Sambar Server Documentation
Linux Configuration
Overview

The Sambar Server code base is designed to run equally well on both Windows and Linux platforms. There are a handful of features exclusive to one platform or the other, but by and large, any site that runs on Windows can be moved to Linux unchanged (including all configuration files), with the notable exception of file and directory names, which are case-sensitive on Linux: any reference to them must have matching case, in configuration files as well as in HTTP URLs. Only the executables in the bin directory differ between the two installations.

One significant feature Linux users should make use of is the server's ability to change its user and group after starting up and binding to ports 80/443. This chuser/chgrp allows you to sandbox the server with non-privileged permissions: the process binds the privileged ports as root and then drops to the configured account before serving requests, so a compromise of the server yields only that account's access. This functionality can be configured using the System Administration -> Configure forms.

Installation

To install Sambar Server on Linux systems, the .tgz file should first be extracted into a temporary directory, then that directory moved into the default installation directory. The following commands illustrate this:

    mkdir sambar    # create a 'sambar' directory

Running

    /sbin/chkconfig --add sambar-inetd

The first command instructs the system to install the script that was placed in /etc/init.d/ as a service; the second command tells the system that the service should be started automatically when the system is in run levels 3 (non-graphical, multiuser, networking enabled) and 5 (graphical, multiuser, networking enabled). (Run level 5 is the default on most Linux distributions.)

Once the service script has been installed, you can start, stop, or restart the server using one of two methods. Call the init script directly:

    /etc/init.d/sambar-inetd start    # instructs the server to start

Or use the 'service' program:

    /sbin/service sambar-inetd restart    # use the same action names (start, stop, restart) in place of 'restart'

To customize or assign any environment variables specific to your installation (such as $PATH, $LD_LIBRARY_PATH, $CLASSPATH, etc.), edit the /etc/init.d/sambar-inetd script appropriately. This is also where you would make any needed customizations to ulimit, etc. You will need to restart the server for changes to take effect.

Security

Sambar Server supports traditional Unix-style security modes of operation. These are:
    chown -R www:www /usr/local/sambar    # presuming the server is configured to drop to the 'www' account and is installed in the given directory

Note that this single chown makes the service account the owner of the whole tree, including the server's own executables and configuration files, so a compromised server process could rewrite them. A tighter arrangement keeps the bin directory and the configuration owned by root (readable but not writable by the 'www' group) and gives 'www' ownership only of the directories the server must write at run time, such as the log and temporary directories.

In addition to the traditional Unix security safeguards, some newer items are noteworthy as they are enabled by default on modern Linux systems:
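The ownership split described above, written out as an added example; this is not code from Sambar or its documentation. It assumes an install tree with bin/, config/, lib/, logs/ and tmp/ subdirectories (the names are assumptions; Sambar's real layout may differ) and takes the administrator and service accounts as parameters, so it can be tried on a throw-away directory as the current user before being run as root with the 'www' account. audit_tree reports anything under the read-only directories that the administrator does not own or that group/others can write; after a correct install its output is empty.

```shell
#!/bin/sh
# Added example, not part of Sambar's documentation.
# Least-privilege ownership for a server that drops to an unprivileged
# account after binding its ports: the administrator owns the code and
# configuration, the service account may only read them, and only the
# run-time directories belong to the service account.
# Subdirectory names (bin, config, lib, logs, tmp) are assumptions.

# harden_tree DIR ADMIN_USER SERVICE_USER SERVICE_GROUP
harden_tree() {
    dir=$1 admin=$2 svc=$3 grp=$4
    # Start from "administrator owns everything, service group may read".
    chown -R "$admin:$grp" "$dir"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    # Executables: runnable by the service account, still not writable by it.
    if [ -d "$dir/bin" ]; then
        find "$dir/bin" -type f -exec chmod 750 {} +
    fi
    # Run-time directories are the only ones the service account owns.
    for sub in logs tmp; do
        if [ -d "$dir/$sub" ]; then
            chown -R "$svc:$grp" "$dir/$sub"
        fi
    done
}

# audit_tree DIR ADMIN_USER
# Print every path under the read-only directories that the service
# account could alter: not owned by the administrator, or writable by
# group (-perm -020) or others (-perm -002).  Empty output is the
# expected post-install result.
audit_tree() {
    dir=$1 admin=$2
    for sub in bin config lib; do
        if [ -d "$dir/$sub" ]; then
            find "$dir/$sub" \( ! -user "$admin" -o -perm -020 -o -perm -002 \) -print
        fi
    done
}

# Stand-alone demonstration on a throw-away tree, using the current user
# for both roles (a real install would use root and the 'www' account).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/bin" "$demo_dir/config" "$demo_dir/logs" "$demo_dir/tmp"
printf 'binary\n' > "$demo_dir/bin/sambar"
printf 'config\n' > "$demo_dir/config/config.ini"
chmod 777 "$demo_dir/config/config.ini"          # deliberately sloppy
echo "before:"; audit_tree "$demo_dir" "$(id -un)"
harden_tree "$demo_dir" "$(id -un)" "$(id -un)" "$(id -gn)"
echo "after:";  audit_tree "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

Run audit_tree again after every upgrade or restore from backup: a later chown -R, or an archive extracted while logged in as the service user, silently reintroduces the writable executables the split is meant to prevent.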
SELinux

The security rules associated with SELinux ('Security Enhanced Linux') are defined by security policy files, which are initially script-based and then compiled on the machine. The contents of these files lay out preset rules for which SELinux context labels should be applied to which files and directories on the system. Generally, any time software is not running as desired, one should review the system log files /var/log/messages and /var/log/secure. A message such as:

    kernel: audit(1150227810.132:754): avc: denied { permission } for pid=21659 comm="your-program-or-command" src=636 scontext=....

indicates that SELinux has prohibited the access. The braces hold the permission that was refused (read, write, execute, name_bind, ...), comm= names the program, scontext= is the label of the process, and tcontext= and tclass= (further along the line) give the label and kind of the file or resource it tried to reach. When the target is a file or directory under the installation, the problem may be corrected by having the system reapply the preset/default SELinux labels to the program's installed directory, using the following command (shown for an example Sambar Server installation directory):

    /sbin/restorecon -v -R /usr/local/sambar

Relabeling files does not help when the denied object is a port or socket (a name_bind denial with src= set, or tclass=tcp_socket): that denial concerns the port's SELinux type, which is managed with the semanage port tool rather than restorecon.

Iptables

Modern Linux distributions are installed with the iptables firewall, which by default does not allow network connections to all of the services that may be enabled in your Sambar Server installation. The iptables configuration file format and installed location vary by Linux distribution; the file is most commonly found at /etc/sysconfig/iptables. If your distribution does not have this file, please consult its documentation. Generally, it is safe to add new allowance rules (represented as lines in the file) on an as-needed basis, by TCP or UDP port, by copy-pasting existing lines and modifying their port numbers. However, it is highly suggested that you make a backup of your iptables file before modifying it, and that you become familiar with what each line does.
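Returning to the avc: denied messages described in the SELinux subsection above, here is a small triage script as an added example; it is not part of Sambar's documentation or code. It reads syslog-format lines (the three embedded below are constructed; the process name "sambar" and the path /usr/local/sambar are assumptions), extracts the denied permission, program, target class and target label from each denial, and prints the restorecon command for file denials while calling out that a socket or port denial is not a file-label problem.

```shell
#!/bin/sh
# Added example, not part of Sambar's documentation.
# Triage SELinux AVC denials from a syslog-format file such as
# /var/log/messages.  The sample lines below are constructed; the
# process name "sambar" and /usr/local/sambar are assumptions.

# avc_denials [FILE ...]  (reads stdin when no file is given)
# Prints one line per denial: PERMISSION COMM TCLASS TCONTEXT
avc_denials() {
    awk '
        /avc: +denied/ {
            perm = comm = tclass = tctx = ""
            # The braces hold the permission that was refused.
            if (match($0, /[{][^}]*[}]/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
            }
            print perm, comm, tclass, tctx
        }' "$@"
}

# suggest_fix INSTALL_DIR  (reads avc_denials output on stdin)
# File and directory denials get the relabel command the documentation
# recommends; socket denials are flagged because restorecon cannot change
# a port's type (that is a "semanage port" change, not shown here).
suggest_fix() {
    install_dir=$1
    while read -r perm comm tclass tctx; do
        case "$tclass" in
            file|dir|lnk_file)
                echo "/sbin/restorecon -v -R $install_dir  # $comm denied '$perm' on a $tclass labelled $tctx" ;;
            *socket*)
                echo "# $comm denied '$perm' on $tclass: not a file label, restorecon will not help" ;;
            *)
                echo "# $comm denied '$perm' on $tclass: inspect the full audit record" ;;
        esac
    done
}

# Constructed sample: two denials around an unrelated sshd line.
SAMPLE_LOG='Jun 13 14:03:30 web1 kernel: audit(1150227810.132:754): avc:  denied  { read } for  pid=21659 comm="sambar" name="config.ini" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Jun 13 14:03:31 web1 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Jun 13 14:03:35 web1 kernel: audit(1150227815.001:755): avc:  denied  { name_bind } for  pid=21659 comm="sambar" src=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

printf '%s\n' "$SAMPLE_LOG" | avc_denials | suggest_fix /usr/local/sambar
```

On a live host, feed it the real file (avc_denials /var/log/messages | suggest_fix /usr/local/sambar) after reproducing the failure, so the denial you are reading is the one that just happened rather than an old one.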
Upon making any change to the iptables configuration file, one must restart iptables using a command such as:

    /etc/init.d/iptables restart

The following iptables contents should be used ONLY as a guideline for modifying the file on your system; the format may vary by Linux vendor distribution and so may not be compatible. Note that this guideline opens far more than a web server needs: it admits new connections from any source to SMB (139, 445), LDAP (389, 636), MySQL (3306), PostgreSQL (5432) and CUPS (631), and the two 1023:65535 rules expose every unprivileged TCP and UDP port on the host (passive-mode FTP data connections, the usual reason for such a rule, are already covered by the ESTABLISHED,RELATED line when the FTP connection-tracking helper is loaded). Keep only the lines for services you actually run on this machine, and restrict administrative and database ports to trusted source addresses (an -s option on the rule) rather than the world.

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1023:65535 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1023:65535 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 990 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 993 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

If you have questions about running Sambar Server not addressed here, please send an email to the Sambar Server Users Mailing List, or contact customer support.
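To make "become familiar with what each line does" concrete, an added example that is not part of Sambar's documentation or code: it reads an iptables-save style file such as /etc/sysconfig/iptables, lists every ACCEPT rule that opens a destination port together with the source it is open to, and flags whole-port-range rules and ports missing from an explicit list of what the host is meant to expose. The rules embedded below are a constructed excerpt of the guideline above; the expected-port list is an assumption for a host running only the web server and SSH.

```shell
#!/bin/sh
# Added example, not part of Sambar's documentation.
# Summarise what an iptables-save style file (e.g. /etc/sysconfig/iptables)
# exposes, and flag rules that do more than admit one expected port.

# open_ports [FILE ...]  (reads stdin when no file is given)
# Prints "PROTO/PORT SOURCE" for every ACCEPT rule that matches a
# destination port; SOURCE is 0.0.0.0/0 when the rule has no -s restriction.
open_ports() {
    awk '
        /^-A / && /-j ACCEPT/ && /--dport/ {
            proto = port = ""; src = "0.0.0.0/0"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
                if ($i == "-s")      src   = $(i + 1)
            }
            print proto "/" port, src
        }' "$@"
}

# audit_ports "tcp/22 tcp/80 ..."  (reads open_ports output on stdin)
# RANGE: the rule admits a whole port range (the 1023:65535 lines in the
#        guideline expose every unprivileged port on the host).
# EXTRA: the port is not on the expected list; remove the rule, or add an
#        -s restriction for services only trusted hosts should reach.
audit_ports() {
    allowed=" $1 "
    while read -r entry src; do
        case "$entry" in
            */*:*) echo "RANGE  $entry from $src: replace with the specific ports needed"; continue ;;
        esac
        case "$allowed" in
            *" $entry "*) ;;
            *) echo "EXTRA  $entry from $src: not expected, remove it or restrict the source" ;;
        esac
    done
}

# Constructed excerpt of the guideline rules on this page.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1023:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# What a web server plus SSH administration needs (an assumption for the demo).
printf '%s\n' "$SAMPLE_RULES" | open_ports | audit_ports "tcp/22 tcp/80 tcp/443"
```

Against the real file the call is open_ports /etc/sysconfig/iptables | audit_ports "..." with the list of ports your Sambar installation actually serves; run it before and after every edit, since the page's own advice to copy-paste existing lines makes it easy to inherit a range rule without noticing.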