Wednesday, 27 January 2010 19:37

If you are using your Subversion server with ssh you normally use something like

    svn co svn+ssh://<user@host>/var/myrepos/project_main

for checkout. If your ssh port is not the default 22, you have to change the Subversion configuration a bit. The Subversion config file is normally located in the user's application-data directory in ...\Subversion and is named config. In the [tunnels] section you have to add an ssh client (I used TortoisePlink.exe because I already had TortoiseSVN installed) and configure the ssh protocol to use a different port by default.

    ssh = C:\\Program Files\\TortoiseSVN\\bin\\TortoisePlink.exe -P 2211

You could also define the other port under a name of its own, like

    myssh = C:\\Program Files\\TortoiseSVN\\bin\\TortoisePlink.exe -P 2211

Your checkout would then look like

    svn co svn+myssh://<user@host>/var/myrepos/project_main

That works fine on the command line, but when I tried it with TortoiseSVN it failed. I don't know if it is a bug, but you have to set TortoisePlink again in TortoiseSVN->Settings->Network->SSH client:

    "C:\Program Files\TortoiseSVN\bin\TortoisePlink.exe" -P 2211

Then it works without any problems. This was an example for Windows; if you want to use it on Linux/Unix you don't need TortoisePlink, you can simply use the ssh binary, and you also have to convert the backslashes to slashes.

Last Updated on Wednesday, 27 January 2010 20:01

Tuesday, 26 January 2010 20:16

If you want to install Oracle Developer 10g on Vista or Windows 7 you need to follow note 559067.1 from Oracle. The most important thing is that you need to install Patch 7047034 before you start using the Developer, otherwise you get some nasty errors when opening or compiling forms.

Saturday, 23 January 2010 07:24

If you are using rbash and the user is allowed to call, for example, vi, he can leave the restricted shell from within vi; a "su exampleuser" would also do the job, and there are also possibilities such as copying /bin/sh... In this case the only thing I wanted to allow the user is to become root. Yes, I know the pros and cons of that; I decided that connecting by ssh as a user that has NO rights except to su to root, and becoming root when I need to change something, is a good way.
As described earlier, I added (or modified) a user:
    useradd example -m -d /home/example -s /bin/rbash
    usermod -s /bin/rbash example
    passwd example
Then I edited his bash profile and set the PATH to his home directory only.
    vi /home/example/.bash_profile
I changed the part where the PATH variable is set; it looks like this now:
    # set PATH so it includes user's private bin if it exists
    PATH=/home/example
    #if [ -d ~/bin ] ; then
    #    PATH=~/bin:"${PATH}"
    #fi
So this user has absolutely NO rights... cool. The last step is to allow him to become root. That's done by creating a script in /bin, which I named suroot, that contains the text "/bin/su root"; of course you have to give it 755 rights afterwards. The very last step is to create a link from the user's home to the new script.
    vi /bin/suroot
    chmod 755 /bin/suroot
    cd /home/example
    ln -s /bin/suroot
I could not find a way to escape from this jail shell. Sometimes I overlook something; if so, please let me know.
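
A check for the setup above, as an added example that is not part of the original post: rbash confines the user only as long as he cannot change his startup files or put new files into a directory on his PATH, and here the home directory is the whole PATH. The function name, the numeric-uid argument and the allowlist argument are assumptions of this example, and it relies on GNU stat as shipped with Debian.

```shell
#!/bin/sh
# Added example, not from the original post. rbash only restricts while the
# user cannot change the startup files or add files to a PATH directory, so
# this audits the home directory that the post uses as the user's whole PATH.
# Usage: audit_restricted_home HOME_DIR USER_UID "ALLOWED NAMES"
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_restricted_home() {
    home=$1
    uid=$2
    allowed=$3
    findings=0

    # The PATH directory and the shell startup files must not be owned by
    # the restricted user and must not be group- or world-writable.
    for f in "$home" "$home/.bash_profile" "$home/.bash_login" \
             "$home/.profile" "$home/.bashrc"; do
        [ -e "$f" ] || continue
        if [ "$(stat -c %u "$f")" = "$uid" ]; then
            echo "owned by restricted user: $f"
            findings=$((findings + 1))
        fi
        if [ $(( 0$(stat -c %a "$f") & 022 )) -ne 0 ]; then
            echo "group/world writable: $f"
            findings=$((findings + 1))
        fi
    done

    # Every entry matched by * (dotfiles are skipped) is a command the user
    # can run by name, so anything outside the allowlist is a finding.
    for entry in "$home"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case " $allowed " in
            *" $name "*) ;;
            *) echo "unexpected entry in PATH directory: $name"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Example call for the user from the post (needs that account to exist):
#   audit_restricted_home /home/example "$(id -u example)" "suroot"
```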

Last Updated on Saturday, 23 January 2010 16:44

Thursday, 21 January 2010 08:37

Yesterday I decided to enable the mailing feature of Bacula, to stay informed about backups that did not work.
Normally you can easily configure that in the bacula-dir.conf file, by uncommenting/setting the mailcommand and the e-mail address. The default entries look similar to this:

    mailcommand = "/usr/lib/bacula/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula: %t %e of %c %l\" %r"
    mail = root@localhost = all, !skipped

The mailcommand bsmtp is a Bacula built-in, and %r gets replaced with the e-mail address from "mail". In this example all mails except the skipped ones get sent to root@localhost.
In my case I could not use bsmtp because I need to authenticate to the SMTP server to send mail, as Gmail also requires. So I had to look for an alternative, and I found sendEmail, which is also available as a Debian package. sendEmail is a very powerful SMTP command-line tool. The installation on Debian is quite simple.

    apt-get install sendemail

Now I changed the mailcommand to the following (you have to put it on one line!):

    mailcommand = "/usr/bin/sendEmail -f <from-address> -t %r -u \"Bacula: %t %e of %c %l\" -m Intervention needed! -s smtp.mymailserver.at -o tls=no -xu myusernamer -xp mypassword"

-f is the from address
-t is the target; %r gets replaced by Bacula with the mail address defined
-u is the subject, which will look like "Bacula: Backup ERROR of HostBacula Full" in the mail
-m is the mail body; I really don't know how to put the error log for this one job in there...
-s is the mail server
-o sets an option, here tls=no; if you want it more secure you should use tls
-xu is the username
-xp is the password
I chose to use "MailOnError" because I check all jobs and logs on a regular basis, so I just want a quick notice if an error occurred; if you use "mail" you also get informed about successfully terminated jobs.

Last Updated on Thursday, 21 January 2010 08:49

Thursday, 31 December 2009 16:16

Today I was installing Subversion on a 64-bit Windows 7 machine. I chose the SlikSVN package to install Subversion, because I don't want to have an Apache running on this computer, and it was the only 64-bit Subversion option. After installation, and after installing svnserve as a service with

    sc create svnserve binpath= "c:\subversion\svnserve.exe --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto

it worked out of the box without any trouble. The only thing that was not working was TortoiseSVN. So... it worked on the command line but did not work with TortoiseSVN? Yes. After trying for hours I uninstalled SlikSVN and tried the CollabNet package. With this package it worked without any trouble.
I really don't know what could be the reason for this. I also found some threads where people had the same problems. Does anybody out there have a hint why it does not work with SlikSVN?

Thursday, 12 November 2009 20:52

Another good way to limit the rights of a remote user on Linux is to use rbash (restricted bash). Although there are ways to bypass the restrictions, it is in my opinion a nice way to protect a user from himself (and my system from this user...).
    useradd example -m -d /home/example -s /bin/rbash
    usermod -s /bin/rbash example
    passwd example

Last Updated on Tuesday, 10 November 2009 11:41

Tuesday, 10 November 2009 19:46

Another nice way to create users on Linux that only have rights for scp/ftp/cvs/rdist/rsync is RSSH (restricted ssh).
Installation:
    apt-get install rssh
Configure the rights by editing the config file (uncomment the things the user should be able to do):
    vi /etc/rssh.conf
Add a user or modify an already existing user:
    useradd -m -d /home/heinzi -s /usr/bin/rssh heinzi
    usermod -s /usr/bin/rssh heinzi
Now the user can only get access through the applications you chose for him in rssh.conf.

Last Updated on Tuesday, 10 November 2009 11:41

Sunday, 08 November 2009 17:23

By default a user has a lot of rights, nothing really critical, but why allow him to peek into any config files if he doesn't really need to? So I was looking for a way to limit the rights of a remote user without the need to chmod a lot of files. The first way I found was to create a jail shell. This is a pretty cool way to limit a user to a handful of commands and prevent him from leaving his home directory. It works with both SFTP (easy) and SSH (a bit more configuration) and can be applied either to a user or to a group. The user is named "heinzi" in this example.
Changes in /etc/ssh/sshd_config:
    Match User heinzi
        ChrootDirectory /home/heinzi
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server
    Match Group users
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand /usr/lib/openssh/sftp-server
Restart ssh:
    /etc/init.d/ssh restart
The user should now be limited to his home directory.
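
sshd refuses the session when the ChrootDirectory path does not meet its ownership rule: sshd_config(5) requires every component of the path to be a root-owned directory that is not writable by group or others. The following added example (not part of the original post) checks a path such as /home/heinzi against that rule before ssh is restarted; the function name and the optional owner-uid argument are assumptions of this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the rule from
# sshd_config(5) for ChrootDirectory: every component of the path must be a
# directory owned by root and not writable by group or others.
# Usage: check_chroot_path ABSOLUTE_PATH [OWNER_UID]
#   OWNER_UID defaults to 0 (root); it is a parameter only so the function
#   can be tried out on a scratch directory without being root.
check_chroot_path() {
    path=$1
    want_uid=${2:-0}
    bad=0
    case $path in
        /*) ;;
        *) echo "not an absolute path: $path"; return 2 ;;
    esac
    # Walk from the chroot directory up to / and test each component.
    while :; do
        if [ ! -d "$path" ]; then
            echo "not a directory: $path"
            bad=1
        else
            owner=$(stat -c %u "$path")   # numeric owner
            mode=$(stat -c %a "$path")    # octal mode, e.g. 755
            if [ "$owner" != "$want_uid" ]; then
                echo "owner is uid $owner, expected $want_uid: $path"
                bad=1
            fi
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                echo "group/world writable (mode $mode): $path"
                bad=1
            fi
        fi
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return "$bad"
}

# Check the path given on the command line, e.g. /home/heinzi from the post.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```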

Last Updated on Tuesday, 10 November 2009 11:42

Sunday, 08 November 2009 17:23

Here is the example for ssh:
    apt-get install sudo debianutils coreutils
Get the script that does a lot of the configuration for us:
    cd /usr/local/sbin
    wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
    chmod 700 /usr/local/sbin/make_chroot_jail.sh
Check whether the script contains all the APPS you need:
    vi /usr/local/sbin/make_chroot_jail.sh
Create a symlink back to home:
    cd /home
    ln -s . home
Create the jail shell:
    make_chroot_jail.sh heinzi /bin/bash /home
Configure /etc/ssh/sshd_config:
    vi /etc/ssh/sshd_config
Add at the end of the file:
    Match User heinzi
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
    Match Group users
        ChrootDirectory /home
        AllowTCPForwarding no
        X11Forwarding no
Restart ssh:
    /etc/init.d/ssh restart

Last Updated on Tuesday, 10 November 2009 11:42

Sunday, 18 October 2009 07:23

When Bacula jobs get the status "E" but the FileDaemon tells you that everything was OK, then you probably have to set the heartbeat interval in your Bacula configuration files. It worked for me to set "Heartbeat Interval = 1 minutes" in the FileDaemon and StorageDaemon configuration files.

Last Updated on Tuesday, 19 January 2010 14:35

Wednesday, 23 September 2009 08:58

"java.lang.InstantiationException: jms.xml: port 9240 already in use"
This error can occur if you try to start the oc4j (startinst.bat on Windows) and the oc4j was not shut down with the shutdown script that is delivered by Oracle. Just execute the shutdown script (stopinst.bat on Windows). That should solve your problem.

Last Updated on Wednesday, 23 September 2009 09:07

Tuesday, 22 September 2009 18:25

If you want to run XPlanner+ with the security manager of Tomcat turned on, you need to grant the following permissions (tested with tomcat5):
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission java.net.SocketPermission "127.0.0.1:3306","connect, resolve";
    permission java.net.SocketPermission "localhost:9090","connect,resolve";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote";
    permission java.lang.RuntimePermission "accessClassInPackage.javax.el";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.io.FilePermission "/var/lib/tomcat5.5/webapps/xplanner-plus/xplanner-plus-activity.log", "read,write";
    permission java.io.FilePermission "*","read";
    permission java.io.FilePermission "/usr/share/tomcat5.5/common/-","read";
    permission java.io.FilePermission "/usr/share/tomcat5.5/bin/bootstrap.jar", "read";
    permission java.io.FilePermission "/usr/share/java/commons-daemon.jar", "read";
    permission java.io.FilePermission "/var/lib/tomcat5.5/webapps/xplanner-plus/WEB-INF/classes/logging.properties","read";
    permission java.util.PropertyPermission "*","read,write";
    permission java.net.SocketPermission "jakarta.apache.org:80","connect,resolve";
I tested these permissions on Debian Lenny. The xplanner-plus-activity.log is in this path because I changed it manually. The reason is that there seems to be a bug in the log4j configuration, which I have already reported.

Last Updated on Wednesday, 14 October 2009 07:02