Hi All
I've setup an ubuntu 9.10 server at home that I am planning to use instead of the pay for web server I have at the moment. It's the 32bit version running on an old AMD 2.0GHz with 1GB of RAM, that I'm hoping to upgrade to 2GB once I can find some. It seems pretty nippy at the moment, but it's only running Apache2 and Subversion. You can get up my PHP test page here if you're interested:
http://82.69.121.44/phpinfo.php
I've installed vsftpd, obviously so that I can transfer files to it easily and although I can move .php files into the /var/www folder, it is of course owned by the www-data user, so the files transferred, when logged in as me, will not execute. After some googling I read that I can configure vsftpd to give the files the right permissions automatically on transfer, but I can't find out how?
Also, I cannot delete files via ftp that I transferred onto the server using my user. Can that be rectified with vsftpd configuration too?
On Tue, Dec 29, 2009 at 08:41:09AM +0000, Paul Grenyer wrote:
Hi All
I've setup an ubuntu 9.10 server at home that I am planning to use instead of the pay for web server I have at the moment. It's the 32bit version running on an old AMD 2.0GHz with 1GB of RAM, that I'm hoping to upgrade to 2GB once I can find some. It seems pretty nippy at the moment, but it's only running Apache2 and Subversion. You can get up my PHP test page here if you're interested:
I'm doing much the same on my Acer Revo, Ubuntu 9.10 server running apache, mysql and postgresql plus postfix as a mail server.
I've installed vsftpd, obviously so that I can transfer files to it easily and although I can move .php files into the /var/www folder, it is of course owned by the www-data user, so the files transferred, when logged in as me, will not execute. After some googling I read that I can configure vsftpd to give the files the right permissions automatically on transfer, but I can't find out how?
Also, I cannot delete files via ftp that I transferred onto the server using my user. Can that be rectified with vsftpd configuration too?
I don't use ftp at all for transferring files (as in archiving, backup, etc.). I export a filesystem from the server so that other systems on the LAN can copy files back and forth pretty transparently.
You can set up exports from the server so that only specified systems and/or users can read/write so it can be made reasonably secure given that (presumably) it's in a home LAN so physical security is reasonable.
Using NFS makes things *much* easier IMHO. Basically all you need to do is install nfs-kernel-server on the server machine.
Hi
I'm doing much the same on my Acer Revo, Ubuntu 9.10 server running apache, mysql and postgresql plus postfix as a mail server.
Cool!
I don't use ftp at all for transferring files (as in archiving, backup, etc.). I export a filesystem from the server so that other systems on the LAN can copy files back and forth pretty transparently.
Ok, that's something I could consider.
You can set up exports from the server so that only specified systems and/or users can read/write so it can be made reasonably secure given that (presumably) it's in a home LAN so physical security is reasonable.
It is, but I want to be able to access it from outside too, so I'd really like to get ftp working too.
Using NFS makes things *much* easier IMHO. Basically all you need to do is install nfs-kernel-server on the server machine.
Yep, very easy install. Thanks.
On Tue, Dec 29, 2009 at 12:18:32PM +0000, Paul Grenyer wrote:
Hi
I'm doing much the same on my Acer Revo, Ubuntu 9.10 server running apache, mysql and postgresql plus postfix as a mail server.
Cool!
I don't use ftp at all for transferring files (as in archiving, backup, etc.). I export a filesystem from the server so that other systems on the LAN can copy files back and forth pretty transparently.
Ok, that's something I could consider.
You can set up exports from the server so that only specified systems and/or users can read/write so it can be made reasonably secure given that (presumably) it's in a home LAN so physical security is reasonable.
It is, but I want to be able to access it from outside too, so I'd really like to get ftp working too.
Where 'outside' are you transferring files from? If it's from somewhere that you have ssh access into your server you can use scp or sftp.
Using NFS makes things *much* easier IMHO. Basically all you need to do is install nfs-kernel-server on the server machine.
Yep, very easy install. Thanks.
Hi Chris
Where 'outside' are you transferring files from? If it's from somewhere that you have ssh access into your server you can use scp or sftp.
Wherever I happen to be: work, my laptop via my blackberry, etc. Also, at least one other person needs access to update a wiki I run for them.
Hi
I'm having an interesting morning! Especially as I just noticed that replies don't go back to the list by default. I'll have to remember that one.
Ok, so I've had a lot of success and one big and, I expect, classic novice, error.
The good news is that I have uninstalled vsftpd and can access my file system remotely using FileZilla via openSSH. I've also made www-data the owner of /var/www/ and added the user I use to login with to the www-data group. Now everything works as expected (Yay!).
Then I went back and, as recommended, disabled root access via SSH. This is where I think I made my novice error, because when I SSH into the box now I can no longer 'sudo'. In fact I get the message:
<user> is not in the sudoers file. This incident will be reported.
This of course means I can't even shut the machine down remotely. Before I take a monitor and keyboard downstairs to it, is there a way I can get around this (after you've all had a good laugh of course!)?
Thanks!
2009/12/30 Paul Grenyer paul.grenyer@gmail.com:
Then I went back and, as recommended, disabled root access via SSH. This is where I think I made my novice error, because when I SSH into the box now I can no longer 'sudo'. In fact I get the message:
<user> is not in the sudoers file. This incident will be reported.
This of course means I can't even shut the machine down remotely. Before I take a monitor and keyboard downstairs to it, is there a way I can get around this (after you've all had a good laugh of course!)?
Add the appropriate users to the sudoers file. /etc/sudoers
Or, as mine is configured, add the appropriate users to the admin group.
Good luck, Tim.
Paul Grenyer wrote:
I've ... added the user ... to the www-data group. ...
How?
Then I went back and, as recommended, disabled root access via SSH.
How?
This is where I think I made my novice error, because when I SSH into the box now I can no longer 'sudo'. In fact I get the message:
<user> is not in the sudoers file. This incident will be reported.
It sounds like your user was previously in a group that is allowed to sudo, but is not anymore. Check your /etc/sudoers file for something like:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
then check that you're in that group, e.g. for my userid "mak":
root@yoda:~# grep ^admin /etc/group
admin:x:119:mak
If you get stuck with groups, you can always specifically add a line for your user: "su" to root, then run "visudo" and add a line like:
mak ALL=(ALL) ALL
This of course means I can't even shut the machine down remotely. Before I take a monitor and keyboard downstairs to it, is there a way I can get around this (after you've all had a good laugh of course!)?
You can just "su" to root, and then shut down.
-- Martijn
Hi
Ok, I'm feeling really silly now.
I've ... added the user ... to the www-data group. ...
IIRC: sudo usermod g www-data <user>
I'm now wondering if that's taken me out of every group except www-data.
How?
Then I went back and, as recommended, disabled root access via SSH.
How?
I set PermitRootLogin in /etc/ssh/sshd_config to no.
It sounds like your user was previously in a group that is allowed to sudo, but is not anymore.
It does. Problem is, as far as I know, this is my only user.
Check your /etc/sudoers file for something like:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
then check that you're in that group, e.g. for my userid "mak":
root@yoda:~# grep ^admin /etc/group
admin:x:119:mak
If you get stuck with groups, you can always specifically add a line for your user: "su" to root, then run "visudo" and add a line like:
mak ALL=(ALL) ALL
Thanks, but I don't have permission to do any of that and no idea what the root password might be. I've always just logged in as me and used sudo.
This of course means I can't even shut the machine down remotely. Before I take a monitor and keyboard downstairs to it, is there a way I can get around this (after you've all had a good laugh of course!)?
You can just "su" to root, and then shut down.
Same problem.
Is my system toast? Do I need to start again? :-(
2009/12/30 Paul Grenyer paul.grenyer@gmail.com:
Is my system toast? Do I need to start again? :-(
Boot off a recovery disk and edit the files.
Good luck, Tim.
Hi
On Wed, Dec 30, 2009 at 10:32 AM, Tim Green timothy.j.green@gmail.com wrote:
2009/12/30 Paul Grenyer paul.grenyer@gmail.com:
Is my system toast? Do I need to start again? :-(
Boot off a recovery disk and edit the files.
Thanks! Worked perfectly! And thanks to Ted for pointing out where I went wrong. I am now back in the admin group.
On 30-Dec-09 11:24:05, Paul Grenyer wrote:
Hi
On Wed, Dec 30, 2009 at 10:32 AM, Tim Green timothy.j.green@gmail.com wrote:
2009/12/30 Paul Grenyer paul.grenyer@gmail.com:
Is my system toast? Do I need to start again? :-(
Boot off a recovery disk and edit the files.
Thanks! Worked perfectly! And thanks to Ted for pointing out where I went wrong. I am now back in the admin group.
-- Thanks Paul
I would also add that, when you are modifying a system config file (e.g. /etc/sudoers but there are many others), it is wise to do e.g.
cp /etc/sudoers /etc/sudoers.bk
or the like (I use ".bk" rather than ".bak" since the system itself often makes backups with extension ".bak"). Then, if you screw something up, you can restore the original.
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 30-Dec-09   Time: 12:02:59
------------------------------ XFMail ------------------------------
On 30-Dec-09 09:52:12, Paul Grenyer wrote:
Hi
Ok, I'm feeling really silly now.
I've ... added the user ... to the www-data group. ...
IIRC: sudo usermod g www-data <user>
I'm now wondering if that's taken me out of every group except www-data.
There is a latent 'gotcha' in usermod. From 'man usermod':
"The options which apply to the usermod command are:
[...]
-a, --append
    Add the user to the supplemental group(s). Use only with -G option.
[...]
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
    A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. If the user is currently a member of a group which is not listed, the user will be removed from the group. This behaviour can be changed via -a option, which appends user to the current supplementary group list."
So the command to use would be
sudo usermod -a -G www-data <user>
I hit this myself a little while ago, attempting to add myself to an existing group but using a flawed command. I found I had deleted myself from everything else. Fortunately, I had another (dummy) user set up, so I did 'groups dummy' and noted the groups that 'dummy' was in. Then I set about it the right way, and added myself back into the groups I had previously been in ...
However, I cannot guarantee that the above is authoritative. It is based on advice I had found at:
http://www.cyberciti.biz/faq/howto-linux-add-user-to-group
Hoping this helps, Ted. [And welcome to ALUG]
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 30-Dec-09   Time: 10:42:05
------------------------------ XFMail ------------------------------
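An added example, not code from anyone in this thread: it puts Martijn's "check /etc/sudoers, then check you're in that group" advice and Ted's usermod gotcha into one script. It parses constructed copies of /etc/group and /etc/sudoers (the real files are never touched), reports whether a user can still sudo, and then shows what "usermod -G" (replace) versus "usermod -a -G" (append) each do to that user's supplementary groups. The user name "paul", the group ids, and the temp file names are all constructed; usermod itself is only simulated.

```shell
#!/bin/sh
# Added example, not from the thread: parse a copy of /etc/group and /etc/sudoers
# to answer "can this user still sudo?", then show on that copy what
# "usermod -G" (replace) and "usermod -a -G" (append) each do to the user's
# supplementary groups. Nothing here touches the real system files.

# Constructed files. "paul" starts in admin (sudo-capable) and plugdev.
GROUP_FILE="${TMPDIR:-/tmp}/alug_group.$$"
SUDOERS_FILE="${TMPDIR:-/tmp}/alug_sudoers.$$"
trap 'rm -f "$GROUP_FILE" "$GROUP_FILE".* "$SUDOERS_FILE"' EXIT
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
admin:x:119:paul
www-data:x:33:
plugdev:x:46:paul
EOF
cat >"$SUDOERS_FILE" <<'EOF'
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
EOF

# user_groups USER GROUPFILE: print USER's supplementary groups, one per line,
# by scanning the member list (4th field) of every group entry.
user_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# can_sudo USER GROUPFILE SUDOERS: succeed if sudoers grants USER directly or
# via a "%group" rule for a group USER is in. Comments and @include lines are
# ignored, so this is a quick check, not a full sudoers parser.
can_sudo() {
    grep -q "^[[:space:]]*$1[[:space:]]" "$3" && return 0
    for g in $(user_groups "$1" "$2"); do
        grep -q "^[[:space:]]*%$g[[:space:]]" "$3" && return 0
    done
    return 1
}

# simulate_usermod USER GROUP GROUPFILE MODE: rewrite GROUPFILE in place the way
# "usermod -G GROUP USER" (MODE=replace) or "usermod -a -G GROUP USER"
# (MODE=append) would leave it. Simulation only; usermod itself is never run.
simulate_usermod() {
    awk -F: -v OFS=: -v u="$1" -v ng="$2" -v mode="$4" '{
        n = split($4, m, ","); out = ""; present = 0
        for (i = 1; i <= n; i++) {
            if (m[i] == "") continue
            if (m[i] == u) present = 1
            # replace mode drops the user from every group not named on the command line
            if (m[i] == u && mode == "replace" && $1 != ng) continue
            out = out (out == "" ? "" : ",") m[i]
        }
        if ($1 == ng && !present) out = out (out == "" ? "" : ",") u
        $4 = out; print
    }' "$3" >"$3.new" && mv "$3.new" "$3"
}

# Demo: apply both forms to separate copies and compare the outcome.
cp "$GROUP_FILE" "$GROUP_FILE.replace"
cp "$GROUP_FILE" "$GROUP_FILE.append"
simulate_usermod paul www-data "$GROUP_FILE.replace" replace
simulate_usermod paul www-data "$GROUP_FILE.append" append
for f in "$GROUP_FILE.replace" "$GROUP_FILE.append"; do
    echo "${f##*.}: groups = $(user_groups paul "$f" | tr '\n' ' ')"
    if can_sudo paul "$f" "$SUDOERS_FILE"; then
        echo "  sudo: still allowed"
    else
        echo "  sudo: LOST (is not in the sudoers file)"
    fi
done
```

On a live box the same check is `groups <user>` followed by `sudo -l`, run before you change group membership or turn off remote root login, so that the last working privileged session is not the one you are about to break.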
Paul Grenyer wrote:
I'm having an interesting morning! Especially as I just noticed that replies don't go back to the list by default. I'll have to remember that one.
Yes, they do, if you are using a good email program that supports email lists. The List-Post header is now over 11 years old - almost as old as ALUG! - and it's a blooming disgrace if Google don't support it yet.
One list of good email programs is slowly updated at http://mjr.towers.org.uk/comp/list-mua.html - recent additions are Thunderbird 3 and Gnus.
[...]
Then I went back and, as recommended, disabled root access via SSH. This is where I think I made my novice error, because when I SSH into the box now I can no longer 'sudo'. In fact I get the message:
<user> is not in the sudoers file. This incident will be reported.
This of course means I can't even shut the machine down remotely. Before I take a monitor and keyboard downstairs to it, is there a way I can get around this (after you've all had a good laugh of course!)?
You could try the command "su -" (without the quotes).
Once you regain root, visudo to edit the sudoers settings to prevent a repeat of that warning.
Hope that helps,
2009/12/30 MJ Ray mjr@phonecoop.coop:
You could try the command "su -" (without the quotes).
... but only if you know the root password.
By default on friendly Ubuntu type installs root doesn't have a valid password (so all those bots out there hammering on one's ssh door will never get in).
Tim.
Tim Green wrote:
2009/12/30 MJ Ray mjr@phonecoop.coop:
You could try the command "su -" (without the quotes).
... but only if you know the root password.
By default on friendly Ubuntu type installs root doesn't have a valid password (so all those bots out there hammering on one's ssh door will never get in).
Sorry, I thought the OP had commented that disabling remote root logins over ssh had prevented access, so I assumed that a root password had been set, but it seems that a usermod goof was the more likely cause.
Apologies for my confusion,
On Tue, 29 Dec 2009 08:41:09 +0000 Paul Grenyer paul.grenyer@gmail.com allegedly wrote:
I've installed vsftpd, obviously so that I can transfer files to it easily and although I can move .php files into the /var/www folder, it is of course owned by the www-data user, so the files transfered, when logged in as me, will not execute. After some googling I read that I can configure vsftpd to give the files the right permissions automatically on transfer, but I can't find out how?
Paul
If you are exposing this server to the big bad internet then I'd recommend against using any standard FTP server. It would be much better to use sftp. Not only is it /much/ more secure, it is also easier to configure all the relevant firewall settings (both on the server itself and on any port forwarding NAT hardware device you may have on your network connection).
So set up openSSH on the server (and disable root login). You may also care to move the SSH daemon to a non-standard port - that will at least cut down the number of attempted brute force attacks by botnets (and reduce the number of log entries...)
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------
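An added example, not code from Mick or anyone else in the thread: a small audit of an sshd_config for the settings his message recommends (PermitRootLogin no, a non-standard Port) plus the sftp Subsystem that Paul's FileZilla-over-SSH setup depends on, and a function that writes a hardened copy. The config text is constructed to look like a stock install, the port 2222 is an assumed choice, and the temp file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings
# Mick recommends (PermitRootLogin no, a non-standard Port) plus the sftp
# subsystem that FileZilla-over-SSH relies on, then write a hardened copy.
# sshd honours the FIRST occurrence of a keyword, and Match blocks scope what
# follows them, so the reader stops at the first Match line. The config text
# is constructed; the port number 2222 is an assumed choice.

CONF="${TMPDIR:-/tmp}/alug_sshd_config.$$"
trap 'rm -f "$CONF" "$CONF.hardened"' EXIT
cat >"$CONF" <<'EOF'
# Constructed sshd_config resembling a stock install before hardening
Port 22
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# sshd_value KEYWORD FILE: print the effective global value of KEYWORD
# (case-insensitive, first occurrence before any Match block) or nothing.
sshd_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional sections: out of scope
        tolower($1) == k       { print $2; exit }
    ' "$2"
}

# audit_sshd FILE: print one FINDING/NOTE line per issue; succeed only with no FINDING.
audit_sshd() {
    bad=0
    root="$(sshd_value PermitRootLogin "$1")"
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}'; set it to no"; bad=1
    fi
    port="$(sshd_value Port "$1")"
    if [ "${port:-22}" = "22" ]; then
        echo "NOTE: sshd listens on 22; a non-standard port trims botnet brute-force noise in the logs"
    fi
    if [ "$(sshd_value Subsystem "$1")" != "sftp" ]; then
        echo "FINDING: no sftp Subsystem; sftp clients such as FileZilla will not work"; bad=1
    fi
    return "$bad"
}

# harden_sshd SRC DST PORT: write DST as SRC with PermitRootLogin forced to no
# and Port set to PORT. Directives missing from SRC are prepended so they take effect.
harden_sshd() {
    {
        [ -n "$(sshd_value PermitRootLogin "$1")" ] || echo "PermitRootLogin no"
        [ -n "$(sshd_value Port "$1")" ] || echo "Port $3"
        awk -v port="$3" '
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; next }
            !inmatch && tolower($1) == "port"            { print "Port " port; next }
            { print }
        ' "$1"
    } >"$2"
}

# Demo: audit the weak file, harden it, audit again.
echo "== before =="; audit_sshd "$CONF" || true
harden_sshd "$CONF" "$CONF.hardened" 2222
echo "== after =="; audit_sshd "$CONF.hardened" && echo "no findings"
```

Before restarting the daemon on a real host, validate the edited file with `sshd -t -f <file>` and keep the existing SSH session open until a second login on the new port succeeds; moving the port only thins out the log noise, it is PermitRootLogin no (and key-only logins) that removes the account the bots are guessing at.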