Originally Published: Tuesday, 3 October 2000 Author: Mike Baker
Published to: interact_articles_irc_recap/IRC Recap

Best of IRC for Tuesday, October 3rd!

Welcome to yet another edition of Best of IRC. As always, we'll be taking an in-depth look at some of the questions asked on #Linuxhelp. If you haven't already been to #Linuxhelp you'll find instructions on how to get there at the bottom of the Live! page; feel free to stop by and ask questions or possibly even answer a few.

Tcpd

Anyone know a daemon which can trigger a script on port activity?
<phalanx> I'd like a daemon listening on 110 and when a Win client is banging on this port, fetchmail has to be triggered.
<MbM> you know you can just set fetchmail to automatically fetch every 5 min or whatever right?
<phalanx> Yes, have that now but when there's no client active why should fetchmail fill up the logs?
<MbM> oh I see what you're saying, you have a pop3 server and you want it to fetch mail every time someone connects?
<phalanx> MbM: Got it!
<phalanx> MbM: Win client <- linux POP qmail <- ISP pop
<phalanx> MbM: when win client connects, fetchmail has to fetch mail from ISP to Linux gateway
<freon> phalanx : sounds like something you might have to write yourself...
<phalanx> freon: :-(
<MbM> phalanx: in your hosts.allow file try this: in.pop3d: spawn fetchmail -r /root/.fetchmailrc
<phalanx> MbM: that's all?
<MbM> phalanx: that should do it (emphasis on should)

You don't need a special daemon to do this; you can accomplish it through tcpd. When a connection comes in on your pop3 port, inetd runs the tcp_wrappers program (usually /usr/sbin/tcpd) rather than the service itself. tcpd looks the client up in /etc/hosts.allow first and then in /etc/hosts.deny; the first matching rule wins, and if neither file mentions the client at all, access is granted. If everything is cool, tcpd passes control to the actual service for that port. In a normal situation that's all you see of tcpd, but it can do much more.

There are a few options you can add to your hosts.allow and hosts.deny files to make tcpd more useful. If you look carefully through the tcpd documentation (hosts_options(5)), you'll find references to the spawn and twist options. spawn launches a program when a connection to that service arrives and then carries on as usual, while twist launches a program instead of the service. Let's take a look at how inetd starts tcpd and the pop3 service:

pop3 stream tcp nowait root.mail /usr/sbin/tcpd in.pop3d

While you may find that your inetd.conf is slightly different, the principle is the same. Each line of inetd.conf is split into fields separated by whitespace: the first four describe the service and its socket, the fifth is the user (and optional group) the server runs as, here root.mail, and the remainder tell inetd which program to run. We're only interested in the latter portion of the line for this example, specifically '/usr/sbin/tcpd in.pop3d'. The first argument given to tcpd names both the program tcpd will run and the keyword in hosts.allow and hosts.deny that refers to it. To get tcpd to run fetchmail before in.pop3d, we need to add the following line to our hosts.allow:

in.pop3d: ALL: spawn fetchmail -f /root/.fetchmailrc

Now, what does this mean? The 'in.pop3d' is there because that's the first argument to the tcpd program; the keyword 'ALL' says which clients this line applies to. The last part of the line is the command to spawn: tcpd hands it to /bin/sh with stdin, stdout and stderr connected to /dev/null and waits for it to finish before in.pop3d answers. If we wanted to avoid the delay, we could background fetchmail with an &, but that defeats the purpose since the mail would still be downloading while the client was checking. Bear in mind that a spawned command runs with the same privileges as tcpd itself (root in this inetd.conf line), so treat hosts.allow with the same care as any root-owned script.

What other settings can I put in my hosts.allow/hosts.deny?
<MbM> freon: no, this is actually a command for the tcpd program
<freon> I understand what tcpd does
<freon> I was unclear what phalanx was doing
<MbM> freon: spawn loads something before the connection is established and twist runs something instead of the normal service
<freon> really? I have never heard of those options... sounds handy
<MbM> freon: the other rarely known thing is that you can use hosts.allow and hosts.deny to block on a per user basis

The other option you can use is twist. twist is useful if you want to deny access to a port but still hand the client an error message. If you want to deny all access to your telnet daemon except from 192.168.0.0/24, you'd add these lines:

In hosts.allow:
in.telnetd: 192.168.0.0/255.255.255.0

In hosts.deny:
in.telnetd: ALL: twist /bin/echo "Permission denied"

For a bit more fun you can use user@host syntax instead of ALL:
in.telnetd: root@ALL: twist /bin/echo "remote user is root"

The username in this pattern is the remote username as reported by the identd (RFC 931) server on the client's machine, which tcpd queries only when a rule needs it. You may find this syntax useful to allow only certain users from the remote machine, such as allowing yourself access from the school computer lab. Keep in mind that the answer comes from the remote host: whoever controls that machine can make its identd report any name, so user@host is a convenience for filtering, not authentication.
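As an added illustration that is not part of the original article, here is a small Python model of how tcpd walks hosts.allow and then hosts.deny using the telnet and pop3 rules shown above (plus a default-deny ALL: ALL catch-all line, a common addition that the article does not show). It exercises the first-match evaluation order, the net/mask and user@host client patterns, spawn versus twist, and tcpd's %-expansion with its replacement of shell metacharacters. The client addresses and ident usernames are constructed for the demo, and the exact character set tcpd sanitizes is approximated.

```python
"""Added example, not code from the original article: a toy evaluator that
imitates the order in which tcpd consults hosts.allow and hosts.deny.  It
supports only the subset of hosts_access(5)/hosts_options(5) syntax used on
this page: ALL, dotted-quad addresses, net/mask patterns, user@host patterns
and the spawn / twist / allow / deny options.  Rule texts, client addresses
and ident usernames below are constructed for the demo."""

import ipaddress
import re

# Constructed rule files.  The telnet and pop3 rules are the article's; the
# final ALL: ALL line is the usual default-deny catch-all (not from the article).
HOSTS_ALLOW = """
in.telnetd: 192.168.0.0/255.255.255.0
in.pop3d:   ALL: spawn fetchmail -f /root/.fetchmailrc
"""

HOSTS_DENY = """
in.telnetd: root@ALL: twist /bin/echo "remote user is root"
in.telnetd: ALL:      twist /bin/echo "Permission denied"
ALL:        ALL:      spawn /bin/echo "%d refused %u@%a"
"""


def parse_rules(text):
    """Yield (daemons, clients, options) for each rule in one hosts.* file.
    Colons inside option commands are not supported by this toy parser."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        yield fields[0].split(), fields[1].split(), fields[2:]


def host_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:          # net/mask form, e.g. 192.168.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern == addr


def client_matches(pattern, addr, ident_user):
    """user@host patterns compare the name the client's identd reported;
    that value is chosen by the remote side and is not verified."""
    if "@" in pattern:
        user, pattern = pattern.split("@", 1)
        if user != "ALL" and user != ident_user:
            return False
    return host_matches(pattern, addr)


def expand(command, daemon, addr, ident_user):
    """%-expansion as tcpd does it: %d daemon, %a client address, %u ident
    user, %% a literal percent.  Shell metacharacters in substituted values
    become '_' (tcpd does the same; the exact set here is an approximation)."""
    def clean(value):
        return re.sub(r"[^A-Za-z0-9._@/-]", "_", value)
    subs = {"d": clean(daemon), "a": clean(addr), "u": clean(ident_user), "%": "%"}
    return re.sub(r"%(.)", lambda m: subs.get(m.group(1), m.group(0)), command)


def decide(daemon, addr, ident_user="unknown"):
    """Return (service_runs, actions).  hosts.allow is searched first, then
    hosts.deny; the first matching rule decides; if nothing matches at all,
    tcpd grants access."""
    for default, text in (("allow", HOSTS_ALLOW), ("deny", HOSTS_DENY)):
        for daemons, clients, options in parse_rules(text):
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if not any(client_matches(p, addr, ident_user) for p in clients):
                continue
            verdict, actions = default, []
            for opt in options:
                word, _, arg = opt.partition(" ")
                if word in ("allow", "deny"):   # explicit override of the file's default
                    verdict = word
                elif word == "spawn":           # run the command, then proceed as decided
                    actions.append("spawn " + expand(arg.strip(), daemon, addr, ident_user))
                elif word == "twist":           # the command replaces the service entirely
                    verdict = "twist"
                    actions.append("twist " + expand(arg.strip(), daemon, addr, ident_user))
                else:
                    raise ValueError("unsupported option: " + opt)
            return verdict == "allow", actions
    return True, []


if __name__ == "__main__":
    for args in (("in.telnetd", "192.168.0.7"), ("in.telnetd", "10.0.0.9"),
                 ("in.telnetd", "10.0.0.9", "root"), ("in.pop3d", "10.0.0.9"),
                 ("in.ftpd", "10.0.0.9", "bob;id")):
        print(args, "->", decide(*args))
```

The last case in the demo is the one to notice: a daemon with no rule of its own falls through to the catch-all only because that catch-all exists; without the ALL: ALL line in hosts.deny, tcpd would let the connection through. The sanitized "bob_id" in the spawned command is why %u in a spawn or twist line is not by itself a shell injection hole, though the ident value is still untrusted data.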

chmod

What do the various chmod numbers mean?
<guest234> I'm having trouble with chmod, I've chmod'd my ~/public_html directory all the way to drwxrwxrwx and yet my apache still complains of permission errors, how do I fix my permissions and what does it mean to "chmod 751" a directory?

Often you'll see references to commands like chmod 660 /dev/dsp. The digits are permission bits for the different classes of user: the three digits in the example represent the owner, the group and everyone else respectively. Each digit is octal, 0-7, and is built by adding:

+1 execute permission
+2 write permission
+4 read permission
In our example of 660, the owner of the file and the group it belongs to can both read and write /dev/dsp while anyone else has no access at all. For directories the bits mean something slightly different: execute permission on a directory lets a user enter it and open files inside it by name, while read permission lets the user list its contents. You may find it useful to give only execute where you want to grant access to a subdirectory without letting anyone list the directory itself, such as chmod 751 on your home directory: the owner keeps full access, the group can list and enter it, and everyone else (the web server user included) can only pass through on the way to ~/public_html. That is also why drwxrwxrwx on public_html by itself doesn't help: if the home directory above it has no execute bit for the web server's user, the server never gets as far as public_html.
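As an added example that is not part of the original article, the Python below turns a chmod number into the rwx string ls shows and then walks a path the way the kernel does, one directory at a time, to show why drwxrwxrwx on ~/public_html still fails when the home directory above it lacks the execute bit for the web server user. The uids, gids, paths and directory modes are constructed for the demo; root's permission bypass and the setuid/setgid/sticky bits are not modelled.

```python
"""Added example, not code from the original article: decode chmod numbers
and check a path the way the kernel does.  All uids, gids and modes here are
constructed for the demo."""

WWW_UID, WWW_GID = 33, 33          # constructed: the web server's uid/gid
USER_UID, USER_GID = 1000, 1000    # constructed: guest234's uid/gid
WANT = {"r": 4, "w": 2, "x": 1}


def mode_to_string(octal_digits):
    """'660' -> 'rw-rw----', the form ls -l prints (special bits not modelled)."""
    bits = int(octal_digits, 8)
    out = []
    for shift in (6, 3, 0):                  # owner, group, other
        triple = (bits >> shift) & 0o7
        out.append("r" if triple & 4 else "-")
        out.append("w" if triple & 2 else "-")
        out.append("x" if triple & 1 else "-")
    return "".join(out)


def triple_for(owner, group, mode, uid, gids):
    """Pick the owner, group or other triple exactly as the kernel does: the
    first class that applies is used, even if a later one is more generous."""
    bits = int(mode, 8)
    if uid == owner:
        return (bits >> 6) & 0o7
    if group in gids:
        return (bits >> 3) & 0o7
    return bits & 0o7


def access(path_entries, uid, gids, want="r"):
    """path_entries: (name, owner_uid, group_gid, octal_mode) from the root
    down to the target.  Every directory on the way needs 'x' (search) for
    the requester; the final entry needs the bit named by `want`.
    Returns (ok, reason)."""
    *dirs, (name, owner, group, mode) = path_entries
    for dname, downer, dgroup, dmode in dirs:
        if not triple_for(downer, dgroup, dmode, uid, gids) & 1:
            return False, "no execute (search) permission on " + dname
    if not triple_for(owner, group, mode, uid, gids) & WANT[want]:
        return False, "no %s permission on %s" % (want, name)
    return True, "ok"


def tree(home_mode, public_html_mode="777"):
    """Constructed directory tree for guest234's web page."""
    return [
        ("/", 0, 0, "755"),
        ("/home", 0, 0, "755"),
        ("/home/guest234", USER_UID, USER_GID, home_mode),
        ("/home/guest234/public_html", USER_UID, USER_GID, public_html_mode),
        ("/home/guest234/public_html/index.html", USER_UID, USER_GID, "644"),
    ]


if __name__ == "__main__":
    for m in ("660", "751", "777"):
        print(m, mode_to_string(m))
    # The web server reading index.html with a 700 home and a 777 public_html.
    print("home 700:", access(tree("700"), WWW_UID, {WWW_GID}))
    # Same request after chmod 751 ~ ; public_html no longer needs to be 777.
    print("home 751:", access(tree("751", "755"), WWW_UID, {WWW_GID}))
    # 751 still keeps outsiders from listing the home directory itself.
    print("list home as www:", access(tree("751")[:3], WWW_UID, {WWW_GID}, "r"))
    print("list home as owner:", access(tree("751")[:3], USER_UID, {USER_GID}, "r"))
```

The triple_for check is the part people trip over: the kernel stops at the first class that applies, so a file with mode 077 that you own gives you nothing even though "everyone else" has full access. That same rule is why loosening public_html does nothing when the requester is classed as "other" on the home directory and that triple lacks x.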



