Wednesday, June 22, 2016

Marking files on UFS as compressed on Solaris

Bernd Schemmer has an interesting post about using fiocompress for file-system level compression of individual files on UFS file systems...

However, it might be useful to mark files as compressed after compressing the file, such as when you forgot the "-m" option when compressing a large file.

The fiocompress utility does this by calling the _FIO_COMPRESSED ioctl on the file.

There seems to be no way to unmark a file that is marked as compressed. (The ioctl sets a cflag on the file called ICOMPRESS, but no operation to clear the cflag seems to exist)

I stripped down fiocompress to a minimal tool to just mark a file as compressed. It is important to ensure that it is a valid file (outfile in the example) generated by "fiocompress -c infile outfile" before running this command. Bad things may happen if this is not the case.

To mark output as compressed, compile the code (compile.sh should do that for you) and run "./markcompressed -m /path/to/outfile" if you are running it from the directory where it was compiled.

Source code can be downloaded from here. (A quick ugly hack, based on fiocompress from OpenSolaris, with some likely bugs)

As always, you should ensure that you have the latest recommended patchset installed.

Older OpenSSH versions - using a different authorized_keys file for a single user

Sometimes, multiple users share a home directory or there are other reasons why a user's authorized_keys file won't pass OpenSSH's permission checks. While those can be disabled, it is generally a bad idea.

In recent OpenSSH versions, using a different authorized_keys file for a single user is easy:

Match User username
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

In older versions however,AuthorizedKeysFile is not supported under a Match block.

In order to get around that, at least on some version, you can use AuthorizedKeysCommand instead, which is supported under a Match block (at least on an up-to-date RHEL5): (It can also be used outside a Match block to enable the option for all users)

Match User username
AuthorizedKeysCommand /etc/ssh/etc_ssh_authorized_keys

You can then create the following script to use as the command and put keys into /etc/ssh/authorized_keys/username #!/bin/sh
/bin/cat "/etc/ssh/authorized_keys/${1}"

To prepare the script and directory: (Users can view each other's public keys in this example, but that for a small number of users is a smaller risk than disabling the permission checks, which might allow other users to edit the user's authorized_keys file)

echo -e '#!/bin/sh\n/bin/cat "/etc/ssh/authorized_keys/${1}"' > /etc/ssh/etc_ssh_authorized_keys
mkdir -m 755 /etc/ssh/authorized_keys
chmod 755 /etc/ssh/etc_ssh_authorized_keys
chmod 644 /etc/ssh/authorized_keys/* # there is probably nothing there yet
chown -R root:root /etc/ssh/etc_ssh_authorized_keys /etc/ssh/authorized_keys