Difference between revisions of "IT/Internal"
(→password protect a directory on the web server) |
(7 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Here are some things you might have to do on wangari. | + | ===Here are some things you might have to do on wangari.=== |
+ | |||
+ | ==Add a new web volunteer for a local== | ||
+ | Check ownership of the local's directory. Count the files in the directory, then search for files not belonging to the right group or with inadequate permissions. | ||
+ | ls -ld /w/cal/contracosta | ||
+ | find /w/cal/contracosta | wc -l | ||
+ | find /w/cal/contracosta \! -group contracosta | ||
+ | find /w/cal/contracosta -type d \! -perm -775 | wc -l | ||
+ | If the '-perm' search gives a non-zero line count, fix the offending plain file or directory. I'll use 'tail' to avoid flooding the terminal if there are hundreds. Use 'wc -l" to count lines instead. | ||
+ | find /w/cal/contracosta -type d \! -perm -775 | tail | ||
+ | chmod ug+w,o-w /w/cal/contracosta/foobar.shtml | ||
+ | chmod ug+w,o-w,a+x,g+s /w/cal/contracosta/foo/bar/baz/ | ||
+ | We're setting write for the user and group and clearing it for others. Setting "search" (x) for everyone. Setting "set group-ID". The "set group-ID" bit tells the kernel any new file here must be created with the same user-ID and group-ID as this directory has. It has the effect that three different people creating files in the directory will all be creating files that belong to the "contracosta" group. | ||
+ | |||
+ | Suppose you find dozens of non-conforming files. You can combine the "wrong group" search and the fix: | ||
+ | find /w/cal/contracosta -print0 \! -group contracosta | xargs -0 -l10 chgrp contracosta | ||
+ | Wrong permissions search+fix. One for dirs and one for plain files: | ||
+ | find /w/cal/contracosta -print0 -type d \! -perm -775 | xargs -0 -l10 chmod 2775 | ||
+ | find /w/cal/contracosta -print0 -type f \! -perm -644 | xargs -0 -l10 chmod 644 | ||
+ | |||
+ | Check new volunteer's groups and add her or him to the right one. | ||
+ | gpw bert | ||
+ | gpw bheurer | ||
+ | gpw contracosta | ||
+ | adduser bheurer contracosta | ||
==Be the mailman user and archive and remove an unwanted mailman list== | ==Be the mailman user and archive and remove an unwanted mailman list== | ||
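Review bot: In the three combined search-and-fix commands, -print0 is placed before the tests (for example "find /w/cal/contracosta -print0 -type d \! -perm -775 | xargs ..."). find evaluates its expression left to right, so every path under the directory is emitted and the tests filter nothing. As written, chmod 2775 is applied to plain files as well as directories, and the chmod 644 that follows strips the search bit from every directory. Move -print0 to the end of each expression. Two smaller points: the sentence on "set group-ID" says new files take the directory's user-ID as well as its group-ID, whereas on Linux only the group is inherited; and the bulk chmod 644 removes the group write bit that the earlier "chmod ug+w,o-w" step sets on plain files.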
Line 13: | Line 37: | ||
cp -a lists/$bye ~/oldlists/lists | cp -a lists/$bye ~/oldlists/lists | ||
cp -a archives/private/$bye* ~/oldlists/archives | cp -a archives/private/$bye* ~/oldlists/archives | ||
+ | ls -l data/al* | ||
ls bin | ls bin | ||
bin/rmlist -a $bye | bin/rmlist -a $bye | ||
− | Now it's gone. After a minute or two, Postfix will notice the change and forget about the former list's addresses. | + | ls -l data/al* |
+ | Now it's gone. After a minute or two, Postfix will notice the change and forget about the former list's addresses. You don't have to signal it. | ||
+ | exit | ||
+ | exit | ||
+ | |||
+ | ==password protect a directory on the web server== | ||
+ | Create (-c) a new password file with one username password pair in it. If you're adding a pair to an existing password file, skip the ''-c''. | ||
+ | htpasswd -c -b /home/jims/seekritstuff/.htpasswd-foobar userjoe joesseekritpasswerd | ||
+ | Create a web server config file in the directory you're protecting. If you don't like creating files with cat, use vi or nano. | ||
+ | cd /w/cal/seekritdir | ||
+ | cat <<enuf > .htaccess | ||
+ | AuthUserFile /home/jims/seekritstuff/.htpasswd-foobar | ||
+ | AuthGroupFile /dev/null | ||
+ | AuthName Internal | ||
+ | AuthType Basic | ||
+ | require valid-user | ||
+ | enuf | ||
+ | Hide the password file but make sure the web server can read it. | ||
+ | chmod 640 /home/jims/seekritstuff/.htpasswd-foobar | ||
+ | chmod 644 .htaccess | ||
+ | sudo chgrp www-data /home/jims/seekritstuff/.htpasswd-foobar |
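Review bot: The htpasswd line passes the password as an argument with -b, so it is saved in shell history and is visible in the process list while the command runs; drop -b and let htpasswd prompt for it. Also, chmod 640 runs before "sudo chgrp www-data", so until the chgrp happens the file is readable by whatever group it was created with and not by the web server; run the chgrp first. The section would benefit from a sentence saying that "AuthType Basic" sends the credentials with every request in an easily decoded form, so the directory should only be served over HTTPS.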
Latest revision as of 02:27, 1 June 2011
Here are some things you might have to do on wangari.
Add a new web volunteer for a local
Check ownership of the local's directory. Count the files in the directory, then search for files not belonging to the right group or with inadequate permissions.
    ls -ld /w/cal/contracosta
    find /w/cal/contracosta | wc -l
    find /w/cal/contracosta \! -group contracosta
    find /w/cal/contracosta -type d \! -perm -775 | wc -l
If the '-perm' search gives a non-zero line count, fix the offending plain file or directory. I'll use 'tail' to avoid flooding the terminal if there are hundreds. Use 'wc -l' to count lines instead.
    find /w/cal/contracosta -type d \! -perm -775 | tail
    chmod ug+w,o-w /w/cal/contracosta/foobar.shtml
    chmod ug+w,o-w,a+x,g+s /w/cal/contracosta/foo/bar/baz/
We're setting write for the user and group and clearing it for others. Setting "search" (x) for everyone. Setting "set group-ID". The "set group-ID" bit tells the kernel any new file here must be created with the same user-ID and group-ID as this directory has. It has the effect that three different people creating files in the directory will all be creating files that belong to the "contracosta" group.
Suppose you find dozens of non-conforming files. You can combine the "wrong group" search and the fix:
    # Tests come first and -print0 last: find evaluates left to right,
    # so an action placed before the tests fires for every path.
    find /w/cal/contracosta \! -group contracosta -print0 | xargs -0 -r -n 10 chgrp contracosta
Wrong permissions search+fix. One for dirs and one for plain files:
    find /w/cal/contracosta -type d \! -perm -775 -print0 | xargs -0 -r -n 10 chmod 2775
    find /w/cal/contracosta -type f \! -perm -644 -print0 | xargs -0 -r -n 10 chmod 644
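find evaluates its expression left to right, so the position of -print0 relative to the tests decides which paths reach xargs. The following added example (not part of the wiki page; the function names are hypothetical, and GNU find and xargs are assumed) counts what each ordering emits on a constructed tree, then audits and repairs that tree with the tests placed first.

```bash
#!/bin/bash
# Added example, not from the wiki page; all function names are hypothetical.
# Assumes GNU find and xargs (as on Debian).

# Constructed sample tree: 3 directories and 4 plain files, one of each too strict.
make_sample_tree() {
    local t; t=$(mktemp -d) || return 1
    mkdir -p "$t/ok" "$t/locked"
    touch "$t/a.shtml" "$t/ok/b.shtml" "$t/ok/c.shtml" "$t/locked/d.shtml"
    chmod 775 "$t" "$t/ok"; chmod 700 "$t/locked"
    chmod 644 "$t/a.shtml" "$t/ok/b.shtml" "$t/ok/c.shtml"; chmod 600 "$t/locked/d.shtml"
    echo "$t"
}

count_nul() { tr -cd '\0' | wc -c | tr -d ' '; }   # count NUL-terminated paths

# Action before the tests: -print0 fires for every path, so nothing is filtered.
emitted_print_first() { find "$1" -print0 -type d \! -perm -775 | count_nul; }
# Tests before the action: only directories missing a bit of 775 are emitted.
emitted_tests_first() { find "$1" -type d \! -perm -775 -print0 | count_nul; }

# Report what still needs fixing as "wrong_group bad_dirs bad_files"; changes nothing.
audit_tree() {
    local dir=$1 group=$2
    echo "$(find "$dir" \! -group "$group" -print0 | count_nul)" \
         "$(find "$dir" -type d \! -perm -775 -print0 | count_nul)" \
         "$(find "$dir" -type f \! -perm -644 -print0 | count_nul)"
}

# Repair group and modes. xargs -r runs nothing when no path matched.
fix_tree() {
    local dir=$1 group=$2
    find "$dir" \! -group "$group" -print0 | xargs -0 -r -n 10 chgrp "$group"
    find "$dir" -type d \! -perm -775 -print0 | xargs -0 -r -n 10 chmod 2775
    find "$dir" -type f \! -perm -644 -print0 | xargs -0 -r -n 10 chmod 644
}

# Demo: run with --demo. The group is read from the tree so chgrp has nothing to do.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree); g=$(ls -ldn "$t" | awk '{print $4}')
    echo "print-first emits $(emitted_print_first "$t") paths, tests-first $(emitted_tests_first "$t")"
    echo "before: $(audit_tree "$t" "$g")"
    fix_tree "$t" "$g"
    echo "after:  $(audit_tree "$t" "$g")"
    rm -rf "$t"
fi
```

Running audit_tree before and after any bulk fix on a real directory gives a before/after record without changing anything itself.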
Check new volunteer's groups and add her or him to the right one.
    gpw bert
    gpw bheurer
    gpw contracosta
    adduser bheurer contracosta
Be the mailman user and archive and remove an unwanted mailman list
As root,
    su - list
which gives you a login shell as Mr. list. First remind yourself where Mailman is. Try the tab key instead of asterisk there.
    egrep 'cgi-bin|piperm' /etc/apa*/sites-a*/wa* | grep -v '^#'
Then do stuff. Keep the name of the list in a shell variable to avoid typing it over and over.
    cd /var/lib/mailman
    bye=humboldt-discuss
    file archives/private/$bye*
    cp -a lists/$bye ~/oldlists/lists
    cp -a archives/private/$bye* ~/oldlists/archives
    ls -l data/al*
    ls bin
    bin/rmlist -a $bye
    ls -l data/al*
Now it's gone. After a minute or two, Postfix will notice the change and forget about the former list's addresses. You don't have to signal it.
    exit
    exit
password protect a directory on the web server
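Create (-c) a new password file with one username password pair in it. If you're adding a pair to an existing password file, skip the -c. The -b flag takes the password from the command line, where it ends up in shell history and is visible in the process list; leave -b off and htpasswd prompts for it instead.
    htpasswd -c -b /home/jims/seekritstuff/.htpasswd-foobar userjoe joesseekritpasswerd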
Create a web server config file in the directory you're protecting. If you don't like creating files with cat, use vi or nano.
    cd /w/cal/seekritdir
    cat <<enuf > .htaccess
    AuthUserFile /home/jims/seekritstuff/.htpasswd-foobar
    AuthGroupFile /dev/null
    AuthName Internal
    AuthType Basic
    require valid-user
    enuf
Hide the password file but make sure the web server can read it.
    chmod 640 /home/jims/seekritstuff/.htpasswd-foobar
    chmod 644 .htaccess
    sudo chgrp www-data /home/jims/seekritstuff/.htpasswd-foobar