Open source software security

Installing VMWare Workstation 6.5.3 on Fedora 12

The recent Fedora kernel upgrade to 2.6.32 again wreaked havoc on all my Linux installations. Every time a kernel upgrade comes out my VMWare Workstation breaks, and typically my TrueCrypt installation as well, or at the very least my nVidia drivers. Thankfully nothing but the VMWare was a major problem this time. I kept getting installation failures on VMWare, specifically with kernel module configuration - the vmnet module to be precise. Finally I found the answers I needed at http://jbmoore61.blogspot.com/2010/02/fixing-vmware-workstation-652-and-linux.html.

Upgrading Fedora

I've been doing a lot of work on several different machines recently and I've noticed that quite a few of them have fallen behind on their installed version of Fedora. Fedora 14 (the latest version as of this writing) doesn't include any real standout features for end users, but it's got some great stuff for developers (such as upgraded Eclipse and Perl). Upgrading is usually quite a hassle, involving burning new DVDs to boot from and running through a complex download and install process.

Where does this conf resolve?

The file /etc/resolv.conf is used by Linux systems to identify DNS servers used to resolve host names into IP addresses. On Mandriva (and other) systems, resolv.conf is actually a file generated by the program resolvconf. This leads to an interesting situation when you view the /etc/resolv.conf file because you are greeted with a strange warning:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Beyond Linux Security

Luc de Louw's Blog recently presented an article on hardening RHEL systems based on critique and updates of the NSA's seminal, and 200 page, "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf). Luc's post gives some extra guidance on security configuration that I think is well reasoned and worth noting. I think it also points to the fundamental problem with Linux security in general, however.

First Impressions of Gnome 3

Fedora 15 recently launched with the addition of Gnome 3 (or Gnome Shell) as the standard desktop environment. So far you can color me less than impressed. Gnome 3 has some wonderful additions in terms of appearance. The fonts are smoother, there is window shading, and there are lots of neat improvements to window management (snap two windows side by side).

VMWare Workstation on Linux Kernel 2.6.40

I was having some trouble getting VMWare 7.1.4 running on my Fedora 15 machines running x86_64 kernel 2.6.40 until I found the patch described at http://linux-knowledgebase.com/cms/common/pdf.php?article_id=186 that points to the patch at http://linux-knowledgebase.com/userFiles/files/vmware2_6_39patchv3.tar.bz2. Installing the patch is a breeze with the instructions provided. Just unzip the patch with 'tar xvjf vmware2_6_39patchv3.tar.bz2', then run the patch using './patch-modules_2.6.39.sh'. Once that's done you can upgrade VMWare. I usually do this using: $ sudo vmplayer

Using SSH PKA on Linux

The Secure SHell (SSH) is an increasingly popular way for Linux machines to communicate securely. SSH has become the de facto remote shell access protocol, replacing telnet but also providing alternatives to file transfer protocol (FTP) and in some cases virtual private networking (VPN). SSH can be used to connect securely to a remote machine, transfer files, and even tunnel connections to remote locations.

Installing PHP 5.3 on CentOS 5.3

CentOS is a wonderful, stable, enterprise Linux distribution. Because it follows an enterprise model, however, the latest and greatest packages are often not available for installation from RPM repositories. In order to deploy binaries such as the new PHP 5.3 you'll need to compile them from source. Luckily this isn't terribly hard, but it does take some trial and error. I've tried to enumerate the process on a CentOS 5.3 host to take some of the pain out of it.

Installing TrueCrypt on Mandriva

TrueCrypt is a great encryption utility that is available for several operating systems and uses. TrueCrypt will let you create encrypted volumes, encrypted devices, or even do whole disk encryption. I use TrueCrypt on Windows and Linux, and it's handy to be able to move encrypted volume files from one operating system to another and be able to mount them. Unfortunately, due to some disputes over licensing, Mandriva has re-branded TrueCrypt as RealCrypt and distributes it with Mandriva. I've had some problems getting the RealCrypt RPM's to work, and for this reason I decided to go ahead and install TrueCrypt 6.0 on my Mandriva 2008.1 system.

Debian OpenSSL Predictable Key Vulnerability

It seems Debian has introduced a critical flaw into the OpenSSL implementation that could allow an attacker to listen in on an encrypted web session or even an SSH session. What's worse is that even after an upgrade, old keys will still contain this vulnerability. This means that Debian (and Debian based systems - like Ubuntu) will have to patch/upgrade their systems and then regenerate all of their encryption keys. The Debian announcement can be found at Debian.org and the Ubuntu advisory can be found at Ubuntu.com. Update your systems as soon as you can! Update: It looks like code has been released to the wild to brute force ssh keys to gain unauthorized access to servers running the bad openssl code (with openssh and key authorization enabled):

Where Does My Resolv.conf Resolve To?

The file /etc/resolv.conf is used by Linux systems to identify DNS servers used to resolve host names into IP addresses. On Mandriva (and other) systems, resolv.conf is actually a file generated by the program resolvconf. This leads to an interesting situation when you view the /etc/resolv.conf file because you are greeted with a strange warning:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

This is curious because if you don't edit the listings in this file where should you edit them? Of course many distributions have a GUI for managing your network connections but if you're stuck at the command line you might have to go digging.

SSL Default Virtual Host Problem on Mandriva

Mandriva 2007 (http://www.mandriva.com) has an interesting implementation of Apache 2. There are a lot of non-standard implementations that will drive you crazy if you don't know where they are or what they do. One instance of this configuration is the handling of SSL if you have apache-mod_ssl installed. Normally your virtual hosts are controlled from within the file /etc/httpd/conf/vhosts.d/Vhosts.conf. This has changed in the latest distribution and Mandriva seems to have moved to a more inetd style of configuration files. Now the virtual hosts file is in /etc/httpd/conf/vhosts.d/00_default_vhosts.conf. The 00 prefix would tend to indicate that this is the first virtual host file to be loaded, but that others could be appended or loaded outside of this one. I actually tested this out and it works. For instance, say you have two virtual hosts and you want to list them separately.

Crontab -e You are not allowed to use this program (crontab)

I recently noticed that my user account wasn't able to use crontab on a newly installed Mandriva 2007.1 machine. This was pretty troubling since it meant I couldn't schedule jobs as a regular user. Running scheduled tasks as root is often unwise given the power of that account. Every time I tried to edit my user crontab using the '-e' flag I got the following message:

[justin ~]$ crontab -e
You (justin) are not allowed to use this program (crontab)
See crontab(1) for more information

It turns out that Mandriva doesn't create default rules for crontab's use by users. Instead, on a new install crontab is restricted to the root account. There are two files that control usage of crontab, both in /etc. These are:

/etc/cron.allow
/etc/cron.deny

The system checks cron.allow first, and if it doesn't exist checks cron.deny. If neither file exists then the system won't allow anyone but root to utilize cron.

Using FreeNX on Mandriva

FreeNX is a remote desktop client/server program much like VNC. I've found that on Mandriva, remote connections using the TightVNC server that is usually installed can be sluggish. Part of the reason for that is that TightVNC establishes a connection with the machine in the same way as VNC, i.e. it 'mirrors' the existing desktop across the remote desktop. FreeNX operates more like a thin client. It creates and exports a new session. This makes FreeNX a lot more responsive, but it also creates some unique challenges. Overall I prefer FreeNX to TightVNC.

Getting GPG Encryption with Evolution

I have to admit I'm loving using Gnome on my Mandriva machine. Mandriva is a popular French distribution of Linux that, like most of its European counterparts (well, perhaps SUSE can't be considered European now that they belong to Novell), uses KDE as its default window manager. I used KDE for ages and became quite comfortable with it, but I actually find Gnome to be a lot cleaner and easier to use these days. Gnome integrates quite nicely with Evolution. Despite having Thunderbird available, Sunbird hasn't come along far enough to make calendar integration with Thunderbird feasible quite yet.

Getting TrueCrypt to Work with Mandriva 2007.1

I've been using TrueCrypt for some time now on my Windows machines and I wanted to explore how easy or hard it was to get it working under Mandriva 2007.1 (Spring). It turns out there are quite a few hidden caveats to getting TrueCrypt working. In my case I had a USB drive connected to the machine that was serving as an encrypted volume. When I booted up Mandriva I wanted to be able to mount the drive.

Return to Castle Wolfenstein on Mandriva

Playing Return to Castle Wolfenstein on Mandriva is a lot of fun. Linux detractors will often point out that Linux lacks games, and point to that as one of the main reasons to stay away from Linux for home use. In fact, there are many games available that will run under Linux natively and tons more that will run under Cedega from TransGaming.

Mandriva 2007 on Intel dg965wh

Ok, so buying bleeding edge hardware is not exactly smart when you want to run a Linux box. I recently purchased a bunch of new parts, among them an Intel dg965wh motherboard, a new dual core Pentium processor, and an XFX Nvidia 7300 graphics card. I should have known better when installing Windows XP on top of this hardware was problematic, and that was *with* manufacturer provided drivers. Installing Linux was next to impossible. I tried Fedora Core 6, Ubuntu 6.10 and even Ubuntu 7.04, all with no success. I finally got Mandriva 2007 working by adding the additional parameters 'all-generic-ide pci=nommconf' to the install options. Even this though isn't enough. You have to set your BIOS drive settings to 'AHCI' from 'IDE' to even get this working. Then after the install you have to make sure to modify the lilo boot so that the above parameters are provided.

C and Building a B0x3n

Whoa! What a crazy freakin' weekend. I hate to blog about "regular life" because I find it to be incredibly mundane, but nobody reads this blog anyway so what the heck. Several things occurred to me over the weekend.

Mandriva vs. Ubuntu

So I've been struggling with a problem recently. I have two main workstation machines. One is a custom built tower with dual 256 MB graphics accelerators, 1 GB of RAM and a 2 GHz Celeron. The other is a HP nx6125 notebook with an AMD Turion 64 1.6 GHz processor and 1 GB of RAM.

Installing Wine on Mandriva

Recently I decided to install Wine so that I could run some old Windows games that I had purchased for next to nothing. After a couple of years it seems that game values plummet. I took a look at the Mandriva RPM's but they were a little older than the current Wine distribution and I know a lot of active development goes into Wine so I decided to download and compile the source myself to get the latest version. There are quite a few snafus in the install, so be sure to watch errors carefully. You'll need a few libraries installed beforehand to make sure things go smoothly.

Getting Truecrypt to work with Mandriva 2007

I've been using TrueCrypt for some time now on my Windows machines and I wanted to explore how easy or hard it was to get it working under Mandriva 2007.1 (Spring). It turns out there are quite a few hidden caveats to getting TrueCrypt working. In my case I had a USB drive connected to the machine that was serving as an encrypted volume. When I booted up Mandriva I wanted to be able to mount the drive.

Mounting an NTFS Partition for Use in Mandriva

Linux workstations are often configured as multiple operating system booting machines. This means that the machine will often have separate partitions with various operating systems allowing the user to boot into Linux or Windows (or another operating system). It is ideal to use a data partition so that both operating systems have access to the files stored there.

Using URPM with Mandriva

Installing and managing software at the command line can be a daunting task for many novice Linux users. Mandriva leverages the URPM package manager that allows users to install and update software from remote repositories. Understanding URPMI and these remote software sources will allow you to script updates to your system and install new software without having to constantly use the installation media.

Linux Permissions

Understanding the nuances of file permissions in Linux is a daunting task. The basics are pretty straightforward but this article attempts to illuminate file and directory permissions with all their less frequently utilized incarnations as well, including often glossed over topics such as octal notation and the sticky bit.

Writing Buffer Overflows

It has been a long time since a relevant buffer overflow tutorial was written. While the classics still serve as wonderful guides I thought it might be time to put together an up to date tutorial that incorporated many of the techniques of other tutorials along with a few things I've learned on my own.

Using Oracle's SQL Developer from Mandriva

This article was written specifically for a Mandriva workstation, but the principles are the same so it applies to almost any Linux distribution. This article provides instructions to get SQL Developer working and connecting to a remote Oracle host behind a firewall (i.e. not accepting inbound port 1521 tcp connections) by utilizing an SSH port forwarding tunnel.

Dual Head Single Video Card Setup

Recently I managed to get my workstation to function using two monitors, a dongle and a single video card. It was quite a trick to get things functioning.

Rebuilding My URPMI Database

URPMI is a powerful package management utility for Mandriva Linux (formerly Mandrake). Using urpmi you can install and update packages to keep up with security patches and user requests. It is important to keep your urpmi database of sources up to date so you can install the latest patches and versions. This quick article explains how I rebuilt my urpmi database after completely ruining several config files.

Getting LogWatch Like Functionality from Mandrake

A short shell script that parses log files and assembles some useful information and mails it out. Scheduled with cron, this script makes for an effective lightweight passive intrusion detection scheme.

Scheduling Tasks with Cron

A quick tutorial on scheduling simple scripts to run using the cron daemon. Covers using crontab to edit your cron jobs.

BASH Shell Scripting

A quick introduction to shell scripting concepts and uses in the Bourne Again Shell (BASH). Brief discussion of variables and flow control in shell scripts as well.

What is With Those BASH Commands?

A short discussion of proper syntax and usage of BASH commands, including why and how flags and parameters work and a little about your .bash_profile file.

VNC Computing with Linux

A short review of installing and running VNC, or Virtual Network Computing, on Linux including a brief review of functionality and customization.

Linux Shorts

A series of common questions and answers for Linux users.

Linux Networking Primer

A description of how to examine and change your Linux networking settings from the shell. Info on DNS, gateways and IP settings.

The BASH Shell

Getting started with the command line on your Linux system, essential for administration.

Linux Security Tools

A list of some common and helpful Linux security tools, including brief reviews and links to the tool source.

Using Crontab

Crontab is an incredibly useful function that allows users to schedule tasks in the same way as the system does with cron. Each user has their own crontab that they can maintain and edit.

Setup of My Laptop

A short run down of my system configuration to include partitioning information.