scponly, rsync and Fedora

A few years ago I wrote about the backup script that I use to do daily and weekly backups of my computers. Since this script must run unattended it makes use of a passphrase-less SSH key. The key exists only on my main workstation and is used to log in as a user which owns no other files, so if the key were ever copied the damage would be limited to that account. While this isn't a big security problem it would be nice to limit the privileges of this user further. To this end I started using scponly some time ago. Scponly is a restricted shell which limits a logged-in user to a small set of file-transfer commands such as scp, sftp and rsync. Removing every other program from the user's reach greatly reduces the chance that someone holding the key can run arbitrary commands or find a local exploit. Scponly is already packaged for Fedora so installing it is simple.

yum install scponly

Setting a user's shell to scponly is done with the usermod command.

usermod -s /usr/bin/scponly backup

Like any login shell, scponly must also be listed in /etc/shells, since several services consult that file when deciding whether an account may log in. Just add "/usr/bin/scponly" (without the quotes) on a line of its own at the end of the file.
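The three steps above, plus the two checks I would want before trusting a passphrase-less key to this account, as an added shell example that is not part of the original post. The account name "backup", the server name "backuphost", the workstation address 192.0.2.10 and the key path /root/.ssh/backup_key.pub are assumptions for the example; the authorized_keys options used are the standard ones documented in sshd(8).

```shell
#!/bin/sh
# Added example, not the original post's script. Assumed names: user "backup",
# server "backuphost", workstation 192.0.2.10, public key /root/.ssh/backup_key.pub.

SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"

# Append a shell path to an /etc/shells-style file only if that exact line
# is not already present, so the function can be re-run safely.
add_shell_entry() {
    file="$1"
    shell="$2"
    if grep -qxF "$shell" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$shell" >> "$file"
}

# Return 0 if the user's login shell in a passwd-format file is scponly.
shell_is_scponly() {
    file="$1"
    user="$2"
    awk -F: -v u="$user" '$1 == u { print $7 }' "$file" | grep -qx '/usr/bin/scponly'
}

# Server side, run as root: install scponly, restrict the account's shell,
# and pin the key itself down with sshd authorized_keys options.
setup_backup_account() {
    yum -y install scponly
    id backup >/dev/null 2>&1 || useradd -m backup
    usermod -s /usr/bin/scponly backup
    add_shell_entry "$SHELLS_FILE" /usr/bin/scponly
    shell_is_scponly /etc/passwd backup || return 1

    # The key is passphrase-less, so limit where it may be used from and
    # disable PTY allocation and all forwarding for it.
    install -d -m 700 -o backup -g backup /home/backup/.ssh
    {
        printf 'from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding '
        cat /root/.ssh/backup_key.pub
    } > /home/backup/.ssh/authorized_keys
    chown backup:backup /home/backup/.ssh/authorized_keys
    chmod 600 /home/backup/.ssh/authorized_keys
}

# Workstation side: an arbitrary command must be refused, while an rsync
# transfer over the same key must still succeed.
verify_from_workstation() {
    key="$HOME/.ssh/backup_key"
    if ssh -i "$key" backup@backuphost /bin/true 2>/dev/null; then
        echo "FAIL: backup account accepted an arbitrary command" >&2
        return 1
    fi
    rsync -a -e "ssh -i $key" "$HOME/photos/" backup@backuphost:photos/
}

case "${1:-}" in
    setup)  setup_backup_account ;;
    verify) verify_from_workstation ;;
esac
```

Run it as `sh script.sh setup` on the server and `sh script.sh verify` on the workstation. The `from=` and `no-*` options are independent of scponly: even if the restricted shell is later bypassed, the key can still only be used from the workstation and cannot open a terminal or tunnel.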

As I mentioned when describing the backup script, the script works great except for large amounts of data such as media collections. Over time my photo collection has grown to over nine thousand images and now consumes more than eighteen gigabytes of disk space. So today I decided to cron up rsync to synchronize my photos to the same location where my backups are sent every night. Unlike my backup script, rsync will only send the changes to the remote server not the entire archive.

After much debugging I discovered that the most recently released version of scponly does not work with rsync. The thread where this problem was first discussed started in March 2006, and more related posts can be found in subsequent months. Fortunately the scponly authors have fixed this bug in their CVS repository, so I built an RPM from the CVS version.

scponly-4.7CVS20071229-1.fc8.x86_64.rpm

scponly-debuginfo-4.7CVS20071229-1.fc8.x86_64.rpm

scponly-4.7CVS20071229-1.fc8.src.rpm

This package successfully upgrades the scponly package provided by Fedora. After upgrading it is worth confirming both that rsync transfers now succeed and that the backup account still refuses an ordinary shell login. Hopefully these RPMs are useful to someone.

Downloading source RPMs in Fedora

The main yum executable doesn't have an option for downloading source RPMs. Fortunately, this task is made easy by yumdownloader, which can be found in the yum-utils package.

yum install yum-utils
yumdownloader --source scponly

This will leave a copy of the scponly source RPM in the current directory.

A Preview of HTML 5

A Preview of HTML 5 gives a quick overview of some of the new features being worked on as part of HTML5. Especially interesting is the fact that HTML5 is being defined in terms of the DOM representation, not the syntax, as was done with previous versions of the standard. Also, two serializations, HTML and XHTML, will be supported.

Things that NAT breaks

Network address translation (NAT) has become so common on the Internet that many people consider it normal for their Internet access to use NAT. It may be common, but it is not how the Internet is supposed to work. A large amount of unnecessary complexity has to be added to applications to work around NAT.

For more information take a look at this list of things NAT breaks.

And just for the record, NAT is not a security device. This is the most common argument I hear when I try to tell people how much NAT complicates Internet software. The protection people credit to NAT actually comes from the stateful filtering that usually accompanies it, and a firewall can do that job without rewriting addresses. For more information on NAT and security read this NANOG thread (the topic changes to security and NAT a few posts in).

Thesis

Several weeks ago I successfully defended my MSc thesis. For anyone interested, here are the abstract and a PDF version.

The IP Per Process Model: Bringing End-to-end Network Connectivity to Applications

Abstract:

The application of the end-to-end principle in the design of the Internet has been fundamental to its success. One of the most important advantages of the end-to-end principle is that it allows the introduction of new services and protocols into the network without requiring changes to intermediate nodes. This greatly reduces the difficulties associated with developing and deploying new transport layer protocols and network services.

Traditionally, network protocol implementations are placed inside the operating system kernel. An alternative to this design found in the computing literature is user-level networking. User-level networking places the protocol implementation and processing inside the application. Among other advantages this design simplifies network stack development and deployment.

This thesis offers a network stack model based on user-level networking which has the primary goal of extending the benefits of the end-to-end principle to applications. This model is referred to as the IP per Process Model. A prototype of this model named Pnet/UNL has been built and evaluated against the Linux network stack. Performance evaluation shows this prototype to compare favorably against the Linux network stack on a 100 Mbps network but the performance gap widens at 1 Gbps.

Thesis in PDF format

Ontario Linux Fest

This past Saturday I spent the day at the Ontario Linux Fest which was held at the Toronto Congress Centre. Despite this being the inaugural year for the event it was very well organized and, I think, well attended. The number I heard was approximately 350 attendees. The most enjoyable aspect of the event was that it had a really nice community feel. Everywhere you looked there were groups of people chatting and having a good time. The only negative thing I can say is that many of the presentations were very high level. Given the broad audience this is not necessarily a bad thing but personally I was hoping for more technical detail. I really hope the organizers are able to do this again next year because I'll definitely be there.

I didn't have a real camera along so the best I can offer is this picture of Jon 'maddog' Hall's closing presentation taken with my N800.

Picture from the Ontario Linux Fest

Theme update

I have been using the default WordPress 2.3 theme for the last little while. The reason for this is that I wanted to use the new widget functionality in WordPress but my old theme did not support it. The widget feature I wanted most was the pull-down menus for the archive and category lists. These lists were simply getting too long and taking up too much space.

This weekend I got around to modifying my theme to support widgets and also making a large number of other small changes. Nothing huge but the theme is a lot cleaner now.

Unfortunately, due to a couple of WordPress bugs (#4287, #5168) the HTML on this site won't validate anymore. I find this quite annoying but manually patching WordPress files seems like too much trouble to do after each release. Hopefully these bugs get fixed soon.