Sunday, May 01, 2005

CVS: check. Apache....

Holidays have started so I doubt I'll add much for the next week. But last week my investigations of cvs led me back to discworld. Discworld is a MUD and the reason studying cvs led me back there is not going to be explained here. Suffice to say I now feel confident enough about using cvs to put it back on the back burner until I've installed Apache 2.

Once the webserver is looking the way I want it I'll come back to the user/developer access question.

Friday, April 22, 2005

Never mind FTP for now... learn CVS!

That's right. After seeking advice I have reached the conclusion that my proposed scheme - give a group of users r/w access to the webroot directory (including the ability to clobber each other's files) - is no significant improvement over the 'single user' set up we use now.

Naturally I was encouraged to go learn about CVS. I've known about CVS for quite a while now but have put off learning anything about it on account of not being a developer. However it looks like it might really be what I need now. I already have reason to learn on account of my recent interest in wikis. I particularly like tinywiki - (warning: don't follow that link if you're using (or pretending to use) Microsoft Internet Explorer®. You have been warned.)

So for the next little while this freestyle curriculum is going to focus on CVS.

----
Here's my exchange with people in the BSD Forums:

blogger ... more like blocker

Meh, every time I wanted to write an update the blogger engine died on me.

Monday, April 18, 2005

The FTP question

Summary: decided not to install any kind of ftp server for now. Use sftp only (part of ssh).

When the webserver is built I'm going to need to give access to the staff in the department who update content - using Dreamweaver - as well as to our design company.

I want to make sure that each user who accesses the web folders with write access has an individual account (counting the design vendor as a single user). Furthermore I want all login information to be encrypted.

This means that instead of using the default ftp server I'm going to need a secure method of file transfer.

Briefly I considered web-dav, http, sftp and others. The deciding factors are security and ease of use. Ease of use applies only to myself, my office staff and our design company.
  • Dreamweaver 4.0 supports ftp, web-dav and some other proprietary protocols
  • Dreamweaver MX supports the above plus sftp (which actually uses the ssh protocol, not ftp)

When it came time to choose an ftp over ssl server I relied completely on the information on this site: www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html I also referred to a link which convinced me that ftp-ssl was preferable to sftp: www.enterprisedt.com/products/edtftpjssl/faq-answers.html

I've spent several days (over the past two weeks) evaluating ftp-ssl servers and I've gone through considerable trouble learning how to install them (I went with bsdftpd-ssl-1.0.2, a secure FTP server with TLS/SSL support). However, in the process of writing this update in the blog I reviewed the requirements for Dreamweaver. I cannot find any indication that DW supports ftp-ssl after all. So it looks like I'll have to go back to the drawing board and enable sftp.


Partway through the headache of trying to find information in man sshd(8) and sftp-server(8) about setting up sftp I just decided to try it out on a whim. It seems that ssh is already running the sftp subsystem. Hah! I'll try to figure out where this is set later.

As the day wears on I'm getting frustrated. SSH seems like a poor substitute for the functionality of ftp (and the security of ftp-ssl). I'm going to have to step back and look at the problem objectively.

What we love about ftp is that you can specify clear separation of shell accounts vs ftp. In the file ftpusers you can list all accounts and groups that are not allowed ftp access. I put @wheel there. So no account that is able to su is able to log in with ftp.

Also it is easy to set up ftp with chroot so that ftp users can be limited to specific directories. I want my staff and designers to have ftp access to the web documents only. Maybe even only a subdirectory of the web documents. With sftp I'm allowing people ssh access by default. Also they have access to the whole file system.

I think ftp-ssl is clearly more elegant and less complex; however, I am stuck supporting Dreamweaver both in the office and for our vendors.
-------------

After some agonizing I'm sketching in the following plan. I'll go with sftp after all. But I won't use the chroot and I won't deny shell access. chroot() and no shell access introduce more complexity into the system than I'm willing to deal with at the moment. It's better to trust my staff and our design vendor than to risk opening a new security hole by screwing up chroot or jails.

However - to make things simple - the sftp user accounts will all have the web document root as their home directory. At least that makes their job simpler, as by default they will start in the correct directory when they log in either through sftp or ssh.

------------

Okay that's not so simple. Must give these users r/w access to htdocs and below. Also if one user creates a file in the web root will it default to 644 or 755? What they will need is 664 or 775. Hmm.
...
right, umask does this. umask can be set for each user in their profile or for login classes (sic) in /etc/profile or /etc/login.conf - that's the job for tomorrow.

I wonder what everyone else does?
I also wonder what will happen when I start using scripts in web pages. Argh.
I would think - if the users all create files that are group rwx'able and the http server (www) is a member of the same group...? But does anyone ever do this?
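To see the umask question concretely, here is an added example (not from the original post) that shows what modes a file and directory get under the default 022 umask versus 002, and a check for the group write bit that the "www in the same group" idea depends on. It works in a temp directory, so it does not touch a real htdocs.

```sh
#!/bin/sh
# Added example, not from the original post: how the umask decides whether a
# file a staff member drops into htdocs ends up group-writable, plus a check
# for the "group rwx + www in the same group" idea. Uses a temp dir only.

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file and a directory under the given umask and report their modes,
# e.g. modes_under_umask 022 -> "file=644 dir=755".
modes_under_umask() {
    tmp=$(mktemp -d) || return 1
    # Run in a subshell so the umask change does not leak into the caller.
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || return 1
    printf 'file=%s dir=%s\n' "$(perm_of "$tmp/f")" "$(perm_of "$tmp/d")"
    rm -rf "$tmp"
}

# Exit 0 only if the group write bit is set on the path, i.e. another member
# of the file's group (such as the www user) could modify it.
group_writable() {
    mode=$(perm_of "$1")
    # Keep only the last three digits (drop any setuid/setgid/sticky digit),
    # then take the middle one, which is the group digit.
    mode=${mode#"${mode%???}"}
    g=${mode#?}; g=${g%?}
    [ $(( g & 2 )) -ne 0 ]
}

# Default umask 022: files come out 644, the group cannot write.
modes_under_umask 022
# umask 002, the value to set in the users' login class or profile: 664 / 775.
modes_under_umask 002
```

Run as a plain sh script; the two printed lines are the modes a web editor's new file and directory would receive under each umask.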

Friday, April 15, 2005

Backlog

Since I'm starting this journal several weeks into the project I'm inserting this update to include past activities.

  1. Decided we had reason to run our own server.
    • I think it started because of SSL
    • The co. is doing a privacy audit - since the laws in Japan have just changed requiring higher standards of customer privacy protection. I thought we'd better use SSL on pages where we collect customer data.
    • Our webhost didn't have things set up the way I liked. I thought - if we had our own system and sysadmin I could ask them to set it up just right.
    • But we can't have any new staff so I decided I'll learn how to do it myself. How hard can it be?
    • Looked into the price of dedicated hosting - its getting cheap.
      • But running your own machine off ADSL is even cheaper. Asahi-net offers fixed IP address ADSL for about $50/month.*
  2. Collected hardware and connections.
    • network - provided by the office.
    • computer
  3. Chose OS FreeBSD 5.3
  4. Install OS
    1. 4.9 - I had 4.9 sitting around on disc so I tried it first. It went smoothly enough but I decided why not get the latest. 5.3 just went "stable" recently so why wait.
    2. 5.3 - I had a problem which was identical to the one described here, except that my hardware was CPU: Pentium II/Pentium II Xeon/Celeron (501.14-MHz 686-class CPU) and the person on the list had: AMD-K6(tm) 3D processor (450.13-MHz 586-class CPU)
      • After an install of 5.3-Release on a freshly formatted drive, I am
        getting loads of calcru errors:

        calcru: negative runtime of - usecs for pid ()
        calcru: runtime went backwards from usecs to
        usecs for pid ()
    • the best advice I found came from another place where someone with a similar problem was advised to simply run with ACPI turned off
  5. Set up NIC
    1. This went smoothly enough - I can't remember any problems. The co. network requires that I use a fixed IP. I just made up an arbitrary host.domain name for the machine since it will not be accessible from the internet.
  6. Minimal applications added.
    1. With the 5.3 install I did not add any packages or distribution sets. I wanted to be sure that only the bare necessities are on this machine (within reason - ie. I was not going to compile my own kernel)
    2. installed sshd (now I do most of my work through a PuTTY window on my other computer, which is running a graphical desktop. This makes it more convenient for studying documentation on the web and sometimes cutting and pasting commands into the ssh window.)
  7. ftp or ftp-ssl?
  8. apache 1.3 or 2.0?
  9. ...to be continued

My first Server Project

I've decided to learn something about running a server by setting one up in the office. If all goes well I hope to migrate our website off of the shared hosting and onto my own machine which will run on an empty desk near mine. This will actually save some money since we are being grossly overcharged by the hosting co. The real reason I'm doing this though is of course because I hope to learn something.

I have an old machine sitting around. I'll use it first. If we need something more powerful I'll request it after I've at least got things working with this one.

hardware:
  • CPU: Pentium II/Pentium II Xeon/Celeron (501.14-MHz 686-class CPU)
  • HDD: 9787MB [19885/16/63]
  • NIC: RealTek 8139 10/100BaseTX
platform:
  • I decided to install FreeBSD 5.3
I determined that I wanted to go with a BSD since our shared hosting server was running FreeBSD 4.7-RELEASE-p28 (VKERN). I had heard of NetBSD and OpenBSD too. My decision to go with FreeBSD was based primarily on the quality of their documentation.
  • www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/index.html

TM

TM stands for "task master" which is a mechanic in a game I like to play whereby a player can improve skills just by attempting to use them.

Attempting to use skills that I don't have is what I'm all about.