soledad penadés
repeat 4[fd 100 rt 90]

Archive for the ‘trick’ Category

20061215 How to set up the web server for working in a team

There are lots of urban legends around the intricate complexities of setting up a web server so that more than one person can work with it. In fact there are lots of bad habits, unfortunately very well established, like the "make your files writable == chmod 777" rule, which are just plainly Very Bad Ideas, and are also consequences of not understanding how things work.

So how do things work?

The main goal is to be able to add and modify files in the web server, regardless of which user does it. And the solution is just a combination of appropriate permissions and groups:

  1. Identify which user is executing apache in your server. For example, in an ubuntu machine it is usually www-data.
  2. Identify which users need to be able to read, write and delete files and directories inside the web root. For example, there could be a couple of users called foo and bar. Both need to be able to change files in the server, whether they were created first by them or not.
  3. Add foo and bar to the www-data group.
  4. For fixing possible glitches with permissions, do this:
     1. sudo chgrp -R www-data /var/www # change all the files' group to www-data
     2. sudo chmod g+w -R /var/www # allow people in the group to write to the files
     3. sudo find /var/www -type d -exec chmod g+s {} \; # set the group id bit on the directories, so newly created files and folders inside them inherit the group of their container (on a regular file g+s means something else entirely, so it is applied to directories only rather than recursively to everything)

Now, with this set up, everybody in the www-data group can modify stuff in /var/www, and newly created files will belong to the www-data group. And, of course, apache will be able to read and modify those files, so all should work nicely.

The only problem you can find is that when new files are created or copied they don't get the write permission for their group. A quick fix is to run chmod g+w right after creating them (that's what I'm doing currently); the proper solution is to set the umask in the user profile (umask 002 makes new files group-writable by default).
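The whole procedure as a script, added here as an example (it is not code from the original post): it applies the group ownership, the group write bit and the setgid bit, the latter on directories only, and shows that with umask 002 new files come out group-writable without the manual chmod. The web root and group name are parameters; on the real box they would be /var/www and www-data and the script would run as root, but it works equally on a scratch directory you own. One caveat worth keeping in mind: a tree that is group-writable by www-data is writable by anything apache runs, so a broken web application can rewrite the site's own files.

```sh
#!/bin/sh
# Added example, not from the post: apply the post's group/permission scheme to a
# web root, with the setgid bit restricted to directories. Arguments are assumed:
# $1 = web root (e.g. /var/www), $2 = the web server's group (e.g. www-data).

setup_shared_webroot() {
    root="$1"
    group="$2"
    # 1. everything under the root belongs to the web server's group
    chgrp -R "$group" "$root"
    # 2. group may read and write; X adds execute only to directories and to files
    #    that are already executable, so directories stay traversable; no world write
    chmod -R u+rwX,g+rwX,o-w "$root"
    # 3. setgid on directories only: new entries inherit the directory's group.
    #    On a regular file g+s has a different meaning, so it is not applied there.
    find "$root" -type d -exec chmod g+s {} +
}

# Check that a directory is group-writable and carries the setgid bit.
# Uses the mode string from ls (e.g. drwxrwsr-x) so it works without GNU stat.
dir_is_shared() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        d???rws*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Create a file the way the "umask in the user profile" remedy would: with
# umask 002 the file is group-writable from the start, so the manual
# "chmod g+w after every copy" is no longer needed. Returns 0 if that held.
create_group_writable() {
    ( umask 002 && : > "$1" )
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        -rw-rw-*) return 0 ;;
        *)        return 1 ;;
    esac
}
```

Usage on the real server would be `setup_shared_webroot /var/www www-data` as root, after adding the people to the group; the two check functions are there so you can verify the result on any directory instead of trusting that the commands did what you expected.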

Conclusion

As you see, this is a very easy process: it just requires a bit of attention to detail when setting up the server, and saves lots of headaches later. It is mostly useful for people with a dedicated server, or with an in-house machine, like the ubuntu box we have, where we can modify permissions, ownerships, groups, etc. at will.
If you are in a shared hosting solution, I hope your hosting sets things up properly, so you will be able to avoid most of the cases where you need to do a chmod 777 in order to have apache writing stuff to folders that you, as a user, created. It is not that difficult, as you see!

Unfortunately most of the times they set things like this:

  1. apache is in its own group: apache
  2. user accounts are in their own group: foo
  3. stuff created by users, and the very folder for the user files, do not have the GID bit

So apache can read stuff which users upload, but it can't modify or write to those folders because apache and the user are in different groups. And the traditional solution is to give write permission to everybody. Which, if you have attacks like this one, may allow the attacker to modify the whole hosted tree, which proves that using chmod 777 systematically is a Very Bad Idea.

20061003 Becoming a sudoer again

Some weeks ago I was doing some stuff with our ubuntu machine and I don't know how I managed to do it, but I kicked our one and only user out of the sudoers list. But I didn't really notice until trace told me that the Administration menu was quite empty and most of the options didn't appear anymore :O
But there's still hope!
I found a general indication in the forum thread "Add an account to the sudoers list". I'll detail it a bit so that next time I break it I can fix it even quicker than today :D

Boot ubuntu, using ubuntu's live cd (you'll need to be physically in front of the computer, no VNC or ssh connections will work, so you need a keyboard and mouse connected to the computer).

Then once it's booted, open up a terminal and do:

sudo mkdir /myhd

sudo mount -t ext3 /dev/hda1 /myhd

That's for mounting the hard disk on the filesystem. As we need a place where to mount it, I create /myhd and then mount the first partition of my first hard disk there (that's where the linux partition is; you should change it depending on your configuration). Man mount for more info ;)

Don't worry about /myhd, it's in the virtual filesystem which gets created when the livecd is executed, and it will disappear when you close the session.

Sudoers in ubuntu seem to be the ones which are in the admin group (the sudoers file on the mounted disk is where you can confirm which groups are granted sudo: group entries there are the lines starting with %). So, for example, when you run the package manager and it asks you for the password, it does so in order to run sudo and effectively give you root privileges temporarily. It also seems that the Admin menu is built depending on the actual privileges of the user, and as the user was not in the admin group anymore, the admin options were not shown. Pretty logical/obvious!
Now we need to edit the /etc/group file of the mounted disk (not the livecd's own /etc/group, which is thrown away on reboot) to add us back to the admin group:

sudo gedit /myhd/etc/group

There was a line which said

admin:x:112:

So I added my user to that line, like

admin:x:112:myuser

If there had been more users, the way to add several users to a group is simply to separate their names with commas:

admin:x:112:myuser,anotheruser

Then I saved the file, crossed the fingers and rebooted the computer - and it worked :) :)

Let's set aside the security of this solution (i.e. anyone with physical access and a livecd can add a user to the admin group) and celebrate that we're back in the sudoers list!
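The edit to the group file, done with a small script instead of by hand, as an added example that is not part of the original post: it finds the group's line, appends the user to the comma-separated member list (handling the empty-list case and not adding someone twice), and leaves every other line untouched. The file path is a parameter so it can point at the mounted disk's copy (e.g. /myhd/etc/group) or at a test copy; the group and user names below are assumed for illustration.

```sh
#!/bin/sh
# Added example, not from the post: add a user to a group in an /etc/group-style
# file. Arguments (assumed): $1 = path to the group file, $2 = group, $3 = user.
# Each line is name:password:gid:member,member,... ; the member list may be empty.

add_user_to_group() {
    file="$1"; group="$2"; user="$3"
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v g="$group" -v u="$user" '
        $1 == g {
            # fourth field is the comma-separated member list; it may be empty
            n = split($4, m, ",")
            present = 0
            for (i = 1; i <= n; i++) if (m[i] == u) present = 1
            # append only if missing; no leading comma when the list was empty
            if (!present) $4 = ($4 == "") ? u : ($4 "," u)
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the member list of a group (the fourth field), e.g. "myuser,anotheruser".
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}
```

On a running system the normal tools are usermod -aG admin myuser or vigr, which lock the file while editing; the script above is for the offline copy reached through the livecd, where those tools would act on the livecd's own files instead.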

Find out the full referrer (with the shell)

Are you fed up with Google Analytics not showing the full referrer url, just something like http://www.example.com/forum/viewtopic.php? So am I; I love to know who's linking me (yeah I'm curious!).

My hosting compresses access logs which reach a certain size, so when I download the access log files I get a bunch of .gz files which I'm not going to uncompress manually… So I went to the terminal and, once in the folder where the log files are, I typed

find . -name "*.gz" -exec gunzip {} \;

Now I have lots of files like access_log.20060929, access_log.20060930, etc. To search for, let's say, a referrer called example.com which I see in GA, I do:

cat * | grep example.com

and that will return the apache log lines where the term appears.

For example:

81.39.91.97 - - [26/Sep/2006:11:27:47 +0000] "GET /index.php HTTP/1.1" 200 9562 "http://example.com/viewtopic.php?t=747" "Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"

It's a bit of a brute force approach as it's searching in all the files (now that I realize it, it's even searching in the compressed files since I didn't remove them yet, haha!). But it's very fast even so!

With a bit more love this could be a rudimentary stats script, but I'm not that much into shell scripting (and I'm trying to force myself to really learn regular expressions so I can do that stats script with ruby instead).
Oh, and I forgot to say this works in any decent shell: linux, mac… I think I could also do it on a windows box with unxutils installed (so that you get the funky stuff like grep, find, cat, etc).
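A first step towards that rudimentary stats script, added here as an example (not the post's own code): it reads rotated logs, decompressing the .gz ones on the fly instead of grepping their compressed bytes, pulls the referrer out of each line of Apache's combined format (the format of the sample line above, where the quoted fields are the request, the referrer and the user agent), keeps the ones matching a domain, and counts how often each full referrer url appears. The domain and file names are parameters; the "-" referrer that direct visits carry is ignored because it never matches.

```sh
#!/bin/sh
# Added example, not from the post: count full referrer urls matching a domain
# across rotated Apache access logs (plain or gzip-compressed).
# Arguments (assumed): $1 = substring to match in the referrer, then the log files.

referrers_from() {
    domain="$1"; shift
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;   # decompress rotated logs instead of grepping gz bytes
            *)    cat "$f" ;;
        esac
    done | awk -F'"' -v d="$domain" '
        # splitting on the double quote, the combined format gives:
        #   $2 = request line, $4 = referrer, $6 = user agent
        index($4, d) { count[$4]++ }
        END { for (r in count) printf "%d %s\n", count[r], r }
    ' | sort -rn
}
```

Typical use would be `referrers_from example.com access_log.*`, which prints one line per distinct referrer url, most frequent first; for a one-off look at the raw lines, zgrep does for .gz files what grep does for plain ones.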

20060904 Internet explorer in linux


IES4Linux is a script which configures wine and downloads and installs IE in your linux box. I know this is an aberration, but it can also help more people switch to linux while still being able to test their sites in the Cancer (i.e. Internet explorer), because of those clients which love to remain in the Paleozoic era of browsers.

You just need Wine and Cabextract, which can be obtained with a simple apt-get or with the fantastic ubuntu Synaptic package manager. Although this is better explained on the IES4linux page!
I'm still very impressed with the performance of this… Last time I tried wine (like 4 years ago) it was horribly slow, and was unable to open the simplest program. Now I am able to start the browser and have a complete view of everything, even run javascript properly; everything works fine. I think it's even more stable than the windows environment :D
There's another advantage over windows: you can install different versions of IE (6, 5.5 or 5) all at the same time. Each one is isolated from the others, so it's the perfect test environment, something you can't get in windows, where it's very complicated to keep different Internet Explorer versions coexisting peacefully in the same partition.

20060901 Authentication failure with Gaim in Ubuntu when trying to use a googletalk account

You have a @googlemail account and each time you try to connect with Gaim it gives you an "Authentication failure"?

Right, instead of entering server=gmail.com as specified in the instructions, enter server=googlemail.com

It's as simple as that… I had already tried installing TLS packages and all sorts of weird suggestions from forums, until I found this subtle detail.

Obviously this will just apply to people in countries where Google had legal issues with the gmail name and had to rename it "google mail", for example the UK.

Enjoy it!