Difference between revisions of "IT/Internal"

From CA Greens wiki
(Be the mailman user and archive and remove an unwanted mailman list)
(password protect a directory on the web server)
 
(4 intermediate revisions by 2 users not shown)
Line 4: Line 4:
 
Check ownership of the local's directory.  Count the files in the directory, then search for files not belonging to the right group or with inadequate permissions.
 
Check ownership of the local's directory.  Count the files in the directory, then search for files not belonging to the right group or with inadequate permissions.
 
   ls -ld /w/cal/contracosta
 
   ls -ld /w/cal/contracosta
   find /w/cal/contracosta  -group  contracosta | wc -l
+
   find /w/cal/contracosta  | wc -l
 
   find /w/cal/contracosta \! -group  contracosta
 
   find /w/cal/contracosta \! -group  contracosta
 
   find /w/cal/contracosta  -type d \! -perm -775 | wc -l
 
   find /w/cal/contracosta  -type d \! -perm -775 | wc -l
If the '-perm' test gives a non-zero answer, fix the offending plain file or directory
+
If the '-perm' search gives a non-zero line count, fix the offending plain file or directory.  I'll use 'tail' to avoid flooding the terminal if there are hundreds.  Use 'wc -l" to count lines instead.
 
   find /w/cal/contracosta  -type d \! -perm -775 | tail
 
   find /w/cal/contracosta  -type d \! -perm -775 | tail
 
   chmod ug+w,o-w /w/cal/contracosta/foobar.shtml
 
   chmod ug+w,o-w /w/cal/contracosta/foobar.shtml
 
   chmod ug+w,o-w,a+x,g+s /w/cal/contracosta/foo/bar/baz/
 
   chmod ug+w,o-w,a+x,g+s /w/cal/contracosta/foo/bar/baz/
 
We're setting write for the user and group and clearing it for others.  Setting "search" (x) for everyone.  Setting "set group-ID".  The "set group-ID" bit tells the kernel any new file here must be created with the same user-ID and group-ID as this directory has.  It has the effect that three different people creating files in the directory will all be creating files that belong to the "contracosta" group.
 
We're setting write for the user and group and clearing it for others.  Setting "search" (x) for everyone.  Setting "set group-ID".  The "set group-ID" bit tells the kernel any new file here must be created with the same user-ID and group-ID as this directory has.  It has the effect that three different people creating files in the directory will all be creating files that belong to the "contracosta" group.
 +
 +
Suppose you find dozens of non-conforming files.  You can combine the "wrong group" search and the fix:
 +
  find /w/cal/contracosta -print0 \! -group  contracosta | xargs -0 -l10 chgrp contracosta
 +
Wrong permissions search+fix.  One for dirs and one for plain files:
 +
  find /w/cal/contracosta -print0  -type d \! -perm -775 | xargs -0 -l10 chmod 2775
 +
  find /w/cal/contracosta -print0  -type f \! -perm -644 | xargs -0 -l10 chmod 644
 
    
 
    
 
Check new volunteer's groups and add her or him to the right one.
 
Check new volunteer's groups and add her or him to the right one.
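Review bot: in the three added search+fix commands, `-print0` sits ahead of the `-group`, `-type` and `-perm` tests, so find prints every path before the tests are evaluated and xargs applies chgrp/chmod to the whole tree. Run in the order shown, the `chmod 644` line would also strip the search bit from every directory. Move the action to the end of each expression, for example `find /w/cal/contracosta -type d \! -perm -775 -print0`. Separately, the added sentence about 'wc -l" has mismatched quotes.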
Line 18: Line 24:
 
   gpw contracosta
 
   gpw contracosta
 
   adduser bheurer contracosta
 
   adduser bheurer contracosta
 
 
 
  
 
==Be the mailman user and archive and remove an unwanted mailman list==
 
==Be the mailman user and archive and remove an unwanted mailman list==
Line 41: Line 44:
 
   exit
 
   exit
 
   exit
 
   exit
 +
 +
==password protect a directory on the web server==
 +
Create (-c) a new password file with one username password pair in it.  If you're adding a pair to an existing password file, skip the ''-c''.
 +
  htpasswd -c -b /home/jims/seekritstuff/.htpasswd-foobar userjoe joesseekritpasswerd
 +
Create a web server config file in the directory you're protecting.  If you don't like creating files with cat, use vi or nano.
 +
  cd /w/cal/seekritdir
 +
  cat <<enuf > .htaccess
 +
  AuthUserFile /home/jims/seekritstuff/.htpasswd-foobar
 +
  AuthGroupFile /dev/null
 +
  AuthName Internal
 +
  AuthType Basic
 +
  require valid-user
 +
  enuf
 +
Hide the password file but make sure the web server can read it.
 +
  chmod 640 /home/jims/seekritstuff/.htpasswd-foobar
 +
  chmod 644  .htaccess
 +
  sudo chgrp www-data /home/jims/seekritstuff/.htpasswd-foobar
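Review bot: the added `htpasswd -c -b` line passes the password as a command-line argument, so it ends up in shell history and is visible in the process list while the command runs. Drop `-b` and let htpasswd prompt for the password. Also worth a sentence in the text: `-c` overwrites an existing password file, so the "skip the -c" advice matters for more than tidiness.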

Latest revision as of 02:27, 1 June 2011

Here are some things you might have to do on wangari.

Add a new web volunteer for a local

Check ownership of the local's directory. Count the files in the directory, then search for files not belonging to the right group or with inadequate permissions.

 ls -ld /w/cal/contracosta
 find /w/cal/contracosta  | wc -l
 find /w/cal/contracosta \! -group  contracosta
 find /w/cal/contracosta  -type d \! -perm -775 | wc -l

If the '-perm' search gives a non-zero line count, fix the offending plain file or directory. I'll use 'tail' to avoid flooding the terminal if there are hundreds. Use 'wc -l' to count lines instead.

 find /w/cal/contracosta  -type d \! -perm -775 | tail
 chmod ug+w,o-w /w/cal/contracosta/foobar.shtml
 chmod ug+w,o-w,a+x,g+s /w/cal/contracosta/foo/bar/baz/

We're setting write for the user and group and clearing it for others. Setting "search" (x) for everyone. Setting "set group-ID". The "set group-ID" bit tells the kernel any new file here must be created with the same user-ID and group-ID as this directory has. It has the effect that three different people creating files in the directory will all be creating files that belong to the "contracosta" group.

Suppose you find dozens of non-conforming files. You can combine the "wrong group" search and the fix:

 # -print0 goes last, so only paths that fail the group test reach xargs
 find /w/cal/contracosta \! -group contracosta -print0 | xargs -0 -r -n 10 chgrp contracosta

Wrong permissions search+fix. One for dirs and one for plain files:

 # Tests first, -print0 last; otherwise every path is printed and chmod'ed
 find /w/cal/contracosta -type d \! -perm -775 -print0 | xargs -0 -r -n 10 chmod 2775
 find /w/cal/contracosta -type f \! -perm -644 -print0 | xargs -0 -r -n 10 chmod 644
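
find evaluates its expression left to right, so in these search+fix commands a -print0 placed ahead of the tests selects every path in the tree. The script below is an added example, not part of the wiki page; the function names are hypothetical. It counts what each form selects and applies the fixes only to paths that fail a test.

```shell
#!/bin/sh
# Added example (not from the wiki). Helper names are hypothetical.

# Count NUL-terminated paths on stdin; safe for names containing newlines.
count0() { tr -cd '\000' | wc -c | tr -d ' '; }

# What the misplaced form selects: -print0 is an action that is always
# true, so it emits every path before -type/-perm are evaluated.
misplaced_count() { find "$1" -print0 -type d \! -perm -775 | count0; }

# Print "wrong_group bad_dirs bad_files" for tree $1 and group $2,
# using the same tests as the wiki commands with the action placed last.
audit_tree() {
    wg=$(find "$1" \! -group "$2" -print0 | count0)
    bd=$(find "$1" -type d \! -perm -775 -print0 | count0)
    bf=$(find "$1" -type f \! -perm -644 -print0 | count0)
    echo "$wg $bd $bf"
}

# Apply the fixes only to paths that failed a test.
# xargs -r (GNU) skips the command when nothing matched.
fix_tree() {
    find "$1" \! -group "$2" -print0 | xargs -0 -r -n 10 chgrp "$2"
    find "$1" -type d \! -perm -775 -print0 | xargs -0 -r -n 10 chmod 2775
    find "$1" -type f \! -perm -644 -print0 | xargs -0 -r -n 10 chmod 644
}

# Usage: sh audit.sh /w/cal/contracosta contracosta   (audit only)
if [ "$#" -eq 2 ]; then
    echo "selected by misplaced -print0: $(misplaced_count "$1")"
    echo "wrong_group bad_dirs bad_files: $(audit_tree "$1" "$2")"
fi
```

Run the audit first and compare the two counts; call fix_tree only once the audit numbers look plausible.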
 

Check new volunteer's groups and add her or him to the right one.

 gpw bert
 gpw bheurer
 gpw contracosta
 adduser bheurer contracosta

Be the mailman user and archive and remove an unwanted mailman list

As root,

 su - list

which gives you a login shell as Mr. list. First remind yourself where Mailman is. Try the tab key instead of asterisk there.

 egrep 'cgi-bin|piperm' /etc/apa*/sites-a*/wa* | grep -v '^#'

Then do stuff. Keep the name of the list in a shell variable to avoid typing it over and over.

 cd /var/lib/mailman
 bye=humboldt-discuss
 file  archives/private/$bye*
 cp -a lists/$bye ~/oldlists/lists
 cp -a archives/private/$bye* ~/oldlists/archives
 ls -l data/al*
 ls bin
 bin/rmlist -a $bye
 ls -l data/al*

Now it's gone. After a minute or two, Postfix will notice the change and forget about the former list's addresses. You don't have to signal it.

 exit
 exit

password protect a directory on the web server

Create (-c) a new password file with one username password pair in it. If you're adding a pair to an existing password file, skip the -c.

 htpasswd -c -b /home/jims/seekritstuff/.htpasswd-foobar userjoe joesseekritpasswerd

Create a web server config file in the directory you're protecting. If you don't like creating files with cat, use vi or nano.

 cd /w/cal/seekritdir
 cat <<enuf > .htaccess
 AuthUserFile /home/jims/seekritstuff/.htpasswd-foobar
 AuthGroupFile /dev/null
 AuthName Internal
 AuthType Basic
 require valid-user
 enuf

Hide the password file but make sure the web server can read it.

 chmod 640 /home/jims/seekritstuff/.htpasswd-foobar
 chmod 644  .htaccess
 sudo chgrp www-data /home/jims/seekritstuff/.htpasswd-foobar
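
A check for the "hide the password file" step, as an added example that is not part of the wiki page. check_pwfile is a hypothetical helper, and the document root passed to it is an assumption since the page does not name one. It reports when the file sits under the web tree, is accessible to "other", or cannot be read through the server's group.

```shell
#!/bin/sh
# Added example (not from the wiki). check_pwfile is a hypothetical helper.

# check_pwfile PWFILE DOCROOT GROUP
# Prints one keyword per problem; prints nothing when the file is hidden
# from web clients and local users but still readable by the server group.
check_pwfile() {
    pw=$1
    # Resolve physical paths so a symlinked directory cannot mask the location.
    pwdir=$(cd "$(dirname "$pw")" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    [ -f "$pw" ] || return 2

    # A password file under the document root can be fetched over HTTP
    # if the server's dotfile protection is ever missing.
    case "$pwdir/" in
        "$root"/*) echo "inside-docroot" ;;
    esac

    # chmod 640 means no bits at all for "other".
    if [ -n "$(find "$pw" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "world-accessible"
    fi

    # The server reads the file through its group (www-data on this host).
    if [ -n "$(find "$pw" \! -group "$3")" ]; then
        echo "wrong-group"
    elif [ -z "$(find "$pw" -perm -040)" ]; then
        echo "group-cannot-read"
    fi
    return 0
}

# Usage (document root is an assumed value):
#   sh check.sh /home/jims/seekritstuff/.htpasswd-foobar /w/cal www-data
if [ "$#" -eq 3 ]; then check_pwfile "$1" "$2" "$3"; fi
```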