Saturday, 7 January 2012

How to Debug Rewrite Rules with Apache


 

RewriteLog "/myfolder/mylogfile.log" 
RewriteLogLevel 3
 
Please note that:
 
  • it can slow down your server a lot
  • you should not leave this in production for long (even with RewriteLogLevel set to 0 – instead, remove both directives)
If you want to learn more about these two directives:

Original Post: http://blog.nexcess.net/2011/12/19/debugging-apache-rewrites-and-redirects/

In the curl session below, a left angle bracket (<) marks a response from the server, and a right angle bracket (>) marks what the client (curl, in this case) sent.

senseexcept-lm:~ hitesha$ curl --verbose --head --location www.yahoo.com
* About to connect() to www.yahoo.com port 80 (#0)
*   Trying 98.139.180.149... connected
* Connected to www.yahoo.com (98.139.180.149) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.16.4 (i386-apple-darwin9.0) libcurl/7.16.4 OpenSSL/0.9.7l zlib/1.2.3
> Host: www.yahoo.com
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Date: Sat, 07 Jan 2012 16:40:13 GMT
Date: Sat, 07 Jan 2012 16:40:13 GMT
< P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
< Cache-Control: private
Cache-Control: private
< Set-Cookie: IU=deleted; expires=Fri, 07-Jan-2011 16:40:12 GMT; path=/; domain=.yahoo.com
Set-Cookie: IU=deleted; expires=Fri, 07-Jan-2011 16:40:12 GMT; path=/; domain=.yahoo.com
< Set-Cookie: fpc=d=62nSIYYXWh.YRIFs4999Ph1zERHiOCTvaBLdbi5i3LWiDkwct_jexHLg8L_bfL0jsECYnDKSrGhBAGve9VycrVM9N.QAZWBMuCtDTeYY9qkv8.xVvJvmNb9XFHgeBwNQSsY7w94U7_.lOvoisDvarPneTNMe8nP8toplokK_sV84ogfdqmCCxOCe4af6wI3MmZfTKF8-&v=2; expires=Sun, 06-Jan-2013 16:40:13 GMT; path=/; domain=www.yahoo.com
Set-Cookie: fpc=d=62nSIYYXWh.YRIFs4999Ph1zERHiOCTvaBLdbi5i3LWiDkwct_jexHLg8L_bfL0jsECYnDKSrGhBAGve9VycrVM9N.QAZWBMuCtDTeYY9qkv8.xVvJvmNb9XFHgeBwNQSsY7w94U7_.lOvoisDvarPneTNMe8nP8toplokK_sV84ogfdqmCCxOCe4af6wI3MmZfTKF8-&v=2; expires=Sun, 06-Jan-2013 16:40:13 GMT; path=/; domain=www.yahoo.com
< Location: http://in.yahoo.com/?p=us
Location: http://in.yahoo.com/?p=us
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Age: 0
Age: 0
< Connection: keep-alive
Connection: keep-alive
< Server: YTS/1.20.0
Server: YTS/1.20.0

<
* Connection #0 to host www.yahoo.com left intact
* Issue another request to this URL: 'http://in.yahoo.com/?p=us'
* Disables POST, goes with HEAD
* About to connect() to in.yahoo.com port 80 (#1)
*   Trying 121.101.152.229... connected
* Connected to in.yahoo.com (121.101.152.229) port 80 (#1)
> HEAD /?p=us HTTP/1.1
> User-Agent: curl/7.16.4 (i386-apple-darwin9.0) libcurl/7.16.4 OpenSSL/0.9.7l zlib/1.2.3
> Host: in.yahoo.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 07 Jan 2012 16:40:14 GMT
Date: Sat, 07 Jan 2012 16:40:14 GMT
< P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
< Cache-Control: private
Cache-Control: private
< Set-Cookie: IU=deleted; expires=Fri, 07-Jan-2011 16:40:13 GMT; path=/; domain=.yahoo.com
Set-Cookie: IU=deleted; expires=Fri, 07-Jan-2011 16:40:13 GMT; path=/; domain=.yahoo.com
< Set-Cookie: PH=deleted; expires=Fri, 07-Jan-2011 16:40:13 GMT; path=/; domain=.yahoo.com
Set-Cookie: PH=deleted; expires=Fri, 07-Jan-2011 16:40:13 GMT; path=/; domain=.yahoo.com
< Set-Cookie: fpc=d=JgEWsD4UWh.7t0gCxPiBAO3.lhOy5fuIS7.0f6.nKmlAB38s64fQvVZcwcRo43CXVNNumllSE5G_oj7ISZj3n59Ki4xEit.x6r1HIT8N278OalgmLFy_WeTq7TES3v2.1PnqnHTf_AZcLrwclutenqSf4LJ9MO1JNxH8XfV.SwaCQd9LOjM6s5KYpLsH.z1EnESrooY-&v=2; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
Set-Cookie: fpc=d=JgEWsD4UWh.7t0gCxPiBAO3.lhOy5fuIS7.0f6.nKmlAB38s64fQvVZcwcRo43CXVNNumllSE5G_oj7ISZj3n59Ki4xEit.x6r1HIT8N278OalgmLFy_WeTq7TES3v2.1PnqnHTf_AZcLrwclutenqSf4LJ9MO1JNxH8XfV.SwaCQd9LOjM6s5KYpLsH.z1EnESrooY-&v=2; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
< Set-Cookie: fpc=d=S8TNp6AUWh8pruj6562p7VI3GhA.iiDbpEwhF2mxTJ9U2pmN9SKV55DPxOhZtBpQoROkCz2VHLF_1cpqLRnfIIZlumKqgLMKUHAvFVlS_JUP9o6LBdjiAm6f_kvXfpWQQSD6qmR4ZIcRcJl9Oa4LupfpjSE40iyRYATS780m6OW44R94vxiL.Z1mJxnkR37u_IKRk0lX77KPovhShJeRvMftJ3E2MKquhblUaoaIjuStX6JsRAyoO6iRfZJDsP9uv.0_l0rM&v=2; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
Set-Cookie: fpc=d=S8TNp6AUWh8pruj6562p7VI3GhA.iiDbpEwhF2mxTJ9U2pmN9SKV55DPxOhZtBpQoROkCz2VHLF_1cpqLRnfIIZlumKqgLMKUHAvFVlS_JUP9o6LBdjiAm6f_kvXfpWQQSD6qmR4ZIcRcJl9Oa4LupfpjSE40iyRYATS780m6OW44R94vxiL.Z1mJxnkR37u_IKRk0lX77KPovhShJeRvMftJ3E2MKquhblUaoaIjuStX6JsRAyoO6iRfZJDsP9uv.0_l0rM&v=2; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
< Set-Cookie: fpps=_page=%7B%22wsid%22%3A%2221445690%22%7D; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
Set-Cookie: fpps=_page=%7B%22wsid%22%3A%2221445690%22%7D; expires=Sun, 06-Jan-2013 16:40:14 GMT; path=/; domain=in.yahoo.com
< Set-Cookie: fpt=d=aS68.yfXeczppyKttfFELEaqVxoxTepIVTZcCs4QI0YnY9uoGKrAOyc379WQuBVI7iSNhLZ1m20TH9OAxITki79pAece9Khcu8XfmClaXxtWsouOzuPjpAtYyAQVFHuAJI0x0QU8JD2UErJtHiBBBRjlfC.BU.da3aWT3AETz93pXx7LSvj_m9YweDx_UegK5yghY0x6bBFhuAYDr2DrjcJOVE5yGlI5_cdjRpgmkCL.gGks64HkZG1ZLpg8ubutzij9jam.1kmJFLvKleHMksMgJgvDPW4EWA9C.xEK6y9HUsDEzzePZv3jMrCWuHAY23exbqmHG_uYFaiYOAAiTf8vEMZoqCptokVclXu_xz89klL4IvWDj6UQzpxmwaQc.yNL.2QK.hXmgDqRljny1ip2e3b1hF0HtdNZHSSaq2ftU4ynCaIQqhG6negjD8wEu8aXQy8d6FphWtiEYr3GJRrn6UQGD5efQ7dFfeA7yxHv188BeBRsOAA5AgmVZgFDMmgeBXPuFHq5uV4GG9sPkG273Jcn37QU3zLP&v=1; path=/; domain=in.yahoo.com
Set-Cookie: fpt=d=aS68.yfXeczppyKttfFELEaqVxoxTepIVTZcCs4QI0YnY9uoGKrAOyc379WQuBVI7iSNhLZ1m20TH9OAxITki79pAece9Khcu8XfmClaXxtWsouOzuPjpAtYyAQVFHuAJI0x0QU8JD2UErJtHiBBBRjlfC.BU.da3aWT3AETz93pXx7LSvj_m9YweDx_UegK5yghY0x6bBFhuAYDr2DrjcJOVE5yGlI5_cdjRpgmkCL.gGks64HkZG1ZLpg8ubutzij9jam.1kmJFLvKleHMksMgJgvDPW4EWA9C.xEK6y9HUsDEzzePZv3jMrCWuHAY23exbqmHG_uYFaiYOAAiTf8vEMZoqCptokVclXu_xz89klL4IvWDj6UQzpxmwaQc.yNL.2QK.hXmgDqRljny1ip2e3b1hF0HtdNZHSSaq2ftU4ynCaIQqhG6negjD8wEu8aXQy8d6FphWtiEYr3GJRrn6UQGD5efQ7dFfeA7yxHv188BeBRsOAA5AgmVZgFDMmgeBXPuFHq5uV4GG9sPkG273Jcn37QU3zLP&v=1; path=/; domain=in.yahoo.com
< Set-Cookie: fpc_s=d=hVjAbR8UWh.3C6IKs4uB5Br.uhIQuGAdy635M1qsR7rU3lCDZexkFtqPmxIo_NNjWWY.HMGPDLNVNsSLY0hfPspxeAFXlfn_NEUJIuprb6yCx0eEKtShbiiZgT5s_9XEwZ_3IOuCz3Z55NDE8.q1VQHOhpQe80T9TgYCROHmruHPAuuaShN2U8ZtUtLlzuc1iz6EwFnXOzwyYiuOeFylk_vK4wMm36ixCDUuAbdJzmzPHymxOaniTOG78kCf7419PRkJjU8zeBrvCSZ3MKJPDRvmOWSTdDoRLcoFJWytG7kSoDGHWDi3Qi2ZofGSkOUfM5tf8Y2F7JxQ_BPDmepo.vN9FPfTSAX8YQWVn7KImHwQ8etGnwtjHU1X53LqeOszpdQzJFRz.56Io6ZhKggx5Sw19C8ZeaFSvL07x2DGZU2B1R95&v=2; path=/; domain=in.yahoo.com
Set-Cookie: fpc_s=d=hVjAbR8UWh.3C6IKs4uB5Br.uhIQuGAdy635M1qsR7rU3lCDZexkFtqPmxIo_NNjWWY.HMGPDLNVNsSLY0hfPspxeAFXlfn_NEUJIuprb6yCx0eEKtShbiiZgT5s_9XEwZ_3IOuCz3Z55NDE8.q1VQHOhpQe80T9TgYCROHmruHPAuuaShN2U8ZtUtLlzuc1iz6EwFnXOzwyYiuOeFylk_vK4wMm36ixCDUuAbdJzmzPHymxOaniTOG78kCf7419PRkJjU8zeBrvCSZ3MKJPDRvmOWSTdDoRLcoFJWytG7kSoDGHWDi3Qi2ZofGSkOUfM5tf8Y2F7JxQ_BPDmepo.vN9FPfTSAX8YQWVn7KImHwQ8etGnwtjHU1X53LqeOszpdQzJFRz.56Io6ZhKggx5Sw19C8ZeaFSvL07x2DGZU2B1R95&v=2; path=/; domain=in.yahoo.com
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html;charset=utf-8
Content-Type: text/html;charset=utf-8
< Age: 0
Age: 0
< Connection: keep-alive
Connection: keep-alive
< Server: YTS/1.20.0
Server: YTS/1.20.0
* no chunk, no close, no size. Assume close to signal end

<
* Closing connection #1
* Closing connection #0
senseexcept-lm:~ hitesha$

The above curl command, `curl --verbose --head --location www.yahoo.com`, tells curl to be verbose, to send a HEAD request instead of a GET, and to follow any "Location: [...]" response it receives from the server (telling it to go to a new location -- a 302 HTTP redirect). In this case, as we've seen above, curl re-runs the request with the updated location as the input URL. This behavior mimics that of browsers, but it isn't curl's default.

There are some cases when we might need to simulate a browser more closely. If your application handles GET requests and ignores HEAD, you might need to omit '--head' and instead use '-o /dev/null' to write the downloaded file out to nowhere. You could also leave this out, which will dump the page source to your STDOUT (effectively the same as '-o -'). You might also need to specify a user agent string to trigger specific site behavior such as a mobile site. Let's try with example.com again. We're going to simulate a request from an iPhone running iOS 5.0 using Safari, with '--trace-ascii' for full geek mode, which will show us even more details that could be useful for optimizing mobile content. We'll also use curl's '--limit-rate' option to slow down the transfer to a crawl (2G cellular GPRS speeds that an average connection might see -- 25kbit/sec):

 curl --trace-ascii - --location -o /dev/null \
   --user-agent 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3' \
   --limit-rate 25k example.com

Tar over secure ssh

How do I use tar command over secure ssh session?

The GNU version of the tar archiving utility (and other older versions of tar) can be used across the network over an ssh session. Do not use the telnet command; it is insecure. You can use Unix/Linux pipes to create archives. The following command backs up the /wwwdata directory to the host dumpserver.nixcraft.in (IP 192.168.1.201) over an ssh session.
The default first SCSI tape drive under Linux is /dev/st0.

# tar zcvf - /wwwdata | ssh root@dumpserver.nixcraft.in "cat > /backup/wwwdata.tar.gz"
OR
# tar zcvf - /wwwdata | ssh root@192.168.1.201 "cd /tmp;cat > /backup/wwwdata.tar.gz"
Output:
tar: Removing leading `/' from member names
/wwwdata/
/wwwdata/n/nixcraft.in/
/wwwdata/c/cyberciti.biz/
....
..
...
Password:
You can also use the dd command for clarity:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "dd of=/backup/wwwdata.tar.gz"
It is also possible to dump backup to remote tape device:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "cat > /dev/nst0"
OR you can use mt to rewind tape and then dump it using cat command:
# tar cvzf - /wwwdata | ssh root@192.168.1.201 "mt -f /dev/nst0 rewind; cat > /dev/nst0"
You can restore a tar backup over an ssh session:
# cd /
# ssh root@192.168.1.201 "cat /backup/wwwdata.tar.gz" | tar zxvf -
If you wish to use the above commands in a cron job or script, consider SSH keys to get rid of the passwords.

Netcat for debugging

Original Post: http://dustinbreese.blogspot.com/2008/09/debugging-with-netcat.html



Debugging with Netcat

Wanted to spotlight one of my favorite utilities -- NETCAT. It's probably my most favorite of utilities. I've used it for years in debugging network issues, especially web issues. It's been described as "The TCP/IP Swiss Army Knife." It's very powerful.

I use it frequently to grab and send http requests. It allows you to see the exact bytes sent/received on the wire from your browser.

Using netcat to grab an http request
1) Start netcat in listen mode on a port and save the request.
$ nc -l -p 9999 | tee somerequest.http

2) Perform a sample HTTP request using a browser: http://localhost:9999/index.html
3) View the request -- you'll see the entire HTTP request payload (headers & content):
GET /index.html HTTP/1.1
Host: localhost:9999
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Using netcat to play back an http request
Easy as capturing a request -- just redirect the saved HTTP request using:

$ nc www.google.com 80 < somerequest.http > someresponse.http

You may notice that the response looks garbled -- this is probably due to the fact that it is GZipped-encoded. Look for a header such as "Content-Encoding: gzip". You could re-submit the request after removing the "Accept-Encoding:" header and it will no longer be in gzip format.
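To read a response captured this way without re-sending the request, the following added example (not from the original post) decodes the raw bytes of someresponse.http: it splits the status line and headers, reassembles a chunked body, and gunzips it when the server answered with Content-Encoding: gzip. The sample response is constructed inline; pass a file name to decode a real capture.

```python
"""Decode a raw HTTP response saved by `nc ... > someresponse.http` so the body
is readable. Added example, not from the original post."""
import gzip
import sys
import zlib


def dechunk(body):
    """Reassemble a chunked body: <hex size>[;ext]CRLF <data> CRLF ... 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                       # skip the data and its CRLF


def parse_response(raw):
    """Return (status line, {lower-case header: value}, decoded body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                                        # tolerate bare-LF captures
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    # otherwise the body runs until the server closed the connection
    # (what curl reports as "no chunk, no close, no size")
    encoding = headers.get("content-encoding", "").lower()
    if encoding == "gzip":
        body = gzip.decompress(body)
    elif encoding == "deflate":
        try:
            body = zlib.decompress(body)                    # zlib-wrapped deflate
        except zlib.error:
            body = zlib.decompress(body, -zlib.MAX_WBITS)   # raw deflate
    return status, headers, body


def build_sample():
    """Constructed response (not a real capture): a gzip body sent in two chunks."""
    payload = gzip.compress(b"<html><body>hello from netcat</body></html>")
    chunks = [payload[:10], payload[10:]]
    body = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n" + body)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    status, headers, body = parse_response(raw)
    print(status, headers.get("content-encoding", "identity"))
    print(body.decode(errors="replace"))
```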

Cool Things to Do to Impress Your Friends
1) Copy a file from 1 server to another
Netcat just reads & dumps bytes to and from ports. Very simple. To copy a file from one server to another without using SSH/FTP/RCP/etc, just do this:
On the source server, just redirect a file to a port:
$ nc -l -p 9999 < somefile.txt

On the destination server, just connect to that port and redirect the bytes to a local file:
$ nc source.server.com 9999 > somefile.txt

You may want to do a checksum on the file to ensure contents were not modified or somehow broken.

2) Copy segments of a file (i.e., restarting a transfer)
If you are doing the above transfer and something occurred which caused the network to fail, you can simply send just parts of the file and concatenate the new segments to the old file. You just need to know how many bytes the destination file already has, then use "dd" to strip them off. In the following example, the destination already had the first 12,000,150 bytes, so we will skip those (dd takes the count without commas):

$ dd bs=1 skip=12000150 if=somefile.txt | nc -l -p 9999

Then, just simply append the new contents to what you already have on the destination:
$ nc source.server.com 9999 >> somefile.txt

3) Give shell access
Netcat can be used to pipe STDIN/STDOUT to a process, too. This can be dangerous, but also powerful. :)

This example creates a network pipe to bash, so anyone connecting to the listener port will have the users bash command access:

$ nc -l -p 9999 -e /bin/bash

Probably, a better way to utilize this feature is to perform a quick backup of a directory. On the source server, type (the -q 5 option tells netcat to close the connection 5 seconds after reaching EOF):

$ tar zcfv - somedir | nc -q 5 -l -p 9999

Then, on the destination server, type:

$ nc myserver.com 9999 > somedir.tar.gz

3b) If you have the "pv" utility installed, you can get progress information displayed on your terminal. pv just displays information about the bytes traveling through a pipe.

tar zcf - somedir | pv | nc -l -p 9999
61.3MB 0:00:30 [ 2MB/s] [ <=> ]

4) Port scanning
Netcat can act as a port-scanner, too.

$ nc -v -z localhost 1-100
localhost [127.0.0.1] 80 (www) open

5) Opening Shell with nc
$ mkfifo backpipe
$ eval /bin/bash <backpipe | nc -l 12345 >backpipe

From another box:
$ nc server 12345    (voila, you have a shell exposed)

What about HTTPS?
Stunnel is another one of my favorite utilities. It allows you to tunnel TCP/IP connections over SSL. It also can act as an HTTPS proxy so that you can stick with HTTP traffic locally, but switch to HTTPS when you put it on the wire.

This is very handy when you don't have control over the server and it only talks https, but you want to take a look at the packets/HTTP messages between your client and the server.

I'll do another post soon on how to use stunnel to handle https.

Alternatives
Wireshark/tcpdump -- packet analyzers. Very nice and powerful (Wireshark used to be called Ethereal).
TcpMon -- was bundled with earlier versions of Axis 1.x, but not sure where it went now; it just sat in the middle between TCP/IP connections and listened, logged, and forwarded in real time.
Firebug Firefox plugin -- nice for HTTP debugging.

Tuesday, 3 January 2012

How to setup automounters on a Redhat Linux System

AUTOFS -- to automatically mount devices (floppy/cdrom) or NFS mount points

RPM required: autofs (on my box it is autofs-5.0.1-0.rc2.102)

Config Files:

# rpm -qc autofs-5.0.1-0.rc2.102

/etc/auto.master -- Master map for the automounter
The auto.master map is consulted to set up automount managed mount points when the autofs(8) script is invoked or the automount(8) program is run. Each line describes a mount point and refers to an autofs map describing file systems to be mounted under the mount point.

/etc/auto.misc
/etc/auto.net
/etc/auto.smb
/etc/autofs_ldap_auth.conf
/etc/rc.d/init.d/autofs
/etc/sysconfig/autofs


What does automount mean:
An automount daemon mounts and unmounts filesystems when they are accessed, as and when required. This minimizes the number of active mount points and is mostly transparent to users.


                       automount - autofs - /etc/auto.master
   ==========================================

/usr/sbin/automount*       - User-land automounter process or Binary
/etc/auto.master           - Master config file
/etc/auto.misc             - Later
/etc/rc.d/init.d/autofs    - InitScript to start/stop autofs

* automount is a background process that configures a single mount point for
  autofs, the kernel portion of the Linux automounter

* The startup script /etc/rc.d/init.d/autofs starts the automount* daemon which
  parses a master file - /etc/auto.master - and runs the automount* daemon for
  each of the listed mounts

  It's typical to see a running instance of the automount* daemon for each
  automatic mount point that has been configured in /etc/auto.master

                                /etc/auto.master
                                ----------------------

* The /etc/auto.master file associates a mount point with a map.

* The map translates the directory name accessed - the key - into a command line
  that mount* can use to perform the real mount

Format : Consists of 3 fields :

    1. The key - Specifies the mount root dir to use for FSs specified in the
                 map file [next field]

    2. The map file - which can be a text file, an exec prg, a NIS or LDAP DB

    3. Timeout value used to determine when to unmount the automounted FS

*  Eg

                        /etc/auto.master
                        ----------------

        # Mt Pt     File to consult     options
        # ------    ---------------     -------
          /mnt      /etc/auto.misc      --timeout 60
          /funny    /etc/auto.misc      --timeout 60


                        /etc/auto.misc
                        --------------

Format : Consists of 3 fields :

    1. The key - Usually also the name of the subdir that you would access
                 to cause the device or FS specified in the 3rd field to be
                 mounted

    2. Comma-separated list of options to pass to the mount program

    3. Device driver / target NFS server

                        /etc/auto.misc
                        --------------

        floppy      -fstype=auto,user           :/dev/fd0
        cdrom       -fstype=iso9660,ro,user     :/dev/cdrom
        smile                                   nfsserver:/jokes

Note:
        The options field (second column) of the smile entry is blank. You could
        leave it blank or put soft,intr,rsize=8192,wsize=8192 etc. This corresponds
        to the "-o" options given when mounting an NFS share on a client from the CLI


        Finally do a service autofs restart

        service autofs status or ps -el to check

---> If a user accesses the cdrom dir [ by doing cd /mnt/cdrom ], the
     automounter will construct a mount cmd and mount the device driver -
     /dev/cdrom -  on /mnt/cdrom and time out after 60 secs

=================================================

EXAMPLE 1:
-------

---> On nfsserver, set up an NFS server and export /jokes
     Do not forget portmap on both machines

---> On nfsclient, do this [do not forget to create the dirs "/funny/smile"]:

     # cd /funny/smile
     # ls
      and you will be automounting the nfsserver:/jokes on nfsclient's local
      /funny/smile

MO:  When you access /funny/smile, the automount* daemon, which is monitoring
     you, will then construct a mount command like this:

          mount nfsserver:/jokes /funny/smile
                |                |     |
                from             from  from
                /etc/auto.misc   auto.master  auto.misc


So eventually automount will mount nfsserver:/jokes to /funny/smile

=================================================
EXAMPLE 2: Automounting HomeDirs of Users from master nfsserver -- Indirect maps

On nfsserver export /home

On nfsclient
/etc/auto.master
        # Mt Pt     File to consult     options
        # ------    ---------------     -------
          /home     /etc/auto.home      --timeout=60


/etc/auto.home
#User directory    NFSMountOptions                        Target Server
*                  -rw,soft,intr,rsize=8192,wsize=8192    nfsserver:/home/&



Explanation:
So when a user foo logs into the system (nfsclient), his home directory /home/foo gets automounted from nfsserver:/home/foo with the mount options -rw,soft,intr,rsize=8192,wsize=8192.


================================================= 
EXAMPLE 3: Automounting -- Direct Maps with /

On nfsserver export /data

On nfsclient
/etc/auto.master
        # Mt Pt     File to consult     options
        # ------    ---------------     -------
          /-        /etc/auto.direct    --timeout=60



/etc/auto.direct

#Mount directory   NFSMountOptions                        Target Server
/data              -rw,soft,intr,rsize=8192,wsize=8192    nfsserver:/data


^ Don't forget the leading slash on /data (else it will never work).


Explanation:
So when a user foo cd's to /data on the system (nfsclient), /data gets automounted from nfsserver:/data with the mount options -rw,soft,intr,rsize=8192,wsize=8192.




===============================================
Quick Tips:
1) Make sure portmap and autofs are started on the client for autofs to work properly.

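As an added example (not part of autofs or of these notes), the following Python resolves the mount command automount would construct for a path from auto.master and its maps, the way the MO note and Examples 1 to 3 describe it. The map files are constructed inline, and the option handling (-fstype= to -t, the rest to -o, '&' standing for the matched key) is a simplification of the real automounter.

```python
"""Resolve the mount command automount would run for a path, from auto.master and
its maps. Added example, not autofs's own code (file maps only; simplified)."""
import re


def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_master(text):
    """auto.master: mount-point map-file [--timeout N] -> [(mtpt, map, timeout)]."""
    entries = []
    for fields in _fields(text):
        m = re.search(r"--timeout[ =](\d+)", " ".join(fields[2:]))
        entries.append((fields[0], fields[1], int(m.group(1)) if m else None))
    return entries


def parse_map(text):
    """Map file: key [-opt,opt,...] location -> [(key, options, location)]."""
    entries = []
    for fields in _fields(text):
        rest = fields[1:]
        opts = rest[0][1:] if len(rest) > 1 and rest[0].startswith("-") else ""
        entries.append((fields[0], opts, rest[-1]))
    return entries


def mount_command(opts, location, target):
    """-fstype=X becomes 'mount -t X'; the remaining options become '-o'."""
    options = [o for o in opts.split(",") if o]
    fstype = [o.split("=", 1)[1] for o in options if o.startswith("fstype=")]
    options = [o for o in options if not o.startswith("fstype=")]
    host, _, device = location.partition(":")
    cmd = ["mount"]
    if fstype:
        cmd += ["-t", fstype[0]]
    if options:
        cmd += ["-o", ",".join(options)]
    # ":/dev/cdrom" is a local device; "nfsserver:/jokes" is passed through as is
    cmd += [location if host else device, target]
    return " ".join(cmd)


def resolve(path, master_text, maps):
    """Return (mount command, timeout) for `path`, or None if no map covers it.
    `maps` is {map file name: map file text}, so nothing is read from disk."""
    for mtpt, mapfile, timeout in parse_master(master_text):
        if mapfile not in maps:
            continue
        if mtpt == "/-":                          # direct map: keys are full paths
            key = target = path
        elif path.startswith(mtpt + "/"):         # indirect map: key is the first subdir
            key = path[len(mtpt) + 1:].split("/")[0]
            target = mtpt + "/" + key
        else:
            continue
        for mkey, opts, location in parse_map(maps[mapfile]):
            if mkey == key or (mkey == "*" and mtpt != "/-"):
                # '&' in the location stands for the matched key (nfsserver:/home/&)
                return mount_command(opts, location.replace("&", key), target), timeout
    return None


# Constructed map files mirroring the examples above (not read from /etc)
MASTER = """
# Mt Pt   File to consult    options
/mnt      /etc/auto.misc     --timeout 60
/funny    /etc/auto.misc     --timeout 60
/home     /etc/auto.home     --timeout=60
/-        /etc/auto.direct   --timeout=60
"""
MAPS = {
    "/etc/auto.misc": """
floppy  -fstype=auto,user        :/dev/fd0
cdrom   -fstype=iso9660,ro,user  :/dev/cdrom
smile                            nfsserver:/jokes
""",
    "/etc/auto.home": "*  -rw,soft,intr,rsize=8192,wsize=8192  nfsserver:/home/&\n",
    "/etc/auto.direct": "/data  -rw,soft,intr,rsize=8192,wsize=8192  nfsserver:/data\n",
}

if __name__ == "__main__":
    for p in ("/funny/smile", "/mnt/cdrom", "/home/foo", "/data", "/mnt/nothere"):
        print(p, "->", resolve(p, MASTER, MAPS))
```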
How to setup sudoers on Linux Server


sudoers - list of which users may execute what
 
First things first: back up your /etc/sudoers file
 
Always use "visudo"
Keep checking your logs - /var/log/secure - for violations with sudo

Files to look out for:
       /etc/sudoers
       /var/log/secure
       visudo*


       The sudoers file is composed of two types of entries:
       1) aliases (basically variables) and
       2) user specifications (which specify who may run what).

       Important: when multiple entries match for a user, they are applied in
       order. Where there are conflicting values, the last match is used (which
       is not necessarily the most specific match).



1.  Aliases

There are four kinds of aliases: [All are reserved/key words] 

         User_Alias
         Cmnd_Alias
         Runas_Alias
         Host_Alias
 
   Each alias definition is of the form

        Alias_Type NAME = item1, item2, ...

       where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
       Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
       underscore characters ('_').  A NAME must start with an uppercase
       letter.  It is possible to put several alias definitions of the same
       type on a single line, joined by a colon (':').  E.g.,

        Alias_Type NAME = item1, item2, item3 : NAME = item4, item5





----------------------------------------------------------------------------
                                    E X A M P L E S 
----------------------------------------------------------------------------

Example 1

# Define Aliases for easier reading,understanding and future updates

User_Alias   HTTPD_FULL = foo
User_Alias   HTTPD_RESTRICTED = bar
 
Cmnd_Alias   WEBANY = /etc/init.d/httpd *
Cmnd_Alias   WEBRESTART = /etc/init.d/httpd start, /etc/init.d/httpd stop

# User bar can only run the start and stop options while foo can use all

HTTPD_FULL         ALL = (ALL) WEBANY
HTTPD_RESTRICTED   ALL = (ALL) WEBRESTART

Users in HTTPD_RESTRICTED can run httpd only with the start/stop option, while
those in HTTPD_FULL can run it with any supported argument, viz. restart,
configtest etc.

       After logging in, this is what foo would have to type :

   # sudo /etc/init.d/httpd restart    (or any other supported argument)
   
       After logging in, this is what bar would be able to do ONLY :

   # sudo /etc/init.d/httpd stop    (or start; these two ONLY)

          bar will not be able to use the other options such as configtest,
          reload, status etc
----------------------------------------------------------------------------
Note:
 ALL : Built-in command alias. If no list of users is specified in parentheses,
       sudo will run commands only as root
Note:
 root        ALL = (ALL) ALL
 %wheel        ALL = (ALL) ALL

This means let root and any user in group wheel run any command on any host 
as any user.
----------------------------------------------------------------------------

Example 2

  foo  server = (operator) /bin/ls, (root) /usr/sbin/adduser, /usr/sbin/userdel

   User foo is now allowed to run /bin/ls as operator, but /usr/sbin/adduser,
   and /usr/sbin/userdel as root on machine server.

       After logging in, this is what foo would have to type :

   # sudo -u operator /bin/ls
   # sudo /usr/sbin/adduser someuser
   # sudo /usr/sbin/userdel -r someuser
----------------------------------------------------------------------------

Example 3

 foo    server = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

       The user foo may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
       as "operator" [must be a Valid Linux User and is created by default by RHL] 
       on machine server.  E.g.,

       After logging in, this is what foo would have to type :

   # sudo -u operator /bin/ls
----------------------------------------------------------------------------

Example 4

        foo  server = NOPASSWD: /usr/sbin/adduser, /usr/sbin/userdel

would allow the user foo to run adduser, userdel as root on the machine server
without authenticating himself.

       After logging in, this is what foo would have to type :

          # sudo /usr/sbin/adduser someuser
          # sudo /usr/sbin/userdel -r someuser

          No password would be asked in either case
----------------------------------------------------------------------------

Example 5

If we only want foo to be able to run /usr/sbin/adduser without a password,
but to delete a user - /usr/sbin/userdel - he will have to give his password:

      foo  server = NOPASSWD: /usr/sbin/adduser, PASSWD: /usr/sbin/userdel

----------------------------------------------------------------------------

Example 6
         
      foo  server = NOPASSWD: /usr/bin/*, PASSWD: /bin/ls, /usr/bin/lprm

         The wildcard /usr/bin/* matches /usr/bin/who but not /usr/bin/X11/xterm.

----------------------------------------------------------------------------
Example 7
         
# Define Aliases for machines in the Maths and CS depts

    Host_Alias  CS = cerf, postel, behlendorff, wall, allman, venema
    
    Host_Alias  MATHS = newton, leibnitz, fourier, laplace, riemann 

# Define Collection of commands

Cmnd_Alias  DUMP     = /sbin/dump, /sbin/restore
Cmnd_Alias  PRINTING = /usr/sbin/lpc, /usr/bin/lprm 
Cmnd_Alias  SHELLS   = /bin/sh, /bin/tcsh, /bin/csh,/bin/bash,/bin/ash,/bin/bsh

# Permissions                  

foo, bar      MATHS = ALL

# Users foo and bar can access all machines in the MATHS group. Since no list of
# users is specified in parentheses, sudo will only run cmds as root
 
superman      CS = /usr/sbin/tcpdump : MATHS = (operator) DUMP

# Allows superman to run tcpdump on all CS group machines, and the cmds specified
# by DUMP on all MATHS group machines but only as operator.
# Hence superman would have to type

#               % sudo -u operator /sbin/dump 0u /dev/hda2

flashgordon    ALL=(ALL) ALL, !SHELLS

# User flashgordon can run cmds as any user on any machine, except that he can't
# run several common shells. He could beat this limitation with :
#           cp -p /bin/csh  /tmp/csh
#           sudo /tmp/csh

%wheel         ALL, !MATHS = NOPASSWD: PRINTING

# All users in group wheel can run lpc, lprm as root on all machines except
# the ones in the MATHS group. Furthermore, no password is required to run the cmds.
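The following added example (not sudo's own code) evaluates the sudoers subset used in Example 1, Examples 5 to 7 and the last-match rule noted above: it parses aliases and user specifications, expands them, and reports whether a command is allowed and whether a password is needed. It assumes one host section per spec line (no ':'-joined sections like superman's entry), no Defaults lines, and the sudoers text it checks is constructed inline.

```python
"""Mini evaluator for the sudoers subset used in this page's examples: aliases, user
specs, NOPASSWD/PASSWD tags, '!' negation and the last-match-wins rule. Added example,
not sudo's own parser; assumed: one host section per spec line, each list item directly
followed by its comma, no quoting and no Defaults lines."""
import fnmatch
import re

ALIAS_TYPES = ("User_Alias", "Cmnd_Alias", "Runas_Alias", "Host_Alias")

_items = lambda text: [t.strip() for t in text.split(",") if t.strip()]


def parse_sudoers(text):
    """Return (aliases, specs); specs keep file order because order decides."""
    aliases, specs = {t: {} for t in ALIAS_TYPES}, []
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        kind, rest = (line.split(None, 1) + [""])[:2]
        if kind in ALIAS_TYPES:
            for definition in rest.split(":"):            # NAME = a, b : NAME2 = c
                name, _, members = definition.partition("=")
                aliases[kind][name.strip()] = _items(members)
            continue
        left, _, right = line.partition("=")              # users hosts = (runas) cmds
        tokens, n = left.split(), len(left.split()) - 1
        while n > 0 and tokens[n - 1].endswith(","):      # host list such as "ALL, !MATHS"
            n -= 1
        users, hosts = _items(" ".join(tokens[:n])), _items(" ".join(tokens[n:]))
        m = re.match(r"\s*\(([^)]*)\)\s*(.*)", right)
        runas, cmd_text = (_items(m.group(1)), m.group(2)) if m else (["root"], right)
        cmds, tag = [], "PASSWD"                          # a tag sticks until changed
        for item in _items(cmd_text):
            t = re.match(r"(NOPASSWD|PASSWD)\s*:\s*(.*)", item)
            tag, item = (t.group(1), t.group(2)) if t else (tag, item)
            cmds.append((tag, item))
        specs.append((users, hosts, runas, cmds))
    return aliases, specs


def expand(items, table):
    """Expand alias names recursively, yielding (negated, item) pairs."""
    for item in items:
        neg, name = item.startswith("!"), item.lstrip("!")
        if name in table:
            for sub_neg, sub in expand(table[name], table):
                yield neg ^ sub_neg, sub
        else:
            yield neg, name


def _last_match(entries, pred):
    """The last matching entry of a list decides; a '!' entry denies."""
    result = False
    for neg, entry in entries:
        if pred(entry):
            result = not neg
    return result


def _cmd_matches(entry, cmd):
    """Bare path matches any args; 'path args' must match args. Path '*' never matches '/'."""
    if entry == "ALL":
        return True
    e_path, _, e_args = entry.partition(" ")
    c_path, _, c_args = cmd.partition(" ")
    path_re = "".join("[^/]*" if c == "*" else re.escape(c) for c in e_path)
    if re.fullmatch(path_re, c_path) is None:
        return False
    return not e_args or fnmatch.fnmatchcase(c_args, e_args)


def check(text, user, groups, host, cmd, runas="root"):
    """(allowed, nopasswd) for `user` (in `groups`) running `sudo -u runas cmd` on `host`."""
    aliases, specs = parse_sudoers(text)
    group_entries = ["%" + g for g in groups]
    allowed = nopasswd = False
    for users, hosts, runas_list, cmds in specs:
        lists = ((users, "User_Alias", lambda u: u in ("ALL", user) or u in group_entries),
                 (hosts, "Host_Alias", lambda h: h in ("ALL", host)),
                 (runas_list, "Runas_Alias", lambda r: r in ("ALL", runas)))
        if not all(_last_match(expand(lst, aliases[kind]), pred) for lst, kind, pred in lists):
            continue
        for tag, item in cmds:
            for neg, entry in expand([item], aliases["Cmnd_Alias"]):
                if _cmd_matches(entry, cmd):
                    allowed, nopasswd = not neg, tag == "NOPASSWD"   # later matches override
    return allowed, nopasswd


# Constructed sudoers text modelled on Examples 1, 5, 6 and 7 above
SAMPLE = """
User_Alias   HTTPD_FULL = foo
User_Alias   HTTPD_RESTRICTED = bar
Cmnd_Alias   WEBANY = /etc/init.d/httpd *
Cmnd_Alias   WEBRESTART = /etc/init.d/httpd start, /etc/init.d/httpd stop
Cmnd_Alias   SHELLS = /bin/sh, /bin/bash
Host_Alias   MATHS = newton, leibnitz
%wheel             ALL = (ALL) ALL
HTTPD_FULL         ALL = (ALL) WEBANY
HTTPD_RESTRICTED   ALL = (ALL) WEBRESTART
flashgordon        ALL = (ALL) ALL, !SHELLS
baz                server = NOPASSWD: /usr/sbin/adduser, PASSWD: /usr/sbin/userdel
pete               server = /usr/bin/*
%wheel             ALL, !MATHS = NOPASSWD: /usr/bin/lprm
"""
```

For instance `check(SAMPLE, "bar", [], "server", "/etc/init.d/httpd restart")` returns `(False, False)` while the same call for `foo` returns `(True, False)`, and a wheel member asking for /usr/bin/lprm gets `(True, True)` on server but `(True, False)` on newton because the later, host-negated entry no longer matches there.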

----------------------------------------------------------------------------

Example 8

 User_Alias     FULLTIMERS = foo, bar, superman
 FULLTIMERS     ALL = NOPASSWD: ALL

Full time sysadmins (foo, bar, superman) may run any command on any host
without authenticating themselves.

----------------------------------------------------------------------------

Example 9

Part time sysadmins in PARTTIMERS may run any command on any host but they
must authenticate themselves first (since the entry lacks the NOPASSWD tag).


 PARTTIMERS     ALL = ALL

----------------------------------------------------------------------------

More EXAMPLES

Below are example sudoers entries.  Some of these are a bit contrived. 
First, we define our aliases:

 # User alias specification
 User_Alias     FULLTIMERS = millert, mikef, dowdy
 User_Alias     PARTTIMERS = bostley, jwfox, crawl
 User_Alias     WEBMASTERS = will, wendy, wim

 # Runas alias specification
 Runas_Alias    OP = root, operator
 Runas_Alias    DB = oracle, sybase

 # Host alias specification
 Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
         SGI = grolsch, dandelion, black :\
         ALPHA = widget, thalamus, foobar :\
         HPPA = boa, nag, python
 Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
 Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
 Host_Alias     SERVERS = master, mail, www, ns
 Host_Alias     CDROM = orion, perseus, hercules

 # Cmnd alias specification
 Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
          /usr/sbin/restore, /usr/sbin/rrestore
 Cmnd_Alias     KILL = /usr/bin/kill
 Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
 Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
 Cmnd_Alias     HALT = /usr/sbin/halt, /usr/sbin/fasthalt
 Cmnd_Alias     REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
 Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
    /usr/local/bin/tcsh, /usr/bin/rsh, \
    /usr/local/bin/zsh
 Cmnd_Alias     SU = /usr/bin/su

       Here we override some of the compiled in default values.  We want sudo
       to log via syslog(3) using the auth facility in all cases.  We don’t
       want to subject the full time staff to the sudo lecture, and user
       millert need not give a password.  In addition, on the machines in the
       SERVERS Host_Alias, we keep an additional local log file and make sure
       we log the year in each log line since the log entries will be kept
       around for several years.

 # Override built in defaults
 Defaults        syslog=auth
 Defaults:FULLTIMERS    !lecture
 Defaults:millert       !authenticate
 Defaults@SERVERS       log_year, logfile=/var/log/sudo.log

       The User specification is the part that actually determines who may run
       what.

 root        ALL = (ALL) ALL
 %wheel        ALL = (ALL) ALL

       We let root and any user in group wheel run any command on any host as
       any user.

 FULLTIMERS     ALL = NOPASSWD: ALL

       Full time sysadmins (millert, mikef, and dowdy) may run any command on
       any host without authenticating themselves.

 PARTTIMERS     ALL = ALL

       Part time sysadmins (bostley, jwfox, and crawl) may run any command on
       any host but they must authenticate themselves first (since the entry
       lacks the NOPASSWD tag).

 jack        CSNETS = ALL

       The user jack may run any command on the machines in the CSNETS alias
       (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
       those networks, only 128.138.204.0 has an explicit netmask (in CIDR
       notation) indicating it is a class C network.  For the other networks
       in CSNETS, the local machine’s netmask will be used during matching.

 lisa        CUNETS = ALL

       The user lisa may run any command on any host in the CUNETS alias (the
       class B network 128.138.0.0).

 operator       ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
         /usr/oper/bin/

       The operator user may run commands limited to simple maintenance.
       Here, those are commands related to backups, killing processes, the
       printing system, shutting down the system, and any commands in the
       directory /usr/oper/bin/.

 joe        ALL = /usr/bin/su operator

       The user joe may only su(1) to operator.

 pete        HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

       The user pete is allowed to change anyone’s password except for root on
       the HPPA machines.  Note that this assumes passwd(1) does not take
       multiple usernames on the command line.  Command line arguments are
       matched as a single, concatenated string, so the "*" wildcard can match
       across word boundaries, and the second element excludes only an
       argument string that is exactly "root".  On a passwd(1) that accepts
       options after the user name, "passwd root -x" would not be caught by
       it, so the pattern should be checked against the passwd(1) actually
       installed on those machines.

 bob        SPARC = (OP) ALL : SGI = (OP) ALL

       The user bob may run anything on the SPARC and SGI machines as any user
       listed in the OP Runas_Alias (root and operator).

 jim        +biglab = ALL

       The user jim may run any command on machines in the biglab netgroup.
       Sudo knows that "biglab" is a netgroup due to the ’+’ prefix.

 +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

       Users in the secretaries netgroup need to help manage the printers as
       well as add and remove users, so they are allowed to run those commands
       on all machines.

 fred        ALL = (DB) NOPASSWD: ALL

       The user fred can run commands as any user in the DB Runas_Alias
       (oracle or sybase) without giving a password.

 john        ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

       On the ALPHA machines, user john may su to anyone except root.  The
       first element matches only an argument string that does not begin with
       "-", so he cannot give su(1) a leading flag, and the second element
       excludes any argument string that contains "root".

 jen        ALL, !SERVERS = ALL

       The user jen may run any command on any machine except for those in the
       SERVERS Host_Alias (master, mail, www and ns).

 jill        SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any command in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.  Subtracting commands with "!" is a weak
       restriction, however: jill may still run any other program in /usr/bin/
       that can start a shell itself (an editor, a pager, find(1) with -exec),
       so the exclusions only close the direct routes.  Listing the commands
       she actually needs is the safer form of this entry.

 steve        CSNETS = (operator) /usr/local/op_commands/

       The user steve may run any command in the directory
       /usr/local/op_commands/ but only as user operator.

 matt        valkyrie = KILL

       On his personal workstation, valkyrie, matt needs to be able to kill
       hung processes.

 WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

       On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
       and wim), may run any command as user www (which owns the web pages) or
       simply su(1) to www.

 ALL        CDROM = NOPASSWD: /sbin/umount /CDROM,\
         /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

       Any user may mount or unmount a CD-ROM on the machines in the CDROM
       Host_Alias (orion, perseus, hercules) without entering a password.
       The entry matches only that exact argument string, so a wrapper must
       pass "-o nosuid,nodev /dev/cd0a /CDROM" verbatim; the comma inside the
       option list is escaped with a backslash so that it is not read as a
       list separator.  This is a bit tedious for users to type, so it is a
       prime candidate for encapsulating in a shell script.
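The matching rules that the entries above rely on can be exercised offline. The following Python script is an added example, not part of the sudoers manual and not sudo's own matching code; it re-encodes a subset of the example file as data and implements the semantics described above (ALL, aliases, "!" negation with last-match-wins, directory commands ending in "/", NOPASSWD, networks in Host lists, and arguments matched as one space-joined string). The netmask applied to a bare network address, the group membership, and the host names and addresses passed to check() are assumptions made for the example.

```python
"""Simplified evaluator for sudoers-style user specifications.  Added example,
not sudo's own matching code: it models ALL, aliases, '!' negation with
last-match-wins, directory commands ending in '/', NOPASSWD, networks in Host
lists and arguments matched as one space-joined string.  Policy data below is
constructed from the page's example file."""
import fnmatch
import ipaddress
import os

# Assumption: the mask sudo takes from the local interface for a Host element
# such as 128.138.243.0 that carries no explicit netmask.
LOCAL_NETMASK = "255.255.255.0"

HOST_ALIAS = {
    "SERVERS": "master, mail, www, ns",
    "CSNETS": "128.138.243.0, 128.138.204.0/24, 128.138.242.0",
    "HPPA": "boa, nag, python",
    "CDROM": "orion, perseus, hercules",
}
CMND_ALIAS = {
    "SU": "/usr/bin/su",
    "SHELLS": "/usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, /usr/local/bin/tcsh, "
              "/usr/bin/rsh, /usr/local/bin/zsh",
}
USER_ALIAS, RUNAS_ALIAS = {}, {}
GROUPS = {"wheel": {"root", "alice"}}  # constructed stand-in for /etc/group

# (User_List, Host_List, Runas_List, NOPASSWD, Cmnd_List) in file order; an
# entry with no "(runas)" part targets the default user, root.
RULES = [
    ("%wheel", "ALL", "ALL", False, "ALL"),
    ("jen", "ALL, !SERVERS", "root", False, "ALL"),
    ("jill", "SERVERS", "root", False, "/usr/bin/, !SU, !SHELLS"),
    ("pete", "HPPA", "root", False, "/usr/bin/passwd [A-z]*, !/usr/bin/passwd root"),
    ("jack", "CSNETS", "root", False, "ALL"),
    ("ALL", "CDROM", "root", True,
     r"/sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM"),
]

def split_list(spec):
    """Split a comma-separated list; '\\,' is a literal comma, not a separator."""
    items, cur, i = [], "", 0
    while i < len(spec):
        if spec.startswith("\\,", i):
            cur, i = cur + ",", i + 2
        elif spec[i] == ",":
            items, cur, i = items + [cur.strip()], "", i + 1
        else:
            cur, i = cur + spec[i], i + 1
    return [x for x in items + [cur.strip()] if x]

def match_list(spec, aliases, match_one):
    """Last matching element decides (True/False); None means nothing matched."""
    result = None
    for item in split_list(spec):
        name = item.lstrip("!")
        negated = (len(item) - len(name)) % 2 == 1  # '!!x' is just x
        if name in aliases:
            matched = match_list(aliases[name], aliases, match_one) is True
        else:
            matched = match_one(name)
        if matched:
            result = not negated
    return result

def user_matches(item, user):
    if item.startswith("%"):  # local group looked up in GROUPS
        return user in GROUPS.get(item[1:], set())
    return item in ("ALL", user)

def host_matches(item, host, ip):
    if item == "ALL":
        return True
    if item[0].isdigit():  # network; assumes host names never start with a digit
        net = item if "/" in item else item + "/" + LOCAL_NETMASK
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return fnmatch.fnmatchcase(host, item)

def cmnd_matches(item, argv):
    """argv[0] is the resolved program path.  A trailing '/' allows any program
    in that directory; a bare path allows any arguments; "" allows none; else
    the arguments are joined with spaces and matched as one string."""
    if item == "ALL":
        return True
    path, _, args = item.partition(" ")
    if path.endswith("/"):
        return os.path.dirname(argv[0]) + "/" == path
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    if args == '""':
        return len(argv) == 1
    return not args or fnmatch.fnmatchcase(" ".join(argv[1:]), args)

def check(user, host, ip, runas, argv):
    """Return (verdict, nopasswd).  Entries apply in file order and the last
    matching entry wins, so a later negated match turns allow into deny."""
    verdict, nopasswd = "deny", False
    for users, hosts, runas_list, npw, cmnds in RULES:
        if (match_list(users, USER_ALIAS, lambda i: user_matches(i, user)) is not True
                or match_list(hosts, HOST_ALIAS, lambda i: host_matches(i, host, ip)) is not True
                or match_list(runas_list, RUNAS_ALIAS, lambda i: i in ("ALL", runas)) is not True):
            continue
        hit = match_list(cmnds, CMND_ALIAS, lambda i: cmnd_matches(i, argv))
        if hit is not None:
            verdict, nopasswd = ("allow" if hit else "deny"), npw
    return verdict, nopasswd
```

check("jill", "mail", "10.0.0.5", "root", ["/usr/bin/vi", "/etc/hosts"]) returns ("allow", False) while the same call with ["/usr/bin/su", "operator"] returns ("deny", False); for pete on nag, ["/usr/bin/passwd", "root"] is denied but ["/usr/bin/passwd", "root", "-x"] is allowed, because the negated element must match the whole concatenated argument string. The mount entry on orion returns ("allow", True) only when the argument list is passed exactly as written.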
Note:
       The sudoers file should always be edited with the visudo command, which
       locks the file against concurrent edits and checks its syntax before
       installing it.  It is imperative that sudoers be free of syntax errors,
       since sudo will refuse to run with a syntactically incorrect sudoers
       file.  A file can be checked without installing it with visudo -c
       (or visudo -cf FILE for a file kept in another location).

FILES
 /etc/sudoers        List of who can run what
 /etc/group        Local groups file
 /etc/netgroup        List of network groups