GRAFFITI -- October 24, 2005 thru October 30, 2005


Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable.

About eMail - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.


MONDAY -- October 24, 2005

0626 - Good morning. So, this weekend I refinished a kitchen ceiling to replace a light fixture, mowed the lawns front and back, and did 6 hours of PowerPoint to get some revised slides ready for our new Training courses. That along with all the other usual weekend stuff. I guess I'm looking forward to the relaxation that the work-week provides! Oh, and I received this in the email:

Subject: Linux kernel vulnerabilities
From: adriano

Hi,

I'm a TI Engineer and I want to learn how to gain root privileges through Kernel
2.6.3 vulnerabilities. Can you teach me? I had compiled the elflbl_v108.c (I
needed to change line 425 - "modify_ldt_ldt_s" + "user_desc") but it still didn't
work. After compiling, it shows the following message:

===BEGIN===

    child 1 VMAs 0
[+] moved stack bfffe000, task_size=0xc0000000, map_base=0xbf800000
[+] vmalloc area 0xc6000000 - 0xcbff1000

[-] FAILED: try again (-f switch) and again (Cannot allocate memory)
Killed

===END===

P.S.: Excuse my poor English: I'm not American.

Sds,
        Adriano César.

Thanks, for all.
--
This message was checked by the anti-virus system and
is believed to be free of danger.

I've not replied yet, but am taking suggestions on the best way (aside from deleting it) to respond to this learned request. Is it homework? A foreign script-kiddie wannabe? Your thoughts and suggestions are welcome. Happy Monday!

Top  /  Email Brian


TUESDAY -- October 25, 2005

No Post.



WEDNESDAY -- October 26, 2005

1805 - Good evening. More mail...

Subject: Xandros OCE3 burning limitation
From: Greg P.

I have read your article and it was a great article. I am new to linux and
have been playing with it for a while. My wife does not like Linux at all
and so I finally found something that she liked and that was Xandros OCE3.
It took me 2 weeks of playing with Xandros to figure out how to put VMware
on the machine so that if there was something that Xandros could not do then
my wife could use VMware to do her windows stuff. I was really excited when
I finally got it working and then when I tried to burn I found the
limitation. I was so disappointed. I tried to download new apps from the
extended repository to see if this limitation could be bypassed but nothing
works. When I read your article I noticed that you put "(grin)" when talking
about the limitation which made me think that you have a workaround for
this problem. I would really appreciate any help or any links that you could
refer to me in regards to solving this little puzzle for me. Thank you very
much for your time.

Here you go:

su -
<root password>

edit /etc/apt/sources.list, here's what mine says:

***
deb http://xnv3.xandros.com/3.0/pkg xandros3.0-xn main contrib non-free
deb http://xnv3.xandros.com/3.0/pkg unsupported3.0-xn main contrib non-free

deb http://www.archlug.org/apt xandros3 zzupp
deb http://www.archlug.org/apt xandros3 archlug
deb http://www.archlug.org/apt xandros3 boylinux
deb ftp://ftp.nerim.net/debian-marillat sarge main
***

apt-get update
apt-get install k3b

Answer Y when it asks permission to install the dependency programs.

Note: You may want to comment out those extra 4 deb lines again after installation, as sometimes during updates you can accidentally get stuff that breaks Xandros. I tend to enable them for cherry-picking special things, then comment out again.

exit

k3b

You'll like K3B. BTW, the OCE burning limitation is artificial; the Xandros burner is just a front-end to cdrecord. If you used cdrecord from the command line, you'd be burning at top speed for your burner.
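To make the enable-then-comment-out routine from the note above less error-prone, here is an added example script (mine, not from the original post or from Xandros): it takes the text of a sources.list, leaves the xandros.com lines alone and comments out every other deb line, with a matching function to turn them back on for cherry-picking. The sample sources.list is constructed from the one shown above; the vendor host and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: comment out the third-party
# "deb" lines in an apt sources.list once the wanted package is installed,
# so that routine updates only pull from the vendor's repositories.

# Constructed sample, matching the sources.list shown in the post.
SOURCES_SAMPLE='deb http://xnv3.xandros.com/3.0/pkg xandros3.0-xn main contrib non-free
deb http://xnv3.xandros.com/3.0/pkg unsupported3.0-xn main contrib non-free

deb http://www.archlug.org/apt xandros3 zzupp
deb http://www.archlug.org/apt xandros3 archlug
deb http://www.archlug.org/apt xandros3 boylinux
deb ftp://ftp.nerim.net/debian-marillat sarge main'

# Vendor host whose lines stay active (assumption: everything else is "extra").
VENDOR_HOST="xandros.com"

# disable_extra_repos TEXT: print TEXT with every active deb/deb-src line
# whose URL is not on $VENDOR_HOST prefixed with "# ". Everything else,
# including blank lines and existing comments, passes through untouched.
disable_extra_repos() {
    printf '%s\n' "$1" | awk -v vendor="$VENDOR_HOST" '
        /^[ \t]*deb(-src)?[ \t]/ && index($2, vendor) == 0 { print "# " $0; next }
        { print }'
}

# enable_extra_repos TEXT: the reverse, for cherry-picking a package.
enable_extra_repos() {
    printf '%s\n' "$1" | awk '
        /^#[ \t]*deb(-src)?[ \t]/ { sub(/^#[ \t]*/, ""); print; next }
        { print }'
}

# count_active TEXT: number of uncommented deb lines, a quick sanity check
# before and after editing.
count_active() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*deb'
}

# Demonstration on the constructed sample.
echo "active before: $(count_active "$SOURCES_SAMPLE")"
DISABLED=$(disable_extra_repos "$SOURCES_SAMPLE")
echo "active after : $(count_active "$DISABLED")"
printf '%s\n' "$DISABLED"
```

Run it against a copy first: disable_extra_repos "$(cat /etc/apt/sources.list)" > /tmp/sources.list.new, diff that against the original, and only then copy it into place as root and apt-get update.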

Oh, and if you really do like Xandros, why not support them with your wallet?

Now to feed the dogs. Ciao!



THURSDAY -- October 27, 2005

0630 - Good morning. Another day with my nose to the Microsoft grindstone. I'm working in Word to do a final pass on the documents that we're using for our new release, going gold real soon now. So soon after so much PowerPoint, I think I may be up for sainthood. Then I got this from my sister-in-law, and just had to laugh...

Subject: You know you're in 2005 when...
From: Karen

1. You accidentally enter your password on the microwave. 

2. You haven't played solitaire with real cards in years. 

3. You have a list of 15 phone numbers to reach your family of 3. 

4. You e-mail the person who works at the desk next to you. 

5. Your reason for not staying in touch with friends and family is that 
they don't have e-mail addresses. 

6. You pull up in your own driveway and use your cell phone to see if 
anyone is home to help you carry in the groceries. 

7. Every commercial on television has a web site at the bottom of the 
screen. 

8. Leaving the house without your cell phone, which you didn't have the 
first 20 or 30 (or 60) years of your life, is now a cause for panic and 
you turn around to go and get it. 

10. You get up in the morning and go on line before getting your 
coffee. 

11. You start tilting your head sideways to smile. : ) 

12. You're reading this and nodding and laughing. 

13. Even worse, you know exactly to whom you are going to forward this 
message. 

14. You are too busy to notice there was no #9 on this list. 

15. You actually scrolled back up to check that there wasn't a #9 on this list...! 

AND NOW U R LAUGHING at yourself.

The only good news is that I don't forward messages like this. I post them here, then people can come visit and suffer on their own hook!


Time to roll. Is it Friday yet? I fear not... Ciao!



FRIDAY -- October 28, 2005

0702 - Good morning. Yes! NOW it's Friday, I'm finished with my week in MS hell, doing PowerPoint and Word docs. Everything goes to press today! And I can laugh at this link: Blowjob by Mastercard. You'll laugh too, unless you're easily offended. There's no nudity, or simulated anything, so you might be safe...

For the kernel-hacker wannabe who sent me email early this week, I don't have any advice from you, gentle readers. So I'll wing it:

Adriano wrote:
> Linux kernel vulnerabilities
> 
> Hi,
>        I'm a TI Engineer and I want to learn how to gain root privileges
> through Kernel 2.6.3 vulnerabilities. Can you teach me? 

Nope. I'm not a kernel hacker myself, much less a wannabe cracker. 
Why would you want to ask me to help you with something like this? 
There's no indication on my site of any leanings towards the dark side. 

...
> P.S.: Excuse my poor English: I'm not American.
> 

The English isn't so bad, just the request. Here's an idea, learn about kernel 
internals with a few good books from O'Reilly and others, start hanging out 
on lkml, and learn how to help, how to contribute to building something up, 
instead of looking for quick pointers on how to tear something down?

> Sds,
>         Adriano César.
> 
> Thanks, for all.

-- 
Brian Bilbrey : http://www.orbdesigns.com/ 
	"Kirk to Enterprise -- beam down yeoman Rand and a six-pack."

On Tuesday I heard from Darryl Hoar, for the first time since November of 2002. Then he was having fun with Gentoo. Or maybe not too much fun, since multi-boot and SCSI got wrapped around the axle for him. I sent him what pointers I could, and don't recall ever hearing back. Now he's looking for guidance on moving his company away from way, way legacy msmail.

Subject: email server question
From: Darryl Hoar

Greetings,

I have been reading your website for quite some time. The mix of technical and personal writing is quite appealing.

I do wish to ask for your thoughts regarding replacing a Microsoft MSMail install with an open source solution.

We got lured into the Microsoft msmail solution a long time ago and it has stuck around for far too long. I now have the opportunity to kill it and replace it with an open source solution.

My experience is with FreeBSD but I have no aversion to penguins. So, I want to create an email server that would serve email internally (Not open to the wild world of the internet). The email client in use is Outlook (one step at a time).

What open source email solutions would you recommend?

-Darryl


In my initial reply I pointed him towards Debian, or WBEL, or suggested that he just stick with FreeBSD, and install packages or ports and start experimenting. I also allowed as I might see what I could throw together on short notice. They apparently don't use this server for external communications, they can just plunk it down inside and let it serve for internal mail. Later on he can stand up another box at the edge of his network, have that receive mail, do av scanning, etc, and forward it to the inside box...

So White Box Enterprise Linux 4 is the distro of choice for this little exercise. It's the right price (free), it's supported by every book that's written about RHEL4, and it just works for me. If I recall correctly, there's something about Yum not being installed properly on the install pass. I'll let you know. I pulled and burnt 4 CDs, and popped in the first one. After bypassing the disk test option (I feel lucky), I find myself at the first screen...

WBEL Intro screen

It's dead familiar, this trip through the common installation routines, at least for me. Accept defaults for Language and Keyboard, then I'm faced with the first decision: Server or Workstation install. Here I'll take Server. White Box has all of the tools necessary to make WS, ES, or AS style systems (in RHEL-speak). For our purposes, Server fits the need. I'll imagine that I have the ability to customize the package loadout later.

The next choice is partitioning: Automatic or Manual (with Disk Druid). Normally I'd take the latter course, but since this is a demo of an internal box, theoretically with no shell users or outside attackers to worry about, we can just let automatic build its usual Boot|Swap|Root setup, with all the spare space in the main partition. It's not ideal for many purposes, but it's fast, and with modern huge hard drives, it takes a good long while to DoS a box by filling up /var/log to exhaust the / partition's free space. So Automatic it is. And it takes the 7G VMware partition I offer up happily.

Grub bootloader options come next in this install, and I take all the defaults. Following that, it's time to configure networking. Because this is a mailserver (or any server at all, for that matter), I'll be using a static IP address, and manually entering all of the nameserver and gateway information. It's much easier to point a mail client at a server at a known address, eh? In the following screen, I'll enable firewalling, and allow SMTP and SSH for starters. However, as I have no experience with SELinux, I'll disable that security capability (but remind me to spend some time looking HARD at that, real soon now).

Back to the simple stuff, I'll set the default language and other sets loaded, set the clock (and check the UTC box), and enter a root password. Now it's time to inspect the package selection, at least at the group level. So I hit the radio button for "Customize software packages to be installed", and press the Next button, observing that it's going to try to give me a web server and SMB, too. I'll be killing those for now, by deselecting them from the installation set.

Within the software selections, I'll add Vim from the Editors group (via the Details link) and deselect the Text-based Internet group. In the Server Configuration Tools, I'll add all of the config tools. Then I deselect the Web Server group. Next I checked the Mail Server group, and clicked on the Details link. Therein I unchecked the default dovecot IMAP server, since I know nothing about it, and selected cyrus-imapd, cyrus-imapd-utils, and perl-Cyrus, along with adding postfix. I've left sendmail.cf and spamassassin checked, as well.

Back at the group level, I deselected the Windows File Server group, then scrolled down past many unchecked groups. I'll accept the defaults for the Administration Tools, then check System Tools as well. But using the Details link there, I remove all of the optional components except screen, which I want. After accepting that config, I deselected Printing Support (who needs it on a server, anyway?!?), and I'm done. At the bottom are the miscellaneous groups: Everything and Minimal. Everything is fun for spelunking through everything the distro has to offer, and Minimal is interesting for just how much cruft they can cram in, claiming necessity. More on that topic another day. This mail server is going to be a 1.4G load, that's pretty large. But on we go ... I click on the Next button.

The installer checks for dependencies, then warns me which discs it will need, and gives me one more chance to bail out before it starts on the irreversible part of installation: formatting followed by software installation and initial configuration. Here's what the beginning of the installation looks like:

WBEL4 install in progress

As I watch the package installs flash by underneath the progress bar, I observe that it's still installing lots of crap that I don't want (par for the course; it's why I like Debian and have become deeply enamoured of OpenBSD of late). I'll be disabling lots of services, it looks like. I'll demonstrate that after I get logged in. The installation, from start to first boot, including writing this up, took just a hair over an hour. Another 10 minutes sees the VMware tools installed, yum installed manually from disc 4 of the CD set, and Up2Date (modified) run to grab any needed packages that have been upgraded since the WBEL4 discs were spun.

I think the rest of this exercise will wait until this evening, or even the weekend. Now I must go to work, since the lunch is free and the company is good. Ciao!



SATURDAY -- October 29, 2005

1031 - Good morning. Continuing from where I left off yesterday...

After checking to see which services were still running at startup, I stopped many of them and removed them from the startup routine with commands similar to this:


[root@wbelmail init.d]# ./rawdevices stop
[root@wbelmail init.d]# chkconfig --level 2345 rawdevices off

Once that was done, I was left with just the services I want running at the moment:


[root@wbelmail init.d]# chkconfig --list | grep ':on'
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:on    4:off   5:on    6:off
readahead       0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_early 0:off   1:off   2:off   3:off   4:off   5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
vmware-tools    0:off   1:off   2:off   3:off   4:off   5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:off   6:off
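As an added example (mine, not from the original post), the following script does what I just did by hand against a listing like the one above: it reads chkconfig --list output, picks out the services that start at a given runlevel, and prints the stop and chkconfig off commands for every one that isn't on an allowlist, so the pruning can be reviewed before anything is run as root. The allowlist, the sample listing (a subset of the one above) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a `chkconfig --list`
# listing against an allowlist of services that belong on a mail host, and
# emit the commands that would turn the rest off.

# Constructed sample, a subset of the listing in the post. To audit a live
# box, pass "$(chkconfig --list)" instead.
CHKCONFIG_SAMPLE='network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:off   3:on    4:off   5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:off   6:off'

# Services allowed to start at boot (assumption: a minimal mail host that
# will run postfix rather than sendmail).
ALLOWED="network syslog iptables sshd crond postfix"

# enabled_at RUNLEVEL LISTING: names of the services switched on at that
# runlevel. Only rows with name + seven runlevel columns are considered, so
# the "xinetd based services:" section at the end of a real listing is skipped.
enabled_at() {
    printf '%s\n' "$2" | awk -v lvl="$1" '
        NF >= 8 {
            for (i = 2; i <= NF; i++)
                if ($i == lvl ":on") { print $1; break }
        }'
}

# is_allowed NAME: succeed if NAME appears in $ALLOWED.
is_allowed() {
    for s in $ALLOWED; do
        [ "$s" = "$1" ] && return 0
    done
    return 1
}

# disable_commands RUNLEVEL LISTING: for every enabled service that is not on
# the allowlist, print the two commands the post uses (stop it now, and drop it
# from runlevels 2-5 at boot). The output is meant to be read, then run as root.
disable_commands() {
    enabled_at "$1" "$2" | while read -r svc; do
        is_allowed "$svc" && continue
        printf '/etc/init.d/%s stop\n' "$svc"
        printf 'chkconfig --level 2345 %s off\n' "$svc"
    done
}

# Demonstration on the constructed sample at the default multi-user runlevel.
disable_commands 3 "$CHKCONFIG_SAMPLE"
```

Pipe the output to a file, read it over, and run it with sh only once you are happy with it; anything you decide to keep just goes on the ALLOWED line.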

Note that the command used to generate the listing above is its first line, chkconfig --list | grep ':on'. All I want to do at this point is see what's running, so that I can turn off services that I don't want running. Now, I'll use this command to switch over from the default Sendmail installation to running Postfix:


[root@wbelmail init.d]# system-switch-mail-nox

That drew up a crappy little ncurses dialog that let me choose between Sendmail and Postfix. After doing so, I checked. Postfix was running and added to the startup list, Sendmail was stopped and removed from the startup list. Excellent. Now to see which services are still really running and listening on the external interface. Even though I'm still firewalled, I'd rather make sure that only those listeners I want are listening...


[root@wbelmail init.d]# netstat -an | grep tcp | grep LISTEN
tcp     0    0 127.0.0.1:25         0.0.0.0:*                   LISTEN
tcp     0    0 127.0.0.1:6010       0.0.0.0:*                   LISTEN
tcp     0    0 127.0.0.1:6011       0.0.0.0:*                   LISTEN
tcp     0    0 :::22                :::*                        LISTEN
tcp     0    0 ::1:6010             :::*                        LISTEN
tcp     0    0 ::1:6011             :::*                        LISTEN

You can use Google to figure out any bits that I might leave out explaining this... But simply: 127.0.0.1 is the IP address of the local host, so a socket bound there is essentially the machine listening to itself. So there are four listeners on TCP ports: 25 is email, which is postfix. We'll have to get that listening on an outside interface, or this box will not be a usable mailserver. 22 is the SSH daemon, and that's good; I allowed SSH in the firewall and approve of it. I happen to know that 6010 and 6011 are the X11 forwards for my two current SSH connections to the box. I can make those go away by editing the file /etc/ssh/sshd_config to change/add a line to read like this:


X11Forwarding no

With that change made, I can restart sshd, drop and reconnect to the server, and retest, thusly:


[root@wbelmail init.d]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
 ...
[root@wbelmail ~]# netstat -an | grep tcp | grep LISTEN
tcp     0    0 127.0.0.1:25         0.0.0.0:*                   LISTEN
tcp     0    0 :::22                :::*                        LISTEN

[root@wbelmail ~]# netstat -an | grep udp
udp        0      0 192.168.1.89:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::123                  :::*

All is happiness in TCP land for the moment. Observe that I then checked for UDP (stateless) listeners. Port 123 open everywhere ... I happen (again) to know that this service is NTP. Now I *know* that I set up NTP during installation, but didn't think it was going to come up as a service, just as a utility to keep this box's clock in line ... before I go too much further, you can always look at the file /etc/services to see which service names (which often correlate to program names) are associated with which port numbers. That said, let me see where to configure the ntpd daemon...


[root@wbelmail ~]# cd /etc
[root@wbelmail etc]# vim ntp.conf   

Hmmm. That's not as useful as I had hoped. While I can see which line I want to modify, I don't know what valid parameters are available to me. I'd gone straight to the conf file because many of them are sufficiently commented to be useful without referring to the manual page for the parent daemon. But not this time. I guess I'd better go read the ntpd manpage...


[root@wbelmail ~]# man ntpd

Bummer. Even the man page doesn't offer guidance on the correct form of arguments to the restrict option in the ntp.conf file. I'll have to go read the recommended /usr/share/doc/ntp-*/ntpd.html ...

By changing that first restrict line to read "restrict default ignore", I've let it continue to listen, but not to serve. Perhaps it'll just be better to shut it off, and run ntpdate every once in a while via cronjob. Yeah, that's what I'll do. Now to get Postfix listening on the outside. I'll change the appropriate line to read:


inet_interfaces = all

Then restart postfix and check that it's now listening on all (0.0.0.0) interfaces:


[root@wbelmail postfix]# /etc/init.d/postfix restart
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
[root@wbelmail postfix]# netstat -an | grep tcp | grep LISTEN
tcp     0      0 0.0.0.0:25           0.0.0.0:*                   LISTEN
tcp     0      0 :::22                :::*                        LISTEN
tcp     0      0 :::25                :::*                        LISTEN
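Here's an added example script (mine, not from the original post) that automates the checks from the last few steps: it pulls out of a netstat -an capture every TCP listener and UDP socket bound to something other than 127.0.0.1 or ::1, names the port via /etc/services where that file exists, and reports what a change like inet_interfaces = all newly exposed by comparing a before and an after capture. The two captures are constructed from the listings above (the UDP line in the after-capture is my addition), the function names are assumptions of the example, and it also accepts the tcp6/udp6 labels that some netstat versions print, which the listings above don't use.

```shell
#!/bin/sh
# Added example, not from the original post: report the sockets in a
# `netstat -an` capture that are reachable from beyond the box itself (bound
# to anything other than 127.0.0.1 / ::1), and show what a config change
# newly exposed by diffing a before and an after capture.

# Constructed samples modelled on the post's captures, before and after the
# sshd (X11Forwarding no) and postfix (inet_interfaces = all) changes.
# On a live box pass "$(netstat -an)" instead.
BEFORE='tcp     0    0 127.0.0.1:25         0.0.0.0:*                   LISTEN
tcp     0    0 127.0.0.1:6010       0.0.0.0:*                   LISTEN
tcp     0    0 :::22                :::*                        LISTEN
tcp     0    0 ::1:6010             :::*                        LISTEN
udp        0      0 192.168.1.89:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::123                  :::*'
AFTER='tcp     0      0 0.0.0.0:25           0.0.0.0:*                   LISTEN
tcp     0      0 :::22                :::*                        LISTEN
tcp     0      0 :::25                :::*                        LISTEN
udp        0      0 :::123                  :::*'

# exposed_listeners TEXT: print "proto port bind-address" for each tcp socket
# in LISTEN state and each udp socket (udp rows carry no state column) whose
# bind address is not loopback. tcp6/udp6 rows are folded into tcp/udp.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^(tcp|udp)6?$/ { next }
        $1 ~ /^tcp/ && $NF != "LISTEN" { next }
        {
            proto = $1; sub(/6$/, "", proto)
            n = split($4, part, ":")
            port = part[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            print proto, port, host
        }'
}

# service_name PORT PROTO: the name from /etc/services when that file is
# readable, else from a small fallback table (assumption) so this runs anywhere.
service_name() {
    name=""
    [ -r /etc/services ] && name=$(awk -v p="$1/$2" '$2 == p { print $1; exit }' /etc/services)
    [ -n "$name" ] && { printf '%s\n' "$name"; return; }
    case "$1" in
        22) echo ssh ;; 25) echo smtp ;; 123) echo ntp ;; *) echo unknown ;;
    esac
}

# newly_exposed BEFORE AFTER: exposed sockets present in AFTER but not in
# BEFORE, i.e. what the change in between opened up. No temp files needed.
newly_exposed() {
    { exposed_listeners "$1"; echo '--'; exposed_listeners "$2"; } | awk '
        $0 == "--" { second = 1; next }
        !second { seen[$0] = 1; next }
        !($0 in seen) && !dup[$0]++ { print }'
}

# audit TEXT: human-readable exposure report for one capture.
audit() {
    exposed_listeners "$1" | while read -r proto port host; do
        printf '%s %s on %s (%s)\n' "$proto" "$port" "$host" "$(service_name "$port" "$proto")"
    done
}

echo "exposed after the changes:"
audit "$AFTER"
echo "newly exposed by the changes:"
newly_exposed "$BEFORE" "$AFTER"
```

Save a capture before every configuration change and run newly_exposed against the one after it; on this box the only new lines should be the two port 25 listeners, and anything else on that list wants an explanation.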

That's better, and all the time I have to devote to this today. Now I'm going to go get some soil amendments to add nitrogen to the raised beds, then I'll take out the last of the vegetables and turn the amendments into the soil. Ciao!



SUNDAY -- October 30, 2005

1119 - Good morning. Shopping's done, and the front yard still needs my attention. Back in a bit...


1758 - Good evening. I'm back. So. Yesterday I picked up 12 bags of compost/manure mix. Back home, I harvested the remaining peppers, carrots and Brussels sprouts. Then I cleaned out all the vegetation from the 6 main raised beds, and used fork and rake to turn in the soil amendments.

After cleaning up, I started a salsa. With all of the peppers, several cloves of garlic, all of the remaining cilantro and both tomatoes in the fridge, I had a pint and a half of some bubbling greenish concoction with red flecks of tomato therein, signaling for help. When I took the cover off of the Cuisinart, my eyes started bleeding, and my throat started closing. I found myself standing about 5 feet away, wondering what to do next. So I gingerly approached the salsa, and added a few drops of lime juice. A brief taste let me know two things: My lips and tongue were numb (that was the good news, because when numb faded, it was going to be hot), and that I needed more tomatoes. Or I'd have to give it to Erik, who'd have asked why I watered it down. Heh.

In the evening, Marcia and I watched Kung Fu Hustle, fresh in on our Netflix subscription. This one had been my request. Ten minutes into the movie, I was planning on how to grovel my way out of having to watch the whole thing. By twenty minutes in, we were both laughing. It's a surprisingly fun movie, just as I'd hoped, but surprising in that it takes you through the despair of believing you're watching a bomb to get there.

Today, with all the clocks reset (one hour back, have you done your ex-DST duty?), we got our shopping done and back home by about 1030. Oh, today was the first frost, on this side of town. After a short donut break, I started in on the front yard. Using the fork again, I turned up all of the gladiola bulbs that survived. They had not done well this year, so it's time to rest them, and put in the 72 tulip bulbs we got from Brecks. Those went in five different groupings: Most in two patches replacing the gladiolas, and the rest in three smaller groups over on the raised bed in the side lawn north of the driveway. Hopefully I'll have pictures of all that for you next spring. Then I mowed the lawns with the bag on, to get up all of the leaves. I'll have to do that at least once more before Fall is really done. As a couple of final steps, I used the compressor to blow the irrigation lines clear of water, took down all the outside hoses, shut off the outside water feed and let those pipes drain, all in preparation for winter. I also caulked a few things that desperately needed the attention. More of that before the year is done, perhaps. But I've gotten the worst of it done.

With a trimmed beard and a shower behind me, I added another seven vine-ripened tomatoes to the salsa. That's done the trick. Now it's merely very hot, and my lips and tongue hardly go numb at all! And you're caught up on my doings, mundane as they are.


In a week that saw Harriet Miers decline her nomination to the Supremes, and indictments delivered at 1600 Pennsylvania Ave. for Lewis "Scooter" Libby, official scapegoat of the moment ... we also passed the 2000th American combat death since the beginning of "Major Hostilities" in our Iraq entanglement. The media made much of this... "blah blah blah watershed blah blah bleh milestone blah polls blah public opinion blah" My opinion is that our boys and girls are doing a damn fine job trying to accomplish the mission that The George has set for them: democracy in Iraq. It's not a mission that particularly suits the armed forces, nor one that they trained for, but they're doing better than I've expected, really, given those circumstances. Regardless of that, I honor our service men and women, and bow my head in recognition of those reported fallen in this last week.


Now it's time to feed the dogs. Perhaps this evening I'll finish up the White Box mailserver writeup. Or I may collapse. Reality is uncertain.





Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.

All Content Copyright © 1999-2011 Brian P. Bilbrey.

Creative Commons License
Except where otherwise noted, this site is licensed under the
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.