May 2006 Archives

Juliet Kemp


I recently did some rearranging of our network setup, in part with the explicit aim of removing user logon access to several of the servers (both for security and for performance reasons). In general this has worked out fine - we use NFS so that users can still access all the relevant directories. However, the RAID array is used, among other things, for users to back up their laptops to - which means that the server running the RAID array needs to act as an rsync server.

By default these days, rsync runs over ssh. That is great, but it means that simply restricting ssh access on the RAID array machine to the admin (me!) isn’t an option, since rsync would then fail too. I wasn’t keen on running rsync without ssh (as a standalone rsync daemon): not only is that a security issue, but it would also mean keeping another set of usernames/passwords rather than relying on LDAP/Kerberos.

The solution I’ve come up with is slightly clunky but does the trick:

  • ssh is allowed, but only for a subset of users (using the AllowUsers directive in /etc/ssh/sshd_config): those who’ve told me they need rsync backup access.
  • These users are then added to /etc/passwd, with the shell set to ‘/bin/nologin’ (thus overriding the LDAP data). (This and the next step are the slightly clunky parts!)
  • They’re also added to /etc/shadow, with *K* (meaning ‘use Kerberos’) as the password (maintaining two lots of passwords would be Very Bad).
  • /bin/nologin looks like this:
    #!/bin/sh
    # Script to disallow remote login - set as shell in /etc/passwd.
    # sshd runs the login shell as "sh -c '<command>'", so $1 is -c and
    # $2 is the command string that the client's rsync sent.
    # In the expr pattern "." matches any single character, so "..server"
    # matches "--server" and ".raid" matches the leading "/" of the path.
    if (expr "$2" : 'rsync ..server .* .raid' > /dev/null)
    then
        # Refuse anything with a ";" tacked on (a second command).
        if (expr "$2" : '.*;' > /dev/null)
        then
            exit 1
        else
            # Looks like a plain rsync: run the command string through sh.
            /bin/sh "$@"
        fi
    else
        echo "***********************************"
        echo "*        No login allowed!        *"
        echo "***********************************"
        exit 1
    fi
    

The trick I used for finding the command that’s actually being sent (which is not the same as the command you type on the command line) was first to set up /bin/nologin simply as

    #!/bin/sh
    # Temporary login shell: record the arguments sshd passes in
    # ($1 is -c, $2 is the command string) and exit.
    echo "$@" > /tmp/command
    exit

and then examine /tmp/command on the rsync server after running one rsync from a client.

Note that this doesn’t look terribly hard for shell escapes: it catches an extra command chained on with ‘;’ - e.g. rsync directory/ "server:/data/directory/;rm -rf /" - but not the same thing done with ‘&&’, ‘|’, backticks or $(...), all of which the /bin/sh "$@" line would run just as happily. I’m using this in a local-access-only setup with a small number of reasonably trusted users, not on a machine that’s open to the world at large, so I’m prepared to accept more compromises than I would if the circumstances were different.

Also note that, unfortunately, rsync doesn’t handle echo statements well, so there is no message to the user if they are misusing rsync (whether deliberately or accidentally). Again, in my case this is fine, as a legitimate user behaving legitimately will just contact me.
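As an added example (this is not the /bin/nologin script from the post, nor anything the author ships), here is a stricter rsync-only login shell in the same spirit. It assumes, which the post does not say, that each user’s backups live under /data/backup/<username>, that rsync is at /usr/bin/rsync, and that sshd has set $USER to the login name. Rather than pattern-matching a prefix and then hunting for ‘;’, it takes the command string apart word by word: any word containing a character outside a small allow-list is refused, so ‘;’, ‘&&’, ‘|’, backticks and $(...) all fail the same test; every path after the ‘.’ must sit inside the user’s own tree, so a second source path smuggled in after the legitimate one (which in --sender mode rsync would happily send back to the client) is refused too; and rsync is exec’d directly with the validated words, so no shell ever interprets the string. Refusals are written to stderr, which ssh delivers to the user’s terminal rather than into the stdout stream rsync uses for its protocol, and every decision is logged with logger, which also replaces the /tmp/command trick for seeing what was sent.

```shell
#!/bin/sh
# rsync-only login shell: added example, not the /bin/nologin script from
# the post. Install it as the user's shell in /etc/passwd; sshd then runs it as
#   rsync-only -c 'rsync --server -logDtpre.iLsf . /data/backup/alice/laptop'
# Assumptions (not from the post): backups live under BACKUP_ROOT/<user>,
# rsync is at RSYNC_BIN, and sshd has set USER to the login name.
BACKUP_ROOT=/data/backup
RSYNC_BIN=/usr/bin/rsync

# rsync_cmd_ok CMD USER: return 0 if CMD is a plain "rsync --server" invocation
# whose every path argument lies under BACKUP_ROOT/USER, else return 1.
rsync_cmd_ok() {
    cmd=$1
    user=$2
    [ -n "$user" ] || return 1

    # Split the string into words with globbing off (no "*" can expand).
    set -f
    set -- $cmd

    # Allow-list the characters of every word instead of hunting for ";":
    # anything that could chain, substitute, redirect or quote
    # (; & | ` $ ( ) < > " ' and so on) is simply not on the list.
    for w; do
        case $w in *[!A-Za-z0-9_.,=/-]*) return 1 ;; esac
    done

    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2

    # rsync's server-side syntax is:  options... "." path...
    while [ $# -gt 0 ]; do
        case $1 in
            -*) shift ;;
            *)  break ;;
        esac
    done
    [ "$1" = . ] || return 1
    shift
    [ $# -ge 1 ] || return 1

    # Every remaining word is a path; each must stay inside the user's tree
    # and contain no ".." to climb out of it. Checking all of them matters:
    # with --sender, extra paths here would be sent back to the client.
    for p; do
        case $p in
            *..*) return 1 ;;
            "$BACKUP_ROOT/$user"|"$BACKUP_ROOT/$user/"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Act as a login shell only when sshd hands us "-c <command>"; an
# interactive login (no arguments) just falls off the end with no shell.
if [ "$1" = "-c" ]; then
    if rsync_cmd_ok "$2" "${USER:-}"; then
        logger -t rsync-only "accept ${USER:-?}: $2"
        set -f
        set -- $2                 # same safe split as in rsync_cmd_ok
        shift                     # drop the word "rsync"
        exec "$RSYNC_BIN" "$@"    # rsync gets the validated words directly
    fi
    logger -t rsync-only "refuse ${USER:-?}: $2"
    # stderr, not stdout: stdout is rsync's protocol channel.
    echo "rsync-only: only rsync into $BACKUP_ROOT/${USER:-<user>} is allowed" >&2
    exit 1
fi
```

The allow-list is deliberately tight: a destination path containing a space, or any character outside A-Z, a-z, 0-9, underscore, dot, comma, equals, slash and hyphen, is refused, so if users need such paths the list has to be widened on purpose rather than by accident. Because rsync is exec’d with the split words and never via /bin/sh, the only thing left for an attacker to play with is rsync’s own option parsing inside the user’s directory.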

Caitlyn Martin


On May 15th Mark Golden wrote an article for the Wall Street Journal titled Out The Window where he posed the question: “Can the ordinary user ditch Windows for Linux?” His conclusion, in most cases, is a resounding no. Sadly Mr. Golden’s methodology in trying out Linux for his article bears little resemblance to what an ordinary user trying out Linux would likely do. Indeed, his approach almost guaranteed his results.

Mr. Golden purchased a copy of Linux for Dummies, an excellent book which, as Mr. Golden correctly points out, included a DVD with six outdated versions of Linux distributions. Mr. Golden actually claims these are different “operating systems built around Linux technology” which is incorrect. Linux is Linux. The presentation and tools of different distributions may vary but the same underlying code is in all of them and the same software will work on all. Further, Mr. Golden correctly points out that he could have freely downloaded a current version of five of the included distributions but chose not to do so. Linux development proceeds at a much faster pace than Windows development. If Mr. Golden had worked with current versions some of the issues he ran into might have been avoided, particularly hardware detection of graphics and sound cards.

Mr. Golden asserts that “…getting some of the systems to work required more time and effort than I was willing to exert.” This is perfectly reasonable and is an attitude that would be shared by ordinary users. However the ordinary user would likely pick one distribution that was recommended to them rather than divide their time between six. I suspect had Mr. Golden chosen one popular distribution and stuck with it he could have had everything working. He himself conceded that solutions exist for virtually every problem he encountered.

The other flaw with Mr. Golden’s methodology was picking up a book and pretty much going it alone. When he did ask for help he called software manufacturers. That’s perhaps the correct way to do things in the Windows world and it might also make sense for a newcomer to Linux in a very rural part of Montana or Wyoming. For most of us who live in small, medium, and large cities there are a plethora of Linux Users Groups, or LUGs, that encourage and assist newcomers. Many have “install parties” where an ordinary user could have brought a laptop like the one Mr. Golden used and received knowledgeable assistance that would have gotten everything working in short order.

Carla Schroder


This is one of the funniest stories I’ve ever read, the tale of how a well-meaning do-gooder corrupted an 86-year old great-grandmother. She went from innocent Web surfing to hacking the entire Senior Assisted Living Center to becoming an enthusiastic, unrepentant music pirate.

“I turned an 86-year-old Marlboro-smoking, Chrysler Sebring Convertible-driving, Pinochle-playing, Maroon-Five-listening Great Grandmother into a music pirate. An enthusiastic one at that. I should be ashamed of myself. I’m not, but at least I have morals enough to know I should.”
86 Year Old Great-Grandmother Hoists The Jolly Roger

Caitlyn Martin


Last December I blogged about the uproar Linux creator Linus Torvalds had caused by posting on the gnome.org Usability list his extreme dislike for the direction the Gnome developers had taken with the UI. For those of you who may have missed his original post the high point follows:

This “users are idiots, and are confused by functionality” mentality of Gnome is a disease. If you think your users are idiots, only idiots will use it. I don’t use Gnome, because in striving to be simple, it has long since reached the point where it simply doesn’t do what I need it to do. Please, just tell people to use KDE.

As the thread went on Linus became even more colorful in his criticism, calling the Gnome developers “interface Nazis” and citing examples of how Gnome’s UI makes it take longer to do things. At the time I agreed with the eminent Mr. Torvalds wholeheartedly.

Why rehash this now? A number of people have written to me about the wonders of Gnome 2.14. One reader of my review of Fedora Core 5 here on O’Reillynet went so far as to suggest that the performance improvements I was seeing were because of the wonderful new Gnome code. They aren’t. Carla Schroder, the author of the absolutely wonderful Linux Cookbook, was one of two people to praise the alacarte menu editor. Carla is usually right on about all things Linux, so I tried it. Sadly, on my systems running Fedora it seems very broken. I really wanted to like the new Gnome. Honestly, I did. Gnome generally consumes fewer resources and less memory than KDE, and that, combined with excellent internationalization and localization, made it worth another long look. Sadly, I came away feeling every bit as frustrated with Gnome as I had been with previous versions.

The good news is that in Fedora Core 5 the performance improvements do result in a snappier, crisper KDE. On a modern system with significant resources I will repeat Linus’ sage advice: Just use KDE. For those of us dealing with embedded systems, nano-ITX technology, or older systems with limited resources, KDE may not be an option. The good news is that other alternatives just keep improving. Some are reaching the point where they are worth looking at even on a well equipped high end system. The idea that the “desktop wars” are strictly a Gnome vs. KDE battle may be a bit passé.

chromatic


The Linspire Linux distribution gets a lot of attention for its so-called pragmatic view on device drivers. The idea seems to be that making an easy-to-install and easy-to-use Linux distribution and getting many people to use it will be good for Linux and open source and free software.

I do agree that the more people who use free software, the greater the argument for hardware manufacturers to provide drivers.

However, Linspire’s approach is a mistake, at least in part.

Juliet Kemp


Anyone who administers boxes that are always online is familiar with the experience of finding their logs clogged with script-kiddie attempts to brute-force passwords. Despite being pretty unsophisticated, and unlikely to be a serious security problem (provided you’re enforcing a reasonable password policy), they’re still a nuisance. This article discusses a very good way of limiting connections via iptables, using the ‘recent’ module, so that clients who try to connect too many times in a short space of time are denied access.

I’ve been using this for somewhere between 6 and 12 months, and been very happy with it. However, after a recent upgrade, ssh started to act up on certain machines - all connections, even from machines on the local subnet, were refused. Experimentation revealed that this was due to the iptables ‘recent’ rules.

There’s a discussion of exactly what happens here, and it’s also been reported as a Debian bug (however, I can confirm that it also affects at least RHEL4 on its current kernel). Looking at the files in /proc/net/ipt_recent (which is where the module keeps track of the relevant data), this is exactly what I was experiencing.

It’s been fixed in 2.6.12 and upwards; unfortunately, the current Debian stable kernel is 2.6.8 (the current RHEL4 is 2.6.9). Solutions: either remove the ‘recent’ rule for the moment and live with the script-kiddies (as mentioned above, you should be enforcing decent password policies…); or use apt-get pinning (on Debian) to upgrade your kernel; or be prepared to reboot every 25 days…
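As an added example (not the linked article’s rules and not the author’s own), here is the ‘recent’-module throttle described above written out as a shell function, with the one addition a practitioner would want after reading this post: an ACCEPT for a trusted local subnet that sits in front of the recent rules, so that whatever state the recent list gets into, hosts on the LAN are never judged by it. The subnet, the 60-second window and the hit count of 4 are assumed values. IPT defaults to the real iptables binary; set IPT=echo to print the rules instead of loading them. The second function prints the module’s own view of the list (the post looks at /proc/net/ipt_recent; newer kernels put the same files under /proc/net/xt_recent).

```shell
#!/bin/sh
# Added example, not the article's or the post's own rules: throttle
# brute-force SSH logins with the iptables "recent" match.
# IPT defaults to iptables; run with IPT=echo to print the rules instead of
# loading them. The subnet, window and hit count below are assumed values.
ssh_ratelimit_rules() {
    trusted_net=${1:-192.168.1.0/24}   # never throttled (assumed LAN)
    window=${2:-60}                    # seconds
    hits=${3:-4}                       # new connections allowed per window
    ipt=${IPT:-iptables}

    # 1. Trusted hosts skip the throttle entirely. This goes first, so a
    #    misbehaving recent list cannot lock the LAN out of the box.
    "$ipt" -A INPUT -p tcp --dport 22 -s "$trusted_net" -j ACCEPT
    # 2. Every new SSH connection stamps its source address into the "ssh" list.
    "$ipt" -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --set
    # 3. If that address already has $hits stamps within $window seconds,
    #    drop it. --update also refreshes the stamp, so a client that keeps
    #    retrying stays blocked until it has been quiet for a full window.
    "$ipt" -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --update --seconds "$window" --hitcount "$hits" -j DROP
    # 4. Everything else reaches sshd.
    "$ipt" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Print the kernel's view of the "ssh" list: one line per tracked source,
# with its stamps. Returns 1 if the module has not created the file yet.
ssh_recent_list() {
    for f in /proc/net/xt_recent/ssh /proc/net/ipt_recent/ssh; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    return 1
}
```

Load the rules with something like `ssh_ratelimit_rules 192.168.1.0/24 60 4` from the script that builds the rest of the INPUT chain; rules 2 to 4 must follow rule 1, and all four must come before any general DROP policy. This only changes what happens when the module works: on a kernel older than 2.6.12 the failure the post describes still applies, and the trusted-net rule simply limits who it can lock out.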

Caitlyn Martin


One of the nice things about Linux is that you can take an old laptop and make it new again, at least as far as the software is concerned. I took a pair of Mitsubishi Amity CN subnotebooks, very small 133MHz Pentium machines with 48MB of RAM, and installed Damn Small Linux (a/k/a DSL) on them. They now run modern lightweight apps and a version of an operating system that is being actively maintained and developed.

There are at least half a dozen mini-distros I could have used. My favorite, Austrumi, sports a 2.6.14 kernel and a really well thought out desktop but lacks wireless support, something I want on a laptop. DSL still runs a 2.4.26 kernel but it does have very decent wireless support and a fair selection of applications, both as part of the core 50MB distribution and as extensions, packages easily added onto the core system. I could have gone with the brand new DSL-N and had a 2.6.x kernel but none of the extensions have been updated to work on it yet. DSL extensions offered in .uci format (Universal Compressed ISOs) allow me to add apps, libraries, and development tools while still conserving what little RAM I have.

Probably the best thing about DSL is their frugal install, basically a Knoppix poorman’s install where the 50MB iso image is run much the way a live CD would run but with the speed of a hard drive. It also loads as much as it can into a RAM disk and surprisingly that works out really well even with only 48MB of memory to work with. Frugal is more than just poorman’s: It boots directly from grub or lilo with whatever options you need for your hardware, and, perhaps more importantly, allows for persistent /opt and /home directories, allowing you to drop in a new version of the OS easily while preserving data and add-on software. It’s also nice from a security standpoint since the OS lives in a read-only filesystem and executes from RAM.

The net result is that my ancient little laptops are pretty fast at most things and very useful again.

Carla Schroder


Kids these days, with their lo-fi iTunes and iPods and ringtones (that they pay money for!!) and mp3 collections. Why, I remember the early days of the Diamond Rio, one of the first portable digital music players, and even then I stuck my nose in the air and scoffed. If I want to listen to horrid low-quality low-fidelity tunes, I said to myself, I’ll go fire up the 8-track in my antique Datsun. Lossy formats and crappy little tiny speakers, bah.

I’m still not into lo-fi music players, or trying to make my poor little PC do everything in the world. I have all these nice electronics in my living room for playing music and movies with good-quality sound and video. But there is one newfangled method of delivering music that I have come to like a lot: Internet radio. (I know it’s not radio, but since we still dial our touch-tone phones, I am comfortable with saying “Internet radio.”)

Broadcast radio long ago ceased to be interesting or relevant. Or, to put it in terms suitable for us cranky old audiophiles, it became a poo-ridden wasteland. I swear if I hear “Stairway to Heaven” one more time I’m going to go nukular. Nothing ruins a good song like playing it to death, then flogging its poor little corpse to the end of time.