Smokes your problems, coughs fresh air.

Author: halfgaar (Page 25 of 26)

Halfgaar is Wiebe. Wiebe is a contributing author on this weblog. He also has a lot of stuff (such as long, in-depth articles) on his personal website.

Wiebe works at YTEC, where he is a senior developer of customer-specific tailor-made software ("klantspecifieke maatwerk software") for clients in a few select markets: wholesale, printing and healthcare.

Disabling SSH shell access for SVN users on a Linux/Unix system

A common problem is that Linux/Unix system administrators want to grant users access to SVN repositories, but prevent them from logging in on the shell. This can be accomplished quite easily.

First, lock the user’s password (which disables password logins for the account) by running:

usermod --lock [user]

This way, only public key authentication is allowed. Then, when adding the user’s key to the ~/.ssh/authorized_keys file, prefix it with this:

command="/usr/local/bin/svnserve -t",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding

I used our wrapper script in /usr/local/bin as the command, because it sets an umask of 002 before actually running svnserve. This is necessary when using svn+ssh access.

The source for this trick explains it in more detail.
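As an added example (not the post’s own wrapper, which it only says lives in /usr/local/bin), the two pieces the post combines: a wrapper that sets the umask before running svnserve in tunnel mode, and a helper that writes the restricted authorized_keys entry with the permissions sshd expects. The wrapper name, home directory layout and the sample key are assumptions/constructed values.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumed wrapper name below.
WRAPPER=${WRAPPER:-/usr/local/bin/svnserve-wrapper}

# install_wrapper DEST -> writes the wrapper script to DEST, mode 0755
install_wrapper() {
    cat > "$1" <<'EOF'
#!/bin/sh
# Files and directories created by commits stay group-writable, so every
# committer sharing the repository's group can still write them later.
umask 002
# -t: tunnel mode, the svn protocol runs over the SSH session's stdin/stdout.
# Whatever command the client asked for (SSH_ORIGINAL_COMMAND) is ignored,
# so the key can only ever reach svnserve.
exec /usr/bin/svnserve -t
EOF
    chmod 0755 "$1"
}

# restricted_key_line PUBKEY -> authorized_keys entry that forces the wrapper
# and switches off every other SSH facility (port/agent/X11 forwarding, pty).
restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$WRAPPER" "$1"
}

# install_key HOMEDIR PUBKEY -> appends the restricted entry to
# HOMEDIR/.ssh/authorized_keys with the modes sshd's StrictModes requires.
install_key() {
    h=$1
    mkdir -p "$h/.ssh"
    chmod 0700 "$h/.ssh"
    restricted_key_line "$2" >> "$h/.ssh/authorized_keys"
    chmod 0600 "$h/.ssh/authorized_keys"
}
```

Newer OpenSSH releases (7.2 and later) also accept the single `restrict` option, which disables all of those facilities at once. The post relies on sshd still accepting public-key logins for an account whose password is locked; sshd can be built to refuse every login to a locked account, so confirm with a test login on your own system before handing out keys.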

Configuring a Debian satellite Exim server

A very common way to configure Exim on a Debian machine is to make it a ‘satellite’: a server which uses another SMTP server for sending and does not do local delivery (the latter being the difference from a ‘smarthost’). It can be used by other computers in the network to send mail, but also by the machine itself, to send system notifications and such (from one of my favorite apps, arpwatch, for example).

The following needs to be in /etc/update-exim4.conf:

dc_eximconfig_configtype='satellite'
dc_other_hostnames='[mailname]'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='[your SMTP server]'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

The following needs to be in /etc/mailname:

[mailname]

[mailname] is the same in both locations, and is simply the FQDN (world wide, not just local, such as bla.net) which should appear after the @-sign. The reason it must be entered in both places is that the two settings have different functions. ‘/etc/mailname’ takes care of putting the specified domain after the @-sign when you mail to, for example, root. ‘dc_other_hostnames’ tells the server that this is the machine that handles that domain; if you don’t specify it, the server will just try to send such mail on to the next relay. BTW, ‘dc_other_hostnames’ is colon (;) separated.

Make sure the FQDN you use exists, otherwise a lot of mailservers refuse to accept it. What I don’t understand, though, is that in my experience, whatever you use as domain doesn’t have to exist as MX record, but just as an A record.

Also don’t forget to include an alias for root in /etc/aliases. I usually let all mail sent to root be sent to a local user, and alias that local user to an outside e-mail address.
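As an added example (not from the original post), a small script that checks a satellite configuration of the kind shown above against /etc/mailname. It reports the inconsistencies that break delivery (mailname missing from dc_other_hostnames, no smarthost, wrong configtype) and, separately, two exposure points worth reviewing before such a host is reachable from outside the network: `dc_relay_domains='*'`, which makes Exim accept mail for any domain from any connecting host, and an empty `dc_local_interfaces`, which makes it listen on all interfaces. The file paths and the sample values in the test are constructed.

```shell
#!/bin/sh
# Added example, not the post's own code. Takes the configuration file and
# the mailname file as arguments; nothing here assumes a particular path.

# conf_value FILE KEY -> value of KEY='value' in FILE, empty if unset
conf_value() {
    sed -n "s/^$2='\\(.*\\)'\$/\\1/p" "$1" | tail -n 1
}

# check_satellite CONF MAILNAME_FILE
# Returns 0 when consistent, 1 when an error was found. Errors and warnings
# go to stderr with a prefix so they can be told apart.
check_satellite() {
    conf=$1
    mailname=$(head -n 1 "$2")
    status=0
    [ "$(conf_value "$conf" dc_eximconfig_configtype)" = satellite ] ||
        { echo "error: configtype is not satellite" >&2; status=1; }
    [ -n "$mailname" ] ||
        { echo "error: mailname file is empty" >&2; status=1; }
    # The hostname list is separated by colons (semicolons are normalised
    # here as well); the mailname must be one of its items, otherwise mail
    # for local users is handed to the smarthost instead of being accepted.
    case ":$(conf_value "$conf" dc_other_hostnames | tr ';' ':' | tr -d ' '):" in
        *":$mailname:"*) ;;
        *) echo "error: $mailname is not in dc_other_hostnames" >&2; status=1 ;;
    esac
    [ -n "$(conf_value "$conf" dc_smarthost)" ] ||
        { echo "error: dc_smarthost is empty" >&2; status=1; }
    # Exposure review: '*' relays for every domain, an empty interface list
    # listens everywhere. Neither is wrong on a firewalled LAN host, but the
    # combination must not face untrusted networks.
    [ "$(conf_value "$conf" dc_relay_domains)" != '*' ] ||
        echo "warning: dc_relay_domains='*' relays for every domain" >&2
    [ -n "$(conf_value "$conf" dc_local_interfaces)" ] ||
        echo "warning: dc_local_interfaces is empty, Exim listens on all interfaces" >&2
    return $status
}

# Usage: sh check-satellite.sh CONF_FILE MAILNAME_FILE
if [ $# -eq 2 ]; then
    check_satellite "$1" "$2" && echo "satellite configuration is consistent"
fi
```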

Crane camera shots with just a tripod

When shooting footage with a moving camera, one of the most important things for avoiding the home-barbecue-video look is stable motion, normally achieved with a crane. A simple way to achieve it is to retract one leg of your tripod and then tilt it forwards and backwards. This video gives a good demonstration. The difference between the tripod shots and the hand-held shots (the ones made to demonstrate the technique) is astounding.


Video Cam Super Trick! – video powered by Metacafe

Creating a bash fork bomb

Logged into a Unix machine? Does “ulimit -a” say that the max number of user processes is unlimited? Then type the following to crash the machine (provided it uses bash, or another shell with compatible syntax):

:(){ :|:& };:

What does it do? It defines a function named “:” whose body calls itself twice, piping the output of one copy into the other and putting the pipeline in the background; the final “:” after the semicolon invokes it. The number of processes doubles with every call until the process table is exhausted.

You’d better find out how to protect your machine if it also states that the max number of user processes is unlimited. Even a high limit can be dangerous, such as 15000.
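As an added example (not part of the original post), a script that does the check the post recommends: it reads the per-user process limit as `ulimit -u` prints it, compares it with a policy ceiling, and produces the /etc/security/limits.conf entries that pam_limits applies at login to cap it. The ceiling of 4096 is an assumed policy value, not something the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post.

# nproc_limit_ok LIMIT MAX -> 0 if LIMIT is a number no larger than MAX,
# 1 if it is "unlimited", above MAX, or not a number. LIMIT is whatever
# `ulimit -u` printed.
nproc_limit_ok() {
    limit=$1; max=$2
    case "$limit" in
        unlimited) return 1 ;;
        ''|*[!0-9]*) echo "unrecognised limit: $limit" >&2; return 1 ;;
    esac
    [ "$limit" -le "$max" ]
}

# limits_conf_lines MAX -> /etc/security/limits.conf entries capping every
# user at MAX processes (soft and hard). root is listed explicitly so an
# administrator keeps a working login for cleaning up.
limits_conf_lines() {
    printf '%s\n' \
        "*     soft nproc $1" \
        "*     hard nproc $1" \
        "root  soft nproc unlimited" \
        "root  hard nproc unlimited"
}

# check_current_shell -> report on the limit the current shell runs under,
# against the assumed policy ceiling of 4096 processes per user.
check_current_shell() {
    current=$(ulimit -u)
    if nproc_limit_ok "$current" 4096; then
        echo "nproc limit $current is within policy"
    else
        echo "nproc limit $current exceeds policy; add to /etc/security/limits.conf:"
        limits_conf_lines 4096
    fi
}

check_current_shell
```

The limits.conf entries only take effect for sessions that pass through PAM (logins, sshd, su), so a shell already running keeps its old limit until the user logs in again.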

Setting up a domaincontroller with Samba

I occasionally have to set up a domain controller using Samba. There are a lot of guides and howtos available, but I made a step-by-step howto just for myself, and I thought it’d be smart to make it available on the internet so I can access it anywhere.

These commands have only been tested on Debian. Some distros may do things a little differently, especially when it comes to adding/modifying users and groups.

  • Create a Unix group for ntadmins:
    # groupadd ntadmins
  • And assign root to that group:
    # usermod --append --groups ntadmins root
  • Add the root user to the smb users (use a different password than the Unix root password!):
    # smbpasswd -a root
  • Map Samba groups (the rid is important!):
    # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins rid=512 type=d
    # net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
    # net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
  • Add normal user accounts which can login in the domain controller (without home dirs or shells):
    # useradd -d /dev/null -s /bin/false example_username
    # smbpasswd -a example_username

When adding a machine to the domain, it will ask for a username and password. Use the root account you added to the Samba password database with smbpasswd. The normal user accounts are for when the machine has successfully joined the domain and asks for a user login.
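Since the post stresses that the RIDs in the group mappings matter, here is an added check (not from the original post) that reads the output of `net groupmap list` and verifies that the three well-known groups are mapped with RIDs 512, 513 and 514. The sample listing is constructed in that command’s `NTGROUP (SID) -> unixgroup` format, with a placeholder domain SID.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample listing with
# a placeholder domain SID (S-1-5-21-1111111111-2222222222-3333333333).
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody'

# expected_rid NTGROUP -> the well-known RID that group must carry
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
        *) return 1 ;;
    esac
}

# check_groupmap reads `net groupmap list` output on stdin and returns 0 when
# every well-known group is present with the right RID, 1 otherwise; each
# problem is reported on stderr.
check_groupmap() {
    ok=0
    found=""
    while IFS= read -r line; do
        case "$line" in
            *"(S-1-5-21-"*") -> "*) ;;
            *) continue ;;   # not a mapping line
        esac
        ntgroup=${line%% (S-*}          # text before " (S-"
        sid=${line#*(}; sid=${sid%%)*}  # text inside the parentheses
        rid=${sid##*-}                  # last dash-separated component
        want=$(expected_rid "$ntgroup") || continue   # other groups: no rule
        if [ "$rid" != "$want" ]; then
            echo "$ntgroup has RID $rid, expected $want" >&2
            ok=1
        fi
        found="$found|$ntgroup|"
    done
    for g in "Domain Admins" "Domain Users" "Domain Guests"; do
        case "$found" in
            *"|$g|"*) ;;
            *) echo "$g is not mapped" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Usage on a live server: net groupmap list | sh this-script.sh
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_GROUPMAP" | check_groupmap && echo "sample mappings look right"
else
    check_groupmap
fi
```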

The following is an example config file, with some comments:

[global]
  ; When using domains, the workgroup is the domain name
  workgroup = my_domain
  server string = my_server (Samba server %v)
  security = USER
  encrypt passwords = true
  os level = 65
  domain master = yes
  local master = yes
  preferred master = yes
  domain logons = yes
  panic action = /usr/share/samba/panic-action %d
  guest account = samba
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  dns proxy = no

  ; Location of NT/2000/XP profiles. %L expands to the servername, %u to the user.
  ; You may also want to put in %m, which expands to the machine name, to have a 
  ; separate account for each machine. With only identical machines, it's useful to have
  ; a "roaming" profile, but you can imagine what happens when you login on a Windows 
  ; 2000 machine with an account that actually belongs to a Windows XP machine...
  ; or, even simply on machines with different versions of software packages installed.
  ; update: I think it should actually be %U. And, you may want the machine name in the path:
  logon path = \\%L\profiles\%m\%U
  ; logon path = \\%L\profiles\%u ; old one, before update.
  logon script = logon.bat

  time server = yes

  ; I don't let useradd create home dirs. I prefer to do that myself. 
  add user script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
  ; I intentionally leave out -r (remove home dir) because I don't accidentally
  ; want to remove home dirs when I happen to remove domain users 
  ; which are also unix users. Also, it means that if a user is recreated, 
  ; its data is accessible again.
  delete user script = /usr/sbin/userdel %u
  add group script = /usr/sbin/groupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/usermod -a -G %g %u
  ; how does one delete a user from a group...? There doesn't seem 
  ; to be a command for that...
  ;delete user from group script = /usr/sbin/ %u %g
  add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

[netlogon]
  ; You can add netlogon.bat here, the logon script executed by the client.
  path = /var/lib/samba/netlogon
  writable = no
  browsable = no

[profiles]
  ; This path should be chmod 777
  path = /home/samba-nt-profiles/
  browsable = no
  writable = yes
  ; You can choose to make these 0660 and 0770. If you force group = samba and put all your samba users in it, that can be convenient. It is a must when you have the machine name in the profile path, otherwise, only the first user can login on a machine.
  create mask = 0600
  directory mask = 0700

The useradd commands are for when a domain admin asks for users to be created and such. The only one I’ve needed in practice, it would seem, is the add machine script. When I add a machine called “butter” to the domain controller, this command will automatically create a user called “$butter” in your /etc/passwd, and the machine can login.

An example command to put in the netlogon.bat, is:

net use o: "\\server\networkshare"

The reason is obvious, I would say :).

An example network share accessible to anyone is:

[our_documents]
  comment = Central storage for all our documents
  path = /home/samba-our-documents
  guest ok = yes
  writeable = yes
  browseable = yes
  force group = samba
  create mask = 0660
  directory mask = 0770

And, a network share for an individual domain user with full access for that user, but read-only to the rest:

[Johns_documents]
  path = /home/samba-john-documenten
  guest ok = yes
  writeable = yes
  browseable = yes
  force group = samba
  create mask = 0640
  directory mask = 0750

I believe this is it. I will update the post with relevant info in the future.

Playing Quake3 in Linux with Skype or Teamspeak

I wanted to play a game of Quake3 against someone, and have Skype or Teamspeak open at the same time, for obvious reasons. Somehow, it reported the sound device being in use: “device or resource busy”. This doesn’t make any sense, because my card can do hardware mixing, and also because all other games work fine with Skype or Teamspeak active.

I don’t know exactly what’s going on, but this is how it can be fixed:

# echo "quake3.x86 0 0 direct" > /proc/asound/card0/pcm0p/oss
# echo "quake3.x86 0 0 disable" > /proc/asound/card0/pcm0c/oss
# echo "quake3-smp.x86 0 0 direct" > /proc/asound/card0/pcm0p/oss

Happy fragging 🙂

Mounting partitions residing inside a disk image

When you’ve read a disk with dd or ddrescue into an image file, one of the things you want to do is mount the partitions inside it. But, how does one do that? The answer is using losetup, with a bit of knowledge of partition offsets.

First, you have to map the disk image to a loopback device:

# losetup /dev/loop/0 disk_image_file

Then use fdisk to print the partition table, displaying offsets in sectors:

# fdisk -lu /dev/loop/0

For my disk, that results in:

Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63   482415884   241207911   fd  Linux raid autodetect
/dev/sda2       482415885   488392064     2988090   fd  Linux raid autodetect

You can see that the first partition begins at sector 63. Now we’re going to set up a new loop device with the proper offset. A disk sector is 512 bytes long, so an offset of 63 sectors is 32256 bytes. Therefore, you set up the first partition with this command:

# losetup -o 32256 /dev/loop/1 disk_image_file

Then you can mount that loop device:

# mount /dev/loop/1 /mnt/mountpoint
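As an added example (not from the original post), the offset arithmetic done by a script rather than by hand: it parses `fdisk -lu` output, takes the sector size from the “Units” line instead of assuming 512, skips the optional boot-flag column, and multiplies. The sample input is the post’s own fdisk listing; the `mount_image_partition` helper around it is an assumption about how you would wire this into losetup and mount, and it mounts read-only so an image under examination is never written to.

```shell
#!/bin/sh
# Added example, not the post's own code. The listing is the post's fdisk
# output, embedded here as the sample input.
SAMPLE_FDISK='Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63   482415884   241207911   fd  Linux raid autodetect
/dev/sda2       482415885   488392064     2988090   fd  Linux raid autodetect'

# part_offset_bytes N < fdisk-output -> byte offset of partition number N
# (matches /dev/sda1 as well as /dev/loop0p1). Exits 1 if the partition or
# the sector size cannot be found.
part_offset_bytes() {
    awk -v n="$1" '
        $1 == "Units" { sector = $(NF-1) }          # "... = 512 bytes"
        $1 ~ ("^/dev/.*[^0-9]" n "$") {
            start = ($2 == "*") ? $3 : $2          # skip the boot flag column
        }
        END {
            if (sector == "" || start == "") exit 1
            printf "%.0f\n", start * sector
        }'
}

# mount_image_partition IMAGE N MOUNTPOINT (needs root; not run by the test)
# Attaches the whole image read-only, reads the table, then mounts partition
# N read-only at the computed offset.
mount_image_partition() {
    image=$1; n=$2; mnt=$3
    loop=$(losetup -f --show -r "$image") || return 1
    off=$(fdisk -lu "$loop" | part_offset_bytes "$n") || { losetup -d "$loop"; return 1; }
    losetup -d "$loop"
    echo "partition $n starts at byte $off"
    mount -o ro,loop,offset="$off" "$image" "$mnt"
}

printf '%s\n' "$SAMPLE_FDISK" | part_offset_bytes 1   # 32256 for the post's disk
```

Current util-linux can also do the whole dance for you: `losetup -P` (`--partscan`) attaches the image and creates `/dev/loopNp1`, `/dev/loopNp2`, … without any offset arithmetic.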

Humanity Lobotomy – The Importance of Net Neutrality

In the early days, radio used to be a two-way communication system. Radio communication played a part in social, religious and political dialogs between people. Later, big corporations like NBC and CBS produced 97% of nighttime broadcasting in the United States; all courtesy of the Federal Communications Commission. We cannot let them do the same to the internet.

Push the limits

Besides making good music, Enigma also writes meaningful lyrics. A quote from “Push the Limits”, from the album “The Screen Behind the Mirror”, by Enigma:
Don’t submit to stupid rules
Be yourself and not a fool.
Don’t accept average habits
Open your heart and push the limits.
The irony of this is, that while most people agree with this, they don’t really understand it or put it into practice. This was true for me personally as well. It’s all too easy to accept consensus reality without a second thought. But this consensus reality is often misleading and it can be hard to oppose it, mostly because of social reasons. Anyway, my suggestion for today is: read the quote again and apply it. Allow your doubts to float to the surface and express them, because I know those doubts are there.

Ron Paul: Going the Distance

Here I am again with a message about Ron Paul. He asks not to give up, even though election victories are already practically claimed, prematurely of course. He also wants to organize a march to Washington D.C., to give the media something they can’t ignore, like they usually do. Take a look at this campaign update. https://youtu.be/ryMliyeIDp4 And learn more about the revolution march.

© 2022 BigSmoke
