Enable root account in Ubuntu?

After my recent experience with broken su and sudo commands in a failed system upgrade, I realized that although disabling the root account has many advantages, one of the disadvantages is that I can’t log in as root in the terminal when I’m physically in front of the system. This is a major issue if su, sudo, and passwd binaries are broken somehow. Luckily, chroot was there to the rescue for me. Now, I contemplate whether I should enable the root account on my systems…

Build 32 bit R on 64 bit Ubuntu by utilizing chroot

In the past, I’ve described how one could build multiarch (64 bit and 32 bit) versions of R on a 64 bit Ubuntu machine. The method based on this thread no longer works as of R 2.13 or 2.14, I believe. I received advice from someone on #R over on freenode (forgot who) a few months ago that suggested the chroot route (see this also). I recently tried it and wanted to document the procedures. Although the solution isn’t as nice as the previous multiarch route, it will suffice for now. With the chroot method, first compile the 64 bit version of R the usual way. For the 32 bit version of R, do:

#### change my.username to your username, or modify path per your taste

### create chroot jail
sudo apt-get install dchroot debootstrap
sudo mkdir ~/chroot-R32
sudo emacs -q -nw /etc/schroot/schroot.conf
## paste the following in the file: (no quotes)
[natty]
description=Ubuntu Natty
location=/home/my.username/chroot-R32
priority=3
users=my.username
groups=sbuild
root-groups=root

## build a basic Ubuntu system in the chroot jail
sudo debootstrap --variant=buildd --arch i386 natty /home/my.username/chroot-R32 http://ubuntu.cs.utah.edu/ubuntu/
## pick a mirror from https://launchpad.net/ubuntu/+archivemirrors

## copy my source locations for apt (destination must be inside the jail)
sudo cp /etc/apt/sources.list /home/my.username/chroot-R32/etc/apt/sources.list
## edit this new file to reflect only the needed source

### do following steps whenever you need to access 32 bit R
## access to proc and dns
sudo mount -o bind /proc /home/my.username/chroot-R32/proc
sudo cp /etc/resolv.conf /home/my.username/chroot-R32/etc/resolv.conf
## go into jail; do this whenever you want
sudo chroot /home/my.username/chroot-R32
dpkg-architecture ## make sure system is i386
### now the root / location should reflect the jail

### following happens in jail
## tools needed to build R
apt-get install gcc g++ gfortran libreadline-dev libx11-dev xorg-dev
## get svn to get latest r source code
apt-get install git-core subversion

## compile 32 bit R
cd home/
mkdir R32
cd R32
svn checkout https://svn.r-project.org/R/trunk/ r-devel
cd r-devel/
apt-get install rsync
./tools/rsync-recommended
./configure
make
make install
R

How big is my /home/my.username/chroot-R32 folder? It is at 791 MB after the above steps. Let me know if you have suggestions for having both 32 bit and 64 bit concurrently on Linux. I believe Windows and Mac ship and compile both 32 bit and 64 bit versions of R. I’m surprised this isn’t the case for Linux.

sftp with restricted folder

I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:

  1. The account cannot have ssh access since I don’t want an unauthorized person to run jobs on the server.
  2. The account needs to be restricted to a single directory. I don’t want the account to have access to all files on the server.

I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from PASV mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).

I decided to use sftp since I know for sure ssh works and that it’s more secure. Now that I think about it, none of my servers has an ftp server running since sftp is more secure and Nautilus and Filezilla support the sftp protocol.

From this post, I re-discovered rssh and the native support from recent versions of openssh. The “match user” method for openssh and the rssh method did not work for me. I finally stumbled on this post that made things work.

sudo apt-get install openssh-server ## this is already installed for me
## modify /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp

# These lines must appear at the *end* of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

## in shell
sudo groupadd sftponly
sudo useradd -m newuser ## -m creates /home/newuser, which the chown below needs
sudo passwd newuser ## set password
sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser
sudo chown root:root /home/newuser
cd /home/newuser
sudo mkdir upload ## upload files in here
sudo chown newuser:newuser upload
sudo /etc/init.d/ssh restart

Now, ssh with the newuser should not work, and sftp (via command line, nautilus, or filezilla) should only access one location.

Note that /home/newuser is owned by root, so newuser can’t do much in there. Create a directory upload, and make newuser the owner.
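
The root ownership noted above is a hard requirement of ChrootDirectory: sshd refuses the login unless every component of the chroot path is a root-owned directory that is not group- or world-writable. The following check is an added example, not part of the original post; the function names and script name are hypothetical, and it assumes a `stat` that supports `-c` (GNU coreutils or busybox).

```sh
#!/bin/sh
# Added example (not from the original post): audit a ChrootDirectory path.
# sshd_config(5) requires every component of the path to be a root-owned
# directory that is not writable by any other user or group.
# Assumes a stat that supports -c (GNU coreutils or busybox).

# mode_is_safe OCTAL_MODE: succeeds if no group- or world-write bit is set.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# component_ok DIR: succeeds if DIR is a root-owned directory with a safe mode.
component_ok() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory"; return 1; }
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    [ "$uid" -eq 0 ] || { echo "FAIL $dir: owner uid $uid, must be 0"; return 1; }
    mode_is_safe "$mode" || { echo "FAIL $dir: mode $mode is group/world-writable"; return 1; }
    echo "ok   $dir (uid $uid, mode $mode)"
}

# chroot_path_ok DIR: checks DIR and each parent up to /, reporting all failures.
chroot_path_ok() {
    path=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL $1: cannot resolve"; return 1; }
    rc=0
    while :; do
        component_ok "$path" || rc=1
        if [ "$path" = "/" ]; then break; fi
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check-chroot.sh /home/newuser   (script name is hypothetical)
if [ $# -gt 0 ]; then
    chroot_path_ok "$1"
fi
```

The writable upload directory sits below the chroot root, so it is not part of this walk and can stay owned by newuser.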