Linux


Red Hat Enterprise Linux

  • Please, please, please stop prompting me when I do an rm command. You can tack on a -f (force / don't ask) as a temporary measure.

SSH

  • You can use ssh-copy-id to copy keys to remote machines. If the key is refused, it's usually a permissions problem. You can use ssh -vvv to diagnose further; each additional v raises the debug level by one (debug1, debug2, debug3).

Yum and RPM

List installed packages with:

yum list installed
rpm -qa

There's a Red Hat Knowledgebase with plenty of common Yum operations.

  • Release Notes for RHEL 5.6 and PHP 5.3. Be careful about doing this upgrade. Currently, PHP 5.3 doesn't include php52-pear.
  • In CentOS 6, I believe that I simply started using pear install and associated commands to add pear packages instead.
  • On old versions, such as RHEL 4, use up2date.

Deployment

  • Don't forget to enable backups on the Linode instance.
  • For PuTTY, SSH keys can be set under Connection / SSH Auth / Private key file for authentication.
  • Some packages that are needed on installation: httpd, php.
  • Add a user called barik using useradd.
  • Easiest way to support sudo is visudo. Uncomment %wheel ALL=(ALL) ALL.
  • You can add a user to a group with usermod -a -G {group-name} username. Without -a, -G replaces the user's existing supplementary groups instead of appending to them.
  • Use system-config-network to set the host name.

Transferring Files

To transfer files easily between Linux virtual machines and Windows, you can use Tftpd32. You can first zip them (the built-in help is useless here):

zip -r example.zip foo/

Using tar and preserving permissions:

tar --preserve-permissions --create --verbose --file barik.tar barik

Irssi

I started using irssi after needing to maintain sessions even after turning off my PC.

  • Use /quit to close irssi entirely.
  • Use /connect instead of /server to connect to other IRC networks.
  • If you connect to the wrong network, irssi will keep trying to reconnect. Use /rmreconns to remove these networks.
  • A guide to split windows in irssi.
  • You shouldn't need to touch the configuration file by hand at all. Instead, you can use the server command: /server add irc.oftc.net 6697. As long as you specify the server address and port name, any changes will be made to the existing server in the server list.
  • You can use SSL with OFTC.

IRC bouncers with ZNC. After using ZNC, I need to figure out how to get the time stamps to be correct. I use mIRC under Windows.

Reverse DNS

host ip
nslookup ip

mod_fcgid

PHP is actually quite annoying to secure. This is probably the reason why most people run the default mod_php, which doesn't provide any privilege separation whatsoever between different web applications.

It seems that mod_fcgid (or, go directly to the mod_fastcgi reference page) is preferred over mod_fastcgi. But this is only part of the picture. We also need suEXEC support. Here are a few links with explanations at various, but incomplete, levels:

There are actually two different ways to use FastCGI under Apache. You can use the Action directive, or the FcgidWrapper directive. In this thread, we're told that both setups offer the same functionality. I use FcgidWrapper because that's what the official document recommends, and also because all the changes can be cleanly localized to the vhost.conf.

  1. Install EPEL. How can I install the packages from the EPEL software repository?
  2. Install mod_fcgid with yum install mod_fcgid. This will also place a fcgid.conf under the conf.d directory.
  3. Using mod_fcgid examples, create a PHP wrapper script as shown in the document.
  4. But where should this wrapper script eventually be located? Check with sudo suexec -V and note the AP_DOC_ROOT parameter. For me, this directory is /var/www.
  5. Create a folder called /var/www/fcgi-bin. This will host your (and others') PHP wrapper scripts. If you plan on using suEXEC, it's very important to create a separate folder for each user (this is requirement 14 of 20 in the suEXEC documentation). So your wrapper script would eventually end up as /var/www/fcgi-bin/barik/php-wrapper.
  6. Note: The given example uses the Location directive for Apache, but that's only because they are using an alias. If you are pointing to an actual directory, replace Location with Directory.

Tangentially:

  1. The documentation for mod_fcgid has an example Perl script. To run this script, you need yum install perl-CGI perl-FCGI. This wasn't at all obvious to me. Don't forget to make the file executable with chmod a+x foo.pl either. You can use this file as a test before playing with PHP handlers.
  2. Note: While you can use this as a test script, it's pretty useless unless you want to run CGI scripts from the fcgi-bin folder directly. Remember that PHP indirectly uses the PHP wrapper script through FcgidWrapper, and that's my approach as well.

Also, see documentation on AddHandler and SetHandler.

  • To verify that your PHP scripts are actually running under mod_fcgid, have a script containing a call to phpinfo(). Check Server API. It should say CGI/FastCGI instead of Apache 2.0 Handler.

Now, proceed to adding suEXEC with SuexecUserGroup. Unfortunately, there are 20 different ways in which suEXEC can go wrong, and all of them will give you the very generic error of "Premature end of script headers".

  • Who are you running under? Write a script that calls something like system("id");.
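
Because every suEXEC failure surfaces as the same generic error, it helps to check the wrapper's location, permissions and ownership before reloading Apache. The function below is an added example, not part of the original page or of Apache: check_suexec_target is a hypothetical helper that mirrors the file-system checks in the suEXEC documentation, and it assumes GNU find and stat.

```bash
# Added example: pre-flight version of suEXEC's documented file-system checks.
# check_suexec_target is a hypothetical helper, not part of Apache.
# Usage: check_suexec_target DOCROOT WRAPPER USER GROUP
#   USER and GROUP may be names or numeric ids.
# Prints each failed check; the return status is the number of failures.
check_suexec_target() {
    local docroot dir uid gid p fails=0
    local wrapper="$2" user="$3" group="$4"
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ -f "$wrapper" ] || { echo "FAIL: $wrapper does not exist"; return 1; }
    docroot=$(cd "$1" && pwd -P) || return 1
    dir=$(cd "$(dirname "$wrapper")" && pwd -P) || return 1

    # Resolve names to numeric ids; all-digit arguments are used as given.
    case $user in
        *[!0-9]*) uid=$(id -u "$user") || return 1 ;;
        *) uid=$user ;;
    esac
    case $group in
        *[!0-9]*) gid=$(getent group "$group" | cut -d: -f3) ;;
        *) gid=$group ;;
    esac

    # The directory must be inside the suEXEC document root (AP_DOC_ROOT).
    case $dir/ in
        "$docroot"/*) ;;
        *) fail "$dir is outside $docroot" ;;
    esac

    # Neither the directory nor the program may be group/other writable.
    for p in "$dir" "$wrapper"; do
        [ -z "$(find "$p" -maxdepth 0 -perm /022)" ] || fail "$p is group/other writable"
    done

    # The program must not be setuid or setgid.
    [ -z "$(find "$wrapper" -maxdepth 0 -perm /6000)" ] || fail "$wrapper is setuid/setgid"

    # Directory and program must belong to the SuexecUserGroup user and group.
    for p in "$dir" "$wrapper"; do
        [ "$(stat -c '%u:%g' "$p")" = "$uid:$gid" ] || fail "$p is not owned by $uid:$gid"
    done
    return "$fails"
}
```

With the layout used on this page, the call would be check_suexec_target /var/www /var/www/fcgi-bin/barik/php5-wrapper barik barik, where the first argument is the AP_DOC_ROOT value reported by suexec -V.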

In summary, all changes are made to vhost.conf:

<VirtualHost *:80>
        ServerName www.barik.net
        DocumentRoot /home/barik/public_html
        SuexecUserGroup barik barik
        <Directory /home/barik/public_html>
           Options +ExecCGI
           AddHandler fcgid-script .php
           FcgidWrapper /var/www/fcgi-bin/barik/php5-wrapper .php
        </Directory>
</VirtualHost>

Doh! Unfortunately, you still aren't done. You will likely no longer be able to access the session folder, and thus will be unable to use cookies. Therefore, you must copy the global /etc/php.ini to the same directory as your PHP wrapper script. Then, edit the file and change the session.save_path to point to something under your user, such as /home/barik/tmp.

Your PHP wrapper will use the php.ini that is in the same directory first, and ignore the global INI file. If you don't do this, you'll get errors such as:

Unknown: Failed to write session data (files). 
Please verify that the current setting of 
session.save_path is correct (/var/lib/php/session)

I haven't found a great solution to this yet. One can obviously perform chmod a+rwx /var/lib/php/session/, or create a custom directory for each user.

mod_fcgid and WordPress

When running WordPress under mod_fcgid, I've found that the MaxRequestLen is causing issues with file uploads:

mod_fcgid: HTTP request length 131580 (so far) exceeds MaxRequestLen (131072)

Also, this message won't go away without recompilation:

[warn] mod_fcgid: cleanup zombie process 2246

Dropbox on CentOS

This happens because CentOS (RHEL) isn't Fedora, but Dropbox treats it as such due to the way the installer works:

 Error: Cannot retrieve repository metadata (repomd.xml) for repository: 
   Dropbox.  
 Please verify its path and try again

Fedora Core 4

Fedora Core 4 is end-of-life (EOL), but it's still useful as a platform for testing introductory security exploits. Unfortunately, the yum repositories have gone stale, and you will now receive the following error messages when trying to perform a yum update:

 Cannot find a valid baseurl for repo: updates-released

To fix this, you will need to use the archives from the Fedora Project. Edit the following under /etc/yum.repos.d:

If successful, yum update will pull the latest packages for this EOL product.

The kernel with Fedora Core 4 is not compiled with CONFIG_CC_STACKPROTECTOR. However, it doesn't have commit_creds (credential records) either.

The CONFIG_CC_STACKPROTECTOR feature can be found under Processor type and features.

Compiling a Custom Kernel

  make-kpkg --initrd kernel_image

Debian Quick Kernel How-To

  1. Download the linux kernel source.
  2. Extract to /usr/src.
  3. Make symlink with ln -s kernel-source-2.4.18 linux.
  4. Run make-kpkg --initrd --append-to-version .barik kernel_image.
  5. (without initrd it will kernel panic).

These days, grub will be updated automatically. To remove a kernel:

Sysctl

  • /sbin/sysctl -w kernel.exec-shield=0; /sbin/sysctl -w kernel.randomize_va_space=0

Audit

First, make sure that the auditd service is actually running.

Your audit commands in Linux come from the family of auditctl, ausearch, and aureport. If you want to add a rule, do the following:

  • auditctl -w filename -p rwxa -k test-key

To list the rules:

  • auditctl -l