Category Archives: Linux

The correct permissions needed on a Linux/Unix system for the /tmp and /var/tmp folders.

The /tmp and /var/tmp directories require different permissions from the other root-level directories. They need to be readable, writable and executable by anyone, but they also need the sticky bit enabled.

The sticky bit means that, whilst anyone can write to the directory, only the owner of a file (and root) can edit or remove it. This is denoted by the 't' in the permissions string below:


# ls -l /tmp
drwxrwxrwt 21 root root 12288 Aug 09 12:37 /tmp

You can set these permissions with chmod by putting a '1' (the sticky bit) in front of the usual 777 all-access directory mode:


# chmod 1777 /tmp
# chmod 1777 /var/tmp
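
The following is an added example, not part of the original post: a small POSIX shell audit for the condition the chmod above fixes, a shared directory that is world-writable but has no sticky bit. It assumes GNU coreutils (stat -c) and GNU find, and it builds a scratch tree under mktemp instead of touching the real /tmp.

```shell
#!/bin/sh
# Added example, not from the original post. Audits world-writable
# directories for a missing sticky bit. Assumes GNU stat (-c) and GNU find.

# Return 0 if $1 is a directory with mode exactly 1777 (world-writable
# with sticky bit), 1 if it is world-writable without the sticky bit,
# 2 for anything else (including "not a directory").
check_sticky_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        1777) echo "$dir: ok (mode $mode, sticky bit set)"; return 0 ;;
        777)  echo "$dir: WARNING world-writable without sticky bit (mode $mode)" >&2; return 1 ;;
        *)    echo "$dir: mode $mode"; return 2 ;;
    esac
}

# List every directory under $1 (same filesystem only) that is
# world-writable (o+w) but lacks the sticky bit, i.e. candidates for
# "chmod 1777" or for not being world-writable at all.
find_unsticky_worldwritable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Demonstration on a constructed scratch tree instead of the real /tmp.
demo() {
    base=$(mktemp -d)
    mkdir "$base/shared-ok" "$base/shared-bad"
    chmod 1777 "$base/shared-ok"
    chmod 777 "$base/shared-bad"
    check_sticky_dir "$base/shared-ok"
    check_sticky_dir "$base/shared-bad" || true
    echo "Directories to fix with chmod 1777:"
    find_unsticky_worldwritable "$base"
    rm -rf "$base"
}

demo
```

To audit a real host, call find_unsticky_worldwritable / instead of the scratch tree; -xdev keeps it from wandering into network or pseudo filesystems.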

How to upgrade to latest version of Ghostscript on Linux/Unix

For a new project, I need to use the latest version of Ghostscript (at time of going to pixel, this is v9.21). However, the CentOS yum install will only give me version 8.7.

Some Googling gave me some helpful answers, including downloading the latest version from the website and then building it manually. Following the instructions required me to open a terminal and type:

./configure

Which would give me the error:

-bash: ./configure: No such file or directory

Turns out, I was downloading the latest x64 binary file from the Ghostscript website (which shouldn't be used in a live, production environment). Actually what I needed was the source files.

So the full instructions to install the latest version of Ghostscript (v9.21) from a terminal session are: download the source tarball, unpack it, and build from inside the extracted directory:

wget https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs921/ghostscript-9.21.tar.gz
tar -zxvf ghostscript-9.21.tar.gz
cd ghostscript-9.21
./configure
make
make install

You should be able to execute and check the version:

/usr/local/bin/gs -v

Which outputs:

GPL Ghostscript 9.21 (2017-03-16)
Copyright (C) 2017 Artifex Software, Inc.  All rights reserved.

Voila.

Quick guide to setting up a VNC Server on CentOS

Install packages
yum install vnc vnc-server

User configuration
This assumes the user has already been created on your system and has a password set.
For a user to be granted VNC access, they must have a VNC password set.
From within that user’s account (or you can su into it, e.g. su vnc_user), run:
vncpasswd
And type in your desired password and confirm.

VNC configuration
Using a text editor, open: /lib/systemd/system/vncserver@.service
Search for <USER> and replace it with the actual required user name.
Example:
ExecStart=/usr/sbin/runuser -l <USER> -c "/usr/bin/vncserver %i"
PIDFile=/home/<USER>/.vnc/%H%i.pid

Becomes:
ExecStart=/usr/sbin/runuser -l vnc_user -c "/usr/bin/vncserver %i"
PIDFile=/home/vnc_user/.vnc/%H%i.pid

Save and exit from the file. Run the following commands:
systemctl daemon-reload
systemctl enable vncserver@:1.service

Test setup
service vncserver@:1 start
service vncserver@:1 stop
If the service starts and stops without any errors, then you are ready to set it to start at boot.

Set to run at bootup
chkconfig vncserver on

Set the window manager
Edit your user’s VNC xstartup file: /home/vnc_user/.vnc/xstartup
Add the following to the bottom of the file:
gnome-session &
Save and close the file.

Add exception to iptables:
Edit /etc/sysconfig/iptables and add the following line:
-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
Save the file and restart iptables:
service iptables restart

Start the VNCServer:
service vncserver@:1 start

Using your client software, you can now connect via the IP address and display number. e.g. 192.168.0.5:1

Enable or Disable PHP Functions For One cPanel Account

Enabling certain PHP functions for all users can be a security risk. However, by creating a user specific php.ini file, the risk can be mitigated for that one (hopefully trusted) user who needs a bit more functionality.

Step 1: Find the main copy of the php.ini file, probably located at /usr/lib/php.ini

Step 2: Copy it to the web root directory of your user.
cp /usr/lib/php.ini /home/<cPanel user>/public_html/

Step 3: Edit the new php.ini file and change the 'disable_functions' line to include or remove whichever functions you want.

Step 4: Create or edit the .htaccess file in the site's root directory and insert the following (the first block points suPHP at the per-user php.ini, the second stops the file being served over the web):
<IfModule mod_suphp.c>
suPHP_ConfigPath /home/<cPanel user>/public_html/php.ini
</IfModule>
<Files php.ini>
order allow,deny
deny from all
</Files>

Voila
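
As an added example that is not part of the original post, here is a POSIX shell helper for Step 3 that lists the disable_functions entries of a php.ini and removes exactly one named function from the list, leaving every other disabled function in place (the risk named at the top of this post comes from re-enabling more than the account needs). It assumes GNU sed (-i) and coreutils paste; the php.ini content in the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists and edits the
# disable_functions directive of a php.ini so that only the one function
# the account needs is re-enabled and everything else stays disabled.
# Assumes GNU sed (-i) and coreutils paste.

# Print the functions named in the active disable_functions line of $1,
# one per line, with surrounding whitespace trimmed. Lines commented out
# with ';' are ignored because the pattern is anchored at line start.
php_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' || :
}

# Rewrite the disable_functions line of $1 without the function named in $2.
# Returns 1 if $2 was not disabled in the first place (nothing to change).
php_reenable_function() {
    ini="$1"; fn="$2"
    php_disabled_functions "$ini" | grep -qx "$fn" || return 1
    newlist=$(php_disabled_functions "$ini" | grep -vx "$fn" | paste -sd, -)
    sed -i "s|^[[:space:]]*disable_functions[[:space:]]*=.*|disable_functions = $newlist|" "$ini"
}

demo() {
    ini=$(mktemp)
    # Constructed php.ini fragment standing in for the copied /usr/lib/php.ini.
    cat > "$ini" <<'EOF'
; constructed sample, not a real php.ini
display_errors = Off
disable_functions = exec, passthru, shell_exec, system, proc_open
EOF
    echo "disabled before:"; php_disabled_functions "$ini"
    php_reenable_function "$ini" proc_open
    echo "disabled after:";  php_disabled_functions "$ini"
    rm -f "$ini"
}

demo
```

Run php_disabled_functions against the copied file afterwards to confirm the remaining list is what you expect before the .htaccess change makes it live.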

How to find files in Linux modified on specific date

The command below will find all *.php files in every directory under /path/to/dir/ modified on 14th June 2015 (i.e. between 00:00 on 2015-06-14 and 00:00 on 2015-06-15, which is why you need both dates).

find /path/to/dir/ -type f -name "*.php" -newermt 2015-06-14 ! -newermt 2015-06-15

Just modify each part of the command to suit your needs!

Install and Setup OpenVPN on CentOS Linux

As it says on the tin, this is how to install OpenVPN on your Redhat based Linux server.

Repo

First ensure you have the Extra Packages for Enterprise Linux (EPEL) repository installed and enabled on your system.

wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh epel-release-7-5.noarch.rpm

Install OpenVPN

First, install the package using Yum:

yum install openvpn

Copy the sample configuration file to where it can be edited and used as the main configuration.

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

Open the new configuration file using your favourite editor.

nano /etc/openvpn/server.conf

Look for this line and uncomment it (i.e. remove the ";") to configure all clients to redirect their default network gateway through the VPN:

push "redirect-gateway def1 bypass-dhcp"

Look for these lines and uncomment them. These IP addresses are those of the DNS servers your VPN clients will use. You can change the IP addresses to, say, Google's public DNS servers if you wish:

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

To improve security, remove the comments on the following lines to reduce the permissions of the OpenVPN daemon:

user nobody
group nobody
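
Added example, not from the original post: a POSIX shell check that the server.conf edits above are actually active (uncommented) before the service is started, so a half-finished edit does not leave the daemon running as root. The directive list mirrors the post's edits; persist-key and persist-tun are added from general OpenVPN knowledge (they keep the daemon working after it drops privileges) and are not mentioned in the post. The configuration files in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that an OpenVPN
# server.conf contains the hardening and routing edits described above as
# active directives. The directive list follows the post, plus persist-key
# and persist-tun, which are needed once the daemon runs as "nobody".

# Print the non-comment, non-blank lines of $1, trimmed.
# OpenVPN config comments start with '#' or ';'.
conf_active_lines() {
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1"
}

# Return 0 if $1 has an active line exactly equal to $2 (fixed string).
conf_has() {
    conf_active_lines "$1" | grep -qxF "$2"
}

# Check every expected directive; print one line per item and return the
# number of missing items (0 means the file is ready).
openvpn_conf_check() {
    conf="$1"; missing=0
    for want in 'user nobody' 'group nobody' 'persist-key' 'persist-tun' \
                'push "redirect-gateway def1 bypass-dhcp"' \
                'push "dhcp-option DNS 8.8.8.8"' \
                'push "dhcp-option DNS 8.8.4.4"'; do
        if conf_has "$conf" "$want"; then
            echo "ok       $want"
        else
            echo "MISSING  $want"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

demo() {
    before=$(mktemp); after=$(mktemp)
    # Constructed: how the relevant lines look in the shipped sample config.
    cat > "$before" <<'EOF'
port 1194
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;user nobody
;group nobody
persist-key
persist-tun
EOF
    # Constructed: the same lines after the edits from this post.
    cat > "$after" <<'EOF'
port 1194
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
persist-key
persist-tun
EOF
    echo "== before edits"; openvpn_conf_check "$before" || echo "missing: $?"
    echo "== after edits";  openvpn_conf_check "$after"  && echo "ready"
    rm -f "$before" "$after"
}

demo
```

Point openvpn_conf_check at /etc/openvpn/server.conf after editing; a non-zero return is the number of directives still commented out or absent.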

RSA Security Keys

OpenVPN versions prior to 2.3 were bundled with EasyRSA; however, it is now a separate project and must be downloaded separately.

Navigate to the OpenVPN folder:

cd /etc/openvpn

Download EasyRSA and uncompress it (alternatively, browse the releases page of the link below to retrieve the latest version):

wget https://github.com/OpenVPN/easy-rsa/releases/download/2.2.2/EasyRSA-2.2.2.tgz
tar -zxvf EasyRSA-2.2.2.tgz

Change into the new EasyRSA-2.2.2 folder and edit the vars file with your favourite editor:

cd EasyRSA-2.2.2
nano vars

Find the below line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

Replace with the following:

export KEY_CONFIG=/etc/openvpn/EasyRSA-2.2.2/openssl-1.0.0.cnf

Find the below KEY_ settings and edit to suit your requirements (find list of country codes here):

export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="London"
export KEY_ORG="TinnedGeek"
export KEY_EMAIL="webmaster@tinnedgeek.com"

Exit and save the configuration file and then prepare to generate the RSA certificate:

chmod 755 *
source ./vars
./vars
./clean-all

Build CA (follow the on-screen prompts):

./build-ca

Build key server (follow the on-screen prompts) and answer ‘yes’ to commit:

./build-key-server server

Build the Diffie-Hellman parameters file (generating it may take a while):

./build-dh

Generate keys to allow clients to authenticate and connect. Generate as many client keys as you need for each client program or device:

./build-key client1

Move into the keys directory and copy the respective files to the OpenVPN directory:

cd /etc/openvpn/EasyRSA-2.2.2/keys
cp ca.crt dh2048.pem server.crt server.key /etc/openvpn/

Disable SELinux

Disable SELinux by editing the SELinux configuration file:

nano /etc/selinux/config

Replace the below:

SELINUX=enforcing

With:

SELINUX=disabled

Routing and IPTables

Create an iptables rule to allow routing of our VPN subnet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Then, enable IP Forwarding in sysctl:

nano -w /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Finally, apply the new sysctl settings, start the server and ensure that it starts automatically on boot:

sysctl -p
service openvpn start
chkconfig openvpn on

Troubleshooting

If you get the following error:

service openvpn start
Redirecting to /bin/systemctl start  openvpn.service
Failed to issue method call: Unit openvpn.service failed to load: No such file or directory.

Then start the OpenVPN server manually:

openvpn /etc/openvpn/server.conf

And voila!

Check whether your partition table uses GPT or MBR

The easiest way to check whether your Linux server uses GPT or MBR for its partition tables is to run the GPT fdisk program (gdisk):

# gdisk -l /dev/sda
(Where /dev/sda is the device being queried)

This will output something similar to the following response where the partition table type is clearly listed:

GPT fdisk (gdisk) version 0.8.6

Partition table scan:
MBR: MBR only
BSD: not present
APM: not present
GPT: not present

***************************************************************
Found invalid GPT and valid MBR; converting MBR to GPT format.
***************************************************************
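
Added example, not part of the original post: a POSIX shell function that reads the same on-disk signatures gdisk inspects, so the answer can be obtained on a host without gdisk installed. A GPT header begins with the ASCII string "EFI PART" at byte offset 512 (LBA 1); a classic MBR ends with the bytes 0x55 0xAA at offset 510. A GPT disk also carries a protective MBR, which is why the GPT signature is tested first. It assumes GNU dd and od; the disk images in the demonstration are constructed files, not real devices.

```shell
#!/bin/sh
# Added example, not from the original post. Reports GPT, MBR or none for a
# block device or disk image by reading the partition-table signatures
# directly. Assumes GNU dd and od. Reading a real device needs root.

# Usage: partition_table_type DEVICE_OR_IMAGE  -> prints GPT, MBR or none
partition_table_type() {
    dev="$1"
    # 8 bytes at offset 512: "EFI PART" marks a GPT header (checked first,
    # because GPT disks also carry a protective MBR with the 55AA signature).
    gpt_sig=$(dd if="$dev" bs=1 skip=512 count=8 2>/dev/null | tr -d '\000')
    # 2 bytes at offset 510: 55 AA is the MBR boot signature.
    mbr_sig=$(dd if="$dev" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$gpt_sig" = "EFI PART" ]; then
        echo GPT
    elif [ "$mbr_sig" = "55aa" ]; then
        echo MBR
    else
        echo none
    fi
}

# Build a constructed 4 KiB image at $1 carrying the signature(s) of
# kind $2 ("mbr", "gpt" or "blank"); used only for demonstration.
make_image() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    case "$2" in
        mbr) printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null ;;
        gpt) printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
             printf 'EFI PART' | dd of="$1" bs=1 seek=512 conv=notrunc 2>/dev/null ;;
    esac
}

demo() {
    for kind in mbr gpt blank; do
        img=$(mktemp)
        make_image "$img" "$kind"
        echo "$kind image: $(partition_table_type "$img")"
        rm -f "$img"
    done
}

demo
```

Against a real disk, run partition_table_type /dev/sda as root; the result should agree with the "Partition table scan" block gdisk prints above.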

Automatically reduce/scale CPU frequency in Linux

I have recently been converting my old computer into a webserver and leaving it switched on in my lounge. After the constantly whirring cooling fan started to bother me, I looked at reducing the CPU frequency in order to reduce heat production (and power consumption).

A bit of research led me to try to install CPUSPEED. However, when I tried to install it via yum, I kept getting a "package not available" error.

I have since found the CPUPOWER package:

yum install cpupower
# cpupower --help
Usage:	cpupower [-d|--debug] [-c|--cpu cpulist ] <command> [<args>]
Supported commands are:
	frequency-info
	frequency-set
	idle-info
	idle-set
	set
	info
	monitor
	help

Not all commands can make use of the -c cpulist option.

Use 'cpupower help <command>' for getting help for above commands.

This is clearly very powerful for controlling the CPU. Read through the help output to find what you need, or for automatic control, set the ondemand governor on all CPUs:

cpupower --cpu all frequency-set --governor ondemand