Gray Race's questions

I have a security advisor that is telling me that we can't use wildcard SSL certs for security reasons. To be clear I much prefer using single certs or multi-domain certs (SAN). However we have a need for the server (plesk) to server 100s of subdomains.

Based on my research the main reason people site for not using wildcard is the following which appears to come from verisign:

• Security: If one server or sub-domain is compromised, all sub-domains may be compromised.
• Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
• Compatibility: Wildcard certificates may not work seamlessly with
  older server-client configurations.
• Protection: VeriSign Wildcard SSL Certificates are not protected by NetSure extended warranty.

Since the private key, cert, and subdomain will all exist on the same server... replacement would be as simple as replacing this one cert and effect the same amount of users. Therefore is there another reason not to use a wildcard cert?

We have a nagios setup that uses inheritance to a larger degree than I am used to. I’ve read the documentation at:

http://nagios.sourceforge.net/docs/3_0/objectinheritance.html

But I still can’t get my head around how to accomplish my goal.

I have server/host that has notified for procs warning. I investigated this and it is a known bug and safely ignored for this specific server. Ideally I’d like to increase the warning/critical points for the service definition for just this host; but I’m also comfortable just not using this service check until a patch for the current problem is issued. Disabling via the web interface is not an acceptable option for my mangers.

Service definition:

define service{
            use                             unix-agent-service
            hostgroup_name                  linux-servers
            service_description             Agent: Total Processes
            check_command                   check_nrpe!check_total_procs
    }

The host definition:

define host{
        use                     linux-server
        host_name               unixlab
        alias                   Unix Lab
        address                 PRIVATE
        }

Group/server Definition:

define host{
        name                            linux-server
        use                             generic-host
        alias                           Linux server
        hostgroups                      linux-servers
        register                        0
        }

The host inherits all the services defined in the hostgroup linux-servers. I’ve tried giving the service check a name and then setting that name to null in the host definition, but I think this syntax is wrong and/or I’m not understanding that part of inheritance:

define service{
        **name                                            agent-total-processes** 
       use                                             unix-agent-service
        hostgroup_name                  linux-servers
        service_description             Agent: Total Processes
        check_command                   check_nrpe!check_total_procs
}

The host definition:

define host{
        use                     linux-server
        host_name               unixlab
        alias                   Unix Lab
        address                 PRIVATE
        **agent-total-processes    null**
}

I’m sure I’m missing something obvious… based on my reading of inheritance this should be possible but I’m not able to wrap my head around it.

Thoughts?

I've got a Red Hat 5.1 server 64-bit Dell 2950 with a PERC 5/i controller that until recently was working fine.

On it I have an NRPE command check_openmange that started returning errors:

/usr/local/nagios/libexec/check_openmanage
Storage Error! No controllers found
Problem running 'omreport chassis memory': Error: Memory object not found
Problem running 'omreport chassis fans': Error! No fan probes found on this system.
Problem running 'omreport chassis temps': Error! No temperature probes found on this system.
Problem running 'omreport chassis volts': Error! No voltage probes found on this system.

Obviously these components exist as the system is up and running. I can access the web interface for Dell Open Manage and it reports everything is green.

Check openmange uses the omreport tool and this generates the above error directly:

[root@lynx tmp]# omreport storage controller
No controllers found

I've found a number of threads online relating to issues with OMSA and 64-bit RHEL 5 and CentOS 5 where they suggest running the 32-bit software on 64-bit systems:

• http://en.community.dell.com/support-forums/servers/f/177/t/19356718.aspx
• http://stevejenkins.com/blog/2011/01/no-controllers-found-fix-set-up-dell-omsa-6-4-32-bit-on-rhel-centos-5-5-64-bit/

However I'm already running the 32-bit software:

Installed Packages
Name   : srvadmin-storage
Arch   : i386
Version: 6.5.0
Release: 1.201.2.el5
Size   : 8.4 M
Repo   : installed
Summary: Storage Management accessors package, 3.5.0

Moreover most of these posts seem related to a PERC 4 and mine is a PERC 5. This check and report was stable until recently and has had production load on it for a number of months which makes me hesitant to take these steps. I have not however found any good indication of why this behavior changed.

Has anyone experienced this issue with PERC 5?

Does anyone have further thoughts on diagnosis steps or solutions?

I'm developing a shared linux server for a few Unix/Linux classes. Anywhere from 100 to 500 students will be using this system but expect a concurrency of no more than 50. I'm trying to set ulimits (best way?) to ensure that no one user can crash the system. This doesn't need to be ironclad security just enough to prevent a random forkbomb or intentional overload.

The system itself is moderate powerful with two sockets and 16 GB of ram. The student work won't be anything high performance mostly learning shell scripting, web application development, database interactions and so on.

This is what I have so far. I'm really shooting just form the hip here:

#Test settings for  lab
@student        hard    nproc           20
@student        hard    memlock         50000
@student        hard    locks           20
@student        hard    cpu             10

Too low? Too high? I know there are many other options but also don't want to over think this but open to other suggestions or other obvious settings missing.

I've inherited a system that has both telnet and ftp enabled. As both these send passwords in cleartext I want to disable them. But many users have never changed their ways to use sftp or ssh. And before I make the change I need to contact them.

What is a good way to see either the number of users or ideally the usernames people are using to login on these services? The best idea I've come up with so far is to grep /var/log/secure. But I'm not sure of what/how to grep this and the high activity has made finding examples difficult. The system is running RHEL 5 if that helps.

Thoughts?

I'm struggling with running the following command:

 ssh someuser@lab-test "sudo /usr/local/scripts/user.sh add tstt7777 177700007 \"Test User 06\" "

Long story short I need to run the user.sh script with ROOT privlages as someuser from a remote machine. However I do not want someuser to be able to run ANY other commands, open a shell or otherwise have access to the system. The user needs only to run that script with multiple dynamic arguments.

I've handled the public key exchange already, and I've added privlages in sudo:

#Sudo
someuser  ALL = NOPASSWD: /usr/local/scripts/user.sh

But I get the following error:

sudo: sorry, you must have a tty to run sudo

I've looked at the "Command=" function in ssh but my understanding is that this will only run the command specified and won't allow arguments to be passed as indicated in my invocation.

Is there something I'm missing to make my method work via sudo?

Is there a better method that I haven't considered in SSH or BASH?

I'm playing around with the UserDir function in apache: http://httpd.apache.org/docs/2.0/mod/mod_userdir.html

Here is my configuration:

<IfModule mod_userdir.c>

        UserDir enabled user
        UserDir public_html

</IfModule>

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes 
    Allow from all
    Order deny,allow

</Directory

It kept generating a 403 errror access denied. It wasn't until I added executable on /home/user directory:

chmod 711 /home/user

The public_html already had o+r which was logical for the apache user to read the contents, but why would executable need to be added on the base folder?

It's all working. I'm just curious as to why this is the case.

I'm working on a project that will teach linux to youth. Knowing they will have a tendency to delete or corrupt items in their home directories we are looking for a good snapshot option. We will not have access to fancy tools available from major storage vendors and are hoping to find a solution at the file system level.

I've read a lot about btrfs but have little experience. I have some experience with LVM but I'm unfamiliar with its snapshoting feature. Do either filesystem or another have the option to create snapshots either on demand or scheduled? Then make these snapshot always available without root in like a .snapshot folder in each home folder?

Idealy this solutions allows a user to self-restore backups on demand within say a 24 to 48 hour window. We will have another backup process for the system and more global backups. But we do not want this process to be used by students who just make 'mistakes'.

I'm learning mrepo. I've got it generating repos based on ISOs. But is there a way I can add an RPM (package I built) quickly/easily to one of these repos?

Do I just add the RPM to the srcdir?

My srcdir currently has subfolders for various distributions and ISOs. I want my package to be available only in specifics distros.

Do I need to re-run the generation command?

Other thoughts or missing information.

I have winbind up and running and it is working well for authentication.

When a user is prompted at logon to provide credentials what AD attribute is username checked against? Is it name? sAMAccountName? CN?

The follow-up to this is can I make a change to winbind either via authconfig or smb.conf to allow two possible matches? E.g., I want to have user be able to provide at logon either ID number (currently working) and/or email username (attribute is mailnickname in AD)

EDIT: Is this not possible?

It could be that I am missing something simple. But I can’t determine why users authenticated via AD are not getting home directories. I’ve looked at the documentation and tried to discover an error log but can’t find anything. Here is what I know.

OS: RedHat 6 Software: Likewise 6.0 (RPM Install) Successfully bound to an Active Directory domain… authentication via console and SSH works.

However when I login via the domain no home directory is created and subsequently BASH doesn’t have a profile:

-sh-4.1$

Looking at some variables via lwconfig it appears to be setup properly.

]# ./lwconfig --show CreateHomeDir 
boolean 
true 
local policy

# ./lwconfig --show HomeDirPrefix 
string 
/home 
local policy

Thoughts? Happy to provide further information but can’t find anything telling in /var/log/messages or other sources.

As part of troubleshooting this. Does anyone know if the home directory is checked/created on each login of a user or only first? If it occurs only on first login how can I reset/remove a user so it will attempt this process again?

Per Madden's comment: There needs to be a sub 'likewise-open' directory in /home?

my /home directory currently:

4.0K drwxr-xr-x.  9 root root 4.0K Aug  8 10:17 home

In there currently all that exists are local user home directories.

I just noticed a 'local' directory in /home that I hadn't noticed before. This is where the home directories are being stored. Thank you to Maden for helping me notice this

Cheers.

Is likewise available via RHN?

I've used likewise-open a few times in ubuntu on small projects but looking at it again for a larger project. I have seen press releases regarding the support of likewise and redhat but can't find it in RHN.

The likewise enterprise site offers 'free downloads' of the open version in RPM format but I'd prefer to have something manged via RHN as that is the general policy here.

I'm giving a hands on presentation in a couple weeks. Part of this demo is for basic mysql trouble shooting including use of the slow query log. I've generated a database and installed our app but its a clean database and therefore difficult to generate enough problems.

I've tried the following to get queries in the slow query log:

Set slow query time to 1 second.

Deleted multiple indexes.

Stressed the system:

stress --cpu 100 --io 100 --vm 2 --vm-bytes 128M --timeout 1m

Scripted some basic webpage calls using wget.

None of this has generated slow queries. Is there another way of artificially stressing the database to generate problems? I don't have enough skills to write a complex Jmeter or other load generator. I'm hoping perhaps for something built into mysql or another linux trick beyond stress.

I want to install ffmpeg from mediubuntu. I've installed the repository per the instructions on:

http://medibuntu.org/repository.php

My conf.d repository listing:

/etc/apt/sources.list.d# less medibuntu.list  
## Please report any bug on https://bugs.launchpad.net/medibuntu/
deb http://packages.medibuntu.org/ lucid free non-free #Medibuntu - Ubuntu 10.04 "lucid lynx"
#deb-src http://packages.medibuntu.org/ lucid free non-free #Medibuntu (source) - Ubuntu 10.04 "lucid lynx"

Yet when I install ffmpeg I still get it installed via the main ubuntu library.

/etc/apt/sources.list.d# apt-cache policy ffmpeg
ffmpeg:
 Installed: (none)
 Candidate: 4:0.5.1-1ubuntu1
 Version table:
   4:0.5.1-1ubuntu1 0
     500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

(Ignore the installed: none; I've installed/purged multiple times trying to get the medibuntu one)

Is there a way I can force it to use the medibuntu repository? Perferably at run-time rather than in a config file.

We're evaluating helpdesk/ticketing/inventory management software. Does anyone have a list or a clean way of getting a list of all machine attribute types? I'm not looking to get the actual values, but rather a list of types. Such as processor, video card, mac address, IP, ect formulated for my working group.

I'm getting the error: bash: ./fw_utils: /bin/ksh: bad interpreter: No such file or directory

If i apt-get install ksh does it replace the default show or only install it as an interpreter?

If it does install it as the default how do I switch the default back to bash?