CentOS 5 :: Apache: Sudo "can't Set Runas Group Vector"
Nov 12, 2009
I'm running out of ideas (and of forum threads to try), so here is my problem: I want to create a web page using Perl to configure a router. The router is going to be used to limit bandwidth to some IPs and also to block some IPs. I'm using CentOS 5.3, which comes with httpd and suexec pre-installed. The commands I want to use are "route add -host ..." and "tc filter ..."; these commands can only be run as root.
[Code]...
View 2 Replies
Jan 2, 2011
I have a problem when I want to use su. I get this error:
Code:
su: pam_start: error 26
I have googled it, so I found this topic (http://www.linuxquestions.org/questi...r-26-a-615024/), but it didn't really help me. There was a reply on that topic and his question was what the output of this was:
Code:
ldd /usr/bin/passwd
and
[code]....
View 4 Replies
Sep 23, 2010
I made a mistake on my friend's Ubuntu system when trying to get hard drive permissions right. I wanted to add a user to a certain group with usermod -G, but without realising I should also use -a, with the result that the user is now no longer in the sudo group. This is the only (regular) user on the system, which means I cannot sudo usermod again to get it right. So what to do? The only solution I can think of is using a live disc to restore the group belongings, but I want to know if there's a quicker way. Also, I don't know what more groups the user was in. Is there a history? Or else, what are the default groups?
View 5 Replies
Mar 30, 2010
I have joined the domain (server 2003) and can log in consistently now. Now I would like to give all the Windows users in one specific group (domain power users) SUDO rights on the machines in question. I have found one way to add users on a pr. user basis, but adding 30 users will take some time.
View 4 Replies
Jul 1, 2011
I have a box with about 30-40 users on it, and I need to prevent a certain group of users from using sudo at all. Is this even possible?
View 4 Replies
Aug 22, 2011
I'm trying to allow a specific group on my machine to execute one command with sudo without requiring a password, so what I want to do is add something like this to sudoers:
%groupName ALL = (ALL) NOPASSWD: /bin/bash /path/to/shfile.sh argument1 argument2
argument1 needs to be a URL: http://subdomain1.subdomain2.domain.com
argument2 needs to be a path of the form /var/www/demo/SomeFolder/application/config/config.php
How do I put in a regex form that sudoers will understand? I tried reading the sudoers manual, but it didn't help a lot.
View 1 Replies
Jun 13, 2010
What would be the effect of setting ProFTPd's user and group to the same user and group that Apache use? Are there any security risks in doing this, or is this safe to do?
View 4 Replies
Feb 15, 2011
I have previously set up sudo via adding my name to the wheel group and then giving full privileges to the wheel group in the sudoers file. Now I choose to learn to limit that. Had noticed the most frequent use I have of sudo is to run yum update. This got me thinking, could I remove the wheel group privileges and add the following line in sudoers to limit the privilege to simply running yum, and furthermore, make it so I could run yum without a password:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
Troy ALL= NOPASSWD: /usr/bin/yum
I think that would in fact work (if I understood one of the pages here, it will work). However, upon further thinking I realized that in such a case then anyone sitting at my computer could then use yum, without a password, to install or remove any file on my system - probably not a good idea. As a result I have to ask, can I tighten the privilege even further such that the only privilege so given was to run "yum update" and nothing else? (for example if they ran "yum install" it would fail). If you can do it, how?
Last, I was going to limit the privilege, time wise and try wise, by adding the following to the sudoers file:
# Defaults specification
Defaults:Troy timestamp_timeout=0, passwd_tries=3
Will that really work to limit the elevated privilege so I don't have elevated privileges lingering about, or is there a better way to do so?
View 3 Replies
Nov 12, 2010
This cost me a whole day of trying and retrying. I set up a small home server with Apache, PHP, and MySQL.
System infos:
Linux 2.6.31-22-generic-pae
Ubuntu 9.10 Karmic Server edition
Apache/2.2.12 (Ubuntu)
Until now, it served happily a couple of sites, with no problems. But now, I wanted to set up my ftp server to point to the same directory as one of the sites, for me to be able to upload and manage files via ftp. As a server I normally use proftpd. With my usual config, proftpd runs with its own user and simulates the user ftpuser:ftpgroup when creating files. So I just changed all the files to be owned by this user and group. Permissions set to 770.
Everything works fine, and I'm able to access the data via ftp. BUT, when I try to browse my site the usual way (i.e. point Firefox to its address) a 403 forbidden error is issued. Of course, you will say: you didn't allow access to Apache. Well, I remembered that right away, and added the user www-data to the ftpgroup user. Now I expect Apache to be able to read and serve the files.
Still same problem. 403. The Apache error log is full of "permission denied" errors. After many attempts, I logged in as the user www-data, and tested access to the files. This way I'm able to cd into the directory, and read-write the files with nano. As a test, I tried the other way around. Setting www-data:www-data as the owner of the files, and adding the ftpuser to the www-data group. This way Apache works, but proftpd does not. Most probably it has something to do with a misunderstanding of group permissions or the way these two daemons access the files.
View 9 Replies
Mar 5, 2011
Me and 2 others are working on a website (Bob, Mike, and Joe). We made a group called developers and each of us are in the developers group. The Apache server runs as www-data. When we upload files, the file owner is the users name and the group is "developers".
/etc/group has the following
Code:
www-data:x:33:
bob:x:1000:
mike:x:1001:
[Code]....
I have always just set everything to 775 and just called it good. Well I don't want to wake up to a Russian political message plastered all over the site. It's time I do things properly.
View 3 Replies
Aug 3, 2010
I want to ask a question, maybe a stupid one. Here is what I understand by a Linux user: I can create various users, for example for me, for my brother and so on, to log in to the system. But what does it mean that Apache runs under user wwwrun and group www by default? What kind of user is that? It's explicitly not a user kind that I know about.
View 6 Replies
Sep 27, 2010
I have set up a VPS server, created two accounts for two domains respectively, and in one account I built a tool to manage other accounts. I have been rigorously researching and found information, however not implemented yet, about granting Apache sudo rights through an interface on one account, so that it can execute scripts as root to manage installations in other accounts. What I mean is that my tool will use 'rsync' to duplicate installations from any account into any account.
My question for security, is it secure to grant apache sudo rights? I have not resolved successfully granting it permissions, and I would not want to waste my time investigating more on it if it can compromise the system in any way.
In your experience, is it feasible to build such a tool like I described? I have the tool working to copy within account and to addon domains and it works great, but I want it to manage all accounts on the server.
View 3 Replies
Mar 10, 2010
What's the centos-approved way to handle group environment configuration? Let's say there are users in, oh, 4 different groups. Let's use the usual suspects:
accounting
warehouse
admin
netadmin
and I want to set up environment variables and maybe some pathing that are specific to a given group. So that when 'joeblow', who is a member of group 'warehouse', logs in, the pathing and environment variables (and whatever else) that is needed for users in the 'warehouse' group is set up and configured.
What I was initially looking for was an /etc/groups.d, and in /etc/groups.d is
/etc/groups.d
accounting.sh
warehouse.sh
admin.sh
netadmin.sh
As part of the login process, the group memberships for the login username would be examined, and for each hit the respective /etc/groups.d/ script would be run. I'm not seeing anything like that, so I'm assuming centos uses some other mechanism, but I'm obviously not using the proper keyword mojo. Can someone point me to where this mechanism is described?
View 4 Replies
May 25, 2011
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well. I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all
This part by itself works for the LDAP authentication:
Code:
AuthName "System Admins"
AuthLDAPURL "ldaps://example.com/ou=ldap,o=example.com?mail" SSL
Require ldap-group cn=SysAdmins,ou=memberlist,ou=groups,o=example.com
This part works by itself for guest access:
Code:
Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
View 1 Replies
Jan 20, 2011
I am installing Big Brother on a CentOS 5.2 running the default Apache 2.2.3. When I try to access any web page I get the following error: Forbidden You don't have permission to access /bb/ on this server. Apache/2.2.3 (CentOS) Server at fmsubbnix Port 80 So far I have:
1) Set the Directory options to FollowSymLinks
2) Verified all directory and file permissions are at 755
3) Set permissions temporarily to 777 and received same error so I am assuming the issue is in a config file somewhere
4) in httpd.conf verified <Files ~ "^.ht"> is correct
5) verified the "default" directory is correct (/var/www/html)
I have read and tried several ideas in posts listed on the web but to no avail and am at a loss as to what to look for next..
View 3 Replies
Oct 14, 2010
I am trying to solve a problem where Apache stats aren't displaying correctly in Munin. I've run through quite a few checks and tests regarding Munin setup, but I think my issue is related to Apache, and my skill set there is lacking.
first, system info:
monitored server:
CentOS 5.3 2.6.18-128.1.1.el5
[code]....
View 7 Replies
Sep 26, 2010
A junior question: What is the use of /etc/passwd- & /etc/group-? Backups? I delete them, and they will come out again.
View 2 Replies
Jun 13, 2011
I'm used to setting up SGID on a directory
chmod -R g+s example and then
chmod -R 750 example
And have the directory and all sub-directories preserve the set-group-ID. On CentOS SGID gets overridden by the second command. The OS is CentOS release 5.6 (Final). In theory, and like it says on this page, "if commands like chmod routinely cleared these bits on directories, the mechanisms would be less convenient..." and it's exactly what's happening. chmod -R 750 is effectively removing the SGID. How can I make g+s permanent?
View 1 Replies
Apr 19, 2010
Is there a way to allow other members of my group to access subfolders under my home directory, but not my home directory itself? I'm using CentOS 5.4.
View 3 Replies
Jul 23, 2009
I have to set up a box which can manage all the logins in our company and has the feature to manage every possible permission with as much comfort as possible. We are using Linux and AIX therefore my Boss is willing to switch from our Windows DC to a Linux DC. And here lies the problem, I don't really know what is needed to set the Box up to manage the Unix, Samba and LDAP accounts with one tool maybe?
I would like to know which Software exactly is needed and how to manage to get the thing to work together with a security aspect. I configured a Samba DC with LDAP, Kerberos and TLS but it looks like I overdid it because Kerberos is not able to manage the things we need in a manner that the other Admins in my Company would get things done in a short time.
Therefore I would like to get listed all the Software needed and maybe some How Tos how to get thing working, because I am losing my nerves on this matter.
In the last 3 weeks I have set up several test boxes but every time something doesn't work. My biggest Problem is to get Samba and LDAP to work together with TLS or another security scenario.
View 2 Replies
Oct 5, 2010
Before creating this topic I googled a lot and found lots of forum topics and blog posts with similar problem. But that did not help me to fix it. So, I decided to describe it here. I have a virtual machine with CentOS 5.5 and it was working like a charm. But then I turned it off to make a backup copy of this virtual machine and after that it has a boot problem. If I just turn it on, it shows the following error message:
Activating logical volumes Volume group "VolGroup00" not found Trying to resume from /dev/VolGroup00/LogVol01 Unable to access resume device (/dev/VolGroup00/LogVol01) ... Kernel panic ...! During the reboot I can see 3 kernels and if I select the 2nd one the virtual machine starts fine, it finds the volume group etc. (But there is also a problem - it cannot connect the network adapters.) So, it is not possible to boot it with the newest kernel (2.6.18-194.17.1.el5), but it is possible with an older one (2.6.18-194.11...)
I looked into GRUB's menu.lst and it seems to be fine. I also tried #mkinitrd /boot/initrd-2.6.18-92.el5.img 2.6.18-92.el5 no luck! Yes, I can insert DVD .iso and boot from it in "linux rescue" mode.
View 18 Replies
Nov 16, 2010
I'm trying to do a disk upgrade on some servers. They are using LVM with DRBD on top and each LVM volume contains a Xen image. I have already created identical volumes on another volume group, copied the data and pointed DRBD to the new source (Which seems to have worked).
What I am unsure of is how to safely remove the disks. The disks are an Areca Raid 1 array and support hotswap. Can I just pull them out of the machine or is some sort of command needed to tell LVM or the kernel to disconnect from the physical array device? Is removing the raid array from the Areca management GUI first a good idea?
View 3 Replies
Jul 2, 2010
I opened up my browser to surf the web and a page popped up I had never seen before: Apache 2 Test page powered by CentOS. Any address I put into my Firefox browser won't come up and I'm stuck on this test page and I can't locate it on my computer to remove it. How do I get rid of it and, more importantly, how did it get on my computer in the first place?
View 10 Replies
Nov 3, 2009
I have a PC connected by ethernet to a Galil motion controller card. I recently installed CentOS 5. The Galil software for communicating with the card is reporting that it can't join a multicast socket group. The software used to work with another version of Linux.
View 6 Replies
Mar 24, 2010
I've installed Directory Server (LDAP). The setup has been done according to the tutorials online. Able to access the interface as well. So far so good. The issue I have is with permissions. I can assign file permissions to a user created in the Directory Server (user not created on the local server). But the same can't be done for a group - at least the way I currently see it. How could I assign file system rights to a group created in the directory server?
View 5 Replies
Apr 26, 2010
I've several servers (windows+linux) that authenticate to an LDAP server. There is one machine that I would like to allow only certain groups from LDAP server to have access and I am not sure where to start.
If that cannot be done, is it possible to disable LDAP root user to access these machines?
View 4 Replies
Feb 1, 2011
I have to create a script that will run only for a specific group. It is a very simple script, so to map the folder, it happens that only that group will be mapped folder. Look what I've done:
[Code]...
Corded that way, but can not be this way, the folder must be mapped to only one group, i have to do scripts for other users, groups, and a script for everyone.
View 1 Replies
Jul 19, 2011
How can I create a user group that restricts Internet privileges to only members in the group, then I will assigns certain applications to join the group for access to the Internet.
For example, I want only group net to have access to the Internet. Group net is then connected to:
Code:
So far, I am using the GNOME group policy manager that is standard with Ubuntu but it's not working. Is it possible that I'm misdirected and that I should use a firewall instead?
View 2 Replies
May 24, 2010
I have a text file that currently has around 150 000 usernames in it. I need to somehow group them into smaller groups of 1000 and then add that value into the DB. for example user xzy group 1 (hopefully the groups will be digits incrementing)
[Code]....
how to search for 1000 then assign them group 1 and then 1001-1999 to group 2 etc.
View 3 Replies
Oct 19, 2009
I want secondary users to be able to change the file permissions of the primary group. User MAC has www as a primary and httpd as secondary group. But he wants to change the file permissions (chmod) of httpd group files. Is it possible or not? I think it's not possible. If it's possible then let me know how.
View 3 Replies