Archive for the ‘Linux’ Category

OpenSuSE 11.3: Network Management disabled

Got hit by the buggy network manager on OpenSuSE 11.3, which turns disabled after waking up from suspend/hibernate.

Simple workarounds to get network manager working again (Use any of these) :-


# qdbus --system org.freedesktop.NetworkManager /org/freedesktop/NetworkManager wake


# nm-online


# rm /var/lib/NetworkManager/NetworkManager.state && rcnetwork restart

This resume bug is marked fixed. However, the fix is not available in the update repo yet. :(

Monday, July 19th, 2010

Battery info button on HP elitebook 6930p

Keymapping a laptop keyboard is fun, especially since there are lots of default actions attached to it. One particular key, FnF8, which has a tiny battery icon, is not mapped to any action. It has a keycode of 137 on the HP elitebook 6930p. I decided to bind the keycode to call up the kpowersave information dialog since I am using KDE4 as my desktop manager. But how to call up only the kpowersave information dialog? Running the command “kpowersave” will only trigger another instance of kpowersave.

I tried to use qdbus but could not find a suitable dbus object to display the kpowersave information dialog. Nevertheless, qdbus is quite handy when it comes to changing the power profile of kpowersave.

qdbus is a no go for this purpose. I had to look for something else. Luckily, it did not take much of my time searching. “dcop” is it! dcop kpowersave KPowersaveIface showDetailedDialog will display kpowersave information dialog. Awesome!

I edited keytouch keyboard with these lines.

<key>
<name>battery</name>
<scancode>137</scancode>
<keycode>PROG2</keycode>
<default-action>dcop kpowersave KPowersaveIface showDetailedDialog</default-action>
</key>

Reactivated keytouch, the nifty application to map your multimedia keyboard. This is the result of pressing FnF8.

Nice eh?

Wednesday, September 16th, 2009

Quick note on Xen P2V migration


I had migrated some of the old machines at work to Xen hypervisor VMs. The procedure is rather straightforward and comes with many options. In this post, I used a simple dd command to migrate a physical machine to a flat file image on the Xen server.

DD IN ACTION

debian-HP370:~/ # dd if=/dev/cciss/c0d0 | ssh me@xenserver cat '>'/home/xen/img/debian-HP370.img

This will take a long time depending on your disk size/network speed. So leave it there and go on with other stuff. After a couple of hours, you have the image transferred to Xen server.

TAILORING TO VM ENVIRONMENT

As the physical machine has a smart array RAID and the VM has a choice of disk options (IDE, SATA, physical partition under the VM guest), I mounted the image and edited /etc/fstab to reflect the disk on the VM. Mounting an image file with many partitions is simple. Firstly, the offset value of the partition is required. This can be obtained via the fdisk command.

xenserver:/home/xen/img # fdisk -lu debian-HP370.img
You must set cylinders.
You can do this from the extra functions menu.

Disk debian-HP370.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x111f5759

Device Boot Start End Blocks Id System
debian-HP370.imgp1 * 63 102269789 51134863+ 83 Linux
debian-HP370.imgp2 102269790 106655534 2192872+ 5 Extended
debian-HP370.imgp5 102269853 106655534 2192841 82 Linux swap / Solaris

The offset value in this example is 63 * 512 = 32256

Note : 63 is the Start sector of the partition that I wanted to mount.

xenserver:/home/xen/img # mount -o loop,offset=32256 debian-HP370.img /mnt/stuff

Next, you can just vi /mnt/stuff/etc/fstab, to suit your Xen VM configurations. We are almost done.
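The offset can also be read straight from the image's partition table, which helps when the image holds logical partitions inside an extended one. The following is an added example, not part of the original post: it walks the MBR and the EBR chain and returns the byte offset for each partition. The function names and the in-memory sample (built to match the fdisk listing above) are constructed for illustration.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}  # types that hold a chain of logical partitions

def table_entries(sector):
    """Yield (slot, type, start_lba) for each used slot of an MBR or EBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a partition table sector (no 0x55AA signature)")
    for i in range(4):
        # 16-byte entry: boot flag, CHS start, type, CHS end, LBA start, sector count
        _, ptype, start, _ = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            yield i + 1, ptype, start

def partitions(read_sector):
    """Return [(number, type, start_sector, byte_offset)]; read_sector(lba) -> bytes."""
    found, ext_base = [], None
    for slot, ptype, start in table_entries(read_sector(0)):
        found.append((slot, ptype, start, start * SECTOR))
        if ptype in EXTENDED and ext_base is None:
            ext_base = start
    ebr, number, seen = ext_base, 5, set()
    while ebr is not None and ebr not in seen:  # 'seen' stops a looping EBR chain
        seen.add(ebr)
        nxt = None
        for _, ptype, start in table_entries(read_sector(ebr)):
            if ptype in EXTENDED:
                nxt = ext_base + start  # link: relative to the extended partition
            else:
                lba = ebr + start  # logical: relative to this EBR
                found.append((number, ptype, lba, lba * SECTOR))
                number += 1
        ebr = nxt
    return found

def sample_sector(*entries):
    """Constructed sample data: table sector from one (type, start, count) per slot."""
    body = b"".join(struct.pack("<B3xB3xII", 0, *e) for e in entries)
    return bytes(446) + body.ljust(64, b"\0") + b"\x55\xaa"

# Constructed to match the fdisk listing above: p1, extended p2, logical swap p5.
SAMPLE = {0: sample_sector((0x83, 63, 102269727), (0x05, 102269790, 4385745)),
          102269790: sample_sector((0x82, 63, 4385682))}

if __name__ == "__main__":
    for num, _, _, offset in partitions(lambda lba: SAMPLE.get(lba, b"")):
        print(f"p{num}: mount -o loop,offset={offset}")
```

To run it against a real image, pass a callable that seeks to lba * 512 in the opened file and returns the next 512 bytes.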

CREATING NEW VM

Creating a new VM is rather easy. You need a configuration file for the VM guest. Please refer to the example and wiki for the complete parameters. Just run xm new <configure file>, i.e. xm new debian-vmconfig, or else use vm-install and be prompted with a bunch of questions for the configuration parameters. Sample HVM configuration file for my VM:-

name="Linux-debian-HP370"
memory=1024
maxmem=2048
vcpus=2
on_poweroff="destroy"
on_reboot="restart"
on_crash="destroy"
localtime=0
keymap="en-us"

builder="hvm"
extid=0
device_model="/usr/lib/xen/bin/qemu-dm"
kernel="/usr/lib/xen/boot/hvmloader"
boot="c"
disk=[ 'file:/home/xen/img/debian-HP370.img,sda,w', ]
vif=[ 'mac=00:16:3e:51:16:ee,bridge=br0,model=e1000', ]

stdvga=0
vnc=1
vncunused=1
apic=1
acpi=1
pae=1

serial="pty"

START THE MACHINE, LITERALLY

At this point, you should turn off the physical machine to avoid an IP address clash. There is one last step to go, which is editing GRUB on the VM. You could just fire up the new guest VM with xm start Linux-debian-HP370 && xm console Linux-debian-HP370 and hit “e” at the GRUB menu to edit the kernel parameter for the root disk. Lastly, modify /boot/grub/menu.lst to reflect your root partition. Remember to run update-grub after you have finished editing.

OPTIONAL

Since my Xen server is a headless box, I have to go the extra mile to get into the console via an ssh tunnel.

ssh me@xenserver -L 5900:127.0.0.1:5900

Connecting vnc to localhost will give you the new shiny VM console.

Friday, July 24th, 2009

Debian : ssl-cert 1.0.15 chroot issue (ugly workaround)

In my previous post, I encountered a problem with ssl-cert in a chrooted environment. Installing ssl-cert via apt-get triggered these processes.

root 27799 0.0 0.4 4676 2256 pts/2 Ss+ 04:33 0:00 /usr/bin/dpkg --status-fd 13 --configure ssl-cert
root 27800 0.4 1.3 10016 7132 pts/2 S+ 04:33 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /var/lib/dpkg/info/ssl-cert.postinst configure
root 27806 0.0 0.2 3804 1192 pts/2 S+ 04:33 0:00 /bin/sh -e /var/lib/dpkg/info/ssl-cert.postinst configure
root 27808 0.0 0.2 3820 1280 pts/2 S+ 04:33 0:00 /bin/bash -e /usr/sbin/make-ssl-cert generate-default-snakeoil
root 27812 0.0 0.2 3780 1448 pts/2 S+ 04:33 0:00 openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key

Further investigation showed that process 27812 was stuck. Running the openssl command manually brings up:

27830:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 5

The error message is exactly the same as what Michael Prokop found.

The content of /tmp/tmp.OXerK27810 is:

#
# SSLeay example configuration file.
#

RANDFILE = $ENV::RANDFILE

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything

[ req_distinguished_name ]
commonName = myshinnybox

DIRTY SOLUTION
As I’m only interested in getting packages such as Postfix, Postgresql and Apache mod SSL to install, I killed the “apt-get install ssl-cert” process, fired up vi and removed the line RANDFILE = $ENV::RANDFILE from /tmp/tmp.OXerK27810.


# openssl req -config /tmp/tmp.OXerK27810 -new -x509 -days 3650 -nodes -out /etc/ssl/certs/ssl-cert-snakeoil.pem -keyout /etc/ssl/private/ssl-cert-snakeoil.key
Generating a 1024 bit RSA private key
................................................++++++
.......++++++
writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
-----
# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
ssl-cert is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up ssl-cert (1.0.15) ...
#

I don’t understand why the package ssl-cert exists in the first place when the user can just use the “openssl” command to generate an SSL certificate. Making the situation worse, ssl-cert was added as a dependency to many packages. Duh! In addition, chroot seems to be buggy under Linux.

Wednesday, February 20th, 2008

Debian : ssl-cert 1.0.15 chroot issue

Ran into some issues with the ssl-cert 1.0.15 installation in a Debian chroot environment. But it looks like I’m not alone. The issue was reported by Michael Prokop.


molecule:/# apt-get install ssl-cert
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
ssl-cert
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/7938B of archives.
After this operation, 90.1kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package ssl-cert.
(Reading database ... 27065 files and directories currently installed.)
Unpacking ssl-cert (from .../ssl-cert_1.0.15_all.deb) ...
Setting up ssl-cert (1.0.15) ...

……took forever……

make-ssl-cert generate-default-snakeoil took forever. So it looks like there is no fun with ssl-cert in a chroot’ed environment. Any solution out there? Buzz me. Thanks.

Monday, February 18th, 2008

Linux : vmsplice local root exploit (Goodbye uptime)


As the Linux kernel vmsplice local root exploit is in the wild and the Debian boxes in my office are vulnerable to the exploit, I have decided to upgrade their kernels. It’s sad to see rock-solid Linux boxes go down for the 1st time after running stable for nearly 8 months.

17:01:25 up 230 days, 9:59, 3 users, load average: 0.00, 0.00, 0.02


17:02:31 up 231 days, 7:02, 1 user, load average: 0.18, 0.38, 0.18

After upgrade

chflags@mzimyklosb03:~$ ./c
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e64000 .. 0xb7e96000
[-] vmsplice: Bad address
chflags@mzimyklosb03:~$ uname -smr
Linux 2.6.24.2 i686

Thursday, February 14th, 2008

CentOS : Switching default MTA to Postfix

This is just a short note for my own reference. :)

1) Install postfix
# yum install postfix

2) Set default MTA to Postfix via this command
# alternatives --set mta /usr/sbin/sendmail.postfix

3) Autostart Postfix (Optional but you really want to do it)
# chkconfig --levels 235 sendmail off
# chkconfig --levels 235 postfix on
# /etc/init.d/sendmail stop
# /etc/init.d/postfix start

Monday, February 4th, 2008

Fun with ubuntu logo

Well, it seems like people like to mess around with the Ubuntu logo. Some of them are creative, hilarious, and offensive in the eyes of Ubuntu users. PLEASE PARDON THE PUN. DON’T HIT ME! Especially as the Ubuntu-my meetup is just around the corner. Please don’t ask me for the author of those images. These are just some of the images that I came across on the net.

WARNING!

Rated 18SX: The images might contain non-excessive sexual element and they are only for viewers of age of 18 years old and above. :p


Thursday, January 24th, 2008

Curbing Image/PDF spam : Realtime Black Lists

Another way of fighting image spam is a Realtime Black List lookup. This tactic is probably one of the methods that is inexpensive in server resources.

With postfix, you could just add reject_rbl_client images.rbl.msrbl.net to smtpd_client_restrictions section of postfix’s main.cf.

For instance:

smtpd_client_restrictions = permit_mynetworks,
    reject_rbl_client images.rbl.msrbl.net,
    ....

For qmail, you could just add -r images.rbl.msrbl.net as tcpserver option of your qmail smtp startup script.

Note : images.rbl.msrbl.net – Hosts found sending mail containing spam images. Check out MSRBL for more info.
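What the lookup amounts to is a single DNS query: the client address is reversed, prefixed to the zone, and any A record in the answer means the host is listed. The following is an added example, not code from the original post or from Postfix. It mirrors the permit_mynetworks, reject_rbl_client order shown above and also covers IPv6 clients (nibble format), which goes beyond the post. The function names, the fake resolver and the sample addresses are constructed, and treating resolver errors as "not listed" is an assumption of this example.

```python
import ipaddress
import socket

ZONE = "images.rbl.msrbl.net"  # the zone named in the post

def rbl_query_name(client_ip, zone=ZONE):
    """DNS name looked up for a client: reversed address labels + zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")                   # one label per octet
    else:
        labels = list(ip.exploded.replace(":", ""))   # one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone

def resolve_a(name):
    """Real resolver: A records for name, empty list if none (assumption: errors too)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def client_restrictions(client_ip, mynetworks=("127.0.0.0/8",), zone=ZONE,
                        resolver=resolve_a):
    """Evaluate 'permit_mynetworks, reject_rbl_client zone' for one client."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "permit", []            # trusted network: the RBL is never queried
    answers = resolver(rbl_query_name(client_ip, zone))
    # Any A record under the zone means listed; no record means no decision.
    return ("reject", answers) if answers else ("dunno", [])

# Constructed stand-in for DNS so the example runs offline: one listed client.
FAKE_ZONE = {"10.2.0.192." + ZONE: ["127.0.0.2"]}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.10", "198.51.100.7"):
        print(ip, client_restrictions(ip, ("10.0.0.0/8",), resolver=fake_resolver))
```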

Friday, September 7th, 2007

Curbing Image/PDF spam : Clamav

In my previous post, I discussed some of the anti image/PDF spam measures. I have tried clamav with Sanesecurity’s phishing and scam signatures.

On FreeBSD, I downloaded the update shell script by Dan Larsson and made a slight modification, as I do not wish to install/use rsync on production servers just to download signature files. I have added these two lines to the update shell script under “http_source_urls” and commented out “rsync_source_urls“.

http://download.mirror.msrbl.com/MSRBL-Images.hdb

http://download.mirror.msrbl.com/MSRBL-SPAM.ndb

http_source_urls="
   http://www.sanesecurity.com/clamav/phishsigs/phish.ndb.gz
   http://www.sanesecurity.com/clamav/scamsigs/scam.ndb.gz
   http://clamav.securiteinfo.com/vx.hdb.gz
   http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
   http://download.mirror.msrbl.com/MSRBL-Images.hdb
   http://www.malware.com.br/cgi/submit?action=list_clamav,fetch_interval=86400,target_file=mbl.db
"
#rsync_source_urls="
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-Images.hdb
#   rsync://rsync.mirror.msrbl.com/msrbl/MSRBL-SPAM.ndb
#"


Friday, September 7th, 2007