Category: Linux

Posted on

iptables Personal PC Firewalls

The average personal PC has need to be able to reach out into the internet and communicate but no need for people to reach from the internet to your PC.  This set of rules takes advantage of the stateful nature of iptables to allow incomming messages on ESTABLISHED (prevously set by OUTPUT) connections.

iptables -A input -m state –state ESTABLISHED -j ACCEPT

iptables -A input -j REJECT

Posted on

Quick Script to identify WWID on New Lun’s in Linux when using MPIO

Well the other day I had to add a lot of LUN’s to a new system and one of the key elements is writting down the SCSI WWID when I add a LUN so I can tie that back to the storage.   So i wrote a simple script to scan the SCSI bus identify new lun’s and provide their WWID via multipath.   This will only work with some HBA’s and if your using Linux MPIO.

#!/bin/bash
echo "- - -" > /sys/class/scsi_host/host0/scan
echo "- - -" > /sys/class/scsi_host/host1/scan
echo "- - -" > /sys/class/scsi_host/host2/scan
echo "- - -" > /sys/class/scsi_host/host3/scan
ls -altr /dev/sd* | tail -n1 | awk '{ print $10 }' \
| sed 's/\/dev\///g' | awk '{print "/sbin/multipath -v3 \
| grep " $1 " | grep undef"}' > out
chmod 755 out
./out 
rm -f out
Posted on

MythTV Automatic Email of new Pilots Report

Over the years I have written a ton of reports for MythTV.  This particular report sends an email using an smtp email account with all the new shows with pilot as a subtitle.  This allows me to quickly scan new shows for things I want to record.  I wrote it in php since most Myth systems are running php for MythWeb.    I know it’s not the cleanest code but it works for me.  I have bolded items that you need to customize for your environment.  I load it in as a weekly cron job and it’s good to go:

new_pilot.php

Posted on

MythTV Automatic Email of TV pilots

Over the years I have written a ton of reports for MythTV.  This particular report sends an email using an smtp email account with all the Shows with pilot as a subtitle.  This allows me to quickly scan new shows for things I want to record.  I wrote it in php since most Myth systems are running php for MythWeb.    I know it’s not the cleanest code but it works for me.  I have bolded items that you need to customize for your environment.  I load it in as a weekly cron job and it’s good to go:

all_pilots.php

Posted on

iptables allow ssh and http

Allow web and ssh connections SSH and web both require out going messages on established tcp connections.

iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

Then you need to allow incomming connections on port 80 and 22 and possibly 443

iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport 443 –sport 1024:65535 -m state –state NEW -j ACCEPT

Posted on

Linux File Permissions

Linux file permissions are based upon three actions:

  • Read – read a file, on directories grants permission to read names of files in the directory (but not find any additional information size owner etc..)
  • Write – modify, delete rename a file, on directories it gives permission to modify entries inside the directory including create, delete and rename files
  • Execute – execute a file, on directories is grants permission to go into the directory and subdirectories it goes not grant read access to the directory

Linux also supports three additional permissions:

  • SUID – Set user ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the owner.
  • SGID – Set group ID – when a file with this bit is set and it is executable it will be executed with the effective permissions of the group, directories with the SGID new files and directories created under the original directory will inhert it’s group from the SGID group.
  • sticky –  when a file with this bit is set and it is executable it encourages the kernel to  retain the resulting process beyond termination, when set upon a directory it prevents users who are not the owner from renaming, deleting or moving files or subdirectories.

Each file can be owned by a single user, group and everyone else.     Other is everyone who is not the user or a member of the group.  All directories are really just files in linux.   Linux filenames can be up to 256 characters long.  Linux permissions are not inherited except SGID and SUID.  Since the 2.6 Kernel linux also support acl based file permissions giving you better control on your file system.  You can see the permission user and group on a file by performing a long listing of a file:

ls -al

drwxr-xr-x  3 root       root  4096 Nov 10 21:25 .
drwx—— 46 root       root  4096 Nov 10 21:12 ..
drwxr-xr-x  2 jgriffiths users 4096 Nov 10 21:25 cheese
-rw-r–r–  1 root       root     0 Nov 10 21:12 donkey.doc
-rw-r–r–  1 jgriffiths video    0 Nov 10 21:12 myfile.txt

This listing displays hidden files because we issued ls with the -a command line switch.   The sections are divided as follows:

Sample Field Description
drwxr_xr_x Permissions Permissions on the directory or file
2 Directories Amount of links (files and directories) inside the directory including itself
jgriffiths User Owner of this files username
users Group Group this file is owner by
4096 Size Size of file in k-bytes
Nov 10 21:25 Modification time Time of last change
cheese Name Name of directory or file

The permissions field is 11 characters broken down into four sections: type, owner permissions, group permissions and other permissions.

Characters #’s
 Section Description
1 type This defines a directory vs a file or special type
2-4 owner permissions This defines users permissions
5-7 group permissions This defines group permissions
8-11 other permissions This defines world permissions

There can be the following types:

Type Description
d Directory
l Symbolic link
s Socket
p Named pipe
Normal file
c Character device or special file
b Block device or special file

Each of the user, group and other permissions files contain either a r,w,x or an -.  They are always displayed in the order of rwx.

Type Description
Not set not allowed to take action
r Read permission
w Write permission
x Execute permission

For example the following listing:

drwxr-xr-x  2 root       root  4096 Nov 10 21:25 cheese

Is a directory (d) with owner (root) read (r), write (w), execute (x), group (root) read (r), no-write (-), execute (x), other, read (r), no-write (-),  and execute (x).

Additional Permissions

The additional permissions show up by replacing the execute bit with a character:

Permission Class Non-Executable Executable
setuid User S s
setgid Group S s
Sticky bit Others T t

Changing Permissions

In Linux you use the chmod command to change permissions of a file or directory.  chmod can be used with an octal set of permissions or individually using characters to represent user (u), group (g), other (o), and an add (+), subtract (-).  I will cover Octal permissions using numbers to represent combination permissions.  When using octal permissions you seperate out permission in the following order user:group:other.  Each permission type adds an amount to zero:

  • Read – Adds 4 to the total
  • Write – Adds 2 to the total
  • Execute – Adds 1 to the total

So permission 744 would be User: read,write, execute; Group read; Other read.  The command to set a file to 744 would be:

chmod 744 filename

Changing Additional Permissions

Additional permissions take the first bit a hidden bit of the permissions:

  • The setuid bit adds 4 to the total.
  • The setgid bit adds 2 to the total.
  • The sticky bit adds 1 to the total.

If I wanted to set the permissions to 744 with the sticky bit set I would run this command:

chmod 1744 filename

Default Permissions – Umask

The umask defines the default permissions assigned to any file created by a user or system.   You can assign your umask at any time by executing:

umask permissions

The permissions on umasks can be tricky.  You need to take the permissions of 777 and subtract the umask.  For example a user has the umask of 022 when he / she creates a file the default permissions are: 644.

Finding Files with Special Permissions

Since special permissions break the authentication method for Linux they can be very dangerous.  There are some simple ways to locate suid and sgid files.

Find all SetGID files on your system:

find / -xdev -type f -perm +g=s -print’

Find all SetUID files on your system:

find / -xdev -type f -perm +u=s -print

Find all world writable files on a system:

find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -printtype f -perm +u=s -print

ACL File Permissions on 2.6 Kernel

The 2.6 Linux kernel added ACL’s to file permissions (access control lists)  it allows you to have unlimited number of users with individual permissions on a file.  It also adds a level of complexity to your file system.  Before you can work with ACL’s you need to enable them on a mount point basis.  Enabling ACL’s requires adding the option acl to the /etc/fstab and remounting the mount point.  For example take a look at this root partition:

/dev/hda5            /                    ext3       acl,user_xattr        1 1

This shows acl’s enabled and ready to work.  ACL can only be used on the following file systems: ext2/3, XFS, JFS and ReiserFS.  The primary method for manipulating acl’s is using the getfacl and setfacl commands. getfact allows you to display acl lists on a file or directory.  setfacl allows you to set the current acl on a file or directory.  In order to explain acl’s lets assume that I have a unix system with four users jack,jill,bob and myself (jgriffiths).   I want to create a file called test.txt and give jack and jill read and write permission to this file while bob can only read the file.  I created the file and started with the following permissions:

ls -al test.txt
-rw——- 1 jgriffiths users 0 2007-11-16 23:37 test.txt

The permissions are clearly set to allow jgriffiths as the only person who can manipulate this file in anyway.  setfacl allows you to set permissions for more than one user at a time.  To create my acl permissions I would use the following command:

setfacl -m u:bob:r–,u:jack,jill:rw- tester.txt

I can use the getfacl to view the current effective permissions on the file:

getfacl test.txt
# file: test.txt
# owner: jgriffiths
# group: users
user:jill:rw-
user:jack:rwx

user:bob:r–
group::—
mask::r-x
other::—

So jack and jill can read and write while bob can only read.  Everyone else but jgriffiths cannot do anything with this file.  You will also notice an entry called mask.  The mask sets the effective permissions for all acl groups and users.  This allows you to limit acl’s control maxium on a file or directory.  Assume my mask looks like this in the above entry:  mask::r–  then no one would be able to do more than read this file unless they are the owner.  You can set the mask using:

setfacl -m mask::rw- tester.txt

Viewing the rights of our file now produces an effective rights listing:

getfacl tester.txt
# file: tester.txt
# owner: jgriffiths
# group: users
user::rw-
user:jack:rw-                 #effective:r–
user:bob:r–
group::—
mask::r–
other::—

If we perform an ls -al on the file it produces the following confusing results:

-rw-rw—-+ 1 jgriffiths users 0 2007-11-17 00:01 test.txt

As you can see it seems the users group has read and write access to test.txt when in reality they do not.  Also linux has added a + to the permission list to help us know there is a acl on this file.

ACL’s can be added based upon Linux groups using the same setfacl command:

setfacl -m g:groupname:rw-,g:groupname_two:r test.txt

Removing acl based permission can be done using the -x command line parameter:

setfacl -x u:bob,u:jack tester.txt

Now only Jill can access the tester.txt file.  Or we can removal all acl’s on a file with the –remove-all:

setfacl –remove-all tester.txt

If you would like to recursively assign an acl to a directory and all files add an -R to the command use the following command:

setfacl -R -m g:users:r-x /data/webroot

ACL’s viewed by the getfacl command can be piped into a file and used to generate the same acl on any other file using the setfacl command:

# getfacl -omit tester.txt
# setfacl -M myacl test*
# getfacl -omit test.txt
user:jill:rw-
user:jack:r-x
user:bob:r–
group::—
mask::r-x
other::—

You can also use gid’s and uid’s instead of names as long as you provide the -numeric switch to setfacl.

ACL’s and Directories the Default ACL

ACL’s created inherited permissions that allow subdirectories and file to get the permissions of their parent.  This type of inheritance is easy to manage but can be a security concern make sure to consider carefully how you set acl’s on directories because those same permissions will exist on the lower levels.

Posted on

CD ISO’s in linux

Every so often I need to mount an ISO image on linux.

To mount an ISO you first have to create a mount point for example /mnt/iso then type the following command:

mount iso_name.iso /mnt/iso/ -t iso9660 -o loop=/dev/loop0

On some systems you need to avoid the loop= part of the command and issue:

mount -o loop -t iso9660 iso_name.iso /mnt/iso

To create an ISO from a directory use the following command consult the man page if any switches give you trouble.

mkisofs -rdlJ -allow-leading-dots -hide-rr-moved -dir-mode 555 -p “preparer”

-publisher “publisher” -A “Disc name” -V VOLNAME -o output.iso -b isolinux/isolinux.bin

-c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table /mnt/iso

Posted on

Quick Search and Replace inside a file with perl

Almost every day I need to search and replace inside a file.   This is done very easily with vi but a little harder on multiple files.  Take this example I want to search all the files in the current directory ending in .conf and find the word jgriffiths.org and replace it with jgriffiths.com.    Perl to the rescue with this simple one line fix

perl -pi -e 's/jgriffiths.org/jgriffiths.com/g' *.conf

Yes it’s that simple.

Posted on

Check Pagesize in Linux

Recently my DBA’s were asking me what the page size was in linux.  A page size is a logical block of your physical, or virtual memory.  Each type of memory is divided into same size blocks or pages.  To find your system pagesize in linux type:

getconf PAGESIZE

or

getconf PAGE_SIZE