datenwolf's questions

I'm currently dealing with a VPN which connection endpoint lies within the subnet which prefix shall be tunneled via that specific VPN.

Essentially the problem thus boils down to match against a (larger) set of destination addresses (/16 mask), except for a wholly contained (small) subset of specific destinations that shall not routed that way (and instead go via the default route).

If the problem was about filtering, in Linux using this could be implemented using a ipset set up like

ipset create MyVPN hash:net
ipset add MyVPN $MYVPNNET/$MYVPNMASK
ipset add MyVPN $MYVPNENDPOINT nomatch

However such ipsets can only be used inside netfilter.

Now my question is, how I could set up something equivalent using Linux Advanced IP Routing, i.e. the ip route family of commands?

Assume two sites A and B with file server at either end. The contents of /storage should be synchronized between the sites, preserving ownership and permissions. There's no all encompassing group that group-owns all of the files in /storage. If running Unison or rsync pid=0 it is trivial to do the synchronization. However SSH is to be used as transport and for obvious reasons SSH root login has been disabled on both ends.

How can I keep A and B synchronized with all permissions preserved in that situation. Two methods I can think of:

• Running a secondary SSH that permits root logins yet may only connect over a VPN between A and B.
• adding a special synchronization user which sshd configuration forcibly executes a
  • SUID wrapper to Unison or rsync (dangerous to get right).
  • sudo wrapper to Unison or rsync

The answers given to the Question Remotely use root over ssh for unison suggest enabling password-less pubkey root login over SSH – I'm not very keen of that solution.

Any other ideas?

Suppose I have a htdocs directory tree served by lighttpd

htdocs
htdocs/foo
htdocs/foo/spam
htdocs/foo/eggs
htdocs/foo/eggs/stirred
htdocs/foo/eggs/fried
htdocs/bar
htdocs/bar/bacon

Now I'd like to protect individual subtrees depending on, if there's a htpassw file somewhere up the hierachy, using that htpasswd of course to contain the credentials of the permitted users. For example a htpasswd file at

htdocs/foo/eggs/.htpasswd

which would mandate authentification for the whole eggs subdirectory tree.

htdocs/foo/eggs
htdocs/foo/eggs/stirred
htdocs/foo/eggs/fried

I know how to configure lighttpd to use a certain htpasswd file at a specific location to operate on a given URL pattern. But configuring something like this seems a bit odd.

My best idea so far was to use extract the relevant part of the URL to construct a path into the filesystem for the htpasswd file. But then this causes problems if there are certain URL rewriting rules applied earlier or later.

Essentially what I'm looking for is that upon the actual file access the traversal up the directory tree is made to locate a possibly present hwpasswd file. How can I do that?