Archive for December, 2006

Modify A User

December 18, 2006

There are several ways to modify a user account:

  • Change the user’s password
  • Change the user’s home directory
  • Change the user’s shell
  • Change the user’s group

For the purpose of what we are teaching here, the most important items will probably be changing the user’s password or changing the user’s shell.

Why would a sys admin want to change the password?

Sometimes users request that their password be changed. Sometimes you want to reset the password for a user because they forgot their password, and you have to assign them a new password. My rule of thumb with passwords is that I assign passwords that are letters or numbers or a combination of both, more than 5 characters, and all lowercase.

To change the password of a user, you simply type:

# passwd username

The passwd command prompts for the new password and then asks you to retype it; if the two match and the change goes through, it prints a success message like this:

passwd: all authentication tokens updated successfully.

Why would a sys admin want to change a user’s shell?

When you first create a user on Fedora, the default shell the user receives is bash (useradd takes it from the SHELL line in /etc/default/useradd). That is the “Bourne-Again SHell”, written by Brian Fox for the GNU Project; the name is a pun on the original Bourne shell, sh, which Stephen Bourne wrote. If the user is being created only to hold an email account, the user does not need an interactive shell and really shouldn’t have one: every account that can log in is one more place where a guessed password turns into a prompt on the box. Fedora ships /sbin/nologin for exactly this purpose, and the fake shell set up in the Make A Fake Shell post below does the same job with a file of your own. Either way, you change the user’s shell with this command:

# usermod -s /bin/fakeshell username

NOTE: usermod -s does not check the path you give it, so /bin/fakeshell has to exist on the system (and, for services that consult /etc/shells, be listed there; see Make A Fake Shell below) for this to work properly.

Remote Desktop

December 14, 2006

I’m a big fan of using Windows Remote Desktop. Having to support different locations, being able to remote in to the network and see what is going on saves a ton of time.

I have been playing with some command line stuff this week and hit on launching Remote Desktop from the command line. In your command box enter MSTSC.EXE. If you want it purely from the command line, here are some extra parameters you can enter:

/v:<server[:port]>   the remote computer to connect to
/f                   start in full-screen mode
/w:<width>           width of the Remote Desktop window, in pixels
/h:<height>          height of the Remote Desktop window, in pixels

lighttpd

December 11, 2006

This is a summary of what I went through to get the web server lighttpd up and running on my Fedora Core 5 Linux machine at work.

Since I am using Fedora Core 5 it was a simple process to get the basic software to get started.

# yum install lighttpd

Once it was downloaded and installed I simply had to turn it on.

# /etc/init.d/lighttpd start; chkconfig lighttpd on

That second part is there to make sure if the server reboots lighttpd will come back on.

At this point the lighttpd server can already serve out static html pages. The document root was located at /srv/www/lighttpd … by the way, I really like their simple, elegant logo.

Anyway, my first obvious task after installation was to configure this web server to handle PHP. I was a little intimidated when I discovered that I would have to install PHP from source with special flags so that PHP would use the lighttpd-fastcgi module. lighttpd does not embed PHP the way Apache’s mod_php does; it runs the PHP CGI binary as a FastCGI backend and talks to it through this module. I spent some time at the FastCGI module website, but found that installing on Fedora Core 5 was as simple as:

# yum install lighttpd-fastcgi

Once I had installed this module, I had to uncomment the section in the webserver config file so that the module would load. This is fairly simple. Just open the /etc/lighttpd/lighttpd.conf file in your favorite text editor (vim!), uncomment "mod_fastcgi" in the server.modules list, and uncomment the fastcgi.server block that tells lighttpd where the PHP FastCGI binary lives. Once this is done you can write and quit the file, and then restart the lighttpd service, as shown:

# /etc/init.d/lighttpd restart

The next step is to compile PHP. Be careful that you have all the compilers and libraries installed on your machine before attempting to compile your own binary. On my machine, I didn’t even have gcc installed, so I had to make sure all those programming tools were downloaded and installed. I won’t get into all that detail here.

Building PHP itself is fairly straightforward. Two of the flags matter for lighttpd: --enable-fastcgi builds the CGI binary with FastCGI support, and --enable-force-cgi-redirect makes that binary refuse to run unless the web server invoked it, so nobody can call the PHP binary directly by URL.

# ./configure \
--enable-fastcgi \
--enable-discard-path \
--enable-force-cgi-redirect

Once the configuration is finished, then you have to make it.

# make

and finally…

# make install

Once PHP was installed and /etc/lighttpd/lighttpd.conf was configured to use the FastCGI module, I was able to serve out PHP pages.

My next project after getting PHP to work was to make sure that I could host multiple domains with this web server. This required figuring out how to do virtual hosts. It took me half a day to figure out how to do this in this lighttpd.conf file, but when I figured it out I found it to be a simple and elegant way of handling virtual hosts. In Apache every virtual host container has to be spelled out in the config file, but not in lighttpd. With mod_simple_vhost (it has to be listed in server.modules) you only spell out the directory that holds one subdirectory per domain, and the default host to fall back to when a request’s Host header does not match any of them. Here is the snippet that I used in my lighttpd.conf:

#all other reqs go here
simple-vhost.server-root = "/srv/www/"
simple-vhost.default-host = "scully.sunlitsurf.com"
simple-vhost.document-root = "pages"

If you notice there, the virtual host server root is the path /srv/www. All you have to do to add a new domain to this server is add a directory named after the domain underneath it: lighttpd serves /srv/www/<hostname>/pages/ for a request whose Host header is <hostname>, so rather than adding my mikewriting.com domain into the config file I simply created /srv/www/mikewriting.com (with its pages subdirectory) and the server started serving that folder for the domain. A request for a host that has no directory falls back to the default host, scully.sunlitsurf.com. In order to accommodate those who type in the www sub-domain I simply created a symbolic link www.mikewriting.com that pointed back to mikewriting.com. It was so simple! It took me a long time to understand it.
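To see where files actually have to live, and what a request for a name that has no directory gets, here is an added example (not part of this post or of lighttpd itself) that resolves a Host header the way mod_simple_vhost documents it: server-root/host/document-root if that directory exists, otherwise server-root/default-host/document-root. A temporary directory stands in for /srv/www. The port stripping, lower-casing and the refusal of anything that is not a plain hostname are this example’s own input hygiene, there so that a Host value such as ../etc can never become a path outside the server root.

```shell
#!/bin/sh
# Added example: model how simple-vhost picks a document root.
# Documented rule: docroot = server-root + "/" + host + "/" + document-root,
# falling back to default-host when that directory does not exist.

# Print the directory that would serve a request carrying Host: $1.
# $2 = simple-vhost.server-root, $3 = default-host, $4 = document-root.
# Returns 1 (prints nothing) for a Host value that is not a plain hostname.
vhost_docroot() {
    host=$1 server_root=$2 default_host=$3 doc_root=$4
    # Drop a trailing :port and fold to lower case (hostnames are case-insensitive).
    host=$(printf '%s' "$host" | sed 's/:[0-9]*$//' | tr 'A-Z' 'a-z')
    # Only letters, digits, '-' and '.' may remain, and no "..": this is what
    # keeps a hostile Host header from escaping server-root.
    case "$host" in
        ''|*[!a-z0-9.-]*|*..*) return 1 ;;
    esac
    if [ -d "$server_root/$host/$doc_root" ]; then
        printf '%s\n' "$server_root/$host/$doc_root"
    else
        printf '%s\n' "$server_root/$default_host/$doc_root"
    fi
}

# Constructed layout mirroring the config above, in a temp dir instead of /srv/www.
root=$(mktemp -d)
mkdir -p "$root/scully.sunlitsurf.com/pages" "$root/mikewriting.com/pages"
ln -s mikewriting.com "$root/www.mikewriting.com"   # the www alias from the post

vhost_docroot mikewriting.com "$root" scully.sunlitsurf.com pages
vhost_docroot WWW.Mikewriting.com:80 "$root" scully.sunlitsurf.com pages
vhost_docroot nosuchhost.example "$root" scully.sunlitsurf.com pages   # falls back to default-host
vhost_docroot '../etc' "$root" scully.sunlitsurf.com pages || echo "rejected: ../etc"
```

The third call is the one worth remembering: a domain you point at the server but forget to create a directory for is quietly served the default host’s pages, not an error.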

I hope this brief summary of my adventure into lighttpd has helped you on your way.

Holy Grail of Remote Backup

December 11, 2006

I think it has been a dream of mine for almost three years now to figure out how to perform remote system backups without any human intervention whatsoever. I’ve had pieces of the puzzle in my hands for a long time, but always ran into road blocks. One big road block has always been transferring data over a network with the ssh protocol without having to type in a password. I’ve finally unlocked the keys to this little mystery. The answers were found in the comments of an article posted on Mezzoblue (Just do a search on “webserver backup” on the mezzoblue.com website).

The first thing I had to learn was to write a well-crafted rsync command, with all the appropriate flags, to pull the data down from the remote server into the local backup directory. -a copies recursively and preserves permissions, ownership, timestamps and symlinks, -z compresses on the wire, and -e ssh runs the transfer over ssh. The command looks like the example that follows:

# rsync -az -e ssh user@ip:/path/to/file /local/path/for/backup

I scooped this right off the article on Mezzoblue. There are man pages and documentation, but why go to college to learn how to make a backup, right? Anyway, that example shows the basic idea.

Now, you probably notice we are using the ssh protocol to transfer those backups across the network. ssh is good because of its security, but it can be a pain for this kind of task: something has to supply the password. The trick is to create an SSH key pair on the backup machine and install its public half on the remote machine, so that a password becomes unnecessary. For an unattended job the private key has to be created without a passphrase, which makes that file as good as the remote account’s password: keep it readable only by the backup user, and give it the least access you can on the remote side. You generate the key pair with another kind of ssh command:

# ssh-keygen -t rsa

This command creates a key pair in your .ssh directory: id_rsa, the private key, which stays on the backup machine, and id_rsa.pub, the public key. You need to get the public key into the remote account’s authorized_keys file. You can do this with the scp command, as follows:

# scp ~/.ssh/id_rsa.pub user@ip:/home/username/.ssh/authorized_keys

Note all the tiny dots and colons in that command. It’s easy to forget the punctuation. Two things to check on the remote side: scp replaces authorized_keys outright, so if the account already has keys in that file, append yours to it rather than copying over it; and sshd ignores the file unless ~/.ssh and authorized_keys are writable only by their owner (mode 700 and 600 is the usual choice).

Once the public key is in place on the remote machine, you can log into it without having to type in a password. This is perfect, because now you can run your rsync command without having to be sitting there to type in the password.

The next logical step is to put all of this into a bash shell script, which you can then execute on a schedule using a cronjob.
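The key installed above opens a full login as the remote user, so if the backup machine is ever compromised the remote one follows. Here is an added example (not from the Mezzoblue article or this post) of what the authorized_keys entry for a backup key should look like instead, and of the check a small wrapper script named in that entry would make on SSH_ORIGINAL_COMMAND before exec’ing it: only "rsync --server --sender <flags> . <path>", the form an rsync pull issues on the remote end, with the path under one allowed directory and nothing that could chain a second command. The key data, the /srv/www path and the /usr/local/bin/rsync-only wrapper name are made up for the example; the wrapper itself would be a few lines that call allow_rsync_cmd on "$SSH_ORIGINAL_COMMAND" with the allowed directory and then exec that command (paths without spaces assumed).

```shell
#!/bin/sh
# Added example: give the backup key the least it needs on the remote side.
# The authorized_keys entry pins the key to one wrapper command and turns
# off PTYs and forwarding; the wrapper lets through only a read-only rsync
# server invocation under one directory.

# Return 0 if CMD ($1) is what an rsync pull runs remotely, confined to $2.
allow_rsync_cmd() {
    cmd=$1 allowed=$2
    case "$cmd" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*) return 1 ;;   # no chaining or substitution
        *'..'*) return 1 ;;                                    # no traversal
    esac
    case "$cmd" in
        "rsync --server --sender -"*" . $allowed"|"rsync --server --sender -"*" . $allowed/"*) return 0 ;;
    esac
    return 1   # anything else, including a push (no --sender) or a shell
}

# Print an authorized_keys line for the public key in file $1 that may only
# run the wrapper command $2, with no PTY, agent, port or X11 forwarding.
restrict_key() {
    pubkey_file=$1 wrapper=$2
    read -r keytype keydata comment < "$pubkey_file" || return 1
    case "$keytype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $keytype" >&2; return 1 ;;
    esac
    case "$wrapper" in
        *'"'*) echo "wrapper path may not contain quotes" >&2; return 1 ;;
    esac
    printf 'command="%s",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding %s %s%s\n' \
        "$wrapper" "$keytype" "$keydata" "${comment:+ $comment}"
}

# Constructed key (not real key material) in the format ssh-keygen writes to id_rsa.pub.
tmp=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexamplekeydataonlyXYZ backup@scully' > "$tmp/id_rsa.pub"

# The line to append to ~/.ssh/authorized_keys on the machine being backed up:
restrict_key "$tmp/id_rsa.pub" '/usr/local/bin/rsync-only /srv/www'

# What the wrapper would decide for a few incoming commands:
allow_rsync_cmd 'rsync --server --sender -logDtprze.iLsfx . /srv/www' /srv/www && echo "pull of /srv/www: allowed"
allow_rsync_cmd 'rsync --server -logDtprze.iLsfx . /srv/www' /srv/www || echo "push into /srv/www: refused"
allow_rsync_cmd 'rsync --server --sender -logDtprze.iLsfx . /etc' /srv/www || echo "pull of /etc: refused"
allow_rsync_cmd 'rsync --server --sender -e.iLsfx . /srv/www; id' /srv/www || echo "chained command: refused"
```

With this entry in place the backup job still runs with no password, but the key can no longer be used to get a shell, forward ports, or read anything outside /srv/www, even by someone who steals it.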

mysql

December 11, 2006

These notes are distilled from a more detailed guide on mysql from Linux Home Networking.
The /etc/my.cnf file is the main mysql config file.

mysql databases live under /var/lib/mysql/ (the datadir), one subdirectory per database.

mysql stores usernames / passwords in database mysql. Add users to this database and specify the databases to which they will have access with the grant command.

The mysql root account used to create and delete databases is the exception: its password is set with the mysqladmin command.

With mysqld started, use mysqladmin to set the mysql root password:

# mysqladmin -u root password new-password

If you want to change the root password later, run the same command again with -p added so that it prompts for the current password first; if you have lost the current password, do the root password recovery described below.

To access the mysql command line, type:

# mysql -u root -p
Enter password:

After you are logged in you can type \h for help, \c to clear the buffer, or \q to quit.

End every mysql statement with a semicolon (;).

To create a database:

mysql> create database example;

Sometimes you may have to delete a database by removing its directory underneath /var/lib/mysql by hand (drop database is the normal way). Make sure you stop the server first before you do this.

To grant all privileges on one database to a user (this creates the user if it does not exist; the host part after @ limits where the user may connect from, so use "localhost" for an application on the same machine rather than "%"):

mysql> grant all privileges on database.* to username@"servername" identified by 'password';

GRANT takes effect immediately. FLUSH PRIVILEGES is only needed when you change the tables in the mysql database directly with INSERT or UPDATE instead of using GRANT; it makes the server reread them:

mysql> flush privileges;

To import a ready-made script that creates a database and its tables, use this:

# mysql -u root -p example < create_mysql.script

To view your databases in mysql:

# mysql -u mysqluser -p example
mysql> show databases;

To list the tables in your database:

mysql> use example;
mysql> show tables;

To view the structure of one table in your database:

mysql> describe tablename;

RECOVERING, OR CHANGING ROOT PASSWORD

  1. Stop mysql.
  2. Start mysql with the grant tables switched off. While it runs this way anyone who can connect is root with no password, so also switch off networking until you are done:

     # safe_mysqld --skip-grant-tables --skip-networking

  3. Reset the password:

     # mysqladmin -u root flush-privileges password "newpassword"

  4. Restart mysql normally.

mysql database backup and recovery

# mysqldump --add-drop-table -u mysqluser -ppasswd database > /tmp/database.sql

Note: there must be no space between the -p switch and the password. Putting the password on the command line like this shows it to every user on the box through ps while the dump runs and leaves it in your shell history; for anything but a one-off, give -p with no value and type the password at the prompt, or put it in a [client] section of a ~/.my.cnf that only you can read. Always back up the database named “mysql” too, because it contains user access information.

The syntax for restoring a mysql database:

# mysql -u username -ppassword database < backedup-database

MYSQL SECURITY

# netstat -an

Your server will be listening on IP address 0.0.0.0 (all interfaces) on TCP port 3306.

The problem with this is that it exposes your database to mysql connections from anywhere that can reach the machine, the internet included: every account whose host part is "%" can then be attacked by password guessing from outside. If your database is only going to be accessed by applications running on the server itself, you can force it to listen only on the loopback address.

To do this: edit the /etc/my.cnf file and add a bind-address directive in the [mysqld] section (it has no effect anywhere else in the file) to set the one IP address on which mysqld listens for connections.

[mysqld]
bind-address=127.0.0.1

Restart mysql.

netstat -an will now show mysql listening only on the loopback address on TCP port 3306.
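An added example, not from the Linux Home Networking guide or this post, that turns the two checks above into functions you can run against saved output: one reads a netstat -an listing and reports whether mysqld listens on loopback only, on all interfaces, or not at all; the other pulls the effective bind-address out of a my.cnf, honouring only the [mysqld] section (a bind-address typed into [client] or some other section does nothing, an easy mistake that leaves netstat still showing 0.0.0.0) and treating skip-networking as no TCP listener. The netstat listings and my.cnf files are constructed samples.

```shell
#!/bin/sh
# Added example: is mysqld reachable from outside the box? Checks both the
# live picture (netstat -an output) and the intended one (my.cnf).

# Print the local address of every TCP socket in LISTEN state on port 3306.
# $1 is a file holding netstat -an output (Proto Recv-Q Send-Q Local Foreign State).
mysql_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /:3306$/ { sub(/:3306$/, "", $4); print $4 }' "$1"
}

# Summarise the listing as "none", "loopback" (127.0.0.1 / ::1 only) or "exposed".
mysql_exposure() {
    addrs=$(mysql_listeners "$1")
    if [ -z "$addrs" ]; then echo none; return 0; fi
    for a in $addrs; do
        case "$a" in
            127.0.0.1|::1) ;;
            *) echo exposed; return 0 ;;
        esac
    done
    echo loopback
}

# Print the effective bind-address from my.cnf file $1. Only the [mysqld]
# section counts; no directive means all interfaces (0.0.0.0); skip-networking
# means no TCP listener at all ("none").
cnf_bind_address() {
    awk -F= '
        /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect); next }
        sect == "mysqld" {
            key = $1; gsub(/[ \t]/, "", key)
            if (key == "skip-networking") { result = "none"; found = 1 }
            if (key == "bind-address") { result = $2; gsub(/[ \t]/, "", result); found = 1 }
        }
        END { print (found ? result : "0.0.0.0") }' "$1"
}

# Constructed samples.
tmp=$(mktemp -d)
cat > "$tmp/netstat.open" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.10:3306             198.51.100.7:51234          ESTABLISHED
udp        0      0 0.0.0.0:3306                0.0.0.0:*
EOF
cat > "$tmp/netstat.local" <<'EOF'
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:3306              0.0.0.0:*                   LISTEN
EOF
cat > "$tmp/my.cnf.wrong" <<'EOF'
[client]
bind-address=127.0.0.1
[mysqld]
datadir=/var/lib/mysql
EOF
cat > "$tmp/my.cnf.right" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1
EOF
cat > "$tmp/my.cnf.nonet" <<'EOF'
[mysqld]
skip-networking
EOF

echo "before the change: $(mysql_exposure "$tmp/netstat.open")"
echo "after the change:  $(mysql_exposure "$tmp/netstat.local")"
echo "bind-address in [client] only: $(cnf_bind_address "$tmp/my.cnf.wrong")"
echo "bind-address in [mysqld]:      $(cnf_bind_address "$tmp/my.cnf.right")"
echo "skip-networking:               $(cnf_bind_address "$tmp/my.cnf.nonet")"
```

Run both against a real machine (netstat -an > file, and /etc/my.cnf) and the two answers should agree; if the config says 127.0.0.1 but netstat still says exposed, mysqld has not been restarted since the edit or is reading a different my.cnf.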

mysql errors are logged automatically in the /var/log/mysqld.log.


Starting, stopping, restarting, and verifying the mysqld daemon.

# chkconfig mysqld on
# service mysqld start
# service mysqld stop
# service mysqld restart
# pgrep mysqld

Bringing Clarity

December 6, 2006

Linkage from AGT 

FF Delicious plugin

December 6, 2006

No doubt you’ve heard of Firefox. I highly recommend it. It is my browser of choice at the moment (and has been for a while, even though Opera runs a close second… at least one of my friends swears by Opera). Anyway, I’m talking about Firefox because I just found a really cool plug-in for this web browser that works really well with the del.icio.us social bookmarking service. If you don’t have an account with del.icio.us, head on over there now and start one. The longer you use it, the more useful it becomes. I have been using it for well over a year now, and have scads of bookmarks that I know I would have lost if I had been keeping them on some local machine. As often as I switch between machines and reinstall operating systems, an online bookmark keeper is the only way I have found to preserve my bookmarks over a long period of time. This service is also cool in that you can use it for interacting with the bookmark networks of other people and find out what is popular out there. This takes some of what people use Digg or Technorati for. You get the idea. Of all these services, I have found del.icio.us to be my favorite simply because of its simplicity.

The point of this post:

1. Use Firefox

2. Use del.icio.us

3. Check out this plugin for integrating the two.

Job Control

December 5, 2006

This is good for Mac OS X, Linux, Unix, et al. (I use the Bash Shell; your mileage may vary)

You can run more than one program at a time in a terminal window. You do this with job control.

Let’s use an example. Start up Lynx (a text based web browser) at your command prompt:

$ lynx www.google.com

After you start this program, suspend it by holding down the Ctrl key and pressing the letter “z”. Shorthand for this is “^Z”, without the quotes.

When you do this the program stops and is parked as a background job, and you can now start another program or execute another command at the prompt. Go ahead and start up another instance of lynx as in the example above, except use www.yahoo.com.

After you’ve started this, suspend it as well with the ^Z keystroke.

Now you have two stopped jobs waiting in the background.

Type jobs at the prompt.

Here’s the output I got from my terminal after I suspended my vim session and two lynx sessions, and typed jobs.

[mack@:~/goodgrep]$ jobs
[1] Stopped vim job_control.html
[2]- Stopped lynx http://www.google.com
[3]+ Stopped lynx http://www.yahoo.com
[mack@:~/goodgrep]$
Notice the numbers at the beginning of each line. That is each job’s number. The + marks the current job (the one fg and bg act on when given no argument) and the - marks the previous one. You can pick and choose which job you want to bring back to the foreground like this:

$ fg 1

In my example above, I am bringing job number 1 back into the foreground, to continue on with my vim editing of the job_control.html document. I could also have just typed fg, which brings back the current job, the one marked with +; in the listing above that is the yahoo lynx session, not job 1.

Another way to start a program is to send it straight into the background with an ampersand “&”, without the quotes. Example:

$ vim newfile.html &

This starts the vim editor on the file “newfile.html” as a background job so you can keep working at the command prompt. The & is really meant for programs that do not need the terminal, such as a long build or copy: a full-screen program like vim is stopped the moment it tries to read from or draw on the terminal (the shell reports it as Stopped), and you have to bring it forward with fg before you can use it.

Make A Fake Shell

December 1, 2006

For security purposes, you might not want new users on a server using a real shell if all they will be doing is ftp’ing files up to the machine. In this case, I’ve learned how to create a fake shell for these users.

As root:

# touch /bin/fakeshell

This makes an empty, non-executable file. Anyone who logs in to an account whose shell is /bin/fakeshell gets nothing: login (or sshd) tries to exec it, the exec fails, and the session ends. Fedora already ships /sbin/nologin, which does the same job and prints a polite refusal, so you can point usermod at that instead of making your own file.

# vim /etc/shells

Add the /bin/fakeshell line into the file and save it. /etc/shells is the list of shells the system considers valid; chsh and many FTP daemons (directly or through pam_shells) refuse an account whose shell is not in it, so without this line the FTP login itself would fail.

# usermod -s /bin/fakeshell username

To check your work, you can:

# grep '^username:' /etc/passwd

The seventh field should now read /bin/fakeshell. Anchoring the pattern with ^ and : keeps grep from also matching other accounts or home directories that merely contain the name.
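An added example (not from either post) that checks the result of the shell change here and in Modify A User above across a whole passwd file rather than one grep: it lists every account whose shell is a listed login shell, which is the set of accounts that get a prompt if a password is guessed, and confirms that a given user ended up with the shell usermod was told to set. It reads passwd(5) and shells(5) format files given as arguments, so it runs on the constructed copies below without root; on a real machine point it at /etc/passwd and /etc/shells. A home-made stub like /bin/fakeshell is reported as a login shell precisely because it was added to /etc/shells, while /sbin/nologin and /bin/false are skipped.

```shell
#!/bin/sh
# Added example: audit which accounts still have a real login shell after
# switching FTP- or mail-only users to a stub. Reads passwd(5)- and
# shells(5)-format files given as arguments, so it can run on copies.

# Print "user shell" for each account in $1 whose shell is listed in $2
# (the /etc/shells copy), skipping the standard no-login shells.
login_shell_users() {
    passwd_file=$1 shells_file=$2
    valid=$(grep -v '^#' "$shells_file" | grep -v '^$')   # drop comments and blank lines
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -z "$shell" ] && shell=/bin/sh   # an empty field means /bin/sh, per passwd(5)
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) continue ;;
        esac
        for s in $valid; do
            if [ "$s" = "$shell" ]; then
                printf '%s %s\n' "$user" "$shell"
                break
            fi
        done
    done < "$passwd_file"
}

# Return 0 if user $2 in passwd file $1 has exactly shell $3: the check to
# run after usermod -s.
has_shell() {
    awk -F: -v u="$2" -v w="$3" '$1 == u { found = ($7 == w) } END { exit !found }' "$1"
}

# Constructed stand-ins for /etc/passwd and /etc/shells.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
ftpbob:x:501:501:FTP only:/home/ftpbob:/bin/fakeshell
mailcarol:x:502:502:Mail only:/home/mailcarol:/sbin/nologin
dave:x:503:503::/home/dave:
EOF
cat > "$tmp/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/fakeshell
EOF

login_shell_users "$tmp/passwd" "$tmp/shells"
has_shell "$tmp/passwd" ftpbob /bin/fakeshell && echo "ftpbob: shell changed as intended"
```

Note that ftpbob is still listed: as far as /etc/shells is concerned, the stub is a valid shell, so an audit that trusts that file alone cannot tell a home-made stub from bash. That is one argument for /sbin/nologin, which every such tool already knows to treat as a non-login shell.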