In one of my previous posts, http://www.binpipe.com/2012/11/restrict-users-to-home-directory-chroot.html , we discussed the steps to chroot a user to her home directory. That requires OpenSSH 5.x or above. Feedback from some readers showed that most people have trouble upgrading to the latest OpenSSH 5.2 on CentOS 5.x, so here are the steps for installing OpenSSH 5.2 on CentOS 5.x.
The CentOS 5.x yum repositories do not offer the latest OpenSSH 5.2, which brings many new features. (The default OpenSSH version in CentOS 5.x is around 4.2.)
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ***** Unused items removed *****
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
# (comment out the two -o lines above if you are not using amavis/spam filtering)
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# ====================================================================
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
# spam/virus section
#
smtp-amavis unix -      -       y       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o receive_override_options=no_header_body_checks
  -o smtpd_bind_address=127.0.0.1
  -o smtpd_helo_required=no
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o disable_vrfy_command=no
  -o strict_rfc821_envelopes=yes
#
# Dovecot LDA
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
#
# Vacation mail
vacation  unix  -       n       n       -       -       pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}
Define the allowed networks (change the networks as required):
/etc/postfix/mynetworks
# This specifies the list of subnets that Postfix considers as
# "trusted" SMTP clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix.
#
# Be sure to add your public ip address block if needed.
#
192.168.0.0/16
10.0.0.0/8
127.0.0.0/8
Add the following files for the Postfix MySQL proxy maps (change user, password and dbname to match your database):
/etc/postfix/mysql-virtual_alias_maps.cf
hosts = localhost
user = root
password = hahaha
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
/etc/postfix/mysql-virtual_domains_maps.cf
hosts = localhost
user = root
password = hahaha
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
/etc/postfix/mysql-relay_domains_maps.cf
hosts = localhost
user = root
password = hahaha
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '1'
/etc/postfix/mysql-virtual_mailbox_maps.cf
hosts = localhost
user = root
password = hahaha
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
hosts = localhost
user = root
password = hahaha
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'
Create the regular expression file and postmap the transport:
1 Spam
# Uncomment if you want trash as well
# 2 Trash
Create a file for the MySQL and Dovecot connection:
/etc/dovecot/dovecot-mysql.conf
driver = mysql
connect = host=localhost dbname=postfix user=admin password=hahaha
default_pass_scheme = MD5-CRYPT
# following should all be on one line.
password_query = SELECT username as user, password, concat('/home/vmail/', maildir) as userdb_home, concat('maildir:/home/vmail/', maildir) as userdb_mail, 101 as userdb_uid, 12 as userdb_gid FROM mailbox WHERE username = '%u' AND active = '1'
# following should all be on one line
user_query = SELECT concat('/home/vmail/', maildir) as home, concat('maildir:/home/vmail/', maildir) as mail, 101 AS uid, 12 AS gid, CONCAT('*:messages=10000:bytes=', quota) as quota_rule FROM mailbox WHERE username = '%u' AND active = '1'
mkdir /home/sieve
vi /home/sieve/globalfilter.sieve
chown -R vmail:mail /home/sieve
require "fileinto";
if exists "X-Spam-Flag" {
  if header :contains "X-Spam-Flag" "NO" {
  } else {
    fileinto "Spam";
    stop;
  }
}
if header :contains "subject" ["***SPAM***"] {
  fileinto "Spam";
  stop;
}
ROUNDCUBE
vi /etc/httpd/conf.d/roundcubemail.conf
Alias /roundcubemail /usr/share/roundcubemail
Alias /webmail /usr/share/roundcubemail
<Directory /usr/share/roundcubemail/>
    Order Deny,Allow
    Allow from all
</Directory>
Setup Database
mysql -u root -p -e "CREATE DATABASE roundcubemail;"
mysql -u admin -p roundcubemail < /usr/share/doc/roundcubemail-0.7.3/SQL/mysql.initial.sql
razor-admin -register -user=some_user -pass=somepas
Update and restart clamav:
freshclam
service clamd restart
Configuring Amavisd-new
vi /etc/amavisd.conf
Here is a list of items you should change; just scroll through the file to find each item.
$mydomain = 'example.com';                   # set to your domain name
$log_level = 1;                              # set the log level to one
$sa_tag_level_deflt = -99;                   # i want to see the headers so change to -99
$sa_tag2_level_deflt = 5.0;                  # start with 5
$sa_kill_level_deflt = 9;                    # change to 9
$sa_dsn_cutoff_level = 9;                    # change to 9
$sa_quarantine_cutoff_level = 50;            # remove the starting # and change to 50
$myhostname = 'lightning.campworld.net';     # remove the starting # and enter your host name
$notify_method = 'smtp:[127.0.0.1]:10025';   # uncomment the line
$forward_method = 'smtp:[127.0.0.1]:10025';  # uncomment the line
$final_banned_destiny = D_DISCARD;           # change to D_DISCARD
Be sure to set amavisd-new to start at boot.
Telling Postfix to Start Filtering SPAM
To get Postfix going we need to uncomment a couple of lines in /etc/postfix/master.cf. Find:
smtp      inet  n       -       n       -       -       smtpd
#  -o content_filter=smtp-amavis:127.0.0.1:10024
#  -o receive_override_options=no_address_mappings
Change to:
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
Restart the services and enable them at boot, and you're done.
service dovecot restart
service postfix restart
service mysql restart
service clamd.amavisd restart
service clamd restart
service amavisd restart
chkconfig <services> on
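As an added check (not part of the original post), the script below parses a master.cf in the layout shown above from a constructed sample embedded inline and verifies the two settings that keep the amavisd-new loop safe: the public smtpd hands mail to smtp-amavis on port 10024, and the 127.0.0.1:10025 re-injection listener has an empty content_filter (otherwise filtered mail is filtered again, forever) and only trusts loopback. The service names, option names and finding texts are this example's own choices.

```python
"""Audit the amavisd-new content-filter loop in a Postfix master.cf."""

# Constructed sample master.cf in the page's layout: one non-indented line
# per service, indented '-o key=value' continuation lines, '#' comments.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
smtp-amavis unix -      -       y       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_bind_address=127.0.0.1
"""


def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "opts": {key: value}}}.

    A definition is one non-indented line of eight fields followed by any
    indented continuation lines; every '-o key=value' pair (the value may be
    empty) is collected into 'opts'. Other continuation text is ignored.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                continue
            tokens = raw.split()
        else:
            fields = raw.split()
            if len(fields) < 8:
                continue  # malformed entry; a fuller audit would report it
            current = {"type": fields[1], "command": fields[7], "opts": {}}
            services[fields[0]] = current
            tokens = fields[8:]
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-o":
                key, _, val = tokens[i + 1].partition("=")
                current["opts"][key] = val
    return services


def audit_amavis_loop(services, filter_target="smtp-amavis:127.0.0.1:10024",
                      reinject="127.0.0.1:10025"):
    """Return a list of findings; an empty list means the loop looks sane."""
    findings = []
    public = services.get("smtp")
    if public is None or public["type"] != "inet":
        findings.append("no public 'smtp inet' service")
    elif public["opts"].get("content_filter") != filter_target:
        findings.append("public smtpd does not hand mail to " + filter_target)
    back = services.get(reinject)
    if back is None:
        findings.append("re-injection listener %s is missing" % reinject)
        return findings
    o = back["opts"]
    if o.get("content_filter", "unset") != "":
        findings.append("re-injection listener re-runs the content filter (mail loop)")
    if not (reinject.startswith("127.0.0.1:") or o.get("smtpd_bind_address") == "127.0.0.1"):
        findings.append("re-injection listener is not bound to loopback")
    if o.get("mynetworks") != "127.0.0.0/8":
        findings.append("re-injection listener trusts more than loopback")
    if not o.get("smtpd_recipient_restrictions", "").startswith("permit_mynetworks"):
        findings.append("re-injection listener does not restrict relaying to mynetworks")
    return findings


def check_sample():
    return audit_amavis_loop(parse_master_cf(SAMPLE_MASTER_CF))


if __name__ == "__main__":
    print("\n".join(check_sample()) or "OK: amavis content-filter loop is consistent")
```

Feed it your own file with `audit_amavis_loop(parse_master_cf(open("/etc/postfix/master.cf").read()))`.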
Hostfile Setup
vi /etc/hosts (on the mail server; replace 192.168.1.140 with your mail server IP)
192.168.1.140 mail.noc.com
vi /etc/hosts (on MyLocalComputer; replace 192.168.1.140 with your mail server IP)
We often need to restrict users to their home directories. Here we discuss an easy way to set up jailed SFTP users on CentOS 5.x. I haven't yet tried this on CentOS 6.0, but it should work there too. The only thing to ensure is that the OpenSSH version is 5.x and not 4.x.
So the most important step is the first one: upgrading OpenSSH to version 5.x. Version 4.x of OpenSSH, which is included in CentOS, is missing the functions needed to "chroot" users (i.e. set their root directory when they log in) so that they can only see files under their virtual root directory. Once upgraded, it's just a few lines of config changes and some basic user setup and you're good to go. Feel free to ask in the comments for help if you get stuck.
Subversion is an open-source version control system. Subversion manages files and directories, and the changes made to them, over time. This allows you to recover older versions of your data, or examine the history of how your data changed.
The installation steps for SVN server with security modules in place are as follows:
# yum install mod_dav_svn subversion
If you don't have Apache installed already, yum will pull it in as a dependency, so there is no need to install Apache separately before Subversion.
Yum will also resolve and install a longer list of packages than the two named above.
First, open /etc/httpd/conf/httpd.conf and at least change the ServerName directive.
# vim /etc/httpd/conf/httpd.conf -- Edit what you need and save the file
# service httpd start
# chkconfig httpd on
Browse to your machine on the network, http://serverIP, and check that you get the Apache test page, which you should.
Subversion's Apache configs
The next step is to setup some settings within Apache so Subversion and Apache play nice together. Get yourself to the example configuration file Subversion installed for you.
# cd /etc/httpd/conf.d/
# vim subversion.conf
# Make sure you uncomment the following if they are commented out
# Add the following to allow a basic authentication and point Apache to where the actual
# repository resides.
<Location /repos>
DAV svn
SVNPath /var/www/svn/repos
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
The Location is the path Apache serves in the URL: for instance, http://yourmachine/repos maps to the SVNPath you specified. My paths are only examples, so feel free to put things where you want. Make sure you save the file when you are finished editing.
Next we have to create the password file you specified in the previous step. For the first user use the -cm arguments: -c creates the file and -m hashes the password with MD5. For further users use only the -m flag, not -c, since -c would recreate the file and discard the existing entries.
# htpasswd -cm /etc/svn-auth-conf yourusername
New password:
Re-type new password:
Adding password for user yourusername
# htpasswd -m /etc/svn-auth-conf anotherusername
New password:
Re-type new password:
Adding password for user anotherusername
Configure your repository
The next thing you need to do is to create the actual repository from which you will check in and out your files. This is simple to do with some of the included svn tools.
# cd /var/www/ -- Or wherever you placed your path above
# mkdir svn
# cd svn
# svnadmin create repos
# chown -R apache.apache repos
# service httpd restart
Go and test whether you can access your repository from a web browser: http://yourmachine/repos. You should get a popup box asking for a username and password. If so, type in your credentials and you should see a "Revision 0: /" page. That's it for setting up a repo. If you want multiple repos, check out the docs from the links provided above. This sets up one repository and shows you how to start using it. Speaking of which, let's move on to just that.
Using Subversion
Layout the Repo
If all went well above, you're now ready to start using the repository that you created. Subversion's svn tool is the command line client that you will use to talk to the database. To see the usage of the tool:
# svn --help
The most common arguments you will most likely be using are: svn import, svn commit (ci), and svn checkout (co). With these you will initially import files into your repository with import, you'll check them out to work on them with checkout, and you'll commit the changes back into the database with commit. It's pretty simple once you see them in use a few times.
Almost all of the documentation talks about creating a certain layout for your directories. It specifically recommends having branches, tags, and trunk directories underneath the root directory structure, where trunk holds all your files. For instance:
.
|-- project1
|   |-- branches
|   |-- tags
|   `-- trunk
`-- project2
    |-- branches
    |-- tags
    `-- trunk
As an example, I'm going to just create some dummy directories and throw some files in them. This is from the actual SVN server.
# cd /tmp
# mkdir mytestproj
# cd mytestproj
# mkdir configurations options main
# vim configurations/testconf1.cfg -- Add whatever you want to these files.
# vim options/testopts1.cfg
# vim main/mainfile1.cfg
Keep in mind that you can lay things out any way you'd like. Once you have the initial layout you want, let's go ahead and import it into Subversion.
Now, just to check it across the web browser: http://serverIP/repos. Whatever you have imported will show up to peruse. Once you have uploaded your original layout from the local SVN server, you're free to use it remotely from another machine, as long as you connect to the Subversion server with one of the user accounts you created earlier. Let's give it a shot.
As you can see, you've checked out revision 1 from the Subversion server. Now you can edit some things and commit the changes back to the Subversion server.
# cd mytestproj
# vim configurations/testconf1.cfg -- Add or delete something and save.
# svn commit -m "Added a line to testconf1.cfg."
Sending        configurations/testconf1.cfg
Transmitting file data .
Committed revision 2.
The nice thing about this is that you can now delete all of the directories you just checked out on your machine. The only reason you checked them out was to edit them and then send the changes back up the line. Browse to your server to look at the different files.
Adding/Deleting Items
Now this is all fine and dandy, but how do you add more files to an already existing repo directory? Easy, with the add argument. Go ahead and check out your latest and greatest, copy a file over to a directory, add it, then commit the changes.
To delete items simply use delete instead of add. Commit your changes back up and you're good to go. It's as simple as that. Go back to your web browser again and you'll notice the revision number should say 3. You'll be able to click through the files to pick out your differences as well.
Reverting Back
OK, this is all great, but how do I revert to an older revision? Isn't that the point of Subversion? Yep, it's easy. If you're not sure what revision you're at, check out the log command. This is why you put a message in every commit: short and to the point, but enough information to ring a bell about something you may have forgotten.
You'll get a nice complete list of revision numbers along with the comments, like I mentioned above. This allows you to pick which revision you want to check back out now.
Usually, you don't want to give every user access to every repository. You can restrict repository access per user by using ACLs. ACLs can be enabled with the AuthzSVNAccessFile file option, which takes a file name as its parameter. For instance:
AuthzSVNAccessFile /etc/svn-acl-conf
You can add this to the relevant Location section:
<Location /repos>
DAV svn
SVNParentPath /var/www/svn/repos
AuthzSVNAccessFile /etc/svn-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
You can then create /etc/svn-acl-conf. This file consists of sections of the following form:
[reponame:repopath]
user = access
Where access can be r (read), rw (read-write), or empty (no access at all). The default ACL is to give users no access to a repository. Suppose that there is a repository named framework to which you would like to give john read access, and joe read and write access. You could then add the following section:
[framework:/]
john = r
joe = rw
It is also possible to define groups in a section named groups; groups are then referenced with an 'at' sign (@) prefix in the access control lists. For instance:
[groups]
staff = joe, george
[framework:/]
john = r
@staff = rw
If you would like to make all repositories readable to all users, you can add a section for the root directory of every repository:
[/]
* = r
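To see how these rules combine, here is an added example (not from the original post, nor Subversion's own code) that evaluates a small access file in Python. It uses the page's groups, [/] and [framework:/] sections and adds one per-path section, [framework:/secrets], that blocks everyone except @staff. It assumes default deny, that the most specific matching path wins with a repository-specific section checked before the generic one, and that the rights of all rules matching the user within one section are combined; nested groups and aliases are not modelled.

```python
import configparser

# Constructed access file in the format described above.
SAMPLE_ACL = """\
[groups]
staff = joe, george

[/]
* = r

[framework:/]
john = r
@staff = rw

[framework:/secrets]
* =
@staff = rw
"""


def load_acl(text):
    """Parse the file into (groups, rules); rules maps (repo or None, path)
    to the [(principal, rights)] pairs of that section, in file order."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep '*' and '@staff' exactly as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        groups = {g: {m.strip() for m in members.split(",")}
                  for g, members in cp["groups"].items()}
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        repo, sep, path = section.partition(":")
        if not sep:               # "[/path]" applies to every repository
            repo, path = None, section
        rules[(repo, path.rstrip("/") or "/")] = list(cp[section].items())
    return groups, rules


def principal_matches(principal, user, groups):
    """'*' matches everyone, '@name' matches group members, else exact user."""
    if principal == "*":
        return True
    if principal.startswith("@"):
        return user in groups.get(principal[1:], set())
    return principal == user


def access_for(acl, user, repo, path):
    """Return '', 'r' or 'rw' for user on repo:path (default is no access)."""
    groups, rules = acl
    p = "/" + path.strip("/")
    while True:  # walk from the requested path up to '/', most specific first
        # A repository-specific section beats the generic one for the same path.
        for key in ((repo, p), (None, p)):
            if key not in rules:
                continue
            matched = [v for k, v in rules[key]
                       if principal_matches(k, user, groups)]
            if matched:  # the first section that mentions this user decides
                rights = set("".join(matched))
                return "".join(c for c in "rw" if c in rights)
        if p == "/":
            return ""
        p = p.rsplit("/", 1)[0] or "/"


ACL = load_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for user in ("john", "joe", "anna"):
        for target in (("framework", "/"), ("framework", "/secrets/key.pem"),
                       ("other", "/docs")):
            print(user, target, repr(access_for(ACL, user, *target)))
```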
Finally, to make things work properly throughout the network we have to set up iptables as below:
# Generated by iptables-save v1.3.5 on Sun Mar 11 10:11:08 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [241701:28893896]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 10.173.20.0/255.255.255.0 -d 10.173.20.60 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Download and install TortoiseSVN; after a restart (bummer) we are ready to start working!
The Tortoise SVN adds its functionality in the Windows Explorer Context Menu.
Verifying the connection to the SVN Server
Before we start working we have to verify the connection to the SVN server. Right click on any folder in Windows Explorer and select TortoiseSVN -> Repo-browser.
You will be asked for a path to the repository; enter file:///C:/<the location of the repositories>/<the repository name you selected>. In my case I will enter:
If you got this it means that you can connect to the SVN Server.
If you are trying to connect to a remote server you will have to enter the following when asked for the URL of the repository:
https://<The ip of the Server>/svn/<The Repository Name>
You should get the same results.
Getting the files from the repository
To get the files from the repository we created earlier (in the previous article) we will have to create a new folder, which I presume everyone knows how to do :).
After you have created the folder, right click on it and select the "SVN Checkout…" option from the context menu. You will see the following screen:
If you followed all the steps the address of the repository should be already written here. All you have to do is click "OK"
This means we have checked out the files successfully and we can start working!
The directory should look like this:
The green check marks mean that nothing has changed inside the directory. Let's add a new file to the trunk (main branch) directory. We will then right click on trunk and select "Commit".
The SVN Server has detected that you have added a new file and you will have to check the Checkbox next to it in order for it to be inserted to the repository.
Let's try to edit the file and add some text to it. Both the file and the directory will get a red exclamation mark saying they have been changed:
To send the Changes to the Server you can right click any of them and select "SVN Commit…" from the context menu. Doing it on the Folder will make the Commit recursive to all the files inside it.
SUBVERSION COMMANDS SUMMARY
The following part of the document is an excerpt from the SVN command-line guide, which will help command-line users take care of SVN related activities:
1.) Checkout the code and do an update in case of any changes made since your last update (We assume that you are using apache dav server to access your code and not svnserve):
$svn update                         (update from the current directory)
$svn update -r BASE server_code     (update server_code to its BASE revision)
$svn update -r 1200 server_code     (update server_code to revision 1200)
2.) Make changes:
$svn add                                    eg: svn add new_directory (add a new directory)
$svn delete
$svn copy directory1 directory2             (copy directory1 to directory2)
$svn move directory2 renamed_directory      (rename)
3.) Examine your changes (Can be done even with no network access to the subversion repository):
$svn status     (to get an overview of all your changes), eg:
A       stuff/loot/bloo.h     # file is scheduled for addition
C       stuff/loot/lump.c     # file has textual conflicts from an update
D       stuff/fish.c          # file is scheduled for deletion
M       bar.c                 # the content in bar.c has local modifications
$svn diff (to show changes between current working directory and the same directory in the repository)
4.) Possibly undo some changes (Can also be done even with no network access to the subversion repository):
$svn revert
After running svn revert as a way to resolve a local conflict with the repository copy, run:
$svn resolve
to inform svn that the conflict has been resolved. You will now be able to run svn update successfully where there were previous conflicts.
5.) Resolve Conflicts (Merge Others’ Changes):
$svn update
$svn resolved
6.) Commit your changes:
$svn commit
eg:
$svn commit -m "Removed out of mem errors."
or
$svn commit -F comment.txt
or
$svn commit --file comment.txt
6. Logs:
$svn log                    (use the current working directory as the default target)
$svn log server_code        (show the log for the file or directory server_code)
$svn log -r 5:19            (shows logs 5 through 19 in chronological order)
$svn log -r 19:5            (shows logs 5 through 19 in reverse order)
$svn log -r 8               (shows the log for revision 8 of the working directory)
$svn log -r 8 -v            (shows a verbose log for revision 8, including the changed paths)
7. Diffs (Changes):
$svn diff
$svn diff -r 3 rules.txt        (or svn diff --revision 3 rules.txt: compares your working copy with revision 3)
$svn diff -r 2:3 rules.txt      (revisions 2 and 3 are directly compared)
$svn diff -c 3 rules.txt        (shows the change made in revision 3, i.e. revision 2 compared with revision 3)
8. Browse a file directly:
svn cat -r 2 rules.txt
svn cat -r 2 rules.txt > rules.txt.v2      (send the cat output directly to a file)
$svn checkout -r 1729       (checks out a new working copy at r1729)
$svn update -r 1729         (updates an existing working copy to r1729)
11. If you’re building a release and wish to bundle up your files from Subversion but don’t want those pesky .svn directories in the way, then you can use svn export to create a local copy of all or part of your repository sans .svn directories. As with svn update and svn checkout, you can also pass the – -revision switch to svn export:
12. Cleanup if a Subversion operation is interrupted (if the process is killed, or if the machine crashes, for example), the log files remain on disk. By re-executing the log files, Subversion can complete the previously started operation, and your working copy can get itself back into a consistent state.
$svn cleanup
13. Revision specifiers:
HEAD: The latest (or "youngest") revision in the repository.
BASE: The revision number of an item in a working copy. If the item has been locally modified, the "BASE version" refers to the way the item appears without those local modifications.
COMMITTED: The most recent revision prior to, or equal to, BASE, in which an item changed.
PREV: The revision immediately before the last revision in which an item changed. Technically, this boils down to COMMITTED-1.
$svn diff -r PREV:COMMITTED main.c (shows the last change committed to main.c)
$svn log -r HEAD (shows log message for the latest repository commit)
$svn diff -r HEAD (compares your working copy with all of its local changes to the latest version of that tree in the repository)
$svn diff -r BASE:HEAD main.c (compares the unmodified version of main.c with the latest version of main.c in the repository)
$svn log -r BASE:HEAD (shows all commit logs for the current versioned directory since you last updated)
$svn update -r PREV main.c (rewinds the last change on main.c, decreasing main.c's working revision)
$svn diff -r BASE:14 main.c (compares the unmodified version of main.c with the way main.c looked in revision 14)
$svn propset copyright '(c) 2006 Red-Bean Software' calc/button.c
property 'copyright' set on 'calc/button.c'
$svn propset license -F /path/to/LICENSE calc/button.c
property 'license' set on 'calc/button.c'
$svn propedit copyright calc/button.c
No changes to property 'copyright' on 'calc/button.c'
$svn propset copyright '(c) 2006 Red-Bean Software' calc/*
property 'copyright' set on 'calc/Makefile'
property 'copyright' set on 'calc/button.c'
property 'copyright' set on 'calc/integer.c'
$svn proplist calc/button.c
Properties on 'calc/button.c':
  copyright
  license
$svn checkout http://svn.example.com/repos/calc bigwc
A    bigwc/trunk/
A    bigwc/trunk/Makefile
A    bigwc/trunk/integer.c
A    bigwc/trunk/button.c
A    bigwc/branches/
Checked out revision 340.
Now create the branch;
$cd bigwc
$svn copy trunk branches/my-calc-branch
$svn status
A  +   branches/my-calc-branch
$svn commit -m "Creating a private branch of /calc/trunk."
Adding         branches/my-calc-branch
Committed revision 341.
You can do all the above in one step (Recommended way):
$svn merge --dry-run -c 344 http://svn.example.com/repos/calc/trunk
U    integer.c
(--dry-run is written with a double dash and no space; WordPress munges two dashes into one when they are put together.)
$svn status (nothing printed, working copy is still unchanged)