Aligning WebDAV and Linux permissions (Monday 19th November 2012)
I wanted to set up a directory that I could write to easily over WebDAV running on Apache2. I also wanted to be able to use these same files locally as a standard user.
Any file system access by WebDAV in Apache is done under the credentials of the Apache process (e.g. wwwuser:wwwgroup), not those of the authenticated WebDAV user. So a file created over WebDAV is owned by the Apache user and a file created locally is owned by you, and in each case the other party is locked out by the file permissions.
This can be worked around by using groups and access control lists.
I created a group called "davusers" containing everybody who needs read/write access to the shared directory (which has to include the user the Apache process runs as), made it the group of the directory with chgrp, and set the SGID flag on the directory:
chmod g+s sharedfolder
With the "s" bit set on a directory's group, anything created inside it inherits the directory's group rather than the creator's primary group (new subdirectories also inherit the SGID bit itself). This means any new files or folders are automatically set up with the group "davusers" for me.
The next hurdle is Apache's umask (usually 022): a file created by Apache gives read/write to its owner (the Apache process user) but only read to the group.
To combat this we can use "setfacl" to add a default access control list entry for the group:
setfacl -m d:g::rwx sharedfolder
What this bizarre combination of letters does: "d:" makes it a default entry, i.e. one that is inherited by everything created inside the directory rather than applied to the directory itself; "g::" is the owning group (there is no group name between the colons, so it means whatever group the directory has, here "davusers"); "rwx" is the permission set. In effect, new files and directories get group read/write/execute regardless of the creating process's umask. Note that a default ACL only affects entries created after it is set; anything already in the directory needs fixing separately (e.g. "setfacl -R -m g::rwX sharedfolder").
With these combined, I now get files owned by whoever created them (either Apache or a local user), but the group is always "davusers" and that group can always edit the files too.
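The whole procedure above (group, SGID directory, default ACL) as one script, with a probe that creates a file the way a umask-022 process would so you can see what group and mode it ends up with. This is an added example, not code from the original post; the group name "davusers" and the Apache user "www-data" are assumptions, and it assumes Linux with GNU coreutils and the acl package installed.

```shell
#!/bin/sh
# Added example (not from the original post): shared directory for Apache mod_dav
# and local users. Assumes Linux, GNU coreutils and setfacl/getfacl from the acl
# package. "davusers" and "www-data" are assumed names; substitute your own.

# One-off step, needs root: create the shared group and add the Apache user and
# each local user to it. Not called automatically below.
create_dav_group() {
    group=$1; shift
    groupadd "$group"
    for user in "$@"; do
        usermod -aG "$group" "$user"
    done
}

# Make DIR group-owned by GROUP, group-writable and SGID (mode 2775, rwxrwsr-x)
# so new files and subdirectories inherit GROUP instead of the creator's primary
# group. An unprivileged user can only set SGID for a group it is a member of.
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
    # Default ACL entry for the owning group: "d:" = inherited by new entries,
    # "g::" = the owning group (no name between the colons), "rwx" = permissions.
    # This is what stops Apache's 022 umask leaving new files group-read-only.
    if ! setfacl -m d:g::rwx "$dir" 2>/dev/null; then
        echo "warning: default ACL not applied (no setfacl, or filesystem lacks ACL support)" >&2
        return 0
    fi
    # Default ACLs only affect entries created afterwards; bring existing
    # content into line. Capital X grants execute only to directories and to
    # files that are already executable.
    setfacl -R -m g::rwX "$dir"
}

dir_mode()  { stat -c %a "$1"; }   # octal mode including the SGID bit, e.g. 2775
dir_group() { stat -c %G "$1"; }

# Create a file the way a process with umask 022 (Apache's usual setting) would,
# then report "GROUP MODE" for it. With the default ACL in place the group
# comes out as the directory's group and the mode as 664 instead of 644.
probe_new_file() {
    dir=$1
    (umask 022; : > "$dir/probe.txt")
    stat -c '%G %a' "$dir/probe.txt"
}

# Usage: sh share.sh /srv/dav davusers   (after create_dav_group has been run)
if [ $# -eq 2 ]; then
    setup_shared_dir "$1" "$2"
    getfacl "$1"
    probe_new_file "$1"
fi
```

Run getfacl on the directory afterwards: you should see a "default:group::rwx" line, and the probe file's group should be the shared group rather than your own primary group.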
DD-WRT not returning Internet traffic to subnet (Thursday 15th November 2012)
I have been struggling with getting my VPN client to access the Internet when I redirect the gateway through my VPN server.
I discovered that I could contact the Internet gateway from inside the VPN, but when I tried to hop through it to the Internet I never got a response. A bit of packet sniffing showed that the SYNs were being sent, but I never got an ACK back.
My Internet router is running DD-WRT, and whilst it had a static route set up to reach the VPN clients (which worked), Internet traffic wasn't getting back to them.
Luckily with a bit of troubleshooting with a colleague I got the right words for my Google Kung-Fu and hit on this thread:
The issue comes down to SNAT (Source NAT). When a host on an internal network sends data out, a NAT router (which is what most home Internet routers are) rewrites the packet's source address to the router's public address before sending it on. Replies from the Internet are therefore addressed to the router, which translates them back and forwards them to the internal host, rather than being sent to a private address that does not exist on the Internet and getting dropped.
By default, DD-WRT only applies SNAT to the LAN network configured in the basic settings. Traffic from any additional subnet leaves with its private source address intact, so the replies can never find their way back and the packets just vaporise into the ether that is the Internet (which is exactly the "SYN sent, nothing comes back" symptom). To cover your extra network you have to add an "iptables" POSTROUTING rule in the nat table.
As per the thread linked above, you can do this with this command:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT -s 192.168.2.0/24 --to `nvram get wan_ipaddr`
Pay attention to the back-ticks ` rather than single quotes ' being used. Back-ticks are shell command substitution: the shell runs the command between them and pastes its output into the command line. `get_wanface` prints the name of the WAN interface (e.g. vlan2 or ppp0) and `nvram get wan_ipaddr` prints the router's current WAN IP address, so the rule is built from the live configuration rather than hard-coded values. In this example I've set my second subnet to be 192.168.2.0/255.255.255.0. If you omit the -s option then traffic from any source will be translated, which works but is broader than it needs to be.
Put this into your firewall startup script to ensure it sticks over a reboot.
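A firewall startup script built around the rule above that handles more than one extra subnet and can be re-run without stacking duplicate rules. This is an added example, not code from the original post or the DD-WRT project; the subnet list is an assumption to edit for your network, and `get_wanface` / `nvram get wan_ipaddr` are the DD-WRT helpers used by the page.

```shell
#!/bin/sh
# Added example (not from the original post or DD-WRT): SNAT for extra subnets
# behind a DD-WRT router, safe to run repeatedly. EXTRA_SUBNETS is an assumed
# list; edit it for your network. Set DRY_RUN=1 to print the iptables commands
# instead of applying them.

EXTRA_SUBNETS="192.168.2.0/24 192.168.3.0/24"

# Rule arguments for one subnet: translate its traffic leaving WANFACE to WANIP.
# Kept as a separate function so the rule text can be inspected without
# touching the live nat table.
snat_rule() {
    subnet=$1; wanface=$2; wanip=$3
    echo "-o $wanface -s $subnet -j SNAT --to $wanip"
}

# Heuristic presence check that works on old DD-WRT builds whose iptables lacks
# "-C": look for an existing SNAT rule in POSTROUTING for this subnet and WAN IP.
rule_present() {
    subnet=$1; wanip=$2
    iptables -t nat -L POSTROUTING -n 2>/dev/null \
        | grep '^SNAT' | grep -F "$subnet" | grep -qF "to:$wanip"
}

# Insert the SNAT rule for one subnet unless an equivalent rule already exists,
# so re-running the firewall script does not accumulate duplicates.
add_snat() {
    subnet=$1; wanface=$2; wanip=$3
    rule=$(snat_rule "$subnet" "$wanface" "$wanip")
    if [ -n "$DRY_RUN" ]; then
        echo "iptables -t nat -I POSTROUTING $rule"
        return 0
    fi
    if rule_present "$subnet" "$wanip"; then
        echo "SNAT for $subnet already present, skipping" >&2
        return 0
    fi
    # $rule is deliberately unquoted so the shell splits it into arguments.
    iptables -t nat -I POSTROUTING $rule
}

main() {
    # Back-ticks/$(...) are command substitution: the helpers print the WAN
    # interface name and current WAN address, which are spliced into the rule.
    # If your WAN address changes (DHCP/PPPoE), a fixed "--to" address goes
    # stale; "-j MASQUERADE" (no --to) always uses the interface's current
    # address and is the usual choice for dynamic WAN links.
    wanface=$(get_wanface)
    wanip=$(nvram get wan_ipaddr)
    for net in $EXTRA_SUBNETS; do
        add_snat "$net" "$wanface" "$wanip"
    done
}

# Only apply rules where the DD-WRT helper exists (i.e. on the router itself);
# elsewhere the functions can be exercised with DRY_RUN=1.
if command -v get_wanface >/dev/null 2>&1; then
    main
fi
```

Paste the script into Administration > Commands and save it as the firewall script; DD-WRT re-runs it after a reboot, and the presence check keeps repeated runs from adding a second copy of each rule.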
Gesture middle click (Thursday 1st November 2012)
I've just got a new laptop, so expect to see some generic hacks appearing on here over the next few months.
First off, it has one of those awful gesture/multi-touch track pads, which just ends up making things difficult because a nudge will set them off.
The first problem I had was that there was no middle click function in my particular vendor's install (joy), even though I know the driver supports it.
Luckily, somebody has already figured this out.
Adding middle click to Synaptics touch