Another nice way to create users on Linux that only have rights for scp/ftp/cvs/rdist/rsync is RSSH (restricted ssh).

Example (for Debian)

installation

apt-get install rssh

configure the rights by editing the config file (uncomment the things he should be able to do)

vi /etc/rssh.conf

add a user or modify an already existing user

useradd -m -d /home/heinzi -s /usr/bin/rssh heinzi
usermod -s /usr/bin/rssh heinzi

Now the user can only access the system through the applications you chose for him in rssh.conf.

By default a user has a lot of rights, nothing really critical, but why allow him to peek into any config files if he doesn't really need to? So I was looking for a way to limit the rights of a remote user without the need to chmod a lot of files. The first way I found was to create a jail shell. This is a pretty cool way to limit a user to a handful of commands and prevent him from leaving his home directory. It works with both SFTP (easy) and SSH (a bit more configuration) and can be applied either to a user or to a group. The user is named "heinzi" in this example:

SFTP

user

  Match User heinzi
  ChrootDirectory /home/heinzi
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand /usr/lib/openssh/sftp-server

group

  Match Group users  
  ChrootDirectory /home
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand /usr/lib/openssh/sftp-server

restart ssh

/etc/init.d/ssh restart 

The user should now be limited to his home directory.
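
The check below is an added example, not part of the original post: sshd refuses a chrooted login unless every directory from the ChrootDirectory up to / is owned by root and not writable by group or others, which a home directory created with useradd -m (owned by the user) does not satisfy. The function names, the optional owner/top arguments and the scratch tree are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for an sshd ChrootDirectory path.
# sshd requires every directory from the chroot target up to / to be owned
# by root and not writable by group or others.

# check_dir DIR OWNER_UID: succeed only if DIR is a directory owned by
# OWNER_UID with no group/other write bit set.
check_dir() (
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "FAIL $dir: not a directory" >&2; exit 1; }
    set -- $(stat -c '%u %a' "$dir")    # GNU stat: owner uid, octal mode
    [ "$1" = "$owner" ] || { echo "FAIL $dir: owner uid $1, want $owner" >&2; exit 1; }
    [ $(( 0$2 & 022 )) -eq 0 ] || { echo "FAIL $dir: mode $2 is group/other writable" >&2; exit 1; }
)

# check_chroot_path PATH [OWNER_UID] [TOP]: walk from PATH up to TOP.
# The defaults (uid 0, TOP=/) match what sshd enforces; the two optional
# arguments are hypothetical helpers so the walk can run on a scratch tree.
check_chroot_path() (
    path=$1 owner=${2:-0} top=${3:-/}
    while :; do
        check_dir "$path" "$owner" || exit 1
        case $path in "$top"|/|.) exit 0 ;; esac
        path=$(dirname "$path")
    done
)

# Constructed demo tree standing in for / -> /home -> /home/heinzi.
demo=$(mktemp -d)
mkdir -p "$demo/home/heinzi"
chmod 755 "$demo" "$demo/home" "$demo/home/heinzi"
me=$(id -u)
check_chroot_path "$demo/home/heinzi" "$me" "$demo" && echo "clean tree: ok"
chmod 775 "$demo/home/heinzi"     # e.g. a home directory left group-writable
check_chroot_path "$demo/home/heinzi" "$me" "$demo" || echo "writable home: rejected"
rm -rf "$demo"

# On the real server (as root): check_chroot_path /home/heinzi
```

If the check fails for the chroot target, make that directory root-owned with mode 755 and give the user a writable subdirectory inside it.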

Here is the example for SSH:

SSH

apt-get install sudo debianutils coreutils

get the script that does a lot of configuration for us

cd /usr/local/sbin
wget http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh
chmod 700 /usr/local/sbin/make_chroot_jail.sh

look through the script and check whether it contains all the APPS you need

vi /usr/local/sbin/make_chroot_jail.sh

create symlink back to home

cd /home
ln -s . home

create jailshell

make_chroot_jail.sh heinzi /bin/bash /home

configure /etc/ssh/sshd_config

vi /etc/ssh/sshd_config

add at end of file

user

  Match User heinzi
  ChrootDirectory /home
  AllowTCPForwarding no
  X11Forwarding no

group

  Match Group users
  ChrootDirectory /home
  AllowTCPForwarding no
  X11Forwarding no

restart ssh

/etc/init.d/ssh restart 

When Bacula jobs get the status "E" but the FileDaemon tells you that everything was OK, then you probably have to set the heartbeat interval in your Bacula configuration files. It worked for me to set "Heartbeat Interval = 1 minutes" in the FileDaemon and StorageDaemon configuration files.

"java.lang.InstantiationException: jms.xml: port 9240 already in use"

This error can occur if you try to start the oc4j (startinst.bat on Windows) and the oc4j was not shut down with the shutdown script that is delivered by Oracle. Just execute the shutdown script (stopinst.bat on Windows). That should solve your problem.

If you want to run XPlanner+ with the security manager of Tomcat turned on, you need to grant the following permissions (tested with tomcat5):

permission javax.security.auth.AuthPermission "modifyPrincipals";
permission java.net.SocketPermission "127.0.0.1:3306","connect, resolve";
permission java.net.SocketPermission "localhost:9090","connect,resolve";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote";
permission java.lang.RuntimePermission "accessClassInPackage.javax.el";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.io.FilePermission 
"/var/lib/tomcat5.5/webapps/xplanner-plus/xplanner-plus-activity.log", "read,write";
permission java.io.FilePermission "*","read";
permission java.io.FilePermission "/usr/share/tomcat5.5/common/-","read";
permission java.io.FilePermission "/usr/share/tomcat5.5/bin/bootstrap.jar", "read";
permission java.io.FilePermission "/usr/share/java/commons-daemon.jar", "read";
permission java.io.FilePermission 
"/var/lib/tomcat5.5/webapps/xplanner-plus/WEB-INF/classes/logging.properties","read";
permission java.util.PropertyPermission "*","read,write";
permission java.net.SocketPermission "jakarta.apache.org:80","connect,resolve";

I tested these permissions on Debian Lenny. The xplanner-plus-activity.log is in this path because I changed it manually. The reason is that there seems to be a bug in the log4j configuration, which I already reported.

Some years ago a colleague introduced a tool named XPlanner in our project. I was a little bit sceptical, because it was originally designed for agile development, which is not exactly what I was used to. But after some days I noticed that it is a really good tool to keep an eye on your own tasks, and also on the tasks of your colleagues, which is important, for example, if you are waiting for some feature to be finished to complete your own work.
I really liked it! But a while ago development stopped completely. A lot of people were waiting for a new version, and there seem to be a lot of installations still out there. I also tried some other tools for XP or agile development, but I could not find anything comparable.
XPlanner is simple and fast. You need about ten minutes to explain to somebody else how to use it.

Some weeks ago I came upon XPlanner+, which is a continuation of XPlanner. Maxim Chirkov seems to be the lead developer, and is doing a good job. I am currently trying to make it run on Debian, which is not that easy, mainly because of my (lack of) Tomcat skills.
This project is really worth keeping an eye on!

And again a Tomcat issue! If you ever come across

Cannot configure CacheManager: 
file:/var/lib/tomcat5.5/webapps/testappl/WEB-INF/classes/ehcache.xml:12: 
Could not set attribute "path"

in your logfiles, you have a permission problem on your Tomcat application server. If you are on Debian, go to the directory /etc/tomcat5.5/policy.d/, choose the right file (system/debian/webapps/catalina/admin policy) and add the following permission:

permission java.util.PropertyPermission "java.io.tmpdir", "read";

After restarting your Tomcat (/etc/init.d/tomcat5.5 restart on Debian) this config issue should be gone.

I am trying to get a web application to run on Debian. This application needs the sun-jdk, not the GNU-jdk. The following is reproducible at will:

A) WORKS:
apt-get install sun-java6-jdk sun-java6-plugin
apt-get install tomcat5.5 tomcat5.5-admin

B) DOES NOT WORK:
apt-get install tomcat5.5 tomcat5.5-admin
apt-get install sun-java6-jdk sun-java6-plugin

A does not install the gcj VM; B installs gcj + sun (that's fine).

I tried to make B choose the sun-jdk with

update-alternatives --config java
update-alternatives --config javac
update-java-alternatives --set java-6-sun

When starting the tomcat-manager, Java 1.5 is always displayed. After running apt-get remove java-gcj-compat, the manager is not able to run anymore.

There seems to be an issue when Tomcat is installed without a sun-java-jdk (or jre) being present. I am investigating further.

Today I spent about an hour looking for the patch to upgrade my newly installed Oracle Developer Suite to 10.1.2.3. It was hard to find, because Oracle renamed the product on the update page to "Oracle Fusion Middleware Family".

If you wanna get it, here is the Patchset Number: 5983622.

After installing the new font (see previous post) we had another problem. It was a font that was not commonly used, so most of the clients did not have it installed on their PCs.
That means Adobe Reader tries to simulate the font by using MM fonts (see Wikipedia for that). The result is awesome, almost the same without installing a font. But it's just almost the same. The customer wanted to have exactly the same one. So we had to decide whether to use embedding or subsetting (differences are listed here).

We decided on the commonly used subsetting. Subsetting is easy in Oracle Reports... most of the time... You simply look for your uifont.ali file, edit it and put, for example, "testfont" = "testfont.ttf" in the [PDF:Subset] section. You can check whether the font is embedded by looking in the properties of the generated PDF file.
In my case it did not work.

The reason was that I took the "FontName" entry from the AFM file and not the "FamilyName" entry. That means it is not "testfont" = "testfont.ttf" but "testfontfamily" = "testfont.ttf".
It worked perfectly after a reports server restart.

A short time ago a customer wanted a "corporate identity" font in his report output files (PDF). Installing a new font in Windows is easy: just copy the .TTF file to c:\windows\fonts and Windows will take care of the rest. It's not so easy on Linux/Unix. The Oracle documentation is ... a lot; I counted 5 different sections in the documentation where they were talking about almost the same thing, and there was no short howto. Here is a small recipe for installing a font on a Linux Reports Server. I hope I did not forget anything, comments welcome.
  • Download a converter that is able to convert TTF files to Adobe Type 1. I did it with ttf2pt1 for Windows, which can be downloaded here.
  • Create the AFM file for your font (e.g. c:\program......\gnuwin32\bin\ttf2pt1.exe .\testfont.ttf).
  • Create a new directory on the Linux reports server.
  • Copy your TTF and AFM files in there.
  • Change the file $ORACLE_HOME/bin/reports.sh so that it includes the newly created directory with the font files.
  • ! Use dos2unix on the AFM file (e.g. dos2unix testfont.afm) so you can ensure your FTP transfer did not change anything. This step cost me several hours.
  • Copy the AFM file to $ORACLE_HOME/guicommon/tk/admin/AFM.
  • Edit the printer file (in most circumstances screenprinter.ppd) in $ORACLE_HOME/guicommon/tk/admin/PPD and add the new font in the *Font section, for example: *Font testfont Standard "(00.1001)" Standard ROM. ! Ensure that the font name is the same as the one in the FontName entry of the AFM file.
  • Restart the reports server (by using "opmnctl stopall" and "opmnctl startall").