codeblog code is freedom — patching my itch

April 9, 2009

CODEGATE 2009 ran Ubuntu Intrepid

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 9:05 pm

I’m pleased to hear that the CODEGATE 2009 International Hacking Contest ran Ubuntu Intrepid for both the qualifying rounds and the final match. The host machine was running the 32bit -server kernel, so NX was active (along with all the other memory-corruption protections). From what I can see the compiled challenges were stack-protected and fortified, so the contestants had to work around that as well as the randomized stack, heap, and library locations. Sounds like it was a fun contest in a real-world situation. All that’s left now is for 64bit to become the standard. And PIE too. I can’t wait to hear more. :)

$ nm cracktris | grep _chk
         U __fprintf_chk@@GLIBC_2.3.4
         U __printf_chk@@GLIBC_2.3.4
         U __sprintf_chk@@GLIBC_2.3.4
         U __stack_chk_fail@@GLIBC_2.4
         U __strcat_chk@@GLIBC_2.3.4
         U __strcpy_chk@@GLIBC_2.3.4

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

February 13, 2009

World Of Goo compiled on Ubuntu

Filed under: Blogging,Debian,Reverse Engineering,Ubuntu — kees @ 3:44 pm

I first played World of Goo on the Wii. I loved it. Great stuff, reminded me a little of Lemmings, but way way better. Today I found out it’s also available for Linux, and I immediately downloaded it. I was pleased to see a .deb available and thought I’d dig into the binary a little to see how it was put together.

I’m hugely excited to see that it looks like the game was built on Ubuntu Intrepid for both the .deb and .tar.gz packages:

$ strings -a WorldOfGoo.bin | grep -i gcc
...
GCC: (Ubuntu 4.3.2-1ubuntu12) 4.3.2

The bundled libraries appear to come from Gentoo:

$ strings -a libs/libogg.so.0 | grep -i gcc
...
GCC: (GNU) 4.2.3 (Gentoo 4.2.3 p1.0)

OpenSSL (and libpng?) from Gentoo seem to have been statically linked into the binary:

$ strings -a WorldOfGoo
...
GCC: (GNU) 4.2.3 (Gentoo 4.2.3 p1.0)
_x86_AES_encrypt
...

What I’m so very excited about is that third party software producers are using Ubuntu for their releases. This means they get all the security and code-quality improvements that are built into the Ubuntu compiler for free:

$ objdump -CR WorldOfGoo.bin | grep _chk
...
084043f0 R_386_JUMP_SLOT __memcpy_chk

Many thanks to Maks Verver for doing the porting. I’m really enjoying the demo. Also, I can see your devel path! :)

$ strings -a WorldOfGoo.bin | grep openssl
OPENSSLDIR: "/home/maks/Projects/wog/libs/openssl-0.9.8j-linux-i386/ssl"
...

All this said, it may be that they’re actually only compiling pieces (like the Open Dynamics Engine, which seems to contain the bulk of the *_chk calls) on Ubuntu (or using .a files from a distro-compiled library that enables hardening only in builds — RedHat, SuSE), but doing the .deb and .tar.gz project linking on Ubuntu (which is why the compiler name shows up in the resulting binary). The RPM shows the *_chk functions too — actually the disassembly is identical between deb and RPM, which would imply that only final linking was done on the native distros but compiled elsewhere. I’d love to hear more details if Maks stumbles on this blog. :)
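Both the “nm cracktris | grep _chk” check in the CODEGATE post above and the “objdump -CR WorldOfGoo.bin | grep _chk” check here are reading the binary’s undefined dynamic symbols. As an added example (my code, not the post’s and not from any of the projects mentioned), here is a small pure-Python ELF reader that pulls the same answer straight from the headers without binutils, and also reports NX (PT_GNU_STACK), RELRO (PT_GNU_RELRO) and PIE (ET_DYN), since the CODEGATE post mentions those too. It handles ELF32 and ELF64, so it works on the i386 binaries discussed. The sample ELF it builds is constructed for the example and stands in for cracktris; it is not a real program.

```python
#!/usr/bin/env python3
"""Pure-Python ELF hardening check: answers the questions the posts answer with
nm/objdump (are *_chk and __stack_chk_fail imported?) plus NX, RELRO and PIE,
straight from the ELF headers, with no binutils needed.
Added example, not code from the posts; the sample ELF below is constructed."""
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 1
ET_EXEC, ET_DYN, SHT_DYNSYM, SHT_STRTAB, SHN_UNDEF = 2, 3, 11, 3, 0

# struct layouts (endianness prefix added later) for ELF32 (1) and ELF64 (2)
LAYOUT = {
    1: dict(ehdr="16sHHIIIIIHHHHHH", phdr="IIIIIIII", shdr="IIIIIIIIII", sym="IIIBBH"),
    2: dict(ehdr="16sHHIQQQIHHHHHH", phdr="IIQQQQQQ", shdr="IIQQQQIIQQ", sym="IBBHQQ"),
}


def check_elf(data):
    """Return a dict of hardening properties for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, end = data[4], ("<" if data[5] == 1 else ">")
    fmt = {k: end + v for k, v in LAYOUT[cls].items()}
    h = struct.unpack_from(fmt["ehdr"], data, 0)
    e_type, e_phoff, e_shoff = h[1], h[5], h[6]
    e_phentsize, e_phnum, e_shentsize, e_shnum = h[9], h[10], h[11], h[12]

    # NX: a PT_GNU_STACK header without PF_X. No such header at all means the
    # kernel grants an executable stack, so that counts as "no NX" as well.
    nx, relro = False, False
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt["phdr"], data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], (ph[6] if cls == 1 else ph[1])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True

    # Undefined dynamic symbols = what the binary imports from libc.
    # (A binary with its section headers stripped reports no imports here.)
    imports = set()
    shdrs = [struct.unpack_from(fmt["shdr"], data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = shdrs[sh[6]]                        # sh_link -> .dynstr
        names = data[strtab[4]:strtab[4] + strtab[5]]
        entsize = sh[9] or struct.calcsize(fmt["sym"])
        for off in range(sh[4], sh[4] + sh[5], entsize):
            s = struct.unpack_from(fmt["sym"], data, off)
            st_name, st_shndx = s[0], (s[5] if cls == 1 else s[3])
            if st_name and st_shndx == SHN_UNDEF:
                imports.add(names[st_name:names.index(b"\0", st_name)].decode())

    return {
        "pie": e_type == ET_DYN,   # ET_DYN is also what shared libraries are
        "nx": nx,
        "relro": relro,
        "stack_protector": "__stack_chk_fail" in imports,
        "fortify": sorted(n for n in imports if n.endswith("_chk") and n != "__stack_chk_fail"),
    }


def build_sample_elf64(hardened=True):
    """Constructed sample (not a real binary): an x86-64 ELF whose .dynsym
    imports __stack_chk_fail and __printf_chk, like the nm output above.
    hardened=True makes it ET_DYN with an RW GNU_STACK and a GNU_RELRO segment;
    hardened=False makes it ET_EXEC with an RWX stack and no RELRO."""
    dynstr = b"\0__stack_chk_fail\0__printf_chk\0"
    syms = b"".join(struct.pack("<IBBHQQ", n, 0x12, 0, SHN_UNDEF, 0, 0) for n in (0, 1, 18))
    stack_flags = 6 if hardened else 7                # RW vs RWX
    phdrs = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    if hardened:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    phnum = len(phdrs) // 56
    sym_off = 64 + len(phdrs)
    str_off = sym_off + len(syms)
    sh_off = str_off + len(dynstr)
    shdrs = struct.pack("<IIQQQQIIQQ", *([0] * 10))
    shdrs += struct.pack("<IIQQQQIIQQ", 1, SHT_DYNSYM, 2, 0, sym_off, len(syms), 2, 1, 8, 24)
    shdrs += struct.pack("<IIQQQQIIQQ", 9, SHT_STRTAB, 2, 0, str_off, len(dynstr), 0, 0, 1, 0)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       ET_DYN if hardened else ET_EXEC, 62, 1, 0, 64, sh_off, 0,
                       64, 56, phnum, 64, 3, 0)
    return ehdr + phdrs + syms + dynstr + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
    if len(sys.argv) == 1:
        print("hardened sample:  ", check_elf(build_sample_elf64(True)))
        print("unhardened sample:", check_elf(build_sample_elf64(False)))
```

Run it with one or more binaries as arguments, or with none to see the constructed hardened and unhardened samples side by side. Three caveats: ET_DYN is also the type of every shared library, so “pie” only means something for an executable; a binary with its section headers stripped shows no imports here, so stack_protector and fortify come back False even when the code is protected (the dynamic table reachable via PT_DYNAMIC would be the next place to look); and fortify only emits *_chk calls where the compiler could prove a buffer size, so a binary with no such imports may still have been built with -D_FORTIFY_SOURCE=2.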

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

January 24, 2009

debugging hangs in MIMEDefang

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 3:21 pm

I spent a while this morning hunting down the root cause of a 100% CPU MIMEDefang process. (Turned out to be one specific email triggering one of my custom SpamAssassin rules that seems to get processed really inefficiently.) I wasn’t able to find any documentation on how to debug where in MIMEDefang an email was getting stuck, and even jacking up the debugging output of my mimedefang-filter script seemed to imply it was happening late in the filtering process. After digging through mimedefang.pl, I found a “status reporting” subsystem and tracked it back out into configuration in /etc/default/mimedefang:

# Uncomment next line to have busy slaves send status updates to the
# multiplexor. NOTE: Consumes one extra file descriptor per slave, plus
# a bit of CPU time.
# MX_STATUS_UPDATES=yes

Turning this on, and then using “md-mx-ctrl busyslaves” (a command I didn’t know existed until today either) I got to see exactly where it was stuck:

3 B 13380 (Running SpamAssassin j951iX1t025805)

Now I’m having fun running md-mx-ctrl with histo, barstatus, and load. :)

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

January 13, 2009

ETOOMANYCERTS

Filed under: Debian,Networking,Ubuntu,Ubuntu-Server — kees @ 10:46 pm

After upgrading an Ubuntu mail server from Hardy to Intrepid, two users could no longer connect via SSL to send email through sendmail. One was using msmtp and the other was using Outlook Express. The msmtp issue was tracked down as a supposed deficiency in msmtp. However, this left Outlook, which is nigh-impossible to debug. From the Debian msmtp bug linked from the Ubuntu bug, it seemed that the root cause was the server sending too much data during the initial connection. Packet captures of an Outlook connection seemed to back this up: Outlook negotiated STARTTLS fine, and then just never responded to the SSL handshake.

It seems that something (openssl? sendmail?) changed between Hardy and Intrepid so that instead of using the /etc/ssl/certs/ca-certificates.crt file just for verification, its contents were now being sent during the SSL handshake. (I reduced the number of configured certs with “sudo dpkg-reconfigure ca-certificates“, and checked on the size of the handshake with “openssl s_client -connect server:port | wc -l“.) It was sending 143 certs at every connection. Unsurprisingly, it seems some clients were choking on it (I would like to note that Thunderbird behaved correctly).

In the end, I configured my sendmail’s CAfile (“confCACERT”) to aim at just a single CA (the CA used to sign the server’s SSL key), and that fixed both msmtp and Outlook. How fun.

© 2009 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

January 1, 2009

happy new year, RIP md5

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 10:59 am

Welcome to 2009! Really, seriously, everyone can stop using MD5 now. However, be sure not to overreact. The forged CA research is a great read, but there’s no need to break existing certs. For a calm reaction, please read this.

© 2009, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

December 3, 2008

bogosec run on intrepid main

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 10:16 am

Care of Mike Owens and Dustin Kirkland, bogosec has been uploaded to Jaunty (in the NEW queue at the moment). It is a source-code analyzer framework with plugins for lintian, rats, and flawfinder. Out of curiosity, I ran it on all of Intrepid main. Highest 5 scores were:

  1. 0.717338929043293 lsscsi
  2. 0.612729234088457 nevow
  3. 0.561151781356762 powertop
  4. 0.431034482758621 language-pack-tk-base
  5. 0.431034482758621 language-pack-se-base

As Dustin reminded me, bogosec seems biased against smaller code bases. In the case of the lang packs, the score is entirely from lintian. Both lsscsi and powertop deal mostly with input from kernel strings, so while they scored highly, I doubt either is actually vulnerable to very much. I haven’t looked at nevow yet. Also, both rats and flawfinder yell about things that are mitigated by compiler flags (e.g. -D_FORTIFY_SOURCE=2) so those warnings are less interesting too.

Really, this all boils down to “we need better code analyzers”. The best tool will be one that predicts CVE counts (I would expect the Linux kernel to be at the top, since it has the all-time highest number of CVEs filed against it).

To get closer to reality, I think just doing a normal package build and scanning for stderr output would be meaningful (gcc has plenty of built-in checks already). Steve Beattie suggested writing a plugin for sparse, too.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

November 21, 2008

directing firefox url opening

Filed under: Blogging,Debian,Ubuntu,Web — kees @ 5:53 pm

A while ago, I found a way to open multiple firefox instances so I could have multiple cookie/password repositories. One issue that plagued me was that when launching URLs from other applications (e.g. liferea, gnome-terminal, etc), the URL would open in the longest running firefox, so if I opened my Browsing instance first, then my Authenticated instance, URLs would open in the Browsing instance. That’s what I wanted.

However, if I had to restart my Browsing instance (like, say, when flash was crashing), URLs would start opening in the Authenticated instance, which I didn’t want. So, I changed the Gnome preferences to run this script when launching a browser:

#!/bin/sh
firefox -p Browsing -remote 'openURL('"$@"')'

Ta-da, URLs are always directed to the “Browsing” instance, regardless of when it was started.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

make your BIOS love security

Filed under: Security,Ubuntu,Ubuntu-Server — kees @ 1:39 pm

There’s this great CPU feature called “nx” — it protects your computer from intrusion by blocking execution of memory regions that weren’t expected to be executable (i.e. stack/heap data). You really want this enabled. Unfortunately for you, it seems some BIOSes default to disabling it. On Dell laptops, look under “Security” / “CPU XD Support”: you want it enabled. In an American Megatrends BIOS, I found it under “CPU Features” / “Execute Disable Bit”: you want it enabled.

As far as making use of the CPU feature once it’s not disabled in the BIOS, you’re already using it if you’re running a 64bit kernel. And if you’re using 32bit, you can start using it if you install the -server flavor of the 32bit kernel. As a bonus, you get to address all your physical RAM if you do this too (since -server’s “PAE” mode is the kernel mode that allows “nx” to work). For Ubuntu Jaunty, I’m hoping to get some element of the system (installer? jockey?) to make the right kernel selection for a given system.

If “pae” is in your /proc/cpuinfo flags:

$ grep --color pae /proc/cpuinfo
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov \
pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc \
arch_perfmon pebs bts rep_good nopl pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm

(note the “nx” in there too, since my BIOS isn’t set to disable it)

Then you almost certainly want to use -server kernel flavor:

sudo apt-get install linux-server linux-restricted-modules-server

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

November 18, 2008

md5 lookups for 4 chars and common words

Filed under: Blogging,Debian,Security,Ubuntu,Web — kees @ 8:19 pm

Here’s a fun link. This site appears to have seeded their md5 hash list with all lower case character strings of 4 characters or fewer and many english words (probably from some large dictionaries), and they seem to be adding more as they go. This makes me want to put up an interface to the 7 character alpha-numeric-plus-many-special-chars rainbow table I’ve got. But searching the 500G table for a single hash takes… a while. I’d need to batch it up. Go-go-gadget web 2.0!

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

November 11, 2008

phrase from nearest book meme

Filed under: Blogging,Debian,General,Ubuntu — kees @ 12:42 pm

Meme from Jono:

  • Grab the nearest book.
  • Open it to page 56.
  • Find the fifth sentence.
  • Post the text of the sentence in your journal along with these instructions.
  • Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

My result:

“The term linear just means that each output bit of the mixing function is the XOR of several of the input bits.” (Practical Cryptography, Niels Ferguson and Bruce Schneier)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

November 9, 2008

“rooting” the HTC G1 Android

Filed under: Blogging,Debian,Embedded,Security,Ubuntu,Vulnerabilities — kees @ 10:27 am

People noticed that running telnetd seemed to run as root. Later it was discovered that everything you typed was being run by the root user also. So, that ends the first mystery: when you typed “telnetd” both the Terminal user and root ran it. It would fail (without error messages) for the Terminal user, and run successfully for the root user. So now, the question is, what the f is a root shell doing mirroring user input?!

So, there is a much easier way to get root that doesn’t require network connectivity. While the /sdcard mount point is nosuid,noexec, it’ll still run scripts if you explicitly direct them to run. It seems that the weird background root shell doesn’t understand the alt-keys, so it can only run stuff that can be typed without using alt, shift, etc. So, put the following in /sdcard/pwn:


mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cd /system/bin
cat sh > sh.root
chmod 4755 sh.root
mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system

You can either do this by dropping the file in place over USB mass storage, or you can type it via the Terminal using “cat“. (Rebooting here might help get the root shell in a sane state.) Finally, just navigate there without slashes and run the script:


$ cd sdcard
$ sh pwn

You’ll see lots of errors (but these are only from the Terminal user). The script is, however, run by the root shell too. You can verify the results:


$ ls -l /system/bin/sh*
-rwxr-xr-x root          shell     86936 2008-09-13 00:13 sh
-rwsr-xr-x root          root      86936 2008-11-09 10:12 sh.root

Next up: cross-compiling a little helper to elevate to real UID 0, and require a password to keep malware from looking for setuid shells.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

November 3, 2008

days since last incident…

Filed under: Blogging,Debian,Networking,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

If I made one of those work-site signs that tracked “Days since last incident”, and made one for “Days since last in-the-wild remote-root worm” for Windows and Linux, what would they each say? 0 and 7304 respectively?

Update: while the post was tongue-in-cheek (everyone suffers when any large subset of computers is being attacked), I should lower the Linux days count to 2783 (for L10n on March 23, 2001, which is slightly newer than Ramen on January 17, 2001). Thanks for everyone’s comments. :)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

October 30, 2008

how to drain your entropy and have fun with ssh fingerprint ASCII-art

Filed under: Blogging,Debian,General,Ubuntu,Ubuntu-Server — kees @ 10:48 am

SSH’s new “VisualHostKey” option (in Ubuntu Intrepid and Debian Lenny) is great fun. Normally it is disabled, but it seems that “ssh-keygen” turns it on when generating new keys. In celebration of the Ubuntu release, here is a script to entertain yourself with RSA ASCII-art, care of SSH and your system’s entropy pool:


#!/bin/sh
set -e
DIR=$(mktemp -t -d rsa-art-XXXXXX)
trap "rm -f $DIR/key*; rmdir $DIR" EXIT HUP INT QUIT TERM

while :
do
    ART=$(ssh-keygen -t rsa -f $DIR/key -N "" | tail -n 11)
    rm -f $DIR/key
    /bin/echo -e "\x1Bc"
    echo "$ART"
done

Makes me feel like I’m watching Life. (Use control-C to stop it.)
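The picture itself is a deterministic function of the key’s fingerprint, so it costs no entropy to draw; the loop above drains the pool only because it generates a fresh RSA key on every pass. As an added example (my code, not the post’s script and not OpenSSH’s source), here is the “drunken bishop” walk behind VisualHostKey, written from memory of the 5.1-era fingerprint_randomart() and assumed to match it: a 17x9 board, each fingerprint byte giving four diagonal 2-bit moves, counts saturating at ‘^’, start marked S and end marked E. It takes a 16-byte MD5 fingerprint, which is what ssh fingerprints were in 2008; the key blob it hashes in the demo is a constructed stand-in, not a real key.

```python
"""The "drunken bishop" walk behind ssh-keygen's randomart, reproduced from
memory of OpenSSH 5.1's fingerprint_randomart(). Added example, not the post's
script. Input is a fingerprint (16 MD5 bytes); output is the 11-line picture.
No key is generated, so unlike the loop in the post this costs no entropy."""
import hashlib

FIELD_X, FIELD_Y = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"   # index = visits; the last two mark Start and End


def randomart(fingerprint, title=" RSA 2048"):
    """Return the randomart lines for `fingerprint` (any bytes object)."""
    field = [[0] * FIELD_X for _ in range(FIELD_Y)]       # field[y][x]
    x, y = FIELD_X // 2, FIELD_Y // 2                      # bishop starts in the middle
    for byte in fingerprint:
        for _ in range(4):                                 # four 2-bit moves per byte
            x += 1 if byte & 1 else -1                     # bit 0: right or left
            y += 1 if byte & 2 else -1                     # bit 1: down or up
            x = min(max(x, 0), FIELD_X - 1)                # stay on the board
            y = min(max(y, 0), FIELD_Y - 1)
            if field[y][x] < len(SYMBOLS) - 3:             # counts saturate at '^'
                field[y][x] += 1
            byte >>= 2
    field[FIELD_Y // 2][FIELD_X // 2] = len(SYMBOLS) - 2   # 'S' where it started
    field[y][x] = len(SYMBOLS) - 1                         # 'E' where it ended
    lines = [("+--[" + title + "]").ljust(FIELD_X + 1, "-") + "+"]
    for row in field:
        lines.append("|" + "".join(SYMBOLS[c] for c in row) + "|")
    lines.append("+" + "-" * FIELD_X + "+")
    return lines


def key_fingerprint_md5(pubkey_blob):
    """MD5 of the wire-format public key blob, the fingerprint ssh used in 2008."""
    return hashlib.md5(pubkey_blob).digest()


if __name__ == "__main__":
    # Constructed stand-in for a public key blob; any bytes give a picture.
    blob = b"ssh-rsa constructed example key blob, not a real key"
    print("\n".join(randomart(key_fingerprint_md5(blob))))
```

Feeding it the fingerprint ssh-keygen prints for a real key (the colon-separated hex, converted to bytes) should reproduce the picture ssh shows at connect time; if it does not, the assumption that this matches the installed OpenSSH version is what to check first.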

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

October 22, 2008

using hdhomerun IR with lirc

Filed under: Debian,Multimedia,Ubuntu — kees @ 5:18 pm

Followed the instructions and got lirc configured with my HDHomeRun’s IR:


# ID=$(hdhomerun_config discover | cut -d" " -f3)
# hdhomerun_config $ID set /ir/target "10.0.0.100:5000 store"
# echo 'REMOTE_LIRCD_ARGS="-H udp -d 5000"' >> /etc/lirc/hardware.conf
# /etc/init.d/lirc restart
# /etc/init.d/gdm restart

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

October 21, 2008

Feisty Finale

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 3:59 pm

Feisty is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 34 hours, 44 minutes, and 46 seconds building 255 security updates. (And 25 hours, 40 minutes, 13 seconds doing 249 builds during the Feisty devel window.) As before, these times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc.

As a correction to the Edgy EOL post, my desktop actually spent 50:59:40 doing 322 security builds and 04:14:23 doing 84 devel builds.

Current standings:

dapper: 49:42:36
gutsy: 43:14:36
hardy: 166:11:15
intrepid: 70:24:52

As mentioned, these numbers are mixed devel/security times.

Thank you Feisty! You were much more stable than Edgy, even if we didn’t see eye-to-eye about wifi connectivity.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

October 14, 2008

RCS keyword expansion in BZR

Filed under: Blogging,Ubuntu — kees @ 6:04 pm

I’m going to need to look into keyword expansion in bzr. I use $Id:$ and $Revision:$ headers in a bunch of the files I shove out to web servers. Switching to bzr has caused me to lose that for the time-being. I probably don’t want it enabled in all my repositories, so this is really just a reminder to my future self to investigate it further.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

October 10, 2008

the goal is freedom

Filed under: Blogging,Ubuntu — kees @ 10:37 am

I’m proud of Ubuntu, but I’m always a little sad when I see news items like this.

I don’t want to see everyone who contributes to the World Resource Institute and the Conservation International Foundation to start giving entirely to the Greenpeace Fund. They’re all doing fantastic work and doing it in slightly different ways. Changing allocation between these organizations doesn’t have any real benefit.

I want to see the news of everyone moving their money out of Exxon and General Motors and putting it into the things linked above or anything like them. Then big stuff starts happening; multinationals have less to work with and environmental groups have more. That’s a win.

Organizations moving from Free Software to Free Software is a distraction. There is no net gain; there is no more freedom; there are no more users and no more chances to create new Free Software developers. It is news when an organization moves from proprietary software to Free. That’s important, and we should stay focused on that goal.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

September 13, 2008

their names are…

Filed under: Blogging,Ubuntu — kees @ 8:05 am

Continuing the meme:

  • lucien – not strictly owned by me, but the first Linux machine I had influence over. Named by my college roommate after Lucien from the Sandman comics, the librarian of The Dreaming. Seemed right for a computer.
  • locutus – this name served multiple machines in late college. It was my desktop at home, at work at Motorola, and at my HP post at UIUC. For a while, all three were simultaneously online. They all had different domain names, so it seemed sensible and a little comical. The name itself comes from my infatuation with the Borg of Star Trek fame. Locutus was the first to have an individual designation.
  • clam – given to multiple machines, but both laptops (an ancient Toshiba, and a more recent Mac). Like clamshell mobile phones, laptops look the same.
  • boofis – served as the name for a public XTerm for guests, and later as a desktop machine. This was based on a friend’s alternate word for “thingy” or “dohicky”.
  • naboo – currently the home firewall, but was my desktop when it was new. From the Star Wars planet Naboo.
  • cube – always the home multimedia server hooked to the TV, but has had three incarnations. Originally, it was a Shuttle box, which was, frankly, cube shaped. It was also influenced again by the Borg, and it was around here that I started to notice a strange and unintentional trend in my computer names: they nearly all had an “oou” sound. Since then I’ve usually managed to avoid it, but have tried to include at least 1 if not 2 “o” letters in future computer names.
  • stompy – currently the home disk server, but was my desktop when it was new. Named based on a game my wife and I play with our dogs called Stompy Stompy Bad Thing, in which we slowly approach our dog like a Sumo wrestler, and the dog goes crazy barking and running in circles.
  • ox – current laptop. Compared to the Toshiba from 1999, it’s like an ox, even if now it’s 3 years old itself.
  • gorgon – current desktop. Loosely based on the concept that the most famous gorgon has multiple heads. As this is a 4-way machine, it seemed fitting.
  • nushooz – currently my wife’s desktop; it was mine prior to gorgon, under a different name. The current name is based on the freaky “*pft* New shoes!” line from Twin Peaks.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

September 4, 2008

all PIE distro

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 2:00 pm

Major props to NCommander for taking on the painful experiment of getting the entire Ubuntu Intrepid archive rebuilt with PIE on amd64. After getting all the other hardening defaults enabled for Intrepid, PIE is the last on the original list for enabling “by default”. Due to the overhead of PIE on i386, it’s really only an option on architectures with lots of general registers.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

September 3, 2008

kvm disk image filesystem growth notes

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 12:14 pm

Here are my notes on growing a KVM disk image’s root filesystem. I had a few 4G partitions that really needed to be bigger. This shows how to get a report on the sizes of the disk images, convert them to raw, work on the partition tables, grow the root filesystem, and rebuild the swap partition with the original UUID. With some work, it could probably become fully scripted, but since the partition layout may not always be the same from VM to VM, the “fdisk” step needs human interaction to delete and rebuild the partition table. Note that the method below also maintains the sparseness of the images.

# Look for files to change
for i in /vmware/*/*{vmdk,qcow2}; do qemu-img info $i; done
...

# Pick one...
cd dir...
ORIG=64bit-Ubuntu-7.10-desktop.vmdk
SIZE=8G


ORIG_TYPE=$(echo $ORIG | awk -F. '{print $NF}')
TARGET_TYPE="qcow2"
TARGET_BASE=$(basename "$ORIG" ."$ORIG_TYPE")
TARGET_RAW="$TARGET_BASE".raw
TARGET="$TARGET_BASE"."$TARGET_TYPE"

qemu-img convert -f "$ORIG_TYPE" "$ORIG" -O raw "$TARGET_RAW"

trunc "$TARGET_RAW" "$SIZE"

sudo kpartx -a "$TARGET_RAW"
SWAP_PART=$(for i in /dev/mapper/loop0p*; do sudo vol_id $i | \
    grep -q ^ID_FS_TYPE=swap && echo $i; done | head -n 1)
UUID=$(sudo vol_id "$SWAP_PART" | grep ^ID_FS_UUID= | cut -d= -f2)
sudo kpartx -d "$TARGET_RAW"

# use losetup otherwise fdisk doesn't know cylinder count
sudo losetup /dev/loop0 "$TARGET_RAW"
# FIXME: Need to automate fdisk (detect swap partition size, etc)
# I'm deleting the swap and growing the root partition, then re-adding swap
sudo fdisk /dev/loop0
sudo losetup -d /dev/loop0

sudo kpartx -a "$TARGET_RAW"
sudo e2fsck -f /dev/mapper/loop0p1
sudo resize2fs /dev/mapper/loop0p1
sudo mkswap -U "$UUID" "$SWAP_PART"
sudo kpartx -d "$TARGET_RAW"

qemu-img convert -f raw "$TARGET_RAW" -O "$TARGET_TYPE" "$TARGET"
rm "$TARGET_RAW"
# FIXME: change disk image path
sudo vi /etc/libvirt/qemu/THING
# FIXME: have the daemon notice the file change
sudo /etc/init.d/libvirt-bin restart
if [ "$ORIG" != "$TARGET" ]; then rm "$ORIG"; fi

The “trunc” command above is based on my network backups post, but is now a general script I use:

#!/usr/bin/perl
# Copyright (C) 2006-2008 Kees Cook <kees@outflux.net>, License: GPLv3
use strict;
use warnings;

my $filename = $ARGV[0];
die "Need valid size also\n" unless ($ARGV[1] =~ /^(\d+)([KMG])$/);
my $size       = $1 + 0;
my $multiplier = $2;

$size *= 1024 if $multiplier =~ /^[KMG]$/;
$size *= 1024 if $multiplier =~ /^[MG]$/;
$size *= 1024 if $multiplier =~ /^[G]$/;

#die "Not trunc'ing existing file\n" if (-e $filename);
die "$filename: $!\n" if (!open(FILE,">>$filename"));
die "seek: $!\n" if (!(seek(FILE,$size,0)));
die "truncate: $!\n" if (!(truncate(FILE,$size)));
die "close: $!\n" if (!(close(FILE)));

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

September 1, 2008

bash trivia

Filed under: Blogging,Debian,Ubuntu — kees @ 8:42 am

I have been playing too many puzzle games lately. This trivia question just popped into my head:

What command will never appear in a .bash_history file?

Unfortunately, I seem to have disproven the answer I originally had. I wonder if there are others? My original answer was going to be “unset HISTFILE”, but I can make it show up in my .bash_history file:

unset HISTFILE
export HISTFILE=/home/kees/.bash_history

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

August 20, 2008

Ubuntu security repository structure

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 12:04 pm

Miguel Ruiz asked about Ubuntu security repositories. Here’s how things are done:

The “security.ubuntu.com” archive contains explicitly only the “$RELEASE-security” pockets. It is included in all Ubuntu sources.list files so that the package manager knows what the most recent security release of a package will be.

The central “archive.ubuntu.com” server (and all the Ubuntu mirrors) also contain the “$RELEASE-security” pockets, in addition to the rest of the archive (and will continue to have all pockets — which answers the core of Miguel’s question). While mirrors are not required to mirror the -security pocket, it certainly helps with the load on the primary Ubuntu archive servers.

The “security.ubuntu.com” entry is last in sources.list, giving the option of pulling an updated package from an earlier mentioned mirror (resulting in a faster download for the user, and less bandwidth used by the central Ubuntu archive servers). In the case that the mirror is behind, the package is available directly from “security.ubuntu.com”. In this way, mirrors cannot (accidentally or intentionally) “go rogue” — the latest security updates are always visible on the security archive server.
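As an added example (my code, not anything from Ubuntu’s tooling), here is a small check of a sources.list against the layout just described: the “$RELEASE-security” pocket present, served by security.ubuntu.com, and that entry listed last so a mirror gets the first chance to serve the download while the central server remains the authoritative fallback. The sources.list it parses is constructed for the example.

```python
"""Check a sources.list against the layout the post describes: the
$RELEASE-security pocket present, served by security.ubuntu.com, and that
entry listed last so a mirror is tried first while the central server stays
the authoritative fallback. Added example; the sample file is constructed."""

CENTRAL = "security.ubuntu.com"

# Constructed sample sources.list for intrepid (not from the post): one mirror
# that also carries -security, then the central security archive last.
SAMPLE_SOURCES = """\
deb http://us.archive.ubuntu.com/ubuntu/ intrepid main restricted universe
deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid main restricted universe
deb http://us.archive.ubuntu.com/ubuntu/ intrepid-updates main restricted universe
deb http://us.archive.ubuntu.com/ubuntu/ intrepid-security main restricted universe
# deb http://partner.example/ubuntu intrepid partner
deb http://security.ubuntu.com/ubuntu intrepid-security main restricted universe
"""


def parse_sources(text):
    """Return (url, suite, components) for each active binary 'deb' line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()        # drop comments, blank lines
        if len(parts) >= 3 and parts[0] == "deb":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries


def check_security_pocket(text, release):
    """Report whether the -security pocket is configured the way the post lays out."""
    pocket = release + "-security"
    entries = parse_sources(text)
    pocket_entries = [(i, url) for i, (url, suite, _) in enumerate(entries) if suite == pocket]
    central = [i for i, url in pocket_entries if CENTRAL in url]
    return {
        "pocket_present": bool(pocket_entries),
        "central_present": bool(central),
        # last line in the file: any mirror above it gets first chance to serve
        "central_last": bool(central) and central[-1] == len(entries) - 1,
        "mirrors_carrying_pocket": [url for _, url in pocket_entries if CENTRAL not in url],
    }


if __name__ == "__main__":
    print(check_security_pocket(SAMPLE_SOURCES, "intrepid"))
```

This only checks the file layout. apt installs the newest version it sees from any listed source, so the ordering decides which server serves the download, not whether the update is found; what the central entry guarantees is that a stale mirror cannot hide an update.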

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

August 5, 2008

dbus session access from remote

Filed under: Blogging,Networking,Ubuntu — kees @ 8:49 pm

In order to turn off the music playing on my desktop (in audacious) from my laptop in another room, I must figure out the DBUS session, and set it up before using the audacious session management control (like “--play-pause“).

$ ssh MACHINE "set -x
export DISPLAY=:0.0
PID=\$(pidof audacious)
if [ -z \"\$PID\" ]; then
    rhythmbox-client --pause
else
    export \$(xargs -0 -n1 /proc/\$PID/environ | grep ^DBUS_SESSION_BUS_ADDRESS=)
    audacious --play-pause
fi"

(Updated to shorter version, thanks Kirikaza.)

© 2008 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

August 4, 2008

(late to the) history meme

Filed under: Blogging,Ubuntu — kees @ 11:27 am

My history isn’t entirely interesting, but does seem to show the single-mindedness of my terminals:

$ history | awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}' | sort -rn | head
73 cd
68 vi
39 ls
24 bzr
18 exit
18 cat
13 u-build
13 sudo
13 am
10 echo

Random details:

  • I use a lot of terminals, and have only just recently gotten into the habit of using Ctrl-D to close them — as seen above, I use exit.
  • am is a script that takes apt-cache madison "$@" and shows only the most recent version from each release.
  • u-build is a script that prepares and performs a build in my sbuild/schroot/lvm environments.
  • echo snuck onto this list because I was verifying some x86 machine code, and kept typo-ing it as I ran “variations” of (the correct command line) echo -ne '\x33\xdb\x68\x70\x77\x6e\x0a\x8b\xcc\x8d\x43\x04\x43\x8b\xd0\xcd\x80\xeb\xfa' | ndisasm -u -
  • It seems I’m in need of the same thing helix noted from Greg KH’s terminal-tied-to-Twitter: an alias for cd "$@" && ls instead of constantly typing cd followed by ls.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

July 13, 2008

zooming in Xine

Filed under: Blogging,Multimedia,Ubuntu — kees @ 11:34 pm

I use Xine to watch DVDs. In the past I’ve encountered “full screen” (4:3) DVDs that carried a wide-screen (16:9) image. This means there were black bars on the top and bottom of the video frame. When watching this sort of video on a 16:9 monitor, you end up with a full border of black surrounding the image. I have encountered this much more frequently when recording standard definition TV that contains wide-screen video. For example, many music videos on MTV have a wide aspect, but are displayed with top/bottom bars in the 4:3 standard definition frame:

16:9 displayed in 4:3 with black top/bottom bars

Displayed on a 16:9 monitor, in Xine:

16:9 within 4:3 on a 16:9 display resulting in black border

In MythTV, there is a “zoom” function that zooms the video, matching the width of the frame to the width of the display. This ends up cropping the top and bottom black bars, allowing the zoom to fit to the width of the frame:

zoomed to 16:9, cropping unneeded 4:3 bars

I have been unable to find such a feature in either Xine or MPlayer. A weekend ago I ran into another DVD doing the wide-screen-in-4:3 trick, and wrote a patch to Xine to create a zoom post-processing filter. Now I can start Xine like this:

xine --disable-post --post zoom path/to/video

And Ctrl-Alt-Shift-P will let me enable-disable post processing. In my case, I’ll be mapping the VPProcessEnable to the same lirc button I use for zooming in MythTV.

© 2008 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

June 27, 2008

another gnome easter egg

Filed under: Blogging,Ubuntu — kees @ 4:59 pm

While I had tried the Alt-F2 “gegls from outer space” easter egg, I’d never done the “free the fish” one. It was fun, but while looking around for how to disable it (“killall gnome-panel” — there is no programmatic way to stop the fish), I found another egg that I don’t think anyone has mentioned before. It re-uses the goat from the gegls game:

  1. Right-click an open panel area
  2. Select “properties”
  3. Right-click on a notebook tab 3 times


June 22, 2008

bold fonts in libvte (gnome-terminal, terminator)

Filed under: Ubuntu — kees @ 11:22 am

A while back I complained about terminal fonts. In the end, I was shown that the real source of my pain was a 7-year-old gnome bug where vte did not attempt to use bold fonts and always used double-strike instead. For me, this was a show-stopper given my desire for using tiny bitmap fonts for my terminals. Double-strike bolding made things unreadable.

I finally had a solid chunk of time to dedicate to working on the plumbing needed for vte to support bold fonts sanely. (I’ve attached all my patches to the bug linked above.) I’m really quite happy — I can finally stop using “xterm” everywhere and fully switch to gnome-terminal and terminator for all their UTF8 goodness. Now I just need to tweak gnome-terminal’s colors — things seem slightly washed out.

For anyone else interested in using bitmap fonts in gnome-terminal, here is the final recipe (since digging through all the comments in the original blog post doesn’t make it entirely obvious):

$ mkdir -p ~/.fonts
$ cp /usr/share/fonts/X11/misc/7x14{,B}.pcf.gz ~/.fonts
$ cat > ~/.fonts.conf <<EOM
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>

  <!-- /usr/share/fonts/X11/misc/7x14{,B}.pcf.gz copied to ~/.fonts/ -->
  <selectfont>
    <acceptfont>
      <pattern>
        <patelt name="family"><string>fixed</string></patelt>
        <patelt name="pixelsize"><int>14</int></patelt>
      </pattern>
    </acceptfont>
  </selectfont>

</fontconfig>
EOM

At this point, you can verify that fontconfig sees your bitmap fonts:

$ fc-list | grep Fixed
Fixed:style=Bold
Fixed:style=Regular

Now just close all your gnome-terminals to get vte to reload the new fonts, and configure it to use the newly available font:

$ gconftool-2 -s /apps/gnome-terminal/profiles/Default/font -t string "Fixed 14"
$ gconftool-2 -s /apps/gnome-terminal/profiles/Default/use_system_font -t bool false

Ta-da!


June 18, 2008

Linux Plumbers Conference 2008

Filed under: Blogging,kernel.org,Ubuntu — kees @ 10:17 am

The Call for Speakers (and registration) for the Linux Plumbers Conference is open! Get those proposals in, register, and come join us in sunny Portland, OR.

The Linux Plumbers Conference was created to bring together the key developers involved in Linux plumbing – the “Linux plumbers” – and give them an opportunity to discuss problems face-to-face, both within subsystems and across subsystems. Participants include invited attendees, speakers selected through an open, competitive review process, and students. Registration is open to the general public as well.

The goal of the Plumbers Conference is to solve problems. The conference is arranged as a series of microconferences, each on a topic that is narrow enough to identify specific problem areas and brainstorm workable solutions. Each microconference is led by an expert in the field and organized to encourage discussion and problem solving.


June 12, 2008

zombie meme

Filed under: Blogging,Ubuntu — kees @ 10:45 pm

Tollef posted a fun (and short) Zombie meme:

You are in a mall when zombies attack. You have:

  1. One weapon
  2. One song blasting on the speakers
  3. One famous person to fight alongside you.

I can’t resist.

  1. BFG9000: ranged weapon that vaporizes multiple zombies at once. I should be out of the mall before I’m out of ammo.
  2. “Good Vibrations” by the Beach Boys: upbeat and a little silly.
  3. Jet Li: he could totally handle the zombies within slicing/kicking/clubbing range.


April 25, 2008

Farewell Edgy

Filed under: Blogging,Security,Ubuntu — kees @ 6:39 pm

Edgy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 55 hours, 14 minutes, and 3 seconds on 406 builds related to edgy-security updates I was involved in publishing. These times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc. Comparing to my prior post on this topic, here are the standings for other releases:

dapper: 44:48:24
feisty: 58:49:04
gutsy: 37:06:08
hardy: 86:25:58

Hmm… I think my hardy numbers include devel build times… I’ll have to sort that out. :)

Thank you Edgy! I will remember you for your wonderful default -fstack-protector.
