After my recent experience with broken su and sudo commands in a failed system upgrade, I realized that although disabling the root account has many advantages, one of the disadvantages is that I can’t log in as root in the terminal when I’m physically in front of the system. This is a major issue if the su, sudo, and passwd binaries are broken somehow. Luckily, chroot was there to the rescue for me. Now, I contemplate whether I should enable the root account on my systems…
Tag: chroot
Build 32 bit R on 64 bit Ubuntu by utilizing chroot
In the past, I’ve described how one could build multiarch (64 bit and 32 bit) versions of R on a 64 bit Ubuntu machine. The method based on this thread no longer works as of R 2.13 or 2.14 I believe. I received advice from someone on #R over on freenode (forgot who) a few months ago that suggested the chroot route (see this also). I recently tried it and wanted to document the procedures. Although the solution isn’t as nice as the previous multiarch route, it will suffice for now. With the chroot method, first compile the 64 bit version of R the usual way. For the 32 bit version of R, do:
<pre class="src src-sh">
#### change my.username to your username, or modify path per your taste

### create chroot jail
sudo apt-get install dchroot debootstrap
sudo mkdir ~/chroot-R32
sudo emacs -q -nw /etc/schroot/schroot.conf
## paste the following in the file:
[natty]
description=Ubuntu Natty
location=/home/my.username/chroot-R32
priority=3
users=my.username
groups=sbuild
root-groups=root

## build a basic Ubuntu system in the chroot jail
## pick a mirror from https://launchpad.net/ubuntu/+archivemirrors
sudo debootstrap --variant=buildd --arch i386 natty /home/my.username/chroot-R32 http://ubuntu.cs.utah.edu/ubuntu/

## copy my source locations for apt into the jail
sudo cp /etc/apt/sources.list /home/my.username/chroot-R32/etc/apt/sources.list
## edit this new file to reflect only the needed sources

### do following steps whenever you need to access 32 bit R
## access to proc and dns
sudo mount -o bind /proc /home/my.username/chroot-R32/proc
sudo cp /etc/resolv.conf /home/my.username/chroot-R32/etc/resolv.conf
## go into jail; do this whenever you want
sudo chroot /home/my.username/chroot-R32
dpkg-architecture ## make sure system is i386
### now the root / location should reflect the jail

### following happens in jail
## tools needed to build R
apt-get install gcc g++ gfortran libreadline-dev libx11-dev xorg-dev
## get svn to get latest r source code
apt-get install git-core subversion

## compile 32 bit R
cd /home
mkdir R32
cd R32
svn checkout https://svn.r-project.org/R/trunk/ r-devel
cd r-devel/
apt-get install rsync
./tools/rsync-recommended
./configure
make
make install
R
</pre>
How big is my /home/my.username/chroot-R32 folder? It is at 791 MB after the above steps. Let me know if you have suggestions for having both 32 bit and 64 bit concurrently on Linux. I believe Windows and Mac ship and compile both 32 bit and 64 bit versions of R. I’m surprised this isn’t the case for Linux.
sftp with restricted folder
I recently needed to set up an ftp server (or sftp server) that allows the user to transfer files. I had some restrictions:
- The account cannot have ssh access since I don’t want an unauthorized person to run jobs on the server.
- The account needs to be restricted to a single directory. I don’t want the account to have access to all files on the server.
I first followed this guide to get proftpd up with an account. However, I kept getting errors trying to log in using Nautilus or Filezilla. The error came from PASV mode, which I think stems from a firewall/NAT issue. I next tried this to use vsftpd. Still no go (same error).
I decided to use sftp since I know for sure ssh works and that it’s more secure. Now that I think about it, none of my servers has an ftp server running since sftp is more secure and Nautilus and Filezilla support the sftp protocol.
From this post, I re-discovered rssh and the native support from recent versions of openssh. The “match user” method for openssh and the rssh method did not work for me. I finally stumbled on this post that made things work.
<pre class="src src-sh">
sudo apt-get install openssh-server ## this is already installed for me

## modify /etc/ssh/sshd_config
# Use the following line to *replace* any existing 'Subsystem' line
Subsystem sftp internal-sftp
# These lines must appear at the *end* of sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no

## in shell
sudo groupadd sftponly
sudo useradd newuser
sudo passwd newuser ## set password
sudo usermod -g sftponly -s /bin/false -d /home/newuser newuser
sudo mkdir -p /home/newuser ## make sure the chroot directory exists
sudo chown root:root /home/newuser
cd /home/newuser
sudo mkdir upload ## upload files in here
sudo chown newuser:newuser upload
sudo /etc/init.d/ssh restart
</pre>
Now, ssh with the newuser account should not work, and sftp (via command line, nautilus, or filezilla) should only access one location.
Note that /home/newuser is owned by root, so newuser can’t do much in there. Create a directory upload, and make newuser the owner.