June 24th, 2000 – August 23, 2012
Ok, maybe it’s not very pretty – but it’s a science project you can put together in about 10 minutes once you’ve got the parts together AND those parts are likely things you’ve got around your home now. It was a long weekend and the kids and I were looking for something to make; this fit the bill and just maybe taught them a little bit about science (maybe I learned something too). The original article is a great reference; as usual, I’ll repeat the steps here with my notes.
For reference, in the picture at the top of the post – the bottom of the box is facing us, and the tube is coming out of the right side.
First we cut an oval hole for the paper tube in the right side. Choose a side, and use the CD as a guide – place it in the lower left corner and mark the center hole. Now use that as a guide to center the paper tube and mark the outside of the tube. Shift the tube left so it’s touching the center of the CD hole marking and mark the outside of the tube. You should have two outlines of the paper tube that you can make into an oval.
The next hole is for the razor blades; it goes on the side to the left of the oval hole. It should be 1/2 inch wide by 2 inches high – give or take a bit. It should be the same height up the box as the tube hole (use the CD as a guide) but about 1/2 inch in from the edge. We’re going to cover this slot with the razor blades in a minute.
Now place the razor blades over the second hole and tape them in place. They should fully cover the hole and be spaced as closely together as possible, almost but not quite touching. It is important to have an even spacing top to bottom.
Orient the box as seen in the picture at the top of the post. Place the CD on the side of the box that is lying on the ground now, label side down. Shine a flashlight into the razor blade slit, and hold the tube in the oval at an angle. You may need to close the box to see this, but you should see a rainbow of sorts when you look through the tube at the CD.
Once you’ve got this basically aligned (and don’t sweat it too much), tape things in place. Use the foil tape to seal the box up to prevent any light leaks.
That’s it, we’ve built a spectrometer!
The pinhole effect is much more obvious in this photo which shows some trees blocking some of the light.
Today it’s fairly typical to have an always-on, high-speed internet connection. Many geeks like myself will run a Linux box 24/7 at home that acts as a file server, media server, and possibly a few other roles like email and web. Enabling ssh access is extremely handy for when you’re away from home: not only does it give you secured shell access, it also enables tunneling over ssh. A secondary but also valuable ability of this type of setup is online file storage that is on hardware you own (or more specifically, not owned by someone random).
You might want to enable friends of yours to also enjoy the benefits of having online file storage, but you might not want them tinkering around inside your system with full shell access. Whatever the reason for your paranoia, scponly is a great solution.
scponly is an alternative ‘shell’ (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
$ sudo apt-get install scponly
During the package configuration step that is triggered automatically on the install, you’ll be asked if you want chroot or not.
While the warning appears to be quite dire, choosing yes has some advantages. In a chroot jail the apparent root directory is modified, which limits the user’s visibility of the filesystem – often to their home directory. The security warning is there because scponly needs suid-root privileges in order to create the chroot jail. You need to assume that the scponly code doesn’t contain any potential exploits, a trade-off for the reduced filesystem visibility that in turn increases system security. In the end, as scponly is wrapping the well known and validated ssh suite, we’re in a fairly good place.
Next we need to uncompress and modify the setup helper script to be executable:
$ cd /usr/share/doc/scponly/setup_chroot
$ sudo gunzip setup_chroot.sh.gz
$ sudo chmod +x setup_chroot.sh
Use the helper script to create a chroot restricted user (frank).
$ sudo ./setup_chroot.sh
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
-en Username to install [scponly]
-en home directory you wish to set for this user [/home/frank]
-en name of the writeable subdirectory [incoming]
creating /home/frank/backup directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for frank:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/frank/bin/groups
In the above I provided a username (frank) and I accepted the defaults except for the writeable subdirectory (backup) and password.
On my test system, an Ubuntu 11.04 (Natty) desktop install, I wasn’t able to connect using scp or sftp.
$ scp testfile.txt frank@desktop:testfile.txt
unknown user 1001
It turns out I was hit by a reported problem, and it was a simple matter of copying some missing files into the chroot jail:
$ sudo cp -av /lib/i386-linux-gnu/libnss_files* /home/frank/lib/i386-linux-gnu/
Now everything worked. I could scp, sftp and mount using sshfs (one of my favorite utilities).
If you want the writeable subdirectory to be the default directory, simply modify the system /etc/passwd file to have a double slash followed by the directory:
Changing the password is also supported by scponly:
$ ssh -t frank@desktop passwd
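The setup above depends on three things the post mentions separately: a home directory the scponly user cannot write to, the double slash in the passwd home field, and libnss_files being present inside the jail. The shell function below is an added example (not part of the original post or of scponly) that checks them for one account, relying on scponlyc's handling of `//` (chroot to the part before it, start in the part after). The `prefix` argument, the `make_fixture` helper and the sample passwd line are constructed so it can run against a throwaway tree.

```shell
# Added example: audit one scponly chroot account.
# Usage: audit_scponly_user PASSWD_FILE USER [PREFIX]
# PREFIX is a hypothetical parameter prepended to paths so the audit can run
# against a constructed fixture tree; leave it empty for the live system.
audit_scponly_user() {
    pw=$1; user=$2; prefix=${3:-}; rc=0
    entry=$(grep "^$user:" "$pw") || { echo "FAIL: no entry for $user"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    # scponlyc is the chroot variant of the shell; anything else is not jailed.
    case $shell in
        */scponlyc) ;;
        *) echo "FAIL: shell is '$shell', expected scponlyc"; rc=1 ;;
    esac
    # "/jail//sub": scponlyc chroots to /jail, then changes into sub.
    case $home in
        *//*) jail=${home%%//*}; start=${home#*//} ;;
        *)    jail=$home; start= ;;
    esac
    [ -d "$prefix$jail" ] || { echo "FAIL: $jail does not exist"; return 1; }
    # The jail root holds .ssh, so the user must not be able to write there.
    # Conservative: fail if the user owns it or group/other have write access.
    set -- $(ls -ldn "$prefix$jail")
    [ "$3" != "$uid" ] || { echo "FAIL: $jail is owned by uid $uid"; rc=1; }
    case $1 in
        ?????w*|????????w*) echo "FAIL: $jail is writable by group/other"; rc=1 ;;
    esac
    if [ -n "$start" ] && [ ! -d "$prefix$jail/$start" ]; then
        echo "FAIL: start directory $jail/$start is missing"; rc=1
    fi
    # Without libnss_files in the jail, uid lookups fail ("unknown user 1001").
    find "$prefix$jail/lib" -name 'libnss_files*' 2>/dev/null | grep -q . ||
        { echo "FAIL: no libnss_files* under $jail/lib"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $user is jailed in $jail"
    return "$rc"
}

# Constructed fixture: a fake jail for frank under DIR, passwd file in DIR/passwd.
# The uid is picked to differ from whoever builds the tree.
make_fixture() {
    mkdir -p "$1/home/frank/backup" "$1/home/frank/lib/i386-linux-gnu"
    chmod 755 "$1/home/frank"
    : > "$1/home/frank/lib/i386-linux-gnu/libnss_files.so.2"
    echo "frank:x:$(( $(id -u) + 1 )):1001::/home/frank//backup:/usr/sbin/scponlyc" \
        > "$1/passwd"
}
d=$(mktemp -d); make_fixture "$d"; audit_scponly_user "$d/passwd" frank "$d"; rm -rf "$d"
```

On a real host, run it as `audit_scponly_user /etc/passwd frank` with no prefix.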