

Entries posted in July 2007

I'm starving now, feeling dead on my feet

1 July 2007 21:50

Three, count them, three local root exploits discovered so far via the source scan of the Debian archive. More to follow.

Right now my biggest irritation is the amount of time it takes to report bugs in packages which don't have security issues - just bad coding. It takes me a fair while to do it, since I either have to install the package and use "reportbug", or look up version numbers and submit manually. I should think of a better way of doing it.



We all have earned a lightness

3 July 2007 21:50


One of the very few good things about my partner being away to the US for the next six weeks is that I can catch up on watching films which she doesn't like!

Every weekend we go out and spend £10-15 on 2-3 second-hand DVDs from local stores. That gives us something new to watch every week, and is a fun way to spend a day shopping together, in amongst doing other things. This has meant I've watched an awful lot of (awful!) films I'd never have previously considered, but I've also found a few gems I'm glad I got to see.

The down-side is that we don't often watch films we've already got, since we don't have the time to do so.

Anyway tonight is Aliens & Battle Royale..

Source Scanning

A little more progress on that this week, another local root attack, a symlink attack against the Amaya browser and a potential root attack against evms.

The EVMS bug is frustrating because the code is contained in a plugin which appears to never get built. I've tried searching the web for more details, but unfortunately I couldn't find anything.

So in the interest of demonstration here's how you should not write code which runs as root:

        if(system("lsrsrc -axd IBM.PeerNode > /tmp/rsct_node_info") == -1){
                LOG_ERROR("ERROR:get_nodes_info() fails ");

Why is this bad? Because it uses a static filename, /tmp/rsct_node_info, and that could be a symlink: the shell opens the redirection target as root and follows the link. Consider what happens if a local user were to run:

skx@vain:~$ ln -s /etc/passwd /tmp/rsct_node_info

The EVMS plugin would happily trash the /etc/passwd file, rendering the system broken...

If this works on other distros that I couldn't spot don't tell anybody; it'll be our little secret ;)
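The same pattern next to a hardened form, as an added example (not code from EVMS or from this blog). Everything runs in a scratch directory: `victim` stands in for /etc/passwd, `fixed` for /tmp/rsct_node_info, and `echo node-data` for the real command; all of those names are assumptions made for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile


def run_fixed_name(cmd, path):
    """The pattern from the snippet above: the shell opens `path` for the
    redirection and follows a symlink if one is already sitting there."""
    subprocess.run(f"{cmd} > {shlex.quote(path)}", shell=True, check=True)


def run_private_temp(argv, directory):
    """Hardened form: mkstemp() creates an unpredictably named file with
    O_CREAT|O_EXCL and mode 0600, so a pre-planted name is never reused."""
    fd, path = tempfile.mkstemp(prefix="rsct_node_info.", dir=directory)
    with os.fdopen(fd, "wb") as out:
        subprocess.run(argv, stdout=out, check=True)
    return path


def symlink_demo():
    """Constructed scenario in a scratch directory; `victim` stands in for
    /etc/passwd and `fixed` for /tmp/rsct_node_info."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        victim = os.path.join(scratch, "victim")
        fixed = os.path.join(scratch, "rsct_node_info")
        with open(victim, "w") as f:
            f.write("precious\n")
        os.symlink(victim, fixed)

        # If the fixed name must stay, O_EXCL refuses any existing name,
        # symlinks included, instead of writing through it.
        try:
            os.close(os.open(fixed, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600))
            results["excl_refused"] = False
        except FileExistsError:
            results["excl_refused"] = True
        out_path = run_private_temp(["echo", "node-data"], scratch)
        results["victim_after_hardened"] = open(victim).read()
        results["hardened_output"] = open(out_path).read()
        run_fixed_name("echo node-data", fixed)
        results["victim_after_fixed_name"] = open(victim).read()
    return results


if __name__ == "__main__":
    print(symlink_demo())
```

Reading the command's output from a pipe avoids the temporary file altogether, which is the better fix when the output is only parsed once.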


Today I rebooted, to make sure that purging EVMS hadn't screwed with my initrd - and found errors relating to failure to load "keyboard" driver(s).

Turns out you need to change:

Section "InputDevice"
        Identifier      "Generic Keyboard"
        Driver          "keyboard"
        Option          "CoreKeyboard"

to:

Section "InputDevice"
        Identifier      "Generic Keyboard"
        Driver          "kbd"
        Option          "CoreKeyboard"

That took a fair bit of head-scratching.




8 July 2007 21:50

If you use xen-tools and you've ever wanted to be able to setup arbitrary partitions within your new guests you can do so now.

skx@vain:~$ sudo xen-create-image  --boot --hostname=pt.my.flat --partitions=sample-server
General Information
Hostname       :  pt.my.flat
Distribution   :  etch
Partitions     :  swap            2G    (swap)
                  /               1G    (ext3)
                  /var            4G    (xfs)
                  /opt            1.5G  (xfs)
                  /usr            4G    (xfs)
                  /tmp            0.5G  (xfs)
                  /home           1G    (xfs)
                  /var/tmp        1.5G  (xfs)

How cool is that? Many thanks to Sascha Kettler for the patch.



She said she'd teach me 'bout voodoo

10 July 2007 21:50

So I've been very happy with exaile - the media player - for the past week or so.

I think I'm going to switch to it full time.

The "random play" is surprisingly random. Despite listening to music 24x7 I'm finding myself hearing new music. I can only conclude that xmms and xmms2 have poor random functionality ..

The bigger issue is the handling of plugins. How do plugins get loaded? Via an external website.

You do the pointy-clicky dance with the user-interface, and the system downloads arbitrary code from exaile.org, installs it into ~/.exaile/plugins and executes it.

Double-plus ungood.

    download_url = "http://www.exaile.org/plugins/plugins.py?version=%s&plugin=%s" \
        % (self.app.get_plugin_location(), file)
    xlmisc.log('Downloading %s from %s' % (file, download_url))

Let us hope they never lose control of that domain, (and never implement automatic plugin updates) otherwise all current users will hit the site, be persuaded there are newer plugins available and be compromised en masse...
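One way a plugin installer can stop trusting whatever the download host returns, as an added example (not exaile's code). It assumes a hypothetical manifest of SHA-256 digests for reviewed plugins that ships inside the application release; the plugin name, its contents and the `fetch` callback are constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
# Hypothetical manifest shipped inside the application release, mapping
# plugin file names to the SHA-256 of the reviewed copy (constructed values).
GOOD_PLUGIN = b"print('hello from a reviewed plugin')\n"
PINNED_SHA256 = {"example-plugin.py": hashlib.sha256(GOOD_PLUGIN).hexdigest()}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.py$")


class PluginRejected(Exception):
    """Raised when a download must not be installed."""


def install_plugin(name, fetch, plugin_dir, pinned=PINNED_SHA256):
    """Fetch `name` with the caller-supplied fetch(name) -> bytes and install
    it only if it matches the pinned digest. Returns the installed path."""
    if not SAFE_NAME.match(name):
        raise PluginRejected("bad plugin name: %r" % name)
    expected = pinned.get(name)
    if expected is None:
        raise PluginRejected("no pinned digest for %s" % name)
    data = fetch(name)
    if hashlib.sha256(data).hexdigest() != expected:
        raise PluginRejected("digest mismatch for %s" % name)
    # Write privately, then rename: nothing unverified gets the final name.
    fd, tmp = tempfile.mkstemp(dir=plugin_dir)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    final = os.path.join(plugin_dir, name)
    os.replace(tmp, final)
    return final


def plugin_demo():
    """Constructed servers: one honest, one serving altered code."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as plugin_dir:
        path = install_plugin("example-plugin.py", lambda n: GOOD_PLUGIN, plugin_dir)
        outcomes["honest"] = os.path.basename(path)
        for label, name, body in [("tampered", "example-plugin.py", b"import os\n"),
                                  ("traversal", "../evil.py", GOOD_PLUGIN)]:
            try:
                install_plugin(name, lambda n: body, plugin_dir)
                outcomes[label] = "installed"
            except PluginRejected:
                outcomes[label] = "rejected"
    return outcomes
```

With digests pinned in the release, a host that starts serving different code gets its downloads rejected; shipping new plugin versions then needs a new release or a signed manifest.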

In other news, even with my planet-searching script, I cannot find the blog entry I wanted to refer people to. It involved people looking pretty and acting miserable. Possibly on buses?



In World War II the average age of the combat soldier was 26

13 July 2007 21:50

Bootstrapping non-Debian distributions sucks.

The only available tool appears to be rpmstrap which quite frankly fails more often than it works.

Since my xen-tools project needs to carry out this kind of operation I've been pondering the idea of writing a tool which will install CentOS/Fedora/SuSE into a directory, in a similar fashion to debootstrap.

If there's nothing out there that you can point to, then I think that will be my next project.



And behold, a pale horse, and he who sat on it, his name was Deat

13 July 2007 21:50

I've made some progress on the bootstrapping idea :)

As a proof of concept I wrote a simple script which will download *all* the required RPM files for an installation of Fedora-Core 6. (i386)

This downloads 348 .rpm files, which is about 700Mb. (I'm downloading way more files than I need, because I'm not using dependency-discovery yet....)

However the proof of concept works. I can successfully chroot inside the unpackaged directory tree - so I think it is sufficient to persuade me that I can dynamically determine which RPM files need to be installed, thus avoiding the problem which rpmstrap suffers from (i.e. having a static list of specific RPM versions to fetch).

If you'd like to test my script, hardwired as it is, (did I mention ugly?), then feel free. In terms of requirements you'll need:

  • wget
  • rpm
  • alien

Note: I'd expect this script to take in the order of 30-40 minutes to run. It is pretty noisy though, so you'll know it hasn't died!

The script will live here for a day or two:

  • http://steve.org.uk/Software/tmp/fc6

PS. Don't run this as root. Please.



Do you remember a time when fear

14 July 2007 21:50

I can successfully boot Fedora Core 6 & 7 - to the extent that RPM and Yum both work.

This takes in the order of 70Mb and around 2 minutes - assuming the caching mechanism works.

Now I need :

  1. A cute name.
  2. To abstract the common parts of the code somehow.
  3. To get started on SuSE + CentOS.

Today: Hacking. Tomorrow: Security work.



My brother makes the noises for the talkies

16 July 2007 21:50

I now have a working system for creating minimal installations of Fedora Core (6), and CentOS (4.5 & 5).

I've updated xen-tools to make use of this, via --install-method=rinse - and now I can create new Xen guests :)

There were several false starts:

Have a static list of .rpm names + versions

This is precisely what rpmstrap does, and it is a broken approach. I'm happy to have a static list of packages, but restricting the packages to specific versions is fragile and broken.

Use Yum

yum is used by many RPM based distributions, but unfortunately each distro uses slightly different versions to the one in Debian - so whilst I could run:

mkdir /tmp/fc6
yum -c /tmp/yum.conf --installroot /tmp/fc6 install yum

This results in a system which cannot be updated:

chroot /tmp/fc6 /usr/bin/yum update
[errors about yum database formats]

I suspect this is because the versions of the Berkeley database are different .. but I'm not sure.

Parse Dependencies

This would be a neat approach, however it is difficult. Too difficult.

Abandoned after several fruitless hours.


I cheated in the end.

  • Download a list of packages which are known to be required to produce a working yum, and unpack them.
  • Copy those downloaded packages into the yum cache tree.
  • Run yum install yum - to make the local Yum + RPM database match what we fetched manually
    • Unfortunately "rpm rebuilddb" couldn't do that for us.

Worst case? I download each package twice. Once for the initial download, and once again when the Yum process runs. I can live with that.

I'll talk about something else next time. Promise.



But you better not kill the groove

21 July 2007 21:50

The rinse tool has been sucking up a bit of my time recently, but happily it now installs:

  • Centos 4 & 5.
  • Fedora Core 4, 5 & 6.

(Debian package for Etch available here. Could be worth uploading to Sid? I'm tempted to do it myself .. at the very least it provides an alternative to rpmstrap and it shouldn't require constant updates... Yay? Nay?)

Each of the seven supported distributions may be installed as either "i386" or "amd64" flavours.

The current CVS version of xen-tools can use rinse as an installation method, so I can now create Xen guests of RPM-based distributions with a single command and a few minutes of patience.

Nothing else exciting is happening right now. My partner is still away in the United States. (Counting fiddler crabs in the Florida Everglades!) Still it isn't all bad - she promised to bring me back a Nintendo DS - and the pictures seem to suggest she's having a fine time. Argh! Pirates!

The only other thing I'm doing right now is working on the alternative dating site. That seems to be picking up steam in two geographical clusters. So I'm now spending a fair bit of time pimping, promoting and advertising specifically in the Edinburgh & London areas.



We're all to blame

22 July 2007 21:50

Jose Carlos Garcia Sogo: Whilst breasts are everywhere I find it highly inappropriate for people to link to videos of them on Planet Debian.

I'd comment to that effect upon your post but I'm getting a 500 error from your server.

In other news Joey Hess reminded me this evening that it is pretty much the 1 year anniversary of my Xen Hosting setup.

In the next few days, once I've checked dates and looked to see if we can upgrade, etc, I'll be requesting payment from those people who wish to continue.



That I can't show you how

30 July 2007 21:50

Russell Coker has recently started posting random tech-tips and recipes in his blog :

To improve things in this regard I plan to increase the number of posts I write with solutions to random technical problems that I encounter with the aim of providing a resource for google searches and to randomly inform people who read my blog.

This is nice to see on Planet Debian - although I hope we continue to see the personal entries.

For anybody else who is considering posting things like this I would be delighted if you'd copy them to the Debian Administration website. There have been numerous times when I've been just about to write something on a topic, seen it posted elsewhere and figured I shouldn't do so:

  • Because it would be duplication.
  • Because it would look like plagiarism

(Notable examples off the top of my head: Introduction to OpenVZ, Introduction to GIT, several Xen pieces.)

I don't get many submissions, which I'm getting resigned to, but it is easy and people really really are grateful for new posts.

In other news linuxlinks.com are a bunch of spammers and will be reported as such. I utterly fail to care that they've added "my software" to their list; if I cared I'd join their site and agree to receive emails from them..
