Categories
Internet, Unix en security

PAM bug hit Debian and others

It has been years since PAM was hit by a serious bug, but people who upgrade to libpam-systemd version 44-1 can find that sudo stops working. Reading the bug report on Debian and FreeDesktop.org it doesn't look promising, as it also affects other distributions. For now it may be wise to put systemd on hold in case the package migrates from unstable to testing.

Categories
Internet, Unix en security

Switching from VirtualBox to KVM (maybe)

I have been a VirtualBox user for a long time, but since I'm now looking more closely at BtrFS I also took a closer look at what is in $HOME. VirtualBox hard disks and ISO images are a large chunk of it, and maybe the time has come to look at a different solution. One of the plans is to move virtual machines to a dedicated machine instead of running some on my workstation when I need them. This would give me more options for longer experiments, as my personal data would then not have to share the same encrypted volume with the virtual machines.

As VirtualBox is mainly a desktop solution, the other options for now are Xen and KVM. I picked KVM as it ships with RHEL6 and has been part of the vanilla Linux kernel since 2007. There is also a nice (remote) management solution and closer integration in GNOME 3.4 in the form of GNOME Boxes. So the time has come to give it a go, and first we create a line in /etc/fstab to mount the BtrFS subvolume.

LABEL=datavol	/var/lib/libvirt	btrfs	defaults,relatime,nodiratime,subvol=libvirt	0	0

Now we create the BtrFS subvolume and mount it. Afterwards we install all required software and make a user a member of the right group. Note that one needs to log out and log in again afterwards. These rights are only needed when doing local maintenance.

$ sudo btrfs subvolume create /media/btrfs-datavol/libvirt
$ sudo mount /var/lib/libvirt
$ sudo apt-get install qemu-kvm virt-manager virt-viewer virtinst
$ sudo usermod -a -G libvirt 

The machine is now able to run virtual machines if it has a CPU with Intel VT-x or AMD-V technology, and the first tests with Debian 6.0, Solaris 11 and Windows 7 looked very promising. The management interface is very clean, and for people who have worked with Solaris Containers the command-line tool virsh is also a good option. One thing that seems to be missing is a storage snapshot option as in VirtualBox, but I doubt it is a real miss, as most images are on BtrFS and BtrFS supports snapshots at the subvolume level.
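The script below is an added example and not part of the original post: a small POSIX shell script that verifies the preconditions of the setup above, namely that the CPU advertises Intel VT-x (vmx) or AMD-V (svm) in /proc/cpuinfo, that /etc/fstab carries the btrfs entry for /var/lib/libvirt together with its subvol= option, and that the user really is listed in the libvirt group, which is the usual reason things still fail until the user logs in again. The file paths are parameters so the functions can be exercised against constructed sample files; the defaults point at the live system, and the group name libvirt is assumed from the usermod command above.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# KVM/libvirt setup described above. Every check reads from a file given as
# an argument so it can be run against constructed samples; the defaults
# point at the live system.

# Return 0 if the cpuinfo file lists Intel VT-x (vmx) or AMD-V (svm).
cpu_supports_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo"
}

# Return 0 if the fstab file has an active (non-comment) btrfs entry for
# the mount point.
fstab_has_btrfs_mount() {
    fstab="${1:-/etc/fstab}"; mountpoint="${2:-/var/lib/libvirt}"
    awk -v mp="$mountpoint" \
        '$1 !~ /^#/ && $2 == mp && $3 == "btrfs" { found = 1 } END { exit !found }' "$fstab"
}

# Print the subvol= value of the fstab entry for the mount point (prints
# nothing if the entry has no such option).
fstab_subvol() {
    fstab="${1:-/etc/fstab}"; mountpoint="${2:-/var/lib/libvirt}"
    awk -v mp="$mountpoint" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^subvol=/) { sub(/^subvol=/, "", opt[i]); print opt[i] }
        }' "$fstab"
}

# Return 0 if the user is a member of the group in the given group file.
# This reads the file, not the running session, which is why a fresh login
# is still needed after usermod before virt-manager can use the socket.
user_in_group() {
    groupfile="${1:-/etc/group}"; group="${2:-libvirt}"; user="$3"
    awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$groupfile"
}

# Run all checks against the live system for the given user and report.
preflight() {
    user="${1:-$(id -un)}"; rc=0
    cpu_supports_virt && echo "ok: CPU has vmx/svm" \
        || { echo "FAIL: no vmx/svm in /proc/cpuinfo"; rc=1; }
    fstab_has_btrfs_mount && echo "ok: btrfs fstab entry for /var/lib/libvirt (subvol=$(fstab_subvol))" \
        || { echo "FAIL: no btrfs fstab entry for /var/lib/libvirt"; rc=1; }
    user_in_group /etc/group libvirt "$user" && echo "ok: $user is in group libvirt" \
        || { echo "FAIL: $user is not in group libvirt (usermod, then log in again)"; rc=1; }
    return $rc
}

# Usage: sh kvm-preflight.sh --check [user]
if [ "${1:-}" = "--check" ]; then
    preflight "${2:-}"
fi
```

Run it with `--check` after the usermod step and again after logging back in; the group check only reports what /etc/group says, so it passes as soon as usermod has run, while the session still has to be renewed for the new membership to take effect.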

For now KVM appears to be a good and free alternative to VirtualBox and VMware. It may need some more love in the future, but for now it deserves some more testing from my side, together with SELinux for stronger separation of virtual machines. Maybe I can say goodbye to DKMS recompiling VirtualBox modules with every release, and to the Qt toolkit as a dependency of VirtualBox, and switch back to the default GTK toolkit on my machine.

Categories
Internet, Unix en security

A goodbye to Java

In the past I already removed Flash and Mono from my systems due to security concerns, and CVE-2011-3544 was the final call for Java. It took some dependency checking, as Debian was replacing OpenJDK with GCJ or vice versa in most cases, but the command below finished it on a lot of systems. I said farewell to NetBeans a long time ago since it was too slow on my system, and the only thing left was LibreOffice Base, which needed to be removed as well.

$ sudo apt-get remove --purge libgcj12 libgcj-common gcj-4.6-jre-headless \
    libgcj12-awt default-jre-headless

This action also made me wonder about the state of LibreOffice, as it is mainly a big blob of code on the system, like Firefox is as well by the way. I read somewhere on their website that making Java optional is a long-term goal, but will it be enough? For now it should be, as I prefer my documents in OpenDocument format. When the next GTK3-based versions of AbiWord and Gnumeric are released I need to do some testing again to see if they support OpenDocument better now.

Categories
Internet, Unix en security

No smooth transition in Debian

Bug report 638019 appeared to be very straightforward, until the code finally hit Debian Testing last weekend. A simple relocation of a FIFO buffer from /dev to /run caused immediate trouble for machines with systemd, and a normal shutdown wasn't possible anymore. Both bugs 657979 and 657990 are a result of the modification. Seeing the overview of affected files made me go back to the previous working release of source package sysvinit with the following commands:

$ cd `xdg-user-dir DOWNLOAD`
$ wget http://snapshot.debian.org/archive/debian/20111223T034013Z/pool/main/s/sysvinit/bootlogd_2.88dsf-18_amd64.deb
$ wget http://snapshot.debian.org/archive/debian/20111223T034013Z/pool/main/s/sysvinit/initscripts_2.88dsf-18_amd64.deb
$ wget http://snapshot.debian.org/archive/debian/20111223T034013Z/pool/main/s/sysvinit/sysv-rc_2.88dsf-18_all.deb
$ wget http://snapshot.debian.org/archive/debian/20111223T034013Z/pool/main/s/sysvinit/sysvinit-utils_2.88dsf-18_amd64.deb
$ wget http://snapshot.debian.org/archive/debian/20111223T034013Z/pool/main/s/sysvinit/sysvinit_2.88dsf-18_amd64.deb
$ dpkg -i bootlogd_2.88dsf-18_amd64.deb initscripts_2.88dsf-18_amd64.deb sysvinit_2.88dsf-18_amd64.deb sysvinit-utils_2.88dsf-18_amd64.deb sysv-rc_2.88dsf-18_all.deb

And as there is no solution for now except a dependency change for systemd, the packages are being placed on hold, like the last time they broke systemd.

$ echo "bootlogd hold" | sudo dpkg --set-selections
$ echo "initscripts hold" | sudo dpkg --set-selections
$ echo "sysvinit hold" | sudo dpkg --set-selections
$ echo "sysvinit-utils hold" | sudo dpkg --set-selections
$ echo "sysv-rc hold" | sudo dpkg --set-selections
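As an added example that is not part of the original post, the script below does the hold step above in one go and makes it repeatable: it reads the current selection state, holds only the packages that are not held yet, and prints the resulting hold list so the downgrade can be audited later. The selection state is taken from a file so the logic can be checked against a constructed listing; on a live system that file is the output of `dpkg --get-selections`. The package names are the five from the post.

```shell
#!/bin/sh
# Added example, not from the original post: put the downgraded sysvinit
# packages on hold only where needed and report what is held afterwards.
# The selection state is read from a file so the logic can be checked
# against a constructed listing; live, that file is `dpkg --get-selections`.

# Print the packages a `dpkg --get-selections` listing shows as "hold".
held_packages() {
    awk '$2 == "hold" { print $1 }' "$1"
}

# Print those of the given packages that the listing does not show as held.
packages_to_hold() {
    selections="$1"; shift
    for pkg in "$@"; do
        if ! awk -v p="$pkg" '$1 == p && $2 == "hold" { f = 1 } END { exit !f }' "$selections"; then
            echo "$pkg"
        fi
    done
}

# Turn package names into the "name hold" lines dpkg --set-selections reads.
hold_lines() {
    for pkg in "$@"; do printf '%s hold\n' "$pkg"; done
}

# Live use (needs root):
#   sh hold-sysvinit.sh --apply bootlogd initscripts sysvinit sysvinit-utils sysv-rc
# Records the current state, holds what is not yet held and prints the
# resulting hold list.
if [ "${1:-}" = "--apply" ]; then
    shift
    current=$(mktemp)
    dpkg --get-selections > "$current"
    # word-splitting of the package list is intended here
    # shellcheck disable=SC2046
    hold_lines $(packages_to_hold "$current" "$@") | dpkg --set-selections
    dpkg --get-selections > "$current"
    echo "packages on hold now:"
    held_packages "$current"
    rm -f "$current"
fi
```

Keeping the hold list printed at the end in the shell history or a notes file makes it easy to find the packages again when the dependency fix lands and the holds should be released with `dpkg --set-selections` and `install` instead of `hold`.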

It sounds strange to Linux people, but I really wish I had an alternative boot environment like Solaris has. Maybe this is the reason for me to invest more time in read-write within BtrFS.

Categories
Internet, Unix en security Life and society

Blocking the piratebay

In a previous post it became clear that censorship in the Netherlands has started. Due to the nature of the Internet and how it is implemented in most countries, there is no central point of control to stop all traffic to an IP address. This means every network owner needs to take action, but how do they do it?

In the case of thepiratebay.org it looks like it has been done by manipulating DNS answers. The first attempt just uses the DNS resolver of the Internet access provider, and the second uses Google's public resolvers.

$ dig thepiratebay.org

; <<>> DiG 9.8.1 <<>> thepiratebay.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;thepiratebay.org.		IN	A

;; ANSWER SECTION:
thepiratebay.org.	10	IN	A	194.109.6.92

;; ADDITIONAL SECTION:
thepiratebay.org.	10	IN	TXT	"Forged by XS4ALL for Stichting B.R.E.I.N."

;; Query time: 19 msec
;; SERVER: 192.168.178.1#53(192.168.178.1)
;; WHEN: Sat Feb  4 08:15:35 2012
;; MSG SIZE  rcvd: 104

$ dig thepiratebay.org @8.8.8.8

; <<>> DiG 9.8.1 <<>> thepiratebay.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;thepiratebay.org.		IN	A

;; ANSWER SECTION:
thepiratebay.org.	2596	IN	A	194.71.107.50

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb  4 08:16:16 2012
;; MSG SIZE  rcvd: 50

By just changing DNS resolvers on the client or Internet router the censorship can be bypassed for now. The question remaining is how long this is going to hold when the first article is published by a big computer magazine on how to bypass it, or when sites also get a .onion address to bypass DNS completely.
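The two dig runs above differ in three ways that a script can pick up: the A record itself, the unusually short TTL of 10 seconds on the provider's answer, and the TXT record the provider slipped into the additional section. The script below is an added example, not part of the original post: it takes saved dig output for the same name from the local resolver and from a reference resolver and reports each of those signs, which is a cheap way to notice when a resolver starts handing out answers that are not the zone's. The sample files it writes are constructed from the two answers shown above, so it also runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: compare the A answers two
# resolvers give for the same name and look for the telltale signs seen
# above (differing addresses, a very short TTL, an explanatory TXT record).
# Input is saved dig output, so it also runs offline against the samples below.

# Print the A-record addresses from a saved dig output, sorted.
a_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { print $5 }' "$1" | sort
}

# Print the smallest TTL among the A answers (nothing if there are none).
min_a_ttl() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { if (t == "" || $2 + 0 < t + 0) t = $2 }
         END { if (t != "") print t }' "$1"
}

# Print the data of any TXT record in the output, whichever section it is in.
txt_records() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "TXT" { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' "$1"
}

# Return 0 when both outputs carry the same set of A addresses.
answers_agree() {
    [ "$(a_records "$1")" = "$(a_records "$2")" ]
}

# Compare a local-resolver answer with a reference-resolver answer. Prints one
# finding per line and returns 1 if anything was found, 0 if they look alike.
compare_answers() {
    local_out="$1"; ref_out="$2"; findings=0
    if ! answers_agree "$local_out" "$ref_out"; then
        echo "A records differ: local=$(a_records "$local_out" | tr '\n' ' ')reference=$(a_records "$ref_out" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    ttl=$(min_a_ttl "$local_out")
    if [ -n "$ttl" ] && [ "$ttl" -lt 60 ]; then
        echo "local answer has a very short TTL (${ttl}s)"
        findings=$((findings + 1))
    fi
    txt=$(txt_records "$local_out")
    if [ -n "$txt" ]; then
        echo "local answer carries TXT data: $txt"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files, reduced to the record lines of the two dig runs
# in the post above (provider resolver versus 8.8.8.8).
write_samples() {
    dir="$1"
    cat > "$dir/local.txt" <<'EOF'
;; ANSWER SECTION:
thepiratebay.org.	10	IN	A	194.109.6.92

;; ADDITIONAL SECTION:
thepiratebay.org.	10	IN	TXT	"Forged by XS4ALL for Stichting B.R.E.I.N."
EOF
    cat > "$dir/reference.txt" <<'EOF'
;; ANSWER SECTION:
thepiratebay.org.	2596	IN	A	194.71.107.50
EOF
}

# Live use:  dig example.org > local.txt; dig example.org @8.8.8.8 > reference.txt
#            sh compare-dns.sh local.txt reference.txt
# With --demo the constructed samples are compared instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    compare_answers "$d/local.txt" "$d/reference.txt"; rm -rf "$d"
elif [ $# -eq 2 ]; then
    compare_answers "$1" "$2"
fi
```

Two resolvers disagreeing is not proof of tampering on its own (geo-based answers and stale caches do that too), but a TTL of seconds combined with an unsolicited TXT record is exactly the signature of the provider-side rewrite shown above, and running the comparison from a cron job against a handful of names you care about turns it into a simple resolver-integrity check.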