<?xml version="1.0" encoding="utf-8"?><!-- generator="WordPress/2.8.4" -->
<rss version="0.92">
<channel>
	<title>codeblog</title>
	<link>http://www.outflux.net/blog</link>
	<description>code is freedom -- patching my itch</description>
	<lastBuildDate>Thu, 11 Mar 2010 06:49:00 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>openssl client does not check commonName</title>
		<description>I realize the openssl s_client tool tries to be upper-layer protocol agnostic, but doesn't everything that uses SSL do commonName checking (HTTP, SMTP, IMAP, FTP, POP, XMPP)?  Shouldn't this be something openssl s_client does by default, maybe with an option to turn it off for less common situations?

Here it ...</description>
		<link>http://www.outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/</link>
			</item>
	<item>
		<title>Clearing /tmp on boot</title>
		<description>I don't like unconditionally clearing /tmp on boot, since I'm invariably working on something in there when my system locks up.  But I do like /tmp getting cleaned up from time to time.  As a compromise, I've set TMPTIME=7 in /etc/default/rcS so that only stuff older than 7 ...</description>
		<link>http://www.outflux.net/blog/archives/2010/03/10/clearing-tmp-on-boot/</link>
			</item>
	<item>
		<title>Cylon Dorkshield</title>
		<description>I've finally soldered on the LEDs for the Cylon DorkShield I designed and got built in a recent DorkBotPDX PCB run.  I'm having trouble with the programmer, but I got the shield mostly working:

...</description>
		<link>http://www.outflux.net/blog/archives/2010/03/08/cylon-dorkshield/</link>
			</item>
	<item>
		<title>egosurfing with git</title>
		<description>I'm never sure when my commits to Linux actually make it into an official release.  Luckily, since releases are tagged, I can use "git tag --contains COMMIT" to find them.  So, in a stunning display of inefficiency, here's what I use to find my commits:


git log --author='Kees Cook' ...</description>
		<link>http://www.outflux.net/blog/archives/2010/02/28/egosurfing-with-git/</link>
			</item>
	<item>
		<title>fun with process scheduling</title>
		<description>In an attempt to force an exec to totally stall so I could attach gdb to a process that does a setuid transition without freaking it out (i.e. can't launch "sudo gdb ..."), I briefly played with process priority, scheduling, and CPU affinity (pinning a process to a CPU).

So far, ...</description>
		<link>http://www.outflux.net/blog/archives/2010/02/25/fun-with-process-scheduling/</link>
			</item>
	<item>
		<title>data mining for NX bit</title>
		<description>9% of Ubuntu systems that were used to report bugs that included their /proc/cpuinfo file need to fix their BIOS settings to gain the NX bit.

Check for yourself.  (Run it with --verbose for useful details.)

Out of 7511 Ubuntu bugs Brian Murray collected for me that included /proc/cpuinfo files, there ...</description>
		<link>http://www.outflux.net/blog/archives/2010/02/18/data-mining-for-nx-bit/</link>
			</item>
	<item>
		<title>easy example of filesystem capabilities</title>
		<description>Instead of using setuid programs, the goal for the future is to use fine-grained capabilities.  For example, here is /bin/ping:

$ ls -la /bin/ping
-rwsr-xr-x 1 root root 35680 2009-11-05 00:41 /bin/ping
$ ./ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.041 ms
...
$ sudo setcap CAP_NET_RAW=ep /bin/ping
$ ...</description>
		<link>http://www.outflux.net/blog/archives/2010/02/09/easy-example-of-fscaps/</link>
			</item>
	<item>
		<title>rng-tools with TPM</title>
		<description>In Ubuntu, I uploaded an rng-tools that supports the RNG in TPM devices (my patch is waiting in Debian).  This hardware is available on a bunch of systems, including several Thinkpads and the Intel Q35, Q45 and newer main boards.

While most TPM RNGs aren't really heavy-duty hardware RNGs, they ...</description>
		<link>http://www.outflux.net/blog/archives/2010/02/08/rng-tools-with-tpm/</link>
			</item>
	<item>
		<title>Google is wardriving</title>
		<description>So, a while back, Google started providing location services.  This seemed pretty cool, but I kind of ignored it until recently when I was playing with my Android's location API.  With the GPS off, and no cell towers visible (my basement gets terrible cell service), my phone knew ...</description>
		<link>http://www.outflux.net/blog/archives/2010/01/24/google-is-wardriving/</link>
			</item>
	<item>
		<title>Using huludesktop on MythTV</title>
		<description>Based on a friend's recommendation, I decided I would install Hulu Desktop for my MythTV system.

The MythTV wiki instructions were very good.  However, I didn't like that it was a closed-source binary doing network traffic. (While "system" doesn't show up in "readelf -r" output, that doesn't mean it isn't ...</description>
		<link>http://www.outflux.net/blog/archives/2010/01/19/using-huludesktop-on-mythtv/</link>
			</item>
	<item>
		<title>happy holidays 2009!</title>
		<description>Happy Holidays!

Or, as my firewall reported this morning:

Dec 25 04:39:18 firewall kernel: [1054241.000084] sd 2:0:0:0: [sda] ABORT operation started
...
Dec 25 04:40:10 firewall kernel: [1054292.072173] raid1: sdb2: redirecting sector 3490144 to another mirror


I guess I'm getting my firewall a new hard drive for Christmas.  :)
...</description>
		<link>http://www.outflux.net/blog/archives/2009/12/25/happy-holidays-2009/</link>
			</item>
	<item>
		<title>headache empathy</title>
		<description>Run "gstreamer-properties", click the "Video" tab, change Default Input Plugin to "Custom", and add this Pipeline:

v4l2src ! ffmpegcolorspace ! vertigotv ! ffmpegcolorspace

Now when Empathy video-chatting with a friend, you can give them a headache!

Or give yourself a headache by trying it directly from the command line:

gst-launch v4l2src ! ffmpegcolorspace ! ...</description>
		<link>http://www.outflux.net/blog/archives/2009/12/16/headache-empathy/</link>
			</item>
	<item>
		<title>install from official repositories only</title>
		<description>As quickly pointed out by Rick, don't install random software that isn't in the official distribution archive unless you really know what you're doing (and copy/pasting commands from a website doesn't count).  You're just asking to be made part of a botnet.
...</description>
		<link>http://www.outflux.net/blog/archives/2009/12/09/install-from-official-repositories-only/</link>
			</item>
	<item>
		<title>missing kernel features in ARM</title>
		<description>As more attention is given to the ARM ports of Linux, I'm hoping someone (maybe me if I learn a bunch) will be able to implement some upstream kernel features that are implemented only on x86 so far:

	ASLR of mmap allocations
	ASLR of text/exec area
	ASLR of vdso
	ASLR of brk area


Stack is ...</description>
		<link>http://www.outflux.net/blog/archives/2009/11/24/missing-kernel-features-in-arm/</link>
			</item>
	<item>
		<title>karmic and log rotation</title>
		<description>In Ubuntu's Karmic and Debian's Lenny, sysklogd was replaced with rsyslog.  This is fine, since rsyslog will have converted your /etc/syslog.conf to /etc/rsyslog.d/50-default.conf.  However, if you modified the (maddeningly strange sysklogd-specific) log file rotation in /etc/cron.daily/sysklogd or /etc/cron.weekly/sysklogd, you'll want to review the new (sane) /etc/logrotate.d/rsyslog.  ...</description>
		<link>http://www.outflux.net/blog/archives/2009/10/24/karmic-and-log-rotation/</link>
			</item>
	<item>
		<title>TPM as RNG</title>
		<description>I was reminded about some TPM coding I'd done to get random bytes from the pRNG on my TPM-enabled system from Matt Domsch's recent post.  I'm not fully convinced that the pRNG of the TPM is an appropriate source of entropy, but it does pass my simple FIPS-140-2 test.

I ...</description>
		<link>http://www.outflux.net/blog/archives/2009/10/22/tpm-as-rng/</link>
			</item>
	<item>
		<title>Larson Scanner on Arduino</title>
		<description>Inspired by the Larson Scanner project, I finally broke out my Arduino and ported the code from the ATtiny to the ATmega.  (The Arduino IDE runs fine with openjdk-6.)  I'm sure the power usage is terrible, but I wasn't after long battery life.  I wanted my very ...</description>
		<link>http://www.outflux.net/blog/archives/2009/10/07/larson-scanner-on-arduino/</link>
			</item>
	<item>
		<title>uninstall sun-java6</title>
		<description>With the vrms meme raging on Planet Ubuntu, I noticed some people still have sun-java6 installed.  I've been using openjdk-6 since Hardy, and everything I use works fine with it (e.g. Vuze, Catan, Eclipse, FreeMind, and even Facebook's photo uploader thing).  Given the Ubuntu Tech Board's "remove sun-java6 ...</description>
		<link>http://www.outflux.net/blog/archives/2009/09/12/uninstall-sun-java6/</link>
			</item>
	<item>
		<title>vrms meme: 15.2%</title>
		<description>Inspired by Jorge, I decided to see how high a vrms score I could manage.  I started with a minimal chroot (via mk-sbuild-lv), and did:

$ sudo -s
# echo "deb http://archive.canonical.com/ jaunty partner" &#62;&#62; /etc/apt/sources.list
# sudo apt-get update
# apt-get --no-install-recommends install $(grep ^Package /var/lib/apt/lists/*{multiverse,partner}*Packages &#124; awk '{print $NF}' &#124; sort ...</description>
		<link>http://www.outflux.net/blog/archives/2009/09/10/vrms-meme-152/</link>
			</item>
	<item>
		<title>blocking module loading</title>
		<description>New for Linux 2.6.31 (and Ubuntu 9.10) is the ability to throw a one-way toggle to block module loading via /proc/sys/kernel/modules_disabled:

# uname -a
Linux sec-karmic-amd64 2.6.31-4-generic #23-Ubuntu SMP Mon Jul 27 18:39:59 UTC 2009 x86_64 GNU/Linux
# lsmod &#124; head -n3
Module            ...</description>
		<link>http://www.outflux.net/blog/archives/2009/07/31/blocking-module-loading/</link>
			</item>
	<item>
		<title>Diminished Dapper</title>
		<description>Dapper has reached its half-way support age.  This means that only shipped server packages are getting official support.  If you're still running Dapper, upgrade to Hardy (and then consider upgrading through Intrepid to Jaunty too, since Intrepid and newer have awesome compiler defaults).

Looking back through my build logs, ...</description>
		<link>http://www.outflux.net/blog/archives/2009/07/16/diminished-dapper/</link>
			</item>
	<item>
		<title>partial NX emulation in Ubuntu</title>
		<description>Now available for early testing, Ubuntu Karmic Alpha 1 has a kernel feature I've long wanted in Ubuntu: NX emulation.  Basically, if your hardware lacks NX support, the kernel will emulate the feature using memory segment limits and ordering.  This was AFAIBT originally developed by PaX, and a ...</description>
		<link>http://www.outflux.net/blog/archives/2009/05/14/nx-emulation-in-ubuntu/</link>
			</item>
	<item>
		<title>recording from PulseAudio</title>
		<description>Every PulseAudio "Sink" has a "Source" named "monitor".  This lets you attach to a given Sink and chain more stuff to it, for example, recording the audio that is playing through PulseAudio at any given moment.  This is very handy for creating, for example, PubQuiz-style clips of songs, ...</description>
		<link>http://www.outflux.net/blog/archives/2009/04/19/recording-from-pulseaudio/</link>
			</item>
	<item>
		<title>Goodbye Gutsy</title>
		<description>(In reading my prior EOL posts, I realize I should have said "Enough Edgy" or something like that to be appropriately alliterative.)

Gutsy is now officially at end-of-life.

Looking back through my build logs, I can see that my desktop spent 25 hours, 6 minutes, and 47 seconds building 208 security updates. ...</description>
		<link>http://www.outflux.net/blog/archives/2009/04/17/goodbye-gutsy/</link>
			</item>
	<item>
		<title>CODEGATE 2009 ran Ubuntu Intrepid</title>
		<description>I'm pleased to hear that the CODEGATE 2009 International Hacking Contest ran Ubuntu Intrepid for both the qualifying rounds and the final match.  The host machine was running the 32bit -server kernel, so NX was active (along with all the other memory-corruption protections).  From what I can see ...</description>
		<link>http://www.outflux.net/blog/archives/2009/04/09/codegate-2009-ran-ubuntu-intrepid/</link>
			</item>
	<item>
		<title>World Of Goo compiled on Ubuntu</title>
		<description>I first played World of Goo on the Wii.  I loved it.  Great stuff, reminded me a little of Lemmings, but way way better.  Today I found out it's also available for Linux, and I immediately downloaded it.  I was pleased to see a .deb available ...</description>
		<link>http://www.outflux.net/blog/archives/2009/02/13/world-of-goo-compiled-on-ubuntu/</link>
			</item>
	<item>
		<title>debugging hangs in MIMEDefang</title>
		<description>I spent a while this morning hunting down the root cause of a 100% CPU MIMEDefang process.  (Turned out to be one specific email triggering one of my custom SpamAssassin rules that seems to get processed really inefficiently.)  I wasn't able to find any documentation on how to ...</description>
		<link>http://www.outflux.net/blog/archives/2009/01/24/debugging-hangs-in-mimedefang/</link>
			</item>
	<item>
		<title>ETOOMANYCERTS</title>
		<description>After upgrading an Ubuntu mail server from Hardy to Intrepid, two users could no longer connect via SSL to send email though sendmail.  One was using msmtp and the other was using Outlook Express.  The msmtp issue was tracked down as a supposed deficiency in msmtp.  However, ...</description>
		<link>http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/</link>
			</item>
	<item>
		<title>happy new year, RIP md5</title>
		<description>Welcome to 2009!  Really, seriously, everyone can stop using MD5 now.  However, be sure not to overreact.  The forged CA research is a great read, but there's no need to break existing certs.  For a calm reaction, please read this.
...</description>
		<link>http://www.outflux.net/blog/archives/2009/01/01/happy-new-year-rip-md5/</link>
			</item>
	<item>
		<title>bogosec run on intrepid main</title>
		<description>Care of Mike Owens and Dustin Kirkland, bogosec has been uploaded to Jaunty (in the NEW queue at the moment).  It is a source-code analyzer framework with plugins for lintian, rats, and flawfinder.  Out of curiosity, I ran it on all of Intrepid main.  Highest 5 scores ...</description>
		<link>http://www.outflux.net/blog/archives/2008/12/03/bogosec-run-on-intrepid-main/</link>
			</item>
</channel>
</rss>
