codeblog code is freedom — patching my itch

October 10, 2008

the goal is freedom

Filed under: Blogging,Ubuntu — kees @ 10:37 am

I’m proud of Ubuntu, but I’m always a little sad when I see news items like this.

I don’t want to see everyone who contributes to the World Resource Institute and the Conservation International Foundation to start giving entirely to the Greenpeace Fund. They’re all doing fantastic work and doing it in slightly different ways. Changing allocation between these organizations doesn’t have any real benefit.

I want to see the news of everyone moving their money out of Exxon and General Motors and putting it into the things linked above or anything like them. Then big stuff starts happening; multinationals have less to work with and environmental groups have more. That’s a win.

Organizations moving from Free Software to Free Software is a distraction. There is no net gain; there is no more freedom; there are no more users and no more chances to create new Free Software developers. It is news when an organization moves from proprietary software to Free. That’s important, and we should stay focused on that goal.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

September 13, 2008

their names are…

Filed under: Blogging,Ubuntu — kees @ 8:05 am

Continuing the meme:

  • lucien – not strictly owned by me, but the first Linux machine I had influence over. Named by my college roommate after Lucien from the Sandman comics, the librarian of The Dreaming. Seemed right for a computer.
  • locutus – this name served multiple machines in late college. It was my desktop at home, at work at Motorola, and at my HP post at UIUC. For a while, all three were simultaneously online. They all had different domain names, so it seemed sensible and a little comical. The name itself comes from my infatuation with the Borg of Star Trek fame. Locutus was the first to have an individual designation.
  • clam – given to multiple machines, both of them laptops (an ancient Toshiba, and a more recent Mac). Like clamshell mobile phones, laptops look the same.
  • boofis – served as the name for a public XTerm for guests, and later as a desktop machine. This was based on a friend’s alternate word for “thingy” or “dohicky”.
  • naboo – currently the home firewall, but was my desktop when it was new. From the Star Wars planet Naboo.
  • cube – always the home multimedia server hooked to the TV, but has had three incarnations. Originally, it was a Shuttle box, which was, frankly, cube shaped. It was also influenced again by the Borg, and it was around here that I started to notice a strange and unintentional trend in my computer names: they nearly all had an “oou” sound. Since then I’ve usually managed to avoid it, but have tried to include at least 1 if not 2 “o” letters in future computer names.
  • stompy – currently the home disk server, but was my desktop when it was new. Named based on a game my wife and I play with our dogs called Stompy Stompy Bad Thing, in which we slowly approach our dog like a Sumo wrestler, and the dog goes crazy barking and running in circles.
  • ox – current laptop. Compared to the Toshiba from 1999, it’s like an ox, even if now it’s 3 years old itself.
  • gorgon – current desktop. Loosely based on the concept that the most famous gorgon has multiple heads. As this is a 4-way machine, it seemed fitting.
  • nushooz – currently my wife’s desktop, but was mine prior to gorgon, but named differently. Current name is based on the freaky “*pft* New shoes!” line from Twin Peaks.


September 4, 2008

all PIE distro

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 2:00 pm

Major props to NCommander for taking on the painful experiment of getting the entire Ubuntu Intrepid archive rebuilt with PIE on amd64. After getting all the other hardening defaults enabled for Intrepid, PIE is the last on the original list for enabling “by default”. PIE code addresses everything relative to a GOT pointer, which on i386 ties up one of only eight general registers and adds measurable overhead, so it’s really only an option on architectures with lots of general registers, like amd64.
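A quick way to audit what an “all PIE” rebuild actually produced, added here as an example and not part of the original post: PIE executables are ELF type ET_DYN, while traditional fixed-address binaries are ET_EXEC, and that 16-bit field can be read straight out of the header without binutils. Only POSIX sh, od and tr are assumed; the ELF headers in the test are constructed by hand.

```shell
#!/bin/sh
# Added example (not from the original post): tell PIE (ET_DYN) from a
# fixed-address executable (ET_EXEC) by reading e_type out of the ELF
# header. Uses only POSIX sh, od and tr, so it works on a minimal chroot.

# elf_type FILE: print REL, EXEC, DYN, CORE or OTHER; fail if FILE is not ELF.
# e_type is the 16-bit field at offset 16, stored in the byte order given by
# EI_DATA at offset 5 (1 = little endian, 2 = big endian).
elf_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "elf_type: $f: not an ELF file" >&2
        return 1
    fi
    data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
    # Positional parameters now hold the two e_type bytes in file order.
    set -- $(od -An -tx1 -j16 -N2 "$f")
    if [ "$data" = "01" ]; then lo=$1; hi=$2; else lo=$2; hi=$1; fi
    case "$hi$lo" in
        0001) echo REL ;;
        0002) echo EXEC ;;
        0003) echo DYN ;;
        0004) echo CORE ;;
        *)    echo OTHER ;;
    esac
}

# is_pie FILE: succeed when FILE is ET_DYN. Run it on executables only:
# shared libraries are ET_DYN too and are not "PIE" in the hardening sense.
is_pie() {
    [ "$(elf_type "$1")" = DYN ]
}

# non_pie DIR: list regular files directly under DIR that are ELF but not
# ET_DYN, i.e. the binaries an all-PIE archive should no longer contain.
# Non-ELF files (scripts, data) are silently skipped.
non_pie() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        t=$(elf_type "$f" 2>/dev/null) || continue
        [ "$t" = DYN ] || printf '%s\n' "$f"
    done
}
```

On a real system `non_pie /usr/bin` gives the list of remaining ET_EXEC binaries; `readelf -h` or `file` reports the same field when binutils is installed.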


September 3, 2008

kvm disk image filesystem growth notes

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 12:14 pm

Here are my notes on growing a KVM disk image’s root filesystem. I had a few 4G partitions that really needed to be bigger. This shows how to get a report on the sizes of the disk images, convert them to raw, work on the partition tables, grow the root filesystem, and rebuild the swap partition with the original UUID. With some work, it could probably become fully scripted, but since the partition layout may not always be the same from VM to VM, the “fdisk” step needs human interaction to delete and rebuild the partition table. Note that the method below also maintains the sparseness of the images.

# Look for files to change
for i in /vmware/*/*{vmdk,qcow2}; do qemu-img info $i; done
...

# Pick one...
cd dir...
ORIG=64bit-Ubuntu-7.10-desktop.vmdk
SIZE=8G


ORIG_TYPE=$(echo $ORIG | awk -F. '{print $NF}')
TARGET_TYPE="qcow2"
TARGET_BASE=$(basename "$ORIG" ."$ORIG_TYPE")
TARGET_RAW="$TARGET_BASE".raw
TARGET="$TARGET_BASE"."$TARGET_TYPE"

qemu-img convert -f "$ORIG_TYPE" "$ORIG" -O raw "$TARGET_RAW"

trunc "$TARGET_RAW" "$SIZE"

sudo kpartx -a "$TARGET_RAW"
SWAP_PART=$(for i in /dev/mapper/loop0p*; do sudo vol_id $i | \
    grep -q ^ID_FS_TYPE=swap && echo $i; done | head -n 1)
UUID=$(sudo vol_id "$SWAP_PART" | grep ^ID_FS_UUID= | cut -d= -f2)
sudo kpartx -d "$TARGET_RAW"

# use losetup otherwise fdisk doesn't know cylinder count
sudo losetup /dev/loop0 "$TARGET_RAW"
# FIXME: Need to automate fdisk (detect swap partition size, etc)
# I'm deleting the swap and growing the root partition, then re-adding swap
sudo fdisk /dev/loop0
sudo losetup -d /dev/loop0

sudo kpartx -a "$TARGET_RAW"
sudo e2fsck -f /dev/mapper/loop0p1
sudo resize2fs /dev/mapper/loop0p1
sudo mkswap -U "$UUID" "$SWAP_PART"
sudo kpartx -d "$TARGET_RAW"

qemu-img convert -f raw "$TARGET_RAW" -O "$TARGET_TYPE" "$TARGET"
rm "$TARGET_RAW"
# FIXME: change disk image path
sudo vi /etc/libvirt/qemu/THING
# FIXME: have the daemon notice the file change
sudo /etc/init.d/libvirt-bin restart
if [ "$ORIG" != "$TARGET" ]; then rm "$ORIG"; fi

The “trunc” command above is based on my network backups post, but is now a general script I use:

#!/usr/bin/perl
# Copyright (C) 2006-2008 Kees Cook <kees@outflux.net>, License: GPLv3
# Usage: trunc FILE SIZE   (SIZE is a number with a K, M or G suffix)
# Sets FILE to SIZE bytes. Growing is done with seek() plus truncate(), so
# no data blocks are written and the file stays sparse.
use strict;
use warnings;

my $filename = $ARGV[0];
die "Need filename and size\n" unless (defined $filename && defined $ARGV[1]);
die "Need valid size also\n" unless ($ARGV[1] =~ /^(\d+)([KMG])$/);
my $size       = $1 + 0;
my $multiplier = $2;

$size *= 1024 if $multiplier =~ /^[KMG]$/;
$size *= 1024 if $multiplier =~ /^[MG]$/;
$size *= 1024 if $multiplier =~ /^[G]$/;

# Note: truncate() also shrinks a file that is already larger than $size,
# which would cut the tail off a disk image; compare against -s $filename
# first if that is not what you want.
#die "Not trunc'ing existing file\n" if (-e $filename);
die "$filename: $!\n" if (!open(FILE,">>$filename"));
die "seek: $!\n" if (!(seek(FILE,$size,0)));
die "truncate: $!\n" if (!(truncate(FILE,$size)));
die "close: $!\n" if (!(close(FILE)));
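The same growth step in plain shell, added as an example and not part of the original post or the author’s scripts: it reproduces what trunc does for the raw image (a sparse extension that leaves the existing sectors alone) but refuses to shrink, since a mis-remembered size fed to truncate() would silently cut the end off the image. It assumes only POSIX sh, wc and a dd that sets the output length to the seek point (GNU coreutils and busybox both do); the file and sizes are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the original post): a shell equivalent of the
# "trunc" helper that grows a raw image sparsely and refuses to shrink it.
# Only POSIX sh, dd and wc are used.

# size_to_bytes SIZE: accept the same K/M/G suffixes as trunc, print bytes.
size_to_bytes() {
    num=${1%[KMG]}
    case "$num" in
        ''|*[!0-9]*) echo "size_to_bytes: bad size '$1'" >&2; return 1 ;;
    esac
    case "$1" in
        *K) echo $(( num * 1024 )) ;;
        *M) echo $(( num * 1024 * 1024 )) ;;
        *G) echo $(( num * 1024 * 1024 * 1024 )) ;;
        *)  echo "$num" ;;
    esac
}

# grow_sparse FILE SIZE: extend FILE to SIZE bytes without writing any data.
# dd with an empty input and seek= positions past the current end and then
# sets the file length to the seek point, so the new region is a hole and
# du shows no extra allocation. Existing contents are untouched. Unlike
# trunc, a file that is already larger than SIZE is left alone and the
# function fails, so an image can never lose its tail here.
grow_sparse() {
    file=$1
    want=$(size_to_bytes "$2") || return 1
    have=$(wc -c < "$file") || return 1
    if [ "$have" -gt "$want" ]; then
        echo "grow_sparse: $file is $have bytes, larger than $want; refusing to shrink" >&2
        return 1
    fi
    dd if=/dev/null of="$file" bs=1 seek="$want" 2>/dev/null
}
```

Drop-in use in the procedure above would be `grow_sparse "$TARGET_RAW" "$SIZE"` in place of the trunc call; `du -h` before and after confirms the image stayed sparse.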


September 1, 2008

bash trivia

Filed under: Blogging,Debian,Ubuntu — kees @ 8:42 am

I have been playing too many puzzle games lately. This trivia question just popped into my head:

What command will never appear in a .bash_history file?

Unfortunately, I seem to have disproven the answer I originally had. I wonder if there are others? My original answer was going to be “unset HISTFILE”, but I can make it show up in my .bash_history file:

unset HISTFILE
export HISTFILE=/home/kees/.bash_history


August 20, 2008

Ubuntu security repository structure

Filed under: Blogging,Security,Ubuntu,Ubuntu-Server — kees @ 12:04 pm

Miguel Ruiz asked about Ubuntu security repositories. Here’s how things are done:

The “security.ubuntu.com” archive contains explicitly only the “$RELEASE-security” pockets. It is included in all Ubuntu sources.list files so that the package manager knows what the most recent security release of a package will be.

The central “archive.ubuntu.com” server (and all the Ubuntu mirrors) also contain the “$RELEASE-security” pockets, in addition to the rest of the archive (and will continue to have all pockets — which answers the core of Miguel’s question). While mirrors are not required to mirror the -security pocket, it certainly helps with the load on the primary Ubuntu archive servers.

The “security.ubuntu.com” entry is last in sources.list: when two sources carry the same version of a package, apt fetches it from the one listed first, so an up-to-date mirror mentioned earlier serves the update (resulting in a faster download for the user, and less bandwidth used by the central Ubuntu archive servers). In the case that the mirror is behind, the newer version is only visible from “security.ubuntu.com”, and apt pulls it directly from there. In this way, mirrors cannot (accidentally or intentionally) “go rogue” by withholding updates: the latest security updates are always visible on the security archive server.
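The layout described above as a concrete sources.list, added here as an example rather than taken from the post; the mirror hostname is an assumption standing in for whichever mirror is nearest, and the release name follows the Hardy examples elsewhere on this page.

```text
# Added example, not from the original post. Release: hardy.
# "us.archive.ubuntu.com" stands in for your closest mirror.

# Weak: a lone mirror carrying every pocket. If it lags, this host sees no
# new hardy-security packages until the mirror catches up.
deb http://us.archive.ubuntu.com/ubuntu/ hardy main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-security main restricted universe multiverse

# Corrected: the same mirror first (fast, cheap), and the central security
# pocket last as the safety net. apt takes the earlier source while both
# offer the same version, and the later one as soon as it is newer.
deb http://us.archive.ubuntu.com/ubuntu/ hardy main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-updates main restricted universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ hardy-security main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ hardy-security main restricted universe multiverse
```

`apt-cache policy PACKAGE` shows which of the listed sources the candidate version will come from, which is the quickest way to confirm a mirror is not lagging.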


August 5, 2008

dbus session access from remote

Filed under: Blogging,Networking,Ubuntu — kees @ 8:49 pm

In order to turn off the music playing on my desktop (in audacious) from my laptop in another room, the remote command needs two things an ssh login doesn’t have: the X display, and the DBUS_SESSION_BUS_ADDRESS of the session bus audacious is talking to. The latter can be read out of the running audacious process’s environment (only as the same user, or with ptrace access to that process), and must be exported before using the audacious session management control (like “--play-pause“).

$ ssh MACHINE "set -x
export DISPLAY=:0.0
PID=\$(pidof audacious)
if [ -z \"\$PID\" ]; then
    rhythmbox-client --pause
else
    export \$(xargs -0 -n1 < /proc/\$PID/environ | grep ^DBUS_SESSION_BUS_ADDRESS=)
    audacious --play-pause
fi"

(Updated to shorter version, thanks Kirikaza.)
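The environment extraction as a reusable function, added as an example and not part of the original post: it pulls one variable out of a NUL-separated /proc/PID/environ image without the word splitting that `export $(...)` performs, so a value containing spaces or quotes survives intact. Only POSIX sh, tr, sed and head are assumed; the environ file used in the test is constructed, and the audacious usage is sketched in a comment.

```shell
#!/bin/sh
# Added example (not from the original post): read a single variable out of
# a NUL-separated /proc/PID/environ file. Only POSIX sh, tr, sed and head.

# proc_env VAR ENVFILE: print the value of VAR from ENVFILE, or fail if VAR
# is absent or empty. ENVFILE is normally /proc/PID/environ.
proc_env() {
    var=$1
    file=$2
    # Entries are NUL-terminated; turn them into lines, keep the first
    # "VAR=" line and strip the prefix. Values may contain spaces or quotes,
    # which is why this is safer than 'export $(grep ...)' word splitting.
    val=$(tr '\0' '\n' < "$file" | sed -n "s/^$var=//p" | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# dbus_session_of PID: the DBUS_SESSION_BUS_ADDRESS of a running process.
# /proc/PID/environ is readable only by the same user or with ptrace access
# to PID (root included), so run this as the user who owns the desktop.
dbus_session_of() {
    proc_env DBUS_SESSION_BUS_ADDRESS "/proc/$1/environ"
}

# Usage over ssh, replacing the 'export $(xargs ...)' line in the post:
#   DBUS_SESSION_BUS_ADDRESS=$(dbus_session_of "$(pidof audacious)") &&
#       export DBUS_SESSION_BUS_ADDRESS && audacious --play-pause
```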

© 2008 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

August 4, 2008

(late to the) history meme

Filed under: Blogging,Ubuntu — kees @ 11:27 am

My history isn’t entirely interesting, but does seem to show the single-mindedness of my terminals:

$ history | awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}' | sort -rn | head
73 cd
68 vi
39 ls
24 bzr
18 exit
18 cat
13 u-build
13 sudo
13 am
10 echo

Random details:

  • I use a lot of terminals, and have only just recently gotten into the habit of using Ctrl-D to close them — as seen above, I use exit.
  • am is a script that takes apt-cache madison "$@" and shows only the most recent version from each release.
  • u-build is a script that prepares and performs a build in my sbuild/schroot/lvm environments.
  • echo snuck onto this list because I was verifying some x86 machine code, and kept typo-ing it as I ran “variations” of (the correct command line) echo -ne '\x33\xdb\x68\x70\x77\x6e\x0a\x8b\xcc\x8d\x43\x04\x43\x8b\xd0\xcd\x80\xeb\xfa' | ndisasm -u -
  • It seems I’m in need of the same thing helix noted from Greg KH’s terminal-tied-to-Twitter: an alias for cd "$@" && ls instead of constantly typing cd followed by ls.


July 13, 2008

zooming in Xine

Filed under: Blogging,Multimedia,Ubuntu — kees @ 11:34 pm

I use Xine to watch DVDs. In the past I’ve encountered “full screen” (4:3) DVDs that carried a wide-screen (16:9) image. This means there were black bars on the top and bottom of the video frame. When watching this sort of video on a 16:9 monitor, you end up with a full border of black surrounding the image. I have encountered this much more frequently when recording standard definition TV that contains wide-screen video. For example, many music videos on MTV have a wide aspect, but are displayed with top/bottom bars in the 4:3 standard definition frame:

16:9 displayed in 4:3 with black top/bottom bars

Displayed on a 16:9 monitor, in Xine:

16:9 within 4:3 on a 16:9 display resulting in black border

In MythTV, there is a “zoom” function that zooms the video, matching the width of the frame to the width of the display. This ends up cropping the top and bottom black bars, allowing the zoom to fit to the width of the frame:

zoomed to 16:9, cropping unneeded 4:3 bars

I have been unable to find such a feature in either Xine or MPlayer. A weekend ago I ran into another DVD doing the wide-screen-in-4:3 trick, and wrote a patch to Xine to create a zoom post-processing filter. Now I can start Xine like this:

xine --disable-post --post zoom path/to/video

And Ctrl-Alt-Shift-P will let me enable-disable post processing. In my case, I’ll be mapping the VPProcessEnable to the same lirc button I use for zooming in MythTV.

© 2008 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

June 27, 2008

another gnome easter egg

Filed under: Blogging,Ubuntu — kees @ 4:59 pm

While I had tried the Alt-F2 “gegls from outer space” easter egg, I’d never done the “free the fish” one. It was fun, but while looking around for how to disable it (“killall gnome-panel” — there is no programmatic way to stop the fish), I found another egg that I don’t think anyone has mentioned before. It re-uses the goat from the gegls game:

  1. Right-click an open panel area
  2. Select “properties”
  3. Right-click on a notebook tab 3 times


June 22, 2008

bold fonts in libvte (gnome-terminal, terminator)

Filed under: Ubuntu — kees @ 11:22 am

A while back I complained about terminal fonts. In the end, I was shown that the real source of my pain was a 7-year-old gnome bug where vte did not attempt to use bold fonts and always used double-strike instead. For me, this was a show-stopper given my desire for using tiny bitmap fonts for my terminals. Double-strike bolding made things unreadable.

I finally had a solid chunk of time to dedicate to working on the plumbing needed for vte to support bold fonts sanely. (I’ve attached all my patches to the bug linked above.) I’m really quite happy — I can finally stop using “xterm” everywhere and fully switch to gnome-terminal and terminator for all their UTF8 goodness. Now I just need to tweak gnome-terminal’s colors — things seem slightly washed out.

For anyone else interested in using bitmap fonts in gnome-terminal, here is the final recipe (since digging through all the comments in the original blog post doesn’t make it entirely obvious):

$ mkdir -p ~/.fonts
$ cp /usr/share/fonts/X11/misc/7x14{,B}.pcf.gz ~/.fonts
$ cat > ~/.fonts.conf <<EOM
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>

  <!-- /usr/share/fonts/X11/misc/7x14{,B}.pcf.gz copied to ~/.fonts/ -->
  <selectfont>
    <acceptfont>
      <pattern>
        <patelt name="family"><string>fixed</string></patelt>
        <patelt name="pixelsize"><int>14</int></patelt>
      </pattern>
    </acceptfont>
  </selectfont>

</fontconfig>
EOM

At this point, you can verify that fontconfig sees your bitmap fonts:

$ fc-list | grep Fixed
Fixed:style=Bold
Fixed:style=Regular

Now just close all your gnome-terminals to get vte to reload the new fonts, and configure it to use the newly available font:

$ gconftool-2 -s /apps/gnome-terminal/profiles/Default/font -t string "Fixed 14"
$ gconftool-2 -s /apps/gnome-terminal/profiles/Default/use_system_font -t bool false

Ta-da!


June 18, 2008

Linux Plumbers Conference 2008

Filed under: Blogging,kernel.org,Ubuntu — kees @ 10:17 am

The Call for Speakers (and registration) for the Linux Plumbers Conference is open! Get those proposals in, register, and come join us in sunny Portland, OR.

The Linux Plumbers Conference was created to bring together the key developers involved in Linux plumbing – the “Linux plumbers” – and give them an opportunity to discuss problems face-to-face, both within subsystems and across subsystems. Participants include invited attendees, speakers selected through an open, competitive review process, and students. Registration is open to the general public as well.

The goal of the Plumbers Conference is to solve problems. The conference is arranged as a series of microconferences, each on a topic that is narrow enough to identify specific problem areas and brainstorm workable solutions. Each microconference is led by an expert in the field and organized to encourage discussion and problem solving.


June 12, 2008

zombie meme

Filed under: Blogging,Ubuntu — kees @ 10:45 pm

Tollef posted a fun (and short) Zombie meme:

You are in a mall when zombies attack. You have:

  1. One weapon
  2. One song blasting on the speakers
  3. One famous person to fight alongside you.

I can’t resist.

  1. BFG9000: ranged weapon that vaporizes multiple zombies at once. I should be out of the mall before I’m out of ammo.
  2. “Good Vibrations” by the Beach Boys: upbeat and a little silly.
  3. Jet Li: he could totally handle the zombies within slicing/kicking/clubbing range.


April 25, 2008

Farewell Edgy

Filed under: Blogging,Security,Ubuntu — kees @ 6:39 pm

Edgy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 55 hours, 14 minutes, and 3 seconds on 406 builds related to edgy-security updates I was involved in publishing. These times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the porting machines, etc. Comparing to my prior post on this topic, here are the standings for other releases:

dapper: 44:48:24
feisty: 58:49:04
gutsy: 37:06:08
hardy: 86:25:58

Hmm… I think my hardy numbers include devel builds times… I’ll have to sort that out. :)

Thank you Edgy! I will remember you for your wonderful default -fstack-protector.


April 5, 2008

getting Xv on the projector

Filed under: Ubuntu — kees @ 4:22 pm

Today I spent the afternoon testing various video drivers and hardware with Bryce. My “workflow” for watching a movie from my laptop on a projector in Hardy is much simpler now. :) For ATI, everything Just Works, with one small exception: Xv. By default (at least with the open ATI driver), the Xv port displays to the LCD on the laptop instead of out an attached VGA port. This is controlled by the “XV_CRTC” Xv attribute, which is settable with the “xvattr” utility.

To watch a movie:

  • Plug in projector
  • Open System/Preferences/Screen Resolution
  • Pick nice big resolution for the attached projector
  • Run “xvattr -a XV_CRTC -v 1” (“-v 0” will push Xv back to the LCD)
  • Eat popcorn



March 16, 2008

SELinux in Hardy

Filed under: Security,Ubuntu — kees @ 1:32 pm

Hardy has seen a major overhaul in the SELinux department. Prior to the Hardy UDS, the folks at Tresys had contacted me, asking “why doesn’t SELinux work with Ubuntu?” and I basically said, “because no one has given it any attention, yet — feel free to help out.” And so they did! :)

As a result, if AppArmor isn’t the MAC system you want, you can now install a functional SELinux system on Ubuntu with just a simple “sudo apt-get install selinux”.


March 9, 2008

using select on a fifo

Filed under: Ubuntu — kees @ 5:00 pm

The right way to handle on-going input from file descriptors is to use select(). All readable events are flagged (one such event is “end of file”, which is indicated by a 0-sized read()). For example, if we’re reading from file descriptor fd:

#include <stdio.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

  fd_set rfds;
  struct timeval tv;
  int rc;

  FD_ZERO(&rfds);
  FD_SET(fd, &rfds);

  tv.tv_sec = 1;   /* wait at most one second per select() call */
  tv.tv_usec = 0;

  rc = select(fd + 1, &rfds, NULL, NULL, &tv);
  if (rc < 0) {
    perror("select");   /* EINTR is common here; a real loop would retry */
    return 1;
  }
  if (rc > 0) {
    char buf[80];
    ssize_t got = read(fd, buf, sizeof(buf));
    if (got < 0) {
      perror("read");
      return 1;
    }
    else if (got == 0) {
      printf("EOF\n");   /* 0-byte read: no writers left (socket: peer hung up) */
      return 1;
    }
    else {
      printf("read bytes: %zd\n", got);
    }
  }
  /* rc == 0: timed out with nothing ready; go around and select() again */

When dealing with sockets, the above logic is sane: EOF means the other end hung up and you will never get more data from the file descriptor. In the case of a FIFO, however, a 0-length read() only means there are no writers right now; more could attach later and continue feeding in data! The problem is that select() counts end-of-file as “readable”: only the initial select() call blocks until there is something to read, and once the last writer closes, every later select() returns immediately and every read() returns 0, so a reader that keeps going spins in a busy loop, defeating the purpose of select().

One solution is to re-open the FIFO, but you might miss writers between your 0-length read() and the next open().

The seemingly correct solution is rather simple: the FIFO reader should open the FIFO as a writer also. Because the reader itself then holds a write end, the kernel never sees the writer count drop to zero, so there is never an EOF condition, select() blocks until real data arrives, and the reader never misses any writers. So, instead of O_RDONLY, use:

fd = open(FIFO_PATHNAME, O_RDWR | O_NONBLOCK);

Two caveats: opening a FIFO O_RDWR is Linux behaviour that POSIX leaves undefined, and since EOF can now never happen the reader has no way to notice that all real writers are gone, so any shutdown signal has to be sent in-band.


March 8, 2008

instaELF via GNU as

Filed under: Ubuntu — kees @ 2:47 pm

Today I needed to generate a fake ELF file with specific section contents (I was testing “modinfo”, which expects to read the “.modinfo” ELF section). For future reference, here’s how to create an empty .ko file that claims to have a GPL license:

$ cat <<EOM | as - -o /tmp/fake.ko
> .section .modinfo
> .string "license=GPL"
> EOM
$ modinfo /tmp/fake.ko
filename:       /tmp/fake.ko
license:        GPL


March 5, 2008

swapping encryption, hurting your head

Filed under: Security,Ubuntu — kees @ 11:18 am

Last week Soren helped me move my manually cryptsetup’d swap partition into the initramfs logic so that I could hibernate. Bottom line was:

  1. Create /etc/initramfs-tools/conf.d/cryptroot for your partition, based on the logic and defaults in /usr/share/initramfs-tools/scripts/local-top/cryptroot.
  2. Convert the existing encrypted swap to the new configuration.
  3. Update initrd, reboot, enjoy.

Assuming your swap partition (in encrypted form) is stored at /dev/laptopvg/swaprawlv, and you want your accessible swap partition as /dev/mapper/swap, here are the above steps in detail:

Doing step 1 is simple, we’re assuming the defaults from the cryptroot script above:

    echo source=/dev/laptopvg/swaprawlv target=swap > /etc/initramfs-tools/conf.d/cryptroot
    

Step 2 hurt my head. Make sure swap is turned off (swapoff) before attempting this, or you can destroy the partition contents. The cipher, hash and key size must be exactly the ones the cryptroot script will use, or the initramfs will open garbage; the parameters come from the cryptroot script again:

    swapoff /dev/mapper/swap
    vol_id /dev/mapper/swap
    cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 create swap2 /dev/laptopvg/swaprawlv
    dd if=/dev/mapper/swap of=/dev/mapper/swap2 bs=4k
    cryptsetup remove swap
    vol_id /dev/mapper/swap2
    

Step 3 is simple again:

    update-initramfs -u
    shutdown -r now
    

Ta-da!


February 23, 2008

Ubuntu Server administration

Filed under: Blogging,Ubuntu — kees @ 6:24 pm

Apress was kind enough to send me a copy of their new book “Beginning Ubuntu Server Administration: From Novice to Professional” by Sander van Vugt. Overall, I was very impressed with this book — it was well written, filled with applicable examples, covered a wide range of topics, and provided background for people new to Ubuntu or Linux in general. The book was written to Ubuntu 7.04, so there are a few places where 8.04 will make for an improved experience without having been changed too drastically. All through the book I was pleased to see various slightly advanced topics covered well enough to get a reader started down the right path without getting them lost in the details. I think this was especially true in the command line and scripting sections which were great for someone unfamiliar with what can be a daunting experience.

In disk management, a lot of time was spent discussing LVM, which I’m very fond of myself. (Even LVM snapshots were covered!) I have a hard time imagining running any computer without LVM, so it was great to see it get a solid chunk of attention. The only thing I felt was missing from disk management was a discussion of RAID (md). For server environments, I think this is a critical topic. Providing redundancy against drive failure is, I think, even more important than demonstrating how to easily manage partition layouts with LVM.

In filesystem management, basic ACLs were covered as well as quota management. I think quota management is an often neglected part of administration, so I was glad to see this covered. In network management, basic iptables were outlined with good examples. (Hardy’s “ufw” will help make this section even simpler in future revisions of the book.) IPv6 was touched on, though I would have liked to see slightly more details.

Under service management I enjoyed the introduction to PKI, which is critical to understanding the basics of SSH and other services using SSL. The examples for DNS, DHCP, NFS, and Samba were all very well done. I think they make handy references for how to get a network or file-sharing server up and running in short order.

As another Hardy feature to call out, the addition of “virt-manager” will make the Virtualization section on KVM much nicer to deal with.

I took some notes for ideas and corrections that may be a benefit to other readers of this book:

  • I personally like suffixing VG and LV names with “vg” and “lv” just to be able to quickly distinguish them when looking at device names.
  • Administrators watching long-running “tail -f” output would benefit from using “tail -F” for when log files are rotated.
  • In the section on “Finding Files” I was expecting to see mention of “locate”.
  • When viewing compressed files: “zless” instead of “zcat FILE.gz | less”.
  • When discussing Job Control, I would have liked to see a mention of “screen” for managing long-running processes (kernel compiles, “top”, etc). Not enough people know about “screen”. :)
  • While the book was written to Feisty, it would be nice to have a short section in future versions on how to generate and use AppArmor profiles for the various running network services.
  • Instead of the manual symlink management for Apache modules and sites, administrators can use the “a2{dis,en}{site,mod}” tools.
  • Typos I saw: trailing “sudo” in mysql db creation example, “_netdec” should be “_netdev” in NFS fstab example.

As I mentioned at the start — I think this is a great book for someone either new to Ubuntu server management or looking for simple service configuration references in a single place. Thanks again to Apress for sending me a copy; I tried not to be too biased. :)


February 20, 2008

OSS Security – OSU CS419 2008

Filed under: Security,Ubuntu — kees @ 5:36 pm

Today I gave my presentation on Open Source Security to the Open Source class at Oregon State University. Along with the presentation is a collection of examples of bad (and good) programs ranging from XSS, CSRF, temp races, system() and SSL misuse, stack and heap memory corruption, format strings, and all sorts of other things I could think of. I gave this presentation in 2007 and was again honored to be asked back in 2008. I think more schools need to be teaching dedicated Open Source classes, and I’m pleased to help out. I’m hoping people will take away a few good ideas that will contribute to them producing safe code.


February 16, 2008

firefox trick and recovery help

Filed under: Ubuntu,Web — kees @ 10:05 am

To provide myself with slightly more safety through separation, I run two firefox profiles simultaneously. One is the “general” browser for day-to-day viewing of random (and unauthenticated) sites, and the other is the “authenticated” browser, which contains the cookies for known sites I authenticate against. The trick for this is having a launcher that runs firefox without attempting to request a new window from the currently running profile:

bash -c "MOZ_NO_REMOTE=1 firefox -ProfileManager"

And in a recent bug-hunting session, I had a firefox profile that just kind of didn’t load javascript correctly any more (“change_feedback_state is not defined” on facebook). I have no idea what was causing the issue (something not extensions — it didn’t go away in “-safe-mode“), and so I just reconstructed the profile one bit at a time, eventually leaving all of prefs.js out. I used the migration checklist I found at mozillazine.


January 15, 2008

full ASLR in Hardy

Filed under: Security,Ubuntu — kees @ 11:07 am

Thanks to all the people that worked on it from the coding, breaking, testing, and refactoring, Hardy is now sporting the last piece of full Address Space Layout Randomization support. ASLR has been mostly unchanged since Dapper, when the first bits of ASLR went in: stack and mmap (library) randomization. Those changes made simple stack overflow, heap overflow, and return-into-libc attacks much less trivial. Now in Hardy, with VDSO and brk (heap) randomization added, and the program text randomized as well for PIE binaries, things are even more difficult for attackers to exploit.

For binaries that have been compiled with -pie (Position Independent Executable), the kernel is finally able to take advantage of it. As an example, openssh is already using this compile option, and the results are easy to see. Here are the processes from two SSH connections:

$ pstree -lp | grep sshd
        |-sshd(7243)-+-sshd(9136)---sshd(9140)---bash(9142)-+-grep(15380)
        |            +-sshd(9181)---sshd(9185)---bash(9186)

If we examine the memory layout of both sshd processes (9136 and 9181), we can see no user-space memory locations are shared:

$ sudo cat /proc/9136/maps
7ff69df86000-7ff69e0c6000 rw-s 00000000 00:09 34320                      /dev/zero (deleted)
7ff69e0c6000-7ff69e0c9000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7ff6a1fc8000-7ff6a1fd0000 rw-p 7ff6a1fc8000 00:00 0 
7ff6a1ff7000-7ff6a1ffa000 rw-p 7ff6a1ff7000 00:00 0 
7ff6a1ffa000-7ff6a1ffc000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7ff6a1ffc000-7ff6a205b000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7ff6a225a000-7ff6a225d000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7ff6a225d000-7ff6a2289000 rw-p 7ff6a225d000 00:00 0                      [heap]
7fffaa045000-7fffaa05a000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffaa1fe000-7fffaa200000 r-xp 7fffaa1fe000 00:00 0                      [vdso]
...
$ sudo cat /proc/9181/maps
7f05a07b8000-7f05a08f8000 rw-s 00000000 00:09 35989                      /dev/zero (deleted)
7f05a08f8000-7f05a08fb000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7f05a47fa000-7f05a4802000 rw-p 7f05a47fa000 00:00 0 
7f05a4829000-7f05a482c000 rw-p 7f05a4829000 00:00 0 
7f05a482c000-7f05a482e000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7f05a482e000-7f05a488d000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8c000-7f05a4a8f000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8f000-7f05a4abb000 rw-p 7f05a4a8f000 00:00 0                      [heap]
7fffac877000-7fffac88c000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffac9fe000-7fffaca00000 r-xp 7fffac9fe000 00:00 0                      [vdso]
...

The larger the memory space, the more effective ASLR is, so 64bit is the way to go. And, as always, using 64bit kernels automatically gives you the NX bit protections too. Running a 64bit Hardy system is going to rock. :)
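To turn the eyeball comparison above into a repeatable check, here is an added example script of mine (not code from the post or from Ubuntu) that parses two /proc/<pid>/maps listings and reports any named region that sits at the same base address in both processes. The sample input is the two sshd excerpts shown above, embedded inline so it runs offline; the "<pathname> <perms>" labelling scheme and the text_base() helper are my own choices, not anything the kernel or the post defines.

```python
#!/usr/bin/env python3
"""Check which named regions differ between two /proc/<pid>/maps listings.

Added example for the ASLR post; not code from the post or from Ubuntu.
Sample input: the two sshd excerpts shown in the post, embedded inline.
"""
import re

MAPS_9136 = """\
7ff69df86000-7ff69e0c6000 rw-s 00000000 00:09 34320                      /dev/zero (deleted)
7ff69e0c6000-7ff69e0c9000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7ff6a1fc8000-7ff6a1fd0000 rw-p 7ff6a1fc8000 00:00 0
7ff6a1ff7000-7ff6a1ffa000 rw-p 7ff6a1ff7000 00:00 0
7ff6a1ffa000-7ff6a1ffc000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7ff6a1ffc000-7ff6a205b000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7ff6a225a000-7ff6a225d000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7ff6a225d000-7ff6a2289000 rw-p 7ff6a225d000 00:00 0                      [heap]
7fffaa045000-7fffaa05a000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffaa1fe000-7fffaa200000 r-xp 7fffaa1fe000 00:00 0                      [vdso]
"""

MAPS_9181 = """\
7f05a07b8000-7f05a08f8000 rw-s 00000000 00:09 35989                      /dev/zero (deleted)
7f05a08f8000-7f05a08fb000 r-xp 00000000 fe:15 480495                     /lib/security/pam_limits.so
...
7f05a47fa000-7f05a4802000 rw-p 7f05a47fa000 00:00 0
7f05a4829000-7f05a482c000 rw-p 7f05a4829000 00:00 0
7f05a482c000-7f05a482e000 rw-p 0001d000 fe:15 1040531                    /lib/ld-2.7.so
7f05a482e000-7f05a488d000 r-xp 00000000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8c000-7f05a4a8f000 rw-p 0005e000 fe:15 98598                      /usr/sbin/sshd
7f05a4a8f000-7f05a4abb000 rw-p 7f05a4a8f000 00:00 0                      [heap]
7fffac877000-7fffac88c000 rw-p 7ffffffea000 00:00 0                      [stack]
7fffac9fe000-7fffaca00000 r-xp 7fffac9fe000 00:00 0                      [vdso]
"""

# Field layout of a maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_maps(text):
    """Map each named region to its start address.

    Regions are labelled "<pathname> <perms>" (my own scheme; a "#n" suffix
    is added when a file is mapped more than once with the same permissions),
    so a binary's r-xp text segment and its rw-p data segment are tracked
    separately.  Unnamed anonymous regions are skipped: they have no stable
    identity to compare across processes.  The "..." elision lines simply
    fail to match and are ignored.
    """
    regions = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, _end, perms, _offset, _dev, _inode, path = m.groups()
        path = path.strip()
        if not path:
            continue
        label = f"{path} {perms}"
        n = 1
        while label in regions:
            n += 1
            label = f"{path} {perms}#{n}"
        regions[label] = int(start, 16)
    return regions


def compare_layouts(maps_a, maps_b):
    """Return {label: (start_a, start_b)} for regions present in both listings."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    return {k: (a[k], b[k]) for k in a if k in b}


def unrandomized_regions(maps_a, maps_b):
    """Labels whose base address is identical in both processes.

    With full ASLR (mmap, stack, vdso, brk and a PIE text segment) this
    should be empty for two instances of the same binary.
    """
    return sorted(k for k, (x, y) in compare_layouts(maps_a, maps_b).items()
                  if x == y)


def text_base(maps_text, exe):
    """Start address of the executable's r-xp segment, or None if absent."""
    return parse_maps(maps_text).get(f"{exe} r-xp")


if __name__ == "__main__":
    fixed = unrandomized_regions(MAPS_9136, MAPS_9181)
    print("regions at the same address in both processes:", fixed or "none")
    for label, (x, y) in sorted(compare_layouts(MAPS_9136, MAPS_9181).items()):
        print(f"{label:40s} {x:#014x} {y:#014x}")
```

On a live system, feed it the contents of /proc/<pid>/maps for two instances of the same daemon; any label that comes back from unrandomized_regions() is a region ASLR is not moving (for a non-PIE binary, expect its r-xp and rw-p segments to show up there).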


December 21, 2007

best universal remote evar

Filed under: Blogging,Security,Ubuntu — kees @ 6:16 pm

As a quick break from software, I spent a little time this evening soldering together my TV-B-Gone Kit. It was way fun to break out all my microelectronics gear. Gave me an excuse to clean up my desk. This thing is the silliest tool ever: it’s programmed with a mess of TV remote codes — but only those to turn off TVs. So, just point at a TV near you, hit the button, and it’ll almost certainly turn off.


December 20, 2007

VMware on Hardy

Filed under: Blogging,Ubuntu — kees @ 4:17 pm

For people using VMware, the new Hardy kernel requires updates to the source module tarballs that live in /usr/lib/vmware/modules/source/

Grab the three updated tarballs from the “vmware-any-any” tar.gz here. Currently update115 works for me just fine.


December 18, 2007

force sendmail to deliver a specific item from the queue

Filed under: Networking,Ubuntu — kees @ 8:11 pm

In case I or someone else ever needs this trick again, here’s my quick solution to work around QueueAge limits, and only force a specific queue id to get delivery retried:

/usr/sbin/sendmail -v -o MinQueueAge=0 -qI${ID_GOES_HERE}


December 12, 2007

search for a crisp monospace true-type font

Filed under: Blogging,Ubuntu — kees @ 9:36 am

I’ve been using xterms forever. Whenever I try to switch to using a terminal with a true-type font, my eyes hurt after a few hours. I’ve tried changing the various font-rendering options, and gone through lots of monospaced fonts — nothing gives the same clarity as the fixed raster fonts. I suspect this is basically the same problem as Icon Scaling. Things don’t work correctly when trying to line up a vector image against hard pixel edges. I wish I could find a workable fix for this.


September 28, 2007

CUPS banner template variables

Filed under: Networking,Ubuntu — kees @ 5:51 pm

A while back, I wanted to design some banner pages for a shared network printer that would show the name of the host that sent the request (none of the standard CUPS banners report this). It was easy enough to define a custom banner page:

<Printer lj4200>
...
JobSheets shared-banner none
...
</Printer>

Then, I could drop a modified banner into /usr/share/cups/banners with the filename “shared-banner”. The banner is just a regular PostScript file, so I could muck around with it. While looking at the “standard” banner, I saw some PS variables being used that had been defined by CUPS:

...
  (Job ID: ) RIGHT
  2 copy                % Copy X & Y
  moveto
  ({printer-name}-{job-id}) show
...

I couldn’t find documentation on the available variables, but managed to track down some of the list at cupsGetJobs2 in cups/utils.c:

job-id
job-priority
job-k-octets
job-state
time-at-completed
time-at-creation
time-at-processing
job-printer-uri
document-format
job-name
job-originating-user-name

None of these had the sending host listed, so I continued searching. Additional ones are defined in scheduler/ipp.c, including:

printer-name
job-id
job-billing
job-hold-until
job-sheets
job-media-sheets-completed
job-originating-host-name

“job-originating-host-name” did the trick for my banner:

...
  (Host: ) RIGHT
  moveto
  ({job-originating-host-name}) show
...

I’ve seen some other partial lists, but I haven’t found an official complete list. It’d be handy to see this documented better, since some variables aren’t valid until after the job is processed (job-sheets), so it’s only valid in the trailing banner, not the leading banner.
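Since the variable list is scattered across two source files and some names are only meaningful on the trailing banner, a small lint pass over a banner file is useful before deploying it. The script below is an added example of mine, not CUPS code: it pulls every {name} reference out of a PostScript banner, flags names outside the two lists collected above, and warns about job-sheets on a leading banner. The sample banner fragment is constructed in the style of the post (including a deliberately made-up variable name), and render_banner() is a simplified imitation of the scheduler's substitution; the assumption that unset attributes become empty strings is mine.

```python
#!/usr/bin/env python3
"""Lint the {variable} references in a CUPS PostScript banner template.

Added example; not code from CUPS or from the post.
"""
import re

# Attribute names the post found in cups/utils.c and scheduler/ipp.c.
KNOWN_BANNER_VARS = {
    "job-id", "job-priority", "job-k-octets", "job-state", "time-at-completed",
    "time-at-creation", "time-at-processing", "job-printer-uri",
    "document-format", "job-name", "job-originating-user-name",
    "printer-name", "job-billing", "job-hold-until", "job-sheets",
    "job-media-sheets-completed", "job-originating-host-name",
}

# The post notes job-sheets is only valid once the job has been processed,
# i.e. on the trailing banner.  Only that one is listed here.
TRAILING_ONLY = {"job-sheets"}

VAR_RE = re.compile(r"\{([a-z0-9-]+)\}")

# Constructed banner fragment in the style of the post's PostScript;
# "job-made-up-attr" is a deliberately bogus name to exercise the linter.
SAMPLE_BANNER = """\
  (Host: ) RIGHT
  moveto
  ({job-originating-host-name}) show
  (Job ID: ) RIGHT
  2 copy                % Copy X & Y
  moveto
  ({printer-name}-{job-id}) show
  (Sheets: ) RIGHT
  moveto
  ({job-sheets}) show
  ({job-made-up-attr}) show
"""


def banner_variables(ps_text):
    """Sorted, de-duplicated list of {name} variables used in the banner."""
    return sorted(set(VAR_RE.findall(ps_text)))


def lint_banner(ps_text, leading=True):
    """Return {'unknown': [...], 'trailing_only': [...]} for a banner.

    'unknown' lists names not in KNOWN_BANNER_VARS; 'trailing_only' lists
    names that will not be filled in yet if this file is used as the
    leading (first) banner sheet.
    """
    used = banner_variables(ps_text)
    unknown = [v for v in used if v not in KNOWN_BANNER_VARS]
    trailing = [v for v in used if v in TRAILING_ONLY] if leading else []
    return {"unknown": unknown, "trailing_only": trailing}


def render_banner(ps_text, attrs):
    """Simplified stand-in for the scheduler's substitution step.

    Assumption (mine): attributes missing from `attrs` render as "".
    """
    return VAR_RE.sub(lambda m: str(attrs.get(m.group(1), "")), ps_text)


if __name__ == "__main__":
    print("variables used:", banner_variables(SAMPLE_BANNER))
    print("leading-banner problems:", lint_banner(SAMPLE_BANNER))
    print(render_banner(SAMPLE_BANNER,
                        {"printer-name": "lj4200", "job-id": "42",
                         "job-originating-host-name": "desk.example"}))
```

Run it against the file you dropped into /usr/share/cups/banners; a name in 'unknown' may still be a real attribute the two lists above missed, so treat that warning as a prompt to check scheduler/ipp.c rather than a hard error.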


September 27, 2007

stupid BIOS tricks to find your 4G of RAM

Filed under: Ubuntu — kees @ 7:36 am

A few months ago I upgraded my system to 4G of RAM. Blinded by my shiny new DIMMs, I never actually looked at the output of “free”. All I saw was that the system-monitor applet now showed lots of free memory. Only recently did I notice that I only had 3G of RAM, instead of my expected 4G. This is a rather common problem when running a 32bit OS, but I’ve been running 64bit for a while now. In fact, since it’s such a common complaint for 32bit OSes, I didn’t have any luck Googling for an answer. I did find references to chipset limitations (motherboards with only a 32bit memory bus), but “lshw” seemed to think I was okay. I had 4 banks each showing:

*-bank:0
description: DIMM DDR Synchronous 333 MHz (3.0 ns)
size: 1GB
width: 64 bits
clock: 333MHz (3.0ns)

On reboot, I also noted that my BIOS said I only had 3G. I started to get worried, but managed to find a setting on my Northbridge for Memory to enable “Hardware memory hole”. After that, both the BIOS and Linux were happy and seeing the full 4G. I assume the BIOS just bumps the memory in the 3G region to above 4G, which makes for a silly kernel message:

[ 24.617275] Memory: 3977852k/5259264k available (2281k kernel code, 150272k reserved, 1182k data, 300k init)

But I don’t care. :) It works now, and my “free” output makes me happy again:

             total       used       free     shared    buffers     cached
Mem:       3986156    3958396      27760          0      68268    2949472
-/+ buffers/cache:     940656    3045500
Swap:      3903672      38676    3864996


September 26, 2007

stupid dpkg tricks when fighting XFS bugs

Filed under: Ubuntu — kees @ 3:26 pm

A few days ago, I found myself with corrupted libraries and other insanity after doing a “dist-upgrade”. As it turns out, my filesystem was to blame. After running xfs_repair on it, I used a handy short-cut to re-install all the packages that might have gotten caught in the breakage:

sudo apt-get --reinstall install $(grep ^2007-09-24 /var/log/dpkg.log | cut -d' ' -f4)
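The fourth field of dpkg.log is only a package name on action lines (install, upgrade, remove, purge); on "status" and "startup" lines it is a state word or a phase name, so a plain cut over the day's lines also hands apt-get junk like "installed". Here is an added example of mine (not from the post) that reads the log properly, keeps only packages actually installed or upgraded on the given day, and builds the same reinstall command. The log lines are constructed samples in the dpkg.log format, not from the author's machine.

```python
#!/usr/bin/env python3
"""Collect the packages dpkg touched on a given day and build a reinstall line.

Added example; not code from the post.  SAMPLE_DPKG_LOG is constructed.
"""
import re
import shlex

# Constructed /var/log/dpkg.log excerpt (package names and versions are
# illustrative).  Action lines: "<date> <time> <action> <pkg> <old> <new>";
# status lines: "<date> <time> status <state> <pkg> <version>".
SAMPLE_DPKG_LOG = """\
2007-09-24 13:05:01 startup packages configure
2007-09-24 13:05:02 status half-installed libc6 2.6.1-1ubuntu8
2007-09-24 13:05:03 upgrade libc6 2.6.1-1ubuntu8 2.6.1-1ubuntu9
2007-09-24 13:05:05 status installed libc6 2.6.1-1ubuntu9
2007-09-24 13:05:06 install libxfs-dbg <none> 2.9.4-2
2007-09-24 13:05:07 status installed libxfs-dbg 2.9.4-2
2007-09-24 13:06:00 remove obsolete-pkg 0.1-1 <none>
2007-09-25 09:00:00 upgrade bash 3.2-0ubuntu7 3.2-0ubuntu8
"""

ACTION_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(install|upgrade|remove|purge) (\S+) (\S+) (\S+)$")


def packages_touched(log_text, date, actions=("install", "upgrade")):
    """Sorted package names that dpkg applied one of `actions` to on `date`.

    Only action lines are considered; status/startup lines are skipped
    because their fourth field is not a package name.  Removed or purged
    packages are excluded by default: there is nothing to reinstall.
    """
    pkgs = set()
    for line in log_text.splitlines():
        m = ACTION_LINE.match(line)
        if not m or m.group(1) != date or m.group(2) not in actions:
            continue
        # Newer dpkg writes "pkg:arch"; strip the arch so apt-get gets a name.
        pkgs.add(m.group(3).split(":")[0])
    return sorted(pkgs)


def reinstall_command(pkgs):
    """The apt-get line equivalent to the post's one-liner, safely quoted."""
    return "sudo apt-get --reinstall install " + " ".join(
        shlex.quote(p) for p in pkgs)


if __name__ == "__main__":
    touched = packages_touched(SAMPLE_DPKG_LOG, "2007-09-24")
    print(reinstall_command(touched))
```

Reinstalling from the package cache only helps if the .deb files themselves were not on the damaged filesystem; after an xfs_repair it is worth letting apt re-download them (apt-get clean first) rather than trusting what is already in /var/cache/apt/archives.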

