Archive for the CentOS 6 Category

Running scripts as root from PHP

| December 12th, 2015

I needed to integrate a Linux server with our existing web application, which involved dynamically changing iptables rules by a bash script. For obvious reasons, the script needed root privileges to execute successfully.

On CentOS (and a handful of other distros), Apache processes run as the apache user by default. To call a script with root privileges and dump out the output from PHP, we can use the shell_exec command with sudo:

<?php
    echo shell_exec("sudo /usr/sbin/mycommand.sh");
?>

Unsurprisingly, The apache user doesn’t have sudo privileges by default, so we need to add a line to the /etc/sudoers file using the visudo command. Visudo makes sure that the file’s syntax is correct before applying the new rules, which is especially important if you have the root user disabled in your system.

The following line will allow the apache user to run the above dummy example script (and nothing else) with sudo without asking for a password:

apache ALL=NOPASSWD: /usr/sbin/mycommand.sh

If you need to run more than one command, just add them separated by commas.

There might be one more thing to change in /etc/sudoers: at this point if the output is empty and the command silently fails, it’s because sudo is set to only be used directly from the terminal. To lift this requirement for a certain command or user, use the following:

# This line is probably in sudoers somewhere,
# disallowing script usage
Defaults    requiretty
 
# To allow our script to be run from anywhere,
# add the following line:
Defaults!/usr/sbin/mycommand.sh !requiretty
 
# Alternatively you can enable apache user
# to run all allowed commands from anywhere.
# (Not recommended, be as specific as you can be!)
Defaults:apache !requiretty
Security warning

Please make sure you think about security and be especially careful when accepting user input as command parameters to avoid injection attacks. It’s also good idea to implement some sort of authentication before executing the code path with the script.

I only needed it for communication between servers, so I put it in an Apache VirtualHost on a custom port and made sure it’s only accessible from the other server’s internal IP address.

source: http://codebin.co.uk/blog/running-scripts-as-root-from-php/

i have a task to rsync all files and folders which is older than 3 days in capacity 2TB.

Here is the way i did.

# touch -mt 09201200 /tmp/compare
[[email protected] media.live]# ll /tmp/ |grep compare
-rw-r--r--   1 root     root        0 Sep 20 12:00 compare

the run the find command:

find /.../product -type f -newer ./tmp/compare -exec stat {} \; |egrep "File|Modify"

it should list all the files which is modified from 09201200 date up to present.

then you will have file list. just need to run rsync to do the last step.

Transparent Huge Pages (THP) are enabled by default in RHEL 6 for all applications. The kernel attempts to allocate hugepages whenever possible and any Linux process will receive 2MB pages if the mmap region is 2MB naturally aligned. The main kernel address space itself is mapped with hugepages, reducing TLB pressure from kernel code…
Read more:
https://access.redhat.com/solutions/46111
more »

Install Bad Wolf Color for Vim

| August 14th, 2015

So we have a good color for vim which give your more visualization about vim editor.

Bad Wolf looks like a good candidate
https://github.com/sjl/badwolf/

Here is the instruction how to install color for vim

1. Copy colors/badwolf.vim to ~/.vim/colors/badwolf.vim; create directories if needed. Alternatively, git clone into ~/.vim/bundles/ and use the Pathogen package manager, or specify the repository with the Vundle package manager, etc.

2. In your ~/.vimrc, put / replace any existing :colorscheme command with:
colorscheme badwolf

more »

When you are using special fonts for your terminal and it could not display correctly. We need to install these front to make it work better

So Powerline fonts is a good candidate and easy to install on MacOS and Linux
https://github.com/powerline/fonts
more »

Because I investigated this for a project, Linux (at least RHEL) mailx can use a remote SMTP server, thus enabling us to test whether that server allows email sending from our application.

mailx -S smtp=<smtp-server-address> -r <from-address> -s <subject> -v <to-address> < content.txt

Where “-S smtp ” is the crucial component (that apparently AIX mail/mailx doesn’t support) allowing you to send through a remote server rather than a locally-configured server.

-v is "verbose"
content.txt is a local file that contains the body of the test message I'm sending.


more »

One day you received a keypair is shared by your colleagues and you would like to check where is it correct or not

The private key contains a series of numbers. Two of those numbers form the “public key”, the others are part of your “private key”. The “public key” bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the commands:

$ openssl x509 -noout -text -in server.crt
$ openssl rsa -noout -text -in server.key

more »

in some cases, we would like to have dedicated php-fpm server to serve LB php processes.

PHP-FPM Configuration
Modify the listen line:

listen = 10.10.10.10:9000

Modify the listen.allowed_clients line to allow your load balancer or Nginx server:

listen.allowed_clients = 10.10.10.20

more »

Here is some command to test your puppet syntax

# "bundle exec rake spec" <= check whole puppet script
# "bundle exec rake spec SPEC_OPTS=-fd" <= with debug mode
# "bundle exec rake syntax" <= check syntax
# "bundle exec rspec spec/hosts/server_spec.rb" <= check puppet script on specific host

In this article, , let us review how to generate private key file (server.key), certificate signing request file (server.csr) and webserver certificate file (server.crt) that can be used on nginx server.

Step One — Create the SSL Certificate

We can start off by creating a directory that will be used to hold all of our SSL information. We should create this under the Nginx configuration directory:

# sudo mkdir /etc/nginx/ssl

Now that we have a location to place our files, we can create the SSL key and certificate files in one motion by typing:

# sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

more »