Category Archives: linux

Defending against shell shock

I started writing a longer post about the so-called shell shock, with analysis of what makes a web server vulnerable or secure.  Or, strictly speaking, not a webserver, but a platform an attacker might access through a web server.  But I’m not sure when I’ll find time to do justice to that, so here’s the short announcement:

I’ve updated mod_taint to offer an ultra-simple defence against the risk of shell shock attacks coming through Apache HTTPD, versions 2.2 or later.  A new simplified configuration option is provided specifically for this problem:

    LoadModule taint_module modules/mod_taint.so
    Untaint shellshock

mod_taint source and documentation are at http://people.apache.org/~niq/mod_taint.c and http://people.apache.org/~niq/mod_taint.html respectively.

Here’s some detail from what I posted earlier to the Apache mailinglists:

Untaint works in a directory context, so can be selectively enabled for potentially-vulnerable apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.

This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid) any other subprocess environment variables. It untaints them against a regexp that checks for “()” at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.

Feedback welcome, indeed solicited. I believe this is a simple but sensible approach to protecting potentially-vulnerable systems, but I’m open to contrary views. The exact details, including the shellshock regexp itself, could probably use some refinement. And of course, bug reports!
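As an added illustration of the check described above (this is not mod_taint's own code, which is a C module, and the regexp it actually uses is not shown here), the following Python models "Untaint shellshock" over the environment a CGI script would inherit. The regexp, which tolerates leading whitespace before the "()", and the sample requests are assumptions and constructed data, not anything from the original post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Approximation of mod_taint's "shellshock" regexp. The post says the module
# checks for "()" at the beginning of a variable; the exact regexp is not
# shown, so this pattern (leading whitespace tolerated) is an assumption.
# An exported bash function definition begins "() {".
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)")


def cgi_environment(headers: Dict[str, str], path_info: str,
                    query_string: str,
                    extra_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the subprocess environment a CGI script would inherit.

    Apache exports each request header as HTTP_<NAME> (upper-cased, dashes to
    underscores) alongside PATH_INFO and QUERY_STRING, so every value here is
    attacker-controlled before the script even starts.
    """
    env = {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}
    env["PATH_INFO"] = path_info
    env["QUERY_STRING"] = query_string
    if extra_env:
        env.update(extra_env)
    return env


def tainted_vars(env: Dict[str, str]) -> List[str]:
    """Names of variables whose value starts with '()'."""
    return sorted(name for name, value in env.items()
                  if SHELLSHOCK_RE.match(value))


def untaint_shellshock(env: Dict[str, str]) -> Tuple[int, List[str]]:
    """Mirror of 'Untaint shellshock': 400 Bad Request if any variable is
    tainted, otherwise 200 and the request may proceed."""
    bad = tainted_vars(env)
    return (400 if bad else 200), bad


# Constructed sample requests (not real traffic).
BENIGN_ENV = cgi_environment(
    {"Host": "www.example.com", "User-Agent": "Mozilla/5.0 (X11; Linux)"},
    path_info="/report",
    query_string="fn=total()&year=2014")   # "()" mid-value is not flagged

HOSTILE_ENV = cgi_environment(
    {"Host": "www.example.com",
     # a function-definition-shaped value in an arbitrary request header
     "User-Agent": "() { :; }; echo tainted"},
    path_info="/report",
    query_string="year=2014")

PADDED_ENV = cgi_environment(
    {"Host": "www.example.com"},
    path_info="/report",
    query_string="  () { :; }; echo tainted")   # leading-whitespace variant


if __name__ == "__main__":
    for label, env in (("benign", BENIGN_ENV), ("hostile", HOSTILE_ENV),
                       ("padded", PADDED_ENV)):
        status, bad = untaint_shellshock(env)
        print(f"{label}: HTTP {status} tainted={bad}")
```

The point of the model is that the decision is taken before anything is executed: a 400 is returned on the request as a whole, and only values that begin with "()" are rejected, so a legitimate value that merely contains parentheses passes. It is a filtering layer in front of CGI, SSI or ExtFilter invocations, not a replacement for a patched bash on the host.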

Partitioning with an SSD

I have a new laptop (“ultrabook”) with, as appears to be the norm these days, both a regular hard disc and an SSD device.  The latter should be fast and efficient, but needs to be carefully managed due to the limited number of writes it’ll accept.  Hence anything like a big build with the GNU toolchain has to use the regular hard drive.

I’m thinking through how to partition it.  I presume putting the root of the filesystem on SSD will benefit performance, and the core stuff like /etc, /bin, /sbin and /lib.  And /boot, though I expect rebooting to be a rare thing unless I have trouble with ACPI.  I can tune that to avoid writes with noatime and no journaling.  I expect /var and /home and a swap partition to be kept on the regular hard drive, and /tmp to cohabit with swap, without any need for customisation.

What about /usr?  Development work involves a lot of writes to /usr/local on “make install”.  It’s an order of magnitude less than will be happening on /home, but perhaps I should nevertheless ensure at least /usr/local is on the regular disc?

And what about /dev, /proc, /mnt?  Do any of these filesystem entries map to hard disc activity I need to consider?

I understand hibernate-to-disc is one of the biggest gains of having an SSD.  Can I hibernate to SSD without having a regular swap partition there?  How much does it really gain, and can it be tuned to minimise SSD wear?

New laptop

After 7 years heavy use, my old macbook is showing its age.  The battery has long been knackered: just about adequate to move the machine from one room to another and plug it in to the mains.  The backlight failed last year and needs nursing to keep it working.  And now the battery has reached a point where it powers down if I just accidentally knock the power lead out of place for half a second.

It’s been a good little machine and served its purpose: a laptop with a Unix-family OS and hardware that just worked.  Plus a fantastic display quality that made a desktop substitute of the 13″ screen.  It’s not been trouble-free: I had to replace the disc a while back, but on the whole it’s been great.  But now with two major expensive-to-repair faults, I guess it’s time to look around the market again, and take advantage of other advances, notably further reductions in size and weight since 2006.

I don’t think I’ll go for another Macbook.  My experiences with more recent macbooks have been rather less positive than the old one, while at the same time I’d expect there to be a much wider range of laptops where the more ‘challenging’ things of 2006 – like ACPI and builtin wifi – just work, without hassle.

So what’s a good laptop for Linux[1], or even with Linux preinstalled?  Another 13″ screen will suffice provided the display is of comparable quality to the old Mac, and I’d love it to be genuinely small and light with a good battery life.  That probably implies ‘ultrabook’.  And since I’ll be doing lots of work with the GNU toolchain – which can write hundreds of thousands of tempfiles in a typical build – I can’t alas go for an SSD-only machine.

A bit of preliminary poking around suggests cheapo ultrabooks from Asus or Acer as good candidates with positive experiences from Linux users, and Lenovo and Toshiba as labels to avoid in the ultrabook space.  Comments solicited from readers who know more than I: will a £500-ish ultrabook be a decent working machine, or is it likely to be as shoddy and useless as the Dell I had before the macbook?  Anything in particular to look out for?  Any further suggestions?

[1] Or I’d consider other-*X if someone convinced me it would be hassle-free on an appropriate piece of hardware.

Fear Novell. Or buy Novell.

Remember SCO?  The world’s saddest, most ludicrous software company?  Well, if not, Groklaw has a rich and colourful (not to mention opinionated) archive on the subject.

The ghost of SCO has long since joined that of Jarndyce & Jarndyce, the perpetual litigants.  But this week, an actual decision by a Utah jury: Novell owns the Unix copyrights.

Some believe SCO’s litigation was inherently doomed: there’s nothing to be had from Unix IP.  Yes, there’s value, but that’s long-since been opened to the world, and of course independently re-engineered elsewhere, most importantly in GNU/Linux.

Others take a different view: there’s gold beyond the dreams of avarice in that Unix IP.  SCO had a great idea; they just made a hash of executing it.  After all, in the real world, pirates have taken such major companies as Blackberry-maker RIM and even Microsoft to the cleaners over IP that is, by any standards, a drop in the ocean set against UNIX.

So when a hedge fund bids for Novell, I expect they’re in the latter camp.  They’re not an Oracle, a huge and powerful software company getting Sun, a crown-jewel complementary company on the cheap.  They’re a pure money-machine.  They have no business to fit Novell’s.  So it seems likely they want the crown jewels of Novell’s IP.

That was before the jury declared Novell owner of such an important part of the IP!  It must be worth more now, to a cash-rich wannabe-pirate.

Novell under current management has shown itself benign, and hero of the SCO story.  Under other management, all bets would be off.  The fact that they rejected one bid (or did they?) doesn’t necessarily mean they’ll always be able to do so – that’s up to the shareholders.

How much is it worth to lay that spectre to rest?  Are you a shareholder, and if not, why not?

Living with Maemo

OK, I’ve had the new pocket-puter a couple of weeks now, and apart from that keyboard I like it.  As predicted, I’ve come to terms with the touchscreen and find it easy to use (except for some web controls which can be hard to pick up: e.g. the volume control on the BBC iplayer).

Overall, I prefer the hardware on the old E71, with the obvious exceptions of the screen and camera where the N900 excels.  But the Maemo software is incomparably better.  Just to take one example, I want to connect to the ‘net using a wifi network where available but otherwise defaulting to the telephone network.  While Symbian requires a deal of faffing to do that, Maemo “just works”.

When I was contemplating the purchase, I asked on this blog what Maemo really is, and was assured that it’s a real Linux.  I can confirm that it is indeed that, and that I can install Linux packages through the Debian tools (apt-get et al).  I have yet to install gcc and a developer environment, but I don’t anticipate any difficulty with it.

Maemo is not stripped down to a toy: rather it takes a Debian base, and adds an alternative GUI, which is optimised for the small screen.  It’s intuitive and easy to use, and makes brilliant use of available screen space and the touchscreen.  Interactive applications toggle easily between fullscreen, fullscreen-with-toolbar, and thumbnail (minimised) with a consistent look-and-feel.  The web browser is a small-screen skin on gecko (firefox), and is not bad.  The mailer is positively nice, or will be when I figure out how to fix composition to get rid of pseudo-HTML: much better than some mainstream mailers I use, including thunderbird and to a lesser extent Mac mail.

One thing has me baffled: how do I bootstrap a password either for root or sudo?  After googling for a solution, I worked around it by installing a rootshell which gets me passwordless root powers (!), but that’s not the kind of hack to which I expect to have to resort.  /me shudders.

I’ve looked at Nokia’s OVI store, but I don’t see so much point to most of it when I have the whole repertoire of *X apps at my fingertips.  OK, having said that, I’m sure I’ll install some things: the radio player, for instance.  I installed a weather widget, but I don’t even recollect if that was from OVI or pre-loaded, and it’s only really a toy.  The only serious app I installed was the root shell, which seems to be a prerequisite for using apt!

One more slight niggle: on the E71, Nokia’s maps are nice, but Google’s are nicer.  On the N900 there’s no google maps: I can get them on the ‘net, but that loses the GPS functionality.  So it’s Nokia or nothing with the GPS.

But in a sense, all this is mere detail.  What I now have is connectivity from anywhere I can get the ‘phone network.  So I needn’t lose email, ssh, etc (and be fretting to get home) when I spend a day or two somewhere with no wifi available, whether it be in a technophobe house or up on the moors.  Yay!

New toy

I have a new toy: an Acer Revo box, which I’m using as a desktop.  Ideally I’d’ve liked something ARM-powered (for low power consumption), but the Acer has an Atom processor, which seems to be the best available in the real world without having to DIY hardware.

It’s a lovely box: tiny size (smaller than a laptop, due to the latter having a screen), sleek to look at, and blissfully quiet.  And Acer evidently believe in people who dual-boot: the machine was supplied with three disc partitions, of which one was formatted but unused by the inevitable windows installation.  So that’s somewhere to install a real OS without losing the windoze games supplied (I have yet to play them, but …).

I’ve now got around to installing Linux on it.  This required a bit of reading TFM, as it has neither a floppy nor a CDROM drive, so I had to figure out making a bootable installation image on a USB stick.  I selected a kubuntu image, and after some faff with the install (the installer wanted to do something strange with the partitions, so I ran fdisk by hand instead) I have a working kubuntu.  Some more faff getting the display to work correctly (cursing the absence of xorg.conf, and installing a non-free nvidia driver), and it’s up and running.  Wow, it’s been quite a few years since a linux install didn’t “just work” without my having to do anything!

And I’m reminded just how long it is since I used KDE: I’ve run gnome on both linux and solaris variants for some years.  It seems really strange now, and I’m missing gnome’s nice little dock for my favourite apps.  Time will tell if I stick with it or switch!

Convergence?

Convergence between the ‘puter and the mobile ‘phone is coming.  My existing phone (E71) is a step along the way, and arguably skype on the laptop is approaching from the other direction.

Now Nokia have released the N900, and I’m thinking this looks interesting.  Have they bridged the gap to the point of being worth buying as a converged device, or is this still no more than an interesting device that nearly makes it?

On the plus side, it’s a Linux box, with builtin display but also the capability of plugging in to a monitor, keyboard and mouse when at a desk, all in a unit that’ll fit in a pocket, and can be used in a smaller space than a conventional laptop/netbook.  And with a SIM card it offers builtin connectivity.

As against that, it’s on the bulky side for a mobile ‘phone, and lacks the battery life of the E71 or a simpler device.  One wouldn’t want it to replace the phone.

And the crux of the matter: is Maemo really Linux as we know it, or am I going to find it a waste of time to attach that keyboard and monitor and try to use it as a porta-‘puter?

I guess a good proxy for that question is, does it run X11 natively / without fuss?  If it does, I think enough follows from that to make it a real ‘puter.  If not, what I want may still be vaporware.

Anyone using the device as I envisage?  Or tried but found it problematic?

Sun Glassfish Webstack 1.5

Sun Glassfish Web Stack 1.5 is out this week, for Solaris and Linux platforms.

This is the latest update to the webstack, and like previous versions is available both as a free download and commercially as a supported product in a choice of bundles, to meet the needs of everyone from enterprise clients, through small and medium size business and startups, to students and hobbyists.  The most striking change for most users will probably be the shiny new Enterprise Manager dashboard.

Open sourcers will note the updates to the constituent open-source components of the webstack.  In this context, and in view of my recent blog entry, I should perhaps mention that while the Apache HTTPD version bundled is 2.2.11, it does include local patches, most importantly the security fixes in this week’s 2.2.12 release from Apache.  Other components are similarly upgraded.

selinux

Just attended a talk by Ralph Angenendt on selinux.  Most of what he said concerned selinux with apache, and much of it was negative: error messages are unhelpful, it’s under-documented, and he’s not aware of anyone working to make apache selinux-aware.  Furthermore, a lot of selinux policies duplicate the functionality of apache’s own configuration directives: for example, selinux can be used to disable whole features such as userdirs, CGI execution, and SSI.

Add the fact that the room was horrible, and some idiots were chatting away so I had to strain to hear the speaker, and it was a sadly unproductive talk.  I fear selinux will continue to be seen as the enemy for the foreseeable future.

netbooks to run cool!

The agreement between Canonical and ARM to support Linux on ARM is one of the most exciting in the tech industry.  Canonical is the company behind Ubuntu, the Linux distro providing the best out-of-the-box desktop experience, and clearly has expertise in that classic geek blind spot: providing for the resolutely dumb consumer.  And ARM has the processor with the single most important advantage today: power consumption an order of magnitude better than Intel and other rivals.

Supported Ubuntu on ARM is, I understand, aimed at ARM’s existing market in ultra-portable devices.  But in principle it could also pave the way for a laptop and even a desktop that’ll run cool.  And in the laptop’s case, the choice of much-improved battery life or a significant weight-saving.  Amongst existing netbook devices, the ARM-driven Nokia N810, at less than half the weight of an Intel-powered Eee PC or its imitators, could be a forerunner of a whole family of better things.

For myself, I’ve long looked for lower power consumption in all my computing.  A big thank you to ARM and Canonical for bringing the prospect closer!

p.s. Yes, I know linux is already supported on ARM, but I understand it’s something quite limited.  And it hasn’t caught the market the way the Eee-family has, and that the Canonical deal may lead to.
