The Nubby Admin

My Problem

I have sometimes had to copy the permissions on one directory over to another directory. Sometimes it’s simply due to the migration of files from one server to another. Other times it’s for the purpose of backing up ACL entries before an ACE edit. When frobbing around with permissions, it’s often nice to make a dummy folder or file and copy the pre-frobbed permissions over. That way any post-frobbing disasters can be rectified rather quickly.

At first, I thought copying permissions would be a simple matter of using icacls to perform some kind of permission dump. Sadly, and somewhat surprisingly, I was not able to find an easy way to do that. Certainly you can simply pipe the output of icacls to a text file, however I could not find an easy way to consume that text-based permission record. That’s where the wonder of RoboCopy comes in.

My Solution

Reading Microsoft KB323275 reveals yet another interesting use of RoboCopy.

robocopy [source] [destination] /secfix [include appropriate exclusion filters here]

Yes, once again RoboCopy comes to the rescue for things other than copying files and folders. If you’ve been an admin on Windows boxxen for terribly long, I hope you’re at least moderately familiar with RoboCopy.

In this usage, have a peek at the /secfix switch. The official TechNet help for the switch simply says:

Fixes file security on all files, even skipped ones.

However there is a larger note at the bottom of the help document that states:

When using the /SECFIX copy option, specify the type of security information you want to copy by also using one of these additional copy options:

• /COPYALL
• /COPY:O
• /COPY:S
• /COPY:U
• /SEC

If you’re simply performing a permissions copy, make sure that you use the proper file selection options (/XO, /XN, /XF, etc.) to get only the files and/or folders you want. No use in copying an entire directory structure if you only need the permissions on one folder to be copied. Also, if you’re only interested in copying permissions and not the files themselves, keep in mind the /CREATE switch:

/CREATE - Creates a directory tree and zero-length files only.

Perhaps I should start collecting various uses for RoboCopy and compile them into a series of “Stupid RoboCopy Tricks” posts. =)

Some discussion with some colleagues made me consider how someone who was lazy / inexperienced / crushed for time might be tempted to solve a web app problem. If you’ve performed the following operation…. just sit in the corner and think about what you’ve done.

One year has come and gone! In early 2011 I started a challenge to all interested Systems Administrators to add 10,000 points to their existing ServerFault reputation. Quite a few people signed up for it, but how many actually made it to the finish line? Oh, but let’s not get ahead of ourselves. Let’s talk about what our participants will win.

The Prizes

How many IT workers, in the course of being a SysAdmin / Developer / Frobnosticator, have come up against a seemingly insurmountable quandary? If you are in that category, how many times have you written out your woes in a forum post, only to have the problem (and solution) become clear to you as you’re nearly ready to post your question? I thought it was just me and my strange brain, however it appears that it’s a common experience.

This experience is so common for me that the main reason why I even have a blog is because I so frequently find solutions as a result of writing / talking out my problems. There is a name for this kind of behavior within the IT realm. It’s commonly known as “Rubber Duck Debugging.” I think all SysAdmins, IT workers in general and human beings both near and far would see immense benefits from calmly talking out their problems. To encourage this end, the prize for our winners will be handsome Luxury Ducks made by a company called bud (intentional lower case ‘b’).

Specifically, those who achieved their goal of adding 10,000 points in the year 2011 will receive a large luxury duck of their choice:

Those who achieved at least half of their 10,000 point goal will receive a mini luxury duck of their choice:

The Winners

Finally, we get to our well deserving winners. We only have two participants who added 10,000 points to their January 1st 2011 reputation levels. Those two winners are:

1. Philip “Chopper3” Buckley-Mellor who added nearly 23,000 points to his reputation.
2. Michael “Voretaq7” Graziano who added 20,500 points to his reputation

We have a few participants who made a valiant effort to get to 10,000 points, but only passed the halfway mark:

1. Rob Moir made 7,200 points in 2011
2. Phil Hollenback made 6,700 points in 2011 (Two words: Cron. Master.)
3. Tom O’Connor made 5,000 points in 2011

Adulations!

The whole goal of the ServerFault / Stack Exchange challenge was to encourage professional growth, community involvement, knowledge sharing and some old fashioned fun. I hope it achieved its goal, but only you can be the proper judge of that.

Congratulations to all of those involved! Your contributions are top notch and help to teach the next generation of professional IT workers and even the current crowd. No one knows it all and every one of us can help another to learn a bit more and become a bit better.

Thank you for what you did in 2011 and what you continue to do.

The Future

Will there be a 2012 challenge? Will it be the same format? Same prizes? Same rules?

Stay tuned…

…and keep answering questions on ServerFault.

Are you a SysAdmin? Are you also a gamer? Do you use the Steam platform? If you answered yes to all three of those questions, you have a new group that you can join. It’s the ServerFault Steam group.

While the group’s name and logo show strong ties to ServerFault, one does not have to be a member of ServerFault to join the group (although it might help for familiarity’s sake). The group is new, with no home on the web beyond the steam group page nor is there an event calendar. However, we’re still young and the opportunities are limitless.

Join up, help out and we can help… umm… decommission some users. Load your LARTs and ready your PODs. It’s game time!

Seriously, Cisco Press. What is your problem? I used to think you were incompetent. Now I think you’re deliberately evil. They explicitly stated that transport layer traffic that uses UDP is called a “datagram.” That stands to reason. After all, UDP is a TLA for “User Datagram Protocol.” Then, immediately afterwards, they state (emphasis mine):

However, this book refers to data formed in the transport layer as a segment, data at the network layer as a datagram or packet, and data at the link layer as a frame.

No rhyme. No reason. Just fiat. “Hey, we know that it’s standard practice to call a specific type of Layer 4 traffic a datagram, but we’re gonna call Layer 3 traffic a datagram. Or we might also call it a packet too, JUST ‘CAUSE WE’RE GANGSTAH LIKE THAT!“

For those wondering, I’m brushing up on my networking knowledge by going through “Interconnecting Cisco Network Devices, Part 1 (ICND1): CCNA Exam 640-802 and ICND1 Exam 640-822 (2nd Edition)” It’s already caused me to make the first part in this series. A series which will likely have many sequels.

I’m not even halfway through it and already finding some annoying inconsistencies. I thought I left things like this behind when I stopped reading MS Press books. Apparently vendor endorsed books have a disproportionate amount of fail in them.

(Updated September 24, 2012)

I’ve been researching web-based server control panels for a few months now. Most people will likely think of cPanel when they hear the phrase “server control panel” and have visions of web hosts dancing in their heads. Server control panels can be used for much more than web hosting, however. Control panels can allow people to administer systems with the click of a button having little interaction with the gorier details. Some might think that kind of scenario is categorically wrong, but I disagree. There are some *NIX oriented colleagues that I’d tackle before they got too close to a Windows server. For them, WebsitePanel might be a better option. There are also some folks that have need of their own server(s) and are happy to perform their own button mashing to reboot services and etc. I’m reminded of Jordan Sissel’s SysAdvent post “Share Skills and Permissions with Code.” In those scenarios, server control panels are excellent.

The nature of server control panels makes them most desirable by web hosting companies. As such, most of the web-based server control panels that I have found are slanted in that direction and might take some creativity to warp to your needs. Others appear to be more easily used as a general “E-Z Mode” SysAdmin front-end (Open Panel comes to mind). Don’t discard a control panel simply because it is slanted to web hosting. Some of them are much fuller than that.

Here is my list of web-based server control panels:

FOSS Control Panels

• DTC (Linux, FreeBSD and Mac OS X Server. GPL license. Stands for “Domain Technologie Control.” Looks like a great feature set. I don’t know why it’s not more popular.)
• EHCP (Linux only. GPL license. Stands for “Easy Hosting Control Panel”)
• Froxlor (Linux and BSD. GPL License. A fork of SysCP. )
• GNU Panel (Linux only. BSD license. Just kidding! It’s GPL.)
• ISPConfig (Linux only. BSD license. Made by the HowToForge folks. HTTP, SMTP, FTP, DNS and OpenVZ virtualization are supported among many other features)
• IspCP Omega (Linux only. Fork of VHCS. Old VHCS code is MPL, new code is GPL2. The goal is to port everything and make it GPL2.)
• Open Panel (Linux only. GPL license. Their pre-made OpenApps looks cool. I don’t know why this hasn’t made more waves than it has!)
• SysCP (Linux only. GPL license.)
• VHCS (Linux only. MPL license. Stands for “Virtual Hosting Control System”)
• WebController (Windows. only GPL. SourceForge project with an appalling website. Looks like it’s abandoned but I’m not sure.)
• Web-CP (Linux only. Not sure what license, but I assume GPL since it was a fork of the older web://cp product that itself was GPL. Web-CP looks abandoned. The last update on the site was 2005 and the latest bug closed in Mantis is 2006. The wiki is full of spam [I've never seen spam for breast enlargement and pistachios on the same page before - Thanks Web-CP!])
• zpanel (Windows and POSIX-based OSs – that supposedly includes Max OS X, but a commentor below disputes that.)

Control Panels with a Free and Paid Edition

• ApPHP Admin Panel (Free, Advanced, and Pro version. Linux. )
• Webmin(Primarily POSIX-based OSs, however a limited Windows version exists)
  • Usermin Module (POSIX only. Simple webmail interface and user account modification for non-root users)
  • Virtualmin Module (POSIX only. Allows for multi-tenant use of a server much like a shared web host)
  • Cloudmin Module (POSIX only. Creats VPSs using Xen, KVM and OpenVZ among others)

Commercial Control Panels

• cPanel / WHM (Linux and FreeBSD. The granddaddy of control panels started back in 1996 as an in-house app that eventually got licensed. WHM controls the entire server. cPanel is user-oriented.)
  • WHMXtra (Not a control panel on its own, but it’s a significant third-party add-on to WHM)
• DirectAdmin (Linux and BSD.)
• Ensim (Control panel that handles the management of cloud services Microsoft Hyper-V, Active Directory, Lync, Mozy, Anti Virus / Anti Spam Solutions like F-Secure, MessageLabs, Barracuda and a ton of other things. It’s really for $n aaS providers to build a business around.)
• Enkompass (Windows only. cPanel’s Windows product.)
• H-Sphere (Windows, Linux and BSD. Originally made by Positive Software before being bought by Parallels. I’m not sure how this software compares / competes with Parallels’s Plesk. This is an all-in-one provisioning, billing and control panel tool. Obviously focused solely on web hosts.)
• HMS Panel (Linux only.)
• Hosting Controller (Windows and Linux. Also supports managing Microsoft Exchange, BlackBerry Enterprise Server, SharePoint, Office Communication Server, Microsoft Dynamics and more.)
• HyperVM (Linux only. Virtualization management platform. Uses Xen and OpenVZ. Sister product to Kloxo.)
• InterWorx (Linux only. Can manage Ruby on Rails.)
• Kloxo (Linux only. More than just a server management platform, this is a large web hosting platform that is geared very much for a client / provider relationship.
• Layered Panel (Control panel geared towards free hosts that inject ads into their customers sites. Linux.)
• Live Config (Linux)
• Machsol (Unusual in this list because it’s a control panel to manage the hosting of major enterprise server applications like Exchange, Sharepoint and BES.)
• Parallels Helm (Windows. One of the many acquisitions that Parallels has made.)
• Parallels Plesk (Linux and Windows. Probably the biggest competitor to cPanel.)
• SolusVM (Linux only. Manages VPSs and VPS clusters using OpenVZ, Xen and KVM.)
• vePortal VPS Control Panel
• vePortal veCommander
• WebsitePanel (Windows only. The former dotnetpanel after it was revised by SMB SAAS Systems Inc. and released as a SourceForge project.)
• xpanel (Rather emaciated looking control panel with very low price. Only advertised to run on Fedora.)

Billing / Automation Tools for Control Panels

These are billing and automation tools that tightly integrate with control panels.

Misc. Inclusions

I’d like for this to become a definitive list of web-based control panels (regardless of their focus; server management or web hosting). Basically, if it can manage a server or services and has a web front-end, I’d like to know about it. I’d appreciate any social shares. Likes, +1s, Tweets, Stumbles, Digg’s and etc. are awesome. If you know of any control panels that I’ve missed (active or defunct, since I love history), or if you spot a control panel that I mis-categorized, please let me know in the comments below.

Oh Cisco Press. Why must you annoy me so.

If you look at the top of my blog you’ll see an oddly place rectangle that touts “Stop Censorship.” Depending on your browser dimensions it might be obscuring the whole “logo” as well as a few tabs. What is this all about?

It’s about the American Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA). Both are American bills that I believe will have a terribly negative effect on the Internet as a whole and especially within America’s borders. Even worse, the bills have a shockingly large amount of congressional support. The loudest (and seemingly only) congressional voice against these bills seems to be Oregon senator Ron Wyden. The strongest voice for the bills is Nevada senator Harry Reid.

I will not attempt to convince you one way or the other about these bills. As an IT worker, you are undoubtedly an autodidact and can easily research and come to your own conclusions in just an evening or two. However, what I would like to bring to your attention is what you can do to oppose this bill if that is the stance that you take.

If you are one of my US readers, click on over to www.AmericanCensorship.org to find a list of Congressional phone numbers for those senators and representatives that you are a constituent of. Then call them and respectfully voice your opinion for or against. I believe that the American government already has designs on somehow making the internet (or an “alternate internet”) a place “where anonymity is not an option.” As such I take the opposition view on these bills and believe that we need as many voices as we can gather together to work against these threats to internet freedom.

Part of that opposition is getting the word out by utilizing a handy “Stop Censorship” banner at the top of my site. You can place that on your site too by going to the www.AmericanCensorship.org home page and scrolling one page down for some links and directions. Please consider it.

Also, take the time to thank senator Wyden through email, Twitter or give his office a call using the numbers that you can find on AmericanCensorship.org.

I fear for the future of the internet if one or both of these bills pass, and they could in just a matter of hours or days. Take action! All shares, +1s, RTs and etc. are appreciated.

While mucking about in bash with some files containing rather cryptic text, I needed to easily copy and paste it into a web browser. I had hoped that perhaps there was a built-in tool or interface that could help me. Perhaps /dev/clipboard? Yes, I’m that naïve.

The crux of the matter is that I’m using the X Window system to present Gnome to me. Bash needs to pass information up to X and to do that you’ll need a spiffy little package called xclip. It’s not standard in my distro and will likely not be in yours, so you’ll need to consult your repositories.

It turns out that there’s several different clipboard-like interfaces for X and I will not pretend to understand each of them. Simply saying that you’re going to put something into X’s clipboard isn’t specific enough. xclip can redirect bash output to various X displays (it defaults to $DISPLAY if no display is explicitly stated) and to the sundry X selections (primary, secondary or clipboard).

What would a more common usage of xclip be? Perhaps:

cat ~/.ssh/id_dsa.pub | xclip -selection CLIPBOARD

Now you can paste your hairy public keys somewhere useful and not have to worry if you captured any bad characters or not. Or perhaps puke your .vimrc file to pastebin for bragging rights. Do you have any other ways to pipe terminal output to X? Let me know in the comments.

This one goes out to Michael @Voretaq7 Graziano. He’s been sharpening his collection of wiggle blade daggers ever since he discovered that I access one server of mine using a password-less RSA keypair. I finally got around to rectifying that situation the other evening.

Obviously I didn’t want to recreate keypairs on my host machine and break all of the other applications that depend on them. Can one add a password to an existing RSA or DSA private key? Yes! Yes you can!

The key to the situation (pun intended) is to use the –p option for ssh-keygen (assuming that you’re using OpenSSH, of course) and then pointing it to the private key that you want to protect. For example:

ssh-keygen –p –f ~/.ssh/id_rsa

This also works to change the password on an existing protected private key.

Michael, this ssh-agent -D is for you. =)