opensource.com

Manage Linux users' home directories with systemd-homed

David Both, Wed, 03/09/2022

The entire systemd concept and implementation have introduced many changes since it began to replace the old SystemV startup and init tools. Over time, systemd has been extended into many other segments of the Linux environment.

One relatively new service, systemd-homed, extends the reach of systemd into the management of users' home directories. It manages only human (regular) user accounts; system accounts, which live in the User ID (UID) range 0 to 999, are outside its scope. I support the systemd plan to take over the world, but I wondered if this was a bit excessive. Then I did some research.

What is systemd-homed?

The systemd-homed service supports user account portability independent of the underlying computer system. A practical example is to carry your home directory on a USB thumb drive and plug it into any system running systemd-homed, which recognizes and mounts it automatically. According to Lennart Poettering, lead developer of systemd, no one should be able to access a user's home directory unless that user is logged in. The systemd-homed service is designed to enhance security, especially for mobile devices such as laptops. It also seems like a tool that might be useful with containers.

This objective can only be achieved if the home directory itself carries all of the user's metadata. The ~/.identity file inside the home directory stores the user record, which systemd-homed can only read once the password has been supplied and the directory is unlocked. This record holds all of the account metadata, everything Linux needs to know about you, so the home directory is portable to any Linux host that runs systemd-homed. This approach avoids having a separate account, with its own stored password, on every system you might need to use.

The home directory can also be encrypted with your password. Under systemd-homed, your home directory stores your hashed password along with the rest of your user metadata; the hash is not kept in /etc/shadow on each host, so it cannot be harvested from there. Although the password hashing used on modern Linux systems is considered strong, a hash that cannot be read cannot be attacked offline, and the best safeguard is to prevent access to it in the first place. Assumptions about the invulnerability of their security have led many to ruin.

This service is primarily intended for use with portable devices such as laptops. Poettering states, "Homed is intended primarily for client machines, i.e., laptops and thus machines you typically ssh from a lot more than ssh to, if you follow what I mean." It is not intended for use on servers or workstations that are tethered to a single location by cables or locked into a server room.

The systemd-homed service is enabled by default on new installations, at least on Fedora, which is the distro I use. This is by design, and I don't expect it to change. Existing user accounts are not affected or altered in any way, whether on systems with existing filesystems or on upgrades and reinstallations that keep the existing partitions and logical volumes.

Creating controlled users

Traditional tools such as useradd create accounts and home directories that systemd-homed does not manage. Therefore, if you continue to use the conventional user management tools, the accounts and home directories on your system are not managed by systemd-homed. The same is true of the non-root user account created during a new installation.

The homectl command

The homectl command creates user accounts that systemd-homed manages. Using the homectl command to create a new account generates the metadata needed to make the home directory portable.

The homectl command man page has a good explanation of the objectives and function of the systemd-homed service. The Examples section is especially worth reading: of its five examples, three show how to create user accounts with specific limits imposed, such as a maximum number of concurrent processes (tasks) or a maximum amount of disk space.

In a non-homectl setup, the /etc/security/limits.conf file imposes limits of this kind, such as the number of processes a user may run; a disk-space cap needs filesystem quotas rather than limits.conf. homectl records the limits in the user record and applies them through the user's systemd slice (cgroup resource control). The only advantage I can see to this is that it adds a user and applies the limits with a single command. With the traditional method, the sysadmin must edit limits.conf by hand.
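As an added example (my own script, not code from the article or from the systemd project), the shell functions below wrap both routes the paragraph compares: a homectl creation that carries limits in the user record, and the useradd plus limits.conf equivalent. The user name, real name, the 10G and 2G sizes, the 500-task cap and the HOMECTL/USERADD override variables are illustrative assumptions; homectl's --storage, --disk-size, --tasks-max, --memory-max and --real-name options are real. Set HOMECTL=echo to dry-run without root.

```shell
#!/usr/bin/env bash
# Added example: create a user with resource limits via homectl, and the
# traditional useradd + limits.conf equivalent. Names and sizes are placeholders.

HOMECTL="${HOMECTL:-homectl}"   # set HOMECTL=echo for a dry run
USERADD="${USERADD:-useradd}"

# A name already present in the traditional account database (NSS) is not
# managed by homed; creating it again with homectl would collide with it.
is_traditional_user() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# homed route: one command creates the account, the LUKS-backed home image and
# the limits, which homed enforces through the user's systemd slice.
homed_create_limited() {
    name=$1; real_name=$2; disk_size=$3; tasks_max=$4; memory_max=$5
    if is_traditional_user "$name"; then
        echo "refusing: '$name' already exists as a traditional account" >&2
        return 1
    fi
    "$HOMECTL" create "$name" \
        --real-name="$real_name" \
        --storage=luks \
        --disk-size="$disk_size" \
        --tasks-max="$tasks_max" \
        --memory-max="$memory_max"
}

# Traditional route: limits.conf entries written by hand. limits.conf can cap
# the number of processes (nproc) per user; it cannot cap disk space, which
# needs filesystem quotas instead.
limits_conf_lines() {
    name=$1; nproc=$2
    printf '%s soft nproc %s\n%s hard nproc %s\n' "$name" "$nproc" "$name" "$nproc"
}

# Append the entries to a limits file unless the user already has one (idempotent).
append_limits() {
    file=$1; name=$2; nproc=$3
    if grep -q "^$name[[:space:]]" "$file" 2>/dev/null; then
        return 0
    fi
    limits_conf_lines "$name" "$nproc" >> "$file"
}

traditional_create_limited() {
    name=$1; real_name=$2; nproc=$3; limits_file=${4:-/etc/security/limits.conf}
    "$USERADD" --create-home --comment "$real_name" "$name" \
        && append_limits "$limits_file" "$name" "$nproc"
}

case "${1:-}" in
    homed)       homed_create_limited alice "Alice Example" 10G 500 2G ;;
    traditional) traditional_create_limited alice "Alice Example" 500 ;;
    *) ;;   # no argument: only define the functions
esac
```

Run it as root with `homed` or `traditional` as the first argument. After a homectl creation, `homectl inspect alice` shows the stored record, including the limits. On the traditional route the nproc lines only take effect for new login sessions that pass through pam_limits, and they say nothing about disk usage.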

Limitations

The only significant limitation I am aware of is that it is not possible to log in to a systemd-homed home directory remotely using OpenSSH. An encrypted home stays locked until the user's password is supplied, so a key-based SSH login has no readable ~/.ssh/authorized_keys to check, and PAM cannot currently unlock a homectl-managed home directory on the user's behalf. Poettering seems doubtful that this can be overcome. This issue would prevent me from using systemd-homed for my home directory on my primary workstation or even my laptop. I typically log into both computers remotely several times per day using SSH, so this is a showstopper for me.

The other concern I can see is that you still need a Linux computer to use a USB thumb drive with your home directory on it, and that computer needs to have systemd-homed running.

It is optional

You don't have to use it, however. I plan to continue using the traditional tools for user management to support my workflow. On the few distros I know something about, including Fedora, the default is for the systemd-homed service to be enabled and running. You can disable and stop the systemd-homed service without affecting traditional user accounts; check first with homectl list that no accounts were created with homectl, because those cannot be activated while the service is stopped.

Final thoughts

Sysadmins can use the systemd-homed service for a secure form of management of roaming users' home directories. It is useful on portable devices like laptops and can be especially useful for users who carry a thumb drive containing only their home directories to plug it into any convenient Linux computer.

The primary limitation of using systemd-homed is that you cannot log in remotely over SSH. And even though systemd-homed is enabled by default, it does not affect home directories created with the useradd command. I do need to point out that, like many systemd tools, systemd-homed is optional. So I just stopped and disabled the service.

If I need to take my home directory in a package smaller than my laptop, I can just use a live USB with persistent storage.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

How to use Kubernetes and OpenStack together

Tue, 03/08/2022 - 16:00

In OpenStack's 2021 User Survey, the majority of respondents said they use Kubernetes as the container orchestration or Platform-as-a-Service (PaaS) tool to manage their OpenStack applications. Simply put, OpenStack and Kubernetes work together to benefit sysadmins, developers, and users alike.

It's one thing to say that users rely on these two technologies, but I wanted to know how. I've found several typical use cases.


EGroupware administration tips to meet your collaboration needs

Heike Jurzik, Tue, 03/08/2022

In my previous article, I explained how to install and set up EGroupware on your own server. It also introduced the modules and external applications of the open source groupware solution. This article shows you how to take care of an existing installation and manage backups.

The Admin menu

The central point of administration is the Admin menu in the left sidebar. This is where you adjust EGroupware's general settings, take care of user accounts and passwords, change the home screen, view access logs, clear the web server cache, test the push server, and more.


In this area, you also configure users and groups, their access, and permissions. Right-click an entry to open a context menu with quick access to important configuration options. Please be extra careful with the User groups section. Each group has its own rights, so this is where you define access to specific data. Note that personal settings override those of the group, and the user's access rights are determined by what is set for the account and its groups.

Tip: Limit what users see to the resources they really need, keep their workspaces clean, and set sensible defaults. For example, hide applications and functions that would confuse less tech-savvy users.

Configure automatic upgrades

The whole EGroupware environment basically consists of several Docker containers working hand in hand. As a result, taking care of the installation is very convenient. Apart from delivering an optimally configured environment, the containers also make sure it's painless to upgrade single components as well as the entire system or even install additional applications.

EGroupware uses Watchtower to check for container updates. After the developers publish a new container image, Watchtower pulls it, gracefully shuts down the running container, and restarts the updated version with all necessary options. The check runs every night at 4 a.m.; you can adjust the schedule by modifying the /etc/egroupware-docker/docker-compose.override.yml file. Because this pulls and restarts whatever image the registry serves, keep a current backup (see below) and check the logs after the nightly run.

Add your own mail server

Up until early 2021, EGroupware's email module was only a mail client. These days the developers offer an additional mail server component, ideal for administrators who run EGroupware on-prem and want to run their own MTA. The vendor provides the package egroupware-mail for Debian and Debian-based distributions, which installs a container with Postfix and Dovecot, including an extension for push functionality in the EGroupware web client.

The entire administration of the mail server then runs via EGroupware's web interface. Every time the admin sets up a new user account, the corresponding mailboxes are generated automatically. The configuration for existing accounts happens in the Admin menu (User accounts). Right-click an entry and select Mail account to set up identities, signatures, IMAP folder structure, aliases, and forwards.

The Encryption tab allows you to upload an S/MIME certificate. For PGP, users must install the open source Mailvelope browser add-on; the private key stays with its owner (not with the EGroupware operator!), and users register their public key in the Mail module.


SSL and 2FA

As noted in the first article, setting up TLS (SSL) certificates is vital. At a bare minimum, admins should take the time to set up a certificate for the reverse proxy (not the EGroupware web server!), even if EGroupware runs only on the local network.

EGroupware supports various authentication methods. The default is the local SQL database, which stores the users' credentials. Alternatively, the groupware authenticates against LDAP, Active Directory, mail servers, and SAML 2/Shibboleth (Single Sign-On). Administrators choose the preferred method in the setup dialog (www.example.com/egroupware/setup) immediately after the installation. Because that dialog controls how every user is authenticated, restrict access to it to local IP addresses, for example with an allow list on the reverse proxy.

Look at the Admin menu, Site configuration, tab Security. This is where you enable two-factor authentication (2FA), define rules for blocking users after incorrect password entries, and set up password policies.


Users of the Enterprise Line (EPL) version can configure a Web Application Firewall (Admin, Applications, EPL-Features, Firewall / 2FA). If only a small group of users should have access from external networks, you first define a rule that prevents access for everyone outside the local network. After that, create a new group and add all users allowed to log in from external networks. All firewall rules are processed one after the other, and you can change their order by drag and drop.

The firewall only handles interactive logins through the EGroupware web interface, not synchronization with external clients, WebDAV access, or file shares. Check your firewall rules before saving them (Test button), ideally in a private browsing tab or another web browser. Because the firewall only acts at login, keep your current session open while testing so that a mistaken rule cannot lock you out.

Backup and restore

EGroupware offers help with creating backups, but you have to enable this—it's not part of the default settings. Go to Admin, DB backup and restore to adjust the configuration and access existing backups. In this section, you can define, amongst other things, a backup schedule and the number of copies you want to keep. Since this is a simple database dump (with a few extra config files), a backup doesn't need much space and time, so it's okay to keep 20 versions or more. Please note that if you rename a backup in this dialog, it no longer gets deleted during the automatic cleanup process.

You can download existing backups as Bzip2 archives to keep them safe on external storage media. Of course, you can upload the backups to another EGroupware server and restore them there. This even works on different Linux distributions.


When planning your backup strategy, you might want to consider the virtual file system in which EGroupware stores the internal file manager's data. Of course, those files and folders are not recorded in the database and are therefore not backed up automatically. You can save those files if you tick the Check to backup and restore the files directory... box—this may take up a lot of disk space, though.

For a full backup, you should also take care of the /var/lib/egroupware directory on the EGroupware server with the backup software of your choice. This has one significant advantage: In addition to the file manager's data, you preserve the header file (with the database passwords), files from external applications (e.g., from Guacamole, Rocket.Chat, and Collabora Online), logs from the installation, etc.
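To make the full-backup advice concrete, here is an added shell script (my own, not EGroupware's built-in DB backup) that archives the /var/lib/egroupware tree, verifies the archive, restricts its permissions because the header file inside holds database credentials, and keeps a fixed number of copies. The destination /srv/backup/egroupware, the KEEP value of 20 and the archive naming are assumptions.

```shell
#!/usr/bin/env bash
# Added example: offline backup of the EGroupware server directory with
# verification and rotation. Destination path and retention are assumptions.

SRC_DIR="${SRC_DIR:-/var/lib/egroupware}"            # named in the article
BACKUP_DIR="${BACKUP_DIR:-/srv/backup/egroupware}"   # assumed; ideally external storage
KEEP="${KEEP:-20}"                                   # copies to keep

# Create a timestamped gzip tarball of $1 in $2, verify it lists cleanly,
# lock it down (it contains DB credentials) and print its path.
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/egroupware-$stamp.tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    if ! tar -tzf "$archive" >/dev/null; then
        echo "archive $archive is corrupt, discarding it" >&2
        rm -f "$archive"
        return 1
    fi
    chmod 600 "$archive"
    echo "$archive"
}

# Archives sorted oldest first; the timestamp in the name gives the order.
list_backups() {
    find "$1" -maxdepth 1 -name 'egroupware-*.tar.gz' 2>/dev/null | sort
}

count_backups() {
    list_backups "$1" | wc -l | tr -d ' '
}

# Delete the oldest archives in $1 beyond $2 copies.
rotate_backups() {
    dir=$1; keep=$2
    excess=$(( $(count_backups "$dir") - keep ))
    [ "$excess" -gt 0 ] || return 0
    list_backups "$dir" | head -n "$excess" | while read -r old; do
        rm -f "$old"
    done
}

case "${1:-}" in
    run)
        archive=$(make_backup "$SRC_DIR" "$BACKUP_DIR") \
            && rotate_backups "$BACKUP_DIR" "$KEEP" \
            && echo "backup written: $archive"
        ;;
    *) ;;   # no argument: only define the functions
esac
```

Run it as root from cron with `run` as the argument, after EGroupware's own scheduled DB backup, and copy the archives to external storage. Restoring is `tar -xzf <archive> -C /` on a host with the same EGroupware version, followed by a restart of the containers.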

Close collaboration

Taking care of an EGroupware installation is not particularly difficult, but it needs to be done. As an admin, you should familiarize yourself with the software and its configuration. Luckily, the developers follow the KISS principle (Keep it sweet and simple)—all modules collaborate nicely, and upgrades are thoroughly tested before they are released.

If you run into trouble, the community forum is there to help. This forum is also where you hear about upcoming changes and other news.

Familiarize yourself with these tips and tricks to optimize this open source groupware solution for your team.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

What's new with Java 17 and containers?

Mon, 03/07/2022 - 16:01

Container platforms and edge computing continue to grow, powering major networks and applications across the globe, and Java technologies have evolved new features and improved performance to match steps with modern infrastructure. Java 17 (OpenJDK 17) was released recently (September 2021) with the following major features:


Get started with EGroupware, an open source alternative to Microsoft 365

Mon, 03/07/2022 - 16:00

A groupware solution is a must-have, whether you're working in a small organization, a medium-sized company, or a large enterprise. It promotes collaboration and glues teams together. Are you looking for an open source alternative to the big players? Maybe EGroupware can replace Microsoft 365 or Google Workspace in your team soon.


The National Science Foundation bets big on open source

Sun, 03/06/2022 - 16:00

The National Science Foundation (NSF) just announced US$ 21 million to fund open source development through a new program: Pathways to Enable Open-Source Ecosystems (PEOSE).


Creating and initializing maps in Groovy vs Java

Sat, 03/05/2022 - 16:00

I’ve recently explored some of the differences between Java and Groovy when creating and initializing lists and building lists at runtime. I observed the simple facilities provided by Groovy for these purposes in comparison to the complexity required in Java.


Open source tools to introduce students to computer science

Fri, 03/04/2022 - 16:00

It's no secret that a career in software engineering is enviable. In fact, the US News & World Report recently ranked software development as one of the best jobs in America in 2022, based on qualities that job seekers desire most: High salaries, low stress levels, employment growth, and job prospects. And unlike most of the other jobs in that list, software development does not require an advanced degree (or necessarily any degree at all).


9 resources to help you contribute to open source in 2022

Thu, 03/03/2022 - 16:01

In 2022, open source is becoming more and more of a household name. But for many years, open source was known as the scrappy underdog of the enterprise IT landscape. Open source has been around for decades in some form or fashion, but it wasn't even until the late 1990s that it was formalized with its name.


Get started with Carbonio, an open source collaboration platform

Thu, 03/03/2022 - 16:00

In recent years, interest in using open source collaboration platforms to enhance business productivity increased. Proprietary software has managed to overwhelm customers with a maze of licensing requirements and pay-to-play features that many companies don't want to manage. On the other hand, open source offers alternatives that give companies the liberty of choice and allow new businesses to enter existing markets easier with more control over upfront costs.


How to use httpx, a web client for Python

Wed, 03/02/2022 - 16:00

The httpx package for Python is a sophisticated web client. Once you install it, you can use it to get data from websites. As usual, the easiest way to install it is with the pip utility:

$ python -m pip install httpx --user

To use it, import it into a Python script, and then use the .get function to fetch data from a web address:


4 Vim features to use to improve productivity

Tue, 03/01/2022 - 16:00

There's always Vim. Vim is one of the most popular text editors in use today. This is in large part because it's available everywhere. When you SSH into another system, you may not find Emacs, Nano, or VSCodium installed, but you can rest assured that Vim is there for you.


Boost your home network with DNS caching on the edge

Tue, 03/01/2022 - 16:00

If you've been hearing a lot of talk about "the cloud" over the past several years, then you may also have heard rumblings about something called "the edge."


Put sticky notes on your Linux KDE desktop

Mon, 02/28/2022 - 16:00

I remember the first time I went to an "un" conference. It was a chaotic event at first, with lots of socializing and sharing of personal projects, but it gradually coalesced into a mostly self-organized technical event. It didn't happen with magic, but with sticky notes. People wrote ideas for talks and presentations on those colorful adhesive notepads, and stuck them to a common wall, and other people grouped similar ideas into clusters, and eventually everyone knew where to congregate to discuss specific topics.


A visual map of a Kubernetes deployment

Mon, 02/28/2022 - 16:00

When you work with containers on Kubernetes, you often group applications together in a pod. When you launch a container or a pod into production, it's called a deployment. If you're using Kubernetes daily or even just weekly, you've probably done it hundreds of times, but have you thought about what exactly happens when you create a pod or a deployment?


Math is fun with this Linux graphing calculator

Sun, 02/27/2022 - 16:00

If you spent your high school years gazing at TI-80 series calculators but lost track of the device somewhere along the way, then you might sometimes yearn to relive those thrilling years of algebra and calculus. Somebody on the Linux KDE project must have felt that way, too, because one of the KDE Framework libraries, Analitza, provides syntax and widgets to enable you to perform advanced math functions with K apps like the graphing calculator KAlgebra.


My favorite casual games to play on Linux

Sat, 02/26/2022 - 16:00

I love a good game that you can immerse yourself in for hours, but I don't always have the luxury of ignoring daily tasks to disappear into a video game. Still, I do love a fun challenge from time to time, and two of my favourite applications to launch when my computer gets busy doing something that I need to wait on are games from the KDE Games package: KBlocks and Kolf.


How to screen share with the Linux KDE Plasma Desktop

Fri, 02/25/2022 - 16:00

If you've ever done remote support professionally or out of familial obligation, then you've been on a call where solving problems are only secondary to the impossible task of visualizing what's actually on your user's screen. How many times have you described complex desktop tasks only to later realize that your user hasn't even turned their computer on yet? Support is important, but the frustration is real, and it's a shared experience for both the people in need of support and the people who graciously try to provide it.

