Access Control Lists – part 1 –

Access Control Lists (ACLs) in Linux provide an additional level of security. Traditionally we have permissions for the owner, the group and all other users on a given resource; but what about giving the same permissions as the owner to one additional user?
Normally this is done by adding the user to the group set on that file or folder, or by giving more permissions to all other users; of course the second choice is not recommended for security reasons.

ACLs answer precisely this need: they give additional privileges to specific users without adding them to the owner's group (which would also grant privileges on every other resource that group can access) and without giving more permissions to others.

So an Access Control List gives a system administrator more granular control over user permissions than the classic all-or-nothing approach.

Some usage examples:

1) We want an application to write to a subfolder of a user's home, but without adding the application user ID to the user's group or loosening the permissions for others.

2) A team needs to copy some data to a subfolder of root's home and we don't want to add them to the root group or, worse, give them the root password.

3) There are several users belonging to a group who work on a common folder; however we want a specific subfolder in it to be writable and executable only by one specific user, not by all users in that group.

4) We have a database folder containing personal data and we want to grant read and execute permissions to someone in the application team, while revoking all permissions for others. We also want to decouple the privileges of the application's functional ID from the privileges of the user, which means we won't add the user to the same group as the application.
Then we will add a further ACL, with full permissions on the same resources, for a user in the application team.

In the above examples we can also make use of groups, as with ACL we can grant additional groups permissions as well.
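As an added example that is not part of the original post, the script below applies scenario 3 with setfacl/getfacl: a group shared folder whose "private" subfolder stays writable only for one named user. It assumes the acl package is installed, the file system is mounted with ACL support, and the user in ACL_USER (default: the current user) exists.

```shell
#!/bin/sh
# Added example (not from the original post) for scenario 3 above: a group
# shared folder whose "private" subfolder is writable only by one named user.
# Assumes the acl package (setfacl/getfacl) is installed, the file system is
# mounted with ACL support, and the user in ACL_USER exists (default: you).
set -eu

ACL_USER="${ACL_USER:-$(id -un)}"   # hypothetical beneficiary of the extra rights

# Build the folder tree, apply the ACLs and print the resulting entries.
# Returns 0 when the named user has rwx and "other" has nothing, 1 otherwise;
# also returns 0 (after a notice) if ACL tooling or support is missing.
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed"; return 0; }
    base=$(mktemp -d)
    priv="$base/shared/private"
    mkdir -p "$priv"
    chmod 2770 "$base/shared"     # classic bits: the group works here, nobody else
    chmod 750  "$priv"            # group may enter and list, but not write
    if ! setfacl -m "u:$ACL_USER:rwx" "$priv" 2>/dev/null; then
        echo "this file system does not support ACLs"; rm -rf "$base"; return 0
    fi
    # The mask caps every named-user and group entry; a mask of r-x would
    # silently reduce the rwx grant above to r-x, so set it explicitly.
    setfacl -m "m::rwx" "$priv"
    # Default ACL: files and folders created inside inherit the grant.
    setfacl -d -m "u:$ACL_USER:rwx" "$priv"
    acl=$(getfacl --absolute-names "$priv" 2>/dev/null)
    echo "$acl"
    rm -rf "$base"
    printf '%s\n' "$acl" | grep -q "^user:$ACL_USER:rwx$" || return 1
    printf '%s\n' "$acl" | grep -q "^group::r-x$" || return 1
    printf '%s\n' "$acl" | grep -q "^other::---$" || return 1
}

acl_demo
```

The getfacl output is the check worth keeping in change tickets: a named entry followed by "#effective:" means the mask is cutting the grant down.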

Short guide on how to manually install Apache HTTP 2.4.x in CentOS 6.x

Reason: version 2.4.x is only available in the CentOS 7 repositories.
So if we are using CentOS 6.8 we need to compile from source! This is sometimes necessary as CentOS is a conservative distribution that generally does not carry the latest version of a piece of software.

In this case the chosen version will be the Apache HTTP 2.4.25.

FIRST OF ALL SOME WARNINGS!!
I'm not responsible for any damage that you might incur while or after following this tutorial; as usual I strongly recommend making a backup before proceeding. So please take a system snapshot or at least make a copy of the current Apache HTTPD configuration files and of the related installation folder tree.
Also I'm not responsible for the information provided on the external websites linked here.
Use these instructions at your own risk!

The symbol # means the command must be run as root.
We will consider the working directory to be /root/apache.
So we create that path and chdir to it:
# mkdir -p /root/apache && cd /root/apache

Then we need to download apr and apr-util.

For more info on the “Apache Portable Runtime Library” please consult the website http://apr.apache.org/

#wget https://archive.apache.org/dist/apr/apr-1.4.2.tar.bz2
#wget https://archive.apache.org/dist/apr/apr-util-1.4.1.tar.gz

And most importantly we need to download Apache HTTP 2.4.25

#wget http://mirror.hosting90.cz/apache//httpd/httpd-2.4.25.tar.bz2

Newer versions of these sources might require updating the C runtime library, which slightly complicates the process and requires a system reboot. In fact, to be able to compile Apache HTTP 2.4.25 we need apr and apr-util at least in version 1.4.0, and unfortunately they are not in the (default) repositories of CentOS 6.8-7.

We extract all archives:

tar -xjvf httpd-2.4.25.tar.bz2
tar -xjvf apr-1.4.2.tar.bz2
tar -xzvf apr-util-1.4.1.tar.gz

Move the extracted apr folders into the httpd source tree:
mv apr-1.4.2 httpd-2.4.25/srclib && mv apr-util-1.4.1 httpd-2.4.25/srclib

And we create some symbolic links before moving to the correct folder.

cd /root/apache/httpd-2.4.25/srclib
ln -s apr-util-1.4.1 apr-util
ln -s apr-1.4.2 apr
cd ..

We might also need to install required libraries, for example the packages containing the Perl Compatible Regular Expression library:
pcre-7.8-7.el6.x86_64
pcre-devel-7.8-7.el6.x86_64

# yum install -y pcre pcre-devel

We also need openssl and openssl-devel installed and up to date, otherwise the configure "pre-check" will fail.

After that we are ready to compile, specifying /usr/local/apache2.4.25 as our installation path.
What we want is to install all configuration files, libraries, modules and binaries under this path. This comes in handy if we want to run another version or back up/remove this one.

So we chdir to /root/apache/httpd-2.4.25 and run (chained with && so that a failed configure does not go on to build or install):

./configure --prefix=/usr/local/apache2.4.25 --exec-prefix=/usr/local/apache2.4.25 --enable-ssl --enable-so --with-included-apr && make && make install

This will take some minutes depending on the system…

After the build process has succeeded we check that the libraries have been copied from /root/apache/httpd-2.4.25/srclib/ to /usr/local/apache2.4.25/lib.

Afterwards we can create a SysV init script in /etc/init.d called "httpd-2.4.25" or whatever we like. Note that in CentOS 6.x systemd is not yet the default init system.

Now before starting the web server, if we have the configuration files from a previous 2.2.x version, we need to make some modifications as there are changes in several Apache directives in the 2.4 version. These are described in the sites below:

https://www.digitalocean.com/community/tutorials/migrating-your-apache-configuration-from-2-2-to-2-4-syntax
https://httpd.apache.org/docs/2.4/upgrading.html

Note that if you want to run two different versions of the Apache web server, at least for a while, you not only need to specify a different HTTP or HTTPS port but also change the PID file, otherwise the new version will refuse to start, stating that it is already running.

The directive to change (in the httpd.conf file) is PidFile, for instance:
PidFile /var/run/httpd2.4.25.pid
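As an added example that is not part of the original post, the script below checks the two conditions just described before a second build is started alongside the old one: it compares two httpd.conf files and reports any Listen port or PidFile they have in common. The config file names and paths are assumptions, and the sample configs are constructed inline.

```shell
#!/bin/sh
# Added example (not part of the original post): before starting a second
# httpd build next to the existing one, compare the two httpd.conf files and
# refuse if they share a Listen port or a PidFile. File paths are assumptions.
set -eu

# Print "port N" for every Listen directive and "pidfile PATH" for PidFile.
# Listen may read "Listen 80", "Listen 0.0.0.0:8080" or "Listen [::]:443 https";
# the port is whatever follows the last colon.
conf_endpoints() {
    awk '
        /^[[:space:]]*Listen[[:space:]]/  { v = $2; sub(/^.*:/, "", v); print "port " v }
        /^[[:space:]]*PidFile[[:space:]]/ { print "pidfile " $2 }
    ' "$1" | sort -u
}

# Return 1 (and list the clashes) if the two configs share a port or PidFile.
# A config with no PidFile line uses logs/httpd.pid under its own ServerRoot,
# which differs between prefixes and is therefore not reported here.
httpd_conf_conflicts() {
    clashes=$( { conf_endpoints "$1"; conf_endpoints "$2"; } | sort | uniq -d )
    if [ -n "$clashes" ]; then
        printf 'conflict between %s and %s:\n%s\n' "$1" "$2" "$clashes"
        return 1
    fi
    echo "no port or PidFile conflicts"
}

# Constructed sample configs: an existing 2.2 on 80/443 and two candidate
# configs for the new 2.4.25 build, one separated correctly and one not.
write_sample_confs() {
    printf 'Listen 80\nListen 443 https\nPidFile /var/run/httpd.pid\n' > "$1/httpd-2.2.conf"
    printf 'Listen 8080\nListen [::]:8443 https\nPidFile /var/run/httpd2.4.25.pid\n' > "$1/httpd-2.4.25-ok.conf"
    printf 'Listen 0.0.0.0:80\nPidFile /var/run/httpd.pid\n' > "$1/httpd-2.4.25-bad.conf"
}

dir=$(mktemp -d)
write_sample_confs "$dir"
httpd_conf_conflicts "$dir/httpd-2.2.conf" "$dir/httpd-2.4.25-ok.conf"
httpd_conf_conflicts "$dir/httpd-2.2.conf" "$dir/httpd-2.4.25-bad.conf" || true
rm -rf "$dir"
```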

That's it! I hope you have found it useful.

References

How to Install Apache 2.4.2 from Source on CentOS 6.2 with SSL
https://www.digitalocean.com/community/tutorials/migrating-your-apache-configuration-from-2-2-to-2-4-syntax
https://wiki.apache.org/httpd/RewriteLog
https://httpd.apache.org/docs/2.4/upgrading.html

Transferring Data with BBCP

Rsync is a well-known utility for synchronizing data between two nodes, or even between two folders on the same system, and of course it is also used for backups. Its main peculiarity is that it sends only incremental changes: for instance, if the connection drops while you are using classic FTP you typically have to re-send the entire folder or file, but with rsync you simply re-run it and it picks up from where it left off.

However rsync is not so good if you want speed, and it has no multithreaded capability; so if you have GBs or even 1 TB of data to transfer it can be quite slow in the end.
To overcome these drawbacks you can use BBCP, a point-to-point network utility written by Andy Hanushevsky at SLAC with the goal of getting close to line speed over a LAN or WAN connection.

You don’t need any server listening or any SSH daemon, but you have to make sure bbcp is installed and in the PATH in BOTH systems.

Assuming git is installed, these are the steps to install it (on Linux):

$ git clone http://www.slac.stanford.edu/~abh/bbcp/bbcp.git
$ cd bbcp/src
$ make

The pre-requisites are:

GNU C++ compiler
Zlib library
Pthreads library
Some examples of usage are:

bbcp -P 2 -V -w 8m -s 16 /local/path/bigfile.tar remotesystem:/remote/path/bigfile.tar

-V verbose output
-P 2 display progress every two seconds
-s 16 create 16 parallel network streams (or threads)
-w 8m set the size of the disk input/output (I/O) buffers to 8 MB
To transfer a directory just use the -r option (it stands for recursive of course).

bbcp -r -P 2 -V -w 8m -s 16 /local/path/* remotesystem:/remote/path

To resume files in case of a lost connection add the -a and -k switches.

bbcp -r -k -a -P 2 -V -w 8m -s 16 /local/path/* remotesystem:/remote/path

If a firewall is blocking the communication between source and destination, use the -z option.

bbcp -P 2 -V -w 8m -a -k -z -s 16 /local/path/bigfile.tar remotesystem:/remote/path/bigfile.tar
I have tested BBCP only on Linux, but it should be possible to compile and install it on all major UNIX systems. The Windows platform is not supported.

Resources:
http://www.slac.stanford.edu/~abh/bbcp/
http://pcbunn.cithep.caltech.edu/bbcp/using_bbcp.htm
https://www.olcf.ornl.gov/kb_articles/transferring-data-with-bbcp/