/dev/null

Elite is stupid. Back to the roots.

June 22, 2007

Howto: setting up vsftpd with virtual users

13:15

This is a small vsftpd howto I wrote some months ago, while installing it on a SuSE Linux 10 server – sorry to those who don’t understand German or use another Linux distribution! Some hints may be useful anyways…

The official vsftpd home page is: http://vsftpd.beasts.org/

Installing and adapting vsftpd

First, make sure that vsftpd is installed at all:


walrus:~ # rpm -q vsftpd
vsftpd-2.0.2-3

If not, install it as usual via yast (the search function saves you scrolling through the package list!). On other Linux distributions use the equivalent (e.g. yum on Fedora).

Next, create a user for vsftpd in /etc/passwd (or via the useradd command):

useradd --system --home /var/run/vsftpd/ ftpsecure

In /etc/xinetd.d/vsftpd, set disable = no.

The /etc/vsftpd.conf could look like this, for example (the strings for guest_username and ftpd_banner need to be adjusted as appropriate):


dirmessage_enable=YES
guest_enable=YES
guest_username=someuser
user_sub_token=$USER
write_enable=YES
anon_mkdir_write_enable=YES
anon_upload_enable=YES
nopriv_user=ftpsecure
ftpd_banner="Welcome to MY_HOSTNAME"
hide_ids=YES
local_enable=YES
chroot_local_user=YES
anonymous_enable=NO
anon_world_readable_only=YES
pam_service_name=vsftpd

Creating FTP users

To run vsftpd with virtual accounts, you need a real user account (guest_username) and a directory (that user's home directory). In principle you can also use an existing account from /etc/passwd for this (such as wwwrun or apache if you are running web hosting):

someuser:x:1234:100:Virtual FTP User Account:/home/virtual/$USER:/bin/false

To create a new user, useradd can be used as above, if needed.

The $USER is important so that each user gets their own directory. You can of course leave it out, but then all users end up in the same directory. By the way, contrary to what the vsftpd documentation says, the $USER directories are NOT created automatically! This seems to be a bug, and you can find quite a bit about it via Google. I haven't found a solution yet.

PAM

So where do the virtual accounts come from? Authentication is implemented (unfortunately not quite trivially) via PAM (pam_pwdfile) and an Apache-compatible account file. In principle this file can live anywhere, but it should be readable by root only. In the example it is called /etc/ftp/users and has the simple format user:password_crypt. It can be managed with the htpasswd or htpasswd2 tool. A Perl script for user management can also be found on debianhowto.de.

Since we set pam_service_name=vsftpd above, the configuration has to go into /etc/pam.d/vsftpd:


#%PAM-1.0

auth    required pam_pwdfile.so pwdfile /etc/ftp/users
account required pam_permit.so

We would be done now if SuSE shipped the required PAM module pam_pwdfile.so, but this is quite obviously not the case on OpenSuSE 10 :(

But no problem… you can download it here:

http://cpbotha.net/pam_pwdfile.html

In addition, to compile it you also need to download Linux-PAM itself:

ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library

Then extract pam_pwdfile-0.XX.tar.gz into Linux-PAM-0.XX/modules/:


tar -xzf Linux-PAM-0.78.tar.gz
cd Linux-PAM-0.XX/modules/
tar -xzf pam_pwdfile-0.XX.tar.gz

Now the module can be compiled and copied:

cd ..
./configure
make all
# On 64-bit systems:
cp modules/pam_pwdfile-0.XX/pam_pwdfile.so /lib64/security/
# or on 32-bit systems:
cp modules/pam_pwdfile-0.XX/pam_pwdfile.so /lib/security/

That's it

Restarting xinetd via /etc/init.d/xinetd restart should now lead to the desired result. Please don't forget to create the users in /etc/ftp/users and the corresponding subdirectories in /home/virtual (if there are no write permissions, uploads naturally won't work… so make sure the permissions are right everywhere).

If there is a firewall in front of the server, port 21 needs to be opened as well, by the way ;)
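Since the $USER directories are not created automatically and the account file must stay readable by root only, here is an added helper (not part of the original post) that creates the per-user directories from the account file and refuses to run while that file is too open. The paths /etc/ftp/users, /home/virtual and the guest user someuser are taken from the example configuration above; the htpasswd-style parsing and the directory permissions 0755 are my assumptions.

```python
import os
import pwd
import stat

USERS_FILE = "/etc/ftp/users"     # account file from the PAM config above
VIRTUAL_BASE = "/home/virtual"    # guest account's home, minus the $USER part
GUEST_USER = "someuser"           # guest_username from vsftpd.conf above

def parse_users_file(text):
    """User names from htpasswd-style 'user:password_crypt' lines.
    Blank lines and '#' comments are skipped; other malformed lines raise."""
    names = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, _ = line.partition(":")
        # a user name becomes a directory name, so reject path-like tokens
        if not sep or not name or "/" in name or name in (".", ".."):
            raise ValueError(f"line {lineno}: bad user:password_crypt entry")
        names.append(name)
    return names

def is_private(path):
    """True if the file has no group/other permission bits (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def make_virtual_homes(users_file, base, guest_user=None):
    """Create base/<user> (mode 0755) for every account in users_file and,
    when running as root and guest_user is given, hand it to that account.
    Refuses to run if users_file is readable by group or others."""
    if not is_private(users_file):
        raise PermissionError(f"{users_file} is readable by group/other")
    with open(users_file, encoding="utf-8") as f:
        names = parse_users_file(f.read())
    dirs = []
    for name in names:
        path = os.path.join(base, name)
        os.makedirs(path, mode=0o755, exist_ok=True)
        os.chmod(path, 0o755)  # makedirs applies the umask, so set it explicitly
        if guest_user and os.geteuid() == 0:
            pw = pwd.getpwnam(guest_user)
            os.chown(path, pw.pw_uid, pw.pw_gid)
        dirs.append(path)
    return dirs

if __name__ == "__main__":
    for d in make_virtual_homes(USERS_FILE, VIRTUAL_BASE, GUEST_USER):
        print("ready:", d)
```

Run it as root after adding users with htpasswd; without root it still creates the directories but leaves ownership to you.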

June 21, 2007

Kate and Raimond

14:27

Kate and Raimond from Melbourne, Australia stayed at my place for the last 5 days. They just left and I’d like to thank them for being my guests!

June 20, 2007

plat_forms 2007 results

13:37

The results of the plat_forms contest are finally published! PHP was the best platform in terms of completeness, maintainability and security. Also, the differences between the PHP teams were small compared to Perl and Java – that means our **Team 8** was quite good, even if OXID (Team 6) is the winning team for PHP: Congratulations :)

I’d like to mention that we had almost no defects in our solution:

Here’s a quote from page 47:

“Team8 PHP has excellent correctness with just one single mistake in the search usecase, only one fourth as many defects as the runner-up. Team4 Java’s defect weight is also quite small (but should be viewed relative to the lower amount of functionality implemented) and team2 Perl is best on the Perl platform (because team5 Perl’s problems more often concern MUST requirements).”

June 8, 2007

Fun with SQL

10:02

I had heaps of fun with SQL today (again). Ever heard of Common Table Expressions? Here is an example of a recursive query:

WITH nodeCTE (nodeId, nodeName) AS (
    SELECT
        a.nodeId,
        nodeName = CONVERT(varchar(8000), a.nodeName)
    FROM
        nodeNames a JOIN nodes b ON a.nodeId = b.nodeId
            AND a.locale = 'en' AND b.parentId = 0
    UNION ALL
    SELECT
        y.nodeId,
        x.nodeName + ' -> ' + CONVERT(varchar(8000), z.nodeName)
    FROM
        nodeCTE x JOIN nodes y ON y.parentId = x.nodeId
            JOIN nodeNames z ON z.nodeId = y.nodeId AND z.locale = 'en'
)
SELECT * FROM nodeCTE;

Another task was to create a database record in the locale ‘de’, if it did not exist yet:

INSERT INTO users
    (userId, locale, title, firstName, lastName,
     middleName, nobleName, displayName, email)
SELECT
    userId, 'de', title, firstName, lastName,
    middleName, nobleName, displayName, email
FROM
    users b
WHERE
    b.locale = 'en' AND NOT EXISTS
    (
        SELECT NULL
        FROM users a
        WHERE a.userId = b.userId AND a.locale = 'de'
    );

Afterwards, it was easy to eliminate all special (German) characters from the original records in the default locale ‘en’.
Did you know that one difference between German and English is the abbreviation for “Doctor”, which is “Dr” in English and “Dr.” in German? That had to be fixed too:

UPDATE users
SET title = REPLACE(title, 'Dr.', 'Dr')
WHERE locale = 'en';

The last query example is a search for name parts and the phone extension. You had to search in all locales of the multi-lingual database, but only return distinct results in the locale ‘en’ with name and initial:

SELECT
    displayName, initial
FROM
    users
WHERE
    locale = 'en'
    AND userId IN
    (
        SELECT userId
        FROM users
        WHERE
            (lastName LIKE '%example%' OR
             firstName LIKE '%example%' OR
             middleName LIKE '%example%' OR
             nobleName LIKE '%example%' OR
             title LIKE '%example%' OR
             initial LIKE '%example%')
        UNION
        SELECT userId
        FROM userAddresses
        WHERE adrPhoneExt LIKE '%example%'
    )
ORDER BY
    lastName;
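To see what the recursive CTE above actually produces, and how the multi-locale search pattern looks when the search term comes from a user, here is an added, runnable example (not from the original post) on a small constructed SQLite database. Table and column names follow the post; T-SQL's + and CONVERT become SQLite's || and CAST, and the search term is passed as a bound parameter with its wildcards escaped instead of being spliced into the '%…%' literal.

```python
import sqlite3

# Constructed sample data: a small tree with English and German labels.
SCHEMA = """
CREATE TABLE nodes (nodeId INTEGER PRIMARY KEY, parentId INTEGER);
CREATE TABLE nodeNames (nodeId INTEGER, locale TEXT, nodeName TEXT);
INSERT INTO nodes VALUES (1, 0), (2, 1), (3, 1), (4, 3);
INSERT INTO nodeNames VALUES
  (1, 'en', 'root'), (2, 'en', 'docs'), (3, 'en', 'src'), (4, 'en', 'lib'),
  (1, 'de', 'Wurzel'), (4, 'de', 'Bibliothek');
"""

# The post's recursive CTE in SQLite dialect: the anchor takes the 'en' names
# of top-level nodes (parentId = 0); each step appends ' -> ' + child name.
PATH_QUERY = """
WITH RECURSIVE nodeCTE (nodeId, nodeName) AS (
    SELECT a.nodeId, CAST(a.nodeName AS TEXT)
    FROM nodeNames a JOIN nodes b ON a.nodeId = b.nodeId
        AND a.locale = 'en' AND b.parentId = 0
  UNION ALL
    SELECT y.nodeId, x.nodeName || ' -> ' || z.nodeName
    FROM nodeCTE x JOIN nodes y ON y.parentId = x.nodeId
        JOIN nodeNames z ON z.nodeId = y.nodeId AND z.locale = 'en'
)
SELECT nodeId, nodeName FROM nodeCTE ORDER BY nodeId;
"""

# The post's search pattern: match in every locale, return 'en' rows only.
# The term is bound as a parameter and its LIKE wildcards are escaped.
SEARCH_QUERY = """
SELECT e.nodeId, e.nodeName FROM nodeNames e WHERE e.locale = 'en'
  AND e.nodeId IN (SELECT nodeId FROM nodeNames WHERE nodeName LIKE ? ESCAPE '\\')
ORDER BY e.nodeId;
"""

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def node_paths(conn):
    """[(nodeId, 'root -> ... -> name'), ...] for every node, by nodeId."""
    return conn.execute(PATH_QUERY).fetchall()

def search_nodes(conn, term):
    """'en' rows of nodes whose name in any locale contains `term` literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(SEARCH_QUERY, ("%" + escaped + "%",)).fetchall()
```

A search for "Bib" finds node 4 through its German label but returns the English name, and a search for a bare "%" matches nothing because the wildcard is escaped.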

June 4, 2007

VMware Server on Fedora Core 6

20:11

If you want to install the free VMware Server 1.0.3 on Fedora Core 6 with the latest kernel, you need to change the kernel module source as follows:


cd /usr/lib/vmware/modules/source/
tar -xvf vmmon.tar
vi vmmon-only/include/compat_kernel.h

Change the line


static inline _syscall1(int, compat_exit, int, exit_code);

to


int compat_exit(int exit_code);

Then recreate the archive:


cp vmmon.tar vmmon.tar.orig
tar -cf vmmon.tar vmmon-only

Now, you should be able to run the config script as described in the installation manual:


/usr/bin/vmware-config.pl

June 2, 2007

LinuxTag 2007

15:31

I’ve been at LinuxTag in Berlin during the past days. It was a fun event and I met lots of nice people – also the recruiting staff of Google, who gave me a nice notepad, some other toys and an invitation for lunch at the headquarters in Mountain View.

I’ve also had a quick look into “Einstieg in SQL” (“SQL for beginners”) from Galileo Press. The cool thing about that book is that it is supposed to cover all SQL dialects. Of course, the author suggested using triggers to emulate MySQL’s AUTO_INCREMENT in MS SQL. So I told them about the existence of identities in Transact-SQL – will be corrected in the next print run :)

The new Solaris init system was also looking very promising. They replaced the old stuff with an XML database and a very good dependency system between the components. That way, they can start many services at once, which minimizes the startup time and improves fault tolerance. Nice!

The guys from KDE were surprised that the PHP bindings are not available by default in many Linux distributions. That’s why only Python and Ruby are integrated in some KDE applications so far. Should be changed!

I guess there will be some talks about Web 2.0 security now… so that’s it for now.

A cybernetic view on Web search

14:46

When it comes to Web search, everybody thinks of Google nowadays. But there are shortcomings: Google has just one large index for all users. This is why search engine optimization has become so popular and why you sometimes don’t find what you’re looking for. A possible solution would be to have different indexes, maintained by the users, that cover the various needs (e.g. topics, regions, content quality, …). That way, a user can decide to only get search results from Germany without ads, for example. Of course one large monolithic company could have problems providing such a service. This is the point where peer-to-peer search comes into play. I think shared and categorized bookmark lists are the start of a trend to individualize information search and organization. The question is just how fast the required technology develops.

Cybernetic view on Web search
