codeblog code is freedom — patching my itch

April 13, 2007

Farewell Breezy

Filed under: Blogging,Security,Ubuntu — kees @ 6:46 pm

Breezy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 18 hours, 49 minutes, and 4 seconds on 108 builds related to the roughly 64 breezy-security updates I was involved in publishing. So far, Dapper is at 132 builds totaling 19:59:40, and Edgy is at 142 builds totaling 23:32:28. These times obviously don’t include patch hunting/development, failed builds, testing, stuff done on my laptop or the PPC machine, etc. Even if it’s a bit incomplete, I think it’s fun to be able to point to some hard numbers about CPU time spent on Breezy updates. :)

Thank you Breezy! You have housed my MythTV installation very nicely, but now it’s time for some long over-due upgrades…

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

April 2, 2007

AppArmor now in Feisty

Filed under: Security,Ubuntu — kees @ 11:03 am

With the help of Magnus Runesson, Jesse Michael, Martin Pitt, and many others, I’ve got AppArmor packaged and uploaded into Feisty universe. Prior to this, admins interested in a Mandatory Access Control system in Ubuntu only had SELinux available; now we have more of a choice. For anyone wanting to try out AppArmor, you will need to compile the modules, and install the base packages:

sudo apt-get install apparmor-modules-source dpatch
sudo m-a -v -t prepare
sudo m-a -v -t build apparmor-modules
sudo m-a -v -t install apparmor-modules
sudo apt-get install apparmor apparmor-utils apparmor-profiles libterm-readline-gnu-perl

With the default profiles, you can see one quick example of a confined process. Try doing this:

ping localhost >/dev/null &
sudo ps aZ | grep ping

In the first column, you should see what profile is being used to confine the process:

/bin/ping 14351 pts/14 S 0:00 ping localhost
unconstrained 15381 pts/14 S+ 0:00 grep ping

The list of active profiles can be seen as root in /sys/kernel/security/apparmor/profiles, which are loaded from /etc/apparmor.d/.

To confine a process, use aa-autodep and aa-logprof. For example, I wanted to confine my PDF document browser to only use /tmp (since I tend to only use it when browsing PDFs online):

  • First, I create an empty profile in “complain” mode: sudo aa-autodep evince
  • Next, I run evince like I normally would, including as many actions as I can think of (printing, preferences, help, etc). Watching the output of dmesg you can follow the trail of all the actions evince is taking. When I’m finished, I quit evince.
  • Next, I run aa-logprof, which runs through all the kernel audit output and offers suggestions on what to allow from evince. Where appropriate, I select “abstrations” for things like Gnome, DNS, fonts, tmp dir usage, etc. When a whole directory tree should be allowed, I double-glob the path (/usr/share/evince/**). Once all the items from the log have been processed, the profile is saved.
  • Finally, I enable the profile with aa-enforce evince. Any disallowed actions will show up in the kernel logs.

Check out the resulting profile for evince.

Now if I end up reading a malicious PDF that takes advantage of some currently-unknown vulnerability in evince, it will be confined to the above AppArmor profile, unable to exec new processes, and only able to write to the Gnome preferences for evince. (It’s also unable to read files out of /home, so that the above profile may be way too strict for common usage. And to even get caught by AppArmor, the imaginary exploit would have to avoid the randomized stack, randomized heap, stack protector, and, since I’m running 64bit, the NX processor bit.)

Be aware, this is still a new bit of packaging for Ubuntu, so you may run into sneaky gotchas. If that happens, please open a bug.

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

March 9, 2007

detecting space-vs-tab indentation type in vim

Filed under: General,Ubuntu — kees @ 10:36 am

I edit a lot of other people’s code. Dealing with indenting depth has always plagued me, and I’ve tried all sorts of things to try to address it, but the “real” problems I have are when tabs are mixed into code.

I personally use “4 spaces” for code indentation, and if I’m working on code that uses 8, I just hit “tab” twice, and if I’m working on code that uses 2, I can just backspace over the 2-too-many spaces. When the code has actual tabs, things break. When the code has a mix of tabs and spaces, it becomes a serious head-ache.

I wrote some vim insanity to detect which indentation type was being used “the most” in a given source file. If anyone has a simpler way to solve this (without switching to a different editor), I’m all ears. What follows are some bits from my .vimrc.

First, my space-indentation defaults:

set noai ts=4 sw=8 expandtab

Next, Makefiles and debian/rules files always use tabs, so I have a base set of overrides:

" Makefile sanity
autocmd BufEnter ?akefile* set noet ts=8 sw=8
autocmd BufEnter */debian/rules set noet ts=8 sw=8

Finally, define a function that compares the number of lines that start with a tab to those that start with a space. If the tabs outnumber the spaces, disable my defaults, and don’t expand tabs:

function Kees_settabs()
    if len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^\\t"')) > len(filter(getbufline(winbufnr(0), 1, "$"), 'v:val =~ "^ "'))
        set noet ts=8 sw=8
    endif
endfunction
autocmd BufReadPost * call Kees_settabs()

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

February 3, 2007

OpenID and goofy Claims

Filed under: Blogging,Inkscape,Ubuntu,Web — kees @ 8:33 am

I’ve been having fun fighting religious battles and confusing people with in-jokes at jyte.com. Other good claims:

Or just see what’s been claimed about linux in general. Yay for silly social networking sites! :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

January 23, 2007

CVE links via Greasemonkey

Filed under: Blogging,Security,Ubuntu,Web — kees @ 10:00 pm

I spend a good bit of time reading CVEs but their entries are plain text, without links associated with their various recorded URLs. I’m annoyed at having to select/paste to load a URL, so I had to go code a work-around. :)

Since MozDev‘s “linkify.user.js” was a bit heavy-handed, I wrote up a quick hack based on similar code to only look at mitre.org’s LI tags: “cve-links.user.js“.

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

January 10, 2007

attempting a secondlife build on ubuntu

Filed under: Blogging,Ubuntu — kees @ 5:37 am

Linden Labs released their Second Life client under the GPL, so I figured I’d have a go at getting it compiled on Ubuntu. Three libraries weren’t already packaged, so I threw together some initial attempts at getting them usable (libelfio, libopenjpeg, and libxmlrpc-epi). I think the long-term approach will be trying to convince Linden Labs to use stuff that is being actively maintained.

One big hurdle is audio, since FMOD doesn’t have a Free license. I hope it can get replaced; I’d be curious to hear what Second Life needs from FMOD that some of the other Free stacks can’t do.

So, if you’re in a mood to play with getting the Second Life client running, hopefully my stab at packaging can help (I’ve solved a number of gotchas in the assumptions their build system made), and so far it built:

$ ls -lh secondlife-x86_64-bin
-rwxr-xr-x 1 kees kees 34M 2007-01-10 05:33 secondlife-x86_64-bin*
$ ldd ./secondlife-x86_64-bin | wc -l
77

Unfortunately, it immediately crashes when I load it. :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 25, 2006

2006 recommended reading

Filed under: Blogging,Ubuntu — kees @ 10:45 am

It’s not quite the end of the year yet, but here are Kirsten’s top 6 books from 2006:

  1. The Great Influenza: The Epic Story of the Deadliest Plague in History The Great Influenza
  2. The Devil in the White City:  Murder, Magic, and Madness at the Fair that Changed America The Devil in the White City
  3. Cloud Atlas: A Novel Cloud Atlas
  4. The Fortress of SolitudeThe Fortress of Solitude
  5. It's Superman!: A Novel It’s Superman!
  6. Welcome to Our Hillbrow Welcome to Our Hillbrow

(Also, figured this would be a good test of the WP plugin for Amazon, which is very handy. I’m going to see if I can patch it to hook things to my blog roll “Reading” category.)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 13, 2006

silly things to do with unicode

Filed under: Blogging,Ubuntu,Web — kees @ 12:37 pm

˙ǝɓuɐɹʇs ʎɹǝʌ ʍoH

‮Unicode is so odd.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 9, 2006

frozen-bubble handicapping

Filed under: Blogging,Ubuntu — kees @ 10:32 am

At UDS, I learned that I am a poor frozen-bubble player. After getting repeated trounced by pitti, I decided I had to find some way to level the playing field. I was my own worst enemy due to my bad aim, but all the malus (as in, the opposite of bonus) balls were clearly causing me greater pain. I wrote a patch that creates a new key binding “b” to toggle the blocking of malus balls. Using this made things a little more even, and after a week of practice, I was a much better player (and quit using my cheat).

Since frozen-bubble depends on a shared game state between all players, everyone will notice if you’re using a mod like that, since they will just queue up on your malus post:

malus blocking

So be sure you’re playing with people you know. :)

© 2006 – 2015, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

December 7, 2006

paranoid browsing with squid

Filed under: Security,Ubuntu — kees @ 11:40 pm

As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)

Luckily, with SOCKS5 Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy more like a regular proxy, where DNS is handled by the remote end of the tunnel.

Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…

© 2006 – 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

filtering email body URLs with whois

Filed under: Networking,Ubuntu — kees @ 10:21 pm

I use SURBL filtering for my inbound email. It’s very handy except when my domain receives the leading edge of a new spam campaign. Whenever spam with a URL got through the filters, I’d go look it up and discover that it was added to the block lists about 20 minutes after I got the email. I’d think to myself, “dang, if only I had greylisted that email”.

Well, I got to thinking: all the URL-based spam campaigns have one thing in common: the domains they’re spamming have been recently registered. So now I greylist any email whose body contains a recently registered domain in a URL. It gets delayed just long enough that the SURBLs catch up, and when it is finally reattempted, it gets permanently rejected. Unfortunately, I have not found a common API for querying the registrars for a domain’s creation date, so I wrote an insane script to make a best-effort guess:

$ ./whois-created kernel.org 2>/dev/null
‘kernel.org’ created on: 1997-03-07
$ ./whois-created outflux.net 2>/dev/null
‘outflux.net’ created on: 2000-03-17
$ ./whois-created hosteije.net 2>/dev/null
‘hosteije.net’ created on: 2006-12-01

Any URLs with kernel.org or outflux.net I’d let through, but I’d greylist anything mentioning hosteije.net (which is now listed on the SURBLs).

Most of my email filtering is based on some heavily modified MIMEDefang code (which handles hooking to my script and doing the greylisting), but I’m figuring this sort of thing should live in some optional routine in SpamAssassin so more people can benefit.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

« Newer Posts

Powered by WordPress