Selcuk's Blog

Tuesday, March 10, 2015

Chroot, sftp, scp, ssh, limited shell in Red Hat Enterprise Linux 5 (OpenSSH 4.3p2 EL5)

       A few days ago, one of our clients asked for a domain for their application. They wanted sftp access and also needed to run ssh commands in bash as their user, but that user's shell is /bin/false :(

     After some searching I found rssh and lshell, but they didn't satisfy me.

    We have many subdomains on the RHEL5 server. Users have their own folders, which they reach over the ftp protocol. That's why every user's shell is /bin/false, but this time we needed to change that setting for one specific user.

Here are the steps.

Change the user's shell to /bin/bash:
     chsh -s /bin/bash username

Our folder structure is like this:


dir1, dir2 and dir3 are owned by root:root.

userhomefolder is owned by root:root with mode 755.

Go to the user's home folder.

mkdir -p home
mkdir -p dev
mkdir -p usr
mkdir -p usr/bin
mkdir -p bin
mkdir -p lib
mkdir -p usr/lib/openssh
mkdir -p etc
mkdir -p etc/pam.d/
mkdir -p root
chown username:usernamegroup root
chmod 755 root

mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/tty c 5 0
mknod dev/urandom c 1 9
chmod 666 dev/null
chmod 666 dev/zero
chmod 666 dev/tty
chmod 666 dev/urandom

cp /lib/ /lib/ /lib/ /lib/ /lib/ /lib/ ./lib/

cp /etc/hosts etc/
cp /etc/resolv.conf etc/
cp /etc/pam.d/* etc/pam.d/
cp -r /lib/security lib/
cp -r /etc/security etc/
cp /etc/login.defs etc/
cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /usr/lib/ usr/lib/
cp /lib/ lib/
cp /usr/lib/ usr/lib/

echo '#!/bin/bash' > usr/bin/groups
echo "id -Gn" >> usr/bin/groups
touch etc/passwd
grep /etc/passwd -e "^root" > etc/passwd
grep /etc/passwd -e "^username" >> etc/passwd
grep /etc/group -e "^root" -e "^users" > etc/group

So all these folders are owned by root, except the root folder (because of the ssh client).

After that, create a shell script under /usr/local/sbin or wherever you want. /usr/bin/sftp and /usr/libexec/openssh/sftp-server are not necessary yet, but are copied for future use.


#!/bin/bash
# Run this from inside the jail directory (the user's home folder).
APPS="/bin/sh /bin/bash /usr/sbin/chroot /bin/cp /bin/ls /bin/mkdir /bin/mv /bin/pwd /bin/rm /bin/rmdir /usr/bin/id /usr/bin/ssh /usr/bin/ssh-keygen /bin/ping /usr/bin/dircolors /bin/vi /usr/bin/sftp /usr/libexec/openssh/sftp-server"   # your apps here

for prog in $APPS; do
        mkdir -p ./$(dirname $prog) > /dev/null 2>&1
        cp $prog ./$prog

        # obtain a list of related libraries (only the "lib => /path" lines;
        # the dynamic loader itself, /lib/ld-linux.so.2, is printed without
        # "=>" by ldd and has to be copied into the jail by hand)
        if ldd $prog > /dev/null 2>&1; then
                LIBS=$(ldd $prog | awk '{ print $3 }')
                for l in $LIBS; do
                        mkdir -p ./$(dirname $l) > /dev/null 2>&1
                        cp $l ./$l > /dev/null 2>&1
                done
        fi
done

After that, run this script inside /dir1/dir2/dir3/userhomefolder/.

OK, we have one more step for chroot. The chroot command can only be run by root, so we need to write a small program:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char *argv[])
{
   char str_command[500] = "/root/ ";

   if (argc != 2) {
      fprintf(stderr, "usage: %s user_home_folder\n", argv[0]);
      return 1;
   }
   /* first parameter is the user's home folder; append it without overflowing the buffer */
   strncat(str_command, argv[1], sizeof(str_command) - strlen(str_command) - 1);
   setuid( 0 );
   system( str_command );

   return 0;
}

Save this code under any name you like; here it is call-script.c. Then compile it and set the permissions (the setuid bit is what lets a normal user run it as root):

make call-script
chmod +x call-script
chmod u+s call-script

Let's create the /root/ file:

#!/bin/bash
chroot "$1"   # this home path parameter comes from the call-script program

and set its permissions:

chmod +x /root/

And finally, go to the /etc/profile file and add this at the end of the file:

if [ "$USER" = "username" ]; then
    /usr/local/src/call-script username_home_folder
fi

You also need to make these changes in the sshd_config file:

Subsystem       sftp    internal-sftp
ChrootDirectory %h
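The call-script wrapper above hands argv[1] to system() while running as root, so whoever can execute it also controls a root shell command line, and it never checks that the directory it is about to chroot into is actually a jail. As an added example (my own code, not the blog's), here is a wrapper that does the same job but only accepts a plain directory name directly under a fixed base (JAIL_BASE, set to /dir1/dir2/dir3/ from the post, is an assumed placeholder), confirms the directory is root-owned and not group/world writable (the same condition sshd applies to ChrootDirectory), and executes /usr/sbin/chroot directly with execv() so no shell ever parses the argument:

```c
/* Added example (not the blog's code): a hardened setuid wrapper around chroot.
 * JAIL_BASE is an assumed placeholder: the parent directory of all user jails. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define JAIL_BASE  "/dir1/dir2/dir3/"   /* assumed placeholder from the post */
#define CHROOT_BIN "/usr/sbin/chroot"
#define JAIL_SHELL "/bin/bash"           /* copied into the jail by the APPS script */

/* Returns 1 if 'path' is an acceptable jail: absolute, directly under
 * JAIL_BASE, a single component of at most 64 chars drawn from [A-Za-z0-9_-].
 * Dots are rejected too, which rules out "..", hidden dirs and "john.doe"
 * style names; widen the allowlist deliberately if you need them.
 * Pure string check, no filesystem access. */
int jail_path_ok(const char *path)
{
    size_t base_len = strlen(JAIL_BASE);
    const char *name;

    if (path == NULL || strncmp(path, JAIL_BASE, base_len) != 0)
        return 0;
    name = path + base_len;
    if (*name == '\0' || strlen(name) > 64)
        return 0;
    for (const char *p = name; *p; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
              (*p >= '0' && *p <= '9') || *p == '_' || *p == '-'))
            return 0;
    }
    return 1;
}

/* Returns 1 if 'path' is a directory owned by root and not writable by group
 * or others: the invariant sshd enforces for ChrootDirectory, and the one
 * that stops the jailed user from planting files that run as root. */
int jail_dir_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;
    return 1;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !jail_path_ok(argv[1]) || !jail_dir_ok(argv[1])) {
        fprintf(stderr, "usage: call-script " JAIL_BASE "<username>\n");
        return 1;
    }
    if (setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    /* Fixed argument vector: the user picks only the directory name, never the command. */
    char *chroot_argv[] = { CHROOT_BIN, argv[1], JAIL_SHELL, NULL };
    execv(CHROOT_BIN, chroot_argv);
    perror("execv");   /* only reached if exec itself failed */
    return 1;
}
```

Build and install it exactly as the post does for call-script (make, chmod u+s). In /etc/profile I would call it as `exec /usr/local/src/call-script /dir1/dir2/dir3/username_home_folder`, so that when the jailed shell exits the login session ends instead of falling through to the unchrooted bash that started /etc/profile.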

I also created a web folder in the user's home dir and pointed Apache's DocumentRoot at that web folder.


Wednesday, May 28, 2014

Sieve and ManageSieve on Red Hat EL 6 with Dovecot 2.0.9

Last time, I switched delivery on our MTA to the Dovecot LDA instead of procmail.

Let's add sieve functions to dovecot.

First, stop everything :)

# service postfix stop

# service dovecot stop

After that you must install dovecot pigeonhole with

yum install dovecot-pigeonhole

Then go to the dovecot/conf.d directory.
1. Edit your 15-lda.conf file and uncomment the mail_plugins parameter in the protocol lda section:

protocol lda {
  mail_plugins = $mail_plugins sieve
}

We have two additional files here for sieve configuration, 20-managesieve.conf and 90-sieve.conf.

2. Go to the 90-sieve.conf file and edit the parameters below (they sit inside the plugin block):

plugin {
  sieve = /var/sieve-scripts/%u.sieve
  sieve_dir = /home/vmail/domains/sieve/%n/.sieve
}

The variables expand as follows:
 %u  full username (e.g. user@domain)
 %n  user part of user@domain, same as %u if there's no domain
 %d  domain part of user@domain, empty if the user has no domain

3. In the 20-managesieve.conf file uncomment the lines

  protocols = $protocols sieve


  inet_listener sieve {
    port = 4190
  }

and add these parameters at the end of the file:
plugin {
  # Used by both the Sieve plugin and the ManageSieve protocol
  sieve = /var/sieve-scripts/%u.sieve
  sieve_dir = /home/vmail/domains/sieve/%n/.sieve
}

* Our mail_location is mbox:/home/vmail/domains/%d/%u and there is no mail_home config parameter. The home directory comes from an OpenLDAP field (Jamm schema).

And the scripts folder looks like this:
drwxr-xr-x 2 vmail vmail 4096 May 28 14:43 /var/sieve-scripts

And start everything:
# service postfix start
# service dovecot start

I suggest you change the delivery method to LDA first and install the sieve parts after that. If you have a webmail interface like Roundcube or AfterLogic, you can install its managesieve or filter plugin and then start creating your filters.

Friday, May 23, 2014

Convert Mail Delivery from Procmail to Dovecot 2.0.9 on Red Hat EL 6

Maybe you installed an MTA system like this one:


So I installed this MTA system, but our delivery method remained procmail. Over the last two days I tried to change the delivery system from procmail to dovecot, and after that I installed the dovecot-pigeonhole sieve manager, so users can create their own filters and so on. Before that there was no need for these things; everybody was happy.

HowTo:

First, stop everything:

service postfix stop
service dovecot stop

OK, these are the steps from procmail to dovecot:

1. in

change mailbox_command to

mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

change virtual_transport to 
virtual_transport = dovecot
and add
dovecot_destination_recipient_limit = 1

2. in

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}

In this example our user is vmail; you must change it to your own.

3. In dovecot/conf.d/15-lda.conf add the log file values:
protocol lda {
  log_path = /var/log/dovecot-lda-errors.log
  info_log_path = /var/log/dovecot-lda.log
  debug_log_path = /var/log/dovecot-lda-errors.log
}
Maybe not all of these log values are necessary, but it works :) I didn't touch them.

4. In dovecot/conf.d/10-master.conf uncomment mode and user; remember vmail is our user here:

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Its default
  # permissions make it readable only by root, but you may need to relax these
  # permissions. Users that have access to this socket are able to get a list
  # of all usernames and get results of everyone's userdb lookups.
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
    #group =
  }
}

Finally, start everything:

service postfix start
service dovecot start

That's it.

I hope this helps someone else.

Wednesday, November 20, 2013

BIND DNS Subdomain Settings For Office 365

When you have a BIND DNS server with subdomains and you want to add the Office 365 e-mail server settings for one of the subdomains, you need to add the records below to your master zone file (the host names and targets are the ones Office 365 gives you for your domain).
; Microsoft Office 365
        IN      MX      0
        IN      TXT     "v=spf1 -all"
        IN      CNAME
        IN      CNAME
        IN      CNAME
; Microsoft Lync Online
        IN      SRV     100 1 443
        IN      SRV     100 1 5061
        IN      CNAME

Monday, October 07, 2013

SQL Server Index Fragmentation Monitoring


This is a very simple monitoring command for SQL Server. Of course you must create a Database Mail profile first.


DECLARE @xml NVARCHAR(MAX)
DECLARE @body NVARCHAR(MAX)

-- one <tr> per index with more than 30% fragmentation (heaps, whose index name is NULL, are skipped)
SET @xml = CAST(( SELECT Object_name(d.object_id) AS 'td', s.name AS 'td1'
      , LTRIM(Str(avg_fragmentation_in_percent, 25, 3)) AS 'td2'
    FROM sys.dm_db_index_physical_stats (DB_ID('AdventureWorks2012'), NULL, NULL, NULL, 'LIMITED') d
    JOIN sysindexes s ON d.object_id = s.id
                     AND d.index_id = s.indid
    WHERE avg_fragmentation_in_percent > 30 AND s.name IS NOT NULL
    FOR XML PATH('tr') ) AS NVARCHAR(MAX))

SET @body = '<html><body><H3>Index Fragmentation Results</H3>
<table border = 1>
<tr>
<th> Table Name </th> <th> Index Name </th> <th> Avg. Rate </th> </tr>'

SET @body = @body + @xml + '</table></body></html>'
SET @body = REPLACE(@body,'td1','td')
SET @body = REPLACE(@body,'td2','td')

EXEC msdb.dbo.sp_send_dbmail
    @profile_name = 'dbmail', -- you have to create this
    @recipients = '',         -- your address here
    @body = @body,
    @body_format = 'HTML',
    --@execute_query_database = 'AdventureWorks2012', --maybe necessary
    @subject = 'Index Monitoring' ;

Tuesday, April 19, 2011

PDFCreator AutoSave Folder Reset on Windows 2008 R2

Just set it in the registry:

Under the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PDFCreator\Program key, set the Auto-Save folder value.

Monday, March 14, 2011

Simple On-Access Scan Solution for ClamAV on Red Hat

ClamAV is a powerful antivirus solution for Linux. But if you want to add on-access scan functionality to ClamAV you must recompile your kernel with DazukoFS, which I think is quite a difficult process on running systems.

There is another alternative using inotify-tools. Here are the steps:

1. Install ClamAV for Linux.
2. Install inotify-tools for Linux:
2.1 wget
2.2 Go to the inotify-tools source, inotifywait.c line 310
2.3 Add these lines before the "fflush( NULL );" statement:

char *scanfiles;
/* full path of the file the event refers to: watched directory + file name */
nasprintf( &scanfiles, "%s%s", inotifytools_filename_from_wd( event->wd ), event->name );
char command[1000];
/* build the scan command without overrunning the fixed buffer */
snprintf( command, sizeof command, "/usr/local/clamav/bin/clamscan -r --remove %s", scanfiles );
system( command );   /* scan the new or changed file */
free( scanfiles );

2.4 Go to the installation dir of inotify-tools
2.5 Run
make install
2.6 Add this line to rc.local:

nohup /usr/local/bin/inotifywait -qq -r -m -e create,close_write /watch_folder_name/ > /dev/null &

You can also add these parameters before the folder name if you have Joomla or another application (the quotes must be included):

--exclude "refTableSQL/*" --exclude "cache/*"

And that's it. When a new file is created or replaced, or whatever event occurs, ClamAV scans those files.

I hope this is helpful for someone.