
Tuesday, 9 September 2014

How to restrict ftp users from getting console access

We have set up an FTP server with several users who also have access to the server through SSH, which is not what we want.
The way we have set up the server is probably not the best one, but it works for us. We have a Debian server on which we create normal users and change their home directory to point to the FTP filesystem, /ftpdata, which is an LVM disk.

So, to remove console access we need to do two things. First, add /usr/lib/sftp-server as a shell to the /etc/shells file:

root@host # echo '/usr/lib/sftp-server' >> /etc/shells

Then change the user's login shell to sftp-server, either by editing /etc/passwd or with:

root@host # usermod -s /usr/lib/sftp-server username
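
A quick audit for the setup above, as an added example that is not part of the original post: it lists accounts whose home is under /ftpdata but whose shell is not sftp-server, and checks that the shell is listed exactly in the shells file, so a misspelled entry fails the check. The function names are hypothetical and the sample passwd and shells contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Paths follow the post's setup.
FTP_ROOT=/ftpdata
SFTP_SHELL=/usr/lib/sftp-server

# Print "user:shell" for accounts in passwd file $1 whose home directory is
# under $FTP_ROOT but whose login shell is not sftp-server.
ftp_users_with_console() {
    awk -F: -v root="$FTP_ROOT" -v want="$SFTP_SHELL" '
        ($6 == root || index($6, root "/") == 1) && $7 != want { print $1 ":" $7 }
    ' "$1"
}

# Succeed only if shells file $1 has a line that is exactly $SFTP_SHELL.
sftp_shell_registered() {
    grep -qxF "$SFTP_SHELL" "$1"
}

# Constructed sample data: alice still has bash, and the shells file
# carries a misspelled entry.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'alice:x:1001:1001::/ftpdata/alice:/bin/bash' \
        'bob:x:1002:1002::/ftpdata/bob:/usr/lib/sftp-server' \
        'carol:x:1003:1003::/home/carol:/bin/bash' > "$d/passwd"
    printf '%s\n' '/bin/sh' '/bin/bash' '/usr/lib/stfp-server' > "$d/shells"
    echo "still have console access: $(ftp_users_with_console "$d/passwd")"
    if sftp_shell_registered "$d/shells"; then
        echo "sftp-server is registered in shells"
    else
        echo "sftp-server is NOT registered in shells"
    fi
    rm -rf "$d"
}
demo
```

On the server itself, pass /etc/passwd and /etc/shells to the two functions.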

Wednesday, 3 September 2014

Create unattended Ubuntu CD

This need came up when we wanted to add a new machine to our infrastructure but it wasn't able to boot from the network, so it couldn't get the standard Ubuntu installation from the TFTP server. To get started, we need an Ubuntu Server edition ISO or an Ubuntu Alternate edition ISO; note that it won't work with the standard Ubuntu Desktop edition.

Now we mount the Ubuntu Alternate ISO on some directory, copy it with rsync to somewhere we can edit it, and give write permissions to some directories:

mount -o loop /home/josep/ubuntu-alternate-12.04.iso /mnt/ubuntu
rsync -av /mnt/ubuntu/ /tmp/ubuntu
chmod -R u+w /tmp/ubuntu/isolinux
chmod -R u+w /tmp/ubuntu/preseed 

Modify the file /isolinux/txt.cfg so that the install entry points to our new preseed:


default install
label install
  menu label ^Install Ubuntu
  kernel /install/vmlinuz
  append  file=/cdrom/preseed/ubuntu-our-preseed.seed locale=en_GB.UTF-8 console-setup/ask_detect=false keyboard-configuration/layoutcode=es vga=788 initrd=/install/initrd.gz quiet --
label check
  menu label ^Check disc for defects
  kernel /install/vmlinuz
  append   MENU=/bin/cdrom-checker-menu vga=788 initrd=/install/initrd.gz quiet --
label memtest
  menu label Test ^memory
  kernel /install/mt86plus
label hd
  menu label ^Boot from first hard disk
  localboot 0x80


And now we add our preseed as /preseed/ubuntu-our-preseed.seed:



# Preseeding only locale sets language, country and locale.
d-i debian-installer/locale string en_GB.UTF-8
d-i debian-installer/country string ES
d-i localechooser/supported-locales multiselect en_US.UTF-8, en_GB.UTF-8, es_ES.UTF-8
# The values can also be preseeded individually for greater flexibility.
#d-i debian-installer/language string en
#d-i debian-installer/country string NL
#d-i debian-installer/locale string en_GB.UTF-8
# Optionally specify additional locales to be generated.
#d-i localechooser/supported-locales multiselect en_US.UTF-8, nl_NL.UTF-8
#
# Keyboard ======================
#
#d-i keyboard-configuration/modelcode skip
# New config
# Disable automatic (interactive) keymap detection.
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/layoutcode string es
#
#
# Network installation
#
# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
d-i netcfg/choose_interface select auto
d-i netcfg/get_nameservers string 192.168.60.9
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string ic3.local
# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
d-i hw-detect/load_firmware boolean true
#
# Time ==========================
#
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true
# You may set this to any valid setting for $TZ; see the contents of
# /usr/share/zoneinfo/ for valid values.
d-i time/zone string Europe/Madrid
# Controls whether to use NTP to set the clock during the install
d-i clock-setup/ntp boolean true
# NTP server to use. The default is almost always fine here.
d-i clock-setup/ntp-server string 1.es.pool.ntp.org
#
# MIRROR ==========================
#
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string Spain
d-i mirror/http/hostname string es.archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
d-i mirror/http/proxy string
.
.
.
. 


At this point we just need to recreate the ISO image:



mkisofs -r -V "auto-ubuntu-minimalvm" -cache-inodes -J -l -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o /home/josep/ubuntu-our-refurbished-image.iso /tmp/ubuntu
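
Two checks worth running on the edited tree before mkisofs, as an added example that is not part of the original post: that every preseed file referenced from txt.cfg exists in the tree, and that each preseed entry carries a debconf type in its third field. The function names are hypothetical and the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: checks on the edited CD tree.

# Print preseed files that txt.cfg references as file=/cdrom/... but that are
# missing from tree $1 (/cdrom is the root of the CD during installation).
missing_preseeds() {
    tree=$1
    grep -o 'file=/cdrom/[^ ]*' "$tree/isolinux/txt.cfg" | sort -u |
    while IFS= read -r ref; do
        rel=${ref#file=/cdrom/}
        if [ ! -f "$tree/$rel" ]; then echo "$rel"; fi
    done
}

# Print "line-number: text" for entries in preseed file $1 whose third field
# is not a debconf type (entries are "owner question type value").
# Comments, blank lines and backslash-continued lines are skipped.
bad_preseed_lines() {
    awk '
        cont { cont = /\\$/; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { cont = /\\$/ }
        $3 !~ /^(string|boolean|select|multiselect|password|note|text|error|title)$/ {
            print NR ": " $0
        }
    ' "$1"
}

# Constructed demo tree: the seed file has the wrong name and one entry
# lacks its type.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/isolinux" "$t/preseed"
    echo '  append  file=/cdrom/preseed/ubuntu-our-preseed.seed quiet --' \
        > "$t/isolinux/txt.cfg"
    printf '%s\n' '# Time' 'd-i time/zone string Europe/Madrid' \
        'd-i clock-setup/utc true' > "$t/preseed/other.seed"
    echo "$t"
}

tree=$(demo_tree)
echo "missing preseed: $(missing_preseeds "$tree")"
echo "malformed entry: $(bad_preseed_lines "$tree/preseed/other.seed")"
rm -rf "$tree"
```

With the tree from this post, call missing_preseeds /tmp/ubuntu and bad_preseed_lines /tmp/ubuntu/preseed/ubuntu-our-preseed.seed; both should print nothing.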



Thursday, 5 June 2014

500 OOPS: Vsftpd: Refusing to Run With Writable Root Inside Chroot () on Debian

I am currently the GNU/Linux sysadmin of a small company that runs mainly Ubuntu installations on almost all the machines, including servers and workstations. Since the first day I got here I have found so many problems related to Ubuntu that I decided to move the server infrastructure to Debian GNU/Linux, starting with the FTP server.

We were running vsftpd 2.3.5-3 which doesn't allow the users to have write access to their root directory unless

allow_writeable_chroot=YES

is specified. But in order to do so, we need a patched version (2.3.5-10 or above), available through Cyconet.
It is pretty simple to install: we add the repo, install the new version, allow the writable chroot, and restart the server:

echo "deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib" >> \
  /etc/apt/sources.list.d/wheezy-updates.cyconet.list; \
aptitude update; aptitude install -t wheezy-updates debian-cyconet-archive-keyring vsftpd && \
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf && /etc/init.d/vsftpd restart

Monday, 2 June 2014

Mount cifs on Ubuntu fails, permission denied mount error(13): Permission denied

When trying to mount a Synology CIFS share, an error message was shown:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

After making sure the credentials were correct, I found the solution in some forum, which is setting up a flag like this:

echo 0x27 > /proc/fs/cifs/SecurityFlags

And adding the domain and sec parameters when mounting it using fstab:

//192.168.60.24/ic3data/jandres /ic3data cifs username=jandres,password=secret,domain=WORKGROUP,iocharset=utf8,sec=lanman  0     0
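
To see what a SecurityFlags value such as the 0x27 above actually permits, here is a small decoder, added as an example that is not part of the original post. The bit values are the ones listed for SecurityFlags in the kernel's CIFS README; the function names are hypothetical and 0x07 is only a constructed comparison value.

```shell
#!/bin/sh
# Added example, not from the original post. Bit values are the ones listed
# for SecurityFlags in the kernel's CIFS README.

# Print the mechanisms a SecurityFlags value permits; a mechanism whose
# "must use" bit (the "may use" bit shifted left by 12) is also set is
# marked "(required)".
decode_cifs_flags() {
    flags=$(( $1 ))
    out=""
    for entry in 0x01:signing 0x02:ntlm 0x04:ntlmv2 0x08:kerberos \
                 0x10:lanman 0x20:plaintext
    do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( flags & $bit )) -ne 0 ]; then
            if [ $(( flags & ($bit << 12) )) -ne 0 ]; then
                name="$name(required)"
            fi
            out="$out $name"
        fi
    done
    echo "${out# }"
}

# Succeed if the value permits the weak mechanisms (lanman or plaintext).
cifs_flags_allow_weak() {
    [ $(( $1 & 0x30 )) -ne 0 ]
}

for v in 0x27 0x07; do
    if cifs_flags_allow_weak "$v"; then
        verdict="weak auth permitted"
    else
        verdict="no weak auth"
    fi
    echo "$v: $(decode_cifs_flags "$v") -> $verdict"
done
```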

Tuesday, 29 April 2014

Rsync option to ignore permissions

rsync -rltzuv /source root@destination:/backup

Tuesday, 22 April 2014

SVN Warning: post-commit FS processing had error 'attempt to write a readonly database'.

When committing changes to the SVN server this error popped up. It doesn't seem to be affecting the commits; however, I wanted to fix it. With a little bit of googling I found out that rep-cache.db inside each repository was missing the right permissions.

root@molly:/srv/svn/turing# ll db/
total 56
drwxrwsr-x 6 www-data subversion 4096 Apr 22 14:05 ./
drwxrwsr-x 7 www-data subversion 4096 Apr 22 14:04 ../
-rw-rwSr-- 1 www-data subversion    2 Apr 22 14:05 current
-r--rwSr-- 1 www-data subversion   22 Apr 14 17:51 format
-rw-rwSr-- 1 www-data subversion 1920 Apr 14 17:51 fsfs.conf
-rw-rwSr-- 1 www-data subversion    5 Apr 14 17:51 fs-type
-rw-rwSr-- 1 www-data subversion    2 Apr 14 17:51 min-unpacked-rev
-rw-r--r-- 1 root     subversion 4096 Apr 14 18:29 rep-cache.db

I got it fixed just by setting www-data as the owner of the file.

chown www-data ../lamport/db/rep-cache.db

So I've done it for every repository that I have. The main directory hangs from /srv/svn and from there I have all the repositories, a different one for each server.

Wednesday, 16 April 2014

Mediawiki Error creating thumbnail: Unable to save thumbnail to destination

After installing MediaWiki on our managed server, I found that thumbnails were not displayed in the wiki because no variable was defined pointing to a temp folder where the thumbnails should go. I may also have had to enable ImageMagickConvertCommand, but I'm not sure. This was my previous LocalSettings.php file:

## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads  = true;
#$wgUseImageMagick = false;
#$wgImageMagickConvertCommand = "/usr/bin/convert";

And this is how it looks after enabling it:

## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads  = true;
$wgUseImageMagick = false;
#$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgTmpDirectory = "$IP/images/temp";