Archive for July, 2006


What is /dev/shm and its practical usage ?

July 25, 2006

What is /dev/shm and its practical usage ?

/dev/shm is nothing but implementation of traditional shared memory concept. It is an efficient means of passing data between programs. One program will create a memory portion, which other processes (if permitted) can access. This will result into speeding up things on Linux.

If you type mount command you will see /dev/shm as a tempfs file system. Therefore, it is a file system, which keeps all files in virtual memory. Everything in tmpfs is temporary in the sense that no files will be created on your hard drive. If you unmount a tmpfs instance, everything stored therein is lost. By default almost all distro configured to use /dev/shm.

Nevertheless, where can I use /dev/shm?
You can use /dev/shm to improve the performance of application software or overall Linux system performance. On heavily loaded system, it can make tons of difference. For example VMware workstation/server can be optimized to improve your Linux host’s performance (i.e. improve the performance of your virtual machines).

For example, if you have 8GB RAM then remount /dev/shm as follows:

# mount -o remount,size=8G /dev/shm

To be frank if you have more than 2GB RAM and if you running multiple Virtual machines this hack always improves performance.


How to install CVS

July 21, 2006


Compile it from source

Download from

$ gunzip cvs-x.x.tar.gz $ tar -xvf cvs-x.x.tar $ cd cvs-x.x/  $ ./configure $ ./make $ su -l (enter password)	#switch user to root # ./make install

check to make certain CVS is installed:

$ which cvs /usr/bin/cvs

Create the cvsroot for a user and master repository:

You can choose to place your cvsroot almost wherever you want. I’ve historically placed it in /home/ to make regular backups easier. You might have your own reasons to place it where you want.

$ su -l # adduser cvs # rm -rf /home/cvs # mkdir /home/cvs

It can be convenient to enable user permissions by creating a ‘cvs’ group in /etc/group, and then adding various users to that group. While adding permissions to the cvsroot directories to the group ‘cvs’.


You need to set the environment variables, so that CVS knows where to find the root library.

$ export CVSROOT=/home/cvs/		#for bash users > setenv CVSROOT '/home/cvs'		#for csh, or tcsh users # this can also be added to /etc/profile for system-wide access

This can also be set automatically upon login by adding a line to your ~/.bashrc file (or whichever stores your shell environment variables).

Check to make sure that it’s set properly:

$ echo $CVSROOT /home/cvs/

As you may have noticed, the CVSROOT variable is set by the client, and not the server. This enables you to easily use multiple CVSROOTs, based on permissions, partitioning, etc.

Remote access:

The CVS slient can also be configured to use a cvsroot on a remote server, and to tunnel through SSH. The remote client needs to have these entered at the command line, or read in from the .bashrc file:

export CVSROOT="user@host.domain.tld:/pathto/cvsroot" export CVS_RSH="/usr/bin/ssh"

All commands should operate as usual, but each will require a password in order to proceed.

Bad CVSROOT error:

A common, and frustrating error to run into while using this method, because it’s not well documented.

cvs checkout: is set for a remote access method but your cvs checkout: CVS executable doesn't support it cvs [checkout aborted]: Bad CVSROOT.

Your problem most likely exists with the client version of the cvs binary. It’s probably version 1.11.1 or previous, upgrading to 1.11.2 should take care of this.


How do I Drop or block attackers IP with null routes?

July 4, 2006

Someone might attack on your system. You can drop attacker IP using IPtables. However one of our sr. sys admin highlighted something new for me. You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system.) stopping various attacks coming from a single IP (read as spammers or hackers):

Suppose that bad IP is, type following command at shell:

# route add

You can verify it with following command:

# netstat -nr

This is cool, as you do not have to play with iptables rules.


Linux or UNIX disable null passwords

July 4, 2006

Q. How do I disabling logins for user with null passwords?

A. PAM (pluggable authentication modules) is used by both Unixish (Solaris/BSD/AIX/HP-UX) oses and Linux for configuring authentication related services.

A null password allows users to log onto a system without having to supply a valid password. This is a security risk to the system. In case if you are wondering how to setup null password, try command usermod as follows:

# usermod -p “” username

The PAM configuration option that enables null passwords is the nullok module argument passed to PAM module. You’ll want to remove this argument from any modules of auth type for services that allow login.

Debian Linux

Debian Linux use following two files:

  • /etc/pam/common-auth: authentication settings common to all services
  • /etc/pam.d/common-password: password-related modules common to all services

Caution: before modifying below mentioned PAM config files, make the backup of files using cp command.

a) Open /etc/pam/common-auth:

# cp /etc/pam/common-auth /etc/pam/common-auth.ORI
# vi /etc/pam/common-auth

Find out line that read as follows:

password required nullok obscure min=4 max=8 md5

Remove nullok from above line so that it read as follows:

password required obscure min=4 max=8 md5

b) Save the file and exit to shell prompt. Open file /etc/pam.d/common-password:

# cp /etc/pam.d/common-password /etc/pam.d/common-password.ORI
# vi /etc/pam.d/common-password

Find out line that read as follows:

auth required nullok_secure

Remove nullok_secure from above line so that it read as follows:

auth required

Save the file and exit to shell prompt. Now no one be able to login using null password.

Red Hat / Fedora Linux

You need to modify single file /etc/pam.d/system-auth:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.ORI
# vi /etc/pam.d/system-auth

Find out line that read as follows:

auth sufficient /lib/security/ likeauth nullok

Remove nullok from above line so that it read as follows:

auth sufficient /lib/security/ likeauth

Save the file.


Dynamic DNS Setup

July 2, 2006

Notes on setting up a dynamic dns for home with bind-9.x

  1. Generating Secure DNS Keys
  2. On the home/client machine:

    # mkdir /etc/bind/tsig
    # cd /etc/bind/tsig
    # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST host.domain.tld.

    Note the “.” after the tld. This generates the public and the private keys.

  3. named.conf
  4. On the remote server:

    Edit “/etc/named.conf” and add the generated key to the conf. (Note the trailing dot):

    key host.domain.tld. {
    algorithm hmac-md5;
    secret "qUSfVtkYf7WLxiZaOTN3Ua==";

  5. Grant Authority
  6. Still on the remote server:

    Edit the “/etc/bind/zone.domain.tld” file, and modify the current allow-update line to include the key.

    allow-update   { key "default_key."; key "host.domain.tld."; };

    This allows full authority to modify any record within the domain (Be Warned).

    Restart named and make sure nothing is broken.

  7. nsupdate
  8. Back to the client machine:

    Run nsupdate to test that the client can now make updates.

    # nsupdate -k /etc/bind/tsig/Khost.domain.tld.*.key
    > update delete host.domain.tld A
    > update add host.domain.tld. 600 A
    > send
    > quit

    It first deletes host.domain.tld if it already exists, then recreates it with the given TTL, type, and IP address. The TTL is the time-to-live, which is a value used by other DNS servers to determine how often they refresh the entry for this host. A smaller values means they’ll refresh more often, which is what you want for a dynamic entry. “send” tells nsupdate to send the updates to the server.

  9. Automate
  10. Create a script and put it in a 10 minute cron to check for changes in the wan ip address and run nsupdate automagically.

    # cat /etc/cron.d/ddns
    */10 * * * * root /etc/bind/ddns

    Below is an example script that gets the info from a Belkin wireless router within the home lan.

    # ddnsHOSTNAME="host.domain.tld"
    NEW_IP=`wget -q -O - | grep "Up.*dw" | tr "\n" " " | awk -F "'" '{print $12}'`
    function do_nsupdate {
    echo "New IP address (${NEW_IP}) found. Updating..." >> $LOG
    echo $NEW_IP > $IP_FILE
    nsupdate -k $KEYFILE >> $LOG << EOF
    update delete $HOSTNAME A
    update add $HOSTNAME $TTL A $NEW_IP
    if [ ! -f $IP_FILE ]; then
    echo "Creating $IP_FILE..." >> $LOG
    OLD_IP=`cat $IP_FILE`
    if [ "$NEW_IP" = "$OLD_IP" ]; then
    echo "new and old IPs (${OLD_IP}) are same. Exiting..." >> $LOG
    exit 0
    exit 0

Permanently add static IP and default gateway

July 2, 2006

Red Hat Linux has made it fairly easy to set up network so that it will start automatically. There are a series of scripts in /etc/sysconfig/network-scripts that will do most of the work.

1. Binding IP address

In “/etc/sysconfig/network-scripts/ifcfg-eth0”, add your IPADDR (IP address), NETMASK, NETWORK and BROADCAST address







2. Adding Default Gateway

In “/etc/sysconfig/network” add your default gateway.


You can now restart your network:

#/etc/sysconfig/network-scripts/ifdown eth0

#/etc/sysconfig/network-scripts/ifup eth0
( please dont run the command remotely.. else you may have shutdown the interface and will be disconnected )

or in redhat:

#service network restart
# /etc/init.d/network restart

Check your “/sbin/route” (routing) to verify everything is in place and restarting your computer should hold your new settings.


Linux jail

July 2, 2006

Introduction to Jail

Basic concepts and supported platforms

Introduction to Jail

Basic concepts and supported platforms

Jail Chroot Project is an attempt of write a tool that builds a chrooted environment. The main goal of Jail is to be as simple as possible, and highly portable. The most difficult step when building a chrooted environment is to set up the right libraries and files. Here, Jail comes to the rescue with a tool to automagically configures & builds all the required files, directories and libraries. Jail is licensed under the GNU General Public License.

Jail program has been written using C, and the setup script has been written using a bash script and perl. Jail has been tested under Linux (Debian 2.1 & 2.2, RedHat 6.1, 6.2 and 7.0 and Caldera Openlinux 7.0), Solaris (2.6), IRIX (6.5) and FreeBSD 4.3. Some people has contributed to jail with patches and ideas. Thanks to all of them.

Jail supports lots of interesting features:

  • Runs on Linux, Solaris, IRIX and freeBSD (tested) and should run in any of the flavours of these operating systems.
  • Modular design, so you can port Jail in an easy way.
  • Support for multiple users in a single chrooted environment.
  • Fully customizable user shell.
  • Support for multiple servers: telnetd, sshd, ftpd…
  • Easy to install thanks to the enviroment creation script.
  • Should work in any UNIX.
  • Ease of porting.
  • Allows run any kind of program as a shell.

An html version of the mailing list has been added to the web site. Now you can read all the user contributions, ideas and patches here.

How Jail works

Jail’s design

How Jail works

Jail’s design

Jail is a login tool. Jail works as a wrapper to the user shell, so when the user log in the machine Jail is launched, and the chrooted environment is activated. Then, Jail execs the real user shell, so he gets his session in the server.

The ’chrooted environment’ is a subtree of the full tree in the filesystem, and the top of this subtree is saw by the chrooted user as the root ’/’ entry of the tree. So Jail is so useful for isolate users from the main filesystem’s directory tree. As you can see in the diagram, the light-gray shaded boxes are the chrooted environment:

So any user configured to be chrooted using Jail (e.g. user3) when log into the machine, he will be changed to his home directory (light-grey shaded box labeled user3) and his ’root’ directory will be ’chroot’ that will be showed just like ’/’. That is, user3 only can see the files under the directory called ’chroot’.

Jail internals

How jail interacts with the login process

by Juan M. Casillas

created at 26/08/2003 17:10:48
last updated at 05/09/2003 23:08:47

Before configure Jail, we have to need how Jail works. As you can see in the following diagram, the first things that Jail does is get the user’s information from the non-chrooted /etc/passwd. In this file there are information about where jail is located (the shell entry of the password file for this user) and which directory will be chrooted (the home directory entry of the password file for this user).

After that, Jail changes to the user directory and then it calls chroot in this directory, creating the chrooted environment. After this call, Jail only can see the files under the chrooted directory. Now, Jail setups some environment variables (the HOME and the SHELL variable that will be used by the real shell).

Now, Jail gets the users’ information from the /etc/passwd file in the chrooted environment, and checks if the user home directory is the same that the user home directory information readed from the non-chrooted file. If they are the same, the HOME variable is set to / else, Jail changes to this directory, and changes the HOME variable to this one.

Last, Jail set up again enviroment variables, SHELL is set up with the information readed from the chrooted /etc/passwd file. Now Jail replaces itsef with the shell program stored in the SHELL variable, runing the shell.

Configuring Jail

Overview of the installation process

Jail is launched as a login shell for any of the servers that allows access to the machine from the net, e.g. sshd, telnetd, ftpd, etc. So Jail is the shell of the chrooted users. To build a chrooted user, four steps are required:

  • Build user’s passwd entries in the non-chrooted environment.
  • Setup chrooted environment.
  • Add the software to the chrooted environment.
  • Add the users to the chrooted environment.

The first one is required to allow the user launch jail when a login process is invoked. The second, three and four steps are required to built the chrooted enviroment (create the required directories, copying the library and binary files, changing chrooted /etc/passwd file, and so on).

So these are the required steps in order to setup jail:

  1. Setup Entries
  2. Create directories
  3. Adding users
  4. Adding software

Configuring Jail entries

The non-chrooted /etc/passwd file

To build the user’s password entries we can use a user creation script (just one like adduser) or to add the entries by hand. I usually prefer the second way, but first is also fine. If you choose the first method, when the creation scripts ends its work, you have to edit the files by hand. Here, I will use the second. Our nick name for the test user used in the examples will be user3.

All the magic resides on the /etc/passwd file. We have to add a line in this file to create a user in this machine. You have to setup also /etc/group and /etc/shadow if you have shadow passwords installed. Note also that you have to fit the uid an gid fields password, etc.

  user3:x:101:101:Jail Test User:/var/chroot:/usr/local/bin/jail

Note the /var/chroot field. This is the root directory of the chroot environment for this user.

Creating the Jail environment

Or how to invoke mkjailenv

Creating the Jail environment

Or how to invoke mkjailenv

mkjailenv creates the directories, and generates the basic filesystem layout with the special devices. mkjailenv has been written in perl. This are the command line arguments:

mkjailenv chrootdir




The directory where the chrooted environment will live. It its the home entry in the non-chrooted /etc/passwd file

Invocation example:

mkjailenv /home/chroot

This will create the chrooted enviroment under the directory /home/chroot.


Adding users to the Jail

Or how to invoke addjailuser

Adding users to the Jail

Or how to invoke addjailuser

addjailuser edit the chrooted /etc/passwd automatically, creates the user directories, addjailuser has been written in perl script. This are the command line arguments:

addjailuser chrootdir userdir usershell username




The directory where the chrooted environment will live. It its the home entry in the non-chrooted /etc/passwd file


The directory inside the chrooted enviroment when the user will live, in our example, /home/user3.


The user’s shell full path (e.g. /bin/bash)


The user’s name. In our example, user3

Invocation example:

addjailuser /var/chroot /home/user3 /bin/bash user3

This will add a user under the directory /var/chroot setups the home directory of the user3 into /home/user3, and selects /bin/bash as default shell for user3. Also edits the chrooted /etc/passwd, /etc/group and /etc/shadow to configure propertly jail.


Adding software to Jail

Or how to invoke addjailsw

Adding software to Jail

Or how to invoke addjailsw

addjailsw will copy the programs and the dependencies (libraries, auxiliar files, special devices) into the right places in the chrooted environment. addjailsw has been written in perl script. This are the command line arguments:

addjailsw chrootdir [-D] [-P program args]




The directory where the chrooted environment will live. It its the home entry in the non-chrooted /etc/passwd file

-P program args (optional)

installs the specific program “program” into the chrooted environment. The script uses the “args” parameter to launch the program where doing the strace command, to allows the program exit nicely, so the strace can do its work. If this parameter isn’t specified, the standard programs included in the file will be installed. See addjailsw’s code for in-deep details.

Invocation examples:

addjailsw /var/chroot
addjailsw /var/chroot -D
addjailsw /var/chroot -P vi "-c q"

The first invocation will add the standard programs under the /var/choot directory. The second invocation will do the same that first’s but also will show what files are going to be copied in /var/chroot. Last, the third invocation will install only the program vi, and when launched in the strace call, the arguments “-c q” will be passed to it (so vi will exit inmediatly).


Jail install HOWTO

Installation quick guide

Jail install HOWTO

Installation quick guide


  1. Compiling and installing
  2. Creating the chrooted environment
  3. Adding software into the chrooted environment
  4. Adding users into the chrooted environment
  5. Troubleshooting
  6. Porting, improvements and hacks
  7. Copyright

Compiling and installing

Just untar the package, cd to ./src and edit the makefile and do a ’make’. Now you can choose your architecture from Linux, FreeBSD, Solaris and IRIX. then configure the installation directory (default /usr/local) and you’re ready !. Perhaps you need to tune some of the compiler directives, if you are in a different platform than these ones supported by Jail. After a while, you will have the jail binary created. Then, issue a ’make install’, to do this, you have to be root (the default path to install is /usr/local). Now you are ready to play with jail.

Creating the chrooted environment

Now choose where directory will be your chroot environment. In my example, I choose /var/chroot for the chrooted environment. Now become root, and launch the mkjailenv command:

/usr/local/bin/mkjailenv /var/chroot

The output should look like this:

                A component of Jail
                Juan M. Casillas
                Making chrooted environment into /var/chroot
                        Doing preinstall()
                        Doing special_devices()
                        Doing gen_template_password()
                        Doing postinstall()

After that, you will have the basic chrooted environment installed under /var/chroot.

Adding software into the chrooted environment

After the chrooted environment has been created, we have to add some software inside it. To do this, we will use addjailsw. This scripts, if called without -P argument, will install a default set of programs into the chrooted environment. First of all, were are going to install the basic set of programs, an then we will install the less command.

To install the basic set of programs, we will issue the following command:

/usr/local/bin/addjailsw /var/chroot

The output of the program should look like this:

  A component of Jail
  Juan M. Casillas
  Guessing head args()
  Guessing bash args()
  Guessing cat args()
  Guessing pwd args()
  Guessing ln args()
  Guessing mkdir args()
  Guessing rmdir args()
  Guessing ls args()
  Guessing sh args()
  Guessing mv args()
  Guessing rm args()
  Guessing more args()
  Guessing grep args()
  Guessing vi args()
  Guessing id args()
  Guessing cp args()
  Guessing tail args()
  Guessing touch args()
  creating /var/chroot//bin/ln
  creating /var/chroot//etc/nsswitch.conf
  creating /var/chroot//var/tmp/vi.recover/vi.wTrhwB
  creating /var/chroot//etc/group
  Warning: not allowed to overwrite /var/chroot/etc/group
  creating /var/chroot//lib/
  creating /var/chroot//bin/ls
  creating /var/chroot//etc/mtab
  creating /var/chroot//bin/mkdir
  creating /var/chroot//bin/rmdir
  creating /var/chroot//bin/bash
  creating /var/chroot//bin/sh
  creating /var/chroot//etc/passwd
  Warning: not allowed to overwrite /var/chroot/etc/passwd
  creating /var/chroot//tmp/vi.UrdLM7
  creating /var/chroot//bin/mv
  creating /var/chroot//etc/
  creating /var/chroot//etc/terminfo/x/xterm
  creating /var/chroot//bin/rm
  creating /var/chroot//usr/bin/vi
  creating /var/chroot//lib/
  creating /var/chroot//usr/bin/id
  creating /var/chroot//lib/
  creating /var/chroot//usr/bin/tail
  creating /var/chroot//bin/cp
  creating /var/chroot//lib/
  creating /var/chroot//usr/bin/head
  creating /var/chroot//bin/cat
  creating /var/chroot//lib/
  creating /var/chroot//bin/touch
  creating /var/chroot//lib/
  creating /var/chroot//bin/pwd
  creating /var/chroot//bin/more
  creating /var/chroot//bin/grep
  creating /var/chroot//proc/meminfo
  creating /var/chroot/null:c:1:3
  creating /var/chroot/tty:c:5:0

As you can see in the output there are some temporal files, and also, there are some files that are begin overwritten, and other that are not allowed to be overwritted. This files are the passwd, group and shadow files of the chrooted environment. When the scripts ends, it cleans all the temporal directories in the chrooted environment.

Now, we are going to install the ’awk’ program into the chrooted environment. We need to call the addjailsw script with the -P argument:

/usr/local/bin/addjailsw /var/chroot -P awk

The output for the script will be something like this:

  A component of Jail
  Juan M. Casillas
  Guessing awk args(0)
  creating /var/chroot//lib/
  Warning: file /var/chroot/lib/ exists.
  Overwritting it
  creating /var/chroot//usr/bin/awk
  creating /var/chroot//etc/
  Warning: file /var/chroot/etc/ exists.
  Overwritting it
  creating /var/chroot//lib/
  creating /var/chroot//lib/
  Warning: file /var/chroot/lib/ exists.
  Overwritting it

Now, you have awk installed into the chroot environment. You should use this script to install all the software into the chrooted environment

Adding users into the chrooted environment

Now, it is time to add some users into the chroot environment. First of all we need to have the users created in the system, so you can add them by hand, or using adduser. For this example, I will create a new user called chroottest with adduser To do this:

/usr/local/bin/addjailuser /var/chroot /home/chroottest /bin/bash chroottest

After answer all the questions and set the user password, we are ready to add this users to the chrooted environment. This program accepts some parameters:

  1. the first parameter is the full path to the chrooted environment (in my example, is /var/chroot)
  2. the full path of the directory under the user will live. This path will be created under the chrooted environment, and when the user logs into, it will see it as the full path. (e.g, in our example, /home/chroottest is the home directory. addjailuser will create /var/chroot/home/chrootest, and when the user logs into, he will see /home/chroottest. Because it lives under the chrooted environment, he will see a ’virtual’ home directory).
  3. The full path to the shell that the user will use. (e.g, I like to use bash, so I use the /bin/bash parameter. NOTE: if you want yo use some other shell (or program) you will need to add it to the list of the installed programs (see section 2 to see how to do that).
  4. The name of the user, in my example, chroottest

After that, we are ready to launch the program (always as root):


The inverted slashes are to allow us insert carriage returns because the line is too long to type it in a single shell line. After launch the command, the output should look like this:

  A component of Jail
  Juan M. Casillas
  Adding user pruebas in  chrooted environment /var/chroot

That’s all. You have the user added into the chrooted environment. Now is time to try it:

su - chroottest

As you can see, you are in the new created chrooted environment, Congratulations !


Setting up SSH & scp

Now jail support terminal handling and parameter-passing, so configure ssh & scp now is possible. You only have to install a standard chrooted environment (just as described in this section) and then, install the two programs with the addjailsw script. First of all, install ssh:

/usr/local/bin/addjailsw /var/chroot -P ssh --version

To finish, install scp in the same way:

/usr/local/bin/addjailsw /var/chroot -P scp --version

Now you have the two programs installed in the chrooted environment; you can test it doing a ssh form in and out the chrooted environment, and a scp.

Well, there are not troubleshooting section 😦 Im writting some documentation, and improving the code for jail, mkjailenv, addjailsw and addjailuser. Also we have a mailinglist with some of the tricks and recipes to have jail working:

Jail mail archive

Also, you can generate some log files and send them back to me, so I will try to manage them and find an answer for your problems. I usually need a log for,, and the output for a login session into a chrooted account.

Porting, improvements and hacks

If you tailor for your platform, please send me the new, so I can put it into the distribution, also, send me patches if you write any of them for jail.


This program, the web site, all the documentation an the scripts has been written by Juan M. Casillas . All the source code, web pages, documentation and scripts has been released using the GNU Public License, version 2.0 or above (you can find the complete GPL text in a file called GPL, in the root file of jail’s distribution). Also, this program has been done and improved thanks to the help of lot of people arround the world. Thanks to all for your work, your test-drives, and your improvements & ideas.