Flyn Computing

gowasmdemo

Thu, 02 Oct 2025 10:15:55 -0400

Overview

This project provides a starting point for web applications written entirely in Go. The client-side portion of the example compiles to WebAssembly.

Downloads

The gowasmdemo project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/gowasmdemo

reflectcrud

Sun, 09 Mar 2025 10:07:45 -0400

Overview

Reflectcrud allows for a Go program to interact with an SQL database using reflection. For example, you can create a table in a database by providing only a Go structure that contains a few field tags.

Downloads

The reflectcrud project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/reflectcrud

Terminal colors

Wed, 14 Aug 2024 10:33:41 -0400

Setting your terminal’s colors is a matter of use and personal preference, but it is generally important that the colors contrast sufficiently to leave text legible. Use of a projector, operating equipment in dark or sunny conditions, and office environments can all impact color choice. My uses favor a dark background with vibrant foreground colors.

The basis for color terminals is commonly related to the ANSI standard that defined eight colors. Modern terminals often support far more colors, but building a palette based on the original eight leaves applications displaying more-or-less as intended. If you deviate too much, you might find a terminal application uses green—rather than red—for a critical alert or places light blue text on a blue background. An example of careful color selection is Ethan Schoonover’s Solarised.

Here are the original eight colors, along with their bold variants (i.e., modifier = 1), which brings the total count to sixteen:

Modifier	Value	Normal hue	Escape code example
0	30	Black	`printf '\033[0;30mCOLOR\033[0m'`
0	31	Red	`printf '\033[0;31mCOLOR\033[0m'`
0	32	Green	`printf '\033[0;32mCOLOR\033[0m'`
0	33	Brown/Orange	`printf '\033[0;33mCOLOR\033[0m'`
0	34	Blue	`printf '\033[0;34mCOLOR\033[0m'`
0	35	Purple	`printf '\033[0;35mCOLOR\033[0m'`
0	36	Cyan	`printf '\033[0;36mCOLOR\033[0m'`
0	37	Light Gray	`printf '\033[0;37mCOLOR\033[0m'`
1	30	Dark Gray	`printf '\033[1;30mCOLOR\033[0m'`
1	31	Light Red	`printf '\033[1;31mCOLOR\033[0m'`
1	32	Light Green	`printf '\033[1;32mCOLOR\033[0m'`
1	33	Yellow	`printf '\033[1;33mCOLOR\033[0m'`
1	34	Light Blue	`printf '\033[1;34mCOLOR\033[0m'`
1	35	Light Purple	`printf '\033[1;35mCOLOR\033[0m'`
1	36	Light Cyan	`printf '\033[1;36mCOLOR\033[0m'`
1	37	White	`printf '\033[1;37mCOLOR\033[0m'`

My color preferences follow. I do not use the full GNOME desktop environment, but many of my applications, including gnome-terminal, follow GNOME’s settings.

Set the TERM environment variable to hold the value xterm-256color.
Run gnome-control-center, and set GNOME→Appearance→Style to Dark.
Run gnome-terminal, and select Custom in Preferences→Colors. Next, customize the following values:

Palette entry 0: #000000
Palette entry 1: #ff0000
Palette entry 2: #00ff00
Palette entry 3: #ff8800
Palette entry 4: #00ccff
Palette entry 5: #ff00ff
Palette entry 6: #00ffff
Palette entry 7: #f0f0f0
Palette entry 8: #888888
Palette entry 9: #ff8888
Palette entry 10: #88ff88
Palette entry 11: #ffff00
Palette entry 12: #8888ff
Palette entry 13: #ff88ff
Palette entry 14: #88ffff
Palette entry 15: #ffffff

Edit .vimrc and add colorscheme=koehler.
Edit .muttrc and add the following color definitions (notice mutt expects variants of the ANSI colors):

color hdrdefault red default
color quoted yellow default
color signature red default
color indicator black brightyellow
color error brightred default
color status black white
color tree magenta default
color tilde magenta default
color message brightcyan default
color markers brightcyan default
color attachment brightmagenta default
color search default green
color header blue default ^(From|Subject|To):
color body magenta default "(ftp|http)://[^ ]+"
color body magenta default [-a-z_0-9.]+@[-a-z_0-9.]+
color underline brightgreen default
color index black brightred '~h "X-Spam-Flag: YES"'    # Spamassassin.
color index black brightyellow '~h "X-Bogosity: Spam"' # Bogofilter.

Testing terminal colors involves running various commands and observing the appearance of their output. You should test under the conditions you expect, such as with a projector, in sunlight, or in a dark office. Here are some illustrative commands:

mutt
dircolors --print-ls-colors (and the LS_COLORS environment variable)
grep
vim (view various languages and HTML)
diff --color
git diff
git log
git status

FIDO2 and its companions

Tue, 21 Nov 2023 13:42:58 -0400

Commands that interact with a YubiKey

Display basic information about an attached YubiKey:

ykman info

Disable YubiKey features:

ykman config usb --disable F, where F is OTP, OATH, PIV, OPENPGP, or HSMAUTH

Change a YubiKey's PIN:

ykman fido access change-pin

Reset a YubiKey's PIN and other persistent storage:

ykman fido reset

List the credentials present on a YubiKey:

ykman fido credentials list

Courses as Code: The Aquinas Learning System

Mon, 01 Aug 2022 00:00:00 +0000

alpine-build

Sat, 09 Jul 2022 09:02:58 -0400

The alpine-build script builds an Alpine disk image from a JSON-encoded definition. See definitions/example.json for one such definition.

The alpine-build project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/alpine-build

golatex

Thu, 14 Apr 2022 09:28:26 -0400

Overview

GoLaTeX provides routines for the Go programming language that are helpful when writing code that involves LaTeX.

Downloads

The golatex project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/golatex

safe

Thu, 14 Apr 2022 09:28:26 -0400

Overview

Safe provides routines for the Go programming language that sanitize, unmarshal, and marshal input.

Downloads

The safe project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/safe

wasm

Thu, 14 Apr 2022 09:28:26 -0400

Overview

Wasm provides routines for the Go programming language that are helpful when writing code that is compiled to WebAssembly.

Downloads

The wasm project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/wasm

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture

Wed, 01 Sep 2021 00:00:00 +0000

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 2: Instruction Set Reference

Wed, 01 Sep 2021 00:00:00 +0000

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3: System Programming Guide

Wed, 01 Sep 2021 00:00:00 +0000

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 4: Model-Specific Registers

Wed, 01 Sep 2021 00:00:00 +0000

Web security playground

Wed, 24 Mar 2021 12:01:36 -0500

View this page in various browsers to observe how they handle different aspects of web security. Most browsers include development tools that will allow you to inspect your browser’s behavior.

Loading this page created the following cookies:

<script>
	document.cookie = "name1=val1; SameSite=Strict";
	document.cookie = "name2=val2; Path=/; SameSite=Strict";
	document.cookie = "name3=val3; Path=/; SameSite=Lax";
	document.cookie = "name4=val4; Path=/; SameSite=None; Secure";
</script>

Reloading this page should cause your browser to submit cookies “name1”, “name2”, “name2”, and “name4”.

This link should cause your browser to submit cookies “name2”, “name3”, and “name4”. The default Path attribute forbids cookie “name1” here.

Selecting this link and then following the “Flyn Computing” link therein back to https://www.flyn.org should cause your browser to submit cookies “name3” and “name4”. The SameSite=Strict attribute causes your browser not to submit cookie “name2” when entering this site from another.

An HTML document that is provided by another web server and that references the image at https://www.flyn.org/projects/VisorFlow/fig-architecture.png should cause your browser to submit cookie “name4”. Your browser will only submit cookies marked with SameSite=None in such a cross-site scenario. See, for example, https://www.cs.uwlax.edu/~wpetullo/web-security.html.

Mixed passive content

The following image is fetched using HTTP. Many browsers will log to their console the presence of mixed passive content, and they might indicate this with a broken security lock.

Source:

<img src="http://nacl.cr.yp.to/cace-logo-25.png"/>

Mixed active content

The following “script” is fetched using HTTP. Many browsers will refuse to load this mixed active content, and many will log this refusal to their console.

<script src="http://cr.yp.to/"></script>

HTTPS Strict Transport Security

This web server makes use of HTTPS Strict Transport Security. You should find that it provides a Strict-Transport-Security field in its response headers.

This page attempts to load WebAssembly code from https://www.aquinas.dev/wasm/busycrate.wasm. This should fail because (1) the domain hosting the code is different than the domain hosting this page and (2) aquinas.dev does not set the Access-Control-Allow-Origin header. A server sets an Access-Control-Allow-Origin header to indicate that its API is meant for use from third-party sites. Many browsers will log to their console the action they take to block these types of requests.

<script>
const go = new Go();
go.argv = [];
WebAssembly.instantiateStreaming(fetch("https://www.aquinas.dev/wasm/busycrate.wasm"), go.importObject).then((result) => {
    go.run(result.instance);
});
</script>

This page also loads JavaScript code from https://api.flyn.org/httpsmtp/wasm_exec.js. The browser allows this because the server at api.flyn.org sets the appropriate CORS header.

<script src="https://api.flyn.org/httpsmtp/wasm_exec.js"></script>

Note that the user could load the code in either of the above cases by clicking on the links. CORS regulates only fetches from JavaScript, WebAssembly, and other dynamic code ran by the browser. The use of a Content-Security-Policy header could further define the sites from which this page could load scripts and other resources.

GnuPG signing party

Wed, 17 Mar 2021 20:16:53 -0500

This document summarizes how to host a GnuPG signing party. For a more detailed description that considers how to store keys and how to handle large parties, see The Keysigning Party HOWTO.

If you do not yet have a set of keys, generate them. Run gpg --full-generate-key. Select the default key type, select the default curve or number of bits, indicate a lifetime of five years, and provide your full name and email address.
Obtain your key’s identifier (MY-ID) by running gpg --list-secret-keys. The identifier is comprised of 40 hex digits.
Optionally edit the key to add additional email addresses you own. Run gpg --edit-key MY-ID, and execute adduid and save.
Export your key by running gpg --armor --export MY-ID. Share this form of your key with the other key-signing attendees.
Prepare to confirm the other attendees safely received your key: Display your key’s fingerprint with gpg --fingerprint MY-ID. The fingerprint is comprised of 40 hex digits, and they are separated by spaces to make them easier for a human to read.
Import other attendee keys with gpg --import F, where F is a file containing their exported key.
Find each attendee’s key by running gpg --list-keys, and note its identifier (HIS-ID).
For each key identifier HIS-ID, run gpg --fingerprint HIS-ID. Verbally confirm the fingerprint with its owner. Once satisfied, run gpg --sign-key HIS-ID. This records that you have met the owner of the key, and that you confirmed the key is valid.

Now you can safely encrypt messages intended for the owners of keys you imported and verified. For example, encrypt the file F for the recipient bob@example.com by running the command gpg --encrypt --recipient=bob@example.com --compress-algo none --armor F.

The Industrial Age of Hacking

Fri, 01 Jan 2021 00:00:00 +0000

Towards Binary Diversified Challenges For A Hands-On Reverse Engineering Course

Fri, 01 Jan 2021 00:00:00 +0000

OpenWrt and SELinux

Tue, 01 Sep 2020 00:00:00 +0000

The Industrial Age of Hacking

Sat, 01 Aug 2020 00:00:00 +0000

OpenWrt-based XMPP server

Wed, 03 Jun 2020 14:56:43 -0400

This document describes how to build an OpenWrt-based XMPP server. We build on top of OpenWrt because of the distribution’s simplicity and small size. Here we assume that the server will run within the confines of a Xen hypervisor.

Establish the VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host the XMPP server:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Write the following at /etc/xen/vm-prosody.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "prosody"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/prosody-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on the VM:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
        luci-app-firewall \
        luci-lib-ip \
	luci-lib-jsonc \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        freifunk-watchdog \
        prosody \
        zoneinfo-core \
        zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring the Prosody chat server

/etc/prosody/certs/example.com.cert: Concatenate your certificate, the immediate certificate, and the root certificate to produce etc/prosody/certs/example.com.cert.
/etc/prosody/certs/example.com.key: Place your private key in etc/prosody/certs/example.com.key.
/etc/prosody/prosody.cfg.lua (replace example.com):

admins = { }

modules_enabled = {
	"roster";
	"saslauth";
	"tls";
	"dialback";
	"disco";
	"private";
	"vcard";
	"legacyauth";
	"version";
	"uptime";
	"time";
	"ping";
	"pep";
	"register";
	"posix";
};

allow_registration = false;

pidfile = "/var/run/prosody/prosody.pid";
	
ssl = { 
	key = "/etc/prosody/certs/example.com.key";
	certificate = "/etc/prosody/certs/example.com.cert";
	c2s_require_encryption = true;
	s2s_require_encryption = true;
}

log = {
	{ levels = { "error" }; to = "syslog";  };
	{ levels = { "error" }; to = "file"; 
		filename = "/var/log/prosody/prosody.err";  };
	{ levels = { min = "info" }; to = "file"; 
		filename = "/var/log/prosody/prosody.log";  };
}

VirtualHost "example.com"
	enabled = true

Set the ownership of Prosody’s sensitive files using chown prosody /etc/prosody/certs/*, and set the permissions on these files with chmod 600 /etc/prosody/certs/*.
For each prosody user, prosodyctl register USERNAME example.com PASSWORD, replacing USERNAME, PASSWORD, and example.com. (Use LDAP?)

Configure the host firewall

/etc/config/firewall:

config defaults
	option drop_invalid 1
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name lan
	option network lan
	option input DROP
	option output ACCEPT
	option forward DROP

# Allow Jabber client-to-server connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 5222

# Allow Jabber server-to-server connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 5269

Configure basic system settings

/etc/config/system:

config system
	option hostname	prosody.flyn.org
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

ulimit

Fri, 27 Mar 2020 17:33:54 -0400

UNIX provides the getrlimit and setrlimit system calls to limit the resources available to processes, and most shells provide a command—such as ulimit—to provide an interface to these settings. Running ulimit -a using a modern Bourne shell will print the current limitations:

$ ulimit -a
core file size          (blocks, -c) unlimited
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 11724
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 11724
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

The output above included resource categories (e.g., file size), an optional unit (e.g., blocks), the flag used to adjust the resource limit (e.g., -f), and the current limit (e.g., unlimited). Limiting the size of the file that can be created by any process run by the current shell to 1,024 blocks is a matter of running:

$ ulimit -f 1024

Similar commands can limit the other resource categories.

The following program is useful for testing one’s understanding of ulimit. Assuming you save this to a file named ulimitest.c, you can compile this program with cc -o ulimitest ulimitest.c. Inspecting the source should give you an indication of what resources the program uses. The For example, lots_of_files functions simultaneously opens 128 files; this would exceed the limit set by ulimit -n 64.

#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Test -d, data segment size. */
unsigned char buf1[1024 * 1024];

void
recurse(int n)
{
	if (n-- > 1) {
		recurse(n);
	}
}

void
big_file(void)
{
	FILE *f;
	size_t rc;

	f = tmpfile();
	if (NULL == f) {
		perror("error creating temporary file");
		exit(EXIT_FAILURE);
	}

	rc = fwrite(buf1, 1, sizeof buf1, f);	
	if (rc != sizeof buf1) {
		perror("error writing 1 MB to file");
		exit(EXIT_FAILURE);
	}

	fclose(f);
}

void
lots_of_processes(void)
{
	/* NOTE: parent makes 128. */
	pid_t c[127], rc, fail = false;

	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		c[i] = fork();
		switch (c[i]) {
		case -1:
			/* Parent (error). */
			perror("error forking");
			fail = true;
			goto done;
		case 0:
			/* Child. */
			sleep(100);
			exit(EXIT_SUCCESS);
		default:
			/* Parent. */
			{}
		}
	}

done:
	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		kill(c[i], SIGKILL);
	}

	for (int i = 0; i < sizeof c / sizeof *c; i++) {
		rc = waitpid(c[i], NULL, 0);
		if (-1 == rc) {
			perror("error waiting for process");
			exit(EXIT_FAILURE);
		} else if (rc != c[i]) {
			fprintf(stderr, "waited on wrong process\n");
			exit(EXIT_FAILURE);
		}
	}

	if (fail) {
		exit(EXIT_FAILURE);
	}
}

void
lots_of_files(void)
{
	int f[128];

	for (int i = 0; i < sizeof f / sizeof *f; i++) {
		f[i] = open("/dev/null", O_RDONLY);

		if (-1 == f[i]) {
			perror("error opening file");
			exit(EXIT_FAILURE);
		}
	}

	for (int i = 0; i < sizeof f / sizeof *f; i++) {
		close(f[i]);
	}
}

int
main(void)
{
	/* Test -s, stack size. */
	recurse(128);

	/* Test -f, maximum file size. */
	big_file();

	/* Test -m, maximum memory size. */
	unsigned char buf2[1024 * 1024];

	/* Test -n, open files. */
	lots_of_files();

	/* Test -u, open files. */
	lots_of_processes();

	printf("finished\n");

	exit(EXIT_SUCCESS);
}

The -u limit refers to threads rather than strictly processes, and the limit applies to every program the user has running. Ulimitest will try to simultaneously run 128 processes, but you likely already have a number of processes running (to include your shell). Use ps -eLf | grep $USER | wc -l to count the number of threads you are presently running, and take this into account when setting a limit.

USA

Fri, 27 Mar 2020 17:33:54 -0400

I try to buy products that are made in the USA. Here are some manufacturers I have found:

System76 builds their THELIO line of desktop computers in Colorado.
Kendall Howard builds server racks and other products in Minnesota.
Made in USA Tools sells tools from manufacturers that build their products in the USA.

Proposals

Thu, 12 Mar 2020 09:29:06 -0400

I am looking for talented collaborators for ongoing research. Undergraduate and graduate students alike can participate in research, and Master of Software Engineering students can contribute through their capstone project. My interests span software systems and security.

Master of Software Engineering capstone

Students must submit a coherent, well-written proposal before I will take on the task of advising them. Ultimately, student work must demonstrate both the technical ability to complete a challenging programming project and the application of the software engineering principles. When advising capstone projects, I expect to see hard evidence of both of these things. I suggest you keep The Heilmeier Catechism in mind as you form your plan:

What are you trying to do? (State objectives clearly with no jargon.)
How is this done today? What are the limitations of current practice?
What is new in your approach, and why do you think it will be successful?
Who cares? If you are successful, what difference does it make?
What are the risks?
How much will it cost? (Consider both financial and other costs.)
How long will it take?
What are the mid-term and final “exams” to check for success?

Good design, a robust testing regimen, and an introspective approach to software engineering will set you up for success. Frantically trying to get things to work will not. Regarding design, I like the summary of software architecture research that Roy Fielding provided in the abstract of his dissertaion; I summarize his words and apply them to design as:

Determine how to best partition a system.
Define how components identify and communicate with each other.
Express how information is communicated.
Allow for elements of a system to evolve independently.
Describe all of this using formal and informal notations.

Undergraduate and graduate research and project ideas

Research

The following is a list of tasks that might make a good line of student research. Diamonds (♦) indicate the degree of difficulty.

Aquinas

Aquinas has an extensive list of goals, including

perform a privacy and/or security review,
write new lessons,
add a grading scheme that permits revealing test inputs to students whose submission fails,
fix dark mode so that code displays properly
support user-specific assignment variations, and
study the efficacy of Aquinas.

Benchmarks

Modern, repeatable benchmarks for things like Xen, SSH/scp, HTTP, and system calls; a more up-to-date lmbench.

Network benchmarks

IPsec vs. QUIC vs. TLS vs. tcpcrypt vs. MinimaLT: latency, DoS resistence, number of simultaneous connections, etc.

Open-Source Supply-Chain Security

See, e.g., The Linux Foundation's analysis

Little SELinux

SELinux on embedded systems, especially OpenWrt.

Covert channels ♦♦

A covert-channel analysis of the Linux kernel.

Heap protections ♦♦

Memory protections for the Linux heap.

Exfiltration countermeasures

Implement automated countermeasures for DNS- and other exfiltration techniques.

Port Go 1.0 to Ethos ♦♦

We have the differences between upstream and our port of Go r60.3. Changes to Go's Goroutine implementation might add to the difficulty of this task.

Programming language for Ethos ♦♦♦

We would like to develop a language which internalizes ETN definitions and provides IPC that is as convenient and type-safe as Go's channels. Modernize the beauty of C+UNIX!

Go OS ♦♦♦

A simple operating system kernel in Go. Would first require thinking through Go's garbage collector. See Biscut, Go unikernel, and gVisor.

Rust OS ♦♦♦

A simple operating system kernel in Rust. Contribute to Redox OS?

Ethos in Qubes

Allow Ethos to easily run within Qubes.

Unikernel work

Play with unikernels. Compare unikernels, which minimize code and thus attack surface, with Ethos, which focuses on OS interfaces that promote robust programming. Port something like Aquinas to unikernels.

Adapt Tor to use MinimaLT ♦

Tor might benefit from the low-latency behavior of MinimaLT.

Ethos access controls ♦♦♦

Writing access controls within the Ethos kernel.

Implement typed command-line arguments in Ethos

This is a small task that can serve as an introduction to Ethos development. I think PowerShell supports types.

Certificate survey

Study what is required to prove your identity in order to purchase certificates from a number of certificate authorities.

Capsicum

Put Capsicum to use.

HiStar

Put HiStar to use.

seL4 port of Ethos interfaces ♦♦♦

Implement Ethos on top of the seL4 microkernel.

Code auditing tools

Implement a tool which takes as input a program and configuration and produces the lines of code which will run.

Ethos applications

Write Ethos applications and compare their security properties to their POSIX counterparts.

More study of OpenSSL and other APIs

Study the patterns of API use. How many are accidental? How many are inherent to proper use? Does libtlssep cover them all?

Linux kernel MinimaLT implementation

Implement a MinimaLT module for the Linux kernel and figure out a user-space tie in.

~~TLS service~~

~~Using the lessons learned from Fahl, Georgiev, et al., develop a service-based TLS library.~~ (Thank you, Leo St. Amour.)

~~SimpleFlow~~ ♦♦

~~Create a simple-flow-based security model for Linux.~~ (Thank you, Jessie Lass and Ryan Johnson.)

More SimpleFlow

Port SimpleFlow to a newer kernel, and couple with a framework to write information-flow-aware applications. Build a more sophisticated flow model.

~~VisorFlow~~ ♦♦

~~A hypervisor-based information flow monitor.~~ (Thank you, Matt Shockley, Chris Maixner, Ryan Johnson, and Mitch DeRidder.)

General programming and administration proposals

NetworkManager

Add FIDO/WebAuthn/USB support (Red Hat Bugzilla #2247565). Would require extending WebKitGTK (WebKit Bugzilla #205350).

Kodi

Add Grilo support to Kodi.

Grilo

Pandora plugin
iHeartRadio plugin
Netflix plugin

Libdmapsharing, etc.

Various tasks, including:

fix the DACP (i.e., iOS Remote) support in libdmapsharing,
analyze libdmapsharing and dmapd for code quality, and
add DPAP support to GNOME Photos.

Awesome window manager

Various tasks, including:

support for opening a new terminal using a current working directory which matches an existing terminal,
easy command-line emailing with attachments,
unified up-arrow histories across all bash instances, and
Khal notifications.

Small devices

Improvements to Golem, Siren, and Sprite, including:

support for encrypted NFSv4,
use of LDAP/Kerberos in Dovecot and Postfix,
certificate-based logins,
improved use of watchdogs,
more multiplatform network shares (e.g., WebDAV and SMB),
better DVD support,
a user-configurable SPAM filter, and
integrated support for console-video-game emulation.

Survey virtualization platforms

OpenNebula
Eucalyptus
OpenStack

Approximate security and systems conference schedule

Event	Timeframe
Shmoocon	Mid January
USENIX Enigma	Late January
USENIX Security Deadline	Mid February
NDSS	Late February
NSDI	Mid March
SOSP Deadline (biennial)	Late March
ASPLOS	Early April
EuroSys	Mid April
Blackhat Deadline	Mid April
NSPW Deadline	Late April
OSDI Deadline (biennial)	Early May
ACM CCS Deadline	Mid May
IEEE S&P	Late May
ACSAC Deadline	Early June
IEEE SecDev Deadline	Late June
Blackhat	Early August
USENIX Security	Mid August
USENIX Enigma Deadline	Late August
NSDI	Mid September
NSPW	Late September
SOSP (biennial)	Early October
ACM CCS	Mid October
EuroSys Deadline	Mid October
IEEE SecDev	Early November
OSDI (biennial)	Early November
IEEE S&P Deadline	Mid November
ASPLOS Deadline	Mid November
ACSAC	Early December

Reading List

Thu, 12 Mar 2020 09:29:06 -0400

Programming mistakes

Evidence shows that the software we rely on every day is simply not trustworthy. Why do we have so much trouble crafting robust computer programs? Reading literature that enumerates mistakes made while programming will help you begin to draw general conclusions about what is wrong with the state of practice.

Rethinking SSL Development in an Appified World

Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, Matthew Smith

Jan 1, 2013

Cite

The most dangerous code in the world: validating SSL certificates in non-browser software

Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, Vitaly Shmatikov

Jan 1, 2012

Cite

Why Eve and Mallory love Android: an analysis of Android SSL (in)security

Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner, Bernd Freisleben

Jan 1, 2012

Cite

Secure design

There are many examples in the literature of designs that advance the state of the art in crafting robust programs. While reading these papers, you should ask yourself, “how do these designs categorically remove errors described by the ‘mistake’ papers”, and “how could we further improve these designs by making their protections more mandatory?”

The security impact of a new cryptographic library

Daniel J. Bernstein, Tanja Lange, Peter Schwabe

Jan 1, 2012

Cite

Some thoughts on security after ten years of qmail 1.0

Daniel J. Bernstein

Jan 1, 2007

PDF Cite

Preventing Privilege Escalation

Niels Provos, Markus Friedl, Peter Honeyman

Aug 1, 2003

Cite

Security in Plan 9

Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, Sean Quinlan

Jan 1, 2002

Cite

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

Peter Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrel

Jan 1, 1998

Cite

Access control systems

Programmers craft programs which transform universal Turing machines into machines which serve a particular purpose. Attackers find ways to break out of these particular machines and thus restore access to the underlying universal machine. Access controls serve to constrain programs such that they are given only least privilege.

There is a limit to access control systems. Dan Bernstein points out in “Some thoughts on security after ten years of qmail 1.0” that even least privilege is too much. Put another way, computer programs themselves will be able to violate security requirements even with the most tightly-designed access controls. Robust systems must both make the act of programming robust applications easier and provide access controls to sufficiently restrict applications.

Capsicum: practical capabilities in UNIX

Robert Watson, Janathan Anderson, Ben Laurie, Kris Kennaway

Aug 1, 2010

Cite

Making information flow explicit in HiStar

Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Nov 1, 2006

Cite

Integrating Flexible Support for Security Policies into the Linux Operating System

Peter Loscocco, Stephen Smalley

Jun 1, 2001

Cite

Protection and the Control of Information Sharing in Multics

J. H. Saltzer

Jul 1, 1974

Cite

The UNIX time-sharing system

Dennis M. Ritchie, Ken Thompson

Jan 1, 1974

Cite DOI

Reading and writing systems papers

Reading and writing systems papers is unlike reading for leisure and informal writing.

R3: Repeatability, Reproducibility and Rigor

Jan Vitek, Tomas Kalibera

Mar 1, 2012

Cite

How to Read a Paper

S. Keshav

Jul 1, 2007

Cite

An Evaluation of the Ninth SOSP Submissions or How (and How Not) to Write a Good Systems Paper

Roy Levin, David D. Redell

Oct 1, 1988

Cite

See also Dan Bernstein's The devil's guide to citing the literature.

Life in academia

Mor Harchol-Balter captured the considerations involved in applying to Ph.D. programs with the aim of studying computer science.

Did you think you were going to get away with avoiding our papers?

See our publications. We recommend the following order:

“Simple-to-use, secure-by-design networking in Ethos”
“MinimaLT: Minimal-latency networking through better security”
“Ethos' deeply integrated distributed types”
“On the generality and convenience of Etypes”

Service inquiry

Thu, 12 Mar 2020 09:29:06 -0400

You can use ICANN|Lookup to check for the availability of a domain, or provide us with some ideas, and we will find available options.

SRPMS

Thu, 12 Mar 2020 09:29:06 -0400

Statistics

Thu, 12 Mar 2020 09:29:06 -0400

Committees, panels, and paper reviewing

Calendar year 2024

29th ACM Conference on Innovation and Technology in Computer Science Education

Calendar year 2023

28th ACM Conference on Innovation and Technology in Computer Science Education

Calendar year 2022

27th ACM Conference on Innovation and Technology in Computer Science Education

Calendar year 2017

Ninth ACM CCS International Workshop on Managing Insider Security Threats

Calendar year 2015

Fifth International Conference on Security, Privacy, and Applied Cryptography Engineering
NSF Secure and Trustworthy Cyberspace

Grants awarded

NSF CRII: SaTC: Next-Generation Robust Software (CNS-1464121)

College courses taught

2024–2025: UW–L CS220, Software Design II; UW–L CS356, Software Exploitation; UW–L CPE105, Introduction to the Computing Environment; UW–L CPE309, Systems Programming; UW–L CS455/555, Fundamentals of Information Security
2023–2024: UW–L CS220, Software Design II; UW–L CS356, Software Exploitation; UW–L CS455/555, Fundamentals of Information Security; UW–L CS456/556, Secure Software Development
2022–2023: UW–L CS120, Software Design I; UW–L CS356, Software Exploitation; UW–L CS410/510, Open Source Software Development; UW–L CS441, Operating System Concepts; UW–L CS455/555, Fundamentals of Information Security
2021–2022: UW–L CS120, Software Design I; UW–L CS356, Software Exploitation; UW–L CS455/555, Fundamentals of Information Security; UW–L CS456/556, Secure Software Development
2020–2021: UW–L CS120, Software Design I; UW–L CS410/510, Open Source Software Development; UW–L CS455/555, Fundamentals of Information Security; UW–L CS456/556, Secure Software Development
2016–2017: USMA CS481, Operating Systems; USMA CS401, Software Systems Design; USMA XE402, Integrative Systems Design; USMA CS474, Fundamentals of Computer Theory
2015–2016: USMA CS481, Operating Systems; USMA CS401, Software Systems Design; USMA XE402, Integrative Systems Design; USMA CS301, Fundamentals of Computer Science
2014–2015: USMA CS481, Operating Systems; USMA CS482, Cyber-Security Engineering
2013–2014: USMA CS481, Operating Systems; USMA IT305, Theory and Practice of Military Information Systems

Masters capstone committees

Spring 2023: Jordan LaRue: Emperor Parking Management
Spring 2022: Christian Strauss: Audio Canvas: An Audio Visualization Tool
Fall 2021: Drew Lohmeyer: Parlay: A Web Application Designed to Facilitate Competition in the Form of Sports Betting Leagues
Fall 2020: Dongyi Liang: A Route Recommendation System Based on Check-In Data
Fall 2020: Tyler Durr: Online Photo Gallery with E-Commerce Support

* Served as thesis advisor.

Conferences and workshops attended

ACM DIM 2010, Chicago, Illinois*
ACM CCS 2010, Chicago, Illinois
IEEE Security & Privacy 2012, San Francisco, California
USENIX Security 2012, Bellevue, Washington
USENIX OSDI 2012, Hollywood, California
ACM CCS 2012, Raleigh, North Carolina
RESoLVE 2013, Houston, Texas*
ASPLOS 2013, Houston, Texas
EUROSEC 2013, Prague, Czech Republic*
Greater Chicago Area Systems Research Workshop 2013, Evanston, Illinois
ACM CCS 2013, Berlin, Germany*
IEEE LangSec 2014, San Jose, California*
IEEE Security & Privacy 2015, San Jose, California
IEEE LangSec 2015, San Jose, California*
Black Hat USA 2015, Las Vegas, Nevada
SPACE 2015, Jaipur, India*^,†
Black Hat USA 2016, Las Vegas, Nevada
USENIX Advances in Security Education 2016, Austin, Texas*
USENIX Security 2016, Austin, Texas
ACM CCS 2016, Vienna, Austria
ACM MIST 2016, Vienna, Austria*
ASEE Annual Conference 2017, Columbus, Ohio*
ACM MIST 2017, Dallas, Texas*^,†
High Confidence Software and Systems Conference 2019, Annapolis, Maryland*
USENIX Security 2020, Boston, Massachusetts (held online due to COVID-19)*
Workshop on Cyber Security Experimentation and Test 2022*
55th Midwest Instruction and Computing Symposium, Cedar Falls, Iowa

* Presented, or paper included in proceedings.
^† Served on program committee.

Statistics

Thu, 12 Mar 2020 09:29:06 -0400

Official Fedora packages maintained

academic-admin
checkmake
dmapd
festival
fmt-ptrn
gnupg-pkcs11-scd
golang-github-alecthomas-assert-2
golang-github-alecthomas-chroma-2
golang-github-apache-thrift
golang-github-azure-amqp
golang-github-azure-amqp-common
golang-github-bep-clocks
golang-github-bep-workers
golang-github-devigned-tab
golang-github-evanw-esbuild
golang-github-fatih-color
golang-github-getkin-kin-openapi
golang-github-gohugoio-locales
golang-github-google-flatbuffers
golang-github-google-subcommands
golang-github-google-wire
golang-github-googlecloudplatform-cloudsql-proxy
golang-github-hashicorp-lru-2
golang-github-johncgriffin-overflow
golang-github-jwt-5
golang-github-klauspost-compress
golang-github-ncruces-strftime
golang-github-pbnjay-memory
golang-github-pelletier-toml-2
golang-github-rwcarlsen-goexif
golang-github-tj-assert
golang-gopkg-neurosnap-sentences-1
golang-lukechampine-uint128
golang-modernc-cc-3
golang-modernc-cc-4
golang-modernc-ccgo-3
golang-modernc-ccgo-4
golang-modernc-ccorpus2
golang-modernc-ebnf
golang-modernc-ebnfutil
golang-modernc-gc-2
golang-modernc-httpfs
golang-modernc-ir
golang-modernc-irgo
golang-modernc-libc
golang-modernc-memory
golang-modernc-opt
golang-modernc-parser
golang-modernc-scannertest
golang-modernc-sortutil
golang-modernc-sqlite
golang-modernc-strutil
golang-modernc-token
golang-modernc-xc
golang-modernc-y
golang-modernc-z
golang-nhooyr-websocket
hugo (co-maintain with Athos Ribeiro)
LaTeXML
libdmapsharing4
libvmi
Mars
nex
openfst
opengrm-ngram
pocketsphinx
python-ana
python-angr
python-bibtexparser
python-cart
python-ailment (co-maintain with Fabian Affolter)
python-archinfo (co-maintain with Fabian Affolter)
python-claripy (co-maintain with Fabian Affolter)
python-cle
python-colored-traceback
python-cooldict
python-intervaltree
python-mulpyplexer
python-plumbum
python-pwntools
python-pyvex
python-ROPGadget
python-rpyc
python-sounddevice
python-uv-dynamic-versioning
rust-unidiff
spim
tex-cjw
tikzit
unicorn
x2gowswrapper

We also maintain a number of submitted—but not yet accepted—packages.

Official OpenWrt packages maintained

bison
bogofilter
cyrus-sasl
dmapd
flex
fuse-overlayfs
gcc
grilo
grilo-plugins
gst1-libav
gst1-plugins-bad
gst1-plugins-base
gst1-plugins-good
gst1-plugins-ugly
gstreamer1
hwloc
krb5
lcdgrilo
lcdringer
libdaq3
libdmapsharing
libexif
libgcrypt
libgee
libgpg-error
libmpeg2
liboil
libpsl
libsoup3
libtheora
loudmouth
luaexpat
luafilesystem
luasec
luasocket
mandoc
nfdump
openldap
php8-pecl-imagick
php8-pecl-krb5
pigeonhole
python3-libselinux
python3-networkx
quota
scapy
semodule-utils
sendmail
setools
shared-mime-info
snort3
totem-pl-parser
vala
vips

Formal bug reports or report contributions

Thank you!

Thu, 12 Mar 2020 09:29:06 -0400

Your message is being delivered, and we look forward to receiving it.

Adventure

Thu, 12 Mar 2020 09:02:58 -0400

I have been playing William Crowther’s Colossal Cave Adventure with my children.

We have found these actions useful:

north
south
east
west
ne
se
nw
sw
up
down
building
climb
downstream
drop
enter
forest
info
inventory
pour
save
score
take
throw

We also found a technique which allows us to script Adventure when running the program from a graphical terminal. Since Adventure responds to commands entered on standard in, we can paste a series of commands into Adventure. For example, the following scripts work as described when executed immediately after starting Adventure:

Such scripting is confounded by rooms with randomized passages, so you should proceed through passages like these manually.

We have been using Graphviz to record the adventures we have had. I share here our map in two formats: .dot .svg The map also appears below.

Colossal Cave Adventure map

alsa-utils-0.5.10-toggle

Thu, 12 Mar 2020 09:02:58 -0400

alsa-utils-0.5.10-toggle

A patch for the Advanced Linux Sound Architecture utilities which adds mute toggling to amixer. This really makes sence when a user wishes to use a remote control or joystick to control his sound device. For example, the command amixer set Master toggle could be run whenever the mute button is pressed on a remote control.

Apple

Thu, 12 Mar 2020 09:02:58 -0400

Introduction

This is a collection of Open Source applications for the Macintosh. This collection is intended to supplement package manager-based distributions such as MacPorts.

If you would like to build these applications yourself using my instructions, then you will need to install MacPorts. The following instructions document how to install GTK+/Quartz:

Ensure that you have Apple's X11 package installed.
Install Apple's Xcode.
Install MacPorts.
Add the following lines to ~/.bash_profile:

export PATH="/opt/local/bin:$PATH"
export CPPFLAGS="-I/opt/local/include $CPPFLAGS"
export LDFLAGS="-L/opt/local/lib $LDFLAGS"

Use the command sudo port install PACKAGE to build and install the following packages and their dependencies:

cairo +quartz+no_x11
pango +quartz+no_x11
gtk2 +quartz+no_x11
poppler +quartz

Packages

AbiWord

AbiWord screenshot

AbiWord is a word processor. This package contains a native build for Mac OS X and does not require X11. Download.

Building from Source

Edit AbiWord's configure script, setting ABIWORD_CONTENTSDIR to /Applications/AbiWord.app/Contents.
Run ./configure.
Run make
Run sudo make install

Bugs Filed

I have filed or reviewed the following bugs related to AbiWord:

~~Abisource Bugzilla #11793, Build Abiword against GTK/Quartz~~
~~AbiSource Bugzilla #12446, Compile error on Snow Leopard~~
Abisource Bugzilla #13233, configure script does not allow customization of ABIWORD_CONTENTSDIR
MacPorts ticket #17012, Request newer build of abiword

Gnumeric

Gnumeric screenshot

Gnumeric is a spreadsheet application. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz. Download.

Building from Source

Use the command sudo port install gnumeric to build and install gnumeric.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Gnumeric application:

~~GNOME Bugzilla #382925, gail doesn't build with Quartz GDK backend~~
~~GNOME Bugzilla #396329, src/Makefile still includes -lpopt~~
~~GNOME Bugzilla [#396434}(http://bugzilla.gnome.org/show_bug.cgi?id=396434), Gnumeric crashes when mouse over File->Open on Mac OS X / gtk-quartz~~
~~GNOME Bugzilla #396438, Build fails on Mac OS X / gtk-quartz because of missing -lgthread-2.0~~
~~GNOME Bugzilla #396654, libgnomeprint ./configure fails on Mac OS X~~
GNOME Bugzilla #477381, Use the Mac OS X menubar when built with GTK+/Quartz
GNOME Bugzilla #534134, Gnumeric does not seem to support XDG Base Directory Specification
~~GNOME Bugzilla #600085, Cell labels' text not rendered on Mac OS X / Quartz~~
~~MacPorts ticket #14853, RFE: have icon-naming-utils not depend on p5-getopt-long~~
~~MacPorts ticket #15052, pango: Font display problems when compiled against cairo 1.6.4~~
~~MacPorts ticket #15558](http://trac.macports.org/ticket/15558), Provide quartz-only variant of cairo port~~
~~MacPorts ticket #15559, gtk2 error for missing ${prefix}/include/cairo/cairo-quartz.h incorrect~~
~~MacPorts ticket #15560, Patch gnumeric to integrate into Mac OS X menu~~
~~MacPorts ticket #16083, gnumeric row/column labels show broken character box instead of the letter/number~~
~~MacPorts ticket #16798, gnumeric fails to build on Leopard~~
~~MacPorts ticket #17049, pango +quartz cannot build 64-bit~~
~~MacPorts ticket #20924, OS X 10.6 with +no_x11 +quartz: Pango-WARNING **: shaping failure, expect ugly output~~
~~MacPorts ticket #21624, pango @1.26.0_0+macosx makes software freeze~~
~~MacPorts ticket #22581, new Portfile: goffice08~~

Building Application Bundle

In order to make an Application Bundle for Gnumeric, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Gnumeric.app.
Extract the Gnumeric.app definitions, enter its directory and execute the following:

ige-mac-bundler Gnumeric.bundle

Replace Gnumeric.app/Contents/Resources/etc/pango with the contents of /opt/local/etc/pango
Double-click on Gnumeric (Gnumeric.app) in the Finder.

Gthumb

Gthumb screenshot

Gthumb is an image viewer. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz.

Building from Source

Use the command sudo port install gthumb to build and install gthumb.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Gthumb application:

~~GNOME Bugzilla #551225, Gthumb will not build against GTK/Quartz (Mac OS), requires X11~~
~~GNOME Bugzilla #554240, Use the Mac OS X menubar when built with GTK+/Quartz~~

Building Application Bundle

In order to make an Application Bundle for Gthumb, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Gthumb.app.
Extract the Gthumb.app definitions, enter its directory and execute the following:

ige-mac-bundler Gthumb.bundle

Double-click on Gthumb (Gthumb.app) in the Finder.

Inkscape

Inkscape screenshot

Inkscape is a vector graphics illustration program. The following instructions will build the application to use GTK's Quartz backend (no X11 required.) Mac OS X 10.4 or newer is required for this build. GTK's Quartz backend is currently experimental, so this package is also unstable. These instructions are provided so that people may more easily build and test GTK Quartz. Download.

Building from Source

Use the command sudo port install inkscape to build and install inkscape.

Bugs Filed

I have filed or reviewed the following bugs related to this process and the resulting Inkscape application:

~~Inkscape / Launchpad bug #251982, Inkscape's -g option does not make sense when using GTK/Quartz on Mac OS X~~
~~libproxy bug #101, libproxy does not compile on Mac OS X 10.6.2~~
To file: Xft2 (required by Inkscape) requires xorg-proto and xrender
To file: Xft2 build requires xorg-xcmiscproto and xorg-bigreqsproto, but Portfile does not

Building Application Bundle

In order to make an Application Bundle for Inkscape, follow these steps:

Use the command sudo port install ige-mac-bundler to build and install the ige-mac-bundler utility
Download the definitions of Inkscape.app.
Extract the Inkscape.app definitions, enter its directory and execute the following:

ige-mac-bundler Inkscape.bundle

Double-click on Inkscape (Inkscape.app) in the Finder.

appliance-config

Thu, 12 Mar 2020 09:02:58 -0400

Configuration system for a network appliance

Overview

Appliance-config is a web-based configuration system intended for use on network appliances. The core functionality of the system provides the following features:

Fileserver (WebDAV, NFS and SMB)
CUPS-based print server
Backup and restore system

The backup system can replicate data to an external disk or an external host that also runs appliance-config. When backing up to a remote host, appliance-config can encrypt the data so that the owner of the remote host can not read it. In this way, two people can help each other by hosting a backup without nessessarily sharing the data that is backed up.

Additional functionality may be implemented as a module. Appliance-config uses a CGI-based tool to present configuration options to an administrator. After configuration options are saved, the system invokes a backend to implement any necessary changes to system services. The system's backends are written primarily as bash shell scripts.

Nasty Details

As documented in the overview, the appliance-config system consists of a daemon that runs as root and modules that handle configuring services.

The daemon waits for notification that a configuration has changed. After receiving a notification, the daemon executes the modules' backend scripts.
Each configuration module consists of:

CGI Program: When executed by a GET, the program displays a form. When executed by a POST, it writes configuration data to a file or directions to a spool and notifies the daemon of the change.
Configuration File: Configuration files are written by the CGI programs.
Backend Script: Executed by the daemon after the daemon receives a notice. Reads appliance-config configuration files and writes system configurations based on templates. Reconfigures and restarts system services. May also read a spool and perform some action based on its contents.

Aquinas

Thu, 12 Mar 2020 09:02:58 -0400

Aquinas is an interactive learning system that aims to teach computer programming and exploit development. Teachers define programming projects, and students complete the projects and submit their work using Git. Aquinas provides a website that lists the projects and provides a summary of each student’s progress.

A number of goals drove the design of Aquinas:

Allow for projects that involve network programming and exploit development.
Facilitate easy-to-define projects with a consistent specification language.
Ease reuse of projects across many programming languages.
Allow for high-quality assignment instructions.
Provide a web- and Git-based interface to students.
Provide for automated grading and student feedback.
Apply the principle of least privilege and use a type-safe language.

Aquinas dependencies

Building, configuring, and deploying Aquinas requires the following software:

make
GCC, including support for C++ (to build VMs)
A C library suitable for static linking
expect
qemu-system-x86
The Go programming language
The Perl programming language (to build VMs)
The jq JSON parser
Git
An ssh client
LaTeXML and TeX Live
The tidy HTML beautifier
The dig DNS resolver
The Hugo website generator
The wget HTTP utility (to build VMs)
which

Obtaining Aquinas

Download Aquinas using:

git clone --recurse-submodules https://www.flyn.org/git/aquinas

Building Aquinas

Building Aquinas can take a long time. If you prefer to install Aquinas using the binary VM images we provide, then download them from https://www.flyn.org/projects/Aquinas, and skip to the section titled “Configuring and deploying Aquinas.”

Quick check

Run “make deps all”.
Run “(sudo) ./build/httpd -dummy -root www/public/”.

You should now be able to browse to http://localhost/. The dynamic aspects of Aquinas will not work without a full installation, but you should be able to review most of Aquinas’ look and feel using this dummy mode.

Full build

Review aquinas-build.json to facilitate installing Aquinas at your site. The default values should be adequate in most cases.
Run “make deps all vms”. This will build some utilities and the Aquinas VMs.

Configuring and deploying Aquinas

Install your public SSH key the VMs by running “./aquinas-setup-ssh-developer DEVELOPER-HOME/.ssh/id_rsa.pub” with root privileges. (Mounting the VM disk images requires root privileges.)
Install each disk image (e.g., aquinas-git-alpine-x86-64.img) and each domain configuration (e.g., vm-aquinas-git.cfg) so that they can be run by your hypervisor. Edit each domain configuration to suit your needs. (Note that you will need to build a new VM around each disk image if not using Xen.)
Update your DHCP service to provide the correct IP address to each domain. Refer to each domain configuration for the host’s MAC address.
Update your DNS service to provide an appropriate A record for each domain. Refer to each domain configuration for the host’s name.
Start each configured VM.
Use SSH to sign in on each VM to edit /etc/aquinas/aquinas.json. It is likely you will need to modify “domain,” “logServer,” “emailRegex,” “emailRelay,” emailSender," and “emailSenderName.”
Install a certificate and private key in aquinas-www’s /etc/httpd directory, writing them to the files aquinas.cert and aquinas.key, respectively.
Configure syslog-ng on each VM. The /etc/hosts files on aquinas-user and aquinas-target must contain records for the syslog server (which accepts connections on TCP port 6514), as their firewall prohibits DNS queries.
Configure collectd on each VM. The /etc/hosts files on aquinas-user and aquinas-target must contain records for the collectd server (which accepts connections on UDP port 25826), as their firewall prohibits DNS queries.
Add a record for your target host to /etc/hosts on your user host; neither can make DNS requests, as their firewall prohibits DNS queries.
Add a record for your user host to /etc/hosts on your target host.
Add “server [IP of git host]” to /etc/ntpd.conf on www, user, and target.
Edit /etc/config/system on each VM. You might need to adjust the timezone, and you should set the NTP server to the IP address of aquinas-git host on all of the VMs except for aquinas-git. Note that the firewall rules will allow NTP queries from aquinas-user and aquinas-target only to aquinas-git, and these hosts can only reference aquinas-git by its IP address due to the firewall blocking DNS.
On your development computer, run “./aquinas-setup-ssh”.
On aquinas-www, run “sudo -u http aquinas-add-student test PASSWORD ‘Test Account’”. Ensure you select a strong password to replace PASSWORD.
On your development computer, run “./aquinas-add-teacher DEVELOPER-HOME/.ssh/id_rsa.pub”.
Push a projects repository to aquinas-git:/home/teacher/projects.
Push a records repository to aquinas-git:/home/teacher/records.
Push the HTML documents to aquinas-www using make all publish.
On your development computer and from the directory test/, run “./test-all.”

Writing a project

Writing a project is a matter of creating a machine-readable JSON file to define the project and a LaTeX (or Markdown) fragment to instruct students in how to complete the project.

Project definition

Here is the definition of a very simple project named unix. The absence of the checks keyword means that Aquinas will not grade this project. Because languages is set to none, Aquinas will generate no language-specific variants of this project. Perhaps this project could guide the student through an introduction to UNIX without requiring a graded deliverable.

{
        "name": "unix",
	"summary": "An introduction to Unix and the Bourne shell",
        "languages": [ "none" ]
}

Here is another language-agnostic project. This project, git, assumes the completion of unix. Aquinas will take this into account when ordering the list of projects presented to a student. This project provides a check (checks); running the command cat NOTES from the root of the student’s Git repository should print “In case of fire: git commit, git push, and leave the building!” to standard out. (I.e., the file NOTES should exist in the Git repository and it should contain “In case of fire: …”)

The value in the stdout field is this string, base64 encoded (but not depicted in its entirety here). The base64 encoding is to allow such values to contain binary data.

Aquinas will present the string defined in a check’s hint field as part of the feedback it provides upon grading a failed submission.

{
	"name": "git",
	"summary": "An introduction to the Git version control system",
	"languages": [
		"none"
	],
	"prerequisites": [
		"unix"
	],
	"checks": [
		{
			"type": "basic",
			"parameters": {
				"command": "cat NOTES",
				"stdin": null,
				"stdout": "SW4gY2Fz...",
				"stderr": null,
				"exitCode": 0,
				"hint": "Does your NOTES file contain the correct string?"
			}
		}
	]
}

Using a check of kind compare causes Aquinas to evaluate student work in a different way. With compare checks, Aquinas can reveal its test inputs without allowing the student to tailor his solution to a limited test plan. The idea is to use a generator to produce random input that is well-formed with respect to the project definition. Aquinas generates such input, which it provides both to the reference solution and the student submission. If the programs’ outputs match, then Aquinas deems the student submission correct. Otherwise, the student submission is incorrect. A compare check requires the definition of a reference solution along with a program that generates standard input data (genstdin) or a program that generates command-line arguments (gencmdargs). The following example demonstrates a compare check that generates standard input data.

{
	"kind": "compare",
	"parameters": {
		"command": "./project",
		"reference": "projectC.c",
		"genstdin": "generator-project.c"
	}
},

Assume the project processes non-negative integers, read from standard input. The following definition of generator-project.c generates such inputs.

#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>

int main(void)
{
        struct timeval tv;

        gettimeofday(&tv, NULL);
        srand((unsigned int)(tv.tv_sec * tv.tv_usec));
        printf("%d\n", rand());
}

The use of gencmdargs is similar. Aquinas assumes each line printed by this type of generator represents a command-line argument. Aquinas will compile and deploy generators and reference solutions that exist in a project’s directory and are referenced by a compare check.

A student may submit the following project in C or Python. In the case of C, the submission should contain hello.c, and this file should compile to a program that prints “Hello, world\n”. A Python submission should take the form of hello as an executable script (i.e., with shebang). As with the previous example, the value of stdout is base64 encoded to support binary data.

{
	"name": "hello",
	"summary": "Printing to the screen",
	"languages": [
		"C",
		"Python"
	],
	"prerequisites": [
		"git"
	],
	"checks": [
		{
			"type": "basic",
			"parameters": {
				"command": "./hello",
				"stdin": null,
				"stdout": "SGVsbG8sIHdvcmxkIQo=",
				"stderr": null,
				"exitCode": 0
			}
		}
	]
}

The following network project installs a service, defined in network.go, on Aquinas’ target host. A correct solution will interact with this service as the project instructions prescribe to produce the output required by the project’s checks. The value of source minus its extension must match the value of name, and every project must bear a unique port. Note that Aquinas will replace TARGET with the target host’s name when performing this check.

{
	"name": "network",
	"summary": "Programming a TCP/IPv4 client",
	"languages": [
		"C",
		"Go",
		"Python"
	],
	"prerequisites": [
		"hello",
		"variables"
	],
	"checks": [
		{
			"type": "basic",
			"parameters": {
				"command": "./network TARGET 1025",
				"stdin": null,
				"stdout": "...",
				"stderr": null,
				"exitCode": 0
			}
		}
	],
	"services": [
		{
			"source": "service-network.go",
			"port": 1025
		}
	]
}

Adding the following within a particular service’s definition makes the service binary available for download.

        "publish_binary": true

A teacher can also specify flags in a service definition that Aquinas will pass to the compiler when building the service binary:

        "compiler_flags": "-fstack-protector"

When presenting lists of projects, Aquinas will make use of tags for organization. A set of tags augment the language categories:

	"tags": {
		"Exploitation": true
	}

Sometimes it might be useful to directly call functions in a project solution when testing. An altmain statement allows this. For example, if altmain is defined as true for C, Aquinas will compile the submitted program such that the function main2 in the teacher-defined file main2.c serves as the program’s main function.

{
	"name": "functions",
	"summary": "Abstraction and code reuse using functions",
	"languages": [
		"C",
		"Go",
		"Python"
	],
	"prerequisites": [
		"hello",
		"variables"
	],
	"altmain": {
		"C": true,
		"Go": true,
		"Python": true
	},
	"checks": [
		{
			"type": "basic",
			"parameters": {
				"command": "./functions",
				"stdin": null,
				"stdout": "...",
				"stderr": null,
				"exitCode": 0
			}
		}
	]
}

Aquinas supports solution templates, which provide students with a starting point for their solution. In this example, the values of templates should correspond with template files for C, Go, and Python. These files must exists in the same Git repository as this description, and Aquinas will copy them to the students’ variables repositories. If the template value is a directory, then Aquinas will copy all of the files in that directory to the root of the student’s repository.

{
	"name": "variables",
	"summary": "Programming language variables and arithmetic operators",
	"languages": [
		"C",
		"Go",
		"Python"
	],
	"prerequisites": [
		"hello"
	],
	"checks": [
		{
			"type": "basic",
			"parameters": {
				"command": "./variables",
				"stdin": "...",
				"stdout": "...",
				"stderr": null,
				"exitCode": 0
			}
		},
		{
			"type": "basic",
			"parameters": {
				"command": "./variables",
				"stdin": "...",
				"stdout": "...",
				"stderr": null,
				"exitCode": 0
			}
		},
		{
			"type": "basic",
			"parameters": {
				"command": "./variables",
				"stdin": "...",
				"stdout": "...",
				"stderr": null,
				"exitCode": 0
			}
		}
	],
	"templates": {
		"C": "template-variablesC.c",
		"Go": "template-variablesGo.go",
		"Python": "template-variablesPython"
	}
}

Aside from templates, Aquinas supports the following file-related specifications. Each of these name an array of strings:

files: Causes grader to place files in student's submission directory after cloning it, possibly overwriting what is already there
user_files: Places files in /usr/libexec/aquinas/files/PROJECT on aquinas-user, making them available to the grader
service_files: Places files in /usr/libexec/aquinas/services/PROJECT on aquinas-target, making them available to the target service
service_links: Set up a link on aquinas-target from the given path outside the service chroot to inside of the service chroot
service_chroot_programs: Copies files from outside the target service chroot to inside the target service chroot

Project instructions

Teachers write project instructions in the form of a LaTeX fragment, which Aquinas combines with a template before processing into a HTML document. It is a good practice to use \section* to provide three sections: Command (or Function) summary, Lesson, and Assignment. Aquinas will provide the prelude and epilog material; here it is sufficient to begin with the first \section*.

Aquinas provides the following LaTeX commands for use in a project’s instructions:

\cmd: Typeset the argument as a command.
\project: Typeset the argument as a project name.
\conf: Typeset the argument as a configuration file.
\file: Typeset the argument as a file name.
\dir: Typeset the argument as a directory name.
\fn: Typeset the argument as a function name.
\host: Typeset the argument as a host name.
\keypress: Typeset the argument as if it were a key to be pressed.
\unix: Typeset the work UNIX.
\shprompt: Typeset a Bourne shell prompt.
\cmddesc: Define a command within a LaTeX description list. Like \item, except Aquinas notes occurences of \cmddesc to produce a command reference page.
\fncdesc: Define a C function within a LaTeX description list. Like \item, except Aquinas notes occurences of \fncdesc to produce a C function reference page. Variants exist for other languages such as Go (\fngodesc) and Python (\fnpythondesc).
\ifC: If the language associated with the current project variant matches (here the C variant), then include the subsequent text up until the next \fi. Otherwise print nothing.
\ifshebang: If the language can make use of a shebang, then print the second argument. Otherwise print nothing.
\clone: Provide instructions on how to clone the current project using Git.
\submission: Print instructions on how to submit a project solution.
\submissionNoLanguage: Print instructions on how to submit a language-agnostic project solution.

Alternatively, a teacher can describe a project using Markdown.

The Aquinas VMs

aquinas-www: The HTTP server that allows users to read project assignments and view submission results.
aquinas-git: The Git server to which users make project submissions.
aquinas-user: The host that runs project submissions during the grading process.
aquinas-target: The host that runs network services with which user programs might interact.

System inputs

(unauthenticated) http://aquinas-www/landing.html: Allows a user to either log in or register.
(unauthenticated) http://aquinas-www/login.html: Accepts student email and password. Allows a student to log in to the web interface. Transitions state of HTTP session to authenticated.
(unauthenticated) http://aquinas-www/register.html: Accepts an email address. Allows a registering student to initiate the registration process. Sends an email to the registering student that allows him to complete the registration.
(unauthenticated) http://aquinas-www/register3.html: Accepts an email address, nonce, hashed token, and password. Allows a registering student to prove ownership of an email address and thus complete the registration process.
(authenticated) http://aquinas-www/index.html: Allows a student to select a project page.
(authenticated) http://aquinas-www/p.html, where p is a project: Allows a student to view information that describes project p.
ssh://s@aquinas-git/home/s/p, where s is a student and p is a project: Interact with student s's project p submission using Git/git-shell.
ssh://t@aquinas-git/home/teacher/projects, where t is a teacher: Interact with the project definitions using Git/git-shell. Git hook invokes aquinas-initialize-projects, run as root.
ssh://t@aquinas-git/home/teacher/records, where t is a teacher: Interact with the project submission records using Git/git-shell.
ssh://root@\*: Allows developers shell access.

Sudo permissions

aquinas-git

All users can run grader as teacher
Teacher can run aquinas-initialize-projects as root
Http can run aquinas-add-student-slave as root
Http can run aquinas-get-ssh-authorized-keys as root
Http can run aquinas-deploy-key as root
Http can run aquinas-remove-student-slave as root

SSH keys

root@aquinas-git: generated by alpine-build
teacher@aquinas-git: generated by alpine-build
http@aquinas-www: generated by alpine-build
Developers: installed by hand
Teachers: installed by aquinas-add-teacher
Students: installed by ssh/ssh2.html

Permitted SSH connections

From	To	Installed by	Purpose
Developers	root@aquinas-git	alpine-build/manual	Development/administration
Developers	test@aquinas-git	test case	Pushing solutions during test
Teachers	teacher@aquinas-git	add-teacher	Project deployment
http@aquinas-www	http@aquinas-git	setup-ssh	Httpd uses to run httpsh: check for student check for SSH key add a new student deploy SSH key remove a student
Students	STUDENT@aquinas-git	ssh/ssh2.html	Commit submissions to Git
Developers	root@aquinas-www	alpine-build/manual	Development/administration
Teachers	teacher@aquinas-www	add-teacher	Updating HTML documents
teacher@aquinas-git	teacher@aquinas-www	setup-ssh	Used by grader to update records on aquinas-www
Developers	root@aquinas-user	alpine-build/manual	Development
teacher@aquinas-git	root@aquinas-user	setup-ssh	Used by initialize-project to pull host key and user key from aquinas-user (Cannot use test@, because test has shell set to buildrunsh) Also used by grader to place user-submitted code on aquinas-user
teacher@aquinas-git	teacher@aquinas-user	setup-ssh	Used grader to run reference solution on aquinas-user in the case of compare-type checks
root@aquinas-git	root@aquinas-user	setup-ssh	Add or remove user
root@aquinas-git	teacher@aquinas-user	setup-ssh	Compile network project services
teacher@aquinas-git	STUDENT@aquinas-user	add-student	Grader uses to run buildrunsh on user VM; Git hook runs as user, and uses sudo to run grader as teacher
root@aquinas-git	root@aquinas-target	setup-ssh	Deploy network project services

Component isolation

The design of Aquinas isolates its components to prevent student program from exfiltrating data available to them during the grading process. This prevents student knowledge of the checks that grade their submissions. Furthermore, student programs cannot interact beyond the aquinas-user host with the exception of allowed connections to aquinas-target.

Firewall rules

The host firewalls on aquinas-user and aquinas-target prohibit all outgoing connections with the exception of a connection to a syslog server (TCP port 6514). All interaction with these hosts is by way of incoming SSH connections or project-specific services. The aim of this is to prevent a user-written program from exfiltrating data from either host while executing for the purpose of grading.

Chroot jails

Services on aquinas-target run as the user nobody and within a chroot jail.

Aquinas administation

Manually fork a repository

The following assumes the student is using Aquinas’ native Git repository, rather than a third-party repository such as GitLab. If this is not the case, then you would need to provide more information in the JSON-encoded parameter.

aquinas-fork-project STUDENT@EXAMPLE.COM PROJECT '{"git-provider":"","git-path":"","git-username":"","git-token":""}'

Force the grading of a project

root@aquinas-git> aquinas-enqueue /usr/sbin/grader STUDENT@EXAMPLE.COM PROJECTLANG

Force the grading of a project directly, without using the queuing system

root@aquinas-git> scp -r /home/teacher/workdir/students/STUDENT@EXAMPLE.COM/helloC/ root@aquinas-user.EXAMPLE.COM:/home/STUDENT@EXAMPLE.COM/helloC/
root@aquinas-git> ssh root@aquinas-user.EXAMPLE.COM chown -R STUDENT_at_EXAMPLE_dot_COM:STUDENT_at_EXAMPLE_dot_COM /home/STUDENT@EXAMPLE.COM/helloC
root@aquinas-git> ( echo build; echo \"C\"; cat /home/teacher/workdir/projects/hello/description.json ) | sudo -u teacher ssh -T STUDENT_at_EXAMPLE_dot_COM@aquinas-user.EXAMPLE.COM
Possibly copy files required by project to root@aquinas-user.EXAMPLE.COM:/home/STUDENT@EXAMPLE.COM/helloC/.
root@aquinas-git> ( echo run; echo \"C\"; cat /home/teacher/workdir/projects/hello/description.json ) | sudo -u teacher ssh -T STUDENT_at_EXAMPLE_dot_COM@aquinas-user.EXAMPLE.COM

Rename a user

Note the student’s alias.
Backup the student OLD’s home directory at /home/OLD@EXAMPLE.COM.
On aquinas-www, run sudo -u http aquinas-remove-student OLD@EXAMPLE.COM.
On aquinas-www, run sudo -u http aquinas-add-student NEW@EXAMPLE.COM PASSWORD.
Install SSH key from backup.
Restore student’s alias.
For each repository in the backup, git clone the repository to a temporary location, and from that location run git push repo=NEW_AT_EXAMPLE_DOT_COM@aquinas-git.DOMAIN:/home/NEW@EXAMPLE.COM/PROJECT --all --force.

Mark a user as a teacher

root@aquinas-www> touch /etc/httpd/accounts/USER/teacher
root@aquinas-www> chown http:www-data /etc/httpd/accounts/USER/teacher

Courses as Code: The Aquinas Learning System

W. Michael Petullo

PDF Cite

Downloads

The Aquinas project is also available as a Git repository. To clone the repository, execute

git clone --recurse-submodules https://www.flyn.org/git/aquinas

army_tex

Thu, 12 Mar 2020 09:02:58 -0400

Army_tex is a set of LaTeX classes for generating U.S. Army documents, compliant with AR 25-50. The army_tex package provides classes to create documents such as memorandums and letters.

arty

Thu, 12 Mar 2020 09:02:58 -0400

Arty is an artillery simulation game. It is currently in the infancy of its development. Arty takes advantage of OpenGL and the X Window System.

asterisk-1.6.0-beta9-crashfix

Thu, 12 Mar 2020 09:02:58 -0400

asterisk-1.6.0-beta9-crashfix

Asterisk's realtime LDAP module, with fixes from subversion, backported to Asterisk 1.6 Beta 9. This bug is documented in Asterisk bug #12572.

authconfig-4.6.1-1-pam_mount

Thu, 12 Mar 2020 09:02:58 -0400

authconfig-4.6.1-1-pam_mount

A patch for Red Hat's authconfig tool that adds the ability to configure pam_mount.

avfs-0.9.3-devfs

Thu, 12 Mar 2020 09:02:58 -0400

avfs-0.9.3-devfs

A simple patch for Miklos Szeredi's AVFS that makes avfscoda work with /dev/coda/0, a devfs style device name, out of the box.

Awesome

Thu, 12 Mar 2020 09:02:58 -0400

First, install the Awesome window manager:

$ dnf install awesome

Next, configure Awesome. I maintain my Awesome configuration such that it is accessible with:

$ git clone https://www.flyn.org/git/awesome-config

You should install the contents of the awesome-config folder at ~/.config/awesome (i.e., drop the -config portion of the directory name). My configuration assumes that ~/.config/awesome/themes/flyn/background is a symbolic link to a background picture. Set this with something like:

$ ln -sf /usr/share/backgrounds/default.png ~/.config/awesome/themes/flyn/background.png

To login with awesome, select the “awesome” option presented by GDM (gears button). The result is a very simple configuration with the following input bindings. The modifier key (i.e., Mod) is the key most often labeled something like Command or Windows.

Mod-Ctrl-q: Quit Awesome and thus terminate the login session.
Mod-Ctrl-r: Restart Awesome.
Mod-Ctrl-Space: Toggle the focused window between floating and tiled mode.
Mod-Escape: Return to the previous virtual desktop.
Mod-Left: Select the next virtual desktop to the left.
Mod-Right: Select the next virtual desktop to the right.
Mod-Return: Run a gnome-terminal.
Mod-f: Grow the focused window to span the screen.
Mod-q: Quit the focused application.
Mod-r: Activate a run-command prompt at the bottom of the screen.
Mod-r: Activate a run-command prompt at the bottom of the screen.
Mod-Space: Toggle the tiling style.
Mod-Tab: Shift focus to previous window.
Mod-Volume Down: Lower the speaker volume.
Mod-Volume Mute: Mute the speaker.
Mod-Volume Up: Raise the speaker volume.
Mod-Click-and-drag: Move a window.
Mod-Left-click-and-drag: Resize a window.

I use many of the GNOME tools along with Awesome. Some of them require a little nudging to get to work:

gnome-control-center requires the XDG_CURRENT_DESKTOP environment variable set to GNOME.

backup-scripts

Thu, 12 Mar 2020 09:02:58 -0400

A series of scripts for performing backups of servers and workstations

balsa-1.2.3-attachment

Thu, 12 Mar 2020 09:02:58 -0400

balsa-1.2.3-attachment

A patch for Jay Painter and Stuart Parmenter's Balsa. When this patch is applied, a user may specify mail attachments on the command line using the -a or –attachment option.

Incidentally, this patch allows one to integrate Balsa very nicely with the graphical shell Nautilus. One can right click on selected files, scale them to a reasonable size, and open a new mail message with them attached if one places my mail_file script in their Nautilus scripts directory. Mail_file is distributed in my nautilus_scripts package.

balsa-2.1.0-ab-window-dnotify

Thu, 12 Mar 2020 09:02:58 -0400

balsa-2.1.0-ab-window.c.dnotify balsa-2.1.0-ab-window.h.dnotify

A patch for the balsa email client that reloads a user's address book automatically when a dnotify event indicates that it has changed. This replaces the reload button.

balsa-2.1.0-attachments

Thu, 12 Mar 2020 09:02:58 -0400

balsa-2.1.0-attachments

A patch for the balsa email client that fixes some issues with attaching files from the command line.

balsa-2.1.0-defclient

Thu, 12 Mar 2020 09:02:58 -0400

balsa-2.1.0-defclient

A patch for the balsa email client that causes the program to ask if it should be the default email client when run for the first time.

bbb

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Burn_baby_burn's replacement, bbb, is a set of utilities for burning to CD-R and CD-RW media. The package allows one to easily perform tasks such as burning the contents of a directory, burning an audio CD, burning a CD image and copying CD media from the command line. Bbb differs from burn_baby_burn primarily in the interface it presents the user. Bbb is designed as several simple tools that may be used easily in standard UNIX pipelines.

Nasty Details

Bbb provides a mechanism for keeping the system load down during CD burning. A file, /tmp/be_nice, exists when a CD is being burned. Cron and other similar systems should check for the existence of this file before executing jobs. Bbbnice is a tool provided by bbb that waits until /tmp/be_nice no longer exists before executing a task.

Here is an example of a crontab that uses bbbnice:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

01 * * * * root bbbnice run-parts /etc/cron.hourly
02 4 * * * root bbbnice run-parts /etc/cron.daily
22 4 * * 0 root bbbnice run-parts /etc/cron.weekly
42 4 1 * * root bbbnice run-parts /etc/cron.monthly

For burning bootable backup CD-ROMS, I recommend Gratien D'haese's Make CD-ROM Recovery. For encoding audio CDs into MPEG 1 Layer III or Ogg Vorbis files, I recommend autorip by Jonathan Mayer.

beamer-control

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Beamer is a LaTeX class for creating slides for presentations. beamer-control allows you to simultaneously control two PDF viewers to synchronize slides—displayed with a projector—and notes—displayed on a laptop screen. beamer-control uses the AT-SPI accessibility framework to communicate with any compatible viewers, such as evince.

Setup (in the case of the Awesome window manager)

Ensure you are running at-spi2-registryd.
Run beamer-control and use xwininfo to identify its window identifier.
Configure Awesome to treat beamer-control as a floating window; write the following to your Awesome configuration, where Beamer Control is the window identifier from the previous step:

awful.rules.rules = {
...
	{ rule = { name="Beamer Control", instance = "python3" }, properties = {floating = true}},
...
}

A workflow

Add the following to your presentation's preamble to ensure every slide has a note, and thus the number of slides and note pages are equal:

\makeatletter
\def\beamer@framenotesbegin{%
	\gdef\beamer@noteitems{}%
	\gdef\beamer@notes{{}}%
}
\makeatother

Add the following to allow building either the slides or notes from the command line:

\ifcsname ifshowOnlyNotes\endcsname\else
\expandafter\let\csname ifshowOnlyNotes\expandafter\endcsname
\csname iffalse\endcsname
\fi

\ifshowOnlyNotes
\setbeameroption{show only notes}
\fi

Build slides with pdflatex presentation.tex.
Build notes with pdflatex --jobname=notes "\let\ifshowOnlyNotes\iftrue\input{presentation}".
Open the slides using evince and place them on one screen in presentation mode.
Open the notes using evince and place them on the other screen in fullscreen mode.
Run beamer-control and place on the notes screen (anywhere but the top-left corner).
Control the presentation by placing the focus on beamer-control and pressing the up or down arrow keys.

Downloads

beamer-control

Beholder

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Beholder, a multi-function server. Beholder runs on commodity router hardware and provides a number of features:

SSH access
a Snort network intrusion prevention system
a NetFlow exporter

We build Beholder on top of OpenWrt because of the distribution’s simplicity and small size. Beholder is made up of roughly 90 packages, and its programs and configurations take up less than 40 MB of storage space. Here we assume that Beholder will run within the confines of a Xen hypervisor.

Establish the Beholder VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Beholder:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/beholder-data.qcow.
Write the following at /etc/xen/vm-beholder.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "beholder"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/beholder-lede-17.01.1-x86-64-combined-ext4.img,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on Beholder:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
dnsmasq \
kmod-ppp \
kmod-pppoe \
kmod-pppox \
kmod-r8169 \
logd \
luci \
luci-app-firewall \
luci-base \
luci-lib-ip \
luci-lib-nixio \
luci-proto-ipv6 \
luci-proto-ppp \
luci-theme-bootstrap \
mtd \
odhcpd-ipv6only \
ppp \
ppp-mod-pppoe \
r8169-firmware \
uhttpd-mod-ubus \
uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
	freifunk-watchdog \	
	snort \
	softflowd \
	syslog-ng \
	zoneinfo-core \
	zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configure the firewall

/etc/config/firewall:

config defaults
        option drop_invalid 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name lan
        option network lan
        option input ACCEPT
        option output ACCEPT
        option forward DROP

Configure basic system settings

/etc/config/system:

config system
        option hostname beholder.EXAMPLE.COM
        option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
        option process dropbear
        option initscript /etc/init.d/dropbear

config process
        option process snort
        option initscript /etc/init.d/snort

/etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname eth0
        option proto dhcp

/etc/config/dropbear:

config dropbear
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port         '22'

Forwarding packets to Snort host

Once Snort is running, you will want to forward a copy of network packets to the Snort host. The tee feature of netfilter can perform this work. To configure an OpenWrt router to forward a copy of each packet to the Snort host at beholder.EXAMPLE.COM, add the following to /etc/firewall.user on the router (replace BEHOLDER-IP):

iptables -t mangle -A INPUT  ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A OUTPUT ! -d BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP
iptables -t mangle -A FORWARD ! -d BEHOLDER-IP/32 ! -s BEHOLDER-IP/32 -j TEE --gateway BEHOLDER-IP

Configuring Snort

/etc/config/snort:

config snort snort
	option config_dir /etc/snort/etc/
	option alert_module alert_syslog
	option interface eth0

Register with Snort, download the registered Snort rules from https://www.snort.org/downloads/registered/snortrules-snapshot-3000.tar.gz, and install them at /etc/snort/.
Uncomment the appropriate rules in each file found in /etc/snort/rules/.
Restart Snort, and test its functionality. One way to do this is to uncomment the NessusTest rule in /etc/snort/rules/snort3-server-webapp.rules and run wget http://webserver/NessusTest. Snort should log something like this: “SERVER-WEBAPP nessus 2.x 404 probe.”

Configuring softflowd

/etc/config/softflowd (replace example.com):

config softflowd
	option enabled        '1'
	option interface      'eth0'
	option pcap_file      ''
	option timeout        ''
	option max_flows      '8192'
	option host_port      'golem.example.com:9995'
	option pid_file       '/var/run/softflowd.pid'
	option control_socket '/var/run/softflowd.ctl'
	option export_version '5'
	option hoplimit       ''
	option tracking_level 'full'
	option track_ipv6     '0'
	option sampling_rate  '100'

bluefish-0.12-desktop

Thu, 12 Mar 2020 09:02:58 -0400

bluefish-0.12-desktop.patch.gz gnome-vfs.keys-bluefish.patch.gz

Patches that integrate Bluefish into the GNOME MIME system more effectively.

C

Thu, 12 Mar 2020 09:02:58 -0400

Standardizing style with the aim of aiding inspection and removing pitfalls

Human review remains one of the best ways to ensure a body of source code specifies the program that the programmer set out to write. Testing is usually a practical necessity, but a programmer’s ultimate goal should be a program that humans can read and understand. Source files that follow a single style are easier to review and audit. The pedansee utility parses source files in C and indicates whether they comply with one such style.

Pedansee’s default style strives for consistency, and it also removes pitfalls that lead to bugs. For example, C does not require braces around one-line blocks. However, leaving them off sometimes leads to the situation where a programmer later indents a statement following a block and expects it to be included in the block.

It is possible to integrate pedansee with a project that builds using the GNU autotools. First, add the following to the project’s configure.ac:

AC_PATH_PROG(PEDANSEE, pedansee)
AM_CONDITIONAL(HAVE_PEDANSEE, test -n "$PEDANSEE")

Next, add this to the Makefile.am responsible for compiling the project’s source code (replace proj_1_0):

check:
if HAVE_PEDANSEE
       set -e; for i in $(proj_1_0_la_SOURCES); do $(PEDANSEE) $$i -- -x c $(DEFS) $(proj_1_0_la_CFLAGS); done
endif

With this, running pedansee is a matter of executing make check.

The tool indent will reformat C source code according to a configurable style. Flyn Computing’s preferred use is indent -linux foo.c. This follows Linus Torvalds’s preferred style.

Catching bugs with assertions

Assertions can help catch the bugs that result from ill composition or otherwise misused interfaces, but you should not use them to catch runtime conditions from which a program could otherwise recover. In general, it is best to catch bugs as early as possible during the course of writing a program; the following definition of C_ASSERT will at compile time catch bugs involving constants:

#define C_ASSERT(e) typedef char __C_ASSERT__[(e)?1:-1] __attribute__((unused))

Catching bugs with run-time unit testing

Proving the correctness of a program or relying completely on code audits does not measure up to the complexity found in most programs. Thus run-time testing remains necessary. Unit testing tests the components of a program independently, and it is best performed as a program is written. For example, the programmer specifies a C function, and then he writes a series of tests to ensure the C function implements the specification. Finally, he writes the function itself and runs the tests. This makes the programmer an adversary of himself. Precisely when he best has in mind the purpose of a function, he writes the tests for that function. Only after the tests exist and can provide evidence of the correctness of the function does he write the function itself.

The check framework aids in writing unit tests for programs specified in C. Check can use fork/exec to allow a series of tests to run even if one terminates due to a memory error, although this feature can be turned off to facilitate running the tests in a debugger. Check also supports environment variables that result in running a subset of tests.

It is possible to integrate check with a project that builds using the GNU autotools. First, add the following to the project’s configure.ac:

PKG_CHECK_MODULES([CHECK], [check &gt;= 0.9.4],have_check=yes,have_check=no)
AM_CONDITIONAL(HAVE_CHECK, test x"$have_check" = "xyes")

Next, add this to the Makefile.am responsible for compiling the project’s tests (replace … or omit the statement entirely):

if HAVE_CHECK
noinst_PROGRAMS += unit-test
endif

if HAVE_CHECK
unit_test_SOURCES = unit-test.c
unit_test_LDADD = ...
endif

Note that this example assumes that the project ships a library, namely libproj.

Each source file ought to contain tests. For example, this checks that the function x produces the string bar when passed foo:

#ifdef HAVE_CHECK

START_TEST(x_test)
{
    ck_assert_str_eq(x("foo"), "bar");
}
END_TEST

#endif

Refer to check’s documentation for a description of the API used to write such tests.

Writing the framework code necessary for test execution can be tedious, as it involves bundling tests into suites and maintaining a main function. Some projects include a script that generates this source; see libdmapsharing’s generate-test-suites, for example.

Measuring code coverage using gcov

Unit tests ought to maximally cover the body of source code that makes up a program. Although it is impossible to test other than the simplest programs across all possible inputs, testing should at least try to execute each possible branch in a program. GCC’s gcov can help achieve path coverage.

To use gcov to measure your path coverage, compile your program using -fprofile-arcs -ftest-coverage. You can build with the GNU autotools a configure script that activates these flags when passed --enable-coverage. To do this, use the following pattern in configure.ac:

AC_ARG_ENABLE(debug, [AC_HELP_STRING([--enable-debug],[enable debugging build])])
AC_ARG_ENABLE(coverage, [AC_HELP_STRING([--enable-coverage],[enable code-coverage build])])
if test "x$enable_debug" = "xyes"; then
    CFLAGS="$CFLAGS -g"
elif test "x$enable_coverage" = "xyes"; then
    CFLAGS="$CFLAGS -fprofile-arcs -ftest-coverage"
else
    CFLAGS="$CFLAGS -O2"
fi

AC_PROG_CC

Run your program after building it with gcov support. The result is an instrumented execution that will produce files containing the details of the execution. To view these details, run:

$ gcov foo.c

where foo.c is a source file. This will provide a summary along with a detailed report in foo.c.gcov. The report marks lines with an integer representing how many times that line executed. A line preceded by ##### did not execute, and thus indicates insufficient test coverage.

Some projects require an argument that points gcov to the directory containing the project’s object files (i.e., .libs). This is the case when the project includes library code:

$ gcov foo.c -o .libs/libfoo_1_0-foo.gnco

Catching memory errors with Valgrind

Valgrind helps find in programs memory errors such as buffer overflows and memory leaks, and thus it might help find bugs missed even when unit tests provide full path coverage. To use Valgrind, compile your program to include debugging symbols and without optimization. Then run the following (replace program -options …):

$ valgrind --leak-check=full --num-callers=100 program -options ...

The configure.ac fragment described in the gcov section above also provides support for a --enable-debug flag.

Catching memory errors with GCC

Always use GCC’s -Wall and -Wextra options.

GCC supports a -fsanitize=address option that instruments a program to catch memory errors, including out-of-bounds memory accesses and memory that is used after having been freed. Simply invoke the option when compiling, and run the resulting program. As a dynamic analyzer, this will only catch errors that manifest while running. Refer to GCC’s documentation for other GCC sanitize options.

GCC also supports a -fanalyzer option that invokes a static analyzer on the program GCC is compiling.

Catching programming errors with American Fuzzy Lop

Fuzzing provides randomized input patterns to a program in an attempt to cause the program to crash and thereby expose a bug. This technique might help find bugs missed by the techniques above.

For a program to be tested by American Fuzzy Lop (AFL), the program must read its input from standard input. If this is not the case, then you will need to write a wrapper program to facilitate testing.

To use AFL, compile your program using the following pattern:

$ afl-gcc program.c -o program

Next, craft a series of input patterns that will guide AFL as it later produces its random inputs. The AFL documentation describes how to do this, but placing the following in fuzz_testcase_dir/0 will cause AFL to produce character inputs:

Finally, run the program with:

$ afl-fuzz -i fuzz_testcase_dir -o fuzz_findings_dir ./fuzz

This will run AFL. AFL provides a real-time display and, when run as described, places crash-producing inputs in fuzz_findings_dir/crashes/.

Static linking with the GNU linker

When you statically link using the GNU linker, ld adds library symbols referenced by your code to the program it outputs. Ld adds these symbols using source-file granularity; that is, if you require the function foo, then ld will include foo along with any other symbols defined in the same source file as foo. If you want to produce small programs, then it might make sense to write your libraries such that each source file contains a single externally-visible function; this will minimize the amount of code included in your program.

Ld only includes symbols that you have not already defined, allowing you to override library functions. This must be used with care, because if you redefine foo but not bar but both were defined in the same library source file, then you will get a symbol conflict; ld will include both foo and bar, and the conflict arises as a result of two definitions: your foo and the library's foo.

Certificates

Thu, 12 Mar 2020 09:02:58 -0400

Generate

Generate a CA certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -extensions v3_ca -nodes -keyout ca.key -out ca.pem

This should result in a certificate with X509v3 Basic Constraints set to CA:TRUE.

Generate a self-signed certificate and key

openssl req -new -x509 -sha256 -newkey rsa:4096 -days 365 -nodes -keyout example.com.key -out example.com.pem

Generate a PKCS#10 X.509 certificate signing request

Generate a private key:

openssl genrsa -out example.com.key 4096

Produce a corresponding CSR:

openssl req -new -key example.com.key -out example.com.csr

Review the CSR:

openssl req -in example.com.csr -noout -text

Generate a “CA”-signed certificate from a certificate signing request and “CA” certificate/key

openssl x509 -req -sha256 -days 365 -in example.com.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out example.com.pem

Display

Display in human-readable form the contents of a certificate in PEM format

openssl x509 -in example.com.pem -noout -text

Display in human-readable form the contents of a certificate in DER format

openssl x509 -in example.com.der -inform DER -noout -text

Display in human-readable form the contents of a certificate revocation list in DER format

openssl crl -in example.com.crl -inform DER -noout -text

Convert

Convert a PKCS#7 certificate into a X.509 certificate

openssl pkcs7 -print_certs -in example.com.p7p -out example.com.pem

Convert a certificate and private key into a PKCS#12 file

openssl pkcs12 -export -out certificate.pfx -inkey example.com.key -in example.com.pem -certfile ca.pem

cryptoswap

Thu, 12 Mar 2020 09:02:58 -0400

Overview

The cryptoswap package supports building an encrypted swap partition when a system boots. This may be necessary on systems that use encrypted filesystems because plaintext secrets may be written to disk when memory is swapped to disk.

Nasty Details

Cryptoswap.sh should be installed in /etc/init.d. During system boot, cryptoswap.sh should execute right before checkroot.sh. When shutting down, cryptoswap should execute after sysklogd.

This package also includes an initialization script for building loopback encrypted /tmp. This may be necessary if a system contains encrypted filesystems but / is not encrypted. A link from directories like /var/tmp to /tmp may be appropriate. There are a few other alternatives for systems such as these:

Tmpfs is a Linux kernel feature that allows /tmp to exist in memory. This is a good solution for systems with a lot of memory and/or (encrypted) swap.
If you have a system that uses encrypted home directories, per-user temporary directories inside $HOME could be used. This would ensure that user's data is protected but would require that all applications use $HOME/tmp instead of /tmp.

Finally, the project may be used to create an encrypted root filesystem. Doing so requires two special partitions. First, create a small partition to hold your kernel and initrd image, /dev/hdaX. Second create a large partition to contain the root of your filesystem, /dev/hdaY.

Next configure and install an initrd-based boot system:

Ensure romfs is compiled in your kernel (not a module).
Create a kernel-supported filesystem on /dev/hdaX and copy your kernel to /vmlinux.
Download busybox and extract it as initrd/busybox.
Update initrd/src/etc/modules.initrd to include any modules needed to boot.
Build cryptoswap's initrd image (cd initrd && make initrd) and copy it to the filesystem on /dev/hdaX at /initrd.img.gz.
Make sure you use literal = "root=/dev/ram0 init=/linuxrc rw" or liLO equivalent.

Finally, create a proper encrypted filesystem on /dev/hdaY:

Randomize the partition: dd if=/dev/urandom of=/dev/hdaY.
Set up a loopback device: openssl enc -d -aes-256-ecb -in initrd/src/etc/efsk | losetup -p0 -e aes /dev/loop0 /dev/hdaY.
Create the root filesystem: mkfs.ext2 /dev/loop0.
Mount your new root filesystem: mount /dev/loop0 <mountpoint>.
Populate your new root filesystem.

cryptsetup-0.2-hexkey

Thu, 12 Mar 2020 09:02:58 -0400

cryptsetup-0.2-hexkey

A patch that allows one to input a key into cryptsetup using hexadecimal notation.

dia-20030920-exportformat

Thu, 12 Mar 2020 09:02:58 -0400

dia-20030920-exportformat

A patch for dia that allows one to use dia's -t and -e options together.

dia-20031203-vfs

Thu, 12 Mar 2020 09:02:58 -0400

dia-20031203-vfs

A patch for dia that begins to add support for GNOME VFS.

DirectFB-0.9.8-dev_input_js

Thu, 12 Mar 2020 09:02:58 -0400

DirectFB-0.9.8-dev_input_js

A patch for the DirectFB library which allows it to work with new-style Linux joystick device names (/dev/input/js?).

dmapd

Thu, 12 Mar 2020 09:02:58 -0400

The dmapd project provides a GObject-based, Open Source implementation of DMAP sharing with the following features:

Support for both DAAP and DPAP
Support for realtime transcoding of media formats not natively supported by clients
Support for many metadata formats, such as those associated with Ogg Vorbis and MP3 (e.g., ID3)
Detection of video streams so that clients may play them as video
Use of GStreamer to support a wide range of audio and video CODECs
Caching of photograph thumbnails to avoid regenerating them each time the server restarts

Dmapd runs on Linux and other POSIX operating systems. It has been used on OpenWrt Linux-based systems with as little as 32MB of memory to serve music, video, and photograph libraries containing thousands of files.

Dmapd supports the following command line options:

-?, --help: Show help options
-f, --foreground: Do not fork; remain in foreground
-n, --name: Name of media shares
-m, --music-dir: Music directory
-p, --picture-dir: Picture directory
-M, --music-format: Acceptable music format
-P, --picture-format: Acceptable picture format
-l, --lockpath: Path to lockfile
-i, --pidpath: Path to PID file
-d, --db-dir: Media database directory
-u, --user: User to run as
-g, --group: Group to run as
-t, --transcode-mime-type: Target MIME type for transcoding
-r, --rt-transcode: Perform transcoding in real-time
-w, --max-thumbnail-width: Maximum thumbnail size (may reduce memory use)
-c, --directory-containers: Serve DMAP containers based on filesystem heirarchy

Dmapd supports the following environment variables:

DMAPD_DEBUG: Enable verbose debugging messages
DMAPD_CONFIG_FILE: Path to an alternate configuration file
DMAPD_MODULEDIR: Directory containing dmapd modules
DMAPD_AV_META_READER_MODULE: Name of an alternate AV module
DMAPD_AV_RENDER_MODULE: Name of an alternate AV render module; when applicable may also specify a host, e.g.: DMAPD_AV_RENDER_MODULE=gst:host=192.168.0.1
DMAPD_PHOTO_META_READER_MODULE: Name of an alternate photograph module
DMAPD_DB_MODULE: Name of an alternate database module

Dmapd can provide content to any client that supports DAAP or DPAP. This includes the following software clients and hardware devices:

Apple iTunes™
Apple iPhoto™
Rhythmbox
Roku SoundBridge™

Dmapd can read metadata from any music file supported by GStreamer. In order to use this feature you must have the appropriate GStreamer plugins installed. The following plugins are always required if you wish to use this feature:

app
decodebin
typefindfunctions

The following GStreamer plugins are required for the corresponding media types:

mad (MP3)
id3demux (MP3)
ogg (Ogg Vorbis, etc.)
vorbis (Ogg Vorbis)
flac (FLAC)
mpeg2dec (MPEG video)
theora (Ogg Theora video)

The dmapd project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/dmapd

DoD Common Access Card and other smartcards on Unix

Thu, 12 Mar 2020 09:02:58 -0400

Fedora

Prerequisites

Install the DoD root certificates:

Download the DoD root certificates. Visit the DoD PKI/PKE Document Library, and download the target of the link “PKI CA Certificate Bundles: PKCS#7 For DoD PKI Only - Version 5.6”.
Unzip the downloaded package, and enter the unzipped directory.
Copy the certificates to the system directory: cp DoD_PKE_CA_chain.pem /etc/pki/ca-trust/source/anchors/.
Update the CA trust store: update-ca-trust.

Install the necessary packages: yum install opensc pcsc-lite-ccid pcsc-lite pcsc-tools
Start the PC/SC daemon: systemctl start pcscd
Configure the system to start the PC/SC daemon each time it boots: systemctl enable pcscd.service

DoD Common Access Card

This document describes how to integrate the US Department of Defense Common Access Card with UNIX. Here we assume that you have a CAC which already contains the appropriate certificates and private keys.

Firefox

Insert your CAC into the smart-card reader
Introduce the PC/SC interface to Firefox:

Select Preferences→Privacy & Security
Select Security Devices
Select Load
Name the module something like CAC Support and select /usr/lib64/pkcs11/opensc-pkcs11.so

PAM

Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and run the following command to add the certificate to your local certificate database: certutil -A -n DODCA_29 -t pCcT,pCcT,pCcT -i DODCA_29.cer -d /etc/pki/nssdb
Review /etc/pam.d/smartcard-auth
Edit /etc/pam_pkcs11/pam_pkcs11.conf and set user_mappers to subject
Run pkcs11_inspect debug, and look for Printing data for ...
Edit /etc/pam_pkcs11/subject_mapping to contain something like CN=LAST.FIRST.MIDDLE.ID,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US -> username, replacing LAST.FIRST.MIDDLE.ID with the output from pkcs11_inspect and username with the corresponding UNIX username

GnuPG

First, complete the following steps:

Install the necessary packages: yum install dirmngr gnupg2-smime gnupg-pkcs11-scd
Add scdaemon-program /usr/bin/gnupg-pkcs11-scd to ~/.gnupg/gpg-agent.conf
Add the following to ~/.gnupg/gnupg-pkcs11-scd.conf:

providers p1
provider-p1-library /usr/lib64/pkcs11/libcoolkeypk11.so
emulate-openpgpg
openpgp-sign hash
openpgp-encr hash
openpgp-auth hash

Replace hash with the output from echo "SCD LEARN" | gpg-agent --server gpg-connect-agent (You will probably want the hashes from the second record)

Obtain the DoD certificate set from https://crl.chamb.disa.mil/ and your own certificate from https://dod411.gds.disa.mil/

PIVKey C910

A PIVKey C910 arrives without certificates or private keys. Unfortunately, the management of these materials requires Windows. The necessary utilities exist in the archive available at http://pivkey.com/pkadmin.zip. You can use the vSEC:CMS tool contained therein to perform the following tasks:

Set the PIN of the smartcard (the default is 000000)
Set the administrative key of the smartcard (the default is 000000000000000000000000)
Load a PKCS#12 certificate/key onto the smartcard

The PIVKey C910 supports a number of key slots which are defined by various standards:

Slot identifier	Description
9A	Authentication (e.g., system logins)
9C	Digital signatures
9D	Key management (encryption)
9E	Card authentication; does not require PIN (e.g., door locks)

You can use the following invocations of PivKeyTool.exe to associate certificates/keys with these slots:

PivKeyTool.exe --listmd: List the certificates/keys present on the smartcard.
PivKeyTool.exe --listpiv: List the mappings between certificate IDs and key slots.
PivKeyTool.exe --userpin PIN --mappiv9n certid, where n is a, c, d, or e: Establish a mapping between a certificate ID and key slot.

Once you have installed and configured GnuPG, you might find the following commands helpful:

gpg2 --card-status: Test the interoperability between GnuPG and the CAC
gpgsm --import DODCA_29.cer DODEMAILCA_29.cer: Import the DoD certificates downloaded from https://crl.chamb.disa.mil/
gpgsm --import name.cer: Import the personal certificate downloaded from https://dod411.gds.disa.mil/
gpgsm --learn-card: Learn about the CAC
gpgsm --list-secret-keys: Describe the secret keys available on the CAC
gpgsm --verbose --disable-crl-checks --armour --sign path: Perform a test signature
gpgsm --verbose --disable-crl-checks --armour --verify path: Perform a test verification

Domain Controller

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to configure a computer running FreeBSD to serve as an Active Directory domain controller.

Base UNIX Domain Controller

First, setup the server:

Install FreeBSD and configure networking. Be sure to set the server’s hostname such as with hostname="dc.example.com" in /etc/rc.conf
Configure the Samba 4 port by entering /usr/ports/net/samba43/ and running make config. (The version 4.4 of the Samba port is presently broken.)
For a minimal install, select neither mDNSresponder nor avahi while configuring the build.
Build and install Samba 4 by running make install clean.
Activate filesystem ACLs in /etc/fstab, e.g., /dev/ada0p2 / ufs rw,acls 1 1.
Configure Samba by running samba-tool domain provision --use-rfc2307 --interactive.
Use samba-tool user add to add users to Samba’s authentication database.
Activate Samba by adding samba_server_enable="YES" to /etc/rc.conf.

Next, add a Windows client to the domain:

Set the Windows host’s DNS resolver to point to the Samba server’s IP address.
Right click on the computer icon; select properties; select change settings near the text computer name; and press the button to change the computer’s domain.
Select the domain radio button and type in Samba 4’s full domain.
Click ok and provide the administrative password for the Samba 4 domain.
Restart the client computer.

As an aside, Red Hat-derived Linux distributions such as RHEL, CentOS, and Fedora make it difficult to configure Samba 4 as an Active Directory domain controller. This is primarily because these distributions use MIT Kerberos, while many of the Active Directory-related features in Samba 4 require Heimdal Kerberos. Information about the coming solution to this problem can be found on the Internet, including as documented by the Samba project.

Adding Host Records to Samba’s DNS implementation

Each domain host will likely require a DNS record in Samba’s DNS service. You can use the following command to add an A record to the domain controller at dc.example.com for the host which is named host.example.com and bears the IP address 10.0.0.64: samba-tool dns add dc.example.com example.com host A 10.0.0.64.

Remote Management from a Windows Computer

Windows provides facilities for remotely managing domain-connected computers. In order to activate one such facility on a user computer, run the following on that user computer:

Enable-PSremoting

Once the user computer is set to accept remote-management requests, you can run the following command as the domain administrator from an administrative computer to test remote management (replace TARGET with the computer you intent to manage):

Invoke-Command -Computer TARGET -ScriptBlock { "C:\Program files" |  Get-ChildItem }

Smart-Card Authentication

Certificate Production

Establish a Certificate Authority

Smart-card-based authentication requires a number of certificates: CA "root-of-trust" certificate, a certificate for the domain controller, and certificates for each user.

Create a basic CA directory structure from within the root of where you intend to store your certificates and other materials: mkdir certs crl private newcerts.
Create a blank file named index.txt.
Create files named serial and crlnumber containing 00.
Add the following to /etc/openssl.cnf:

CRLURL      = [URL of CRL server, e.g., https://crl.example.com/example.com.crl]
BASEDIR     = [Base of certificate store; where signed certificates go]
COUNTRY     = [Two-letter country code]
STATE       = [State of province (not abbreviated)]
LOCALITY    = [City, town, etc.]
ORG         = [Name of organization]
OU          = [Organizational unit]
DOMAIN      = [Domain, e.g., example.com]
EMAIL       = [Email address]@$DOMAIN
DC          = [Hostname of domain controller]

# Using "ADSI Edit" on Windows:
#   1. Connect to domain controller
#   2. Default naming context
#   3. DC=...
#   4. OU=Domain Controllers
#   5. Right click on CN=... and select Properties
#   6. View objectGUID in hexadecimal
DCGUID      = [Domain controller's GUID in HEX, eg, FEEDDEADBEEF...]

# Using "ADSI Edit" on Windows:
#   1. Connect to domain controller
#   2. Default naming context
#   3. DC=...
#   4. CN=Users
#   5. Right click on CN=... and select Properties
#   6. View usePrincipalName
UPN         = [UPN of user]

oid_section = new_oids

[ new_oids ]
scardLogin = 1.3.6.1.4.1.311.20.2.2
msUPN      = 1.3.6.1.4.1.311.20.2.3
msKDC      = 1.3.6.1.5.2.3.5
msADGUID   = 1.3.6.1.4.1.311.25.1

[ ca ]
default_ca  = CA_default                  # The default ca section

[ CA_default ]
dir              = $BASEDIR               # Where everything is kept
certs            = $dir/certs             # Where the issued certs are kept
crl_dir          = $dir/crl               # Where the issued crl are kept
database         = $dir/index.txt         # database index file.
unique_subject   = yes                    # Set to 'no' to allow creation of
new_certs_dir    = $dir/newcerts          # default place for new certs.
certificate      = $dir/cacert.pem        # The CA certificate
serial           = $dir/serial            # The current serial number
crlnumber        = $dir/crlnumber         # the current crl number
crl              = $dir/ca-crl.pem        # The current CRL
private_key      = $dir/private/cakey.pem # The private key
RANDFILE         = $dir/private/.rand     # private random number file
# x509_extensions =               # Extensions to add to certificate
name_opt         = ca_default             # Subject Name options
cert_opt         = ca_default             # Certificate field options
crl_extensions   = crl_ext
default_days     = 730                    # how long to certify for
default_crl_days = 30                     # how long before next CRL
default_md       = sha256                 # use public key default MD
preserve         = no                     # keep passed DN ordering
policy           = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ policy_anything ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = match
commonName             = supplied
emailAddress           = supplied

[ req ]
default_bits           = 4096
default_keyfile        = privkey.pem
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca            # The extensions to add to the self signed cert
string_mask            = utf8only
attributes             = req_attributes

[ req_attributes ]
challengePassword     = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName      = An optional company name

[ req_distinguished_name ]
countryName                    = Country Name (2 letter code)
countryName_default            = $COUNTRY
countryName_min                = 2
countryName_max                = 2
stateOrProvinceName            = State or Province Name (full name)
stateOrProvinceName_default    = $STATE
localityName                   = Locality Name (eg, city)
localityName_default           = $LOCALITY
organizationName               = Organization Name (eg, company)
organizationName_default       = $ORG
organizationalUnitName         = Organizational Unit Name (eg, section)
organizationalUnitName_default = $OU
emailAddress                   = Email Address
emailAddress_default           = $EMAIL
emailAddress_max               = 64
commonName                     = Common Name (eg, YOUR name)
commonName_default             = hostname.$DOMAIN
commonName_max                 = 64

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
keyUsage               = cRLSign, keyCertSign
crlDistributionPoints  = URI:$CRLURL
nsCertType             = sslCA, emailCA
subjectAltName         = email:copy
issuerAltName          = issuer:copy

[ crl_ext ]
issuerAltName          = issuer:copy
authorityKeyIdentifier = keyid:always

# Extensions for domain-controller certificates:

[ usr_cert_mskdc ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end-user certificate as a CA.
basicConstraints       = CA:FALSE
crlDistributionPoints  = URI:$CRLURL
nsCertType             = server
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
nsComment              = "Domain Controller Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = @dc_subjalt
issuerAltName          = issuer:copy
nsCaRevocationUrl      = $CRLURL
extendedKeyUsage       = clientAuth,serverAuth,msKDC

[dc_subjalt]
DNS                    = $DC
otherName              = msADGUID;FORMAT:HEX,OCTETSTRING:$DCGUID

# Extensions for smart-card user certificates:

[ usr_cert_scarduser ]

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end-user certificate as a CA.
basicConstraints       = CA:FALSE
crlDistributionPoints  = URI:$CRLURL
nsCertType             = client, email
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
nsComment              = Smart Card Login Certificate
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = email:copy,otherName:msUPN;UTF8:$UPN
issuerAltName          = issuer:copy
nsCaRevocationUrl      = $CRLURL
extendedKeyUsage       = clientAuth,scardLogin

Generate a CA Root Certificate

Properly define the variables at the top of openssl.cnf.
See notes on the use of certificates. You will want to use the -config openssl.cnf option to use the above configuration.

Generate a Certificate for Samba

Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_mskdc and ensure the line is not commented out.
Generate the certificate using openssl req -new -newkey rsa:4096 -keyout private/dc-key.pem -out dc-req.pem -config openssl.cnf -nodes.
Sign the Samba certificate using the CA certificate openssl ca -config openssl.cnf -in dc-req.pem -out dc-cert.pem.

Generate a Smart-Card User Certificate

Under the CA_default section of openssl.cnf, set x509_extensions = usr_cert_scarduser and ensure the line is not commented out.
Generate the certificate using openssl req -new -newkey rsa:2048 -keyout private/user-key.pem -out user-req.pem -config openssl.cnf -nodes. Note that you might have limited key types/sizes to choose from, depending on the type of smartcard you plan to use.
Sign the user certificate using the CA certificate openssl ca -config openssl.cnf -in user-req.pem -out user-cert.pem.
Install the certificate and private key onto a smartcard.

Certificate-Revocation-List Server

Configure, build, and install the apache24 port.
Generate and install a certificate and private key for Apache at /usr/local/etc/apache24/.
Configure Apache, including the following in /usr/local/etc/apache24/httpd.conf:

LoadModule ssl_module modules/mod_ssl.so
ServerName crl.example.com:443
Listen 443
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/crl.example.com.pem
SSLCertificateKeyFile /usr/local/etc/apache24/crl.example.com.key

Generate the CRL with openssl ca -config openssl.cnf -gencrl -out example.com.crl and install the result in Apache’s document directory.

Copy the necessary certificates and the CRL onto the Samba host (see the next step for what Samba will require).
Generate Diffie-Hellman parameters: openssl dhparam 4096 -out dc-dhparams.pem.
Add to smb4.conf:

tls enabled       = yes
tls certfile      = /usr/local/samba/private/tls/dc-cert.pem
tls keyfile       = /usr/local/samba/private/tls/secure/dc-privkey.pem
tls cafile        = /usr/local/samba/private/tls/cacert.pem
tls crlfile       = /usr/local/samba/private/tls/ca.crl
tls dhparams file = /usr/local/samba/private/tls/dc-dhparams.pem

Convert your PEM-format CA certificate to DER: openssl x509 -in cacert.pem -out cacert.cer -outform DER.
Convert your user certificate to DER: openssl x509 -in Administrator-cert.pem -out Administrator-cert.cer -outform DER.

Doppelganger

Thu, 12 Mar 2020 09:02:58 -0400

Doppelganger is configured as Mimic with the following exceptions:

Change the hostname in /etc/hostname.
Configure logging in a way appropriate for the host network.
Adjust mynetworks in golem’s /etc/postfix/main.cf, because Doppelganger might exist on a different network than Mimic.
Adjust /etc/postfix/saslpasswd and relayhost in golem’s /etc/postfix/main.cf to use a relay appropriate for Doppelganger’s network. Compile with postmap.
Install the wireguard-tools package, configure WireGuard by writing the configuration below to /etc/wireguard/wg0.conf, and run systemctl enable wg-quick@wg0.

[Interface]
Address = 192.168.2.4/32
ListenPort = 51820
# Generate with umask 077 && wg genkey | tee privkey | wg pubkey >pubkey
# Deploy public key to server.
PrivateKey = PRIVATEKEY

[Peer]
# Obtain public- and pre-shared-key from server.
PublicKey = PUBLICKEY
PresharedKey = PRESHAREDKEY
AllowedIPs = 192.168.2.0/24, 192.168.1.0/24
EndPoint = IP:51820
PersistentKeepalive = 30

esound-0.2.15-unlock

Thu, 12 Mar 2020 09:02:58 -0400

esound-0.2.15-unlock

A patch for EsounD which adds the two command line options which permit non-owners to control the dæmon.

fctk

Thu, 12 Mar 2020 09:02:58 -0400

Overview

The Flyn Computing Template Kit (fctk) is a collection of fmt-ptrn templates, XSLT templates, and project descriptions. These tools are used at Flyn Computing for development. The collection of templates use XML and the priciple of not repeating oneself. For example, this description comes from an XML file that is used to generate the fctk package's man page, HTML documentation, RPM specification, Debian package specifications, etc.

Nasty Details

Using np with the included project template, gnu_c:

np foo gnu_c

…will create the following directory tree:

.:
AUTHORS    INSTALL      TODO          dry         missing        src
COPYING    Makefile.am  configure.in  include     mkinstalldirs
ChangeLog  NEWS         debian        install-sh  scripts
 
./debian:
changelog  control  copyright  rules
 
./dry:
Makefile.am  foo.xml
 
./include:
Makefile.am
 
./scripts:
Makefile.am
 
./src:
Makefile.am  foo.c

Each file that is created provides a reasonable starting point for a GNU C project. Dry/foo.xml is used by dry/Makefile to create getopt() C code, man pages, etc.

Project directory structure:

xslt: XSLT templates to generate getopt() C code, man pages, HTML documentation, Debian package specifications, RPM specifications, etc. from one XML description.
templates: Templates for use with nf.
projects: Project descriptions for use with np
fctk: Auxillary files which are referenced by some of the other templates. These should go in /etc/fctk/

Fedora Nano

Thu, 12 Mar 2020 09:02:58 -0400

Introduction

Fedora Nano is a project with three goals:

Develop and document a technique for installing the smallest possible Fedora installation onto a CompactFlash or other solid-state disk.
Provide a centralized location for package enhancement requests geared towards small, embedded systems. Most often, packages will be broken up into core and optional components, reducing core package dependencies.
Document redundancy within Fedora. Redundancy can be an indication of a healthy software environment as competing projects may promote innovation. However, redundancy also increases memory and disk usage and makes code auditing more difficult.

I am using the following components:

VIA EPIA ME6000 Fanless Mini-ITX Motherboard
PC2100/DDR266 256MB Memory
Morex 2699 Mini-ITX Case
Round IDE cables
CFDISK.2G CompactFlash to IDE adapter
Notebook 2.5" to 2.3" HD IDE adapter (soldered into molex connector)

Installation of Fedora 9 on a CompactFlash disk

These instructions assume your build host is of the same architecture as your target.

Create a filesystem on the CompactFlash disk and mount it at /mnt. Mount any other filesystems required on top of /mnt.
Use the command yumdownloader –installroot=/mnt –resolve –destdir=packages package to download the following packages and their dependencies (see also Use yum to install to a temporary, yumless filesystem, yum bug #1):
- filesystem
- busybox
Use the command rpm --root /mnt -Uvh packages/*.rpm to install the packages downloaded using the previous step.
At a minimum, create the following busybox links:
- ln -s /sbin/busybox /mnt/sbin/init
- ln -s /sbin/busybox /mnt/bin/sh
- ln -s /sbin/busybox /mnt/bin/hostname
- ln -s /sbin/busybox /mnt/bin/mv
- ln -s /sbin/busybox /mnt/bin/touch
Edit /mnt/etc/init.d/rcS to execute startup services.
Build and install a custom kernel (my configuration is available here):
- Copy your kernel config to .config and run make oldconfig or run make menuconfig to configure the kernel.
- make clean
- make clean binrpm-pkg
- rpm --root /mnt -Uvh /usr/src/redhat/RPMS/i386/*kernel*.rpm
Add an entry to /etc/grub.conf for the new root disk.
Execute grub-install primary-disk-devnode.
Use pwconv to create /etc/shadow.

In order to make the root filesystem readonly, perform the following steps:

/var, /home and /tmp should be mounted from a readwrite partition. I have these directories on one partition and mount them by adding /shared/var /var none bind 0 0 to /etc/fstab.
Set READONLY=yes in /etc/sysconfig/readonly-root.

Note: The febootstrap project looks like an interesting project to create a small Fedora installation.

Fine-grained Package Requests

Pull out perl dependency

Perl is a good language, but may be too large a requirement for some small systems.

Stunnel: Pull /usr/sbin/stunnel3 into seperate package?, ✓Red Hat Bugzilla #442842
Bogofilter: Pull /usr/bin/bogoupgrade into seperate package?, ✓Red Hat Bugzilla #442843

cups: /usr/lib/cups/backend/dnssd is written in perl. This is a CUPS backend that discovers printers using avahi. See the ✓CUPS Software Programmers Manual . move cups perl backends into sub package, ✓Red Hat Bugzilla #465157.
fedora-ds-base: Several FDS scripts are written in perl.
foomatic: Much of foomatic is written in perl. RFE: Migrate to C foomatic once feasible, Red Hat Bugzilla #466068
ghostscript: The X11 code in ghostscript could be placed in a separate package.
texlive-utils: The X11 code in texlive-utils (/usr/bin/mf) could be placed in a separate package.
avahi-tools: The X11 code in avahi-tools (/usr/bin/avahi-discover) could be placed in a separate package. avahi-discover requires GTK, should move to avahi-ui-tools, ✓Red Hat Bugzilla #513768.
postfix: /usr/sbin/qshape is written in perl. Pull components dependent on perl out of main postfix package?, ✓Red Hat Bugzilla #467529.
ntp: /usr/sbin/ntp-wait and /usr/sbin/ntptrace are written in perl.
net-snmp: Some components are written in perl.

Pull out MySQL dependency

Postfix: Provide both mysql and postgresql support using loadable maps patch, ✓Red Hat Bugzilla #455206

Break up ImageMagick

ImageMagick provides a valuable library for image processing. However, Fedora presently packages ImageMagick in such a way that several X11 libraries are always required. I proposed that ImageMagick be broken up into -libs and -utilities packages. See Make ImageMagick package more fine-grained, ✓Red Hat Bugzilla #478789.

Break up GStreamer

Fine-grained packaging of GStreamer would allow users to choose which modules they want to install. See ✓gstreamer-plugins should be split up, Red Hat Bugzilla #108463.

Separate documentation packages

Package documentation, installed in /usr/share/doc, can occupy a lot of storage space. It would be beneficial to separate documentation into a -doc sub-package.

Separate locale packages

The /usr/lib/locale and /usr/share/locale directories quickly grow as more internationalized packages are added to a system. It would be beneficial to control which locales are installed. Perhaps a specialized package installation system like the one that has been developed for media codecs could be applied to this problem.

Redundancy Tracker

Tracking redundancy throughout all of Fedora is beyond the scope of this project. Instead, we focus on redundencies brought in by the following packages:

Fedora Directory Server
Kerberos
FreeIPA
Apache
mod_nss
OpenSSH
Postfix
Dovecot
Samba
Avahi
Jabberd
Bogofilter
mt-daapd
inadyn

FreeIPA requires OpenLDAP, FDS requires mozldap

It now seems that the 389 Directory Server may build against OpenLDAP in the future. See ✓Use OpenLDAP Clients in 389. It would follow that FreeIPA could do the same.

Previously, I tried to remove the OpenLDAP requirement from FreeIPA. I submitted a ✓patch so that FreeIPA may be built against mozldap. This package was integrated into FreeIPA. However, it was later reported that my patch broke ipa-kpasswd. As a result, I submitted a ✓second patch that fixed a preexisting misuse of the OpenLDAP API. Ipa-server ends up requiring both openldap-clients and mozldap-tools, ✓Red Hat Bugzilla #434153.

The following packages require OpenLDAP:

quota
openldap-clients
postfix
openldap
httpd
cyrus-sasl
libcurl
libuser
nfs-utils-lib
krb5-server-ldap
curl
nss_ldap
GConf2
gnupg
samba-winbind
samba-common
samba
libsmbclient
sudo
autofs
apr-util-ldap
cups
dirmngr
gnupg2
dhcp

The following packages require mozldap:

ipa-client
slapi-nis
mozldap-tools
perl-Mozilla-LDAP
ipa-server
389-ds-base

NSS vs. OpenSSL vs. the world

The ✓Crypto Consolidation Bug is an ambitious project to make NSS the standard cryptological library for Fedora.

FES

Thu, 12 Mar 2020 09:02:58 -0400

The Flyn Entertainment System, or FES, is a piece of software that provides entertainment in the form of an arcade, television, and audio player. Rather than provide a traditional computer interface, FES acts like a DVD player or other appliance, presenting a simple, joystick controlled menu.

FiOS G1100 Bridge

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to configure a Verizon FiOS G1100 to act in bridge mode. This mode deactivates some cable television features, but it allows another router to obtain an IP address directly from Verizon. Other users have documented these steps in publications such as DSL Reports.

Login to the G1100 from a computer which is directly connected to one of the G1100’s LAN ports.
Select Wireless Settings→ Basic Security Settings, and turn off 2.4 Ghz and 5 GHz wireless. Click Apply.
Select Wireless Settings→Advanced Security Settings, and disable 2.4 GHz and 5 GHz SSID broadcasting.
Select Firewall, and set Minimum Security for both IPv4 and IPv6. Click Apply.
Select My Network→Network Connections→ Advanced. Disable the listed access points, and click Apply.
Note the listed broadband connection. Select it, along with Settings, and uncheck Internet Connection Firewall. Set Internet Protocol to No IP Address. Click Apply. At this point, you will loose you connection to the Internet through the G1100.
Click Release and then Apply.
Select My Network→Network Connections→Network (Home/Office). Change the G1100’s IP address to 192.168.1.2 so as not to conflict with the replacement router. Under the bridge section, check Broadband Connection (Ethernet/Coax) and uncheck both wireless APs. Change IP Address Distribution to Disabled.
Click Apply. The G1100 is now in bridge mode, so it will no longer obtain an IP address. Connect your replacement router to one of the G1100’s LAN ports. From this point forward, you can interact with the G1100 by connecting a computer to its WAN port and manually assigning the computer an IP address on the 192.168.1.0/24 network.

firewalld

Thu, 12 Mar 2020 09:02:58 -0400

Commands that make use of --permanent will not take effect until firewalld restarts.

List the known zones:

firewall-cmd --get-zones

View information about the active zones:

firewall-cmd --get-active-zones

Add an interface to the DMZ zone:

firewall-cmd --permanent --zone=dmz --change-interface=interface
In /etc/sysconfig/network-scripts/ifcfg-interface, set ZONE=dmz

List the services known by firewalld—known service definitions exist in /usr/lib/firewalld/services/:

firewall-cmd --get-services

Describe the service named https:

firewall-cmd --info-service https

List the services permitted within within the zone named public:

firewall-cmd --zone=public --list-all

Permit the https service on the interfaces in the dmz zone:

firewall-cmd --permanent --zone=dmz --add-service=https

and:

firewall-cmd --zone=dmz --add-service=https

Define a new service, based on Wazuh:

* `firewall-cmd --permanent --new-service=wazuh` * `firewall-cmd --permanent --service=wazuh --set-description="Wazuh agent communication"` * `firewall-cmd --permanent --service=wazuh --set-short="Wazuh"` * `firewall-cmd --permanent --service=wazuh --add-port=1514/tcp` * `firewall-cmd --permanent --service=wazuh --add-port=1515/tcp` * `firewall-cmd --permanent --zone=public --add-service=wazuh`

Log rejections:

firewall-cmd --set-log-denied=all

flyn_docs

Thu, 12 Mar 2020 09:02:58 -0400

Flyn_docs is a set of files which may be used to create letterhead, envelopes, etc. related to Flyn Computing.

fmt-ptrn

Thu, 12 Mar 2020 09:02:58 -0400

Overview

New is a template system, especially useful in conjunction with a simple text editor such as vi. The user maintains templates which may contain format strings. At run time, nf replaces the format strings in a template with appropriate values to create a new file.

For example, given the following template:

//   FILE: %%(FILE)
// AUTHOR: %%(FULLNAME)
//   DATE: %%(DATE)

// Copyright (C) 1999 %%(FULLNAME) %%(EMAIL)
// All rights reserved.

nf will create:

//   FILE: foo.cpp
// AUTHOR: W. Michael Petullo
//   DATE: 11 September 1999

// Copyright (C) 1999 W. Michael Petullo new@flyn.org
// All rights reserved.

on my computer.

The program understands plaintext or gziped template files.

The fmt-ptrn system also provides a shared library which allows a programmer access to nf's functionality. The system was developed to be light and fast. Its only external dependencies are the C library, glib2 and zlib.

Nasty Details

Nf first looks for templates in ~/.fmt-ptrn/templates. Second, nf looks for templates in <datadir>/fmt-ptrn/template, where datadir is defined by autoconf. This directory is usually /usr/local/share or /usr/share.

The templates directory contains several subdirectories matching filename extensions. This may include directories such as html, cpp, c, and tex. Within each subdirectory are the actual template files. The template file named default is the default template used for the filename extension. Other templates can be used by specifying their filename to nf on the command line (see NF(1)).

Certain types of files generally don't have extensions. In this case, nf looks for a template directory with the same name as the file being created. This is useful when using templates to create files with names such as Makefile and README.

When filling a format pattern, nf knows the value for the following format patterns:

DATE: Today's date.
FILE: The name of the file being created.
FULLNAME: The user's full name (from GECOS field).
FIRSTNAME: The user's first name (from GECOS field).
MIDDLENAME: The user's middle name (from GECOS field).
LASTNAME: The user's last name (from GECOS field).
EMPTY_STR: The empty string.

In addition, any environment variable can be used as a format pattern. An alternate string to be used in the case of an environment variable being undefined can be specified as follows:

%(UNDEFINED:foo)

This will be replaced with ”foo” in the created file if UNDEFINED is not a part of one's environment.

The alternative may be a format pattern, too. If FIRSTNAME is defined a Mike, the following:

%(UNDEFINED:%(before="My name is " FIRSTNAME))

will print “My name is Mike.”

A format pattern can also be acted on by a modifier. The following will print the value of FOO in capital letters:

%(upper FOO)

It makes sense to use some modifiers with a literal, instead of a key which will be replaced by a value. For example:

%(file FOO)

will insert the text contained in a the file whose path is the value of the key FOO. But:

%(file "foo")

will insert the contents of the file named foo.

The following modifiers are currently available:

upper: Convert to upper case.
lower: Convert to lower case.
basename: Convert to the basename of a filename.
before="str": Append the string str before.
after="str": Append the string str after.
fn: Tag a " ()" on the end.
c_delim: Print enveloped in a C style deliminator, ie: /* == foo == */.
cpp_delim: Print enveloped in a C++ style deliminator, ie: // == foo.
sh_delim: Print enveloped in a shell script style deliminator, ie: # == foo.
tex_delim: Print eveloped in a LaTeX style deliminator, ie: % == foo.
newlines: Replaces occurrences of " " in the string with new lines
no_newlines: Replaces occurrences of "\n" in the string with ' '
remove_underscore: Replaces occurrences of '_' in the string with '-'
file: Treats the key as the path to a file, which is included
template: Treats the key as the path to a template, which is filled and included
#: A comment, this will not appear in destination file %(# Comment.)

Several modifiers can act within one format string as illustrated:

%(basename upper FOO)

Modifiers use a stack to be applied. The first modifier to be applied is the one farthest to the right. The last to be applied it the one farthest to the left.

Forensic analysis

Thu, 12 Mar 2020 09:02:58 -0400

Post-compromise analysis on Red-Hat-like operating systems

This describes some useful techniques for performing a post-compromise forensic analysis of a Red-Hat-like operating system, such as Red Hat Enterprise Linux, CentOS, and Fedora. While these instructions are RPM-centric, similar techniques could apply elsewhere, for example by replacing rpm with dpkg and yum with apt. We assume that you have an image of the compromised host’s disk partition (or partitions) which we refer to here as /evidence/partition.img. Where a whole disk is required, we use the name /evidence/disk.img. (See below for how to manipulate a partition within a whole-disk image and how to deal with Linux Volume Management.) We further assume that the compromised host was protected by neither a trusted boot process, nor a file integrity tool such as Tripwire, nor an encrypted disk. Such protections would only make this task easier.

Partition carving and Linux Volume Management

Given a whole-disk image, you can mount a single partition by first identifying where the partition begins with parted and then providing this byte offset to the mount command. The following example assumes a 512-byte sector size while mounting partition one:

$ parted /evidence/disk.img unit s print
WARNING: You are not superuser.  Watch out for permissions.
Model:  (file)
Disk /evidence/disk.img: 62914560s
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags: 

Number  Start     End        Size       Type     File system  Flags
 1      2048s     1026047s   1024000s   primary  xfs          boot
 2      1026048s  62914559s  61888512s  primary               lvm

$ sudo mount -o offset=$((2048*512)) /evidence/disk.img /mnt/

In the above example, the second partition is dedicated to LVM. You can mount partitions subject to LVM in this way:

$ sudo kpartx -va /evidence/disk.img
add map loop1p1 (253:4): 0 1024000 linear /dev/loop1 2048
add map loop1p2 (253:5): 0 61888512 linear /dev/loop1 1026048
$ ls /dev/mapper/
centos-root  loop1p1
centos-swap  loop1p2
control
$ sudo mount /dev/mapper/centos-root /mnt

Analysis setup

First, you will mount /evidence/partition.img into the filesystem of a trustworthy (i.e., likely uncompromised) computer. It would not hurt to isolate this computer from the rest of your network, but it is very important that you not immediately directly boot /evidence/partition.img. (Some analysis will require that you boot partition.img; you will need to decide when to do so in order to perform tests like netstat checks.)

mount /evidence/partition.img /mnt

It is possible that you will start with a disk image which is in some virtualization-platform format. If this is the case, then you can use qemu-img to convert it to a raw disk image. For an example of a disk-image-format conversion, see our notes on virtualization.

Weak RPM verification

The following will check the integrity of the files which were installed on /evidence/partition.img (mounted at /mnt) from RPM packages. However, this check relies on the integrity of the (possibly compromised) RPM database on /evidence/partition.img, and so the results here cannot be fully trusted. Despite this step’s flaws, it might turn up something of interest, especially if the attacker was careless.

sudo rpm --root /mnt --verify -a | grep "\(^[^.]\)\|^.[^.]\|^..[^.]\|^...[^.]\|^....[^.]\|^.....[^.]\|^......[^.]\|^.......[^.T]\|^........[^.]"

The rpm manpage documents the details of the output from this command. In summary, it indicates which files have changed since being installed from an RPM package. The use of grep prints only the files RPM thinks are modified other than mere mtime changes.

Trustworthy RPM verification

Here we describe how to check the integrity of a program named foo which we assume to have been installed using the package foo-version.rpm. You can identify version by running sudo rpm --root /mnt -q foo. Let us first install a trustworthy copy of foo on our trustworthy host:

sudo yum --releasever=/ --installroot=/tmp/scratch install foo-version

You will likely find that yum installs a number of dependencies for foo. This can cause trouble, because we are about to compare files on the compromised host with the files we download here. Rather than allow yum to install the latest versions of dependencies, you ought to install the same version which is present on the compromised host. Note the dependencies, identify the proper versions using rpm ... -q ..., and explicitly add these dependencies to the yum command line. You should write a script to perform these steps.

Once you have installed a trustworthy copy of the software which exists on the compromised host, you can start comparing files. This is a matter of running

md5sum /mnt/path/to/file

and

md5sum /scratch/path/to/file

and comparing the hashes. Again, you should write a script to automate these steps.

Considering the nature of dynamically-linked programs

Does a proper hash of /usr/bin/foo mean that foo is not compromised? No! Modern systems employ shared libraries, which a dynamic linker combines with program code at runtime. To illustrate this, run the following command to display the shared libraries that foo makes use of:

ldd /usr/bin/foo

If you run this command, then you should see that foo makes use of a number of shared libraries. You must check the integrity of each of these in addition to foo itself. Some programs are instead statically linked (i.e., all of their code is present in a single executable file). The file command will report whether a given executable is dynamically or statically linked.

Some environment variables influence from where the dynamic linker will load shared libraries. These include LD_LIBRARY_PATH and LD_PRELOAD. An attacker could set these variables to cause the linker to load a library from an unexpected location. Likewise, the dynamic linker honors a number of configuration files, including /etc/ld.so.conf and /etc/ld.so.preload.

Particularly dangerous programs

Setuid-bit programs run with the privileges of the owner of the program's file within the filesystem instead of the parent process. This mechanism is often used to temporarily escalate privileges, and so compromised setuid-bit programs are particularly dangerous. You can list the setuid-bit programs on the compromised system by running the following command:

find /mnt -perm -4000 -type f

A second set of commands which are dangerous are those that listen on a network socket. If they are compromised, then they might give a remote attacker access to the computer. To view the programs which are listening on (or are connected via) UNIX-domain, TCP, and UDP sockets, run:

netstat -ap

It is wise to compare these setuid and network-facing programs to the list of files modified since being installed by RPM.

Even more dangerous is a compromised kernel or bootloader, which we describe next.

The boot process

Modern PC hardware first executes a bootloader either from a master-boot record or—on capable firmware—from a particular file within a filesystem. In either case, the bootloader could be compromised. To investigate the 512-byte master-boot record, copy it to /scratch using:

dd bs=1 count=512 if=/evidence/disk.img of=/scratch/mbr

Other documentation describes the structure of the master-boot record.

The GRUB 2 bootloader places a stage-one bootloader, boot.img, within the master-boot record. This stage-one loader loads a stage-1.5 loader, core.img, which exists between the master-boot record and the first disk partition. The stage 1.5 loader also maintains a configuration file and a number of loadable modules which perform various tasks such as parsing various filesystem layouts. GRUB 2's first interaction with a filesystem takes place while executing its stage-two loader which finally loads the OS kernel. The stage-two loader is generally found in the /boot directory, and its configuration exists at /boot/grub2/config AKA /etc/grub2.cfg.

Checking GRUB 2 requires inspecting the stage-one, stage-1.5, and stage-two loaders as well as the related configuration files and loadable modules.

Instead of verifying each of GRUB 2's installed files, you can merely overwrite them with trustworthy copies. Updating a GRUB 2 installation is a matter of running as root:

grub2-mkconfig > /boot/grub2/grub.cfg
grub2-install /dev/sda

Kernels exist in /boot, and are named vmlinuz-version. Each kernel can load dynamic modules into its address space, and these modules exist in /lib/modules.

Checking a kernel is a matter of checking the kernel itself, as well as each of its loadable modules. While you can use the lsmod to review the currently loaded kernel modules, it is likely that lsmod is compromised.

The files /etc/passwd, /etc/shadow, and /etc/group define standard UNIX accounts and groups. However, many programs perform authentication using Pluggable Authentication Modules (PAM) which provide many other authentication techniques. Such techniques include Kerberos, NIS, and so on. The PAM modules each PAM-capable program uses to authenticate are defined using configuration files in /etc/pam.d. Thus checking for proper authentication involves:

Checking the integrity of each authenticating program
Checking the PAM configuration of each authenticating program
Checking the accounts themselves (e.g., expected accounts with strong passwords)

Graphical login authentication is generally performed using a display manager such as gdm, and text logins usually use agetty which spawns login.

Access controls

Access controls constrain programs. On UNIX, OS objects—such as files—bear permissions. For example, ls -l /path/to/file will display the permissions (along with other information) for the file at /path/to/file. An attacker might perturb these permissions to make returning to the compromised computer easier in the future. Thus it is wise to check the permissions of installed files in a manner similar to how you checked the integrity of the files themselves.

Permissions on block and 8char device nodes* are particularly troublesome. For example, if a block device which corresponds to a disk has permissive access controls, then an attacker could use this block device to undermine the access controls within the filesystem contained therein. To enumerate all of the device nodes on the compromised host, run

find /mnt -type b -o -type c

Other forms of access controls provide stronger or more expressive protections. For example, a filesystem’s access-control lists can be displayed using getfacl /path/to/file. SELinux policy source and binary files exist in /etc/selinux/, and SELinux can be activated/deactivated by editing /etc/sysconfig/selinux.

Checklist

Verify kernel, kernel modules, and GRUB 2 (do not forget to look for extra kernel modules)
Verify setuid programs and their shared libraries
Verify programs and their shared libraries
Verify permissions (especially device nodes)
Verify SELinux policy
Review PAM configurations
Review accounts
Review boot services
Review cron and at jobs

gamecon-2.4.19-modinc

Thu, 12 Mar 2020 09:02:58 -0400

gamecon-2.4.19-modinc

A patch for the Linux kernel's gamecon joystick driver that causes the driver to manage its usage count correctly.

gdm-2.4.4.5-pam_mount

Thu, 12 Mar 2020 09:02:58 -0400

gdm-2.4.4.5-pam_mount

A patch for gdm that ensures the X server is reset (and all X programs exit) before calling pam_session_close. This is required if a PAM module like pam_mount is to unmount a user's home directory upon logging out because programs like xscreensaver will block an unmount with open file descriptors.

ghostscript-7.07-glib2

Thu, 12 Mar 2020 09:02:58 -0400

ghostscript-7.07-gtk2 ghostscript-7.07-omni-glib2 ghostscript.spec-glib2

Three patches that cause Red Hat's ghostscript 7.07 packages to build against glib2.

gitstats

Thu, 12 Mar 2020 09:02:58 -0400

Gitstats collects statistics about the activity surrounding Git repositories.

The gitstats project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/gitstats

gnome-keyring-0.4.3-command-line

Thu, 12 Mar 2020 09:02:58 -0400

gnome-keyring-0.4.3-command-line

A patch for gnome-keyring that adds command line utilities to manipulate keyrings.

gnome-session-2.4.0-gconfd-shutdown

Thu, 12 Mar 2020 09:02:58 -0400

gnome-session-2.4.0-gconfd-shutdown

A patch for gnome-session that ensures gconfd-2 quits when a user logs out.

gnome-session-2.6.1-pam-keyring

Thu, 12 Mar 2020 09:02:58 -0400

gnome-session-2.4.0-gconfd-shutdown

A patch for gnome-session that ensures gnome-keyring-daemon is not executed if it is already running.

gnome-volume-manager-1.5.7-luks

Thu, 12 Mar 2020 09:02:58 -0400

gnome-volume-manager-1.5.7-luks

A patch for gnome-volume-manager that adds LUKS encrypted volume support.

Golem

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Golem, a multi-function server. Golem runs on commodity router hardware and provides a number of features:

SSH access
a media service compatible with iTunes
a file share
an LDAP and Kerberos service
a network proxy
a NetFlow collector

We build Golem on top of OpenWrt because of the distribution’s simplicity and small size. Golem is made up of roughly 120 packages, and its programs and configurations take up less than 50 MB of storage space. Here we assume that Golem will run within the confines of a Xen hypervisor.

Establish the Golem VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Golem:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/golem-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/golem-data.qcow.
Write the following at /etc/xen/vm-golem.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "golem"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [
  "tap2:tapdisk:aio:/var/lib/xen/images/golem-lede-17.01.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/golem-data.qcow,xvdb,w"
          ]
serial  = "pty"

Software installation

Perform the following steps on Golem:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
	luci \
        luci-app-firewall \
        luci-base \
        luci-lib-ip \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
	block-mount \
	ca-certificates \
	dmapd \
	freifunk-watchdog \
	gst1-mod-app \
	gst1-mod-audioconvert \
	gst1-mod-audioparsers \
	gst1-mod-flac \
	gst1-mod-gio \
	gst1-mod-id3demux \
	gst1-mod-lame \
	gst1-mod-mpeg2dec \
	gst1-mod-mpg123 \
	gst1-mod-ogg \
	gst1-mod-playback \
	gst1-mod-theora \
	gst1-mod-typefindfunctions \
	gst1-mod-vorbis \
	krb5-server \
	nfdump \
	nfs-kernel-server \
	openldap-server \
	rsync \
	syslog-ng \
	tinyproxy \
	zoneinfo-core \
	zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring Kerberos authentication

/etc/krb5.conf (replace EXAMPLE.COM):

[libdefaults]
	default_realm = EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = false
	ticket_lifetime = 24h
	forwardable = yes

[realms]
	EXAMPLE.COM = {
		kdc = localhost:88
		admin_server = localhost:749
		default_domain = local
	}

[domain_realm]
	.local = EXAMPLE.COM
	local = EXAMPLE.COM

Add Kerberos principals by running kadmin.local and then add_principal user for each user.

Configuring LDAP network information

/etc/openldap/example.com.cert: Place your certificate in /etc/openldap/example.com.cert.
/etc/openldap/example.com.key: Place your private key in /etc/openldap/example.com.key.
/etc/openldap/ca.cert: Place your CA certificate in /etc/openldap/ca.cert.
/etc/openldap/slapd.conf (replace PASSWORD and example.com):

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/autofs.schema
include         /etc/openldap/schema/sudoers.schema

allow bind_v2

TLSCACertificateFile /etc/openldap/ca.cert
TLSCertificateFile /etc/openldap/example.com.cert
TLSCertificateKeyFile /etc/openldap/example.com.key

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

database        ldif
directory	/etc/openldap/db
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          PASSWORD

/etc/openldap/schema/sudoers.schema:

attributetype ( 1.3.6.1.4.1.15953.9.1.1
	NAME 'sudoUser'
	DESC 'User(s) who may  run sudo'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.2
	NAME 'sudoHost'
	DESC 'Host(s) who may run sudo'
	EQUALITY caseExactIA5Match
	SUBSTR caseExactIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.3
	NAME 'sudoCommand'
	DESC 'Command(s) to be executed by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.4
	NAME 'sudoRunAs'
	DESC 'User(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.5
	NAME 'sudoOption'
	DESC 'Options(s) followed by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.6
	NAME 'sudoRunAsUser'
	DESC 'User(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.7
	NAME 'sudoRunAsGroup'
	DESC 'Group(s) impersonated by sudo'
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.15953.9.1.8
	NAME 'sudoNotBefore'
	DESC 'Start of time interval for which the entry is valid'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributetype ( 1.3.6.1.4.1.15953.9.1.9
	NAME 'sudoNotAfter'
	DESC 'End of time interval for which the entry is valid'
	EQUALITY generalizedTimeMatch
	ORDERING generalizedTimeOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
	NAME 'sudoOrder'
	DESC 'an integer to order the sudoRole entries'
	EQUALITY integerMatch
	ORDERING integerOrderingMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
	DESC 'Sudoer Entries'
	MUST ( cn )
	MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
		sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
		sudoOrder $ description )
	)

From a computer with ldapadd on golem’s network, execute ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f accounts.ldif, where accounts.ldif contains records like (replace example, com, user, and Some User):

dn: dc=example,dc=com
objectClass: organization
objectClass: dcObject
o: Example Organization
dc: example

dn: automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_master

dn: automountMapName=auto_root,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto_root

dn: automountKey=/-,automountMapName=auto_master,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /-
automountInformation: auto_root

dn: automountKey=/home,automountMapName=auto_root,dc=example,dc=com
objectClass: top
objectClass: automount
automountKey: /home
automountInformation: golem.example.com:/home/

dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

dn: cn=ldapusers,ou=group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapusers
userPassword:: WFhYWA==
gidNumber: 1002

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=user,ou=people,dc=example,dc=com
uid: user
cn: Some User 
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword:: WFhYWA==
loginShell: /bin/bash
uidNumber: 1102
gidNumber: 1002
homeDirectory: /home/user
gecos: Some User

dn: ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=user,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: user
sudoUser: user
sudoHost: ALL
sudoCommand: ALL

Configuring the dmapd media server

/etc/dmapd.conf:

[General]
Database-Dir=/mnt/sda1/var/dmapd

[Music]
Type=DAAP
Dirs=/mnt/sda1/Storage/Music/
Transcode-Mimetype=audio/mp3

[Picture]
Type=DPAP
Dirs=/mnt/sda1/Storage/Pictures/

Configuring NFS

/etc/exports:

/mnt/sda1 *(fsid=root,rw,insecure,no_subtree_check,async)
/mnt/sda1/Storage *(rw,insecure,no_subtree_check,async)
/mnt/sda1/home *(rw,insecure,no_subtree_check,async)

Configuring Tinyproxy

/etc/tinyproxy-filter.conf: List the websites that you want tinyproxy to allow access to, one per line (e.g., www.example.com).

Configure the firewall

/etc/config/firewall:

config defaults
        option drop_invalid 1
        option input ACCEPT
        option output ACCEPT
        option forward ACCEPT

config zone
        option name lan
        option network lan
        option input ACCEPT
        option output ACCEPT
        option forward DROP

Configure basic system settings

/etc/config/fstab:

config global automount
	option from_fstab 1
	option anon_mount 1

config global autoswap
	option from_fstab 1
	option anon_swap  1

/etc/config/nfs:

config nfs nfs
	option minversion '4'

/etc/config/system:

config system
	option hostname	golem.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/tinyproxy:

config tinyproxy

option enable 1
option User nobody
option Group nogroup
option Port 8080
option Timeout 600
option SysLog 1
option LogLevel Info
option MaxClients 100
option MinSpareServers 1
option MaxSpareServers 3
option StartServers 1
option MaxRequestsPerChild 0
option ViaProxyName "tinyproxy"
option Filter "/etc/tinyproxy-filter.conf"
option FilterDefaultDeny 1

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
        option process crond
        option initscript '/etc/init.d/cron'
	
config process
	option process dmapd
	option initscript /etc/init.d/dmapd	

config process
	option process krb5kdc
	option initscript /etc/init.d/krb5kdc
	
config process
	option process slapd
	option initscript /etc/init.d/ldap

/etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

/etc/config/nfcapd:

config nfcapd nfcapd
	option enabled 1
	option port 9995
	option logdir /mnt/sda1/var/log/netflow

gpdf-20031030-highlights

Thu, 12 Mar 2020 09:02:58 -0400

gpdf-20031022-highlights gpdf-20031022-tools

Patches that add the ability to add highlights to a PDF file using gpdf.

grilo-dmap

Thu, 12 Mar 2020 09:02:58 -0400

grilo-dmap

A patch for Grilo that adds support for the DMAP family of protocols.

Growing a filesystem

Thu, 12 Mar 2020 09:02:58 -0400

Growing a Linux filesystem requires the manipulation of each level of abstraction involved from filesystem to disk partition. Here we assume that the disk is a virtual disk image and that the following things must be resized: the virtual disk image, the partition, the LVM volume group, the LVM logical volume, and the filesystem. Other scenarios will require similar procedures. We assume that you want to increase the size of a filesystem within the disk image named disk.img by 16 GB.

First, shut down the virtual machine which contains the disk you want to grow. Next, increase the size of the disk image:

dd if=/dev/zero bs=1G count=16 >> disk.img

You should complete the next steps from within the virtual machine. However, if you are resizing the root filesystem, then you will need to boot the virtual machine using some form of bootable external media. In any case, these instructions assume that the disk you resize is not mounted. Here we assume the disk is known as /dev/sda, that you want to resize partition 2, that the LVM logical volume you wish to resize is known as /dev/mapper/centos-root, and that all of this hosts an XFS filesystem.

Run fdisk /dev/sda to delete and recreate partition 2. Use d to delete, and n to create. When recreating partition 2, use the same start block, but use the new end block.
Run kpartx -va /dev/sda to scan the disk’s LVM logical volumes.
Run pvresize /dev/sda2 to cause LVM to use all of /dev/sda2’s new size.
Run pvdisplay to confirm the change.
Run lvextend -L+16GB /dev/mapper/centos-root to extend the logical volume to span the new disk size.
Resize the filesystem using xfs_growfs /.

grub-1.96-20080813-dmi

Thu, 12 Mar 2020 09:02:58 -0400

grub-1.96-20080813-dmi.patch.gz cryptsetup-1.0.5-dmi-v2.patch.gz

Patches for grub and cryptsetup that add the ability to read an encryption key from an SMBIOS record. The grub modification is dependent on Michael Gorven's encryption patch. Gustavo Duarte wrote some great documentation on the Intel Architecture boot process that I used while writing this patch. Documentation covering the SMBIOS records may be found here.

GSnes9x-3.12-joystick

Thu, 12 Mar 2020 09:02:58 -0400

GSnes9x-3.12-joystick

A patch for GNOME Snes9x which adds three useful features. First, support for configurable joystick device names is added. This makes it easiy to use GSnes9x on a system which manages its devices using devfs. Second, the patch causes GSnes9x to honor the standard –geometry option. Finally, the patch allows the basic controlling of GSnes9x with a joystick device.

gst-plugins-0.7.5-movext

Thu, 12 Mar 2020 09:02:58 -0400

gst-plugins-0.7.5-movext.patch.gz

Patch that helps gst-launch-ext create pipelines to play QuickTime files.

GStreamer

Thu, 12 Mar 2020 09:02:58 -0400

Adjust the system volume (e.g., bind these to the volume-control keys on a keyboard):

amixer set Master 5%+ unmute; ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga
amixer set Master 5%- unmute; ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga
amixer set Master toggle;     ogg123 /usr/share/sounds/freedesktop/stereo/bell.oga

Record audio:

arecord -f S16_LE -c 2 output.wav

Manipulate PulseAudio:

PULSE_RUNTIME_PATH=/var/run/user/UID/pulse pacmd ...

Get the title of a DVD:

dvdbackup -i /dev/cdrom -I | head -n 1 | awk -F \" '{ print $2 }'

Backup a DVD to an image file:

readom dev=/dev/cdrom f=output.iso

Alternatively:

dvdbackup -i /dev/cdrom -M
genisoimage -dvd-video -o output.iso /path/to/dvd/folder

Gst-launch examples

Transcode to WebM/VP8/Vorbis and scale to 1280×720 (this format is often used with HTML5):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	webmmux name=mux ! filesink location=output.webm \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! vp8enc ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! vorbisenc ! mux.

Transcode to QuickTime/H.264 and scale to 1280×720 (this format is often used with HTML5, and it is—with the `profile=high` setting—suitable for Firefox and iOS/Safari):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	qtmux name=mux ! filesink location=output.mov \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! x264enc ! \
                   video/x-h264,profile=high ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! avenc_aac ! mux.

Transcode to Ogg/Theora/Vorbis and scale to 1280×720 (this format is sometimes used with HTML5 on open-source browsers):

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	oggmux name=mux ! filesink location=output.ogg \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! theoraenc ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! vorbisenc ! mux.

Transcode to MPEG2 and scale to 1280×720:

gst-launch-1.0 filesrc location=input.mts ! decodebin name=decoder \
	avmux_mpeg name=mux ! filesink location=output.mpg \
	decoder. ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! avenc_mpeg2video ! mux. \
	decoder. ! progressreport ! audioconvert ! audiorate ! lamemp3enc ! mux.

Transcode title two from a DVD to the QuickTime format above:

gst-launch-1.0 dvdreadsrc title="2" device=/dev/cdrom ! decodebin name="decoder" \
        qtmux name=mux ! filesink location=output.mov \
        decoder. ! videoscale ! video/x-raw,width=720,height=480 ! videoconvert ! x264enc ! mux. \
        decoder. ! progressreport ! audioconvert ! audiorate ! avenc_aac ! mux.

Build a stop-motion video out of a series of images (the first command normalizes the images names—otherwise, there might be a missing number):

i=0; for f in *.JPG; do mv $f $i.JPG; i=$((i+1)); done
gst-launch-1.0 multifilesrc location=%d.JPG caps=“image/jpeg,framerate=(fraction)4/1” 

! jpegdec ! videoscale ! video/x-raw,width=1280,height=720 ! videoconvert ! videorate ! theoraenc 

! oggmux ! filesink location=output.ogg

Combine two videos to produce a blue/green-screen effect (here we specify the RGB values of the mask):

gst-launch-1.0 compositor name=mixer ! videoconvert ! xvimagesink \
	filesrc location=background.mts ! decodebin ! alpha ! mixer.sink_0 \
	filesrc location=foreground.mts ! decodebin \
	! alpha method=custom target-r=182 target-g=168 target-b=148 ! mixer.sink_1

Determine the plugin graph produced by playbin:

GST_DEBUG_DUMP_DOT_DIR=/tmp/ gst-launch-1.0 playbin uri=file:///path
dot -Tpng output.dot > graph.png

The first command will produce a number of GraphViz files which represent the pipelines produced by playbin. The most interesting of these is often the one that contains the string READY_PAUSED. The second command produces an image file which represents one of the pipelines.

gstreamer-cinepak

Thu, 12 Mar 2020 09:02:58 -0400

gst-ffmpeg-0.7.1-cinepak.patch.gz gst-plugins-0.7.5-cinepak.patch.gz

Patches that enable FFmpeg's cinepak support in GStreamer.

Guardian

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Guardian, a switch, router, and firewall. Guardian runs on commodity router hardware and provides a number of features, including:

a wireless access point,
a switch comprised of a number of Gigabit Ethernet ports,
a firewall and NAT translator, and
a print service.

Guardian is made up of the following hardware components:

a Microtik RouterBoard 493G,
a Microtik RouterBoard R52n-M miniPCI wireless adapter,
a Microtik 5V USB power injector,
a RouterBoard 493G case with interior USB extension cable,
two whip antennas,
a Belkin USB-to-RS-232 adapter,
an RS-232 cable,
a null-modem adapter,
a GFP121U-0520 GME switching AC/DC power adapter, and
a USB printer.

I purchased my hardware from Baltic Networks.

Selecting the software for a Guardian image

This section describes how to gather and select the OpenWrt source code which makes up Guardian.

Obtain the OpenWrt source tree using git clone https://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.
Activate the necessary packages using:

./scripts/feeds install ca-certificates \
                        ddns-scripts \
                        freifunk-watchdog \
                        libustream-openssl \
                        openvpn \
                        p910nd \
                        rsync \
                        wget \
                        zoneinfo-core \
                        zoneinfo-northamerica

Run make menuconfig and select:

Target System: Atheros ATH79 (DTS)
Subtarget: Mikrotik devices
Target Profile: MikroTik RouterBoard 493G
Target Images: ramdisk then tar.gz (Note that you need to build twice for the RB493G: (1) for a TFTP image and (2) for an installable rootfs image.)
Base system:
- ca-certificates
- Kernel Modules:
  - Netfilter Extensions: kmod-ipt-tee
  - Other modules: kmod-softdog
  - USB Support:
    - kmod-usb-ohci
    - kmod-usb-printer
    - kmod-usb2
  - Wireless Drivers: kmod-ath9k
LuCI: Freifunk: freifunk-watchdog
Network:
- File Transfer:
  - rsync
  - wget
- Firewall: iptables-mod-tee
- IP Addresses and Names:
  - ddns-scripts
  - ddns-scripts_no-ip.com
- Printing: p910nd
- VPN:
  - openvpn-openssl
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configuring the network interfaces

Aside from the standard loopback device, Guardian provides for four networks:

a private LAN for workstations and internal servers (192.168.1.128/25),
a public LAN for Internet-facing servers (192.168.1.0/25),
a WAN (DHCP-assigned), and
a network for use with OpenVPN (192.168.2.0/24).

Guardian splits its switch ports between the private and public LANs. Guardian also provides WiFi connectivity to its private and public LANs.

/etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config switch
	option name switch0
	option enable 1
	option reset 1
	option enable_vlan 1

config switch
	option name switch1
	option enable 1
	option reset 1
	option enable_vlan 1

# Private:
config switch_vlan
	option device switch0
	option vlan 0
	option vid 100
	# 0: CPU, 1--4: phy. ports, 5 unused.
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 1 2 3 4"

config interface privlan
	option ifname 'eth0.100 tap0' # Bridge in OpenVPN tap device.
	option type bridge
	option proto static
	option ipaddr 192.168.1.129
	option netmask 255.255.255.128

# Public:
config switch_vlan
	option device switch1
	option vlan 1
	option vid 200
	# 0: CPU, 1--4: phy. ports, 5 below.
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 1 2 3 4"

config interface publan
	option ifname eth1.200
	option type bridge
	option proto static
	option ipaddr 192.168.1.1
	option netmask 255.255.255.128

# WAN:
config switch_vlan
	option device switch1
	option vlan 2
	option vid 300
	# t indicates packets sent will be VLAN tagged; rec'd must match tag. 
	option ports "0t 5"

config interface wan
	option ifname eth1.300
	option proto dhcp
	# Use OpenDNS (not ISP DNS) for content filter.                              
	option dns  "208.67.222.123 208.67.220.123"                                  
	option peerdns 0 

# OpenVPN:
config interface vpn
	option ifname tun0
	option proto none

/etc/config/wireless (replace PCIPATH, ExampleCom, ExampleComGuest, KEY1, and KEY2):

config wifi-device radio0
	option type     mac80211
	option country	US
	option channel  11
	option hwmode   11ng
	option htmode   HT20
	option path     PCIPATH
	list ht_capab   SHORT-GI-40
	list ht_capab   TX-STBC
	list ht_capab   RX-STBC1
	list ht_capab   DSSS_CCK-40

config wifi-iface                  
	option device   radio0     
	option network  privlan    
	option mode     ap         
	option ssid     ExampleCom
	option encryption psk2       
	option key      KEY1

config wifi-iface                                                               
	option device   radio0                                                  
	option network  publan                                                  
	option mode     ap                                                      
	option ssid     ExampleComGuest
	option encryption psk2                                                  
	option key      KEY2

Configuring the firewall

Guardian’s firewall drops most incoming traffic destined for its private and OpenVPN LANs. Guardian also blocks outgoing DNS queries from its LANs which are destined to servers other than Guardian. Aside from this, Guardian allows:

connections from the private LAN to Guardian,
connections from the OpenVPN LAN to Guardian,
DHCP and DNS requests from the public LAN to Guardian,
and OpenVPN connections from anywhere to Guardian.

Guardian allows LDAPS and Kerberos traffic to flow from the public LAN to the private LAN because it assumes that the network’s authentication services exist on the private LAN.

Guardian redirects connections for the following services from the WAN to 192.168.1.5 on the public LAN:

SSH,
HTTP,
HTTPS,
SMTP,
XMPP client-to-server connections, and
XMPP server-to-server connections.

Guardian also provides a copy of all packets to 192.168.1.8 for analysis.

/etc/config/firewall:

config include
	option path /etc/firewall.user

config defaults
	option drop_invalid 1
	option input DROP
	option output DROP
	option forward DROP

# WAN: NAT, drop incoming; accept outgoing; drop forward.
config zone
	option name wan
	option network wan
	option input DROP
	option output ACCEPT
	option forward DROP
	option masq 1

# Private LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name privlan
	option network privlan
	option input DROP
	option output ACCEPT
	option forward REJECT

# Public (guest) LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name publan
	option network publan
	option input DROP
	option output ACCEPT
	option forward REJECT

# OpenVPN LAN: drop incoming; accept outgoing; reject forward.
config zone
	option name vpn
	option network vpn
	option input DROP
	option output ACCEPT
	option forward REJECT

# Forward from private LAN to WAN.
config forwarding
	option src privlan
	option dest wan

# Forward from public LAN to WAN.
config forwarding
	option src publan
	option dest wan

# Forward from OpenVPN LAN to WAN.
config forwarding
	option src vpn
	option dest wan

# Forward from private LAN to public LAN.
config forwarding
	option src privlan
	option dest publan

# Forward from OpenVPN LAN to public LAN.
config forwarding
	option src vpn
	option dest publan

# Forward from OpenVPN LAN to private LAN.
config forwarding
	option src vpn
	option dest privlan

# Forward from private LAN to OpenVPN LAN.
config forwarding
	option src privlan
	option dest vpn

# Forbid DNS requests to outside servers unless from router.
config rule
	option target REJECT
	option src *
	option dest wan
	option dest_port 53
	option proto tcpudp

# Allow DNS requests from public LAN.
config rule
	option target ACCEPT
	option src publan
	option dest_port 53
	option proto tcpudp

# Allow ALL connections from private LAN to router.
config rule
	option target ACCEPT
	option src privlan
	option proto all

# Allow ALL connections from OpenVPN LAN to router.
config rule
	option target ACCEPT
	option src vpn
	option proto all

# Allow OpenVPN connections from anywhere to router.
config rule
	option target ACCEPT
	option src *
	option dest_port 1194
	option proto udp

# Allow DHCP requests from public LAN to router.
config rule
	option target ACCEPT
	option src publan
	option src_port 67-68
	option dest_port 67-68
	option proto udp

# Allow LDAPS requests from public LAN to private LAN.
config rule
	option target ACCEPT
	option src publan
	option dest privlan
	option dest_port 636
	option proto tcp

# Allow Kerberos requests from public LAN to private LAN.
config rule
	option target ACCEPT
	option src publan
	option dest privlan
	option dest_port 88
	option proto tcp

# Redirect HTTP to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 80
	option dest_ip 192.168.1.5
	option dest publan

# Redirect HTTPS to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 443
	option dest_ip 192.168.1.5
	option dest publan

# Redirect SMTP to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 25
	option dest_ip 192.168.1.5
	option dest publan

# Redirect Jabber client-to-server connections to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 5222
	option dest_ip 192.168.1.5
	option dest publan

# Redirect Jabber server-to-server connections to herald.
config redirect
	option target DNAT
	option src wan
	option proto tcp
	option src_dport 5269
	option dest_ip 192.168.1.5
	option dest publan

/etc/firewall.user:

iptables -t mangle -A INPUT  ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A OUTPUT ! -d 192.168.1.8/32 -j TEE --gateway 192.168.1.8
iptables -t mangle -A FORWARD ! -d 192.168.1.8/32 ! -s 192.168.1.8/32 -j TEE --gateway 192.168.1.8

Configure OpenVPN

Guardian accepts OpenVPN connections, allowing access to its private LAN from remote workstations.

/etc/config/openvpn (replace example.com):

package openvpn

config openvpn privlan
	option enable 1
	option port 1194
	option proto udp
	option dev tun0
	option txqueuelen 1000
	option tun-mtu 1500
	option mssfix 1300
	option ca /etc/openvpn/ca.cert
	option cert /etc/openvpn/example.com.cert
	option key /etc/openvpn/example.com.key
	option dh /etc/openvpn/dh2048.pem
	option ifconfig-pool-persist /tmp/ipp.txt
	option keepalive '10 120'
	option persist-key 1
	option persist-tun 1
	option status /var/log/openvpn-status.log
	option verb 3
	option server '192.168.2.0 255.255.255.0'
	option client-to-client 1
	option tls-version-min 1.2
	option tls ECDHE-RSA-AES256-GCM-SHA384
	list push 'redirect-gateway def1'
	list push 'dhcp-option DNS 192.168.1.129'
	list push 'route 192.168.1.0   255.255.255.128'
	list push 'route 192.168.1.128 255.255.255.128'

## Configure basic system settings

1. `/etc/config/p910nd`:

config p910nd option device /dev/usb/lp0 option port 0 option bidirectional 1 option enabled 1

2. `/etc/config/system`:

config system option hostname guardian.example.com option timezone EST5EDT,M3.2.0,M11.1.0

config timeserver ntp list server 0.openwrt.pool.ntp.org list server 1.openwrt.pool.ntp.org list server 2.openwrt.pool.ntp.org list server 3.openwrt.pool.ntp.org option enabled 1 option enable_server 0

3 `/etc/config/ddns` (replace `examplecom`, `example.com`, `USERNAME`, and `PASSWORD`):

config service ’examplecom' option enabled ‘1’ option interface ‘wan’ option service_name ’no-ip.com' option lookup_host ‘www.example.com’ option domain ’example.com' option username ‘USERNAME’ option password ‘PASSWORD’ option use_https ‘1’ option cacert ‘/etc/ssl/certs’ option use_syslog ‘3’ 4. /etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
	option process crond
	option initscript '/etc/init.d/cron'
	
config process
	option process dnsmasq
	option initscript /etc/init.d/dnsmasq
	
config process
	option process p910nd
	option initscript /etc/init.d/p910nd

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

/etc/config/dhcp:

config dhcp privlan
	option interface    privlan
	option start        138 # Room for static at bottom.
	option limit        254 # Room for OpenVPN at top.
	option leasetime    24h
	# GW, DNS:
	list dhcp_option "3,192.168.1.129"
	list dhcp_option "6,192.168.1.129"

config dhcp publan
	option interface    publan
	option start        10
	option limit        126
	option leasetime    24h
	# GW, DNS:
	list dhcp_option "3,192.168.1.1"
	list dhcp_option "6,192.168.1.1"

config dnsmasq
	option leasefile   '/tmp/dhcp.leases'
	option resolvfile  '/tmp/resolv.conf.auto'
	option localise_queries 1

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option name 'host.example.com'
	option ip '192.168.1.2'
	option mac 'aa:bb:cc:dd:ee:ff'

/etc/hosts (replace examplecom):

127.0.0.1 localhost
192.168.1.1 guardian.example.com
192.168.1.5 www.example.com example.com

Build software and perform installation

Run make V=99.
Install the image you just built onto your router. The instructions here require a computer running Linux, in addition to the Guardian device.

On the Linux computer:
1. Install dhcp-server, tftp-server, minicom, mtd-utils, and mtd-utils-ubi. Configure minicom to emulate an 115,200-bps 8N1 terminal without hardware flow control and without software flow control.
2. Temporarily disable the host’s firewall (or allow incoming TFTP requests).
3. Run the tftp service with in.tftpd -v -s -p -L /var/lib/tftpboot/.
4. Place openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin in /var/lib/tftpboot.
5. Set the computer’s IP address to 192.168.1.3 using ip addr add 192.168.1.3/24 dev enp0s25. (You might have to do this repeatedly, because the Linux computer’s interface might drop its IP address when the router reboots.)
6. Configure DHCP as shown below (replace XX:XX:XX:XX:XX:XX with your router’s MAC address (likely eth1), which you can discover using the router’s firmware utility), and start the DHCP server with systemctl start dhcpd.

allow booting;
allow bootp;

subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.3;
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.1.255;
}

group {
	host routerboard {
		hardware ethernet XX:XX:XX:XX:XX:XX;
		next-server 192.168.1.3;
		fixed-address 192.168.1.2;
		filename "openwrt-ath79-mikrotik-mikrotik_routerboard-493g-initramfs-kernel.bin";
	}
}

On the router:
1. At boot menu, use e to erase the existing OS firmware.
2. Instruct the boot firmware to boot from the network (select o, e, and x). In order to boot the router over the network, it might be necessary to reset the Linux computer’s IP address (because the IP address might have been lost after the link momentarily went down). After the router boots, it might be necessary to wait while the router configures its network interfaces and generates its SSH keys; you might also need to deactivate the firewall’s router to permit SSH connections over its WAN interface.
3. After booting, run passwd to set the root password.
4. The router’s IP address should now be 192.168.1.2. Use scp to copy openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin to the router.
5. Run sysupgrade -n openwrt-ath79-mikrotik-mikrotik_routerboard-493g-squashfs-sysupgrade.bin.
6. Reboot the router, ensuring it boots from its internal flash.

Finalize the router install:

Run passwd to set the root password.
Create the OpenVPN key material using:
1. clean-all
2. build-ca
3. build-dh
4. build-key-server example.com
5. build-key client
Copy ca.cert, dh2048.pem, example.com.cert, and example.com.key to /etc/openvpn.
Copy ca.cert, dh2048.pem, client.cert, and client.key to the client’s /etc/openvpn.

Configure OpenVPN on each client host.

Place the client’s certificate, the client’s private key, and the CA certificate in /etc/openvpn.
Option 1: Configuration using NetworkManager
1. Create a new VPN connection using NetworkManager.
2. Under Advanced→TLS Authentication:
3. Set Subject Match to /CN=example.com.
4. Select Verify peer (server) certificate usage signature and set to Server.
Option 2: Direct configuration of OpenVPN
1. Copy /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up and client.down to /etc/openvpn.
2. Set the scripts’ permissions with chmod +x client.up client.down.
3. /etc/openvpn/example.conf (replace client.cert, client.key, and server.example.com):

dev tun
proto udp
verb 3
ca /etc/openvpn/ca.cert
cert /etc/openvpn/client.cert
key /etc/openvpn/client.key
dh /etc/openvpn/dh2048.pem
persist-tun
persist-key
client
remote-cert-tls server
remote server.example.com 1194
script-security 2
up /etc/openvpn/client.up
down /etc/openvpn/client.down

  4. `ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@example.service`
  5. `systemctl start openvpn@example.service`

guestrace

Thu, 12 Mar 2020 09:02:58 -0400

Ryan Johnson and Matt Shockley wrote guestrace as a prototype for a research project, and we have since packaged it as a stand-alone utility. A properly-configured guestrace will print as they occur the system calls which processes invoke within a Xen domain. This resembles strace, but provides the activity of every running process. The guestrace utility relies on libvmi to perform virtual-machine introspection. Guestrace can trace both Linux and Windows, and it requires no modifications to the target aside from running the target on Xen.

Guestrace also provides a library, libguestrace, which gives programmers access to the guestrace engine. This is useful for programs which must trace system calls and do more than merely print them.

Limitations

As an ongoing research project, guestrace presently has a few limitations in its implementation:

we have not yest tested any version of Windows other than Windows 7 Enterprise with Service Pack 1,
guestrace malfunctions when monitoring Windows running with more than 2 GB of memory (page sizes > 4 KB), and
guestrace supports only 64-bit guest operating systems.

We would be happy to consider any patches which remove these limitations, and we ourselves hope to address them when time permits.

Details

Please refer to guestrace's API documentation for details about how to use the library.

The guestrace project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/guestrace

hal-cvs-enc

Thu, 12 Mar 2020 09:02:58 -0400

hal-20050211-luks-1 hal-20050211-luks-2 hal-20050301-luks-3 hal-20050302-luks-4 hal-20050312-luks-5 hal-set-strlist-1.patch.gz

A series of patches that add support for encrypted volumes to HAL.

Hardening Unix computers

Thu, 12 Mar 2020 09:02:58 -0400

This describes some techniques which help harden Unix computers, that is reduce the likelihood that the will be compromised by an attacker. There is some overlap with another document, forensic analysis. This is because both hardening and forensic analysis require a deep understanding of how Unix works.

Strong access controls

If available, administrators should learn and apply the strong access controls available on their computers. For example, mandatory access control systems such as SELinux or AppArmor go a long way to constrain programs beyond the traditional Unix access controls. Using these controls requires a bit of study, but can provide a large benefit. Another document, SELinux, provides a basic introduction to SELinux.

Passwords and system accounts

Ideally, passwords should be used only for local authentication, where a user must be physically present at the computer performing authentication. The reason for this is that passwords are often compromised using various forms of guessing attacks, and extending password-based authentication beyond physically-present users increases the set of people who can mount these attacks. Other forms of authentication, such as public-key-based systems should authenticate network users.

The passwords that do exist must be strong. In most cases, as review of /etc/passwd will reveal the accounts which will need a password audit.

Another consideration is whether accounts should exist in the first place. A review of /etc/passwd will reveal a number of accounts with a legitimate shell and other accounts whose shell is set to something like /sbin/nologin. You should remove unnecessary accounts of the former case. Accounts of the latter case are pseudo-users. They do not have passwords, and are generally created by the act of installing some package. Pseudo-users exist to run software with the least privileges possible. To remove these latter accounts, remove unnecessary packages.

Pluggable Authentication Modules

Checking the integrity of each authenticating program
Checking the PAM configuration of each authenticating program
Checking the accounts themselves (e.g., expected accounts with strong passwords)

Graphical login authentication is generally performed using a display manager such as gdm, and text logins usually use agetty which spawns login.

Service/application-level accounts

Some services, such as databases and web-based applications, often provide their own account databases instead of relying on the system accounts provided by Unix. In such cases, you must audit these accounts too, as they exist separately from the system accounts. Since each account is defined in an application-specific way, you will need to refer to each service’s documentation to find out how to review that service’s accounts.

Least privilege

Avoid running programs as root to the maximum extent possible. Network-facing programs should run as pseudo-users, except when root privileges are absolutely needed (see the design of OpenSSH, qmail, Postfix, and Dovecot). X11 applications should never run as root. Indeed, even administrators should minimize running programs as root to avoid accidents. Use sudo to administer your system.

Minimal packages

A hardened computer contains only the software needed to serve its purpose. On Red Hat-like version of Linux, you can enumerate the packages installed with rpm -qa and remove a package with rpm -e *pkg-name*. In general, you should interact with the computer’s package system (i.e., RPM on Red Hat, dpkg on Debian/Ubuntu, or ports on BSD) rather than manually removing things with rm.

Dangerous programs

It is very difficult to audit everything on a modern, general-purpose computer (very small distributions such as OpenWrt can be of help here). Because of this, it is wise to consider those programs which might give an attacker a foothold on the computer. This includes network-facing programs and setuid-bit programs.

Network-facing programs

One way to audit the network-facing programs running on a computer is with a port scan. The nmap utility serves this purpose. There are a few things to remember here:

nmap scans only common ports by default, but you can scan all ports using -p1-;
nmap scans TCP by default, but you can scan UDP using -sU; and
nmap scans IPv4 by default, but you can scan IPv6 using -6.

You should scan the entire port range of IPv4 TCP and UDP and also IPv6 TCP and UDP.

Setuid-bit programs

find /mnt -perm -4000 -type f

It is especially important to remove unnecessary programs which have their setuid bit set.

Memory-bug countermeasures

Attackers sometimes use a memory bug present in a program to a undermine security policy. Such bugs include unchecked buffer accesses. It is generally best to select software which is written using a type-safe language, because type-safe languages remove entire classes of bugs. However, sometimes software written in unsafe languages such as C cannot be avoided. In these cases, certain features of Unix and compilers can help thwart attacks on memory bugs.

The following is a list of memory exploits along with countermeasures.

Stack smash, payload on stack: Non-executable stack, a feature of Unix.
Stack smash, return to existing library: Stack canaries, a compiler feature.
Stack smash, return-oriented programming: Address-space layout randomization, a feature of Unix which relies on code compiled in a position-independent way.

While these techniques can make the act of exploiting a bug more difficult, they often fail when software has more than one bug. For examples, ASLR might be ineffective in the presence of both a buffer-overflow bug and a bug which leaks the address of one of the program’s symbol.

Centralized logging

Computers should log events and send these logs to a centralized log consolidator using an encrypted and authenticated network channel. This allows a network administrator to view the activities on his network in a unified manner, and it stores a record of the activities on each computer separate from the computer being monitored. If a computer is compromised, the attacker might find it difficult to compromise the log server. Of course, the log server itself must also be hardened. Another document, logging strategies, describes one way to build a logging system with these properties.

Update software

Ensure that the software on the computer is up-to-date. You can do this using the computer’s package-management tool.

SSH configuration

Administrators commonly use SSH to administer a set of computers. SSH is a good choice, because it encrypts the connections it provides. Yet SSH can succumb to password-guessing attacks. For this reason, administrators should configure SSH to use public-key-based authentication and forbid password-based authentication.

You can disable OpenSSH’s use of passwords by setting PasswordAuthentication to no in /etc/ssh/sshd_config.

Generating the keys necessary for public-key-based authentication is a matter of running ssh-keygen -b 4096 and copying the resulting ~/.ssh/id_rsa.pub into the ~/.ssh/authorized_keys on the computers you wish to login on.

Herald

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Herald, a multi-function server. Herald runs on commodity router hardware and provides a number of features:

SSH access
a web service with PHP support
an SMTP service
an IMAP service
a Git service

We build Herald on top of OpenWrt because of the distribution’s simplicity and small size. Herald is made up of roughly 120 packages, and its programs and configurations take up less than 50 MB of storage space. Here we assume that Herald will run within the confines of a Xen hypervisor.

Establish the Herald VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Herald:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Create a disk image to serve as the server’s large data store (see our notes on platform virtualization) and name it /var/lib/xen/images/herald-data.qcow.
Write the following at /etc/xen/vm-herald.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "herald"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [
  "tap2:tapdisk:aio:/var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/herald-data.qcow,xvdb,w"
          ]
serial  = "pty"

Software installation

Perform the following steps on Herald:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
        dnsmasq \
        kmod-ppp \
        kmod-pppoe \
        kmod-pppox \
        kmod-r8169 \
	logd \
        luci-app-firewall \
        luci-lib-ip \
	luci-lib-jsonc \
        luci-lib-nixio \
        luci-proto-ipv6 \
        luci-proto-ppp \
        luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
        mtd \
        odhcpd-ipv6only \
        ppp \
        ppp-mod-pppoe \
        r8169-firmware \
        uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
	option ifname lo
	option proto static
	option ipaddr 127.0.0.1
	option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        block-mount \
        bogofilter \
        ca-certificates \
        dovecot (with GSSAPI and LDAP modules) \
	dovecot-pigeonhole \
        freifunk-watchdog \
        git \
        lighttpd \
	lighttpd-mod-accesslog \
        lighttpd-mod-auth \
        lighttpd-mod-authn_file \
        lighttpd-mod-authn_gssapi \
        lighttpd-mod-fastcgi \
        lighttpd-mod-redirect \
        lighttpd-mod-setenv  \
        php7 \
        php7-fastcgi \
        php7-mod-ctype \
        php7-mod-curl \
        php7-mod-dom \
        php7-mod-exif \
        php7-mod-fileinfo \
        php7-mod-gd \
        php7-mod-hash \
        php7-mod-iconv \
        php7-mod-json \
        php7-mod-mbstring \
        php7-mod-opcache \
        php7-mod-openssl \
        php7-mod-pdo \
        php7-mod-pdo-sqlite \
        php7-mod-session \
        php7-mod-simplexml \
        php7-mod-sqlite3 \
        php7-mod-xml \
        php7-mod-xmlreader \
        php7-mod-xmlwriter \
        php7-mod-zip \
	php7-pecl-krb5 \
	php7-pecl-ldap \
	php7-pecl-mcrypt \
        postfix \
        rsync \
	syslog-ng \
        zoneinfo-core \
        zoneinfo-northamerica

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring the lighttpd web server

Here we describe how to configure lighttpd to redirect HTTP to HTTPS; authenticate using passwords or GSSAPI, depending on which network the client connects from; maintain a log using syslog; and support FastCGI.

Create /etc/lighttpd/htpasswd to define non-Kerberos accounts which mirror the accounts defined by the network’s Kerberos server.
Set up lighttpd’s Kerberos principal by running kadmin.local on the network’s Kerberos server, and executing the following commands (replace example.com and EXAMPLE.COM):
1. add_principal -randkey HTTP/www.example.com@EXAMPLE.COM
2. (if needed) purgekeys -all HTTP/www.example.com@EXAMPLE.COM
3. ktadd -k keytab HTTP/www.example.com@EXAMPLE.COM
To configure Firefox to authenticate using Kerberos, visit about:config and set (replace example.com):
1. network.negotiate-auth.trusted-uris = https://
2. network.negotiate-auth.delegation-uris = .example.com
. Ensure the /etc/krb5.conf on each client contains dns_canonicalize_hostname = false.
Copy keytab from the network’s Kerberos server to /etc/lighttpd/ on Herald. Set the ownership and permissions of the file with chgrp www-data keytab and chmod 640 keytab, respectively.
/etc/lighttpd/example.com.pem: Some TLS certificate authorities provide free TLS/X.509 certificates. Run openssl req -out CSR.csr -new -newkey rsa:4096 -nodes -keyout privateKey.key to generate a private key and corresponding certificate signing request. You should submit the request (CSR.csr) to your certificate authority, and they should respond with your new certificate, a root CA certificate, and an immediate certificate. Concatenate the private key and certificate to produce etc/lighttpd/example.com.pem.
/etc/lighttpd/ca.pem: Concatenate the immediate and root certificate to produce etc/lighttpd/ca.pem.
/etc/lighttpd/dh-param.pem: Generate Diffie-Hellman parameters using openssl dhparam -out dh-param.pem -2 2048.
/etc/lighttpd/lighttpd.conf (replace example.com):

server.modules = (
)

server.errorlog-use-syslog  = "enable"
server.document-root        = "/mnt/sda1/var/www/example.com"
server.upload-dirs          = ( "/tmp" )
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "http"
server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                                "index.lighttpd.html" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

server.modules += ( "mod_openssl" )

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/example.com.pem"
        ssl.ca-file = "/etc/lighttpd/ca.pem"
}

include       "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"

/etc/lighttpd/conf.d/10-redirect.conf:

server.modules += ( "mod_redirect" )

$HTTP["scheme"] == "http" {
        $HTTP["host"] =~ ".*" {
                url.redirect = (".*" => "https://%0$0")
        }
}

/etc/lighttpd/conf.d/20-auth.conf (replace network-cidr, example.com, EXAMPLE.COM, protected-path and application-name; network-cidr represents the network containing the hosts which have access to Kerberos authentication):

server.modules += ( "mod_auth" )

$HTTP["remoteip"] == "network-cidr" {
	auth.backend                  = "gssapi"
	auth.backend.gssapi.keytab    = "/etc/lighttpd/keytab"
	auth.backend.gssapi.principal = "HTTP/www.example.com@EXAMPLE.COM"

        auth.require = (
		"/protected-path" => (
			"method"  => "gssapi",
			"realm"   => "EXAMPLE.COM",
			"require" => "valid-user"
		),
	)
} else {
	auth.backend                   = "htpasswd"
	auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"

	auth.require = (
		"/protected-path" => (
			"method"  => "basic",
			"realm"   => "application-name",
			"require" => "valid-user"
		),
	)
}

/etc/lighttpd/conf.d/30-accesslog.conf:

server.modules += ( "mod_accesslog" )
  
accesslog.use-syslog   = "enable"
accesslog.syslog-level = 6

/etc/lighttpd/conf.d/30-fastcgi.conf:

server.modules += ( "mod_fastcgi" )

fastcgi.server = (
        ".php" => ((
                "bin-path" => "/usr/bin/php-cgi",
                "socket" => "/tmp/php-fastcgi.socket"
        ))
)

Set the ownership of lighttpd’s sensitive files using chown root:www-data /etc/lighttpd/*.pem /etc/lighttpd/htpasswd, and set the permissions on these files with chmod 640 /etc/lighttpd/*.pem /etc/lighttpd/htpasswd.
/etc/php.ini: Set doc_root = "/mnt/sda1/var/www/example.com", error_log = syslog, and date.timezone = America/New_York. 15.

Configuring the Postfix SMTP server and Bogofilter spam filter

/etc/postfix/master.cf (replace host.example.com):

# Do not filter mail from localhost (e.g., from Roundcube or a ssh tunnel).
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd

# Filter all other mail through bogofilter (see below).
host.example.com:smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=filter

pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
filter	  unix	-	n	n	-	-	pipe
   flags=Rq user=bogofilter argv=/usr/sbin/postfix-bogofilter -f ${sender} -- ${recipient}

/etc/postfix/main.cf (replace host.example.com, example.com, and mailrelay.example.com):

mail_owner = postfix
setgid_group = postdrop

myhostname = host.example.com
myorigin = example.com
mynetworks = 127.0.0.0/8 192.168.1.0/24

queue_directory = /mnt/sda1/var/spool/postfix
data_directory = /mnt/sda1/var/lib/postfix
mail_spool_directory = /mnt/sda1/var/spool/mail
virtual_mailbox_base = /mnt/sda1/var/spool/mail

relay_domains = $mydestination

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
	permit_mynetworks,
	reject_non_fqdn_helo_hostname,
	reject_invalid_helo_hostname,
	permit

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

smtpd_relay_restrictions =
	permit_mynetworks,
	permit_sasl_authenticated,
	reject_unauth_destination

# Note, we leave reject_rbl_client-like checks for later processing.
smtpd_recipient_restrictions =
	permit_mynetworks,
	reject_unauth_pipelining,
	reject_invalid_hostname,
	reject_non_fqdn_sender,
	reject_non_fqdn_recipient,
	reject_unknown_sender_domain,
	reject_unknown_recipient_domain,
	reject_unknown_reverse_client_hostname,
	reject_unauth_destination,
	reject_rhsbl_helo dbl.spamhaus.org,
	reject_rhsbl_sender dbl.spamhaus.org,
	reject_rhsbl_reverse_client dbl.spamhaus.org,
	reject_rhsbl_sender fresh.fmb.la=127.2.0.[2;14],
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client dyna.spamrats.com,
	reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
	reject_rbl_client truncate.gbudb.net,
	reject_rbl_client dnsbl.cobion.com,
	reject_rbl_client bl.fmb.la=127.0.0.2,
	reject_rbl_client b.barracudacentral.org,
	reject_rbl_client bl.spamcop.net,
	check_recipient_access cdb:/etc/postfix/recipient_access,
	check_sender_access cdb:/etc/postfix/sender_access,
	reject

relayhost = [mailrelay.example.com]:587
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = cdb:/etc/postfix/saslpasswd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_mailbox_lock = fcntl
virtual_uid_maps = ldap:/etc/postfix/ldap-uids.cf
virtual_gid_maps = static:8
virtual_alias_maps = cdb:/etc/postfix/virtual
virtual_transport = lmtp:unix:private/dovecot-lmtp

message_size_limit = 104857600
mailbox_size_limit = 0
virtual_mailbox_limit = 0

unknown_local_recipient_reject_code = 550
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

biff = no
html_directory = no
manpage_directory = no
readme_directory = no
inet_protocols = ipv4

mailbox_transport = lmtp:unix:private/dovecot-lmtp

/etc/postfix/virtual (replace recipient@example.com):

root recipient@example.com

/etc/postfix/saslpasswd (replace mailrelay.example.com, user@example.com, and password):

[mailrelay.example.com]:587 user@example.com:password

/etc/postfix/recipient_access (replace unrestricted_recipient@example.com):

unrestricted_recipient@example.com OK

/etc/postfix/sender_access (replace permitted_sender@example.com):

permitted_sender@example.com OK

Use postmap to compile each of virtual, saslpasswd, recipient_access, and sender_access.
/etc/postfix/aliases: Set the recipient of root's mail and run postalias /etc/postfix/aliases.
/etc/postfix/ldap-users.cf (replace ldap-server and dc=example,dc=com):

server_host = ldaps://ldap-server
server_port = 636
search_base = ou=people,dc=example,dc=com
version = 3
query_filter = uid=%u
result_attribute = uid

/etc/postfix/ldap-uids.cf (replace ldap-server and dc=example,dc=com):

server_host = ldaps://ldap-server
server_port = 636
search_base = ou=people,dc=example,dc=com
version = 3
query_filter = uid=%u
result_attribute = uidNumber

Check the ownership of Postfix's spool directories.
Create a bogofilter user in /etc/passwd, /etc/group, and /etc/shadow. Set the user’s shell to /bin/false and his home directory to /mnt/sda1/var/spool/bogofilter.
Create the directory /mnt/sda1/var/spool/bogofilter. Restrict the permissions of this directory so that only the bogofilter user may access it. Configure bogofilter to make use of the directory by modifying /etc/bogofilter.cf:

bogofilter_dir=/mnt/sda1/var/spool/bogofilter

Set the ownership of /etc/bogofilter.cf with chown bogofilter /etc/bogofilter.cf.

Configuring the Dovecot POP3/IMAP server

Set up Dovecot’s Kerberos principal by running kadmin.local on the network’s Kerberos server, and executing the following commands (replace example.com and EXAMPLE.COM):
1. add_principal -randkey imap/www.example.com@EXAMPLE.COM
2. (if needed) purgekeys -all imap/www.example.com@EXAMPLE.COM
3. ktadd -k keytab imap/www.example.com@EXAMPLE.COM
Copy keytab from the network’s Kerberos server to /etc/dovecot on Herald. Set the ownership and permissions of the file with chown dovecot keytab and chmod 600 keytab, respectively.
/etc/dovecot/dovecot.conf (replace example.com):

protocols = imap pop3 lmtp

auth_gssapi_hostname = "$ALL"
auth_mechanisms = plain login gssapi
auth_krb5_keytab = /etc/dovecot/keytab

userdb {
	driver = ldap
	args = /etc/dovecot/dovecot-ldap.conf
}

passdb {
	driver = passwd-file
	args = /etc/dovecot/passwd
}

service imap-login {
        inet_listener imaps {
                port = 0
        }
}

service pop3-login {
        inet_listener pop3s {
                port = 0
        }
}

service lmtp {
	unix_listener /mnt/sda1/var/spool/postfix/private/dovecot-lmtp {
		user = postfix
		group = postfix
		mode = 0600
	}
}

protocol lmtp {
	postmaster_address = postmaster@flyn.org
	hostname = flyn.org
	mail_plugins = $mail_plugins sieve
}

plugin {
        fts_autoindex=yes                                                            
	sieve_default = /etc/dovecot/sieve/default.sieve
}

ssl = required
ssl_cert = </etc/dovecot/example.com.cert
ssl_key = </etc/dovecot/example.com.key
ssl_dh = </etc/dovecot/dh-param.pem
mail_location = \
	mbox:/mnt/sda1/var/spool/mail/%n-folders:INBOX=/mnt/sda1/var/spool/mail/%n
mail_access_groups = mail
default_login_user = nobody
disable_plaintext_auth = yes
auth_username_format = %Ln
mbox_write_locks = fcntl

/etc/dovecot/dovecot-ldap.conf (replace dc=example,dc=com):

hosts = localhost
base = ou=people,dc=example,dc=com
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=posixAccount)(uid=%n))

/etc/dovecot/passwd (replace placeholder fields; hope to eventually use Kerberos):

user:{PLAIN}password:uid:gid:Full Name:/var/run/dovecot:/bin/false

/etc/dovecot/sieve/default.sieve:

require [
	"body",
	"fileinto",
	"regex",
	"variables"
];

set "blacklist" "(a v(e)*ry bad word|viagra)";

if header :matches "X-Bogosity" "Spam,*" {
	fileinto "Junk";
}

elsif header :regex "Subject" "${blacklist}" {
	fileinto "Junk";
}

elsif body :regex "${blacklist}" {
	fileinto "Junk";
}

else {
	keep;
}

/etc/dovecot/dh-param.pem: Generate Diffie-Hellman parameters using openssl dhparam -out dh-param.pem -2 2048.
Run sievec /etc/dovecot/sieve.
Copy certificate and private key to example.com.cert and example.com.key, respectively.
Set the ownership of Dovecot’s files using chown -R dovecot /etc/dovecot, and set the permissions on the most sensitive files with chmod 600 /etc/dovecot/example.com.key /etc/dovecot/passwd.

Configure Git

Add /usr/bin/git-shell to /etc/shells.
Create a git user in /etc/passwd, /etc/group, and /etc/shadow. Set the user’s shell to /usr/bin/git-shell and his home directory to /mnt/sda1/var/git.
Install the authorized users’ public SSH keys at /mnt/sda1/var/git/.ssh/authorized_keys.

Configure the host firewall

/etc/config/firewall:

config defaults
	option drop_invalid 1
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name lan
	option network lan
	option input DROP
	option output ACCEPT
	option forward DROP

# Allow SSH connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 22

# Allow SMTP connections from LAN.
config rule                 
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 25

# Allow IMAP connections from LAN.
config rule                 
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 143

# Allow HTTP connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 80

# Allow HTTPS connections from LAN.
config rule
	option target ACCEPT
	option src lan
	option proto tcp
	option dest_port 443

Configure basic system settings

/etc/config/fstab:

config mount
        option device   /dev/sda1
        option target   /mnt/sda1
	option fstype   ext4
        option options  rw
        option enabled  1
        option enabled_fsck 0

/etc/config/php7-fastcgi:

config php7-fastcgi
	option enabled 1

/etc/config/system:

config system
	option hostname	herald.flyn.org
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

/etc/config/freifunk-watchdog:

config process
	option process dropbear	
	option initscript /etc/init.d/dropbear

config process
        option process crond
        option initscript '/etc/init.d/cron'
	
config process
	option process lighttpd
	option initscript /etc/init.d/lighttpd

/etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

Herald applications

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to install a number of web applications on Herald. In each case, the instructions describe setting up the application within a local directory for later synchronization with Herald. This adds a bit of complexity but leaves the web applications managed in the same way as static files.

We call the local directory Local Root and the remote directory on Herald Remote Root. Under the conditions of the default install, Remote Root is /mnt/sda1/var/www/example.com on Herald. We also reference Remote Parent which is /mnt/sda1/var/www/ by default.

Nextcloud server

Installation

Download the Nextcloud Server source code.
Extract the source code at Local Root and rename its top-level folder to share.
Synchronize Local Root with Herald.
Create the directory Remote Root/example.com/share/data.
Run chgrp -R www-data Remote Root/example.com/share/apps Remote Root/example.com/share/config Remote Root/example.com/share/data.
Run chmod -R g+w Remote Root/example.com/share/apps Remote Root/example.com/share/config Remote Root/example.com/share/data.
Ensure that the file /etc/ssl/openssl.cnf exists, even if it is empty.
Use a browser to visit https://www.example.com/share/.

Once functioning, it is desirable to move Nextcloud Server’s data directory to Remote Parent/nextcloud-data.

Run mv Remote Root/example.com/share/data Remote Parent/nextcloud-data.
Update Remote Root/example.com/share/config/config.php to contain the following definition of datadirectory (replace Remote Parent):

'datadirectory' => 'Remote Parent/nextcloud-data/',

You might want to install a number of NextCloud applications, namely:

Calendar
Contacts
Deck
Forms
JavaScript XMPP Client
Mail
Polls
Talk
Workflow external scripts

Finally copy the apps and config directories back to Local Root/share. You should do this again each time you install a new Nextcloud application.

Configure

Using the Nextcloud Settings interface, configure Nextcloud in the following way:

Under Administration: Groupware, set a provisional email account.
Under Administration: JavaScript XMPP Client, set an external XMPP server.

Upgrade

Place the new version of Nextcloud at Local Root/share-new.
Synchronize Local Root with Herald.
Copy the old configuration into the new directory, but edit to use nextcloud-data-new.
Run chgrp -R www-data Remote Root/example.com/share-new/apps Remote Root/example.com/share-new/config.
Run chmod -R g+w Remote Root/example.com/share-new/apps Remote Root/example.com/share-new/config.
Run cp -a Remote Parent/nextcloud-data Remote Parent/nextcloud-data-new.
From Remote Root/example.com/share-new/, run php-cli occ upgrade.
Run mv Remote Root/example.com/share Remote Root/example.com/share-old.
Run mv Remote Root/example.com/share-new Remote Root/example.com/share.
Run mv Remote Parent/nextcloud-data Remote Parent/nextcloud-data-old.
Run mv Remote Parent/nextcloud-data-new Remote Parent/nextcloud-data.

Hugo

Thu, 12 Mar 2020 09:02:58 -0400

Hugo is a static HTML and CSS website generator, and Academic adds themes and features to Hugo.

Clone the Hugo Academic kickstart project: git clone https://github.com/sourcethemes/academic-kickstart.git www.example.com.
Enter the www.example.com directory.
Clone the theme submodule: git submodule update --init --recursive.
Edit the files in content/home, setting the active flag based on the site needs.
Edit config/_default/params.toml and config/_default/config.toml as appropriate. Set disablePathToLower = true in config.toml.
Edit content/authors/admin/_index.md.
Replace content/authors/admin/avatar.jpg or configure to use Gravatar.
Replace assets/images/icon.png with a 512×512 image.
Create content using commands like hugo new --kind project notes/foo.md.
Edit config/_default.menu.toml.
Adjust appearance by editing assets/scss/custom.scss.
Run hugo server to test the site.

hunt_n_gather

Thu, 12 Mar 2020 09:02:58 -0400

Hunt_n_gather is a script which attempts to determine the entries within a filesystem that should be backed up. It does this by noting which files are not listed in a system's rpm database, have been modified if installed as part of an rpm, etc. Once hunt_n_gather has a list of such files, it copied them to the directory given on the command line.

initscripts-7.41-mouse-emulation

Thu, 12 Mar 2020 09:02:58 -0400

initscripts-7.41-mouse-emulation

A patch for Fedora's initscripts that adds support for mouse emulation. This is useful with one-mouse-button Apple laptops.

initscripts-cryptoswap

Thu, 12 Mar 2020 09:02:58 -0400

initscripts-cryptoswap

A patch for Fedora's initscripts that adds support for encrypted swap.

insert

Thu, 12 Mar 2020 09:02:58 -0400

Many laptops and other small devices do not have an insert key. X11 allows you to remap keys using xmodmap.

Identify the event that you want to produce an insert: run xev and press the key to be remapped
Run xmodmap -e "keycode CODE = Insert"

kodi-plugin.audio.grilo

Thu, 12 Mar 2020 09:02:58 -0400

Kodi-plugin.audio.grilo is an addon for Kodi which provides access to shares supported by Grilo.

kodi-plugin.audio.grilo-0.0.1.tar.gz

The kodi-plugin.audio.grilo project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/kodi-plugin.audio.grilo

kupgrade

Thu, 12 Mar 2020 09:02:58 -0400

Kupgrade.sh is a simple script which automates upgrading one's Linux kernel. The script saves the current and previous kernel build configuration files. Kupgrade.sh greatly eases maintaining kernels for several non-heterogenous machines by maintaining configuration files and building custom kernel RPM files.

Kupgrade.sh also supports plugins for compiling drivers such as the Advanced Linux Sound Architecture modules.

LaTeX

Thu, 12 Mar 2020 09:02:58 -0400

After a fresh install of Fedora, I sometimes see the error “pdfTeX error (font expansion): auto expansion is only possible with scalable fonts” when running pdflatex. Installing the texlive-collection-fontsextra package collection seems to fix this.

The following error is fixed by installing texlive-updmap-map:

kpathsea: Running mktexpk --mfmode / --bdpi 600 --mag 1+57/600 --dpi 657 ptmri8r
gsftopk: fatal: map file `psfonts.map' not found.
mktexpk: don't know how to create bitmap font for ptmri8r.
mktexpk: perhaps ptmri8r is missing from the map file.
kpathsea: Appending font creation commands to missfont.log.
 )
!pdfTeX error: pdflatex (file ptmri8r): Font ptmri8r at 657 not found
 ==> Fatal error occurred, no output PDF file produced!
make: *** [Makefile:48: 02_summary.pdf] Error 1

lavtools-1.2-new-quicktime

Thu, 12 Mar 2020 09:02:58 -0400

lavtools-1.2-new-quicktime

A patch for Dr. Rainer Johanni's lavtools. When applied, lavtools will use a more modern QuickTime for Linux distribution, allowing lavtools to be used with the Broadcast 2000 video editing application.

lcdgrilo

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Lcdgrilo is a Grilo-based media player for use on a Raspberry Pi with a PiFace CAD. Because it is based on Grilo, lcdgrilo can play media from any Grilo audio source, including DMAP, Jamendo, and Magnatune. The program makes use of the PiFace CAD for input and output through the use of a menu-based interface.

Detailed instructions that describe one way to build a network radio using lcdgrilo, a Raspberry Pi, and a PiFace CAD can be found here.

The lcdgrilo project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/lcdgrilo

lcdringer

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Lcdringer is a ringer for use on a Raspberry Pi with a PiFace CAD. The idea is that the audio ring announces the intention to initiate a video chat. This is useful in households which do not leave their computers or other electronic devices on all of the time.

Lcdringer connects to an XMPP server, listens for messages, and displays messages that arrive before activating an audible alarm. Lcdringer also responds to the messages it receives with an indication of whether or not the audible alarm was acknowledged with a button press.

Upon running, lcdringer reads /etc/lcdringer.conf. Here is an example configuration (replace EXAMPLE.COM, PASSWORD, USER1, and USER2; USER1 and USER2 are the users permitted to cause lcdringer to ring):

[account]
jid=lcdringer@EXAMPLE.COM
password=PASSWORD
ring_path=/usr/share/lcdringer/ring.mp3

[friends]
jids=USER1@EXAMPLE.COM;USER2@EXAMPLE.COM

Detailed instructions that describe one way to build a device using lcdringer, a Raspberry Pi, and a PiFace CAD can be found here.

The lcdringer project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/lcdringer

Learning

Thu, 12 Mar 2020 09:02:58 -0400

Websites (paid and free) which teach programming

… kernel programming

The Eudyptula Challenge

… low-level security techniques

… cryptography

Cryptopals

Capture-the-flag competitions

Frameworks, code, and other such things

CTFd, a CTF framework
iCTF, A CTF framework
SecGen, Create vulnerable virtual machines
Scratch, The Scratch programming environment; great for children

libdmapsharing

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Libdmapsharing is a library which allows programs to access, share and control the playback of media content using DMAP (DAAP, DPAP & DACP). Libdmapsharing also detects audio AirPlay services; coupled with the AirPlay™ support in PulseAudio or GStreamer, this can allow an application to stream audio to an AirPlay device. The library presently supports Linux and other POSIX-based systems. It is written in C using GObject and libsoup. The DMAP family of protocols are used by products such as Apple iTunes™, Apple iPhoto™, and the Roku SoundBridge™ family to share media such as music and photos.

Possible uses for libdmapsharing include:

Adding picture sharing capabilities to a photograph application
Adding music sharing capabilities to an audio application
Adding audio AirPlay output to an application
Allowing an audio application to be controlled using Apple's iOS Remote
Developing DPAP server software for a home networking product
Developing DMAP client software for a media player appliance
Developing gateways that translate between DMAP and DLNA

Links

The libdmapsharing project is also available as a Git repository. To clone the repository, execute

git clone git://git.gnome.org/libdmapsharing

libgphoto2-2.1.1-openbsd

Thu, 12 Mar 2020 09:02:58 -0400

libgphoto2-2.1.1-openbsd

A patch for libgphoto that allows it to run on OpenBSD.

libnice-0.1.13-vpn

Thu, 12 Mar 2020 09:02:58 -0400

libnice-0.1.13-vpn

A kludge which allows the use of libnice on an OpenVPN client. See libnice task #7583.

libss

Thu, 12 Mar 2020 09:02:58 -0400

Libss is a cross-platform library for controlling screensavers. It allows one to temporarily disable a screensaver. This is useful for fullscreen, visual applications that take little input.

libtlssep

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Libtlssep (pronounced lib·te̅·el·sep) aims to provide an improved TLS API while also protecting private keys using privilege separation. Libtlssep's architecture includes a helper process called tlssep-decorator which handles all TLS operations and thus is able to isolate private keys from applications. An application first creates a network socket to a server (or client), and then it passes this socket to tlssep-decorator. All subsequent communication with the server passes through tlssep-decorator.

Please refer to libtlssep's API documentation for details about how to use the library.

The libtlssep project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/libtlssep

Linux kernel development

Thu, 12 Mar 2020 09:02:58 -0400

Building a Linux kernel module on Red Hat-derived distributions requires the kernel-devel package. Place the following in hello.c:

#include <linux/module.h>
#include <linux/kernel.h>

int init_module(void)
{
        /* NOTE: See kern_levels.h for level constants. */
        printk(KERN_INFO "Hello, world!\n");

        return 0;
}

void cleanup_module(void)
{
        printk(KERN_INFO "Goodbye, world!\n");
}

MODULE_LICENSE("GPL");

Place the following in Makefile:

obj-m += hello.o

all:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
        make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Build the module using make. Load the module using insmod hello.ko, and remove it using rmmod hello; upon completing either, you should see a message recorded by the computer’s logging system.

Receiving parameters at module load time

The module_param and MODULE_PARM_DESC macros aid in declaring and documenting kernel-module parameters, respectively. The module_param macro takes as arguments a parameter name, parameter type, and a series of permission bits which, if non-zero, apply to a sysfs entry that the module might later create. Each use of module_param should correspond with a global variable which shares the name of the parameter.

static char *option = "default value";

module_param(option, charp, 0000);
MODULE_PARM_DESC(option, "An example character string option");

The sample option above could be set using the command insmod hello.ko option=foo.

Reproducing the kernel source used to build the kernel for a Red Hat-derived distribution

These steps require the dnf-utils and rpm-build packages, along with the compiler and other tools needed to build the Linux kernel.

yumdownloader --source kernel
rpm -Uvh kernel...
rpmbuild -bp ~/rpmbuild/SPECS/kernel.spec

This will result in a copy of the kernel source tree at ~/rpmbuild/BUILD/kernel.... One way to build the kernel is to modify this source tree, produce a patch, place the patch in ~/rpmbuild/SOURCES, modify ~/rpmbuild/SPECS/kernel.spec to make use of the patch, and rebuild the kernel using rpmbuild -ba ~/rpmbuild/SPECS/kernel.spec:

Make a vanilla copy of the kernel source: cp -a ~/rpmbuild/BUILD/kernel.../linux.../ ~/rpmbuild/BUILD/kernel.../linux...-vanilla/.
Add pr_notice("Hello, world!\n"); to ~/rpmbuild/BUILD/kernel.../linux.../init/main.c immediately after the kernel prints "Kernel command line: ...".
Set your current directory to ~/rpmbuild/BUILD/kernel.../ and create a patch by running diff -u --recursive linux...-vanilla/ linux.../ >~/rpmbuild/SOURCES/kernel-hello.patch.
Add the patch to the kernel’s RPM specification by adding Patch2: kernel-hello.patch to ~/rpmbuild/SPECS/kernel.spec after the definition of Patch1.
Set the specification to apply your patch by adding ApplyOptionalPatch kernel-hello.patch after the application of patch-%{patchversion}-redhat.patch.
Run rpmbuild -ba ~/rpmbuild/SPECS/kernel.spec to build the result. This will take a long time, and it will use a lot of disk space.

Finally run rpm -ivh ~/rpmbuild/RPMS/x86_64/kernel-* to install your new kernel, and reboot the computer. After booting, you should find that dmesg includes Hello, world! in its output.

linux-xen-passive-oprofile

Thu, 12 Mar 2020 09:02:58 -0400

linux-2.6.38-xen-passive-oprofile linux-2.6.39.rc5.git5-xen-passive-oprofile linux-3.0-xen-passive-oprofile linux-3.2-xen-passive-oprofile linux-3.5.3-xen-passive-oprofile

A patch for the Linux kernel that enables passive profiling of unprivileged Xen domains.

Logging strategies

Thu, 12 Mar 2020 09:02:58 -0400

Configure a client to forward logs to a server using rsyslog/TLS

Install rsyslog using yum install rsyslog rsyslog-gnutls.
If you have not already done so, generate a self-signed CA certificate and private key. See the notes on certificates.
Generate a CA-signed certificate and private key for the log server and each client. See the notes on certificates.
On the log server and each client, place the CA certificate at /etc/pki/ca-trust/source/anchor/, and run update-ca-trust.
Install each host’s certificate and private key at /etc/pki/rsyslog/. Ensure that you use chmod to remove the read permissions from the private key.
On the server, ensure a large disk exists at /mnt/sda1 and place the following in /etc/rsyslog.conf, replacing example.com and logserver.example.com:

$ModLoad imuxsock
$ModLoad imtcp

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/example.com.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/logserver.example.com.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/logserver.example.com.key

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 6514

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
local7.*                                                /var/log/boot.log

On each client, place the following in /etc/rsyslog.conf, replacing example.com, logserver.example.com, and logclient.example.com:

$ModLoad imuxsock
$ModLoad imjournal

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/pki/ca-trust/source/anchors/example.com.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/logclient.example.com.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/logclient.example.com.key

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.com
$ActionSendStreamDriverMode 1

*.* @@(o)logserver.example.com:6514;RSYSLOG_SyslogProtocol23Format

On each host, run systemctl enable rsyslog and systemctl restart rsyslog.
Permit rsyslog traffic through the server’s firewall:

Place the following in /etc/firewalld/services/syslog.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Syslog</short>
  <description>Remote syslog</description>
  <port protocol="tcp" port="6514"/>
</service>

Run firewall-cmd --permanent --add-service rsyslog.

You can troubleshoot rsyslog by running it manually: rsyslogd -nd.

Configure a client to forward logs to a server using syslog-ng/TLS

The EPEL repository provides the syslog-ng package for CentOS or RHEL: rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm.
Remove rsyslog using yum remove rsyslog.
Install syslog-ng using yum install syslog-ng.
If you have not already done so, generate a self-signed CA certificate and private key. See the notes on certificates.
Generate a CA-signed certificate and private key for the log server and each client. See the notes on certificates.
On the log server and each client, place the CA certificate at /etc/pki/ca-trust/source/anchors/, and run update-ca-trust.
Calculate the hash of the CA certificate’s common name with openssl x509 -noout -hash -in example.com.pem.
Within /etc/pki/ca-trust/source/anchors/, create a symbolic link from hash.0 to example.com.pem, where hash is the output from the previous step.
Install each host’s certificate and private key at /etc/pki/syslog-ng/. Ensure that you use chmod to remove the read permissions from the private key.
On the server, place the following in /etc/syslog-ng/syslog-ng.conf, replacing example.com and logserver.example.com:

@version:3.5
@include "scl.conf"

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
};

source s_net {
    syslog(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(ca-dir("/etc/pki/ca-trust/source/anchors")
            cert-file("/etc/pki/rsyslog/logserver.example.com.pem")
            key-file("/etc/pki/rsyslog/logserver.example.com.key")
        )
    );
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

log { source(s_sys); source(s_net); filter(f_kernel); destination(d_kern); };
log { source(s_sys); source(s_net); filter(f_default); destination(d_mesg); };
log { source(s_sys); source(s_net); filter(f_auth); destination(d_auth); };
log { source(s_sys); source(s_net); filter(f_mail); destination(d_mail); };
log { source(s_sys); source(s_net); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); source(s_net); filter(f_news); destination(d_spol); };
log { source(s_sys); source(s_net); filter(f_boot); destination(d_boot); };
log { source(s_sys); source(s_net); filter(f_cron); destination(d_cron); };

@include "/etc/syslog-ng/conf.d/*.conf"

On each client, place the following in /etc/syslog-ng/syslog-ng.conf, replacing example.com, logserver.example.com, and logclient.example.com:

@version:3.5
@include "scl.conf"

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_net {
    syslog("logserver.example.com" port(6514)
        transport("tls")
        tls(ca-dir("/etc/pki/ca-trust/source/anchors")
            cert-file("/etc/pki/syslog-ng/logclient.example.com.cert")
            key-file("/etc/pki/syslog-ng/logclient.example.com.key")
        )
    );
};

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_net); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_net); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_net); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_net); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_net); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_net); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_net); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_net); destination(d_cron); };


@include "/etc/syslog-ng/conf.d/*.conf"

On each host, run systemctl enable syslog-ng and systemctl restart syslog-ng.
Permit syslog-ng traffic through the server’s firewall:

Place the following in /etc/firewalld/services/syslog.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Syslog</short>
  <description>Remote syslog</description>
  <port protocol="tcp" port="6514"/>
</service>

Run firewall-cmd --permanent --add-service syslog.

Configure a Windows client to forward logs to a server using Nxlog/TLS

Install Nxlog community edition on the Windows client.
Install the host’s TLS key material at C:\Program Files (x86)\nxlog\cert.
Configure Nxlog by writing to C:\Program Files (x86)\nxlog\conf\nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
	Module xm_syslog
</Extension>

<Input in>
	Module im_msvistalog
</Input>

<Output out>
	Module om_ssl
	Host logserver.example.com
	Port 6514
	CAFile %ROOT%\cert\ca.pem
	CertFile %ROOT%\cert\logserver.example.com.pem
	CertKeyFile %ROOT%\cert\logserver.example.com.key
	AllowUntrusted FALSE
	Exec to_syslog_ietf();
	OutputType Syslog_TLS
</Output>

<Route 1>
	Path in => out
</Route>

Restart the Nxlog service.
Test connectivity by generating a log message on the Windows hosts using: eventcreate /ID 1 /L APPLICATION /T INFORMATION /SO MYEVENTSOURCE /D "Hello, world!".

Configure an OpenWrt server along with clients which forward logs to the server using syslog-ng/TLS

Stop the default logging service using /etc/init.d/log stop.
Remove the default logging service using opkg remove logd.
Remove the existing log with rm /var/log/messages.
Install syslog-ng using opkg install syslog-ng.
On the server, place the following in /etc/syslog-ng.conf:

@version:3.8

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
};

source sys {
        internal();
        unix-dgram("/dev/log");
};

source net {
	syslog(ip(0.0.0.0) port(6514)
		max-connections(50)
		transport("tls")
		tls(ca-dir("/etc/syslog-ng.d/anchors")
			cert-file("/etc/syslog-ng.d/logserver.example.com.cert")
			key-file("/etc/syslog-ng.d/logserver.example.com.key")
		)
	);
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
        file("/mnt/sda1/var/log/messages");
};

log {
        source(sys);
        source(net);
        source(kernel);
        destination(messages);
};

On each client, place the following in /etc/syslog-ng.conf (replace SERVER and SERVER.EXAMPLE.COM, and consider removing the local file destination if the host’s local disk is small):

@version:3.8

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
};

source sys {
        internal();
        unix-dgram("/dev/log");
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
        file("/mnt/sda1/var/log/messages");
};

destination SERVER {
        syslog("SERVER.EXAMPLE.COM" port(6514)
		transport("tls")
		tls(ca-dir("/etc/syslog-ng.d/anchors")
			cert-file("/etc/syslog-ng.d/logclient.example.com.cert")
			key-file("/etc/syslog-ng.d/logclient.example.com.key")
		)
	);
};

log {
        source(sys);
        source(kernel);
        destination(messages);
        destination(SERVER);
};

Install and configure Graylog2 on CentOS 7

Install and configure dependencies

Install the EPEL yum repository: rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm.
Install: yum install java-1.8.0-openjdk-headless mongodb-server pwgen policycoreutils-python.
Start MongoDB: systemctl restart mongod.
Ensure MongoDB starts on reboot: systemctl enable mongod.
Properly label MongoDB’s port: semanage port -a -t mongod_port_t -p tcp 27017.

Install and configure Elasticsearch

Install the Elasticsearch yum repository. Add the following to /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-1.7]
name=Elasticsearch repository for 1.7.x packages
baseurl=http://packages.elastic.co/elasticsearch/1.7/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Install Elasticsearch: yum install elasticsearch.
Ensure the following settings exist in /etc/elasticsearch/elasticsearch.yml:

cluster.name: graylog-production
network.host: 127.0.0.1

Start Elasticsearch: systemctl restart elasticsearch.
Ensure Elasticsearch starts on reboot: systemctl enable elasticsearch.
Test Elasticsearch with: curl -XGET http://localhost:9200/_cluster/health?pretty=true; you should see a status of green.

Install and configure Graylog2

Install the Graylog2 yum repository: rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-1.3-repository-el7_latest.rpm.
Install Graylog2: yum install graylog-server.
Ensure the following settings exist in /etc/graylog/server/server.conf:

password_secret = [random secret generated using: pwgen -N 1 -s 96]
root_password_sha2 = [hashed password generated using: echo -n password | sha256sum]
elasticsearch_shards = 1
elasticsearch_replicas = 1
elasticsearch_cluster_name = graylog-production
elasticsearch_http_enabled = false
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300

Also consider adding the following:

root_timezone = America/New_York
allow_highlighting = true

Start Graylog2: systemctl restart graylog-server.
Ensure Graylog2 starts on reboot: systemctl enable graylog-server.

Configure syslog-ng to forward log entries to Graylog2

Add the following to /etc/syslog-ng/syslog-ng.conf, repeating variations of the log statement as necessary:

destination d_graylog { syslog("127.0.0.1" port(1514)); };

log { source(s_sys); source(s_net); filter(f_default); destination(d_mesg); destination(d_graylog); };

Properly label the alternate syslog port: semanage port -a -t syslogd_port_t -p tcp 1514.

Install and configure Graylog2’s web frontend

Install Graylog2: yum install graylog-web.
Ensure the following settings exist in /etc/graylog/web/web.conf:

graylog2_server.uris="http://127.0.0.1:12900"
application.secret="<i>random secret generated using: pwgen -N 1 -s 96</i>"

Start Graylog2’s web frontend: systemctl restart graylog-web.
Ensure Graylog2’s web frontend starts on reboot: systemctl enable graylog-web.
Once Graylog2’s web frontend is running, connect to it (http://localhost:9000/) and configure a log input which matches the syslog-ng configuration. Set the input’s Bind address to 127.0.0.1, its Port to 1514, and also set the its Title.
Permit Graylog web frontend traffic through the server’s firewall:

Place the following in /etc/firewalld/services/graylog-web.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Graylog</short>
  <description>Graylog's web frontend</description>
  <port protocol="tcp" port="9000"/>
</service>

Run firewall-cmd --permanent --add-service graylog-web.

Install and configure Graylog2’s NetFlow plugin

Download the plugin from https://github.com/Graylog2/graylog-plugin-netflow/releases.
Install the plugin at /usr/share/graylog-server/plugin, ensuring its permissions match the existing plugins.
Reload Graylog and add a NetFlow input using the web frontend.
Permit NetFlow traffic through the server’s firewall:

Place the following in /etc/firewalld/services/netflow.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>NetFlow</short>
  <description>Remote NetFlow</description>
  <port protocol="udp" port="2055"/>
</service>

Run firewall-cmd --permanent --add-service netflow.

luks-tools

Thu, 12 Mar 2020 09:02:58 -0400

Overview

The luks-tools package contains various utilities for working with LUKS-protected filesystems. HAL uses these utilities to automatically mount encrypted volumes when they are attached to a system, provided the user can produce the correct passphrase. These utilities are written as separate programs to allow MAC systems like SELinux to have fine-grained control over them.

Screenshot

luks-format: A utility that formats a filesystem to contain a LUKS encryption header.
luks-is-encrypted: A tool that can determine if a filesystem contains a LUKS encryption header.
luks-setup: A utility that sets up the dm-crypt device map for a partition.
gnome-luks-format: A GNOME front-end for luks-format.

Details

The following is an example of how to create an encrypted filesystem and prepare it for mounting:

luks-format -v -t ext3 -c aes -l 256 -n MyLuksVolume /dev/sda4

The luks-format step may take quite some time because it overwrites the partition with random data before it does anything else.

Once luks-format has been run, a device mapper entry should exist in /dev/mapper. This device may be mounted as any other appropriate block device:

mount /dev/mapper/luks_crypto_f20d9b37-ebe6-42c9-9665-CV035a81f0f3 /mnt

A volume that has already been initialized with a LUKS header and formatted may be mounted as follows:

luks-setup /dev/sda4
mount /dev/mapper/luks_crypto_f20d9b37-ebe6-42c9-9665-cb035a81f0f3 /mnt

magic_numbers

Thu, 12 Mar 2020 09:02:58 -0400

A collection of magic numbers for Ian Darwin's file implementation.

Maven

Thu, 12 Mar 2020 09:02:58 -0400

Building a JAR with dependencies

<build>
	<plugins>
		<plugin>
			<groupId>org.apache.maven.plugins</groupId>
			<artifactId>maven-dependency-plugin</artifactId>
			<executions>
				<execution>
					<id>copy-dependencies</id>
					<phase>prepare-package</phase>
					<goals>
						<goal>copy-dependencies</goal>
					</goals>
					<configuration>
						<outputDirectory>${project.build.directory}/lib</outputDirectory>
						<overWriteReleases>false</overWriteReleases>
						<overWriteSnapshots>false</overWriteSnapshots>
						<overWriteIfNewer>true</overWriteIfNewer>
					</configuration>
				</execution>
			</executions>
		</plugin>
		<plugin>
			<groupId>org.apache.maven.plugins</groupId>
			<artifactId>maven-jar-plugin</artifactId>
			<configuration>
				<archive>       
					<manifest>              
						<addClasspath>true</addClasspath>
						<classpathPrefix>lib/</classpathPrefix>
						<mainClass>full.path.to.MainClass</mainClass>
					</manifest>
				</archive>
			</configuration>
		</plugin>
	</plugins>
</build>

Mimic

Thu, 12 Mar 2020 09:02:58 -0400

The Mimic Xen host is capable of efficiently running a number of virtual machines. If you are reinstalling over an existing host, then you will first need to backup

the Xen domains’ disk images,
the Xen domains’ configurations,
data on partitions that are passed through to Xen domains (e.g., using rsync --inplace --delete -aHA * /BACKUP-DISK-MOUNT-POINT),
/etc/NetworkManager/system-connections/*, and
a public SSH key.

To ensure a GPT partition label, even on disks less than 2 GB, provide the inst.gpt argument to the Fedora installer’s boot process. Set aside partitions for any virtual machines that will require direct disk access; I used the following scheme:

Partition	Type	Mount point	Name	Size
1	BIOS boot	n/a	n/a	1,024 KiB
2	Standard/ext4	/boot	boot	1,024 MiB
3	btrfs (single subvolume)	/	root	200 GiB
4	Standard/ext4	n/a	herald	1.25 TiB
5	Standard/ext4	n/a	golem	Remaining space

Perform a minimal Fedora install on the computer. After finishing the install, complete the following steps:

Review the host’s BIOS/firmware menu to ensure its virtualization instructions are active.
Add nomodeset to the kernel’s command-line arguments if necessary (/etc/default/grub).
The combination of Xen and AVX2 instructions presents a vulnerability when using some CPUs under certain circumstances. RHEL 10 and compatible distributions require the AVX2 instructions. Add GRUB_CMDLINE_XEN_DEFAULT="spec-ctrl=gds-mit=no" to /etc/default/grub to turn off the related mitigation and enable AVX2 instructions.
During the Fedora install:
1. Set the hostname to mimic.flyn.org.
2. Activate the root account, and set its password.
3. Select the minimal install package set.
4. Set the timezone.
5. Layout the disk as described above, taking care to ensure the partition numbers are assigned as indicated.
Remove the firewalld-filesystem, firewalld, and systemd-resolved packages.
Run dnf update.
Install Xen, syslog-ng, net-tools, and the network bridge utilities: dnf install xen grub2-efi-modules syslog-ng net-tools bridge-utils.
Install a public SSH key, deactivate password-based SSH logins, and run systemctl restart sshd.
Configure syslog-ng (replace the host names that use example.com):
1. Generate an internal-CA-signed certificate for mimic.example.com.
2. Place the CA certificate at /etc/pki/ca-trust/source/anchors/ca.cert.
3. Identify the CA certificate’s hash by running openssl x509 -hash -noout -in ca.cert.
4. Link ca.cert to hash.0, where hash is the value from the previous step.
5. Place the host’s certificate and private key in /etc/pki/syslog-ng/.
6. Restrict the permissions on the private key.
7. Write the following to /etc/syslog-ng/syslog-ng.conf (replace the host names that use example.com):

@version: 3.35
@include "scl.conf"

options {
	flush_lines (0);
	time_reopen (10);
	log_fifo_size (1000);
	chain_hostnames (off);
	use_dns (no);
	use_fqdn (no);
	create_dirs (no);
	keep_hostname (yes);
};

source s_sys {
	system();
	internal();
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_net {
	syslog("logserver.example.com" port(6514)
		transport("tls")
		tls(
			ca-dir("/etc/pki/ca-trust/source/anchors")
			cert-file("/etc/pki/syslog-ng/mimic.flyn.org.cert")
			key-file("/etc/pki/syslog-ng/mimic.flyn.org.key")
		)
	);
};

filter f_kernel    { facility(kern); };
filter f_default   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth      { facility(authpriv); };
filter f_mail      { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot      { facility(local7); };
filter f_cron      { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_net); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_net); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_net); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_net); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_net); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_net); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_net); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_net); destination(d_cron); };

@include "/etc/syslog-ng/conf.d/*.conf"

Configure a Xen network bridge device for each network interface on Mimic; for example /etc/NetworkManager/system-connections/xenbr0.nmconnection (replace xenbr0 and XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, and set method to auto if you would like to assign an IP address):

[connection]
id=xenbr0
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
type=bridge
interface-name=xenbr0

[bridge]
stp=false

[ipv4]
method=auto

[ipv6]
dhcp-iaid=mac
method=auto

Ensure this file is owned by root and bears the permissions 0600.

Configure each network interface on Mimic; for example /etc/NetworkManager/system-connections/bridge-slave-eno0.nmconnection (replace eno0, XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, and xenbr0):

[connection]
id=bridge-slave-eno0
uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
type=ethernet
interface-name=eno0
master=xenbr0
slave-type=bridge

Ensure this file is owned by root and bears the permissions 0600.

Place Xen guest configurations in /etc/xen, create links to /etc/xen/auto, and place guest disk images in /var/lib/xen/images. Here is an example guest configuration which boots an OpenWrt installation (replace guest and xx:xx:xx:xx:xx:xx):

name    = "guest"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr1,mac=xx:xx:xx:xx:xx:xx" ]
disk    = [ 
  "tap2:tapdisk:aio:/var/lib/xen/images/guest-openwrt-15.05.1-x86-64-combined-ext4.img,xvda,w",
  "tap2:qcow:/var/lib/xen/images/guest-data.qcow,xvdb,w"
          ]
serial  = "pty"

Allow xenstored to run under SELinux’s policy by running setsebool -P domain_can_mmap_files=true.
Ensure the Xen hypervisor is the default boot selection:

grub2-set-default "Fedora, with Xen hypervisor"
grub2-mkconfig -o /boot/grub2/grub.cfg

Optionally restore the backed up data from the previous install.

mkCDrec-0.4.9-flyn

Thu, 12 Mar 2020 09:02:58 -0400

mkCDrec-0.4.9-flyn

Development of Gratien D'haese's Make CD-ROM Recovery utility is now performed using SourceForge. I have been given write access to the project's CVS tree, so you can get my contributions there.

mkCDrec2

Thu, 12 Mar 2020 09:02:58 -0400

Overview

This is the second version of Gratien D’haese’s mkCDrec. This version adds support for OpenBSD, doing so in such a way that should make adding support of other platforms easier.

I recommend using livecd-tools on Fedora Linux and no longer maintain the mkCDrec2 package.

movespam-arbitrary-headers

Thu, 12 Mar 2020 09:02:58 -0400

movespam-arbitrary-headers

A patch for the movespam Roundcube plugin which modifies the plugin to permit moving spam messages based on an arbitrary IMF header.

NAT

Thu, 12 Mar 2020 09:02:58 -0400

Basic configuration using iptables

Perform the following steps to provide NAT routing on a Linux computer using iptables (replace wls3 with your Internet-facing interface and em1 with your private-network-facing interface):

sysctl net.ipv4.ip_forward=1
ip addr add W.X.Y.Z/N dev em1
iptables -t nat -A POSTROUTING -o wls3 -j MASQUERADE
iptables -A FORWARD -i wls3 -o em1 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip tables -A FORWARD -i em1 -o wls3 -j ACCEPT

Basic configuration using iptables

If you run firewalld, then you can substitute the following command:

firewall-cmd --add-masquerade

Configuration using a WiFi Internet connection and firewalld without NetworkManager

On a smaller computer or device, you might not have NetworkManager installed. These instructions demonstrate how to configure a WiFi adapter to use WPA, and then how to use this device to perform NAT when firewalld is installed.

wpa_passphrase ESSID >> /etc/wpa_supplicant/wpa_supplicant.conf (replace ESSID).
/etc/sysconfig/wpa_supplicant (replace EXTNETIF with your external network interface):

INTERFACES="-iEXTNETIF"

/etc/sysconfig/network-scripts/ifcfg-ESSID (replace ESSID and EXTMACADDRESS):

HWADDR=EXTMACADDRESS
MODE=managed
ESSID=EECSDS3
BOOTPROTO=dhcp
DEFROUTE=yes
ZONE=external
ONBOOT=yes

/etc/sysconfig/network-scripts/ifcfg-INTNETIF (replace INTNETIF and INTMACADDRESS):

HWADDR=INTMACADDRESS
BOOTPROTO=none
IPADDR=10.0.0.1
NETMASK=255.255.255.0
ZONE=internal
ONBOOT=yes

The use of the ZONE keyword above causes ifup to run following commands when bringing up the interfaces:

firewall-cmd --zone=external --change-interface=EXTNETIF
firewall-cmd --zone=internal --change-interface=INTNETIF

nautilus_scripts

Thu, 12 Mar 2020 09:02:58 -0400

Overview

This package contains several nautilus scripts to do various fun things with your files.

burn_cd_cue: Burns a cdrdao CUE file to disc.
burn_dir: Burns directory to disc.
mail_file: Send files by email. May transform files if necessary. For example, images a shrunk to 640x480 scale.
make_svcd_image: Creates an SVCD image from video files.
make_vcd_image: Creates an VCD image from video files.
new_extension: Prompts for a filename extension and renames files using that extension.
print: Prints files.
push_file: Uses scp to copy files to another host.
rotate_image: Rotates images clockwise or counter-clockwise.
search_n_replace: Searches files for a regular expression and replaces it with a string.
set_read_only: Sets files read-only.

Nasty Details

Install the scripts in ~/.gnome2/nautilus-scripts and let 'er rip.

nautilus_thumbnailers

Thu, 12 Mar 2020 09:02:58 -0400

Overview

This package provides scripts to generate thumbnails for several file formats commonly used in the GNOME environment. When using these scripts with the nautilus file manager, for example, icons for PDF files will present the same appearance as the document itself. This has long been the case with images, but this package extends this technique to formats like PDF, PostScript and GIMP XCF.

Nasty Details

This package provides a gconf schema and several scripts. The schema tells GNOME filemanagers like nautilus of the scripts' existance. The scripts do the dirty work of creating 128x128 pixel PNG thumbnails for documents at the file manager's request.

ncpfs-2.2.0.19-env

Thu, 12 Mar 2020 09:02:58 -0400

ncpfs-2.2.0.19-env

A patch for ncpfs 2.2.0.19.10 that adds the ability to read passwords from the environment variable PASSWD to ncpmount. This makes ncpmount play nicely with pam_mount.

Because environment variables are not a safe way to transmit passwords, pam_mount now uses a new technique. This patch is no longer required. All that is required is ncpfs >= 2.2.0.19.10.

netatalk-2.0.4-crosscompile

Thu, 12 Mar 2020 09:02:58 -0400

netatalk-2.0.4-crosscompile

Fixes Netatalk's configure script to support building in a cross-compile environment.

Network monitoring

Thu, 12 Mar 2020 09:02:58 -0400

yum install nagios.
Start the httpd and nagios services.
Set the Nagios administrator password using htpasswd -c /etc/nagios/passwd nagiosadmin.
Define the network to be monitored by editing Nagios' configuration files. You can place your configuration in /etc/nagios/conf.g/*foo.cfg*. For example, the following will define a host named smtp.example.com and also check that smtp.example.com is providing an SMTP service:

define host {
	use			linux-server
	host_name		smtp.example.com
	address			10.1.10.1
}

define service {
	use			generic-service
	host_name		smtp.example.com
	service_description	SMTP
	check_command		check_smtp
	notifications_enabled	0
}

Load http://localhost/nagios in a browser. (Note securing Nagios so that it can be accessed away from localhost is beyond the scope of these notes.)

Fedora packages plugins such as check_smtp separately from the core Nagios package installed above. The following packages provide common plugins:

Plugin package	Use
nagios-plugins-ping	Check the availability of a host using ICMP
nagios-plugins-tcp	Check the availability of common Internet services including FTP and IMAP
nagios-plugins-http	Check the availability of a HTTP/HTTPS service
nagios-plugins-smtp	Check the availability of a SMTP service
nagios-plugins-dns	Check the availability of a DNS service

Network monitoring

Thu, 12 Mar 2020 09:02:58 -0400

Monitoring a network from the command line

It is often convenient to monitor a network from the command line. For example, the use of command-line tools allows you to log into an OpenWrt router remotely in order to diagnose a network performance problem. Here I describe how to use some common open-source tools.

Bmon

Bmon monitors the use of a network interface in aggregate; it provides real-time information about the utilization of the network interfaces in a computer. After running bmon, you will likely want to press d and g to provide a detailed and graphical display, respectively. The graphical display plots utilization over time.

Iftop

Iftop helps determine the degree to which individual connections are using the network. For example, running iftop -i eth0 -P will show the connections making use of the interface eth0. Each measurement is displayed using two lines, which represent the two directions of communication. Behind each line, iftop displays, using a highlight, a bar which is proportional to the percentage the respective connection represents of the total network utilization (the unit for each bar is some degree of bits per second).

Throughput tests

Services like Speedtest.net allow you to measure the throughput of your network connection, but are generally designed for use with a web browser. The command-line tool speedtest-cli allows you to interact with Speedtest.net’s measurement servers. For an even lighter-weight solution, first obtain the list of Speedtest.net servers at http://www.speedtest.net/speedtest-servers.php. Next, choose a nearby server from the list and run time wget http://sto-chic-01.sys.comcast.net/speedtest/random4000x4000.jpg -O /dev/null.

NetFlow

Installing softflowd on a device that has visibility of your network allows that device to provide NetFlow data representing its observations (see beholder). Nfcapd can receive such a NetFlow stream and store it to disk (see golem). The nfdump utility will print stored NetFlow data in human-readable form. Here are some useful invocations of nfdump:

Print first five flows of month

nfdump -R . -c 5 -t 2020/01

Print first five flows of date range

nfdump -R . -c 5 -t 2020/01/01-2020/01/07

Print first five flows of time period

nfdump -R . -c 5 -t 2020/01/01.12-2020/01/01.13

Top users of upload bandwidth

nfdump -R . -s srcip/bytes -L +10M 'src net 192.168.1.0/24'

Top users of download bandwidth

nfdump -R . -s dstip/bytes -L +10M 'dst net 192.168.1.0/24'

Biggest download sources off local network

nfdump -R . -s srcip/bytes -L +10M 'not src net 192.168.1.0/24'

Ethtool

Running ethtool eth0 will describe the interface eth0, including the connection speed of the interface.

NTP

Thu, 12 Mar 2020 09:02:58 -0400

These instructions describe how to configure ntpd across the 10.0.0.0/24 subnet so that one host, NTP.EXAMPLE.COM, acts as the subnet’s NTP server. We make use of ntpd instead of chrony.

On each host:

rpm -e chrony.
yum install ntp.
Hosts other than NTP.EXAMPLE.COM should only permit NTP connections from localhost. In these cases, merely replace the server statements in /etc/ntp.conf with one that references your NTP server, NTP.EXAMPLE.COM.
Start the ntpservice.

On NTP.EXAMPLE.COM, follow the steps above, except:

Set server to point to the upstream NTP host.
Set restrict *10.0.0.0* mask *255.255.255.0* nomodify notrap.
Run firewall-cmd --permanent --add-service=ntp
Run firewall-cmd --permanent --add-service=ntp --permanent

openpam-20030502-openbsd

Thu, 12 Mar 2020 09:02:58 -0400

openpam-20030502-openbsd

A patch for OpenPAM. When applied, OpenPAM should build on OpenBSD. The patch also fixes a few bugs in OpenPAM's su.

openssh-2.9p2-quiet

Thu, 12 Mar 2020 09:02:58 -0400

openssh-2.9p2-quiet

A trivial patch for openssh which makes the -q quiet mode a little more quiet. I wrote this because I was tired of cron emailing unnecessary error output from ssh every time ssh was run.

OpenWrt-based DHCP/DNS server

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build a simple DHCP/DNS server on top of OpenWrt. We assume you already have a working OpenWrt installation and that you have configured basic networking (/etc/config/network) and the host’s name (/etc/config/system).

The following will configure dnsmasq to provide DHCP (assigning .1–.100), and DNS (e.g., assigning the hostname server.example.com to the computer with MAC address aa:bb:cc:dd:ee:ff). The DNS service will also resolve the local host’s name, as set in /etc/config/system.

config dnsmasq
	option domainneeded '1'	
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/example.com/'
	option domain 'example.com'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option server '192.168.1.1' # Upstream DNS.

config dhcp 'lan'
	option interface 'lan'
	option start '1'
	option limit '100'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	list dhcp_option '3,192.168.1.1' # Default gateway.
	list dhcp_option '121,192.168.0.0/16,192.168.1.1' # A static route.

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config host
	option name 'server.example.com'
	option ip '192.168.1.101'
	option mac 'aa:bb:cc:dd:ee:ff'

OpenWrt-based FTP server

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build a simple FTP server on top of OpenWrt. We assume you already have a working OpenWrt installation and that you have configured basic networking (/etc/config/network) and the host’s name (/etc/config/system).

Install the following packages:

zlib
libopenssl
vsftpd-tls
openssh-keygen
openssh-server
openssl-util

Remove the dropbear package
Take care to set the root password.
Create the directory /home/ftp.
Add a new user to the system, setting his home directory to /home/ftp and his shell to /bin/false.
Set the new user’s password.
Configure cleartext FTP: write the following to /etc/vsftpd.conf:

background=YES
listen=YES
anonymous_enable=YES
write_enable=NO
local_umask=022
check_shell=NO
local_root=/home/ftp
session_support=NO

Configure ciphertext SFTP: write the following to /etc/ssh/sshd_config:

AuthorizedKeysFile	.ssh/authorized_keys
UsePrivilegeSeparation	sandbox
Subsystem		sftp internal-sftp

Match User *
	ChrootDirectory 	%h
	AllowTCPForwarding 	no
	X11Forwarding		no
	ForceCommand		internal-sftp

openwrt-build

Thu, 12 Mar 2020 09:02:58 -0400

The openwrt-build script builds an OpenWrt disk image from a JSON-encoded definition. See definitions/example.json for one such definition.

Aside from example.json, you can provide openwrt-build with a diffconfig definition and one or more directory structures which openwrt-build will add to the disk image. For example,

./openwrt-build -c example.json files/

where files/ contains

etc/dropbear/authorized_keys

will produce an OpenWrt image to which the owner of the public key in authorized_keys can connect using SSH.

You can also specify a post-install script using the ‘-p’ option. The openwrt-build script will arrange for this script to run the first time a VM boots the image.

The default diffconfig causes openwrt-build to build an x86_64 image. You can provide an alternative diffconfig using the ‘-d’ option. See diffconfig/example.

The openwrt-build script also generates a file named vm-[NAME].cfg which defines a Xen domain which will boot the generated disk image. For quick tests, you might also want to run the disk image using QEMU; you can do this by executing:

qemu-system-x86_64 -hda [IMAGE.img] -net nic -net user -m 512 -localtime

The openwrt-build project is available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/openwrt-build

osdd

Thu, 12 Mar 2020 09:02:58 -0400

Osdd polls one's mixer device and provides an on-screen display when the mixer's volume levels change. It requires XOSD, which is available at http://www.ignavus.net/software.html.

This application has been superseded by osdsh.

Packets

Thu, 12 Mar 2020 09:02:58 -0400

Print a summary of the transmitting hosts present in the output from tcpdump:

tcpdump >packet-summaries
[Ctrl-C]
cat packet-summaries | egrep ^.{16}IP | awk '{ print $3 }' | sed 's/\(.*\)\..*/\1/g' \
                     | sort | uniq -c | sort -n

pam_ccreds-ccreds_chkpwd

Thu, 12 Mar 2020 09:02:58 -0400

pam_ccreds-ccreds_chkpwd-4.patch

A patch for pam_ccreds that adds a setuid helper utility. This allows portions of the PAM module to execute with higher privileges than the calling application (e.g., xscreensaver).

pam_keyring

Thu, 12 Mar 2020 09:02:58 -0400

A component of the GNOME Keyring now includes functionality based on pam_keyring. As a result, pam_keyring is now no longer maintained. See https://gitlab.gnome.org/GNOME/gnome-keyring.

pam_mount

Thu, 12 Mar 2020 09:02:58 -0400

The pam_mount module is now maintained by Jan Engelhardt and is available at http://pam-mount.sourceforge.net/.

Administrator’s Guide to Linux in the Windows Enterprise

Jan 1, 2003

Cite

Downloads

pam-0.75-devfsd

Thu, 12 Mar 2020 09:02:58 -0400

pam-0.75-devfsd

A patch for devfsd that allows it to work nicely with pam_console.

pedansee

Thu, 12 Mar 2020 09:02:58 -0400

Pedansee checks C source files for compliance with a particular programming style. The style is currently defined by the pedansee source code in the form of functions which walk each source file’s syntax tree. You can modify some aspects of this style through the use of regular expressions.

For example, given the following silly program stored at silly.c:

#include <stdio.h>
#include <glib.h>

float pi = 3.14;

static void foo(void)
{
}

int main(int argc, char *argv)
{
	foo();
	g_print("Hello, world!\n");
}

you could run pedansee in the following way, producing the indicated effect:

$ pedansee silly.c -- -I/usr/include/glib-2.0/ -I/usr/lib64/glib-2.0/include/
silly.c:4:7 id pi does not start with silly_
silly.c:6:13 static id silly does not start with '_'
silly.c:6:13 function silly name not on column one
silly.c:10:5 function main name not on column one

Pedansee prefers that silly.c instead contain:

#include <stdio.h>
#include <glib.h>

float silly_pi = 3.14;

static void
_foo(void)
{
}

int
main(int argc, char *argv)
{
	_foo();
	g_print("Hello, world!\n");
}

Pedansee supports configuration files which allow you to configure some aspects of its style. For example, the following pedansee.conf defines the form static, constant, and exported symbols must follow:

[regex]
        const = [A-Za-z_]*
        static = _[A-Za-z_]*
        exported = [^_][A-Za-z_]*

The pedansee project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/pedansee

plip-slow

Thu, 12 Mar 2020 09:02:58 -0400

plip-slow

A patch for the PLIP driver contained in the 2.4.3 version of the Linux kernel. This patch allows one to use PLIP with computers which have an interrupt-less parallel port and a slow processor. The stock PLIP driver constantly times out on my 80486-based laptop. This patch adds the ability to specify two key values, trigger_wait and nibble_wait, when loading the PLIP driver.

Using this patch and adding the following entry to the modules.conf file on the computers on either side of my PLIP link makes the connection work nicely:

 ## Because my laptop is so slow.
options plip                    trigger_wait=50000 nibble_wait=300000

print_filter

Thu, 12 Mar 2020 09:02:58 -0400

Print_filter is a simple filter which handles several file formats. Print_filter is designed to be as simple as possible, allowing one to easily modify or expand the source code.

Print_filter was originally written out of frustration with Red Hat's print filter, which was difficult to modify without using its GUI tools. Print_filter is small, simple, and easy to work with on a console system.

Profiling programs

Thu, 12 Mar 2020 09:02:58 -0400

Profiling using operf

Ensure you have access to your kernel’s debug symbols. On Fedora, you can install these symbols with sudo debuginfo-install kernel.
Run sudo operf --system-wide --vmlinux /usr/lib/debug/lib/modules/KERNEL-VERSION/vmlinux, execute your experiments, and press Ctrl-C.
Run opreport -l.

Profiling using gprof

Run a program and its children while collecting profiling data:

Compile with GCC’s -pg flag.
Run with GMON_OUT_PREFIX=prefix ./a.out.
Run gprof a.out prefix.PID.

Pylog

Thu, 12 Mar 2020 09:02:58 -0400

Pylog is a Python module which gives one access to a Prolog interpreter. Pylog simply executes a Prolog interpreter process, communicates with it using pipes, and provides a simple API for communicating with it.

The gocept company has modified Pypvm to work with newer versions of SWI Prolog.

pypvm

Thu, 12 Mar 2020 09:02:58 -0400

Pypvm is a Python module that allows interaction with the Parallel Virtual Machine (PVM) package. PVM allows a collection of computers connected by a network to serve as a single parallel computer.

Pypvm is intended to be an educational and prototyping tool.

Greg Baker has taken over the maintenance of pypvm. One can now find the up to date pypvm source code at http://pypvm.sourceforge.net.

pypvm-0.8.7.tar.gz

qtutils

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Qtutils currently contains the following applications:

qtsg: Generates a QuickTime video from image files and a soundtrack.
qtconv: Changes the codec used by a QuickTime video.
qtsplit: Splits a QuickTime file into smaller files.
mpegize: A script which generates an MPEG stream from QuickTime input.
vcdize: A script which generates a Video CD disc image from QuickTime input.
screenqt: A script which generates a QuickTime file from a series of screenshots.

Details

ima4: The ima4 compressor reduces 16 bit audio data to 1/4 size, with very good quality. This is the preferred codec for low bandwidth audio.
raw: Unsigned 8 bit encoding.
twos: Twos is the preferred encoding for audio. It stores 8, 16, and 24 bit audio, interleaved for multiple channels. The 8 bit mode is signed. The 16 and 24 bit modes are big endian signed.

raw: RGB packed frames.
jpeg: JPEG is preferred for low bandwidth video. This format writes a seperate JPEG photo for every frame.
mjpa: MJPA stores each frame as two JPEGs, interlaced. The real advantage is that it can split compression and decompression across 2 processors, doubling the frame rate.
png: This consists of one PNG image for every frame. Like ram this codec supports 32 bit depths.
yuv2: The human eye percieves brightness much more accurately than colors. YUV2 downsamples the color components by 50% for a total compression of 33% with virtually no image degredation. This is preferred for intermediate storage. YUV2 is sometimes called Component video.
yuv4: YUV4 is planar YUV, identical to MPEG. It downsamples the color components by 75% for a total 50% compression. This is the preferred intermediate format for working with MPEG.

Currently, qtsg can take JPEG images and Ogg Vorbis audio files as input. It renders a QuickTime video with JPEG encoded video frames and raw audio frames. This output is suitable for encoding into MPEG with MJPEG tools.

quicktime4linux-010401-build

Thu, 12 Mar 2020 09:02:58 -0400

quicktime4linux-010401-build

A patch for Heroine Virtual's QuickTime for Linux library which, in my opinion, improves its build process. The project now uses autoconf, automake, etc. and shared libraries and RPMs are now easily built. The mainstream distribution includes copies of libraries such as libdv to build; this patch causes QuickTime for Linux to build against shared libraries already existing on a system.

The Libquicktime project now exists to bring some modern features to QuickTime for Linux. These include the same build process changes that are in my patch.

Red Hat Enterprise Linux without root

Thu, 12 Mar 2020 09:02:58 -0400

Replacing GNOME’s metacity and gnome-panel with the awesome window manager

Build confuse and imlib2 from within their respective source directories using:

./configure --prefix=$HOME/Root --disable-shared
make all install

Build awesome from within its source directory using:

PKG_CONFIG_PATH=$HOME/Root/lib/pkgconfig ./configure --prefix=$HOME/Root

Add $HOME/Root/bin to your .bash_profile/.bashrc.
Set the contents of $HOME/.local/share/applications/awesome.desktop to:

[Desktop Entry]
Version=1.0
Type=Application
Name=Awesome
Comment=The awesome launcher!
TryExec=awesome
Exec=awesome

Use gconf-editor to:

edit the values at /desktop/gnome/session/required_components_list, ensuring only windowmanager and terminal are present,
set the value of /desktop/gnome/session/required_components/windowmanager to awesome, and
set the value of /desktop/gnome/session/required_components/terminal to gnome-terminal.

rhythmbox-libdmapsharing

Thu, 12 Mar 2020 09:02:58 -0400

0001-Patch-to-replace-DAAP-related-code-with-libdmapshari.patch.gz

Patch to replace DAAP-related code in Rhythmbox with libdmapsharing.

scald

Thu, 12 Mar 2020 09:02:58 -0400

Overview

Scald can assist lazy developers. Scald is a tool to generate program code from an HTML-like XML description. For example, scald will process an XML description into C code that prints an HTML form and saves user input data into a configuration file.

Details

There are many XSLT processors available to developers. The following examples use xmllint from libxml2 and xsltproc from libxslt. Here is example.xml, an example XML document that follows the scald schema:

<?xml version="1.0"?>

<!DOCTYPE webapp PUBLIC "-//Flyn Computing//DTD Scald XML Unstable//EN"
                        "http://www.flyn.org/xml/dtd/unstable/webapp.dtd">

<webapp name="/cgi-bin/example.cgi" short-name="example" description="Example">

	<form name="example" save-data-as="config" save-to-dir="/tmp/">
		<input name="example-input" type="text" label="Example Input"/>
		<submit value="Save"/>
	</form>

</webapp>

The file example.xml may be validated with the command xmllint –noout example.xml and processed with xsltproc http://www.flyn.org/xml/xslt/unstable/webapp-c.xslt example.xml. The result will be several functions, written in C:

void print_form(char *sidebar): Creates and prints an HTML form, selecting default values from a configuration file, if available.
void save_data(s_cgi *cgi): Reads a form and saves its values to a configuration file or spool.
char *get_post_mode(s_cgi *cgi): Returns the CGI mode of execution.

After you process an XML file to generate C code, you should write a main function that calls these three functions. One useful technique is to write a system configuration daemon. After running save_data, the main function may notify this daemon, which will then reconfigure a system service based on the updated configuration file (it may be a bad idea to allow your webserver the rights required to update system configurations directly).

The scald schema also allows for dependencies between inputs. For example, the fragment below describes an input, password, that is only enabled if another input, authenticate, is selected. This dependency is enforced by Javascript code that scald automatically generates.

<input name="authenticate" type="checkbox" label="Use Authentication"/>
<input name="password" type="password" label="Password"
       enabled-by="document.formname.authenticate"/>

The call-print- entites allow one to generate custom HTML at run runtime. The following fragment indicates that options should be generated at runtime by a custom function:

<form name="initialize" save-data-as="config" save-to-dir="/tmp/">
	<select name="device">
		<call-print-options-fn/>
	</select>
</form>

Scald will generate code that expects the function print_document_initialize_device_options() to be defined in a separate file and linked against the C output that scald generates. Here is a simple implementation of print_document_initialize_device_options():

void print_document_initialize_device_options(char *obj)
{
        printf("<option value=\"foo\">Foo</option>");
	printf("<option value=\"bar\">Bar</option>");
}

A more general-purpose entity is call-print-input-fn. This may be used to generate any HTML input tags:

<form name="initialize" save-data-as="spool" save-to-dir="/tmp/">
	<call-print-input-fn name="example"/>
</form>

This requires one to define both a print and save function:

void save_to_spool_document_initialize_example_input(s_cgi *cgi,
                                                     char *dir, char *obj)
{
	/* Code to read data from s_cgi *cgi and write it to spool file
	 * in char *dir
	 */
}

void print_document_initialize_example_input(char *obj)
{
	/*  Code to print HTML form */
}

The onclick option is available to the input tag. This may be set to a Javascript function that will execute when the input is clicked. The Javascript function may be either provided by the XML document or dynamically generated using a call-print- entity as in the following example:

<form name="initialize" save-data-as="config" save-to-dir="/tmp/">
	<input label="Host" name="destination" value="host" type="radio" onclick="populate_with_hosts"/><br/>
	<input label="Disk" name="destination" value="disk" type="radio" onclick="populate_with_disks"/><br/>
	<select label="Destination" name="dest">
		<call-print-options-fn/>
	</select>
</form>

The following is the implementation that will be called by the code generated by the call-print-options-fn entity. It prints the two Javascript functions that are referenced by the onclick options above. It also calls the populate_with_hosts function that it defines in order to initially populate the options list. Clicking between the radio buttons defined above will switch the options available.

void print_document_initialize_dest_options(char *obj)
{
        printf ("<script type=\"text/javascript\">");
	printf ("function populate_with_hosts() {");
	printf ("document.backup.dest.length = 0;");
	/* C Code to print Javascript that assigns hosts, e.g.: */
	for (i = 0; i < num_opts; i++) {
		printf ("%s[%d] = new Option(\"%s\", \"%s\", false);\n", obj, 
			i, "example.com", "example.com");
	}
	if (0 == i) {
		printf("for (i = %s.options.length; i >= 0; i--) { 			%s[i] = null; 			}\n", obj, obj);
	}
	printf ("}");
	printf ("function populate_with_disks() {");
	printf ("document.backup.dest.length = 0;");
	/* Code to print disks */
	printf ("}");
	printf ("populate_with_hosts(%s);", obj);
	printf ("</script>");
}

SDL-1.2.5-devfs

Thu, 12 Mar 2020 09:02:58 -0400

SDL-1.2.5-devfs

A patch for SDL that fixes support for Linux's modern joystick device names (/dev/input/js?).

SDL-20020602-screensaver

Thu, 12 Mar 2020 09:02:58 -0400

SDL-20020602-screensaver

A patch for SDL. When applied, SDL provides a cross-platform means of enabling and disabling screensavers.

SELinux

Thu, 12 Mar 2020 09:02:58 -0400

Activating and deactivating SELinux

A Linux kernel which supports SELinux can assume three modes: enforcing, where the kernel enforces the SELinux policy; permissive, where the kernel loads the policy but does not enforce its constraints; and disabled, where the kernel completely disables SELinux. Avoid the disabled mode because it can result in a mislabeled system which will not function if SELinux is reactivated. You can deactivate or activate enforcing mode temporarily by running the following commands:

setenforce 0
setenforce 1

The command getenforce will print the current enforcing status.

You can configure the SELinux mode which the kernel will adopt upon booting by editing /etc/syslinux/selinux.

SELinux labels

Under SELinux, system objects bear labels. You can use the standard Linux utilities to inspect these labels. Here are some examples:

Display the labels of filesystem nodes:

ls -Z

Recursively modify the label of part of the filesystem, and update the policy to retain the labels through a relabel:

chcon -v -R --type=mytype_file_t /path/to/branch
semanage fcontext -a -t mytype_file_t "/path/to/branch(/.*)?"

Restore the label of a filesystem node to the path’s SELinux policy default:

restorecon -v myfile.txt

Relabel the entire filesystem according to the SELinux policy:

touch /.autorelabel
reboot

Display the labels of TCP and UDP ports:

semanage port -l

Modify the label of a port:

semanage port -a -t mytype_port_t -p tcp 8080

Display the domains of running processes:

ps auxZ

Note that the domain a running process adopts is a function of the parent process’s domain, the label of the process’s program on disk, and the SELinux policy. One of these must be changes to modify the domain a process will run in.

SELinux booleans

The kernel permits the customization of many details about its SELinux policy through the use of boolean flags. To list the available booleans, along with their current status, run:

getsebool -a

You can modify a boolean by running statements such as:

setsebool -P httpd_can_network_connect_db on

Writing SELinux policy modules

Booleans only help tailor a policy to do things the original policy authors intended. When installing an uncommon program, an administrator might need to write an entirely new policy module. Here is a sample program in C, setoy.c, which we would like to constrain using a custom SELinux policy module:

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[])
{
	int val;
	FILE *f = NULL;
	char buf[BUFSIZ];
	char *ptr = NULL;

	f = fopen ("setoy.txt", "r+");
	if (NULL == f) {
		perror("Could not open setoy.txt");
		exit(EXIT_FAILURE);
	}

	ptr = fgets(buf, BUFSIZ, f);
	if (NULL == ptr) {
		perror("Could not read setoy.txt");
		exit(EXIT_FAILURE);
	}

	val = fprintf(f, "%s\n", "Goodbye, cruel world!");
	if (val < 0) {
		perror("Could not write setoy.txt");
		exit(EXIT_FAILURE);
	}

	val = fclose(f);
	if (val != 0) {
		perror("Could not close setoy.txt");
		exit(EXIT_FAILURE);
	}

	f = fopen ("setoy2.txt", "w");
	if (NULL == f) {
		perror("Could not open setoy2.txt");
		exit(EXIT_FAILURE);
	}

	val = fprintf(f, "%s\n", "Goodbye, cruel world!");
	if (val < 0) {
		perror("Could not write setoy2.txt");
		exit(EXIT_FAILURE);
	}

	val = fclose(f);
	if (val != 0) {
		perror("Could not close setoy2.txt");
		exit(EXIT_FAILURE);
	}

	printf("All system calls succeeded: success (or failure?)\n");
	printf("Press enter to exit ");

	getchar();

	exit(EXIT_SUCCESS);
}

Here is a policy which constrains the program, mysetoy.te:

policy_module(mysetoy, 1.0.0)

# Must require any core policy definitions you use. This is similar to
# an import in Java or #include in C.
require {
	attribute file_type;
	type unconfined_t;
	role unconfined_r;
	type user_devpts_t;
	type user_home_t;
	type fs_t;
	class dir search;
	class chr_file { read write append getattr };
	class filesystem associate;
}

# ==============================================================================
# | Declare a number of types                                                  |
# ==============================================================================
type mysetoy_t;                 # The type we will assign to mysetoy processes.
type mysetoy_file_t, file_type; # Will assign to files mysetoy can read/write.
type mysetoy_exec_t;            # Will assign to the mysetoy program on disk.

# ==============================================================================
# | Allow/cause unconfined_t-domain processes to run mysetoy in mysetoy_t      |
# | domain.                                                                    |
# ==============================================================================
domain_type(mysetoy_t)
domain_entry_file(mysetoy_t, mysetoy_exec_t)
role unconfined_r types mysetoy_t;
type_transition unconfined_t mysetoy_exec_t:process mysetoy_t;

# ==============================================================================
# | Now we decide what SELinux will permit mysetoy to do.                      |
# ==============================================================================
# Allow mysetoy_t domain to read and write file objects labeled with mysetoy_file_t.
allow mysetoy_t mysetoy_file_t:file { open read write };

# Allow mysetoy_t domain to read and write the console.
allow mysetoy_t user_devpts_t:chr_file { read write append getattr };

# Allow mysetoy_t domain to enumerate contents of a directory in ~.
allow mysetoy_t user_home_t:dir search;

# Allow mysetoy_t domain to create a file in ~ ...
allow mysetoy_t user_home_t:dir { write add_name create };
allow mysetoy_t mysetoy_file_t:file { create };

# ... and ensure it bears the label mysetoy_t.
allow mysetoy_t fs_t:filesystem associate;
filetrans_pattern(mysetoy_t, user_home_t, mysetoy_file_t, file)

You can compile an SELinux policy with make -f /usr/share/selinux/devel/Makefile mysenettoy.pp, and you can install the compiled policy using semodule -i mysetoy.pp.

Properly running setoy will also require:

echo Hello, world\! >setoy.txt
chcon -v --type=mysetoy_exec_t setoy
chcon -v --type=mysetoy_file_t setoy.txt

SELinux logging and machine-assisted policy modules

SELinux logs policy violations to /var/log/audit/audit.log. The command audit2allow can help turn the logs which result from a policy being overly cautious into a new, more appropriate policy module for a program. This should be done with care, because most of the time the enforcement of the policy is precisely what ought to happen. Thus you should carefully review the results from audit2allow before loading it into the running policy. Sometimes it is helpful to avoid ignoring common failures (i.e., do-not-audit rules) using:

semodule -DB

Restore the do-not-audit rules with:

semodule -B

Other resources

serial-5.05-actiontec

Thu, 12 Mar 2020 09:02:58 -0400

serial-5.05-actiontec

A patch for Theodore Ts'o's Linux serial driver which adds very ugly support for Actiontec's 56K Internal PCI Call Waiting Modem. This patch causes the driver to be hard-wired to auto-detect this modem. I believe that the Lucent Venus chipset may be buggy, and am currently working with Lucent, Actiontec, and Theodore Ts'o to fix it.

I have written open letters to Agere and Actiontec.

I wrote a kernel module to demonstrate the problems I am having with the Venus chipset. The module writes a value to the interrupt enable register (IER) on one's modem. It then immediately reads the value stored in the IER. Reading a value from the IER that does not equal the value written to it seems to represent a bug in the chipset. Theodore Ts'o's serial driver makes extensive use of a modem's IER when it performs detection operations; thus detecting a Venus-based modem often fails.

To try this test on your own machine, download the kernel module and read the directions included in the source file.

shadow_4.0.3-root_close

Thu, 12 Mar 2020 09:02:58 -0400

shadow_4.0.3-root_close

A patch for the standard linux shadow utilities that causes login to retain its root privileges until it calls PAM's close session code. This allows pam_mount to work properly with login and is correct behavior. Gdm, su, etc. already do this.

Shrieker

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Shrieker, a Raspberry Pi-based ringer. Shrieker connects to an XMPP server, listens for messages, and displays messages that arrive before activating an audible alarm.

Shrieker is designed to run on the hardware listed below:

Raspberry Pi Model B
PiFace Control & Display
PiFace Control & Display Case
5V Micro USB AC Adapter
8GB SD Card
Edimax 802.11b/g/n Nano USB Adapter
HDMI Cable
USB Keyboard (For initial setup)

At the time of writing, most of this hardware is available from MCM Electronics.

Selecting the software for a Shrieker image

Obtain the OpenWrt source tree using git clone git://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.

Pull the appropriate feeds, using ./scripts/feeds install \ freifunk-watchdog \ gst1-mod-mad \ lcdringer \ wpa-supplicant \ zoneinfo-core \ zoneinfo-northamerica
Run make menuconfig and select:
1. Target System: Broadcom BCM2708/BCM2709/
2. Subtarget: BCM2708 based boards
3. Target Profile: Raspberry Pi Model B

Base system:

Remove dnsmasq
Kernel Modules:
- Other modules: kmod-softdog
SPI Support:
- kmod-spi-bcm2835
- kmod-spi-dev
Wireless Drivers:
- kmod-rtl8192cu (for firmware)
- kmod-rtl8xxxu
LuCI: Freifunk: freifunk-watchdog
Multimedia:
- gstreamer1-plugins-base
  - Select all GStreamer base modules
- gstreamer1-plugins-good
  - Select all GStreamer good modules
- gstreamer1-plugins-ugly
  - Select all GStreamer ugly modules
Network:
- lcdringer
- Remove odhcpd
- wpa-supplicant
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configure networking

etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname wlan0
        option proto dhcp

etc/config/wireless (replace MACADDR, SSID, and KEY):

config wifi-device radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option country  US
        option macaddr  MACADDR

config wifi-iface
        option device   radio0
        option network  lan
        option mode     sta
        option ssid     SSID
        option encryption psk2
        option key      KEY

Configure lcdringer

etc/lcdringer.conf (replace EXAMPLE.COM, PASSWORD, USER1, and USER2; USER1 and USER2 are the users permitted to cause lcdringer to ring):

[account]
jid=lcdringer@EXAMPLE.COM
password=PASSWORD
ring_path=/usr/share/lcdringer/ring.mp3

[friends]
jids=USER1@EXAMPLE.COM;USER2@EXAMPLE.COM

Configure basic system settings

etc/config/system:

config system
	option hostname	shrieker.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

etc/config/freifunk-watchdog:

config process
        option process lcdringer
        option initscript /etc/init.d/lcdringer

Build software and perform installation

Run make V=99.
Use dd to copy openwrt-brcm2708-bcm2708-rpi-b-ext4-sdcard.bin to the Raspberry Pi’s flash card.

SimpleFlow

Thu, 12 Mar 2020 09:02:58 -0400

Overview

SimpleFlow implements a very simple view of information flow within the Linux kernel. (We do not claim to approach the sophistication of IX, HiStar, etc.) We have found the design of SimpleFlow useful in education and certain computer-security competitions, and we are also interested in the use of SimpleFlow to study post-compromise exfiltration and insider threats.

Under SimpleFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted (SimpleFlow stores both using extended attributes). Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over an IPC channel). If a tainted process writes to the network, the kernel sets the packet's RFC 3514 evil bit; this allows for a variety of filtering or spoofing strategies which might help determine the intention of the principal who read the confidential data in the first place.

SimpleFlow Virtual Machine

SimpleFlowDemo-0.3-linux-3.10.0.ova provides in OVA format a virtual machine which contains a SimpleFlow kernel along with a CentOS 7 installation. Some useful SimpleFlow-related commands include:

getfattr -n security.simple-flow.confidential -v true PATH: Set the confidential flag on the file at PATH.
getfattr -x security.simple-flow.confidential PATH: Remove the confidential flag from the file at PATH.
getfattr -n security.simple-flow.trusted -v true PATH: Set the trusted flag on the program at PATH.
getfattr -x security.simple-flow.trusted PATH: Remove the trusted flag from the program at PATH.
ps auxZ: Enumerate the running processes, including whether they are tainted.
echo 1 > /proc/PID/attr/current: Taint the process matching PID.
echo 0 > /proc/PID/attr/current: Untaint the process matching PID.
dmesg -w: Watch SimpleFlow (and other kernel) events.

Studying Naive Users and the Insider Threat with SimpleFlow

Ryan Johnson, Jessie Lass, W. Michael Petullo

PDF Cite

Downloads

The SimpleFlow project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/simple-flow-kernel -b v3.10-simpleflow

Siren

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Siren, a Raspberry Pi-based music player. Siren can play music made available by a DAAP server such as dmapd.

Siren is designed to run on the hardware listed below:

Raspberry Pi Model B
PiFace Control & Display
PiFace Control & Display Case
5V Micro USB AC Adapter
8GB SD Card
Edimax 802.11b/g/n Nano USB Adapter
HDMI Cable
USB Keyboard (For initial setup)

At the time of writing, most of this hardware is available from MCM Electronics.

Selecting the software for a Siren image

Obtain the OpenWrt source tree using git clone git://git.openwrt.org/openwrt/openwrt.git.
Enter the OpenWrt source tree and modify the package configuration provided by feeds.conf to use src-git packages ssh://git@github.com/MikePetullo/packages.git. Run ./scripts/feeds update.
Pull the appropriate feeds, using

./scripts/feeds install \
	freifunk-watchdog \
	gst1-mod-mad \
	gst1-mod-ogg \
	gst1-mod-vorbis \
	gst1-mod-flac \
	lcdgrilo \
	wpa-supplicant \
	zoneinfo-core \
	zoneinfo-northamerica</pre></li>

Run make menuconfig and select:

Target System: Broadcom BCM2708/BCM2709
Subtarget: BCM2708 based boards
Target Profile: Raspberry Pi Model B
Base system:
- Remove dnsmasq
Kernel Modules:
- Other modules: kmod-softdog
- SPI Support:
  - kmod-spi-bcm2835
  - kmod-spi-dev
- Wireless Drivers:
  - kmod-rtl8192cu (for firmware)
  - kmod-rtl8xxxu
LuCI: Freifunk: freifunk-watchdog
Multimedia:
- grilo-plugins
- Select grilo-plugins-dmap
- gstreamer1-plugins-base
- Select all GStreamer base modules
- gstreamer1-plugins-good
- Select all GStreamer good modules
- gstreamer1-plugins-ugly
- Select all GStreamer ugly modules
- lcdgrilo
Network:
- Remove odhcpd
- wpa-supplicant
Utilities:
- zoneinfo: zoneinfo-northamerica

Create the directory files and populate it as described in the following sections.

Configure networking

etc/config/network:

config interface loopback
        option ifname lo
        option proto static
        option ipaddr 127.0.0.1
        option netmask 255.0.0.0

config interface lan
        option ifname wlan0
        option proto dhcp

etc/config/wireless (replace MACADDR, SSID, and KEY):

config wifi-device radio0
        option type     mac80211
        option channel  11
        option hwmode   11g
        option country  US
        option macaddr  MACADDR

config wifi-iface
        option device   radio0
        option network  lan
        option mode     sta
        option ssid     SSID
        option encryption psk2
        option key      KEY

Configure basic system settings

etc/config/system:

config system
	option hostname	siren.example.com
	option timezone	EST5EDT,M3.2.0,M11.1.0

config timeserver ntp
        list server     0.openwrt.pool.ntp.org
        list server     1.openwrt.pool.ntp.org
        list server     2.openwrt.pool.ntp.org
        list server     3.openwrt.pool.ntp.org
        option enabled 1
        option enable_server 0

etc/config/dropbear:

config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port         '22'

etc/config/freifunk-watchdog:

config process
        option process lcdgrilo
        option initscript /etc/init.d/lcdgrilo

Build software and perform installation

Run make V=99.
Use dd to copy openwrt-brcm2708-bcm2708-rpi-b-ext4-sdcard.bin to the Raspberry Pi’s flash card.

snes9x-1.26-esd

Thu, 12 Mar 2020 09:02:58 -0400

snes9x-1.26-esd

A patch for Gary Henderson's snes9x which allows the SNES emulator to play sound through EsounD. The patch currently causes a lag in the emulator's audio, due to latency in EsounD.

Spam

Thu, 12 Mar 2020 09:02:58 -0400

This technique uses bogofilter to categorize email as spam or ham on a server, and it uses spamassassin and manual characterization on a client computer to train bogofilter. This assumes that the administrator will use the client computer to review spamassassin's classification decisions and deem missed email as spam where appropriate. Any unread email found in spam-samples was placed there as a result of automatic (spamassassin or bogofilter) classification; read mail was either hand-classified or manually reviewed. The efficacy of this technique requires that the administrator's spam resemble each user's spam.

Install and configure Postfix and bogofilter on your mail server.
Use spamassassin and mutt on a client machine to continuously train bogofilter:
Configure spamassassin:

required_hits 3.5
report_safe 0

Configure procmail to filter incoming mail using spamassassin and to move the email classified as spam to the folder spam-samples:

:0:
* ^X-Bogosity: (Spam|Yes)
$MAILDIR/spam-samples

# Process with spamassassin unless too big.   
:0fw: spamassassin.lock
* < 1048576   
| spamassassin                           

# Dump spamassassin spam in spam-samples.
:0:                  
* ^X-Spam-Status: Yes            
$MAILDIR/spam-samples

Add a cronjob to analyze spam-samples using bogofilter and install the resulting wordlist.db:

0	0	*	*	*	rm -f ~/mail/wordlist.db
	&& grep -av '\(^X-Spam[^ ]*:\|^X-Bogosity:\)' ~/mail/spam-samples | bogofilter -d ~/mail -M -s
	&& grep -av '\(^X-Spam[^ ]*:\|^X-Bogosity:\)' ~/mail/ham-samples  | bogofilter -d ~/mail -M -n
	&& scp ~/mail/wordlist.db root@example.com:/etc/bogofilter/

Configure mutt with hotkeys which manually characterize email as spam or ham and spam index highlights:

color index black brightred '~h "X-Spam-Flag: YES"'    # Spamassassin.
color index black brightyellow '~h "X-Bogosity: Spam"' # Bogofilter.

macro index S "\
<enter-command>set resolve=no<enter>\
<clear-flag>N\
<enter-command>set resolve=yes<enter>\
<save-message&gt;=spam-samples<enter><enter>" "Save to spam-samples"

macro pager S "\
<enter-command>set resolve=no<enter>\
<clear-flag>N\
<enter-command>set resolve=yes<enter>\
<save-message>=spam-samples<enter><enter>" "Save to spam-samples"

macro index H "\
<enter-command>set my_resolve=\$resolve resolve=no<enter>\
<copy-message>=ham-samples<enter><enter>\
<enter-command>set resolve=\$my_resolve<enter>" "Copy to ham-samples"

macro pager H "\
<enter-command>set my_resolve=\$resolve resolve=no<enter>\
<copy-message>=ham-samples<enter><enter>\
<enter-command>set resolve=\$my_resolve<enter>" "Copy to ham-samples"

macro index B "&lt;shell-escape&gt;rm -f ~/mail/wordlist.db
&& grep -av '\\(\^X-Spam[^ ]*:\\|\^X-Bogosity:\\)' ~/mail/spam-samples | bogofilter -d ~/mail -M -s\
&& grep -av '\\(\^X-Spam[^ ]*:\\|\^X-Bogosity:\\)' ~/mail/ham-samples  | bogofilter -d ~/mail -M -n\
&& scp ~/mail/wordlist.db root@www.flyn.org:/etc/bogofilter/&lt;enter&gt;" "Push bogofilter samples"

speak

Thu, 12 Mar 2020 09:02:58 -0400

Speak provides a simple interface to Festival, a speech synthesis package. The script attempts to detect when EsounD is running and takes advantage of it. Otherwise, speak uses the computer's sound device directly. Speak can be used for tasks such as reading incoming email.

Sprite

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Sprite, a home entertainment system.

Sprite is designed to run on a Zotac ZBOX Blu-ray, which provides the following:

1.8GHz Intel Atom processor
2GB memory
Bluray/DVD player
WiFi and Ethernet network interfaces
HDMI audio/video output
USB ports (Only the front-left USB port works with the ZBOX BIOS during the initial stages of booting.)

Sprite also makes use of two SNES-style USB joypads and a Rii mini wireless keyboard with touchpad.

Follow the instructions below to build Sprite:

Install Fedora using a CD-ROM containing a disk image such as Fedora-20-x86_64-netinst.iso.

During installation, create a 2GB swap partition and a / partition that spans the rest of the disk.
Create a user named sprite.
Install the minimum set of packages.

Use rpm -e to remove any unnecessary packages.
Use

rpm -Uvh \
	http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-20.noarch.rpm \
	http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-20.noarch.rpm \
	http://rpm.livna.org/livna-release.rpm

to install the RPM Fusion and livna repositories. 4. Install the required packages using

yum install \
	ConsoleKit \
	gdm
	kernel-modules-extra \
	mesa-dri-drivers \
	xorg-x11-drv-nouveau \
	xorg-x11-drv-evdev \
	libdvdcss \
	nfs-utils \
	nss-mdns \
	Nestopia \
	snes9x \
	xbmc

Configure Sprite to boot in graphical mode: ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target.
Install your public SSH key as /root/.ssh/authorized_keys and configure sshd to disallow password-based logins by editing /etc/ssh/sshd_config.
/etc/sysconfig/network-scripts/ifcfg-Auto_ExampleCom (replace ExampleCom, UUID [uuidgen], and MACADDRESS [ip link]):

ESSID="ExampleCom"
MODE=Managed
KEY_MGMT=WPA-PSK
TYPE=Wireless
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME="Auto ExampleCom"
UUID=UUID
ONBOOT=yes
HWADDR=MACADDRESS
WPA_ALLOW_WPA=yes
WPA_ALLOW_WPA2=yes
PEERDNS=yes
PEERROUTES=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

/etc/sysconfig/network-scripts/keys-Auto_ExampleCom (replace ExampleCom and PSK):

WPA_PSK='PSK'

/etc/hostname (replace example.com):

sprite.example.com

/etc/sysconfig/network:

NETWORKING=yes
NETWORKWAIT=1

/home/sprite/.snes9x/snes9x.xml:

<?xml version="1.0"?>
<snes9x>
 <preferences>
  <option name="default_esc_behavior" value="2"/>
  <option name="hires_effect" value="0"/>
  <option name="full_screen_on_open" value="1"/>
  <option name="video_mode_width" value="1920"/>
  <option name="video_mode_height" value="1080"/>
  <option name="window_width" value="1920"/>
  <option name="window_height" value="1080"/>
  <option name="prevent_screensaver" value="1"/>
  <option name="aspect_ratio" value="1"/>
  <option name="maintain_aspect_ratio" value="1"/>
  <option name="ui_visible" value="0"/>
  <option name="statusbar_visible" value="0"/>
  <option name="modal_dialogs" value="1"/>
  <option name="sync_to_vblank" value="1"/>
  <option name="joystick_threshold" value="40"/>
  <option name="sound_buffer_size" value="32"/>
  <option name="sound_driver" value="0"/>
  <option name="sound_input_rate" value="31950"/>
  <option name="sound_sync" value="1"/>
  <option name="transparency" value="1"/>
  <option name="frameskip" value="200"/>
  <option name="16bit_sound" value="1"/>
  <option name="stereo" value="1"/>
  <option name="playback_rate" value="5"/>
  <option name="block_invalid_vram_access" value="1"/>
  <option name="sram_directory" value="/home/sprite/.snes9x"/>
 </preferences>
 <controls>
  <calibration joystick="0">
   <axis number="0" min="-32767" max="32767" center="0"/>
   <axis number="1" min="-32767" max="32767" center="0"/>
  </calibration>
  <calibration joystick="1">
   <axis number="0" min="-32767" max="32767" center="0"/>
   <axis number="1" min="-32767" max="32767" center="0"/>
  </calibration>
  <joypad number="0">
   <binding name="Up" binding="556270082"/>
   <binding name="Down" binding="556270083"/>
   <binding name="Left" binding="556270080"/>
   <binding name="Right" binding="556270081"/>
   <binding name="Start" binding="553648135"/>
   <binding name="Select" binding="553648134"/>
   <binding name="A" binding="553648129"/>
   <binding name="B" binding="553648128"/>
   <binding name="X" binding="553648131"/>
   <binding name="Y" binding="553648130"/>
   <binding name="L" binding="553648132"/>
   <binding name="R" binding="553648133"/>
  </joypad>
  <joypad number="1">
   <binding name="Up" binding="573047298"/>
   <binding name="Down" binding="573047299"/>
   <binding name="Left" binding="573047296"/>
   <binding name="Right" binding="573047297"/>
   <binding name="Start" binding="570425351"/>
   <binding name="Select" binding="570425350"/>
   <binding name="A" binding="570425345"/>
   <binding name="B" binding="570425344"/>
   <binding name="X" binding="570425347"/>
   <binding name="Y" binding="570425346"/>
   <binding name="L" binding="570425348"/>
   <binding name="R" binding="570425349"/>
  </joypad>
 </controls>
</snes9x>

The first time you run Nestopia, perform the following configurations using a mouse:

Press escape to display Nestopia’s menu bar.
Configure Nestopia to use joypads for input.
Configure Nestopia to start in fullscreen mode.
Set the audio output to SDL.
After quitting Nestopia, edit /home/sprite/.nestopia/nstcontrols and replace the line STOP _ESCAPE with EXIT _ESCAPE. From this point on, you can access the Nestopia menu by pressing f.
Modify /etc/asound.conf so that the HDMI sound device is the default:

defaults.ctl.card	1
defaults.pcm.card	1
defaults.pcm.device	7
defaults.timer.card	1

XBMC’s default behavior allows the use of the backslash key to toggle full-screen mode, but this is rarely useful. Copy /usr/share/xbmc/system/keymaps/keyboard.xml to /home/sprite/.xbmc/userdata/keymaps/, and edit the file to replace <backslash>ToggleFullScreen</backslash> with <backslash>OSD</backslash>.
Using XBMC, perform the following configuration:
- Install video add-ons (e.g., select System→Add-ons→Get Add-ons→XMBC.org Add-ons→Video Add-ons→USTV VoD→Install).
- Install the Rom Collection Browser (i.e., select System→Add-ons→Get Add-ons→XMBC.org Add-ons→Program Add-ons→Rom Collection Browser→Install).
- Configure the Rom Collection Browser (i.e., select Programs→Rom Collection Browser):
  - Create configuration: yes
  - Scrape game information and artwork online
  - Choose a platform: NES
  - Path to NES emulator: /usr/bin/nestopia
  - Emulator parameters: "%ROM%" (default)
  - Path to NES ROMs: ...
  - File mask: *
  - NES artwork: /home/sprite/NES
Turn off the RSS feed ticker (i.e., deactivate System→Appearance→Show RSS news feeds).

spruce-0.5.9-fetchmail

Thu, 12 Mar 2020 09:02:58 -0400

spruce-0.5.9-fetchmail

A patch for Jeffrey Stedfast's Spruce email client. This patch allows one to use the external program fetchmail to retrieve one's mail when Spruce's Check button is pressed. Once the patch is applied, look for the Use External Fetchmail Program check button under the accounts tab of the options menu. Fetchmail has a few added benefits, such as allowing one to encrypt a connection to a pop server using ssh.

spruce-0.5.9-metamail

Thu, 12 Mar 2020 09:02:58 -0400

spruce-0.5.9-metamail

Another patch for Spruce. This patch allows MIME encoded attachments to be displayed using metamail. Look for the Display item in the Attachments menu.

swap

Thu, 12 Mar 2020 09:02:58 -0400

Swap allows one to easily change CD-ROM media with one command or click. Issuing the command swap unmounts a device, ejects the media, waits for the drive to close, and mounts the new media. Also included is a C library which gives the programmer access to swap's functionality.

Tracker

Thu, 12 Mar 2020 09:02:58 -0400

Tracker stores information about your files, and makes this information available to applications.

tracker-control: Show the current status of tracker, including its store and miners.
tracker-control -s: Start the tracker miners, which collect information about your files.
tracker-control -l: List the miners that are running.
tracker-control -a: List the miners preset on the system whether they are running or not.

TunesConvert

Thu, 12 Mar 2020 09:02:58 -0400

Overview

TunesConvert is a simple utility that converts an iTunes library into audio files encoded using FLAC. This allows you to move iTunes music to non-Apple devices. TunesConvert is not able to transcode files protected with DRM. For information about iTunes DRM, see the support page on the issue.

TunesConvert uses the GStreamer media framework and relies on plugins provided by the following packages:

gstreamer
gst-plugins-base
gst-plugins-good
gst-plugins-bad

Run TunesConvert, select an output directory, and press “Transcode”.

TunesConvert-0.0.1.tar.gz

tuxnes-0.75-sdl

Thu, 12 Mar 2020 09:02:58 -0400

tuxnes-0.75-sdl

Development of TuxNES is now performed using SourceForge. I have been given write access to the project's CVS tree, so you can get my contributions there.

util-linux-2.11z-mountpoint

Thu, 12 Mar 2020 09:02:58 -0400

util-linux-2.11z-mountpoint

A patch for util-linux that fixes umount's behavior when dealing with volumes remounted using –bind. When looking up data in /etc/mtab in order to unmount a volume, any mnt_dir match should take priority because unmounting by fsname is obsolete. Otherwise unmounting a volume that was also mounted with –bind will misbehave (Parent's mnt_dir is child's mnt_fsname).

Virtualization

Thu, 12 Mar 2020 09:02:58 -0400

Platform virtualization

Software-based virtualization (simulation)

Create an empty disk image and then install Fedora onto it, running the procedure in a qemu simulator:

$ qemu-img create -f qcow2 disk.qcow2 4G
$ qemu-system-x86_64 -hda disk.qcow2 \
	-cdrom Fedora-20-x86_64-netinst.iso \
	-boot d \
	-net nic \
	-net user \
	-m 1024

To accelerate qemu when virtualizing the same platform as the host, first use modprobe to install the appropriate KVM modules, and then add the --enable-kvm option to the qemu-system-x86_64 command above.

You might want to run qemu with -nographic when running on a computer with no graphical console. For this to work, the hosted kernel must use the serial device as its console. You can arrange for this by passing console=ttyS0 on the hosted kernel’s command line, likely by editing your bootloader’s configuration.

You can also set the host’s MAC address by using -net nic,macaddr=aa:bb:cc:dd:ee:ff.

Another option allows you to configure a network between two QEMU hosts without root access on the host running QEMU. Start one host with -device e1000,netdev=n1,mac=52:54:00:12:34:56 -netdev socket,id=n1,listen=:1024, and start another with -device e1000,netdev=n1,mac=52:54:00:12:34:57 -netdev socket,id=n1,connect=:1024.

Simulating other architectures

Qemu can simulate one architecture on another. For example, qemu can facilitate experimenting with the RISC-V architecture on an AMD64 computer. Fedora provides RISC-V kernels and disk images that are suitable for running in qemu at https://dl.fedoraproject.org/pub/alt/risc-v/repo/virt-builder-images/images/. After gathering and uncompressing a related pair of .elf and .raw files, you can boot them using qemu by running:

$ qemu-system-riscv64 -nographic \
        -machine virt \
        -smp 4 \
        -m 4G \
        -kernel riscv.elf \
        -bios none \
        -object rng-random,filename=/dev/urandom,id=rng0 \
        -device virtio-rng-device,rng=rng0 \
        -device virtio-blk-device,drive=hd0 \
        -drive file=riscv.raw,format=raw,id=hd0 \
        -device virtio-net-device,netdev=usernet \
        -netdev user,id=usernet,hostfwd=tcp::10000-:22

(Replace riscv.elf and riscv.raw with the name of the files you downloaded.)

“Real” networking in qemu

Qemu can easily simulate a network connection in userspace with the help of the host computer, but this approach has limitations. Sometimes it is helpful to tie the simulated computer’s network adapter into the host computer kernel’s view of networking. This is done using bridge and tap interfaces. Assuming the host computer uses NetworkManager, define a bridge interface by creating a file such as /etc/NetworkManager/system-connections/br0.nmconnection:

[connection]
id=br0
type=bridge
interface-name=br0

[bridge]
stp=false

[ipv4]
method=auto

Ensure /etc/NetworkManager/system-connections/br0.nmconnection is readable only by root. Next, configure a physical interface to be a member of the bridge, such as by editing /etc/NetworkManager/system-connections/enp3s0f0.nmconnection:

[connection]
id=enp3s0f0
type=ethernet
interface-name=enp3s0f0
master=br0
slave-type=bridge

In this way, the bridge can obtain an IPv4 address through the physical interface, which is defined to be a member of the bridge.

Next, create a tap interface for the simulated host, and add it to the bridge by running these commands:

$ tunctl -t tap0 -u root
$ brctl addif br0 tap0
$ ifconfig tap0 up

Finally, start the simulated host and associate the host with the tab device by running:

$ qemu-system-riscv64 -nographic \
        -machine virt \
        -smp 4 \
        -m 4G \
        -kernel riscv.elf \
        -bios none \
        -object rng-random,filename=/dev/urandom,id=rng0 \
        -device virtio-rng-device,rng=rng0 \
        -device virtio-blk-device,drive=hd0 \
        -drive file=riscv.raw,format=raw,id=hd0 \
        -device e1000,netdev=net0,mac=aa:bb:cc:dd:ee:ff \
        -device tap,id=net0,ifname=tap0,script=no,downscript=no

Notice the -device and -netdev options have changed from the earlier example.

Xen

Running OpenWrt as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named OpenWrt:

name    = "OpenWrt"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/openwrt-x86-generic-combined-ext4.img,xvda,w" ]
serial  = "pty"

To select a network bridge on a host which has configured more than one, add a statement of the form bridge=brname to the list of network parameters. To hard-code an Ethernet MAC, add mac=mac.

Running CentOS as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named CentOS, which includes an SDL-based graphics console:

name    = "CentOS"
memory  =  4096
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/disk.img,xvda,w" ]
serial  = "pty"
sdl     = 1

If you click on the SDL window, then the Xen interface will capture your mouse. To release the mouse, press Ctrl-Alt. Ctl-Alt-f will enter or leave full screen mode. Alternatively, you can omit sdl = 1 and configure GRUB to boot the Linux kernel with console=ttyS0.

Running OpenBSD as a Xen HVM DomU guest

The following Xen DomU configuration defines a guest named OpenBSD:

name    = "OpenBSD"
memory  =  4096
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge" ]
disk    = [ "tap2:tapdisk:aio:/path/to/disk.img,xvda,w" ]
serial  = "pty"
sdl     = 1

See the description of CentOS above for how to use the SDL console. Alternatively, you can omit sdl = 1 and configure OpenBSD to use a serial console. To do this, add tty00 "/usr/libexec/getty std.9600" vt220 on secure to /etc/ttys and add:

stty com0 19200
set tty com0

to /etc/boot.conf.

Networking

The Xen domain configurations above assume bridged networking. This requires some configuration on the host. The examples here assume the use of NetworkManager.

Bridged

You can set up a network bridge by placing the following in Dom0’s /etc/sysconfig/network-scripts/ifcfg-xenbr0: Define a bridge interface by creating a file such as /etc/NetworkManager/system-connections/xenbr0.nmconnection:

[connection]
id=xenbr0
type=bridge
interface-name=xenbr1

[ipv4]
method=auto

[ipv6]
dhcp-iaid=mac
method=auto

Replace the use of method=auto with method=link-local if you do not want the Dom0 host to obtain an IP address.

Associate an physical interface with the bridge, for example by creating /etc/NetworkManager/system-connections/bridge-slave-eno1.nmconnection:

[connection]
id=bridge-slave-eno1
type=ethernet
interface-name=eno1
master=xenbr0
slave-type=bridge

NAT

Alternatively, you can configure a Xen guest to connect to a network through Dom0 with Dom0 acting as a NAT router.

Configure the guest with vif = [ "model=e1000,script=vif-nat,ip=10.0.0.1/32,gatewaydev=INTERFACE" ], where INTERFACE is the network interface which links to your default Internet router.
Add the following to /etc/sysctl.conf on Dom0: net.ipv4.ip_forward=1 and run sysctl -p1.
Run iptables -t nat -A POSTROUTING -o INTERFACE -j MASQUERADE, where INTERFACE is the interface from step one. (If you use firewalld, then run firewall-cmd --add-masquerade instead.)
Boot the guest and configure its IP address as 10.0.0.1, its default gateway to 10.0.0.129 (Dom0’s virtual interface), and its DNS resolver to a valid server.

Boot from an installation CD-ROM

Add the following to your Xen DomU guest configuration:

disk = [ "tap2:tapdisk:aio:/path/to/cdrom.iso,hdc:cdrom,r" ]

You might want to instead add this statement to an existing disk list, as his will provide access to both the virtual CD-ROM and disk.

Pass an entire logical volume into a Xen guest

If you have an entire logical volume on Dom0 set aside for the guest, then you can pass it to the guest with the following configuration fragment:

disk = [ "phy:/dev/mapper/lv-name,xvdb,w" ]

Pass a USB device into a Xen guest

Add the following to your Xen DomU guest configuration:

usb       = 1
usbdevice = "host:xxxx:yyyy"

usb       = 1
usbdevice = "host:x.y"

In the first example, xxxx:xxxx represents the USB device’s tag. In the second example, x.y represents the USB device’s bus address. You can learn these identifiers by using lsusb.

Ensuring DomU virtual machines start after booting Dom0

Place the configurations which you want to start upon booting in /etc/xen/.
Make a symlink for each configuration from /etc/xen/ to /etc/xen/auto/.
Run systemctl enable xendomains to ensure the xendomains script executes when Dom0 boots.

OpenStack

Extracting a disk image that can be imported into other virtualization platforms

Generate a snapshot of a running instance.
Run glance image-list to find the identifier of the snapshot you want to extract.
Run glance image-download ID --file FILENAME.qcow2

Create an OpenStack image from an image on disk

In order for a disk image to interact fully with OpenStack it must contain a few utilities. On Fedora, the acpid, cloud-init, and cloud-utils-growpart packages provide them. Enable the acpid service, edit /etc/cloud/cloud.cfg accordingly (pay attention to the default username), and add NOZEROCONF=yes to /etc/sysconfig/network. Also ensure a SSH server is present.

Additionally, the disk image must include the virtual I/O drivers in its initial ramdisk. Edit /etc/dracut.conf.d/openstack.conf, and add add_drivers="virtio_blk virtio_gpu". Run dracut --regenerate-all --force on the computer to update its existing initial ramdisks to reflect this. You can inspect an initial ramdisk by running lsinitrd /boot/initramfs-VERSION.img.

To load the image into OpenStack, run glance image-create --name NAME --visibility=private --disk-format=qcow2 --container-format=bare --file=IMAGE-FILE.qcow2.

Manage OpenStack quotas

View quotas for a project using openstack quota show $(openstack project show -f value -c id PROJECT).
Set a quota using openstack quota set --QUOTANAME N $(openstack project show -f value -c id PROJECT).

General OpenStack management

Run openstack server list --all-projects as the admin user to view all servers.
Run openstack server show SERVER-ID to view the details about a server.
Run openstack volume list --all-projects as the admin user to view all volumes.
Run openstack server remove volume SERVER-ID VOLUME-ID to detach a volume from a server.
Run openstack volume delete VOLUME-ID to delete a detached volume.
Sometimes a volumes stays attached to a server that no longer exists. This command is the remedy: cinder reset-state --attach-status detached VOLUME-ID.

Interacting with underlying KVM

Lookup an instance name in OpenStack’s web UI.
Run virsh list --all --uuid --name to discover the KVM virtual machine name that corresponds with the instance ID.
Run virsh console VM-NAME to connect to the virtual machine’s console.

VirtualBox

Select guest Settings→Shared Folders.
Add the folder on your host which you would like to add to your guest; remember the folder name.
Ensure VirtualBox guest addition exists on the guest.
On the Linux guest, run mount -t vboxsf folder-name mount-point.

Pass a USB device from host to Linux guest

If you need USB 2 and 3 support, then install the VirtualBox extension pack from Oracle on the host: sudo VBoxManage extpack install path-to-extpack.
Add the user running VirtualBox to the vboxusers group: sudo gpasswd -a $USER vboxusers. You might need to log out and log back in for this change to take affect.
After booting the guest, look for the USB icon in VirtualBox’s guest control panel at the bottom of the guest’s window. Right click on it to select a USB device to pass through.

You might want to always pass a certain USB device to the guest. To do this, first identify the device’s properties using VBoxManager list usbhost, and then create a filter using the interface at guest Settings→USB.

Disk images

Convert a raw disk image such that it can be used with VirtualBox or VMware: qemu-img convert -f raw FOO.img -O vmdk FOO.vmdk (This will allow the use of an OpenWrt image such as openwrt-x86-generic-combined-ext4.img.gz if you uncompress it first.)
Create a sparse QCOW image for use with Xen: qcow-create $((1024*1024)) vm-disk.qcow

Eucalyptus

Administrative commands

Reset the password on a Eucalyptus account: euare-usermodloginprofile --as-account ACCOUNT-NAME -u admin -p "PASSWORD".
List the instances: euca-describe-instances verbose
List the security groups: euca-describe-groups verbose
List the keypairs: euca-describe-keypairs verbose
List the snapshots: euca-describe-snapshots verbose
List the volumes: euca-describe-volumes verbose

Publishing base images

Create a disk image containing an OS install; here we use fedora-37.img as an example.
With root privileges, run euca-import-volume --format raw --availability-zone ZONE --bucket fedora-37-3gb-ebs --description "Fedora 37 3 GB EBS" fedora-37.img.
Run euca-describe-conversion-tasks import-vol-ID, where ID is the value reported by the previous step.
Run euca-create-snapshot vol-ID.
Run euca-register --name "Fedora37-3GB-EBS" --snapshot snap-acef31baa17c634f0 -a x86_64 --root-device-name /dev/sda --description "Fedora 37 3 GB EBS".
Edit the image’s details, and set the access controls to “public”.

As an alternative to steps 1–4, you can snapshot an existing instance’s volume.

As written, the commands above will make an image available from within the administrator account, and the administrator can elect to mark them public and thus available to other accounts. Adding the -I ACCESS-KEY and -S SECRET-KEY arguments (and additionally the --owner-akid=ACCESS-KEY and --owner-sak=SECRET-KEY, in the case of euca-import-volume) will instead associate the image with another account. You can generate access and secret keys using Eucalyptus’s “Security Credentials” feature within the “Users” panel.

Extracting a true disk image that can be imported into other virtualization platforms

Inspect the instance to discover the volume name.
Stop the instance.
Find the instance’s volume file, which should exist in /var/lib/eucalyptus/volumes/.
Copy the volume file to a computer that has the utilities required by the remaining steps.
Associate the volume file with a loopback device by running losetup -f -P VOLUME-FILE.
Associate the loopback device with the computer’s LVM subsystem by running pvscan --cache and vgchange -ay.
Run losetup and pvdisplay and observe the links in /dev/mapper/ to identify the associations between disk images, loopback devices, physical devices, volume groups, and device mappings.
Extract the disk image using dd if=/dev/dm-N of=IMAGE, where N is the correct device number.
Make use of the disk image. It should boot in QEMU, for example. If it makes use of cloud-init, then a full virtualization suite should be able to setup SSH keys and other material after booting a virtual machine based around the disk image.

VisorFlow

Thu, 12 Mar 2020 09:02:58 -0400

Overview

VisorFlow uses virtual-machine introspection to observe system calls, infer information flow, and control confidential data. Under VisorFlow, the system administrator designates some filesystem objects as confidential and some programs as trusted. Any process not loaded from a trusted program will become tainted upon reading a confidential object. The kernel transfers this taint status from process to process as a result of inter-process communication (e.g., an untainted process reads from a tainted process over a pipe). If a tainted process writes to the network, then the kernel sets the packet’s RFC 3514 evil bit; this permits a variety of filtering or spoofing strategies that might help determine the human intentions involved.

VisorFlow architecture

The figure above depicts the components that make up VisorFlow, including:

the Xen hypervisor;
Linux, running in a Dom0 domain;
one or more DomU domains running Linux or Windows;
the VisorFlow security monitor;
one or more processes running within each DomU;
firewalld;
the VisorFlow network engine;
the VisorFlow Windows authorization engine; and
the VisorFlow Linux authorization engine.

Not pictured here is VisorFlow’s network filter.

Consider process P_n in DomU that invokes a system call (a). The act of invoking a system call normally involves the operating system (b), but here it also involves the hypervisor (c) and the VisorFlow security monitor (d). The VisorFlow security monitor observes such system calls and infers how they allow information to flow between processes, and the security monitor’s operating-system engines use these observations to implement a taint-tracking system that resembles SimpleFlow.

In the case of network system calls, the VisorFlow network engine works with Dom0 and the hypervisor to mark as evil packets originating from tainted processes and to taint processes that receive marked packets. For example, if the Linux engine infers that a system call from a tainted process P_n would result in network traffic, the Linux engine would notify the network engine (e). The network engine in turn adds a network filter rule to the host firewall through firewalld, which has the affect of labeling P_n’s packets as evil (f). The added rule involves instructing NetFilter to rely on VisorFlow to actually set the evil bit using the NFQUEUE interface (g). Later, the Linux engine might infer that P_n exited; when this happens, the Linux engine and network engine will remove the firewall rule that labeled P_n’s packets as evil.

Each operating-system-specific engine implements a different model upon which it relies to make decisions about the system. The models encompass:

which system calls can cause a process to taint,
which system calls can cause an object to become confidential,
which system calls can cause the generation of network packets,
which processes are tainted, and
which objects are confidential (this has to be persistently stored to survive reboots).

This primary advantage of VisorFlow over SimpleFlow is that VisorFlow needs no kernel modifications to operate. This has two important consequences: (1) VisorFlow can mediate closed-source operating systems such as Windows, and (2) VisorFlow avoids difficult-to-maintain modifications to open-source kernels. These advantages come at a performance cost.

By combining aspects of access-control and provenance systems, VisorFlow removes the race conditions found in some provenance systems.

Test VM

After saving the following files to your computer and decompressing them, you can boot the guest using xl create visorflow-guest-linux.cfg. The root password is password.

Disk image: disk.img.gz
Spare disk image: spare.img.gz
Domain configuration (you must modify the paths contained therein to suit your environment): visorflow-guest-linux.cfg

Using VisorFlow to Control Information Flow without Modifying the Operating System Kernel or its Userspace

Matt Shockley, Chris Maixner, Ryan Johnson, Mitch DeRidder, W. Michael Petullo

PDF Cite

Downloads

The VisorFlow project is also available as a Git repository. To clone the repository, execute

git clone https://www.flyn.org/git/visorflow

VPN

Thu, 12 Mar 2020 09:02:58 -0400

This assumes you have built an OpenVPN server as described in the Guardian document. After configuring an OpenVPN client as described below, you can start the VPN tunnel by running:

$ systemctl start openvpn-client@EXAMPLECOM

Place the CA certificate at /etc/openvpn/client/ca.pem.
Place the client host’s certificate at /etc/openvpn/client/CLIENT.EXAMPLE.COM.pem.
Place the client host’s private key at /etc/openvpn/client/CLIENT.EXAMPLE.COM.key.
Run chmod 600 /etc/openvpn/client/CLIENT.EXAMPLE.COM.key.
Write the following files:

/etc/openvpn/client/EXAMPLECOM.conf:

dev tun
txqueuelen 1000
proto udp
verb 3
ca /etc/openvpn/client/ca.pem
cert /etc/openvpn/client/CLIENT.EXAMPLE.COM.pem
key /etc/openvpn/client/CLIENT.EXAMPLE.COM.key
persist-tun
persist-key
client
remote-cert-tls server
remote guardian.EXAMPLE.COM 1194
script-security 2
up /etc/openvpn/client/client.up
down /etc/openvpn/client/client.down

/etc/openvpn/client/client.up (See Red Hat bug #1381413):

#!/bin/sh

# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
# Licensed under the GPL version 2

# First version by Jesse Adelman
# someone at boldandbusted dink com
# http://www.boldandbusted.com/

# PURPOSE: This script automatically sets the proper /etc/resolv.conf entries
# as pulled down from an OpenVPN server.

# INSTALL NOTES:
# Place this in /etc/openvpn/client.up
# Then, add the following to your /etc/openvpn/&lt;clientconfig&gt;.conf:
#   client
#   up /etc/openvpn/client.up
# Next, "chmod a+x /etc/openvpn/client.up"

# USAGE NOTES:
# Note that this script is best served with the companion "client.down"
# script.

# Tested under Debian lenny with OpenVPN 2.1_rc11
# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

# This runs with the context of the OpenVPN UID/GID 
# at the time of execution. This generally means that
# the client "up" script will run fine, but the "down" script
# will require the use of the OpenVPN "down-root" plugin
# which is in the plugins/ directory of the OpenVPN source tree

# A horrid work around, from a security perspective,
# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
# been WARNED.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

# init variables

i=1
domains=
fopt=
ndoms=0
nns=0
nl='
'

# $foreign_option_&lt;n&gt; is something like
# "dhcp-option DOMAIN example.com" (multiple allowed)
# or
# "dhcp-option DNS 10.10.10.10" (multiple allowed)

# each DNS option becomes a "nameserver" option in resolv.conf
# if we get one DOMAIN, that becomes "domain" in resolv.conf
# if we get multiple DOMAINS, those become "search" lines in resolv.conf
# if we get no DOMAINS, then don't use either domain or search.

while true; do
  eval fopt=\$foreign_option_${i}
  [ -z "${fopt}" ] &amp;&amp; break

  case ${fopt} in
        dhcp-option\ DOMAIN\ *)
       ndoms=$((ndoms + 1))
       domains="${domains} ${fopt#dhcp-option DOMAIN }"
       ;;
        dhcp-option\ DNS\ *)
       nns=$((nns + 1))
       if [ $nns -le 3 ]; then
         dns="${dns}${dns:+$nl}nameserver ${fopt#dhcp-option DNS }"
       else
         printf "%s\n" "Too many nameservers - ignoring after third" &gt;&amp;2
       fi
       ;;
    *)
       printf "%s\n" "Unknown option \"${fopt}\" - ignored" &gt;&amp;2
       ;;
    esac
  i=$((i + 1))
done

ds=""
if [ $ndoms -eq 1 ]; then
  ds="${nl}domain"
elif [ $ndoms -gt 1 ]; then
  ds="${nl}search"
fi

# This is the complete file - "$domains" has a leading space already
out="# resolv.conf autogenerated by ${0} (${1})${nl}${dns}${ds}${domains}"

# use resolvconf if it's available
if type resolvconf &gt;/dev/null 2&gt;&amp;1; then
  printf "%s\n" "${out}" | resolvconf -p -a "${1}"
else
  # Preserve the existing resolv.conf
  if [ -e /etc/resolv.conf ] ; then
    cp /etc/resolv.conf /etc/resolv.conf.ovpnsave
  fi
  printf "%s\n" "${out}" &gt; /etc/resolv.conf
  chmod 644 /etc/resolv.conf
fi

exit 0

/etc/openvpn/client/client.down (See Red Hat bug #1381413):

#!/bin/sh

# Copyright (c) 2005-2010 OpenVPN Technologies, Inc.
# Licensed under the GPL version 2

# First version by Jesse Adelman
# someone at boldandbusted dink com
# http://www.boldandbusted.com/

# PURPOSE: This script automatically removes the /etc/resolv.conf entries previously
# set by the companion script "client.up".

# INSTALL NOTES:
# Place this in /etc/openvpn/client.down
# Then, add the following to your /etc/openvpn/&lt;clientconfig&gt;.conf:
#   client
#   up /etc/openvpn/client.up
#   down /etc/openvpn/client.down
# Next, "chmod a+x /etc/openvpn/client.down"

# USAGE NOTES:
# Note that this script is best served with the companion "client.up"
# script.

# Tested under Debian lenny with OpenVPN 2.1_rc11
# It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf

# This runs with the context of the OpenVPN UID/GID 
# at the time of execution. This generally means that
# the client "up" script will run fine, but the "down" script
# will require the use of the OpenVPN "down-root" plugin
# which is in the plugins/ directory of the OpenVPN source tree

# A horrid work around, from a security perspective,
# is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have
# been WARNED.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin

if type resolvconf &gt;/dev/null 2&gt;&amp;1; then
  resolvconf -d "${1}" -f
elif [ -e /etc/resolv.conf.ovpnsave ] ; then
  # cp + rm rather than mv in case it's a symlink
  cp /etc/resolv.conf.ovpnsave /etc/resolv.conf
  rm -f /etc/resolv.conf.ovpnsave
fi

exit 0

WebDAV, CalDAV, and CardDAV

Thu, 12 Mar 2020 09:02:58 -0400

We at Flyn Computing share our calendars and contacts using NextCloud and the CalDAV and CardDAV protocols. The following notes demonstrate the key parts of how to configure a selection of clients to use these services. You should also replace name with your calendar/address book name and password with your password. (We assume that NextCloud exists at the URL https://www.flyn.org/share/, but you could replace this portion of the examples below if you wish to use an NextCloud-based service hosted elsewhere.)

Apple iOS (Settings→Passwords & Accounts→Add Account→Other→Add CalDAV Account)

Replace name and password:

Server: https://www.flyn.org/share/remote.php/dav/principals/users/name/
User Name: name
Password: password
Description: Human-friendly description

Android

These directions require the DAVx⁵ app, which is available from the Android app store. Selecting the app will present a configuration dialog that you should fill out as described below. The native calendar and contact apps will display shared data after you have configured DAVx⁵. Replace name and password:

Base URL: https://www.flyn.org/share/remote.php/dav/
Email address: name
Password: password

Apple iCal 5.0.3

Replace name:

Server Address: www.flyn.org
Server Path: /share/remote.php/dav/principals/users/name/
Use SSL: checked

GNOME (gnome-control-center→Online Accounts)

Replace name and password:

Server: https://www.flyn.org/share/
Username: name
Password: password

vdirsyncer

Replace name and password:

url: https://www.flyn.org/share/remote.php/dav/
auth: basic
username: name
password: password

Wiping devices

Thu, 12 Mar 2020 09:02:58 -0400

These instructions document how to wipe the data from various devices.

Android

Plug the phone in so that it does not loose power during this process.
Reset the device by selecting Settings→Backup→Factory data reset.
When the phone restarts, follow the initialization steps, skipping the ones that are not required. Elect to associate a password with the screen lock. Use a very strong password such as a sequence of random characters.
Encrypt the device by selecting Settings→Security→Encrypt phone. This will prevent someone from recovering deleted data.
Reset the device again by selecting Settings→Backup→Factory data reset.

iPad

Plug the iPad in so that it does not loose power during this process.
Reset the device by selecting Settings→General→Reset. Select Erase All Content and Settings.

wnc

Thu, 12 Mar 2020 09:02:58 -0400

Wife's Network Controller is a GNOME applet to control diald. The applet allows you to choose from three states: auto, on, and off. When using the included scripts the auto state gives dial-up control to diald, the on state forces the dial-up link to come and stay up, and the off state closes the dial-up link.

Workstation

Thu, 12 Mar 2020 09:02:58 -0400

These instructions document how to configure a workstation for use with Golem and other servers. You will need two computers: the workstations itself and a build computer capable of downloading and preparing materials to install on the workstation.

Download the latest Fedora installer.
Attach a USB thumb drive to the build computer. Run dmesg and observe the device name associated with the thumb drive. You should see a message which resembles [X] Attached SCSI removable disk. Here, X indicates that you can access the thumb drive through /dev/X
Copy the Fedora installer image to the thumb drive by running dd if=Fedora-Everything-netinst-x86_64-30-1.2.iso of=/dev/X with root privileges. You should replace X with the correct name.
After copying the Fedora installer image to the thumb drive, remove it from the build computer, and attach it to the workstation. Turn on the workstation.
You should soon see a screen such as this:

Fedora 30

 Install Fedora 30
 Test this media &amp; install Fedora

 Troubleshooting

Press Tab to edit the installers parameters. Append the following to the end of the configuration line: ks=https://www.flyn.org/kickstart/Fedora-30-x86_64-workstation.ks.

Eventually, the installer will present a menu that allows you to set the workstation’s root password. Press 7 and enter a password of your choosing twice.
Enter b to begin the installation.
Reboot the workstation after the installation completes.

xawtv-3.24-quicktime

Thu, 12 Mar 2020 09:02:58 -0400

xawtv-3.24-quicktime

A patch for Gerd Knorr's xawtv. When applied, streamer will be able to save captured video using the QuickTime format.

xawtv-3.48-yuv2

Thu, 12 Mar 2020 09:02:58 -0400

xawtv-3.48-yuv2

A patch for Gerd Knorr's xawtv. When applied, streamer will be able to save YUV2 captured video using the QuickTime format. YUV2 is 16 bits per pixel, rather than 24 like QuickTime's raw encoding. I can capture 30 frames per second at a resolution of 640x480 pixels when using YUV2 and SGI's XFS filesystem on my machine.

xawtv-3.55-time

Thu, 12 Mar 2020 09:02:58 -0400

xawtv-3.55-time

A patch for Gerd Knorr's xawtv. When applied, streamer will accept a time, such as 3:52, as the argument to its -t option.

xawtv-3.64-joystick

Thu, 12 Mar 2020 09:02:58 -0400

xawtv-3.64-joystick

A patch for Gerd Knorr's xawtv. With this patch applied, fbtv may be controlled with a joystick.

xen-4.1.2-xl-command-line-domain-def

Thu, 12 Mar 2020 09:02:58 -0400

xen-4.1.2-xl-command-line-domain-def

A patch for Xen that modifies xl to allow the use of /dev/null as the domain configuration argument to its create option. xl treats the configuration argument /dev/null as a special case. This allows specifying an entire domain configuration on the command line.

xen-local-vif-scripts

Thu, 12 Mar 2020 09:02:58 -0400

xen-4.1.0-local-vif-scripts

A patch for Xen that allows the specification of local vif scripts that augment that standard scripts such as vif-bridge.

xine-lib-0.9.11a-twos

Thu, 12 Mar 2020 09:02:58 -0400

xine-0.9.11a-twos

A trivial patch for xine which adds support for QuickTime files which contain twos encoded audio.

xine-lib-1-beta4-openbsd

Thu, 12 Mar 2020 09:02:58 -0400

xine-lib-1-beta4-openbsd

A patch for xine-lib that allows it to run on OpenBSD.

xine-ui-0.9.18-openbsd

Thu, 12 Mar 2020 09:02:58 -0400

xine-ui-0.9.18-openbsd

A patch for xine-ui that allows it to run on OpenBSD.

xmms-1.2.3-geometry

Thu, 12 Mar 2020 09:02:58 -0400

xmms-1.2.3-geometry

A patch for XMMS which adds the standard –geometry command line option.

xmovie-1.8-vmscale

Thu, 12 Mar 2020 09:02:58 -0400

xmovie-1.8-vmscale

A patch for Adam Williams' XMovie. When applied, XMovie will choose and switch to the most appropriate X video mode when playing back full screen video. This can save a lot of CPU cycles, as the CPU may not need to scale the video to the screen.

xmovie-1.9-vmscale

Thu, 12 Mar 2020 09:02:58 -0400

xmovie-1.9-vmscale

A patch for Adam Williams' Xmovie that fixes the vidmode scaling code. As an added bonus, it fixes two lines in mpeg3io.h that were illegal in C, though fine in C++.

XMPP

Thu, 12 Mar 2020 09:02:58 -0400

Description of Empathy components

Description	RFC	Software
Debugging		empathy-debugger
Call management		(libexec) empathy-call
Streaming		farstream
NAT traversal	5245	libnice

Relevant bugs

Patches

A kludge which allows the use of libnice on an OpenVPN client

Debugging

Debug empathy-call, which establishes audio and video calls: G_MESSAGES_DEBUG=libnice,libnice-stun,libnice-nice-verbose EMPATHY_PERSIST=1 /usr/libexec/empathy-call

Zombie

Thu, 12 Mar 2020 09:02:58 -0400

This document describes how to build Zombie, a PXE and other protocol boot server. Zombie runs on commodity router hardware and provides a number of features:

PXE boot server

We build Zombie on top of OpenWrt because of the distribution’s simplicity and small size. Zombie is made up of roughly 80 packages, and its programs and configurations take up less than 125 MB of storage space. Here we assume that Zombie will run within the confines of a Xen hypervisor.

Establish the Zombie VM

Perform the following steps on the Xen Dom0 host to establish the VM which will host Zombie:

Obtain the x86_64 OpenWrt image at https://downloads.lede-project.org/releases/17.01.1/targets/x86/64/lede-17.01.1-x86-64-combined-ext4.img.gz.
Uncompress the image and place it at /var/lib/xen/images/zombie-lede-17.01.1-x86-64-combined-ext4.img on the Xen Dom0 host.
Write the following at /etc/xen/vm-zombie.cfg on the Xen Dom0 host (replace XX:XX:XX:XX:XX:XX):

name    = "zombie"
memory  =  1024
vcpus   =  1
builder = "hvm"
vif     = [ "model=e1000,script=vif-bridge,bridge=xenbr0,mac=XX:XX:XX:XX:XX:XX" ]
disk    = [ "tap2:tapdisk:aio:/var/lib/xen/images/herald-lede-17.01.1-x86-64-combined-ext4.img ,xvda,w" ]
serial  = "pty"

Software installation

Perform the following steps on Zombie:

Set the root password: passwd.
Remove unnecessary packages:

opkg remove \
	kmod-ppp \
	kmod-pppoe \
	kmod-pppox \
	kmod-r8169 \
	logd \
	luci-app-firewall \
	luci-lib-ip \
	luci-lib-jsonc \
	luci-lib-nixio \
	luci-proto-ipv6 \
	luci-proto-ppp \
	luci-theme-bootstrap \
	luci-mod-admin-full \
	luci-base \
	luci \
	mtd \
	odhcpd-ipv6only \
	ppp \
	ppp-mod-pppoe \
	r8169-firmware \
	uhttpd-mod-ubus \
	uhttpd

Configure networking by writing /etc/config/network:

config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0

config interface lan
	option ifname eth0
	option proto dhcp

Install the necessary software:

opkg update
opkg install \
        freifunk-watchdog \
	syslog-ng

Install a public SSH key at /etc/dropbear/authorized_keys.

Configuring TFTP

Here we describe how to configure dnsmasq to provide a TFTP service.

/etc/config/dhcp:

config dnsmasq
	option enable_tftp	1
	option tftp_root	/usr/libexec/tftpboot
	option localservice	1

config dhcp lan
	option ignore		1

Create the directory /usr/libexec/tftpboot/pxelinux/bios/.
Install the syslinux package on a Fedora host, and copy the files /usr/share/syslinux/{ldlinux.c32,libcom32.c32,libutil.c32,pxelinux.0,vesamenu.c32} to /usr/libexec/tftpboot/pxelinux/bios/ on Zombie.
usr/libexec/tftpboot/pxelinux/bios/pxelinux.cfg/default:

default vesamenu.c32
prompt 1
timeout 600

display boot.msg

label linux
	menu label ^Install or upgrade an existing system
	menu default
	kernel vmlinuz
	append initrd=initrd.img inst.repo=https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/ inst.ks=https://www.flyn.org/kickstart/Fedora-35-x86_64-workstation.ks

Create the directory /usr/libexec/tftpboot/pxelinux/efi/.
Install the shim, grub2-efi, and grub2-efi-x64 packages on a Fedora host, and copy the file /boot/efi/EFI/fedora/shim.efi to /usr/libexec/tftpboot/pxelinux/efi/ on Zombie.
Copy the files /boot/efi/EFI/fedora/grubx64.efi to /usr/libexec/tftpboot/ on Zombie.
usr/libexec/tftpboot/grub.cfg:

function load_video {
	insmod efi_gop
	insmod efi_uga
	insmod video_bochs
	insmod video_cirrus
	insmod all_video
}

load_video
set gfxpayload=keep
insmod gzio

menuentry 'Install Fedora 64-bit'  --class fedora --class gnu-linux --class gnu --class os {
	linuxefi pxelinux/bios/vmlinuz ip=dhcp inst.repo=https://download.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/ inst.ks=https://www.flyn.org/kickstart/Fedora-35-x86_64-workstation.ks
	initrdefi pxelinux/bios/initrd.img
}

Copy https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/images/pxeboot/vmlinuz to usr/libexec/tftpboot/pxelinux/bios/vmlinuz.
Copy https://dl.fedoraproject.org/pub/fedora/linux/releases/35/Everything/x86_64/os/images/pxeboot/initrd.img to usr/libexec/tftpboot/pxelinux/bios/initrd.img.

Configuring DHCP

Add the following to /etc/config/dhcp on the host that provides your network’s DHCP service (replace W.X.Y.Z and example.com with Zombie’s IP address and domain name, respectively):

config boot linux
	option serveraddress 'W.X.Y.Z'
	option servername 'zombie.example.com'
	option filename 'pxelinux/bios/pxelinux.0'

# For EFI:
# config boot linux
#	option serveraddress 'W.X.Y.Z'
#	option servername 'zombie.example.com'
#	option filename 'pxelinux/efi/shim.efi'

zsnes-1.337-gamepad-quit

Thu, 12 Mar 2020 09:02:58 -0400

zsnes-1.337-gamepad-quit

A nasty patch for the zsnes Super Nintendo emulator which allows one to quit the application by pressing L-R-Start on one's gamepad.

Courseware as Code: Instituting Agile Courseware Collaboration

Wed, 01 Jan 2020 00:00:00 +0000

Security Engineering: A Guide to Building Dependable Distributed Systems

Wed, 01 Jan 2020 00:00:00 +0000

Think Java: How to Think Like a Computer Scientist

Wed, 01 Jan 2020 00:00:00 +0000

The Art, Science, and Engineering of Fuzzing: A Survey

Tue, 01 Oct 2019 00:00:00 +0000

MAX_USERNAME_LEN set too low

Fri, 01 Mar 2019 00:00:00 +0000

The Python Tutorial

Tue, 01 Jan 2019 00:00:00 +0000

The Rust Programming Language

Tue, 01 Jan 2019 00:00:00 +0000

Strange behaviour [sic] surrounding ``ssh -T ...'' and non-zero exit

Thu, 01 Nov 2018 00:00:00 +0000

Operating Systems: Three Easy Pieces

Wed, 01 Aug 2018 00:00:00 +0000

PivotWall: SDN-Based Information Flow Control

Thu, 01 Mar 2018 00:00:00 +0000

Using VisorFlow to Control Information Flow without Modifying the Operating System Kernel or its Userspace

Sun, 01 Oct 2017 00:00:00 +0000

Lowering the Barriers to Capture The Flag Administration and Participation

Tue, 01 Aug 2017 00:00:00 +0000

Shell We Play a Game? CTF-as-a-service for Security Education

Tue, 01 Aug 2017 00:00:00 +0000

Between-Subjects Design

Sun, 01 Jan 2017 00:00:00 +0000

Counterbalancing

Sun, 01 Jan 2017 00:00:00 +0000

Within-Subjects Design

Sun, 01 Jan 2017 00:00:00 +0000

Studying Naive Users and the Insider Threat with SimpleFlow

Sat, 01 Oct 2016 00:00:00 +0000

The Use of Cyber-Defense Exercises in Undergraduate Computing Education

Mon, 01 Aug 2016 00:00:00 +0000

Build It, Break It, Fix It: Contesting Secure Development

Fri, 01 Jan 2016 00:00:00 +0000

Infrastructure as Code: Managing Servers in the Cloud

Fri, 01 Jan 2016 00:00:00 +0000

The Go Programming Language

Fri, 01 Jan 2016 00:00:00 +0000

Think Java: How to Think Like a Computer Scientist

Fri, 01 Jan 2016 00:00:00 +0000

Improving Application Security Through TLS-Library Redesign

Thu, 01 Oct 2015 00:00:00 +0000

Using CTFs for an Undergraduate Cyber Education

Sat, 01 Aug 2015 00:00:00 +0000

On the Generality and Convenience of Etypes

Fri, 01 May 2015 00:00:00 +0000

Beej's Guide to Unix Interprocess Communication

Thu, 01 Jan 2015 00:00:00 +0000

Codechella: Multi-user program visualizations for real-time tutoring and collaborative learning

Thu, 01 Jan 2015 00:00:00 +0000

Codeopticon: Real-Time, One-To-Many Human Tutoring for Computer Programming

Thu, 01 Jan 2015 00:00:00 +0000

Computer Security: Principles and Practice

Thu, 01 Jan 2015 00:00:00 +0000

Teaching Computer Security

Sat, 01 Nov 2014 00:00:00 +0000

Learning Obstacles in the Capture The Flag Model

Fri, 01 Aug 2014 00:00:00 +0000

PicoCTF: A Game-Based Computer Security Competition for High School Students

Fri, 01 Aug 2014 00:00:00 +0000

Ethos' Deeply Integrated Distributed Types

Thu, 01 May 2014 00:00:00 +0000

Pro Git

Wed, 01 Jan 2014 00:00:00 +0000

SEI CERT C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems

Wed, 01 Jan 2014 00:00:00 +0000

MinimaLT: Minimal-latency Networking Through Better Security

Fri, 01 Nov 2013 00:00:00 +0000

Learn Programming++: The Design, Implementation and Deployment of an Intelligent Environment for the Teaching and Learning of Computer Programming

Mon, 01 Jul 2013 00:00:00 +0000

Rethinking Operating System Interfaces to Support Robust Network Applications

Wed, 01 May 2013 00:00:00 +0000

Simple-to-use, Secure-by-design Networking in Ethos

Mon, 01 Apr 2013 00:00:00 +0000

The Lazy Kernel Hacker and Application Programmer

Fri, 01 Mar 2013 00:00:00 +0000

Online Python Tutor: Embeddable Web-Based Program Visualization for CS Education

Tue, 01 Jan 2013 00:00:00 +0000

Rethinking SSL Development in an Appified World

Tue, 01 Jan 2013 00:00:00 +0000

The Ethos Project: Security Through Simplification

Mon, 01 Oct 2012 00:00:00 +0000

Rethinking Operating System Interfaces to Support Robust Applications

Tue, 01 May 2012 00:00:00 +0000

R3: Repeatability, Reproducibility and Rigor

Thu, 01 Mar 2012 00:00:00 +0000

Let's Help Johnny Write Robust Applications

Sun, 01 Jan 2012 00:00:00 +0000

The most dangerous code in the world: validating SSL certificates in non-browser software

Sun, 01 Jan 2012 00:00:00 +0000

The security impact of a new cryptographic library

Sun, 01 Jan 2012 00:00:00 +0000

Why Eve and Mallory love Android: an analysis of Android SSL (in)security

Sun, 01 Jan 2012 00:00:00 +0000

Digital identity security architecture in Ethos

Sat, 01 Oct 2011 00:00:00 +0000

NIST Special Publication 800--145

Thu, 01 Sep 2011 00:00:00 +0000

Experiences In Cyber Security Education: The MIT Lincoln Laboratory Capture-the-Flag Exercise

Mon, 01 Aug 2011 00:00:00 +0000

Beej's Guide to Network Programming Using Internet Sockets

Sat, 01 Jan 2011 00:00:00 +0000

Building custom firmware with OpenWrt

Sun, 01 Aug 2010 00:00:00 +0000

Capsicum: practical capabilities in UNIX

Sun, 01 Aug 2010 00:00:00 +0000

Experiences with practice-focused undergraduate security education

Sun, 01 Aug 2010 00:00:00 +0000

Webseclab security education workbench

Sun, 01 Aug 2010 00:00:00 +0000

Browser Security: Lessons from Google Chrome

Sat, 01 Aug 2009 00:00:00 +0000

The Pintos Instructional Operating System Kernel

Thu, 01 Jan 2009 00:00:00 +0000

Nginx: The High-Performance Web Server and Reverse Proxy

Mon, 01 Sep 2008 00:00:00 +0000

Open source telephony: a Fedora-based VoIP server with Asterisk

Tue, 01 Jul 2008 00:00:00 +0000

From camera to website: Building an open source video streamer

Tue, 01 Apr 2008 00:00:00 +0000

SEED: A Suite of Instructional Laboratories for Computer Security Education

Sat, 01 Mar 2008 00:00:00 +0000

Hacking: The Art of Exploitation

Tue, 01 Jan 2008 00:00:00 +0000

Serving Apples: Integrating Mac OS X clients into a Fedora network

Tue, 01 Jan 2008 00:00:00 +0000

When Good Instructions Go Bad: Generalizing Return-oriented Programming to RISC

Tue, 01 Jan 2008 00:00:00 +0000

How to Read a Paper

Sun, 01 Jul 2007 00:00:00 +0000

Managing RPM-Based Systems with Kickstart and Yum

Thu, 01 Mar 2007 00:00:00 +0000

Disk encryption in Fedora: Past, present and future

Mon, 01 Jan 2007 00:00:00 +0000

Some thoughts on security after ten years of qmail 1.0

Mon, 01 Jan 2007 00:00:00 +0000

Subverting the Fundamentals Sequence: Using Version Control to Enhance Course Management

Mon, 01 Jan 2007 00:00:00 +0000

The Geometry of Innocent Flesh on the Bone: Return-into-libc Without Function Calls (on the x86)

Mon, 01 Jan 2007 00:00:00 +0000

The Open Science Grid

Mon, 01 Jan 2007 00:00:00 +0000

Making information flow explicit in HiStar

Wed, 01 Nov 2006 00:00:00 +0000

Adding encryption support to HAL: A user's experience with Fedora development

Sat, 01 Oct 2005 00:00:00 +0000

Developing GNOME applications with Java

Fri, 01 Jul 2005 00:00:00 +0000

Encrypt your root filesystem

Sat, 01 Jan 2005 00:00:00 +0000

Linux Device Drivers

Sat, 01 Jan 2005 00:00:00 +0000

The Net-SNMP Programming Guide

Mon, 01 Nov 2004 00:00:00 +0000

Implementing encrypted home directories

Fri, 01 Aug 2003 00:00:00 +0000

Preventing Privilege Escalation

Fri, 01 Aug 2003 00:00:00 +0000

Defcon Capture the Flag: defending vulnerable code from intense attack

Tue, 01 Apr 2003 00:00:00 +0000

Administrator’s Guide to Linux in the Windows Enterprise

Wed, 01 Jan 2003 00:00:00 +0000

Postfix: The Definitive Guide

Wed, 01 Jan 2003 00:00:00 +0000

OpenLDAP Everywhere

Sun, 01 Dec 2002 00:00:00 +0000

Setuid Demystified

Thu, 01 Aug 2002 00:00:00 +0000

Amateur Video Production Using Free Software and Linux

Wed, 01 May 2002 00:00:00 +0000

Security in Plan 9

Tue, 01 Jan 2002 00:00:00 +0000

Implementing SELinux as a Linux Security Module

Sat, 01 Dec 2001 00:00:00 +0000

Exploiting Format String Vulnerabilities

Sat, 01 Sep 2001 00:00:00 +0000

Integrating Flexible Support for Security Policies into the Linux Operating System

Fri, 01 Jun 2001 00:00:00 +0000

The Cathedral and the Bazaar

Fri, 01 Jan 1999 00:00:00 +0000

StackGuard: Automatic Adaptive Detection and Prevention of Buffer-overflow Attacks

Thu, 01 Jan 1998 00:00:00 +0000

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

Thu, 01 Jan 1998 00:00:00 +0000

Smashing The Stack For Fun And Profit

Mon, 01 Jan 1996 00:00:00 +0000

SSH---Secure Login Connections over the Internet

Mon, 01 Jan 1996 00:00:00 +0000

Unified Login with Pluggable Authentication Modules (PAM)

Mon, 01 Jan 1996 00:00:00 +0000

LINUX--a Free Unix-386 Kernel

Tue, 01 Oct 1991 00:00:00 +0000

An Evaluation of the Ninth SOSP Submissions or How (and How Not) to Write a Good Systems Paper

Sat, 01 Oct 1988 00:00:00 +0000

Project Athena Facilities---an Overview for Faculty

Tue, 01 Mar 1988 00:00:00 +0000

Development of the Domain Name System

Fri, 01 Jan 1988 00:00:00 +0000

The C Programming Language

Fri, 01 Jan 1988 00:00:00 +0000

A Berkeley Odyssey

Tue, 01 Jan 1985 00:00:00 +0000

Design and implementation of the Sun network filesystem

Tue, 01 Jan 1985 00:00:00 +0000

The UNIX Programming Environment

Sun, 01 Jan 1984 00:00:00 +0000

New Directions in Cryptography

Mon, 01 Nov 1976 00:00:00 +0000

The Protection of Information in Computer Systems

Wed, 01 Jan 1975 00:00:00 +0000

Protection and the Control of Information Sharing in Multics

Mon, 01 Jul 1974 00:00:00 +0000

The UNIX time-sharing system

Tue, 01 Jan 1974 00:00:00 +0000

Flyn Computing

gowasmdemo

Overview

Downloads

reflectcrud

Overview

Downloads

Terminal colors

FIDO2 and its companions

Commands that interact with a YubiKey

Courses as Code: The Aquinas Learning System

alpine-build

golatex

Overview

Downloads

safe

Overview

Downloads

wasm

Overview

Downloads

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 1: Basic Architecture

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 2: Instruction Set Reference

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 3: System Programming Guide

Intel 64 and IA-32 Architectures Software Developer's Manual Volume 4: Model-Specific Registers

Web security playground

Cookie attributes

Mixed passive content

Mixed active content

HTTPS Strict Transport Security

Cross-Origin Resource Sharing (CORS)

GnuPG signing party

The Industrial Age of Hacking

Towards Binary Diversified Challenges For A Hands-On Reverse Engineering Course

OpenWrt and SELinux

The Industrial Age of Hacking

OpenWrt-based XMPP server

Establish the VM

Software installation

Configuring the Prosody chat server

Configure the host firewall

Configure basic system settings

ulimit

USA

Proposals

Master of Software Engineering capstone

Undergraduate and graduate research and project ideas

Research

General programming and administration proposals

Approximate security and systems conference schedule

Reading List

Programming mistakes

Secure design

Access control systems

Reading and writing systems papers

Life in academia

Did you think you were going to get away with avoiding our papers?

Service inquiry

SRPMS

Statistics

Committees, panels, and paper reviewing

Calendar year 2024

Calendar year 2023

Calendar year 2022

Calendar year 2017

Calendar year 2015

Grants awarded

College courses taught

Masters capstone committees

Conferences and workshops attended

Statistics

Official Fedora packages maintained

Official OpenWrt packages maintained

Formal bug reports or report contributions

Thank you!

Adventure

alsa-utils-0.5.10-toggle

Apple

Introduction

Packages