kayahr's questions

This is my specific problem I need to solve (But my question is different, so please read on even if you don't know what fail2ban is):

I'm trying to use fail2ban on a linux server to ban brute force attacks on multiple services (ssh, dovecot, apache, postfix, ...). Now I stumbled over the problem that fail2ban seems to execute multiple iptables commands at the same time (with threads in Python) and this fails pretty often (Especially on startup) where iptables returns "Resource temporarily unavailable." errors.

I want to workaround these problems by "synchronizing" calls to iptables. I'm searching for a program which creates some mutex/lock file and only if this file could be created then it starts the real command and removes the mutex file after the command has finished. If the mutex file is already there then the program waits until the mutex file is gone and then tries to aquire it.

With such a command I could configure the iptables-actions in fail2ban to wait for each other so they don't execute at the same time.

I'm pretty sure there is already such a program out there so I don't have to write this on my own. But so far I haven't found it.

I want to create a mod_rewrite RewriteRule which is independent from the location where the web page is installed. I want to define the rewrite rule in a .htaccess file. Let's take this as an example:

RewriteEngine on
RewriteRule ^(.*)\.html html.php

With this rule I want to map all *.html requests to a html.php script which is located in the web root. The problem is, the public base url of the webroot can change. So the web root could be located on http://www.somewhere.tld/ or in some sub directory at http://www.somewhere.tld/foo/bar/.

But using a relative path in a rewrite rule doesn't work. So I have to write one of these:

/html.php (When web is located in root directory of the web)
/foo/bar/html.php (When web is located in foo/bar sub directory)

Alternatively I can set a RewriteBase but I simply don't want to configure this path at all. I want apache to automatically do the right thing so I can just copy the web to some directory and it just works without telling the rewrite rules where the web is located in. How can I do this.?

I have an USB stick which contains private stuff like the SSH key. I want to mount this stick to my own home directory with 0700 permissions. Currently I do this with this line in /etc/fstab:

LABEL=KAYSTICK /home/k/.kaystick auto rw,user,noauto,umask=077,fmask=177 0 0

This works great but there is one minor problem: In Nautilus (The Gnome file manager) the mount point ".kaystick" is displayed. I guess Nautilus simply scans the /etc/fstab file and displays everything it finds there. This mount point is pretty useless because it can't be clicked when the device is not present and it can't be clicked when the device is present (Because then it is already mounted). I know this is a really minor problem because I could simply ignore it but I'm a perfectionist and so I want to get rid of this useless mount point in Nautilus.

Is there another way to customize the mount point and mount options for a specific USB device? Maybe it can be configured in udev? If yes, how?

I have a directory which can be read and written by a couple of unix groups. This is achieved by using ACLs. Let's assume I did it like this:

mkdir /tmp/test
setfacl -d -m g:group1:rwx /tmp/test

Works great, the whole group (And other groups I add like this) can read/write to this directory. BUT there is one exception: When someone creates a subfolder by using mkdir -p then this directory is created with the unix permissions 0755 because the default umask is 022. This results in the problem that other users of the group can no longer write to this subfolder because the ACL now looks like this:

group:group1:rwx            #effective:r-x

For some reason this doesn't happen when using "mkdir" (Without -p argument). One solution is setting the umask to 002 but this is really a bad thing because this also affects files and directories created outside of the ACL-controlled directories and these files should not be group writable per default.

So I wonder if there is another possibility to solve this problem. It would be perfect to be able to completely disable/ignore the old unix-style permission stuff for a ACL-controlled directory. Or disable this "effective ACL" stuff. Is that possible? Or is there another way to solve the problem with unwritable directories caused by programs like "mkdir -p"? In the end I want a directory which is completely (and recursively) readable and writable according to the ACLs I have configured and this should never change (Only by modifying the ACLs itself).

Note: to reproduce the problem:

$ mkdir /tmp/test
$ setfacl -d -m g:group1:rwx /tmp/test
$ umask 0022
$ mkdir /tmp/test/aa
$ mkdir -p /tmp/test/bb
$ ls -log /tmp/test
drwxrwxr-x+ 2 4096 Mar  9 23:38  aa
drwxr-xr-x+ 2 4096 Mar  9 23:38  bb

$ getfacl /tmp/test/bb | grep ^group:group1
group:group1:rwx                     #effective:r-x