Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Prevent Direct Access To PHP

Not sure if this is the correct way of doing things (as I’m still “learning” PHP), but it worked for me.
Basically I wanted to include a PHP file, but not allow the user to go directly to that same file.

Example: index.php calls upload.php. Blocking the end user from going straight to upload.php (or even viewing the contents) would have been a bad idea.
This is running on a Debian server with LAMP.

nano index.php

$including = true;

nano upload.php

if (!$including) exit("Direct access is not permitted.");

That’s it. Now navigate to upload.php and you’ll see it doesn’t allow it to work. Navigate to index.php and you’ll see the call still works. Great? Probably not, but it still works. Hopefully it doesn’t introduce any other bugs – but it’s a purely testing system anyway. So hack away.

Secure PHP Upload Directory

I was given the task to set up, configure, and manage an external-facing Apache web server.

So I turned to my trusty Ubuntu Server 9.10 x86 CD, installed it and then ran the updates. Yes, I put LAMP on there.

After all was said and done, I grabbed my trusty internal-only PHP uploader script. Unfortunately it’s not fully secure – I actually had someone attack my “honeypot” site successfully by exploiting this script and a lax Apache install. What makes this script so bad for use on the outside is its need for chmod 777 privileges. Yuck.

A good way to stop people from finding bad things to run is to hide indexing from the site (directory listing). Another is to stop executables from running in that directory.

Open up the sites-enabled configuration of Apache
nano /etc/apache2/sites-enabled/000-default

Under the first virtualhost area, edit for your directory:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    # Upload directory: no .htaccess overrides, no directory listing, no CGI
    <Directory /var/www/upload_files/>
        AllowOverride None
        Options IncludesNOEXEC
        Options -Indexes
        Options -ExecCGI
        # Map these extensions to the CGI handler; with ExecCGI off, Apache refuses to serve them
        AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi .gif .pdf .jpg .png .tif .tiff .wmv .mpg .mp3 .mp4 .avi .txt .html .exe .xml .*
    </Directory>

    # (rest of the default virtual host unchanged)
</VirtualHost>


Then restart Apache
apache2ctl restart
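
A quick way to confirm that an upload directory block still carries the three settings this post relies on (AllowOverride None, -Indexes, -ExecCGI). This is an added example, not part of the original post; the function names and both sample configs are constructed for illustration.

```sh
#!/bin/sh
# Text-level audit of one <Directory> block. It does not model how Apache
# merges Options across sections. Sample configs below are constructed.

# dir_block CONF DIR: print the directives inside <Directory DIR>.
dir_block() {
    awk -v want="${2%/}" '
        tolower($1) == "<directory" {
            p = $2; gsub(/[">]/, "", p); sub(/\/$/, "", p)
            inside = (p == want); next
        }
        tolower($1) == "</directory>" { inside = 0 }
        inside && $1 !~ /^#/ { print }
    ' "$1"
}

# audit_upload_dir CONF DIR: one finding per line; no output means it passes.
audit_upload_dir() {
    block=$(dir_block "$1" "$2")
    [ -n "$block" ] || { echo "no <Directory> block for $2"; return 0; }
    has() { printf '%s\n' "$block" | grep -Eiq "$1"; }
    has '^[[:space:]]*Options.*[[:space:]]-Indexes' ||
        echo "directory listing not disabled (Options -Indexes)"
    has '^[[:space:]]*Options.*[[:space:]]-ExecCGI' ||
        echo "CGI execution not disabled (Options -ExecCGI)"
    has '^[[:space:]]*AllowOverride[[:space:]]+None' ||
        echo "AllowOverride is not None (.htaccess could change these settings)"
}

count_findings() { audit_upload_dir "$1" "$2" | wc -l | tr -d ' '; }

# write_samples DIR: hardened.conf mirrors the post's block, weak.conf does not.
write_samples() {
    cat > "$1/hardened.conf" <<'EOF'
<Directory /var/www/upload_files/>
AllowOverride None
Options IncludesNOEXEC
Options -Indexes
Options -ExecCGI
</Directory>
EOF
    cat > "$1/weak.conf" <<'EOF'
<Directory "/var/www/upload_files">
AllowOverride All
Options Indexes FollowSymLinks
</Directory>
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_upload_dir "$tmp/weak.conf" /var/www/upload_files/   # prints three findings
rm -rf "$tmp"
```
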

Split Giant ISO Into Smaller Files

OK, so I uploaded a 3GB ISO file to my site for future downloads. Unfortunately for me, whenever I attempted to download the file I was met by:

Forbidden

You don’t have permission to access /path/to/file/nameoffile.iso on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Dumb. Good thing I have access to the log files. The error from apache stated:

value too large for defined data type

More dumb. As this is from my hosting company I can’t just go ahead and update the kernel or replace any config files I need. So I just needed to be able to compress the file and make multiple archives. Thanks to some command line tar I can do just that:

tar cvzf - nameofyourfile.iso | split -d -b 700m - nameyouwantyourfiletobe.iso.tar.gz.
Notice the trailing ‘.’ – this is used to create filename.iso.tar.gz.01, filename.iso.tar.gz.02 etc.

Now I just have to play the waiting game for it to finish.

AND if you want to restore it later to ISO format:
cat filename.iso.tar.gz.* | tar xvzf -
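
Before extracting a set of parts that has been moved between machines, it is worth proving that they still form one complete archive. The following is an added example, not from the original post: it uses the same tar and split pipeline with a small part size, and the file names, sizes and function names are constructed.

```sh
#!/bin/sh
# Split a tar.gz stream into parts, then check the parts before trusting them.

# make_parts SRC PREFIX SIZE: same pipeline as the post, with a chosen part size.
make_parts() {
    tar czf - -C "$(dirname "$1")" "$(basename "$1")" | split -d -b "$3" - "$2"
}

# check_parts PREFIX: 0 if the concatenated parts are a complete gzip stream
# and a listable tar archive; non-zero if a part is missing or damaged.
check_parts() {
    cat "$1"* 2>/dev/null | gzip -t 2>/dev/null || return 1
    cat "$1"* | tar tzf - >/dev/null 2>&1
}

# restore_parts PREFIX DESTDIR: extract only after check_parts passes.
restore_parts() {
    check_parts "$1" || { echo "parts incomplete or corrupt: $1" >&2; return 1; }
    mkdir -p "$2" && cat "$1"* | tar xzf - -C "$2"
}

# demo: echoes "ok" when the round trip is byte-identical and a lost part is caught.
demo() {
    work=$(mktemp -d) || return 1
    head -c 65536 /dev/urandom > "$work/sample.iso"   # constructed stand-in for the ISO
    make_parts "$work/sample.iso" "$work/sample.iso.tar.gz." 16k
    restore_parts "$work/sample.iso.tar.gz." "$work/out" || { rm -rf "$work"; return 1; }
    cmp -s "$work/sample.iso" "$work/out/sample.iso" || { rm -rf "$work"; return 1; }
    rm -f "$work/sample.iso.tar.gz.01"                # simulate a part lost in transfer
    if check_parts "$work/sample.iso.tar.gz."; then result="missed"; else result="ok"; fi
    rm -rf "$work"
    echo "$result"
}

demo
```
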

VMWare Server Ubuntu 9.10

OK, I had to install VMWare Server 2.0.2-203138 onto a 9.10 fully-up-to-date 32bit server. 9.04 and before it was easy, but there’s something added onto 9.10 to make it a little more difficult to install.

What we’ll be doing:
Update your server
I first downloaded the vmware-server from vmware.com.
Create a script called vmware-server-2.0.x-kernel-2.6.31-14-install.sh
Run the script

Really? 4 steps? Yes.

Download VMWare Server from Vmware.com

apt-get update
apt-get upgrade
apt-get dist-upgrade

nano vmware-server-2.0.x-kernel-2.6.31-14-install.sh
The file you should copy is quoted at the bottom of this post. It’s large. I didn’t write it, but it works quite well.
Save this file

chmod +x vmware-server-2.0.x-kernel-2.6.31-14-install.sh
./vmware-server-2.0.x-kernel-2.6.31-14-install.sh

#!/bin/bash

###############################################################################
# @author Radu Cotescu #
# @version 1.1 Mon Jan 18 15:24:39 EET 2010 #
# #
# For further details visit: #
# http://radu.cotescu.com/?p=1095 #
# #
# This script will help you install VMWare Server 2.0.x on Ubuntu 9.10. #
# Based on a script from http://communities.vmware.com/thread/215985 #
# #
# This script must be run with super-user privileges. #
# Usage: #
# ./vmware-server-2.0.x-kernel-2.6.31-14-install.sh [PATH TO VMWARE ARCHIVE] #
# If you do not specify the PATH the script will scan the current folder for #
# VMware server archive and if doesn’t find anything it will exit. #
###############################################################################

VMWARE_HOME=$1
PATCH="vmware-server-2.0.2-203138-update.patch"

display_usage() {
    echo "This script must be run with super-user privileges."
    echo -e "\nUsage:\n./vmware-server-2.0.x-kernel-2.6.31-14-install.sh [PATH TO VMWARE ARCHIVE]\n"
    echo "If you do not specify the PATH the script will scan the current folder"
    echo "for VMware server archive and if doesn't find anything it will exit."
    exit 1
}

check_usage() {
    if [ ! $params -le 1 ]
    then
        display_usage
    fi
    if [[ ($param == "--help") || $param == "-h" ]]
    then
        display_usage
    fi
}

check_user() {
    if [[ $USER != "root" ]]; then
        echo "This script must be run as root!"
        exit 1
    fi
}

set_workspace() {
    if [[ -z $VMWARE_HOME ]]; then
        VMWARE_HOME="`pwd`"
    fi
    VMWARE_ARCHIVE=`ls "$VMWARE_HOME" 2> /dev/null | egrep "^(VMware-server-2.0.[0-9]-)[0-9]*.[A-Za-z0-9_]*.tar.gz"`
    MODULES_DIR="$VMWARE_HOME/vmware-server-distrib/lib/modules"
    MODULES_SOURCE="$MODULES_DIR/source"
}

check_archive() {
    if [[ -z $VMWARE_ARCHIVE ]]; then
        echo -e "There is no archive containing VMware Server in the path you indicated!\n"
        exit 1
    else
        echo -e "You have VMware Server archive: \n\t$VMWARE_ARCHIVE"
    fi
}

check_distro() {
    ubuntu=`cat /etc/*-release | grep Ubuntu`
    fedora=`cat /etc/*-release | grep Fedora`
    suse=`cat /etc/*-release | grep SUSE`
    if [[ ! -z $ubuntu ]] ; then
        distro="ubuntu"
    elif [[ ! -z $fedora ]] ; then
        distro="fedora"
    elif [[ ! -z $suse ]] ; then
        distro="suse"
    fi
}

packageError() {
    if [[ $1 -ne 0 ]]; then
        echo "I am unable to install the before mentioned package..."
        echo "Please install the required package and rerun the script..."
        exit 1
    fi
}

resolveDepsUbuntu() {
    echo "Checking for needed packages on Ubuntu"
    check_wget=`dpkg-query -W -f='${Status} ${Version}\n' wget 2> /dev/null | egrep "^install"`
    if [[ -z $check_wget ]]; then
        echo "Installing wget package..."
        apt-get -y install wget
        packageError $?
    else echo "You do have the wget package..."
    fi
    LINUX_HEADERS="linux-headers-`uname -r`"
    check_headers=`dpkg-query -W -f='${Status} ${Version}\n' $LINUX_HEADERS 2> /dev/null | egrep "^install"`
    if [[ -z $check_headers ]]; then
        echo "Installing linux-headers-`uname -r` package..."
        apt-get -y install linux-headers-`uname -r`
        packageError $?
    else echo "You do have the $LINUX_HEADERS package..."
    fi
    check_build=`dpkg-query -W -f='${Status} ${Version}\n' build-essential 2> /dev/null | egrep "^install"`
    if [[ -z $check_build ]]; then
        echo "Installing build-essential package..."
        apt-get -y install build-essential
        packageError $?
    else echo "You do have the build-essential package..."
    fi
    check_patch=`dpkg-query -W -f='${Status} ${Version}\n' "patch" 2> /dev/null | egrep "^install"`
    if [[ -z $check_patch ]]; then
        echo "Installing patch package..."
        apt-get -y install patch
        packageError $?
    else echo "You do have the patch package..."
    fi
}

resolveDepsFedora() {
    echo "Checking for needed packages on Fedora"
    if [[ -z `rpm -qa wget` ]]; then
        echo "Installing wget..."
        yum -y install wget
        packageError $?
    else echo "You do have the wget package..."
    fi
    if [[ -z `rpm -qa xinetd` ]]; then
        echo "Installing xinetd..."
        yum -y install xinetd
        packageError $?
    else echo "You do have the xinetd package..."
    fi
    if [[ -z `rpm -qa kernel-headers` ]]; then
        echo "Installing kernel-headers..."
        yum -y install kernel-headers
        packageError $?
    else echo "You do have the kernel-headers package..."
    fi
    if [[ -z `rpm -qa kernel-devel` ]]; then
        echo "Installing kernel-devel..."
        yum -y install kernel-devel
        packageError $?
    else echo "You do have the kernel-devel package..."
    fi
    if [[ -z `rpm -qa gcc` ]]; then
        echo "Installing gcc..."
        yum -y install gcc
        packageError $?
    else echo "You do have the gcc package..."
    fi
    if [[ -z `rpm -qa patch` ]]; then
        echo "Installing patch..."
        yum -y install patch
        packageError $?
    else echo "You do have the patch package..."
    fi
    if [[ -z `rpm -qa make` ]]; then
        echo "Installing make..."
        yum -y install make
        packageError $?
    else echo "You do have the make package..."
    fi
}

resolveDepsSuse() {
    echo "Checking for needed packages on SUSE"
    if [[ -z `rpm -qa wget` ]]; then
        echo "Installing wget..."
        zypper --non-interactive install wget
        packageError $?
    else echo "You do have the wget package..."
    fi
    if [[ -z `rpm -qa linux-kernel-headers` ]]; then
        echo "Installing linux-kernel-headers..."
        zypper --non-interactive install linux-kernel-headers
        packageError $?
    else echo "You do have the linux-kernel-headers package..."
    fi
    if [[ -z `rpm -qa kernel-source` ]]; then
        echo "Installing kernel-source..."
        zypper --non-interactive install kernel-source
        packageError $?
    else echo "You do have the kernel-source package..."
    fi
    kernel_type=`uname -r | awk 'BEGIN { FS = "-" } ; { print $3 }'`
    if [[ -z `rpm -qa kernel-$kernel_type-devel` ]]; then
        echo "Installing kernel-$kernel_type-devel..."
        zypper --non-interactive install kernel-$kernel_type-devel
        packageError $?
    else echo "You do have the kernel-$kernel_type-devel package..."
    fi
    if [[ -z `rpm -qa gcc` ]]; then
        echo "Installing gcc..."
        zypper --non-interactive install gcc
        packageError $?
    else echo "You do have the gcc package..."
    fi
    if [[ -z `rpm -qa patch` ]]; then
        echo "Installing patch..."
        zypper --non-interactive install patch
        packageError $?
    else echo "You do have the patch package..."
    fi
    if [[ -z `rpm -qa make` ]]; then
        echo "Installing make..."
        zypper --non-interactive install make
        packageError $?
    else echo "You do have the make package..."
    fi
}

install() {
    # Install build dependencies for the detected distribution
    case $distro in
        "ubuntu")
            resolveDepsUbuntu
            ;;

        "fedora")
            resolveDepsFedora
            ;;

        "suse")
            resolveDepsSuse
    esac
    echo "Downloading patch file..."
    wget http://codebin.cotescu.com/vmware/$PATCH -O "$VMWARE_HOME/$PATCH"
    if [[ ! -e "$VMWARE_HOME/vmware-server-distrib" ]]; then
        echo Extracting the contents of $VMWARE_ARCHIVE
        tar zxf "$VMWARE_HOME/$VMWARE_ARCHIVE" -C "$VMWARE_HOME"
    fi
    echo "Checking patch download and archives from the extracted folders..."
    if [ ! -r "$VMWARE_HOME/$PATCH" ]; then
        echo "The download of $PATCH from http://codebin.cotescu.com/vmware/ failed!"
        echo "Check your internet connection. :("
        exit 1
    fi
    TARS=`find "$MODULES_SOURCE" -maxdepth 1 -name '*.tar'`
    if [ ! "$TARS" ]; then
        echo ".tar files from $MODULES_SOURCE appear to be missing!"
        echo "Cannot continue process. :("
        exit 1
    fi
    BASES=""
    for TARFILE in $TARS
    do
        BASE=`basename "$TARFILE" | rev | cut -c5- | rev`
        BASES="$BASES $BASE"
        echo "Found .tar file for $BASE module"
    done
    echo "Extracting .tar files in order to apply the patch..."
    for BASE in $BASES
    do
        TARFILE="${BASE}.tar"
        MODDIR="${BASE}-only"
        echo "Untarring $MODULES_SOURCE/$TARFILE"
        tar -xf "$MODULES_SOURCE/$TARFILE" -C "$MODULES_SOURCE"
        if [ ! -d "$MODULES_SOURCE/$MODDIR" ]; then
            echo "$TARFILE tarball failed to extract in the directory $MODDIR. :("
            exit 1
        fi
    done
    echo "Testing patch..."
    patch --dry-run -N -p1 --directory="$VMWARE_HOME/vmware-server-distrib" -s < "$VMWARE_HOME/$PATCH"
    RESULT=$?
    if [ "0" != "$RESULT" ]; then
        echo "The patch cannot be applied. :("
        exit 1
    fi
    echo "Applying patch..."
    patch -N -p1 --directory="$VMWARE_HOME/vmware-server-distrib" -s < "$VMWARE_HOME/$PATCH"
    RESULT=$?
    if [ "0" != "$RESULT" ]; then
        echo "A problem occurred with the patch while it was being applied. :("
        exit 1
    fi
    for BASE in $BASES
    do
        TEMPFILE="${BASE}-temp.tar"
        MODDIR="${BASE}-only"
        echo "Preparing new tar file for $BASE module"
        rm -f "$MODULES_SOURCE/$TEMPFILE"
        tar -cf "$MODULES_SOURCE/$TEMPFILE" -C "$MODULES_SOURCE" "$MODDIR"
    done
    echo "Checking that the compiling will succeed..."
    for BASE in $BASES
    do
        # Skip checking vmppuser module because it's badly broken dead code
        if [ "vmppuser" != "$BASE" ]; then
            MODDIR="${BASE}-only"
            echo "Trying to compile $BASE module to see if it works"
            echo "Performing make in $MODULES_SOURCE/$MODDIR"
            make -s -C "$MODULES_SOURCE/$MODDIR"
            RESULT=$?
            if [ "0" != "$RESULT" ]; then
                echo "There is a problem compiling the $BASE module after it was patched. :("
                exit 1
            fi
        fi
    done
    echo "Rebuilding tar files..."
    for BASE in $BASES
    do
        TEMPFILE="${BASE}-temp.tar"
        TARFILE="${BASE}.tar"
        OFILE="${BASE}.o"
        MODDIR="${BASE}-only"
        echo "Replacing original file $TARFILE with patched file..."
        rm -rf "$MODULES_SOURCE/$TARFILE" "$MODULES_SOURCE/$OFILE" "$MODULES_SOURCE/$MODDIR"
        mv -f "$MODULES_SOURCE/$TEMPFILE" "$MODULES_SOURCE/$TARFILE"
    done
    echo "Removing binaries directory..."
    rm -rf "$MODULES_DIR/binary"
    echo "Starting VMware Server original install script..."
    # Quoted so a path containing spaces is passed as one word
    "$VMWARE_HOME/vmware-server-distrib/vmware-install.pl"
}

clean() {
    echo "Housekeeping..."
    # Quoted so rm -rf only ever sees the two intended paths
    rm -rf "$VMWARE_HOME/vmware-server-distrib" "$VMWARE_HOME/$PATCH"
    echo "Thank you for using the script!"
    echo -e "Patch provided by: \n\tRamon de Carvalho Valle"
    echo -e "\thttp://risesecurity.org"
    echo -e "Script author: \n\tRadu Cotescu"
    echo -e "\thttp://radu.cotescu.com"
}

params=$#
param=$1
check_usage params param
check_user
set_workspace
check_archive
check_distro
install
if [[ $distro == "fedora" ]]; then
    echo "On Fedora you must follow these steps in order to make VMware Server to work properly:"
    echo -e "\t1. edit /etc/services and replace the entry located on TCP/902 port with vmware-authd"
    echo -e "\t2. set SELinux to permissive or even disable it by editing the /etc/selinux/config file"
    echo -e "\t3. reboot your system"
fi
clean
exit 0
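
The script above fetches $PATCH over plain HTTP and, running as root, checks only that the file is readable and that it applies cleanly. One way to gate that step on a pinned SHA-256 is sketched here as an added example; it is not part of Radu Cotescu's script or the original post, the function names and sample patch are constructed, and the real digest would have to come from a source you trust.

```sh
#!/bin/sh
# Gate a downloaded patch on a pinned SHA-256 before anything is applied.

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# verify_pinned FILE EXPECTED: 0 only for a regular, non-empty file with that digest.
verify_pinned() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || {
        echo "not a usable file: $1" >&2
        return 2
    }
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" != "$2" ]; then
        echo "digest mismatch for $1: got $actual, expected $2" >&2
        return 1
    fi
}

# run_if_verified FILE EXPECTED CMD...: run CMD only when FILE passes verify_pinned.
run_if_verified() {
    file=$1; expected=$2; shift 2
    verify_pinned "$file" "$expected" || return $?
    "$@"
}

# demo: echoes the outcome for an intact file, then for the same file after a change.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '--- a/constructed' '+++ b/constructed' > "$work/sample.patch"
    pinned=$(sha256_of "$work/sample.patch")   # stands in for a digest obtained out of band
    run_if_verified "$work/sample.patch" "$pinned" true 2>/dev/null \
        && first=applied || first=refused
    echo "# altered after the digest was recorded" >> "$work/sample.patch"
    run_if_verified "$work/sample.patch" "$pinned" true 2>/dev/null \
        && second=applied || second=refused
    rm -rf "$work"
    echo "$first $second"
}

demo
```

In the installer, the equivalent call would wrap the two patch invocations, so a file that does not match never reaches `patch`.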

Purple Pidgin Plugin Pack

That’s a lot of P’s!

After months of using (and really liking) the purple plugin pack for pidgin on my Windows machine, I wanted to get it working on my Linux machine as well.

HP Laptop running Ubuntu 9.10 x64 fully up-to-date (2.6.31-17-generic)
Pidgin version 2.6.2

All I did was:
sudo apt-get install pidgin-plugin-pack

Then all of the plugins were installed – I just had to activate them.

FreeNAS Slow File Copy

I recently built a fairly nice NAS system for a customer:
0.7 Khasadar (revision 4919)
2.5GHz Dual Core Pentium
4GB DDR2 PC1066
5x hot swap 2TB SATA
10/100/1000 Intel Pro NIC
10/100/1000 Full duplex switch connection

After formatting the drives in SoftRAID 5 (1.8TB x 4 = 7.2TB – 5% for defragmentation = 6.84TB available), I started to back up many of their ISOs and daily computer backups and other logs. Everything was going smoothly using Windows File Sharing (Samba) until I got to the larger files.

Initially the files would copy at 80+MB/sec, but then they’d slow down to 50… 30… 20… even down to 8 or so MB/sec. Ouchies when you’re talking about a 40+GB file to transfer. FTP yielded the same results. I noticed that sometimes the drives on the NAS wouldn’t even be blinking, so it had to be another issue.

If you log in on the web panel of the FreeNAS, under Services you will find CIFS/SMB.
Check under Advanced Settings
You’ll see Send and Receive buffer sizes – by default they are 16MB (16*1024 = 16384)
I changed the buffer size to 128MB (128*1024 = 131072) and checked the results

120MB/sec, slow down to 80… 70… 60… So 60MB/sec. That’s over 6 times faster at a cost of 8 times the RAM. I can live with that.

So just for jollies I increased it to 512MB and then to 1024MB. Both stopped around 70MB/sec. Then, as a final test, I dropped it down to 256MB (256*1024 = 262144), which seemed to be OK.

Issue Copying Startup Files To USB Flash FreeNAS

I wanted to try out FreeNAS (based on FreeBSD but with quite a few awesome ‘NAS-like’ features) on a system at a jobsite:
System has 5x 2TB drives in RAID5 (6.7TB usable for storage) hotswappable, 2.5GHz Dual Core Pentium, 4GB DDR2 1066 RAM, 3x 10/100/100 NIC, FreeNAS .7 stable.

I got everything up and running without a problem (it is quite easy), running it off a 1GB USB Flash drive I had lying around. But I wanted to continue using my flash drive for other things and found an unused 128MB flash drive that no one would ever use again. I’d rather waste 128MB than 1024MB…

Formatted the 128MB into FAT
Plugged the 128MB flash into the FreeNAS server while it was off
Booted the FreeNAS server using the FreeNAS .7 CD
Pressed 9 to install embedded onto the flash drive

Mount CDROM.
Installing system image on device da0.
gzip: stdout: broken pipe
Error: Failed to dd image on ‘/dev/da0’!
Unmount CDROM.
There was a problem while copying files.
Press ENTER to continue.

Argh. So I checked the flash drive on the main PC again – FreeNAS had written a config file and folder to the device!

It looks like if you boot up the system with a USB flash drive installed, the config file will always be written and you can’t format the device. So just plug the drive in AFTER everything is booted up.

Wiped 128MB again and formatted FAT
Plugged 128MB into FreeNAS - Auto mounted the device as da0
Try 9, 1 again

Mount CDROM.
Installing system image on device da0.
GEOM_LABEL: Label for provider da0a is ufsid/************.
Unmount CDROM.
FreeNAS has been installed on da0.
You can now remove the CDROM and reboot the PC.

So I did just that.