Shabbyrobe's questions

I have an NFS tree exported from a file server that is secured using Kerberos and uses LDAP for authentication and uid/gid management. Everything works swimmingly for each client machine and each individual user, but I'm not sure how to grant access to parts of the share to daemons.

The daemons typically run with a setuid to a local system account, so there aren't any specific credentials for them on the server. If I can get in and muck around with the source I can usually get them to call kinit with a keytab file for a user that exists in kerberos when they start, but this is not always possible.

Our environment prohibits me from cracking things wide open by making them world readable, or from removing Kerberos from the NFS entirely.

I fiddled with adding a subtree to /etc/exports with all_squash, anonuid=... and anongid=... set, but that just made it world-readable to every client machine. It needs to be accessible only to a certain machine.

I've tried using samba but we have some daemons that have an "NFS or bust" approach to working with shares (anything involving mercurial, for example).

Most of our servers run Ubuntu 10.04 LTS, though the problem also affects a 12.04 LTS client we have.

Is there a way I can grant an entire system a system-wide ticket for a particular Kerberos user so any user on that system can always access the share? Or is there some other method of achieving this kind of access that I can investigate?

I'm about to start setting up some KVM-based virtual machines that will be used in a production system on an Ubuntu 10.04 LTS server and I'm not sure which user to run them as. In my tests, I ran them as the user I set up during the Ubuntu installation, but would I be better off running them as root or under a separate user account, like how slapd runs as user openldap?

We have a PHP web application we are deploying to a LAMP server running CentOS 5.5 using Capistrano. Capistrano manages switching to the latest version (and rolling back) using a symlink, so our document root has to point to that symlink.

Unfortunately, we have been seeing that web requests to the PHP application still point to the previous target of the document root's symlink for exactly 60 seconds after the symlink is updated.

The only setting in the PHP config I could find that might relate to this is the realpath_cache_ttl setting, however this is set to 120 seconds. I couldn't find anything in apache's configuration.

We are not using APC.

Am I even looking in the right place?

I have an Ubuntu server running Apache. I have a web application that writes files to a folder. Apache is running as www-data:www-data, so all the files get created using that user and group.

I also have a user shabbyrobe that I use to log in to the box and make non-root changes. If I want to change stuff that has been touched by www-data though, I'm finding myself cracking it and just doing sudo -i, then before I know it I'm doing everything at an elevated privilege level and it really does feel like I shouldn't need to be root at all.

I added shabbyrobe to the www-data group and ran chmod -R 2775 on the folder full of files written by my web application, but new files were still being created as 755, so user shabbyrobe had no access.

Basically, I'm just wondering if it's safe for me to change the umask in /etc/profile from 022 (which seems to be the default) to 002 without compromising the security of my server. I guess I'm just figuring there must be a reason why it's 022 by default, and I don't want to just blithely change it without understanding what that reason is.

Update: in response to Caleb's suggestion, I thought more about it and it doesn't feel like it would be a great idea to set the umask system wide considering it is possible to set it for apache only. So if I change the umask to 002 in /etc/apache2/envvars instead of /etc/profile, what security considerations remain?

I'm in Australia and I'm looking at US hosting options because the prices here are embarrassingly extortionate. Are there any good, free online tools I can use to find out which location in the US has the fastest performance - in terms of latency and download speed - for connections from Australia?

I'm having trouble finding concrete, up-to-date information for how to set up strongswan or openswan to be used by the iphone's VPN client. My server is behind a budget linksys NAT router.

I found this, but it mentions a whole bunch of .pem files with no reference for how to create them. Unfortunately, the "fine" manuals for both packages were quite inscrutable and unfriendly to a novice. I've set up OpenVPN before and managed to get serviceable results very quickly, but after a day and a half of reading out of date docs, I barely even know where to start.

Any help would be greatly appreciated!

I'm having trouble getting php-gtk installed with php 5.3 on os x. I'm currently using macports to do it and when I try to install php-gtk, it spews 'duplicate static' errors:

Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_php_php5-gtk/work/php-gtk-2.0.1" && /usr/bin/make -j2 all " returned error 2
Command output: ext/gtk+/gen_pango.c:2951: error: duplicate 'static'
ext/gtk+/gen_pango.c:2957: error: duplicate 'static'
ext/gtk+/gen_pango.c:3097: error: duplicate 'static'
ext/gtk+/gen_pango.c:3103: error: duplicate 'static'

Is there a way to coerce it into building, or an alternative way to install it?

Is there a way to throttle only file uploads (not downloads) using Apache 2 on a per-directory basis?

I've tried using mod_bw and looked at mod_throttle, but neither seem to support upload throttling, only downloads.