Thursday, 19 April 2012

Centos 5 post install config including locale info

OS check

First thing is to confirm what OS we're using. We know we should be using CentOS but let's see:
cat /etc/redhat-release
You should get an output similar to this:
CentOS release 5.5 (Final)
Good.

Using free

Memory usage should be very low at this point, but let's check using 'free -m' (the -m option displays the result in MB, which I find easier to read):
free -m
It's nice to know what is going on so let's look at that output:
                   total       used       free     shared    buffers     cached
Mem:                 254         55        199          0          2         21
-/+ buffers/cache:                30        223
Swap:                511          0        511
The line to take notice of is the second one as the first line includes cached memory - in this demo slice I have 254MB memory in total with 30MB actually used, 223MB free and no swap used. Nice.

.bashrc

Normally the "ls" command doesn't list files that start with a period. Those are usually configuration files or directories, and ls hides them so they don't clutter up your directory view. To see all of what's there, run:
ls -a ~
The "-a" option is what tells ls to list all files, not just the non-configuration files.
You'll see several files, but let's focus on ".bashrc" right now. This is ultimately where your user environment (the "shell") will look for its settings. Go ahead and open it for editing:
nano ~/.bashrc
Inside you'll see a lot of shell script commands; don't worry if you don't understand it all. Anything we add at the end of the file will override what came before. If you want to, say, change your prompt, you don't need to work out what all the default "if" statements are for or which line to edit. You can just add your own setting at the end.

Custom prompt

With that in mind, let's look at how to change your prompt. At its simplest, the prompt's format is set with the "PS1" environment variable. It consists of some numbers that determine color and some codes that act as stand-ins for variables like the current working directory and your hostname. To set your prompt to just your hostname and working directory, both in different colors, you could add this line to the end of the .bashrc file:
PS1='\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '
The chunks like "0;35m" and "0;33m" are what control the colors - those are pink and brown, for example. Other colors you can substitute include "0;32m" for green and "0;36m" for blue — it's just a matter of changing those numbers.
Other important parts of that jumbled collection of characters are "\h" and "\w", which represent the hostname and working directory, respectively. If you wanted to include your username in the prompt you could add the "\u" code along with an "@" symbol, and it would look like this:
PS1='\[\033[0;35m\]\u@\h\[\033[0;33m\] \w\[\033[00m\]: '
Before we see what that will look like, however, let's also look at another useful feature of your shell, aliases.

Alias

The "alias" keyword lets you set a shortcut for another command. Some examples to get you started, which can be added to the end of your .bashrc file:
alias free="free -m"
alias update="sudo yum update"
alias install="sudo yum install"
alias upgrade="sudo yum upgrade"
alias remove="sudo yum remove"
They're pretty simple examples, and are just meant to save you a little typing. Notice that you can essentially replace a command with an alias, like we did by setting the alias "free" to be a shortcut for "free -m". With that alias set, when you type "free" on the command line, behind the scenes the shell actually runs "free -m", so you don't have to type the extra characters to get the memory usage numbers in megabytes.
Similarly, those other aliases are shorthand for some yum commands to update or install packages. Since "sudo" is run behind the scenes you'll still have to type your password, but at least before that you won't have to type as much to run an update or install a package.
To activate the changes you've made to the .bashrc file, either log out and log back in or enter this command:
source ~/.bashrc
If you set a value for "PS1" above, you'll see your prompt change. Feel free to go back and change the colors or format of the prompt, or add your own aliases.

Set locale

You can check the current locale setting for your slice by running:
/usr/bin/locale
If the code doesn't match what it should be for the localization you would like to use for your slice (or if it uses a generic locale like 'POSIX'), run something like the following commands:
sudo /usr/bin/localedef -i en_US -f UTF-8 en_US.UTF-8
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
'Something like' because you may want to use a locale other than US English. If so, substitute the language code for 'en' and the region code for 'US' above. The locale code 'cy_GB' would designate Welsh for the language and Great Britain for the region, for example. 
Note that if you need another character set (we recommend UTF-8), you can change that as well.
Now that you've made those changes, type 'locale' again to make sure those are the language and region settings you want. If everything looks good, you need to make one more change to ensure that those locale settings will be automatically applied for all users. Run:
sudo nano /etc/sysconfig/i18n
Note that 'i18n' is shorthand for 'internationalization' (since there are 18 letters between the 'i' and the 'n'). Just so you know why that configuration file has such an odd name.
Change the LANG entry in that file, and add a line for LC_ALL, like you did with the 'export' commands above (but without the export). So when you're done, the two lines for your locale might look like:
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
You might want to test to be sure the locale settings are properly set up by logging out and logging back in, then running 'locale' to check the output.

Package repositories

A CentOS Slice comes with a basic set of repositories.
Have a look at the enabled repositories by running:
sudo yum repolist enabled
Each repository listed should include a brief description and the number of packages available from that source.
If you'd like to have a look at the configuration files that point to each repository, they're stored in this directory:
/etc/yum.repos.d
If you look through one of the files there, you will see each repository has a set of definitions including which mirror to use and what gpg key to use (and actually whether to check the package signature at all).
You can, of course, add more repositories whenever you want to but I would just give a word of caution: Some of the available repositories are not officially supported and may not receive any security updates should a flaw be discovered.
Keep in mind it is a server we are building and security and stability are paramount.
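Since the .repo files decide whether a package signature is checked at all, it is worth auditing them. The following is an added example (not from the original post) that lists every enabled repository whose gpgcheck is off; the demo function runs it over a constructed .repo file, and on a real box you would run unsigned_repos /etc/yum.repos.d/*.repo instead.

```shell
# Added example, not from the original post: list yum repositories that are
# enabled but do not verify package signatures (gpgcheck=0). Real usage:
#   unsigned_repos /etc/yum.repos.d/*.repo
# The demo below uses a constructed .repo file instead of the real directory.

# Print the name of every [section] that is enabled and has gpgcheck=0.
# A missing "enabled" line counts as enabled and a missing "gpgcheck" line
# as unchecked, which is the conservative reading of yum's defaults.
unsigned_repos() {
    awk '
        function flush() { if (name != "" && enabled == 1 && gpgcheck == 0) print name }
        /^\[.*\]$/ {
            flush()
            name = substr($0, 2, length($0) - 2); enabled = 1; gpgcheck = 0
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/  { split($0, kv, "="); enabled  = kv[2] + 0 }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { split($0, kv, "="); gpgcheck = kv[2] + 0 }
        END { flush() }
    ' "$@"
}

# Demo on a constructed repo file: only "thirdparty" should be reported.
demo_unsigned_repos() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[base]
name=CentOS-5 - Base
mirrorlist=http://mirrorlist.centos.org/?release=5&arch=i386&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[thirdparty]
name=Unsupported third-party packages (constructed example)
baseurl=http://repo.example.invalid/centos/5/
enabled=1
gpgcheck=0

[oldextras]
name=Disabled, so it is not reported even though gpgcheck is off
baseurl=http://repo.example.invalid/extras/
enabled=0
gpgcheck=0
EOF
    unsigned_repos "$tmp"
    rm -f "$tmp"
}
```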

Update

Now we can update the package list that yum uses.
The following command will also offer to install any updated packages. As with all installs, have a careful look at the list and, once you're happy, press 'y' to continue:
sudo yum update
NOTE: If you have used the .bashrc aliases shown above you just need to enter 'update' as the alias will use the entire command. I've put the whole thing here so you know what is happening.
That's really the basics done for the Slice.
Once any updates have been installed, we can move on to installing some essential packages.

Development Tools

CentOS has some handy meta-packages that include sets of pre-defined programs required for a single purpose.
So instead of installing a dozen different package names, you can install just one meta-package. One such package is called 'Development Tools'. Issue the command:
sudo yum groupinstall 'Development Tools'
Notice the programs that are to be installed include gcc, make, patch and so on. All these are needed for many other programs to install properly. A neat system indeed.
Enter 'y' and install them.
Now we have the necessary packages should we want to build an application from source.
Thursday, 12 April 2012

lock a user to chroot directory

To lock users to their home directories in Linux, I've used the following:

Created the chrooted jail as follows:

# mkdir -p /users/{dev,etc,lib,usr,bin}
# mkdir -p /users/usr/bin
# mkdir -p /users/usr/libexec/openssh


Create /users/dev/null:
# mknod -m 666 /users/dev/null c 1 3
Copy the required /etc/ configuration files to your jail directory /users/etc:
# cd /users/etc
# cp /etc/ld.so.cache .
# cp -avr /etc/ld.so.conf.d/ .
# cp /etc/ld.so.conf .
# cp /etc/nsswitch.conf .
# cp /etc/passwd .
# cp /etc/group .
# cp /etc/hosts .
# cp /etc/resolv.conf .

Open /users/etc/group and /users/etc/passwd and remove root and all other accounts.
Copy the required binary files to your jail directory /users/bin and the other locations:
# cd /users/usr/bin
# cp /usr/bin/scp .
# cp /usr/bin/rssh .
# cp /usr/bin/sftp .
# cd /users/usr/libexec/openssh/
# cp /usr/libexec/openssh/sftp-server .

OR
# cp /usr/lib/openssh/sftp-server .
# cd /users/usr/libexec/
# cp /usr/libexec/rssh_chroot_helper .

OR
# cp /usr/lib/rssh/rssh_chroot_helper .
# cd /users/bin/
# cp /bin/sh .

OR
# cp /bin/bash .

Copy all shared library files

The library files that any of these binary files need can be found by using the ldd / strace command. For example, running ldd against /usr/bin/sftp provides the following output:
ldd /usr/bin/sftp
Output:
        linux-gate.so.1 =>  (0x00456000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x0050e000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x0013e000)
        libutil.so.1 => /lib/libutil.so.1 (0x008ba000)
        libz.so.1 => /usr/lib/libz.so.1 (0x00110000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x0080e000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00a8c000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00656000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00271000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00304000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00777000)
        libdl.so.2 => /lib/libdl.so.2 (0x00123000)
        libnss3.so => /usr/lib/libnss3.so (0x00569000)
        libc.so.6 => /lib/libc.so.6 (0x00b6c000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00127000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00130000)
        /lib/ld-linux.so.2 (0x00525000)
        libplc4.so => /usr/lib/libplc4.so (0x008c9000)
        libplds4.so => /usr/lib/libplds4.so (0x00133000)
        libnspr4.so => /usr/lib/libnspr4.so (0x00d04000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0032a000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00341000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x00964000)
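The copying that this output implies, as an added example (my own code, not the l2chroot script the post links to): ldd_paths pulls the absolute paths out of ldd output, and chroot_copy puts the binary and each library under the jail at the same path it had on the host. BASE and the binary path are arguments; real use needs root.

```shell
# Added example, not the l2chroot script from the post: resolve the shared
# libraries a binary needs from ldd output and copy the binary plus those
# libraries into the jail, keeping the original directory layout
# (/lib/libc.so.6 becomes /users/lib/libc.so.6). Requires root for real use.

# Read ldd output on stdin and print only absolute library paths. Handles the
# "name => /path (addr)" form, the bare "/lib/ld-linux.so.2 (addr)" form for
# the dynamic loader, and skips linux-gate.so.1 (the kernel vDSO, which has no
# file on disk) as well as "=> not found" entries.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Copy one binary and everything ldd reports for it into the jail.
# Usage: chroot_copy /users /usr/bin/sftp
chroot_copy() {
    base=$1; bin=$2
    for f in "$bin" $(ldd "$bin" | ldd_paths); do
        mkdir -p "$base$(dirname "$f")"
        cp -p "$f" "$base$f"
    done
}
```

Run it once per binary you copied into the jail (scp, rssh, sftp, sftp-server, rssh_chroot_helper, sh or bash), exactly as the l2chroot calls below do.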
You need to copy all those libraries to /lib and the other appropriate locations inside the jail. However, I recommend using my automated script called l2chroot:
# cd /sbin
# wget -O l2chroot http://www.cyberciti.biz/files/lighttpd/l2chroot.txt
# chmod +x l2chroot

Open l2chroot and set BASE variable to point to chroot directory (jail) location:
BASE="/users"
Now copy all shared library files:
# l2chroot /usr/bin/scp
# l2chroot /usr/bin/rssh
# l2chroot /usr/bin/sftp
# l2chroot /usr/libexec/openssh/sftp-server

OR
# l2chroot /usr/lib/openssh/sftp-server
# l2chroot /usr/libexec/rssh_chroot_helper

OR
# l2chroot /usr/lib/rssh/rssh_chroot_helper
# l2chroot /bin/sh

OR
# l2chroot /bin/bash

Once the directories are created and populated accordingly, if OpenSSH is newer than version 4.6 we can add the following to /etc/ssh/sshd_config for user-based restrictions (group-based restrictions can be configured in a similar fashion):
Match User user1
        ChrootDirectory /users
        AllowTcpForwarding no
We also need to make sure that the permissions are correct so that the above chrooting works: the user should own the files and directories inside the chroot, but the chroot directory itself must be owned by root (sshd also refuses the chroot if /users, or any directory above it, is writable by group or others).
chown root:root /users
user1 owns the remaining files and directories inside, so create the home directory as well and hand it over to the user:
mkdir -p /users/home/user1
chown user1:user1 /users/home/user1
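A quick way to confirm those ownership rules before the first login, as an added example (not from the original post): sshd requires the chroot and every directory above it, up to /, to be root-owned and not group- or world-writable, and this walks the path and reports any component that would be rejected. The expected uid is a parameter (default 0) only so the check can be tried on a test directory without root; stat -c is GNU coreutils, which CentOS has.

```shell
# Added example, not from the original post: check the ownership and permission
# rules sshd applies to ChrootDirectory before the first login attempt. The
# chroot and every directory above it must be owned by root and must not be
# writable by group or others; only the user's home inside the jail belongs to
# the user. Usage: check_chroot_path /users
# The expected uid defaults to 0 (root) and is a parameter only for testing.

# True if $1 is owned by uid $2 and has neither the group nor the other write bit.
chroot_dir_ok() {
    d=$1; want=$2
    set -- $(stat -c '%u %a' "$d")   # GNU stat: owner uid and octal mode, e.g. "0 755"
    mode=$2
    oth=${mode#"${mode%?}"}          # last octal digit: other permissions
    g=${mode%?}; grp=${g#"${g%?}"}   # digit before it: group permissions
    [ "$1" = "$want" ] && [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# Walk from the chroot up to / and report every component sshd would reject.
# Returns 0 only when the whole path passes.
check_chroot_path() {
    p=$1; want=${2:-0}; rc=0
    while :; do
        if ! chroot_dir_ok "$p" "$want"; then
            echo "sshd would reject $p: $(stat -c 'owner uid %u, mode %a' "$p")"
            rc=1
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}
```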