Entries posted in May 2014

Sometimes reading code makes you scream.

Friday, 30 May 2014

So I've recently been looking at proxy-server source code, for obvious reasons. The starting point was a simple search of the available options:

~$ apt-cache search proxy filter
trafficserver - fast, scalable and extensible HTTP/1.1 compliant caching proxy server
ssh-agent-filter - filtering proxy for ssh-agent

Hrm? trafficserver? That sounds like fun. Let's look at the source.

cd /tmp
apt-get source trafficserver

Lots of code, but scanning it quickly with my favourite tool, grep, we find this "gem":

$ rgrep /tmp .
./mgmt/tools/SysAPI.cc:  tmp = fopen("/tmp/shadow", "w");
./mgmt/tools/SysAPI.cc:    system("/bin/mv -f /tmp/shadow /etc/shadow");

Is that really what it looks like? Really? Sadly yes.

There's lots of abuse of /tmp files in the code in mgmt/tools/, and although the modular structure took a while to understand, the code that is compiled here ultimately ends up being included in /usr/bin/traffic_shell. That means it is a "real" security issue, allowing race-tastic local-attackers to do bad things.

Bug reported as #749846.
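
The pattern grep turned up, a fixed name under /tmp that is later moved over /etc/shadow, has a standard safe replacement. As an added example (not from trafficserver or the original post; `replace_file_atomically` and `demo` are hypothetical names, and the file contents are constructed), the temporary is created with mkstemp() beside the target and renamed into place:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: atomically replace `target` with the string `data`.
 * mkstemp() opens an unpredictable name with O_CREAT|O_EXCL and mode 0600, so
 * a pre-planted file or symlink is never followed; the temporary sits beside
 * the target, so rename(2) is atomic and never crosses filesystems. */
int replace_file_atomically(const char *target, const char *data, mode_t mode)
{
    char tmp[4096];
    size_t left = strlen(data);
    int fd, ok = 1;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", target) >= (int)sizeof tmp
        || (fd = mkstemp(tmp)) < 0)
        return -1;
    while (ok && left > 0) {                 /* cope with short writes */
        ssize_t n = write(fd, data, left);
        if (n <= 0) ok = 0;
        else { data += n; left -= (size_t)n; }
    }
    ok = ok && fchmod(fd, mode) == 0 && fsync(fd) == 0;
    ok = (close(fd) == 0) && ok;             /* always close the descriptor */
    if (ok && rename(tmp, target) == 0) return 0;
    unlink(tmp);                             /* old target is left untouched */
    return -1;
}

/* Constructed demo in a private mkdtemp() directory; returns 0 on success. */
int demo(void)
{
    char dir[] = "/tmp/atomic-demo.XXXXXX", path[64], buf[32] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/shadow", dir);
    if (replace_file_atomically(path, "old\n", 0600) != 0) return -1;
    if (replace_file_atomically(path, "new\n", 0600) != 0) return -1;
    FILE *f = fopen(path, "r");
    int ok = f && fgets(buf, sizeof buf, f) && strcmp(buf, "new\n") == 0
             && stat(path, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (f) fclose(f);
    unlink(path);
    return (ok && rmdir(dir) == 0) ? 0 : -1; /* rmdir fails if a temp leaked */
}

int main(void) { return demo() == 0 ? 0 : 1; }
```

Ownership of the replaced file and locking against concurrent writers are left out of this example.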

In happier news, the desk I was building is now complete. Pretty.


I feel like I should write about auditing software, but equally I feel unqualified - better people than me have already done so, e.g. David Wheeler.

Also I've done it before, and nobody paid attention. (Or rather the people that should consider security frequently fail to do so, which is .. frustrating.)



Using a cubox as a media platform.

Friday, 23 May 2014

Somebody recently got in touch offering to mail me a Cubox, in exchange for me experimenting with it and writing about it. In the past I've written book reviews in exchange for receiving free copies, and while I don't want to make a habit of it I don't see a problem providing I'm up-front and honest.

So, what is the cubox-i? It's another one of those "small computers", roughly similar to the Raspberry Pi, but with slightly different hardware, and a really neat little case design; as the name suggests, it just looks like a tiny two inch cube, only spoiled by the mass of cabling attached to the back.

Me? I was cheeky and said I'd have no use for one, unless it was the fancy-model. The hardware comes in 4 different versions, which you can read about on the Cubox-i product page.

Ignoring the smaller/cheaper models the fancy version is the CuBox-i4Pro, and this differentiates itself from the Raspberry Pi:

  • It has built in WiFi support.
  • It has two USB ports, and a SATA port too.
  • It has a built in infrared receiver/transmitter.
  • The onboard NIC is 1Gb - though limited to 400Mb or so due to bus-constraints, certainly faster than the Pi.
  • The on-board storage is micro SD.
  • It looks lovely.

I had two uses for this toy; the first was to be a random NAS-box hosting local backups, the second was to be a media-center. In the past I used a Raspberry Pi as a media-box, but unfortunately performance was appalling, largely because of the low-speed of the USB WiFi dongle I bought.

The video playback would stall at times, even though the hardware could display full HD-output, the network constraints seemed to be a limiting factor. In the end I abandoned it and these days use it sporadically for emulation, and little else. I've been meaning to do something more interesting with it, but never quite got round to it.

By contrast the Cubox-i is wonderful at being a media-box. I've exported some shares of MP4/AVI files from my desktop host, via NFS, then downloaded a binary image of the geexbox (XBMC) distribution which I installed onto the MicroSD card via dd.

The box boots in about seven seconds, was configured to use WiFi (via "Programs | Settings"), and was streaming media in less than two minutes.

There is a Debian distribution available for download from the cubox-i wiki, but sadly it is an ancient snapshot of Jessie from December last year. It did install, but there was no WiFi out of the box. Gunnar Wolf wrote about bootstrapping an image from sources, rather than using a binary snapshot. He's kindly shared the resulting image he built, but again sadly no WiFi support, so for the moment I'm just enjoying the media-support.

In the future I need to decide what to do:

  • Keep the Cubox-i as a media box, using the PI for backup-hosting.
  • Avoid having two devices and lose media-streaming.

I also need to look at running Pure Debian, for obvious reasons, but if I can't use WiFi the machine is no good to me. (The TV is in a different room to the office which contains our Linux hosts.)

Either way I've not been excited about new hardware for a while, not since I bought a Logitech Squeezebox, and we're both enjoying watching media on the TV.



So firefox is dead to me now, sadly.

Thursday, 22 May 2014

I've somehow managed to break firefox:

Random downloads fail

They appear in the download manager with "failed" next to them.

Copying and pasting the URL and fetching via wget works.

Random extensions fail to install.

"Ghostery could not be installed because firefox cannot modify the needed file".

Moving ~/.cache/mozilla and ~/.mozilla out of the way doesn't help. Installing "tree style tabs" fails with no particular error.

The actual error reads "The extension couldn't be installed because firefox couldn't modify the needed file".

Googling didn't help, because it says "Create a new profile", which doesn't help, or "Disable extensions", which doesn't apply since none are present in the new profile.

Running strace doesn't reveal any obvious EACCES, EPERM, or ENOENT errors so I'm struggling to spot an obvious problem.

Downloading a binary firefox to /opt/firefox fails in the same way. Logging out of my desktop fails to make any difference.


The only thing I can say is:

shelob ~ $ dpkg --list | egrep '(xul|icewea)'
ii  iceweasel     29.0.1-1~bpo70+1    ...
ii  xulrunner-29  29.0.1-1~bpo70+1    ...

For the moment I'm hating the use of chromium, but it will suffice until I can try to dig deeper.



An email client and a new desk.

Wednesday, 14 May 2014

Today I released version 0.25 of my console mail client, which is a release focussed upon portability (DragonFly BSD, and MacOSX specifically).

Over the past couple of weeks I've written a fair bit of code, wondering if I want to make the jump to a graphical email client, but the conclusion for the moment has to be no.

With the scripting support built into my client, and even before then using the hooks/hacks that mutt supported, I just process mail so much more quickly than via a GUI system.

I also benefit from reading the mail on the host to which it is delivered - mail gets filtered by something like procmail, and I read it in situ. IMAP is available if I travel, but I rarely do so.

Having a GUI client might be fun, but it would mean I'd read mail on my desktop - pretty much the only system I don't backup (except for images, videos, and local media). It would also involve running imapsync, or similar, to pull the mail in, and relaying through the remote server to avoid my ISPs poor IP-reputation.

In short I believe if I use a GUI client I'll get slower, and I'll still need the remote host regardless.

It was this time last year when I thought it was functional, but now it is functional, battle-tested, and reliable.

So I guess I'm done with email for the next few years. Maybe in that time somebody will write something better - console based for preference, GUI as a last resort, and certainly not another webmail client.

In other news ..

I had a fun interview on Monday, it went well until they admitted they couldn't afford me - so their goal is to pay a junior member a small salary and hope to get somebody senior to work part-time for a similarly minimal salary. Might work for somebody else, but it wouldn't for me right now, so on that basis I declined.

The most annoying thing about interviewing is the waiting, between the early flirting about duties and expectations, to scheduling meetings, and then awaiting decisions.

On that note I'm half-way through building a new desk which is a nice physical job I can really concentrate upon. I'm currently waiting for the stain to dry on the legs, and then I'll get the damn thing finished. It probably looks more "rustic" than "modern", but it smells nice, so that's the main thing ;)

Expect pictures when it is finished.



Some brief updates

Thursday, 8 May 2014

Some brief notes, between tourist-moments.

Temporary file races

I reported some issues against the lisp that is bundled with GNU Emacs, the only one of any significance related to the fall-back uudecode option supported by tramp.el.

(tramp allows you to edit files remotely, it is awesome.)

Inadvertently I seem to have received a CVE identifier referring to the Mosaic web-browser. Damn. That's an old name now.

Image tagging

A while back I wrote about options for tagging/finding images in large collections.

Taking a step back I realized that I mostly file images in useful hierarchies:

Images/People/2014/01/03-Heidi/{ RAW JPG thumbs }
Images/People/2014/01/13-Hanna/{ RAW JPG thumbs }

On that basis I just dropped a .meta file in each directory with brief notes. e.g:

name     = Jasmine XXX
location = Leith, Edinburgh
source   = modelmayhem
theme    = umbrella, rain, water
contact  = 0774xxxxxxx

Then I wrote a trivial perl script to find *.meta - allowing me to create IMAGE_123.CR2.meta too - and the job was done.

Graphical Applications

I'm currently gluing parts of Gtk + Lua together, which is an experiment to see how hard it is to create a flexible GUI mail client. (yeah.)

So far it's easy if I restrict the view to three-panes, but I'm wondering if I can defer that, and allow the user to handle the layout 100%. I suspect "not easily".

We'll see, since I'm not 100% sold on the idea of a GUI mail client in the first place. Still it is a diversion.


I actually find myself looking forward to my next visit which is .. interesting?



New emacs?

Tuesday, 6 May 2014

The recent flurry of activity with neovim has made me wonder if there could be something similar for the other editor, emacs.

If you poke around recent GNU Emacs releases you'll come across random signs that the code carries a lot of baggage:


There are special considerations for a variety of this system which is known as the ``Yellow Dog [GNU/]Linux'

Yellow Dog [GNU/]Linux has been dead for many years now.


Contains references to skipping stuff that runs under Emacs 19, 20, 21, & 22.

None of these are huge things, and the core code of Emacs is a pleasure to read in many places, but it does make you think, or not, whichever the case may be it is all good :)

(I do all "real work" in emacs. I write all outgoing emails in vim, and use it for git/mercurial commit messages, otherwise the only time I use it is for random one-line edits over slow links.)



Sometimes it is surprising how stable systems are

Monday, 5 May 2014

Yesterday I received an automated alert from my kvm-hosting host-machine, informing me that one of the drives in the RAID-pair had failed.

This particular machine has been up and running since 2009, and according to my outage log this is the first downtime in three years. (The uptime was over 1000 days, which seems to confirm that pretty nicely.)

I like reliable systems, and sometimes it's worth remembering just how well they can work.

In other news I'm currently continuing to chase a new job. The companies I've approached, or which have approached me, are being a little slow in replying which is a shame, but I'm not hugely concerned .. yet.

I'm going to give things another week, or so, and then add a banner to the Debian-Administration website, and see if that results in anything interesting.

In the meantime I've got some wood, and a new mitre saw, and I will be spending the remainder of today working on my new desk. Doing physical things is always fun, and right now especially.



Cold lakes are cold.

Saturday, 3 May 2014

Swimming in a Finnish lake, after some (naked) sauna-time with my new brother in-law (lanko):

(Did I mention that it was cold? So. Very. Cold.)

And that concludes my annual tour of Helsinki, and the very beautiful surrounding scenery, which is largely water-based.


