Friday, December 21, 2007
Per User web hosting in Apache and Tomcat
Apache HTTPD
In Apache, per-user web hosting is achieved with the UserDir directive. The feature is disabled by default. Web content is served from the directory public_html inside the user's home directory. The directive for this is:
UserDir public_html
This directive is commented out by default. If the directory path does not start with a leading slash, the path is taken relative to the user's home directory. In this case the user's directory can be anywhere in the file system: Apache searches the user database (/etc/passwd) to find the home directory of the user and fetches the web content from the public_html subdirectory there.
If the path starts with a leading slash, Apache does not search the user database; instead the path is constructed by appending the username to the path given. That is, with
UserDir /home
a request for http://www.myhostingteam.net/~safeer is served from /home/safeer. This setting has the disadvantage that every world-readable file and world-executable directory in your home directory is accessible to the public, if they know that such a file or directory exists. Another disadvantage(?) is that Apache treats every directory under /home as a user. That is, if I create a directory "nouser" under /home and put the web content in it, the contents can be accessed as http://www.myhostingteam.net/~nouser.
We can solve the first of these issues by using another format for UserDir:
UserDir /home/*/public_html
The asterisk (*) is replaced by the username. With this form, as with the first approach, only the subdirectory public_html is accessible to Apache, which is the better choice from a security point of view.
For UserDir to work, the file system permissions must be set properly:
The home directory must be world executable (chmod 711 / a+x).
The files and directories under and including public_html must be world readable and executable (chmod 755 / a+rx).
We can restrict which users may use this feature with additional UserDir directives.
As in any access restriction scheme there are two approaches here: mostly open and mostly closed.
Mostly Open:
All users are granted access, except those listed:
UserDir disabled safeer nebu
Here, all users except safeer and nebu are granted access.
Mostly Closed:
All users are denied access, except those listed:
UserDir disabled
UserDir enabled safeer nebu
Here, all users except safeer and nebu are denied access.
By default the feature is disabled by the single directive UserDir disabled. If a user is listed in both disabled and enabled, he is denied access.
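As an added example (not code from this post or from Apache), the three UserDir path forms and the enabled/disabled lists described above, written out as a resolver so the differences can be checked directly. The passwd lookup is a constructed dictionary standing in for /etc/passwd, and the request paths are assumed to have the /~user/... shape used in the post.

```python
"""UserDir resolution and access checks, modelled on the directives above."""
import posixpath
from typing import Dict, List, Optional

# Constructed stand-in for the /etc/passwd lookup Apache performs (assumption).
PASSWD_HOMES: Dict[str, str] = {
    "safeer": "/home/safeer",
    "nebu": "/home/nebu",
    "backup": "/var/backups",   # a real account whose home is outside /home
}


class UserDirConfig:
    """One UserDir path form plus the enabled/disabled user lists."""

    def __init__(self, pattern: str, disabled_all: bool = False,
                 disabled: Optional[List[str]] = None,
                 enabled: Optional[List[str]] = None) -> None:
        self.pattern = pattern                # "public_html", "/home" or "/home/*/public_html"
        self.disabled_all = disabled_all      # bare "UserDir disabled"
        self.disabled = set(disabled or [])   # "UserDir disabled safeer nebu"
        self.enabled = set(enabled or [])     # "UserDir enabled safeer nebu"

    def user_allowed(self, user: str) -> bool:
        """Mostly-open vs mostly-closed; a user named in both lists is denied."""
        if user in self.disabled:
            return False
        if self.disabled_all:
            return user in self.enabled
        return True

    def user_root(self, user: str) -> Optional[str]:
        """Directory that ~user maps to, or None when the user is unavailable."""
        if not self.user_allowed(user):
            return None
        if "*" in self.pattern:
            # /home/*/public_html: substitute the username, no passwd lookup
            return self.pattern.replace("*", user, 1)
        if self.pattern.startswith("/"):
            # /home: append the username, no passwd lookup, so any
            # subdirectory of /home is treated as a user
            return posixpath.join(self.pattern, user)
        # public_html: relative to the home directory found in passwd
        home = PASSWD_HOMES.get(user)
        return posixpath.join(home, self.pattern) if home else None


def resolve(config: UserDirConfig, url_path: str) -> Optional[str]:
    """Map a request path such as /~safeer/docs/index.html to a file path."""
    if not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    root = config.user_root(user)
    if root is None:
        return None
    if not rest:
        return root
    full = posixpath.normpath(posixpath.join(root, rest))
    # Never serve anything above the user's document root.
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None
    return full
```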
Tomcat
In Tomcat, per-user web applications (and many other features) are configured with a Listener element inside the Host element. The className attribute of the Listener element determines which feature is implemented; for per-user web applications it is "org.apache.catalina.startup.UserConfig".
There are two approaches here: in the first, user home directory information is read from the password database (/etc/passwd); in the second, all directories under a particular directory are treated as user home directories. The latter approach is used mainly on Windows and other systems that have no /etc/passwd user database. The approach is selected with the userClass attribute of the Listener element. The directoryName attribute specifies the name of the directory under the user's home directory where the user's web applications are deployed.
First Scenario:
<Host name=. . . . . . . . . . >
. . . . . . . .
<Listener className="org.apache.catalina.startup.UserConfig"
directoryName="public_html"
userClass="org.apache.catalina.startup.PasswdUserDatabase" />
. . . . . . . . . . . .
</Host>
Second Scenario:
<Host name=. . . . . . . . . . >
. . . . . . . .
<Listener className="org.apache.catalina.startup.UserConfig"
directoryName="public_html"
homeBase="C:\TomcatHomes"
userClass="org.apache.catalina.startup.HomesUserDatabase" />
. . . . . . . . . . . .
</Host>
In the first scenario, content for a request to http://www.myhostingteam.net/~safeer is rendered from /home/safeer/public_html, whereas in the second scenario it comes from C:\TomcatHomes\safeer\public_html.
Wednesday, December 19, 2007
Tomcat Virtual Hosting
All Host elements are enclosed in an Engine element. The relevant portion of the default server.xml is shown below:
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
Each Host element defines a virtual host. To define a virtual host www.myhostingteam.net, we define a Host element as follows:
<Host name="www.myhostingteam.net" appBase="webapps/myhostingteam_net" >
<Context path="" docBase="hostingteam"/>
</Host>
name : The DNS name of the virtual host.
appBase : Application base directory for the virtual host. This directory holds the web application(s) deployed in this virtual host. The path can be absolute or relative to $CATALINA_HOME.
Each Context element defines one web application context for this virtual host. At least one context should be defined.
path : Context path of the web application, which is matched against the request URI. If left blank, that context is the default web application for the virtual host.
docBase : Document base (context root) of the web application. This can be either the directory containing the web application or the path to the web archive (WAR) file for that application. The path can be absolute or relative to the appBase of the virtual host.
Consider the following example:
<Engine name="Catalina" defaultHost="myjavanet.com">
<Host name="www.myjavanet.com" appBase="webapps/myjavanet_com" >
<Context path="" docBase="."/>
</Host>
<Host name="www.myhostingteam.net" appBase="webapps/myhostingteam_net" >
<Context path="" docBase="hostingteam"/>
<Context path="/special" docBase="special_packages"/>
</Host>
</Engine>
Here we have defined two virtual hosts, www.myjavanet.com and www.myhostingteam.net.
Host www.myjavanet.com: The base directory that holds web applications is /usr/apache-tomcat-5.5.17/webapps/myjavanet_com. There is only one Context element, so only one web application is deployed for this host. The path attribute is blank, indicating that this context is the default context for www.myjavanet.com. The docBase is ".", meaning the current directory, so the web application is deployed directly inside the appBase directory, which is /usr/apache-tomcat-5.5.17/webapps/myjavanet_com in this case.
Host www.myhostingteam.net: The base directory for web applications is /usr/apache-tomcat-5.5.17/webapps/myhostingteam_net. It holds two web applications, deployed in the directories hostingteam and special_packages (docBase) under the appBase /usr/apache-tomcat-5.5.17/webapps/myhostingteam_net. The context hostingteam is reached with the URL http://www.myhostingteam.net, whereas special_packages is reached with http://www.myhostingteam.net/special (path="/special").
The defaultHost attribute of the Engine element specifies the default virtual host of the Tomcat server: if the host name in an HTTP request does not match the name attribute of any configured virtual host, the contents of this virtual host are served instead. This value should match the name attribute of one of the configured virtual hosts. The default value for this attribute is "localhost".
Multiple DNS names for a single virtual host
Sometimes you will need to reach your site by more than one DNS name, for example www.myhostingteam.net and hostingteam.net. In such a situation, use the Alias element inside the Host element.
<Host name="www.myhostingteam.net" ............... >
....................................
<Alias>myhostingteam.net</Alias>
................................
</Host>
You can have any number of Alias elements inside a Host element.
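As an added example (not code from this post or from Tomcat), the Host/Alias/defaultHost/Context selection rules described above, with the two-host configuration from the post as data; CATALINA_HOME is assumed to be /usr/apache-tomcat-5.5.17 as elsewhere on this page. The validate() check also flags the case where defaultHost matches no Host name, which is what the example configuration above does with defaultHost="myjavanet.com" against a Host named www.myjavanet.com.

```python
"""Route a request to a Tomcat Host and Context as server.xml above describes."""
import posixpath
from typing import List, NamedTuple, Optional, Tuple


class Context(NamedTuple):
    path: str        # "" marks the default web application of the host
    doc_base: str    # directory or WAR, absolute or relative to appBase


class Host(NamedTuple):
    name: str
    app_base: str                     # absolute or relative to CATALINA_HOME
    contexts: Tuple[Context, ...]
    aliases: Tuple[str, ...] = ()     # <Alias> children


class Engine(NamedTuple):
    default_host: str
    hosts: Tuple[Host, ...]
    catalina_home: str = "/usr/apache-tomcat-5.5.17"   # install path used in this post


def validate(engine: Engine) -> List[str]:
    """Configuration mistakes the post warns about, as human-readable strings."""
    problems: List[str] = []
    if engine.default_host.lower() not in {h.name.lower() for h in engine.hosts}:
        problems.append(f"defaultHost {engine.default_host!r} matches no Host name")
    seen = set()
    for host in engine.hosts:
        for n in (host.name, *host.aliases):
            if n.lower() in seen:
                problems.append(f"name or alias {n!r} is used by more than one Host")
            seen.add(n.lower())
        if not host.contexts:
            problems.append(f"Host {host.name!r} defines no Context")
    return problems


def select_host(engine: Engine, host_header: str) -> Optional[Host]:
    """Match the Host header against names and aliases, else use defaultHost."""
    wanted = host_header.split(":", 1)[0].lower()        # drop any :port suffix
    for host in engine.hosts:
        if wanted == host.name.lower() or wanted in (a.lower() for a in host.aliases):
            return host
    for host in engine.hosts:
        if host.name.lower() == engine.default_host.lower():
            return host
    return None   # defaultHost names no configured Host: nothing can serve this


def select_context(host: Host, uri: str) -> Optional[Context]:
    """The longest context path that prefixes the URI wins; "" is the fallback."""
    best: Optional[Context] = None
    for ctx in host.contexts:
        if ctx.path == "" or uri == ctx.path or uri.startswith(ctx.path + "/"):
            if best is None or len(ctx.path) > len(best.path):
                best = ctx
    return best


def route(engine: Engine, host_header: str, uri: str) -> Optional[str]:
    """Filesystem docBase that serves the request, or None if nothing matches."""
    host = select_host(engine, host_header)
    if host is None:
        return None
    ctx = select_context(host, uri)
    if ctx is None:
        return None
    app_base = host.app_base if host.app_base.startswith("/") \
        else posixpath.join(engine.catalina_home, host.app_base)
    doc_base = ctx.doc_base if ctx.doc_base.startswith("/") \
        else posixpath.join(app_base, ctx.doc_base)
    return posixpath.normpath(doc_base)


# The two-host example from the post, plus the Alias from the last section.
EXAMPLE = Engine(
    default_host="myjavanet.com",
    hosts=(
        Host("www.myjavanet.com", "webapps/myjavanet_com", (Context("", "."),)),
        Host("www.myhostingteam.net", "webapps/myhostingteam_net",
             (Context("", "hostingteam"), Context("/special", "special_packages")),
             aliases=("myhostingteam.net",)),
    ),
)
```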
Monday, December 17, 2007
Running Apache and Tomcat on the same server
In a production environment, there are mainly two approaches to deploying web applications through Tomcat. In the first, the Tomcat server listens on 8080/8443 or any custom ports. All HTTP requests coming to the server (on the default ports 80/443) are received by a web server, most probably Apache compiled with mod_jk support, or sometimes IIS, and all the Java-related requests are forwarded to Tomcat. Thus Apache/IIS acts as a proxy for Tomcat. The second approach, which is much more straightforward, is to configure Tomcat to listen on ports 80/443 itself.
With the second approach, Tomcat listens on ports 80/443 on all configured IP addresses of the server. This is fine if you have a dedicated server for running Tomcat, but that is not always the case. In my case, when I was asked to set up Tomcat (listening on 80/443) on one of our live servers, it was already running an Apache server that serves a bunch of production web sites.
I had two choices: either buy a new server for hosting Tomcat, or configure both Apache and Tomcat on the same server. I would have chosen the first option for performance reasons, but it was costly. So I decided on the latter, and bought one additional public IP for the current production server.
I reconfigured Apache to listen on one IP address only. For this I edited /etc/httpd/conf/httpd.conf to change the entry
Listen 80
to
Listen 61.17.42.50:80
and /etc/httpd/conf.d/ssl.conf to change the entry
Listen 443
to
Listen 61.17.42.50:443
Now Apache listens on the IP 61.17.42.50 only.
Then I configured Tomcat to listen on the newly purchased IP, 61.17.42.76.
The configuration file for Tomcat is CATALINA_HOME/conf/server.xml, where CATALINA_HOME is the installation directory of Tomcat. In my case it is /usr/apache-tomcat-5.5.17.
The file server.xml consists of a number of elements enclosed in angle brackets, each with a number of attributes specified within those brackets.
The element of interest to us is Connector. There is one Connector element each for HTTP (non-SSL) and HTTPS (SSL). I will quote the relevant portions of the configuration file:
HTTP Non SSL
<Connector port="8080" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
HTTP SSL
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
First, change the ports to listen on 80 and 443:
<Connector port="80" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
HTTP SSL
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
This is not enough, because Tomcat will now try to bind ports 80 and 443 on both public IPs. To limit Tomcat to 61.17.42.76 only, add an address attribute to both Connector elements:
<Connector port="80" maxHttpHeaderSize="8192" address="61.17.42.76"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
HTTP SSL
<Connector port="443" maxHttpHeaderSize="8192" address="61.17.42.76"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
The order of the attributes inside an element does not matter, but leave whitespace between attributes.
Now that I have Apache and Tomcat both running on 80/443, I can point the DNS records for the web sites hosted in Apache to 61.17.42.50 and the DNS records for the web sites served by Tomcat to 61.17.42.76.
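As an added check (not code from this post, Apache or Tomcat), a small script that reads the Listen directives and Connector elements and reports any IP:port pair the two servers would both try to bind, using constructed fragments that mirror the before and after state above. A Connector without an address attribute and a bare "Listen 80" are both treated as binding every address, which is why the first version conflicts.

```python
"""Check that Apache and Tomcat listen on disjoint IP:port pairs."""
import re
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

ANY = "0.0.0.0"   # a bare "Listen 80" or a Connector without address binds every IP

# Constructed fragments mirroring the post (httpd.conf and ssl.conf merged).
HTTPD_CONF = """
Listen 61.17.42.50:80
Listen 61.17.42.50:443
"""
SERVER_XML_BEFORE = """<Service name="Catalina">
  <Connector port="80" redirectPort="443" connectionTimeout="20000" />
  <Connector port="443" scheme="https" secure="true" sslProtocol="TLS" />
</Service>"""
SERVER_XML_AFTER = """<Service name="Catalina">
  <Connector port="80" address="61.17.42.76" redirectPort="443" />
  <Connector port="443" address="61.17.42.76" scheme="https" secure="true" />
</Service>"""

Pair = Tuple[str, int]


def apache_listeners(conf: str) -> Set[Pair]:
    """(ip, port) pairs from Listen directives; commented lines do not match."""
    pairs: Set[Pair] = set()
    pattern = r"^\s*Listen\s+(?:(\d{1,3}(?:\.\d{1,3}){3}):)?(\d+)"
    for m in re.finditer(pattern, conf, re.MULTILINE):
        pairs.add((m.group(1) or ANY, int(m.group(2))))
    return pairs


def tomcat_listeners(server_xml: str) -> Set[Pair]:
    """(ip, port) pairs from every Connector element in the fragment."""
    root = ET.fromstring(server_xml)
    return {(c.get("address", ANY), int(c.get("port"))) for c in root.iter("Connector")}


def conflicts(a: Set[Pair], b: Set[Pair]) -> List[Tuple[Pair, Pair]]:
    """Pairs that cannot both be bound: same port and overlapping address."""
    return [(x, y) for x in sorted(a) for y in sorted(b)
            if x[1] == y[1] and (x[0] == y[0] or ANY in (x[0], y[0]))]
```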
Tuesday, September 4, 2007
Important Port Numbers
| Port | Service |
|---|---|
| Databases | |
| 3306 | MySQL |
| 1433 | MS SQL Server |
| 5432 | PostgreSQL |
| Remote Access - Graphical | |
| 3389 | MS Remote Desktop |
| 5800 | VNC-HTTP |
| 5900 | VNC |
| Remote Access - Console | |
| 22 | SSH |
| 23 | Telnet |
| 512 | Rexec |
| 513 | Rlogin |
| 514 | RSH |
| Remote Data Transfer & Management | |
| 20 | FTP Data |
| 21 | FTP |
| 69 | TFTP |
| 2049 | NFS |
| Directory Service | |
| 389 | LDAP |
| 636 | LDAP Secure |
| Web | |
| 80 | HTTP |
| 443 | HTTPS |
| 3128 | Squid Web Proxy |
| Mail & Chat | |
| 25 | SMTP |
| 110 | POP3 |
| 995 | POP3S |
| 143 | IMAP |
| 993 | IMAPS |
| 5222 | Jabber |
| 5223 | Jabber SSL |
| Infrastructure Management | |
| 53 | DNS |
| 1512 | WINS |
| 67 | DHCP Server |
| 68 | DHCP Client |
| 123/UDP | NTP |
| 161 | SNMP |
Sunday, July 29, 2007
MMC Snap-ins
| MMC | Description |
|---|---|
| certmgr.msc | Certificate Manager |
| ciadv.msc | Indexing Service |
| compmgmt.msc | Computer management |
| devmgmt.msc | Device Manager |
| dfrg.msc | Disk Defragment |
| diskmgmt.msc | Disk Management |
| fsmgmt.msc | Shared Folders Management |
| eventvwr.msc | Event Viewer |
| gpedit.msc | Group Policy |
| lusrmgr.msc | Local Users and Groups |
| ntmsmgr.msc | Removable Storage |
| perfmon.msc | Performance Manager |
| secpol.msc | Local Security Settings |
| services.msc | System Services |
| wmimgmt.msc | Windows Management Instrumentation Manager |
This information is based on Windows XP Professional/2003
Control Panel Applets
| Applet | Description |
|---|---|
| access.cpl | Accessibility Options |
| hdwwiz.cpl | Add New Hardware Wizard |
| appwiz.cpl | Add/Remove Programs |
| timedate.cpl | Date and Time Properties |
| desk.cpl | Display Properties |
| inetcpl.cpl | Internet Explorer Properties |
| joy.cpl | Joystick/Game Controller Properties |
| main.cpl keyboard | Keyboard Properties |
| main.cpl | Mouse Properties |
| ncpa.cpl | Network Connections |
| telephon.cpl | Phone and Modem options |
| powercfg.cpl | Power Management |
| intl.cpl | Regional settings |
| mmsys.cpl sounds | Sound Properties |
| mmsys.cpl | Sounds and Audio Device Properties |
| sysdm.cpl | System Properties |
| nusrmgr.cpl | User settings |
| firewall.cpl | Firewall Settings (sp2) |
| wscui.cpl | Security Center (sp2) |
This information is based on Windows XP Professional/2003
Application shortcuts from RUN
| Shortcut | Description |
|---|---|
| calc | Calculator |
| charmap | Character Map |
| cleanmgr | Cleans up hard drives |
| clipbrd | Windows Clipboard viewer |
| cmd | Opens a new Command Window (cmd.exe) |
| control | Displays Control Panel |
| control printers | Printers and Faxes |
| drwatson | Records programs crash & snapshots |
| dxdiag | DirectX Diagnostic Utility |
| explorer | Windows Explorer |
| ftp | ftp.exe program |
| iexplore | Internet Explorer |
| inetmgr | IIS Manager |
| mmc | Microsoft Management Console |
| msconfig | Configuration to edit startup files |
| msinfo32 | Microsoft System Information Utility |
| regedit | Registry Editor |
| sysedit | Edit system startup files (config.sys, autoexec.bat, win.ini, etc.) |
| taskmgr | Task manager |
| sfc /scannow | System File Checker |
| sndrec32 | Sound Recorder |
| sndvol32 | Volume control for soundcard |
This information is based on Windows XP Professional/Windows 2003
Sunday, June 24, 2007
Creating Virtual File Systems in Linux
The first step is to create an empty directory as the mount point for the virtual file system.
[root@LinuxBox1 ~]#mkdir /vfsmount
Now we have to create the virtual file system image. Here we create a file vfs-image in the directory /var/vfs. This file will hold the virtual file system.
[root@LinuxBox1 ~]#mkdir /var/vfs
We will create a file system of 100MB. For this we have to create the file vfs-image with a size of 100MB.
[root@LinuxBox1 ~]#dd if=/dev/zero of=/var/vfs/vfs-image count=204800
204800+0 records in
204800+0 records out
104857600 bytes (105 MB) copied, 2.3716 seconds, 44.2 MB/s
The count option indicates how many blocks of data should be written to the file vfs-image. By default 1 block = 512 bytes.
1 MB = 1024 x 1024 bytes = 2048 blocks
100 MB = 2048 x 100 blocks = 204800 blocks
To cross-check this:
[root@LinuxBox1 ~]#du -h /var/vfs/vfs-image
101M /var/vfs/vfs-image
Now format this file as an ext3 file system:
[root@LinuxBox1 ~]#mkfs.ext3 -q /var/vfs/vfs-image
/var/vfs/vfs-image is not a block special device.
Proceed anyway? (y,n) y
'mkfs.ext3' is actually a short form of 'mkfs -t ext3'. You can suppress the warning about the file not being a block device with the '-F' option.
Now, to use this file system we have to mount it. To make the mount permanent, add an entry to fstab as follows:
/etc/fstab
/var/vfs/vfs-image /vfsmount ext3 rw,loop 0 0
The loop option assigns an available loop device to the file system.
[root@LinuxBox1 ~]#mount -a
[root@LinuxBox1 ~]#mount|grep vfs-image
/var/vfs/vfs-image on /vfsmount type ext3 (rw,loop=/dev/loop0)
[root@LinuxBox1 ~]#df -h|grep vfs-image
/var/vfs/vfs-image 97M 5.6M 87M 7% /vfsmount
Now, just to demonstrate that we can use this file system in the same way as any other file system:
[root@LinuxBox ~]# cd /vfsmount/
[root@LinuxBox ~]# mkdir temp
Now create a 5MB file:
[root@LinuxBox vfsmount]# dd if=/dev/zero of=/vfsmount/temp/test-space-usage count=10240
10240+0 records in
10240+0 records out
5242880 bytes (5.2 MB) copied, 0.129863 seconds, 40.4 MB/s
Check the file system usage:
[root@LinuxBox vfsmount]# df -h|grep vfs-image
/var/vfs/vfs-image 97M 11M 82M 12% /vfsmount
Wednesday, May 23, 2007
Job scheduling with cron
A user can manipulate the cron jobs for his account using the command 'crontab'. Security restrictions on the use of this command are imposed with two files, /etc/cron.allow and /etc/cron.deny.
If the file /etc/cron.allow exists, the user must be listed in it in order to run crontab. If this file does not exist, the user must not be listed in /etc/cron.deny in order to run crontab. If neither file exists, no user other than root is allowed to use crontab.
Cron jobs for individual users are stored in a separate text file, /var/spool/cron/username, which is edited by the corresponding user with the command 'crontab -e'.
The system-wide crontab configuration file is /etc/crontab. What it does is run the cron job files under a set of directories.
/etc/crontab:
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
As the names of the directories indicate, the files inside them are inspected by cron once every hour, day, week and month. The files inside these directories are in the standard cron job format described below.
For per-user crontab files (/var/spool/cron/username) the format is:
minute hour day month dayofweek command-to-be-scheduled
For all other crontab files the format is:
minute hour day month dayofweek USER command-to-be-scheduled
Values for each field:
minute: 0-59
hour: 0-23
day: 1-31
month: 1-12 (or short names such as jan, feb, jun)
dayofweek: 0-7 (or short names such as sun, mon, fri; 0 and 7 both represent Sunday)
The following rules apply to all these fields:
An asterisk (*) in any field indicates all applicable values for that field.
A hyphen (-) between two values specifies all the values in between, including the two.
A comma-separated list specifies all the values listed.
Examples:
10 9 * * 0 = 9:10 AM every Sunday
0 10-17 * * * = every day at 10AM, 11AM ... 5PM
15,30,45 9 * * * = every day at 9:15 AM, 9:30 AM and 9:45 AM
*/5 * * * * = every 5 minutes
USER: the user account under whose privileges the cron job runs.
The command to execute can be a standard Linux command or a script; anything that can be executed in a shell can go here.
At the start of the file, we can set the environment variables under which the cron jobs run. Comments are inserted with '#'. You can see both of these in the /etc/crontab example above.
The script run-parts that you see in the crontab file is a standard script that takes a directory as its argument and runs all the executables under that directory.
Individual users can manipulate only their personal crontab file. All other files are managed by root.
In addition to the directories mentioned above, there is one more directory, /etc/cron.d. If you want to run a task at a custom time, i.e. not every hour/day/week/month, put the file in this directory.
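As an added example (not code from this post or from cron itself), the cron.allow/cron.deny rules and the five-field schedule format described above, written as small functions so the examples in the post can be checked: a field expander for *, ranges, lists and */n, a matcher that tests a schedule against a timestamp, and a line splitter that knows whether a USER column is present. The matcher also applies the Vixie cron rule that when both day-of-month and day-of-week are restricted, either one matching fires the job, which the post does not mention. The file contents are passed in as lists (None meaning the file does not exist) rather than read from /etc, so it runs anywhere.

```python
"""Cron helpers: crontab access policy, field expansion and schedule matching."""
from datetime import datetime
from typing import Dict, List, Optional, Set

MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
               "jul", "aug", "sep", "oct", "nov", "dec"]
DOW_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]


def may_use_crontab(user: str, cron_allow: Optional[List[str]],
                    cron_deny: Optional[List[str]]) -> bool:
    """Apply the /etc/cron.allow and /etc/cron.deny rules.

    None means the file does not exist; a list is the file's contents.
    """
    if cron_allow is not None:            # an allow file wins whenever it exists
        return user in cron_allow
    if cron_deny is not None:             # otherwise the deny file is consulted
        return user not in cron_deny
    return user == "root"                 # neither file: root only


def _atom(token: str, lo: int, names: Optional[List[str]]) -> int:
    """Turn one value ('9', 'sun', 'jan') into an integer."""
    if names and token.lower() in names:
        return names.index(token.lower()) + lo
    return int(token)


def expand_field(field: str, lo: int, hi: int,
                 names: Optional[List[str]] = None) -> Set[int]:
    """Expand one crontab field into the set of integers it covers.

    Supports '*', 'a-b', 'a,b,c', '*/n' and 'a-b/n'. Month names use lo=1;
    for day-of-week, 0 and 7 both mean Sunday and collapse to 0.
    """
    values: Set[int] = set()
    for item in field.split(","):
        rng, _, step_s = item.partition("/")
        step = int(step_s) if step_s else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = _atom(a, lo, names), _atom(b, lo, names)
        else:
            start = end = _atom(rng, lo, names)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} out of range {lo}-{hi}")
        values.update(range(start, end + 1, step))
    if names == DOW_NAMES and 7 in values:   # 7 is an alias for Sunday
        values.discard(7)
        values.add(0)
    return values


def parse_entry(line: str, system_file: bool) -> Dict[str, str]:
    """Split a crontab line into its five time fields, optional USER and command.

    /etc/crontab and /etc/cron.d files carry a USER column; per-user files
    under /var/spool/cron do not.
    """
    nfields = 6 if system_file else 5
    parts = line.split(None, nfields)
    if len(parts) != nfields + 1:
        raise ValueError(f"malformed crontab line: {line!r}")
    keys = ["minute", "hour", "day", "month", "dayofweek"]
    entry = dict(zip(keys, parts[:5]))
    if system_file:
        entry["user"] = parts[5]
    entry["command"] = parts[-1]
    return entry


def cron_matches(spec: str, when: datetime) -> bool:
    """Return True if the five-field schedule `spec` fires at `when`."""
    minute, hour, dom, month, dow = spec.split()[:5]
    if when.minute not in expand_field(minute, 0, 59):
        return False
    if when.hour not in expand_field(hour, 0, 23):
        return False
    if when.month not in expand_field(month, 1, 12, MONTH_NAMES):
        return False
    dom_ok = when.day in expand_field(dom, 1, 31)
    cron_dow = (when.weekday() + 1) % 7          # Python Mon=0 -> cron Sun=0
    dow_ok = cron_dow in expand_field(dow, 0, 7, DOW_NAMES)
    # Vixie cron rule: when both day fields are restricted, either may match.
    if dom != "*" and dow != "*":
        return dom_ok or dow_ok
    return dom_ok and dow_ok
```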
crontab command
For individual users to manipulate their cron jobs, use the command crontab.
To add a new job or edit an existing one:
[safeer@LinuxBox1 ~]$crontab -e
This opens /var/spool/cron/safeer in the default editor; the user can edit it just like any text file.
To add a job that runs a script under the home directory at 10 minutes past 10 AM every day:
10 10 * * * ~/bin/backup.sh >> backup.log 2>&1
To view safeer's current crontab entries:
[safeer@LinuxBox1 ~]$crontab -l
10 10 * * * ~/bin/backup.sh >> backup.log 2>&1
To remove all the current cron jobs for safeer:
[safeer@LinuxBox1 ~]$crontab -r
The root user can edit any user's cron jobs with the -u switch. With this command root can edit the crontab for user safeer:
[root@LinuxBox1 ~]#crontab -[e/l/r] -u safeer
The service name for cron is crond. Use it to start or stop the service; you will hardly ever need to do this.
[root@LinuxBox1 ~]#service crond restart
Tuesday, May 22, 2007
VSFTPD Configuration
The configuration directory for vsftpd is /etc/vsftpd.
Here is a short description of the most common options in the main configuration file, /etc/vsftpd/vsftpd.conf.
Listen Port & Address
To change the listening port from the default 21:
listen_port=10021
By default vsftpd listens on all configured IP addresses. To make vsftpd listen on a single IP address:
listen_address=65.17.45.85
User Management
Allow local system users of the FTP server to connect with their credentials:
local_enable=YES
To restrict local users to their home directory (chroot):
chroot_local_user=YES
This restricts all local users from accessing folders other than their home directory. If you want to exempt some users from this restriction, you can specify a list of such users as follows:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
/etc/vsftpd/chroot_list should contain the list of users who are not subject to the chroot restriction.
If you set chroot_list_enable=NO or comment out this line, the file chroot_list is not read by vsftpd.
Anonymous Access
Enable anonymous user access. The home directory for the anonymous user is /var/ftp:
anonymous_enable=YES
To allow anonymous users to upload files (disabled by default):
anon_upload_enable=YES
To allow anonymous users to create directories (disabled by default):
anon_mkdir_write_enable=YES
To allow anonymous users to login without being prompted for a password:
no_anon_password=YES
Greeting/Message
FTP welcome banner:
ftpd_banner=Welcome to XYZ Co Ltd FTP service.
Directory message (enabled by default):
dirmessage_enable=YES
If this is enabled, you can put a text file named .dirmessage in any directory that an FTP user can access. The contents of the file are displayed to the user when he changes to that directory.
Security
All users listed in the file /etc/vsftpd/ftpusers are denied access to the FTP service.
If userlist_enable is set to YES in vsftpd.conf, another file, /etc/vsftpd/user_list, is read for a list of users.
Whether the users listed in this file are denied or allowed access depends on another directive in vsftpd.conf. If
userlist_deny=NO
only the users in this file are allowed access. But if
userlist_deny=YES
the users in this file are also denied FTP access.
The file ftpusers takes precedence over user_list if the same user is listed in both files.
The name of the user_list file can be changed with:
userlist_file=another_user_list_filename
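As an added example (not code from this post or from vsftpd), the login and chroot decisions the directives above produce, evaluated against a constructed vsftpd.conf and constructed contents for ftpusers, user_list and chroot_list. The defaults assumed for absent keys (local_enable=NO, userlist_enable=NO, userlist_deny=YES, chroot_local_user=NO, chroot_list_enable=NO) follow the vsftpd.conf man page; the chroot_local_user=NO branch, where chroot_list names the users to confine instead of the exemptions, goes beyond what the post covers.

```python
"""Evaluate vsftpd access and chroot directives against the list files."""
from typing import Dict, Set

# Constructed vsftpd.conf built from the directives in this post.
SAMPLE_CONF = """
# listen on a single address and a custom port
listen_port=10021
listen_address=65.17.45.85
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
userlist_deny=NO
"""
# Constructed contents of the three list files.
FTPUSERS: Set[str] = {"root", "bin", "daemon", "nebu"}   # /etc/vsftpd/ftpusers
USER_LIST: Set[str] = {"safeer", "nebu"}                  # /etc/vsftpd/user_list
CHROOT_LIST: Set[str] = {"safeer"}                        # /etc/vsftpd/chroot_list


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """key=value lines; blank lines and '#' comments are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf: Dict[str, str], key: str, default: str) -> bool:
    """Boolean directive; `default` is the value assumed when the key is absent."""
    return conf.get(key, default).upper() == "YES"


def login_allowed(conf: Dict[str, str], user: str,
                  ftpusers: Set[str], user_list: Set[str]) -> bool:
    """Can a local user log in? ftpusers always wins; user_list follows userlist_deny."""
    if user in ftpusers:                      # ftpusers takes precedence over user_list
        return False
    if not _yes(conf, "local_enable", "NO"):  # local logins are off unless enabled
        return False
    if _yes(conf, "userlist_enable", "NO"):
        if _yes(conf, "userlist_deny", "YES"):
            return user not in user_list      # user_list is a deny list
        return user in user_list              # user_list is the only allowed users
    return True


def chrooted(conf: Dict[str, str], user: str, chroot_list: Set[str]) -> bool:
    """Is the user confined to the home directory after login?"""
    listed = _yes(conf, "chroot_list_enable", "NO") and user in chroot_list
    if _yes(conf, "chroot_local_user", "NO"):
        return not listed   # everyone confined; chroot_list holds the exemptions
    return listed           # nobody confined except the users in chroot_list
```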
Monday, May 21, 2007
Simple File Encryption with GPG
Encryption
[safeer@LinuxBox1 ~]$echo "This is plain text" > file1_txt
Now encrypt this file with gpg:
[safeer@LinuxBox1 ~]$ gpg -c file1_txt
Enter passphrase:
You will be prompted to enter the passphrase twice. Once the passphrase is entered, the encrypted file is saved as "file1_txt.gpg". This is a binary file; if you open it you will see a lot of unreadable characters. If you want the output to be readable instead, use the armor option (ASCII format) as follows:
[safeer@LinuxBox1 ~]$ gpg -c -a file1_txt
This creates a file "file1_txt.asc":
[safeer@LinuxBox1 ~]$ cat file1_txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)
jA0EAwMCvQn1YCJCMmFgyTBooxld2Zo/Vb5hYg00Pyg1OMeaZ3CXIrICjUwHqj50
RKRRZMoQmvRnZzISt01uoZs=
=3UMZ
-----END PGP MESSAGE-----
This format is particularly useful when you send the file to somebody, most probably through e-mail. You will also have to let the receiver know the passphrase, maybe by phone or some other secure channel; otherwise he won't be able to decrypt the file.
You can alternatively specify an output file other than the default filename.gpg or filename.asc:
[safeer@LinuxBox1 ~]$ gpg -c -a --output file1.secure file1_txt
Now the encrypted output will be stored in "file1.secure".
Decryption
[safeer@LinuxBox1 ~]$ cp file1_txt.asc /tmp
[safeer@LinuxBox1 tmp]$ gpg file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
This creates the plain text file file1_txt. If a file of this name already exists in the current directory, you will be prompted either to overwrite it or to provide an alternative file name, as follows:
[safeer@LinuxBox1 tmp]$ gpg file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
File `file1_txt' exists. Overwrite? (y/N) N
Enter new filename: file1_plain
gpg: WARNING: message was not integrity protected
If you want the decrypted output to be printed to standard output:
[safeer@LinuxBox1 tmp]$ gpg --decrypt file1_txt.asc
gpg: CAST5 encrypted data
Enter passphrase:
gpg: encrypted with 1 passphrase
This is plain text
gpg: WARNING: message was not integrity protected
Here too you can give an alternative output file name:
[safeer@LinuxBox1 tmp]$ gpg --decrypt --output file1.plain file1_txt.asc
The decryption method is the same for .asc and .gpg files.
This method uses symmetric key encryption, which is not considered very secure nowadays because the passphrase must also be shared. Generally asymmetric (public key) encryption is preferred. But for a starter, this is good enough.
Beware! If you forget the encryption passphrase, you are done; you will never be able to decrypt the file.
Thursday, May 17, 2007
Cisco HTTP Server
Enable the HTTP server:
RouterA(config)#ip http server
Tell the server the base path where the web server files are located, flash memory in this case:
RouterA(config)#ip http path flash:
If you want to change the port on which the web server listens (default 80):
RouterA(config)#ip http port 8080
Authentication
To access the router through the web interface you need level 15 authentication. The default is to use the enable password/secret. To change this behaviour, we can use:
RouterA(config)#ip http authentication local
This instructs the router to use the local user database for authentication. After this you can log in through the web interface with a username and password configured for level 15 access.
To switch back to the default authentication with enable passwords:
RouterA(config)#ip http authentication enable
Monday, April 9, 2007
Linux Quota
The first step in setting up quota is to enable it for a file system. To do this, either remount the file system with the appropriate mount options, or edit /etc/fstab to make the change permanent.
Suppose your home partition /dev/hda5 is mounted on /home and you want to enforce quota for users. Mount the file system with the quota options:
/etc/fstab
/dev/hda5 /home ext3 defaults,usrquota,grpquota 0 0
usrquota : enables per-user quota
grpquota : enables per-group quota
Remount the home partition:
[root@LinuxBox1 ~]#mount -o remount /home
[root@LinuxBox1 ~]#mount|grep /home
/dev/hda5 on /home type ext3 (rw,usrquota,grpquota)
Quota information for a file system is stored in the files aquota.user and aquota.group under the root of the file system, in this case /home. These files are owned by and accessible only to root. You have to initialise them first using the quotacheck command:
[root@LinuxBox1 ~]#quotacheck -vgum /home
quotacheck: Scanning /dev/hda5 [/home] done
quotacheck: Checked 1708 directories and 8935 files
If you are running this command for the first time, you may see some errors about the files missing or not being in the correct format. That is OK.
[root@LinuxBox1 ~]#ls -la /home/aquota*
-rw------- 1 root root 9216 Apr 10 04:44 /home/aquota.group
-rw------- 1 root root 8192 Apr 10 04:44 /home/aquota.user
Enable quota on the /home partition with the quotaon command:
[root@LinuxBox1 ~]#quotaon /home
/dev/hda5 [/home]: group quotas turned on
/dev/hda5 [/home]: user quotas turned on
Now that everything is set up, we can set the quota for user 'safeer' using the edquota command. This opens a file in your default editor (most probably vi), whose values you change as appropriate.
[root@LinuxBox1 ~]#edquota -f /home -u safeer
Disk quotas for user safeer (uid 507):
Filesystem blocks soft hard inodes soft hard
/dev/hda5 1020 0 0 14 0 0
blocks : space in 1k blocks used by the user (current usage is 1MB)
inodes : number of files/folders created by the user (14 in total)
soft : warning limit on the space used / number of files created by the user. The user gets a warning when this limit is reached, but can still create/modify files.
hard : maximum space used / number of files created by the user. The user can't cross this limit.
Let us enforce a soft limit of 4 MB and a hard limit of 5 MB on space usage:
[root@LinuxBox1 ~]#edquota -f /home -u safeer
Disk quotas for user safeer (uid 507):
Filesystem blocks soft hard inodes soft hard
/dev/hda5 1020 4096 5120 14 0 0
Note that we are not restricting the number of inodes.
Let us check this by creating files as safeer:
[root@LinuxBox1 ~]#su - safeer
[safeer@LinuxBox1 ~]$quota
Disk quotas for user safeer (uid 507):
Filesystem blocks quota limit grace files quota limit grace
/dev/hda5 1020 4096 5120 2 0 0
Users can use the quota command to view their current usage and limits, as above.
'safeer' is already using 1MB of disk space. Let us create a file of 2MB:
[safeer@LinuxBox1 ~]$dd if=/dev/zero of=./temp1 bs=1024 count=2048
2048+0 records in
2048+0 records out
2097152 bytes (2.1 MB) copied, 0.024208 seconds, 86.6 MB/s
This works fine, since the user has not exceeded the quota limit.
Now create another file of 1.5MB, making the total disk usage 4.5 MB (exceeding the soft limit of 4MB):
[safeer@LinuxBox1 ~]$dd if=/dev/zero of=./temp2 bs=1024 count=2560
hda5: warning, user block quota exceeded.
2048+0 records in
2048+0 records out
2097152 bytes (2.6 MB) copied, 0.024208 seconds, 86.6 MB/s
Create another file of 1MB, thus exceeding the hard limit:
[safeer@LinuxBox1 ~]$dd if=/dev/zero of=./temp3 bs=1024 count=1024
hda5: write failed, user block limit reached.
dd: writing `./temp3': Disk quota exceeded
497+0 records in
496+0 records out
507904 bytes (508 kB) copied, 0.007349 seconds, 69.1 MB/s
Inode limits, or block and inode limits together, are set in exactly the same way.
You can also set quota for group using the command
[root@LinuxBox1 ~]#edquota -f /home -g developers
This edits the quota of the group 'developers'. A common misunderstanding is that a group quota caps the total space/inodes used by all members of the group. It actually counts the files whose group owner is that group, which by default means files created by users who have it as their primary group; a member whose primary group is different contributes nothing unless they chgrp files to it.
Administrators will frequently need to check the status of user quotas.
To find out the quota usage of a particular user:
[root@LinuxBox1 ~]#quota -u safeer
Disk quotas for user safeer (uid 507):
Filesystem blocks quota limit grace files quota limit grace
/dev/hda5 5008* 4096 5010 6days 5 0 0
Similarly, use -g instead of -u to see a group's quota.
Instead of individual quota reports, you can get the quota report for the entire filesystem:
[root@LinuxBox1 ~]#repquota /home
*** Report for user quotas on device /dev/hda5
Block grace time: 7days; Inode grace time: 7days
Block limits File limits
User used soft hard grace used soft hard grace
----------------------------------------------------------------------
root -- 1172676 0 0 6109 0 0
vinu -- 239188 0 0 4347 0 0
safeer +- 5008 4096 5010 6days 5 0 0
nebu +- 5120 4096 5120 6days 4 0 0
This lists each user's current usage as well as the limits. repquota -g gives the group report; -a covers every filesystem that has quotas enabled.
The warnquota command sends mail to every user who has exceeded a quota. The message can be customised by editing /etc/warnquota.conf. For group quotas (warnquota -g), set an administrator for each group in /etc/quotagrpadmins, one group:admin_user pair per line, so that the administrator is mailed when the group exceeds its quota.
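As an added example (not part of the original post), here is a small shell script that automates the check an administrator otherwise does by eye on the repquota report: which users are past their soft block limit, and which have already hit the hard limit and are getting write failures. The report text is a constructed sample embedded in the script so it runs on a machine without quota support; replace SAMPLE_REPORT with real `repquota /home` output to use it for real.

```bash
#!/bin/sh
# Constructed sample of 'repquota /home' output, embedded so the script runs
# anywhere. Column layout follows the real tool: name, flags, block
# used/soft/hard[/grace], inode used/soft/hard[/grace]. The grace column is
# only present when a soft limit is exceeded, so only fields 1-5 are fixed.
SAMPLE_REPORT='*** Report for user quotas on device /dev/hda5
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --   1172676       0       0              6109     0     0
vinu      --    239188       0       0              4347     0     0
safeer    +-      5008    4096    5010  6days         5     0     0
nebu      +-      5120    4096    5120  6days         4     0     0
'

# Users over their soft block limit. repquota sets the first flag character
# to '+' for blocks (the second one is for inodes). Prints names on one line.
over_block_soft() {
    printf '%s\n' "$SAMPLE_REPORT" | awk '
        $2 ~ /^[-+][-+]$/ && substr($2, 1, 1) == "+" {
            names = names (names ? " " : "") $1
        }
        END { print names }'
}

# Users at or above their hard block limit: writes are already failing for
# these accounts, so they need attention first. A hard limit of 0 means none.
at_block_hard() {
    printf '%s\n' "$SAMPLE_REPORT" | awk '
        $2 ~ /^[-+][-+]$/ && $5 + 0 > 0 && $3 + 0 >= $5 + 0 {
            names = names (names ? " " : "") $1
        }
        END { print names }'
}

# To use live data instead of the sample (needs root), set:
# SAMPLE_REPORT=$(repquota /home)
```

For the sample above, over_block_soft prints "safeer nebu" and at_block_hard prints "nebu"; piping either list into a mail command gives a cron-driven warning independent of warnquota.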
Monday, April 2, 2007
Basics of Samba configuration
Samba runs two daemons, smbd (the SMB file and print server) and nmbd (the NetBIOS name server). Between them they listen on four ports:
Netbios Name Service: netbios-ns 137
Netbios Datagram Service: netbios-dgm 138
Netbios Session Service: netbios-ssn 139
Microsoft-DS (SMB directly over TCP, without the NetBIOS layer): microsoft-ds 445
The main configuration file of samba is /etc/samba/smb.conf. It consists of sections, each starting with a section name in square brackets and containing one or more key/value pairs separated by an equals sign.
The [global] section contains settings that are applied server wide. The most common of them are listed below:
workgroup: The name of the Windows workgroup this samba server belongs to. It is shown on a Windows machine under My Network Places -> Entire Network -> Microsoft Windows Network.
Eg:
workgroup = Linux Shares
We can also set an optional description of this server:
server string = Linuxbox1_WinShare
As a security measure, restrict which networks or machines may connect at all. Here we allow our local network 192.168.0.0/24 and the loopback address; placed in [global] the setting applies to every share (it can also be given per share):
hosts allow = 192.168.0. 127.
We can share a directory through samba with the following syntax (minimal)
[sharename]
comment = Comment about this share
path = /path/to/directory/to/be/shared
We can use many other configuration parameters to change the properties of this share, some of them are:
read only = yes/no : If yes, permits only read access to the share
writable = yes/no : If yes, data can be written to the share
By default every share is read only. The two parameters are complements of each other: writable = yes means the same as read only = no ("writeable" is an accepted spelling as well).
browseable = yes/no : Whether the share is visible when browsing the machine's resources; 'yes' by default. A hidden share can still be opened by name, so this is not an access control.
hide dot files = yes/no : If yes, Unix hidden files are hidden on Windows too; 'yes' by default.
In places where you can provide a list of values, separate each value by space.
admin users = admin1 admin2 ..... : Users who act as root for this share (all their file operations run with root privileges, so keep this list minimal)
valid users = user1 user2 ..... : Users allowed to access the share
invalid users = root nfs mail .... :Users not allowed to access the share.
read list = user1 user2 ..... : Users who have read only permission on the share
write list = user 5 user6 ... : Users who have write permission to the share.
You can grant permission to members of a group instead of a long list of users. If you want to grant write permission on a share to the accounts group members, add the following line to the share section.
write list = @accounts
Samba keeps a separate user database (with the default "security = user"), on the release this post targets the file /etc/samba/smbpasswd, which is managed with the smbpasswd command. A samba user must already exist in the system user database (/etc/passwd). Some useful options of smbpasswd are:
-a : Add a samba user
-x : Delete samba user
-d : Disable samba user
-e : enable samba user
[root@LinuxBox1 ~]#smbpasswd -a safeer
New SMB password:
Retype new SMB password:
Added user safeer.
The share [homes] is a special share that lets users reach their own home directories via samba.
[homes]
browsable = no
writable = yes
Home directories do not appear in the browse list, but an authenticated user can open their own as a share named after their login name.
[printers] is another special section, used to share the printers configured on the samba server. When a request comes in for a printer, samba consults the Unix printer capability file (usually /etc/printcap) and automatically offers each printer listed there. The minimum configuration required for printing is
[printers]
printable = yes
path = /var/spool/samba
printcap name = /etc/printcap
public = no
valid users = user1 user2 user3
If you want to add a separate printer
[hp-accounts]
printable = yes
path = /var/spool/samba/hp-3500
printer = hp-3500
valid users = @accounts
This will create a printer share hp-accounts accessible only by accounts department.
Restart samba service, when smb.conf is changed
[root@LinuxBox1 ~]#service smb restart
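The parameters above interact: a share that combines guest access with write access and no user list is open to anyone who can reach port 445, regardless of the hosts allow line. The following shell script, added here as an example and not the post's own configuration, parses an embedded, constructed smb.conf and flags exactly those shares, handling the synonyms the post lists (public / guest ok, read only / writable). Point it at a real file by replacing SAMPLE_SMB_CONF with $(cat /etc/samba/smb.conf).

```bash
#!/bin/sh
# Constructed smb.conf sample (assumption, not the page's configuration),
# embedded so the check runs without Samba installed. [public] is the
# deliberately weak share: anyone on the network can write to it anonymously.
SAMPLE_SMB_CONF='[global]
workgroup = LINUXSHARES
server string = Linuxbox1_WinShare
hosts allow = 192.168.0. 127.

[homes]
browseable = no
writable = yes

[accounts]
comment = Accounts department files
path = /srv/samba/accounts
writable = yes
write list = @accounts

[public]
comment = Drop box
path = /srv/samba/public
guest ok = yes
writable = yes
'

# Print the names of shares that are writable by unauthenticated guests and
# carry no "valid users" / "write list" restriction.
guest_writable_shares() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | awk -F'=' '
        function flush() {
            if (sec != "" && sec != "global" && guest == "yes" &&
                writable == "yes" && restricted == 0)
                names = names (names ? " " : "") sec
        }
        /^[[:space:]]*\[/ {
            flush()
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            guest = "no"; writable = "no"; restricted = 0
            next
        }
        NF < 2 { next }
        {
            key = $1; val = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            key = tolower(key); val = tolower(val)
        }
        key == "guest ok" || key == "public"        { guest = val }
        key == "writable" || key == "writeable"     { writable = val }
        key == "read only"                          { writable = (val == "no") ? "yes" : "no" }
        key == "valid users" || key == "write list" { restricted = 1 }
        END { flush(); print names }'
}

# Succeeds when [global] limits client networks with "hosts allow".
global_has_hosts_allow() {
    printf '%s\n' "$SAMPLE_SMB_CONF" | awk -F'=' '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" { key = $1; gsub(/[[:space:]]/, "", key); if (key == "hostsallow") found = 1 }
        END { exit !found }'
}
```

On the sample, guest_writable_shares prints "public" and global_has_hosts_allow succeeds. Run it after every smb.conf change alongside testparm, which checks syntax but does not judge what the settings mean.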
Wednesday, March 28, 2007
Linux user management
Each line of /etc/passwd describes one account as seven colon-separated fields. Take this line as an example:
enterprisedb:x:517:523:Enterprise Database Server:/home/enterprisedb:/bin/bash
Field 1 - enterprisedb : Username/login name of the account
Field 2 - x : Older Linux versions stored the (hashed) password in this field; current systems keep it in the separate file /etc/shadow, which only root can read. The 'x' indicates that the password is stored there (password shadowing).
Field 3 - 517 : Numeric user id. Every user and group account has a numeric identifier, the user id / group id.
Field 4 - 523 : Numeric group id of the user's primary group.
Field 5 - Enterprise Database Server : Comment (GECOS) field; it can hold any information about the user, usually the real name or, for a system/service account, its purpose. The user enterprisedb was created when I installed an enterprise database on my server, hence the comment.
Field 6 - /home/enterprisedb : Home directory of the user
Field 7 - /bin/bash : The login shell, from which the user runs commands after logging in. A service account that never logs in should get a non-interactive shell such as /sbin/nologin.
We need to manipulate this database (and many more) for adding, modifying and deleting user accounts from the system. Linux provides many handy command line tools for this.
useradd
Used to add users to the system; all seven fields of the passwd entry can be set with this command.
Syntax:
useradd [options] LOGIN
useradd -D [OPTIONS]
The first syntax is used to adding an account to the system
options :
-c COMMENT : Additional information about the user (the GECOS field; blank by default)
-b BASE_DIR : Directory under which the home directory is created when -d is not given; the login name is appended to it. The default is /home, so the user "safeer" gets /home/safeer.
-d HOME_DIR : Complete path of the home directory
-e EXPIRE_DATE : Date (YYYY-MM-DD) on which the account is disabled
-f INACTIVE : Number of days after the password expires before the account is disabled (-1 turns the feature off)
-g GROUP : Group id or name of the user's primary group (the group must already exist; assigned automatically by default)
-G GROUP1[,GROUP2,...] : Additional groups the user is a member of
-p PASSWORD : The password for the account, already hashed in crypt(3) format. Not recommended: the hash ends up in your shell history and is visible in the process list while the command runs. Set the password with passwd instead.
-s SHELL : The login shell. The shells available on your machine are listed in /etc/shells (chsh -l prints the list).
-u UID : The user's numeric user id
There are many more options; see the man page for the complete list.
One feature of useradd on Red Hat systems is the User Private Group (UPG) scheme: every new user gets a group of their own, of which they are the only member, so a permissive umask does not accidentally share files through a common "users" group. To turn this behaviour off use the option -n (-N on current shadow-utils).
The second syntax sets the default values for useradd. Run without any options, it displays the current defaults. Only a limited set of options is accepted:
-b HOME_DIR: The home directory prefix
-e EXPIRE DATE: the expiration date for the account.
-f INACTIVE: number of days after which the accoount will be disabled once the password is expired.
-g GID: Group id
-s SHELL: shell
Consider an example where the user baiju will be added to the system with following criteria:
He should be the member of developers group, he should also be a memeber of staff group
His home directory should be /usr/dev/baiju
He should have cshell as his login shell
[root@LinuxBox1 ~]#useradd -d /usr/dev/baiju -s /bin/csh -G developers,staff baiju
Now, set password for baiju
[root@LinuxBox1 ~]#passwd baiju
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Instead of setting all the options when the user is first created, we can simply create a user with default options and modify the user properties later as and when the need arises. We can use the usermod command for this
usermod
Syntax:
usermod [OPTIONS] login
login : user loginname
OPTIONS:
Many options of the useradd command apply here as well: -[c/d/e/f/g/G/p/s/u]. Other options are:
-l login_name : Change user login name. If we want to change the login name 'baiju' to 'baijujohn'
use
[root@LinuxBox1 ~]#usermod -l baijujohn baiju
-L : lock user password, effectively disabling the user login
-U : unlock the user locked by -L option
If you want to change a users login shell later you can use "usermod -s /bin/ksh login_name". Linux provides another command for achieving this - 'chsh':
[root@LinuxBox1 ~]#chsh -s /bin/ksh baiju
To remove a user use userdel command
userdel
Syntax:
userdel [-r] login
-r : with this option the user's home directory and mail spool are deleted too. The user's files elsewhere have to be removed manually: find them by UID, for example "find / -uid 517", or after the deletion "find / -nouser", which lists files whose owner no longer exists. Remove or re-own them; otherwise the next account created with the same UID silently inherits them.
The files affected by the above commands are /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow.
You can edit /etc/passwd and /etc/shadow by hand with "vipw" (and /etc/group with "vigr"); both lock the files so that a concurrent useradd cannot corrupt them.
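Since the password file is plain text, the sanity checks that matter after a round of useradd/usermod/userdel are easy to script. The following shell script, added here as an example rather than anything from the post, parses a constructed /etc/passwd sample and reports the three things that most often go wrong in the fields explained above: extra UID 0 accounts, accounts whose password field is not the shadow marker "x", and UIDs shared by several login names. Replace SAMPLE_PASSWD with $(cat /etc/passwd) to run it on a real system.

```bash
#!/bin/sh
# Constructed /etc/passwd sample (an assumption, not a real system file).
# "toor" and "legacy" are planted problems: a second UID 0 account, and a
# hash left in the world-readable passwd file instead of /etc/shadow.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
enterprisedb:x:517:523:Enterprise Database Server:/home/enterprisedb:/bin/bash
baiju:x:518:518::/usr/dev/baiju:/bin/csh
toor:x:0:0:backdoor:/root:/bin/bash
legacy:$1$abcdefgh$0123456789abcdefghijkl:519:519:old account:/home/legacy:/bin/sh
nfs:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
'

# Every account other than root whose UID (field 3) is 0: each one is a
# second root login and almost always either a mistake or a backdoor.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        NF >= 7 && $3 == 0 && $1 != "root" { n = n (n ? " " : "") $1 }
        END { print n }'
}

# Accounts whose password field (field 2) is not the shadow marker "x":
# either the hash is exposed in passwd, or the field is empty (no password).
unshadowed_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        NF >= 7 && $2 != "x" { n = n (n ? " " : "") $1 }
        END { print n }'
}

# UIDs used by more than one login name (any UID, not only 0). The kernel
# only sees the number, so file ownership and quotas of such accounts merge.
duplicate_uids() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '
        NF >= 7 { count[$3]++ }
        END { for (u in count) if (count[u] > 1) out = out (out ? " " : "") u; print out }'
}
```

On the sample, extra_uid0_accounts prints "toor", unshadowed_accounts prints "legacy" and duplicate_uids prints "0". The same pass over /etc/group with -F: and field 3 finds duplicate GIDs.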
Friday, March 16, 2007
Subversion Server as Xinetd Service
svnserve accepts, among others, the following options:
-r DIRECTORY : Specifies the root/base directory for all repositories; clients cannot address anything outside it.
-d : Run the server in daemon mode
-i : Run the server in inetd mode
What I usually do was to run "svnserve" in the daemon mode with a root directory specified, as follows:
[root@LinuxBox1 ~]#svnserve -r /home/repository -d
This runs as a standalone process all the time. The server is not accessed continuously, usually only in the morning and evening of working days, when developers check out and commit their projects. Yet svnserve sits there the whole time consuming system resources. Another drawback of daemon mode is that the command has to be run again after every reboot, or put into a start-up script.
So I looked for a better alternative: running it under xinetd. xinetd invokes svnserve only when a connection arrives, so it uses the least resources required, and no separate start-up script for svnserve is needed.
All that is required to do is create a service file for svn(Even though the binary is svnserve, the service and subversion generally is called svn).
[root@LinuxBox1 ~]# vi /etc/xinetd.d/svn
#Subversion Server
#http://subversion.tigris.org/
service svn
{
socket_type = stream
wait = no
user = root
server = /usr/bin/svnserve
server_args = -r /home/repository -i
disable = no
}
# : Comments
socket_type : On what type of socket the service should listen. TCP(stream), UDP (dgram)
wait : Whether xinetd waits for the server to finish before accepting the next connection. "yes" means a single-threaded service that handles one connection at a time; "no" means xinetd starts a new server process for each connection request, which is the right setting for svnserve in -i mode.
user : The user identity under which the service is started. root is used here for simplicity, but svnserve does not need root: in practice create a dedicated unprivileged account that owns /home/repository and name it here, so that a bug in svnserve cannot touch anything else. xinetd's only_from attribute can additionally restrict which client addresses may connect.
server : The binary used to start the service. To find out the path on your system, use:
[root@LinuxBox1 ~]#which svnserve
/usr/bin/svnserve
server_args : the arguments passed to the binary indicated by the option "server". Here, svnserve is run in inetd mode with /home/repository as the root
disable : Whether the service is enabled or disabled.
Save the file and restart the xinetd service.
[root@LinuxBox1 ~]#service xinetd restart
svnserve listens on port 3690 by default; you can confirm the port assignment in /etc/services.
[root@LinuxBox1 ~]#grep Subversion /etc/services
svn 3690/tcp # Subversion
svn 3690/udp # Subversion
Now to make sure that xinetd has invoked svnserve, check whether xinetd is listening on port 3690
[root@LinuxBox1 ~]# netstat -anp|grep 3690
tcp 0 0 0.0.0.0:3690 0.0.0.0:* LISTEN 30254/xinetd
As a final step to make sure that everything is working fine, checkout a project in this repository from another machine
[safeer@LinuxBox2 ~]$svn checkout --username safeer svn://linuxbox1/project1
Authentication realm: <svn://linuxbox1:3690> Project 01 Repository
Password for 'safeer':
Checked out revision 0.
Thursday, March 15, 2007
MySQL user options file
A typical interactive invocation of the mysql client looks like this:
[safeer@LinuxBox1 ~]$mysql -u safeer -h server01 -p app1
Enter password:
This will connect to the database 'app1' in server 'server01' using the username safeer, and a password.
There are different mysql clients used for different purposes, like mysqldump for backing up databases, mysqladmin for administrative tasks etc. For each of these clients you should specify the username, password,host and many other options.
If you use the same values for these options frequently, you can avoid typing the long command line by putting them in a MySQL option file. The per-user file is named .my.cnf and lives in the user's home directory.
MySQL clients read options from these files (among others), in this order:
/etc/my.cnf --- global options
$MYSQL_HOME/my.cnf --- server-specific options; $MYSQL_HOME is usually /var/lib/mysql/, and the file is not always present
the file given with --defaults-extra-file=path --- optional, read only when that option is passed
~/.my.cnf --- user-specific options, in the user's home directory
In addition, options can be given on the command line, which are applied last.
If the same option appears in more than one of these places, the one read last takes precedence.
Following contents are permitted in option files
Comments : Lines beginning with "#" or ";" are comments
[group] : The program or program group the options apply to. This can be a command-line tool such as mysql, mysqldump, mysqladmin or mysqld_safe. To address all the command-line clients together (but not the mysqld server) use [client].
Syntax for option file is the same as the command line options, except that the leading double dashes are removed
option : same as --option on command line
option=value : same as --option=value
For example, to connect to the database "app2" on the machine "server01" as user "nebu" with password "my_pass123", with client/server traffic compressed (if both ends support it), the command line would be:
[safeer@LinuxBox1 ~]$mysql --compress --user="nebu" --password="my_pass123" --database="app2" --host="server01"
A password given on the command line lands in the shell history and may be visible to other local users in the process list while the client runs, which is one more reason to prefer the option file.
instead we can set this in user option file
/home/safeer/.my.cnf
[mysql]
compress
user="nebu"
password="my_pass123"
database="app2"
host="server01"
Now you can simply use 'mysql' without all those long options.
[safeer@LinuxBox1 ~]$mysql
This will achieve the same task as the previous command.
you can override any of the above options from command line. Suppose that you want to connect to another database "db_app3" on the same server, use:
[safeer@LinuxBox1 ~]$mysql --database="db_app3"
If you are using the same credentials for all clients you can put it under the [client] group. We can override those setting or add addition settings by including more [group] options
/home/safeer/.my.cnf
[client]
user="nebu"
password="my_pass123"
[mysqldump]
compact
Make sure that only you can read and write the option file (chmod 600 ~/.my.cnf): it holds a password in the clear, and MySQL clients ignore option files that are world-writable anyway.
This lets every client use the username "nebu" and password "my_pass123" (unless overridden on the command line). In addition mysqldump will use the --compact option.
I found the option file most useful when running MySQL clients from scripts, especially for database backups. Since there is no user interaction, I created a database user with read permission on the databases to be backed up (SELECT, plus LOCK TABLES unless mysqldump is run with --single-transaction), put its username and password in an option file readable only by the backup user, and ran mysqldump from a cron job.
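The backup job is only as safe as the file permissions on the option file, so a wrapper should verify them before handing the file to mysqldump. The following script is an added example, not the post's own cron job; the option file path, database name and output path it takes are assumptions, and the mode check parses ls -l so it works on any Unix.

```bash
#!/bin/sh
# Refuse to use a MySQL option file unless only its owner can read and write
# it (mode 0600). For such a regular file ls -l prints the mode "-rw-------".
optfile_is_private() {  # optfile_is_private PATH
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Cron-style backup wrapper (hypothetical). Credentials come only from the
# option file, so they never appear in the crontab or the process list.
backup_db() {  # backup_db OPTION_FILE DATABASE OUTPUT_FILE
    if ! optfile_is_private "$1"; then
        echo "refusing to use $1: must be mode 0600" >&2
        return 2
    fi
    # --defaults-extra-file must be the first argument to any MySQL client.
    mysqldump --defaults-extra-file="$1" "$2" > "$3"
}
```

Keeping the backup user's credentials in a file of their own (passed with --defaults-extra-file) rather than in ~/.my.cnf means the interactive account's [client] password is never used by the cron job.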
Apache HTTP Authentication
With Apache HTTP authentication you can password-protect part of a website or the whole of it, so that only a selected set of people can view those parts.
The directives for this go either in the Apache server configuration ( /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf ) inside a <Directory> block, or in a per-directory access file (.htaccess). If you use .htaccess, the main configuration must permit it for that directory with:
AllowOverride AuthConfig
First of all, we need to create a password file containing the username/password pairs. Passwords are not stored in the clear but as a one-way hash. On the Apache release this post was written against, htpasswd on Unix defaults to crypt(3), which only uses the first 8 characters of the password; prefer -m (MD5) or, on Apache 2.4.4 and later, -B (bcrypt).
The command used to create password file is htpasswd which comes with apache package
[root@LinuxBox1 ~]#htpasswd -c /var/hosting/safeer/secrets/users.sec safeer
New password:
Re-type new password:
Adding password for user safeer
This command does 2 things. The '-c' option creates a new password file /var/hosting/safeer/secrets/users.sec if it does not exist or erases its contents if already exists. Then the user 'safeer' is added to the file.
[root@LinuxBox1 ~]#cat /var/hosting/safeer/secrets/users.sec
safeer:zgmIJyIiuD87U
To add a new user to the file
[root@LinuxBox1 ~]#htpasswd /var/hosting/safeer/secrets/users.sec rojar
New password:
Re-type new password:
Adding password for user rojar
[root@LinuxBox1 ~]#cat /var/hosting/safeer/secrets/users.sec
safeer:zgmIJyIiuD87U
rojar:NQ7DlFlAqSMBQ
To delere a user from the file
[root@LinuxBox1 ~]#htpasswd -D /var/hosting/safeer/secrets/users.sec safeer
Deleting password for user safeer
My document root is /var/hosting/safeer/www and I want to password-protect the subdirectory /var/hosting/safeer/www/confidential.
If you are modifying the main configuration files, the entries go inside <Directory /var/hosting/safeer/www/confidential></Directory>. If you are using .htaccess, place that file in /var/hosting/safeer/www/confidential. When the main configuration files are edited, don't forget to restart the service.
Now either in the main configuration files or .htaccess file add the following.
AuthType Basic
AuthName "Confidential Data"
AuthUserFile /var/hosting/safeer/secrets/users.sec
Require user rojar
AuthType : Type of authentication. The most common is 'Basic', in which the browser sends the username and password base64-encoded, which is effectively cleartext, with every request; use it only over HTTPS. The other method is 'Digest' (mod_auth_digest), which sends an MD5 hash of the password combined with a server nonce instead of the password itself. It keeps the password off the wire but rests on MD5 and is not supported by every old client, so it is not a replacement for TLS.
AuthName : Authentication realm. The browser shows it in the window that prompts for username and password, and reuses the entered credentials for every protected area that carries the same realm, so the user is not prompted again for other areas sharing it.
AuthUserFile : Location of the password file. Keep it outside the document root so it can never be served; the default httpd.conf additionally denies access to files whose names begin with .ht.
Require : Specifies who may access the area (authorization). Here only the user rojar has the privilege to access this area.
If you want to allow more than one user to allow access to a particular area:
Require user safeer baiju nebu rojar ...
will allow all these users provided they all have corresponding entries in the 'AuthUserFile'
The easiest way is to allow all the users in the AuthUserFile:
Require valid-user
You can use groups to organise users for authorization. The directive:
AuthGroupFile /var/hosting/safeer/secrets/groups.sec
The group file can contain a number of group names and its members in the following format:
Groupname: user1 user2 user3 ....
Eg:
/var/hosting/safeer/secrets/groups.sec
Confidential: safeer rojar
Now modify the Require directive to include this group for authorization:
Require group Confidential
This lets the users listed in the Confidential group access this area. Altogether the directives required are:
AuthType Basic
AuthName "Confidential Data"
AuthUserFile /var/hosting/safeer/secrets/users.sec
AuthGroupFile /var/hosting/safeer/secrets/groups.sec
Require group Confidential
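Two points above are worth seeing rather than reading: what Basic authentication actually puts on the wire, and how the group file turns into an authorization decision. The shell script below is an added example, not Apache code or anything from the post. It builds the Authorization header a browser sends, decodes it again as a sniffer would, and answers a "Require group" question against a constructed AuthGroupFile in the format described above.

```bash
#!/bin/sh
# Build the Authorization header a browser sends for Basic authentication.
# base64 is an encoding, not encryption: anyone who can read the request can
# recover the password, which is why Basic auth belongs behind HTTPS.
basic_auth_header() {  # basic_auth_header USER PASSWORD
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Recover "user:password" from such a header, exactly as a sniffer would.
decode_basic_credentials() {  # decode_basic_credentials 'Authorization: Basic ...'
    printf '%s' "${1##* }" | base64 -d
}

# Constructed AuthGroupFile sample (an assumption) in the format the post
# describes: "Groupname: user1 user2 ...".
GROUP_FILE_SAMPLE='Confidential: safeer rojar
Accounts: baiju nebu
'

# Exit 0 if USER is listed under GROUP, i.e. "Require group GROUP" would
# authorize USER after AuthUserFile has authenticated them.
user_in_group() {  # user_in_group USER GROUP
    printf '%s\n' "$GROUP_FILE_SAMPLE" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($2, m, " "); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}
```

basic_auth_header safeer secret yields "Authorization: Basic c2FmZWVyOnNlY3JldA==", and decode_basic_credentials turns that straight back into "safeer:secret"; user_in_group safeer Confidential succeeds while user_in_group baiju Confidential fails, mirroring the Require directive. Note that membership in the group file only matters for a user who also has an entry in AuthUserFile.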