /quota.*

The quota tools shipped with Ubuntu use the version 2 format (aquota.user / aquota.group), and quotacheck creates and fills those itself once the filesystem is mounted with the quota option, so the manual touch is optional; only the user file matters anyway, since we asked for usrquota rather than grpquota.


To make the setting take effect we then need to remount the partition, either with a reboot or

sudo mount -o remount /

To check that it worked, look at /etc/mtab (or the output of mount); the root entry should now list usrquota among its options, like

/dev/sda1 / ext4 rw,usrquota 0 0

Bear in mind that the mount option only enables accounting; enforcement starts once the quota files have been built and quotaon has run:

sudo quotacheck -cum /
sudo quotaon -v /

which is what the quota init script does for you at boot. Remounting didn't work for me, so I issued the reboot command!

When the disk is mounted to support quotas, the next step is to configure how the system is going to manage them!

I'm going to manage quotas per user, with each user allowed to store up to 5 GiB of data. To configure a user we use the edquota command, which opens their limits in an editor (-f restricts it to one filesystem):

edquota -u idimmu -f /

then edit the config like so


Disk quotas for user idimmu (uid 1000):
Filesystem blocks soft hard inodes soft hard
/dev/sda1 0 5242880 5242880 0 0 0


The limits are in 1 KiB blocks, not bytes, so 5 GiB is 5 * 1024 * 1024 = 5242880 blocks. With soft and hard set to the same value there is no grace period: writes fail the moment the limit is hit. A lower soft limit lets the user get warnings (and a grace period) before the hard stop.

We can confirm the change with the quota command


root@crisps:~# quota -u idimmu
Disk quotas for user idimmu (uid 1000):
Filesystem blocks quota limit grace files quota limit grace
/dev/sda1 5242872 5242880 5242880 20 0 0


The blocks column is the current usage (again in 1 KiB blocks), quota is the soft limit and limit the hard one; the usage shown here is already a few blocks under the limit, so this was captured after the test below.
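As an added example (mine, not from the post), here is the unit conversion from above and a small check that parses the per-user report repquota prints and flags anyone close to their soft limit, which is the thing you actually want to watch once quotas are on. The report text is constructed in repquota's layout, and parse_repquota() is my own function, not a tool from the quota package.

```python
# Added example (not the post's code). Quota limits are counted in 1 KiB blocks;
# this converts GiB to blocks and parses a repquota(8)-style report to find
# users who are near or over their soft limit. The report below is constructed.

SAMPLE_REPQUOTA = """\
*** Report for user quotas on device /dev/sda1
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  843212       0       0          41251     0     0
idimmu    +- 5242872 5242880 5242880  6days      20     0     0
minty     -- 4000000 5242880 5242880          312     0     0
alice     -- 4800000 5242880 5242880           77     0     0
"""


def gib_to_blocks(gib):
    """5 GiB -> 5242880 one-KiB blocks, the number typed into edquota."""
    return int(gib * 1024 * 1024)


def parse_repquota(text):
    """Turn repquota's per-user lines into dicts; the grace columns are optional."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        # a data line is: name, two flag characters, then at least six numbers
        if len(tokens) < 8 or len(tokens[1]) != 2 or not tokens[2].isdigit():
            continue
        name, flags = tokens[0], tokens[1]
        blocks = [int(t) for t in tokens[2:5]]
        rest = tokens[5:]
        block_grace = None
        if rest and not rest[0].isdigit():      # "6days" sits between the two groups
            block_grace = rest.pop(0)
        inodes = [int(t) for t in rest[:3]]
        inode_grace = rest[3] if len(rest) > 3 else None
        users.append({
            "user": name,
            "over_block_soft": flags[0] == "+",  # repquota marks soft-limit breaches with +
            "over_inode_soft": flags[1] == "+",
            "blocks_used": blocks[0], "blocks_soft": blocks[1], "blocks_hard": blocks[2],
            "block_grace": block_grace,
            "inodes_used": inodes[0], "inodes_soft": inodes[1], "inodes_hard": inodes[2],
            "inode_grace": inode_grace,
        })
    return users


def near_limit(users, fraction=0.9):
    """Names of users at or above `fraction` of a non-zero soft block limit."""
    return [u["user"] for u in users
            if u["blocks_soft"] > 0 and u["blocks_used"] >= fraction * u["blocks_soft"]]


if __name__ == "__main__":
    report = parse_repquota(SAMPLE_REPQUOTA)
    for u in report:
        print(f"{u['user']:10} {u['blocks_used']:>9} / {u['blocks_soft']:>9} blocks"
              f"{'  OVER SOFT' if u['over_block_soft'] else ''}")
    print("near limit:", near_limit(report))
```

Feed it the real thing with `repquota -u /` and a threshold of your choice; users with a soft limit of 0 have no quota and are skipped.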

Now we need to test it: can the idimmu account write more than 5 GiB in his home directory?


idimmu@crisps:~$ dd if=/dev/zero of=filename1 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 20.8073 s, 49.2 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename2 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 25.4285 s, 40.3 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename3 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 35.7829 s, 28.6 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename4 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 18.8164 s, 54.4 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename5 bs=1024 count=1000000
1000000+0 records in
1000000+0 records out
1024000000 bytes (1.0 GB) copied, 23.2641 s, 44.0 MB/s
idimmu@crisps:~$ dd if=/dev/zero of=filename6 bs=1024 count=1000000
dd: writing `filename6': Disk quota exceeded
242813+0 records in
242812+0 records out
248639488 bytes (249 MB) copied, 10.6704 s, 23.3 MB/s



apparently not :D

Unique Article Wizard needs strip slashes!  August 3, 2010

Posted by idimmu in php.
I'm playing about with the Unique Article Wizard plugin for WordPress (for a friend, not for this site!!!) and there's an obvious problem where all of the articles need their slashes stripped. It looks like a serious case of magic quote paranoia!

A look at the plugin code makes article_mods.php the obvious candidate for tweaking:

Change lines 370 - 384 from


$uawarticle_id = wp_update_post(array (
'ID' => $pageposts[0]->post_id,
'post_author' => $uawuser_id,
'post_title' => stripslashes($title),
'post_content' => stripslashes($article . "\n\n\n\n" . $_REQUEST['resource_box'] . "\n\ncategories: " . $_REQUEST['keywords']) ,
'post_excerpt' => stripslashes(stripslashes($description)),
'post_type' => 'post',
'post_status' => $uawstatus,
'post_modified_date' => date("Y-m-d H:i:s"),
'post_modified_date_gmt' => gmdate("Y-m-d H:i:s"),
'post_category' => array (
$uawcategory_id
),


to


$uawarticle_id = wp_update_post(array (
'ID' => $pageposts[0]->post_id,
'post_author' => $uawuser_id,
'post_title' => $title,
'post_content' => $article . "\n\n\n\n" . $_REQUEST['resource_box'] . "\n\ncategories: " . $_REQUEST['keywords'] ,
'post_excerpt' => stripslashes(stripslashes($description)),
'post_type' => 'post',
'post_status' => $uawstatus,
'post_modified_date' => date("Y-m-d H:i:s"),
'post_modified_date_gmt' => gmdate("Y-m-d H:i:s"),
'post_category' => array (
$uawcategory_id
),


problem solved :D

Delete Linux MBR  July 29, 2010

Posted by idimmu in linux.
We run a build system using PXE and Puppet which lets us reliably and quickly set up production and development environments on our servers and maintain their consistency.

Every now and again we need to wipe the MBR of a Linux box so that on reboot it can't boot from disk, PXE boots instead and reinstalls itself. I like to use this command:

dd if=/dev/zero of=/dev/sda bs=446 count=1

which zeroes exactly the first 446 bytes of the disk: the boot code area. The partition table (bytes 446 to 509) and the 0x55AA boot signature (bytes 510 and 511) stay intact, so the partitions are still there if you need them, but there is no boot loader left to run; a simple reboot will then kick the box and start the PXE cycle! Run sync afterwards so the write reaches the disk before you reboot. Two caveats: this is a BIOS/legacy-boot trick (UEFI firmware boots from the EFI system partition and never executes MBR code), and if your firmware hangs on the zeroed code instead of moving on to the network, zero the two signature bytes as well, which makes the BIOS treat the disk as non-bootable and still leaves the partition table alone:

dd if=/dev/zero of=/dev/sda bs=1 seek=510 count=2
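As an added example (mine, not from the post), here is the 512-byte MBR layout that bs=446 relies on, with the wipe done on a constructed sector so the partition table and boot signature can be checked before and after. The sector, its filler "boot code" and the single partition entry are all made up for the demonstration; the layout and the offsets are the real ones.

```python
# Added example (not from the post): the 512-byte MBR layout that dd's bs=446
# relies on, with the wipe done on a constructed sector so the partition table
# and boot signature can be checked before and after.
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: BIOS boot code, the part dd zeroes
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510        # bytes 510..511: 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed MBR: filler boot code, one bootable Linux partition, valid signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x90" * (BOOT_CODE_LEN - 3)  # jmp + NOP filler, not a real loader
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x83, b"\xFE\xFF\xFF", 2048, 20480)
    table = entry + b"\x00" * (3 * 16)                           # three empty entries
    mbr = boot_code + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_partition_table(mbr):
    """Return the non-empty partition entries of an MBR."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def has_boot_signature(mbr):
    return mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == BOOT_SIGNATURE


def wipe_boot_code(mbr):
    """Same effect as: dd if=/dev/zero of=/dev/sda bs=446 count=1"""
    return b"\x00" * BOOT_CODE_LEN + mbr[BOOT_CODE_LEN:]


def clear_boot_signature(mbr):
    """Same effect as: dd if=/dev/zero of=/dev/sda bs=1 seek=510 count=2"""
    return mbr[:SIGNATURE_OFF] + b"\x00\x00"


def bios_will_try_this_disk(mbr):
    """A BIOS only checks the signature before jumping to the (possibly zeroed) code."""
    return has_boot_signature(mbr)


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for label, sector in (("original", mbr),
                          ("after bs=446 wipe", wipe_boot_code(mbr)),
                          ("after signature cleared", clear_boot_signature(wipe_boot_code(mbr)))):
        print(f"{label:26} bios tries it: {bios_will_try_this_disk(sector)!s:5} "
              f"partitions: {parse_partition_table(sector)}")
```

The partition table survives both operations; only the signature decides whether the BIOS even attempts this disk, which is the difference between the two dd invocations above.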

Canon EOS Utility On A Mac Without A CD April 16, 2010

Posted by idimmu in photography.
Canon have a fantastic little app, which works on both Windows and Mac, called EOS Utility, which among other things allows you to do time lapse photography!

I lost my CD ages ago, because you know ... everyone knows that all responsible companies let you download support tools from their website ..

Unfortunately no one informed Canon of this amazing new way of thinking, and they only let you download an update for the EOS Utility application, which throws a massive hissy fit if you try to install it on a machine that doesn't already have it installed!

After a lot of Googling (that's now a verb .. get in line behind Hoover!) I found this awesome site :

Cracking Canons EOS Utility For Mac at the Hacker Blog!

With just a few mouse clicks you can tweak the Mac EOS Utility updater to act as an installer!

Thanks Hacker Blog!!