3 I'm setting up TripWire to cut out some unneccessary data from its report. --MichaelLeonhard
7 Well, suitable time to add some comments. We've opened for the public in the meanwhile, and things are looking very good.
8 We've had some problems with backup process bringing the system to a stall, but we've niced it to a lower priority task.
9 Adam's portal is doing its job perfectly well, I am taking care of simpler run-time issues, and generally I am delighted
10 to see the new server a full success. Enjoy a better service, everyone. --DavorOcelic
14 InterServer folks seem to be behaving unethically, and the end product is that they aren't ''really'' offering the backup service that they advertise at the moment. They also won't guarantee that they will ever offer it to us at any future time. We're using a half-assed replacement scheme, documented at BackupServices. Anyway, while this isn't the best way to remove your last to-do item, it removed it all the same, and so we finally reached the point of MemberMigration. --AdamChlipala
18 Just to give some signs of activity. We're waiting for InterServer's backup service to go up again. Once
19 they do that and we set up backups, things will get moving again. --DavorOcelic
23 I got OTP (One-Time Passwords) support working. Basically, all services that use PAM (Pluggable Authentication Modules) to authenticate users will first open up the standard Password prompt, and then, if users just press
24 Enter or type in the wrong password, it will present an OTP challenge.
26 The principle of OTP is that, while you're
27 logged in over ssh from a trusted source, you generate a list of say, 10 one-time passwords. Each time you
28 connect after that, you can skip the standard prompt and type in the one-time password. When you use all
29 one time passwords, you need to access HCOOP from a secure location again, and generate a new list of passwords.
30 So it will be possible to use OTP if you're accessing HCOOP from untrusted machines which may be hacked or
31 have some kind of password logging turned on.
33 Not everyone will want to use OTP, but that is OK. If you want, it's available and it integrates transparently into the infrastructure. --DavorOcelic
37 I think our firewall setup is actually ready to go into use. With lots of help from DavorOcelic, I have gotten per-user firewall rules working, to allow only certain users to listen on a port or connect to a particular port of a particular remote IP address. --AdamChlipala
39 I've modified the Apache log file scheme to put each domain's log files in a separate subdirectory of `/var/log/apache2`, (somewhat) as per TerrenceBrannon's suggestion. --AdamChlipala
43 DavorOcelic got his firewall configuration running in a way that seems to allow all of the "trusted" services that we need. Still to come is support for other user connections, both client and server. --AdamChlipala
47 I just picked off the easy to-do of adding an `addsubuser` script in `/usr/local/sbin`. Run like `addsubuser adamc web`, it calls `adduser` to create `adamc_web`, with flags to give the new user no password or login ability. It also sets an initial `.forward` to `adamc` for `adamc_web`, and helpfully reminds you to give `adamc` sudo rights as `adamc_web`. --AdamChlipala
51 I've modified suphp to impose the same limits. --AdamChlipala
53 I've modified Apache 2 suexec to impose ulimits on scripts, and to give up on scripts after a time-out, killing them and all their child processes. --AdamChlipala
55 I've set up login/cron ulimits, as described on ResourceLimits. --AdamChlipala
57 I've extended dbtool to add Postgres databases. See UsingDatabases. --AdamChlipala
61 Concerning our firewall infrastructure, I made some initial progress. This file takes care about all the standard stuff in our setup.
62 What's left to add, is one chain for each user, which we use for both user traffic-accounting, and user-specific
63 firewall rules. --DavorOcelic
65 Disk quotas are now functional. We've come to the conclusion that user ownership may be different, but group ownership will always point to real file owners. Therefore, we use group quotas. Users can check their quota
66 statistics with ''quota -g'', while administrative overview can be had with ''sudo repquota -ag''. --DavorOcelic
70 I've integrated the old web bandwidth stats page into the portal. I've also replaced the old disk usage page, which was based on reading the results of a daily cronjob which ran `du`, with a slicker one that uses `repquota` output. --AdamChlipala
72 Quick surveys in `#perl` and `#python`, including definitive answers from people who at least think they know what they're talking about, lead me to believe there is no good way to provide secure, multi-user use of mod_perl or mod_python in a shared Apache 2 daemon... so I have removed those from the list. It looks like, if you want these, you'll need to install and run your own Apache daemon. --AdamChlipala
74 I have the portal from Abulafia (both code and current database) up and running here. Things look promising for getting Postgres to run with proper permissions. I'm still waiting for DavorOcelic to update domtool to automate the sorts of permission changes that I made, though. --AdamChlipala
78 After some discussion with DavorOcelic, I set out to modify some permission schemes so that we can account for all of a user's filesystem usage with his group quota. This involved the most wrangling for Mailman. I've summarized the results on DaemonFileSecurity. --AdamChlipala
82 I made the 'dbtool' script (see CVS on [http://www.sf.net/projects/hcoop]) which allows users to
83 manage the databases themselves. Not to repeat myself, see UsingDatabases.
85 This works nicely for MySQL (as you can see from the above page and CVS), but is a little tricky
86 for Postgres. Postgres can't be fooled by symlinks, and we need to use the "tablespaces" feature
89 The only problem with tablespaces is that they force mode 700 on a directory, thus clearing our
90 sgid bit on a directory. As a consequence, files don't belong to the users' group but to
91 a generic group 'postgres', which prevents filesystem quotas from working as we want them.
93 One solution is to have a script that traverses the directory and chgrps the files, but we
94 should see if that would mess up postgres. The other solution is to bend the behavior to our
95 liking and recompile postgres. --DavorOcelic
97 MRTG (link statistics) is up as well. It is dumping output to /var/www/mrtg/ . Make it
98 available over the web somewhere, at members.hcoop.net perhaps. --DavorOcelic
102 Spam``Assassin learning is good to go. I fixed a problem in our Abulafia SA config that was causing a message to be e-mailed to `spamd` at every 5-minute interval when there were no new training messages! I've recorded the (to my knowledge) right configuration procedure at SpamAssassinAdmin. --AdamChlipala
104 Mailman is up. Following our general plan of consolidating disk usage accounting, we're giving ownership of all growing mailing list files to their owning users. I've also improved the exim configuration so it doesn't deliver mail addressed to `somelist@dom1.com` to a list called `somelist@dom2.net`. --AdamChlipala
106 SquirrelMail up, this time running properly inside of the main Apache instance via the squirrelmail Debian package and suphp. --AdamChlipala
108 Webalizer is up and running. I've set a convention for SSL virtual hosts where both the Apache log files and Webalizer directories of SSL host www.dom.net are called `www_ssl.dom.net.<suffix>`. --AdamChlipala
110 Apache SSL is up and integrated with domtool. See VirtualHostConfiguration for details. --AdamChlipala
112 I've installed `mod_suphp` and concluded that to make it work with `/~username` URLs, we need to make `/home` the `DocumentRoot` of `hcoop.net`. Suexec CGI always checks for presence in `/var/www` or `/home/*/public_html/`, while suphp checks for presence in the current vhost's `DocumentRoot`. This means that `mod_suphp` allows direct execution in both userdirs and vhosts, but the required configuration for `hcoop.net` is a pain, and we may need to change it later for security reasons. --AdamChlipala
116 After a suitable amount of wrestling, I think all of the e-mail stuff from Abu is properly replicated, possibly with improvements. The big change is that virtual mailboxes are now owned by the user who owns their domains, meaning that your virtual mailbox contents will count automatically toward your filesystem quota. The big thing not yet set up is any kind of web mail client, but I group that into a separate to-do bucket, anyway. --AdamChlipala
118 The DNS server should be up now. I've submitted a change request at the registrar for one of my little-used domains to begin using our new machine as its primary DNS server, which will allow me to test the setup under realistic conditions. --AdamChlipala
120 To state the obvious, I've gotten the almost-latest version of [http://moinmoin.wikiwikiweb.de/ MoinMoin] installed here. I'm using this wiki as an opportunity to test the proposed new scheme for scripts, where every virtual host script request is proxied to use a `~username` URL. The benefit of this is that Apache suexec has special support for `~username` scripts, which prevents us from needing to give users subdirectories of `/var/www`. This seems to be working now, with only the annoying problem remaining that MoinMoin uses absolute URLs, reverting to the uglier `~username` form. Hopefully I can fix this, and also implement some infrastructure to help us take advantage of the centralized "wiki farm" support in the latest Moins. (Update: Fixed!) --AdamChlipala
122 I've got a proof-of-concept iptables setup running, that will allow us to account for all bandwidth used on a
123 packet level. This is really excellent and fits our idea to run all services under user accounts. --DavorOcelic
127 I've installed domtool from [http://hcoop.sf.net/ CVS]. It was remarkably easy to get the basic stuff working. The only changes so far have to do with our switch to Apache 2 from Apache 1.3, which required using a different directive to indicate which user and group suexec should use for a vhost. --AdamChlipala
131 I spent time installing bits and pieces here and there, most notably the configuration files tracker
132 (changetrack), tripwire, and other stuff. --DavorOcelic
136 I installed disk quotas. By default, each user will have 4 G soft quota, and 5 G hard quota on home directory
137 size. Similarly, each user has a soft number-of-files quota set at 400,000, and hard quota at 500,000. I picked
138 the numbers based on current usage pattern on Abulafia.
140 Additionally, thanks to grsecurity kernel patch, we now have the ability to restrict socket creation and
141 program execution. By adding users to special groups, we can prevent them from creating server, client or
142 any INET sockets. In the same way, we can allow users to only run files from root-owned directories.
144 Regardless of grsecurity, I am planing use the standard Unix groups mechanism to restrict use of the
145 development tools (compilers, most notably). Users who will want access to compilers will be added to
148 Cron and At services will be disabled by default as well. As usual, people needing them will have to ask
149 for them. --DavorOcelic
153 Since we had two disks in the server, and the other one was unused (simply mounted on /backup), I repartitioned
154 it, installed new Debian GNU installation on it (using debootstrap), compiled the kernel, and successfully
155 rebooted into it on the first try!
157 Then I went to move the installation to /dev/hda, thereby replacing the stock setup we got from InterServer.
158 Evertyhing worked fine, and then I went to set up software RAID-1. I made a minor mistake in lilo.conf,
159 and the server didn't want to boot properly. We filled in a Support Ticked at InterServer's site, and in
160 2 hours, John Quaglieri booted the system from the CD, fixed lilo.conf and even performed one additional
161 step regarding RAID-1. I was impressed by his support. --DavorOcelic
165 Our new server is ready to go at [http://interserver.net/ InterServer].
HCoop / hcoop / zz_old / ikiwiki / blob