Thursday, March 21, 2013

MySQL 5.5 Database directory change on Ubuntu 12.04 LTS

Once the MySQL server is installed on an Ubuntu server, the default database directory is /var/lib/mysql. If you want to change it (for example to /mnt/data/db/mysql or any other directory of your choice), follow the steps below. Note that the steps initialize an empty data directory; if the server already holds databases you want to keep, copy the contents of /var/lib/mysql into the new directory, preserving ownership (e.g. with cp -a), instead of running mysql_install_db.
  • Stop MySQL server:
sudo service mysql stop
  • I completed the steps below as the root user. Create the new database directory:
mkdir /mnt/data/db/mysql
  • Modify the MySQL configuration file so that the datadir setting in the [mysqld] section points to the new directory:
vi /etc/mysql/my.cnf 
# in the [mysqld] section change the line to: datadir = /mnt/data/db/mysql
  • Update the AppArmor profile for mysqld (/etc/apparmor.d/usr.sbin.mysqld) so it allows access to the new directory; without this, mysqld is denied access to the new path even though the Unix permissions are correct:
vi /etc/apparmor.d/usr.sbin.mysqld
#and change from
/var/lib/mysql/ r,
/var/lib/mysql/** rwk,
to
/mnt/data/db/mysql/ r,
/mnt/data/db/mysql/** rwk,
#and run
/etc/init.d/apparmor restart
  • Initialize the new database directory (skip this if you copied the existing data over instead). The mysql user must also be able to traverse every parent directory on the path (/mnt, /mnt/data, /mnt/data/db), so check that those directories are executable by it:
mysql_install_db --user=mysql --datadir=/mnt/data/db/mysql
# make sure the data directory is owned by mysql and not readable by anyone else
chown -R mysql:mysql /mnt/data/db/mysql 
chmod -R 700 /mnt/data/db/mysql 
  • Start MySQL server: 
sudo service mysql start

It is done!
You can change the new database directory to any directory of your choice; just modify the commands above to reflect it. If the server fails to start, look for apparmor="DENIED" lines in /var/log/syslog: they mean the AppArmor profile still points at the old path.
If you get "Access denied for user 'root'@'localhost'" after the changes above, it is because mysql_install_db created a fresh set of system tables in which root has an empty password and the Debian maintenance account (debian-sys-maint, whose password is in /etc/mysql/debian.cnf) does not exist yet. Run the following to set the MySQL root password and recreate that account:
sudo dpkg-reconfigure mysql-server-5.5
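The procedure above as a script, added here as an example and not taken from the original post. It keeps the existing databases (copying them rather than running mysql_install_db), rewrites only the datadir line inside the [mysqld] section, patches the AppArmor profile, and then checks the two things that most often break the restart: the profile rules for the new path and the mysql user's ability to traverse the parent directories. The paths are the ones used in the post and can be overridden through OLD_DATADIR and NEW_DATADIR; the actual migration only runs with --run as root.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for moving the MySQL 5.5
# data directory on Ubuntu 12.04. Paths are assumptions taken from the post.
set -eu

OLD_DATADIR=${OLD_DATADIR:-/var/lib/mysql}
NEW_DATADIR=${NEW_DATADIR:-/mnt/data/db/mysql}

# Rewrite "datadir = ..." inside the [mysqld] section of a my.cnf-style file.
# Lines in other sections (e.g. [client]) are left untouched.
set_datadir() {            # set_datadir <my.cnf> <newdir>
    awk -v nd="$2" '
        /^\[/ { in_mysqld = ($0 == "[mysqld]") }
        in_mysqld && /^[[:space:]]*datadir[[:space:]]*=/ { print "datadir\t\t= " nd; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Replace the old data directory path in the mysqld AppArmor profile
# (the "<dir>/ r," and "<dir>/** rwk," rules).
set_apparmor_datadir() {   # set_apparmor_datadir <profile> <olddir> <newdir>
    sed "s#^\([[:space:]]*\)$2/#\1$3/#" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if the profile grants the two rules mysqld needs for <newdir>.
apparmor_allows() {        # apparmor_allows <profile> <newdir>
    grep -q "^[[:space:]]*$2/ r,"       "$1" &&
    grep -q "^[[:space:]]*$2/\*\* rwk," "$1"
}

# Every parent of the data directory must be searchable by the mysql user,
# or mysqld fails to start even when the directory itself is 0700 mysql:mysql.
parents_searchable() {     # parents_searchable <dir> <user>
    d=$1
    while [ "$d" != "/" ]; do
        d=$(dirname "$d")
        sudo -u "$2" test -x "$d" || { echo "$d is not searchable by $2" >&2; return 1; }
    done
}

# The full procedure; only runs when invoked as: sudo sh move_datadir.sh --run
if [ "${1:-}" = "--run" ]; then
    service mysql stop
    mkdir -p "$NEW_DATADIR"
    cp -a "$OLD_DATADIR"/. "$NEW_DATADIR"/      # keep existing databases and ownership
    set_datadir /etc/mysql/my.cnf "$NEW_DATADIR"
    set_apparmor_datadir /etc/apparmor.d/usr.sbin.mysqld "$OLD_DATADIR" "$NEW_DATADIR"
    apparmor_allows /etc/apparmor.d/usr.sbin.mysqld "$NEW_DATADIR"
    /etc/init.d/apparmor reload
    chown -R mysql:mysql "$NEW_DATADIR"
    chmod 700 "$NEW_DATADIR"
    parents_searchable "$NEW_DATADIR" mysql
    service mysql start
    mysqladmin status     # if this fails, check /var/log/syslog for apparmor="DENIED"
fi
```

The config rewrites go through a temporary file and a rename so a failed edit never leaves a half-written my.cnf or profile behind.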

Tuesday, March 12, 2013

Using Postfix SASL authentication with Google 2-step verification on

If you configure your Google account to use 2-step verification for extra security, applications that work outside the browser and cannot ask for a verification code stop being able to authenticate with your account password.
Postfix, which was installed and configured to send out emails, won't work anymore, and you will notice error messages in /var/log/mail.log, something like:
SASL authentication failed; server smtp.gmail.com said: Application-specific password required.
The solution below should fix this issue:
First, visit the Authorizing applications & sites page under your Google Account settings.

On this page enter the name of the application to be authorized (Postfix) and click the Generate Password button. Write down the generated password. Treat it like your account password: it lets whoever holds it act as your account without a verification code, so it must only live in a root-readable file on the server, and it can be revoked from the same page if the server is ever compromised.
Then, the following changes need to be made to Postfix configuration:
  • As root user (or using sudo), modify the SASL password file:
vi /etc/postfix/sasl_passwd
# replace the Google account password used before with the generated password:
[smtp.gmail.com]:587 <yourAccount>@gmail.com:<passwordGenerated>
  • Build the lookup table (the .db file that Postfix actually reads) from the password file:
postmap /etc/postfix/sasl_passwd
  • Make sure both the SASL password file and the generated .db file are readable by root only (and owned by root):
sudo chmod 600 /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd.db
  • Restart Postfix
/etc/init.d/postfix restart
That is it. Postfix should send emails the same way it did before, with 2-step verification enabled on the Google account.
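The same configuration change as a script, added here as an example rather than taken from the original post. It differs from the steps above in one security-relevant detail: the password file is created under umask 077 so it is 0600 from the moment it exists, instead of being chmod'ed after postmap has already run, which leaves a window in which every local user can read the credential. The app password is taken from the environment rather than the command line so it does not land in shell history or process listings, and the entry is verified with postmap -q before Postfix is restarted. The file path and relay address are assumptions taken from the post; the system changes only run with --run as root.

```shell
#!/bin/sh
# Added example (not from the original post): write the Postfix sasl_passwd
# entry for a Gmail application-specific password without ever leaving the
# secret in a world-readable file. Paths/relay are assumptions from the post.
set -eu

SASL_FILE=${SASL_FILE:-/etc/postfix/sasl_passwd}
RELAY='[smtp.gmail.com]:587'

# Write "<relay> <account>:<app-password>" into a file that is created 0600
# (umask 077) so no other local user can read the secret at any point.
write_sasl_passwd() {      # write_sasl_passwd <file> <relay> <account> <app-password>
    rm -f "$1"
    ( umask 077; printf '%s %s:%s\n' "$2" "$3" "$4" > "$1" )
}

# Return 0 if <file> exists and is exactly mode 0600 (owner read/write only).
is_private() {             # is_private <file>
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600)" ]
}

# Return 0 if the file holds an entry whose key is <relay>, i.e. Postfix
# will find credentials for that smtp host and port.
has_entry_for() {          # has_entry_for <file> <relay>
    awk -v relay="$2" '$1 == relay { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

if [ "${1:-}" = "--run" ]; then
    : "${GMAIL_ACCOUNT:?set GMAIL_ACCOUNT}" "${GMAIL_APP_PASSWORD:?set GMAIL_APP_PASSWORD}"
    write_sasl_passwd "$SASL_FILE" "$RELAY" "$GMAIL_ACCOUNT" "$GMAIL_APP_PASSWORD"
    ( umask 077; postmap "hash:$SASL_FILE" )   # build the .db under a restrictive umask
    chown root:root "$SASL_FILE" "$SASL_FILE.db"
    chmod 600 "$SASL_FILE" "$SASL_FILE.db"      # belt and braces: both files 0600 root
    is_private "$SASL_FILE" && is_private "$SASL_FILE.db"
    has_entry_for "$SASL_FILE" "$RELAY"
    # Confirm Postfix resolves the relay to the new credentials before restarting
    postmap -q "$RELAY" "hash:$SASL_FILE" > /dev/null
    service postfix restart
fi
```

Run it as: sudo GMAIL_ACCOUNT=you@gmail.com GMAIL_APP_PASSWORD=... sh gmail_sasl.sh --run. If postmap -q prints nothing the relay key in sasl_passwd does not match the relayhost in main.cf, which is the other common cause of a continued "authentication failed".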

Monday, March 11, 2013

Ubuntu Samba Removal - XBMC 12.0 “Frodo” – XBMCbuntu

The installation of the latest XBMC 12.0 "Frodo" (XBMCbuntu) includes a Samba server by default. So right after the installation completes you have Samba running on your XBMC box, preconfigured with shares: movies, pictures, music, system, etc.
You can see the Samba processes running on your XBMCbuntu machine if you SSH in and run:
$ ps aux | grep smb
If for any reason you would like to get rid of Samba completely (for example, you already have Samba running on other machines on your network, you are concerned about resource use on your media box, or you simply do not want an extra network service listening on it), follow the steps below to remove Samba from your system:
1.    Stop the Samba processes (nmbd, the NetBIOS name daemon, is a separate upstart job on this system and is stopped the same way):
$ sudo stop smbd
2.    Remove Samba
# Use autoremove so apt also removes the packages that were pulled in only by Samba, such as libfile-copy-recursive-perl, tdb-tools and update-inetd, which are no longer required.
$ sudo apt-get autoremove samba
# This leaves the configuration files in place (apt-get purge would remove them), so if you decide to reinstall Samba later your shares come back configured the way they were. You can still see the smb.conf file:
$ less /etc/samba/smb.conf
That is basically it. After a reboot of the XBMC box you won't see Samba running, and the Samba shares are no longer available.
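A check to run after the removal, added here as an example and not part of the original post: it confirms that no smbd or nmbd process survived and that nothing is still listening on the SMB and NetBIOS ports (TCP 139 and 445, UDP 137 and 138, the standard ones). The filtering is done over netstat-style output so it can be exercised against a captured listing; the sample listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify Samba is really gone.
set -eu

SMB_PORTS='137 138 139 445'   # NetBIOS name/datagram/session and direct SMB

# Read "netstat -ltun"-style lines on stdin and print those whose local
# address ends in one of the SMB/NetBIOS ports. Exit 0 if none were found,
# 1 if at least one listener is still open.
smb_listeners() {
    awk -v ports="$SMB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        ($1 == "tcp" || $1 == "udp" || $1 == "tcp6" || $1 == "udp6") {
            port = $4; sub(/.*:/, "", port)      # strip the address, keep the port
            if (port in want) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

if [ "${1:-}" = "--check" ]; then
    pgrep -l 'smbd|nmbd' && echo "Samba daemons still running" >&2
    if netstat -ltun 2>/dev/null | smb_listeners; then
        echo "no SMB/NetBIOS listeners"
    else
        echo "SMB/NetBIOS ports still open (see lines above)" >&2
        exit 1
    fi
fi
```

Run it as: sh samba_gone.sh --check. A listener that remains after the packages are removed usually means nmbd was never stopped or another package (for example a media server with its own SMB support) owns the port.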

Sunday, March 10, 2013

Accessing Samba shares on Ubuntu - Security Considerations - Updated

Here is an update on my findings for the Samba configuration.
As I said before, I have various clients accessing my Samba server, including Windows, Ubuntu and Mac. However, it turned out this was not an issue on the client side; it was an issue on the Samba server side. The fact that I was able to connect to the Samba share from Windows came down to user privileges: that particular Windows user simply had all possible privileges assigned on the Linux server hosting Samba.
My smb.conf file is configured to require a Unix account on the Linux server hosting Samba for every user accessing the server (i.e., it has the "security" parameter set to "user").
So, imagine you have powerUser, who should have write access to a share, and readOnlyUser, who has read-only access to the same share. Here is an example of such a share configuration in the smb.conf file:
[movies]
    path = /mnt/downloads/movies
    read only = yes
    guest ok = no
    force group = sambashare
    write list = powerUser 

This defines a read-only share with no guest access. force group = sambashare makes every connected user's file operations run with the sambashare group, regardless of the user's own group membership, so the Unix permissions on the share only need to grant that group read access. write list = powerUser overrides read only for that one user, so powerUser has write permission as intended.
Below is a list of steps I compiled to eliminate permission-related issues when clients on various OSs connect to the Samba share above:
  • Make sure these user accounts exist on the Linux machine hosting the Samba server (the sambashare group is created by the Ubuntu samba package):
# Create powerUser and add it to the sambashare group as a supplementary group
sudo useradd powerUser 
sudo usermod -a -G sambashare powerUser
# Create readOnlyUser with sambashare as its primary group
sudo useradd -g sambashare readOnlyUser
# Set the Unix passwords. Samba keeps its own password database (set up in the next step); the Unix password is only needed for the local login test further below.
sudo passwd powerUser
sudo passwd readOnlyUser
  • Add users to Samba:
# When prompted for the Samba password, enter the same password the user logs in with on the client machines, so clients can authenticate without prompting
sudo smbpasswd -L -a powerUser 
sudo smbpasswd -L -a readOnlyUser
# Activate both user accounts in Samba 
sudo smbpasswd -L -e powerUser
sudo smbpasswd -L -e readOnlyUser
  • Configure the file permissions of the Samba share folder:
# Make the directory for the movies Samba share:
/mnt/downloads$ sudo mkdir movies
# Assign ownership of this folder to powerUser
/mnt/downloads$ sudo chown powerUser movies
# Assign group ownership of this folder to the sambashare group
/mnt/downloads$ sudo chgrp -R sambashare movies
# Owner (powerUser) gets read/write/execute, the sambashare group (readOnlyUser) gets read/execute only, and everyone else gets nothing
/mnt/downloads$ sudo chmod 750 movies
# Set the setgid bit (not the sticky bit) on the share folder, so new files and subdirectories created by powerUser get sambashare group ownership and can be read by the group (readOnlyUser)
/mnt/downloads$ sudo chmod g+s movies
  • Test that the users can read the folder on the Linux server before trying the Samba share. This saves a lot of troubleshooting time, because it confirms the Linux permissions on the shared folder are right before Samba is involved:
# Login as readOnlyUser from the user account used to setup users
su readOnlyUser
# Validate readOnlyUser has access to Samba share folder
cd /mnt/downloads/movies
ls -al
  • Add the share configuration to /etc/samba/smb.conf as shown above:
[movies]
    path = /mnt/downloads/movies
    read only = yes
    guest ok = no
    force group = sambashare
    write list = powerUser


  • Restart Samba (running testparm first reports any syntax error in smb.conf before the restart):
sudo restart smbd
  • Access the Samba share from any of your client machines.
It should work from any OS client (Windows, Mac or Ubuntu) the same way you would access any other Windows share. No password prompt appears as long as the username and password you logged in with on the client are the ones registered with smbpasswd: the client presents those credentials to the server when it sets up the SMB session, so all authentication happens behind the scenes.

Sunday, March 3, 2013

Accessing Samba shares on Ubuntu - Security Considerations

If you, like me, have spent hours looking for how Samba manages access to shares, then you might want to read this. I am not going to cover the configuration of Samba on your system; I assume you have defined shares and the other required parameters in the smb.conf file. This part should be relatively easy, and it is pretty well covered on many other sites.
My Samba server is set up on a Linux machine, and the clients accessing the shares are on Windows, Linux (Ubuntu) and Mac - the whole variety is here! :)
So far I have encountered no problems connecting from Windows to Samba, but I am having issues connecting from Ubuntu to Samba (!) - getting NT_STATUS_ACCESS_DENIED from the Samba server... I should say Samba logs are huge and do not contain logging categories (I am looking for security messages only), but the log level can be defined. I have set the log level to 3 (out of 10), and the logs are really big!
I am still looking for the trick to fix the system - exciting! I will keep the updates posted....