Discuss September 2013

discuss@lists.centos.org

139 participants
128 discussions

Howto: Extremely tight security rsync shell for backups
by Lists 24 Sep '13

24 Sep '13

We've been using rsync since forever to back up all our servers and it's worked without a problem. But in a recent security review, we noted that our specific rsync backup host is using root keys to access the server, meaning that if the keys on the backup server were leaked/compromised in any fashion, that would provide r00t access to the servers being backed up. Since this doesn't seem to be readily documented, I thought I'd provide it to the community. After some playing around, we've found it is possible to set up rsync/ssh so that the connecting server can ONLY run rsync with a predetermined set of options. // OBJECTIVES // 1) Make it so the backup server's SSH key can only be used A) in an rsync read-only. (no write capability to the production webserver) B) against a predetermined set of directories and with a predetermined set of options. 2) Limit the power of the webserver/backup account so that it cannot do anything other than a read-only rsync. 3) Limit access to the backup account to a specific IP address, EG: only the backup server can access the account. # ON WEBSERVER (note: normal account!) ------------------------------------- [root] # adduser backupaccount; # ON WEBSERVER in /home/backupaccount/.ssh/authorized_keys ("backupserver" must be the remote, publicly visible IP address of the backup server) ------------------------------------- from="backupserver" ssh-dss AAAAB3NzaC1kc3MAAACBAKLv/SNIP/ root@backupserver ------------------------------------- # ON BACKUPSERVER Verify that root@backupserver can log in normally via ssh without password: ------------------------------------- [root@backupserver] # ssh backupaccount@webserver # ON WEBSERVER In /etc/passwd. (change the shell at the end of the line) ------------------------------------- backupaccount:x:514:514::/home/backupaccount:/usr/local/bin/backupaccount.sh # ON WEBSERVER in /etc/sudoers ------------------------------------- backupaccount ALL=NOPASSWD: /usr/bin/rsync Defaults:backupaccount !requiretty ------------------------------------- # ON WEBSERVER And in /usr/local/bin/backupaccount.sh ------------------------------------- #! /bin/sh # look in this file to see what options were passed, if the rsync doesn't work. echo $* > /home/backupaccount/options.passed.sh # rsync -va backupaccount@WEBSERVER:/home/ /mnt/backup/home/ /usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtpre.iLs . /home/ ------------------------------------- Note that in this solution, it doesn't matter what the backupserver specifies as the backup location, it will ALWAYS get /home/ and it may well break if you change the options any. EG: using "z" for compression, etc. If this happens, look in options.passed.sh to see what rsync on the backup server tried to pass and, if it makes sense, modify the backupaccount.sh script with these options, or modify backupaccount.sh so that it can take any of a number of source directories after appropriate validation.

6 10

New Orleans Dojo on September 30, 2013
by Johnny Hughes 24 Sep '13

24 Sep '13

We are having another CentOS Dojo, this time in New Orleans on September 30th, 2013. We would like to thank our Dojo sponsor, cPanel for helping have this event. If you are coming to New Orleans for the cPanel Conference 2013 and can make it to the Sheraton by 9:00am on the 30th then register and stop by the CentOS Dojo, which ends (at 5:30pm local time) just as the Second Line Parade for cPanel 2013 begins (6:00pm local time). You can see the agenda and the scheduled speakers for the Dojo here: http://wiki.centos.org/Events/Dojo/NewOrleans2013 And the Dojo registration is here: https://centosdojoneworleans2013.eventbrite.co.uk/ Lets get the Ballroom full and have some fun ! Thanks, Johnny Hughes

1 0

CentOS-announce Digest, Vol 103, Issue 14
by centos-announce-request＠centos.org 24 Sep '13

24 Sep '13

Send CentOS-announce mailing list submissions to centos-announce(a)centos.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-request(a)centos.org You can reach the person managing the list at centos-announce-owner(a)centos.org When replying, please edit your Subject line so it is more specific than "Re: Contents of CentOS-announce digest..." Today's Topics: 1. CEBA-2013:1276 CentOS 6 chkconfig Update (Karanbir Singh) 2. CEBA-2013:1278 CentOS 6 autofs Update (Karanbir Singh) 3. CEBA-2013:1276 CentOS 6 chkconfig Update (Karanbir Singh) ---------------------------------------------------------------------- Message: 1 Date: Mon, 23 Sep 2013 14:32:56 +0000 From: Karanbir Singh <kbsingh(a)centos.org> Subject: [CentOS-announce] CEBA-2013:1276 CentOS 6 chkconfig Update To: centos-announce(a)centos.org Message-ID: <20130923143256.GA6438(a)n04.lon1.karan.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Bugfix Advisory 2013:1276 Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-1276.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: b7e728c1cb477f0464c8244ab7391216b8e48e04cc4cd1eb306896091b4ac1c8 chkconfig-1.3.49.3-2.el6_4.1.i686.rpm 70db47b60c2bf241090f147ff681266528c8741146357ff1f400104c737016ea ntsysv-1.3.49.3-2.el6_4.1.i686.rpm x86_64: 56694998883d5606d040c0d0ce9d76078aee500aa8e640b5a1f4c8ff6ed20f7e chkconfig-1.3.49.3-2.el6_4.1.x86_64.rpm 35a80e4baffe5331ae317298b1a34c9e8b2544e755a6523997cac3e7da3dffda ntsysv-1.3.49.3-2.el6_4.1.x86_64.rpm Source: e00a8330d55620b91e4c16a8571b6c1ed093845e3bbce1eac7e31a60cc237d7d chkconfig-1.3.49.3-2.el6_4.1.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos(a)irc.freenode.net ------------------------------ Message: 2 Date: Mon, 23 Sep 2013 14:34:17 +0000 From: Karanbir Singh <kbsingh(a)centos.org> Subject: [CentOS-announce] CEBA-2013:1278 CentOS 6 autofs Update To: centos-announce(a)centos.org Message-ID: <20130923143417.GA6523(a)n04.lon1.karan.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Bugfix Advisory 2013:1278 Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-1278.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: 38ba1750155bfcb08b80ed70353bc3870e9c1dc1d155ba255dd28a77bc8cc428 autofs-5.0.5-75.el6_4.i686.rpm x86_64: f3a945f1062a8cfa917da787a518b3b496282faebbf8411d17c543f8fd803663 autofs-5.0.5-75.el6_4.x86_64.rpm Source: 9b3166fe5b3e24ce6fb8a143ab7ec880d526e0ac79327aa1938cd8eb070e05d1 autofs-5.0.5-75.el6_4.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos(a)irc.freenode.net ------------------------------ Message: 3 Date: Mon, 23 Sep 2013 19:36:18 +0000 From: Karanbir Singh <kbsingh(a)centos.org> Subject: [CentOS-announce] CEBA-2013:1276 CentOS 6 chkconfig Update To: centos-announce(a)centos.org Message-ID: <20130923193618.GA53240(a)n04.lon1.karan.org> Content-Type: text/plain; charset=us-ascii CentOS Errata and Bugfix Advisory 2013:1276 Upstream details at : https://rhn.redhat.com/errata/RHBA-2013-1276.html The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename ) i386: f2bd516b2881594e510e39b95b0fe0ae875204d80ab1f322f9624590b1db1099 chkconfig-1.3.49.3-2.el6_4.1.i686.rpm b959bc1e4a176452f2544d8a5067bf2133d164e08b9e82ebd4ca13028406be61 ntsysv-1.3.49.3-2.el6_4.1.i686.rpm x86_64: bc1e754226c33a5152761d66d0b569e7cc68d16239e6e60bd6f4a7ac04a739f1 chkconfig-1.3.49.3-2.el6_4.1.x86_64.rpm dbae3ff25340240fc45ab2c68be37a9346e8133adfb8ea4b83d247df980ee1c7 ntsysv-1.3.49.3-2.el6_4.1.x86_64.rpm Source: 2985848e00ebff25446226f939892a474d18c1191a6818f61d2ea48067f3955b chkconfig-1.3.49.3-2.el6_4.1.src.rpm -- Karanbir Singh CentOS Project { http://www.centos.org/ } irc: z00dax, #centos(a)irc.freenode.net ------------------------------ _______________________________________________ CentOS-announce mailing list CentOS-announce(a)centos.org http://lists.centos.org/mailman/listinfo/centos-announce End of CentOS-announce Digest, Vol 103, Issue 14 ************************************************

1 0

Package chkconfig-1.3.49.3-2.el6_4.1.x86_64.rpm is not signed
by Leonard den Ottolander 23 Sep '13

23 Sep '13

Hello, gpk-update-viewer on my CentOS 6 desktop gives me an error about untrusted updates. When running yum update from a terminal I get the following error: Package chkconfig-1.3.49.3-2.el6_4.1.x86_64.rpm is not signed No other packages seem to be affected so for now I updated excuding chkconfig and ntsysv. Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research

3 2

Chromium update
by Robert Arkiletian 23 Sep '13

23 Sep '13

Latest chromium-el6 at http://people.centos.org/hughesjr/chromium/6/x86_64/RPMS/ is chromium-28.0.1500.95-213514.x86_64.rpm but latest chromium stable is 29.0.1547.xx wondering if there are any problems building version 29?

9 10

Setting up postfix under CentOS-6
by Timothy Murphy 22 Sep '13

22 Sep '13

I recently, perhaps foolishly, changed over a remote server from sendmail/procmail to postfix/amavis/spamassassin/clamd , and I'm finding it difficult to configure this setup. The CentOS document <http://wiki.centos.org/HowTos/postfix> explicitly says that its instructions may not work in CentOS-6. Does anyone know of reasonably simple postfix documentation for CentOS-6? I've been amazed how bad the postfix documentation is. It actually seems to be worse that sendmail documentation, which I thought established a record for this sort of thing. The official documentation at <http://www.postfix.org/documentation.html> is ludicrously wordy, with every conceivable option listed in random order. -- Timothy Murphy e-mail: gayleard /at/ eircom.net School of Mathematics, Trinity College, Dublin 2, Ireland

10 33

Run one-time startup script
by Kai Schaetzl 22 Sep '13

22 Sep '13

I have to change IP numbers across a number of virtual and physical machines because of network center move. This has to be done before network startup, of course. I'm thinking about the best method to do this. Where should I include/init this script? Or would it rather make more sense to do this on the last shutdown? Changes largely involve removing old files and putting new files in place (resolv.conf, hosts, sysconfig/network + network-scripts, firewall, postfix, httpd etc.). The only other change besides replacing files would be changing the IP address in a webcontrol interface in a MySQL table, so this part has to be done after MySQL startup. Could be run-once or have to disable manually after successful startup. Thanks, Kai

6 6

updates issue
by Fred Smith 22 Sep '13

22 Sep '13

Since doing "yum update" this morning, an update that installed several packages, the updater shows me 3 packages to install: hpijs-1:3.12.4-4.el6_4.1 (x86_64) hplip-common-3.12.4-4.el6_4.1 (x86_64) hplip-libs-3.12.4-4.el6_4.1 (x86_64) but when I attempt to actually run the update I get: hplip-libs-3.12.4-4.el6.i686 requires libsane.so.1 hplip-libs-3.12.4-4.el6.i686 requires hplip-common = 3.12.4-4.el6 : Success - empty transaction this is a 64-bit computer running 6.4 x86_64, and none of these 3 packages as installed is i686 they are all x86_64. So, why would I be getting errors saying that the 32-bit packages have certain requirements that aren't being met? there are no such 32-bit packages on this computer. # yum list installed | grep -y hplip-libs hplip-libs.x86_64 3.12.4-4.el6 @cr -- ---- Fred Smith -- fredex(a)fcshome.stoneham.ma.us ----------------------------- "For him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy--to the only God our Savior be glory, majesty, power and authority, through Jesus Christ our Lord, before all ages, now and forevermore! Amen." ----------------------------- Jude 1:24,25 (niv) -----------------------------

3 7

Re: [CentOS] Dual Boot Windows 8 & CentOS 6.4
by Amit Joshi 21 Sep '13

21 Sep '13

Thanks!! But where is this disable secure boot option exactly? I can't find it anywhere in my BIOS. Regards, adj -----Original Message----- From: "Xinyun Zhou" <me(a)xyzhou.com> Sent: ‎21/‎09/‎2013 14:51 To: "centos(a)centos.org" <centos(a)centos.org> Subject: Re: [CentOS] Dual Boot Windows 8 & CentOS 6.4 On Fri, 2013-09-20 at 17:42 +0300, Amit Joshi wrote: > > I am studying for the RHCSA Exam and wanted to install CentOS 6.4 alongside Windows 8. I got a new laptop with a processor that supports virtualization. > > > > I am planning to remove all the recovery partitions after backing up all drivers etc. on them. Lets see how it works out. > > > > Any caveats I should know about? >From my experience from the RHCSA exam, all you need to do is to use the KVM, which is a pre-installed system. You will use that as your exam client (all your answer will be in the virtual machine). If you really want to boot that, I would suggest you use a external hard drive to boot CentOS, and install virtual machines in it. Be sure to disable Secure Boot. -- Xinyun Zhou _______________________________________________ CentOS mailing list CentOS(a)centos.org http://lists.centos.org/mailman/listinfo/centos

1 0

Re: [CentOS] reputable sites to download RPMs
by Patrick 21 Sep '13

21 Sep '13

Hi Everyone I would like to use kicad for circuit design. It does not appear to be in the repos. I have built all the other software that I need and not included in the repos from source but I have struggled with kicad. There looks to be lots of places on the net that I can download RPMs not in the repos from but I don't know which ones run honest operations. Could anyone point me to a good site? Thanks for reading my post-Patrick

2 1

← Newer
1
2
3
4
5
6
7
8
...
13
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Discuss September 2013