DNS vulnerability

A very interesting read about the serious vulnerability in DNS discovered by Dan Kaminsky earlier this year: An Illustrated Guide to the Kaminsky DNS Vulnerability. Recommended reading if you are interested in security. It should be understandable even for people without prior knowledge of DNS.


Strip trailing whitespace in emacs

Just installed WP-Syntax, a WordPress plugin for highlighting code. The first test will be this short elisp code I wrote to strip trailing whitespace from all lines in a file.

(defun strip-trailing-ws ()
  "Strip trailing whitespace from all lines"
  (interactive)
  (let ((cur (point-marker)))
    (goto-char (point-min))
    (while (re-search-forward "[ \t]+$" nil t)
      (replace-match "" nil nil))
    (goto-char (marker-position cur))))

Debian packages

My Debian packages are now available at debian.ejohansson.se instead of eddie.ejohansson.se. Please update your /etc/apt/sources.list to point to the new location.


Site moved to Host Gator

I decided to move my site from my own server to Host Gator. So far I'm very pleased with them. I've been in contact with their support twice and I'm very pleased. It only took a few minutes to get in contact with a real person and a few minutes more to have my issue resolved. Excellent support so far!

I'm also liking the cPanel software that's used to administer sites at Host Gator (and many other hosting companies). Really useful and easy to use. I used it to install this WordPress installation.

I'm currently in the process of moving content from the old site. The look is still that of a default WordPress installation, but I'll probably get around to fixing that later.


Camillas Matuppror

This entry is different from what I usually write about, but I just wanted to point any Swedish readers to Camillas Matuppror.

I believe it is a human right for Swedish children, the sick and the elderly to be able to eat their fill every day of good food, cooked with care and close to those who are going to eat it. It benefits both our health and the environment if we can together break the trend towards industrial food in institutional kitchens and in grocery stores.

(English summary: She wants Swedish children, sick, and elderly people to get good, locally produced food. I agree with her.)


Web security

LWN has an interesting article on web security. Linked from that article is another interesting blog entry, Hardened stateless session cookies, by the person who discovered the latest WordPress vulnerabilities.

Back to catching up on LWN issues…


SELinux and mail() in PHP

Since I upgraded my server and activated SELinux I haven't gotten any emails from WordPress when people post comments on this blog (that's why it has taken me so long to approve comments). Today I decided it was time to look into the problem.

It turned out that the problem was related to the following message that I’ve been seeing in my log:

avc:  denied  { execute_no_trans } for  pid=972 comm="apache2" name="bash" dev=hda1 ino=26110 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

The mail() function in PHP (which is what WordPress uses to send the notification mail) is implemented with popen(3): when you call mail(), PHP executes popen("sendmail …", "w") with the configured sendmail_path. popen(3) runs its command string through sh -c, so the apache process, running in httpd_t, executes /bin/sh, a file labelled shell_exec_t, in its own domain without a domain transition. That is exactly the execute_no_trans denial in the log message above.

The solution was to allow httpd_t to execute shell_exec_t files without a domain transition:

allow httpd_t shell_exec_t:file execute_no_trans;

Note what this grants: any code running in httpd_t, not only mail(), can now spawn a shell in apache's own domain, which is also what a PHP system() call or an injected web shell does. It is the minimal rule for this one denial, not a tight one.
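Working out the rule from a denial by hand is fine for one message but error-prone once there are several, so here is an added example (not code from the original post) of the translation that audit2allow performs: it reads AVC records on stdin, collects the permissions denied per (source type, target type, object class) and prints one allow rule per triple. The input is constructed: the denial quoted above joined onto one line, as the audit subsystem actually writes it, plus two made-up follow-on denials of the kind that show up once the first rule is loaded (the second mirrors the var_run_t search rule needed for the Subversion hooks).

```shell
#!/bin/sh
# avc_to_allow: read SELinux AVC denial records on stdin and print the
# allow rules that would permit them, merging the permissions denied for
# the same source type, target type and object class into one rule
# (the core of what audit2allow does). Added example, not from the post.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        # the denied permissions sit between the braces
        perms = $0
        sub(/.*denied *[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        # the type is the third colon-separated field of each context
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        # add each permission once to the set kept for this triple
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : (seen[key] " " p[j])
    }
    END {
        for (key in seen) {
            if (index(seen[key], " ") > 0)
                print "allow " key " { " seen[key] " };"
            else
                print "allow " key " " seen[key] ";"
        }
    }' | sort
}

# Constructed sample input: the denial from the post, joined onto one
# line as the audit subsystem writes it, followed by two made-up denials
# (a read on the shell binary, and the /var/run search a hook script
# running in httpd_sys_script_t would trigger).
SAMPLE_AVC='avc:  denied  { execute_no_trans } for  pid=972 comm="apache2" name="bash" dev=hda1 ino=26110 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc:  denied  { read } for  pid=972 comm="apache2" name="bash" dev=hda1 ino=26110 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
avc:  denied  { search } for  pid=1007 comm="post-commit" name="run" dev=hda1 ino=2 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir'

# Usage: pipe audit records in, e.g. grep 'avc: *denied' /var/log/audit/audit.log | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Treat the output as a starting point rather than a fix: a generated rule is only right when the target type is the one the files should carry. A denial whose target is a generic type such as default_t, or a home-directory type, usually means the files are mislabelled and the correct response is semanage fcontext plus restorecon, not a new allow rule.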

++git;

Like all the other cool kids, I've also started experimenting with git, the version control system used by many, most notably the Linux kernel developers.

As a test I converted my program that enables the volume knob on Dell USB keyboards. You can find it on my gitweb site.

There is also the SELinux policy module I blogged about in my previous post, and a new one that I had to write to get gitweb to work. Getting gitweb to work also required the git repositories to be labelled correctly:

semanage fcontext -a -t httpd_sys_script_ro_t '/home/git(/.*)?'
restorecon -Rv /home/git

Some day I need to figure out the correct syntax for putting file contexts in the policy module.


SELinux, Subversion and mod_svn

After upgrading my server (from Debian Sarge to Debian Etch) I decided to enable SELinux. After reading some documentation (besides Debian's basic setup documentation I can recommend Fedora's SELinux wiki and especially this presentation) I got the basic setup working. Getting Subversion to work fully required a few extra steps. For your convenience and my memory I've listed them below.

1. Turn on httpd_builtin_scripting and httpd_enable_cgi. Turning on httpd_builtin_scripting gives httpd_t (i.e. apache) permission to read and write files marked httpd_sys_script_rw_t. This is needed for commits to work. Turning on httpd_enable_cgi gives httpd_t permission to execute scripts (marked httpd_sys_script_exec_t), something which is needed for hooks to work.

# setsebool -P httpd_builtin_scripting=1
# setsebool -P httpd_enable_cgi=1

2. Set the proper security context on the files in the repository. Assuming that all repositories are located under /home/svn, the following commands will do the job. Also make sure that the user apache is running as (e.g. www-data) has read access to the repository and write access to the directories dav and db (this is the script I use for that).

# semanage fcontext -a -t httpd_sys_content_t '/home/svn(/.*)?'
# semanage fcontext -a -t httpd_sys_script_rw_t '/home/svn/[^/]+/(dav|db)(/.*)?'
# semanage fcontext -a -t httpd_sys_script_exec_t '/home/svn/[^/]+/hooks(/.*)?'
# restorecon -Rv /home/svn

3. Make sure selinux-policy-refpolicy-dev is installed.

4. Create the directory mysvn. In that directory, create the file mysvn.te with the following contents:

policy_module(mysvn,0.0.1)

require {
        type httpd_t;
        type shell_exec_t;
        type httpd_sys_script_t;
        type var_run_t;
};

# If hooks are shell scripts, apache must be able to run a shell. The
# hooks will run in httpd_sys_script_t.
allow httpd_t shell_exec_t:file rx_file_perms;

# For some reason the scripts search /var/run
allow httpd_sys_script_t var_run_t:dir search;

5. Then run:

# make -f /usr/share/selinux/refpolicy-targeted/include/Makefile
# semodule -i mysvn.pp

The mysvn policy module is needed because hooks are normally shell scripts. For apache to be able to run them it must be able to run a shell. Once the scripts have started, they run in the httpd_sys_script_t domain.
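The five steps above can be collapsed into one script, and the file contexts from step 2 can live in the module itself in a mysvn.fc file beside mysvn.te, which is also the answer to the open question in the gitweb post about putting file contexts in a policy module. The following is an added example, not the original post's script: it writes the module sources (the .te from step 4, with the types the .fc references added to the require block), provides the build-and-install step, and includes a small emulation of the file-context lookup so the regexes can be checked offline. Assumptions: the .fc line format is the reference policy's gen_context() form, the refpolicy development Makefile packages a mysvn.fc found next to mysvn.te into mysvn.pp, and paths and type names are those used in the post. With the .fc in the module, the semanage fcontext commands from step 2 are no longer needed; semodule -i installs the labels and restorecon applies them. The same line form, with httpd_sys_script_ro_t, covers the /home/git(/.*)? entry from the gitweb post.

```shell
#!/bin/sh
# Build the mysvn policy module with its file contexts in mysvn.fc.
# Added example, not the post's own script.

# Write mysvn.te and mysvn.fc into DIR.
write_mysvn_module() {
    dir=$1
    mkdir -p "$dir"

    cat > "$dir/mysvn.te" <<'EOF'
policy_module(mysvn,0.0.1)

require {
        type httpd_t;
        type shell_exec_t;
        type httpd_sys_script_t;
        type var_run_t;
        # types referenced from mysvn.fc
        type httpd_sys_content_t;
        type httpd_sys_script_rw_t;
        type httpd_sys_script_exec_t;
};

# If hooks are shell scripts, apache must be able to run a shell. The
# hooks will run in httpd_sys_script_t.
allow httpd_t shell_exec_t:file rx_file_perms;

# The hook scripts search /var/run.
allow httpd_sys_script_t var_run_t:dir search;
EOF

    # One regex and one context per line, general before specific: when a
    # path matches several entries the last matching one wins, so the
    # dav/db and hooks entries override the repository-wide one.
    cat > "$dir/mysvn.fc" <<'EOF'
/home/svn(/.*)?                    gen_context(system_u:object_r:httpd_sys_content_t,s0)
/home/svn/[^/]+/(dav|db)(/.*)?     gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/home/svn/[^/]+/hooks(/.*)?        gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
EOF
}

# Steps 1 and 5 from the post, to be run as root once the sources in DIR
# have been reviewed; restorecon applies the labels the module ships.
install_mysvn_module() {
    dir=$1
    setsebool -P httpd_builtin_scripting=1
    setsebool -P httpd_enable_cgi=1
    (cd "$dir" && make -f /usr/share/selinux/refpolicy-targeted/include/Makefile)
    semodule -i "$dir/mysvn.pp"
    restorecon -Rv /home/svn
}

# Offline check of the labels: print the type that the .fc file FCFILE
# assigns to PATH using the same last-match-wins rule as restorecon, or
# nothing when no entry matches. This is an emulation for checking the
# regexes (assumption: entries are anchored at both ends, as in the
# policy); on the real system use matchpathcon.
fc_type_for() {
    fcfile=$1; path=$2; found=
    while read -r regex ctx; do
        case $regex in ''|'#'*) continue ;; esac
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=$(printf '%s' "$ctx" | sed 's/.*:object_r:\([^,]*\),.*/\1/')
        fi
    done < "$fcfile"
    printf '%s\n' "$found"
}

# Usage: sh mysvn-module.sh DIR        write mysvn.te and mysvn.fc into DIR
#        sh mysvn-module.sh --install  write into ./mysvn, then build and install
case "${1:-}" in
    '')        ;;   # no arguments: only define the functions
    --install) write_mysvn_module ./mysvn && install_mysvn_module ./mysvn ;;
    *)         write_mysvn_module "$1"
               fc_type_for "$1/mysvn.fc" /home/svn/repo/hooks/pre-commit ;;
esac
```

Run it with a directory argument first and inspect the two generated files; the fc_type_for call at the end shows that a hook script ends up as httpd_sys_script_exec_t even though the repository-wide entry matches it too.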


Google apps (and gmail) gets IMAP support

It was somewhat expected that Google would do it sooner or later, and now they’ve done it! The only thing I was missing from the otherwise excellent service that I’m using for my email at ejohansson.se: IMAP. Thank you Google!
