Entries posted in October 2007

Here's a quick question - does there exist a stable and reliable caching proxy for APT?

Both apt-proxy and approx cause me problems on a regular basis - with MD5 sum mismatches on Release files. And general hangs, stalls and timeouts.

I've just installed and configured apt-cacher but #437166 doesn't fill me with confidence..

Tags: apt caching, caching, debian, questions | No comments

Thanks to the people who commented on my post about a decent apt cacher, it was good to see that I'm not alone.

Thanks to RobertH for recommending the new tool acng - I've not used it yet, instead I gave it a quick look and reported a potentially serious bug. Hopefully that'll be fixed in the next release.

In the meantime apt-cacher actually appears to be holding up quite nicely and the nice HTML report it generates is cute!

Now onto the next challenge...

I would like some kind of tool to convert a random hierarchy of images (jpg) into a small gallery. (Utterly non-dynamic - but ideally with tagging support and RSS feeds).

There seem to be a plethora of options to the problem, suprisingly many of them involving Python ..

If anybody has any pointers I'd appreciate a link.

For reference my current galleries tend to look like this - warning fluffy animals!

Using "apt-cache search static gallery" I find three programs:

bins - Very heavyweight. Unattractive.

photon - Pretty. Requires GIMP for creating thumbnails - unsuitable for my lightweight webhost.

jigl - Looks great. Does 90% of what I want - specifically misses tags & rss.

Tags: apt, apt-caching, debian packages, image galleries, lazyweb, security holes | No comments

Curse you Debian! Your programs are too secure...

So I was looking over some setgid binaries last night, seeing if there were any obvious security bugs.

Up popped omega-rpg - a fun game I've recently been playing. Unfortunately it is mostly OK:

• The insecure support for save-game-compression is disabled for Debian.
• The use of environmental variables is safe.
• The use of low-memory detection is disabled on non-MSDOS systems.
• The console-based input doesn't succumb to badness if you resize your terminal to allow >80 character input.

The only thing that I can is persuade the game to die with a SIGSEG if I manaully edit a save-game file, then load it. I'm sure with care and patience it could be coerced into running shellcode.

In theory this is a security hole. In practise it is hard to take seriously!

On the other hand I'm not convinced the game should be setgid(games)..

Tags: auditing, obrandom, security | No comments

Today mostly consisted of a new release of the chronicle blog compiler. Interestingly this received several random mails today. I wonder what caused that all of a sudden?

The release of the compiler is timely, as it reminds me I've still not managed to find a decent gallery compiler. Although the thought of writing my own, rightly, fills me with depression.

I've been interested in reading more about both Git and SELinux upon Planet Coker Debian recently. I've switched several small projects over to GIT but I've not yet listed them publically. First of all I would like to see if there is a version of trac that I can install which supports git repositories. I guess that's a job to research tomorrow.

I wonder if I would confuse people by hosting GIT projects upon cvsrepository.org? ;)

Tags: chronicle, cvs, git | No comments

Felipe Sateler kindly made a Debian package for the chronicle blog compiler, so you can now get it from my apt-get repository.

He suggested it be uploaded to Debian sid, I'm happy to do so if there is any interest. Otherwise I'll keep placing release there when they occur.

(To be honest I don't anticipate any major development unless there are bugs, or people would like to contribute themes ..)

Tags: apt-get, chronicle | No comments

For future reference:

• Xen-Hosting.org: Outage record.

I will ensure this is kept up to date.

(Prompted by an unscheduled outage which I'm really annoyed about!)

Tags: outages, xen-hosting | No comments

Previously I wrote about two "bugs" with GNU Screen.

Now I discover, via a customer, that one of the servers I setup had allowed shell access when it should have been prohibited. A potentially serious security hole in this context.

Here is an example, with this small .screenrc file:

#
#  Normally "ctrl-a c" would open a new "window".
#
#  We wish to prohibit that
#
bind c

Start GNU screen. Press "Ctrl-a c" nothing happens. All looks well, you've denied a new window! If you'd setup a shell in /etc/passwd to point to a wrapper which invoked GNU Screen with this configuration file you'd be fine, right?

Actually not. Try pressing "Ctrl-a" and whilst those two keys are held down press and release "c". Joy. New window created. Even though it shouldn't be.

Update - Turns out I'm stupid "ctrl-a c" is the same as "ctrl-a ctrl-c" by default. I didn't add "bind ^c" appropriately. My bad.

For reference if you want to stop shell creation and you invoke screen as a login shell as a wrapper for other things then you must unbind a lot of builtins. eg. "bind :". You should then set:

shell /bin/false

Only then will you be secure. Probably.

Thankfully this doesn't affect the Xen shell.

Tags: false alarm, gnu screen, rants, screen | No comments

After years of on-again-off-again infatuation I now own my very own steam engine.

This makes me far far happier than I was expecting.

In other news a new release of xen-tools was made to fix some stupid bugs, a release of xen-shell is pending for the same reason, and after declaring I'd not make another release of GNUMP3d again I'm just about to do that too.

I am finding myself rather bored working on the same projects for so long. Though thankfully each of those three is essentially complete. If I died tomorrow there would be no real need for future development. I guess I need a new project to work upon.

The mail-scanning was going to be that project, but that has been sidetracked as I've been stripping out all the pretty and functional user-interface code with the aim of selling the code to $company as a one-off deal. (Not confirmed. Nice idea though.)

So I need a new project. People like Joey Hess who can almost instantly start fun projects (such as moreutils, ikiwiki, pristine-tar, mr) which just seem so obvious, necessary and useful on a whim make me jealous!

All in all life is good and steamy.

I just need inspiration. And more hours in the day too.

Tags: gnump3d, steam, xen-shell, xen-tools | No comments

Bits from the Security Team

• We get tons of spam. If your issue isn't replied to at least once wait a day and resend.
• Frequently advisories are delayed because our buildd machines are broken. We can't fix them.
• People reporting bugs with the 'security' tag help us.
• People reporting bugs with patches help us more.
• People reporting bugs with patches and pointers to fixed packages they have build help us best.
• I like pies.

I am happy to look over patches, built packages, and generally encourage people to be involved. Our team isn't huge but historically we've only added people who've done a fair bit of work first. That is both good and bad.

I could write more, and probably should, but I'll stop there for now because I'm frustrated by the HPPA build machine. Again.

ObRelated: Moritz is trying to get the archive rebuilt with security features from our compilers (eg. -fstack-protector) included. This would be a fantastic achievement. People interested in tested kernel patches, donating buildd machines, etc, etc should give him a ping.

Tags: debian, dsa, hardening, pies, security team | No comments

It is interesting that there have been posts about archive tools appearing upon the Planet Debian.

Recently I setup an instance of rebuildd which worked nicely once I'd installed the required dependencies manually.

I also run three instances of reprepro, but there life is not such a happy picture.

I might be using reprepro incorrectly, but despite fighting with it for some time I cannot coerce the software into allowing me to upload the same version of a binary package for amd64 & i386 architectures - something I frequently want to do.

On the face of it importing packages into a small database doesn't seem terribly difficult, but it is a problem I've not spent much time looking at yet.

Tags: debian, irritations, rebuildd, reprepro | No comments

A while back I posted about a couple of my irritations with GNU Screen.

One of my irritations was the failure to reattach to sessions by name, if common prefixes were in use. For example with the following two (detached) sessions:

There are screens on:
        24419.abc       (Detached)
        24395.abcd      (Detached)
2 Sockets in /var/run/screen/S-skx.

The naive "screen -R abc" fails.

Yesterday whilst looking over the screen bug list I came up with a patch. It isn't ideal as it introduces a new failure case, but I believe it is a step in the right direction and better than the current situation. See attachment to #361274 for the code.

Also I patched screen so that #330036 is now fixed, and the blankerprg primitive works as expected.

Finally I closed #317450 (with a version) as it has been fixed since Etch.

Fun stuff.

In the spirit of completeness I should say I had a stab at #447210 which is tilde (~) expansion in the chdir primitive, but gave up after a while as the code got too messy even for me.

The trivial s/~/getenv("HOME")/ approach works fine for the simple case, but dealing with the expansion of strings such as ~foo/bar/ gets messy quickly. I can offer my patch if there is any interest though as a stop-gap measure.

Now I'm almost tempted to look over another package's bugs, but I think I'd rather eat pie & drink beer...

must. stop. talking. about. pies.

Update: Patch for tilde expansion submitted to #447210 - tested and seemed to cover all cases. Now time for beer!

Tags: bts, bugs, coding, gnu screen, screen | No comments

I made a new release of the Chronicle blog compiler the other day, which seems to be getting a suprising number of downloads from my apt repository.

The apt repository will be updated shortly to drop support for Sarge, since in practise I've not uploaded new things there for a while.

In other news I made some new code for the Debian Administration website! The site now has the notion of a "read-only" state. This state forbids new articles from being posted, new votes being cast, and new comments being posted.

The read-only state is mostly designed for emergencies, and for admin work upon the host system (such as when I'm tweaking the newly installed search engine).

In more coding news I've been updating the xen-shell a little recently, so it will shortly have the ability to checksum the filesystem of Xen guests - and later validate them. This isn't a great security feature because it assumes you trust dom0 - and more importantly to checksum files your guest must be shutdown.

However as a small feature I believe the suggestion was an interesting one.

Finally I've been thinking about system exploitation via temporary file abuse. There are a couple of cases that are common:

• Creation of an arbitrary (writeable) file upon a host.
• Creation of an arbitrary (non-writable) file upon a host.
• Truncation of an existing file upon a host.

Exploiting the first to go from user to root access is trivial. But how would you exploit the last two?

Denial Of Service attacks are trivial via the creation/truncation of /etc/nologin, /etc/shadow, (or even /boot/grub/menu.lst! But gaining privileges? I can't quite see how.

Comments welcome!

Tags: chronicle, debian-administration, security, xen-shell | No comments

During the cleaning of my home office I came across an old notebook from a few years back, full of notes about the configuration of my PCs.

In it I find things like this:

Linux Kernel Config
2.0.36
Loadable Modules Support
 [*] Enable loadable module support

Network device support
 [*] Ether express pro 100 (mice)
 [*] NE2000 support (rats)

/dev/cdrom => /dev/scd0

Most interesting to me is the mention of mice.my.flat and rats.my.flat - fun hostnames! A quick google suggests that 2.0.36 was current sometime in early January 1999

I remember buying a network card, at that time, meant going to the local computer shop, and picking two cards at random from their "network card bin". Each card cost £5 and my approach was to go in and buy two cards at random, then get home and modprobe every module until I found one of them at least. If there was no joy I'd return the next weekend and exchange them for two more!

Funny how things change.

Nowadays on my primary machine, vain.my.flat, I have autodetection of my current (onboard) NIC. I don't have to worry about ports or iobase for my (onboard) sound.

Everything just works... (Except for the GNOME-panel volume control applet which crashes on startup. Hmmm.)

Same local domain name, different flat.

Tags: mice.my.flat, nostalgia, rats.my.flat | No comments