Entries posted in October 2007

thinking everything's gonna be as sweet as pie

Thursday, 1 November 2007

I'm in a position where I need to rebuild a Linux kernel for a number of distributions and architectures. Currently the distributions are:

  • Debian Etch
  • Ubuntu Dapper
  • Ubuntu Edgy
  • Ubuntu Feisty
  • Ubuntu Gutsy

(For each distribution I need a collection of packages for both i386 and amd64.)

I've written a couple of scripts to automate the process - first of all running "make menuconfig" within a debootstrap-derived chroot of each arch & distribution pair. Then later using those stored .config files to actually produce the packages via make-kpkg.

This process, as you could imagine, takes several hours to complete. Then there's the testing ...

I'm sure there must be other people with this kind of need but I was surprised to see nothing in my search attempts.

ObRandom: I'm tempted to switch from song-lyrics to film names as post titles. Undecided as yet. I guess it doesn't really matter, just gives me a small amount of amusement. Even now.


Some of them want to abuse you

Tuesday, 30 October 2007

During the cleaning of my home office I came across an old notebook from a few years back, full of notes about the configuration of my PCs.

In it I find things like this:

Linux Kernel Config
2.0.36
Loadable Modules Support
 [*] Enable loadable module support

Network device support
 [*] Ether express pro 100 (mice)
 [*] NE2000 support (rats)

/dev/cdrom => /dev/scd0

Most interesting to me is the mention of mice.my.flat and rats.my.flat - fun hostnames! A quick google suggests that 2.0.36 was current sometime in early January 1999.

I remember buying a network card, at that time, meant going to the local computer shop, and picking two cards at random from their "network card bin". Each card cost £5 and my approach was to go in and buy two cards at random, then get home and modprobe every module until I found one of them at least. If there was no joy I'd return the next weekend and exchange them for two more!

Funny how things change.

Nowadays on my primary machine, vain.my.flat, I have autodetection of my current (onboard) NIC. I don't have to worry about ports or iobase for my (onboard) sound.

Everything just works... (Except for the GNOME-panel volume control applet which crashes on startup. Hmmm.)

Same local domain name, different flat.


It's been seven hours and fifteen days

Friday, 26 October 2007

I made a new release of the Chronicle blog compiler the other day, which seems to be getting a surprising number of downloads from my apt repository.

The apt repository will be updated shortly to drop support for Sarge, since in practice I've not uploaded new things there for a while.

In other news I made some new code for the Debian Administration website! The site now has the notion of a "read-only" state. This state forbids new articles from being posted, new votes being cast, and new comments being posted.

The read-only state is mostly designed for emergencies, and for admin work upon the host system (such as when I'm tweaking the newly installed search engine).

In more coding news I've been updating the xen-shell a little recently, so it will shortly have the ability to checksum the filesystem of Xen guests - and later validate them. This isn't a great security feature because it assumes you trust dom0 - and more importantly to checksum files your guest must be shutdown.

However as a small feature I believe the suggestion was an interesting one.

Finally I've been thinking about system exploitation via temporary file abuse. There are a couple of cases that are common:

  • Creation of an arbitrary (writeable) file upon a host.
  • Creation of an arbitrary (non-writable) file upon a host.
  • Truncation of an existing file upon a host.

Exploiting the first to go from user to root access is trivial. But how would you exploit the last two?

Denial of Service attacks are trivial via the creation/truncation of /etc/nologin, /etc/shadow, or even /boot/grub/menu.lst! But gaining privileges? I can't quite see how.
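The "truncation of an existing file" case above usually comes from a program opening a predictable temporary name with O_CREAT|O_TRUNC. As an added example (not code from the original post), here is that unsafe open beside the hardened O_EXCL|O_NOFOLLOW form, with a constructed harness that plants a symlink in a private scratch directory and measures what happens to the file it points at; the victim file, directory name and scratch layout are all assumptions of the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* The classic unsafe pattern: a predictable name opened with O_CREAT|O_TRUNC.
 * Whatever already sits at that path, including a symlink to another file,
 * is followed and truncated: the "truncation of an existing file" case. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL rejects any pre-existing path and O_NOFOLLOW rejects
 * a symlink, so a planted entry produces an error instead of a truncation. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demonstration harness (constructed, entirely inside a private scratch dir):
 * write a "victim" file, point a symlink at it from the predictable temp
 * name, run the opener, and report the victim's size afterwards (-1 on setup
 * failure). *open_rc receives the opener's return value. */
static long run_case(int (*opener)(const char *), int *open_rc)
{
    const char *base = getenv("TMPDIR");
    char dir[512], victim[600], lnk[600];
    snprintf(dir, sizeof dir, "%s/tmpdemo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/predictable.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL) return -1;
    fputs("important contents\n", f);   /* 19 bytes */
    fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = opener(lnk);
    *open_rc = fd;
    if (fd >= 0) close(fd);
    struct stat st;
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}
```

The unsafe opener leaves the victim at 0 bytes; the hardened one fails with EEXIST and the victim keeps its 19 bytes.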

Comments welcome!


You see I'm falling in the vast abyss

Wednesday, 24 October 2007

A while back I posted about a couple of my irritations with GNU Screen.

One of my irritations was the failure to reattach to sessions by name, if common prefixes were in use. For example with the following two (detached) sessions:

There are screens on:
        24419.abc       (Detached)
        24395.abcd      (Detached)
2 Sockets in /var/run/screen/S-skx.

The naive "screen -R abc" fails.

Yesterday whilst looking over the screen bug list I came up with a patch. It isn't ideal as it introduces a new failure case, but I believe it is a step in the right direction and better than the current situation. See attachment to #361274 for the code.

Also I patched screen so that #330036 is now fixed, and the blankerprg primitive works as expected.

Finally I closed #317450 (with a version) as it has been fixed since Etch.

Fun stuff.

In the spirit of completeness I should say I had a stab at #447210 which is tilde (~) expansion in the chdir primitive, but gave up after a while as the code got too messy even for me.

The trivial s/~/getenv("HOME")/ approach works fine for the simple case, but dealing with the expansion of strings such as ~foo/bar/ gets messy quickly. I can offer my patch if there is any interest though as a stop-gap measure.
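The general form of the expansion described above, as an added example that is not the patch submitted to #447210: a bare "~" and "~/rest" use $HOME, while "~user" and "~user/rest" are looked up via getpwnam(), and anything else (including an unknown user) is handed back unchanged so the caller can decide what to do. The function name and the fixed-size name buffer are assumptions of this example.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Expand a leading "~" or "~user" in path into a newly allocated string.
 * "~" and "~/rest" use $HOME; "~user" and "~user/rest" use the user's
 * password-database home directory. Anything else, including an unknown
 * user, is returned unchanged (as a copy) so the caller can report it.
 * Caller frees the result. Returns NULL only on allocation failure. */
char *expand_tilde(const char *path)
{
    if (path == NULL || path[0] != '~')
        return strdup(path ? path : "");

    /* The user name (possibly empty) runs from after '~' to the first '/'. */
    const char *rest = strchr(path, '/');
    size_t namelen = rest ? (size_t)(rest - path - 1) : strlen(path) - 1;
    if (rest == NULL)
        rest = "";                       /* bare "~" or "~user" */

    const char *home = NULL;
    if (namelen == 0) {
        home = getenv("HOME");           /* the simple s/~/$HOME/ case */
    } else {
        char name[256];
        if (namelen >= sizeof name)
            return strdup(path);         /* absurdly long name: leave alone */
        memcpy(name, path + 1, namelen);
        name[namelen] = '\0';
        struct passwd *pw = getpwnam(name);
        if (pw)
            home = pw->pw_dir;
    }
    if (home == NULL)
        return strdup(path);             /* unknown user or no $HOME */

    size_t len = strlen(home) + strlen(rest) + 1;
    char *out = malloc(len);
    if (out)
        snprintf(out, len, "%s%s", home, rest);
    return out;
}
```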

Now I'm almost tempted to look over another package's bugs, but I think I'd rather eat pie & drink beer...

must. stop. talking. about. pies.

Update: Patch for tilde expansion submitted to #447210 - tested and seemed to cover all cases. Now time for beer!


Drip drip drip drip drink a little drip drip drip drip

Sunday, 21 October 2007

It is interesting that there have been posts about archive tools appearing upon the Planet Debian.

Recently I set up an instance of rebuildd which worked nicely once I'd installed the required dependencies manually.

I also run three instances of reprepro, but their life is not such a happy picture.

I might be using reprepro incorrectly, but despite fighting with it for some time I cannot coerce the software into allowing me to upload the same version of a binary package for amd64 & i386 architectures - something I frequently want to do.

On the face of it importing packages into a small database doesn't seem terribly difficult, but it is a problem I've not spent much time looking at yet.


As I move on through the year

Friday, 19 October 2007

Bits from the Security Team

  • We get tons of spam. If your issue isn't replied to at least once wait a day and resend.
  • Frequently advisories are delayed because our buildd machines are broken. We can't fix them.
  • People reporting bugs with the 'security' tag help us.
  • People reporting bugs with patches help us more.
  • People reporting bugs with patches and pointers to fixed packages they have built help us best.
  • I like pies.

I am happy to look over patches, built packages, and generally encourage people to be involved. Our team isn't huge but historically we've only added people who've done a fair bit of work first. That is both good and bad.

I could write more, and probably should, but I'll stop there for now because I'm frustrated by the HPPA build machine. Again.

ObRelated: Moritz is trying to get the archive rebuilt with security features from our compilers (e.g. -fstack-protector) included. This would be a fantastic achievement. People interested in tested kernel patches, donating buildd machines, etc, etc should give him a ping.


Prepare yourself you know it's a must

Wednesday, 17 October 2007

After years of on-again-off-again infatuation I now own my very own steam engine.

This makes me far far happier than I was expecting.

In other news a new release of xen-tools was made to fix some stupid bugs, a release of xen-shell is pending for the same reason, and after declaring I'd not make another release of GNUMP3d again I'm just about to do that too.

I am finding myself rather bored working on the same projects for so long. Though thankfully each of those three is essentially complete. If I died tomorrow there would be no real need for future development. I guess I need a new project to work upon.

The mail-scanning was going to be that project, but that has been sidetracked as I've been stripping out all the pretty and functional user-interface code with the aim of selling the code to $company as a one-off deal. (Not confirmed. Nice idea though.)

So I need a new project. People like Joey Hess who can almost instantly start fun projects (such as moreutils, ikiwiki, pristine-tar, mr) which just seem so obvious, necessary and useful on a whim make me jealous!

All in all life is good and steamy.

I just need inspiration. And more hours in the day too.


She couldn't quite explain it

Monday, 15 October 2007

Previously I wrote about two "bugs" with GNU Screen.

Now I discover, via a customer, that one of the servers I set up had allowed shell access when it should have been prohibited. A potentially serious security hole in this context.

Here is an example, with this small .screenrc file:

#
#  Normally "ctrl-a c" would open a new "window".
#
#  We wish to prohibit that
#
bind c

Start GNU screen. Press "Ctrl-a c": nothing happens. All looks well, you've denied a new window! If you'd set up a shell in /etc/passwd to point to a wrapper which invoked GNU Screen with this configuration file you'd be fine, right?

Actually not. Try pressing "Ctrl-a" and whilst those two keys are held down press and release "c". Joy. New window created. Even though it shouldn't be.

Update: Turns out I'm stupid. "ctrl-a c" is the same as "ctrl-a ctrl-c" by default. I didn't add "bind ^c" appropriately. My bad.

For reference, if you want to stop shell creation and you invoke screen as a login shell as a wrapper for other things then you must unbind a lot of builtins, e.g. "bind :". You should then set:

shell /bin/false

Only then will you be secure. Probably.

Thankfully this doesn't affect the Xen shell.


Well! My manner is vague and aloof

Saturday, 13 October 2007

For future reference:

I will ensure this is kept up to date.

(Prompted by an unscheduled outage which I'm really annoyed about!)


I put a spell on you

Thursday, 11 October 2007

Felipe Sateler kindly made a Debian package for the chronicle blog compiler, so you can now get it from my apt-get repository.

He suggested it be uploaded to Debian sid; I'm happy to do so if there is any interest. Otherwise I'll keep placing releases there when they occur.

(To be honest I don't anticipate any major development unless there are bugs, or people would like to contribute themes ..)


I roll and I tumble practically all night long

Wednesday, 10 October 2007

Today mostly consisted of a new release of the chronicle blog compiler. Interestingly this received several random mails today. I wonder what caused that all of a sudden?

The release of the compiler is timely, as it reminds me I've still not managed to find a decent gallery compiler. Although the thought of writing my own, rightly, fills me with depression.

I've been interested in reading more about both Git and SELinux upon Planet Coker Debian recently. I've switched several small projects over to GIT but I've not yet listed them publicly. First of all I would like to see if there is a version of trac that I can install which supports git repositories. I guess that's a job to research tomorrow.

I wonder if I would confuse people by hosting GIT projects upon cvsrepository.org? ;)


Oh, didn't I, didn't I, didn't I see you cryin'?

Monday, 8 October 2007

Curse you Debian! Your programs are too secure...

So I was looking over some setgid binaries last night, seeing if there were any obvious security bugs.

Up popped omega-rpg - a fun game I've recently been playing. Unfortunately it is mostly OK:

  • The insecure support for save-game-compression is disabled for Debian.
  • The use of environmental variables is safe.
  • The use of low-memory detection is disabled on non-MSDOS systems.
  • The console-based input doesn't succumb to badness if you resize your terminal to allow >80 character input.

The only thing I can do is persuade the game to die with a SIGSEGV if I manually edit a save-game file, then load it. I'm sure with care and patience it could be coerced into running shellcode.

In theory this is a security hole. In practice it is hard to take seriously!

On the other hand I'm not convinced the game should be setgid(games)..


For you the sun will be shining

Saturday, 6 October 2007

Thanks to the people who commented on my post about a decent apt cacher, it was good to see that I'm not alone.

Thanks to RobertH for recommending the new tool acng - I've not used it yet, instead I gave it a quick look and reported a potentially serious bug. Hopefully that'll be fixed in the next release.

In the meantime apt-cacher actually appears to be holding up quite nicely and the nice HTML report it generates is cute!

Now onto the next challenge...

I would like some kind of tool to convert a random hierarchy of images (jpg) into a small gallery. (Utterly non-dynamic - but ideally with tagging support and RSS feeds).

There seem to be a plethora of options to the problem, surprisingly many of them involving Python ..

If anybody has any pointers I'd appreciate a link.

For reference my current galleries tend to look like this - warning fluffy animals!

Using "apt-cache search static gallery" I find three programs:

bins - Very heavyweight. Unattractive.

photon - Pretty. Requires GIMP for creating thumbnails - unsuitable for my lightweight webhost.

jigl - Looks great. Does 90% of what I want - specifically misses tags & rss.


When you want to go to it

Thursday, 4 October 2007

Here's a quick question - does there exist a stable and reliable caching proxy for APT?

Both apt-proxy and approx cause me problems on a regular basis - with MD5 sum mismatches on Release files. And general hangs, stalls and timeouts.

I've just installed and configured apt-cacher but #437166 doesn't fill me with confidence..
