Too Far Afield

From a recent conversation with an IT department of a big company:

Coworker X: I have not had access to the directories of my department on the server since you changed permissions last week.
Help desk: Let me see. Your username was…?
Coworker X: UserX
Help desk: Ah, I see. We didn’t have your password on file in our big password database where we keep the passwods of all employees and that’s why we were unable to upgrade your permissions. What was your password again?

No comment. Emphasis mine.

Wichtige technische Information für alle Kanzleien, die seit Donnerstag, den 23.März unerwünscht Emails von Rechtsanwalt Stoffels aus Paderborn erhalten!

Ursache für den unaufhörlichen Versand ist mit sehr großer Wahrscheinlichkeit ein Softwarefehler im Microsoft Small Business Server 2003.

Further information here and here [via Udo Vetter]. I can only guess why there are still people who take the burden to use and administer Microsoft server software. Better use Linux in the first place. Doh! Of course you should never send mail to people, who did not opt into your newsletter in the first place. Even lawyers, who have never heard of BCC, should know, that this is illegal in Germany.

The Readings page has been updated.

She, yes, she, sent me an email tonight. Unexpected, but not unappreciated. Mr. S. has left his work space forever (not that Mr S. by the way). And the weather is good.

Na dann: Happy Birthday.

Pure-FTPd is a free (BSD), secure, production-quality and standard-conformant FTP server. It doesn’t provide useless bells and whistles, but focuses on efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers.

The goal of this post is to replace an existing ProFTPd installation on one of our Debian Stable (Sarge) systems with a fully-functional Pure-FTPd installation. The MySQL database used for ProFTPd user management should remain unchanged to keep customers happy.

Installation

Debian comes with a number of different Pure-FTPd packages. As we want MySQL support, we install the pure-ftpd-mysql package. There is one problem with the package, though: It removes our existing ProFTPd packages. That means you should probably test deployment of Pure-FTPd on one of your test boxes first, before rolling it out on your production server.

1. apt-get install pure-ftpd-mysql

When asked, choose standalone mode. As Pure-FTPd is started automatically after the installation of the packkage, you may want to stop it until you have configured everything according to you needs.

1. /etc/init.d/pure-ftpd-mysql stop

Basic configuration

Have a look at the PureFTPd configuration directory. Configuration is stored in /etc/pure-ftpd/conf and each file represents one configuration option. The name of the file is the name of the configuration option and the first line of the file is the setting of the configuration option. You want to delete the PureDB file as we don’t need that one and edit the PAMAuthentication file to say no. That disables PAM authentication. Have a look at your system configuration and edit the MinUID file if you require user ids beyond 1000.

MySQL database and configuration

I will now show you the structure of our existing MySQL database for ProFTPd. Yours may be different. If you don’t have a MySQL database you can keep the standard layout proposed by Pure-FTPd documentation (see /usr/share/doc/pure-ftpd-mysql/). Our database structure looks something like this:

1. CREATE TABLE `users` (
2. `id` int(10) unsigned NOT NULL auto_increment,
3. `username` varchar(150) NOT NULL default '',
4. `uid` smallint(5) unsigned NOT NULL default '1003',
5. `gid` smallint(5) unsigned NOT NULL default '1502',
6. `groupname` varchar(20) NOT NULL default 'ftp',
7. `password` varchar(15) NOT NULL default '',
8. `shell` varchar(15) NOT NULL default '/bin/false',
9. `homedir` text NOT NULL,
10. `status` int(2) NOT NULL default '1',
11. `added` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
12. PRIMARY KEY (`id`),
13. UNIQUE KEY `username` (`username`)
14. ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=17 ;

We will now edit the Pure-FTPd MySQL configuration file so that we can reuse the layout of this database. Open the file /etc/pure-ftpd/db/mysql.conf.

1. MYSQLUser your_username
2. MYSQLPassword your_password
3. MYSQLDatabase your_database
5. # how passwords are stored. in our case: crypt
6. MYSQLCrypt crypt
8. MYSQLGetPW SELECT password FROM users WHERE username='\L' AND status='1'

9. MYSQLGetUID SELECT uid FROM users WHERE username='\L' AND status='1'

10. MYSQLGetGID SELECT gid FROM users WHERE username='\L' AND status='1'

11. MYSQLGetDir SELECT homedir FROM users WHERE username='\L' AND status='1'


This should get you going. We basically use the format proposed by the Pure-FTPd documentation. Only the names of the fields are adapted to fit our existing database layout. Checking the status field in every query to the database enpowers you to disable certain FTP accounts without deleting the account information from the database. This might be useful for security reasons or if you are a hosting provider and you want to put some pressure on customers that do not pay their bills.

As you might have guessed, you only need the fields username, password, uid, gid and homedir for Pure-FTPd to work. status is not really neccessary, but is quite useful for day-to-day administration. So is the added field. Both the groupname and the shell fields, however, might be dropped from the database entirely after a successul migration.

Advanced MySQL options

You might want to add fields to implemet virtual quota or bandwidth restrictions. Those features are well documented by Pure-FTPd and are not discussed in this post.

Advanced configuration

You might want to evaluate some other configuration options.

If you want Pure-FTPd to listen to a specific IP address only, create a file called Bind in the configuration directory containing the IP address in question followed by a comma and the port Pure-FTPd should use, for example 192.168.0.1,21 for the IP address 192.168.0.1 and the port 21.

For security reasons, you probably also want to chroot each user to its home directory. To accomplish this, create a file called ChrootEveryone with the content yes.

If you are a webhosting provider, consider setting the option CustomerProof to yes. This prevents your users from making bad chmod commands, that would deny access to files or directories to themselves. Also consider setting DisplayDotFiles to yes to display dot files at all times, regardless of the ls command issued by the client.

If you want to display a message at connection time, create a file called FortunesFile containing the path to the file, that contains the contents to be displayed.

Useful options to prevent denial of service attacks (DoS) include MaxClientsPerIP to limit the number of clients that can be connected from one IP address at the same time and MaxDiskUsage that defines a maximum percentage of used disk space on your hard drive beyond which further uploads are denied automatically.

Possible problems

You might experience problems, if you use special characters in your usernames. For example, # is not allowed and access is denied without a log message stating why. If you are on a test server and the MySQL log is enabled, you can see that in those cases, where a username contains illegal characters, Pure-FTPd does not try to fetch data from the database, but otherwise you can’t tell. See Pure-FTPd documentation for a list of characters that are not allowed in usernames.

Ready, set, go!

You can now start your server and test everything to death.

1. /etc/init.d/pure-ftpd-mysql start

Yesterday I needed to go downtown to get the new KVV from Lehmanns (free of charge, by the way). I had found 20 Mark some time ago and because I was downtown anyway, I went to Willy-Brandt-Straße 73 (formerly Ost-West-Straße), where the Hamburg subsidary of Deutsche Bundesbank is located. They have guaranteed that all DM cash may be changed into Euros forever.

Banknotes in question.

The federal bank is a big black building with a lot of cameras all over the place. The cashpoint is on the second floor. There are three elevators ready for use. The elevator system differs a bit from the standard, though. Instead of waiting for an elevator and pressing a destination button inside, you press the destination button when you’re still outside and the elevator system tells you, which elevator you should enter. This is a great concept, but the usabiliy is still bad. People are not used to the system and hop right in once an elevator opens its doors. That means they eventually end up in the wrong elevator, which is not so nice at all.

Wir kauften am heutigen Tage von Ihnen an

From our support mailbox (IMAP is a nice technology):

1. Mr. X schrieb:
2. > irgendetwas Besonderes muss mit dem FTP-Server passiert
3. > sein. Er ist jetzt - wie früher - sofort da, wenn er
5. ja, da müssen wohl die HeinzelmännchenNachtarbeiter wieder mal am Werk gewesen sein...

Sorry, but when I found this email from one of our support people I thought this was just too sweet. I needed to blog that.

Today is the official Frühlingsanfang, or first day of spring. And guess what? The amount of snow on top of the hedgerows in our garden is actually getting smaller. It’s still quite a bit, though.

I just moved a 12 GB large backup file from the /root directory to a users home directory and it took less than a second. On the same physical hard disk though. A few weeks ago I did the same on a clients Windows box and it took ages (acutally: around 56 minutes). That’s why I love Linux.

I just got an invoice from a new service partner. Guess what? I was shocked. Guess why? No, the invoice was correct. At least it wasn’t too much…

Der Rechnungsbetrag entspricht DM… I mean, are we still in 2000 or what? Isn’t this a bit backward? A minute ago, I thought that 38 Euro was a fair price, but now I think that 75 Deutsche Mark is a bit much. Okay, some people still calculate everything in Mark. At least one of our customers does. So this might seem like a good service to those people. But to me, it just seems like a backward company, who didn’t even bother to update their accounting system in 5 years…

It’s done. The two Signum cable channels I bought in Oktober of 2005 have just been attached to the bottom of my table. Here’s a picture:

Now I just need to clean up the Kabelsalat…

Every once in a while I need to select a cutout from a photo using The GIMP. Often the size of the cutout is predefined. What are you doing to ensure you select the right part of the image? You guess how big the selection has to be to accommodate the predefined size and do a free-hand rectangle selection, right? Wrong. Fixed size rectangle selections to the rescue!

Use the rectangle selection tool. In the Size Constraint Option Menu for the tool choose Fixed size and give width and hight in pixels. You can now press your Alt and Shift keys to only move the marching ants-like border of the selection and select the best part of the image for the cutout.

Missing a recycle bin on your Ubunu Linux desktop? You can get it back in a minute. It’s easy. Press Alt + F2. Enter gconf-editor and press Enter. In the tree navigate to apps/nautilus/desktop.

Set the value of trash_icon_visible to true and save the changes. Congratulations! You should now have a recycle bin on your desktop.

If you run Mozilla Firefox as a regular user on Ubuntu or any other flavour of Linux, it will not update itsself automatically, because it lacks the neccessary system rights to do so.

To update Mozilla Fireofx on Ubuntu Linux just start Firefox with root rights like so:

1. sudo firefox

You can then click the Update Firefox menu option in the Help menu and Firefox will update itsself immediately. Only, if a new version is availlable, of course.

And we’re back now. I’ll publish some new posts soon. Everything went out of control. There should actually be a post written on Janaury 27 telling you about a nice classic concert I had attended earlier that day, but this post never appeared. And it never will. However, we have some other interesting topics coming up. So stay tuned.